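#!/bin/bash
# Ongoing Nuke telemetry monitor
# Logs all Foundry-related network connections with timestamps.
#
# Writes a timestamped text log and a pcap under LOG_DIR, runs tcpdump in the
# background (via sudo) restricted to the FOUNDRY_DOMAINS list, and polls
# `ss -tnp` every POLL_INTERVAL seconds while a Nuke process is running.
# Requires: bash, sudo, tcpdump, ss (iproute2), pgrep.
# Stop with Ctrl+C; cleanup() stops tcpdump and appends a session summary.

# -u: unset variables are errors. -e is deliberately NOT used: grep returning 1
# on "no match" inside the polling loop is expected, not an error.
set -uo pipefail

LOG_DIR="$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/telemetry-logs"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
LOG_FILE="$LOG_DIR/nuke_telemetry_$TIMESTAMP.log"
PCAP_FILE="$LOG_DIR/nuke_telemetry_$TIMESTAMP.pcap"
readonly LOG_DIR TIMESTAMP LOG_FILE PCAP_FILE
readonly POLL_INTERVAL=5

# Known Foundry domains and IPs.
# Hostnames are resolved by tcpdump when the BPF filter is compiled; the
# real-time `ss -n` check only sees numeric addresses, so only the IP literals
# below can match there.
FOUNDRY_DOMAINS=(
  "foundry.com"
  "learn.foundry.com"
  "sentry.foundry.com"
  "api.honeycomb.io"
  "52.50.232.31"   # AWS Ireland - learn.foundry.com
  "52.205.16.9"    # AWS Virginia - api.honeycomb.io
)

# PID of the backgrounded `sudo tcpdump`; empty until the capture is started
# so cleanup() can run safely if the script is interrupted before then.
TCPDUMP_PID=""
CLEANUP_DONE=0

#######################################
# Print a line to stdout and append it to LOG_FILE.
# Globals:   LOG_FILE (read)
# Arguments: $* - text to log (may be empty for a blank line)
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$LOG_FILE"
}

#######################################
# Log a line prefixed with a timestamp.
# Arguments: $1 - message
#######################################
log_connection() {
  local timestamp
  # Declaration and assignment are split so a failing `date` is not masked.
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')
  log "[$timestamp] $1"
}

#######################################
# Build the tcpdump BPF filter "host A or host B or ..." from FOUNDRY_DOMAINS.
# Globals:   FOUNDRY_DOMAINS (read)
# Outputs:   filter expression on stdout (empty if the array is empty)
#######################################
build_filter() {
  local filter="" entry
  for entry in "${FOUNDRY_DOMAINS[@]}"; do
    if [[ -z "$filter" ]]; then
      filter="host $entry"
    else
      filter="$filter or host $entry"
    fi
  done
  printf '%s' "$filter"
}

#######################################
# Stop tcpdump and append a session summary to the log.
# Runs its body at most once even if several traps fire (INT/TERM, then EXIT).
# Globals:   CLEANUP_DONE (written), TCPDUMP_PID, PCAP_FILE, LOG_FILE (read)
# Arguments: $1 - reason to log (optional)
#######################################
cleanup() {
  (( CLEANUP_DONE )) && return 0
  CLEANUP_DONE=1
  log_connection "${1:-Monitor stopped}"
  if [[ -n "$TCPDUMP_PID" ]]; then
    log_connection "Stopping tcpdump (PID: $TCPDUMP_PID)..."
    # $! is the PID of sudo, which forwards the signal to tcpdump. Wait for it
    # only when the kill succeeded, so the pcap is fully flushed before it is
    # read below (and so a refused kill cannot hang the trap).
    if sudo kill "$TCPDUMP_PID" 2>/dev/null; then
      wait "$TCPDUMP_PID" 2>/dev/null
    fi
  fi

  log ""
  log "=== Session Summary ==="
  log "Ended: $(date)"
  if [[ -f "$PCAP_FILE" ]]; then
    local packet_count pcap_size
    # The capture file is written by root, so reading it needs sudo as well.
    packet_count=$(sudo tcpdump -r "$PCAP_FILE" 2>/dev/null | wc -l)
    pcap_size=$(du -h "$PCAP_FILE" | cut -f1)
    log "Packets captured: $packet_count"
    log "Capture file size: $pcap_size"

    # Quick analysis: unique IPv4 addresses seen in the capture. tcpdump runs
    # with -n here, so these are numeric addresses, not hostnames.
    log ""
    log "IP addresses contacted:"
    sudo tcpdump -r "$PCAP_FILE" -n 2>/dev/null \
      | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
      | sort -u \
      | while IFS= read -r ip; do
          log "  - $ip"
        done
  fi
  log ""
  log "Log saved to: $LOG_FILE"
  log "Capture saved to: $PCAP_FILE"
}

# Create log directory if it doesn't exist.
mkdir -p "$LOG_DIR" || { printf 'Cannot create log directory: %s\n' "$LOG_DIR" >&2; exit 1; }

log "=== Nuke Telemetry Monitor Started ==="
log "Started: $(date)"
log "Log file: $LOG_FILE"
log "Packet capture: $PCAP_FILE"
log ""

log "Monitoring for connections to:"
for domain in "${FOUNDRY_DOMAINS[@]}"; do
  log "  - $domain"
done
log ""

# Traps are installed before tcpdump starts so a Ctrl+C at any point stops the
# capture; EXIT covers non-signal exits (e.g. the start-up failure below).
trap 'cleanup "Monitor stopped by user (Ctrl+C)"; exit 0' INT TERM
trap 'cleanup "Monitor exiting"' EXIT

FILTER=$(build_filter)

# Start packet capture in background. tcpdump's own output goes to the log.
log "Starting packet capture..."
sudo tcpdump -i any -w "$PCAP_FILE" "$FILTER" >> "$LOG_FILE" 2>&1 &
TCPDUMP_PID=$!
log "tcpdump PID: $TCPDUMP_PID"
log ""

# Give tcpdump a moment to compile the filter (which resolves the hostnames)
# and fail loudly if it did not come up, instead of logging an empty session.
# `ps -p` is used rather than `kill -0` because the process runs as root.
sleep 1
if ! ps -p "$TCPDUMP_PID" >/dev/null 2>&1; then
  log "ERROR: tcpdump did not start; see $LOG_FILE for its output"
  TCPDUMP_PID=""
  exit 1
fi

# Monitor active connections in real-time.
log_connection "Monitoring active connections (press Ctrl+C to stop)..."
log ""

LAST_CONNECTIONS=""
while true; do
  # Only poll while Nuke is running. NOTE(review): `pgrep -f` matches "Nuke"
  # anywhere in a command line, so unrelated processes (or this script, if its
  # own path contains "Nuke") would also count — confirm this is intended.
  if pgrep -f Nuke >/dev/null; then
    # Fixed-string match (-F) against one entry per line, so the dots in the
    # IPs/hostnames are literal rather than regex wildcards.
    CURRENT_CONNECTIONS=$(sudo ss -tnp 2>/dev/null \
      | grep -F -f <(printf '%s\n' "${FOUNDRY_DOMAINS[@]}"))
    if [[ -n "$CURRENT_CONNECTIONS" && "$CURRENT_CONNECTIONS" != "$LAST_CONNECTIONS" ]]; then
      log_connection "NEW CONNECTION DETECTED:"
      while IFS= read -r line; do
        log "  $line"
      done <<<"$CURRENT_CONNECTIONS"
      log ""
      # Only a *changed* connection set is logged; an identical set that
      # disappears and returns later is not re-logged.
      LAST_CONNECTIONS="$CURRENT_CONNECTIONS"
    fi
  fi
  sleep "$POLL_INTERVAL"
done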