<div>If you are willing to use the liboral library, it is fairly easy to write the code. You will simply call read_pkt and use get_payload_by_proto to get the IP layer, cast it using a ip header struct and extract the 5 tuples you need. There is a simple hashtable implemenation included in coral than you can use to keep track of your flows.</div>
<div><br>Of course you will have to roll your code, but I doubt its going to be more than 200 lines of code.</div>
<div> </div>
<div>-srinivas<br><br><br></div>
<div class="gmail_quote">On Fri, Jul 16, 2010 at 1:36 PM, Faisal Khan <span dir="ltr"><<a href="mailto:khan7@llnl.gov">khan7@llnl.gov</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hi,<br><br>I am having this problem and was hoping someone can point me in the<br>right direction. Basically, I want to list destination IPs that have<br>
highest number of ports accessed in a trace. I initially thought<br>something like this might work, which is exactly what I need<br><br>crl_flow -I -b file.pcap | t2_convert -b -F dst_IP_dst_Port_Table |<br>t2_top -Sf -n10 > out.txt<br>
<br>but it turns out the Key 'dst_IP_dst_Port_Table' is not implemented.<br><br>I then used<br><br>crl_flow -I -b file.pcap | t2_convert -b dst_IP_Proto_dst_Port_Table |<br>t2_convert -F dst_IP_Table | t2_top -Sf -n10 > out.txt<br>
<br>which could have approximated what I wanted but it turns out the table<br>spitted by first t2_convert is incompatible with what the second<br>t2_convert requires.<br><br><br>I was wondering if any of you know of any way to achieve what I am want<br>
to do?<br><br><br>Thanks<br>Faisal<br><br>_______________________________________________<br>Coral-dev mailing list<br><a href="mailto:Coral-dev@caida.org">Coral-dev@caida.org</a><br><a href="https://rommie.caida.org/mailman/listinfo/coral-dev" target="_blank">https://rommie.caida.org/mailman/listinfo/coral-dev</a><br>
</blockquote></div><br>