public DnsRecordEventArgs(Packets.DnsPacket.IDnsResponseInfo record, NetworkHost dnsServer, NetworkHost dnsClient, Packets.IIPPacket ipPakcet, Packets.ITransportLayerPacket transportLayerPacket) { this.Record = record; this.DnsServer = dnsServer; this.DnsClient = dnsClient; this.IpPacket = ipPakcet; this.TransportLayerPacket = transportLayerPacket; }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList) { //Packets.IIPPacket ipPacket = null; Packets.ITransportLayerPacket transportLayerPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.NetBiosNameServicePacket)) { ExtractData((Packets.NetBiosNameServicePacket)p, sourceHost, destinationHost, transportLayerPacket); } /*else if (p is Packets.IIPPacket) * ipPacket = (Packets.IIPPacket)p;*/ else if (p is Packets.ITransportLayerPacket tlp) { transportLayerPacket = tlp; } } }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <Packets.AbstractPacket> packetList) { Packets.DnsPacket dnsPacket = null; Packets.IIPPacket ipPacket = null; Packets.ITransportLayerPacket transportLayerPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p.GetType() == typeof(Packets.DnsPacket)) { dnsPacket = (Packets.DnsPacket)p; } else if (p is Packets.IIPPacket) { ipPacket = (Packets.IIPPacket)p; } /*else if(p.GetType()==typeof(Packets.IPv6Packet)) * ipv6Packet=(Packets.IPv6Packet)p;*/ else if (p is Packets.ITransportLayerPacket tlp) { transportLayerPacket = tlp; } } if (dnsPacket != null) { //ExtractDnsData(dnsPacket); if (dnsPacket.Flags.Response) { System.Collections.Specialized.NameValueCollection cNamePointers = new System.Collections.Specialized.NameValueCollection(); if (dnsPacket.AnswerRecords != null && dnsPacket.AnswerRecords.Length > 0) { foreach (Packets.DnsPacket.ResourceRecord r in dnsPacket.AnswerRecords) { if (r.IP != null) { if (!base.MainPacketHandler.NetworkHostList.ContainsIP(r.IP)) { NetworkHost host = new NetworkHost(r.IP); host.AddHostName(r.DNS, dnsPacket.PacketTypeDescription); lock (base.MainPacketHandler.NetworkHostList) base.MainPacketHandler.NetworkHostList.Add(host); MainPacketHandler.OnNetworkHostDetected(new Events.NetworkHostEventArgs(host)); //base.MainPacketHandler.ParentForm.ShowDetectedHost(host); } else { base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(r.DNS, dnsPacket.PacketTypeDescription); } if (cNamePointers[r.DNS] != null) { base.MainPacketHandler.NetworkHostList.GetNetworkHost(r.IP).AddHostName(cNamePointers[r.DNS], dnsPacket.PacketTypeDescription); } } else if (r.Type == (ushort)Packets.DnsPacket.RRTypes.CNAME) { cNamePointers.Add(r.PrimaryName, r.DNS); } MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(r, sourceHost, destinationHost, ipPacket, transportLayerPacket)); //base.MainPacketHandler.ParentForm.ShowDnsRecord(r, sourceHost, destinationHost, ipPakcet, udpPacket); } } else { //display the flags instead //TODO : MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs( if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0) { MainPacketHandler.OnDnsRecordDetected(new Events.DnsRecordEventArgs(new Packets.DnsPacket.ResponseWithErrorCode(dnsPacket), sourceHost, destinationHost, ipPacket, transportLayerPacket)); } } } else //DNS request { if (dnsPacket.QueriedDnsName != null && dnsPacket.QueriedDnsName.Length > 0) { sourceHost.AddQueriedDnsName(dnsPacket.QueriedDnsName); } } } }
