diff --git a/tcpdump_tools/by_hosts b/tcpdump_tools/by_hosts
new file mode 100755
index 0000000..868ecdd
--- /dev/null
+++ b/tcpdump_tools/by_hosts
@@ -0,0 +1,24 @@
+#!/usr/bin/perl -w
+use strict;
+# 15:20:56.789680 P 0:48:54:5c:4d:f1 0:0:0:0:0:1 ip 1514: wsrppp15.wsr.ac.at.1605 > 195.202.170.227.smtp: P 420284195:420285643(1448) ack 3689574287 win 32120 (DF)
+my %octets;
+
+while (<>) {
+ if (/([\d.:]+) . ([\w:]+) ([\w:]+) ip (\d+): ([\w.]+)\.(\w+) > ([\w.]+)\.(\w+):/) {
+ # print;
+ # print "-> $1 $2 $3 $4 $5 $6 $7 $8\n";
+ my $octets = $4;
+ my $sip = $5;
+ my $sport = $6;
+ my $dip = $7;
+ my $dport = $8;
+ # print "-> proto = $proto\n";
+ $octets{"$sip - $dip"} += $octets;
+ }
+}
+for my $i (sort { $octets{$a} <=> $octets{$b} } keys %octets) {
+ printf "%10d %s\n", $octets{$i}, $i;
+}
+
+#vim:sw=4
+
diff --git a/tcpdump_tools/by_proto b/tcpdump_tools/by_proto
new file mode 100755
index 0000000..2437ea8
--- /dev/null
+++ b/tcpdump_tools/by_proto
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -w
+use strict;
+# 15:20:56.789680 P 0:48:54:5c:4d:f1 0:0:0:0:0:1 ip 1514: wsrppp15.wsr.ac.at.1605 > 195.202.170.227.smtp: P 420284195:420285643(1448) ack 3689574287 win 32120 (DF)
+my %octets;
+
+while (<>) {
+ if (/([\d.:]+) . ([\w:]+) ([\w:]+) ip (\d+): ([\w.]+)\.(\w+) > ([\w.]+)\.(\w+):/) {
+ # print;
+ # print "-> $1 $2 $3 $4 $5 $6 $7 $8\n";
+ my $octets = $4;
+ my $sport = $6;
+ my $dport = $8;
+ my $proto;
+ if ($sport =~ m/[a-z]/) {
+ $proto = $sport;
+ }
+ elsif ($dport =~ m/[a-z]/) {
+ $proto = $dport;
+ }
+ else {
+ $proto = "$sport/$dport";
+ }
+ # print "-> proto = $proto\n";
+ $octets{$proto} += $octets;
+ }
+}
+for my $i (sort { $octets{$a} <=> $octets{$b} } keys %octets) {
+ printf "%10d %s\n", $octets{$i}, $i;
+}
+
+#vim:sw=4
+
diff --git a/tcpdump_tools/tcpdump-collect b/tcpdump_tools/tcpdump-collect
new file mode 100755
index 0000000..52cb7d8
--- /dev/null
+++ b/tcpdump_tools/tcpdump-collect
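Review bot: The match in the `if (/([\d.:]+) . … ([\w.]+)\.(\w+) > ([\w.]+)\.(\w+):/)` line silently drops every packet whose host or service name contains a hyphen, because `[\w.]+` and `(\w+)` exclude `-`; the collector does not pass `-n`, so resolved hostnames with hyphens and /etc/services names such as `netbios-ns` never reach the `$octets{"$sip - $dip"} += $octets;` total, and nothing reports the skipped lines. The same character classes appear in the by_proto hunk below. Widening them to `[-\w.]+` and `([-\w]+)` (the form tcpdump_sum.pl already uses) and counting non-matching lines, e.g. `else { $unparsed++ }` with a final `warn "$unparsed unparsed lines\n" if $unparsed;`, makes the totals trustworthy. The stale `# print "-> proto = $proto\n";` comment refers to a variable this script never defines and can go along with the other commented-out debug prints.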
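Review bot: The classification starting at `if ($sport =~ m/[a-z]/) {` keys on the source port first, so when both ends carry service names the source name wins without comment, and the numeric fallback `$proto = "$sport/$dport";` is directional, so the client-to-server and server-to-client halves of one connection land in two different `$sport/$dport` buckets. If the intent is per-flow totals, a normalized key such as `$proto = join '/', sort { $a <=> $b } $sport, $dport;` merges them; either way a comment stating which side wins and why would help. Reusing `$octets` as the name of the per-packet length next to the `%octets` totals hash is easy to misread; `$len` would be clearer. The parsing regex is a copy of the one in by_hosts, so any fix to one has to be mirrored in the other.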
@@ -0,0 +1,10 @@
+#!/bin/sh
+while true
+do
+ tcpdump -i eth2 -p -e -s 2000 -c 10000 > dump.`isodate`
+ while [ `du -s . | awk '{print $1}'` -gt 1000000 ]
+ do
+ file=`ls -tr dump.????-??-??T??:??:?? | head -1`
+ rm $file
+ done
+done
diff --git a/tcpdump_tools/tcpdump_sum.pl b/tcpdump_tools/tcpdump_sum.pl
index edf38d0..ab17b0b 100755
--- a/tcpdump_tools/tcpdump_sum.pl
+++ b/tcpdump_tools/tcpdump_sum.pl
@@ -11,7 +11,7 @@ sub dumpstats {
 }
 while (<>) {
- if (m/^(\d\d:\d\d):\d\d\.\d{6} ([-\w\.]+) \> ([-\w\.]+): (.*)/) {
+ if (m/^(\d\d:\d\d):\d\d\.\d{6} . ([-\w\.]+) \> ([-\w\.]+): (.*)/) {
 $time = $1;
 $from = $2;
 $to = $3;
@@ -28,7 +28,7 @@ while (<>) {
 # tcp ack
 $sum{$from . " > " . $to} += 0;
 } else {
- print stderr "unparseable2: $_";
+ print stderr "unparseable2: $rest\n";
 }
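Review bot: The cleanup loop measures the whole directory (`du -s .`) but only ever deletes `dump.*` captures, so once other files alone exceed the 1000000 KB threshold — or the glob matches nothing — `ls` fails, `file` is empty, `rm $file` errors and the inner loop spins forever while no capture is running. Guard the empty case and quote the path: `file=$(ls -tr dump.????-??-??T??:??:?? 2>/dev/null | head -n 1)`, `[ -n "$file" ] || break`, `rm -- "$file"`. `isodate` is not a standard utility; the script should say where it comes from, or use a `date` format that produces the same `????-??-??T??:??:??` shape so the filenames keep matching the glob. The interface `eth2`, the size threshold and the output directory (the current working directory) are hard-coded and undocumented; a header comment or positional parameters would make the collector reusable.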
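Review bot: The new `. ` in `m/^(\d\d:\d\d):\d\d\.\d{6} . ([-\w\.]+) \> ([-\w\.]+): (.*)/` accepts any single character where the sample line in by_hosts shows a one-letter flag (`15:20:56.789680 P …`), and it makes lines in the previous format, with the host directly after the timestamp, unparseable. Making the field explicit, e.g. `\S ` or an optional `(?:\S )?`, keeps older captures readable and documents what is being skipped; a short comment naming the flag would help the next reader. The sample in by_hosts also carries `-e` link-layer fields (`0:48:54:5c:4d:f1 0:0:0:0:0:1 ip 1514:`) that this regex does not accept, so the two tools appear to expect different tcpdump invocations, which is worth stating in the file header. The enclosing `while (<>) {` body continues past the hunk.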