diff options
| author | Luca Deri <deri@ntop.org> | 2021-11-17 22:41:35 +0100 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2021-11-17 22:41:35 +0100 |
| commit | 2e2d4c911a8ffce297a927addfe795a3b6b3d3fb (patch) | |
| tree | a0260ec62e6b48bc9a157d62e9d7b0051b0a75fc /src/lib/protocols/bittorrent.c | |
| parent | 2a6e5c634136e74651c0c39c9ea1987d4949cc69 (diff) | |
BitTorrent detection improvements
Diffstat (limited to 'src/lib/protocols/bittorrent.c')
| -rw-r--r-- | src/lib/protocols/bittorrent.c | 302 |
1 files changed, 175 insertions, 127 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index 19b176bd7..bd02cd864 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -35,6 +35,8 @@ #define NDPI_PROTOCOL_PLAIN_DETECTION 0 #define NDPI_PROTOCOL_WEBSEED_DETECTION 2 +#define BITTORRENT_PROTO_STRING "BitTorrent protocol" + //#define CACHE_DEBUG 1 struct ndpi_utp_hdr { @@ -44,10 +46,31 @@ struct ndpi_utp_hdr { u_int16_t sequence_nr, ack_nr; }; +/* Forward declaration */ +static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); +static void ndpi_search_bittorrent_hash(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, int bt_offset); + +/* *********************************************** */ + +static int search_bittorrent_again(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + ndpi_search_bittorrent(ndpi_struct, flow); + ndpi_search_bittorrent_hash(ndpi_struct, flow, -1); + + /* Possibly more processing */ + return(1); +} + +/* *********************************************** */ + static inline u_int32_t bt_hash_funct(u_int32_t ip, u_int16_t port) { return(ip + 3 * port); } +/* *********************************************** */ + static u_int8_t is_utpv1_pkt(const u_int8_t *payload, u_int payload_len) { struct ndpi_utp_hdr *h = (struct ndpi_utp_hdr*)payload; @@ -63,31 +86,53 @@ static u_int8_t is_utpv1_pkt(const u_int8_t *payload, u_int payload_len) { return(1); } +/* *********************************************** */ + +static void ndpi_search_bittorrent_hash(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, int bt_offset) { + const char *bt_hash = NULL; /* 20 bytes long */ + struct ndpi_packet_struct *packet = &ndpi_struct->packet; + + if(bt_offset == -1) { + const char *bt_magic = ndpi_strnstr((const char *)packet->payload, + BITTORRENT_PROTO_STRING, packet->payload_packet_len); + + if(bt_magic) { + if(bt_magic == (const char*)&packet->payload[1]) + bt_hash = (const char*)&packet->payload[28]; + else + bt_hash = &bt_magic[19]; + } + } else + bt_hash = (const char*)&packet->payload[28]; + + if(bt_hash && (packet->payload_packet_len >= (20 + (bt_hash-(const char*)packet->payload)))) + memcpy(flow->protos.bittorrent.hash, bt_hash, 20); +} + +/* *********************************************** */ + static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, int bt_offset, int check_hash, - const u_int8_t save_detection, const u_int8_t encrypted_connection) -{ + const u_int8_t save_detection, + const u_int8_t encrypted_connection) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - if(check_hash) { - const char *bt_hash = NULL; /* 20 bytes long */ - - if(bt_offset == -1) { - const char *bt_magic = ndpi_strnstr((const char *)packet->payload, - "BitTorrent protocol", packet->payload_packet_len); - - if(bt_magic) - bt_hash = &bt_magic[19]; - } else - bt_hash = (const char*)&packet->payload[28]; - - if(bt_hash && (packet->payload_packet_len >= (20 + (bt_hash-(const char*)packet->payload)))) - memcpy(flow->protos.bittorrent.hash, bt_hash, 20); - } + if(check_hash) + ndpi_search_bittorrent_hash(ndpi_struct, flow, bt_offset); ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN); - + + if(flow->protos.bittorrent.hash[0] == '\0') { + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + + /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). */ + flow->max_extra_packets_to_check = 3; + flow->extra_packets_func = search_bittorrent_again; + } + if(ndpi_struct->bittorrent_cache == NULL) ndpi_struct->bittorrent_cache = ndpi_lru_cache_init(32768); @@ -124,21 +169,21 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module } if(flow->packet_counter == 2 && packet->payload_packet_len > 20) { - if(memcmp(&packet->payload[0], "BitTorrent protocol", 19) == 0) { + if(memcmp(&packet->payload[0], BITTORRENT_PROTO_STRING, 19) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 19, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } if(packet->payload_packet_len > 20) { - /* test for match 0x13+"BitTorrent protocol" */ + /* test