I have a program that keeps on writing the icmp echo requests being received by a machine into a file.

I am using system("tcpdump 'icmp[0] == 8' | tee abc.txt") to do that.

So this process keeps on going till I end the program manually.

Each line has the timestamp as its first word.

Now I want to calculate the frequency of the echo requests I am receiving using a separate script, so that if it reaches a certain threshold I can print an alert.

I tried to use grep -Eo '^[^ ]+' file to get the timestamps into an array, but I don't know what to do after getting them into an array. grep goes on in a while loop, since the file it is reading from keeps on getting populated infinitely. (I'll not have an option of monitoring the differences and printing an alert if grep goes on like that, right?)

All I am trying to do is to keep track of the frequency of ICMP echo requests that are coming in on my machine and print an alert message whenever that frequency crosses a threshold. Is there any alternative way?


2 Answers

All timestamps are saved in @arr

perl -ne '$f{$_}++ or push @arr, $_ for /(\d+:\d+)/ }{ print "$_ [$f{$_} times]\n" for @arr' file

Constantly reading from the log file:

perl -e 'open$T,pop;while(1){while(<$T>){ ++$f{$_}>10 and print "[$f{$_}]$_" for /(\d+:\d+)/ }sleep 1;seek $T,0,1}' file
  • I am able to get the timestamps into a file using grep, buddy. I am not able to figure out how to calculate the frequency of the requests. @mpapec – Kiran Vemuri Jul 08 '13 at 09:18
  • I am getting something like 9:15:11.035726 9:16:10.042612 9:16:18:231205 and so on. Now I want to find the frequency of these... I don't want to group them in any way. – Kiran Vemuri Jul 08 '13 at 12:11
  • This ends as soon as we reach the end of the file, right? But the file keeps getting uploaded dynamically. Can't we loop this or do something so that this stays alive? And can't we fire an alert (just a print statement) if the count reaches some threshold? Sorry for asking so much; this is as far as my Perl knowledge goes :| – Kiran Vemuri Jul 08 '13 at 22:24
  • I tried using that, but the prompt still waits for me to input something. – Kiran Vemuri Jul 10 '13 at 17:51
  • Thanks a lot! I'll try modifying your input according to my needs! @mpapec – Kiran Vemuri Jul 11 '13 at 18:27
  • Hey, one small question! Everything from this question aside, is there a way to calculate the frequency of ICMP requests received on a Linux machine, either using Perl or Ruby or any other utility? @mpapec – Kiran Vemuri Jul 15 '13 at 17:36
  • @KiranVemuri look at Linux `iptables` and setting rules for packet count – mpapec Jul 15 '13 at 20:09
  • Blocking them isn't my motive... I have a controller kind of thing that takes measurements and performs necessary actions, and I need a script that runs continuously and returns the frequency to the controller. – Kiran Vemuri Jul 15 '13 at 20:12
  • Besides blocking, you can accept ICMP packets explicitly and have the packet/byte counter as a side effect: http://stackoverflow.com/questions/17548383/iptable-check-hit-count-check-for-each-rule – mpapec Jul 15 '13 at 20:18
  • Yes! But I can get the total number of packets using the sequence number of the packet, right? Instead I want my output to be something like this: 15:23:00 25, where the first one is the time and the second one is the number of requests received at that point of time. Similar output to your Perl script, but can we do that without having to use a file? @mpapec – Kiran Vemuri Jul 15 '13 at 20:23
  • You want Snort or a Snort-like logger http://wiki.aanval.com/wiki/Snort_vs_Suricata – mpapec Jul 15 '13 at 20:30
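The same approach as the second one-liner (follow the growing file, parse the leading timestamp, count) written out in Python so the threshold logic is easier to adapt. This is an added example, not code from the thread or from mpapec. It assumes the file is produced by tcpdump's default output format (each line starts with a HH:MM:SS.ffffff time-of-day stamp), counts requests in a trailing one-second window rather than per minute, handles the clock wrapping at midnight, and also produces the "15:23:00 25" per-second summary asked for in the comments. The sample lines are constructed, not a real capture. Note that when tcpdump is piped into tee its stdout is block-buffered, so run it as tcpdump -l 'icmp[0] == 8' | tee abc.txt or the log will lag behind the traffic.

```python
"""Sliding-window rate alert over tcpdump's ICMP echo-request lines.

Added example for this thread (not mpapec's or the asker's code). It assumes
the log is produced by `tcpdump -l 'icmp[0] == 8' | tee abc.txt`, i.e. each
line starts with tcpdump's default time-of-day stamp, HH:MM:SS.ffffff.
"""
import re
import sys
import time
from collections import deque

# Leading HH:MM:SS[.frac] token; everything after the first space is ignored.
TS_RE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})(?:\.(\d+))?\s")

# Constructed sample lines (not a real capture): 12 requests within one
# second, then one request two seconds later.
SAMPLE_LINES = [
    "09:15:11.%06d IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1234, seq %d, length 64"
    % (35726 + 50000 * i, i + 1)
    for i in range(12)
] + ["09:15:13.002000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1234, seq 13, length 64"]


def parse_ts(line):
    """Return the line's timestamp as float seconds since midnight, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    h, mnt, s, frac = m.groups()
    secs = int(h) * 3600 + int(mnt) * 60 + int(s)
    if frac:
        secs += int(frac) / 10 ** len(frac)
    return secs


class RateMonitor:
    """Count requests in a trailing window of `window` seconds."""

    def __init__(self, window=1.0, threshold=10):
        self.window = window
        self.threshold = threshold
        self.times = deque()     # timestamps still inside the window
        self.day_offset = 0.0    # added once the time-of-day clock wraps
        self.last = None

    def observe(self, ts):
        """Record one request at time-of-day `ts`; return (count, alert)."""
        if self.last is not None and ts + self.day_offset < self.last:
            self.day_offset += 86400.0          # passed midnight
        t = ts + self.day_offset
        self.last = t
        self.times.append(t)
        while self.times[0] <= t - self.window:  # expire old entries
            self.times.popleft()
        count = len(self.times)
        return count, count > self.threshold


def scan(lines, window=1.0, threshold=10):
    """Yield (line_number, count) for every line that pushes the rate over threshold."""
    mon = RateMonitor(window, threshold)
    for n, line in enumerate(lines, 1):
        ts = parse_ts(line)
        if ts is None:
            continue                # tcpdump banner or a continuation line
        count, alert = mon.observe(ts)
        if alert:
            yield n, count


def per_second(lines):
    """Return {'HH:MM:SS': requests} in first-seen order ("15:23:00 25" style)."""
    counts = {}
    for line in lines:
        m = TS_RE.match(line)
        if m:
            key = "%02d:%s:%s" % (int(m.group(1)), m.group(2), m.group(3))
            counts[key] = counts.get(key, 0) + 1
    return counts


def follow(path, poll=1.0):
    """Yield lines appended to `path` forever, like `tail -f` (same idea as seek $T,0,1)."""
    with open(path) as fh:
        while True:
            pos = fh.tell()
            line = fh.readline()
            if line.endswith("\n"):
                yield line
            else:                   # EOF or a half-written line: rewind and retry
                fh.seek(pos)
                time.sleep(poll)


if __name__ == "__main__":
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    for n, count in scan(source, window=1.0, threshold=10):
        print("ALERT: line %d: %d echo requests in the last second" % (n, count))
```

Run it as python3 icmp_rate.py abc.txt to watch the live file, or with no argument to see it fire on the built-in sample (lines 11 and 12 exceed the threshold of 10 per second; the request two seconds later does not). The alert is raised on the line that crosses the threshold, so a controller reading this script's output gets one line per offending request rather than a burst summary; replace the print with whatever the controller expects.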

I am using

tcpstat -i eth1 -f 'icmp[0] == 8'

to get the request count. It gives me 3 more parameters, but I've got to research a bit about them!
