private Session[] GetSessionsFromNetMonCAP(BinaryReader rdr, uint uiMagic) { NetMonFileHeader netMonFileHeader = NetMonFileHeader.CreateFromReader(rdr, uiMagic); uint[] frameOffsets = netMonFileHeader.GetFrameOffsets(rdr); PacketCaptureImport.PacketCounts packetCounts = default(PacketCaptureImport.PacketCounts); Dictionary <uint, DNSTransaction> dictionary = new Dictionary <uint, DNSTransaction>(); Dictionary <string, TCPStream> dictionary2 = new Dictionary <string, TCPStream>(); uint num = 0u; while ((ulong)num < (ulong)((long)frameOffsets.Length)) { packetCounts.Total += 1u; rdr.BaseStream.Position = (long)((ulong)frameOffsets[(int)((UIntPtr)num)]); NetmonPacketHeader netmonPacketHeader = NetmonPacketHeader.CreateFromReader(rdr, netMonFileHeader.dtCapture); if (netmonPacketHeader.MediaType != MediaTypes.Ethernet && netmonPacketHeader.MediaType != MediaTypes.WFPCapture_Message2V4) { if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("Skipping frame {0} with MediaType: 0x{1:x}", new object[] //{ // num, // netmonPacketHeader.MediaType //}); } } else { byte[] array = new byte[netmonPacketHeader.PacketSavedSize]; rdr.BaseStream.Position = (long)((ulong)(frameOffsets[(int)((UIntPtr)num)] + 16u)); rdr.BaseStream.Read(array, 0, array.Length); IPFrame iPFrame; if (netmonPacketHeader.MediaType == MediaTypes.WFPCapture_Message2V4) { iPFrame = IPFrame.FakeAsIPFrame(num, array, netmonPacketHeader.dtPacket); } else { iPFrame = IPFrame.ParseAsIPFrame(num, array, netmonPacketHeader.dtPacket); } if (iPFrame != null) { if (iPFrame.IPVersion == 4) { packetCounts.IPv4 += 1u; } else { if (iPFrame.IPVersion == 6) { packetCounts.IPv6 += 1u; } } if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("Adding frame {0} - {1}", new object[] //{ // num, // iPFrame.ToString() //}); } IPSubProtocols nextProtocol = iPFrame.NextProtocol; if (nextProtocol != IPSubProtocols.TCP) { if (nextProtocol != IPSubProtocols.UDP) { if (nextProtocol == IPSubProtocols.ESP) { if (PacketCaptureImport.bVerboseDebug) { //FiddlerApplication.get_Log().LogFormat("ESP Frame #{0} skipped; parsing NYI", new object[] //{ // iPFrame.iFrameNumber //}); } } } else { UDPMessage uDPMessage = UDPMessage.Parse(iPFrame, array); packetCounts.UDP += 1u; if (WellKnownPorts.DNS == uDPMessage.DstPort) { DNSQuery dNSQuery = DNSQuery.Parse(iPFrame, array); if (dNSQuery.QueryType == DNSQueryType.AddressQuery) { DNSTransaction dNSTransaction; if (!dictionary.TryGetValue(dNSQuery.uiTransactionID, out dNSTransaction)) { dNSTransaction = new DNSTransaction(); dictionary.Add(dNSQuery.uiTransactionID, dNSTransaction); } dNSTransaction.uiTransactionID = dNSQuery.uiTransactionID; dNSTransaction.sQueryForHostname = dNSQuery.sHostname; dNSTransaction.bAAAAQuery = (dNSQuery.QueryType == DNSQueryType.AAAA); dNSTransaction.dtQuerySent = netmonPacketHeader.dtPacket; } } else { if (WellKnownPorts.DNS == uDPMessage.SrcPort) { DNSResponse dNSResponse = DNSResponse.Parse(iPFrame, array); DNSTransaction dNSTransaction2; if (dictionary.TryGetValue(dNSResponse.uiTransactionID, out dNSTransaction2)) { dNSTransaction2.dtResponseReceived = netmonPacketHeader.dtPacket; } } } } } else { TCPFrame tCPFrame = TCPFrame.Parse(iPFrame, array); if (tCPFrame != null) { packetCounts.TCP += 1u; TCPEndpoints tCPEndpoints = new TCPEndpoints(iPFrame.ipSrc, iPFrame.ipDest, tCPFrame.SrcPort, tCPFrame.DstPort); string key = tCPEndpoints.ToString(); TCPStream tCPStream; if (!dictionary2.TryGetValue(key, out tCPStream)) { tCPStream = new TCPStream(tCPEndpoints); uint processTableIndex = netmonPacketHeader.ProcessTableIndex; if ((ulong)processTableIndex < (ulong)((long)netMonFileHeader.arrProcesses.Length)) { tCPStream.sProcessInfo = netMonFileHeader.arrProcesses[(int)((UIntPtr)processTableIndex)]; } dictionary2.Add(key, tCPStream); } tCPStream.AddFrame(tCPFrame); } } } } num += 1u; } return(this.GetSessionsFromPackets(ref packetCounts, dictionary2)); }