Shell script question

Paul Schmehl pauls at
Thu Aug 4 17:46:21 GMT 2005

I'm working on a shell script to use p0f to identify "unauthorized" hosts 
on our network.

In the script I use an echo command to see what the output of the command 
is.  This is what it looks like:
/usr/local/bin/p0f -i xl0 -N -l -o /root/capture.1123177152.log 'src net or src net'

If I paste the output of the echo command to the cli and hit enter, p0f 
runs and writes to the log.  Yet when I actually try to run that same 
command from the script, p0f complains:

pcap_compile: illegal token: '
See man tcpdump or p0f README for help on bpf filter expressions.

Here's the script.  It's very simple right now, but there's a lot more work 
to be done.  I first have to figure out this problem, though:


EPOCH_DATE=`date -j -f "%a %b %d %T %Z %Y" "\`date\`" "+%s"`
NIC="-i xl0"
ARGS="-N -l -o ${LOG}"
FILTER="'src net or src net'"

echo "${P0F} ${NIC} ${ARGS} ${DAEMON} ${FILTER}"
${P0F} ${NIC} ${ARGS} ${FILTER}

Why is p0f complaining about the bpf filter?  I've tried escaping the 
single quotes, but that generates a different error.  I don't understand 
why the identical command works on the cli, but not in the script.

Paul Schmehl (pauls at
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
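
The behaviour described in the post, as an added example that is not part of the original message: quote characters that arrive through a variable expansion are data, not shell syntax, so the unquoted `${FILTER}` is split on whitespace and the literal `'` reaches the filter compiler, which matches the pcap_compile error quoted above. `show_args` is a hypothetical stand-in for p0f that only displays the argument vector; the filter text and log path are copied from the post as they appear there.

```shell
#!/bin/sh
# Hypothetical stand-in for p0f: prints the argument count, then each
# argument in brackets so the word boundaries are visible.
show_args() {
    printf '%d' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# As in the posted script: single quotes stored inside the value.
FILTER_BROKEN="'src net or src net'"
# Corrected value: only the filter expression, no embedded quotes.
FILTER="src net or src net"

# 1. What the script does. The shell parses quotes before it expands
#    variables, so the ' characters in the value are never treated as
#    quoting. The unquoted expansion is only field-split on whitespace.
broken() { show_args -i xl0 ${FILTER_BROKEN}; }

# 2. Fix: quote the expansion itself, so the value stays one argument.
fixed() { show_args -i xl0 "${FILTER}"; }

# 3. Same fix when several options are collected first: build the
#    argument vector with "set --" instead of one flat string.
fixed_argv() {
    set -- -i xl0 -N -l -o /root/capture.1123177152.log
    set -- "$@" "${FILTER}"
    show_args "$@"
}

broken       # 7 [-i] [xl0] ['src] [net] [or] [src] [net']
fixed        # 3 [-i] [xl0] [src net or src net]
fixed_argv   # 7 [-i] [xl0] [-N] [-l] [-o] [/root/capture.1123177152.log] [src net or src net]
```

Pasting the echoed line at the prompt works because there the shell parses the quotes as syntax before running the command; inside the script they only ever exist as characters in the variable's value.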
