diff --git a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo
index a7ef14d..16f1bf4 100644
Binary files a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo and b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo differ
diff --git a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide
index 810eca8..de59ed6 100644
Binary files a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide and b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide differ
diff --git a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm
index c818ced..4434da7 100644
Binary files a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm and b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm differ
diff --git a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal
index f419838..70d0079 100644
Binary files a/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal and b/SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal differ
diff --git a/SQL_Network_Analyzer/SQLNA/OutputText.cs b/SQL_Network_Analyzer/SQLNA/OutputText.cs
index 337e088..5883d78 100644
--- a/SQL_Network_Analyzer/SQLNA/OutputText.cs
+++ b/SQL_Network_Analyzer/SQLNA/OutputText.cs
@@ -1748,7 +1748,7 @@ private static void DisplayDelayedLogins(NetworkTrace Trace)
 // if we have login failures, was the total duration more than 2 seconds
 long duration = ((FrameData)c.frames[c.frames.Count - 1]).ticks - ((FrameData)c.frames[0]).ticks;
- if (c.hasLoginFailure && duration < 2 * utility.TICKS_PER_SECOND) continue;
+ if (!c.hasLoginFailure || duration < 2 * utility.TICKS_PER_SECOND) continue;
 // if we are encrypted, was the time up until the Login packet greater than 2 seconds?
 // the packets after that are all encrypted, so we can't reliably time them
diff --git a/SQL_Network_Analyzer/SQLNA/Parser.cs b/SQL_Network_Analyzer/SQLNA/Parser.cs
index fbe563f..f6a1985 100644
--- a/SQL_Network_Analyzer/SQLNA/Parser.cs
+++ b/SQL_Network_Analyzer/SQLNA/Parser.cs
@@ -323,10 +323,14 @@ public static void ParseOneFile(string filePath, NetworkTrace t)
 }
 break;
 }
- }
 break;
 }
+ case 276:
+ {
+ ParseLinuxCookedFramev2(frame.data, 0, t, f);
+ break;
+ }
 case 0x0071: // Linux Cooked Capture - no MAC addresses, just IP and higher protocols
 case 0xE071: // Linux Cooked Capture - no MAC addresses, just IP and higher protocols
 {
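Review bot: The comment two lines above the changed condition (`// if we have login failures, was the total duration more than 2 seconds`) no longer describes the new test: with `!c.hasLoginFailure ||` the loop now skips every conversation that has no login failure, not only the short failing ones, so a login that was delayed but eventually succeeded is never reported by DisplayDelayedLogins. If that is the intent, say so in the comment, e.g. `// only report conversations with a login failure whose total duration was 2+ seconds`; if it is not, the `!c.hasLoginFailure` clause needs another look. DisplayDelayedLogins continues on both sides of the hunk.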
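Review bot: The new `case 276:` is the only link-type case in this switch without an explanatory comment and the only one written in decimal, while the neighbouring `case 0x0071:` and `case 0xE071:` document what they are; write it as `case 276: // LINKTYPE_LINUX_SLL2 - Linux Cooked Capture v2, optional MAC address` (or as `0x0114` for consistency with the other cases). The hunk also removes a lone `}` before `break;` with no corresponding change to an opening brace visible here, so it is worth confirming the enclosing switch still nests as intended rather than trusting the diff alignment. ParseOneFile extends beyond the hunk on both sides.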
@@ -524,8 +528,86 @@ public static void ParseLinuxCookedFrame(byte[] b, int offset, NetworkTrace t, F
 if (f.conversation != null)
 {
- f.conversation.sourceMAC = sourceMAC;
- f.conversation.destMAC = destMAC;
+ if (sourceMAC != 0) f.conversation.sourceMAC = sourceMAC;
+ if (destMAC != 0) f.conversation.destMAC = destMAC;
+ // statistical gathering
+ if (f.conversation.startTick == 0 || f.ticks < f.conversation.startTick)
+ {
+ f.conversation.startTick = f.ticks;
+ }
+ if (f.conversation.endTick < f.ticks) f.conversation.endTick = f.ticks;
+ if (f.isFromClient) f.conversation.sourceFrames++; else f.conversation.destFrames++;
+ }
+ }
+
+ public static void ParseLinuxCookedFramev2(byte[] b, int offset, NetworkTrace t, FrameData f)
+ {
+ ushort NextProtocol = 0; // IPV4 = 0x0800 (2048) IPV6 = 0x86DD (34525)
+ UInt32 InterfaceIndex = 0; // where does this packet come from
+ UInt16 AddressType = 0; // we just want 0 or 1 = Ethernet or 772 = loopback - we can largely ignore that; use the NextProtocol, instead
+ byte PacketType = 0; // we just want 0=Incoming and 4=Outgoing
+ byte AddressLength = 0; // we can read MAC address if length = 6
+ ulong sourceMAC = 0;
+ ulong destMAC = 0;
+
+ NextProtocol = utility.B2UInt16(b, offset);
+ offset += 2;
+
+ // skip unnamed/unused bytes
+ offset += 2;
+
+ InterfaceIndex = utility.B2UInt32(b, offset);
+ offset += 4;
+
+ AddressType = utility.B2UInt16(b, offset);
+ if (AddressType != 0 && AddressType != 1 && AddressType != 772) return;
+ offset += 2;
+
+ PacketType = b[offset];
+ if (PacketType != 0 && PacketType != 4) return;
+ offset++;
+
+ AddressLength = b[offset];
+ offset++;
+
+ switch (AddressLength)
+ {
+ case 6:
+ {
+ if (PacketType == 0)
+ {
+ sourceMAC = utility.B2UInt48(b, offset);
+ }
+ else
+ {
+ destMAC = utility.B2UInt48(b, offset);
+ }
+ offset += 8; // ignore implementation-specific data of 2 bytes
+ break;
+ }
+ default:
+ {
+ offset += 8; // data is always 8 in length, address + remainder bytes
+ break;
+ }
+ }
+
+
+ try
+ {
+ ParseNextProtocol(NextProtocol, b, offset, t, f);
+ }
+ catch (IndexOutOfRangeException)
+ {
+ if (f.conversation != null) f.conversation.truncationErrorCount++;
+ }
+ catch { throw; }
+
+ if (f.conversation != null)
+ {
+ if (sourceMAC != 0) f.conversation.sourceMAC = sourceMAC;
+ if (destMAC != 0) f.conversation.destMAC = destMAC;
 // statistical gathering
 if (f.conversation.startTick == 0 || f.ticks < f.conversation.startTick)
 {
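Review bot: The fixed 20-byte SLL2 header is read (`utility.B2UInt16`, `utility.B2UInt32`, `b[offset]`, `utility.B2UInt48`) before the `try` that guards `ParseNextProtocol`, so a truncated frame in the capture file raises `IndexOutOfRangeException` out of ParseLinuxCookedFramev2 instead of being counted as a truncation like the payload case below it; a guard at the top, `if (offset + 20 > b.Length) return; // SLL2 header: proto(2) reserved(2) ifindex(4) hatype(2) pkttype(1) halen(1) addr(8)`, keeps a malformed capture from aborting the parse (if `f.conversation` is only assigned inside ParseNextProtocol, as the null check after it suggests, the truncation counter is not available yet at that point). `InterfaceIndex` is read but never used, and `catch { throw; }` is a no-op rethrow that can be dropped. The early returns on an unexpected `AddressType` or `PacketType` drop the frame without any accounting, which makes capture-format problems hard to diagnose from the report.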