#############################################################################
# sample sniffer script file
#############################################################################

#############################################################################
# sniffer global configuration options
#############################################################################

# name of device to attach sniffer to
#set device "eth0"
set device "lo"

# priorities for sniffer and dumper threads; -20 is top priority, 0 is
# normal and 20 is the least
# NOTE(review): negative (raised) priorities presumably need elevated
# privileges on the host — confirm against the engine before deploying
set sniffer_priority 0
set dumper_priority -10

# specify location of sniffer log file; if you put "syslog" instead of
# regular file name, sniffer log will be sent to local syslog
# NOTE(review): a bare file name is presumably resolved against the sniffer's
# working directory — verify, and prefer an absolute path in production
#set log_file syslog
set log_file sniffer.log

# dump buffered packets every x seconds,
set dump_freq 30
# or whenever buffer exceeds certain size (specified in kilobytes)
set dump_buffer_size 1024
# or whenever sniffer buffers more than x packets
set dump_packets 5000

#############################################################################
# sniffer event handlers
#############################################################################

#############################################################################
# on_initialize
#
# this function is called at scripting engine startup. First, we set some
# global variables for more comfortable work later on. After that, you can
# put your own initialization stuff (opening file for packet logging,
# creating connection to database, or anything else that needs to be called
# once at session start).
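#
#############################################################################
proc on_initialize {} {
    global action ip_proto

    # return codes understood by the engine when on_receive_packet returns
    set action(add) 1
    set action(skip) 2

    # IP protocol numbers that on_receive_packet compares with $ip(protocol)
    set ip_proto(icmp) 1
    set ip_proto(tcp) 6
    set ip_proto(udp) 17

    #########################################################################
    # Place custom initialization commands here
    global log

    # The dump holds raw captured payloads, so create it owner-readable only
    # instead of the umask default. The permissions argument only applies
    # when the file is created; an already existing file keeps its mode.
    set log [open "./sniffer.dump" "a" 0600]

    # flush I/O buffers at every newline char sent to log file
    # see 'man n fconfigure' for other possible values
    fconfigure $log -buffering line
}

#############################################################################
# on_shutdown
#
# is called on sniffer shutdown. Use it to clean up things done in
# on_initialize (close files, etc).
#
#############################################################################
proc on_shutdown {} {
    #########################################################################
    # Place custom shutdown commands here
    global log

    # only close the dump if on_initialize actually managed to open it;
    # otherwise a failed startup would raise a second error here
    if {[info exists log]} {
        close $log
    }

    # turn off promiscuous mode after sniffer exits
    promisc_off
}

#############################################################################
# on_start_sniffing
#
# this function is called after the sniffer engine is initialized, but
# right before actual sniffing starts.
#
#############################################################################
proc on_start_sniffing {} {
    # turn on promiscuous mode on device we're sniffing (done once here, not
    # per packet)
    promisc_on
}

#############################################################################
# on_receive_packet
#
# function is called whenever packet capture engine acquires new packet
# from the device it's listening to. Do not put some heavy processing here,
# as this function is called in real time. Intended use is to filter out
# unwanted packets, so that you have only desired material for later
# post-processing.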
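#
#############################################################################
proc on_receive_packet {} {
    global packet eth action ip ip_proto

    # This handler runs once per captured packet, so it must stay cheap.
    # Promiscuous mode is switched on once in on_start_sniffing; the
    # leftover per-packet promisc_on test call was removed from here.

    # Frames without an IP header presumably leave ip(protocol) unset
    # (verify against the engine); treat those as "skip" instead of
    # raising an error inside the capture loop.
    if { ![info exists ip(protocol)] || $ip(protocol) != $ip_proto(tcp) } {
        # ignore all non-TCP packets
        return $action(skip)
    }

    # default is to add packet to the buffer
    return $action(add)
}

#############################################################################
# on_dump_packet
#
# this function is called whenever buffered packet needs to be processed.
# Common use would be to log packets to file or database, or any other
# post-processing.
#
#############################################################################
proc on_dump_packet {} {
    global packet eth ip tcp udp icmp
    global log

    # Only TCP packets reach this point because on_receive_packet skips
    # everything else, so the tcp array is expected to be populated.
    puts $log "[clock format $packet(time)]"
    puts $log "$ip(saddr) ($tcp(source)) -> $ip(daddr) ($tcp(dest))"
    puts $log "TCP data length: $tcp(data_length)"
    puts $log "TCP payload hex dump:"
    puts $log $tcp(data_hex)

    # data_ascii is the raw, untrusted payload written verbatim; it may
    # contain newlines or text that mimics the record framing above, so
    # anything parsing the dump should rely on data_hex/data_length rather
    # than on the ASCII rendering.
    puts $log "TCP payload ASCII dump:"
    puts $log $tcp(data_ascii)
}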