Пример #1
0
            public ResourceRecord(DnsPacket parentPacket, int startIndex)
            {
                this.parentPacket = parentPacket;
                int typeStartOffset;
                List <NameLabel> nameLabelList = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex - parentPacket.PacketStartIndex, out typeStartOffset);

                this.answerRequestedNameDecoded = new string[nameLabelList.Count];
                for (int i = 0; i < nameLabelList.Count; i++)
                {
                    this.answerRequestedNameDecoded[i] = nameLabelList[i].ToString();
                }

                /*
                 * this.answerType=ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, startIndex+2);
                 * this.answerClass=ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, startIndex+4);
                 * this.answerTimeToLive=ByteConverter.ToUInt32(parentPacket.ParentFrame.Data, startIndex+6);
                 * this.answerDataLength=ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, startIndex+10);
                 */
                this.answerType       = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset);
                this.answerClass      = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 2);
                this.answerTimeToLive = Utils.ByteConverter.ToUInt32(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 4);
                this.answerDataLength = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 8);

                //this.recordByteCount=12+answerDataLength;
                this.recordByteCount = typeStartOffset - startIndex + parentPacket.PacketStartIndex + 10 + answerDataLength;


                //kolla....
                if (parentPacket.Flags.OperationCode == (byte)HeaderFlags.OperationCodes.Query && this.answerType != (ushort)RRTypes.CNAME)
                {
                    this.answerRepliedNameDecoded = new string[answerDataLength];
                    for (int i = 0; i < answerDataLength; i++)
                    {
                        this.answerRepliedNameDecoded[i] = parentPacket.ParentFrame.Data[startIndex + 12 + i].ToString();
                    }
                }
                else if (parentPacket.Flags.OperationCode == (byte)HeaderFlags.OperationCodes.Query && this.answerType == (ushort)RRTypes.CNAME)
                {
                    List <NameLabel> answerRepliedName = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex + 12 - parentPacket.PacketStartIndex, out typeStartOffset);

                    this.answerRepliedNameDecoded = new string[answerRepliedName.Count];
                    for (int i = 0; i < answerRepliedName.Count; i++)
                    {
                        this.answerRepliedNameDecoded[i] = answerRepliedName[i].ToString();
                    }
                }
                else if (parentPacket.Flags.OperationCode == (byte)HeaderFlags.OperationCodes.InverseQuery)
                {
                    //nameLabelList=GetNameLabelList(parentPacket.ParentFrame.Data, startIndex+12);
                    nameLabelList = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex + 12 - parentPacket.PacketStartIndex, out typeStartOffset);

                    this.answerRepliedNameDecoded = new string[nameLabelList.Count];
                    for (int i = 0; i < nameLabelList.Count; i++)
                    {
                        this.answerRepliedNameDecoded[i] = nameLabelList[i].ToString();
                    }
                }
            }
Пример #2
0
        //answer

        //authority

        //additional

        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, bool lengthPrefix, out DnsPacket dnsPacket)
        {
            //const int MAX_LENGTH = ushort.MaxValue;//64 kB
            dnsPacket = null;
            if (lengthPrefix)
            {
                ushort packetLength = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex);
                if (packetLength < 4)
                {
                    return(false);
                }
                else if (packetStartIndex + packetLength + 1 > packetEndIndex)
                {
                    return(false);
                }
            }
            try {
                dnsPacket = new DnsPacket(parentFrame, packetStartIndex, packetEndIndex, lengthPrefix);
                return(true);
            }
            catch {
                return(false);
            }
        }
Пример #3
0
 public ResponseWithErrorCode(DnsPacket parentPacket)
 {
     this.parentPacket = parentPacket;
 }
Пример #4
0
        private AbstractPacket GetProtocolPacket(ApplicationLayerProtocol protocol, bool clientToServer)
        {
            AbstractPacket packet = null;

