Exemplo n.º 1
0
            public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
            {
                if (includeSelfReference)
                {
                    yield return(this);
                }
                AbstractPacket packet = null;

                try {
                    if (this.spnegoIndex != null)
                    {
                        packet = new SimpleAndProtectedGssapiNegotiation(ParentFrame, spnegoIndex.Value, PacketEndIndex);
                    }
                    else if (this.ntlmsspIndex != null)
                    {
                        packet = new Packets.NtlmSspPacket(ParentFrame, ntlmsspIndex.Value, PacketEndIndex);
                    }
                }
                catch (Exception) {
                    //do nothing...
                }
                if (packet != null)
                {
                    yield return(packet);

                    foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                    {
                        yield return(subPacket);
                    }
                }
                else
                {
                    yield break;
                }
            }
Exemplo n.º 2
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            AbstractPacket packet = null;

            try {
                if (this.dsap == (byte)ServiceAccessPointType.SubNetworkAccessProtocol)
                {
                    if (PacketStartIndex + 8 < PacketEndIndex)
                    {
                        if (this.etherType == (ushort)Ethernet2Packet.EtherTypes.IPv4)//IPv4
                        //packet=new IPv4Packet(this.ParentFrame, PacketStartIndex+8, PacketEndIndex);
                        {
                            IPv4Packet.TryParse(this.ParentFrame, PacketStartIndex + 8, PacketEndIndex, out packet);
                        }
                        else if (this.etherType == (ushort)Ethernet2Packet.EtherTypes.ARP)//ARP
                        //packet=new Ethernet2Packet(this.ParentFrame, PacketStartIndex+8, PacketEndIndex);
                        {
                            packet = new ArpPacket(this.ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                        }
                        else
                        {
                            packet = new RawPacket(this.ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                        }
                    }
                }
                else if (this.dsap == (byte)ServiceAccessPointType.HpExtendedLLC && this.etherType == (ushort)Ethernet2Packet.EtherTypes.HPSW)
                {
                    if (PacketStartIndex + 10 < PacketEndIndex)
                    {
                        //skip HP Extended LLC positions...
                        packet = new HpSwitchProtocolPacket(this.ParentFrame, PacketStartIndex + 3 + 3 + 2 + 2, PacketEndIndex);
                    }
                }
                else  //Not 802.2 SNAP or HPSW
                {
                    if (PacketStartIndex + 3 < PacketEndIndex)
                    {
                        packet = new RawPacket(this.ParentFrame, PacketStartIndex + 3, PacketEndIndex);
                    }
                }
            }
            catch (Exception e) {
                //packet=new RawPacket(this.ParentFrame, PacketStartIndex+14, PacketEndIndex);
                SharedUtils.Logger.Log("Exception when parsing inner packet of LLC: " + e.Message, SharedUtils.Logger.EventLogEntryType.Error);
                packet = new RawPacket(this.ParentFrame, PacketStartIndex + 3, PacketEndIndex);
            }
            if (packet != null)
            {
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            AbstractPacket packet = null;

            if (base.PacketLength >= this.length)
            {
                if (parentTcpPacket.DestinationPort == 3389 || parentTcpPacket.SourcePort == 3389)
                {
                    packet = new CotpPacket(base.ParentFrame, base.PacketStartIndex + 4, base.PacketStartIndex + this.length, CotpPacket.PayloadProtocol.RDP);
                }

                if (packet != null)
                {
                    yield return(packet);

                    foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                    {
                        yield return(subPacket);
                    }
                }
            }
        }
Exemplo n.º 4
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            AbstractPacket packet          = null;
            int            erfHeaderLength = 16;

