Beispiel #1
0
        public static DNSQuery Parse(IPFrame thisIPFrame, byte[] arrThisFrame)
        {
            DNSQuery dNSQuery       = new DNSQuery();
            int      iPayloadOffset = (int)thisIPFrame.iPayloadOffset;

            dNSQuery.uiTransactionID = (uint)((int)arrThisFrame[iPayloadOffset + 8] << 8 | (int)arrThisFrame[iPayloadOffset + 9]);
            dNSQuery.uiFlags         = (uint)((int)arrThisFrame[iPayloadOffset + 10] << 8 | (int)arrThisFrame[iPayloadOffset + 11]);
            dNSQuery.uiQuestionCount = (uint)((int)arrThisFrame[iPayloadOffset + 12] << 8 | (int)arrThisFrame[iPayloadOffset + 13]);
            byte   arg_51_0 = arrThisFrame[iPayloadOffset + 14];
            byte   arg_58_0 = arrThisFrame[iPayloadOffset + 15];
            byte   arg_5F_0 = arrThisFrame[iPayloadOffset + 16];
            byte   arg_66_0 = arrThisFrame[iPayloadOffset + 17];
            byte   arg_6D_0 = arrThisFrame[iPayloadOffset + 18];
            byte   arg_74_0 = arrThisFrame[iPayloadOffset + 19];
            int    num      = iPayloadOffset + 20;
            string empty    = string.Empty;

            while (arrThisFrame[num] != 0)
            {
                int    num2    = (int)arrThisFrame[num];
                string @string = Encoding.UTF8.GetString(arrThisFrame, num + 1, num2);
                dNSQuery.sHostname = string.Format("{0}{1}{2}", empty, (empty.Length > 0) ? "." : string.Empty, @string);
                num += 1 + num2;
            }
            dNSQuery.QueryType = (DNSQueryType)((int)arrThisFrame[num + 1] << 8 | (int)arrThisFrame[num + 2]);
            return(dNSQuery);
        }
Beispiel #2
0
        private Session[] GetSessionsFromPCAPNG(BinaryReader rdr, uint uiMagic)
        {
            PCAPNGFileHeader pCAPNGFileHeader = PCAPNGFileHeader.CreateFromReader(rdr, uiMagic);

            if (pCAPNGFileHeader.ByteOrderMagic != 439041101u)
            {
                Console.WriteLine(String.Format("Sorry, this format is not yet supported. Please contact support.", "Unsupported Byte-Order"));
                return(null);
            }
            if (pCAPNGFileHeader.SectionHeaderLength != pCAPNGFileHeader.RepeatedHeaderLength)
            {
                Console.WriteLine(String.Format("Sorry, this file appears to be corrupt. HeaderLength != TrailingHeaderLength. Please contact support.", "File Corrupt"));
                return(null);
            }
            //Console.WriteLine(String.Format("Importing PCAPNG:\n{0}", pCAPNGFileHeader);

            PacketCaptureImport.PacketCounts  packetCounts = default(PacketCaptureImport.PacketCounts);
            Dictionary <uint, DNSTransaction> dictionary   = new Dictionary <uint, DNSTransaction>();
            Dictionary <string, TCPStream>    dictionary2  = new Dictionary <string, TCPStream>();
            long length = rdr.BaseStream.Length;
            bool flag   = false;

            while (!flag && rdr.BaseStream.Position + 8L <= length)
            {
                PCAPNGBlockHeader pCAPNGBlockHeader = PCAPNGBlockHeader.CreateFromReader(rdr);
                PCAPNGBlockType   uiBlockType       = pCAPNGBlockHeader.uiBlockType;
                if (uiBlockType != PCAPNGBlockType.InterfaceDescriptionBlock)
                {
                    if (uiBlockType != PCAPNGBlockType.EnhancedPacketBlock)
                    {
                        //FiddlerApplication.get_Log().LogString(pCAPNGBlockHeader.ToString());
                        rdr.ReadBytes((int)(pCAPNGBlockHeader.uiBlockLength - 8u));
                    }
                    else
                    {
                        packetCounts.Total += 1u;
                        PCAPNGEnhancedPacketHeader pCAPNGEnhancedPacketHeader = PCAPNGEnhancedPacketHeader.CreateFromReader(rdr);
                        if (pCAPNGEnhancedPacketHeader.PacketOriginalSize != pCAPNGEnhancedPacketHeader.PacketSavedSize)
                        {
                            //FiddlerApplication.get_Log().LogFormat("! WARNING: Packet was not stored completely. Stored only {0}/{1} bytes", new object[]
                            //{
                            //    pCAPNGEnhancedPacketHeader.PacketSavedSize,
                            //    pCAPNGEnhancedPacketHeader.PacketOriginalSize
                            //});
                        }
                        byte[] array = rdr.ReadBytes((int)pCAPNGEnhancedPacketHeader.PacketSavedSize);
                        if ((long)array.Length != (long)((ulong)pCAPNGEnhancedPacketHeader.PacketSavedSize))
                        {
                            //FiddlerApplication.get_Log().LogFormat("! WARNING: File was incomplete. Last frame stored only {0}/{1} bytes", new object[]
                            //{
                            //    array.Length,
                            //    pCAPNGEnhancedPacketHeader.PacketSavedSize
                            //});
                            flag = true;
                        }
                        else
                        {
                            IPFrame iPFrame = IPFrame.ParseAsIPFrame(packetCounts.Total, array, pCAPNGEnhancedPacketHeader.dtPacket);
                            if (iPFrame == null)
                            {
                                rdr.ReadBytes((int)((ulong)(pCAPNGBlockHeader.uiBlockLength - 28u) - (ulong)((long)pCAPNGEnhancedPacketHeader.PacketSavedSize)));
                            }
                            else
                            {
                                if (iPFrame.IPVersion == 4)
                                {
                                    packetCounts.IPv4 += 1u;
                                }
                                else
                                {
                                    if (iPFrame.IPVersion == 6)
                                    {
                                        packetCounts.IPv6 += 1u;
                                    }
                                }
                                IPSubProtocols nextProtocol = iPFrame.NextProtocol;
                                if (nextProtocol != IPSubProtocols.TCP)
                                {
                                    if (nextProtocol != IPSubProtocols.UDP)
                                    {
                                        if (nextProtocol == IPSubProtocols.ESP)
                                        {
                                            if (PacketCaptureImport.bVerboseDebug)
                                            {
                                                //FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[]
                                                //{
                                                //    iPFrame.iFrameNumber
                                                //});
                                            }
                                        }
                                    }
                                    else
                                    {
                                        UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array);
                                        packetCounts.UDP += 1u;
                                        if (WellKnownPorts.DNS == uDPMessage.DstPort)
                                        {
                                            DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array);
                                            if (dNSQuery.QueryType == DNSQueryType.AddressQuery)
                                            {
                                                DNSTransaction dNSTransaction;
                                                if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction))
                                                {
                                                    dNSTransaction = new DNSTransaction();
                                                    dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction);
                                                }
                                                dNSTransaction.uiTransactionID   = dNSQuery.uiTransactionID;
                                                dNSTransaction.sQueryForHostname = dNSQuery.sHostname;
                                                dNSTransaction.bAAAAQuery        = (dNSQuery.QueryType == DNSQueryType.AAAA);
                                                dNSTransaction.dtQuerySent       = pCAPNGEnhancedPacketHeader.dtPacket;
                                            }
                                        }
                                        else
                                        {
                                            if (WellKnownPorts.DNS == uDPMessage.SrcPort)
                                            {
                                                DNSResponse    dNSResponse = DNSResponse.Parse(iPFrame, array);
                                                DNSTransaction dNSTransaction2;
                                                if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2))
                                                {
                                                    dNSTransaction2.dtResponseReceived = pCAPNGEnhancedPacketHeader.dtPacket;
                                                }
                                            }
                                        }
                                    }
                                }
                                else
                                {
                                    TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array);
                                    if (tCPFrame == null)
                                    {
                                        continue;
                                    }
                                    packetCounts.TCP += 1u;
                                    TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort);
                                    string       key          = tCPEndpoints.ToString();
                                    TCPStream    tCPStream;
                                    if (!dictionary2.TryGetValue(key, out tCPStream))
                                    {
                                        tCPStream = new TCPStream(tCPEndpoints);
                                        dictionary2.Add(key, tCPStream);
                                    }
                                    tCPStream.AddFrame(tCPFrame);
                                }
                                int count = (int)((ulong)(pCAPNGBlockHeader.uiBlockLength - 28u) - (ulong)((long)pCAPNGEnhancedPacketHeader.PacketSavedSize));
                                rdr.ReadBytes(count);
                            }
                        }
                    }
                }
                else
                {
                    //FiddlerApplication.get_Log().LogString(pCAPNGBlockHeader.ToString());
                    rdr.ReadBytes((int)(pCAPNGBlockHeader.uiBlockLength - 8u));
                }
            }
            return(this.GetSessionsFromPackets(ref packetCounts, dictionary2));
        }
Beispiel #3
0
        private Session[] GetSessionsFromNetMonCAP(BinaryReader rdr, uint uiMagic)
        {
            NetMonFileHeader netMonFileHeader = NetMonFileHeader.CreateFromReader(rdr, uiMagic);

            uint[] frameOffsets = netMonFileHeader.GetFrameOffsets(rdr);
            PacketCaptureImport.PacketCounts  packetCounts = default(PacketCaptureImport.PacketCounts);
            Dictionary <uint, DNSTransaction> dictionary   = new Dictionary <uint, DNSTransaction>();
            Dictionary <string, TCPStream>    dictionary2  = new Dictionary <string, TCPStream>();
            uint num = 0u;

            while ((ulong)num < (ulong)((long)frameOffsets.Length))
            {
                packetCounts.Total     += 1u;
                rdr.BaseStream.Position = (long)((ulong)frameOffsets[(int)((UIntPtr)num)]);
                NetmonPacketHeader netmonPacketHeader = NetmonPacketHeader.CreateFromReader(rdr, netMonFileHeader.dtCapture);
                if (netmonPacketHeader.MediaType != MediaTypes.Ethernet && netmonPacketHeader.MediaType != MediaTypes.WFPCapture_Message2V4)
                {
                    if (PacketCaptureImport.bVerboseDebug)
                    {
                        //FiddlerApplication.get_Log().LogFormat("Skipping frame {0} with MediaType: 0x{1:x}", new object[]
                        //{
                        //    num,
                        //    netmonPacketHeader.MediaType
                        //});
                    }
                }
                else
                {
                    byte[] array = new byte[netmonPacketHeader.PacketSavedSize];
                    rdr.BaseStream.Position = (long)((ulong)(frameOffsets[(int)((UIntPtr)num)] + 16u));
                    rdr.BaseStream.Read(array, 0, array.Length);
                    IPFrame iPFrame;
                    if (netmonPacketHeader.MediaType == MediaTypes.WFPCapture_Message2V4)
                    {
                        iPFrame = IPFrame.FakeAsIPFrame(num, array, netmonPacketHeader.dtPacket);
                    }
                    else
                    {
                        iPFrame = IPFrame.ParseAsIPFrame(num, array, netmonPacketHeader.dtPacket);
                    }
                    if (iPFrame != null)
                    {
                        if (iPFrame.IPVersion == 4)
                        {
                            packetCounts.IPv4 += 1u;
                        }
                        else
                        {
                            if (iPFrame.IPVersion == 6)
                            {
                                packetCounts.IPv6 += 1u;
                            }
                        }
                        if (PacketCaptureImport.bVerboseDebug)
                        {
                            //FiddlerApplication.get_Log().LogFormat("Adding frame {0} - {1}", new object[]
                            //{
                            //    num,
                            //    iPFrame.ToString()
                            //});
                        }
                        IPSubProtocols nextProtocol = iPFrame.NextProtocol;
                        if (nextProtocol != IPSubProtocols.TCP)
                        {
                            if (nextProtocol != IPSubProtocols.UDP)
                            {
                                if (nextProtocol == IPSubProtocols.ESP)
                                {
                                    if (PacketCaptureImport.bVerboseDebug)
                                    {
                                        //FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[]
                                        //{
                                        //    iPFrame.iFrameNumber
                                        //});
                                    }
                                }
                            }
                            else
                            {
                                UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array);
                                packetCounts.UDP += 1u;
                                if (WellKnownPorts.DNS == uDPMessage.DstPort)
                                {
                                    DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array);
                                    if (dNSQuery.QueryType == DNSQueryType.AddressQuery)
                                    {
                                        DNSTransaction dNSTransaction;
                                        if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction))
                                        {
                                            dNSTransaction = new DNSTransaction();
                                            dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction);
                                        }
                                        dNSTransaction.uiTransactionID   = dNSQuery.uiTransactionID;
                                        dNSTransaction.sQueryForHostname = dNSQuery.sHostname;
                                        dNSTransaction.bAAAAQuery        = (dNSQuery.QueryType == DNSQueryType.AAAA);
                                        dNSTransaction.dtQuerySent       = netmonPacketHeader.dtPacket;
                                    }
                                }
                                else
                                {
                                    if (WellKnownPorts.DNS == uDPMessage.SrcPort)
                                    {
                                        DNSResponse    dNSResponse = DNSResponse.Parse(iPFrame, array);
                                        DNSTransaction dNSTransaction2;
                                        if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2))
                                        {
                                            dNSTransaction2.dtResponseReceived = netmonPacketHeader.dtPacket;
                                        }
                                    }
                                }
                            }
                        }
                        else
                        {
                            TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array);
                            if (tCPFrame != null)
                            {
                                packetCounts.TCP += 1u;
                                TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort);
                                string       key          = tCPEndpoints.ToString();
                                TCPStream    tCPStream;
                                if (!dictionary2.TryGetValue(key, out tCPStream))
                                {
                                    tCPStream = new TCPStream(tCPEndpoints);
                                    uint processTableIndex = netmonPacketHeader.ProcessTableIndex;
                                    if ((ulong)processTableIndex < (ulong)((long)netMonFileHeader.arrProcesses.Length))
                                    {
                                        tCPStream.sProcessInfo = netMonFileHeader.arrProcesses[(int)((UIntPtr)processTableIndex)];
                                    }
                                    dictionary2.Add(key, tCPStream);
                                }
                                tCPStream.AddFrame(tCPFrame);
                            }
                        }
                    }
                }
                num += 1u;
            }
            return(this.GetSessionsFromPackets(ref packetCounts, dictionary2));
        }
Beispiel #4
0
        private Session[] GetSessionsFromPCAP(BinaryReader rdr, uint uiMagic)
        {
            PCAPFileHeader pCAPFileHeader = PCAPFileHeader.CreateFromReader(rdr, uiMagic);

            if (pCAPFileHeader.IsByteOrderSwapped && !PacketCaptureImport.bSilent)
            {
                Console.WriteLine(String.Format("Warning: Byte order swapped. Import will fail!", "FILE FORMAT WARNING"));
            }
            if (pCAPFileHeader.LinkType != 1u && !PacketCaptureImport.bSilent)
            {
                Console.WriteLine(String.Format("Warning: Link Type is not Ethernet. Import likely to fail!", "FILE FORMAT WARNING"));
            }

            //Console.WriteLine(String.Format("Importing PCAP:\n{0}", pCAPFileHeader));

            PacketCaptureImport.PacketCounts  packetCounts = default(PacketCaptureImport.PacketCounts);
            Dictionary <uint, DNSTransaction> dictionary   = new Dictionary <uint, DNSTransaction>();
            Dictionary <string, TCPStream>    dictionary2  = new Dictionary <string, TCPStream>();
            long length = rdr.BaseStream.Length;
            bool flag   = false;

            //Console.WriteLine(String.Format("length #{0}\n", length));
            while (!flag && rdr.BaseStream.Position + 16L <= length)
            {
                packetCounts.Total += 1u;
                //Console.WriteLine(String.Format("packetCounts.Total : {0}", packetCounts.Total));
                PCAPPacketHeader pCAPPacketHeader = PCAPPacketHeader.CreateFromReader(rdr);
                if (14u > pCAPPacketHeader.PacketSavedSize)
                {
                    //Console.WriteLine("14u > pCAPPacketHeader.PacketSavedSize");
                    rdr.BaseStream.Position += (long)pCAPPacketHeader.PacketSavedSize;
                }
                else
                {
                    if (pCAPPacketHeader.PacketOriginalSize != pCAPPacketHeader.PacketSavedSize)
                    {
                        Console.WriteLine(String.Format("! WARNING: Packet{0} was not stored completely. Stored only {1}/{2} bytes", packetCounts.Total, pCAPPacketHeader.PacketSavedSize,
                                                        pCAPPacketHeader.PacketOriginalSize));
                    }
                    byte[] array = rdr.ReadBytes((int)pCAPPacketHeader.PacketSavedSize);

