Capture packets from host via tcpdump if Nmap shows certain ports are open
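#!/usr/bin/env bash
#
# pcapture.sh - capture traffic from hosts that an Nmap scan reports with
# specific TCP ports open.
#
# Reads an Nmap normal-output file (the "Nmap scan report for ..." format),
# collects every host that has one of the ports in bad_ports open, builds a
# tcpdump capture filter ("host X or host Y ...") and writes the capture to a
# .pcap named after the input file.  The current example watches TCP/21-23;
# edit the bad_ports array to change that.
#
# usage: ./pcapture.sh <nmap_result_file.txt> [interface]
#   interface defaults to eth0.
# env:   PACKET_COUNT - number of packets to capture (default 1000).
#
# tcpdump needs raw-socket privileges, so it is run through sudo.
set -euo pipefail

# TCP ports whose "open" state selects a host for capture.
readonly -a bad_ports=("21" "22" "23")
# How many packets tcpdump collects before it stops (-c).
readonly PACKET_COUNT="${PACKET_COUNT:-1000}"

die() { printf '%s\n' "$*" >&2; exit 1; }

usage() {
  printf 'usage: %s <nmap_result_file.txt> [interface]\n' "${0##*/}" >&2
  exit 2
}

#######################################
# Print, one per line and de-duplicated, the address of every host in an Nmap
# normal-output file that has one of bad_ports open.
# Globals:   bad_ports (read)
# Arguments: $1 - path to the Nmap result file
# Outputs:   host addresses on stdout
#######################################
extract_hosts() {
  local hostfile=$1
  # A single awk pass remembers the current "Nmap scan report for" host and
  # emits it whenever a matching port line is open, so a host is found no
  # matter how far its port line sits below the report header (the previous
  # "grep -B 8" window missed hosts with many port lines).  The report line
  # ends in either "1.2.3.4" or "name (1.2.3.4)"; the last field is the address
  # in both forms once the parentheses are stripped, whereas cutting on "("
  # returned the whole line when no hostname was resolved.  Port lines look
  # like "22/tcp open ssh"; "open|filtered" is accepted as well, as before.
  # The port list is passed with -v rather than spliced into the program text.
  awk -v ports="${bad_ports[*]}" '
    BEGIN {
      n = split(ports, want, " ")
      for (i = 1; i <= n; i++) want_port[want[i] "/tcp"] = 1
    }
    /^Nmap scan report for / {
      host = $NF
      gsub(/[()]/, "", host)
    }
    ($1 in want_port) && $2 ~ /^open/ && host != "" { print host }
  ' "$hostfile" | LC_ALL=C sort -u
}

#######################################
# Join host addresses into a tcpdump capture filter.
# Arguments: one host address per argument
# Outputs:   "host A or host B or ..." on stdout (empty for no arguments)
#######################################
build_filter() {
  local expr="" host
  for host in "$@"; do
    expr="${expr:+${expr} or }host ${host}"
  done
  printf '%s' "$expr"
}

main() {
  (( $# >= 1 )) || usage
  local hostfile=$1
  local iface=${2:-eth0}
  [[ -r "$hostfile" ]] || die "cannot read ${hostfile}"
  # Name the capture after the input with its last extension swapped for
  # .pcap; stripping only the last extension keeps a leading "./" intact
  # (cut -d. -f1 turned "./scan.txt" into ".pcap").
  local pcapfile="${hostfile%.*}.pcap"

  # Hosts are collected in memory instead of via predictable "tempfile"
  # names in the working directory, which also stops stale results from an
  # earlier run being appended to the current one.
  local -a hosts=()
  local host
  while IFS= read -r host; do
    # The addresses end up inside the tcpdump filter expression, so accept
    # only IPv4/IPv6 address characters and drop anything else from the file.
    if [[ "$host" =~ ^[0-9A-Fa-f.:]+$ ]]; then
      hosts+=("$host")
    else
      printf 'warn: skipping unexpected host token %q\n' "$host" >&2
    fi
  done < <(extract_hosts "$hostfile")
  # An empty filter expression would make tcpdump capture everything on the
  # interface, so stop here rather than run it with no hosts.
  (( ${#hosts[@]} > 0 )) \
    || die "no host in ${hostfile} has TCP/${bad_ports[*]} open; nothing to capture"

  local filter
  filter=$(build_filter "${hosts[@]}")
  # Capture filter syntax: tcpdump "host X or host Y or host Z".
  sudo tcpdump -c "${PACKET_COUNT}" -i "${iface}" -w "${pcapfile}" "${filter}"
}

main "$@"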