Ejemplo n.º 1
0
        //public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable<PacketParser.Packets.AbstractPacket> packetList) {
        public int ExtractData(NetworkTcpSession tcpSession, bool transferIsClientToServer, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
        {
            /*
             * NetworkHost sourceHost, destinationHost;
             * if (transferIsClientToServer) {
             *  sourceHost = tcpSession.Flow.FiveTuple.ClientHost;
             *  destinationHost = tcpSession.Flow.FiveTuple.ServerHost;
             * }
             * else {
             *  sourceHost = tcpSession.Flow.FiveTuple.ServerHost;
             *  destinationHost = tcpSession.Flow.FiveTuple.ClientHost;
             * }*/
            SmtpSession smtpSession;

            if (this.smtpSessionList.ContainsKey(tcpSession))
            {
                smtpSession = this.smtpSessionList[tcpSession];
            }
            else
            {
                smtpSession = new SmtpSession();
                this.smtpSessionList.Add(tcpSession, smtpSession);
            }

            Packets.TcpPacket  tcpPacket  = null;
            Packets.SmtpPacket smtpPacket = null;

            foreach (Packets.AbstractPacket p in packetList)
            {
                if (p.GetType() == typeof(Packets.TcpPacket))
                {
                    tcpPacket = (Packets.TcpPacket)p;
                }
                else if (p.GetType() == typeof(Packets.SmtpPacket))
                {
                    smtpPacket = (Packets.SmtpPacket)p;
                }
            }



            if (smtpPacket != null)
            {
                if (smtpPacket.ClientToServer)
                {
                    if (smtpSession.State == SmtpSession.SmtpState.Username)
                    {
                        string base64Username = smtpPacket.ReadLine().Trim();

