protected override void ProcessConversation()
{
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);
// now we can create a reader that will be reading from the stream we just created
//////////////////////////////////
// reader will spawn messages, cycle through them
do
{
var reader = new PDUStreamReader(stream, Encoding.ASCII)
{
ReadBigEndian = true
};
this.OnBeforeProtocolParsing();
var msg = new ICQMsg(reader);
if (!msg.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = msg.Timestamp;
this.SnooperExport.AddExportReport(ExportReport.ReportLevel.Warn, this.Name, "parsing of ICQ message failed: " + msg.InvalidReason, msg.ExportSources);
// skip processing, go to next message
continue;
}
this.OnAfterProtocolParsing();
this.OnBeforeDataExporting();
this.ProcessMsg(msg);
this.OnAfterDataExporting();
} while(stream.NewMessage());
}
public void TestStreamReaderMore()
{
var captureFile = this.PrepareCaptureForProcessing(Pcaps.Default.sip_caps_sip_rtcp_pcap);
this.FrameworkController.ProcessCapture(captureFile);
this._conversations = this.L7Conversations.Where(c => c.ApplicationTags.Contains("SIP")).ToArray();
var counter = 0;
string line;
foreach (var conversation in this._conversations)
{
var stream = new PDUStreamBasedProvider(conversation, EfcPDUProviderType.SingleMessage);
var reader = new PDUStreamReader(stream, Encoding.ASCII);
do
{
counter++;
Console.WriteLine(counter + ". message ######### ");
do
{
line = reader.ReadLine();
Console.WriteLine(line);
} while(line != null);
} while(reader.NewMessage());
}
}
protected override void ProcessConversation()
{
Console.WriteLine(@"SnooperMinecraft.ProcessConversation() called");
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
// now we can create a reader that will be reading from the stream we just created
var reader = new BinaryReader(stream, Encoding.ASCII);
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new MinecraftMsg(reader);
if (!message.Valid) // is not chat message
{
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
var exportedObject = new SnooperExportedMinecraftMessage(this.SnooperExport)
{
TimeStamp = message.Timestamp,
Message = message.MessageContent,
Sender = message.Sender,
Receiver = message.Receiver,
Text = message.Text,
Type = message.MessageType
};
// export
exportedObject.ExportSources.Add(this.CurrentConversation);
this.SnooperExport.AddExportObject(exportedObject);
this.OnAfterDataExporting();
//finalize processing of current message, moving to next one
// IMPORTANT !!! this has to be called after each message successfully processed
// so correct connections between exported data and exported reports can be kept
//base.ProcessingDone();
} while (stream.NewMessage());
}
public void ContinueInterlayReadTest()
{
this._stream = new PDUStreamBasedProvider(this._conversations.ToArray()[1], EfcPDUProviderType.ContinueInterlay);
var cost = new byte[4];
var big = new byte[800];
var two = this._stream.Read(cost, 0, 2);
Assert.IsTrue(two == 2 && this._stream.Position == 2);
var two1 = this._stream.Read(cost, 2, 2);
Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
var v800 = this._stream.Read(big, 0, 800);
Assert.IsTrue(v800 == 800 && this._stream.Position == 804);
big = new byte[800];
v800 = this._stream.Read(big, 0, 800);
Assert.IsTrue(v800 == 800 && this._stream.Position == 1604);
v800 = this._stream.Read(big, 0, 800);
Assert.IsTrue(v800 == 800 && this._stream.Position == 2404);
var v0 = this._stream.Seek(0, SeekOrigin.Begin);
big = new byte[30000];
var vxx = this._stream.Read(big, 0, 22911); // to end of stream
Assert.IsTrue(v0 == 0 && vxx == 22911 && this._stream.Position == 22911);
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 22911);
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 22911);
var boollen = this._stream.NewMessage();
Assert.IsTrue(boollen && this._stream.Position == 0);
vxx = this._stream.Read(big, 0, 4005); // to end of stream
Assert.IsTrue(v0 == 0 && vxx == 4005 && this._stream.Position == 4005);
