两年前为了更好验证正确性,刚摸PERL,写的一个数据包分析脚本,整体还是比较弱的,缺少了perl的任性
这个脚本优点有:
1:基本能将wireshark的命令行程序tshark的所有用法都揽括在内了,再也不用担心不会命令了
2:离线能够分析链路层,IP层,TCP层以及HTTP层的相关信息,并以文件方式储存起来
3:由于输入是一个文件列表,所以可以一次性处理多个数据包文件,每个文件信息分开储存起来
4:多线程执行,每个线程执行一个tshark进程
5:设置CPU亲和性,进程单独绑核,可惜的是在两CPU,16核心的sandy bridge服务器上,设置了CPU Affinity处理性能还没有系统分配CPU的性能好,侧面也说明程序写得不太好
6:相对而言,基于tshark,和wireshark基本一致,准确性稍显可靠
7:扩展性还好,需要多一个分析域,只要添加一个线程,调用tshark命令即可
缺点:
1:最弱的地方大部分都是由正则表达式获取信息,显然性能就弱了一大截,由于最开始没这么多信息,都是一个一个添加的,尽管命令都是通过管道执行,但是改成split方式获取数据性能应该更好
2:多线程虽然能提高很多性能(大概3/4),但每个线程都是调用的同一个应用程序tshark执行进程
3:命令的完全正确性值得探讨,比如TCP的乱序和重传,很多肯定会不完整,有残缺
4:有的流量是需要测试某些特定流量要求计算的
5:整个程序不美观,比较弱,因为都是一个又一个独立的函数,总感觉少了点什么
#!/usr/bin/perl
##########################################
#http_parser.pl
#input:
# trace file list
#output:
# L2, L3, L4, L7 information
#require:
# tshark
#2013-10-21 HuiLi
##########################################
use threads;
#use Sys::CpuAffinity;
use Term::ANSIColor;
sub Get_pcap {
    # Return the last path component of a trace path (everything after the
    # final '/'); a path without any '/' is returned unchanged.  The result
    # names the per-trace "<name>.information" output directory.
    my $pcap_path_file = shift;
    my $last_slash = rindex $pcap_path_file, '/';
    return $pcap_path_file if $last_slash < 0;
    return substr $pcap_path_file, $last_slash + 1;
}
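sub Ports_traffic {
    # Sum frame bytes per TCP port (both endpoints of every segment) and write
    # every port's share of the total to the parser file, largest first.
    #   $four_trace_file  pcap to read
    #   $four_parser_pf   output filehandle for the summary lines
    #   $Pretty           progress callback, called with "Ports-Traffic"
    # Dies if tshark cannot be started.
    my ($four_trace_file, $four_parser_pf, $Pretty) = @_;
    my %ports_traffic;
    my $total_traffic = 0;
    # List-form open: the trace path is handed to tshark as an argument and
    # never passes through a shell, so nothing in the path can be read as
    # shell syntax.
    open(my $port_fh, '-|', 'tshark', '-r', $four_trace_file,
        '-T', 'fields', '-e', 'tcp.port', '-e', 'frame.len')
        or die "cannot run tshark on $four_trace_file: $!";
    while (my $line = <$port_fh>) {
        # tshark prints "srcport,dstport<TAB>len" for TCP frames, an empty
        # tcp.port column otherwise.
        next unless $line =~ /(\d+),(\d+)\s+(\d+)/;
        my ($src_port, $dst_port, $len) = ($1, $2, $3);
        $ports_traffic{$src_port} += $len;
        $ports_traffic{$dst_port} += $len;
        $total_traffic += $len;
    }
    close $port_fh or warn "tshark exited with status $? for $four_trace_file\n";
    # No TCP frame seen: nothing to report and no division to perform.
    if ($total_traffic > 0) {
        my @by_traffic = sort { $ports_traffic{$b} <=> $ports_traffic{$a} || $a <=> $b }
            keys %ports_traffic;
        for my $port (@by_traffic) {
            my $traffic_rate = $ports_traffic{$port} * 100 / $total_traffic;
            # The "dst_port" label is kept for existing consumers of the parser
            # file even though the figure covers both endpoints' ports.
            print {$four_parser_pf} "dst_port $port : $ports_traffic{$port} => $traffic_rate% \n";
        }
    }
    $Pretty->("Ports-Traffic");
    return;
}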
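sub Four_tuple {
    # Count distinct source/destination IPv4 addresses and TCP ports.
    # Writes one "src_port N : count" and "dst_port N : count" line per port
    # (ascending), then the four distinct-value totals.
    #   $four_trace_file  pcap to read
    #   $four_parser_pf   output filehandle for the summary lines
    #   $Pretty           progress callback, called once per total
    # Dies if tshark cannot be started.
    my ($four_trace_file, $four_parser_pf, $Pretty) = @_;
    my (%src_ip, %dst_ip, %src_pt, %dst_pt);
    # List-form open: the trace path never goes through a shell.
    open(my $four_fh, '-|', 'tshark', '-r', $four_trace_file, '-T', 'fields',
        '-e', 'tcp.srcport', '-e', 'tcp.dstport', '-e', 'ip.src', '-e', 'ip.dst')
        or die "cannot run tshark on $four_trace_file: $!";
    while (my $line = <$four_fh>) {
        # Only lines carrying all four fields (TCP over IPv4) are counted.
        next unless $line =~ /(\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)/;
        my ($src_port, $dst_port, $src_addr, $dst_addr) = ($1, $2, $3, $4);
        ++$src_pt{$src_port};
        ++$dst_pt{$dst_port};
        ++$src_ip{$src_addr};
        ++$dst_ip{$dst_addr};
    }
    close $four_fh or warn "tshark exited with status $? for $four_trace_file\n";
    for my $src_port (sort { $a <=> $b } keys %src_pt) {
        print {$four_parser_pf} "src_port $src_port : $src_pt{$src_port}\n";
    }
    for my $dst_port (sort { $a <=> $b } keys %dst_pt) {
        print {$four_parser_pf} "dst_port $dst_port : $dst_pt{$dst_port}\n";
    }
    print {$four_parser_pf} "src_ipaddr : " . scalar(keys %src_ip) . "\n";
    $Pretty->("Src-IPAddr");
    print {$four_parser_pf} "dst_ipaddr : " . scalar(keys %dst_ip) . "\n";
    $Pretty->("Dst-IPAddr");
    print {$four_parser_pf} "src_port : " . scalar(keys %src_pt) . "\n";
    $Pretty->("Src-Port");
    print {$four_parser_pf} "dst_port : " . scalar(keys %dst_pt) . "\n";
    $Pretty->("Dst-Port");
    return;
}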
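sub Frame {
    # L2 summary: frame count, total/average/maximum frame length and the
    # number of frames longer than a threshold.
    #   $L2_trace_file   pcap to read
    #   $L2_parser_pf    output filehandle for the summary lines
    #   $Pretty          progress callback, called with "L2-Frame"
    #   $long_threshold  optional byte length above which a frame counts as
    #                    "long"; defaults to 1600 (the original hard-coded value)
    # Dies if tshark cannot be started.
    my ($L2_trace_file, $L2_parser_pf, $Pretty, $long_threshold) = @_;
    $long_threshold = 1600 unless defined $long_threshold;
    my $L2_frame_number   = 0;   # frames seen
    my $L2_frame_length   = 0;   # bytes seen
    my $max_frame_length  = 0;
    my $max_frame_number  = 0;   # frame.number of the longest frame
    my $long_frame_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $l2_fh, '-|', 'tshark', '-r', $L2_trace_file,
        '-T', 'fields', '-e', 'frame.number', '-e', 'frame.len')
        or die "cannot run tshark on $L2_trace_file: $!";
    while (my $line = <$l2_fh>) {
        my ($frame_number, $frame_length) = split /\s+/, $line;
        next unless defined $frame_length && $frame_length =~ /^\d+$/;
        ++$L2_frame_number;
        $L2_frame_length += $frame_length;
        ++$long_frame_number if $frame_length > $long_threshold;
        if ($frame_length > $max_frame_length) {
            $max_frame_length = $frame_length;
            $max_frame_number = $frame_number;
        }
    }
    close $l2_fh or warn "tshark exited with status $? for $L2_trace_file\n";
    # An empty or unreadable trace must not divide by zero.
    my $L2_ave_frame_length = $L2_frame_number ? $L2_frame_length / $L2_frame_number : 0;
    print {$L2_parser_pf} "total_frame_number : $L2_frame_number\n";
    print {$L2_parser_pf} "total_frame_length : $L2_frame_length\n";
    print {$L2_parser_pf} "ave_frame_length : $L2_ave_frame_length\n";
    print {$L2_parser_pf} "frame_length_>$long_threshold : $long_frame_number\n";
    print {$L2_parser_pf} "max_frame_length $max_frame_length : frame $max_frame_number\n";
    $Pretty->("L2-Frame");
    return;
}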
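sub L7 {
    # HTTP request summary.  Per-frame method, host, URL (host + uri) and
    # referer are written to four files in "<trace>.information/"; the URL
    # count, longest/average URL and a length histogram go to the parser file.
    #   $L7_trace_file  pcap to read
    #   $L7_parser_pf   output filehandle for the summary lines
    #   $Pretty         progress callback, called with "L7-Url-Host-Refer"
    # Dies if tshark cannot be started or an output file cannot be created.
    my ($L7_trace_file, $L7_parser_pf, $Pretty) = @_;
    my $trace_file = Get_pcap($L7_trace_file);
    my $info_dir   = $trace_file . ".information/";
    my %out_path = (
        url    => $info_dir . $trace_file . ".url",
        host   => $info_dir . $trace_file . ".host",
        refer  => $info_dir . $trace_file . ".refer",
        method => $info_dir . $trace_file . ".method",
    );
    my %out_fh;
    for my $kind (qw(url host refer method)) {
        my $path = $out_path{$kind};
        unlink $path if -f $path;
        open($out_fh{$kind}, '>', $path) or die "cannot write $path: $!";
    }
    my $max_url_frame    = 0;
    my $max_url_length   = 0;
    my $total_url_length = 0;
    # Histogram buckets keyed by their upper bound; "long" is > 2000.
    my %bucket = (100 => 0, 500 => 0, 1000 => 0, 2000 => 0, long => 0);
    # List-form open: the trace path never goes through a shell.
    open(my $l7_fh, '-|', 'tshark', '-r', $L7_trace_file, '-T', 'fields',
        '-e', 'frame.number', '-e', 'http.request.method', '-e', 'http.host',
        '-e', 'http.request.uri', '-e', 'http.referer')
        or die "cannot run tshark on $L7_trace_file: $!";
    while (my $line = <$l7_fh>) {
        chomp $line;
        # tshark separates -e columns with a tab and leaves absent fields
        # empty.  Splitting on the tab (not on \s+) keeps columns aligned
        # when, e.g., a request carries no Host header.
        my ($frame, $method, $host, $uri, $refer) =
            map { defined $_ ? $_ : '' } split /\t/, $line, -1;
        next unless length $frame;
        my $url = $host . $uri;
        print {$out_fh{method}} "Frame $frame: $method\n" if length $method;
        print {$out_fh{host}}   "Frame $frame: $host\n"   if length $host;
        print {$out_fh{url}}    "Frame $frame: $url\n"    if length $url;
        print {$out_fh{refer}}  "Frame $frame: $refer\n"  if length $refer;
        my $url_length = length $url;
        $total_url_length += $url_length;
        if    ($url_length <= 0)    { }                    # no request in this frame
        elsif ($url_length <= 100)  { ++$bucket{100}  }
        elsif ($url_length <= 500)  { ++$bucket{500}  }
        elsif ($url_length <= 1000) { ++$bucket{1000} }
        elsif ($url_length <= 2000) { ++$bucket{2000} }
        else                        { ++$bucket{long} }
        if ($url_length > $max_url_length) {
            $max_url_length = $url_length;
            $max_url_frame  = $frame;
        }
    }
    close $l7_fh or warn "tshark exited with status $? for $L7_trace_file\n";
    for my $kind (qw(url host refer method)) {
        close $out_fh{$kind} or warn "error closing $out_path{$kind}: $!\n";
    }
    my $url_number = $bucket{100} + $bucket{500} + $bucket{1000} + $bucket{2000} + $bucket{long};
    # A trace without HTTP requests must not divide by zero.
    my $ave_url_length = $url_number ? $total_url_length / $url_number : 0;
    print {$L7_parser_pf} "url_number : $url_number\n";
    print {$L7_parser_pf} "max_url_length $max_url_length : frame $max_url_frame\n";
    print {$L7_parser_pf} "ave_url_length : $ave_url_length\n";
    print {$L7_parser_pf} "url_length 0~100 : $bucket{100}\n";
    print {$L7_parser_pf} "url_length 100~500 : $bucket{500}\n";
    print {$L7_parser_pf} "url_length 500~1000 : $bucket{1000}\n";
    print {$L7_parser_pf} "url_length 1000~2000 : $bucket{2000}\n";
    print {$L7_parser_pf} "url_length > 2000 : $bucket{long}\n";
    $Pretty->("L7-Url-Host-Refer");
    return;
}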
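sub IP_fragment {
    # Count IP fragments: ip.fragment lists, per reassembled datagram, the
    # frame numbers of its fragments separated by commas.
    #   $frag_trace_file  pcap to read
    #   $frag_parser_pf   output filehandle for the summary line
    #   $Pretty           progress callback, called with "IP-Fragment"
    # Dies if tshark cannot be started.
    my ($frag_trace_file, $frag_parser_pf, $Pretty) = @_;
    my $frag_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $frag_fh, '-|', 'tshark', '-r', $frag_trace_file,
        '-T', 'fields', '-e', 'ip.fragment')
        or die "cannot run tshark on $frag_trace_file: $!";
    while (my $line = <$frag_fh>) {
        chomp $line;
        next unless length $line;              # not a reassembled datagram
        my @ip_fragment = split /,/, $line;
        $frag_number += @ip_fragment;
    }
    close $frag_fh or warn "tshark exited with status $? for $frag_trace_file\n";
    print {$frag_parser_pf} "ip_fragment_number : $frag_number\n";
    $Pretty->("IP-Fragment");
    return;
}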
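sub TCP_packet {
    # Count frames that carry a TCP header.
    #   $tcp_frame_trace_file  pcap to read
    #   $tcp_frame_parser_pf   output filehandle for the summary line
    #   $Pretty                progress callback, called with "TCP-Packet"
    # Dies if tshark cannot be started.
    my ($tcp_frame_trace_file, $tcp_frame_parser_pf, $Pretty) = @_;
    my $tcp_frame_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $tcp_fh, '-|', 'tshark', '-r', $tcp_frame_trace_file,
        '-T', 'fields', '-e', 'tcp')
        or die "cannot run tshark on $tcp_frame_trace_file: $!";
    while (my $line = <$tcp_fh>) {
        # The column is empty for non-TCP frames; any non-empty value means
        # the protocol is present.  This does not depend on the exact text
        # tshark prints for a protocol field, which varies between versions.
        ++$tcp_frame_number if $line =~ /\S/;
    }
    close $tcp_fh or warn "tshark exited with status $? for $tcp_frame_trace_file\n";
    print {$tcp_frame_parser_pf} "tcp_packet_number : $tcp_frame_number\n";
    $Pretty->("TCP-Packet");
    return;
}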
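sub UDP_packet {
    # Count frames that carry a UDP header.
    #   $udp_frame_trace_file  pcap to read
    #   $udp_frame_parser_pf   output filehandle for the summary line
    #   $Pretty                progress callback, called with "UDP-Packet"
    # Dies if tshark cannot be started.
    my ($udp_frame_trace_file, $udp_frame_parser_pf, $Pretty) = @_;
    my $udp_frame_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $udp_fh, '-|', 'tshark', '-r', $udp_frame_trace_file,
        '-T', 'fields', '-e', 'udp')
        or die "cannot run tshark on $udp_frame_trace_file: $!";
    while (my $line = <$udp_fh>) {
        # Empty column = no UDP in this frame; any non-empty value counts,
        # independent of the protocol text a given tshark version prints.
        ++$udp_frame_number if $line =~ /\S/;
    }
    close $udp_fh or warn "tshark exited with status $? for $udp_frame_trace_file\n";
    print {$udp_frame_parser_pf} "udp_packet_number : $udp_frame_number\n";
    $Pretty->("UDP-Packet");
    return;
}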
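sub ICMP_packet {
    # Count frames that carry an ICMP header.
    #   $icmp_frame_trace_file  pcap to read
    #   $icmp_frame_parser_pf   output filehandle for the summary line
    #   $Pretty                 progress callback, called with "ICMP-Packet"
    # Dies if tshark cannot be started.
    my ($icmp_frame_trace_file, $icmp_frame_parser_pf, $Pretty) = @_;
    my $icmp_frame_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $icmp_fh, '-|', 'tshark', '-r', $icmp_frame_trace_file,
        '-T', 'fields', '-e', 'icmp')
        or die "cannot run tshark on $icmp_frame_trace_file: $!";
    while (my $line = <$icmp_fh>) {
        # Empty column = no ICMP in this frame.  The original matched the
        # literal "icmp", which depends on the text tshark prints for a
        # protocol field; any non-empty value is the version-independent test.
        ++$icmp_frame_number if $line =~ /\S/;
    }
    close $icmp_fh or warn "tshark exited with status $? for $icmp_frame_trace_file\n";
    print {$icmp_frame_parser_pf} "icmp_packet_number : $icmp_frame_number\n";
    $Pretty->("ICMP-Packet");
    return;
}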
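sub TCP_out_of_order {
    # Count frames tshark's TCP analysis flags as out-of-order.
    #   $out_trace_file  pcap to read
    #   $out_parser_pf   output filehandle for the summary line
    #   $Pretty          progress callback, called with "TCP-Out-Of-Order"
    # Dies if tshark cannot be started.
    my ($out_trace_file, $out_parser_pf, $Pretty) = @_;
    my $out_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $out_fh, '-|', 'tshark', '-r', $out_trace_file,
        '-T', 'fields', '-e', 'tcp.analysis.out_of_order')
        or die "cannot run tshark on $out_trace_file: $!";
    while (my $line = <$out_fh>) {
        # The flag column is empty unless the frame was flagged; the original
        # matched "1", which is what tshark printed for it, but any non-empty
        # value means the flag is set.
        ++$out_number if $line =~ /\S/;
    }
    close $out_fh or warn "tshark exited with status $? for $out_trace_file\n";
    print {$out_parser_pf} "tcp_out_of_order : $out_number\n";
    $Pretty->("TCP-Out-Of-Order");
    return;
}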
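sub TCP_retransmission {
    # Count frames tshark's TCP analysis flags as retransmissions.
    #   $re_trace_file  pcap to read
    #   $re_parser_pf   output filehandle for the summary line
    #   $Pretty         progress callback, called with "TCP-Retransmission"
    # Dies if tshark cannot be started.
    my ($re_trace_file, $re_parser_pf, $Pretty) = @_;
    my $re_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $re_fh, '-|', 'tshark', '-r', $re_trace_file,
        '-T', 'fields', '-e', 'tcp.analysis.retransmission')
        or die "cannot run tshark on $re_trace_file: $!";
    while (my $line = <$re_fh>) {
        # Empty column = not flagged; any non-empty value means the flag is
        # set (the original matched the "1" tshark printed for it).
        ++$re_number if $line =~ /\S/;
    }
    close $re_fh or warn "tshark exited with status $? for $re_trace_file\n";
    print {$re_parser_pf} "tcp_retransmission : $re_number\n";
    $Pretty->("TCP-Retransmission");
    return;
}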
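sub HTTP_user_agent {
    # Write "Frame N: <User-Agent>" for every frame carrying the header to
    # "<trace>.information/<trace>.user_agent".
    #   $agent_trace_file  pcap to read
    #   $Pretty            progress callback, called with "User-Agent"
    # Dies if tshark cannot be started or the output file cannot be created.
    my ($agent_trace_file, $Pretty) = @_;
    my $trace_file = Get_pcap($agent_trace_file);
    my $agent_file = $trace_file . ".information/" . $trace_file . ".user_agent";
    unlink $agent_file if -f $agent_file;
    open(my $agent_out, '>', $agent_file) or die "cannot write $agent_file: $!";
    # List-form open: the trace path never goes through a shell.
    open(my $agent_fh, '-|', 'tshark', '-r', $agent_trace_file,
        '-T', 'fields', '-e', 'frame.number', '-e', 'http.user_agent')
        or die "cannot run tshark on $agent_trace_file: $!";
    while (my $line = <$agent_fh>) {
        # "frame.number<TAB>value"; the value is empty for frames without the
        # header, so such frames are simply skipped.
        next unless $line =~ /(\d+)\s+(.*)/;
        my ($frame, $user_agent) = ($1, $2);
        print {$agent_out} "Frame $frame: $user_agent\n" if length $user_agent;
    }
    close $agent_fh or warn "tshark exited with status $? for $agent_trace_file\n";
    close $agent_out or warn "error closing $agent_file: $!\n";
    $Pretty->("User-Agent");
    return;
}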
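sub HTTP_xforwarded_for {
    # Write "Frame N: <X-Forwarded-For>" for every frame carrying the header
    # to "<trace>.information/<trace>.xforward".
    #   $xforward_trace_file  pcap to read
    #   $Pretty               progress callback, called with "X-Forwarded-For"
    # Dies if tshark cannot be started or the output file cannot be created.
    my ($xforward_trace_file, $Pretty) = @_;
    my $trace_file    = Get_pcap($xforward_trace_file);
    my $xforward_file = $trace_file . ".information/" . $trace_file . ".xforward";
    unlink $xforward_file if -f $xforward_file;
    open(my $xforward_out, '>', $xforward_file) or die "cannot write $xforward_file: $!";
    # List-form open: the trace path never goes through a shell.
    open(my $xforward_fh, '-|', 'tshark', '-r', $xforward_trace_file,
        '-T', 'fields', '-e', 'frame.number', '-e', 'http.x_forwarded_for')
        or die "cannot run tshark on $xforward_trace_file: $!";
    while (my $line = <$xforward_fh>) {
        # "frame.number<TAB>value"; empty value = header absent in this frame.
        next unless $line =~ /(\d+)\s+(.*)/;
        my ($frame, $xforwarded_for) = ($1, $2);
        print {$xforward_out} "Frame $frame: $xforwarded_for\n" if length $xforwarded_for;
    }
    close $xforward_fh or warn "tshark exited with status $? for $xforward_trace_file\n";
    close $xforward_out or warn "error closing $xforward_file: $!\n";
    $Pretty->("X-Forwarded-For");
    return;
}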
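sub HTTP_cookie {
    # Write "Frame N: <Cookie>" for every frame carrying the header to
    # "<trace>.information/<trace>.cookie" and the header count to the parser file.
    #   $cookie_trace_file  pcap to read
    #   $cookie_parser_pf   output filehandle for the summary line
    #   $Pretty             progress callback, called with "Cookie"
    # Dies if tshark cannot be started or the output file cannot be created.
    my ($cookie_trace_file, $cookie_parser_pf, $Pretty) = @_;
    my $trace_file  = Get_pcap($cookie_trace_file);
    my $cookie_file = $trace_file . ".information/" . $trace_file . ".cookie";
    unlink $cookie_file if -f $cookie_file;
    my $cookie_number = 0;
    open(my $cookie_out, '>', $cookie_file) or die "cannot write $cookie_file: $!";
    # List-form open: the trace path never goes through a shell.
    open(my $cookie_fh, '-|', 'tshark', '-r', $cookie_trace_file,
        '-T', 'fields', '-e', 'frame.number', '-e', 'http.cookie')
        or die "cannot run tshark on $cookie_trace_file: $!";
    while (my $line = <$cookie_fh>) {
        # "frame.number<TAB>value"; empty value = header absent in this frame.
        next unless $line =~ /(\d+)\s+(.*)/;
        my ($frame, $cookie) = ($1, $2);
        next unless length $cookie;
        print {$cookie_out} "Frame $frame: $cookie\n";
        ++$cookie_number;
    }
    close $cookie_fh or warn "tshark exited with status $? for $cookie_trace_file\n";
    close $cookie_out or warn "error closing $cookie_file: $!\n";
    print {$cookie_parser_pf} "cookie_number : $cookie_number\n";
    $Pretty->("Cookie");
    return;
}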
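sub HTTP_set_cookie {
    # Write "Frame N: <Set-Cookie>" for every frame carrying the header to
    # "<trace>.information/<trace>.set_cookie" and the header count to the parser file.
    #   $set_cookie_trace_file  pcap to read
    #   $set_cookie_parser_pf   output filehandle for the summary line
    #   $Pretty                 progress callback, called with "Set-Cookie"
    # Dies if tshark cannot be started or the output file cannot be created.
    my ($set_cookie_trace_file, $set_cookie_parser_pf, $Pretty) = @_;
    my $trace_file      = Get_pcap($set_cookie_trace_file);
    my $set_cookie_file = $trace_file . ".information/" . $trace_file . ".set_cookie";
    unlink $set_cookie_file if -f $set_cookie_file;
    my $set_cookie_number = 0;
    open(my $set_cookie_out, '>', $set_cookie_file) or die "cannot write $set_cookie_file: $!";
    # List-form open: the trace path never goes through a shell.
    open(my $set_cookie_fh, '-|', 'tshark', '-r', $set_cookie_trace_file,
        '-T', 'fields', '-e', 'frame.number', '-e', 'http.set_cookie')
        or die "cannot run tshark on $set_cookie_trace_file: $!";
    while (my $line = <$set_cookie_fh>) {
        # "frame.number<TAB>value"; empty value = header absent in this frame.
        next unless $line =~ /(\d+)\s+(.*)/;
        my ($frame, $set_cookie) = ($1, $2);
        next unless length $set_cookie;
        print {$set_cookie_out} "Frame $frame: $set_cookie\n";
        ++$set_cookie_number;
    }
    close $set_cookie_fh or warn "tshark exited with status $? for $set_cookie_trace_file\n";
    close $set_cookie_out or warn "error closing $set_cookie_file: $!\n";
    print {$set_cookie_parser_pf} "set_cookie_number : $set_cookie_number\n";
    $Pretty->("Set-Cookie");
    return;
}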
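sub TCP_segment {
    # Debug probe (not started by the main loop): scan tcp.segment_data and,
    # at the first segment whose hex dump contains 0d0a300d0a0d0a (CRLF "0"
    # CRLF CRLF, the chunked-transfer terminator), record the trace and frame
    # in "<trace>.information/<trace>.tcp_segment" and exit the program.
    #   $tcp_segment_trace_file  pcap to read
    #   $Pretty                  progress callback, called with "TCP-Segment"
    #                            (only reached when no segment matched)
    # Dies if tshark cannot be started or the output file cannot be created.
    my ($tcp_segment_trace_file, $Pretty) = @_;
    my $trace_file       = Get_pcap($tcp_segment_trace_file);
    my $tcp_segment_file = $trace_file . ".information/" . $trace_file . ".tcp_segment";
    unlink $tcp_segment_file if -f $tcp_segment_file;
    open(my $segment_out, '>', $tcp_segment_file) or die "cannot write $tcp_segment_file: $!";
    # List-form open: the trace path never goes through a shell.
    open(my $segment_fh, '-|', 'tshark', '-r', $tcp_segment_trace_file,
        '-T', 'fields', '-e', 'frame.number', '-e', 'tcp.segment_data')
        or die "cannot run tshark on $tcp_segment_trace_file: $!";
    while (my $line = <$segment_fh>) {
        next unless $line =~ /(\d+)\s+(.*)/;
        my ($frame, $tcp_segment) = ($1, $2);
        if ($tcp_segment =~ /0d0a300d0a0d0a/) {
            print {$segment_out} "$tcp_segment_trace_file in Frame $frame: $tcp_segment\n";
            # Flush the finding before leaving; exit ends the whole process,
            # including any sibling analysis threads, as the original did.
            close $segment_out;
            close $segment_fh;
            exit;
        }
    }
    close $segment_fh or warn "tshark exited with status $? for $tcp_segment_trace_file\n";
    close $segment_out or warn "error closing $tcp_segment_file: $!\n";
    $Pretty->("TCP-Segment");
    return;
}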
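sub TCP_four_tuple {
    # Debug helper (not started by the main loop): print the frame numbers
    # whose TCP/IPv4 4-tuple matches a filter.
    #   $tuple_trace_file  pcap to read
    #   $Pretty            progress callback, called with "TCP-Four-Tuple"
    #   %want              optional overrides for the filter keys srcport,
    #                      dstport, src, dst; the defaults are the values the
    #                      original hard-coded, so existing calls are unchanged.
    # Dies if tshark cannot be started.
    my ($tuple_trace_file, $Pretty, %want) = @_;
    my %filter = (
        srcport => '3861',
        dstport => '80',
        src     => '116.25.109.9',
        dst     => '110.75.200.3',
        %want,
    );
    # List-form open: the trace path never goes through a shell.
    open(my $tuple_fh, '-|', 'tshark', '-r', $tuple_trace_file, '-T', 'fields',
        '-e', 'frame.number', '-e', 'tcp.srcport', '-e', 'tcp.dstport',
        '-e', 'ip.src', '-e', 'ip.dst')
        or die "cannot run tshark on $tuple_trace_file: $!";
    while (my $line = <$tuple_fh>) {
        next unless $line =~ /(\d+)\s+(\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)/;
        my ($frame, $srcport, $dstport, $src, $dst) = ($1, $2, $3, $4, $5);
        # String comparison, as in the original, so "080" and "80" differ.
        next unless $srcport eq $filter{srcport}
                 && $dstport eq $filter{dstport}
                 && $src     eq $filter{src}
                 && $dst     eq $filter{dst};
        print "You can see frame NO: $frame\n";
    }
    close $tuple_fh or warn "tshark exited with status $? for $tuple_trace_file\n";
    $Pretty->("TCP-Four-Tuple");
    return;
}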
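sub HTTP_status_code {
    # Count HTTP response status codes; one "status_code NNN : count" line
    # per distinct code, in ascending order.
    #   $status_trace_file  pcap to read
    #   $status_parser_pf   output filehandle for the summary lines
    #   $Pretty             progress callback, called with "HTTP-Status-Code"
    # Dies if tshark cannot be started.
    my ($status_trace_file, $status_parser_pf, $Pretty) = @_;
    my %status;
    # List-form open: the trace path never goes through a shell.
    open(my $status_fh, '-|', 'tshark', '-r', $status_trace_file,
        '-T', 'fields', '-e', 'http.response.code')
        or die "cannot run tshark on $status_trace_file: $!";
    while (my $line = <$status_fh>) {
        ++$status{$1} if $line =~ /(\d\d\d)/;
    }
    close $status_fh or warn "tshark exited with status $? for $status_trace_file\n";
    for my $code (sort { $a <=> $b } keys %status) {
        print {$status_parser_pf} "status_code $code : $status{$code}\n";
    }
    $Pretty->("HTTP-Status-Code");
    return;
}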
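sub TCP_stream {
    # Count TCP streams as (highest tcp.stream index seen) + 1, since tshark
    # numbers streams from 0.
    #   $stream_trace_file  pcap to read
    #   $stream_parser_pf   output filehandle for the summary line
    #   $Pretty             progress callback, called with "TCP-Stream"
    # Dies if tshark cannot be started.
    my ($stream_trace_file, $stream_parser_pf, $Pretty) = @_;
    my $max_stream = -1;                   # -1 = no stream index seen yet
    # List-form open: the trace path never goes through a shell.
    open(my $stream_fh, '-|', 'tshark', '-r', $stream_trace_file,
        '-T', 'fields', '-e', 'tcp.stream')
        or die "cannot run tshark on $stream_trace_file: $!";
    while (my $line = <$stream_fh>) {
        next unless $line =~ /(\d+)/;
        $max_stream = $1 if $1 > $max_stream;
    }
    close $stream_fh or warn "tshark exited with status $? for $stream_trace_file\n";
    # A trace with no TCP at all now reports 0 streams (the original
    # reported 1, because it always added one to a zero maximum).
    my $tcp_stream_number = $max_stream + 1;
    print {$stream_parser_pf} "tcp_stream : $tcp_stream_number\n";
    $Pretty->("TCP-Stream");
    return;
}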
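sub HTTP_content_length {
    # Count frames carrying an HTTP Content-Length header.
    #   $length_trace_file  pcap to read
    #   $length_parser_pf   output filehandle for the summary line
    #   $Pretty             progress callback, called with "HTTP-Content-Length"
    # Dies if tshark cannot be started.
    my ($length_trace_file, $length_parser_pf, $Pretty) = @_;
    my $content_length_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $length_fh, '-|', 'tshark', '-r', $length_trace_file,
        '-T', 'fields', '-e', 'http.content_length')
        or die "cannot run tshark on $length_trace_file: $!";
    while (my $line = <$length_fh>) {
        ++$content_length_number if $line =~ /\d+/;
    }
    close $length_fh or warn "tshark exited with status $? for $length_trace_file\n";
    print {$length_parser_pf} "http_content_length : $content_length_number\n";
    $Pretty->("HTTP-Content-Length");
    return;
}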
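sub HTTP_content_encoding {
    # Count frames carrying an HTTP Content-Encoding header.
    #   $encoding_trace_file  pcap to read
    #   $encoding_parser_pf   output filehandle for the summary line
    #   $Pretty               progress callback, called with "HTTP-Content-Encoding"
    # Dies if tshark cannot be started.
    my ($encoding_trace_file, $encoding_parser_pf, $Pretty) = @_;
    my $content_encoding_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $encoding_fh, '-|', 'tshark', '-r', $encoding_trace_file,
        '-T', 'fields', '-e', 'http.content_encoding')
        or die "cannot run tshark on $encoding_trace_file: $!";
    while (my $line = <$encoding_fh>) {
        ++$content_encoding_number if $line =~ /\w+/;
    }
    close $encoding_fh or warn "tshark exited with status $? for $encoding_trace_file\n";
    print {$encoding_parser_pf} "http_content_encoding : $content_encoding_number\n";
    $Pretty->("HTTP-Content-Encoding");
    return;
}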
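sub HTTP_transfer_encoding {
    # Count frames carrying an HTTP Transfer-Encoding header.
    #   $transfer_trace_file  pcap to read
    #   $transfer_parser_pf   output filehandle for the summary line
    #   $Pretty               progress callback, called with "HTTP-Transfer-Encoding"
    # Dies if tshark cannot be started.
    my ($transfer_trace_file, $transfer_parser_pf, $Pretty) = @_;
    my $transfer_encoding_number = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $transfer_fh, '-|', 'tshark', '-r', $transfer_trace_file,
        '-T', 'fields', '-e', 'http.transfer_encoding')
        or die "cannot run tshark on $transfer_trace_file: $!";
    while (my $line = <$transfer_fh>) {
        ++$transfer_encoding_number if $line =~ /\w+/;
    }
    close $transfer_fh or warn "tshark exited with status $? for $transfer_trace_file\n";
    print {$transfer_parser_pf} "http_transfer_encoding : $transfer_encoding_number\n";
    $Pretty->("HTTP-Transfer-Encoding");
    return;
}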
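sub HTTP_traffic {
    # Sum frame.len over frames whose tcp.len is non-zero, i.e. TCP segments
    # that carry payload.  Despite the name this is not HTTP-specific: any
    # TCP payload counts.
    #   $http_traffic_trace_file  pcap to read
    #   $http_traffic_parser_pf   output filehandle for the summary line
    #   $Pretty                   progress callback, called with "HTTP-Traffic"
    # Dies if tshark cannot be started.
    my ($http_traffic_trace_file, $http_traffic_parser_pf, $Pretty) = @_;
    my $total_http_traffic = 0;
    # List-form open: the trace path never goes through a shell.
    open(my $traffic_fh, '-|', 'tshark', '-r', $http_traffic_trace_file,
        '-T', 'fields', '-e', 'tcp.len', '-e', 'frame.len')
        or die "cannot run tshark on $http_traffic_trace_file: $!";
    while (my $line = <$traffic_fh>) {
        chomp $line;
        # Tab-separated columns; tcp.len is empty for non-TCP frames, so
        # splitting on the tab keeps frame.len in the second column.
        my ($data_length, $frame_len) = split /\t/, $line, -1;
        next unless $data_length;          # empty or 0: no TCP payload
        $total_http_traffic += $frame_len if defined $frame_len && length $frame_len;
    }
    close $traffic_fh or warn "tshark exited with status $? for $http_traffic_trace_file\n";
    print {$http_traffic_parser_pf} "http_traffic : $total_http_traffic\n";
    $Pretty->("HTTP-Traffic");
    return;
}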
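sub TCP_IN_OUT {
    # Sum the per-direction frame and byte counts of "tshark -z conv,tcp".
    # A conversation line looks like (example from the original comment):
    #   192.168.1.100:54988 <-> 143.248.142.36:http 9 6223 10 1863 19 8086 0.000000000 0.0000
    # i.e. left endpoint, right endpoint, then frames/bytes for the first
    # direction, frames/bytes for the second, totals, start and duration.
    # The original counted the second pair as "in" and the first as "out";
    # that mapping is kept.
    #   $in_out_trace_file  pcap to read
    #   $in_out_parser_pf   output filehandle for the summary lines
    #   $Pretty             progress callback, called once per figure
    # Dies if tshark cannot be started.
    # NOTE(review): the pattern expects plain decimal byte counts; tshark
    # releases that print units (e.g. "kB") would not match and would be
    # silently skipped -- confirm against the installed version.
    my ($in_out_trace_file, $in_out_parser_pf, $Pretty) = @_;
    my $in_pkts   = 0;
    my $out_pkts  = 0;
    my $in_bytes  = 0;
    my $out_bytes = 0;
    my $ipv4 = qr/\d{1,3}(?:\.\d{1,3}){3}/;
    my $conv_re = qr/
        ($ipv4):(\S+) \s+ <-> \s+ ($ipv4):(\S+) \s+
        (\d+) \s+ (\d+) \s+ (\d+) \s+ (\d+) \s+ (\d+) \s+ (\d+) \s+
        (\d+\.\d+) \s+ (\d+\.\d+)
    /x;
    # List-form open: the trace path never goes through a shell.
    open(my $in_out_fh, '-|', 'tshark', '-r', $in_out_trace_file, '-q', '-z', 'conv,tcp')
        or die "cannot run tshark on $in_out_trace_file: $!";
    while (my $line = <$in_out_fh>) {
        next unless $line =~ $conv_re;
        # $5/$6: first direction, $7/$8: second direction.
        $out_pkts  += $5;
        $out_bytes += $6;
        $in_pkts   += $7;
        $in_bytes  += $8;
    }
    close $in_out_fh or warn "tshark exited with status $? for $in_out_trace_file\n";
    print {$in_out_parser_pf} "tcp_in_pkts : $in_pkts\n";
    $Pretty->("TCP_IN_PKTS");
    print {$in_out_parser_pf} "tcp_out_pkts : $out_pkts\n";
    $Pretty->("TCP_OUT_PKTS");
    print {$in_out_parser_pf} "tcp_in_bytes : $in_bytes\n";
    $Pretty->("TCP_IN_BYTES");
    print {$in_out_parser_pf} "tcp_out_bytes : $out_bytes\n";
    $Pretty->("TCP_OUT_BYTES");
    return;
}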
sub Pretty_print {
    # Progress callback handed to every worker: announce on the default
    # output handle, in bold blue, that the analysis named $field finished.
    my ($field) = @_;
    print color('bold blue'), "Analyse finish $field \n", color('reset');
}
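sub Tshark {
    # Abort early when tshark is not installed.  Checks the three fixed
    # locations the original looked at and, in addition, every directory on
    # PATH, since the workers start tshark by name and rely on PATH anyway.
    my @candidates = ('/usr/bin/tshark', '/usr/local/bin/tshark', '/usr/sbin/tshark');
    my $path = defined $ENV{PATH} ? $ENV{PATH} : '';
    push @candidates, map { "$_/tshark" } grep { length } split /:/, $path;
    if (grep { -f $_ } @candidates) {
        print "OK, tshark exist !\n";
    }
    else {
        print "Tshark not found, please install it first !\n";
        exit;
    }
    return;
}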
#############################Main Function###########################
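Tshark();
# The only argument is a text file listing one trace path per line.
my $file_list = defined $ARGV[0] ? $ARGV[0] : '';
chomp $file_list;
print "Sorry, please run the script with a file list as ARGV !\n" and exit if !length $file_list;
print "Sorry, trace file list $file_list not found !\n" and exit if !-f $file_list;
open(my $PCAP, '<', $file_list) or die "cannot open $file_list: $!";
while (my $trace_file = <$PCAP>) {
    chomp $trace_file;
    next unless length $trace_file;            # ignore blank lines in the list
    my $pcap_file       = Get_pcap($trace_file);
    my $trace_file_path = $pcap_file . ".information";
    # rmdir only succeeds on an empty directory; a non-empty one from an
    # earlier run is reused and the workers recreate their files inside it.
    rmdir $trace_file_path if -d $trace_file_path;
    if (!-d $trace_file_path) {
        mkdir $trace_file_path or die "cannot create $trace_file_path: $!";
    }
    my $parser_file = $trace_file_path . "/" . $pcap_file . ".parser";
    unlink $parser_file if -f $parser_file;
    open(my $PARSER, '>', $parser_file) or die "cannot write $parser_file: $!";
    print color 'bold red';
    print "\n===============>start process: $pcap_file, save information in $pcap_file" . ".information\n";
    print color 'reset';
    # One worker thread per analysis; each runs its own tshark process and
    # writes its summary lines to the shared $PARSER handle.
    my @jobs = (
        [ \&Frame,                  $trace_file, $PARSER, \&Pretty_print ],
        [ \&IP_fragment,            $trace_file, $PARSER, \&Pretty_print ],
        [ \&HTTP_user_agent,        $trace_file, \&Pretty_print ],
        [ \&HTTP_xforwarded_for,    $trace_file, \&Pretty_print ],
        [ \&HTTP_cookie,            $trace_file, $PARSER, \&Pretty_print ],
        [ \&HTTP_set_cookie,        $trace_file, $PARSER, \&Pretty_print ],
        [ \&L7,                     $trace_file, $PARSER, \&Pretty_print ],
        # [ \&TCP_segment,          $trace_file, \&Pretty_print ],   # debug probe, disabled
        [ \&TCP_out_of_order,       $trace_file, $PARSER, \&Pretty_print ],
        [ \&TCP_retransmission,     $trace_file, $PARSER, \&Pretty_print ],
        [ \&TCP_packet,             $trace_file, $PARSER, \&Pretty_print ],
        [ \&UDP_packet,             $trace_file, $PARSER, \&Pretty_print ],
        [ \&ICMP_packet,            $trace_file, $PARSER, \&Pretty_print ],
        # [ \&TCP_four_tuple,       $trace_file, \&Pretty_print ],   # debug probe, disabled
        [ \&HTTP_status_code,       $trace_file, $PARSER, \&Pretty_print ],
        [ \&TCP_stream,             $trace_file, $PARSER, \&Pretty_print ],
        [ \&Four_tuple,             $trace_file, $PARSER, \&Pretty_print ],
        [ \&HTTP_content_length,    $trace_file, $PARSER, \&Pretty_print ],
        [ \&HTTP_content_encoding,  $trace_file, $PARSER, \&Pretty_print ],
        [ \&HTTP_transfer_encoding, $trace_file, $PARSER, \&Pretty_print ],
        [ \&TCP_IN_OUT,             $trace_file, $PARSER, \&Pretty_print ],
        [ \&HTTP_traffic,           $trace_file, $PARSER, \&Pretty_print ],
        [ \&Ports_traffic,          $trace_file, $PARSER, \&Pretty_print ],
    );
    my @workers = map { threads->create(@{$_}) } @jobs;
    $_->join() for @workers;
    # Close the per-trace parser file here, after all workers have finished:
    # the original's close after the loop referred to an undeclared global,
    # not to this lexical handle.
    close $PARSER or warn "error closing $parser_file: $!\n";
    print color 'bold green';
    print "===============>process over: save information in $pcap_file" . ".information\n";
    print color 'reset';
}
close $PCAP;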
