抓取默认网关sh脚本错误

Question

我编写了用于监控默认网关的MAC地址的脚本，并在发现ARP攻击时发出警报。但我在执行过程中遇到了一些错误。

我不能用te正则表达式返回结果。这是针对linux脚本的

#!/bin/bash
function getmac {
dg = netstat -rn | grep -Eo 'default.*([0-9]{1,3}\.){3}[0-9]{1,3}'  #grab the default gateway (DG)
dg_ip= $dg | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'         #strip the DG to just IP
dg_arp = arp -a | grep -w $dg_ip                                    #grab the arp entry for DG
dg_mac=$(echo $dg_arp | grep -Eo '[0-9a-f]{1,2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}[:-][0-9a-f]{2}') #strip the ARP entry to just the MAC
echo "netstat shows "$dg
echo "DG IP shows "$dg_ip
echo "arp shows "$dg_arp
echo "DG MAC shows "$dg_mac
}

提前感谢并对我的英语表达歉意。

Answer 1

我建议您使用像arpwatch这样的工具。

但是，正如您所请求的帮助，我已经准备了一个bash函数，它应该可以完成您正在寻找的功能：

#!/bin/bash

# The function expects an interface name
# such as 'eth0' as param
#
function getmac {
    interface="$1"
    # grab the ip of the default gateway
    dg=`route -n | grep UG | grep "$interface"`
    # extract the IP from netstat's output
    dg_ip=`echo "$dg" | awk '{print $2}'`
    # grab the arp entry for default gateway
    dg_arp=`arp -a "$dg_ip"`                                    
    # strip the ARP entry to just the MAC
    dg_mac=`echo "$dg_arp" | awk '{print $4}'`

    # output
    echo "netstat shows $dg"
    echo "DG IP shows $dg_ip"
    echo "arp shows $dg_arp"
    echo "DG MAC shows $dg_mac"
}

# test it with eth0
getmac "eth0"