
FishMonger
Sep 17, 2012, 8:22 AM
Re: [CPS] Searching two-value hash array
The "ARRAY(0x190d3c4)" lines were due to the hash containing empty array refs that I did not filter out. This updated version should let you see what I was referring to regarding the multiple connections.
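#!/usr/bin/perl
# Summarise the TCP traffic in a pcap file: for every
# "src_ip:src_port -> dest_ip:dest_port" pair, count the packets seen in
# that direction and add up their IP length fields.
use 5.10.0;
use strict;
use warnings;

use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Net::TcpDumpLog;
use List::Util qw(sum);

@ARGV or die "Usage: $0 <pcap.file>\n";

my $log = Net::TcpDumpLog->new();
$log->read($ARGV[0]);

# key   : "src_ip:src_port -> dest_ip:dest_port"
# value : array ref of IP lengths, one element per packet in that direction
my %summary;

foreach my $index ($log->indexes) {
    my $data    = $log->data($index);
    my $eth_obj = NetPacket::Ethernet->decode($data);

    # Only IPv4 frames carrying TCP are counted; everything else is skipped.
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;
    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});

    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});

    my $src  = "$ip_obj->{src_ip}:$tcp_obj->{src_port}";
    my $dest = "$ip_obj->{dest_ip}:$tcp_obj->{dest_port}";
    my $key  = join(' -> ', $src, $dest);

    # {len} is the IP header's total-length field, so the "total bytes"
    # below include the IP and TCP headers, not just the payload.
    push @{ $summary{$key} }, $ip_obj->{len};
}

# Iterate over the keys only.  `sort %summary` flattens the hash into an
# alternating key/value list, so the array refs were visited as if they were
# keys -- that is where the "ARRAY(0x...)" lines came from.  With `keys`
# every entry has at least one length pushed, so no emptiness guard is needed.
for my $key ( sort keys %summary ) {
    my @lengths            = @{ $summary{$key} };
    my $transmission_count = scalar @lengths;
    my $total              = sum(@lengths);

    say join(' | ',
        $key,
        "$transmission_count transmissions",
        "$total total bytes",
    );
}
Which outputs: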
D:\perl>pcap.pl out.pcap
10.197.191.101:4968 -> 10.197.191.250:9090 | 98 transmissions | 3920 total bytes
10.197.191.112:3696 -> 10.197.191.250:9090 | 2 transmissions | 659 total bytes
10.197.191.250:445 -> 10.197.191.50:47766 | 691 transmissions | 778663 total bytes
10.197.191.250:9090 -> 10.197.191.101:4968 | 167 transmissions | 240466 total bytes
10.197.191.250:9090 -> 10.197.191.112:3696 | 2 transmissions | 854 total bytes
10.197.191.250:9090 -> 10.197.191.43:10461 | 2 transmissions | 204 total bytes
10.197.191.250:9090 -> 10.197.191.43:11200 | 2 transmissions | 80 total bytes
10.197.191.250:9090 -> 10.197.191.45:27547 | 146 transmissions | 181070 total bytes
10.197.191.250:9090 -> 10.197.191.45:29466 | 9 transmissions | 1691 total bytes
10.197.191.250:9090 -> 10.197.191.47:4308 | 6 transmissions | 753 total bytes
10.197.191.250:9090 -> 10.197.191.47:4687 | 2 transmissions | 80 total bytes
10.197.191.250:9090 -> 10.197.191.47:4688 | 2 transmissions | 80 total bytes
10.197.191.250:9090 -> 10.197.191.47:4705 | 2 transmissions | 80 total bytes
10.197.191.250:9090 -> 10.197.191.47:4707 | 8 transmissions | 935 total bytes
10.197.191.250:9090 -> 10.197.191.50:51663 | 8 transmissions | 6312 total bytes
10.197.191.250:9090 -> 10.197.191.52:2533 | 3 transmissions | 996 total bytes
10.197.191.250:9090 -> 10.197.191.52:3019 | 2 transmissions | 80 total bytes
10.197.191.250:9090 -> 10.197.191.70:10263 | 1 transmissions | 96 total bytes
10.197.191.43:10461 -> 10.197.191.250:9090 | 2 transmissions | 578 total bytes
10.197.191.43:11200 -> 10.197.191.250:9090 | 2 transmissions | 80 total bytes
10.197.191.45:27547 -> 10.197.191.250:9090 | 75 transmissions | 3000 total bytes
10.197.191.45:29466 -> 10.197.191.250:9090 | 8 transmissions | 1876 total bytes
10.197.191.47:4308 -> 10.197.191.250:9090 | 5 transmissions | 3997 total bytes
10.197.191.47:4687 -> 10.197.191.250:9090 | 2 transmissions | 80 total bytes
10.197.191.47:4688 -> 10.197.191.250:9090 | 2 transmissions | 80 total bytes
10.197.191.47:4705 -> 10.197.191.250:9090 | 1 transmissions | 40 total bytes
10.197.191.47:4707 -> 10.197.191.250:9090 | 5 transmissions | 4349 total bytes
10.197.191.50:47766 -> 10.197.191.250:445 | 958 transmissions | 739008 total bytes
10.197.191.50:51663 -> 10.197.191.250:9090 | 4 transmissions | 160 total bytes
10.197.191.52:2533 -> 10.197.191.250:9090 | 3 transmissions | 2207 total bytes
10.197.191.52:3019 -> 10.197.191.250:9090 | 2 transmissions | 80 total bytes
10.197.191.70:10263 -> 10.197.191.250:9090 | 1 transmissions | 40 total bytes
(This post was edited by FishMonger on Sep 17, 2012, 8:24 AM)