            if (this.extensionHeadersPresent)
            {
                erfHeaderLength += 4;//correct?
            }
            if (PacketStartIndex + 16 < PacketEndIndex)
            {
                if (type == (byte)RecordTypes.ERF_TYPE_ETH || type == (byte)RecordTypes.ERF_TYPE_COLOR_ETH || type == (byte)RecordTypes.ERF_TYPE_DSM_COLOR_ETH)
                {
                    packet = new Ethernet2Packet(this.ParentFrame, this.PacketStartIndex + erfHeaderLength + 2, this.PacketEndIndex);
                }
                else if (type == (byte)RecordTypes.ERF_TYPE_IPV4)
                {
                    IPv4Packet.TryParse(this.ParentFrame, this.PacketStartIndex + erfHeaderLength, this.PacketEndIndex, out packet);
                    //packet = new IPv4Packet(this.ParentFrame, this.PacketStartIndex + erfHeaderLength, this.PacketEndIndex);
                }
                else if (type == (byte)RecordTypes.ERF_TYPE_IPV6)
                {
                    packet = new IPv6Packet(this.ParentFrame, this.PacketStartIndex + erfHeaderLength, this.PacketEndIndex);
                }
                else if (
                    type == (byte)RecordTypes.ERF_TYPE_HDLC_POS ||
                    type == (byte)RecordTypes.ERF_TYPE_COLOR_HDLC_POS ||
                    type == (byte)RecordTypes.ERF_TYPE_DSM_COLOR_HDLC_POS ||
                    type == (byte)RecordTypes.ERF_TYPE_COLOR_MC_HDLC_POS)
                {
                    int firstByte = this.ParentFrame.Data[this.PacketStartIndex];
                    if (firstByte == 0x0f || firstByte == 0x8f)
                    {
                        packet = new CiscoHdlcPacket(this.ParentFrame, this.PacketStartIndex + erfHeaderLength, this.PacketEndIndex);
                    }
                    else
                    {
                        packet = new PointToPointPacket(this.ParentFrame, this.PacketStartIndex + erfHeaderLength, this.PacketEndIndex);
                    }
                }

                if (packet != null)
                {
                    yield return(packet);

                    foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                    {
                        yield return(subPacket);
                    }
                }
            }
        }
Exemplo n.º 5
0
 internal NetworkPacket(NetworkHost sourceHost, NetworkHost destinationHost, Packets.AbstractPacket ipPacket)
 {
     this.tcpSynFlag         = false;
     this.tcpSynAckFlag      = false;
     this.tcpPacketByteCount = 0;
     this.sourceHost         = sourceHost;
     this.destinationHost    = destinationHost;
     this.packetBytes        = ipPacket.PacketEndIndex - ipPacket.PacketStartIndex + 1;
     this.timestamp          = ipPacket.ParentFrame.Timestamp;
     this.payloadBytes       = 0;
     this.cleartextBytes     = 0;
 }
Exemplo n.º 6
0
        internal IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference, ISessionProtocolFinder protocolFinder, bool clientToServer)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            if (this.PayloadDataLength > 0)
            {
                AbstractPacket packet = null;
                if (protocolFinder.GetConfirmedApplicationLayerProtocol() != ApplicationLayerProtocol.Unknown)
                {
                    try {
                        packet = this.GetProtocolPacket(protocolFinder.GetConfirmedApplicationLayerProtocol(), clientToServer);
                    }
                    catch (Exception e) {
                        SharedUtils.Logger.Log("Error parsing frame " + this.ParentFrame.FrameNumber + " as " + protocolFinder.GetConfirmedApplicationLayerProtocol() + " packet: " + e.Message, SharedUtils.Logger.EventLogEntryType.Error);
                        packet = null;
                    }
                }
                if (packet == null)
                {
                    foreach (ApplicationLayerProtocol protocol in protocolFinder.GetProbableApplicationLayerProtocols())
                    {
                        try {
                            packet = this.GetProtocolPacket(protocol, clientToServer);
                            if (packet != null)
                            {
                                protocolFinder.SetConfirmedApplicationLayerProtocol(protocol, true);
                                break;
                            }
                        }
                        catch (Exception e) {
                            SharedUtils.Logger.Log("Unable to parse frame " + this.ParentFrame.FrameNumber + " as " + protocol + " packet: " + e.Message, SharedUtils.Logger.EventLogEntryType.Warning);
                            packet = null;
                        }
                    }
                }
                if (packet == null)
                {
                    packet = new RawPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                }
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
Exemplo n.º 7
0
        public Frame(DateTime timestamp, byte[] data, System.Type packetType, long frameNumber, bool precomputePacketList, bool quickParse, int maxFrameSize)
        {
            if (data.Length > maxFrameSize)
            {
                throw new ArgumentException("Frame larger than max allowed size " + maxFrameSize);
            }

            this.precomputePacketList = precomputePacketList;
            this.frameNumber          = frameNumber;
            this.quickParse           = quickParse;

            this.timestamp = timestamp;
            this.data      = data;

