diff options
| author | Luca Deri <deri@ntop.org> | 2017-07-27 00:18:15 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2017-07-27 00:18:15 +0200 |
| commit | e6b594a626e5cfb5cd0410336f8c1e12966a27cd (patch) | |
| tree | af1492120bdafcb470e87670766484f40e9ef393 /src/lib/protocols | |
| parent | c15f2bda97df15d7c225fe04cd1ef4d453b098b5 (diff) | |
Fixed TINC bug (cache usage)
Merged MS Lync with Skype (Microsoft renamed MS Lync in Skype for Business)
Renumbered Nintendo protocols in former MS Lync that was no longer used
Fix for #425
Diffstat (limited to 'src/lib/protocols')
| -rw-r--r-- | src/lib/protocols/rtp.c | 4 | ||||
| -rw-r--r-- | src/lib/protocols/skype.c | 14 | ||||
| -rw-r--r-- | src/lib/protocols/stun.c | 42 | ||||
| -rw-r--r-- | src/lib/protocols/tinc.c | 124 |
4 files changed, 96 insertions, 88 deletions
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index 9bcaec941..80848f5ba 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -96,8 +96,8 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, && (((payload[0] & 0xFF) == 0x80) || ((payload[0] & 0xFF) == 0xA0)) /* RTP magic byte[1] */ && (payloadType = isValidMSRTPType(payload[1] & 0xFF))) { if(payloadType == 1 /* RTP */) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found MS Lync\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MS_LYNC, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found Skype for Business (former MS Lync)\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); } else /* RTCP */ { NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found MS RTCP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN); diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 1a4c260c0..19de3c437 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -27,7 +27,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s // const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; - + if(flow->host_server_name[0] != '\0') return; @@ -52,7 +52,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s } NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE); return; - + // TCP check } else if(packet->tcp != NULL) { flow->l4.tcp.skype_packet_id++; @@ -64,11 +64,15 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s && flow->l4.tcp.seen_syn && flow->l4.tcp.seen_syn_ack && flow->l4.tcp.seen_ack) { - if((payload_len == 8) || (payload_len == 3)) { - //printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); + + if((payload_len == 8) || (payload_len == 3) || (payload_len == 17)) { + // printf("[SKYPE] payload_len=%u\n", payload_len); + /* printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); */ NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); + } else { + // printf("NO [SKYPE] payload_len=%u\n", payload_len); } /* printf("[SKYPE] [id: %u][len: %d]\n", flow->l4.tcp.skype_packet_id, payload_len); */ @@ -91,7 +95,7 @@ void ndpi_search_skype(struct ndpi_detection_module_struct *ndpi_struct, struct } -void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("Skype", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_SKYPE, diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 37feb2871..d44d9c26e 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -18,7 +18,7 @@ * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ #include "ndpi_protocols.h" @@ -49,12 +49,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * const u_int8_t * payload, const u_int16_t payload_length, u_int8_t *is_whatsapp, - u_int8_t *is_lync) { + u_int8_t *is_skype) { u_int16_t msg_type, msg_len; struct stun_packet_header *h = (struct stun_packet_header*)payload; u_int8_t can_this_be_whatsapp_voice = 1; - if(payload_length < sizeof(struct stun_packet_header)) { if(flow->num_stun_udp_pkts > 0) { *is_whatsapp = 1; @@ -80,15 +79,21 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * /* This can either be the standard RTCP or Ms Lync RTCP that - later will becomg Ms Lync RTP. In this case we need to + later will become Ms Lync RTP. In this case we need to be careful before deciding about the protocol before dissecting the packet + + MS Lync = Skype + https://en.wikipedia.org/wiki/Skype_for_Business */ while(offset < payload_length) { - u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset])); u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); + u_int16_t x = (len + 4) % 4; + if(x != 0) + len += 4-x; + switch(attribute) { case 0x0008: /* Message Integrity */ case 0x0020: /* XOR-MAPPED-ADDRESSES */ @@ -101,7 +106,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) && (payload[offset+7] == 0x00)) { - *is_lync = 1; + /* Either skype for business or "normal" skype with multiparty call */ + *is_skype = 1; return(NDPI_IS_STUN); } break; @@ -111,8 +117,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) - && (payload[offset+7] == 0x02)) { - *is_lync = 1; + && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03)) + ) { + *is_skype = 1; return(NDPI_IS_STUN); } break; @@ -122,6 +129,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * can_this_be_whatsapp_voice = 0; break; } + offset += len + 4; } goto udp_stun_found; @@ -244,7 +252,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t is_whatsapp = 0, is_lync = 0; + u_int8_t is_whatsapp = 0, is_skype = 0; NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "search stun.