                        try {
                            byte[] usernameBytes = System.Convert.FromBase64String(base64Username);
                            smtpSession.Username = System.Text.ASCIIEncoding.ASCII.GetString(usernameBytes);
                        }
                        catch (FormatException e) { }
                    }
                    else if (smtpSession.State == SmtpSession.SmtpState.Password)
                    {
                        string base64Password = smtpPacket.ReadLine().Trim();
                        try {
                            byte[] passwordBytes = System.Convert.FromBase64String(base64Password);
                            smtpSession.Password = System.Text.ASCIIEncoding.ASCII.GetString(passwordBytes);
                        }
                        catch (FormatException e) { }
                    }
                    else if (smtpSession.State == SmtpSession.SmtpState.Data)
                    {
                        //write data to file until we receive "\n.\n" could also be \r\n.\r\n
                        smtpSession.AddData(smtpPacket.ParentFrame.Data, smtpPacket.PacketStartIndex, smtpPacket.PacketLength);
                        //check if state has transitioned over to footer
                        if (smtpSession.State == SmtpSession.SmtpState.Footer)
                        {
                            Mime.Email email = new Mime.Email(smtpSession.DataStream, base.MainPacketHandler, tcpPacket, transferIsClientToServer, tcpSession, ApplicationLayerProtocol.Smtp, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination);
                        }
                    }
                    else
                    {
                        foreach (KeyValuePair <string, string> requestCommandAndArgument in smtpPacket.RequestCommandsAndArguments)
                        {
                            if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.HELO.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                string clientDomain = requestCommandAndArgument.Value;
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.EHLO.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                string clientDomain = requestCommandAndArgument.Value;
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.AUTH.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                if (requestCommandAndArgument.Value.Trim().StartsWith("LOGIN", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    //if (requestCommandAndArgument.Value.ToUpper().Contains("LOGIN")) {
                                    smtpSession.State = SmtpSession.SmtpState.AuthLogin;
                                    //SMTP clients sometimes send the email address right away like this: "AUTH LOGIN aGVqaG9wcEBpbnRlcm5ldC5zZQ=="
                                    if (requestCommandAndArgument.Value.Length > "LOGIN ".Length)
                                    {
                                        try {
                                            string base64Username = requestCommandAndArgument.Value.Substring("LOGIN ".Length).Trim();
                                            byte[] usernameBytes  = System.Convert.FromBase64String(base64Username);
                                            smtpSession.Username = System.Text.ASCIIEncoding.ASCII.GetString(usernameBytes);
                                        }
                                        catch (ArgumentException) { }
                                    }
                                }
                                else if (requestCommandAndArgument.Value.Trim().StartsWith("PLAIN", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    //AUTH PLAIN <base64-encoded username and password>
                                    smtpSession.State = SmtpSession.SmtpState.AuthLogin;
                                    //SMTP clients sometimes send the email address right away like this: "AUTH LOGIN aGVqaG9wcEBpbnRlcm5ldC5zZQ=="
                                    if (requestCommandAndArgument.Value.Length > "PLAIN ".Length)
                                    {
                                        try {
                                            string            base64 = requestCommandAndArgument.Value.Substring("PLAIN ".Length).Trim();
                                            NetworkCredential cred   = SmtpPacketHandler.ExtractBase64EncodedAuthPlainCredential(base64, smtpPacket.ParentFrame, tcpSession, ApplicationLayerProtocol.Smtp);
                                            if (cred != null)
                                            {
                                                //this.MainPacketHandler.OnCredentialDetected(new Events.CredentialEventArgs(cred));
                                                this.MainPacketHandler.AddCredential(cred);
                                            }
                                        }
                                        catch (ArgumentException) { }
                                    }
                                }
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.MAIL.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                if (requestCommandAndArgument.Value.StartsWith("FROM", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    int colonIndex = requestCommandAndArgument.Value.IndexOf(':');
                                    if (colonIndex > 0 && requestCommandAndArgument.Value.Length > colonIndex + 1)
                                    {
                                        smtpSession.MailFrom = requestCommandAndArgument.Value.Substring(colonIndex + 1).Trim();
                                    }
                                }
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.RCPT.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                if (requestCommandAndArgument.Value.StartsWith("TO", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    int colonIndex = requestCommandAndArgument.Value.IndexOf(':');
                                    if (colonIndex > 0 && requestCommandAndArgument.Value.Length > colonIndex + 1)
                                    {
                                        smtpSession.AddRecipient(requestCommandAndArgument.Value.Substring(colonIndex + 1).Trim());
                                    }
                                }
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.DATA.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                smtpSession.State = SmtpSession.SmtpState.Data;
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.STARTTLS.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                smtpSession.State = SmtpSession.SmtpState.StartTlsRequested;
                            }
                        }
                    }
                }
                else  //server to client
                {
                    foreach (KeyValuePair <int, string> replyCodeAndArgument in smtpPacket.Replies)
                    {
                        if (replyCodeAndArgument.Key == 334)  //AUTH LOGIN
                        {
                            if (replyCodeAndArgument.Value.Equals("VXNlcm5hbWU6"))
                            {
                                smtpSession.State = SmtpSession.SmtpState.Username;
                            }
                            else if (replyCodeAndArgument.Value.Equals("UGFzc3dvcmQ6"))
                            {
                                smtpSession.State = SmtpSession.SmtpState.Password;
                            }
                        }
                        else if (replyCodeAndArgument.Key == 235)  //AUTHENTICATION SUCCESSFUL
                        {
                            base.MainPacketHandler.AddCredential(new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, smtpPacket.PacketTypeDescription, smtpSession.Username, smtpSession.Password, smtpPacket.ParentFrame.Timestamp));
                            smtpSession.State = SmtpSession.SmtpState.Authenticated;
                        }
                        else if (replyCodeAndArgument.Key >= 500) //error
                        {
                            smtpSession.State = SmtpSession.SmtpState.None;
                        }
                        else if (replyCodeAndArgument.Key == 354) //DATA "Start mail input; end with <CRLF>.<CRLF>"
                        {
                            smtpSession.State = SmtpSession.SmtpState.Data;
                        }
                        else if (replyCodeAndArgument.Key == 250)   //"Requested mail action okay, completed"
                        {
                            if (smtpSession.State == SmtpSession.SmtpState.Footer)
                            {
                                //smtpSession.DataStream.Seek(0, System.IO.SeekOrigin.Begin);
                                smtpSession.DataStream = new System.IO.MemoryStream();
                                //System.Diagnostics.Debugger.Break();
                            }
                            smtpSession.State = SmtpSession.SmtpState.None;//Added in order to reset state when multiple SMTP sessions are sent within the same TCP session
                        }
                        else if (replyCodeAndArgument.Key == 220)
                        {
                            if (smtpSession.State == SmtpSession.SmtpState.StartTlsRequested)
                            {
                                tcpSession.ProtocolFinder.SetConfirmedApplicationLayerProtocol(ApplicationLayerProtocol.Ssl, false);
                            }
                        }
                    }
                }
                //There was a SMTP packet, so treat this as a sucsessfull extraction
                return(tcpPacket.PayloadDataLength);
            }
            else //smtpPacket == null
            {
                return(0);
            }
        }
Ejemplo n.º 2
0
        public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
        {
            SmtpSession smtpSession;