                    //hidd3ncodes: Trying to skip this packet.
                    if (pCAPPacketHeader.PacketOriginalSize != pCAPPacketHeader.PacketSavedSize)
                    {
                        continue;
                    }

                    if ((long)array.Length != (long)((ulong)pCAPPacketHeader.PacketSavedSize))
                    {
                        Console.WriteLine(String.Format("! WARNING: File was incomplete. Last frame stored only {0}/{1} bytes", array.Length, pCAPPacketHeader.PacketSavedSize));
                        flag = true;
                    }
                    else
                    {
                        IPFrame iPFrame = IPFrame.ParseAsIPFrame(packetCounts.Total, array, pCAPPacketHeader.dtPacket);
                        if (iPFrame != null)
                        {
                            if (iPFrame.IPVersion == 4)
                            {
                                packetCounts.IPv4 += 1u;
                            }
                            else
                            {
                                if (iPFrame.IPVersion == 6)
                                {
                                    packetCounts.IPv6 += 1u;
                                }
                            }

                            IPSubProtocols nextProtocol = iPFrame.NextProtocol;
                            if (nextProtocol != IPSubProtocols.TCP)
                            {
                                if (nextProtocol != IPSubProtocols.UDP)
                                {
                                    if (nextProtocol == IPSubProtocols.ESP)
                                    {
                                        //if (PacketCaptureImport.bVerboseDebug)
                                        //{
                                        Console.WriteLine(String.Format("ESP Frame #{0} skipped; parsing NYI", iPFrame.iFrameNumber));
                                        //}
                                    }
                                }
                                else
                                {
                                    UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array);
                                    packetCounts.UDP += 1u;
                                    if (WellKnownPorts.DNS == uDPMessage.DstPort)
                                    {
                                        DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array);
                                        if (dNSQuery.QueryType == DNSQueryType.AddressQuery)
                                        {
                                            DNSTransaction dNSTransaction;
                                            if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction))
                                            {
                                                dNSTransaction = new DNSTransaction();
                                                dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction);
                                            }
                                            dNSTransaction.uiTransactionID   = dNSQuery.uiTransactionID;
                                            dNSTransaction.sQueryForHostname = dNSQuery.sHostname;
                                            dNSTransaction.bAAAAQuery        = (dNSQuery.QueryType == DNSQueryType.AAAA);
                                            dNSTransaction.dtQuerySent       = pCAPPacketHeader.dtPacket;
                                        }
                                    }
                                    else
                                    {
                                        if (WellKnownPorts.DNS == uDPMessage.SrcPort)
                                        {
                                            DNSResponse    dNSResponse = DNSResponse.Parse(iPFrame, array);
                                            DNSTransaction dNSTransaction2;
                                            if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2))
                                            {
                                                dNSTransaction2.dtResponseReceived = pCAPPacketHeader.dtPacket;
                                            }
                                        }
                                    }
                                }
                            }
                            else
                            {
                                TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array);
                                //Console.WriteLine(String.Format("I am here", length));
                                if (tCPFrame != null)
                                {
                                    packetCounts.TCP += 1u;
                                    TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort);
                                    string       key          = tCPEndpoints.ToString();
                                    TCPStream    tCPStream;
                                    if (!dictionary2.TryGetValue(key, out tCPStream))
                                    {
                                        tCPStream = new TCPStream(tCPEndpoints);
                                        dictionary2.Add(key, tCPStream);
                                    }
                                    tCPStream.AddFrame(tCPFrame);
                                }
                            }
                        }
                    }
                }
                //Console.WriteLine(String.Format("Flag #{0}", flag));
                //Console.WriteLine(String.Format("rdr.BaseStream.Position #{0}", rdr.BaseStream.Position));
            }
            return(this.GetSessionsFromPackets(ref packetCounts, dictionary2));
        }