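#!/usr/bin/perl
#
# Name:    getpcapfromsancpindex.pl
# Version: 0.1
# Author:  John Curry (john.curry@metre.net)
# Created: 2008-03-10
#
# This tool is designed to be used with index and pcap output files produced
# by SANCP 1.6.2 (or greater) (see: http://www.metre.net/sancp.html)
#
# NO WARRENTY is expressed or implied, USE AT OWN RISK!!!
#
# Reads SANCP index entries (sancp_id|output_filename|start_pos|stop_pos) from
# standard input, copies the byte range [start_pos, stop_pos) of the referenced
# pcap file onto the end of the output file, and prefixes every output file that
# is empty or absent with the 24-byte pcap global header of the current input
# file.
#
# The pcap filenames come from the index read on standard input, so they are
# opened with an explicit read mode (3-arg open): a filename beginning with
# '|' or '>' is then a plain filename, never a pipe or a write mode.
#
use strict;
use warnings;
use Fcntl qw(SEEK_SET SEEK_END);

use constant PCAP_HEADER_LEN => 24;    # bytes of pcap global header copied to each new output file

my $debug = '';    # set to '1' to enable debug output

#
# Parse one index line.
# Returns ($sancp_id, $filename, $start_pos, $stop_pos), or an empty list when
# the line has fewer than four fields, an empty id or filename, non-numeric
# offsets, or stop_pos < start_pos (which would be a negative packet length).
# Only the first four fields are used; a trailing "\r\n" is accepted.
#
sub parse_index_entry {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;
    my ( $sancp_id, $filename, $start_pos, $stop_pos ) = split /\|/, $line;
    return if !defined $stop_pos;    # fewer than four fields
    return if $sancp_id eq '' || $filename eq '';
    return if $start_pos !~ /\A\d+\z/ || $stop_pos !~ /\A\d+\z/;
    return if $stop_pos < $start_pos;
    return ( $sancp_id, $filename, $start_pos, $stop_pos );
}

#
# Print usage on standard output. "<outputfile>" stands for the first
# positional argument.
#
sub usage {
    print "\n";
    print "Usage: cat index | $0 <outputfile> [ split ]\n";
    print "\n";
    print " Reads SANCP's default index output format from standard input (example format: sancp_id|output_filename|start_pos|stop_pos)\n";
    print " Opens related pcap output files, extracts packets and appends each to '<outputfile>'\n";
    print " Provide the second argument to further 'split' packets into unique files according to sancp_id (i.e. '<outputfile>.\$sancp_id')\n";
    print "\n";
    return;
}

#
# Copy every packet named on standard input into the output file(s).
# Malformed index lines and unreadable input pcaps are reported on STDERR and
# skipped; a failure to open or write an output file is fatal, since nothing
# useful can happen after that.
#
sub main {
    my $OUTPUTFILE = $ARGV[0];                            # outputfile from command line
    my $UNIQUE     = defined $ARGV[1] ? $ARGV[1] : '';    # any value containing 'split' => one file per sancp_id

    # Check for first command-line argument and print usage, if none is provided
    if ( !defined $OUTPUTFILE ) {
        usage();
        exit;
    }

    my $in_fh;                     # current input pcap handle (undef until first successful open)
    my $out_fh;                    # current output handle (undef until first open)
    my $lastfilename       = '';   # input file currently open ('' = none)
    my $lastoutputfilename = '';   # output file currently open ('' = none)
    my $lastsancpid        = '';   # sancp_id of the previous entry ('' = none)
    my $thisoutputfile     = '';
    my $pcapfileheader     = '';   # global header of the current input file

  ENTRY:
    while ( my $item = <STDIN> ) {
        my ( $sancpid, $filename, $start_pos, $stop_pos ) = parse_index_entry($item);
        if ( !defined $sancpid ) {
            chomp $item;
            warn "Skipping malformed index entry: '$item'\n";
            next ENTRY;
        }
        print "$sancpid,$filename,$start_pos,$stop_pos - $lastfilename\n" if $debug;

        # Switch input file when the entry names a different one
        if ( $lastfilename ne $filename ) {
            if ( defined $in_fh ) {
                close $in_fh;
                $in_fh        = undef;
                $lastfilename = '';
            }
            print "Opening $filename\n" if $debug;
            if ( !open $in_fh, '<', $filename ) {
                warn "Cannot open $filename: $!\n";
                $in_fh = undef;    # open autovivifies the handle even on failure
                next ENTRY;
            }
            binmode $in_fh;

            # Copy the pcap header; it is written to any output file created later
            my $got = sysread $in_fh, $pcapfileheader, PCAP_HEADER_LEN;
            if ( !defined $got || $got != PCAP_HEADER_LEN ) {
                warn "$filename: cannot read pcap global header, entry skipped\n";
                close $in_fh;
                $in_fh = undef;
                next ENTRY;
            }
            $lastfilename = $filename;
        }

        # Create new output filename, as needed
        if ( $UNIQUE =~ /split/ ) {
            $thisoutputfile = "$OUTPUTFILE.$sancpid" if $lastsancpid ne $sancpid;
        }
        else {
            $thisoutputfile = $OUTPUTFILE;
        }

        # Open output file, as needed
        if ( $lastoutputfilename ne $thisoutputfile ) {
            if ( defined $out_fh ) {
                close $out_fh or die "close $lastoutputfilename: $!\n";
            }
            print "Opening $thisoutputfile\n" if $debug;

            # Write the pcap header from the current input file if the output
            # file is empty or not present; otherwise append to what is there.
            if ( !-s $thisoutputfile || !-f $thisoutputfile ) {
                open $out_fh, '>', $thisoutputfile
                    or die "Cannot create $thisoutputfile: $!\n";
                binmode $out_fh;
                my $wrote = syswrite $out_fh, $pcapfileheader;
                die "Cannot write pcap header to $thisoutputfile: $!\n"
                    if !defined $wrote || $wrote != length $pcapfileheader;
            }
            else {
                open $out_fh, '>>', $thisoutputfile
                    or die "Cannot open $thisoutputfile for append: $!\n";
                binmode $out_fh;
            }
            $lastoutputfilename = $thisoutputfile;
        }
        $lastsancpid = $sancpid;

        # Copy the packet bytes [start_pos, stop_pos) to the end of the output file
        my $len = $stop_pos - $start_pos;
        if ( $len == 0 ) {
            print "Empty packet for $sancpid, nothing written\n" if $debug;
            next ENTRY;
        }
        sysseek $in_fh, $start_pos, SEEK_SET
            or do { warn "$filename: seek to $start_pos failed: $!\n"; next ENTRY };
        sysseek $out_fh, 0, SEEK_END
            or die "$thisoutputfile: seek to end failed: $!\n";

        my $chunk = '';
        my $got   = sysread $in_fh, $chunk, $len;
        if ( !defined $got || $got != $len ) {
            # A truncated packet would corrupt the output pcap, so drop it whole
            my $read = defined $got ? $got : 0;
            warn "$filename: short read at $start_pos (wanted $len, got $read), packet skipped\n";
            next ENTRY;
        }
        print "Writing chunk $len\n" if $debug;
        my $wrote = syswrite $out_fh, $chunk;
        die "$thisoutputfile: write failed: $!\n"
            if !defined $wrote || $wrote != $len;
    }

    # Close open file handles; buffered write errors surface at close
    if ( defined $out_fh ) {
        close $out_fh or die "close $lastoutputfilename: $!\n";
    }
    close $in_fh if defined $in_fh;
    return;
}

main() unless caller;    # run when executed as a script, not when loaded as a module

1;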