SQLNA Fixed the firewall parser

Author: Malcolm-Stewart

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo

@@ -97,10 +97,16 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
             bool f_Wifi = ((rawData->EventHeader.Keyword) & 0x100) != 0;        // process Wi-Fi events - not yet implemented
             Guid gu = (&rawData->EventHeader)->ProviderId;
             ushort eventID = rawData->EventHeader.Id;
+            ushort WFPFragmentEventType = 0;              // WFP fragments need to remove the fragment header in event type 2000
+            uint WFPFragmentGroup = 0;                    // all fragments of the same packet have the same group number
+            uint WFPFragmentLength = 0;                   // this is 10 less than the user payload length as header is 10 bytes in length
+            bool WFPIncoming = ((rawData->EventHeader.Keyword) & 0x100000000) != 0;  // only take incoming packets and reject outgoing ones 0x200000000
             Frame f = null;
             PartialFrame pf = null;
             byte[] userData = null;
 
+            short arrayOffset = gu == PKTMON || gu == WFP ? (short)0 : NDIS_HEADER_LENGTH;  // we want the pktmon header to be part of the data, not so with the NDIS/wfp header
+
             // Debug.WriteLine($"TraceEvent_EventCallback: Frame:{m_eventCount + 1}, ProviderID: {gu}, NDIS: {NDIS}, PKTMON: {PKTMON}");
 
             if (gu != NDIS && gu != PKTMON && gu != WFP)
@@ -130,14 +136,16 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
 
             if (gu == WFP)
             {
-                if (eventID != 60011 && eventID != 60012 && eventID != 60021 && eventID != 60022)
+                if (eventID != 60011 && eventID != 60012 && eventID != 60021 && eventID != 60022 && eventID != 2000)  // 2000 is a fragmented packet, needs special handling
+                {
+                    m_eventCount++; // Track the count
+                    return;
+                }
+                if (!WFPIncoming)  // easier to disable than if combined with the conditions above
                 {
                     m_eventCount++; // Track the count
                     return;
                 }
-                // Only preocess PKTMON events that contain a network payload
-                f_start = true;   // Are these set for WFP captures?
-                f_end = true;
                 // Debug.WriteLine($"TraceEvent_EventCallback: It's a WFP event.");
             }
 
@@ -156,13 +164,22 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
                     // Program.logDiagnostic("Lost end of partial frame " + pf.f.frameNumber + " (PID=" + pf.ProcessID + ", TID=" + pf.ThreadID + ").");
                     // Console.WriteLine("Lost end of partial frame " + pf.f.frameNumber + " (PID=" + pf.ProcessID + ", TID=" + pf.ThreadID + ").");
                 }
-                short arrayOffset = gu == PKTMON || gu == WFP ? (short)0 : NDIS_HEADER_LENGTH;  // we want the pktmon/wfp header to be part of the data, not so with the NDIS header
                 f = new Frame();
                 f.frameNumber = m_eventCount;
                 f.ticks = m_sessionStartTime.Ticks + ((long)(((rawData->EventHeader).TimeStamp - FirstTimeStamp) * 10000000 / m_QPCFreq));
                 userData = new byte[rawData->UserDataLength - arrayOffset];
                 var x = ((byte*)rawData->UserData);
-                for (int i = 0; i < userData.Length; i++) userData[i] = x[i + arrayOffset];
+                for (int i = 0; i < userData.Length; i++) userData[i] = x[i + arrayOffset];  // move bytes over
+
+                if (gu == WFP && eventID == 2000)  // fragmented WFP packet
+                {
+                    WFPFragmentEventType = utility.ReadUInt16(userData, 0);
+                    WFPFragmentGroup = utility.ReadUInt32(userData, 2);
+                    WFPFragmentLength = utility.ReadUInt32(userData, 6);
+                    byte[] temp = new byte[userData.Length - 10];
+                    Array.Copy(userData, 10, temp, 0, temp.Length);  // copies from userData[10..userData.Length-1] to temp [0..temp.Length-11]
+                    userData = temp;
+                }
                 f.length = userData.Length;
                 f.frameLength = (uint)userData.Length;
                 f.bytesAvailable = (uint)userData.Length;
@@ -178,10 +195,10 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
                 if (gu == WFP)
                 {
                     f.isWFP = true;
-                    f.EventType = eventID;
+                    f.EventType = eventID == 2000 ? WFPFragmentEventType : eventID;  // use eventID for non-fragmented events and WFPFragmentEventType for fragmented ones
                 }
 
