public DnsRecordEventArgs(Packets.DnsPacket.IDnsResponseInfo record, NetworkHost dnsServer, NetworkHost dnsClient, Packets.IIPPacket ipPakcet, Packets.ITransportLayerPacket transportLayerPacket)
{
this.Record = record;
this.DnsServer = dnsServer;
this.DnsClient = dnsClient;
this.IpPacket = ipPakcet;
this.TransportLayerPacket = transportLayerPacket;
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
//Packets.IIPPacket ipPacket = null;
Packets.ITransportLayerPacket transportLayerPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.NetBiosNameServicePacket))
{
ExtractData((Packets.NetBiosNameServicePacket)p, sourceHost, destinationHost, transportLayerPacket);
}
/*else if (p is Packets.IIPPacket)
* ipPacket = (Packets.IIPPacket)p;*/
else if (p is Packets.ITransportLayerPacket tlp)
{
transportLayerPacket = tlp;
}
}
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList)
{
Packets.DnsPacket dnsPacket = null;
Packets.IIPPacket ipPacket = null;
Packets.ITransportLayerPacket transportLayerPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.DnsPacket))
{
dnsPacket = (Packets.DnsPacket)p;
}
else if (p is Packets.IIPPacket)
{
ipPacket = (Packets.IIPPacket)p;
}
/*else if(p.GetType()==typeof(Packets.IPv6Packet))
* ipv6Packet=(Packets.IPv6Packet)p;*/
else if (p is Packets.ITransportLayerPacket tlp)
{
transportLayerPacket = tlp;
}
}
if (dnsPacket != null)
{
//ExtractDnsData(dnsPacket);
if (dnsPacket.Flags.Response)
{
System.Collections.Specialized.NameValueCollection cNamePointers = new System.Collections.Specialized.NameValueCollection();
if (dnsPacket.AnswerRecords != null && dnsPacket.AnswerRecords.Length > 0)
{
foreach (Packets.DnsPacket.ResourceRecord r in dnsPacket.AnswerRecords)
{
if (r.IP != null)
{
if (!base.MainPacketHandler.NetworkHostList.ContainsIP(r.IP))
{
NetworkHost host = new NetworkHost(r.IP);
host.AddHostName(r.DNS, dnsPacket.PacketTypeDescription);
lock (base.MainPacketHandler.NetworkHostList)
base.MainPacketHandler.NetworkHostList.Add(host);
MainPacketHandler.OnNetworkHostDetected(new Events.NetworkHostEventArgs(host));
//base.MainPacketHandler.ParentForm.ShowDetectedHost(host);
}
else
{
base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(r.DNS, dnsPacket.PacketTypeDescription);
}
if (cNamePointers[r.DNS] != null)
{
base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(cNamePointers[r.DNS], dnsPacket.PacketTypeDescription);
}
}
else if (r.Type == (ushort)Packets.DnsPacket.RRTypes.CNAME)
{
cNamePointers.Add(r.PrimaryName, r.DNS);
}
MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(r, sourceHost, destinationHost, ipPacket, transportLayerPacket));
//base.MainPacketHandler.ParentForm.ShowDnsRecord(r, sourceHost, destinationHost, ipPakcet, udpPacket);
}
}
else
{
//display the flags instead
//TODO : MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(
if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0)
{
MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(new Packets.DnsPacket.ResponseWithErrorCode(dnsPacket), sourceHost, destinationHost, ipPacket, transportLayerPacket));
}
}
}
else //DNS request
{
if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0)
{
sourceHost.AddQueriedDnsName(dnsPacket.QueriedDnsName);
}
}
}
}
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
int parsedBytes = 0;
Packets.ITransportLayerPacket transportLayerPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p is ITransportLayerPacket)
{
transportLayerPacket = p as ITransportLayerPacket;
