Full Discussion: Sampling pcap file
Post 302471056 by Chubler_XL on Friday 12th of November 2010 12:11:15 AM
Not sure if the 2nd IP (71.126.222.64) should be counted too, but here it is:

Code:
awk -F"[:, ]" '
{
    # Fields after splitting on ":", "," and " ": $1=hour $2=min $3=sec, $5=first IP on the line.
    # mktime() is a gawk extension; the date part is arbitrary, only the deltas matter.
    now = mktime("2000 1 1 " $1 " " $2 " " $3)
    if (NR == 1) {
        printf("#Time Packets IPs\n")
        to = now + 10                        # end of the first 10-second bin
    } else if (now >= to) {
        # Bin closed: print elapsed seconds, packets seen, distinct IPs (length(array) is gawk-only).
        count += 10
        printf("%d %d %d\n", count, found, length(IPs))
        # One zero row for every empty 10-second bin between the last packet and this one.
        while ((to + 10) < now) { count += 10; to += 10; printf("%d 0 0\n", count) }
        delete IPs                           # gawk: clear the whole array
        found = 0
        to += 10
    }
    found++
    IPs[$5]++
}
END { printf("%d %d %d\n", count + 10 - to + now, found, length(IPs)) }' logfile

---------- Post updated at 03:11 PM ---------- Previous update was at 12:49 PM ----------

Times past midnight or more than 1 day's worth of logs?

If a time is less than the time before, assume we are in the next day and add 24 hours; this version also calculates times without using mktime:

Code:
awk -F"[:, ]" '
{
    new = $1*3600 + $2*60 + $3               # seconds since 00:00 of the first day
    # Any step backwards in time is taken as a day rollover, so add 24h until it is not earlier.
    while (new < now) new += 3600*24
    now = new
    if (NR == 1) {
        printf("#Time Packets IPs\n")
        to = now + 10                        # end of the first 10-second bin
    } else if (now >= to) {
        # Bin closed: print elapsed seconds, packets seen, distinct IPs (length(array) is gawk-only).
        count += 10
        printf("%d %d %d\n", count, found, length(IPs))
        # One zero row for every empty 10-second bin between the last packet and this one.
        while ((to + 10) < now) { count += 10; to += 10; printf("%d 0 0\n", count) }
        delete IPs                           # gawk: clear the whole array
        found = 0
        to += 10
    }
    found++
    IPs[$5]++
}
END { printf("%d %d %d\n", count + 10 - to + now, found, length(IPs)) }' infile


Last edited by Chubler_XL; 11-12-2010 at 01:18 AM.. Reason: Updated to include zero readings for missing lines
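A self-contained, portable version of the second script as an added example (not Chubler_XL's code), run over a constructed six-line log that crosses midnight and has a 20-second gap, so the day rollover and the zero-filled bins show up in the output. It keeps a distinct-IP counter instead of the gawk-only length(array)/delete array; the sample lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample log: "HH:MM:SS, src_ip dst_ip" per line, wrapping past midnight.
SAMPLE='23:59:50, 10.0.0.1 71.126.222.64
23:59:52, 10.0.0.2 71.126.222.64
23:59:55, 10.0.0.1 71.126.222.64
00:00:03, 10.0.0.3 71.126.222.64
00:00:31, 10.0.0.1 71.126.222.64
00:00:33, 10.0.0.1 71.126.222.64'

# Reads log lines on stdin; prints one "elapsed packets distinct-ips" row per 10-second bin.
bin_pcap_log() {
    awk -F'[:, ]' '
    {
        new = $1*3600 + $2*60 + $3           # seconds since 00:00 of the first day
        while (new < now) new += 86400       # clock went backwards: assume the next day
        now = new
        if (NR == 1) { print "#Time Packets IPs"; to = now + 10 }
        else if (now >= to) {
            count += 10
            printf("%d %d %d\n", count, found, nip)
            # zero rows for empty bins between the previous packet and this one
            while (to + 10 < now) { count += 10; to += 10; printf("%d 0 0\n", count) }
            for (k in ips) delete ips[k]     # POSIX-portable array clear
            found = 0; nip = 0
            to += 10
        }
        found++
        if (!($5 in ips)) nip++              # $5 is the first IP on the line
        ips[$5] = 1
    }
    END { printf("%d %d %d\n", count + 10 - to + now, found, nip) }'
}

# Expected rows: 10 3 2 / 20 1 1 / 30 0 0 / 40 0 0 / 43 2 1 (after the header)
run_sample() { printf '%s\n' "$SAMPLE" | bin_pcap_log; }

run_sample
```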
PCAP_OPEN_OFFLINE(3PCAP)

NAME
       pcap_open_offline, pcap_fopen_offline - open a saved capture file for reading

SYNOPSIS
       #include <pcap/pcap.h>

       char errbuf[PCAP_ERRBUF_SIZE];

       pcap_t *pcap_open_offline(const char *fname, char *errbuf);
       pcap_t *pcap_fopen_offline(FILE *fp, char *errbuf);

DESCRIPTION
       pcap_open_offline() is called to open a ``savefile'' for reading. fname specifies the name of the file to open. The file can have the pcap file format as described in pcap-savefile(5), which is the file format used by, among other programs, tcpdump(1) and tcpslice(1), or can have the pcap-ng file format, although not all pcap-ng files can be read. The name "-" is a synonym for stdin.

       Alternatively, you may call pcap_fopen_offline() to read dumped data from an existing open stream fp. Note that on Windows, that stream should be opened in binary mode.

RETURN VALUE
       pcap_open_offline() and pcap_fopen_offline() return a pcap_t * on success and NULL on failure. If NULL is returned, errbuf is filled in with an appropriate error message. errbuf is assumed to be able to hold at least PCAP_ERRBUF_SIZE chars.

SEE ALSO
       pcap(3PCAP), pcap-savefile(5)

5 April 2008                                                PCAP_OPEN_OFFLINE(3PCAP)