authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2021-12-18 13:24:51 +0100
committerGitHub <noreply@github.com>2021-12-18 13:24:51 +0100
commit7153b8933ca6a3df3f6de7d47cbb25e66a8970d4 (patch)
tree1c85b93b96cb78648ec60628afe5a728a5a1d43b /src/lib/protocols/gtp.c
parent58b33dcb2d60faf3d0fa8f7a482752b4664c5344 (diff)
Improve/add several protocols (#1383)
Improve Microsoft, GMail, Likee, Whatsapp, DisneyPlus and Tiktok detection. Add Vimeo, Fuze, Alibaba and Firebase Crashlytics detection. Try to differentiate between Messenger/Signal standard flows (i.e. chat) and their VOIP (video)calls (like we already do for Whatsapp and Snapchat). Add a partial list of some ADS/Tracking stuff. Fix Cassandra, Radius and GTP false positives. Fix DNS, Syslog and SIP false negatives. Improve GTP (sub)classification: differentiate among GTP-U, GTP_C and GTP_PRIME. Fix 3 LGTM warnings.
Diffstat (limited to 'src/lib/protocols/gtp.c')
-rw-r--r--src/lib/protocols/gtp.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/lib/protocols/gtp.c b/src/lib/protocols/gtp.c
index 956ebe355..f94138baf 100644
--- a/src/lib/protocols/gtp.c
+++ b/src/lib/protocols/gtp.c
@@ -82,28 +82,33 @@ static void ndpi_check_gtp(struct ndpi_detection_module_struct *ndpi_struct, str
(payload_len >= HEADER_LEN_GTP_U) &&
(message_len <= (payload_len - HEADER_LEN_GTP_U))) {
NDPI_LOG_INFO(ndpi_struct, "found gtp-u\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_U, NDPI_PROTOCOL_GTP);
return;
}
}
if((packet->udp->source == gtp_c) || (packet->udp->dest == gtp_c)) {
if(((version == 1) &&
(payload_len >= HEADER_LEN_GTP_C_V1) &&
- (message_len == (payload_len - HEADER_LEN_GTP_C_V1))) ||
+ (message_len == (payload_len - HEADER_LEN_GTP_C_V1)) &&
+ (message_len >= 4 * (!!(gtp->flags & 0x07))) &&
+ (gtp->message_type > 0 && gtp->message_type <= 129)) || /* Loose check based on TS 29.060 7.1 */
((version == 2) &&
/* payload_len is always valid, because HEADER_LEN_GTP_C_V2 == sizeof(struct gtp_header_generic) */
(message_len <= (payload_len - HEADER_LEN_GTP_C_V2)))) {
NDPI_LOG_INFO(ndpi_struct, "found gtp-c\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_C, NDPI_PROTOCOL_GTP);
return;
}
}
if((packet->udp->source == gtp_prime) || (packet->udp->dest == gtp_prime)) {
if((pt == 0) &&
+ ((gtp->flags & 0x0E) >> 1 == 0x7) && /* Spare bits */
(payload_len >= HEADER_LEN_GTP_PRIME) &&
- (message_len <= (payload_len - HEADER_LEN_GTP_PRIME))) {
+ (message_len <= (payload_len - HEADER_LEN_GTP_PRIME)) &&
+ ((gtp->message_type > 0 && gtp->message_type <= 7) || /* Check based on TS 32.295 6.2.1 */
+ gtp->message_type == 240 || gtp->message_type == 241)) {
NDPI_LOG_INFO(ndpi_struct, "found gtp-prime\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_PRIME, NDPI_PROTOCOL_GTP);
return;
}
}
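Review bot: In the gtp-c condition only the version 1 arm gained the flag-dependent minimum length and the message-type range; the version 2 arm still accepts any `message_type` and any `message_len` up to `payload_len - HEADER_LEN_GTP_C_V2`, so the false-positive tightening on the GTP-C port is one-sided. If the message-type byte sits at the same offset for v2 (it appears to, since it is read through the same generic header) and type 0 is not a valid v2 message, a loose `(gtp->message_type > 0) &&` on that arm would be a cheap addition; otherwise a comment such as `/* v2: message type intentionally not checked */` would record the decision. The new masks `0x07` and `0x0E` and the bounds 129, 7, 240 and 241 would read better as named constants next to the `HEADER_LEN_*` ones, and the spare-bit test can be written more directly as `((gtp->flags & 0x0E) == 0x0E)`. ndpi_check_gtp starts before this hunk, so the guard that makes `gtp->flags` and `gtp->message_type` safe to read ahead of the `payload_len >= HEADER_LEN_GTP_PRIME` test is not visible here and should be confirmed.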