}
if (p.GetType() == typeof(Packets.KerberosPacket))
{
Packets.KerberosPacket kerberosPacket = (Packets.KerberosPacket)p;
//TicketPrimitives sessionTicketPrimitives = null;
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
string sessionSalt = this.GetKrbErrorSalt(kerberosPacket);//returns null in none found
if (sessionSalt != null)
{
parameters.Add("Kerberos Salt", sessionSalt);
}
int hostPairHash = sourceHost.IPAddress.GetHashCode() ^ destinationHost.IPAddress.GetHashCode();
if (this.saltList.ContainsKey(hostPairHash))
{
if (sessionSalt == null)
{
sessionSalt = this.saltList[hostPairHash];
}
else
{
this.saltList[hostPairHash] = sessionSalt;
}
}
else if (sessionSalt != null)
{
this.saltList.Add(hostPairHash, sessionSalt);
}
//parameters.Add("Kerberos message type", Enum.GetName(typeof(KerberosPacket.MessageType), kerberosPacket.MsgType) + " ("+((int)kerberosPacket.MsgType).ToString()+")");
List <uint> packetIntegers = new List <uint>();
byte encryptionType = 0;
//uint lastInteger = 0;
//List<string> spnParts = new List<string>();
List <(string username, string hash)> kerberosHashes = new List <(string username, string hash)>();
//string username, realm;
(string username, string realm) = this.GetUserAndRealm(kerberosPacket, sourceHost, destinationHost);
if (!string.IsNullOrEmpty(username))
{
parameters.Add("Kerberos Username", username);
}
if (!string.IsNullOrEmpty(realm))
{
parameters.Add("Kerberos Realm", realm);
}
foreach (var item in kerberosPacket.AsnData)
{
if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer)
{
//lastInteger = Utils.ByteConverter.ToUInt32(item.Item3);
uint number = Utils.ByteConverter.ToUInt32(item.Item3);
packetIntegers.Add(number);
if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && item.Item1.Equals("6d.30.a5.61.30.a3.30.a0"))
{
encryptionType = (byte)number;
}
else if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_as_rep)
{
if (item.Item1.Equals("6b.30.a5.61.30.a3.30.a0") || item.Item1.Equals("6b.30.a6.30.a0"))
{
encryptionType = (byte)number;
}
}
}
else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.OctetString)
{
//string hexValue = Utils.ByteConverter.ReadHexString(item.Item3, item.Item3.Length, true);
if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_as_req)
{
if (item.Item1 == "6a.30.a3.30.30.a2" && packetIntegers.Last() == (ushort)KerberosPacket.PADataType.ENC_TIMESTAMP)
{
foreach (var encTimestampItem in Utils.ByteConverter.GetAsn1Data(item.Item3))
{
if (encTimestampItem.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer && encTimestampItem.Item1 == "30.a0" && encTimestampItem.Item3.Length == 1)
{
encryptionType = encTimestampItem.Item3.First();
}
else if (encTimestampItem.Item2 == Utils.ByteConverter.Asn1TypeTag.OctetString && encTimestampItem.Item1 == "30.a2")
{
//sessionTicketPrimitives.Data = Utils.ByteConverter.ReadHexString(encTimestampItem.Item3, encTimestampItem.Item3.Length, true);
//if (sessionTicketPrimitives.TryGetTicketHash(kerberosPacket.MsgType, encryptionType, encTimestampItem.Item3, out string hash))
// kerberosHashes.Add(hash);
byte[] data = encTimestampItem.Item3;
//krb5pa
//user:$krb5pa$etype$user$realm$salt$HexTimestampHexChecksum
//des:$krb5pa$23$des$DENYDC$$32d396a914a4d0a78e979ba75d4ff53c1db7294141760fee05e434c12ecf8d5b9aa5839e09a2244893aff5f384f79c37883f154a
//des:$krb5pa$3$des$DENYDC$DENYDC.COMdes$233b4272aa93727221facfdbdcc9d1d9a0c43a2798c810600310c0daf48fb969c26cb47d69f575a65e00163845f68811f9c5266271cc0f91
