diff options
| author | Luca Deri <deri@ntop.org> | 2022-06-08 09:11:22 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-06-08 09:11:22 +0200 |
| commit | 11babc7ea33ff1d088aaeb3a1a196df25cb6b779 (patch) | |
| tree | 90fd459b671333d2e251855b22388a501195f445 | |
| parent | bb3c2e82de91860808ca79e43a3bbe09a1c39298 (diff) | |
Added Pragmatic General Multicast (PGM) protocol detection
| -rw-r--r-- | src/include/ndpi_define.h.in | 1 | ||||
| -rw-r--r-- | src/include/ndpi_protocol_ids.h | 1 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 8 | ||||
| -rw-r--r-- | src/lib/protocols/non_tcp_udp.c | 12 | ||||
| -rw-r--r-- | tests/pcap/pgm.pcap | bin | 0 -> 212326 bytes | |||
| -rw-r--r-- | tests/result/pgm.pcap.out | 8 | ||||
| -rw-r--r-- | tests/result/synscan.pcap.out | 4 |
7 files changed, 31 insertions, 3 deletions
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index b1b6a7599..8ec960dd3 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in @@ -296,6 +296,7 @@ #define NDPI_SCTP_PROTOCOL_TYPE 132 #define NDPI_IPIP_PROTOCOL_TYPE 0x04 #define NDPI_ICMPV6_PROTOCOL_TYPE 0x3a +#define NDPI_PGM_PROTOCOL_TYPE 0x71 #define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 29e87b277..b12180cf7 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -324,6 +324,7 @@ typedef enum { NDPI_PROTOCOL_GOTO = 293, /* GoTo products, mainly GoToMeeting */ NDPI_PROTOCOL_RSH = 294, NDPI_PROTOCOL_1KXUN = 295, + NDPI_PROTOCOL_IP_PGM = 296, #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 9be024642..044b93739 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1294,6 +1294,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp "EGP", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_PGM, + "PGM", NDPI_PROTOCOL_CATEGORY_NETWORK, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_SCTP, "SCTP", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, @@ -3128,6 +3132,9 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_str, case NDPI_GRE_PROTOCOL_TYPE: return(NDPI_PROTOCOL_IP_GRE); break; + case NDPI_PGM_PROTOCOL_TYPE: + return(NDPI_PROTOCOL_IP_PGM); + break; case NDPI_ICMP_PROTOCOL_TYPE: if(flow) { flow->entropy = 0.0f; @@ -4942,7 +4949,6 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str, /* ************************************************ */ - void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { if(!flow) { diff --git a/src/lib/protocols/non_tcp_udp.c b/src/lib/protocols/non_tcp_udp.c index 8d078731b..50e3a949b 100644 --- a/src/lib/protocols/non_tcp_udp.c +++ b/src/lib/protocols/non_tcp_udp.c @@ -73,6 +73,10 @@ void ndpi_search_in_non_tcp_udp(struct ndpi_detection_module_struct set_protocol_and_bmask(NDPI_PROTOCOL_IP_SCTP); break; + case NDPI_PGM_PROTOCOL_TYPE: + set_protocol_and_bmask(NDPI_PROTOCOL_IP_PGM); + break; + case NDPI_OSPF_PROTOCOL_TYPE: set_protocol_and_bmask(NDPI_PROTOCOL_IP_OSPF); break; @@ -146,6 +150,14 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct ADD_TO_DETECTION_BITMASK); *id += 1; + ndpi_set_bitmask_protocol_detection("IP_PGM", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_IP_PGM, + ndpi_search_in_non_tcp_udp, + NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6, + NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + *id += 1; + ndpi_set_bitmask_protocol_detection("IP_OSPF", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_IP_OSPF, ndpi_search_in_non_tcp_udp, diff --git a/tests/pcap/pgm.pcap b/tests/pcap/pgm.pcap Binary files differnew file mode 100644 index 000000000..93b0b350f --- /dev/null +++ b/tests/pcap/pgm.pcap diff --git a/tests/result/pgm.pcap.out b/tests/result/pgm.pcap.out new file mode 100644 index 000000000..46e5d0ad7 --- /dev/null +++ b/tests/result/pgm.pcap.out @@ -0,0 +1,8 @@ +Guessed flow protos: 0 + +DPI Packets (other): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) + +PGM 1000 196302 1 + + 1 113 10.244.64.154:0 -> 235.0.1.47:0 [proto: 296/PGM][ClearText][Confidence: DPI][cat: Network/14][1000 pkts/196302 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][78.91 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 78/0 1479/0 169/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 196/0 1344/0 201/0][PLAIN TEXT (PORTFOLIO)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/synscan.pcap.out b/tests/result/synscan.pcap.out index 9e58b4f7c..49e026cac 100644 --- a/tests/result/synscan.pcap.out +++ b/tests/result/synscan.pcap.out @@ -104,7 +104,7 @@ iSCSI 2 116 2 43 TCP 172.16.0.8:36050 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 44 TCP 172.16.0.8:36050 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 45 TCP 172.16.0.8:36050 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 296/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 46 TCP 172.16.0.8:36050 -> 64.13.134.52:3260 [proto: 297/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 47 TCP 172.16.0.8:36050 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 48 TCP 172.16.0.8:36050 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 49 TCP 172.16.0.8:36050 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] @@ -165,7 +165,7 @@ iSCSI 2 116 2 104 TCP 172.16.0.8:36051 -> 64.13.134.52:2605 [proto: 13/BGP][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 105 TCP 172.16.0.8:36051 -> 64.13.134.52:3000 [proto: 26/ntop][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 106 TCP 172.16.0.8:36051 -> 64.13.134.52:3128 [proto: 131/HTTP_Proxy][ClearText][Confidence: Match by port][cat: Web/5][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 296/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 107 TCP 172.16.0.8:36051 -> 64.13.134.52:3260 [proto: 297/iSCSI][ClearText][Confidence: Match by port][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 108 TCP 172.16.0.8:36051 -> 64.13.134.52:3306 [proto: 20/MySQL][ClearText][Confidence: Match by port][cat: Database/11][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 109 TCP 172.16.0.8:36051 -> 64.13.134.52:3389 [proto: 88/RDP][ClearText][Confidence: Match by port][cat: RemoteAccess/12][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Risk: ** Desktop/File Sharing **][Risk Score: 10][Risk Info: Found RDP][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 110 TCP 172.16.0.8:36051 -> 64.13.134.52:4343 [proto: 170/Whois-DAS][ClearText][Confidence: Match by port][cat: Network/14][1 pkts/58 bytes -> 0 pkts/0 bytes][Goodput ratio: 0/0][< 1 sec][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |