private void mBtnStopMonitor_Click(object sender, EventArgs e)
{
if (Status == EnumStatus.Idle)
{
return;
}
if (Status == EnumStatus.Monitor)
{
Device.StopCapture();
trdGetPacketFromQueueAct = false; // Thread for GetPacketFromQueue
trdUpdateListUIAct = false;
Status = EnumStatus.Idle;
this.Text = "Packets Monitor ";
mStatusMonitor.Text = "Status : Idle ";
}
else if (Status == EnumStatus.OpenFile)
{
trdGetPacketFromQueueAct = false; // Thread for GetPacketFromQueue
trdUpdateListUIAct = false;
PcapFileEOF = false;
Status = EnumStatus.Idle;
this.Text = "Packets Monitor ";
mStatusMonitor.Text = "Status : Idle ";
}
PcapFileWriter.CloseAll();
if (AllPcapFileWriter != null)
{
AllPcapFileWriter.Close();
}
}
internal void ResetCapturedData()
{
if (this.pcapWriter != null && this.pcapWriter.IsOpen)
{
this.pcapWriter.Close();
}
this.pcapWriter = null;
packetHandler.ResetCapturedData();
}
internal PacketHandlerWrapper(NetworkMinerForm parentForm, System.IO.DirectoryInfo outputDirectory, bool useRelativePathIfAvailable, List <PacketParser.Fingerprints.IOsFingerprinter> preloadedFingerprints)
{
this.parentForm = parentForm;
this.pcapWriter = null;
string exePath = System.IO.Path.GetFullPath(System.Windows.Forms.Application.ExecutablePath);
if (this.parentForm == null || this.parentForm.GuiProperties == null)
{
this.packetHandler = new PacketParser.PacketHandler(exePath, outputDirectory.FullName, preloadedFingerprints, false, NetworkMiner.GuiProperties.ToDefaultTimeZoneString, useRelativePathIfAvailable);
}
else
{
this.packetHandler = new PacketParser.PacketHandler(exePath, outputDirectory.FullName, preloadedFingerprints, false, this.parentForm.GuiProperties.ToCustomTimeZoneString, useRelativePathIfAvailable);
}
this.PacketHandler.AnomalyDetected += new PacketParser.AnomalyEventHandler(AnomalyDetected);
this.PacketHandler.BufferUsageChanged += new PacketParser.BufferUsageEventHandler(BufferUsageChanged);
this.packetHandler.CleartextWordsDetected += new PacketParser.CleartextWordsEventHandler(CleartextWordsDetected);
this.packetHandler.CredentialDetected += new PacketParser.CredentialEventHandler(CredentialDetected);
this.packetHandler.DnsRecordDetected += new PacketParser.DnsRecordEventHandler(packetHandler_DnsRecordDetected);
this.packetHandler.FileReconstructed += new PacketParser.FileEventHandler(packetHandler_FileReconstructed);
this.packetHandler.FrameDetected += new PacketParser.FrameEventHandler(packetHandler_FrameDetected);
this.packetHandler.KeywordDetected += new PacketParser.KeywordEventHandler(packetHandler_KeywordDetected);
this.packetHandler.NetworkHostDetected += new PacketParser.NetworkHostEventHandler(packetHandler_NetworkHostDetected);
this.packetHandler.HttpTransactionDetected += new PacketParser.HttpClientEventHandler(packetHandler_HttpTransactionDetected);
this.packetHandler.ParametersDetected += new PacketParser.ParameterEventHandler(packetHandler_ParametersDetected);
//this.packetHandler.ParametersDetected += new PacketParser.ParameterEventHandler()
//this.packetHandler.ParametersDetected += (s, pe) => parentForm.ParametersQueue.Enqueue(pe);
this.packetHandler.SessionDetected += new PacketParser.SessionEventHandler(packetHandler_SessionDetected);
this.packetHandler.MessageDetected += new PacketParser.MessageEventHandler(packetHandler_MessageDetected);
this.packetHandler.AudioDetected += this.PacketHandler_AudioDetected;
this.packetHandler.VoipCallDetected += this.PacketHandler_VoipCallDetected;
this.packetHandler.MessageAttachmentDetected += new PacketParser.FileTransfer.FileStreamAssembler.FileReconsructedEventHandler(parentForm.ShowMessageAttachment);
this.packetHandler.InsufficientWritePermissionsDetected += delegate(string path) {
parentForm.BeginInvoke((System.Windows.Forms.MethodInvoker) delegate {
System.Windows.Forms.MessageBox.Show(parentForm, "User is unauthorized to access the following file:" + System.Environment.NewLine + path + System.Environment.NewLine + System.Environment.NewLine + "File(s) will not be extracted!", "Insufficient Write Permissions");
});
};
}
void pcapOverIpReceiver_DoWork(object sender, DoWorkEventArgs e)
{
this.receivedFrames = 0;
DateTime lastGuiUpdateTime = DateTime.Now;
TimeSpan updateRate = new TimeSpan(2000000);
DateTime firstFrameTimestamp = DateTime.MinValue;
DateTime lastFrameTimestamp = DateTime.MinValue;
string filename = Tools.GenerateCaptureFileName(DateTime.Now);
string fileFullPath = this.packetHandler.OutputDirectory + "Captures" + System.IO.Path.DirectorySeparatorChar + filename;
