[Coral-dev] Combining destination IPs with destination Ports
Jeff Terrell
jeff.terrell at acm.org
Fri Jul 16 15:00:25 PDT 2010
D'oh...one correction below.
On Fri, Jul 16, 2010 at 5:58 PM, Jeff Terrell <jeff.terrell at acm.org> wrote:
> On Fri, Jul 16, 2010 at 4:36 PM, Faisal Khan <khan7 at llnl.gov> wrote:
>> I am having this problem and was hoping someone can point me in the
>> right direction. Basically, I want to list destination IPs that have
>> highest number of ports accessed in a trace.
>
> Hi Faisal,
>
> I'm not sure how you would solve the problem using CoralReef
> command-line tools, but my first thought is always to use standard
> Unix command-line tools. Something like this:
>
> $ tcpdump -nnttr file.pcap 'tcp or udp' |
> cut -d' ' -f5 | # select only the 5th word, the destination IP.port field
> cut -d: -f1 | # strip off the trailing ':' character (not strictly necessary)
> sort -u | # sort and remove duplicate IP.port combinations
> cut -d. -f1-4 | # strip off the port field
> uniq -c | # count how many occurrences of each IP
> sort -n | # sort by number of occurrences of each IP
That last line should be:
sort -n # sort by number of occurrences of each IP
(i.e. without the trailing "|")
> The idea is that you get all unique destination IP.port combinations,
> and then remove the port field, and count how many of each destination
> IP there is. It might take some thinking to wrap your head around
> that logic, but I'm pretty sure it is correct.
>
> One other subtlety: you should set the LC_ALL environmental variable
> to C (e.g. "export LC_ALL=C" on the command line). Otherwise, the
> 'sort' command sometimes tries to be too clever, converting IP
> addresses to numbers and thinking that "1.2.3.45" and "1.2.34.5" are
> equal.
>
> Hope this helps,
> -Jeff T.