// tcp
public void VerifyPacket1(Packet p, RawCapture rawCapture)
{
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual("0016CFC91E29", e.SourceHwAddress.ToString());
Assert.AreEqual("0014BFF2EF0A", e.DestinationHwAddress.ToString());
IpPacket ip = (IpPacket)p.PayloadPacket;
Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.104"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("86.42.196.13"), ip.DestinationAddress);
Assert.AreEqual(64, ip.TimeToLive);
Assert.AreEqual(0x2ff4, ((IPv4Packet)ip).CalculateIPChecksum());
Assert.AreEqual(1171483600, rawCapture.Timeval.Seconds);
Assert.AreEqual(125234.000, rawCapture.Timeval.MicroSeconds);
TcpPacket tcp = (TcpPacket)ip.PayloadPacket;
Assert.AreEqual(56925, tcp.SourcePort);
Assert.AreEqual(50199, tcp.DestinationPort);
Assert.IsTrue(tcp.Ack);
Assert.IsTrue(tcp.Psh);
Assert.AreEqual(16666, tcp.WindowSize);
Assert.AreEqual(0x9b02, tcp.CalculateTCPChecksum());
Assert.AreEqual(0x9b02, tcp.Checksum);
Assert.IsTrue(tcp.ValidTCPChecksum);
}
private void AnalyzeTCP(Packet p)
{
if (!(p.PayloadPacket.PayloadPacket is TcpPacket))
return;
EthernetPacket ethernet = (EthernetPacket)p;
IpPacket ip = (IpPacket)p.PayloadPacket;
TcpPacket tcp = (TcpPacket)p.PayloadPacket.PayloadPacket;
Neighbor neighbor = null;
if (tcp.Syn && tcp.Ack)
{
neighbor = Program.CurrentProject.data.GetNeighbor(ethernet.SourceHwAddress);
if (neighbor == null)
return;
if (neighbor.ExistsIP(ip.SourceAddress))
{
Port port = new Port(tcp.SourcePort, Protocol.TCP, ip.SourceAddress);
if (!(neighbor.ExistsPort(port)))
{
neighbor.AddPort(port);
Program.CurrentProject.data.AddNeighbor(neighbor);
}
}
else
return;
}
}
public void ReportPacketCapture(Packet packet, DateTime arrivalTime)
{
IpPacket ip = (IpPacket)packet.Extract(typeof(IpPacket));
TcpPacket tcp = (TcpPacket)packet.Extract(typeof(TcpPacket));
ASCIIEncoding format = new ASCIIEncoding();
string payloadAsText = format.GetString(packet.Bytes);
payloadAsText = payloadAsText.ToLower();
//remove non readable characters
//payloadAsText = Regex.Replace(payloadAsText, @"[^\u0000-\u007F]", string.Empty);
payloadAsText = Regex.Replace(payloadAsText, "[^0-9a-zA-Z]+", string.Empty);
if ((tcp != null) && (payloadAsText.Contains("ftp")))
{
int x = 5;
}
if (payloadAsText.Length > 255)
{
payloadAsText = payloadAsText.Substring(0, 255);
}
if (tcp != null)
{
_sensorEventAgent.LogEvent(_sensorId, ip.DestinationAddress.ToString(), tcp.DestinationPort, ip.SourceAddress.ToString(), tcp.SourcePort,
arrivalTime, payloadAsText);
}
}
public void ReportPacketCapture(Packet packet, DateTime arrivalTime)
{
var ip = (PacketDotNet.IpPacket)packet.Extract(typeof(PacketDotNet.IpPacket));
//IpPacket ip = (IpPacket)packet.Extract(typeof(IpPacket));
TcpPacket tcp = (TcpPacket)packet.Extract(typeof(TcpPacket));
ASCIIEncoding format = new ASCIIEncoding();
string payloadAsText = format.GetString(packet.Bytes);
payloadAsText = payloadAsText.ToLower();
//remove non readable characters
//payloadAsText = Regex.Replace(payloadAsText, @"[^\u0000-\u007F]", string.Empty);
payloadAsText = Regex.Replace(payloadAsText, "[^0-9a-zA-Z]+", string.Empty);
if ((tcp != null) && (payloadAsText.Contains("ftp")))
{
int x = 5;
}
if (payloadAsText.Length > 255)
{
payloadAsText = payloadAsText.Substring(0, 255);
}
if (tcp != null)
{
_sensorEventAgent.LogEvent(_sensorId, ip.DestinationAddress.ToString(), tcp.DestinationPort, ip.SourceAddress.ToString(), tcp.SourcePort,
arrivalTime, payloadAsText);
}
}
public HLPacket(Packet parent, int headerLen)
{
var i = parent;
for (; i.PayloadPacket != null; i = i.PayloadPacket) ;
header = new PacketDotNet.Utils.ByteArraySegment(i.Bytes, i.Header.Length, headerLen);
i.PayloadPacket = this;
}
// tcp
public void VerifyPacket0(Packet p, RawCapture rawCapture)
{
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual(PhysicalAddress.Parse("00-13-10-03-71-47"), e.SourceHwAddress);
Assert.AreEqual(PhysicalAddress.Parse("00-E0-4C-E5-73-AD"), e.DestinationHwAddress);
IpPacket ip = (IpPacket)e.PayloadPacket;
Assert.AreEqual(System.Net.IPAddress.Parse("82.165.240.134"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.221"), ip.DestinationAddress);
Assert.AreEqual(IpVersion.IPv4, ip.Version);
Assert.AreEqual(IPProtocolType.TCP, ip.Protocol);
Assert.AreEqual(254, ip.TimeToLive);
Assert.AreEqual(0x0df8, ((IPv4Packet)ip).CalculateIPChecksum());
Assert.AreEqual(1176685346, rawCapture.Timeval.Seconds);
Assert.AreEqual(885259.000, rawCapture.Timeval.MicroSeconds);
TcpPacket tcp = (TcpPacket)ip.PayloadPacket;
Assert.AreEqual(80, tcp.SourcePort);
Assert.AreEqual(4324, tcp.DestinationPort);
Assert.IsTrue(tcp.Ack);
Assert.AreEqual(3536, tcp.WindowSize);
Assert.AreEqual(0xc835, tcp.CalculateTCPChecksum());
Console.WriteLine("tcp.Checksum is {0}", tcp.Checksum);
Assert.AreEqual(0xc835, tcp.Checksum, "tcp.Checksum mismatch");
Assert.IsTrue(tcp.ValidTCPChecksum);
}
private void sendPackage(PacketDotNet.Packet udpPacket)
{
foreach (PcapDevice device in SharpPcap.CaptureDeviceList.Instance)
{
PacketDotNet.Packet p = udpPacket;// = new PacketDotNet.UdpPacket();//
//p.EthernetProtocol = EthernetProtocols_Fields.IP;
//p.IPVersion = IPVersions_Fields.IPV4;
//p.IPProtocol = IPProtocols_Fields.UDP;//
//p.TimeToLive = 2;//
//p.IPHeaderLength = IPFields_Fields.IP_HEADER_LEN;//
//p.Length = 60;//
//p.SourceHwAddress = strSouMac;
//p.DestinationHwAddress = strGateWayMac;
//p.SourceAddress = "201.23.12.88";
//p.SourcePort = 12345;
//p.DestinationAddress = "192.168.100.106";
//p.DestinationPort = 9000;
//p.ComputeIPChecksum(true);//
//p.ComputeUDPChecksum(true);
p.PayloadPacket.PayloadPacket.PayloadData[0] = 0x10;
p.PayloadPacket.PayloadPacket.UpdateCalculatedValues();
device.SendPacket(p.Bytes);
}
}
public bool CheckIfIsDHCP(Packet p)
{
if (p.PayloadPacket == null || p.PayloadPacket.PayloadPacket == null ||
!(p.PayloadPacket.PayloadPacket is UdpPacket) ||
((p.PayloadPacket.PayloadPacket as UdpPacket).DestinationPort != 67 && (p.PayloadPacket.PayloadPacket as UdpPacket).DestinationPort != 68))
