I would like to count the number of connections per IP per second (on port 80) to a web server whose IP is 192.168.1.216. The input for the count is a network dump file in PCAP format (.pcap file) generated with tcpdump. The output will be directed to the contagem.txt file.
Is the following regular expression (regex) correct? What do you think?
PCAP file: link
# keep only packets to/from the server on port 80, then extract "HH:MM:SS source-IP" for each SYN
tcpdump -anr arquivo.pcap host 192.168.1.216 and port 80 |
sed -une '
s/^\(.\{8\}\).* IP \(.*\)\.[0-9]\+ > 192\.168\.1\.216\.80: Flags \[S\],.*/\1 \2/p
' |
sort | uniq -c >contagem.txt
Example input:
Example of an output:
1 07:50:00 192.168.1.107
1 07:50:00 192.168.1.108
1 07:50:00 192.168.1.110
1 07:50:00 192.168.1.121
1 07:50:00 192.168.1.128
1 07:50:00 192.168.1.129
1 07:50:00 192.168.1.130
1 07:50:00 192.168.1.138
1 07:50:00 192.168.1.140
1 07:50:00 192.168.1.143
1 07:50:00 192.168.1.148
1 07:50:00 192.168.1.153
1 07:50:00 192.168.1.160
1 07:50:00 192.168.1.169
1 07:50:00 192.168.1.170
1 07:50:00 192.168.1.176
The sum afterwards is done with a Python script:
# add up the count column (first field) written by uniq -c
with open('contagem.txt') as f:
    linhas = f.readlines()
soma = 0
for linha in linhas:
    soma += int(linha.strip().split(" ")[0])
print(soma)
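A self-contained Python version of the same per-second, per-source SYN count, added here as an example (not the asker's code); the tcpdump lines are constructed for the example, and it applies the same match as the sed expression, adding a threshold helper to spot a source sending many SYNs in one second.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (not from the original pcap):
# plain SYNs from three clients, plus a SYN-ACK reply and a data segment
# that must NOT be counted.
SAMPLE = """\
07:50:00.123456 IP 192.168.1.107.51234 > 192.168.1.216.80: Flags [S], seq 1, win 64240, length 0
07:50:00.223456 IP 192.168.1.107.51235 > 192.168.1.216.80: Flags [S], seq 2, win 64240, length 0
07:50:00.323456 IP 192.168.1.108.40000 > 192.168.1.216.80: Flags [S], seq 3, win 64240, length 0
07:50:00.423456 IP 192.168.1.216.80 > 192.168.1.107.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
07:50:01.000001 IP 192.168.1.110.33333 > 192.168.1.216.80: Flags [S], seq 4, win 64240, length 0
07:50:01.100001 IP 192.168.1.110.33333 > 192.168.1.216.80: Flags [P.], seq 1:10, ack 1, length 9
"""

SERVER = "192.168.1.216"
PORT = 80

# Same shape as the sed expression: HH:MM:SS, source IP without its port,
# destination fixed to the server, and only bare SYNs ("Flags [S],").
SYN_RE = re.compile(
    r"^(?P<sec>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+ > "
    + re.escape(SERVER) + r"\." + str(PORT) + r": Flags \[S\],"
)

def count_syns(lines):
    """Return a Counter keyed by (second, source_ip) for matching SYN lines."""
    counts = Counter()
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            counts[(m.group("sec"), m.group("src"))] += 1
    return counts

def total(counts):
    """Equivalent of the summing script: total SYNs across all buckets."""
    return sum(counts.values())

def over_threshold(counts, limit):
    """Buckets where one source sent at least `limit` SYNs within one second."""
    return {k: v for k, v in counts.items() if v >= limit}

if __name__ == "__main__":
    c = count_syns(SAMPLE.splitlines())
    for (sec, src), n in sorted(c.items()):
        print(f"{n} {sec} {src}")   # same layout as the uniq -c output
    print("total:", total(c))
```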