[Coral-dev] Combining destination IPs with destination Ports

Srinivas Krishnan krishnan at cs.unc.edu
Fri Jul 16 14:38:49 PDT 2010


If you are willing to use the libcoral library, it is fairly easy to write
the code. You will simply call read_pkt and use get_payload_by_proto to get
the IP layer, cast it using an IP header struct and extract the 5 tuples you
need.  There is a simple hashtable implementation included in coral that you
can use to keep track of your flows.

Of course you will have to roll your own code, but I doubt it's going to be more
than 200 lines of code.

-srinivas


On Fri, Jul 16, 2010 at 1:36 PM, Faisal Khan <khan7 at llnl.gov> wrote:

> Hi,
>
> I am having this problem and was hoping someone can point me in the
> right direction. Basically, I want to list destination IPs that have
> the highest number of ports accessed in a trace. I initially thought
> something like this might work, which is exactly what I need:
>
> crl_flow -I -b file.pcap  | t2_convert -b -F dst_IP_dst_Port_Table |
> t2_top -Sf -n10 > out.txt
>
> but it turns out the Key 'dst_IP_dst_Port_Table' is not implemented.
>
> I then used
>
> crl_flow -I -b file.pcap  | t2_convert -b dst_IP_Proto_dst_Port_Table |
> t2_convert -F dst_IP_Table | t2_top -Sf -n10 > out.txt
>
> which could have approximated what I wanted, but it turns out the table
> spit out by the first t2_convert is incompatible with what the second
> t2_convert requires.
>
>
> I was wondering if any of you know of any way to achieve what I want
> to do?
>
>
> Thanks
> Faisal
>