for match 0x13+BITTORRENT_PROTO_STRING */ if(packet->payload[0] == 0x13) { - if(memcmp(&packet->payload[1], "BitTorrent protocol", 19) == 0) { + if(memcmp(&packet->payload[1], BITTORRENT_PROTO_STRING, 19) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 20, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } @@ -147,23 +192,23 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module if(packet->payload_packet_len > 23 && memcmp(packet->payload, "GET /webseed?info_hash=", 23) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: plain webseed\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } /* seen Azureus as server for webseed, possibly other servers existing, to implement */ /* is Server: hypertracker Bittorrent? */ /* no asymmetric detection possible for answer of pattern "GET /data?fid=". */ if(packet->payload_packet_len > 60 - && memcmp(packet->payload, "GET /data?fid=", 14) == 0 && memcmp(&packet->payload[54], "&size=", 6) == 0) { + && memcmp(packet->payload, "GET /data?fid=", 14) == 0 && memcmp(&packet->payload[54], "&size=", 6) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: plain Bitcomet persistent seed\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } if(packet->payload_packet_len > 90 && (memcmp(packet->payload, "GET ", 4) == 0 - || memcmp(packet->payload, "POST ", 5) == 0)) { + || memcmp(packet->payload, "POST ", 5) == 0)) { const u_int8_t *ptr = &packet->payload[4]; u_int16_t len = packet->payload_packet_len - 4; @@ -171,12 +216,12 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module ndpi_parse_packet_line_info(ndpi_struct, flow); /* answer to this pattern is HTTP....Server: hypertracker */ if(packet->user_agent_line.ptr != NULL - && ((packet->user_agent_line.len > 8 && memcmp(packet->user_agent_line.ptr, "Azureus ", 8) == 0) - || (packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "BitTorrent", 10) == 0) - || (packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "BTWebClient", 11) == 0))) { + && ((packet->user_agent_line.len > 8 && memcmp(packet->user_agent_line.ptr, "Azureus ", 8) == 0) + || (packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "BitTorrent", 10) == 0) + || (packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "BTWebClient", 11) == 0))) { NDPI_LOG_INFO(ndpi_struct, "found BT: Azureus /Bittorrent user agent\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } @@ -186,87 +231,87 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module && packet->line[8].len >= 9 && memcmp(packet->line[8].ptr, "X-Queue: ", 9) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found BT: Shareaza detected\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } /* this is a self built client, not possible to catch asymmetrically */ if((packet->parsed_lines == 10 || (packet->parsed_lines == 11 && packet->line[10].len == 0)) - && packet->user_agent_line.ptr != NULL - && packet->user_agent_line.len > 12 - && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 ", - 12) == 0 - && packet->host_line.ptr != NULL - && packet->host_line.len >= 7 - && packet->line[2].ptr != NULL - && packet->line[2].len > 14 - && memcmp(packet->line[2].ptr, "Keep-Alive: 300", 15) == 0 - && packet->line[3].ptr != NULL - && packet->line[3].len > 21 - && memcmp(packet->line[3].ptr, "Connection: Keep-alive", 22) == 0 - && packet->line[4].ptr != NULL - && packet->line[4].len > 10 - && (memcmp(packet->line[4].ptr, "Accpet: */*", 11) == 0 - || memcmp(packet->line[4].ptr, "Accept: */*", 11) == 0) - - && packet->line[5].ptr != NULL - && packet->line[5].len > 12 - && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0 - && packet->line[7].ptr != NULL - && packet->line[7].len > 15 - && memcmp(packet->line[7].ptr, "Pragma: no-cache", 16) == 0 - && packet->line[8].ptr != NULL - && packet->line[8].len > 22 && memcmp(packet->line[8].ptr, "Cache-Control: no-cache", 23) == 0) { + && packet->user_agent_line.ptr != NULL + && packet->user_agent_line.len > 12 + && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 ", + 12) == 0 + && packet->host_line.ptr != NULL + && packet->host_line.len >= 7 + && packet->line[2].ptr != NULL + && packet->line[2].len > 14 + && memcmp(packet->line[2].ptr, "Keep-Alive: 300", 15) == 0 + && packet->line[3].ptr != NULL + && packet->line[3].len > 21 + && memcmp(packet->line[3].ptr, "Connection: Keep-alive", 22) == 0 + && packet->line[4].ptr != NULL + && packet->line[4].len > 10 + && (memcmp(packet->line[4].ptr, "Accpet: */*", 11) == 0 + || memcmp(packet->line[4].ptr, "Accept: */*", 11) == 0) + + && packet->line[5].ptr != NULL + && packet->line[5].len > 12 + && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0 + && packet->line[7].ptr != NULL + && packet->line[7].len > 15 + && memcmp(packet->line[7].ptr, "Pragma: no-cache", 16) == 0 + && packet->line[8].ptr != NULL + && packet->line[8].len > 22 && memcmp(packet->line[8].ptr, "Cache-Control: no-cache", 23) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: Bitcomet LTS\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } /* FlashGet pattern */ if(packet->parsed_lines == 8 - && packet->user_agent_line.ptr != NULL - && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) - && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", - sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0 - && packet->host_line.ptr != NULL - && packet->host_line.len >= 7 - && packet->line[2].ptr != NULL - && packet->line[2].len == 11 - && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0 - && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1) - && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0 - && packet->line[5].ptr != NULL - && packet->line[5].len > 13 - && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0 - && packet->line[6].ptr != NULL - && packet->line[6].len > 21 && memcmp(packet->line[6].ptr, "Connection: Keep-Alive", 22) == 0) { + && packet->user_agent_line.ptr != NULL + && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) + && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", + sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0 + && packet->host_line.ptr != NULL + && packet->host_line.len >= 7 + && packet->line[2].ptr != NULL + && packet->line[2].len == 11 + && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0 + && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1) + && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0 + && packet->line[5].ptr != NULL + && packet->line[5].len > 13 + && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0 + && packet->line[6].ptr != NULL + && packet->line[6].len > 21 && memcmp(packet->line[6].ptr, "Connection: Keep-Alive", 22) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } if(packet->parsed_lines == 7 - && packet->user_agent_line.ptr != NULL - && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) - && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", - sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0 - && packet->host_line.ptr != NULL - && packet->host_line.len >= 7 - && packet->line[2].ptr != NULL - && packet->line[2].len == 11 - && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0 - && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1) - && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0 - && packet->line[5].ptr != NULL - && packet->line[5].len > 21 && memcmp(packet->line[5].ptr, "Connection: Keep-Alive", 22) == 0) { + && packet->user_agent_line.ptr != NULL + && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) + && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", + sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0 + && packet->host_line.ptr != NULL + && packet->host_line.len >= 7 + && packet->line[2].ptr != NULL + && packet->line[2].len == 11 + && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0 + && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1) + && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0 + && packet->line[5].ptr != NULL + && packet->line[5].len > 21 && memcmp(packet->line[5].ptr, "Connection: Keep-Alive", 22) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } @@ -333,7 +378,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module NDPI_LOG_INFO(ndpi_struct, "found BT: tracker info hash parsed\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } @@ -358,10 +403,10 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module /* did not see this pattern anywhere */ if((memcmp(&packet->payload[0], pattern_20_bytes, 20) == 0) - && (memcmp(&packet->payload[52], pattern_12_bytes, 12) == 0)) { + && (memcmp(&packet->payload[52], pattern_12_bytes, 12) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } @@ -372,10 +417,10 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module ndpi_parse_packet_line_info(ndpi_struct, flow); /* haven't fount this pattern anywhere */ if(packet->host_line.ptr != NULL - && packet->host_line.len >= 9 && memcmp(packet->host_line.ptr, "ip2p.com:", 9) == 0) { + && packet->host_line.len >= 9 && memcmp(packet->host_line.ptr, "ip2p.com:", 9) == 0) { NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain Host: ip2p.com: pattern\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } } @@ -410,8 +455,8 @@ static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { return(((what == a) || (what == b)) ? 1 : 0); } -void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; char *bt_proto = NULL; @@ -460,9 +505,11 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st ntohs(packet->tcp->source), ntohs(packet->tcp->dest), key1, key2, found, flow->packet_counter); #endif - if(found) - goto bittorrent_found; + if(found) { + ndpi_search_bittorrent_hash(ndpi_struct, flow, -1); + goto bittorrent_found; } + } if(packet->tcp != NULL) { ndpi_int_search_bittorrent_tcp(ndpi_struct, flow); @@ -497,15 +544,15 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st u_int8_t v0_flags = packet->payload[18]; if(is_utpv1_pkt(packet->payload, packet->payload_packet_len)) { - bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20); + bt_proto = ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20); goto bittorrent_found; } else if((packet->payload[0]== 0x60) - && (packet->payload[1]== 0x0) - && (packet->payload[2]== 0x0) - && (packet->payload[3]== 0x0) - && (packet->payload[4]== 0x0)) { + && (packet->payload[1]== 0x0) + && (packet->payload[2]== 0x0) + && (packet->payload[3]== 0x0) + && (packet->payload[4]== 0x0)) { /* Heuristic */ - bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20); + bt_proto = ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20); goto bittorrent_found; /* CSGO/DOTA conflict */ } else if((v0_flags < 6 /* ST_NUM_STATES */) && (v0_extension < 3 /* EXT_NUM_EXT */)) { @@ -515,10 +562,10 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st now = (u_int32_t)time(NULL); if((ts < (now+86400)) && (ts > (now-86400))) { - bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20); + bt_proto = ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20); goto bittorrent_found; } - } else if(ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20) + } else if(ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20) ) { goto bittorrent_found; } @@ -529,29 +576,30 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st flow->bittorrent_stage++; if(flow->bittorrent_stage < 5) { - /* We have detected bittorrent but we need to wait until we get a hash */ - - if(packet->payload_packet_len > 19 /* min size */) { - if(ndpi_strnstr((const char *)packet->payload, ":target20:", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, ":find_node1:", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, "d1:ad2:id20:", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, ":info_hash20:", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, ":filter64", packet->payload_packet_len) - || ndpi_strnstr((const char *)packet->payload, "d1:rd2:id20:", packet->payload_packet_len) - || (bt_proto = ndpi_strnstr((const char *)packet->payload, "BitTorrent protocol", packet->payload_packet_len)) - ) { - bittorrent_found: - if(bt_proto != NULL && ((u_int8_t *)&bt_proto[27] - packet->payload + - sizeof(flow->protos.bittorrent.hash)) < packet->payload_packet_len) { - memcpy(flow->protos.bittorrent.hash, &bt_proto[27], sizeof(flow->protos.bittorrent.hash)); - } - - NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); - ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); - return; + /* We have detected bittorrent but we need to wait until we get a hash */ + + if(packet->payload_packet_len > 19 /* min size */) { + if(ndpi_strnstr((const char *)packet->payload, ":target20:", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, ":find_node1:", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, "d1:ad2:id20:", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, ":info_hash20:", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, ":filter64", packet->payload_packet_len) + || ndpi_strnstr((const char *)packet->payload, "d1:rd2:id20:", packet->payload_packet_len) + || (bt_proto = ndpi_strnstr((const char *)packet->payload, BITTORRENT_PROTO_STRING, packet->payload_packet_len)) + ) { + bittorrent_found: + if(bt_proto != NULL && ((u_int8_t *)&bt_proto[27] - packet->payload + + sizeof(flow->protos.bittorrent.hash)) < packet->payload_packet_len) { + memcpy(flow->protos.bittorrent.hash, &bt_proto[27], sizeof(flow->protos.bittorrent.hash)); + flow->extra_packets_func = NULL; /* Nothing else to do */ } + + NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); + ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + return; } + } return; } |