            //TODO: add check for quickParse
            if (!quickParse)
            {
                this.errorList = new List <Error>();
            }

            this.packetList = new SortedList <int, Packets.AbstractPacket>();


            Packets.AbstractPacket packet = null;

            if (data.Length > 0)
            {
                Packets.PacketFactory.TryGetPacket(out packet, packetType, this, 0, data.Length - 1);
            }

            if (packet != null)
            {
                packetList.Add(packet.PacketStartIndex, packet);
                if (this.precomputePacketList)
                {
                    foreach (Packets.AbstractPacket p in packet.GetSubPackets(false))
                    {
                        if (packetList.ContainsKey(p.PacketStartIndex))
                        {
                            packetList[p.PacketStartIndex] = p;
                        }
                        else
                        {
                            packetList.Add(p.PacketStartIndex, p);
                        }
                    }
                }
            }
        }
Exemplo n.º 8
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            AbstractPacket packet = Ethernet2Packet.GetPacketForType(this.etherType, this.ParentFrame, this.PacketStartIndex + PACKET_LENGTH, this.PacketEndIndex);

            yield return(packet);

            foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
            {
                yield return(subPacket);
            }
        }
Exemplo n.º 9
0
        internal NetworkPacket(NetworkHost sourceHost, NetworkHost destinationHost, Packets.AbstractPacket ipPacket)
        {
            this.tcpSynFlag         = false;
            this.tcpSynAckFlag      = false;
            this.tcpPacketByteCount = 0;
            this.sourceHost         = sourceHost;
            this.destinationHost    = destinationHost;
            this.packetBytes        = ipPacket.PacketEndIndex - ipPacket.PacketStartIndex + 1;
            this.timestamp          = ipPacket.ParentFrame.Timestamp;
            //this.cleartextWords=new List<string>();
            this.payloadBytes   = 0;
            this.cleartextBytes = 0;

            //these have to be set after for example SetPayload()
            //sourceHost.SentPackets.Add(this);
            //destinationHost.ReceivedPackets.Add(this);
        }
Exemplo n.º 10
0
 public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
 {
     if (includeSelfReference)
     {
         yield return(this);
     }
     if (this.PacketStartIndex + this.ppiLength <= this.PacketEndIndex)
     {
         AbstractPacket subPacket = null;
         if (PacketFactory.TryGetPacket(out subPacket, this.dataLinkType, this.ParentFrame, this.PacketStartIndex + this.ppiLength, this.PacketEndIndex))
         {
             yield return(subPacket);
         }
         else
         {
             yield return(new RawPacket(this.ParentFrame, this.PacketStartIndex + this.ppiLength, this.PacketEndIndex));
         }
     }
 }
Exemplo n.º 11
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            AbstractPacket packet = null;

            if (this.protocolFamily == (uint)ProtocolFamily.AF_INET && IPv4Packet.TryParse(this.ParentFrame, this.PacketStartIndex + PACKET_LENGTH, this.PacketEndIndex, out packet))
            {
                //packet = new IPv4Packet(this.ParentFrame, this.PacketStartIndex + PACKET_LENGTH, this.PacketEndIndex);
            }
            else if (this.protocolFamily == (uint)ProtocolFamily.AF_INET6_OpenBSD)
            {
                packet = new IPv6Packet(this.ParentFrame, this.PacketStartIndex + PACKET_LENGTH, this.PacketEndIndex);
            }
            else if (this.protocolFamily == (uint)ProtocolFamily.AF_INET6_FreeBSD)
            {
                packet = new IPv6Packet(this.ParentFrame, this.PacketStartIndex + PACKET_LENGTH, this.PacketEndIndex);
            }
            else if (this.protocolFamily == (uint)ProtocolFamily.AF_INET6_OSX)
            {
                packet = new IPv6Packet(this.ParentFrame, this.PacketStartIndex + PACKET_LENGTH, this.PacketEndIndex);
            }

            if (packet == null)
            {
                yield break;
            }
            else
            {
                yield return(packet);
            }
            foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
            {
                yield return(subPacket);
            }
        }
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            //what to do here?? SMB packet???
            if (smbPacketIndex == null)
            {
                yield break;
            }
            else
            {
                AbstractPacket smb = null;
                if (ParentFrame.Data[this.smbPacketIndex.Value] == 0xff)//SMB
                {
                    smb = new SmbPacket(this.ParentFrame, this.smbPacketIndex.Value, this.PacketEndIndex);
                }
                else if (ParentFrame.Data[this.smbPacketIndex.Value] == 0xfe)//SMB2
                {
                    smb = new Smb2Packet(this.ParentFrame, this.smbPacketIndex.Value, this.PacketEndIndex);
                }
                else
                {
                    yield break;
                }

                if (smb != null)
                {
                    foreach (AbstractPacket p in smb.GetSubPackets(true))
                    {
                        yield return(p);
                    }
                }
            }
        }
Exemplo n.º 13
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            //throw new Exception("The method or operation is not implemented.");
            if (includeSelfReference)
            {
                yield return(this);
            }

            AbstractPacket packet = null;

            if (this.encapsulatedProtocol == PayloadProtocol.RDP && this.GetTpdu() == Tpdu.ConnectionRequest)
            {
                packet = new RdpPacket.Cookie(base.ParentFrame, base.PacketStartIndex + 7, base.PacketEndIndex);
            }
            if (packet != null)
            {
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
Exemplo n.º 14
0
        //use this one instead of the constructor to speed things up by reducing Exceptions
        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, bool clientToServer, out AbstractPacket result)
        {
            result = null;

            //start testing to see if this is a valid Spotify packet
            if (clientToServer)
            {
                //check if the keyExchangePacketLength equals the application data length
                ushort keyExchangePacketLength = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 2);
                if (keyExchangePacketLength != packetEndIndex - packetStartIndex + 1)
                {
                    return(false);
                }
                //it is now pretty probable that what we have is a spotify packet
                //but not sure enough since TDS (MS-SQL) has the length field in the same place...
                ushort version = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex);
                if (version != 0x02 && version != 0x03)
                {
                    return(false);
                }
                try {
                    result = new SpotifyKeyExchangePacket(parentFrame, packetStartIndex, packetEndIndex, clientToServer);
                }
                catch {
                    result = null;
                }
            }
            else
            {
                //the best I can do with the server->client packet is to ensure that the length of the data matches what the content says it should be
                if (packetEndIndex - packetStartIndex + 1 < 381) //from version 2
                {
                    return(false);                               //too short message
                }
                //if(packetEndIndex-packetStartIndex+1>381+256+256)//from version 2
                if (packetEndIndex - packetStartIndex + 1 > 388 + 256 + 256 + 4 * 65535) //from version 3
                {
                    return(false);                                                       //too long message
                }
                //380+username_length+padding_length
                int v2expectedLength = -1;
                if (packetStartIndex + 380 + parentFrame.Data[packetStartIndex + 17] <= packetEndIndex)
                {
                    v2expectedLength = 380 + parentFrame.Data[packetStartIndex + 17] + parentFrame.Data[packetStartIndex + 380 + parentFrame.Data[packetStartIndex + 17]];
                }
                int v3expectedLength = -1;
                if (packetStartIndex + 0x182 + 1 <= packetEndIndex)
                {
                    v3expectedLength = 0x184 + parentFrame.Data[packetStartIndex + 0x17a] + parentFrame.Data[packetStartIndex + 0x17b] + Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 0x17c) + Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 0x17e) + Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 0x180) + Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 0x182);
                }
                //see if any of the lengths match
                if (packetEndIndex - packetStartIndex + 1 != v2expectedLength && packetEndIndex - packetStartIndex + 1 != v3expectedLength)
                {
                    return(false);
                }

                try {
                    result = new SpotifyKeyExchangePacket(parentFrame, packetStartIndex, packetEndIndex, clientToServer);
                }
                catch {
                    result = null;
                }
            }

            if (result == null)
            {
                return(false);
            }
            else
            {
                return(true);
            }
        }
        new public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
        {
            result = null;
            try {
                if (packetEndIndex - packetStartIndex < 255)
                {
                    return(false);
                }
                if (!Utils.ByteConverter.ReadString(parentFrame.Data, packetStartIndex, 4).Equals("OFT2"))
                {
                    return(false);
                }
                if (!Enum.IsDefined(typeof(CommandType), Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 6)))
                {
                    return(false);
                }

