author | Campus <campus@ntop.org> | 2016-05-24 23:33:13 +0200 |
---|---|---|
committer | Campus <campus@ntop.org> | 2016-05-24 23:33:13 +0200 |
commit | 67d3c9e9c8e7c975189b718905c5dddbd961b681 (patch) | |
tree | 5fdde547cb5aef2e41262e9f878f61769b0a0020 | |
parent | f8ecdc004f337dd478484f5cc2c087022803762b (diff) | |
parent | ac664940da983308cc6b9e4088c2c1cb238521a5 (diff) |
Merge branch 'dev' of https://github.com/ntop/nDPI into dev
-rw-r--r-- | example/ndpi_util.c | 53 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 46 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 55 | ||||
-rw-r--r-- | src/lib/protocols/bittorrent.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/ftp_data.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/rtcp.c | 1 |
7 files changed, 125 insertions, 37 deletions
diff --git a/example/ndpi_util.c b/example/ndpi_util.c
index f28da7078..939b3efd0 100644
--- a/example/ndpi_util.c
+++ b/example/ndpi_util.c
@@ -552,11 +552,10 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow,
 u_int16_t radio_len;
 u_int16_t fc;
 u_int16_t type;
- int wifi_len;
+ int wifi_len = 0;
 int llc_off;
 int pyld_eth_len = 0;
 int check;
- u_int32_t fcs;
 u_int64_t time;
 u_int16_t ip_offset, ip_len, ip6_offset;
 u_int16_t frag_off = 0, vlan_id = 0;
@@ -646,8 +645,6 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow,
 return;
 }
- fcs = header->len - 4;
-
 /* Calculate 802.11 header length (variable) */
 wifi = (struct ndpi_wifi_header*)( packet + eth_offset + radio_len);
 fc = wifi->fc;
@@ -679,31 +676,33 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow,
 }
 /* check ether type */
- if(type == VLAN) {
- vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF;
- type = (packet[ip_offset+2] << 8) + packet[ip_offset+3];
- ip_offset += 4;
- vlan_packet = 1;
- } else if(type == MPLS_UNI || type == MPLS_MULTI) {
- mpls = (struct ndpi_mpls_header *) &packet[ip_offset];
- label = ntohl(mpls->label);
- /* label = ntohl(*((u_int32_t*)&packet[ip_offset])); */
- workflow->stats.mpls_count++;
- type = ETH_P_IP, ip_offset += 4;
-
- while((label & 0x100) != 0x100) {
+ switch(type) {
+ case VLAN:
+ vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF;
+ type = (packet[ip_offset+2] << 8) + packet[ip_offset+3];
 ip_offset += 4;
+ vlan_packet = 1;
+ break;
+ case MPLS_UNI:
+ case MPLS_MULTI:
+ mpls = (struct ndpi_mpls_header *) &packet[ip_offset];
 label = ntohl(mpls->label);
- }
- }
- else if(type == SLARP)
- slarp = (struct ndpi_slarp *) &packet[ip_offset];
- else if(type == CISCO_D_PROTO)
- cdp = (struct ndpi_cdp *) &packet[ip_offset];
- else if(type == PPPoE) {
- workflow->stats.pppoe_count++;
- type = ETH_P_IP;
- ip_offset += 8;
+ /* label = ntohl(*((u_int32_t*)&packet[ip_offset])); */
+ workflow->stats.mpls_count++;
+ type = ETH_P_IP, ip_offset += 4;
+
+ while((label & 0x100) != 0x100) {
+ ip_offset += 4;
+ label = ntohl(mpls->label);
+ }
+ break;
+ case PPPoE:
+ workflow->stats.pppoe_count++;
+ type = ETH_P_IP;
+ ip_offset += 8;
+ break;
+ default:
+ break;
 }
 workflow->stats.vlan_count += vlan_packet;
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 95254a9fa..737e29cb9 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
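Review bot: In the `MPLS_UNI`/`MPLS_MULTI` case of example/ndpi_util.c the `while((label & 0x100) != 0x100)` loop advances `ip_offset` but re-reads `label` through the unchanged `mpls` pointer, so the tested value never changes and a frame whose first label lacks the bottom-of-stack bit keeps the loop spinning. Re-point the header on every step, `mpls = (struct ndpi_mpls_header *) &packet[ip_offset];` before `label = ntohl(mpls->label);`, and leave the loop once `ip_offset` plus the label size would pass the captured length. The `VLAN` case likewise reads `packet[ip_offset]` through `packet[ip_offset+3]` with no length check visible in this hunk; the enclosing function starts and ends outside it, so an earlier check may exist.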
@@ -224,6 +224,52 @@ extern "C" {
 struct ndpi_id_struct *src,
 struct ndpi_id_struct *dst);
+
+ /**
+ * Processes one packet of L4 and returns the ID of the detected protocol.
+ * L3 and L4 packet headers are passed in the arguments while payload
+ * points to the L4 body.
+ * This function mimics ndpi_detection_process_packet behaviour.
+ *
+ * @par ndpi_struct = the detection module
+ * @par flow = pointer to the connection state machine
+ * @par iph = IP packet header for IPv4 or NULL
+ * @par iph6 = IP packet header for IPv6 or NULL
+ * @par tcp = TCP packet header for TCP or NULL
+ * @par udp = UDP packet header for UDP or NULL
+ * @par src_to_dst_direction = order of src/dst state machines in a flow.
+ * @par l4_proto = L4 protocol of the packet.
+ * @par src = pointer to the source subscriber state machine
+ * @par dst = pointer to the destination subscriber state machine
+ * @par sport = source port of L4 packet, used for protocol guessing.
+ * @par dport = destination port of L4 packet, used for protocol guessing.
+ * @par current_tick_l = the current timestamp for the packet
+ * @par payload = unsigned char pointer to the Layer 4 (TCP/UDP body)
+ * @par payload_len = the length of the payload
+ * @return the detected ID of the protocol
+ *
+ * NOTE: in a current implementation flow->src and flow->dst are swapped with
+ * the src_to_dst_direction flag while ndpi_detection_process_packet does not swap
+ * these values.
+ *
+ */
+
+ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ const struct ndpi_iphdr *iph,
+ struct ndpi_ipv6hdr *iph6,
+ struct ndpi_tcphdr *tcp,
+ struct ndpi_udphdr *udp,
+ u_int8_t src_to_dst_direction,
+ u_int8_t l4_proto,
+ struct ndpi_id_struct *src,
+ u_int16_t sport,
+ struct ndpi_id_struct *dst,
+ u_int16_t dport,
+ const u_int64_t current_tick_l,
+ u_int8_t *payload, u_int16_t payload_len);
+
+
 /**
 * Get the main protocol of the passed flows for the detected module
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 682cdca03..070492cf7 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -550,7 +550,11 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_struc
 if(automa->ac_automa == NULL) return(-2);
 ac_pattern.astring = value;
 ac_pattern.rep.number = protocol_id;
- ac_pattern.length = strlen(ac_pattern.astring);
+ if(value == NULL)
+ ac_pattern.length = 0;
+ else
+ ac_pattern.length = strlen(ac_pattern.astring);
+
 ac_automata_add(((AC_AUTOMATA_t*)automa->ac_automa), &ac_pattern);
 return(0);
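Review bot: With `value == NULL` the new branch in `ndpi_string_to_automa()` only sets `ac_pattern.length = 0` and still hands the pattern, whose `astring` is NULL, to `ac_automata_add()`, after which the function returns 0 as if the string had been registered. Rejecting the input up front is clearer and keeps a NULL pointer out of the automaton: `if((automa->ac_automa == NULL) || (value == NULL)) return(-2);` (or a distinct error code). The result of `ac_automata_add()` is also ignored in the visible lines, so a refused pattern is reported as success; the function body starts and ends outside the hunk.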
@@ -3208,16 +3212,33 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru
 u_int16_t sport,
 struct ndpi_id_struct *dst,
 u_int16_t dport,
+ const u_int64_t current_tick_l,
 u_int8_t *payload, u_int16_t payload_len) {
 NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
 u_int32_t a;
 ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN };
+ if(flow == NULL)
+ return(ret);
+
 if(payload_len == 0) return(ret);
 flow->packet.tcp = tcp, flow->packet.udp = udp;
 flow->packet.payload = payload, flow->packet.payload_packet_len = payload_len;
+ flow->packet.tick_timestamp_l = current_tick_l;
+ flow->packet.tick_timestamp = (u_int32_t)current_tick_l/1000;
+
+ if(flow) {
+ ndpi_apply_flow_protocol_to_packet(flow, &flow->packet);
+ } else {
+ ndpi_int_reset_packet_protocol(&flow->packet);
+ }
+
+ if(flow->server_id == NULL) flow->server_id = dst; /* Default */
+ if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
+ goto ret_protocols;
+
 if(src_to_dst_direction)
 flow->src = src, flow->dst = dst;
 else
@@ -3231,6 +3252,8 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru
 ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6;
 #endif /* NDPI_DETECTION_SUPPORT_IPV6 */
+ ndpi_connection_tracking(ndpi_struct, flow);
+
 if(flow->packet.tcp != NULL)
 ndpi_selection_packet |= (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP);
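Review bot: In `flow->packet.tick_timestamp = (u_int32_t)current_tick_l/1000;` the cast binds tighter than the division, so the 64-bit tick is truncated to 32 bits first and only then divided; if ticks are milliseconds since the epoch (an assumption, the unit is not shown here) the stored value is wrong. Write `(u_int32_t)(current_tick_l/1000)`. A few lines further down, `if(flow) { ... } else { ndpi_int_reset_packet_protocol(&flow->packet); }` follows the new `if(flow == NULL) return(ret);`, so the `else` arm is unreachable and would dereference NULL if it ever ran; call `ndpi_apply_flow_protocol_to_packet(flow, &flow->packet);` unconditionally. The function continues outside the hunk.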
@@ -3248,6 +3271,34 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru
 flow->packet.l4_protocol = l4_proto, flow->packet.packet_direction = src_to_dst_direction;
+ if((!flow->protocol_id_already_guessed)
+ && (
+#ifdef NDPI_DETECTION_SUPPORT_IPV6
+ flow->packet.iphv6 ||
+#endif
+ flow->packet.iph)) {
+ u_int32_t saddr, daddr;
+
+ flow->protocol_id_already_guessed = 1;
+
+#ifdef NDPI_DETECTION_SUPPORT_IPV6
+ if(flow->packet.iphv6 != NULL) {
+ saddr = 0, daddr = 0;
+ } else
+#endif
+ {
+ saddr = ntohl(flow->packet.iph->saddr);
+ daddr = ntohl(flow->packet.iph->daddr);
+ }
+
+ flow->guessed_protocol_id = (int16_t)ndpi_guess_protocol_id(ndpi_struct, l4_proto, sport, dport);
+
+ if(flow->packet.iph) {
+ if((flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr)) == NDPI_PROTOCOL_UNKNOWN)
+ flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->daddr);
+ }
+ }
+
 check_ndpi_flow_func(ndpi_struct, flow, &ndpi_selection_packet);
 a = flow->packet.detected_protocol_stack[0];
@@ -3391,8 +3442,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 #endif
 {
 protocol = flow->packet.iph->protocol;
- saddr = ntohl(flow->packet.iph->saddr);
- daddr = ntohl(flow->packet.iph->daddr);
 }
 if(flow->packet.udp) sport = ntohs(flow->packet.udp->source), dport = ntohs(flow->packet.udp->dest);
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 8213d3b45..6ac9ec69a 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -135,7 +135,6 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
 || memcmp(packet->payload, "POST ", 5) == 0)) {
 const u_int8_t *ptr = &packet->payload[4];
 u_int16_t len = packet->payload_packet_len - 4;
- a = 0;
 /* parse complete get packet here into line structure elements */
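Review bot: `saddr` and `daddr` are assigned in the new guessing block of `ndpi_l4_detection_process_packet()` but never read in the visible lines: the host lookup passes `&flow->packet.iph->saddr` and `&flow->packet.iph->daddr` directly. The same commit deletes the equivalent dead assignments from `ndpi_detection_process_packet()`, so the two locals and the `#ifdef`/`else` block that fills them can go here as well. The host lookup also runs only under `if(flow->packet.iph)`, so IPv6 flows get no host guess; a comment such as `/* host guess is IPv4-only: no ptree lookup for iphv6 */` would record that this is intended. The function body continues outside the hunk.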
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index f8b50f733..98df46481 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -112,10 +112,8 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
 ret_code = (is_query == 0) ? 0 : (dns_header.flags & 0x0F);
 int j = 0;
 int off = sizeof(struct ndpi_dns_packet_header) + 1;
- while((flow->packet.payload[off] != '\0'))
+ while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len)
 {
- if(off < flow->packet.payload_packet_len)
- {
 flow->host_server_name[j] = flow->packet.payload[off];
 if(j < strlen((char*)flow->host_server_name)) {
 if(flow->host_server_name[j] < ' ')
@@ -123,7 +121,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
 j++;
 }
 off++;
- }
 }
 flow->host_server_name[j] = '\0';
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index 32774899c..7daf9190d 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -230,7 +230,6 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct
 }
 void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
 /* Break after 20 packets. */
 if(flow->packet_counter > 20) {
diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
index be4aee669..cc6265220 100644
--- a/src/lib/protocols/rtcp.c
+++ b/src/lib/protocols/rtcp.c
@@ -48,7 +48,6 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct n
 offset += rtcp_section_len;
 }
- sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
 NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n");
 /* TODO changed a pair of length condition to the && from ||. Is it correct? */
 if(((packet->payload_packet_len >= 28 && packet->payload_packet_len <= 1200) && |
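Review bot: The rewritten loop condition in `ndpi_search_dns()` reads `flow->packet.payload[off]` before it tests `off < flow->packet.payload_packet_len`, so when the payload holds no NUL byte the final evaluation reads one byte past it. Swap the operands: `while(off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0')`. The write index `j` is bounded only by `strlen((char*)flow->host_server_name)`, that is by the contents of the buffer being filled rather than by its size; assuming `host_server_name` is a fixed-size array, add `j < sizeof(flow->host_server_name) - 1` to the condition so a long name in the packet cannot run past it. The second dns.c hunk is the tail of the same loop, and the function starts and ends outside both.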