public NetworkTcpSession(Packets.TcpPacket tcpSynPacket, NetworkHost clientHost, NetworkHost serverHost, ISessionProtocolFinderFactory protocolFinderFactory)
{
if (tcpSynPacket.FlagBits.Synchronize) //It's normal to start the session with a SYN flag
{
FiveTuple fiveTuple = new FiveTuple(clientHost, tcpSynPacket.SourcePort, serverHost, tcpSynPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
this.flow = new NetworkFlow(fiveTuple, tcpSynPacket.ParentFrame.Timestamp, tcpSynPacket.ParentFrame.Timestamp, 0, 0);
//this.synPacketTimestamp=tcpSynPacket.ParentFrame.Timestamp;
//this.clientHost=clientHost;
//this.serverHost=serverHost;
//this.clientTcpPort=tcpSynPacket.SourcePort;
//this.serverTcpPort=tcpSynPacket.DestinationPort;
this.synPacketReceived = false;
this.synAckPacketReceived = false;
this.finPacketReceived = false;
this.clientToServerFinPacketSequenceNumber = UInt32.MaxValue;
this.serverToClientFinPacketSequenceNumber = UInt32.MaxValue;
this.sessionEstablished = false;
this.sessionClosed = false;
this.startFrameNumber = tcpSynPacket.ParentFrame.FrameNumber;
this.clientToServerTcpDataStream = null;
this.serverToClientTcpDataStream = null;
this.protocolFinder = protocolFinderFactory.CreateProtocolFinder(this.flow, this.startFrameNumber);
}
else
{
throw new Exception("SYN flag not set on TCP packet");
}
}
//internal VirtualTcpData(System.Collections.Generic.SortedList<uint, byte[]> dataPacketList, ushort sourcePort, ushort destinationPort) {
internal VirtualTcpData(TcpDataStream tcpDataStream, ushort sourcePort, ushort destinationPort)
{
this.tcpDataStream = tcpDataStream;
this.sourcePort = sourcePort;
this.destinationPort = destinationPort;
this.nPackets = 1;
//this.firstPacketSequenceNumber=tcpDataStream.dataList.Keys[0];
}
/// <summary>
/// Creates a truncated TCP session where the initial 3 way handshake is missing
/// </summary>
/// <param name="sourceHost"></param>
/// <param name="destinationHost"></param>
/// <param name="tcpPacket"></param>
internal NetworkTcpSession(NetworkHost sourceHost, NetworkHost destinationHost, Packets.TcpPacket tcpPacket, ISessionProtocolFinderFactory protocolFinderFactory)
{
//this part is used to create a cropped (truncated) session where the beginning is missing!
this.synPacketTimestamp = tcpPacket.ParentFrame.Timestamp;
this.synPacketReceived = true;
this.synAckPacketReceived = true;
this.finPacketReceived = false;
this.sessionEstablished = false;//I will change this one soon,...
this.sessionClosed = false;
this.startFrameNumber = tcpPacket.ParentFrame.FrameNumber;
this.clientToServerTcpDataStream = null;
this.serverToClientTcpDataStream = null;
//now let's do a qualified guess of who is the server and who is client...
