/* Analyzors used in PacketDetail, parsing link layer information to the tree nodes.*/ public static String EthernetAnalyzor(ref TreeView tree, Packet packet) { TreeNode EthernetNode; string info = "\r\n------ Ethernet Header ----\r\n"; EthernetPacket Ethernetpacket = (EthernetPacket)packet.Extract(typeof(EthernetPacket)); string smac = Ethernetpacket.SourceHwAddress.ToString(); string dmac = Ethernetpacket.DestinationHwAddress.ToString(); string type = Ethernetpacket.Type.ToString(); EthernetNode = new TreeNode("Ethernet: src-" + smac + ", dst-" + dmac); EthernetNode.Nodes.Add("source address :" + smac); EthernetNode.Nodes.Add("destination address : " + dmac); EthernetNode.Nodes.Add("type : " + type); tree.Nodes.Add(EthernetNode); info += "destination addr : " + dmac + "\r\n" + "source addr : " + smac + "\r\n" + "type : " + type + "\r\n"; return info; }
public static WakeOnLanPacket GetEncapsulated(Packet p) { // see if we have an ethernet packet that contains a wol packet var ethernetPacket = (EthernetPacket)p.Extract(typeof(EthernetPacket)); if (ethernetPacket != null) { if (ethernetPacket.Type == EthernetPacketType.WakeOnLan) { return((WakeOnLanPacket)ethernetPacket.PayloadPacket); } } // otherwise see if we have a udp packet (might have been sent to port 7 or 9) that // contains a wol packet var udpPacket = (UdpPacket)p.Extract(typeof(UdpPacket)); if (udpPacket != null) { // if the destination port is 7 or 9 then this is already parsed as a // WakeOnLan packet so just return it if ((udpPacket.DestinationPort == 7) || (udpPacket.DestinationPort == 9)) { return((WakeOnLanPacket)udpPacket.PayloadPacket); } } return(null); }
public void ReportPacketCapture(Packet packet, DateTime arrivalTime) { var ip = (PacketDotNet.IpPacket)packet.Extract(typeof(PacketDotNet.IpPacket)); //IpPacket ip = (IpPacket)packet.Extract(typeof(IpPacket)); TcpPacket tcp = (TcpPacket)packet.Extract(typeof(TcpPacket)); ASCIIEncoding format = new ASCIIEncoding(); string payloadAsText = format.GetString(packet.Bytes); payloadAsText = payloadAsText.ToLower(); //remove non readable characters //payloadAsText = Regex.Replace(payloadAsText, @"[^\u0000-\u007F]", string.Empty); payloadAsText = Regex.Replace(payloadAsText, "[^0-9a-zA-Z]+", string.Empty); if ((tcp != null) && (payloadAsText.Contains("ftp"))) { int x = 5; } if (payloadAsText.Length > 255) { payloadAsText = payloadAsText.Substring(0, 255); } if (tcp != null) { _sensorEventAgent.LogEvent(_sensorId, ip.DestinationAddress.ToString(), tcp.DestinationPort, ip.SourceAddress.ToString(), tcp.SourcePort, arrivalTime, payloadAsText); } }
/// <summary> /// Called by IPv4 and IPv6 packets to parse their packet payload /// </summary> /// <param name="payload"> /// A <see cref="ByteArraySegment"/> /// </param> /// <param name="ProtocolType"> /// A <see cref="IPProtocolType"/> /// </param> /// <param name="ParentPacket"> /// A <see cref="Packet"/> /// </param> /// <returns> /// A <see cref="PacketOrByteArraySegment"/> /// </returns> internal static PacketOrByteArraySegment ParseEncapsulatedBytes(ByteArraySegment payload, IPProtocolType ProtocolType, Packet ParentPacket) { log.DebugFormat("payload: {0}, ParentPacket.GetType() {1}", payload, ParentPacket.GetType()); var payloadPacketOrData = new PacketOrByteArraySegment(); // if we are an ipv4 packet with a non-zero FragementOffset we shouldn't attempt // to decode the content, it is a continuation of a previous packet so it won't // have the proper headers for its type, that was in the first packet fragment var ipv4Packet = ParentPacket.Extract(typeof(IPv4Packet)) as IPv4Packet; if (ipv4Packet != null) { if (ipv4Packet.FragmentOffset > 0) { payloadPacketOrData.TheByteArraySegment = payload; return(payloadPacketOrData); } } switch (ProtocolType) { case IPProtocolType.TCP: payloadPacketOrData.ThePacket = new