internal FileSegmentAssembler(string fileOutputDirectory, NetworkTcpSession networkTcpSession, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, string serverHostname)
: this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname)
{
//this.fileOutputDirectory = fileOutputDirectory;
//this.networkTcpSession = networkTcpSession;
this.fiveTuple = networkTcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
/*
* if (this.fileTransferIsServerToClient) {
* this.sourceHost = networkTcpSession.ServerHost;
* this.destinationHost = networkTcpSession.ClientHost;
* this.sourcePort = networkTcpSession.ServerTcpPort;
* this.destinationPort = networkTcpSession.ClientTcpPort;
* }
* else {
* this.sourceHost = networkTcpSession.ClientHost;
* this.destinationHost = networkTcpSession.ServerHost;
* this.sourcePort = networkTcpSession.ClientTcpPort;
* this.destinationPort = networkTcpSession.ServerTcpPort;
* }*/
/*
* this.filePath = filePath;
* this.uniqueFileId = uniqueFileId;
* this.parentAssemblerList = parentAssemblerList;
* this.fileStreamAssemblerList = fileStreamAssemblerList;
* this.fileStreamType = fileStreamType;
* this.details = details;
*/
}
private void ExtractFileData(FileTransfer.FileStreamAssembler assembler, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, NetworkHost sourceHost, ushort sourcePort, NetworkHost destinationHost, ushort destinationPort, Packets.TftpPacket tftpPacket)
{
if (tftpPacket.OpCode == Packets.TftpPacket.OpCodes.Data)
{
if (!assembler.IsActive)
{
//create a new active assembler if ports need to be changed!
if (assembler.SourcePort != sourcePort || assembler.DestinationPort != destinationPort)
{
fileStreamAssemblerList.Remove(assembler, true);
//now change the port number in the AssemblerPool
FiveTuple tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, destinationPort, FiveTuple.TransportProtocol.UDP);
assembler = new FileTransfer.FileStreamAssembler(fileStreamAssemblerList, tmpFiveTuple, true, FileTransfer.FileStreamTypes.TFTP, assembler.Filename, assembler.FileLocation, assembler.Details, tftpPacket.ParentFrame.FrameNumber, tftpPacket.ParentFrame.Timestamp);
fileStreamAssemblerList.Add(assembler);
}
//activate the assembler
assembler.TryActivate();
}
if (assembler.SourceHost == sourceHost && assembler.SourcePort == sourcePort && assembler.DestinationHost == destinationHost && assembler.DestinationPort == destinationPort)
{
assembler.AddData(tftpPacket.DataBlock, tftpPacket.DataBlockNumber);
if (tftpPacket.DataBlockIsLast)
{
assembler.FinishAssembling();//we now have the complete file
}
}
}
}
private bool TryGetFileStreamAssembler(out FileTransfer.FileStreamAssembler assembler, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, NetworkHost sourceHost, ushort sourcePort, NetworkHost destinationHost, ushort destinationPort)
{
FiveTuple tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, destinationPort, FiveTuple.TransportProtocol.UDP);
if (fileStreamAssemblerList.ContainsAssembler(tmpFiveTuple, true))
{
//already activated read or write request data
assembler = fileStreamAssemblerList.GetAssembler(tmpFiveTuple, true);
return(true);
}
tmpFiveTuple = new FiveTuple(sourceHost, Packets.TftpPacket.DefaultUdpPortNumber, destinationHost, destinationPort, FiveTuple.TransportProtocol.UDP);
if (fileStreamAssemblerList.ContainsAssembler(tmpFiveTuple, true))
{
//first read request data
assembler = fileStreamAssemblerList.GetAssembler(tmpFiveTuple, true);
return(true);
}
tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, Packets.TftpPacket.DefaultUdpPortNumber, FiveTuple.TransportProtocol.UDP);
if (fileStreamAssemblerList.ContainsAssembler(tmpFiveTuple, true))
{
//check for write request data
assembler = fileStreamAssemblerList.GetAssembler(tmpFiveTuple, true);
return(true);
}
else
{
assembler = null;
return(false);//no assembler found...
}
}
internal FileSegmentAssembler(string fileOutputDirectory, NetworkTcpSession networkTcpSession, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, string serverHostname)
: this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname)
{
//this.fileOutputDirectory = fileOutputDirectory;
//this.networkTcpSession = networkTcpSession;
this.fiveTuple = networkTcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
}
internal FileSegmentAssembler(string fileOutputDirectory, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, FiveTuple fiveTuple, string serverHostname)
: this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname)
{
this.fiveTuple = fiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
/*
* this.sourceHost = sourceHost;
* this.destinationHost = destinationHost;
* this.sourcePort = sourcePort;
* this.destinationPort = destinationPort;
*/
}
private bool TryCreateNewAssembler(out FileTransfer.FileStreamAssembler assembler, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, Packets.TftpPacket tftpPacket, NetworkHost sourceHost, ushort sourcePort, NetworkHost destinationHost) //destinationPort is not needed
{
assembler = null;
//create new assembler if it is a RRQ or WRQ
if (tftpPacket.OpCode == Packets.TftpPacket.OpCodes.ReadRequest)
{
try {
FiveTuple tmpFiveTuple = new FiveTuple(destinationHost, Packets.TftpPacket.DefaultUdpPortNumber, sourceHost, sourcePort, FiveTuple.TransportProtocol.UDP);
assembler = new FileTransfer.FileStreamAssembler(fileStreamAssemblerList, tmpFiveTuple, true, FileTransfer.FileStreamTypes.TFTP, tftpPacket.Filename, "", tftpPacket.OpCode.ToString() + " " + tftpPacket.Mode.ToString() + " " + tftpPacket.Filename, tftpPacket.ParentFrame.FrameNumber, tftpPacket.ParentFrame.Timestamp);
fileStreamAssemblerList.Add(assembler);
}
catch (Exception e) {
SharedUtils.Logger.Log("Error creating assembler for TFTP file transfer in " + tftpPacket.ParentFrame.ToString() + ". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
//throw new Exception("Error creating assembler for TFTP file transfer", e);
//this.parentForm.ShowError("Error creating assembler for TFTP file transfer: "+e.Message);
if (assembler != null)
{
assembler.Clear();
assembler = null;
}
return(false);
}
return(true);
}
else if (tftpPacket.OpCode == Packets.TftpPacket.OpCodes.WriteRequest)
{
try {
FiveTuple tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, Packets.TftpPacket.DefaultUdpPortNumber, FiveTuple.TransportProtocol.UDP);
assembler = new FileTransfer.FileStreamAssembler(fileStreamAssemblerList, tmpFiveTuple, true, FileTransfer.FileStreamTypes.TFTP, tftpPacket.Filename, "", tftpPacket.OpCode.ToString() + " " + tftpPacket.Mode.ToString() + " " + tftpPacket.Filename, tftpPacket.ParentFrame.FrameNumber, tftpPacket.ParentFrame.Timestamp);
fileStreamAssemblerList.Add(assembler);
}
catch (Exception e) {
SharedUtils.Logger.Log("Error creating assembler for TFTP file transfer in " + tftpPacket.ParentFrame.ToString() + ". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
//throw new Exception("Error creating assembler for TFTP file transfer", e);
//this.parentForm.ShowError("Error creating assembler for TFTP file transfer: "+e.Message);
if (assembler != null)
{
assembler.Clear();
assembler = null;
}
return(false);
}
return(true);
}
else
{
assembler = null;
return(false);
}
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
Packets.UdpPacket udpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.UdpPacket))
{
udpPacket = (Packets.UdpPacket)p;
}
else if (udpPacket != null && p.GetType() == typeof(Packets.RtpPacket))
{
Packets.RtpPacket rtpPacket = (Packets.RtpPacket)p;
if (Enum.IsDefined(typeof(RtpPayloadType), rtpPacket.PayloadType))
{
RtpPayloadType payloadType = (RtpPayloadType)rtpPacket.PayloadType;
FiveTuple fiveTuple = new FiveTuple(sourceHost, udpPacket.SourcePort, destinationHost, udpPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
AudioStream audioStream;
Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType> key = new Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType>(sourceHost.IPAddress, udpPacket.SourcePort, destinationHost.IPAddress, udpPacket.DestinationPort, payloadType);
if (this.audioStreams.ContainsKey(key))
{
audioStream = this.audioStreams[key];
}
else
{
//FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, fiveTuple, true, FileTransfer.FileStreamTypes.RTP, "AudioStream-" + fiveTuple.GetHashCode() + ".wav", "/", "RTP " + fiveTuple.ToString(), rtpPacket.ParentFrame.FrameNumber, rtpPacket.ParentFrame.Timestamp);
//-1 is set instead of null if Content-Length is not defined
//assembler.FileContentLength = -1;
//assembler.FileSegmentRemainingBytes = -1;
//this.MainPacketHandler.FileStreamAssemblerList.Add(assembler);
//audioStream = new AudioStream(sourceHost, destinationHost, wavAudioFormat.Value, MainPacketHandler.FileStreamAssemblerList, fiveTuple, rtpPacket.ParentFrame.FrameNumber);
audioStream = new AudioStream(sourceHost, destinationHost, payloadType, MainPacketHandler.FileStreamAssemblerList, fiveTuple, rtpPacket.ParentFrame.FrameNumber);
this.audioStreams.Add(key, audioStream);
base.MainPacketHandler.OnAudioDetected(audioStream);
}
audioStream.AddSamples(rtpPacket.ParentFrame.Data.Skip(rtpPacket.PacketStartIndex + Packets.RtpPacket.HEADER_LENGTH).ToArray(), rtpPacket.SampleTick, rtpPacket.ParentFrame.Timestamp, rtpPacket.SyncSourceID);
}
}
}
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
Packets.UdpPacket udpPacket = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p.GetType() == typeof(Packets.UdpPacket))
{
udpPacket = (Packets.UdpPacket)p;
}
else if (udpPacket != null && p is Packets.RtpPacket rtpPacket)
{
//Packets.RtpPacket rtpPacket =(Packets.RtpPacket)p;
if (Enum.IsDefined(typeof(RtpPayloadType), rtpPacket.PayloadType))
{
RtpPayloadType payloadType = (RtpPayloadType)rtpPacket.PayloadType;
FiveTuple fiveTuple = new FiveTuple(sourceHost, udpPacket.SourcePort, destinationHost, udpPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
AudioStream audioStream;
Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType> key = new Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType>(sourceHost.IPAddress, udpPacket.SourcePort, destinationHost.IPAddress, udpPacket.DestinationPort, payloadType);
if (this.audioStreams.ContainsKey(key))
{
audioStream = this.audioStreams[key];
}
else
{
audioStream = new AudioStream(sourceHost, destinationHost, payloadType, MainPacketHandler.FileStreamAssemblerList, fiveTuple, rtpPacket.ParentFrame.FrameNumber);
this.audioStreams.Add(key, audioStream);
base.MainPacketHandler.OnAudioDetected(audioStream);
}
audioStream.AddSamples(rtpPacket.ParentFrame.Data.Skip(rtpPacket.PacketStartIndex + Packets.RtpPacket.HEADER_LENGTH).ToArray(), rtpPacket.SampleTick, rtpPacket.ParentFrame.Timestamp, rtpPacket.SyncSourceID);
}
}
}
}
public Email(System.IO.MemoryStream emailMimeStream, PacketHandler mainPacketHandler, Packets.TcpPacket tcpPacket, bool transferIsClientToServer, NetworkTcpSession tcpSession, ApplicationLayerProtocol protocol, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssmeblyRootLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination)
{
SharedUtils.Logger.Log("Extracting Email from MIME data in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(emailMimeStream);
this.MainPacketHandler = mainPacketHandler;
this.protocol = protocol;
if (this.protocol == ApplicationLayerProtocol.Smtp)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.SMTP;
}
else if (this.protocol == ApplicationLayerProtocol.Pop3)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.POP3;
}
else if (this.protocol == ApplicationLayerProtocol.Imap)
{
this.fileTransferProtocol = FileTransfer.FileStreamTypes.IMAP;
}
//this.reassembleFileAtSourceHost = reassembleFileAtSourceHost;
this.fileAssmeblyRootLocation = fileAssmeblyRootLocation;
this.fiveTuple = tcpSession.Flow.FiveTuple;
this.transferIsClientToServer = transferIsClientToServer;
this.attachments = new List <FileTransfer.ReconstructedFile>();
this.from = null;
this.to = null;
this.subject = null;
this.messageId = null;
