1

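I am currently trying to extract the raw payload from ICMP packets.

I've managed to trim it down to a format I like (without the first 5 characters of each line, and without the ....... stuff).

Original format: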

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00   c.........PK....
0030  09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00   .......Q..8.mp..
0040  94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67   .r......thing.jpg
0050  55 54 09 00 03 d3 e3 cf 5f e7                     UT......_.     

Script:

awk '{x="";x=substr($0,5,50);gsub(/ +/,"",x);print x}' nontrimmed.txt > raw.txt

tr -d "\n" < raw.txt > newraw.txt

Result:

cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f56302080010b400000000504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f5630208005b5000000000e3cf5f75780b000104e803000004e80300003bc....ect

However, I would like to get a specific number of bytes every x characters, i.e.:

ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00
00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5 63 02 08
00 10 b4 00 00 00 00 50 4b 03 04 14 0
08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00
94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67
55 54 09 00 03 d3 e3 cf 5f e7

would become this:

504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7

instead of this:

cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f56302080010b400000000504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7cafe0000babedead0000beef08004500004c0001000040019b48c0a801c8b9f5630208005b5000000000e3cf5f75780b000104e803000004e80300003bc....ect

But for multiple different ones of the same format:

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00   c.........PK....
0030  09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00   .......Q..8.mp..
0040  94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67   .r......flag.jpg
0050  55 54 09 00 03 d3 e3 cf 5f e7                     UT......_.

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b   c...[P......_ux.
0030  00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7   ............;.}.
0040  30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa   0..S...:..L|....
0050  54 86 4d 24 19 58 c5 a9 b1 4d                     T.M$.X...M

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf   c...>......VL...
0030  42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67   B"*R.u......+..g
0040  74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8   tZ.p..'5!....^..
0050  56 f9 05 05 3d 3e 80 3f 68 23                     V...=>.?h#

Any ideas? Thanks!

4

1 Answer

3

Is this what you're trying to do?

$ awk -v OFS= '{$1=$NF=""; x=x $0} END{print substr(x,85)}' file
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7

The above was run against your "original format" input file:

$ cat file
0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00   c.........PK....
0030  09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00   .......Q..8.mp..
0040  94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67   .r......thing.jpg
0050  55 54 09 00 03 d3 e3 cf 5f e7                     UT......_.

If your input file can contain multiple records, then:

$ awk -v OFS= '{$1=$NF=""; $0=$0; x=x $0} !NF{print substr(x,85); x=""} END{print substr(x,85)}' file
504b030414000900080092ac8851e2f538a16d7003009472030008001c00666c61672e6a70675554090003d3e3cf5fe7
e3cf5f75780b000104e803000004e80300003bc17db7300bce531e99d23a1b834c7cbecdeffa54864d241958c5a9b14d
dd564c0011bf42222a528675010ae29090f52becd067745a177005b6273521cf98fba25e82a856f905053d3e803f6823

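The second script was run against the block of 3 records under "But for multiple different ones of the same format:" at the end of your question, but you did not provide the expected output for it, so note that this may or may not be the expected output: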

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00   c.........PK....
0030  09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00   .......Q..8.mp..
0040  94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67   .r......flag.jpg
0050  55 54 09 00 03 d3 e3 cf 5f e7                     UT......_.

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 5b 50 00 00 00 00 e3 cf 5f 75 78 0b   c...[P......_ux.
0030  00 01 04 e8 03 00 00 04 e8 03 00 00 3b c1 7d b7   ............;.}.
0040  30 0b ce 53 1e 99 d2 3a 1b 83 4c 7c be cd ef fa   0..S...:..L|....
0050  54 86 4d 24 19 58 c5 a9 b1 4d                     T.M$.X...M

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 3e f4 00 00 00 00 dd 56 4c 00 11 bf   c...>......VL...
0030  42 22 2a 52 86 75 01 0a e2 90 90 f5 2b ec d0 67   B"*R.u......+..g
0040  74 5a 17 70 05 b6 27 35 21 cf 98 fb a2 5e 82 a8   tZ.p..'5!....^..
0050  56 f9 05 05 3d 3e 80 3f 68 23                     V...=>.?h#
Answered 2020-12-18T13:41:58.627
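
The answer's `substr(x,85)` hard-codes a 42-byte header (14 Ethernet + 20 IPv4 + 8 ICMP). The following is an added example, not part of the original question or answer, that generalizes it: it reads the hex by column position, as the question's own `substr` did, and derives the payload offset from the IPv4 IHL field, so records with IP options are still cut correctly and non-ICMP records are skipped. It assumes Ethernet II frames without VLAN tags and the column layout shown in the question; `icmp_payloads` and `sample_dump` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post. Records are separated by blank lines.
icmp_payloads() {
  awk '
    function hexval(c) { return index("0123456789abcdef", c) - 1 }
    function flush(   ihl) {
      # Ethernet II + IPv4: EtherType 0800 at bytes 12-13, then version nibble 4
      if (x != "" && substr(x, 25, 5) == "08004") {
        ihl = hexval(substr(x, 30, 1)) * 4       # IPv4 header length in bytes
        # frame byte 23 is the IPv4 protocol field; 01 = ICMP
        if (ihl >= 20 && substr(x, 47, 2) == "01") {
          print substr(x, 2 * (14 + ihl + 8) + 1)  # skip the 8-byte ICMP header
        } else { skipped++ }
      } else if (x != "") { skipped++ }
      x = ""
    }
    /^[ \t]*$/ { flush(); next }
    {
      h = tolower(substr($0, 7, 47))   # hex columns 7-53; ASCII column is ignored
      gsub(/[^0-9a-f]/, "", h)
      x = x h
    }
    END {
      flush()
      if (skipped) printf "skipped %d non-ICMP record(s)\n", skipped > "/dev/stderr"
    }
  '
}

# Record 1 is the first dump from the question. Record 2 is constructed:
# IHL=6 (4 option bytes), documentation addresses, checksums left as zero.
sample_dump() {
  cat <<'EOF'
0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 45 00   ..............E.
0010  00 4c 00 01 00 00 40 01 9b 48 c0 a8 01 c8 b9 f5   .L....@..H......
0020  63 02 08 00 10 b4 00 00 00 00 50 4b 03 04 14 00   c.........PK....
0030  09 00 08 00 92 ac 88 51 e2 f5 38 a1 6d 70 03 00   .......Q..8.mp..
0040  94 72 03 00 08 00 1c 00 66 6c 61 67 2e 6a 70 67   .r......flag.jpg
0050  55 54 09 00 03 d3 e3 cf 5f e7                     UT......_.

0000  ca fe 00 00 ba be de ad 00 00 be ef 08 00 46 00   ..............F.
0010  00 24 00 01 00 00 40 01 00 00 c0 00 02 01 c0 00   .$....@.........
0020  02 02 01 01 01 00 08 00 00 00 00 00 00 00 50 4b   ..............PK
0030  03 04                                             ..
EOF
}
sample_dump | icmp_payloads
```

For the first record the output matches the answer's `substr(x,85)` result; for the constructed second record a fixed offset of 85 would have included the four option bytes and the ICMP header in the "payload".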