?
Solved

Mawk question

Posted on 2013-12-23
2
Medium Priority
?
349 Views
Last Modified: 2013-12-26
Firstly thank you so much for attending my question.

I want to say that i do not understand too much from awk / gawk and mawk i have a script that i downloaded from the internet . It returns me some output about getting too much traffic ip addresses.and gives an out put as :

Time IP xxxMbps
Time IP xxxpps
Time IP xxxpps
Time IP xxxMbps
Time IP xxxpps



but this is just for src_ip side.
i want also to get dst_ip and add one more expression to it like that


Time IP xxxMbps   in
Time IP xxxpps   in
Time IP xxxpps  out
Time IP xxxMbps in
Time IP xxxpps out


how should i do this ?





#!/islemler/mawk-1.3.4-20130803/mawk -f

# ALK 2013-01-10
#
# for performance reasons, mawk is preferred to gawk
# newer versions of mawk include things like strftime that tradionally had been
# gawk-only features. code and builds of mawk-cur (cutting edge) can be found at:
#    http://invisible-island.net/mawk/
# (the features of mawk-cur aren't available in official debian packages of mawk)
#
# based on ipTopTalkers from InMon:
#
# Copyright (c) 2001 InMon Corp. Licensed under the terms of the InMon sFlow licence:
# http://www.inmon.com/technology/sflowlicense.txt

# usage: sflowtool | DoSTargets

BEGIN{
  lastInt = 0;
  report = "tee -a /var/log/ddos-report.log ";
  interval = 1; #1 minute window
  BPSthreshold = 8388608; # 83886080 alert threshold in bits per second i.e. 80 Mb/s
  PPSthreshold = 1500; # 10000  alert threshold in packets per second i.e 10kpps
}
/unixSecondsUTC/{
  currentInt = $2 - ($2 % interval);
  if(currentInt != lastInt) {
    for(i = 1; i < 1000; i++) { # consider up to 1000 simultaneous targets
      BPSmaxCount = 0;
      BPSmaxKey = "";
      for(BPSkey in BPScount) {
        if(BPScount[BPSkey] > BPSmaxCount) {
          BPSmaxCount = BPScount[BPSkey];
          BPSmaxKey = BPSkey;
        }
      }
      if(BPSmaxCount > (BPSthreshold * interval)) printf("%d %s %d %s", strftime("%s", lastInt), BPSmaxKey, sprintf("%d",(BPSmaxCount/1024/1024/interval)),"mbps\n") | report ;
      delete BPScount[BPSmaxKey];

      PPSmaxCount = 0;
      PPSmaxKey = "";
      for(PPSkey in PPScount) {
        if(PPScount[PPSkey] > PPSmaxCount) {
          PPSmaxCount = PPScount[PPSkey];
          PPSmaxKey = PPSkey;
        }
      }
      if(PPSmaxCount > (PPSthreshold * interval)) printf("%d %s %d %s", strftime("%s", lastInt), PPSmaxKey, sprintf("%d",(PPSmaxCount/interval)),"pps\n")  | report ;
      delete PPScount[PPSmaxKey];
    }
    fflush(stdout); # write out stdout buffer
    close(report); # send the alert email
    lastInt = currentInt;
    delete BPScount;
    delete PPScount;
  }
}
/meanSkipCount/{ samplingInterval = $2; }
/sampledPacketSize/{ sampledPacketSize = $2; }
/dstIP/{ BPScount[$2] = BPScount[$2] + ( samplingInterval * sampledPacketSize * 8); PPScount[$2] = PPScount[$2] + samplingInterval; }
END{}

Open in new window

0
Comment
Question by:3XLcom
2 Comments
 
LVL 29

Accepted Solution

by:
MikeOM_DBA earned 2000 total points
ID: 39736399
Perhaps you should contact the script owners:
. . .
#
# Copyright (c) 2001 InMon Corp. Licensed under the terms of the InMon sFlow licence:
# http://www.inmon.com/technology/sflowlicense.txt
. . .

Open in new window

0
 

Author Closing Comment

by:3XLcom
ID: 39740609
i will
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Often times it's very very easy to extend a volume on a Linux instance in AWS, but impossible to shrink it. I wanted to contribute to the experts-exchange community a way of providing a procedure that works on an AWS instance. It can also be used on…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Suggested Courses

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question