Ejemplo n.º 1
0
        protected override void ProcessConversation()
        {
            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);

            // now we can create a reader that will be reading from the stream we just created


            //////////////////////////////////
            // reader will spawn messages, cycle through them
            do
            {
                var reader = new PDUStreamReader(stream, Encoding.ASCII)
                {
                    ReadBigEndian = true
                };
                this.OnBeforeProtocolParsing();

                var msg = new ICQMsg(reader);

                if (!msg.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = msg.Timestamp;
                    this.SnooperExport.AddExportReport(ExportReport.ReportLevel.Warn, this.Name, "parsing of ICQ message failed: " + msg.InvalidReason, msg.ExportSources);
                    // skip processing, go to next message
                    continue;
                }
                this.OnAfterProtocolParsing();

                this.OnBeforeDataExporting();
                this.ProcessMsg(msg);
                this.OnAfterDataExporting();
            } while(stream.NewMessage());
        }
        public void TestStreamReaderMore()
        {
            var captureFile = this.PrepareCaptureForProcessing(Pcaps.Default.sip_caps_sip_rtcp_pcap);

            this.FrameworkController.ProcessCapture(captureFile);
            this._conversations = this.L7Conversations.Where(c => c.ApplicationTags.Contains("SIP")).ToArray();
            var    counter = 0;
            string line;

            foreach (var conversation in this._conversations)
            {
                var stream = new PDUStreamBasedProvider(conversation, EfcPDUProviderType.SingleMessage);
                var reader = new PDUStreamReader(stream, Encoding.ASCII);
                do
                {
                    counter++;
                    Console.WriteLine(counter + ". message ######### ");
                    do
                    {
                        line = reader.ReadLine();
                        Console.WriteLine(line);
                    } while(line != null);
                } while(reader.NewMessage());
            }
        }
Ejemplo n.º 3
0
        protected override void ProcessConversation()
        {
            Console.WriteLine(@"SnooperMinecraft.ProcessConversation() called");

            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
            // now we can create a reader that will be reading from the stream we just created
            var reader = new BinaryReader(stream, Encoding.ASCII);

            // reader will spawn messages, cycle through them
            do
            {
                this.OnBeforeProtocolParsing();

                // parse protocol
                // this is self parsing message, it just needs a reader to get data from
                var message = new MinecraftMsg(reader);
                if (!message.Valid) // is not chat message
                {
                    continue;
                }

                // parsing done
                this.OnAfterProtocolParsing();

                // start processing
                this.OnBeforeDataExporting();

                var exportedObject = new SnooperExportedMinecraftMessage(this.SnooperExport)
                {
                    TimeStamp = message.Timestamp,
                    Message   = message.MessageContent,
                    Sender    = message.Sender,
                    Receiver  = message.Receiver,
                    Text      = message.Text,
                    Type      = message.MessageType
                };

                // export
                exportedObject.ExportSources.Add(this.CurrentConversation);
                this.SnooperExport.AddExportObject(exportedObject);

                this.OnAfterDataExporting();

                //finalize processing of current message, moving to next one
                // IMPORTANT !!! this has to be called after each message successfully processed
                // so correct connections between exported data and exported reports can be kept
                //base.ProcessingDone();
            } while (stream.NewMessage());
        }
        public void ContinueInterlayReadTest()
        {
            this._stream = new PDUStreamBasedProvider(this._conversations.ToArray()[1], EfcPDUProviderType.ContinueInterlay);
            var cost = new byte[4];
            var big  = new byte[800];
            var two  = this._stream.Read(cost, 0, 2);

            Assert.IsTrue(two == 2 && this._stream.Position == 2);
            var two1 = this._stream.Read(cost, 2, 2);

            Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
            var v800 = this._stream.Read(big, 0, 800);

            Assert.IsTrue(v800 == 800 && this._stream.Position == 804);
            big  = new byte[800];
            v800 = this._stream.Read(big, 0, 800);
            Assert.IsTrue(v800 == 800 && this._stream.Position == 1604);
            v800 = this._stream.Read(big, 0, 800);
            Assert.IsTrue(v800 == 800 && this._stream.Position == 2404);

            var v0 = this._stream.Seek(0, SeekOrigin.Begin);

            big = new byte[30000];
            var vxx = this._stream.Read(big, 0, 22911); // to end of stream

            Assert.IsTrue(v0 == 0 && vxx == 22911 && this._stream.Position == 22911);

            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 22911);
            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 22911);

            var boollen = this._stream.NewMessage();

            Assert.IsTrue(boollen && this._stream.Position == 0);
            vxx = this._stream.Read(big, 0, 4005); // to end of stream
            Assert.IsTrue(v0 == 0 && vxx == 4005 && this._stream.Position == 4005);
            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 4005);
            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 4005);

            boollen = this._stream.NewMessage();
            Assert.IsTrue(!boollen && this._stream.Position == 0);

