Regex to match Exact port number (netstat command)

sk2code · November 14, 2014, 10:44am

Hi All,

We have this regex: \\*.*?(.600[0-9]).*?.(LISTEN|ESTABLISHED)

OS = Solaris 10

The purpose of this regex is to match the ports in output of "netstat -an" and report if any ports between 6000-6009 are getting used. The only problem is if I have something like this (sample output as mentioned below), the regex matches everything with 6000 in it. It matches 46000, 60006 and 6000. Because of that we are getting faulty alerts. How can we fix this to just ONLY pick up ports (6000-6009). Please help.

10.10.10.10.2055    10.10.4.10.60006    49552      0 49552      0 ESTABLISHED
10.10.10.10.6360    10.10.4.10.6000    65290      0 49640      0 LISTEN
10.10.10.10.2044    10.10.4.10.46000    49552      0 49552      0 ESTABLISHED

RudiC · November 14, 2014, 10:49am

Escape the dot in front of the 6. And put a space after the [0-9].

sk2code · November 14, 2014, 10:53am

Thanks RudiC for the quick reply. Can you please send the code for those changes?

RudiC · November 14, 2014, 11:53am

What is unclear about that statement?

\.600[0-9]

shamrock · November 14, 2014, 12:43pm

Or you could make it match more precisely with [n]awk...

Corona688 · November 14, 2014, 12:52pm

I agree, cramming it into a regex is more difficult than (column >= "6000")...

netstat -an | nawk -F"[. \t]+" '(($5 >= "6000") && ($5 <= "6009")) || (($10 >= "6000") && ($10 <= "6009"))'

sk2code · November 14, 2014, 1:42pm

Thanks everyone for replying back on this thread. RudiC, you solution worked fine. I know regex is a bit tricky but we have this special need where we have to only use regex.

Thanks again.