From 4484ff025d7c4c865473c89fc834c2616cc5b95c Mon Sep 17 00:00:00 2001 From: tfarley Date: Sat, 15 Apr 2017 21:00:58 -0700 Subject: [PATCH] Ability to open pcaps as full messages instead of packets (merging fragments) --- aclogview/FindOpcodeInFilesForm.cs | 4 +- aclogview/Form1.Designer.cs | 47 +-- aclogview/Form1.cs | 465 ++++++----------------------- aclogview/FragDatListToolForm.cs | 6 +- aclogview/PCapReader.cs | 391 ++++++++++++++++++------ aclogview/PacketRecord.cs | 5 +- aclogview/Packets.cs | 2 +- aclogview/pcap.cs | 32 ++ 8 files changed, 455 insertions(+), 497 deletions(-) diff --git a/aclogview/FindOpcodeInFilesForm.cs b/aclogview/FindOpcodeInFilesForm.cs index 0f8d1d8..5d2fa28 100644 --- a/aclogview/FindOpcodeInFilesForm.cs +++ b/aclogview/FindOpcodeInFilesForm.cs @@ -183,7 +183,7 @@ private void ProcessFile(string fileName) int hits = 0; int exceptions = 0; - var records = PCapReader.LoadPcap(fileName, ref searchAborted); + var records = PCapReader.LoadPcap(fileName, false, ref searchAborted); foreach (var record in records) { @@ -202,7 +202,7 @@ private void ProcessFile(string fileName) // ******************************************************************** // Custom search code that can output information to Special Output // Below are several commented out examples on how you can search through bulk pcaps for targeted data, and output detailed information to the output tab. - foreach (BlobFrag frag in record.netPacket.fragList_) + foreach (BlobFrag frag in record.frags) { try { diff --git a/aclogview/Form1.Designer.cs b/aclogview/Form1.Designer.cs index 872028b..d5ce760 100644 --- a/aclogview/Form1.Designer.cs +++ b/aclogview/Form1.Designer.cs 
@@ -36,6 +36,8 @@ private void InitializeComponent() { this.splitContainer_Bottom = new System.Windows.Forms.SplitContainer(); this.textBox_PacketData = new System.Windows.Forms.RichTextBox(); this.treeView_ParsedData = new System.Windows.Forms.TreeView(); + this.parsedContextMenu = new System.Windows.Forms.ContextMenuStrip(this.components); + this.CopyCmd = new System.Windows.Forms.ToolStripMenuItem(); this.mainMenu = new System.Windows.Forms.MainMenu(this.components); this.menuItem_File = new System.Windows.Forms.MenuItem(); this.menuItem_Open = new System.Windows.Forms.MenuItem(); @@ -57,8 +59,7 @@ private void InitializeComponent() { this.statusStrip = new System.Windows.Forms.StatusStrip(); this.checkBox_HideHeaderOnly = new System.Windows.Forms.CheckBox(); this.checkBox_useHighlighting = new System.Windows.Forms.CheckBox(); - this.parsedContextMenu = new System.Windows.Forms.ContextMenuStrip(this.components); - this.CopyCmd = new System.Windows.Forms.ToolStripMenuItem(); + this.menuItem_OpenAsMessages = new System.Windows.Forms.MenuItem(); ((System.ComponentModel.ISupportInitialize)(this.splitContainer_Main)).BeginInit(); this.splitContainer_Main.Panel1.SuspendLayout(); this.splitContainer_Main.Panel2.SuspendLayout(); @@ -67,8 +68,8 @@ private void InitializeComponent() { this.splitContainer_Bottom.Panel1.SuspendLayout(); this.splitContainer_Bottom.Panel2.SuspendLayout(); this.splitContainer_Bottom.SuspendLayout(); - ((System.ComponentModel.ISupportInitialize)(this.pictureBox_Search)).BeginInit(); this.parsedContextMenu.SuspendLayout(); + ((System.ComponentModel.ISupportInitialize)(this.pictureBox_Search)).BeginInit(); this.SuspendLayout(); // // splitContainer_Main 
@@ -190,6 +191,22 @@ private void InitializeComponent() { this.treeView_ParsedData.TabIndex = 0; this.treeView_ParsedData.AfterSelect += new System.Windows.Forms.TreeViewEventHandler(this.treeView_ParsedData_AfterSelect); // + // parsedContextMenu + // + this.parsedContextMenu.Items.AddRange(new System.Windows.Forms.ToolStripItem[] { + this.CopyCmd}); + this.parsedContextMenu.Name = "parsedContextMenu"; + this.parsedContextMenu.Size = new System.Drawing.Size(96, 26); + this.parsedContextMenu.Opening += new System.ComponentModel.CancelEventHandler(this.parsedContextMenu_Opening); + this.parsedContextMenu.Click += new System.EventHandler(this.parsedContextMenu_Click); + // + // CopyCmd + // + this.CopyCmd.Name = "CopyCmd"; + this.CopyCmd.ShowShortcutKeys = false; + this.CopyCmd.Size = new System.Drawing.Size(95, 22); + this.CopyCmd.Text = "&Copy"; + // // mainMenu // this.mainMenu.MenuItems.AddRange(new System.Windows.Forms.MenuItem[] { @@ -202,7 +219,8 @@ private void InitializeComponent() { // this.menuItem_File.Index = 0; this.menuItem_File.MenuItems.AddRange(new System.Windows.Forms.MenuItem[] { - this.menuItem_Open}); + this.menuItem_Open, + this.menuItem_OpenAsMessages}); this.menuItem_File.Text = "File"; // // menuItem_Open 
@@ -349,21 +367,11 @@ private void InitializeComponent() { this.checkBox_useHighlighting.UseVisualStyleBackColor = true; this.checkBox_useHighlighting.CheckedChanged += new System.EventHandler(this.checkBox_useHighlighting_CheckedChanged); // - // parsedContextMenu + // menuItem_OpenAsMessages // - this.parsedContextMenu.Items.AddRange(new System.Windows.Forms.ToolStripItem[] { - this.CopyCmd}); - this.parsedContextMenu.Name = "parsedContextMenu"; - this.parsedContextMenu.Size = new System.Drawing.Size(96, 26); - this.parsedContextMenu.Opening += new System.ComponentModel.CancelEventHandler(this.parsedContextMenu_Opening); - this.parsedContextMenu.Click += new System.EventHandler(this.parsedContextMenu_Click); - // - // CopyCmd - // - this.CopyCmd.Name = "CopyCmd"; - this.CopyCmd.ShowShortcutKeys = false; - this.CopyCmd.Size = new System.Drawing.Size(95, 22); - this.CopyCmd.Text = "&Copy"; + this.menuItem_OpenAsMessages.Index = 1; + this.menuItem_OpenAsMessages.Text = "Open As Messages"; + this.menuItem_OpenAsMessages.Click += new System.EventHandler(this.menuItem_OpenAsMessages_Click); // // Form1 // @@ -390,8 +398,8 @@ private void InitializeComponent() { this.splitContainer_Bottom.Panel2.ResumeLayout(false); ((System.ComponentModel.ISupportInitialize)(this.splitContainer_Bottom)).EndInit(); this.splitContainer_Bottom.ResumeLayout(false); - ((System.ComponentModel.ISupportInitialize)(this.pictureBox_Search)).EndInit(); this.parsedContextMenu.ResumeLayout(false); + ((System.ComponentModel.ISupportInitialize)(this.pictureBox_Search)).EndInit(); this.ResumeLayout(false); this.PerformLayout(); @@ -434,6 +442,7 @@ private void InitializeComponent() { private System.Windows.Forms.MenuItem mnuItem_ToolFragDatListTool; private System.Windows.Forms.ContextMenuStrip parsedContextMenu; private System.Windows.Forms.ToolStripMenuItem CopyCmd; + private System.Windows.Forms.MenuItem menuItem_OpenAsMessages; } } 
diff --git a/aclogview/Form1.cs b/aclogview/Form1.cs index 4d3d924..304981e 100644 --- a/aclogview/Form1.cs +++ b/aclogview/Form1.cs @@ -18,6 +18,7 @@ public partial class Form1 : Form { private ListViewItemComparer comparer = new ListViewItemComparer(); public List messageProcessors = new List(); private long curPacket; + private bool loadedAsMessages; private string[] args; @@ -70,7 +71,7 @@ private void Form1_Load(object sender, EventArgs e) { opCodesToHighlight.Add(opcode); } if (args != null && args.Length >= 1) - loadPcap(args[0]); + loadPcap(args[0], false); } protected override void OnClosing(CancelEventArgs e) 
@@ -80,349 +81,10 @@ protected override void OnClosing(CancelEventArgs e) Settings.Default.Save(); } - - private void readPacket(PacketRecord packet, StringBuilder packetTypeStr, BinaryReader packetReader) { - BlobFrag newFrag = new BlobFrag(); - newFrag.memberHeader_ = BlobFragHeader_t.read(packetReader); - newFrag.dat_ = packetReader.ReadBytes(newFrag.memberHeader_.blobFragSize - 16); // 16 == size of frag header - - packet.netPacket.fragList_.Add(newFrag); - - BinaryReader fragDataReader = new BinaryReader(new MemoryStream(newFrag.dat_)); - - if (newFrag.memberHeader_.blobNum != 0) { - packetTypeStr.Append("FragData["); - packetTypeStr.Append(newFrag.memberHeader_.blobNum); - packetTypeStr.Append("]"); - } else { - PacketOpcode opcode = Util.readOpcode(fragDataReader); - packet.opcodes.Add(opcode); - packetTypeStr.Append(opcode.ToString()); - } - } - - private void readOptionalHeaders(PacketRecord packet, uint header_, StringBuilder packetHeadersStr, BinaryReader packetReader) { - long readStartPos = packetReader.BaseStream.Position; - - if ((header_ & CServerSwitchStructHeader.mask) != 0) { - CServerSwitchStruct serverSwitchStruct = CServerSwitchStruct.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Server Switch"); - } - - if ((header_ & LogonServerAddrHeader.mask) != 0) { - sockaddr_in serverAddr = sockaddr_in.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Logon Server Addr"); - } - - if ((header_ & CEmptyHeader1.mask) != 0) { - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Empty Header 1"); - } - - if ((header_ & CReferralStructHeader.mask) != 0) { - CReferralStruct referralStruct = CReferralStruct.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Referral"); - } - - if ((header_ & 
NakHeader.mask) != 0) { - CSeqIDListHeader nakSeqIDs = NakHeader.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Nak"); - } - - if ((header_ & EmptyAckHeader.mask) != 0) { - CSeqIDListHeader ackSeqIDs = EmptyAckHeader.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Empty Ack"); - } - - if ((header_ & PakHeader.mask) != 0) { - PakHeader pakHeader = PakHeader.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Pak"); - } - - if ((header_ & CEmptyHeader2.mask) != 0) { - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Empty Header 2"); - } - - if ((header_ & CLogonHeader.mask) != 0) { - CLogonHeader.HandshakeWireData handshakeData = CLogonHeader.HandshakeWireData.read(packetReader); - byte[] authData = packetReader.ReadBytes((int)handshakeData.cbAuthData); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Logon"); - } - - if ((header_ & ULongHeader.mask) != 0) { - ULongHeader ulongHeader = ULongHeader.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("ULong 1"); - } - - if ((header_ & CConnectHeader.mask) != 0) { - CConnectHeader.HandshakeWireData handshakeData = CConnectHeader.HandshakeWireData.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Connect"); - } - - if ((header_ & ULongHeader2.mask) != 0) { - ULongHeader2 ulongHeader = ULongHeader2.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("ULong 2"); - } - - if ((header_ & NetErrorHeader.mask) != 0) { - NetError netError = NetError.read(packetReader); - if 
(packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Net Error"); - } - - if ((header_ & NetErrorHeader_cs_DisconnectReceived.mask) != 0) { - NetError netError = NetError.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Net Error Disconnect"); - } - - if ((header_ & CICMDCommandStructHeader.mask) != 0) { - CICMDCommandStruct icmdStruct = CICMDCommandStruct.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("ICmd"); - } - - if ((header_ & CTimeSyncHeader.mask) != 0) { - CTimeSyncHeader timeSyncHeader = CTimeSyncHeader.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Time Sync"); - } - - if ((header_ & CEchoRequestHeader.mask) != 0) { - CEchoRequestHeader echoRequestHeader = CEchoRequestHeader.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Echo Request"); - } - - if ((header_ & CEchoResponseHeader.mask) != 0) { - CEchoResponseHeader.CEchoResponseHeaderWireData echoResponseData = CEchoResponseHeader.CEchoResponseHeaderWireData.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Echo Response"); - } - - if ((header_ & CFlowStructHeader.mask) != 0) { - CFlowStruct flowStruct = CFlowStruct.read(packetReader); - if (packetHeadersStr.Length != 0) { - packetHeadersStr.Append(" | "); - } - packetHeadersStr.Append("Flow"); - } - - packet.optionalHeadersLen = (int)(packetReader.BaseStream.Position - readStartPos); - } - List records = new List(); List listItems = new List(); - - private int readPacketRecordData(BinaryReader binaryReader, long len, uint tsSec, long curPacket, bool dontList) { - // Begin reading headers - long packetStartPos = 
binaryReader.BaseStream.Position; - - EthernetHeader ethernetHeader = EthernetHeader.read(binaryReader); - - // Skip non-IP packets - if (ethernetHeader.proto != 8) { - binaryReader.BaseStream.Position += len - (binaryReader.BaseStream.Position - packetStartPos); - return 1; - } - - IpHeader ipHeader = IpHeader.read(binaryReader); - - // Skip non-UDP packets - if (ipHeader.proto != 17) { - binaryReader.BaseStream.Position += len - (binaryReader.BaseStream.Position - packetStartPos); - return 1; - } - - UdpHeader udpHeader = UdpHeader.read(binaryReader); - - bool isSend = (udpHeader.dPort >= 9000 && udpHeader.dPort <= 9013); - bool isRecv = (udpHeader.sPort >= 9000 && udpHeader.sPort <= 9013); - - // Skip non-AC-port packets - if (!isSend && !isRecv) { - binaryReader.BaseStream.Position += len - (binaryReader.BaseStream.Position - packetStartPos); - return 1; - } - - long headersSize = binaryReader.BaseStream.Position - packetStartPos; - - // Begin reading non-header packet content - StringBuilder packetHeadersStr = new StringBuilder(); - StringBuilder packetTypeStr = new StringBuilder(); - - PacketRecord packet = new PacketRecord(); - packet.index = records.Count; - packet.isSend = isSend; - packet.tsSec = tsSec; - packet.netPacket = new NetPacket(); - packet.data = binaryReader.ReadBytes((int)(len - headersSize)); - packet.extraInfo = ""; - BinaryReader packetReader = new BinaryReader(new MemoryStream(packet.data)); - try { - ProtoHeader pHeader = ProtoHeader.read(packetReader); - - readOptionalHeaders(packet, pHeader.header_, packetHeadersStr, packetReader); - - if (packetReader.BaseStream.Position == packetReader.BaseStream.Length) { - packetTypeStr.Append("
"); - } - - uint HAS_FRAGS_MASK = 0x4; // See SharedNet::SplitPacketData - if ((pHeader.header_ & HAS_FRAGS_MASK) != 0) { - bool first = true; - while (packetReader.BaseStream.Position != packetReader.BaseStream.Length) { - if (!first) { - packetTypeStr.Append(" + "); - } - readPacket(packet, packetTypeStr, packetReader); - first = false; - } - } - - if (packetReader.BaseStream.Position != packetReader.BaseStream.Length) { - packet.extraInfo = "Didnt read entire packet! " + packet.extraInfo; - } - } catch (OutOfMemoryException e) { - //MessageBox.Show("Out of memory (packet " + curPacket + "), stopping read: " + e); - return 2; - } catch (Exception e) { - packet.extraInfo += "EXCEPTION: " + e.Message + " " + e.StackTrace; - } - packet.packetHeadersStr = packetHeadersStr.ToString(); - packet.packetTypeStr = packetTypeStr.ToString(); - - records.Add(packet); - - if (!dontList) { - ListViewItem newItem = new ListViewItem(packet.index.ToString()); - newItem.SubItems.Add(packet.isSend ? "Send" : "Recv"); - newItem.SubItems.Add(packet.tsSec.ToString()); - newItem.SubItems.Add(packet.packetHeadersStr); - newItem.SubItems.Add(packet.packetTypeStr); - newItem.SubItems.Add(packet.data.Length.ToString()); - newItem.SubItems.Add(packet.extraInfo); - listItems.Add(newItem); - } - - return 0; - } - - private void loadPcapContent(BinaryReader binaryReader, bool dontList) { - PcapHeader pcapHeader = PcapHeader.read(binaryReader); - - while (binaryReader.BaseStream.Position != binaryReader.BaseStream.Length) { - curPacket++; - - if (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position < 16) { - //MessageBox.Show("Stream cut short (packet " + curPacket + "), stopping read: " + (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position)); - break; - } - - PcapRecordHeader recordHeader = PcapRecordHeader.read(binaryReader); - - if (recordHeader.inclLen > 50000) { - //MessageBox.Show("Enormous packet (packet " + curPacket + "), stopping read: " + 
recordHeader.inclLen); - break; - } - - // Make sure there's enough room for an ethernet header - if (recordHeader.inclLen < 14) { - binaryReader.BaseStream.Position += recordHeader.inclLen; - continue; - } - - if (readPacketRecordData(binaryReader, recordHeader.inclLen, recordHeader.tsSec, curPacket, dontList) == 2) { - break; - } - } - } - - private void loadPcapngContent(BinaryReader binaryReader, bool dontList) { - while (binaryReader.BaseStream.Position != binaryReader.BaseStream.Length) { - curPacket++; - - if (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position < 8) { - //MessageBox.Show("Stream cut short (packet " + curPacket + "), stopping read: " + (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position)); - break; - } - - long recordStartPos = binaryReader.BaseStream.Position; - - uint blockType = binaryReader.ReadUInt32(); - uint blockTotalLength = binaryReader.ReadUInt32(); - - if (blockType == 6) { - uint interfaceID = binaryReader.ReadUInt32(); - uint tsHigh = binaryReader.ReadUInt32(); - uint tsLow = binaryReader.ReadUInt32(); - uint capturedLen = binaryReader.ReadUInt32(); - uint packetLen = binaryReader.ReadUInt32(); - - if (readPacketRecordData(binaryReader, capturedLen, tsLow, curPacket, dontList) == 2) { - break; - } - } else if (blockType == 3) { - uint packetLen = binaryReader.ReadUInt32(); - uint capturedLen = blockTotalLength - 16; - - if (readPacketRecordData(binaryReader, capturedLen, 0, curPacket, dontList) == 2) { - break; - } - } - - binaryReader.BaseStream.Position += blockTotalLength - (binaryReader.BaseStream.Position - recordStartPos); - } - } - - private void loadPcap(string fileName, bool dontList = false) { + + private void loadPcap(string fileName, bool asMessages, bool dontList = false) { this.Text = "AC Log View - " + Path.GetFileName(fileName); if (opCodesToHighlight.Count > 0) 
@@ -435,16 +97,21 @@ private void loadPcap(string fileName, bool dontList = false) { records.Clear(); listItems.Clear(); - using (FileStream fileStream = new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { - using (BinaryReader binaryReader = new BinaryReader(fileStream)) { - uint magicNumber = binaryReader.ReadUInt32(); - binaryReader.BaseStream.Position = 0; + bool abort = false; + records = PCapReader.LoadPcap(fileName, asMessages, ref abort); - if (magicNumber == 0xA1B2C3D4 || magicNumber == 0xD4C3B2A1) { - loadPcapContent(binaryReader, dontList); - } else { - loadPcapngContent(binaryReader, dontList); - } + if (!dontList) + { + foreach (PacketRecord record in records) + { + ListViewItem newItem = new ListViewItem(record.index.ToString()); + newItem.SubItems.Add(record.isSend ? "Send" : "Recv"); + newItem.SubItems.Add(record.tsSec.ToString()); + newItem.SubItems.Add(record.packetHeadersStr); + newItem.SubItems.Add(record.packetTypeStr); + newItem.SubItems.Add(record.data.Length.ToString()); + newItem.SubItems.Add(record.extraInfo); + listItems.Add(newItem); } } @@ -509,7 +176,7 @@ private void updateText() { PacketRecord record = records[Int32.Parse(listItems[listView_Packets.SelectedIndices[0]].SubItems[0].Text)]; byte[] data = record.data; - if (checkBox_useHighlighting.Checked) { + if (checkBox_useHighlighting.Checked && !loadedAsMessages) { int fragStartPos = 20 + record.optionalHeadersLen; int curFrag = 0; int curLine = 0; 
@@ -548,13 +215,13 @@ private void updateText() { } else if (dataIndex < 20 + record.optionalHeadersLen) { // Optional headers textBox_PacketData.SelectionColor = Color.Green; - } else if (record.netPacket.fragList_.Count > 0) { - if (curFrag < record.netPacket.fragList_.Count) { + } else if (record.frags.Count > 0) { + if (curFrag < record.frags.Count) { int fragCurPos = dataIndex - fragStartPos; if (fragCurPos < 16) { // Fragment header textBox_PacketData.SelectionColor = Color.Magenta; - } else if (fragCurPos == (16 + record.netPacket.fragList_[curFrag].dat_.Length)) { + } else if (fragCurPos == (16 + record.frags[curFrag].dat_.Length)) { // Next fragment fragStartPos = dataIndex; curFrag++; @@ -607,13 +274,13 @@ private void updateText() { } else if (dataIndex < 20 + record.optionalHeadersLen) { // Optional headers textBox_PacketData.SelectionColor = Color.Green; - } else if (record.netPacket.fragList_.Count > 0) { - if (curFrag < record.netPacket.fragList_.Count) { + } else if (record.frags.Count > 0) { + if (curFrag < record.frags.Count) { int fragCurPos = dataIndex - fragStartPos; if (fragCurPos < 16) { // Fragment header textBox_PacketData.SelectionColor = Color.Magenta; - } else if (fragCurPos == (16 + record.netPacket.fragList_[curFrag].dat_.Length)) { + } else if (fragCurPos == (16 + record.frags[curFrag].dat_.Length)) { // Next fragment fragStartPos = dataIndex; curFrag++; 
@@ -706,14 +373,15 @@ private void updateTree() { if (listView_Packets.SelectedIndices.Count > 0) { PacketRecord record = records[Int32.Parse(listItems[listView_Packets.SelectedIndices[0]].SubItems[0].Text)]; - foreach (BlobFrag frag in record.netPacket.fragList_) { - BinaryReader fragDataReader = new BinaryReader(new MemoryStream(frag.dat_)); + if (loadedAsMessages) + { + BinaryReader messageDataReader = new BinaryReader(new MemoryStream(record.data)); try { bool handled = false; foreach (MessageProcessor messageProcessor in messageProcessors) { - long readerStartPos = fragDataReader.BaseStream.Position; + long readerStartPos = messageDataReader.BaseStream.Position; - bool accepted = messageProcessor.acceptMessageData(fragDataReader, treeView_ParsedData); + bool accepted = messageProcessor.acceptMessageData(messageDataReader, treeView_ParsedData); if (accepted && handled) { throw new Exception("Multiple message processors are handling the same data!"); 
@@ -721,20 +389,54 @@ private void updateTree() { if (accepted) { handled = true; - if (fragDataReader.BaseStream.Position != fragDataReader.BaseStream.Length) { - treeView_ParsedData.Nodes.Add(new TreeNode("WARNING: Prev fragment not fully read!")); + if (messageDataReader.BaseStream.Position != messageDataReader.BaseStream.Length) { + treeView_ParsedData.Nodes.Add(new TreeNode("WARNING: Packet not fully read!")); } } - fragDataReader.BaseStream.Position = readerStartPos; + messageDataReader.BaseStream.Position = readerStartPos; } if (!handled) { - PacketOpcode opcode = Util.readOpcode(fragDataReader); + PacketOpcode opcode = Util.readOpcode(messageDataReader); treeView_ParsedData.Nodes.Add(new TreeNode("Unhandled: " + opcode)); } } catch (Exception e) { treeView_ParsedData.Nodes.Add(new TreeNode("EXCEPTION: " + e.Message)); + } + } + else + { + foreach (BlobFrag frag in record.frags) { + BinaryReader fragDataReader = new BinaryReader(new MemoryStream(frag.dat_)); + try { + bool handled = false; + foreach (MessageProcessor messageProcessor in messageProcessors) { + long readerStartPos = fragDataReader.BaseStream.Position; + + bool accepted = messageProcessor.acceptMessageData(fragDataReader, treeView_ParsedData); + + if (accepted && handled) { + throw new Exception("Multiple message processors are handling the same data!"); + } + + if (accepted) { + handled = true; + if (fragDataReader.BaseStream.Position != fragDataReader.BaseStream.Length) { + treeView_ParsedData.Nodes.Add(new TreeNode("WARNING: Prev fragment not fully read!")); + } + } + + fragDataReader.BaseStream.Position = readerStartPos; + } + + if (!handled) { + PacketOpcode opcode = Util.readOpcode(fragDataReader); + treeView_ParsedData.Nodes.Add(new TreeNode("Unhandled: " + opcode)); + } + } catch (Exception e) { + treeView_ParsedData.Nodes.Add(new TreeNode("EXCEPTION: " + e.Message)); + } } } } 
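Review bot: The new `else` branch in updateTree repeats the message-processor loop of the `loadedAsMessages` branch line for line; only the byte source (`frag.dat_` versus `record.data`) and the "not fully read" warning text differ. Two copies of the dispatch loop, the multiple-handler check and the unhandled-opcode fallback will drift apart the next time one of them is edited. Consider one private helper, for example `private void addParsedNodes(byte[] data, string notFullyReadWarning)`, called once for `record.data` or once per entry of `record.frags`. updateTree starts and ends outside these hunks.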
@@ -777,9 +479,8 @@ private void treeView_ParsedData_AfterSelect(object sender, TreeViewEventArgs e) updateText(); } - - private void menuItem_Open_Click(object sender, EventArgs e) - { + private void openPcap(bool asMessages) + { OpenFileDialog openFile = new OpenFileDialog(); openFile.AddExtension = true; openFile.Filter = "Packet Captures (*.pcap;*.pcapng)|*.pcap;*.pcapng|All Files (*.*)|*.*"; @@ -787,7 +488,19 @@ private void menuItem_Open_Click(object sender, EventArgs e) if (openFile.ShowDialog() != DialogResult.OK) return; - loadPcap(openFile.FileName); + loadedAsMessages = asMessages; + + loadPcap(openFile.FileName, asMessages); + } + + private void menuItem_Open_Click(object sender, EventArgs e) + { + openPcap(false); + } + + private void menuItem_OpenAsMessages_Click(object sender, EventArgs e) + { + openPcap(true); } private void mnuItem_EditPreviousHighlightedRow_Click(object sender, EventArgs e) @@ -842,7 +555,7 @@ private void menuItem_ToolCount_Click(object sender, EventArgs e) { foreach (string file in files) { - loadPcap(file, true); + loadPcap(file, false, true); foreach (PacketRecord record in records) { @@ -896,7 +609,7 @@ private void menuItem_ToolBad_Click(object sender, EventArgs e) foreach (string file in files) { - loadPcap(file); + loadPcap(file, false); int curPacket = 0; int curFragment = 0; @@ -905,9 +618,9 @@ private void menuItem_ToolBad_Click(object sender, EventArgs e) for (curPacket = 0; curPacket < records.Count; ++curPacket) { PacketRecord record = records[curPacket]; - for (curFragment = 0; curFragment < record.netPacket.fragList_.Count; ++curFragment) + for (curFragment = 0; curFragment < record.frags.Count; ++curFragment) { - BlobFrag frag = record.netPacket.fragList_[curFragment]; + BlobFrag frag = record.frags[curFragment]; if (frag.memberHeader_.numFrags > 0) continue; 
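Review bot: `loadedAsMessages` is assigned only in openPcap, so it can disagree with what `records` actually holds. Form1_Load and the tool handlers call `loadPcap(file, false)` directly, and menuItem_ToolBad_Click does so without `dontList`, so after an "Open As Messages" session the list can be refilled with per-packet records while the flag is still true. updateTree would then pass `record.data`, which in packet mode presumably still includes the protocol and fragment headers, to the message processors as if it were a merged message, and updateText would skip highlighting. Setting the flag where the records are produced keeps the two in step: move `loadedAsMessages = asMessages;` into loadPcap next to the `PCapReader.LoadPcap(fileName, asMessages, ref abort)` call.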
@@ -961,12 +674,12 @@ private void menuItem_ToolHeatmap_Click(object sender, EventArgs e) uint[,] heatmap = new uint[256, 256]; foreach (string file in files) { - loadPcap(file, true); + loadPcap(file, false, true); foreach (PacketRecord record in records) { packetCount++; - foreach (BlobFrag frag in record.netPacket.fragList_) + foreach (BlobFrag frag in record.frags) { if (frag.memberHeader_.blobNum == 0) messageCount++; diff --git a/aclogview/FragDatListToolForm.cs b/aclogview/FragDatListToolForm.cs index 431efe9..14dafe4 100644 --- a/aclogview/FragDatListToolForm.cs +++ b/aclogview/FragDatListToolForm.cs @@ -194,7 +194,9 @@ private void DoBuild() private void ProcessFileForBuild(string fileName) { - var records = PCapReader.LoadPcap(fileName, ref searchAborted); + // NOTE: If you want to get fully constructed/merged messages isntead of fragments: + // Pass true below and use record.data as the full message, instead of individual record.frags + var records = PCapReader.LoadPcap(fileName, false, ref searchAborted); // Temperorary objects var allFrags = new List(); @@ -208,7 +210,7 @@ private void ProcessFileForBuild(string fileName) // ******************************************************************** // ************************ Custom Search Code ************************ // ******************************************************************** - foreach (BlobFrag frag in record.netPacket.fragList_) + foreach (BlobFrag frag in record.frags) { try { diff --git a/aclogview/PCapReader.cs b/aclogview/PCapReader.cs index 7c7cd28..f16ce9c 100644 --- a/aclogview/PCapReader.cs +++ b/aclogview/PCapReader.cs @@ -7,7 +7,7 @@ namespace aclogview { static class PCapReader { - public static List LoadPcap(string fileName, ref bool abort) + public static List LoadPcap(string fileName, bool asMessages, ref bool abort) { using (FileStream fileStream = new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite)) { 
@@ -18,14 +18,94 @@ public static List LoadPcap(string fileName, ref bool abort) binaryReader.BaseStream.Position = 0; if (magicNumber == 0xA1B2C3D4 || magicNumber == 0xD4C3B2A1) - return loadPcapContent(binaryReader, ref abort); + return loadPcapPacketRecords(binaryReader, asMessages, ref abort); - return loadPcapngContent(binaryReader, ref abort); + return loadPcapngPacketRecords(binaryReader, asMessages, ref abort); } } } - private static List loadPcapContent(BinaryReader binaryReader, ref bool abort) + private class FragNumComparer : IComparer + { + int IComparer.Compare(BlobFrag a, BlobFrag b) + { + if (a.memberHeader_.blobNum > b.memberHeader_.blobNum) + return 1; + if (a.memberHeader_.blobNum < b.memberHeader_.blobNum) + return -1; + else + return 0; + } + } + + private static bool addPacketIfFinished(List finishedRecords, PacketRecord record) + { + record.frags.Sort(new FragNumComparer()); + + // Make sure all fragments are present + if (record.frags.Count < record.frags[0].memberHeader_.numFrags + || record.frags[0].memberHeader_.blobNum != 0 + || record.frags[record.frags.Count - 1].memberHeader_.blobNum != record.frags[0].memberHeader_.numFrags - 1) + { + return false; + } + + record.index = finishedRecords.Count; + + // Remove duplicate fragments + int index = 0; + while (index < record.frags.Count - 1) + { + if (record.frags[index].memberHeader_.blobNum == record.frags[index + 1].memberHeader_.blobNum) + record.frags.RemoveAt(index); + else + index++; + } + + int totalMessageSize = 0; + foreach (BlobFrag frag in record.frags) + { + totalMessageSize += frag.dat_.Length; + } + + record.data = new byte[totalMessageSize]; + int offset = 0; + foreach (BlobFrag frag in record.frags) + { + Buffer.BlockCopy(frag.dat_, 0, record.data, offset, frag.dat_.Length); + offset += frag.dat_.Length; + } + + finishedRecords.Add(record); + + return true; + } + + private static PcapRecordHeader readPcapRecordHeader(BinaryReader binaryReader, int curPacket) + { + if 
(binaryReader.BaseStream.Length - binaryReader.BaseStream.Position < 16) + { + throw new InvalidDataException("Stream cut short (packet " + curPacket + "), stopping read: " + (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position)); + } + + PcapRecordHeader recordHeader = PcapRecordHeader.read(binaryReader); + + if (recordHeader.inclLen > 50000) + { + throw new InvalidDataException("Enormous packet (packet " + curPacket + "), stopping read: " + recordHeader.inclLen); + } + + // Make sure there's enough room for an ethernet header + if (recordHeader.inclLen < 14) + { + binaryReader.BaseStream.Position += recordHeader.inclLen; + return null; + } + + return recordHeader; + } + + private static List loadPcapPacketRecords(BinaryReader binaryReader, bool asMessages, ref bool abort) { List results = new List(); @@ -34,6 +114,8 @@ private static List loadPcapContent(BinaryReader binaryReader, ref int curPacket = 0; + Dictionary incompletePacketMap = new Dictionary(); + while (binaryReader.BaseStream.Position != binaryReader.BaseStream.Length) { if (abort) 
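Review bot: The completeness test in addPacketIfFinished runs before the duplicate-removal loop, so a retransmitted fragment can stand in for a missing one. With numFrags = 3 and fragments numbered 0, 0, 2, the count, first and last checks all pass, the duplicate is then dropped, and `record.data` is built from fragments 0 and 2 only and reported as a finished message. Since the capture file is untrusted input and this output is what the message processors parse, I would dedupe first and then require every index from 0 to numFrags - 1 exactly once, as in the excerpt below. `record.frags[0]` is also read without an emptiness check; whether callers guarantee at least one fragment is not visible in this hunk.

```csharp
record.frags.Sort(new FragNumComparer());

// Drop duplicate fragments before judging completeness
int index = 0;
while (index < record.frags.Count - 1)
{
    if (record.frags[index].memberHeader_.blobNum == record.frags[index + 1].memberHeader_.blobNum)
        record.frags.RemoveAt(index);
    else
        index++;
}

// Complete only when fragments 0..numFrags-1 are each present exactly once
if (record.frags.Count == 0 || record.frags.Count != record.frags[0].memberHeader_.numFrags)
    return false;
for (int i = 0; i < record.frags.Count; i++)
{
    if (record.frags[i].memberHeader_.blobNum != i)
        return false;
}

record.index = finishedRecords.Count;
// … unchanged: total size computation, Buffer.BlockCopy loop, finishedRecords.Add(record) …
```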
@@ -41,44 +123,81 @@ private static List loadPcapContent(BinaryReader binaryReader, ref curPacket++; - if (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position < 16) - { - //MessageBox.Show("Stream cut short (packet " + curPacket + "), stopping read: " + (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position)); - break; - } - - PcapRecordHeader recordHeader = PcapRecordHeader.read(binaryReader); - - if (recordHeader.inclLen > 50000) - { - //MessageBox.Show("Enormous packet (packet " + curPacket + "), stopping read: " + recordHeader.inclLen); - break; + PcapRecordHeader recordHeader; + try + { + recordHeader = readPcapRecordHeader(binaryReader, curPacket); + + if (recordHeader == null) + { + continue; + } } - - // Make sure there's enough room for an ethernet header - if (recordHeader.inclLen < 14) - { - binaryReader.BaseStream.Position += recordHeader.inclLen; - continue; + catch (InvalidDataException e) + { + break; } - var packetRecord = readPacketRecordData(binaryReader, recordHeader.inclLen, recordHeader.tsSec, curPacket); + long packetStartPos = binaryReader.BaseStream.Position; - if (packetRecord == null) - break; + try + { + if (asMessages) + { + if (!readMessageData(binaryReader, recordHeader.inclLen, recordHeader.tsSec, curPacket, results, incompletePacketMap)) + break; + } + else + { + var packetRecord = readPacketData(binaryReader, recordHeader.inclLen, recordHeader.tsSec, curPacket); + + if (packetRecord == null) + break; - results.Add(packetRecord); + results.Add(packetRecord); + } + } + catch (Exception e) + { + binaryReader.BaseStream.Position += recordHeader.inclLen - (binaryReader.BaseStream.Position - packetStartPos); + } } return results; } - private static List loadPcapngContent(BinaryReader binaryReader, ref bool abort) + private static PcapngBlockHeader readPcapngBlockHeader(BinaryReader binaryReader, int curPacket) + { + if (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position < 8) + { + throw new 
InvalidDataException("Stream cut short (packet " + curPacket + "), stopping read: " + (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position)); + } + + PcapngBlockHeader blockHeader = PcapngBlockHeader.read(binaryReader); + + if (blockHeader.capturedLen > 50000) + { + throw new InvalidDataException("Enormous packet (packet " + curPacket + "), stopping read: " + blockHeader.capturedLen); + } + + // Make sure there's enough room for an ethernet header + if (blockHeader.capturedLen < 14) + { + binaryReader.BaseStream.Position += blockHeader.capturedLen; + return null; + } + + return blockHeader; + } + + private static List loadPcapngPacketRecords(BinaryReader binaryReader, bool asMessages, ref bool abort) { List results = new List(); int curPacket = 0; + Dictionary incompletePacketMap = new Dictionary(); + while (binaryReader.BaseStream.Position != binaryReader.BaseStream.Length) { if (abort) 
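Review bot: The `catch (Exception e)` around readMessageData/readPacketData discards every failure without recording it. Because readNetworkHeaders (later in this patch) now throws a bare `InvalidDataException()` for each non-IP, non-UDP or non-AC-port frame, a genuinely malformed record cannot be told apart from an ordinary skipped one. I would catch the expected skip separately with `catch (InvalidDataException)` and count or log anything else with `curPacket`, so that a damaged capture is visible to the person reading it. Throwing once per skipped frame is also costly on captures that are mostly unrelated traffic; a status return from readNetworkHeaders would avoid that. The pcapng loop in the following hunk has the same handler.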
@@ -86,63 +205,61 @@ private static List loadPcapngContent(BinaryReader binaryReader, r curPacket++; - if (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position < 8) - { - //MessageBox.Show("Stream cut short (packet " + curPacket + "), stopping read: " + (binaryReader.BaseStream.Length - binaryReader.BaseStream.Position)); - break; - } - - long recordStartPos = binaryReader.BaseStream.Position; - - uint blockType = binaryReader.ReadUInt32(); - uint blockTotalLength = binaryReader.ReadUInt32(); + long blockStartPos = binaryReader.BaseStream.Position; - if (blockType == 6) - { - /*uint interfaceID = */binaryReader.ReadUInt32(); - /*uint tsHigh = */binaryReader.ReadUInt32(); - uint tsLow = binaryReader.ReadUInt32(); - uint capturedLen = binaryReader.ReadUInt32(); - /*uint packetLen = */binaryReader.ReadUInt32(); + PcapngBlockHeader blockHeader; + try + { + blockHeader = readPcapngBlockHeader(binaryReader, curPacket); - var packetRecord = readPacketRecordData(binaryReader, capturedLen, tsLow, curPacket); + if (blockHeader == null) + { + continue; + } + } + catch (InvalidDataException e) + { + break; + } + + long packetStartPos = binaryReader.BaseStream.Position; + + try + { + if (asMessages) + { + if (!readMessageData(binaryReader, blockHeader.capturedLen, blockHeader.tsLow, curPacket, results, incompletePacketMap)) + break; + } + else + { + var packetRecord = readPacketData(binaryReader, blockHeader.capturedLen, blockHeader.tsLow, curPacket); - if (packetRecord == null) - break; + if (packetRecord == null) + break; - results.Add(packetRecord); + results.Add(packetRecord); + } } - else if (blockType == 3) - { - /*uint packetLen = */binaryReader.ReadUInt32(); - uint capturedLen = blockTotalLength - 16; - - var packetRecord = readPacketRecordData(binaryReader, capturedLen, 0, curPacket); - - if (packetRecord == null) - break; - - results.Add(packetRecord); + catch (Exception e) + { + binaryReader.BaseStream.Position += blockHeader.capturedLen - 
(binaryReader.BaseStream.Position - packetStartPos); } - binaryReader.BaseStream.Position += blockTotalLength - (binaryReader.BaseStream.Position - recordStartPos); + binaryReader.BaseStream.Position += blockHeader.blockTotalLength - (binaryReader.BaseStream.Position - blockStartPos); } return results; } - private static PacketRecord readPacketRecordData(BinaryReader binaryReader, long len, uint tsSec, int curPacket) + private static bool readNetworkHeaders(BinaryReader binaryReader) { - // Begin reading headers - long packetStartPos = binaryReader.BaseStream.Position; - EthernetHeader ethernetHeader = EthernetHeader.read(binaryReader); // Skip non-IP packets if (ethernetHeader.proto != 8) { - binaryReader.BaseStream.Position += len - (binaryReader.BaseStream.Position - packetStartPos); - return null; + throw new InvalidDataException(); } IpHeader ipHeader = IpHeader.read(binaryReader); @@ -150,8 +267,7 @@ private static PacketRecord readPacketRecordData(BinaryReader binaryReader, long // Skip non-UDP packets if (ipHeader.proto != 17) { - binaryReader.BaseStream.Position += len - (binaryReader.BaseStream.Position - packetStartPos); - return null; + throw new InvalidDataException(); } UdpHeader udpHeader = UdpHeader.read(binaryReader); @@ -162,9 +278,18 @@ private static PacketRecord readPacketRecordData(BinaryReader binaryReader, long // Skip non-AC-port packets if (!isSend && !isRecv) { - binaryReader.BaseStream.Position += len - (binaryReader.BaseStream.Position - packetStartPos); - return null; - } + throw new InvalidDataException(); + } + + return isSend; + } + + private static PacketRecord readPacketData(BinaryReader binaryReader, long len, uint tsSec, int curPacket) + { + // Begin reading headers + long packetStartPos = binaryReader.BaseStream.Position; + + bool isSend = readNetworkHeaders(binaryReader); long headersSize = binaryReader.BaseStream.Position - packetStartPos; 
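Review bot: The `continue` taken when readPcapngBlockHeader returns null skips the `blockTotalLength` resync at the bottom of the loop, which the old code ran for every block. PcapngBlockHeader.read (pcap.cs, later in this patch) leaves capturedLen at 0 for any block type other than 6 or 3, so every non-packet block takes this path with the stream only 8 bytes into the block, and the next iteration parses a block header out of that block's body. Returning the header in all cases and skipping in the loop with `binaryReader.BaseStream.Position = blockStartPos + blockHeader.blockTotalLength; continue;` restores the old behaviour. A blockTotalLength smaller than the bytes already consumed should end the read, since it would otherwise move the stream backwards.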
@@ -176,15 +301,14 @@ private static PacketRecord readPacketRecordData(BinaryReader binaryReader, long packet.index = (curPacket - 1); packet.isSend = isSend; packet.tsSec = tsSec; - packet.netPacket = new NetPacket(); - packet.data = binaryReader.ReadBytes((int)(len - headersSize)); packet.extraInfo = ""; + packet.data = binaryReader.ReadBytes((int)(len - headersSize)); BinaryReader packetReader = new BinaryReader(new MemoryStream(packet.data)); try { ProtoHeader pHeader = ProtoHeader.read(packetReader); - readOptionalHeaders(packet, pHeader.header_, packetHeadersStr, packetReader); + packet.optionalHeadersLen = readOptionalHeaders(pHeader.header_, packetHeadersStr, packetReader); if (packetReader.BaseStream.Position == packetReader.BaseStream.Length) packetTypeStr.Append("
"); @@ -193,15 +317,27 @@ private static PacketRecord readPacketRecordData(BinaryReader binaryReader, long if ((pHeader.header_ & HAS_FRAGS_MASK) != 0) { - bool first = true; - while (packetReader.BaseStream.Position != packetReader.BaseStream.Length) { - if (!first) + if (packetTypeStr.Length != 0) packetTypeStr.Append(" + "); - readPacket(packet, packetTypeStr, packetReader); - first = false; + BlobFrag newFrag = readFragment(packetReader); + packet.frags.Add(newFrag); + + if (newFrag.memberHeader_.blobNum != 0) + { + packetTypeStr.Append("FragData["); + packetTypeStr.Append(newFrag.memberHeader_.blobNum); + packetTypeStr.Append("]"); + } + else + { + BinaryReader fragDataReader = new BinaryReader(new MemoryStream(newFrag.dat_)); + PacketOpcode opcode = Util.readOpcode(fragDataReader); + packet.opcodes.Add(opcode); + packetTypeStr.Append(opcode); + } } } 
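Review bot: `binaryReader.ReadBytes((int)(len - headersSize))` trusts the record length taken from the capture, and the only lower bound applied earlier is 14 bytes. A record shorter than the Ethernet, IP and UDP headers that readNetworkHeaders consumes gives a negative count and an ArgumentOutOfRangeException, and a record cut short by end of file returns fewer bytes than requested without any error. A guard before the read, such as `if (len < headersSize) throw new InvalidDataException("Record shorter than its headers (packet " + curPacket + ")");`, plus a check that `packet.data.Length` matches the requested size, would make both cases explicit. readMessageData in a later hunk reads `packetData` the same way, and readPacketData begins and ends outside this hunk.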
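Review bot: The fragment returned by readFragment is added to `packet.frags` unchecked, and readFragment (defined further down in this patch) sizes its read from the untrusted `blobFragSize - 16`. A value below 16 makes ReadBytes throw, and a value larger than what is left in the packet silently yields a short `dat_`, which `Util.readOpcode` then parses here and which addPacketIfFinished would concatenate in message mode. I would check in readFragment that `blobFragSize >= 16` and that `dat_.Length == blobFragSize - 16`, throwing an InvalidDataException otherwise. The loop in readMessageData relies on the same call.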
@@ -224,31 +360,96 @@ private static PacketRecord readPacketRecordData(BinaryReader binaryReader, long return packet; } - private static void readPacket(PacketRecord packet, StringBuilder packetTypeStr, BinaryReader packetReader) + private static bool readMessageData(BinaryReader binaryReader, long len, uint tsSec, int curPacket, List results, Dictionary incompletePacketMap) { - BlobFrag newFrag = new BlobFrag(); - newFrag.memberHeader_ = BlobFragHeader_t.read(packetReader); - newFrag.dat_ = packetReader.ReadBytes(newFrag.memberHeader_.blobFragSize - 16); // 16 == size of frag header + // Begin reading headers + long packetStartPos = binaryReader.BaseStream.Position; + + bool isSend = readNetworkHeaders(binaryReader); + + long headersSize = binaryReader.BaseStream.Position - packetStartPos; + + // Begin reading non-header packet content + StringBuilder packetHeadersStr = new StringBuilder(); + StringBuilder packetTypeStr = new StringBuilder(); + + PacketRecord packet = null; + byte[] packetData = binaryReader.ReadBytes((int)(len - headersSize)); + BinaryReader packetReader = new BinaryReader(new MemoryStream(packetData)); + try + { + ProtoHeader pHeader = ProtoHeader.read(packetReader); + + uint HAS_FRAGS_MASK = 0x4; // See SharedNet::SplitPacketData + + if ((pHeader.header_ & HAS_FRAGS_MASK) != 0) + { + readOptionalHeaders(pHeader.header_, packetHeadersStr, packetReader); + + while (packetReader.BaseStream.Position != packetReader.BaseStream.Length) + { + BlobFrag newFrag = readFragment(packetReader); + + ulong blobID = newFrag.memberHeader_.blobID; + if (incompletePacketMap.ContainsKey(blobID)) + { + packet = incompletePacketMap[newFrag.memberHeader_.blobID]; + } + else + { + packet = new PacketRecord(); + incompletePacketMap.Add(blobID, packet); + } + + if (newFrag.memberHeader_.blobNum == 0) + { + packet.isSend = isSend; + packet.tsSec = tsSec; + packet.extraInfo = ""; + + BinaryReader fragDataReader = new BinaryReader(new MemoryStream(newFrag.dat_)); + 
PacketOpcode opcode = Util.readOpcode(fragDataReader); + packet.opcodes.Add(opcode); + packet.packetTypeStr = opcode.ToString(); + } - packet.netPacket.fragList_.Add(newFrag); + packet.packetHeadersStr += packetHeadersStr.ToString(); - BinaryReader fragDataReader = new BinaryReader(new MemoryStream(newFrag.dat_)); + packet.frags.Add(newFrag); - if (newFrag.memberHeader_.blobNum != 0) + if (addPacketIfFinished(results, packet)) + { + incompletePacketMap.Remove(blobID); + } + } + + if (packetReader.BaseStream.Position != packetReader.BaseStream.Length) + packet.extraInfo = "Didnt read entire packet! " + packet.extraInfo; + } + } + catch (OutOfMemoryException e) { - packetTypeStr.Append("FragData["); - packetTypeStr.Append(newFrag.memberHeader_.blobNum); - packetTypeStr.Append("]"); + //MessageBox.Show("Out of memory (packet " + curPacket + "), stopping read: " + e); + return false; } - else + catch (Exception e) { - PacketOpcode opcode = Util.readOpcode(fragDataReader); - packet.opcodes.Add(opcode); - packetTypeStr.Append(opcode); + packet.extraInfo += "EXCEPTION: " + e.Message + " " + e.StackTrace; } + + return true; + } + + private static BlobFrag readFragment(BinaryReader packetReader) + { + BlobFrag newFrag = new BlobFrag(); + newFrag.memberHeader_ = BlobFragHeader_t.read(packetReader); + newFrag.dat_ = packetReader.ReadBytes(newFrag.memberHeader_.blobFragSize - 16); // 16 == size of frag header + + return newFrag; } - private static void readOptionalHeaders(PacketRecord packet, uint header_, StringBuilder packetHeadersStr, BinaryReader packetReader) + private static int readOptionalHeaders(uint header_, StringBuilder packetHeadersStr, BinaryReader packetReader) { long readStartPos = packetReader.BaseStream.Position; 
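Review bot: In readMessageData, `packet` is still null when ProtoHeader.read, readOptionalHeaders or the first readFragment throws, so `packet.extraInfo += ...` in `catch (Exception e)` raises a NullReferenceException that replaces the original error. When `packet` is non-null it is whichever record the last fragment touched, possibly one already added to `results`, so the text can land on an unrelated message. Guarding with `if (packet != null)` avoids the secondary exception, though the error is then lost unless it is reported elsewhere. The `Didnt read entire packet!` test after the `while` cannot fire, because that loop only exits normally once Position equals Length.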
@@ -403,7 +604,7 @@ private static void readOptionalHeaders(PacketRecord packet, uint header_, Strin packetHeadersStr.Append("Flow"); } - packet.optionalHeadersLen = (int)(packetReader.BaseStream.Position - readStartPos); + return (int)(packetReader.BaseStream.Position - readStartPos); } } } diff --git a/aclogview/PacketRecord.cs b/aclogview/PacketRecord.cs index 4bf6b6c..47ff3f8 100644 --- a/aclogview/PacketRecord.cs +++ b/aclogview/PacketRecord.cs @@ -9,10 +9,11 @@ class PacketRecord public uint tsSec; public string packetHeadersStr; public string packetTypeStr; - public byte[] data; public int optionalHeadersLen; - public NetPacket netPacket; public List opcodes = new List(); public string extraInfo; + + public byte[] data; + public List frags = new List(); } } diff --git a/aclogview/Packets.cs b/aclogview/Packets.cs index 496e31a..e2ebd66 100644 --- a/aclogview/Packets.cs +++ b/aclogview/Packets.cs @@ -134,7 +134,7 @@ public class BlobFrag { //public BlobFragHeader_t hdrRead_; public BlobFragHeader_t memberHeader_; public byte[] dat_; - public NetBlob myBlob_; + //public NetBlob myBlob_; } public class NetPacket { diff --git a/aclogview/pcap.cs b/aclogview/pcap.cs index 3da4fc5..1cdc31c 100644 --- a/aclogview/pcap.cs +++ b/aclogview/pcap.cs 
@@ -43,6 +43,38 @@ public static PcapRecordHeader read(BinaryReader binaryReader) { } } +class PcapngBlockHeader { + public uint blockType; + public uint blockTotalLength; + public uint interfaceID; + public uint tsHigh; + public uint tsLow; + public uint capturedLen; + public uint packetLen; + + public static PcapngBlockHeader read(BinaryReader binaryReader) { + PcapngBlockHeader newObj = new PcapngBlockHeader(); + + newObj.blockType = binaryReader.ReadUInt32(); + newObj.blockTotalLength = binaryReader.ReadUInt32(); + + uint tsLow = 0; + uint capturedLen = 0; + if (newObj.blockType == 6) { + newObj.interfaceID = binaryReader.ReadUInt32(); + newObj.tsHigh = binaryReader.ReadUInt32(); + newObj.tsLow = binaryReader.ReadUInt32(); + newObj.capturedLen = binaryReader.ReadUInt32(); + newObj.packetLen = binaryReader.ReadUInt32(); + } else if (newObj.blockType == 3) { + newObj.packetLen = binaryReader.ReadUInt32(); + newObj.capturedLen = newObj.blockTotalLength - 16; + } + + return newObj; + } +} + class EthernetHeader { public byte[] dest; public byte[] source;
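Review bot: `PcapngBlockHeader.read` consumes 28 bytes for block type 6 and 12 for type 3, while readPcapngBlockHeader in PCapReader.cs only checks that 8 bytes remain before calling it. A capture truncated inside the last block header therefore raises EndOfStreamException, which the loader's `catch (InvalidDataException e)` does not handle, so unless a caller outside this patch catches it the load fails instead of stopping at the cut. Either raise the pre-check to the full header size for the block type or catch EndOfStreamException alongside it. The locals `uint tsLow = 0;` and `uint capturedLen = 0;` are never used and can be removed.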