my %conn; while() { my ($src_ip, $src_port, $dest_ip, $dest_port, @more) = /^([\d\.]+):(\d+) -> ([\d\.]+):(\d+) ...$/; my $conn = $conn{join('-', $src_ip, $src_port, $dest_port, $dest_ip)} ||= []; # $. can be used as a sequence number: push @{$conn}, [$., @more] } # and then analyze the sequence of packets for every connection: for my $key (keys %conn) { my $conn = $conn{$key}; my $conn_back = $conn{join('-', reverse split /-/, $key)} || []; ...