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 4005);
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 4005);
boollen = this._stream.NewMessage();
Assert.IsTrue(!boollen && this._stream.Position == 0);
//after total end of stream
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
}
public void BinReaderBreakedTest()
{
this._stream = new PDUStreamBasedProvider(this._conversations.ToArray()[2], EfcPDUProviderType.Breaked);
var binaryReader = new BinaryReader(this._stream, Encoding.ASCII);
var endOfFileFound = false;
do
{
if (binaryReader.PeekChar() < 0)
{
endOfFileFound = true;
}
else
{
int c = binaryReader.ReadByte();
}
} while(!endOfFileFound);
}
public void BinReaderContinueInterlayTest()
{
this._stream = new PDUStreamBasedProvider(this._conversations.ToArray()[2], EfcPDUProviderType.ContinueInterlay);
var binaryReader = new BinaryReader(this._stream, Encoding.ASCII);
var endOfFileFound = false;
do
{
var c = binaryReader.PeekChar();
if (c < 0)
{
endOfFileFound = true;
}
else
{
// stream.Seek(221, SeekOrigin.Begin);
c = binaryReader.ReadByte();
}
} while(!endOfFileFound);
}
public void BreakedReadTest()
{
this._stream = new PDUStreamBasedProvider(this._conversations.First(conv => conv.L7PDUs.Count() == this._conversations.Max(c => c.L7PDUs.Count())),
EfcPDUProviderType.Breaked);
var cost = new byte[4];
var big = new byte[800];
var two = this._stream.Read(cost, 0, 2);
Assert.IsTrue(two == 2 && this._stream.Position == 2);
var two1 = this._stream.Read(cost, 2, 2);
Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
var vxx = this._stream.Read(big, 0, 800);
Assert.IsTrue(vxx == 6 && this._stream.Position == 10);
vxx = this._stream.Read(big, 0, 800);
Assert.IsTrue(vxx == 0 && this._stream.Position == 10);
var boollen = this._stream.NewMessage();
Assert.IsTrue(boollen && this._stream.Position == 0);
two = this._stream.Read(cost, 0, 2);
Assert.IsTrue(two == 2 && this._stream.Position == 2);
two1 = this._stream.Read(cost, 2, 2);
Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
vxx = this._stream.Read(big, 0, 800);
Assert.IsTrue(vxx == 468 && this._stream.Position == 472);
vxx = this._stream.Read(big, 0, 800);
Assert.IsTrue(vxx == 0 && this._stream.Position == 472);
boollen = this._stream.NewMessage();
Assert.IsTrue(boollen && this._stream.Position == 0);
vxx = this._stream.Read(big, 0, 800);
Assert.IsTrue(vxx == 461 && this._stream.Position == 461);
var v0 = this._stream.Read(big, 0, 800);
Assert.IsTrue(v0 == 0 && this._stream.Position == 461);
}
public void TeraDown()
{
this._stream = null;
}
public void MixedReadTest()
{
this._stream = new PDUStreamBasedProvider(this._conversations.First(), EfcPDUProviderType.Mixed);
var cost = new byte[4];
var cost1 = new byte[4];
var big = new byte[2000];
var two = this._stream.Read(cost, 0, 2);
Assert.IsTrue(two == 2 && this._stream.Position == 2);
var two1 = this._stream.Read(cost, 2, 2);
Assert.IsTrue(two1 == 2 && this._stream.Position == 4);
var v800 = this._stream.Read(big, 0, 800);
Assert.IsTrue(v800 == 800 && this._stream.Position == 804);
big = new byte[2000];
var vxx = this._stream.Read(big, 0, 800);
Assert.IsTrue(vxx == 595 && this._stream.Position == 1399);
long v0 = this._stream.Read(big, 0, 800);
Assert.IsTrue(v0 == 0 && this._stream.Position == 1399);
v0 = this._stream.Seek(0, SeekOrigin.Begin);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
var v10 = this._stream.Seek(10, SeekOrigin.Begin);
Assert.IsTrue(v10 == 10 && this._stream.Position == 10);
v0 = this._stream.Seek(-10, SeekOrigin.Current);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
v10 = this._stream.Seek(10, SeekOrigin.Current);
Assert.IsTrue(v10 == 10 && this._stream.Position == 10);
var v20 = this._stream.Seek(10, SeekOrigin.Current);
Assert.IsTrue(v20 == 20 && this._stream.Position == 20);
v10 = this._stream.Seek(-10, SeekOrigin.Current);
Assert.IsTrue(v10 == 10 && this._stream.Position == 10);
v0 = this._stream.Seek(-10, SeekOrigin.Current);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
