private static void DispatcherHandler(PcapDotNet.Packets.Packet packet) { if (packet.Ethernet.IpV4.Tcp == null) return; if (packet.Ethernet.IpV4.Tcp.Payload == null) return; if (packet.Ethernet.IpV4.Tcp.Payload.Length == 0) return; MooNetRouter.ReadProto(packet.Ethernet.IpV4.Tcp.Payload); }
public static void ReadProto(PcapDotNet.Packets.Datagram payload) { Console.Write('.'); var stream = CodedInputStream.CreateInstance(payload.ToArray()); while (!stream.IsAtEnd) { Identify(stream); } }
/// <summary> /// /// </summary> /// <param name="packet"></param> public Connection(PcapDotNet.Packets.Packet packet) { IpV4Datagram ip = packet.Ethernet.IpV4; TcpDatagram tcp = ip.Tcp; SourceIp = ip.Source.ToString(); SourceIpNumeric = ip.Source.ToValue(); DestinationIp = ip.Destination.ToString(); DestinationIpNumeric = ip.Destination.ToValue(); SourcePort = (ushort)tcp.SourcePort; DestinationPort = (ushort)tcp.DestinationPort; }
public void StartCapture(PcapDotNet.Core.HandlePacket PacketHandler, LivePacketDevice device) { _device = device; StartCapture(PacketHandler); }
//functions public void StartCapture(PcapDotNet.Core.HandlePacket PacketHandler) { _packetHandler = PacketHandler; _bgWorker.DoWork += new DoWorkEventHandler(DoWork); _bgWorker.RunWorkerAsync(); }
/// <summary> /// The main function of the class receives a tcp packet and reconstructs the stream /// </summary> /// <param name="packet"></param> public void ReassemblePacket(PcapDotNet.Packets.Packet packet) { try { if (_maxSize > 0) { if (DataSize > _maxSize) { return; } } ushort sourcePort = 0; ushort destinationPort = 0; IpV4Datagram ip = packet.Ethernet.IpV4; if (ip.Protocol == IpV4Protocol.Tcp) { TcpDatagram tcp = (TcpDatagram)ip.Tcp; sourcePort = tcp.SourcePort; destinationPort = tcp.DestinationPort; // If the payload length is zero bail out ulong length = (ulong)(tcp.Length - tcp.HeaderLength); if (length == 0) { //Console.WriteLine("Invalid length (TCP): " + ip.Source.ToString() + "#" + ip.Destination.ToString()); //return; } if (tcp.IsFin == true) { this.HasFin = true; } uint acknowledged = Convert.ToUInt32(tcp.IsAcknowledgment); ReassembleTcp((ulong)tcp.SequenceNumber, acknowledged, length, tcp.Payload.ToMemoryStream().ToArray(), (ulong)tcp.Payload.Length, tcp.IsSynchronize, ip.Source.ToValue(), ip.Destination.ToValue(), (uint)tcp.SourcePort, (uint)tcp.DestinationPort, packet.Timestamp); } else if (ip.Protocol == IpV4Protocol.Udp) { UdpDatagram udp = (UdpDatagram)ip.Udp; sourcePort = udp.SourcePort; destinationPort = udp.DestinationPort; // If the payload length is zero bail out ulong length = (ulong)(udp.Length); if (length == 0) { Console.WriteLine("Invalid length (UDP): " + ip.Source.ToString() + "#" + ip.Destination.ToString()); //return; } int index = ReassembleUdp(length, udp.Payload.ToMemoryStream().ToArray(), (ulong)udp.Payload.Length, ip.Source.ToValue(), ip.Destination.ToValue(), (uint)udp.SourcePort, (uint)udp.DestinationPort, packet.Timestamp); // We assume that if a response e.g index 1 has been received then the session is complete if (index == 1) { HasFin = true; } } if (TimestampFirstPacket == null) { TimestampFirstPacket = packet.Timestamp; } TimestampLastPacket = packet.Timestamp; // Now run any applicable parsers var temp = from p in _packetParsers where (p.Port == sourcePort | p.Port == destinationPort) & p.Type == ParserType.Packet select p; foreach (InterfaceParser parser in temp) { if (parser.Enabled == false) { continue; } InterfacePacketParser packetParser = (InterfacePacketParser)parser; packetParser.Process(_storage, _outputPath, ip); } } catch (Exception ex ) { this.Log().Error(ex.ToString()); } }
/// <summary> /// /// </summary> /// <param name="packet"></param> private void WriteOldSessions(PcapDotNet.Packets.Packet packet) { try { OnMessage("Writing session data to database..." + _packetCount + " packets"); using (DbConnection dbConnection = Db.GetOpenConnection(_outputPath)) using (var db = new NPoco.Database(dbConnection, NPoco.DatabaseType.SQLCe)) { var keys = _dictionary.Keys.ToList(); foreach (var connection in keys) { var temp = _dictionary[connection]; if (temp.TimestampLastPacket == null) { if (temp.DataSize == 0) { _dictionary[connection].Dispose(); _dictionary.Remove(connection); } continue; } if (temp.HasFin == false) { if (packet != null) { // Lets ignore sessions that are still within the threshold if (packet.Timestamp < temp.TimestampLastPacket.Value.AddMinutes(SessionInterval)) { continue; } } } else { if (packet != null) { // Only kill sessions that have had a FIN and at least a minute has past if (packet.Timestamp < temp.TimestampLastPacket.Value.AddMinutes(1)) { continue; } } } Session session = CreateNewSession(temp.Guid, temp.DataSize, connection); _dictionary[connection].Dispose(); if (_dictionary.Remove(connection) == false) { Console.WriteLine("Unable to remove connection object: " + connection.GetName()); } if (temp.DataSize > 0) { int pk = Convert.ToInt32(db.Insert("Sessions", "Id", session)); PerformSessionProcessing(session, pk); } } OnMessage("Commiting database transaction..." + _packetCount + " packets"); } } catch (Exception ex) { this.Log().Error(ex.ToString()); } finally { OnMessage(string.Empty); } }
/// <summary> /// /// </summary> /// <param name="packet"></param> private void DispatcherHandler(PcapDotNet.Packets.Packet packet) { try { _packetCount++; IpV4Datagram ip = packet.Ethernet.IpV4; TcpDatagram tcp = ip.Tcp; if (tcp == null) { Console.WriteLine("No TCP: " + ip.Source.ToString() + "#" + ip.Destination.ToString()); return; } if (IgnoreLocal == true) { if (Networking.IsOnIntranet(System.Net.IPAddress.Parse(ip.Source.ToString())) == true & Networking.IsOnIntranet(System.Net.IPAddress.Parse(ip.Destination.ToString())) == true) { return; } } Connection connection = new Connection(packet); if (_dictionary.ContainsKey(connection) == false) { PacketReconstructor packetReconstructor = new PacketReconstructor(_outputPath, _maxSize); var parsers = from p in _parsers where p.Type == ParserType.Packet select p; packetReconstructor.SetPacketParsers(parsers.ToList()); _dictionary.Add(connection, packetReconstructor); } _dictionary[connection].ReassemblePacket(packet); if (_timestamp == DateTime.MinValue) { _timestamp = packet.Timestamp; } // Only write the data after the user defined period if (packet.Timestamp > _timestamp.AddMinutes(BufferInterval)) { _timestamp = packet.Timestamp; WriteOldSessions(packet); } if (_packetCount % 10000 == 0) { OnMessage("Processed " + _packetCount + " packets...(" + _dictionary.Count + " sessions)"); } } catch (Exception ex) { OnMessage("Error: " + ex.ToString()); Console.WriteLine(ex); } }