// used to convert a FSD object to a Event object
private SEvent FSDToEvent(FullSocketData fsd)
{
SEvent se = new SEvent(40, DateTime.Now, "local Network usage", fsd.pname, EventType.SINGLE,
new string[] { "pname", "pid", "local_port", "server", "server_port", "transport_protocol", "protocol", "sent", "received", "packets_counter" },
new string[] { fsd.pname, fsd.pid.ToString(), fsd.localPort.ToString(), fsd.server, fsd.serverPort.ToString(), fsd.tprotocol, fsd.protocol.ToString(), fsd.sent.ToString(), fsd.received.ToString(), fsd.packetCount.ToString() });
return(se);
}
// manages the "full sockets"
// periodically creates events for each FSD object
private void FSDManager()
{
List <FullSocketData> fsdList = new List <FullSocketData>();
while (true)
{
// if empty, wait
if (fsdQueue.Count == 0)
{
Thread.Sleep(3000);
continue;
}
// move all FSDs from the concurrent queue to the local list
int count = fsdQueue.Count;
int counter = 0;
foreach (FullSocketData fsd in fsdQueue.GetConsumingEnumerable())
{
fsdList.Add(fsd);
if (++counter == count)
{
break;
}
}
// process FSDs
while (fsdList.Count > 0)
{
FullSocketData fsd = fsdList[0];
fsdList.Remove(fsd);
for (int i = fsdList.Count - 1; i >= 0; i--)
{
FullSocketData _fsd = fsdList[i];
if (fsd.SameSocketMerge(_fsd))
{
fsdList.Remove(_fsd);
}
}
ParseData(FSDToEvent(fsd));
}
Thread.Sleep(5000);
}
}
// if they are the same socket it will add the sent and received values
// it will also return true
public bool SameSocketMerge(FullSocketData fsd)
{
if (localPort == fsd.localPort && server == fsd.server && serverPort == fsd.serverPort &&
tprotocol == fsd.tprotocol && protocol == fsd.protocol)
{
if (pid == -1)
{
pid = fsd.pid;
}
if (pname == "")
{
pname = fsd.pname;
}
sent += fsd.sent;
received += fsd.received;
packetCount += fsd.packetCount;
return(true);
}
return(false);
}
// parses the packets from the temporary queue and assigns them to relevant queues
// giving the working threads work to do
// occasionally it also creates events eg. DNS queries
protected override void RunFetcher()
{
while (true)
{
// if empty, wait
if (packets.Count == 0)
{
Thread.Sleep(1000);
continue;
}
// take packet
Packet packet = packets.Take();
IpV4Datagram ip = packet.Ethernet.IpV4;
// skip if not tcp or udp
if (ip.Protocol != IpV4Protocol.Udp && ip.Protocol != IpV4Protocol.Tcp)
{
continue;
}
// ports
int serverPort = -1;
int localPort = -1;
bool sending = false;
string server = "";
string transport_protocol = "";
string protocol = "";
// treat UDP
if (ip.Protocol == IpV4Protocol.Udp)
{
UdpDatagram udp = ip.Udp;
// set transport_protocol
transport_protocol += "UDP";
// check if sending or receiving and set ports
if (ip.Source.ToString() == deviceIPv4 || ip.Source.ToString() == deviceIPv6)
{
ips_to_be_checked.Add(ip.Destination.ToString());
serverPort = udp.DestinationPort;
localPort = udp.SourcePort;
sending = true;
}
if (ip.Destination.ToString() == deviceIPv4 || ip.Destination.ToString() == deviceIPv6)
{
ips_to_be_checked.Add(ip.Source.ToString());
serverPort = udp.SourcePort;
localPort = udp.DestinationPort;
}
// treat well known port
if (serverPort != -1 && wellKnownPorts.ContainsKey(serverPort))
{
// check if DNS
if (udp.DestinationPort == 53 && udp.Dns.IsQuery && udp.Dns.QueryCount == 1)
{
DnsDatagram dns = ip.Udp.Dns;
ParseData(new SEvent(41, DateTime.Now, "DNS query", "network", EventType.SINGLE, new string[] { "domain" }, new string[] { dns.Queries[0].DomainName.ToString() }));
}
// set well known protocol
protocol += wellKnownPorts[serverPort];
}
}
// treat TCP
if (ip.Protocol == IpV4Protocol.Tcp)
{
TcpDatagram tcp = ip.Tcp;
// set transport_protocol
transport_protocol += "TCP";
if (ip.Source.ToString() == deviceIPv4 || ip.Source.ToString() == deviceIPv6)
{
ips_to_be_checked.Add(ip.Destination.ToString());
serverPort = tcp.DestinationPort;
localPort = tcp.SourcePort;
sending = true;
}
if (ip.Destination.ToString() == deviceIPv4 || ip.Destination.ToString() == deviceIPv6)
{
ips_to_be_checked.Add(ip.Source.ToString());
serverPort = tcp.SourcePort;
localPort = tcp.DestinationPort;
}
// treat well known port
if (serverPort != -1 && wellKnownPorts.ContainsKey(serverPort))
{
protocol += wellKnownPorts[serverPort];
}
}
// process info
ProcessData pd;
if (used_ports.TryGetValue(localPort, out ProcessData _pd))
{
pd = new ProcessData()
{
name = _pd.name,
pid = _pd.pid
}
}
;
else
{
pd = new ProcessData()
{
name = "null",
pid = -1
}
};
// set server
if (sending)
{
server += ip.Destination;
}
else
{
server += ip.Source;
}
FullSocketData fsd;
if (pd.pid != -1)
{
if (sending)
{
fsd = new FullSocketData(pd.pid, pd.name, localPort, server, serverPort, transport_protocol, protocol, packet.Length, 0, 1);
}
else
{
fsd = new FullSocketData(pd.pid, pd.name, localPort, server, serverPort, transport_protocol, protocol, 0, packet.Length, 1);
}
}
else
{
if (sending)
{
fsd = new FullSocketData(-1, "", localPort, server, serverPort, transport_protocol, protocol, packet.Length, 0, 1);
}
else
{
fsd = new FullSocketData(-1, "", localPort, server, serverPort, transport_protocol, protocol, 0, packet.Length, 1);
}
}
fsdQueue.TryAdd(fsd);
}
}
