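# Open and read the data files. split into lists on newline.
# snmp.txt contains snmp messages in this form:
# MON DAY TIME USER MESSAGEID INTERNAL-ROUTER-IP TRAP INFO ROUTERINFO "@out INTERNAL-IP CONVERSATION-PORT EXTERNAL-IP SERVICE-PORT "
#
# tcpdump.txt contains tcpdump output in this form:
# 16:00:04.038100 length 52 70.41.43.223.2413 > 208.73.181.192.5223
# TIMESTAMP length BYTES_IN_PACKET IP.PORT > IP.PORT
#
# Both files are log output produced by other programs, so every field
# pulled out of them is treated as plain text: fields are only compared
# or added inside a braced expr, never handed to expr/eval unbraced.

# Return the port part of an IP.PORT token (the fifth dot-separated
# field); an empty string if the token has fewer than five parts.
proc portOf {ipPort} {
    return [lindex [split $ipPort .] 4]
}

# Sum the tcpdump byte counts that belong to one snmp conversation.
#   lines       - the tcpdump.txt lines, as a list
#   routerIP    - external router address, present in every tcpdump line
#   convPort    - router-side port of the conversation
#   servicePort - external service port; a packet whose source port is
#                 the service port is inbound, anything else is outbound
# Returns a two-element list {inboundBytes outboundBytes}.
proc conversationBytes {lines routerIP convPort servicePort} {
    set inTotal 0
    set outTotal 0
    set endpoint "$routerIP.$convPort"
    # The glob pre-filter is cheap but only a prefix match on the port
    # ("2413" also hits "24130"), so every candidate is re-checked for
    # an exact IP.PORT match on either side of the packet.
    foreach i [lsearch -all $lines "*$endpoint*"] {
        set fields [split [lindex $lines $i]]
        set bytes [lindex $fields 2]
        set src [lindex $fields 3]
        set dest [lindex $fields 5]
        if {$src ne $endpoint && $dest ne $endpoint} {
            continue
        }
        # A byte count that is not a whole number cannot be added; this
        # also keeps a mangled or hostile field from ever reaching expr.
        if {![string is integer -strict $bytes]} {
            continue
        }
        # Braced expr: the substituted field values are not re-parsed as
        # Tcl by expr, so a "[...]" in the log data is just text.
        if {[portOf $src] == $servicePort} {
            set inTotal [expr {$inTotal + $bytes}]
        } else {
            set outTotal [expr {$outTotal + $bytes}]
        }
    }
    return [list $inTotal $outTotal]
}

set if1 [open snmp.txt r]
set if2 [open tcpdump.txt r]
set lst1 [split [read $if1] \n]
set lst2 [split [read $if2] \n]
close $if1
close $if2

# This is the external address of the router.
# All tcpdump output will have this address as the
# source or destination.
set routerIP 70.41.43.223

# Step through each line in the snmp data.
# Use snmp data in the outer loop because each line in that file
# references a single conversation, while multiple lines in the
# tcpdump file are connected to a conversation.
foreach line $lst1 {
    # Split the line on spaces. If you don't do this, the quoted
    # part of the message is treated as a single list element.
    set l [split $line " "]

    # Extract useful fields from this data (positions fixed by the
    # message layout documented at the top of the file).
    set timestamp [lindex $l 2]
    set srcIP1 [lindex $l 18]
    set conversationPort1 [lindex $l 19]
    set destIP1 [lindex $l 20]
    set servicePort1 [lindex $l 21]

    # There might be blank lines in the data; they yield an empty
    # timestamp. Skip them before printing so a blank line never emits
    # a report built from the previous conversation's totals.
    if {$timestamp eq ""} {
        continue
    }

    set totals [conversationBytes $lst2 $routerIP $conversationPort1 $servicePort1]
    set inTotal [lindex $totals 0]
    set outTotal [lindex $totals 1]
    puts "$timestamp $inTotal $outTotal $srcIP1 -> $destIP1 $servicePort1"
}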