            //after total end of stream
            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
        }
        public void BinReaderBreakedTest()
        {
            this._stream = new PDUStreamBasedProvider(this._conversations.ToArray()[2], EfcPDUProviderType.Breaked);
            var binaryReader   = new BinaryReader(this._stream, Encoding.ASCII);
            var endOfFileFound = false;

            do
            {
                if (binaryReader.PeekChar() < 0)
                {
                    endOfFileFound = true;
                }
                else
                {
                    int c = binaryReader.ReadByte();
                }
            } while(!endOfFileFound);
        }
        public void BinReaderContinueInterlayTest()
        {
            this._stream = new PDUStreamBasedProvider(this._conversations.ToArray()[2], EfcPDUProviderType.ContinueInterlay);
            var binaryReader   = new BinaryReader(this._stream, Encoding.ASCII);
            var endOfFileFound = false;

            do
            {
                var c = binaryReader.PeekChar();
                if (c < 0)
                {
                    endOfFileFound = true;
                }
                else
                {
                    // stream.Seek(221, SeekOrigin.Begin);
                    c = binaryReader.ReadByte();
                }
            } while(!endOfFileFound);
        }
        public void BreakedReadTest()
        {
            this._stream = new PDUStreamBasedProvider(this._conversations.First(conv => conv.L7PDUs.Count() == this._conversations.Max(c => c.L7PDUs.Count())),
                                                      EfcPDUProviderType.Breaked);
            var cost = new byte[4];
            var big  = new byte[800];
            var two  = this._stream.Read(cost, 0, 2);

            Assert.IsTrue(two == 2 && this._stream.Position == 2);
            var two1 = this._stream.Read(cost, 2, 2);

            Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
            var vxx = this._stream.Read(big, 0, 800);

            Assert.IsTrue(vxx == 6 && this._stream.Position == 10);
            vxx = this._stream.Read(big, 0, 800);
            Assert.IsTrue(vxx == 0 && this._stream.Position == 10);

            var boollen = this._stream.NewMessage();

            Assert.IsTrue(boollen && this._stream.Position == 0);

            two = this._stream.Read(cost, 0, 2);
            Assert.IsTrue(two == 2 && this._stream.Position == 2);
            two1 = this._stream.Read(cost, 2, 2);
            Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
            vxx = this._stream.Read(big, 0, 800);
            Assert.IsTrue(vxx == 468 && this._stream.Position == 472);
            vxx = this._stream.Read(big, 0, 800);
            Assert.IsTrue(vxx == 0 && this._stream.Position == 472);

            boollen = this._stream.NewMessage();
            Assert.IsTrue(boollen && this._stream.Position == 0);

            vxx = this._stream.Read(big, 0, 800);
            Assert.IsTrue(vxx == 461 && this._stream.Position == 461);
            var v0 = this._stream.Read(big, 0, 800);

            Assert.IsTrue(v0 == 0 && this._stream.Position == 461);
        }
 public void TeraDown()
 {
     this._stream = null;
 }
        public void MixedReadTest()
        {
            this._stream = new PDUStreamBasedProvider(this._conversations.First(), EfcPDUProviderType.Mixed);
            var cost  = new byte[4];
            var cost1 = new byte[4];
            var big   = new byte[2000];
            var two   = this._stream.Read(cost, 0, 2);

            Assert.IsTrue(two == 2 && this._stream.Position == 2);
            var two1 = this._stream.Read(cost, 2, 2);

            Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
            var v800 = this._stream.Read(big, 0, 800);

            Assert.IsTrue(v800 == 800 && this._stream.Position == 804);
            big = new byte[2000];
            var vxx = this._stream.Read(big, 0, 800);

            Assert.IsTrue(vxx == 595 && this._stream.Position == 1399);
            long v0 = this._stream.Read(big, 0, 800);

            Assert.IsTrue(v0 == 0 && this._stream.Position == 1399);
            v0 = this._stream.Seek(0, SeekOrigin.Begin);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
            var v10 = this._stream.Seek(10, SeekOrigin.Begin);

            Assert.IsTrue(v10 == 10 && this._stream.Position == 10);
            v0 = this._stream.Seek(-10, SeekOrigin.Current);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
            v10 = this._stream.Seek(10, SeekOrigin.Current);
            Assert.IsTrue(v10 == 10 && this._stream.Position == 10);
            var v20 = this._stream.Seek(10, SeekOrigin.Current);

            Assert.IsTrue(v20 == 20 && this._stream.Position == 20);
            v10 = this._stream.Seek(-10, SeekOrigin.Current);
            Assert.IsTrue(v10 == 10 && this._stream.Position == 10);
            v0 = this._stream.Seek(-10, SeekOrigin.Current);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
            v0 = this._stream.Seek(-10, SeekOrigin.Current);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);

            var v2 = this._stream.Seek(2, SeekOrigin.Begin);

            two = this._stream.Read(cost, 0, 2);
            v0  = this._stream.Seek(-4, SeekOrigin.Current);
            Assert.IsTrue(v2 == 2 && this._stream.Position == 0 && v0 == 0 && two == 2);
            two = this._stream.Peek(cost1, 0, 2, 2, SeekOrigin.Current);
            Assert.IsTrue(two == 2 && cost[0] == cost1[0] && cost[1] == cost1[1] && this._stream.Position == 0);

