/* * * Some example packets for manual testing and experimentation, if needed. * * // Starts with UDP header because it is incomplete (did not fit in 1500 Ethernet frame). * // Identified by "frame.protocols": "eth:ethertype:ip:data" * // Given that UDP header is not parsed due to incomplete packet, we do not get "udp.dstport" value for this type of packet. * // Inside is UDP multicast packet. * const string IncompleteUdpPacketHex = "1535153505f50000010000010101005e28500100155d04eb0e0800450005da457340001f1198cbc0a87802ef2850019595138905c61d71000001e55e27e764000e2d69323334350000000030313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334"; * * // Seems to start with TZSP header because it is complete. * // Identified by "frame.protocols": "eth:ethertype:ip:udp:data" * // We get "udp.dstport" value for this because TShark can parse the full packet. * // Inside is TCP packet. * const string CompleteTcpPacketHex = "010000010100155d04eb0a00155d04eb0e080045000274655e40003f0661d0c0a87802c0a87902eba01451cf757cdc16f4d46680100480223300000101080acae8ac2922f45e949d2efd0c894fdee47ecc96c750f49ad526016ad8ff12a3a218d5d86dd9445876725583fba461df222d75e97e6983538f84bd6783d00a25e8dffd55b941ad2fb302b2aea6138dc84102b1bf6b3412fab8cf623b9f6c61884c5edd05a08b34538de70234fa8ffc3b92aefafde20cf89bdc5ad67bc637031296e117366c4c89f9338b2d2d1b2a69add863aaba70a2554cfc2cc7c363cbd5f9aced2f1839b9116c443f995f69020c4166b7fbd6595122567de919e0b4eeda60db097814c28a8007c91a66321c7373822a6e5883bf7ad93c64f21d18e1f779bc00f1d1c37b51ca446b307688a3e90acd58635117dd2a54411d715afe68d3ba68c48b2b40ddf5844826fbd0c9e4db973c3ee8541b12a85d2f19b72d818ae8e94e73158e500a1399300e69faf244912f8279839e8b2bfbbb44b2e8c53cd0ae8a44c31994ce2c2dfe3a97f82cdb895b5e02defc8e09f7494da93112e502c16f468488da52b40851ee9f491b7ad376d8d555d4635ecbacac74debe59e07fc926045100560608a7f4a7f10f22c486fa99dbcffd399aa9e50f87a4686723318d27838e7e8996257d3e168d60da135a74ee297127c41a0dd3a2b13b09d46d97fcf0257a79bb9ff6f9b683599096b40484dd75aca190b974326ab03b3e1dd23a0df7b486b3547cac0a00069a96ba9f1b9714c739a480add6ea5d12287ae46387dc170d8f6b8a3b758a411020fbaf3b93c302cc6882793e6cd750955135f8d9110fe6a07b70dbf0fa1d001b18af56ab735977dbdbf11948c86add199fd5f2b0e4d9505f492b504448505f6100b5"; * */ private static void ProcessTzspPacketWithUdpHeader(byte[] packet) { using var stream = new MemoryStream(packet); using var reader = new MultiEndianBinaryReader(stream, ByteOrder.BigEndian); // source port (2) // destination port (2) // length (2) // checksum (2) stream.Position = 2; var listenPort = reader.ReadUInt16(); ProcessTzspPacket(packet.Skip(8).ToArray(), listenPort); }
public void Reset() { _reader = new MultiEndianBinaryReader(new MemoryStream(TestData), ByteOrder.LittleEndian); }
public void EndOfStreamIsThrown() { var reader = new MultiEndianBinaryReader(new MemoryStream(new byte[3]), ByteOrder.LittleEndian); Assert.ThrowsException <EndOfStreamException>(() => reader.ReadInt32()); }
private static void ProcessTzspPacket(byte[] packet, ushort listenPort) { // TZSP header // version (1) == 1 // type (1) == 0 // protocol (2) == 1 // tags (N) // type (1) == anything, but 1 means no more tags (not even the rest of the fields of this tag) // length (1) // data (N) // packetdata (...) // Ethernet MAC header (14) // IP header // +0 version (0.5) // +0.5 header length / 4 (0.5) // +2 total length (2) // +9 protocol (1) // +12 source address (4) // +16 destination address (4) // ...options... // inner packet using var stream = new MemoryStream(packet); using var reader = new MultiEndianBinaryReader(stream, ByteOrder.BigEndian); var tzspVersion = reader.ReadByte(); if (tzspVersion != 1) { throw new NotSupportedException("TZSP version != 1"); } var tzspType = reader.ReadByte(); if (tzspType != 0) { throw new NotSupportedException("TZSP type != 0"); } var tzspProtocol = reader.ReadUInt16(); if (tzspProtocol != 1) { throw new NotSupportedException("TZSP protocol != 1"); } while (true) { var tagType = reader.ReadByte(); if (tagType == 1) { break; } var tagLength = reader.ReadByte(); stream.Position += tagLength; // Skip the tag. } stream.Position += 14; // Skip MAC header var firstByte = reader.ReadByte(); var ipVersion = (firstByte & 0xF0) >> 4; if (ipVersion != 4) { return; // We only support IPv4 } var headerLength = (firstByte & 0x0F) * 4; var positionAfterIpHeader = stream.Position - 1 + headerLength; stream.Position += 1; // Skip to total length. // Captured packet, ignoring any TZSP layers. var totalPacketLengthIncludingIpHeader = reader.ReadUInt16(); stream.Position += 5; // Skip to protocol. var protocol = reader.ReadByte(); stream.Position += 2; // Skip to source address. var sourceAddress = new IPAddress(reader.ReadBytesAndVerify(4)); var destinationAddress = new IPAddress(reader.ReadBytesAndVerify(4)); var sourceAddressString = sourceAddress.ToString(); var destinationAddressString = destinationAddress.ToString(); string sourceAddressType = DetermineIPv4AddressType(sourceAddress); string destinationAddressType = DetermineIPv4AddressType(destinationAddress); stream.Position = positionAfterIpHeader; int?sourcePort = null; int?destinationPort = null; if (protocol == 17 || protocol == 6) { // If UDP or TCP, source and destination port are next fields. sourcePort = reader.ReadUInt16(); destinationPort = reader.ReadUInt16(); } else { // unknown protocol } string protocolName = "unknown"; if (Enum.IsDefined(typeof(ProtocolType), (int)protocol)) { protocolName = ((ProtocolType)protocol).ToString().ToLowerInvariant(); } BytesBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName, listenPort.ToString()).Inc(totalPacketLengthIncludingIpHeader); PacketsBase.WithLabels(sourceAddressString, sourceAddressType, destinationAddressString, destinationAddressType, protocolName, listenPort.ToString()).Inc(); }