v0 = this._stream.Seek(-10, SeekOrigin.Current);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
var v2 = this._stream.Seek(2, SeekOrigin.Begin);
two = this._stream.Read(cost, 0, 2);
v0 = this._stream.Seek(-4, SeekOrigin.Current);
Assert.IsTrue(v2 == 2 && this._stream.Position == 0 && v0 == 0 && two == 2);
two = this._stream.Peek(cost1, 0, 2, 2, SeekOrigin.Current);
Assert.IsTrue(two == 2 && cost[0] == cost1[0] && cost[1] == cost1[1] && this._stream.Position == 0);
var v700 = this._stream.Seek(700, SeekOrigin.Begin);
two = this._stream.Read(cost, 0, 2);
v0 = this._stream.Seek(0, SeekOrigin.Begin);
Assert.IsTrue(v700 == 700 && this._stream.Position == 0 && v0 == 0 && two == 2);
two = this._stream.Peek(cost1, 0, 700, 2, SeekOrigin.Current);
Assert.IsTrue(two == 2 && cost[0] == cost1[0] && cost[1] == cost1[1] && this._stream.Position == 0);
v0 = this._stream.Seek(0, SeekOrigin.Begin);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
two = this._stream.Read(cost, 0, 2);
Assert.IsTrue(two == 2 && this._stream.Position == 2);
v0 = this._stream.Seek(0, SeekOrigin.Begin);
Assert.IsTrue(v0 == 0 && this._stream.Position == 0);
vxx = this._stream.Read(big, 0, 1399); // to end of stream
Assert.IsTrue(vxx == 1399 && this._stream.Position == 1399);
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 1399);
v0 = this._stream.Read(big, 0, 10);
Assert.IsTrue(v0 == 0 && this._stream.Position == 1399);
var boollen = this._stream.NewMessage();
Assert.IsTrue(!boollen && this._stream.Position == 0);
two = this._stream.Read(cost, 0, 2);
Assert.IsTrue(two == 0 && this._stream.Position == 0);
}
protected override void ProcessConversation()
{
Debug.WriteLine(@"SnooperSMTP.ProcessConversation() called [" + this.CurrentConversation.SourceEndPoint + "->" + this.CurrentConversation.DestinationEndPoint + "]");
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);
// now we can create a reader that will be reading from the stream we just created
var reader = new PDUStreamReader(stream, Encoding.ASCII);
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new SMTPMsg(reader);
if (!message.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = message.Timestamp;
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of SMTP message failed, frame numbers: " + string.Join(",", message.Frames) + ": " +
message.InvalidReason,
message.ExportSources);
Debug.WriteLine(@"parsing of SMTP message failed, frame numbers: " + string.Join(",", message.Frames) + ": " + message.InvalidReason);
// skip processing, go to next message
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
// process parsed structure
switch (message.Type)
{
case SMTPMsg.SMTPMsgType.MAIL:
var toBytes = Encoding.ASCII.GetBytes(message.MessageContent);
var exportedObject = new MIMEemail(this.SnooperExport, toBytes, EMailContentType.Whole);
exportedObject.EMailType = EMailType.SMTPOrgEmail;
exportedObject.TimeStamp = message.Timestamp;
foreach (var exportSource in message.ExportSources)
{
exportedObject.ExportSources.Add(exportSource);
}
this.SnooperExport.AddExportObject(exportedObject);
break;
default:
break;
}
this.OnAfterDataExporting();
} while (reader.NewMessage());
}
public L7DvbS2GseDecapsulatorBlock()
{
this._outputBuffer = new BufferBlock <PmFrameBase>();
this._decapsulator = new ActionBlock <L7Conversation>(async l7Conversation =>
{
var stream = new PDUStreamBasedProvider(l7Conversation, EfcPDUProviderType.ContinueInterlay);
var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437), true)
{
ReadBigEndian = true
};
var gseReassembler = new GseReassemblingDecapsulator();
while (!reader.EndOfStream)
{
try
{
var bb = BaseBandFrame.Parse(reader);
// It's important to get `reader.PDUStreamBasedProvider.GetCurrentPDU()` after parsing Base-Band frame.
// During reading, its value is set to the last read PDU. If we would call it before Base-Band parsing,
// retrieved value would not be current PDU, but the previous one.
