----- Original Message -----
From: <[EMAIL PROTECTED]>
Newsgroups: perl.beginners
To: <beginners@perl.org>
Sent: Monday, October 02, 2006 10:33 AM
Subject: Parsing HEX Snoop Dump
I'm trying to parse a huge (~2-5MB) Snoop dump from our servers.
The output is below:
15:44:14.57313 199.117.205.249 -> s31 TCP D=57013 S=4500 Push
Ack=4051907260 Seq=4004895749 Len=39 Win=49640
0: 0003 ba0c 272b 000c f860 a0f0 0800 4500 ....'+..ø`....E.
16: 004f 9fe9 4000 3806 0231 c775 cdf9 0a01 [EMAIL PROTECTED]
32: 011f 1194 deb5 eeb5 dc05 f183 32bc 5018 ............2.P.
48: c1e8 78f7 0000 e225 c704 050c 1915 e81d ..x....%........
64: e91b cf01 01d1 0201 01f2 12c0 0231 30c1 .............10.
80: 0101 c209 0401 210a 0656 1187 42 ......!..V..B
15:44:14.66459 s31 -> 199.117.205.249 TCP D=4500 S=57013
Ack=4004895788 Seq=4051907260 Len=0 Win=64140
0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
16: 0028 7e4d 4000 4006 1bf4 0a01 011f c775 .([EMAIL PROTECTED]@........u
32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5010 .ù......2....,P.
48: fa8c a0a9 0000 ú.....
15:44:14.74595 s31 -> 199.117.205.249 TCP D=4500 S=57013 Push
Ack=4004895788 Seq=4051907260 Len=81 Win=64140
0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ..^.......'+..E.
16: 0079 7e4e 4000 4006 1ba2 0a01 011f c775 [EMAIL PROTECTED]@........u
32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5018 .ù......2....,P.
48: fa8c a0fa 0000 e44f c704 050c 1915 e847 .......O.......G
64: ea45 cf01 01f2 40c0 0101 e117 c006 0609 [EMAIL PROTECTED]
80: 1d08 a4e2 c10a 0301 34f5 a0c4 1a9e 0000 ........4.......
96: c201 00c2 0902 0021 0a06 2651 9079 c309 .......!..&Q.y..
112: 0401 210a 9990 0932 91c6 0c00 0121 0f13 ..!....2.....!..
128: 0601 1095 1697 f4 .......
What I'd like to see is the time stamp the request came in and time stamp
the server responded.
Like...
Time: Transaction Transaction_ID Transaction_Type
15:44:14.57313 199.117.205.249 -> s31 c704 050c (from line 48) Request
15:44:14.74595 s31 -> 199.117.205.249 c704 050c (from line 48) Response
Any ideas? Has anyone done this before?
TIA

This raises a number of questions. :-)
What constitutes a valid Request/Response? A 'Push Ack' vs. just a 'Push' in
the first line?
Or is a valid Req/Resp indicated by a 'full' line beginning with 48?
Is it possible for another request to come before a valid Response to the
first Request?
Chris
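
An added example, not part of the original thread and not either poster's code: a Perl script that produces the report the question asks for. Because the thread leaves Chris's questions open, it assumes that packets addressed to s31 are requests, that the ID is the four bytes at frame offset 56 (the 5th and 6th words of row 48), and that a response repeats its request's ID. The sample input is adapted from the dump above, with header lines unwrapped, the ASCII column replaced by dots and rows after 48 cut.

```perl
use strict;
use warnings;
# Assumptions (not settled in the thread): packets sent to $SERVER are requests,
# and the ID is the 4 bytes at frame offset 56 (row "48:", 5th and 6th words).
my ($SERVER, $ID_OFFSET) = ('s31', 56);
my (@packets, $cur);
while (my $line = <DATA>) {    # DATA: sample adapted from the post's dump
    if ($line =~ /^(\d+):(\d+):(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+TCP\b/) {
        $cur = { stamp => "$1:$2:$3", secs => $1 * 3600 + $2 * 60 + $3,
                 src => $4, dst => $5, hex => '' };
        push @packets, $cur;
    }
    elsif ($cur && $line =~ /^\s*(\d+):\s+(.*)/) {
        my ($offset, $rest) = ($1, $2);
        next unless $offset * 2 == length($cur->{hex});  # row must continue the frame
        my $row = '';
        for my $tok (split ' ', $rest) {   # stop at the ASCII column
            last if length($row) >= 32 || $tok !~ /^(?:[0-9a-f]{2}){1,2}$/i;
            $row .= lc $tok;
        }
        $cur->{hex} .= $row;
    }
}
my %pending;    # ID -> time of the request still waiting for its response
for my $p (@packets) {
    next if length($p->{hex}) < 2 * ($ID_OFFSET + 4);    # bare ACK: no payload, no ID
    my $id   = join ' ', unpack '(A4)2', substr($p->{hex}, 2 * $ID_OFFSET, 8);
    my $type = $p->{dst} eq $SERVER ? 'Request' : 'Response';
    my $note = '';
    if ($type eq 'Request') { $pending{$id} = $p->{secs} }
    elsif (defined(my $t0 = delete $pending{$id})) { $note = sprintf ' (+%.5fs)', $p->{secs} - $t0 }
    print "$p->{stamp} $p->{src} -> $p->{dst} $id $type$note\n";
}
__DATA__
15:44:14.57313 199.117.205.249 -> s31 TCP D=57013 S=4500 Push Ack=4051907260 Seq=4004895749 Len=39 Win=49640
0: 0003 ba0c 272b 000c f860 a0f0 0800 4500 ................
16: 004f 9fe9 4000 3806 0231 c775 cdf9 0a01 ................
32: 011f 1194 deb5 eeb5 dc05 f183 32bc 5018 ................
48: c1e8 78f7 0000 e225 c704 050c 1915 e81d ................
15:44:14.66459 s31 -> 199.117.205.249 TCP D=4500 S=57013 Ack=4004895788 Seq=4051907260 Len=0 Win=64140
0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ................
16: 0028 7e4d 4000 4006 1bf4 0a01 011f c775 ................
32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5010 ................
48: fa8c a0a9 0000 ......
15:44:14.74595 s31 -> 199.117.205.249 TCP D=4500 S=57013 Push Ack=4004895788 Seq=4051907260 Len=81 Win=64140
0: 0000 5e00 01c9 0003 ba0c 272b 0800 4500 ................
16: 0079 7e4e 4000 4006 1ba2 0a01 011f c775 ................
32: cdf9 deb5 1194 f183 32bc eeb5 dc2c 5018 ................
48: fa8c a0fa 0000 e44f c704 050c 1915 e847 ................
```

Requests are tracked per ID in `%pending`, so a second request that arrives before the first response is still matched to its own reply, and packets with no payload (bare ACKs) are skipped. To run it against a real capture, read from the snoop output file instead of `DATA`.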