[Coral-dev] Combining destination IPs with destination Ports

Jeff Terrell jeff.terrell at acm.org
Fri Jul 16 14:58:01 PDT 2010


On Fri, Jul 16, 2010 at 4:36 PM, Faisal Khan <khan7 at llnl.gov> wrote:
> I am having this problem and was hoping someone can point me in the
> right direction. Basically, I want to list destination IPs that have
> highest number of ports accessed in a trace.

Hi Faisal,

I'm not sure how you would solve the problem using CoralReef
command-line tools, but my first thought is always to use standard
Unix command-line tools.  Something like this:

$ tcpdump -nnttr file.pcap 'tcp or udp' |
cut -d' ' -f5 |  # select only the 5th word, the destination IP.port field
cut -d: -f1 |    # strip off the trailing ':' character (not strictly necessary)
sort -u |        # sort and remove duplicate IP.port combinations
cut -d. -f1-4 |  # strip off the port field
uniq -c |        # count how many occurrences of each IP
sort -n          # sort by number of occurrences of each IP

The idea is that you get all unique destination IP.port combinations,
and then remove the port field, and count how many of each destination
IP there is.  It might take some thinking to wrap your head around
that logic, but I'm pretty sure it is correct.

One other subtlety: you should set the LC_ALL environmental variable
to C (e.g. "export LC_ALL=C" on the command line).  Otherwise, the
'sort' command sometimes tries to be too clever, converting IP
addresses to numbers and thinking that "1.2.3.45" and "1.2.34.5" are
equal.

Hope this helps,
-Jeff T.
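The pipeline from the reply above, wrapped in a function so it can be run offline against a constructed stand-in for tcpdump output (an added example, not code from the original post). It sets LC_ALL=C as the reply recommends, sorts the busiest destination first, and the sample deliberately contains the 1.2.3.45 / 1.2.34.5 pair the locale warning is about. The function and sample names are made up for this example.

```shell
#!/bin/sh
# Added example: Jeff's pipeline as a function, with LC_ALL=C so that
# sort compares IP strings byte by byte instead of as locale-aware numbers.
export LC_ALL=C

# Constructed stand-in for the output of
#   tcpdump -nnttr file.pcap 'tcp or udp'
# made up for this example so it runs without a pcap.  10.0.0.5 touches
# three distinct ports on 1.2.3.45 (port 80 twice), 10.0.0.6 touches two on
# 1.2.34.5 (port 53 twice), and 10.0.0.7 touches one on 192.168.1.10.
sample_tcpdump_lines() {
cat <<'EOF'
1279317000.000001 IP 10.0.0.5.40001 > 1.2.3.45.22: Flags [S], seq 1, win 512, length 0
1279317000.000002 IP 10.0.0.5.40002 > 1.2.3.45.80: Flags [S], seq 1, win 512, length 0
1279317000.000003 IP 10.0.0.5.40003 > 1.2.3.45.443: Flags [S], seq 1, win 512, length 0
1279317000.000004 IP 10.0.0.5.40004 > 1.2.3.45.80: Flags [S], seq 1, win 512, length 0
1279317000.000005 IP 10.0.0.6.53000 > 1.2.34.5.53: UDP, length 40
1279317000.000006 IP 10.0.0.6.53001 > 1.2.34.5.53: UDP, length 40
1279317000.000007 IP 10.0.0.6.53002 > 1.2.34.5.123: UDP, length 48
1279317000.000008 IP 10.0.0.7.50000 > 192.168.1.10.25: Flags [S], seq 1, win 512, length 0
EOF
}

# Reads tcpdump lines on stdin; prints "<distinct dst ports> <dst IPv4>",
# destination with the most distinct ports first.  IPv4 only: the port is
# assumed to be the 5th dot-separated field of the destination.
distinct_dst_ports() {
    cut -d' ' -f5 |         # 5th word: destination IP.port with trailing ':'
    cut -d: -f1 |           # drop the trailing ':'
    sort -u |               # unique IP.port combinations (byte order, LC_ALL=C)
    cut -d. -f1-4 |         # drop the port, keep the IPv4 address
    uniq -c |               # count ports per IP (input is still sorted)
    sort -rn |              # highest count first
    awk '{ print $1, $2 }'  # normalise uniq's padding to "count ip"
}

# The destination IP with the highest number of distinct ports accessed.
top_dst_ip() {
    sample_tcpdump_lines | distinct_dst_ports | head -n 1 | cut -d' ' -f2
}

sample_tcpdump_lines | distinct_dst_ports
```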