// frames encapsulating parsed Base-Band
var pdu = reader.PDUStreamBasedProvider.GetCurrentPDU();
if (pdu == null)
{
break;
}
var frames = ImmutableList.CreateRange(pdu.FrameList);
// Reassemble any fragmented GSE packets and obtain decapsulated frames, if any of them have been just finished.
var decapsulatedFrames = gseReassembler.Process(bb, frames);
foreach (var f in decapsulatedFrames)
{
this._outputBuffer.Post(f);
}
}
catch (InvalidPacketFormatException)
{
// Current PDU of l7Conversation does not contain DVB-S2 Base Band Frame.
}
catch (NotImplementedException)
{
// NOTE: Only Generic Continuous Stream Input is supported at this moment.
}
// move to the next message
if (!reader.NewMessage())
{
break;
}
}
});
this._decapsulator.Completion.ContinueWith(t =>
{
if (t.IsFaulted)
{
((IDataflowBlock)this._outputBuffer).Fault(t.Exception);
}
else
{
this._outputBuffer.Complete();
}
});
}
protected override void ProcessConversation()
{
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Mixed);
// now we can create a reader that will be reading from the stream we just created
var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437), true);
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new DNSParseMsg(reader);
if (!message.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = message.Timestamp;
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of DNS message failed, frame numbers: " +
string.Join(",", message.Frames) + ": " +
message.InvalidReason,
message.ExportSources);
Console.WriteLine(@"parsing of DNS message failed, frame numbers: " +
string.Join(",", message.Frames) + ": " + message.InvalidReason);
// skip processing, go to next message
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
var exportedObject = new SnooperExportedDataObjectDNS(this.SnooperExport)
{
TimeStamp = message.Timestamp,
MessageId = message.MessageId,
Flags = message.Flags,
Queries = message.Queries,
Answer = message.Answer,
Authority = message.Authority,
Additional = message.Additional
};
//export
foreach (var exportSource in message.ExportSources)
{
exportedObject.ExportSources.Add(exportSource);
}
this.SnooperExport.AddExportObject(exportedObject);
this.OnAfterDataExporting();
//finalize processing of current message, moving to next one
// IMPORTANT !!! this has to be called after each message successfully processed
// so correct connections between exported data and exported reports can be kept
//base.ProcessingDone();
} while (reader.NewMessage());
}
protected override void ProcessConversation()
{
{
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
var reader = new PDUStreamReader(stream, Encoding.Default);
do
{
this.OnBeforeProtocolParsing();
//Parse protocol....
SIPMsg _message;
_message = new SIPMsg(reader);
if (!_message.Valid)
{
this.SnooperExport.TimeStampFirst = _message.Timestamp;
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of SIP message failed, frame numbers: " + string.Join(",", _message.Frames) + ": " +
_message.InvalidReason,
_message.ExportSources);
Console.WriteLine("parsing of SIP message failed, frame numbers: " + string.Join(",", _message.Frames) + ": " + _message.InvalidReason);
continue;
}
this.OnAfterProtocolParsing();
//Console.WriteLine("successful parsing: frame " + string.Join(",", _message.FrameNumbers.ToArray()));
//Do some magic...
