authorLuca Deri <deri@ntop.org>2015-08-26 16:09:24 +0200
committerLuca Deri <deri@ntop.org>2015-08-26 16:09:24 +0200
commit19e96f7dd2ea8a201614239b51fb32134c51352e (patch)
tree7d4828566b12275ebd4fbda44c62a1ff8f2f1a19
parent591d6df489a45c08d2c55a8ada6cede0d6af165a (diff)
Fixes #83. Critical fix: due to an invalid endianness conversion, some protocols were not properly identified
-rw-r--r--src/include/ndpi_typedefs.h8
-rw-r--r--src/lib/ndpi_main.c61
-rw-r--r--src/lib/protocols/skype.c4
-rw-r--r--src/lib/protocols/tcp_udp.c4
-rw-r--r--tests/result/NTPv3.pcap.out4
-rw-r--r--tests/result/README.txt5
-rw-r--r--tests/result/starcraft_battle.pcap.out11
7 files changed, 52 insertions, 45 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8ea4650a6..7f82d0a28 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -672,12 +672,10 @@ typedef struct ndpi_flow_struct {
u_int16_t protocol_stack_info;
/* init parameter, internal used to set up timestamp,... */
- u_int16_t guessed_protocol_id;
+ u_int16_t guessed_protocol_id, guessed_host_proto_id;
- u_int8_t protocol_id_already_guessed:1;
- u_int8_t init_finished:1;
- u_int8_t setup_packet_direction:1;
- u_int8_t packet_direction:1; /* if ndpi_struct->direction_detect_disable == 1 */
+ u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1;
+ /* if ndpi_struct->direction_detect_disable == 1 */
/* tcp sequence number connection tracking */
u_int32_t next_tcp_seq_nr[2];
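Review bot: The comment `/* if ndpi_struct->direction_detect_disable == 1 */` used to trail `packet_direction` and now sits on its own line after a five-member bitfield declaration, so it reads as if it applies to the whole group or to the TCP tracking fields that follow. Keeping `u_int8_t packet_direction:1; /* if ndpi_struct->direction_detect_disable == 1 */` on its own line would preserve the meaning. The two new members are undocumented; going by the ndpi_main.c hunk further down, something like `/* protocol guessed from the IP address lookup; valid once host_already_guessed is set */` on `guessed_host_proto_id` would tell readers when the value can be trusted.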
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5fb0b6cd8..fc5042b0f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1670,10 +1670,10 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str
prefix_t prefix;
patricia_node_t *node;
- pin->s_addr = ntohl(pin->s_addr); /* Make sure all in network byte order otherwise compares wont work */
+ /* Make sure all in network byte order otherwise compares wont work */
fill_prefix_v4(&prefix, pin, 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
node = ndpi_patricia_search_best(ndpi_struct->protocols_ptree, &prefix);
-
+
return(node ? node->value.user_value : NDPI_PROTOCOL_UNKNOWN);
}
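Review bot: The comment `/* Make sure all in network byte order otherwise compares wont work */` is now stale, because the conversion it described was removed and the line below it converts nothing. It should state the precondition the function now relies on, for example `/* pin must already be in network byte order (as read from the IP header); no conversion is done here */`. A side benefit of the removal is that the caller's `pin` is no longer modified in place, which is worth keeping in mind if any caller relied on that. The function starts outside the hunk.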
@@ -1736,7 +1736,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str,
struct in_addr pin;
patricia_node_t *node;
- pin.s_addr = ntohl(host_list[i].network);
+ pin.s_addr = htonl(host_list[i].network);
if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL)
node->value.user_value = host_list[i].value;
}
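Review bot: Insertion into the ptree now looks inconsistent between this function and `ndpi_add_host_ip_subprotocol` in the next hunk, which is only re-indented and still runs `pin.s_addr = ntohl(pin.s_addr);` after `inet_pton()`. `inet_pton()` already yields network byte order, and `ndpi_network_ptree_match` no longer converts on lookup, so on a little-endian host those user-supplied entries appear to be stored byte-swapped and would not match; dropping that `ntohl` line would align it with the `htonl` used here. The same function also ignores the result of `inet_pton()`, so an unparsable `value` inserts an uninitialised `pin`; a guard such as `if(inet_pton(AF_INET, value, &pin) != 1) return(-1);` would avoid that, provided callers tolerate a non-zero return.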
@@ -1745,19 +1745,19 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str,
/* ******************************************* */
static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
- char *value, int protocol_id) {
+ char *value, int protocol_id) {
- patricia_node_t *node;
- struct in_addr pin;
-
- inet_pton(AF_INET, value, &pin);
- pin.s_addr = ntohl(pin.s_addr);
-
- if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) {
- node->value.user_value = protocol_id;
- }
+ patricia_node_t *node;
+ struct in_addr pin;
+
+ inet_pton(AF_INET, value, &pin);
+ pin.s_addr = ntohl(pin.s_addr);
+
+ if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) {
+ node->value.user_value = protocol_id;
+ }
- return(0);
+ return(0);
}
#endif
@@ -1891,13 +1891,16 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc
ndpi_default_ports_tree_node_t node;
if(sport && dport) {
- node.default_port = sport;
+ int low = ndpi_min(sport, dport);
+ int high = ndpi_max(sport, dport);
+
+ node.default_port = low; /* Check server port first */
ret = ndpi_tfind(&node,
(proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot,
ndpi_default_ports_tree_node_t_cmp);
if(ret == NULL) {
- node.default_port = dport;
+ node.default_port = high;
ret = ndpi_tfind(&node,
(proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot,
ndpi_default_ports_tree_node_t_cmp);
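Review bot: Probing `low` before `high` assumes the numerically lower port is the server side, and the commit's own expectation change in tests/result/NTPv3.pcap.out shows the cost: the UDP flow 78.46.76.2:80 <-> 175.144.140.29:123 moves from 9/NTP to 188/Quic, presumably because port 80 is now tried first. A port-only guess that either endpoint can steer through its choice of port is weak evidence for anything that filters or alerts on the result, so the comment should say so, e.g. `/* Heuristic: try the lower port first; this is only a guess and can mislabel flows whose other port is the well-known one */`. `low` and `high` are declared `int` although they hold port numbers; matching the type of `sport`/`dport` would avoid an implicit narrowing into `node.default_port`. The function begins and ends outside the hunk.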
@@ -3418,23 +3421,33 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
} else
ret.protocol = flow->detected_protocol_stack[0];
-
- if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph) {
- struct in_addr pin = { flow->packet.iph->saddr };
-
- if((ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) {
+ if((ret.protocol == NDPI_PROTOCOL_UNKNOWN)
+ && flow->packet.iph
+ && (!flow->host_already_guessed)) {
+ struct in_addr pin;
+
+ pin.s_addr = flow->packet.iph->saddr;
+ if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) {
pin.s_addr = flow->packet.iph->daddr;
- ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin);
+ flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin);
}
+
+ flow->host_already_guessed = 1;
+ }
+
+#if 0
- /* Swap proocols in case of success */
+ /* Swap protocols in case of success */
if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) {
u_int16_t t = ret.master_protocol;
ret.master_protocol = ret.protocol;
ret.protocol = t;
}
- }
+#endif
+
+ if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol != NDPI_PROTOCOL_UNKNOWN))
+ ret.protocol = flow->guessed_host_proto_id;
return(ret);
}
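Review bot: The final assignment `ret.protocol = flow->guessed_host_proto_id` is guarded by `ret.master_protocol != NDPI_PROTOCOL_UNKNOWN`, so a flow with no detected protocol at all never receives the cached address-based guess, and nothing in this hunk sets `ret.master_protocol` from the lookup any more. If the intent is to fall back to the host guess whenever detection came up empty, the guard probably wants to be `if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && flow->host_already_guessed)`; please confirm against the code above the hunk. The `#if 0` swap block is dead code and is better deleted than kept with a corrected typo. The function starts outside the hunk.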
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 7f201569c..e3bd00332 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -40,8 +40,8 @@ u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
Skype connections are identified by some SSL-like communications
without SSL certificate being exchanged
*/
- if(is_skype_host(ndpi_struct, ntohl(packet->iph->saddr))
- || is_skype_host(ndpi_struct, ntohl(packet->iph->daddr))) {
+ if(is_skype_host(ndpi_struct, packet->iph->saddr)
+ || is_skype_host(ndpi_struct, packet->iph->daddr)) {
return(1);
}
}
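Review bot: The byte order each helper expects is not stated anywhere in these hunks: here `is_skype_host` now receives `packet->iph->saddr` unconverted, while the tcp_udp.c hunk below wraps `saddr`/`daddr` in `htonl()` before calling `ndpi_host_ptree_match`. Since this commit fixes a misclassification caused by exactly that ambiguity, a one-line contract on each helper would prevent a repeat, e.g. `/* addr: IPv4 address in network byte order */` on `is_skype_host` and `ndpi_host_ptree_match`, plus a note on `ndpi_search_tcp_or_udp_raw` that its address arguments are in host order, if that is indeed the case. The enclosing function starts outside the hunk.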
diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c
index 1eb9c8773..7ca276dca 100644
--- a/src/lib/protocols/tcp_udp.c
+++ b/src/lib/protocols/tcp_udp.c
@@ -37,9 +37,9 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc
}
}
- if((rc = ndpi_host_ptree_match(ndpi_struct, saddr)) != NDPI_PROTOCOL_UNKNOWN) return(rc);
+ if((rc = ndpi_host_ptree_match(ndpi_struct, htonl(saddr))) != NDPI_PROTOCOL_UNKNOWN) return(rc);
- return(ndpi_host_ptree_match(ndpi_struct, daddr));
+ return(ndpi_host_ptree_match(ndpi_struct, htonl(daddr)));
}
void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
diff --git a/tests/result/NTPv3.pcap.out b/tests/result/NTPv3.pcap.out
index 91d817e5e..dcf9eafda 100644
--- a/tests/result/NTPv3.pcap.out
+++ b/tests/result/NTPv3.pcap.out
@@ -1,3 +1,3 @@
-NTP 1 90 1
+Quic 1 90 1
- 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 9/NTP][1 pkts/90 bytes]
+ 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 188/Quic][1 pkts/90 bytes]
diff --git a/tests/result/README.txt b/tests/result/README.txt
deleted file mode 100644
index 08992145b..000000000
--- a/tests/result/README.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Place here test results for pcaps used for regressions testing
-
-Example
-
-for pcap/myprotocol.pcap add result/myprotocol.result
diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out
index 918647cef..4cbdb5ceb 100644
--- a/tests/result/starcraft_battle.pcap.out
+++ b/tests/result/starcraft_battle.pcap.out
@@ -4,7 +4,8 @@ HTTP 450 294880 19
SSDP 11 4984 1
WorldOfWarcraft 9 880 1
IGMP 2 120 1
-SSL 43 2903 13
+SSL 27 1803 9
+Skype 16 1100 4
Google 12 1467 2
Quic 6 475 1
Starcraft 236 51494 6
@@ -27,10 +28,10 @@ Starcraft 236 51494 6
16 TCP 192.168.1.100:3530 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net]
17 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes]
18 TCP 192.168.1.100:3534 <-> 2.228.46.112:80 [proto: 7/HTTP][1 pkts/66 bytes]
- 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes]
+ 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes]
20 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes]
21 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes]
- 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes]
+ 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes]
23 TCP 80.239.186.26:80 <-> 192.168.1.100:3515 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net]
24 TCP 80.239.186.21:80 <-> 192.168.1.100:3519 [proto: 7/HTTP][9 pkts/979 bytes][Host: eu.launcher.battle.net]
25 TCP 80.239.186.26:80 <-> 192.168.1.100:3521 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net]
@@ -54,8 +55,8 @@ Starcraft 236 51494 6
43 TCP 192.168.1.100:3529 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net]
44 TCP 192.168.1.100:3531 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net]
45 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes]
- 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes]
- 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes]
+ 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes]
+ 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes]
48 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes]
49 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes]
50 TCP 12.129.222.54:80 <-> 192.168.1.100:3512 [proto: 7.76/HTTP.WorldOfWarcraft][9 pkts/880 bytes][Host: us.scan.worldofwarcraft.com]