public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <AbstractPacket> packetList) { ITransportLayerPacket transportLayerPacket = packetList.OfType <ITransportLayerPacket>().First(); foreach (CifsBrowserPacket browser in packetList.OfType <CifsBrowserPacket>()) { System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); if (!string.IsNullOrEmpty(browser.Hostname)) { sourceHost.AddHostName(browser.Hostname, browser.PacketTypeDescription); } if (!string.IsNullOrEmpty(browser.DomainOrWorkgroup)) { sourceHost.AddDomainName(browser.DomainOrWorkgroup); } if (browser.OSVersion.major > 0 || browser.OSVersion.minor > 0) { sourceHost.AddNumberedExtraDetail("Windows Version", "" + browser.OSVersion.major + "." + browser.OSVersion.minor); } if (browser.Uptime != null) { parameters.Add("CIFS Browser Service Uptime", browser.Uptime.Value.ToString()); } if (parameters.Count > 0) { //TODO: figure out the five tuple! Events.ParametersEventArgs pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime"); //var pe = new Events.ParametersEventArgs(browser.ParentFrame.FrameNumber, ft, true, parameters, browser.ParentFrame.Timestamp, "CIFS Browser/MS-BRWS Uptime"); base.MainPacketHandler.OnParametersDetected(pe); } } }
private void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, Packets.DhcpPacket dhcpPacket) { if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress)) { sourceHost.MacAddress = dhcpPacket.ClientMacAddress; } else if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (destinationHost.MacAddress == null || dhcpPacket.ClientMacAddress != destinationHost.MacAddress)) { destinationHost.MacAddress = dhcpPacket.ClientMacAddress; } if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootReply && (dhcpPacket.GatewayIpAddress != null && dhcpPacket.GatewayIpAddress != System.Net.IPAddress.None && dhcpPacket.GatewayIpAddress.Address > 0)) { destinationHost.ExtraDetailsList["Default Gateway"] = dhcpPacket.GatewayIpAddress.ToString(); } System.Collections.Specialized.NameValueCollection optionParameterList = new System.Collections.Specialized.NameValueCollection(); //now check all the DHCP options //byte dhcpMessageType=0x00;//1=Discover, 2=Offer, 3=Request, 5=Ack, 8=Inform foreach (Packets.DhcpPacket.Option option in dhcpPacket.OptionList) { //TODO: Add option to Parameters list if (option.OptionCode == 12)//hostname { string hostname = Utils.ByteConverter.ReadString(option.OptionValue); sourceHost.AddHostName(hostname); optionParameterList.Add("DHCP Option 12 Hostname", hostname); } else if (option.OptionCode == 15)//Domain Name { string domain = Utils.ByteConverter.ReadString(option.OptionValue); sourceHost.AddDomainName(domain); optionParameterList.Add("DHCP Option 15 Domain", domain); } else if (option.OptionCode == 50) //requested IP address { if (dhcpPacket.DhcpMessageType == 3) //Must be a DHCP Request { System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue); if (sourceHost.IPAddress != requestedIpAddress) { if (!base.MainPacketHandler.NetworkHostList.ContainsIP(requestedIpAddress)) { NetworkHost clonedHost = new NetworkHost(requestedIpAddress); clonedHost.MacAddress = sourceHost.MacAddress; //foreach(string hostname in sourceHost.HostNameList) // clonedHost.AddHostName(hostname); lock (base.MainPacketHandler.NetworkHostList) base.MainPacketHandler.NetworkHostList.Add(clonedHost); //now change the host to the cloned one (and hope it works out...) sourceHost = clonedHost; } else { sourceHost = base.MainPacketHandler.NetworkHostList.GetNetworkHost(requestedIpAddress); if (dhcpPacket.OpCode == Packets.DhcpPacket.OpCodeValue.BootRequest && (sourceHost.MacAddress == null || dhcpPacket.ClientMacAddress != sourceHost.MacAddress)) { sourceHost.MacAddress = dhcpPacket.ClientMacAddress; } } } if (sourceHost.MacAddress != null && previousIpList.ContainsKey(sourceHost.MacAddress.ToString())) { //if(previousIpList.ContainsKey(sourceHost.MacAddress.ToString())) { sourceHost.AddNumberedExtraDetail("Previous