cps86 has asked for the wisdom of the Perl Monks concerning the following question:
```perl
#!/usr/bin/perl
use strict;
use warnings;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Net::TcpDumpLog;

# expect exactly one argument, the pcap file
if (@ARGV != 1) {
    print "Usage: pcap.pl <pcap.file>\n";
    exit;
}

my $key;
my %sum;    # "src_ip:src_port <-> dest_ip:dest_port" -> bytes seen

my $log = Net::TcpDumpLog->new();
$log->read($ARGV[0]);

foreach my $index ($log->indexes) {
    my ($length_orig, $length_incl, $drops, $secs, $msecs) = $log->header($index);
    my $data = $log->data($index);

    # walk down Ethernet -> IP -> TCP, skipping anything that is not TCP over IPv4
    my $eth_obj = NetPacket::Ethernet->decode($data);
    next unless $eth_obj->{type} == NetPacket::Ethernet::ETH_TYPE_IP;
    my $ip_obj = NetPacket::IP->decode($eth_obj->{data});
    next unless $ip_obj->{proto} == NetPacket::IP::IP_PROTO_TCP;
    my $tcp_obj = NetPacket::TCP->decode($ip_obj->{data});

    my $keyName = $ip_obj->{src_ip} . ":" . $tcp_obj->{src_port}
                . " <-> "
                . $ip_obj->{dest_ip} . ":" . $tcp_obj->{dest_port};
    # IP total length of this packet, added to the running sum for the key
    $sum{$keyName} += $ip_obj->{len};
}

# largest sessions first
sub hashSort { $sum{$b} <=> $sum{$a}; }

print "\tSession \t\t\t\t\tBytes Total\n";
print "======================================================\n";
foreach $key (sort hashSort (keys(%sum))) {
    print "\t$key \t$sum{$key}\n";
}
```

Output from the above code is something like this.

```
	Session                                  Bytes Total
======================================================
	10.11.11.11:445 <-> 22.22.22.22:47766    80000
	22.22.22.22:47766 <-> 10.11.11.11:445    50000
```

Let's assume that 10.11.11.11 is some server. Looking at the above data we can say that the 22.22.22.22 client has sent 80000 bytes to the server. Accordingly, server 10.11.11.11 has sent 50000 bytes to client 22.22.22.22. Having this in mind I would like to have the following output:

```
SESSION                                  BYTES REC    BYTES SENT    TOTAL
10.11.11.11:445 <-> 22.22.22.22:47766    80000        30000         110000
```

The problem which I have is the hash array used there (maybe I should use something different than hash arrays?). It happens because all connections are stored into the key hash array, so:

```
FIRST KEY:  10.11.11.11:445 <-> 22.22.22.22:47766    80000
SECOND KEY: 22.22.22.22:47766 <-> 10.11.11.11:445    5000
```

There are different keys, however it's the same connection. How to compare these IP addresses and count for them bytes sent/received and total? I tried even something like this:

```perl
my $othcnt = 0;

# strip leading/trailing whitespace from the split pieces
sub trim {
    my $s = shift;
    $s =~ s/^\s+|\s+$//g;
    return $s;
}

foreach my $key (keys(%sum)) {
    my @excludeList = split("<->", $key);
    my @ipportlist  = split(":", $excludeList[0]);
    my $firstvalue  = trim($ipportlist[0]);   # IP address of first endpoint
    my $secondvalue = $ipportlist[1];         # port of first endpoint
    @ipportlist     = split(":", $excludeList[1]);
    my $thirdvalue  = trim($ipportlist[0]);   # IP address of second endpoint
    my $forthvalue  = $ipportlist[1];         # port of second endpoint

    # compare against every other key, looking for the reversed direction
    foreach my $keyx (keys(%sum)) {
        @excludeList = split("<->", $keyx);
        @ipportlist  = split(":", $excludeList[0]);
        my $five  = trim($ipportlist[0]);     # IP address of first endpoint
        my $six   = $ipportlist[1];           # port of first endpoint
        @ipportlist = split(":", $excludeList[1]);
        my $seven = trim($ipportlist[0]);     # IP address of second endpoint
        my $eight = $ipportlist[1];           # port of second endpoint

        if ((($firstvalue eq $seven) && ($secondvalue == $eight))
            && (($forthvalue == $six) && ($thirdvalue eq $five))) {
            $othcnt = $othcnt + 1;
            my $suma = $sum{$key} + $sum{$keyx};
            print "$key \t $sum{$key} \t $sum{$keyx} \t $suma\n";
        }
    }
}
```

However, still both lines are printed with the same value, which is undesirable. Is there any easy way to get this?
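One way to get the per-session table asked for in this post, as an added example that is not the poster's code: build one canonical key for both directions of a connection, so the two hash entries collapse into one and the bytes are counted per direction. The function names session_key and add_packet are my own, and the packet list is constructed to stand in for what the NetPacket::IP / NetPacket::TCP decode step yields.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One key for both directions of a TCP session. The two endpoints are
# ordered lexically, so "A <-> B" and "B <-> A" land in the same hash
# entry; the second return value says whether the packet travelled from
# the first-listed endpoint (A) to the second (B).
sub session_key {
    my ($src_ip, $src_port, $dst_ip, $dst_port) = @_;
    my ($src, $dst) = ("$src_ip:$src_port", "$dst_ip:$dst_port");
    return $src le $dst ? ("$src <-> $dst", 1) : ("$dst <-> $src", 0);
}

# Add one packet's IP total length to its session, split by direction.
sub add_packet {
    my ($sessions, $pkt) = @_;
    my ($key, $a_to_b) = session_key(@{$pkt}{qw(src_ip src_port dest_ip dest_port)});
    my $entry = $sessions->{$key} //= { a2b => 0, b2a => 0 };
    $entry->{ $a_to_b ? 'a2b' : 'b2a' } += $pkt->{len};
    return $key;
}

# Constructed sample (hypothetical values, no pcap file needed).
my @packets = (
    { src_ip => '22.22.22.22', src_port => 47766, dest_ip => '10.11.11.11', dest_port => 445,   len => 60   },
    { src_ip => '10.11.11.11', src_port => 445,   dest_ip => '22.22.22.22', dest_port => 47766, len => 60   },
    { src_ip => '22.22.22.22', src_port => 47766, dest_ip => '10.11.11.11', dest_port => 445,   len => 1500 },
    { src_ip => '22.22.22.22', src_port => 47766, dest_ip => '10.11.11.11', dest_port => 445,   len => 1500 },
    { src_ip => '10.11.11.11', src_port => 445,   dest_ip => '22.22.22.22', dest_port => 47766, len => 500  },
    { src_ip => '33.33.33.33', src_port => 50000, dest_ip => '10.11.11.11', dest_port => 445,   len => 100  },
);

my %sessions;
add_packet(\%sessions, $_) for @packets;

# Largest sessions first; both directions and the total on one line.
printf "%-45s %10s %10s %10s\n", 'SESSION (A <-> B)', 'A->B', 'B->A', 'TOTAL';
for my $key (sort { $sessions{$b}{a2b} + $sessions{$b}{b2a}
                   <=> $sessions{$a}{a2b} + $sessions{$a}{b2a} } keys %sessions) {
    my $s = $sessions{$key};
    printf "%-45s %10d %10d %10d\n", $key, $s->{a2b}, $s->{b2a}, $s->{a2b} + $s->{b2a};
}
```

In the pcap script this replaces the `$sum{$keyName}` update with `add_packet(\%sessions, { src_ip => $ip_obj->{src_ip}, src_port => $tcp_obj->{src_port}, dest_ip => $ip_obj->{dest_ip}, dest_port => $tcp_obj->{dest_port}, len => $ip_obj->{len} })`.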
Re: Parsing pcap files with Net::TcpDumpLog - comparing two hash arrays?
by cps86 (Initiate) on Sep 14, 2012 at 12:16 UTC