Arp Scan results to delimited file with pipe delimiter

Have a file with arp-scan results that looks like this for each line:

192.168.103.216   c4:2f:90:e5:8d:31    Hangzhou Hikvision

I want to go through and add a pipe delimiter after the IP address and after MAC address so final file will look like this:

192.168.103.216|c4:2f:90:e5:8d:31|Hangzhou Hikvision

Different ARP scans will produce different IPs and MACs so I have to match on the pattern of an IP address and a MAC address and put a | after the IP address and after the MAC address. Or I could just put a | at the beginning of the MAC address and the end of the MAC address. Result would be the same.

I know sed can match an IP address with something like:

sed '/\n/!s/[0-9.]\+/\n&\n/;/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\n/P;D'

Am thinking I can match a MAC address with a similar statement only using [0-9A-Z:] as a pattern.

Should be semi easy to go through the file and add the delimiters. Is there an easier way to do this?

Only if your file is exactly like that, and for conciseness, with GNU awk:

awk '$3=$3" "$4{NF--}1' OFS=\| file
192.168.103.216|c4:2f:90:e5:8d:31|Hangzhou Hikvision

And if the hostname can have more than one space:

awk '{for(i=4;i<=NF;i++)$3=$3" "$i;NF=3}1' OFS=\| file

Use awk; it makes the process much simpler.

awk 'BEGIN { OFS = "|" } { $1 = "" $1; print }'

Change the output field separator from white space to a pipe symbol. Then print the inputs, but you have to change something to trigger a reformatting with the new OFS, and prepending an empty string to $1 achieves that.

EDIT: Adding a solution which will take care of space removal too. Completely based on the shown samples only. One more thing: this solution will only print lines with a pipe after the IP and MAC address if both matches are found; otherwise it will simply print the line.

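awk --re-interval '
{
  $1=$1        # rebuild the record so runs of whitespace become single spaces
  line=$0      # keep the normalised line for the fall-through print
  val=""       # reset so an IP from an earlier line is never reused
}
match($0,/([0-9]+\.){3}[0-9]+ /){
  val=substr($0,RSTART,RLENGTH-1)"|"
  $0=substr($0,RSTART+RLENGTH)
}
val!="" && match($0,/([[:xdigit:]]+:){5}[[:xdigit:]]+ /){
  print val substr($0,RSTART,RLENGTH-1)"|" substr($0,RSTART+RLENGTH)
  next
}
{
  print line   # IP and MAC were not both found: print the normalised line as is
}
'  Input_file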


Could you please try the following (tested with the provided samples only, with GNU awk; we could shorten it too, but since I have an old version of awk I will try to add that later).

awk '{sub(/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/,"&|");sub(/[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+:[[:xdigit:]]+/,"&|")} 1' Input_file

OR the above code's regex could be shortened as follows too.

awk --re-interval '{sub(/([0-9]+\.){3}[0-9]+/,"&|");sub(/([[:xdigit:]]+:){5}[[:xdigit:]]+/,"&|")} 1' Input_file

OR using gsub and putting the regex in a single gsub itself.

awk --re-interval '{gsub(/([0-9]+\.){3}[0-9]+|([[:xdigit:]]+:){5}[[:xdigit:]]+/,"&|")} 1' Input_file

In case you want to save the output into Input_file itself, then append > temp_file && mv temp_file Input_file to the above code too.



sed solution: Tested with GNU sed.

sed -E 's/([0-9]+\.){3}[0-9]+|([[:xdigit:]]+:){5}[[:xdigit:]]+/&|/g' Input_file

NOTE: I am using --re-interval since it is an old version; otherwise you could remove it, if you have the latest version of awk (GNU awk) with you.
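
A stricter variant of the conversion discussed on this page, added here as an example (it is not code from the question or any of the answers): it emits a record only when the first field is a valid IPv4 address and the second a valid MAC address, so banner and summary lines are dropped instead of getting pipes inserted wherever an address-like string appears. The function names, the sample lines and the choice to replace a literal | in the vendor text with / are assumptions made for this example.

```shell
# arp_to_psv: read arp-scan style lines (IP, MAC, vendor) on stdin and
# write IP|MAC|vendor. Lines that are not host records are dropped.
arp_to_psv() {
  awk '
    function valid_ip(s,   o, n, i) {
      n = split(s, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) return 0
      return 1
    }
    function valid_mac(s,   h, n, i) {
      n = split(s, h, ":")
      if (n != 6) return 0
      for (i = 1; i <= 6; i++)
        if (h[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) return 0
      return 1
    }
    {
      sub(/\r$/, "")                       # tolerate CRLF line endings
      if (!valid_ip($1) || !valid_mac($2)) next
      vendor = $0
      # remove the first two fields; the vendor text keeps its inner spaces
      sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", vendor)
      sub(/[ \t]+$/, "", vendor)
      gsub(/[|]/, "/", vendor)             # keep the delimiter unambiguous
      print $1 "|" $2 "|" vendor
    }'
}

# Constructed sample input (not real scan output): a banner line that
# contains a MAC and an IP, a tab-separated host, a space-separated host
# whose vendor text contains a pipe, an out-of-range address, a summary.
sample_scan() {
  printf 'Interface: eth0, MAC: 00:11:22:33:44:55, IPv4: 192.168.103.2\n'
  printf '192.168.103.216\tc4:2f:90:e5:8d:31\tHangzhou Hikvision\n'
  printf '192.168.103.7   00:11:22:aa:bb:cc    Example Co | Ltd\n'
  printf '192.168.103.999\t00:11:22:aa:bb:cd\tBad Octet\n'
  printf '\n2 packets received\n'
}
```

Run it as `sample_scan | arp_to_psv`, or feed it a saved scan with `arp_to_psv < file`.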

Comments
  • The second awk statement works like a charm as the hostname/manufacture column can have more than one space. Thanks much.
  • All the examples work great on my debian machine. They do not deal with white space between the fields as the accepted answer does, but I did not really make that request in my original question.
  • @WilliamK, ok, assuming that your Input_file is the same as the shown samples, if this is the case then could you please try the following. Again, it considers that your Input_file is exactly the same as the shown samples: awk --re-interval -v OFS="" '{$1=$1;gsub(/([0-9]+\.){3}[0-9]+|([[:xdigit:]]+:){5}[[:xdigit:]]+/,"&|")} 1' Input_file let me know then? PS: the plus point of these codes is that field numbers are NOT hardcoded, so anywhere IPs or MACs occur they will be concatenated with |.
  • @WilliamK, happy that you have selected an answer as the correct one. You could also see what one should do to encourage other good answers too; you could see this once: stackoverflow.com/help/someone-answers
  • @WilliamK, please check my EDIT command once and let me know then if that helps you.