#! perl -w
# Network Forensics Puzzle Contest
# Alan Tu <alantu@as2.info>
# August 15, 2009

use strict;

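my $TSHARK = 'c:\progra~1\wireshark\tshark.exe'; # define tshark executable
die "tshark not found\n" unless -f $TSHARK;

# Evidence file and the ports involved. The display filter selects the
# conversation on port 51128; the port-443 side of it is not TLS here, so the
# AIM dissector is attached to that port explicitly with -d.
# NOTE: -R is the display-filter switch of older tshark releases; newer
# releases use -Y for single-pass filtering (check `tshark -h` if this fails).
my $PCAP           = 'evidence.pcap';
my $SESSION_PORT   = 51128;
my $DECODE_AS_PORT = 443;

# Fields requested from tshark, in the order the output format below expects.
my @FIELDS = qw(
    frame.number
    frame.time
    ip.src
    tcp.srcport
    ip.dst
    tcp.dstport
    aim.messageblock.message
);

my @TSHARK_ARGS = (
    '-r', $PCAP,
    '-R', "tcp.port == $SESSION_PORT",
    '-d', "tcp.port==$DECODE_AS_PORT,aim",
    '-T', 'fields',
    map { ('-e', $_) } @FIELDS,
);

# List-form pipe open runs tshark directly rather than through a shell, so
# the filter expressions need no shell quoting and the output can be consumed
# line by line instead of being slurped into a list. (The Win32 port supports
# the list form since Perl 5.22.)
open my $tshark_fh, '-|', $TSHARK, @TSHARK_ARGS
    or die "cannot run $TSHARK: $!\n";

# for each packet: one tab-separated line per frame, fields in @FIELDS order
while (my $packet = <$tshark_fh>) {
    chomp $packet;

    # Limit the split to the number of fields so that a tab inside the
    # message text stays part of the message instead of being dropped.
    my ($frame, $time, $src, $sport, $dst, $dport, $message) =
        split /\t/, $packet, scalar @FIELDS;

    # Skip frames that carry no message (e.g. pure ACKs). Testing length
    # rather than truth keeps a literal message of "0" from being skipped.
    next unless defined $message && length $message;

    printf("%d %s %s:%s > %s:%s\n%s\n\n",
        $frame, $time, $src, $sport, $dst, $dport, $message);
}

# Closing a pipe handle reports the child's exit status: a filter or file
# error in tshark would otherwise pass silently as "no messages found".
close $tshark_fh
    or die $! ? "error reading from tshark: $!\n"
              : sprintf("tshark exited with status %d\n", $? >> 8);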
