internal FileSegmentAssembler(string fileOutputDirectory, NetworkTcpSession networkTcpSession, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, string serverHostname) : this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname) { //this.fileOutputDirectory = fileOutputDirectory; //this.networkTcpSession = networkTcpSession; this.fiveTuple = networkTcpSession.Flow.FiveTuple; this.transferIsClientToServer = transferIsClientToServer; /* * if (this.fileTransferIsServerToClient) { * this.sourceHost = networkTcpSession.ServerHost; * this.destinationHost = networkTcpSession.ClientHost; * this.sourcePort = networkTcpSession.ServerTcpPort; * this.destinationPort = networkTcpSession.ClientTcpPort; * } * else { * this.sourceHost = networkTcpSession.ClientHost; * this.destinationHost = networkTcpSession.ServerHost; * this.sourcePort = networkTcpSession.ClientTcpPort; * this.destinationPort = networkTcpSession.ServerTcpPort; * }*/ /* * this.filePath = filePath; * this.uniqueFileId = uniqueFileId; * this.parentAssemblerList = parentAssemblerList; * this.fileStreamAssemblerList = fileStreamAssemblerList; * this.fileStreamType = fileStreamType; * this.details = details; */ }
private void ExtractFileData(FileTransfer.FileStreamAssembler assembler, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, NetworkHost sourceHost, ushort sourcePort, NetworkHost destinationHost, ushort destinationPort, Packets.TftpPacket tftpPacket) { if (tftpPacket.OpCode == Packets.TftpPacket.OpCodes.Data) { if (!assembler.IsActive) { //create a new active assembler if ports need to be changed! if (assembler.SourcePort != sourcePort || assembler.DestinationPort != destinationPort) { fileStreamAssemblerList.Remove(assembler, true); //now change the port number in the AssemblerPool FiveTuple tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, destinationPort, FiveTuple.TransportProtocol.UDP); assembler = new FileTransfer.FileStreamAssembler(fileStreamAssemblerList, tmpFiveTuple, true, FileTransfer.FileStreamTypes.TFTP, assembler.Filename, assembler.FileLocation, assembler.Details, tftpPacket.ParentFrame.FrameNumber, tftpPacket.ParentFrame.Timestamp); fileStreamAssemblerList.Add(assembler); } //activate the assembler assembler.TryActivate(); } if (assembler.SourceHost == sourceHost && assembler.SourcePort == sourcePort && assembler.DestinationHost == destinationHost && assembler.DestinationPort == destinationPort) { assembler.AddData(tftpPacket.DataBlock, tftpPacket.DataBlockNumber); if (tftpPacket.DataBlockIsLast) { assembler.FinishAssembling();//we now have the complete file } } } }
private bool TryGetFileStreamAssembler(out FileTransfer.FileStreamAssembler assembler, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, NetworkHost sourceHost, ushort sourcePort, NetworkHost destinationHost, ushort destinationPort) { FiveTuple tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, destinationPort, FiveTuple.TransportProtocol.UDP); if (fileStreamAssemblerList.ContainsAssembler(tmpFiveTuple, true)) { //already activated read or write request data assembler = fileStreamAssemblerList.GetAssembler(tmpFiveTuple, true); return(true); } tmpFiveTuple = new FiveTuple(sourceHost, Packets.TftpPacket.DefaultUdpPortNumber, destinationHost, destinationPort, FiveTuple.TransportProtocol.UDP); if (fileStreamAssemblerList.ContainsAssembler(tmpFiveTuple, true)) { //first read request data assembler = fileStreamAssemblerList.GetAssembler(tmpFiveTuple, true); return(true); } tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, Packets.TftpPacket.DefaultUdpPortNumber, FiveTuple.TransportProtocol.UDP); if (fileStreamAssemblerList.ContainsAssembler(tmpFiveTuple, true)) { //check for write request data assembler = fileStreamAssemblerList.GetAssembler(tmpFiveTuple, true); return(true); } else { assembler = null; return(false);//no assembler found... } }
internal FileSegmentAssembler(string fileOutputDirectory, NetworkTcpSession networkTcpSession, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, string serverHostname) : this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname) { //this.fileOutputDirectory = fileOutputDirectory; //this.networkTcpSession = networkTcpSession; this.fiveTuple = networkTcpSession.Flow.FiveTuple; this.transferIsClientToServer = transferIsClientToServer; }
internal FileSegmentAssembler(string fileOutputDirectory, bool transferIsClientToServer, string filePath, string uniqueFileId, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, PopularityList <string, PacketParser.FileTransfer.FileSegmentAssembler> parentAssemblerList, FileStreamTypes fileStreamType, string details, FiveTuple fiveTuple, string serverHostname) : this(fileOutputDirectory, filePath, uniqueFileId, fileStreamAssemblerList, parentAssemblerList, fileStreamType, details, serverHostname) { this.fiveTuple = fiveTuple; this.transferIsClientToServer = transferIsClientToServer; /* * this.sourceHost = sourceHost; * this.destinationHost = destinationHost; * this.sourcePort = sourcePort; * this.destinationPort = destinationPort; */ }
private bool TryCreateNewAssembler(out FileTransfer.FileStreamAssembler assembler, FileTransfer.FileStreamAssemblerList fileStreamAssemblerList, Packets.TftpPacket tftpPacket, NetworkHost sourceHost, ushort sourcePort, NetworkHost destinationHost) //destinationPort is not needed { assembler = null; //create new assembler if it is a RRQ or WRQ if (tftpPacket.OpCode == Packets.TftpPacket.OpCodes.ReadRequest) { try { FiveTuple tmpFiveTuple = new FiveTuple(destinationHost, Packets.TftpPacket.DefaultUdpPortNumber, sourceHost, sourcePort, FiveTuple.TransportProtocol.UDP); assembler = new FileTransfer.FileStreamAssembler(fileStreamAssemblerList, tmpFiveTuple, true, FileTransfer.FileStreamTypes.TFTP, tftpPacket.Filename, "", tftpPacket.OpCode.ToString() + " " + tftpPacket.Mode.ToString() + " " + tftpPacket.Filename, tftpPacket.ParentFrame.FrameNumber, tftpPacket.ParentFrame.Timestamp); fileStreamAssemblerList.Add(assembler); } catch (Exception e) { SharedUtils.Logger.Log("Error creating assembler for TFTP file transfer in " + tftpPacket.ParentFrame.ToString() + ". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Information); //throw new Exception("Error creating assembler for TFTP file transfer", e); //this.parentForm.ShowError("Error creating assembler for TFTP file transfer: "+e.Message); if (assembler != null) { assembler.Clear(); assembler = null; } return(false); } return(true); } else if (tftpPacket.OpCode == Packets.TftpPacket.OpCodes.WriteRequest) { try { FiveTuple tmpFiveTuple = new FiveTuple(sourceHost, sourcePort, destinationHost, Packets.TftpPacket.DefaultUdpPortNumber, FiveTuple.TransportProtocol.UDP); assembler = new FileTransfer.FileStreamAssembler(fileStreamAssemblerList, tmpFiveTuple, true, FileTransfer.FileStreamTypes.TFTP, tftpPacket.Filename, "", tftpPacket.OpCode.ToString() + " " + tftpPacket.Mode.ToString() + " " + tftpPacket.Filename, tftpPacket.ParentFrame.FrameNumber, tftpPacket.ParentFrame.Timestamp); fileStreamAssemblerList.Add(assembler); } catch (Exception e) { SharedUtils.Logger.Log("Error creating assembler for TFTP file transfer in " + tftpPacket.ParentFrame.ToString() + ". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Information); //throw new Exception("Error creating assembler for TFTP file transfer", e); //this.parentForm.ShowError("Error creating assembler for TFTP file transfer: "+e.Message); if (assembler != null) { assembler.Clear(); assembler = null; } return(false); } return(true); } else { assembler = null; return(false); } }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { Packets.UdpPacket udpPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.UdpPacket)) { udpPacket = (Packets.UdpPacket)p; } else if (udpPacket != null && p.GetType() == typeof(Packets.RtpPacket)) { Packets.RtpPacket rtpPacket = (Packets.RtpPacket)p; if (Enum.IsDefined(typeof(RtpPayloadType), rtpPacket.PayloadType)) { RtpPayloadType payloadType = (RtpPayloadType)rtpPacket.PayloadType; FiveTuple fiveTuple = new FiveTuple(sourceHost, udpPacket.SourcePort, destinationHost, udpPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); AudioStream audioStream; Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType> key = new Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType>(sourceHost.IPAddress, udpPacket.SourcePort, destinationHost.IPAddress, udpPacket.DestinationPort, payloadType); if (this.audioStreams.ContainsKey(key)) { audioStream = this.audioStreams[key]; } else { //FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, fiveTuple, true, FileTransfer.FileStreamTypes.RTP, "AudioStream-" + fiveTuple.GetHashCode() + ".wav", "/", "RTP " + fiveTuple.ToString(), rtpPacket.ParentFrame.FrameNumber, rtpPacket.ParentFrame.Timestamp); //-1 is set instead of null if Content-Length is not defined //assembler.FileContentLength = -1; //assembler.FileSegmentRemainingBytes = -1; //this.MainPacketHandler.FileStreamAssemblerList.Add(assembler); //audioStream = new AudioStream(sourceHost, destinationHost, wavAudioFormat.Value, MainPacketHandler.FileStreamAssemblerList, fiveTuple, rtpPacket.ParentFrame.FrameNumber); audioStream = new AudioStream(sourceHost, destinationHost, payloadType, MainPacketHandler.FileStreamAssemblerList, fiveTuple, rtpPacket.ParentFrame.FrameNumber); this.audioStreams.Add(key, audioStream); base.MainPacketHandler.OnAudioDetected(audioStream); } audioStream.AddSamples(rtpPacket.ParentFrame.Data.Skip(rtpPacket.PacketStartIndex + Packets.RtpPacket.HEADER_LENGTH).ToArray(), rtpPacket.SampleTick, rtpPacket.ParentFrame.Timestamp, rtpPacket.SyncSourceID); } } } }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { Packets.UdpPacket udpPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.UdpPacket)) { udpPacket = (Packets.UdpPacket)p; } else if (udpPacket != null && p is Packets.RtpPacket rtpPacket) { //Packets.RtpPacket rtpPacket =(Packets.RtpPacket)p; if (Enum.IsDefined(typeof(RtpPayloadType), rtpPacket.PayloadType)) { RtpPayloadType payloadType = (RtpPayloadType)rtpPacket.PayloadType; FiveTuple fiveTuple = new FiveTuple(sourceHost, udpPacket.SourcePort, destinationHost, udpPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); AudioStream audioStream; Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType> key = new Tuple <System.Net.IPAddress, ushort, System.Net.IPAddress, ushort, RtpPayloadType>(sourceHost.IPAddress, udpPacket.SourcePort, destinationHost.IPAddress, udpPacket.DestinationPort, payloadType); if (this.audioStreams.ContainsKey(key)) { audioStream = this.audioStreams[key]; } else { audioStream = new AudioStream(sourceHost, destinationHost, payloadType, MainPacketHandler.FileStreamAssemblerList, fiveTuple, rtpPacket.ParentFrame.FrameNumber); this.audioStreams.Add(key, audioStream); base.MainPacketHandler.OnAudioDetected(audioStream); } audioStream.AddSamples(rtpPacket.ParentFrame.Data.Skip(rtpPacket.PacketStartIndex + Packets.RtpPacket.HEADER_LENGTH).ToArray(), rtpPacket.SampleTick, rtpPacket.ParentFrame.Timestamp, rtpPacket.SyncSourceID); } } } }
public Email(System.IO.MemoryStream emailMimeStream, PacketHandler mainPacketHandler, Packets.TcpPacket tcpPacket, bool transferIsClientToServer, NetworkTcpSession tcpSession, ApplicationLayerProtocol protocol, FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation fileAssmeblyRootLocation = FileTransfer.FileStreamAssembler.FileAssmeblyRootLocation.destination) { SharedUtils.Logger.Log("Extracting Email from MIME data in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information); Mime.UnbufferedReader ur = new PacketParser.Mime.UnbufferedReader(emailMimeStream); this.MainPacketHandler = mainPacketHandler; this.protocol = protocol; if (this.protocol == ApplicationLayerProtocol.Smtp) { this.fileTransferProtocol = FileTransfer.FileStreamTypes.SMTP; } else if (this.protocol == ApplicationLayerProtocol.Pop3) { this.fileTransferProtocol = FileTransfer.FileStreamTypes.POP3; } else if (this.protocol == ApplicationLayerProtocol.Imap) { this.fileTransferProtocol = FileTransfer.FileStreamTypes.IMAP; } //this.reassembleFileAtSourceHost = reassembleFileAtSourceHost; this.fileAssmeblyRootLocation = fileAssmeblyRootLocation; this.fiveTuple = tcpSession.Flow.FiveTuple; this.transferIsClientToServer = transferIsClientToServer; this.attachments = new List <FileTransfer.ReconstructedFile>(); this.from = null; this.to = null; this.subject = null; this.messageId = null; this.date = null;//Date: Fri, 1 Aug 2003 14:17:51 -0700 Encoding customEncoding = null; this.RootAttributes = null; bool messageSentToPacketHandler = false; //The open source .NET implementation Mono can crash if the strings contain Unicode chracters //see KeePass bug: https://sourceforge.net/p/keepass/feature-requests/2254/ foreach (Mime.MultipartPart multipart in Mime.PartBuilder.GetParts(ur, Utils.SystemHelper.IsRunningOnMono(), null)) //I might need to add "ref customEncoding" as a parameter here { SharedUtils.Logger.Log("Extracting MIME part with attributes \"" + String.Join(",", multipart.Attributes.AllKeys) + "\" in " + tcpPacket.ParentFrame.ToString(), SharedUtils.Logger.EventLogEntryType.Information); if (this.RootAttributes == null) { from = multipart.Attributes["From"]; to = multipart.Attributes["To"]; subject = multipart.Attributes["Subject"]; messageId = multipart.Attributes["Message-ID"]; date = multipart.Attributes["Date"]; this.RootAttributes = multipart.Attributes; } if (multipart.Attributes["charset"] != null) { try { customEncoding = Encoding.GetEncoding(multipart.Attributes["charset"]); } catch (Exception e) { SharedUtils.Logger.Log("Exception getting encoding for charset \"" + multipart.Attributes["charset"] + "\". " + e.ToString(), SharedUtils.Logger.EventLogEntryType.Warning); } } this.parseMultipart(multipart, this.RootAttributes, tcpPacket, ref messageSentToPacketHandler, customEncoding, emailMimeStream.Length, from, to, subject, messageId); } if (!messageSentToPacketHandler && from != null && to != null) { //send message to PacketHandler with force if (this.transferIsClientToServer) { this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, this.fiveTuple.ClientHost, this.fiveTuple.ServerHost, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length)); } else { this.MainPacketHandler.OnMessageDetected(new PacketParser.Events.MessageEventArgs(this.protocol, this.fiveTuple.ServerHost, this.fiveTuple.ClientHost, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, from, to, subject, "", customEncoding, this.RootAttributes, emailMimeStream.Length)); } messageSentToPacketHandler = true; } //create an .eml file with the whole DATA portion string emlFilename = null; if (subject != null && subject.Length > 3) { emlFilename = Utils.StringManglerUtil.ConvertToFilename(subject, 10); } if (emlFilename == null || emlFilename.Length == 0) { if (messageId != null && messageId.Length > 3) { emlFilename = Utils.StringManglerUtil.ConvertToFilename(messageId, 10); } else { emlFilename = "message_" + tcpSession.GetHashCode().ToString("X8"); } } emlFilename = emlFilename + ".eml"; if (this.RootAttributes != null) { string extendedFileId = GetMessageId(this.RootAttributes); using (FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(MainPacketHandler.FileStreamAssemblerList, this.fiveTuple, this.transferIsClientToServer, this.fileTransferProtocol, emlFilename, "/", emailMimeStream.Length, emailMimeStream.Length, this.protocol.ToString() + " transcript From: " + from + " To: " + to + " Subject: " + subject, extendedFileId, tcpPacket.ParentFrame.FrameNumber, tcpPacket.ParentFrame.Timestamp, this.fileAssmeblyRootLocation)) { if (assembler.TryActivate()) { assembler.FileReconstructed += this.MainPacketHandler.OnMessageAttachmentDetected; assembler.FileReconstructed += this.Assembler_FileReconstructed; SharedUtils.Logger.Log("Adding emailMimeStream bytes: " + emailMimeStream.Length, SharedUtils.Logger.EventLogEntryType.Information); assembler.AddData(emailMimeStream.ToArray(), tcpPacket.SequenceNumber); } else { SharedUtils.Logger.Log("Unable to activate email assembler", SharedUtils.Logger.EventLogEntryType.Warning); assembler.Clear(); assembler.FinishAssembling(); } } } }
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { //Packets.UdpPacket udpPacket = null; int parsedBytes = 0; Packets.ITransportLayerPacket transportLayerPacket = null; FiveTuple ft = null; foreach (Packets.AbstractPacket p in packetList) { if (p is Packets.ITransportLayerPacket) { transportLayerPacket = (Packets.ITransportLayerPacket)p; if (transportLayerPacket is Packets.UdpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); } else if (transportLayerPacket is Packets.TcpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP); } } if (p.GetType() == typeof(Packets.SipPacket)) { Packets.SipPacket sipPacket = (Packets.SipPacket)p; if (sipPacket.MessageLine.StartsWith(INVITE)) { string to = null; string from = null; if (sipPacket.To != null && sipPacket.To.Length > 0) { to = sipPacket.To; if (to.Contains(";")) { to = to.Substring(0, to.IndexOf(';')); } destinationHost.AddNumberedExtraDetail("SIP User", to); //destinationHost.ExtraDetailsList["SIP User"]=to; } if (sipPacket.From != null && sipPacket.From.Length > 0) { from = sipPacket.From; if (from.Contains(";")) { from = from.Substring(0, from.IndexOf(';')); } //destinationHost.AddNumberedExtraDetail("SIP User", from); sourceHost.AddNumberedExtraDetail("SIP User", from); //sourceHost.ExtraDetailsList["SIP User"]=from; } if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID)) { System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection { { "From", sipPacket.From }, { "To", sipPacket.To }, { "Call-ID", sipPacket.CallID } }; this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString())); } } if (!String.IsNullOrEmpty(sipPacket.UserAgent)) { sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent); } if (sipPacket.SDP != null) { if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null) { lock (callEndPoints) { Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft); if (this.callEndPoints.ContainsKey(sipPacket.CallID)) { Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null; foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID]) { if (previousEndPoint.Item3.EqualsIgnoreDirection(ft)) { //Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ; if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2))) { //this.callEndPoints.Remove(sipPacket.CallID); matchedTuple = previousEndPoint; if (sipPacket.From != null && sipPacket.To != null) { this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To); if (ft != null) { } } break; } } } if (matchedTuple == null) { this.callEndPoints[sipPacket.CallID].Add(endPoint); } if (matchedTuple != null) { this.callEndPoints[sipPacket.CallID].Remove(matchedTuple); } } else { this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >() { endPoint }); } } } } parsedBytes += sipPacket.PacketLength; } } return(parsedBytes); }
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { //Packets.UdpPacket udpPacket = null; int parsedBytes = 0; //Packets.ITransportLayerPacket transportLayerPacket = null; FiveTuple ft = null; foreach (Packets.AbstractPacket p in packetList) { if (p is Packets.ITransportLayerPacket transportLayerPacket) { //transportLayerPacket = (Packets.ITransportLayerPacket)p; if (transportLayerPacket is Packets.UdpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); } else if (transportLayerPacket is Packets.TcpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP); } } if (p is Packets.SipPacket sipPacket) { //Packets.SipPacket sipPacket=(Packets.SipPacket)p; System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection(); if (sipPacket.RequestMethod != null) { nvc.Add(sipPacket.RequestMethod.ToString(), sipPacket.MessageLine.Substring(sipPacket.RequestMethod.ToString().Length).Trim()); if (sipPacket.From != null && sipPacket.From.Length > 0) { sourceHost.AddNumberedExtraDetail("SIP User", this.ExtractSipAddressFromHeader(sipPacket.From)); } if (sipPacket.Contact?.Length > 0) { sourceHost.AddNumberedExtraDetail("SIP User", this.ExtractSipAddressFromHeader(sipPacket.Contact)); } //if (sipPacket.MessageLine.StartsWith(INVITE)) { if (sipPacket.RequestMethod == SipPacket.RequestMethods.INVITE) { string to = null; string from = null; if (sipPacket.To != null && sipPacket.To.Length > 0) { destinationHost.AddNumberedExtraDetail("SIP User", this.ExtractSipAddressFromHeader(sipPacket.To)); } if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID)) { nvc.Add("From", sipPacket.From); nvc.Add("To", sipPacket.To); nvc.Add("Call-ID", sipPacket.CallID); } } else