Re: Novice::Help>Split IP Address(port) + count
- From: "Jim Keenan" <jkeen_via_google@xxxxxxxxx>
- Date: 16 Jun 2005 09:35:28 -0700
RobO wrote:
> [snip]
> I have a feeling that I'm not splitting the lines correctly or I need
> to split them seperately possibly in different "if" statements.???
> As mentioned an ICMP count is fine I get the results I want but when
> its a UDP count as in the other log line the format is
> ip_address(port).
>
> I have only been able to analyze the IP addresses but not anything
> within parenthesis.
>
> ###start###newbie-dont laugh :-)
> open (INFILE, $log_file) || die "Could not open $log_file";
> foreach (<INFILE>) {
> chomp($log_file);
> ($date_stmp, $time_stmp, $facility, $logsrc, $loglevel, $restof) =
> split (/\s+/, $_, 6);
> ($left, $right) = split (/\-\>/, $restof, 2);
> ($list, $listname, $action, $protocol, $src_ip) = split (/\s+/, $left,
> 5);
> ($dest_ip, $icmp_type, $packets) = split (/\,/, $right, 3);
> # ($src_ip, $dest_ip) = split (/[()]/, $_, 2);
>
> if ($protocol =~ /icmp/) {
> $icmp_hits++;
> $_ = $src_ip;
> /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
> $icmp_ip_count{$src_ip}++;
> }
> # if ($src_ip =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) {
> # $denied_hits++;
> # $_ = $src_ip;
> # (/\(\d{1,5}\)/);
> # /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
> # $deny_ip_count{$src_ip}++;
> # }
> close (INFILE);
>
>
> sub icmp_count_ip_byval { $icmp_ip_count{$b}-$icmp_ip_count{$a}; }
> $icmp_ip_count = 0;
> foreach (sort icmp_count_ip_byval keys %icmp_ip_count) {
> # if ($icmp_ip_count{$_} > 1) {
> print "$icmp_ip_count{$_}\t$_\n";
> # }
>
> sub deny_count_ip_byval { $deny_ip_count{$b}-$deny_ip_count{$a}; }
> $deny_ip_count = 0;
> foreach (sort deny_count_ip_byval keys %deny_ip_count) {
> print "$_\n";
> }
> }
> ###end###
You need to focus your analysis more, for two reasons.
The less important of the two is that, when posting on this or any
other list, you will elicit more offers of assistance if the people
reading your post don't have to wade through irrelevant material to get
to the heart of the problem. (Cf the Posting Guidelines).
The more important is that the *very process of focusing your analysis*
will often help you diagnose the problem yourself.
The problem you originally described has to do with parsing a line in a
log file: What is the best combination of 'split' and regexes to do
so? So far, so good.
But the code you posted starts with opening and reading the file --
which is not your stated problem. You also provide a lot of code
dealing with printing the results of your line parsing to STDOUT --
again, not your stated problem.
My hunch is that your problem lies in this area:
> ($date_stmp, $time_stmp, $facility, $logsrc, $loglevel, $restof) =
> split (/\s+/, $_, 6);
> ($left, $right) = split (/\-\>/, $restof, 2);
> ($list, $listname, $action, $protocol, $src_ip) = split (/\s+/, $left,
> 5);
> ($dest_ip, $icmp_type, $packets) = split (/\,/, $right, 3);
Can you narrow the focus further? In particular, figure out what you
need to do with this line:
INGRESS1 denied udp 202.97.175.52(4864) -> xxx.xxx.xxx.xxx(1434), 1
packet
HTH
jimk
.
- References:
- Novice::Help>Split IP Address(port) + count
- From: RobO
- Re: Novice::Help>Split IP Address(port) + count
- From: Jim Keenan
- Re: Novice::Help>Split IP Address(port) + count
- From: RobO
- Novice::Help>Split IP Address(port) + count
- Prev by Date: Re: Specifying which Perl with pp.bat
- Next by Date: Re: How to send struct data over socket?
- Previous by thread: Re: Novice::Help>Split IP Address(port) + count
- Next by thread: Re: Novice::Help>Split IP Address(port) + count
- Index(es):
Relevant Pages
|