IP", previousIpList[sourceHost.MacAddress.ToString()].ToString()); //sourceHost.ExtraDetailsList["Previous IP"]=previousIpList[sourceHost.MacAddress.ToString()].ToString(); previousIpList.Remove(sourceHost.MacAddress.ToString()); } } else if (dhcpPacket.DhcpMessageType == 1)//DHCP discover //see which IP address the client hade previously //They normally requests the same IP as they hade before... { System.Net.IPAddress requestedIpAddress = new System.Net.IPAddress(option.OptionValue); this.previousIpList[sourceHost.MacAddress.ToString()] = requestedIpAddress; } } /* * else if(option.OptionCode==53) {//DHCP message type * if(option.OptionValue!=null && option.OptionValue.Length==1) * dhcpMessageType=option.OptionValue[0]; * }/*/ else if (option.OptionCode == 60)//vendor class identifier { string vendorCode = Utils.ByteConverter.ReadString(option.OptionValue); sourceHost.AddDhcpVendorCode(vendorCode); optionParameterList.Add("DHCP Option 60 Vendor Code", vendorCode); } else if (option.OptionCode == 81) //Client Fully Qualified Domain Name { string domain = Utils.ByteConverter.ReadString(option.OptionValue, 3, option.OptionValue.Length - 3); sourceHost.AddHostName(domain); optionParameterList.Add("DHCP Option 81 Domain", domain); } else if (option.OptionCode == 125) //V-I Vendor-specific Information http://tools.ietf.org/html/rfc3925 { uint enterpriceNumber = Utils.ByteConverter.ToUInt32(option.OptionValue, 0); optionParameterList.Add("DHCP Option 125 Enterprise Number", enterpriceNumber.ToString()); byte dataLen = option.OptionValue[4]; if (dataLen > 0 && option.OptionValue.Length >= 5 + dataLen) { string optionData = Utils.ByteConverter.ReadString(option.OptionValue, 5, dataLen); optionParameterList.Add("DHCP Option 125 Data", optionData); } } else { string optionValueString = Utils.ByteConverter.ReadString(option.OptionValue); if (!System.Text.RegularExpressions.Regex.IsMatch(optionValueString, @"[^\u0020-\u007E]")) { optionParameterList.Add("DHCP Option " + option.OptionCode.ToString(), optionValueString); } } } if (optionParameterList.Count > 0) { //try to get the udp packet string sourcePort = "UNKNOWN"; string destinationPort = "UNKNOWN"; foreach (Packets.AbstractPacket p in dhcpPacket.ParentFrame.PacketList) { if (p.GetType() == typeof(Packets.UdpPacket)) { Packets.UdpPacket udpPacket = (Packets.UdpPacket)p; sourcePort = "UDP " + udpPacket.SourcePort; destinationPort = "UDP " + udpPacket.DestinationPort; break; } } Events.ParametersEventArgs ea = new Events.ParametersEventArgs(dhcpPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, sourcePort, destinationPort, optionParameterList, dhcpPacket.ParentFrame.Timestamp, "DHCP Option"); MainPacketHandler.OnParametersDetected(ea); } }
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost) { string username = ""; string realm = ""; List <string> spnParts = new List <string>(); foreach (var item in kerberosPacket.AsnData.Where(item => stringTypes.Contains(item.Item2))) { string itemString = Utils.ByteConverter.ReadString(item.Item3); if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); sourceHost.AddHostName(hostname); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); destinationHost.AddHostName(hostname); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$")) { if (usernameRequestPaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } else if (usernameResponsePaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } #if DEBUG else { System.Diagnostics.Debugger.Break(); } #endif //parameters.Add("Username (" + item.Item1 + ")", username); } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1)) { sourceHost.AddDomainName(itemString); destinationHost.AddDomainName(itemString); //parameters.Add("Realm (" + item.Item1 + ")", itemString); realm = itemString; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1)) { spnParts.Add(itemString); } else { //parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString); } } if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0) { username = string.Join("/", spnParts); } return(username, realm); }