if (sipPacket.RequestMethod == SipPacket.RequestMethods.MESSAGE) { if (sipPacket.ContentLength > 0 && sipPacket.ContentType.StartsWith("text/plain", StringComparison.OrdinalIgnoreCase)) { string message = Encoding.UTF8.GetString(sipPacket.ParentFrame.Data, sipPacket.MessageBodyStartIndex, sipPacket.ContentLength); //sipPacket.ParentFrame.Data. sipPacket.MessageBodyStartIndex string to = this.ExtractSipAddressFromHeader(sipPacket.To); string from = this.ExtractSipAddressFromHeader(sipPacket.From); string callId = sipPacket.CallID; if (message?.Length > 0) { if (callId == null || callId.Length == 0) { callId = message; } this.MainPacketHandler.OnMessageDetected(new Events.MessageEventArgs(ApplicationLayerProtocol.Sip, sourceHost, destinationHost, sipPacket.ParentFrame.FrameNumber, sipPacket.ParentFrame.Timestamp, from, to, callId, message, sipPacket.HeaderFields, sipPacket.PacketLength)); } } } } nvc.Add(sipPacket.HeaderFields); //Extract SIP headers like "X-msisdn" and "X-user-id" as explained by Sandro Gauci here: https://www.rtcsec.com/2020/09/01-smuggling-sip-headers-ftw/ foreach (string interestingSipHeader in sipPacket.HeaderFields.AllKeys.Where(k => k.Trim().StartsWith("X-", StringComparison.InvariantCultureIgnoreCase))) { sourceHost.AddNumberedExtraDetail("SIP header: " + interestingSipHeader, sipPacket.HeaderFields[interestingSipHeader]); } if (ft != null && nvc?.Count > 0) { this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString())); } if (!String.IsNullOrEmpty(sipPacket.UserAgent)) { sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent); } if (sipPacket.SDP != null) { if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null) { lock (callEndPoints) { Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft); if (this.callEndPoints.ContainsKey(sipPacket.CallID)) { Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null; foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID]) { if (previousEndPoint.Item3.EqualsIgnoreDirection(ft)) { //Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ; if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2))) { //this.callEndPoints.Remove(sipPacket.CallID); matchedTuple = previousEndPoint; if (sipPacket.From != null && sipPacket.To != null) { this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, this.ExtractSipAddressFromHeader(sipPacket.From), this.ExtractSipAddressFromHeader(sipPacket.To)); } break; } } } if (matchedTuple == null) { this.callEndPoints[sipPacket.CallID].Add(endPoint); } if (matchedTuple != null) { this.callEndPoints[sipPacket.CallID].Remove(matchedTuple); } } else { this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >() { endPoint }); } } } } parsedBytes += sipPacket.PacketLength; } } return(parsedBytes); }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { //Packets.UdpPacket udpPacket = null; Packets.ITransportLayerPacket transportLayerPacket = null; FiveTuple ft = null; foreach (Packets.AbstractPacket p in packetList) { /* * Packets.IIPPacket ipPacket; * if (p is Packets.IIPPacket) { * ipPacket = p as Packets.IIPPacket; * } */ if (p is Packets.ITransportLayerPacket) { transportLayerPacket = (Packets.ITransportLayerPacket)p; if (transportLayerPacket is Packets.UdpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); } else if (transportLayerPacket is Packets.TcpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP); } } if (p.GetType() == typeof(Packets.SipPacket)) { Packets.SipPacket sipPacket = (Packets.SipPacket)p; if (sipPacket.MessageLine.StartsWith(INVITE)) { string to = null; string from = null; if (sipPacket.To != null && sipPacket.To.Length > 0) { to = sipPacket.To; if (to.Contains(";")) { to = to.Substring(0, to.IndexOf(';')); } destinationHost.AddNumberedExtraDetail("SIP User", to); //destinationHost.ExtraDetailsList["SIP User"]=to; } if (sipPacket.From != null && sipPacket.From.Length > 0) { from = sipPacket.From; if (from.Contains(";")) { from = from.Substring(0, from.IndexOf(';')); } //destinationHost.AddNumberedExtraDetail("SIP User", from); sourceHost.AddNumberedExtraDetail("SIP