            if (protocol == ApplicationLayerProtocol.Dns)
            {
                if (DnsPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true, out DnsPacket dnsPacket))
                {
                    return(dnsPacket);
                }
            }
            else if (protocol == ApplicationLayerProtocol.FtpControl)
            {
                if (FtpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Http)
            {
                if (HttpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Http2)
            {
                if (Http2Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Irc)
            {
                if (IrcPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.IEC_104)
            {
                if (IEC_60870_5_104Packet.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Imap)
            {
                return(new ImapPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Kerberos)
            {
                return(new KerberosPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, true));
            }
            else if (protocol == ApplicationLayerProtocol.Lpd)
            {
                if (LpdPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.ModbusTCP)
            {
                if (ModbusTcpPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.NetBiosNameService)
            {
                return(new NetBiosNameServicePacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.NetBiosSessionService)
            {
                if (NetBiosSessionService.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this.sourcePort, this.destinationPort, out packet, this.IsVirtualPacketFromTrailingDataInTcpSegment))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.OpenFlow)
            {
                if (OpenFlowPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Oscar)
            {
                if (OscarPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.OscarFileTransfer)
            {
                if (OscarFileTransferPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Pop3)
            {
                return(new Pop3Packet(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Sip)
            {
                return(new SipPacket(this.ParentFrame, this.PacketStartIndex + this.DataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.Smtp)
            {
                return(new SmtpPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer));
            }
            else if (protocol == ApplicationLayerProtocol.Socks)
            {
                if (SocksPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol)
            {
                if (SpotifyKeyExchangePacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, clientToServer, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Ssh)
            {
                if (SshPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.Ssl)
            {
                if (SslPacket.TryParse(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, out packet))
                {
                    return(packet);
                }
            }
            else if (protocol == ApplicationLayerProtocol.TabularDataStream)
            {
                return(new TabularDataStreamPacket(this.ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex));
            }
            else if (protocol == ApplicationLayerProtocol.Tpkt)
            {
                if (TpktPacket.TryParse(ParentFrame, this.PacketStartIndex + this.dataOffsetByteCount, this.PacketEndIndex, this, out packet))
                {
                    return(packet);
                }
            }
            return(packet);
        }
Пример #5
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            //List<Packet> subPackets=new List<Packet>();
            if (PacketStartIndex + 8 < PacketEndIndex)
            {
                AbstractPacket packet;

                ApplicationLayerProtocol l7Protocol = UdpPortProtocolFinder.Instance.GetApplicationLayerProtocol(FiveTuple.TransportProtocol.UDP, sourcePort, destinationPort);
                if (l7Protocol == ApplicationLayerProtocol.Unknown && UdpPortProtocolFinder.PipiInstance != null)
                {
                    l7Protocol = UdpPortProtocolFinder.PipiInstance.GetApplicationLayerProtocol(this);//do a second attempt using PIPI (NM Pro only)
                }


                if (l7Protocol == ApplicationLayerProtocol.Dns)      //DNS or Multicast DNS http://www.multicastdns.org/
                {
                    try {
                        packet = new DnsPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse DNS packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Dhcp)
                {
                    try {
                        packet = new DhcpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse DHCP (or BOOTP) protocol: " + e.Message));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Tftp)
                {
                    try {
                        packet = new TftpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse NetBiosNameServicePacket packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.NetBiosNameService)
                {
                    try {
                        packet = new NetBiosNameServicePacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse NetBiosNameServicePacket packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.NetBiosDatagramService)
                {
                    try {
                        packet = new NetBiosDatagramServicePacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse NetBiosDatagramServicePacket packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Snmp)
                {
                    try {
                        packet = new SnmpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse SNMP packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Syslog)
                {
                    try {
                        packet = new SyslogPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse Syslog packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Upnp)
                {
                    try {
                        packet = new UpnpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse UPnP packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Sip)
                {
                    try {
                        packet = new SipPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse SIP packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Rtp)
                {
                    try {
                        packet = new RtpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse RTP packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.VXLAN)
                {
                    try {
                        packet = new VxlanPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse VXLAN packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else
                {
                    packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                }
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
        //answer

