author | Luca <deri@ntop.org> | 2015-07-01 17:40:14 +0200 |
---|---|---|
committer | Luca <deri@ntop.org> | 2015-07-01 17:40:14 +0200 |
commit | 60884f9047882863d27f7e8f5fb760897c599800 (patch) | |
tree | 2b09f2ec1a551b59a98baee790c858fb3e038ffe | |
parent | 49ea23530f876930896dc5aa6a84ef6219589171 (diff) |
Split former protocol into upper and lower protocol
138 files changed, 1578 insertions, 1636 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index d642f2501..e0a46829d 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -977,7 +977,7 @@ static unsigned int packet_processing(u_int16_t thread_id, flow->detection_completed = 1; if((flow->detected_protocol == NDPI_PROTOCOL_UNKNOWN) && (ndpi_flow->num_stun_udp_pkts > 0)) - ndpi_set_detected_protocol(ndpi_thread_info[thread_id].ndpi_struct, ndpi_flow, NDPI_PROTOCOL_STUN); + ndpi_set_detected_protocol(ndpi_thread_info[thread_id].ndpi_struct, ndpi_flow, NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN); snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", flow->ndpi_flow->host_server_name); diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index 11182ad31..ab869b167 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -99,8 +99,9 @@ u_int32_t ndpi_bytestream_to_ipv4(const u_int8_t * str, u_int16_t max_chars_to_r void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t detected_protocol/* , ndpi_protocol_type_t protocol_type */); + struct ndpi_flow_struct *flow, + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol); /* function to parse a packet which has line based information into a line based structure 
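Review bot: The new `ndpi_set_detected_protocol` prototype in ndpi_main.h takes two adjacent `u_int16_t` arguments with no comment saying which is which, so a call that swaps them compiles silently and records the wrong classification. I would add a comment above the declaration such as `/* upper_detected_protocol is stored in detected_protocol_stack[0], lower_detected_protocol in detected_protocol_stack[1]; pass NDPI_PROTOCOL_UNKNOWN when there is no lower protocol */`, which matches what the ndpi_main.c hunks of this commit do. The same comment is missing on `ndpi_int_change_packet_protocol` and `ndpi_int_change_protocol` in the `@@ -112,11 +113,12 @@` hunk of this header. The commit also deletes the only descriptive comments for these functions from ndpi_main.c, so the header is the natural place to keep them.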
@@ -112,11 +113,12 @@ extern void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct extern u_int16_t ndpi_check_for_email_address(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t counter); extern void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t detected_protocol/* , ndpi_protocol_type_t protocol_type */); + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol); extern void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t detected_protocol/* , */ - /* ndpi_protocol_type_t protocol_type */); + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol); extern void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol_breed_t protoBreed, u_int16_t protoId, u_int16_t tcp_alias_protoId[2], u_int16_t udp_alias_protoId[2], @@ -147,8 +149,8 @@ extern u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst, u_int32_t net, u_int32_t num_bits); #ifdef NDPI_ENABLE_DEBUG_MESSAGES - void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct, - const char **file, const char **func, u_int32_t * line); +void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct, + const char **file, const char **func, u_int32_t * line); #endif #include "ndpi_api.h" diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index bd5547eaf..c02cd56b9 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -4881,31 +4881,42 @@ u_int8_t ndpi_detection_get_l4(const u_int8_t * l3, u_int16_t l3_len, const u_in void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t detected_protocol) + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol) { struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_int_change_protocol(ndpi_struct, flow, detected_protocol); + ndpi_int_change_protocol(ndpi_struct, flow, upper_detected_protocol, lower_detected_protocol); - if(src != NULL) - NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, detected_protocol); - - if(dst != NULL) - NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, detected_protocol); + if(src != NULL) { + NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, upper_detected_protocol); + + if(lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN) + NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, lower_detected_protocol); + } + + if(dst != NULL) { + NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, upper_detected_protocol); + + if(lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN) + NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, lower_detected_protocol); + } } void ndpi_int_change_flow_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t detected_protocol) { + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol) { if(!flow) return; - flow->detected_protocol_stack[0] = detected_protocol; + flow->detected_protocol_stack[0] = upper_detected_protocol, flow->detected_protocol_stack[1] = lower_detected_protocol; } void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t detected_protocol) { + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol) { struct ndpi_packet_struct *packet = &flow->packet; /* 
NOTE: everything below is identically to change_flow_protocol * except flow->packet If you want to change something here, @@ -4915,7 +4926,7 @@ void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_s if(!packet) return; - packet->detected_protocol_stack[0] = detected_protocol; + packet->detected_protocol_stack[0] = upper_detected_protocol, packet->detected_protocol_stack[1] = lower_detected_protocol; } /* @@ -4940,34 +4951,6 @@ u_int8_t ndpi_detection_flow_protocol_history_contains_protocol(struct ndpi_dete return 0; } -/* generic function for setting a protocol for a flow - * - * what it does is: - * 1.call ndpi_int_change_protocol - * 2.set protocol in detected bitmask for src and dst - */ -void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t detected_protocol); - -/* generic function for changing the flow protocol - * - * what it does is: - * 1.update the flow protocol stack with the new protocol - */ -void ndpi_int_change_flow_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t detected_protocol); - -/* generic function for changing the packetprotocol - * - * what it does is: - * 1.update the packet protocol stack with the new protocol - */ -void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t detected_protocol); - /* generic function for changing the protocol * * what it does is: 
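Review bot: In `ndpi_int_change_flow_protocol` the two stack writes are joined with the comma operator on one line, and the `@@ -4915,7 +4926,7 @@` hunk does the same for `packet->detected_protocol_stack`. It behaves correctly but reads like a typo for `;`, so I would write two statements: `flow->detected_protocol_stack[0] = upper_detected_protocol;` followed by `flow->detected_protocol_stack[1] = lower_detected_protocol;`. Separately, `ndpi_set_detected_protocol` reads `flow->src` and `flow->dst` before the helper's `if(!flow) return;` can run, and `if(!packet)` tests the address of a member of `flow`, so neither check reliably protects against a NULL flow. Either test `flow` once at the top of `ndpi_set_detected_protocol`, or drop the checks if callers guarantee a non-NULL flow.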
@@ -4976,10 +4959,10 @@ void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_s */ void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t detected_protocol) -{ - ndpi_int_change_flow_protocol(ndpi_struct, flow, detected_protocol); - ndpi_int_change_packet_protocol(ndpi_struct, flow, detected_protocol); + u_int16_t upper_detected_protocol, + u_int16_t lower_detected_protocol) { + ndpi_int_change_flow_protocol(ndpi_struct, flow, upper_detected_protocol, lower_detected_protocol); + ndpi_int_change_packet_protocol(ndpi_struct, flow, upper_detected_protocol, lower_detected_protocol); } @@ -5328,6 +5311,9 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str #endif if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + /* Move the protocol on slot 0 down one position */ + packet->detected_protocol_stack[1] = packet->detected_protocol_stack[0]; + packet->detected_protocol_stack[0] = matching_protocol_id; if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c index 5eb7862b4..2ed7b5ccc 100644 --- a/src/lib/protocols/afp.c +++ b/src/lib/protocols/afp.c @@ -29,7 +29,7 @@ static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AFP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AFP, NDPI_PROTOCOL_UNKNOWN); } 
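Review bot: In the `@@ -5328,6 +5311,9 @@` hunk of `ndpi_automa_match_string_subprotocol`, slot 0 of `packet->detected_protocol_stack` is copied to slot 1 unconditionally before the match is written to slot 0. If slot 0 already holds `matching_protocol_id` (for example when the matcher runs again on a later packet of the same flow, which I cannot confirm from the hunk), both slots end up with the same id and the previous lower protocol is lost. A guard such as `if(packet->detected_protocol_stack[0] != matching_protocol_id) packet->detected_protocol_stack[1] = packet->detected_protocol_stack[0];` would avoid that. Only the packet stack is shifted in the visible lines. The flow stack is handled after the `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)` test, which continues outside the hunk, so it is worth checking that both stacks stay consistent.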
@@ -37,39 +37,38 @@ void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct nd { struct ndpi_packet_struct *packet = &flow->packet; // struct ndpi_id_struct *src = flow->src; -// struct ndpi_id_struct *dst = flow->dst; + // struct ndpi_id_struct *dst = flow->dst; + /* + * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol + * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks + */ + if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) && + get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && + get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && + get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) { - /* - * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol - * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks - */ - if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) && - get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && - get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && - get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) { + NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n"); + ndpi_int_afp_add_connection(ndpi_struct, flow); + return; + } - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n"); - ndpi_int_afp_add_connection(ndpi_struct, flow); - return; - } + /* + * detection of GetStatus command of DSI protocl + */ + if (packet->payload_packet_len >= 18 && get_u_int16_t(packet->payload, 0) == htons(0x0003) && + get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && + 
get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && + get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0f00)) { - /* - * detection of GetStatus command of DSI protocl - */ - if (packet->payload_packet_len >= 18 && get_u_int16_t(packet->payload, 0) == htons(0x0003) && - get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && - get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && - get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0f00)) { + NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI GetStatus detected.\n"); + ndpi_int_afp_add_connection(ndpi_struct, flow); + return; + } - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI GetStatus detected.\n"); - ndpi_int_afp_add_connection(ndpi_struct, flow); - return; - } - - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AFP); + NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP excluded.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AFP); } #endif diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c index 414480577..9fd5172cb 100644 --- a/src/lib/protocols/aimini.c +++ b/src/lib/protocols/aimini.c @@ -31,7 +31,7 @@ static void ndpi_int_aimini_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AIMINI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AIMINI, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/applejuice.c b/src/lib/protocols/applejuice.c index e5d21b7fc..3ca4985a6 100644 --- a/src/lib/protocols/applejuice.c +++ b/src/lib/protocols/applejuice.c 
@@ -30,7 +30,7 @@ static void ndpi_int_applejuice_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLEJUICE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLEJUICE, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_applejuice_tcp(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/armagetron.c b/src/lib/protocols/armagetron.c index 0c75f8931..d97927b2e 100644 --- a/src/lib/protocols/armagetron.c +++ b/src/lib/protocols/armagetron.c @@ -33,7 +33,7 @@ static void ndpi_int_armagetron_add_connection(struct ndpi_detection_module_stru struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ARMAGETRON); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ARMAGETRON, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c index 06205c81c..ea190ed47 100644 --- a/src/lib/protocols/ayiya.c +++ b/src/lib/protocols/ayiya.c @@ -56,7 +56,7 @@ void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct now = flow->packet.tick_timestamp; if((epoch >= (now - fireyears)) && (epoch <= (now+86400 /* 1 day */))) - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AYIYA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AYIYA, NDPI_PROTOCOL_UNKNOWN); return; } diff --git a/src/lib/protocols/battlefield.c b/src/lib/protocols/battlefield.c index 9a36c673c..eef89afd1 100644 --- a/src/lib/protocols/battlefield.c +++ b/src/lib/protocols/battlefield.c 
@@ -33,7 +33,7 @@ static void ndpi_int_battlefield_add_connection(struct ndpi_detection_module_str struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BATTLEFIELD); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BATTLEFIELD, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { src->battlefield_ts = packet->tick_timestamp; diff --git a/src/lib/protocols/bgp.c b/src/lib/protocols/bgp.c index b5ad57c7a..6b937a453 100644 --- a/src/lib/protocols/bgp.c +++ b/src/lib/protocols/bgp.c @@ -29,7 +29,7 @@ static void ndpi_int_bgp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BGP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BGP, NDPI_PROTOCOL_UNKNOWN); } /* this detection also works asymmetrically */ diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index ee0117171..358ad7523 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -34,7 +34,7 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc const u_int8_t save_detection, const u_int8_t encrypted_connection/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT); + ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN); } static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c index a1fdcfc78..7d35a0cca 100644 --- a/src/lib/protocols/ciscovpn.c +++ b/src/lib/protocols/ciscovpn.c 
@@ -10,7 +10,7 @@ static void ndpi_int_ciscovpn_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CISCOVPN); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CISCOVPN, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/citrix.c b/src/lib/protocols/citrix.c index d35eb4823..a5e6ef9de 100644 --- a/src/lib/protocols/citrix.c +++ b/src/lib/protocols/citrix.c @@ -54,7 +54,7 @@ static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct, if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) { NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN); } return; @@ -64,7 +64,7 @@ static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct, if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) { NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN); } return; diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c index 1cb97c8fc..61ed95327 100644 --- a/src/lib/protocols/collectd.c +++ b/src/lib/protocols/collectd.c 
@@ -44,7 +44,7 @@ void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, stru if(len == packet->payload_packet_len) { NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "found COLLECTD.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_PROTOCOL_UNKNOWN); } else { NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "exclude COLLECTD.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COLLECTD); diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c index 2586d6740..c694d60a7 100644 --- a/src/lib/protocols/corba.c +++ b/src/lib/protocols/corba.c @@ -25,7 +25,7 @@ static void ndpi_int_corba_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CORBA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CORBA, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/crossfire.c b/src/lib/protocols/crossfire.c index c293eaea1..b70c7fceb 100644 --- a/src/lib/protocols/crossfire.c +++ b/src/lib/protocols/crossfire.c @@ -32,7 +32,7 @@ static void ndpi_int_crossfire_add_connection(struct ndpi_detection_module_struc struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CROSSFIRE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_crossfire_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index 20a78317a..4ae4a5d42 100644 --- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c 
@@ -29,7 +29,7 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index 1450f2613..4ae48cffb 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -29,7 +29,7 @@ static void ndpi_int_dhcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCP, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/dhcpv6.c b/src/lib/protocols/dhcpv6.c index 2c156c1ba..dcae86690 100644 --- a/src/lib/protocols/dhcpv6.c +++ b/src/lib/protocols/dhcpv6.c @@ -33,7 +33,7 @@ static void ndpi_int_dhcpv6_add_connection(struct ndpi_detection_module_struct * struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCPV6); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCPV6, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_dhcpv6_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index 8369d093d..67b09b501 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c 
@@ -81,7 +81,7 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { src->directconnect_last_safe_access_time = packet->tick_timestamp; @@ -168,7 +168,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT); + ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); src->directconnect_last_safe_access_time = packet->tick_timestamp; NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(src->detected_directconnect_port)); @@ -184,7 +184,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT); + ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); src->directconnect_last_safe_access_time = packet->tick_timestamp; NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(src->detected_directconnect_ssl_port)); 
@@ -204,7 +204,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); dst->directconnect_last_safe_access_time = packet->tick_timestamp; NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(dst->detected_directconnect_port)); @@ -220,7 +220,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); dst->directconnect_last_safe_access_time = packet->tick_timestamp; NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(dst->detected_directconnect_ssl_port)); @@ -352,7 +352,7 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); dst->directconnect_last_safe_access_time = packet->tick_timestamp; NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "marking using dc udp port\n %d", ntohs(dst->detected_directconnect_udp_port)); 
diff --git a/src/lib/protocols/directdownloadlink.c b/src/lib/protocols/directdownloadlink.c index 14da9e6d6..1d79eac6a 100644 --- a/src/lib/protocols/directdownloadlink.c +++ b/src/lib/protocols/directdownloadlink.c @@ -38,7 +38,7 @@ static void ndpi_int_direct_download_link_add_connection(struct ndpi_detection_m { struct ndpi_packet_struct *packet = &flow->packet; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, NDPI_PROTOCOL_UNKNOWN); flow->l4.tcp.ddlink_server_direction = packet->packet_direction; } diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index bed2e3108..9db7c8c7a 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -288,7 +288,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd matched a subprotocol */ NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, (dport == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS); + ndpi_set_detected_protocol(ndpi_struct, flow, (dport == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); } } else { flow->protos.dns.bad_packet = 1; diff --git a/src/lib/protocols/dofus.c b/src/lib/protocols/dofus.c index 10fb2b01c..f514b8f6f 100644 --- a/src/lib/protocols/dofus.c +++ b/src/lib/protocols/dofus.c 
@@ -30,120 +30,119 @@ static void ndpi_dofus_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOFUS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOFUS, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + struct ndpi_packet_struct *packet = &flow->packet; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - /* Dofus v 1.x.x */ - if (packet->payload_packet_len == 13 && get_u_int16_t(packet->payload, 1) == ntohs(0x0508) - && get_u_int16_t(packet->payload, 5) == ntohs(0x04a0) - && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == ntohs(0x0194)) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 3 && memcmp(packet->payload, "HG", 2) == 0 - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 35 && memcmp(packet->payload, "HC", 2) == 0 - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len > 2 && packet->payload[0] == 'A' - && (packet->payload[1] == 'x' || packet->payload[1] == 'X') - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - 
NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 12 && memcmp(packet->payload, "Af", 2) == 0 - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len > 2 && memcmp(packet->payload, "Ad", 2) - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (packet->payload_packet_len == 11 && memcmp(packet->payload, "AT", 2) == 0 && packet->payload[10] == 0x00) { - if (flow->l4.tcp.dofus_stage == 1) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; - } - } - if (flow->l4.tcp.dofus_stage == 1 && packet->payload_packet_len == 5 - && packet->payload[0] == 'A' && packet->payload[4] == 0x00 && (packet->payload[1] == 'T' - || packet->payload[1] == 'k')) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus asym.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; - } - /* end Dofus 1.x.x */ + /* Dofus v 1.x.x */ + if (packet->payload_packet_len == 13 && get_u_int16_t(packet->payload, 1) == ntohs(0x0508) + && get_u_int16_t(packet->payload, 5) == ntohs(0x04a0) + && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == ntohs(0x0194)) { + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 3 && memcmp(packet->payload, "HG", 2) == 0 + && packet->payload[packet->payload_packet_len - 1] == 0) { + flow->l4.tcp.dofus_stage = 1; + NDPI_LOG(NDPI_PROTOCOL_DOFUS, 
ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); + return; + } + if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 35 && memcmp(packet->payload, "HC", 2) == 0 + && packet->payload[packet->payload_packet_len - 1] == 0) { + flow->l4.tcp.dofus_stage = 1; + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); + return; + } + if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len > 2 && packet->payload[0] == 'A' + && (packet->payload[1] == 'x' || packet->payload[1] == 'X') + && packet->payload[packet->payload_packet_len - 1] == 0) { + flow->l4.tcp.dofus_stage = 1; + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); + return; + } + if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 12 && memcmp(packet->payload, "Af", 2) == 0 + && packet->payload[packet->payload_packet_len - 1] == 0) { + flow->l4.tcp.dofus_stage = 1; + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); + return; + } + if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len > 2 && memcmp(packet->payload, "Ad", 2) + && packet->payload[packet->payload_packet_len - 1] == 0) { + flow->l4.tcp.dofus_stage = 1; + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); + return; + } + if (packet->payload_packet_len == 11 && memcmp(packet->payload, "AT", 2) == 0 && packet->payload[10] == 0x00) { + if (flow->l4.tcp.dofus_stage == 1) { + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + } + if (flow->l4.tcp.dofus_stage == 1 && packet->payload_packet_len == 5 + && packet->payload[0] == 'A' && packet->payload[4] == 0x00 && (packet->payload[1] == 'T' + || packet->payload[1] == 'k')) { + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus asym.\n"); + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + /* end Dofus 1.x.x */ - /* Dofus 2.0 */ - if 
((packet->payload_packet_len == 11 || packet->payload_packet_len == 13 || packet->payload_packet_len == 49) - && get_u_int32_t(packet->payload, 0) == ntohl(0x00050800) - && get_u_int16_t(packet->payload, 4) == ntohs(0x0005) - && get_u_int16_t(packet->payload, 8) == ntohs(0x0005) - && packet->payload[10] == 0x18) { - if (packet->payload_packet_len == 13 - && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) != ntohs(0x0194)) { - goto exclude; - } - if (packet->payload_packet_len == 49 && ntohs(get_u_int16_t(packet->payload, 15)) + 17 != packet->payload_packet_len) { - goto exclude; - } - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len >= 41 && get_u_int16_t(packet->payload, 0) == ntohs(0x01b9) && packet->payload[2] == 0x26) { - u_int16_t len, len2; - len = ntohs(get_u_int16_t(packet->payload, 3)); - if ((len + 5 + 2) > packet->payload_packet_len) - goto exclude; - len2 = ntohs(get_u_int16_t(packet->payload, 5 + len)); - if (5 + len + 2 + len2 == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; - } - } - if (packet->payload_packet_len == 56 - && memcmp(packet->payload, "\x00\x11\x35\x02\x03\x00\x93\x96\x01\x00", 10) == 0) { - u_int16_t len, len2; - len = ntohs(get_u_int16_t(packet->payload, 10)); - if ((len + 12 + 2) > packet->payload_packet_len) - goto exclude; - len2 = ntohs(get_u_int16_t(packet->payload, 12 + len)); - if ((12 + len + 2 + len2 + 1) > packet->payload_packet_len) - goto exclude; - if (12 + len + 2 + len2 + 1 == packet->payload_packet_len && packet->payload[12 + len + 2 + len2] == 0x01) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; - } - } - exclude: - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, 
NDPI_LOG_DEBUG, "exclude dofus.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DOFUS); + /* Dofus 2.0 */ + if ((packet->payload_packet_len == 11 || packet->payload_packet_len == 13 || packet->payload_packet_len == 49) + && get_u_int32_t(packet->payload, 0) == ntohl(0x00050800) + && get_u_int16_t(packet->payload, 4) == ntohs(0x0005) + && get_u_int16_t(packet->payload, 8) == ntohs(0x0005) + && packet->payload[10] == 0x18) { + if (packet->payload_packet_len == 13 + && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) != ntohs(0x0194)) { + goto exclude; + } + if (packet->payload_packet_len == 49 && ntohs(get_u_int16_t(packet->payload, 15)) + 17 != packet->payload_packet_len) { + goto exclude; + } + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len >= 41 && get_u_int16_t(packet->payload, 0) == ntohs(0x01b9) && packet->payload[2] == 0x26) { + u_int16_t len, len2; + len = ntohs(get_u_int16_t(packet->payload, 3)); + if ((len + 5 + 2) > packet->payload_packet_len) + goto exclude; + len2 = ntohs(get_u_int16_t(packet->payload, 5 + len)); + if (5 + len + 2 + len2 == packet->payload_packet_len) { + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + } + if (packet->payload_packet_len == 56 + && memcmp(packet->payload, "\x00\x11\x35\x02\x03\x00\x93\x96\x01\x00", 10) == 0) { + u_int16_t len, len2; + len = ntohs(get_u_int16_t(packet->payload, 10)); + if ((len + 12 + 2) > packet->payload_packet_len) + goto exclude; + len2 = ntohs(get_u_int16_t(packet->payload, 12 + len)); + if ((12 + len + 2 + len2 + 1) > packet->payload_packet_len) + goto exclude; + if (12 + len + 2 + len2 + 1 == packet->payload_packet_len && packet->payload[12 + len + 2 + len2] == 0x01) { + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found 
dofus.\n"); + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + } + exclude: + NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "exclude dofus.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DOFUS); } #endif diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index c1d4404a1..c0104ccde 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -29,9 +29,7 @@ static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow, u_int8_t due_to_correlation) { - ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_DROPBOX/* , */ - /* due_to_correlation ? NDPI_CORRELATED_PROTOCOL : NDPI_REAL_PROTOCOL */); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/eaq.c b/src/lib/protocols/eaq.c index 28d0c264d..9b610db14 100644 --- a/src/lib/protocols/eaq.c +++ b/src/lib/protocols/eaq.c @@ -32,7 +32,7 @@ #ifdef NDPI_PROTOCOL_EAQ static void ndpi_int_eaq_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EAQ); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c index 7d6cc3b66..51c4ed994 100644 --- a/src/lib/protocols/edonkey.c +++ b/src/lib/protocols/edonkey.c @@ -28,7 +28,7 @@ #ifdef NDPI_PROTOCOL_EDONKEY static void ndpi_int_edonkey_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EDONKEY); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EDONKEY, NDPI_PROTOCOL_UNKNOWN); } static int ndpi_edonkey_payload_check(const u_int8_t *data, u_int32_t len) { 
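Review bot: In the re-indented `ndpi_search_dofus`, the stage-0 check `memcmp(packet->payload, "Ad", 2)` has no `== 0`, unlike the `"HG"`, `"HC"` and `"Af"` checks next to it, so it is true for every payload that does not start with "Ad". Any packet longer than two bytes that ends in a zero byte therefore sets `dofus_stage = 1`, and the later stage-1 `AT`/`Ak` checks can then label unrelated traffic as Dofus. The condition presumably should read `memcmp(packet->payload, "Ad", 2) == 0`. The re-indent carries the line over unchanged, so it is worth fixing while the whole function is being touched.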
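Review bot: `due_to_correlation` is left unused in `ndpi_int_dropbox_add_connection`, because the comment removed here was the last place that mentioned it. Either drop the parameter and update the callers (they are outside this hunk), or keep the signature and add `(void)due_to_correlation;` with a one-line comment saying the correlated/real distinction is no longer recorded. Otherwise the parameter reads as if it still affects the classification.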
diff --git a/src/lib/protocols/fasttrack.c b/src/lib/protocols/fasttrack.c index 80c1cda79..2b998bda9 100644 --- a/src/lib/protocols/fasttrack.c +++ b/src/lib/protocols/fasttrack.c @@ -31,7 +31,7 @@ static void ndpi_int_fasttrack_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FASTTRACK); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FASTTRACK, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/fiesta.c b/src/lib/protocols/fiesta.c index bae96b7e4..c312d107f 100644 --- a/src/lib/protocols/fiesta.c +++ b/src/lib/protocols/fiesta.c @@ -31,7 +31,7 @@ static void ndpi_int_fiesta_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIESTA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIESTA, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/filetopia.c b/src/lib/protocols/filetopia.c index bfa883965..f6cf7bef5 100644 --- a/src/lib/protocols/filetopia.c +++ b/src/lib/protocols/filetopia.c @@ -29,7 +29,7 @@ static void ndpi_int_filetopia_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FILETOPIA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FILETOPIA, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/florensia.c b/src/lib/protocols/florensia.c index f909f4ddc..b82265b00 100644 --- a/src/lib/protocols/florensia.c +++ b/src/lib/protocols/florensia.c 
@@ -30,7 +30,7 @@ static void ndpi_florensia_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FLORENSIA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FLORENSIA, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index a47f5becc..9e9eb1761 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -27,7 +27,7 @@ #ifdef NDPI_PROTOCOL_FTP_CONTROL static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_CONTROL); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_CONTROL, NDPI_PROTOCOL_UNKNOWN); } static int ndpi_ftp_control_check_request(const u_int8_t *payload) { diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 9f1359b44..4eb28a908 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -28,7 +28,7 @@ #ifdef NDPI_PROTOCOL_FTP_DATA static void ndpi_int_ftp_data_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_DATA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_DATA, NDPI_PROTOCOL_UNKNOWN); } static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 757d39dd6..cfd6ea74b 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c 
@@ -33,12 +33,11 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - struct ndpi_packet_struct *packet = &flow->packet; struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { src->gnutella_ts = packet->tick_timestamp; diff --git a/src/lib/protocols/gtp.c b/src/lib/protocols/gtp.c index 6412744ce..eb5dd1f0d 100644 --- a/src/lib/protocols/gtp.c +++ b/src/lib/protocols/gtp.c @@ -60,7 +60,7 @@ static void ndpi_check_gtp(struct ndpi_detection_module_struct *ndpi_struct, str if(message_len <= (payload_len-sizeof(struct gtp_header_generic))) { NDPI_LOG(NDPI_PROTOCOL_GTP, ndpi_struct, NDPI_LOG_DEBUG, "Found gtp.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/guildwars.c b/src/lib/protocols/guildwars.c index 8089295ef..34159d4be 100644 --- a/src/lib/protocols/guildwars.c +++ b/src/lib/protocols/guildwars.c @@ -31,7 +31,7 @@ static void ndpi_int_guildwars_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GUILDWARS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GUILDWARS, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_guildwars_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c index 2b8f69094..65d30bf67 100644 --- a/src/lib/protocols/h323.c +++ b/src/lib/protocols/h323.c 
@@ -43,7 +43,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n /* ISO 8073/X.224 */ if((packet->payload[5] == 0xE0 /* CC Connect Request */) || (packet->payload[5] == 0xD0 /* CC Connect Confirm */)) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN); return; } } @@ -52,7 +52,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n if(flow->l4.tcp.h323_valid_packets >= 2) { NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); } } else { /* This is not H.323 */ @@ -67,7 +67,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n packet->payload[4] == 0x00 && packet->payload[5] == 0x00) { NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); return; } /* H323 */ 
@@ -76,13 +76,13 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n if(packet->payload[0] == 0x16 && packet->payload[1] == 0x80 && packet->payload[4] == 0x06 && packet->payload[5] == 0x00) { NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); return; } else if(packet->payload_packet_len >= 20 || packet->payload_packet_len <= 117) { NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); return; } else diff --git a/src/lib/protocols/halflife2_and_mods.c b/src/lib/protocols/halflife2_and_mods.c index cf22cd593..eb6ca3585 100644 --- a/src/lib/protocols/halflife2_and_mods.c +++ b/src/lib/protocols/halflife2_and_mods.c @@ -29,7 +29,7 @@ static void ndpi_int_halflife2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HALFLIFE2); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HALFLIFE2, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index d21884dc0..1bebc3553 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
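Review bot: The context line `else if(packet->payload_packet_len >= 20 || packet->payload_packet_len <= 117)` is always true, so every packet that reaches this branch of `ndpi_search_h323` is marked as H323 and the trailing `else` is unreachable. A range test was presumably intended: `else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117)`. Since this commit edits the call inside that branch, the condition is worth correcting at the same time, because over-matching here mislabels flows for any policy or detection built on the result. The function starts and ends outside the hunk.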
@@ -39,10 +39,10 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { if(protocol != NDPI_PROTOCOL_HTTP) { ndpi_search_tcp_or_udp(ndpi_struct, flow); - ndpi_set_detected_protocol(ndpi_struct, flow, protocol); + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN); } else { ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, protocol); + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN); } } diff --git a/src/lib/protocols/http_activesync.c b/src/lib/protocols/http_activesync.c index 9b7f8a041..b3d44c67e 100644 --- a/src/lib/protocols/http_activesync.c +++ b/src/lib/protocols/http_activesync.c @@ -28,7 +28,7 @@ #ifdef NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC static void ndpi_int_activesync_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, NDPI_PROTOCOL_HTTP); } void ndpi_search_activesync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/iax.c b/src/lib/protocols/iax.c index bcbe357ef..79f4df8bf 100644 --- a/src/lib/protocols/iax.c +++ b/src/lib/protocols/iax.c @@ -30,7 +30,7 @@ static void ndpi_int_iax_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IAX); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IAX, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_search_setup_iax(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 6262bc945..b44dfd6cf 100644 
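Review bot: In `ndpi_int_http_add_connection` the `protocol != NDPI_PROTOCOL_HTTP` branch passes `NDPI_PROTOCOL_UNKNOWN` as the lower protocol, while `ndpi_int_activesync_add_connection` in this same commit passes `NDPI_PROTOCOL_HTTP` as the lower protocol for an application carried over HTTP. If `protocol` in that branch is an HTTP sub-protocol, as the test suggests, the flow loses its HTTP layer; consider `ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_HTTP);` there. As written, both branches end in the identical call, which could be hoisted below the if/else. The function body continues outside the hunk.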
--- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -29,7 +29,7 @@ static void ndpi_int_icecast_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ICECAST); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ICECAST, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/imesh.c b/src/lib/protocols/imesh.c index 8d6a34899..463e4c0cd 100644 --- a/src/lib/protocols/imesh.c +++ b/src/lib/protocols/imesh.c @@ -31,7 +31,7 @@ static void ndpi_int_imesh_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IMESH); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IMESH, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/ipp.c b/src/lib/protocols/ipp.c index 0f987ca3c..ee11f0fb4 100644 --- a/src/lib/protocols/ipp.c +++ b/src/lib/protocols/ipp.c @@ -29,7 +29,7 @@ static void ndpi_int_ipp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IPP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IPP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index a16c231b4..9f2d87a45 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c 
@@ -35,7 +35,7 @@ static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c index 294371d44..aea5db715 100644 --- a/src/lib/protocols/jabber.c +++ b/src/lib/protocols/jabber.c @@ -41,9 +41,9 @@ static struct jabber_string jabber_strings[] = { static void ndpi_int_jabber_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int32_t protocol/* , ndpi_protocol_type_t protocol_type */) + u_int32_t protocol) { - ndpi_set_detected_protocol(ndpi_struct, flow, protocol); + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN); } static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c index 27260f7dd..3fd89bafc 100644 --- a/src/lib/protocols/kakaotalk_voice.c +++ b/src/lib/protocols/kakaotalk_voice.c @@ -50,7 +50,7 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc if(((ntohl(packet->iph->saddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */) || ((ntohl(packet->iph->daddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */)) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_KAKAOTALK_VOICE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_KAKAOTALK_VOICE, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index 11991a401..137d6f102 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c 
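Review bot: `ndpi_int_jabber_add_connection` still takes `u_int32_t protocol` and forwards it as the upper protocol, which the updated prototype in `ndpi_main.h` declares as `u_int16_t upper_detected_protocol`, so the value is narrowed silently at the call. The signature line is already being edited in this hunk, so change it to `u_int16_t protocol`. An out-of-range id would then be reported at the caller under `-Wconversion` instead of being truncated.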
@@ -32,7 +32,7 @@ static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/kontiki.c b/src/lib/protocols/kontiki.c index 9c4098cef..cd52abb00 100644 --- a/src/lib/protocols/kontiki.c +++ b/src/lib/protocols/kontiki.c @@ -29,7 +29,7 @@ static void ndpi_int_kontiki_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KONTIKI); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KONTIKI, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_kontiki(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/ldap.c b/src/lib/protocols/ldap.c index e06c8b3e6..e2c08d338 100644 --- a/src/lib/protocols/ldap.c +++ b/src/lib/protocols/ldap.c @@ -32,7 +32,7 @@ static void ndpi_int_ldap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LDAP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LDAP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/lotus_notes.c b/src/lib/protocols/lotus_notes.c index 923aaf524..0d3ea0efe 100644 --- a/src/lib/protocols/lotus_notes.c +++ b/src/lib/protocols/lotus_notes.c 
@@ -59,7 +59,7 @@ static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_str if(memcmp(&packet->payload[6], lotus_notes_header, sizeof(lotus_notes_header)) == 0) { NDPI_LOG(NDPI_PROTOCOL_LOTUS_NOTES, ndpi_struct, NDPI_LOG_DEBUG, "Found lotus_notes.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LOTUS_NOTES); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LOTUS_NOTES, NDPI_PROTOCOL_UNKNOWN); } return; diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c index 74648981f..0d53770d5 100644 --- a/src/lib/protocols/mail_imap.c +++ b/src/lib/protocols/mail_imap.c @@ -28,7 +28,7 @@ static void ndpi_int_mail_imap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c index 73288de9f..1f7fa41f2 100644 --- a/src/lib/protocols/mail_pop.c +++ b/src/lib/protocols/mail_pop.c @@ -41,14 +41,14 @@ static void ndpi_int_mail_pop_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_POP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_POP, NDPI_PROTOCOL_UNKNOWN); } static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 9486e7eb3..f18c72ec5 100644 
--- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -45,7 +45,7 @@ static void ndpi_int_mail_smtp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/maplestory.c b/src/lib/protocols/maplestory.c index e3da38ba6..a49c39108 100644 --- a/src/lib/protocols/maplestory.c +++ b/src/lib/protocols/maplestory.c @@ -28,10 +28,9 @@ #ifdef NDPI_PROTOCOL_MAPLESTORY -static void ndpi_int_maplestory_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ - /* ndpi_protocol_type_t protocol_type */) +static void ndpi_int_maplestory_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAPLESTORY); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/mdns.c b/src/lib/protocols/mdns.c index 16d8943cb..22a2bc36a 100644 --- a/src/lib/protocols/mdns.c +++ b/src/lib/protocols/mdns.c @@ -34,9 +34,9 @@ This module should detect MDNS */ static void ndpi_int_mdns_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MDNS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MDNS, NDPI_PROTOCOL_UNKNOWN); } static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/meebo.c b/src/lib/protocols/meebo.c index 9455374eb..dda7f2c7c 100644 --- a/src/lib/protocols/meebo.c +++ b/src/lib/protocols/meebo.c 
@@ -30,12 +30,9 @@ static void ndpi_int_meebo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEEBO); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEEBO, NDPI_PROTOCOL_UNKNOWN); } - - - void ndpi_search_meebo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c index 78ab8a673..151210c9c 100644 --- a/src/lib/protocols/megaco.c +++ b/src/lib/protocols/megaco.c @@ -37,7 +37,7 @@ void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct packet->payload[5] == 'O' && packet->payload[6] == '/' && packet->payload[7] == '1' && packet->payload[8] == ' ' && packet->payload[9] == '[')) { NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "found MEGACO.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEGACO); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEGACO, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/mgcp.c b/src/lib/protocols/mgcp.c index 251eaa622..56e60e18c 100644 --- a/src/lib/protocols/mgcp.c +++ b/src/lib/protocols/mgcp.c @@ -28,9 +28,9 @@ #ifdef NDPI_PROTOCOL_MGCP static void ndpi_int_mgcp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MGCP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MGCP, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/mms.c b/src/lib/protocols/mms.c index 53b3cfcfe..67d4002db 100644 --- a/src/lib/protocols/mms.c +++ b/src/lib/protocols/mms.c 
@@ -31,7 +31,7 @@ static void ndpi_int_mms_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_CONTENT_MMS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_CONTENT_MMS, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/mpegts.c b/src/lib/protocols/mpegts.c index 275e19634..a6ea4b81f 100644 --- a/src/lib/protocols/mpegts.c +++ b/src/lib/protocols/mpegts.c @@ -42,7 +42,7 @@ void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct } /* This looks MPEG TS */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGTS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGTS, NDPI_PROTOCOL_UNKNOWN); return; } diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c index bf8feeb92..24baf653f 100644 --- a/src/lib/protocols/msn.c +++ b/src/lib/protocols/msn.c @@ -31,7 +31,7 @@ static void ndpi_int_msn_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MSN); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MSN, NDPI_PROTOCOL_UNKNOWN); } static u_int8_t ndpi_int_find_xmsn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/mssql.c b/src/lib/protocols/mssql.c index 7237c6132..d270cd6fd 100644 --- a/src/lib/protocols/mssql.c +++ b/src/lib/protocols/mssql.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ 
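Review bot: The signature of `ndpi_int_msn_add_connection` in msn.c still carries the dead `/* , */ /* ndpi_protocol_type_t protocol_type */` residue, although the maplestory.c hunk of this same commit removes exactly that residue. The same leftover remains in `ndpi_int_qq_add_connection` (qq.c) and `ndpi_int_rtsp_add_connection` (rtsp.c). Now that the second argument is an explicit lower protocol id, the commented-out type parameter no longer describes anything, so the parameter list should end at `struct ndpi_flow_struct *flow)` in all three. Only the signature and the single call are visible in these hunks.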
@@ -30,32 +30,27 @@ #ifdef NDPI_PROTOCOL_MSSQL static void ndpi_int_mssql_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MSSQL); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MSSQL, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_mssql(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - - - - - NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "search mssql.\n"); - + struct ndpi_packet_struct *packet = &flow->packet; - if (packet->payload_packet_len > 51 && ntohs(get_u_int32_t(packet->payload, 0)) == 0x1201 - && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len - && ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000100 && memcmp(&packet->payload[41], "sqlexpress", 10) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "found mssql.\n"); - ndpi_int_mssql_add_connection(ndpi_struct, flow); - return; - } + NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "search mssql.\n"); + if (packet->payload_packet_len > 51 && ntohs(get_u_int32_t(packet->payload, 0)) == 0x1201 + && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len + && ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000100 && memcmp(&packet->payload[41], "sqlexpress", 10) == 0) { + NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "found mssql.\n"); + ndpi_int_mssql_add_connection(ndpi_struct, flow); + return; + } - NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "exclude mssql.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSSQL); + NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "exclude mssql.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, 
NDPI_PROTOCOL_MSSQL); } #endif diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c index 424526e99..d23ce29f5 100644 --- a/src/lib/protocols/mysql.c +++ b/src/lib/protocols/mysql.c 
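Review bot: The first comparison in `ndpi_search_mssql`, `ntohs(get_u_int32_t(packet->payload, 0)) == 0x1201`, passes a 32-bit read to a 16-bit conversion; the hunk re-indents it unchanged. Assuming `get_u_int32_t` loads a host-order 32-bit word (its definition is not visible here), the truncation keeps payload bytes 0-1 on a little-endian host but bytes 2-3 on a big-endian one. The signature would then never match there and the flow would be added to the excluded bitmask. The next line already uses the 16-bit accessor for the length field, so the check should read `ntohs(get_u_int16_t(packet->payload, 0)) == 0x1201`.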
@@ -27,44 +27,43 @@ #ifdef NDPI_PROTOCOL_MYSQL static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 37 //min length - && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length - && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length - && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet - && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 - && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 - && get_u_int8_t(packet->payload, 6) == 0x2e //dot - ) { - u_int32_t a; - for (a = 7; a + 31 < packet->payload_packet_len; a++) { - if (packet->payload[a] == 0x00) { - if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte - && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more - && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes - && get_u_int8_t(packet->payload, a + 31) == 0x0) { - NDPI_LOG(NDPI_PROTOCOL_MYSQL, ndpi_struct, NDPI_LOG_DEBUG, "MySQL detected.\n"); - ndpi_int_mysql_add_connection(ndpi_struct, flow); - return; - } - break; - } - } + if (packet->payload_packet_len > 37 //min length + && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length + && 
get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length + && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet + && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 + && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 + && get_u_int8_t(packet->payload, 6) == 0x2e //dot + ) { + u_int32_t a; + for (a = 7; a + 31 < packet->payload_packet_len; a++) { + if (packet->payload[a] == 0x00) { + if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte + && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more + && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes + && get_u_int8_t(packet->payload, a + 31) == 0x0) { + NDPI_LOG(NDPI_PROTOCOL_MYSQL, ndpi_struct, NDPI_LOG_DEBUG, "MySQL detected.\n"); + ndpi_int_mysql_add_connection(ndpi_struct, flow); + return; } + break; + } + } + } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MYSQL); - + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MYSQL); } #endif diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index ff0bcf04e..556142237 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c @@ -63,7 +63,7 @@ static int netbios_name_interpret(char *in, char *out, u_int out_len) { static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c index 7878f698b..0f059b582 100644 --- a/src/lib/protocols/netflow.c +++ b/src/lib/protocols/netflow.c 
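Review bot: The length check in `ndpi_search_mysql_tcp`, `get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4`, has no byte-order handling, unlike the `ntohs`/`ntohl` wrappers used in the mssql.c and smb.c hunks of this commit. The MySQL packet length is little-endian on the wire, so if `get_u_int16_t` is a plain host-order load (not visible here) the test holds only on little-endian hosts. Elsewhere every MySQL handshake would fall through to the excluded-protocol bitmask. Building the value from bytes avoids that: `(packet->payload[0] | (packet->payload[1] << 8)) == packet->payload_packet_len - 4`. The multi-byte reads at `a + 19` and `a + 27` in the loop compare against zero and do not depend on byte order.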
@@ -78,7 +78,7 @@ static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, if(((version == 1) && (when == 0)) || ((when >= 946684800 /* 1/1/2000 */) && (when <= now))) { NDPI_LOG(NDPI_PROTOCOL_NETFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found netflow.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/nfs.c b/src/lib/protocols/nfs.c index 01c755829..c411902fc 100644 --- a/src/lib/protocols/nfs.c +++ b/src/lib/protocols/nfs.c @@ -27,9 +27,9 @@ #ifdef NDPI_PROTOCOL_NFS static void ndpi_int_nfs_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NFS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NFS, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_nfs(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/noe.c b/src/lib/protocols/noe.c index 7fb52aa15..d9cd11e51 100644 --- a/src/lib/protocols/noe.c +++ b/src/lib/protocols/noe.c @@ -13,7 +13,7 @@ static void ndpi_int_noe_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOE, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/non_tcp_udp.c b/src/lib/protocols/non_tcp_udp.c index 29c542b80..753ece393 100644 --- a/src/lib/protocols/non_tcp_udp.c +++ b/src/lib/protocols/non_tcp_udp.c 
@@ -32,8 +32,7 @@ if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask,nprot) != 0) \ { \ ndpi_set_detected_protocol(ndpi_struct, flow, \ - nprot/* , */ \ - /* NDPI_REAL_PROTOCOL */); \ + nprot, NDPI_PROTOCOL_UNKNOWN); \ } \ } diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c index 811c3e803..8a2a8aa25 100644 --- a/src/lib/protocols/ntp.c +++ b/src/lib/protocols/ntp.c @@ -27,9 +27,9 @@ #ifdef NDPI_PROTOCOL_NTP static void ndpi_int_ntp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTP, NDPI_PROTOCOL_UNKNOWN); } /* detection also works asymmetrically */ diff --git a/src/lib/protocols/openft.c b/src/lib/protocols/openft.c index cd0f6a2e0..8402263d3 100644 --- a/src/lib/protocols/openft.c +++ b/src/lib/protocols/openft.c @@ -27,9 +27,9 @@ #ifdef NDPI_PROTOCOL_OPENFT static void ndpi_int_openft_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENFT); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENFT, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_openft_tcp(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c index 841b1e91a..4b9f725d3 100644 --- a/src/lib/protocols/openvpn.c +++ b/src/lib/protocols/openvpn.c 
@@ -24,8 +24,7 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, packet->payload[2] == 0x00 && packet->payload[3] == 0x00)) { NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG, "found openvpn udp 443.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN/* , */ - /* NDPI_REAL_PROTOCOL */); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); return; } @@ -39,8 +38,7 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, packet->payload[0] == 0x38 || packet->payload[0] == 0x39)) { NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG, "found openvpn broadcast udp STD.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN/* , */ - /* NDPI_REAL_PROTOCOL */); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); return; } @@ -56,14 +54,12 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, (packet->payload[2] == 0x38))) { NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG, "found openvpn broadcast udp STD.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN/* , */ - /* NDPI_REAL_PROTOCOL */); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); return; } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, - NDPI_PROTOCOL_OPENVPN); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OPENVPN); } #endif diff --git a/src/lib/protocols/oracle.c b/src/lib/protocols/oracle.c index 3b43f8099..daeb76e7c 100644 --- a/src/lib/protocols/oracle.c +++ b/src/lib/protocols/oracle.c 
@@ -26,7 +26,7 @@ static void ndpi_int_oracle_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ORACLE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ORACLE, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c index 20f996c8b..e287f4de7 100644 --- a/src/lib/protocols/oscar.c +++ b/src/lib/protocols/oscar.c @@ -36,7 +36,7 @@ static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *n struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { src->oscar_last_safe_access_time = packet->tick_timestamp; diff --git a/src/lib/protocols/pando.c b/src/lib/protocols/pando.c index 808e1113a..3237bbac8 100644 --- a/src/lib/protocols/pando.c +++ b/src/lib/protocols/pando.c @@ -27,7 +27,7 @@ #ifdef NDPI_PROTOCOL_PANDO static void ndpi_int_pando_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PANDO); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PANDO, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_check_pando_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/pcanywhere.c b/src/lib/protocols/pcanywhere.c index 0d98f7033..743778816 100644 --- a/src/lib/protocols/pcanywhere.c +++ b/src/lib/protocols/pcanywhere.c 
@@ -27,29 +27,29 @@ #ifdef NDPI_PROTOCOL_PCANYWHERE static void ndpi_int_pcanywhere_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PCANYWHERE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PCANYWHERE, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_pcanywhere(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->udp != NULL && packet->udp->dest == htons(5632) - && packet->payload_packet_len == 2 - && (memcmp(packet->payload, "NQ", 2) == 0 || memcmp(packet->payload, "ST", 2) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_PCANYWHERE, ndpi_struct, NDPI_LOG_DEBUG, - "PC Anywhere name or status query detected.\n"); - ndpi_int_pcanywhere_add_connection(ndpi_struct, flow); - return; - } + if (packet->udp != NULL && packet->udp->dest == htons(5632) + && packet->payload_packet_len == 2 + && (memcmp(packet->payload, "NQ", 2) == 0 || memcmp(packet->payload, "ST", 2) == 0)) { + NDPI_LOG(NDPI_PROTOCOL_PCANYWHERE, ndpi_struct, NDPI_LOG_DEBUG, + "PC Anywhere name or status query detected.\n"); + ndpi_int_pcanywhere_add_connection(ndpi_struct, flow); + return; + } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PCANYWHERE); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PCANYWHERE); } #endif diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c index eca7d3761..08ec13a26 100644 --- a/src/lib/protocols/postgres.c +++ b/src/lib/protocols/postgres.c 
@@ -28,9 +28,9 @@ static void ndpi_int_postgres_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_POSTGRES); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_POSTGRES, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/pplive.c b/src/lib/protocols/pplive.c index c59316b54..57580b6bc 100644 --- a/src/lib/protocols/pplive.c +++ b/src/lib/protocols/pplive.c @@ -28,7 +28,7 @@ #ifdef NDPI_PROTOCOL_PPLIVE static void ndpi_int_pplive_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPLIVE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPLIVE, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c index 363c8888e..89c783436 100644 --- a/src/lib/protocols/ppstream.c +++ b/src/lib/protocols/ppstream.c @@ -29,7 +29,7 @@ static void ndpi_int_ppstream_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_ppstream(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/pptp.c b/src/lib/protocols/pptp.c index bc3f5d7a6..085ae5dde 100644 --- a/src/lib/protocols/pptp.c +++ b/src/lib/protocols/pptp.c 
@@ -32,7 +32,7 @@ static void ndpi_int_pptp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPTP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_pptp(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/qq.c b/src/lib/protocols/qq.c index 7cc54ea3b..a70f88878 100644 --- a/src/lib/protocols/qq.c +++ b/src/lib/protocols/qq.c @@ -31,7 +31,7 @@ static void ndpi_int_qq_add_connection(struct ndpi_detection_module_struct *ndpi struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QQ); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/quake.c b/src/lib/protocols/quake.c index 9cebfbf3f..9029c4b5b 100644 --- a/src/lib/protocols/quake.c +++ b/src/lib/protocols/quake.c @@ -30,7 +30,7 @@ static void ndpi_int_quake_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUAKE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUAKE, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 90b579a73..d47affbd8 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -47,7 +47,7 @@ static void ndpi_int_quic_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN); } static int connect_id(const unsigned char pflags) 
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c index 9ab33637b..79cd0407d 100644 --- a/src/lib/protocols/radius.c +++ b/src/lib/protocols/radius.c @@ -31,7 +31,7 @@ struct radius_header { static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; // const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; @@ -52,11 +52,11 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct, && (h->code <= 5) && (len == payload_len)) { NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "Found radius.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS); - + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN); + return; } - + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RADIUS); return; } diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index 786772808..e909c17a1 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -29,7 +29,7 @@ static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/redis_net.c b/src/lib/protocols/redis_net.c index 9f0eabf7a..0daf67f46 100644 --- a/src/lib/protocols/redis_net.c +++ b/src/lib/protocols/redis_net.c 
@@ -24,7 +24,7 @@ #ifdef NDPI_PROTOCOL_REDIS static void ndpi_int_redis_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_REDIS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_REDIS, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/rsync.c b/src/lib/protocols/rsync.c index 402c405b5..2430a7e8f 100644 --- a/src/lib/protocols/rsync.c +++ b/src/lib/protocols/rsync.c @@ -26,7 +26,7 @@ static void ndpi_int_rsync_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RSYNC); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RSYNC, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c index bdd1de480..49114c8e5 100644 --- a/src/lib/protocols/rtcp.c +++ b/src/lib/protocols/rtcp.c @@ -12,7 +12,7 @@ static void ndpi_int_rtcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/rtmp.c b/src/lib/protocols/rtmp.c index 07262bce9..ec00ff4b8 100644 --- a/src/lib/protocols/rtmp.c +++ b/src/lib/protocols/rtmp.c 
@@ -29,7 +29,7 @@ #ifdef NDPI_PROTOCOL_RTMP static void ndpi_int_rtmp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTMP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTMP, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index 3332a549d..05a53bb1c 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -32,7 +32,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t * payload, const u_int16_t payload_len) { - //struct ndpi_packet_struct *packet = &flow->packet; + //struct ndpi_packet_struct *packet = &flow->packet; u_int8_t payload_type = payload[1] & 0x7F; u_int32_t *ssid = (u_int32_t*)&payload[8]; @@ -44,7 +44,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, && (*ssid != 0) ) { NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found rtp.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_UNKNOWN); } else { NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); 
@@ -69,7 +69,7 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd static void ndpi_int_rtp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_UNKNOWN); } /* @@ -87,7 +87,7 @@ static void ndpi_int_rtp_add_connection(struct ndpi_detection_module_struct * 1, if the current packet should count towards the total, or * 0, if it it regarded as belonging to the previous reporting interval */ - + #if !defined(WIN32) static inline #else @@ -101,7 +101,7 @@ void init_seq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow } /* returns difference between old and new highest sequence number */ - + #if !defined(WIN32) static inline #else @@ -130,7 +130,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, const u_int8_t * payload, const u_int16_t payload_len) { struct ndpi_packet_struct *packet = &flow->packet; - + u_int8_t stage; u_int16_t seqnum = ntohs(get_u_int16_t(payload, 2)); @@ -256,7 +256,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - + if (packet->udp) { ndpi_rtp_search(ndpi_struct, flow, packet->payload, packet->payload_packet_len); diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c index 14ddc64b8..3ba1b5e61 100644 --- a/src/lib/protocols/rtsp.c +++ b/src/lib/protocols/rtsp.c 
@@ -40,7 +40,7 @@ static void ndpi_int_rtsp_add_connection(struct ndpi_detection_module_struct *nd struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTSP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_UNKNOWN); } /* this function searches for a rtsp-"handshake" over tcp or udp. */ diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c index 9a8a09f08..768c2eed6 100644 --- a/src/lib/protocols/sflow.c +++ b/src/lib/protocols/sflow.c @@ -35,7 +35,7 @@ static void ndpi_check_sflow(struct ndpi_detection_module_struct *ndpi_struct, s && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0) && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) { NDPI_LOG(NDPI_PROTOCOL_SFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found sflow.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/shoutcast.c b/src/lib/protocols/shoutcast.c index 804ee0492..794e20351 100644 --- a/src/lib/protocols/shoutcast.c +++ b/src/lib/protocols/shoutcast.c @@ -28,9 +28,9 @@ #ifdef NDPI_PROTOCOL_SHOUTCAST static void ndpi_int_shoutcast_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SHOUTCAST); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SHOUTCAST, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index 285cfe740..a796beb33 100644 --- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c 
@@ -28,15 +28,9 @@ #ifdef NDPI_PROTOCOL_SIP static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) -{ - - ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_SIP/* , */ - /* due_to_correlation ? NDPI_CORRELATED_PROTOCOL : NDPI_REAL_PROTOCOL */); + u_int8_t due_to_correlation) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN); } - - #if !defined(WIN32) static inline diff --git a/src/lib/protocols/skinny.c b/src/lib/protocols/skinny.c index 7329879bd..78de1107e 100644 --- a/src/lib/protocols/skinny.c +++ b/src/lib/protocols/skinny.c @@ -26,7 +26,7 @@ static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKINNY); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKINNY, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 12f8461ef..e72852dd5 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -61,7 +61,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s 212.161.8.0/24 */ if(is_skype_flow(ndpi_struct, flow)) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); return; } 
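Review bot: `ndpi_int_sip_add_connection` still takes `u_int8_t due_to_correlation`, but the new body never reads it, and its only other mention was the commented-out ternary this hunk deletes. Callers that pass a correlation flag now get the same classification either way, which is easy to miss when reading a call site. If the parameter must stay for existing callers, make that explicit with `(void)due_to_correlation; /* kept for caller compatibility; no longer affects the result */`. Otherwise drop it from the signature together with the callers' arguments.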
@@ -75,7 +75,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */ && (packet->payload[2] == 0x02))) { NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); } return; @@ -97,7 +97,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s //printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); } /* printf("[SKYPE] [id: %u][len: %d]\n", flow->l4.tcp.skype_packet_id, payload_len); */ diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index ba3c30c9c..e259bc2d2 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ 
@@ -27,31 +27,31 @@ #ifdef NDPI_PROTOCOL_SMB static void ndpi_int_smb_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - if(packet && packet->tcp) { - NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "search SMB.\n"); - - if (packet->tcp->dest == htons(445) - && packet->payload_packet_len > (32 + 4 + 4) - && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) - && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { - NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "found SMB.\n"); - ndpi_int_smb_add_connection(ndpi_struct, flow); - return; - - } - } - - NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "exclude SMB.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMB); +{ + struct ndpi_packet_struct *packet = &flow->packet; + + if(packet && packet->tcp) { + NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "search SMB.\n"); + + if (packet->tcp->dest == htons(445) + && packet->payload_packet_len > (32 + 4 + 4) + && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) + && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { + NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "found SMB.\n"); + ndpi_int_smb_add_connection(ndpi_struct, flow); + return; + + } + } + + NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "exclude SMB.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMB); } #endif 
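Review bot: ndpi_search_smb_tcp matches only the magic `htonl(0xff534d42)` (0xFF 'S' 'M' 'B') at offset 4, and any other payload falls to the exclude branch. SMB2 and later use 0xFE 'S' 'M' 'B' as the protocol ID, so those sessions would be added to `excluded_protocol_bitmask` here unless another dissector, not visible in this diff, picks them up. If SMB2/3 traffic should also classify as SMB, accept `get_u_int32_t(packet->payload, 4) == htonl(0xfe534d42)` as an alternative in the same condition. Minor style point in the same function: `packet` is `&flow->packet` and cannot be NULL, so `if(packet && packet->tcp)` can be written `if(packet->tcp)`.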
diff --git a/src/lib/protocols/snmp.c b/src/lib/protocols/snmp.c
index 8b5a78bf6..902934490 100644
--- a/src/lib/protocols/snmp.c
+++ b/src/lib/protocols/snmp.c
@@ -27,99 +27,99 @@ #ifdef NDPI_PROTOCOL_SNMP static void ndpi_int_snmp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNMP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNMP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 32 && packet->payload[0] == 0x30) { - int offset; - switch (packet->payload[1]) { - case 0x81: - offset = 3; - break; - case 0x82: - offset = 4; - break; - default: - if (packet->payload[1] > 0x82) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, second byte is > 0x82\n"); - goto excl; - } - offset = 2; - } + if (packet->payload_packet_len > 32 && packet->payload[0] == 0x30) { + int offset; + switch (packet->payload[1]) { + case 0x81: + offset = 3; + break; + case 0x82: + offset = 4; + break; + default: + if (packet->payload[1] > 0x82) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, second byte is > 0x82\n"); + goto excl; + } + offset = 2; + } - if (get_u_int16_t(packet->payload, offset) != htons(0x0201)) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, 0x0201 pattern not found\n"); - goto excl; - } + if (get_u_int16_t(packet->payload, offset) != htons(0x0201)) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, 0x0201 pattern not found\n"); + goto excl; + } - if (packet->payload[offset + 2] >= 0x04) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, 
ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, version > 3\n"); - goto excl; - } + if (packet->payload[offset + 2] >= 0x04) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, version > 3\n"); + goto excl; + } - if (flow->l4.udp.snmp_stage == 0) { - if (packet->udp->dest == htons(161) || packet->udp->dest == htons(162)) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP detected due to port.\n"); - ndpi_int_snmp_add_connection(ndpi_struct, flow); - return; - } - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP stage 0.\n"); - if (packet->payload[offset + 2] == 3) { - flow->l4.udp.snmp_msg_id = ntohs(get_u_int32_t(packet->payload, offset + 8)); - } else if (packet->payload[offset + 2] == 0) { - flow->l4.udp.snmp_msg_id = get_u_int8_t(packet->payload, offset + 15); - } else { - flow->l4.udp.snmp_msg_id = ntohs(get_u_int16_t(packet->payload, offset + 15)); - } - flow->l4.udp.snmp_stage = 1 + packet->packet_direction; - return; - } else if (flow->l4.udp.snmp_stage == 1 + packet->packet_direction) { - if (packet->payload[offset + 2] == 0) { - if (flow->l4.udp.snmp_msg_id != get_u_int8_t(packet->payload, offset + 15) - 1) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, - "SNMP v1 excluded, message ID doesn't match\n"); - goto excl; - } - } - } else if (flow->l4.udp.snmp_stage == 2 - packet->packet_direction) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP stage 1-2.\n"); - if (packet->payload[offset + 2] == 3) { - if (flow->l4.udp.snmp_msg_id != ntohs(get_u_int32_t(packet->payload, offset + 8))) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, - "SNMP v3 excluded, message ID doesn't match\n"); - goto excl; - } - } else if (packet->payload[offset + 2] == 0) { - if (flow->l4.udp.snmp_msg_id != get_u_int8_t(packet->payload, offset + 15)) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, - "SNMP v1 excluded, message ID doesn't match\n"); - goto excl; - } - } 
else { - if (flow->l4.udp.snmp_msg_id != ntohs(get_u_int16_t(packet->payload, offset + 15))) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, - "SNMP v2 excluded, message ID doesn't match\n"); - goto excl; - } - } - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP detected.\n"); - ndpi_int_snmp_add_connection(ndpi_struct, flow); - return; - } - } else { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded.\n"); + if (flow->l4.udp.snmp_stage == 0) { + if (packet->udp->dest == htons(161) || packet->udp->dest == htons(162)) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP detected due to port.\n"); + ndpi_int_snmp_add_connection(ndpi_struct, flow); + return; + } + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP stage 0.\n"); + if (packet->payload[offset + 2] == 3) { + flow->l4.udp.snmp_msg_id = ntohs(get_u_int32_t(packet->payload, offset + 8)); + } else if (packet->payload[offset + 2] == 0) { + flow->l4.udp.snmp_msg_id = get_u_int8_t(packet->payload, offset + 15); + } else { + flow->l4.udp.snmp_msg_id = ntohs(get_u_int16_t(packet->payload, offset + 15)); + } + flow->l4.udp.snmp_stage = 1 + packet->packet_direction; + return; + } else if (flow->l4.udp.snmp_stage == 1 + packet->packet_direction) { + if (packet->payload[offset + 2] == 0) { + if (flow->l4.udp.snmp_msg_id != get_u_int8_t(packet->payload, offset + 15) - 1) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + "SNMP v1 excluded, message ID doesn't match\n"); + goto excl; } - excl: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SNMP); + } + } else if (flow->l4.udp.snmp_stage == 2 - packet->packet_direction) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP stage 1-2.\n"); + if (packet->payload[offset + 2] == 3) { + if (flow->l4.udp.snmp_msg_id != ntohs(get_u_int32_t(packet->payload, offset + 8))) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + "SNMP v3 
excluded, message ID doesn't match\n"); + goto excl; + } + } else if (packet->payload[offset + 2] == 0) { + if (flow->l4.udp.snmp_msg_id != get_u_int8_t(packet->payload, offset + 15)) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + "SNMP v1 excluded, message ID doesn't match\n"); + goto excl; + } + } else { + if (flow->l4.udp.snmp_msg_id != ntohs(get_u_int16_t(packet->payload, offset + 15))) { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + "SNMP v2 excluded, message ID doesn't match\n"); + goto excl; + } + } + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP detected.\n"); + ndpi_int_snmp_add_connection(ndpi_struct, flow); + return; + } + } else { + NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded.\n"); + } + excl: + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SNMP); } diff --git a/src/lib/protocols/socks4.c b/src/lib/protocols/socks4.c index d902fa384..87bc3a634 100644 --- a/src/lib/protocols/socks4.c +++ b/src/lib/protocols/socks4.c @@ -29,7 +29,7 @@ #ifdef NDPI_PROTOCOL_SOCKS4 static void ndpi_int_socks4_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCKS4); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCKS4, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/socks5.c b/src/lib/protocols/socks5.c index 0bb984c7c..f7cf89dfc 100644 --- a/src/lib/protocols/socks5.c +++ b/src/lib/protocols/socks5.c 
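Review bot: In ndpi_search_snmp (src/lib/protocols/snmp.c) the SNMPv3 message ID is read as `ntohs(get_u_int32_t(packet->payload, offset + 8))`, both where it is stored at stage 0 and where it is compared at stage 1-2. ntohs takes a 16-bit argument, so the 32-bit load is truncated before the swap, and which two bytes of the field survive presumably depends on host byte order. The SMB and Socrates dissectors in this same diff pair get_u_int32_t with ntohl, so use `ntohl(get_u_int32_t(packet->payload, offset + 8))` if `snmp_msg_id` is wide enough, or read the intended two bytes with get_u_int16_t. Separately, `packet->udp->dest` is dereferenced with no `packet->udp != NULL` test in the visible body; if the caller does not guarantee a UDP packet, add that guard before the port check.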
@@ -29,7 +29,7 @@ #ifdef NDPI_PROTOCOL_SOCKS5 static void ndpi_int_socks5_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCKS5); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCKS5, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/socrates.c b/src/lib/protocols/socrates.c index c8df1a0d7..91ae76da1 100644 --- a/src/lib/protocols/socrates.c +++ b/src/lib/protocols/socrates.c 
@@ -28,53 +28,50 @@ static void ndpi_socrates_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCRATES); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCRATES, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_socrates(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "search socrates.\n"); - if (packet->udp != NULL) { - if (packet->payload_packet_len > 9 && packet->payload[0] == 0xfe - && packet->payload[packet->payload_packet_len - 1] == 0x05) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found fe.\n"); + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "search socrates.\n"); + if (packet->udp != NULL) { + if (packet->payload_packet_len > 9 && packet->payload[0] == 0xfe + && packet->payload[packet->payload_packet_len - 1] == 0x05) { + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found fe.\n"); - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "len match.\n"); - if (memcmp(&packet->payload[2], "socrates", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found socrates udp.\n"); - ndpi_socrates_add_connection(ndpi_struct, flow); - } + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "len match.\n"); + if (memcmp(&packet->payload[2], "socrates", 8) == 0) { + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found socrates udp.\n"); + 
ndpi_socrates_add_connection(ndpi_struct, flow); + } - } - } else if (packet->tcp != NULL) { - if (packet->payload_packet_len > 13 && packet->payload[0] == 0xfe - && packet->payload[packet->payload_packet_len - 1] == 0x05) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found fe.\n"); - if (packet->payload_packet_len == ntohl(get_u_int32_t(packet->payload, 2))) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "len match.\n"); - if (memcmp(&packet->payload[6], "socrates", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found socrates tcp.\n"); - ndpi_socrates_add_connection(ndpi_struct, flow); - } - } - } + } + } else if (packet->tcp != NULL) { + if (packet->payload_packet_len > 13 && packet->payload[0] == 0xfe + && packet->payload[packet->payload_packet_len - 1] == 0x05) { + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found fe.\n"); + if (packet->payload_packet_len == ntohl(get_u_int32_t(packet->payload, 2))) { + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "len match.\n"); + if (memcmp(&packet->payload[6], "socrates", 8) == 0) { + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found socrates tcp.\n"); + ndpi_socrates_add_connection(ndpi_struct, flow); } + } + } + } - - - - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "exclude socrates.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOCRATES); + NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "exclude socrates.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOCRATES); } #endif diff --git a/src/lib/protocols/sopcast.c b/src/lib/protocols/sopcast.c index 33c4f8fca..c0879a2dd 100644 --- a/src/lib/protocols/sopcast.c +++ b/src/lib/protocols/sopcast.c 
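Review bot: Neither the UDP nor the TCP branch of ndpi_search_socrates returns after `ndpi_socrates_add_connection(ndpi_struct, flow);`. A matching packet therefore still falls through to the "exclude socrates." log line and to `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOCRATES);`. The SMB and SopCast dissectors in this diff `return;` immediately after their add_connection call, and adding `return;` after both calls here would stop a detected flow from also being marked excluded. How the excluded bitmask interacts with an already-set protocol is not visible in this hunk, so the effect may be limited to a misleading debug log, but the detect-then-exclude sequence is worth fixing either way.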
@@ -29,9 +29,9 @@ static void ndpi_int_sopcast_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOPCAST); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOPCAST, NDPI_PROTOCOL_UNKNOWN); } /** 
@@ -42,178 +42,178 @@ static void ndpi_int_sopcast_add_connection(struct ndpi_detection_module_struct */ #if !defined(WIN32) - static inline +static inline #else __forceinline static #endif - u_int8_t ndpi_int_is_sopcast_tcp(const u_int8_t * payload, const u_int16_t payload_len) +u_int8_t ndpi_int_is_sopcast_tcp(const u_int8_t * payload, const u_int16_t payload_len) { - if (payload_len != 54) - return 0; - - if (payload[2] != payload[3] - 4 && payload[2] != payload[3] + 4) - return 0; - - if (payload[2] != payload[4] - 1 && payload[2] != payload[4] + 1) - return 0; - - if (payload[25] != payload[25 + 16 - 1] + 1 && payload[25] != payload[25 + 16 - 1] - 1) { - - if (payload[3] != payload[25] && - payload[3] != payload[25] - 4 && payload[3] != payload[25] + 4 && payload[3] != payload[25] - 21) { - return 0; - } - } - - if (payload[4] != payload[28] || - payload[28] != payload[30] || - payload[30] != payload[31] || - get_u_int16_t(payload, 30) != get_u_int16_t(payload, 32) || get_u_int16_t(payload, 32) != get_u_int16_t(payload, 34)) { - - if ((payload[2] != payload[5] - 1 && payload[2] != payload[5] + 1) || - payload[2] != payload[25] || - payload[4] != payload[28] || - payload[4] != payload[31] || - payload[4] != payload[32] || - payload[4] != payload[33] || - payload[4] != payload[34] || - payload[4] != payload[35] || payload[4] != payload[30] || payload[2] != payload[36]) { - return 0; - } - } - - if (payload[42] != payload[53]) - return 0; - - if (payload[45] != payload[46] + 1 && payload[45] != payload[46] - 1) - return 0; - - if (payload[45] != payload[49] || payload[46] != payload[50] || payload[47] != payload[51]) - return 0; - - return 1; + if (payload_len != 54) + return 0; + + if (payload[2] != payload[3] - 4 && payload[2] != payload[3] + 4) + return 0; + + if (payload[2] != payload[4] - 1 && payload[2] != payload[4] + 1) + return 0; + + if (payload[25] != payload[25 + 16 - 1] + 1 && payload[25] != payload[25 + 16 - 1] - 1) { + + if (payload[3] != 
payload[25] && + payload[3] != payload[25] - 4 && payload[3] != payload[25] + 4 && payload[3] != payload[25] - 21) { + return 0; + } + } + + if (payload[4] != payload[28] || + payload[28] != payload[30] || + payload[30] != payload[31] || + get_u_int16_t(payload, 30) != get_u_int16_t(payload, 32) || get_u_int16_t(payload, 32) != get_u_int16_t(payload, 34)) { + + if ((payload[2] != payload[5] - 1 && payload[2] != payload[5] + 1) || + payload[2] != payload[25] || + payload[4] != payload[28] || + payload[4] != payload[31] || + payload[4] != payload[32] || + payload[4] != payload[33] || + payload[4] != payload[34] || + payload[4] != payload[35] || payload[4] != payload[30] || payload[2] != payload[36]) { + return 0; + } + } + + if (payload[42] != payload[53]) + return 0; + + if (payload[45] != payload[46] + 1 && payload[45] != payload[46] - 1) + return 0; + + if (payload[45] != payload[49] || payload[46] != payload[50] || payload[47] != payload[51]) + return 0; + + return 1; } static void ndpi_search_sopcast_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; - if (flow->packet_counter == 1 && packet->payload_packet_len == 54 && get_u_int16_t(packet->payload, 0) == ntohs(0x0036)) { - if (ndpi_int_is_sopcast_tcp(packet->payload, packet->payload_packet_len)) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast TCP \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - } + if (flow->packet_counter == 1 && packet->payload_packet_len == 54 && get_u_int16_t(packet->payload, 0) == ntohs(0x0036)) { + if (ndpi_int_is_sopcast_tcp(packet->payload, packet->payload_packet_len)) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast TCP \n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + } - 
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast TCP. \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST); + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast TCP. \n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST); } static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "search sopcast. \n"); - - - if (packet->payload_packet_len == 52 && packet->payload[0] == 0xff - && packet->payload[1] == 0xff && packet->payload[2] == 0x01 - && packet->payload[8] == 0x02 && packet->payload[9] == 0xff - && packet->payload[10] == 0x00 && packet->payload[11] == 0x2c - && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if I. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - if ((packet->payload_packet_len == 80 || packet->payload_packet_len == 28 || packet->payload_packet_len == 94) - && packet->payload[0] == 0x00 && (packet->payload[2] == 0x02 || packet->payload[2] == 0x01) - && packet->payload[8] == 0x01 && packet->payload[9] == 0xff - && packet->payload[10] == 0x00 && packet->payload[11] == 0x14 - && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if II. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - /* this case has been seen once. 
Please revome this comment, if you see it another time */ - if (packet->payload_packet_len == 60 && packet->payload[0] == 0x00 - && packet->payload[2] == 0x01 - && packet->payload[8] == 0x03 && packet->payload[9] == 0xff - && packet->payload[10] == 0x00 && packet->payload[11] == 0x34 - && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if III. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 42 && packet->payload[0] == 0x00 - && packet->payload[1] == 0x02 && packet->payload[2] == 0x01 - && packet->payload[3] == 0x07 && packet->payload[4] == 0x03 - && packet->payload[8] == 0x06 - && packet->payload[9] == 0x01 && packet->payload[10] == 0x00 - && packet->payload[11] == 0x22 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if IV. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 28 && packet->payload[0] == 0x00 - && packet->payload[1] == 0x0c && packet->payload[2] == 0x01 - && packet->payload[3] == 0x07 && packet->payload[4] == 0x00 - && packet->payload[8] == 0x01 - && packet->payload[9] == 0x01 && packet->payload[10] == 0x00 - && packet->payload[11] == 0x14 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if V. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - /* this case has been seen once. 
Please revome this comment, if you see it another time */ - if (packet->payload_packet_len == 286 && packet->payload[0] == 0x00 - && packet->payload[1] == 0x02 && packet->payload[2] == 0x01 - && packet->payload[3] == 0x07 && packet->payload[4] == 0x03 - && packet->payload[8] == 0x06 - && packet->payload[9] == 0x01 && packet->payload[10] == 0x01 - && packet->payload[11] == 0x16 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VI. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 76 && packet->payload[0] == 0xff - && packet->payload[1] == 0xff && packet->payload[2] == 0x01 - && packet->payload[8] == 0x0c && packet->payload[9] == 0xff - && packet->payload[10] == 0x00 && packet->payload[11] == 0x44 - && packet->payload[16] == 0x01 && packet->payload[15] == 0x01 - && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VII. \n"); - ndpi_int_sopcast_add_connection(ndpi_struct, flow); - return; - } - - /* Attention please: no asymmetric detection necessary. This detection works asymmetrically as well. */ - - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast. \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST); + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; + + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "search sopcast. 
\n"); + + + if (packet->payload_packet_len == 52 && packet->payload[0] == 0xff + && packet->payload[1] == 0xff && packet->payload[2] == 0x01 + && packet->payload[8] == 0x02 && packet->payload[9] == 0xff + && packet->payload[10] == 0x00 && packet->payload[11] == 0x2c + && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if I. \n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + if ((packet->payload_packet_len == 80 || packet->payload_packet_len == 28 || packet->payload_packet_len == 94) + && packet->payload[0] == 0x00 && (packet->payload[2] == 0x02 || packet->payload[2] == 0x01) + && packet->payload[8] == 0x01 && packet->payload[9] == 0xff + && packet->payload[10] == 0x00 && packet->payload[11] == 0x14 + && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if II. \n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + /* this case has been seen once. Please revome this comment, if you see it another time */ + if (packet->payload_packet_len == 60 && packet->payload[0] == 0x00 + && packet->payload[2] == 0x01 + && packet->payload[8] == 0x03 && packet->payload[9] == 0xff + && packet->payload[10] == 0x00 && packet->payload[11] == 0x34 + && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if III. 
\n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 42 && packet->payload[0] == 0x00 + && packet->payload[1] == 0x02 && packet->payload[2] == 0x01 + && packet->payload[3] == 0x07 && packet->payload[4] == 0x03 + && packet->payload[8] == 0x06 + && packet->payload[9] == 0x01 && packet->payload[10] == 0x00 + && packet->payload[11] == 0x22 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if IV. \n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 28 && packet->payload[0] == 0x00 + && packet->payload[1] == 0x0c && packet->payload[2] == 0x01 + && packet->payload[3] == 0x07 && packet->payload[4] == 0x00 + && packet->payload[8] == 0x01 + && packet->payload[9] == 0x01 && packet->payload[10] == 0x00 + && packet->payload[11] == 0x14 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if V. \n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + /* this case has been seen once. Please revome this comment, if you see it another time */ + if (packet->payload_packet_len == 286 && packet->payload[0] == 0x00 + && packet->payload[1] == 0x02 && packet->payload[2] == 0x01 + && packet->payload[3] == 0x07 && packet->payload[4] == 0x03 + && packet->payload[8] == 0x06 + && packet->payload[9] == 0x01 && packet->payload[10] == 0x01 + && packet->payload[11] == 0x16 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VI. 
\n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 76 && packet->payload[0] == 0xff + && packet->payload[1] == 0xff && packet->payload[2] == 0x01 + && packet->payload[8] == 0x0c && packet->payload[9] == 0xff + && packet->payload[10] == 0x00 && packet->payload[11] == 0x44 + && packet->payload[16] == 0x01 && packet->payload[15] == 0x01 + && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VII. \n"); + ndpi_int_sopcast_add_connection(ndpi_struct, flow); + return; + } + + /* Attention please: no asymmetric detection necessary. This detection works asymmetrically as well. */ + + NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast. \n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST); } void ndpi_search_sopcast(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; - if (packet->udp != NULL) - ndpi_search_sopcast_udp(ndpi_struct, flow); - if (packet->tcp != NULL) - ndpi_search_sopcast_tcp(ndpi_struct, flow); + if (packet->udp != NULL) + ndpi_search_sopcast_udp(ndpi_struct, flow); + if (packet->tcp != NULL) + ndpi_search_sopcast_tcp(ndpi_struct, flow); } #endif diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c index ceea14318..6bfa9334e 100644 --- a/src/lib/protocols/soulseek.c +++ b/src/lib/protocols/soulseek.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ 
@@ -28,259 +28,259 @@ #ifdef NDPI_PROTOCOL_SOULSEEK static void ndpi_int_soulseek_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; + struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_id_struct *src = flow->src; + struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); - if (src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; - } - if (dst != NULL) { - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - } + if (src != NULL) { + src->soulseek_last_safe_access_time = packet->tick_timestamp; + } + if (dst != NULL) { + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + } - return; + return; } void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek: search soulseec tcp \n"); - - - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SOULSEEK) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "packet marked as Soulseek\n"); - if (src != NULL) - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", - NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) - != 0 ? 
1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) src->soulseek_last_safe_access_time); - if (dst != NULL) - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", - NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) - != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) dst->soulseek_last_safe_access_time); - - if (packet->payload_packet_len == 431) { - if (dst != NULL) { - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - } - return; - } - if (packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) { - if (src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if (packet->tcp != NULL && src->soulseek_listen_port == 0) { - src->soulseek_listen_port = get_l32(packet->payload, 8); - return; - } - } - } - - if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - - src->soulseek_last_safe_access_time) < - ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); - src->soulseek_last_safe_access_time = packet->tick_timestamp; - } - - if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - - dst->soulseek_last_safe_access_time) < - ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - } + struct ndpi_packet_struct *packet = &flow->packet; + + struct ndpi_id_struct *src = flow->src; + struct ndpi_id_struct *dst = flow->dst; + + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek: search soulseec tcp \n"); + + + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SOULSEEK) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, 
"packet marked as Soulseek\n"); + if (src != NULL) + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", + NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) + != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) src->soulseek_last_safe_access_time); + if (dst != NULL) + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", + NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) + != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) dst->soulseek_last_safe_access_time); + + if (packet->payload_packet_len == 431) { + if (dst != NULL) { + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + } + return; + } + if (packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) { + if (src != NULL) { + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if (packet->tcp != NULL && src->soulseek_listen_port == 0) { + src->soulseek_listen_port = get_l32(packet->payload, 8); + return; } + } + } - - if (dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) - && ((u_int32_t) - (packet->tick_timestamp - dst->soulseek_last_safe_access_time) < + if (src != NULL && ((u_int32_t) + (packet->tick_timestamp - + src->soulseek_last_safe_access_time) < + ndpi_struct->soulseek_connection_ip_tick_timeout)) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); + src->soulseek_last_safe_access_time = packet->tick_timestamp; + } + + if (dst != NULL && ((u_int32_t) + (packet->tick_timestamp - + dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - "Soulseek: Plain detection on Port : %u 
packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", - dst->soulseek_listen_port, packet->tick_timestamp, - dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + } + } + + + if (dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) + && ((u_int32_t) + (packet->tick_timestamp - dst->soulseek_last_safe_access_time) < + ndpi_struct->soulseek_connection_ip_tick_timeout)) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + "Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", + dst->soulseek_listen_port, packet->tick_timestamp, + dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } + + if (flow->l4.tcp.soulseek_stage == 0) { + + u_int32_t index = 0; + + if (packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) { + while (!get_u_int16_t(packet->payload, index + 2) + && (index + get_l32(packet->payload, index)) < packet->payload_packet_len - 4) { + if (get_l32(packet->payload, index) < 8) /*Minimum soulsek login msg is 8B */ + break; + + if (index + get_l32(packet->payload, index) + 4 <= index) { + /* avoid overflow */ + break; } - if (flow->l4.tcp.soulseek_stage == 0) { - - u_int32_t index = 0; - - if (packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) { - while (!get_u_int16_t(packet->payload, index + 2) - && (index + get_l32(packet->payload, index)) < 
packet->payload_packet_len - 4) { - if (get_l32(packet->payload, index) < 8) /*Minimum soulsek login msg is 8B */ - break; - - if (index + get_l32(packet->payload, index) + 4 <= index) { - /* avoid overflow */ - break; - } - - index += get_l32(packet->payload, index) + 4; - } - if (index + get_l32(packet->payload, index) == - packet->payload_packet_len - 4 && !get_u_int16_t(packet->payload, 10)) { - /*This structure seems to be soulseek proto */ - index = get_l32(packet->payload, 8) + 12; // end of "user name" - if ((index + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 2)) // for passwd len - { - index += get_l32(packet->payload, index) + 4; //end of "Passwd" - if ((index + 4 + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 6)) // to read version,hashlen - { - index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value" - if (index == get_l32(packet->payload, 0)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, - ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Login Detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - } - } - } - } - if (packet->payload_packet_len > 8 - && packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { - //Server Messages: - const u_int32_t msgcode = get_l32(packet->payload, 4); - - if (msgcode == 0x7d) { - flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Messages Search\n"); - return; - } else if (msgcode == 0x02 && packet->payload_packet_len == 12) { - const u_int32_t soulseek_listen_port = get_l32(packet->payload, 8); - - if (src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; - - if (packet->tcp != NULL && src->soulseek_listen_port == 0) { - src->soulseek_listen_port = soulseek_listen_port; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "\n Listen Port Saved : %u", 
src->soulseek_listen_port); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - } - - } - //Peer Messages : Peer Init Message Detection - if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { - const u_int32_t typelen = get_l32(packet->payload, packet->payload_packet_len - 9); - const u_int8_t type = packet->payload[packet->payload_packet_len - 5]; - const u_int32_t namelen = get_l32(packet->payload, 5); - if (packet->payload[4] == 0x01 && typelen == 1 - && namelen <= packet->payload_packet_len - && (4 + 1 + 4 + namelen + 4 + 1 + 4) == - packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "1\n"); - } - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "3\n"); - //Peer Message : Pierce Firewall - if (packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5 - && packet->payload[4] <= 0x10 && get_u_int32_t(packet->payload, 5) != 0x00000000) { - flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n"); - return; - } - - } - - if (packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u_int16_t(packet->payload, 7) - && !get_u_int16_t(packet->payload, 2)) { - const u_int32_t usrlen = get_l32(packet->payload, 5); - - if (usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) { - const u_int32_t typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); - const u_int8_t type = packet->payload[4 + 1 + 4 + usrlen + 4]; - if (typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - 
return; - } - } - } - - } else if (flow->l4.tcp.soulseek_stage == 2 - packet->packet_direction) { - if (packet->payload_packet_len > 8) { - if ((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) { - /* 9 is search result */ - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { - const u_int32_t msgcode = get_l32(packet->payload, 4); - if (msgcode == 0x03 && packet->payload_packet_len >= 12) //Server Message : Get Peer Address - { - const u_int32_t usrlen = get_l32(packet->payload, 8); - if (usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - } - } - } - - if (packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; + index += get_l32(packet->payload, index) + 4; + } + if (index + get_l32(packet->payload, index) == + packet->payload_packet_len - 4 && !get_u_int16_t(packet->payload, 10)) { + /*This structure seems to be soulseek proto */ + index = get_l32(packet->payload, 8) + 12; // end of "user name" + if ((index + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 2)) // for passwd len + { + index += get_l32(packet->payload, index) + 4; //end of "Passwd" + if ((index + 4 + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 6)) // to read version,hashlen + { + index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value" + if (index == get_l32(packet->payload, 0)) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, 
+ ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Login Detected\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; } + } + } + } + } + if (packet->payload_packet_len > 8 + && packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { + //Server Messages: + const u_int32_t msgcode = get_l32(packet->payload, 4); + + if (msgcode == 0x7d) { + flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Messages Search\n"); + return; + } else if (msgcode == 0x02 && packet->payload_packet_len == 12) { + const u_int32_t soulseek_listen_port = get_l32(packet->payload, 8); - if (packet->payload_packet_len == 4 - && get_u_int16_t(packet->payload, 2) == 0x00 && get_u_int16_t(packet->payload, 0) != 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } else if (packet->payload_packet_len == 4) { - flow->l4.tcp.soulseek_stage = 3; - return; - } - } else if (flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) { - if (packet->payload_packet_len > 8) { - if (packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - } + if (src != NULL) { + src->soulseek_last_safe_access_time = packet->tick_timestamp; + + if (packet->tcp != NULL && src->soulseek_listen_port == 0) { + src->soulseek_listen_port = soulseek_listen_port; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, + NDPI_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } } - if (flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u_int32_t(packet->payload, 4)) { - 
NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; + } + //Peer Messages : Peer Init Message Detection + if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { + const u_int32_t typelen = get_l32(packet->payload, packet->payload_packet_len - 9); + const u_int8_t type = packet->payload[packet->payload_packet_len - 5]; + const u_int32_t namelen = get_l32(packet->payload, 5); + if (packet->payload[4] == 0x01 && typelen == 1 + && namelen <= packet->payload_packet_len + && (4 + 1 + 4 + namelen + 4 + 1 + 4) == + packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; } - if (flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) { - } else { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK); + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "1\n"); + } + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "3\n"); + //Peer Message : Pierce Firewall + if (packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5 + && packet->payload[4] <= 0x10 && get_u_int32_t(packet->payload, 5) != 0x00000000) { + flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n"); + return; + } + + } + + if (packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u_int16_t(packet->payload, 7) + && !get_u_int16_t(packet->payload, 2)) { + const u_int32_t usrlen = get_l32(packet->payload, 5); + + if (usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) { + const u_int32_t typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); + const u_int8_t type = packet->payload[4 + 1 + 4 + usrlen + 4]; + if (typelen == 
1 && (type == 'F' || type == 'P' || type == 'D')) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, + NDPI_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; } + } + } + + } else if (flow->l4.tcp.soulseek_stage == 2 - packet->packet_direction) { + if (packet->payload_packet_len > 8) { + if ((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) { + /* 9 is search result */ + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } + if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { + const u_int32_t msgcode = get_l32(packet->payload, 4); + if (msgcode == 0x03 && packet->payload_packet_len >= 12) //Server Message : Get Peer Address + { + const u_int32_t usrlen = get_l32(packet->payload, 8); + if (usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, + NDPI_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } + } + } + } + + if (packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } + + if (packet->payload_packet_len == 4 + && get_u_int16_t(packet->payload, 2) == 0x00 && get_u_int16_t(packet->payload, 0) != 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } else if (packet->payload_packet_len == 4) { + flow->l4.tcp.soulseek_stage = 3; + return; + } + } else if (flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) { + if (packet->payload_packet_len > 8) { + if (packet->payload[4] == 0x03 
&& get_l32(packet->payload, 5) == 0x00000031) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, + NDPI_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } + } + } + if (flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u_int32_t(packet->payload, 4)) { + + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n"); + ndpi_int_soulseek_add_connection(ndpi_struct, flow); + return; + } + if (flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) { + } else { + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK); + } } #endif diff --git a/src/lib/protocols/spotify.c b/src/lib/protocols/spotify.c index 9f27c9abb..ee1ceabb3 100644 --- a/src/lib/protocols/spotify.c +++ b/src/lib/protocols/spotify.c @@ -27,11 +27,9 @@ #ifdef NDPI_PROTOCOL_SPOTIFY static void ndpi_int_spotify_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int8_t due_to_correlation) -{ + u_int8_t due_to_correlation) { ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_SPOTIFY/* , */ - /* due_to_correlation ? NDPI_CORRELATED_PROTOCOL : NDPI_REAL_PROTOCOL */); + NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN); } @@ -61,7 +59,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[6] == 0x52 && packet->payload[7] == 0x0e && packet->payload[8] == 0x50 ) { NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "Found spotify tcp dissector.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN); } 
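Review bot: The guard `usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4` in the stage-0 "Pattern command" branch of `ndpi_search_soulseek_tcp` evaluates left to right, so it compares against `payload_packet_len + 10`, not the payload length minus the fixed fields. A `usrlen` taken from the packet can therefore pass the check and make `get_l32(packet->payload, 4 + 1 + 4 + usrlen)` and `packet->payload[4 + 1 + 4 + usrlen + 4]` read past the end of the payload. Presumably the intent was `if (usrlen <= packet->payload_packet_len - (4 + 1 + 4 + 4 + 1 + 4)) {`, which cannot underflow because the enclosing condition already requires `payload_packet_len > 25`. The login-message `while` loop in the same stage has a related weakness: after `index += get_l32(packet->payload, index) + 4` it reads `get_u_int16_t(packet->payload, index + 2)` before `index` is checked against the length, so `index + 4 <= packet->payload_packet_len` should be tested first in the loop condition.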
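Review bot: The `due_to_correlation` parameter of `ndpi_int_spotify_add_connection` is no longer referenced anywhere in the body now that the commented-out `NDPI_CORRELATED_PROTOCOL : NDPI_REAL_PROTOCOL` argument is gone. Either drop the parameter together with its callers or mark it as intentionally unused, for example `(void)due_to_correlation; /* kept for caller compatibility */`. The `@@ -61,7 +59,7 @@` and `@@ -100,7 +98,7 @@` hunks call `ndpi_set_detected_protocol` directly instead of this helper, so the upper/lower pair for Spotify is now spelled out in three places.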
@@ -100,7 +98,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284A200 /* 194.132.162.0 */) ) { NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "Found spotify via ip range.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c index 3f7d1cfef..94a0fe30d 100644 --- a/src/lib/protocols/ssdp.c +++ b/src/lib/protocols/ssdp.c 
@@ -28,43 +28,43 @@ static void ndpi_int_ssdp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSDP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSDP, NDPI_PROTOCOL_UNKNOWN); } /* this detection also works asymmetrically */ void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "search ssdp.\n"); - if (packet->udp != NULL) { + NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "search ssdp.\n"); + if (packet->udp != NULL) { - if (packet->payload_packet_len > 100) { - if ((memcmp(packet->payload, "M-SEARCH * HTTP/1.1", 19) == 0) - || memcmp(packet->payload, "NOTIFY * HTTP/1.1", 17) == 0) { + if (packet->payload_packet_len > 100) { + if ((memcmp(packet->payload, "M-SEARCH * HTTP/1.1", 19) == 0) + || memcmp(packet->payload, "NOTIFY * HTTP/1.1", 17) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n"); - ndpi_int_ssdp_add_connection(ndpi_struct, flow); - return; - } + NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n"); + ndpi_int_ssdp_add_connection(ndpi_struct, flow); + return; + } #define SSDP_HTTP "HTTP/1.1 200 OK\r\n" - if(memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n"); - ndpi_int_ssdp_add_connection(ndpi_struct, flow); - return; - } - } - } + if(memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0) { + 
NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n"); + ndpi_int_ssdp_add_connection(ndpi_struct, flow); + return; + } + } + } - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "ssdp excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSDP); + NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "ssdp excluded.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSDP); } #endif diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 27827afa5..cadc43f6d 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c 
@@ -27,42 +27,35 @@ #ifdef NDPI_PROTOCOL_SSH static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH); + *ndpi_struct, struct ndpi_flow_struct *flow){ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - - - if (flow->l4.tcp.ssh_stage == 0) { - if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100 - && memcmp(packet->payload, "SSH-", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "ssh stage 0 passed\n"); - flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; - return; - } - } else if (flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { - if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100 - && memcmp(packet->payload, "SSH-", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "found ssh\n"); - ndpi_int_ssh_add_connection(ndpi_struct, flow); - return; - - } - - - } - - NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH); + struct ndpi_packet_struct *packet = &flow->packet; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; + + if (flow->l4.tcp.ssh_stage == 0) { + if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100 + && memcmp(packet->payload, "SSH-", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "ssh stage 0 passed\n"); + flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; + return; + } + } else if 
(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { + if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100 + && memcmp(packet->payload, "SSH-", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "found ssh\n"); + ndpi_int_ssh_add_connection(ndpi_struct, flow); + return; + + } + } + + NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH); } #endif diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index aac306393..c1ed2b666 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -40,7 +40,7 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp { if((protocol != NDPI_PROTOCOL_SSL) && (protocol != NDPI_PROTOCOL_SSL_NO_CERT)) { - ndpi_set_detected_protocol(ndpi_struct, flow, protocol); + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN); } else { struct ndpi_packet_struct *packet = &flow->packet; @@ -76,7 +76,7 @@ static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndp } } - ndpi_set_detected_protocol(ndpi_struct, flow, protocol); + ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN); } } @@ -569,7 +569,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && (packet->payload[4] == 0) && (packet->payload[2] <= 9) && (packet->payload[3] <= 9))) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_WHATSAPP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); return; } else { /* No whatsapp, let's try SSL */ diff --git a/src/lib/protocols/stealthnet.c b/src/lib/protocols/stealthnet.c index f9120252a..ff147c360 100644 --- a/src/lib/protocols/stealthnet.c +++ b/src/lib/protocols/stealthnet.c 
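Review bot: The `packet->payload_packet_len < 100` bound in both stages of `ndpi_search_ssh_tcp` rejects any segment of 100 bytes or more, while RFC 4253 allows an identification string of up to 255 bytes including CR LF. Because a mismatch falls through to `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH)`, a peer with a long version or comment field leaves the flow permanently unclassified as SSH, which matters where this result feeds policy or alerting. Consider `packet->payload_packet_len > 7 && packet->payload_packet_len <= 255` in both checks. If 100 is deliberate, document it next to the test, e.g. `/* banners of 100 bytes or more are not matched */`.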
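Review bot: In `ndpi_int_ssl_add_connection` (hunk `@@ -40,7 +40,7 @@`) the branch taken when `protocol` is neither `NDPI_PROTOCOL_SSL` nor `NDPI_PROTOCOL_SSL_NO_CERT` passes `NDPI_PROTOCOL_UNKNOWN` as the lower protocol, so a sub-protocol recognised on top of TLS is recorded without its carrier. If the new fourth argument is meant to hold the underlying protocol, as the `upper_detected_protocol` / `lower_detected_protocol` names in `ndpi_main.h` suggest, this call would read `ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_SSL);`. The function starts and ends outside the hunk, so confirm how `protocol` is derived before changing it. If `NDPI_PROTOCOL_UNKNOWN` is only a placeholder for this transitional commit, say so in a comment at the call.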
@@ -29,30 +29,30 @@ static void ndpi_int_stealthnet_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEALTHNET); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEALTHNET, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_stealthnet(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src = flow->src; -// struct ndpi_id_struct *dst = flow->dst; + // struct ndpi_id_struct *src = flow->src; + // struct ndpi_id_struct *dst = flow->dst; - if (packet->payload_packet_len > 40 - && memcmp(packet->payload, "LARS REGENSBURGER'S FILE SHARING PROTOCOL", 41) == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "found stealthnet\n"); - ndpi_int_stealthnet_add_connection(ndpi_struct, flow); - return; - } + if (packet->payload_packet_len > 40 + && memcmp(packet->payload, "LARS REGENSBURGER'S FILE SHARING PROTOCOL", 41) == 0) { + NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "found stealthnet\n"); + ndpi_int_stealthnet_add_connection(ndpi_struct, flow); + return; + } - NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "exclude stealthnet.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEALTHNET); + NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "exclude stealthnet.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEALTHNET); } #endif diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c index bd79bfa40..d820b9ee7 100644 --- a/src/lib/protocols/steam.c +++ b/src/lib/protocols/steam.c 
@@ -28,259 +28,259 @@ #ifdef NDPI_PROTOCOL_STEAM static void ndpi_int_steam_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_UNKNOWN); } static void ndpi_check_steam_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; - if (packet->user_agent_line.ptr != NULL - && packet->user_agent_line.len >= 23 - && memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } + if (packet->user_agent_line.ptr != NULL + && packet->user_agent_line.len >= 23 + && memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } } static void ndpi_check_steam_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t payload_len = packet->payload_packet_len; + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t payload_len = packet->payload_packet_len; - if (flow->steam_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + if (flow->steam_stage == 0) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); - if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && match_first_bytes(packet->payload, "\x01\x00\x00\x00")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + if 
(((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && match_first_bytes(packet->payload, "\x01\x00\x00\x00")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); - /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->steam_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - return; - } + /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ + flow->steam_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 + return; + } - if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); - - /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->steam_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 - return; - } - } else if ((flow->steam_stage == 1) || (flow->steam_stage == 2)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage); - - /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if ((flow->steam_stage - packet->packet_direction) == 1) { - return; - } - - /* This is a packet in another direction. Check if we find the proper response. 
*/ - if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); - flow->steam_stage = 0; - } - } else if ((flow->steam_stage == 3) || (flow->steam_stage == 4)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage); - - /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if ((flow->steam_stage - packet->packet_direction) == 3) { - return; - } - - /* This is a packet in another direction. Check if we find the proper response. */ - if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && match_first_bytes(packet->payload, "\x01\x00\x00\x00")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); - flow->steam_stage = 0; - } - } + if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + + /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. 
*/ + flow->steam_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 + return; + } + } else if ((flow->steam_stage == 1) || (flow->steam_stage == 2)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage); + + /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ + if ((flow->steam_stage - packet->packet_direction) == 1) { + return; + } + + /* This is a packet in another direction. Check if we find the proper response. */ + if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + flow->steam_stage = 0; + } + } else if ((flow->steam_stage == 3) || (flow->steam_stage == 4)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage); + + /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ + if ((flow->steam_stage - packet->packet_direction) == 3) { + return; + } + + /* This is a packet in another direction. Check if we find the proper response. 
*/ + if (((payload_len == 1) || (payload_len == 4) || (payload_len == 5)) && match_first_bytes(packet->payload, "\x01\x00\x00\x00")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + flow->steam_stage = 0; + } + } } static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t payload_len = packet->payload_packet_len; + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t payload_len = packet->payload_packet_len; - if ((payload_len > 0) && match_first_bytes(packet->payload, "VS01")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - return; - } - - /* Check if we so far detected the protocol in the request or not. */ - if (flow->steam_stage1 == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + if ((payload_len > 0) && match_first_bytes(packet->payload, "VS01")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + return; + } + + /* Check if we so far detected the protocol in the request or not. 
*/ + if (flow->steam_stage1 == 0) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); - if ((payload_len > 0) && match_first_bytes(packet->payload, "\x31\xff\x30\x2e")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + if ((payload_len > 0) && match_first_bytes(packet->payload, "\x31\xff\x30\x2e")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); - /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->steam_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - return; - } + /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ + flow->steam_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 + return; + } - if ((payload_len > 0) && match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); - - /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->steam_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 - return; - } - - } else if ((flow->steam_stage1 == 1) || (flow->steam_stage1 == 2)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage1); - - /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if ((flow->steam_stage1 - packet->packet_direction) == 1) { - return; - } - - /* This is a packet in another direction. Check if we find the proper response. 
*/ - if ((payload_len > 0) && match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); - flow->steam_stage1 = 0; - } + if ((payload_len > 0) && match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + + /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ + flow->steam_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 + return; + } + + } else if ((flow->steam_stage1 == 1) || (flow->steam_stage1 == 2)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage1); + + /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ + if ((flow->steam_stage1 - packet->packet_direction) == 1) { + return; + } + + /* This is a packet in another direction. Check if we find the proper response. */ + if ((payload_len > 0) && match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + flow->steam_stage1 = 0; + } - } else if ((flow->steam_stage1 == 3) || (flow->steam_stage1 == 4)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage1); - - /* At first check, if this is for sure a response packet (in another direction. 
If not, do nothing now and return. */ - if ((flow->steam_stage1 - packet->packet_direction) == 3) { - return; - } - - /* This is a packet in another direction. Check if we find the proper response. */ - if ((payload_len > 0) && match_first_bytes(packet->payload, "\x31\xff\x30\x2e")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); - flow->steam_stage1 = 0; - } + } else if ((flow->steam_stage1 == 3) || (flow->steam_stage1 == 4)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage1); + + /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ + if ((flow->steam_stage1 - packet->packet_direction) == 3) { + return; + } + + /* This is a packet in another direction. Check if we find the proper response. */ + if ((payload_len > 0) && match_first_bytes(packet->payload, "\x31\xff\x30\x2e")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + flow->steam_stage1 = 0; + } - } + } } static void ndpi_check_steam_udp2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t payload_len = packet->payload_packet_len; + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t payload_len = packet->payload_packet_len; - /* Check if we so far detected the protocol in the request or not. 
*/ - if (flow->steam_stage2 == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + /* Check if we so far detected the protocol in the request or not. */ + if (flow->steam_stage2 == 0) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); - if ((payload_len == 25) && match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); - - /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->steam_stage2 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - } - - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage2); - - /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if ((flow->steam_stage2 - packet->packet_direction) == 1) { - return; - } - - /* This is a packet in another direction. Check if we find the proper response. */ - if ((payload_len == 0) || match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); - flow->steam_stage2 = 0; - } + if ((payload_len == 25) && match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + + /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. 
*/ + flow->steam_stage2 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 + } + + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage2); + + /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ + if ((flow->steam_stage2 - packet->packet_direction) == 1) { + return; + } + + /* This is a packet in another direction. Check if we find the proper response. */ + if ((payload_len == 0) || match_first_bytes(packet->payload, "\xff\xff\xff\xff")) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + flow->steam_stage2 = 0; + } - } + } } static void ndpi_check_steam_udp3(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t payload_len = packet->payload_packet_len; + struct ndpi_packet_struct *packet = &flow->packet; + u_int32_t payload_len = packet->payload_packet_len; - /* Check if we so far detected the protocol in the request or not. */ - if (flow->steam_stage3 == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + /* Check if we so far detected the protocol in the request or not. 
*/ + if (flow->steam_stage3 == 0) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); - if ((payload_len == 4) && (packet->payload[0] == 0x39) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); - - /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ - flow->steam_stage3 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - } - - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage3); - - /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ - if ((flow->steam_stage3 - packet->packet_direction) == 1) { - return; - } - - /* This is a packet in another direction. Check if we find the proper response. */ - if ((payload_len == 0) || ((payload_len == 8) && (packet->payload[0] == 0x3a) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00))) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); - ndpi_int_steam_add_connection(ndpi_struct, flow); - } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); - flow->steam_stage3 = 0; - } + if ((payload_len == 4) && (packet->payload[0] == 0x39) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00)) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + + /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. 
*/ + flow->steam_stage3 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 + } + + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage3); + + /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ + if ((flow->steam_stage3 - packet->packet_direction) == 1) { + return; + } + + /* This is a packet in another direction. Check if we find the proper response. */ + if ((payload_len == 0) || ((payload_len == 8) && (packet->payload[0] == 0x3a) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00))) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + ndpi_int_steam_add_connection(ndpi_struct, flow); + } else { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + flow->steam_stage3 = 0; + } - } + } } void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; - /* Break after 20 packets. */ - if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Exclude STEAM.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEAM); - return; - } - - /* skip marked or retransmitted packets */ - if (packet->tcp_retransmission != 0) { - return; - } - - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { - return; - } - - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM detection...\n"); - ndpi_check_steam_http(ndpi_struct, flow); + /* Break after 20 packets. 
*/ + if (flow->packet_counter > 20) { + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Exclude STEAM.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEAM); + return; + } + + /* skip marked or retransmitted packets */ + if (packet->tcp_retransmission != 0) { + return; + } + + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { + return; + } + + NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM detection...\n"); + ndpi_check_steam_http(ndpi_struct, flow); - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { - return; - } + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { + return; + } - ndpi_check_steam_tcp(ndpi_struct, flow); + ndpi_check_steam_tcp(ndpi_struct, flow); - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { - return; - } + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { + return; + } - ndpi_check_steam_udp1(ndpi_struct, flow); + ndpi_check_steam_udp1(ndpi_struct, flow); - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { - return; - } + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { + return; + } - ndpi_check_steam_udp2(ndpi_struct, flow); + ndpi_check_steam_udp2(ndpi_struct, flow); - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { - return; - } + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { + return; + } - ndpi_check_steam_udp3(ndpi_struct, flow); + ndpi_check_steam_udp3(ndpi_struct, flow); } #endif diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index d12216288..72af5313e 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c 
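Review bot: In ndpi_check_steam_tcp the length test admits `payload_len == 1`, yet the same condition then reads `packet->payload[1]` and `packet->payload[2]`, and passes the payload to `match_first_bytes(packet->payload, "\x01\x00\x00\x00")`, which presumably compares all four bytes of the literal (the macro is not shown here), so a one-byte payload is read past its end. The same pattern is in ndpi_check_steam_udp1, where `payload_len > 0` precedes a four-byte match, and in the reply check of ndpi_check_steam_udp2, where `(payload_len == 0) || match_first_bytes(...)` reaches the match for lengths 1 to 3. The payload is untrusted network data, so each multi-byte test should be gated on the bytes it actually reads, e.g. `(payload_len >= 4) && match_first_bytes(packet->payload, "VS01")` and `(payload_len >= 3) && (packet->payload[0] == 0x00) && ...`. This hunk only re-indents those lines next to the one-line signature change, so the fix is better made as a separate follow-up than hidden in the whitespace churn.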
@@ -37,9 +37,8 @@ struct stun_packet_header { }; static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - u_int proto, - struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, proto); + u_int proto, struct ndpi_flow_struct *flow) { + ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_UNKNOWN); } typedef enum { diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c index 108a490a4..2d578b2cc 100644 --- a/src/lib/protocols/syslog.c +++ b/src/lib/protocols/syslog.c 
@@ -27,104 +27,104 @@ #ifdef NDPI_PROTOCOL_SYSLOG static void ndpi_int_syslog_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SYSLOG); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SYSLOG, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_syslog(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int8_t i; + u_int8_t i; - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "search syslog\n"); + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "search syslog\n"); - if (packet->payload_packet_len > 20 && packet->payload_packet_len <= 1024 && packet->payload[0] == '<') { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "checked len>20 and <1024 and first symbol=<.\n"); - i = 1; + if (packet->payload_packet_len > 20 && packet->payload_packet_len <= 1024 && packet->payload[0] == '<') { + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "checked len>20 and <1024 and first symbol=<.\n"); + i = 1; - for (;;) { - if (packet->payload[i] < '0' || packet->payload[i] > '9' || i++ > 3) { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, - "read symbols while the symbol is a number.\n"); - break; - } - } + for (;;) { + if (packet->payload[i] < '0' || packet->payload[i] > '9' || i++ > 3) { + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, + "read symbols while the symbol is a number.\n"); + break; + } + } - if (packet->payload[i++] != '>') { - 
NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "there is no > following the number.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); - return; - } else { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "a > following the number.\n"); - } + if (packet->payload[i++] != '>') { + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "there is no > following the number.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); + return; + } else { + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "a > following the number.\n"); + } - if (packet->payload[i] == 0x20) { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "a blank following the >: increment i.\n"); - i++; - } else { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "no blank following the >: do nothing.\n"); - } + if (packet->payload[i] == 0x20) { + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "a blank following the >: increment i.\n"); + i++; + } else { + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "no blank following the >: do nothing.\n"); + } - /* check for "last message repeated" */ - if (i + sizeof("last message") - 1 <= packet->payload_packet_len && - memcmp(packet->payload + i, "last message", sizeof("last message") - 1) == 0) { + /* check for "last message repeated" */ + if (i + sizeof("last message") - 1 <= packet->payload_packet_len && + memcmp(packet->payload + i, "last message", sizeof("last message") - 1) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "found syslog by 'last message' string.\n"); + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "found syslog by 'last message' string.\n"); - ndpi_int_syslog_add_connection(ndpi_struct, flow); + ndpi_int_syslog_add_connection(ndpi_struct, flow); - return; - } else if (i + sizeof("snort: ") - 1 <= packet->payload_packet_len && - 
memcmp(packet->payload + i, "snort: ", sizeof("snort: ") - 1) == 0) { + return; + } else if (i + sizeof("snort: ") - 1 <= packet->payload_packet_len && + memcmp(packet->payload + i, "snort: ", sizeof("snort: ") - 1) == 0) { - /* snort events */ + /* snort events */ - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "found syslog by 'snort: ' string.\n"); + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "found syslog by 'snort: ' string.\n"); - ndpi_int_syslog_add_connection(ndpi_struct, flow); + ndpi_int_syslog_add_connection(ndpi_struct, flow); - return; - } + return; + } - if (memcmp(&packet->payload[i], "Jan", 3) != 0 - && memcmp(&packet->payload[i], "Feb", 3) != 0 - && memcmp(&packet->payload[i], "Mar", 3) != 0 - && memcmp(&packet->payload[i], "Apr", 3) != 0 - && memcmp(&packet->payload[i], "May", 3) != 0 - && memcmp(&packet->payload[i], "Jun", 3) != 0 - && memcmp(&packet->payload[i], "Jul", 3) != 0 - && memcmp(&packet->payload[i], "Aug", 3) != 0 - && memcmp(&packet->payload[i], "Sep", 3) != 0 - && memcmp(&packet->payload[i], "Oct", 3) != 0 - && memcmp(&packet->payload[i], "Nov", 3) != 0 && memcmp(&packet->payload[i], "Dec", 3) != 0) { + if (memcmp(&packet->payload[i], "Jan", 3) != 0 + && memcmp(&packet->payload[i], "Feb", 3) != 0 + && memcmp(&packet->payload[i], "Mar", 3) != 0 + && memcmp(&packet->payload[i], "Apr", 3) != 0 + && memcmp(&packet->payload[i], "May", 3) != 0 + && memcmp(&packet->payload[i], "Jun", 3) != 0 + && memcmp(&packet->payload[i], "Jul", 3) != 0 + && memcmp(&packet->payload[i], "Aug", 3) != 0 + && memcmp(&packet->payload[i], "Sep", 3) != 0 + && memcmp(&packet->payload[i], "Oct", 3) != 0 + && memcmp(&packet->payload[i], "Nov", 3) != 0 && memcmp(&packet->payload[i], "Dec", 3) != 0) { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, - "no month-shortname following: syslog excluded.\n"); + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, + "no month-shortname following: syslog excluded.\n"); - 
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); - return; + return; - } else { + } else { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, - "a month-shortname following: syslog detected.\n"); + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, + "a month-shortname following: syslog detected.\n"); - ndpi_int_syslog_add_connection(ndpi_struct, flow); + ndpi_int_syslog_add_connection(ndpi_struct, flow); - return; - } - } - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "no syslog detected.\n"); + return; + } + } + NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "no syslog detected.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); } #endif diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 0d7ecd97d..7abe27b52 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c @@ -49,7 +49,7 @@ void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, st struct ndpi_packet_struct *packet = &flow->packet; if(ndpi_is_tor_flow(ndpi_struct, flow)) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN); return; } @@ -70,7 +70,7 @@ void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, st sport, dport); if(proto != NDPI_PROTOCOL_UNKNOWN) - ndpi_set_detected_protocol(ndpi_struct, flow, proto); + ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_UNKNOWN); } } diff --git a/src/lib/protocols/tds.c b/src/lib/protocols/tds.c index 7bf6639f4..32accbb6c 100644 --- a/src/lib/protocols/tds.c +++ b/src/lib/protocols/tds.c 
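Review bot: The priority parsing in ndpi_search_syslog is looser than the `<PRI>` field it is meant to match: the `for (;;)` loop with `i++ > 3` stops after zero to four digits, so both `<>` and a four-digit value pass the following `packet->payload[i++] != '>'` test, whereas a syslog PRI carries one to three digits. If that laxity is not intended, reject those cases where the `>` is checked, `if (i == 1 || i > 4 || packet->payload[i++] != '>')`. The debug string also says "len>20 and <1024" while the condition is `<= 1024`. A short comment that the fixed-offset reads after the loop are in bounds only because of the `payload_packet_len > 20` guard would help the next reader.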
@@ -27,65 +27,65 @@ #ifdef NDPI_PROTOCOL_TDS static void ndpi_int_tds_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TDS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TDS, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_tds_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 8 - && packet->payload_packet_len < 512 - && packet->payload[1] < 0x02 - && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len && get_u_int16_t(packet->payload, 4) == 0x0000) { + if (packet->payload_packet_len > 8 + && packet->payload_packet_len < 512 + && packet->payload[1] < 0x02 + && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len && get_u_int16_t(packet->payload, 4) == 0x0000) { - if (flow->l4.tcp.tds_stage == 0) { - if (packet->payload[0] != 0x02 && packet->payload[0] != 0x07 && packet->payload[0] != 0x12) { - goto exclude_tds; - } else { - flow->l4.tcp.tds_stage = 1 + packet->packet_direction; - flow->l4.tcp.tds_login_version = packet->payload[0]; - return; - } - } else if (flow->l4.tcp.tds_stage == 2 - packet->packet_direction) { - switch (flow->l4.tcp.tds_login_version) { - case 0x12: - if (packet->payload[0] == 0x04) { - flow->l4.tcp.tds_stage = 3 + packet->packet_direction; - return; - } else { - goto exclude_tds; - } - //TODO: add more cases for other versions - default: - goto exclude_tds; - } - } else if (flow->l4.tcp.tds_stage == 4 - 
packet->packet_direction) { - switch (flow->l4.tcp.tds_login_version) { - case 0x12: - if (packet->payload[0] == 0x12) { - NDPI_LOG(NDPI_PROTOCOL_TDS, ndpi_struct, NDPI_LOG_DEBUG, "TDS detected\n"); - ndpi_int_tds_add_connection(ndpi_struct, flow); - return; - } else { - goto exclude_tds; - } - //TODO: add more cases for other versions - default: - goto exclude_tds; - } - } + if (flow->l4.tcp.tds_stage == 0) { + if (packet->payload[0] != 0x02 && packet->payload[0] != 0x07 && packet->payload[0] != 0x12) { + goto exclude_tds; + } else { + flow->l4.tcp.tds_stage = 1 + packet->packet_direction; + flow->l4.tcp.tds_login_version = packet->payload[0]; + return; + } + } else if (flow->l4.tcp.tds_stage == 2 - packet->packet_direction) { + switch (flow->l4.tcp.tds_login_version) { + case 0x12: + if (packet->payload[0] == 0x04) { + flow->l4.tcp.tds_stage = 3 + packet->packet_direction; + return; + } else { + goto exclude_tds; } + //TODO: add more cases for other versions + default: + goto exclude_tds; + } + } else if (flow->l4.tcp.tds_stage == 4 - packet->packet_direction) { + switch (flow->l4.tcp.tds_login_version) { + case 0x12: + if (packet->payload[0] == 0x12) { + NDPI_LOG(NDPI_PROTOCOL_TDS, ndpi_struct, NDPI_LOG_DEBUG, "TDS detected\n"); + ndpi_int_tds_add_connection(ndpi_struct, flow); + return; + } else { + goto exclude_tds; + } + //TODO: add more cases for other versions + default: + goto exclude_tds; + } + } + } - exclude_tds: + exclude_tds: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TDS); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TDS); } #endif diff --git a/src/lib/protocols/teamspeak.c b/src/lib/protocols/teamspeak.c index e29241675..dbd1874b6 100644 --- a/src/lib/protocols/teamspeak.c +++ b/src/lib/protocols/teamspeak.c 
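Review bot: In ndpi_search_tds_tcp, stage 0 accepts `0x02`, `0x07` and `0x12` as the first byte and stores it in `tds_login_version`, but both later `switch (flow->l4.tcp.tds_login_version)` blocks only have `case 0x12:`, so a flow that opened with 0x02 or 0x07 is tracked for one more packet and then always lands on `default: goto exclude_tds;`. Until the `//TODO` cases exist, either narrow the stage-0 test to `packet->payload[0] != 0x12` or say so at the stage-0 check with a comment such as `/* 0x02 and 0x07 are accepted here but not yet handled in later stages */`. As written, those login types are silently never reported as TDS.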
@@ -25,7 +25,7 @@ static void ndpi_int_teamspeak_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMSPEAK); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMSPEAK, NDPI_PROTOCOL_UNKNOWN); } u_int16_t tdport = 0, tsport = 0; u_int16_t udport = 0, usport = 0; diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c index aed62f0e7..6a35bb1af 100644 --- a/src/lib/protocols/teamviewer.c +++ b/src/lib/protocols/teamviewer.c @@ -30,7 +30,7 @@ static void ndpi_int_teamview_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER, NDPI_PROTOCOL_UNKNOWN); NDPI_LOG(NDPI_PROTOCOL_TEAMVIEWER, ndpi_struct, NDPI_LOG_TRACE, "TEAMWIEWER Found.\n"); } diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c index 3b4085800..0c518a963 100644 --- a/src/lib/protocols/telegram.c +++ b/src/lib/protocols/telegram.c @@ -30,7 +30,7 @@ static void ndpi_int_telegram_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN); NDPI_LOG(NDPI_PROTOCOL_TELEGRAM, ndpi_struct, NDPI_LOG_TRACE, "TELEGRAM Found.\n"); } diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index b54b09865..4ed6c79ae 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c 
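Review bot: The context lines after `ndpi_int_teamspeak_add_connection` declare `u_int16_t tdport = 0, tsport = 0;` and `u_int16_t udport = 0, usport = 0;` at file scope without `static`, so they are exported, mutable globals. Their use is outside this hunk, but if the search function stores per-packet ports in them, that state is shared between all flows and between the worker threads ndpiReader runs. That would be a data race, and one flow's ports could influence another flow's classification. They look like they belong as locals in the search function; at minimum `static u_int16_t ...` keeps them out of the library's symbol table.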
@@ -29,79 +29,79 @@ static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN); } #if !defined(WIN32) - static inline +static inline #else __forceinline static #endif - u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - - u_int16_t a; - - if (packet->payload_packet_len < 3) { - return 0; - } - - if (!(packet->payload[0] == 0xff - && packet->payload[1] > 0xf9 && packet->payload[1] != 0xff && packet->payload[2] < 0x28)) { - return 0; - } - - a = 3; - - while (a < packet->payload_packet_len - 2) { - // commands start with a 0xff byte followed by a command byte >= 0xf0 and < 0xff - // command bytes 0xfb to 0xfe are followed by an option byte <= 0x28 - if (!(packet->payload[a] != 0xff || - (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xf0) && (packet->payload[a + 1] <= 0xfa)) || - (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xfb) && (packet->payload[a + 1] != 0xff) - && (packet->payload[a + 2] <= 0x28)))) { - return 0; - } - a++; - } - - return 1; + struct ndpi_packet_struct *packet = &flow->packet; + + u_int16_t a; + + if (packet->payload_packet_len < 3) { + return 0; + } + + if (!(packet->payload[0] == 0xff + && packet->payload[1] > 0xf9 && packet->payload[1] != 0xff && packet->payload[2] < 0x28)) { + return 0; + } + + a = 3; + + while (a < packet->payload_packet_len - 2) { + // commands start with a 0xff byte followed by a command byte >= 0xf0 and < 0xff + // command bytes 0xfb to 0xfe are followed by an option byte <= 0x28 + if (!(packet->payload[a] != 0xff || 
+ (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xf0) && (packet->payload[a + 1] <= 0xfa)) || + (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xfb) && (packet->payload[a + 1] != 0xff) + && (packet->payload[a + 2] <= 0x28)))) { + return 0; + } + a++; + } + + return 1; } /* this detection also works asymmetrically */ void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { -// struct ndpi_packet_struct *packet = &flow->packet; + // struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "search telnet.\n"); - - if (search_iac(ndpi_struct, flow) == 1) { - - if (flow->l4.tcp.telnet_stage == 2) { - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet identified.\n"); - ndpi_int_telnet_add_connection(ndpi_struct, flow); - return; - } - flow->l4.tcp.telnet_stage++; - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet stage %u.\n", flow->l4.tcp.telnet_stage); - return; - } - - if ((flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0) || flow->packet_counter < 6) { - return; - } else { - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELNET); - } - return; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; + + NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "search telnet.\n"); + + if (search_iac(ndpi_struct, flow) == 1) { + + if (flow->l4.tcp.telnet_stage == 2) { + NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet identified.\n"); + ndpi_int_telnet_add_connection(ndpi_struct, flow); + return; + } + flow->l4.tcp.telnet_stage++; + NDPI_LOG(NDPI_PROTOCOL_TELNET, 
ndpi_struct, NDPI_LOG_DEBUG, "telnet stage %u.\n", flow->l4.tcp.telnet_stage); + return; + } + + if ((flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0) || flow->packet_counter < 6) { + return; + } else { + NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet excluded.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELNET); + } + return; } #endif diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c index 3efa3eccc..503de6b57 100644 --- a/src/lib/protocols/tftp.c +++ b/src/lib/protocols/tftp.c 
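Review bot: search_iac bounds the option byte in two different ways: the opening command is accepted only when `packet->payload[2] < 0x28`, while the loop accepts `packet->payload[a + 2] <= 0x28`, and the loop's comment states that option bytes are `<= 0x28`. One of the two is presumably off by one; if the comment is right, the opening check should read `packet->payload[2] <= 0x28`. The reads themselves stay in bounds, because the length is checked to be at least 3 and the loop stops at `payload_packet_len - 2` before touching `payload[a + 2]`.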
@@ -27,44 +27,39 @@ #ifdef NDPI_PROTOCOL_TFTP static void ndpi_int_tftp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TFTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TFTP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_tftp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - + struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "search TFTP.\n"); + if (packet->payload_packet_len > 3 && flow->l4.udp.tftp_stage == 0 + && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001) { + NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe tftp. need next packet.\n"); + flow->l4.udp.tftp_stage = 1; + return; + } + if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1) + && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) { - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "search TFTP.\n"); + NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "found tftp.\n"); + ndpi_int_tftp_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len > 1 + && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0) + || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) { + NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "skip initial packet.\n"); + return; + } - - - if (packet->payload_packet_len > 3 && flow->l4.udp.tftp_stage == 0 - && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001) { - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe tftp. 
need next packet.\n"); - flow->l4.udp.tftp_stage = 1; - return; - } - if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1) - && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) { - - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "found tftp.\n"); - ndpi_int_tftp_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len > 1 - && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0) - || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) { - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "skip initial packet.\n"); - return; - } - - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude TFTP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TFTP); + NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude TFTP.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TFTP); } #endif diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c index 0d905dfe8..2c013c750 100644 --- a/src/lib/protocols/thunder.c +++ b/src/lib/protocols/thunder.c @@ -33,7 +33,7 @@ static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { src->thunder_ts = packet->tick_timestamp; diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index ab9d2b920..458e1ef3a 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c 
@@ -14,7 +14,7 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/tvants.c b/src/lib/protocols/tvants.c index 4142bfef5..ba52cc50c 100644 --- a/src/lib/protocols/tvants.c +++ b/src/lib/protocols/tvants.c 
@@ -28,51 +28,51 @@ #ifdef NDPI_PROTOCOL_TVANTS static void ndpi_int_tvants_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TVANTS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TVANTS, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_tvants_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "search tvants. \n"); + NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "search tvants. 
\n"); - if (packet->udp != NULL && packet->payload_packet_len > 57 - && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 - && (packet->payload[2] == 0x05 || packet->payload[2] == 0x06 - || packet->payload[2] == 0x07) && packet->payload[3] == 0x00 - && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4] - && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 - && (memcmp(&packet->payload[48], "TVANTS", 6) == 0 - || memcmp(&packet->payload[49], "TVANTS", 6) == 0 || memcmp(&packet->payload[51], "TVANTS", 6) == 0)) { + if (packet->udp != NULL && packet->payload_packet_len > 57 + && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 + && (packet->payload[2] == 0x05 || packet->payload[2] == 0x06 + || packet->payload[2] == 0x07) && packet->payload[3] == 0x00 + && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4] + && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 + && (memcmp(&packet->payload[48], "TVANTS", 6) == 0 + || memcmp(&packet->payload[49], "TVANTS", 6) == 0 || memcmp(&packet->payload[51], "TVANTS", 6) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "found tvants over udp. \n"); - ndpi_int_tvants_add_connection(ndpi_struct, flow); + NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "found tvants over udp. 
\n"); + ndpi_int_tvants_add_connection(ndpi_struct, flow); - } else if (packet->tcp != NULL && packet->payload_packet_len > 15 - && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 - && packet->payload[2] == 0x07 && packet->payload[3] == 0x00 - && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4] - && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 - && memcmp(&packet->payload[8], "TVANTS", 6) == 0) { + } else if (packet->tcp != NULL && packet->payload_packet_len > 15 + && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 + && packet->payload[2] == 0x07 && packet->payload[3] == 0x00 + && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4] + && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 + && memcmp(&packet->payload[8], "TVANTS", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "found tvants over tcp. \n"); - ndpi_int_tvants_add_connection(ndpi_struct, flow); + NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "found tvants over tcp. \n"); + ndpi_int_tvants_add_connection(ndpi_struct, flow); - } - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "exclude tvants. \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TVANTS); + } + NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "exclude tvants. \n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TVANTS); } #endif diff --git a/src/lib/protocols/tvuplayer.c b/src/lib/protocols/tvuplayer.c index d14476435..7e58c54a3 100644 --- a/src/lib/protocols/tvuplayer.c +++ b/src/lib/protocols/tvuplayer.c 
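Review bot: Both match branches of ndpi_search_tvants_udp call `ndpi_int_tvants_add_connection(ndpi_struct, flow);` and then fall through to the "exclude tvants" log and `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TVANTS);`, so a flow that has just been classified is also marked as excluded. Adding `return;` after each add_connection call, as the tds, vnc and winmx dissectors in this commit do, keeps the detected and excluded state consistent. The re-indentation carries this over unchanged from the old side, so this is a convenient place to fix it.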
@@ -31,7 +31,7 @@ static void ndpi_int_tvuplayer_add_connection(struct ndpi_detection_module_struc struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TVUPLAYER); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TVUPLAYER, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/twitter.c b/src/lib/protocols/twitter.c index 7bd1fa74c..13dd1e98d 100644 --- a/src/lib/protocols/twitter.c +++ b/src/lib/protocols/twitter.c @@ -29,7 +29,7 @@ static void ndpi_int_twitter_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_TWITTER); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_TWITTER, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/usenet.c b/src/lib/protocols/usenet.c index 345ce07b2..3d81dd928 100644 --- a/src/lib/protocols/usenet.c +++ b/src/lib/protocols/usenet.c @@ -29,9 +29,9 @@ static void ndpi_int_usenet_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_USENET); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_USENET, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/veohtv.c b/src/lib/protocols/veohtv.c index e2c9c008b..f6b29607f 100644 --- a/src/lib/protocols/veohtv.c +++ b/src/lib/protocols/veohtv.c 
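Review bot: In twitter.c the lower protocol is hard-coded to `NDPI_PROTOCOL_UNKNOWN` next to `NDPI_SERVICE_TWITTER`, which by its name is a service label rather than a wire protocol, so the carrier is dropped exactly where the new two-level result could record it. The same applies to `NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV` in the veohtv.c hunk, whose name suggests it is carried over HTTP. If this commit is meant as a mechanical signature update, a comment at these call sites such as `/* TODO: pass the carrier protocol as lower_detected_protocol */` would mark the UNKNOWN as a placeholder. Otherwise anything that filters or alerts on the lower protocol will see these flows as unclassified at that level.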
@@ -31,7 +31,7 @@ static void ndpi_int_veohtv_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_veohtv_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/vhua.c b/src/lib/protocols/vhua.c index aa6b3517c..7e8951e4c 100644 --- a/src/lib/protocols/vhua.c +++ b/src/lib/protocols/vhua.c @@ -31,7 +31,7 @@ #ifdef NDPI_PROTOCOL_VHUA static void ndpi_int_vhua_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VHUA); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VHUA, NDPI_PROTOCOL_UNKNOWN); NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "VHUA Found.\n"); } diff --git a/src/lib/protocols/viber.c b/src/lib/protocols/viber.c index e6e1a5840..803227457 100644 --- a/src/lib/protocols/viber.c +++ b/src/lib/protocols/viber.c @@ -36,7 +36,7 @@ void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct, struct || (packet->payload_packet_len == 20 && packet->payload[2] == 0x09 && packet->payload[3] == 0x00) || ((packet->payload_packet_len < 135) && (packet->payload[0] == 0x11))) { NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "found VIBER.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VIBER); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_UNKNOWN); return; } } diff --git a/src/lib/protocols/vmware.c b/src/lib/protocols/vmware.c index 881cfb7fe..6fb74aea5 100644 --- a/src/lib/protocols/vmware.c +++ b/src/lib/protocols/vmware.c 
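Review bot: In the viber.c hunk, the last alternative of the match condition, `((packet->payload_packet_len < 135) && (packet->payload[0] == 0x11))`, reads `payload[0]` with only an upper bound on the length. Unless an enclosing check above the hunk rules out an empty payload, that is a one-byte read past a zero-length payload, and `(packet->payload_packet_len > 0) &&` in that clause would close it. The same clause labels any short packet beginning with 0x11 as Viber, which looks loose enough to misclassify unrelated traffic. The condition starts above the hunk, so its first alternatives and any outer guard are not visible here.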
@@ -15,7 +15,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -27,13 +27,13 @@ void ndpi_search_vmware(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - + /* Check whether this is an VMWARE flow */ if((packet->payload_packet_len == 66) && (ntohs(packet->udp->dest) == 902) && ((packet->payload[0] & 0xFF) == 0xA4)) { NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "Found vmware.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE, NDPI_PROTOCOL_UNKNOWN); } else { NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "exclude vmware.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VMWARE); diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index f67ad26ba..b44b7a167 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c @@ -28,9 +28,9 @@ #ifdef NDPI_PROTOCOL_VNC static void ndpi_int_vnc_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN); } /* 
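Review bot: ndpi_search_vmware dereferences `packet->udp` in `ntohs(packet->udp->dest) == 902` without a NULL check, and nothing in the visible part of the function establishes that the packet is UDP. Whether the dissector is registered for UDP only is not visible here; if it can be reached for a TCP flow with a 66-byte payload, this is a NULL dereference driven by network input. Starting the condition with `(packet->udp != NULL) &&` removes the dependency on the registration being right. The function's closing lines are outside the hunk.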
@@ -40,28 +40,28 @@ static void ndpi_int_vnc_add_connection(struct ndpi_detection_module_struct void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (flow->l4.tcp.vnc_stage == 0) { - if (packet->payload_packet_len == 12 - && memcmp(packet->payload, "RFB 003.00", 10) == 0 && packet->payload[11] == 0x0a) { - NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "reached vnc stage one\n"); - flow->l4.tcp.vnc_stage = 1 + packet->packet_direction; - return; - } - } else if (flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) { - if (packet->payload_packet_len == 12 - && memcmp(packet->payload, "RFB 003.00", 10) == 0 && packet->payload[11] == 0x0a) { - NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "found vnc\n"); - ndpi_int_vnc_add_connection(ndpi_struct, flow); - return; - } - } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VNC); + if (flow->l4.tcp.vnc_stage == 0) { + if (packet->payload_packet_len == 12 + && memcmp(packet->payload, "RFB 003.00", 10) == 0 && packet->payload[11] == 0x0a) { + NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "reached vnc stage one\n"); + flow->l4.tcp.vnc_stage = 1 + packet->packet_direction; + return; + } + } else if (flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) { + if (packet->payload_packet_len == 12 + && memcmp(packet->payload, "RFB 003.00", 10) == 0 && packet->payload[11] == 0x0a) { + NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "found vnc\n"); + ndpi_int_vnc_add_connection(ndpi_struct, flow); + return; + } + } + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VNC); } 
#endif diff --git a/src/lib/protocols/warcraft3.c b/src/lib/protocols/warcraft3.c index aa4f25962..4433eb55d 100644 --- a/src/lib/protocols/warcraft3.c +++ b/src/lib/protocols/warcraft3.c @@ -32,7 +32,7 @@ static void ndpi_int_warcraft3_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WARCRAFT3); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WARCRAFT3, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_warcraft3(struct ndpi_detection_module_struct diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c index c3a7a2c3c..1da106e8d 100644 --- a/src/lib/protocols/whoisdas.c +++ b/src/lib/protocols/whoisdas.c @@ -50,7 +50,7 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_DEBUG, "[WHOIS/DAS] %s\n", flow->host_server_name); } - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN); } else { NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_TRACE, "WHOIS Excluded.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WHOIS_DAS); diff --git a/src/lib/protocols/winmx.c b/src/lib/protocols/winmx.c index fc08beab5..f2cac7482 100644 --- a/src/lib/protocols/winmx.c +++ b/src/lib/protocols/winmx.c 
@@ -29,76 +29,76 @@ static void ndpi_int_winmx_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow); + *ndpi_struct, struct ndpi_flow_struct *flow); static void ndpi_int_winmx_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINMX); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINMX, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_winmx_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - - if (flow->l4.tcp.winmx_stage == 0) { - if (packet->payload_packet_len == 1 || (packet->payload_packet_len > 1 && packet->payload[0] == 0x31)) { - return; - } - /* did not see this pattern in any trace that we have */ - if (((packet->payload_packet_len) == 4) - && (memcmp(packet->payload, "SEND", 4) == 0)) { - - NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "maybe WinMX Send\n"); - flow->l4.tcp.winmx_stage = 1; - return; - } - - if (((packet->payload_packet_len) == 3) - && (memcmp(packet->payload, "GET", 3) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "found winmx by GET\n"); - ndpi_int_winmx_add_connection(ndpi_struct, flow); - return; - } - - - if (packet->payload_packet_len == 149 && packet->payload[0] == '8') { - NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "maybe WinMX\n"); - if (get_u_int32_t(packet->payload, 17) == 0 - && get_u_int32_t(packet->payload, 21) == 0 - && get_u_int32_t(packet->payload, 25) == 0 - && get_u_int16_t(packet->payload, 39) == 0 && get_u_int16_t(packet->payload, 135) == htons(0x7edf) - && get_u_int16_t(packet->payload, 147) == htons(0xf792)) { - - 
NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, - "found winmx by pattern in first packet\n"); - ndpi_int_winmx_add_connection(ndpi_struct, flow); - return; - } - } - /* did not see this pattern in any trace that we have */ - } else if (flow->l4.tcp.winmx_stage == 1) { - if (packet->payload_packet_len > 10 && packet->payload_packet_len < 1000) { - u_int16_t left = packet->payload_packet_len - 1; - while (left > 0) { - if (packet->payload[left] == ' ') { - NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "found winmx in second packet\n"); - ndpi_int_winmx_add_connection(ndpi_struct, flow); - return; - } else if (packet->payload[left] < '0' || packet->payload[left] > '9') { - break; - } - left--; - } - } + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; + + + if (flow->l4.tcp.winmx_stage == 0) { + if (packet->payload_packet_len == 1 || (packet->payload_packet_len > 1 && packet->payload[0] == 0x31)) { + return; + } + /* did not see this pattern in any trace that we have */ + if (((packet->payload_packet_len) == 4) + && (memcmp(packet->payload, "SEND", 4) == 0)) { + + NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "maybe WinMX Send\n"); + flow->l4.tcp.winmx_stage = 1; + return; + } + + if (((packet->payload_packet_len) == 3) + && (memcmp(packet->payload, "GET", 3) == 0)) { + NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "found winmx by GET\n"); + ndpi_int_winmx_add_connection(ndpi_struct, flow); + return; + } + + + if (packet->payload_packet_len == 149 && packet->payload[0] == '8') { + NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "maybe WinMX\n"); + if (get_u_int32_t(packet->payload, 17) == 0 + && get_u_int32_t(packet->payload, 21) == 0 + && get_u_int32_t(packet->payload, 25) == 0 + && get_u_int16_t(packet->payload, 39) == 0 && get_u_int16_t(packet->payload, 135) == htons(0x7edf) + && get_u_int16_t(packet->payload, 147) == htons(0xf792)) { + + 
NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, + "found winmx by pattern in first packet\n"); + ndpi_int_winmx_add_connection(ndpi_struct, flow); + return; + } + } + /* did not see this pattern in any trace that we have */ + } else if (flow->l4.tcp.winmx_stage == 1) { + if (packet->payload_packet_len > 10 && packet->payload_packet_len < 1000) { + u_int16_t left = packet->payload_packet_len - 1; + while (left > 0) { + if (packet->payload[left] == ' ') { + NDPI_LOG(NDPI_PROTOCOL_WINMX, ndpi_struct, NDPI_LOG_DEBUG, "found winmx in second packet\n"); + ndpi_int_winmx_add_connection(ndpi_struct, flow); + return; + } else if (packet->payload[left] < '0' || packet->payload[left] > '9') { + break; } + left--; + } + } + } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WINMX); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WINMX); } #endif diff --git a/src/lib/protocols/world_of_kung_fu.c b/src/lib/protocols/world_of_kung_fu.c index 08f1d7c49..b6b202803 100644 --- a/src/lib/protocols/world_of_kung_fu.c +++ b/src/lib/protocols/world_of_kung_fu.c 
@@ -30,29 +30,29 @@ static void ndpi_int_world_of_kung_fu_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLD_OF_KUNG_FU); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLD_OF_KUNG_FU, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_world_of_kung_fu(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "search world_of_kung_fu.\n"); - - if ((packet->payload_packet_len == 16) - && ntohl(get_u_int32_t(packet->payload, 0)) == 0x0c000000 && ntohl(get_u_int32_t(packet->payload, 4)) == 0xd2000c00 - && (packet->payload[9] - == 0x16) && ntohs(get_u_int16_t(packet->payload, 10)) == 0x0000 && ntohs(get_u_int16_t(packet->payload, 14)) == 0x0000) { - NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "detected world_of_kung_fu.\n"); - ndpi_int_world_of_kung_fu_add_connection(ndpi_struct, flow); - return; - } - - NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "exclude world_of_kung_fu.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLD_OF_KUNG_FU); + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; + + NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "search world_of_kung_fu.\n"); + + if ((packet->payload_packet_len == 16) + && ntohl(get_u_int32_t(packet->payload, 0)) == 0x0c000000 && ntohl(get_u_int32_t(packet->payload, 4)) == 0xd2000c00 + && (packet->payload[9] + == 0x16) && ntohs(get_u_int16_t(packet->payload, 10)) == 0x0000 && ntohs(get_u_int16_t(packet->payload, 14)) == 0x0000) { + 
NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "detected world_of_kung_fu.\n"); + ndpi_int_world_of_kung_fu_add_connection(ndpi_struct, flow); + return; + } + + NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "exclude world_of_kung_fu.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLD_OF_KUNG_FU); } #endif diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c index c2e4dade4..b8c0ba3a9 100644 --- a/src/lib/protocols/world_of_warcraft.c +++ b/src/lib/protocols/world_of_warcraft.c @@ -32,7 +32,7 @@ static void ndpi_int_worldofwarcraft_add_connection(struct ndpi_detection_module struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLDOFWARCRAFT); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_UNKNOWN); } diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c index 24047c2a0..cd5f9ba67 100644 --- a/src/lib/protocols/xbox.c +++ b/src/lib/protocols/xbox.c 
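Review bot: The call in ndpi_int_world_of_kung_fu_add_connection now passes two protocol ids side by side, `NDPI_PROTOCOL_WORLD_OF_KUNG_FU, NDPI_PROTOCOL_UNKNOWN`, so a swapped pair would compile without a warning and mislabel the flow for whatever consumes the classification. A short comment at the call naming the two slots would make the order checkable, e.g. `/* upper = WORLD_OF_KUNG_FU, lower = none */`, assuming the prototype orders them upper then lower. The same applies to the one-line call changes in the world_of_warcraft, xbox, xdmcp, yahoo, zattoo and zeromq hunks. Separately, the single functional line here sits inside a whitespace-only re-indent of ndpi_search_world_of_kung_fu, which would be easier to review as its own commit.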
@@ -27,77 +27,77 @@ #ifdef NDPI_PROTOCOL_XBOX static void ndpi_int_xbox_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XBOX); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XBOX, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src = flow->src; - // struct ndpi_id_struct *dst = flow->dst; + // struct ndpi_id_struct *src = flow->src; + // struct ndpi_id_struct *dst = flow->dst; - /* - * THIS IS TH XBOX UDP DETCTION ONLY !!! - * the xbox tcp detection is done by http code - */ + /* + * THIS IS TH XBOX UDP DETCTION ONLY !!! + * the xbox tcp detection is done by http code + */ - /* this detection also works for asymmetric xbox udp traffic */ - if (packet->udp != NULL) { + /* this detection also works for asymmetric xbox udp traffic */ + if (packet->udp != NULL) { - u_int16_t dport = ntohs(packet->udp->dest); - u_int16_t sport = ntohs(packet->udp->source); + u_int16_t dport = ntohs(packet->udp->dest); + u_int16_t sport = ntohs(packet->udp->source); - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "search xbox\n"); + NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "search xbox\n"); - if (packet->payload_packet_len > 12 && - get_u_int32_t(packet->payload, 0) == 0 && packet->payload[5] == 0x58 && - memcmp(&packet->payload[7], "\x00\x00\x00", 3) == 0) { + if (packet->payload_packet_len > 12 && + get_u_int32_t(packet->payload, 0) == 0 && packet->payload[5] == 0x58 && + memcmp(&packet->payload[7], "\x00\x00\x00", 3) == 0) { - if ((packet->payload[4] == 0x0c && packet->payload[6] == 0x76) || - (packet->payload[4] == 0x02 && packet->payload[6] == 0x18) || - 
(packet->payload[4] == 0x0b && packet->payload[6] == 0x80) || - (packet->payload[4] == 0x03 && packet->payload[6] == 0x40) || - (packet->payload[4] == 0x06 && packet->payload[6] == 0x4e)) { + if ((packet->payload[4] == 0x0c && packet->payload[6] == 0x76) || + (packet->payload[4] == 0x02 && packet->payload[6] == 0x18) || + (packet->payload[4] == 0x0b && packet->payload[6] == 0x80) || + (packet->payload[4] == 0x03 && packet->payload[6] == 0x40) || + (packet->payload[4] == 0x06 && packet->payload[6] == 0x4e)) { - ndpi_int_xbox_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp connection detected\n"); - return; - } - } - if ((dport == 3074 || sport == 3074) - && ((packet->payload_packet_len == 24 && packet->payload[0] == 0x00) - || (packet->payload_packet_len == 42 && packet->payload[0] == 0x4f && packet->payload[2] == 0x0a) - || (packet->payload_packet_len == 80 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x50bc - && packet->payload[2] == 0x45) - || (packet->payload_packet_len == 40 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xcf5f3202) - || (packet->payload_packet_len == 38 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xc1457f03) - || (packet->payload_packet_len == 28 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x015f2c00))) { - if (flow->l4.udp.xbox_stage == 1) { - ndpi_int_xbox_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp connection detected\n"); - return; - } - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "maybe xbox.\n"); - flow->l4.udp.xbox_stage++; - return; - } + ndpi_int_xbox_add_connection(ndpi_struct, flow); + NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp connection detected\n"); + return; + } + } + if ((dport == 3074 || sport == 3074) + && ((packet->payload_packet_len == 24 && packet->payload[0] == 0x00) + || (packet->payload_packet_len == 42 && packet->payload[0] == 0x4f && packet->payload[2] == 
0x0a) + || (packet->payload_packet_len == 80 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x50bc + && packet->payload[2] == 0x45) + || (packet->payload_packet_len == 40 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xcf5f3202) + || (packet->payload_packet_len == 38 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xc1457f03) + || (packet->payload_packet_len == 28 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x015f2c00))) { + if (flow->l4.udp.xbox_stage == 1) { + ndpi_int_xbox_add_connection(ndpi_struct, flow); + NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp connection detected\n"); + return; + } + NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "maybe xbox.\n"); + flow->l4.udp.xbox_stage++; + return; + } - /* exclude here all non matched udp traffic, exclude here tcp only if http has been excluded, because xbox could use http */ - if (packet->tcp == NULL + /* exclude here all non matched udp traffic, exclude here tcp only if http has been excluded, because xbox could use http */ + if (packet->tcp == NULL #ifdef NDPI_PROTOCOL_HTTP - || NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0 + || NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0 #endif - ) { - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX); - } - } - /* to not exclude tcp traffic here, done by http code... */ + ) { + NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp excluded.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX); + } + } + /* to not exclude tcp traffic here, done by http code... */ } #endif diff --git a/src/lib/protocols/xdmcp.c b/src/lib/protocols/xdmcp.c index 0553bf69c..7468765c7 100644 --- a/src/lib/protocols/xdmcp.c +++ b/src/lib/protocols/xdmcp.c 
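Review bot: The exclusion test at the end of ndpi_search_xbox, `if (packet->tcp == NULL ... )`, sits inside `if (packet->udp != NULL)`. If the tcp and udp header pointers are mutually exclusive (not visible in this hunk), the first operand is always true and the `NDPI_PROTOCOL_HTTP` bitmask clause never decides anything. Either drop the condition or state the intent next to it, e.g. `/* udp-only branch: unmatched udp is always excluded; tcp is left to the http detector */`. The first payload pattern is also accepted on any UDP port from a single packet with a few fixed bytes, so a comment noting that this label is a heuristic rather than a verified handshake would help anyone building policy on it. The re-indented banner still reads "THIS IS TH XBOX UDP DETCTION ONLY" and could be corrected while the lines are being touched.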
@@ -28,42 +28,42 @@ static void ndpi_int_xdmcp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XDMCP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XDMCP, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_xdmcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + // struct ndpi_id_struct *src=ndpi_struct->src; + // struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "search xdmcp.\n"); + NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "search xdmcp.\n"); - if (packet->tcp != NULL && (ntohs(packet->tcp->dest) >= 6000 && ntohs(packet->tcp->dest) <= 6005) - && packet->payload_packet_len == 48 - && packet->payload[0] == 0x6c && packet->payload[1] == 0x00 - && ntohs(get_u_int16_t(packet->payload, 6)) == 0x1200 && ntohs(get_u_int16_t(packet->payload, 8)) == 0x1000) { + if (packet->tcp != NULL && (ntohs(packet->tcp->dest) >= 6000 && ntohs(packet->tcp->dest) <= 6005) + && packet->payload_packet_len == 48 + && packet->payload[0] == 0x6c && packet->payload[1] == 0x00 + && ntohs(get_u_int16_t(packet->payload, 6)) == 0x1200 && ntohs(get_u_int16_t(packet->payload, 8)) == 0x1000) { - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over tcp.\n"); - ndpi_int_xdmcp_add_connection(ndpi_struct, flow); - return; - } - if (packet->udp != NULL && ntohs(packet->udp->dest) == 177 - && packet->payload_packet_len >= 6 && packet->payload_packet_len == 6 + ntohs(get_u_int16_t(packet->payload, 4)) - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0001 && 
ntohs(get_u_int16_t(packet->payload, 2)) == 0x0002) { + NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over tcp.\n"); + ndpi_int_xdmcp_add_connection(ndpi_struct, flow); + return; + } + if (packet->udp != NULL && ntohs(packet->udp->dest) == 177 + && packet->payload_packet_len >= 6 && packet->payload_packet_len == 6 + ntohs(get_u_int16_t(packet->payload, 4)) + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0001 && ntohs(get_u_int16_t(packet->payload, 2)) == 0x0002) { - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over udp.\n"); - ndpi_int_xdmcp_add_connection(ndpi_struct, flow); - return; - } + NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over udp.\n"); + ndpi_int_xdmcp_add_connection(ndpi_struct, flow); + return; + } - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude xdmcp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XDMCP); + NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude xdmcp.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XDMCP); } #endif diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c index fdf29fa82..ad9500a40 100644 --- a/src/lib/protocols/yahoo.c +++ b/src/lib/protocols/yahoo.c @@ -57,11 +57,9 @@ static u_int8_t ndpi_check_for_YmsgCommand(u_int16_t len, const u_int8_t * ptr) static void ndpi_int_yahoo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); } - - - + #if !defined(WIN32) static inline #else diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c index 76de3b604..9a9226a04 100644 --- a/src/lib/protocols/zattoo.c +++ b/src/lib/protocols/zattoo.c 
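Review bot: The TCP branch of ndpi_search_xdmcp has no comment explaining its constants, and what it matches appears to be an X11 connection-setup request rather than XDMCP itself. Destination ports 6000-6005, first byte `0x6c` (little-endian client), lengths 18 and 16 at offsets 6 and 8, and a total of 48 bytes together fit a setup using an 18-character authorization name with 16 bytes of data. Only the UDP port 177 branch looks like XDMCP proper. I would document that above the condition, e.g. `/* X11 setup, LSB-first client, 18-byte auth name + 16-byte auth data */`, and note that big-endian clients and other authorization schemes are not matched, so analysts who rely on this label to find exposed X11 sessions know its coverage. The length guard `payload_packet_len >= 6` ahead of the offset-4 read in the UDP branch is correct and should stay first if the condition is ever reordered.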
@@ -36,7 +36,7 @@ static void ndpi_int_zattoo_add_connection(struct ndpi_detection_module_struct * struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { src->zattoo_ts = packet->tick_timestamp; diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c index 273357969..af277c6dc 100644 --- a/src/lib/protocols/zeromq.c +++ b/src/lib/protocols/zeromq.c @@ -24,7 +24,7 @@ #ifdef NDPI_PROTOCOL_ZMQ static void ndpi_int_zmq_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZMQ); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZMQ, NDPI_PROTOCOL_UNKNOWN); NDPI_LOG(NDPI_PROTOCOL_ZMQ, ndpi_struct, NDPI_LOG_TRACE, "ZMQ Found.\n"); } |