return false;
else
return true;
}
/// <summary>
/// handle the packet capture event
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void _currentCaptureDevice_OnPacketArrival(object sender, CaptureEventArgs e)
{
PacketDotNet.Packet packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
Console.WriteLine("device_OnPacketArrival: " + e.Device.Statistics);
foreach (ISensorReport reportMethod in _reportMethods)
{
reportMethod.ReportPacketCapture(packet, e.Packet.Timeval.Date);
}
}
public static EthernetPacket CreateEthernetPacket(PhysicalAddress sourceAddress,
PhysicalAddress destinationAddress, Packet payloapPacket)
{
var result = new EthernetPacket(sourceAddress, destinationAddress, EthernetPacketType.IpV4)
{
PayloadPacket = payloapPacket
};
return result;
}
//handles how packets are processed for connectivity check. if there are packts, sets flag to true. same logic as PacketHandler
private static void DeviceConnectivityHandler(object sender, CaptureEventArgs e)
{
PacketDotNet.Packet packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
string details = string.Format("{0}", packet.ToString());
if ((!string.IsNullOrEmpty(details)) && (!string.IsNullOrWhiteSpace(details)))
{
isDeviceActive = true;
}
}
private void OnPacketArrival(object sender, CaptureEventArgs e)
{
var tcp = (TcpPacket)Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data).Extract(typeof(TcpPacket));
var ipv4 = (IPv4Packet)tcp.ParentPacket;
var sourceAddress = ipv4.SourceAddress.ToString();
var data = tcp.PayloadData;
if (sourceAddress == _serverIp)
{
if (IsZlibStartPacket(data))
{
_libFaolanCompression = new LibFaolanCompression();
}
if (_libFaolanCompression == null)
{
throw new Exception("_libFaolanCompression == null");
}
var decompressedData = _libFaolanCompression.Inflate(data);
if (decompressedData == null)
{
throw new Exception("decompressedData == null");
}
if (decompressedData.Length == 0)
{
return;
}
foreach (var cp in _serverWireProtocol.CreateMessages(decompressedData))
{
_capturedPackets.Add(new PacketWrapper(_packetCounter++, ipv4, tcp.SourcePort, tcp.DestinationPort,
(ConanPacket)cp));
}
}
else if (sourceAddress == _clientIp)
{
// Client sometimes sends the zlib start packet, but never actually uses compression (anymore)
if (IsZlibStartPacket(data))
{
Console.WriteLine("Client send zlib start packet");
return;
}
foreach (var cp in _clientWireProtocol.CreateMessages(data))
{
_capturedPackets.Add(new PacketWrapper(_packetCounter++, ipv4, tcp.SourcePort, tcp.DestinationPort,
(ConanPacket)cp));
}
}
else
{
throw new Exception("Weird stuff is happening");
}
}
public TcpPacket(byte[] Bytes, int Offset, PosixTimeval Timeval, Packet ParentPacket)
: this(Bytes, Offset, Timeval)
{
this.ParentPacket = ParentPacket;
if (this.ParentPacket is IPv4Packet)
{
IPv4Packet parentPacket = (IPv4Packet) this.ParentPacket;
int num = parentPacket.TotalLength - (parentPacket.HeaderLength * 4);
int num2 = num - this.Header.Length;
base.payloadPacketOrData.TheByteArraySegment.Length = num2;
}
}
public bool CheckIfIsRequestDHCPIpv6(Packet p)
{
if (p.PayloadPacket == null || p.PayloadPacket.PayloadPacket == null)
return false;
if (!(p.PayloadPacket.PayloadPacket is UdpPacket) || !(p.PayloadPacket is IPv6Packet))
return false;
if ((p.PayloadPacket as IPv6Packet).SourceAddress.Equals(Program.CurrentProject.data.GetIPv6LocalLinkFromDevice(device)))
return false;
if ((p.PayloadPacket.PayloadPacket as UdpPacket).SourcePort == 546 && (p.PayloadPacket.PayloadPacket as UdpPacket).DestinationPort == 547)
return true;
return false;
}
public static void getEndPoint(Packet p, out System.Net.IPEndPoint src, out System.Net.IPEndPoint dest)
{
if (p.PayloadPacket is IpPacket)
if (p.PayloadPacket.PayloadPacket is TcpPacket)
{
src = new System.Net.IPEndPoint((p.PayloadPacket as IpPacket).SourceAddress,
(p.PayloadPacket.PayloadPacket as TcpPacket).SourcePort);
dest = new System.Net.IPEndPoint((p.PayloadPacket as IpPacket).DestinationAddress,
(p.PayloadPacket.PayloadPacket as TcpPacket).DestinationPort);
return;
}
src = null; dest = null;
}
public static void AnalyzePacket(Packet p)
{
if (p == null)
return;
if (
(p.PayloadPacket != null && p.PayloadPacket is IPv6Packet)
&&
(p.PayloadPacket.PayloadPacket != null && p.PayloadPacket.PayloadPacket is ICMPv6Packet)
)
{
AnalyzeICMPv6Packet(p);
}
}
/// <summary>
/// Initialize Http Packet
/// </summary>
/// <param name="packet">First TCP packet which consist of Http packet</param>
public HttpPacket(Packet packet)
: this()
{
try
{
TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket));
// Update next sequence number
nextSequenceNumber = tcpPacket.SequenceNumber + (uint)packet.PayloadPacket.PayloadPacket.PayloadData.Length;
ParsingHeader(packet.PayloadPacket.PayloadPacket.PayloadData);
}
catch (ArgumentException e)
{
throw new ArgumentException("invalid packet data");
}
}
public void AnalyzePacket(Packet p)
{
try
{
if (p is EthernetPacket)
{
if (p.PayloadPacket == null)
return;
//Para que no se procesen los paquetes del DoS
if ((p as EthernetPacket).SourceHwAddress.Equals(DoSSLAAC.MACsrc))
return;
if (p.PayloadPacket is ARPPacket)
AnalyzeARP(p);
if (p.PayloadPacket is IPv6Packet)
AnalyzeIPv6Packet(p);
else if (p.PayloadPacket is IPv4Packet)
AnalyzeIPv4Packet(p);
AnalyzeLLMNR(p);
// Ataque pasivo DHCP ACK Injector en Ipv4
if ((attacks.Where(A => A.attackType == AttackType.DHCPACKInjection && A.attackStatus == AttackStatus.Attacking).Count() > 0))
{
if (DHCPACKInjection.CheckIfIsDHCP(p))
DHCPACKInjection.AnalyzePacket(device, p);
}
// Ataque pasivo DHCP IPv6
if ((attacks.Where(A => A.attackType == AttackType.DHCPIpv6 && A.attackStatus == AttackStatus.Attacking).Count() > 0))
{
if (DHCPIpv6.CheckIfIsRequestDHCPIpv6(p))
DHCPIpv6.AnalyzePacket(device, p);
}
OSDetector.AnalyzePacket(p);
pasivePortScan.AnalyzePacket(p);
route.CheckToRoutePacket(p);
}
}
catch
{
// Paquete perdido!!!
