Thank You. This seems to work. I will have to get a book on perl next.

David

----- Original Message -----
From: Kevin Buettner
To:
Sent: Saturday, July 08, 2000 12:24 AM
Subject: Re: Port Probes Again

> On Jul 7, 10:58pm, David Demland wrote:
> > Subject: Re: Port Probes Again
> > Here is what the current log looks like:
> >
> > Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28629 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28630 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28631 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28632 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28633 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:05 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 24.8.65.123:7778 255.255.255.255:7777 L=64 S=0x00 I=63193 F=0x0000 T=128
> > (#34)
> > Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 169.254.172.44:2519 255.255.255.255:2519 L=54 S=0x00 I=45704 F=0x0000 T=128
> > (#34)
> > Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 10.10.10.10:3419 255.255.255.255:123 L=76 S=0x00 I=26896 F=0x0000 T=128
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28634 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28635 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28636 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28637 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28639 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28640 F=0x0000 T=63
> > (#34)
> > Jul 6 19:38:09 localhost kernel: Packet log: input DENY eth1 PROTO=17
> > 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28641 F=0x0000 T=63
> > (#34)
>
> Try the following script:
>
> --- ipaddrs ---
> #!/usr/bin/perl -w
> use strict;
>
> # Count of how many times each dotted-quad address appears in the input.
> my %ipaddrs;
>
> # Read every line from the files named on the command line (or stdin).
> while (<>) {
>     # Pick out every dotted-quad on the line, one match at a time.
>     while (/(\b\d+\.\d+\.\d+\.\d+\b)/g) {
>         my $addr = $1;
>         # Skip the broadcast destination (255.255.255.255) so only sources are counted.
>         next if $addr =~ /^255\./;
>         $ipaddrs{$addr}++;
>     }
> }
>
> # Print the addresses, most frequent first.
> foreach my $addr (sort {$ipaddrs{$b} <=> $ipaddrs{$a}} keys %ipaddrs) {
>     print "$addr: $ipaddrs{$addr}\n";
> }
> --- end ipaddrs ---
>
> It'll sort the addresses by the number of times that they occur in the
> input stream. E.g., when I run it on your example data above, I get
> the following output:
>
> ocotillo:ptests$ ./ipaddrs ipaddrs.data
> 200.1.28.20: 12
> 24.8.65.123: 1
> 10.10.10.10: 1
> 169.254.172.44: 1
>
> It is possible (easy, even) to enhance this script so that it does
> lots of other things, like keeping track of the port numbers that a
> given IP address is attempting to probe and summarizing this data as
> well.
>
> Kevin
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
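The extension Kevin describes (tracking which ports each source hits, not only how often it appears), as an added example that is not his script or anything posted in the thread. It is written in Python rather than Perl; the regex, the protocol-name table and the sample log lines are this example's own constructions, in the ipchains format David posted.

```python
import re
import sys
import fileinput
from collections import defaultdict

# Matches the ipchains kernel "Packet log" format quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # assumed mapping for the PROTO= field


def parse_line(line):
    """Fields of one packet-log entry as a dict (numeric fields as int), or None for any other syslog line."""
    m = LOG_RE.search(line)
    return None if m is None else {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}


def summarize(lines):
    """Per source IP: number of DENY hits and the distinct (protocol, destination port) pairs it touched."""
    stats = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue  # unrelated syslog line, or traffic the firewall allowed
        proto = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        stats[rec["src"]]["hits"] += 1
        stats[rec["src"]]["ports"].add((proto, rec["dport"]))
    return dict(stats)


def report(stats):
    """One line per source, busiest first (ties by address), like the Perl output but with the ports hit."""
    lines = []
    for src in sorted(stats, key=lambda s: (-stats[s]["hits"], s)):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(stats[src]["ports"]))
        lines.append(f"{src}: {stats[src]['hits']} ({ports})")
    return "\n".join(lines)


# Constructed sample input in the format David posted, one entry per line (plus two lines that must be ignored).
SAMPLE = """\
Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=46 S=0x00 I=28629 F=0x0000 T=63 (#34)
Jul 6 19:38:04 localhost kernel: Packet log: input DENY eth1 PROTO=17 200.1.28.20:1024 255.255.255.255:6612 L=56 S=0x00 I=28630 F=0x0000 T=63 (#34)
Jul 6 19:38:05 localhost kernel: Packet log: input DENY eth1 PROTO=17 24.8.65.123:7778 255.255.255.255:7777 L=64 S=0x00 I=63193 F=0x0000 T=128 (#34)
Jul 6 19:38:06 localhost kernel: Packet log: input DENY eth1 PROTO=17 10.10.10.10:3419 255.255.255.255:123 L=76 S=0x00 I=26896 F=0x0000 T=128 (#34)
Jul 6 19:38:07 localhost kernel: Packet log: input ACCEPT eth1 PROTO=6 10.10.10.10:40000 192.0.2.1:22 L=60 S=0x00 I=1 F=0x4000 T=64 (#12)
Jul 6 19:38:08 localhost sshd[123]: constructed unrelated syslog line, ignored
"""

if __name__ == "__main__":
    # With file arguments (or "-" for stdin) it behaves like Kevin's script; with none it runs on SAMPLE.
    print(report(summarize(fileinput.input() if sys.argv[1:] else SAMPLE.splitlines())))
```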