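#!/usr/bin/perl
use strict;
use warnings;

# sortscan.pl - summarise TCP SYN port scans from tcpdump's text output.
#
# Usage (reads tcpdump's line-oriented output on STDIN, or from files
# named on the command line):
#
#   nightfall(~) [1035] % tcpdump -nr perimeter_class.cap 'dst net 12.33 and tcp[tcpflags] = tcp-syn' | perl sortscan.pl
#
# Each line is split on whitespace; field 3 is taken as the source
# endpoint ("<ip>.<port>") and field 5 as the destination endpoint
# ("<ip>.<port>:").  Field 1 (the timestamp) is kept in the record but is
# not reported.  Lines that do not fit this shape are skipped and counted
# instead of silently reusing the previous line's captures.
#
# NOTE: <> applies Perl's ARGV magic (2-arg open) to file names given on
# the command line; the documented usage feeds STDIN through a pipe.

# A source is reported only when it hit more than this many distinct
# destination ports on one destination host.
use constant MIN_DISTINCT_PORTS => 10;

# %scan: destination IP -> list of { time, source, dest } records, where
# source and dest are { ip => ..., port => ... } hashes.
my %scan;
my $skipped = 0;

while (my $line = <>) {
    my @words  = split(/\s+/, $line);
    my $source = parse_endpoint($words[2]);
    my $dest   = parse_endpoint($words[4]);
    unless ($source && $dest) {
        $skipped++;
        next;
    }
    push @{ $scan{ $dest->{ip} } },
        { time => $words[0], source => $source, dest => $dest };
}

warn "sortscan: skipped $skipped unparseable line(s)\n" if $skipped;

# Report destinations in the order the comparator expresses (descending
# by IP, octets compared numerically).
for my $dest_ip (sort sortip keys %scan) {
    summary($dest_ip);
}

# parse_endpoint('12.33.1.2.80')  -> { ip => '12.33.1.2', port => '80' }
# parse_endpoint('12.33.1.2.80:') -> same (trailing ':' marks a destination)
# Returns nothing (undef in scalar context) when the field is missing or
# has no trailing ".<digits>".
sub parse_endpoint {
    my ($field) = @_;
    return unless defined $field;
    # Greedy (.*) keeps every dotted component but the last one, which
    # tcpdump prints as the port.
    return unless $field =~ m/^(.*)\.(\d+):?$/;
    return { ip => $1, port => $2 };
}

# Print one destination's scanners: each source that hit more than
# MIN_DISTINCT_PORTS distinct ports on it, with the ports in ascending
# numeric order.  Sources are listed in comparator order so the report is
# deterministic across runs.
sub summary {
    my ($ip) = @_;
    print "$ip --- \n";

    # source IP -> { destination port -> SYN count }
    my %hits;
    for my $rec (@{ $scan{$ip} }) {
        $hits{ $rec->{source}{ip} }{ $rec->{dest}{port} }++;
    }

    for my $srcip (sort sortip keys %hits) {
        my @ports = sort { $a <=> $b } keys %{ $hits{$srcip} };
        # @ports in scalar context is the count; the old "$#ports > 10"
        # test was off by one (it required 12 ports, not "more than 10").
        next unless @ports > MIN_DISTINCT_PORTS;
        print "\t$srcip hit the following ports: ", join(", ", @ports), "\n";
    }
    return;
}

# Zero-pad each octet so dotted quads compare correctly as strings
# ('9.0.0.1' before '10.0.0.1').  Values that are not a dotted quad are
# returned unchanged so they still sort deterministically.
sub ip_sort_key {
    my ($ip) = @_;
    return $ip unless $ip =~ m/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
    return sprintf("%03d.%03d.%03d.%03d", $1, $2, $3, $4);
}

# sort comparator: descending by IP.  sort passes nothing in @_; it sets
# the package globals $a and $b, so this must be used as "sort sortip LIST"
# (the old "sort(&sortip, ...)" form called it once with no arguments and
# then sorted lexically, with the call's return value as a stray element).
sub sortip {
    return ip_sort_key($b) cmp ip_sort_key($a);
}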