public void Read(TDSReader r)
{
PacketType = r.ReadByte();
if (PacketType != (byte)TDSPacketType.SQLBATCH &&
PacketType != (byte)TDSPacketType.LOGIN &&
PacketType != (byte)TDSPacketType.RPC &&
PacketType != (byte)TDSPacketType.RESPONSE &&
PacketType != (byte)TDSPacketType.ATTENTION &&
PacketType != (byte)TDSPacketType.BULKLOAD &&
PacketType != (byte)TDSPacketType.DTC &&
PacketType != (byte)TDSPacketType.LOGIN7 &&
PacketType != (byte)TDSPacketType.SSPI &&
PacketType != (byte)TDSPacketType.PRELOGIN &&
PacketType != (byte)TDSPacketType.APPDATA)
{
throw new InvalidTDSException("Unknown token type: " + PacketType);
}
Status = r.ReadByte();
if (Status > 31)
{
throw new InvalidTDSException("Unknown Status value: " + Status); // supposed to ignore other flag fields
}
Length = r.ReadBigEndianUInt16();
SPID = r.ReadBigEndianUInt16();
PacketID = r.ReadByte();
Window = r.ReadByte();
if (Window != 0)
{
throw new InvalidTDSException("Invalid TDS Window value: " + Window); // supposed to ignore
}
}
public static TDSHeader Read(TDSReader r) // TODo - not all token types have a TDS Header, like APPDATA or perhaps SSPI - needs more research
{
TDSHeader head = new TDSHeader();
head.PacketType = r.ReadByte();
if (head.PacketType != (byte)TDSPacketType.SQLBATCH &&
head.PacketType != (byte)TDSPacketType.LOGIN &&
head.PacketType != (byte)TDSPacketType.RPC &&
head.PacketType != (byte)TDSPacketType.RESPONSE &&
head.PacketType != (byte)TDSPacketType.ATTENTION &&
head.PacketType != (byte)TDSPacketType.BULKLOAD &&
head.PacketType != (byte)TDSPacketType.DTC &&
head.PacketType != (byte)TDSPacketType.LOGIN7 &&
head.PacketType != (byte)TDSPacketType.SSPI &&
head.PacketType != (byte)TDSPacketType.PRELOGIN &&
head.PacketType != (byte)TDSPacketType.APPDATA)
{
throw new InvalidTDSException("Unknown token type: " + head.PacketType);
}
head.Status = r.ReadByte();
if (head.Status > 31)
{
throw new InvalidTDSException("Unknown Status value: " + head.Status); // supposed to ignore other flag fields
}
head.Length = r.ReadBigEndianUInt16();
head.SPID = r.ReadBigEndianUInt16();
head.PacketID = r.ReadByte();
head.Window = r.ReadByte();
if (head.Window != 0)
{
throw new InvalidTDSException("Invalid TDS Window value: " + head.Window); // supposed to ignore
}
return(head);
}
static Int32 ReadAsnLen(TDSReader ByteReader, bool IsReadFirstByte = true)
{
if (IsReadFirstByte)
{
ByteReader.ReadByte();
}
int Len = ByteReader.ReadByte();
if ((Len & (int)0x80) == (int)0x80)
{
switch (Len & 0x7F)
{
case 1:
{
Len = ByteReader.ReadByte();
break;
}
case 2:
{
Len = ByteReader.ReadBigEndianUInt16();
break;
}
case 3:
{
Len = (int)ByteReader.ReadUInt32();
break;
}
default:
{
//throw new Exception("Unknown tag (" + Len + ") in kerberos packet.");
break;
}
}
}
return(Len);
}
public static void ProcessUDP(NetworkTrace trace)
{
string[] DnsReturnMessage = new string[] {
"Success",
"Format error; DNS server did not understand the update request.",
"DNS server encountered an internal error, such as a forwarding timeout.",
"A name that should exist does not exist.",
"DNS server does not support the specified Operation code.",
"DNS server refuses to perform the update.",
"A name that should not exist does exist.",
"A resource record set that should not exist does exist.",
"A resource record set that should exist does not exist.",
"DNS server is not authoritative for the zone named in the Zone section.",
"A name used in the Prerequisite or Update sections is not within the zone specified by the Zone section.",
"Invalid return code.",
"Invalid return code.",
"Invalid return code.",
"Invalid return code.",
"Reserved."
};
foreach (ConversationData c in trace.conversations)
{
//DNS traffic is over UDP. If the current converstion is not UDP then skip that non DNS conversation.
if (!c.isUDP)
{
continue;
}
//Skip the conversation, if its just UDP, but not DNS
if ((c.isUDP) && c.destPort != 53)
{
continue;
}
trace.DNSRequestCount++;
try
{
//Parse the DNS frames of the conversation.
foreach (FrameData fd in c.frames)
{
DNS DNSresponse = new DNS();
if (fd.payloadLength < 1)
{
continue;
}
//DNS data starts at 42nd byte of the total payload. so the payload = (Total Payload - 42) bytes.
