authorLuca Deri <deri@ntop.org>2016-03-04 22:13:37 +0100
committerLuca Deri <deri@ntop.org>2016-03-04 22:13:37 +0100
commit7ea37edfbf2a603faedfb8c4e174446bbbd79d8c (patch)
treefb637709cd6d9f91f36aef3eacff0fa9b9389bd2
parent462368f959daf9ffc72fc0fd91ef62a03487354c (diff)
Improved protocol detection
-rw-r--r--example/ndpiReader.c5
-rw-r--r--src/lib/ndpi_main.c15
-rw-r--r--tests/result/whatsapp_login_call.pcap.out106
3 files changed, 67 insertions, 59 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 037b194d2..082871346 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -1086,7 +1086,10 @@ static unsigned int packet_processing(u_int16_t thread_id,
snprintf(flow->ssl.client_certificate, sizeof(flow->ssl.client_certificate), "%s", flow->ndpi_flow->protos.ssl.client_certificate);
snprintf(flow->ssl.server_certificate, sizeof(flow->ssl.server_certificate), "%s", flow->ndpi_flow->protos.ssl.server_certificate);
}
-
+
+ if(flow->detected_protocol.protocol == NDPI_PROTOCOL_UNKNOWN)
+ flow->detected_protocol = ndpi_detection_giveup(ndpi_thread_info[thread_id].ndpi_struct, flow->ndpi_flow);
+
free_ndpi_flow(flow);
if(verbose > 1) {
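Review bot: The value stored by the added `ndpi_detection_giveup()` call is a fallback guess, yet it is written into the same `flow->detected_protocol` field that holds a real dissector match, so nothing downstream can tell the two apart. The updated fixture in this commit shows the effect: two UDP flows that were `0/Unknown` are now printed as plain `78/STUN`. A guess presumably derives from ports or addresses, which the sender chooses, so it is weaker evidence than a payload match for anyone reading the output in an investigation. Consider recording the distinction in the flow record, or at least commenting the call: `/* detection gave up: the protocol below is a guess, not a dissector match */`. The enclosing block of packet_processing starts and ends outside the hunk.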
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index cffdc65bf..0d1c21c9e 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1161,8 +1161,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SIP,
no_master,
no_master, "SIP",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 5060, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 5060, 5061, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 5060, 5061, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TRUPHONE,
no_master,
no_master, "TruPhone",
@@ -3196,10 +3196,16 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
struct ndpi_flow_struct *flow) {
ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN };
+ /* TODO: add the remaining stage_XXXX protocols */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
if(flow->http_detected)
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
- else {
+ else if((flow->packet.l4_protocol == IPPROTO_TCP) && (flow->l4.tcp.ssl_stage > 1)) {
+ if(flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
+ ndpi_int_change_protocol(ndpi_struct, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_SSL);
+ else
+ ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN);
+ } else {
flow->detected_protocol_stack[1] = flow->guessed_protocol_id, flow->detected_protocol_stack[0] = flow->guessed_host_protocol_id;
if(flow->detected_protocol_stack[1] == flow->detected_protocol_stack[0])
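Review bot: The new `ssl_stage > 1` branch labels the flow from `flow->guessed_protocol_id` alone and never consults `flow->guessed_host_protocol_id`, which the final `else` branch right after it does use. A TCP flow with a partly seen TLS handshake may therefore lose a host-based label it would have received before this change; if that is intended, a comment should say so. The threshold is also undocumented, so a short comment stating which handshake state `ssl_stage > 1` represents would let a reader judge how much of the handshake backs the SSL label. The added TODO could name the stage fields it refers to. The function body continues past the end of the hunk.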
@@ -3911,6 +3917,9 @@ void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int16_t upper_detected_protocol,
u_int16_t lower_detected_protocol) {
+ if(upper_detected_protocol == lower_detected_protocol)
+ lower_detected_protocol = NDPI_PROTOCOL_UNKNOWN;
+
ndpi_int_change_flow_protocol(ndpi_struct, flow, upper_detected_protocol, lower_detected_protocol);
ndpi_int_change_packet_protocol(ndpi_struct, flow, upper_detected_protocol, lower_detected_protocol);
}
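Review bot: The equality check added at the top of `ndpi_int_change_protocol()` has no comment saying why it exists, and it only protects callers that go through this wrapper. Within this commit it appears to serve the new giveup branch, which passes `flow->guessed_protocol_id` together with `NDPI_PROTOCOL_SSL` and so can supply the same id twice. A line such as `/* a protocol cannot be its own master: collapse X.X to X */` above the `if` would record that. Code that calls `ndpi_int_change_flow_protocol()` or `ndpi_int_change_packet_protocol()` directly would bypass the normalisation, and the giveup fallback still does its own equality test on `detected_protocol_stack`. It is worth confirming whether the check belongs in those lower-level functions instead.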
diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out
index 786c342c5..fd2edb823 100644
--- a/tests/result/whatsapp_login_call.pcap.out
+++ b/tests/result/whatsapp_login_call.pcap.out
@@ -1,8 +1,7 @@
-Unknown 27 2322 2
HTTP 11 726 3
MDNS 8 952 4
DHCP 10 3420 1
-STUN 70 9464 14
+STUN 97 11786 16
ICMP 10 700 1
SSL 8 589 2
DropBox 4 2176 1
@@ -19,56 +18,53 @@ WhatsAppVoice 706 91156 4
5 UDP 173.252.114.1:3478 <-> 192.168.2.4:52794 [proto: 78/STUN][5 pkts/676 bytes]
6 UDP 192.168.2.1:53 <-> 192.168.2.4:51897 [proto: 5.140/DNS.Apple][2 pkts/330 bytes][Host: query.ess.apple.com]
7 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 8 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 9 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 10 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 11 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 12 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 13 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 14 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.145/SSL.AppleiTunes][32 pkts/9705 bytes][SSL client: p53-buy.itunes.apple.com]
- 15 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/SSL][5 pkts/391 bytes]
- 16 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 18 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 19 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 20 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 22 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 23 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 189/WhatsAppVoice][24 pkts/4825 bytes]
- 24 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 25 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 27 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 28 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 189/WhatsAppVoice][20 pkts/2993 bytes]
- 29 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78/STUN][5 pkts/676 bytes]
- 30 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][3 pkts/198 bytes]
- 31 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/SSL][3 pkts/198 bytes]
- 32 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][10 pkts/3420 bytes]
- 33 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][464 pkts/52920 bytes]
- 34 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][180 pkts/24874 bytes]
- 35 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][3 pkts/258 bytes]
- 36 UDP 192.168.2.1:53 <-> 192.168.2.4:52190 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e13.whatsapp.net]
- 37 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][3 pkts/198 bytes]
- 38 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 39 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 40 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 41 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 42 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 43 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][38 pkts/17220 bytes][SSL client: query.ess.apple.com]
- 44 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 45 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 46 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 47 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
- 48 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/SSL.Apple][3 pkts/198 bytes]
- 49 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.145/SSL.AppleiTunes][53 pkts/18382 bytes][SSL client: p53-buy.itunes.apple.com]
- 50 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][17 pkts/1998 bytes]
- 51 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][22 pkts/5926 bytes]
- 52 UDP 169.254.166.207:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes]
- 53 UDP 192.168.2.1:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes]
- 54 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][5 pkts/330 bytes]
- 55 UDP [fe80::c42c:3ff:fe60:6a64]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes]
-
-
-Undetected flows:
- 1 UDP 192.168.2.4:51518 <-> 1.194.90.191:60312 [proto: 0/Unknown][15 pkts/1290 bytes]
- 2 UDP 192.168.2.4:52794 <-> 1.194.90.191:51727 [proto: 0/Unknown][12 pkts/1032 bytes]
+ 8 UDP 192.168.2.4:51518 <-> 1.194.90.191:60312 [proto: 78/STUN][15 pkts/1290 bytes]
+ 9 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 10 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 11 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 12 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 13 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 14 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 15 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.145/SSL.AppleiTunes][32 pkts/9705 bytes][SSL client: p53-buy.itunes.apple.com]
+ 16 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/SSL][5 pkts/391 bytes]
+ 17 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 18 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 19 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 21 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 22 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 23 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 24 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 189/WhatsAppVoice][24 pkts/4825 bytes]
+ 25 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 26 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 27 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 28 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 29 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 189/WhatsAppVoice][20 pkts/2993 bytes]
+ 30 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78/STUN][5 pkts/676 bytes]
+ 31 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][3 pkts/198 bytes]
+ 32 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/SSL][3 pkts/198 bytes]
+ 33 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][10 pkts/3420 bytes]
+ 34 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][464 pkts/52920 bytes]
+ 35 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][180 pkts/24874 bytes]
+ 36 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][3 pkts/258 bytes]
+ 37 UDP 192.168.2.1:53 <-> 192.168.2.4:52190 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e13.whatsapp.net]
+ 38 UDP 192.168.2.4:52794 <-> 1.194.90.191:51727 [proto: 78/STUN][12 pkts/1032 bytes]
+ 39 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][3 pkts/198 bytes]
+ 40 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 41 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 42 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 43 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 44 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 45 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][38 pkts/17220 bytes][SSL client: query.ess.apple.com]
+ 46 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 47 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 48 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 49 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][3 pkts/162 bytes]
+ 50 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/SSL.Apple][3 pkts/198 bytes]
+ 51 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.145/SSL.AppleiTunes][53 pkts/18382 bytes][SSL client: p53-buy.itunes.apple.com]
+ 52 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][17 pkts/1998 bytes]
+ 53 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][22 pkts/5926 bytes]
+ 54 UDP 169.254.166.207:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes]
+ 55 UDP 192.168.2.1:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes]
+ 56 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][5 pkts/330 bytes]
+ 57 UDP [fe80::c42c:3ff:fe60:6a64]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes]