Greg Sarsons wrote:
>
> Hopefully someone can point/help me out. What is below is an extract of
> packet capture ... similar to tcpdump. What I want to do is to
> determine the amount of traffic a port has on it. I just plan on
> redirecting the output to this program.
>
> My thoughts are to maybe create a hash and have the totals stored in the
> hash using the port numbers as keys. So at each block say I'm looking for
> TCP traffic then I would make sure it is TCP and then I would find the
> incoming source port (the TCP packets below have a source port of 6699).
>
> Once the source address is determined then the hash would be checked to
> see if the key exists. If the key exists then add the DgmLen (datagram)
> length onto it. If the key (port) does not exist then add the key and
> DgmLen.
>
> Then when it is done I'll print out the hash sorted by the ascending key
> (port) values.
>
> Care has to be taken if the traffic type is not TCP or UDP, say ICMP, as
> the format of the line changes a bit. There are no port numbers.
>
> With either TCP, UDP, or ICMP the 3rd line of each dump is not required.
>
> If someone could help me with the structure/setup of this ... extracting
> the data I would appreciate it.
>
> PS: is there a size that the hash should not exceed?

No. Here is one way to do it:

#!/usr/bin/perl -w
use strict;

$/ = "";    # paragraph mode: each read returns one blank-line-separated record
my %hash;

while ( <DATA> ) {
    # the fifth whitespace-separated field of a record is the protocol
    next unless (split)[4] eq 'TCP';
    # list assignment instead of "my $x = $1 if ...", which leaves stale values
    my ($port) = /\d+:(\d+)\s*->\s*\d+/;    # source port
    my ($len)  = /DgmLen:(\d+)/;            # datagram length
    next unless defined $port and defined $len;
    $hash{$port}{'count'}++;
    $hash{$port}{'length'} += $len;
}

for ( sort { $a <=> $b } keys %hash ) {
    print "Port: $_ Count: $hash{$_}{'count'} Length: $hash{$_}{'length'}\n";
}

__DATA__
10/15-10:56:39.788943 64.229.130.126:6699 -> 192.117.91.98:1395
TCP TTL:120 TOS:0x0 ID:2936 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6AA4F9 Ack: 0x1DAEF3DB Win: 0x2124 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/15-10:56:39.812796 212.58.240.61:57905 -> 192.117.91.59:6970
UDP TTL:236 TOS:0x0 ID:39733 IpLen:20 DgmLen:318 DF
Len: 298
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/15-10:56:39.826366 24.48.104.144:6699 -> 192.117.90.128:1577
TCP TTL:11 TOS:0x0 ID:35437 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x5FC28E Ack: 0x5A8547D Win: 0x3ED0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/15-10:56:39.887449 24.22.243.72:6699 -> 192.117.89.212:1608
TCP TTL:114 TOS:0x0 ID:59166 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x2A085633 Ack: 0xBEEE29B0 Win: 0x4432 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


John
--
use Perl;
program
fulfillment
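
Added example, not part of John's reply: the same tally extended to the cases the question raises, counting TCP and UDP per source port and ICMP (which has no ports) under a '-' key. It reads line by line instead of in paragraph mode, so it does not depend on blank lines between records; the `tally` name, the '-' key and the sample records (documentation addresses) are constructed for illustration.

```perl
use strict;
use warnings;

# Tally packets and DgmLen bytes per protocol and source port.
sub tally {
    my ($fh) = @_;
    my ( %total, $src );
    while ( my $line = <$fh> ) {
        # Header line: timestamp src[:port] -> dst[:port]
        if ( $line =~ /^\S+\s+(\S+)\s+->\s+\S+\s*$/ ) { $src = $1; next; }
        next unless defined $src;
        my $from = $src;
        undef $src;    # only the line directly after a header is examined
        # Protocol name comes first, DgmLen somewhere after it
        my ( $proto, $len ) = $line =~ /^(\w+)\s.*\bDgmLen:(\d+)/ or next;
        my $port = '-';    # ICMP and other portless protocols
        if ( $proto eq 'TCP' or $proto eq 'UDP' ) {
            ($port) = $from =~ /:(\d+)$/ or next;    # malformed: no port
        }
        $total{$proto}{$port}{count}++;
        $total{$proto}{$port}{bytes} += $len;
    }
    return \%total;
}

my $total = tally( \*DATA );
for my $proto ( sort keys %$total ) {
    # keys are numeric ports for TCP/UDP, or the single key '-' otherwise
    for my $port ( sort { $a <=> $b } keys %{ $total->{$proto} } ) {
        my $t = $total->{$proto}{$port};
        printf "%-4s port %-5s packets %d bytes %d\n",
            $proto, $port, $t->{count}, $t->{bytes};
    }
}
__DATA__
10/15-10:56:39.788943 198.51.100.7:6699 -> 192.0.2.98:1395
TCP TTL:120 TOS:0x0 ID:2936 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x6AA4F9 Ack: 0x1DAEF3DB Win: 0x2124 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/15-10:56:39.812796 198.51.100.61:57905 -> 192.0.2.59:6970
UDP TTL:236 TOS:0x0 ID:39733 IpLen:20 DgmLen:318 DF
Len: 298
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/15-10:56:39.887449 198.51.100.72:6699 -> 192.0.2.212:1608
TCP TTL:114 TOS:0x0 ID:59166 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x2A085633 Ack: 0xBEEE29B0 Win: 0x4432 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/15-10:56:40.104512 198.51.100.9 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:4242 IpLen:20 DgmLen:84
Type:8  Code:0  ID:512   Seq:256  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```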