snifftrace.pl

#!/usr/bin/perl

my $snoopfile = "arcachds03-20060510/arcachds03-20060510.txt";
my $rowcount = 0;
my $fh;

# the data structure i'm storing packet information in.
#my @packetlog = (
#                  {
#                    'source:port' => [ type( fin, syn, rst, ack ), seq, length ],
#                    'packet'      => [ $frame, $src, $dest, $deltaT, $abs, $rel, $cum, $byt ],
#                  }
#                );


open( $fh, ,$snoopfile ) or die "can't open snoop file $snoopfile - $!\n";

while( my $line = <$fh> ){
  $rowcount++;
  next unless $rowcount > 1050001;
  #last if $rowcount > 1050000;
  chomp $line;
  my( $FIN, $SYN, $ACK, $RST, $SEQ, $LEN );
  #my ( $fram, $src, $dest, $deltaT, $sum, $abs, $rel, $cum, $byt )
  #  = ( split( /,/, $line ) )[ 1 .. 9 ];
  my( undef, $fram, $date, $abs, $src, $dest, $proto, $srcP, undef, $destP, @rest )
    = split /\s+/, $line;
  #my( $proto, $destP, $srcP, @rest ) = split( /\s+/, $sum );
  next if $proto =~ /ISODE/;
  #$destP =~ s/D=//;
  #$srcP  =~ s/S=//;
  #map { s/^\s*\[?(\S+?)]?\s*$/$1/  } ( $fram, $src, $dest, $deltaT, $sum, $abs, $rel, $cum, $byt );
  for my $entry( @rest ){
    $entry =~ /(FIN)/     && { $FIN = $1 }; 
    $entry =~ /(SYN)/     && { $SYN = $1 };
    $entry =~ /(RST)/     && { $RST = $1 };
    $entry =~ /Ack=(\d+)/ && { $ACK = $1 };
    $entry =~ /Seq=(\d+)/ && { $SEQ = $1 };
    $entry =~ /Len=(\d+)/ && { $LEN = $1 };
  }
  #print "frame: $fram S: $src D: $dest time: $abs\n";
#  print "frame:$fram S: $src D: $dest delt: $deltaT time: $abs byte: $byt\n";
  #print "    Sp: $srcP Dp: $destP :: $FIN $SYN $RST (A:$ACK S:$SEQ L:$LEN)\n\n";
  $TYPE = $FIN || $SYN || $RST || 'ACK';
  $KEY  = "$src:$srcP:$dest:$destP";
  if( $packettrack{$KEY} ){
    #$packetlog->{$KEY}[2] += $LEN;
    $packettrack{$KEY}++;
    push @packetlog, { $KEY => [ $TYPE, $SEQ, $LEN ],  'packet' => [ $fram, $deltaT, $abs, $rel, $cum, $byt ] };
  }
  else {
    $packettrack{$KEY}++;
    push @packetlog, { $KEY => [ $TYPE, $SEQ, $LEN ],  'packet' => [ $fram, $deltaT, $abs, $rel, $cum, $byt ] };
  }
}

close( $fh ) or die "can't close snoop file $snoopfile - $!\n";

for my $packet(
    map  {
      $_->[2]
    }
    sort {
      $a->[0] cmp $b->[0]
              ||
      $b->[1] <=> $a->[1]
    }
    map  {
      my ( $v, $k ) = keys %$_;
      my $val = $v =~ /pack/ ? $k : $v;
      my( $src, $srcP, $dst, $dstP ) = split /:/, $val;
      my( $low, $high ) = sort { $a cmp $b } ( "$src:$srcP", "$dst:$dstP" );
      my $key = $high . '-' . $low;
      [ $key, $srcP, $_ ]
    }
    @packetlog ){
  for my $key( keys %{$packet} ){
    if( $key =~ /packet/ ){
      ( $fram, $deltaT, $abs, $rel, $cum, $byt ) = @{$packet->{$key}};
    }
    else {
      ( $src, $srcP, $dst, $dstP ) = split /:/, $key;
      $type     = $packet->{$key}[0] || q{};
      $sequence = $packet->{$key}[1] || 0;
      $length   = $packet->{$key}[2] || 0;
    }
  }
  $thispack = $type;
  $thisdest = $dst;
  $thisdstp = $dstP;
  if( $thisdstp == $lastdstp ){
    $counter++;
    $totallength += $length;
    $lastlength = $totallength;
    $SEENFINRST++ if $thispack =~ m/FIN|RST/;
  } 
  else {
    if( ! $SEENFINRST ){
      print "    ^^^ did not see a fin or rst\n";
    }
    if( ! $lastlength && $counter ){
      print "    ^^^ issue?\n";
    }
    $totallength = 0;
    $counter = 0;
  }
  print "$src:$srcP -> $dst:$dstP\t";
  print "frame: $fram delt: $deltaT time: $abs byte: $byt";
  print " :-: $type (seq: $sequence len: $length)\n";
  $lastpack = $thispack;
  $lastdest = $thisdest;
  $lastdstp = $thisdstp;
}