예제 #1
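        /// <summary>
        /// Capture callback: parses the arriving frame and raises an alert for every TCP, UDP, IGMP,
        /// ICMPv6 or ICMPv4 packet carried inside an Ethernet frame.
        /// </summary>
        /// <remarks>
        /// This handler applies no rule, allow-list or rate limit: each matching packet produces one alert.
        /// NOTE(review): unless the capture device is opened with a restrictive filter elsewhere, normal
        /// traffic will flood the alert channel. The source address and port in the message are copied
        /// from the packet itself, which a sender can forge, so they are not proof of origin.
        /// </remarks>
        /// <param name="sender">The capture device that raised the event (unused).</param>
        /// <param name="e">Event data holding the captured packet.</param>
        private static void device_OnPacketArrival(object sender, CaptureEventArgs e)
        {
            try
            {
                Kavprot.Packets.Packet packet = Kavprot.Packets.Packet.ParsePacket(e.Packet);
                if (!(packet is Kavprot.Packets.EthernetPacket))
                {
                    return;
                }

                var ip = Kavprot.Packets.IpPacket.GetEncapsulated(packet);
                if (ip == null)
                {
                    // Ethernet frame without an IP layer (ARP, for example). Previously this fell
                    // through to a NullReferenceException that the catch block hid.
                    return;
                }

                switch (ip.Protocol)
                {
                    case Kavprot.Packets.IPProtocolType.TCP:
                        TcpPacket tcp = TcpPacket.GetEncapsulated(packet);
                        if (tcp != null)
                        {
                            Alert.Attack("Intrusion Detected", "an intrusion was detected using TCP from " + ip.SourceAddress.ToString() + " @port " + tcp.SourcePort.ToString(), ToolTipIcon.Warning, true);
                        }
                        break;

                    case Kavprot.Packets.IPProtocolType.UDP:
                        UdpPacket udp = UdpPacket.GetEncapsulated(packet);
                        if (udp != null)
                        {
                            Alert.Attack("Intrusion Detected", "an intrusion was detected using UDP from " + ip.SourceAddress.ToString() + " @port " + udp.SourcePort.ToString(), ToolTipIcon.Warning, true);
                        }
                        break;

                    case Kavprot.Packets.IPProtocolType.IGMP:
                        IGMPv2Packet igmp = IGMPv2Packet.GetEncapsulated(packet);
                        if (igmp != null)
                        {
                            Alert.Attack("Intrusion Detected : Unwanted IGMP Packet", "an intrusion was detected using IGMP from " + ip.SourceAddress.ToString(), ToolTipIcon.Warning, true);
                        }
                        break;

                    case Kavprot.Packets.IPProtocolType.ICMPV6:
                        ICMPv6Packet icmp6 = ICMPv6Packet.GetEncapsulated(packet);
                        if (icmp6 != null)
                        {
                            Alert.Attack("Intrusion Detected : Unwanted ICMPv6 Packet", "an intrusion was detected using ICMPv6 from " + ip.SourceAddress.ToString(), ToolTipIcon.Warning, true);
                        }
                        break;

                    case Kavprot.Packets.IPProtocolType.ICMP:
                        ICMPv4Packet icmp4 = ICMPv4Packet.GetEncapsulated(packet);
                        if (icmp4 != null)
                        {
                            Alert.Attack("Intrusion Detected : Unwanted ICMPv4 Packet", "an intrusion was detected using ICMPv4 from " + ip.SourceAddress.ToString(), ToolTipIcon.Warning, true);
                        }
                        break;
                }
            }
            catch (System.Exception ex)
            {
                // The callback must not throw back into the capture loop, so the packet is still
                // dropped. A frame that cannot be decoded is itself worth seeing on a monitoring
                // tool, so record it rather than discarding it silently.
                System.Diagnostics.Trace.TraceWarning("device_OnPacketArrival: packet could not be processed: " + ex.Message);
            }
        }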
예제 #2
 /// <summary>
 /// Extracts each known protocol layer from <paramref name="packet"/> into its own field and
 /// stores a display name for the packet in <c>typeName</c>.
 /// </summary>
 /// <remarks>
 /// When several layers are present the name is picked by fixed priority: UDP, TCP, PPP, PPPoE,
 /// IGMPv2, ICMPv6, ICMPv4, ARP, Ip, Ethernet. If no layer is found, <c>typeName</c> is left untouched.
 /// </remarks>
 /// <param name="packet">The parsed packet to inspect.</param>
 public PacketDetials(Packet packet)
 {
     this.packet = packet;

     // Decode every layer first; a field stays null when that layer is absent.
     ethernetPacket = EthernetPacket.GetEncapsulated(packet);
     ipPacket       = IpPacket.GetEncapsulated(packet);
     arpPacket      = ARPPacket.GetEncapsulated(packet);
     icmpv4Packet   = ICMPv4Packet.GetEncapsulated(packet);
     icmpv6Packet   = ICMPv6Packet.GetEncapsulated(packet);
     igmpv2Packet   = IGMPv2Packet.GetEncapsulated(packet);
     pppoePacket    = PPPoEPacket.GetEncapsulated(packet);
     pppPacket      = PPPPacket.GetEncapsulated(packet);
     tcpPacket      = TcpPacket.GetEncapsulated(packet);
     udpPacket      = UdpPacket.GetEncapsulated(packet);

     // Pick the name of the highest-priority layer that was found.
     if (udpPacket != null)
     {
         typeName = "UDP";
     }
     else if (tcpPacket != null)
     {
         typeName = "TCP";
     }
     else if (pppPacket != null)
     {
         typeName = "PPP";
     }
     else if (pppoePacket != null)
     {
         typeName = "PPPoE";
     }
     else if (igmpv2Packet != null)
     {
         typeName = "IGMPv2";
     }
     else if (icmpv6Packet != null)
     {
         typeName = "ICMPv6";
     }
     else if (icmpv4Packet != null)
     {
         typeName = "ICMPv4";
     }
     else if (arpPacket != null)
     {
         typeName = "ARP";
     }
     else if (ipPacket != null)
     {
         typeName = "Ip";
     }
     else if (ethernetPacket != null)
     {
         typeName = "Ethernet";
     }
 }
예제 #3
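        /// <summary>
        /// Stores the IP payload and dispatches on the next-header value to the matching protocol
        /// handler; an encapsulated IPv6 packet is re-parsed and processed recursively.
        /// </summary>
        /// <remarks>
        /// All layers come from captured, untrusted bytes. A truncated or malformed inner packet can
        /// fail to decode, so missing layers are skipped here instead of being dereferenced.
        /// </remarks>
        /// <param name="ip">The IP layer to inspect; the call is a no-op when it is null.</param>
        private void ipNext(IpPacket ip)
        {
            if (ip == null)
            {
                return;
            }

            PayLoadData = ip.PayloadData;
            switch (ip.NextHeader)
            {
            case IPProtocolType.TCP:    // final protocol is TCP
                // NOTE(review): the transport handlers below receive null when the layer cannot be
                // decoded; presumably they check for it, verify against TCP/UDP/ICMPv4/ICMPv6/IGMP.
                TcpPacket tcp = TcpPacket.GetEncapsulated(packet);
                TCP(tcp);
                break;

            case IPProtocolType.UDP:
                UdpPacket udp = UdpPacket.GetEncapsulated(packet);
                UDP(udp);
                break;

            case IPProtocolType.ICMP:
                ICMPv4Packet icmp = ICMPv4Packet.GetEncapsulated(packet);
                ICMPv4(icmp);
                break;

            case IPProtocolType.ICMPV6:
                ICMPv6Packet icmpv6 = ICMPv6Packet.GetEncapsulated(packet);
                ICMPv6(icmpv6);
                break;

            case IPProtocolType.IGMP:
                IGMPv2Packet igmp = IGMPv2Packet.GetEncapsulated(packet);
                IGMP(igmp);
                break;

            case IPProtocolType.IPV6:
                var innerBytes = ip.PayloadData;
                if (innerBytes == null)
                {
                    break;
                }

                // Prepend a synthetic Ethernet header (two zeroed MAC addresses, EtherType 0x86DD)
                // so the tunnelled payload can be parsed as a stand-alone frame.
                List <byte> packetData = new List <byte>();
                packetData.AddRange(new byte[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 });
                packetData.AddRange(new byte[] { 0x86, 0xdd });
                packetData.AddRange(innerBytes);
                Packet     p   = Packet.ParsePacket(LinkLayers.Ethernet, packetData.ToArray());
                IPv6Packet ip6 = IPv6Packet.GetEncapsulated(p) as IPv6Packet;
                if (ip6 == null)
                {
                    // Inner bytes did not decode as IPv6; keep the current packet and stop unwrapping.
                    break;
                }

                IPv6(ip6);
                packet = p;
                // NOTE(review): recursion depth follows the tunnel nesting in the capture. Each level
                // re-parses only the previous payload, so depth looks bounded by the frame length;
                // confirm before feeding very large captures.
                ipNext(ip6 as IpPacket);
                break;

            case IPProtocolType.GRE:
                GREPacket gre = new GREPacket(ip.PayloadData);
                GRE(gre);
                break;
            }
        }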
예제 #4
        /// <summary>
        /// Turns one raw capture into a <c>DataPacket</c> record and, for TCP, UDP and ICMPv4 traffic,
        /// hands the record to the DNS lookup worker.
        /// </summary>
        /// <remarks>
        /// ARP records are returned without being queued. Timestamps use local time (DateTime.Now).
        /// NOTE(review): no size limit on DnsLookupQueue is visible here, and one entry is queued per
        /// matching packet, so a traffic burst grows the queue as fast as packets arrive; confirm the
        /// worker or the queue bounds this.
        /// </remarks>
        /// <param name='capture'>
        /// The raw data captured from the interface.
        /// </param>
        /// <returns>
        /// The populated record for TCP, UDP, ICMPv4 or ARP traffic; null for any other packet.
        /// </returns>
        public DataPacket Process(RawCapture capture)
        {
            var record = new DataPacket();

            // Parse the raw bytes and look for an IP layer shared by the checks below.
            var frame   = Packet.ParsePacket(capture.LinkLayerType, capture.Data);
            var ipLayer = IpPacket.GetEncapsulated(frame);

            // TCP over IP: copy addresses, ports and payload.
            var tcpLayer = TcpPacket.GetEncapsulated(frame);
            if (ipLayer != null && tcpLayer != null)
            {
                record.IpAddressSource      = ipLayer.SourceAddress.ToString();
                record.IpAddressDestination = ipLayer.DestinationAddress.ToString();
                record.PortSource           = tcpLayer.SourcePort;
                record.PortDestination      = tcpLayer.DestinationPort;
                record.Payload              = tcpLayer.PayloadData;
                record.Protocol             = NetworkProtocol.tcp;
                record.Timestamp            = DateTime.Now;
                return QueueForDnsLookup(record);
            }

            // UDP over IP: same fields as TCP.
            var udpLayer = UdpPacket.GetEncapsulated(frame);
            if (ipLayer != null && udpLayer != null)
            {
                record.IpAddressSource      = ipLayer.SourceAddress.ToString();
                record.IpAddressDestination = ipLayer.DestinationAddress.ToString();
                record.PortSource           = udpLayer.SourcePort;
                record.PortDestination      = udpLayer.DestinationPort;
                record.Payload              = udpLayer.PayloadData;
                record.Protocol             = NetworkProtocol.udp;
                record.Timestamp            = DateTime.Now;
                return QueueForDnsLookup(record);
            }

            // ICMPv4 over IP: no ports, the type code is stored instead.
            var icmpLayer = ICMPv4Packet.GetEncapsulated(frame);
            if (ipLayer != null && icmpLayer != null)
            {
                record.IpAddressSource      = ipLayer.SourceAddress.ToString();
                record.IpAddressDestination = ipLayer.DestinationAddress.ToString();
                record.Type                 = icmpLayer.TypeCode.ToString();
                record.Payload              = icmpLayer.PayloadData;
                record.Protocol             = NetworkProtocol.icmp;
                record.Timestamp            = DateTime.Now;
                return QueueForDnsLookup(record);
            }

            // ARP: hardware addresses only, returned directly without a DNS lookup.
            var arpLayer = ARPPacket.GetEncapsulated(frame);
            if (arpLayer != null)
            {
                record.Timestamp             = DateTime.Now;
                record.HardwareAddressSource = arpLayer.SenderHardwareAddress.ToString();
                record.HardwareAddressTarget = arpLayer.TargetHardwareAddress.ToString();
                record.Protocol              = NetworkProtocol.arp;
                record.Payload               = frame.PayloadData;
                return record;
            }

            // Unrecognised packet type.
            return null;
        }

        /// <summary>
        /// Adds the record to the DNS lookup queue under its lock, signals the worker, and returns the record.
        /// </summary>
        private DataPacket QueueForDnsLookup(DataPacket record)
        {
            lock (DnsLookupQueue)
            {
                DnsLookupQueue.Enqueue(record);
            }
            WaitHandle.Set();

            return record;
        }
예제 #5
        //标记当前数据是否有效

        #region 构建数据行
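        /// <summary>
        /// Builds the seven display columns of a packet-list (DataGrid) row for one captured frame.
        /// </summary>
        /// <remarks>
        /// Columns: [0] zero-padded packet number, [1] protocol label, [2] captured length in bytes,
        /// [3] source, [4] destination, [5] protocol-specific details, [6] local timestamp.
        /// Every value is derived from captured, untrusted bytes. The application labels (SMTP, HTTP,
        /// FTP, POP3, OICQ) are guessed from a port number or a single payload byte, so they are
        /// hints for the viewer, not verified protocol identification.
        /// </remarks>
        /// <param name="rawPacket">The raw capture to describe.</param>
        /// <param name="packetID">Sequence number shown in the first column.</param>
        /// <returns>A seven-element string array; fields that do not apply hold "--" or "Unknown".</returns>
        public string[] Row(RawCapture rawPacket, uint packetID)
        {
            string[] rows = new string[7];

            rows[0] = string.Format("{0:D7}", packetID); // packet number
            rows[1] = "Unknown";
            rows[2] = rawPacket.Data.Length.ToString();  // captured length in bytes
            rows[3] = "--";
            rows[4] = "--";
            rows[5] = "--";
            rows[6] = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
            Packet packet = Packet.ParsePacket(rawPacket.LinkLayerType, rawPacket.Data);

            EthernetPacket ep = EthernetPacket.GetEncapsulated(packet);

            if (ep != null)
            {
                rows[1] = "Ethernet(v2)";
                rows[3] = Format.MacFormat(ep.SourceHwAddress.ToString());
                rows[4] = Format.MacFormat(ep.DestinationHwAddress.ToString());
                rows[5] = "[" + ep.Type.ToString() + "]";

                // IP and the protocols carried on top of it.
                IpPacket ip = IpPacket.GetEncapsulated(packet);
                if (ip != null)
                {
                    if (ip.Version == IpVersion.IPv4)
                    {
                        rows[1] = "IPv4";
                    }
                    else
                    {
                        rows[1] = "IPv6";
                    }
                    rows[3] = ip.SourceAddress.ToString();
                    rows[4] = ip.DestinationAddress.ToString();
                    rows[5] = "[下层协议:" + ip.NextHeader.ToString() + "] [版本:" + ip.Version.ToString() + "]";

                    TcpPacket tcp = TcpPacket.GetEncapsulated(packet);
                    if (tcp != null)
                    {
                        rows[1]  = "TCP";
                        rows[3] += " [" + tcp.SourcePort.ToString() + "]";
                        rows[4] += " [" + tcp.DestinationPort.ToString() + "]";

                        // Port-based guess: 25 = SMTP; 80, 8080, 3128 = HTTP; 21 = FTP.
                        // Ports are compared as numbers instead of through ToString().
                        int srcPort = tcp.SourcePort;
                        int dstPort = tcp.DestinationPort;
                        if (dstPort == 25 || srcPort == 25)
                        {
                            rows[1] = "SMTP";
                        }
                        else if (dstPort == 80 || dstPort == 8080 || dstPort == 3128)
                        {
                            rows[1] = "HTTP";
                        }
                        else if (dstPort == 21)
                        {
                            rows[1] = "FTP";
                        }
                        else if (dstPort == 143)
                        {
                            // NOTE(review): 143 is the registered IMAP port and POP3 is 110, so
                            // either the port or the label is wrong. Left as-is pending confirmation.
                            rows[1] = "POP3";
                        }
                        return(rows);
                    }
                    UdpPacket udp = UdpPacket.GetEncapsulated(packet);
                    if (udp != null)
                    {
                        // Offset 42 is the first UDP payload byte only for Ethernet (14) + IPv4
                        // without options (20) + UDP header (8). A datagram with no payload is exactly
                        // 42 bytes, so the length is checked before indexing.
                        bool looksLikeOicq = rawPacket.Data.Length > 42 && rawPacket.Data[42] == 0x02;
                        rows[1] = looksLikeOicq ? "OICQ" : "UDP";
                        rows[3] += " [" + udp.SourcePort.ToString() + "]";
                        rows[4] += " [" + udp.DestinationPort.ToString() + "]";
                        return(rows);
                    }

                    ICMPv4Packet icmpv4 = ICMPv4Packet.GetEncapsulated(packet);
                    if (icmpv4 != null)
                    {
                        rows[1] = "ICMPv4";
                        rows[5] = "[校验:" + icmpv4.Checksum.ToString() + "] [类型:" + icmpv4.TypeCode.ToString() + "] [序列号:" + icmpv4.Sequence.ToString() + "]";
                        return(rows);
                    }
                    ICMPv6Packet icmpv6 = ICMPv6Packet.GetEncapsulated(packet);
                    if (icmpv6 != null)
                    {
                        rows[1] = "ICMPv6";
                        rows[5] = "[Code:" + icmpv6.Code.ToString() + "] [Type" + icmpv6.Type.ToString() + "]";
                        return(rows);
                    }
                    IGMPv2Packet igmp = IGMPv2Packet.GetEncapsulated(packet);
                    if (igmp != null)
                    {
                        rows[1] = "IGMP";
                        rows[5] = "[只适用于IGMPv2] [组地址:" + igmp.GroupAddress.ToString() + "]  [类型:" + igmp.Type.ToString() + "]";
                        return(rows);
                    }
                    return(rows);
                }

                // Non-IP protocols carried directly in the Ethernet frame.
                ARPPacket arp = ARPPacket.GetEncapsulated(packet);
                if (arp != null)
                {
                    rows[1] = "ARP";
                    rows[3] = Format.MacFormat(arp.SenderHardwareAddress.ToString());
                    rows[4] = Format.MacFormat(arp.TargetHardwareAddress.ToString());
                    rows[5] = "[Arp操作方式:" + arp.Operation.ToString() + "] [发送者:" + arp.SenderProtocolAddress.ToString() + "] [目标:" + arp.TargetProtocolAddress.ToString() + "]";
                    return(rows);
                }
                WakeOnLanPacket wp = WakeOnLanPacket.GetEncapsulated(packet);
                if (wp != null)
                {
                    rows[1] = "Wake On Lan";
                    rows[3] = Format.MacFormat(ep.SourceHwAddress.ToString());
                    rows[4] = Format.MacFormat(wp.DestinationMAC.ToString());
                    rows[5] = "[唤醒网络地址:" + wp.DestinationMAC.ToString() + "] [有效性:" + wp.IsValid().ToString() + "]";
                    return(rows);
                }
                PPPoEPacket poe = PPPoEPacket.GetEncapsulated(packet);
                if (poe != null)
                {
                    rows[1] = "PPPoE";
                    rows[5] = poe.Type.ToString() + " " + poe.Version.ToString();
                    return(rows);
                }
                LLDPPacket llp = LLDPPacket.GetEncapsulated(packet);
                if (llp != null)
                {
                    rows[1] = "LLDP";
                    rows[5] = llp.ToString();
                    return(rows);
                }
                return(rows);
            }

            // Other link-layer types.
            PPPPacket ppp = PPPPacket.GetEncapsulated(packet);
            if (ppp != null)
            {
                rows[1] = "PPP";
                rows[3] = "--";
                rows[4] = "--";
                rows[5] = "协议类型:" + ppp.Protocol.ToString();
                return(rows);
            }
            // PPP over a serial link
            PppSerialPacket ppps = PppSerialPacket.GetEncapsulated(packet);
            if (ppps != null)
            {
                rows[1] = "PPP";
                rows[3] = "--";
                rows[4] = "0x" + ppps.Address.ToString("X2");
                rows[5] = "地址:" + ppps.Address.ToString("X2") + " 控制:" + ppps.Control.ToString() + " 协议类型:" + ppps.Protocol.ToString();
                return(rows);
            }
            // Cisco HDLC
            CiscoHDLCPacket hdlc = CiscoHDLCPacket.GetEncapsulated(packet);
            if (hdlc != null)
            {
                rows[1] = "Cisco HDLC";
                rows[3] = "--";
                rows[4] = "0x" + hdlc.Address.ToString("X2");
                rows[5] = "地址:" + hdlc.Address.ToString("X2") + " 控制:" + hdlc.Control.ToString() + " 协议类型:" + hdlc.Protocol.ToString();
                return(rows);
            }

            // The frame was already parsed above; reuse that result instead of parsing the same
            // bytes again for each of the remaining type checks.
            PacketDotNet.Ieee80211.MacFrame ieee = packet as PacketDotNet.Ieee80211.MacFrame;
            if (ieee != null)
            {
                rows[1] = "IEEE802.11 MacFrame";
                rows[3] = "--";
                rows[4] = "--";
                rows[5] = "帧校验序列:" + ieee.FrameCheckSequence.ToString() + " 封装帧:" + ieee.FrameControl.ToString();
                return(rows);
            }
            PacketDotNet.Ieee80211.RadioPacket ieeePacket = packet as PacketDotNet.Ieee80211.RadioPacket;
            if (ieeePacket != null)
            {
                rows[1] = "IEEE Radio";
                rows[5] = "Version=" + ieeePacket.Version.ToString();
            }
            LinuxSLLPacket linux = packet as LinuxSLLPacket;
            if (linux != null)
            {
                rows[1] = "LinuxSLL";
                rows[5] = "Tyep=" + linux.Type.ToString() + " Protocol=" + linux.EthernetProtocolType.ToString();
            }
            return(rows);
        }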