User", from); //sourceHost.ExtraDetailsList["SIP User"]=from; } if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID)) { System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection { { "From", sipPacket.From }, { "To", sipPacket.To }, { "Call-ID", sipPacket.CallID } }; this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString())); } } if (!String.IsNullOrEmpty(sipPacket.UserAgent)) { sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent); } if (sipPacket.SDP != null) { if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null) { lock (callEndPoints) { Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft); if (this.callEndPoints.ContainsKey(sipPacket.CallID)) { Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null; foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID]) { if (previousEndPoint.Item3.EqualsIgnoreDirection(ft)) { //Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ; if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2))) { //this.callEndPoints.Remove(sipPacket.CallID); matchedTuple = previousEndPoint; if (sipPacket.From != null && sipPacket.To != null) { this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To); if (ft != null) { } } break; } } } if (matchedTuple == null) { this.callEndPoints[sipPacket.CallID].Add(endPoint); } if (matchedTuple != null) { this.callEndPoints[sipPacket.CallID].Remove(matchedTuple); } } else { this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >() { endPoint }); } } /* * //check if we have a reverse tuple * Tuple<System.Net.IPAddress, System.Net.IPAddress> reverseIpPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(destinationHost.IPAddress, sourceHost.IPAddress); * * TODO: Använd CALL ID istället som unik nyckel! * * lock (this.endPointCandidates) { * if (this.endPointCandidates.ContainsKey(reverseIpPair)) { * ushort reversePort = this.endPointCandidates[reverseIpPair]; * this.endPointCandidates.Remove(reverseIpPair); * * if (this.udpPayloadProtocolFinder != null && !String.IsNullOrEmpty(sipPacket.SDP.Protocol) && sipPacket.SDP.Protocol.StartsWith("RTP", StringComparison.InvariantCultureIgnoreCase)) * this.udpPayloadProtocolFinder.SetPayload(sourceHost.IPAddress, sipPacket.SDP.Port.Value, destinationHost.IPAddress, reversePort, ApplicationLayerProtocol.Rtp);//this might come in too late because the UDP packet has probably already been parsed by now. * if(sipPacket.From != null && sipPacket.To != null) { * FiveTuple fiveTuple = new FiveTuple(sourceHost, sipPacket.SDP.Port.Value, destinationHost, reversePort, FiveTuple.TransportProtocol.UDP); * this.MainPacketHandler.OnVoipCallDetected(fiveTuple, sipPacket.From, sipPacket.To); * System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection(); * nvc.Add("From", sipPacket.From); * nvc.Add("To", sipPacket.To); * this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, fiveTuple, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP setup of call " + fiveTuple.ToString())); * } * * } * else { * Tuple<System.Net.IPAddress, System.Net.IPAddress> ipPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(sourceHost.IPAddress, destinationHost.IPAddress); * if (this.endPointCandidates.ContainsKey(ipPair)) * this.endPointCandidates[ipPair] = sipPacket.SDP.Port.Value; * else * this.endPointCandidates.Add(ipPair, sipPacket.SDP.Port.Value); * } * } */ } //rtpPacketHandler.NewRtpEndPoints.Enqueue(new Tuple<System.Net.IPAddress, System.Net.IPAddress, ushort>(destinationHost.IPAddress, sourceHost.IPAddress, sipPacket.SDP.Port.Value)); } } } }
public WavFileAssembler(string wavFilename, FileStreamAssemblerList fileStreamAssemblerList, FiveTuple fiveTuple, FileStreamTypes fileStreamType, long initialFrameNumber, DateTime startTime, uint sampleRate = 8000) : base(fileStreamAssemblerList, fiveTuple, true, fileStreamType, wavFilename, "/", fileStreamType.ToString() + " " + fiveTuple.ToString(), initialFrameNumber, startTime) { if (fileStreamType == FileStreamTypes.RTP) { this.FileContentLength = -1; this.FileSegmentRemainingBytes = -1; //this.fileStreamAssemblerList.Add(assembler); } this.sampleRate = sampleRate; }