            if (this.smtpSessionList.ContainsKey(tcpSession))
            {
                smtpSession = this.smtpSessionList[tcpSession];
            }
            else
            {
                smtpSession = new SmtpSession();
                this.smtpSessionList.Add(tcpSession, smtpSession);
            }

            Packets.TcpPacket  tcpPacket  = null;
            Packets.SmtpPacket smtpPacket = null;

            foreach (Packets.AbstractPacket p in packetList)
            {
                if (p.GetType() == typeof(Packets.TcpPacket))
                {
                    tcpPacket = (Packets.TcpPacket)p;
                }
                else if (p.GetType() == typeof(Packets.SmtpPacket))
                {
                    smtpPacket = (Packets.SmtpPacket)p;
                }
            }



            if (smtpPacket != null)
            {
                if (smtpPacket.ClientToServer)
                {
                    if (smtpSession.State == SmtpSession.SmtpState.Username)
                    {
                        string base64Username = smtpPacket.ReadLine().Trim();
                        try {
                            byte[] usernameBytes = System.Convert.FromBase64String(base64Username);
                            smtpSession.Username = System.Text.ASCIIEncoding.ASCII.GetString(usernameBytes);
                        }
                        catch (FormatException e) { }
                    }
                    else if (smtpSession.State == SmtpSession.SmtpState.Password)
                    {
                        string base64Password = smtpPacket.ReadLine().Trim();
                        try {
                            byte[] passwordBytes = System.Convert.FromBase64String(base64Password);
                            smtpSession.Password = System.Text.ASCIIEncoding.ASCII.GetString(passwordBytes);
                        }
                        catch (FormatException e) { }
                    }
                    else if (smtpSession.State == SmtpSession.SmtpState.Data)
                    {
                        //write data to file until we receive "\n.\n" could also be \r\n.\r\n
                        smtpSession.AddData(smtpPacket.ParentFrame.Data, smtpPacket.PacketStartIndex, smtpPacket.PacketLength);
                        //check if state has transitioned over to footer
                        if (smtpSession.State == SmtpSession.SmtpState.Footer)
                        {
                            Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(smtpSession.DataStream);
                            string from      = null;
                            string to        = null;
                            string subject   = null;
                            string messageId = null;
                            System.Collections.Specialized.NameValueCollection rootAttributes = null;
                            foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur))
                            {
                                if (rootAttributes == null)
                                {
                                    from           = multipart.Attributes["From"];
                                    to             = multipart.Attributes["To"];
                                    subject        = multipart.Attributes["Subject"];
                                    messageId      = multipart.Attributes["Message-ID"];
                                    rootAttributes = multipart.Attributes;
                                }

                                base.MainPacketHandler.OnParametersDetected(new PacketParser.Events.ParametersEventArgs(smtpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, multipart.Attributes, tcpPacket.ParentFrame.Timestamp, "SMTP packet"));

