[Coral-dev] Combining destination IPs with destination Ports

Jeff Terrell jeff.terrell at acm.org
Fri Jul 16 15:00:25 PDT 2010


D'oh...one correction below.

On Fri, Jul 16, 2010 at 5:58 PM, Jeff Terrell <jeff.terrell at acm.org> wrote:
> On Fri, Jul 16, 2010 at 4:36 PM, Faisal Khan <khan7 at llnl.gov> wrote:
>> I am having this problem and was hoping someone can point me in the
>> right direction. Basically, I want to list destination IPs that have
>> highest number of ports accessed in a trace.
>
> Hi Faisal,
>
> I'm not sure how you would solve the problem using CoralReef
> command-line tools, but my first thought is always to use standard
> Unix command-line tools.  Something like this:
>
> $ tcpdump -nnttr file.pcap 'tcp or udp' |
> cut -d' ' -f5 |  # select only the 5th word, the destination IP.port field
> cut -d: -f1 |    # strip off the trailing ':' character (not strictly necessary)
> sort -u |        # sort and remove duplicate IP.port combinations
> cut -d. -f1-4 |  # strip off the port field
> uniq -c |        # count how many occurrences of each IP
> sort -n |       # sort by number of occurrences of each IP

That last line should be:

sort -n         # sort by number of occurrences of each IP

(i.e. without the trailing "|")

> The idea is that you get all unique destination IP.port combinations,
> and then remove the port field, and count how many of each destination
> IP there is.  It might take some thinking to wrap your head around
> that logic, but I'm pretty sure it is correct.
>
> One other subtlety: you should set the LC_ALL environmental variable
> to C (e.g. "export LC_ALL=C" on the command line).  Otherwise, the
> 'sort' command sometimes tries to be too clever, converting IP
> addresses to numbers and thinking that "1.2.3.45" and "1.2.34.5" are
> equal.
>
> Hope this helps,
> -Jeff T.
