// used to convert a FSD object to a Event object private SEvent FSDToEvent(FullSocketData fsd) { SEvent se = new SEvent(40, DateTime.Now, "local Network usage", fsd.pname, EventType.SINGLE, new string[] { "pname", "pid", "local_port", "server", "server_port", "transport_protocol", "protocol", "sent", "received", "packets_counter" }, new string[] { fsd.pname, fsd.pid.ToString(), fsd.localPort.ToString(), fsd.server, fsd.serverPort.ToString(), fsd.tprotocol, fsd.protocol.ToString(), fsd.sent.ToString(), fsd.received.ToString(), fsd.packetCount.ToString() }); return(se); }
// manages the "full sockets" // periodically creates events for each FSD object private void FSDManager() { List <FullSocketData> fsdList = new List <FullSocketData>(); while (true) { // if empty, wait if (fsdQueue.Count == 0) { Thread.Sleep(3000); continue; } // move all FSDs from the concurrent queue to the local list int count = fsdQueue.Count; int counter = 0; foreach (FullSocketData fsd in fsdQueue.GetConsumingEnumerable()) { fsdList.Add(fsd); if (++counter == count) { break; } } // process FSDs while (fsdList.Count > 0) { FullSocketData fsd = fsdList[0]; fsdList.Remove(fsd); for (int i = fsdList.Count - 1; i >= 0; i--) { FullSocketData _fsd = fsdList[i]; if (fsd.SameSocketMerge(_fsd)) { fsdList.Remove(_fsd); } } ParseData(FSDToEvent(fsd)); } Thread.Sleep(5000); } }
// if they are the same socket it will add the sent and received values // it will also return true public bool SameSocketMerge(FullSocketData fsd) { if (localPort == fsd.localPort && server == fsd.server && serverPort == fsd.serverPort && tprotocol == fsd.tprotocol && protocol == fsd.protocol) { if (pid == -1) { pid = fsd.pid; } if (pname == "") { pname = fsd.pname; } sent += fsd.sent; received += fsd.received; packetCount += fsd.packetCount; return(true); } return(false); }
// parses the packets from the temporary queue and assigns them to relevant queues // giving the working threads work to do // occasionally it also creates events eg. DNS queries protected override void RunFetcher() { while (true) { // if empty, wait if (packets.Count == 0) { Thread.Sleep(1000); continue; } // take packet Packet packet = packets.Take(); IpV4Datagram ip = packet.Ethernet.IpV4; // skip if not tcp or udp if (ip.Protocol != IpV4Protocol.Udp && ip.Protocol != IpV4Protocol.Tcp) { continue; } // ports int serverPort = -1; int localPort = -1; bool sending = false; string server = ""; string transport_protocol = ""; string protocol = ""; // treat UDP if (ip.Protocol == IpV4Protocol.Udp) { UdpDatagram udp = ip.Udp; // set transport_protocol transport_protocol += "UDP"; // check if sending or receiving and set ports if (ip.Source.ToString() == deviceIPv4 || ip.Source.ToString() == deviceIPv6) { ips_to_be_checked.Add(ip.Destination.ToString()); serverPort = udp.DestinationPort; localPort = udp.SourcePort; sending = true; } if (ip.Destination.ToString() == deviceIPv4 || ip.Destination.ToString() == deviceIPv6) { ips_to_be_checked.Add(ip.Source.ToString()); serverPort = udp.SourcePort; localPort = udp.DestinationPort; } // treat well known port if (serverPort != -1 && wellKnownPorts.ContainsKey(serverPort)) { // check if DNS if (udp.DestinationPort == 53 && udp.Dns.IsQuery && udp.Dns.QueryCount == 1) { DnsDatagram dns = ip.Udp.Dns; ParseData(new SEvent(41, DateTime.Now, "DNS query", "network", EventType.SINGLE, new string[] { "domain" }, new string[] { dns.Queries[0].DomainName.ToString() })); } // set well known protocol protocol += wellKnownPorts[serverPort]; } } // treat TCP if (ip.Protocol == IpV4Protocol.Tcp) { TcpDatagram tcp = ip.Tcp; // set transport_protocol transport_protocol += "TCP"; if (ip.Source.ToString() == deviceIPv4 || ip.Source.ToString() == deviceIPv6) { ips_to_be_checked.Add(ip.Destination.ToString()); serverPort = tcp.DestinationPort; localPort = tcp.SourcePort; sending = true; } if (ip.Destination.ToString() == deviceIPv4 || ip.Destination.ToString() == deviceIPv6) { ips_to_be_checked.Add(ip.Source.ToString()); serverPort = tcp.SourcePort; localPort = tcp.DestinationPort; } // treat well known port if (serverPort != -1 && wellKnownPorts.ContainsKey(serverPort)) { protocol += wellKnownPorts[serverPort]; } } // process info ProcessData pd; if (used_ports.TryGetValue(localPort, out ProcessData _pd)) { pd = new ProcessData() { name = _pd.name, pid = _pd.pid } } ; else { pd = new ProcessData() { name = "null", pid = -1 } }; // set server if (sending) { server += ip.Destination; } else { server += ip.Source; } FullSocketData fsd; if (pd.pid != -1) { if (sending) { fsd = new FullSocketData(pd.pid, pd.name, localPort, server, serverPort, transport_protocol, protocol, packet.Length, 0, 1); } else { fsd = new FullSocketData(pd.pid, pd.name, localPort, server, serverPort, transport_protocol, protocol, 0, packet.Length, 1); } } else { if (sending) { fsd = new FullSocketData(-1, "", localPort, server, serverPort, transport_protocol, protocol, packet.Length, 0, 1); } else { fsd = new FullSocketData(-1, "", localPort, server, serverPort, transport_protocol, protocol, 0, packet.Length, 1); } } fsdQueue.TryAdd(fsd); } }