            var v700 = this._stream.Seek(700, SeekOrigin.Begin);

            two = this._stream.Read(cost, 0, 2);
            v0  = this._stream.Seek(0, SeekOrigin.Begin);
            Assert.IsTrue(v700 == 700 && this._stream.Position == 0 && v0 == 0 && two == 2);
            two = this._stream.Peek(cost1, 0, 700, 2, SeekOrigin.Current);
            Assert.IsTrue(two == 2 && cost[0] == cost1[0] && cost[1] == cost1[1] && this._stream.Position == 0);

            v0 = this._stream.Seek(0, SeekOrigin.Begin);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
            two = this._stream.Read(cost, 0, 2);
            Assert.IsTrue(two == 2 && this._stream.Position == 2);

            v0 = this._stream.Seek(0, SeekOrigin.Begin);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
            vxx = this._stream.Read(big, 0, 1399); // to end of stream
            Assert.IsTrue(vxx == 1399 && this._stream.Position == 1399);
            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 1399);
            v0 = this._stream.Read(big, 0, 10);
            Assert.IsTrue(v0 == 0 && this._stream.Position == 1399);

            var boollen = this._stream.NewMessage();

            Assert.IsTrue(!boollen && this._stream.Position == 0);
            two = this._stream.Read(cost, 0, 2);
            Assert.IsTrue(two == 0 && this._stream.Position == 0);
        }
Ejemplo n.º 10
0
        protected override void ProcessConversation()
        {
            Debug.WriteLine(@"SnooperSMTP.ProcessConversation() called [" + this.CurrentConversation.SourceEndPoint + "->" + this.CurrentConversation.DestinationEndPoint + "]");

            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);
            // now we can create a reader that will be reading from the stream we just created
            var reader = new PDUStreamReader(stream, Encoding.ASCII);

            // reader will spawn messages, cycle through them
            do
            {
                this.OnBeforeProtocolParsing();
                // parse protocol

                // this is self parsing message, it just needs a reader to get data from
                var message = new SMTPMsg(reader);
                if (!message.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = message.Timestamp;
                    this.SnooperExport.AddExportReport(
                        ExportReport.ReportLevel.Warn,
                        this.Name,
                        "parsing of SMTP message failed, frame numbers: " + string.Join(",", message.Frames) + ": " +
                        message.InvalidReason,
                        message.ExportSources);
                    Debug.WriteLine(@"parsing of SMTP message failed, frame numbers: " + string.Join(",", message.Frames) + ": " + message.InvalidReason);
                    // skip processing, go to next message
                    continue;
                }

                // parsing done
                this.OnAfterProtocolParsing();

                // start processing
                this.OnBeforeDataExporting();

                // process parsed structure
                switch (message.Type)
                {
                case SMTPMsg.SMTPMsgType.MAIL:
                    var toBytes = Encoding.ASCII.GetBytes(message.MessageContent);

                    var exportedObject = new MIMEemail(this.SnooperExport, toBytes, EMailContentType.Whole);
                    exportedObject.EMailType = EMailType.SMTPOrgEmail;
                    exportedObject.TimeStamp = message.Timestamp;

                    foreach (var exportSource in message.ExportSources)
                    {
                        exportedObject.ExportSources.Add(exportSource);
                    }
                    this.SnooperExport.AddExportObject(exportedObject);
                    break;

                default:
                    break;
                }

                this.OnAfterDataExporting();
            } while (reader.NewMessage());
        }
Ejemplo n.º 11
0
        public L7DvbS2GseDecapsulatorBlock()
        {
            this._outputBuffer = new BufferBlock <PmFrameBase>();
            this._decapsulator = new ActionBlock <L7Conversation>(async l7Conversation =>
            {
                var stream = new PDUStreamBasedProvider(l7Conversation, EfcPDUProviderType.ContinueInterlay);
                var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437), true)
                {
                    ReadBigEndian = true
                };

                var gseReassembler = new GseReassemblingDecapsulator();
                while (!reader.EndOfStream)
                {
                    try
                    {
                        var bb = BaseBandFrame.Parse(reader);

                        // It's important to get `reader.PDUStreamBasedProvider.GetCurrentPDU()` after parsing Base-Band frame.
                        // During reading, its value is set to the last read PDU. If we would call it before Base-Band parsing,
                        // retrieved value would not be current PDU, but the previous one.
                        // frames encapsulating parsed Base-Band
                        var pdu = reader.PDUStreamBasedProvider.GetCurrentPDU();
                        if (pdu == null)
                        {
                            break;
                        }
                        var frames = ImmutableList.CreateRange(pdu.FrameList);

                        // Reassemble any fragmented GSE packets and obtain decapsulated frames, if any of them have been just finished.
                        var decapsulatedFrames = gseReassembler.Process(bb, frames);
                        foreach (var f in decapsulatedFrames)
                        {
                            this._outputBuffer.Post(f);
                        }
                    }
                    catch (InvalidPacketFormatException)
                    {
                        // Current PDU of l7Conversation does not contain DVB-S2 Base Band Frame.
                    }
                    catch (NotImplementedException)
                    {
                        // NOTE: Only Generic Continuous Stream Input is supported at this moment.
                    }

