How to extract lines with matching strings and compute time differences in Python

sushaoyang 2012-04-16 05:39:08
2012-04-16 17:23:01.832641 IP 192.168.19.70.48635 > 125.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:23:09.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:24:01.925775 IP 192.168.19.70.48637 > 125.64.93.204.65533: Flags [S], seq 1551096059, win 14600, options [mss 1460,sackOK,TS val 380146618 ecr 0,nop,wscale 6], length 0
2012-04-16 17:25:01.020266 IP 192.168.19.70.48638 > 125.64.93.204.65533: Flags [S], seq 2643095877, win 14600, options [mss 1460,sackOK,TS val 380205712 ecr 0,nop,wscale 6], length 0
2012-04-16 17:23:19.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:26:01.104927 IP 192.168.19.70.48639 > 125.64.93.204.65533: Flags [S], seq 4022318958, win 14600, options [mss 1460,sackOK,TS val 380265797 ecr 0,nop,wscale 6], length 0
2012-04-16 17:27:01.187470 IP 192.168.19.70.48640 > 125.64.93.204.65533: Flags [S], seq 2529893861, win 14600, options [mss 1460,sackOK,TS val 380325879 ecr 0,nop,wscale 6], length 0
2012-04-16 17:28:01.271459 IP 192.168.19.70.48641 > 125.64.93.204.65533: Flags [S], seq 1322747235, win 14600, options [mss 1460,sackOK,TS val 380385963 ecr 0,nop,wscale 6], length 0

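My requirements are as follows:
1. Extract the lines that have the same source IP and destination IP.
2. Compute the time differences for the lines obtained in step 1, i.e. the second line's time minus the first line's, the third minus the second, the Nth minus the (N-1)th.

Each line's format can be thought of as below: extract the lines whose sip and dip are the same, then take the time difference between adjacent lines.
date sip dip

How can this be done in Python? Any pointers from the experts would be appreciated.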
3 replies
sushaoyang 2012-04-17
Thanks to both of you experts.
libralibra 2012-04-16
Does the OP want to group the times by IP, so that the times for the same IPs end up together?

import re
from datetime import datetime

str = '''
2012-04-16 17:23:01.832641 IP 192.168.19.70.48635 > 125.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:23:09.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:24:01.925775 IP 192.168.19.70.48637 > 125.64.93.204.65533: Flags [S], seq 1551096059, win 14600, options [mss 1460,sackOK,TS val 380146618 ecr 0,nop,wscale 6], length 0
2012-04-16 17:25:01.020266 IP 192.168.19.70.48638 > 125.64.93.204.65533: Flags [S], seq 2643095877, win 14600, options [mss 1460,sackOK,TS val 380205712 ecr 0,nop,wscale 6], length 0
2012-04-16 17:23:19.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:26:01.104927 IP 192.168.19.70.48639 > 125.64.93.204.65533: Flags [S], seq 4022318958, win 14600, options [mss 1460,sackOK,TS val 380265797 ecr 0,nop,wscale 6], length 0
2012-04-16 17:27:01.187470 IP 192.168.19.70.48640 > 125.64.93.204.65533: Flags [S], seq 2529893861, win 14600, options [mss 1460,sackOK,TS val 380325879 ecr 0,nop,wscale 6], length 0
2012-04-16 17:28:01.271459 IP 192.168.19.70.48641 > 125.64.93.204.65533: Flags [S], seq 1322747235, win 14600, options [mss 1460,sackOK,TS val 380385963 ecr 0,nop,wscale 6], length 0
'''

# group 1: timestamp, group 2: source ip.port, group 3: destination ip.port
res = r'(.*?) IP (.*?) > (.*?)\:.*?'
lines = str.split('\n')
sourceDest = {}

for line in lines:
    m = re.findall(res, line.strip())
    if len(m) > 0 and len(m[0]) == 3:
        # drop the trailing ".port" so the key is "source ip > destination ip"
        newkey = m[0][1][:m[0][1].rindex('.')] + ' > ' + m[0][2][:m[0][2].rindex('.')]
        if newkey in sourceDest:
            sourceDest[newkey].append(m[0][0])
        else:
            sourceDest[newkey] = [m[0][0]]

for k, v in sourceDest.items():
    print('\n=============================\n%s\n=============================\n' % k)
    if len(v) == 1:
        print(v[0])
    else:
        # difference between each timestamp and the previous one for this pair
        for i in range(1, len(v)):
            print('Start: \t\t%s\nEnd: \t\t%s\nDuration: \t%s\n' % (v[i-1], v[i], datetime.strptime(v[i], "%Y-%m-%d %H:%M:%S.%f") - datetime.strptime(v[i-1], "%Y-%m-%d %H:%M:%S.%f")))



Result
*** Python 2.7.2 (default, Jun 12 2011, 15:08:59) [MSC v.1500 32 bit (Intel)] on win32. ***
>>>

=============================
192.168.19.70 > 125.64.93.204
=============================

Start: 2012-04-16 17:23:01.832641
End: 2012-04-16 17:24:01.925775
Duration: 0:01:00.093134

Start: 2012-04-16 17:24:01.925775
End: 2012-04-16 17:25:01.020266
Duration: 0:00:59.094491

Start: 2012-04-16 17:25:01.020266
End: 2012-04-16 17:26:01.104927
Duration: 0:01:00.084661

Start: 2012-04-16 17:26:01.104927
End: 2012-04-16 17:27:01.187470
Duration: 0:01:00.082543

Start: 2012-04-16 17:27:01.187470
End: 2012-04-16 17:28:01.271459
Duration: 0:01:00.083989


=============================
192.168.19.81 > 203.64.93.204
=============================

Start: 2012-04-16 17:23:09.832641
End: 2012-04-16 17:23:19.832641
Duration: 0:00:10

>>>
bugs2k 2012-04-16
import re
from datetime import datetime

str = '''
2012-04-16 17:23:01.832641 IP 192.168.19.70.48635 > 125.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:23:09.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:24:01.925775 IP 192.168.19.70.48637 > 125.64.93.204.65533: Flags [S], seq 1551096059, win 14600, options [mss 1460,sackOK,TS val 380146618 ecr 0,nop,wscale 6], length 0
2012-04-16 17:25:01.020266 IP 192.168.19.70.48638 > 125.64.93.204.65533: Flags [S], seq 2643095877, win 14600, options [mss 1460,sackOK,TS val 380205712 ecr 0,nop,wscale 6], length 0
2012-04-16 17:23:19.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 692947831, win 14600, options [mss 1460,sackOK,TS val 380086525 ecr 0,nop,wscale 6], length 0
2012-04-16 17:26:01.104927 IP 192.168.19.70.48639 > 125.64.93.204.65533: Flags [S], seq 4022318958, win 14600, options [mss 1460,sackOK,TS val 380265797 ecr 0,nop,wscale 6], length 0
2012-04-16 17:27:01.187470 IP 192.168.19.70.48640 > 125.64.93.204.65533: Flags [S], seq 2529893861, win 14600, options [mss 1460,sackOK,TS val 380325879 ecr 0,nop,wscale 6], length 0
2012-04-16 17:28:01.271459 IP 192.168.19.70.48641 > 125.64.93.204.65533: Flags [S], seq 1322747235, win 14600, options [mss 1460,sackOK,TS val 380385963 ecr 0,nop,wscale 6], length 0
'''

# group 1: timestamp, group 2: source IP, group 3: destination IP
# (dots are escaped and every octet uses \d+ so the full address is captured)
pat = re.compile( r"^(.*)\s+IP\s+(\d+\.\d+\.\d+\.\d+).*>\s*(\d+\.\d+\.\d+\.\d+)" )

ipDict = {}

lines = str.split( '\n' )
for line in lines:
    line = line.strip()
    if line:
        found = pat.match( line )
        if found:
            print( found.groups() )
            # key: (source IP, destination IP); value: timestamp string
            key = found.group( 2 ), found.group( 3 )
            value = found.group( 1 )
            if key in ipDict:
                dt = ipDict[ key ]
                last = dt[ -1 ]
                dt.append( value )
                # time since the previous line with the same IP pair
                diff = datetime.strptime( value, "%Y-%m-%d %H:%M:%S.%f" ) - datetime.strptime( last, "%Y-%m-%d %H:%M:%S.%f" )
                print( "%s ==> %s" % ( key, diff ) )
            else:
                ipDict[ key ] = [ value ]



>>> 
Python 3.2.3 (default, Apr 11 2012, 07:15:24) [MSC v.1500 32 bit (Intel)] on win32
Type "copyright", "credits" or "license()" for more information.
>>> ================================ RESTART ================================
>>>
('2012-04-16 17:23:01.832641', '192.168.19.70', '125.64.93.204')
('2012-04-16 17:23:09.832641', '192.168.19.81', '203.64.93.204')
('2012-04-16 17:24:01.925775', '192.168.19.70', '125.64.93.204')
('192.168.19.70', '125.64.93.204') ==> 0:01:00.093134
('2012-04-16 17:25:01.020266', '192.168.19.70', '125.64.93.204')
('192.168.19.70', '125.64.93.204') ==> 0:00:59.094491
('2012-04-16 17:23:19.832641', '192.168.19.81', '203.64.93.204')
('192.168.19.81', '203.64.93.204') ==> 0:00:10
('2012-04-16 17:26:01.104927', '192.168.19.70', '125.64.93.204')
('192.168.19.70', '125.64.93.204') ==> 0:01:00.084661
('2012-04-16 17:27:01.187470', '192.168.19.70', '125.64.93.204')
('192.168.19.70', '125.64.93.204') ==> 0:01:00.082543
('2012-04-16 17:28:01.271459', '192.168.19.70', '125.64.93.204')
('192.168.19.70', '125.64.93.204') ==> 0:01:00.083989
>>>
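
Added example, not part of any reply in this thread: the same grouping by source/destination IP, extended beyond the posted answers to sort timestamps within each pair (capture lines can arrive out of order), skip lines that are not IPv4 packet records, and summarize how regular the intervals are, which is what makes evenly spaced SYNs to one destination stand out during triage. The sample lines are constructed in the thread's tcpdump format, and the names `group_times`, `intervals` and `summarize` are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the thread's tcpdump format (not captured traffic).
SAMPLE = """\
2012-04-16 17:23:01.832641 IP 192.168.19.70.48635 > 125.64.93.204.65533: Flags [S], seq 1, win 14600, length 0
2012-04-16 17:23:09.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 2, win 14600, length 0
2012-04-16 17:25:01.020266 IP 192.168.19.70.48638 > 125.64.93.204.65533: Flags [S], seq 3, win 14600, length 0
2012-04-16 17:24:01.925775 IP 192.168.19.70.48637 > 125.64.93.204.65533: Flags [S], seq 4, win 14600, length 0
2012-04-16 17:23:19.832641 IP 192.168.19.81.48635 > 203.64.93.204.65533: Flags [S], seq 5, win 14600, length 0
17:26:01.104927 ARP, Request who-has 192.168.19.1 tell 192.168.19.70, length 28
"""

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(\d{1,3}(?:\.\d{1,3}){3})\.\d+ > (\d{1,3}(?:\.\d{1,3}){3})\.\d+:"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

def group_times(text):
    """Map (src_ip, dst_ip) -> sorted datetimes; non-matching lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            flows[(m.group(2), m.group(3))].append(datetime.strptime(m.group(1), TS_FORMAT))
    return {pair: sorted(times) for pair, times in flows.items()}

def intervals(text):
    """Map (src_ip, dst_ip) -> seconds between consecutive packets of that pair."""
    return {
        pair: [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        for pair, times in group_times(text).items()
    }

def summarize(text):
    """Per pair: packet count, mean interval, spread of intervals (population std dev)."""
    return {
        pair: {"packets": len(g) + 1, "mean_s": mean(g) if g else None,
               "stdev_s": pstdev(g) if g else None}
        for pair, g in intervals(text).items()
    }

if __name__ == "__main__":
    for pair, stats in summarize(SAMPLE).items():
        print("%s > %s" % pair, stats)
```

A pair with a single packet has no interval, so its `mean_s` and `stdev_s` are `None` rather than zero.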
