authorLuca Deri <deri@ntop.org>2020-09-24 23:26:03 +0200
committerLuca Deri <deri@ntop.org>2020-09-24 23:26:03 +0200
commit044ed14b4f23708ec05f5b5c85ca29acbf4b59db (patch)
treea03aea7d48eb8ec6b5d83da71c7ab2c40fcbc10c /src/lib/protocols
parent51e86346d31f270099d4169cd2ebcb0146e5e593 (diff)
Various optimizations to reduce not-necessary calls
Optimized various UDP dissectors. Removed dead protocols such as pando and pplive.
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/bittorrent.c11
-rw-r--r--src/lib/protocols/ciscovpn.c5
-rw-r--r--src/lib/protocols/csgo.c79
-rw-r--r--src/lib/protocols/dns.c3
-rw-r--r--src/lib/protocols/edonkey.c14
-rw-r--r--src/lib/protocols/h323.c16
-rw-r--r--src/lib/protocols/imo.c2
-rw-r--r--src/lib/protocols/netflow.c19
-rw-r--r--src/lib/protocols/noe.c23
-rw-r--r--src/lib/protocols/openvpn.c48
-rw-r--r--src/lib/protocols/pando.c167
-rw-r--r--src/lib/protocols/pplive.c232
-rw-r--r--src/lib/protocols/radius.c8
-rw-r--r--src/lib/protocols/rtcp.c5
-rw-r--r--src/lib/protocols/rtp.c14
-rw-r--r--src/lib/protocols/sip.c224
-rw-r--r--src/lib/protocols/steam.c1
-rw-r--r--src/lib/protocols/stun.c120
-rw-r--r--src/lib/protocols/tftp.c33
-rw-r--r--src/lib/protocols/tinc.c4
20 files changed, 352 insertions, 676 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index 9f7620558..3509449b2 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -389,10 +389,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
/* This is broadcast */
if(packet->iph) {
-
if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF))
goto exclude_bt;
-
if(packet->udp) {
u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
@@ -417,9 +415,11 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
char *bt_search = "BT-SEARCH * HTTP/1.1\r\n";
if((ntohs(packet->udp->source) < 1024)
- || (ntohs(packet->udp->dest) < 1024) /* High ports only */)
+ || (ntohs(packet->udp->dest) < 1024) /* High ports only */) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
+ }
+
/*
Check for uTP http://www.bittorrent.org/beps/bep_0029.html
@@ -464,7 +464,7 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
flow->bittorrent_stage++;
- if(flow->bittorrent_stage < 10) {
+ if(flow->bittorrent_stage < 5) {
/* We have detected bittorrent but we need to wait until we get a hash */
if(packet->payload_packet_len > 19 /* min size */) {
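Review bot: The new cutoff `flow->bittorrent_stage < 5` is a bare literal with no stated rationale, and the same pattern recurs as `flow->packet_counter > 5` or `flow->num_processed_pkts > 5` in ciscovpn.c, csgo.c, edonkey.c, h323.c, imo.c and openvpn.c, and as `> 3` in dns.c. These values set how many packets a flow gets before the dissector gives up, so they bound what traffic goes unclassified when the identifying packet arrives late; each policy deserves one named constant in a shared header rather than scattered numbers. At this site the existing comment says the code waits for a hash, so a line such as `/* stop waiting for the info hash after 5 packets; only the hash is lost, not the classification */` would record the tradeoff, if that is indeed the intended behaviour. The enclosing block starts and ends outside this hunk.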
@@ -489,6 +489,7 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
return;
}
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index 43acb7b53..c97ab25db 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -48,6 +48,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over tcp ports\n");
}
+
if(packet->udp != NULL) {
usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest);
NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over udp ports\n");
@@ -107,8 +108,6 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
)
)
{
-
-
/* This is a good query fe577e2b */
NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n");
ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
@@ -130,7 +129,7 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
return;
}
- if(flow->num_processed_pkts > 10)
+ if(flow->num_processed_pkts > 5)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
index f316f96b7..a1f5e56ef 100644
--- a/src/lib/protocols/csgo.c
+++ b/src/lib/protocols/csgo.c
@@ -29,8 +29,8 @@
void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) {
struct ndpi_packet_struct* packet = &flow->packet;
- if (packet->udp != NULL) {
- if (packet->payload_packet_len < sizeof(uint32_t)) {
+ if(packet->udp != NULL) {
+ if(packet->payload_packet_len < sizeof(uint32_t)) {
NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n");
return;
}
@@ -38,58 +38,65 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n
uint32_t w = htonl(get_u_int32_t(packet->payload, 0));
NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w);
- if (!flow->csgo_state && packet->payload_packet_len == 23 && w == 0xfffffffful) {
- if (!memcmp(packet->payload + 5, "connect0x", 9)) {
+ if(!flow->csgo_state && packet->payload_packet_len == 23 && w == 0xfffffffful) {
+ if(!memcmp(packet->payload + 5, "connect0x", 9)) {
flow->csgo_state++;
memcpy(flow->csgo_strid, packet->payload + 5, 18);
NDPI_LOG_DBG2(ndpi_struct, "Found csgo connect0x\n");
return;
}
}
- if (flow->csgo_state == 1 && packet->payload_packet_len >= 42 && w == 0xfffffffful) {
- if (!memcmp(packet->payload + 24, flow->csgo_strid, 18)) {
+
+ if(flow->csgo_state == 1 && packet->payload_packet_len >= 42 && w == 0xfffffffful) {
+ if(!memcmp(packet->payload + 24, flow->csgo_strid, 18)) {
flow->csgo_state++;
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
NDPI_LOG_INFO( ndpi_struct, "found csgo connect0x reply\n");
return;
}
}
- if (packet->payload_packet_len == 8 && ( w == 0x3a180000 || w == 0x39180000) ) {
+
+ if(packet->payload_packet_len == 8 && ( w == 0x3a180000 || w == 0x39180000) ) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp 8b\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
}
- if (packet->payload_packet_len >= 36 && w == 0x56533031ul) {
+
+ if(packet->payload_packet_len >= 36 && w == 0x56533031ul) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
}
- if (packet->payload_packet_len >= 36 && w == 0x01007364) {
+
+ if(packet->payload_packet_len >= 36 && w == 0x01007364) {
uint32_t w2 = htonl(get_u_int32_t(packet->payload, 4));
- if (w2 == 0x70696e67) {
+ if(w2 == 0x70696e67) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp ping\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
}
}
- if (flow->csgo_s2 < 3 && (w & 0xffff0000ul) == 0x0d1d0000) {
+
+ if(flow->csgo_s2 < 3 && (w & 0xffff0000ul) == 0x0d1d0000) {
uint32_t w2 = get_u_int32_t(packet->payload, 2);
- if (packet->payload_packet_len == 13) {
- if (!flow->csgo_s2) {
+ if(packet->payload_packet_len == 13) {
+ if(!flow->csgo_s2) {
flow->csgo_id2 = w2;
flow->csgo_s2 = 1;
NDPI_LOG_DBG2( ndpi_struct, "Found csgo udp 0d1d step1\n");
return;
}
- if (flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
+
+ if(flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
NDPI_LOG_DBG2( ndpi_struct, "Found csgo udp 0d1d step1 DUP\n");
return;
}
flow->csgo_s2 = 3;
return;
}
- if (packet->payload_packet_len == 15) {
- if (flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
+
+ if(packet->payload_packet_len == 15) {
+ if(flow->csgo_s2 == 1 && flow->csgo_id2 == w2) {
NDPI_LOG_INFO( ndpi_struct, "found csgo udp 0d1d\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
return;
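Review bot: The read `get_u_int32_t(packet->payload, 2)` in the `0x0d1d0000` branch touches payload bytes 2 to 5 before either length test (`== 13`, `== 15`) runs, and the only lower bound visible in this function is `payload_packet_len >= sizeof(uint32_t)` from the preceding hunk. A 4- or 5-byte datagram that passes the mask test would therefore be read up to two bytes past its end, assuming `get_u_int32_t` is a plain 32-bit load at the given offset. Since the commit already touches this condition, adding the bound there closes it: `if(flow->csgo_s2 < 3 && packet->payload_packet_len >= 6 && (w & 0xffff0000ul) == 0x0d1d0000) {`. The function begins in the previous hunk and continues in the next one.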
@@ -97,31 +104,39 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n
}
flow->csgo_s2 = 3;
}
- if (packet->payload_packet_len >= 140 && (w == 0x02124c6c || w == 0x02125c6c) &&
+
+ if(packet->payload_packet_len >= 140 && (w == 0x02124c6c || w == 0x02125c6c) &&
!memcmp(&packet->payload[3], "lta\000mob\000tpc\000bhj\000bxd\000tae\000urg\000gkh\000", 32)) {
- NDPI_LOG_INFO( ndpi_struct, "found csgo dictionary udp\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
- return;
+ NDPI_LOG_INFO( ndpi_struct, "found csgo dictionary udp\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
+ return;
}
- if (packet->payload_packet_len >= 33 && packet->iph && packet->iph->daddr == 0xffffffff &&
+
+ if(packet->payload_packet_len >= 33 && packet->iph && packet->iph->daddr == 0xffffffff &&
!memcmp(&packet->payload[17], "LanSearch", 9)) {
- NDPI_LOG_INFO( ndpi_struct, "found csgo LanSearch udp\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
- return;
+ NDPI_LOG_INFO( ndpi_struct, "found csgo LanSearch udp\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+
+ if(w == 0) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
}
}
- if (flow->packet_counter > 20)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
- ndpi_set_bitmask_protocol_detection("CSGO", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_CSGO,
- ndpi_search_csgo,
- NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
+ ndpi_set_bitmask_protocol_detection("CSGO", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_CSGO,
+ ndpi_search_csgo,
+ NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
*id += 1;
}
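Review bot: The added `if(w == 0)` exclusion carries no comment and fires on any single datagram whose first four bytes are zero, including when `flow->csgo_state` or `flow->csgo_s2` already records a partial match from earlier packets. If it is meant as a fast reject, say so above the test, for example `/* no known CSGO message starts with four zero bytes: give up on this flow */`. If a half-completed `connect0x` or `0d1d` exchange should survive such a packet, the test needs to be skipped while either state field equals 1. The start of ndpi_search_csgo lies in the earlier hunks.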
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index f8f590a5b..a9ae258e7 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -486,6 +486,9 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
+
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
index ca5abebad..9f73592f8 100644
--- a/src/lib/protocols/edonkey.c
+++ b/src/lib/protocols/edonkey.c
@@ -165,8 +165,11 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- if(payload_len == 0) return;
-
+ if(payload_len == 0) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
/* Check if we so far detected the protocol in the request or not. */
if(flow->edonkey_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage 0: \n");
@@ -176,7 +179,8 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->edonkey_stage = packet->packet_direction + 1;
- }
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
} else {
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage);
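Review bot: The new `} else` with an unbraced `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` sits directly above the outer `} else {`, which makes the nesting easy to misread and relies on the macro expanding to exactly one statement. Brace it like the branch it pairs with: `} else {` / `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` / `}`. The same applies to the `} else` added at the end of ndpi_search_netflow in netflow.c and to openvpn.c, where this commit removes the braces around `if(failed)`. The enclosing function starts and ends outside this hunk.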
@@ -193,8 +197,10 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to EDONKEY, resetting the stage to 0\n");
flow->edonkey_stage = 0;
}
-
}
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index 1d70a8cec..015a6a134 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -4,6 +4,19 @@
* Copyright (C) 2015-20 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
*/
#include "ndpi_protocol_ids.h"
@@ -99,6 +112,9 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
}
}
}
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
diff --git a/src/lib/protocols/imo.c b/src/lib/protocols/imo.c
index dfc42a39b..90f2c6086 100644
--- a/src/lib/protocols/imo.c
+++ b/src/lib/protocols/imo.c
@@ -59,7 +59,7 @@ void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct nd
NDPI_LOG_INFO(ndpi_struct, "found IMO\n");
ndpi_int_imo_add_connection(ndpi_struct, flow);
} else {
- if(flow->num_processed_pkts > 7)
+ if(flow->num_processed_pkts > 5)
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
else
flow->protos.imo.last_one_byte_pkt = 0;
diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c
index 16c1e0406..ef9125b6e 100644
--- a/src/lib/protocols/netflow.c
+++ b/src/lib/protocols/netflow.c
@@ -117,19 +117,24 @@ void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struc
case 5:
case 7:
case 9:
- if((n == 0) || (n > 30))
+ if((n == 0) || (n > 30)) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
+ }
+
switch(version) {
case 1:
expected_len = n * sizeof(struct flow_ver1_rec) + 16 /* header */;
break;
+
case 5:
expected_len = n * sizeof(struct flow_ver5_rec) + 24 /* header */;
break;
+
case 7:
expected_len = n * sizeof(struct flow_ver7_rec) + 24 /* header */;
break;
+
case 9:
/* We need to check the template */
break;
@@ -142,16 +147,21 @@ void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struc
uptime_offset = 8;
break;
+
case 10: /* IPFIX */
{
u_int16_t ipfix_len = n;
- if(ipfix_len != payload_len)
+ if(ipfix_len != payload_len) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
+ }
}
uptime_offset = 4;
break;
+
default:
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
@@ -167,7 +177,8 @@ void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struc
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW, NDPI_PROTOCOL_UNKNOWN);
return;
}
- }
+ } else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_netflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
diff --git a/src/lib/protocols/noe.c b/src/lib/protocols/noe.c
index da572b6c0..f830d3104 100644
--- a/src/lib/protocols/noe.c
+++ b/src/lib/protocols/noe.c
@@ -2,6 +2,23 @@
* noe.c (Alcatel new office environment)
*
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
+ * Copyright (C) 2011-20 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
*
*/
@@ -47,9 +64,9 @@ void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_int_noe_add_connection(ndpi_struct, flow);
return;
}
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index f0e3428cf..076a681f8 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -3,6 +3,29 @@
*
* Copyright (C) 2011-20 - ntop.org
*
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENVPN
+
+#include "ndpi_api.h"
+
+/*
* OpenVPN TCP / UDP Detection - 128/160 hmac
*
* Detection based upon these openvpn protocol properties:
@@ -21,13 +44,6 @@
*
*/
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENVPN
-
-#include "ndpi_api.h"
-
-
#define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3)
#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3)
#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3)
@@ -105,17 +121,17 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
}
if(flow->ovpn_counter < P_HARD_RESET_CLIENT_MAX_COUNT && (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 ||
- opcode == P_CONTROL_HARD_RESET_CLIENT_V2)) {
+ opcode == P_CONTROL_HARD_RESET_CLIENT_V2)) {
if(check_pkid_and_detect_hmac_size(ovpn_payload) > 0) {
memcpy(flow->ovpn_session_id, ovpn_payload+1, 8);
NDPI_LOG_DBG2(ndpi_struct,
- "session key: %02x%02x%02x%02x%02x%02x%02x%02x\n",
- flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3],
- flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]);
+ "session key: %02x%02x%02x%02x%02x%02x%02x%02x\n",
+ flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3],
+ flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]);
}
} else if(flow->ovpn_counter >= 1 && flow->ovpn_counter <= P_HARD_RESET_CLIENT_MAX_COUNT &&
- (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {
+ (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || opcode == P_CONTROL_HARD_RESET_SERVER_V2)) {
hmac_size = check_pkid_and_detect_hmac_size(ovpn_payload);
@@ -152,10 +168,12 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
flow->ovpn_counter++;
- if(failed) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
+ if(failed)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
+
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct,
diff --git a/src/lib/protocols/pando.c b/src/lib/protocols/pando.c
deleted file mode 100644
index ece78559d..000000000
--- a/src/lib/protocols/pando.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * pando.c
- *
- * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
- *
- * The signature is based on the Libprotoident library.
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PANDO
-
-#include "ndpi_api.h"
-
-static void ndpi_int_pando_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PANDO, NDPI_PROTOCOL_UNKNOWN);
-}
-
-static void ndpi_check_pando_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\x0ePan")) {
- NDPI_LOG_INFO(ndpi_struct, "Found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- }
-}
-
-static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- NDPI_LOG_DBG2(ndpi_struct, "PANDO stage %u: \n", flow->pando_stage);
- if (flow->pando_stage == 0) {
-
- if ((payload_len >= 4) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x09)) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pando_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "UDPA")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pando_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "UDPR") || ndpi_match_strprefix(packet->payload, payload_len, "UDPE")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pando_stage = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6
- return;
- }
-
- } else if ((flow->pando_stage == 1) || (flow->pando_stage == 2)) {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pando_stage - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || ((payload_len >= 4) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x09))) {
- NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0..\n");
- flow->pando_stage = 0;
- }
-
- } else if ((flow->pando_stage == 3) || (flow->pando_stage == 4)) {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pando_stage - packet->packet_direction) == 3) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || (ndpi_match_strprefix(packet->payload, payload_len, "UDPR") || ndpi_match_strprefix(packet->payload, payload_len, "UDPE"))) {
- NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0..\n");
- flow->pando_stage = 0;
- }
-
- } else if ((flow->pando_stage == 5) || (flow->pando_stage == 6)) {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pando_stage - packet->packet_direction) == 5) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "UDPA")) {
- NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");
- ndpi_int_pando_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0\n");
- flow->pando_stage = 0;
- }
- }
-}
-
-void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search PANDO\n");
- /* Break after 20 packets. */
- if (flow->packet_counter > 20) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- }
-
- /* skip marked or retransmitted packets */
- if (packet->tcp_retransmission != 0) {
- return;
- }
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PANDO) {
- return;
- }
-
- ndpi_check_pando_tcp(ndpi_struct, flow);
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PANDO) {
- return;
- }
-
- ndpi_check_pando_udp(ndpi_struct, flow);
-}
-
-
-void init_pando_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("Pando_Media_Booster", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_PANDO,
- ndpi_search_pando,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITHOUT_RETRANSMISSION,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
diff --git a/src/lib/protocols/pplive.c b/src/lib/protocols/pplive.c
deleted file mode 100644
index 2e41d64f5..000000000
--- a/src/lib/protocols/pplive.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * pplive.c
- *
- * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
- *
- * The signature is mostly based on the Libprotoident library
- * except the detection of HTTP Steam flows.
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPLIVE
-
-#include "ndpi_api.h"
-
-static void ndpi_int_pplive_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPLIVE, NDPI_PROTOCOL_UNKNOWN);
-}
-
-static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- if (flow->pplive_stage1 == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage 0: \n");
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x42\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4
- return;
- }
-
- if (ndpi_match_strprefix(packet->payload, payload_len, "\x1c\x1c\x32\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage1 = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6
- return;
- }
-
- } else if ((flow->pplive_stage1 == 1) || (flow->pplive_stage1 == 2)) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1);
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage1 - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x42\x01") || ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage1 = 0;
- }
-
- } else if ((flow->pplive_stage1 == 3) || (flow->pplive_stage1 == 4)) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1);
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage1 - packet->packet_direction) == 3) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage1 = 0;
- }
- } else if ((flow->pplive_stage1 == 5) || (flow->pplive_stage1 == 6)) {
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1);
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage1 - packet->packet_direction) == 5) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (ndpi_match_strprefix(packet->payload, payload_len, "\x1c\x1c\x32\x01")) {
- NDPI_LOG_INFO(ndpi_struct, "Found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage1 = 0;
- }
- }
-
-}
-
-static void ndpi_check_pplive_udp2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage2);
- if (flow->pplive_stage2 == 0) {
-
- if ((payload_len == 57) && ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage2 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- }
-
- } else {
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage2 - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if (payload_len == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage2 = 0;
- }
-
- }
-}
-
-static void ndpi_check_pplive_udp3(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int32_t payload_len = packet->payload_packet_len;
-
- /* Check if we so far detected the protocol in the request or not. */
- NDPI_LOG_DBG(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage3);
- if (flow->pplive_stage3 == 0) {
-
- if ((payload_len == 94) && (packet->udp->dest == htons(5041) || packet->udp->source == htons(5041) || packet->udp->dest == htons(8303) || packet->udp->source == htons(8303))) {
- NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n");
-
- /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
- flow->pplive_stage3 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
- return;
- }
-
- } else {
-
- /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->pplive_stage3 - packet->packet_direction) == 1) {
- return;
- }
-
- /* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || (payload_len == 49) ||(payload_len == 94)) {
- NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");
- ndpi_int_pplive_add_connection(ndpi_struct, flow);
- } else {
- NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n");
- flow->pplive_stage3 = 0;
- }
- }
-
-}
-
-void ndpi_search_pplive(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- struct ndpi_packet_struct *packet = &flow->packet;
-
- NDPI_LOG_DBG(ndpi_struct, "search PPLIVE\n");
-
- /* Break after 20 packets. */
- if (flow->packet_counter > 20) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return;
- }
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) {
- return;
- }
-
- ndpi_check_pplive_udp1(ndpi_struct, flow);
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) {
- return;
- }
-
- ndpi_check_pplive_udp2(ndpi_struct, flow);
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) {
- return;
- }
-
- ndpi_check_pplive_udp3(ndpi_struct, flow);
-}
-
-
-void init_pplive_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
- ndpi_set_bitmask_protocol_detection("PPLive", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_PPLIVE,
- ndpi_search_pplive,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-}
-
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
index 5597f64a2..4e2782d9c 100644
--- a/src/lib/protocols/radius.c
+++ b/src/lib/protocols/radius.c
@@ -40,9 +40,11 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp != NULL) {
struct radius_header *h = (struct radius_header*)packet->payload;
/* RFC2865: The minimum length is 20 and maximum length is 4096. */
- if((payload_len < 20) || (payload_len > 4096))
- return;
-
+ if((payload_len < 20) || (payload_len > 4096)) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
if((h->code > 0)
&& (h->code <= 13)
&& (ntohs(h->len) == payload_len)) {
diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
index 77903d6cc..0e03ea8a8 100644
--- a/src/lib/protocols/rtcp.c
+++ b/src/lib/protocols/rtcp.c
@@ -45,7 +45,7 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
len = packet->payload[2+offset] * 256 + packet->payload[2+offset+1];
rtcp_section_len = (len + 1) * 4;
- if(((offset+rtcp_section_len) > packet->payload_packet_len) || (rtcp_section_len == 0))
+ if(((offset+rtcp_section_len) > packet->payload_packet_len) || (rtcp_section_len == 0) || (len == 0))
goto exclude_rtcp;
else
offset += rtcp_section_len;
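Review bot: The added `(len == 0)` test has no comment saying why a zero length field is rejected, and the arithmetic does not explain it, since `rtcp_section_len = (len + 1) * 4` already gives 4 in that case. I would add above the `if`: `/* len is the RTCP length field (32-bit words minus one); a header-only section is treated as not RTCP */`. The reads of `packet->payload[2+offset]` and `packet->payload[2+offset+1]` depend on a loop bound outside this hunk. Because `offset` advances by a value taken from the packet, it is worth confirming that bound covers `offset + 3`.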
@@ -60,6 +60,9 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_INFO(ndpi_struct, "found rtcp\n");
ndpi_int_rtcp_add_connection(ndpi_struct, flow);
}
+
+ if(flow->packet_counter > 3)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
} else {
exclude_rtcp:
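Review bot: The new `if(flow->packet_counter > 3) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` also runs when the block just above has called `ndpi_int_rtcp_add_connection()`, so a flow can be marked as detected and excluded on the same packet. The macro's definition is not visible here, so unless it is known to be harmless after a match, make the two outcomes exclusive. If the closing brace above ends the match `if`, that would be `else if(flow->packet_counter > 3) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. The tinc.c hunk has the same pattern: its exclude is added right after the block that calls `ndpi_set_detected_protocol(..., NDPI_PROTOCOL_TINC, ...)`. ndpi_search_rtcp starts and ends outside this hunk.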
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index acea41b54..fdf8d8b9f 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -76,6 +76,8 @@ static u_int8_t isValidMSRTPType(u_int8_t payloadType) {
static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload, const u_int16_t payload_len) {
+ u_int8_t payloadType, payload_type = payload[1] & 0x7F;
+
NDPI_LOG_DBG(ndpi_struct, "search RTP\n");
if((payload_len < 2) || flow->protos.stun_ssl.stun.num_binding_requests) {
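Review bot: Moving the declaration to the top of `ndpi_rtp_search` makes `payload[1] & 0x7F` execute before the `payload_len < 2` guard, so a zero- or one-byte payload is now read past its stated length. Keep the declaration at the top without the initializer, `u_int8_t payloadType, payload_type;`, and assign after the early return with `payload_type = payload[1] & 0x7F;`. Whether the extra byte still lies inside the capture buffer depends on the caller, which is outside this hunk. The following hunk only removes the old declaration, so this applies to the function as a whole.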
@@ -83,9 +85,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- //struct ndpi_packet_struct *packet = &flow->packet;
- u_int8_t payloadType, payload_type = payload[1] & 0x7F;
-
/* Check whether this is an RTP flow */
if((payload_len >= 12)
&& (((payload[0] & 0xFF) == 0x80) || ((payload[0] & 0xFF) == 0xA0)) /* RTP magic byte[1] */
@@ -105,13 +104,6 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_INFO(ndpi_struct, "Found Skype for Business (former MS Lync)\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN);
return;
- } else /* RTCP */ {
-#if 0
- /* If it's RTCP the RTCP decoder will catch it */
- NDPI_LOG_INFO(ndpi_struct, "Found MS RTCP\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN);
- return;
-#endif
}
}
@@ -136,6 +128,8 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
&& (dest > 1023)
)
ndpi_rtp_search(ndpi_struct, flow, packet->payload, packet->payload_packet_len);
+ else
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
/* *************************************************************** */
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 4da380a4b..b7806d036 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -48,142 +48,131 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
- if (payload_len > 4) {
+ if(payload_len > 4) {
/* search for STUN Turn ChannelData Prefix */
u_int16_t message_len = ntohs(get_u_int16_t(packet->payload, 2));
- if (payload_len - 4 == message_len) {
+
+ if(payload_len - 4 == message_len) {
NDPI_LOG_DBG2(ndpi_struct, "found STUN TURN ChannelData prefix\n");
payload_len -= 4;
packet_payload += 4;
}
}
- if (payload_len >= 14)
- {
-
- if ((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0)
- && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
-
- NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "REGISTER ", 9) == 0 || memcmp(packet_payload, "register ", 9) == 0)
- && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) {
-
- NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0)
- && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- /* seen this in second direction on the third position,
- * maybe it could be deleted, if somebody sees it in the first direction,
- * please delete this comment.
- */
-
- /*
- if (memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
- */
- if (memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0)
- && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0)
- && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0)
- && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0)
- && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- if ((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0)
- && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- /* SIP message extension RFC 3248 */
- if ((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0)
- && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
-
- /* Courtesy of Miguel Quesada <mquesadab@gmail.com> */
- if ((memcmp(packet_payload, "OPTIONS ", 8) == 0
- || memcmp(packet_payload, "options ", 8) == 0)
- && (memcmp(&packet_payload[8], "SIP:", 4) == 0
- || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n");
- ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
- return;
- }
+ if(payload_len >= 14) {
+ if((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0)
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "REGISTER ", 9) == 0 || memcmp(packet_payload, "register ", 9) == 0)
+ && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0)
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* seen this in second direction on the third position,
+ * maybe it could be deleted, if somebody sees it in the first direction,
+ * please delete this comment.
+ */
+
+ /*
+ if(memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
}
+ */
+ if(memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0)
+ && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0)
+ && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0)
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "PUBLISH ", 8) == 0 || memcmp(packet_payload, "publish ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip PUBLISH\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ if((memcmp(packet_payload, "SUBSCRIBE ", 10) == 0 || memcmp(packet_payload, "subscribe ", 10) == 0)
+ && (memcmp(&packet_payload[10], "SIP:", 4) == 0 || memcmp(&packet_payload[10], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip SUBSCRIBE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* SIP message extension RFC 3248 */
+ if((memcmp(packet_payload, "MESSAGE ", 8) == 0 || memcmp(packet_payload, "message ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip MESSAGE\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+
+ /* Courtesy of Miguel Quesada <mquesadab@gmail.com> */
+ if((memcmp(packet_payload, "OPTIONS ", 8) == 0
+ || memcmp(packet_payload, "options ", 8) == 0)
+ && (memcmp(&packet_payload[8], "SIP:", 4) == 0
+ || memcmp(&packet_payload[8], "sip:", 4) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n");
+ ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+ }
/* add bitmask for tcp only, some stupid udp programs
* send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */
- if (packet->udp != NULL && flow->packet_counter < 20) {
+ if(packet->udp != NULL && flow->packet_counter < 20) {
NDPI_LOG_DBG2(ndpi_struct, "need next packet\n");
return;
}
/* for STUN flows we need some more packets */
- if (packet->udp != NULL && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN && flow->packet_counter < 40) {
+ if(packet->udp != NULL && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN && flow->packet_counter < 40) {
NDPI_LOG_DBG2(ndpi_struct, "need next STUN packet\n");
return;
}
- if (payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) {
+ if(payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n");
return;
}
- if (payload_len > 30 && packet_payload[0] == 0x90
- && packet_payload[3] == payload_len - 20 && get_u_int32_t(packet_payload, 4) == 0
- && get_u_int32_t(packet_payload, 8) == 0) {
- flow->sip_yahoo_voice = 1;
- NDPI_LOG_DBG2(ndpi_struct, "maybe sip yahoo. need next packet\n");
- }
- if (flow->sip_yahoo_voice && flow->packet_counter < 10) {
- return;
- }
-
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
@@ -193,15 +182,18 @@ void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct nd
NDPI_LOG_DBG(ndpi_struct, "search sip\n");
- /* skip marked packets */
- if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) {
- if (packet->tcp_retransmission == 0) {
- ndpi_search_sip_handshake(ndpi_struct, flow);
+ if(flow->packet_counter > 5)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ else {
+ /* skip marked packets */
+ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) {
+ if(packet->tcp_retransmission == 0) {
+ ndpi_search_sip_handshake(ndpi_struct, flow);
+ }
}
}
}
-
void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("SIP", ndpi_struct, detection_bitmask, *id,
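Review bot: The new `flow->packet_counter > 5` cap in `ndpi_search_sip` makes the later thresholds in `ndpi_search_sip_handshake` unreachable, assuming that function has no other caller. For UDP it is now only entered while the counter is at most 5, so `flow->packet_counter < 20` is always true and the STUN case that waits for up to 40 packets never applies. The comment kept in the handshake hunk says some UDP programs send a few (< 10) packets before the INVITE, so such flows would be excluded before SIP is seen and would go unclassified. Either put the three limits on one named constant or document the choice, e.g. `/* give up after 5 packets: SIP appearing later on this flow is not classified */`. The unbraced `if`/`else` around the `NDPI_EXCLUDE_PROTO` macro would also be safer fully braced.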
diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c
index 41d1a7d71..198286c8b 100644
--- a/src/lib/protocols/steam.c
+++ b/src/lib/protocols/steam.c
@@ -267,7 +267,6 @@ void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct
return;
}
-
/* skip marked or retransmitted packets */
if(packet->tcp_retransmission != 0) {
return;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index e4d504821..8db589182 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -27,7 +27,7 @@
#include "ndpi_api.h"
-#define MAX_NUM_STUN_PKTS 8
+#define MAX_NUM_STUN_PKTS 3
// #define DEBUG_STUN 1
// #define DEBUG_LRU 1
@@ -122,15 +122,15 @@ static int is_google_ip_address(u_int32_t host) {
/* ************************************************************ */
/*
- WhatsApp
- 31.13.86.48
- 31.13.92.50
- 157.240.20.51
- 157.240.21.51
- 185.60.216.51
-
- Messenger
- 31.13.86.5
+ WhatsApp
+ 31.13.86.48
+ 31.13.92.50
+ 157.240.20.51
+ 157.240.21.51
+ 185.60.216.51
+
+ Messenger
+ 31.13.86.5
*/
static int is_messenger_ip_address(u_int32_t host) {
@@ -149,14 +149,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int16_t msg_type, msg_len;
int rc;
- /* STUN over TCP does not look good */
- if(flow->packet.tcp)
- return(NDPI_IS_NOT_STUN);
-
/* No need to do ntohl() with 0xFFFFFFFF */
if(flow->packet.iph && (flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- return(NDPI_IS_NOT_STUN);;
+ return(NDPI_IS_NOT_STUN);
}
if(payload_length >= 512) {
@@ -190,25 +186,25 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#endif
/*
- If we're here it's because this does not look like STUN anymore
- as this was a flow that started as STUN and turned into something
- else. Let's investigate what is that about
- */
+ If we're here it's because this does not look like STUN anymore
+ as this was a flow that started as STUN and turned into something
+ else. Let's investigate what is that about
+ */
if(payload[0] == 0x16) {
/* Let's check if this is DTLS used by some socials */
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1]));
switch (version) {
- case 0xFEFF: /* DTLS 1.0 */
- case 0xFEFD: /* DTLS 1.2 */
- total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
-
- if(payload_length == total_len) {
- /* This is DTLS and the only protocol we know behaves like this is signal */
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
- return(NDPI_IS_STUN);
- }
+ case 0xFEFF: /* DTLS 1.0 */
+ case 0xFEFD: /* DTLS 1.2 */
+ total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
+
+ if(payload_length == total_len) {
+ /* This is DTLS and the only protocol we know behaves like this is signal */
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
+ return(NDPI_IS_STUN);
+ }
}
}
@@ -218,7 +214,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
#if 0
if((flow->packet.udp->dest == htons(3480)) ||
(flow->packet.udp->source == htons(3480))
- )
+ )
printf("[STUN] Here we go\n");;
#endif
@@ -285,7 +281,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
} else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) ||
- (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
+ (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
return(NDPI_IS_STUN); /* This is WhatsApp Call */
}
@@ -311,13 +307,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int offset = 20;
/*
- This can either be the standard RTCP or Ms Lync RTCP that
- later will become Ms Lync RTP. In this case we need to
- be careful before deciding about the protocol before dissecting the packet
+ This can either be the standard RTCP or Ms Lync RTCP that
+ later will become Ms Lync RTP. In this case we need to
+ be careful before deciding about the protocol before dissecting the packet
- MS Lync = Skype
- https://en.wikipedia.org/wiki/Skype_for_Business
- */
+ MS Lync = Skype
+ https://en.wikipedia.org/wiki/Skype_for_Business
+ */
while((offset+4) < payload_length) {
u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset]));
@@ -346,36 +342,36 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
break;
case 0x0014: /* Realm */
- {
- u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));
+ {
+ u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));
- if(flow->host_server_name[0] == '\0') {
- u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len;
- u_int k = offset+4;
+ if(flow->host_server_name[0] == '\0') {
+ u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len;
+ u_int k = offset+4;
- memset(flow->host_server_name, 0, sizeof(flow->host_server_name));
+ memset(flow->host_server_name, 0, sizeof(flow->host_server_name));
- for(j=0; j<i; j++) {
- if((k+i) < payload_length)
- flow->host_server_name[j] = payload[k++];
- else
- break;
- }
+ for(j=0; j<i; j++) {
+ if((k+i) < payload_length)
+ flow->host_server_name[j] = payload[k++];
+ else
+ break;
+ }
#ifdef DEBUG_STUN
- printf("==> [%s]\n", flow->host_server_name);
+ printf("==> [%s]\n", flow->host_server_name);
#endif
- if(strstr((char*) flow->host_server_name, "google.com") != NULL) {
+ if(strstr((char*) flow->host_server_name, "google.com") != NULL) {
flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
return(NDPI_IS_STUN);
- } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
- flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
- return(NDPI_IS_STUN);
- }
- }
- }
- break;
+ } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) {
+ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
+ return(NDPI_IS_STUN);
+ }
+ }
+ }
+ break;
case 0xC057: /* Messeger */
if(msg_type == 0x0001) {
@@ -470,7 +466,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
} else
return(NDPI_IS_NOT_STUN);
-udp_stun_found:
+ udp_stun_found:
flow->protos.stun_ssl.stun.num_processed_pkts++;
struct ndpi_packet_struct *packet = &flow->packet;
@@ -489,7 +485,6 @@ udp_stun_found:
return rc;
}
-
void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
@@ -535,13 +530,12 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
return;
}
- if(flow->protos.stun_ssl.stun.num_udp_pkts >= MAX_NUM_STUN_PKTS)
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
if(flow->packet_counter > 0) {
/* This might be a RTP stream: let's make sure we check it */
NDPI_CLR(&flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
}
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
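Review bot: With the `num_udp_pkts >= MAX_NUM_STUN_PKTS` test removed, the `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` at the end of `ndpi_search_stun` is unconditional, so the first packet that reaches this point appears to end STUN inspection for the flow. The packet budget that the `#define` hunk lowers to 3 no longer applies on this path; whether it is still used elsewhere cannot be seen from the visible hunks. I would state the intent next to the call, e.g. `/* not STUN: stop inspecting this flow; RTP stays enabled via the NDPI_CLR above */`. The body of ndpi_search_stun starts outside this hunk, so the paths that return earlier are not visible here.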
@@ -550,7 +544,7 @@ void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ndpi_set_bitmask_protocol_detection("STUN", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_STUN,
ndpi_search_stun,
- NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
+ NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
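Review bot: Switching the selection mask to `NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD` means STUN carried over TCP is never offered to this dissector, and nothing in the hunk records that this is intentional. STUN and TURN can run over TCP, commonly as a fallback when UDP is blocked, so this reduces visibility for anyone relying on the classification for monitoring. The earlier hunk in `ndpi_int_check_stun` also removes the explicit TCP rejection and its comment, so the only remaining statement of the policy is this mask. I would add `/* UDP only: STUN/TURN over TCP is deliberately not classified */` above the call.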
diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c
index 941520b25..a9d7a21d3 100644
--- a/src/lib/protocols/tftp.c
+++ b/src/lib/protocols/tftp.c
@@ -41,26 +41,31 @@ void ndpi_search_tftp(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search TFTP\n");
- if (packet->payload_packet_len > 3 && flow->l4.udp.tftp_stage == 0
- && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001) {
+ if ((packet->payload_packet_len > 3)
+ && (flow->l4.udp.tftp_stage == 0)
+ && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001)) {
NDPI_LOG_DBG2(ndpi_struct, "maybe tftp. need next packet\n");
flow->l4.udp.tftp_stage = 1;
return;
}
- if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1)
- && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) {
- NDPI_LOG_INFO(ndpi_struct, "found tftp\n");
- ndpi_int_tftp_add_connection(ndpi_struct, flow);
- return;
- }
- if (packet->payload_packet_len > 1
- && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0)
- || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) {
- NDPI_LOG_DBG2(ndpi_struct, "skip initial packet\n");
- return;
- }
+ if(flow->l4.udp.tftp_stage == 1) {
+ if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1)
+ && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found tftp\n");
+ ndpi_int_tftp_add_connection(ndpi_struct, flow);
+ return;
+ }
+ if (packet->payload_packet_len > 1
+ && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0)
+ || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) {
+ NDPI_LOG_DBG2(ndpi_struct, "skip initial packet\n");
+ return;
+ }
+ }
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
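Review bot: Wrapping both follow-up tests in `if(flow->l4.udp.tftp_stage == 1)` changes behaviour for the "skip initial packet" test. At stage 0, a packet that starts and ends with a zero byte, or a 4-byte `0x00040000`, used to return and wait; it now falls through to `NDPI_EXCLUDE_PROTO`. If such a packet can be the first one seen on a flow (for example an acknowledgement of block 0, which is an assumption to confirm), TFTP is excluded before the `0x00030001` data packet arrives. Keep only the `0x00040001` test inside the stage-1 block and leave the skip test outside it; the repeated `(flow->l4.udp.tftp_stage == 1)` inside the block can then be dropped. `ndpi_search_tftp` starts outside this hunk.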
diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c
index 62981dbb3..4748700cf 100644
--- a/src/lib/protocols/tinc.c
+++ b/src/lib/protocols/tinc.c
@@ -58,9 +58,9 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN);
}
}
-
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
} else if(packet->tcp != NULL) {
if(payload_len == 0) {
if(packet->tcp->syn == 1 && packet->tcp->ack == 0) {