//Parse User name and domain name
//check are they both 0 length? if yes, set a flag in conversation data that indicates null credentials
public static bool AreTheCredentialsNull(FrameData fd)
{
if (fd.payload == null)
{
return(false);
}
// does not matter if the frame is fragmented. What we want - the length fields - are right near the beginning of the payload - just 36 bytes into it
TDSReader ByteReader = new TDSReader(fd.payload, 0, -1, fd.payloadLength);
ByteReader.ReadBytes(8); // TDS header
ByteReader.ReadBytes(8); // Skip NTLMSSP string.
ByteReader.ReadBytes(4); // Skip Message type
ByteReader.ReadBytes(8); // Skip LmChallengeResponseFields - 8 bytes expected
ByteReader.ReadBytes(8); // Skip NtChallengeResponseFields - 8 bytes expected
short DomainNameLen = ByteReader.ReadInt16(); // Read DomainNameFields->Length - 2 bytes
ByteReader.ReadBytes(2); // Skip DomainNameFields->MaximumLength - 2 bytes - to be ignored per the spec
int DomainNameOffSet = ByteReader.ReadInt32(); // Read DomainNameFields->BufferOffset - 4 bytes
short UserNameLen = ByteReader.ReadInt16(); // Read UserNameFields-Length
ByteReader.ReadBytes(2); // Skip UserNameFields-MaximumLength - 2 bytes - to be ignored per the spec
int UserNameOffSet = (int)ByteReader.ReadInt16(); // Read UserNameFields-BufferOffset
if (UserNameLen > 0 && DomainNameLen > 0)
{
return(false);
}
return(true); // user name or domain name are null
}
public static void ProcessUDP(NetworkTrace trace)
{
string[] DnsReturnMessage = new string[] {
"Success",
"Format error; DNS server did not understand the update request.",
"DNS server encountered an internal error, such as a forwarding timeout.",
"A name that should exist does not exist.",
"DNS server does not support the specified Operation code.",
"DNS server refuses to perform the update.",
"A name that should not exist does exist.",
"A resource record set that should not exist does exist.",
"A resource record set that should exist does not exist.",
"DNS server is not authoritative for the zone named in the Zone section.",
"A name used in the Prerequisite or Update sections is not within the zone specified by the Zone section.",
"Invalid return code.",
"Invalid return code.",
"Invalid return code.",
"Invalid return code.",
"Reserved."
};
foreach (ConversationData c in trace.conversations)
{
//DNS traffic is over UDP. If the current converstion is not UDP then skip that non DNS conversation.
if (!c.isUDP)
{
continue;
}
//Skip the conversation, if its just UDP, but not DNS
if ((c.isUDP) && c.destPort != 53)
{
continue;
}
trace.DNSRequestCount++;
try
{
//Parse the DNS frames of the conversation.
foreach (FrameData fd in c.frames)
{
DNS DNSresponse = new DNS();
if (fd.payloadLength < 1)
{
continue;
}
//DNS data starts at 42nd byte of the total payload. so the payload = (Total Payload - 42) bytes.
TDSReader ByteReader = new TDSReader(fd.payload, 0, -1, fd.payloadLength);
ByteReader.ReadBigEndianUInt16(); //Skip over the query ID.
//Read the Flags and convert into bytes.
int FlagsHigh = ByteReader.ReadByte();
int FlagsLow = ByteReader.ReadByte();
if ((FlagsHigh & (int)0x80) == (int)0x0) // DNS request
{
//DNSresponse.srcServerIP = c.sourceIP.ToString();
DNSresponse.dnsServerIP = c.destIP.ToString();
}
else if ((FlagsHigh & (int)0x80) == (int)0x80) // DNS response
{
int rCode = FlagsLow & 0x0F; // should be between 0 - 15.
//DNSresponse.srcServerIP= c.destIP.ToString();
DNSresponse.dnsServerIP = c.sourceIP.ToString();
DNSresponse.frameNo = fd.frameNo;
DNSresponse.TimeStamp = new DateTime(((FrameData)c.frames[c.frames.Count - 1]).ticks).ToString(utility.TIME_FORMAT);
//new DateTime(((FrameData)trace.frames[0]).ticks).ToString(utility.TIME_FORMAT);
DNSresponse.errorCode = rCode;
DNSresponse.ErrorDesc = DnsReturnMessage[rCode];
//Question Count - 2 bytes
DNSresponse.QuestionCount = ByteReader.ReadInt16();
//Answer Count - 2 bytes
DNSresponse.AnswerCount = ByteReader.ReadInt16();
//Skip 2 bytes - Name Server count
ByteReader.ReadInt16();
//Skip 2 bytes - Additional count
ByteReader.ReadInt16();
//Start reading the QName
//13th byte of the DNS Payload - payload[12]
byte length = ByteReader.ReadByte();
string Name = "";
while (length != 0)
{
Name += (Name == "" ? "" : ".") + ByteReader.ReadAnsiString(length);
length = ByteReader.ReadByte();
}
DNSresponse.nameReqested = Name;
DNSresponse.convData = c;
//DNSresponse.srcPort = c.sourcePort;
// Console.WriteLine(fd.file.filePath + "\t" + fd.frameNo.ToString());
if (rCode != (int)DNSReturnCodes.NOERROR)
{
trace.DNSResponses.Add(DNSresponse);
}
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error parsing DNS conversation: " + ex.Message + "\r\n" + ex.StackTrace);
Program.logDiagnostic("Error parsing DNS conversation: " + ex.Message + "\r\n" + ex.StackTrace);
}
}
}
