Пример #1
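        /// <summary>
        /// Returns the DomainController entry that matches the given address,
        /// creating and registering a new entry when none exists yet.
        /// </summary>
        /// <param name="IP">Value compared against the entry's IP member.</param>
        /// <param name="IPHi">Value compared against the entry's IPHi member.</param>
        /// <param name="IPLo">Value compared against the entry's IPLo member.</param>
        /// <param name="isIPV6">Address-family flag; part of the lookup key together with the three address values.</param>
        /// <returns>The existing entry if all four key values match, otherwise a newly added one.</returns>
        public DomainController GetDomainController(uint IP, ulong IPHi, ulong IPLo, bool isIPV6)
        {
            // Linear scan: per the original author this is called rarely and the list is small.
            foreach (DomainController d in DomainControllers)
            {
                if (d.isIPV6 == isIPV6 && d.IP == IP && d.IPHi == IPHi && d.IPLo == IPLo)
                {
                    return d;
                }
            }

            // Not found - create a new entry keyed on the same four values the scan compares.
            DomainController d2 = new DomainController();

            d2.IP     = IP;
            d2.IPHi   = IPHi;
            d2.IPLo   = IPLo;
            // The scan above also compares isIPV6. Without recording it here the new entry keeps
            // whatever default DomainController gives it (not visible here, presumably false), so
            // a later lookup with a different flag value never matches and every such call adds
            // another duplicate entry, splitting the per-port counters across them.
            // NOTE(review): assumes isIPV6 is an assignable member of DomainController - confirm.
            d2.isIPV6 = isIPV6;
            DomainControllers.Add(d2);
            return d2;
        }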
Пример #2
        /// <summary>
        /// Builds trace.DomainControllers from the conversations in the trace, in three passes:
        /// (1) every destination of a conversation to port 53, 88 or 389 gets an entry and the
        /// matching per-port counter is incremented; (2) every conversation that
        /// trace.FindDomainController resolves to an entry is attached to it; (3) for each entry,
        /// non-UDP conversations to destination ports above 1000 are scanned for an MSRPC payload.
        /// </summary>
        /// <remarks>
        /// Pass 1 is a port-based heuristic: a host that only receives DNS traffic also gets an
        /// entry. The three counters are what a caller has to tell such hosts apart.
        /// NOTE(review): whether a later step filters on those counters is not visible here.
        /// Any list previously stored in trace.DomainControllers is replaced.
        /// </remarks>
        /// <param name="trace">Trace whose conversations are read and whose DomainControllers list is rebuilt.</param>
        public static void Process(NetworkTrace trace)
        {
            trace.DomainControllers = new System.Collections.ArrayList();

            // Pass 1: destinations on server ports 53 (DNS), 88 (Kerberos) and 389 (LDAP).
            foreach (ConversationData conv in trace.conversations)
            {
                switch (conv.destPort)
                {
                    case 53: // DNS
                        trace.GetDomainController(conv.destIP, conv.destIPHi, conv.destIPLo, conv.isIPV6).DNSPort53Count++;
                        break;

                    case 88: // Kerberos
                        trace.GetDomainController(conv.destIP, conv.destIPHi, conv.destIPLo, conv.isIPV6).KerbPort88Count++;
                        break;

                    case 389: // LDAP
                        trace.GetDomainController(conv.destIP, conv.destIPHi, conv.destIPLo, conv.isIPV6).LDAPPort389Count++;
                        break;
                }
            }

            // Pass 2: attach every conversation that resolves to a known entry, on any port.
            foreach (ConversationData conv in trace.conversations)
            {
                DomainController owner = trace.FindDomainController(conv);
                if (owner == null)
                {
                    continue;
                }

                owner.conversations.Add(conv);
            }

            // Pass 3: look for MSRPC traffic and record the port it was seen on.
            foreach (DomainController dc in trace.DomainControllers)
            {
                foreach (ConversationData conv in dc.conversations)
                {
                    // Only non-UDP conversations to ports above 1000 are candidates (low ports are ignored).
                    bool candidate = conv.isUDP == false && conv.destPort > 1000;
                    if (!candidate)
                    {
                        continue;
                    }

                    // The first frame that isMSRPC accepts decides; later frames are not inspected,
                    // so each conversation contributes at most one to MSRPCPortCount.
                    bool sawMsrpc = false;
                    foreach (FrameData frame in conv.frames)
                    {
                        if (isMSRPC(frame.payload))
                        {
                            sawMsrpc = true;
                            break;
                        }
                    }

                    if (!sawMsrpc)
                    {
                        continue;
                    }

                    ushort rpcPort = conv.destPort;
                    dc.MSRPCPortCount++;

                    if (dc.MSRPCPort == 0)
                    {
                        // First MSRPC port seen for this entry.
                        dc.MSRPCPort = rpcPort;
                    }
                    else if (dc.MSRPCPort != rpcPort)
                    {
                        // A different port than the recorded one: flag it, keep the first port.
                        dc.hasMultipleMSRPCPorts = true;
                    }
                }
            }
        }