SIPEvent _event;
if (this._eventsDictionary.TryGetValue(_message.Headers.CallID, out _event))
{
//Event already present
switch (_event.Type)
{
case SIPEventType.Authentization:
//Console.WriteLine("authentication "+_message.Headers.CallID+" present");
_event.Update(_message);
break;
case SIPEventType.Call:
//Console.WriteLine("call "+_message.Headers.CallID+" present");
_event.Update(_message);
break;
case SIPEventType.Unknown:
var oldEvent = _event as SIPUnknownEvent;
if (this.PossibleCall(_message))
{
this._eventsDictionary.Remove(_message.Headers.CallID);
this.SnooperExport.DiscardExportObject(_event);
_event = new SIPCall(this.SnooperExport);
this._eventsDictionary.Add(_message.Headers.CallID, _event);
_event.UpdateFromUnkownEvent(oldEvent);
}
else if (this.PossibleAuthentization(_message))
{
this._eventsDictionary.Remove(_message.Headers.CallID);
this.SnooperExport.DiscardExportObject(_event);
_event = new SIPAuthentization(this.SnooperExport);
this._eventsDictionary.Add(_message.Headers.CallID, _event);
_event.UpdateFromUnkownEvent(oldEvent);
}
_event.Update(_message);
break;
default:
Console.WriteLine("unknown event " + _message.Headers.CallID + " present");
//TODO throw some exception
break;
}
}
else
{
//New event, create
if (_message.Type == SIPMsg.SIPMsgType.Request && _message.RequestLine.Method == "REGISTER")
{
_event = new SIPAuthentization(this.SnooperExport);
this._eventsDictionary.Add(_message.Headers.CallID, _event);
//Console.WriteLine("authentication " + _message.Headers.CallID + " added");
_event.Update(_message);
}
else if (_message.Type == SIPMsg.SIPMsgType.Request && _message.RequestLine.Method == "INVITE")
{
_event = new SIPCall(this.SnooperExport);
this._eventsDictionary.Add(_message.Headers.CallID, _event);
//Console.WriteLine("call " + _message.Headers.CallID + " added");
_event.Update(_message);
}
else // type can't be easily decided
{
if (this.PossibleCall(_message))
{
_event = new SIPCall(this.SnooperExport);
}
else if (this.PossibleAuthentization(_message))
{
_event = new SIPAuthentization(this.SnooperExport);
}
else
{
_event = new SIPUnknownEvent(this.SnooperExport);
}
this._eventsDictionary.Add(_message.Headers.CallID, _event);
_event.Update(_message);
}
}
// this.eventExporter.AddExportedData(); //Export some meaningful message, object, what so ever...
// this.eventExporter.AddExportReport(); //Export problem, exception some meaningful note that will be part of exported data object or export report in case that no data were exported between two escalation of BeforeProtocolParsing
//Console.WriteLine(_message.ToString());
} while(reader.NewMessage());
//Export
this.OnBeforeDataExporting();
var _callCounter = 0;
foreach (var kvp in this._eventsDictionary)
{
if (kvp.Value.Type == SIPEventType.Unknown)
{
this.SnooperExport.DiscardExportObject(kvp.Value);
}
else
{
if (kvp.Value is SIPCall)
{
// Process RTP flows of every call
var s = kvp.Value as SIPCall;
//s.CallId = _callCounter.ToString();
// Pass it inside the call
//s.SetExportedPayloads(this.ProcessRTP(s.RTPAddresses, _callCounter.ToString()));
++_callCounter;
}
//Console.WriteLine("event " + kvp.Key);
//Console.WriteLine(kvp.Value.ToString());
kvp.Value.ExportValidity = ExportValidity.ValidWhole;
//TODO there should be list of guids (frames, other objects)
//kvp.Value.ExportSources.Add(this.CurrentConversation); //todo switch to used PDUs
this.SnooperExport.AddExportObject(kvp.Value);
}
}
this.OnAfterDataExporting();
//Clean event dictionary
this._eventsDictionary.Clear();
}
}
protected override void ProcessConversation()
{
Console.WriteLine(@"SnooperFTP.ProcessConversation() called");
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
// now we can create a reader that will be reading from the stream we just created
var reader = new PDUStreamReader(stream, Encoding.ASCII);
// create export directory if it doesn't exist
//if (!Directory.Exists(base.ExportBaseDirectory.FullName))
//{
// Directory.CreateDirectory(base.ExportBaseDirectory.FullName);
//}
var dataFileName = this.GetDataFileName(this.ExportBaseDirectory.FullName);
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new FTPMsg(reader);
if (!message.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = message.Timestamp;
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of FTP message failed, frame numbers: " +
string.Join(",", message.Frames) + ": " +
message.InvalidReason,
message.ExportSources);
Console.WriteLine(@"parsing of FTP message failed, frame numbers: " +
string.Join(",", message.Frames) + ": " + message.InvalidReason);
// skip processing, go to next message
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
var exportedObject = new SnooperExportedDataObjectFTP(this.SnooperExport);
var addObject = true;
exportedObject.TimeStamp = message.Timestamp;
// process parsed structure
switch (message.Type)
{
case FTPMsg.FTPMsgType.USER:
//Console.WriteLine(" user: "******"USER";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.LIST:
//Console.WriteLine(" directory listing");
exportedObject.Command = "DIRECTORY LIST";
break;
case FTPMsg.FTPMsgType.PASS:
//Console.WriteLine(" password: "******"PASSWORD";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.DELE:
//Console.WriteLine(" deleted file: " + _message.MessageContent);
exportedObject.Command = "DELETED FILE";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.PORT:
//Console.WriteLine(" new connection address: " + _message.MessageContent);
exportedObject.Command = "PORT";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.PWD:
//Console.WriteLine(" directory path: " + _message.MessageContent);
exportedObject.Command = "PATH";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.RETR:
//Console.WriteLine(" downloaded file: " + _message.MessageContent);
exportedObject.Command = "DOWNLOAD";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.STOR:
//Console.WriteLine(" uploaded file: " + _message.MessageContent);
exportedObject.Command = "UPLOAD";
exportedObject.Value = message.MessageContent;
break;
case FTPMsg.FTPMsgType.DATA:
var file = new FileStream(dataFileName, FileMode.Append);
file.Write(message.DataContent, 0, message.DataContent.Length);
file.Close();
//Console.WriteLine(" data dumped to " + _dataFileName);
exportedObject.Command = "DATA";
exportedObject.Value = dataFileName;
break;
default:
//Console.WriteLine(" unknown type of FTP message");
addObject = false;
break;
}
//export
if (addObject)
{
//TODO there should be list of guids (frames, other objects)
foreach (var exportSource in message.ExportSources)
{
exportedObject.ExportSources.Add(exportSource);
}
this.SnooperExport.AddExportObject(exportedObject);
}
else
{
this.SnooperExport.DiscardExportObject(exportedObject);
}
this.OnAfterDataExporting();
//finalize processing of current message, moving to next one
// IMPORTANT !!! this has to be called after each message successfully processed
// so correct connections between exported data and exported reports can be kept
//base.ProcessingDone();
} while (reader.NewMessage());
}
protected override void ProcessConversation()
{
this._messageBuffer = new List <XMPPMsg>();
Debug.WriteLine(@"SnooperXMPP.ProcessConversation() called [" + this.CurrentConversation.SourceEndPoint + "->" + this.CurrentConversation.DestinationEndPoint + "]");
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.Breaked);
// now we can create a reader that will be reading from the stream we just created
var reader = new PDUStreamReader(stream, Encoding.UTF8);
this.OnBeforeProtocolParsing();
//////////////////////////////////
// reader will spawn messages, cycle through them
do
{
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new XMPPMsg(reader);
if (!message.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = message.Timestamp;
this.SnooperExport.AddExportReport(ExportReport.ReportLevel.Warn, this.Name,
"parsing of XMPP message failed, frame numbers: " + message.Frames.ToArray() + ": " + message.InvalidReason, message.ExportSources);
// skip processing, go to next message
continue;
}
// process parsed structure
switch (message.MsgType)
{
case XMPPMsgType.MSG:
this._messageBuffer.Add(message);
string sender;
string receiver;
if (message.Direction == DaRFlowDirection.down)
{
sender = message.From ?? string.Empty;
receiver = message.To ?? string.Empty;
}
else
{
sender = message.To ?? string.Empty;
receiver = message.From ?? string.Empty;
}
if (sender.Length > this._sender.Length)
{
this._sender = sender;
}
if (receiver.Length > this._reciever.Length)
{
this._reciever = receiver;
}
break;
}
} while(reader.NewMessage());
//////////////////////////////////
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
foreach (var msg in this._messageBuffer)
{
if (msg.MsgBody.IsNullOrEmpty())
{
continue;
}
