authorLuca Deri <deri@ntop.org>2019-10-08 23:40:56 +0200
committerLuca Deri <deri@ntop.org>2019-10-08 23:40:56 +0200
commit24a26a2e942b26ec93b5cff330f9cda29487ab68 (patch)
tree2862a47c9bd9252cd74e748f2bb84667c59b681c /src/lib/protocols/netbios.c
parent0a7521060a910d0ea1d098af334c7bae8b92f0e3 (diff)
Added NetBIOS metadata export
Diffstat (limited to 'src/lib/protocols/netbios.c')
-rw-r--r--src/lib/protocols/netbios.c51
1 files changed, 25 insertions, 26 deletions
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index fd0e579c1..09666366a 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -41,7 +41,7 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) {
len = (*in++)/2;
b = out;
- *out=0;
+ *out = 0;
if(len > (out_len-1) || len < 1)
return(-1);
@@ -71,24 +71,29 @@ int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len) {
static void ndpi_int_netbios_add_connection(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+ *ndpi_struct, struct ndpi_flow_struct *flow) {
+ char name[64];
+
+ if(!ndpi_struct->disable_metadata_export) {
+ u_int off = flow->packet.payload[12] == 0x20 ? 12 : 14;
+
+ if(ndpi_netbios_name_interpret((char*)&flow->packet.payload[off], name, sizeof(name)) > 0)
+ snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
+ }
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN);
}
-void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t dport;
- char name[64];
NDPI_LOG_DBG(ndpi_struct, "search netbios\n");
if(packet->udp != NULL) {
dport = ntohs(packet->udp->dest);
-
/*check standard NETBIOS over udp to port 137 */
if((dport == 137 || 0) && packet->payload_packet_len >= 50) {
struct netbios_header h;
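Review bot: The name extraction added to ndpi_int_netbios_add_connection reads `flow->packet.payload[12]` and passes `&flow->packet.payload[off]` (off is 12 or 14) to ndpi_netbios_name_interpret without comparing anything against `payload_packet_len`. That helper takes only an output length; its first hunk shows it reading a length byte from `in` and bounding just `out_len`. Since the helper now runs for every detection branch, the only length guarantee is whatever the caller tested: the port 138 branch in the later hunk requires only `payload_packet_len >= 14`, so with off = 14 the length byte itself can lie past the end of the payload, and the port 139/TCP callers are not visible here. As a minimum I would guard the block with `if(!ndpi_struct->disable_metadata_export && flow->packet.payload_packet_len > 14)`. The fuller fix is to give ndpi_netbios_name_interpret an input-length parameter so an encoded name taken from untrusted traffic cannot be decoded beyond the captured packet.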
@@ -110,6 +115,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(((h.flags & 0x8710) == 0x10) &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -117,15 +123,10 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n");
- if(ndpi_netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) {
- if(!ndpi_struct->disable_metadata_export) {
- snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
- }
- }
-
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(packet->payload[2] == 0x80 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -136,6 +137,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x4000 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -146,6 +148,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x8400 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -157,6 +160,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x8500 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -168,7 +172,8 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
- if(h.flags == 0x2910 &&
+
+ if(((h.flags == 0x2900) || (h.flags == 0x2910)) &&
h.questions == 1 &&
h.answer_rrs == 0 &&
h.authority_rrs == 0 && h.additional_rrs == 1) {
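Review bot: The widened test `((h.flags == 0x2900) || (h.flags == 0x2910))` adds a second unexplained magic constant. The two values differ only in bit 0x0010, which is the broadcast flag in the RFC 1002 name-service header, so the change appears to accept unicast as well as broadcast name registration requests. A comment such as `/* name registration request: unicast (0x2900) or broadcast (0x2910) */`, or the equivalent `(h.flags & 0xffef) == 0x2900`, would make that intent explicit. The body of this branch continues outside the hunk, so whether its log message still matches the relaxed condition is not visible here.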
@@ -179,6 +184,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0xAD86 &&
h.questions == 0 &&
h.answer_rrs == 1 &&
@@ -190,6 +196,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
+
if(h.flags == 0x0110 &&
h.questions == 1 &&
h.answer_rrs == 0 &&
@@ -203,7 +210,6 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
}
if((h.flags & 0xf800) == 0) {
-
NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query request\n");
if(get_u_int16_t(packet->payload, 4) == htons(1) &&
@@ -325,23 +331,17 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
/*netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */
if((dport == 138) &&
- packet->payload_packet_len >= 14 &&
- ntohs(get_u_int16_t(packet->payload, 10)) == packet->payload_packet_len - 14) {
-
+ packet->payload_packet_len >= 14 &&
+ ntohs(get_u_int16_t(packet->payload, 10)) == packet->payload_packet_len - 14) {
+
NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n");
-
+
if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) {
NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n");
if(ntohl(get_u_int32_t(packet->payload, 4)) == ntohl(packet->iph->saddr)) {
NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n");
- if(ndpi_netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) {
- if(!ndpi_struct->disable_metadata_export) {
- snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name);
- }
- }
-
ndpi_int_netbios_add_connection(ndpi_struct, flow);
return;
}
@@ -354,7 +354,6 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
/* destination port must be 139 */
if(dport == 139) {
-
NDPI_LOG_DBG2(ndpi_struct, "found netbios with destination port 139\n");
/* payload_packet_len must be 72 */