private static void DispatcherHandler(PcapDotNet.Packets.Packet packet)
{
if (packet.Ethernet.IpV4.Tcp == null) return;
if (packet.Ethernet.IpV4.Tcp.Payload == null) return;
if (packet.Ethernet.IpV4.Tcp.Payload.Length == 0) return;
MooNetRouter.ReadProto(packet.Ethernet.IpV4.Tcp.Payload);
}
public static void ReadProto(PcapDotNet.Packets.Datagram payload)
{
Console.Write('.');
var stream = CodedInputStream.CreateInstance(payload.ToArray());
while (!stream.IsAtEnd)
{
Identify(stream);
}
}
/// <summary>
///
/// </summary>
/// <param name="packet"></param>
public Connection(PcapDotNet.Packets.Packet packet)
{
IpV4Datagram ip = packet.Ethernet.IpV4;
TcpDatagram tcp = ip.Tcp;
SourceIp = ip.Source.ToString();
SourceIpNumeric = ip.Source.ToValue();
DestinationIp = ip.Destination.ToString();
DestinationIpNumeric = ip.Destination.ToValue();
SourcePort = (ushort)tcp.SourcePort;
DestinationPort = (ushort)tcp.DestinationPort;
}
public void StartCapture(PcapDotNet.Core.HandlePacket PacketHandler, LivePacketDevice device)
{
_device = device;
StartCapture(PacketHandler);
}
//functions
public void StartCapture(PcapDotNet.Core.HandlePacket PacketHandler)
{
_packetHandler = PacketHandler;
_bgWorker.DoWork += new DoWorkEventHandler(DoWork);
_bgWorker.RunWorkerAsync();
}
/// <summary>
/// The main function of the class receives a tcp packet and reconstructs the stream
/// </summary>
/// <param name="packet"></param>
public void ReassemblePacket(PcapDotNet.Packets.Packet packet)
{
try
{
if (_maxSize > 0)
{
if (DataSize > _maxSize)
{
return;
}
}
ushort sourcePort = 0;
ushort destinationPort = 0;
IpV4Datagram ip = packet.Ethernet.IpV4;
if (ip.Protocol == IpV4Protocol.Tcp)
{
TcpDatagram tcp = (TcpDatagram)ip.Tcp;
sourcePort = tcp.SourcePort;
destinationPort = tcp.DestinationPort;
// If the payload length is zero bail out
ulong length = (ulong)(tcp.Length - tcp.HeaderLength);
if (length == 0)
{
//Console.WriteLine("Invalid length (TCP): " + ip.Source.ToString() + "#" + ip.Destination.ToString());
//return;
}
if (tcp.IsFin == true)
{
this.HasFin = true;
}
uint acknowledged = Convert.ToUInt32(tcp.IsAcknowledgment);
ReassembleTcp((ulong)tcp.SequenceNumber,
acknowledged,
length,
tcp.Payload.ToMemoryStream().ToArray(),
(ulong)tcp.Payload.Length,
tcp.IsSynchronize,
ip.Source.ToValue(),
ip.Destination.ToValue(),
(uint)tcp.SourcePort,
(uint)tcp.DestinationPort,
packet.Timestamp);
}
else if (ip.Protocol == IpV4Protocol.Udp)
{
UdpDatagram udp = (UdpDatagram)ip.Udp;
sourcePort = udp.SourcePort;
destinationPort = udp.DestinationPort;
// If the payload length is zero bail out
ulong length = (ulong)(udp.Length);
if (length == 0)
{
Console.WriteLine("Invalid length (UDP): " + ip.Source.ToString() + "#" + ip.Destination.ToString());
//return;
}
int index = ReassembleUdp(length,
udp.Payload.ToMemoryStream().ToArray(),
(ulong)udp.Payload.Length,
ip.Source.ToValue(),
ip.Destination.ToValue(),
(uint)udp.SourcePort,
(uint)udp.DestinationPort,
packet.Timestamp);
// We assume that if a response e.g index 1 has been received then the session is complete
if (index == 1)
{
HasFin = true;
}
}
if (TimestampFirstPacket == null)
{
TimestampFirstPacket = packet.Timestamp;
}
TimestampLastPacket = packet.Timestamp;
// Now run any applicable parsers
var temp = from p in _packetParsers where (p.Port == sourcePort | p.Port == destinationPort) & p.Type == ParserType.Packet select p;
