bool RSTFound; // set to true if and when an RST packet found
#endregion Fields
#region Constructors
public TCPG(Packet pkt, H h)
: base(pkt)
{
// note: base class constructor is called first (due to : base(pkt) above)
TCPH th = (TCPH)h;
// set group properties here
S1IP4 = pkt.SrcIP4;
S1Port = pkt.SrcPort;
S2IP4 = pkt.DestIP4;
S2Port = pkt.DestPort;
// SET ADDITIONAL GROUP PROPERTIES AS NECESSARY
OPL1 = new OPL(this, S1Port);
OPL2 = new OPL(this, S2Port);
State = TCPGState.NotSequencedYet;
RSTFound = false;
}
// returns true if pkt belongs to group, also tests for normal start sequence of TCP group
public override bool Belongs(Packet pkt, H h)
{
// h argument is for utility - GList.GroupPacket function will pass in a reference to the packet header matching the protocol specified in the GList - this save this function from having to search for the protocol header in pkt.phlist each time it is called
// rules for membership in an TCP packet group:
// packet is an IP4 packet (later handle ipv6 and other layer 3 protocols)
// all packets with same pair of IP/Port in source and destination (either direction)
// can assume GList.CanBelong has returned true
// also set Complete = true if this packet completes group
if (((pkt.SrcIP4 == S1IP4) && (pkt.SrcPort == S1Port) && (pkt.DestIP4 == S2IP4) && (pkt.DestPort == S2Port)) // if source==source and dest==dest
|| ((pkt.SrcIP4 == S2IP4) && (pkt.SrcPort == S2Port) && (pkt.DestIP4 == S1IP4) && (pkt.DestPort == S1Port))) // or source==dest and dest==source
{
if((((TCPH)h).Flags & 0x04) != 0)
{
if (RSTFound == false)
{
RSTFound = true;
return true;
}
else
{
MessageBox.Show("Packet found for TCP group after an RST packet for that group");
return true;
}
}
if (State == TCPGState.NotSequencedYet)
{
if (L.Count == 2) // NOTE: OTHER LOGIC DEPENDS ON THE FACT THAT "NormalState" SPECIFICALLY IMPLIES THAT FIRST THREE PACKETS ARE
// SYN, SYN/ACK AND ACK, THE TYPICAL 3 WAY HANDSHAKE
// ANY DEVIATION FROM THAT PATTERN COULD BREAK ASSUMPTIONS MADE DOWNSTREAM
// if this is the third packet, test for normal start sequence
// if the first three packets match the "normal" sequence, set State = NormalStart
// otherwise set State = SequenceFailed
// in no case do we leave State as NotSequencedYet
{
TCPH th = (TCPH)(L[0].groupprotoheader);
if ((th.Flags & 0x12)==0x02) // if SYN set and ACK not set in first packet
{
th = (TCPH)(L[1].groupprotoheader);
if (th.SrcPort == S2Port) // and if second packet is from stream 2
{
if ((th.Flags & 0x12) == 0x12) // and if SYN set and ACK set in second packet
{
if (pkt.SrcPort == S1Port) // and if this (the third) packet is from stream 1
{
th = (TCPH)(pkt.groupprotoheader);
if ((th.Flags & 0x12)==0x10) // and if SYN not set and ACK set in third packet
{
State = TCPGState.NormalStart; // then we have a normal start sequence
}
}
}
}
}
if (State != TCPGState.NormalStart) State = TCPGState.SequenceFailed;
}
}
return true;
}
else return false;
}
