authorLuca Deri <deri@ntop.org>2021-08-11 11:52:24 +0200
committerLuca Deri <deri@ntop.org>2021-08-11 11:52:24 +0200
commit5c33fbf19b5bab76aca04432fc7fa6f956ff785f (patch)
tree2a85731111b0ab18a188d82aeeb4cdab816e867e
parent846b546dbc9540d08824cd5fa69e2b683cabfad1 (diff)
Added extraction of hostname in SMTP
Fixed invalid mail subprotocol calculation
-rw-r--r--src/lib/ndpi_main.c1
-rw-r--r--src/lib/protocols/mail_imap.c4
-rw-r--r--src/lib/protocols/mail_pop.c2
-rw-r--r--src/lib/protocols/mail_smtp.c22
-rw-r--r--tests/pcap/smtp-starttls.pcapbin0 -> 9003 bytes
-rw-r--r--tests/result/smtp-starttls.pcap.out7
6 files changed, 33 insertions, 3 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 464b2b326..493c71aea 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4406,7 +4406,6 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
*/
if(flow->packet.tcp->syn != 0 && flow->packet.tcp->ack == 0 && flow->init_finished != 0 &&
flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
-
u_int16_t guessed_protocol_id, guessed_host_protocol_id;
u_int16_t packet_direction_counter[2];
u_int8_t num_processed_pkts;
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index e9a068db3..7fc50c4b7 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -30,8 +30,8 @@
/* #define IMAP_DEBUG 1*/
-static void ndpi_int_mail_imap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+static void ndpi_int_mail_imap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* Avoid IMAPS to be used s sub-protocol */
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAP, NDPI_PROTOCOL_UNKNOWN);
}
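Review bot: The comment on the added `guessed_protocol_id` reset has a typo ("s sub-protocol") and does not explain why the guess is cleared; the same wording is repeated in the mail_pop.c and mail_smtp.c hunks. Something like `/* Drop the port-based guess so IMAPS is not reported as sub-protocol of a flow detected as IMAP */` would be clearer, with the POP3S and SMTPS equivalents in the other two files.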
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index 9a893bd0d..feb2757a2 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -45,6 +45,8 @@
static void ndpi_int_mail_pop_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow) {
+
+ flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* Avoid POP3S to be used s sub-protocol */
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_POP, NDPI_PROTOCOL_UNKNOWN);
}
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 72926402a..359ccbfb5 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -52,6 +52,8 @@ static void ndpi_int_mail_smtp_add_connection(struct ndpi_detection_module_struc
#ifdef SMTP_DEBUG
printf("**** %s()\n", __FUNCTION__);
#endif
+
+ flow->guessed_protocol_id = NDPI_PROTOCOL_MAIL_SMTP; /* Avoid SMTPS to be used s sub-protocol */
ndpi_set_detected_protocol(ndpi_struct, flow,
NDPI_PROTOCOL_MAIL_SMTP, NDPI_PROTOCOL_UNKNOWN);
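Review bot: The reset of `flow->guessed_protocol_id` here is inconsistent with the IMAP and POP hunks of this commit: it assigns `NDPI_PROTOCOL_MAIL_SMTP` where they assign `NDPI_PROTOCOL_UNKNOWN`, under an otherwise identical comment. If the difference is intentional, the comment should state the reason; otherwise use `flow->guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN;` to match the other two dissectors. The body of ndpi_int_mail_smtp_add_connection continues outside the hunk.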
@@ -83,6 +85,26 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->line[a].len >= 3) {
if(memcmp(packet->line[a].ptr, "220", 3) == 0) {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_220;
+
+ if(flow->host_server_name[0] == '\0') {
+ if(packet->line[a].len > 4) {
+ int i, len;
+
+ for(i=5; (i<packet->line[a].len-1) && (packet->line[a].ptr[i] != ' '); i++)
+ ;
+
+ len = i-4;
+ /* Copy result for nDPI apps */
+ len = ndpi_min(len, sizeof(flow->host_server_name)-1);
+ strncpy((char*)flow->host_server_name, (char*)&packet->line[a].ptr[4], len);
+ flow->host_server_name[len] = '\0';
+
+ ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP,
+ (char *)flow->host_server_name,
+ strlen((const char *)flow->host_server_name));
+
+ }
+ }
} else if(memcmp(packet->line[a].ptr, "250", 3) == 0) {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_250;
} else if(memcmp(packet->line[a].ptr, "235", 3) == 0) {
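Review bot: The scan loop stops at `packet->line[a].len-1`, so a greeting with nothing after the hostname (for example `220 mx.example.org`, a constructed sample) loses its final character; unless the `-1` is meant to skip a trailing CR, the bound should be `i<packet->line[a].len`. The name is also copied verbatim from the peer's banner and passed to `ndpi_match_hostname_protocol`, so the resulting sub-protocol (such as `SMTP.Google` in the new test result) reflects only what the server announces. A comment like `/* Hostname is self-declared in the 220 greeting and not authenticated */` would tell consumers of `host_server_name` to treat it as unverified. Nothing in the added lines checks that `ptr[3]` is a space or `-`, or that the copied bytes are printable, which would be worth validating before the copy. ndpi_search_mail_smtp_tcp starts and ends outside the hunk.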
diff --git a/tests/pcap/smtp-starttls.pcap b/tests/pcap/smtp-starttls.pcap
new file mode 100644
index 000000000..493751539
--- /dev/null
+++ b/tests/pcap/smtp-starttls.pcap
Binary files differ
diff --git a/tests/result/smtp-starttls.pcap.out b/tests/result/smtp-starttls.pcap.out
new file mode 100644
index 000000000..660a76c9d
--- /dev/null
+++ b/tests/result/smtp-starttls.pcap.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 1
+
+DPI Packets (TCP): 36 (36.00 pkts/flow)
+
+Google 36 8403 1
+
+ 1 TCP 10.0.0.1:57406 <-> 173.194.68.26:25 [proto: 3.126/SMTP.Google][Encrypted][cat: Web/5][17 pkts/2514 bytes <-> 19 pkts/5889 bytes][Goodput ratio: 55/79][0.48 sec][Host: mx.google.com][bytes ratio: -0.402 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 30/24 156/103 42/26][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 148/310 752/1484 168/444][PLAIN TEXT (x.google.com ESMTP s4)][Plen Bins: 23,18,13,9,4,4,4,0,0,4,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0]