Bizarre Question

Leif Sawyer lsawyer at gci.com
Tue Apr 17 13:11:56 CDT 2001 

Here's a question for you semi-advanced perl guru's out there.

First, a little background so this makes sense:

I have a hash'd array:

%services

with multiple dimensions:

$services{$ACL}{$proto}{$destport} = count


If this sounds a little familiar, i'm parsing the syslog output
of a cisco router's ACL list.


Simply put, ACL is an array of found lists

like:
	$services{"input-1"}
	$services{"input-2"}
	$services{"input-3"}

proto is the types of protocols found per ACL list:

	$services{"input-1"}{"udp"}
	$services{"input-1"}{"tcp"}
	$services{"input-1"}{"icmp"}

destport is of course, the destination port that the connection terminated
to
 for the protocol type:

	$services{"input-1"}{"tcp"}{"23"}
	$services{"input-1"}{"tcp"}{"110"}
	$services{"input-1"}{"tcp"}{"80"}

at the very tail of this, is the count of packets per service

	$services{"input-1"}{"tcp"}{"23"} = 2098
	$services{"input-1"}{"tcp"}{"110"} = 1
	$services{"input-1"}{"tcp"}{"80"} = 2983242





What I'm trying to do, is print out a list of ports, by protocol,
for each ACL.  And i'd like the ports sorted by the number of packets,
descending.

###################################################
#
# Report #1, most popular dest host(s) by acl
#
my($acl,$dest, $proto,$port);
my (@ports);

print "!!---------!! Most Popular Protocol Violations !!---------!!\n";

foreach $acl (sort keys %service) {
	print "ACL: $acl\n";

	foreach $proto (sort keys %{$service{$acl}}) {
		print "Protocol: $proto\n";

############### Attempt one ############
if (1) {
		foreach $port (sort mostusedsvc keys
%{$service{$acl}{$proto}}) {
			my($name,$aliases,$p,$t) =
getservbyport($port,$proto);
			print "Port: $port ($name) = " .
$service{$acl}{$proto}{$port} . "\n";
		}
} else {
############### Attempt two ############

		@ports = sort { $service{$acl}{$proto}{$b} <=>
$service{$acl}{$proto}{$b} } keys %{$service{$acl}{$proto}};

		foreach $port ( @ports ) {
			my($n,$a,$p,$t) = getservbyport($port,$proto);
			print "Port: $port ($n) = " .
$service{$acl}{$proto}{$port} . "\n";
		}
}
#########################################

		print "\n";
	}
	print "\n";
}

sub mostusedsvc { $service{$acl}{$proto}{$b} <=> $service{$acl}{$proto}{$a}
}

-----------------------

But, neither of these seem to work.  It prints out the data, just not
sorted.


I'm probably missing something obvious, but at this point, my brain hurts.
:-)

Thanks for any insight.

Leif
=================================================
Mailing list info:  If at any time you wish to (un|re)subscribe to
the list send the request to majordomo at hfb.pm.org.  All requests
should be in the body, and look like such
                  subscribe anchorage-pm-list
                  unsubscribe anchorage-pm-list

More information about the Anchorage-pm mailing list