public static NetMonFileHeader CreateFromReader(BinaryReader rdrFrom, uint uiMagic)
{
NetMonFileHeader netMonFileHeader = new NetMonFileHeader();
netMonFileHeader.MagicNumber = uiMagic;
netMonFileHeader.VerMinor = rdrFrom.ReadByte();
netMonFileHeader.VerMajor = rdrFrom.ReadByte();
netMonFileHeader.MacType = rdrFrom.ReadUInt16();
ushort year = rdrFrom.ReadUInt16();
ushort month = rdrFrom.ReadUInt16();
rdrFrom.ReadUInt16();
ushort day = rdrFrom.ReadUInt16();
ushort hour = rdrFrom.ReadUInt16();
ushort minute = rdrFrom.ReadUInt16();
ushort second = rdrFrom.ReadUInt16();
ushort millisecond = rdrFrom.ReadUInt16();
netMonFileHeader.dtCapture = new DateTime((int)year, (int)month, (int)day, (int)hour, (int)minute, (int)second, (int)millisecond);
netMonFileHeader.FrameTableOffset = rdrFrom.ReadUInt32();
netMonFileHeader.FrameTableLength = rdrFrom.ReadUInt32();
netMonFileHeader.UserDataOffset = rdrFrom.ReadUInt32();
netMonFileHeader.UserDataLength = rdrFrom.ReadUInt32();
netMonFileHeader.CommentDataOffset = rdrFrom.ReadUInt32();
netMonFileHeader.CommentDataLength = rdrFrom.ReadUInt32();
netMonFileHeader.ProcessListOffset = rdrFrom.ReadUInt32();
netMonFileHeader.ProcessListCount = rdrFrom.ReadUInt32();
netMonFileHeader.StatisticsOffset = rdrFrom.ReadUInt32();
netMonFileHeader.StatisticsLength = rdrFrom.ReadUInt32();
netMonFileHeader.ExtendedInfoOffset = rdrFrom.ReadUInt32();
netMonFileHeader.ExtendedInfoLength = rdrFrom.ReadUInt32();
netMonFileHeader.ConversationStatsOffset = rdrFrom.ReadUInt32();
netMonFileHeader.ConversationStatsLength = rdrFrom.ReadUInt32();
if (netMonFileHeader.VerMajor == 2 && netMonFileHeader.VerMinor > 1)
{
netMonFileHeader.FillProcessList(rdrFrom);
}
// [hidd3ncod3s]I fixed it.
//FiddlerApplication.get_Log().LogFormat("Importing NetMon Capture\n{0}\n", new object[]
//{
// netMonFileHeader
//});
Console.WriteLine(String.Format("Importing NetMon Capture\n{0}\n", netMonFileHeader));
return(netMonFileHeader);
}
private Session[] GetSessionsFromNetMonCAP(BinaryReader rdr, uint uiMagic)
{
NetMonFileHeader netMonFileHeader = NetMonFileHeader.CreateFromReader(rdr, uiMagic);
uint[] frameOffsets = netMonFileHeader.GetFrameOffsets(rdr);
PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts);
Dictionary <uint, DNSTransaction> dictionary = new Dictionary <uint, DNSTransaction>();
Dictionary <string, TCPStream> dictionary2 = new Dictionary <string, TCPStream>();
uint num = 0u;
while ((ulong)num < (ulong)((long)frameOffsets.Length))
{
packetCounts.Total += 1u;
rdr.BaseStream.Position = (long)((ulong)frameOffsets[(int)((UIntPtr)num)]);
NetmonPacketHeader netmonPacketHeader = NetmonPacketHeader.CreateFromReader(rdr, netMonFileHeader.dtCapture);
if (netmonPacketHeader.MediaType != MediaTypes.Ethernet && netmonPacketHeader.MediaType != MediaTypes.WFPCapture_Message2V4)
{
if (PacketCaptureImport.bVerboseDebug)
{
//FiddlerApplication.get_Log().LogFormat("Skipping frame {0} with MediaType: 0x{1:x}", new object[]
//{
// num,
// netmonPacketHeader.MediaType
//});
}
}
else
{
byte[] array = new byte[netmonPacketHeader.PacketSavedSize];
rdr.BaseStream.Position = (long)((ulong)(frameOffsets[(int)((UIntPtr)num)] + 16u));
rdr.BaseStream.Read(array, 0, array.Length);
IPFrame iPFrame;
if (netmonPacketHeader.MediaType == MediaTypes.WFPCapture_Message2V4)
{
iPFrame = IPFrame.FakeAsIPFrame(num, array, netmonPacketHeader.dtPacket);
}
else
{
iPFrame = IPFrame.ParseAsIPFrame(num, array, netmonPacketHeader.dtPacket);
}
if (iPFrame != null)
{
if (iPFrame.IPVersion == 4)
{
packetCounts.IPv4 += 1u;
}
else
{
if (iPFrame.IPVersion == 6)
{
packetCounts.IPv6 += 1u;
}
}
if (PacketCaptureImport.bVerboseDebug)
{
//FiddlerApplication.get_Log().LogFormat("Adding frame {0} - {1}", new object[]
//{
// num,
// iPFrame.ToString()
//});
}
IPSubProtocols nextProtocol = iPFrame.NextProtocol;
if (nextProtocol != IPSubProtocols.TCP)
{
if (nextProtocol != IPSubProtocols.UDP)
{
if (nextProtocol == IPSubProtocols.ESP)
{
if (PacketCaptureImport.bVerboseDebug)
{
//FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[]
//{
// iPFrame.iFrameNumber
//});
}
}
}
else
{
UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array);
packetCounts.UDP += 1u;
if (WellKnownPorts.DNS == uDPMessage.DstPort)
{
DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array);
if (dNSQuery.QueryType == DNSQueryType.AddressQuery)
{
DNSTransaction dNSTransaction;
if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction))
{
dNSTransaction = new DNSTransaction();
dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction);
}
dNSTransaction.uiTransactionID = dNSQuery.uiTransactionID;
dNSTransaction.sQueryForHostname = dNSQuery.sHostname;
dNSTransaction.bAAAAQuery = (dNSQuery.QueryType == DNSQueryType.AAAA);
dNSTransaction.dtQuerySent = netmonPacketHeader.dtPacket;
}
}
else
{
if (WellKnownPorts.DNS == uDPMessage.SrcPort)
{
DNSResponse dNSResponse = DNSResponse.Parse(iPFrame, array);
DNSTransaction dNSTransaction2;
if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2))
{
dNSTransaction2.dtResponseReceived = netmonPacketHeader.dtPacket;
}
}
}
}
}
else
{
TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array);
if (tCPFrame != null)
{
packetCounts.TCP += 1u;
TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort);
string key = tCPEndpoints.ToString();
TCPStream tCPStream;
if (!dictionary2.TryGetValue(key, out tCPStream))
{
tCPStream = new TCPStream(tCPEndpoints);
uint processTableIndex = netmonPacketHeader.ProcessTableIndex;
if ((ulong)processTableIndex < (ulong)((long)netMonFileHeader.arrProcesses.Length))
{
tCPStream.sProcessInfo = netMonFileHeader.arrProcesses[(int)((UIntPtr)processTableIndex)];
}
dictionary2.Add(key, tCPStream);
}
tCPStream.AddFrame(tCPFrame);
}
}
}
}
num += 1u;
}
return(this.GetSessionsFromPackets(ref packetCounts, dictionary2));
}
