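/// <summary>
/// Scans every conversation in <paramref name="trace"/> for Kerberos traffic (port 88),
/// parses each such conversation and records the KRB_TGS requests in
/// <c>trace.KerbResponses</c>.
/// </summary>
/// <param name="trace">
/// The capture to scan. Its conversation list is read; <c>KerbResponses</c> is appended to.
/// Conversations whose source port is 88 are reversed in place so the KDC is always the destination.
/// </param>
/// <remarks>
/// The payloads come from a capture file and may be malformed. A failure while parsing one
/// conversation is written to the console and to the diagnostic log and does not stop the
/// processing of the remaining conversations.
/// </remarks>
public static void Process(NetworkTrace trace)
{
    foreach (ConversationData c in trace.conversations)
    {
        // Normalise direction: a conversation captured with the KDC as source is flipped so
        // that the single port test below is enough to identify Kerberos traffic.
        if (c.sourcePort == 88)
        {
            TDSParser.reverseSourceDest(c);
        }

        // Only Kerberos (port 88) conversations are of interest.
        if (c.destPort != 88)
        {
            continue;
        }

        try
        {
            KerberosData KerbData = c.isUDP ? ProcessUDP(c) : ProcessTCP(c);

            // Only KRB_TGS requests are recorded. Responses without an associated request
            // and SName types we cannot read are skipped rather than logged as errors.
            // ProcessUDP/ProcessTCP are not shown here; a null result is treated as
            // "nothing to record" instead of surfacing as a NullReferenceException in the
            // catch block below.
            if (KerbData != null && KerbData.RequestType == MessageTypes.KRB_TGS_REQ)
            {
                trace.KerbResponses.Add(KerbData);
            }
        }
        catch (Exception ex)
        {
            // One malformed conversation must not abort the scan of the whole trace.
            string message = "Exception during Kerberos processing." + "\r\n" + ex.Message + "\r\n" + ex.StackTrace;
            Console.WriteLine(message);
            Program.logDiagnostic(message);
        }
    }
}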
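/// <summary>
/// Scans every UDP conversation to the SQL Server Browser port (1434) in <paramref name="trace"/>,
/// decodes the SSRP request/response frames and records what was learned on the trace's
/// <c>SSRPData</c> entry for the target server address.
/// </summary>
/// <param name="trace">
/// The capture to scan. Conversations are read (and reversed in place when the Browser port is the
/// source); SSRP entries are obtained through <c>trace.GetSSRPRequest</c> and updated.
/// </param>
/// <remarks>
/// Frame payloads come straight from the capture and may be truncated, malformed or deliberately
/// inconsistent. The length field of a frame is validated against the actual payload size before
/// any body bytes are read, and each frame is parsed inside its own try/catch so a bad frame is
/// logged and skipped rather than aborting the scan.
/// </remarks>
public static void ProcessUDP(NetworkTrace trace)
{
    // SSRP message type, carried in the first byte of the UDP payload.
    const byte CLNT_UCAST_EX = 3;    // client request for all instances
    const byte CLNT_UCAST_INST = 4;  // client request for a specific instance
    const byte SVR_RESP = 5;         // server response

    foreach (ConversationData c in trace.conversations)
    {
        // Normalise direction so the Browser service is always the destination.
        if (c.isUDP && c.sourcePort == 1434)
        {
            TDSParser.reverseSourceDest(c);
        }

        // Parse only UDP conversations that are on port 1434.
        if (!c.isUDP || c.destPort != 1434)
        {
            continue;
        }

        SSRPData SSRPRequest = trace.GetSSRPRequest(c.destIP, c.destIPHi, c.destIPLo, c.isIPV6);
        if (!SSRPRequest.hasConversation(c))
        {
            SSRPRequest.conversations.Add(c);
        }

        foreach (FrameData fd in c.frames)
        {
            try
            {
                byte[] payload = fd.payload;
                if (payload == null || payload.Length == 0)
                {
                    Program.logDiagnostic("SSRP Parser: Empty payload in frame " + fd.frameNo + " in file " + fd.file.filePath + ".");
                    continue;
                }

                ushort bodyLength;
                switch (payload[0])
                {
                    case CLNT_UCAST_EX:
                        SSRPRequest.hasResponse = false;
                        break;

                    case CLNT_UCAST_INST:
                        SSRPRequest.hasResponse = false;
                        // A single-frame conversation means the request was never answered.
                        if (c.frames.Count == 1)
                        {
                            SSRPRequest.hasNoResponse = true;
                        }
                        if (TryGetSsrpBodyLength(fd, out bodyLength))
                        {
                            SSRPRequest.instanceRequested = utility.ReadAnsiString(payload, 3, bodyLength);
                            SSRPRequest.sqlIP = c.destIP;
                            SSRPRequest.sqlIPHi = c.destIPHi;
                            SSRPRequest.sqlIPLo = c.destIPLo;
                        }
                        break;

                    case SVR_RESP:
                        SSRPRequest.hasResponse = true;
                        if (TryGetSsrpBodyLength(fd, out bodyLength))
                        {
                            string response = utility.ReadAnsiString(payload, 3, bodyLength);
                            ParseSSRPResponse(response, SSRPRequest, trace);
                        }
                        break;

                    default:
                        // Other message types are not decoded; the frame is left alone.
                        break;
                }
            }
            catch (Exception ex)
            {
                Program.logDiagnostic("SSRP Parser: Problem parsing frame " + fd.frameNo + " in file " + fd.file.filePath + ".");
                Program.logDiagnostic(ex.Message);
            }
        }
    }
}

/// <summary>
/// Reads the 16-bit body length stored at payload offset 1 of an SSRP frame and checks that
/// the declared body actually fits inside the captured payload.
/// </summary>
/// <param name="fd">The frame whose payload is inspected; used for the diagnostic message too.</param>
/// <param name="length">The declared body length when the frame is well-formed, otherwise 0.</param>
/// <returns>
/// <c>true</c> when <c>length</c> bytes are available from offset 3; <c>false</c> (after logging)
/// when the frame is too short or its length field exceeds the payload, so that a truncated or
/// crafted frame never drives a read past the end of the buffer.
/// </returns>
private static bool TryGetSsrpBodyLength(FrameData fd, out ushort length)
{
    length = 0;
    byte[] payload = fd.payload;

    // Type byte + 2-byte length field must be present before the length can be read.
    if (payload.Length < 3)
    {
        Program.logDiagnostic("SSRP Parser: Frame " + fd.frameNo + " in file " + fd.file.filePath + " is too short to contain an SSRP length field.");
        return false;
    }

    length = utility.ReadUInt16(payload, 1);
    if (3 + length > payload.Length)
    {
        Program.logDiagnostic("SSRP Parser: Frame " + fd.frameNo + " in file " + fd.file.filePath + " declares " + length + " body bytes but only " + (payload.Length - 3) + " are present.");
        length = 0;
        return false;
    }

    return true;
}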