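#!/usr/bin/perl -w
##
## Analyse.pl
##
## Made by Tab
##
## Started on  Tue 09 Oct 2001 01:28:25 AM CEST tab
## Last Update Tue Nov 25 19:00:00 2001 Nico
##
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program; if not, write to the Free Software
## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
##
##
## AUTHOR: Tab
## MAINTAINERS: Nico, Tab
##
## DESCRIPTION: analyse builds summaries of the log files written by
## net-acct.  Net-acct is a daemon that logs every connection it sees.
##
## SYNOPSIS: analyse (-d|-u) [-h ] [-m ] [-n ] [-f ]
##
## VERSION: 0.2
##

use strict;
use warnings;

# Log file to analyse; overridden by -f/--file.
my $inputfile = "/var/log/net-acct/net-acct.log.0";

# Dotted-quad IP to report on (-h/--host); empty means "summarise every host".
my $host = "";

# When true, show_all() ranks hosts by download instead of upload (-d).
my $download = 0;

# Number of hosts show_all() prints (-n/--nombre); -1 means all of them.
my $nombre_line_affiche = -1;

# Reverse-resolve IPs to names unless --nodns was given.
my $dns_resolve = 1;

# Prefix of the "internal" address range, 138.231.136.0 - 138.231.143.255.
# Kept as a compiled, anchored pattern: inside a double-quoted string the
# "\." escapes are passed through as a bare ".", which matches any character.
my $ip_interne = qr/\A138\.231\.1(?:3[6-9]|4[0-3])\./;

######## ERROR GEST ########

# usage: printed when the arguments are invalid; exits with status 1.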
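sub usage {
    print "Usage:\tanalyse (-d) [-h ][-m ][-n ][-f ]\n\n";
    print "\t-d, --download\tTri la base sur le download\n";
    print "\t-h, --host\tResume des connexions effectues par la machine \n";
    print "\t-n, --nombre\tChoisi le nombre de lignes affichees\n";
    print "\t-f, --file\tSpecifie le fichier qui sera analyse\n";
    print "\t --nodns\tNe resout pas les noms DNS\n";
    print "\t --help\tAffiche cette aide\n";
    print "\n";
    print "par defaut si l'option n'existe pas:\n";
    print "\tdownload = on tri sur l'upload\n";
    print "\tnombre = tout est affiche\n";
    print "\tfile = analyse de /var/log/net-acct/net-acct.log.0\n";
    exit 1;
}

# _open_log: opens $inputfile for reading and returns the lexical handle.
# Three-argument open is used on purpose: the name comes from -f/--file and
# must be taken literally, never parsed for a mode or a pipe.  Dies with the
# OS error when the file cannot be opened (the old code read silently from a
# closed handle and printed an empty summary).
sub _open_log {
    open my $fh, '<', $inputfile
        or die "analyse: cannot open $inputfile: $!\n";
    return $fh;
}

# _top_keys: keys of %$db whose value is > 0, sorted by descending value.
# Returns at most $n of them; $n == -1 (or any negative $n) means all.
# Ties come out in an unspecified order, as they did with the old
# selection loop over an unordered hash.
sub _top_keys {
    my ($db, $n) = @_;
    my @ranked = sort { $db->{$b} <=> $db->{$a} }
                 grep { $db->{$_} > 0 } keys %$db;
    splice @ranked, $n if $n >= 0 && $n < @ranked;
    return @ranked;
}

# show_all: prints one line per internal host, "<up> (<down>)\t<name>",
# ranked by upload when $sort_by_upload is true and by download otherwise.
# $nb_to_print limits the number of lines; -1 prints every host with a
# non-zero total.  Columns read from the log: 2 = source IP, 4 = destination
# IP, 6 = byte count (tab separated).
sub show_all {
    my ($nb_to_print, $sort_by_upload) = @_;
    my (%up_db, %down_db);

    my $in = _open_log();
    while (my $line = <$in>) {
        chomp $line;
        my ($src_ip, $dst_ip, $size) = (split /\t/, $line)[2, 4, 6];
        # A short or malformed line would only add 0 (with warnings); skip it.
        next unless defined $size;
        $up_db{$src_ip}   += $size if $src_ip =~ /$ip_interne/;
        $down_db{$dst_ip} += $size if $dst_ip =~ /$ip_interne/;
    }
    close $in;

    # Rank on the selected direction; the other direction is shown in
    # parentheses and is "0o" when the host never appeared on that side.
    if ($sort_by_upload) {
        for my $ip (_top_keys(\%up_db, $nb_to_print)) {
            print normalize($up_db{$ip}) . " (" . normalize($down_db{$ip}) . ")\t"
                . ip_to_name($ip) . "\n";
        }
    }
    else {
        for my $ip (_top_keys(\%down_db, $nb_to_print)) {
            print normalize($down_db{$ip}) . " (" . normalize($up_db{$ip}) . ")\t"
                . ip_to_name($ip) . "\n";
        }
    }
    return;
}

# _top_ports: the five busiest ports of %$db formatted as "port(size) "
# items, concatenated; ports with no traffic are omitted.
sub _top_ports {
    my ($db) = @_;
    return join '', map { "$_(" . normalize($db->{$_}) . ") " } _top_keys($db, 5);
}

# get_host_info: prints the upload/download report for one IP: totals,
# the top local and remote ports in each direction, derived rates (the log
# is assumed to cover one day) and the sanction category from categorie().
# Columns read from the log: 2 = source IP, 3 = source port, 4 = destination
# IP, 5 = destination port, 6 = byte count.
sub get_host_info {
    my ($ip_search) = @_;
    my ($up_size, $down_size) = (0, 0);
    my (%up_loc_db, %down_loc_db, %up_dist_db, %down_dist_db);

    my $in = _open_log();
    while (my $line = <$in>) {
        chomp $line;
        my ($src_ip, $src_port, $dst_ip, $dst_port, $size)
            = (split /\t/, $line)[2 .. 6];
        next unless defined $size;
        if ($src_ip eq $ip_search) {
            $up_size += $size;
            $up_loc_db{$src_port}  += $size;
            $up_dist_db{$dst_port} += $size;
        }
        if ($dst_ip eq $ip_search) {
            $down_size += $size;
            $down_loc_db{$dst_port}  += $size;
            $down_dist_db{$src_port} += $size;
        }
    }
    close $in;

    print "--- Info for $ip_search ---";
    print "\n ";
    print "\nUpload: \t" . normalize($up_size);
    print "\nPorts locaux: ";
    print _top_ports(\%up_loc_db);
    print "\nPorts distants: ";
    print _top_ports(\%up_dist_db);
    print "\n ";
    print "\nDownload:\t" . normalize($down_size);
    print "\nPorts locaux: ";
    print _top_ports(\%down_loc_db);
    print "\nPorts distants: ";
    print _top_ports(\%down_dist_db);
    print "\n ";
    print "\n--- Quelques Calculs (Purement Informatif) ---";
    # 20 bytes of download are credited against 1 byte of upload.
    print "\nUpload pur:\t" . normalize($up_size - $down_size / 20);
    # Rates assume the log spans 24 hours (1440 min, 86400 s).
    print "\nTaux download:\t";
    print normalize($down_size / 24) . "/h - ";
    print normalize($down_size / 1440) . "/min - ";
    print normalize($down_size / 86400) . "/s";
    print "\nTaux upload:\t";
    print normalize($up_size / 24) . "/h - ";
    print normalize($up_size / 1440) . "/min - ";
    print normalize($up_size / 86400) . "/s";
    print "\n\nCategoria:\t" . categorie($up_size, $down_size);
    print "\n(info: 20 mo download = 1 mo upload)";
    return;
}

#sub get_db_for_host
#{
#    open INPUT, $inputfile;
#    my $id_port;
#    my $id_ip;
#
#    my ($host) = @_;
#
#    print "--- Info $host ---\n";
#
#    if ($option_get_upload == 1)
#    { $id_ip = 2; $id_port = 3; }
#    else
#    { $id_ip = 4; $id_port = 3; }
#
#    while (my $line = <INPUT>) {
#        my ($ip, $port, $size) = (split "\t", $line)[$id_ip,$id_port,6];
#        if ($ip =~ $host) {
#            $db{$port} += $size;
#        }
#    }
#}

###########################
######### TOOLKIT #########

# normalize: turns a byte count into a number followed by a unit prefix
# (Go, Mo, Ko, octets).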
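# normalize: turns a byte count into a number followed by a unit suffix
# (Go, Mo, Ko, o = octets).  undef and negative values print as "0o".
# Go keeps two decimals; Mo and Ko are truncated to whole units; values
# of 1024 bytes or less are printed as given.
sub normalize {
    my ($nb) = @_;
    return "0o" if !defined $nb || $nb < 0;
    my $go = 1024 * 1024 * 1024;
    my $mo = 1024 * 1024;
    return (int($nb * 100 / $go) / 100) . "Go" if $nb > $go;
    return int($nb / $mo) . "Mo"               if $nb > $mo;
    return int($nb / 1024) . "Ko"              if $nb > 1024;
    return $nb . "o";
}

# Pulled in here (compile time, so placement does not matter) for the
# address parsing in ip_to_name().
use Socket qw(inet_pton AF_INET);

# ip_to_name: reverse-resolves a dotted-quad IP to a host name.  Returns the
# IP unchanged when DNS resolution is disabled (--nodns), and
# "$ip [lookup failed]" when the address does not parse or has no PTR record.
sub ip_to_name {
    my ($ip) = @_;
    return $ip unless $dns_resolve;
    # inet_pton is strictly numeric (no forward DNS lookup) and yields undef
    # for a malformed address, where pack("C4", split /\./) silently built a
    # bogus 4-byte string from whatever was in the log.
    my $packed = inet_pton(AF_INET, $ip);
    my $host_name = defined $packed ? gethostbyaddr($packed, AF_INET) : undef;
    return defined $host_name ? $host_name : "$ip [lookup failed]";
}

# categorie: maps (upload, download) byte counts to the sanction label
# printed by get_host_info().  20 bytes of download offset 1 byte of
# upload; thresholds are in MiB of the resulting "pure" upload.
sub categorie {
    my ($upload, $download) = @_;
    my $upload_pure = $upload - $download / 20;
    my $mib = 1024 * 1024;
    return "OK"                     if $upload_pure < 200 * $mib;
    return "Avertissement"          if $upload_pure < 300 * $mib;
    return "Deconnexion 2 semaines" if $upload_pure < 1000 * $mib;
    return "Deconnexion 1 mois"     if $upload_pure < 3000 * $mib;
    return "Adios";
}

# print_host_info: print $nb (from @_) ports for the host.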
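#sub print_host_info
#{
#    my ($nb) = @_;
#    my $max;
#
#    if ($nb == -1)
#    { $nb = (my @nb = (keys %db)); }
#
#    for (my $dec=$nb; $dec > 0; $dec--) {
#        foreach my $port (keys %db) {
#            if ($db{$max} <= $db{$port})
#            { $max = $port; }
#        }
#        print "port $max:\t".normalize($db{$max})."\n"
#            if ($db{$max} > 0);
#        $db{$max} = 0;
#    }
#}

###########################
########## MAIN ###########

## Options
# Hand-rolled parsing, as in the original.  Every value taken from @ARGV is
# checked before it is stored: it ends up as a file name, a loop bound or
# a comparison key.  Unknown arguments now fall through to usage() instead
# of being ignored.
my $ct = 0;
while ($ct < @ARGV) {
    my $arg  = $ARGV[$ct];
    my $next = $ARGV[$ct + 1];    # undef when $arg is the last argument
    if ($arg eq '-d' || $arg eq '--download') {
        $download = 1;
    }
    elsif ($arg eq '-h' || $arg eq '--host') {
        # Require a whole dotted quad; the old pattern was unanchored.
        if (defined $next
            && $next =~ /\A[[:digit:]]{1,3}(?:\.[[:digit:]]{1,3}){3}\z/) {
            $host = $next;
            $ct++;
        }
        else {
            usage();
        }
    }
    elsif ($arg eq '-n' || $arg eq '--nombre') {
        # '-n' used to be a pattern match, so '--nodns' was swallowed by
        # this branch; the count must also be a non-negative integer.
        if (defined $next && $next =~ /\A\d+\z/) {
            $nombre_line_affiche = $next;
            $ct++;
        }
        else {
            usage();
        }
    }
    elsif ($arg eq '-f' || $arg eq '--file') {
        if (defined $next && length $next) {
            $inputfile = $next;
            $ct++;
        }
        else {
            usage();
        }
    }
    elsif ($arg eq '--nodns') {
        $dns_resolve = 0;
    }
    elsif ($arg eq '--help') {
        usage();
    }
    else {
        usage();
    }
    $ct++;
}

# A host was given: detailed report for it; otherwise the per-host ranking.
if ($host ne "") {
    get_host_info($host);
}
else {
    show_all($nombre_line_affiche, !$download);
}
exit 0;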