#!/bin/sh
#
# p0frep - trivial reporting script for p0f logfiles
# --------------------------------------------------
#
# Copyright 2002-2004 by Michal Zalewski <lcamtuf@coredump.cx>
#

echo "p0frep: p0f v2 log analyzer by <lcamtuf@coredump.cx>"

if [ $# -lt 2 ]; then
	cat >/dev/stderr <<EOHELP
Usage: $0 logfile.txt sortby [ 'ipmask' 'sysmask' ]

    logfile.txt    - input file
    sortby         - 'system' or 'addr'; sort order
    ipmask         - IP mask, e.g. 195.117.3. (can be '')
    sysmask        - system name mask, e.g. 'Windows'

Typical usage might be:

To get your local systems in 10.0 subnet sorted by OS name:
  p0frep log.txt system 10.0.

To get all AIX boxes sorted by IP:
  p0frep log.txt addr '' AIX

...and so on.
EOHELP
	exit 1
fi

if [ ! -f "$1" ]; then
  echo "No filename given." >/dev/stderr
  exit 1
fi

if [ "$2" = "system" ]; then

  cat "$1" | awk -F'> ' '{print $2}NF==1{print $1}' | grep -F ' - ' | awk '{print "^" $0}' | grep -F "^$3" | \
  awk '{print $3 " " $1}' | grep "^$4" | awk -F: '{print $1}' | \
  sed 's/\^//g' | sort | uniq -c 

elif [ "$2" = "addr" ]; then

  cat "$1" | awk -F'> ' '{print $2}NF==1{print $1}' | grep -F ' - ' | awk '{print "^" $0}' | grep -F "^$3" | \
  awk '{print $3 " " $1}' | grep "^$4" | awk -F: '{print $1}' | \
  sed 's/\^//g' | awk '{print $2 " " $1}' | sort | uniq -c 

else
 
  echo "Second parameter (sort order) mst be 'system' or 'addr'." >/dev/stderr
  exit 1

fi

exit 0