Hello,
I would like to parse tcpdump pcap file logs using the following modules: NetPacket::Ethernet, NetPacket::IP, NetPacket::TCP and Net::TcpDumpLog.
```perl
#!/usr/bin/perl
use strict;
use warnings;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Net::TcpDumpLog;

# Exactly one argument (the pcap file) is expected. The original test,
# "$#ARGV gt 0", was a string comparison and let a missing argument through.
if (@ARGV != 1) {
    print "Usage: pcap.pl <pcap.file>\n";
    exit;
}

my $key;
my %sum;    # "src_ip:src_port <-> dest_ip:dest_port" => bytes seen
my $log = Net::TcpDumpLog->new();
$log->read($ARGV[0]);

foreach my $index ($log->indexes) {
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);
    my $eth_obj = NetPacket::Ethernet->decode($data);
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;
    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});
    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});
    # One key per direction: packets flowing the other way get a different key.
    my $keyName = $ip_obj->{src_ip} . ":" . $tcp_obj->{src_port}
                . " <-> " . $ip_obj->{dest_ip} . ":" . $tcp_obj->{dest_port};
    # Accumulate the IP total length for this direction (autovivifies on first hit).
    $sum{$keyName} += $ip_obj->{len};
}

# Sort sessions by byte count, largest first.
sub hashSort {
    $sum{$b} <=> $sum{$a};
}

print "\tSession \t\t\t\t\tBytes Total\n";
print "======================================================\n";
foreach $key (sort hashSort (keys(%sum))) {
    print "\t$key \t$sum{$key}\n";
}
```
Output from the above code is something like this:

```
                                          Bytes Total
===================================================
10.11.11.11:445 <-> 22.22.22.22:47766     80000
22.22.22.22:47766 <-> 10.11.11.11:445     50000
```
Let's assume that 10.11.11.11 is some server.
Looking at the above data we can say that client 22.22.22.22 has sent 80000 bytes to the server.
Accordingly, server 10.11.11.11 has sent 50000 bytes to client 22.22.22.22.
Having this in mind, I would like to have the following output:

```
SESSION                                  BYTES REC   BYTES SENT   TOTAL
10.11.11.11:445 <-> 22.22.22.22:47766    80000       30000        110000
```
The problem I have is the hash array used there (maybe I should use something different than hash arrays?).
It happens because all connections are stored as keys in the hash array, so:

```
FIRST KEY:  10.11.11.11:445 <-> 22.22.22.22:47766 80000
SECOND KEY: 22.22.22.22:47766 <-> 10.11.11.11:445 5000
```

These are different keys; however, it's the same connection.
How can I compare these IP addresses and count the bytes sent/received and the total for them?
I even tried something like this:
```perl
# Strip leading/trailing whitespace; Perl has no built-in trim().
sub trim {
    my ($s) = @_;
    $s =~ s/^\s+|\s+$//g;
    return $s;
}

my $othcnt = 0;
foreach $key (keys(%sum)) {
    my @excludeList = split("<->", $key);
    my @ipportlist  = split(":", $excludeList[0]);
    my $firstvalue  = trim($ipportlist[0]);   # IP address of first endpoint
    my $secondvalue = $ipportlist[1];          # port of first endpoint
    @ipportlist = split(":", $excludeList[1]);
    my $thirdvalue  = trim($ipportlist[0]);   # IP address of second endpoint
    my $forthvalue  = $ipportlist[1];          # port of second endpoint
    foreach my $keyx (keys(%sum)) {
        @excludeList = split("<->", $keyx);
        @ipportlist  = split(":", $excludeList[0]);
        my $five  = trim($ipportlist[0]);     # IP address of first endpoint
        my $six   = $ipportlist[1];            # port of first endpoint
        @ipportlist = split(":", $excludeList[1]);
        my $seven = trim($ipportlist[0]);     # IP address of second endpoint
        my $eight = $ipportlist[1];            # port of second endpoint
        # Matches when $keyx is the reverse direction of $key. Both the pair
        # ($key, $keyx) and later ($keyx, $key) match, so each session prints twice.
        if ((($firstvalue eq $seven) && ($secondvalue == $eight))
            && (($forthvalue == $six) && ($thirdvalue eq $five)))
        {
            $othcnt = $othcnt + 1;
            my $suma = $sum{$key} + $sum{$keyx};
            print "$key \t $sum{$key} \t $sum{$keyx} \t $suma\n";
        }
    }
}
```
However, still both lines are printed with the same value, which is undesirable.
Is there any easy way to get this?
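One way to get a single row per connection is to build a direction-independent key before storing anything, so that both directions of a session land on the same hash entry and the nested key-matching loop is not needed. The following is an added example, not code from the post; it replaces the NetPacket loop with constructed sample packets so it runs without a pcap file, and the rule that puts the endpoint with the lower port on the left (server ports are usually lower than ephemeral client ports) is an assumption, not something the modules provide. The names `canonical_key`, `add_packet`, `report` and `%flows` are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Canonical key for a TCP conversation: both directions map to one key.
# Assumption (heuristic): the endpoint with the lower port number goes on the
# left, since service ports are usually lower than ephemeral client ports;
# equal ports fall back to string order. Returns the key and a flag that is
# true when the packet travelled from the left endpoint to the right one.
sub canonical_key {
    my ($src_ip, $src_port, $dst_ip, $dst_port) = @_;
    my $src = "$src_ip:$src_port";
    my $dst = "$dst_ip:$dst_port";
    my $src_first = $src_port < $dst_port
                 || ($src_port == $dst_port && $src lt $dst);
    return $src_first ? ("$src <-> $dst", 1) : ("$dst <-> $src", 0);
}

# Account one packet to its conversation. %$flows maps key => { sent, rec }:
# "sent" is bytes leaving the left endpoint, "rec" is bytes arriving at it.
sub add_packet {
    my ($flows, $src_ip, $src_port, $dst_ip, $dst_port, $len) = @_;
    my ($key, $left_is_src) = canonical_key($src_ip, $src_port, $dst_ip, $dst_port);
    my $dir = $left_is_src ? 'sent' : 'rec';
    $flows->{$key}{$dir} += $len;
    return $key;
}

sub total {
    my ($f) = @_;
    return ($f->{sent} // 0) + ($f->{rec} // 0);
}

# Render the table, largest conversation first.
sub report {
    my ($flows) = @_;
    my @lines = sprintf("%-40s %10s %10s %10s",
                        'SESSION', 'BYTES REC', 'BYTES SENT', 'TOTAL');
    for my $key (sort { total($flows->{$b}) <=> total($flows->{$a}) } keys %$flows) {
        my $f = $flows->{$key};
        push @lines, sprintf("%-40s %10d %10d %10d",
                             $key, $f->{rec} // 0, $f->{sent} // 0, total($f));
    }
    return join("\n", @lines) . "\n";
}

# Constructed sample packets standing in for the decoded NetPacket objects.
# In the real loop the same fields come from $ip_obj->{src_ip},
# $tcp_obj->{src_port}, $ip_obj->{dest_ip}, $tcp_obj->{dest_port}, $ip_obj->{len}.
my @packets = (
    { src_ip => '22.22.22.22', src_port => 47766, dst_ip => '10.11.11.11', dst_port => 445, len => 60000 },
    { src_ip => '10.11.11.11', src_port => 445,   dst_ip => '22.22.22.22', dst_port => 47766, len => 30000 },
    { src_ip => '22.22.22.22', src_port => 47766, dst_ip => '10.11.11.11', dst_port => 445, len => 20000 },
    { src_ip => '33.33.33.33', src_port => 51000, dst_ip => '10.11.11.11', dst_port => 80,  len => 1500 },
);

my %flows;
add_packet(\%flows, @{$_}{qw(src_ip src_port dst_ip dst_port len)}) for @packets;
print report(\%flows);
```

Run as-is it prints one row `10.11.11.11:445 <-> 22.22.22.22:47766` with 80000 received, 30000 sent and 110000 total, plus a second row for the 33.33.33.33 conversation. To use it with the pcap, replace the `%sum` update inside the `foreach my $index` loop with a call to `add_packet(\%flows, $ip_obj->{src_ip}, $tcp_obj->{src_port}, $ip_obj->{dest_ip}, $tcp_obj->{dest_port}, $ip_obj->{len})`. Because the key is canonical at insertion time, each conversation is touched once per packet instead of once per pair of keys, and there is no second pass that can print a session twice. The lower-port rule is only a guess at which side is the server; if the capture contains connections where the client port is lower, or you already know the server addresses, order by that knowledge instead.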