/// <summary>
/// Creates the tracking state for one TCP conversation, with one slot per direction.
/// </summary>
/// <param name="packet">Packet that caused the state to be created; only its timestamp is read here.</param>
/// <param name="signature0">Signature stored for direction 0.</param>
/// <param name="signature1">Signature stored for direction 1.</param>
public TCPState(TCPPacket packet, string signature0, string signature1)
{
    // The signatures do not depend on the direction index, so they are stored once
    // instead of being rewritten on every pass of the loop below.
    Signature[0] = signature0;
    Signature[1] = signature1;

    for (int side = 0; side < 2; side++)
    {
        // Fixed 80-byte buffer per direction. The original trailing comment "0000]"
        // suggests a larger size was used at some point - TODO confirm the intended size.
        data[side] = new byte[80];
        Position[side] = 0;
        Packets[side] = new System.Collections.ArrayList();
        Times[side] = new System.Collections.ArrayList();
    }

    LastAddedTime = packet.TimeStamp;
}
/// <summary>
/// Queues a packet for one direction of the conversation and advances the handshake state
/// when the packet is a SYN seen while that direction is still NEW.
/// </summary>
/// <param name="direction">Direction slot the packet belongs to (0 or 1).</param>
/// <param name="packet">Parsed TCP packet to queue.</param>
public void AddPacket(int direction, TCPPacket packet)
{
    if (State[direction] == States.NEW)
    {
        switch (direction)
        {
            case 0:
                if (packet.SYN)
                {
                    FirstPacket(packet, direction);
                    State[direction] = States.SYN1;
                }
                break;

            case 1:
                // should check SYNs as well
                // NOTE(review): both directions go to RUNNING here without checking that
                // direction 0 has already reached SYN1.
                if (packet.SYN)
                {
                    FirstPacket(packet, direction);
                    State[0] = States.RUNNING;
                    State[1] = States.RUNNING;
                }
                break;
        }
    }

    //Added irrespective of whether we can handle it now, unless known to be "dead"
    // NOTE(review): nothing in this method limits how many packets are queued per direction.
    States current = State[direction];
    if (current != States.FINISHED && current != States.REPORTED)
    {
        Packets[direction].Add(packet);
    }

    LastAddedTime = packet.TimeStamp;
}
/// <summary>
/// Records the starting sequence number for one direction from its SYN packet.
/// </summary>
/// <param name="packet">The SYN packet for this direction.</param>
/// <param name="direction">Direction slot whose sequence number is initialised.</param>
void FirstPacket(TCPPacket packet, int direction)
{
    // The SYN itself occupies one sequence number, so the stream starts one past it.
    Sequence[direction] = 1 + packet.PTcp.SequenceNumber;
}
/// <summary>
/// Stores a packet against one direction of the conversation, updating the handshake
/// state first when the packet is a SYN and that direction has not been seen before.
/// </summary>
/// <param name="direction">Direction slot the packet belongs to (0 or 1).</param>
/// <param name="packet">Parsed TCP packet to store.</param>
public void AddPacket(int direction, TCPPacket packet)
{
    bool unseen = State[direction] == States.NEW;

    if (unseen && direction == 0 && packet.SYN)
    {
        FirstPacket(packet, direction);
        State[direction] = States.SYN1;
    }
    else if (unseen && direction == 1 && packet.SYN) // should check SYNs as well
    {
        // NOTE(review): the state of direction 0 is not consulted before both
        // directions are marked RUNNING.
        FirstPacket(packet, direction);
        State[0] = States.RUNNING;
        State[1] = States.RUNNING;
    }

    //Added irrespective of whether we can handle it now, unless known to be "dead"
    // NOTE(review): the queue has no size limit in this method.
    States now = State[direction];
    bool dead = now == States.FINISHED || now == States.REPORTED;
    if (!dead)
    {
        Packets[direction].Add(packet);
    }

    LastAddedTime = packet.TimeStamp;
}
/// <summary>
/// Builds the state object that tracks both directions of one TCP conversation.
/// </summary>
/// <param name="packet">Packet that triggered creation; its timestamp seeds <c>LastAddedTime</c>.</param>
/// <param name="signature0">Signature kept for direction 0.</param>
/// <param name="signature1">Signature kept for direction 1.</param>
public TCPState(TCPPacket packet, string signature0, string signature1)
{
    for (int slot = 0; slot < 2; slot++)
    {
        // 80 bytes per direction; the original comment fragment "0000]" hints that a
        // larger buffer was used before - TODO confirm.
        data[slot] = new byte[80];
        Position[slot] = 0;
        Packets[slot] = new System.Collections.ArrayList();
        Times[slot] = new System.Collections.ArrayList();
    }

    // Same values on every loop pass in the original, so one assignment is enough.
    Signature[0] = signature0;
    Signature[1] = signature1;

    LastAddedTime = packet.TimeStamp;
}
/// <summary>
/// Sets the first expected sequence number of a direction from the SYN that opened it.
/// </summary>
/// <param name="packet">The SYN packet for this direction.</param>
/// <param name="direction">Direction slot to initialise.</param>
void FirstPacket(TCPPacket packet, int direction)
{
    //+1 removes SYN from stream
    Sequence[direction] = 1 + packet.PTcp.SequenceNumber;
}
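/// <summary>
/// Parses one captured packet as IPv4 + TCP, finds or creates the matching
/// <c>TCPState</c>, and feeds the packet into stream reassembly.
/// </summary>
/// <remarks>
/// The bytes are captured traffic and therefore untrusted. Compared with the earlier
/// version this method additionally:
/// rejects a null buffer or negative start offset;
/// rejects packets whose version nibble is not 4;
/// honours the IPv4 header-length field, so a header carrying options no longer causes
/// the TCP fields to be read out of the option bytes; and
/// re-checks the buffer length once the real TCP header offset is known.
/// Packets are silently dropped when any of these checks fail.
/// </remarks>
/// <param name="data">Captured packet: raw bytes, the offset at which parsing starts, and the capture timestamp.</param>
public void AnalysePacket(PacketInfo data)
{
    byte[] PacketData = data.Data;
    int StartIndex = data.StartIndex;

    if (PacketData == null || StartIndex < 0)
    {
        return;
    }

    int Index = StartIndex;

    // Start by eliminating non IP and non TCP packets
    // Written as a subtraction so a very large StartIndex cannot overflow the sum.
    if ((PacketData.Length - StartIndex) < (LENGTH_OF_INTERNET + LENGTH_OF_TCP))
    {
        return;
    }

    PacketINTERNET.PACKET_INTERNET PInternet = new PacketINTERNET.PACKET_INTERNET();

    // First byte: version in the high nibble, header length (in 32-bit words) in the low nibble.
    byte versionAndLength = PacketData[Index++];
    PInternet.HeaderLength = (byte)((versionAndLength & 0x0f) * 4);
    PInternet.Version = (byte)(versionAndLength >> 4);
    if (PInternet.Version != 4)
    {
        // The field layout below is IPv4 only.
        return;
    }

    PInternet.DifferentiatedServicesField = PacketData[Index++];
    PInternet.Length = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PInternet.Identification = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PInternet.FragmentOffset = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    // NOTE(review): IPv4 puts 3 flag bits and a 13-bit offset in this word. The shift by 12
    // and the 0x0f mask are kept as they were because other code may read these fields, but
    // the mask keeps only the low 4 offset bits - confirm before relying on FragmentOffset.
    // Non-first fragments are not filtered out here and are parsed as if they began a TCP header.
    PInternet.Flags = (byte)((int)PInternet.FragmentOffset >> 12);
    PInternet.FragmentOffset = (ushort)((int)PInternet.FragmentOffset & 0x0f);
    PInternet.TimeToLive = PacketData[Index++];
    PInternet.Protocol = PacketData[Index++];
    PInternet.HeaderChecksum = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PInternet.Source = Function.GetIpAddress(PacketData, ref Index);
    PInternet.Destination = Function.GetIpAddress(PacketData, ref Index);

    // A header length shorter than the fixed fields just read is malformed.
    int fixedIpHeaderBytes = Index - StartIndex;
    if (PInternet.HeaderLength < fixedIpHeaderBytes)
    {
        return;
    }

    if (PInternet.Protocol != IPPROTO_TCP)
    {
        return;
    }

    // Check IPs
    //if(!analysisFromCapFile)
    //{
    if (((PInternet.Source == IP1) && (PInternet.Destination == IP1)) || (PInternet.Source == PInternet.Destination))
    {
        return;
    }
    //}

    // Skip any IP options so the TCP header is read from where it really starts,
    // then make sure the TCP header still fits in the buffer.
    Index = StartIndex + PInternet.HeaderLength;
    if ((PacketData.Length - Index) < LENGTH_OF_TCP)
    {
        return;
    }

    PacketTCP.PACKET_TCP PTcp = new PacketTCP.PACKET_TCP();

    PTcp.SourcePort = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.DestinationPort = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.SequenceNumber = Function.Get4Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.Acknowledgement = Function.Get4Bytes(PacketData, ref Index, Const.NORMAL);
    // Data offset lives in the high nibble, counted in 32-bit words.
    byte dataOffsetByte = PacketData[Index++];
    PTcp.HeaderLength = (byte)((dataOffsetByte >> 4) * 4);
    PTcp.Flags = PacketData[Index++];
    PTcp.WindowSize = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.Checksum = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    // NOTE(review): the two bytes at this position of a TCP header are the urgent pointer,
    // not options - confirm what consumers of PTcp.Options expect.
    PTcp.Options = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);

    //if(!analysisFromCapFile)
    //{
    if (((PTcp.SourcePort == Port1) && (PTcp.DestinationPort == Port1)) ||
        ((PTcp.SourcePort == Port2) && (PTcp.DestinationPort == Port2)))
    {
        return;
    }
    //}

    String signature = Signature(PInternet.Source, PTcp.SourcePort, PInternet.Destination, PTcp.DestinationPort);

    //Keep track of the connections which have been established.(The list will be used later to populate the Associations Combo Box.)
    // NOTE(review): an entry is added for every new address/port combination seen and nothing
    // in this method removes entries, so traffic with many distinct endpoints grows this list
    // and the List[] tables below without bound.
    if (!listOfConnections.Contains(signature))
    {
        listOfConnections.Add(signature);
    }

    TCPPacket packet = new TCPPacket(PacketData, StartIndex, PInternet, PTcp, data.TimeStamp);
    LastParsedPacketTime = packet.TimeStamp;

    int match = -1;
    TCPState state;

    for (int i = 0; i < 2; i++)
    {
        if (List[i].Contains(signature))
        {
            match = i;
        }
    }

    // add as new item if necessary
    if (match == (-1))
    {
        //Need to check here that we have SYNs
        String signature1 = Signature(PInternet.Destination, PTcp.DestinationPort, PInternet.Source, PTcp.SourcePort);
        state = new TCPState(packet, signature, signature1);
        List[0].Add(signature, state);
        List[1].Add(signature1, state);
        match = 0;
    }
    else
    {
        state = (TCPState)List[match][signature];
    }

    // NOTE(review): only the per-connection state is locked; the lookups and inserts on
    // List[] and listOfConnections above run outside any lock visible here.
    lock (state)
    {
        if (state.State[match] != TCPState.States.REPORTED)
        {
            state.AddPacket(match, packet);

            TCPState.PacketAction LastAction;
            // Drain every fragment that is now in order.
            while ((LastAction = state.Defragment(match)) == TCPState.PacketAction.DATA)
            {
                if (FragmentAdded != null)
                {
                    FragmentAdded(state, match);
                }
                nrOfCapturedPackets++;
            }

            if (LastAction == TCPState.PacketAction.FIN)
            {
                if (EndOfStream != null)
                {
                    EndOfStream(state, match, "FIN Seen (" + signature + ")");
                }
            }
            if (LastAction == TCPState.PacketAction.RST)
            {
                if (EndOfStream != null)
                {
                    EndOfStream(state, match, "RST Seen (" + signature + ")");
                }
            }
            if (LastAction == TCPState.PacketAction.DEAD)
            {
                //Error("DEAD seen" + signature);
                if (EndOfStream != null)
                {
                    EndOfStream(state, match, "DEAD data seen (" + signature + ")");
                }
            }
        }
    }
}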
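/// <summary>
/// Decodes the IPv4 and TCP headers of one captured packet, looks up (or creates) the
/// <c>TCPState</c> for its connection, and pushes the packet into reassembly.
/// </summary>
/// <remarks>
/// Input is captured network data and is treated as untrusted. A packet is dropped without
/// further processing when the buffer is null, the start offset is negative, the buffer is
/// too short, the version nibble is not 4, the IPv4 header length is smaller than the fixed
/// header, or the TCP header does not fit after the IPv4 header (options included).
/// The TCP header is located using the IPv4 header-length field, not a fixed offset.
/// </remarks>
/// <param name="data">Captured packet: raw bytes, the offset at which parsing starts, and the capture timestamp.</param>
public void AnalysePacket(PacketInfo data)
{
    byte[] PacketData = data.Data;
    int StartIndex = data.StartIndex;
    if (PacketData == null || StartIndex < 0)
    {
        return;
    }

    int Index = StartIndex;

    // Start by eliminating non IP and non TCP packets
    // Subtraction form: cannot overflow for a non-negative StartIndex.
    int available = PacketData.Length - StartIndex;
    if (available < (LENGTH_OF_INTERNET + LENGTH_OF_TCP))
    {
        return;
    }

    PacketINTERNET.PACKET_INTERNET PInternet = new PacketINTERNET.PACKET_INTERNET();

    // High nibble = IP version, low nibble = header length in 32-bit words.
    byte firstByte = PacketData[Index++];
    PInternet.HeaderLength = (byte)((firstByte & 0x0f) * 4);
    PInternet.Version = (byte)(firstByte >> 4);
    if (PInternet.Version != 4)
    {
        // Everything below assumes the IPv4 field layout.
        return;
    }

    PInternet.DifferentiatedServicesField = PacketData[Index++];
    PInternet.Length = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PInternet.Identification = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PInternet.FragmentOffset = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    // NOTE(review): the IPv4 word holds 3 flag bits followed by a 13-bit offset; the shift by
    // 12 and mask of 0x0f are left unchanged for compatibility, but the mask drops all but the
    // low 4 offset bits - confirm before using FragmentOffset. Fragments with a non-zero
    // offset are not rejected here.
    PInternet.Flags = (byte)((int)PInternet.FragmentOffset >> 12);
    PInternet.FragmentOffset = (ushort)((int)PInternet.FragmentOffset & 0x0f);
    PInternet.TimeToLive = PacketData[Index++];
    PInternet.Protocol = PacketData[Index++];
    PInternet.HeaderChecksum = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PInternet.Source = Function.GetIpAddress(PacketData, ref Index);
    PInternet.Destination = Function.GetIpAddress(PacketData, ref Index);

    // The declared header length must at least cover the fixed fields consumed above.
    if (PInternet.HeaderLength < (Index - StartIndex))
    {
        return;
    }

    if (PInternet.Protocol != IPPROTO_TCP)
    {
        return;
    }

    // Check IPs
    //if(!analysisFromCapFile)
    //{
    if (((PInternet.Source == IP1) && (PInternet.Destination == IP1)) || (PInternet.Source == PInternet.Destination))
    {
        return;
    }
    //}

    // Jump past IP options to the real start of the TCP header and re-validate the length.
    Index = StartIndex + PInternet.HeaderLength;
    if ((PacketData.Length - Index) < LENGTH_OF_TCP)
    {
        return;
    }

    PacketTCP.PACKET_TCP PTcp = new PacketTCP.PACKET_TCP();

    PTcp.SourcePort = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.DestinationPort = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.SequenceNumber = Function.Get4Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.Acknowledgement = Function.Get4Bytes(PacketData, ref Index, Const.NORMAL);
    // TCP data offset: high nibble, in 32-bit words.
    byte offsetByte = PacketData[Index++];
    PTcp.HeaderLength = (byte)((offsetByte >> 4) * 4);
    PTcp.Flags = PacketData[Index++];
    PTcp.WindowSize = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    PTcp.Checksum = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);
    // NOTE(review): this position in a TCP header is the urgent pointer; verify what
    // readers of PTcp.Options expect.
    PTcp.Options = Function.Get2Bytes(PacketData, ref Index, Const.NORMAL);

    //if(!analysisFromCapFile)
    //{
    if (((PTcp.SourcePort == Port1) && (PTcp.DestinationPort == Port1)) ||
        ((PTcp.SourcePort == Port2) && (PTcp.DestinationPort == Port2)))
    {
        return;
    }
    //}

    String signature = Signature(PInternet.Source, PTcp.SourcePort, PInternet.Destination, PTcp.DestinationPort);

    //Keep track of the connections which have been established.(The list will be used later to populate the Associations Combo Box.)
    // NOTE(review): every previously unseen address/port combination adds an entry here and a
    // TCPState below; no removal or size limit is visible in this method.
    if (!listOfConnections.Contains(signature))
    {
        listOfConnections.Add(signature);
    }

    TCPPacket packet = new TCPPacket(PacketData, StartIndex, PInternet, PTcp, data.TimeStamp);
    LastParsedPacketTime = packet.TimeStamp;

    int match = -1;
    TCPState state;

    for (int i = 0; i < 2; i++)
    {
        if (List[i].Contains(signature))
        {
            match = i;
        }
    }

    // add as new item if necessary
    if (match == (-1))
    {
        //Need to check here that we have SYNs
        String signature1 = Signature(PInternet.Destination, PTcp.DestinationPort, PInternet.Source, PTcp.SourcePort);
        state = new TCPState(packet, signature, signature1);
        List[0].Add(signature, state);
        List[1].Add(signature1, state);
        match = 0;
    }
    else
    {
        state = (TCPState)List[match][signature];
    }

    // NOTE(review): the lock covers only this connection's state; List[] and
    // listOfConnections are read and modified above without a lock visible here.
    lock (state)
    {
        if (state.State[match] != TCPState.States.REPORTED)
        {
            state.AddPacket(match, packet);

            TCPState.PacketAction LastAction;
            // Keep pulling reassembled data while more is available in order.
            while ((LastAction = state.Defragment(match)) == TCPState.PacketAction.DATA)
            {
                if (FragmentAdded != null)
                {
                    FragmentAdded(state, match);
                }
                nrOfCapturedPackets++;
            }

            if (LastAction == TCPState.PacketAction.FIN)
            {
                if (EndOfStream != null)
                {
                    EndOfStream(state, match, "FIN Seen (" + signature + ")");
                }
            }
            if (LastAction == TCPState.PacketAction.RST)
            {
                if (EndOfStream != null)
                {
                    EndOfStream(state, match, "RST Seen (" + signature + ")");
                }
            }
            if (LastAction == TCPState.PacketAction.DEAD)
            {
                //Error("DEAD seen" + signature);
                if (EndOfStream != null)
                {
                    EndOfStream(state, match, "DEAD data seen (" + signature + ")");
                }
            }
        }
    }
}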