#!/usr/local/bin/perl
#
#################################################################################
# 
# Arp Data Processor                                     ver 4.0
# 
# Goal : To process the data from arp watch program
#        letting you sort and search for specific data
#
# This is a perl script to process the data file produced by arpwatch
# using an html interface.  Adjust the first line to point to your perl.
#
# You can pretty up the background and buttons to your own 
# liking and I didn't add a "back" button as that tends to 
# be system specific. 
#
# Author : B Johnston
#
#  Copyright (c) 2000,2001,2002 B. Johnston
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2, or (at your option)
#  any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */
#
#
#
# ver 1.1 : Fixed an error in the sh "if" test that gives problems
#           the first time you run when there is no $QUERY_STRING
#           defined.  Also cleaned up the code and "looks".
#
# ver 1.2 : Found one minor error but the big error was the comments
#           inside the "cat <<EOM" portion of the code.  Sun's sh
#           allowed the comments but BSD didn't.
#           Also had to fix my awk calls to run with "gawk".
#
# ver 2.0 : Added a DOWNLOAD feature that would use FTP to transfer
#           the selected data in a comma delimited format.  This required
#           adding another "download" form and button and the arpview.dwn
#           script.  Your server must be setup to run files that DO NOT
#           have the .cgi extension or you need to change the name of
#           arpview.dwn to something with a .cgi extension and fix the
#           reference to it in the download form.
#           I also added a gawk script file "arp.awk" that is used to
#           give a TRUE numerical sort of the ip address (it's pretty
#           tricky).
#
# ver 3.0 : Converted the cgi and awk scripts into a single perl implementation
#           with the DOWNLOAD added to the same script.  Everything is self
#           contained in this one script.
#
# ver 3.1 : Finally handled the dates and added a header to the download file.
#           Figured out how to name the download file using the "Disposition"
#           attribute of the mime reference.  I dynamically create a filename 
#           for the download file based on the current date.
#
#           You may be able to script this by calling the program with the 
#           following : 
#         .../cgi-bin/arpview.pl?srch_str=.&sort_order=hostname&download=download
#           This will call the script and create the download file all you need to 
#           figure out is how to push the "OK" button on the ftp dialogue box.
#
# ver 3.2 : Added support to allow the script to be put anywhere and called 
#           anything, it is independent of location and name.  See $ver in SETUP.
#     
#           Bug Fix : Fixed the bug that overwrites duplicate addresses.  One of
#           the plusses of arpview is that it can show you when you have duplicate
#           ip's in your network, when I switched to perl I used arrrays for sorting
#           and ended up overwriting duplicate data.
#
# ver 3.2f : Added "Julian" to the downloaded .csv file header. Gary Sullivan
#
# ver 3.3 : Bug Fix (?) - Just as in ver 3.2 we can overwrite duplicate MAC address
#           with the array structure I adopted in perl.  You can have duplicate
#           entries with the same MAC address and they will be thrown away.
#           Feature - Added a MAC sort button in conjuction with the above bug
#           and added an announcer that lets you know you have duplicates and 
#           highlights them in RED.  If you don't like the color go to the Subs
#           at the bottom of the file and change the #FF0000 to some other color.
#           The announcer script is on line 293 (or search on FF) and you can 
#           change that format and color also as you desire.
#
# ver 4.0 : Added a BLUE color highlight to the date sort, shows significant events
#           via a time stamp.  It shows if a lot of hosts arp at the same time.  
#           Also modified the Download Data function to give you both an excel csv
#           file and a text report file that also highlights the duplicates.  You 
#           can use it to add to a report or email it etc.  Try arpview on the 
#           arp_dup that came in the tar file to see the new features. 
#           
#           Made this an official release that can be spread around, added a license
#           file and copyright notices to the code.  I was able to get the email
#           address arpview@yahoo.com (pretty cool) so I changed the $signature
#           variable.
###################################################################################
# set some defaults
# Change the $arp_data line to point to your data file using a full
# unix path, I use a link set in the cgi-bin directory to point to 
# the data file.
#
# set the $ver variable to the path and filename for this perl
# program in "server" format, ie from the root of your htdocs.
###################################################################
$[ = 1;
$, = ' ';
$\ = "\n";

$ver = "/cgi-bin/arpview40.pl";
# $arp_data = "/usr/local/arpwatch/arp.dat";
$arp_data = "arp_dup.dat";
$downld = "download";
($wday,$month,$day,$hour,$year) = split(' ', (localtime(time)));
$downld_file = sprintf('arpview_%s%s.', $month, $day);
$duplicate = 0;
$sort_order = "hostname";
$search_string = ".";
$date = localtime((stat($arp_data))[10]);
($wday,$month,$day,$hour,$year) = split(' ', $date);
$file_date = sprintf('%s %s %s %s @ %s', $wday, $month, $day, $year, $hour);

$signature="<H5>ArpView v4.0 - <I>Created by Bill Johnston <A HREF=\"mailto:arpview\@yahoo.com\">Arpview email</A> 
   </I></H5>";

###################################################################
# Open the arpwatch data file
###################################################################
open(ARP_DATA, $arp_data);

###################################################################
# Process the QUERY_STRING environment variable for the values
# from the form.
###################################################################
$QS = $ENV{"QUERY_STRING"};
$QS =~ s/\+//g;
@para = split(/[&]/, $QS);
for ($i = 1; $i <= $#para; $i++)
  {
   @tmp = split(/=/, $para[$i], 9999);
   $parameter{$tmp[1]} = $tmp[2];
  }

if ($parameter{'srch_str'} =~ /./)
 {
  $search_string = $parameter{'srch_str'};
 }

if ($parameter{'sort_order'} ne undef)
 {
  $sort_order = $parameter{'sort_order'};
 }

$downld = $parameter{'download'};

$date = localtime((stat($arp_data))[10]);
($wday,$month,$day,$hour,$year) = split(' ', $date);
$file_date = sprintf('%s %s %s %s @ %s', $wday, $month, $day, $year, $hour);
$count = 1;

###################################################################
# Start the loop to process the data file, doing the sort based
# on the $sort_order variable.  Check out the ip number sort it
# is a tricky little routine that does a logical not numeric sort.
###################################################################
while (<ARP_DATA>)
 {
  ($edress,$ip_num,$jdate,$hostname) = split(' ', $_);
  $date = localtime($jdate);
  ($wday,$month,$day,$hour,$year) = split(' ', $date);
  $trans_date = sprintf('%s %s %s %s @ %s', $wday, $month, $day, $year, $hour);
  @tmp = split(/\./, $ip_num);
  $trans_ip = sprintf('%03d%03d%03d%03d', $tmp[1], $tmp[2], $tmp[3], $tmp[4]);
  $host{$count} = $hostname;
  $ip{$count} = $ip_num;
  $tip{$count} = $trans_ip;
  $date{$count} = $jdate;
  $tdate{$count} = $trans_date;
  $mac{$count} = $edress;
  $count++;
 }   
  if ($sort_order eq 'hostname')
   {
    @sorted = sort by_hostname keys(%host);
   }
  elsif ($sort_order eq 'ip_num')
   {
    @sorted = sort by_ip keys(%tip);
   }
  elsif ($sort_order eq 'mac_num')
   {
    @sorted = sort by_mac keys(%mac);
   }
  else
   {
    @sorted = sort by_date keys(%date);
    $ip = $jdate;
   }

###################################################################
# If you are downloading data fill the data array with comma delimited
# data, if you are making a html table add the TR, TD needed to the 
# data as you load the array.
###################################################################


