diff --git a/tcpdump_tools/by_host b/tcpdump_tools/by_host new file mode 100755 index 0000000..dc8e064 --- /dev/null +++ b/tcpdump_tools/by_host @@ -0,0 +1,54 @@ +#!/usr/bin/perl -w + +=head1 NAME + +by_host + +=head1 DESCRIPTION + +Aggregate tcpdump output by endpoint host. Source and destination are +not distinguished. + +=cut + +use strict; +# 15:20:56.789680 P 0:48:54:5c:4d:f1 0:0:0:0:0:1 ip 1514: wsrppp15.wsr.ac.at.1605 > 195.202.170.227.smtp: P 420284195:420285643(1448) ack 3689574287 win 32120 (DF) +# 09:29:10.114541 In ethertype IPv4 (0x0800), length 457: 199.19.109.76.5070 > 143.130.145.221.5060: SIP, length: 413 +# 09:29:10.114541 Out ethertype IPv4 (0x0800), length 457: 199.19.109.76.5070 > 143.130.145.221.5060: SIP, length: 413 +# 09:29:10.114541 In ethertype IPv4 (0x0800), length 60: 46.137.105.92.80 > 143.130.28.14.29878: Flags [S.], seq 790291952, ack 2509176833, win 17922, options [mss 1436], length 0 +# 09:29:10.114541 Out ethertype IPv4 (0x0800), length 60: 46.137.105.92.80 > 143.130.28.14.29878: Flags [S.], seq 790291952, ack 2509176833, win 17922, options [mss 1436], length 0 + +my %octets; + +while (<>) { + if (/([\d.:]+) ([\w:]+) ([\w:]+) ip (\d+): ([-\w.]+)\.(\w+) > ([-\w.]+)\.(\w+):/) { + # ethernet + # print; + # print "-> $1 $2 $3 $4 $5 $6 $7 $8\n"; + my $octets = $4; + my $sip = $5; + my $sport = $6; + my $dip = $7; + my $dport = $8; + # print "-> proto = $proto\n"; + $octets{$sip} += $octets; + $octets{$dip} += $octets; + } elsif (/(In|Out) ethertype IPv[46] \(0x....\), length (\d+): ([-\w.]+)\.(\w+) > ([-\w.]+)\.(\w+):/) { + # GRE tunnel + my $octets = $2; + my $sip = $3; + my $sport = $4; + my $dip = $5; + my $dport = $6; + # print "-> proto = $proto\n"; + $octets{$sip} += $octets; + $octets{$dip} += $octets; + + } +} +for my $i (sort { $octets{$a} <=> $octets{$b} } keys %octets) { + printf "%10d %s\n", $octets{$i}, $i; +} + +#vim:sw=4 +