/* Analyzors used in PacketDetail, parsing link layer information to the tree nodes.*/
public static String EthernetAnalyzor(ref TreeView tree, Packet packet)
{
TreeNode EthernetNode;
string info = "\r\n------ Ethernet Header ----\r\n";
EthernetPacket Ethernetpacket = (EthernetPacket)packet.Extract(typeof(EthernetPacket));
string smac = Ethernetpacket.SourceHwAddress.ToString();
string dmac = Ethernetpacket.DestinationHwAddress.ToString();
string type = Ethernetpacket.Type.ToString();
EthernetNode = new TreeNode("Ethernet: src-" + smac + ", dst-" + dmac);
EthernetNode.Nodes.Add("source address :" + smac);
EthernetNode.Nodes.Add("destination address : " + dmac);
EthernetNode.Nodes.Add("type : " + type);
tree.Nodes.Add(EthernetNode);
info += "destination addr : " + dmac + "\r\n" + "source addr : " + smac + "\r\n" + "type : " + type + "\r\n";
return info;
}
public static WakeOnLanPacket GetEncapsulated(Packet p)
{
// see if we have an ethernet packet that contains a wol packet
var ethernetPacket = (EthernetPacket)p.Extract(typeof(EthernetPacket));
if (ethernetPacket != null)
{
if (ethernetPacket.Type == EthernetPacketType.WakeOnLan)
{
return((WakeOnLanPacket)ethernetPacket.PayloadPacket);
}
}
// otherwise see if we have a udp packet (might have been sent to port 7 or 9) that
// contains a wol packet
var udpPacket = (UdpPacket)p.Extract(typeof(UdpPacket));
if (udpPacket != null)
{
// if the destination port is 7 or 9 then this is already parsed as a
// WakeOnLan packet so just return it
if ((udpPacket.DestinationPort == 7) || (udpPacket.DestinationPort == 9))
{
return((WakeOnLanPacket)udpPacket.PayloadPacket);
}
}
return(null);
}
public void ReportPacketCapture(Packet packet, DateTime arrivalTime)
{
var ip = (PacketDotNet.IpPacket)packet.Extract(typeof(PacketDotNet.IpPacket));
//IpPacket ip = (IpPacket)packet.Extract(typeof(IpPacket));
TcpPacket tcp = (TcpPacket)packet.Extract(typeof(TcpPacket));
ASCIIEncoding format = new ASCIIEncoding();
string payloadAsText = format.GetString(packet.Bytes);
payloadAsText = payloadAsText.ToLower();
//remove non readable characters
//payloadAsText = Regex.Replace(payloadAsText, @"[^\u0000-\u007F]", string.Empty);
payloadAsText = Regex.Replace(payloadAsText, "[^0-9a-zA-Z]+", string.Empty);
if ((tcp != null) && (payloadAsText.Contains("ftp")))
{
int x = 5;
}
if (payloadAsText.Length > 255)
{
payloadAsText = payloadAsText.Substring(0, 255);
}
if (tcp != null)
{
_sensorEventAgent.LogEvent(_sensorId, ip.DestinationAddress.ToString(), tcp.DestinationPort, ip.SourceAddress.ToString(), tcp.SourcePort,
arrivalTime, payloadAsText);
}
}
/// <summary>
/// Called by IPv4 and IPv6 packets to parse their packet payload
/// </summary>
/// <param name="payload">
/// A <see cref="ByteArraySegment"/>
/// </param>
/// <param name="ProtocolType">
/// A <see cref="IPProtocolType"/>
/// </param>
/// <param name="ParentPacket">
/// A <see cref="Packet"/>
/// </param>
/// <returns>
/// A <see cref="PacketOrByteArraySegment"/>
/// </returns>
internal static PacketOrByteArraySegment ParseEncapsulatedBytes(ByteArraySegment payload,
IPProtocolType ProtocolType,
Packet ParentPacket)
{
log.DebugFormat("payload: {0}, ParentPacket.GetType() {1}",
payload,
ParentPacket.GetType());
var payloadPacketOrData = new PacketOrByteArraySegment();
// if we are an ipv4 packet with a non-zero FragementOffset we shouldn't attempt
// to decode the content, it is a continuation of a previous packet so it won't
// have the proper headers for its type, that was in the first packet fragment
var ipv4Packet = ParentPacket.Extract(typeof(IPv4Packet)) as IPv4Packet;
if (ipv4Packet != null)
{
if (ipv4Packet.FragmentOffset > 0)
{
payloadPacketOrData.TheByteArraySegment = payload;
return(payloadPacketOrData);
}
}
