public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, bool clientToServer, out AbstractPacket result) { result = null; try { if (clientToServer) { //first character should be letter char firstChar = (char)parentFrame.Data[packetStartIndex]; if (!Char.IsLetter(firstChar)) { return(false); } int index = packetStartIndex;//index will be changed... string command = Utils.ByteConverter.ReadLine(parentFrame.Data, ref index); if (command.Contains(" ")) { command = command.Substring(0, command.IndexOf(' ')); } if (Array.IndexOf <string>(userCommands, command.ToUpper()) == -1) { return(false); } } else //server to client //first 3 characters should be numbers { if (!Char.IsDigit((char)parentFrame.Data[packetStartIndex])) { return(false); } if (!Char.IsDigit((char)parentFrame.Data[packetStartIndex + 1])) { return(false); } if (!Char.IsDigit((char)parentFrame.Data[packetStartIndex + 2])) { return(false); } //avoid classifying SMTP as FTP int index = packetStartIndex; if (Utils.ByteConverter.ReadLine(parentFrame.Data, ref index).Contains("ESMTP")) { return(false); } } result = new FtpPacket(parentFrame, packetStartIndex, packetEndIndex, clientToServer); return(true); } catch { return(false); } }
private AbstractPacket GetProtocolPacket(ApplicationLayerProtocol protocol, bool clientToServer) { AbstractPacket packet = null; if (protocol == ApplicationLayerProtocol.Dns) { if (DnsPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true, out DnsPacket dnsPacket)) { return(dnsPacket); } } else if (protocol == ApplicationLayerProtocol.FtpControl) { if (FtpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Http) { if (HttpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Http2) { if (Http2Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Irc) { if (IrcPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.IEC_104) { if (IEC_60870_5_104Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Imap) { return(new ImapPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer)); } else if (protocol == ApplicationLayerProtocol.Kerberos) { return(new KerberosPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true)); } else if (protocol == ApplicationLayerProtocol.Lpd) { if (LpdPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.ModbusTCP) { if (ModbusTcpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.NetBiosNameService) { return(new NetBiosNameServicePacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex)); } else if (protocol == ApplicationLayerProtocol.NetBiosSessionService) { if (NetBiosSessionService.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet, this.IsVirtualPacketFromTrailingDataInTcpSegment)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.OpenFlow) { if (OpenFlowPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Oscar) { if (OscarPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.OscarFileTransfer) { if (OscarFileTransferPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Pop3) { return(new Pop3Packet(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer)); } else if (protocol == ApplicationLayerProtocol.Sip) { return(new SipPacket(this.ParentFrame, this.PacketStartIndex + this.DataOffsetByteCount, this.PacketEndIndex)); } else if (protocol == ApplicationLayerProtocol.Smtp) { return(new SmtpPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer)); } else if (protocol == ApplicationLayerProtocol.Socks) { if (SocksPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol) { if (SpotifyKeyExchangePacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Ssh) { if (SshPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.Ssl) { if (SslPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet)) { return(packet); } } else if (protocol == ApplicationLayerProtocol.TabularDataStream) { return(new TabularDataStreamPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex)); } else if (protocol == ApplicationLayerProtocol.Tpkt) { if (TpktPacket.TryParse(ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this, out packet)) { return(packet); } } return(packet); }
internal IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference, ISessionProtocolFinder protocolFinder, bool clientToServer) { if (includeSelfReference) { yield return(this); } if (PacketStartIndex + dataOffsetByteCount < PacketEndIndex) { AbstractPacket packet = null; foreach (ApplicationLayerProtocol protocol in protocolFinder.GetProbableApplicationLayerProtocols()) { try{ if (protocol == ApplicationLayerProtocol.Dns) { packet = new DnsPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex); protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Dns; break; } else if (protocol == ApplicationLayerProtocol.FtpControl) { if (FtpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.FtpControl; break; } } else if (protocol == ApplicationLayerProtocol.Http) { if (HttpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Http; break; } } else if (protocol == ApplicationLayerProtocol.Irc) { if (IrcPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Irc; break; } } else if (protocol == ApplicationLayerProtocol.IEC_104) { if (IEC_60870_5_104Packet.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.IEC_104; break; } } else if (protocol == ApplicationLayerProtocol.NetBiosNameService) { packet = new NetBiosNameServicePacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex); protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosNameService; break; } else if (protocol == ApplicationLayerProtocol.NetBiosSessionService) { if (NetBiosSessionService.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { //packet = new NetBiosSessionService(ParentFrame, PacketStartIndex+dataOffsetByteCount, PacketEndIndex, false); protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosSessionService; break; } } else if (protocol == ApplicationLayerProtocol.Oscar) { if (OscarPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Oscar; break; } } else if (protocol == ApplicationLayerProtocol.OscarFileTransfer) { if (OscarFileTransferPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.OscarFileTransfer; break; } } else if (protocol == ApplicationLayerProtocol.Smtp) { packet = new SmtpPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer); protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Smtp; break; } else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol) { if (SpotifyKeyExchangePacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.SpotifyServerProtocol; break; } } else if (protocol == ApplicationLayerProtocol.Ssh) { if (SshPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssh; break; } } else if (protocol == ApplicationLayerProtocol.Ssl) { if (SslPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) { protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssl; break; } } else if (protocol == ApplicationLayerProtocol.TabularDataStream) { packet = new TabularDataStreamPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex); protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.TabularDataStream; break; } } catch (Exception) { packet = null; } } if (packet == null) { packet = new RawPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex); } yield return(packet); foreach (AbstractPacket subPacket in packet.GetSubPackets(false)) { yield return(subPacket); } } }