var exportedObject = new SnooperExportedObjectXMPP(this.SnooperExport)
{
TimeStamp = msg.Timestamp,
Message = msg.MsgBody
};
if (msg.Direction == DaRFlowDirection.down)
{
exportedObject.Sender = this._sender;
exportedObject.Receiver = this._reciever;
}
else
{
exportedObject.Receiver = this._sender;
exportedObject.Sender = this._reciever;
}
exportedObject.ExportSources.AddRange(msg.ExportSources);
this.SnooperExport.AddExportObject(exportedObject);
}
this.OnAfterDataExporting();
}
protected override void ProcessConversation()
{
Debug.WriteLine(@"SnooperPOP.ProcessConversation() called [" + this.CurrentConversation.SourceEndPoint + "->" + this.CurrentConversation.DestinationEndPoint + "]");
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
// now we can create a reader that will be reading from the stream we just created
var reader = new PDUStreamReader(stream, Encoding.ASCII);
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new POPMsg(reader);
if (!message.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = message.Timestamp;
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of POP message failed, frame numbers: " +
string.Join(",", message.Frames) + ": " +
message.InvalidReason,
message.ExportSources);
Debug.WriteLine(@"parsing of POP message failed, frame numbers: " +
string.Join(",", message.Frames) + ": " + message.InvalidReason);
// skip processing, go to next message
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
var exportedObject = new SnooperExportedDataObjectPOP(this.SnooperExport);
var addObject = true;
exportedObject.TimeStamp = message.Timestamp;
// process parsed structure
switch (message.Type)
{
case POPMsg.POPMsgType.USER:
//Debug.WriteLine(" user: "******"USER";
exportedObject.Value = message.MessageContent;
break;
case POPMsg.POPMsgType.PASS:
//Debug.WriteLine(" password: "******"PASS";
exportedObject.Value = message.MessageContent;
break;
case POPMsg.POPMsgType.RETR:
//Debug.WriteLine(" password: "******" unknown type of FTP message");
addObject = false;
break;
}
//export
if (addObject)
{
//TODO there should be list of guids (frames, other objects)
foreach (var exportSource in message.ExportSources)
{
exportedObject.ExportSources.Add(exportSource);
}
this.SnooperExport.AddExportObject(exportedObject);
}
else
{
this.SnooperExport.DiscardExportObject(exportedObject);
}
this.OnAfterDataExporting();
//finalize processing of current message, moving to next one
// IMPORTANT !!! this has to be called after each message successfully processed
// so correct connections between exported data and exported reports can be kept
//base.ProcessingDone();
} while (reader.NewMessage());
}
protected override void ProcessConversation()
{
Console.WriteLine("SnooperBTC.ProcessConversation() called");
// we need a stream to read from
var stream = new PDUStreamBasedProvider(this.CurrentConversation, EfcPDUProviderType.SingleMessage);
//var stream = new PDUStreamBasedProvider(base.CurrentConversation, EFcPDUProviderType.ContinueInterlay);
// now we can create a reader that will be reading from the stream we just created
//var reader = new PDUStreamReader(stream, Encoding.GetEncoding(437));
var reader = new PDUStreamReader(stream, Encoding.Default, true);
//var reader = new PDUStreamReader(stream);
//var reader = new PDUStreamReader(stream);
//reader.Reset();
// reader will spawn messages, cycle through them
do
{
this.OnBeforeProtocolParsing();
// parse protocol
// this is self parsing message, it just needs a reader to get data from
var message = new BTCMsg(reader);
if (!message.Valid)
{
// parsing went wrong, we have to report it
this.SnooperExport.TimeStampFirst = message.Timestamp;
if (message.ExportSources == null || message.ExportSources.Count == 0)
{
Console.WriteLine("EMPTY SOURCES parsing of BTC message failed, frame numbers: "
+ string.Join(",", message.Frames) + ": " +
message.InvalidReason);
}
this.SnooperExport.AddExportReport(
ExportReport.ReportLevel.Warn,
this.Name,
"parsing of BTC message failed, frames: "
+ string.Join(",", message.Frames) + ": " +
message.InvalidReason,
message.ExportSources);
//Console.WriteLine(@"parsing of BTC message failed, frame numbers: " +
// string.Join(",", message.FrameNumbers.ToArray()) + ": " + message.InvalidReason);
// skip processing, go to next message
continue;
}
// parsing done
this.OnAfterProtocolParsing();
// start processing
this.OnBeforeDataExporting();