switch (ProtocolType)
{
case IPProtocolType.TCP:
payloadPacketOrData.ThePacket = new TcpPacket(payload,
ParentPacket);
break;
case IPProtocolType.UDP:
payloadPacketOrData.ThePacket = new UdpPacket(payload,
ParentPacket);
break;
case IPProtocolType.ICMP:
payloadPacketOrData.ThePacket = new ICMPv4Packet(payload,
ParentPacket);
break;
case IPProtocolType.ICMPV6:
payloadPacketOrData.ThePacket = new ICMPv6Packet(payload,
ParentPacket);
break;
case IPProtocolType.IGMP:
payloadPacketOrData.ThePacket = new IGMPv2Packet(payload,
ParentPacket);
break;
// NOTE: new payload parsing entries go here
default:
payloadPacketOrData.TheByteArraySegment = payload;
break;
}
return(payloadPacketOrData);
}
/// <summary>
/// Initialize Http Packet
/// </summary>
/// <param name="packet">First TCP packet which consist of Http packet</param>
public HttpPacket(Packet packet)
: this()
{
try
{
TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket));
// Update next sequence number
nextSequenceNumber = tcpPacket.SequenceNumber + (uint)packet.PayloadPacket.PayloadPacket.PayloadData.Length;
ParsingHeader(packet.PayloadPacket.PayloadPacket.PayloadData);
}
catch (ArgumentException e)
{
throw new ArgumentException("invalid packet data");
}
}
// arp response
private void VerifyPacket1(Packet p)
{
var arpPacket = (ARPPacket)p.Extract (typeof(ARPPacket));
Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null");
IPAddress senderIp = IPAddress.Parse("192.168.1.214");
IPAddress targetIp = IPAddress.Parse("192.168.1.202");
Assert.AreEqual(senderIp, arpPacket.SenderProtocolAddress);
Assert.AreEqual(targetIp, arpPacket.TargetProtocolAddress);
string senderMacAddress = "00216A020854";
string targetMacAddress = "000461990154";
Assert.AreEqual(senderMacAddress, arpPacket.SenderHardwareAddress.ToString());
Assert.AreEqual(targetMacAddress, arpPacket.TargetHardwareAddress.ToString());
}
private void VerifyPacket0(Packet p)
{
// expect an arp packet
var arpPacket = (ARPPacket)p.Extract(typeof(ARPPacket));
Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null");
// validate some of the LinuxSSLPacket fields
var l = (LinuxSLLPacket)p;
Assert.AreEqual(6, l.LinkLayerAddressLength, "Address length");
Assert.AreEqual(1, l.LinkLayerAddressType);
Assert.AreEqual(LinuxSLLType.PacketSentToUs, l.Type);
// validate some of the arp fields
Assert.AreEqual("192.168.1.1",
arpPacket.SenderProtocolAddress.ToString(),
"Arp SenderProtocolAddress");
Assert.AreEqual("192.168.1.102",
arpPacket.TargetProtocolAddress.ToString(),
"Arp TargetProtocolAddress");
}
// icmpv6
public void VerifyPacket0(Packet p, RawCapture rawCapture)
{
Assert.IsNotNull(p);
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHwAddress);
Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHwAddress);
var ip = (IpPacket)p.Extract (typeof(IpPacket));
Console.WriteLine("ip {0}", ip.ToString());
Assert.AreEqual(System.Net.IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("ff02::2"), ip.DestinationAddress);
Assert.AreEqual(IpVersion.IPv6, ip.Version);
Assert.AreEqual(IPProtocolType.ICMPV6, ip.Protocol);
Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch");
Assert.AreEqual(255, ip.HopLimit);
Assert.AreEqual(255, ip.TimeToLive);
Assert.AreEqual(0x3a, (byte)ip.NextHeader);
Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented.");
Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds);
Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds);
}
// udp
public void VerifyPacket2(Packet p, RawCapture rawCapture)
{
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual("0014BFF2EF0A", e.SourceHwAddress.ToString());
Assert.AreEqual("0016CFC91E29", e.DestinationHwAddress.ToString());
var ip = (IpPacket)p.Extract (typeof(IpPacket));
