0
votes

Basically I am looking to do exactly what tshark does using

tshark -r mysample.pcapng.gz -2 -Tfields -R ip -eip.src -eip.dst -eframe.protocols

with Perl. So I am pulling from a K12 text file (example of the info in the text file):

+---------+---------------+----------+
02:25:41,660,101   ETHER

|0   |ff|ff|ff|ff|ff|ff|b4|b6|76|53|9d|a0|08|00|45|00|00|4e|4f|85|00|00|80|11|68|b3|c0|a8|00|17|c0|a8|00|ff|
00|89|00|89|00|3a|74|68|c6|2a|01|10|00|01|00|00|00|00|00|00|20|46|48|46|41|45|42|45|45|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|41|41|00|00|20|00|01|

I have been going over my code, splitting and sorting into arrays, and just can't for the life of me even get a start. Basically I need to remove everything up to the second "|", take the next 6 sections (separated by "|"), which is the destination IP, then the next 6, which is the source IP, then the next 2, which is the protocol type, then convert to binary.

If anyone has written anything simple for this, I would greatly appreciate taking a look at it. This is for a piece of class work for a security class.

Original source: Wireshark Display Filter for Unique Source/Destination IP and Protocol

1
Please post the code you have put together so far. - alarmed alien

1 Answer

0
votes

You just need a function that creates a key that can be used to compare the entries:

# untested
use strict;
use warnings;

# Build a comparison key from a K12 data line: after splitting on "|",
# field 0 is empty and field 1 is the "0   " offset column, so fields
# 2..7, 8..13 and 14..15 are the 6 + 6 + 2 hex bytes the question asks for.
sub key {
    my $line = shift;
    my @key = (split /\|/, $line)[2..7, 8..13, 14..15];
    return join '-', @key;
}

# Sort the lines by that key so that lines with the same
# destination/source/type combination end up next to each other.
sub sort_lines {
    my @lines = @_;
    return sort { key($a) cmp key($b) } @lines;
}

BTW, there is no need to convert to binary; comparing the hexadecimal representation is also correct.
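As an added example (not code from the question or the answer above), here is a complete Perl script that reads the K12 text layout shown in the question, re-joins frame bytes that wrap over several text lines, and prints each unique source IP, destination IP and protocol, which is what the tshark command in the question prints. It reads the IPv4 header at Ethernet offset 14 rather than the first fields after the offset column: in the sample frame the first six bytes are the destination MAC, the next six the source MAC and the next two the EtherType (08 00 = IPv4), and the IPv4 source and destination addresses sit 12 and 16 bytes into the IP header. The second frame in the sample data is constructed, and the protocol-name table covers only ICMP, TCP and UDP.

```perl
# Added example: read a K12 text dump, pull IPv4 source, destination and
# protocol out of each Ethernet frame, and print each unique combination.
use strict;
use warnings;
# Sample dump in the question's layout: frame 1 is from the question, frame 2 is constructed.
my $k12 = <<'END';
+---------+---------------+----------+
02:25:41,660,101   ETHER
|0   |ff|ff|ff|ff|ff|ff|b4|b6|76|53|9d|a0|08|00|45|00|00|4e|4f|85|00|00|80|11|68|b3|c0|a8|00|17|c0|a8|00|ff|
00|89|00|89|00|3a|74|68|c6|2a|01|10|00|01|00|00|00|00|00|00|20|46|48|46|41|45|42|45|45|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|43|41|41|41|00|00|20|00|01|
+---------+---------------+----------+
02:25:42,000,000   ETHER
|0   |b4|b6|76|53|9d|a0|00|11|22|33|44|55|08|00|45|00|00|28|00|01|00|00|40|06|00|00|c0|a8|00|ff|c0|a8|00|17|
END
# IP protocol numbers and the names tshark shows in frame.protocols (common ones only).
my %proto_name = (1 => 'icmp', 6 => 'tcp', 17 => 'udp');
# Split the dump on the "+----+" separator lines and return the raw bytes of
# every frame, re-joining hex that wraps over several text lines.
sub k12_frames {
    my @frames;
    for my $rec (split /^\+-+\+-+\+-+\+\n/m, shift) {
        my @lines = grep { /\S/ } split /\n/, $rec;
        next if @lines < 2;            # need a timestamp line and data
        shift @lines;                  # drop the "02:25:41,660,101   ETHER" line
        my $hex = join '', @lines;
        $hex =~ s/^\|\d+\s*\|//;       # drop the leading "|0   |" offset column
        $hex =~ s/[^0-9a-fA-F]//g;     # keep only the hex digits
        push @frames, pack 'H*', $hex;
    }
    return @frames;
}
# Decode one frame: 14-byte Ethernet header (dst MAC, src MAC, EtherType), then
# IPv4 with protocol at header byte 9 and src/dst addresses at bytes 12..19.
sub ip_fields {
    my $frame = shift;
    return () if length($frame) < 34;
    my ($ethertype) = unpack 'x12 n', $frame;
    return () unless $ethertype == 0x0800;   # not IPv4 (e.g. ARP, IPv6)
    my ($proto, $src, $dst) = unpack 'x23 C x2 a4 a4', $frame;
    my $name = $proto_name{$proto} // "ip.proto=$proto";
    return (join('.', unpack 'C4', $src), join('.', unpack 'C4', $dst),
            "eth:ethertype:ip:$name");
}
# Print each src/dst/protocol triple once, in file order (like the tshark output).
my %seen;
for my $frame (k12_frames($k12)) {
    my @f = ip_fields($frame) or next;
    print join("\t", @f), "\n" unless $seen{"@f"}++;
}
```

For the sample above this prints 192.168.0.23 / 192.168.0.255 / eth:ethertype:ip:udp for the question's frame and 192.168.0.255 / 192.168.0.23 / eth:ethertype:ip:tcp for the constructed one; to run it against a real file, replace the heredoc with the file's contents read into `$k12`.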