AWK：hping：ICMP之間的區別打印起源/接收

Question

我從hping在OpenBSD以下的輸出：

# hping --icmp-ts www.openbsd.org 
HPING www.openbsd.org (re0 129.128.5.194): icmp mode set, 28 headers + 0 data bytes 
len=46 ip=129.128.5.194 ttl=237 id=23807 icmp_seq=0 rtt=155.3 ms 
ICMP timestamp: Originate=22085077 Receive=22085171 Transmit=22085171 
ICMP timestamp RTT tsrtt=156 

len=46 ip=129.128.5.194 ttl=237 id=4150 icmp_seq=1 rtt=154.8 ms 
ICMP timestamp: Originate=22086078 Receive=22086171 Transmit=22086171 
ICMP timestamp RTT tsrtt=155 

^C 
--- www.openbsd.org hping statistic --- 
2 packets tramitted, 2 packets received, 0% packet loss 
round-trip min/avg/max = 154.8/155.0/155.3 ms 

我需要一些額外的運算to troubleshoot asymmetric routes，如a patch in some bugreport可用的，但我不希望必須重新編譯軟件。

TL; DR，這兩個新字段計算爲Receive − Originate和Originate + tsrtt − Transmit，導致如下所示（不一定需要跨越4行）。

len=46 ip=129.128.5.194 ttl=237 id=23807 icmp_seq=0 rtt=155.3 ms 
ICMP timestamp: Originate=22085077 Receive=22085171 Transmit=22085171 
ICMP timestamp RTT tsrtt=156 src->dst=94 dst->src=62 

我該怎麼做awk？ （我很好與其他任何* BSD的工具，太。）

Answer 1

使用perl，你可以做這樣的事情：

#!/usr/bin/perl -n 
# 
if (/Originate=(\d+) Receive=(\d+) Transmit=(\d+)/) { 
    ($o, $r, $t) = ($1, $2, $3); 
} elsif (/tsrtt=(\d+)/) { 
    print $r - $o, " ", $o + $1 - $t, "\n"; 
} 

如果調用此icmpstats.pl，您可以使用hping | perl icmpstats.pl。

Answer 2

從janos中修改解決方案以提供可用的片段。

請注意，當重定向到管道時，hping的輸出變爲完全緩衝，這令人驚訝地嚴重抑制瞭解決方案的可移植性。見https://unix.stackexchange.com/questions/25372/turn-off-buffering-in-pipe和https://unix.stackexchange.com/questions/102403/turn-off-buffering-for-hping-in-openbsd。

在OpenBSD下工作，在安裝expect包後：

unbuffer hping --icmp-ts ntp1.yycix.ca \ 
| perl -ne 'if (/icmp_seq=(\d+) rtt=(\d+\.\d)/) {($s, $p) = ($1, $2);} \ 
if (/ate=(\d+) Receive=(\d+) Transmit=(\d+)/) {($o, $r, $t) = ($1, $2, $3);} \ 
if (/tsrtt=(\d+)/) { \ 
print $s, "\t", $p, "\t", $1, " = ", $r - $o, " + ", $o + $1 - $t, "\n"; }' 

需要在OS X上，因爲它的expect不伴有unbuffer以下：

script -q /dev/null hping3 --icmp-ts ntp1.yycix.ca \ 
| perl -ne 'if (/icmp_seq=(\d+) rtt=(\d+\.\d)/) {($s, $p) = ($1, $2);} \ 
if (/ate=(\d+) Receive=(\d+) Transmit=(\d+)/) {($o, $r, $t) = ($1, $2, $3);} \ 
if (/tsrtt=(\d+)/) { \ 
print $s, "\t", $p, "\t", $1, " = ", $r - $o, " + ", $o + $1 - $t, "\r\n"; }' 

這是一個樣本輸出形成腳本，這表明正向路徑擁塞，返回路徑很可能不是：

0  145.5 146 = 75 + 71 
1  142.7 142 = 72 + 70 
2  140.7 140 = 70 + 70 
3  146.7 146 = 76 + 70 
4  148.3 148 = 77 + 71 
5  157.5 157 = 87 + 70 
6  167.1 167 = 96 + 71 
7  166.3 166 = 95 + 71 
8  167.7 167 = 97 + 70 
9  159.0 159 = 88 + 71 
10  156.7 156 = 86 + 70 
11  154.9 155 = 84 + 71 
12  151.9 152 = 81 + 71 
13  157.3 157 = 86 + 71 
14  155.0 155 = 84 + 71 
15  157.7 158 = 87 + 71 
16  156.6 156 = 86 + 70 
17  157.8 158 = 87 + 71 
18  161.9 162 = 91 + 71 
19  160.1 160 = 89 + 71 
20  166.3 166 = 95 + 71 
21  163.9 164 = 93 + 71 
22  172.0 172 = 101 + 71 
23  177.9 178 = 107 + 71 
24  177.0 177 = 106 + 71 
25  172.1 172 = 101 + 71 
26  167.4 167 = 97 + 70 
27  167.1 167 = 96 + 71 
28  161.0 161 = 90 + 71 
29  150.5 150 = 80 + 70 
30  155.6 155 = 85 + 70 
31  162.0 162 = 91 + 71 
32  154.3 154 = 84 + 70 

---

請注意，如果時鐘不同步，那麼您會變爲負值，但仍然可以作爲哪個方面發生擁塞的良好指標。

以下示例通過相同的路徑;請注意一個值如何隨機上下移動，而另一個值是單調變化的。

0  165.9 166 = -142113 + 142279 
1  160.2 160 = -142118 + 142278 
2  155.2 155 = -142122 + 142277 
3  156.5 156 = -142121 + 142277 
4  164.7 165 = -142112 + 142277 
5  164.4 164 = -142111 + 142275 
6  160.9 161 = -142114 + 142275 
7  158.1 158 = -142117 + 142275 
8  155.6 156 = -142119 + 142275 
9  143.0 143 = -142131 + 142274 
10  153.2 153 = -142120 + 142273 
11  157.1 157 = -142115 + 142272 
12  158.3 158 = -142114 + 142272 
13  148.6 149 = -142123 + 142272 
14  144.3 144 = -142127 + 142271 
15  145.3 145 = -142125 + 142270 
16  141.9 142 = -142128 + 142270