Assert.AreEqual(System.Net.IPAddress.Parse("172.210.164.56"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.104"), ip.DestinationAddress);
Assert.AreEqual(IpVersion.IPv4, ip.Version);
Assert.AreEqual(IPProtocolType.UDP, ip.Protocol);
Assert.AreEqual(112, ip.TimeToLive);
Assert.AreEqual(0xe0a2, ((IPv4Packet)ip).CalculateIPChecksum());
Assert.AreEqual(1171483602, rawCapture.Timeval.Seconds);
Assert.AreEqual(578641.000, rawCapture.Timeval.MicroSeconds);
var udp = (UdpPacket)p.Extract(typeof(UdpPacket));
Assert.AreEqual(52886, udp.SourcePort);
Assert.AreEqual(56924, udp.DestinationPort);
Assert.AreEqual(71, udp.Length);
Assert.AreEqual(0xc8b8, udp.Checksum);
}
// icmp
public void VerifyPacket5(Packet p, RawCapture rawCapture)
{
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual("0016CFC91E29", e.SourceHwAddress.ToString());
Assert.AreEqual("0014BFF2EF0A", e.DestinationHwAddress.ToString());
var ip = (IpPacket)p.Extract (typeof(IpPacket));
Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.104"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("85.195.52.22"), ip.DestinationAddress);
}
// dns
public void VerifyPacket3(Packet p, RawCapture rawCapture)
{
Console.WriteLine(p.ToString());
EthernetPacket e = (EthernetPacket)p;
Assert.AreEqual("0016CFC91E29", e.SourceHwAddress.ToString());
Assert.AreEqual("0014BFF2EF0A", e.DestinationHwAddress.ToString());
var ip = (IpPacket)p.Extract (typeof(IpPacket));
Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.172"), ip.SourceAddress);
Assert.AreEqual(System.Net.IPAddress.Parse("66.189.0.29"), ip.DestinationAddress);
Assert.AreEqual(IPProtocolType.UDP, ip.Protocol);
Assert.AreEqual(0x7988, ((IPv4Packet)ip).CalculateIPChecksum());
var udp = (UdpPacket)p.Extract (typeof(UdpPacket));
Assert.AreEqual(3619, udp.SourcePort);
Assert.AreEqual(53, udp.DestinationPort);
Assert.AreEqual(47, udp.Length);
Assert.AreEqual(0xbe2d, udp.Checksum);
}
public void ReportPacketCapture(Packet packet, DateTime arrivalTime)
{
IpPacket ip = (IpPacket)packet.Extract(typeof(IpPacket));
TcpPacket tcp = (TcpPacket)packet.Extract(typeof(TcpPacket));
ASCIIEncoding format = new ASCIIEncoding();
string payloadAsText = format.GetString(packet.Bytes);
payloadAsText = payloadAsText.ToLower();
//remove non readable characters
//payloadAsText = Regex.Replace(payloadAsText, @"[^\u0000-\u007F]", string.Empty);
payloadAsText = Regex.Replace(payloadAsText, "[^0-9a-zA-Z]+", string.Empty);
if ((tcp != null) && (payloadAsText.Contains("ftp")))
{
int x = 5;
}
if (payloadAsText.Length > 255)
{
payloadAsText = payloadAsText.Substring(0, 255);
}
if (tcp != null)
{
_sensorEventAgent.LogEvent(_sensorId, ip.DestinationAddress.ToString(), tcp.DestinationPort, ip.SourceAddress.ToString(), tcp.SourcePort,
arrivalTime, payloadAsText);
}
}
public Boolean AssembleTcpPacket(Packet packet)
{
TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket));
byte[] data = packet.PayloadPacket.PayloadPacket.PayloadData;
string content = Encoding.UTF8.GetString(data);
if (tcpPacket.SequenceNumber == nextSequenceNumber && data.Length != 0)
{
if (body != null)
{
Array.Copy(data, 0, body, relativeNextSequenceNumber, data.Length);
// Update next sequence number
// Next Sequence Number = Current Sequence Number + Packet Payload Data Length
nextSequenceNumber += (uint)data.Length;
relativeNextSequenceNumber += (uint)data.Length;
isAssembleEnded = relativeNextSequenceNumber >= body.Length;
}
else
{
isAssembleEnded = true;
}
}
return isAssembleEnded;
}
private void VerifyPacket2(Packet p)
{
// expecting a tcp packet
Assert.IsNotNull((TcpPacket)p.Extract(typeof(TcpPacket)), "expected a tcp packet");
}
private void VerifyPacket1(Packet p)
{
// expect a udp packet
Assert.IsNotNull((UdpPacket)p.Extract(typeof(UdpPacket)), "expected a udp packet");
}
