Perl finding valid pairs of lines among different cases
-
04-06-2021 - |
Domanda
I have HTTP header request and reply data in tab delimited form with each GET/POST and reply in different lines. This data is such that there are multiple GET, POST and REPLY for one TCP flow. I need to choose only the first valid GET - REPLY pair out of these cases. An example (simplified) is:
ID Source Dest Bytes Type Content-Length host lines....
1 A B 10 GET NA yahoo.com 2
1 A B 10 REPLY 10 NA 2
2 C D 40 GET NA google.com 4
2 C D 40 REPLY 20 NA 4
2 C D 40 GET NA google.com 4
2 C D 40 REPLY 30 NA 4
3 A B 250 POST NA mail.yahoo.com 5
3 A B 250 REPLY NA NA 5
3 A B 250 REPLY 15 NA 5
3 A B 250 GET NA yimg.com 5
3 A B 250 REPLY 35 NA 5
4 G H 415 REPLY 10 NA 6
4 G H 415 POST NA facebook.com 6
4 G H 415 REPLY NA NA 6
4 G H 415 REPLY NA NA 6
4 G H 415 GET NA photos.facebook.com 6
4 G H 415 REPLY 50 NA 6
....
So, basically I need to get one request-reply pair for each ID and write them to a new file.
For '1' it is just one pair so it is easy. But there are also false cases with both lines being a GET, POST or REPLY. So, such cases are ignored.
For '2', I would choose the first GET - REPLY pair.
For '3', I would choose the first GET but the second REPLY as the Content-Length is absent in the first (making the subsequest REPLY a better candidate).
For '4', I would choose the first POST (or GET) as the first header cannot be REPLY. I would not choose the REPLY after the second GET even though the content length is missing in ones after the POST., as the REPLY comes after that. So I would just choose the first REPLY.
So, after choosing the best request and reply pair, I need to pair them up in a single line. For the example, the output would be:
ID Source Dest Bytes Type Content-Length host ....
1 A B 10 GET 10 yahoo.com
2 C D 40 GET 20 google.com
3 A B 250 POST 15 mail.yahoo.com
4 G H 415 POST NA facebook.com
There are a lot of other headers in the actual data but this example pretty much shows what I need. How would one do this in Perl? I pretty much am stuck in the beginning so I have only been able to read the file one line at a time.
open F, "<", "file.txt" || die "Cannot open $f: $!";
while (<F>) {
chomp;
my @line = split /\t/;
# get the valid pairs for cases with multiple request - replies
# get the paired up data together
}
close (F);
*Edit: I have added an additional column giving the number of HTTP header lines for each ID. This may help to know how many subsequent lines to check. Also, I modified ID '4' so that the first header line is a REPLY. *
Soluzione
The program below does what I think you need.
It is commented and I think it is fairly legible. Please ask if anything is unclear.
use strict;
use warnings;
use List::Util 'max';
my $file = $ARGV[0] // 'file.txt';
open my $fh, '<', $file or die qq(Unable to open "$file" for reading: $!);
# Read the field names from the first line to index the hashes
# Remember where the data in the file starts so we can get back here
#
my @fields = split ' ', <$fh>;
my $start = tell $fh;
# Build a format to print the accumulated data
# Create a hash that relates column headers to their widths
#
my @headers = qw/ ID Source Dest Bytes Type Content-Length host /;
my %len = map { $_ => length } @headers;
# Read through the file to find the maximum data width for each column
#
while (<$fh>) {
my %data;
@data{@fields} = split;
next unless $data{ID} =~ /^\d/;
$len{$_} = max($len{$_}, length $data{$_}) for @headers;
}
# Build a format string using the values calculated
#
my $format = join ' ', map sprintf('%%%ds', $_), @len{@headers};
$format .= "\n";
# Go back to the start of the data
# Print the column headers
#
seek $fh, $start, 0;
printf $format, @headers;
# Build transaction data hashes into $record and print them
# Ignore any events before the first request
# Ignore the second request and anything after it
# Update the stored Content-Length field if a value other than NA appears
#
my $record;
my $nreq = 0;
while (<$fh>) {
my %data;
@data{@fields} = split;
my ($id, $type) = @data{ qw/ ID Type / };
next unless $id =~ /^\d/;
if ($record and $id ne $record->{ID}) {
printf $format, @{$record}{@headers};
undef $record;
$nreq = 0;
}
if ($type eq 'GET' or $type eq 'POST') {
$record = \%data if $nreq == 0;
$nreq++;
}
elsif ($nreq == 1) {
if ($record->{'Content-Length'} eq 'NA' and $data{'Content-Length'} ne 'NA') {
$record->{'Content-Length'} = $data{'Content-Length'};
}
}
}
printf $format, @{$record}{@headers} if $record;
output
With the data given in the question, this program produces
ID Source Dest Bytes Type Content-Length host
1 A B 10 GET 10 yahoo.com
2 C D 40 GET 20 google.com
3 A B 250 POST 15 mail.yahoo.com
4 G H 415 POST NA facebook.com
Altri suggerimenti
This seems to work on the given data:
#!/usr/bin/env perl
use strict;
use warnings;
# Shape of input records
use constant ID => 0;
use constant Source => 1;
use constant Dest => 2;
use constant Bytes => 3;
use constant Type => 4;
use constant Length => 5;
use constant Host => 6;
use constant fmt_head => "%-6s %-6s %-6s %-6s %-6s %-6s %s\n";
use constant fmt_data => "%-6d %-6s %-6s % 6d %-6s % 6s %s\n";
printf fmt_head, "ID", "Source", "Dest", "Bytes", "Type", "Length", "Host";
my @post_get;
my @reply;
my $lastid = -1;
my $pg_count = 0;
sub print_data
{
# Final validity checking
if ($lastid != -1)
{
printf fmt_data, $post_get[ID], $post_get[Source],
$post_get[Dest], $post_get[Bytes], $post_get[Type], $reply[Length], $post_get[Host];
# Reset arrays;
@post_get = ();
@reply = ();
$pg_count = 0;
}
}
while (<>)
{
chomp;
my @record = split;
# Validate record here (number of fields, etc)
# Detect change in ID
print_data if ($record[ID] != $lastid);
$lastid = $record[ID];
if ($record[Type] eq "REPLY")
{
# Discard REPLY if there wasn't already a POST/GET
next unless defined $post_get[ID];
# Discard REPLY if there was a second POST/GET
next if $pg_count > 1;
@reply = @record if !defined $reply[ID];
$reply[Length] = $record[Length]
if $reply[Length] eq "NA" && $record[Length] ne "NA";
}
else
{
$pg_count++;
@post_get = @record if !defined $post_get[ID];
$post_get[Length] = $record[Length]
if $post_get[Length] eq "NA" && $record[Length] ne "NA";
}
}
print_data;
It produces:
ID Source Dest Bytes Type Content-Length host
1 A B 10 GET 10 yahoo.com
2 C D 40 GET 20 google.com
3 A B 250 POST 15 mail.yahoo.com
4 G H 415 POST NA facebook.com
The main deviation from the question is the substitution of 'Length' for 'Content-Length'; the fix is easy if enough if desired — change the 6th length in the fmt_data
and fmt_head
to length 14, and change "Length"
to "Content-Length"
.