    1 #!/bin/bash
    2 #
    3 # description: Firewall-log filter script (arno-fwfilter)
    4 # Last update: March 20, 2015
    5 
    6 # Usage examples (make sure arno-fwfilter is executable!):
    7 # --------------------------------------------------------
    8 # Static firewall log filtering                         : cat /var/log/messages |arno-fwfilter
    9 # or
   10 # Static firewall log filtering                         : cat /var/log/arno-iptables-firewall |arno-fwfilter
   11 # Realtime firewall logging on TTY10                    : tail --follow /var/log/messages |fwfilter >/dev/tty10 &
   12 # Example on how to disable kernel debug logging        : cat /var/log/messages |grep -v kernel |arno-fwfilter
   13 # Email firewall logs to root                           : cat /var/log/arno-iptables-firewall |arno-fwfilter --html-output --no-colors |mail -s "Firewall Log" -a "Content-Type: text/html; charset=us-ascii" root
   14 
   15 # ------------------------------------------------------------------------------------------
   16 #                     -= Arno's Iptables Firewall(AIF) =-
   17 #                  Firewall-log filter script (arno-fwfilter)
   18 #
   19 # (C) Copyright 2001-2015 by Arno van Amersfoort
   20 # Homepage              : https://rocky.eld.leidenuniv.nl/
   21 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   22 #                         (note: you must remove all spaces and substitute the @ and the .
   23 #                          at the proper locations!)
   24 # ------------------------------------------------------------------------------------------
   25 # Some of the information used to create this script was obtained from:
   26 # - http://ports.tantalo.net/
   27 # - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
   28 # - http://www.speedguide.net/ports.php
   29 # ------------------------------------------------------------------------------------------
   30 # This program is free software; you can redistribute it and/or
   31 # modify it under the terms of the GNU General Public License
   32 # version 2 as published by the Free Software Foundation.
   33 
   34 # This program is distributed in the hope that it will be useful,
   35 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   36 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   37 # GNU General Public License for more details.
   38 
   39 # You should have received a copy of the GNU General Public License
   40 # along with this program; if not, write to the Free Software
   41 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   42 # -------------------------------------------------------------------------------------------
   43 
   44 # Options:
   45 ##########
   46 
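# Enable this option if you want to resolve IP addresses to names (requires "dig")
RESOLVE_NAMES=1

# Enable this option if you want to (try to) obtain the IPs geographical location (can be very slow!) (requires "curl")
SHOW_LOCATION=0

# Enable this option if you want to resolve both the source and target host when doing location/name lookups (slower)
FULL_INFO=0

# Enable this option to use ANSI colors (increases readability)
USE_ANSI_COLORS=1

# Enable this if you want the output to be (colored) html formatted (for emails etc.)
USE_HTML=0

# Enable this if you want to put all information on a single line
USE_1ROW=0

# Use this variable if your awk binary is in a non-default location (use 'locate awk' or 'whereis
# awk' to manually locate it).
AWK_BIN=""

#################################################################################################
# Parse commandline options (taken from the getopt examples from the Debian util-linux package) #
#################################################################################################

# Print the option summary (the -h/--help output) to stdout.
print_help() {
  echo "Options:"
  echo "-h, --help         - Print this help"
  echo "-r, --no-resolve   - Disable resolving of IPs to names"
  echo "-o, --html-output  - Use basic HTML to format the output"
  echo "-l, --no-locations - Disable obtaining the IPs geographical location"
  echo "-c, --no-colors    - Disable the use of (ANSI) colors in the output"
  echo "-s, --single-line  - Put all information about an event in a single line"
}

# "$@" lets each command-line parameter expand to a separate word; the quotes
# are essential. getopt's exit status is checked on the assignment itself,
# before 'eval set --' could clobber it. The short option string lists one
# letter per option; the earlier "h,r,o,l,c,s" form also made "," an
# accepted (meaningless) option character.
if ! CLOPTS=$(getopt -o hrolcs --long help,no-resolve,html-output,no-locations,no-colors,single-line -n 'arno-fwfilter' -- "$@"); then
  echo "Terminating..." >&2
  exit 1
fi

# The quotes around "$CLOPTS" are essential: getopt has already quoted the
# individual words for re-parsing by the shell.
eval set -- "$CLOPTS"

while true; do
  case "$1" in
    -r|--no-resolve)   RESOLVE_NAMES=0; shift ;;
    -o|--html-output)  USE_HTML=1; shift ;;
    -l|--no-locations) SHOW_LOCATION=0; shift ;;
    -c|--no-colors)    USE_ANSI_COLORS=0; shift ;;
    -s|--single-line)  USE_1ROW=1; shift ;;
    -h|--help)         print_help; exit 0 ;;   # nothing left to do
    --)                shift; break ;;
    *)                 echo "Internal error!" >&2; exit 1 ;;
  esac
done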
  107 
# Auto-detect the awk binary when AWK_BIN was left empty above. The
# candidates are tried in this fixed order and the first executable one is
# taken, so gawk wins over a plain awk in the same directory.
if [ -z "$AWK_BIN" ]; then
  for awk_candidate in /bin/gawk /usr/bin/gawk /bin/awk /usr/bin/awk; do
    if [ -x "$awk_candidate" ]; then
      AWK_BIN=$awk_candidate
      break
    fi
  done
  unset -v awk_candidate
fi
  125 
  126 if [ -z "$AWK_BIN" ]; then
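  echo "ERROR: Could not locate the AWK binary (is it installed?)." >&2
  echo "You may want to configure it yourself inside this script." >&2
  # Nothing below can run without awk; make the failure visible in the exit
  # status instead of ending with status 0 after an error message.
  exit 1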
  129 else
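  # Test what awk version is used (gawk, mawk etc...). mawk answers
  # "-W version" with a banner that contains "mawk"; the program below uses
  # gawk extensions (strtonum), so mawk is refused up front.
  # AWK_BIN is deliberately left unquoted so that it may carry arguments.
  # shellcheck disable=SC2086
  if $AWK_BIN -W version 2>/dev/null | grep -qi mawk; then
    echo "The configured AWK binary is MAWK, which does not work with the script. Please use GAWK instead" >&2
    exit 1
  fi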
  137 
  # Open a minimal HTML document when --html-output is in effect; the
  # matching </body></html> is written after the awk program has finished.
  if [ "$USE_HTML" = "1" ]; then
    printf '%s\n' \
      '<html><head><title>Firewall Log</title>' \
      '<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head>' \
      '<body>'
  fi
  143 
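  # The awk program below does all the formatting. It is passed as one
  # single-quoted shell string, so it must not contain a single quote itself
  # (awk strings use the \047 escape where one is needed). The configuration
  # switches are handed in with -v; FULL_INFO is now included, it was
  # previously never passed to awk and therefore had no effect.
  # Log text is treated as untrusted: addresses are checked before they reach
  # dig/curl (both are started through a shell), lookup results are read back
  # with getline instead of being spliced into a shell printf format string,
  # and in HTML mode every field is escaped.
  # AWK_BIN is deliberately left unquoted so that it may carry arguments.
  # shellcheck disable=SC2086
  $AWK_BIN -v RESOLVE_NAMES="$RESOLVE_NAMES" -v SHOW_LOCATION="$SHOW_LOCATION" \
    -v FULL_INFO="$FULL_INFO" -v USE_ANSI_COLORS="$USE_ANSI_COLORS" \
    -v USE_1ROW="$USE_1ROW" -v USE_HTML="$USE_HTML" '

  # Port-number to service-name table
  ###################################
  # Filled once by portname_init() on the first lookup. The values are bare
  # names; portname_lookup() appends the port number in parentheses.
  # The name of port 31789 is written with \047 escapes because the whole
  # program sits inside a single-quoted shell string (the plain apostrophes
  # used before were silently eaten by the shell).
  function portname_init()
  {
     PORTNAME[0]="Invalid Port"
     PORTNAME[1]="SGI Irix TCPMUX"
     PORTNAME[7]="Echo-Server"
     PORTNAME[9]="Discard-Server"
     PORTNAME[11]="Unix Sysstat"
     PORTNAME[13]="Daytime-Server"
     PORTNAME[19]="Chargen"
     PORTNAME[20]="FTP-Data"
     PORTNAME[21]="FTP"
     PORTNAME[22]="SSH"
     PORTNAME[23]="Telnet"
     PORTNAME[25]="SMTP"
     PORTNAME[37]="Time"
     PORTNAME[43]="Who-IS"
     PORTNAME[53]="DNS"
     PORTNAME[59]="Ident"
     PORTNAME[67]="BootP Server"
     PORTNAME[68]="BootP Client"
     PORTNAME[69]="TFTP"
     PORTNAME[79]="Finger"
     PORTNAME[80]="HTTP"
     PORTNAME[88]="KRB5"
     PORTNAME[98]="LinuxConf"
     PORTNAME[109]="POP2"
     PORTNAME[110]="POP3"
     PORTNAME[111]="SunRPC/RPCbind"
     PORTNAME[113]="IDENT"
     PORTNAME[119]="NNTP News"
     PORTNAME[123]="NTP"
     PORTNAME[135]="MS RPC"
     PORTNAME[137]="SMB Name"
     PORTNAME[138]="SMB Data"
     PORTNAME[139]="SMB Session"
     PORTNAME[143]="IMAP"
     PORTNAME[161]="SNMP"
     PORTNAME[177]="XDMCP"
     PORTNAME[389]="LDAP"
     PORTNAME[427]="SLP"
     PORTNAME[443]="HTTPS"
     PORTNAME[445]="MSFT DS"
     PORTNAME[464]="KPASSWD"
     PORTNAME[465]="SMTP-SSL"
     PORTNAME[500]="Appleshare"
     PORTNAME[513]="Rwho"
     PORTNAME[515]="Printer"
     PORTNAME[520]="Route"
     PORTNAME[524]="NCP"
     PORTNAME[525]="TimeServer"
     PORTNAME[535]="CORBA IIOP"
     PORTNAME[554]="RealServer"
     PORTNAME[555]="phAse zero"
     PORTNAME[587]="SMTP-msa"
     PORTNAME[600]="PC Server Backdoor"
     PORTNAME[635]="Linux Mountd bug"
     PORTNAME[636]="LDAPs"
     PORTNAME[691]="MS-Exchange"
     PORTNAME[873]="Rsync"
     PORTNAME[990]="FTPs"
     PORTNAME[993]="IMAPs"
     PORTNAME[995]="POP3s"
     PORTNAME[1025]="NFS"
     PORTNAME[1026]="Windows-Message-Service"
     PORTNAME[1027]="Windows-Message-Service"
     PORTNAME[1080]="SOCKS"
     PORTNAME[1114]="SQL"
     PORTNAME[1214]="KaZaa"
     PORTNAME[1243]="Sub-7"
     PORTNAME[1394]="Network Log Client"
     PORTNAME[1433]="MS-SQL"
     PORTNAME[1434]="MS-SQL monitor"
     PORTNAME[1524]="Trin 00"
     PORTNAME[1662]="Netview-aix-2"
     PORTNAME[1723]="PPtP"
     PORTNAME[1883]="IBM MQSeries SCADA"
     PORTNAME[1900]="UPnP"
     PORTNAME[1999]="Backdoor-G or Sub-7 2.x"
     PORTNAME[2002]="Cisco Secure ACS WebServer"
     PORTNAME[2049]="NFS"
     PORTNAME[2243]="Magicom Protocol"
     PORTNAME[2343]="Nati logos"
     PORTNAME[2772]="Sub-7 ScreenCapture"
     PORTNAME[2773]="Sub-7 KeyLogger"
     PORTNAME[3127]="MyDoom Backdoor"
     PORTNAME[3128]="Squid"
     PORTNAME[3129]="Masters Paradise"
     PORTNAME[3268]="globalcat-LDAP"
     PORTNAME[3449]="HotU Chat"
     PORTNAME[3544]="Teredo IPv6-IPv4 Tunnel"
     PORTNAME[4500]="MS IPsec NAT-T"
     PORTNAME[4662]="eDonkey"
     PORTNAME[5000]="UPnP"
     PORTNAME[5060]="SIP"
     PORTNAME[5061]="SIP over TLS"
     PORTNAME[5222]="Jabber/xmpp-client"
     PORTNAME[5223]="Jabber-SSL"
     PORTNAME[5228]="Android Market"
     PORTNAME[5500]="VNC"
     PORTNAME[5554]="Sasser-backdoor"
     PORTNAME[5623]="pcAnywhere"
     PORTNAME[5800]="VNC-data"
     PORTNAME[5900]="VNC-HTTP"
     PORTNAME[5938]="Teamviewer"
     PORTNAME[6346]="GNUtella"
     PORTNAME[6670]="Deep Throat"
     PORTNAME[6711]="Sub-7"
     PORTNAME[6712]="Sub-7"
     PORTNAME[6713]="Sub-7"
     PORTNAME[6776]="Backdoor-G or Sub-7"
     PORTNAME[6969]="GateCrasher"
     PORTNAME[6970]="RealAudio"
     PORTNAME[7215]="Sub-7 Matrix Chat"
     PORTNAME[7777]="Unreal or Klingon Honor Guard"
     PORTNAME[7778]="Unreal Tournament"
     PORTNAME[8000]="Seafile-seahub"
     PORTNAME[8030]="iTunes Radio Streams"
     PORTNAME[8080]="HTTP Alternate"
     PORTNAME[8082]="Seafile-fileserver"
     PORTNAME[9100]="JetDirect"
     PORTNAME[9418]="Git"
     PORTNAME[10000]="Webadmin"
     PORTNAME[10001]="Seafile-ccnet"
     PORTNAME[10008]="Cheeseworm"
     PORTNAME[12001]="Seafile-service"
     PORTNAME[12345]="Netbus"
     PORTNAME[12346]="Netbus"
     PORTNAME[13223]="PowWow"
     PORTNAME[16660]="Stacheldraht"
     PORTNAME[16959]="Sub-7"
     PORTNAME[17027]="Conducent"
     PORTNAME[20002]="Acidkor"
     PORTNAME[20034]="Netbus 2 Pro"
     PORTNAME[21544]="Girlfriend"
     PORTNAME[22450]="Sin"
     PORTNAME[23456]="EvilFTP"
     PORTNAME[26000]="Quake"
     PORTNAME[26900]="Hexen 2"
     PORTNAME[26950]="Hexen World"
     PORTNAME[27015]="Half-life Or Team Fortress Classic"
     PORTNAME[27374]="Backdoor-G or Sub-7"
     PORTNAME[27444]="Trin 00"
     PORTNAME[27500]="Quake World"
     PORTNAME[27665]="Trin 00"
     PORTNAME[28910]="Heretic 2"
     PORTNAME[30100]="NetSphere"
     PORTNAME[31335]="Trin 00"
     PORTNAME[31337]="Back Orifice"
     PORTNAME[31338]="Back Orifice"
     PORTNAME[31789]="Hack\047a\047Tack"
     PORTNAME[33270]="Trinity v3"
     PORTNAME[41508]="Inoculan"
     PORTNAME[50505]="Sockets de Troi"
     PORTNAME[54283]="Sub-7 Spy port"
     PORTNAME[54320]="Back Orifice 2K"
     PORTNAME[54321]="Back Orifice 2K"
     PORTNAME[60001]="Stacheldraht"
     PORTNAME[65000]="Stacheldraht"
     PORTNAME_READY=1
  }

  # Returns "Name(port)" for port_str (the text after SPT=/DPT=). Exact
  # matches come from the PORTNAME table; the ranges below cover services
  # that use a block of ports. Unknown ports are returned as given.
  function portname_lookup(port_str,    port)
  {
     if (!PORTNAME_READY) portname_init()

     port=strtonum(port_str)

     if (port in PORTNAME) return(sprintf("%s(%i)", PORTNAME[port], port))

     if (port>=16384 && port<=16472) return(sprintf("Real-Time Transport Protocol(RTP) (%i)",port))
     if (port>=27910 && port<=27961) return(sprintf("Quake(%i)", port))
     if (port>=28000 && port<=28008) return(sprintf("Starsiege Tribes(%i)", port))
     if (port>=32770 && port<=32900) return(sprintf("SUN-RPC Portmapper(%i)",port))
     if (port>=33434 && port<=33600) return(sprintf("Traceroute?(%i)",port))

     # If nothing else matches just return the port number
     return(port_str)
  }

  # ICMP type/code to description table
  #####################################
  # Filled once by icmp_init() on the first lookup; keys are (type, code).
  function icmp_init()
  {
     ICMPNAME[0,0]="Echo reply"
     ICMPNAME[3,0]="Network unreachable"
     ICMPNAME[3,1]="Host unreachable"
     ICMPNAME[3,2]="Protocol unreachable"
     ICMPNAME[3,3]="Port unreachable"
     ICMPNAME[3,4]="Fragmentation needed but no frag. bit set"
     ICMPNAME[3,5]="Source routing failed"
     ICMPNAME[3,6]="Destination network unknown"
     ICMPNAME[3,7]="Destination host unknown"
     ICMPNAME[3,8]="Source host isolated"
     ICMPNAME[3,9]="Destination network administratively prohibited"
     ICMPNAME[3,10]="Destination host administratively prohibited"
     ICMPNAME[3,11]="Network unreachable for TOS"
     ICMPNAME[3,12]="Host unreachable for TOS"
     ICMPNAME[3,13]="Communication administratively prohibited by filtering"
     ICMPNAME[3,14]="Host precedence violation"
     ICMPNAME[3,15]="Precedence cutoff in effect"
     ICMPNAME[4,0]="Source quench"
     ICMPNAME[5,0]="Redirect for network"
     ICMPNAME[5,1]="Redirect for host"
     ICMPNAME[5,2]="Redirect for TOS and network"
     ICMPNAME[5,3]="Redirect for TOS and host"
     ICMPNAME[8,0]="Echo request"
     ICMPNAME[9,0]="Router advertisement"
     ICMPNAME[9,16]="Does not route common traffic"
     ICMPNAME[10,0]="Route solicitation"
     ICMPNAME[11,0]="TTL equals 0 during transit"
     ICMPNAME[11,1]="TTL equals 0 during reassembly"
     ICMPNAME[12,0]="IP header bad (catchall error)"
     ICMPNAME[12,1]="Required options missing"
     ICMPNAME[12,2]="Bad Length"
     ICMPNAME[13,0]="Timestamp request"
     ICMPNAME[14,0]="Timestamp reply (obsolete)"
     ICMPNAME[15,0]="Information request"
     ICMPNAME[16,0]="Information reply"
     ICMPNAME[17,0]="Address mask request"
     ICMPNAME[18,0]="Address mask reply"
     ICMPNAME[30,0]="Outbound Packet successfully forwarded"
     ICMPNAME[30,1]="No route for Outbound Packet; packet discarded"
     ICMPNAME[40,0]="Bad SPI"
     ICMPNAME[40,1]="Authentication Failed"
     ICMPNAME[40,2]="Decompression Failed"
     ICMPNAME[40,3]="Decryption Failed"
     ICMPNAME[40,4]="Need Authentication"
     ICMPNAME[40,5]="Need Authorization"
     ICMPNAME_READY=1
  }

  # Returns the description for the numeric ICMP type/code pair, or a fixed
  # "unknown" text when the pair is not in the table.
  function ICMP_lookup(type, code)
  {
     if (!ICMPNAME_READY) icmp_init()

     if ((type, code) in ICMPNAME) return(ICMPNAME[type, code])

     # If nothing else matches just return unknown
     return("Unknown ICMP type/code")
  }

  # Output helpers
  ################

  # Returns s made safe for HTML text: &, < and > become entities when
  # USE_HTML is on; otherwise s is returned unchanged. Everything printed
  # from the log is untrusted text and goes through this in HTML mode.
  function html_esc(s)
  {
     if (USE_HTML==1)
     {
        gsub(/&/, "\\&amp;", s)
        gsub(/</, "\\&lt;", s)
        gsub(/>/, "\\&gt;", s)
     }
     return(s)
  }

  # Switches to the given ANSI color (the number after "1;") and/or HTML
  # font color, honoring the USE_ANSI_COLORS and USE_HTML switches.
  function color_on(ansi, html)
  {
     if (USE_ANSI_COLORS==1) printf("\033[0m\033[1;%sm", ansi)
     if (USE_HTML==1) printf("<font color=%s>", html)
  }

  # Ends a span opened with color_on(). Every color_on() gets its own
  # color_off() so the HTML <font> tags stay balanced.
  function color_off()
  {
     if (USE_ANSI_COLORS==1) printf("\033[0m")
     if (USE_HTML==1) printf("</font>")
  }

  # Writes the line break plus indent that precedes the extra information,
  # unless everything goes on a single line (USE_1ROW). Returns 1 when a
  # break was written, 0 otherwise.
  function line_break()
  {
     if (USE_1ROW!=0) return(0)
     if (USE_HTML==1) printf("<br>\n                         "); else printf("\n               ")
     return(1)
  }

  # Host lookups
  ##############

  # Returns 1 when host is a bare IPv4/IPv6 literal, which is the only form
  # the SRC=/DST= fields should carry. Anything else is refused before the
  # value is handed to a shell command or placed in a URL: the input is
  # syslog text, and any process that can write to the log could otherwise
  # put shell syntax into such a field.
  function is_ip_literal(host)
  {
     return(host ~ /^[0-9A-Fa-f.:]+$/)
  }

  # Looks up the PTR name of host with dig and returns the first answer with
  # its last character replaced by two spaces (as the original pipeline did
  # to the trailing dot), or "" when there is no answer or dig is missing.
  # The result is read back through getline and printed with %s; it is never
  # used as a printf format, so a crafted DNS answer cannot inject escapes.
  function resolve_name(host,    cmd, line)
  {
     line=""
     cmd="dig +short +time=1 +tries=1 -x " host " 2>/dev/null"
     if ((cmd | getline line) <= 0) line=""
     close(cmd)
     # dig writes diagnostics starting with ";;" to stdout as well
     if (line ~ /;;/) line=""
     sub(/.$/, "  ", line)
     return(line)
  }

  # Queries the hostip.info service for the location of host and returns its
  # "Country:" / "City:" lines, each prefixed by one space, or "" on failure.
  # This is a plain-HTTP request to a third-party service; the answer is
  # treated as untrusted text by the caller.
  function lookup_location(host,    cmd, line, result)
  {
     result=""
     cmd="curl -L --silent --connect-timeout 1 \"http://api.hostip.info/get_html.php?ip=" host "\" 2>/dev/null"
     while ((cmd | getline line) > 0)
     {
        if (line ~ /Country:/ || line ~ /City:/)
        {
           # Mimic the whitespace trimming the shell read builtin did before
           gsub(/^[ \t]+|[ \t]+$/, "", line)
           result=result " " line
        }
     }
     close(cmd)
     return(result)
  }

  # Prints the name and/or location of host (a SRC= or DST= address) in the
  # given color on a continuation line (or inline with USE_1ROW). Does
  # nothing when both lookups are disabled; hosts that are not plain IP
  # literals get no lookup at all.
  function print_host_info(host, ansi, html)
  {
     if (RESOLVE_NAMES!=1 && SHOW_LOCATION!=1) return
     line_break()
     color_on(ansi, html)
     if (is_ip_literal(host))
     {
        if (RESOLVE_NAMES==1) printf(" %s", html_esc(resolve_name(host)))
        if (SHOW_LOCATION==1) printf("%s", html_esc(lookup_location(host)))
     }
     color_off()
  }

  # Main program: one action per input line
  ##########################################
  {
    # Lines that are neither packet logs nor firewall/kernel messages are dropped
    if (match($0, "IN=") == 0 && match($0, "firewall") == 0 && match($0, "Firewall") == 0 && match($0, "kernel") == 0) next

    if (match($0, "IN=") == 0)
    {
      # A firewall/kernel message without packet fields: print it as is
      printf("%s", html_esc($0))
    }
    else
    {
      # Check whether it is an incoming or outgoing packet: an empty
      # interface ("IN= " / "OUT= ") marks the direction the packet did not take
      INPUT = (match($0, "IN= ") != 0) ? 0 : 1
      OUTPUT = (match($0, "OUT= ") != 0) ? 0 : 1

      # Reset per line so a line without SRC=/DST= cannot reuse the addresses
      # of the previous one for its lookups
      SRC_HOST=""
      DST_HOST=""

      # First show message, SRC etc.
      for (i = 1; i <= NF; i++)
      {
        if (substr($i,1,4) == "SRC=") SRC_HOST=substr($i, 5)
        if (substr($i,1,4) == "DST=") DST_HOST=substr($i, 5)

        if (substr($i,1,4) != "MAC=" && substr($i,1,4) != "SRC=" && substr($i,1,4) != "DST=" && $i != "IN=" && $i != "OUT=" )
        {
          # Skip the syslog "kernel:" tag and the field right in front of it
          if ($(i+1) != "kernel:" && $i != "kernel:" && $i != "[kernel]" )
          {
            # We always want 2 digits for the date-day (field 2)
            if (i==1)
              printf("%s", html_esc($i))
            else if (i==2 && length($2)==1)
              printf(" 0%s", html_esc($i))
            else
              printf(" %s", html_esc($i))
          }
        }

        if (substr($i,1,4) == "SRC=")
        {
          color_on("36", "turquoise")
          printf(" %s", html_esc($i))
          color_off()
        }

        if (substr($i,1,4) == "DST=")
        {
          # Show destination, then the name/location of the remote end(s).
          # The HTML color used to be "dark purple", which is not a valid
          # attribute value (the space splits it into two attributes).
          color_on("35", "purple")
          printf(" %s", html_esc($i))
          color_off()

          if (INPUT==1 || FULL_INFO==1) print_host_info(SRC_HOST, "36", "turquoise")
          if (OUTPUT==1 || FULL_INFO==1) print_host_info(DST_HOST, "35", "purple")

          break
        }
      }

      if (i==NF)
      {
        # DST= was the last field: nothing else follows
        if (USE_HTML==1) printf("<br>")
        printf("\n")
        # Keep offset deterministic here as well; it used to retain the
        # value of the previous line in this case
        offset=i
      }
      else
      {
        offset=i+1
        if (!line_break()) printf(" ")
      }

      # The remaining fields start one past the field after DST=
      save_offset=++offset
      for (i = offset; i <= NF; i++) if (substr($i,1,6) == "PROTO=") break

      offset=i

      # First show PROTO= (colored for the common protocols)
      proto=$offset
      colored=1
      if (proto == "PROTO=UDP") color_on("33", "yellow")
      else if (proto == "PROTO=TCP") color_on("32", "green")
      else if (proto == "PROTO=ICMP") color_on("34", "blue")
      else colored=0
      printf(" %s", html_esc(proto))
      if (colored) color_off()

      if (substr($(offset+1),1,4)=="SPT=")
      {
        # Second show DPT=
        color_on("31", "red")
        printf(" DPT=%s", html_esc(portname_lookup(substr($(offset+2), 5))))
        color_off()

        # Third show SPT=
        printf(" SPT=%s", html_esc(portname_lookup(substr($(offset+1), 5))))
      }

      if ($(offset)=="PROTO=ICMP")
      {
        # Resolve type/code from the TYPE=n CODE=n fields following PROTO=
        color_on("31", "red")
        type=strtonum(substr($(offset+1), 6))
        code=strtonum(substr($(offset+2), 6))
        printf(" TYPE/CODE=%s(%i,%i)", ICMP_lookup(type, code), type, code)
        color_off()
      }

      # Show all other info: the fields not already covered above, minus the
      # ones considered noise. From a field starting with "[" onward the
      # shorter filter applies (ICMP_INFO; presumably the bracketed inner
      # header of ICMP error messages, judging by the name)
      ICMP_INFO=0
      for (i = save_offset; i <= NF; i++)
      {
        if (substr($i,1,1) == "[") ICMP_INFO=1
        if (ICMP_INFO==1)
        {
          if (substr($i,1,5) != "PREC=" && substr($i,1,4) != "TOS=" && substr($i,1,3) != "ID=" \
            && i != 4 && i != 5 && substr($i,1,2) != "DF" \
            && $i != "RES=0x00" && $i != "URGP=0")
              printf(" %s", html_esc($i))
        }
        else
        {
          if (substr($i,1,6) != "PROTO=" && substr($i,1,5) != "PREC=" && substr($i,1,4) != "TOS=" && substr($i,1,3) != "ID=" \
            && substr($i,1,4) != "LEN=" && i != 4 && i != 5 && substr($i,1,2) != "DF" && substr($i,1,4) != "SPT=" && substr($i,1,4) != "DPT=" \
            && $i != "RES=0x00" && $i != "URGP=0" && substr($i,1,7) != "WINDOW=" && substr($i,1,5) != "TYPE=" && substr($i,1,5) != "CODE=")
              printf(" %s", html_esc($i))
        }
      }
    }
    if (USE_HTML==1) printf("<br>")
    printf("\n")
  }
  '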
  604 
  # Close the HTML document that was opened before the awk program ran.
  if [ "$USE_HTML" = "1" ]; then
    printf '%s\n' "</body></html>"
  fi
  608 fi