
CPS
Novice
Sep 17, 2012, 9:22 AM
Post #14 of 15
(5928 views)
Re: [FishMonger] Searching two-value hash array
Thanks for the reply. There are so many things in Perl which I need to learn. And what about printing information about bytes sent/received and total without doubling the lines?
```
Session                                       REC      SENT     Bytes Total
===================================================================
10.197.191.43:10461 <-> 10.197.191.250:9090   578      204      782
10.197.191.250:9090 <-> 10.197.191.70:10263   96       40       136
10.197.191.250:9090 <-> 10.197.191.52:3019    80       80       160
10.197.191.250:9090 <-> 10.197.191.101:4968   240466   3920     244386
10.197.191.250:9090 <-> 10.197.191.112:3696   854      659      1513
10.197.191.250:9090 <-> 10.197.191.45:29466   1691     1876     3567
10.197.191.50:47766 <-> 10.197.191.250:445    739008   778663   1517671
10.197.191.47:4688 <-> 10.197.191.250:9090    80       80       160
10.197.191.250:9090 <-> 10.197.191.50:51663   6312     160      6472
10.197.191.45:27547 <-> 10.197.191.250:9090   3000     181070   184070
10.197.191.47:4687 <-> 10.197.191.250:9090    80       80       160
10.197.191.250:9090 <-> 10.197.191.47:4707    935      4349     5284
10.197.191.52:2533 <-> 10.197.191.250:9090    2207     996      3203
10.197.191.43:11200 <-> 10.197.191.250:9090   80       80       160
10.197.191.47:4705 <-> 10.197.191.250:9090    40       80       120
10.197.191.47:4308 <-> 10.197.191.250:9090    3997     753      4750
```

I did it with this non-professional newbie code, which I wrote before (now it's a little bit modified):
```perl
#!/usr/bin/perl
use strict;
use warnings;

use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Net::TcpDumpLog;

# Exactly one argument is expected: the capture file.
if (@ARGV != 1) {
    print "Usage: pcap.pl <pcap.file>\n";
    exit;
}

my %sum;    # "src:port <-> dst:port" => IP bytes seen in that direction

my $log = Net::TcpDumpLog->new();
$log->read($ARGV[0]);

foreach my $index ($log->indexes) {
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);

    # Only IPv4 over Ethernet carrying TCP is counted.
    my $eth_obj = NetPacket::Ethernet->decode($data);
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;

    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});
    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;

    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});

    my $keyName = $ip_obj->{src_ip} . ":" . $tcp_obj->{src_port} . " <-> "
                . $ip_obj->{dest_ip} . ":" . $tcp_obj->{dest_port};
    $sum{$keyName} += $ip_obj->{len};
}

# Sort helper (largest byte count first); not used below.
sub hashSort {
    $sum{$b} <=> $sum{$a};
}

print "\tSession \t\t\t\tREC\tSENT\tBytes Total\n";
print "===================================================================\n";

my @arrayz;    # reverse-direction keys that have already been printed

foreach my $key (keys %sum) {
    my @excludeList = split("<->", $key);
    my $firstvalue  = trim($excludeList[0]);    # source ip:port
    my $secondvalue = trim($excludeList[1]);    # destination ip:port

    foreach my $keyx (keys %sum) {
        @excludeList = split("<->", $keyx);
        my $thirdvalue = trim($excludeList[0]);    # source ip:port
        my $forth      = trim($excludeList[1]);    # destination ip:port

        # $keyx is the reverse direction of $key.
        if (($firstvalue eq $forth) && ($thirdvalue eq $secondvalue)) {
            # Skip the pair if it was already printed from the other side.
            my $ip = checkArray($thirdvalue, $forth);
            if ($ip ne 666) {
                push @arrayz, $keyx;
                my $suma = $sum{$key} + $sum{$keyx};
                print "$key \t $sum{$key} \t $sum{$keyx} \t $suma \n";
            }
        }
    }
}

# Strip leading and trailing whitespace.
sub trim {
    my $string = shift;
    $string =~ s/^\s+//;
    $string =~ s/\s+$//;
    return $string;
}

# Returns 666 if this pair of endpoints (in either order) is already
# recorded in @arrayz, 0 otherwise.
sub checkArray {
    my ($left, $right) = @_;
    foreach my $arrayvalue (@arrayz) {
        my @excludeList = split("<->", $arrayvalue);
        my $one = trim($excludeList[0]);    # first endpoint
        my $sec = trim($excludeList[1]);    # second endpoint
        if ((($left eq $sec) && ($right eq $one)) || (($left eq $one) && ($right eq $sec))) {
            return 666;
        }
    }
    return 0;
}
```

And generally that is all I want to get: REC BYTES, SENT BYTES, TOTAL BYTES (REC+SENT). However, it doesn't work quite well, because if I have completely different connections (for example, the client only sent some data and didn't receive anything) they won't be printed in the output:
```
Session                                     Bytes Total
===================================================================
10.197.191.250:51182 <-> 10.39.0.123:21     76
10.197.191.250:50779 <-> 10.39.0.123:23     60
```
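An added example, not part of the original post or thread: one way to fold both directions of a conversation into a single record while the packets are being read, so that a session with traffic in only one direction still gets a line. The packet tuples are constructed sample data standing in for the values the script above takes from NetPacket::IP and NetPacket::TCP, and the `aggregate` function and the `A->B` / `B->A` column names are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample records: [src_ip, src_port, dst_ip, dst_port, ip_len].
my @packets = (
    [ '10.197.191.43',  10461, '10.197.191.250', 9090,  300 ],
    [ '10.197.191.250', 9090,  '10.197.191.43',  10461, 204 ],
    [ '10.197.191.43',  10461, '10.197.191.250', 9090,  278 ],
    [ '10.197.191.250', 51182, '10.39.0.123',    21,    76  ],   # one-way
    [ '10.197.191.250', 50779, '10.39.0.123',    23,    60  ],   # one-way
);

# Fold both directions of a conversation into one record. The first
# endpoint seen becomes side A; a packet whose endpoints are reversed is
# counted against the same record as traffic from side B.
sub aggregate {
    my @pkts = @_;
    my (%session, @order);
    for my $p (@pkts) {
        my ($src, $sport, $dst, $dport, $len) = @$p;
        my ($from, $to) = ("$src:$sport", "$dst:$dport");
        my $fwd = "$from <-> $to";
        my $rev = "$to <-> $from";
        if (exists $session{$rev}) {
            $session{$rev}{b_to_a} += $len;      # reply direction
        } else {
            unless (exists $session{$fwd}) {     # first packet of a session
                $session{$fwd} = { a_to_b => 0, b_to_a => 0 };
                push @order, $fwd;
            }
            $session{$fwd}{a_to_b} += $len;
        }
    }
    # One row per session, in first-seen order: [name, A->B, B->A].
    return map { [ $_, @{ $session{$_} }{qw(a_to_b b_to_a)} ] } @order;
}

printf "%-46s %10s %10s %12s\n", 'Session', 'A->B', 'B->A', 'Bytes Total';
print '=' x 81, "\n";
for my $row (aggregate(@packets)) {
    my ($name, $ab, $ba) = @$row;
    printf "%-46s %10d %10d %12d\n", $name, $ab, $ba, $ab + $ba;
}
```

Because each session is stored once, no second pass over the hash or "already printed" list is needed, and a one-way session simply shows 0 in the `B->A` column.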