                result = new OscarFileTransferPacket(parentFrame, packetStartIndex, packetEndIndex);
            }
            catch {
                return(false);
            }
            return(true);
        }
Exemplo n.º 16
0
 //public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result) {
 public static new bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     result = null;
     try {
         byte headerLength = (byte)(4 * (parentFrame.Data[packetStartIndex] & (byte)0x0F));
         if ((parentFrame.Data.Length < packetStartIndex + 20))
         {
             return(false);
         }
         else if ((parentFrame.Data[packetStartIndex] >> 4) != 0x04 || headerLength < 20)
         {
             return(false);
         }
         else
         {
             ushort totalLength = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 2);
             if (totalLength > MAX_JUMBO_FRAME_SIZE && totalLength > parentFrame.Data.Length)
             {
                 return(false);
             }
             else
             {
                 result = new IPv4Packet(parentFrame, packetStartIndex, packetEndIndex);
                 return(true);
             }
         }
     }
     catch {
         return(false);
     }
 }
Exemplo n.º 17
0
 new public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     result = null;
     try {
         if (parentFrame.Data[packetStartIndex] != APDU_START_MAGIC_VALUE)
         {
             return(false);
         }
         else
         {
             result = new IEC_60870_5_104Packet(parentFrame, packetStartIndex, packetEndIndex);
             return(true);
         }
     } catch {
         return(false);
     }
 }
Exemplo n.º 18
0
 public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, bool clientToServer, out AbstractPacket result)
 {
     result = null;
     try {
         if (clientToServer)
         {
             if (LpdRequestPacket.TryParseCommandLine(parentFrame.Data, packetStartIndex, packetEndIndex, out _, out _, out _))
             {
                 result = new LpdRequestPacket(parentFrame, packetStartIndex, packetEndIndex);
             }
             else
             {
                 return(LpdControlFilePacket.TryParse(parentFrame, packetStartIndex, packetEndIndex, out result));
             }
         }
         else if (packetStartIndex == packetEndIndex)
         {
             result = new LpdResponsePacket(parentFrame, packetStartIndex);
         }
     }
     catch { }
     return(result != null);
 }
Exemplo n.º 19
0
 public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, ushort sourcePort, ushort destinationPort, out AbstractPacket result)
 {
     result = null;
     try {
         if (packetEndIndex - packetStartIndex + 1 >= MIN_FRAME_LENGTH && Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 2, false) == MODBUS_TCP_PROTOCOL_ID)
         {
             result = new ModbusTcpPacket(parentFrame, packetStartIndex, packetEndIndex, sourcePort, destinationPort);
             return(true);
         }
         else
         {
             return(false);
         }
     } catch {
         return(false);
     }
 }
Exemplo n.º 20
0
        internal IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference, ISessionProtocolFinder protocolFinder, bool clientToServer)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            if (PacketStartIndex + dataOffsetByteCount < PacketEndIndex)
            {
                AbstractPacket packet = null;
                if (protocolFinder.GetConfirmedApplicationLayerProtocol() != ApplicationLayerProtocol.Unknown)
                {
                    try {
                        packet = this.GetProtocolPacket(protocolFinder.GetConfirmedApplicationLayerProtocol(), clientToServer);
                    }
                    catch { }
                }
                if (packet == null)
                {
                    foreach (ApplicationLayerProtocol protocol in protocolFinder.GetProbableApplicationLayerProtocols())
                    {
                        try {
                            packet = this.GetProtocolPacket(protocol, clientToServer);
                            if (packet != null)
                            {
                                protocolFinder.SetConfirmedApplicationLayerProtocol(protocol, true);
                                break;
                            }