###################################################################
# After processing the data file this generates the output, either
# a html form or downloaded data.  The "trick" to cause the download
# is in declaring the TYPE as an octet-stream and the "Disposition"
# allows me to put a filename on the downloaded data. Notice the use of
# the perl format feature to build the html file doing it this way 
# makes it easier to change the form.  
#
# The reason the FORM data was done with a print was needing to use
# variables to load the VALUE fields.  The perl format pads the fields
# with spaces which are translated to "+" when passed through the FORM
# causing problems.  I found it easier to use the print command then
# adding code to strip the "+", personal preference.
###################################################################
if ($downld eq 'download')
 {
  if ($parameter{'format'} eq 'excel')
   {
    print("Content-TYPE: application/octet-stream");
    print("Content-Disposition: attachment; filename=\"".$downld_file."csv\"\n");
    print("Name,IP,MAC,Julian,Time");
    foreach $i (@sorted)
     {
      $data = sprintf("%s,%s,%s,%s,%s",$host{$i},$ip{$i},$mac{$i},$date{$i},$tdate{$i});
      $data =~ s/<F.*\">//;
      $data =~ s/<.*>//;
      if ($data =~ /$search_string/)   
       {    
        print($data);
       } 
     }
   }
  else
   {
    print("Content-TYPE: application/octet-stream");
    print("Content-Disposition: attachment; filename=\"".$downld_file."txt\"\n");
    print("Arpview Data - last updated " . $file_date . "\n");
    print("File : " . $downld_file . "txt       (Duplicates indicated by *)");
    print("+================+=================+===================+=============================+");
    printf("|%15s |%16s |%18s |%28s |\n", "Hostname", "IP Address", "Mac Address", "Date");
    print("+----------------+-----------------+-------------------+-----------------------------+");
    foreach $i (@sorted)
     {
      $host{$i} =~ s/<F.*\">/*/;
      $host{$i} =~ s/<.*>//;
      $ip{$i} =~ s/<F.*\">/*/;
      $ip{$i} =~ s/<.*>//;
      $mac{$i} =~ s/<F.*\">/*/;
      $mac{$i} =~ s/<.*>//;
      $tdate{$i} =~ s/<F.*\">/*/;
      $tdate{$i} =~ s/<.*>//;
      $data = sprintf("|%15s |%16s |%18s |%28s |",$host{$i},$ip{$i},$mac{$i},$tdate{$i});
      if ($data =~ /$search_string/)   
       {    
        print($data);
       } 
     }
    print("+================+=================+===================+=============================+");
   }
 }
else
 {
  $~ = "HTML1";
  write;
  print("<FORM ACTION=\"".$ver."\">\n");
  $~ = "HTML2";
  write;

  print("<FORM ACTION=\"".$ver."\">\n",
        "<Input Type = \"hidden\" Name=\"srch_str\" Value=\"".$search_string."\">\n",
        "<Input Type = \"hidden\" Name=\"sort_order\" Value=\"".$sort_order."\">\n",
        "<Input Type = \"hidden\" Name=\"download\" Value=\"download\">\n",
        "<INPUT ALIGN=\"CENTER\" TYPE=\"submit\" VALUE=\"Download Data\">\n",
        "Format : \n",
        "<Input Type=\"radio\" Name=\"format\" Value=\"excel\" Checked>Excel (csv)\n",
        "<Input Type=\"radio\" Name=\"format\" Value=\"text\">Report (txt)\n",
        "</FORM>\n");

  if ($duplicate == 1)
   {
    print("<I>Duplicate </I><B>" . $sort_order . "</B><I> shown in <Font Color=\"#FF0000\">RED</I></Font>\n",
          "<BR>\n");
   }

  $~ = "TABLEHEAD";
  write;
  foreach $i (@sorted)
   {
    $data = ('<TR><TD>' . $host{$i} . '</TD><TD>' . $ip{$i} .
             '</TD><TD>' . $mac{$i} . '</TD><TD>' . $date{$i} .
             '</TD><TD>' . $tdate{$i} . '</TD></TR>');
    if ($data =~ /$search_string/) 
     {
      print($data);
     } 
   }
  $~ = HTMLEND;
  write;
 }