//string fileFullPath = System.IO.Path.GetDirectoryName(System.IO.Path.GetFullPath(System.Windows.Forms.Application.ExecutablePath)) + System.IO.Path.DirectorySeparatorChar + "Captures" + System.IO.Path.DirectorySeparatorChar + filename;
PcapFileWriter pcapFileWriter = new PcapFileWriter(fileFullPath, this.pcapStreamReader.FileDataLinkType[0]);
//this.caseFileLoadedCallback(
this.addCaseFileCallback(fileFullPath, filename);
using (pcapFileWriter) {
//foreach (PcapFileHandler.PcapPacket pcapPacket in this.pcapStreamReader.PacketEnumerator(delegate() { Application.DoEvents(); }, null)) {
foreach (PcapFrame pcapPacket in this.pcapStreamReader.PacketEnumerator())
{
this.receivedFrames++;
if (this.pcapTcpStream.SocketState == PcapTcpStream.TcpSocketState.Connected)
{
this.pcapTcpStream.SocketState = PcapTcpStream.TcpSocketState.Receiving;
}
pcapFileWriter.WriteFrame(pcapPacket);
if (firstFrameTimestamp == DateTime.MinValue)
{
firstFrameTimestamp = pcapPacket.Timestamp;
}
lastFrameTimestamp = pcapPacket.Timestamp;
int millisecondsToSleep = 1;
while (this.packetHandler.FramesInQueue > 100) //This can become a for-ever loop if packetHandler chokes and hangs might might be a good idea to do a this.pcapStreamReader.AbortFileRead() and throw an exception?
{
System.Threading.Thread.Sleep(millisecondsToSleep);
if (millisecondsToSleep < 200)
{
millisecondsToSleep *= 2;
}
//Application.DoEvents();//REMOVED 2014-06-24
}
PacketParser.Frame frame = packetHandler.GetFrame(pcapPacket.Timestamp, pcapPacket.Data, pcapPacket.DataLinkType);
packetHandler.AddFrameToFrameParsingQueue(frame);
if (DateTime.Now > lastGuiUpdateTime.Add(updateRate))
{
//we need to update the GUI
this.UpdateGui();
lastGuiUpdateTime = DateTime.Now;
}
if (this.pcapOverIpReceiver.CancellationPending)
{
break;
}
}
}
this.UpdateGui();
this.caseFileLoadedCallback(fileFullPath, this.receivedFrames, firstFrameTimestamp, lastFrameTimestamp);
}
public unsafe void ProcessLoop()
{
// Allocate and initialize packet structures
ETH_REQUEST Request = new ETH_REQUEST();
INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER();
IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer));
try
{
win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer));
Request.hAdapterHandle = adapterHandle;
Request.EthPacket.Buffer = PacketBufferIntPtr;
Modules = new ModuleList(this);
Modules.LoadExternalModules();
Modules.UpdateModuleOrder();
string folder = Configuration.ConfigurationManagement.Instance.ConfigurationPath;
folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs";
if (!System.IO.Directory.Exists(folder))
{
System.IO.Directory.CreateDirectory(folder);
}
string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + inter.Name + "-" + DateTime.Now.ToBinary() + ".pcap";
pcaplog = new PcapFileWriter(f);
INTERMEDIATE_BUFFER *PacketPointer;
while (true)
{
hEvent.WaitOne();
while (Ndisapi.ReadPacket(hNdisapi, ref Request))
{
PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr;
Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket();
if (pkt.Outbound)
{
inter.DataOut.AddBits(pkt.Length());
}
else
{
inter.DataIn.AddBits(pkt.Length());
}
bool drop = false;
bool log = false;
if (this.Filtering)
{
for (int x = 0; x < Modules.Count; x++)
{
NDISModule fm = Modules.GetModule(x);
int pmr = fm.PacketMain(ref pkt);
if (pmr == null)
{
continue;
}
if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket)
{
log = true;
}
if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop)
{
drop = true;
break;
}
}
}
if (!drop && !DropAll)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
if (log)
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
//OM NOM NOM PASTA!
while (processQueue.Count != 0)
{
Packet pkt = processQueue.Dequeue().MakeNextLayerPacket();
if (pkt.Outbound)
{
inter.DataOut.AddBits(pkt.Length());
}
else
{
inter.DataIn.AddBits(pkt.Length());
}
bool drop = false;
bool log = false;
if (this.Filtering)
{
for (int x = 0; x < Modules.Count; x++)
{
NDISModule fm = Modules.GetModule(x);
int pmr = fm.PacketMain(ref pkt);
if (pmr == 0)
{
continue;
}
if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket)
{
log = true;
}
if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop)
{
drop = true;
break;
}
}
}
if (!drop && !DropAll)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
if (log)
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
hEvent.Reset();
}
}
catch (Exception tae)
{
Marshal.FreeHGlobal(PacketBufferIntPtr);
}
}
