-
Notifications
You must be signed in to change notification settings - Fork 0
/
process_pcap.sh
38 lines (30 loc) · 1.39 KB
/
process_pcap.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/bin/bash
# Ensure a .pcap file is passed as an argument
if [ -z "$1" ]; then
echo "Usage: $0 <pcap_file>"
exit 1
fi
# Assign the provided .pcap file path to a variable
PCAP_FILE="$1"
# Extract the base name of the pcap file without the .pcap extension
PCAP_NAME=$(basename "$PCAP_FILE" .pcap)
# Directory paths (update these as needed)
ZEEK_OUTPUT_DIR="ZeekFiles"
ARGUS_OUTPUT_DIR="ArgusFiles"
FINAL_OUTPUT_DIR="FinalOutput"
ZEEK_SCRIPT="script.zeek"
# Create output directories if they don't exist
mkdir -p "$ZEEK_OUTPUT_DIR" "$ARGUS_OUTPUT_DIR" "$FINAL_OUTPUT_DIR" || true
# Run Zeek with the specified log directory and script, storing output with PCAP name
zeek -r "$PCAP_FILE" "ExtractFeatures::log_dir=$ZEEK_OUTPUT_DIR/ZEEK_${PCAP_NAME}" "$ZEEK_SCRIPT" || true
# Run Argus to generate ARGUS file
argus -r "$PCAP_FILE" -w "$ARGUS_OUTPUT_DIR/ARGUS_${PCAP_NAME}.argus" || true
# Run ra on the ARGUS file to generate CSV
ra -r "$ARGUS_OUTPUT_DIR/ARGUS_${PCAP_NAME}.argus" \
-s sport,saddr,dport,daddr,stime,dur,proto,state,spkts,dpkts,sbytes,dbytes,rate,sload,dload,sloss,dloss,sintpkt,dintpkt,sjit,djit,tcprtt,smeansz \
-u -c ',' > "$ARGUS_OUTPUT_DIR/RA_${PCAP_NAME}.csv" || true
# Call to python script with proper arguments
python3 ./merge.py \
"$ARGUS_OUTPUT_DIR/RA_${PCAP_NAME}.csv" \
"$ZEEK_OUTPUT_DIR/ZEEK_${PCAP_NAME}.log" \
"$FINAL_OUTPUT_DIR/MERGED_${PCAP_NAME}.csv" || true