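#! /usr/local/bin/perl
# oc32tflags.pl inputfile [interface]
#
# Analysis of TCP flags in a binary packet-trace file.
#
# Trace layout as read here: a 512-byte cell header (entry count at bytes
# 2-3, interface number at bytes 4-5) followed by up to 17408 entries of
# 60 bytes.  Only entries whose byte 18 is 0x08 are packet records; in those
# the IP header starts at byte 20 and a 16-bit trace clock (40 ns ticks)
# sits at bytes 4-5.
#
# Output (stdout): packet/byte totals, a per-protocol breakout, TCP flag
# histograms (all packets / 40-byte packets), SYN counts per destination
# port and quintuples that saw more than one bare SYN.  One
# "interface<TAB>cellcount" line per cell header goes to stderr.
#
# The optional second argument restricts the analysis to one interface;
# 0 or absent means all interfaces.
use strict;
use warnings;

my $fname = $ARGV[0];
die "usage: $0 inputfile [interface]\n" unless defined $fname;
# Requested interface; 0 means "every interface".
my $if = defined $ARGV[1] ? $ARGV[1] : 0;

# Three-argument open: the file name is never interpreted as an open mode
# (a 2-arg open would treat names such as "cmd |" as a pipe spec).
open(my $in, '<', $fname) or die "Can't open input file: $!\n";
binmode($in);    # the trace is binary; never apply a text layer to it

# Global counters: all packets and the <= 40-byte subset.
my ($pcount, $pcount40, $bvol, $bvol40) = (0, 0, 0, 0);
# TCP-only counters, same split.
my ($tpcount, $tpcount40) = (0, 0);
# Per IP protocol number: packets and bytes, all / <= 40 bytes.
my (%appcount, %appcount40, %apbvol, %apbvol40);
# Per TCP flag byte (low 6 bits): packets, all / <= 40 bytes.
my (%afpcount, %afpcount40);
# Bare-SYN counts per destination port and per (src,dst,prot,sport,dport).
my (%asyndport, %asyn);
# 16-bit trace clock with wrap detection; $clock2 counts wraps.
# $timestamp ends up as the time of the last packet seen, in seconds.
my ($oldclock, $clock2, $timestamp) = (0, 0, 0);

my $record;
while (read($in, $record, 512)) {
    my $cellcount = vec($record, 2, 8) * 256 + vec($record, 3, 8);
    my $interface = vec($record, 4, 8) * 256 + vec($record, 5, 8);
    printf STDERR "%d\t%d\n", $interface, $cellcount;

    # Entries follow the cell header; stop early on a short read.
    for my $i (1 .. 17408) {
        read($in, $record, 60) or last;
        next if $i > $cellcount;
        next if $if > 0 && $if != $interface;
        # Only entry type 0x08 carries a packet header.
        next unless vec($record, 18, 8) == 0x08;

        my $clock = (vec($record, 4, 8) << 8) + vec($record, 5, 8);
        $clock2++ if $clock < $oldclock;
        $oldclock  = $clock;
        $timestamp = (($clock2 * 65536) + $clock) * 0.00000004;

        # IP header fields, offset 20 into the entry.
        my $src  = vec($record, 8, 32);      # bytes 32-35: IP source
        my $dst  = vec($record, 9, 32);      # bytes 36-39: IP destination
        my $plen = vec($record, 22, 8) * 256 + vec($record, 23, 8);
        my $prot = vec($record, 29, 8);
        my $ihl  = (vec($record, 20, 8) & 0xf) * 4;
        # Transport header follows the IP header; the TCP flag byte is
        # byte 13 of it.  vec() yields 0 for offsets past the 60-byte entry.
        my $sport  = vec($record, $ihl + 20, 8) * 256 + vec($record, $ihl + 21, 8);
        my $dport  = vec($record, $ihl + 22, 8) * 256 + vec($record, $ihl + 23, 8);
        my $tflags = vec($record, $ihl + 33, 8) & 0x3f;
        my $short  = $plen <= 40;

        # Global and per-protocol stats.
        $pcount++;
        $bvol += $plen;
        $appcount{$prot}++;
        $apbvol{$prot} += $plen;
        if ($short) {
            $pcount40++;
            $bvol40 += $plen;
            $appcount40{$prot}++;
            $apbvol40{$prot} += $plen;
        }

        # TCP flag stats.
        if ($prot == 6) {
            if ($tflags == 0x2) {    # bare SYN: new connection attempt
                $asyndport{$dport}++;
                $asyn{ $src, $dst, $prot, $sport, $dport }++;
            }
            $afpcount{$tflags}++;
            $tpcount++;
            if ($short) {
                $afpcount40{$tflags}++;
                $tpcount40++;
            }
        }
    }
}
close($in);

# Values are passed as printf arguments, not interpolated into the format,
# so a '%' in the file name cannot be read as a conversion.
printf "File: %s\n", $fname;
printf "Trace duration: %s seconds\n", $timestamp;
printf "\nTotals:\n";
printf " %10d packets\n", $pcount;
printf " %10d bytes\n",   $bvol;
printf "\nTotals of 40 byte packets:\n";
printf " %10d packets, (%.3f of total)\n", $pcount40, frac($pcount40, $pcount);
printf " %10d bytes, (%.3f of total)\n",   $bvol40,   frac($bvol40,   $bvol);

printf "\nPer protocol breakout:\n";
# Header spacing reconstructed to line up with the "===" rule below.
printf "Prot|kpackts fract  Mbytes fract |kpackts fract        Mbytes fract       |\n";
printf "    |                            |        all/40             all/40      |\n";
printf "=== |======= ===== ======= ===== |======= =========== ======= =========== |\n";
for my $key (sort numerically (keys %appcount)) {
    # A protocol may have had no <= 40-byte packets at all.
    my $n40 = exists $appcount40{$key} ? $appcount40{$key} : 0;
    my $b40 = exists $apbvol40{$key}   ? $apbvol40{$key}   : 0;
    printf "%3d |%7d %.3f %7d %.3f |%7d %.3f/%.3f %7d %.3f/%.3f |%s\n",
        $key,
        $appcount{$key} / 1e3, frac($appcount{$key}, $pcount),
        $apbvol{$key} / 1e6,   frac($apbvol{$key},   $bvol),
        $n40 / 1e3, frac($n40, $pcount), frac($n40, $pcount40),
        $b40 / 1e6, frac($b40, $bvol),   frac($b40, $bvol40),
        protocol_name($key);
}

printf "\nTCP flags statistics, any packet size:\n";
printf "(total=%d, fraction=%.3f)\n", $tpcount, frac($tpcount, $pcount);
printf "Flg kpackets fract TCPfract flags\n";
printf "=== ======== ===== ======== ======\n";
for my $key (sort numerically (keys %afpcount)) {
    printf " %2x %8d %.3f %.3f %6s\n",
        $key, $afpcount{$key} / 1000,
        frac($afpcount{$key}, $pcount),
        frac($afpcount{$key}, $tpcount),
        tcp_flag_string($key);
}

printf "\nTCP flags statistics, 40 byte packets only:\n";
printf "(total=%d, fraction=%.3f, of TCP=%.3f)\n",
    $tpcount40, frac($tpcount40, $pcount), frac($tpcount40, $tpcount);
printf "Flg kpackets fract T40fract flags\n";
printf "=== ======== ===== ======== ======\n";
for my $key (sort numerically (keys %afpcount40)) {
    printf " %2x %8d %.3f %.3f %6s\n",
        $key, $afpcount40{$key} / 1000,
        frac($afpcount40{$key}, $pcount),
        frac($afpcount40{$key}, $tpcount40),
        tcp_flag_string($key);
}

# Port -> service name map from /etc/services, keyed by (port, proto).
my %portarray;
open(my $svc, '<', '/etc/services') or die "Cannot open /etc/services: $!";
while (my $line = <$svc>) {
    my ($name, $serv) = split ' ', $line;
    # Skip blank lines, comment lines and lines without a port/proto field.
    next unless defined $name && defined $serv;
    next if $name =~ /#/;
    my ($port, $proto) = split m{/}, $serv;
    next unless defined $port && defined $proto;
    $portarray{ $port, $proto } = $name;
}
close($svc);

printf "\nSYN packets to destination ports:\n";
printf " Port packets portname\n";
printf "===== ======= ========\n";
for my $key (sort spnumerically (keys %asyndport)) {
    my $pname = $portarray{ $key, 'tcp' };
    printf "%5d %7d %s\n", $key, $asyndport{$key}, defined $pname ? $pname : '';
}

printf "\nmulti-SYN to same quintuples:\n";
printf "quint#\tcount\tprot:sp:dp triplet\n";
printf "======= ======= ==================\n";
my $count = 0;
for my $key (sort srnumerically (keys %asyn)) {
    # Keys were built with the multi-dimensional hash emulation ($;).
    my (undef, undef, $prot, $sport, $dport) = split /$;/, $key;
    if ($asyn{$key} > 1) {
        printf "%d\t%d\t%d:%d:%d\n", ++$count, $asyn{$key}, $prot, $sport, $dport;
    }
}

# frac(NUM, DEN): NUM/DEN, or 0 when DEN is 0 (empty trace, no TCP, ...).
sub frac {
    my ($num, $den) = @_;
    return $den ? $num / $den : 0;
}

# protocol_name(NUMBER): name from the protocols database, '' if unknown.
# Called in scalar context on purpose: in list context getprotobynumber
# returns (name, aliases, number) or an empty list.
sub protocol_name {
    my ($number) = @_;
    my $name = scalar getprotobynumber($number);
    return defined $name ? $name : '';
}

# tcp_flag_string(FLAGS): letters for the set bits of the low 6 flag bits.
# Bits are tested low-to-high and each letter is prepended, so the highest
# flag comes first (e.g. SYN|ACK -> "AS").
sub tcp_flag_string {
    my ($flags) = @_;
    my $fa = '';
    $fa = 'F' . $fa if $flags & 0x01;
    $fa = 'S' . $fa if $flags & 0x02;
    $fa = 'R' . $fa if $flags & 0x04;
    $fa = 'P' . $fa if $flags & 0x08;
    $fa = 'A' . $fa if $flags & 0x10;
    $fa = 'U' . $fa if $flags & 0x20;
    return $fa;
}

# Sort helpers: ascending by numeric key; descending by SYN count.
sub numerically   { $a <=> $b; }
sub spnumerically { $asyndport{$b} <=> $asyndport{$a}; }
sub srnumerically { $asyn{$b} <=> $asyn{$a}; }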