        //authority

        //additional

        public static bool TryParse(Frame parentFrame, int packetStartIndex, int packetEndIndex, bool lengthPrefix, out DnsPacket dnsPacket)
        {
            const ushort INSANE_MAX_LENGTH = 0x8000;//32 kB

            dnsPacket = null;
            if (lengthPrefix)
            {
                ushort packetLength = Utils.ByteConverter.ToUInt16(parentFrame.Data, packetStartIndex);
                if (packetLength < 4)
                {
                    return(false);
                }
                else if (packetLength > INSANE_MAX_LENGTH)
                {
                    return(false);
                }
            }
            try {
                dnsPacket = new DnsPacket(parentFrame, packetStartIndex, packetEndIndex, lengthPrefix);
                return(true);
            }
            catch {
                return(false);
            }
        }
Пример #7
0
        public override IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            //List<Packet> subPackets=new List<Packet>();
            if (PacketStartIndex + 8 < PacketEndIndex)
            {
                AbstractPacket packet;

                /*
                 * if(destinationPort==53 || sourcePort==53 || destinationPort==5353 || sourcePort==5353) {//DNS or Multicast DNS http://www.multicastdns.org/
                 *  try {
                 *      packet=new DnsPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse DNS packet ("+e.Message+")"));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 * }
                 * else if(destinationPort==67 || destinationPort==68 || sourcePort==67 || sourcePort==68) {
                 *  try {
                 *      packet=new DhcpPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse DHCP (or BOOTP) protocol: "+e.Message));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *
                 * }
                 * else if(destinationPort==69 || sourcePort==69) {
                 *  try {
                 *      packet=new TftpPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse NetBiosNameServicePacket packet ("+e.Message+")"));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 * }
                 * else if(destinationPort==137 || sourcePort==137) {
                 *  try {
                 *      packet=new NetBiosNameServicePacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse NetBiosNameServicePacket packet ("+e.Message+")"));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 * }
                 * else if(destinationPort==138 || sourcePort==138) {
                 *  try {
                 *      packet=new NetBiosDatagramServicePacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse NetBiosDatagramServicePacket packet ("+e.Message+")"));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 * }
                 * else if (destinationPort == 514 || sourcePort == 514) {
                 *  try {
                 *      packet = new SyslogPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                 *  }
                 *  catch (Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse Syslog packet (" + e.Message + ")"));
                 *      packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                 *  }
                 * }
                 * else if(destinationPort==1900 || sourcePort==1900) {
                 *  try {
                 *      packet=new UpnpPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse UPnP packet ("+e.Message+")"));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 * }
                 * else if(destinationPort==5060 || sourcePort==5060) {
                 *  try {
                 *      packet=new SipPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 *  catch(Exception e) {
                 *      if (!this.ParentFrame.QuickParse)
                 *          ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex+8, PacketEndIndex, "Cannot parse SIP packet ("+e.Message+")"));
                 *      packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 *  }
                 * }
                 * else {
                 *  packet=new RawPacket(ParentFrame, PacketStartIndex+8, PacketEndIndex);
                 * }
                 * */
                ApplicationLayerProtocol l7Protocol = UdpPortProtocolFinder.Instance.GetApplicationLayerProtocol(FiveTuple.TransportProtocol.UDP, sourcePort, destinationPort);