this.date = null;//Date: Fri, 1 Aug 2003 14:17:51 -0700
Encoding customEncoding = null;
this.RootAttributes = null;
bool messageSentToPacketHandler = false;
//The open source .NET implementation Mono can crash if the strings contain Unicode chracters
//see KeePass bug: https://sourceforge.net/p/keepass/feature-requests/2254/
foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur, Utils.SystemHelper.IsRunningOnMono(), null)) //I might need to add "ref customEncoding" as a parameter here
{
SharedUtils.Logger.Log("Extracting MIME part with attributes \"" + String.Join(",", multipart.Attributes.AllKeys) + "\" in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information);
if (this.RootAttributes == null)
{
from = multipart.Attributes["From"];
to = multipart.Attributes["To"];
subject = multipart.Attributes["Subject"];
messageId = multipart.Attributes["Message-ID"];
date = multipart.Attributes["Date"];
this.RootAttributes = multipart.Attributes;
}
if (multipart.Attributes["charset"] != null)
{
try {
customEncoding = Encoding.GetEncoding(multipart.Attributes["charset"]);
}
catch (Exception e) {
SharedUtils.Logger.Log("Exception getting encoding for charset \"" + multipart.Attributes["charset"] + "\". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Warning);
}
}
this.parseMultipart(multipart, this.RootAttributes, tcpPacket, ref messageSentToPacketHandler, customEncoding, emailMimeStream.Length, from, to, subject, messageId);
}
if (!messageSentToPacketHandler && from != null && to != null)
{
//send message to PacketHandler with force
if (this.transferIsClientToServer)
{
this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, this.fiveTuple.ClientHost, this.fiveTuple.ServerHost, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length));
}
else
{
this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, this.fiveTuple.ServerHost, this.fiveTuple.ClientHost, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length));
}
messageSentToPacketHandler = true;
}
//create an .eml file with the whole DATA portion
string emlFilename = null;
if (subject != null && subject.Length > 3)
{
emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10);
}
if (emlFilename == null || emlFilename.Length == 0)
{
if (messageId != null && messageId.Length > 3)
{
emlFilename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10);
}
else
{
emlFilename = "message_" + tcpSession.GetHashCode().ToString("X8");
}
}
emlFilename = emlFilename + ".eml";
if (this.RootAttributes != null)
{
string extendedFileId = GetMessageId(this.RootAttributes);
using (FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, this.fiveTuple, this.transferIsClientToServer, this.fileTransferProtocol, emlFilename, "/", emailMimeStream.Length, emailMimeStream.Length, this.protocol.ToString() + " transcript From: " + from + " To: " + to + " Subject: " + subject, extendedFileId, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, this.fileAssmeblyRootLocation)) {
if (assembler.TryActivate())
{
assembler.FileReconstructed += this.MainPacketHandler.OnMessageAttachmentDetected;
assembler.FileReconstructed += this.Assembler_FileReconstructed;
SharedUtils.Logger.Log("Adding emailMimeStream bytes: " + emailMimeStream.Length, SharedUtils.Logger.EventLogEntryType.Information);
assembler.AddData(emailMimeStream.ToArray(), tcpPacket.SequenceNumber);
}
else
{
SharedUtils.Logger.Log("Unable to activate email assembler", SharedUtils.Logger.EventLogEntryType.Warning);
assembler.Clear();
assembler.FinishAssembling();
}
}
}
}
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
//Packets.UdpPacket udpPacket = null;
int parsedBytes = 0;
Packets.ITransportLayerPacket transportLayerPacket = null;
FiveTuple ft = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p is Packets.ITransportLayerPacket)
{
transportLayerPacket = (Packets.ITransportLayerPacket)p;
if (transportLayerPacket is Packets.UdpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
}
else if (transportLayerPacket is Packets.TcpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
