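/// <summary>
/// Returns the SSRP record whose address fields match the arguments, or creates, registers and returns a new one.
/// </summary>
/// <param name="IP">Value compared with <c>sqlIP</c> (the callers visible here pass a conversation's destination IPv4 address).</param>
/// <param name="IPHi">Value compared with <c>sqlIPHi</c>.</param>
/// <param name="IPLo">Value compared with <c>sqlIPLo</c>.</param>
/// <param name="isIPV6">Address-family flag; it is part of the match key.</param>
/// <returns>The matching entry from <c>SSRPRequests</c>, or the entry that was just added to it.</returns>
public SSRPData GetSSRPRequest(uint IP, ulong IPHi, ulong IPLo, bool isIPV6)
{
    // Search for an existing entry - a linear scan is fine because this is not called
    // often and the list holds a small number of entries.
    foreach (SSRPData s in SSRPRequests)
    {
        if (s.isIPV6 == isIPV6 && s.sqlIP == IP && s.sqlIPHi == IPHi && s.sqlIPLo == IPLo)
        {
            return s;
        }
    }

    // Not found - create a new SSRPData carrying the complete lookup key and return it.
    SSRPData s2 = new SSRPData();

    // isIPV6 is one of the four fields compared above. Without this assignment a record
    // created for an IPv6 lookup keeps whatever SSRPData defaults the flag to, so (unless
    // that default is true) the same IPv6 lookup never finds it again and a duplicate is
    // added on every call. Code that later reads SSRPRequest.isIPV6 would also see the
    // wrong address family.
    s2.isIPV6 = isIPV6;
    s2.sqlIP = IP;
    s2.sqlIPHi = IPHi;
    s2.sqlIPLo = IPLo;
    SSRPRequests.Add(s2);
    return s2;
}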
/// <summary>
/// Scans every conversation in the trace for SQL Server Resolution Protocol traffic
/// (UDP, port 1434) and records what it finds in the per-server <c>SSRPData</c> entries.
/// </summary>
/// <param name="trace">Trace whose <c>conversations</c> are inspected; SSRP records are obtained through <c>trace.GetSSRPRequest</c>.</param>
/// <remarks>
/// The payload bytes come straight from captured network traffic and are not validated
/// before use. Any exception raised while handling a frame is caught, written to the
/// diagnostic log, and processing continues with the next frame.
/// </remarks>
public static void ProcessUDP(NetworkTrace trace)
{
    foreach (ConversationData conv in trace.conversations)
    {
        if (!conv.isUDP)
        {
            continue;
        }

        // A UDP conversation recorded with 1434 as its source port is handed to
        // reverseSourceDest first (presumably swapping the endpoints so that the
        // port-1434 side becomes the destination - confirm against TDSParser).
        if (conv.sourcePort == 1434)
        {
            TDSParser.reverseSourceDest(conv);
        }

        // Parse only UDP conversations whose destination port is 1434.
        if (conv.destPort != 1434)
        {
            continue;
        }

        SSRPData request = trace.GetSSRPRequest(conv.destIP, conv.destIPHi, conv.destIPLo, conv.isIPV6);

        bool alreadyLinked = request.hasConversation(conv);
        if (!alreadyLinked)
        {
            request.conversations.Add(conv);
        }

        foreach (FrameData frame in conv.frames)
        {
            try
            {
                // NOTE(review): payload[0] is read without checking that the payload is
                // non-null and non-empty; a zero-length datagram ends up in the catch below.
                switch ((byte)(frame.payload[0]))
                {
                    case 3: // CLNT_UCAST_EX
                    {
                        request.hasResponse = false;
                        break;
                    }

                    case 4: // Request for a specific instance (CLNT_UCAST_INST)
                    {
                        request.hasResponse = false;

                        // A conversation holding only this one frame is flagged as unanswered.
                        if (conv.frames.Count == 1)
                        {
                            request.hasNoResponse = true;
                        }

                        // NOTE(review): MS-SQLR (MC-SQLR) describes CLNT_UCAST_INST as the type
                        // byte followed directly by a null-terminated instance name, with no
                        // length prefix - confirm that a 16-bit length at offset 1 is intended.
                        ushort nameLength = utility.ReadUInt16(frame.payload, 1);
                        request.instanceRequested = utility.ReadAnsiString(frame.payload, 3, nameLength);

                        // Client IP/port are deliberately not recorded; only the server address is.
                        request.sqlIP = conv.destIP;
                        request.sqlIPHi = conv.destIPHi;
                        request.sqlIPLo = conv.destIPLo;
                        break;
                    }

                    case 5: // Response for a specific instance (SVR_RESP)
                    {
                        request.hasResponse = true;

                        // NOTE(review): the length is taken from the wire and passed on unchecked;
                        // confirm ReadAnsiString bounds-checks it against the payload size.
                        ushort responseLength = utility.ReadUInt16(frame.payload, 1);
                        String responseText = utility.ReadAnsiString(frame.payload, 3, responseLength);

                        // ParseSSRPResponse also fills in the matching SQLServer entry.
                        ParseSSRPResponse(responseText, request, trace);
                        break;
                    }
                }
            }
            catch (Exception ex)
            {
                Program.logDiagnostic("SSRP Parser: Problem parsing frame " + frame.frameNo + " in file " + frame.file.filePath + ".");
                Program.logDiagnostic(ex.Message);
            }
        }
    }
} // Process UDP
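/// <summary>
/// Parses the text of an SSRP server response, copies the advertised values onto
/// <paramref name="SSRPRequest"/> and, when a TCP port is advertised, fills blank fields of
/// the matching <c>SQLServer</c> entry in <paramref name="trace"/>.
/// </summary>
/// <param name="ssrpResponse">Response text as read from the captured datagram; treated as untrusted. Null or empty is ignored.</param>
/// <param name="SSRPRequest">Record that receives the parsed values. With several servers in one response, the last one parsed wins.</param>
/// <param name="trace">Trace used to look up the SQL Server entry via <c>GetSQLServer</c>.</param>
public static void ParseSSRPResponse(String ssrpResponse, SSRPData SSRPRequest, NetworkTrace trace)
{
    if (string.IsNullOrEmpty(ssrpResponse))
    {
        return;
    }

    // The client either (i) sends a single request to a specific machine and expects a single response, or
    // (ii) broadcasts or multicasts a request to the network and expects zero or more responses from different
    // discovery services on the network - Page# 30 in SSRP Specs.
    // A response can contain information for more than one server; each server's info is separated by ";;".
    //
    // Empty entries are dropped: a response that ends with ";;" would otherwise yield a trailing
    // empty entry, and parsing it would overwrite the values just stored on SSRPRequest.
    String[] Servers = ssrpResponse.Split(new string[] { ";;" }, StringSplitOptions.RemoveEmptyEntries);

    foreach (var Server in Servers)
    {
        String[] Tokens = Server.Split(';');

        SSRPRequest.sqlHostName = GetUDPToken(Tokens, "ServerName");
        SSRPRequest.instanceName = GetUDPToken(Tokens, "InstanceName");
        SSRPRequest.isClustered = GetUDPToken(Tokens, "IsClustered");
        SSRPRequest.serverVersion = GetUDPToken(Tokens, "Version");
        SSRPRequest.namedPipe = GetUDPToken(Tokens, "np");

        // The port text comes from the network. A non-numeric or out-of-range value is recorded
        // as 0 (same as "no port advertised") instead of throwing, so the remaining servers in
        // the response are still parsed. The raw value is not echoed into the log.
        string portString = GetUDPToken(Tokens, "tcp");
        ushort port = 0;
        if (portString.Length > 0 && !ushort.TryParse(portString, out port))
        {
            port = 0;
            Program.logDiagnostic("SSRP Parser: Ignoring invalid tcp port value in SSRP response.");
        }
        SSRPRequest.sqlPort = port;

        if (SSRPRequest.sqlPort != 0)
        {
            SQLServer s = trace.GetSQLServer(SSRPRequest.sqlIP, SSRPRequest.sqlIPHi, SSRPRequest.sqlIPLo, SSRPRequest.sqlPort, SSRPRequest.isIPV6);
            if (s != null)
            {
                // Only blank fields are filled, so values already recorded for the server
                // are never overwritten by response text.
                if (s.sqlHostName == "")
                {
                    s.sqlHostName = SSRPRequest.sqlHostName;
                }
                if (s.instanceName == "")
                {
                    s.instanceName = SSRPRequest.instanceName;
                }
                if (s.isClustered == "")
                {
                    s.isClustered = SSRPRequest.isClustered;
                }
                if (s.serverVersion == "")
                {
                    s.serverVersion = SSRPRequest.serverVersion;
                }
                if (s.namedPipe == "")
                {
                    s.namedPipe = SSRPRequest.namedPipe;
                }
            }
        }
    }
}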