author | Toni <matzeton@googlemail.com> | 2022-08-30 11:21:58 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-30 11:21:58 +0200 |
commit | fe28d55801e589bdf74c32948002b797959bf0bd (patch) | |
tree | fd76a9368befb987a02c151c490a366d2da8d6e8 | |
parent | 79653f99e051500b6a41e2d59143c20b1322f8d2 (diff) |
Improved MGCP dissector. (#1717)
* typ0s fixed
* dissect endpoint hostnames
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/include/ndpi_protocols.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/mgcp.c | 41 | ||||
-rw-r--r--[-rwxr-xr-x] | tests/pcap/mgcp.pcapng | bin | 2192 -> 3988 bytes | |||
-rw-r--r-- | tests/result/mgcp.pcapng.out | 15 |
6 files changed, 43 insertions, 21 deletions
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 6d2696846..1bbd9e6b5 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -105,7 +105,7 @@ void init_mail_pop_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
 void init_mail_smtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_maplestory_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_megaco_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
-void init_mgpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_mgcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_mining_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_mms_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_nats_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 94c22a667..4982db318 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1303,7 +1303,7 @@ struct ndpi_flow_struct {
 char flow_extra_info[16];
 /* General purpose field used to save mainly hostname/SNI information.
- * In details it used for: COLLECTD, DNS, SSDP and NETBIOS name, HTTP and DHCP hostname,
+ * In details it used for: MGCP, COLLECTD, DNS, SSDP and NETBIOS name, HTTP and DHCP hostname,
 * WHOIS request, TLS/QUIC server name, XIAOMI domain and STUN realm.
 *
 * Please, think *very* hard before increasing its size!
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e096b8617..58931d567 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4110,8 +4110,8 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
 /* IAX */
 init_iax_dissector(ndpi_str, &a, detection_bitmask);
- /* MGPC */
- init_mgpc_dissector(ndpi_str, &a, detection_bitmask);
+ /* Media Gateway Control Protocol */
+ init_mgcp_dissector(ndpi_str, &a, detection_bitmask);
 /* ZATTOO */
 init_zattoo_dissector(ndpi_str, &a, detection_bitmask);
diff --git a/src/lib/protocols/mgcp.c b/src/lib/protocols/mgcp.c
index 85c6acf86..94da86a37 100644
--- a/src/lib/protocols/mgcp.c
+++ b/src/lib/protocols/mgcp.c
@@ -30,6 +30,7 @@ static void ndpi_int_mgcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ NDPI_LOG_INFO(ndpi_struct, "found MGCP\n");
 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MGCP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
@@ -39,7 +40,9 @@ void ndpi_search_mgcp(struct ndpi_detection_module_struct *ndpi_struct, struct n
 struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int16_t pos = 5;
+ char const * endpoint;
+ char const * endpoint_hostname;
+ char const * mgcp;
 NDPI_LOG_DBG(ndpi_struct, "search MGCP\n");
@@ -61,23 +64,41 @@ void ndpi_search_mgcp(struct ndpi_detection_module_struct *ndpi_struct, struct n
 memcmp(packet->payload, "RSIP ", 5) != 0) break;
- // now search for string "MGCP " in the rest of the message
- while ((pos + 4) < packet->payload_packet_len) {
- if (memcmp(&packet->payload[pos], "MGCP ", 5) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found MGCP\n");
- ndpi_int_mgcp_add_connection(ndpi_struct, flow);
- return;
- }
- pos++;
+ endpoint = ndpi_strnstr((char const *)packet->payload + 5, " ", packet->payload_packet_len - 5);
+ if (endpoint == NULL)
+ {
+ break;
 }
+ endpoint++;
+ mgcp = ndpi_strnstr(endpoint, " ", packet->payload_packet_len - ((u_int8_t const *)endpoint - packet->payload));
+ if (mgcp == NULL)
+ {
+ break;
+ }
+ mgcp++;
+
+ if (strncmp(mgcp, "MGCP ", ndpi_min(5, packet->payload_packet_len - ((u_int8_t const *)mgcp - packet->payload))) == 0)
+ {
+ ndpi_int_mgcp_add_connection(ndpi_struct, flow);
+
+ endpoint_hostname = ndpi_strnstr(endpoint, "@", packet->payload_packet_len - ((u_int8_t const *)endpoint - packet->payload));
+ if (endpoint_hostname == NULL || endpoint_hostname >= mgcp)
+ {
+ ndpi_hostname_sni_set(flow, (u_int8_t const *)endpoint, (mgcp - endpoint) - 1);
+ } else {
+ endpoint_hostname++;
+ ndpi_hostname_sni_set(flow, (u_int8_t const *)endpoint_hostname, (mgcp - endpoint_hostname) - 1);
+ }
+ return;
+ }
 } while(0);
 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
 }
-void init_mgpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_mgcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
 {
 ndpi_set_bitmask_protocol_detection("MGCP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_MGCP,
diff --git a/tests/pcap/mgcp.pcapng b/tests/pcap/mgcp.pcapng
Binary files differ
index 1728b0bcc..d14f1a4f4 100755..100644
--- a/tests/pcap/mgcp.pcapng
+++ b/tests/pcap/mgcp.pcapng
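Review bot: The `strncmp(mgcp, "MGCP ", ndpi_min(5, ...))` test in the `@@ -61,23 +64,41 @@` hunk of mgcp.c compares only as many bytes as remain in the payload. A datagram that ends right after the second space (zero bytes left, so `strncmp` returns 0), or that ends in a proper prefix such as `MG`, therefore still compares equal; the flow is marked MGCP and its sender-controlled third token is stored as the hostname. Unless a length or terminator check earlier in ndpi_search_mgcp (which starts above this hunk) already rules that out, require the whole token: `if ((packet->payload_packet_len - ((u_int8_t const *)mgcp - packet->payload)) >= 5 && memcmp(mgcp, "MGCP ", 5) == 0)`. A one-line comment above the parsing, for example `/* command line: <verb> <transaction-id> <endpoint[@host]> MGCP <version> */`, would also make clear why the second and third spaces are the anchors.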
diff --git a/tests/result/mgcp.pcapng.out b/tests/result/mgcp.pcapng.out index 9f1f02175..440caac7a 100644 --- a/tests/result/mgcp.pcapng.out +++ b/tests/result/mgcp.pcapng.out @@ -1,8 +1,8 @@ Guessed flow protos: 0 -DPI Packets (UDP): 1 (1.00 pkts/flow) -Confidence DPI : 1 (flows) -Num dissector calls: 19 (19.00 diss/flow) +DPI Packets (UDP): 2 (1.00 pkts/flow) +Confidence DPI : 2 (flows) +Num dissector calls: 38 (19.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) 
@@ -15,10 +15,11 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 2/0 (search/found) +Patricia risk mask: 4/0 (search/found) Patricia risk: 0/0 (search/found) -Patricia protocols: 4/0 (search/found) +Patricia protocols: 8/0 (search/found) -MGCP 12 1672 1 +MGCP 20 2437 2 - 1 UDP 10.10.228.72:2427 <-> 10.10.244.2:2427 [proto: 94/MGCP][ClearText][Confidence: DPI][cat: VoIP/10][6 pkts/1254 bytes <-> 6 pkts/418 bytes][Goodput ratio: 79/40][6.26 sec][bytes ratio: 0.500 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 884/884 3523/3523 1524/1523][Pkt Len c2s/s2c min/avg/max/stddev: 60/57 209/70 846/104 285/19][PLAIN TEXT (RSIP 262662134 )][Plen Bins: 41,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 10.10.228.72:2427 <-> 10.10.244.2:2427 [proto: 94/MGCP][ClearText][Confidence: DPI][cat: VoIP/10][6 pkts/1254 bytes <-> 6 pkts/418 bytes][Goodput ratio: 79/40][6.26 sec][Hostname/SNI: vg224][bytes ratio: 0.500 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1/0 884/884 3523/3523 1524/1523][Pkt Len c2s/s2c min/avg/max/stddev: 60/57 209/70 846/104 285/19][PLAIN TEXT (RSIP 262662134 )][Plen Bins: 41,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 UDP 172.16.1.116:2427 <-> 172.16.1.119:2427 [proto: 94/MGCP][ClearText][Confidence: DPI][cat: VoIP/10][4 pkts/370 bytes <-> 4 pkts/395 bytes][Goodput ratio: 54/57][80.75 sec][Hostname/SNI: gateway44.myplace.com][bytes ratio: -0.033 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/36 26914/26914 76721/76695 35257/35238][Pkt Len c2s/s2c min/avg/max/stddev: 61/98 92/99 103/101 18/1][PLAIN TEXT (RQNT 1 )][Plen Bins: 12,87,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |