#!/usr/bin/perl
#
# 0.100000 +    40    36:0         6:0        36-1            0       -1 0x0a     SYN     PSH        

while(<>) {
	@fields = split;

	# check for connection initiation
	# => target node is '1', Flags is SYN/PUSH (0x0a), event is '+'
	if($fields[5] =~ /-1$/ && $fields[8] eq '0x0a' && $fields[1] eq '+') {
		# new connection
		# save start time using connection '5-tuple' as key
		$connections{"$fields[3]X$fields[4]"} = $fields[0];
	} elsif ($fields[5] =~ /^1-/ && $fields[5] ne '1-38' && $fields[8] eq '0x19' && $fields[1] eq 'r') {
		# end of connection
		# get start time using '5-tuple' as key and output
		#  time (timestamp - saved start time) and
		#  bytes as SEQ number - 2 (SYN, and ACKno references next unreceived byte)
		print $fields[6] . " " . ( $fields[0] - $connections{"$fields[4]X$fields[3]"} ) . "\n";

		#
		# save memory by deleteing connection
		delete $connections{"$fields[4]X$fields[3]"};
	}
}