System.Collections.Generic.List <ApplicationLayerProtocol> serverToClientProtocols = new List <ApplicationLayerProtocol>(TcpPortProtocolFinder.GetProbableApplicationLayerProtocols(tcpPacket.SourcePort, tcpPacket.DestinationPort));
System.Collections.Generic.List <ApplicationLayerProtocol> clientToServerProtocols = new List <ApplicationLayerProtocol>(TcpPortProtocolFinder.GetProbableApplicationLayerProtocols(tcpPacket.DestinationPort, tcpPacket.SourcePort));
if (serverToClientProtocols.Count > 0) //server -> client
{
this.clientHost = destinationHost;
this.serverHost = sourceHost;
this.clientTcpPort = tcpPacket.DestinationPort;
this.serverTcpPort = tcpPacket.SourcePort;
this.SetEstablished(tcpPacket.AcknowledgmentNumber, tcpPacket.SequenceNumber);
}
else if (clientToServerProtocols.Count > 0) //client -> server
{
this.clientHost = sourceHost;
this.serverHost = destinationHost;
this.clientTcpPort = tcpPacket.SourcePort;
this.serverTcpPort = tcpPacket.DestinationPort;
this.SetEstablished(tcpPacket.SequenceNumber, tcpPacket.AcknowledgmentNumber);
}
else if (tcpPacket.SourcePort < tcpPacket.DestinationPort)//server -> client
{
this.clientHost = destinationHost;
this.serverHost = sourceHost;
this.clientTcpPort = tcpPacket.DestinationPort;
this.serverTcpPort = tcpPacket.SourcePort;
this.SetEstablished(tcpPacket.AcknowledgmentNumber, tcpPacket.SequenceNumber);
}
else //client -> server
{
this.clientHost = sourceHost;
this.serverHost = destinationHost;
this.clientTcpPort = tcpPacket.SourcePort;
this.serverTcpPort = tcpPacket.DestinationPort;
this.SetEstablished(tcpPacket.SequenceNumber, tcpPacket.AcknowledgmentNumber);
}
this.protocolFinder = protocolFinderFactory.CreateProtocolFinder(this.clientHost, this.serverHost, this.clientTcpPort, this.serverTcpPort, true, this.startFrameNumber, this.synPacketTimestamp);
}
private void SetEstablished(uint clientInitialSequenceNumber, uint serverInitialSequenceNumber)
{
this.sessionEstablished = true;
if (this.clientToServerTcpDataStream == null)
{
this.clientToServerTcpDataStream = new TcpDataStream(clientInitialSequenceNumber, clientTcpPort, serverTcpPort, this);
}
else
{
this.clientToServerTcpDataStream.InitialTcpSequenceNumber = clientInitialSequenceNumber;
}
if (this.serverToClientTcpDataStream == null)
{
this.serverToClientTcpDataStream = new TcpDataStream(serverInitialSequenceNumber, serverTcpPort, clientTcpPort, this);
}
else
{
this.serverToClientTcpDataStream.InitialTcpSequenceNumber = serverInitialSequenceNumber;
}
this.ServerHost.IncomingSessionList.Add(this);
this.ClientHost.OutgoingSessionList.Add(this);
}
public bool TryAddPacket(Packets.TcpPacket tcpPacket, NetworkHost sourceHost, NetworkHost destinationHost)
{
if (this.sessionClosed)
{
return(false);
}
//Make sure the hosts are correct
if (sourceHost == this.ClientHost && tcpPacket.SourcePort == this.ClientTcpPort)//client -> server
{
if (destinationHost != this.ServerHost)
{
return(false);
}
if (tcpPacket.SourcePort != this.ClientTcpPort)
{
return(false);
}
if (tcpPacket.DestinationPort != this.ServerTcpPort)
{
return(false);
}
}
else if (sourceHost == this.ServerHost && tcpPacket.SourcePort == this.ServerTcpPort)//server -> client
{
if (destinationHost != ClientHost)
{
return(false);
}
if (tcpPacket.SourcePort != ServerTcpPort)
{
return(false);
}
if (tcpPacket.DestinationPort != ClientTcpPort)
{
return(false);
}
}
else//unknown direction
{
return(false);
}
//this.latestPacketTimestamp=tcpPacket.ParentFrame.Timestamp;
this.flow.EndTime = tcpPacket.ParentFrame.Timestamp;
//Check TCP handshake
if (!this.synPacketReceived) //SYN (client->server)
{
if (tcpPacket.FlagBits.Synchronize && sourceHost == this.ClientHost)
{
this.synPacketReceived = true;
}
else
{
return(false);
}
}
else if (!this.synAckPacketReceived) //SYN+ACK (server->client)
{
if (tcpPacket.FlagBits.Synchronize && tcpPacket.FlagBits.Acknowledgement && sourceHost == this.ServerHost)
{
this.synAckPacketReceived = true;
}
else
{
return(false);
}
}
else if (!this.sessionEstablished) //ACK (client->server)
{
if (tcpPacket.FlagBits.Acknowledgement && sourceHost == this.ClientHost)
{
this.SetEstablished(tcpPacket.SequenceNumber, tcpPacket.AcknowledgmentNumber);
}
else
{
return(false);
}
}
//FIN and RST is handeled lower down
//else{//an established and not closed session!
