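#!/bin/bash
#
# Carve files out of a packet capture.
#
# tcpflow reassembles each TCP stream of the capture into flow/, foremost
# carves recognisable file types out of every stream into processed/, the
# audit logs and sub-1 KiB fragments are discarded, and whatever survives is
# renumbered into files/.  Everything under files/ is raw content carved from
# the capture and should be treated as untrusted data.
#
# Usage:   $0 <capture.pcap>
# Requires: tcpflow, foremost, GNU readlink (-f)
# Side effects: ./flow, ./processed and ./files in the current directory are
#               deleted and recreated on every run.
set -euo pipefail

if [[ -z "${1:-}" ]]; then
  printf 'usage: %s <capture.pcap>\n' "$0" >&2
  exit 1
fi

for tool in tcpflow foremost; do
  if ! command -v "$tool" > /dev/null 2>&1; then
    printf '%s missing\n' "$tool" >&2
    exit 1
  fi
done

# Resolve the capture path before any directory changes and refuse to start
# on something unreadable: readlink -f happily returns a path for a file that
# does not exist, and we do not want to wipe the output dirs for nothing.
DUMP=$(readlink -f -- "$1")
if [[ ! -r "$DUMP" ]]; then
  printf 'cannot read capture: %s\n' "$1" >&2
  exit 1
fi

# Start from clean output directories.
for dir in flow processed files; do
  if [[ -d "$dir" ]]; then
    rm -rf -- "${dir:?}"
  fi
  mkdir -- "$dir"
done

printf 'reconstructing packets... '
# tcpflow writes into its cwd; run it in a subshell so a failure can never
# leave the rest of the script executing inside flow/.
( cd flow && tcpflow -r "$DUMP" )
printf 'done\n'

printf 'mining data... '
shopt -s nullglob   # an empty flow/ yields zero iterations, not a literal "flow/*"
for f in flow/*; do
  # one foremost output tree per reconstructed stream, keyed by the flow name;
  # carving is best effort, a stream foremost cannot handle is reported and skipped
  foremost -Q -o "processed/${f##*/}" -i "$f" \
    || printf 'warn: foremost failed on %s\n' "$f" >&2
done
shopt -u nullglob
printf 'done\n'

# nuke useless dirs
printf 'nuking useless data... '
# foremost's audit log and anything under 1 KiB are noise for this purpose
find processed -mindepth 1 -type f -name audit.txt -exec rm -f -- {} +
find processed -mindepth 1 -type f -size -1024c -exec rm -f -- {} +   # files < 1Kb
# -delete implies -depth, so directories emptied by the deletions above are
# pruned bottom-up in a single pass
find processed -mindepth 1 -type d -empty -delete
printf 'done\n'

printf 'moving data into "files" dir... '
i=0
# NUL-delimited walk so carved paths containing whitespace survive intact.
# Note that only the sequence number is kept: the originating flow name,
# which is part of the processed/ path, is not recorded anywhere.
while IFS= read -r -d '' f; do
  i=$((i + 1))
  name=${f##*/}
  # keep the carved file's extension; fall back to .bin for a name without
  # one, where ${f##*.} would otherwise produce a bogus multi-segment path
  if [[ "$name" == *.* ]]; then
    ext=${name##*.}
  else
    ext=bin
  fi
  mv -- "$f" "files/$i.$ext"
done < <(find processed -mindepth 1 -type f -print0)
printf 'done\n'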