public int ExtractData(NetworkTcpSession tcpSession, NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList) { //bool successfulExtraction=false; int successfullyExtractedBytes = 0; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.NtlmSspPacket)) { Packets.NtlmSspPacket ntlmPacket = (Packets.NtlmSspPacket)p; if (ntlmPacket.NtlmChallenge != null) { if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode())) { ntlmChallengeList[tcpSession.GetHashCode()] = ntlmPacket.NtlmChallenge; } else { ntlmChallengeList.Add(tcpSession.GetHashCode(), ntlmPacket.NtlmChallenge); } } if (ntlmPacket.DomainName != null) { sourceHost.AddDomainName(ntlmPacket.DomainName); } if (ntlmPacket.HostName != null) { sourceHost.AddHostName(ntlmPacket.HostName); } if (ntlmPacket.UserName != null) { if (!sourceHost.ExtraDetailsList.ContainsKey("NTLM Username " + ntlmPacket.UserName)) { sourceHost.ExtraDetailsList.Add("NTLM Username " + ntlmPacket.UserName, ntlmPacket.UserName); } string lanManagerHashInfo = null; if (ntlmPacket.LanManagerResponse != null) { lanManagerHashInfo = "LAN Manager Response: " + ntlmPacket.LanManagerResponse; } if (ntlmPacket.NtlmResponse != null) { if (lanManagerHashInfo == null) { lanManagerHashInfo = ""; } else { lanManagerHashInfo = lanManagerHashInfo + " - "; } lanManagerHashInfo = lanManagerHashInfo + "NTLM Response: " + ntlmPacket.NtlmResponse; } if (lanManagerHashInfo == null) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, ntlmPacket.ParentFrame.Timestamp)); } else { if (ntlmChallengeList.ContainsKey(tcpSession.GetHashCode())) { lanManagerHashInfo = "NTLM Challenge: " + ntlmChallengeList[tcpSession.GetHashCode()] + " - " + lanManagerHashInfo; } base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "NTLMSSP", ntlmPacket.UserName, lanManagerHashInfo, ntlmPacket.ParentFrame.Timestamp)); } } successfullyExtractedBytes += ntlmPacket.ParentFrame.Data.Length;//it's OK to return a larger value that what was parsed } } return(successfullyExtractedBytes); }
private (string username, string realm) GetUserAndRealm(KerberosPacket kerberosPacket, NetworkHost sourceHost, NetworkHost destinationHost) { string username = ""; string realm = ""; List <string> spnParts = new List <string>(); int lastInt = 0; foreach (var item in kerberosPacket.AsnData) { if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer)//Utils.ByteConverter.Asn1TypeTag.Integer { lastInt = (int)Utils.ByteConverter.ToUInt32(item.Item3); } else if (stringTypes.Contains(item.Item2)) { string itemString = Utils.ByteConverter.ReadString(item.Item3); //if(kerberosPacket.MsgType == KerberosPacket.MessageType.krb_ap_req) { /** rfc1510 / http://web.mit.edu/freebsd/head/crypto/heimdal/lib/asn1/krb5.asn1 * KDC-REQ-BODY ::= SEQUENCE { * kdc-options[0] KDCOptions, * cname[1] PrincipalName OPTIONAL, -- Used only in AS-REQ * realm[2] Realm, -- Server's realm * -- Also client's in AS-REQ * sname[3] PrincipalName OPTIONAL, * from[4] KerberosTime OPTIONAL, * till[5] KerberosTime OPTIONAL, * rtime[6] KerberosTime OPTIONAL, * nonce[7] krb5int32, * etype[8] SEQUENCE OF ENCTYPE, -- EncryptionType, * -- in preference order * addresses[9] HostAddresses OPTIONAL, * enc-authorization-data[10] EncryptedData OPTIONAL, * -- Encrypted AuthorizationData encoding * additional-tickets[11] SEQUENCE OF Ticket OPTIONAL * } **/ if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameRequestPaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); sourceHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && hostnameResponsePaths.Contains(item.Item1) && itemString.EndsWith("$")) { string hostname = itemString.TrimEnd(new[] { '$' }); destinationHost.AddHostName(hostname, kerberosPacket.PacketTypeDescription); //parameters.Add("Hostname (" + item.Item1 + ")", hostname); realm = hostname; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && (usernameRequestPaths.Contains(item.Item1) || usernameResponsePaths.Contains(item.Item1)) && !itemString.EndsWith("$")) { if (usernameRequestPaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); sourceHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } else if (usernameResponsePaths.Contains(item.Item1)) { base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", itemString, kerberosPacket.ParentFrame.Timestamp)); destinationHost.AddNumberedExtraDetail("Kerberos Username", itemString); username = itemString; } #if DEBUG else { System.Diagnostics.Debugger.Break(); } #endif //parameters.Add("Username (" + item.Item1 + ")", username); } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && domainPaths.Contains(item.Item1)) { sourceHost.AddDomainName(itemString); destinationHost.AddDomainName(itemString); //parameters.Add("Realm (" + item.Item1 + ")", itemString); realm = itemString; } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.GeneralString && kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && hostnameResponsePaths.Contains(item.Item1)) { spnParts.Add(itemString); } else { //parameters.Add(item.Item1 + " " + Enum.GetName(typeof(Utils.ByteConverter.Asn1TypeTag), item.Item2), itemString); } } } if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && spnParts.Count > 0) { username = string.Join("/", spnParts); } return(username, realm); }
private void ExtractSmbData(NetworkHost sourceHost, NetworkHost destinationHost, Packets.TcpPacket tcpPacket, Packets.CifsPacket.AbstractSmbCommand smbCommandPacket, PacketHandler mainPacketHandler) { string smbSessionId; if (smbCommandPacket.ParentCifsPacket.FlagsResponse) { smbSessionId = SmbSession.GetSmbSessionId(sourceHost.IPAddress, tcpPacket.SourcePort, destinationHost.IPAddress, tcpPacket.DestinationPort); } else { smbSessionId = SmbSession.GetSmbSessionId(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort); } if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NegotiateProtocolRequest)) { Packets.CifsPacket.NegotiateProtocolRequest request = (Packets.CifsPacket.NegotiateProtocolRequest)smbCommandPacket; sourceHost.AcceptedSmbDialectsList = request.DialectList; } else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NegotiateProtocolResponse)) { Packets.CifsPacket.NegotiateProtocolResponse reply = (Packets.CifsPacket.NegotiateProtocolResponse)smbCommandPacket; if (destinationHost.AcceptedSmbDialectsList != null && destinationHost.AcceptedSmbDialectsList.Count > reply.DialectIndex) { sourceHost.PreferredSmbDialect = destinationHost.AcceptedSmbDialectsList[reply.DialectIndex]; } //sourceHost.ExtraDetailsList.Add("Preferred SMB dialect", destinationHost.AcceptedSmbDialectsList[reply.DialectIndex]); } else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.SetupAndXRequest)) { Packets.CifsPacket.SetupAndXRequest request = (Packets.CifsPacket.SetupAndXRequest)smbCommandPacket; if (request.NativeLanManager != null && request.NativeLanManager.Length > 0) { if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native LAN Manager")) { sourceHost.ExtraDetailsList["SMB Native LAN Manager"] = request.NativeLanManager; } else { sourceHost.ExtraDetailsList.Add("SMB Native LAN Manager", request.NativeLanManager); } } if (request.NativeOs != null && request.NativeOs.Length > 0) { if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native OS")) { sourceHost.ExtraDetailsList["SMB Native OS"] = request.NativeOs; } else { sourceHost.ExtraDetailsList.Add("SMB Native OS", request.NativeOs); } } if (request.PrimaryDomain != null && request.PrimaryDomain.Length > 0) { sourceHost.AddDomainName(request.PrimaryDomain); } if (request.AccountName != null && request.AccountName.Length > 0) { NetworkCredential nCredential = new NetworkCredential(sourceHost, destinationHost, smbCommandPacket.PacketTypeDescription, request.AccountName, request.ParentFrame.Timestamp); if (request.AccountPassword != null && request.AccountPassword.Length > 0) { nCredential.Password = request.AccountPassword; } mainPacketHandler.AddCredential(nCredential); } } else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.SetupAndXResponse)) { Packets.CifsPacket.SetupAndXResponse response = (Packets.CifsPacket.SetupAndXResponse)smbCommandPacket; if (response.NativeLanManager != null && response.NativeLanManager.Length > 0) { if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native LAN Manager")) { sourceHost.ExtraDetailsList["SMB Native LAN Manager"] = response.NativeLanManager; } else { sourceHost.ExtraDetailsList.Add("SMB Native LAN Manager", response.NativeLanManager); } } if (response.NativeOs != null && response.NativeOs.Length > 0) { if (sourceHost.ExtraDetailsList.ContainsKey("SMB Native OS")) { sourceHost.ExtraDetailsList["SMB Native OS"] = response.NativeOs; } else { sourceHost.ExtraDetailsList.Add("SMB Native OS", response.NativeOs); } } } else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NTCreateAndXRequest)) { Packets.CifsPacket.NTCreateAndXRequest request = (Packets.CifsPacket.NTCreateAndXRequest)smbCommandPacket; string filename, filePath; if (request.Filename.EndsWith("\0")) { filename = request.Filename.Remove(request.Filename.Length - 1); } else { filename = request.Filename; } if (filename.Contains(System.IO.Path.DirectorySeparatorChar.ToString())) { filePath = filename.Substring(0, filename.LastIndexOf(System.IO.Path.DirectorySeparatorChar.ToString())); filename = filename.Substring(filename.LastIndexOf(System.IO.Path.DirectorySeparatorChar.ToString()) + 1); } else { filePath = System.IO.Path.DirectorySeparatorChar.ToString(); } try { //string smbSessionId=SmbSession.GetSmbSessionId(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort); SmbSession smbSession; if (this.smbSessionPopularityList.ContainsKey(smbSessionId)) { smbSession = this.smbSessionPopularityList[smbSessionId]; } else { smbSession = new SmbSession(destinationHost.IPAddress, tcpPacket.DestinationPort, sourceHost.IPAddress, tcpPacket.SourcePort); this.smbSessionPopularityList.Add(smbSessionId, smbSession); } FileTransfer.FileStreamAssembler assembler = new FileTransfer.FileStreamAssembler(mainPacketHandler.FileStreamAssemblerList, destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, tcpPacket != null, FileTransfer.FileStreamTypes.SMB, filename, filePath, request.Filename, smbCommandPacket.ParentFrame.FrameNumber, smbCommandPacket.ParentFrame.Timestamp); smbSession.AddFileStreamAssembler(assembler, request.ParentCifsPacket.TreeId, request.ParentCifsPacket.MultiplexId, request.ParentCifsPacket.ProcessId); } catch (Exception e) { MainPacketHandler.OnAnomalyDetected("Error creating assembler for SMB file transfer: " + e.Message); } } //else if(!smbCommandPacket.ParentCifsPacket.FlagsResponse && mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, true)) { else if (!smbCommandPacket.ParentCifsPacket.FlagsResponse && this.smbSessionPopularityList.ContainsKey(smbSessionId)) { //Request if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.CloseRequest) && smbSessionPopularityList.ContainsKey(smbSessionId)) { SmbSession smbSession = this.smbSessionPopularityList[smbSessionId]; Packets.CifsPacket.CloseRequest closeRequest = (Packets.CifsPacket.CloseRequest)smbCommandPacket; ushort fileId = closeRequest.FileId; FileTransfer.FileStreamAssembler assemblerToClose; if (smbSession.ContainsFileId(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId)) { assemblerToClose = smbSession.GetFileStreamAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId); smbSession.RemoveFileStreamAssembler(closeRequest.ParentCifsPacket.TreeId, closeRequest.ParentCifsPacket.MultiplexId, closeRequest.ParentCifsPacket.ProcessId, fileId, false); //TODO: remove the following line (added for debugging purpose 