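#!/bin/bash
#
# mine.sh - carve files out of a packet capture.
#
# Usage: mine.sh <pcapdump>
#
# Pipeline, all relative to the current directory:
#   1. tcpflow reconstructs every TCP stream in the capture into ./flow
#   2. foremost carves files from each reconstructed stream into
#      ./processed/<stream name>
#   3. foremost's audit.txt reports, anything smaller than 1 KiB and
#      empty directories are pruned from ./processed
#   4. the surviving files are renumbered into ./files as <n>.<ext>
#
# ./flow, ./processed and ./files are wiped and recreated on every run.
# The capture is untrusted input; every name passed on from it is quoted
# and filenames are handled NUL-delimited so that odd characters in
# tool-generated paths cannot break the loops.
set -euo pipefail
shopt -s nullglob   # an empty ./flow must not leave a literal "flow/*" behind

readonly FLOW_DIR=flow
readonly PROCESSED_DIR=processed
readonly FILES_DIR=files

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Wipe and recreate the three working directories.
# Globals:   FLOW_DIR, PROCESSED_DIR, FILES_DIR (read)
# Returns:   exits via set -e if a directory cannot be created
#######################################
reset_dirs() {
  local d
  for d in "$FLOW_DIR" "$PROCESSED_DIR" "$FILES_DIR"; do
    if [[ -d "$d" ]]; then
      rm -rf -- "${d:?}"   # :? refuses to run on an empty name
    fi
    mkdir -- "$d"
  done
}

#######################################
# Reconstruct the TCP streams of a capture into FLOW_DIR.
# Globals:   FLOW_DIR (read)
# Arguments: $1 - absolute path of the capture file
# Outputs:   progress text on stdout
# Returns:   exits with 1 if tcpflow fails
#######################################
reconstruct_streams() {
  local dump=$1
  printf 'reconstructing packets... '
  # Run in a subshell so the working directory is restored even when
  # tcpflow fails; the original "cd flow && ... && cd .." left the script
  # inside ./flow on failure.
  (cd -- "$FLOW_DIR" && tcpflow -r "$dump") || die "tcpflow failed on $dump"
  printf 'done\n'
}

#######################################
# Run foremost over every reconstructed stream.
# Globals:   FLOW_DIR, PROCESSED_DIR (read)
# Outputs:   progress text on stdout, per-stream warnings on stderr
#######################################
carve_streams() {
  local stream
  printf 'mining data... '
  for stream in "$FLOW_DIR"/*; do
    # Best effort, as before: one stream foremost cannot handle must not
    # abort the whole run, but say so instead of failing silently.
    foremost -Q -o "$PROCESSED_DIR/${stream##*/}" -i "$stream" \
      || printf 'warning: foremost failed on %s\n' "$stream" >&2
  done
  printf 'done\n'
}

#######################################
# Drop foremost's audit reports, tiny files and empty directories.
# Globals:   PROCESSED_DIR (read)
# Outputs:   progress text on stdout
#######################################
prune_processed() {
  printf 'nuking useless data... '
  find "$PROCESSED_DIR" -mindepth 1 -type f -name audit.txt -exec rm -f -- {} +
  find "$PROCESSED_DIR" -mindepth 1 -type f -size -1024c -exec rm -f -- {} +   # files < 1 KiB
  # -delete implies -depth, so children are visited before their parent and
  # a directory emptied by this pass is itself removed in the same pass.
  find "$PROCESSED_DIR" -mindepth 1 -type d -empty -delete
  printf 'done\n'
}

#######################################
# Move every carved file into FILES_DIR as <n>.<ext>.
# Globals:   PROCESSED_DIR, FILES_DIR (read)
# Outputs:   progress text on stdout
#######################################
collect_files() {
  local path base ext n=0
  printf 'moving data into "%s" dir... ' "$FILES_DIR"
  # NUL-delimited and sorted bytewise so the numbering is reproducible and
  # paths containing whitespace survive; the loop runs in the current shell
  # so $n is not lost to a pipeline subshell.
  while IFS= read -r -d '' path; do
    n=$((n + 1))
    base=${path##*/}
    # Take the extension from the basename only; stripping up to the last
    # "." of the full path turned a dot in a stream directory name into a
    # bogus "extension" containing slashes for files without one.
    if [[ "$base" == *.* ]]; then
      ext=${base##*.}
    else
      ext=bin
    fi
    mv -- "$path" "$FILES_DIR/$n.$ext"
  done < <(find "$PROCESSED_DIR" -mindepth 1 -type f -print0 | LC_ALL=C sort -z)
  printf 'done\n'
}

#######################################
# Entry point.
# Arguments: $1 - path to the packet capture
# Returns:   0 on success; 1 on usage error, missing tool or tcpflow failure
#######################################
main() {
  local dump
  [[ -n "${1:-}" ]] || die "usage: $0 <pcapdump>"
  if ! command -v tcpflow >/dev/null 2>&1 || ! command -v foremost >/dev/null 2>&1; then
    die "tcpflow or foremost missing"
  fi

  dump=$(readlink -f -- "$1") || die "cannot resolve $1"
  [[ -r "$dump" ]] || die "cannot read $dump"

  reset_dirs
  reconstruct_streams "$dump"
  carve_streams
  prune_processed
  collect_files
}

main "$@"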