Parsing HEX Snoop Dump (PERL Beginners list archive, October 2006)
storedge@comcast.net

2006-10-02, 6:59 pm

I'm trying to parse a huge (~2-5MB) Snoop dump from our servers.
The output is below:

15:44:14.57313 199.117.205.249 -> s31 TCP D=57013 S=4500 Push Ack=4051907260 Seq=4004895749 Len=39 Win=49640

0: 0003 ba0c 272b 000c f860 a0f0 0800 4500 ....'+..ø`....E.
16: 004f 9fe9 4000 3806 0231 c775 cdf9 0a01 .O..@.8..1.u.ù..
32: 011f 1194 deb5 eeb5 dc05 f183 32bc 5018 ............2.P.
48: c1e8 78f7 0000 e225 c704 050c 1915 e81d ..x....%........
64: e91b cf01 01d1 0201 01f2 12c0 0231 30c1 .............10.
80: 0101 c209 0401 210a 0656 1187 42 ......!..V..B

15:44:14.66459 s31 -> 199.117.205.249 TCP D=4500 S=57013 Ack=4004895788 Seq=4051907260 Len=0 Win=64140

0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
16: 0028 7e4d 4000 4006 1bf4 0a01 011f c775 .(~M@.@........u
32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5010 .ù......2....,P.
48: fa8c a0a9 0000 ú.....

15:44:14.74595 s31 -> 199.117.205.249 TCP D=4500 S=57013 Push Ack=4004895788 Seq=4051907260 Len=81 Win=64140

0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
16: 0079 7e4e 4000 4006 1ba2 0a01 011f c775 .y~N@.@........u
32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5018 .ù......2....,P.
48: fa8c a0fa 0000 e44f c704 050c 1915 e847 .......O.......G
64: ea45 cf01 01f2 40c0 0101 e117 c006 0609 .E....@.........
80: 1d08 a4e2 c10a 0301 34f5 a0c4 1a9e 0000 ........4.......
96: c201 00c2 0902 0021 0a06 2651 9079 c309 .......!..&Q.y..
112: 0401 210a 9990 0932 91c6 0c00 0121 0f13 ..!....2.....!..
128: 0601 1095 1697 f4 .......


What I'd like to see is the time stamp when the request came in and the time stamp when the server responded.
Like...

Time: Transaction Transaction_ID Transaction_Type

15:44:14.57313 199.117.205.249 -> s31 c704 050c (from line 48) Request
15:44:14.74595 s31 -> 199.117.205.249 c704 050c (from line 48) Response

Any ideas? Has anyone done this before?
TIA
DJ Stunks

2006-10-03, 6:58 pm

storedge@comcast.net wrote:
> I'm trying to parse a huge (~2-5MB) Snoop dump from our servers.
> The output is below:
>
> 15:44:14.57313 199.117.205.249 -> s31 TCP D=57013 S=4500 Push Ack=4051907260 Seq=4004895749 Len=39 Win=49640
>
> 0: 0003 ba0c 272b 000c f860 a0f0 0800 4500 ....'+..ø`....E.
> 16: 004f 9fe9 4000 3806 0231 c775 cdf9 0a01 .O..@.8..1.u.ù..
> 32: 011f 1194 deb5 eeb5 dc05 f183 32bc 5018 ............2.P.
> 48: c1e8 78f7 0000 e225 c704 050c 1915 e81d ..x....%........
> 64: e91b cf01 01d1 0201 01f2 12c0 0231 30c1 .............10.
> 80: 0101 c209 0401 210a 0656 1187 42 ......!..V..B
>
> 15:44:14.66459 s31 -> 199.117.205.249 TCP D=4500 S=57013 Ack=4004895788 Seq=4051907260 Len=0 Win=64140
>
> 0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
> 16: 0028 7e4d 4000 4006 1bf4 0a01 011f c775 .(~M@.@........u
> 32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5010 .ù......2....,P.
> 48: fa8c a0a9 0000 ú.....
>
> 15:44:14.74595 s31 -> 199.117.205.249 TCP D=4500 S=57013 Push Ack=4004895788 Seq=4051907260 Len=81 Win=64140
>
> 0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
> 16: 0079 7e4e 4000 4006 1ba2 0a01 011f c775 .y~N@.@........u
> 32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5018 .ù......2....,P.
> 48: fa8c a0fa 0000 e44f c704 050c 1915 e847 .......O.......G
> 64: ea45 cf01 01f2 40c0 0101 e117 c006 0609 .E....@.........
> 80: 1d08 a4e2 c10a 0301 34f5 a0c4 1a9e 0000 ........4.......
> 96: c201 00c2 0902 0021 0a06 2651 9079 c309 .......!..&Q.y..
> 112: 0401 210a 9990 0932 91c6 0c00 0121 0f13 ..!....2.....!..
> 128: 0601 1095 1697 f4 .......
>
>
> What I'd like to see is the time stamp the request came in and time stamp the server responded.
> Like...
>
> Time: Transaction Transaction_ID Transaction_Type
>
> 15:44:14.57313 199.117.205.249 -> s31 c704 050c (from line 48) Request
> 15:44:14.74595 s31 -> 199.117.205.249 c704 050c (from line 48) Response
>
> Any ideas? Anyone have done this before?
> TIA


What have you tried?

Do you know any Perl? Particularly: 1) regular expressions, 2) the $/ variable?

-jp

PS - which bit determines request vs. response?

Chris Charley

2006-10-05, 6:58 pm


----- Original Message -----
From: <storedge@comcast.net>
Newsgroups: perl.beginners
To: <beginners@perl.org>
Sent: Monday, October 02, 2006 10:33 AM
Subject: Parsing HEX Snoop Dump


> I'm trying to parse a huge (~2-5MB) Snoop dump from our servers.
> The output is below:
>
> 15:44:14.57313 199.117.205.249 -> s31 TCP D=57013 S=4500 Push
> Ack=4051907260 Seq=4004895749 Len=39 Win=49640
>
> 0: 0003 ba0c 272b 000c f860 a0f0 0800 4500 ....'+..ø`....E.
> 16: 004f 9fe9 4000 3806 0231 c775 cdf9 0a01 .O..@.8..1.u.ù..
> 32: 011f 1194 deb5 eeb5 dc05 f183 32bc 5018 ............2.P.
> 48: c1e8 78f7 0000 e225 c704 050c 1915 e81d ..x....%........
> 64: e91b cf01 01d1 0201 01f2 12c0 0231 30c1 .............10.
> 80: 0101 c209 0401 210a 0656 1187 42 ......!..V..B
>
> 15:44:14.66459 s31 -> 199.117.205.249 TCP D=4500 S=57013
> Ack=4004895788 Seq=4051907260 Len=0 Win=64140
>
> 0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
> 16: 0028 7e4d 4000 4006 1bf4 0a01 011f c775 .(~M@.@........u
> 32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5010 .ù......2....,P.
> 48: fa8c a0a9 0000 ú.....
>
> 15:44:14.74595 s31 -> 199.117.205.249 TCP D=4500 S=57013 Push
> Ack=4004895788 Seq=4051907260 Len=81 Win=64140
>
> 0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
> 16: 0079 7e4e 4000 4006 1ba2 0a01 011f c775 .y~N@.@........u
> 32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5018 .ù......2....,P.
> 48: fa8c a0fa 0000 e44f c704 050c 1915 e847 .......O.......G
> 64: ea45 cf01 01f2 40c0 0101 e117 c006 0609 .E....@.........
> 80: 1d08 a4e2 c10a 0301 34f5 a0c4 1a9e 0000 ........4.......
> 96: c201 00c2 0902 0021 0a06 2651 9079 c309 .......!..&Q.y..
> 112: 0401 210a 9990 0932 91c6 0c00 0121 0f13 ..!....2.....!..
> 128: 0601 1095 1697 f4 .......
>
>
> What I'd like to see is the time stamp the request came in and time stamp
> the server responded.
> Like...
>
> Time: Transaction Transaction_ID Transaction_Type
>
> 15:44:14.57313 199.117.205.249 -> s31 c704 050c (from line 48) Request
> 15:44:14.74595 s31 -> 199.117.205.249 c704 050c (from line 48) Response
>
> Any ideas? Anyone have done this before?
> TIA


This raises a number of questions. :-)

What constitutes a valid Request/Response? A 'Push Ack' vs. just a 'Push' in
the first line?
Or is a valid Req/Resp indicated by a 'full' line beginning with 48?

Is it possible for another request to come before a valid Response to the
first Request?

Chris
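As an added example, not code from any poster in this thread, the following Perl script does what the original question asks for, using the two tools DJ Stunks hints at: paragraph mode (`$/ = ""`) to split the dump into header and hex paragraphs, and regular expressions to pull the fields out. It also takes a position on Chris's questions: a packet counts as carrying a transaction only if `Len` is non-zero and its "48:" line is long enough to hold the ID (the `Push` flag is not consulted), and requests are held in a hash keyed by ID, so a second request arriving before the first response is still paired correctly. Everything beyond the posted dump is an assumption and is marked as such in the code: that `s31` is the server (so traffic towards it is a Request), that the ID is the 5th and 6th hex words on the "48:" line (frame offset 56, as the sample shows), and the sample input itself, which is constructed from the three packets in the post, trimmed to their "48:" lines.

```perl
# Added example, not from the original thread: read a snoop hex dump in
# paragraph mode ($/ = ""), take the transaction ID from each packet's "48:"
# line and pair every request with its response by that ID.
use strict;
use warnings;
# Assumption: 's31' is the server, so packets sent to it are Requests and
# packets sent by it are Responses (this is how the sample was labelled).
my $SERVER = 's31';
# Assumption taken from the sample: the ID is the 5th and 6th hex words of
# the "48:" line (frame offset 56), so $ID_WORD is their 0-based index.
my ($ID_LINE, $ID_WORD) = (48, 4);
# Constructed sample: the three packets from the original post, cut down to
# the "48:" line of each, which is the only line this script looks at.
my $dump = <<'END';
15:44:14.57313 199.117.205.249 -> s31 TCP D=57013 S=4500 Push Ack=4051907260 Seq=4004895749 Len=39 Win=49640

48: c1e8 78f7 0000 e225 c704 050c 1915 e81d ..x....%........

15:44:14.66459 s31 -> 199.117.205.249 TCP D=4500 S=57013 Ack=4004895788 Seq=4051907260 Len=0 Win=64140

48: fa8c a0a9 0000 ú.....

15:44:14.74595 s31 -> 199.117.205.249 TCP D=4500 S=57013 Push Ack=4004895788 Seq=4051907260 Len=81 Win=64140

48: fa8c a0fa 0000 e44f c704 050c 1915 e847 .......O.......G
END

# A paragraph that starts with a timestamp is a packet header; any other
# paragraph is the hex block belonging to the most recent header.
sub parse_snoop {
    my ($text) = @_;
    my @packets;
    open my $fh, '<', \$text or die "open: $!";
    local $/ = "";                                   # paragraph mode
    while (my $para = <$fh>) {
        if ($para =~ /^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+)\s+TCP\b(.*)/) {
            my ($time, $src, $dst, $rest) = ($1, $2, $3, $4);
            my ($len) = $rest =~ /\bLen=(\d+)/;
            push @packets, { time => $time, src => $src, dst => $dst,
                             len => $len // 0, lines => {} };
            next;
        }
        next unless @packets;                        # hex block without a header
        my $pkt = $packets[-1];
        for my $line (split /\n/, $para) {
            my ($off, $words) = $line =~ /^\s*(\d+):\s+(.*)/ or next;
            # hex words are 4 digits (2 bytes), possibly one final 2-digit
            # word; the first token that is not hex starts the ASCII column
            my @hex;
            for my $w (split ' ', $words) {
                last unless $w =~ /^[0-9a-f]{2}(?:[0-9a-f]{2})?$/;
                push @hex, $w;
            }
            $pkt->{lines}{$off} = \@hex;
        }
    }
    return @packets;
}

# Only packets whose payload reaches the ID words have one; a pure ACK
# (Len=0, like the second packet above) or a short "48:" line is skipped.
sub transaction_id {
    my ($pkt) = @_;
    return if $pkt->{len} == 0;
    my $w = $pkt->{lines}{$ID_LINE} or return;
    return unless @$w > $ID_WORD + 1 && length($w->[$ID_WORD + 1]) == 4;
    return join '', @$w[$ID_WORD, $ID_WORD + 1];     # e.g. "c704050c"
}

sub seconds { my ($h, $m, $s) = split /:/, shift; return $h * 3600 + $m * 60 + $s }
# Keying outstanding requests by ID lets a second request arrive before the
# first response and still match, provided IDs are not reused while open.
sub pair_transactions {
    my ($server, @packets) = @_;
    my (%pending, @rows);
    for my $pkt (@packets) {
        my $id = transaction_id($pkt) or next;
        my $dir    = "$pkt->{src} -> $pkt->{dst}";
        my $pretty = join ' ', unpack '(A4)*', $id;  # "c704050c" -> "c704 050c"
        if ($pkt->{dst} eq $server) {
            $pending{$id} = $pkt;
            push @rows, [ $pkt->{time}, $dir, $pretty, 'Request', '' ];
        }
        elsif ($pkt->{src} eq $server) {
            my $req  = delete $pending{$id};
            my $note = $req ? sprintf('%.5f s after request', seconds($pkt->{time}) - seconds($req->{time}))
                            : 'no matching request seen';
            push @rows, [ $pkt->{time}, $dir, $pretty, 'Response', $note ];
        }
    }
    my @unanswered = map { $pending{$_}{time} } sort keys %pending;
    return (\@rows, \@unanswered);
}

my ($rows, $unanswered) = pair_transactions($SERVER, parse_snoop($dump));
printf "%-15s %-30s %-14s %-9s %s\n", 'Time', 'Transaction', 'Transaction_ID', 'Type', 'Note';
printf "%-15s %-30s %-14s %-9s %s\n", @$_ for @$rows;
print "Unanswered request at $_\n" for @$unanswered;
```

To run it against a real capture, replace the in-memory `open ... \$text` with the path of the snoop output; paragraph mode works the same on a 5 MB file because each `<$fh>` read returns one blank-line-separated paragraph rather than the whole file. The "unanswered" list is the part worth watching on a server dump: a request whose ID never comes back from the server is either a lost or timed-out transaction or a sign that the ID really lives somewhere other than offset 56, so confirm that offset against the protocol's own layout before trusting the pairing.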


Copyright 2009 codecomments.com