                                string   contentType = multipart.Attributes["Content-Type"];
                                string   charset     = multipart.Attributes["charset"];
                                Encoding encoding    = null;
                                if (charset != null && charset.Length > 0)
                                {
                                    try {
                                        encoding = System.Text.Encoding.GetEncoding(charset);
                                    }
                                    catch { };
                                }
                                bool   attachment         = false;
                                string contentDisposition = multipart.Attributes["Content-Disposition"];
                                if (contentDisposition != null && contentDisposition.Contains("attachment"))
                                {
                                    attachment = true;
                                }
                                if (!attachment && contentType == null || contentType.Equals("text/plain", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    //print the data as text
                                    //string textData = null;
                                    byte[] textDataBytes = null;
                                    if (multipart.Attributes["Content-Transfer-Encoding"] == "quoted-printable")
                                    {
                                        textDataBytes = Utils.ByteConverter.ReadQuotedPrintable(multipart.Data).ToArray();
                                        //textData = Utils.ByteConverter.ReadString();
                                    }
                                    else if (multipart.Attributes["Content-Transfer-Encoding"] == "base64")
                                    {
                                        textDataBytes = System.Convert.FromBase64String(Utils.ByteConverter.ReadString(multipart.Data));
                                        //textData = Utils.ByteConverter.ReadString();
                                    }
                                    else
                                    {
                                        textDataBytes = multipart.Data;
                                        //textData = Utils.ByteConverter.ReadString();
                                    }
                                    string textData = null;
                                    if (encoding == null)
                                    {
                                        textData = Utils.ByteConverter.ReadString(textDataBytes);
                                    }
                                    else
                                    {
                                        textData = encoding.GetString(textDataBytes);
                                    }
                                    if (textData != null)
                                    {
                                        //System.Collections.Specialized.NameValueCollection tmpCol=new System.Collections.Specialized.NameValueCollection();
                                        //tmpCol.Add("e-mail", textData);
                                        //base.MainPacketHandler.OnParametersDetected(new PacketParser.Events.ParametersEventArgs(smtpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP "+tcpPacket.SourcePort, "TCP "+tcpPacket.DestinationPort, tmpCol, tcpPacket.ParentFrame.Timestamp, "SMTP packet"));
                                        System.Collections.Specialized.NameValueCollection aggregatedAttributes = new System.Collections.Specialized.NameValueCollection();
                                        aggregatedAttributes.Add(rootAttributes);
                                        aggregatedAttributes.Add(multipart.Attributes);
                                        base.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(ApplicationLayerProtocol.Smtp, sourceHost, destinationHost, smtpPacket.ParentFrame.FrameNumber, smtpPacket.ParentFrame.Timestamp, from, to, subject, textData, aggregatedAttributes));
                                    }
                                }
                                else
                                {
                                    //store the stuff to disk
                                    string filename = multipart.Attributes["name"];
                                    if (filename == null || filename.Length == 0)
                                    {
                                        filename = multipart.Attributes["filename"];
                                    }
                                    if (filename == null || filename.Length == 0)
                                    {
                                        if (subject != null && subject.Length > 3)
                                        {
                                            filename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
                                        }
                                        else if (messageId != null && messageId.Length > 3)
                                        {
                                            filename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10);
                                        }
                                        if (filename == null || filename.Length < 3)
                                        {
                                            filename = "email_" + (multipart.GetHashCode() % 1000);
                                        }

                                        string extension = Utils.StringManglerUtil.GetExtension(contentType);
                                        if (extension == null || extension.Length < 1)
                                        {
                                            extension = "dat";
                                        }
                                        filename = filename + "." + extension;
                                    }
                                    //check if filename is encoded as '?CharacterSet?Enum(Q,B)?', for example '=?UTF-8?B?IE1ldGhvZA==?=' RFC2047