                    // move to the next message
                    if (!reader.NewMessage())
                    {
                        break;
                    }
                }
            });
            this._decapsulator.Completion.ContinueWith(t =>
            {
                if (t.IsFaulted)
                {
                    ((IDataflowBlock)this._outputBuffer).Fault(t.Exception);
                }
                else
                {
                    this._outputBuffer.Complete();
                }
            });
        }
Ejemplo n.º 12
0
        protected override void ProcessConversation()
        {
            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Mixed);
            // now we can create a reader that will be reading from the stream we just created
            var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437), true);

            // reader will spawn messages, cycle through them
            do
            {
                this.OnBeforeProtocolParsing();
                // parse protocol

                // this is self parsing message, it just needs a reader to get data from
                var message = new DNSParseMsg(reader);
                if (!message.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = message.Timestamp;
                    this.SnooperExport.AddExportReport(
                        ExportReport.ReportLevel.Warn,
                        this.Name,
                        "parsing of DNS message failed, frame numbers: " +
                        string.Join(",", message.Frames) + ": " +
                        message.InvalidReason,
                        message.ExportSources);
                    Console.WriteLine(@"parsing of DNS message failed, frame numbers: " +
                                      string.Join(",", message.Frames) + ": " + message.InvalidReason);
                    // skip processing, go to next message
                    continue;
                }

                // parsing done
                this.OnAfterProtocolParsing();

                // start processing
                this.OnBeforeDataExporting();

                var exportedObject = new SnooperExportedDataObjectDNS(this.SnooperExport)
                {
                    TimeStamp  = message.Timestamp,
                    MessageId  = message.MessageId,
                    Flags      = message.Flags,
                    Queries    = message.Queries,
                    Answer     = message.Answer,
                    Authority  = message.Authority,
                    Additional = message.Additional
                };

                //export
                foreach (var exportSource in message.ExportSources)
                {
                    exportedObject.ExportSources.Add(exportSource);
                }
                this.SnooperExport.AddExportObject(exportedObject);


                this.OnAfterDataExporting();

                //finalize processing of current message, moving to next one
                // IMPORTANT !!! this has to be called after each message successfully processed
                // so correct connections between exported data and exported reports can be kept
                //base.ProcessingDone();
            } while (reader.NewMessage());
        }
Ejemplo n.º 13
0
        protected override void ProcessConversation()
        {
            {
                var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
                var reader = new PDUStreamReader(stream, Encoding.Default);
                do
                {
                    this.OnBeforeProtocolParsing();
                    //Parse protocol....
                    SIPMsg _message;
                    _message = new SIPMsg(reader);

                    if (!_message.Valid)
                    {
                        this.SnooperExport.TimeStampFirst = _message.Timestamp;
                        this.SnooperExport.AddExportReport(
                            ExportReport.ReportLevel.Warn,
                            this.Name,
                            "parsing of SIP message failed, frame numbers: " + string.Join(",", _message.Frames) + ": " +
                            _message.InvalidReason,
                            _message.ExportSources);
                        Console.WriteLine("parsing of SIP message failed, frame numbers: " + string.Join(",", _message.Frames) + ": " + _message.InvalidReason);
                        continue;
                    }
                    this.OnAfterProtocolParsing();
                    //Console.WriteLine("successful parsing: frame " + string.Join(",", _message.FrameNumbers.ToArray()));
                    //Do some magic...
                    SIPEvent _event;
                    if (this._eventsDictionary.TryGetValue(_message.Headers.CallID, out _event))
                    {
                        //Event already present
                        switch (_event.Type)
                        {
                        case SIPEventType.Authentization:
                            //Console.WriteLine("authentication "+_message.Headers.CallID+" present");
                            _event.Update(_message);
                            break;

                        case SIPEventType.Call:
                            //Console.WriteLine("call "+_message.Headers.CallID+" present");
                            _event.Update(_message);
                            break;

                        case SIPEventType.Unknown:
                            var oldEvent = _event as SIPUnknownEvent;
                            if (this.PossibleCall(_message))
                            {
                                this._eventsDictionary.Remove(_message.Headers.CallID);
                                this.SnooperExport.DiscardExportObject(_event);
                                _event = new SIPCall(this.SnooperExport);
                                this._eventsDictionary.Add(_message.Headers.CallID, _event);
                                _event.UpdateFromUnkownEvent(oldEvent);
                            }
                            else if (this.PossibleAuthentization(_message))
                            {
                                this._eventsDictionary.Remove(_message.Headers.CallID);
                                this.SnooperExport.DiscardExportObject(_event);
                                _event = new SIPAuthentization(this.SnooperExport);
                                this._eventsDictionary.Add(_message.Headers.CallID, _event);
                                _event.UpdateFromUnkownEvent(oldEvent);
                            }
                            _event.Update(_message);
                            break;

