public static PCAPNGFileHeader CreateFromReader(BinaryReader rdrFrom, uint uiMagic)
{
PCAPNGFileHeader pCAPNGFileHeader = new PCAPNGFileHeader();
pCAPNGFileHeader.MagicNumber = uiMagic;
pCAPNGFileHeader.SectionHeaderLength = rdrFrom.ReadUInt32();
pCAPNGFileHeader.ByteOrderMagic = rdrFrom.ReadUInt32();
pCAPNGFileHeader.VerMajor = rdrFrom.ReadUInt16();
pCAPNGFileHeader.VerMinor = rdrFrom.ReadUInt16();
pCAPNGFileHeader.longSectionLength = rdrFrom.ReadInt64();
uint count = pCAPNGFileHeader.SectionHeaderLength - 28u;
rdrFrom.ReadBytes((int)count);
pCAPNGFileHeader.RepeatedHeaderLength = rdrFrom.ReadUInt32();
return(pCAPNGFileHeader);
}
private Session[] GetSessionsFromPCAPNG(BinaryReader rdr, uint uiMagic)
{
PCAPNGFileHeader pCAPNGFileHeader = PCAPNGFileHeader.CreateFromReader(rdr, uiMagic);
if (pCAPNGFileHeader.ByteOrderMagic != 439041101u)
{
Console.WriteLine(String.Format("Sorry, this format is not yet supported. Please contact support.", "Unsupported Byte-Order"));
return(null);
}
if (pCAPNGFileHeader.SectionHeaderLength != pCAPNGFileHeader.RepeatedHeaderLength)
{
Console.WriteLine(String.Format("Sorry, this file appears to be corrupt. HeaderLength != TrailingHeaderLength. Please contact support.", "File Corrupt"));
return(null);
}
//Console.WriteLine(String.Format("Importing PCAPNG:\n{0}", pCAPNGFileHeader);
PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts);
Dictionary <uint, DNSTransaction> dictionary = new Dictionary <uint, DNSTransaction>();
Dictionary <string, TCPStream> dictionary2 = new Dictionary <string, TCPStream>();
long length = rdr.BaseStream.Length;
bool flag = false;
while (!flag && rdr.BaseStream.Position + 8L <= length)
{
PCAPNGBlockHeader pCAPNGBlockHeader = PCAPNGBlockHeader.CreateFromReader(rdr);
PCAPNGBlockType uiBlockType = pCAPNGBlockHeader.uiBlockType;
if (uiBlockType != PCAPNGBlockType.InterfaceDescriptionBlock)
{
if (uiBlockType != PCAPNGBlockType.EnhancedPacketBlock)
{
//FiddlerApplication.get_Log().LogString(pCAPNGBlockHeader.ToString());
rdr.ReadBytes((int)(pCAPNGBlockHeader.uiBlockLength - 8u));
}
else
{
packetCounts.Total += 1u;
PCAPNGEnhancedPacketHeader pCAPNGEnhancedPacketHeader = PCAPNGEnhancedPacketHeader.CreateFromReader(rdr);
if (pCAPNGEnhancedPacketHeader.PacketOriginalSize != pCAPNGEnhancedPacketHeader.PacketSavedSize)
{
//FiddlerApplication.get_Log().LogFormat("! WARNING: Packet was not stored completely. Stored only {0}/{1} bytes", new object[]
//{
// pCAPNGEnhancedPacketHeader.PacketSavedSize,
// pCAPNGEnhancedPacketHeader.PacketOriginalSize
//});
}
byte[] array = rdr.ReadBytes((int)pCAPNGEnhancedPacketHeader.PacketSavedSize);
if ((long)array.Length != (long)((ulong)pCAPNGEnhancedPacketHeader.PacketSavedSize))
{
//FiddlerApplication.get_Log().LogFormat("! WARNING: File was incomplete. Last frame stored only {0}/{1} bytes", new object[]
//{
// array.Length,
// pCAPNGEnhancedPacketHeader.PacketSavedSize
//});
flag = true;
}
else
{
IPFrame iPFrame = IPFrame.ParseAsIPFrame(packetCounts.Total, array, pCAPNGEnhancedPacketHeader.dtPacket);
if (iPFrame == null)
{
rdr.ReadBytes((int)((ulong)(pCAPNGBlockHeader.uiBlockLength - 28u) - (ulong)((long)pCAPNGEnhancedPacketHeader.PacketSavedSize)));
}
else
{
if (iPFrame.IPVersion == 4)
{
packetCounts.IPv4 += 1u;
}
else
{
if (iPFrame.IPVersion == 6)
{
packetCounts.IPv6 += 1u;
}
}
IPSubProtocols nextProtocol = iPFrame.NextProtocol;
if (nextProtocol != IPSubProtocols.TCP)
{
if (nextProtocol != IPSubProtocols.UDP)
{
if (nextProtocol == IPSubProtocols.ESP)
{
if (PacketCaptureImport.bVerboseDebug)
{
//FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[]
//{
// iPFrame.iFrameNumber
//});
}
}
}
else
{
UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array);
packetCounts.UDP += 1u;
if (WellKnownPorts.DNS == uDPMessage.DstPort)
{
DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array);
if (dNSQuery.QueryType == DNSQueryType.AddressQuery)
{
DNSTransaction dNSTransaction;
if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction))
{
dNSTransaction = new DNSTransaction();
dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction);
}
dNSTransaction.uiTransactionID = dNSQuery.uiTransactionID;
dNSTransaction.sQueryForHostname = dNSQuery.sHostname;
dNSTransaction.bAAAAQuery = (dNSQuery.QueryType == DNSQueryType.AAAA);
dNSTransaction.dtQuerySent = pCAPNGEnhancedPacketHeader.dtPacket;
}
}
else
{
if (WellKnownPorts.DNS == uDPMessage.SrcPort)
{
DNSResponse dNSResponse = DNSResponse.Parse(iPFrame, array);
DNSTransaction dNSTransaction2;
if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2))
{
dNSTransaction2.dtResponseReceived = pCAPNGEnhancedPacketHeader.dtPacket;
}
}
}
}
}
else
{
TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array);
if (tCPFrame == null)
{
continue;
}
packetCounts.TCP += 1u;
TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort);
string key = tCPEndpoints.ToString();
TCPStream tCPStream;
if (!dictionary2.TryGetValue(key, out tCPStream))
{
tCPStream = new TCPStream(tCPEndpoints);
dictionary2.Add(key, tCPStream);
}
tCPStream.AddFrame(tCPFrame);
}
int count = (int)((ulong)(pCAPNGBlockHeader.uiBlockLength - 28u) - (ulong)((long)pCAPNGEnhancedPacketHeader.PacketSavedSize));
rdr.ReadBytes(count);
}
}
}
}
else
{
//FiddlerApplication.get_Log().LogString(pCAPNGBlockHeader.ToString());
rdr.ReadBytes((int)(pCAPNGBlockHeader.uiBlockLength - 8u));
}
}
return(this.GetSessionsFromPackets(ref packetCounts, dictionary2));
}