Hi, folks! Why this code not works with pcap files of tcpdump and go to freeze. 
#! /usr/bin/perl
use Class::Struct;
use Math::BigInt;

my $usage = "Usage: $0 tcpdump_file\n";

my $fh;

struct( conn =>
{ fin => int, stime => double, etime => double});

my %hash = ();


if ($#ARGV != 0)
{
    die "$usage";
}
else
{
    my $file = $ARGV[0];
    my $start = 0;
    open(TD, "sudo tcpdump -r $file -tt |") || die "tcpdump failed\n";
    while (<TD>) {

        if (/([0-9]+.[0-9]+)(.*)(1.1.2.3.*)(\.[0-9]+)(.*5.6.7.8.*)(S)/
+)
        {
            my $time = $1;
            if ($start == 0)
            {
                $start = $time;
            }
            my $port = $4;
            if ($hash{$port} == 0)
            {
                $hash{$port} = new conn();
                $hash{$port}->{fin} = 0;
                $hash{$port}->{stime} = $1;
                $hash{$port}->{etime} = 0;
                my $fin = $hash{$port}->{fin};
            }
        }
        elsif (/([0-9]+.[0-9]+)(.*)(1.1.2.3)(\.[0-9]+)(.*)(5.6.7.8)(.*
+)([F|.|R])/)
        {
            my $time = $1;
            my $port = $4;
            my $flag = $8;
            my $h = $hash{$port};
            if ($hash{$port} != 0 && ($flag eq 'F'))
            {
                $hash{$port}->{fin} = 1;
            }
            elsif (($flag eq "." && $hash{$port}->{fin} == 1) ||
              $flag eq "R")
            {
                $hash{$port}->{etime} = $1;
            }
        }
        elsif (/([0-9]+.[0-9]+)(.*)(1.1.2.3)(\.[0-9]+)(.*)(5.6.7.8.*)(
+.*)(R)/)
        {
            my $time = $1;
            my $port = $4;
            my $flag = $7;
            $hash{$port}->{etime} = $1;
        }
    }
    for my $key ( keys %hash ) {
        my $stime = $hash{$key}->{stime};
        my $etime = $hash{$key}->{etime};
        if ($etime == 0)
        {
            $etime = $stime + 200.0;
        }
        my $begin = $stime - $start;
        my $dur = $etime - $stime;
        print "$begin $dur\n";


    }
}

[download]

In reply to Why this code not working with pcap files? by lepetal

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.