if (tcpPacket.PayloadDataLength > 0)
{
this.protocolFinder.AddPacket(tcpPacket, sourceHost, destinationHost);
try {
//If we've come this far the packet should be allright for the networkSession
byte[] tcpSegmentData = tcpPacket.GetTcpPacketPayloadData();
//now add the data to the server to calculate service statistics for the open port
NetworkServiceMetadata networkServiceMetadata = null;
lock (this.ServerHost.NetworkServiceMetadataList) {
if (!this.ServerHost.NetworkServiceMetadataList.ContainsKey(this.ServerTcpPort))
{
networkServiceMetadata = new NetworkServiceMetadata(this.ServerHost, this.ServerTcpPort);
this.ServerHost.NetworkServiceMetadataList.Add(this.ServerTcpPort, networkServiceMetadata);
}
else
{
networkServiceMetadata = this.ServerHost.NetworkServiceMetadataList[this.ServerTcpPort];
}
}
//now, lets extract some data from the TCP packet!
if (sourceHost == this.ServerHost && tcpPacket.SourcePort == this.ServerTcpPort)
{
networkServiceMetadata.OutgoingTraffic.AddTcpPayloadData(tcpSegmentData);
//this.clientToServerTcpDataStream.AddTcpData(tcpPacket.SequenceNumber, tcpSegmentData);
if (this.serverToClientTcpDataStream == null)
{
this.serverToClientTcpDataStream = new TcpDataStream(tcpPacket.SequenceNumber, false, this);
}
if (this.requiredNextTcpDataStreamIsClientToServer == null && this.serverToClientTcpDataStream.TotalByteCount == 0)
{
this.requiredNextTcpDataStreamIsClientToServer = false;
}
this.serverToClientTcpDataStream.AddTcpData(tcpPacket.SequenceNumber, tcpSegmentData);
}
else
{
networkServiceMetadata.IncomingTraffic.AddTcpPayloadData(tcpSegmentData);
//this.serverToClientTcpDataStream.AddTcpData(tcpPacket.SequenceNumber, tcpSegmentData);
if (this.clientToServerTcpDataStream == null)
{
this.clientToServerTcpDataStream = new TcpDataStream(tcpPacket.SequenceNumber, true, this);
}
if (this.requiredNextTcpDataStreamIsClientToServer == null && this.clientToServerTcpDataStream.TotalByteCount == 0)
{
this.requiredNextTcpDataStreamIsClientToServer = true;
}
this.clientToServerTcpDataStream.AddTcpData(tcpPacket.SequenceNumber, tcpSegmentData);
}
}
catch (Exception ex) {
if (!tcpPacket.ParentFrame.QuickParse)
{
tcpPacket.ParentFrame.Errors.Add(new Frame.Error(tcpPacket.ParentFrame, tcpPacket.PacketStartIndex, tcpPacket.PacketEndIndex, ex.Message));
}
return(false);
}
}
//}
//se if stream should be closed
if (tcpPacket.FlagBits.Reset)//close no matter what
{
this.Close();
}
else if (tcpPacket.FlagBits.Fin)//close nicely
{
if (!this.finPacketReceived)
{
this.finPacketReceived = true;
if (sourceHost == this.ServerHost && tcpPacket.SourcePort == this.ServerTcpPort)
{
this.serverToClientFinPacketSequenceNumber = tcpPacket.SequenceNumber;
}
else
{
this.clientToServerFinPacketSequenceNumber = tcpPacket.SequenceNumber;
}
}
else if (tcpPacket.FlagBits.Acknowledgement)//fin+ack
{
this.Close();
}
}
return(true);
}
/// <summary>
/// Creates a truncated TCP session where the initial 3 way handshake is missing
/// </summary>
/// <param name="sourceHost"></param>
/// <param name="destinationHost"></param>
/// <param name="tcpPacket"></param>
public NetworkTcpSession(NetworkHost sourceHost, NetworkHost destinationHost, Packets.TcpPacket tcpPacket, ISessionProtocolFinderFactory protocolFinderFactory, Func <DateTime, string> toCustomTimeZoneStringFunction)
{
//this part is used to create a cropped (truncated) session where the beginning is missing!
