[Coral-dev] Combining destination IPs with destination Ports

Faisal N. Khan fnkhan at ucdavis.edu
Fri Jul 16 14:41:33 PDT 2010


Thanks Srinivas,

I thought you might have to write up something yourself. And I am pretty sure
it would be some small code too. However, I am not too experienced in
CoralReef programming. Do you know of any example code and documentation for
the library?

Faisal

On Fri, Jul 16, 2010 at 2:38 PM, Srinivas Krishnan <krishnan at cs.unc.edu> wrote:

> If you are willing to use the libcoral library, it is fairly easy to write
> the code. You will simply call read_pkt and use get_payload_by_proto to get
> the IP layer, cast it using an IP header struct and extract the 5 tuples you
> need.  There is a simple hashtable implementation included in coral that you
> can use to keep track of your flows.
>
> Of course you will have to roll your code, but I doubt it's going to be more
> than 200 lines of code.
>
> -srinivas
>
>
> On Fri, Jul 16, 2010 at 1:36 PM, Faisal Khan <khan7 at llnl.gov> wrote:
>
>> Hi,
>>
>> I am having this problem and was hoping someone can point me in the
>> right direction. Basically, I want to list destination IPs that have
>> the highest number of ports accessed in a trace. I initially thought
>> something like this might work, which is exactly what I need
>>
>> crl_flow -I -b file.pcap  | t2_convert -b -F dst_IP_dst_Port_Table |
>> t2_top -Sf -n10 > out.txt
>>
>> but it turns out the Key 'dst_IP_dst_Port_Table' is not implemented.
>>
>> I then used
>>
>> crl_flow -I -b file.pcap  | t2_convert -b dst_IP_Proto_dst_Port_Table |
>> t2_convert -F dst_IP_Table | t2_top -Sf -n10 > out.txt
>>
>> which could have approximated what I wanted but it turns out the table
>> spit out by the first t2_convert is incompatible with what the second
>> t2_convert requires.
>>
>>
>> I was wondering if any of you know of any way to achieve what I want
>> to do?
>>
>>
>> Thanks
>> Faisal
>>
>
>
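
Added example, not part of the thread and not CoralReef code: a stand-alone Python reader that computes the ranking asked for above, destination IPs ordered by how many distinct ports were accessed on each. It assumes a classic pcap file with Ethernet framing and counts (protocol, destination port) pairs for TCP and UDP; the function names and the sample trace are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def top_dst_by_ports(pcap: bytes, n: int = 10):
    """Rank IPv4 destinations by distinct (proto, dst port) pairs seen."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # file byte order
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    ports = defaultdict(set)
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # truncated or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        proto = ip[9]
        if ip[0] >> 4 != 4 or ihl < 20 or frag or proto not in (6, 17):
            continue                      # later fragments carry no L4 header
        if len(ip) < ihl + 4:
            continue                      # snaplen cut off the port fields
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        ports[socket.inet_ntoa(ip[16:20])].add((proto, dport))
    ranked = sorted(ports.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(dst, len(p)) for dst, p in ranked[:n]]

def sample_pcap():
    """Constructed trace: 10.0.0.5 hit on 3 TCP ports, 10.0.0.9 on 1 UDP port."""
    def pkt(dst, proto, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         socket.inet_aton("192.0.2.1"), socket.inet_aton(dst))
        frame = b"\0" * 12 + b"\x08\x00" + ip + struct.pack("!HHI", 40000, dport, 0)
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [("10.0.0.5", 6, 22), ("10.0.0.5", 6, 80), ("10.0.0.5", 6, 443),
             ("10.0.0.5", 6, 80), ("10.0.0.9", 17, 53)]  # port 80 repeated
    return hdr + b"".join(pkt(*f) for f in flows)

if __name__ == "__main__":
    for dst, count in top_dst_by_ports(sample_pcap()):
        print(dst, count)
```

A destination contacted on many distinct ports from this ranking is the usual starting point for spotting vertical port scans in a trace.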