foreach (InterfaceParser parser in temp)
{
if (parser.Enabled == false)
{
continue;
}
InterfacePacketParser packetParser = (InterfacePacketParser)parser;
packetParser.Process(_storage, _outputPath, ip);
}
}
catch (Exception ex )
{
this.Log().Error(ex.ToString());
}
}
/// <summary>
///
/// </summary>
/// <param name="packet"></param>
private void WriteOldSessions(PcapDotNet.Packets.Packet packet)
{
try
{
OnMessage("Writing session data to database..." + _packetCount + " packets");
using (DbConnection dbConnection = Db.GetOpenConnection(_outputPath))
using (var db = new NPoco.Database(dbConnection, NPoco.DatabaseType.SQLCe))
{
var keys = _dictionary.Keys.ToList();
foreach (var connection in keys)
{
var temp = _dictionary[connection];
if (temp.TimestampLastPacket == null)
{
if (temp.DataSize == 0)
{
_dictionary[connection].Dispose();
_dictionary.Remove(connection);
}
continue;
}
if (temp.HasFin == false)
{
if (packet != null)
{
// Lets ignore sessions that are still within the threshold
if (packet.Timestamp < temp.TimestampLastPacket.Value.AddMinutes(SessionInterval))
{
continue;
}
}
}
else
{
if (packet != null)
{
// Only kill sessions that have had a FIN and at least a minute has past
if (packet.Timestamp < temp.TimestampLastPacket.Value.AddMinutes(1))
{
continue;
}
}
}
Session session = CreateNewSession(temp.Guid,
temp.DataSize,
connection);
_dictionary[connection].Dispose();
if (_dictionary.Remove(connection) == false)
{
Console.WriteLine("Unable to remove connection object: " + connection.GetName());
}
if (temp.DataSize > 0)
{
int pk = Convert.ToInt32(db.Insert("Sessions", "Id", session));
PerformSessionProcessing(session, pk);
}
}
OnMessage("Commiting database transaction..." + _packetCount + " packets");
}
}
catch (Exception ex)
{
this.Log().Error(ex.ToString());
}
finally
{
OnMessage(string.Empty);
}
}
/// <summary>
///
/// </summary>
/// <param name="packet"></param>
private void DispatcherHandler(PcapDotNet.Packets.Packet packet)
{
try
{
_packetCount++;
IpV4Datagram ip = packet.Ethernet.IpV4;
TcpDatagram tcp = ip.Tcp;
if (tcp == null)
{
Console.WriteLine("No TCP: " + ip.Source.ToString() + "#" + ip.Destination.ToString());
return;
}
if (IgnoreLocal == true)
{
if (Networking.IsOnIntranet(System.Net.IPAddress.Parse(ip.Source.ToString())) == true &
Networking.IsOnIntranet(System.Net.IPAddress.Parse(ip.Destination.ToString())) == true)
{
return;
}
}
Connection connection = new Connection(packet);
if (_dictionary.ContainsKey(connection) == false)
{
PacketReconstructor packetReconstructor = new PacketReconstructor(_outputPath, _maxSize);
var parsers = from p in _parsers where p.Type == ParserType.Packet select p;
packetReconstructor.SetPacketParsers(parsers.ToList());
_dictionary.Add(connection, packetReconstructor);
}
_dictionary[connection].ReassemblePacket(packet);
if (_timestamp == DateTime.MinValue)
{
_timestamp = packet.Timestamp;
}
// Only write the data after the user defined period
if (packet.Timestamp > _timestamp.AddMinutes(BufferInterval))
{
_timestamp = packet.Timestamp;
WriteOldSessions(packet);
}
if (_packetCount % 10000 == 0)
{
OnMessage("Processed " + _packetCount + " packets...(" + _dictionary.Count + " sessions)");
}
}
catch (Exception ex)
{
OnMessage("Error: " + ex.ToString());
Console.WriteLine(ex);
}
}
