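I am trying to parse the output of my TCPDUMP command and print "ok" if a particular server sends data back before a given number of seconds (or nanoseconds). For example: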
11:45:41.198150 IP X.X.X.X.662 > Y.Y.Y.Y.161: UDP, length 37
11:45:41.315699 IP Y.Y.Y.Y.161 > X.X.X.X.662: UDP, length 13
11:45:42.198845 IP X.X.X.X.168.662 > Y.Y.Y.Y.161: UDP, length 37
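11:45:42.316745 IP Y.Y.Y.Y.161 > X.X.X.X.662: UDP, length 13
As you can see, it outputs the first line first, and then the server I sent data to responds. Now I want it so that if the server I sent data to does not respond within a set number of seconds, I do nothing. But if it does, I print "ok".
Sometimes the data will look like this: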
11:45:41.198150 IP X.X.X.X.662 > Y.Y.Y.Y.161: UDP, length 37
11:45:41.315699 IP Y.Y.Y.Y.161 > X.X.X.X.662: UDP, length 13
11:45:42.198845 IP X.X.X.X.168.662 > Y.Y.Y.Y.161: UDP, length 37
11:45:42.198845 IP X.X.X.X.168.662 > Y.Y.Y.Y.161: UDP, length 37
11:45:42.198845 IP X.X.X.X.168.662 > Y.Y.Y.Y.161: UDP, length 37
11:45:42.316745 IP Y.Y.Y.Y.161 > X.X.X.X.662: UDP, length 13
And the IPs will respond at different times. How can I still parse it?
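Posted on 2014-05-25 23:55:38
Using the information from your other question, Parsing TCPDUMP output, and since you asked about parsing the file, there are several ways this can be done. I have generated a simple script to read the data and put it into a hash. I will use the data from your other post as the input you want to parse. It does no data validation and requires all lines in the file to be in the same format.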
# Checking for errors (Good practice to always use)
use strict;
use warnings;
# open the file (first one on the command line); the three-argument form
# keeps the file name from being interpreted as a mode or a pipe
open my $input, '<', $ARGV[0] or die "Unable to open file: $ARGV[0]: $!";
# scalar/variable into which to save the line read from the file
my $line;
# Hash/mapping by machine for the time
my %machine2time;
# Array/List to store parsed line into individual list/array items
my @parsedLineSpace;
# Read line from the file. This will fail when a line cannot be read
while ( $line = <$input> )
{
    # Parse the line based on spaces first element is time (index 0),
    # the second is IP (index 1)
    @parsedLineSpace = split(/\s+/, $line);
    # If the IP exists in the hash/mapping, then the delta time needs to be
    # computed as there is a response
    if ( exists $machine2time{$parsedLineSpace[1]} )
    {
        # Get the times which are needed to compute the difference
        # and place in scalar/variables
        my $firstTime = $machine2time{$parsedLineSpace[1]};
        my $responseTime = $parsedLineSpace[0];
        # Compute the time difference (Exercise for the user)
        # Use an array and split to break the time into individual components or
        # the to do that. Make sure you use a \ to escape the . for the split
        # and that you check for boundary conditions
        # Remove the item from the hash/mapping as it is not needed and
        # any remaining items left in the hash would be items which did
        # not get a response
        delete $machine2time{$parsedLineSpace[1]};
    }
    # else this is the first occurrence (or there was no response) so
    # save the time for use later
    else
    {
        $machine2time{$parsedLineSpace[1]} = $parsedLineSpace[0];
    }
}
close $input;
# Print out any machines which did not have a matched response
print "\nIPs which did not get a response\n";
# For each key in the hash/mapping (sorted) print out the key which
# is the IP
foreach my $machine ( sort keys %machine2time )
{
    print "$machine\n";
}
Hope this gets you started.
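The time difference that the answer leaves as an exercise, worked through as an added example (not part of the original answer): it parses lines in the question's tcpdump layout, pairs each reply with the pending request on the reverse flow, and labels the reply ok or late. The 0.5-second limit, the sub names and the sample capture (documentation addresses) are assumptions made for the illustration, and it needs Perl 5.10 or later.

```perl
use strict;
use warnings;

my $LIMIT = 0.5;    # assumed threshold, in seconds

# tcpdump's HH:MM:SS.ffffff timestamp as seconds since midnight
sub to_seconds {
    my ($h, $m, $s) = split /:/, shift;
    return $h * 3600 + $m * 60 + $s;
}

# Pair each reply with the pending request on the reverse flow and
# return one "status server delta" string per reply.
sub match_replies {
    my ($limit, @lines) = @_;
    my (%pending, @out);
    for my $line (@lines) {
        # Skip anything that is not "<time> IP <src.port> > <dst.port>: ..."
        my ($time, $src, $dst) =
            $line =~ /^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+):/ or next;
        my $now = to_seconds($time);
        if (exists $pending{"$dst>$src"}) {
            # Reply: the reverse flow has an outstanding request
            my $delta = $now - delete($pending{"$dst>$src"});
            $delta += 86400 if $delta < 0;    # capture crossed midnight
            my $status = $delta <= $limit ? 'ok' : 'late';
            push @out, sprintf('%s %s %.6f', $status, $src, $delta);
        }
        else {
            # Request or retransmission: keep the first send time only
            $pending{"$src>$dst"} //= $now;
        }
    }
    return @out;
}

# Constructed sample capture (documentation addresses), question's layout
my @capture = split /\n/, <<'END';
11:45:41.198150 IP 192.0.2.10.662 > 198.51.100.7.161: UDP, length 37
11:45:41.315699 IP 198.51.100.7.161 > 192.0.2.10.662: UDP, length 13
11:45:42.198845 IP 192.0.2.10.662 > 198.51.100.8.161: UDP, length 37
11:45:43.198845 IP 192.0.2.10.662 > 198.51.100.8.161: UDP, length 37
11:45:43.316745 IP 198.51.100.8.161 > 192.0.2.10.662: UDP, length 13
23:59:59.900000 IP 192.0.2.10.662 > 198.51.100.9.161: UDP, length 37
00:00:00.050000 IP 198.51.100.9.161 > 192.0.2.10.662: UDP, length 13
END
print "$_\n" for match_replies($LIMIT, @capture);
```

Because the flow key includes the port, a retransmitted request does not reset the clock: the delay is measured from the first send.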
https://stackoverflow.com/questions/23826107