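/// <summary>
/// Reads the fixed NetMon capture-file header fields from <paramref name="rdrFrom"/>
/// and returns them as a <see cref="NetMonFileHeader"/>.
/// </summary>
/// <remarks>
/// Every value stored here comes straight from the capture file and must be treated as
/// untrusted. The table offsets, lengths and counts are recorded as read and are NOT
/// checked against the stream length in this method; code that later seeks or allocates
/// based on them has to do its own bounds checking.
/// </remarks>
/// <param name="rdrFrom">
/// Reader positioned at the version bytes. The magic number is passed in separately, so
/// it has presumably already been consumed by the caller.
/// </param>
/// <param name="uiMagic">Magic number already read from the start of the file.</param>
/// <returns>The populated header.</returns>
/// <exception cref="EndOfStreamException">The stream ends before the header is complete.</exception>
public static NetMonFileHeader CreateFromReader(BinaryReader rdrFrom, uint uiMagic)
{
    NetMonFileHeader header = new NetMonFileHeader();
    header.MagicNumber = uiMagic;
    header.VerMinor = rdrFrom.ReadByte();
    header.VerMajor = rdrFrom.ReadByte();
    header.MacType = rdrFrom.ReadUInt16();

    // Capture start time: eight consecutive 16-bit fields.
    ushort year = rdrFrom.ReadUInt16();
    ushort month = rdrFrom.ReadUInt16();
    // Field between month and day is read and discarded
    // (presumably the day-of-week slot of a SYSTEMTIME-style layout; confirm against the format spec).
    rdrFrom.ReadUInt16();
    ushort day = rdrFrom.ReadUInt16();
    ushort hour = rdrFrom.ReadUInt16();
    ushort minute = rdrFrom.ReadUInt16();
    ushort second = rdrFrom.ReadUInt16();
    ushort millisecond = rdrFrom.ReadUInt16();

    try
    {
        header.dtCapture = new DateTime(year, month, day, hour, minute, second, millisecond);
    }
    catch (ArgumentOutOfRangeException)
    {
        // The date fields are file-controlled; a zeroed or corrupt timestamp previously
        // aborted the whole import from inside the DateTime constructor. Fall back to a
        // sentinel and say so, so the analyst knows the packet times are not trustworthy.
        Console.WriteLine(
            "NetMon header has an invalid capture timestamp ({0}-{1}-{2} {3}:{4}:{5}.{6}); using DateTime.MinValue",
            year, month, day, hour, minute, second, millisecond);
        header.dtCapture = DateTime.MinValue;
    }

    // Offset/length pairs for the tables that follow the header; the read order is the file layout.
    header.FrameTableOffset = rdrFrom.ReadUInt32();
    header.FrameTableLength = rdrFrom.ReadUInt32();
    header.UserDataOffset = rdrFrom.ReadUInt32();
    header.UserDataLength = rdrFrom.ReadUInt32();
    header.CommentDataOffset = rdrFrom.ReadUInt32();
    header.CommentDataLength = rdrFrom.ReadUInt32();
    header.ProcessListOffset = rdrFrom.ReadUInt32();
    header.ProcessListCount = rdrFrom.ReadUInt32();
    header.StatisticsOffset = rdrFrom.ReadUInt32();
    header.StatisticsLength = rdrFrom.ReadUInt32();
    header.ExtendedInfoOffset = rdrFrom.ReadUInt32();
    header.ExtendedInfoLength = rdrFrom.ReadUInt32();
    header.ConversationStatsOffset = rdrFrom.ReadUInt32();
    header.ConversationStatsLength = rdrFrom.ReadUInt32();

    // The process list is only loaded for format versions 2.x with a minor version above 1.
    if (header.VerMajor == 2 && header.VerMinor > 1)
    {
        header.FillProcessList(rdrFrom);
    }

    // [hidd3ncod3s] I fixed it: the FiddlerApplication log call was replaced by console output.
    Console.WriteLine("Importing NetMon Capture\n{0}\n", header);
    return header;
}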
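/// <summary>
/// Walks every frame of a NetMon capture, parses the Ethernet / WFP frames into IP, UDP
/// (DNS) and TCP records, groups TCP frames into streams keyed by endpoint pair, and
/// hands the streams to <c>GetSessionsFromPackets</c>.
/// </summary>
/// <remarks>
/// The capture file is untrusted input. Frame offsets and the per-frame saved size come
/// from the file, so the payload range is checked against the stream length before any
/// buffer is allocated, and a frame whose payload cannot be read in full is skipped
/// rather than parsed from a partially filled (zero-padded) buffer.
/// </remarks>
/// <param name="rdr">Reader over a seekable capture stream.</param>
/// <param name="uiMagic">Magic number already read from the start of the file.</param>
/// <returns>The sessions produced by <c>GetSessionsFromPackets</c>.</returns>
private Session[] GetSessionsFromNetMonCAP(BinaryReader rdr, uint uiMagic)
{
    NetMonFileHeader netMonFileHeader = NetMonFileHeader.CreateFromReader(rdr, uiMagic);
    uint[] frameOffsets = netMonFileHeader.GetFrameOffsets(rdr);
    PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts);

    // DNS transactions are tracked by transaction ID; they are filled in here but not
    // consumed anywhere else in this method.
    Dictionary<uint, DNSTransaction> dnsTransactions = new Dictionary<uint, DNSTransaction>();
    Dictionary<string, TCPStream> tcpStreams = new Dictionary<string, TCPStream>();

    Stream stream = rdr.BaseStream;
    long streamLength = stream.Length;

    for (int i = 0; i < frameOffsets.Length; i++)
    {
        uint frameNumber = (uint)i;
        packetCounts.Total += 1u;

        long frameStart = frameOffsets[i];
        stream.Position = frameStart;
        NetmonPacketHeader packetHeader = NetmonPacketHeader.CreateFromReader(rdr, netMonFileHeader.dtCapture);

        // Only Ethernet and WFP (Message2V4) frames are understood; everything else is skipped.
        if (packetHeader.MediaType != MediaTypes.Ethernet && packetHeader.MediaType != MediaTypes.WFPCapture_Message2V4)
        {
            continue;
        }

        // Payload begins 16 bytes after the frame offset. Computed in 64 bits so that an
        // offset close to uint.MaxValue cannot wrap around to the start of the file.
        long payloadStart = frameStart + 16L;
        long savedSize = (long)packetHeader.PacketSavedSize;

        // PacketSavedSize is file-controlled: refuse to allocate more than the stream can
        // actually supply, which also caps the allocation at the file size.
        if (savedSize < 0L || savedSize > int.MaxValue || payloadStart > streamLength || savedSize > streamLength - payloadStart)
        {
            continue;
        }

        byte[] frameBytes = new byte[savedSize];
        stream.Position = payloadStart;

        // Stream.Read may return fewer bytes than requested; loop until the buffer is full.
        int filled = 0;
        while (filled < frameBytes.Length)
        {
            int got = stream.Read(frameBytes, filled, frameBytes.Length - filled);
            if (got <= 0)
            {
                break;
            }
            filled += got;
        }
        if (filled != frameBytes.Length)
        {
            continue;
        }

        IPFrame ipFrame = packetHeader.MediaType == MediaTypes.WFPCapture_Message2V4
            ? IPFrame.FakeAsIPFrame(frameNumber, frameBytes, packetHeader.dtPacket)
            : IPFrame.ParseAsIPFrame(frameNumber, frameBytes, packetHeader.dtPacket);
        if (ipFrame == null)
        {
            continue;
        }

        if (ipFrame.IPVersion == 4)
        {
            packetCounts.IPv4 += 1u;
        }
        else if (ipFrame.IPVersion == 6)
        {
            packetCounts.IPv6 += 1u;
        }

        IPSubProtocols nextProtocol = ipFrame.NextProtocol;
        if (nextProtocol == IPSubProtocols.TCP)
        {
            TCPFrame tcpFrame = TCPFrame.Parse(ipFrame, frameBytes);
            if (tcpFrame == null)
            {
                continue;
            }

            packetCounts.TCP += 1u;
            TCPEndpoints endpoints = new TCPEndpoints(ipFrame.ipSrc, ipFrame.ipDest, tcpFrame.SrcPort, tcpFrame.DstPort);
            string streamKey = endpoints.ToString();
            TCPStream tcpStream;
            if (!tcpStreams.TryGetValue(streamKey, out tcpStream))
            {
                tcpStream = new TCPStream(endpoints);
                uint processTableIndex = packetHeader.ProcessTableIndex;
                // The index is file-controlled, so it is range-checked before use. The null
                // check covers headers for which the process list was never loaded
                // (NOTE(review): whether arrProcesses has a non-null default is not visible here).
                if (netMonFileHeader.arrProcesses != null && processTableIndex < (uint)netMonFileHeader.arrProcesses.Length)
                {
                    tcpStream.sProcessInfo = netMonFileHeader.arrProcesses[(int)processTableIndex];
                }
                tcpStreams.Add(streamKey, tcpStream);
            }
            tcpStream.AddFrame(tcpFrame);
        }
        else if (nextProtocol == IPSubProtocols.UDP)
        {
            UDPMessage udpMessage = UDPMessage.Parse(ipFrame, frameBytes);
            packetCounts.UDP += 1u;

            if (WellKnownPorts.DNS == udpMessage.DstPort)
            {
                DNSQuery dnsQuery = DNSQuery.Parse(ipFrame, frameBytes);
                if (dnsQuery.QueryType == DNSQueryType.AddressQuery)
                {
                    DNSTransaction transaction;
                    if (!dnsTransactions.TryGetValue(dnsQuery.uiTransactionID, out transaction))
                    {
                        transaction = new DNSTransaction();
                        dnsTransactions.Add(dnsQuery.uiTransactionID, transaction);
                    }
                    transaction.uiTransactionID = dnsQuery.uiTransactionID;
                    transaction.sQueryForHostname = dnsQuery.sHostname;
                    // NOTE(review): this runs only when QueryType == AddressQuery, so the flag
                    // is false unless AAAA and AddressQuery share a value - confirm intent.
                    transaction.bAAAAQuery = (dnsQuery.QueryType == DNSQueryType.AAAA);
                    transaction.dtQuerySent = packetHeader.dtPacket;
                }
            }
            else if (WellKnownPorts.DNS == udpMessage.SrcPort)
            {
                DNSResponse dnsResponse = DNSResponse.Parse(ipFrame, frameBytes);
                DNSTransaction pending;
                if (dnsTransactions.TryGetValue(dnsResponse.uiTransactionID, out pending))
                {
                    pending.dtResponseReceived = packetHeader.dtPacket;
                }
            }
        }
        // Any other sub-protocol, including ESP (parsing not yet implemented), is ignored.
    }

    return this.GetSessionsFromPackets(ref packetCounts, tcpStreams);
}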