-                if (f_end) // add Frame to FrameBuffer directly
+                if (f_end) // add Frame to FrameBuffer directly - no fragmentation
                 {
                     lock (FrameBuffer)
                     {
@@ -211,9 +228,20 @@ private void TraceEvent_EventCallback(TraceEventInterop.EVENT_RECORD* rawData)
                     return;
                 }
 
-                userData = new byte[rawData->UserDataLength - NDIS_HEADER_LENGTH];
+                userData = new byte[rawData->UserDataLength - arrayOffset];
                 var x = ((byte*)rawData->UserData);
-                for (int i = 0; i < userData.Length; i++) userData[i] = x[i + NDIS_HEADER_LENGTH];
+                for (int i = 0; i < userData.Length; i++) userData[i] = x[i + arrayOffset];
+
+                if (gu == WFP && eventID == 2000)  // fragmented WFP packet
+                {
+                    WFPFragmentEventType = utility.ReadUInt16(userData, 0);
+                    WFPFragmentGroup = utility.ReadUInt32(userData, 2);
+                    WFPFragmentLength = utility.ReadUInt32(userData, 6);
+                    byte[] temp = new byte[userData.Length - 10];
+                    Array.Copy(userData, 10, temp, 0, temp.Length);  // copies from userData[10..userData.Length-1] to temp [0..temp.Length-11]
+                    userData = temp;
+                }
+
                 pf.f.length += userData.Length;
                 pf.f.frameLength += (uint)userData.Length;
                 pf.f.bytesAvailable += (uint)userData.Length;

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide

@@ -667,6 +667,9 @@ public static void ParseWFPFrame(byte[] b, int offset, NetworkTrace t, FrameData
                             ushort DPort = utility.B2UInt16(b, offset + 2);
                             ConversationData c = t.GetIPV4Conversation(sourceIP, SPort, destIP, DPort);  // adds conversation if new
 
+                            // Is the Frame from Client or Server? This may be reversed later in ReverseBackwardConversations.
+                            if (sourceIP == c.sourceIP && SPort == c.sourcePort) f.isFromClient = true;
+
                             //
                             // What:   Determine whether the TCP client port has rolled around and is re-used and this should be a new conversation
                             //
@@ -711,9 +714,6 @@ public static void ParseWFPFrame(byte[] b, int offset, NetworkTrace t, FrameData
                             }
                             f.conversation = c;
                             c.AddFrame(f, t);  // optionally add to the NetworkTrace frames collection, too
-
-                            // Is the Frame from Client or Server? This may be reversed later in ReverseBackwardConversations.
-                            if (sourceIP == c.sourceIP) f.isFromClient = true;
                         }
 
                         ParseNextProtocol(NextProtocol, b, offset, t, f);
@@ -723,13 +723,13 @@ public static void ParseWFPFrame(byte[] b, int offset, NetworkTrace t, FrameData
                 case 60021: // WFP MessageV6
                 case 60022: // WFP Message2V6
                     {
-                        ulong sourceIPHi = utility.B2UInt64(b, offset);                   offset += 4;
-                        ulong sourceIPLo = utility.B2UInt64(b, offset);                   offset += 4;
-                        ulong destIPHi = utility.B2UInt64(b, offset);                     offset += 4;
-                        ulong destIPLo = utility.B2UInt64(b, offset);                     offset += 4;
+                        ulong sourceIPHi = utility.B2UInt64(b, offset);                   offset += 8;
+                        ulong sourceIPLo = utility.B2UInt64(b, offset);                   offset += 8;
+                        ulong destIPHi = utility.B2UInt64(b, offset);                     offset += 8;
+                        ulong destIPLo = utility.B2UInt64(b, offset);                     offset += 8;
                         byte NextProtocol = b[offset];                                    offset++;        // TCP = 6    UDP = 0x11 (17)
                         if (eventID == 60022) offset += 8;                                                 // bypass FlowContext field in the Message2V4 record
-                        short payloadLength = (short)utility.B2UInt16(b, offset);         offset += 2;
+                        short payloadLength = (short)utility.ReadUInt16(b, offset);       offset += 2;
 
