#!/usr/bin/perl
#
# Copyright (c) 2006 by Raffael Marty
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#  
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# Title: 	Argus 2 CSV
#
# File: 	argus2csv.pl
#
# Version: 	1.0
#
# Description:	Reads ragator/argus records from stdin and prints one record per line. The default
#		"full" layout is space-separated; when a field list is given, the selected fields
#		are printed comma-separated (CSV).
#
# Usage:	ragator -r file.argus -nn -A -s +dur -s +sttl -s +dttl | ./argus2csv.pl ["field list"]
#
# Possible fields (space-separated; these are the names the script resolves the
# field list against, so they must be spelled exactly like this):
# 		timestamp  foo  proto  sip  sport  dir  dip  dport
# 		spkts  dpkts  sbytes  dbytes  status  duration  sttl  dttl  smac  dmac
# 		("foo" is the unnamed column following the timestamp, "*" in the samples below)
#
# Known Issues:
#
# URL:		http://afterglow.sourceforge.net
#
# Changes:	
# 
# 04/10/06	Initial Version by ram
#
###############################################################################/

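use strict;
use warnings;

# Sample ragator records, as produced by the Usage line in the header.
# The first is an IP flow, the second a layer-2 (MAC) record.  The three
# numeric columns after the status (dur, sttl, dttl) are only present when
# ragator is run with "-s +dur -s +sttl -s +dttl"; the parser below accepts
# records both with and without them (the old pattern required them).
#
# 10 Apr 06 10:55:46  *        tcp  217.118.195.58.22     ?>     65.219.2.99.37065 1280     1550      309440       23952       RST    10762    64    255
# 10 Apr 06 10:55:47             0 0:d0:58:fb:81:8 0x4    ->     1:80:c2:0:0:0 0x4 30       0         1290         0           INT       58     0      0
# 10 Apr 06 10:55:46  *        tcp  217.118.195.58.22     ?>     65.219.2.99.37065 1280     1550      309440       23952       RST
# 10 Apr 06 10:55:47             0 0:d0:58:fb:81:8 0x4    ->     1:80:c2:0:0:0 0x4 30       0         1290         0           INT

# Output selector from the command line: either the literal "full" (the
# default) or a space-separated list of field names taken from @FIELDS.
my $output = $ARGV[0] || "full";

# Set to 1 to report records that do not parse (they are otherwise skipped).
my $DEBUG = 0;

# All fields a record can carry; these names are also the only tokens the
# command-line field list accepts.  The previous version resolved each
# token as a symbolic reference ($$token), which let any token on the
# command line read an arbitrary package variable ($0, $], ...) into the
# output and silently dropped misspelled fields, shifting the columns.
# "foo" is the unnamed column after the timestamp ("*" in the first
# sample) and is kept under that name for existing field lists.
my @FIELDS = qw(timestamp foo proto sip sport dir dip dport
                spkts dpkts sbytes dbytes status duration sttl dttl
                smac dmac);
my %KNOWN = map { $_ => 1 } @FIELDS;

# Capture order of the two record layouts, aligned with the regexes below.
my @IP_LAYOUT  = qw(timestamp foo proto sip sport dir dip dport
                    spkts dpkts sbytes dbytes status duration sttl dttl);
my @MAC_LAYOUT = qw(timestamp foo proto smac dir dmac
                    spkts dpkts sbytes dbytes status duration sttl dttl);

# Validate the requested field list once, before reading any input, so a
# typo fails loudly instead of producing a misaligned CSV.
my @tokens;
if ($output ne "full") {
    @tokens = split ' ', $output;            # awk-style: collapses blank runs
    my @unknown = grep { !$KNOWN{$_} } @tokens;
    die "No fields requested. Known fields: @FIELDS\n" unless @tokens;
    die "Unknown field(s): @unknown\nKnown fields: @FIELDS\n" if @unknown;
}

my $IP  = qr/\d+\.\d+\.\d+\.\d+/;
my $MAC = qr/\S+:\S+:\S+:\S+:\S+:\S+/;
# spkts dpkts sbytes dbytes status, then the optional dur sttl dttl trio.
my $TAIL = qr/\s*(\d+)\s*(\d+)\s*(\d+)\s*(\d+)\s*(\S+)(?:\s+(\d+)\s+(\d+)\s+(\d+))?/;

# IP flow: timestamp, flags, proto, src[.port], dir, dst[.port], tail.
# The port separator is a literal dot; the old pattern used an unescaped
# "." which could also swallow the blank in front of the next column.
my $IP_RE  = qr/^(\d+ \S+ \d+ \d+:\d+:\d+)\s+(.*?)\s*(\S+)\s+($IP)(?:\.(\d+))?\s+(\S+)\s+($IP)(?:\.(\d+))?$TAIL/;
# Layer-2 record: timestamp, flags, proto, src MAC, <unknown>, dir,
# dst MAC, <unknown>, tail.  The column after each MAC ("0x4" in the
# sample) is not understood and is not captured -- TODO identify it.
my $MAC_RE = qr/^(\d+ \S+ \d+ \d+:\d+:\d+)\s+(.*?)\s*(\S+)\s+($MAC)\s+\S+\s+(\S+)\s+($MAC)\s+\S+$TAIL/;

while (my $input = <STDIN>) {
    chomp $input;

    # Fresh record for every line.  The previous version kept the fields in
    # package globals, so a MAC record inherited sip/dip/sport/dport from
    # the last IP record (and an IP record inherited smac/dmac) and printed
    # that stale data as if it belonged to the current line.
    my %rec = map { $_ => '' } @FIELDS;

    # List-context match: the assignment yields the capture count (0 on
    # failure), and non-participating groups (e.g. a missing port) are undef.
    my @cap;
    if (@cap = $input =~ $IP_RE) {
        @rec{@IP_LAYOUT} = map { defined $_ ? $_ : '' } @cap;
    } elsif (@cap = $input =~ $MAC_RE) {
        @rec{@MAC_LAYOUT} = map { defined $_ ? $_ : '' } @cap;
    } else {
        $DEBUG && print STDERR "ERROR: $input\n";
        next;
    }

    if ($output eq "full") {
        # Legacy default layout: space separated with a trailing blank, not
        # CSV.  Kept byte-for-byte since downstream tooling consumes it.
        print "$rec{timestamp} $rec{sip} $rec{dip} $rec{sport} $rec{dport} $rec{proto} $rec{sttl} $rec{dttl} \n";
    } else {
        # Every token was validated above, so each slice element is defined.
        print join(',', @rec{@tokens}), "\n";
    }
}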

# To be done:
# 2005-01-12 14:36:48.911346 00:0d:56:fc:f3:04 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 192.168.2.13 tell 192.168.2.12
# 2005-09-08 16:38:27.397885 00:12:f0:c9:59:0e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp reply 10.0.0.183 is-at 00:12:f0:c9:59:0e
# 2005-01-12 14:38:20.660616 00:0d:56:e3:44:33 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::20d:56ff:fee3:4433 > ff02::2: [icmp6 sum ok] icmp6: router solicitation (src lladdr: 00:0d:56:e3:44:33) (len 16, hlim 255)
# 2005-05-03 18:42:31.274438 00:0d:56:74:c4:d9 > ff:ff:ff:ff:ff:ff, 802.3, length 94: LLC, dsap Global (0xff), ssap Global (0xff), cmd 0x00, (NOV-802.3) 00000000.00:0d:56:74:c4:d9.0455 > 00000000.ff:ff:ff:ff:ff:ff.0455: ipx-netbios 50
# 2005-09-08 16:38:14.906293 00:14:69:1f:b3:00 > 01:00:0c:cc:cc:cc, 802.3, length 338: LLC, dsap SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, CDPv2, ttl: 180s, checksum: 692 (unverified), length 316
# 2005-09-08 16:38:11.013187 00:03:93:ea:dc:2f > 33:33:ff:ea:dc:2f, ethertype IPv6 (0x86dd), length 86: fe80::203:93ff:feea:dc2f > ff02::1:ffea:dc2f: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] icmp6: multicast listener report max resp delay: 0 addr: ff02::1:ffea:dc2f [hlim 1] (len 32)
# 2005-09-08 16:38:08.146159 00:03:93:ea:dc:2f > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 86: fe80::203:93ff:feea:dc2f > ff02::2: HBH (padn)(rtalert: 0x0000) [icmp6 sum ok] icmp6: multicast listener done max resp delay: 0 addr: ff02::fb [hlim 1] (len 32)
# 2005-09-08 16:38:05.896611 00:03:93:ea:dc:2f > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 459: fe80::203:93ff:feea:dc2f.5353 > ff02::fb.5353: [udp sum ok]  0 [8q] [8n] ANY? Altair._ftp._tcp.local. ANY? Altair [00:03:93:d5:81:02]._workstation._tcp.local. ANY? Altair._ssh._tcp.local. ANY? Altair._sftp-ssh._tcp.local. ANY? Ari Serim._http._tcp.local. ANY? AriM-bM-^@M-^Ys Beats._daap._tcp.local. ANY? iTunes_Ctrl_AE2BB3BEAAAB7A8B._dacp._tcp.local. ANY? Altair.local. (397) (len 405, hlim 255)
# 2005-09-08 16:38:05.696393 00:03:93:ea:dc:2f > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 349: fe80::203:93ff:feea:dc2f.5353 > ff02::fb.5353: [udp sum ok]  0*- [0q] 8/0/0 _services._dns-sd._udp.local. PTR _ftp._tcp.local., _services._dns-sd._udp.local. PTR _workstation._tcp.local., _services._dns-sd._udp.local. PTR _ssh._tcp.local., _services._dns-sd._udp.local. PTR _sftp-ssh._tcp.local., _services._dns-sd._udp.local. PTR _http._tcp.local., _services._dns-sd._udp.local. PTR _daap._tcp.local., _services._dns-sd._udp.local. PTR _dacp._tcp.local., F.2.C.D.A.E.E.F.F.F.3.9.3.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.E.F.ip6.arpa. (Cache flush) PTR Altair.local. (287) (len 295, hlim 255)



