Ejemplo n.º 1
0
        /*
         *
         *  Some example packets for manual testing and experimentation, if needed.
         *
         * // Starts with UDP header because it is incomplete (did not fit in 1500 Ethernet frame).
         * // Identified by "frame.protocols": "eth:ethertype:ip:data"
         * // Given that UDP header is not parsed due to incomplete packet, we do not get "udp.dstport" value for this type of packet.
         * // Inside is UDP multicast packet.
         * const string IncompleteUdpPacketHex = "1535153505f50000010000010101005e28500100155d04eb0e0800450005da457340001f1198cbc0a87802ef2850019595138905c61d71000001e55e27e764000e2d69323334350000000030313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334";
         *
         * // Seems to start with TZSP header because it is complete.
         * // Identified by "frame.protocols": "eth:ethertype:ip:udp:data"
         * // We get "udp.dstport" value for this because TShark can parse the full packet.
         * // Inside is TCP packet.
         * const string CompleteTcpPacketHex = "010000010100155d04eb0a00155d04eb0e080045000274655e40003f0661d0c0a87802c0a87902eba01451cf757cdc16f4d46680100480223300000101080acae8ac2922f45e949d2efd0c894fdee47ecc96c750f49ad526016ad8ff12a3a218d5d86dd9445876725583fba461df222d75e97e6983538f84bd6783d00a25e8dffd55b941ad2fb302b2aea6138dc84102b1bf6b3412fab8cf623b9f6c61884c5edd05a08b34538de70234fa8ffc3b92aefafde20cf89bdc5ad67bc637031296e117366c4c89f9338b2d2d1b2a69add863aaba70a2554cfc2cc7c363cbd5f9aced2f1839b9116c443f995f69020c4166b7fbd6595122567de919e0b4eeda60db097814c28a8007c91a66321c7373822a6e5883bf7ad93c64f21d18e1f779bc00f1d1c37b51ca446b307688a3e90acd58635117dd2a54411d715afe68d3ba68c48b2b40ddf5844826fbd0c9e4db973c3ee8541b12a85d2f19b72d818ae8e94e73158e500a1399300e69faf244912f8279839e8b2bfbbb44b2e8c53cd0ae8a44c31994ce2c2dfe3a97f82cdb895b5e02defc8e09f7494da93112e502c16f468488da52b40851ee9f491b7ad376d8d555d4635ecbacac74debe59e07fc926045100560608a7f4a7f10f22c486fa99dbcffd399aa9e50f87a4686723318d27838e7e8996257d3e168d60da135a74ee297127c41a0dd3a2b13b09d46d97fcf0257a79bb9ff6f9b683599096b40484dd75aca190b974326ab03b3e1dd23a0df7b486b3547cac0a00069a96ba9f1b9714c739a480add6ea5d12287ae46387dc170d8f6b8a3b758a411020fbaf3b93c302cc6882793e6cd750955135f8d9110fe6a07b70dbf0fa1d001b18af56ab735977dbdbf11948c86add199fd5f2b0e4d9505f492b504448505f6100b5";
         *
         */

        private static void ProcessTzspPacketWithUdpHeader(byte[] packet)
        {
            using var stream = new MemoryStream(packet);
            using var reader = new MultiEndianBinaryReader(stream, ByteOrder.BigEndian);

            // source port (2)
            // destination port (2)
            // length (2)
            // checksum (2)

            stream.Position = 2;
            var listenPort = reader.ReadUInt16();

            ProcessTzspPacket(packet.Skip(8).ToArray(), listenPort);
        }
Ejemplo n.º 2
0
 public void Reset()
 {
     _reader = new MultiEndianBinaryReader(new MemoryStream(TestData), ByteOrder.LittleEndian);
 }
Ejemplo n.º 3
0
        public void EndOfStreamIsThrown()
        {
            var reader = new MultiEndianBinaryReader(new MemoryStream(new byte[3]), ByteOrder.LittleEndian);

            Assert.ThrowsException <EndOfStreamException>(() => reader.ReadInt32());
        }
Ejemplo n.º 4
0
        private static void ProcessTzspPacket(byte[] packet, ushort listenPort)
        {
            // TZSP header
            // version (1) == 1
            // type (1) == 0
            // protocol (2) == 1
            // tags (N)
            //   type (1) == anything, but 1 means no more tags (not even the rest of the fields of this tag)
            //   length (1)
            //   data (N)
            // packetdata (...)
            //      Ethernet MAC header (14)
            //      IP header
            //        +0 version (0.5)
            //        +0.5 header length / 4 (0.5)
            //        +2 total length (2)
            //        +9 protocol (1)
            //        +12 source address (4)
            //        +16 destination address (4)
            //        ...options...
            //      inner packet

            using var stream = new MemoryStream(packet);
            using var reader = new MultiEndianBinaryReader(stream, ByteOrder.BigEndian);

            var tzspVersion = reader.ReadByte();

            if (tzspVersion != 1)
            {
                throw new NotSupportedException("TZSP version != 1");
            }

            var tzspType = reader.ReadByte();

            if (tzspType != 0)
            {
                throw new NotSupportedException("TZSP type != 0");
            }

            var tzspProtocol = reader.ReadUInt16();

            if (tzspProtocol != 1)
            {
                throw new NotSupportedException("TZSP protocol != 1");
            }

            while (true)
            {
                var tagType = reader.ReadByte();

                if (tagType == 1)
                {
                    break;
                }

                var tagLength = reader.ReadByte();
                stream.Position += tagLength; // Skip the tag.
            }

            stream.Position += 14; // Skip MAC header

            var firstByte = reader.ReadByte();

            var ipVersion = (firstByte & 0xF0) >> 4;

            if (ipVersion != 4)
            {
                return; // We only support IPv4
            }
            var headerLength          = (firstByte & 0x0F) * 4;
            var positionAfterIpHeader = stream.Position - 1 + headerLength;

            stream.Position += 1; // Skip to total length.

            // Captured packet, ignoring any TZSP layers.
            var totalPacketLengthIncludingIpHeader = reader.ReadUInt16();

            stream.Position += 5; // Skip to protocol.

            var protocol = reader.ReadByte();

            stream.Position += 2; // Skip to source address.

            var sourceAddress      = new IPAddress(reader.ReadBytesAndVerify(4));
            var destinationAddress = new IPAddress(reader.ReadBytesAndVerify(4));

            var sourceAddressString      = sourceAddress.ToString();
            var destinationAddressString = destinationAddress.ToString();

            string sourceAddressType      = DetermineIPv4AddressType(sourceAddress);
            string destinationAddressType = DetermineIPv4AddressType(destinationAddress);

            stream.Position = positionAfterIpHeader;

            int?sourcePort      = null;
            int?destinationPort = null;

            if (protocol == 17 || protocol == 6)
            {
                // If UDP or TCP, source and destination port are next fields.
                sourcePort      = reader.ReadUInt16();
                destinationPort = reader.ReadUInt16();
            }
            else
            {
                // unknown protocol
            }

            string protocolName = "unknown";

            if (Enum.IsDefined(typeof(ProtocolType), (int)protocol))
            {
                protocolName = ((ProtocolType)protocol).ToString().ToLowerInvariant();
            }

            BytesBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName, listenPort.ToString()).Inc(totalPacketLengthIncludingIpHeader);
            PacketsBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName, listenPort.ToString()).Inc();
        }