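#!/bin/sh
#
# Split a packet capture into one directory per source host and, under each
# host, one capture per (source port, destination port) pair whose packets
# match $CONV_FILTER.
#
# Usage: <script> input.cap [base filter]
#   input.cap    capture file readable by `tcpdump -r`
#   base filter  optional BPF expression; only packets matching it contribute
#                source hosts (all remaining arguments are joined into one
#                expression)
#
# Output, written next to the input file:
#   <input>-hosts/<host>/<host>-packets.cap                    all packets to/from host
#   <input>-hosts/<host>/conv/source-<sport>/dest-<dport>.cap  one conversation
#
# Environment:
#   TCPDUMP  path of the tcpdump binary (default /usr/sbin/tcpdump)
#
# Exit status: 0 on success, 1 on a usage or setup error.  Per-host and
# per-conversation tcpdump failures are reported on stderr and skipped.
#
# Host and port values are parsed out of tcpdump's text output, i.e. they are
# derived from the capture's contents; they are validated before being used as
# directory names or BPF operands.

set -u

# CONV_FILTER="tcp[13] = 18" # Match SYN & ACK
# CONV_FILTER="tcp[13] & 2 = 2" # Match SYN
# 0x47455420 is the ASCII bytes "GET ".  tcp[20:4] is the first payload word
# for a 20-byte (option-less) TCP header, tcp[32:4] for a 32-byte one; segments
# with other option lengths are not matched by this filter.
CONV_FILTER="((tcp[20:4] = 0x47455420) or (tcp[32:4] = 0x47455420))" # Match "GET " HTTP req
tcpdump="${TCPDUMP:-/usr/sbin/tcpdump}"

#######################################
# Test whether $1 is a dotted-quad IPv4 address (four decimal octets, 0-255).
# Anything else that tcpdump's text output may yield in the address position
# (IPv6, ARP, truncated lines) is rejected so it never becomes a path
# component or a BPF operand.  Runs in a subshell so IFS and the positional
# parameters are not clobbered.
# Arguments: $1 - candidate string
# Returns:   0 if valid, 1 otherwise
#######################################
is_ipv4() (
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=.
  # shellcheck disable=SC2086 -- splitting on '.' is intended
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
)

#######################################
# Test whether $1 is a decimal TCP/UDP port number (0-65535).
# Arguments: $1 - candidate string
# Returns:   0 if valid, 1 otherwise
#######################################
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 65535 ]
}

#######################################
# Print usage to stderr and exit 1.
# Globals:   none
# Arguments: none
#######################################
usage() {
  printf 'USAGE: %s input.cap [base filter]\n' "$(basename -- "$0")" >&2
  printf '\n' >&2
  printf '%s\n' " Creates a directory tree per host in the input .cap file," >&2
  printf '%s\n' " with subdirectories containing split out conversations for that host" >&2
  printf '%s\n' ' based on the $CONV_FILTER variable from the script' >&2
  printf '\n' >&2
  exit 1
}

if [ $# -lt 1 ]; then
  usage
fi

input=$1
shift

[ -r "$input" ] || { printf 'cannot read %s\n' "$input" >&2; exit 1; }
[ -x "$tcpdump" ] || { printf 'tcpdump not executable at %s\n' "$tcpdump" >&2; exit 1; }

base="$(dirname -- "$input")/$(basename -- "$input")-hosts"
printf 'Creating %s\n' "$base" >&2
mkdir -p -- "$base" || exit 1

# The awk field positions below assume tcpdump -nq output of the form
#   HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: tcp N
# split on both '.' and ' ': $4-$7 is the source address, $8 the source port
# and $14 the destination port (with a trailing ':').  Other link/network
# protocols produce different tokens, which is_ipv4/is_port reject.
"$tcpdump" -nqr "$input" "$*" 2>/dev/null \
  | awk -F'[. ]' '{print $4 "." $5 "." $6 "." $7}' \
  | sort -u \
  | while IFS= read -r fhost; do
      if ! is_ipv4 "$fhost"; then
        printf 'skipping non-IPv4 source field: %s\n' "$fhost" >&2
        continue
      fi
      hostdir="$base/$fhost"
      hostcap="$hostdir/$fhost-packets.cap"
      mkdir -p -- "$hostdir" || continue
      if ! "$tcpdump" -nqr "$input" "host $fhost" -w "$hostcap" 2>/dev/null; then
        printf 'tcpdump failed for host %s\n' "$fhost" >&2
        continue
      fi
      "$tcpdump" -nqr "$hostcap" "$CONV_FILTER" 2>/dev/null \
        | awk -F'[. ]' '{print $8 " " $14}' \
        | sort -u \
        | while read -r sport dport; do
            dport=${dport%:}   # tcpdump prints the destination port as "80:"
            if ! is_port "$sport" || ! is_port "$dport"; then
              printf 'skipping unparsable port pair: %s %s\n' "$sport" "$dport" >&2
              continue
            fi
            convdir="$hostdir/conv/source-$sport"
            mkdir -p -- "$convdir" || continue
            "$tcpdump" -nqr "$hostcap" "port $sport and port $dport" \
              -w "$convdir/dest-$dport.cap" 2>/dev/null \
              || printf 'tcpdump failed for %s port %s -> port %s\n' "$fhost" "$sport" "$dport" >&2
          done
    done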