#!/bin/bash
#
# Based on http://heapspray.net/post/using-tshark-to-view-raw-socket-streams/
#
# I always name my PCAPs with the .pcap extension. Modify this if you don't.
#
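# Validate the arguments before creating anything: a bad invocation should
# neither leave a stray log file behind nor sit waiting at the pause below.
if [ "$#" -lt 1 ]; then
  echo "Usage: tshark_streams.sh <pcap file> [filter rules]" >&2
  exit 2
fi

# The capture may be given with or without the .pcap suffix. Only a trailing
# .pcap is stripped (a name such as foo.pcap.bak is left alone); every output
# file is named after $dump.
dump=${1%.pcap}
filter=${2-}   # optional tshark display filter, empty when not supplied
if [ ! -r "$dump.pcap" ]; then
  echo "tshark_streams.sh: cannot read $dump.pcap" >&2
  exit 1
fi
echo "\$dump.pcap: $dump.pcap"
read -r FAKE   # pause so the resolved name can be checked before the slow work

# I like to have a log to look up. Some PCAPs are slow to work. Need to know at
# what stage the work is.
tshlog=tsh-$(date +%y%m%d_%H%M).log
export tshlog
touch "$tshlog"
echo "\$tshlog: $tshlog"
ls -l "$tshlog"
read -r FAKE

#######################################
# Print a message to the terminal and append it to the log.
# Globals:   tshlog (read)
# Arguments: the message words
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$tshlog"
}

#######################################
# Run one tshark "follow" extraction and keep only the lines that contain
# at least one printable character.
# Globals:   dump (read)
# Arguments: $1 - follow spec, e.g. tcp,raw,3 or ssl,ascii,3
#            $2 - output file
#            remaining args - extra tshark options placed before -qz
# Outputs:   writes the filtered extraction to $2; logs the command run
#######################################
follow_stream() {
  local spec=$1 out=$2
  shift 2
  local -a cmd=(tshark -r "$dump.pcap" "$@" -qz "follow,$spec")
  log "${cmd[*]} | grep -E '[[:print:]]' > $out"
  "${cmd[@]}" | grep -E '[[:print:]]' > "$out"
}

# Collect the distinct TCP stream indexes with a single read of the capture.
# With a filter, -2 -R runs a two-pass read so the display filter is applied
# before the fields are printed. "sort -n | uniq" is kept on purpose: "sort -nu"
# compares numerically and would treat the empty lines produced by non-TCP
# packets and stream 0 as equal, dropping one of them.
if [ -n "$filter" ]; then
  log "STREAMS=\$(tshark -r $dump.pcap -2 -R \"$filter\" -T fields -e tcp.stream | sort -n | uniq)"
  STREAMS=$(tshark -r "$dump.pcap" -2 -R "$filter" -T fields -e tcp.stream | sort -n | uniq)
else
  log "STREAMS=\$(tshark -r $dump.pcap -T fields -e tcp.stream | sort -n | uniq)"
  STREAMS=$(tshark -r "$dump.pcap" -T fields -e tcp.stream | sort -n | uniq)
fi
log "\$STREAMS: $STREAMS"

# Four files per stream: the TCP payload in raw form (.bin) and as ASCII
# (.txt), then the same two views of the SSL/TLS layer. Word-splitting of
# $STREAMS is intentional: it holds one integer per line.
# NOTE(review): recent tshark releases refer to this layer as "tls"; if
# "follow,ssl" is rejected, change the spec to tls,raw / tls,ascii.
for i in $STREAMS; do
  INDEX=$(printf '%05d' "$i")
  echo "INDEX=$INDEX"
  echo "Processing stream $INDEX ..."

  follow_stream "tcp,raw,$i"   "${dump}_s$INDEX.bin"     -T fields -e data
  follow_stream "tcp,ascii,$i" "${dump}_s$INDEX.txt"
  follow_stream "ssl,raw,$i"   "${dump}_s$INDEX-ssl.bin" -T fields -e data
  follow_stream "ssl,ascii,$i" "${dump}_s$INDEX-ssl.txt"
done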