}
}
if (p.GetType() == typeof(Packets.SipPacket))
{
Packets.SipPacket sipPacket = (Packets.SipPacket)p;
if (sipPacket.MessageLine.StartsWith(INVITE))
{
string to = null;
string from = null;
if (sipPacket.To != null && sipPacket.To.Length > 0)
{
to = sipPacket.To;
if (to.Contains(";"))
{
to = to.Substring(0, to.IndexOf(';'));
}
destinationHost.AddNumberedExtraDetail("SIP User", to);
//destinationHost.ExtraDetailsList["SIP User"]=to;
}
if (sipPacket.From != null && sipPacket.From.Length > 0)
{
from = sipPacket.From;
if (from.Contains(";"))
{
from = from.Substring(0, from.IndexOf(';'));
}
//destinationHost.AddNumberedExtraDetail("SIP User", from);
sourceHost.AddNumberedExtraDetail("SIP User", from);
//sourceHost.ExtraDetailsList["SIP User"]=from;
}
if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID))
{
System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection {
{ "From", sipPacket.From },
{ "To", sipPacket.To },
{ "Call-ID", sipPacket.CallID }
};
this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString()));
}
}
if (!String.IsNullOrEmpty(sipPacket.UserAgent))
{
sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent);
}
if (sipPacket.SDP != null)
{
if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null)
{
lock (callEndPoints) {
Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft);
if (this.callEndPoints.ContainsKey(sipPacket.CallID))
{
Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null;
foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID])
{
if (previousEndPoint.Item3.EqualsIgnoreDirection(ft))
{
//Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ;
if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2)))
{
//this.callEndPoints.Remove(sipPacket.CallID);
matchedTuple = previousEndPoint;
if (sipPacket.From != null && sipPacket.To != null)
{
this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To);
if (ft != null)
{
}
}
break;
}
}
}
if (matchedTuple == null)
{
this.callEndPoints[sipPacket.CallID].Add(endPoint);
}
if (matchedTuple != null)
{
this.callEndPoints[sipPacket.CallID].Remove(matchedTuple);
}
}
else
{
this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >()
{
endPoint
});
}
}
}
}
parsedBytes += sipPacket.PacketLength;
}
}
return(parsedBytes);
}
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
//Packets.UdpPacket udpPacket = null;
int parsedBytes = 0;
//Packets.ITransportLayerPacket transportLayerPacket = null;
FiveTuple ft = null;
foreach (Packets.AbstractPacket p in packetList)
{
if (p is Packets.ITransportLayerPacket transportLayerPacket)
{
//transportLayerPacket = (Packets.ITransportLayerPacket)p;
if (transportLayerPacket is Packets.UdpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
}
else if (transportLayerPacket is Packets.TcpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
}
}
if (p is Packets.SipPacket sipPacket)
{
//Packets.SipPacket sipPacket=(Packets.SipPacket)p;
System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection();
if (sipPacket.RequestMethod != null)
{
nvc.Add(sipPacket.RequestMethod.ToString(), sipPacket.MessageLine.Substring(sipPacket.RequestMethod.ToString().Length).Trim());
if (sipPacket.From != null && sipPacket.From.Length > 0)
{
sourceHost.AddNumberedExtraDetail("SIP User", this.ExtractSipAddressFromHeader(sipPacket.From));
}
if (sipPacket.Contact?.Length > 0)
{
sourceHost.AddNumberedExtraDetail("SIP User", this.ExtractSipAddressFromHeader(sipPacket.Contact));
}
//if (sipPacket.MessageLine.StartsWith(INVITE)) {
if (sipPacket.RequestMethod == SipPacket.RequestMethods.INVITE)
{
string to = null;
string from = null;
if (sipPacket.To != null && sipPacket.To.Length > 0)
{
destinationHost.AddNumberedExtraDetail("SIP User", this.ExtractSipAddressFromHeader(sipPacket.To));
}
if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID))
{
nvc.Add("From", sipPacket.From);
nvc.Add("To", sipPacket.To);
nvc.Add("Call-ID", sipPacket.CallID);
}
}
else if (sipPacket.RequestMethod == SipPacket.RequestMethods.MESSAGE)
{
