I am reading dumpcap output from stdin, and I want to pass it to tshark through IPC::open2 and collect tshark's output through IPC::open2 as well.
Like this:
dumpcap -> STDIN -> myscript.pl <- IPC::open2 -> tshark
So I am trying to read the dumpcap file from STDIN: I read the file header with getHeader (in the code), then start reading packet by packet and passing each one to tshark (also packet by packet), which returns the packet dissection to my script.
Now, my problem is this line:
my $in = <CHLD_IN>;
Even though tshark returns its output very quickly, it takes almost exactly half a second to return. If I remove that line, it is very fast...
Any ideas?
Thanks in advance!
Here is the code in Perl:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Handle;
use IPC::Open2;

# open2(READER, WRITER, cmd): CHLD_IN is tshark's stdout (we read dissections
# from it), CHLD_OUT is tshark's stdin (we write the raw pcap stream to it).
my $pid = open2(\*CHLD_IN, \*CHLD_OUT, '/usr/local/bin/tshark -c 100 -l -i -');
open(my $out, '>', 'cap.txt') or die "cap.txt: $!";

my $packet_count = 0;
my ($magic_number, $version_major, $version_minor, $thiszone, $sigfigs, $snaplen, $network);

binmode(STDIN);
binmode(CHLD_IN);
binmode(CHLD_OUT);
STDOUT->autoflush(1);
CHLD_OUT->autoflush(1);

getHeader();
while (1) {
    # 16-byte pcap record header: ts_sec, ts_usec, incl_len, orig_len (32-bit each)
    my $got = read(STDIN, my $data, 16);
    last unless defined $got && $got == 16;    # EOF or read error
    print "<---- reading 16 bytes: packet number. $packet_count\n";
    # Decode the fields as little-endian 32-bit integers ('V') instead of
    # reversing the bytes by hand; the hex dump of the raw bytes goes to the log.
    my ($ts_sec, $ts_usec, $incl_len, $orig_len) = unpack('V V V V', $data);
    # incl_len is the number of bytes that follow in the stream (orig_len is the
    # length on the wire, which may be larger than what was captured).
    $got = read(STDIN, my $packet_data, $incl_len);
    last unless defined $got && $got == $incl_len;

    # PRINT PACKET HEADER (forward the bytes unchanged to tshark)
    print CHLD_OUT $data;
    print $out "HEADER : " . unPack($data)
        . " ts=$ts_sec.$ts_usec incl_len=$incl_len orig_len=$orig_len\n";
    # PRINT PACKET DATA
    print CHLD_OUT $packet_data;
    print $out "DATA : " . unPack($packet_data) . "\n";

    my $in = <CHLD_IN>;    # <---- Here's my problem
    print "IN: $in" if defined $in;
    $packet_count++;
    last if $packet_count >= 100;
}
close(CHLD_OUT);
close($out);
waitpid($pid, 0);
exit;

sub getHeader {
    # 24-byte pcap global header
    my $got = read(STDIN, my $data, 24);
    die "short pcap global header\n" unless defined $got && $got == 24;
    # magic (32), version_major (16), version_minor (16), thiszone (32),
    # sigfigs (32), snaplen (32), network (32), all little-endian here
    ($magic_number, $version_major, $version_minor, $thiszone, $sigfigs, $snaplen, $network)
        = unpack('V v v V V V V', $data);
    die sprintf("unexpected pcap magic %08X (expected little-endian A1B2C3D4)\n", $magic_number)
        unless $magic_number == 0xA1B2C3D4;
    printf $out "GLOBAL HEADER : magic=%08X version=%d.%d thiszone=%d sigfigs=%d snaplen=%d network=%d\n",
        $magic_number, $version_major, $version_minor, $thiszone, $sigfigs, $snaplen, $network;
    print CHLD_OUT $data;    # pass the header through untouched
}

sub unPack {
    my $unpacked = unpack('H*', $_[0]);
    return uc($unpacked);
}
You might ask why I am doing this. I have been inserting the dissection results into a DB (without my script), but there is too much data (I am at nearly 400 GB/day), because I am inserting the full dissection...
What I want to do is get some metadata about the packets from tshark and insert only the metadata and the RAW packet into the database...
Of course, if anyone has a better suggestion, I'm all ears!
Thanks!
David
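As an added example (not part of David's post or his script), here is a stand-alone Python parser for the same pcap stream layout the script decodes by hand: the 24-byte global header followed by 16-byte record headers and packet data. Unlike the script it picks the byte order (and microsecond vs. nanosecond timestamps) from the magic number instead of assuming little-endian, loops over short reads as a pipe produces them, and bounds incl_len before using it as a read size, since that field comes from the input and a hostile capture can set it to anything. The sample capture it builds is constructed in memory, not real traffic; build_pcap, summarize and the other names are this example's own.

```python
import io
import struct
from collections import namedtuple

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAX_SNAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN; a larger incl_len is garbage or hostile

# The magic number fixes the byte order of every later field. The last two
# magics mark captures with nanosecond instead of microsecond timestamps.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
}

PcapHeader = namedtuple(
    "PcapHeader",
    "endian version_major version_minor thiszone sigfigs snaplen network ts_divisor",
)
Packet = namedtuple("Packet", "ts_sec ts_frac incl_len orig_len data")


class PcapFormatError(ValueError):
    pass


def _read_upto(stream, n):
    """Read up to n bytes, looping over short reads; returns fewer only at EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def read_global_header(stream):
    raw = _read_upto(stream, GLOBAL_HEADER_LEN)
    if len(raw) < GLOBAL_HEADER_LEN:
        raise PcapFormatError("truncated global header")
    try:
        endian, ts_divisor = MAGICS[raw[:4]]
    except KeyError:
        raise PcapFormatError(f"unknown pcap magic {raw[:4].hex()}") from None
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    fields = struct.unpack(endian + "HHiIII", raw[4:])
    return PcapHeader(endian, *fields, ts_divisor)


def iter_packets(stream, header):
    """Yield Packet records until a clean EOF on a record boundary."""
    while True:
        rec = _read_upto(stream, RECORD_HEADER_LEN)
        if not rec:
            return
        if len(rec) < RECORD_HEADER_LEN:
            raise PcapFormatError("truncated record header")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(header.endian + "IIII", rec)
        # incl_len is untrusted input: bound it before using it as a read size.
        if incl_len > orig_len or incl_len > MAX_SNAPLEN:
            raise PcapFormatError(f"implausible incl_len {incl_len} (orig_len {orig_len})")
        data = _read_upto(stream, incl_len)
        if len(data) < incl_len:
            raise PcapFormatError("truncated packet data")
        yield Packet(ts_sec, ts_frac, incl_len, orig_len, data)


def summarize(pcap_bytes):
    """Return (header, [(timestamp, incl_len, orig_len, hex_data), ...]): the
    per-packet metadata plus raw bytes, which is all that needs storing."""
    stream = io.BytesIO(pcap_bytes)
    header = read_global_header(stream)
    rows = []
    for p in iter_packets(stream, header):
        ts = p.ts_sec + p.ts_frac / header.ts_divisor
        rows.append((ts, p.incl_len, p.orig_len, p.data.hex().upper()))
    return header, rows


def build_pcap(endian, packets, snaplen=65535, network=1, nanos=False):
    """Constructed sample capture (not real traffic) for exercising the parser.
    packets is a list of (ts_sec, ts_frac, data, orig_len)."""
    magic = {(">", False): b"\xa1\xb2\xc3\xd4", ("<", False): b"\xd4\xc3\xb2\xa1",
             (">", True): b"\xa1\xb2\x3c\x4d", ("<", True): b"\x4d\x3c\xb2\xa1"}[(endian, nanos)]
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, network)
    for ts_sec, ts_frac, data, orig_len in packets:
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(data), orig_len) + data
    return out


if __name__ == "__main__":
    sample = build_pcap("<", [(1, 500, b"\x00\x01\x02\x03", 4), (2, 0, b"\xff" * 3, 60)])
    hdr, rows = summarize(sample)
    print(hdr)
    for row in rows:
        print(row)
```

To use it on a live stream, hand `sys.stdin.buffer` to `read_global_header` and `iter_packets` instead of the `BytesIO`; the short-read loop is what makes that work on a pipe.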