1 files changed, 53 insertions, 0 deletions

diff --git a/script/investigate.sh b/script/investigate.sh
new file mode 100755
index 0000000..9f67949
--- /dev/null
+++ b/script/investigate.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+if [ $# -ne 3 ]
+then
+	echo "Extracts the data for one machine and one register from a Modbus dump"
+	echo "and stores both the data and a plot in the current directory."
+	echo
+	echo "Usage: $0 DUMP IP ADDR"
+	echo "Example: $0 packets_00014_20161128135616.cap 192.168.215.66 64"
+	exit
+fi
+
+if [[ ! -f "$1" || ! -r "$1" ]]
+then
+	echo "Dump file $1 does not exist or cannot be read."
+	exit
+fi
+
+CAPTURE_FILE=$(realpath "$1")
+FILTER_MACHINE=$2
+FILTER_REGISTER=$3
+
+BRODIR=$(realpath "$(dirname "$0")/../..")
+BROSCRIPT_BASE=${BRODIR}/broccoli/script/modbus.bro
+
+TMPDIR=$(mktemp --tmpdir --directory pasad.XXXX)
+TMPDIR_BRO=${TMPDIR}/bro
+BROSCRIPT_MOD=${TMPDIR}/modbus.bro
+
+OUTDIR=$(pwd)
+OUTFILE_DAT=${OUTDIR}/${FILTER_MACHINE}-${FILTER_REGISTER}.dat
+OUTFILE_PNG=${OUTDIR}/${FILTER_MACHINE}-${FILTER_REGISTER}.png
+
+echo " * Preparing Bro script ..."
+cp "${BROSCRIPT_BASE}" "${BROSCRIPT_MOD}"
+sed -ie "s/\(const enable_filtering : bool = \).*;/\1T;/g" "${BROSCRIPT_MOD}"
+sed -ie "s/\(const filter_ip_addr : addr = \).*;/\1${FILTER_MACHINE};/g" "${BROSCRIPT_MOD}"
+sed -ie "s/\(const filter_mem_addr : count = \).*;/\1${FILTER_REGISTER};/g" "${BROSCRIPT_MOD}"
+
+echo " * Running Bro ..."
+mkdir "${TMPDIR_BRO}"
+cd "${TMPDIR_BRO}"
+bro -r "${CAPTURE_FILE}" "${BROSCRIPT_MOD}" > /dev/null
+
+echo " * Extracting data ..."
+tail -n +9 "${TMPDIR_BRO}/pasad-parsed.log" | cut -f 5 > "${OUTFILE_DAT}"
+echo "${OUTFILE_DAT}"
+
+echo " * Generating graph ..."
+echo "set terminal png; plot '${OUTFILE_DAT}' using 0:1 title '${FILTER_MACHINE} ${FILTER_REGISTER}'" | gnuplot > "${OUTFILE_PNG}"
+echo "${OUTFILE_PNG}"
+
+rm -r "${TMPDIR}"