                        default:
                            Console.WriteLine("unknown event " + _message.Headers.CallID + " present");
                            //TODO throw some exception
                            break;
                        }
                    }
                    else
                    {
                        //New event, create
                        if (_message.Type == SIPMsg.SIPMsgType.Request && _message.RequestLine.Method == "REGISTER")
                        {
                            _event = new SIPAuthentization(this.SnooperExport);
                            this._eventsDictionary.Add(_message.Headers.CallID, _event);

                            //Console.WriteLine("authentication " + _message.Headers.CallID + " added");
                            _event.Update(_message);
                        }
                        else if (_message.Type == SIPMsg.SIPMsgType.Request && _message.RequestLine.Method == "INVITE")
                        {
                            _event = new SIPCall(this.SnooperExport);
                            this._eventsDictionary.Add(_message.Headers.CallID, _event);

                            //Console.WriteLine("call " + _message.Headers.CallID + " added");
                            _event.Update(_message);
                        }
                        else                     // type can't be easily decided
                        {
                            if (this.PossibleCall(_message))
                            {
                                _event = new SIPCall(this.SnooperExport);
                            }
                            else if (this.PossibleAuthentization(_message))
                            {
                                _event = new SIPAuthentization(this.SnooperExport);
                            }
                            else
                            {
                                _event = new SIPUnknownEvent(this.SnooperExport);
                            }
                            this._eventsDictionary.Add(_message.Headers.CallID, _event);
                            _event.Update(_message);
                        }
                    }
                    //        this.eventExporter.AddExportedData(); //Export some meaningful message, object, what so ever...
                    //        this.eventExporter.AddExportReport(); //Export problem, exception some meaningful note that will be part of exported data object or export report in case that no data were exported between two escalation of BeforeProtocolParsing
                    //Console.WriteLine(_message.ToString());
                } while(reader.NewMessage());

                //Export
                this.OnBeforeDataExporting();
                var _callCounter = 0;
                foreach (var kvp in this._eventsDictionary)
                {
                    if (kvp.Value.Type == SIPEventType.Unknown)
                    {
                        this.SnooperExport.DiscardExportObject(kvp.Value);
                    }
                    else
                    {
                        if (kvp.Value is SIPCall)
                        {
                            // Process RTP flows of every call
                            var s = kvp.Value as SIPCall;
                            //s.CallId = _callCounter.ToString();
                            // Pass it inside the call
                            //s.SetExportedPayloads(this.ProcessRTP(s.RTPAddresses, _callCounter.ToString()));
                            ++_callCounter;
                        }

                        //Console.WriteLine("event " + kvp.Key);
                        //Console.WriteLine(kvp.Value.ToString());

                        kvp.Value.ExportValidity = ExportValidity.ValidWhole;

                        //TODO there should be list of guids (frames, other objects)
                        //kvp.Value.ExportSources.Add(this.CurrentConversation); //todo switch to used PDUs
                        this.SnooperExport.AddExportObject(kvp.Value);
                    }
                }
                this.OnAfterDataExporting();
                //Clean event dictionary
                this._eventsDictionary.Clear();
            }
        }
Ejemplo n.º 14
0
        protected override void ProcessConversation()
        {
            Console.WriteLine(@"SnooperFTP.ProcessConversation() called");

            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
            // now we can create a reader that will be reading from the stream we just created
            var reader = new PDUStreamReader(stream, Encoding.ASCII);

            // create export directory if it doesn't exist
            //if (!Directory.Exists(base.ExportBaseDirectory.FullName))
            //{
            //    Directory.CreateDirectory(base.ExportBaseDirectory.FullName);
            //}

            var dataFileName = this.GetDataFileName(this.ExportBaseDirectory.FullName);

            // reader will spawn messages, cycle through them
            do
            {
                this.OnBeforeProtocolParsing();
                // parse protocol

                // this is self parsing message, it just needs a reader to get data from
                var message = new FTPMsg(reader);
                if (!message.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = message.Timestamp;
                    this.SnooperExport.AddExportReport(
                        ExportReport.ReportLevel.Warn,
                        this.Name,
                        "parsing of FTP message failed, frame numbers: " +
                        string.Join(",", message.Frames) + ": " +
                        message.InvalidReason,
                        message.ExportSources);
                    Console.WriteLine(@"parsing of FTP message failed, frame numbers: " +
                                      string.Join(",", message.Frames) + ": " + message.InvalidReason);
                    // skip processing, go to next message
                    continue;
                }

                // parsing done
                this.OnAfterProtocolParsing();

                // start processing
                this.OnBeforeDataExporting();

                var exportedObject = new SnooperExportedDataObjectFTP(this.SnooperExport);
                var addObject      = true;
                exportedObject.TimeStamp = message.Timestamp;

                // process parsed structure
                switch (message.Type)
                {
                case FTPMsg.FTPMsgType.USER:
                    //Console.WriteLine("  user: "******"USER";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.LIST:
                    //Console.WriteLine("  directory listing");
                    exportedObject.Command = "DIRECTORY LIST";
                    break;

                case FTPMsg.FTPMsgType.PASS:
                    //Console.WriteLine("  password: "******"PASSWORD";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.DELE:
                    //Console.WriteLine("  deleted file: " + _message.MessageContent);
                    exportedObject.Command = "DELETED FILE";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.PORT:
                    //Console.WriteLine("  new connection address: " + _message.MessageContent);
                    exportedObject.Command = "PORT";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.PWD:
                    //Console.WriteLine("  directory path: " + _message.MessageContent);
                    exportedObject.Command = "PATH";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.RETR:
                    //Console.WriteLine("  downloaded file: " + _message.MessageContent);
                    exportedObject.Command = "DOWNLOAD";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.STOR:
                    //Console.WriteLine("  uploaded file: " + _message.MessageContent);
                    exportedObject.Command = "UPLOAD";
                    exportedObject.Value   = message.MessageContent;
                    break;

                case FTPMsg.FTPMsgType.DATA:
                    var file = new FileStream(dataFileName, FileMode.Append);
                    file.Write(message.DataContent, 0, message.DataContent.Length);
                    file.Close();
                    //Console.WriteLine("  data dumped to " + _dataFileName);
                    exportedObject.Command = "DATA";
                    exportedObject.Value   = dataFileName;
                    break;

                default:
                    //Console.WriteLine("  unknown type of FTP message");
                    addObject = false;
                    break;
                }
                //export
                if (addObject)
                {
                    //TODO there should be list of guids (frames, other objects)
                    foreach (var exportSource in message.ExportSources)
                    {
                        exportedObject.ExportSources.Add(exportSource);
                    }
                    this.SnooperExport.AddExportObject(exportedObject);
                }
                else
                {
                    this.SnooperExport.DiscardExportObject(exportedObject);
                }

                this.OnAfterDataExporting();

                //finalize processing of current message, moving to next one
                // IMPORTANT !!! this has to be called after each message successfully processed
                // so correct connections between exported data and exported reports can be kept
                //base.ProcessingDone();
            } while (reader.NewMessage());
        }
Ejemplo n.º 15
0
        protected override void ProcessConversation()
        {
            this._messageBuffer = new List <XMPPMsg>();
            Debug.WriteLine(@"SnooperXMPP.ProcessConversation() called [" + this.CurrentConversation.SourceEndPoint + "->" + this.CurrentConversation.DestinationEndPoint + "]");

            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);
            // now we can create a reader that will be reading from the stream we just created
            var reader = new PDUStreamReader(stream, Encoding.UTF8);

            this.OnBeforeProtocolParsing();
            //////////////////////////////////
            // reader will spawn messages, cycle through them
            do
            {
                // parse protocol

                // this is self parsing message, it just needs a reader to get data from
                var message = new XMPPMsg(reader);
                if (!message.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = message.Timestamp;
                    this.SnooperExport.AddExportReport(ExportReport.ReportLevel.Warn, this.Name,
                                                       "parsing of XMPP message failed, frame numbers: " + message.Frames.ToArray() + ": " + message.InvalidReason, message.ExportSources);
                    // skip processing, go to next message
                    continue;
                }

                // process parsed structure
                switch (message.MsgType)
                {
                case XMPPMsgType.MSG:
                    this._messageBuffer.Add(message);
                    string sender;
                    string receiver;
                    if (message.Direction == DaRFlowDirection.down)
                    {
                        sender   = message.From ?? string.Empty;
                        receiver = message.To ?? string.Empty;
                    }
                    else
                    {
                        sender   = message.To ?? string.Empty;
                        receiver = message.From ?? string.Empty;
                    }

                    if (sender.Length > this._sender.Length)
                    {
                        this._sender = sender;
                    }
                    if (receiver.Length > this._reciever.Length)
                    {
                        this._reciever = receiver;
                    }

                    break;
                }
            } while(reader.NewMessage());
            //////////////////////////////////
            this.OnAfterProtocolParsing();

            // start processing
            this.OnBeforeDataExporting();

            foreach (var msg in this._messageBuffer)
            {
                if (msg.MsgBody.IsNullOrEmpty())
                {
                    continue;
                }
                var exportedObject = new SnooperExportedObjectXMPP(this.SnooperExport)
                {
                    TimeStamp = msg.Timestamp,
                    Message   = msg.MsgBody
                };
                if (msg.Direction == DaRFlowDirection.down)
                {
                    exportedObject.Sender   = this._sender;
                    exportedObject.Receiver = this._reciever;
                }
                else
                {
                    exportedObject.Receiver = this._sender;
                    exportedObject.Sender   = this._reciever;
                }
                exportedObject.ExportSources.AddRange(msg.ExportSources);
                this.SnooperExport.AddExportObject(exportedObject);
            }

            this.OnAfterDataExporting();
        }
Ejemplo n.º 16
0
        protected override void ProcessConversation()
        {
            Debug.WriteLine(@"SnooperPOP.ProcessConversation() called [" + this.CurrentConversation.SourceEndPoint + "->" + this.CurrentConversation.DestinationEndPoint + "]");