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { int parsedBytes = 0; Packets.ITransportLayerPacket transportLayerPacket = null; foreach (Packets.AbstractPacket p in packetList) { if (p is ITransportLayerPacket) { transportLayerPacket = p as ITransportLayerPacket; } if (p.GetType() == typeof(Packets.KerberosPacket)) { Packets.KerberosPacket kerberosPacket = (Packets.KerberosPacket)p; //TicketPrimitives sessionTicketPrimitives = null; System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); string sessionSalt = this.GetKrbErrorSalt(kerberosPacket);//returns null in none found if (sessionSalt != null) { parameters.Add("Kerberos Salt", sessionSalt); } int hostPairHash = sourceHost.IPAddress.GetHashCode() ^ destinationHost.IPAddress.GetHashCode(); if (this.saltList.ContainsKey(hostPairHash)) { if (sessionSalt == null) { sessionSalt = this.saltList[hostPairHash]; } else { this.saltList[hostPairHash] = sessionSalt; } } else if (sessionSalt != null) { this.saltList.Add(hostPairHash, sessionSalt); } //parameters.Add("Kerberos message type", Enum.GetName(typeof(KerberosPacket.MessageType), kerberosPacket.MsgType) + " ("+((int)kerberosPacket.MsgType).ToString()+")"); List <uint> packetIntegers = new List <uint>(); byte encryptionType = 0; //uint lastInteger = 0; //List<string> spnParts = new List<string>(); List <(string username, string hash)> kerberosHashes = new List <(string username, string hash)>(); //string username, realm; (string username, string realm) = this.GetUserAndRealm(kerberosPacket, sourceHost, destinationHost); if (!string.IsNullOrEmpty(username)) { parameters.Add("Kerberos Username", username); } if (!string.IsNullOrEmpty(realm)) { parameters.Add("Kerberos Realm", realm); } foreach (var item in kerberosPacket.AsnData) { if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer) { //lastInteger = Utils.ByteConverter.ToUInt32(item.Item3); uint number = Utils.ByteConverter.ToUInt32(item.Item3); packetIntegers.Add(number); if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep && item.Item1.Equals("6d.30.a5.61.30.a3.30.a0")) { encryptionType = (byte)number; } else if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_as_rep) { if (item.Item1.Equals("6b.30.a5.61.30.a3.30.a0") || item.Item1.Equals("6b.30.a6.30.a0")) { encryptionType = (byte)number; } } } else if (item.Item2 == Utils.ByteConverter.Asn1TypeTag.OctetString) { //string hexValue = Utils.ByteConverter.ReadHexString(item.Item3, item.Item3.Length, true); if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_as_req) { if (item.Item1 == "6a.30.a3.30.30.a2" && packetIntegers.Last() == (ushort)KerberosPacket.PADataType.ENC_TIMESTAMP) { foreach (var encTimestampItem in Utils.ByteConverter.GetAsn1Data(item.Item3)) { if (encTimestampItem.Item2 == Utils.ByteConverter.Asn1TypeTag.Integer && encTimestampItem.Item1 == "30.a0" && encTimestampItem.Item3.Length == 1) { encryptionType = encTimestampItem.Item3.First(); } else if (encTimestampItem.Item2 == Utils.ByteConverter.Asn1TypeTag.OctetString && encTimestampItem.Item1 == "30.a2") { //sessionTicketPrimitives.Data = Utils.ByteConverter.ReadHexString(encTimestampItem.Item3, encTimestampItem.Item3.Length, true); //if (sessionTicketPrimitives.TryGetTicketHash(kerberosPacket.MsgType, encryptionType, encTimestampItem.Item3, out string hash)) // kerberosHashes.Add(hash); byte[] data = encTimestampItem.Item3; //krb5pa //user:$krb5pa$etype$user$realm$salt$HexTimestampHexChecksum //des:$krb5pa$23$des$DENYDC$$32d396a914a4d0a78e979ba75d4ff53c1db7294141760fee05e434c12ecf8d5b9aa5839e09a2244893aff5f384f79c37883f154a //des:$krb5pa$3$des$DENYDC$DENYDC.COMdes$233b4272aa93727221facfdbdcc9d1d9a0c43a2798c810600310c0daf48fb969c26cb47d69f575a65e00163845f68811f9c5266271cc0f91 //u5:$krb5pa$23$u5$DENYDC$DENYDC.COMdes$daf324dccec73739f6e49ef8fde60a9f9dfff50551ff5a7e969c6e395f18b842fb17c3b503df3025ab5a9dfc3031e893c4002008 //u5:$krb5pa$23$u5$DENYDC$DENYDC.COMdes$addbe67ccf9dd3c3da9e233612816c5720447ae202cfe7a84a719e1ef70b93bcef49786f71319a93d60531fcb443f7e96039f540 StringBuilder sb = new StringBuilder(); //sb.Append(username); //sb.Append(":$krb5pa$"); sb.Append("$krb5pa$"); sb.Append(encryptionType); sb.Append("$"); sb.Append(username); sb.Append("$"); sb.Append(realm); sb.Append("$"); sb.Append(sessionSalt); sb.Append("$"); if (encryptionType == 23) { //string checksum = Data.Substring(0, 32); string checksum = Utils.ByteConverter.ReadHexString(data, 16, 0, true); //string encTimestamp = Data.Substring(32); string encTimestamp = Utils.ByteConverter.ReadHexString(data, data.Length - 16, 16, true); //"%s:$krb5pa$%s$%s$%s$%s$%s%s\n" % (user, etype, user, realm, salt, enc_timestamp, checksum) sb.Append(encTimestamp); sb.Append(checksum); } else //"%s:$krb5pa$%s$%s$%s$%s$%s\n" % (user, etype, user, realm, salt, PA_DATA_ENC_TIMESTAMP) { sb.Append(Utils.ByteConverter.ReadHexString(data, data.Length, true)); } kerberosHashes.Add((username, sb.ToString())); } } } } else if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_tgs_rep) { if (item.Item1 == "6d.30.a5.61.30.a3.30.a2" && encryptionType == 23 && packetIntegers.Count > 2 && packetIntegers.Skip(packetIntegers.Count - 2).First() == 23) { byte[] data = item.Item3; //sessionTicketPrimitives.Username = string.Join("/", spnParts); //if (sessionTicketPrimitives.TryGetTicketHash(kerberosPacket.MsgType, encryptionType, item.Item3, out string hash)) // kerberosHashes.Add(hash); //$krb5tgs$<ENCRYPTION_TYPE>$*<USERNAME>$<REALM>$<SPN>*$<FIRST_16_BYTES_TICKET>$<REMAINING_TICKET_BYTES> //"%s:$krb5tgs$%s$%s$%s\n" % (spn, etype, data[:32], data[32:]) StringBuilder sb = new StringBuilder(); //sb.Append(username); //sb.Append(":$krb5tgs$"); sb.Append("$krb5tgs$"); sb.Append(encryptionType); sb.Append("$"); string encPart1 = Utils.ByteConverter.ReadHexString(data, 16, 0, true); string encPart2 = Utils.ByteConverter.ReadHexString(data, data.Length - 16, 16, true); sb.Append(encPart1); sb.Append("$"); sb.Append(encPart2); kerberosHashes.Add((username, sb.ToString())); //sessionTicketPrimitives.Data = Utils.ByteConverter.ReadHexString(item.Item3, item.Item3.Length, true); } } else if (kerberosPacket.MsgType == KerberosPacket.MessageType.krb_as_rep) { if (krbAsRepTicketPaths.Contains(item.Item1)) { byte[] data = item.Item3; //TODO: create kerberosHash StringBuilder sb = new StringBuilder(); sb.Append("$krb5asrep$"); sb.Append(encryptionType); sb.Append("$"); if (string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(sessionSalt)) { username = sessionSalt; } if (encryptionType == 23) { //sys.stdout.write("$krb5asrep$%s$%s$%s\n" % (etype, data[0:32], data[32:])) string encPart1 = Utils.ByteConverter.ReadHexString(data, 16, 0, true); string encPart2 = Utils.ByteConverter.ReadHexString(data, data.Length - 16, 16, true); sb.Append(encPart1); sb.Append("$"); sb.Append(encPart2); kerberosHashes.Add((username, sb.ToString())); } else if (!string.IsNullOrEmpty(sessionSalt)) { //if etype != "23": //sys.stdout.write("$krb5asrep$%s$%s$%s$%s\n" % (etype, salt, data[0:-24], data[-24:])) sb.Append(sessionSalt); sb.Append("$"); string encPart1 = Utils.ByteConverter.ReadHexString(data, 12, 0, true); string encPart2 = Utils.ByteConverter.ReadHexString(data, data.Length - 12, 12, true); sb.Append(encPart1); sb.Append("$"); sb.Append(encPart2); kerberosHashes.Add((username, sb.ToString())); } } } } } foreach (var h in kerberosHashes) { string hashUser = h.username; //string hashUser = hash.Split(new char[] { ':', '$' }).First(); if (string.IsNullOrEmpty(hashUser)) { if (!string.IsNullOrEmpty(username)) { hashUser = username; } else if (!string.IsNullOrEmpty(sessionSalt)) { hashUser = sessionSalt; } else { hashUser = "******"; } } if (kerberosPacket.IsRequest) { base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", hashUser, h.hash, kerberosPacket.ParentFrame.Timestamp)); } else { base.MainPacketHandler.AddCredential(new NetworkCredential(destinationHost, sourceHost, "Kerberos", hashUser, h.hash, kerberosPacket.ParentFrame.Timestamp)); } } /* * string krbHash = sessionTicketPrimitives.GetTicketHash(kerberosPacket.MsgType); * if (krbHash != null) * base.MainPacketHandler.AddCredential(new NetworkCredential(sourceHost, destinationHost, "Kerberos", sessionTicketPrimitives.Username, krbHash, kerberosPacket.ParentFrame.Timestamp, sessionTicketPrimitives.Realm)); */ base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(kerberosPacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, kerberosPacket.ParentFrame.Timestamp, "Kerberos " + Enum.GetName(typeof(KerberosPacket.MessageType), kerberosPacket.MsgType))); parsedBytes += kerberosPacket.PacketLength; } } return(parsedBytes); }
private void ExtractData(Packets.NetBiosNameServicePacket netBiosNameServicePacket, NetworkHost sourceHost, NetworkHost destinationHost, Packets.ITransportLayerPacket transportLayerPacket) { System.Collections.Specialized.NameValueCollection parameters = new System.Collections.Specialized.NameValueCollection(); if (netBiosNameServicePacket.QueriedNetBiosName != null) { sourceHost.AddQueriedNetBiosName(netBiosNameServicePacket.QueriedNetBiosName); parameters.Add("NetBIOS Query", netBiosNameServicePacket.QueriedNetBiosName); } /* * if(netBiosNameServicePacket.AnsweredNetBiosName!=null) { * parameters.Add(netBiosNameServicePacket.AnsweredNetBiosName, netBiosNameServicePacket.AnsweredIpAddress.ToString()); * if (base.MainPacketHandler.NetworkHostList.ContainsIP(netBiosNameServicePacket.AnsweredIpAddress)) * base.MainPacketHandler.NetworkHostList.GetNetworkHost(netBiosNameServicePacket.AnsweredIpAddress).AddHostName(netBiosNameServicePacket.AnsweredNetBiosName); * } */ foreach (Packets.NetBiosNameServicePacket.ResourceRecord answer in netBiosNameServicePacket.AnswerResourceRecords) { UInt16 flags = Utils.ByteConverter.ToUInt16(answer.Data.Array, answer.Data.Offset); byte[] ipBytes = new byte[4];//IP4... Array.Copy(answer.Data.Array, answer.Data.Offset + 2, ipBytes, 0, ipBytes.Length); System.Net.IPAddress answeredIpAddress = new System.Net.IPAddress(ipBytes); parameters.Add(answer.Name, answeredIpAddress.ToString()); if (base.MainPacketHandler.NetworkHostList.ContainsIP(answeredIpAddress)) { base.MainPacketHandler.NetworkHostList.GetNetworkHost(answeredIpAddress).AddHostName(answer.NameTrimmed); } } foreach (Packets.NetBiosNameServicePacket.ResourceRecord additional in