diff options
| author | Luca <deri@ntop.org> | 2019-10-29 19:12:42 +0100 |
|---|---|---|
| committer | Luca <deri@ntop.org> | 2019-10-29 19:12:42 +0100 |
| commit | 0e54f87b181c163d18860a2cfcd30bbfeeaa1f6b (patch) | |
| tree | f0a9dc5372f839d89c9740abcf14fe7c374d8c69 /example | |
| parent | d2f04f5bdfe986082ca5e5f479a99e4c24a5a898 (diff) | |
Added telnet dissector
Improved data report
Diffstat (limited to 'example')
| -rw-r--r-- | example/ndpiReader.c | 3 | ||||
| -rw-r--r-- | example/reader_util.c | 121 | ||||
| -rw-r--r-- | example/reader_util.h | 4 |
3 files changed, 71 insertions, 57 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index a5481d342..364ee6b50 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -89,7 +89,7 @@ static u_int8_t stats_flag = 0, bpf_filter_flag = 0; static u_int8_t file_first_time = 1; #endif u_int8_t human_readeable_string_len = 5; -u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 16; +u_int8_t max_num_udp_dissected_pkts = 16 /* 8 is enough for most protocols, Signal requires more */, max_num_tcp_dissected_pkts = 32 /* due to telnet */; static u_int32_t pcap_analysis_duration = (u_int32_t)-1; static u_int16_t decode_tunnels = 0; static u_int16_t num_loops = 1; @@ -1115,6 +1115,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa (flow->dst2src_packets > 0) ? "<->" : "->", flow->dst2src_packets, (long long unsigned int) flow->dst2src_bytes); + if(flow->telnet.username[0] != '\0') fprintf(out, "[Username: %s]", flow->telnet.username); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); diff --git a/example/reader_util.c b/example/reader_util.c index 6cb150d87..3d9fde695 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -918,15 +918,25 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo /* ****************************************************** */ +static u_int8_t is_ndpi_proto(struct ndpi_flow_info *flow, u_int16_t id) { + if((flow->detected_protocol.master_protocol == id) + || (flow->detected_protocol.app_protocol == id)) + return(1); + else + return(0); +} + +/* ****************************************************** */ + void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) { if(!flow->ndpi_flow) return; snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", flow->ndpi_flow->host_server_name); - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_DHCP) { + if(is_ndpi_proto(flow, NDPI_PROTOCOL_DHCP)) { snprintf(flow->dhcp_fingerprint, sizeof(flow->dhcp_fingerprint), "%s", flow->ndpi_flow->protos.dhcp.fingerprint); - } else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_BITTORRENT) { + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_BITTORRENT)) { u_int i, j, n = 0; for(i=0, j = 0; j < sizeof(flow->bittorent_hash)-1; i++) { @@ -939,25 +949,25 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl if(n == 0) flow->bittorent_hash[0] = '\0'; } /* MDNS */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MDNS) { + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_MDNS)) { snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer); } /* UBNTAC2 */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UBNTAC2) { + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_UBNTAC2)) { snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); } /* FTP */ - else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_FTP_CONTROL) - || /* IMAP */ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MAIL_IMAP) - || /* POP */ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MAIL_POP) - || /* SMTP */ (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MAIL_SMTP)) { + else if((is_ndpi_proto(flow, NDPI_PROTOCOL_FTP_CONTROL)) + || /* IMAP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_IMAP) + || /* POP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_POP) + || /* SMTP */ is_ndpi_proto(flow, NDPI_PROTOCOL_MAIL_SMTP)) { if(flow->ndpi_flow->protos.ftp_imap_pop_smtp.username[0] != '\0') snprintf(flow->info, sizeof(flow->info), "User: %s][Pwd: %s", flow->ndpi_flow->protos.ftp_imap_pop_smtp.username, flow->ndpi_flow->protos.ftp_imap_pop_smtp.password); } /* KERBEROS */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_KERBEROS) { + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_KERBEROS)) { if(flow->ndpi_flow->protos.kerberos.cname[0] != '\0') { snprintf(flow->info, sizeof(flow->info), "%s (%s)", flow->ndpi_flow->protos.kerberos.cname, @@ -965,51 +975,50 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } /* HTTP */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_HTTP) { + else if((flow->detected_protocol.master_protocol == NDPI_PROTOCOL_HTTP) + || is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP)) { if(flow->ndpi_flow->http.url != NULL) { snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url); flow->http.response_status_code = flow->ndpi_flow->http.response_status_code; } + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) { + snprintf(flow->telnet.username, sizeof(flow->telnet.username), "%s", flow->ndpi_flow->protos.telnet.username); + } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSH)) { + snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", + flow->ndpi_flow->protos.ssh.client_signature); + snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", + flow->ndpi_flow->protos.ssh.server_signature); + snprintf(flow->ssh_tls.client_hassh, sizeof(flow->ssh_tls.client_hassh), "%s", + flow->ndpi_flow->protos.ssh.hassh_client); + snprintf(flow->ssh_tls.server_hassh, sizeof(flow->ssh_tls.server_hassh), "%s", + flow->ndpi_flow->protos.ssh.hassh_server); } - else if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_DNS) { - /* SSH */ - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) { - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", - flow->ndpi_flow->protos.ssh.client_signature); - snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", - flow->ndpi_flow->protos.ssh.server_signature); - snprintf(flow->ssh_tls.client_hassh, sizeof(flow->ssh_tls.client_hassh), "%s", - flow->ndpi_flow->protos.ssh.hassh_client); - snprintf(flow->ssh_tls.server_hassh, sizeof(flow->ssh_tls.server_hassh), "%s", - flow->ndpi_flow->protos.ssh.hassh_server); - } - /* TLS */ - else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0') - ) { - flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; - snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); - snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); - snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); - flow->ssh_tls.notBefore = flow->ndpi_flow->protos.stun_ssl.ssl.notBefore; - flow->ssh_tls.notAfter = flow->ndpi_flow->protos.stun_ssl.ssl.notAfter; - snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client); - snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s", - flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); - flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; - flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; - memcpy(flow->ssh_tls.sha1_cert_fingerprint, - flow->ndpi_flow->l4.tcp.tls_sha1_certificate_fingerprint, 20); - } - } + /* TLS */ + else if((is_ndpi_proto(flow, NDPI_PROTOCOL_TLS)) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || (flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client[0] != '\0') + ) { + flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.stun_ssl.ssl.ssl_version; + snprintf(flow->ssh_tls.client_info, sizeof(flow->ssh_tls.client_info), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.client_certificate); + snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.server_certificate); + snprintf(flow->ssh_tls.server_organization, sizeof(flow->ssh_tls.server_organization), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.server_organization); + flow->ssh_tls.notBefore = flow->ndpi_flow->protos.stun_ssl.ssl.notBefore; + flow->ssh_tls.notAfter = flow->ndpi_flow->protos.stun_ssl.ssl.notAfter; + snprintf(flow->ssh_tls.ja3_client, sizeof(flow->ssh_tls.ja3_client), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.ja3_client); + snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s", + flow->ndpi_flow->protos.stun_ssl.ssl.ja3_server); + flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_unsafe_cipher; + flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.stun_ssl.ssl.server_cipher; + memcpy(flow->ssh_tls.sha1_cert_fingerprint, + flow->ndpi_flow->l4.tcp.tls_sha1_certificate_fingerprint, 20); + } if(flow->detection_completed && (!flow->check_extra_packets)) { - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + if(is_ndpi_proto(flow, NDPI_PROTOCOL_UNKNOWN)) { if(workflow->__flow_giveup_callback != NULL) workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); } else { @@ -1174,11 +1183,11 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if((proto == IPPROTO_TCP) && ( - (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) - ) { + is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) + ) { if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */) skip = 1; } @@ -1193,10 +1202,10 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } else { if((proto == IPPROTO_TCP) && ( - (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) - || (flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) + is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_TLS) + || is_ndpi_proto(flow, NDPI_PROTOCOL_SSH) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSH)) ) flow->has_human_readeable_strings = 0; } diff --git a/example/reader_util.h b/example/reader_util.h index 3374f993f..3ca584c18 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -198,6 +198,10 @@ typedef struct ndpi_flow_info { u_int response_status_code; } http; + struct { + char username[32]; + } telnet; + void *src_id, *dst_id; struct ndpi_entropy entropy; |