author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-01-30 19:18:12 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-30 19:18:12 +0100 |
commit | 5bb5bec477e1a10a404fd9228ddc0f5041b51123 (patch) | |
tree | 923e8b698416595cf18e853215394fe6c66c8e02 | |
parent | 1fdcddb33d105a45061da1ceaefcb6a00542322f (diff) |
Remove `struct ndpi_id_struct` (#1427)
Remove the last uses of `struct ndpi_id_struct`.
That code is not really used and it has not been updated for a very long
time: see #1279 for details.
Correlation among flows is achieved via LRU caches.
This change further reduces memory consumption (see also
91bb77a8).
At nDPI 4.0 (more precisely, at a6b10cf, because memory stats
were wrong until that commit):
```
nDPI Memory statistics:
nDPI Memory (once): 221.15 KB
Flow Memory (per flow): 2.94 KB
```
Now:
```
nDPI Memory statistics:
nDPI Memory (once): 235.27 KB
Flow Memory (per flow): 688 B <--------
```
i.e. memory usage per flow has been reduced by 77%.
Close #1279
-rw-r--r-- | example/ndpiReader.c | 2 | ||||
-rw-r--r-- | example/ndpiSimpleIntegration.c | 38 | ||||
-rw-r--r-- | example/reader_util.c | 49 | ||||
-rw-r--r-- | fuzz/fuzz_process_packet.c | 8 | ||||
-rw-r--r-- | src/include/ndpi_api.h.in | 22 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 50 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 37 | ||||
-rw-r--r-- | src/lib/protocols/directconnect.c | 246 | ||||
-rw-r--r-- | src/lib/protocols/gnutella.c | 65 | ||||
-rw-r--r-- | src/lib/protocols/icecast.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/irc.c | 146 | ||||
-rw-r--r-- | src/lib/protocols/jabber.c | 186 | ||||
-rw-r--r-- | src/lib/protocols/thunder.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/world_of_warcraft.c | 16 |
14 files changed, 31 insertions, 843 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index c84e88fcd..f21fbc86a 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -2911,7 +2911,7 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us if(!quiet_mode) { printf("\nnDPI Memory statistics:\n"); printf("\tnDPI Memory (once): %-13s\n", formatBytes(ndpi_get_ndpi_detection_module_size(), buf, sizeof(buf))); - printf("\tFlow Memory (per flow): %-13s\n", formatBytes( ndpi_detection_get_sizeof_ndpi_flow_struct() + 2*ndpi_detection_get_sizeof_ndpi_id_struct(), buf, sizeof(buf))); + printf("\tFlow Memory (per flow): %-13s\n", formatBytes( ndpi_detection_get_sizeof_ndpi_flow_struct(), buf, sizeof(buf))); printf("\tActual Memory: %-13s\n", formatBytes(current_ndpi_memory, buf, sizeof(buf))); printf("\tPeak Memory: %-13s\n", formatBytes(max_ndpi_memory, buf, sizeof(buf))); printf("\tSetup Time: %lu msec\n", (unsigned long)(setup_time_usec/1000)); diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c index d8a83dc47..57b51450c 100644 --- a/example/ndpiSimpleIntegration.c +++ b/example/ndpiSimpleIntegration.c @@ -85,8 +85,6 @@ struct nDPI_flow_info { struct ndpi_proto guessed_protocol; struct ndpi_flow_struct * ndpi_flow; - struct ndpi_id_struct * ndpi_src; - struct ndpi_id_struct * ndpi_dst; }; struct nDPI_workflow { @@ -190,8 +188,6 @@ static void ndpi_flow_info_freer(void * const node) { struct nDPI_flow_info * const flow = (struct nDPI_flow_info *)node; - ndpi_free(flow->ndpi_dst); - ndpi_free(flow->ndpi_src); ndpi_flow_free(flow->ndpi_flow); ndpi_free(flow); } @@ -505,10 +501,6 @@ static void ndpi_process_packet(uint8_t * const args, void * tree_result; struct nDPI_flow_info * flow_to_process; - int direction_changed = 0; - struct ndpi_id_struct * ndpi_src; - struct ndpi_id_struct * ndpi_dst; - const struct ndpi_ethhdr * ethernet; const struct ndpi_iphdr * ip; struct ndpi_ipv6hdr * ip6; 
@@ -753,9 +745,6 @@ static void ndpi_process_packet(uint8_t * const args, flow.dst_port = orig_src_port; tree_result = ndpi_tfind(&flow, &workflow->ndpi_flows_active[hashed_index], ndpi_workflow_node_cmp); - if (tree_result != NULL) { - direction_changed = 1; - } flow.ip_tuple.u32.src[0] = orig_src_ip[0]; flow.ip_tuple.u32.src[1] = orig_src_ip[1]; @@ -800,20 +789,6 @@ static void ndpi_process_packet(uint8_t * const args, } memset(flow_to_process->ndpi_flow, 0, SIZEOF_FLOW_STRUCT); - flow_to_process->ndpi_src = (struct ndpi_id_struct *)ndpi_calloc(1, SIZEOF_ID_STRUCT); - if (flow_to_process->ndpi_src == NULL) { - fprintf(stderr, "[%8llu, %d, %4u] Not enough memory for src id struct\n", - workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id); - return; - } - - flow_to_process->ndpi_dst = (struct ndpi_id_struct *)ndpi_calloc(1, SIZEOF_ID_STRUCT); - if (flow_to_process->ndpi_dst == NULL) { - fprintf(stderr, "[%8llu, %d, %4u] Not enough memory for dst id struct\n", - workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id); - return; - } - printf("[%8llu, %d, %4u] new %sflow\n", workflow->packets_captured, thread_index, flow_to_process->flow_id, (flow_to_process->is_midstream_flow != 0 ? "midstream-" : "")); @@ -821,19 +796,8 @@ static void ndpi_process_packet(uint8_t * const args, /* Possible Leak, but should not happen as we'd abort earlier. */ return; } - - ndpi_src = flow_to_process->ndpi_src; - ndpi_dst = flow_to_process->ndpi_dst; } else { flow_to_process = *(struct nDPI_flow_info **)tree_result; - - if (direction_changed != 0) { - ndpi_src = flow_to_process->ndpi_dst; - ndpi_dst = flow_to_process->ndpi_src; - } else { - ndpi_src = flow_to_process->ndpi_src; - ndpi_dst = flow_to_process->ndpi_dst; - } } flow_to_process->packets_processed++; 
@@ -884,7 +848,7 @@ static void ndpi_process_packet(uint8_t * const args, flow_to_process->detected_l7_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, flow_to_process->ndpi_flow, ip != NULL ? (uint8_t *)ip : (uint8_t *)ip6, - ip_size, time_ms, ndpi_src, ndpi_dst); + ip_size, time_ms); if (ndpi_is_protocol_detected(workflow->ndpi_struct, flow_to_process->detected_l7_protocol) != 0 && diff --git a/example/reader_util.c b/example/reader_util.c index d47b5a5ec..3340170ef 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -300,8 +300,6 @@ void ndpi_report_payload_stats() { void ndpi_free_flow_info_half(struct ndpi_flow_info *flow) { if(flow->ndpi_flow) { ndpi_flow_free(flow->ndpi_flow); flow->ndpi_flow = NULL; } - if(flow->src_id) { ndpi_free(flow->src_id); flow->src_id = NULL; } - if(flow->dst_id) { ndpi_free(flow->dst_id); flow->dst_id = NULL; } } /* ***************************************************** */ @@ -699,8 +697,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow struct ndpi_tcphdr **tcph, struct ndpi_udphdr **udph, u_int16_t *sport, u_int16_t *dport, - struct ndpi_id_struct **src, - struct ndpi_id_struct **dst, u_int8_t *proto, u_int8_t **payload, u_int16_t *payload_len, 
@@ -878,30 +874,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow } else memset(newflow->ndpi_flow, 0, SIZEOF_FLOW_STRUCT); - if((newflow->src_id = ndpi_malloc(SIZEOF_ID_STRUCT)) == NULL) { - LOG(NDPI_LOG_ERROR, "[NDPI] %s(3): not enough memory\n", __FUNCTION__); -#ifdef DIRECTION_BINS - ndpi_free_bin(&newflow->payload_len_bin_src2dst), ndpi_free_bin(&newflow->payload_len_bin_dst2src); -#else - ndpi_free_bin(&newflow->payload_len_bin); -#endif - ndpi_free(newflow); - return(NULL); - } else - memset(newflow->src_id, 0, SIZEOF_ID_STRUCT); - - if((newflow->dst_id = ndpi_malloc(SIZEOF_ID_STRUCT)) == NULL) { - LOG(NDPI_LOG_ERROR, "[NDPI] %s(4): not enough memory\n", __FUNCTION__); -#ifdef DIRECTION_BINS - ndpi_free_bin(&newflow->payload_len_bin_src2dst), ndpi_free_bin(&newflow->payload_len_bin_dst2src); -#else - ndpi_free_bin(&newflow->payload_len_bin); -#endif - ndpi_free(newflow); - return(NULL); - } else - memset(newflow->dst_id, 0, SIZEOF_ID_STRUCT); - ndpi_tsearch(newflow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); /* Add */ workflow->stats.ndpi_flow_count++; if(*proto == IPPROTO_TCP) @@ -911,8 +883,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow else workflow->stats.flow_count[2]++; - *src = newflow->src_id, *dst = newflow->dst_id; - if(enable_flow_stats) { newflow->entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy)); newflow->last_entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy)); @@ -939,9 +909,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow && rflow->src_port == htons(*sport) && rflow->dst_port == htons(*dport) ) - *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1; + *src_to_dst_direction = 0, rflow->bidirectional = 1; else - *src = rflow->src_id, *dst = rflow->dst_id, *src_to_dst_direction = 1; + *src_to_dst_direction = 1; } else { if(rflow->src_ip == iph->saddr 
@@ -949,9 +919,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow && rflow->src_port == htons(*sport) && rflow->dst_port == htons(*dport) ) - *src = rflow->src_id, *dst = rflow->dst_id, *src_to_dst_direction = 1; + *src_to_dst_direction = 1; else - *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1; + *src_to_dst_direction = 0, rflow->bidirectional = 1; } if(enable_flow_stats) { if(src_to_dst_direction) { @@ -997,8 +967,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo struct ndpi_tcphdr **tcph, struct ndpi_udphdr **udph, u_int16_t *sport, u_int16_t *dport, - struct ndpi_id_struct **src, - struct ndpi_id_struct **dst, u_int8_t *proto, u_int8_t **payload, u_int16_t *payload_len, @@ -1024,7 +992,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo &iph, iph6, ip_offset, ipsize, ip_len, l4ptr - (const u_int8_t *)iph6, tcph, udph, sport, dport, - src, dst, proto, payload, + proto, payload, payload_len, src_to_dst_direction, when)); } @@ -1347,7 +1315,6 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, pkt_timeval when, ndpi_risk *flow_risk, FILE * csv_fp) { - struct ndpi_id_struct *src, *dst; struct ndpi_flow_info *flow = NULL; struct ndpi_flow_struct *ndpi_flow = NULL; u_int8_t proto; @@ -1369,13 +1336,13 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ntohs(iph->tot_len) - (iph->ihl * 4), iph->ihl * 4, &tcph, &udph, &sport, &dport, - &src, &dst, &proto, + &proto, &payload, &payload_len, &src_to_dst_direction, when); else flow = get_ndpi_flow_info6(workflow, vlan_id, tunnel_type, iph6, ip_offset, ipsize, &tcph, &udph, &sport, &dport, - &src, &dst, &proto, + &proto, &payload, &payload_len, &src_to_dst_direction, when); if(flow != NULL) { 
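Review bot: In example/reader_util.c (get_ndpi_flow_info), the context line `if(src_to_dst_direction) {` right after the changed direction assignments tests the pointer, not the value it points to. The lines just above dereference the same name (`*src_to_dst_direction = 1;`), so the condition is true for every packet whatever the direction; it should read `if(*src_to_dst_direction) {`. The body of that branch is outside the hunk, so which per-direction statistics are affected needs to be confirmed there. Now that the `*src`/`*dst` assignments are gone, the remaining comma expressions would also read better as braced statements, e.g. `{ *src_to_dst_direction = 0; rflow->bidirectional = 1; }`.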
@@ -1563,7 +1530,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, - ipsize, time_ms, src, dst); + ipsize, time_ms); if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { if((!enough_packets) diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c index b8780b7a8..8841c0a1c 100644 --- a/fuzz/fuzz_process_packet.c +++ b/fuzz/fuzz_process_packet.c @@ -4,8 +4,6 @@ #include <stdio.h> struct ndpi_detection_module_struct *ndpi_info_mod = NULL; -struct ndpi_id_struct *src; -struct ndpi_id_struct *dst; int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { uint8_t protocol_was_guessed; @@ -16,8 +14,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { NDPI_BITMASK_SET_ALL(all); NDPI_BITMASK_SET_ALL(debug_bitmask); ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all); - src = ndpi_malloc(SIZEOF_ID_STRUCT); - dst = ndpi_malloc(SIZEOF_ID_STRUCT); ndpi_set_log_level(ndpi_info_mod, 4); ndpi_set_debug_bitmask(ndpi_info_mod, debug_bitmask); ndpi_finalize_initialization(ndpi_info_mod); @@ -25,9 +21,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { struct ndpi_flow_struct *ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT); memset(ndpi_flow, 0, SIZEOF_FLOW_STRUCT); - memset(src, 0, SIZEOF_ID_STRUCT); - memset(dst, 0, SIZEOF_ID_STRUCT); - ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, src, dst); + ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0); ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed); ndpi_free_flow(ndpi_flow); diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in index e0b813597..ed468f6d8 100644 --- a/src/include/ndpi_api.h.in +++ b/src/include/ndpi_api.h.in 
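Review bot: In fuzz/fuzz_process_packet.c, the result of `ndpi_flow_malloc(SIZEOF_FLOW_STRUCT)` still goes straight into `memset` and `ndpi_detection_process_packet` without a NULL check, and this commit touches the neighbouring lines without adding one. If the allocation fails, the harness itself crashes and the report looks like a library finding, which wastes triage time. A guard such as `if(ndpi_flow == NULL) return 0;` before the `memset` keeps harness failures out of the results.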
@@ -36,7 +36,6 @@ extern "C" { */ #define NDPI_API_VERSION @NDPI_API_VERSION@ -#define SIZEOF_ID_STRUCT ( sizeof(struct ndpi_id_struct) ) #define SIZEOF_FLOW_STRUCT ( sizeof(struct ndpi_flow_struct) ) #define NDPI_DETECTION_ONLY_IPV4 ( 1 << 0 ) @@ -76,15 +75,6 @@ extern "C" { /** - * Get the size of the id struct - * - * @return the size of the id struct - * - */ - u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void); - - - /** * Get the size of the flow tcp struct * * @return the size of the flow tcp struct @@ -303,8 +293,6 @@ extern "C" { * @par packet = unsigned char pointer to the Layer 3 (IP header) * @par packetlen = the length of the packet * @par packet_time_ms = the current timestamp for the packet (expressed in msec) - * @par src = pointer to the source subscriber state machine - * @par dst = pointer to the destination subscriber state machine * @return void * */ @@ -312,9 +300,7 @@ extern "C" { struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t packet_time_ms, - struct ndpi_id_struct *src, - struct ndpi_id_struct *dst); + const u_int64_t packet_time_ms); /** * Processes one packet and returns the ID of the detected protocol. @@ -325,8 +311,6 @@ extern "C" { * @par packet = unsigned char pointer to the Layer 3 (IP header) * @par packetlen = the length of the packet * @par packet_time_ms = the current timestamp for the packet (expressed in msec) - * @par src = pointer to the source subscriber state machine - * @par dst = pointer to the destination subscriber state machine * @return the detected ID of the protocol * */ @@ -334,9 +318,7 @@ extern "C" { struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t packet_time_ms, - struct ndpi_id_struct *src, - struct ndpi_id_struct *dst); + const u_int64_t packet_time_ms); /** * Get the main protocol of the passed flows for the detected module * 
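Review bot: In src/include/ndpi_api.h.in, the header gives integrators no migration hint for what is a source-incompatible public API change. The hunks drop the `src`/`dst` parameters from `ndpi_process_extra_packet` and `ndpi_detection_process_packet`, and remove `SIZEOF_ID_STRUCT` and `ndpi_detection_get_sizeof_ndpi_id_struct`. `NDPI_API_VERSION` is substituted at configure time, so whether it is raised cannot be seen from these hunks; it should be if it has not been. A doc-comment line on both functions would help, e.g. `@note the src/dst id structs are no longer accepted; correlation among flows is done via LRU caches`.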
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index bdbc622d5..c5e98ec78 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -530,52 +530,6 @@ struct ndpi_lru_cache { struct ndpi_lru_cache_entry *entries; }; -struct ndpi_id_struct { - /** - detected_protocol_bitmask: - access this bitmask to find out whether an id has used skype or not - if a flag is set here, it will not be reset - to compare this, use: - **/ - NDPI_PROTOCOL_BITMASK detected_protocol_bitmask; - - /* NDPI_PROTOCOL_IRC_MAXPORT % 2 must be 0 */ - /* NDPI_PROTOCOL_IRC */ -#define NDPI_PROTOCOL_IRC_MAXPORT 8 - u_int16_t irc_port[NDPI_PROTOCOL_IRC_MAXPORT]; - u_int32_t last_time_port_used[NDPI_PROTOCOL_IRC_MAXPORT]; - u_int32_t irc_ts; - - /* NDPI_PROTOCOL_GNUTELLA */ - u_int32_t gnutella_ts; - - /* NDPI_PROTOCOL_JABBER */ - u_int32_t jabber_stun_or_ft_ts; - - /* NDPI_PROTOCOL_DIRECTCONNECT */ - u_int32_t directconnect_last_safe_access_time; - - /* NDPI_PROTOCOL_DIRECTCONNECT */ - u_int16_t detected_directconnect_port; - u_int16_t detected_directconnect_udp_port; - u_int16_t detected_directconnect_ssl_port; - - /* NDPI_PROTOCOL_JABBER */ -#define JABBER_MAX_STUN_PORTS 6 - u_int16_t jabber_voice_stun_port[JABBER_MAX_STUN_PORTS]; - u_int16_t jabber_file_transfer_port[2]; - - /* NDPI_PROTOCOL_GNUTELLA */ - u_int16_t detected_gnutella_udp_port1; - u_int16_t detected_gnutella_udp_port2; - - /* NDPI_PROTOCOL_IRC */ - u_int8_t irc_number_of_port; - - /* NDPI_PROTOCOL_JABBER */ - u_int8_t jabber_voice_stun_used_ports; -}; - /* ************************************************** */ struct ndpi_flow_tcp_struct { 
@@ -850,7 +804,6 @@ typedef enum { NDPI_CONFIDENCE_UNKNOWN = 0, /* Unknown classification */ NDPI_CONFIDENCE_MATCH_BY_PORT, /* Classification obtained looking only at the L4 ports */ NDPI_CONFIDENCE_MATCH_BY_IP, /* Classification obtained looking only at the L3 addresses */ - NDPI_CONFIDENCE_DPI_SRC_DST_ID, /* Classification results based on ndpi_id_struct structures */ NDPI_CONFIDENCE_DPI_CACHE, /* Classification results based on same LRU cache (i.e. correlation among sessions) */ NDPI_CONFIDENCE_DPI, /* Deep packet inspection */ @@ -1399,9 +1352,6 @@ struct ndpi_flow_struct { /* NDPI_PROTOCOL_TINC */ u_int8_t tinc_state; struct tinc_cache_entry tinc_cache_entry; - - struct ndpi_id_struct *src; - struct ndpi_id_struct *dst; }; #define NDPI_PROTOCOL_DEFAULT_LEVEL 0 diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 200486bf0..063b65a54 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -246,12 +246,6 @@ u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void) { /* *********************************************************************************** */ -u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void) { - return(sizeof(struct ndpi_id_struct)); -} - -/* *********************************************************************************** */ - u_int32_t ndpi_detection_get_sizeof_ndpi_flow_tcp_struct(void) { return(sizeof(struct ndpi_flow_tcp_struct)); } @@ -5279,7 +5273,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, const unsigned short packetlen, - const u_int64_t current_time_ms, struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { + const u_int64_t current_time_ms) { if(flow == NULL) return; 
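Review bot: In src/include/ndpi_typedefs.h, removing `NDPI_CONFIDENCE_DPI_SRC_DST_ID` from the middle of the enum shifts `NDPI_CONFIDENCE_DPI_CACHE` and `NDPI_CONFIDENCE_DPI` down by one, because only `NDPI_CONFIDENCE_UNKNOWN = 0` carries an explicit value. Anything that stores or exports the number rather than the name (language bindings, serialized flow records, downstream rules keyed on confidence) would then read older data as a different confidence level. Consider giving each enumerator an explicit value, or at least adding `/* value 3 was NDPI_CONFIDENCE_DPI_SRC_DST_ID (removed) */` so the renumbering is visible and deliberate. The end of the enum is outside the hunk.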
@@ -5287,9 +5281,6 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, st if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) return; - /* detect traffic for tcp or udp only */ - flow->src = src, flow->dst = dst; - ndpi_connection_tracking(ndpi_str, flow); /* call the extra packet function (which may add more data/info to flow) */ @@ -5633,8 +5624,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, - const unsigned short packetlen, const u_int64_t current_time_ms, - struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { + const unsigned short packetlen, const u_int64_t current_time_ms) { struct ndpi_packet_struct *packet = &ndpi_str->packet; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; u_int32_t num_calls = 0; @@ -5664,7 +5654,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ret.app_protocol = flow->detected_protocol_stack[0]; if(flow->check_extra_packets) { - ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms, src, dst); + ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms); /* Update in case of new match */ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0], @@ -5679,9 +5669,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) return ret; - /* detect traffic for tcp or udp only */ - flow->src = src, flow->dst = dst; - ndpi_connection_tracking(ndpi_str, flow); /* build ndpi_selection packet bitmask */ 
@@ -6419,23 +6406,7 @@ u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol, ndpi_confidence_t confidence) { - struct ndpi_id_struct *src = flow->src, *dst = flow->dst; - ndpi_int_change_protocol(ndpi_str, flow, upper_detected_protocol, lower_detected_protocol, confidence); - - if(src != NULL) { - NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, upper_detected_protocol); - - if(lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN) - NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, lower_detected_protocol); - } - - if(dst != NULL) { - NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, upper_detected_protocol); - - if(lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN) - NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, lower_detected_protocol); - } } /* ********************************************************************************* */ @@ -6857,8 +6828,6 @@ const char *ndpi_confidence_get_name(ndpi_confidence_t confidence) return "Match by port"; case NDPI_CONFIDENCE_MATCH_BY_IP: return "Match by IP"; - case NDPI_CONFIDENCE_DPI_SRC_DST_ID: - return "DPI (src/dst ids)"; case NDPI_CONFIDENCE_DPI_CACHE: return "DPI (cache)"; case NDPI_CONFIDENCE_DPI: diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index 55a3f8145..ea418f36d 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c 
@@ -77,151 +77,23 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s struct ndpi_flow_struct *flow, const u_int8_t connection_type) { - - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - - if(src != NULL) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - if(connection_type == DIRECT_CONNECT_TYPE_PEER) { - if(packet->tcp != NULL - && flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) { - src->detected_directconnect_port = packet->tcp->source; - NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port)); - } - if(packet->udp != NULL && src->detected_directconnect_udp_port == 0) { - src->detected_directconnect_udp_port = packet->udp->source; - NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port)); - - } - } - - } - if(dst != NULL) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - if(connection_type == DIRECT_CONNECT_TYPE_PEER) { - if(packet->tcp != NULL - && flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) { - /* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS - * seen at large customer http servers, where someone has send faked DC tcp packets - * to the server - */ - - /* - dst->detected_directconnect_port = packet->tcp->dest; - NDPI_LOG_DBG2(ndpi_struct, - "DC tcp PORT %u for dst\n", - ntohs (dst->detected_directconnect_port)); - */ - } - } - } } static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = 
flow->dst; - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { if(packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) { - u_int16_t ssl_port = parse_binf_message(ndpi_struct, - &packet->payload[4], - packet->payload_packet_len - 4); - if(dst != NULL && ssl_port) - dst->detected_directconnect_ssl_port = ssl_port; - - if(src != NULL && ssl_port) - src->detected_directconnect_ssl_port = ssl_port; + parse_binf_message(ndpi_struct, + &packet->payload[4], + packet->payload_packet_len - 4); } - if((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42) - && memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) { - u_int16_t bytes_read = 0; - if(dst != NULL) { - dst->detected_directconnect_ssl_port = - ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port)); - } - if(src != NULL) { - src->detected_directconnect_ssl_port = - ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port)); - } - - - } return; } - if(src != NULL) { - if(src->detected_directconnect_port == packet->tcp->source) { - if((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - src->detected_directconnect_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); - return; - } - } - if(src->detected_directconnect_ssl_port == packet->tcp->dest) { - 
if((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - src->detected_directconnect_ssl_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); - return; - } - } - - } - - if(dst != NULL) { - if(dst->detected_directconnect_port == packet->tcp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_port = 0; - NDPI_LOG_DBG(ndpi_struct, "resetting dst port due to timeout\n"); - return; - } - } - if(dst->detected_directconnect_ssl_port == packet->tcp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_ssl_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n"); - return; - } - } - - } if(flow->directconnect_stage 
== 0) { 
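Review bot: In src/lib/protocols/directconnect.c, `ndpi_int_directconnect_add_connection` no longer reads its `connection_type` parameter, and in `ndpi_search_directconnect_tcp` the value returned by `parse_binf_message` is now discarded. The body of `parse_binf_message` is outside the hunk; if it has no side effects, the `BINF` branch only parses untrusted payload for nothing and can be dropped, otherwise the intent should be marked with `(void)parse_binf_message(...)` and a short comment. For the parameter, either remove it together with the callers' argument or add `(void)connection_type;` so builds with `-Wunused-parameter` stay clean. ndpi_search_directconnect_tcp continues past the end of the hunk.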
@@ -308,124 +180,15 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n } -static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - int pos, count = 0; - - if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using udp port %d\n", ntohs(dst->detected_directconnect_udp_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_udp_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting dst udp port due to timeout\n"); - return; - } - } - - if(packet->payload_packet_len > 58) { - if(src != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) { - if(packet->payload[0] == '$' - && packet->payload[packet->payload_packet_len - 1] == '|' - && memcmp(&packet->payload[1], "SR ", 3) == 0) { - pos = packet->payload_packet_len - 2; - if(packet->payload[pos] == ')') { - while (pos > 0 && packet->payload[pos] != '(' && count < 21) { - pos--; - count++; - } - if(packet->payload[pos] == '(') { - pos = pos - 44; - if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); - ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; - } - } - } - flow->directconnect_stage++; - if(flow->directconnect_stage < 3) - return; - } - - } - if(dst != NULL - && 
NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) { - if(packet->payload[0] == '$' - && packet->payload[packet->payload_packet_len - 1] == '|' - && memcmp(&packet->payload[1], "SR ", 3) == 0) { - pos = packet->payload_packet_len - 2; - if(packet->payload[pos] == ')') { - while (pos > 0 && packet->payload[pos] != '(' && count < 21) { - pos--; - count++; - } - if(packet->payload[pos] == '(') { - pos = pos - 44; - if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); - ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; - } - } - } - flow->directconnect_stage++; - if(flow->directconnect_stage < 3) - return; - } - } - - } - NDPI_LOG_DBG(ndpi_struct, "excluded DC at stage %d \n", flow->directconnect_stage); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT); - - -} - void ndpi_search_directconnect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; NDPI_LOG_DBG(ndpi_struct, "search DC\n"); - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { - if(src != NULL && ((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < - ndpi_struct->directconnect_connection_ip_tick_timeout)) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - - } else if(dst != NULL && ((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < - ndpi_struct->directconnect_connection_ip_tick_timeout)) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - } else { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_UNKNOWN); - NDPI_LOG_DBG2(ndpi_struct, "skipping as unknown 
due to timeout\n"); - } - return; - } - if(packet->tcp != NULL) { ndpi_search_directconnect_tcp(ndpi_struct, flow); - } else if(packet->udp != NULL) { - ndpi_search_directconnect_udp(ndpi_struct, flow); } } @@ -435,7 +198,8 @@ void init_directconnect_dissector(struct ndpi_detection_module_struct *ndpi_stru ndpi_set_bitmask_protocol_detection("DirectConnect", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DIRECTCONNECT, ndpi_search_directconnect, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, + /* TODO: UDP?*/ + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 2af76085f..ecb93d53f 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c 
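Review bot: In src/lib/protocols/directconnect.c (init_directconnect_dissector), the new comment `/* TODO: UDP?*/` does not say what is lost when the selection bitmask becomes TCP-only. With `ndpi_search_directconnect_udp` removed in the preceding hunk, DirectConnect traffic over UDP is no longer classified by this dissector, which is a detection-coverage change for anyone using the result for monitoring or policy. The removed UDP path depended on the `ndpi_id_struct` fields, so a fuller comment would be accurate, e.g. `/* UDP detection relied on ndpi_id_struct and was removed with it; TODO: re-implement via LRU cache */`.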
@@ -33,67 +33,18 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN, confidence); NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n"); - - if (src != NULL) { - src->gnutella_ts = packet->current_time_ms; - if (packet->udp != NULL) { - if (!src->detected_gnutella_udp_port1) { - src->detected_gnutella_udp_port1 = (packet->udp->source); - NDPI_LOG_DBG2(ndpi_struct, - "GNUTELLA UDP PORT1 DETECTED as %u\n", src->detected_gnutella_udp_port1); - - } else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1) - && !src->detected_gnutella_udp_port2) { - src->detected_gnutella_udp_port2 = (packet->udp->source); - NDPI_LOG_DBG2(ndpi_struct, - "GNUTELLA UDP PORT2 DETECTED as %u\n", src->detected_gnutella_udp_port2); - - } - } - } - if (dst != NULL) { - dst->gnutella_ts = packet->current_time_ms; - } } void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; u_int16_t c; NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) { - if (src != NULL && ((u_int32_t) - (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "save src connection packet detected\n"); - src->gnutella_ts = packet->current_time_ms; - } else if (dst != NULL && ((u_int32_t) - (packet->current_time_ms - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "save dst connection packet detected\n"); - dst->gnutella_ts = packet->current_time_ms; 
- } - if (src != NULL && (packet->current_time_ms - src->gnutella_ts) > ndpi_struct->gnutella_timeout) { - src->detected_gnutella_udp_port1 = 0; - src->detected_gnutella_udp_port2 = 0; - } - if (dst != NULL && (packet->current_time_ms - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) { - dst->detected_gnutella_udp_port1 = 0; - dst->detected_gnutella_udp_port2 = 0; - } - - return; - } - /* skip packets without payload */ if (packet->payload_packet_len < 2) { return; @@ -234,12 +185,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru } } } else if (packet->udp != NULL) { - if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 || - packet->udp->source == src->detected_gnutella_udp_port2) && - (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "port based detection\n\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } /* observations: * all the following patterns send out many packets which are the only ones of their flows, * often on the very beginning of the traces, or flows with many packets in one direction only. 
@@ -333,20 +278,18 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (flow->packet_counter == 2 && (packet->payload_packet_len == 33 || packet->payload_packet_len == 22) && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0] && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] - && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] - && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { + && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) { NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } else if (flow->l4.tcp.gnutella_stage == 2 - packet->packet_direction) { if (flow->packet_counter == 2 && (packet->payload_packet_len == 10 || packet->payload_packet_len == 75) && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0] && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] - && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] - && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { + && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) { NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 61dafc2d6..ce8b20c12 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -60,10 +60,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - if(NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) { - goto icecast_exclude; - } - if(flow == NULL) return; if((packet->packet_direction == flow->setup_packet_direction) 
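Review bot: Dropping the `NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)` term leaves both NEONet branches deciding on a short signature: `flow->packet_counter == 2`, two allowed payload lengths, and three payload bytes equal to the stored `gnutella_msg_id`. The result is now reported as `NDPI_CONFIDENCE_DPI` instead of `NDPI_CONFIDENCE_DPI_SRC_DST_ID`, so an unrelated flow whose second packet repeats those three bytes would be labelled Gnutella with nothing marking the match as heuristic. I would document this above each branch, e.g. `/* NEONet heuristic: 3 message-ID bytes + length only, no host-level corroboration */`. It is also worth checking whether the LRU-cache correlation mentioned in the commit message should back this match. ndpi_search_gnutella starts and ends outside the hunk.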
@@ -89,7 +85,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - icecast_exclude: NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 6ff3af836..33c41a4c3 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -29,38 +29,11 @@ #include "ndpi_api.h" -#define NDPI_IRC_FIND_LESS(time_err,less) {int t1 = 0; \ - u_int32_t timestamp = time_err[0]; \ - for(t1=0;t1 < NDPI_PROTOCOL_IRC_MAXPORT;t1++) { \ - if(timestamp > time_err[t1]) { \ - timestamp = time_err[t1]; \ - less = t1;}}} - static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); } - - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_duplicate(struct ndpi_id_struct *id_t, u_int16_t port) -{ - int index = 0; - while (index < id_t->irc_number_of_port) { - if (port == id_t->irc_port[index]) - return 1; - index++; - } - return 0; -} - static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -369,17 +342,9 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - int less; u_int16_t c = 0; - u_int16_t port = 0; - u_int16_t sport = 0; - u_int16_t dport = 0; - u_int16_t counter = 0; u_int16_t i = 0; u_int16_t j = 0; - u_int16_t k = 0; u_int16_t h; u_int16_t http_content_ptr_len = 0; u_int8_t space = 0; 
@@ -391,53 +356,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) { - if (src != NULL && ((u_int32_t) - (packet->current_time_ms - src->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "irc : save src connection packet detected\n"); - src->irc_ts = packet->current_time_ms; - } else if (dst != NULL && ((u_int32_t) - (packet->current_time_ms - dst->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "irc : save dst connection packet detected\n"); - dst->irc_ts = packet->current_time_ms; - } - } - - if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) - && ((u_int32_t) - (packet->current_time_ms - dst->irc_ts)) < - ndpi_struct->irc_timeout)) || (src != NULL - && - NDPI_COMPARE_PROTOCOL_TO_BITMASK - (src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) - && ((u_int32_t) - (packet->current_time_ms - src->irc_ts)) < ndpi_struct->irc_timeout)) { - if (packet->tcp != NULL) { - sport = packet->tcp->source; - dport = packet->tcp->dest; - } - if (dst != NULL) { - for (counter = 0; counter < dst->irc_number_of_port; counter++) { - if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) { - dst->last_time_port_used[counter] = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } - } - } - if (src != NULL) { - for (counter = 0; counter < src->irc_number_of_port; counter++) { - if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) { - src->last_time_port_used[counter] = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } - } - } - } - if 
(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(ndpi_struct, flow) != 0) { return; 
@@ -667,70 +585,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (space == 3) { j++; NDPI_LOG_DBG2(ndpi_struct, "read port."); - if (src != NULL) { - k = j; - port = - ntohs_ndpi_bytestream_to_number - (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG_DBG2(ndpi_struct, "port %u.", - port); - j = k; - // hier jetzt überlegen, wie die ports abgespeichert werden sollen - if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT) - NDPI_LOG_DBG2(ndpi_struct, "src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT."); - if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { - if (!ndpi_is_duplicate(src, port)) { - src->irc_port[src->irc_number_of_port] - = port; - src->irc_number_of_port++; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee", - ntohs(get_u_int16_t(src->irc_port, 0))); - } - src->irc_ts = packet->current_time_ms; - } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { - if (!ndpi_is_duplicate(src, port)) { - less = 0; - NDPI_IRC_FIND_LESS(src->last_time_port_used, less); - src->irc_port[less] = port; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0))); - } - src->irc_ts = packet->current_time_ms; - } - if (dst == NULL) { - break; - } - } - if (dst != NULL) { - port = ntohs_ndpi_bytestream_to_number - (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG_DBG2(ndpi_struct, "port %u.", port); - // hier das gleiche wie oben. - /* hier werden NDPI_PROTOCOL_IRC_MAXPORT ports pro irc flows mitgespeichert. könnte man denn nicht ein- - * fach an die dst oder src einen flag setzten, dass dieser port für eine bestimmte - * zeit ein irc-port bleibt? 
- */ - if (dst->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { - if (!ndpi_is_duplicate(dst, port)) { - dst->irc_port[dst->irc_number_of_port] - = port; - dst->irc_number_of_port++; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); - NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu"); - } - dst->irc_ts = packet->current_time_ms; - } else if (port != 0 && dst->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { - if (!ndpi_is_duplicate(dst, port)) { - less = 0; - NDPI_IRC_FIND_LESS(dst->last_time_port_used, less); - dst->irc_port[less] = port; - - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); - } - dst->irc_ts = packet->current_time_ms; - } - - break; - } } diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c index a5e5a069e..89dd3c8db 100644 --- a/src/lib/protocols/jabber.c +++ b/src/lib/protocols/jabber.c @@ -65,9 +65,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - u_int16_t x; NDPI_LOG_DBG(ndpi_struct, "search JABBER\n"); 
@@ -76,193 +73,10 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st return; } - /* search for jabber file transfer */ - /* this part is working asymmetrically */ - if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) { - NDPI_LOG_DBG2(ndpi_struct, "check jabber syn\n"); - if (src != NULL && src->jabber_file_transfer_port[0] != 0) { - NDPI_LOG_DBG2(ndpi_struct, "src jabber ft port set, ports are: %u, %u\n", - ntohs(src->jabber_file_transfer_port[0]), - ntohs(src->jabber_file_transfer_port[1])); - if (((u_int32_t) - (packet->current_time_ms - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n", - src->jabber_stun_or_ft_ts, packet->current_time_ms); - src->jabber_file_transfer_port[0] = 0; - src->jabber_file_transfer_port[1] = 0; - } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest - || src->jabber_file_transfer_port[0] == packet->tcp->source - || src->jabber_file_transfer_port[1] == packet->tcp->dest - || src->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); - - ndpi_int_jabber_add_connection(ndpi_struct, flow, - NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } - } - if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) { - NDPI_LOG_DBG2(ndpi_struct, "dst jabber ft port set, ports are: %u, %u\n", - ntohs(dst->jabber_file_transfer_port[0]), - ntohs(dst->jabber_file_transfer_port[1])); - if (((u_int32_t) - (packet->current_time_ms - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n", - dst->jabber_stun_or_ft_ts, packet->current_time_ms); - dst->jabber_file_transfer_port[0] = 0; - dst->jabber_file_transfer_port[1] = 0; - } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest - || dst->jabber_file_transfer_port[0] == 
packet->tcp->source - || dst->jabber_file_transfer_port[1] == packet->tcp->dest - || dst->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); - - ndpi_int_jabber_add_connection(ndpi_struct, flow, - NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } - } - return; - } - if (packet->tcp != 0 && packet->payload_packet_len == 0) { return; } - - /* this part parses a packet and searches for port=. it works asymmetrically. */ - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_JABBER) { - u_int16_t lastlen; - u_int16_t j_port = 0; - /* check for google jabber voip connections ... */ - /* need big packet */ - if (packet->payload_packet_len < 100) { - NDPI_LOG_DBG2(ndpi_struct, "packet too small, return\n"); - return; - } - /* need message to or type for file-transfer */ - if (memcmp(packet->payload, "<iq from=\"", 10) == 0 || memcmp(packet->payload, "<iq from=\'", 10) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq from=\"\n"); - lastlen = packet->payload_packet_len - 11; - for (x = 10; x < lastlen; x++) { - if (packet->payload[x] == 'p') { - if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "port=\n"); - if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->current_time_ms; - } - x += 6; - j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); - if (src != NULL) { - if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[1] = j_port; - } - } - if (dst != 
NULL) { - if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[1] = j_port; - } - } - } - - - } - } - - } else if (memcmp(packet->payload, "<iq to=\"", 8) == 0 || memcmp(packet->payload, "<iq to=\'", 8) == 0 - || memcmp(packet->payload, "<iq type=", 9) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq to=\"/type=\"\n"); - lastlen = packet->payload_packet_len - 21; - for (x = 8; x < lastlen; x++) { - /* invalid character */ - if (packet->payload[x] < 32 || packet->payload[x] > 127) { - return; - } - if (packet->payload[x] == '@') { - NDPI_LOG_DBG2(ndpi_struct, "JABBER @\n"); - break; - } - } - if (x >= lastlen) { - return; - } - - lastlen = packet->payload_packet_len - 10; - for (; x < lastlen; x++) { - if (packet->payload[x] == 'p') { - if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "port=\n"); - if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - x += 6; - j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); - - if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { - if (packet->payload[5] == 'o') { - src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++] - = j_port; - } else { - if (src->jabber_file_transfer_port[0] == 0 - || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[0] = j_port; - } else { - 
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[1] = j_port; - } - } - } - - if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { - if (packet->payload[5] == 'o') { - dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++] - = j_port; - } else { - if (dst->jabber_file_transfer_port[0] == 0 - || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[1] = j_port; - } - } - } - return; - } - } - } - } - return; - } - - /* search for jabber here */ /* this part is working asymmetrically */ if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0) diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c index 7b5625511..caafa4e4c 100644 --- a/src/lib/protocols/thunder.c +++ b/src/lib/protocols/thunder.c @@ -135,11 +135,9 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; if (packet->payload_packet_len > 5 - && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) { + && memcmp(packet->payload, "GET /", 5) == 0) { NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n"); ndpi_parse_packet_line_info(ndpi_struct, flow); diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c index 2d35fe7ab..8b6da51f9 100644 --- a/src/lib/protocols/world_of_warcraft.c +++ b/src/lib/protocols/world_of_warcraft.c 
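Review bot: In ndpi_int_search_thunder_http the condition is now only `packet->payload_packet_len > 5 && memcmp(packet->payload, "GET /", 5) == 0`, so `ndpi_parse_packet_line_info` runs for every HTTP GET that reaches this dissector. Before this change it ran only for hosts already associated with Thunder. The header checks after the parse are outside the hunk, so I cannot confirm they are strict enough alone; they now carry all of the discrimination against ordinary web traffic. A comment stating that would help the next maintainer, e.g. `/* no host-level gate: every "GET /" payload is parsed; the header checks below are the only Thunder discriminator */`.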
@@ -56,9 +56,6 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - NDPI_LOG_DBG(ndpi_struct, "search World of Warcraft\n"); if (packet->tcp != NULL) { @@ -108,14 +105,11 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct return; } - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0) { - if (packet->tcp->source == htons(3724) - && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { - ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); - return; - } - + if (packet->tcp->source == htons(3724) + && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { + ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); + return; } /* for some well known WoW ports |
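Review bot: In the second hunk, un-nesting the check from `NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT)` means one 8-byte packet from TCP source port 3724 starting with `0x0006ec01` now classifies any flow. Previously that required a WoW detection already recorded for one of the endpoints. The port and the magic value are bare literals, and nothing records that the signature used to be corroborated. I would name them or add a comment such as `/* 8-byte packet from TCP port 3724 starting with 0x0006ec01; no longer gated on a prior WoW detection for src/dst */`. The `packet->tcp->source` dereference presumably still sits inside the `if (packet->tcp != NULL)` block shown in the first hunk, but that block's closing brace is outside both hunks, so it is worth confirming.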