//u5:$krb5pa$23$u5$DENYDC$DENYDC.COMdes$daf324dccec73739f6e49ef8fde60a9f9dfff50551ff5a7e969c6e395f18b842fb17c3b503df3025ab5a9dfc3031e893c4002008
//u5:$krb5pa$23$u5$DENYDC$DENYDC.COMdes$addbe67ccf9dd3c3da9e233612816c5720447ae202cfe7a84a719e1ef70b93bcef49786f71319a93d60531fcb443f7e96039f540
StringBuilder sb = new StringBuilder();
//sb.Append(username);
//sb.Append(":$krb5pa$");
sb.Append("$krb5pa$");
sb.Append(encryptionType);
sb.Append("$");
sb.Append(username);
sb.Append("$");
sb.Append(realm);
sb.Append("$");
sb.Append(sessionSalt);
sb.Append("$");
if (encryptionType == 23)
{
//string checksum = Data.Substring(0, 32);
string checksum = Utils.ByteConverter.ReadHexString(data, 16, 0, true);
//string encTimestamp = Data.Substring(32);
string encTimestamp = Utils.ByteConverter.ReadHexString(data, data.Length - 16, 16, true);
//"%s:$krb5pa$%s$%s$%s$%s$%s%s\n" % (user, etype, user, realm, salt, enc_timestamp, checksum)
sb.Append(encTimestamp);
sb.Append(checksum);
}
else //"%s:$krb5pa$%s$%s$%s$%s$%s\n" % (user, etype, user, realm, salt, PA_DATA_ENC_TIMESTAMP)
{
sb.Append(Utils.ByteConverter.ReadHexString(data, data.Length, true));
}
kerberosHashes.Add((username, sb.ToString()));
}
}
}
}
else if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep)
{
if (item.Item1 == "6d.30.a5.61.30.a3.30.a2" &&
encryptionType == 23 &&
packetIntegers.Count > 2 && packetIntegers.Skip(packetIntegers.Count - 2).First() == 23)
{
byte[] data = item.Item3;
//sessionTicketPrimitives.Username = string.Join("/", spnParts);
//if (sessionTicketPrimitives.TryGetTicketHash(kerberosPacket.MsgType, encryptionType, item.Item3, out string hash))
// kerberosHashes.Add(hash);
//$krb5tgs$<ENCRYPTION_TYPE>$*<USERNAME>$<REALM>$<SPN>*$<FIRST_16_BYTES_TICKET>$<REMAINING_TICKET_BYTES>
//"%s:$krb5tgs$%s$%s$%s\n" % (spn, etype, data[:32], data[32:])
StringBuilder sb = new StringBuilder();
//sb.Append(username);
//sb.Append(":$krb5tgs$");
sb.Append("$krb5tgs$");
sb.Append(encryptionType);
sb.Append("$");
string encPart1 = Utils.ByteConverter.ReadHexString(data, 16, 0, true);
string encPart2 = Utils.ByteConverter.ReadHexString(data, data.Length - 16, 16, true);
sb.Append(encPart1);
sb.Append("$");
sb.Append(encPart2);
kerberosHashes.Add((username, sb.ToString()));
//sessionTicketPrimitives.Data = Utils.ByteConverter.ReadHexString(item.Item3, item.Item3.Length, true);
}
}
else if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_as_rep)
{
if (krbAsRepTicketPaths.Contains(item.Item1))
{
byte[] data = item.Item3;
//TODO: create kerberosHash
StringBuilder sb = new StringBuilder();
sb.Append("$krb5asrep$");
sb.Append(encryptionType);
sb.Append("$");
if (string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(sessionSalt))
{
username = sessionSalt;
}
if (encryptionType == 23)
{
//sys.stdout.write("$krb5asrep$%s$%s$%s\n" % (etype, data[0:32], data[32:]))
string encPart1 = Utils.ByteConverter.ReadHexString(data, 16, 0, true);
string encPart2 = Utils.ByteConverter.ReadHexString(data, data.Length - 16, 16, true);
sb.Append(encPart1);
sb.Append("$");
sb.Append(encPart2);
kerberosHashes.Add((username, sb.ToString()));
}
else if (!string.IsNullOrEmpty(sessionSalt))
{
//if etype != "23":
//sys.stdout.write("$krb5asrep$%s$%s$%s$%s\n" % (etype, salt, data[0:-24], data[-24:]))
sb.Append(sessionSalt);
sb.Append("$");
string encPart1 = Utils.ByteConverter.ReadHexString(data, 12, 0, true);
string encPart2 = Utils.ByteConverter.ReadHexString(data, data.Length - 12, 12, true);
