Linux Shell Survival Guide v2.3
POCKET REFERENCE GUIDE
SANS Institute by Phil Hagen
http://computer-forensics.sans.org http://lewestech.com

Purpose
This guide is a supplement to SANS FOR572: Advanced Network Forensics and Analysis. It covers some of what we consider the more useful Linux shell primitives and core utilities. These can be exceedingly helpful when automating analysis processes, generating output that can be copied and pasted into a report or spreadsheet document, or supporting quick-turn responses when a full tool kit is not available.
Remember: If you can make it happen in a shell over a lag-ridden SSH connection, there is a better chance of being the lethal forensicator when it really matters!

How To Use This Document
Linux has been around since 1991, and its *NIX parents since 1969. This handout cannot begin to scratch the surface of the great and powerful things you can do with nothing more than a shell prompt and some moxie. Use this document as a “memory jog” for some of the capabilities of the more commonly used tools in this course and in the forensic workflow in general.
Dig into the details of each tool’s features through its manual pages (aka “man pages”) and other online and offline references. We think you will find the shell to be as powerful as the GUI, and in some cases a far superior alternative – especially for scalability and automation.

Use The Force
BASH provides many functions to improve your accuracy, speed, and efficiency – know and use them!

Tab Completion
Hit the <TAB> key to expand the first few characters of a command, directory name, filename, or variable name. If there is more than one possible option, it will complete as far as possible. Press <TAB> again to see the possible completion options.

Standard Variables
~       An alias for the current user’s home directory (also available as $HOME)
$PATH   The command search path
$?      The exit value of the previous command
$PWD    The current working directory

Command History
Cycle through previous commands by pressing the up and down arrows. Use the history command to see a list of the command history buffer. (BASH writes this buffer to ~/.bash_history upon exiting, overwriting any existing contents.) Press Ctrl-R to search through history for commands that match a search string.

Working On The Chain Gang
Linux prefers small, single-purpose functions and utilities. Chain them together with the “pipe”, which sends the output of one command into the next as input.
$ grep pattern input.txt | sort | uniq -c
Iteratively build a series of commands to create output that definitively addresses your requirements.

Order in the Court
sort    Sort lines alphabetically or numerically
$ sort input.txt
-n      Sort numerically (5 before 10)
-r      Reverse sort order
-k      Specify an alternate sort field
-t      Specify a field delimiter for -k (default

De-Duplication
uniq    Only print consecutive matching lines once
$ grep pattern input.txt | uniq
-c      Print the count of consecutive lines
Remember: Only finds consecutive matching lines! Most useful with input piped from the sort command.
$ grep pattern input.txt | sort | uniq

Searching: Where For Art Thou?
grep    Print lines matching a pattern
$ grep pattern input.txt
-i      Case-insensitive pattern matching
-v      Print lines that do not match
-c      Count matching lines instead of printing them
-l      Print filenames containing matching lines
-h      Do not include filenames when searching multiple input files (e.g. output*.txt)

Redirect Output: I Don’t Want to Hear You
Redirect output to a file instead of the shell itself with the “greater than” character. (Warning: Overwrites any existing contents!)
$ grep pattern1 input.txt > results.txt
Append to existing files with “double greater than”.
$ grep pattern2 input.txt >> results.txt
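The grep | sort | uniq -c chain, the "uniq only collapses consecutive lines" caveat, and the > versus >> redirection rules above, worked through on a constructed access-log sample. This is an added example, not part of the SANS handout: the log lines, IP addresses and function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the SANS handout): chaining grep, sort, uniq and
# redirection over a constructed web-server access log sample.

# Constructed sample data: eight access-log style lines, status code last.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html" 200
10.0.0.7 - - [01/Jan/2024:10:00:02] "GET /admin" 404
10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /login" 404
10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /index.html" 200
10.0.0.7 - - [01/Jan/2024:10:00:05] "GET /old.html" 404
10.0.0.5 - - [01/Jan/2024:10:00:06] "GET /admin" 404
10.0.0.5 - - [01/Jan/2024:10:00:07] "GET /setup" 404
10.0.0.9 - - [01/Jan/2024:10:00:08] "GET /robots.txt" 404'

# Count 404 responses per client IP, most frequent first.
# grep selects the lines, awk keeps field 1 (the client IP), sort groups
# identical IPs so that uniq -c can count them, and sort -rn orders by the
# count column. The final awk normalises uniq's padded "count ip" output
# to "ip count" so the result is easy to compare.
count_404_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep ' 404$' \
        | awk '{ print $1 }' \
        | sort \
        | uniq -c \
        | sort -rn \
        | awk '{ print $2, $1 }'
}

# The uniq gotcha from the De-Duplication section: without a preceding sort,
# only *consecutive* duplicates collapse, so the same IP shows up several
# times with partial counts (five output lines here instead of three).
count_404_by_ip_unsorted() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep ' 404$' \
        | awk '{ print $1 }' \
        | uniq -c \
        | awk '{ print $2, $1 }'
}

# Redirection: > creates or truncates the file, >> appends to it.
# Writes the 200s (2 lines) with >, appends the 404s (6 lines) with >>,
# and returns the resulting line count (8) so the difference is visible.
redirect_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" | grep ' 200$' > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | grep ' 404$' >> "$tmp"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

count_404_by_ip
```

The same pipeline shape works on real logs by replacing the printf with the file name as grep's argument (grep ' 404$' access.log | ...); the habit to keep is that sort always precedes uniq when complete counts matter.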
FOR572HANDOUT_LSSG_V2.3_E02_03
No Packets, No Party
tcpdump   Dump network traffic
$ sudo tcpdump -n -s 0 -i eth0 '<BPF filter>'
$ tcpdump -n -r input.pcap -w output.pcap '<BPF filter>'
-n      Prevent DNS lookups on IP addresses. Use twice to also prevent port-to-service lookups
-r      Read from pcap file instead of the network
-w      Write packet data to a file
-D      Enumerate network interfaces
-i      Specify the network interface on which to capture
-s      Number of bytes per packet to capture
-C      Number of megabytes to save in a capture file before starting a new file
-G      Number of seconds to save in each capture file (requires time format in output filename)
-W      Used with the -C or -G options, limit the number of rotated files (see man page for detailed usage)
-x      Display packet contents in hex
tcpdump requires root privileges to capture network traffic promiscuously. User-level permissions are sufficient for manipulating existing capture files.
See the pcap-filter man page for information on building BPFs to control captured traffic.

Go With The (Net)Flow
nfdump    Process NetFlow data from files on disk
$ nfdump -R ./ -O tstart -o extended
-R      Recursively read data from the specified directory
-r      Read data from a single nfcapd file
-a      Aggregate by src+dst IP, src+dst port, protocol
-A      Specify custom aggregation
-t      Time window, in “YYYY/MM/DD.hh:mm:ss” format (See man page for additional details)
-s      Generate “TopN” statistics
-O      Specify output ordering
-o      Specify output format (line, long, extended, or custom). Custom formatting uses “fmt:<format string>” syntax, where “<format string>” defines values displayed (see man page for full list).
%ts     Start time
%te     End time
%td     Duration
%pr     Protocol
%sa     Source address
%da     Destination address
%sap    Source IP:port
%dap    Destination IP:port
%sp     Source port
%dp     Destination port
%sas    Source ASN
%das    Destination ASN
%pkt    Packet count
%byt    Byte count
%fl     Flow count
%flg    TCP flags
%bps    Bits per second
%pps    Packets per second
%bpp    Bytes per packet

GUI-less Packet Spelunking
tshark    Dump and analyze network traffic (aka “Wireshark in the shell”)
$ tshark -n -r in.pcap -Y '<disp filter>'
-n      Prevent DNS and port lookups
-r      Read from pcap file instead of the network
-w      Write output to a pcap file instead of the terminal
-T      Output format (text, fields, etc.)
-e      With “-T fields”, add a field to the output
-Y      Protocol-aware display filter to apply
-z      Statistical output modes – see man page
See the wireshark-filter man page for information on building protocol-aware display filters.

Bring Out the Big Guns
awk       Pattern scanning and processing language
Seriously powerful stuff™!
$ awk -F ',' '{ print $1,$6,$3 }' in.txt
-F      Specify input field separator (default is space)
Input and output field separators can be specified in the awk script itself with the FS and OFS variables. Set them in a BEGIN block so they apply to the first record as well (a change to FS made in the main action only takes effect from the next record):
$ awk 'BEGIN { FS = ","; OFS = "\t" } { print $2,$4 }' in.txt