author | Luca Deri <deri@ntop.org> | 2022-06-13 23:19:47 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2022-06-13 23:19:47 +0200 |
commit | cf5873ffd72ba8b530429bda3c8931f9ada33747 (patch) | |
tree | b41586b7fcd1f8e7291c0e348f57f2d0b532ef20 /src/lib/protocols | |
parent | 32428026d6dbcf7ee36aa3c882056b869b593d65 (diff) |
Improved DNS traffic analysis
Added ability to identify application and network protocols
Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/aimini.c | 400 | ||||
-rw-r--r-- | src/lib/protocols/florensia.c | 144 | ||||
-rw-r--r-- | src/lib/protocols/guildwars.c | 50 | ||||
-rw-r--r-- | src/lib/protocols/maplestory.c | 74 | ||||
-rw-r--r-- | src/lib/protocols/s7comm.c | 9 | ||||
-rw-r--r-- | src/lib/protocols/warcraft3.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/websocket.c | 92 |
7 files changed, 386 insertions, 385 deletions
diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c
index 2c42b1a41..297d180bc 100644
--- a/src/lib/protocols/aimini.c
+++ b/src/lib/protocols/aimini.c
@@ -39,220 +39,220 @@ static void ndpi_int_aimini_add_connection(struct ndpi_detection_module_struct * void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; - NDPI_LOG_DBG(ndpi_struct, "search aimini\n"); + NDPI_LOG_DBG(ndpi_struct, "search aimini\n"); - if (packet->udp != NULL) { - if (flow->l4.udp.aimini_stage == 0) { - if (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) { - flow->l4.udp.aimini_stage = 1; - NDPI_LOG_DBG2(ndpi_struct, "stage = 1\n"); - return; - } - if (packet->payload_packet_len == 136 - && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) { - flow->l4.udp.aimini_stage = 4; - NDPI_LOG_DBG2(ndpi_struct, "stage = 4\n"); - return; - } - if (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) { - flow->l4.udp.aimini_stage = 7; - NDPI_LOG_DBG2(ndpi_struct, "stage = 7\n"); - return; - } - if (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) { - flow->l4.udp.aimini_stage = 10; - NDPI_LOG_DBG2(ndpi_struct, "stage = 10\n"); - return; - } - if (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) { - flow->l4.udp.aimini_stage = 13; - NDPI_LOG_DBG2(ndpi_struct, "stage = 13\n"); - return; - } - if (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) { - flow->l4.udp.aimini_stage = 16; - NDPI_LOG_DBG2(ndpi_struct, "stage = 16\n"); - return; - } - } - /* first packet chronology: (len, value): (64, 0x010b), (>100, 0x0115), (16, 0x010c || 64, 0x010b || 88, 0x0115), - * (16, 0x010c || 64, 0x010b || >100, 0x0115) - */ - if (flow->l4.udp.aimini_stage == 1 && packet->payload_packet_len > 100 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115) { - 
flow->l4.udp.aimini_stage = 2; - NDPI_LOG_DBG2(ndpi_struct, "stage = 2\n"); - return; - } - if (flow->l4.udp.aimini_stage == 2 && - ((packet->payload_packet_len == 16 && get_u_int16_t(packet->payload, 0) == htons(0x010c)) || - (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 0) == htons(0x010b)) || - (packet->payload_packet_len == 88 && get_u_int16_t(packet->payload, 0) == ntohs(0x0115)))) { - flow->l4.udp.aimini_stage = 3; - NDPI_LOG_DBG2(ndpi_struct, "stage = 3\n"); - return; - } - if (flow->l4.udp.aimini_stage == 3 - && ((packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) - || (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) - || (packet->payload_packet_len > 100 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115))) { - NDPI_LOG_INFO(ndpi_struct, "found aimini (64, 0x010b), (>300, 0x0115), " - "(16, 0x010c || 64, 0x010b), (16, 0x010c || 64, 0x010b || >100, 0x0115).\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } + if (packet->udp != NULL) { + if (flow->l4.udp.aimini_stage == 0) { + if (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) { + flow->l4.udp.aimini_stage = 1; + NDPI_LOG_DBG2(ndpi_struct, "stage = 1\n"); + return; + } + if (packet->payload_packet_len == 136 + && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) { + flow->l4.udp.aimini_stage = 4; + NDPI_LOG_DBG2(ndpi_struct, "stage = 4\n"); + return; + } + if (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) { + flow->l4.udp.aimini_stage = 7; + NDPI_LOG_DBG2(ndpi_struct, "stage = 7\n"); + return; + } + if (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) { + flow->l4.udp.aimini_stage = 10; + NDPI_LOG_DBG2(ndpi_struct, "stage = 10\n"); + return; + } + if (packet->payload_packet_len == 32 && 
ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) { + flow->l4.udp.aimini_stage = 13; + NDPI_LOG_DBG2(ndpi_struct, "stage = 13\n"); + return; + } + if (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) { + flow->l4.udp.aimini_stage = 16; + NDPI_LOG_DBG2(ndpi_struct, "stage = 16\n"); + return; + } + } + /* first packet chronology: (len, value): (64, 0x010b), (>100, 0x0115), (16, 0x010c || 64, 0x010b || 88, 0x0115), + * (16, 0x010c || 64, 0x010b || >100, 0x0115) + */ + if (flow->l4.udp.aimini_stage == 1 && packet->payload_packet_len > 100 + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115) { + flow->l4.udp.aimini_stage = 2; + NDPI_LOG_DBG2(ndpi_struct, "stage = 2\n"); + return; + } + if (flow->l4.udp.aimini_stage == 2 && + ((packet->payload_packet_len == 16 && get_u_int16_t(packet->payload, 0) == htons(0x010c)) || + (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 0) == htons(0x010b)) || + (packet->payload_packet_len == 88 && get_u_int16_t(packet->payload, 0) == ntohs(0x0115)))) { + flow->l4.udp.aimini_stage = 3; + NDPI_LOG_DBG2(ndpi_struct, "stage = 3\n"); + return; + } + if (flow->l4.udp.aimini_stage == 3 + && ((packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) + || (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) + || (packet->payload_packet_len > 100 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115))) { + NDPI_LOG_INFO(ndpi_struct, "found aimini (64, 0x010b), (>300, 0x0115), " + "(16, 0x010c || 64, 0x010b), (16, 0x010c || 64, 0x010b || >100, 0x0115).\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } - /* second packet chronology: (len, value): (136, 0x01c9), (136, 0x01c9),(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca) */ + /* second packet chronology: (len, value): (136, 0x01c9), (136, 0x01c9),(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca) */ - if (flow->l4.udp.aimini_stage == 4 && 
packet->payload_packet_len == 136 - && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) { - flow->l4.udp.aimini_stage = 5; - NDPI_LOG_DBG2(ndpi_struct, "stage = 5\n"); - return; - } - if (flow->l4.udp.aimini_stage == 5 && (packet->payload_packet_len == 136 - && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 - || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165))) { - flow->l4.udp.aimini_stage = 6; - NDPI_LOG_DBG2(ndpi_struct, "stage = 6\n"); - return; - } - if (flow->l4.udp.aimini_stage == 6 && ((packet->payload_packet_len == 136 - && ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165) - || ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9)) - || (packet->payload_packet_len == 32 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { - NDPI_LOG_INFO(ndpi_struct, - "found aimini (136, 0x01c9), (136, 0x01c9)," "(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca).\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } + if (flow->l4.udp.aimini_stage == 4 && packet->payload_packet_len == 136 + && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) { + flow->l4.udp.aimini_stage = 5; + NDPI_LOG_DBG2(ndpi_struct, "stage = 5\n"); + return; + } + if (flow->l4.udp.aimini_stage == 5 && (packet->payload_packet_len == 136 + && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 + || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165))) { + flow->l4.udp.aimini_stage = 6; + NDPI_LOG_DBG2(ndpi_struct, "stage = 6\n"); + return; + } + if (flow->l4.udp.aimini_stage == 6 && ((packet->payload_packet_len == 136 + && ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165) + || ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9)) + || (packet->payload_packet_len == 32 + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { + NDPI_LOG_INFO(ndpi_struct, + "found aimini (136, 0x01c9), (136, 0x01c9)," "(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca).\n"); + 
ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } - /* third packet chronology: (len, value): (88, 0x0101), (88, 0x0101),(88, 0x0101),(88, 0x0101) */ + /* third packet chronology: (len, value): (88, 0x0101), (88, 0x0101),(88, 0x0101),(88, 0x0101) */ - if (flow->l4.udp.aimini_stage == 7 && packet->payload_packet_len == 88 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) { - flow->l4.udp.aimini_stage = 8; - NDPI_LOG_DBG2(ndpi_struct, "stage = 8\n"); - return; - } - if (flow->l4.udp.aimini_stage == 8 - && (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) { - flow->l4.udp.aimini_stage = 9; - NDPI_LOG_DBG2(ndpi_struct, "stage = 9\n"); - return; - } - if (flow->l4.udp.aimini_stage == 9 - && (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) { - NDPI_LOG_INFO(ndpi_struct, - "found aimini (88, 0x0101), (88, 0x0101)," "(88, 0x0101),(88, 0x0101).\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } + if (flow->l4.udp.aimini_stage == 7 && packet->payload_packet_len == 88 + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) { + flow->l4.udp.aimini_stage = 8; + NDPI_LOG_DBG2(ndpi_struct, "stage = 8\n"); + return; + } + if (flow->l4.udp.aimini_stage == 8 + && (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) { + flow->l4.udp.aimini_stage = 9; + NDPI_LOG_DBG2(ndpi_struct, "stage = 9\n"); + return; + } + if (flow->l4.udp.aimini_stage == 9 + && (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) { + NDPI_LOG_INFO(ndpi_struct, + "found aimini (88, 0x0101), (88, 0x0101)," "(88, 0x0101),(88, 0x0101).\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } - /* fourth packet chronology: (len, value): (104, 0x0102), (104, 0x0102), (104, 0x0102), (104, 0x0102) */ + /* fourth packet chronology: (len, value): (104, 0x0102), (104, 0x0102), (104, 0x0102), (104, 0x0102) */ - if 
(flow->l4.udp.aimini_stage == 10 && packet->payload_packet_len == 104 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) { - flow->l4.udp.aimini_stage = 11; - NDPI_LOG_DBG2(ndpi_struct, "stage = 11\n"); - return; - } - if (flow->l4.udp.aimini_stage == 11 - && (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102)) { - flow->l4.udp.aimini_stage = 12; - NDPI_LOG_DBG2(ndpi_struct, "stage = 12\n"); - return; - } - if (flow->l4.udp.aimini_stage == 12 - && ((packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) - || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { - NDPI_LOG_INFO(ndpi_struct, - "found aimini (104, 0x0102), (104, 0x0102), " "(104, 0x0102), (104, 0x0102).\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } + if (flow->l4.udp.aimini_stage == 10 && packet->payload_packet_len == 104 + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) { + flow->l4.udp.aimini_stage = 11; + NDPI_LOG_DBG2(ndpi_struct, "stage = 11\n"); + return; + } + if (flow->l4.udp.aimini_stage == 11 + && (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102)) { + flow->l4.udp.aimini_stage = 12; + NDPI_LOG_DBG2(ndpi_struct, "stage = 12\n"); + return; + } + if (flow->l4.udp.aimini_stage == 12 + && ((packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) + || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { + NDPI_LOG_INFO(ndpi_struct, + "found aimini (104, 0x0102), (104, 0x0102), " "(104, 0x0102), (104, 0x0102).\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } - /* fifth packet chronology (len, value): (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166) || (32,0x01ca)) */ + /* fifth packet chronology (len, value): (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166) || (32,0x01ca)) */ - if (flow->l4.udp.aimini_stage 
== 13 && packet->payload_packet_len == 32 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) { - flow->l4.udp.aimini_stage = 14; - NDPI_LOG_DBG2(ndpi_struct, "stage = 14\n"); - return; - } - if (flow->l4.udp.aimini_stage == 14 - && ((packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) - || (packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166))) { - flow->l4.udp.aimini_stage = 15; - NDPI_LOG_DBG2(ndpi_struct, "stage = 15\n"); - return; - } - if (flow->l4.udp.aimini_stage == 15 - && ((packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166) - || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { - NDPI_LOG_INFO(ndpi_struct, - "found aimini (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166)||(32,0x01ca)).\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } + if (flow->l4.udp.aimini_stage == 13 && packet->payload_packet_len == 32 + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) { + flow->l4.udp.aimini_stage = 14; + NDPI_LOG_DBG2(ndpi_struct, "stage = 14\n"); + return; + } + if (flow->l4.udp.aimini_stage == 14 + && ((packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) + || (packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166))) { + flow->l4.udp.aimini_stage = 15; + NDPI_LOG_DBG2(ndpi_struct, "stage = 15\n"); + return; + } + if (flow->l4.udp.aimini_stage == 15 + && ((packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166) + || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { + NDPI_LOG_INFO(ndpi_struct, + "found aimini (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166)||(32,0x01ca)).\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } - /* sixth packet chronology (len, value): (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 
0x010c) */ + /* sixth packet chronology (len, value): (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c) */ - if (flow->l4.udp.aimini_stage == 16 && packet->payload_packet_len == 16 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) { - flow->l4.udp.aimini_stage = 17; - NDPI_LOG_DBG2(ndpi_struct, "stage = 17\n"); - return; - } - if (flow->l4.udp.aimini_stage == 17 - && (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) { - flow->l4.udp.aimini_stage = 18; - NDPI_LOG_DBG2(ndpi_struct, "stage = 18\n"); - return; - } - if (flow->l4.udp.aimini_stage == 18 - && (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) { - NDPI_LOG_INFO(ndpi_struct, - "found aimini (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c).\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } - } + if (flow->l4.udp.aimini_stage == 16 && packet->payload_packet_len == 16 + && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) { + flow->l4.udp.aimini_stage = 17; + NDPI_LOG_DBG2(ndpi_struct, "stage = 17\n"); + return; + } + if (flow->l4.udp.aimini_stage == 17 + && (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) { + flow->l4.udp.aimini_stage = 18; + NDPI_LOG_DBG2(ndpi_struct, "stage = 18\n"); + return; + } + if (flow->l4.udp.aimini_stage == 18 + && (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) { + NDPI_LOG_INFO(ndpi_struct, + "found aimini (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c).\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } + } - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) { - if (flow->http.method == NDPI_HTTP_METHOD_GET) - { - if ((LINE_STARTS(packet->http_url_name, "/download/") == 1 || - LINE_STARTS(packet->http_url_name, "/player/") == 1 || - LINE_STARTS(packet->http_url_name, "/webcounter/") == 1 || - LINE_STARTS(packet->http_url_name, "/play/") == 1 
|| - LINE_STARTS(packet->http_url_name, "/search/") == 1 || - LINE_STARTS(packet->http_url_name, "/member/") == 1) && - (LINE_ENDS(packet->host_line, ".aimini.net") == 1 || - LINE_ENDS(packet->host_line, ".aimini.com") == 1)) - { - NDPI_LOG_INFO(ndpi_struct, "found AIMINI HTTP traffic\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } - } else if (flow->http.method == NDPI_HTTP_METHOD_POST) - { - if ((LINE_STARTS(packet->http_url_name, "/upload/") == 1 || - LINE_STARTS(packet->http_url_name, "/member/") == 1) && - (LINE_ENDS(packet->host_line, ".aimini.net") == 1 || - LINE_ENDS(packet->host_line, ".aimini.com") == 1)) - { - NDPI_LOG_INFO(ndpi_struct, "found AIMINI HTTP traffic\n"); - ndpi_int_aimini_add_connection(ndpi_struct, flow); - return; - } - } - } + if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) { + if (flow->http.method == NDPI_HTTP_METHOD_GET) + { + if ((LINE_STARTS(packet->http_url_name, "/download/") == 1 || + LINE_STARTS(packet->http_url_name, "/player/") == 1 || + LINE_STARTS(packet->http_url_name, "/webcounter/") == 1 || + LINE_STARTS(packet->http_url_name, "/play/") == 1 || + LINE_STARTS(packet->http_url_name, "/search/") == 1 || + LINE_STARTS(packet->http_url_name, "/member/") == 1) && + (LINE_ENDS(packet->host_line, ".aimini.net") == 1 || + LINE_ENDS(packet->host_line, ".aimini.com") == 1)) + { + NDPI_LOG_INFO(ndpi_struct, "found AIMINI HTTP traffic\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } + } else if (flow->http.method == NDPI_HTTP_METHOD_POST) + { + if ((LINE_STARTS(packet->http_url_name, "/upload/") == 1 || + LINE_STARTS(packet->http_url_name, "/member/") == 1) && + (LINE_ENDS(packet->host_line, ".aimini.net") == 1 || + LINE_ENDS(packet->host_line, ".aimini.com") == 1)) + { + NDPI_LOG_INFO(ndpi_struct, "found AIMINI HTTP traffic\n"); + ndpi_int_aimini_add_connection(ndpi_struct, flow); + return; + } + } + } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, 
flow); } diff --git a/src/lib/protocols/florensia.c b/src/lib/protocols/florensia.c index ca173a48c..95a6d99d5 100644 --- a/src/lib/protocols/florensia.c +++ b/src/lib/protocols/florensia.c 
@@ -36,83 +36,83 @@ static void ndpi_florensia_add_connection(struct ndpi_detection_module_struct *n void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; - NDPI_LOG_DBG(ndpi_struct, "search florensia\n"); + NDPI_LOG_DBG(ndpi_struct, "search florensia\n"); - if (packet->tcp != NULL) { - if (packet->payload_packet_len == 5 && get_l16(packet->payload, 0) == packet->payload_packet_len - && packet->payload[2] == 0x65 && packet->payload[4] == 0xff) { - if (flow->florensia_stage == 1) { - NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); - ndpi_florensia_add_connection(ndpi_struct, flow); - return; - } - NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); - flow->florensia_stage = 1; - return; - } - if (packet->payload_packet_len > 8 && get_l16(packet->payload, 0) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0201) && get_u_int32_t(packet->payload, 4) == htonl(0xFFFFFFFF)) { - NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); - flow->florensia_stage = 1; - return; - } - if (packet->payload_packet_len == 406 && get_l16(packet->payload, 0) == packet->payload_packet_len - && packet->payload[2] == 0x63) { - NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); - flow->florensia_stage = 1; - return; - } - if (packet->payload_packet_len == 12 && get_l16(packet->payload, 0) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0301)) { - if (flow->florensia_stage == 1) { - NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); - ndpi_florensia_add_connection(ndpi_struct, flow); - return; - } - NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); - flow->florensia_stage = 1; - return; - } + if (packet->tcp != NULL) { + if (packet->payload_packet_len == 5 && get_l16(packet->payload, 0) 
== packet->payload_packet_len + && packet->payload[2] == 0x65 && packet->payload[4] == 0xff) { + if (flow->florensia_stage == 1) { + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); + ndpi_florensia_add_connection(ndpi_struct, flow); + return; + } + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); + flow->florensia_stage = 1; + return; + } + if (packet->payload_packet_len > 8 && get_l16(packet->payload, 0) == packet->payload_packet_len + && get_u_int16_t(packet->payload, 2) == htons(0x0201) && get_u_int32_t(packet->payload, 4) == htonl(0xFFFFFFFF)) { + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); + flow->florensia_stage = 1; + return; + } + if (packet->payload_packet_len == 406 && get_l16(packet->payload, 0) == packet->payload_packet_len + && packet->payload[2] == 0x63) { + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); + flow->florensia_stage = 1; + return; + } + if (packet->payload_packet_len == 12 && get_l16(packet->payload, 0) == packet->payload_packet_len + && get_u_int16_t(packet->payload, 2) == htons(0x0301)) { + if (flow->florensia_stage == 1) { + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); + ndpi_florensia_add_connection(ndpi_struct, flow); + return; + } + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); + flow->florensia_stage = 1; + return; + } - if (flow->florensia_stage == 1) { - if (packet->payload_packet_len == 8 && get_l16(packet->payload, 0) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0302) && get_u_int32_t(packet->payload, 4) == htonl(0xFFFFFFFF)) { - NDPI_LOG_INFO(ndpi_struct, "found florensia asymmetrically\n"); - ndpi_florensia_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 24 && get_l16(packet->payload, 0) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0202) - && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == 
htonl(0xFFFFFFFF)) { - NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); - ndpi_florensia_add_connection(ndpi_struct, flow); - return; - } - if (flow->packet_counter < 10 && get_l16(packet->payload, 0) == packet->payload_packet_len) { - NDPI_LOG_DBG2(ndpi_struct, "maybe florensia\n"); - return; - } - } - } + if (flow->florensia_stage == 1) { + if (packet->payload_packet_len == 8 && get_l16(packet->payload, 0) == packet->payload_packet_len + && get_u_int16_t(packet->payload, 2) == htons(0x0302) && get_u_int32_t(packet->payload, 4) == htonl(0xFFFFFFFF)) { + NDPI_LOG_INFO(ndpi_struct, "found florensia asymmetrically\n"); + ndpi_florensia_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 24 && get_l16(packet->payload, 0) == packet->payload_packet_len + && get_u_int16_t(packet->payload, 2) == htons(0x0202) + && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0xFFFFFFFF)) { + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); + ndpi_florensia_add_connection(ndpi_struct, flow); + return; + } + if (flow->packet_counter < 10 && get_l16(packet->payload, 0) == packet->payload_packet_len) { + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia\n"); + return; + } + } + } - if (packet->udp != NULL) { - if (flow->florensia_stage == 0 && packet->payload_packet_len == 6 - && get_u_int16_t(packet->payload, 0) == ntohs(0x0503) && get_u_int32_t(packet->payload, 2) == htonl(0xFFFF0000)) { - NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); - flow->florensia_stage = 1; - return; - } - if (flow->florensia_stage == 1 && packet->payload_packet_len == 8 - && get_u_int16_t(packet->payload, 0) == ntohs(0x0500) && get_u_int16_t(packet->payload, 4) == htons(0x4191)) { - NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); - ndpi_florensia_add_connection(ndpi_struct, flow); - return; - } - } + if (packet->udp != NULL) { + if (flow->florensia_stage == 0 && packet->payload_packet_len == 6 + && get_u_int16_t(packet->payload, 0) == 
ntohs(0x0503) && get_u_int32_t(packet->payload, 2) == htonl(0xFFFF0000)) { + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); + flow->florensia_stage = 1; + return; + } + if (flow->florensia_stage == 1 && packet->payload_packet_len == 8 + && get_u_int16_t(packet->payload, 0) == ntohs(0x0500) && get_u_int16_t(packet->payload, 4) == htons(0x4191)) { + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); + ndpi_florensia_add_connection(ndpi_struct, flow); + return; + } + } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/guildwars.c b/src/lib/protocols/guildwars.c index 924133793..1420ed954 100644 --- a/src/lib/protocols/guildwars.c +++ b/src/lib/protocols/guildwars.c 
@@ -36,43 +36,43 @@ static void ndpi_int_guildwars_add_connection(struct ndpi_detection_module_struc void ndpi_search_guildwars_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; - NDPI_LOG_DBG(ndpi_struct, "search guildwars\n"); + NDPI_LOG_DBG(ndpi_struct, "search guildwars\n"); - if (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 1) == ntohs(0x050c) - && memcmp(&packet->payload[50], "@2&P", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 29.350\n"); - ndpi_int_guildwars_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 16 && get_u_int16_t(packet->payload, 1) == ntohs(0x040c) - && get_u_int16_t(packet->payload, 4) == ntohs(0xa672) - && packet->payload[8] == 0x01 && packet->payload[12] == 0x04) { - NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 29.350\n"); - ndpi_int_guildwars_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 21 && get_u_int16_t(packet->payload, 0) == ntohs(0x0100) - && get_u_int32_t(packet->payload, 5) == ntohl(0xf1001000) - && packet->payload[9] == 0x01) { - NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 216.107.245.50\n"); - ndpi_int_guildwars_add_connection(ndpi_struct, flow); - return; - } + if (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 1) == ntohs(0x050c) + && memcmp(&packet->payload[50], "@2&P", 4) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 29.350\n"); + ndpi_int_guildwars_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 16 && get_u_int16_t(packet->payload, 1) == ntohs(0x040c) + && get_u_int16_t(packet->payload, 4) == ntohs(0xa672) + && packet->payload[8] == 0x01 && packet->payload[12] == 0x04) { + NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 29.350\n"); + 
ndpi_int_guildwars_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 21 && get_u_int16_t(packet->payload, 0) == ntohs(0x0100) + && get_u_int32_t(packet->payload, 5) == ntohl(0xf1001000) + && packet->payload[9] == 0x01) { + NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 216.107.245.50\n"); + ndpi_int_guildwars_add_connection(ndpi_struct, flow); + return; + } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_guildwars_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - ndpi_set_bitmask_protocol_detection("Guildwars", ndpi_struct, detection_bitmask, *id, + ndpi_set_bitmask_protocol_detection("Guildwars", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_GUILDWARS, ndpi_search_guildwars_tcp, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - *id += 1; + *id += 1; } diff --git a/src/lib/protocols/maplestory.c b/src/lib/protocols/maplestory.c index 1f119ce5f..2c5adf290 100644 --- a/src/lib/protocols/maplestory.c +++ b/src/lib/protocols/maplestory.c 
@@ -36,47 +36,47 @@ static void ndpi_int_maplestory_add_connection(struct ndpi_detection_module_stru void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; - NDPI_LOG_DBG(ndpi_struct, "search maplestory\n"); + NDPI_LOG_DBG(ndpi_struct, "search maplestory\n"); - if (packet->payload_packet_len == 16 - && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003b00 - || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e004200) - && ntohs(get_u_int16_t(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) { - NDPI_LOG_INFO(ndpi_struct, "found maplestory\n"); - ndpi_int_maplestory_add_connection(ndpi_struct, flow); - return; - } + if (packet->payload_packet_len == 16 + && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003b00 + || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e004200) + && ntohs(get_u_int16_t(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) { + NDPI_LOG_INFO(ndpi_struct, "found maplestory\n"); + ndpi_int_maplestory_add_connection(ndpi_struct, flow); + return; + } - if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /maple") - && memcmp(packet->payload, "GET /maple", NDPI_STATICSTRING_LEN("GET /maple")) == 0) { - ndpi_parse_packet_line_info(ndpi_struct, flow); - /* Maplestory update */ - if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /maple/patch") - && packet->payload[NDPI_STATICSTRING_LEN("GET /maple")] == '/') { - if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL - && packet->user_agent_line.len == NDPI_STATICSTRING_LEN("Patcher") - && packet->host_line.len > NDPI_STATICSTRING_LEN("patch.") - && 
memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple/")], "patch", - NDPI_STATICSTRING_LEN("patch")) == 0 - && memcmp(packet->user_agent_line.ptr, "Patcher", NDPI_STATICSTRING_LEN("Patcher")) == 0 - && memcmp(packet->host_line.ptr, "patch.", NDPI_STATICSTRING_LEN("patch.")) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n"); - ndpi_int_maplestory_add_connection(ndpi_struct, flow); - return; - } - } else if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len == NDPI_STATICSTRING_LEN("AspINet") - && memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple")], "story/", - NDPI_STATICSTRING_LEN("story/")) == 0 - && memcmp(packet->user_agent_line.ptr, "AspINet", NDPI_STATICSTRING_LEN("AspINet")) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n"); - ndpi_int_maplestory_add_connection(ndpi_struct, flow); - return; - } - } + if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /maple") + && memcmp(packet->payload, "GET /maple", NDPI_STATICSTRING_LEN("GET /maple")) == 0) { + ndpi_parse_packet_line_info(ndpi_struct, flow); + /* Maplestory update */ + if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /maple/patch") + && packet->payload[NDPI_STATICSTRING_LEN("GET /maple")] == '/') { + if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL + && packet->user_agent_line.len == NDPI_STATICSTRING_LEN("Patcher") + && packet->host_line.len > NDPI_STATICSTRING_LEN("patch.") + && memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple/")], "patch", + NDPI_STATICSTRING_LEN("patch")) == 0 + && memcmp(packet->user_agent_line.ptr, "Patcher", NDPI_STATICSTRING_LEN("Patcher")) == 0 + && memcmp(packet->host_line.ptr, "patch.", NDPI_STATICSTRING_LEN("patch.")) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n"); + ndpi_int_maplestory_add_connection(ndpi_struct, flow); + return; + } + } else if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len == 
NDPI_STATICSTRING_LEN("AspINet") + && memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple")], "story/", + NDPI_STATICSTRING_LEN("story/")) == 0 + && memcmp(packet->user_agent_line.ptr, "AspINet", NDPI_STATICSTRING_LEN("AspINet")) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n"); + ndpi_int_maplestory_add_connection(ndpi_struct, flow); + return; + } + } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/s7comm.c b/src/lib/protocols/s7comm.c index f92e1b351..c0aba2119 100644 --- a/src/lib/protocols/s7comm.c +++ b/src/lib/protocols/s7comm.c @@ -48,10 +48,11 @@ void init_s7comm_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
ndpi_set_bitmask_protocol_detection("S7COMM", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_S7COMM,
- ndpi_search_s7comm_tcp, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
+ NDPI_PROTOCOL_S7COMM,
+ ndpi_search_s7comm_tcp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
*id += 1;
}
diff --git a/src/lib/protocols/warcraft3.c b/src/lib/protocols/warcraft3.c index 42162b4b7..dd9e3a6bc 100644 --- a/src/lib/protocols/warcraft3.c +++ b/src/lib/protocols/warcraft3.c @@ -78,7 +78,7 @@ void ndpi_search_warcraft3(struct ndpi_detection_module_struct if (l == packet->payload_packet_len) { NDPI_LOG_DBG2(ndpi_struct, "maybe WARCRAFT3 flow->packet_counter = %u \n", - flow->packet_counter); + flow->packet_counter); if (flow->packet_counter > 2) { NDPI_LOG_INFO(ndpi_struct, "found WARCRAFT3\n"); ndpi_int_warcraft3_add_connection(ndpi_struct, flow); diff --git a/src/lib/protocols/websocket.c b/src/lib/protocols/websocket.c index 1901ec296..eef20ade5 100644 --- a/src/lib/protocols/websocket.c +++ b/src/lib/protocols/websocket.c @@ -27,12 +27,12 @@ #include "ndpi_api.h" enum websocket_opcode -{ + { /* - * CONTINUATION_FRAME is not relevant for the detection and leads to many false positives - CONTINUATION_FRAME = 0x00, - FIN_CONTINUATION_FRAME = 0x80, - */ + * CONTINUATION_FRAME is not relevant for the detection and leads to many false positives + CONTINUATION_FRAME = 0x00, + FIN_CONTINUATION_FRAME = 0x80, + */ TEXT_FRAME = 0x01, FIN_TEXT_FRAME = 0x81, BINARY_FRAME = 0x02, 
@@ -43,17 +43,17 @@ enum websocket_opcode FIN_PING_FRAME = 0x89, PONG_FRAME = 0x0A, FIN_PONG_FRAME = 0x8A -}; + }; static void set_websocket_detected(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - /* If no custom protocol has been detected */ - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) + /* If no custom protocol has been detected */ + if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - ndpi_search_tcp_or_udp(ndpi_struct, flow); + ndpi_search_tcp_or_udp(ndpi_struct, flow); - ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI); + ndpi_int_reset_protocol(flow); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, flow->guessed_host_protocol_id, NDPI_CONFIDENCE_DPI); } } 
@@ -61,59 +61,59 @@ static void set_websocket_detected(struct ndpi_detection_module_struct *ndpi_str static void ndpi_check_websocket(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; + struct ndpi_packet_struct *packet = &ndpi_struct->packet; - if (packet->payload_packet_len < sizeof(u_int16_t)) + if (packet->payload_packet_len < sizeof(u_int16_t)) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } - u_int8_t websocket_payload_length = packet->payload[1] & 0x7F; - u_int8_t websocket_masked = packet->payload[1] & 0x80; + u_int8_t websocket_payload_length = packet->payload[1] & 0x7F; + u_int8_t websocket_masked = packet->payload[1] & 0x80; - uint8_t hdr_size = (websocket_masked == 1) ? 6 : 2; + uint8_t hdr_size = (websocket_masked == 1) ? 6 : 2; - if (packet->payload_packet_len != hdr_size + websocket_payload_length) + if (packet->payload_packet_len != hdr_size + websocket_payload_length) { - NDPI_LOG_DBG(ndpi_struct, "Invalid WEBSOCKET payload"); - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + NDPI_LOG_DBG(ndpi_struct, "Invalid WEBSOCKET payload"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } - if (packet->payload[0] == TEXT_FRAME || packet->payload[0] == FIN_TEXT_FRAME || - packet->payload[0] == BINARY_FRAME || packet->payload[0] == FIN_BINARY_FRAME || - packet->payload[0] == CONNECTION_CLOSE_FRAME || packet->payload[0] == FIN_CONNECTION_CLOSE_FRAME || - packet->payload[0] == PING_FRAME || packet->payload[0] == FIN_PING_FRAME || - packet->payload[0] == PONG_FRAME || packet->payload[0] == FIN_PONG_FRAME) { + if (packet->payload[0] == TEXT_FRAME || packet->payload[0] == FIN_TEXT_FRAME || + packet->payload[0] == BINARY_FRAME || packet->payload[0] == FIN_BINARY_FRAME || + packet->payload[0] == CONNECTION_CLOSE_FRAME || packet->payload[0] == FIN_CONNECTION_CLOSE_FRAME || + packet->payload[0] == PING_FRAME || 
packet->payload[0] == FIN_PING_FRAME || + packet->payload[0] == PONG_FRAME || packet->payload[0] == FIN_PONG_FRAME) { - set_websocket_detected(ndpi_struct, flow); + set_websocket_detected(ndpi_struct, flow); - } else { - NDPI_LOG_DBG(ndpi_struct, "Invalid WEBSOCKET payload"); - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } + } else { + NDPI_LOG_DBG(ndpi_struct, "Invalid WEBSOCKET payload"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } } void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - // Break after 6 packets. - if (flow->packet_counter > 10) + // Break after 6 packets. + if (flow->packet_counter > 10) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } - if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) + if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { - return; + return; } - NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n"); - ndpi_check_websocket(ndpi_struct, flow); + NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n"); + ndpi_check_websocket(ndpi_struct, flow); - return; + return; } /* ********************************* */ @@ -121,9 +121,9 @@ void ndpi_search_websocket(struct ndpi_detection_module_struct *ndpi_struct, str void init_websocket_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - ndpi_set_bitmask_protocol_detection("WEBSOCKET", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_WEBSOCKET, - ndpi_search_websocket, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); + ndpi_set_bitmask_protocol_detection("WEBSOCKET", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_WEBSOCKET, + ndpi_search_websocket, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - *id += 1; + *id += 1; } |
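Review bot: In ndpi_check_websocket, `websocket_masked` is `packet->payload[1] & 0x80`, so it can only be 0 or 0x80 and the test `websocket_masked == 1` is never true. `hdr_size` therefore stays 2, and a masked frame, which carries a 4-byte masking key, fails the `payload_packet_len != hdr_size + websocket_payload_length` check and is excluded, which leaves a detection gap for client-to-server traffic. I would change the line to `uint8_t hdr_size = (websocket_masked != 0) ? 6 : 2;`. The 7-bit length values 126 and 127 are also compared as literal lengths although they announce an extended length field, so larger frames appear to be excluded as well; a comment should say whether that is intended. In ndpi_search_websocket the comment `// Break after 6 packets.` disagrees with the check `flow->packet_counter > 10`, so one of the two should be corrected.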