sb.Append(encPart1);
sb.Append("$");
sb.Append(encPart2);
kerberosHashes.Add((username, sb.ToString()));
}
}
}
}
}
foreach (var h in kerberosHashes)
{
string hashUser = h.username;
//string hashUser = hash.Split(new char[] { ':', '$' }).First();
if (string.IsNullOrEmpty(hashUser))
{
if (!string.IsNullOrEmpty(username))
{
hashUser = username;
}
else if (!string.IsNullOrEmpty(sessionSalt))
{
hashUser = sessionSalt;
}
else
{
hashUser = "******";
}
}
if (kerberosPacket.IsRequest)
{
base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", hashUser, h.hash, kerberosPacket.ParentFrame.Timestamp));
}
else
{
base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", hashUser, h.hash, kerberosPacket.ParentFrame.Timestamp));
}
}
/*
* string krbHash = sessionTicketPrimitives.GetTicketHash(kerberosPacket.MsgType);
* if (krbHash != null)
* base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", sessionTicketPrimitives.Username, krbHash, kerberosPacket.ParentFrame.Timestamp, sessionTicketPrimitives.Realm));
*/
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(kerberosPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, kerberosPacket.ParentFrame.Timestamp, "Kerberos " + Enum.GetName(typeof(KerberosPacket.MessageType), kerberosPacket.MsgType)));
parsedBytes += kerberosPacket.PacketLength;
}
}
return(parsedBytes);
}
private void ExtractData(Packets.NetBiosNameServicePacket netBiosNameServicePacket, NetworkHost sourceHost, NetworkHost destinationHost, Packets.ITransportLayerPacket transportLayerPacket)
{
System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection();
if (netBiosNameServicePacket.QueriedNetBiosName != null)
{
sourceHost.AddQueriedNetBiosName(netBiosNameServicePacket.QueriedNetBiosName);
parameters.Add("NetBIOS Query", netBiosNameServicePacket.QueriedNetBiosName);
}
/*
* if(netBiosNameServicePacket.AnsweredNetBiosName!=null) {
* parameters.Add(netBiosNameServicePacket.AnsweredNetBiosName, netBiosNameServicePacket.AnsweredIpAddress.ToString());
* if (base.MainPacketHandler.NetworkHostList.ContainsIP(netBiosNameServicePacket.AnsweredIpAddress))
* base.MainPacketHandler.NetworkHostList.GetNetworkHost(netBiosNameServicePacket.AnsweredIpAddress).AddHostName(netBiosNameServicePacket.AnsweredNetBiosName);
* }
*/
foreach (Packets.NetBiosNameServicePacket.ResourceRecord answer in netBiosNameServicePacket.AnswerResourceRecords)
{
UInt16 flags = Utils.ByteConverter.ToUInt16(answer.Data.Array, answer.Data.Offset);
byte[] ipBytes = new byte[4];//IP4...
Array.Copy(answer.Data.Array, answer.Data.Offset + 2, ipBytes, 0, ipBytes.Length);
System.Net.IPAddress answeredIpAddress = new System.Net.IPAddress(ipBytes);
parameters.Add(answer.Name, answeredIpAddress.ToString());
if (base.MainPacketHandler.NetworkHostList.ContainsIP(answeredIpAddress))
{
base.MainPacketHandler.NetworkHostList.GetNetworkHost(answeredIpAddress).AddHostName(answer.NameTrimmed);
}
}
foreach (Packets.NetBiosNameServicePacket.ResourceRecord additional in netBiosNameServicePacket.AdditionalResourceRecords)
{
UInt16 flags = Utils.ByteConverter.ToUInt16(additional.Data.Array, additional.Data.Offset);
if (additional.Type == 32 && additional.Class == 1 && (flags & 0x8000) == 0 && (additional.Name.EndsWith("<00>") || additional.Name.EndsWith("<20>")))
{
//https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-brws/0c773bdd-78e2-4d8b-8b3d-b7506849847b
//unique name with IP
byte[] ipBytes = new byte[4];//IP4...
Array.Copy(additional.Data.Array, additional.Data.Offset + 2, ipBytes, 0, ipBytes.Length);
System.Net.IPAddress answeredIpAddress = new System.Net.IPAddress(ipBytes);
parameters.Add(additional.Name, answeredIpAddress.ToString());
if (base.MainPacketHandler.NetworkHostList.ContainsIP(answeredIpAddress))
{
base.MainPacketHandler.NetworkHostList.GetNetworkHost(answeredIpAddress).AddHostName(additional.NameTrimmed);
}
}
}
if (parameters.Count > 0 && transportLayerPacket != null)
{
if (netBiosNameServicePacket.Flags.Response)
{
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Response"));
}
else if (netBiosNameServicePacket.Flags.OperationCode == (byte)Packets.NetBiosNameServicePacket.HeaderFlags.OperationCodes.registration)
{
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Registration"));
}
else if (netBiosNameServicePacket.Flags.OperationCode == (byte)Packets.NetBiosNameServicePacket.HeaderFlags.OperationCodes.query)
{
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Query"));
}
else
{
base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Message"));
}
}
}
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
//Packets.UdpPacket udpPacket = null;
int parsedBytes = 0;
Packets.ITransportLayerPacket transportLayerPacket = null;
FiveTuple ft = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p is Packets.ITransportLayerPacket)
{
transportLayerPacket = (Packets.ITransportLayerPacket)p;
if (transportLayerPacket is Packets.UdpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
}
else if (transportLayerPacket is Packets.TcpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
}
}
if (p.GetType() == typeof(Packets.SipPacket))
{
Packets.SipPacket sipPacket = (Packets.SipPacket)p;
if (sipPacket.MessageLine.StartsWith(INVITE))
{
string to = null;
string from = null;
if (sipPacket.To != null && sipPacket.To.Length > 0)
{
to = sipPacket.To;
if (to.Contains(";"))
{
to = to.Substring(0, to.IndexOf(';'));
}
destinationHost.AddNumberedExtraDetail("SIP User", to);
//destinationHost.ExtraDetailsList["SIP User"]=to;
}
if (sipPacket.From != null && sipPacket.From.Length > 0)
{
from = sipPacket.From;
if (from.Contains(";"))
{
from = from.Substring(0, from.IndexOf(';'));
}
//destinationHost.AddNumberedExtraDetail("SIP User", from);
sourceHost.AddNumberedExtraDetail("SIP User", from);
//sourceHost.ExtraDetailsList["SIP User"]=from;
}
if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID))
{
System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection {
{ "From", sipPacket.From },
{ "To", sipPacket.To },
{ "Call-ID", sipPacket.CallID }
};
this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString()));
}
}
if (!String.IsNullOrEmpty(sipPacket.UserAgent))
{
sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent);
}
if (sipPacket.SDP != null)
{
if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null)
{
lock (callEndPoints) {
Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft);
if (this.callEndPoints.ContainsKey(sipPacket.CallID))
{
Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null;
foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID])
{
if (previousEndPoint.Item3.EqualsIgnoreDirection(ft))
{
//Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ;
if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2)))
{
//this.callEndPoints.Remove(sipPacket.CallID);
matchedTuple = previousEndPoint;
if (sipPacket.From != null && sipPacket.To != null)
{
this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To);
if (ft != null)
{
}
}
break;
}
}
}
if (matchedTuple == null)
{
this.callEndPoints[sipPacket.CallID].Add(endPoint);
}
if (matchedTuple != null)
{
this.callEndPoints[sipPacket.CallID].Remove(matchedTuple);
}
}
else
{
this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >()
{
endPoint
});
}
}
}
}
parsedBytes += sipPacket.PacketLength;
}
}
return(parsedBytes);
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
//Packets.UdpPacket udpPacket = null;
Packets.ITransportLayerPacket transportLayerPacket = null;
FiveTuple ft = null;
foreach (Packets.AbstractPacket p in packetList)
{
/*
* Packets.IIPPacket ipPacket;
* if (p is Packets.IIPPacket) {
* ipPacket = p as Packets.IIPPacket;
* }
*/
if (p is Packets.ITransportLayerPacket)
{
transportLayerPacket = (Packets.ITransportLayerPacket)p;
if (transportLayerPacket is Packets.UdpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
