File: traffic_check.pl
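#!/usr/local/bin/perl
#
# traffic_check.pl - triage report for TCP connections to the local web port.
#
# Reads `netstat -an`, counts connections per TCP state and per remote
# address block (first octet, first two, first three, full address), and
# prints a plain-text summary: whether the total and the per-state ratios
# look normal and, when they do not, which sources hold the largest share.
#
# Assumes Linux-style netstat output ("addr:port" columns, SYN_RECV state
# name) -- TODO confirm before running on another platform.

use strict;
use warnings;

# Local port whose connections are analysed.
my $WEB_PORT = 80;

# States reported on, in report order.  Each name is matched as a substring
# of the netstat state column, so FIN_WAIT covers FIN_WAIT1 and FIN_WAIT2.
my @STATE_NAMES = qw(ESTABLISHED FIN_WAIT SYN_RECV SYN_SENT TIME_WAIT);

# Expected share of all connections per state, as [ low, high ].
# Most should be TIME_WAIT or ESTABLISHED:
#   TIME_WAIT should be 85% or more,
#   ESTABLISHED should be 10%..15% at most,
#   the two FIN states should be 5% to 10%,
#   SYNs ideally below 1% (the alarm threshold used here is 3%).
# Only the HIGH side drives the report; LOW is computed but never printed.
my %RATIO_BAND = (
    ESTABLISHED => [ .05,   .15 ],
    FIN_WAIT    => [ .03,   .12 ],
    SYN_RECV    => [ undef, .03 ],
    SYN_SENT    => [ undef, .03 ],
    TIME_WAIT   => [ .85,   .95 ],
);

# Aggregation levels, indexed 0..3, as named in the two report sections.
my @STATE_NOUNS  = ( 'Class-A networks', 'Class-B networks', 'Class-C networks', 'IP addresses' );
my @SOURCE_NOUNS = ( 'Class-A networks', 'Class-B networks', 'Class-C networks', 'individual IPs' );

# Wording for the 1st, 2nd, 3rd and 4th state whose ratio is high.
my @REMARK_FORMATS = (
    "The ratio of connections in the %s state is high, however, at %s percent\n",
    "The ratio of connections in the %s state is also high at %s percent\n",
    "The ratio of connections in the %s state are high as well at %s percent\n",
    "As are the ratio of connections in the %s state which comprise %s percent of all connections\n",
);

# Share bands used by checkblocks, highest first: [ threshold, label ].
my @SHARE_BANDS = ( [ .30, '30' ], [ .20, '20' ], [ .15, '15' ], [ .10, '10' ] );

# ---- Collect ---------------------------------------------------------------

my @connections = _read_connections($WEB_PORT);    # list of [ remote_ip, state ]
my $total       = @connections;

my %ips_in = ( ALL => [ map { $_->[0] } @connections ] );
for my $name (@STATE_NAMES) {
    $ips_in{$name} = [ map { $_->[0] } grep { $_->[1] =~ /\Q$name\E/ } @connections ];
}

# $counts_for{GROUP}[LEVEL] is a hashref: address block => connection count.
my %counts_for;
for my $group ( keys %ips_in ) {
    $counts_for{$group} = _tally_by_level( $ips_in{$group} );
}

# ---- Classify --------------------------------------------------------------

# Flags are derived once from the final totals, so a ratio that was briefly
# out of band while the list was being read cannot leave a stale flag behind.
my $cnt_flag = _count_flag($total);

my ( %ratio_of, %is_high );
for my $name (@STATE_NAMES) {
    # No connections at all: treat every ratio as 0 instead of dividing by zero.
    $ratio_of{$name} = $total ? scalar( @{ $ips_in{$name} } ) / $total : 0;
    $is_high{$name}  = _ratio_flag( $ratio_of{$name}, @{ $RATIO_BAND{$name} } ) eq 'HIGH' ? 1 : 0;
}

# Sort each state into the "good" or "not good" list.  The two SYN states are
# reported as a single "SYN" entry when they agree.
my ( @whats_good, @not_good );
my $file_state = sub {
    my ( $label, $high ) = @_;
    push @{ $high ? \@not_good : \@whats_good }, $label;
};
$file_state->( 'ESTABLISHED', $is_high{ESTABLISHED} );
$file_state->( 'FIN_WAIT',    $is_high{FIN_WAIT} );
if ( $is_high{SYN_RECV} == $is_high{SYN_SENT} ) {
    $file_state->( 'SYN', $is_high{SYN_RECV} );
}
else {
    $file_state->( 'SYN_RECV', $is_high{SYN_RECV} );
    $file_state->( 'SYN_SENT', $is_high{SYN_SENT} );
}
$file_state->( 'TIME_WAIT', $is_high{TIME_WAIT} );

my $allgood = _join_with_and(@whats_good);
my $notgood = _join_with_and(@not_good);
my $bad_cnt = @not_good;

# ---- Report ----------------------------------------------------------------

# Now we need to decide what kind of output is needed.  In the typical case
# we only have to deal with normal traffic: connections are lower than 1100
# and there are no weird SYN/FIN/WAIT profiles.  Low totals (LOW / VLOW)
# produce no report text.
print "\n";
print "\n";

if ( $cnt_flag eq 'NONE' ) {
    print "Total connections look normal at $total\n";
    if ( !$bad_cnt ) {
        print "All the connection state ratios, $allgood look good as well\n";
    }
    else {
        print "\n";
        _print_ratio_remarks( \%is_high, \%ratio_of );
        _print_state_summary( $allgood, $notgood, \%is_high, \%counts_for, $total );
    }
}
elsif ( $cnt_flag eq 'HIGH' || $cnt_flag eq 'PANIC' ) {
    print "Total connections are high at $total\n"      if $cnt_flag eq 'HIGH';
    print "Total connections are very high at $total\n" if $cnt_flag eq 'PANIC';
    print "\n";
    if ( !$bad_cnt ) {
        print "All the connection state ratios ($allgood), however, look good\n";
        print "\n";
        _print_source_summary( 'Summary of high traffic sources', $counts_for{ALL}, $total );
    }
    else {
        print "All the connection state ratios for $notgood are also not ideal (see the \"Connection State Ratio\" below the traffic source section)\n";
        print "\n";
        _print_source_summary( 'Summary of High Traffic Sources', $counts_for{ALL}, $total );
        _print_ratio_remarks( \%is_high, \%ratio_of );
        _print_state_summary( $allgood, $notgood, \%is_high, \%counts_for, $total );
    }
}

print "\n";
print "\n";

# ---- Helpers ---------------------------------------------------------------

# Run `netstat -an` and return [ remote_ip, state ] for every TCP connection
# whose LOCAL port is exactly $port.
#
# netstat is started with list-form open, so no shell is involved and the
# report does not depend on grep/awk being present.  Matching the local port
# exactly keeps ports such as 8080 and outbound connections to a remote port
# 80 out of the ratios; the listening socket itself is skipped because it is
# not a connection.
sub _read_connections {
    my ($port) = @_;

    open my $netstat, '-|', 'netstat', '-an'
        or die "cannot run netstat: $!\n";

    my @pairs;
    while ( my $line = <$netstat> ) {
        my ( $proto, undef, undef, $local, $remote, $state ) = split ' ', $line;
        next unless defined $state && $proto =~ /\Atcp/;
        next unless $local =~ /:\Q$port\E\z/;
        next if $state eq 'LISTEN';

        # Drop the trailing ":port" only (an IPv6 address contains colons of
        # its own), then unwrap IPv4-mapped addresses such as ::ffff:192.0.2.1
        # so they aggregate with plain IPv4 clients.
        ( my $ip = $remote ) =~ s/:[^:]*\z//;
        $ip =~ s/\A::ffff://i;

        push @pairs, [ $ip, $state ];
    }
    close $netstat or warn "netstat exited abnormally (status $?)\n";

    return @pairs;
}

# Return the four aggregation keys for an address: first octet, first two,
# first three, full address.  Anything that is not a dotted quad (e.g. a
# native IPv6 address) is only counted at the full-address level.
sub _network_prefixes {
    my ($ip) = @_;
    my @octets = split /\./, $ip, 4;
    return ( undef, undef, undef, $ip ) if @octets != 4;
    return (
        $octets[0],
        "$octets[0].$octets[1]",
        "$octets[0].$octets[1].$octets[2]",
        $ip,
    );
}

# Build the per-level count tables for a list of addresses.
# Returns an arrayref of four hashrefs, indexed like @STATE_NOUNS.
sub _tally_by_level {
    my ($ips) = @_;
    my @members = ( [], [], [], [] );
    for my $ip (@$ips) {
        my @prefix = _network_prefixes($ip);
        for my $level ( 0 .. 3 ) {
            push @{ $members[$level] }, $prefix[$level] if defined $prefix[$level];
        }
    }
    return [ map { ( getcounts($_) )[1] } @members ];
}

# Classify the total connection count.  Fewer than 350 is "low" and more than
# 1100 is "high"; a count sitting exactly on a boundary falls in the lower band.
sub _count_flag {
    my ($count) = @_;
    return 'PANIC' if $count > 2000;
    return 'HIGH'  if $count > 1100;
    return 'NONE'  if $count > 350;
    return 'LOW'   if $count >= 275;
    return 'VLOW';
}

# Classify one state's share of all connections against its [ low, high ]
# band.  $low may be undef when the state has no lower bound.
sub _ratio_flag {
    my ( $ratio, $low, $high ) = @_;
    return 'HIGH' if $ratio > $high;
    return 'LOW'  if defined $low && $ratio < $low;
    return 'NONE';
}

# Join words as "A, B, and C".  A single word is returned unchanged and an
# empty list gives the empty string.
sub _join_with_and {
    my @words = @_;
    $words[-1] = "and $words[-1]" if @words > 1;
    return join ', ', @words;
}

# Print a three-line starred banner around $title.
sub _print_banner {
    my ($title) = @_;
    my $middle  = "****$title****";
    my $rule    = '*' x length $middle;
    print " $rule\n";
    print " $middle\n";
    print " $rule\n";
    return;
}

# Print one sentence per state whose ratio is high, with wording chosen by
# how many such sentences came before it.  TIME_WAIT has no sentence here;
# it is covered by the state summary section.
sub _print_ratio_remarks {
    my ( $is_high, $ratio_of ) = @_;
    my $ndx = 0;
    for my $name (qw(ESTABLISHED FIN_WAIT SYN_RECV SYN_SENT)) {
        next unless $is_high->{$name};
        my $percent = sprintf '%.1f', $ratio_of->{$name} * 100;
        print sprintf( $REMARK_FORMATS[ $ndx++ ], $name, $percent );
    }
    return;
}

# Print the "high traffic sources" section: every address block holding more
# than 10% of all connections, at each aggregation level.
sub _print_source_summary {
    my ( $title, $levels, $sum ) = @_;
    _print_banner($title);
    print "\n";
    for my $level ( 0 .. $#SOURCE_NOUNS ) {
        print "\n" if $level;    # blank line between levels, none after the last
        checkblocks( $levels->[$level], $sum, '.1', "$SOURCE_NOUNS[$level] standout", 'Connections from' );
    }
    return;
}

# Print the "connection state ratios" section: for each state whose ratio is
# high, the address blocks holding more than 5% of all connections while in
# that state.
sub _print_state_summary {
    my ( $good_text, $bad_text, $is_high, $counts, $sum ) = @_;
    print "\n";
    print "\n";
    print "\n";
    _print_banner('Summary of Connection State Ratios');
    print "\n";
    print "\n";
    print "The connection state ratios, $good_text look good while the number in $bad_text state appear high...\n";
    for my $name (@STATE_NAMES) {
        next unless $is_high->{$name};
        for my $level ( 0 .. $#STATE_NOUNS ) {
            checkblocks( $counts->{$name}[$level], $sum, '.05',
                "$STATE_NOUNS[$level] have high $name rates",
                "Connections in the $name state from" );
            print "\n";
        }
    }
    return;
}

# Count occurrences of each value in the referenced array.
# Returns ( total number of items, hashref of value => count ).
sub getcounts {
    my ($items) = @_;
    my %count_of;
    $count_of{$_}++ for @$items;
    my $sum = 0;
    $sum += $_ for values %count_of;
    return ( $sum, \%count_of );
}

# Print every entry of a count table whose share of $sum exceeds $lowper.
#
#   $counts   hashref of address block => connection count
#   $sum      denominator for the share (total connections)
#   $lowper   minimum share, as a fraction, for an entry to be listed
#   $type     heading text; a leading "Class-A/B/C networks" selects the
#             ".0" padding appended to each key
#   $preamble text printed before each key
#
# Entries are listed largest first.  The heading is printed once, before the
# first listed entry; nothing is printed when no entry qualifies.
sub checkblocks {
    my ( $counts, $sum, $lowper, $type, $preamble ) = @_;
    return unless $sum;    # nothing to compare against

    # Padding is decided per call; headings that name no network class
    # (individual addresses) get none.
    my $dots
        = $type =~ /^Class-A networks/ ? '.0.0.0'
        : $type =~ /^Class-B networks/ ? '.0.0'
        : $type =~ /^Class-C networks/ ? '.0'
        :                                '';

    my $floor_label = sprintf '%g', $lowper * 100;
    my $listed      = 0;

    for my $key ( sort { $counts->{$b} <=> $counts->{$a} || $a cmp $b } keys %$counts ) {
        my $share = $counts->{$key} / $sum;
        next unless $share > $lowper;

        print "The following $type:\n" unless $listed++;

        # Report the highest band the share exceeds; a share sitting exactly
        # on a band edge is reported in the band below it.
        my $label = $floor_label;
        for my $band (@SHARE_BANDS) {
            if ( $share > $band->[0] ) {
                $label = $band->[1];
                last;
            }
        }
        print " $preamble $key$dots represent more than $label% ($counts->{$key} out of $sum) of all connections\n";
    }
    return;
}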