#!/usr/bin/perl -w # # Copyright (C) 2001 by USC/ISI # All rights reserved. # # Redistribution and use in source and binary forms are permitted # provided that the above copyright notice and this paragraph are # duplicated in all such forms and that any documentation, advertising # materials, and other materials related to such distribution and use # acknowledge that the software was developed by the University of # Southern California, Information Sciences Institute. The name of the # University may not be used to endorse or promote products derived from # this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED # WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. # # An perl script takes a tcpdump trace as input and outputs # statistics (total # of packetz and total size) of each type of traffic # # This work is supported by DARPA through SAMAN Project # (http://www.isi.edu/saman/), administered by the Space and Naval # Warfare System Center San Diego under Contract No. N66001-00-C-8066 $total=0; $http=0; $nntp=0; $ftp=0; $domain=0; $ntp=0; $smtp=0; #$icmp=0; $realaudio=0; $pop3=0; $time=0; $webcache=0; $ssh=0; $squid=0; $telnet=0; $cvs=0; $h323=0; $datametric=0; $x11=0; $phonebook=0; $snmp=0; $syslog=0; $gopher=0; $bgp=0; $auth=0; $rtsp=0; #$gris=0; $other=0; $totals=0; $https=0; $nntps=0; $ftps=0; $domains=0; $ntps=0; $smtps=0; $realaudios=0; $others=0; $pop3s=0; $times=0; $webcaches=0; $sshs=0; $squids=0; $telnets=0; $cvss=0; $h323s=0; $datametrics=0; $x11s=0; $phonebooks=0; $snmps=0; $syslogs=0; $gophers=0; $bgps=0; $auths=0; $rtsps=0; #$griss=0; $httpP= "80"; $httpsP= "443"; $sshP= "22"; $squidP= "3128"; $datametricsP= "1645"; $phonebookP= "767"; $x11P= "6000"; $telnetP= "23"; $webcacheP= "8080"; $cvspserverP= "2401"; $domainP= "53"; $nntpP= "119"; $ntpP= "123"; $h323gatediscP= "1718"; $h323gatestatP= "1719"; $h323hostcallP= "1720"; $pop3P= "110"; $timeP= "37"; $ftpdataP= "20"; $ftpP= "21"; $smtpP= "25"; $snmpP= "161"; $gopherP= "70"; $authP= "11"; $rtspP= "554"; $bgpP= "179"; $syslogP= "514"; while (<>) { ($time1,$time2,$ip11,$ip12,$ip13,$ip14,$srcPort,$dummy2,$ip21,$ip22,$ip23,$ip24,$dstPort,$dummy3,$proto,$size) = split(/[.: ]/,$_); #print join("#",split(/[.: ]/,$_)); $time1=""; $time2=""; # $dummy1=""; $dummy2=""; $dummy3=""; $ip11=""; $ip12=""; $ip13=""; $ip14=""; $ip21=""; $ip22=""; $ip23=""; $ip24=""; if (defined($proto) && defined($size)) { if (($proto eq "udp") || ($proto eq "tcp")) { if (defined($srcPort) && defined($dstPort) && ($size < 1500)) { if (($srcPort eq $httpP) || ($dstPort eq $httpP)) { $https=$https+$size; } elsif (($srcPort eq $httpsP) || ($dstPort eq $httpsP)) { $https=$https+$size; } elsif (($srcPort eq $sshP) || ($dstPort eq $sshP)) { $sshs=$sshs+$size; } elsif (($srcPort eq $squidP) || ($dstPort eq $squidP)) { $squids=$squids+$size; } elsif (($srcPort eq $datametricsP) || ($dstPort eq $datametricsP)) { $datametrics=$datametrics+$size; } elsif (($srcPort eq $phonebookP) || ($dstPort eq $phonebookP)) { $phonebooks=$phonebooks+$size; } elsif (($srcPort eq $x11P) || ($dstPort eq $x11P)) { $x11s=$x11s+$size; } elsif (($srcPort eq $telnetP) || ($dstPort eq $telnetP)) { $telnets=$telnets+$size; } elsif (($srcPort eq $webcacheP) || ($dstPort eq $webcacheP)) { $webcaches=$webcaches+$size; } elsif (($srcPort eq $cvspserverP) || ($dstPort eq $cvspserverP)) { $cvss=$cvss+$size; } elsif (($srcPort eq $domainP) || ($dstPort eq $domainP)) { $domains=$domains+$size; } elsif (($srcPort eq $ntpP) || ($dstPort eq $ntpP)) { $ntps=$ntps+$size; } elsif (($srcPort eq $h323gatestatP) || ($dstPort eq $h323gatestatP)) { $h323s=$h323s+$size; } elsif (($srcPort eq $h323hostcallP) || ($dstPort eq $h323hostcallP)) { $h323s=$h323s+$size; } elsif (($srcPort eq $h323gatediscP) || ($dstPort eq $h323gatediscP)) { $h323s=$h323s+$size; } elsif (($srcPort eq $pop3P) || ($dstPort eq $pop3P)) { $pop3s=$pop3s+$size; } elsif (($srcPort eq $timeP) || ($dstPort eq $timeP)) { $times=$times+$size; } elsif (($srcPort eq $nntpP) || ($dstPort eq $nntpP)) { $nntps=$nntps+$size; } elsif (($srcPort eq $ftpP) || ($dstPort eq $ftpP)) { $ftps=$ftps+$size; } elsif (($srcPort eq $ftpdataP) || ($dstPort eq $ftpdataP)) { $ftps=$ftps+$size; } elsif (($srcPort eq $smtpP) || ($dstPort eq $smtpP)) { $smtps=$smtps+$size; } elsif (($srcPort eq $snmpP) || ($dstPort eq $snmpP)) { $snmps=$snmps+$size; } elsif (($srcPort eq $gopherP) || ($dstPort eq $gopherP)) { $gophers=$gophers+$size; } elsif (($srcPort eq $authP) || ($dstPort eq $authP)) { $auths=$auths+$size; } elsif (($srcPort eq $rtspP) || ($dstPort eq $rtspP)) { $rtsps=$rtsps+$size; } elsif (($srcPort eq $bgpP) || ($dstPort eq $bgpP)) { $bgps=$bgps+$size; } elsif (($srcPort eq $syslogP) || ($dstPort eq $syslogP)) { $syslogs=$syslogs+$size; } elsif (($srcPort eq "6970") || ($dstPort eq "6970")) { $realaudios=$realaudios+$size; } else { $others=$others+$size; } $totals=$totals+$size; } } } if (defined($srcPort) && defined($dstPort)) { if (($srcPort eq $httpP) || ($dstPort eq $httpP)) { $http=$http+1; } elsif (($srcPort eq $httpsP) || ($dstPort eq $httpsP)) { $http=$http+1; } elsif (($srcPort eq $domainP) || ($dstPort eq $domainP)) { $domain=$domain+1; } elsif (($srcPort eq $webcacheP) || ($dstPort eq $webcacheP)) { $webcache=$webcache+1; } elsif (($srcPort eq $sshP) || ($dstPort eq $sshP)) { $ssh=$ssh+1; } elsif (($srcPort eq $phonebookP) || ($dstPort eq $phonebookP)) { $phonebook=$phonebook+1; } elsif (($srcPort eq $x11P) || ($dstPort eq $x11P)) { $x11=$x11+1; } elsif (($srcPort eq $snmpP) || ($dstPort eq $snmpP)) { $snmp=$snmp+1; } elsif (($srcPort eq $gopherP) || ($dstPort eq $gopherP)) { $gopher=$gopher+1; } elsif (($srcPort eq $authP) || ($dstPort eq $authP)) { $auth=$auth+1; } elsif (($srcPort eq $rtspP) || ($dstPort eq $rtspP)) { $rtsp=$rtsp+1; } elsif (($srcPort eq $bgpP) || ($dstPort eq $bgpP)) { $bgp=$bgp+1; } # elsif (($srcPort eq $grisP) || ($dstPort eq $grisP)) { # $gris=$gris+1; # } elsif (($srcPort eq $syslogP) || ($dstPort eq $syslogP)) { $syslog=$syslog+1; } elsif (($srcPort eq $datametricsP) || ($dstPort eq $datametricsP)) { $datametric=$datametric+1; } elsif (($srcPort eq $squidP) || ($dstPort eq $squidP)) { $squid=$squid+1; } elsif (($srcPort eq $cvspserverP) || ($dstPort eq $cvspserverP)) { $cvs=$cvs+1; } elsif (($srcPort eq $telnetP) || ($dstPort eq $telnetP)) { $telnet=$telnet+1; } elsif (($srcPort eq $ntpP) || ($dstPort eq $ntpP)) { $ntp=$ntp+1; } elsif (($srcPort eq $pop3P) || ($dstPort eq $pop3P)) { $pop3=$pop3+1; } elsif (($srcPort