Filtering Input
grep command is a text filter that searches for the input and returns the text lines by a given pattern.
grep [OPTIONS] [PATTERN] [FILE]
In order to start the example, use the following command to get to the /Documents/ folder: cd ~/Documents
and then copy the file on which we will make tests, to the current directory: cp /etc/passwd . (note the dot, it’s important!)
next, run the grep command line this:
grep sysadmin passwd
The line that will be returned from the passwd file contains the pattern sysadmin.
Edit passwd file, add more lines that will contain the word sysadmin, then run the grep command and see what happens.
Regular Expressions
Regular expressions have two forms: basic and extended,
Basic regular expressions:
. any one single character
[ ] any one specified character
[^ ] not the specified character
* zero or more of the previous character
^ if the first character in a pattern, the pattern must be at the beginning of the line to match
$ if the last character in a pattern, the pattern must be at the end of the line to match
Extended regular expressions (must be used with grep command or grep -E command):
+ one or more of the previous pattern
? the preceding pattern is optional
{ } specify minimum, maximum or exact matches of a previous pattern
| alteration, a logical “or”
( ) used to create groups
Basic patterns
Regular expressions can be improved in order to match certain sequences of characters in a text.
Anchor characters
Anchor characters are used to mark and filter search result. To prevent the shell from wrong interpretation of the commands the word to be searched for must be placed between ‘ ‘, like in the example below:
grep ‘root’ passwd
How many times the root word is displayed in the output? Correct answer is 4 times.
Run the following command: grep ‘^root’ passwd ( ^ character ensures that the pattern appears at the beginning of each line)
In the next example run cat command to see the contents of passwd file: cat passwd
Run: grep ‘n$’ passwd command and see what will be displayed. $ character ensures that the patterns appears at end of each line.
For example you can run: grep ‘n…..n’ passwd. It will mark all words that starts with n character have any 5 letters inside and ends with n character. You can also try: grep ‘…’ passwd or grep ‘.a..’ passwd and see what will be displayed.
Let’s try to filter numbers: grep ‘[0-9]’ passwd. This command will mark all numbers from 0 to 9.
To negate all numbers from 0 to 9 use the following command: grep ‘[^0-9]’ passwd
Mark special characters: grep ‘[.]’ passwd
To mark 0(zero) or more occurrences of a character: grep ‘s*’ passwd
grep ‘n[bs]s*’ passwd
As we will see later in this tutorial, grep is a very important command and will ease your work a lot if used properly.
Using grep with firewall logs: grep -iE ‘(192.168.1.1|DROP|DPT=443|)’ firewall.log
This command will search in firewall.log and will mark the ip 192.168.1.1 or DROP or DPT=443 (destination port 443, port 443 is used by https).
tail or cat commands can be combined with grep or egrep. This way will be outputted only the lines with the requested keywords:
cat | grep -iE ‘(192.168.1.1|DROP|DPT=443|)’ firewall.log
tail | grep -iE ‘(192.168.1.1|DROP|DPT=443|)’ firewall.log
On other Linux distributions might work as well the following commands, for multiple grep commands combined with cat, tac or tail:
cat firewall.log | egrep -iE “192.168.1.1|DROP|DPT=443”
tac firewall.log | egrep -iE “192.168.1.1|DROP|DPT=443”
tail firewall.log | egrep -iE “192.168.1.1|DROP|DPT=443”
