luca-m · March 24, 2013 16:32
diff --git a/dissect.sh b/dissect.sh
 #!/bin/bash
 ##
 ## Dissect network traffic from a PCAP file.
 ## Extract network bidirectional flows (source ip, source port, dest ip, dest port, timestamp) and
 ## store them in separate files 
 ##
 ## Usage: dissect.sh  <CAPTUREFILE.PCAP> <OUTPUTFOLDER>
 ##
 ## Options:
 ##      -h, --help Display this message
 ##      -v, --verbose Verbose output on STDOUT
 ## 
 ## Dependencies:
 ##      tshark
 ##

 function extractFlows(){
 	#
 	# Dissect the network capture in bidirectional flows 
 	# (unlike tcpflow which separate in unidirectional flows)
 	# 
 	# Usage: extractFlows <CAPTUREFILE.PCAP> <OUTPUTFOLDER>
 	#
 	PCAPFILE=$1
 	OUTDIR=$2
 	NSTREAMS=`tshark -n -r $PCAPFILE -T fields -e tcp.stream 2>/dev/null |tail -1`
 	
 	for i in $(seq 0 1 $NSTREAMS); 
 	do  
 		#
 		# Assumption: we assume that services are firstly contacted by remote clients. 
 		#             So consider the $DIP and the $DPORT as SERVICEIP and SERVICEPORT.
 		#             We also assume that REMOTE CLIENT ports are 5 digits
 		#
 		ROW=`tshark -r $PCAPFILE -R "tcp.stream eq $i" -tad -o column.format:'"Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD","Time","%t"' 2>/dev/null | head -1`
 		PORTS=`echo $ROW | sed "s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}//g" | sed "s/[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}\.[0-9]\{0,6\}//g" | xargs`
 		SPORT=`echo $PORTS | egrep -o "[0-9]{5}" | head -1 | xargs`
 		DPORT=`echo $PORTS | egrep -o "[0-9]{1,5}" | tail -1 | xargs`
 		SIP=`echo $ROW | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | head -1 | xargs `  #'10.13.38.54'
 		DIP=`echo $ROW | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | tail -1 | xargs`    #'10.13.37.54'
 		TIMESTAMP=`echo $ROW | egrep -o "[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{0,6}" | head -1 | xargs`	
 		OUTFILE="$OUTDIR/$SIP,$SPORT,$DIP,$DPORT,$TIMESTAMP"
 		if [ $VERBOSE -eq 1 ]; then
 			echo -e "Extracting Flow #$i/$NSTREAMS\t:{sip:\"$SIP\",sport:\"$SPORT\",dip:\"$DIP\",dport:\"$DPORT\",ts:\"$TIMESTAMP\"}"
 			echo -e "Conversation stored in \"$OUTFILE\""
 		fi
 		#echo $OUTFILE
 		tshark -r $PCAPFILE -R "tcp.stream eq $i" -w $OUTFILE 2>/dev/null
 	
 	done	
 }


 usage() {
  [ "$*" ] && echo "$0: $*"
  sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0"
  exit 2
 } 2>/dev/null

 while [ $# -gt 0 ]; do
    case $1 in
    (-h|--help) usage 2>&1;;
    (-v|--verbose) VERBOSE=1;shift;break;;
    (--) shift; break;;
    (-*) usage "$1: unknown option";;
    (*) break;;
    esac
 done

 if [ $# -eq 2 ]; then
   INFILE="$1"
   OUTFOLDER="$2"
 fi

 echo $INFILE
 echo $OUTFOLDER
 if [ -f $INFILE -a -d $OUTFOLDER ]; then
   if [ $VERBOSE -eq 1 ];then
       echo "INFO: Dissecting.." 
   fi
   extractFlows "$INFILE" "$OUTFOLDER"
 else
   echo "ERR: check if $INFULE and $OUTFOLDER exist and verify that they are respectively readable and writable"
 fi
	#!/bin/bash
	##
	## Dissect network traffic from a PCAP file.
	## Extract network bidirectional flows (source ip, source port, dest ip, dest port, timestamp) and
	## store them in separate files
	##
	## Usage: dissect.sh <CAPTUREFILE.PCAP> <OUTPUTFOLDER>
	##
	## Options:
	## -h, --help Display this message
	## -v, --verbose Verbose output on STDOUT
	##
	## Dependencies:
	## tshark
	##

	function extractFlows(){
	#
	# Dissect the network capture in bidirectional flows
	# (unlike tcpflow which separate in unidirectional flows)
	#
	# Usage: extractFlows <CAPTUREFILE.PCAP> <OUTPUTFOLDER>
	#
	PCAPFILE=$1
	OUTDIR=$2
	NSTREAMS=`tshark -n -r $PCAPFILE -T fields -e tcp.stream 2>/dev/null \|tail -1`

	for i in $(seq 0 1 $NSTREAMS);
	do
	#
	# Assumption: we assume that services are firstly contacted by remote clients.
	# So consider the $DIP and the $DPORT as SERVICEIP and SERVICEPORT.
	# We also assume that REMOTE CLIENT ports are 5 digits
	#
	ROW=`tshark -r $PCAPFILE -R "tcp.stream eq $i" -tad -o column.format:'"Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD","Time","%t"' 2>/dev/null \| head -1`
	PORTS=`echo $ROW \| sed "s/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}//g" \| sed "s/[0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\} [0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}\.[0-9]\{0,6\}//g" \| xargs`
	SPORT=`echo $PORTS \| egrep -o "[0-9]{5}" \| head -1 \| xargs`
	DPORT=`echo $PORTS \| egrep -o "[0-9]{1,5}" \| tail -1 \| xargs`
	SIP=`echo $ROW \| egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" \| head -1 \| xargs ` #'10.13.38.54'
	DIP=`echo $ROW \| egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" \| tail -1 \| xargs` #'10.13.37.54'
	TIMESTAMP=`echo $ROW \| egrep -o "[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{0,6}" \| head -1 \| xargs`
	OUTFILE="$OUTDIR/$SIP,$SPORT,$DIP,$DPORT,$TIMESTAMP"
	if [ $VERBOSE -eq 1 ]; then
	echo -e "Extracting Flow #$i/$NSTREAMS\t:{sip:\"$SIP\",sport:\"$SPORT\",dip:\"$DIP\",dport:\"$DPORT\",ts:\"$TIMESTAMP\"}"
	echo -e "Conversation stored in \"$OUTFILE\""
	fi
	#echo $OUTFILE
	tshark -r $PCAPFILE -R "tcp.stream eq $i" -w $OUTFILE 2>/dev/null

	done
	}


	usage() {
	[ "$" ] && echo "$0: $"
	sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0"
	exit 2
	} 2>/dev/null

	while [ $# -gt 0 ]; do
	case $1 in
	(-h\|--help) usage 2>&1;;
	(-v\|--verbose) VERBOSE=1;shift;break;;
	(--) shift; break;;
	(-*) usage "$1: unknown option";;
	(*) break;;
	esac
	done

	if [ $# -eq 2 ]; then
	INFILE="$1"
	OUTFOLDER="$2"
	fi

	echo $INFILE
	echo $OUTFOLDER
	if [ -f $INFILE -a -d $OUTFOLDER ]; then
	if [ $VERBOSE -eq 1 ];then
	echo "INFO: Dissecting.."
	fi
	extractFlows "$INFILE" "$OUTFOLDER"
	else
	echo "ERR: check if $INFULE and $OUTFOLDER exist and verify that they are respectively readable and writable"
	fi
No results found