TDSReader ByteReader = new TDSReader(fd.payload, 0, -1, fd.payloadLength);
ByteReader.ReadBigEndianUInt16(); //Skip over the query ID.
//Read the Flags and convert into bytes.
int FlagsHigh = ByteReader.ReadByte();
int FlagsLow = ByteReader.ReadByte();
if ((FlagsHigh & (int)0x80) == (int)0x0) // DNS request
{
//DNSresponse.srcServerIP = c.sourceIP.ToString();
DNSresponse.dnsServerIP = c.destIP.ToString();
}
else if ((FlagsHigh & (int)0x80) == (int)0x80) // DNS response
{
int rCode = FlagsLow & 0x0F; // should be between 0 - 15.
//DNSresponse.srcServerIP= c.destIP.ToString();
DNSresponse.dnsServerIP = c.sourceIP.ToString();
DNSresponse.frameNo = fd.frameNo;
DNSresponse.TimeStamp = new DateTime(((FrameData)c.frames[c.frames.Count - 1]).ticks).ToString(utility.TIME_FORMAT);
//new DateTime(((FrameData)trace.frames[0]).ticks).ToString(utility.TIME_FORMAT);
DNSresponse.errorCode = rCode;
DNSresponse.ErrorDesc = DnsReturnMessage[rCode];
//Question Count - 2 bytes
DNSresponse.QuestionCount = ByteReader.ReadInt16();
//Answer Count - 2 bytes
DNSresponse.AnswerCount = ByteReader.ReadInt16();
//Skip 2 bytes - Name Server count
ByteReader.ReadInt16();
//Skip 2 bytes - Additional count
ByteReader.ReadInt16();
//Start reading the QName
//13th byte of the DNS Payload - payload[12]
byte length = ByteReader.ReadByte();
string Name = "";
while (length != 0)
{
Name += (Name == "" ? "" : ".") + ByteReader.ReadAnsiString(length);
length = ByteReader.ReadByte();
}
DNSresponse.nameReqested = Name;
DNSresponse.convData = c;
//DNSresponse.srcPort = c.sourcePort;
// Console.WriteLine(fd.file.filePath + "\t" + fd.frameNo.ToString());
if (rCode != (int)DNSReturnCodes.NOERROR)
{
trace.DNSResponses.Add(DNSresponse);
}
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error parsing DNS conversation: " + ex.Message + "\r\n" + ex.StackTrace);
Program.logDiagnostic("Error parsing DNS conversation: " + ex.Message + "\r\n" + ex.StackTrace);
}
}
}
byte[] Nonce = null; // 32 bytes of data if FedAuth is non-zero
public void Read(TDSReader r)
{
byte OptionToken = 0;;
int DataOffset;
int DataLength;
TDSReader offsetReader = null;
OptionToken = r.ReadByte();
while (OptionToken != (byte)TDSTokenType.DONEINPROC) // 255 or 0xFF
{
DataOffset = r.ReadBigEndianUInt16();
DataLength = r.ReadBigEndianUInt16();
offsetReader = r.OffsetReader(DataOffset);
switch (OptionToken)
{
case 0: // version
{
if (DataLength > 0)
{
Version = offsetReader.ReadUInt32();
SubBuild = offsetReader.ReadUInt16();
}
break;
}
case 1: // encryption
{
if (DataLength > 0)
{
Encryption = offsetReader.ReadByte();
}
if (Encryption > 3)
{
throw new InvalidTDSException("Invalid encryption option: " + Encryption);
}
break;
}
case 2: // instanceValidity validity
{
if (DataLength > 0)
{
InstanceValidity = offsetReader.ReadByte();
}
break;
}
case 3: // thread ID
{
if (DataLength > 0)
{
ThreadID = offsetReader.ReadUInt32();
}
break;
}
case 4: // MARS
{
if (DataLength > 0)
{
MarsData = offsetReader.ReadByte();
}
if (MarsData > 1)
{
throw new InvalidTDSException("Invalid MARS option: " + MarsData);
}
break;
}
case 5: // Trace ID
{
if (DataLength > 0)
{
TraceID = new Guid(offsetReader.ReadBytes(16));
}
break;
}
case 6: // Federated Auth Required
{
if (DataLength > 0)
{
FedAuth = offsetReader.ReadByte();
}
break;
}
case 7: // NONCE Option - 32 bytes of encrypted data
{
if (DataLength > 0)
{
Nonce = offsetReader.ReadBytes(32);
}
break;
}
}
}
r.DoneWithChildReaders(); // updates parent reader offset with child reader high offset - i.e. causes the parent to jump past the referenced data
}