The pm21line.pl (PM-to-one-line) Perl script combines all of the protocol header lines that packet_monitor displays for a packet into one line. This makes for some very long lines, but it also makes it easy to use "display -match", grep, or match.pl to display only specific packets. It also makes it easy to compare packets, since all the fields line up. Eliminating the non-header lines makes the traces smaller, for faster transfer. You can even load the traces into a spreadsheet for more extensive filtering and processing.
This script can be run on VOS, assuming that the gnu_library is installed. Since it requires redirection of standard input, it has to be run from the bash shell. It can also be run on an ftLinux platform, or under Windows provided that a Perl environment is installed.
Usage
perl pm21line.pl < packet_monitor_file > output_file
Examples
ARP packets
C:\>type pm.arp.out
dir icmp type tcp hh:mm:ss.ttt dir len proto source destination src port dst port type
14:52:05.803 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:04:96:19:0b:20 Type 0806 (ARP)
ARP Req Target 164.152.77.207 Src 164.152.76.1 [00:04:96:19:0b:20]
14:52:05.815 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:04:96:19:0b:20 Type 0806 (ARP)
ARP Req Target 164.152.76.146 Src 164.152.76.1 [00:04:96:19:0b:20]
14:52:05.815 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:04:96:19:0b:20 Type 0806 (ARP)
ARP Req Target 164.152.77.161 Src 164.152.76.1 [00:04:96:19:0b:20]
14:52:30.327 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:00:a8:41:52:22 Type 0806 (ARP)
ARP Req Target 172.16.1.34 Src 172.16.1.116 [00:00:a8:41:52:22]
14:52:30.327 Xmit Ether Dst 00:00:a8:41:52:22 Src 00:00:a8:42:3b:6e Type 0806 (ARP)
ARP Rep Target 172.16.1.116 [00:00:a8:41:52:22] Src 172.16.1.34 [00:00:a8:42:3b:6e]
14:52:31.209 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:90:27:c7:93:06 Type 0806 (ARP)
ARP Req Target 164.152.77.163 Src 164.152.77.248 [00:90:27:c7:93:06]

C:\>perl pm21line.pl < pm.arp.out > pm.arp.txt

C:\>type pm.arp.txt
14:52:05.803 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:04:96:19:0b:20 Type 0806 (ARP) ARP Req Target 164.152.77.207 Src 164.152.76.1 [00:04:96:19:0b:20]
14:52:05.815 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:04:96:19:0b:20 Type 0806 (ARP) ARP Req Target 164.152.76.146 Src 164.152.76.1 [00:04:96:19:0b:20]
14:52:05.815 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:04:96:19:0b:20 Type 0806 (ARP) ARP Req Target 164.152.77.161 Src 164.152.76.1 [00:04:96:19:0b:20]
14:52:30.327 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:00:a8:41:52:22 Type 0806 (ARP) ARP Req Target 172.16.1.34 Src 172.16.1.116 [00:00:a8:41:52:22]
14:52:30.327 Xmit Ether Dst 00:00:a8:41:52:22 Src 00:00:a8:42:3b:6e Type 0806 (ARP) ARP Rep Target 172.16.1.116 [00:00:a8:41:52:22] Src 172.16.1.34 [00:00:a8:42:3b:6e]
14:52:31.209 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:90:27:c7:93:06 Type 0806 (ARP) ARP Req Target 164.152.77.163 Src 164.152.77.248 [00:90:27:c7:93:06]
ICMP packets
Note that any line that is not a header line is just ignored.
C:\>type pm.icmp.out
Noah_Davids.CAC logged in on %phx_vos#m15 at 08-09-05 14:51:27 mst.
%phx_vos#m15_mas>system>stcp>command_library>packet_monitor -numeric -time_stamp -verbose -pkt_hdr -hex_header -filter -protocol icmp
***********************************************************
WARNING: failure to specify a specific interface will cause packet_monitor to bind to ALL interfaces on the module, greatly increasing the amount of Streams memory used!!!
***********************************************************
dir icmp type tcp hh:mm:ss.ttt dir len proto source destination src port ds t port type
14:51:28.708 Xmit Ether Dst 00:c0:8c:64:56:ec Src 00:00:a8:40:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 5c 5e 5b 0 0 3c 1 a 1c a 14 1 1 E \^[ <<<<<<<<
10 a 14 1 2 <<<<
IP Ver/HL 45, ToS 0, Len 5c, ID 5e5b, Flg/Frg 0, TTL 3c, Prtl 1
Cksum 0a1c, Src 0a140101, Dst 0a140102
ICMP from 10.20.1.1 to 10.20.1.2 echo
14:51:28.710 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:c0:8c:64:56:ec Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 5c fe 0 0 0 40 1 66 76 a 14 1 2 E \~ @<fv<<<<
10 a 14 1 1 <<<<
IP Ver/HL 45, ToS 0, Len 5c, ID fe00, Flg/Frg 0, TTL 40, Prtl 1
Cksum 6676, Src 0a140102, Dst 0a140101
ICMP from 10.20.1.2 to 10.20.1.1 echo rep
14:51:28.710 Xmit Ether Dst 00:c0:8c:64:e6:8c Src 00:00:a8:40:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 5c 5e 5c 0 0 3c 1 a 8 a 14 1 1 E \^\ <<<<<<<<
10 a 14 1 15 <<<<
IP Ver/HL 45, ToS 0, Len 5c, ID 5e5c, Flg/Frg 0, TTL 3c, Prtl 1
Cksum 0a08, Src 0a140101, Dst 0a140115
ICMP from 10.20.1.1 to 10.20.1.21 echo
14:51:28.711 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:c0:8c:64:e6:8c Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 5c fd 6f 0 0 40 1 66 f4 a 14 1 15 E \}o @<ft<<<<
10 a 14 1 1 <<<<
IP Ver/HL 45, ToS 0, Len 5c, ID fd6f, Flg/Frg 0, TTL 40, Prtl 1
Cksum 66f4, Src 0a140115, Dst 0a140101
ICMP from 10.20.1.21 to 10.20.1.1 echo rep
14:51:28.712 Xmit Ether Dst 00:c0:8c:d8:d1:2d Src 00:00:a8:40:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 5c 5e 5d 0 0 3c 1 a 19 a 14 1 1 E \^] <<<<<<<<
10 a 14 1 3 <<<<
IP Ver/HL 45, ToS 0, Len 5c, ID 5e5d, Flg/Frg 0, TTL 3c, Prtl 1
Cksum 0a19, Src 0a140101, Dst 0a140103
ICMP from 10.20.1.1 to 10.20.1.3 echo
14:51:28.712 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:c0:8c:d8:d1:2d Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 5c 9b 17 0 0 40 1 c9 5e a 14 1 3 E \>< @<I^<<<<
10 a 14 1 1 <<<<
IP Ver/HL 45, ToS 0, Len 5c, ID 9b17, Flg/Frg 0, TTL 40, Prtl 1
Cksum c95e, Src 0a140103, Dst 0a140101
ICMP from 10.20.1.3 to 10.20.1.1 echo rep
14:51:29.028 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:0c:6e:3f:ab:45 Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 3c d9 76 0 0 80 1 7d c5 a4 98 4d 32 E <Yv ><}E$>M2
10 a4 98 4d 22 $>M"
IP Ver/HL 45, ToS 0, Len 3c, ID d976, Flg/Frg 0, TTL 80, Prtl 1
Cksum 7dc5, Src a4984d32, Dst a4984d22
ICMP from 164.152.77.50 to 164.152.77.34 echo
14:51:29.028 Xmit Ether Dst 00:0c:6e:3f:ab:45 Src 00:00:a8:41:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 3c 5e 5e 0 0 3c 1 3c de a4 98 4d 22 E <^^ <<<^$>M"
10 a4 98 4d 32 $>M2
IP Ver/HL 45, ToS 0, Len 3c, ID 5e5e, Flg/Frg 0, TTL 3c, Prtl 1
Cksum 3cde, Src a4984d22, Dst a4984d32
ICMP from 164.152.77.34 to 164.152.77.50 echo rep

C:\>perl pm21line.pl < pm.icmp.out > pm.icmp.txt

C:\>type pm.icmp.txt
14:51:28.708 Xmit Ether Dst 00:c0:8c:64:56:ec Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID 5e5b, Flg/Frg 0, TTL 3c, Prtl 1 ICMP from 10.20.1.1 to 10.20.1.2 echo
14:51:28.710 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:c0:8c:64:56:ec Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID fe00, Flg/Frg 0, TTL 40, Prtl 1 ICMP from 10.20.1.2 to 10.20.1.1 echo rep
14:51:28.710 Xmit Ether Dst 00:c0:8c:64:e6:8c Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID 5e5c, Flg/Frg 0, TTL 3c, Prtl 1 ICMP from 10.20.1.1 to 10.20.1.21 echo
14:51:28.711 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:c0:8c:64:e6:8c Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID fd6f, Flg/Frg 0, TTL 40, Prtl 1 ICMP from 10.20.1.21 to 10.20.1.1 echo rep
14:51:28.712 Xmit Ether Dst 00:c0:8c:d8:d1:2d Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID 5e5d, Flg/Frg 0, TTL 3c, Prtl 1 ICMP from 10.20.1.1 to 10.20.1.3 echo
14:51:28.712 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:c0:8c:d8:d1:2d Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID 9b17, Flg/Frg 0, TTL 40, Prtl 1 ICMP from 10.20.1.3 to 10.20.1.1 echo rep
14:51:29.028 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:0c:6e:3f:ab:45 Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 3c, ID d976, Flg/Frg 0, TTL 80, Prtl 1 ICMP from 164.152.77.50 to 164.152.77.34 echo
14:51:29.028 Xmit Ether Dst 00:0c:6e:3f:ab:45 Src 00:00:a8:41:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 3c, ID 5e5e, Flg/Frg 0, TTL 3c, Prtl 1 ICMP from 164.152.77.34 to 164.152.77.50 echo rep
UDP packets
C:\>type pm.udp.out
Noah_Davids.CAC logged in on %phx_vos#m15 at 08-09-05 14:50:39 mst.
%phx_vos#m15_mas>system>stcp>command_library>packet_monitor -numeric -time_stamp -verbose -pkt_hdr -hex_header -filter -protocol udp
***********************************************************
WARNING: failure to specify a specific interface will cause packet_monitor to bind to ALL interfaces on the module, greatly increasing the amount of Streams memory used!!!
***********************************************************
dir icmp type tcp hh:mm:ss.ttt dir len proto source destination src port ds t port type
14:50:40.232 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:0c:6e:c6:0e:de Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4e 1a 55 0 0 80 11 3c de a4 98 4c 3c E N<U >><^$>L<
10 a4 98 4d ff $>M>
IP Ver/HL 45, ToS 0, Len 4e, ID 1a55, Flg/Frg 0, TTL 80, Prtl 11
Cksum 3cde, Src a4984c3c, Dst a4984dff
UDP from 164.152.76.60.137 to 164.152.77.255.137 Cksum 4282, 58 data bytes.
14:50:40.629 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:d0:b7:9e:d0:2f Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4e 57 5 0 0 80 11 fe 6c a4 98 4d fd E NW< ><~l$>M}
10 a4 98 4d ff $>M>
IP Ver/HL 45, ToS 0, Len 4e, ID 5705, Flg/Frg 0, TTL 80, Prtl 11
Cksum fe6c, Src a4984dfd, Dst a4984dff
UDP from 164.152.77.253.137 to 164.152.77.255.137 Cksum 121f, 58 data bytes.
14:50:40.644 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 53 df 3e 0 0 3c 11 89 15 a 14 1 1 E S_> <<><<<<<
10 a 14 1 1e <<<<
IP Ver/HL 45, ToS 0, Len 53, ID df3e, Flg/Frg 0, TTL 3c, Prtl 11
Cksum 8915, Src 0a140101, Dst 0a14011e
UDP from 10.20.1.1.49668 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
14:50:40.680 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:80:50:04:1c:27 Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 54 0 0 40 0 40 11 24 56 a 14 1 1b E T @ @<$V<<<<
10 a 14 1 1 <<<<
IP Ver/HL 45, ToS 0, Len 54, ID 0, Flg/Frg 4000, TTL 40, Prtl 11
Cksum 2456, Src 0a14011b, Dst 0a140101
UDP from 10.20.1.27.161 to 10.20.1.1.49668 Cksum 4a30, 64 data bytes.
14:50:40.980 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:0c:6e:c6:0e:de Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4e 1a 6c 0 0 80 11 3c c7 a4 98 4c 3c E N<l ><<G$>L<
10 a4 98 4d ff $>M>
IP Ver/HL 45, ToS 0, Len 4e, ID 1a6c, Flg/Frg 0, TTL 80, Prtl 11
Cksum 3cc7, Src a4984c3c, Dst a4984dff
UDP from 164.152.76.60.137 to 164.152.77.255.137 Cksum 4282, 58 data bytes.
14:50:41.379 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:d0:b7:9e:d0:2f Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4e 57 6 0 0 80 11 fe 6b a4 98 4d fd E NW< ><~k$>M}
10 a4 98 4d ff $>M>
IP Ver/HL 45, ToS 0, Len 4e, ID 5706, Flg/Frg 0, TTL 80, Prtl 11
Cksum fe6b, Src a4984dfd, Dst a4984dff
UDP from 164.152.77.253.137 to 164.152.77.255.137 Cksum 121f, 58 data bytes.
14:50:41.685 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 53 df 3f 0 0 3c 11 89 14 a 14 1 1 E S_? <<><<<<<
10 a 14 1 1e <<<<
IP Ver/HL 45, ToS 0, Len 53, ID df3f, Flg/Frg 0, TTL 3c, Prtl 11
Cksum 8914, Src 0a140101, Dst 0a14011e
UDP from 10.20.1.1.49669 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
14:50:41.722 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:80:50:04:1c:27 Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 54 0 0 40 0 40 11 24 56 a 14 1 1b E T @ @<$V<<<<
10 a 14 1 1 <<<<
IP Ver/HL 45, ToS 0, Len 54, ID 0, Flg/Frg 4000, TTL 40, Prtl 11
Cksum 2456, Src 0a14011b, Dst 0a140101
UDP from 10.20.1.27.161 to 10.20.1.1.49669 Cksum 4a2e, 64 data bytes.
14:50:42.130 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:d0:b7:9e:d0:2f Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4e 57 7 0 0 80 11 fe 6a a4 98 4d fd E NW< ><~j$>M}
10 a4 98 4d ff $>M>
IP Ver/HL 45, ToS 0, Len 4e, ID 5707, Flg/Frg 0, TTL 80, Prtl 11
Cksum fe6a, Src a4984dfd, Dst a4984dff
UDP from 164.152.77.253.137 to 164.152.77.255.137 Cksum 121f, 58 data bytes.
14:50:42.189 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:16:97:c4:01:ab Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 7e 48 39 0 0 80 11 96 ea ac 10 1 2c E ~H9 ><>j,<<,
10 ac 10 1 ff ,<<>
IP Ver/HL 45, ToS 0, Len 7e, ID 4839, Flg/Frg 0, TTL 80, Prtl 11
Cksum 96ea, Src ac10012c, Dst ac1001ff
UDP from 172.16.1.44.1026 to 172.16.1.255.1100 Cksum 68c5, 106 data bytes.
14:50:42.726 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 53 df 40 0 0 3c 11 89 13 a 14 1 1 E S_@ <<><<<<<
10 a 14 1 1e <<<<
IP Ver/HL 45, ToS 0, Len 53, ID df40, Flg/Frg 0, TTL 3c, Prtl 11
Cksum 8913, Src 0a140101, Dst 0a14011e
UDP from 10.20.1.1.49670 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
ready 14:50:56
Process finished. Terminating Noah_Davids.CAC (pm).
Process stopped by Noah_Davids.CAC.

C:\>perl pm21line.pl < pm.udp.out > pm.udp.txt

C:\>type pm.udp.txt
14:50:40.232 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:0c:6e:c6:0e:de Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4e, ID 1a55, Flg/Frg 0, TTL 80, Prtl 11 UDP from 164.152.76.60.137 to 164.152.77.255.137 Cksum 4282, 58 data bytes.
14:50:40.629 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:d0:b7:9e:d0:2f Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4e, ID 5705, Flg/Frg 0, TTL 80, Prtl 11 UDP from 164.152.77.253.137 to 164.152.77.255.137 Cksum 121f, 58 data bytes.
14:50:40.644 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 53, ID df3e, Flg/Frg 0, TTL 3c, Prtl 11 UDP from 10.20.1.1.49668 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
14:50:40.680 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:80:50:04:1c:27 Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 54, ID 0, Flg/Frg 4000, TTL 40, Prtl 11 UDP from 10.20.1.27.161 to 10.20.1.1.49668 Cksum 4a30, 64 data bytes.
14:50:40.980 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:0c:6e:c6:0e:de Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4e, ID 1a6c, Flg/Frg 0, TTL 80, Prtl 11 UDP from 164.152.76.60.137 to 164.152.77.255.137 Cksum 4282, 58 data bytes.
14:50:41.379 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:d0:b7:9e:d0:2f Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4e, ID 5706, Flg/Frg 0, TTL 80, Prtl 11 UDP from 164.152.77.253.137 to 164.152.77.255.137 Cksum 121f, 58 data bytes.
14:50:41.685 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 53, ID df3f, Flg/Frg 0, TTL 3c, Prtl 11 UDP from 10.20.1.1.49669 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
14:50:41.722 Rcvd Ether Dst 00:00:a8:40:3b:6e Src 00:80:50:04:1c:27 Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 54, ID 0, Flg/Frg 4000, TTL 40, Prtl 11 UDP from 10.20.1.27.161 to 10.20.1.1.49669 Cksum 4a2e, 64 data bytes.
14:50:42.130 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:d0:b7:9e:d0:2f Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4e, ID 5707, Flg/Frg 0, TTL 80, Prtl 11 UDP from 164.152.77.253.137 to 164.152.77.255.137 Cksum 121f, 58 data bytes.
14:50:42.189 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:16:97:c4:01:ab Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 7e, ID 4839, Flg/Frg 0, TTL 80, Prtl 11 UDP from 172.16.1.44.1026 to 172.16.1.255.1100 Cksum 68c5, 106 data bytes.
14:50:42.726 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 53, ID df40, Flg/Frg 0, TTL 3c, Prtl 11 UDP from 10.20.1.1.49670 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
TCP packets
C:\>type pm.tcp.out
Noah_Davids.CAC logged in on %phx_vos#m15 at 08-09-05 16:17:27 mst.
%phx_vos#m15_mas>system>stcp>command_library>packet_monitor -numeric -time_stamp -verbose -pkt_hdr -hex_header -hex_dump -length 1500 -filter -protocol tcp
***********************************************************
WARNING: failure to specify a specific interface will cause packet_monitor to bind to ALL interfaces on the module, greatly increasing the amount of Streams memory used!!!
***********************************************************
dir icmp type tcp hh:mm:ss.ttt dir len proto source destination src port ds t port type
16:17:28.372 Xmit Ether Dst 00:00:a8:c0:86:a1 Src 00:00:a8:41:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4a a9 64 0 0 3c 6 f1 2b a4 98 4d 22 E J)d <<q+$>M"
10 a4 98 4d cb $>MK
IP Ver/HL 45, ToS 0, Len 4a, ID a964, Flg/Frg 0, TTL 3c, Prtl 6
Cksum f12b, Src a4984d22, Dst a4984dcb
TCP from 164.152.77.34.49170 to 164.152.77.203.3000
seq 125847069, ack 68071061, window 32768, 34 data bytes, flags Push Ack .
X/Off 05, Flags 18, Cksum 3231, Urg-> 0000
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 55 e 55 f 3a 3b ff fe 0 0 0 0 0 0 0 0 U<U<:;>~
10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2e e9 .i
20 3a e :<
16:17:28.378 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:00:a8:c0:86:a1 Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4a 13 a7 0 0 3c 6 86 e9 a4 98 4d cb E J<' <<>i$>MK
10 a4 98 4d 22 $>M"
IP Ver/HL 45, ToS 0, Len 4a, ID 13a7, Flg/Frg 0, TTL 3c, Prtl 6
Cksum 86e9, Src a4984dcb, Dst a4984d22
TCP from 164.152.77.203.3000 to 164.152.77.34.49170
seq 68071061, ack 125847103, window 32768, 34 data bytes, flags Push Ack .
X/Off 05, Flags 18, Cksum 320f, Urg-> 0000
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 55 f 55 e 3a 3b ff fe 0 0 0 0 0 0 0 0 U<U<:;>~
10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2e e9 .i
20 3a e :<
16:17:28.570 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:00:a8:c0:86:a1 Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 28 13 a8 0 0 3c 6 87 a a4 98 4d cb E (<( <<><$>MK
10 a4 98 4d 22 $>M"
IP Ver/HL 45, ToS 0, Len 28, ID 13a8, Flg/Frg 0, TTL 3c, Prtl 6
Cksum 870a, Src a4984dcb, Dst a4984d22
TCP from 164.152.77.203.3000 to 164.152.77.34.49170
seq 68071095, ack 125847103, window 32768, 0 data bytes, flags Ack.
X/Off 05, Flags 10, Cksum 7f66, Urg-> 0000
No tcp data.
16:17:28.600 Xmit Ether Dst 00:00:a8:c0:86:a1 Src 00:00:a8:41:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 28 a9 65 0 0 3c 6 f1 4c a4 98 4d 22 E ()e <<qL$>M"
10 a4 98 4d cb $>MK
IP Ver/HL 45, ToS 0, Len 28, ID a965, Flg/Frg 0, TTL 3c, Prtl 6
Cksum f14c, Src a4984d22, Dst a4984dcb
TCP from 164.152.77.34.49170 to 164.152.77.203.3000
seq 125847103, ack 68071095, window 32768, 0 data bytes, flags Ack.
X/Off 05, Flags 10, Cksum 7f66, Urg-> 0000
No tcp data.
16:17:29.120 Xmit Ether Dst 00:00:a8:80:80:4a Src 00:00:a8:41:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4a a9 66 0 0 3c 6 f1 e9 a4 98 4d 22 E J)f <<qi$>M"
10 a4 98 4d b $>M<
IP Ver/HL 45, ToS 0, Len 4a, ID a966, Flg/Frg 0, TTL 3c, Prtl 6
Cksum f1e9, Src a4984d22, Dst a4984d0b
TCP from 164.152.77.34.49177 to 164.152.77.11.3002
seq 132742361, ack 858875097, window 32768, 34 data bytes, flags Push Ack .
X/Off 05, Flags 18, Cksum 2dff, Urg-> 0000
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 55 d 55 f ae af ff fe 0 0 0 0 0 0 0 0 U<U<./>~
10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2e d3 .S
20 ae d .<
16:17:29.121 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:00:a8:80:80:4a Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 4a 58 68 0 0 40 6 3e e8 a4 98 4d b E JXh @<>h$>M<
10 a4 98 4d 22 $>M"
IP Ver/HL 45, ToS 0, Len 4a, ID 5868, Flg/Frg 0, TTL 40, Prtl 6
Cksum 3ee8, Src a4984d0b, Dst a4984d22
TCP from 164.152.77.11.3002 to 164.152.77.34.49177
seq 858875097, ack 132742395, window 11468, 34 data bytes, flags Push Ack .
X/Off 05, Flags 18, Cksum 8111, Urg-> 0000
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 55 f 55 d ae af ff fe 0 0 0 0 0 0 0 0 U<U<./>~
10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2e d3 .S
20 ae d .<
16:17:29.347 Xmit Ether Dst 00:00:a8:80:80:4a Src 00:00:a8:41:3b:6e Type 0800 (IP)
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 45 0 0 28 a9 67 0 0 3c 6 f2 a a4 98 4d 22 E ()g <<r<$>M"
10 a4 98 4d b $>M<
IP Ver/HL 45, ToS 0, Len 28, ID a967, Flg/Frg 0, TTL 3c, Prtl 6
Cksum f20a, Src a4984d22, Dst a4984d0b
TCP from 164.152.77.34.49177 to 164.152.77.11.3002
seq 132742395, ack 858875131, window 32768, 0 data bytes, flags Ack.
X/Off 05, Flags 10, Cksum 6391, Urg-> 0000
No tcp data.

C:\>perl pm21line.pl < pm.tcp.out > pm.tcp.txt

C:\>type pm.tcp.txt
16:17:28.372 Xmit Ether Dst 00:00:a8:c0:86:a1 Src 00:00:a8:41:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4a, ID a964, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.34.49170 to 164.152.77.203.3000 seq 125847069, ack 68071061, window 32768, 34 data bytes, flags Push Ack.
16:17:28.378 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:00:a8:c0:86:a1 Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4a, ID 13a7, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.203.3000 to 164.152.77.34.49170 seq 68071061, ack 125847103, window 32768, 34 data bytes, flags Push Ack.
16:17:28.570 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:00:a8:c0:86:a1 Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 28, ID 13a8, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.203.3000 to 164.152.77.34.49170 seq 68071095, ack 125847103, window 32768, 0 data bytes, flags Ack.
16:17:28.600 Xmit Ether Dst 00:00:a8:c0:86:a1 Src 00:00:a8:41:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 28, ID a965, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.34.49170 to 164.152.77.203.3000 seq 125847103, ack 68071095, window 32768, 0 data bytes, flags Ack.
16:17:29.120 Xmit Ether Dst 00:00:a8:80:80:4a Src 00:00:a8:41:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4a, ID a966, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.34.49177 to 164.152.77.11.3002 seq 132742361, ack 858875097, window 32768, 34 data bytes, flags Push Ack.
16:17:29.121 Rcvd Ether Dst 00:00:a8:41:3b:6e Src 00:00:a8:80:80:4a Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4a, ID 5868, Flg/Frg 0, TTL 40, Prtl 6 TCP from 164.152.77.11.3002 to 164.152.77.34.49177 seq 858875097, ack 132742395, window 11468, 34 data bytes, flags Push Ack.
16:17:29.347 Xmit Ether Dst 00:00:a8:80:80:4a Src 00:00:a8:41:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 28, ID a967, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.34.49177 to 164.152.77.11.3002 seq 132742395, ack 858875131, window 32768, 0 data bytes, flags Ack.
# pm21line.pl begins here
#
# pm21line.pl
# version 1.0
# version 1.1 08-09-04 Added the match for /^\+.*Prtl / to capture the final part
#             of the IP header if it wraps around to a new line. Note this
#             will only happen if the input was originally captured from a
#             terminal session or a capture file was displayed to a terminal.
# version 1.2 10-11-26 Added disclaimer
# Noah.Davids@stratus.com
#
# The latest version of this script and documentation can be found at
# http://noahdavids.org/self_published/pm21line.html
#
#
# tested with the following combinations of (format control) packet_monitor
# arguments. The filter controls shouldn't have any effect.
#    -numeric -time_stamp -verbose -pkt_hdr -hex_header
#    -numeric -time_stamp -verbose -pkt_hdr
#    -numeric -time_stamp -verbose
#    -verbose
#    -verbose -pkt_hdr
#
# This software is provided on an "AS IS" basis, WITHOUT ANY WARRANTY OR ANY
# SUPPORT OF ANY KIND. The AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES
# OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. This disclaimer
# applies, despite any verbal representations of any kind provided by the
# author or anyone else.
#
use strict;
use warnings;

my $oneLine = "";

while ($_ = <STDIN>)
{
    # The first header line of a packet starts a new output line.
    # substr($_, 0, -1) drops the trailing newline.
    if (/Rcvd Ether/) {$oneLine = substr($_, 0, -1);}
    if (/Xmit Ether/) {$oneLine = substr($_, 0, -1);}
    if (/Rcvd IP/) {$oneLine = substr($_, 0, -1);}
    if (/Xmit IP/) {$oneLine = substr($_, 0, -1);}

    # Wrapped tail of the IP header line: skip the leading "+" and append.
    if (/^\+.*Prtl /) {$oneLine = $oneLine . substr($_, 1, -1);}

    # ARP without an Ether header line is already a complete one-line record.
    if (/Rcvd ARP/ || /Xmit ARP/)
    {
        print $_;
        $oneLine = "start over";
    }

    if (/^IP Ver/) {$oneLine = $oneLine . " " . substr($_, 0, -1);}

    # The TCP header spans two lines: "TCP from ... to ..." and "seq ..., flags ...".
    if (/^TCP/)
    {
        $oneLine = $oneLine . " " . substr($_, 0, -1);
        $_ = <STDIN>;
        $_ = "\n" unless defined $_;    # trace ended right after the TCP line
        $oneLine = $oneLine . " " . $_;
        print $oneLine;
        $oneLine = "start over";
    }

    # UDP, ICMP and ARP are the last header line of their packet: print the record.
    if (/^UDP/ || /^ICMP/ || /^ARP/)
    {
        $oneLine = $oneLine . " " . $_;
        print $oneLine;
        $oneLine = "start over";
    }
}
#
# pm21line.pl ends here
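For the spreadsheet use mentioned at the top of this page, the following is an added example, not part of pm21line.pl and not written by its author: it splits the one-line records into CSV columns. The script name pm1line2csv.pl and the column names are assumptions; it expects records that start with an Ether header line (traces taken with -pkt_hdr), and the lines after __DATA__ are copied from the example output above so that it also runs with no input.

```perl
#!/usr/bin/perl
# pm1line2csv.pl (hypothetical name): added example, not part of pm21line.pl.
# Converts the one-line records written by pm21line.pl into CSV.
use strict;
use warnings;

# Column names are this example's own choice, not packet_monitor's.
my @COLS = qw(time dir eth_src eth_dst proto src sport dst dport ip_len ttl info);
my $MAC  = qr/[0-9a-f]{2}(?::[0-9a-f]{2}){5}/i;
my $IP   = qr/\d{1,3}(?:\.\d{1,3}){3}/;

# Parse one combined record. Returns a hash ref, or undef when the line is not
# an "hh:mm:ss.ttt Rcvd|Xmit Ether ..." record (banner, warning, blank line).
sub parse_record {
    my ($line) = @_;
    $line =~ s/\s+\z//;                       # drop newline, CR and padding
    my %r = map { $_ => '' } @COLS;
    @r{qw(time dir eth_dst eth_src)} = $line =~
        /^\s*(\d\d:\d\d:\d\d\.\d{3})\s+(Rcvd|Xmit)\s+Ether\s+Dst\s+($MAC)\s+Src\s+($MAC)/
        or return;

    # IP header values are printed in hex (Len 5c = 92 bytes, TTL 3c = 60).
    if ($line =~ /\bIP\s+Ver\/HL\s.*?\bLen\s+([0-9a-f]+),.*?\bTTL\s+([0-9a-f]+),/i) {
        @r{qw(ip_len ttl)} = (hex($1), hex($2));
    }
    # TCP and UDP print the port as a fifth dotted field: 10.20.1.1.49668
    if ($line =~ /\b(TCP|UDP)\s+from\s+($IP)\.(\d+)\s+to\s+($IP)\.(\d+)\s+(.*)$/) {
        @r{qw(proto src sport dst dport info)} = ($1, $2, $3, $4, $5, $6);
    }
    elsif ($line =~ /\bICMP\s+from\s+($IP)\s+to\s+($IP)\s+(.*)$/) {
        @r{qw(proto src dst info)} = ('ICMP', $1, $2, $3);
    }
    # ARP replies carry a [MAC] after the target address, requests do not.
    elsif ($line =~ /\bARP\s+(Req|Rep)\s+Target\s+($IP)(?:\s+\[$MAC\])?\s+Src\s+($IP)/) {
        @r{qw(proto info dst src)} = ('ARP', $1, $2, $3);
    }
    return \%r;
}

# Quote a field only when it needs it, doubling any embedded quotes.
sub csv_row {
    my @out = map {
        my $f = $_;
        $f =~ s/"/""/g;
        $f =~ /[",\s]/ ? qq("$f") : $f;
    } @_;
    return join(',', @out) . "\n";
}

# Read piped or redirected input; fall back to the embedded sample on a terminal.
my $in = -t STDIN ? \*DATA : \*STDIN;
print csv_row(@COLS);
while (my $line = <$in>) {
    my $r = parse_record($line) or next;
    print csv_row(@{$r}{@COLS});
}

__DATA__
14:52:30.327 Xmit Ether Dst 00:00:a8:41:52:22 Src 00:00:a8:42:3b:6e Type 0806 (ARP) ARP Rep Target 172.16.1.116 [00:00:a8:41:52:22] Src 172.16.1.34 [00:00:a8:42:3b:6e]
14:51:28.708 Xmit Ether Dst 00:c0:8c:64:56:ec Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 5c, ID 5e5b, Flg/Frg 0, TTL 3c, Prtl 1 ICMP from 10.20.1.1 to 10.20.1.2 echo
14:50:40.644 Xmit Ether Dst 00:80:50:04:1c:27 Src 00:00:a8:40:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 53, ID df3e, Flg/Frg 0, TTL 3c, Prtl 11 UDP from 10.20.1.1.49668 to 10.20.1.30.161 Cksum 0000, 63 data bytes.
16:17:28.372 Xmit Ether Dst 00:00:a8:c0:86:a1 Src 00:00:a8:41:3b:6e Type 0800 (IP) IP Ver/HL 45, ToS 0, Len 4a, ID a964, Flg/Frg 0, TTL 3c, Prtl 6 TCP from 164.152.77.34.49170 to 164.152.77.203.3000 seq 125847069, ack 68071061, window 32768, 34 data bytes, flags Push Ack.
```

To convert a real trace, redirect the pm21line.pl output into it, for example perl pm1line2csv.pl < pm.tcp.txt > pm.tcp.csv. Records without an Ether header line (traces taken without -pkt_hdr) are skipped.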