eq $timeP) || ($dstPort eq $timeP)) { $time=$time+1; } elsif (($srcPort eq $nntpP) || ($dstPort eq $nntpP)) { $nntp=$nntp+1; } elsif (($srcPort eq $ftpP) || ($dstPort eq $ftpP)) { $ftp=$ftp+1; } elsif (($srcPort eq $ftpdataP) || ($dstPort eq $ftpdataP)) { $ftp=$ftp+1; } elsif (($srcPort eq $smtpP) || ($dstPort eq $smtpP)) { $smtp=$smtp+1; } elsif (($srcPort eq $h323gatestatP) || ($dstPort eq $h323gatestatP)) { $h323=$h323+1; } elsif (($srcPort eq $h323hostcallP) || ($dstPort eq $h323hostcallP)) { $h323=$h323+1; } elsif (($srcPort eq $h323gatediscP) || ($dstPort eq $h323gatediscP)) { $h323=$h323+1; } elsif (($srcPort eq "6970") || ($dstPort eq "6970")) { $realaudio=$realaudio+1; } else { $other=$other+1; } $total=$total+1; } } print "[PROTO] [# of PKT] [% of TOTAL PKT] [SIZE] [% of TOTAL SIZE]\n"; $httpp1=$http/$total; $httpp2=$https/$totals; print "HTTP $http $httpp1 $https $httpp2\n"; $nntpp1=$nntp/$total; $nntpp2=$nntps/$totals; print "NNTP $nntp $nntpp1 $nntps $nntpp2\n"; $ntpp1=$ntp/$total; $ntpp2=$ntps/$totals; print "NTP $ntp $ntpp1 $ntps $ntpp2\n"; $domainp1=$domain/$total; $domainp2=$domains/$totals; print "DNS $domain $domainp1 $domains $domainp2\n"; $smtpp1=$smtp/$total; $smtpp2=$smtps/$totals; print "SMTP $smtp $smtpp1 $smtps $smtpp2\n"; $ftpp1=$ftp/$total; $ftpp2=$ftps/$totals; print "FTP $ftp $ftpp1 $ftps $ftpp2\n"; $snmpp1=$snmp/$total; $snmpp2=$snmps/$totals; print "SNMP $snmp $snmpp1 $snmps $snmpp2\n"; $gopherp1=$gopher/$total; $gopherp2=$gophers/$totals; print "GOPHER $gopher $gopherp1 $gophers $gopherp2\n"; #$authp1=$auth/$total; #$authp2=$auths/$totals; #print "AUTH $auth $authp1 $auths $authp2\n"; $rtspp1=$rtsp/$total; $rtspp2=$rtsps/$totals; print "RTSP $rtsp $rtspp1 $rtsps $rtspp2\n"; #$grisp1=$gris/$total; #$grisp2=$griss/$totals; #print "GRIS $gris $grisp1 $griss $grisp2\n"; $syslogp1=$syslog/$total; $syslogp2=$syslogs/$totals; print "SYSLOG $syslog $syslogp1 $syslogs $syslogp2\n"; $bgpp1=$bgp/$total; $bgpp2=$bgps/$totals; print "BGP $bgp $bgpp1 $bgps $bgpp2\n"; $webcachep1=$webcache/$total; $webcachep2=$webcaches/$totals; print "WEBCACHE $webcache $webcachep1 $webcaches $webcachep2\n"; $pop3p1=$pop3/$total; $pop3p2=$pop3s/$totals; print "POP3 $pop3 $pop3p1 $pop3s $pop3p2\n"; $datametricp1=$datametric/$total; $datametricp2=$datametrics/$totals; print "DATAMETRICS $datametric $datametricp1 $datametrics $datametricp2\n"; $timep1=$time/$total; $timep2=$times/$totals; print "TIME $time $timep1 $times $timep2\n"; $sshp1=$ssh/$total; $sshp2=$sshs/$totals; print "SSH $ssh $sshp1 $sshs $sshp2\n"; $squidp1=$squid/$total; $squidp2=$squids/$totals; print "SQUID $squid $squidp1 $squids $squidp2\n"; $telnetp1=$telnet/$total; $telnetp2=$telnets/$totals; print "TELNET $telnet $telnetp1 $telnets $telnetp2\n"; $cvsp1=$cvs/$total; $cvsp2=$cvss/$totals; print "CVS $cvs $cvsp1 $cvss $cvsp2\n"; $h323p1=$h323/$total; $h323p2=$h323s/$totals; print "H323 $h323 $h323p1 $h323s $h323p2\n"; $phonebookp1=$phonebook/$total; $phonebookp2=$phonebooks/$totals; print "PHONEBOOK $phonebook $phonebookp1 $phonebooks $phonebookp2\n"; $x11p1=$x11/$total; $x11p2=$x11s/$totals; print "X11 $x11 $x11p1 $x11s $x11p2\n"; $otherp1=$other/$total; $otherp2=$others/$totals; print "OTHER $other $otherp1 $others $otherp2\n";