2011-04-25) //assemblerToClose.FinishAssembling(); if (mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(assemblerToClose)) { mainPacketHandler.FileStreamAssemblerList.Remove(assemblerToClose, true); } else { assemblerToClose.Clear(); } } } else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.ReadAndXRequest) && smbSessionPopularityList.ContainsKey(smbSessionId)) { SmbSession smbSession = this.smbSessionPopularityList[smbSessionId]; //Packets.CifsPacket.ReadAndXRequest request=this.smbSessionPopularityList[smbSessionId]; Packets.CifsPacket.ReadAndXRequest readRequest = (Packets.CifsPacket.ReadAndXRequest)smbCommandPacket; ushort fileId = readRequest.FileId; smbSession.Touch(readRequest.ParentCifsPacket.TreeId, readRequest.ParentCifsPacket.MultiplexId, readRequest.ParentCifsPacket.ProcessId, fileId); } } else if (smbCommandPacket.ParentCifsPacket.FlagsResponse && this.smbSessionPopularityList.ContainsKey(smbSessionId)) { //Response SmbSession smbSession = this.smbSessionPopularityList[smbSessionId]; //FileTransfer.FileStreamAssembler assembler=mainPacketHandler.FileStreamAssemblerList.GetAssembler(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, true); if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.NTCreateAndXResponse)) { Packets.CifsPacket.NTCreateAndXResponse response = (Packets.CifsPacket.NTCreateAndXResponse)smbCommandPacket; ushort fileId = response.FileId; int fileLength = (int)response.EndOfFile;//yes, I know I will not be able to store big files now... but an int as length is really enough! //tag the requested file with the fileId FileTransfer.FileStreamAssembler assembler = smbSession.GetLastReferencedFileStreamAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId); smbSession.RemoveLastReferencedAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId); if (assembler != null) { //Add file ID as extended ID in order to differentiate between parallell file transfers on disk cache assembler.ExtendedFileId = "Id" + fileId.ToString("X4"); //2011-04-18 smbSession.AddFileStreamAssembler(assembler, response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId, response.FileId); assembler.FileContentLength = fileLength; } } else if (smbCommandPacket.GetType() == typeof(Packets.CifsPacket.ReadAndXResponse)) { Packets.CifsPacket.ReadAndXResponse response = (Packets.CifsPacket.ReadAndXResponse)smbCommandPacket; //move the assembler to the real FileStreamAssemblerList! FileTransfer.FileStreamAssembler assembler = smbSession.GetLastReferencedFileStreamAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId); if (assembler == null) { base.MainPacketHandler.OnAnomalyDetected("Unable to find assembler for " + smbCommandPacket.ToString()); } else if (assembler != null) { /* Removed 2011-04-25 * if(!mainPacketHandler.FileStreamAssemblerList.ContainsAssembler(assembler)) * mainPacketHandler.FileStreamAssemblerList.Add(assembler); * */ assembler.FileSegmentRemainingBytes += response.DataLength;//setting this one so that it can receive more bytes if (!assembler.IsActive) { System.Diagnostics.Debug.Assert(assembler.ExtendedFileId != null && assembler.ExtendedFileId != "", "No FileID set for SMB file transfer!"); if (!assembler.TryActivate()) { if (!response.ParentCifsPacket.ParentFrame.QuickParse) { response.ParentCifsPacket.ParentFrame.Errors.Add(new Frame.Error(response.ParentCifsPacket.ParentFrame, response.PacketStartIndex, response.PacketEndIndex, "Unable to activate file stream assembler for " + assembler.FileLocation + "/" + assembler.Filename)); } } else if (assembler.IsActive) { assembler.AddData(response.GetFileData(), tcpPacket.SequenceNumber); } } /* Removed 2011-04-25 * if(!assembler.IsActive) {//see if the file is fully assembled or if something else went wrong... * smbSession.RemoveLastReferencedAssembler(response.ParentCifsPacket.TreeId, response.ParentCifsPacket.MultiplexId, response.ParentCifsPacket.ProcessId); * } * */ } } } }