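/// <summary>
/// Returns the DomainController entry whose address matches the arguments,
/// creating and registering a new entry when none exists.
/// </summary>
/// <param name="IP">Value compared against <c>DomainController.IP</c>.</param>
/// <param name="IPHi">Value compared against <c>DomainController.IPHi</c>.</param>
/// <param name="IPLo">Value compared against <c>DomainController.IPLo</c>.</param>
/// <param name="isIPV6">Address-family flag; it is part of the match key.</param>
/// <returns>The existing or newly created entry from <c>DomainControllers</c>.</returns>
public DomainController GetDomainController(uint IP, ulong IPHi, ulong IPLo, bool isIPV6)
{
    // A linear scan is acceptable: this is not called often and the list is small.
    foreach (DomainController d in DomainControllers)
    {
        if (d.isIPV6 == isIPV6 && d.IP == IP && d.IPHi == IPHi && d.IPLo == IPLo)
        {
            return d;
        }
    }

    // Not found - create a new DomainController, register it and return it.
    DomainController d2 = new DomainController();
    d2.IP = IP;
    d2.IPHi = IPHi;
    d2.IPLo = IPLo;
    // Store the address family as well. The lookup above compares isIPV6, so an entry
    // created without it could never be matched again for an IPv6 address (assuming the
    // field defaults to false - TODO confirm), and each later call would add a duplicate
    // entry and split the per-port counters across them.
    d2.isIPV6 = isIPV6;
    DomainControllers.Add(d2);
    return d2;
}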
/// <summary>
/// Rebuilds <c>trace.DomainControllers</c> from the conversations in the trace and
/// fills in per-controller port counters, conversation lists and MSRPC port details.
/// </summary>
/// <remarks>
/// Identification is purely port-based: any destination address that receives a
/// conversation on port 53, 88 or 389 gets an entry. A host that only serves DNS or
/// LDAP is therefore listed as well, so entries are candidates rather than confirmed
/// domain controllers. No other destination ports are examined in the first pass.
/// </remarks>
/// <param name="trace">The trace whose conversations are analysed; its DomainControllers list is replaced.</param>
public static void Process(NetworkTrace trace)
{
    trace.DomainControllers = new System.Collections.ArrayList();

    // Pass 1: conversations whose server port is 53 (DNS), 88 (Kerberos) or 389 (LDAP)
    // create or update the entry for the destination address.
    foreach (ConversationData conv in trace.conversations)
    {
        if (conv.destPort != 53 && conv.destPort != 88 && conv.destPort != 389)
        {
            continue;
        }

        DomainController owner = trace.GetDomainController(conv.destIP, conv.destIPHi, conv.destIPLo, conv.isIPV6);

        switch (conv.destPort)
        {
            case 53: // DNS
                owner.DNSPort53Count++;
                break;
            case 88: // Kerberos
                owner.KerbPort88Count++;
                break;
            case 389: // LDAP
                owner.LDAPPort389Count++;
                break;
        }
    }

    // Pass 2: attach every conversation that FindDomainController associates with a
    // known entry, which picks up traffic on ports other than the three above.
    foreach (ConversationData conv in trace.conversations)
    {
        DomainController owner = trace.FindDomainController(conv);
        if (owner == null)
        {
            continue;
        }

        owner.conversations.Add(conv);
    }

    // Pass 3: look for MSRPC traffic and record the port it uses.
    foreach (DomainController dc in trace.DomainControllers)
    {
        foreach (ConversationData conv in dc.conversations)
        {
            // Only non-UDP conversations on destination ports above 1000 are candidates.
            if (conv.isUDP || conv.destPort <= 1000)
            {
                continue;
            }

            ushort rpcPort = conv.destPort;

            foreach (FrameData frame in conv.frames)
            {
                if (!isMSRPC(frame.payload))
                {
                    continue;
                }

                // The first MSRPC frame settles the conversation: it is counted once.
                dc.MSRPCPortCount++;

                if (dc.MSRPCPort == 0)
                {
                    dc.MSRPCPort = rpcPort;
                }
                else if (dc.MSRPCPort != rpcPort)
                {
                    // A second, different port was seen for the same entry.
                    dc.hasMultipleMSRPCPorts = true;
                }

                break;
            }
        }
    }
}