###################################################################
# Formats
###################################################################
# These are the formats for the write commands that hold the html
# code.  You can customize the FORMS and TABLE as you see fit.
###################################################################
format HTML1 = 
Content-TYPE: text/html

<HTML>

 <HEAD>
  <TITLE>ArpView data</TITLE>
 </HEAD>

 <BODY TEXT="#000000" BGCOLOR="#BFBFBF" LINK="#0000FF" VLINK="#993399" LINK="#FF0000">
 
 <H1 ALIGN="CENTER">Processed Arp Data</H1>
 <H3 ALIGN="CENTER">last updated : @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< </H3>
                                   $file_date
 <H4>
 </H4>
 <BR><BR>
.

###################################################################
format HTML2 = 
   <P>
      Search String : <INPUT TYPE="text" NAME="srch_str" SIZE=20 MAX_LENGTH=20>
      (This search uses <B>"grep -i"</B> on the <B>@<<<<<<<<<<<<<<<<<<<<<<<<<<< </B> file)
                                                   $arp_data
   <P>
   Sort Data by :  <I>(Currently sorted by @<<<<<<<< )</I>
                                        $sort_order

   <H3>
     <INPUT TYPE="radio" NAME="sort_order" VALUE="hostname" CHECKED > : Hostname
     <INPUT TYPE="radio" NAME="sort_order" VALUE="ip_num"> : IP #
     <INPUT TYPE="radio" NAME="sort_order" VALUE="mac_num"> : MAC #
     <INPUT TYPE="radio" NAME="sort_order" VALUE="jdate"> : Date
     <Input Type = "hidden" Name="download" Value="no">
     <BR>
     <INPUT ALIGN="CENTER" TYPE="submit" VALUE="GO">
   </H3>
   </FORM>

.

###################################################################
format TABLEHEAD =
   <TABLE BORDER=5 CELLPADDING=5 CELLSPACING=5>
   <H4>
   <TH>Name<TD>IP</TD><TD>MAC</TD><TD>Abs Time</TD><TD>Human Time</TD></TH>
.

###################################################################
format HTMLEND = 
   </H4>
   </TABLE>

@*
$signature

 </BODY>

</HTML>

.
###################################################################
# Subroutines
###################################################################

sub by_hostname
{
 $return = $host{$a} cmp $host{$b};
 if (($host{$a} cmp $host{$b}) == 0)
  {
   $host{$a} = "<Font Color=\"#FF0000\"> " . $host{$a} . "</Font>";
   $host{$b} = "<Font Color=\"#FF0000\"> " . $host{$b} . "</Font>";
   $duplicate = 1;
  }
 $return;
}

sub by_ip
{
 $return = $tip{$a} <=> $tip{$b};
 if (($tip{$a} <=> $tip{$b}) == 0)
  {
   $ip{$a} = "<Font Color=\"#FF0000\"> " . $ip{$a} . "</Font>";
   $ip{$b} = "<Font Color=\"#FF0000\"> " . $ip{$b} . "</Font>";
   $duplicate = 1;
  }
 $return;
}

sub by_mac
{
 $return = $mac{$a} cmp $mac{$b};
 if (($mac{$a} cmp $mac{$b}) == 0)
  {
   $mac{$a} = "<Font Color=\"#FF0000\"> " . $mac{$a} . "</Font>";
   $mac{$b} = "<Font Color=\"#FF0000\"> " . $mac{$b} . "</Font>";
   $duplicate = 1;
  }
 $return;
}
sub by_date
{
 $return = $date{$a} <=> $date{$b};
 if(($date{$a} <=> $date{$b}) == 0)
  {
   $tdate{$a} = "<Font Color=\"#0000FF\"> " . $tdate{$a} . "</Font>";
   $tdate{$b} = "<Font Color=\"#0000FF\"> " . $tdate{$b} . "</Font>";
  }
 $return;
}