//this.synPacketTimestamp=tcpPacket.ParentFrame.Timestamp;
this.toCustomTimeZoneStringFunction = toCustomTimeZoneStringFunction;
this.synPacketReceived = true;
this.synAckPacketReceived = true;
this.finPacketReceived = false;
this.sessionEstablished = false;//I will change this one soon,...
this.sessionClosed = false;
this.startFrameNumber = tcpPacket.ParentFrame.FrameNumber;
this.clientToServerTcpDataStream = null;
this.serverToClientTcpDataStream = null;
//now let's do a qualified guess of who is the server and who is client...
FiveTuple fiveTuple;
System.Collections.Generic.List <ApplicationLayerProtocol> sourcePortProtocols = new List <ApplicationLayerProtocol>(TcpPortProtocolFinder.GetProbableApplicationLayerProtocols(tcpPacket.SourcePort, tcpPacket.SourcePort));
System.Collections.Generic.List <ApplicationLayerProtocol> destinationPortProtocols = new List <ApplicationLayerProtocol>(TcpPortProtocolFinder.GetProbableApplicationLayerProtocols(tcpPacket.DestinationPort, tcpPacket.DestinationPort));
if (sourcePortProtocols.Count > destinationPortProtocols.Count) //packet is server -> client
//this.clientHost=destinationHost;
//this.serverHost=sourceHost;
//this.clientTcpPort=tcpPacket.DestinationPort;
//this.serverTcpPort=tcpPacket.SourcePort;
{
fiveTuple = new FiveTuple(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, FiveTuple.TransportProtocol.TCP);
this.flow = new NetworkFlow(fiveTuple, tcpPacket.ParentFrame.Timestamp, tcpPacket.ParentFrame.Timestamp, 0, 0);
this.SetEstablished(tcpPacket.AcknowledgmentNumber, tcpPacket.SequenceNumber);
}
else if (destinationPortProtocols.Count > 0) //packet is client -> server
//this.clientHost=sourceHost;
//this.serverHost=destinationHost;
//this.clientTcpPort=tcpPacket.SourcePort;
//this.serverTcpPort=tcpPacket.DestinationPort;
{
fiveTuple = new FiveTuple(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
this.flow = new NetworkFlow(fiveTuple, tcpPacket.ParentFrame.Timestamp, tcpPacket.ParentFrame.Timestamp, 0, 0);
this.SetEstablished(tcpPacket.SequenceNumber, tcpPacket.AcknowledgmentNumber);
}
else if (tcpPacket.SourcePort < tcpPacket.DestinationPort)//packet is server -> client
//this.clientHost=destinationHost;
//this.serverHost=sourceHost;
//this.clientTcpPort=tcpPacket.DestinationPort;
//this.serverTcpPort=tcpPacket.SourcePort;
{
fiveTuple = new FiveTuple(destinationHost, tcpPacket.DestinationPort, sourceHost, tcpPacket.SourcePort, FiveTuple.TransportProtocol.TCP);
this.flow = new NetworkFlow(fiveTuple, tcpPacket.ParentFrame.Timestamp, tcpPacket.ParentFrame.Timestamp, 0, 0);
this.SetEstablished(tcpPacket.AcknowledgmentNumber, tcpPacket.SequenceNumber);
}
else //packet is client -> server
//this.clientHost=sourceHost;
//this.serverHost=destinationHost;
//this.clientTcpPort=tcpPacket.SourcePort;
//this.serverTcpPort=tcpPacket.DestinationPort;
{
fiveTuple = new FiveTuple(sourceHost, tcpPacket.SourcePort, destinationHost, tcpPacket.DestinationPort, FiveTuple.TransportProtocol.TCP);
this.flow = new NetworkFlow(fiveTuple, tcpPacket.ParentFrame.Timestamp, tcpPacket.ParentFrame.Timestamp, 0, 0);
this.SetEstablished(tcpPacket.SequenceNumber, tcpPacket.AcknowledgmentNumber);
}
this.protocolFinder = protocolFinderFactory.CreateProtocolFinder(this.flow, this.startFrameNumber);
}
