Example #1
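 /// <summary>
 /// Creates the reassembly state shared by both directions of one TCP connection.
 /// </summary>
 /// <param name="packet">Packet that triggered creation; only its TimeStamp is read here.</param>
 /// <param name="signature0">Signature stored in slot 0.</param>
 /// <param name="signature1">Signature stored in slot 1.</param>
 public TCPState(TCPPacket packet, string signature0, string signature1)
 {
     // The signatures do not depend on the loop index, so they are assigned once
     // instead of being rewritten on every iteration.
     Signature[0] = signature0;
     Signature[1] = signature1;

     for (int i = 0; i < 2; i++)
     {
         // Fixed 80-byte buffer per direction; the trailing "0000]" suggests a larger size was used before.
         // NOTE(review): the code that writes into data[i] is outside this block. Stream length is
         // controlled by the remote peer, so confirm that writer grows or bounds-checks the buffer.
         data[i]     = new byte[80];         //0000];
         Position[i] = 0;
         Packets[i]  = new System.Collections.ArrayList();
         Times[i]    = new System.Collections.ArrayList();
     }

     LastAddedTime = packet.TimeStamp;
 }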
Example #2
        /// <summary>
        /// Records a packet for one direction of the connection and advances the handshake state
        /// when the packet is the first SYN seen for that direction.
        /// </summary>
        /// <param name="direction">Index into State/Packets: 0 or 1.</param>
        /// <param name="packet">Parsed packet; its SYN flag and TimeStamp are read.</param>
        public void AddPacket(int direction, TCPPacket packet)
        {
            if (State[direction] == States.NEW)
            {
                switch (direction)
                {
                    case 0:
                        if (packet.SYN)
                        {
                            // First SYN on direction 0: remember the starting sequence number.
                            FirstPacket(packet, direction);
                            State[direction] = States.SYN1;
                        }
                        break;

                    case 1:
                        // should check SYNs as well
                        if (packet.SYN)
                        {
                            // SYN on direction 1 moves both directions to RUNNING.
                            FirstPacket(packet, direction);
                            State[0] = States.RUNNING;
                            State[1] = States.RUNNING;
                        }
                        break;
                }
            }

            // Added irrespective of whether we can handle it now, unless known to be "dead".
            // Note that this also queues packets while the state is still NEW, and no size cap
            // is applied in this method.
            bool dead = State[direction] == States.FINISHED || State[direction] == States.REPORTED;
            if (!dead)
            {
                Packets[direction].Add(packet);
            }

            LastAddedTime = packet.TimeStamp;
        }
Example #3
 /// <summary>
 /// Stores the first expected data sequence number for a direction, taken from its SYN packet.
 /// </summary>
 /// <param name="packet">Packet whose TCP sequence number is used.</param>
 /// <param name="direction">Index into Sequence.</param>
 void FirstPacket(TCPPacket packet, int direction)
 {
     // The SYN itself occupies one sequence number, so stream data starts one past it.
     Sequence[direction] = 1 + packet.PTcp.SequenceNumber;
 }
Example #4
        /// <summary>
        /// Queues a packet for the given direction and updates the connection state on a SYN.
        /// </summary>
        /// <param name="direction">0 or 1; selects the entry in State and Packets.</param>
        /// <param name="packet">Parsed packet; SYN and TimeStamp are read.</param>
        public void AddPacket(int direction, TCPPacket packet)
        {
            bool isNew = State[direction] == States.NEW;

            if (isNew && direction == 0 && packet.SYN)
            {
                FirstPacket(packet, direction);
                State[direction] = States.SYN1;
            }
            else if (isNew && direction == 1 && packet.SYN) // should check SYNs as well
            {
                FirstPacket(packet, direction);
                State[0] = States.RUNNING;
                State[1] = States.RUNNING;
            }

            // Added irrespective of whether we can handle it now, unless known to be "dead".
            // Packets for a connection that never leaves NEW are therefore queued as well;
            // this method applies no limit to the queue length.
            if (!(State[direction] == States.FINISHED || State[direction] == States.REPORTED))
            {
                Packets[direction].Add(packet);
            }

            LastAddedTime = packet.TimeStamp;
        }
Example #5
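 /// <summary>
 /// Initialises the per-direction buffers, queues and signatures of a TCP connection state.
 /// </summary>
 /// <param name="packet">Packet that caused the state to be created; its TimeStamp seeds LastAddedTime.</param>
 /// <param name="signature0">Signature for direction 0.</param>
 /// <param name="signature1">Signature for direction 1.</param>
 public TCPState(TCPPacket packet, string signature0, string signature1)
 {
     for(int i=0;i<2;i++)
     {
         // NOTE(review): 80 bytes per direction. The code that fills data[i] is not visible here;
         // verify it cannot write past this length, because payload sizes come from the network.
         data[i]=new byte[80];//0000];
         Position[i]=0;
         Packets[i]=new System.Collections.ArrayList();
         Times[i]=new System.Collections.ArrayList();
     }

     // Loop-invariant: moved out of the loop so each slot is written once.
     Signature[0] = signature0;
     Signature[1] = signature1;

     LastAddedTime = packet.TimeStamp;
 }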
Example #6
 // Records where the byte stream of this direction begins.
 // The value is the SYN packet's sequence number plus one, because the SYN flag
 // consumes a sequence number but carries no stream data.
 void FirstPacket(TCPPacket packet, int direction)
 {
     Sequence[direction] = 1 + packet.PTcp.SequenceNumber;
 }
Example #7
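        /// <summary>
        /// Parses one captured packet as IPv4 + TCP, finds or creates the TCPState for its
        /// connection signature, queues the packet and raises FragmentAdded / EndOfStream
        /// according to what Defragment reports.
        /// </summary>
        /// <param name="data">Captured packet; Data, StartIndex and TimeStamp are read.</param>
        /// <remarks>
        /// All header fields are read from captured bytes and are therefore untrusted. The TCP
        /// header is located using the IPv4 header-length field, so packets that carry IP options
        /// are not parsed with the option bytes mistaken for TCP ports and sequence numbers.
        /// </remarks>
        public void AnalysePacket(PacketInfo data)
        {
            byte [] PacketData = data.Data;
            int StartIndex = data.StartIndex;

            int Index = StartIndex;

            // Start by eliminating non IP and non TCP packets
            if( ( Index + LENGTH_OF_INTERNET + LENGTH_OF_TCP ) > PacketData.Length )
            {
                return ;
            }

            PacketINTERNET.PACKET_INTERNET PInternet = new PacketINTERNET.PACKET_INTERNET();
            PInternet.Version = PacketData[ Index++ ];
            // Low nibble is the header length in 32-bit words, high nibble is the IP version.
            PInternet.HeaderLength = (byte) ( ( (int) PInternet.Version & 0x0f ) * 4 );
            PInternet.Version = (byte) ( (int) PInternet.Version >> 4 );
            if( PInternet.Version != 4 )
            {
                // The field layout below is IPv4 only; any other version would be misread.
                return;
            }
            PInternet.DifferentiatedServicesField = PacketData[ Index++ ];
            PInternet.Length = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            PInternet.Identification = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            PInternet.FragmentOffset = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            // NOTE(review): IPv4 defines 3 flag bits and a 13-bit fragment offset. The shift by 12 and
            // the 0x0f mask keep a different split. Left unchanged because the consumers of Flags and
            // FragmentOffset are outside this block; as written, a non-first fragment cannot be
            // recognised here and is parsed as if it started with a TCP header.
            PInternet.Flags = (byte)( (int) PInternet.FragmentOffset >> 12 );
            PInternet.FragmentOffset = (ushort) ( (int) PInternet.FragmentOffset & 0x0f );
            PInternet.TimeToLive = PacketData[ Index++ ];
            PInternet.Protocol = PacketData[ Index++ ];
            PInternet.HeaderChecksum = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            PInternet.Source = Function.GetIpAddress( PacketData , ref Index );
            PInternet.Destination  = Function.GetIpAddress( PacketData , ref Index );
            if(PInternet.Protocol  != IPPROTO_TCP )
                return;

            // Skip IP options: the TCP header starts HeaderLength bytes after the IP header start,
            // not directly after the fixed fields consumed above. Reject a header length that is
            // shorter than the fixed part or that leaves no room for a minimal TCP header.
            int FixedHeaderBytes = Index - StartIndex;
            int TcpStart = StartIndex + PInternet.HeaderLength;
            if( ( PInternet.HeaderLength < FixedHeaderBytes ) ||
                ( ( TcpStart + LENGTH_OF_TCP ) > PacketData.Length ) )
            {
                return;
            }
            Index = TcpStart;

            // Check IPs
            //if(!analysisFromCapFile)
            //{
                if(((PInternet.Source == IP1) && (PInternet.Destination == IP1)) ||
                    (PInternet.Source == PInternet.Destination))
                {
                    return;
                }
            //}

            PacketTCP.PACKET_TCP PTcp = new PacketTCP.PACKET_TCP();

            PTcp.SourcePort = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            PTcp.DestinationPort = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            PTcp.SequenceNumber = Function.Get4Bytes( PacketData , ref Index , Const.NORMAL );
            PTcp.Acknowledgement = Function.Get4Bytes( PacketData , ref Index , Const.NORMAL );
            PTcp.HeaderLength = PacketData[ Index++ ];
            // High nibble is the TCP data offset in 32-bit words.
            PTcp.HeaderLength = (byte) ( ( (int) PTcp.HeaderLength >> 4 ) * 4 );
            PTcp.Flags = PacketData[ Index++ ];
            PTcp.WindowSize = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            PTcp.Checksum = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );
            // NOTE(review): the two bytes at this position of a TCP header are the urgent pointer;
            // the field name Options is kept because it is declared outside this block.
            PTcp.Options = Function.Get2Bytes( PacketData , ref Index , Const.NORMAL );

            //if(!analysisFromCapFile)
            //{
                if(((PTcp.SourcePort == Port1) && (PTcp.DestinationPort == Port1)) ||
                    ((PTcp.SourcePort == Port2) && (PTcp.DestinationPort == Port2)))
                {
                    return;
                }
            //}

            String signature = Signature(PInternet.Source, PTcp.SourcePort, PInternet.Destination, PTcp.DestinationPort);
            //Keep track of the connections which have been established.(The list will be used later to populate the Associations Combo Box.)
            if (!listOfConnections.Contains(signature))
            {
                listOfConnections.Add(signature);
            }
            TCPPacket packet = new TCPPacket(PacketData, StartIndex , PInternet, PTcp, data.TimeStamp);

            LastParsedPacketTime = packet.TimeStamp;

            // Look the signature up in both direction tables; the index found is the packet's direction.
            int match = -1;
            TCPState state;
            for(int i=0;i<2;i++)
            {
                if(List[i].Contains(signature))
                {
                    match=i;
                }
            }

            // add as new item if necessary
            if(match==(-1))
            {
                //Need to check here that we have SYNs
                // As written, any packet with an unseen signature creates a state, so the tables
                // and listOfConnections grow with the traffic; no eviction is visible in this block.
                String signature1 = Signature(PInternet.Destination, PTcp.DestinationPort,PInternet.Source, PTcp.SourcePort);
                state = new TCPState(packet,signature, signature1);
                List[0].Add(signature,state);
                List[1].Add(signature1,state);
                match=0;
            }
            else
            {
                state = (TCPState) List[match][signature];
            }

            // Only the per-connection state is locked; List and listOfConnections above are not.
            // NOTE(review): assumes a single thread calls AnalysePacket - confirm.
            lock(state)
            {
                if(state.State[match] != TCPState.States.REPORTED)
                {
                    state.AddPacket(match,packet);
                    TCPState.PacketAction LastAction;
                    // Drain every in-order segment that is now available.
                    while((LastAction = state.Defragment(match)) == TCPState.PacketAction.DATA)
                    {
                        if(FragmentAdded != null)
                        {
                            FragmentAdded(state, match);
                        }
                        nrOfCapturedPackets++;
                    }
                    if(LastAction == TCPState.PacketAction.FIN)
                    {
                        if(EndOfStream != null)
                            EndOfStream(state, match, "FIN Seen (" + signature + ")");
                    }
                    if(LastAction == TCPState.PacketAction.RST)
                    {
                        if(EndOfStream != null)
                            EndOfStream(state, match, "RST Seen (" + signature + ")");
                    }
                    if(LastAction == TCPState.PacketAction.DEAD)
                    {
                        //Error("DEAD seen" + signature);
                        if(EndOfStream != null)
                            EndOfStream(state, match, "DEAD data seen (" + signature + ")");
                    }
                }
            }
        }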
Example #8
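        /// <summary>
        /// Decodes the IPv4 and TCP headers of a captured packet, attaches the packet to the
        /// TCPState of its connection (creating one when the signature is new) and reports
        /// reassembled data and stream termination through FragmentAdded and EndOfStream.
        /// </summary>
        /// <param name="data">Captured packet; Data, StartIndex and TimeStamp are read.</param>
        /// <remarks>
        /// Header fields are taken from captured bytes and must be treated as untrusted. The start
        /// of the TCP header is derived from the IPv4 header-length field so that IP options are
        /// skipped rather than decoded as TCP fields.
        /// </remarks>
        public void AnalysePacket(PacketInfo data)
        {
            byte [] PacketData = data.Data;
            int     StartIndex = data.StartIndex;

            int Index = StartIndex;

            // Start by eliminating non IP and non TCP packets
            if ((Index + LENGTH_OF_INTERNET + LENGTH_OF_TCP) > PacketData.Length)
            {
                return;
            }

            PacketINTERNET.PACKET_INTERNET PInternet = new PacketINTERNET.PACKET_INTERNET();
            PInternet.Version      = PacketData[Index++];
            // First byte: high nibble = version, low nibble = header length in 32-bit words.
            PInternet.HeaderLength = (byte)(((int)PInternet.Version & 0x0f) * 4);
            PInternet.Version      = (byte)((int)PInternet.Version >> 4);
            if (PInternet.Version != 4)
            {
                // Only the IPv4 layout is decoded below.
                return;
            }
            PInternet.DifferentiatedServicesField = PacketData[Index++];
            PInternet.Length         = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            PInternet.Identification = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            PInternet.FragmentOffset = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            // NOTE(review): IPv4 uses 3 flag bits and a 13-bit fragment offset; the shift by 12 and the
            // 0x0f mask do not match that split. Kept as-is because code reading Flags/FragmentOffset
            // is outside this block. Consequence: later fragments of a datagram are not detected
            // here and are decoded as though they began with a TCP header.
            PInternet.Flags          = (byte)((int)PInternet.FragmentOffset >> 12);
            PInternet.FragmentOffset = (ushort)((int)PInternet.FragmentOffset & 0x0f);
            PInternet.TimeToLive     = PacketData[Index++];
            PInternet.Protocol       = PacketData[Index++];
            PInternet.HeaderChecksum = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            PInternet.Source         = Function.GetIpAddress(PacketData, ref Index);
            PInternet.Destination    = Function.GetIpAddress(PacketData, ref Index);
            if (PInternet.Protocol != IPPROTO_TCP)
            {
                return;
            }

            // Honour the header-length field: bytes between the fixed fields and
            // StartIndex + HeaderLength are IP options and must not be read as TCP.
            int FixedHeaderBytes = Index - StartIndex;
            int TcpStart         = StartIndex + PInternet.HeaderLength;
            if (PInternet.HeaderLength < FixedHeaderBytes)
            {
                // Header length smaller than the fields already read: malformed packet.
                return;
            }
            if ((TcpStart + LENGTH_OF_TCP) > PacketData.Length)
            {
                // Not enough captured bytes left for a minimal TCP header.
                return;
            }
            Index = TcpStart;

            // Check IPs
            //if(!analysisFromCapFile)
            //{
            if (((PInternet.Source == IP1) && (PInternet.Destination == IP1)) ||
                (PInternet.Source == PInternet.Destination))
            {
                return;
            }
            //}

            PacketTCP.PACKET_TCP PTcp = new PacketTCP.PACKET_TCP();

            PTcp.SourcePort      = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            PTcp.DestinationPort = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            PTcp.SequenceNumber  = Function.Get4Bytes(PacketData, ref Index, Const.NORMAL);
            PTcp.Acknowledgement = Function.Get4Bytes(PacketData, ref Index, Const.NORMAL);
            PTcp.HeaderLength    = PacketData[Index++];
            // High nibble is the data offset in 32-bit words.
            PTcp.HeaderLength    = (byte)(((int)PTcp.HeaderLength >> 4) * 4);
            PTcp.Flags           = PacketData[Index++];
            PTcp.WindowSize      = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            PTcp.Checksum        = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
            // NOTE(review): these two bytes are the urgent pointer in a TCP header; the field is
            // named Options in a type declared outside this block.
            PTcp.Options         = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);

            //if(!analysisFromCapFile)
            //{
            if (((PTcp.SourcePort == Port1) && (PTcp.DestinationPort == Port1)) ||
                ((PTcp.SourcePort == Port2) && (PTcp.DestinationPort == Port2)))
            {
                return;
            }
            //}

            String signature = Signature(PInternet.Source, PTcp.SourcePort, PInternet.Destination, PTcp.DestinationPort);

            //Keep track of the connections which have been established.(The list will be used later to populate the Associations Combo Box.)
            if (!listOfConnections.Contains(signature))
            {
                listOfConnections.Add(signature);
            }
            TCPPacket packet = new TCPPacket(PacketData, StartIndex, PInternet, PTcp, data.TimeStamp);

            LastParsedPacketTime = packet.TimeStamp;

            int      match = -1;
            TCPState state;

            // The table in which the signature is found gives the packet's direction.
            for (int i = 0; i < 2; i++)
            {
                if (List[i].Contains(signature))
                {
                    match = i;
                }
            }

            // add as new item if necessary
            if (match == (-1))
            {
                //Need to check here that we have SYNs
                // Without that check every unseen signature allocates a TCPState, so table size
                // follows the number of distinct endpoint pairs in the capture; this block shows
                // no eviction.
                String signature1 = Signature(PInternet.Destination, PTcp.DestinationPort, PInternet.Source, PTcp.SourcePort);
                state = new TCPState(packet, signature, signature1);
                List[0].Add(signature, state);
                List[1].Add(signature1, state);
                match = 0;
            }
            else
            {
                state = (TCPState)List[match][signature];
            }

            // The lock covers the connection state only; the lookups and inserts above run unlocked.
            // NOTE(review): presumably AnalysePacket is called from one thread - verify against caller.
            lock (state)
            {
                if (state.State[match] != TCPState.States.REPORTED)
                {
                    state.AddPacket(match, packet);
                    TCPState.PacketAction LastAction;
                    // Deliver every segment that Defragment can hand over in order.
                    while ((LastAction = state.Defragment(match)) == TCPState.PacketAction.DATA)
                    {
                        if (FragmentAdded != null)
                        {
                            FragmentAdded(state, match);
                        }
                        nrOfCapturedPackets++;
                    }

                    // Map the terminating action to the text reported with EndOfStream.
                    String reason = null;
                    switch (LastAction)
                    {
                        case TCPState.PacketAction.FIN:
                            reason = "FIN Seen (" + signature + ")";
                            break;
                        case TCPState.PacketAction.RST:
                            reason = "RST Seen (" + signature + ")";
                            break;
                        case TCPState.PacketAction.DEAD:
                            //Error("DEAD seen" + signature);
                            reason = "DEAD data seen (" + signature + ")";
                            break;
                    }
                    if (reason != null && EndOfStream != null)
                    {
                        EndOfStream(state, match, reason);
                    }
                }
            }
        }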