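#!/usr/local/bin/perl
# version 1.4
# by Shuhei Ohkado
#
# plan:
# (1)add printing by dest
# (2)consider proto(tcp/udp)
# (3)consider src port(higher/lower than 1024) (good)
# You should 'grep ipflog xxx' to get more information by now
# high means that the port is equal or greater than 1024
#
# Reads ipmon (IP Filter) log lines from the files named on the command
# line (or stdin) and prints one summary row per source host: number of
# log entries, number of distinct destination hosts and ports, plus the
# source-port set and the destination(s) when there are few of them.
# -host / -port add a per-destination-host / per-destination-port
# breakdown below each row.
#
# Every value printed comes straight from the log line (host names, ports)
# and is echoed verbatim, so the output is only as trustworthy as the log.

use strict;
use warnings;
use File::Basename qw(basename);
use Getopt::Long;
use Scalar::Util qw(looks_like_number);

my $command_name = basename($0);

$Getopt::Long::autoabbrev = 0;

my %opt;
GetOptions(\%opt, 'min:i', 'host!', 'port!', 'help', 'h', 'match:s')
    or exit;

# Print the usage text to stdout and exit.
sub print_usage {
    print <<"_EOF";
Usage: $command_name [OPTION] ipflog_file
  -min num    cutoff less than num
  -host       print hostname list in the way "host: port * num"
  -nohost     don't print hostname list (default)
  -port       print port list in the way "port: host * num"
  -noport     don't print port list (default)
  -match pat  print when souce host is matched by pat
Example:
  $command_name ipflog -match '^[\\d.]+\$'
  $command_name ipflog -min 1 -match '\.jp\$'
  $command_name ipflog -match utnet.org -port
  $command_name ipflog -match '' -nohost -noport -min 50 (default)
_EOF
    exit;
}

print_usage() if $opt{help} || $opt{h};

# -match is compiled as a regular expression, as the usage text promises;
# an invalid pattern therefore dies here, before any input is read.
my $pat      = $opt{match};
my $match_re = $pat ? qr/$pat/ : undef;

# Giving a pattern lowers the default cutoff to 1; an explicit -min wins.
my $min = 50;
$min = 1 if $pat;
$min = $opt{min} if defined $opt{min};

my $hostdisp = $opt{host};
my $portdisp = $opt{port};

# Print one "key: member * count" line per member of every entry in $of,
# showing the key only on the first line and blank-padding it on the rest.
# Keys and members are sorted so the output is deterministic.
sub _print_breakdown {
    my ($of) = @_;
    print "\n";
    for my $key (sort keys %{$of}) {
        my $label = $key;
        for my $member (sort keys %{ $of->{$key} }) {
            print "$label: $member * $of->{$key}{$member}\n";
            $label = ' ' x length $key;
        }
    }
    return;
}

# source host -> ":sport,dhost,dport:sport,dhost,dport..."
# The leading ':' means a split on ':' yields an empty first field, so the
# last index of that list equals the number of log entries.
my %kind;

LINE: while (my $line = <>) {
    # Strip either the syslog prefix (hostname + "ipmon[pid]:" + timestamp)
    # or ipmon's own "date time" prefix; anything else is not ipmon output.
    next LINE
        unless $line =~ s/^\w+\s+\d+\s+\d+:\d+:\d+\s+(?:\d\w:)?[\w\.\-]+\s+\S*ipmon\[\d+\]:\s+(?:\[ID\s+\d+\s+[\w\.]+\]\s+)?\d+:\d+:\d+\.\d+\s+//
            or $line =~ s/^(?:\d+\/\d+\/\d+)\s+(?:\d+:\d+:\d+\.\d+)\s+//;
    my $log = $line;

    my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\.,]+)\s+->\s+([\w\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+\(?(\d+)\)?\s*(.*)$/x);
    unless (@fields) {
        print STDERR "$command_name:$.: cannot parse: $log\n";
        next LINE;
    }
    my ($count, $if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more) = @fields;

    # $src is "host,port" for tcp/udp; protocols without ports give no port.
    my ($shost, $sport) = split /,/, $src;
    $sport = '' unless defined $sport;
    $kind{$shost} .= ":$sport,$dest";
}

# Number of log entries per source host (see the note on %kind above).
my %nlog_of;
for my $shost (keys %kind) {
    my @dpairs = split /:/, $kind{$shost};
    $nlog_of{$shost} = $#dpairs;
}

printf "%46s : %6s : %6s : %6s : %s\n", "source host", "#log", "#hosts", "#ports", "other(src=>dst)";

# Busiest source hosts first.
SRC: for my $shost (sort { $nlog_of{$b} <=> $nlog_of{$a} } keys %kind) {
    next SRC if $nlog_of{$shost} < $min;
    next SRC if $match_re && $shost !~ $match_re;

    my (%uhosts, %uports, %sports);
    for my $pair (split /:/, $kind{$shost}) {
        my ($sport, $dhost, $dport) = split /,/, $pair;
        next unless $dhost && $dport;
        # Ephemeral source ports are collapsed into one bucket.
        $sport = 'high' if looks_like_number($sport) && $sport >= 1024;
        $uhosts{$dhost}{$dport}++;
        $uports{$dport}{$dhost}++;
        $sports{$sport}++;
    }

    my @kuh = keys %uhosts;
    my @kup = keys %uports;
    printf "%46s : %6d : %6d : %6d :", $shost, $nlog_of{$shost}, scalar @kuh, scalar @kup;

    my @kss = keys %sports;
    print " (", join(',', @kss), ") => " if @kss <= 61;

    print $kuh[0] if @kuh == 1;
    if (@kup == 1) {
        print "($kup[0])";
    }
    elsif (@kup <= 6) {
        print " (", join(',', @kup), ")";
    }
    print "\n";

    _print_breakdown(\%uhosts) if $hostdisp;
    _print_breakdown(\%uports) if $portdisp;
}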