}
else if (transportLayerPacket is Packets.TcpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
}
}
if (p.GetType() == typeof(Packets.SipPacket))
{
Packets.SipPacket sipPacket = (Packets.SipPacket)p;
if (sipPacket.MessageLine.StartsWith(INVITE))
{
string to = null;
string from = null;
if (sipPacket.To != null && sipPacket.To.Length > 0)
{
to = sipPacket.To;
if (to.Contains(";"))
{
to = to.Substring(0, to.IndexOf(';'));
}
destinationHost.AddNumberedExtraDetail("SIP User", to);
//destinationHost.ExtraDetailsList["SIP User"]=to;
}
if (sipPacket.From != null && sipPacket.From.Length > 0)
{
from = sipPacket.From;
if (from.Contains(";"))
{
from = from.Substring(0, from.IndexOf(';'));
}
//destinationHost.AddNumberedExtraDetail("SIP User", from);
sourceHost.AddNumberedExtraDetail("SIP User", from);
//sourceHost.ExtraDetailsList["SIP User"]=from;
}
if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID))
{
System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection {
{ "From", sipPacket.From },
{ "To", sipPacket.To },
{ "Call-ID", sipPacket.CallID }
};
this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString()));
}
}
if (!String.IsNullOrEmpty(sipPacket.UserAgent))
{
sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent);
}
if (sipPacket.SDP != null)
{
if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null)
{
lock (callEndPoints) {
Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft);
if (this.callEndPoints.ContainsKey(sipPacket.CallID))
{
Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null;
foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID])
{
if (previousEndPoint.Item3.EqualsIgnoreDirection(ft))
{
//Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ;
if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2)))
{
//this.callEndPoints.Remove(sipPacket.CallID);
matchedTuple = previousEndPoint;
if (sipPacket.From != null && sipPacket.To != null)
{
this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To);
if (ft != null)
{
}
}
break;
}
}
}
if (matchedTuple == null)
{
this.callEndPoints[sipPacket.CallID].Add(endPoint);
}
if (matchedTuple != null)
{
this.callEndPoints[sipPacket.CallID].Remove(matchedTuple);
}
}
else
{
this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >()
{
endPoint
});
}
}
/*
* //check if we have a reverse tuple
* Tuple<System.Net.IPAddress, System.Net.IPAddress> reverseIpPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(destinationHost.IPAddress, sourceHost.IPAddress);
*
* TODO: Använd CALL ID istället som unik nyckel!
*
* lock (this.endPointCandidates) {
* if (this.endPointCandidates.ContainsKey(reverseIpPair)) {
* ushort reversePort = this.endPointCandidates[reverseIpPair];
* this.endPointCandidates.Remove(reverseIpPair);
*
* if (this.udpPayloadProtocolFinder != null && !String.IsNullOrEmpty(sipPacket.SDP.Protocol) && sipPacket.SDP.Protocol.StartsWith("RTP", StringComparison.InvariantCultureIgnoreCase))
* this.udpPayloadProtocolFinder.SetPayload(sourceHost.IPAddress, sipPacket.SDP.Port.Value, destinationHost.IPAddress, reversePort, ApplicationLayerProtocol.Rtp);//this might come in too late because the UDP packet has probably already been parsed by now.
* if(sipPacket.From != null && sipPacket.To != null) {
* FiveTuple fiveTuple = new FiveTuple(sourceHost, sipPacket.SDP.Port.Value, destinationHost, reversePort, FiveTuple.TransportProtocol.UDP);
* this.MainPacketHandler.OnVoipCallDetected(fiveTuple, sipPacket.From, sipPacket.To);
* System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection();
* nvc.Add("From", sipPacket.From);
* nvc.Add("To", sipPacket.To);
* this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, fiveTuple, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP setup of call " + fiveTuple.ToString()));
* }
*
* }
* else {
* Tuple<System.Net.IPAddress, System.Net.IPAddress> ipPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(sourceHost.IPAddress, destinationHost.IPAddress);
* if (this.endPointCandidates.ContainsKey(ipPair))
* this.endPointCandidates[ipPair] = sipPacket.SDP.Port.Value;
* else
* this.endPointCandidates.Add(ipPair, sipPacket.SDP.Port.Value);
* }
* }
*/
}
//rtpPacketHandler.NewRtpEndPoints.Enqueue(new Tuple<System.Net.IPAddress, System.Net.IPAddress, ushort>(destinationHost.IPAddress, sourceHost.IPAddress, sipPacket.SDP.Port.Value));
}
}
}
}