/*var exportedObject = new SnooperExportedDataObjectBTC(this.SnooperExport);
* var addObject = true;
* exportedObject.TimeStamp = message.Timestamp;*/
SnooperExportedDataObjectBTC pendingObject = null;
switch (message.Type)
{
case BTCMsg.BTCMsgType.Version:
pendingObject = (from obj in this._pendingObjects
where obj.Type == SnooperExportedDataObjectBTCType.Version_Verack
select obj).FirstOrDefault();
if (pendingObject == null) // first message "version" in the stream
{
pendingObject = new SnooperExportedDataObjectBTC(this.SnooperExport);
pendingObject.TimeStamp = message.Timestamp;
pendingObject.Type = SnooperExportedDataObjectBTCType.Version_Verack;
pendingObject.State = SnooperExportedDataObjectBTCState.VersionReceived;
pendingObject.ExportValidity = ExportValidity.ValidFragment;
pendingObject.ClientAddress = message.SourceAddress;
pendingObject.ServerAddress = message.DestinationAddress;
foreach (var exportSource in message.ExportSources)
{
pendingObject.ExportSources.Add(exportSource);
}
if (!pendingObject.UserAgents.Contains(message.UserAgent))
{
pendingObject.UserAgents.Add(message.UserAgent);
}
this._pendingObjects.Add(pendingObject);
}
else
{
foreach (var exportSource in message.ExportSources)
{
if (!pendingObject.ExportSources.Contains(exportSource))
{
pendingObject.ExportSources.Add(exportSource);
}
}
if (pendingObject.State == SnooperExportedDataObjectBTCState.VerackReceived)
{
pendingObject.State = SnooperExportedDataObjectBTCState.VersionAndVerackReceived;
pendingObject.ExportValidity = ExportValidity.ValidWhole;
if (!pendingObject.UserAgents.Contains(message.UserAgent))
{
pendingObject.UserAgents.Add(message.UserAgent);
}
}
}
break;
case BTCMsg.BTCMsgType.Verack:
pendingObject = (from obj in this._pendingObjects
where obj.Type == SnooperExportedDataObjectBTCType.Version_Verack
select obj).FirstOrDefault();
if (pendingObject == null) // there is no object of type SnooperExportedDataObjectBTCType.Version_Verack created meaning message "version" is either lost or will come later
{
pendingObject = new SnooperExportedDataObjectBTC(this.SnooperExport);
pendingObject.TimeStamp = message.Timestamp;
pendingObject.Type = SnooperExportedDataObjectBTCType.Version_Verack;
pendingObject.State = SnooperExportedDataObjectBTCState.VerackReceived;
pendingObject.ExportValidity = ExportValidity.ValidFragment;
pendingObject.ClientAddress = message.DestinationAddress;
pendingObject.ServerAddress = message.SourceAddress;
foreach (var exportSource in message.ExportSources)
{
pendingObject.ExportSources.Add(exportSource);
}
if (!pendingObject.UserAgents.Contains(message.UserAgent))
{
pendingObject.UserAgents.Add(message.UserAgent);
}
this._pendingObjects.Add(pendingObject);
}
else // object already exists
{
foreach (var exportSource in message.ExportSources)
{
if (!pendingObject.ExportSources.Contains(exportSource))
{
pendingObject.ExportSources.Add(exportSource);
}
}
if (pendingObject.State == SnooperExportedDataObjectBTCState.VersionReceived)
{
pendingObject.State = SnooperExportedDataObjectBTCState.VersionAndVerackReceived;
pendingObject.ExportValidity = ExportValidity.ValidWhole;
}
}
break;
case BTCMsg.BTCMsgType.Tx:
pendingObject = new SnooperExportedDataObjectBTC(this.SnooperExport);
pendingObject.TimeStamp = message.Timestamp;
pendingObject.Type = SnooperExportedDataObjectBTCType.Tx;
pendingObject.ExportValidity = ExportValidity.ValidWhole;
pendingObject.ClientAddress = message.DestinationAddress;
pendingObject.ServerAddress = message.SourceAddress;
foreach (var exportSource in message.ExportSources)
{
pendingObject.ExportSources.Add(exportSource);
}
this._pendingObjects.Add(pendingObject);
break;
case BTCMsg.BTCMsgType.Other:
// do nothing
break;
}
//export
/*if (addObject)
* {
* //TODO there should be list of guids (frames, other objects)
* exportedObject.Source.Add(new Guid());
* this.SnooperExport.AddExportObject(exportedObject);
* }
* else
* {
* this.SnooperExport.DiscardExportObject(exportedObject);
* }
*
* base.OnAfterDataExporting();*/
//} while(reader.NewMessage());
if (reader.EndOfPDU)
{
try
{
reader.NewMessage();
} catch (InvalidOperationException) { }
}
} while (!reader.EndOfStream);
if (this._pendingObjects.Count > 0)
{
this.OnBeforeDataExporting();
foreach (var pendingObject in this._pendingObjects)
{
this.SnooperExport.AddExportObject(pendingObject);
}
this._pendingObjects.Clear();
this.OnAfterDataExporting();
}
}