            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
            // now we can create a reader that will be reading from the stream we just created
            var reader = new PDUStreamReader(stream, Encoding.ASCII);

            // reader will spawn messages, cycle through them
            do
            {
                this.OnBeforeProtocolParsing();
                // parse protocol

                // this is self parsing message, it just needs a reader to get data from
                var message = new POPMsg(reader);
                if (!message.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = message.Timestamp;
                    this.SnooperExport.AddExportReport(
                        ExportReport.ReportLevel.Warn,
                        this.Name,
                        "parsing of POP message failed, frame numbers: " +
                        string.Join(",", message.Frames) + ": " +
                        message.InvalidReason,
                        message.ExportSources);
                    Debug.WriteLine(@"parsing of POP message failed, frame numbers: " +
                                    string.Join(",", message.Frames) + ": " + message.InvalidReason);
                    // skip processing, go to next message
                    continue;
                }

                // parsing done
                this.OnAfterProtocolParsing();

                // start processing
                this.OnBeforeDataExporting();

                var exportedObject = new SnooperExportedDataObjectPOP(this.SnooperExport);
                var addObject      = true;
                exportedObject.TimeStamp = message.Timestamp;

                // process parsed structure
                switch (message.Type)
                {
                case POPMsg.POPMsgType.USER:
                    //Debug.WriteLine("  user: "******"USER";
                    exportedObject.Value = message.MessageContent;
                    break;

                case POPMsg.POPMsgType.PASS:
                    //Debug.WriteLine("  password: "******"PASS";
                    exportedObject.Value = message.MessageContent;
                    break;

                case POPMsg.POPMsgType.RETR:
                    //Debug.WriteLine("  password: "******"  unknown type of FTP message");
                    addObject = false;
                    break;
                }
                //export
                if (addObject)
                {
                    //TODO there should be list of guids (frames, other objects)
                    foreach (var exportSource in message.ExportSources)
                    {
                        exportedObject.ExportSources.Add(exportSource);
                    }
                    this.SnooperExport.AddExportObject(exportedObject);
                }
                else
                {
                    this.SnooperExport.DiscardExportObject(exportedObject);
                }

                this.OnAfterDataExporting();

                //finalize processing of current message, moving to next one
                // IMPORTANT !!! this has to be called after each message successfully processed
                // so correct connections between exported data and exported reports can be kept
                //base.ProcessingDone();
            } while (reader.NewMessage());
        }
Ejemplo n.º 17
0
        protected override void ProcessConversation()
        {
            Console.WriteLine("SnooperBTC.ProcessConversation() called");

            // we need a stream to read from
            var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
            //var stream = new PDUStreamBasedProvider(base.CurrentConversation, EFcPDUProviderType.ContinueInterlay);
            // now we can create a reader that will be reading from the stream we just created
            //var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437));
            var reader = new PDUStreamReader(stream, Encoding.Default, true);

            //var reader = new PDUStreamReader(stream);
            //var reader = new PDUStreamReader(stream);
            //reader.Reset();

            // reader will spawn messages, cycle through them
            do
            {
                this.OnBeforeProtocolParsing();
                // parse protocol

                // this is self parsing message, it just needs a reader to get data from
                var message = new BTCMsg(reader);
                if (!message.Valid)
                {
                    // parsing went wrong, we have to report it
                    this.SnooperExport.TimeStampFirst = message.Timestamp;
                    if (message.ExportSources == null || message.ExportSources.Count == 0)
                    {
                        Console.WriteLine("EMPTY SOURCES parsing of BTC message failed, frame numbers: "
                                          + string.Join(",", message.Frames) + ": " +
                                          message.InvalidReason);
                    }
                    this.SnooperExport.AddExportReport(
                        ExportReport.ReportLevel.Warn,
                        this.Name,
                        "parsing of BTC message failed, frames: "
                        + string.Join(",", message.Frames) + ": " +
                        message.InvalidReason,
                        message.ExportSources);
                    //Console.WriteLine(@"parsing of BTC message failed, frame numbers: " +
                    //	string.Join(",", message.FrameNumbers.ToArray()) + ": " + message.InvalidReason);
                    // skip processing, go to next message
                    continue;
                }
                // parsing done
                this.OnAfterProtocolParsing();

                // start processing
                this.OnBeforeDataExporting();

