diff options
| author | Nardi Ivan <nardi.ivan@gmail.com> | 2024-02-23 22:30:54 +0100 |
|---|---|---|
| committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-02-26 09:26:21 +0100 |
| commit | ed5ba179f6461fff2a586e3f1a95e5e392c5b540 (patch) | |
| tree | 7993934773c14eba187d0e185e25114c5e620e94 /src/lib/protocols/telegram.c | |
| parent | c95e8c184e7e28915bf37aa623e4886fd720aba0 (diff) | |
Telegram: improve identification
Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and
75485e177ccc4fafcc62dd46c6917d5b735cf7d2.
Allow fast classification by ip, but give time to other dissectors to
kick in (for example, the TLS code for the Telegram Web flows).
Even if we don't classify it anymore at the very first packet (i.e. SYN)
we fully classify Telegram traffic at the first packet with payload, as
*any* other protocol.
This way, we always have the proper category, the proper confidence
for the UDP flows and we don't overwrite previous classifications (TLS
or ICMP)
Remove old and stale identification logic for TCP flows
Diffstat (limited to 'src/lib/protocols/telegram.c')
| -rw-r--r-- | src/lib/protocols/telegram.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c index 8c9d18866..23f7cca51 100644 --- a/src/lib/protocols/telegram.c +++ b/src/lib/protocols/telegram.c @@ -31,8 +31,9 @@ #include "ndpi_private.h" static void ndpi_int_telegram_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + *ndpi_struct, struct ndpi_flow_struct *flow, + ndpi_confidence_t confidence) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN, confidence); NDPI_LOG_INFO(ndpi_struct, "found telegram\n"); } @@ -51,18 +52,15 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc NDPI_LOG_DBG(ndpi_struct, "search telegram\n"); if(packet->tcp != NULL) { - if(packet->payload_packet_len > 56) { - u_int16_t dport = ntohs(packet->tcp->dest); - /* u_int16_t sport = ntohs(packet->tcp->source); */ - - if(packet->payload[0] == 0xef && (dport == 443 || dport == 80 || dport == 25)) { - if(packet->payload[1] == 0x7f) { - ndpi_int_telegram_add_connection(ndpi_struct, flow); - } else if(packet->payload[1]*4 <= packet->payload_packet_len - 1) { - ndpi_int_telegram_add_connection(ndpi_struct, flow); - } - return; - } + /* With MTProto 2.0 telegram via app is no longer TLS-based (althought based on TCP/443) so + we need to detect it with Telegram IPs. + Basically, we want a fast classification by ip. Note that, real Telegram traffic over + TLS (i.e. Telegram Web) is correctly classified as TLS/Telegram because TLS dissector + already kicked in. + Let's check every port for the time being */ + if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TELEGRAM) { + ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_MATCH_BY_IP); + return; } } else if(packet->udp != NULL) { /* @@ -94,7 +92,7 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc } if(found == 12) { - ndpi_int_telegram_add_connection(ndpi_struct, flow); + ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } |