#!/bin/bash #Author: Edoardo Coli # #Requirements: bash tshark #Tested with: GNU bash, version 4.4.20(1)-release (x86_64-pc-linux-gnu) #Tested with: TShark (Wireshark) 3.6.7 (Git v3.6.7 packaged as 3.6.7-1~ubuntu18.04.0+wiresharkdevstable) #Temporary files to save data _FILE_TMP=".MACrandom.tmp" _FILE2_TMP=".MAClistall.tmp" _FILE3_TMP=".MACprobe.tmp" #Reverence strings _FILE_REF='' _SSID_REF='' #Flags for optional variables _ENHANCED_FLAG='false' _VERBOSE_FLAG='false' _UNIQ_FLAG='false' _PROBE_FLAG='false' #Global parametric variable _MAX_TO=50000 #Counters to show the results _PCKS_CNTR=0 _PCKS_WLAN_CNTR=0 _PCKS_SSID_CNTR=0 _SCOPE_ALL_CNTR=0 _SCOPE_RAND_CNTR=0 _SCOPE_FIX_CNTR=0 #Set the error color to red ERROR="\e[31m" #Set the warning color to yellow WARNING="\e[33m" #Set color to highlight the results LOOKGOOD="\e[0;38;5;208m" #Set the default color DEFAULT="\e[0m" ### error_msg(program_name, msg) function error_msg() { echo "Error: $2" echo "Usage: $1 [OPTIONS]" echo "Try '$1 -h' for more information." } ### verbose_msg(msg) function verbose_msg() { if [[ $_VERBOSE_FLAG == 'true' ]]; then echo -e "${LOOKGOOD}$1${DEFAULT}" fi } ### usage(program_name) function usage() { echo "Usage: $1 [OPTIONS]" echo "Specifies a file to analyze if not passed through redirection." echo "Pipe(|) have priority over flag -f." echo "Redirection(<) have priority over pipe(|)." echo "WARNING: When using pipe redirection for data stream remember to use the -U and -w flags." echo " The "-U" flag instructs tcpdump to write packets to the output file immediately (unbuffered mode)." echo " (this should avoid having \"appears to have been cut short in the middle of a packet\")" echo " The "-w" flag specifies the output file where packets will be saved." echo echo "Options:" echo " -e, Option to discriminate and merge different MAC addresses (NOT YET DEVELOPED)" echo " -f, Set the file to analyze" echo " -i, Set SSID filter to analyze frames" echo " -n, Number of packets to analyze, in case of file data input (starting from the beginning) ~~TODO test with data stream" echo " -p, Option to pipe in data stream, without a pipe is ignored" echo " -u, Option to not consider duplicates in MAC count" echo " -v, Option for enable verbose messages" echo echo "Example:" echo " sudo tcpdump -i -U -w $_FILE3_TMP | $0 -p" echo " $0 < file.pcap" echo " cat file.pcap | $0" echo " $0 -f file.pcap" echo } ### Behavior when received SIGINT function handle_sigint() { # verbose_msg "SIGINT received..." # verbose_msg "killing main process" #Cleanup code rm -f "$_FILE_TMP" rm -f "$_FILE2_TMP" rm -f "$_FILE3_TMP" rm -f "$lock_print" kill -9 $_PROCESS_ID #forcefully terminate the process, and any subprocesses or child processes, with the ID using the SIGKILL signal (sometimes it's not enough, why?) exit 0 } ### check_ret(prog_name, val_ret) function check_ret() { notgood=0 case $1 in "filtering_away") if [ $2 -ne 0 ]; then notgood=1 fi ;; "print_results") if [ $2 -ne 0 ]; then notgood=1 fi ;; *) echo -e "${WARNING}Setup success value returned for function \"$1\"${DEFAULT}" return 1;; esac if [ $notgood -eq 1 ]; then echo -e "${ERROR}Problem with the execution of \"$1\", exited with status $2${DEFAULT}" fi } ### function filtering_away() { #(TENTATIVO DI PARALLELIZZAZIONE) OK MA SCAMBIA I RISULTATI A CASO IN BASE A COME FINISCE wc # verbose_msg "Counting packets in $_FILE_REF" # verbose_msg "Counting packets with field 'wlan' in $_FILE_REF" # _TMP=$(tshark -r $_FILE_REF -T fields -e frame.number -c $_MAX_TO | wc -l & tshark -r $_FILE_REF -Y "wlan" -T fields -e frame.number -c $_MAX_TO | wc -l) # wait #Command to wait for the background process to finish before continuing with the rest of the script. # _PCKS_CNTR=$(echo $_TMP | cut -d ' ' -f 1) # _PCKS_WLAN_CNTR=$(echo $_TMP | cut -d ' ' -f 2) # verbose_msg "=> $_PCKS_CNTR in $_FILE_REF" # verbose_msg "=> $_PCKS_WLAN_CNTR wlan" scope='wlan.ta' #filter for the main scope of divide randomized MAC and fixed ones. filterSSID='' verbose_msg "Counting packets in $_FILE_REF" _PCKS_CNTR=$(tshark -r $_FILE_REF -T fields -e frame.number -c $_MAX_TO | wc -l) #for details see 'man tshark'. verbose_msg "=> $_PCKS_CNTR" verbose_msg "Counting packets with field 'wlan' in $_FILE_REF" _PCKS_WLAN_CNTR=$(tshark -r $_FILE_REF -Y "wlan" -T fields -e frame.number -c $_MAX_TO | wc -l) #for details see 'man tshark'. verbose_msg "=> $_PCKS_WLAN_CNTR" if ! [[ $_SSID_REF == '' ]]; then filterSSID="&& (wlan.ssid == $_SSID_REF)" #filter from command line to narrow the scope with a specific SSID. verbose_msg "Counting packets with field 'wlan.ssid == $_SSID_REF' in $_FILE_REF" _PCKS_SSID_CNTR=$(tshark -r $_FILE_REF -Y "wlan.ssid == $_SSID_REF" -T fields -e frame.number -c $_MAX_TO | wc -l) #for details see 'man tshark'. verbose_msg "=> $_PCKS_SSID_CNTR" fi filter="($scope) && (wlan) $filterSSID" #save the complete filter which wanna use to split the data. rm -f $_FILE_TMP $_FILE2_TMP #just as a precaution. if [[ $_UNIQ_FLAG == 'true' ]]; then verbose_msg "Counting packets with filter '$filter' in $_FILE_REF" _SCOPE_ALL_CNTR=$(tshark -r $_FILE_REF -Y "$filter" -T fields -e wlan.ta -c $_MAX_TO | tr '[:lower:]' '[:upper:]' | sort | uniq | tee >(wc -l) >"$_FILE2_TMP") #for details see 'man tshark'. tr swap all upper-case. sort+uniq remove the duplicates. tee split the data in the pipe. verbose_msg "=> $_SCOPE_ALL_CNTR" if [[ $_VERBOSE_FLAG == 'true' ]]; then _SCOPE_RAND_CNTR=$(cut -c 1-17 $_FILE2_TMP | awk '/^.[AE26]:..:..:..:..:../{print $1}' | sort | uniq | tee >(wc -l) >"$_FILE_TMP") #cut print selected parts of line. awk is used to consider only MAC specified(x[A E 2 6]:xx:xx:xx:xx:xx). sort+uniq remove the duplicates(seems useless but necessary). tee split the data in the pipe. else _SCOPE_RAND_CNTR=$(cut -c 1-17 $_FILE2_TMP | awk '/^.[AE26]:..:..:..:..:../{print $1}' | sort | uniq | wc -l) #cut print selected parts of line. awk is used to consider only MAC specified(x[A E 2 6]:xx:xx:xx:xx:xx). sort+uniq remove the duplicates(seems useless but necessary). fi else verbose_msg "Counting packets with filter '$filter' in $_FILE_REF" _SCOPE_ALL_CNTR=$(tshark -r $_FILE_REF -Y "$filter" -T fields -e wlan.ta -e wlan.fc.type -c $_MAX_TO | tr '[:lower:]' '[:upper:]' | tee >(wc -l) >"$_FILE2_TMP") #for details see 'man tshark'. tr swap all upper-case. tee split the data in the pipe. verbose_msg "=> $_SCOPE_ALL_CNTR" if [[ $_VERBOSE_FLAG == 'true' ]]; then _SCOPE_RAND_CNTR=$(cut -c 1-17 $_FILE2_TMP | awk '/^.[AE26]:..:..:..:..:../{print $1}' | tee >(wc -l) >"$_FILE_TMP") #cut print selected parts of line. awk is used to consider only MAC specified(x[A E 2 6]:xx:xx:xx:xx:xx). tee split the data in the pipe. else _SCOPE_RAND_CNTR=$(cut -c 1-17 $_FILE2_TMP | awk '/^.[AE26]:..:..:..:..:../{print $1}' | wc -l) #cut print selected parts of line. awk is used to consider only MAC specified(x[A E 2 6]:xx:xx:xx:xx:xx). fi fi _SCOPE_FIX_CNTR=$(expr $_SCOPE_ALL_CNTR - $_SCOPE_RAND_CNTR) return 0; } ### function print_results() { if ! [ -t 0 ]; then echo "Total Number of Packets captured: $_PCKS_CNTR" else echo "Total Number of Packets captured in \"$_FILE_REF\": $_PCKS_CNTR" fi echo echo -n "Number of Frame Structure of IEEE 802.11" if [[ $_UNIQ_FLAG == 'false' ]]; then echo -n " (with field 'wlan.ta' $_SCOPE_ALL_CNTR)" fi echo -n " : $_PCKS_WLAN_CNTR" if [[ $_PCKS_WLAN_CNTR -eq 0 || $_PCKS_CNTR -eq 0 ]]; then echo else echo "(~$(expr $_PCKS_WLAN_CNTR \* 100 / $_PCKS_CNTR )%)" fi if ! [[ $_SSID_REF == '' ]]; then echo "-->Taking into account only those with \"SSID=$_SSID_REF\": $_PCKS_SSID_CNTR" fi echo -n "----> with randomized MAC: $_SCOPE_RAND_CNTR" if [[ $_SCOPE_RAND_CNTR -eq 0 || $_PCKS_WLAN_CNTR -eq 0 ]]; then echo else echo "(~$(expr $_SCOPE_RAND_CNTR \* 100 / $_SCOPE_ALL_CNTR )%)" fi echo "----> with fixed MAC: $_SCOPE_FIX_CNTR" if [[ $_VERBOSE_FLAG == 'true' ]]; then N=10 if [ $(wc -l < $_FILE_TMP) -gt $N ]; then echo && echo -e "${LOOKGOOD}$_FILE_TMP${DEFAULT}" && head -n $N "$_FILE_TMP" && echo "..." elif [ $(wc -l < $_FILE_TMP) -gt 0 ]; then echo && echo -e "${LOOKGOOD}$_FILE_TMP${DEFAULT}" && head -n $N "$_FILE_TMP" fi # rm $_FILE_TMP if [ $(wc -l < $_FILE2_TMP) -gt $N ] && [[ $_UNIQ_FLAG == 'false' ]]; then echo && echo -e "${LOOKGOOD}$_FILE2_TMP${DEFAULT}" && head -n $N "$_FILE2_TMP" && echo "..." && echo "[Frame Control Type:]" && echo "[0-Management Frame, 1-Control Frame, 2-Data Frame, 3-Extension Frame, (4+)-PV1 Reserved]" elif [ $(wc -l < $_FILE2_TMP) -gt $N ]; then echo && echo -e "${LOOKGOOD}$_FILE2_TMP${DEFAULT}" && head -n $N "$_FILE2_TMP" && echo "..." elif [ $(wc -l < $_FILE2_TMP) -gt 0 ]; then echo && echo -e "${LOOKGOOD}$_FILE2_TMP${DEFAULT}" && head -n $N "$_FILE2_TMP" fi # rm $_FILE2_TMP fi echo return 0 } ### START EXECUTION _PROCESS_ID=$$ #save the process ID of the current shell if [ $# -le 0 ] && [ -t 0 ]; then #if the number of arguments is less than or equal to 0 and we don't have a redirection. error_msg $0 "Nothing has been passed to analyze" exit 1 else while getopts 'ef:hi:n:puv' flag; do #colon(:) to indicate that the flag has one argument. case "${flag}" in e) _ENHANCED_FLAG='true' ;; f) _FILE_REF="${OPTARG}" ;; h) usage $0 exit 0;; i) _SSID_REF="${OPTARG}" ;; n) _MAX_TO="${OPTARG}" ;; p) _PROBE_FLAG='true' ;; u) _UNIQ_FLAG='true' ;; v) _VERBOSE_FLAG='true' ;; *) exit 1;; esac done fi if ! [ -t 0 ]; then #checks if the descriptor is opened with a redirection, regardless of type of redirection used. if [ -p /dev/stdin ]; then #checks if there is a pipe redirection. Redirection from a command and not from a file. if [[ $_PROBE_FLAG == 'true' ]]; then #checks if we want to process a data stream (from tcpdump). trap handle_sigint SIGINT #set up a trap for SIGINT lock_print=$(mktemp) #creates a unique temporary file name in /tmp/ folder. _FILE_REF="$_FILE3_TMP" sleep 2 #waiting to have something to analyze echo -ne "\033[2J\033[H" #The "\033[2J" sequence clear the terminal screen, the "\033[H" sequence moves the cursor to the top left corner of the screen. while true do filtering_away > $lock_print check_ret filtering_away $? print_results >> $lock_print check_ret print_results $? echo -e "\033[2J\033[H" #The "\033[2J" sequence clear the terminal screen, the "\033[H" sequence moves the cursor to the top left corner of the screen. echo "$(cat $lock_print)" #The "$()" syntax is used to execute the command inside the parentheses and return the result as a string (used to handle print cases TO REVIEW) done else _FILE_REF=$(mktemp) #creates a unique temporary file name in /tmp/ folder. cat /dev/stdin > "$_FILE_REF" fi else if head -c4 | od -t x4 -N4 | grep -q -e "a1b2c3d4" -e "d4c3b2a1" -e "0a0d0d0a"; then #handled only pcap, pcapng files (not erf ...) using magic number of file. _FILE_REF=$(mktemp) #creates a unique temporary file name in /tmp/ folder. cat /dev/stdin > "$_FILE_REF" else error_msg $0 "Not a pcap/pcapng file" exit 1; fi fi else if ! [[ $_FILE_REF == '' ]]; then if ! head -c4 $_FILE_REF | od -t x4 -N4 | grep -q -e "a1b2c3d4" -e "d4c3b2a1" -e "0a0d0d0a"; then #handled only pcap, pcapng files (not erf ...) using magic number of file. error_msg $0 "'$_FILE_REF' not a pcap/pcapng file" exit 1; fi else error_msg $0 "Insert a file using -f flag" exit 1; fi fi filtering_away check_ret filtering_away $? if ! [ -t 0 ]; then rm -f "$_FILE_REF" fi print_results check_ret print_results $? exit 0