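#!/usr/bin/ruby
# frozen_string_literal: true

# unified-to-pcap.rb: convert a unified *log* file into a libpcap capture.
#
# Usage: unified-to-pcap.rb <unified.log> <out.pcap>
#
# Parsing is delegated to the 'unified' library; each record it returns is
# expected to expose 'pkt_sec', 'pkt_usec' and 'pkt' (the raw packet bytes).

require 'unified'

# Minimal libpcap writer: the global header is emitted on construction and
# one record header plus packet bytes per +write+ call. Every multi-byte
# field is packed big-endian ("N"/"n"), which is consistent with writing the
# 0xa1b2c3d4 magic in big-endian order.
class Pcapout
  attr_accessor :fh, :magic, :version_major, :version_minor, :zone, :sig, :snaplen, :linktype

  # Global header: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
  HEADER_FORMAT = 'NnnNNNN'
  # Record header: ts_sec(4) ts_usec(4) incl_len(4) orig_len(4)
  RECORD_FORMAT = 'NNNN'

  # Open +file+ for writing and emit the pcap global header.
  #
  # The file is opened in binary mode ('wb') so no platform newline
  # translation can corrupt packet bytes that happen to contain "\n".
  #
  # @param file [String] output path
  # @raise [SystemCallError] if the file cannot be created
  def initialize(file)
    self.fh = File.open(file, 'wb')
    self.magic = 0xa1b2c3d4
    self.version_major = 2
    self.version_minor = 4
    self.zone = 0       # thiszone: GMT offset, 0 = timestamps are UTC
    self.sig = 0        # sigfigs: timestamp accuracy, conventionally 0
    self.snaplen = 0xffff
    self.linktype = 1   # DLT_EN10MB (Ethernet)
    fh.print [magic, version_major, version_minor, zone, sig, snaplen, linktype].pack(HEADER_FORMAT)
  end

  # Append one packet record.
  #
  # incl_len is capped at +snaplen+ and the written bytes are truncated to
  # match, so a reader never encounters a record longer than the global
  # header promised; orig_len still carries the full on-the-wire size.
  # Sizes are taken in bytes (not characters) regardless of +packet+'s
  # encoding.
  #
  # @param tvsec [Integer] timestamp, seconds
  # @param uvsec [Integer] timestamp, microseconds
  # @param packet [String] raw packet bytes
  # @return [nil]
  def write(tvsec, uvsec, packet)
    data = packet.b # byte-oriented copy so size and slicing count bytes
    orig_len = data.bytesize
    incl_len = [orig_len, snaplen].min
    fh.print [tvsec, uvsec, incl_len, orig_len].pack(RECORD_FORMAT)
    fh.print data.byteslice(0, incl_len)
    nil
  end

  # Flush and close the output file; safe to call more than once.
  def close
    fh.close unless fh.closed?
  end
end

if __FILE__ == $PROGRAM_NAME
  unless ARGV.size == 2
    warn "usage: #{File.basename($PROGRAM_NAME)} <unified.log> <out.pcap>"
    exit 1
  end

  unified = Unified.new(ARGV[0])
  if unified.type != 'log'
    raise TypeError, "unified-to-pcap.rb only handles unified log files. #{ARGV[0]} is a unified.#{unified.type} file"
  end

  pcap = Pcapout.new(ARGV[1])
  print "Unified type=#{unified.type} endian=#{unified.endian} version=#{unified.version_major}.#{unified.version_minor}\n"

  written = 0
  begin
    while (record = unified.record)
      # p record  ### uncomment to dump each unified record struct to the console
      pcap.write(record['pkt_sec'], record['pkt_usec'], record['pkt'])
      written += 1
    end
  rescue StandardError => e
    # Same exception set as the original bare rescue, but reported: a
    # truncated or corrupt tail should not lose the records already written,
    # yet stopping silently would hide that the capture is incomplete.
    warn "stopped after #{written} records: #{e.class}: #{e.message}"
  ensure
    # Always flush and close so the last record is not lost in the buffer.
    pcap.close
  end
end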