                if (l7Protocol == ApplicationLayerProtocol.Dns)  //DNS or Multicast DNS http://www.multicastdns.org/
                {
                    try {
                        packet = new DnsPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse DNS packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Dhcp)
                {
                    try {
                        packet = new DhcpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse DHCP (or BOOTP) protocol: " + e.Message));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Tftp)
                {
                    try {
                        packet = new TftpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse NetBiosNameServicePacket packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.NetBiosNameService)
                {
                    try {
                        packet = new NetBiosNameServicePacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse NetBiosNameServicePacket packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.NetBiosDatagramService)
                {
                    try {
                        packet = new NetBiosDatagramServicePacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse NetBiosDatagramServicePacket packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Syslog)
                {
                    try {
                        packet = new SyslogPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse Syslog packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Upnp)
                {
                    try {
                        packet = new UpnpPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse UPnP packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.Sip)
                {
                    try {
                        packet = new SipPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse SIP packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else if (l7Protocol == ApplicationLayerProtocol.VXLAN)
                {
                    try {
                        packet = new VxlanPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                    catch (Exception e) {
                        if (!this.ParentFrame.QuickParse)
                        {
                            ParentFrame.Errors.Add(new Frame.Error(ParentFrame, PacketStartIndex + 8, PacketEndIndex, "Cannot parse VXLAN packet (" + e.Message + ")"));
                        }
                        packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                    }
                }
                else
                {
                    packet = new RawPacket(ParentFrame, PacketStartIndex + 8, PacketEndIndex);
                }
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
Пример #8
0
        internal IEnumerable <AbstractPacket> GetSubPackets(bool includeSelfReference, ISessionProtocolFinder protocolFinder, bool clientToServer)
        {
            if (includeSelfReference)
            {
                yield return(this);
            }
            if (PacketStartIndex + dataOffsetByteCount < PacketEndIndex)
            {
                AbstractPacket packet = null;
                foreach (ApplicationLayerProtocol protocol in protocolFinder.GetProbableApplicationLayerProtocols())
                {
                    try{
                        if (protocol == ApplicationLayerProtocol.Dns)
                        {
                            packet = new DnsPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Dns;
                            break;
                        }
                        else if (protocol == ApplicationLayerProtocol.FtpControl)
                        {
                            if (FtpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.FtpControl;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Http)
                        {
                            if (HttpPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Http;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Irc)
                        {
                            if (IrcPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Irc;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.IEC_104)
                        {
                            if (IEC_60870_5_104Packet.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.IEC_104;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.NetBiosNameService)
                        {
                            packet = new NetBiosNameServicePacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosNameService;
                            break;
                        }
                        else if (protocol == ApplicationLayerProtocol.NetBiosSessionService)
                        {
                            if (NetBiosSessionService.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                //packet = new NetBiosSessionService(ParentFrame, PacketStartIndex+dataOffsetByteCount, PacketEndIndex, false);
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.NetBiosSessionService;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Oscar)
                        {
                            if (OscarPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Oscar;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.OscarFileTransfer)
                        {
                            if (OscarFileTransferPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.OscarFileTransfer;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Smtp)
                        {
                            packet = new SmtpPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Smtp;
                            break;
                        }
                        else if (protocol == ApplicationLayerProtocol.SpotifyServerProtocol)
                        {
                            if (SpotifyKeyExchangePacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, clientToServer, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.SpotifyServerProtocol;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Ssh)
                        {
                            if (SshPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssh;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.Ssl)
                        {
                            if (SslPacket.TryParse(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex, out packet))
                            {
                                protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.Ssl;
                                break;
                            }
                        }
                        else if (protocol == ApplicationLayerProtocol.TabularDataStream)
                        {
                            packet = new TabularDataStreamPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                            protocolFinder.ConfirmedApplicationLayerProtocol = ApplicationLayerProtocol.TabularDataStream;
                            break;
                        }
                    }
                    catch (Exception) {
                        packet = null;
                    }
                }
                if (packet == null)
                {
                    packet = new RawPacket(ParentFrame, PacketStartIndex + dataOffsetByteCount, PacketEndIndex);
                }
                yield return(packet);

                foreach (AbstractPacket subPacket in packet.GetSubPackets(false))
                {
                    yield return(subPacket);
                }
            }
        }
Пример #9
0
            public ResourceRecord(DnsPacket parentPacket, int startIndex)
            {
                this.ParentPacket = parentPacket;
                int typeStartOffset;
                List <NameLabel> nameLabelList = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex - parentPacket.PacketStartIndex, out typeStartOffset);

                this.answerRequestedNameDecoded = new string[nameLabelList.Count];
                for (int i = 0; i < nameLabelList.Count; i++)
                {
                    this.answerRequestedNameDecoded[i] = nameLabelList[i].ToString();
                }

