Re: Extracting data from a WireShark log

This is a common parsing pattern:

...open LOGFILE...
my (@list, %info);
while (<LOGFILE>) {
  if (/^Frame /) { # detect start of new data record
    if (%info) { push(@list, { %info }) } # save last collected record
    %info = ();    # start with blank record
  } elsif (/^  *Source port: (\S+)\s+(\S+)/) {
    $info{source_port} = $1; # also save $2?
  } elsif (/^  *Destination port: (\S+)\s+(\S+)/) {
    $info{dest_port} = $1;
  } elsif (/^[\da-f]{4}\s+[\da-f\s]+/i) {
      push(@{$info{data}}, $_);  # save data lines
  }
}
if (%info) { # must check at end of loop
  push(@list, { %info }); 
}
# @list contains parsed Frame records
[download]

And here's one way to convert the saved data lines to bytes:

my $bytes;
for my $line (@{$info->{data}}) {
  if ($line =~ m/^[\da-f]{4}\s*(([\da-f]{2} )+)/i) {
    my $hex = $1;
    $hex =~ s/\s//g;
    $bytes .= pack("H*", $hex);
  }
}
[download]

Comment on Re: Extracting data from a WireShark log Select or Download Code

Replies are listed 'Best First'.
Better scoping for the hash: was Re^2: Extracting data from a WireShark log by Narveson (Chaplain) on Apr 29, 2008 at 18:13 UTC
What if we could declare a new copy of `my %frame` each time we detect the start of a new frame record? We wouldn't need to initialize `%info = ()`. We wouldn't need to test `if (%info)`. We could store `\%frame` instead of the clever but busy `{ %info }`. All it takes is loop labels: # detect start of new data record my $FRAME_BEGINNING = qr/^Frame /; # store parsed Frame records my @frame_list; SKIP: while (<DATA>) { next SKIP if !/$FRAME_BEGINNING/; FRAME: while (!eof) { my %frame; DETAIL: while (<DATA>) { last DETAIL if /$FRAME_BEGINNING/; if (/^ Source port: (\S+)\s+(\S+)/) { $frame{source_port} = $1; # also save $2? } if (/^ Destination port: (\S+)\s+(\S+)/) { $frame{dest_port} = $1; } if (/^[\da-f]{4}\s+[\da-f\s]+/i) { push @{$frame{data}}, $_; # save data lines } } push @frame_list, \%frame; } } [download]	[reply] [d/l] [select]

Replies are listed 'Best First'.

Better scoping for the hash: was Re^2: Extracting data from a WireShark log
by Narveson (Chaplain) on Apr 29, 2008 at 18:13 UTC

What if we could declare a new copy of my %frame each time we detect the start of a new frame record?

We wouldn't need to initialize %info = (). We wouldn't need to test if (%info). We could store \%frame instead of the clever but busy { %info }.

All it takes is loop labels:

# detect start of new data record
my $FRAME_BEGINNING = qr/^Frame /;

# store parsed Frame records
my @frame_list;


SKIP:
while (<DATA>) {
    next SKIP if !/$FRAME_BEGINNING/;

    FRAME:
    while (!eof) {
        my %frame;    
        DETAIL:
        while (<DATA>) {
            last DETAIL if /$FRAME_BEGINNING/;
            if (/^  *Source port: (\S+)\s+(\S+)/) {
                $frame{source_port} = $1; # also save $2?
            }
            if (/^  *Destination port: (\S+)\s+(\S+)/) {
                $frame{dest_port} = $1;
            }
            if (/^[\da-f]{4}\s+[\da-f\s]+/i) {
                push @{$frame{data}}, $_;  # save data lines
            }
        }
        push @frame_list, \%frame; 
    }
}
[download]

[reply]
[d/l]
[select]