                /*var exportedObject = new SnooperExportedDataObjectBTC(this.SnooperExport);
                 * var addObject = true;
                 * exportedObject.TimeStamp = message.Timestamp;*/
                SnooperExportedDataObjectBTC pendingObject = null;
                switch (message.Type)
                {
                case BTCMsg.BTCMsgType.Version:
                    pendingObject = (from obj in this._pendingObjects
                                     where obj.Type == SnooperExportedDataObjectBTCType.Version_Verack
                                     select obj).FirstOrDefault();
                    if (pendingObject == null)                            // first message "version" in the stream
                    {
                        pendingObject                = new SnooperExportedDataObjectBTC(this.SnooperExport);
                        pendingObject.TimeStamp      = message.Timestamp;
                        pendingObject.Type           = SnooperExportedDataObjectBTCType.Version_Verack;
                        pendingObject.State          = SnooperExportedDataObjectBTCState.VersionReceived;
                        pendingObject.ExportValidity = ExportValidity.ValidFragment;
                        pendingObject.ClientAddress  = message.SourceAddress;
                        pendingObject.ServerAddress  = message.DestinationAddress;
                        foreach (var exportSource in message.ExportSources)
                        {
                            pendingObject.ExportSources.Add(exportSource);
                        }
                        if (!pendingObject.UserAgents.Contains(message.UserAgent))
                        {
                            pendingObject.UserAgents.Add(message.UserAgent);
                        }
                        this._pendingObjects.Add(pendingObject);
                    }
                    else
                    {
                        foreach (var exportSource in message.ExportSources)
                        {
                            if (!pendingObject.ExportSources.Contains(exportSource))
                            {
                                pendingObject.ExportSources.Add(exportSource);
                            }
                        }
                        if (pendingObject.State == SnooperExportedDataObjectBTCState.VerackReceived)
                        {
                            pendingObject.State          = SnooperExportedDataObjectBTCState.VersionAndVerackReceived;
                            pendingObject.ExportValidity = ExportValidity.ValidWhole;
                            if (!pendingObject.UserAgents.Contains(message.UserAgent))
                            {
                                pendingObject.UserAgents.Add(message.UserAgent);
                            }
                        }
                    }
                    break;

                case BTCMsg.BTCMsgType.Verack:
                    pendingObject = (from obj in this._pendingObjects
                                     where obj.Type == SnooperExportedDataObjectBTCType.Version_Verack
                                     select obj).FirstOrDefault();
                    if (pendingObject == null)                            // there is no object of type SnooperExportedDataObjectBTCType.Version_Verack created meaning message "version" is either lost or will come later
                    {
                        pendingObject                = new SnooperExportedDataObjectBTC(this.SnooperExport);
                        pendingObject.TimeStamp      = message.Timestamp;
                        pendingObject.Type           = SnooperExportedDataObjectBTCType.Version_Verack;
                        pendingObject.State          = SnooperExportedDataObjectBTCState.VerackReceived;
                        pendingObject.ExportValidity = ExportValidity.ValidFragment;
                        pendingObject.ClientAddress  = message.DestinationAddress;
                        pendingObject.ServerAddress  = message.SourceAddress;
                        foreach (var exportSource in message.ExportSources)
                        {
                            pendingObject.ExportSources.Add(exportSource);
                        }
                        if (!pendingObject.UserAgents.Contains(message.UserAgent))
                        {
                            pendingObject.UserAgents.Add(message.UserAgent);
                        }
                        this._pendingObjects.Add(pendingObject);
                    }
                    else                             // object already exists
                    {
                        foreach (var exportSource in message.ExportSources)
                        {
                            if (!pendingObject.ExportSources.Contains(exportSource))
                            {
                                pendingObject.ExportSources.Add(exportSource);
                            }
                        }
                        if (pendingObject.State == SnooperExportedDataObjectBTCState.VersionReceived)
                        {
                            pendingObject.State          = SnooperExportedDataObjectBTCState.VersionAndVerackReceived;
                            pendingObject.ExportValidity = ExportValidity.ValidWhole;
                        }
                    }
                    break;

                case BTCMsg.BTCMsgType.Tx:
                    pendingObject                = new SnooperExportedDataObjectBTC(this.SnooperExport);
                    pendingObject.TimeStamp      = message.Timestamp;
                    pendingObject.Type           = SnooperExportedDataObjectBTCType.Tx;
                    pendingObject.ExportValidity = ExportValidity.ValidWhole;
                    pendingObject.ClientAddress  = message.DestinationAddress;
                    pendingObject.ServerAddress  = message.SourceAddress;
                    foreach (var exportSource in message.ExportSources)
                    {
                        pendingObject.ExportSources.Add(exportSource);
                    }
                    this._pendingObjects.Add(pendingObject);
                    break;

                case BTCMsg.BTCMsgType.Other:
                    // do nothing
                    break;
                }

                //export

                /*if (addObject)
                 * {
                 *      //TODO there should be list of guids (frames, other objects)
                 *      exportedObject.Source.Add(new Guid());
                 *      this.SnooperExport.AddExportObject(exportedObject);
                 * }
                 * else
                 * {
                 *      this.SnooperExport.DiscardExportObject(exportedObject);
                 * }
                 *
                 * base.OnAfterDataExporting();*/

                //} while(reader.NewMessage());
                if (reader.EndOfPDU)
                {
                    try
                    {
                        reader.NewMessage();
                    } catch (InvalidOperationException) { }
                }
            } while (!reader.EndOfStream);

            if (this._pendingObjects.Count > 0)
            {
                this.OnBeforeDataExporting();

                foreach (var pendingObject in this._pendingObjects)
                {
                    this.SnooperExport.AddExportObject(pendingObject);
                }
                this._pendingObjects.Clear();

                this.OnAfterDataExporting();
            }
        }