author | Luca Deri <lucaderi@users.noreply.github.com> | 2015-07-29 16:18:19 +0200 |
---|---|---|
committer | Luca Deri <lucaderi@users.noreply.github.com> | 2015-07-29 16:18:19 +0200 |
commit | 8365b127f21b72df54f782a218a7090a6a5be4df (patch) | |
tree | 700980ab44e99f2acceb20d9f016a44aeef0459e | |
parent | b0ac39fe28424fa5eb2d5069d813d6d4ccc9c4f6 (diff) | |
parent | 471ea815943089e8132840164386cd3e13e0dbbe (diff) |
Merge pull request #72 from pavel-odintsov/dev
Enhance NTP support, add protocol version identification; Add pcap ex…
-rw-r--r-- | src/include/ndpi_typedefs.h | 7 | ||||
-rw-r--r-- | src/lib/protocols/ntp.c | 13 | ||||
-rwxr-xr-x | tests/do.sh | 2 | ||||
-rw-r--r-- | tests/pcap/NTPv2.pcap | bin | 0 -> 450 bytes | |||
-rw-r--r-- | tests/pcap/NTPv3.pcap | bin | 0 -> 130 bytes | |||
-rw-r--r-- | tests/pcap/NTPv4.pcap | bin | 0 -> 130 bytes | |||
-rw-r--r-- | tests/result/NTPv2.pcap.out | 3 | ||||
-rw-r--r-- | tests/result/NTPv3.pcap.out | 3 | ||||
-rw-r--r-- | tests/result/NTPv4.pcap.out | 3 |
9 files changed, 27 insertions, 4 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 7b6b90121..8ea4650a6 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -720,7 +720,12 @@ typedef struct ndpi_flow_struct {
 u_int8_t bad_packet /* the received packet looks bad */;
 u_int16_t query_type, query_class, rsp_type;
 } dns;
-
+
+ struct {
+ u_int8_t request_code;
+ u_int8_t version;
+ } ntp;
+
 struct {
 char client_certificate[48], server_certificate[48];
 } ssl;
diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index 7b65c4c16..a0fa92a20 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -46,14 +46,23 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc
 NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP port detected\n");
- if (packet->payload_packet_len != 48)
- goto exclude_ntp;
+ // It's not correct because packets could be bigger
+ //if (packet->payload_packet_len != 48)
+ // goto exclude_ntp;
 NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP length detected\n");
 if ((((packet->payload[0] & 0x38) >> 3) <= 4)) {
 NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "detected NTP.");
+
+ // 38 in binary representation is 00111000
+ flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3;
+
+ if (flow->protos.ntp.version == 2) {
+ flow->protos.ntp.request_code = packet->payload[3];
+ }
+
 ndpi_int_ntp_add_connection(ndpi_struct, flow);
 return;
 }
diff --git a/tests/do.sh b/tests/do.sh
index 764b049f9..bbd44edc6 100755
--- a/tests/do.sh
+++ b/tests/do.sh
@@ -36,4 +36,4 @@ check_results() {
 build_results
 check_results
-exit $RC
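Review bot: The new `ntp` member's two fields are undocumented, and their meaning is only recoverable from src/lib/protocols/ntp.c in the same commit, where `version` receives `(payload[0] & 0x38) >> 3` and `request_code` receives payload byte 3 only when `version == 2`. I would annotate them in the header as `u_int8_t request_code; /* payload byte 3; only filled in for NTPv2 */` and `u_int8_t version; /* NTP VN field, bits 3-5 of payload byte 0 */` so a reader does not have to open the dissector. Whether `request_code` is zero or stale for other versions depends on how the flow struct is initialised, which is outside this hunk. The `-`/`+` pair of blank lines before `struct {` is a whitespace-only change that could be dropped from the diff.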
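Review bot: Commenting out the `payload_packet_len != 48` check leaves the reads of `packet->payload[0]` and, for version 2, `packet->payload[3]` with no visible length guard, so a port-123 datagram with fewer than 4 payload bytes would index past the end of the payload. The exclusion should be loosened rather than removed: replace the three commented lines with `if (packet->payload_packet_len < 4) goto exclude_ntp;` (the `exclude_ntp` label is outside the hunk), or keep the previous 48-byte bound as `< 48` if the dissector is only meant to classify full NTP headers — the NTPv3/NTPv4 pcaps added here are 90-byte frames, consistent with a 48-byte payload, while the NTPv2 one is 410 bytes. Dead code should be deleted rather than left commented out, and `// 38 in binary representation is 00111000` would be clearer as `// VN field: bits 3-5 of the first byte (mask 0x38)`. ndpi_search_ntp_udp starts and ends outside the hunk.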
\ No newline at end of file
+exit $RC
diff --git a/tests/pcap/NTPv2.pcap b/tests/pcap/NTPv2.pcap
Binary files differ
new file mode 100644
index 000000000..ec22e2cda
--- /dev/null
+++ b/tests/pcap/NTPv2.pcap
diff --git a/tests/pcap/NTPv3.pcap b/tests/pcap/NTPv3.pcap
Binary files differ
new file mode 100644
index 000000000..483e349af
--- /dev/null
+++ b/tests/pcap/NTPv3.pcap
diff --git a/tests/pcap/NTPv4.pcap b/tests/pcap/NTPv4.pcap
Binary files differ
new file mode 100644
index 000000000..6f91a111e
--- /dev/null
+++ b/tests/pcap/NTPv4.pcap
diff --git a/tests/result/NTPv2.pcap.out b/tests/result/NTPv2.pcap.out
new file mode 100644
index 000000000..960fbe062
--- /dev/null
+++ b/tests/result/NTPv2.pcap.out
@@ -0,0 +1,3 @@
+NTP 1 410 1
+
+ 1 UDP 78.46.76.2:80 <-> 208.104.95.10:123 [proto: 9/NTP][1 pkts/410 bytes]
diff --git a/tests/result/NTPv3.pcap.out b/tests/result/NTPv3.pcap.out
new file mode 100644
index 000000000..91d817e5e
--- /dev/null
+++ b/tests/result/NTPv3.pcap.out
@@ -0,0 +1,3 @@
+NTP 1 90 1
+
+ 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 9/NTP][1 pkts/90 bytes]
diff --git a/tests/result/NTPv4.pcap.out b/tests/result/NTPv4.pcap.out
new file mode 100644
index 000000000..fba0fd419
--- /dev/null
+++ b/tests/result/NTPv4.pcap.out
@@ -0,0 +1,3 @@
+NTP 1 90 1
+
+ 1 UDP 78.46.76.11:123 <-> 85.22.62.120:123 [proto: 9/NTP][1 pkts/90 bytes] |