}
}
/// <summary>
/// Comprueba si el paquete ha sido enrutado verificando si llega de 8.8.8.8 con seqId = 1
/// </summary>
/// <returns></returns>
private bool IsRoutedPacked(Packet p)
{
if ((p.PayloadPacket != null) && (p.PayloadPacket is IPv4Packet) &&
(p.PayloadPacket.PayloadPacket != null) && (p.PayloadPacket.PayloadPacket is TcpPacket))
{
TcpPacket tcp = (TcpPacket)p.PayloadPacket.PayloadPacket;
if (tcp.DestinationPort == 31337 && tcp.SourcePort == 53)
{
if (tcp.AcknowledgmentNumber == 1)
{
return true;
}
}
}
return false;
}
// arp response
private void VerifyPacket1(Packet p)
{
var arpPacket = (ARPPacket)p.Extract (typeof(ARPPacket));
Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null");
IPAddress senderIp = IPAddress.Parse("192.168.1.214");
IPAddress targetIp = IPAddress.Parse("192.168.1.202");
Assert.AreEqual(senderIp, arpPacket.SenderProtocolAddress);
Assert.AreEqual(targetIp, arpPacket.TargetProtocolAddress);
string senderMacAddress = "00216A020854";
string targetMacAddress = "000461990154";
Assert.AreEqual(senderMacAddress, arpPacket.SenderHardwareAddress.ToString());
Assert.AreEqual(targetMacAddress, arpPacket.TargetHardwareAddress.ToString());
}
// arp request
private void VerifyPacket0(Packet p)
{
var arpPacket = ARPPacket.GetEncapsulated(p);
Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null");
IPAddress senderIp = IPAddress.Parse("192.168.1.202");
IPAddress targetIp = IPAddress.Parse("192.168.1.214");
Assert.AreEqual(senderIp, arpPacket.SenderProtocolAddress);
Assert.AreEqual(targetIp, arpPacket.TargetProtocolAddress);
string senderMacAddress = "000461990154";
string targetMacAddress = "000000000000";
Assert.AreEqual(senderMacAddress, arpPacket.SenderHardwareAddress.ToString());
Assert.AreEqual(targetMacAddress, arpPacket.TargetHardwareAddress.ToString());
}
public void GenerateLLMNRResponse(Packet packet)
{
try
{
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(((UdpPacket)(packet.PayloadPacket.PayloadPacket)).PayloadData);
if (llmnr.Query.Name.ToLower().Equals("wpad") && llmnr.Query.Type.Value == LLMNR.DNSType.A)
{
WinPcapDevice dev = Program.CurrentProject.data.GetDevice();
IPAddress ip = Program.CurrentProject.data.GetIPv4FromDevice(dev);
byte[] ipv4Addr = ip.GetAddressBytes();
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.A,
RData = ipv4Addr,
RDLength = (short)ipv4Addr.Length,
TTL = 12
});
llmnr.IsResponse = true;
EthernetPacket ethDns = new EthernetPacket(dev.MacAddress, ((EthernetPacket)packet).SourceHwAddress, EthernetPacketType.IpV4);
IPv4Packet ipv4Dns = new IPv4Packet(ip, ((IPv4Packet)((EthernetPacket)packet).PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(((UdpPacket)(packet.PayloadPacket.PayloadPacket)).DestinationPort, ((UdpPacket)(packet.PayloadPacket.PayloadPacket)).SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv4Dns.PayloadPacket = udpDns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv4Dns.UpdateIPChecksum();
ipv4Dns.UpdateCalculatedValues();
ethDns.PayloadPacket = ipv4Dns;
Program.CurrentProject.data.SendPacket(ethDns);
}
}
catch (Exception)
{
}
}
public void AnalyzePacket(Packet p)
{
if (p == null)
return;
if (p.PayloadPacket == null)
return;
if (p.PayloadPacket.PayloadPacket == null)
return;
if (p.PayloadPacket is IpPacket)
{
if (p.PayloadPacket.PayloadPacket is TcpPacket)
