
I wonder if there is a way to split a pcap that contains (only) IRC per channel. I'm trying to compare the accuracy of botnet detection in channels using existing IDSs (Suricata, Snort). The only way to check which IRC channel was detected seems to be splitting the pcap by IRC channel and analyzing each pcap separately. Is there any way to do this in tcpdump or any other tool?

Thanks a lot!

preneond

1 Answer


This should be pretty straightforward, as every message (RFC 2812, 3.3; RFC 1459, 2.3) and channel operation (RFC 2812, 3.2; RFC 1459, 4.2) has the channel name in it, in both directions:

  • Client message to channel:

    PRIVMSG #channel :Hello!
    
  • Server message from channel:

    :nick!user@host.example.com PRIVMSG #channel :Hello!
    
  • Channel related operation command examples, to and from server:

    JOIN #channel
    :nick!user@host.example.com JOIN #channel
    
    MODE #channel +ts
    :nick!user@host.example.com MODE #channel +ts
    
    TOPIC #test :new topic
    :nick!user@host.example.com TOPIC #test :new topic
    

Of course you have to make a regular expression that doesn't count the channel name if it's inside a message, topic, etc. I think it would be OK to use the : character as a delimiter like this:

/^(:|)[^:]*(PRIVMSG|JOIN|PART|MODE|TOPIC) #channel( |$)/gm
  • ^(:|) allows an optional : as the first character for messages from the server
  • [^:]* stops the match at the next :
  • (PRIVMSG|JOIN|PART|MODE|TOPIC) list of commands you are looking for – complete as required!
  • #channel the name of the channel
  • ( |$) trailing space or end of line (we don't want to match #channelfoo)
  • flags /gm for global and multi-line

This should work in your use case: it may fail in border cases and isn't really a full IRC protocol parser.

Esa Jokinen
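The splitting the answer describes, carried through as an added example in Python (written for this page, not code from the asker or the answerer, and not a real tool's API). It generalises the answer's regex in three ways that are this example's own assumptions: the channel name is captured instead of hard-coded, the optional server prefix is matched as ":something " rather than "[^:]*", and comma-separated channel lists (JOIN #a,#b) are accepted. It reads a classic little-endian pcap with Ethernet/IPv4/TCP frames using only the standard library, keys every packet by the channel(s) its IRC lines name, and writes one pcap per channel plus one for channel-less lines (NICK, USER, PING). The sample session is constructed inline, not captured traffic. Caveats a practitioner should keep in mind: there is no TCP reassembly, so an IRC line split across two segments is not attributed, and server numeric replies that carry a channel (for example 353 RPL_NAMREPLY) are not in the command list and land in the no-channel file.

```python
import re
import struct
from collections import defaultdict

# Generalised form of the answer's regex (this example's own assumption): the
# channel name is captured rather than fixed, the optional server prefix is
# ":something " instead of "[^:]*", and a comma-separated list (JOIN #a,#b) is
# accepted. Channel prefix characters are those of RFC 2812 section 1.3.
IRC_CHANNEL_RE = re.compile(
    rb'^(?::\S+ )?(?:PRIVMSG|NOTICE|JOIN|PART|MODE|TOPIC|KICK) ([&#+!]\S*)(?= |$)'
)
NO_CHANNEL = b'nochannel'  # bucket for NICK, USER, PING and other channel-less lines


def channels_in(payload):
    """Channels named by the command lines in one TCP payload (it may hold several)."""
    found = []
    for line in re.split(rb'\r?\n', payload):
        m = IRC_CHANNEL_RE.match(line)
        if not m:
            continue  # a channel name inside the ":text" argument never gets here
        for chan in m.group(1).split(b','):
            if chan and chan[:1] in b'&#+!' and chan not in found:
                found.append(chan)
    return found


# Classic little-endian pcap, microsecond timestamps, link type 1 (Ethernet).
PCAP_GLOBAL_HEADER = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def iter_records(pcap):
    """Yield each raw record (16-byte record header + frame); pcapng is out of scope."""
    if struct.unpack('<I', pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError('expected a little-endian classic pcap')
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack('<I', pcap[off + 8:off + 12])[0]
        yield pcap[off:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:14 + struct.unpack('!H', frame[16:18])[0]]
    return tcp[(tcp[12] >> 4) * 4:] if len(tcp) >= 20 else None


def split_pcap_by_channel(pcap):
    """Map channel -> pcap bytes holding only the packets that name that channel.

    A segment naming several channels is copied into each of their files."""
    out = defaultdict(lambda: bytearray(pcap[:24]))  # every part keeps the global header
    for rec in iter_records(pcap):
        payload = tcp_payload(rec[16:])
        for chan in (channels_in(payload) if payload else []) or [NO_CHANNEL]:
            out[chan] += rec
    return {chan: bytes(data) for chan, data in out.items()}


def count_records(pcap):
    return sum(1 for _ in iter_records(pcap))


def _frame(payload, client_to_server, seq):
    """Minimal Ethernet/IPv4/TCP frame around payload; checksums are left zero."""
    client, server = b'\x0a\x00\x00\x01', b'\x0a\x00\x00\x02'
    src, dst, sport, dport = ((client, server, 40000, 6667) if client_to_server
                              else (server, client, 6667, 40000))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, src, dst)
    return b'\x02' * 12 + b'\x08\x00' + ip + tcp + payload


# Constructed session, not captured traffic: (client_to_server, payload).
SAMPLE_LINES = [
    (True, b'NICK bot1\r\n'),
    (True, b'JOIN #cc\r\n'),
    (False, b':bot1!u@h JOIN #cc\r\n'),
    (False, b':bot1!u@h PRIVMSG #cc :meet me in #chat\r\n'),  # text mention: still #cc
    (True, b'PRIVMSG #chat :Hello!\r\n'),
    (False, b':op!u@h TOPIC #chat :new topic\r\n'),
    (True, b'PRIVMSG #chatfoo :x\r\n'),                       # must not count as #chat
    (True, b'PRIVMSG #cc :a\r\nPRIVMSG #chat :b\r\n'),         # two lines, one segment
    (True, b'PING :irc.example.net\r\n'),
]


def build_sample_pcap():
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, (c2s, line) in enumerate(SAMPLE_LINES):
        frame = _frame(line, c2s, seq=i)
        out += struct.pack('<IIII', 1600000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == '__main__':
    for chan, data in split_pcap_by_channel(build_sample_pcap()).items():
        with open('irc_%s.pcap' % chan.decode().lstrip('#&+!'), 'wb') as f:
            f.write(data)
        print(chan.decode(), count_records(data), 'packets')
```

Run as a script it writes irc_cc.pcap, irc_chat.pcap, irc_chatfoo.pcap and irc_nochannel.pcap from the constructed session; replace build_sample_pcap() with the bytes of a real capture to split it. Each per-channel file is a valid pcap that Suricata or Snort can read directly (suricata -r irc_cc.pcap), which is the comparison the question is after. Because a multi-line segment is copied into every channel it names, the per-channel packet counts can add up to more than the input count; that is deliberate, since dropping the segment from either channel would hide traffic from the IDS.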