diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-01-16 16:19:00 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-01-16 16:19:00 +0100 |
| commit | 611c753da5e1736ff97fca570d495f0ed2c52c2f (patch) | |
| tree | 95bf406da0d652a3541a99327a3723c993ab09c4 | |
| parent | f3af39ee42b954ec0486986c7cfac9ee44cd63e4 (diff) | |
XBox, Diameter: fix dissectors initialization (#1405)
These dissectors have *never* been triggered because their registration
functions use the wrong parameter/bitmask.
Diameter code is buggy since the origianl commit (1d108234), while
XBox code since 5266c726.
Fix some false positives in Xbox code.
| -rw-r--r-- | src/lib/protocols/diameter.c | 38 | ||||
| -rw-r--r-- | src/lib/protocols/xbox.c | 9 | ||||
| -rw-r--r-- | tests/result/diameter.pcap.out | 8 |
3 files changed, 24 insertions, 31 deletions
diff --git a/src/lib/protocols/diameter.c b/src/lib/protocols/diameter.c index 7d63653ee..ee6c7ec6a 100644 --- a/src/lib/protocols/diameter.c +++ b/src/lib/protocols/diameter.c @@ -62,16 +62,12 @@ struct diameter_header_t // Check packet -int is_diameter(struct ndpi_packet_struct *packet, int size_payload) +int is_diameter(struct ndpi_packet_struct *packet) { - // check param - if(!packet || size_payload == 0) return -1; + struct diameter_header_t *diameter = (struct diameter_header_t *)packet->payload; - // cast to diameter header - struct diameter_header_t *diameter = (struct diameter_header_t *) packet; - - // check if the packet is diameter - if(diameter->version == 0x01 && + if(packet->payload_packet_len >= sizeof(struct diameter_header_t) && + diameter->version == 0x01 && (diameter->flags == DIAMETER_REQUEST || diameter->flags == DIAMETER_PROXYABLE || diameter->flags == DIAMETER_ERROR || @@ -83,10 +79,10 @@ int is_diameter(struct ndpi_packet_struct *packet, int size_payload) com_code == CC || com_code == CE || com_code == DW || com_code == DP || com_code == RA || com_code == ST) - return 0; // OK + return 0; } - // wrong packet - return -2; + + return -1; } @@ -95,24 +91,16 @@ void ndpi_search_diameter(struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - // Diameter is on TCP if(packet->tcp) { - - /* Check if it's diameter */ - int ret = is_diameter(packet, packet->payload_packet_len); - if(ret != 0) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - else { + int ret = is_diameter(packet); + if(ret == 0) { NDPI_LOG_INFO(ndpi_struct, "found Diameter\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIAMETER, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + return; } } - else { // UDP - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } @@ -121,7 +109,7 @@ void init_diameter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u { ndpi_set_bitmask_protocol_detection("Diameter", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DIAMETER, ndpi_search_diameter, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); *id += 1; diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c index 0878f933c..8b2ed2b84 100644 --- a/src/lib/protocols/xbox.c +++ b/src/lib/protocols/xbox.c @@ -80,12 +80,17 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n NDPI_LOG_DBG(ndpi_struct, "maybe xbox\n"); flow->l4.udp.xbox_stage++; return; - } else if ((dport == 3075 || dport == 3076 || dport == 3077 || dport == 3078) || + } +/* Disable this code. These checks are quite weak and these ports are not mentioned at + https://support.xbox.com/en-US/help/hardware-network/connect-network/network-ports-used-xbox-live */ +#if 0 + else if ((dport == 3075 || dport == 3076 || dport == 3077 || dport == 3078) || (sport == 3075 || sport == 3076 || sport == 3077 || sport == 3078)) { ndpi_int_xbox_add_connection(ndpi_struct, flow); NDPI_LOG_INFO(ndpi_struct, "found xbox udp port connection detected\n"); return; } +#endif /* exclude here all non matched udp traffic, exclude here tcp only if http has been excluded, because xbox could use http */ if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) { @@ -102,7 +107,7 @@ void init_xbox_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int NDPI_PROTOCOL_XBOX, ndpi_search_xbox, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, - NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); *id += 1; diff --git a/tests/result/diameter.pcap.out b/tests/result/diameter.pcap.out index a25af1326..9bf57f443 100644 --- a/tests/result/diameter.pcap.out +++ b/tests/result/diameter.pcap.out @@ -1,8 +1,8 @@ -Guessed flow protos: 1 +Guessed flow protos: 0 -DPI Packets (TCP): 6 (6.00 pkts/flow) -Confidence Match by port : 1 (flows) +DPI Packets (TCP): 1 (1.00 pkts/flow) +Confidence DPI : 1 (flows) Diameter 6 1980 1 - 1 TCP 10.201.9.245:50957 <-> 10.201.9.11:3868 [proto: 237/Diameter][ClearText][Confidence: Match by port][cat: Network/14][3 pkts/1174 bytes <-> 3 pkts/806 bytes][Goodput ratio: 86/80][0.09 sec][bytes ratio: 0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 13/12 39/32 65/51 26/20][Pkt Len c2s/s2c min/avg/max/stddev: 362/226 391/269 414/290 22/30][PLAIN TEXT (1263278878147)][Plen Bins: 0,0,0,0,0,16,0,34,0,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 TCP 10.201.9.245:50957 <-> 10.201.9.11:3868 [proto: 237/Diameter][ClearText][Confidence: DPI][cat: Network/14][3 pkts/1174 bytes <-> 3 pkts/806 bytes][Goodput ratio: 86/80][0.09 sec][bytes ratio: 0.186 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 13/12 39/32 65/51 26/20][Pkt Len c2s/s2c min/avg/max/stddev: 362/226 391/269 414/290 22/30][PLAIN TEXT (1263278878147)][Plen Bins: 0,0,0,0,0,16,0,34,0,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |