I'm trying to perform some analysis on pcap files. I've written a script using Perl's Net::TcpDumpLog which allows me to parse each individual packet and extract header information as well as the payload. For example, here's what I'm currently printing out:
IP_SRC, IP_DST, IP_LENGTH, IP_TOS, IP_TTL, IP_Offset, TCP_ACK, TCP_flags, TCP_Winsize, TCP_Chksum, TCP_URG
Now I want to look at some statistics regarding TCP sessions. I've been playing with a few tools to reconstruct flows, such as tcpflow. tcpflow reconstructs sessions and dumps session data into files, but does not give much information at all on the individual packets that made up the flow.
I want to be in a position where I have, say, a flow object which consists of all the packet objects which make up the flow. Ultimately I want to create output containing stats on each flow, one flow per line. For example:
Flow_num, IP_Src, IP_Dst, TCP_SrcPort, TCP_DstPort, Flow_Duration, Packet_interarrival_mean, Number_of_packets_in_flow, Avg_packet_payload_size
I've been playing with tshark and Net::Analysis too, but haven't managed to get what I want. Any assistance would be greatly appreciated.
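The flow-object approach the question describes, as an added example that is not part of the question and does not use Net::TcpDumpLog or Net::Analysis. It is written in Python rather than Perl so it runs with only the standard library: it parses a classic (libpcap, microsecond, Ethernet link-type) capture, decodes IPv4/TCP headers, groups packets into bidirectional flows keyed on the sorted (address, port) pairs, and computes the per-flow columns the question lists. It does no IP-fragment or TCP-segment reassembly and skips anything that is not IPv4/TCP. The sample capture is constructed in memory (the addresses, ports and timestamps are invented), so the script needs no pcap file; point `parse_pcap` at the bytes of a real file to use it on actual traffic.

```python
import struct
from collections import defaultdict, namedtuple
from statistics import mean

ETHERTYPE_IPV4, PROTO_TCP, PCAP_MAGIC = 0x0800, 6, 0xA1B2C3D4
# ts in seconds; flags is the raw TCP flag byte (SYN=0x02, ACK=0x10, PSH=0x08)
Packet = namedtuple("Packet", "ts src dst sport dport flags payload_len")


def parse_frame(ts, frame):
    """Decode Ethernet/IPv4/TCP headers; anything else (ARP, UDP, IPv6) returns None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != PROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                  # IP total length strips Ethernet padding
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4                # data offset covers TCP options
    return Packet(ts, src, dst, sport, dport, tcp[13], len(tcp) - doff)


def parse_pcap(data):
    """Yield a Packet per TCP/IPv4 record in a classic libpcap (not pcapng) capture."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    off = 24                                 # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = parse_frame(sec + usec / 1e6, data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            yield pkt


def flow_key(p):
    # Direction-independent key so both halves of a session land in one flow.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def reconstruct_flows(data):
    """Group packets by session; each value is the packet list in capture order."""
    flows = defaultdict(list)
    for p in parse_pcap(data):
        flows[flow_key(p)].append(p)
    return list(flows.values())


def flow_stats(packets):
    """One summary row per flow; the first packet seen is treated as the initiator."""
    first, times = packets[0], [p.ts for p in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {"ip_src": first.src, "ip_dst": first.dst, "sport": first.sport, "dport": first.dport,
            "duration": times[-1] - times[0], "iat_mean": mean(gaps) if gaps else 0.0,
            "n_packets": len(packets), "avg_payload": mean([p.payload_len for p in packets])}


# ---- constructed sample capture (synthetic packets, not real traffic) ----
def build_frame(src, dst, sport, dport, flags, payload=b""):
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(records):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


SAMPLE_RECORDS = [
    (1.0, build_frame("10.0.0.1", "192.168.1.10", 40000, 80, 0x02)),              # SYN
    (1.1, build_frame("192.168.1.10", "10.0.0.1", 80, 40000, 0x12)),              # SYN/ACK
    (1.2, build_frame("10.0.0.1", "192.168.1.10", 40000, 80, 0x18, b"G" * 100)),  # request
    (1.5, build_frame("192.168.1.10", "10.0.0.1", 80, 40000, 0x18, b"H" * 300)),  # response
    (2.0, build_frame("10.0.0.1", "192.168.1.10", 40001, 443, 0x02)),             # second flow
]

if __name__ == "__main__":
    cols = ["ip_src", "ip_dst", "sport", "dport", "duration", "iat_mean", "n_packets", "avg_payload"]
    print("Flow_num," + ",".join(cols))
    for i, flow in enumerate(reconstruct_flows(build_pcap(SAMPLE_RECORDS)), 1):
        s = flow_stats(flow)
        print(",".join([str(i)] + [f"{s[c]:.4f}" if isinstance(s[c], float) else str(s[c]) for c in cols]))
```

Each value of `reconstruct_flows` is the list of per-packet records that make up one session, so the per-packet header fields from the existing Perl script can be kept alongside the per-flow summary; on a real capture, a long-lived capture will also need a timeout or FIN/RST check to split reused port pairs into separate flows, which this example deliberately leaves out.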