I'm trying to write a script used on a buffer box that does full packet capture of network traffic. As it's for a fairly big network we split the captures into 100MB segments. At times of high network traffic oftentimes over a one minute period we will have multiple pcaps which cover that period.

So what I want to do is have a bash script that lets the analyst who is searching for something specify a date and time and how many minutes either side of it they want to search for files. Obviously I can do something like this -

ls -al | grep "Dec  1" | grep 02:00
ls -al | grep "Dec  1" | grep 02:01

and so on, get each result and grep each file individually for the specific keyword I'm looking for, but I'd like to be able to do a wider search for all files created within a time range and then grep each of them for the keyword.

I'm not entirely sure how to do that, any help would be appreciated.

Steve
  • You want files in a time range or want log in time range in the files ? – PasteBT Dec 01 '13 at 02:32
  • `find` is your friend, with the `-ctime`, `-newer` and/or `-mtime` options (among others). This, piped into `xargs` is a favorite idiom to grab a bunch of files based on some criteria, then do things to them. – Eric Dec 01 '13 at 02:35
  • What I want is for an analyst to say 1st December at 11:00am with a keyword of "foo" searching 5 minutes either side. The script should find all files created between 10:55am and 11:05am and grep them for the keyword "foo" – Steve Dec 01 '13 at 02:37
  • Possible duplicate of: http://stackoverflow.com/questions/12735182/linux-find-files-after-and-before-a-particular-file – vangelion Dec 01 '13 at 03:00

4 Answers

find . -maxdepth 1 -newermt "2013-10-28 00:00:00" ! -newermt "2013-10-29 00:00:00"
Steve

What I want is for an analyst to say 1st December at 11:00am with a keyword of "foo" searching 5 minutes either side. The script should find all files created between 10:55am and 11:05am and grep them for the keyword "foo"

This script uses touch -d to create temporary files with time stamps of the start and end of the time range, because older versions of find have only the option -newer, not -newermt, and touch -d conveniently allows using the given time specification (with little modification) together with the minutes adjustment. The necessary modifications to the given date are done with sed and consist of moving the day after the month and removing suffixes such as st or nd as well as the word at.

read -p 'date and time: ' dat
read -p '+/- minutes: ' min
read -p 'keyword: ' key
# "1st December at 11:00am" -> "December 1 11:00am", a form touch -d understands
dat=$(sed 's/\([0-9]\+\)\(st\|nd\|rd\|th\|\) \([^ ]*\)/\3 \1/; s/at //' <<<"$dat")
# reference files carrying the window boundaries; mktemp avoids touching a
# predictable /tmp name that another user could have pre-created as a symlink
from=$(mktemp) && to=$(mktemp) || exit 1
touch -d "$dat $min min" "$to"
touch -d "$dat -$min min" "$from"
# files modified after $from and not after $to, each grepped for the keyword;
# -print0/-0 keep file names containing spaces or newlines intact
find . -type f -newer "$from" ! -newer "$to" -print0 | xargs -0 -r grep "$key"
rm -f "$from" "$to"
Armali
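The same search, written out as a small reusable script. This is an added example and not code from the original thread; it assumes GNU find (-newermt, -print0), GNU date (-d) and GNU sed (-E), as found on a typical Linux capture box, and the capture directory and file names in the comments are hypothetical. Compared with the answer above it computes the window with date instead of reference files, refuses to treat the analyst's keyword as a regex, and prints only the names of matching capture files:

```shell
#!/bin/sh
# Added example (not from the original thread): find capture files whose mtime
# falls within +/- N minutes of an analyst-supplied time, then grep them for a keyword.
# Assumes GNU find (-newermt, -print0), GNU date (-d) and GNU sed (-E).
# The capture directory used in the usage comment is hypothetical.

# Turn "1st December at 11:00am" into "December 1 11:00am", the form GNU date parses.
# Inputs that already start with a full date, e.g. "2013-12-01 11:00", are left alone
# because the pattern is anchored at the start and requires a month name after the day.
normalise_date() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+)(st|nd|rd|th)? ([A-Za-z]+)/\3 \1/; s/ at / /'
}

# Print "start|end" for a centre time and a +/- minute count, in a format that
# find -newermt accepts. "ago" is used instead of a leading "-" so the offset
# cannot be misread by date as a time-zone correction.
window_bounds() {
    local centre minutes start end
    centre=$(normalise_date "$1")
    minutes=$2
    start=$(date -d "$centre $minutes minutes ago" '+%Y-%m-%d %H:%M:%S') || return 1
    end=$(date -d "$centre $minutes minutes" '+%Y-%m-%d %H:%M:%S') || return 1
    printf '%s|%s\n' "$start" "$end"
}

# NUL-separated list of regular files directly in DIR modified after the window
# start and not after its end. -newermt means "strictly newer than", so a file
# stamped exactly at the window start is excluded.
files_in_window() {
    local dir="$1" bounds
    bounds=$(window_bounds "$2" "$3") || return 1
    find "$dir" -maxdepth 1 -type f \
        -newermt "${bounds%%|*}" ! -newermt "${bounds#*|}" -print0
}

# Names of the in-window files that contain KEYWORD. -a searches the binary pcaps
# as text, -F matches literally (analyst input is not a regex), -l prints names
# only, and -0/-r on xargs keep odd file names safe and skip grep when the window
# is empty. The "--" stops a keyword such as "-v" from being taken as an option.
search_window() {
    local dir="$1" centre="$2" minutes="$3" keyword="$4"
    files_in_window "$dir" "$centre" "$minutes" \
        | xargs -0 -r grep -laF -- "$keyword"
}

# Usage (directory is hypothetical):
#   search_window /var/captures '1st December at 11:00am' 5 foo
```

One caveat for rolling captures: a segment's mtime is the moment it was closed, so a 100MB file stamped a minute after the window may still hold packets from inside it. Widening the window by the typical segment duration, or also taking the first file after the window, covers that. grep only sees plaintext payload; for anything compressed or encrypted a protocol-aware tool has to read the pcap instead.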

Check out find with the -cmin or -ctime arguments.

So, for example,

find -iname "*.log" -mtime +30 -mtime -90 -exec grep plasma {} \;

would find files ending in ".log" which were modified more than 30 days ago but less than 90 days ago, then run each such file through grep looking for the word "plasma".

vangelion
  • If you're not going to provide a more complete answer, then this should be a comment. – Jim Garrison Dec 01 '13 at 02:35
  • I've looked into this, but I don't want to look X minutes back, I need to look for files of a specific date and between 2 times. See my comment above. – Steve Dec 01 '13 at 02:39
  • find . -maxdepth 1 -newermt "2013-10-28 00:00:00" ! -newermt "2013-10-29 00:00:00" – Steve Dec 01 '13 at 02:53

Say you want 20131130 from 0100 to 0130 - This does that with find:

touch -t 201311300100 dummy1
touch -t 201311300130 dummy2
find /path/to/logs -type f \( -newer dummy1 -a ! -newer dummy2 \) -name '*.log'

the 201311300100 bit is a touch timestring. I posted the most vanilla version I know because of the UNIX tag....

jim mcnamara