author | Toni <matzeton@googlemail.com> | 2021-07-05 09:41:35 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-05 09:41:35 +0200 |
commit | 21b2cce7151311931130a6513a8f26fdb4fb3fca (patch) | |
tree | 6fdaf9bbf971b9dd8434a6dd023cb5405080257d | |
parent | ced6fca184a4549333c2d582e53419f66cd99ec1 (diff) |
Improved Z39.50 detection. (#1225)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/lib/protocols/z3950.c | 13 | ||||
-rw-r--r-- | tests/pcap/z3950.pcap | bin | 5261 -> 0 bytes | |||
-rw-r--r-- | tests/pcap/z3950.pcapng | bin | 0 -> 7508 bytes | |||
-rw-r--r-- | tests/result/z3950.pcap.out | 3 | ||||
-rw-r--r-- | tests/result/z3950.pcapng.out | 4 |
5 files changed, 8 insertions, 12 deletions
diff --git a/src/lib/protocols/z3950.c b/src/lib/protocols/z3950.c
index b267c776d..8a6620ed0 100644
--- a/src/lib/protocols/z3950.c
+++ b/src/lib/protocols/z3950.c
@@ -62,15 +62,10 @@ static int z3950_parse_sequences(struct ndpi_packet_struct const * const packet,
 u_int8_t seq_length;
 payload = &packet->payload[payload_offset];
- if (payload[0] == 0x9F)
+ if ((payload[0] & 0x1F) == 0x1F)
 {
- if (payload_offset + 3 >= packet->payload_packet_len)
- {
- return -1;
- }
- payload_offset++;
- payload = &packet->payload[payload_offset];
- seq_type = payload[0];
+ /* We ignore decoding of complex sequences for now. */
+ return cur_sequences;
 } else {
 seq_type = payload[0] & 0x1F;
 }
@@ -103,7 +98,7 @@ static void ndpi_search_z3950(struct ndpi_detection_module_struct *ndpi_struct,
 struct ndpi_flow_struct *flow)
 {
 struct ndpi_packet_struct * packet = &flow->packet;
- int const minimum_expected_sequences = 7;
+ int const minimum_expected_sequences = 6;
 NDPI_LOG_DBG(ndpi_struct, "search z39.50\n");
diff --git a/tests/pcap/z3950.pcap b/tests/pcap/z3950.pcap
Binary files differdeleted file mode 100644
index 713a3acf6..000000000
--- a/tests/pcap/z3950.pcap
+++ /dev/null
diff --git a/tests/pcap/z3950.pcapng b/tests/pcap/z3950.pcapng
Binary files differnew file mode 100644
index 000000000..7f19cb791
--- /dev/null
+++ b/tests/pcap/z3950.pcapng
diff --git a/tests/result/z3950.pcap.out b/tests/result/z3950.pcap.out
deleted file mode 100644
index 8aed9fd28..000000000
--- a/tests/result/z3950.pcap.out
+++ /dev/null
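Review bot: In the new `if ((payload[0] & 0x1F) == 0x1F)` test, `payload[0]` is read at `payload_offset` with no length check visible in this hunk, and the only bounds check that was here (`payload_offset + 3 >= packet->payload_packet_len`) is removed together with the old 0x9F branch. z3950_parse_sequences starts and ends outside the hunk, so the loop may already guard the offset; if it does not, a check such as `if (payload_offset >= packet->payload_packet_len) return -1;` belongs before `payload = &packet->payload[payload_offset];`, since the payload is untrusted network data. The new comment could also state what the mask stands for, assuming it is meant as the BER identifier check: `/* BER high-tag-number form (tag continues in following octets): not decoded, stop counting here. */`.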
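Review bot: `minimum_expected_sequences = 6` carries no comment saying where the value comes from, and it is lowered in the same commit that makes the parser return early on an undecoded tag, so the two changes loosen the match together. A one-line comment such as `/* lowest sequence count seen in a valid PDU, see tests/pcap/z3950.pcapng */` would let a later reader judge the false-positive risk; the wording should be confirmed against the capture. How the parser's return value is compared with this minimum is outside the hunk, as is the rest of ndpi_search_z3950.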
@@ -1,3 +0,0 @@
-Z39.50 15 4997 1
-
- 1 TCP 192.168.2.100:58921 <-> 193.174.240.93:210 [proto: 260/Z39.50][cat: Network/14][7 pkts/623 bytes <-> 8 pkts/4374 bytes][Goodput ratio: 37/90][1.55 sec][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 293/29 1341/73 524/28][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/547 170/1506 44/623][PLAIN TEXT (p.5.4.1 12b)][Plen Bins: 25,0,25,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0]
diff --git a/tests/result/z3950.pcapng.out b/tests/result/z3950.pcapng.out
new file mode 100644
index 000000000..779d71f70
--- /dev/null
+++ b/tests/result/z3950.pcapng.out
@@ -0,0 +1,4 @@
+Z39.50 31 6308 2
+
+ 1 TCP 192.168.2.100:58921 <-> 193.174.240.93:210 [proto: 260/Z39.50][cat: Network/14][7 pkts/623 bytes <-> 8 pkts/4374 bytes][Goodput ratio: 37/90][1.55 sec][bytes ratio: -0.751 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 293/29 1341/73 524/28][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 89/547 170/1506 44/623][PLAIN TEXT (p.5.4.1 12b)][Plen Bins: 25,0,25,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0]
+ 2 TCP 192.168.0.20:46524 <-> 129.187.139.43:9991 [proto: 260/Z39.50][cat: Network/14][10 pkts/764 bytes <-> 6 pkts/547 bytes][Goodput ratio: 28/36][76.54 sec][bytes ratio: 0.166 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/2 1539/3022 9007/9037 3003/4253][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 76/91 138/167 32/37][PLAIN TEXT (p/5.27.1 872b)][Plen Bins: 0,50,33,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |