• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 354

Mawk question

Firstly, thank you so much for attending to my question.

I want to say that I do not understand much about awk / gawk and mawk. I have a script that I downloaded from the internet. It returns some output about IP addresses that are getting too much traffic, and gives output like this:

Time IP xxxMbps
Time IP xxxpps
Time IP xxxpps
Time IP xxxMbps
Time IP xxxpps


But this is just for the src_ip side.
I also want to get dst_ip and add one more expression to it, like this:

Time IP xxxMbps   in
Time IP xxxpps   in
Time IP xxxpps  out
Time IP xxxMbps in
Time IP xxxpps out


How should I do this?

#!/islemler/mawk-1.3.4-20130803/mawk -f

# ALK 2013-01-10
#
# for performance reasons, mawk is preferred to gawk
# newer versions of mawk include things like strftime that traditionally had been
# gawk-only features. code and builds of mawk-cur (cutting edge) can be found at:
#    http://invisible-island.net/mawk/
# (the features of mawk-cur aren't available in official debian packages of mawk)
#
# based on ipTopTalkers from InMon:
#
# Copyright (c) 2001 InMon Corp. Licensed under the terms of the InMon sFlow licence:
# http://www.inmon.com/technology/sflowlicense.txt

# usage: sflowtool | DoSTargets

BEGIN{
  lastInt = 0;
  report = "tee -a /var/log/ddos-report.log ";
  interval = 1; # reporting window in seconds (compared against unixSecondsUTC)
  BPSthreshold = 8388608; # alert threshold in bits per second, here 8 Mb/s (83886080 would be 80 Mb/s)
  PPSthreshold = 1500; # alert threshold in packets per second (10000 would be 10 kpps)
}
/unixSecondsUTC/{
  currentInt = $2 - ($2 % interval);
  if(currentInt != lastInt) {
    for(i = 1; i < 1000; i++) { # consider up to 1000 simultaneous targets
      BPSmaxCount = 0;
      BPSmaxKey = "";
      for(BPSkey in BPScount) {
        if(BPScount[BPSkey] > BPSmaxCount) {
          BPSmaxCount = BPScount[BPSkey];
          BPSmaxKey = BPSkey;
        }
      }
      if(BPSmaxCount > (BPSthreshold * interval)) printf("%d %s %d %s", strftime("%s", lastInt), BPSmaxKey, sprintf("%d",(BPSmaxCount/1024/1024/interval)),"mbps\n") | report ;
      delete BPScount[BPSmaxKey];

      PPSmaxCount = 0;
      PPSmaxKey = "";
      for(PPSkey in PPScount) {
        if(PPScount[PPSkey] > PPSmaxCount) {
          PPSmaxCount = PPScount[PPSkey];
          PPSmaxKey = PPSkey;
        }
      }
      if(PPSmaxCount > (PPSthreshold * interval)) printf("%d %s %d %s", strftime("%s", lastInt), PPSmaxKey, sprintf("%d",(PPSmaxCount/interval)),"pps\n")  | report ;
      delete PPScount[PPSmaxKey];
    }
    fflush(""); # flush all open output (stdout is not a predefined awk variable, so it evaluated to "")
    close(report); # close the tee pipe so the report lines reach the log
    lastInt = currentInt;
    delete BPScount;
    delete PPScount;
  }
}
/meanSkipCount/{ samplingInterval = $2; }
/sampledPacketSize/{ sampledPacketSize = $2; }
/dstIP/{ BPScount[$2] = BPScount[$2] + ( samplingInterval * sampledPacketSize * 8); PPScount[$2] = PPScount[$2] + samplingInterval; }
END{}

Asked: 3XLcom
1 Solution
 
MikeOM_DBA Commented:
Perhaps you should contact the script owners:
. . .
#
# Copyright (c) 2001 InMon Corp. Licensed under the terms of the InMon sFlow licence:
# http://www.inmon.com/technology/sflowlicense.txt
. . .

 
3XLcom (Author) Commented:
I will
Question has a verified solution.
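
The script in the question keys both counters on dstIP only. The following is an added example, not code from the thread or from the InMon-derived script: it counts srcIP and dstIP separately per window and appends a direction column. It assumes "in" means the address was the destination and "out" means it was the source; direction_report, sample_input and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-window traffic report with a direction column.
# Assumption: "in" = address seen as dstIP, "out" = address seen as srcIP.
# usage: sflowtool | direction_report BPS_THRESHOLD PPS_THRESHOLD
direction_report() {
  awk -v bpsT="$1" -v ppsT="$2" -v interval=1 '
    BEGIN { sorter = "LC_ALL=C sort" }   # awk iteration order is unspecified
    function flush_window(   k, p) {
      for (k in bits) if (bits[k] > bpsT * interval) {
        split(k, p, SUBSEP)              # key is "ip SUBSEP direction"
        printf("%d %s %dMbps %s\n", last, p[1], bits[k] / 1048576 / interval, p[2]) | sorter
      }
      for (k in pkts) if (pkts[k] > ppsT * interval) {
        split(k, p, SUBSEP)
        printf("%d %s %dpps %s\n", last, p[1], pkts[k] / interval, p[2]) | sorter
      }
      close(sorter); split("", bits); split("", pkts)   # emit window, empty arrays
    }
    function count(ip, dir) {
      bits[ip, dir] += skip * size * 8   # scale each sample up by the sampling rate
      pkts[ip, dir] += skip
    }
    $1 == "unixSecondsUTC" {
      cur = $2 - ($2 % interval)
      if (seen && cur != last) flush_window()
      last = cur; seen = 1
    }
    $1 == "meanSkipCount"     { skip = $2 }
    $1 == "sampledPacketSize" { size = $2 }
    $1 == "srcIP"             { count($2, "out") }
    $1 == "dstIP"             { count($2, "in") }
    END { if (seen) flush_window() }     # finite input: report the last window too
  '
}

sample_input() {   # constructed sflowtool-style lines, not a real capture
  printf '%s\n' 'unixSecondsUTC 1000' \
    'meanSkipCount 1000' 'sampledPacketSize 1500' 'srcIP 198.51.100.7' 'dstIP 192.0.2.10' \
    'meanSkipCount 1000' 'sampledPacketSize 1500' 'srcIP 203.0.113.9' 'dstIP 192.0.2.10' \
    'unixSecondsUTC 1001' \
    'meanSkipCount 10' 'sampledPacketSize 64' 'srcIP 192.0.2.10' 'dstIP 198.51.100.7'
}
sample_input | direction_report 8388608 1500
```

Matching on the first field with $1 == "dstIP" rather than /dstIP/ keeps other lines that merely contain the string from being counted.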