                this.Type             = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset);
                this.answerClass      = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 2);
                this.answerTimeToLive = Utils.ByteConverter.ToUInt32(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 4);
                this.answerDataLength = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 8);

                this.ByteCount = typeStartOffset - startIndex + parentPacket.PacketStartIndex + 10 + this.answerDataLength;
                if (parentPacket.Flags.OperationCode == (byte)HeaderFlags.OperationCodes.Query)
                {
                    if (this.Type == (ushort)RRTypes.CNAME)
                    {
                        List <NameLabel> answerRepliedName = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex + this.ByteCount - this.answerDataLength - parentPacket.PacketStartIndex, out typeStartOffset);

                        this.answerRepliedNameDecoded = new string[answerRepliedName.Count];
                        for (int i = 0; i < answerRepliedName.Count; i++)
                        {
                            this.answerRepliedNameDecoded[i] = answerRepliedName[i].ToString();
                        }
                    }
                    else if (this.Type == (ushort)RRTypes.TXT)
                    {
                        List <string> txtStrings = new List <string>();
                        for (int i = 0; i < this.answerDataLength; i++)
                        {
                            //byte txtLength = parentPacket.ParentFrame.Data[parentPacket.PacketStartIndex + typeStartOffset + 10 + i];
                            byte   txtLength = parentPacket.ParentFrame.Data[startIndex + this.ByteCount - this.answerDataLength + i];
                            string txtData   = ASCIIEncoding.ASCII.GetString(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex + typeStartOffset + 10 + i + 1, txtLength);
                            txtStrings.Add(txtData);
                            i += txtLength;
                        }
                        this.answerRepliedNameDecoded = txtStrings.ToArray();

                        //TODO a series(?) of 1 byte length, then data TXT records
                        //List<NameLabel> txtData = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex + this.ByteCount - this.answerDataLength - parentPacket.PacketStartIndex, out typeStartOffset);

                        /*
                         * for (int i = 0; i < this.answerDataLength; i++) {
                         *  byte length = parentPacket.ParentFrame.Data[startIndex + this.ByteCount - this.answerDataLength - parentPacket.PacketStartIndex];
                         *  string txtData =
                         * }
                         */
                    }
                    else if (this.Type == (ushort)RRTypes.SRV)
                    {
                        //https://datatracker.ietf.org/doc/html/rfc2782
                        ushort priority = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, startIndex + this.ByteCount - this.answerDataLength);
                        ushort weight   = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, startIndex + this.ByteCount - this.answerDataLength + 2);
                        ushort port     = Utils.ByteConverter.ToUInt16(parentPacket.ParentFrame.Data, startIndex + this.ByteCount - this.answerDataLength + 4);
                        var    target   = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex + this.ByteCount - this.answerDataLength + 6 - parentPacket.PacketStartIndex, out _);
                        this.answerRepliedNameDecoded = new string[target.Count];
                        for (int i = 0; i < target.Count; i++)
                        {
                            this.answerRepliedNameDecoded[i] = target[i].ToString();
                        }
                    }
                    else
                    {
                        this.answerRepliedNameDecoded = new string[this.answerDataLength];
                        for (int i = 0; i < this.answerDataLength; i++)
                        {
                            this.answerRepliedNameDecoded[i] = parentPacket.ParentFrame.Data[startIndex + this.ByteCount - this.answerDataLength + i].ToString();//the answer is at the end
                        }
                    }
                }
                else if (parentPacket.Flags.OperationCode == (byte)HeaderFlags.OperationCodes.InverseQuery)
                {
                    nameLabelList = GetNameLabelList(parentPacket.ParentFrame.Data, parentPacket.PacketStartIndex, startIndex + 12 - parentPacket.PacketStartIndex, out typeStartOffset);

                    this.answerRepliedNameDecoded = new string[nameLabelList.Count];
                    for (int i = 0; i < nameLabelList.Count; i++)
                    {
                        this.answerRepliedNameDecoded[i] = nameLabelList[i].ToString();
                    }
                }
            }