author | Luca Deri <deri@ntop.org> | 2019-11-23 13:27:34 +0100 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2019-11-23 13:27:34 +0100 |
commit | 68d66b780ca005f3d29b6f19063d86f857e1f03d (patch) | |
tree | 9d5f972a68e3f3b7df9e90423b279f644e93ab7d | |
parent | 382217887b61d8b364a64f241afbf75a75052f57 (diff) |
Added new test pcaps
Renamed protocol 104 to IEC60870 (more meaningful)
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/iec60870-5-104.c | 18 | ||||
-rw-r--r-- | tests/pcap/dnp3.pcap (renamed from tests/dnp3.pcap) | bin | 56812 -> 56812 bytes | |||
-rw-r--r-- | tests/pcap/iec60780-5-104.pcap (renamed from tests/iec60780-5-104.pcap) | bin | 11409 -> 11409 bytes | |||
-rw-r--r-- | tests/result/dnp3.pcap.out | 11 | ||||
-rw-r--r-- | tests/result/iec60780-5-104.pcap.out | 8 |
7 files changed, 31 insertions, 12 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 4f793baec..a9c14dc85 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -278,7 +278,7 @@ typedef enum {
 NDPI_PROTOCOL_WHATSAPP_FILES = 242, /* Videos, pictures, voice messages... */
 NDPI_PROTOCOL_TARGUS_GETDATA = 243,
 NDPI_PROTOCOL_DNP3 = 244,
- NDPI_PROTOCOL_104 = 245,
+ NDPI_PROTOCOL_IEC60870 = 245, /* https://en.wikipedia.org/wiki/IEC_60870-5 */
 NDPI_PROTOCOL_BLOOMBERG = 246,
 NDPI_PROTOCOL_CAPWAP = 247,
 NDPI_PROTOCOL_ZABBIX = 248,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 7a77f8fbf..1589b0431 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1757,9 +1757,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 no_master, "DNP3", NDPI_PROTOCOL_CATEGORY_NETWORK,
 ndpi_build_default_ports(ports_a, 20000, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_104,
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IEC60870,
 1 /* no subprotocol */, no_master,
- no_master, "104", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */
+ no_master, "IEC60870", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */
 ndpi_build_default_ports(ports_a, 2404, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BLOOMBERG,
diff --git a/src/lib/protocols/iec60870-5-104.c b/src/lib/protocols/iec60870-5-104.c
index e34ca3d63..040a1842a 100644
--- a/src/lib/protocols/iec60870-5-104.c
+++ b/src/lib/protocols/iec60870-5-104.c
@@ -27,16 +27,16 @@ #include "ndpi_protocol_ids.h" #include "ndpi_api.h" -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_104 +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IEC60870 -void ndpi_search_104_tcp(struct ndpi_detection_module_struct *ndpi_struct, +void ndpi_search_iec60870_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG_DBG(ndpi_struct, "search 104\n"); - u_int16_t iec104_port = htons(2404); // port used by 104 + u_int16_t iec104_port = htons(2404); // port used by IEC60870 /* Check connection over TCP */ - + NDPI_LOG_DBG(ndpi_struct, "search IEC60870\n"); + if(packet->tcp) { /* The start byte of 104 is 0x68 * The usual port: 2404 @@ -44,7 +44,7 @@ void ndpi_search_104_tcp(struct ndpi_detection_module_struct *ndpi_struct, if((packet->payload[0] == 0x68) && ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ NDPI_LOG_INFO(ndpi_struct, "found 104\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IEC60870, NDPI_PROTOCOL_UNKNOWN); return; } } @@ -56,9 +56,9 @@ void ndpi_search_104_tcp(struct ndpi_detection_module_struct *ndpi_struct, void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - ndpi_set_bitmask_protocol_detection("104", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_104, - ndpi_search_104_tcp, + ndpi_set_bitmask_protocol_detection("IEC60870", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_IEC60870, + ndpi_search_iec60870_tcp, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); diff --git a/tests/dnp3.pcap b/tests/pcap/dnp3.pcap Binary files differindex 48dca2c01..48dca2c01 100644 --- a/tests/dnp3.pcap +++ b/tests/pcap/dnp3.pcap 
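Review bot: The match in ndpi_search_iec60870_tcp (second hunk) still rests on a single byte plus a port, `packet->payload[0] == 0x68` with source or destination 2404, so any TCP flow on that port whose first payload byte is 0x68 is labelled IEC60870. The byte is also read with no length check visible in the hunk; it presumably relies on the WITH_PAYLOAD selection bitmask passed in the third hunk. Checking the APCI length octet as well would make the label harder to trigger by accident, e.g. `if((packet->payload_packet_len >= 6) && (packet->payload[0] == 0x68) && (packet->payload[1] >= 4) && (packet->payload[1] <= 253) && ...`. The rename is also incomplete on the new side: `NDPI_LOG_INFO(ndpi_struct, "found 104\n");` and `init_104_dissector` keep the old name. Both function bodies continue outside the hunks shown.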
diff --git a/tests/iec60780-5-104.pcap b/tests/pcap/iec60780-5-104.pcap Binary files differindex dbd77b098..dbd77b098 100644 --- a/tests/iec60780-5-104.pcap +++ b/tests/pcap/iec60780-5-104.pcap diff --git a/tests/result/dnp3.pcap.out b/tests/result/dnp3.pcap.out new file mode 100644 index 000000000..3897eb033 --- /dev/null +++ b/tests/result/dnp3.pcap.out 
@@ -0,0 +1,11 @@ +SOCKS 135 9351 1 +DNP3 408 29403 7 + + 1 TCP 10.0.0.8:2828 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][60 pkts/4041 bytes <-> 78 pkts/7164 bytes][Goodput ratio: 17.0/38.1][121.83 sec][bytes ratio: -0.279 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 420.5/302.2 13044/8439 1925.7/1115.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 67.3/91.8 79/145 5.4/37.0] + 2 TCP 10.0.0.9:1080 <-> 10.0.0.3:20000 [proto: 172/SOCKS][cat: Web/5][72 pkts/4659 bytes <-> 63 pkts/4692 bytes][Goodput ratio: 9.8/27.0][384.60 sec][bytes ratio: -0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 4731.8/3048.6 75028/40127 13787.2/9967.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 64.7/74.5 81/147 7.5/16.4] + 3 TCP 10.0.0.8:1086 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][57 pkts/3891 bytes <-> 36 pkts/2760 bytes][Goodput ratio: 16.6/28.0][70.37 sec][bytes ratio: 0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1467.0/2685.8 45001/45233 7093.4/9611.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 68.3/76.7 81/147 8.3/21.7] + 4 TCP 10.0.0.8:2789 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][24 pkts/1584 bytes <-> 15 pkts/1005 bytes][Goodput ratio: 12.1/15.2][123.54 sec][bytes ratio: 0.224 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 161.9/2.4 2891/21 628.4/6.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 66.0/67.0 79/71 7.8/4.9] + 5 TCP 10.0.0.8:2803 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][21 pkts/1374 bytes <-> 18 pkts/1119 bytes][Goodput ratio: 10.5/4.6][25.63 sec][bytes ratio: 0.102 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1204.6/2488.3 17203/17487 4072.9/5519.1][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 65.4/62.2 78/71 8.0/4.0] + 6 TCP 10.0.0.9:1084 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][21 pkts/1374 bytes <-> 18 pkts/1119 bytes][Goodput ratio: 10.5/4.6][7.81 sec][bytes ratio: 0.102 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 343.2/629.6 3672/3963 975.0/1292.5][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 65.4/62.2 
78/71 8.0/4.0] + 7 TCP 10.0.0.8:1184 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][21 pkts/1374 bytes <-> 12 pkts/825 bytes][Goodput ratio: 10.5/18.5][12.41 sec][bytes ratio: 0.250 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 697.8/1757.4 9226/9487 2220.1/3301.6][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 65.4/68.8 78/71 8.0/3.9] + 8 TCP 10.0.0.8:1159 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][15 pkts/1014 bytes <-> 12 pkts/759 bytes][Goodput ratio: 14.2/6.7][12.40 sec][bytes ratio: 0.144 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 245.5/1770.4 2946/9113 814.2/3204.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 67.6/63.2 78/71 8.5/4.5] diff --git a/tests/result/iec60780-5-104.pcap.out b/tests/result/iec60780-5-104.pcap.out new file mode 100644 index 000000000..04afc31db --- /dev/null +++ b/tests/result/iec60780-5-104.pcap.out 
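Review bot: Flow 2 of the new dnp3.pcap.out baseline (`10.0.0.9:1080 <-> 10.0.0.3:20000`) is recorded as `172/SOCKS`, while the other seven flows to the same server port are `244/DNP3`. This looks like a port-based guess from the client's source port 1080 rather than a payload match, though that cannot be confirmed from the diff alone. If so, the regression reference would pin an ICS flow as SOCKS, and a later fix to the DNP3 dissector would show up as a test failure. It is worth checking that flow against the capture and adding a short comment in the test notes if the SOCKS label is intentional.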
@@ -0,0 +1,8 @@ +IEC60870 147 9033 6 + + 1 TCP 172.27.248.109:1578 <-> 172.27.248.79:2404 [proto: 245/IEC60870][cat: Network/14][28 pkts/1758 bytes <-> 19 pkts/1297 bytes][Goodput ratio: 8.8/20.3][235.18 sec][bytes ratio: 0.151 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/4 9105.8/11905.2 32485/32516 10297.2/10287.4][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 62.8/68.3 76/118 4.8/15.2] + 2 TCP 172.27.248.109:1568 <-> 172.27.248.79:2404 [proto: 245/IEC60870][cat: Network/14][17 pkts/1040 bytes <-> 12 pkts/674 bytes][Goodput ratio: 6.6/2.7][160.96 sec][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 9874.4/10028.6 38294/26906 11814.6/8997.2][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 61.2/56.2 68/62 2.2/3.1] + 3 TCP 172.27.248.109:1572 <-> 172.27.248.79:2404 [proto: 245/IEC60870][cat: Network/14][15 pkts/940 bytes <-> 10 pkts/572 bytes][Goodput ratio: 9.1/4.2][191.16 sec][bytes ratio: 0.243 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 12849.7/21995.9 59783/60001 22022.7/25275.8][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 62.7/57.2 76/62 5.2/3.2] + 4 TCP 172.27.248.109:1571 <-> 172.27.248.79:2404 [proto: 245/IEC60870][cat: Network/14][10 pkts/609 bytes <-> 7 pkts/398 bytes][Goodput ratio: 4.9/3.0][102.90 sec][bytes ratio: 0.210 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 8707.9/15094.0 59736/60003 19502.7/25928.3][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 60.9/56.9 67/62 2.1/3.4] + 5 TCP 172.27.248.109:1570 <-> 172.27.248.79:2404 [proto: 245/IEC60870][cat: Network/14][10 pkts/624 bytes <-> 6 pkts/344 bytes][Goodput ratio: 7.4/3.5][92.07 sec][bytes ratio: 0.289 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 11476.9/15000.2 42399/42717 16042.0/17487.9][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 62.4/57.3 72/62 4.4/3.4] + 6 TCP 172.27.248.109:1577 <-> 172.27.248.79:2404 [proto: 245/IEC60870][cat: Network/14][8 pkts/493 bytes <-> 5 pkts/284 bytes][Goodput ratio: 5.7/2.1][36.61 sec][bytes ratio: 0.269 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/4 
6100.3/11100.0 21872/22196 8836.3/11096.0][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 61.6/56.8 71/62 3.6/3.5] |