AnalyzeTCP(p);
else if (p.PayloadPacket.PayloadPacket is UdpPacket)
AnalyzeUDP(p);
}
}
public static Idmef.IDMEFMessage CreateAltertMessageFromRawPacket(Packet packet)
{
IDMEFMessage idmefMessage = new IDMEFMessage();
idmefMessage.Items = new object[1];
//this is an IDMEF alert
Alert alertMessage = new Idmef.Alert();
//build the alert message
alertMessage.CreateTime = CreateTimestamp(DateTime.Now);
// add more alert stuff here
//add the alert to the message
idmefMessage.Items[0] = alertMessage;
return idmefMessage;
}
private void VerifyPacket0(Packet p)
{
// expect an arp packet
var arpPacket = ARPPacket.GetEncapsulated(p);
Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null");
// validate some of the LinuxSSLPacket fields
var l = (LinuxSLLPacket)p;
Assert.AreEqual(6, l.LinkLayerAddressLength, "Address length");
Assert.AreEqual(1, l.LinkLayerAddressType);
Assert.AreEqual(LinuxSLLType.PacketSentToUs, l.Type);
// validate some of the arp fields
Assert.AreEqual("192.168.1.1",
arpPacket.SenderProtocolAddress.ToString(),
"Arp SenderProtocolAddress");
Assert.AreEqual("192.168.1.102",
arpPacket.TargetProtocolAddress.ToString(),
"Arp TargetProtocolAddress");
}
private static void AnalyzeICMPv6Packet(Packet packet)
{
if (!(packet.PayloadPacket.PayloadPacket is ICMPv6Packet))
return;
try
{
ICMPv6Types type = ((ICMPv6Packet)packet.PayloadPacket.PayloadPacket).Type;
if (type == ICMPv6Types.NeighborAdvertisement)
{
ushort payloadLen = ((IPv6Packet)packet.PayloadPacket).PayloadLength;
byte[] flags = new byte[4];
flags[0] = (packet.PayloadPacket.PayloadPacket).Bytes[4];
flags[1] = (packet.PayloadPacket.PayloadPacket).Bytes[5];
flags[2] = (packet.PayloadPacket.PayloadPacket).Bytes[6];
flags[3] = (packet.PayloadPacket.PayloadPacket).Bytes[7];
Data.Neighbor neighbor = Program.CurrentProject.data.GetNeighbor(((EthernetPacket)packet).SourceHwAddress);
if (neighbor != null)
{
// Si el payload UDP es 24 bytes, y los flags son 0x40000000 (sol) puede ser un linux, y no un windows (0x60000000, sol ovr).
if ((flags[0] == 0x40) && (flags[1] == 0x00) && (flags[2] == 0x00) && (flags[3] == 0x00))
{
// Linux
if (neighbor.osPlatform == Data.Platform.Unknow)
neighbor.osPlatform = Data.Platform.Linux;
}
else if ((flags[0] == 0x60) && (flags[1] == 0x00) && (flags[2] == 0x00) && (flags[3] == 0x00))
{
// Windows
if (neighbor.osPlatform == Data.Platform.Unknow)
neighbor.osPlatform = Data.Platform.Windows;
}
}
}
}
catch (ArgumentOutOfRangeException)
{
}
}
/// <summary>
/// 为当前的TreeView增加节点(节点信息来自编码的包的字段)
/// </summary>
/// <param name="p">要解码的包</param>
/// <param name="deepth">当前各个项的根节点的序号</param>
private void addNodes(Packet p, int deepth)
{
//增加包的类型名称并切掉命名空间前缀
string packetName = p.GetType().ToString();
packetName = packetName.Substring(13, packetName.Length - 13);
TreeNode rootNode = new TreeNode(packetName);
this.tvPacket.Nodes.Add(rootNode);
Type t = p.GetType();
PropertyInfo[] pis = t.GetProperties();
//输出包的各个属性
for (int i = 0; i < pis.Length; i++)
{
string name = pis[i].Name;
Object value = pis[i].GetValue(p, null);
//空属性不输出;Color属性不输出;类型为System.Byte[]的项不输出
if (value != null && name != "Color" && pis[i].PropertyType.FullName != "System.Byte[]")
{
string strValue = value.ToString();
this.tvPacket.Nodes[deepth].Nodes.Add(new TreeNode(name + " : " + strValue));