                            /*
                             * if (protocol == ApplicationLayerProtocol.Dns) {
                             *  packet = new DnsPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                             *  protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Dns;
                             *  break;
                             * }
                             * else if (protocol == ApplicationLayerProtocol.FtpControl) {
                             *  if (FtpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.FtpControl;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Http) {
                             *  if (HttpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Http;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Irc) {
                             *  if (IrcPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Irc;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.IEC_104) {
                             *  if (IEC_60870_5_104Packet.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.IEC_104;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Imap) {
                             *  packet = new ImapPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer);
                             *  protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Imap;
                             *  break;
                             * }
                             * else if (protocol == ApplicationLayerProtocol.ModbusTCP) {
                             *  if (ModbusTcpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, this.sourcePort, this.destinationPort, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.ModbusTCP;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.NetBiosNameService) {
                             *  packet = new NetBiosNameServicePacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                             *  protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosNameService;
                             *  break;
                             * }
                             * else if (protocol == ApplicationLayerProtocol.NetBiosSessionService) {
                             *  //if (NetBiosSessionService.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *  if (NetBiosSessionService.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, this.sourcePort, this.destinationPort, out packet)) {
                             *      //packet = new NetBiosSessionService(ParentFrame, PacketStartIndex+dataOffsetByteCount, PacketEndIndex, false);
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosSessionService;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.OpenFlow) {
                             *  if (OpenFlowPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.OpenFlow;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Oscar) {
                             *  if (OscarPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Oscar;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.OscarFileTransfer) {
                             *  if (OscarFileTransferPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.OscarFileTransfer;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Pop3) {
                             *  packet = new Pop3Packet(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer);
                             *  protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Pop3;
                             *  break;
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Smtp) {
                             *  packet = new SmtpPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer);
                             *  protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Smtp;
                             *  break;
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Socks) {
                             *  if (SocksPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Socks;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol) {
                             *  if (SpotifyKeyExchangePacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.SpotifyServerProtocol;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Ssh) {
                             *  if (SshPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssh;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Ssl) {
                             *  if (SslPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssl;
                             *      break;
                             *  }
                             * }
                             * else if (protocol == ApplicationLayerProtocol.TabularDataStream) {
                             *  packet = new TabularDataStreamPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                             *  protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.TabularDataStream;
                             *  break;
                             * }
                             * else if (protocol == ApplicationLayerProtocol.Tpkt) {
                             *  if (TpktPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, this, out packet)) {
                             *      protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Tpkt;
                             *      break;
                             *  }
                             * }*/
                        }
                        catch (Exception) {
                            packet = null;
                        }
                    }
                }
                if (packet == null)
                {
                    packet = new RawPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                }
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
Exemplo n.º 21
0
        private AbstractPacket GetProtocolPacket(ApplicationLayerProtocol protocol, bool clientToServer)
        {
            AbstractPacket packet = null;

            if (protocol == ApplicationLayerProtocol.Dns)
            {
                if (DnsPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true, out DnsPacket dnsPacket))
                {
                    return(dnsPacket);
                }
            }
            else if (protocol == ApplicationLayerProtocol.FtpControl)
            {
                if (FtpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Http)
            {
                if (HttpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Http2)
            {
                if (Http2Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Irc)
            {
                if (IrcPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.IEC_104)
            {
                if (IEC_60870_5_104Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Imap)
            {
                return(new ImapPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Kerberos)
            {
                return(new KerberosPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true));
            }
            else if (protocol == ApplicationLayerProtocol.Lpd)
            {
                if (LpdPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.ModbusTCP)
            {
                if (ModbusTcpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.NetBiosNameService)
            {
                return(new NetBiosNameServicePacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.NetBiosSessionService)
            {
                if (NetBiosSessionService.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet, this.IsVirtualPacketFromTrailingDataInTcpSegment))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.OpenFlow)
            {
                if (OpenFlowPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Oscar)
            {
                if (OscarPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.OscarFileTransfer)
            {
                if (OscarFileTransferPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Pop3)
            {
                return(new Pop3Packet(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Sip)
            {
                return(new SipPacket(this.ParentFrame, this.PacketStartIndex + this.DataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.Smtp)
            {
                return(new SmtpPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Socks)
            {
                if (SocksPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol)
            {
                if (SpotifyKeyExchangePacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Ssh)
            {
                if (SshPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Ssl)
            {
                if (SslPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.TabularDataStream)
            {
                return(new TabularDataStreamPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.Tpkt)
            {
                if (TpktPacket.TryParse(ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this, out packet))
                {
                    return(packet);
                }
            }
            return(packet);
        }
Exemplo n.º 22
0
 public new static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     /**
      *  The control file must be an ASCII stream with the ends of lines
      *  indicated by ASCII LF.
      *  [...]
      *  Once all of the contents have
      *  been delivered, an octet of zero bits is sent as an indication that
      *  the file being sent is complete.
      */
     result = null;
     if (parentFrame.Data[packetEndIndex] != 0x00)
     {
         return(false);
     }
     if (packetEndIndex > packetStartIndex && parentFrame.Data[packetEndIndex - 1] != 0x0a)
     {
         return(false);
     }
     for (int i = packetStartIndex; i < packetEndIndex - 1; i++)
     {
         if (parentFrame.Data[i] > 126)
         {
             return(false);
         }
         if (parentFrame.Data[i] != 0x0a && char.IsControl((char)parentFrame.Data[i]) && !WHITE_SPACE_CHARS.Contains((char)parentFrame.Data[i]))
         {
             return(false);
         }
     }
     try {
         result = new LpdControlFilePacket(parentFrame, packetStartIndex, packetEndIndex);
         return(true);
     }
     catch {
         return(false);
     }
 }
        public static new bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
        {
            result = null;
            if (!Enum.IsDefined(typeof(ContentTypes), parentFrame.Data[packetStartIndex]))
            {
                return(false);
            }

