bool RSTFound; // becomes true once an RST packet has been seen for this group

#endregion Fields

#region Constructors

/// <summary>
/// Creates a TCP group seeded from the first packet seen for a conversation.
/// </summary>
/// <remarks>
/// Stream 1 is whichever endpoint sent <paramref name="pkt"/> and stream 2 is its destination.
/// If the capture begins mid-connection, stream 1 is therefore not necessarily the side that
/// opened the connection.
/// </remarks>
/// <param name="pkt">First packet of the group; its source/destination IP4 and ports define the two streams.</param>
/// <param name="h">Protocol header supplied by the caller; cast to <c>TCPH</c> below.</param>
public TCPG(Packet pkt, H h) : base(pkt)
{
    // The base-class constructor (": base(pkt)") has already run when this body starts.
    RSTFound = false;

    // NOTE(review): the cast result is never used in this constructor; presumably it only
    // serves as a type check on h - confirm before removing it.
    TCPH tcpHeader = (TCPH)h;

    // Endpoint identity of the group: stream 1 = sender of the first packet, stream 2 = its receiver.
    S1IP4 = pkt.SrcIP4;
    S1Port = pkt.SrcPort;
    S2IP4 = pkt.DestIP4;
    S2Port = pkt.DestPort;

    // Set additional group properties here as necessary.
    // The OPL objects are created after the ports above have been assigned because they take them as arguments.
    OPL1 = new OPL(this, S1Port);
    OPL2 = new OPL(this, S2Port);

    // The start sequence is classified later, in Belongs, when the third packet arrives.
    State = TCPGState.NotSequencedYet;
}
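/// <summary>
/// Returns true if <paramref name="pkt"/> belongs to this TCP group, and classifies the group's
/// opening as a normal three-way handshake (or not) when the third packet arrives.
/// </summary>
/// <remarks>
/// Membership rule: the packet carries the same pair of IP4 address/port endpoints as the group,
/// in either direction. IPv6 and other layer 3 protocols are not handled yet. The caller is
/// assumed to have already obtained true from GList.CanBelong.
/// Because membership is decided by the address/port pair alone, a later connection that reuses
/// the same addresses and ports is merged into this group.
/// The start-sequence test looks only at the SYN/ACK flag bits and source ports; sequence and
/// acknowledgement numbers are not compared, so NormalStart means "the flags look like a
/// handshake", not that the handshake was validated.
/// The original header comment mentioned setting Complete when a packet completes the group;
/// nothing in this method does so.
/// </remarks>
/// <param name="pkt">Packet being tested for membership.</param>
/// <param name="h">
/// Utility argument: GList.GroupPacket passes the header matching the GList's protocol so this
/// method does not have to search pkt.phlist on every call. Cast to <c>TCPH</c> here.
/// </param>
/// <returns>True when the packet's endpoints match the group in either direction; otherwise false.</returns>
public override bool Belongs(Packet pkt, H h)
{
    // TCP flag bits as used by the original masks (0x04, 0x02, 0x10, 0x12).
    const int SynFlag = 0x02;
    const int RstFlag = 0x04;
    const int AckFlag = 0x10;
    const int SynAckMask = SynFlag | AckFlag; // 0x12

    bool sameConversation =
        ((pkt.SrcIP4 == S1IP4) && (pkt.SrcPort == S1Port) && (pkt.DestIP4 == S2IP4) && (pkt.DestPort == S2Port))     // source==source and dest==dest
        || ((pkt.SrcIP4 == S2IP4) && (pkt.SrcPort == S2Port) && (pkt.DestIP4 == S1IP4) && (pkt.DestPort == S1Port)); // or source==dest and dest==source
    if (!sameConversation)
    {
        return false;
    }

    if ((((TCPH)h).Flags & RstFlag) != 0)
    {
        // An RST returns before the start-sequence test below. If it is the third packet,
        // L.Count moves past 2 afterwards and the test would never run, leaving State at
        // NotSequencedYet - which the sequencing logic promises never to do once three packets
        // have been seen. Three packets ending in RST are not a normal start, so record failure.
        if (State == TCPGState.NotSequencedYet && L.Count == 2)
        {
            State = TCPGState.SequenceFailed;
        }

        if (RSTFound)
        {
            // Only a second or later RST reaches this point; non-RST packets that follow an RST
            // are accepted silently by the code further down.
            // NOTE(review): this is a modal dialog raised from the packet-grouping path, once per
            // such packet. The packets come from captured traffic, so a capture with many
            // repeated RSTs stalls the analysis on one dialog each - consider counting or logging
            // the anomaly instead.
            MessageBox.Show("Packet found for TCP group after an RST packet for that group");
        }
        else
        {
            RSTFound = true;
        }
        return true;
    }

    // NOTE: OTHER LOGIC DEPENDS ON THE FACT THAT "NormalStart" SPECIFICALLY IMPLIES THAT THE FIRST
    // THREE PACKETS ARE SYN, SYN/ACK AND ACK, THE TYPICAL 3 WAY HANDSHAKE.
    // ANY DEVIATION FROM THAT PATTERN COULD BREAK ASSUMPTIONS MADE DOWNSTREAM.
    // L holds the packets already in the group, so L.Count == 2 means pkt is the third packet.
    // When it is, State becomes either NormalStart or SequenceFailed - never NotSequencedYet.
    if (State == TCPGState.NotSequencedYet && L.Count == 2)
    {
        TCPH first = (TCPH)(L[0].groupprotoheader);
        if ((first.Flags & SynAckMask) == SynFlag)                 // SYN set and ACK not set in first packet
        {
            TCPH second = (TCPH)(L[1].groupprotoheader);
            if (second.SrcPort == S2Port                           // second packet is from stream 2
                && (second.Flags & SynAckMask) == SynAckMask       // SYN set and ACK set in second packet
                && pkt.SrcPort == S1Port)                          // this (the third) packet is from stream 1
            {
                // NOTE(review): the RST test above reads this packet's header from h, while this
                // line reads pkt.groupprotoheader. Confirm groupprotoheader is already assigned
                // for a packet that has not been added to the group yet.
                TCPH third = (TCPH)(pkt.groupprotoheader);
                if ((third.Flags & SynAckMask) == AckFlag)         // SYN not set and ACK set in third packet
                {
                    State = TCPGState.NormalStart;                 // normal start sequence
                }
            }
        }

        if (State != TCPGState.NormalStart)
        {
            State = TCPGState.SequenceFailed;
        }
    }

    return true;
}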