authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-01-30 19:18:12 +0100
committerGitHub <noreply@github.com>2022-01-30 19:18:12 +0100
commit5bb5bec477e1a10a404fd9228ddc0f5041b51123 (patch)
tree923e8b698416595cf18e853215394fe6c66c8e02 /src/lib/protocols
parent1fdcddb33d105a45061da1ceaefcb6a00542322f (diff)
Remove `struct ndpi_id_struct` (#1427)
Remove the last uses of `struct ndpi_id_struct`. That code is not really used and it has not been updated for a very long time: see #1279 for details. Correlation among flows is achieved via LRU caches. This change allows a further reduction in memory consumption (see also 91bb77a8). At nDPI 4.0 (more precisely, at a6b10cf, because memory stats were wrong until that commit): ``` nDPI Memory statistics: nDPI Memory (once): 221.15 KB Flow Memory (per flow): 2.94 KB ``` Now: ``` nDPI Memory statistics: nDPI Memory (once): 235.27 KB Flow Memory (per flow): 688 B <-------- ``` i.e. memory usage per flow has been reduced by 77%. Close #1279
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/directconnect.c246
-rw-r--r--src/lib/protocols/gnutella.c65
-rw-r--r--src/lib/protocols/icecast.c5
-rw-r--r--src/lib/protocols/irc.c146
-rw-r--r--src/lib/protocols/jabber.c186
-rw-r--r--src/lib/protocols/thunder.c4
-rw-r--r--src/lib/protocols/world_of_warcraft.c16
7 files changed, 15 insertions, 653 deletions
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 55a3f8145..ea418f36d 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -77,151 +77,23 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
struct ndpi_flow_struct *flow,
const u_int8_t connection_type)
{
-
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-
- if(src != NULL) {
- src->directconnect_last_safe_access_time = packet->current_time_ms;
- if(connection_type == DIRECT_CONNECT_TYPE_PEER) {
- if(packet->tcp != NULL
- && flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) {
- src->detected_directconnect_port = packet->tcp->source;
- NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port));
- }
- if(packet->udp != NULL && src->detected_directconnect_udp_port == 0) {
- src->detected_directconnect_udp_port = packet->udp->source;
- NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port));
-
- }
- }
-
- }
- if(dst != NULL) {
- dst->directconnect_last_safe_access_time = packet->current_time_ms;
- if(connection_type == DIRECT_CONNECT_TYPE_PEER) {
- if(packet->tcp != NULL
- && flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) {
- /* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS
- * seen at large customer http servers, where someone has send faked DC tcp packets
- * to the server
- */
-
- /*
- dst->detected_directconnect_port = packet->tcp->dest;
- NDPI_LOG_DBG2(ndpi_struct,
- "DC tcp PORT %u for dst\n",
- ntohs (dst->detected_directconnect_port));
- */
- }
- }
- }
}
static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
if(packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) {
- u_int16_t ssl_port = parse_binf_message(ndpi_struct,
- &packet->payload[4],
- packet->payload_packet_len - 4);
- if(dst != NULL && ssl_port)
- dst->detected_directconnect_ssl_port = ssl_port;
-
- if(src != NULL && ssl_port)
- src->detected_directconnect_ssl_port = ssl_port;
+ parse_binf_message(ndpi_struct,
+ &packet->payload[4],
+ packet->payload_packet_len - 4);
}
- if((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42)
- && memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) {
- u_int16_t bytes_read = 0;
- if(dst != NULL) {
- dst->detected_directconnect_ssl_port =
- ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
- NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port));
- }
- if(src != NULL) {
- src->detected_directconnect_ssl_port =
- ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read);
- NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port));
- }
-
-
- }
return;
}
- if(src != NULL) {
- if(src->detected_directconnect_port == packet->tcp->source) {
- if((u_int32_t)
- (packet->current_time_ms -
- src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
- src->directconnect_last_safe_access_time = packet->current_time_ms;
- NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port));
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- } else {
- src->detected_directconnect_port = 0;
- NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n");
- return;
- }
- }
- if(src->detected_directconnect_ssl_port == packet->tcp->dest) {
- if((u_int32_t)
- (packet->current_time_ms -
- src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
- src->directconnect_last_safe_access_time = packet->current_time_ms;
- NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port));
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- } else {
- src->detected_directconnect_ssl_port = 0;
- NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n");
- return;
- }
- }
-
- }
-
- if(dst != NULL) {
- if(dst->detected_directconnect_port == packet->tcp->dest) {
- if((u_int32_t)
- (packet->current_time_ms -
- dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
- dst->directconnect_last_safe_access_time = packet->current_time_ms;
- NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_port));
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- } else {
- dst->detected_directconnect_port = 0;
- NDPI_LOG_DBG(ndpi_struct, "resetting dst port due to timeout\n");
- return;
- }
- }
- if(dst->detected_directconnect_ssl_port == packet->tcp->dest) {
- if((u_int32_t)
- (packet->current_time_ms -
- dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
- dst->directconnect_last_safe_access_time = packet->current_time_ms;
- NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port));
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- } else {
- dst->detected_directconnect_ssl_port = 0;
- NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n");
- return;
- }
- }
-
- }
if(flow->directconnect_stage == 0) {
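Review bot: The return value of `parse_binf_message()` is now discarded in the `BINF` branch of `ndpi_search_directconnect_tcp`, so the call still walks untrusted payload bytes although nothing consumes the port it used to return (the removed lines stored it as `ssl_port`). Unless the helper has side effects that are not visible here (its body is outside this hunk), either drop the call or make the intent explicit with `(void)parse_binf_message(...)` and a comment such as `/* result unused since per-host port tracking was removed */`. In the same hunk `ndpi_int_directconnect_add_connection` no longer reads its `connection_type` parameter, which deserves a `(void)connection_type;` or a signature cleanup in a follow-up. The body of `ndpi_search_directconnect_tcp` continues past the end of the hunk.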
@@ -308,124 +180,15 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n
}
-static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
- int pos, count = 0;
-
- if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) {
- if((u_int32_t)
- (packet->current_time_ms -
- dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) {
-
- dst->directconnect_last_safe_access_time = packet->current_time_ms;
- NDPI_LOG_INFO(ndpi_struct, "found DC using udp port %d\n", ntohs(dst->detected_directconnect_udp_port));
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- } else {
- dst->detected_directconnect_udp_port = 0;
- NDPI_LOG_DBG2(ndpi_struct, "resetting dst udp port due to timeout\n");
- return;
- }
- }
-
- if(packet->payload_packet_len > 58) {
- if(src != NULL
- && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) {
- if(packet->payload[0] == '$'
- && packet->payload[packet->payload_packet_len - 1] == '|'
- && memcmp(&packet->payload[1], "SR ", 3) == 0) {
- pos = packet->payload_packet_len - 2;
- if(packet->payload[pos] == ')') {
- while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
- pos--;
- count++;
- }
- if(packet->payload[pos] == '(') {
- pos = pos - 44;
- if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found DC udp\n");
- ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
- return;
- }
- }
- }
- flow->directconnect_stage++;
- if(flow->directconnect_stage < 3)
- return;
- }
-
- }
- if(dst != NULL
- && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) {
- if(packet->payload[0] == '$'
- && packet->payload[packet->payload_packet_len - 1] == '|'
- && memcmp(&packet->payload[1], "SR ", 3) == 0) {
- pos = packet->payload_packet_len - 2;
- if(packet->payload[pos] == ')') {
- while (pos > 0 && packet->payload[pos] != '(' && count < 21) {
- pos--;
- count++;
- }
- if(packet->payload[pos] == '(') {
- pos = pos - 44;
- if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found DC udp\n");
- ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER);
- return;
- }
- }
- }
- flow->directconnect_stage++;
- if(flow->directconnect_stage < 3)
- return;
- }
- }
-
- }
- NDPI_LOG_DBG(ndpi_struct, "excluded DC at stage %d \n", flow->directconnect_stage);
-
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT);
-
-
-}
-
void ndpi_search_directconnect(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
NDPI_LOG_DBG(ndpi_struct, "search DC\n");
- if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) {
- if(src != NULL && ((u_int32_t)
- (packet->current_time_ms -
- src->directconnect_last_safe_access_time) <
- ndpi_struct->directconnect_connection_ip_tick_timeout)) {
- src->directconnect_last_safe_access_time = packet->current_time_ms;
-
- } else if(dst != NULL && ((u_int32_t)
- (packet->current_time_ms -
- dst->directconnect_last_safe_access_time) <
- ndpi_struct->directconnect_connection_ip_tick_timeout)) {
- dst->directconnect_last_safe_access_time = packet->current_time_ms;
- } else {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_UNKNOWN);
- NDPI_LOG_DBG2(ndpi_struct, "skipping as unknown due to timeout\n");
- }
- return;
- }
-
if(packet->tcp != NULL) {
ndpi_search_directconnect_tcp(ndpi_struct, flow);
- } else if(packet->udp != NULL) {
- ndpi_search_directconnect_udp(ndpi_struct, flow);
}
}
@@ -435,7 +198,8 @@ void init_directconnect_dissector(struct ndpi_detection_module_struct *ndpi_stru
ndpi_set_bitmask_protocol_detection("DirectConnect", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_DIRECTCONNECT,
ndpi_search_directconnect,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ /* TODO: UDP?*/
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
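Review bot: `/* TODO: UDP?*/` does not tell the next reader what was lost. With `ndpi_search_directconnect_udp` deleted and the selection bitmask narrowed to TCP, DirectConnect over UDP is no longer classified at all, which matters to anyone relying on the classification for policy or detection. A more explicit comment would help, e.g. `/* UDP detection relied on the removed per-host state (struct ndpi_id_struct); not re-implemented yet, see #1279 */`. The jabber.c and irc.c hunks drop the Jabber file-transfer port correlation and the IRC DCC port matching in the same way but leave no marker, so a similar note there would make the reduced coverage discoverable.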
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c
index 2af76085f..ecb93d53f 100644
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@@ -33,67 +33,18 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct
struct ndpi_flow_struct *flow,
ndpi_confidence_t confidence)
{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN, confidence);
NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n");
-
- if (src != NULL) {
- src->gnutella_ts = packet->current_time_ms;
- if (packet->udp != NULL) {
- if (!src->detected_gnutella_udp_port1) {
- src->detected_gnutella_udp_port1 = (packet->udp->source);
- NDPI_LOG_DBG2(ndpi_struct,
- "GNUTELLA UDP PORT1 DETECTED as %u\n", src->detected_gnutella_udp_port1);
-
- } else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1)
- && !src->detected_gnutella_udp_port2) {
- src->detected_gnutella_udp_port2 = (packet->udp->source);
- NDPI_LOG_DBG2(ndpi_struct,
- "GNUTELLA UDP PORT2 DETECTED as %u\n", src->detected_gnutella_udp_port2);
-
- }
- }
- }
- if (dst != NULL) {
- dst->gnutella_ts = packet->current_time_ms;
- }
}
void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
u_int16_t c;
NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n");
- if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) {
- if (src != NULL && ((u_int32_t)
- (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) {
- NDPI_LOG_DBG2(ndpi_struct, "save src connection packet detected\n");
- src->gnutella_ts = packet->current_time_ms;
- } else if (dst != NULL && ((u_int32_t)
- (packet->current_time_ms - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) {
- NDPI_LOG_DBG2(ndpi_struct, "save dst connection packet detected\n");
- dst->gnutella_ts = packet->current_time_ms;
- }
- if (src != NULL && (packet->current_time_ms - src->gnutella_ts) > ndpi_struct->gnutella_timeout) {
- src->detected_gnutella_udp_port1 = 0;
- src->detected_gnutella_udp_port2 = 0;
- }
- if (dst != NULL && (packet->current_time_ms - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) {
- dst->detected_gnutella_udp_port1 = 0;
- dst->detected_gnutella_udp_port2 = 0;
- }
-
- return;
- }
-
/* skip packets without payload */
if (packet->payload_packet_len < 2) {
return;
@@ -234,12 +185,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru
}
}
} else if (packet->udp != NULL) {
- if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 ||
- packet->udp->source == src->detected_gnutella_udp_port2) &&
- (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout) {
- NDPI_LOG_DBG2(ndpi_struct, "port based detection\n\n");
- ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- }
/* observations:
* all the following patterns send out many packets which are the only ones of their flows,
* often on the very beginning of the traces, or flows with many packets in one direction only.
@@ -333,20 +278,18 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru
if (flow->packet_counter == 2 && (packet->payload_packet_len == 33 || packet->payload_packet_len == 22)
&& flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0]
&& flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2]
- && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]
- && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) {
+ && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) {
NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n");
- ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
+ ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
return;
}
} else if (flow->l4.tcp.gnutella_stage == 2 - packet->packet_direction) {
if (flow->packet_counter == 2 && (packet->payload_packet_len == 10 || packet->payload_packet_len == 75)
&& flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0]
&& flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2]
- && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]
- && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) {
+ && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) {
NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n");
- ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
+ ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
return;
}
}
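Review bot: Both NEONet branches now classify a flow as Gnutella when `flow->packet_counter == 2` from a payload length and three matching bytes alone, and report it as plain `NDPI_CONFIDENCE_DPI`. The `NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)` condition that previously gated this match is gone. A three-byte comparison is easy to satisfy by chance or deliberately, so this path will probably yield more false positives than before. Please either tighten the match or document the trade-off at the condition, e.g. `/* heuristic: msg-id echo only, no host-level corroboration */`. The same gate is removed in the thunder.c hunk (every `GET /` request now reaches `ndpi_parse_packet_line_info`) and in the second world_of_warcraft.c hunk; the enclosing function here starts and ends outside the hunk.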
diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c
index 61dafc2d6..ce8b20c12 100644
--- a/src/lib/protocols/icecast.c
+++ b/src/lib/protocols/icecast.c
@@ -60,10 +60,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s
}
}
- if(NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) {
- goto icecast_exclude;
- }
-
if(flow == NULL) return;
if((packet->packet_direction == flow->setup_packet_direction)
@@ -89,7 +85,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s
}
}
- icecast_exclude:
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index 6ff3af836..33c41a4c3 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -29,38 +29,11 @@
#include "ndpi_api.h"
-#define NDPI_IRC_FIND_LESS(time_err,less) {int t1 = 0; \
- u_int32_t timestamp = time_err[0]; \
- for(t1=0;t1 < NDPI_PROTOCOL_IRC_MAXPORT;t1++) { \
- if(timestamp > time_err[t1]) { \
- timestamp = time_err[t1]; \
- less = t1;}}}
-
static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence)
{
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence);
}
-
-
-#if !defined(WIN32)
-static inline
-#elif defined(MINGW_GCC)
-__mingw_forceinline static
-#else
-__forceinline static
-#endif
-u_int8_t ndpi_is_duplicate(struct ndpi_id_struct *id_t, u_int16_t port)
-{
- int index = 0;
- while (index < id_t->irc_number_of_port) {
- if (port == id_t->irc_port[index])
- return 1;
- index++;
- }
- return 0;
-}
-
static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
@@ -369,17 +342,9 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
- int less;
u_int16_t c = 0;
- u_int16_t port = 0;
- u_int16_t sport = 0;
- u_int16_t dport = 0;
- u_int16_t counter = 0;
u_int16_t i = 0;
u_int16_t j = 0;
- u_int16_t k = 0;
u_int16_t h;
u_int16_t http_content_ptr_len = 0;
u_int8_t space = 0;
@@ -391,53 +356,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
}
- if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
- if (src != NULL && ((u_int32_t)
- (packet->current_time_ms - src->irc_ts) < ndpi_struct->irc_timeout)) {
- NDPI_LOG_DBG2(ndpi_struct, "irc : save src connection packet detected\n");
- src->irc_ts = packet->current_time_ms;
- } else if (dst != NULL && ((u_int32_t)
- (packet->current_time_ms - dst->irc_ts) < ndpi_struct->irc_timeout)) {
- NDPI_LOG_DBG2(ndpi_struct, "irc : save dst connection packet detected\n");
- dst->irc_ts = packet->current_time_ms;
- }
- }
-
- if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
- && ((u_int32_t)
- (packet->current_time_ms - dst->irc_ts)) <
- ndpi_struct->irc_timeout)) || (src != NULL
- &&
- NDPI_COMPARE_PROTOCOL_TO_BITMASK
- (src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
- && ((u_int32_t)
- (packet->current_time_ms - src->irc_ts)) < ndpi_struct->irc_timeout)) {
- if (packet->tcp != NULL) {
- sport = packet->tcp->source;
- dport = packet->tcp->dest;
- }
- if (dst != NULL) {
- for (counter = 0; counter < dst->irc_number_of_port; counter++) {
- if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) {
- dst->last_time_port_used[counter] = packet->current_time_ms;
- NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port");
- ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- }
- }
- }
- if (src != NULL) {
- for (counter = 0; counter < src->irc_number_of_port; counter++) {
- if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) {
- src->last_time_port_used[counter] = packet->current_time_ms;
- NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port");
- ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- return;
- }
- }
- }
- }
-
if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC &&
ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(ndpi_struct, flow) != 0) {
return;
@@ -667,70 +585,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
if (space == 3) {
j++;
NDPI_LOG_DBG2(ndpi_struct, "read port.");
- if (src != NULL) {
- k = j;
- port =
- ntohs_ndpi_bytestream_to_number
- (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j);
- NDPI_LOG_DBG2(ndpi_struct, "port %u.",
- port);
- j = k;
- // hier jetzt überlegen, wie die ports abgespeichert werden sollen
- if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT)
- NDPI_LOG_DBG2(ndpi_struct, "src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT.");
- if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) {
- if (!ndpi_is_duplicate(src, port)) {
- src->irc_port[src->irc_number_of_port]
- = port;
- src->irc_number_of_port++;
- NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee",
- ntohs(get_u_int16_t(src->irc_port, 0)));
- }
- src->irc_ts = packet->current_time_ms;
- } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) {
- if (!ndpi_is_duplicate(src, port)) {
- less = 0;
- NDPI_IRC_FIND_LESS(src->last_time_port_used, less);
- src->irc_port[less] = port;
- NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0)));
- }
- src->irc_ts = packet->current_time_ms;
- }
- if (dst == NULL) {
- break;
- }
- }
- if (dst != NULL) {
- port = ntohs_ndpi_bytestream_to_number
- (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j);
- NDPI_LOG_DBG2(ndpi_struct, "port %u.", port);
- // hier das gleiche wie oben.
- /* hier werden NDPI_PROTOCOL_IRC_MAXPORT ports pro irc flows mitgespeichert. könnte man denn nicht ein-
- * fach an die dst oder src einen flag setzten, dass dieser port für eine bestimmte
- * zeit ein irc-port bleibt?
- */
- if (dst->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) {
- if (!ndpi_is_duplicate(dst, port)) {
- dst->irc_port[dst->irc_number_of_port]
- = port;
- dst->irc_number_of_port++;
- NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0)));
- NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu");
- }
- dst->irc_ts = packet->current_time_ms;
- } else if (port != 0 && dst->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) {
- if (!ndpi_is_duplicate(dst, port)) {
- less = 0;
- NDPI_IRC_FIND_LESS(dst->last_time_port_used, less);
- dst->irc_port[less] = port;
-
- NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0)));
- }
- dst->irc_ts = packet->current_time_ms;
- }
-
- break;
- }
}
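Review bot: After this deletion the `if (space == 3)` block only does `j++` and logs "read port." without reading anything, and both `break;` statements that used to leave the enclosing loop went away with the removed branches. When `src` or `dst` was set the old code stopped scanning here; now the loop keeps iterating. If stopping was the intended behaviour, keep a `break;` after the log call; otherwise remove the leftover block so the log message does not mislead. The loop and the rest of `ndpi_search_irc_tcp` lie outside the hunk, so the bounds on `i` and `j` cannot be checked from here.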
diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c
index a5e5a069e..89dd3c8db 100644
--- a/src/lib/protocols/jabber.c
+++ b/src/lib/protocols/jabber.c
@@ -65,9 +65,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
- u_int16_t x;
NDPI_LOG_DBG(ndpi_struct, "search JABBER\n");
@@ -76,193 +73,10 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st
return;
}
- /* search for jabber file transfer */
- /* this part is working asymmetrically */
- if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "check jabber syn\n");
- if (src != NULL && src->jabber_file_transfer_port[0] != 0) {
- NDPI_LOG_DBG2(ndpi_struct, "src jabber ft port set, ports are: %u, %u\n",
- ntohs(src->jabber_file_transfer_port[0]),
- ntohs(src->jabber_file_transfer_port[1]));
- if (((u_int32_t)
- (packet->current_time_ms - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
- NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n",
- src->jabber_stun_or_ft_ts, packet->current_time_ms);
- src->jabber_file_transfer_port[0] = 0;
- src->jabber_file_transfer_port[1] = 0;
- } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest
- || src->jabber_file_transfer_port[0] == packet->tcp->source
- || src->jabber_file_transfer_port[1] == packet->tcp->dest
- || src->jabber_file_transfer_port[1] == packet->tcp->source) {
- NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n");
-
- ndpi_int_jabber_add_connection(ndpi_struct, flow,
- NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- }
- }
- if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) {
- NDPI_LOG_DBG2(ndpi_struct, "dst jabber ft port set, ports are: %u, %u\n",
- ntohs(dst->jabber_file_transfer_port[0]),
- ntohs(dst->jabber_file_transfer_port[1]));
- if (((u_int32_t)
- (packet->current_time_ms - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
- NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n",
- dst->jabber_stun_or_ft_ts, packet->current_time_ms);
- dst->jabber_file_transfer_port[0] = 0;
- dst->jabber_file_transfer_port[1] = 0;
- } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest
- || dst->jabber_file_transfer_port[0] == packet->tcp->source
- || dst->jabber_file_transfer_port[1] == packet->tcp->dest
- || dst->jabber_file_transfer_port[1] == packet->tcp->source) {
- NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n");
-
- ndpi_int_jabber_add_connection(ndpi_struct, flow,
- NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID);
- }
- }
- return;
- }
-
if (packet->tcp != 0 && packet->payload_packet_len == 0) {
return;
}
-
- /* this part parses a packet and searches for port=. it works asymmetrically. */
- if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_JABBER) {
- u_int16_t lastlen;
- u_int16_t j_port = 0;
- /* check for google jabber voip connections ... */
- /* need big packet */
- if (packet->payload_packet_len < 100) {
- NDPI_LOG_DBG2(ndpi_struct, "packet too small, return\n");
- return;
- }
- /* need message to or type for file-transfer */
- if (memcmp(packet->payload, "<iq from=\"", 10) == 0 || memcmp(packet->payload, "<iq from=\'", 10) == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq from=\"\n");
- lastlen = packet->payload_packet_len - 11;
- for (x = 10; x < lastlen; x++) {
- if (packet->payload[x] == 'p') {
- if (memcmp(&packet->payload[x], "port=", 5) == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "port=\n");
- if (src != NULL) {
- src->jabber_stun_or_ft_ts = packet->current_time_ms;
- }
-
- if (dst != NULL) {
- dst->jabber_stun_or_ft_ts = packet->current_time_ms;
- }
- x += 6;
- j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
- NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port));
- if (src != NULL) {
- if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) {
- NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n",
- ntohs(j_port));
- src->jabber_file_transfer_port[0] = j_port;
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
- ntohs(j_port));
- src->jabber_file_transfer_port[1] = j_port;
- }
- }
- if (dst != NULL) {
- if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) {
- NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n",
- ntohs(j_port));
- dst->jabber_file_transfer_port[0] = j_port;
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
- ntohs(j_port));
- dst->jabber_file_transfer_port[1] = j_port;
- }
- }
- }
-
-
- }
- }
-
- } else if (memcmp(packet->payload, "<iq to=\"", 8) == 0 || memcmp(packet->payload, "<iq to=\'", 8) == 0
- || memcmp(packet->payload, "<iq type=", 9) == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq to=\"/type=\"\n");
- lastlen = packet->payload_packet_len - 21;
- for (x = 8; x < lastlen; x++) {
- /* invalid character */
- if (packet->payload[x] < 32 || packet->payload[x] > 127) {
- return;
- }
- if (packet->payload[x] == '@') {
- NDPI_LOG_DBG2(ndpi_struct, "JABBER @\n");
- break;
- }
- }
- if (x >= lastlen) {
- return;
- }
-
- lastlen = packet->payload_packet_len - 10;
- for (; x < lastlen; x++) {
- if (packet->payload[x] == 'p') {
- if (memcmp(&packet->payload[x], "port=", 5) == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "port=\n");
- if (src != NULL) {
- src->jabber_stun_or_ft_ts = packet->current_time_ms;
- }
-
- if (dst != NULL) {
- dst->jabber_stun_or_ft_ts = packet->current_time_ms;
- }
-
- x += 6;
- j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
- NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port));
-
- if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
- if (packet->payload[5] == 'o') {
- src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++]
- = j_port;
- } else {
- if (src->jabber_file_transfer_port[0] == 0
- || src->jabber_file_transfer_port[0] == j_port) {
- NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n",
- ntohs(j_port));
- src->jabber_file_transfer_port[0] = j_port;
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
- ntohs(j_port));
- src->jabber_file_transfer_port[1] = j_port;
- }
- }
- }
-
- if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
- if (packet->payload[5] == 'o') {
- dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++]
- = j_port;
- } else {
- if (dst->jabber_file_transfer_port[0] == 0
- || dst->jabber_file_transfer_port[0] == j_port) {
- NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n",
- ntohs(j_port));
- dst->jabber_file_transfer_port[0] = j_port;
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
- ntohs(j_port));
- dst->jabber_file_transfer_port[1] = j_port;
- }
- }
- }
- return;
- }
- }
- }
- }
- return;
- }
-
-
/* search for jabber here */
/* this part is working asymmetrically */
if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0)
diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c
index 7b5625511..caafa4e4c 100644
--- a/src/lib/protocols/thunder.c
+++ b/src/lib/protocols/thunder.c
@@ -135,11 +135,9 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
if (packet->payload_packet_len > 5
- && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) {
+ && memcmp(packet->payload, "GET /", 5) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n");
ndpi_parse_packet_line_info(ndpi_struct, flow);
diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c
index 2d35fe7ab..8b6da51f9 100644
--- a/src/lib/protocols/world_of_warcraft.c
+++ b/src/lib/protocols/world_of_warcraft.c
@@ -56,9 +56,6 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
NDPI_LOG_DBG(ndpi_struct, "search World of Warcraft\n");
if (packet->tcp != NULL) {
@@ -108,14 +105,11 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct
return;
}
- if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0) {
- if (packet->tcp->source == htons(3724)
- && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) {
- ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
- NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
- return;
- }
-
+ if (packet->tcp->source == htons(3724)
+ && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) {
+ ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
+ NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
+ return;
}
/* for some well known WoW ports