[Coral-dev] Combining destination IPs with destination Ports

Faisal Khan khan7 at llnl.gov
Fri Jul 16 17:09:24 PDT 2010 

Thanks Jeff,

This looks like a simple solution, keying on the column number(s) in the 
table. I guess it would be nice if CoralReef also has such a 
flexibility. One can then combine the keys in the way they want, instead 
of relying on using the explicitly declared keys, only some of which are 
implemented. I understand that this may have some performance 
implications but then cant we have both explicit as well as user 
selected key implementations.

Faisal

On 7/16/2010 3:00 PM, Jeff Terrell wrote:
> D'oh...one correction below.
>
> On Fri, Jul 16, 2010 at 5:58 PM, Jeff Terrell<jeff.terrell at acm.org>  wrote:
>    
>> On Fri, Jul 16, 2010 at 4:36 PM, Faisal Khan<khan7 at llnl.gov>  wrote:
>>      
>>> I am having this problem and was hoping someone can point me in the
>>> right direction. Basically, I want to list destination IPs that have
>>> highest number of ports accessed in a trace.
>>>        
>> Hi Faisal,
>>
>> I'm not sure how you would solve the problem using CoralReef
>> command-line tools, but my first thought is always to use standard
>> Unix command-line tools.  Something like this:
>>
>> $ tcpdump -nnttr file.pcap 'tcp or udp' |
>> cut -d' ' -f5 |  # select only the 5th word, the destination IP.port field
>> cut -d: -f1 |    # strip off the trailing ':' character (not strictly necessary)
>> sort -u |        # sort and remove duplicate IP.port combinations
>> cut -d. -f1-4 |  # strip off the port field
>> uniq -c |        # count how many occurrences of each IP
>> sort -n |       # sort by number of occurrences of each IP
>>      
> That last line should be:
>
> sort -n         # sort by number of occurrences of each IP
>
> (i.e. without the trailing "|")
>
>    
>> The idea is that you get all unique destination IP.port combinations,
>> and then remove the port field, and count how many of each destination
>> IP there is.  It might take some thinking to wrap your head around
>> that logic, but I'm pretty sure it is correct.
>>
>> One other subtlety: you should set the LC_ALL environmental variable
>> to C (e.g. "export LC_ALL=C" on the command line).  Otherwise, the
>> 'sort' command sometimes tries to be too clever, converting IP
>> addresses to numbers and thinking that "1.2.3.45" and "1.2.34.5" are
>> equal.
>>
>> Hope this helps,
>> -Jeff T.
>>

More information about the Coral-dev mailing list