Exemple #1
        /// <summary>
        /// Builds an FTP message from the PDU stream behind <paramref name="reader"/> and parses it
        /// immediately.
        /// </summary>
        /// <param name="reader">Reader positioned on the PDU that carries the message.</param>
        /// <remarks>
        /// Parse() reports rejected input by clearing <c>Valid</c> and filling <c>InvalidReason</c>,
        /// so callers must check <c>Valid</c> before trusting any other property of the new instance.
        /// </remarks>
        public FTPMsg(PDUStreamReader reader)
        {
            // Keep the reader: Parse() pulls both the stream provider and the text line from it.
            _reader = reader;

            // Defaults describe a valid, untyped, empty message; Parse() overwrites what it recognises.
            ExportSources  = new List<IExportSource>();
            DataContent    = null;
            MessageContent = string.Empty;
            InvalidReason  = string.Empty;
            Type           = FTPMsgType.OTHER;
            Valid          = true;

            Parse();
        }
Exemple #2
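        /// <summary>
        /// Classifies the reader's current PDU as an FTP control or data message and fills
        /// <c>Frames</c>, <c>Timestamp</c>, <c>Type</c>, <c>MessageContent</c> / <c>DataContent</c>
        /// and <c>ExportSources</c>.
        /// </summary>
        /// <remarks>
        /// The parsed text comes from captured network traffic, so every field is chosen by whoever
        /// produced that traffic. Malformed control lines are reported through <c>Valid</c> and
        /// <c>InvalidReason</c> instead of escaping as an index or null-reference exception, so a
        /// single crafted line cannot abort processing of the rest of a capture.
        /// </remarks>
        private void Parse()
        {
            // The stream provider exposes the frame numbers and the PDU behind the reader.
            var _streamProvider = this._reader.PDUStreamBasedProvider;
            this.Frames = _streamProvider.ProcessedFrames;

            // Fetch the PDU once; nothing below advances the reader before its last use.
            var _pdu = _streamProvider.GetCurrentPDU();
            if (_pdu == null)
            {
                this.InvalidReason = "could not retrieve PDU";
                this.ExportSources.Add(_streamProvider.Conversation);
                this.Valid = false;
                return;
            }

            this.Timestamp = _pdu.FirstSeen;

            if (!_pdu.L7Conversation.ApplicationTags.Any())
            {
                this.Valid         = false;
                this.InvalidReason = "no application tag";
                this.ExportSources.Add(_pdu);
                return;
            }

            this.ExportSources.Add(_pdu);

            switch (_pdu.L7Conversation.ApplicationTags[0])
            {
            case "ftp":
                var _line = this._reader.ReadLine();
                if (_line == null)
                {
                    // NOTE(review): assumes ReadLine() returns null when no line is available - confirm.
                    this.Valid         = false;
                    this.InvalidReason = "could not read FTP line";
                    break;
                }

                var _splittedLine = _line.Split(' ');
                var _command      = _splittedLine[0];
                var _hasArgument  = _splittedLine.Length > 1;

                // Set when the line matches a known command but its argument cannot be used.
                string _malformed = null;

                // NOTE(review): only the token after the first space is kept, so a file name,
                // user name or password containing spaces is truncated - confirm this is intended.
                if (_command.StartsWith("PORT", StringComparison.OrdinalIgnoreCase))
                {
                    // PORT h1,h2,h3,h4,p1,p2 - the data port is p1 * 256 + p2.
                    this.Type = FTPMsgType.PORT;
                    var _value = _hasArgument ? _splittedLine[1].Split(',') : new string[0];
                    var _port1 = 0;
                    var _port2 = 0;
                    if (_value.Length < 6
                        || !int.TryParse(_value[4], out _port1)
                        || !int.TryParse(_value[5], out _port2)
                        || _port1 < 0 || _port1 > 255
                        || _port2 < 0 || _port2 > 255)
                    {
                        // Out-of-range port bytes would otherwise yield a bogus (or overflowed) port.
                        _malformed = "malformed PORT argument";
                    }
                    else
                    {
                        // The address fields are copied verbatim; they are not checked to be IPv4 octets.
                        var _address = _value[0] + '.' + _value[1] + '.' + _value[2] + '.' + _value[3];
                        var _port    = _port1 * 256 + _port2;
                        this.MessageContent = _address + ":" + _port;
                    }
                }
                else if (_command.StartsWith("257", StringComparison.OrdinalIgnoreCase))
                {
                    // 257 reply: the directory is the text between the first pair of double quotes.
                    this.Type = FTPMsgType.PWD;
                    var _tmp = _line.Split('"');
                    if (_tmp.Length < 2)
                    {
                        _malformed = "malformed 257 reply";
                    }
                    else
                    {
                        this.MessageContent = _tmp[1];
                    }
                }
                else if (_command.StartsWith("LIST", StringComparison.OrdinalIgnoreCase))
                {
                    this.Type = FTPMsgType.LIST;
                }
                else if (_command.StartsWith("STOR", StringComparison.OrdinalIgnoreCase))
                {
                    // Uploaded file name.
                    this.Type = FTPMsgType.STOR;
                    if (_hasArgument) { this.MessageContent = _splittedLine[1]; }
                    else { _malformed = "missing command argument"; }
                }
                else if (_command.StartsWith("RETR", StringComparison.OrdinalIgnoreCase))
                {
                    // Downloaded file name.
                    this.Type = FTPMsgType.RETR;
                    if (_hasArgument) { this.MessageContent = _splittedLine[1]; }
                    else { _malformed = "missing command argument"; }
                }
                else if (_command.StartsWith("DELE", StringComparison.OrdinalIgnoreCase))
                {
                    // NOTE(review): a DELE command is recorded as RETR, so deletions are
                    // indistinguishable from downloads downstream. This looks like a copy-paste
                    // slip; use a dedicated FTPMsgType member if the enum has one - confirm.
                    this.Type = FTPMsgType.RETR;
                    if (_hasArgument) { this.MessageContent = _splittedLine[1]; }
                    else { _malformed = "missing command argument"; }
                }
                else if (_command.StartsWith("USER", StringComparison.OrdinalIgnoreCase))
                {
                    this.Type = FTPMsgType.USER;
                    if (_hasArgument) { this.MessageContent = _splittedLine[1]; }
                    else { _malformed = "missing command argument"; }
                }
                // NOTE(review): the listing this was reviewed from was damaged around the PASS
                // branch and the "ftp-data" label; the structure here is rebuilt from the visible
                // fragments - confirm against the upstream file.
                else if (_command.StartsWith("PASS", StringComparison.OrdinalIgnoreCase))
                {
                    // MessageContent now holds a captured cleartext password; treat it as
                    // sensitive wherever this message is logged, displayed or exported.
                    this.Type = FTPMsgType.PASS;
                    if (_hasArgument) { this.MessageContent = _splittedLine[1]; }
                    else { _malformed = "missing command argument"; }
                }

                if (_malformed != null)
                {
                    this.Valid         = false;
                    this.InvalidReason = _malformed;
                }
                break;

            case "ftp-data":
                // Data channel: keep the raw PDU bytes.
                this.Type        = FTPMsgType.DATA;
                this.DataContent = _pdu.PDUByteArr;
                break;

            default:
                this.Valid         = false;
                this.InvalidReason = "unknown app tag encountered";
                break;
            }
        }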