if (sipPacket.ContentLength > 0 && sipPacket.ContentType.StartsWith("text/plain", StringComparison.OrdinalIgnoreCase))
{
string message = Encoding.UTF8.GetString(sipPacket.ParentFrame.Data, sipPacket.MessageBodyStartIndex, sipPacket.ContentLength);
//sipPacket.ParentFrame.Data. sipPacket.MessageBodyStartIndex
string to = this.ExtractSipAddressFromHeader(sipPacket.To);
string from = this.ExtractSipAddressFromHeader(sipPacket.From);
string callId = sipPacket.CallID;
if (message?.Length > 0)
{
if (callId == null || callId.Length == 0)
{
callId = message;
}
this.MainPacketHandler.OnMessageDetected(new Events.MessageEventArgs(ApplicationLayerProtocol.Sip, sourceHost, destinationHost, sipPacket.ParentFrame.FrameNumber, sipPacket.ParentFrame.Timestamp, from, to, callId, message, sipPacket.HeaderFields, sipPacket.PacketLength));
}
}
}
}
nvc.Add(sipPacket.HeaderFields);
//Extract SIP headers like "X-msisdn" and "X-user-id" as explained by Sandro Gauci here: https://www.rtcsec.com/2020/09/01-smuggling-sip-headers-ftw/
foreach (string interestingSipHeader in sipPacket.HeaderFields.AllKeys.Where(k => k.Trim().StartsWith("X-", StringComparison.InvariantCultureIgnoreCase)))
{
sourceHost.AddNumberedExtraDetail("SIP header: " + interestingSipHeader, sipPacket.HeaderFields[interestingSipHeader]);
}
if (ft != null && nvc?.Count > 0)
{
this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString()));
}
if (!String.IsNullOrEmpty(sipPacket.UserAgent))
{
sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent);
}
if (sipPacket.SDP != null)
{
if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null)
{
lock (callEndPoints) {
Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft);
if (this.callEndPoints.ContainsKey(sipPacket.CallID))
{
Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null;
foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID])
{
if (previousEndPoint.Item3.EqualsIgnoreDirection(ft))
{
//Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ;
if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2)))
{
//this.callEndPoints.Remove(sipPacket.CallID);
matchedTuple = previousEndPoint;
if (sipPacket.From != null && sipPacket.To != null)
{
this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, this.ExtractSipAddressFromHeader(sipPacket.From), this.ExtractSipAddressFromHeader(sipPacket.To));
}
break;
}
}
}
if (matchedTuple == null)
{
this.callEndPoints[sipPacket.CallID].Add(endPoint);
}
if (matchedTuple != null)
{
this.callEndPoints[sipPacket.CallID].Remove(matchedTuple);
}
}
else
{
this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >()
{
endPoint
});
}
}
}
}
parsedBytes += sipPacket.PacketLength;
}
}
return(parsedBytes);
}
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList)
{
//Packets.UdpPacket udpPacket = null;
Packets.ITransportLayerPacket transportLayerPacket = null;
FiveTuple ft = null;
foreach (Packets.AbstractPacket p in packetList)
{
/*
* Packets.IIPPacket ipPacket;
* if (p is Packets.IIPPacket) {
* ipPacket = p as Packets.IIPPacket;
* }
*/
if (p is Packets.ITransportLayerPacket)
{
transportLayerPacket = (Packets.ITransportLayerPacket)p;
if (transportLayerPacket is Packets.UdpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP);
}
else if (transportLayerPacket is Packets.TcpPacket)
{
ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
}
}
if (p.GetType() == typeof(Packets.SipPacket))
{
Packets.SipPacket sipPacket = (Packets.SipPacket)p;
if (sipPacket.MessageLine.StartsWith(INVITE))
{
string to = null;
string from = null;
if (sipPacket.To != null && sipPacket.To.Length > 0)
{
to = sipPacket.To;
if (to.Contains(";"))
{
to = to.Substring(0, to.IndexOf(';'));
}
destinationHost.AddNumberedExtraDetail("SIP User", to);
//destinationHost.ExtraDetailsList["SIP User"]=to;
}
if (sipPacket.From != null && sipPacket.From.Length > 0)
{
from = sipPacket.From;
if (from.Contains(";"))
{
from = from.Substring(0, from.IndexOf(';'));
}
//destinationHost.AddNumberedExtraDetail("SIP User", from);
sourceHost.AddNumberedExtraDetail("SIP User", from);
//sourceHost.ExtraDetailsList["SIP User"]=from;
}
if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID))
{
System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection {
{ "From", sipPacket.From },
{ "To", sipPacket.To },
{ "Call-ID", sipPacket.CallID }
};
this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString()));
}
}
if (!String.IsNullOrEmpty(sipPacket.UserAgent))
{
sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent);
}
if (sipPacket.SDP != null)
{
if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null)
{
lock (callEndPoints) {
Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft);
if (this.callEndPoints.ContainsKey(sipPacket.CallID))
{
Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null;
foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID])
{
if (previousEndPoint.Item3.EqualsIgnoreDirection(ft))
{
//Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ;
if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2)))
{
//this.callEndPoints.Remove(sipPacket.CallID);
matchedTuple = previousEndPoint;
if (sipPacket.From != null && sipPacket.To != null)
{
this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To);
if (ft != null)
{
}
}
break;
}
}
}
if (matchedTuple == null)
{
this.callEndPoints[sipPacket.CallID].Add(endPoint);
}
if (matchedTuple != null)
{
this.callEndPoints[sipPacket.CallID].Remove(matchedTuple);
}
}
else
{
this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >()
{
endPoint
});
}
}
/*
* //check if we have a reverse tuple
* Tuple<System.Net.IPAddress, System.Net.IPAddress> reverseIpPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(destinationHost.IPAddress, sourceHost.IPAddress);
*
* TODO: Använd CALL ID istället som unik nyckel!
*
* lock (this.endPointCandidates) {
* if (this.endPointCandidates.ContainsKey(reverseIpPair)) {
* ushort reversePort = this.endPointCandidates[reverseIpPair];
* this.endPointCandidates.Remove(reverseIpPair);
*
* if (this.udpPayloadProtocolFinder != null && !String.IsNullOrEmpty(sipPacket.SDP.Protocol) && sipPacket.SDP.Protocol.StartsWith("RTP", StringComparison.InvariantCultureIgnoreCase))
* this.udpPayloadProtocolFinder.SetPayload(sourceHost.IPAddress, sipPacket.SDP.Port.Value, destinationHost.IPAddress, reversePort, ApplicationLayerProtocol.Rtp);//this might come in too late because the UDP packet has probably already been parsed by now.
* if(sipPacket.From != null && sipPacket.To != null) {
* FiveTuple fiveTuple = new FiveTuple(sourceHost, sipPacket.SDP.Port.Value, destinationHost, reversePort, FiveTuple.TransportProtocol.UDP);
* this.MainPacketHandler.OnVoipCallDetected(fiveTuple, sipPacket.From, sipPacket.To);
* System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection();
* nvc.Add("From", sipPacket.From);
* nvc.Add("To", sipPacket.To);
* this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, fiveTuple, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP setup of call " + fiveTuple.ToString()));
* }
*
* }
* else {
* Tuple<System.Net.IPAddress, System.Net.IPAddress> ipPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(sourceHost.IPAddress, destinationHost.IPAddress);
* if (this.endPointCandidates.ContainsKey(ipPair))
* this.endPointCandidates[ipPair] = sipPacket.SDP.Port.Value;
* else
* this.endPointCandidates.Add(ipPair, sipPacket.SDP.Port.Value);
* }
* }
*/
}
//rtpPacketHandler.NewRtpEndPoints.Enqueue(new Tuple<System.Net.IPAddress, System.Net.IPAddress, ushort>(destinationHost.IPAddress, sourceHost.IPAddress, sipPacket.SDP.Port.Value));
}
}
}
}
public WavFileAssembler(string wavFilename, FileStreamAssemblerList fileStreamAssemblerList, FiveTuple fiveTuple, FileStreamTypes fileStreamType, long initialFrameNumber, DateTime startTime, uint sampleRate = 8000) :
base(fileStreamAssemblerList, fiveTuple, true, fileStreamType, wavFilename, "/", fileStreamType.ToString() + " " + fiveTuple.ToString(), initialFrameNumber, startTime)
{
if (fileStreamType == FileStreamTypes.RTP)
{
this.FileContentLength = -1;
this.FileSegmentRemainingBytes = -1;
//this.fileStreamAssemblerList.Add(assembler);
}
this.sampleRate = sampleRate;
}
