-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy pathlf_parse_tshark_log.pl
executable file
·87 lines (76 loc) · 2.51 KB
/
lf_parse_tshark_log.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#!/usr/bin/perl
use strict;
$| = 1; # Don't buffer things...
my $last_seq = -1;
my $last_pkt = -1;
my $last_ts = -1;
my $last_seq_ooo = -1;
my $last_pkt_ooo = -1;
my $last_ts_ooo = -1;
# Reads in input like:
#23930 18.005150 192.168.1.102 -> 192.168.1.101 LANforge Seq: 66653
#23931 18.005265 192.168.1.102 -> 192.168.1.101 LANforge Seq: 66654
#23932 18.005391 192.168.1.102 -> 192.168.1.101 LANforge Seq: 66655
while(<>) {
my $ln = $_;
chomp($ln);
if ($ln =~ /^\s*(\d+)\s+(\S+)\s+(.*)\s+LANforge Seq:\s+(\d+)/) {
my $pkt = $1;
my $ts = $2;
my $stream = $3;
my $seq = $4;
#print "pkt is LANforge protocol: $ln\n";
my $gap = $seq - $last_seq;
my $skip_update = 0;
# TODO: Deal with different streams, have to take IP ports into account too probably.
if ($gap != 1) {
if ($gap > 1) {
print "DROP: pkt-gap, seq: $last_seq\/$seq pkt-cnt: $last_pkt\/$pkt timestamp: $last_ts\/$ts gap: $gap\n";
$last_seq_ooo = -1;
}
elsif ($gap == 0) {
print "DUP: pkt-gap, seq: $last_seq\/$seq pkt-cnt: $last_pkt\/$pkt timestamp: $last_ts\/$ts gap: $gap\n";
$last_seq_ooo = -1;
}
else {
# New seq is smaller than old. Either an OOO pkt, or perhaps a seq-number wrap?
if ($seq <= 10) {
# Assume wrap
print "WRAP: pkt-gap, seq: $last_seq\/$seq pkt-cnt: $last_pkt\/$pkt timestamp: $last_ts\/$ts gap: $gap\n";
$last_seq_ooo = -1;
}
else {
my $ooo_gap = $seq - $last_seq_ooo;
my $skip_update_ooo = 0;
if ($last_seq_ooo == -1) {
print "OOO: pkt-gap, seq: $last_seq\/$seq pkt-cnt: $last_pkt\/$pkt timestamp: $last_ts\/$ts gap: $gap\n";
}
elsif ($ooo_gap > 1) {
print "OOO-DROP: pkt-gap, seq: $last_seq_ooo\/$seq pkt-cnt: $last_pkt_ooo\/$pkt timestamp: $last_ts_ooo\/$ts gap: $ooo_gap\n";
}
elsif ($ooo_gap == 0) {
print "OOO-DUP: pkt-gap, seq: $last_seq_ooo\/$seq pkt-cnt: $last_pkt_ooo\/$pkt timestamp: $last_ts_ooo\/$ts gap: $ooo_gap\n";
}
elsif ($ooo_gap < 0) {
# Fun, out of order flow in already out of order flow!
print "OOO-OOO: pkt-gap, seq: $last_seq_ooo\/$seq pkt-cnt: $last_pkt_ooo\/$pkt timestamp: $last_ts_ooo\/$ts gap: $ooo_gap\n";
$skip_update_ooo = 1;
}
if (! $skip_update_ooo) {
# Start of OOO pkt sequence
$last_seq_ooo = $seq;
$last_pkt_ooo = $pkt;
$last_ts_ooo = $ts;
}
# Don't update main pkt counters for OOO pkts.
$skip_update = 1;
}
}
}
if (! $skip_update) {
$last_seq = $seq;
$last_pkt = $pkt;
$last_ts = $ts;
}
}
}