[Coral-dev] Combining destination IPs with destination Ports

Srinivas Krishnan krishnan at cs.unc.edu
Fri Jul 16 14:46:07 PDT 2010


http://www.caida.org/tools/measurement/coralreef/doc/doc/libcoral-c.html#single-packet

Of course you can always crl_print_pkt and roll a Perl/Python script on top
to get the info you need. But in my experience, using the C-lib buys you a
lot in speed if you are processing large traces.

-srinivas


On Fri, Jul 16, 2010 at 2:41 PM, Faisal N. Khan <fnkhan at ucdavis.edu> wrote:

> Thanks Srinivas,
>
> I thought you might have to write up something yourself. And I am pretty sure
> it would be some small code too. However, I am not very experienced in
> CoralReef programming. Do you know of any example code and documentation for
> the library?
>
> Faisal
>
>
> On Fri, Jul 16, 2010 at 2:38 PM, Srinivas Krishnan <krishnan at cs.unc.edu> wrote:
>
>> If you are willing to use the libcoral library, it is fairly easy to write
>> the code. You will simply call read_pkt and use get_payload_by_proto to get
>> the IP layer, cast it using an IP header struct and extract the 5 tuples you
>> need.  There is a simple hashtable implementation included in coral that you
>> can use to keep track of your flows.
>>
>> Of course you will have to roll your code, but I doubt it's going to be
>> more than 200 lines of code.
>>
>> -srinivas
>>
>>
>>   On Fri, Jul 16, 2010 at 1:36 PM, Faisal Khan <khan7 at llnl.gov> wrote:
>>
>>> Hi,
>>>
>>> I am having this problem and was hoping someone can point me in the
>>> right direction. Basically, I want to list the destination IPs that have the
>>> highest number of ports accessed in a trace. I initially thought
>>> something like this might work, which is exactly what I need:
>>>
>>> crl_flow -I -b file.pcap  | t2_convert -b -F dst_IP_dst_Port_Table |
>>> t2_top -Sf -n10 > out.txt
>>>
>>> but it turns out the Key 'dst_IP_dst_Port_Table' is not implemented.
>>>
>>> I then used
>>>
>>> crl_flow -I -b file.pcap  | t2_convert -b dst_IP_Proto_dst_Port_Table |
>>> t2_convert -F dst_IP_Table | t2_top -Sf -n10 > out.txt
>>>
>>> which could have approximated what I wanted, but it turns out the table
>>> spit out by the first t2_convert is incompatible with what the second
>>> t2_convert requires.
>>>
>>>
>>> I was wondering if any of you know of any way to achieve what I want
>>> to do?
>>>
>>>
>>> Thanks
>>> Faisal
>>>
>>> _______________________________________________
>>> Coral-dev mailing list
>>> Coral-dev at caida.org
>>> https://rommie.caida.org/mailman/listinfo/coral-dev
>>>
>>
>>
>