Problem with egrep and cat

Hello,
I want to find some keywords in a dd image.

I have created a keyword file (1.txt) and search the dd image using,

cat /media/sdb1/test/c.dd.001 | strings | egrep -i --color -f 1.txt

It works,

But how can I get the file name and path?

Many thanks.

Assuming that you want to add the pathname because you want to process multiple files, you could try something like:

#!/bin/ksh
# Usage: testscript pathname...
for file in "$@"
do      strings "$file" | while IFS="" read -r line
        do      printf "%s: %s\n" "$file" "$line"
        done
done | egrep -i --color -f 1.txt

However, this may give you a lot of extraneous output if any of the EREs in 1.txt match any of the pathnames of the files being processed.

Note that I got rid of the cat you were using. The strings utility accepts a pathname operand and adding extra commands in a pipeline wastes system resources. Also note that if you try to feed multiple files into a single invocation of strings (whether by giving strings multiple file operands or by using cat to feed data to strings) there is no way to add a filename to the line being processed after strings has processed the input if it is given multiple input files in a single invocation.

If the filenames are matched by something in 1.txt, you could create a similar script that adds the filename to the start of each line output by the egrep command, but it will take more system resources to get the results.

It is also possible to write this script as a 1-liner, but I much prefer readable over producing the minimum number of characters/lines needed to get a job done.

PS I use the Korn shell, but this script will work with any shell that recognizes basic Bourne shell syntax.

Not sure what you mean by "dd image". Is this a binary file created by dd-ing some partition? Is it mounted somewhere? Then the file system is accessible, and it should be easy to find out the matching files' names. Or do you search the entire binary file with strings? Then I think it's utterly difficult to get at the file names...

It's a full disk raw image, I am searching the entire binary file with strings.

I am a new Linux learner, are there any other ways to search them and output the path? I will print the byte offset number using egrep and try to find its inode number.

Thank you so much, but I don't understand how to use shell... Also, this search is searching the binary content, not the file name.

If the keywords are matched, how do I translate the disk offset to the partition inode number? The partition block size is 512 and partition offset is 2048, NTFS file system.

Is the image corrupt or the partition table mangled in some way? Why do you not simply mount the filesystem(s) and traverse them with find or grep -R? That's much simpler than taking the byte offset of a string in an image, analyzing the partition table (MBR or GPT) to determine in which partition the byte is located, then jumping to the beginning of that partition and searching for the relevant filesystem data structures.

Regards,
Alister

1 Like
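
The byte-offset route described in the post above, as an added example that is not part of the original thread: it converts hits from `strings -t d IMAGE | egrep -i -f 1.txt` into partition-relative offsets and cluster numbers, using the 512-byte sector size and 2048-sector partition start given earlier. The function names, the constructed sample hits and the 4096-byte cluster size are assumptions (the thread does not state the NTFS cluster size).

```shell
#!/bin/sh
# Added example. Values from the thread: 512-byte sectors, partition at sector 2048.
SECTOR_SIZE=512
PART_START=2048
CLUSTER_SIZE=4096   # assumption: cluster size is not given in the thread

# hits_to_clusters: read "<decimal offset> <text>" lines, as printed by
#   strings -t d IMAGE | egrep -i -f 1.txt
# and print "<image offset> <partition offset> <cluster> <text>" per hit.
# Hits located before the partition start are reported on stderr and skipped.
hits_to_clusters() {
    awk -v ss="$SECTOR_SIZE" -v ps="$PART_START" -v cs="$CLUSTER_SIZE" '
    {
        off = $1
        if (off !~ /^[0-9]+$/) next           # not a strings -t d line
        base = ps * ss                         # byte where the partition begins
        text = $0
        sub(/^[ \t]*[0-9]+[ \t]/, "", text)    # drop the offset column
        if (off < base) {
            printf "skip %.0f: before partition start (%.0f)\n", off, base > "/dev/stderr"
            next
        }
        rel = off - base                       # offset inside the partition
        # %.0f keeps large offsets exact in awk implementations with 32-bit %d
        printf "%.0f %.0f %.0f %s\n", off, rel, int(rel / cs), text
    }'
}

# sample_hits: constructed sample input in strings -t d format (not real data).
sample_hits() {
    printf '%s\n' \
        '   4660 boot loader text' \
        '1052700 password=secret' \
        '5242980 Invoice for ACME'
}

# Stand-alone run on the constructed sample.
sample_hits | hits_to_clusters
```

Each cluster number can then be given to a tool that maps data units to MFT entries, for example The Sleuth Kit's `ifind -f ntfs -o 2048 -d <cluster> IMAGE` (assuming it is installed).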

Thank you very much. After mounting the partition, I found the file names using grep -iR:

grep -iR -f 1.txt /mnt

Happy to help. Welcome to the forums.

Regards,
Alister

Note that if 1.txt contains extended regular expressions (rather than basic regular expressions), you should still use egrep (like you did in your original pipeline) rather than grep.

If 1.txt only contains strings to be matched (rather than regular expressions), you should use fgrep instead of grep. If you're searching for fixed strings, fgrep will be MUCH faster than grep or egrep when you're examining all of the files in a file system containing lots of files.