}
}
}
public bool CheckIfHijack(Packet p)
{
foreach (Data.Attack attack in attacks.Where(A => A.attackType == Data.AttackType.DNSHijacking && A.attackStatus == Data.AttackStatus.Attacking))
{
if ((p.PayloadPacket != null && p.PayloadPacket.PayloadPacket != null) && (p.PayloadPacket.PayloadPacket is UdpPacket))
{
EthernetPacket ethernet = (EthernetPacket)p;
IpPacket ip = (IpPacket)p.PayloadPacket;
UdpPacket udp = (UdpPacket)p.PayloadPacket.PayloadPacket;
if ((udp.SourcePort == 53)) // La respuesta DNS
{
// Comprobamos que venga a nuestra MAC pero no a nuestra IP
if (NeedToRoute(ip))
{
try
{
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
DNSHijackAttack dnsAttack = (DNSHijackAttack)attack;
foreach (Heijden.DNS.Question q in response.Questions)
{
if ((q.QName == dnsAttack.domain + ".") || dnsAttack.domain == "*")
return true;
}
}
catch
{
return false;
}
}
else
return false;
}
}
}
return false;
}
/*
* handles how packets are processed. prints off timestamp, length of packet, and readable packet information
* saves each packet to a queue for later processing. email admin if there are any issues
*/
private static void PacketHandler(object sender, CaptureEventArgs e)
{
try
{
PacketDotNet.Packet packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
DateTime time = e.Packet.Timeval.Date;
int length = e.Packet.Data.Length;
string details = string.Format("{0} Length={1}\n{2}\n\n", DateTime.Now, length, packet.ToString());
Console.WriteLine(details);
currentDetailsQueue.AppendLine(details);
IPv4Packet ipv4Packet = packet.PayloadPacket as IPv4Packet;
if ((currentTrafficQueue.Contains(ipv4Packet.SourceAddress) == false) && (ipv4Packet.SourceAddress.ToString().Contains("192.168") == false))
{
currentTrafficQueue.Add(ipv4Packet.SourceAddress);
}
}
catch (Exception exception)
{
Security.CheckInternetConnection();
Security.EmailAdmin(exception.ToString(), "PacketHandler");
}
}
// icmpv6
public void VerifyPacket0(Packet p, RawCapture rawCapture)
{
Assert.IsNotNull(p);
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHwAddress);
Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHwAddress);
var ip = IpPacket.GetEncapsulated(p);
Console.WriteLine("ip {0}", ip.ToString());
Assert.AreEqual(System.Net.IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("ff02::2"), ip.DestinationAddress);
Assert.AreEqual(IpVersion.IPv6, ip.Version);
Assert.AreEqual(IPProtocolType.ICMPV6, ip.Protocol);
Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch");
Assert.AreEqual(255, ip.HopLimit);
Assert.AreEqual(255, ip.TimeToLive);
Assert.AreEqual(0x3a, (byte)ip.NextHeader);
Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented.");
Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds);
Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds);
}
private void Write(Packet packet)
{
var ethPacket = packet as EthernetPacket;
if (ethPacket == null)
return;
var ipPacket = ethPacket.Extract(typeof (IPv4Packet)) as IPv4Packet;
if (ipPacket == null)
return;
var udpPacket = ipPacket.Extract(typeof (UdpPacket)) as UdpPacket;
if (udpPacket == null)
return;
var sb = new StringBuilder();
sb.Append(String.Format("{0:yyyyMMdd HHmmss:fff}", DateTime.Now));
sb.Append("\t");
sb.Append(ethPacket.SourceHwAddress);
sb.Append("\t");
sb.Append(ethPacket.DestinationHwAddress);
