Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Why this code not working with pcap files?

by lepetal (Initiate)
on Nov 02, 2012 at 10:13 UTC ( #1001940=perlquestion: print w/ replies, xml ) Need Help??
lepetal has asked for the wisdom of the Perl Monks concerning the following question:

Hi, folks! Why this code not works with pcap files of tcpdump and go to freeze.
#! /usr/bin/perl use Class::Struct; use Math::BigInt; my $usage = "Usage: $0 tcpdump_file\n"; my $fh; struct( conn => { fin => int, stime => double, etime => double}); my %hash = (); if ($#ARGV != 0) { die "$usage"; } else { my $file = $ARGV[0]; my $start = 0; open(TD, "sudo tcpdump -r $file -tt |") || die "tcpdump failed\n"; while (<TD>) { if (/([0-9]+.[0-9]+)(.*)(1.1.2.3.*)(\.[0-9]+)(.*5.6.7.8.*)(S)/ +) { my $time = $1; if ($start == 0) { $start = $time; } my $port = $4; if ($hash{$port} == 0) { $hash{$port} = new conn(); $hash{$port}->{fin} = 0; $hash{$port}->{stime} = $1; $hash{$port}->{etime} = 0; my $fin = $hash{$port}->{fin}; } } elsif (/([0-9]+.[0-9]+)(.*)(1.1.2.3)(\.[0-9]+)(.*)(5.6.7.8)(.* +)([F|.|R])/) { my $time = $1; my $port = $4; my $flag = $8; my $h = $hash{$port}; if ($hash{$port} != 0 && ($flag eq 'F')) { $hash{$port}->{fin} = 1; } elsif (($flag eq "." && $hash{$port}->{fin} == 1) || $flag eq "R") { $hash{$port}->{etime} = $1; } } elsif (/([0-9]+.[0-9]+)(.*)(1.1.2.3)(\.[0-9]+)(.*)(5.6.7.8.*)( +.*)(R)/) { my $time = $1; my $port = $4; my $flag = $7; $hash{$port}->{etime} = $1; } } for my $key ( keys %hash ) { my $stime = $hash{$key}->{stime}; my $etime = $hash{$key}->{etime}; if ($etime == 0) { $etime = $stime + 200.0; } my $begin = $stime - $start; my $dur = $etime - $stime; print "$begin $dur\n"; } }

Comment on Why this code not working with pcap files?
Download Code
Re: Why this code not working with pcap files?
by grizzley (Chaplain) on Nov 02, 2012 at 11:15 UTC
    It worked on my example file. Maybe your pcap is so big, that it takes time to proceed and you only think it was frozen? Try
    print "Processing line $." if $. % 10 == 0;
    right after while (<TD>) { line to see if it does anything.
Re: Why this code not working with pcap files?
by space_monk (Chaplain) on Nov 02, 2012 at 11:40 UTC
    Not a complete answer, but the regex expressions seem to share a lot of commonality and a fair amount of complexity. Can't you have one regex to check you've found a relevant line, then use much smaller regexs to sort out how you need to respond to that line?
Re: Why this code not working with pcap files?
by aitap (Deacon) on Nov 02, 2012 at 19:18 UTC
    Perhaps Net::Pcap will require less code and will run smoother.
    Sorry if my advice was wrong.
Re: Why this code not working with pcap files?
by graff (Chancellor) on Nov 03, 2012 at 04:23 UTC
    Following up on the first two replies, if the code seems to work well enough on a small set if input data, then the problem is probably with the regexes being to complicated. For one thing, you're capturing up to 8 strings with parens, but you never use more than three of the captures. But the real problem is the number of greedy matches (+ or * instead of using specific numbers or ranges or non-greedy +? and *? wherever possible).

    It also looks like you might not understand some basic details about regex syntax. When you say ([0-9]+.[0-9]+) are you forgetting that "." matches any character (not just a literal period)? Your use of vertical bars in ([F|.|R]) probably doesn't mean exactly what you intend.

    There's bound to be an easier way to parse each line; maybe start by splitting on whitespace into an array, then test the particular elements of the array that matter (ignore the rest), rather than running one or more heavy regexes on the full content of each line.

    It might help if you post a small amount of relevant sample data.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1001940]
Approved by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (6)
As of 2014-07-10 23:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (217 votes), past polls