예제 #1
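        // Feeds one captured packet into HTTP POST reassembly.
        //
        // Non-IPv4 and non-TCP packets are ignored. A packet that continues a tracked
        // POST request is reassembled into its MailList entry; once that entry reports
        // Var_PushFlag, the collected fragments are joined, handed to DoSomething and
        // the entry is removed. A packet that starts a POST request creates a new entry.
        //
        // packet:        captured packet to inspect.
        // PacketMonitor: form passed through to DoSomething.
        //
        // Any exception is contained here and reported on stderr with its type and
        // message only (never packet content).
        public static void Trace(Packet packet, PacketMonitorForm PacketMonitor)
        {
            try
            {
                IpPacket ipPacket = PacketDotNet.IpPacket.GetEncapsulated(packet);
                if (ipPacket == null || ipPacket.Version == IpVersion.IPv6)
                {
                    return;
                }

                TcpPacket tcpPacket = PacketDotNet.TcpPacket.GetEncapsulated(packet);
                if (tcpPacket == null)
                {
                    return;
                }

                // The key is an arithmetic sum of source address, source port, destination
                // address and acknowledgment number, so distinct flows can yield the same value.
                // NOTE(review): a collision would mix reassembly state of unrelated connections,
                // and captured traffic is untrusted input. PacketReassemble receives the same
                // key, so the scheme is left unchanged here - consider a composite key.
                long Key = ipPacket.SourceAddress.Address + tcpPacket.SourcePort + ipPacket.DestinationAddress.Address + tcpPacket.AcknowledgmentNumber;

                if (isReassembledPacketOfPostRequest(ipPacket, tcpPacket))
                {
                    PacketReassemble(Key, tcpPacket);

                    var Mail = MailList[Key];
                    Mail.TimeToLive = 0;

                    // Var_PushFlag == true means all data has been captured completely.
                    if (Mail.Var_PushFlag == true)
                    {
                        foreach (var Data in Mail.PostRequestDataList)
                        {
                            Mail.PostRequestData += new string(Data);
                        }
                        foreach (var Data in Mail.VarDataList)
                        {
                            Mail.VarData += new string(Data);
                        }

                        DoSomething(Mail, PacketMonitor);
                        MailList.Remove(Key);
                    }
                }
                else if (isPostRequest(tcpPacket))
                {
                    // NOTE(review): Add is called without checking for an existing entry; if
                    // MailList is a Dictionary, a repeated key (retransmission or key collision)
                    // throws and ends up in the catch below.
                    MailList.Add(Key, new HttpMail(ipPacket, tcpPacket));
                }
                else
                {
                    return;
                }

                AddMailLiveTime();
            }
            catch (Exception ex)
            {
                // Previously every failure produced only an empty console line, which hid
                // parser errors and duplicate-key failures. Keep the best-effort behaviour
                // (the packet is dropped) but say what went wrong.
                Console.Error.WriteLine("Trace: packet dropped (" + ex.GetType().Name + "): " + ex.Message);
                return;
            }
        }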
예제 #2
 // Hook that Trace calls once a POST request has been captured completely.
 // Mail carries the joined PostRequestData / VarData strings; PacketMonitor is the
 // form the disabled lines below would write to. The body is currently empty:
 // every statement is commented out, so a completed capture is discarded.
 private static void DoSomething(HttpMail Mail, PacketMonitorForm PacketMonitor)
 {
     // Raw variant (no decoding):
     // PacketMonitor.mTxtBox.Text += Mail.PostRequestData + Mail.VarData + "\r\n\r\n";
     // URI decoding is required before display:
     //PacketMonitor.mTxtBox.Text += Uri.UnescapeDataString(Mail.PostRequestData) + Uri.UnescapeDataString(Mail.VarData) + "\r\n";
     //PacketMonitor.mTxtBox.Text += "------------------------------------------------------------------------------------------------\r\n\r\n";
     // NOTE(review): POST bodies can contain credentials and other secrets; if this is
     // re-enabled, mask such fields before writing them to the text box.
 }
예제 #3
        // Runs one captured packet through the SSL/TLS tracking steps:
        //   1. drop anything that is not IPv4/TCP or has fewer than 6 payload bytes,
        //   2. let TraceClientHello mark the flow if the packet is a ClientHello,
        //   3. hand the raw packet bytes to SSLAnalyze,
        //   4. when SSLAnalyze reports handshake content, build the SSL record and store it,
        //   5. when the certificate tracker yields a certificate, attach it to the trace data.
        //
        // packet: captured packet to inspect.
        // Form:   form whose listIPTrace is read and updated by the helpers.
        public unsafe void Trace(Packet packet, PacketMonitorForm Form)
        {
            IpPacket  ip  = null;
            TcpPacket tcp = null;

            try
            {
                ip = PacketDotNet.IpPacket.GetEncapsulated(packet);
                bool isIPv4 = ip != null && ip.Version != IpVersion.IPv6;
                if (!isIPv4)
                {
                    return;
                }

                tcp = PacketDotNet.TcpPacket.GetEncapsulated(packet);

                // TraceClientHello reads payload offsets 0..5, hence the minimum of 6 bytes.
                if (tcp == null || tcp.PayloadData.Length < 6)
                {
                    return;
                }
            }
            catch
            {
                // Parsing failures are dropped silently; the packet is simply skipped.
                return;
            }

            TraceClientHello(ip, tcp, Form);

            // Only a pointer is passed; no length accompanies it.
            // NOTE(review): confirm how SSLAnalyze.InsertPacketData bounds its reads, since
            // the bytes come straight from the wire and may be truncated or malformed.
            fixed (Byte* rawBytes = packet.Bytes)
            {
                SSLAnalyze.InsertPacketData(rawBytes);
            }

            if (SSLAnalyze.GetHandShakeMainContent())
            {
                // A null certificate selects the key-information path of AddToSSLInfo.
                var sslRecord = AddToSSLInfo(Form, null);
                WriteToDB(sslRecord);
            }

            var certificate = _CertificateManage.Trace(packet);
            if (certificate == null)
            {
                return;
            }

            AddToSSLInfo(Form, certificate);
            DoSomething(Form, certificate);
        }
예제 #4
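        // Tracks packets that carry a ClientHello and marks the matching IPTraceInfo port
        // entry as hasSSL, so that the following packets of that flow get stored.
        //
        // ipPacket / tcpPacket: the parsed IP and TCP layers of the captured packet.
        // form:                 form whose listIPTrace is searched for the flow.
        //
        // Does nothing when the payload is shorter than 6 bytes, is not a handshake record
        // carrying a ClientHello, or uses a record version outside the accepted set.
        private void TraceClientHello(IpPacket ipPacket, TcpPacket tcpPacket, PacketMonitorForm form)
        {
            // Offsets 0..5 are read below. The payload comes from the wire, so check the
            // length here instead of relying on every caller to have done it.
            var payload = tcpPacket.PayloadData;
            if (payload == null || payload.Length < 6)
            {
                return;
            }

            // Record Layer Type = Handshake(0x16)  &  Handshake Type = Client Hello(0x01)
            if (payload[0] != 0x16 || payload[5] != 0x01)
            {
                return;
            }

            // Accepted record versions: 2.0 and 3.0 through 3.3.
            byte major = payload[1];
            byte minor = payload[2];
            bool isSSLVersion = (major == 0x02 && minor == 0x00) ||
                                (major == 0x03 && minor <= 0x03);
            if (!isSSLVersion)
            {
                return;
            }

            // Format the endpoints once instead of on every comparison.
            string srcIP   = ipPacket.SourceAddress.ToString();
            string dstIP   = ipPacket.DestinationAddress.ToString();
            string srcPort = tcpPacket.SourcePort.ToString();
            string dstPort = tcpPacket.DestinationPort.ToString();

            int Count = form.listIPTrace.Count;
            List <IPTraceInfo> _IPTrace = form.listIPTrace;

            for (int j = 0; j < Count; j++)
            {
                bool sameHosts = (_IPTrace[j].SrcIP == srcIP && _IPTrace[j].DstIP == dstIP) ||
                                 (_IPTrace[j].SrcIP == dstIP && _IPTrace[j].DstIP == srcIP);
                if (!sameHosts)
                {
                    continue;
                }

                foreach (var port in _IPTrace[j].Ports)
                {
                    bool samePorts = (port.SrcPort == srcPort && port.DstPort == dstPort) ||
                                     (port.SrcPort == dstPort && port.DstPort == srcPort);
                    if (!samePorts)
                    {
                        continue;
                    }

                    port.hasSSL = true;

                    // The file name is built from header fields only (addresses and ports).
                    // NOTE(review): an earlier SSLPcapFileWriter on this port is replaced
                    // without being closed here; a repeated ClientHello on the same flow may
                    // leak the old writer - confirm how PcapFileWriter should be released.
                    string FileName = srcIP + "(" + srcPort + ") - " + dstIP + "(" + dstPort + ").pcap";
                    port.SSLPcapFileWriter = new PcapFileWriter(StoragePath + "\\" + FileName);

                    return;
                }

                // Only the first host pair that matches is considered.
                return;
            }
        }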
예제 #5
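        // Runs after the SSL information is complete: stores the Certificate on the
        // listIPTrace entry whose address pair matches the certificate's server/user IPs.
        //
        // form:         form whose listIPTrace is searched.
        // _Certificate: certificate to attach; a null value is ignored.
        //
        // Only the first matching entry is touched, and an entry that already holds a
        // certificate keeps it.
        private void DoSomething(PacketMonitorForm form, Certificate _Certificate)
        {
            // The original tested for null only after reading _Certificate.ServerIP, which
            // is too late to prevent a NullReferenceException.
            if (_Certificate == null)
            {
                return;
            }

            int Count = form.listIPTrace.Count;
            List <IPTraceInfo> _IPTrace = form.listIPTrace;

            for (int j = 0; j < Count; j++)
            {
                bool serverIsSource = (_IPTrace[j].SrcIP == _Certificate.ServerIP) && (_IPTrace[j].DstIP == _Certificate.UserIP);
                bool serverIsDest   = (_IPTrace[j].DstIP == _Certificate.ServerIP) && (_IPTrace[j].SrcIP == _Certificate.UserIP);
                if (!serverIsSource && !serverIsDest)
                {
                    continue;
                }

                if (_IPTrace[j].certificate == null)
                {
                    _IPTrace[j].certificate = _Certificate;
                }

                return;
            }
        }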
예제 #6
        // Caches and combines key information and Certificate information per connection.
        //
        // With a non-null _Certificate: queues a new SSLInformation (addresses, ports,
        // certificate) in SSLInformationList and returns null.
        // With a null _Certificate: reads the current endpoints and key fields from
        // SSLAnalyze, copies the keys onto the matching Port of form.listIPTrace (if one is
        // found), and returns either the queued SSLInformation for the same endpoints
        // (removed from the list) or a new SSLInformation without certificate.
        //
        // NOTE(review): PubKey / SessionKey / NewSessionKey end up as plain hex strings on
        // the returned object and on port.keys; whatever stores or displays them should be
        // treated as holding sensitive key material.
        private unsafe SSLInformation AddToSSLInfo(PacketMonitorForm form, Certificate _Certificate)
        {
            List <IPTraceInfo> list = form.listIPTrace;
            Port port = null;

            // A Certificate means an SSL session has been established, but the complete key
            // information is not available yet, so the entry is queued until it is.
            if (_Certificate != null)
            {
                SSLInformationList.Add(new SSLInformation {
                    UserIP      = _Certificate.UserIP,
                    ServerIP    = _Certificate.ServerIP,
                    UserPort    = _Certificate.UserPort,
                    ServerPort  = _Certificate.ServerPort,
                    certificate = _Certificate,
                });
                return(null);
            }
            else if (_Certificate == null)
            {
                // The four address bytes are read in index order 3,2,1,0.
                // NOTE(review): presumably SSLAnalyze stores them in reverse order - confirm.
                string _UserIP     = string.Format("{0}.{1}.{2}.{3}", SSLAnalyze.GetUserIP()[3], SSLAnalyze.GetUserIP()[2], SSLAnalyze.GetUserIP()[1], SSLAnalyze.GetUserIP()[0]);
                string _ServerIP   = string.Format("{0}.{1}.{2}.{3}", SSLAnalyze.GetServerIP()[3], SSLAnalyze.GetServerIP()[2], SSLAnalyze.GetServerIP()[1], SSLAnalyze.GetServerIP()[0]);
                string _UserPort   = SSLAnalyze.GetUserPort().ToString();
                string _ServerPort = SSLAnalyze.GetServerPort().ToString();

                // Find the Port entry of this connection in either direction. The breaks leave
                // only the inner foreach; the outer loop keeps scanning, so a later match
                // overwrites an earlier one.
                for (int j = 0; j < list.Count; j++)
                {
                    if ((list[j].SrcIP == _ServerIP) && (list[j].DstIP == _UserIP))
                    {
                        foreach (var p in list[j].Ports)
                        {
                            if ((p.SrcPort == _ServerPort) && (p.DstPort == _UserPort))
                            {
                                port = p;
                                break;
                            }
                        }
                    }
                    else if ((list[j].DstIP == _ServerIP) && (list[j].SrcIP == _UserIP))
                    {
                        foreach (var p in list[j].Ports)
                        {
                            if ((p.SrcPort == _UserPort) && (p.DstPort == _ServerPort))
                            {
                                port = p;
                                break;
                            }
                        }
                    }
                }

                // First look for an entry queued earlier for the same endpoints and complete it.
                foreach (var _SSLInformation in SSLInformationList)
                {
                    if (_UserIP == _SSLInformation.UserIP &&
                        _ServerIP == _SSLInformation.ServerIP &&
                        _UserPort == _SSLInformation.UserPort &&
                        _ServerPort == _SSLInformation.ServerPort)
                    {
                        _SSLInformation.Version     = SSLAnalyze.GetVersion().ToString();
                        _SSLInformation.CipherSuite = SSLAnalyze.GetCipherSuite().ToString();

                        // Hex dump ("xx xx ...") of the public key. When the two lengths differ,
                        // GetSessionKeyLen() bytes are taken starting at offset 6.
                        // NOTE(review): nothing here checks that offset 6 + GetSessionKeyLen()
                        // stays inside the buffer returned by GetPubkey(), and the lengths derive
                        // from captured handshake data - confirm the bound in SSLAnalyze.
                        string pubkey = null;
                        if (SSLAnalyze.GetPubKeyLen() > 0)
                        {
                            if (SSLAnalyze.GetPubKeyLen() == SSLAnalyze.GetSessionKeyLen())
                            {
                                for (int i = 0; i < SSLAnalyze.GetPubKeyLen(); i++)
                                {
                                    pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i]);
                                }
                            }
                            else
                            {
                                for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                                {
                                    pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i + 6]);
                                }
                            }
                        }
                        _SSLInformation.PubKey = pubkey;

                        // Hex dump of the session key; stays null when the length is 0.
                        string sessionkey = null;
                        if (SSLAnalyze.GetSessionKeyLen() > 0)
                        {
                            for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                            {
                                sessionkey += string.Format("{0:x2} ", SSLAnalyze.GetSessionKey()[i]);
                            }
                        }
                        _SSLInformation.SessionKey = sessionkey;

                        // Hex dump of the new session ticket; stays null when the length is 0.
                        string NewSessionkey = null;
                        if (SSLAnalyze.GetNewSessionTicketLen() > 0)
                        {
                            for (int i = 0; i < SSLAnalyze.GetNewSessionTicketLen(); i++)
                            {
                                NewSessionkey += string.Format("{0:x2} ", SSLAnalyze.GetNewSessionTicket()[i]);
                            }
                        }
                        _SSLInformation.NewSessionKey = NewSessionkey;

                        // Copy onto the Port entry; values already set on port.keys are kept.
                        if (port != null && (pubkey != null || sessionkey != null || NewSessionkey != null))
                        {
                            port.keys.ServerPort = _ServerPort;
                            port.keys.UserPort   = _UserPort;
                            if (port.keys.pubKey == null)
                            {
                                port.keys.pubKey = pubkey;
                            }
                            if (port.keys.sessionKey == null)
                            {
                                port.keys.sessionKey = sessionkey;
                            }
                            if (port.keys.newSessionkey == null)
                            {
                                port.keys.newSessionkey = NewSessionkey;
                            }
                            port.keys.hasKey = true;
                        }

                        // Removing during the foreach is followed directly by the return, so
                        // the enumerator is not advanced after the list changed.
                        SSLInformationList.Remove(_SSLInformation);
                        return(_SSLInformation);
                    }
                }

                // From here on: build SSL information for a connection without Certificate.
                // The key formatting repeats the logic above (same offset-6 caveat applies).
                var sslInformation = new SSLInformation();
                sslInformation.UserIP      = _UserIP;
                sslInformation.ServerIP    = _ServerIP;
                sslInformation.UserPort    = _UserPort;
                sslInformation.ServerPort  = _ServerPort;
                sslInformation.Version     = SSLAnalyze.GetVersion().ToString();
                sslInformation.CipherSuite = SSLAnalyze.GetCipherSuite().ToString();

                string _pubkey = null;
                if (SSLAnalyze.GetPubKeyLen() > 0)
                {
                    if (SSLAnalyze.GetPubKeyLen() == SSLAnalyze.GetSessionKeyLen())
                    {
                        for (int i = 0; i < SSLAnalyze.GetPubKeyLen(); i++)
                        {
                            _pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i]);
                        }
                    }
                    else
                    {
                        for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                        {
                            _pubkey += string.Format("{0:x2} ", SSLAnalyze.GetPubkey()[i + 6]);
                        }
                    }
                }
                sslInformation.PubKey = _pubkey;

                string _sessionkey = null;
                if (SSLAnalyze.GetSessionKeyLen() > 0)
                {
                    for (int i = 0; i < SSLAnalyze.GetSessionKeyLen(); i++)
                    {
                        _sessionkey += string.Format("{0:x2} ", SSLAnalyze.GetSessionKey()[i]);
                    }
                }
                sslInformation.SessionKey = _sessionkey;

                string _NewSessionkey = null;
                if (SSLAnalyze.GetNewSessionTicketLen() > 0)
                {
                    for (int i = 0; i < SSLAnalyze.GetNewSessionTicketLen(); i++)
                    {
                        _NewSessionkey += string.Format("{0:x2} ", SSLAnalyze.GetNewSessionTicket()[i]);
                    }
                }
                sslInformation.NewSessionKey = _NewSessionkey;

                sslInformation.certificate = null;

                // Same copy-if-unset rule for port.keys as in the queued-entry path.
                if (port != null && (_pubkey != null || _sessionkey != null || _NewSessionkey != null))
                {
                    port.keys.ServerPort = _ServerPort;
                    port.keys.UserPort   = _UserPort;
                    if (port.keys.pubKey == null)
                    {
                        port.keys.pubKey = _pubkey;
                    }
                    if (port.keys.sessionKey == null)
                    {
                        port.keys.sessionKey = _sessionkey;
                    }
                    if (port.keys.newSessionkey == null)
                    {
                        port.keys.newSessionkey = _NewSessionkey;
                    }
                    port.keys.hasKey = true;
                }
                return(sslInformation);
            }

            // Both branches above return, so this line is not expected to be reached.
            return(null);
        }