-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathprocess-tcp
executable file
·76 lines (69 loc) · 2.32 KB
/
process-tcp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/usr/bin/perl -w
#
# Return the number of SYN,SYNACK,FIN,RST per second.
#
# tcpdump -nn -tt -r file.pcap 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0' | process-tcp > file.csv
#
# 1358614014.474113 IP 127.0.0.1.36656 > 127.0.0.1.14000: Flags [S], seq 1883124844, win 12288,
# 1358614014.474147 IP 127.0.0.1.14000 > 127.0.0.1.36656: Flags [S.], seq 2896662404, ack 1883124845,
# 1358614014.474169 IP 127.0.0.1.36656 > 127.0.0.1.14000: Flags [.], ack 1, win 12, length 0
# 1358614014.474261 IP 127.0.0.1.36656 > 127.0.0.1.14000: Flags [P.], seq 1:180, ack 1, win 12, length 179
# 1358614014.474302 IP 127.0.0.1.14000 > 127.0.0.1.36656: Flags [.], ack 180, win 14, length 0
#
# TS, S, SA, F, R
# 1358614010, 1, 1, 0, 0
# 1358614020, 1, 1, 0, 0
#
use strict;
use warnings;
use Getopt::Long;
my $start;
my $end;
my $interval = 5 ;
GetOptions (
"start=i" => \$start,
"end=i" => \$end,
"interval=i" => \$interval);
# snap start/end time to interval
$start = int($start / $interval) * $interval if $start;
$end = int($end / $interval) * $interval if $end;
my %completed ;
my $min_time = 0;
my $max_time = 0;
my @flags = qw(SYN SYNACK FIN RST);
my %flags = (
'S' => 'SYN',
'S.' => 'SYNACK',
'F.' => 'FIN',
'R' => 'RST'
);
# Collect all input into summary of flag counts, indexed by time.
# Time is bucketed by $interval.
while (<>) {
my ($timestamp) = (/^([\d\.]+)/) ;
next unless $timestamp;
$timestamp = int($timestamp / $interval) * $interval;
next if $start && $start > $timestamp;
last if $end && $end < $timestamp;
die ("unexpected flag at $_") unless /Flags \[([SFRP\.]+)\]/ ;
my $flag = $flags{$1} || $1;
$max_time = $timestamp if ($timestamp > $max_time);
$min_time = $timestamp if ($min_time == 0);
$completed{$timestamp}{$flag} ++ ;
}
# Ensure report duration snapped to getops values
$min_time = $start if $start && $min_time > $start;
$max_time = $end if $end && $max_time < $end;
printf("timestamp,gmdate,tzdate,%s\n", join(',',@flags));
for (my $idx = $min_time;
$idx < $max_time + $interval;
$idx = $idx + $interval
) {
# compute the average over $interval
my @avg_set = map { ($completed{$idx}{$_} || 0) / $interval} @flags ;
printf("%d,%s,%s,%s\n",
$idx,
scalar gmtime($idx),
scalar localtime($idx),
join(',', @avg_set));
}