                                    /*
                                     * if (Mime.Rfc2047Parser.IsRfc2047String(filename)) {
                                     *  try {
                                     *      filename = Mime.Rfc2047Parser.ParseRfc2047String(filename);
                                     *  }
                                     *  catch (Exception) { }
                                     * }*/
                                    List <byte> fileData = new List <byte>();
                                    if (multipart.Attributes["Content-Transfer-Encoding"] == "base64")
                                    {
                                        //decode base64 stuff
                                        int index = 0;
                                        while (index < multipart.Data.Length)
                                        {
                                            string base64 = Utils.ByteConverter.ReadLine(multipart.Data, ref index);
                                            if (base64 == null && index < multipart.Data.Length)
                                            {
                                                //read the remaining data
                                                base64 = Utils.ByteConverter.ReadString(multipart.Data, index, multipart.Data.Length - index, false, false);
                                                index  = multipart.Data.Length;
                                            }
#if DEBUG
                                            if (base64 == null)
                                            {
                                                System.Diagnostics.Debugger.Break();
                                            }
#endif
                                            //if (base64 != null && base64.Length > 0) {
                                            try {
                                                fileData.AddRange(Convert.FromBase64String(base64));
                                            }
                                            catch (FormatException e) { }
                                        }
                                    }
                                    else if (multipart.Attributes["Content-Transfer-Encoding"] == "quoted-printable")
                                    {
                                        //must be decoded according to http://www.ietf.org/rfc/rfc2045.txt
                                        fileData = Utils.ByteConverter.ReadQuotedPrintable(multipart.Data);
                                    }
                                    else
                                    {
                                        //Add the raw data
                                        fileData.AddRange(multipart.Data);
                                    }

                                    if (fileData != null && fileData.Count > 0)
                                    {
                                        FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true, FileTransfer.FileStreamTypes.SMTP, filename, "/", fileData.Count, fileData.Count, "E-mail From: " + from + " To: " + to + " Subject: " + subject, filename, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp);
                                        if (assembler.TryActivate())
                                        {
                                            assembler.AddData(fileData.ToArray(), tcpPacket.SequenceNumber);
                                            //assembler.FinishAssembling();
                                        }
                                        else
                                        {
                                            assembler.Clear();
                                            assembler.FinishAssembling();
                                        }
                                    }
                                }
                            }
                        }
                    }
                    else
                    {
                        foreach (KeyValuePair <string, string> requestCommandAndArgument in smtpPacket.RequestCommandsAndArguments)
                        {
                            if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.HELO.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                string clientDomain = requestCommandAndArgument.Value;
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.EHLO.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                string clientDomain = requestCommandAndArgument.Value;
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.AUTH.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                if (requestCommandAndArgument.Value.ToUpper().Contains("LOGIN"))
                                {
                                    smtpSession.State = SmtpSession.SmtpState.AuthLogin;
                                }
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.MAIL.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                if (requestCommandAndArgument.Value.StartsWith("FROM", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    int colonIndex = requestCommandAndArgument.Value.IndexOf(':');
                                    if (colonIndex > 0 && requestCommandAndArgument.Value.Length > colonIndex + 1)
                                    {
                                        smtpSession.MailFrom = requestCommandAndArgument.Value.Substring(colonIndex + 1).Trim();
                                    }
                                }
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.RCPT.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                if (requestCommandAndArgument.Value.StartsWith("TO", StringComparison.InvariantCultureIgnoreCase))
                                {
                                    int colonIndex = requestCommandAndArgument.Value.IndexOf(':');
                                    if (colonIndex > 0 && requestCommandAndArgument.Value.Length > colonIndex + 1)
                                    {
                                        smtpSession.AddRecipient(requestCommandAndArgument.Value.Substring(colonIndex + 1).Trim());
                                    }
                                }
                            }
                            else if (requestCommandAndArgument.Key.Equals(SmtpPacket.ClientCommands.DATA.ToString(), StringComparison.InvariantCultureIgnoreCase))
                            {
                                smtpSession.State = SmtpSession.SmtpState.Data;
                            }
#if DEBUG
                            base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(tcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, "TCP " + tcpPacket.SourcePort, "TCP " + tcpPacket.DestinationPort, smtpPacket.RequestCommandsAndArguments, tcpPacket.ParentFrame.Timestamp, "SMTP Request"));
#endif
                        }
                    }

