public DataBlock(string pFile, int start, int len, TcpRecon pRecon)
{
parentFile = pFile;
startOffset = start;
length = len;
endOffset = start + len;
recon = pRecon;
}
// The callback function for the SharpPcap library
private void device_PcapOnPacketArrival(object sender, CaptureEventArgs e)
{
Packet packet;
try
{
packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
}
catch (Exception ex)
{
//System.Console.Write(ex.Message); //todo: sometimes get error raw packet not implemented?
return;
}
if (firstTimeStamp == 0)
{
firstTimeStamp = decimal.Parse(e.Packet.Timeval.Seconds.ToString() + "." + e.Packet.Timeval.MicroSeconds.ToString());
}
totalPackets++;
UdpPacket udpPacket = (UdpPacket)packet.Extract(typeof(UdpPacket));
if (udpPacket != null)
{
HandleDNS(udpPacket);
return;
}
IpPacket ipPacket = (IpPacket)packet.Extract(typeof(IpPacket));
TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket));
if (tcpPacket == null) return;
totalTCPPackets++;
Connection c = new Connection(tcpPacket);
TcpRecon recon = null;
curPacket = tcpPacket;
curPacketTime = e.Packet.Timeval;
if (!sharpPcapDict.ContainsKey(c))
{
c.generateFileName(outDir);
recon = new TcpRecon(c.fileName);
recon.LastSourcePort = tcpPacket.SourcePort;
recon.StreamStartTimeStamp = e.Packet.Timeval.Seconds.ToString() + "." + e.Packet.Timeval.MicroSeconds.ToString();
decimal curTime = decimal.Parse(recon.StreamStartTimeStamp);
recon.relativeTimeStamp = (curTime - firstTimeStamp).ToString();
sharpPcapDict.Add(c, recon);
if (!IPExists("tcp: " + ipPacket.DestinationAddress)) ips.Add("tcp: " + ipPacket.DestinationAddress);
if (!IPExists("tcp: " + ipPacket.SourceAddress)) ips.Add("tcp: " + ipPacket.SourceAddress);
owner.Invoke(NewStream, recon);
}else{
recon = sharpPcapDict[c];
}
//can contain fragments and out of order packets
recon.ReassemblePacket(ipPacket.SourceAddress.Address,
ipPacket.DestinationAddress.Address,
tcpPacket, e.Packet.Timeval);
if (recon.PacketWritten) //reassembly/reordering complete data was saved this time..
{
if (recon.LastSourcePort != tcpPacket.SourcePort) //previous entry is now complete so lets add it.
{
AddNewNode(recon);
recon.LastSourcePort = tcpPacket.SourcePort;
}
}
}
private void AddNewNode(TcpRecon recon)
{
int startAt = (int)recon.LastSavedOffset;
int endAt = (int)recon.PreviousPacketEndOffset;
if (recon.isComplete) endAt =(int)recon.CurrentOffset;
DataBlock db = new DataBlock(recon.dumpFile, startAt, endAt - startAt, recon);
db.EpochTimeStamp = curPacketTime.Seconds.ToString() + "." + curPacketTime.MicroSeconds.ToString();
/*string fu = firstTimeStamp_s.ToString() + "." + firstTimeStamp_ms.ToString();
string fu2 = firstpacketTimeStamp_s.ToString() + "." + firstpacketTimeStamp_ms.ToString();
decimal tmp = decimal.Parse(fu);
decimal temp2 = decimal.Parse(fu2);
decimal x = temp2 - tmp;
db.relativeTimeStamp = x.ToString();
firstpacketTimeStamp_s = 0;*/
/*long hi = (long)curPacket.PcapHeader.Seconds - firstTimeStamp_s;
long low = (long)curPacket.PcapHeader.MicroSeconds - firstTimeStamp_ms;
db.relativeTimeStamp = hi.ToString() + "." + low.ToString();
*/
owner.Invoke(NewNode, db);
recon.LastSavedOffset = recon.PreviousPacketEndOffset;
}
//#region reconManager callbacks
private string getParentNodeName(TcpRecon recon)
{
string nText = Path.GetFileName(recon.dumpFile);
return getParentNodeName(nText);
}
public void NewStream(TcpRecon recon)
{
TreeNode n = null;
string nText = getParentNodeName(recon);
n = tv.Nodes.Add(recon.HashCode, nText);
n.Tag = recon;
tv.Refresh();
}