The modifications that I made to Dave and John's script are below. I have included it as an
attachment also, just in case the formatting gets messed up being sent in email. But as most of
you would know by now, we don't want to open attachments from people we don't TRUST.
-----------------------
#! /usr/bin/perl
#################################################################################################
# topports - a utility for use with cflowd based on a tool by Dave Plonka (software re-use? :-) #
# By: Dave Plonka(plonka@doit.wisc.edu) #
# Edited By: John Kristoff(jtk@aharp.is-net.depaul.edu) #
# Edited By: Edson Manners(emanners@acns.fsu.edu) #
# Date: August 1, 2001 #
# Changes: Added $totalpkts, $totalflows and if statements to compute averages for #
# different thingys. #
use FindBin;
use Cflow qw(:flowvars 1.007); # for flow file data
#use Socket; # for inet_ntoa, inet_aton
use POSIX; # for strftime
require 'getopts.pl'; # for cml options
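use Socket qw(inet_aton);   # for the -H next-hop filter (see $hop below)

# Option parsing.  Getopts() from getopts.pl sets $opt_<letter> package
# globals; they are read by wanted() and the two report subs.
if (!Getopts('hvH:t:nm:') || $opt_h) {
    print STDERR <<_EOF_
usage: $FindBin::Script [-h] [-v] [-n] [-H nexthop] [-t thingy] [-m n] [flow_file [...]]
  -h          - shows this usage information (mnemonic: 'h'elp)
  -H nexthop  - only report flows forwarded via this next-hop address
  -t thingy   - report only one counter ('bytes', 'pkts', or 'flows')
  -n          - show service names rather than port numbers
  -m n        - show, at most, top 'n' ports (mnemonic: at 'm'ost or 'm'ax)
  -v          - verbose - show warnings (mnemonic: 'v'erbose)
If no flow file arguments are specified, <*.flows*> will be used.
_EOF_
;
    exit($opt_h ? 0 : 2);
}

# Reject option values the report code cannot handle instead of producing a
# half-formed table: -t must name one of the three counters, -m must be a
# non-negative integer.
if (defined $opt_t && $opt_t !~ /\A(?:bytes|pkts|flows)\z/) {
    print STDERR "$FindBin::Script: -t must be 'bytes', 'pkts' or 'flows', not '$opt_t'\n";
    exit 2;
}
if (defined $opt_m && $opt_m !~ /\A\d+\z/) {
    print STDERR "$FindBin::Script: -m expects a non-negative integer, not '$opt_m'\n";
    exit 2;
}

Cflow::verbose($opt_v);

# $thingy is a global set by the report subs and read by the *_by_thingy
# sort comparators ('flows', 'pkts' or 'bytes').

# State read and written by wanted(): the time window of the flows seen so
# far (0 = nothing seen yet) and, with -H, the next hop to filter on.
$min_secs = 0;
$max_secs = 0;
if ($opt_H) {
    my $packed = inet_aton($opt_H)
        or die "$FindBin::Script: cannot resolve next hop '$opt_H'\n";
    # wanted() compares Cflow's $nexthop numerically, so keep the address as a
    # host-order 32-bit integer, as the original (commented-out) line did.
    $hop = unpack('N', $packed);
}
#print STDERR "Deliver SIGQUIT to generate a report...\n" if -t;
#$SIG{'QUIT'} = \&srcport_report;

Cflow::find(\&wanted, @ARGV ? @ARGV : <*.flows*>);
srcport_report();
dstport_report();

# The report subs historically staged their tables through a scratch file
# named "notperm" in the current directory.  Close the handle and remove the
# file with unlink; spawning a shell for `rm` buys nothing here.
close NOTPERM;
unlink 'notperm';
exit 0;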
sub wanted {
    # Per-flow callback handed to Cflow::find.  Reads the :flowvars globals
    # ($nexthop, $unix_secs, $srcport, $dstport, $bytes, $pkts) and folds the
    # flow into the per-port tables and the grand totals.
    #
    # NOTE(review): $hop must be set from -H before Cflow::find runs; check
    # that the assignment near the top of the script is live, otherwise this
    # compares $nexthop against undef.
    return if $opt_H && $nexthop != $hop;

    # Widen the observed time window; 0 means "no flow seen yet".
    $min_secs = $unix_secs if $min_secs == 0 || $unix_secs < $min_secs;
    $max_secs = $unix_secs if $max_secs == 0 || $unix_secs > $max_secs;

    # The same three counters are kept for the source-port and the
    # destination-port table.
    for my $pair ([\%srcport_results, $srcport], [\%dstport_results, $dstport]) {
        my ($table, $port) = @{$pair};
        $table->{$port}{bytes} += $bytes;
        $table->{$port}{pkts}  += $pkts;
        $table->{$port}{flows}++;
    }

    $nflows++;
    $totalbytes += $bytes;
    $totalpkts  += $pkts;
    $totalflows  = $nflows;    # kept in step with $nflows for the reports
}
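# Sort comparators for the per-port tables.  Both read the global $thingy
# ('flows', 'pkts' or 'bytes') and order ports by descending count.  Kept for
# callers that sort with them by name; the report code below sorts inline.
sub srcport_by_thingy {
    return $srcport_results{$b}{$thingy} <=> $srcport_results{$a}{$thingy};
}

sub dstport_by_thingy {
    return $dstport_results{$b}{$thingy} <=> $dstport_results{$a}{$thingy};
}

# Denominator for the percentage column of counter $which, or undef for an
# unknown counter name.  Read at call time so the totals filled in by
# wanted() are seen.
sub _total_for {
    my ($which) = @_;
    return $which eq 'flows' ? $totalflows
         : $which eq 'pkts'  ? $totalpkts
         : $which eq 'bytes' ? $totalbytes
         :                     undef;
}

# Label for a port: its service name when -n was given (cached in
# %name_cache), else the port number.  Inherited hack: the lookup always asks
# for "tcp" because the flow's protocol is not consulted, so UDP-only
# services can come back unnamed or misnamed.
sub _port_label {
    my ($port) = @_;
    return $port unless $opt_n;
    if (!defined $name_cache{$port}) {
        my ($name) = getservbyport($port, 'tcp');
        $name_cache{$port} = defined $name ? $name : '';
    }
    return $name_cache{$port} eq '' ? $port : $name_cache{$port};
}

# Rows of one table column for counter $which: a blank line, a heading, then
# the top-$limit ports of %$results with their count and share of the total.
# Built in memory; the old code round-tripped every column through a
# predictably named scratch file ("notperm") in the current directory, which
# was both slower and a clobbering/symlink hazard.
sub _column_rows {
    my ($which, $results, $limit) = @_;
    my $heading = $which . ($opt_H ? " nexthop to $opt_H" : '') . ':';
    my @rows    = ('', $heading);
    my $total   = _total_for($which);
    my @ports   = sort { $results->{$b}{$which} <=> $results->{$a}{$which} }
                  keys %{$results};
    for my $port (@ports) {
        my $count = $results->{$port}{$which};
        my $row   = _port_label($port) . ": $count";
        # Share of the grand total; omitted when the total is zero or $which
        # is not a known counter, rather than dividing by zero.
        $row .= sprintf ': %.1f%%', 100 * $count / $total if $total;
        push @rows, $row;
        last unless --$limit;
    }
    return @rows;
}

# Print the three-column table used by both reports: one column per counter
# (or only the -t one), each padded to 32 characters.  Rows are rebuilt per
# call, so a shorter table no longer shows leftover rows from the previous
# report.
sub _print_table {
    my ($results) = @_;
    my $limit = $opt_m ? $opt_m : 10;
    my %rows_for;
    for my $which ($opt_t ? ($opt_t) : ('flows', 'pkts', 'bytes')) {
        $rows_for{$which} = [ _column_rows($which, $results, $limit) ];
    }
    # Print as many rows as the longest column has (the old loop printed a
    # fixed $opt_m + 2 rows, padding with blank lines).
    my $nrows = 0;
    for my $col (values %rows_for) {
        $nrows = scalar @{$col} if @{$col} > $nrows;
    }
    for my $i (0 .. $nrows - 1) {
        printf "%-32s%-32s%-32s\n",
            map { my $col = $rows_for{$_};
                  defined $col && defined $col->[$i] ? $col->[$i] : '' }
                qw(flows pkts bytes);
    }
    return;
}

# Report on source ports (outbound traffic): flow/time summary, then the
# table.  Also applies the -m default to $opt_m, which the dstport report
# historically relied on this sub having done.
sub srcport_report {
    printf "\nSaw %d outbound flows between %s and %s.\n",
        $nflows, scalar(localtime($min_secs)), scalar(localtime($max_secs));
    return unless %srcport_results;
    if (!defined $opt_m) {
        print "----------------";    # inherited separator, printed without a newline
        $opt_m = 10;
    }
    _print_table(\%srcport_results);
    return;
}

# Report on destination ports (inbound traffic): flow/time summary, then
# the table.
sub dstport_report {
    printf "\nSaw %d inbound flows between %s and %s.\n",
        $nflows, scalar(localtime($min_secs)), scalar(localtime($max_secs));
    return unless %dstport_results;
    _print_table(\%dstport_results);
    return;
}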
=====
Edson Manners
Academic Computing & Networking Services
Florida State University
#! /usr/bin/perl
#################################################################################################
# topports - a utility for use with cflowd based on a tool by Dave Plonka (software re-use? :-) #
# By: Dave Plonka(plonka@doit.wisc.edu) #
# Edited By: John Kristoff(jtk@aharp.is-net.depaul.edu) #
# Edited By: Edson Manners(emanners@acns.fsu.edu) #
# Date: August 1, 2001 #
# Changes: Added $totalpkts, $totalflows and if statements to compute averages for #
# different thingys. #
use FindBin;
use Cflow qw(:flowvars 1.007); # for flow file data
#use Socket; # for inet_ntoa, inet_aton
use POSIX; # for strftime
require 'getopts.pl'; # for cml options
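use Socket qw(inet_aton);   # for the -H next-hop filter (see $hop below)

# Option parsing.  Getopts() from getopts.pl sets $opt_<letter> package
# globals; they are read by wanted() and the two report subs.
if (!Getopts('hvH:t:nm:') || $opt_h) {
    print STDERR <<_EOF_
usage: $FindBin::Script [-h] [-v] [-n] [-H nexthop] [-t thingy] [-m n] [flow_file [...]]
  -h          - shows this usage information (mnemonic: 'h'elp)
  -H nexthop  - only report flows forwarded via this next-hop address
  -t thingy   - report only one counter ('bytes', 'pkts', or 'flows')
  -n          - show service names rather than port numbers
  -m n        - show, at most, top 'n' ports (mnemonic: at 'm'ost or 'm'ax)
  -v          - verbose - show warnings (mnemonic: 'v'erbose)
If no flow file arguments are specified, <*.flows*> will be used.
_EOF_
;
    exit($opt_h ? 0 : 2);
}

# Reject option values the report code cannot handle instead of producing a
# half-formed table: -t must name one of the three counters, -m must be a
# non-negative integer.
if (defined $opt_t && $opt_t !~ /\A(?:bytes|pkts|flows)\z/) {
    print STDERR "$FindBin::Script: -t must be 'bytes', 'pkts' or 'flows', not '$opt_t'\n";
    exit 2;
}
if (defined $opt_m && $opt_m !~ /\A\d+\z/) {
    print STDERR "$FindBin::Script: -m expects a non-negative integer, not '$opt_m'\n";
    exit 2;
}

Cflow::verbose($opt_v);

# $thingy is a global set by the report subs and read by the *_by_thingy
# sort comparators ('flows', 'pkts' or 'bytes').

# State read and written by wanted(): the time window of the flows seen so
# far (0 = nothing seen yet) and, with -H, the next hop to filter on.
$min_secs = 0;
$max_secs = 0;
if ($opt_H) {
    my $packed = inet_aton($opt_H)
        or die "$FindBin::Script: cannot resolve next hop '$opt_H'\n";
    # wanted() compares Cflow's $nexthop numerically, so keep the address as a
    # host-order 32-bit integer, as the original (commented-out) line did.
    $hop = unpack('N', $packed);
}
#print STDERR "Deliver SIGQUIT to generate a report...\n" if -t;
#$SIG{'QUIT'} = \&srcport_report;

Cflow::find(\&wanted, @ARGV ? @ARGV : <*.flows*>);
srcport_report();
dstport_report();

# The report subs historically staged their tables through a scratch file
# named "notperm" in the current directory.  Close the handle and remove the
# file with unlink; spawning a shell for `rm` buys nothing here.
close NOTPERM;
unlink 'notperm';
exit 0;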
sub wanted {
    # Per-flow callback handed to Cflow::find.  Reads the :flowvars globals
    # ($nexthop, $unix_secs, $srcport, $dstport, $bytes, $pkts) and folds the
    # flow into the per-port tables and the grand totals.
    #
    # NOTE(review): $hop must be set from -H before Cflow::find runs; check
    # that the assignment near the top of the script is live, otherwise this
    # compares $nexthop against undef.
    return if $opt_H && $nexthop != $hop;

    # Widen the observed time window; 0 means "no flow seen yet".
    $min_secs = $unix_secs if $min_secs == 0 || $unix_secs < $min_secs;
    $max_secs = $unix_secs if $max_secs == 0 || $unix_secs > $max_secs;

    # The same three counters are kept for the source-port and the
    # destination-port table.
    for my $pair ([\%srcport_results, $srcport], [\%dstport_results, $dstport]) {
        my ($table, $port) = @{$pair};
        $table->{$port}{bytes} += $bytes;
        $table->{$port}{pkts}  += $pkts;
        $table->{$port}{flows}++;
    }

    $nflows++;
    $totalbytes += $bytes;
    $totalpkts  += $pkts;
    $totalflows  = $nflows;    # kept in step with $nflows for the reports
}
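# Sort comparators for the per-port tables.  Both read the global $thingy
# ('flows', 'pkts' or 'bytes') and order ports by descending count.  Kept for
# callers that sort with them by name; the report code below sorts inline.
sub srcport_by_thingy {
    return $srcport_results{$b}{$thingy} <=> $srcport_results{$a}{$thingy};
}

sub dstport_by_thingy {
    return $dstport_results{$b}{$thingy} <=> $dstport_results{$a}{$thingy};
}

# Denominator for the percentage column of counter $which, or undef for an
# unknown counter name.  Read at call time so the totals filled in by
# wanted() are seen.
sub _total_for {
    my ($which) = @_;
    return $which eq 'flows' ? $totalflows
         : $which eq 'pkts'  ? $totalpkts
         : $which eq 'bytes' ? $totalbytes
         :                     undef;
}

# Label for a port: its service name when -n was given (cached in
# %name_cache), else the port number.  Inherited hack: the lookup always asks
# for "tcp" because the flow's protocol is not consulted, so UDP-only
# services can come back unnamed or misnamed.
sub _port_label {
    my ($port) = @_;
    return $port unless $opt_n;
    if (!defined $name_cache{$port}) {
        my ($name) = getservbyport($port, 'tcp');
        $name_cache{$port} = defined $name ? $name : '';
    }
    return $name_cache{$port} eq '' ? $port : $name_cache{$port};
}

# Rows of one table column for counter $which: a blank line, a heading, then
# the top-$limit ports of %$results with their count and share of the total.
# Built in memory; the old code round-tripped every column through a
# predictably named scratch file ("notperm") in the current directory, which
# was both slower and a clobbering/symlink hazard.
sub _column_rows {
    my ($which, $results, $limit) = @_;
    my $heading = $which . ($opt_H ? " nexthop to $opt_H" : '') . ':';
    my @rows    = ('', $heading);
    my $total   = _total_for($which);
    my @ports   = sort { $results->{$b}{$which} <=> $results->{$a}{$which} }
                  keys %{$results};
    for my $port (@ports) {
        my $count = $results->{$port}{$which};
        my $row   = _port_label($port) . ": $count";
        # Share of the grand total; omitted when the total is zero or $which
        # is not a known counter, rather than dividing by zero.
        $row .= sprintf ': %.1f%%', 100 * $count / $total if $total;
        push @rows, $row;
        last unless --$limit;
    }
    return @rows;
}

# Print the three-column table used by both reports: one column per counter
# (or only the -t one), each padded to 32 characters.  Rows are rebuilt per
# call, so a shorter table no longer shows leftover rows from the previous
# report.
sub _print_table {
    my ($results) = @_;
    my $limit = $opt_m ? $opt_m : 10;
    my %rows_for;
    for my $which ($opt_t ? ($opt_t) : ('flows', 'pkts', 'bytes')) {
        $rows_for{$which} = [ _column_rows($which, $results, $limit) ];
    }
    # Print as many rows as the longest column has (the old loop printed a
    # fixed $opt_m + 2 rows, padding with blank lines).
    my $nrows = 0;
    for my $col (values %rows_for) {
        $nrows = scalar @{$col} if @{$col} > $nrows;
    }
    for my $i (0 .. $nrows - 1) {
        printf "%-32s%-32s%-32s\n",
            map { my $col = $rows_for{$_};
                  defined $col && defined $col->[$i] ? $col->[$i] : '' }
                qw(flows pkts bytes);
    }
    return;
}

# Report on source ports (outbound traffic): flow/time summary, then the
# table.  Also applies the -m default to $opt_m, which the dstport report
# historically relied on this sub having done.
sub srcport_report {
    printf "\nSaw %d outbound flows between %s and %s.\n",
        $nflows, scalar(localtime($min_secs)), scalar(localtime($max_secs));
    return unless %srcport_results;
    if (!defined $opt_m) {
        print "----------------";    # inherited separator, printed without a newline
        $opt_m = 10;
    }
    _print_table(\%srcport_results);
    return;
}

# Report on destination ports (inbound traffic): flow/time summary, then
# the table.
sub dstport_report {
    printf "\nSaw %d inbound flows between %s and %s.\n",
        $nflows, scalar(localtime($min_secs)), scalar(localtime($max_secs));
    return unless %dstport_results;
    _print_table(\%dstport_results);
    return;
}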