            //verify that the complete TLS record has been received
            ushort length = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 3);

            if (length + 5 > packetEndIndex - packetStartIndex + 1)
            {
                return(false);
            }

            try {
                result = new TlsRecordPacket(parentFrame, packetStartIndex, packetEndIndex);
            }
            catch {
                result = null;
            }

            if (result == null)
            {
                return(false);
            }
            else
            {
                return(true);
            }
        }
Exemplo n.º 24
0
 public static new bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     //this.version = parentFrame.Data[packetStartIndex];
     //this.type = parentFrame.Data[packetStartIndex + 1];
     result = null;
     try {
         ushort length = (ushort)Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex + 2);
         if (length > packetEndIndex - packetStartIndex + 1)
         {
             return(false);
         }
         else
         {
             result = new OpenFlowPacket(parentFrame, packetStartIndex, packetEndIndex);
         }
     }
     catch (Exception) {
         return(false);
     }
     return(result != null);
 }
 public static new bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     throw new System.NotImplementedException("use TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, ushort sourcePort, ushort destinationPort, out AbstractPacket result)");
 }
        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, ushort sourcePort, ushort destinationPort, out AbstractPacket result, bool isVirtualPacketFromTrailingDataInTcpSegment = false)
        {
            result = null;
            bool raw = sourcePort == 445 || destinationPort == 445;
            uint sessionServiceHeader = Utils.ByteConverter.ToUInt32(parentFrame.Data, packetStartIndex);

            if (sessionServiceHeader == 0x85000000)
            {
                //CIFS TCP session keep-alive message
                result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + 3, raw);
                return(true);
            }
            else
            {
                uint   length;
                byte[] allowedCommands = { 0x00, 0x81, 0x82, 0x83, 0x84, 0x85 };                          //see NetBIOS RFC 1002 http://tools.ietf.org/html/rfc1002
                //if ((sessionServiceHeader & 0xff000000) != 0) //first byte must be zero according to http://ubiqx.org/cifs/SMB.html
                if (Array.IndexOf <byte>(allowedCommands, (byte)(sessionServiceHeader & 0xff000000)) < 0) //first byte must be 0x00, 0x81, 0x82, 0x83, 0x84, 0x85 according to RFC 1002
                {
                    return(false);
                }
                if (raw)
                {
                    length = sessionServiceHeader & 0x00ffffff;//get the last 3 bytes (24 bits)
                }
                else
                {
                    length = sessionServiceHeader & 0x0001ffff;//get the last 17 bits
                }
                if (length == packetEndIndex - packetStartIndex + 1 - 4)
                {
                    result = new NetBiosSessionService(parentFrame, packetStartIndex, packetEndIndex, raw);
                    return(true);
                }
                else if (length < packetEndIndex - packetStartIndex + 1 - 4)
                {
                    //there is more data to parse after the returned result
                    byte nextPacketHeaderByte = parentFrame.Data[packetStartIndex + length + 4];
                    if (nextPacketHeaderByte == 0x00 || nextPacketHeaderByte == 0x85)
                    {
                        result = new NetBiosSessionService(parentFrame, packetStartIndex, packetStartIndex + (int)length + 3, raw);
                        return(true);
                    }
                    else
                    {
                        return(false);
                    }
                }
                else
                {
                    //Check for EternalBlue exploit
                    //https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
                    if (length > 0x1000 && packetEndIndex - packetStartIndex + 1 - 4 < 800 && !isVirtualPacketFromTrailingDataInTcpSegment)
                    {
                        if (length == 0xfff7)//this is the value used in most exploits, but it can probably be any large value
                        {
                            parentFrame.Errors.Add(new Frame.Error(parentFrame, packetStartIndex, packetEndIndex, "EternalBlue exploit attempt, nbss size = 0x" + length.ToString("x4")));
                        }
                        else
                        {
                            //this might lead to false positives if this is an SMB packet that has been chained after another AndX SMB packet in the same frame. Thus this is the trailing packet that has been cut off due to MSS (see PCAP "SMB File transfer 3" for details)
                            parentFrame.Errors.Add(new Frame.Error(parentFrame, packetStartIndex, packetEndIndex, "Possible EternalBlue exploit attempt, nbss size = 0x" + length.ToString("x4")));
                        }
                    }
                    return(false);
                }
            }
        }
Exemplo n.º 27
0
 public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     result = null;
     return(false);
 }
Exemplo n.º 28
0
        /*
         * public override
         *  LÄGG TILL EN PACKET FACTORY TILL VARJE PAKET_KLASS OCH LÅT DEN GÖRA EN ENKEL KOLL ATT PAKETET KAN PARSAS!
         * GÖR SJÄLVA KONSTRUKTORN PRIVAT!
         */
        new public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
        {
            result = null;

