#!/usr/bin/perl
#################################################################################################
#             applejuice 
#################################################################################################
# This script reads a PCAP file and prints out all searches done with the AppleTV and the
# results that were clicked on.
#
# Author: Amar Yousif
# Version : 1.0
# Date : 1/22/2010
#
# Dependencies: TSHARK, SORT
#
# Copyright 2010 Amar Yousif (AmarYousif ( a t ) gmail.com)
#
# Please 1) report bugs and give suggestions when you can, and 
#        2) give credit when you use  :) 
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#    See <http://www.gnu.org/licenses/> for more info.
#
# If you are missing any of the perl modules needed for this script, install from CPAN    
# like so, we'll use Pod::Usage as an example: "perl -MCPAN -e 'install Pod::Usage'".

use strict;
use Getopt::Long;
use Pod::Usage;
use FindBin '$Bin';

# other variables
my $file;
my $print_help;
my $show_version;
my $SANS;
my $version = "1.0";
my $date;
my $time;
my $userip;
my $action;
my $object;
my $getstrg;
my $ignore1;
my $ignore2;
my $ignore3;
my $ignore4;
my $ignore5;
my $ignore6;


# read options
GetOptions(
    "read:s"    => \$file,
    "version!"  => \$show_version,
    "SANS!"     => \$SANS,
    "help|?!"   => \$print_help
) or pod2usage(2);

# check if we are asking for help
pod2usage( -verbose => 1 ) if $print_help;

# print version information
show_version() if $show_version;
&SAN if $SANS;

# check if input file exists
pod2usage(2) unless -e $file;


#get the pcap and run the tshark magic on it, put the output in the juice file
`tshark -t ad -r evidence03.pcap -R 'http.request.uri contains "/WebObjects/MZSearch.woa/wa/incrementalSearch"' > $Bin/orangeconcentrate.tmp`;
`tshark -t ad -r evidence03.pcap -R 'http.request.uri contains "/b/ss/applesuperglobal/1/G.6--NS?pageName=Movie%20Page"' >> $Bin/orangeconcentrate.tmp`;
`sort -n $Bin/orangeconcentrate.tmp > $Bin/orangejuice.tmp`;

#format the juice and print out the info
open( IN, "<$Bin/orangejuice.tmp" )
      || die "Can't open $Bin/orangejuice.tmp for reading: $!\n";
    while (<IN>) {
		($ignore1,$date,$time,$userip,$ignore2,$ignore3,$ignore4,$ignore5,$getstrg)=split(" ");
		if ($getstrg=~/incrementalSearch/) 
			{
			$action='searched-for';
			$_=$getstrg;
			s/.*\?//; s/\&/ /;
			$object=$_;
			}
		else
			{
			$action='clicked-on';
			$_=$getstrg;
			s/.*\?//; s/\&.*//; s/%20//g;  
			$object=$_;
			}
		#$time=~s/\..*//;
		print "$date $time $userip  $action:  $object\n";	

    }
    close(IN);

`rm $Bin/orange*.tmp`; 

exit;




#---------------------------Yummy SUBS-------------------

sub SAN {
    my $range = 100;
    my $random_number = rand($range);
    print "\n", 'Sec558 is more magical than a liger. -Napoleon Dynamite', "\n\n" if ($random_number < 70);
    print "\n", 'I caught you a delicious bass. -Napoleon Dynamite', "\n\n" if ($random_number == 70);
    print "\n", 'Pedro offers you his protection if you take Sec558. -Napoleon Dynamite', "\n\n" if ($random_number > 70);
    exit 0;
}

sub show_version {
    print "\n\n", $0, ' version ', $version, ' copyright 2010, Amar Yousif',
      "\n\n";
    exit 0;
}


__END__

=pod

=head1 msg 

B<applejuice> takes a pcap file as an input and prints out information about all Apple Store searches in that pcap file.

=head1 NAME

B<applejuice> - a script to read PCAP file and display info about Apple Store searches. 

=head1 SYNOPSIS

B<applejuice> -r|--read PCAP_FILE

=head1 OPTIONS

=over 8

=item B<-r|-read PCAP_FILE>

The PCAP file that the script should read.

=item B<-v|-version>

Dump the version number of the script to the screen and quit.

=item B<-h|-help|-?>

Print this help menu.

=back

=head1 DESCRIPTION

B<applejuice> takes a pcap file as an input and prints out information about all Apple Store searches in that pcap file.

=head1 AUTHOR

Amar Yousif <amaryousif AT gmail.com> 2010

=cut



----------------------------------------------------------------------------------