TcpPacket(payload, ParentPacket); break; case IPProtocolType.UDP: payloadPacketOrData.ThePacket = new UdpPacket(payload, ParentPacket); break; case IPProtocolType.ICMP: payloadPacketOrData.ThePacket = new ICMPv4Packet(payload, ParentPacket); break; case IPProtocolType.ICMPV6: payloadPacketOrData.ThePacket = new ICMPv6Packet(payload, ParentPacket); break; case IPProtocolType.IGMP: payloadPacketOrData.ThePacket = new IGMPv2Packet(payload, ParentPacket); break; // NOTE: new payload parsing entries go here default: payloadPacketOrData.TheByteArraySegment = payload; break; } return(payloadPacketOrData); }
/// <summary> /// Initialize Http Packet /// </summary> /// <param name="packet">First TCP packet which consist of Http packet</param> public HttpPacket(Packet packet) : this() { try { TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket)); // Update next sequence number nextSequenceNumber = tcpPacket.SequenceNumber + (uint)packet.PayloadPacket.PayloadPacket.PayloadData.Length; ParsingHeader(packet.PayloadPacket.PayloadPacket.PayloadData); } catch (ArgumentException e) { throw new ArgumentException("invalid packet data"); } }
// arp response private void VerifyPacket1(Packet p) { var arpPacket = (ARPPacket)p.Extract (typeof(ARPPacket)); Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null"); IPAddress senderIp = IPAddress.Parse("192.168.1.214"); IPAddress targetIp = IPAddress.Parse("192.168.1.202"); Assert.AreEqual(senderIp, arpPacket.SenderProtocolAddress); Assert.AreEqual(targetIp, arpPacket.TargetProtocolAddress); string senderMacAddress = "00216A020854"; string targetMacAddress = "000461990154"; Assert.AreEqual(senderMacAddress, arpPacket.SenderHardwareAddress.ToString()); Assert.AreEqual(targetMacAddress, arpPacket.TargetHardwareAddress.ToString()); }
private void VerifyPacket0(Packet p) { // expect an arp packet var arpPacket = (ARPPacket)p.Extract(typeof(ARPPacket)); Assert.IsNotNull(arpPacket, "Expected arpPacket to not be null"); // validate some of the LinuxSSLPacket fields var l = (LinuxSLLPacket)p; Assert.AreEqual(6, l.LinkLayerAddressLength, "Address length"); Assert.AreEqual(1, l.LinkLayerAddressType); Assert.AreEqual(LinuxSLLType.PacketSentToUs, l.Type); // validate some of the arp fields Assert.AreEqual("192.168.1.1", arpPacket.SenderProtocolAddress.ToString(), "Arp SenderProtocolAddress"); Assert.AreEqual("192.168.1.102", arpPacket.TargetProtocolAddress.ToString(), "Arp TargetProtocolAddress"); }
// icmpv6 public void VerifyPacket0(Packet p, RawCapture rawCapture) { Assert.IsNotNull(p); Console.WriteLine(p.ToString()); EthernetPacket e = (EthernetPacket)p; Assert.AreEqual(PhysicalAddress.Parse("00-A0-CC-D9-41-75"), e.SourceHwAddress); Assert.AreEqual(PhysicalAddress.Parse("33-33-00-00-00-02"), e.DestinationHwAddress); var ip = (IpPacket)p.Extract (typeof(IpPacket)); Console.WriteLine("ip {0}", ip.ToString()); Assert.AreEqual(System.Net.IPAddress.Parse("fe80::2a0:ccff:fed9:4175"), ip.SourceAddress); Assert.AreEqual(System.Net.IPAddress.Parse("ff02::2"), ip.DestinationAddress); Assert.AreEqual(IpVersion.IPv6, ip.Version); Assert.AreEqual(IPProtocolType.ICMPV6, ip.Protocol); Assert.AreEqual(16, ip.PayloadPacket.Bytes.Length, "ip.PayloadPacket.Bytes.Length mismatch"); Assert.AreEqual(255, ip.HopLimit); Assert.AreEqual(255, ip.TimeToLive); Assert.AreEqual(0x3a, (byte)ip.NextHeader); Console.WriteLine("Failed: ip.ComputeIPChecksum() not implemented."); Assert.AreEqual(1221145299, rawCapture.Timeval.Seconds); Assert.AreEqual(453568.000, rawCapture.Timeval.MicroSeconds); }