netBiosNameServicePacket.AdditionalResourceRecords) { UInt16 flags = Utils.ByteConverter.ToUInt16(additional.Data.Array, additional.Data.Offset); if (additional.Type == 32 && additional.Class == 1 && (flags & 0x8000) == 0 && (additional.Name.EndsWith("<00>") || additional.Name.EndsWith("<20>"))) { //https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-brws/0c773bdd-78e2-4d8b-8b3d-b7506849847b //unique name with IP byte[] ipBytes = new byte[4];//IP4... Array.Copy(additional.Data.Array, additional.Data.Offset + 2, ipBytes, 0, ipBytes.Length); System.Net.IPAddress answeredIpAddress = new System.Net.IPAddress(ipBytes); parameters.Add(additional.Name, answeredIpAddress.ToString()); if (base.MainPacketHandler.NetworkHostList.ContainsIP(answeredIpAddress)) { base.MainPacketHandler.NetworkHostList.GetNetworkHost(answeredIpAddress).AddHostName(additional.NameTrimmed); } } } if (parameters.Count > 0 && transportLayerPacket != null) { if (netBiosNameServicePacket.Flags.Response) { base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Response")); } else if (netBiosNameServicePacket.Flags.OperationCode == (byte)Packets.NetBiosNameServicePacket.HeaderFlags.OperationCodes.registration) { base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Registration")); } else if (netBiosNameServicePacket.Flags.OperationCode == (byte)Packets.NetBiosNameServicePacket.HeaderFlags.OperationCodes.query) { base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Query")); } else { base.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(netBiosNameServicePacket.ParentFrame.FrameNumber, sourceHost, destinationHost, transportLayerPacket.TransportProtocol, transportLayerPacket.SourcePort, transportLayerPacket.DestinationPort, parameters, netBiosNameServicePacket.ParentFrame.Timestamp, "NBNS Message")); } } }
public int ExtractData(NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { //Packets.UdpPacket udpPacket = null; int parsedBytes = 0; Packets.ITransportLayerPacket transportLayerPacket = null; FiveTuple ft = null; foreach (Packets.AbstractPacket p in packetList) { if (p is Packets.ITransportLayerPacket) { transportLayerPacket = (Packets.ITransportLayerPacket)p; if (transportLayerPacket is Packets.UdpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); } else if (transportLayerPacket is Packets.TcpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP); } } if (p.GetType() == typeof(Packets.SipPacket)) { Packets.SipPacket sipPacket = (Packets.SipPacket)p; if (sipPacket.MessageLine.StartsWith(INVITE)) { string to = null; string from = null; if (sipPacket.To != null && sipPacket.To.Length > 0) { to = sipPacket.To; if (to.Contains(";")) { to = to.Substring(0, to.IndexOf(';')); } destinationHost.AddNumberedExtraDetail("SIP User", to); //destinationHost.ExtraDetailsList["SIP User"]=to; } if (sipPacket.From != null && sipPacket.From.Length > 0) { from = sipPacket.From; if (from.Contains(";")) { from = from.Substring(0, from.IndexOf(';')); } //destinationHost.AddNumberedExtraDetail("SIP User", from); sourceHost.AddNumberedExtraDetail("SIP User", from); //sourceHost.ExtraDetailsList["SIP User"]=from; } if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID)) { System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection { { "From", sipPacket.From }, { "To", sipPacket.To }, { "Call-ID", sipPacket.CallID } }; this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString())); } } if (!String.IsNullOrEmpty(sipPacket.UserAgent)) { sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent); } if (sipPacket.SDP != null) { if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null) { lock (callEndPoints) { Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft); if (this.callEndPoints.ContainsKey(sipPacket.CallID)) { Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null; foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID]) { if (previousEndPoint.Item3.EqualsIgnoreDirection(ft)) { //Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ; if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2))) { //this.callEndPoints.Remove(sipPacket.CallID); matchedTuple = previousEndPoint; if (sipPacket.From != null && sipPacket.To != null) { this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To); if (ft != null) { } } break; } } } if (matchedTuple == null) { this.callEndPoints[sipPacket.CallID].Add(endPoint); } if (matchedTuple != null) { this.callEndPoints[sipPacket.CallID].Remove(matchedTuple); } } else { this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >() { endPoint }); } } } } parsedBytes += sipPacket.PacketLength; } } return(parsedBytes); }
public void ExtractData(ref NetworkHost sourceHost, NetworkHost destinationHost, IEnumerable <PacketParser.Packets.AbstractPacket> packetList) { //Packets.UdpPacket udpPacket = null; Packets.ITransportLayerPacket transportLayerPacket = null; FiveTuple ft = null; foreach (Packets.AbstractPacket p in packetList) { /* * Packets.IIPPacket ipPacket; * if (p is Packets.IIPPacket) { * ipPacket = p as Packets.IIPPacket; * } */ if (p is Packets.ITransportLayerPacket) { transportLayerPacket = (Packets.ITransportLayerPacket)p; if (transportLayerPacket is Packets.UdpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.UDP); } else if (transportLayerPacket is Packets.TcpPacket) { ft = new FiveTuple(sourceHost, transportLayerPacket.SourcePort, destinationHost, transportLayerPacket.DestinationPort, FiveTuple.TransportProtocol.TCP); } } if (p.GetType() == typeof(Packets.SipPacket)) { Packets.SipPacket sipPacket = (Packets.SipPacket)p; if (sipPacket.MessageLine.StartsWith(INVITE)) { string to = null; string from = null; if (sipPacket.To != null && sipPacket.To.Length > 0) { to = sipPacket.To; if (to.Contains(";")) { to = to.Substring(0, to.IndexOf(';')); } destinationHost.AddNumberedExtraDetail("SIP User", to); //destinationHost.ExtraDetailsList["SIP User"]=to; } if (sipPacket.From != null && sipPacket.From.Length > 0) { from = sipPacket.From; if (from.Contains(";")) { from = from.Substring(0, from.IndexOf(';')); } //destinationHost.AddNumberedExtraDetail("SIP User", from); sourceHost.AddNumberedExtraDetail("SIP User", from); //sourceHost.ExtraDetailsList["SIP User"]=from; } if (ft != null && to != null && from != null && !String.IsNullOrEmpty(sipPacket.CallID)) { System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection { { "From", sipPacket.From }, { "To", sipPacket.To }, { "Call-ID", sipPacket.CallID } }; this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, ft, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP session " + ft.ToString())); } } if (!String.IsNullOrEmpty(sipPacket.UserAgent)) { sourceHost.AddHttpUserAgentBanner(sipPacket.UserAgent); } if (sipPacket.SDP != null) { if (sipPacket.SDP.Port != null && sipPacket.SDP.IP != null && sipPacket.CallID != null && ft != null) { lock (callEndPoints) { Tuple <System.Net.IPAddress, ushort, FiveTuple> endPoint = new Tuple <System.Net.IPAddress, ushort, FiveTuple>(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, ft); if (this.callEndPoints.ContainsKey(sipPacket.CallID)) { Tuple <System.Net.IPAddress, ushort, FiveTuple> matchedTuple = null; foreach (var previousEndPoint in this.callEndPoints[sipPacket.CallID]) { if (previousEndPoint.Item3.EqualsIgnoreDirection(ft)) { //Tuple<System.Net.IPAddress, ushort, FiveTuple> previousEndPoint = ; if (!(previousEndPoint.Item1.Equals(endPoint.Item1) && previousEndPoint.Item2.Equals(endPoint.Item2))) { //this.callEndPoints.Remove(sipPacket.CallID); matchedTuple = previousEndPoint; if (sipPacket.From != null && sipPacket.To != null) { this.MainPacketHandler.OnVoipCallDetected(sipPacket.SDP.IP, sipPacket.SDP.Port.Value, previousEndPoint.Item1, previousEndPoint.Item2, sipPacket.CallID, sipPacket.From, sipPacket.To); if (ft != null) { } } break; } } } if (matchedTuple == null) { this.callEndPoints[sipPacket.CallID].Add(endPoint); } if (matchedTuple != null) { this.callEndPoints[sipPacket.CallID].Remove(matchedTuple); } } else { this.callEndPoints.Add(sipPacket.CallID, new List <Tuple <System.Net.IPAddress, ushort, FiveTuple> >() { endPoint }); } } /* * //check if we have a reverse tuple * Tuple<System.Net.IPAddress, System.Net.IPAddress> reverseIpPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(destinationHost.IPAddress, sourceHost.IPAddress); * * TODO: Använd CALL ID istället som unik nyckel! * * lock (this.endPointCandidates) { * if (this.endPointCandidates.ContainsKey(reverseIpPair)) { * ushort reversePort = this.endPointCandidates[reverseIpPair]; * this.endPointCandidates.Remove(reverseIpPair); * * if (this.udpPayloadProtocolFinder != null && !String.IsNullOrEmpty(sipPacket.SDP.Protocol) && sipPacket.SDP.Protocol.StartsWith("RTP", StringComparison.InvariantCultureIgnoreCase)) * this.udpPayloadProtocolFinder.SetPayload(sourceHost.IPAddress, sipPacket.SDP.Port.Value, destinationHost.IPAddress, reversePort, ApplicationLayerProtocol.Rtp);//this might come in too late because the UDP packet has probably already been parsed by now. * if(sipPacket.From != null && sipPacket.To != null) { * FiveTuple fiveTuple = new FiveTuple(sourceHost, sipPacket.SDP.Port.Value, destinationHost, reversePort, FiveTuple.TransportProtocol.UDP); * this.MainPacketHandler.OnVoipCallDetected(fiveTuple, sipPacket.From, sipPacket.To); * System.Collections.Specialized.NameValueCollection nvc = new System.Collections.Specialized.NameValueCollection(); * nvc.Add("From", sipPacket.From); * nvc.Add("To", sipPacket.To); * this.MainPacketHandler.OnParametersDetected(new Events.ParametersEventArgs(sipPacket.ParentFrame.FrameNumber, fiveTuple, true, nvc, sipPacket.ParentFrame.Timestamp, "SIP setup of call " + fiveTuple.ToString())); * } * * } * else { * Tuple<System.Net.IPAddress, System.Net.IPAddress> ipPair = new Tuple<System.Net.IPAddress, System.Net.IPAddress>(sourceHost.IPAddress, destinationHost.IPAddress); * if (this.endPointCandidates.ContainsKey(ipPair)) * this.endPointCandidates[ipPair] = sipPacket.SDP.Port.Value; * else * this.endPointCandidates.Add(ipPair, sipPacket.SDP.Port.Value); * } * } */ } //rtpPacketHandler.NewRtpEndPoints.Enqueue(new Tuple<System.Net.IPAddress, System.Net.IPAddress, ushort>(destinationHost.IPAddress, sourceHost.IPAddress, sipPacket.SDP.Port.Value)); } } } }