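# Distribution of the first octet of source addresses in a trace.
# Every IPv4 packet is counted in $c and the first octet of the first address
# printed after "proto: IPv4:" (assumed to be the source) in %cdf; at EOF each
# octet is printed as "octet<TAB>percent", least frequent first.
crl_print_pkt -Cp=1000000 TRACE | perl -nle '
    if (/proto: IPv4:.*?(\d+)\.\d+\.\d+\.\d+/) { $c++; $cdf{$1}++ }
    END {
        # %cdf is empty when $c is 0, so the division is never reached then.
        printf("%d\t%f\n", $_, $cdf{$_} / $c * 100)
            foreach sort { $cdf{$a} <=> $cdf{$b} } keys %cdf;
    }
'

# Determine whether a trace is anonymized, based on the first five networks of
# the bogon list: the packet count should be low/zero for an unanonymized
# trace. NOTE(review): this fixed list of /8s is a snapshot and some of these
# ranges may have been allocated since — the live-list check below is the
# more reliable test.
crl_stats -Cp=1000000 -Cipfilter='net 0 or net 1 or net 2 or net 5 or net 7' TRACE | grep 'IPv4 pkts:'

# Rate the trace against the current aggregated bogon list.
# The list is fetched unauthenticated over plain HTTP and ends up verbatim in
# a filter argument, so only tokens that look like a.b.c.d/n are accepted
# (an error page or a truncated download would otherwise become a bogus
# filter), and crl_rate is skipped when nothing usable came back.
BOGONS=$(wget -O - http://www.cymru.com/Documents/bogon-bn-agg.txt \
    | perl -0777 -lane '
        print join(" or ",
            map  { " net $_ " }
            grep { m{\A\d+(?:\.\d+){3}/\d+\z} } @F);
    ')
if [ -z "$BOGONS" ]; then
    echo "bogon list download produced no usable prefixes; skipping crl_rate" >&2
else
    crl_rate -Ci=1 -s -Cipfilter="$BOGONS" TRACE
fi

# Check for layer-4 payload: packet lines are buffered until a
# "data: ... N bytes" line with N > 0 is seen; from there to the blank
# separator line the buffered header and the remaining lines are printed.
# The blank line after a packet without payload discards its buffer.
crl_print_pkt TRACE | perl -nle '
    if ( /^data:\s+(\S+,\s+)*[1-9]\d*\s+bytes/ .. /^$/ ) {
        print $buf . $_;
        $buf = "";
    }
    else {
        $buf .= $_ . "\n";
    }
    $buf = "" if /^$/;
'

# Look for strange time jumps: prints the timestamp of every packet whose
# time advances (unbuffered progress feed) and flags any packet whose
# timestamp is earlier than the previous one. "defined" rather than truth
# is tested so a first timestamp of 0 does not disable the comparison.
crl_print_pkt TRACE | perl -nle '
    BEGIN { $| = 1 }
    next unless /time: (\d+)/;
    my $t = $1;
    if (defined $last) {
        if ($t < $last) {
            print "\nERROR: temporal anomaly detected: $t < $last";
        }
        elsif ($t > $last) {
            printf("%d ", $t);
        }
    }
    $last = $t;
'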