                         // determine the last element of b[] that contains IP64 data - also the last byte of TCP payload - ethernet may extend beyond this
                         if (payloadLength == 0)
@@ -747,6 +747,9 @@ public static void ParseWFPFrame(byte[] b, int offset, NetworkTrace t, FrameData
                             ushort DPort = utility.B2UInt16(b, offset + 2);
                             ConversationData c = t.GetIPV6Conversation(sourceIPHi, sourceIPLo, SPort, destIPHi, destIPLo, DPort);  // adds conversation if new
 
+                            // Is the Frame from Client or Server? This may be reversed later in ReverseBackwardConversations.
+                            if (sourceIPHi == c.sourceIPHi && sourceIPLo == c.sourceIPLo && SPort == c.sourcePort) f.isFromClient = true;
+
                             //
                             // What:   Determine whether the TCP client port has rolled around and is re-used and this should be a new conversation
                             //
@@ -791,9 +794,6 @@ public static void ParseWFPFrame(byte[] b, int offset, NetworkTrace t, FrameData
                             }
                             f.conversation = c;
                             c.AddFrame(f, t);  // optionally add to the NetworkTrace frames collection, too
-
-                            // Is the Frame from Client or Server? This may be reversed later in ReverseBackwardConversations.
-                            if (sourceIPHi == c.sourceIPHi && sourceIPLo == c.sourceIPLo) f.isFromClient = true;
                         }
 
                         ParseNextProtocol(NextProtocol, b, offset, t, f);
@@ -1200,6 +1200,9 @@ public static void ParseIPV4Frame(byte[] b, int offset, NetworkTrace t, FrameDat
                 DPort = utility.B2UInt16(b, offset + HeaderLength + 2);
                 ConversationData c = t.GetIPV4Conversation(sourceIP, SPort, destIP, DPort);  // adds conversation if new
 
+                // Is the Frame from Client or Server? This may be reversed later in ReverseBackwardConversations.
+                if (sourceIP == c.sourceIP && SPort == c.sourcePort) f.isFromClient = true;
+
                 //
                 // Purpose: Do not record duplicate frames unless it has a PktmonData record associated with it
                 //
@@ -1219,7 +1222,7 @@ public static void ParseIPV4Frame(byte[] b, int offset, NetworkTrace t, FrameDat
 
                 int backCount = 0;
 
-                if (f.pktmon == null)  // we want to see the pktmon trace points
+                if (f.pktmon == null)  // we want to avoid the pktmon trace points
                 {
                     for (int j = c.frames.Count - 1; j >= 0; j--) // look in descending order for the same Packet ID number
                     {
@@ -1282,8 +1285,6 @@ public static void ParseIPV4Frame(byte[] b, int offset, NetworkTrace t, FrameDat
                 f.conversation = c;
                 c.AddFrame(f, t);  // optionally add to the NetworkTrace frames collection, too
 
-                // Is the Frame from Client or Server? This may be reversed later in ReverseBackwardConversations.
-                if (sourceIP == c.sourceIP) f.isFromClient = true;
              }
 
             ParseNextProtocol(NextProtocol, b, offset + HeaderLength, t, f);
@@ -1346,6 +1347,10 @@ public static void ParseIPV6Frame(byte[] b, int offset, NetworkTrace t, FrameDat
                 SPort = utility.B2UInt16(b, offset + HeaderLength);
                 DPort = utility.B2UInt16(b, offset + HeaderLength + 2);
                 ConversationData c = t.GetIPV6Conversation(sourceIPHi, sourceIPLo, SPort, destIPHi, destIPLo, DPort);
+
+                //Is the Frame from Client or Server?
+                if (sourceIPHi == c.sourceIPHi && sourceIPLo == c.sourceIPLo && SPort == c.sourcePort) f.isFromClient = true;
+
                 //
                 // Determine whether the TCP client port has rolled around and this should be a new conversation
                 //
@@ -1384,10 +1389,6 @@ public static void ParseIPV6Frame(byte[] b, int offset, NetworkTrace t, FrameDat
                 }
                 f.conversation = c;
                 c.AddFrame(f, t);
-
-                //Is the Frame from Client or Server?
-                if (sourceIPHi == c.sourceIPHi && sourceIPLo == c.sourceIPLo)
-                    f.isFromClient = true;
             }
 
             ParseNextProtocol(NextProtocol, b, offset + HeaderLength, t, f);

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm

@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.5.1963.0")]
-[assembly: AssemblyFileVersion("1.5.1963.0")]
+[assembly: AssemblyVersion("1.5.1974.0")]
+[assembly: AssemblyFileVersion("1.5.1974.0")]