📄 u_connectiontcp.pas
(*
* One Way Network Sniffer (OWNS)
* Copyright (C) 2001-2002 OWNS
*
* http://owns.sourceforge.net/
* http://www.owns.st
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*)
(*
* $Id: u_ConnectionTCP.pas,v 1.7 2002/11/02 14:05:37 owns Exp $
* Represents an active TCP connection
*
*)
unit u_ConnectionTCP;
interface
uses classes,sysutils,
u_TCPPacket,u_IPPacket,u_ConnectionHTTP, u_Filter, u_Statistics,u_DataBuffer,
u_ConnectionPop3, u_ConnectionNntp,u_FilterHttp, u_MimeTypes,u_FileStreamCapture,u_Debug;
type
// One TCP connection observed by the sniffer: the two endpoints, the
// sequence-number bookkeeping and the buffered TCP stream.
// The endpoint and sequence fields are copied from captured packets in the
// constructor, so their values are whatever appeared on the wire.
TConnectionTCP = class
private
FSourcePort : Word; // source port of the packet that created the connection
FDestPort : Word; // destination port of the packet that created the connection
FSeq0 : Cardinal; // seq number that correspond to byte 0
FLastSeq : Cardinal; // last received seq number
FIPDestAddr : IP_ADDR; // destination address, copied element 0..3 from the first packet
FIPSourceAddr : IP_ADDR; // source address, copied element 0..3 from the first packet
FNumConnection : Integer; // we attribute a number to each (0->+inf)
// NOTE(review): a value counted from midnight restarts every day; confirm that
// any idle-timeout comparison made on it by callers handles that rollover.
FLastMomentReception : Cardinal; // reception time of the last frame (in ms since 0h00)
FDataBuffer : TDataBuffer; // TCP stream
// Close handlers and stream saving; their implementations are not shown in this excerpt.
procedure ConnectionClosed;
procedure connectionHttpClosed;
procedure connectionPop3Closed;
procedure connectionNntpClosed;
procedure SaveTCPStream(p_MimeType : String);
// Getters behind the KeySrc, KeyDest and HashValue properties below.
function getKeySrc : Int64;
function getKeyDest : Int64;
function getHashValue : Int64;
public
// Creates the connection from its first captured packet and feeds that packet to addTCPPacket.
constructor create(p_NumConnection : LongInt;p_TCPPacket : TTCPPacket;p_MomentReception : Cardinal);
destructor destroy; override;
// Records the reception time and handles the packet's payload, if it has any.
procedure addTCPPacket(p_TCPPacket : TTCPPacket;p_MomentReception : Cardinal);
procedure save;
// presumably compares the packet's addresses and ports with this connection's; body not shown here
function isSameConnection(p_TCPPacket : TTCPPacket) : boolean;
// Read-only views of the private fields.
property DestPort : Word read FDestPort;
property SourcePort : Word read FSourcePort;
property IPDestAddr : IP_ADDR read FIPDestAddr;
property IPSourceAddr :IP_ADDR read FIPSourceAddr;
property LastMomentReception : Cardinal read FLastMomentReception;
// Computed values; how they are derived is not visible in this excerpt.
property KeySrc : Int64 read getKeySrc;
property KeyDest : Int64 read getKeyDest;
property HashValue : Int64 read getHashValue;
end;
implementation
////////////////////////////////////////////////////////////////////////////////
//
// TConnectionTCP
//
////////////////////////////////////////////////////////////////////////////////
// Builds the connection record from the first packet captured for it.
//   p_NumConnection   : number assigned to this connection
//   p_TCPPacket       : first packet seen; ports, addresses and the sequence
//                       number are copied from it
//   p_MomentReception : reception time of that packet, passed on to addTCPPacket
// Everything read from p_TCPPacket comes from captured traffic, so none of it
// is validated here beyond the SYN test.
constructor TConnectionTCP.create(p_NumConnection : LongInt;p_TCPPacket : TTCPPacket;p_MomentReception : Cardinal);
var
  l_Octet : Integer;
begin
  g_Statistics.nouvelleConnection;
  FDataBuffer := TDataBuffer.create;
  FNumConnection := p_NumConnection;

  // endpoints of the connection, taken from the first packet
  FSourcePort := p_TCPPacket.TCPSourcePort;
  FDestPort := p_TCPPacket.TCPDestPort;
  for l_Octet := 0 to 3 do
  begin
    FIPSourceAddr[l_Octet] := p_TCPPacket.IPSourceAddr[l_Octet];
    FIPDestAddr[l_Octet] := p_TCPPacket.IPDestAddr[l_Octet];
  end;

  // Without SYN the capture started in the middle of the stream, so the
  // sequence number of this packet is taken as byte 0. With SYN the number is
  // the ISN (Initial Sequence Number) and the first data byte has seq = ISN+1.
  // NOTE(review): for an ISN of $FFFFFFFF the +1 has to wrap to 0; whether it
  // wraps or raises depends on the overflow/range-check settings of the build,
  // which are not visible here - confirm.
  if ((p_TCPPacket.TCPFlag and TCP_FLAG_SYN) = 0) then
    FSeq0 := p_TCPPacket.TCPSeqNum
  else
    FSeq0 := p_TCPPacket.TCPSeqNum+1;
  FLastSeq := FSeq0;

  // the first packet is handled like any other one; a SYN usually has no data
  addTCPPacket(p_TCPPacket, p_MomentReception);
end;
// add a TCP packet to the connection
procedure TConnectionTCP.addTCPPacket(p_TCPPacket : TTCPPacket;p_MomentReception : Cardinal);
begin
FLastMomentReception := p_MomentReception;
if (p_TCPPacket.TCPDataLength > 0) then
begin
if (FSeq0 > p_TCPPacket.TCPSeqNum) then
begin
g_Debug.debug('FSeq0 > p_TCPPacket.TCPSeqNum','TConnectionTCP.addTCPPacket');
// asm int 3 end;
exit;
end;
// si Le seqNum est trop loin du pr閏閐ent, c'est qu'il ne s'agit en fait pas
// de la m阭e connection.
// Cela peut arriver si la connection (IP+port) a 閠