sb.Append("\t");
sb.Append(ipPacket.SourceAddress);
sb.Append("\t");
sb.Append(ipPacket.DestinationAddress);
sb.Append("\t");
sb.Append(udpPacket.SourcePort);
sb.Append("\t");
sb.Append(udpPacket.DestinationPort);
sb.Append("\t");
var dhcpPacket = new DhcpPacket(udpPacket.PayloadData);
dhcpPacket.ReadPacket(_parameters, sb);
sb.Append("\r\n");
String loggingText = sb.ToString();
File.AppendAllText(_parameters.LogFilename, loggingText);
Console.Write(loggingText);
}
public PacketEventArgs(Packet packet)
{
this.packet = packet;
}
public ArpEventArgs(Packet p)
{
this.p = p;
}
public void SendPacket(PacketDotNet.Packet packet)
{
this.device.SendPacket(packet);
}
public static ushort PayloadChecksum(this PacketDotNet.Packet packet)
{
return(CRC16.ComputeChecksum(packet.PayloadData));
}
public Entry(SharpPcap.PosixTimeval timeval, PacketDotNet.Packet packet)
{
this.Timeval = timeval;
this.Packet = packet;
}
private int sendMsg(int srcPort, int destPort, PacketDotNet.Packet packet)
{
if (destPort.Equals(srcPort))
{
// Console.WriteLine("Src a dest sa rovnaju zahod paket");
return(-1);
}
else if (destPort.Equals(-1))
{
// Console.WriteLine("Robime flood");
if (srcPort.Equals(1))
{
// Console.WriteLine("Posielame flood na 2 a ja som src " + srcPort);
try
{
//Send the packet out the network device
dev2.SendPacket(packet);
// System.Diagnostics.Trace.WriteLine("-- Packet sent successfuly.");
}
catch (Exception e)
{
System.Diagnostics.Trace.WriteLine("-- " + e.Message);
}
return(2);
}
else if (srcPort.Equals(2))
{
// Console.WriteLine("Posielame flood na 1 a ja som src " + srcPort);
try
{
//Send the packet out the network device
dev1.SendPacket(packet);
// System.Diagnostics.Trace.WriteLine("-- Packet sent successfuly.");
}
catch (Exception e)
{
System.Diagnostics.Trace.WriteLine("-- " + e.Message);
}
return(1);
}
}
else if (destPort.Equals(1) && !destPort.Equals(srcPort))
{
//Console.WriteLine("Posielame klasika na 1");
try
{
//Send the packet out the network device
dev1.SendPacket(packet);
// System.Diagnostics.Trace.WriteLine("-- Packet sent successfuly.");
}
catch (Exception e)
{
System.Diagnostics.Trace.WriteLine("-- " + e.Message);
}
return(1);
}
else if (destPort.Equals(2) && !destPort.Equals(srcPort))
{
// Console.WriteLine("Posielame klasika na 2");
try
{
//Send the packet out the network device
dev2.SendPacket(packet);
// System.Diagnostics.Trace.WriteLine("-- Packet sent successfuly.");
}
catch (Exception e)
{
System.Diagnostics.Trace.WriteLine("-- " + e.Message);
}
return(2);
}
return(-1);
}
private void VerifyPacket2(Packet p)
{
// expecting a tcp packet
Assert.IsNotNull(TcpPacket.GetEncapsulated(p), "expected a tcp packet");
}
private void VerifyPacket1(Packet p)
{
// expect a udp packet
Assert.IsNotNull(UdpPacket.GetEncapsulated(p), "expected a udp packet");
}
/// <summary>
/// Constructor with parent packet
/// </summary>
/// <param name="bas">
/// A <see cref="ByteArraySegment"/>
/// </param>
/// <param name="ParentPacket">
/// A <see cref="Packet"/>
/// </param>
public ICMPv6Packet(ByteArraySegment bas,
Packet ParentPacket) : this(bas)
{
this.ParentPacket = ParentPacket;
}
public packView(int loffset , ref PacketDotNet.Packet targetPack)
{
pack = targetPack;
Text = pack.GetType().Name;
moffset = loffset;
listField(ref pack);
paintNodes();
}