\n"); @@ -257,10 +265,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n * improved by checking only the STUN packet of given length */ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2, - packet->payload_packet_len - 2, &is_whatsapp, &is_lync) == NDPI_IS_STUN) { - if(is_lync) { - NDPI_LOG(NDPI_PROTOCOL_MS_LYNC, ndpi_struct, NDPI_LOG_DEBUG, "Found MS Lync\n"); - ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_MS_LYNC, flow); + packet->payload_packet_len - 2, &is_whatsapp, &is_skype) == NDPI_IS_STUN) { + if(is_skype) { + NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found Skype\n"); + ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_SKYPE, flow); } else { NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n"); ndpi_int_stun_add_connection(ndpi_struct, @@ -272,10 +280,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n } if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, - packet->payload_packet_len, &is_whatsapp, &is_lync) == NDPI_IS_STUN) { - if(is_lync) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "Found MS Lync\n"); - ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_MS_LYNC, flow); + packet->payload_packet_len, &is_whatsapp, &is_skype) == NDPI_IS_STUN) { + if(is_skype) { + NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "Found Skype\n"); + ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_SKYPE, flow); } else { NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n"); ndpi_int_stun_add_connection(ndpi_struct, diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c index a69d18759..cdd330bca 100644 --- a/src/lib/protocols/tinc.c +++ b/src/lib/protocols/tinc.c @@ -32,25 +32,25 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st if(packet->udp != NULL) { if(ndpi_struct->tinc_cache != NULL) { - tinc_cache_entry_t tinc_cache_entry1 = { + struct tinc_cache_entry tinc_cache_entry1 = { .src_address = packet->iph->saddr, .dst_address = packet->iph->daddr, .dst_port = packet->udp->dest }; - tinc_cache_entry_t tinc_cache_entry2 = { + struct tinc_cache_entry tinc_cache_entry2 = { .src_address = packet->iph->daddr, .dst_address = packet->iph->saddr, .dst_port = packet->udp->source }; - if( cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry1, sizeof(tinc_cache_entry1)) == CACHE_NO_ERROR || - cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry2, sizeof(tinc_cache_entry2)) == CACHE_NO_ERROR) - { + if(cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry1, sizeof(tinc_cache_entry1)) == CACHE_NO_ERROR || + cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry2, sizeof(tinc_cache_entry2)) == CACHE_NO_ERROR) { + cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry1, sizeof(tinc_cache_entry1)); cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry2, sizeof(tinc_cache_entry2)); - // cache_free(ndpi_struct->tinc_cache); + /* cache_free(ndpi_struct->tinc_cache); */ NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "Found tinc udp connection\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN); @@ -59,9 +59,7 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st return; - } - else if(packet->tcp != NULL) { - + } else if(packet->tcp != NULL) { if(payload_len == 0) { if(packet->tcp->syn == 1 && packet->tcp->ack == 0) { flow->tinc_cache_entry.src_address = packet->iph->saddr; @@ -72,58 +70,56 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st } switch(flow->tinc_state) { - case 0: - case 1: - if(payload_len > 6 && memcmp(packet_payload, "0 ", 2) == 0 && packet_payload[2] != ' ') { - u_int16_t i = 3; - while(i < payload_len && packet_payload[i++] != ' '); - if(i+3 == payload_len && memcmp((packet_payload+i), "17\n", 3) == 0) { - flow->tinc_state++; - return; - } - } - break; - - case 2: - case 3: - if(payload_len > 11 && memcmp(packet_payload, "1 ", 2) == 0 && packet_payload[2] != ' ') { - u_int16_t i = 3; - u_int8_t numbers_left = 4; - while(numbers_left) { - while(packet_payload[i] >= '0' && packet_payload[i] <= '9') { - i++; - } - - if(packet_payload[i++] == ' ') { - numbers_left--; - } - else break; - } + case 0: + case 1: + if(payload_len > 6 && memcmp(packet_payload, "0 ", 2) == 0 && packet_payload[2] != ' ') { + u_int16_t i = 3; + while(i < payload_len && packet_payload[i++] != ' '); + if(i+3 == payload_len && memcmp((packet_payload+i), "17\n", 3) == 0) { + flow->tinc_state++; + return; + } + } + break; + + case 2: + case 3: + if(payload_len > 11 && memcmp(packet_payload, "1 ", 2) == 0 && packet_payload[2] != ' ') { + u_int16_t i = 3; + u_int8_t numbers_left = 4; + while(numbers_left) { + while(packet_payload[i] >= '0' && packet_payload[i] <= '9') { + i++; + } + + if(packet_payload[i++] == ' ') { + numbers_left--; + } + else break; + } - if(numbers_left) break; + if(numbers_left) break; - while((packet_payload[i] >= '0' && packet_payload[i] <= '9') || - (packet_payload[i] >= 'A' && packet_payload[i] <= 'Z')) { - i++; - } + while((packet_payload[i] >= '0' && packet_payload[i] <= '9') || + (packet_payload[i] >= 'A' && packet_payload[i] <= 'Z')) { + i++; + } - if(packet_payload[i] == '\n') { - if(++flow->tinc_state > 3) { - if(ndpi_struct->tinc_cache == NULL) { - ndpi_struct->tinc_cache = cache_new(TINC_CACHE_MAX_SIZE); - } - - cache_add(ndpi_struct->tinc_cache, &(flow->tinc_cache_entry), sizeof(flow->tinc_cache_entry)); - - NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "Found tinc tcp connection\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN); - } - return; - } - } - break; + if(packet_payload[i] == '\n') { + if(++flow->tinc_state > 3) { + if(ndpi_struct->tinc_cache == NULL) + ndpi_struct->tinc_cache = cache_new(TINC_CACHE_MAX_SIZE); + + cache_add(ndpi_struct->tinc_cache, &(flow->tinc_cache_entry), sizeof(flow->tinc_cache_entry)); + NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "Found tinc tcp connection\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN); + } + return; + } + } + break; - default: break; + default: break; } } @@ -136,8 +132,8 @@ void ndpi_search_tinc(struct ndpi_detection_module_struct* ndpi_struct, struct n NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "tinc detection...\n"); - if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_TINC) { - if (packet->tcp_retransmission == 0) { + if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_TINC) { + if(packet->tcp_retransmission == 0) { ndpi_check_tinc(ndpi_struct, flow); } } @@ -146,11 +142,11 @@ void ndpi_search_tinc(struct ndpi_detection_module_struct* ndpi_struct, struct n void init_tinc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("TINC", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_TINC, - ndpi_search_tinc, - NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); + NDPI_PROTOCOL_TINC, + ndpi_search_tinc, + NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); *id += 1; } |