My router is hammered (like everyone's) and I am curious as to country attribution (excluding obvious VPN contaminants).
I have a live log feed that I am piping through grep to extract the source IP address. From there I am going to pipe that to whois and gain country of origin through another grep.
The stream comes in via port 514. I am using nc, piped to grep using a regex, but I am only getting the IP address with a prefix of SRC. This line works:
| grep --line-buffered -E -o "SRC=([0-9]{1,3}[\.]){3}[0-9]{1,3}"
but the output is SRC=255.255.255.255.
I tried the regex
| grep --line-buffered -E -o "(?<=SRC=)(.*)(?= DST)"
for everything between "SRC=" and " DST=". But grep produces nothing. As soon as I add a lookbehind, grep produces nil.
Here is an example from the feed (IP addresses obscured):
<4>Mar 13 08:19:09 kernel: DROP IN=ppp0 OUT= MAC= SRC=255.255.255.255 DST=255.255.255.255 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=34600 DPT=23 SEQ=282018820 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
I've tested the regex online with (?<=SRC=)(.*)(?= DST) and it works there, but not on the CLI.
What am I missing?
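The extraction described in the post, as an added example that is not part of the original question: grep -E uses POSIX ERE, which has no lookaround at all, so a (?<=SRC=) pattern matches nothing, while a sed back-reference does the same job with no PCRE and GNU grep's -P option switches to a PCRE engine where the lookbehind works. The sample log lines and their addresses below are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Pull the SRC address out of
# kernel DROP lines without relying on lookbehind, then count hits per
# address so each one is looked up in whois once rather than once per line.

# Constructed sample feed: three DROP lines and one ACCEPT line that must be
# ignored. Addresses are documentation ranges, not real sources.
SAMPLE_LOG='<4>Mar 13 08:19:09 kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=34600 DPT=23 SEQ=282018820 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0
<4>Mar 13 08:19:10 kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=UDP SPT=5353 DPT=5353
<4>Mar 13 08:19:11 kernel: ACCEPT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 PROTO=TCP SPT=40000 DPT=22
<4>Mar 13 08:19:12 kernel: DROP IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=44321 DPT=23'

# One source address per DROP line read from stdin, using POSIX sed (BRE):
# the back-reference \1 captures a.b.c.d and the rest of the line is dropped.
# Lines without " DROP " or without a well-formed SRC= field print nothing.
drop_src_ips() {
    sed -n 's/.* DROP .*SRC=\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) .*/\1/p'
}

# The same extraction with GNU grep's PCRE engine, where lookbehind and
# lookahead do work. Needs a grep built with -P support; not exercised below.
drop_src_ips_pcre() {
    grep --line-buffered -P -o '(?<=SRC=)[0-9.]+(?= DST=)'
}

# Hit count per source address, most frequent first. Feed this to whois
# (one lookup per distinct address) instead of the raw line stream.
top_sources() {
    drop_src_ips | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | top_sources
```

On a live feed, keep --line-buffered on the grep stage (or use sed -u with GNU sed) so addresses appear as lines arrive rather than when a buffer fills.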