            //start testing
            int    dataIndex = packetStartIndex;
            string startLine = Utils.ByteConverter.ReadLine(parentFrame.Data, ref dataIndex);

            if (startLine == null)
            {
                return(false);
            }
            else if (startLine.Length > 2048)
            {
                return(false);
            }
            else if (!(startLine.StartsWith("GET") || startLine.StartsWith("HEAD") || startLine.StartsWith("POST") || startLine.StartsWith("PUT") || startLine.StartsWith("DELETE") || startLine.StartsWith("TRACE") || startLine.StartsWith("OPTIONS") || startLine.StartsWith("CONNECT") || startLine.StartsWith("HTTP")))
            {
                return(false);
            }


            try {
                result = new HttpPacket(parentFrame, packetStartIndex, packetEndIndex);
            }
            catch {
                result = null;
            }


            if (result == null)
            {
                return(false);
            }
            else
            {
                return(true);
            }
        }
Exemplo n.º 29
0
        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, bool clientToServer, out AbstractPacket result)
        {
            result = null;
            try {
                if (clientToServer)
                {
                    //first character should be letter
                    char firstChar = (char)parentFrame.Data[packetStartIndex];
                    if (!Char.IsLetter(firstChar))
                    {
                        return(false);
                    }
                    int    index   = packetStartIndex;//index will be changed...
                    string command = Utils.ByteConverter.ReadLine(parentFrame.Data, ref index);
                    if (command.Contains(" "))
                    {
                        command = command.Substring(0, command.IndexOf(' '));
                    }
                    if (Array.IndexOf <string>(userCommands, command.ToUpper()) == -1)
                    {
                        return(false);
                    }
                }
                else  //server to client
                      //first 3 characters should be numbers
                {
                    if (!Char.IsDigit((char)parentFrame.Data[packetStartIndex]))
                    {
                        return(false);
                    }
                    if (!Char.IsDigit((char)parentFrame.Data[packetStartIndex + 1]))
                    {
                        return(false);
                    }
                    if (!Char.IsDigit((char)parentFrame.Data[packetStartIndex + 2]))
                    {
                        return(false);
                    }

                    //avoid classifying SMTP as FTP
                    int index = packetStartIndex;
                    if (Utils.ByteConverter.ReadLine(parentFrame.Data, ref index).Contains("ESMTP"))
                    {
                        return(false);
                    }
                }
                result = new FtpPacket(parentFrame, packetStartIndex, packetEndIndex, clientToServer);
                return(true);
            }
            catch {
                return(false);
            }
        }
Exemplo n.º 30
0
 new public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, out AbstractPacket result)
 {
     throw new Exception("Not implemented");
 }