#!/bin/bash
#
# capture_and_analyze.sh - Capture and analyze covert channel traffic
#
# Usage: sudo ./capture_and_analyze.sh [capture|analyze|live]
#

INTERFACE="docker0"
PCAP_FILE="covert_channel_$(date +%Y%m%d_%H%M%S).pcap"
SYNC_PORT=31337

case "$1" in
    capture)
        echo "╔══════════════════════════════════════════════════════════╗"
        echo "║  Capturing Covert Channel Traffic                        ║"
        echo "╚══════════════════════════════════════════════════════════╝"
        echo
        echo "Interface: $INTERFACE"
        echo "Output: $PCAP_FILE"
        echo "Filter: tcp port $SYNC_PORT"
        echo
        echo "Press Ctrl+C to stop capture"
        echo
        
        tcpdump -i $INTERFACE -w $PCAP_FILE \
            "tcp port $SYNC_PORT or (ip6 and tcp)"
        
        echo
        echo "Capture saved to: $PCAP_FILE"
        echo "Run: $0 analyze $PCAP_FILE"
        ;;
        
    analyze)
        PCAP="${2:-covert_channel.pcap}"
        
        if [ ! -f "$PCAP" ]; then
            echo "Error: File not found: $PCAP"
            exit 1
        fi
        
        echo "╔══════════════════════════════════════════════════════════╗"
        echo "║  Analyzing Covert Channel Traffic                        ║"
        echo "╚══════════════════════════════════════════════════════════╝"
        echo
        echo "File: $PCAP"
        echo
        
        # Basic statistics
        echo "=== Packet Statistics ==="
        tshark -r "$PCAP" -q -z io,stat,1,"COUNT(frame)frame","AVG(frame.time_delta)frame"
        echo
        
        # IPv6 traffic
        echo "=== IPv6 SYN Packets (Sync Channel) ==="
        tshark -r "$PCAP" -Y "ipv6 && tcp.flags.syn==1 && tcp.flags.ack==0" \
            -T fields -e frame.time_relative -e ipv6.src -e ipv6.dst -e tcp.dstport \
            | head -20
        echo "..."
        echo
        
        # Packet rate over time
        echo "=== Packet Rate (packets/100ms) ==="
        tshark -r "$PCAP" -q -z io,stat,0.1,"COUNT(frame)frame" \
            | grep -E "^[|<]" | head -30
        echo
        
        # Unique source addresses
        echo "=== Unique IPv6 Source Addresses ==="
        tshark -r "$PCAP" -Y "ipv6 && tcp.flags.syn==1" \
            -T fields -e ipv6.src | sort -u | head -10
        echo
        
        # Connection attempts over time (for plotting)
        echo "=== Generating timing data for visualization ==="
        tshark -r "$PCAP" -Y "tcp.flags.syn==1" \
            -T fields -e frame.time_relative \
            > timing_data.txt
        
        # Generate gnuplot script
        cat > plot_timing.gnuplot << 'EOF'
set terminal png size 1600,600 enhanced font 'Arial,12'
set output 'covert_channel_timing.png'

set title 'CVE-2023-1206 Covert Sync Channel - Packet Timing'
set xlabel 'Time (seconds)'
set ylabel 'Packet Count (per 100ms bin)'

set style fill solid 0.5
set boxwidth 0.08

# Histogram of packet times
binwidth = 0.1
bin(x, width) = width * floor(x/width)

plot 'timing_data.txt' using (bin($1, binwidth)):(1.0) smooth frequency \
    with boxes lc rgb '#4040ff' title 'SYN Packets (Sync Channel)'
EOF
        
        if command -v gnuplot &> /dev/null; then
            gnuplot plot_timing.gnuplot
            echo "Visualization saved to: covert_channel_timing.png"
        else
            echo "Install gnuplot for visualization: apt install gnuplot"
        fi
        echo
        
        # Detect potential covert channel patterns
        echo "=== Pattern Detection ==="
        
        # Count packets per 100ms window
        WINDOWS=$(tshark -r "$PCAP" -Y "tcp.flags.syn==1" \
            -T fields -e frame.time_relative \
            | awk '{printf "%.1f\n", $1}' | sort | uniq -c | sort -k2 -n)
        
        HIGH_COUNT=$(echo "$WINDOWS" | awk '$1 > 50 {count++} END {print count+0}')
        LOW_COUNT=$(echo "$WINDOWS" | awk '$1 < 10 {count++} END {print count+0}')
        
        echo "High-activity windows (>50 pkts): $HIGH_COUNT"
        echo "Low-activity windows (<10 pkts): $LOW_COUNT"
        
        if [ "$HIGH_COUNT" -gt 5 ] && [ "$LOW_COUNT" -gt 5 ]; then
            echo
            echo "⚠️  POTENTIAL COVERT CHANNEL DETECTED!"
            echo "    Alternating high/low packet rate pattern observed."
            echo "    This matches CVE-2023-1206 sync channel signature."
        fi
        ;;
        
    live)
        echo "╔══════════════════════════════════════════════════════════╗"
        echo "║  Live Traffic Monitor                                    ║"
        echo "╚══════════════════════════════════════════════════════════╝"
        echo
        echo "Monitoring for covert channel patterns..."
        echo "Press Ctrl+C to stop"
        echo
        
        # Live packet rate display
        tshark -i $INTERFACE -f "tcp port $SYNC_PORT" \
            -q -z io,stat,1,"COUNT(frame)frame" 2>/dev/null &
        TSHARK_PID=$!
        
        # Also show live packets
        tcpdump -i $INTERFACE -n -l "tcp port $SYNC_PORT and tcp[tcpflags] & tcp-syn != 0" 2>/dev/null | \
        while read line; do
            echo "$line"
        done
        
        kill $TSHARK_PID 2>/dev/null
        ;;
        
    *)
        echo "Usage: $0 [capture|analyze|live]"
        echo
        echo "Commands:"
        echo "  capture           Start packet capture"
        echo "  analyze [file]    Analyze pcap file"
        echo "  live              Live traffic monitor"
        echo
        echo "Examples:"
        echo "  sudo $0 capture"
        echo "  sudo $0 analyze covert_channel.pcap"
        echo "  sudo $0 live"
        ;;
esac