                    /*}
                     * else if(smtpPacket.RequestCommand != null) {
                     *  if(smtpPacket.RequestCommand.Equals(SmtpPacket.ClientCommands.HELO.ToString(), StringComparison.InvariantCultureIgnoreCase)) {
                     *      string clientDomain = smtpPacket.RequestArgument;
                     *  }
                     *  else if(smtpPacket.RequestCommand.Equals(SmtpPacket.ClientCommands.EHLO.ToString(), StringComparison.InvariantCultureIgnoreCase)) {
                     *      string clientDomain = smtpPacket.RequestArgument;
                     *  }
                     *  else if(smtpPacket.RequestCommand.Equals(SmtpPacket.ClientCommands.AUTH.ToString(), StringComparison.InvariantCultureIgnoreCase)) {
                     *      if(smtpPacket.RequestArgument.ToUpper().Contains("LOGIN"))
                     *          smtpSession.State = SmtpSession.SmtpState.AuthLogin;
                     *  }
                     *  else if(smtpPacket.RequestCommand.Equals(SmtpPacket.ClientCommands.MAIL.ToString(), StringComparison.InvariantCultureIgnoreCase)) {
                     *      if(smtpPacket.RequestArgument.StartsWith("FROM", StringComparison.InvariantCultureIgnoreCase)) {
                     *          int colonIndex = smtpPacket.RequestArgument.IndexOf(':');
                     *          if(colonIndex>0 && smtpPacket.RequestArgument.Length > colonIndex+1)
                     *              smtpSession.MailFrom = smtpPacket.RequestArgument.Substring(colonIndex+1).Trim();
                     *      }
                     *  }
                     *  else if(smtpPacket.RequestCommand.Equals(SmtpPacket.ClientCommands.RCPT.ToString(), StringComparison.InvariantCultureIgnoreCase)) {
                     *      if(smtpPacket.RequestArgument.StartsWith("TO", StringComparison.InvariantCultureIgnoreCase)) {
                     *          int colonIndex = smtpPacket.RequestArgument.IndexOf(':');
                     *          if(colonIndex>0 && smtpPacket.RequestArgument.Length > colonIndex+1)
                     *              smtpSession.AddRecipient(smtpPacket.RequestArgument.Substring(colonIndex+1).Trim());
                     *      }
                     *  }
                     *  else if(smtpPacket.RequestCommand.Equals(SmtpPacket.ClientCommands.DATA.ToString(), StringComparison.InvariantCultureIgnoreCase)) {
                     *      smtpSession.State = SmtpSession.SmtpState.Data;
                     *  }
                     * }*/
                }
                else  //server to client
                {
                    foreach (KeyValuePair <int, string> replyCodeAndArgument in smtpPacket.Replies)
                    {
                        if (replyCodeAndArgument.Key == 334)  //AUTH LOGIN
                        {
                            if (replyCodeAndArgument.Value.Equals("VXNlcm5hbWU6"))
                            {
                                smtpSession.State = SmtpSession.SmtpState.Username;
                            }
                            else if (replyCodeAndArgument.Value.Equals("UGFzc3dvcmQ6"))
                            {
                                smtpSession.State = SmtpSession.SmtpState.Password;
                            }
                        }
                        else if (replyCodeAndArgument.Key == 235)  //AUTHENTICATION SUCCESSFUL
                        {
                            base.MainPacketHandler.AddCredential(new NetworkCredential(tcpSession.ClientHost, tcpSession.ServerHost, smtpPacket.PacketTypeDescription, smtpSession.Username, smtpSession.Password, smtpPacket.ParentFrame.Timestamp));
                            smtpSession.State = SmtpSession.SmtpState.Authenticated;
                        }
                        else if (replyCodeAndArgument.Key >= 500) //error
                        {
                            smtpSession.State = SmtpSession.SmtpState.None;
                        }
                        else if (replyCodeAndArgument.Key == 354) //DATA "Start mail input; end with <CRLF>.<CRLF>"
                        {
                            smtpSession.State = SmtpSession.SmtpState.Data;
                        }
                        else if (replyCodeAndArgument.Key == 250) //"Requested mail action okay, completed"
                        {
                            smtpSession.State = SmtpSession.SmtpState.None;
                        }
                    }
                }
                //There was a SMTP packet, so treat this as a sucsessfull extraction
                return(tcpPacket.PayloadDataLength);
            }
            else //smtpPacket == null
            {
                return(0);
            }
        }