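'
' xstream - dump reassembled raw tcp stream data in/out
'
' Usage: cscript xstream.vbs input-tcpdump-file output-dir
'
' Imports a tcpdump (libpcap) capture into a temporary Unsniff database
' (temp_cap.usnf in the current directory) and, for every entry of the
' database's stream index, writes two files into output-dir:
'     <src>_<sport>_<dst>_<dport>.OUT.dat
'     <src>_<sport>_<dst>_<dport>.IN.dat
'
' Error handling: "On Error Resume Next" is kept so that one bad stream does
' not abort the whole export, but every step that can fail is checked through
' Err and reported. A failed import or save is never silent, because a
' partial export that looks complete is misleading when the output is used
' as evidence. The script exits with code 1 if any step failed.
'
On Error Resume Next

Dim Sout, InputTCPD, DirName, fso, UnsniffDB, STIndex, ST
Dim Fname, ExpFilePath, Failures

Set Sout = WScript.StdOut
Failures = 0

If WScript.Arguments.Count <> 2 Then
    Sout.WriteLine "Usage: cscript xstream.vbs input-tcpdump-file output-dir "
    WScript.Quit
End If

InputTCPD = WScript.Arguments.Item(0)
DirName = WScript.Arguments.Item(1)

Set fso = CreateObject("Scripting.FileSystemObject")

' Fail early on a missing capture file instead of letting the import fail
' unnoticed and producing an empty output directory.
If Not fso.FileExists(InputTCPD) Then
    Fail "input file not found: " & InputTCPD
End If

' Remove a temporary database left behind by an earlier (possibly aborted) run.
If fso.FileExists("temp_cap.usnf") Then
    fso.DeleteFile "temp_cap.usnf"
End If

'
' Check if Directory Exists (Create if it doesn't)
'
If Not fso.FolderExists(DirName) Then
    Err.Clear
    fso.CreateFolder (DirName)
    If Err.Number <> 0 Then
        Fail "cannot create output folder " & DirName & ": " & Err.Description
    End If
    Sout.WriteLine "Created Output Folder " & DirName
End If

' Import from tcpdump (libpcap) format
Err.Clear
Set UnsniffDB = CreateObject("Unsniff.Database")
If Err.Number <> 0 Then
    Fail "cannot create Unsniff.Database object: " & Err.Description
End If

UnsniffDB.New("temp_cap.usnf" )
UnsniffDB.Import "libpcap", InputTCPD
If Err.Number <> 0 Then
    Fail "import of " & InputTCPD & " failed: " & Err.Description
End If
Sout.WriteLine "Imported tcpdump file " & InputTCPD

Set STIndex = UnsniffDB.StreamIndex
If Err.Number <> 0 Then
    ' Under Resume Next a For Each over an invalid collection would still run
    ' its body once with garbage values, so stop here.
    Fail "cannot open stream index: " & Err.Description
End If

For Each ST In STIndex
    With ST
        ' The name is built from capture contents. SafeName replaces characters
        ' that are not valid in a Windows file name; in particular ':' (which
        ' would appear if an address is printed in IPv6 text form) would
        ' otherwise address an NTFS alternate data stream or make the save fail.
        ' NOTE(review): two index entries with the same address/port 4-tuple
        ' map to the same file names; whether SaveToFile overwrites is not
        ' visible here - confirm.
        Fname = SafeName(.SourceAddress & "_" & .SourcePort & "_" & .DestinationAddress & "_" & .DestinationPort)
        ExpFilePath = fso.BuildPath(DirName, Fname)

        ' NOTE(review): the trailing 0,-1 presumably select the whole stream
        ' (start offset, length) - confirm against the Unsniff documentation.
        Err.Clear
        Sout.WriteLine "OUT " & ExpFilePath
        .SaveToFile ExpFilePath & ".OUT.dat", "out", 0, -1
        If Err.Number <> 0 Then
            Sout.WriteLine "ERROR: could not save " & ExpFilePath & ".OUT.dat: " & Err.Description
            Failures = Failures + 1
            Err.Clear
        End If

        Sout.WriteLine "IN " & ExpFilePath
        .SaveToFile ExpFilePath & ".IN.dat", "in", 0, -1
        If Err.Number <> 0 Then
            Sout.WriteLine "ERROR: could not save " & ExpFilePath & ".IN.dat: " & Err.Description
            Failures = Failures + 1
            Err.Clear
        End If
    End With
Next

UnsniffDB.Close()
fso.DeleteFile "temp_cap.usnf"

If Failures > 0 Then
    Sout.WriteLine "Finished with " & Failures & " failed save(s)"
    WScript.Quit 1
End If

' Print an error message and stop the script with a non-zero exit code.
Sub Fail(Message)
    Sout.WriteLine "ERROR: " & Message
    WScript.Quit 1
End Sub

' Return Text with every character that is invalid in a Windows file name
' ( \ / : * ? " < > | ) replaced by "-".
Function SafeName(Text)
    Dim i, ch, result
    result = ""
    For i = 1 To Len(Text)
        ch = Mid(Text, i, 1)
        If InStr("\/:*?""<>|", ch) > 0 Then
            result = result & "-"
        Else
            result = result & ch
        End If
    Next
    SafeName = result
End Function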