Wednesday, July 21, 2010

[Network Traces] how to print the full hexdump of a packet on one line using perl and tcpdump.

Here is the Perl script. Feed it the output of "tcpdump -x -n" (which prints each packet as a header line followed by hex lines of 16 bytes) and it prints one line per packet, the timestamp followed by the packet's complete hex dump:

#!/usr/bin/perl -w
# Join the multi-line hex dump that "tcpdump -x -n" prints for each packet
# into a single line of the form "HH:MM:SS.uuuuuu:<hex bytes>".
use strict;

sub concat {
    # Placeholder: reassemble fragmented packets and handle lost fragments.
    print "entering concat\n";
}

my $last_time = "";   # timestamp of the packet currently being collected
my $fragment  = "";   # its hex bytes, accumulated across the dump lines
my %fragments;        # timestamp -> hex bytes, kept for later processing

while (<>) {
    # Sample "tcpdump -x -n" output:
    #
    # 04:09:29.989335 IP 10.0.0.32.55238 > 209.85.227.113.80: Flags [.], ack 2233, win 81, options [nop,nop,TS val 256065 ecr 48692], length 0
    #         0x0000:  4500 0034 d413 4000 4006 a7c9 0a00 0020
    #         0x0010:  d155 e371 d7c6 0050 f5f8 0b98 f76a 480d
    #         0x0020:  8010 0051 f7eb 0000 0101 080a 0003 e841
    #         0x0030:  0000 be34
    #
    if (/^(\d{2}:\d{2}:\d{2}\.\d+)\s/) {
        # Header line: a new packet starts, so flush the previous one.
        # (Addresses and lengths could be checked against the hex here.)
        if ($last_time ne "") {
            print "$last_time:$fragment\n";
            $fragments{$last_time} = $fragment;
        }
        $last_time = $1;
        $fragment  = "";
    }
    elsif (/^\s+0x[[:xdigit:]]{4}:\s+((?:[[:xdigit:]]{2,4}\s*)+)$/) {
        # Hex dump line: tcpdump prints up to eight 16-bit groups per line.
        # The last line of a packet is usually shorter and, for an odd
        # packet length, ends in a lone byte, so accept any number of
        # 2- or 4-digit groups rather than requiring exactly eight.
        (my $hex = $1) =~ s/\s+//g;
        $fragment .= $hex;
    }
}

# Flush the final packet, which has no following header line to trigger it.
if ($last_time ne "") {
    print "$last_time:$fragment\n";
    $fragments{$last_time} = $fragment;
}
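The comment in the script mentions checking addresses and lengths for consistency. The following is an added example, written in Python rather than the post's Perl and not part of the original page, that does the same one-line join and then cross-checks each packet's hex against its tcpdump header line: the IPv4 total length field must equal the number of bytes dumped (a shorter dump means a missing line or a snaplen cut), and the source/destination host and port decoded from the bytes must match what tcpdump printed. It assumes plain "tcpdump -x -n" output (IPv4, link layer stripped, no -v). The sample input is constructed: the first packet is the one from the post, the other two are made up (one with an odd length that ends in a lone byte, one with a missing dump line), and their checksum fields are not meaningful.

```python
"""Join "tcpdump -x -n" hex dumps into one line per packet, then cross-check
the hex against the header line. Added example, not the post's Perl script.
Assumes plain "tcpdump -x -n" output: IPv4, link layer stripped, no -v."""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+([^\s:]+)\s+>\s+([^\s:]+):")
HEX_RE = re.compile(r"^\s+0x[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2,4}\s*)+)$")

# Constructed sample: packet 1 is the post's packet; packets 2 and 3 are made up
# (checksums not meaningful). Packet 2 is 53 bytes and ends in a lone byte;
# packet 3 is missing its last two dump lines.
SAMPLE = """\
04:09:29.989335 IP 10.0.0.32.55238 > 209.85.227.113.80: Flags [.], ack 2233, win 81, options [nop,nop,TS val 256065 ecr 48692], length 0
        0x0000:  4500 0034 d413 4000 4006 a7c9 0a00 0020
        0x0010:  d155 e371 d7c6 0050 f5f8 0b98 f76a 480d
        0x0020:  8010 0051 f7eb 0000 0101 080a 0003 e841
        0x0030:  0000 be34
04:09:30.102233 IP 10.0.0.32.55238 > 209.85.227.113.80: Flags [P.], seq 1:2, ack 2233, win 81, options [nop,nop,TS val 256070 ecr 48692], length 1
        0x0000:  4500 0035 d414 4000 4006 a7c7 0a00 0020
        0x0010:  d155 e371 d7c6 0050 f5f8 0b98 f76a 480d
        0x0020:  8018 0051 0000 0000 0101 080a 0003 e846
        0x0030:  0000 be34 41
04:09:30.250000 IP 209.85.227.113.80 > 10.0.0.32.55238: Flags [.], ack 2, win 400, length 0
        0x0000:  4500 0034 0000 4000 3806 0000 d155 e371
        0x0010:  0a00 0020 0050 d7c6 f76a 480d f5f8 0b99
"""


@dataclass
class Packet:
    time: str          # timestamp from the header line
    src: str           # "host.port" (or just "host") as tcpdump printed it
    dst: str
    hexdata: str = ""  # every dump line of this packet, whitespace removed


def parse_tcpdump(text):
    """Return one Packet per header line, with its hex lines concatenated."""
    packets = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            packets.append(Packet(m.group(1), m.group(2), m.group(3)))
            continue
        m = HEX_RE.match(line)
        if m and packets:
            # The last dump line is usually short and may end in a lone byte,
            # so the regex accepts 2- or 4-digit groups in any number.
            packets[-1].hexdata += re.sub(r"\s+", "", m.group(1))
    return packets


def one_line(p):
    """The post's output format: timestamp, colon, full hex dump."""
    return f"{p.time}:{p.hexdata}"


def decode_ipv4(raw):
    """Pull out the IPv4 fields we cross-check, plus TCP/UDP ports if present."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    info = {
        "total_length": int.from_bytes(raw[2:4], "big"),
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
    }
    if raw[9] in (6, 17) and len(raw) >= ihl + 4:  # TCP or UDP: append ports
        info["src"] += "." + str(int.from_bytes(raw[ihl:ihl + 2], "big"))
        info["dst"] += "." + str(int.from_bytes(raw[ihl + 2:ihl + 4], "big"))
    return info


def check(p):
    """Inconsistencies between the header line and the hex; empty list = ok."""
    raw = bytes.fromhex(p.hexdata)
    info = decode_ipv4(raw)
    if info is None:
        return ["not IPv4 or fewer than 20 bytes dumped"]
    problems = []
    if info["total_length"] != len(raw):
        problems.append(f"IP total length {info['total_length']} but {len(raw)} bytes dumped")
    if (info["src"], info["dst"]) != (p.src, p.dst):
        problems.append(f"hex says {info['src']} > {info['dst']}, header says {p.src} > {p.dst}")
    return problems


if __name__ == "__main__":
    for p in parse_tcpdump(SAMPLE):
        print(one_line(p))
        for problem in check(p):
            print("  !", problem)
```

Run as-is it prints the three joined lines and flags the third packet, whose IP header claims 52 bytes while only 32 were dumped; to use it on a real capture, replace SAMPLE with the text read from a "tcpdump -x -n" run.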