// udp public void VerifyPacket2(Packet p, RawCapture rawCapture) { Console.WriteLine(p.ToString()); EthernetPacket e = (EthernetPacket)p; Assert.AreEqual("0014BFF2EF0A", e.SourceHwAddress.ToString()); Assert.AreEqual("0016CFC91E29", e.DestinationHwAddress.ToString()); var ip = (IpPacket)p.Extract (typeof(IpPacket)); Assert.AreEqual(System.Net.IPAddress.Parse("172.210.164.56"), ip.SourceAddress); Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.104"), ip.DestinationAddress); Assert.AreEqual(IpVersion.IPv4, ip.Version); Assert.AreEqual(IPProtocolType.UDP, ip.Protocol); Assert.AreEqual(112, ip.TimeToLive); Assert.AreEqual(0xe0a2, ((IPv4Packet)ip).CalculateIPChecksum()); Assert.AreEqual(1171483602, rawCapture.Timeval.Seconds); Assert.AreEqual(578641.000, rawCapture.Timeval.MicroSeconds); var udp = (UdpPacket)p.Extract(typeof(UdpPacket)); Assert.AreEqual(52886, udp.SourcePort); Assert.AreEqual(56924, udp.DestinationPort); Assert.AreEqual(71, udp.Length); Assert.AreEqual(0xc8b8, udp.Checksum); }
// icmp public void VerifyPacket5(Packet p, RawCapture rawCapture) { Console.WriteLine(p.ToString()); EthernetPacket e = (EthernetPacket)p; Assert.AreEqual("0016CFC91E29", e.SourceHwAddress.ToString()); Assert.AreEqual("0014BFF2EF0A", e.DestinationHwAddress.ToString()); var ip = (IpPacket)p.Extract (typeof(IpPacket)); Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.104"), ip.SourceAddress); Assert.AreEqual(System.Net.IPAddress.Parse("85.195.52.22"), ip.DestinationAddress); }
// dns public void VerifyPacket3(Packet p, RawCapture rawCapture) { Console.WriteLine(p.ToString()); EthernetPacket e = (EthernetPacket)p; Assert.AreEqual("0016CFC91E29", e.SourceHwAddress.ToString()); Assert.AreEqual("0014BFF2EF0A", e.DestinationHwAddress.ToString()); var ip = (IpPacket)p.Extract (typeof(IpPacket)); Assert.AreEqual(System.Net.IPAddress.Parse("192.168.1.172"), ip.SourceAddress); Assert.AreEqual(System.Net.IPAddress.Parse("66.189.0.29"), ip.DestinationAddress); Assert.AreEqual(IPProtocolType.UDP, ip.Protocol); Assert.AreEqual(0x7988, ((IPv4Packet)ip).CalculateIPChecksum()); var udp = (UdpPacket)p.Extract (typeof(UdpPacket)); Assert.AreEqual(3619, udp.SourcePort); Assert.AreEqual(53, udp.DestinationPort); Assert.AreEqual(47, udp.Length); Assert.AreEqual(0xbe2d, udp.Checksum); }
public void ReportPacketCapture(Packet packet, DateTime arrivalTime) { IpPacket ip = (IpPacket)packet.Extract(typeof(IpPacket)); TcpPacket tcp = (TcpPacket)packet.Extract(typeof(TcpPacket)); ASCIIEncoding format = new ASCIIEncoding(); string payloadAsText = format.GetString(packet.Bytes); payloadAsText = payloadAsText.ToLower(); //remove non readable characters //payloadAsText = Regex.Replace(payloadAsText, @"[^\u0000-\u007F]", string.Empty); payloadAsText = Regex.Replace(payloadAsText, "[^0-9a-zA-Z]+", string.Empty); if ((tcp != null) && (payloadAsText.Contains("ftp"))) { int x = 5; } if (payloadAsText.Length > 255) { payloadAsText = payloadAsText.Substring(0, 255); } if (tcp != null) { _sensorEventAgent.LogEvent(_sensorId, ip.DestinationAddress.ToString(), tcp.DestinationPort, ip.SourceAddress.ToString(), tcp.SourcePort, arrivalTime, payloadAsText); } }
public Boolean AssembleTcpPacket(Packet packet) { TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket)); byte[] data = packet.PayloadPacket.PayloadPacket.PayloadData; string content = Encoding.UTF8.GetString(data); if (tcpPacket.SequenceNumber == nextSequenceNumber && data.Length != 0) { if (body != null) { Array.Copy(data, 0, body, relativeNextSequenceNumber, data.Length); // Update next sequence number // Next Sequence Number = Current Sequence Number + Packet Payload Data Length nextSequenceNumber += (uint)data.Length; relativeNextSequenceNumber += (uint)data.Length; isAssembleEnded = relativeNextSequenceNumber >= body.Length; } else { isAssembleEnded = true; } } return isAssembleEnded; }
private void VerifyPacket2(Packet p) { // expecting a tcp packet Assert.IsNotNull((TcpPacket)p.Extract(typeof(TcpPacket)), "expected a tcp packet"); }
private void VerifyPacket1(Packet p) { // expect a udp packet Assert.IsNotNull((UdpPacket)p.Extract(typeof(UdpPacket)), "expected a udp packet"); }