vinka

Reputation: 11

parsing text (log file)

I'm a Perl rookie :) and I need your help. I want to parse my log.txt but I'm confused and I'm not sure about this code.

I have tried log.pcap but it's not what I need. So I want to parse text, not parse pcap recursively. Can anyone edit my code?? http://pastebin.com/mwZ1y2kM

This is my log.txt (input): http://pastebin.com/P0g0D6Pi

Frame 1 (640 bytes on wire, 640 bytes captured)
   Arrival Time: Jan 31, 2012 19:41:17.121115000
   [Time delta from previous captured frame: 0.000000000 seconds]
   [Time delta from previous displayed frame: 0.000000000 seconds]
   [Time since reference or first frame: 0.000000000 seconds]
   Frame Number: 1
   Frame Length: 640 bytes
   Capture Length: 640 bytes
   [Frame is marked: False]
   [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: SunMicro_45:39:78 (01:24:4c:50:79:95), Dst:
Cisco_03:3c:dc (03:49:12:65:3f:dc)
   Destination: Cisco_03:3c:dc (03:49:12:65:3f:dc)
       Address: Cisco_03:3c:dc (03:49:12:65:3f:dc)
       .... ...0 .... .... .... .... = IG bit: Individual address
(unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
   Source: SunMicro_45:39:78 (01:24:4c:50:79:95)
       Address: SunMicro_45:39:78 (01:24:4c:50:79:95)
       .... ...0 .... .... .... .... = IG bit: Individual address
(unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique
address (factory default)
   Type: IP (0x0800)
Internet Protocol, Src: 221.255.225.143 (221.255.225.143), Dst:
10.12.264.43 (10.12.264.43)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0x01 (DSCP 0x00: Default; ECN:
0x01)
       0000 00.. = Differentiated Services Codepoint: Default (0x01)
       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 626
   Identification: 0x3b68 (15208)
   Flags: 0x02 (Don't Fragment)
       0.. = Reserved bit: Not Set
       .1. = Don't fragment: Set
       ..0 = More fragments: Not Set
   Fragment offset: 0
   Time to live: 118
   Protocol: TCP (0x06)
   Header checksum: 0xfc4b [correct]
       [Good: True]
       [Bad : False]
   Source:221.255.225.143 (221.255.225.143)
   Destination: 10.12.264.43 (10.12.264.43)
Transmission Control Protocol, Src Port: 45267 (45267), Dst Port: http
(80), Seq: 1, Ack: 1, Len: 566
   Source port: 45267 (45267)
   Destination port: http (80)
   [Stream index: 0]
   Sequence number: 1    (relative sequence number)
   [Next sequence number: 587    (relative sequence number)]
   Acknowledgement number: 1    (relative ack number)
   Header length: 20 bytes
   Flags: 0x18 (PSH, ACK)
       0... .... = Congestion Window Reduced (CWR): Not set
       .0.. .... = ECN-Echo: Not set
       ..0. .... = Urgent: Not set
       ...1 .... = Acknowledgement: Set
       .... 1... = Push: Set
       .... .0.. = Reset: Not set
       .... ..0. = Syn: Not set
       .... ...0 = Fin: Not set
   Window size: 17520
   Checksum: 0xc19e [validation disabled]
       [Good Checksum: False]
       [Bad Checksum: False]
   [SEQ/ACK analysis]
       [Number of bytes in flight: 586]
Hypertext Transfer Protocol
   [truncated] GET /index.php?page=rilis&artikel=999999.9%27+union+all
+select+0x31303235343830303536%2C
       [[truncated] Expert Info (Chat/Sequence): GET /index.php?
page=rilis&artikel=999999.9%27+union+all+select
+0x31303235343830303536%2C
           [Message [truncated]: GET /index.php?
page=rilis&artikel=999999.9%27+union+all+select
+0x31303235343830303536%2C
           [Severity level: Chat]
           [Group: Sequence]
       Request Method: GET
       Request URI [truncated]: /index.php?
page=rilis&artikel=999999.9%27+union+all+select
+0x31303235343830303536%2C
       Request Version: HTTP/1.1
   Host: example.com\r\n
   Accept: */*\r\n
   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
SV1; .NET CLR 2.0.50727) Havij\r\n
   Connection: Close\r\n
   \r\n

Yeah, and I want to parse it like this (output):

Time: Jan 31, 2012 19:41:17
   IP Address Source: 221.255.225.143
           Mac Address Source: 010912063cfc
           Port Numbers Source: 44535
   IP Address Destination: 10.12.264.43
           Mac Address Destination: 00f04c080788
           Port Numbers Destination: 3306
   HTTP Host: example.com
           Request Method: GET
           Request URI: /index.php?page=rilis artikel=999999.9%27+union
                         +all+select+0x31303235343830303536%2C
           Tool: Havij

Thank you... can you help me??? What I'm doing right now...

Upvotes: 0

Views: 899
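The parsing the question asks for, written as an added Perl example that is not from the question or from either answer. It reads a tshark-style verbose dump, tracks which protocol section it is in (Frame, Ethernet, IP, TCP, HTTP), pulls out the fields the expected output needs, and prints every HTTP request in that layout. The Tool line is filled from a short list of User-Agent markers, which is the part that matters when reviewing captures for automated injection traffic. The text in $dump is a constructed, trimmed copy of the question's frame with each field on a single line (wrapped lines like those in the question would have to be joined first), plus a second frame without HTTP to show that non-HTTP frames are skipped; the @tool_sigs list is an assumption (Havij from the question, sqlmap added), and the code needs Perl 5.10 or later for the // operator.

```perl
use strict;
use warnings;

# Constructed sample: a trimmed copy of the question's tshark -V frame with
# each field on one line, plus a second frame that carries no HTTP request.
my $dump = <<'END';
Frame 1 (640 bytes on wire, 640 bytes captured)
   Arrival Time: Jan 31, 2012 19:41:17.121115000
Ethernet II, Src: SunMicro_45:39:78 (01:24:4c:50:79:95), Dst: Cisco_03:3c:dc (03:49:12:65:3f:dc)
   Destination: Cisco_03:3c:dc (03:49:12:65:3f:dc)
   Source: SunMicro_45:39:78 (01:24:4c:50:79:95)
Internet Protocol, Src: 221.255.225.143 (221.255.225.143), Dst: 10.12.264.43 (10.12.264.43)
   Source:221.255.225.143 (221.255.225.143)
   Destination: 10.12.264.43 (10.12.264.43)
Transmission Control Protocol, Src Port: 45267 (45267), Dst Port: http (80), Seq: 1, Ack: 1, Len: 566
   Source port: 45267 (45267)
   Destination port: http (80)
Hypertext Transfer Protocol
   [truncated] GET /index.php?page=rilis&artikel=999999.9%27+union+all+select+0x31303235343830303536%2C
       Request Method: GET
       Request URI [truncated]: /index.php?page=rilis&artikel=999999.9%27+union+all+select+0x31303235343830303536%2C
   Host: example.com\r\n
   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij\r\n
   \r\n
Frame 2 (60 bytes on wire, 60 bytes captured)
   Arrival Time: Jan 31, 2012 19:41:17.300000000
Internet Protocol, Src: 10.12.264.43 (10.12.264.43), Dst: 221.255.225.143 (221.255.225.143)
   Source: 10.12.264.43 (10.12.264.43)
   Destination: 221.255.225.143 (221.255.225.143)
END

# User-Agent markers of automated injection tools: Havij is in the question,
# sqlmap is an added assumption.
my @tool_sigs = qw(Havij sqlmap);

# Lines at column 0 start a new frame or protocol section; indented lines are
# fields of the current section, so a small state machine is enough.
sub parse_dump {
    my ($text) = @_;
    my (@frames, $cur, $section);
    for my $line (split /\n/, $text) {
        if ($line =~ /^Frame \d+ /) { push @frames, $cur = {}; $section = 'frame'; next }
        next unless $cur;
        if    ($line =~ /^Ethernet II/)          { $section = 'eth';  next }
        elsif ($line =~ /^Internet Protocol/)    { $section = 'ip';   next }
        elsif ($line =~ /^Transmission Control/) { $section = 'tcp';  next }
        elsif ($line =~ /^Hypertext Transfer/)   { $section = 'http'; next }
        if ($section eq 'frame' && $line =~ /^\s+Arrival Time:\s*(.*?)(?:\.\d+)?\s*$/) {
            $cur->{time} = $1;                        # without the fractional seconds
        } elsif ($section eq 'eth' && $line =~ /^\s+(Source|Destination):\s*\S+\s+\(([0-9a-f:]+)\)/i) {
            ($cur->{ lc($1) . '_mac' } = $2) =~ s/://g;   # 03:49:... -> 0349...
        } elsif ($section eq 'ip' && $line =~ /^\s+(Source|Destination):\s*(\S+)/) {
            $cur->{ lc($1) . '_ip' } = $2;            # \s* tolerates "Source:221..."
        } elsif ($section eq 'tcp' && $line =~ /^\s+(Source|Destination) port:\s*\S+\s+\((\d+)\)/) {
            $cur->{ lc($1) . '_port' } = $2;          # numeric port, not the service name
        } elsif ($section eq 'http') {
            (my $l = $line) =~ s/\\r\\n\s*$//;        # the dump shows CRLF as literal \r\n
            if    ($l =~ /^\s+Request Method:\s*(\S+)/)                { $cur->{method} = $1 }
            elsif ($l =~ /^\s+Request URI(?: \[truncated\])?:\s*(\S+)/) { $cur->{uri}    = $1 }
            elsif ($l =~ /^\s+Host:\s*(\S+)/)                          { $cur->{host}   = $1 }
            elsif ($l =~ /^\s+User-Agent:\s*(.*)/)                     { $cur->{agent}  = $1 }
        }
    }
    return \@frames;
}

# First known tool marker found in the User-Agent, or '' if there is none.
sub tool_from_agent {
    my ($agent) = @_;
    return '' unless defined $agent;
    for my $sig (@tool_sigs) { return $sig if $agent =~ /\Q$sig\E/i }
    return '';
}

# Render one frame in the layout the question asks for; '-' marks a field the
# dump did not carry, and the Tool line only appears when a marker matched.
sub format_frame {
    my ($f) = @_;
    my %v = map { ( $_ => $f->{$_} // '-' ) } qw(time source_ip source_mac source_port
        destination_ip destination_mac destination_port host method uri);
    my $out = <<"END";
Time: $v{time}
   IP Address Source: $v{source_ip}
           Mac Address Source: $v{source_mac}
           Port Numbers Source: $v{source_port}
   IP Address Destination: $v{destination_ip}
           Mac Address Destination: $v{destination_mac}
           Port Numbers Destination: $v{destination_port}
   HTTP Host: $v{host}
           Request Method: $v{method}
           Request URI: $v{uri}
END
    my $tool = tool_from_agent($f->{agent});
    $out .= "           Tool: $tool\n" if $tool;
    return $out;
}

for my $f (@{ parse_dump($dump) }) {
    next unless $f->{method};    # only frames with an HTTP request are summarised
    print format_frame($f), "\n";
}
```

Run with a real dump by replacing $dump with the file contents (for example slurping log.txt). Keying on the indented "Source:"/"Destination:" sub-lines rather than on the section header lines is deliberate: the headers are the lines most likely to be wrapped, and the sub-lines carry the same addresses.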

Answers (2)

leyrer

Reputation: 1492

Have you tried Net::Pcap or the approach described here?

Upvotes: 1

billw

Reputation: 99

Your log lines are a bit strange. Some of the fields (Request URI and Tool) contain a space before the colon, which is unexpected. I would check that your log lines really contain those unexpected spaces. Also, it's a bit surprising that Port Numbers appears twice without the Source or Destination qualifier. Again, check your real log file. The following code snippet works for the log line posted in the question. Since the field names are not unique, it assumes they are always printed in the same order.

use strict;
use warnings;

# The field names in the order they appear on the line; the two with a trailing
# space reproduce the "Request URI :" and "Tool :" spelling in the question.
my @fields = ('Time', 'IP Address Source', 'Mac Address Source', 'Port Numbers',
    'IP Address Destination', 'Mac Address Destination', 'Port Numbers', 'HTTP Host',
    'Request Method', 'Request URI ', 'Tool ');

# Build one regex: each field name, a colon, then a lazy capture up to the next name.
my $re = join(':\s+(.*?)\s+', @fields);
$re .= ':\s+(.*)';

warn $re;   # shows the assembled pattern for debugging

my $line = 'Time: Jan 31, 2012 19:41:17 IP Address Source: 221.255.225.143 Mac Address Source: 010912063cfc Port Numbers: 44535 IP Address Destination: 10.12.264.43 Mac Address Destination: 00f04c080788 Port Numbers: 3306 HTTP Host: example.com Request Method: GET Request URI : /index.php?page=rilis artikel=999999.9%27+union +all+select+0x31303235343830303536%2C Tool : Havij';

# One capture per field, in the order of @fields
my @values = $line =~ /$re/;

print "values = @values\n";

Upvotes: 1
