authorDaniele De Lorenzi <daniele.delorenzi@fastnetserv.net>2018-12-20 11:04:03 +0100
committerGitHub <noreply@github.com>2018-12-20 11:04:03 +0100
commit2aea4da9adc3ba87346d01d20bd815004016db4f (patch)
tree91c94e1645640407f32e0cf5b1097444f6f26271 /src/lib/protocols
parent3b1047b0c8136b85010554ac31f7845c68b5898b (diff)
parentd3be349fa0d03477be1c84fad23fcc37df9bcf67 (diff)
Merge pull request #10 from ntop/dev
Repo sync
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/afp.c8
-rw-r--r--src/lib/protocols/aimini.c6
-rw-r--r--src/lib/protocols/ajp.c4
-rw-r--r--src/lib/protocols/amqp.c5
-rw-r--r--src/lib/protocols/apple_push.c5
-rw-r--r--src/lib/protocols/applejuice.c6
-rw-r--r--src/lib/protocols/armagetron.c7
-rw-r--r--src/lib/protocols/attic/flash.c2
-rw-r--r--src/lib/protocols/attic/ftp.c2
-rw-r--r--src/lib/protocols/attic/manolito.c2
-rw-r--r--src/lib/protocols/attic/popo.c2
-rw-r--r--src/lib/protocols/attic/secondlife.c2
-rw-r--r--src/lib/protocols/ayiya.c6
-rw-r--r--src/lib/protocols/battlefield.c6
-rw-r--r--src/lib/protocols/bgp.c6
-rw-r--r--src/lib/protocols/bittorrent.c4
-rw-r--r--src/lib/protocols/bjnp.c12
-rw-r--r--src/lib/protocols/btlib.c4
-rw-r--r--src/lib/protocols/checkmk.c7
-rw-r--r--src/lib/protocols/ciscovpn.c4
-rw-r--r--src/lib/protocols/citrix.c6
-rw-r--r--src/lib/protocols/coap.c4
-rw-r--r--src/lib/protocols/collectd.c6
-rw-r--r--src/lib/protocols/corba.c3
-rw-r--r--src/lib/protocols/crossfire.c6
-rw-r--r--src/lib/protocols/csgo.c4
-rw-r--r--src/lib/protocols/dcerpc.c5
-rw-r--r--src/lib/protocols/dhcp.c6
-rw-r--r--src/lib/protocols/dhcpv6.c6
-rw-r--r--src/lib/protocols/diameter.c27
-rw-r--r--src/lib/protocols/directconnect.c9
-rw-r--r--src/lib/protocols/directdownloadlink.c6
-rw-r--r--src/lib/protocols/dns.c14
-rw-r--r--src/lib/protocols/dofus.c6
-rw-r--r--src/lib/protocols/drda.c6
-rw-r--r--src/lib/protocols/dropbox.c34
-rw-r--r--src/lib/protocols/eaq.c16
-rw-r--r--src/lib/protocols/edonkey.c178
-rw-r--r--src/lib/protocols/fasttrack.c6
-rw-r--r--src/lib/protocols/fbzero.c7
-rw-r--r--src/lib/protocols/fiesta.c5
-rw-r--r--src/lib/protocols/fix.c7
-rw-r--r--src/lib/protocols/florensia.c6
-rw-r--r--src/lib/protocols/ftp_control.c6
-rw-r--r--src/lib/protocols/ftp_data.c6
-rw-r--r--src/lib/protocols/git.c7
-rw-r--r--src/lib/protocols/gnutella.c6
-rw-r--r--src/lib/protocols/gtp.c6
-rw-r--r--src/lib/protocols/guildwars.c6
-rw-r--r--src/lib/protocols/h323.c7
-rw-r--r--src/lib/protocols/halflife2_and_mods.c6
-rw-r--r--src/lib/protocols/hangout.c5
-rw-r--r--src/lib/protocols/hep.c25
-rw-r--r--src/lib/protocols/http.c103
-rw-r--r--src/lib/protocols/http_activesync.c40
-rw-r--r--src/lib/protocols/iax.c6
-rw-r--r--src/lib/protocols/icecast.c28
-rw-r--r--src/lib/protocols/ipp.c6
-rw-r--r--src/lib/protocols/irc.c9
-rw-r--r--src/lib/protocols/jabber.c13
-rw-r--r--src/lib/protocols/kakaotalk_voice.c8
-rw-r--r--src/lib/protocols/kerberos.c5
-rw-r--r--src/lib/protocols/kontiki.c8
-rw-r--r--src/lib/protocols/ldap.c5
-rw-r--r--src/lib/protocols/lisp.c25
-rw-r--r--src/lib/protocols/lotus_notes.c6
-rw-r--r--src/lib/protocols/mail_imap.c8
-rw-r--r--src/lib/protocols/mail_pop.c6
-rw-r--r--src/lib/protocols/mail_smtp.c5
-rw-r--r--src/lib/protocols/maplestory.c6
-rw-r--r--src/lib/protocols/mdns_proto.c (renamed from src/lib/protocols/mdns.c)5
-rw-r--r--src/lib/protocols/megaco.c8
-rw-r--r--src/lib/protocols/memcached.c189
-rw-r--r--src/lib/protocols/mgcp.c7
-rw-r--r--src/lib/protocols/mining.c94
-rw-r--r--src/lib/protocols/mpegts.c5
-rw-r--r--src/lib/protocols/mqtt.c5
-rw-r--r--src/lib/protocols/msn.c61
-rw-r--r--src/lib/protocols/mssql_tds.c6
-rw-r--r--src/lib/protocols/mysql.c6
-rw-r--r--src/lib/protocols/nest_log_sink.c79
-rw-r--r--src/lib/protocols/netbios.c11
-rw-r--r--src/lib/protocols/netflow.c5
-rw-r--r--src/lib/protocols/nfs.c5
-rw-r--r--src/lib/protocols/nintendo.c5
-rw-r--r--src/lib/protocols/noe.c6
-rw-r--r--src/lib/protocols/non_tcp_udp.c62
-rw-r--r--src/lib/protocols/ntp.c5
-rw-r--r--src/lib/protocols/ookla.c66
-rw-r--r--src/lib/protocols/openft.c6
-rw-r--r--src/lib/protocols/openvpn.c6
-rw-r--r--src/lib/protocols/oracle.c4
-rw-r--r--src/lib/protocols/oscar.c6
-rw-r--r--src/lib/protocols/pando.c4
-rw-r--r--src/lib/protocols/pcanywhere.c5
-rw-r--r--src/lib/protocols/postgres.c5
-rw-r--r--src/lib/protocols/pplive.c3
-rw-r--r--src/lib/protocols/ppstream.c5
-rw-r--r--src/lib/protocols/pptp.c6
-rw-r--r--src/lib/protocols/qq.c12
-rw-r--r--src/lib/protocols/quic.c14
-rw-r--r--src/lib/protocols/radius.c6
-rw-r--r--src/lib/protocols/rdp.c6
-rw-r--r--src/lib/protocols/redis_net.c6
-rw-r--r--src/lib/protocols/rsync.c6
-rw-r--r--src/lib/protocols/rtcp.c10
-rw-r--r--src/lib/protocols/rtmp.c3
-rw-r--r--src/lib/protocols/rtp.c19
-rw-r--r--src/lib/protocols/rtsp.c16
-rw-r--r--src/lib/protocols/rx.c5
-rw-r--r--src/lib/protocols/sflow.c5
-rw-r--r--src/lib/protocols/shoutcast.c8
-rw-r--r--src/lib/protocols/sip.c21
-rw-r--r--src/lib/protocols/skinny.c4
-rw-r--r--src/lib/protocols/skype.c44
-rw-r--r--src/lib/protocols/smb.c17
-rw-r--r--src/lib/protocols/smpp.c6
-rw-r--r--src/lib/protocols/snmp_proto.c (renamed from src/lib/protocols/snmp.c)6
-rw-r--r--src/lib/protocols/socks45.c5
-rw-r--r--src/lib/protocols/someip.c5
-rw-r--r--src/lib/protocols/sopcast.c5
-rw-r--r--src/lib/protocols/soulseek.c14
-rw-r--r--src/lib/protocols/spotify.c31
-rw-r--r--src/lib/protocols/ssdp.c7
-rw-r--r--src/lib/protocols/ssh.c5
-rw-r--r--src/lib/protocols/ssl.c177
-rw-r--r--src/lib/protocols/starcraft.c5
-rw-r--r--src/lib/protocols/stealthnet.c5
-rw-r--r--src/lib/protocols/steam.c4
-rw-r--r--src/lib/protocols/stun.c29
-rw-r--r--src/lib/protocols/syslog.c6
-rw-r--r--src/lib/protocols/tcp_udp.c2
-rw-r--r--src/lib/protocols/teamspeak.c3
-rw-r--r--src/lib/protocols/teamviewer.c5
-rw-r--r--src/lib/protocols/telegram.c5
-rw-r--r--src/lib/protocols/telnet.c6
-rw-r--r--src/lib/protocols/teredo.c7
-rw-r--r--src/lib/protocols/tftp.c5
-rw-r--r--src/lib/protocols/thunder.c6
-rw-r--r--src/lib/protocols/tinc.c5
-rw-r--r--src/lib/protocols/tor.c12
-rw-r--r--src/lib/protocols/tvants.c6
-rw-r--r--src/lib/protocols/tvuplayer.c6
-rw-r--r--src/lib/protocols/ubntac2.c5
-rw-r--r--src/lib/protocols/upnp.c65
-rw-r--r--src/lib/protocols/usenet.c6
-rw-r--r--src/lib/protocols/vhua.c5
-rw-r--r--src/lib/protocols/viber.c6
-rw-r--r--src/lib/protocols/vmware.c6
-rw-r--r--src/lib/protocols/vnc.c6
-rw-r--r--src/lib/protocols/warcraft3.c5
-rw-r--r--src/lib/protocols/whatsapp.c27
-rw-r--r--src/lib/protocols/whoisdas.c6
-rw-r--r--src/lib/protocols/world_of_kung_fu.c5
-rw-r--r--src/lib/protocols/world_of_warcraft.c5
-rw-r--r--src/lib/protocols/xbox.c6
-rw-r--r--src/lib/protocols/xdmcp.c6
-rw-r--r--src/lib/protocols/yahoo.c13
-rw-r--r--src/lib/protocols/zattoo.c6
-rw-r--r--src/lib/protocols/zeromq.c5
160 files changed, 1158 insertions, 1125 deletions
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c
index ee8dc5973..ffe303cea 100644
--- a/src/lib/protocols/afp.c
+++ b/src/lib/protocols/afp.c
@@ -1,8 +1,8 @@
/*
* afp.c
*
- * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-16 - ntop.org
+ * Copyright (C) 2009-11 by ipoque GmbH
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_AFP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AFP
#include "ndpi_api.h"
@@ -100,5 +98,3 @@ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c
index fb439f817..dec8118c2 100644
--- a/src/lib/protocols/aimini.c
+++ b/src/lib/protocols/aimini.c
@@ -2,7 +2,7 @@
* aimini.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_AIMINI
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AIMINI
#include "ndpi_api.h"
@@ -293,5 +291,3 @@ void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/ajp.c b/src/lib/protocols/ajp.c
index ed7bb83f7..7cae40f20 100644
--- a/src/lib/protocols/ajp.c
+++ b/src/lib/protocols/ajp.c
@@ -22,8 +22,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_AJP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AJP
#include "ndpi_api.h"
@@ -149,5 +147,3 @@ void init_ajp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c
index 6b530c16d..793b3699e 100644
--- a/src/lib/protocols/amqp.c
+++ b/src/lib/protocols/amqp.c
@@ -1,7 +1,7 @@
/*
* amqp.c
*
- * Copyright (C) 2011-17 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_AMQP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AMQP
#include "ndpi_api.h"
@@ -87,4 +85,3 @@ void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/apple_push.c b/src/lib/protocols/apple_push.c
index 734be6e96..6930dba86 100644
--- a/src/lib/protocols/apple_push.c
+++ b/src/lib/protocols/apple_push.c
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_APPLE_PUSH
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_APPLE_PUSH
#include "ndpi_api.h"
@@ -76,6 +74,3 @@ void init_apple_push_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-
-#endif
diff --git a/src/lib/protocols/applejuice.c b/src/lib/protocols/applejuice.c
index a80c39d7f..95e6b4458 100644
--- a/src/lib/protocols/applejuice.c
+++ b/src/lib/protocols/applejuice.c
@@ -2,7 +2,7 @@
* applejuice.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_APPLEJUICE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_APPLEJUICE
#include "ndpi_api.h"
@@ -67,5 +65,3 @@ void init_applejuice_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/armagetron.c b/src/lib/protocols/armagetron.c
index 7f4fb9ec0..53c36a5f9 100644
--- a/src/lib/protocols/armagetron.c
+++ b/src/lib/protocols/armagetron.c
@@ -2,7 +2,7 @@
* armagetron.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_ARMAGETRON
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ARMAGETRON
#include "ndpi_api.h"
@@ -109,6 +107,3 @@ void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-
-#endif
diff --git a/src/lib/protocols/attic/flash.c b/src/lib/protocols/attic/flash.c
index bc47ee881..eb27807d7 100644
--- a/src/lib/protocols/attic/flash.c
+++ b/src/lib/protocols/attic/flash.c
@@ -2,7 +2,7 @@
* flash.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/attic/ftp.c b/src/lib/protocols/attic/ftp.c
index 2e06aec9a..19604089c 100644
--- a/src/lib/protocols/attic/ftp.c
+++ b/src/lib/protocols/attic/ftp.c
@@ -2,7 +2,7 @@
* ftp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/attic/manolito.c b/src/lib/protocols/attic/manolito.c
index 3b1db0df5..71fdaeaff 100644
--- a/src/lib/protocols/attic/manolito.c
+++ b/src/lib/protocols/attic/manolito.c
@@ -2,7 +2,7 @@
* manolito.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/attic/popo.c b/src/lib/protocols/attic/popo.c
index 4bd040efe..c5b0447df 100644
--- a/src/lib/protocols/attic/popo.c
+++ b/src/lib/protocols/attic/popo.c
@@ -2,7 +2,7 @@
* popo.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/attic/secondlife.c b/src/lib/protocols/attic/secondlife.c
index d475dc386..487c03597 100644
--- a/src/lib/protocols/attic/secondlife.c
+++ b/src/lib/protocols/attic/secondlife.c
@@ -2,7 +2,7 @@
* secondlife.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c
index bc993cfe3..c44c723b5 100644
--- a/src/lib/protocols/ayiya.c
+++ b/src/lib/protocols/ayiya.c
@@ -1,7 +1,7 @@
/*
* ayiya.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -28,8 +28,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_AYIYA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AYIYA
#include "ndpi_api.h"
@@ -85,5 +83,3 @@ void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/battlefield.c b/src/lib/protocols/battlefield.c
index 23a3749b2..b4ec74cfe 100644
--- a/src/lib/protocols/battlefield.c
+++ b/src/lib/protocols/battlefield.c
@@ -2,7 +2,7 @@
* battlefield.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_BATTLEFIELD
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BATTLEFIELD
#include "ndpi_api.h"
@@ -126,5 +124,3 @@ void init_battlefield_dissector(struct ndpi_detection_module_struct *ndpi_struct
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/bgp.c b/src/lib/protocols/bgp.c
index f7896968b..aaa5730f7 100644
--- a/src/lib/protocols/bgp.c
+++ b/src/lib/protocols/bgp.c
@@ -1,7 +1,7 @@
/*
* bgp.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_BGP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BGP
#include "ndpi_api.h"
@@ -67,5 +65,3 @@ void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index fceafc188..ad7de6b42 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_BITTORRENT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BITTORRENT
#include "ndpi_api.h"
@@ -503,5 +501,3 @@ void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/bjnp.c b/src/lib/protocols/bjnp.c
index f9f690308..759f810be 100644
--- a/src/lib/protocols/bjnp.c
+++ b/src/lib/protocols/bjnp.c
@@ -1,16 +1,14 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_BJNP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BJNP
#include "ndpi_api.h"
static void ndpi_int_bjnp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
- u_int8_t due_to_correlation)
-{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BJNP, NDPI_PROTOCOL_UNKNOWN);
+ u_int8_t due_to_correlation) {
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_BJNP, NDPI_PROTOCOL_UNKNOWN);
}
@@ -61,7 +59,3 @@ void init_bjnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-
-
-#endif
diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c
index ac456f364..5992c1b28 100644
--- a/src/lib/protocols/btlib.c
+++ b/src/lib/protocols/btlib.c
@@ -1,7 +1,7 @@
/*
* btlib.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
* Contributed by Vitaly Lavrov <vel21ripn@gmail.com>
*
* This file is part of nDPI, an open source deep packet inspection
@@ -22,6 +22,8 @@
*
*/
+#include "ndpi_api.h"
+
#ifndef NDPI_NO_STD_INC
#include <stdlib.h>
#include <stdio.h>
diff --git a/src/lib/protocols/checkmk.c b/src/lib/protocols/checkmk.c
index 81ac543b6..991885fce 100644
--- a/src/lib/protocols/checkmk.c
+++ b/src/lib/protocols/checkmk.c
@@ -1,7 +1,7 @@
/*
* checkmk.c
*
- * Copyright (C) 2011-17 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_CHECKMK
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CHECKMK
#include "ndpi_api.h"
@@ -82,6 +80,3 @@ void init_checkmk_dissector(struct ndpi_detection_module_struct *ndpi_struct,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-
-#endif
diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c
index e04fba936..d98f91e02 100644
--- a/src/lib/protocols/ciscovpn.c
+++ b/src/lib/protocols/ciscovpn.c
@@ -6,8 +6,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_CISCOVPN
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CISCOVPN
#include "ndpi_api.h"
@@ -84,5 +82,3 @@ void init_ciscovpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/citrix.c b/src/lib/protocols/citrix.c
index 7d6406bff..89e520815 100644
--- a/src/lib/protocols/citrix.c
+++ b/src/lib/protocols/citrix.c
@@ -1,7 +1,7 @@
/*
* citrix.c
*
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_CITRIX
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CITRIX
#include "ndpi_api.h"
@@ -95,5 +93,3 @@ void init_citrix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c
index 288d15f23..5ac8cb80e 100644
--- a/src/lib/protocols/coap.c
+++ b/src/lib/protocols/coap.c
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_COAP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COAP
#include "ndpi_api.h"
@@ -163,5 +161,3 @@ void init_coap_dissector (struct ndpi_detection_module_struct *ndpi_struct,
*id +=1;
}
-
-#endif // NDPI_PROTOCOL_COAP
diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c
index 2d4a06bb3..6f96871ea 100644
--- a/src/lib/protocols/collectd.c
+++ b/src/lib/protocols/collectd.c
@@ -1,7 +1,7 @@
/*
* collectd.c
*
- * Copyright (C) 2014 - ntop.org
+ * Copyright (C) 2014-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -21,8 +21,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_COLLECTD
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COLLECTD
#include "ndpi_api.h"
@@ -54,5 +52,3 @@ void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, stru
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
-
-#endif
diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c
index 94e9f324a..ffb12fec1 100644
--- a/src/lib/protocols/corba.c
+++ b/src/lib/protocols/corba.c
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_CORBA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CORBA
#include "ndpi_api.h"
@@ -60,4 +58,3 @@ void init_corba_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/crossfire.c b/src/lib/protocols/crossfire.c
index ea1dce66a..03f3b4264 100644
--- a/src/lib/protocols/crossfire.c
+++ b/src/lib/protocols/crossfire.c
@@ -1,7 +1,7 @@
/*
* crossfire.c
*
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_CROSSFIRE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CROSSFIRE
#include "ndpi_api.h"
@@ -88,5 +86,3 @@ void init_crossfire_dissector(struct ndpi_detection_module_struct *ndpi_struct,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c
index 3bf0b4fe9..7f4479419 100644
--- a/src/lib/protocols/csgo.c
+++ b/src/lib/protocols/csgo.c
@@ -22,8 +22,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_CSGO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CSGO
#include "ndpi_api.h"
@@ -122,5 +120,3 @@ void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c
index 3aef077cd..ae1266a01 100644
--- a/src/lib/protocols/dcerpc.c
+++ b/src/lib/protocols/dcerpc.c
@@ -1,7 +1,7 @@
/*
* dcerpc.c
*
- * Copyright (C) 2011-13 by ntop.org
+ * Copyright (C) 2011-18 by ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DCERPC
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC
#include "ndpi_api.h"
@@ -69,4 +67,3 @@ void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c
index 6ac07e832..52415946b 100644
--- a/src/lib/protocols/dhcp.c
+++ b/src/lib/protocols/dhcp.c
@@ -1,7 +1,7 @@
/*
* dhcp.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DHCP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DHCP
#include "ndpi_api.h"
@@ -166,5 +164,3 @@ void init_dhcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/dhcpv6.c b/src/lib/protocols/dhcpv6.c
index 98ed08cda..77be89e40 100644
--- a/src/lib/protocols/dhcpv6.c
+++ b/src/lib/protocols/dhcpv6.c
@@ -2,7 +2,7 @@
* dhcpv6.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DHCPV6
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DHCPV6
#include "ndpi_api.h"
@@ -68,5 +66,3 @@ void init_dhcpv6_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/diameter.c b/src/lib/protocols/diameter.c
index 24317f498..7fb443c34 100644
--- a/src/lib/protocols/diameter.c
+++ b/src/lib/protocols/diameter.c
@@ -1,8 +1,7 @@
/*
- * aimini.c
+ * diameter.c
*
* Copyright (C) 2018 - ntop.org
- * Written by Michele Campus - <campus@ntop.org>
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -19,22 +18,22 @@
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
+ * Based on code of:
+ * Michele Campus - <campus@ntop.org>
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DIAMETER
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DIAMETER
#include "ndpi_api.h"
// Header Flags possibile values
-#define REQUEST 0X80
-#define PROXYABLE 0X40
-#define ERROR 0X20
-#define RETRASM 0X10
+#define DIAMETER_REQUEST 0X80
+#define DIAMETER_PROXYABLE 0X40
+#define DIAMETER_ERROR 0X20
+#define DIAMETER_RETRASM 0X10
typedef enum {
AC = 271,
@@ -73,10 +72,10 @@ int is_diameter(struct ndpi_packet_struct *packet, int size_payload)
// check if the packet is diameter
if(diameter->version == 0x01 &&
- (diameter->flags == REQUEST ||
- diameter->flags == PROXYABLE ||
- diameter->flags == ERROR ||
- diameter->flags == RETRASM)) {
+ (diameter->flags == DIAMETER_REQUEST ||
+ diameter->flags == DIAMETER_PROXYABLE ||
+ diameter->flags == DIAMETER_ERROR ||
+ diameter->flags == DIAMETER_RETRASM)) {
u_int16_t com_code = diameter->com_code[2] + (diameter->com_code[1] << 8) + (diameter->com_code[0] << 8);
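Review bot: The flag test in is_diameter still compares `diameter->flags` for equality with one constant at a time, so a header that sets two bits together (for example request plus proxyable, 0xC0) is not recognised and the flow goes unclassified. A mask test such as `(diameter->flags & ~(DIAMETER_REQUEST | DIAMETER_PROXYABLE | DIAMETER_ERROR | DIAMETER_RETRASM)) == 0` would accept any combination of the four defined bits (including none) while still rejecting reserved bits. On the unchanged line that follows, `com_code[0] << 8` uses the same shift as `com_code[1]` and the sum is stored in a `u_int16_t`, which looks like a three-byte field folded incorrectly; `<< 16` into a `u_int32_t` is probably what was meant. is_diameter starts above this hunk and continues past it, so the payload length check before the header is read is not visible here.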
@@ -128,5 +127,3 @@ void init_diameter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-#endif /* NDPI_PROTOCOL_DIAMETER */
-
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 725e53348..5088685e4 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -2,7 +2,7 @@
* directconnect.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DIRECTCONNECT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DIRECTCONNECT
#include "ndpi_api.h"
@@ -80,8 +78,7 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s
const u_int8_t connection_type)
{
- struct ndpi_packet_struct *packet = &flow->packet;
-
+ struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
@@ -446,5 +443,3 @@ void init_directconnect_dissector(struct ndpi_detection_module_struct *ndpi_stru
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/directdownloadlink.c b/src/lib/protocols/directdownloadlink.c
index 0a4d528f2..cd8243786 100644
--- a/src/lib/protocols/directdownloadlink.c
+++ b/src/lib/protocols/directdownloadlink.c
@@ -2,7 +2,7 @@
* directdownloadlink.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-14svn - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK
#include "ndpi_api.h"
@@ -731,4 +729,4 @@ void init_directdownloadlink_dissector(struct ndpi_detection_module_struct *ndpi
*id += 1;
}
-#endif
+
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 7b56c3c02..90be9544c 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -1,7 +1,7 @@
/*
* dns.c
*
- * Copyright (C) 2012-16 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DNS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DNS
#include "ndpi_api.h"
@@ -209,12 +207,16 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,
flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);
- if(j > 0)
+ if(j > 0) {
+ ndpi_protocol_match_result ret_match;
+
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->host_server_name,
strlen((const char*)flow->host_server_name),
+ &ret_match,
NDPI_PROTOCOL_DNS);
-
+ }
+
#ifdef DNS_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "[num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n",
flow->protos.dns.num_queries, flow->protos.dns.num_answers,
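Review bot: `ret_match` is passed to ndpi_match_host_subprotocol uninitialised and is never read afterwards in this hunk, so whether it ever holds defined values depends on the callee filling it on every path, which is not visible here. Initialising it at the declaration, `ndpi_protocol_match_result ret_match = { 0 };`, keeps a later reader of the struct from picking up stack contents. The `strlen()` on `flow->host_server_name` relies on that buffer having been NUL-terminated by code above the hunk; since the name is taken from the packet, a one-line comment stating that invariant next to the call would help. ndpi_search_dns begins and ends outside this hunk.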
@@ -247,5 +249,3 @@ void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/dofus.c b/src/lib/protocols/dofus.c
index baed6c262..997f999a0 100644
--- a/src/lib/protocols/dofus.c
+++ b/src/lib/protocols/dofus.c
@@ -2,7 +2,7 @@
* dofus.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DOFUS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DOFUS
#include "ndpi_api.h"
@@ -151,4 +149,4 @@ void init_dofus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-#endif
+
diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c
index 72d708d13..7dc24ffcc 100644
--- a/src/lib/protocols/drda.c
+++ b/src/lib/protocols/drda.c
@@ -1,7 +1,7 @@
/*
* drda.c
*
- * Copyright (C) 2012-16 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -19,8 +19,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DRDA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DRDA
#include "ndpi_api.h"
@@ -103,5 +101,3 @@ void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif /* NDPI_PROTOCOL_DRDA */
diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c
index 6e8a2dcb0..39bb96ff2 100644
--- a/src/lib/protocols/dropbox.c
+++ b/src/lib/protocols/dropbox.c
@@ -1,7 +1,7 @@
/*
* dropbox.c
*
- * Copyright (C) 2012-16 by ntop.org
+ * Copyright (C) 2012-18 by ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_DROPBOX
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DROPBOX
#include "ndpi_api.h"
@@ -50,14 +48,24 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp != NULL) {
u_int16_t dropbox_port = htons(DB_LSP_PORT);
- if((packet->udp->source == dropbox_port)
- && (packet->udp->dest == dropbox_port)) {
- if(payload_len > 2) {
- if(strncmp((const char *)packet->payload, "{\"host_int\"", 11) == 0) {
-
- NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
- ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
- return;
+ if(packet->udp->dest == dropbox_port) {
+ if(packet->udp->source == dropbox_port) {
+ if(payload_len > 10) {
+ if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
+ ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+ }
+ } else {
+ if(payload_len > 10) {
+ if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) {
+
+ NDPI_LOG_INFO(ndpi_struct, "found dropbox\n");
+ ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
}
}
}
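Review bot: The rewritten test is much looser than the `strncmp` it replaces: `ndpi_strnstr` accepts `"host_int"` or `Bus17Cmd` anywhere in the payload, and the `else` branch needs only the destination port to equal `DB_LSP_PORT`. Any datagram sent to that port with the token somewhere in its body is therefore labelled Dropbox, which matters if the label feeds policy or accounting. A comment stating the expected packet layout, or anchoring the match to the offset where the token really appears, would make the intent checkable. The two branches differ only in the token, so they could share one body via `const char *marker = (packet->udp->source == dropbox_port) ? "\"host_int\"" : "Bus17Cmd";`. The body of `ndpi_check_dropbox` starts and ends outside this hunk.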
@@ -91,7 +99,3 @@ void init_dropbox_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-
-
-#endif
diff --git a/src/lib/protocols/eaq.c b/src/lib/protocols/eaq.c
index 3929b4ef6..8768cac6f 100644
--- a/src/lib/protocols/eaq.c
+++ b/src/lib/protocols/eaq.c
@@ -1,7 +1,7 @@
/*
* eaq.c
*
- * Copyright (C) 2015 - ntop.org
+ * Copyright (C) 2015-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -27,8 +27,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_EAQ
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_EAQ
#include "ndpi_api.h"
@@ -55,12 +53,15 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd
if(packet->udp != NULL) {
u_int32_t seq = (packet->payload[0] * 1000) + (packet->payload[1] * 100) + (packet->payload[2] * 10) + packet->payload[3];
-
+
if(flow->l4.udp.eaq_pkt_id == 0)
flow->l4.udp.eaq_sequence = seq;
else {
if( (flow->l4.udp.eaq_sequence != seq) &&
- ((flow->l4.udp.eaq_sequence+1) != seq)) break;
+ ((flow->l4.udp.eaq_sequence+1) != seq))
+ break;
+ else
+ flow->l4.udp.eaq_sequence = seq;
}
if(++flow->l4.udp.eaq_pkt_id == 4) {
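Review bot: The added `break;` / `else` pair is an unbraced `if`/`else` spread over four lines, and the `else` is redundant after `break`. `if(...) break;` followed by a plain `flow->l4.udp.eaq_sequence = seq;` would be harder to break in a later edit. A comment such as `/* remember the last sequence so the next packet is compared with its predecessor */` would explain why the stored value now advances. The `packet->payload[0]` to `packet->payload[3]` read at the top of the hunk depends on a length check that is not visible here, and `ndpi_search_eaq` continues outside the hunk.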
@@ -68,7 +69,8 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd
NDPI_LOG_INFO(ndpi_struct, "found eaq\n");
ndpi_int_eaq_add_connection(ndpi_struct, flow);
return;
- }
+ } else
+ return;
}
} while(0);
@@ -88,5 +90,3 @@ void init_eaq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c
index 34276bbcb..547bafc5f 100644
--- a/src/lib/protocols/edonkey.c
+++ b/src/lib/protocols/edonkey.c
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_EDONKEY
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_EDONKEY
#include "ndpi_api.h"
@@ -37,123 +35,122 @@ static void ndpi_int_edonkey_add_connection(struct ndpi_detection_module_struct
}
static int ndpi_edonkey_payload_check(const u_int8_t *data, u_int32_t len) {
+ if((len >= 4) && (data[0] == 0xe3) && (data[2] == 0x00) && (data[3] == 0x00))
+ return 1;
- if ((len >= 4) && (data[0] == 0xe3) && (data[2] == 0x00) && (data[3] == 0x00))
- return 1;
-
- if ((len >= 4) && (data[0] == 0xc5) && (data[2] == 0x00) && (data[3] == 0x00))
- return 1;
+ if((len >= 4) && (data[0] == 0xc5) && (data[2] == 0x00) && (data[3] == 0x00))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe5) && (data[1] == 0x43))
- return 1;
+ if((len >= 2) && (data[0] == 0xe5) && (data[1] == 0x43))
+ return 1;
- if ((len >= 4) && (data[0] == 0xe5) && (data[1] == 0x08) && (data[2] == 0x78) && (data[3] == 0xda))
- return 1;
+ if((len >= 4) && (data[0] == 0xe5) && (data[1] == 0x08) && (data[2] == 0x78) && (data[3] == 0xda))
+ return 1;
- if ((len >= 4) && (data[0] == 0xe5) && (data[1] == 0x28) && (data[2] == 0x78) && (data[3] == 0xda))
- return 1;
+ if((len >= 4) && (data[0] == 0xe5) && (data[1] == 0x28) && (data[2] == 0x78) && (data[3] == 0xda))
+ return 1;
- if ((len >= 2) && (data[0] == 0xc5) && (data[1] == 0x90))
- return 1;
+ if((len >= 2) && (data[0] == 0xc5) && (data[1] == 0x90))
+ return 1;
- if ((len >= 2) && (data[0] == 0xc5) && (data[1] == 0x91))
- return 1;
+ if((len >= 2) && (data[0] == 0xc5) && (data[1] == 0x91))
+ return 1;
- if ((len == 2) && (data[0] == 0xc5) && (data[1] == 0x92))
- return 1;
+ if((len == 2) && (data[0] == 0xc5) && (data[1] == 0x92))
+ return 1;
- if ((len == 2) && (data[0] == 0xc5) && (data[1] == 0x93))
- return 1;
+ if((len == 2) && (data[0] == 0xc5) && (data[1] == 0x93))
+ return 1;
- if ((len >= 38 && len <= 70) && (data[0] == 0xc5) && (data[1] == 0x94))
- return 1;
+ if((len >= 38 && len <= 70) && (data[0] == 0xc5) && (data[1] == 0x94))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x9a))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x9a))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x9b))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x9b))
+ return 1;
- if ((len == 6) && (data[0] == 0xe3) && (data[1] == 0x96))
- return 1;
+ if((len == 6) && (data[0] == 0xe3) && (data[1] == 0x96))
+ return 1;
- if ((len <= 34 && ((len - 2) % 4 == 0)) && (data[0] == 0xe3) && (data[1] == 0x97))
- return 1;
+ if((len <= 34 && ((len - 2) % 4 == 0)) && (data[0] == 0xe3) && (data[1] == 0x97))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x92))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x92))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x94))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x94))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x98))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x98))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x99))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0x99))
+ return 1;
- if ((len == 6) && (data[0] == 0xe3) && (data[1] == 0xa2))
- return 1;
+ if((len == 6) && (data[0] == 0xe3) && (data[1] == 0xa2))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe3) && (data[1] == 0xa3))
- return 1;
+ if((len >= 2) && (data[0] == 0xe3) && (data[1] == 0xa3))
+ return 1;
- if ((len == 27) && (data[0] == 0xe4) && (data[1] == 0x00))
- return 1;
+ if((len == 27) && (data[0] == 0xe4) && (data[1] == 0x00))
+ return 1;
- if ((len == 529) && (data[0] == 0xe4) && (data[1] == 0x08))
- return 1;
+ if((len == 529) && (data[0] == 0xe4) && (data[1] == 0x08))
+ return 1;
- if ((len == 18) && (data[0] == 0xe4) && (data[1] == 0x01) && (data[2] == 0x00) && (data[3] == 0x00))
- return 1;
+ if((len == 18) && (data[0] == 0xe4) && (data[1] == 0x01) && (data[2] == 0x00) && (data[3] == 0x00))
+ return 1;
- if ((len == 523) && (data[0] == 0xe4) && (data[1] == 0x09))
- return 1;
+ if((len == 523) && (data[0] == 0xe4) && (data[1] == 0x09))
+ return 1;
- if ((len == 35) && (data[0] == 0xe4) && (data[1] == 0x21))
- return 1;
+ if((len == 35) && (data[0] == 0xe4) && (data[1] == 0x21))
+ return 1;
- if ((len == 19) && (data[0] == 0xe4) && (data[1] == 0x4b))
- return 1;
+ if((len == 19) && (data[0] == 0xe4) && (data[1] == 0x4b))
+ return 1;
- if ((len >= 2) && (data[0] == 0xe4) && (data[1] == 0x11))
- return 1;
+ if((len >= 2) && (data[0] == 0xe4) && (data[1] == 0x11))
+ return 1;
- if ((len == 22 || len == 38 || len == 28) && (data[0] == 0xe4) && (data[1] == 0x19))
- return 1;
+ if((len == 22 || len == 38 || len == 28) && (data[0] == 0xe4) && (data[1] == 0x19))
+ return 1;
- if ((len == 35) && (data[0] == 0xe4) && (data[1] == 0x20))
- return 1;
+ if((len == 35) && (data[0] == 0xe4) && (data[1] == 0x20))
+ return 1;
- if ((len == 27) && (data[0] == 0xe4) && (data[1] == 0x18))
- return 1;
+ if((len == 27) && (data[0] == 0xe4) && (data[1] == 0x18))
+ return 1;
- if ((len == 27) && (data[0] == 0xe4) && (data[1] == 0x10))
- return 1;
+ if((len == 27) && (data[0] == 0xe4) && (data[1] == 0x10))
+ return 1;
- if ((len == 6) && (data[0] == 0xe4) && (data[1] == 0x58))
- return 1;
+ if((len == 6) && (data[0] == 0xe4) && (data[1] == 0x58))
+ return 1;
- if ((len == 4) && (data[0] == 0xe4) && (data[1] == 0x50))
- return 1;
+ if((len == 4) && (data[0] == 0xe4) && (data[1] == 0x50))
+ return 1;
- if ((len == 36) && (data[0] == 0xe4) && (data[1] == 0x52))
- return 1;
+ if((len == 36) && (data[0] == 0xe4) && (data[1] == 0x52))
+ return 1;
- if ((len == 48) && (data[0] == 0xe4) && (data[1] == 0x40))
- return 1;
+ if((len == 48) && (data[0] == 0xe4) && (data[1] == 0x40))
+ return 1;
- if ((len == 225) && (data[0] == 0xe4) && (data[1] == 0x43))
- return 1;
+ if((len == 225) && (data[0] == 0xe4) && (data[1] == 0x43))
+ return 1;
- if ((len == 19) && (data[0] == 0xe4) && (data[1] == 0x48))
- return 1;
+ if((len == 19) && (data[0] == 0xe4) && (data[1] == 0x48))
+ return 1;
- if ((len == 119 || len == 69 || len == 294) && (data[0] == 0xe4) && (data[1] == 0x29))
- return 1;
+ if((len == 119 || len == 69 || len == 294) && (data[0] == 0xe4) && (data[1] == 0x29))
+ return 1;
- if ((len == 119 || len == 69 || len == 294 || len == 44 || len == 269) && (data[0] == 0xe4) && (data[1] == 0x28))
- return 1;
+ if((len == 119 || len == 69 || len == 294 || len == 44 || len == 269) && (data[0] == 0xe4) && (data[1] == 0x28))
+ return 1;
return 0;
}
@@ -161,18 +158,20 @@ static int ndpi_edonkey_payload_check(const u_int8_t *data, u_int32_t len) {
static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t payload_len = packet->payload_packet_len;
-
+
/* Break after 20 packets. */
- if (flow->packet_counter > 20) {
+ if(flow->packet_counter > 20) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
+ if(payload_len == 0) return;
+
/* Check if we so far detected the protocol in the request or not. */
- if (flow->edonkey_stage == 0) {
+ if(flow->edonkey_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage 0: \n");
- if (ndpi_edonkey_payload_check(packet->payload, payload_len)) {
+ if(ndpi_edonkey_payload_check(packet->payload, payload_len)) {
NDPI_LOG_DBG2(ndpi_struct, "Possible EDONKEY request detected, we will look further for the response\n");
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
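Review bot: The new `if(payload_len == 0) return;` makes the `(payload_len == 0) ||` term in the response check unreachable (the `found EDONKEY` branch in the next hunk), so an empty reply no longer confirms the flow. If that is intended, the later condition should become `if(ndpi_edonkey_payload_check(packet->payload, payload_len)) {`, with a comment on the early return saying that empty segments are ignored in both stages. If it is not intended, the early return belongs inside the `edonkey_stage == 0` branch only. `ndpi_check_edonkey` continues outside this hunk.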
@@ -183,12 +182,12 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage);
/* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
- if ((flow->edonkey_stage - packet->packet_direction) == 1) {
+ if((flow->edonkey_stage - packet->packet_direction) == 1) {
return;
}
/* This is a packet in another direction. Check if we find the proper response. */
- if ((payload_len == 0) || (ndpi_edonkey_payload_check(packet->payload, payload_len))) {
+ if((payload_len == 0) || (ndpi_edonkey_payload_check(packet->payload, payload_len))) {
NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n");
ndpi_int_edonkey_add_connection(ndpi_struct, flow);
} else {
@@ -205,8 +204,8 @@ void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_DBG(ndpi_struct, "search EDONKEY\n");
/* skip marked packets */
- if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_EDONKEY) {
- if (packet->tcp_retransmission == 0) {
+ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_EDONKEY) {
+ if(packet->tcp_retransmission == 0) {
ndpi_check_edonkey(ndpi_struct, flow);
}
}
@@ -225,4 +224,3 @@ void init_edonkey_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/fasttrack.c b/src/lib/protocols/fasttrack.c
index 016a15621..074468558 100644
--- a/src/lib/protocols/fasttrack.c
+++ b/src/lib/protocols/fasttrack.c
@@ -2,7 +2,7 @@
* fasttrack.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_FASTTRACK
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FASTTRACK
#include "ndpi_api.h"
@@ -94,5 +92,3 @@ void init_fasttrack_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/fbzero.c b/src/lib/protocols/fbzero.c
index 31acd0c9a..6c818e3c7 100644
--- a/src/lib/protocols/fbzero.c
+++ b/src/lib/protocols/fbzero.c
@@ -22,8 +22,6 @@
/* https://code.facebook.com/posts/608854979307125/building-zero-protocol-for-fast-secure-mobile-connections/ */
-#ifdef NDPI_PROTOCOL_FBZERO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FBZERO
#include "ndpi_api.h"
@@ -86,7 +84,8 @@ void ndpi_search_fbzero(struct ndpi_detection_module_struct *ndpi_struct,
&& (t->tag[2] == 'I') && (t->tag[3] == '\0')) {
char *value = (char*)&packet->payload[data_offset + data_prev_offset];
u_int tag_len = t->tag_offset_len-data_prev_offset, max_len;
-
+ ndpi_protocol_match_result ret_match;
+
max_len = ndpi_min(tag_len, sizeof(flow->host_server_name)-1);
strncpy((char*)flow->host_server_name, value, max_len);
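Review bot: The `strncpy` source length is bounded only by the destination size, because `tag_len` is `t->tag_offset_len-data_prev_offset` in unsigned arithmetic and `max_len` clamps it to `sizeof(flow->host_server_name)-1`. If `tag_offset_len` is smaller than `data_prev_offset`, or the tag extends past the captured payload, the copy reads beyond `packet->payload`. No check against `packet->payload_packet_len` is visible in this hunk, so it may exist earlier in `ndpi_search_fbzero`. If it does not, bail out before the copy, for example with `if((t->tag_offset_len < data_prev_offset) || (data_offset + data_prev_offset + tag_len > packet->payload_packet_len)) return;`.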
@@ -101,6 +100,7 @@ void ndpi_search_fbzero(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name,
strlen((const char *)flow->host_server_name),
+ &ret_match,
NDPI_PROTOCOL_FBZERO);
return;
}
@@ -129,4 +129,3 @@ void init_fbzero_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/fiesta.c b/src/lib/protocols/fiesta.c
index 9a9c78852..dc7a86fd4 100644
--- a/src/lib/protocols/fiesta.c
+++ b/src/lib/protocols/fiesta.c
@@ -2,7 +2,7 @@
* fiesta.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_FIESTA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FIESTA
#include "ndpi_api.h"
@@ -105,4 +103,3 @@ void init_fiesta_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c
index 4f3f9849b..3cc9e070c 100644
--- a/src/lib/protocols/fix.c
+++ b/src/lib/protocols/fix.c
@@ -1,7 +1,7 @@
/*
* fix.c
*
- * Copyright (C) 2017 - ntop.org
+ * Copyright (C) 2017-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_FIX
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FIX
#include "ndpi_api.h"
@@ -75,6 +73,3 @@ void init_fix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-
-#endif
diff --git a/src/lib/protocols/florensia.c b/src/lib/protocols/florensia.c
index 217874a6a..cca63485f 100644
--- a/src/lib/protocols/florensia.c
+++ b/src/lib/protocols/florensia.c
@@ -2,7 +2,7 @@
* florensia.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_FLORENSIA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FLORENSIA
#include "ndpi_api.h"
@@ -129,5 +127,3 @@ void init_florensia_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c
index f23476db0..893f83d68 100644
--- a/src/lib/protocols/ftp_control.c
+++ b/src/lib/protocols/ftp_control.c
@@ -1,7 +1,7 @@
/*
* ftp_control.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_FTP_CONTROL
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FTP_CONTROL
#include "ndpi_api.h"
@@ -1014,5 +1012,3 @@ void init_ftp_control_dissector(struct ndpi_detection_module_struct *ndpi_struct
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index ec1e8d7d8..8d3e6fa8c 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -1,7 +1,7 @@
/*
* ftp_data.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* The signature is based on the Libprotoident library.
*
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_FTP_DATA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FTP_DATA
#include "ndpi_api.h"
@@ -258,5 +256,3 @@ void init_ftp_data_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c
index 0b4192289..1e358d79b 100644
--- a/src/lib/protocols/git.c
+++ b/src/lib/protocols/git.c
@@ -1,7 +1,7 @@
/*
* git.c
*
- * Copyright (C) 2012-16 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_GIT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GIT
#include <stdlib.h>
@@ -73,7 +71,6 @@ void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct,
/* ***************************************************************** */
-
void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
@@ -86,5 +83,3 @@ void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif /* NDPI_PROTOCOL_GIT */
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c
index 295cfaecd..5bc2980cc 100644
--- a/src/lib/protocols/gnutella.c
+++ b/src/lib/protocols/gnutella.c
@@ -2,7 +2,7 @@
* gnutella.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_GNUTELLA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GNUTELLA
#include "ndpi_api.h"
@@ -371,5 +369,3 @@ void init_gnutella_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/gtp.c b/src/lib/protocols/gtp.c
index 0bdc4d8ee..ffe2b2498 100644
--- a/src/lib/protocols/gtp.c
+++ b/src/lib/protocols/gtp.c
@@ -1,7 +1,7 @@
/*
* gtp.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_GTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GTP
#include "ndpi_api.h"
@@ -89,5 +87,3 @@ void init_gtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/guildwars.c b/src/lib/protocols/guildwars.c
index 7b6581851..1cf3888cf 100644
--- a/src/lib/protocols/guildwars.c
+++ b/src/lib/protocols/guildwars.c
@@ -2,7 +2,7 @@
* guildwars.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_GUILDWARS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GUILDWARS
#include "ndpi_api.h"
@@ -78,5 +76,3 @@ void init_guildwars_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index 31c353a27..ddbcdadf3 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -1,16 +1,13 @@
/*
* h323.c
*
- * Copyright (C) 2015 ntop.org
+ * Copyright (C) 2015-18 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
*/
-
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_H323
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_H323
#include "ndpi_api.h"
@@ -115,5 +112,3 @@ void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/halflife2_and_mods.c b/src/lib/protocols/halflife2_and_mods.c
index 5319424fa..446703220 100644
--- a/src/lib/protocols/halflife2_and_mods.c
+++ b/src/lib/protocols/halflife2_and_mods.c
@@ -2,7 +2,7 @@
* halflife2_and_mods.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_HALFLIFE2
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HALFLIFE2
#include "ndpi_api.h"
@@ -77,5 +75,3 @@ void init_halflife2_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/hangout.c b/src/lib/protocols/hangout.c
index de35653ea..fc94aad5f 100644
--- a/src/lib/protocols/hangout.c
+++ b/src/lib/protocols/hangout.c
@@ -1,7 +1,7 @@
/*
* hangout.c
*
- * Copyright (C) 2012-16 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_HANGOUT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HANGOUT
#include "ndpi_api.h"
@@ -109,4 +107,3 @@ void init_hangout_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-#endif /* NDPI_PROTOCOL_HANGOUT */
diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c
index 1c7617c88..02a559af8 100644
--- a/src/lib/protocols/hep.c
+++ b/src/lib/protocols/hep.c
@@ -2,7 +2,7 @@
* hep.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
* Copyright (C) 2011-15 - QXIP BV
*
* This file is part of nDPI, an open source deep packet inspection
@@ -26,8 +26,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_HEP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HEP
#include "ndpi_api.h"
@@ -45,16 +43,17 @@ void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct nd
const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
- NDPI_LOG_DBG(ndpi_struct, "searching HEP\n");
- if (payload_len > 10) {
- if (memcmp(packet_payload, "HEP3", 4) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found HEP3\n");
- ndpi_int_hep_add_connection(ndpi_struct, flow);
- return;
- }
- }
+ NDPI_LOG_DBG(ndpi_struct, "searching HEP\n");
+
+ if(payload_len > 10) {
+ if(memcmp(packet_payload, "HEP3", 4) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found HEP3\n");
+ ndpi_int_hep_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
@@ -69,5 +68,3 @@ void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index ac5b9d173..09b816129 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -1,7 +1,7 @@
/*
* http.c
*
- * Copyright (C) 2011-17 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,12 +23,10 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_HTTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HTTP
#include "ndpi_api.h"
-
+#include "lruc.h"
/* global variables used for 1kxun protocol and iqiyi service */
@@ -121,7 +119,6 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str
}
#endif
-#ifdef NDPI_PROTOCOL_TEAMVIEWER
static void teamviewer_check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
@@ -140,10 +137,7 @@ static void teamviewer_check_http_payload(struct ndpi_detection_module_struct *n
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER);
}
}
-#endif
-
-#ifdef NDPI_PROTOCOL_RTSP
static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
@@ -154,7 +148,6 @@ static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTSP);
}
}
-#endif
static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *ua) {
@@ -179,7 +172,8 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
char *double_col = strchr((char*)flow->host_server_name, ':');
-
+ ndpi_protocol_match_result ret_match;
+
if(double_col) double_col[0] = '\0';
/**
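Review bot: `ndpi_protocol_match_result ret_match;` is declared without an initialiser, and nothing reads it after the call in any of the call sites this commit touches. Those are this one, the three in `check_content_type_and_change_protocol`, and the one in `ndpi_search_fbzero`. If the callee fills it only on a match, which cannot be confirmed from this page, a later reader of the variable would see indeterminate data. Writing `ndpi_protocol_match_result ret_match = { 0 };` costs nothing, and a short comment saying the result is deliberately ignored would document the intent.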
@@ -189,6 +183,7 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc
*/
ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name,
strlen((const char *)flow->host_server_name),
+ &ret_match,
NDPI_PROTOCOL_HTTP);
}
}
@@ -356,12 +351,16 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
packet->host_line.len, packet->host_line.ptr);
/* call ndpi_match_host_subprotocol to see if there is a match with known-host HTTP subprotocol */
- if((ndpi_struct->http_dont_dissect_response) || flow->http_detected)
+ if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) {
+ ndpi_protocol_match_result ret_match;
+
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char*)packet->host_line.ptr,
packet->host_line.len,
+ &ret_match,
NDPI_PROTOCOL_HTTP);
-
+ }
+
/* Copy result for nDPI apps */
if(!ndpi_struct->disable_metadata_export) {
len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1);
@@ -402,12 +401,16 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)
&& ((ndpi_struct->http_dont_dissect_response) || flow->http_detected)
- && (packet->http_origin.len > 0))
+ && (packet->http_origin.len > 0)) {
+ ndpi_protocol_match_result ret_match;
+
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)packet->http_origin.ptr,
packet->http_origin.len,
+ &ret_match,
NDPI_PROTOCOL_HTTP);
-
+ }
+
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n",
@@ -428,34 +431,32 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(packet->accept_line.ptr != NULL) {
NDPI_LOG_DBG2(ndpi_struct, "Accept line found %.*s\n",
packet->accept_line.len, packet->accept_line.ptr);
-#ifdef NDPI_PROTOCOL_RTSP
- if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_RTSP) != 0) {
+ if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask,
+ NDPI_PROTOCOL_RTSP) != 0) {
rtsp_parse_packet_acceptline(ndpi_struct, flow);
}
-#endif
}
/* search for line startin with "Icy-MetaData" */
-#ifdef NDPI_CONTENT_CATEGORY_MPEG
- for (a = 0; a < packet->parsed_lines; a++) {
+ for (a = 0; a < packet->parsed_lines; a++) {
if(packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found MPEG: Icy-MetaData\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_MPEG);
- return;
- }
+ NDPI_LOG_INFO(ndpi_struct, "found MPEG: Icy-MetaData\n");
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_MPEG);
+ return;
+ }
}
-#ifdef NDPI_CONTENT_CATEGORY_AVI
-#endif
-#endif
if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
- if((ndpi_struct->http_dont_dissect_response) || flow->http_detected)
+ if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) {
+ ndpi_protocol_match_result ret_match;
+
ndpi_match_content_subprotocol(ndpi_struct, flow,
(char*)packet->content_line.ptr, packet->content_line.len,
- NDPI_PROTOCOL_HTTP);
+ &ret_match, NDPI_PROTOCOL_HTTP);
+ }
}
}
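Review bot: The Icy-MetaData loop now uses `NDPI_CONTENT_CATEGORY_MPEG` unconditionally, while the sibling content categories in this file remain guarded. `#ifdef NDPI_CONTENT_CATEGORY_AVI` is still present in `init_http_dissector`, and `#ifdef NDPI_CONTENT_CATEGORY_OGG` is still present in `http_bitmask_exclude_other`. If the MPEG macro is not guaranteed to be defined, this file stops compiling in that configuration. Either confirm that the macro is always defined, or keep `#ifdef NDPI_CONTENT_CATEGORY_MPEG` around the loop. The removed empty `#ifdef NDPI_CONTENT_CATEGORY_AVI` / `#endif` pair is a good cleanup.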
@@ -471,10 +472,8 @@ static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct,
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_CONTENT_CATEGORY_AVI) != 0)
avi_check_http_payload(ndpi_struct, flow);
#endif
-#ifdef NDPI_PROTOCOL_TEAMVIEWER
- teamviewer_check_http_payload(ndpi_struct, flow);
-#endif
+ teamviewer_check_http_payload(ndpi_struct, flow);
}
/**
@@ -550,9 +549,8 @@ static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
#ifdef NDPI_CONTENT_CATEGORY_OGG
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_OGG);
#endif
-#ifdef NDPI_PROTOCOL_XBOX
+
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
-#endif
}
/*************************************************************************************************/
@@ -615,7 +613,23 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
<allow-access-from domain="*.speedtest.net" to-ports="8080"/>
</cross-domain-policy>
*/
+ ookla_found:
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
+
+ if(ndpi_struct->ookla_cache == NULL)
+ ndpi_struct->ookla_cache = lruc_new(4*1024, 1024);
+
+ if(ndpi_struct->ookla_cache != NULL) {
+ u_int8_t *dummy = (u_int8_t*)ndpi_malloc(sizeof(u_int8_t));
+
+ if(dummy) {
+ if(packet->tcp->source == htons(8080))
+ lruc_set((lruc*)ndpi_struct->ookla_cache, (void*)&packet->iph->saddr, 4, dummy, 1);
+ else
+ lruc_set((lruc*)ndpi_struct->ookla_cache, (void*)&packet->iph->daddr, 4, dummy, 1);
+ }
+ }
+
return;
}
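Review bot: The cache insert dereferences `packet->iph` without a NULL check and passes `lruc_set` a key that points into the packet itself. If this path can be reached for IPv6 flows, where `iph` is presumably unset, the insert crashes; `if(ndpi_struct->ookla_cache != NULL && packet->iph != NULL) {` avoids that. Whether `lruc_set` copies the 4-byte key is not visible here. If it keeps the pointer, the entry dangles once the packet buffer is reused, so the address should be copied into owned memory first. The `dummy` byte is stored uninitialised and would leak if the insert fails without freeing it. `ookla_found:` also sits inside a block that the later `goto`s enter from elsewhere in `ndpi_check_http_tcp`, whose body extends beyond this hunk.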
@@ -665,9 +679,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
/* Check for Ookla */
if((packet->referer_line.len > 0)
- && ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP);
- return;
+ && ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) {
+ goto ookla_found;
}
/* Check for additional field introduced by Steam */
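Review bot: Routing the Referer match through `ookla_found` lets a header the client fully controls populate the per-address Ookla cache. It also changes the reported master protocol for this case from `NDPI_PROTOCOL_HTTP` to `NDPI_PROTOCOL_UNKNOWN`. If the cache is later used to label flows by address alone (the lookup is not part of this page), unrelated traffic to a cached host could be mislabelled. Keeping the original `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP); return;` here would leave the cache fed only by the payload signatures. The same master-protocol change applies to the 34-byte case in the next hunk, which previously went through `ndpi_int_http_add_connection`.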
@@ -784,17 +797,15 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if((packet->payload_packet_len == 34) && (flow->l4.tcp.http_stage == 1)) {
if((packet->payload[5] == ' ') && (packet->payload[9] == ' ')) {
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA);
- return;
+ goto ookla_found;
}
}
if((packet->payload_packet_len > 6) && memcmp(packet->payload, "HELLO ", 6) == 0) {
/* This looks like Ookla */
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
- return;
+ goto ookla_found;
} else
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
/**
At first check, if this is for sure a response packet (in another direction. If not, if HTTP is detected do nothing now and return,
@@ -1007,7 +1018,7 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ADD_TO_DETECTION_BITMASK);
*id += 1;
#endif
-#ifdef NDPI_PROTOCOL_XBOX
+
ndpi_set_bitmask_protocol_detection("Xbox", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_XBOX,
ndpi_search_http_tcp,
@@ -1015,8 +1026,7 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_QQ
+
ndpi_set_bitmask_protocol_detection("QQ", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_QQ,
ndpi_search_http_tcp,
@@ -1024,7 +1034,7 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
+
#ifdef NDPI_CONTENT_CATEGORY_AVI
ndpi_set_bitmask_protocol_detection("AVI", ndpi_struct, detection_bitmask, *id,
NDPI_CONTENT_CATEGORY_AVI,
@@ -1069,7 +1079,4 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
a++;
#endif
-
}
-
-#endif
diff --git a/src/lib/protocols/http_activesync.c b/src/lib/protocols/http_activesync.c
index 55451f6bf..0bf267290 100644
--- a/src/lib/protocols/http_activesync.c
+++ b/src/lib/protocols/http_activesync.c
@@ -2,7 +2,7 @@
* http_activesync.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -26,42 +26,39 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HTTP_ACTIVESYNC
#include "ndpi_api.h"
static void ndpi_int_activesync_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, NDPI_PROTOCOL_HTTP);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_ACTIVESYNC, NDPI_PROTOCOL_HTTP);
}
void ndpi_search_activesync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_packet_struct *packet = &flow->packet;
- NDPI_LOG_DBG(ndpi_struct, "search activesync\n");
- if (packet->tcp != NULL) {
-
- if (packet->payload_packet_len > 150
- && ((memcmp(packet->payload, "OPTIONS /Microsoft-Server-ActiveSync?", 37) == 0)
- || (memcmp(packet->payload, "POST /Microsoft-Server-ActiveSync?", 34) == 0))) {
- ndpi_int_activesync_add_connection(ndpi_struct, flow);
- NDPI_LOG_INFO(ndpi_struct, "found ActiveSync \n");
- return;
- }
- }
+ NDPI_LOG_DBG(ndpi_struct, "search activesync\n");
+ if (packet->tcp != NULL) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ if (packet->payload_packet_len > 150
+ && ((memcmp(packet->payload, "OPTIONS /Microsoft-Server-ActiveSync?", 37) == 0)
+ || (memcmp(packet->payload, "POST /Microsoft-Server-ActiveSync?", 34) == 0))) {
+ ndpi_int_activesync_add_connection(ndpi_struct, flow);
+ NDPI_LOG_INFO(ndpi_struct, "found ActiveSync \n");
+ return;
+ }
+ }
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
-
-void init_http_activesync_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_http_activesync_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("HTTP_Application_ActiveSync", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC,
+ NDPI_PROTOCOL_HTTP_ACTIVESYNC,
ndpi_search_activesync,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
@@ -70,4 +67,3 @@ void init_http_activesync_dissector(struct ndpi_detection_module_struct *ndpi_st
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/iax.c b/src/lib/protocols/iax.c
index 7f6e960f1..104a59be4 100644
--- a/src/lib/protocols/iax.c
+++ b/src/lib/protocols/iax.c
@@ -2,7 +2,7 @@
* iax.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_IAX
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IAX
#include "ndpi_api.h"
@@ -107,5 +105,3 @@ void init_iax_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c
index 23aca33e9..515d5b572 100644
--- a/src/lib/protocols/icecast.c
+++ b/src/lib/protocols/icecast.c
@@ -2,7 +2,7 @@
* icecast.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_ICECAST
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ICECAST
#include "ndpi_api.h"
@@ -42,13 +40,13 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s
NDPI_LOG_DBG(ndpi_struct, "search icecast\n");
- if ((packet->payload_packet_len < 500 &&
+ if((packet->payload_packet_len < 500 &&
packet->payload_packet_len >= 7 && memcmp(packet->payload, "SOURCE ", 7) == 0)
|| flow->l4.tcp.icecast_stage) {
ndpi_parse_packet_line_info_any(ndpi_struct, flow);
NDPI_LOG_DBG2(ndpi_struct, "Icecast lines=%d\n", packet->parsed_lines);
for (i = 0; i < packet->parsed_lines; i++) {
- if (packet->line[i].ptr != NULL && packet->line[i].len > 4
+ if(packet->line[i].ptr != NULL && packet->line[i].len > 4
&& memcmp(packet->line[i].ptr, "ice-", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found Icecast\n");
ndpi_int_icecast_add_connection(ndpi_struct, flow);
@@ -56,28 +54,30 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s
}
}
- if (packet->parsed_lines < 1 && !flow->l4.tcp.icecast_stage) {
+ if(packet->parsed_lines < 1 && !flow->l4.tcp.icecast_stage) {
flow->l4.tcp.icecast_stage = 1;
return;
}
}
-#ifdef NDPI_PROTOCOL_HTTP
- if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) {
+
+ if(NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) {
goto icecast_exclude;
}
-#endif
- if (packet->packet_direction == flow->setup_packet_direction && flow->packet_counter < 10) {
+ if((packet->packet_direction == flow->setup_packet_direction)
+ && (flow->packet_counter < 10)) {
return;
}
- if (packet->packet_direction != flow->setup_packet_direction) {
+ if(packet->packet_direction != flow->setup_packet_direction) {
/* server answer, now test Server for Icecast */
ndpi_parse_packet_line_info(ndpi_struct, flow);
- if (packet->server_line.ptr != NULL && packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast") &&
- memcmp(packet->server_line.ptr, "Icecast", NDPI_STATICSTRING_LEN("Icecast")) == 0) {
+ if((packet->server_line.ptr != NULL)
+ && (packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast"))
+ && memcmp(packet->server_line.ptr, "Icecast",
+ NDPI_STATICSTRING_LEN("Icecast")) == 0) {
/* TODO maybe store the previous protocol type as subtype?
* e.g. ogg or mpeg
*/
@@ -103,5 +103,3 @@ void init_icecast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/ipp.c b/src/lib/protocols/ipp.c
index fcf25a758..4f4f2438f 100644
--- a/src/lib/protocols/ipp.c
+++ b/src/lib/protocols/ipp.c
@@ -2,7 +2,7 @@
* ipp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_IPP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IPP
#include "ndpi_api.h"
@@ -123,5 +121,3 @@ void init_ipp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index 7bdd543c3..12660b528 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -2,7 +2,7 @@
* irc.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_IRC
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IRC
#include "ndpi_api.h"
@@ -778,8 +776,8 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
}
}
-
-void init_irc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_irc_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("IRC", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IRC,
@@ -791,4 +789,3 @@ void init_irc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c
index 05950d8c5..3917b8b20 100644
--- a/src/lib/protocols/jabber.c
+++ b/src/lib/protocols/jabber.c
@@ -2,7 +2,7 @@
* jabber.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNENCRYPTED_JABBER
#include "ndpi_api.h"
@@ -36,10 +34,8 @@ struct jabber_string {
};
static struct jabber_string jabber_strings[] = {
-#ifdef NDPI_PROTOCOL_TRUPHONE
{ "='im.truphone.com'", NDPI_PROTOCOL_TRUPHONE },
{ "=\"im.truphone.com\"", NDPI_PROTOCOL_TRUPHONE },
-#endif
{ NULL, 0 }
};
@@ -289,9 +285,8 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-#ifdef NDPI_PROTOCOL_TRUPHONE
- ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TRUPHONE,__FILE__,__FUNCTION__,__LINE__);
-#endif
+ ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TRUPHONE,
+ __FILE__,__FUNCTION__,__LINE__);
}
@@ -306,4 +301,4 @@ void init_jabber_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
+
diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c
index 87c1ef061..1869e06db 100644
--- a/src/lib/protocols/kakaotalk_voice.c
+++ b/src/lib/protocols/kakaotalk_voice.c
@@ -1,7 +1,7 @@
/*
* kakaotalk_voice.c
*
- * Copyright (C) 2015 - ntop.org
+ * Copyright (C) 2015-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -26,8 +26,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_KAKAOTALK_VOICE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KAKAOTALK_VOICE
#include "ndpi_api.h"
@@ -66,7 +64,8 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc
}
-void init_kakaotalk_voice_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_kakaotalk_voice_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("KakaoTalk_Voice", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_KAKAOTALK_VOICE,
@@ -77,4 +76,3 @@ void init_kakaotalk_voice_dissector(struct ndpi_detection_module_struct *ndpi_st
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index 71f4a8636..8b059a1a2 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -2,7 +2,7 @@
* kerberos.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_KERBEROS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KERBEROS
#include "ndpi_api.h"
@@ -80,4 +78,3 @@ void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/kontiki.c b/src/lib/protocols/kontiki.c
index 425fd6b1b..4882c7797 100644
--- a/src/lib/protocols/kontiki.c
+++ b/src/lib/protocols/kontiki.c
@@ -2,7 +2,7 @@
* kontiki.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_KONTIKI
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KONTIKI
#include "ndpi_api.h"
@@ -66,7 +64,8 @@ void ndpi_search_kontiki(struct ndpi_detection_module_struct *ndpi_struct, struc
}
-void init_kontiki_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_kontiki_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("Kontiki", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_KONTIKI,
@@ -78,4 +77,3 @@ void init_kontiki_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/ldap.c b/src/lib/protocols/ldap.c
index 4adb7c471..49b1a39d4 100644
--- a/src/lib/protocols/ldap.c
+++ b/src/lib/protocols/ldap.c
@@ -2,7 +2,7 @@
* ldap.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_LDAP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_LDAP
#include "ndpi_api.h"
@@ -104,4 +102,3 @@ void init_ldap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c
index e507be9f9..7343ca034 100644
--- a/src/lib/protocols/lisp.c
+++ b/src/lib/protocols/lisp.c
@@ -1,12 +1,30 @@
-#include "ndpi_protocol_ids.h"
+/*
+ * list.c
+ *
+ * Copyright (C) 2017-18 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
-#ifdef NDPI_PROTOCOL_LISP
+#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_LISP
#include "ndpi_api.h"
-#define LISP_PORT 4341
+#define LISP_PORT 4341
#define LISP_PORT1 4342
static void ndpi_int_lisp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
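Review bot: The new header comment names the file `list.c`, but this is `src/lib/protocols/lisp.c`, so the first comment line should read ` * lisp.c`. The wrong name will mislead anyone grepping the tree by header; the licence text and the include move in the rest of the hunk need no change.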
@@ -68,4 +86,3 @@ void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/lotus_notes.c b/src/lib/protocols/lotus_notes.c
index 5750c50cd..d5f8f1310 100644
--- a/src/lib/protocols/lotus_notes.c
+++ b/src/lib/protocols/lotus_notes.c
@@ -1,7 +1,7 @@
/*
* lotus_notes.c
*
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,13 +20,10 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_LOTUS_NOTES
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_LOTUS_NOTES
#include "ndpi_api.h"
-
/* ************************************ */
static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct,
@@ -84,4 +81,3 @@ void init_lotus_notes_dissector(struct ndpi_detection_module_struct *ndpi_struct
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 2c3d3d2d7..65341cdc8 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -1,7 +1,7 @@
/*
* mail_imap.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MAIL_IMAP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAIL_IMAP
#include "ndpi_api.h"
@@ -48,12 +46,10 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search IMAP_IMAP\n");
if (flow->l4.tcp.mail_imap_starttls == 2) {
-#ifdef NDPI_PROTOCOL_SSL
NDPI_LOG_DBG2(ndpi_struct, "starttls detected\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_IMAP);
NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL);
return;
-#endif
}
if (packet->payload_packet_len >= 4 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) {
@@ -320,5 +316,3 @@ void init_mail_imap_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index 4f9a6ea5f..83847f1f8 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -2,7 +2,7 @@
* mail_pop.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MAIL_POP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAIL_POP
#include "ndpi_api.h"
@@ -212,5 +210,3 @@ void init_mail_pop_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 252c74ffe..f7fbd337c 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -2,7 +2,7 @@
* mail_smtp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MAIL_SMTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAIL_SMTP
#include "ndpi_api.h"
@@ -189,4 +187,3 @@ void init_mail_smtp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/maplestory.c b/src/lib/protocols/maplestory.c
index a55c2cc11..e45729b8b 100644
--- a/src/lib/protocols/maplestory.c
+++ b/src/lib/protocols/maplestory.c
@@ -2,7 +2,7 @@
* maplestory.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MAPLESTORY
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAPLESTORY
#include "ndpi_api.h"
@@ -94,5 +92,3 @@ void init_maplestory_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/mdns.c b/src/lib/protocols/mdns_proto.c
index 17a6d921d..77bdf4208 100644
--- a/src/lib/protocols/mdns.c
+++ b/src/lib/protocols/mdns_proto.c
@@ -1,7 +1,7 @@
/*
* mdns.c
*
- * Copyright (C) 2016-17 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -22,8 +22,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MDNS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MDNS
#include "ndpi_api.h"
@@ -159,4 +157,3 @@ void init_mdns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c
index bb317f5d5..e4b694ea6 100644
--- a/src/lib/protocols/megaco.c
+++ b/src/lib/protocols/megaco.c
@@ -2,7 +2,7 @@
* megaco.c
*
* Copyright (C) 2014 by Gianluca Costa http://www.capanalysis.net
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,14 +20,13 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MEGACO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MEGACO
#include "ndpi_api.h"
-void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
@@ -61,4 +60,3 @@ void init_megaco_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/memcached.c b/src/lib/protocols/memcached.c
new file mode 100644
index 000000000..e9deb5cc9
--- /dev/null
+++ b/src/lib/protocols/memcached.c
@@ -0,0 +1,189 @@
+/*
+ * memcached.c
+ *
+ * Copyright (C) 2009-2011 by ipoque GmbH
+ * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2018 - eGloo Incorporated
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MEMCACHED
+
+#include "ndpi_api.h"
+
+#define MCDC_SET "set "
+#define MCDC_SET_LEN (sizeof(MCDC_SET) - 1)
+#define MCDC_ADD "add "
+#define MCDC_ADD_LEN (sizeof(MCDC_ADD) - 1)
+#define MCDC_REPLACE "replace "
+#define MCDC_REPLACE_LEN (sizeof(MCDC_REPLACE) - 1)
+#define MCDC_APPEND "append "
+#define MCDC_APPEND_LEN (sizeof(MCDC_APPEND) - 1)
+#define MCDC_PREPEND "prepend "
+#define MCDC_PREPEND_LEN (sizeof(MCDC_PREPEND) - 1)
+#define MCDC_CAS "cas "
+#define MCDC_CAS_LEN (sizeof(MCDC_CAS) - 1)
+#define MCDC_GET "get "
+#define MCDC_GET_LEN (sizeof(MCDC_GET) - 1)
+#define MCDC_GETS "gets "
+#define MCDC_GETS_LEN (sizeof(MCDC_GETS) - 1)
+#define MCDC_DELETE "delete "
+#define MCDC_DELETE_LEN (sizeof(MCDC_DELETE) - 1)
+#define MCDC_INCR "incr "
+#define MCDC_INCR_LEN (sizeof(MCDC_INCR) - 1)
+#define MCDC_DECR "decr "
+#define MCDC_DECR_LEN (sizeof(MCDC_DECR) - 1)
+#define MCDC_TOUCH "touch "
+#define MCDC_TOUCH_LEN (sizeof(MCDC_TOUCH) - 1)
+#define MCDC_GAT "gat "
+#define MCDC_GAT_LEN (sizeof(MCDC_GAT) - 1)
+#define MCDC_GATS "gats "
+#define MCDC_GATS_LEN (sizeof(MCDC_GATS) - 1)
+#define MCDC_STATS "stats"
+#define MCDC_STATS_LEN (sizeof(MCDC_STATS) - 1)
+
+#define MCDR_ERROR "ERROR\r\n"
+#define MCDR_ERROR_LEN (sizeof(MCDR_ERROR) - 1)
+#define MCDR_CLIENT_ERROR "CLIENT_ERROR "
+#define MCDR_CLIENT_ERROR_LEN (sizeof(MCDR_CLIENT_ERROR) - 1)
+#define MCDR_SERVER_ERROR "SERVER_ERROR "
+#define MCDR_SERVER_ERROR_LEN (sizeof(MCDR_SERVER_ERROR) - 1)
+#define MCDR_STORED "STORED\r\n"
+#define MCDR_STORED_LEN (sizeof(MCDR_STORED) - 1)
+#define MCDR_NOT_STORED "NOT_STORED\r\n"
+#define MCDR_NOT_STORED_LEN (sizeof(MCDR_NOT_STORED) - 1)
+#define MCDR_EXISTS "EXISTS\r\n"
+#define MCDR_EXISTS_LEN (sizeof(MCDR_EXISTS) - 1)
+#define MCDR_NOT_FOUND "NOT_FOUND\r\n"
+#define MCDR_NOT_FOUND_LEN (sizeof(MCDR_NOT_FOUND) - 1)
+#define MCDR_END "END\r\n"
+#define MCDR_END_LEN (sizeof(MCDR_END) - 1)
+#define MCDR_DELETED "DELETED\r\n"
+#define MCDR_DELETED_LEN (sizeof(MCDR_DELETED) - 1)
+#define MCDR_TOUCHED "TOUCHED\r\n"
+#define MCDR_TOUCHED_LEN (sizeof(MCDR_TOUCHED) - 1)
+#define MCDR_STAT "STAT "
+#define MCDR_STAT_LEN (sizeof(MCDR_STAT) - 1)
+
+#define MEMCACHED_UDP_HDR_LEN 8
+#define MEMCACHED_MIN_LEN MCDR_END_LEN
+#define MEMCACHED_MIN_UDP_LEN (MEMCACHED_MIN_LEN + MEMCACHED_UDP_HDR_LEN)
+
+#define MEMCACHED_MIN_MATCH 2 /* Minimum number of command/responses required */
+
+#define MEMCACHED_MATCH(cr) memcmp(offset, cr, cr ## _LEN)
+
+static void ndpi_int_memcached_add_connection(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ NDPI_LOG_INFO(ndpi_struct, "found memcached\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow,
+ NDPI_PROTOCOL_MEMCACHED, NDPI_PROTOCOL_UNKNOWN);
+}
+
+void ndpi_search_memcached(
+ struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+ const u_int8_t *offset = packet->payload;
+ u_int8_t *matches;
+
+ NDPI_LOG_DBG(ndpi_struct, "search memcached\n");
+
+ if (packet->tcp != NULL) {
+ if (packet->payload_packet_len < MEMCACHED_MIN_LEN) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ matches = &flow->l4.tcp.memcached_matches;
+ }
+ else if (packet->udp != NULL) {
+ if (packet->payload_packet_len < MEMCACHED_MIN_UDP_LEN) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ if ((offset[4] == 0x00 && offset[5] == 0x00) ||
+ offset[6] != 0x00 || offset[7] != 0x00) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ offset += MEMCACHED_UDP_HDR_LEN;
+ matches = &flow->l4.udp.memcached_matches;
+ }
+ else {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ /* grep MCD memcached.c |\
+ * egrep -v '(LEN|MATCH)' |\
+ * sed -e 's/^#define //g' |\
+ * awk '{ printf "else if (! MEMCACHED_MATCH(%s)) *matches += 1;\n",$1 }' */
+
+ if (! MEMCACHED_MATCH(MCDC_SET)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_ADD)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_REPLACE)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_APPEND)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_PREPEND)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_CAS)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_GET)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_GETS)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_DELETE)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_INCR)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_DECR)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_TOUCH)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_GAT)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_GATS)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDC_STATS)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_ERROR)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_CLIENT_ERROR)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_SERVER_ERROR)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_STORED)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_NOT_STORED)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_EXISTS)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_NOT_FOUND)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_END)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_DELETED)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_TOUCHED)) *matches += 1;
+ else if (! MEMCACHED_MATCH(MCDR_STAT)) *matches += 1;
+
+ if (*matches >= MEMCACHED_MIN_MATCH)
+ ndpi_int_memcached_add_connection(ndpi_struct, flow);
+}
+
+void init_memcached_dissector(
+ struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("MEMCACHED",
+ ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_MEMCACHED,
+ ndpi_search_memcached,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
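Review bot: `MEMCACHED_MATCH` compares up to 13 bytes (`MCDR_CLIENT_ERROR_LEN`) at `offset`, but `ndpi_search_memcached` only guarantees `MEMCACHED_MIN_LEN` (5) payload bytes on TCP and 5 bytes after the 8-byte header on UDP, so a short packet whose bytes are a prefix of a longer token lets `memcmp` read past the end of the payload. Track the remaining length with `u_int16_t length = packet->payload_packet_len;`, subtract with `length -= MEMCACHED_UDP_HDR_LEN;` in the UDP branch, and fold it into the macro: `#define MEMCACHED_MATCH(cr) ((cr ## _LEN > length) || memcmp(offset, cr, cr ## _LEN))`. Separately, when no token matches, the function returns without calling `NDPI_EXCLUDE_PROTO`, so it looks as if the dissector stays active for every later packet of the flow; a packet-count cutoff before excluding would bound that work.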
diff --git a/src/lib/protocols/mgcp.c b/src/lib/protocols/mgcp.c
index 69fe33fac..86fadcb63 100644
--- a/src/lib/protocols/mgcp.c
+++ b/src/lib/protocols/mgcp.c
@@ -1,7 +1,7 @@
/*
* mgcp.c
*
- * Copyright (C) 2017 - ntop.org
+ * Copyright (C) 2017-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,14 +23,10 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MGCP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MGCP
#include "ndpi_api.h"
-
-
static void ndpi_int_mgcp_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
@@ -93,4 +89,3 @@ void init_mgpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c
new file mode 100644
index 000000000..ec094e7d3
--- /dev/null
+++ b/src/lib/protocols/mining.c
@@ -0,0 +1,94 @@
+/*
+ * mining.c [Bitcoin, Ethereum, ZCash, Monero]
+ *
+ * Copyright (C) 2018 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#include "ndpi_protocol_ids.h"
+
+#include "ndpi_api.h"
+
+void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search MINING\n");
+
+ /* Check connection over TCP */
+ if(packet->tcp && (packet->payload_packet_len > 10)) {
+
+ if(packet->tcp->source == htons(8333)) {
+ /*
+ Bitcoin
+
+ bitcoin.magic == 0xf9beb4d9 || bitcoin.magic == 0xfabfb5da
+ */
+ u_int32_t magic = htonl(0xf9beb4d9), magic1 = htonl(0xfabfb5da), *to_match = (u_int32_t*)packet->payload;
+
+ if((*to_match == magic) || (*to_match == magic1)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ }
+ } if(ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len)
+ || ndpi_strnstr((const char *)packet->payload, "\"worker\"", packet->payload_packet_len)
+ || ndpi_strnstr((const char *)packet->payload, "\"id\"", packet->payload_packet_len)) {
+ /*
+ Ethereum
+
+ {"worker": "eth1.0", "jsonrpc": "2.0", "params": ["0x0fccfff9e61a230ff380530c6827caf4759337c6.rig2", "x"], "id": 2, "method": "eth_submitLogin"}
+ { "id": 2, "jsonrpc":"2.0","result":true}
+ {"worker": "", "jsonrpc": "2.0", "params": [], "id": 3, "method": "eth_getWork"}
+ */
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ } else if(ndpi_strnstr((const char *)packet->payload, "\"method\"", packet->payload_packet_len)
+ || ndpi_strnstr((const char *)packet->payload, "\"blob\"", packet->payload_packet_len)
+ || ndpi_strnstr((const char *)packet->payload, "\"id\"", packet->payload_packet_len)) {
+ /*
+ ZCash
+
+ {"method":"login","params":{"login":"4BCeEPhodgPMbPWFN1dPwhWXdRX8q4mhhdZdA1dtSMLTLCEYvAj9QXjXAfF7CugEbmfBhgkqHbdgK9b2wKA6nqRZQCgvCDm.cb2b73415c4faf214035a73b9d947c202342f3bf3bdf632132bd6d7af98cb257.ryzen","pass":"x","agent":"xmr-stak-cpu/1.3.0-1.5.0"},"id":1}
+ {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"479059546883218","job":{"blob":"0606e89883d205a65d8ee78991838a1cf3ec2ebbc5fb1fa43dec5fa1cd2bee4069212a549cd731000000005a88235653097aa3e97ef2ceef4aee610751a828f9be1a0758a78365fb0a4c8c05","job_id":"722134174127131","target":"dc460300"},"status":"OK"}}
+ {"method":"submit","params":{"id":"479059546883218","job_id":"722134174127131","nonce":"98024001","result":"c9be9381a68d533c059d614d961e0534d7d8785dd5c339c2f9596eb95f320100"},"id":1}
+
+ Monero
+
+ {"method":"login","params":{"login":"4BCeEPhodgPMbPWFN1dPwhWXdRX8q4mhhdZdA1dtSMLTLCEYvAj9QXjXAfF7CugEbmfBhgkqHbdgK9b2wKA6nqRZQCgvCDm.cb2b73415c4faf214035a73b9d947c202342f3bf3bdf632132bd6d7af98cb257.ryzen","pass":"x","agent":"xmr-stak-cpu/1.3.0-1.5.0"},"id":1}
+ {"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"479059546883218","job":{"blob":"0606e89883d205a65d8ee78991838a1cf3ec2ebbc5fb1fa43dec5fa1cd2bee4069212a549cd731000000005a88235653097aa3e97ef2ceef4aee610751a828f9be1a0758a78365fb0a4c8c05","job_id":"722134174127131","target":"dc460300"},"status":"OK"}}
+ {"method":"submit","params":{"id":"479059546883218","job_id":"722134174127131","nonce":"98024001","result":"c9be9381a68d533c059d614d961e0534d7d8785dd5c339c2f9596eb95f320100"},"id":1}
+ */
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
+ }
+ }
+
+ ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, __FILE__, __FUNCTION__, __LINE__);
+}
+
+
+void init_mining_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("Mining", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_MINING,
+ ndpi_search_mining_tcp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
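Review bot: Both `ndpi_strnstr` chains in ndpi_search_mining_tcp OR their keywords together and both include `"\"id\""`, so any TCP payload longer than 10 bytes that contains `"id"` is labelled NDPI_PROTOCOL_MINING, and generic JSON-RPC traffic would match. That makes the label unreliable as a cryptomining indicator. At minimum the `"\"id\""` alternative should be dropped from both chains, and `"\"method\""` should be combined with a mining-specific token using `&&` rather than accepted alone. Separately, `} if(` before the Ethereum test looks like a missing `else`, and `ndpi_exclude_protocol(...)` at the end runs even after a match; a `return;` after each `ndpi_set_detected_protocol(...)` call would keep a detected flow from also being excluded.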
diff --git a/src/lib/protocols/mpegts.c b/src/lib/protocols/mpegts.c
index 3558bdce7..c1f227565 100644
--- a/src/lib/protocols/mpegts.c
+++ b/src/lib/protocols/mpegts.c
@@ -2,7 +2,7 @@
* mpegts.c (MPEG Transport Stream)
* https://en.wikipedia.org/wiki/MPEG_transport_stream
*
- * Copyright (C) 2015 - ntop.org
+ * Copyright (C) 2015-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -21,8 +21,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MPEGTS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MPEGTS
#include "ndpi_api.h"
@@ -65,4 +63,3 @@ void init_mpegts_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c
index 950dde5d1..45669c03a 100644
--- a/src/lib/protocols/mqtt.c
+++ b/src/lib/protocols/mqtt.c
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MQTT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MQTT
#include "ndpi_api.h"
@@ -232,7 +230,7 @@ void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct,
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT);
return;
} else {
- NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n",pt);
+ NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n");
ndpi_int_mqtt_add_connection(ndpi_struct,flow);
return;
}
@@ -255,5 +253,4 @@ void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,
*id +=1;
}
-#endif // NDPI_PROTOCOL_MQTT
diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c
index ec090cf00..8ab45ad32 100644
--- a/src/lib/protocols/msn.c
+++ b/src/lib/protocols/msn.c
@@ -2,7 +2,7 @@
* msn.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,9 +24,6 @@
#include "ndpi_protocol_ids.h"
-
-#ifdef NDPI_PROTOCOL_MSN
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MSN
#include "ndpi_api.h"
@@ -65,7 +62,6 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
u_int16_t plen;
u_int16_t status = 0;
-#ifdef NDPI_PROTOCOL_SSL
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
NDPI_LOG_DBG2(ndpi_struct, "msn ssl ft test\n");
@@ -73,28 +69,32 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(flow->packet_counter < 10) {
if(flow->packet_counter == 7 && packet->payload_packet_len > 300) {
if(memcmp(packet->payload + 24, "MSNSLP", 6) == 0
- || (get_u_int32_t(packet->payload, 0) == htonl(0x30000000) && get_u_int32_t(packet->payload, 4) == 0x00000000)) {
+ || (get_u_int32_t(packet->payload, 0) == htonl(0x30000000)
+ && get_u_int32_t(packet->payload, 4) == 0x00000000)) {
NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer, ifdef ssl\n");
ndpi_int_msn_add_connection(ndpi_struct, flow);
return;
}
}
- if(flow->packet_counter >= 5 && flow->packet_counter <= 10 && (get_u_int32_t(packet->payload, 0) == htonl(0x18000000)
- && get_u_int32_t(packet->payload, 4) == 0x00000000)) {
+
+ if(flow->packet_counter >= 5 && flow->packet_counter <= 10
+ && (get_u_int32_t(packet->payload, 0) == htonl(0x18000000)
+ && get_u_int32_t(packet->payload, 4) == 0x00000000)) {
flow->l4.tcp.msn_ssl_ft++;
NDPI_LOG_DBG2(ndpi_struct,
- "increased msn ft ssl stage to: %u at packet nr: %u\n", flow->l4.tcp.msn_ssl_ft,
+ "increased msn ft ssl stage to: %u at packet nr: %u\n",
+ flow->l4.tcp.msn_ssl_ft,
flow->packet_counter);
if (flow->l4.tcp.msn_ssl_ft == 2) {
NDPI_LOG_INFO(ndpi_struct,
"found MSN File Transfer, ifdef ssl 2.\n");
ndpi_int_msn_add_connection(ndpi_struct, flow);
}
+
return;
}
}
}
-#endif
/* we detect the initial connection only ! */
/* match: "VER " ..... "CVR" x 0x0d 0x0a
@@ -103,15 +103,17 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
*/
/* now we have a look at the first packet only. */
if(flow->packet_counter == 1
-#ifdef NDPI_PROTOCOL_SSL
- || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) && flow->packet_counter <= 3)
-#endif
+ || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)
+ && flow->packet_counter <= 3)
) {
/* this part is working asymmetrically */
- if(packet->payload_packet_len > 32 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x00)
- && (ntohl(get_u_int32_t(packet->payload, 8)) == 0x2112a442 || ntohl(get_u_int32_t(packet->payload, 4)) == 0x2112a442)
- && ((ntohl(get_u_int32_t(packet->payload, 24)) == 0x000f0004 && ntohl(get_u_int32_t(packet->payload, 28)) == 0x72c64bc6)
+ if(packet->payload_packet_len > 32
+ && (packet->payload[0] == 0x02 || packet->payload[0] == 0x00)
+ && (ntohl(get_u_int32_t(packet->payload, 8)) == 0x2112a442
+ || ntohl(get_u_int32_t(packet->payload, 4)) == 0x2112a442)
+ && ((ntohl(get_u_int32_t(packet->payload, 24)) == 0x000f0004
+ && ntohl(get_u_int32_t(packet->payload, 28)) == 0x72c64bc6)
|| (ntohl(get_u_int32_t(packet->payload, 20)) == 0x000f0004
&& ntohl(get_u_int32_t(packet->payload, 24)) == 0x72c64bc6))) {
NDPI_LOG_INFO(ndpi_struct,
@@ -145,10 +147,9 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
}
}
+
if(
-#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
-#endif
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "GET ") ||
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "POST ")) {
ndpi_parse_packet_line_info(ndpi_struct, flow);
@@ -160,18 +161,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
return;
}
}
-/* #ifdef NDPI_PROTOCOL_HTTP */
-/* /\* we have to examine two http packets *\/ */
-/* if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) { */
-/* } */
-/* #endif */
+
/* not seen this pattern in any trace */
/* now test for http login, at least 100 a bytes packet */
if(packet->payload_packet_len > 100) {
if(
-#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
-#endif
memcmp(packet->payload, "POST http://", 12) == 0) {
/* scan packet if not already done... */
ndpi_parse_packet_line_info(ndpi_struct, flow);
@@ -193,9 +188,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
/* for this case the asymmetric detection is asym (1) */
if(packet->payload_packet_len > 400) {
if((
-#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
-#endif
(memcmp(packet->payload, "POST ", 5) == 0))) {
u_int16_t c;
if(memcmp(&packet->payload[5], "http://", 7) == 0) {
@@ -259,9 +252,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
&& packet->payload_packet_len > 100) {
/* not necessary to check the length, because this has been done : >400. */
if(
-#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
-#endif
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "HTTP/1.0 200 OK") ||
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "HTTP/1.1 200 OK")
) {
@@ -342,9 +333,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct
packet->payload_packet_len > 100) {
/* not necessary to check the length, because this has been done : >400. */
if(
-#ifdef NDPI_PROTOCOL_HTTP
packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
-#endif
(memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) ||
(memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0)) {
@@ -507,15 +496,9 @@ void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct nd
/* the detection can switch out the http or the ssl detection. In this case we need not check those protocols */
// need to do the ceck when protocol == http too (POST /gateway ...)
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
-#ifdef NDPI_PROTOCOL_HTTP
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
-#endif
-#ifdef NDPI_PROTOCOL_SSL
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL
-#endif
-#ifdef NDPI_PROTOCOL_STUN
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
-#endif
)
ndpi_search_msn_tcp(ndpi_struct, flow);
} else if (packet->udp != NULL) {
@@ -525,7 +508,8 @@ void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
-void init_msn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_msn_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
NDPI_BITMASK_RESET(ndpi_struct->callback_buffer[*id].excluded_protocol_bitmask);
@@ -540,4 +524,3 @@ void init_msn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/mssql_tds.c b/src/lib/protocols/mssql_tds.c
index 75507fd52..621ea2b0e 100644
--- a/src/lib/protocols/mssql_tds.c
+++ b/src/lib/protocols/mssql_tds.c
@@ -1,7 +1,7 @@
/*
* mssql.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MSSQL_TDS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MSSQL_TDS
#include "ndpi_api.h"
@@ -83,5 +81,3 @@ void init_mssql_tds_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index d1e695e55..d1602a2fe 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -2,7 +2,7 @@
* mysql.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_MYSQL
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MYSQL
#include "ndpi_api.h"
@@ -85,5 +83,3 @@ void init_mysql_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/nest_log_sink.c b/src/lib/protocols/nest_log_sink.c
new file mode 100644
index 000000000..62e8fa75f
--- /dev/null
+++ b/src/lib/protocols/nest_log_sink.c
@@ -0,0 +1,79 @@
+/*
+ * nest_log_sink.c
+ *
+ * Copyright (C) 2009-2011 by ipoque GmbH
+ * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2018 - eGloo Incorporated
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NEST_LOG_SINK
+
+#include "ndpi_api.h"
+
+#define NEST_LOG_SINK_PORT 11095
+#define NEST_LOG_SINK_MIN_LEN 8
+#define NEST_LOG_SINK_MIN_MATCH 3
+
+void ndpi_search_nest_log_sink(
+ struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search nest_log_sink\n");
+
+ if (packet->payload_packet_len < NEST_LOG_SINK_MIN_LEN) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ if (ntohs(packet->tcp->source) != NEST_LOG_SINK_PORT &&
+ ntohs(packet->tcp->dest) != NEST_LOG_SINK_PORT) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
+ }
+
+ if (packet->payload[1] <= 0x02 &&
+ (packet->payload[2] == 0x00 || packet->payload[2] == 0x10) &&
+ packet->payload[3] == 0x13)
+ flow->l4.tcp.nest_log_sink_matches++;
+
+ if (flow->l4.tcp.nest_log_sink_matches == NEST_LOG_SINK_MIN_MATCH) {
+ NDPI_LOG_INFO(ndpi_struct, "found nest_log_sink\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NEST_LOG_SINK, NDPI_PROTOCOL_UNKNOWN);
+ }
+}
+
+void init_nest_log_sink_dissector(
+ struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("NEST_LOG_SINK",
+ ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_NEST_LOG_SINK,
+ ndpi_search_nest_log_sink,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
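Review bot: A flow on port 11095 that never accumulates three header matches is neither detected nor excluded in ndpi_search_nest_log_sink, because `NDPI_EXCLUDE_PROTO` is only reached for short payloads and wrong ports. Unless the caller caps the number of attempts (not visible in this hunk), the dissector is invoked on every packet of such a flow. A give-up bound on `flow->packet_counter`, with its limit defined next to `NEST_LOG_SINK_MIN_MATCH`, would close that path. The byte tests on `payload[1]`..`payload[3]` would also benefit from a comment such as `/* header bytes observed in captures: [1] <= 0x02, [2] in {0x00,0x10}, [3] == 0x13 */`, since nothing in the file says what these values represent.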
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index 634284121..925b864ad 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -2,7 +2,7 @@
* netbios.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-17 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_NETBIOS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NETBIOS
#include "ndpi_api.h"
@@ -332,9 +330,8 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n");
- if(packet->payload[0] >= 0x11 && packet->payload[0] <= 0x16) {
-
- NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x11,0x12,0x13,0x14,0x15 or 0x16\n");
+ if(packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) {
+ NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n");
if(ntohl(get_u_int32_t(packet->payload, 4)) == ntohl(packet->iph->saddr)) {
NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n");
@@ -390,5 +387,3 @@ void init_netbios_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c
index a553e4b6a..23c4bc587 100644
--- a/src/lib/protocols/netflow.c
+++ b/src/lib/protocols/netflow.c
@@ -1,7 +1,7 @@
/*
* netflow.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_NETFLOW
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NETFLOW
#include "ndpi_api.h"
@@ -184,4 +182,3 @@ void init_netflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/nfs.c b/src/lib/protocols/nfs.c
index c074b9d3b..c9e3265a5 100644
--- a/src/lib/protocols/nfs.c
+++ b/src/lib/protocols/nfs.c
@@ -2,7 +2,7 @@
* nfs.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_NFS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NFS
#include "ndpi_api.h"
@@ -101,4 +99,3 @@ void init_nfs_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/nintendo.c b/src/lib/protocols/nintendo.c
index 8b76f33a6..bbc87a495 100644
--- a/src/lib/protocols/nintendo.c
+++ b/src/lib/protocols/nintendo.c
@@ -1,7 +1,7 @@
/*
* nintendo.c
*
- * Copyright (C) 2017 by ntop.org
+ * Copyright (C) 2017-18 by ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_NINTENDO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NINTENDO
#include "ndpi_api.h"
@@ -67,4 +65,3 @@ void init_nintendo_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/noe.c b/src/lib/protocols/noe.c
index 9899b056b..da572b6c0 100644
--- a/src/lib/protocols/noe.c
+++ b/src/lib/protocols/noe.c
@@ -7,8 +7,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_NOE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NOE
#include "ndpi_api.h"
@@ -21,7 +19,8 @@ static void ndpi_int_noe_add_connection(struct ndpi_detection_module_struct
NDPI_LOG_INFO(ndpi_struct, "found noe\n");
}
-void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
@@ -66,4 +65,3 @@ void init_noe_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/non_tcp_udp.c b/src/lib/protocols/non_tcp_udp.c
index 668a158d7..b7cc4a4d0 100644
--- a/src/lib/protocols/non_tcp_udp.c
+++ b/src/lib/protocols/non_tcp_udp.c
@@ -2,7 +2,7 @@
* non_tcp_udp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#if defined(NDPI_PROTOCOL_IP_IPSEC) || defined(NDPI_PROTOCOL_IP_GRE) || defined(NDPI_PROTOCOL_IP_ICMP) || defined(NDPI_PROTOCOL_IP_IGMP) || defined(NDPI_PROTOCOL_IP_EGP) || defined(NDPI_PROTOCOL_IP_SCTP) || defined(NDPI_PROTOCOL_IP_OSPF) || defined(NDPI_PROTOCOL_IP_IP_IN_IP)
-
#include "ndpi_api.h"
#define set_protocol_and_bmask(nprot) \
@@ -52,57 +50,46 @@ void ndpi_search_in_non_tcp_udp(struct ndpi_detection_module_struct
}
switch (packet->l4_protocol) {
-#ifdef NDPI_PROTOCOL_IP_IPSEC
case NDPI_IPSEC_PROTOCOL_ESP:
case NDPI_IPSEC_PROTOCOL_AH:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_IPSEC);
break;
-#endif /* NDPI_PROTOCOL_IP_IPSEC */
-#ifdef NDPI_PROTOCOL_IP_GRE
+
case NDPI_GRE_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_GRE);
break;
-#endif /* NDPI_PROTOCOL_IP_GRE */
-#ifdef NDPI_PROTOCOL_IP_ICMP
+
case NDPI_ICMP_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_ICMP);
break;
-#endif /* NDPI_PROTOCOL_IP_ICMP */
-#ifdef NDPI_PROTOCOL_IP_IGMP
+
case NDPI_IGMP_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_IGMP);
break;
-#endif /* NDPI_PROTOCOL_IP_IGMP */
-#ifdef NDPI_PROTOCOL_IP_EGP
+
case NDPI_EGP_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_EGP);
break;
-#endif /* NDPI_PROTOCOL_IP_EGP */
-#ifdef NDPI_PROTOCOL_IP_SCTP
+
case NDPI_SCTP_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_SCTP);
break;
-#endif /* NDPI_PROTOCOL_IP_SCTP */
-#ifdef NDPI_PROTOCOL_IP_OSPF
+
case NDPI_OSPF_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_OSPF);
break;
-#endif /* NDPI_PROTOCOL_IP_OSPF */
-#ifdef NDPI_PROTOCOL_IP_IP_IN_IP
+
case NDPI_IPIP_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_IP_IN_IP);
break;
-#endif /* NDPI_PROTOCOL_IP_IP_IN_IP */
-#ifdef NDPI_PROTOCOL_IP_ICMPV6
+
case NDPI_ICMPV6_PROTOCOL_TYPE:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_ICMPV6);
break;
-#endif /* NDPI_PROTOCOL_IP_ICMPV6 */
-#ifdef NDPI_PROTOCOL_IP_VRRP
+
case 112:
set_protocol_and_bmask(NDPI_PROTOCOL_IP_VRRP);
break;
-#endif /* NDPI_PROTOCOL_IP_VRRP */
}
}
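Review bot: `case 112:` is the only arm of this switch keyed on a bare number; the others use `NDPI_*_PROTOCOL_TYPE` names, so a named constant for the VRRP protocol number would keep the table consistent and searchable. With the `#ifdef` guards gone, the VRRP arm is now always compiled, yet the later hunks of init_non_tcp_udp_dissector end after the `"IP_ICMPV6"` registration with no `"IP_VRRP"` entry visible. Whether that arm can take effect depends on what `set_protocol_and_bmask` checks, which lies outside the hunk, so this is worth confirming. The context comment `/* always add non tcp/udp if one protocol is compiled in */` in the init function is also stale now that nothing is conditionally compiled.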
@@ -113,7 +100,6 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
/* always add non tcp/udp if one protocol is compiled in */
NDPI_SAVE_AS_BITMASK(ndpi_struct->callback_buffer[*id].detection_bitmask, NDPI_PROTOCOL_UNKNOWN);
-#ifdef NDPI_PROTOCOL_IP_IPSEC
ndpi_set_bitmask_protocol_detection("IP_IPSEC", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_IPSEC,
ndpi_search_in_non_tcp_udp,
@@ -121,8 +107,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_GRE
+
ndpi_set_bitmask_protocol_detection("IP_GRE", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_GRE,
ndpi_search_in_non_tcp_udp,
@@ -130,8 +115,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_ICMP
+
ndpi_set_bitmask_protocol_detection("IP_ICMP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_ICMP,
ndpi_search_in_non_tcp_udp,
@@ -139,8 +123,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_IGMP
+
ndpi_set_bitmask_protocol_detection("IP_IGMP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_IGMP,
ndpi_search_in_non_tcp_udp,
@@ -148,8 +131,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_EGP
+
ndpi_set_bitmask_protocol_detection("IP_EGP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_EGP,
ndpi_search_in_non_tcp_udp,
@@ -157,8 +139,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_SCTP
+
ndpi_set_bitmask_protocol_detection("IP_SCTP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_SCTP,
ndpi_search_in_non_tcp_udp,
@@ -166,8 +147,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_OSPF
+
ndpi_set_bitmask_protocol_detection("IP_OSPF", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_OSPF,
ndpi_search_in_non_tcp_udp,
@@ -175,8 +155,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_IP_IN_IP
+
ndpi_set_bitmask_protocol_detection("IP_IP_IN_IP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_IP_IN_IP,
ndpi_search_in_non_tcp_udp,
@@ -184,8 +163,7 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-#ifdef NDPI_PROTOCOL_IP_ICMPV6
+
ndpi_set_bitmask_protocol_detection("IP_ICMPV6", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_IP_ICMPV6,
ndpi_search_in_non_tcp_udp,
@@ -193,8 +171,4 @@ void init_non_tcp_udp_dissector(struct ndpi_detection_module_struct *ndpi_struct
NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-#endif
-
}
-
-#endif
diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index 3b8eb3d7d..9290fbfb3 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -2,7 +2,7 @@
* ntp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_NTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NTP
#include "ndpi_api.h"
@@ -77,4 +75,3 @@ void init_ntp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/ookla.c b/src/lib/protocols/ookla.c
new file mode 100644
index 000000000..b1eb295a7
--- /dev/null
+++ b/src/lib/protocols/ookla.c
@@ -0,0 +1,66 @@
+/*
+ * ookla.c
+ *
+ * Copyright (C) 2018 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OOKLA
+
+#include "ndpi_api.h"
+#include "lruc.h"
+
+
+void ndpi_search_ookla(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) {
+ struct ndpi_packet_struct* packet = &flow->packet;
+ u_int32_t addr = 0;
+ void *value;
+
+ NDPI_LOG_DBG(ndpi_struct, "Ookla detection\n");
+
+ if(packet->tcp->source == htons(8080))
+ addr = packet->iph->saddr;
+ else if(packet->tcp->dest == htons(8080))
+ addr = packet->iph->daddr;
+ else
+ goto ookla_exclude;
+
+ if(ndpi_struct->ookla_cache != NULL) {
+ if(lruc_get(ndpi_struct->ookla_cache, &addr, sizeof(addr), &value) == LRUC_NO_ERROR) {
+ /* Don't remove it as it can be used for other connections */
+ NDPI_LOG_INFO(ndpi_struct, "found ookla tcp connection\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+ }
+
+ ookla_exclude:
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("Ookla", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_OOKLA,
+ ndpi_search_ookla,
+ NDPI_SELECTION_BITMASK_PROTOCOL_TCP,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
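Review bot: `packet->iph->saddr` and `packet->iph->daddr` in ndpi_search_ookla are read with no check that `packet->iph` is set. The dissector is registered with `NDPI_SELECTION_BITMASK_PROTOCOL_TCP` rather than an IPv4-specific mask, so if IPv6 TCP flows can reach this callback (not determinable from the hunk) a port-8080 packet would dereference a NULL pointer. A guard before the port test, `if(packet->iph == NULL) goto ookla_exclude;`, removes the dependency on the caller. The `value` out-parameter of `lruc_get` is never read afterwards, which deserves a short comment saying that only presence in the cache matters.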
diff --git a/src/lib/protocols/openft.c b/src/lib/protocols/openft.c
index d0b50c8a2..30fb1c68f 100644
--- a/src/lib/protocols/openft.c
+++ b/src/lib/protocols/openft.c
@@ -2,7 +2,7 @@
* openft.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_OPENFT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENFT
#include "ndpi_api.h"
@@ -67,5 +65,3 @@ void init_openft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index 6756c173d..6bd480ea1 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -1,7 +1,7 @@
/*
* openvpn.c
*
- * Copyright (C) 2011-16 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* OpenVPN TCP / UDP Detection - 128/160 hmac
*
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_OPENVPN
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENVPN
#include "ndpi_api.h"
@@ -135,5 +133,3 @@ void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/oracle.c b/src/lib/protocols/oracle.c
index 5fda78672..6ad6bac4c 100644
--- a/src/lib/protocols/oracle.c
+++ b/src/lib/protocols/oracle.c
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_ORACLE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ORACLE
#include "ndpi_api.h"
@@ -75,5 +73,3 @@ void init_oracle_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index 6dec353a5..010a620e9 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -2,7 +2,7 @@
* oscar.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_OSCAR
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OSCAR
#include "ndpi_api.h"
@@ -816,5 +814,3 @@ void init_oscar_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/pando.c b/src/lib/protocols/pando.c
index ccf1ee12d..ece78559d 100644
--- a/src/lib/protocols/pando.c
+++ b/src/lib/protocols/pando.c
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_PANDO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PANDO
#include "ndpi_api.h"
@@ -167,5 +165,3 @@ void init_pando_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/pcanywhere.c b/src/lib/protocols/pcanywhere.c
index 56b68b567..0d205d5f3 100644
--- a/src/lib/protocols/pcanywhere.c
+++ b/src/lib/protocols/pcanywhere.c
@@ -2,7 +2,7 @@
* pcanywhere.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_PCANYWHERE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PCANYWHERE
#include "ndpi_api.h"
@@ -67,4 +65,3 @@ void init_pcanywhere_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c
index e23d316e4..089be4e31 100644
--- a/src/lib/protocols/postgres.c
+++ b/src/lib/protocols/postgres.c
@@ -2,7 +2,7 @@
* postgres.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_POSTGRES
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_POSTGRES
#include "ndpi_api.h"
@@ -131,4 +129,3 @@ void init_postgres_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/pplive.c b/src/lib/protocols/pplive.c
index 6f874d7b6..2e41d64f5 100644
--- a/src/lib/protocols/pplive.c
+++ b/src/lib/protocols/pplive.c
@@ -26,8 +26,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_PPLIVE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPLIVE
#include "ndpi_api.h"
@@ -232,4 +230,3 @@ void init_pplive_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c
index 08d2f8ade..20eb0d428 100644
--- a/src/lib/protocols/ppstream.c
+++ b/src/lib/protocols/ppstream.c
@@ -1,7 +1,7 @@
/*
* ppstream.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_PPSTREAM
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPSTREAM
#include "ndpi_api.h"
@@ -237,4 +235,3 @@ void init_ppstream_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/pptp.c b/src/lib/protocols/pptp.c
index 9bacdeded..cfe360b5b 100644
--- a/src/lib/protocols/pptp.c
+++ b/src/lib/protocols/pptp.c
@@ -2,7 +2,7 @@
* pptp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_PPTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPTP
#include "ndpi_api.h"
@@ -69,5 +67,3 @@ void init_pptp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/qq.c b/src/lib/protocols/qq.c
index f3b713132..077d385fa 100644
--- a/src/lib/protocols/qq.c
+++ b/src/lib/protocols/qq.c
@@ -2,7 +2,7 @@
* qq.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_QQ
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QQ
#include "ndpi_api.h"
@@ -636,17 +634,13 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct
}
}
}
-#ifdef NDPI_PROTOCOL_HTTP
+
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) {
-#endif /* NDPI_PROTOCOL_HTTP */
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QQ);
NDPI_LOG_DBG(ndpi_struct, "QQ tcp excluded; len %u\n",
packet->payload_packet_len);
-
-#ifdef NDPI_PROTOCOL_HTTP
}
-#endif /* NDPI_PROTOCOL_HTTP */
}
@@ -674,5 +668,3 @@ void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 6bf5cb0b2..e28db634a 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -3,10 +3,6 @@
*
* Copyright (C) 2012-18 - ntop.org
*
- * Based on code of:
- * Andrea Buscarinu - <andrea.buscarinu@gmail.com>
- * Michele Campus - <campus@ntop.org>
- *
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
@@ -20,12 +16,14 @@
* You should have received a copy of the GNU Lesser General Public License.
* If not, see <http://www.gnu.org/licenses/>.
*
+ * Based on code of:
+ * Andrea Buscarinu - <andrea.buscarinu@gmail.com>
+ * Michele Campus - <campus@ntop.org>
+ *
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_QUIC
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QUIC
#include "ndpi_api.h"
@@ -109,6 +107,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
if((sni_offset+len) < udp_len) {
if(!ndpi_struct->disable_metadata_export) {
int max_len = sizeof(flow->host_server_name)-1, j = 0;
+ ndpi_protocol_match_result ret_match;
if(len > max_len) len = max_len;
@@ -120,6 +119,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->host_server_name,
strlen((const char*)flow->host_server_name),
+ &ret_match,
NDPI_PROTOCOL_QUIC);
}
}
@@ -148,5 +148,3 @@ void init_quic_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif /* NDPI_PROTOCOL_QUIC */
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
index e0eb2657b..1c85f48d7 100644
--- a/src/lib/protocols/radius.c
+++ b/src/lib/protocols/radius.c
@@ -1,7 +1,7 @@
/*
* radius.c
*
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RADIUS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RADIUS
#include "ndpi_api.h"
@@ -79,5 +77,3 @@ void init_radius_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c
index 9ce692893..bc59ea1fb 100644
--- a/src/lib/protocols/rdp.c
+++ b/src/lib/protocols/rdp.c
@@ -2,7 +2,7 @@
* rdp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RDP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RDP
#include "ndpi_api.h"
@@ -69,5 +67,3 @@ void init_rdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/redis_net.c b/src/lib/protocols/redis_net.c
index 4b51908fd..cb1e2e39b 100644
--- a/src/lib/protocols/redis_net.c
+++ b/src/lib/protocols/redis_net.c
@@ -1,7 +1,7 @@
/*
* redis.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_REDIS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_REDIS
#include "ndpi_api.h"
@@ -103,5 +101,3 @@ void init_redis_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/rsync.c b/src/lib/protocols/rsync.c
index 157b2e0e0..8cc3dd16d 100644
--- a/src/lib/protocols/rsync.c
+++ b/src/lib/protocols/rsync.c
@@ -2,7 +2,7 @@
* rsync.c
*
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
- * Copyright (C) 2016 ntop.org
+ * Copyright (C) 2016-18 ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -21,8 +21,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RSYNC
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RSYNC
#include "ndpi_api.h"
@@ -69,5 +67,3 @@ void init_rsync_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c
index b924b476d..77903d6cc 100644
--- a/src/lib/protocols/rtcp.c
+++ b/src/lib/protocols/rtcp.c
@@ -6,8 +6,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RTCP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTCP
#include "ndpi_api.h"
@@ -15,10 +13,12 @@
static void ndpi_int_rtcp_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP,
+ NDPI_PROTOCOL_UNKNOWN);
}
-void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t dport = 0, sport = 0;
@@ -79,5 +79,3 @@ void init_rtcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/rtmp.c b/src/lib/protocols/rtmp.c
index 52492a290..9bf73fecd 100644
--- a/src/lib/protocols/rtmp.c
+++ b/src/lib/protocols/rtmp.c
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RTMP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTMP
#include "ndpi_api.h"
@@ -105,4 +103,3 @@ void init_rtmp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 38cd62504..0ccc08594 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -2,7 +2,7 @@
* rtp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTP
#include "ndpi_api.h"
@@ -308,13 +306,12 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
return;
exclude_rtp:
-#ifdef NDPI_PROTOCOL_STUN
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
|| /* packet->real_protocol_read_only == NDPI_PROTOCOL_STUN */) {
NDPI_LOG_DBG(ndpi_struct, "STUN: is detected, need next packet\n");
return;
}
-#endif /* NDPI_PROTOCOL_STUN */
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
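Review bot: The condition under `exclude_rtp:` now reads `== NDPI_PROTOCOL_STUN || /* packet->real_protocol_read_only == NDPI_PROTOCOL_STUN */) {`, so the `||` has only a comment as its right-hand operand, which is not a valid expression. It was previously wrapped in `#ifdef NDPI_PROTOCOL_STUN`; the stray `#endif` context line further down this file's diff suggests the function sits in a disabled preprocessor region, which would explain why it still builds, but that cannot be confirmed from the hunk. Drop the dangling operator so the code is valid if the region is ever re-enabled: `if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN) {`. ndpi_rtp_search starts outside the hunk.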
@@ -337,7 +334,7 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
"skipping STUN-like, special yahoo packets with payload[0] == 0x90.\n");
return;
}
-#ifdef NDPI_PROTOCOL_STUN
+
/* TODO the rtp detection sometimes doesn't exclude rtp
* so for TCP flows only run the detection if STUN has been
* detected (or RTP is already detected)
@@ -360,6 +357,7 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
return;
}
}
+
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && flow->l4.tcp.rtp_special_packets_seen == 1) {
if (packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) + 4 == packet->payload_packet_len) {
@@ -378,15 +376,13 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd
} else {
NDPI_LOG_DBG(ndpi_struct, "STUN not yet excluded, need next packet\n");
}
-#else
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-#endif
}
}
#endif
-void init_rtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_rtp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("RTP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_RTP,
@@ -398,6 +394,3 @@ void init_rtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
-/* NDPI_PROTOCOL_RTP */
-
diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c
index e20c53065..9620dd504 100644
--- a/src/lib/protocols/rtsp.c
+++ b/src/lib/protocols/rtsp.c
@@ -2,7 +2,7 @@
* rtsp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,14 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RTSP
- #ifndef NDPI_PROTOCOL_RTP
- #error RTSP requires RTP detection to work correctly
- #endif
- #ifndef NDPI_PROTOCOL_RDP
- #error RTSP requires RDP detection to work correctly
- #endif
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTSP
#include "ndpi_api.h"
@@ -56,9 +48,7 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct
NDPI_LOG_DBG(ndpi_struct, "search RTSP\n");
if (flow->rtsprdt_stage == 0
-#ifdef NDPI_PROTOCOL_RTCP
&& !(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_RTCP)
-#endif
) {
flow->rtsprdt_stage = 1 + packet->packet_direction;
NDPI_LOG_DBG2(ndpi_struct, "maybe handshake 1; need next packet, return\n");
@@ -102,9 +92,7 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct
}
if (packet->udp != NULL && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
&& ((NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP) == 0)
-#ifdef NDPI_PROTOCOL_RTCP
|| (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTCP) == 0)
-#endif
)) {
NDPI_LOG_DBG2(ndpi_struct,
"maybe RTSP RTP, RTSP RTCP, RDT; need next packet.\n");
@@ -127,5 +115,3 @@ void init_rtsp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c
index 6eb9bf149..522d9ef5c 100644
--- a/src/lib/protocols/rx.c
+++ b/src/lib/protocols/rx.c
@@ -1,7 +1,7 @@
/*
* rx.c
*
- * Copyright (C) 2012-16 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* Giovanni Mascellani <gio@debian.org>
*
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_RX
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RX
#include "ndpi_api.h"
@@ -227,4 +225,3 @@ void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
index 75b631abc..cb1acff8d 100644
--- a/src/lib/protocols/sflow.c
+++ b/src/lib/protocols/sflow.c
@@ -1,7 +1,7 @@
/*
* sflow.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SFLOW
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SFLOW
#include "ndpi_api.h"
@@ -59,4 +57,3 @@ void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/shoutcast.c b/src/lib/protocols/shoutcast.c
index 2115c574f..10486c0bd 100644
--- a/src/lib/protocols/shoutcast.c
+++ b/src/lib/protocols/shoutcast.c
@@ -2,7 +2,7 @@
* shoutcast.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SHOUTCAST
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SHOUTCAST
#include "ndpi_api.h"
@@ -52,9 +50,7 @@ void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct
return;
}
if (flow->packet_counter < 3
-#ifdef NDPI_PROTOCOL_HTTP
&& packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
-#endif
) {
NDPI_LOG_DBG2(ndpi_struct,
"http detected, need next packet for shoutcast detection.\n");
@@ -119,4 +115,4 @@ void init_shoutcast_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
+
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 5edd377c6..1436b2cec 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -2,7 +2,7 @@
* sip.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SIP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SIP
#include "ndpi_api.h"
@@ -59,12 +57,8 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
packet_payload += 4;
}
}
-#ifndef NDPI_PROTOCOL_YAHOO
- if (payload_len >= 14 && packet_payload[payload_len - 2] == 0x0d && packet_payload[payload_len - 1] == 0x0a)
-#endif
-#ifdef NDPI_PROTOCOL_YAHOO
- if (payload_len >= 14)
-#endif
+
+ if (payload_len >= 14)
{
if ((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0)
@@ -146,19 +140,18 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
NDPI_LOG_DBG2(ndpi_struct, "need next packet\n");
return;
}
-#ifdef NDPI_PROTOCOL_STUN
+
/* for STUN flows we need some more packets */
if (packet->udp != NULL && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN && flow->packet_counter < 40) {
NDPI_LOG_DBG2(ndpi_struct, "need next STUN packet\n");
return;
}
-#endif
if (payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n");
return;
}
-#ifdef NDPI_PROTOCOL_YAHOO
+
if (payload_len > 30 && packet_payload[0] == 0x90
&& packet_payload[3] == payload_len - 20 && get_u_int32_t(packet_payload, 4) == 0
&& get_u_int32_t(packet_payload, 8) == 0) {
@@ -168,9 +161,8 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
if (flow->sip_yahoo_voice && flow->packet_counter < 10) {
return;
}
-#endif
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
@@ -200,4 +192,3 @@ void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/skinny.c b/src/lib/protocols/skinny.c
index 0acebf271..5ec54dbdf 100644
--- a/src/lib/protocols/skinny.c
+++ b/src/lib/protocols/skinny.c
@@ -19,8 +19,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SKINNY
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SKINNY
#include "ndpi_api.h"
@@ -75,5 +73,3 @@ void init_skinny_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index ea571961f..35dcb0161 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -1,7 +1,7 @@
/*
* skype.c
*
- * Copyright (C) 2017 - ntop.org
+ * Copyright (C) 2017-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -19,20 +19,26 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SKYPE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SKYPE
#include "ndpi_api.h"
+static void ndpi_skype_report_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ //printf("-> payload_len=%u\n", flow->packet.payload_packet_len);
+
+ NDPI_LOG_INFO(ndpi_struct, "found skype\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
+}
-static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
+static int is_port(u_int16_t a, u_int16_t b, u_int16_t c) {
+ return(((a == c) || (b == c)) ? 1 : 0);
+}
+
+static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
// const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
-
if(flow->host_server_name[0] != '\0')
return;
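Review bot: The signature `is_port(u_int16_t a, u_int16_t b, u_int16_t c)` does not show which argument is the port being tested, and the later call sites pass `(sport, dport, 1119)`. Naming the parameters after their roles, `static int is_port(u_int16_t sport, u_int16_t dport, u_int16_t port)`, with a one-line comment `/* 1 if either endpoint uses the given port (host byte order) */`, would document the contract. The commented-out `//printf("-> payload_len=%u\n", ...)` in `ndpi_skype_report_protocol` is debug residue and can be dropped. ndpi_check_skype continues outside the hunk.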
@@ -41,25 +47,33 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
flow->l4.udp.skype_packet_id++;
if(flow->l4.udp.skype_packet_id < 5) {
+ u_int16_t sport = ntohs(packet->udp->source);
u_int16_t dport = ntohs(packet->udp->dest);
/* skype-to-skype */
- if(dport != 1119) /* It can be confused with battle.net */ {
+ if(is_port(sport, dport, 1119) /* It can be confused with battle.net */
+ || is_port(sport, dport, 80) /* No HTTP-like protocols UDP/80 */
+ ) {
+ ;
+ } else {
if(((payload_len == 3) && ((packet->payload[2] & 0x0F)== 0x0d)) ||
((payload_len >= 16)
&& (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */
&& (packet->payload[2] == 0x02))) {
- NDPI_LOG_INFO(ndpi_struct, "found skype\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_skype_report_protocol(ndpi_struct, flow);
}
}
- return;
+
+ // return;
}
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
-
// TCP check
- } else if(packet->tcp != NULL) {
+ } else if((packet->tcp != NULL)
+ /* As the TCP skype heuristic is weak, we need to make sure no other protocols overlap */
+ && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
+ && (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)) {
flow->l4.tcp.skype_packet_id++;
if(flow->l4.tcp.skype_packet_id < 3) {
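Review bot: Commenting out `return;` at the end of the `skype_packet_id < 5` block makes every UDP packet fall through to `NDPI_EXCLUDE_PROTO(ndpi_struct, flow)`, including the packet on which `ndpi_skype_report_protocol()` has just reported a match. A flow that does not match on its first packet is then excluded at once, so the five-packet window no longer has any effect; whether excluding after a detection is harmless depends on the macro, which is not shown here. If the early exclusion is intended, remove the counter test; otherwise keep the exit, at least after a match: `ndpi_skype_report_protocol(ndpi_struct, flow); return;`. The empty `;` branch would also read more directly as a negated guard, `if(!is_port(sport, dport, 1119) && !is_port(sport, dport, 80)) {`. The function body starts and ends outside the hunk.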
@@ -73,9 +87,9 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
if((payload_len == 8) || (payload_len == 3) || (payload_len == 17)) {
// printf("[SKYPE] payload_len=%u\n", payload_len);
/* printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); */
-
+
NDPI_LOG_INFO(ndpi_struct, "found skype\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN);
+ ndpi_skype_report_protocol(ndpi_struct, flow);
} else {
// printf("NO [SKYPE] payload_len=%u\n", payload_len);
}
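Review bot: A TCP match is now logged twice, because the context line `NDPI_LOG_INFO(ndpi_struct, "found skype\n");` is kept directly above the new `ndpi_skype_report_protocol(ndpi_struct, flow);` and the helper added earlier in this file's diff emits the same message. The UDP path had its own log line removed when it was switched to the helper; the same should be done here by deleting the `NDPI_LOG_INFO` line. The enclosing function extends beyond the hunk.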
@@ -112,5 +126,3 @@ void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index 6ac7e282a..c6b0676b6 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -1,7 +1,7 @@
/*
* smb.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -22,10 +22,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SMB
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SMB
-
#include "ndpi_api.h"
@@ -45,19 +41,23 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_INFO(ndpi_struct, "found SMB\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB, NDPI_PROTOCOL_UNKNOWN);
+ if(packet->payload[8] == 0x72)
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_UNKNOWN);
+ else
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_UNKNOWN);
return;
}
}
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, __FILE__, __FUNCTION__, __LINE__);
+ ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, __FILE__, __FUNCTION__, __LINE__);
}
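Review bot: The new SMBv1/SMBv2-3 split depends on `packet->payload[8] == 0x72`, an unnamed constant read at a fixed offset. The length check that makes index 8 safe is not in this hunk and should be confirmed to cover at least 9 bytes. 0x72 is presumably the SMB1 negotiate command code; if so, SMB1 packets carrying any other command would be labelled `NDPI_PROTOCOL_SMBV23` unless the signature test above already separates the dialects, and that test is outside the hunk. Since the label is what lets an operator spot legacy SMBv1 on the wire, the line deserves a comment such as `/* payload[8] is the SMB command byte; 0x72 = negotiate (SMB1) - confirm */` and a test capture with a non-negotiate SMB1 packet.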
void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("SMB", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_SMB,
+ NDPI_PROTOCOL_SMBV23,
ndpi_search_smb_tcp,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
@@ -66,4 +66,3 @@ void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/smpp.c b/src/lib/protocols/smpp.c
index 1bd2a870b..444516cd3 100644
--- a/src/lib/protocols/smpp.c
+++ b/src/lib/protocols/smpp.c
@@ -2,7 +2,7 @@
* smpp.c
*
* Copyright (C) 2016 - Damir Franusic <df@release14.org>
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -22,8 +22,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SMPP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SMPP
#include "ndpi_api.h"
@@ -319,5 +317,3 @@ void init_smpp_dissector(struct ndpi_detection_module_struct* ndpi_struct,
*id += 1;
}
-
-#endif // NDPI_PROTOCOL_SMPP
diff --git a/src/lib/protocols/snmp.c b/src/lib/protocols/snmp_proto.c
index 6a2f2624f..77ad4d233 100644
--- a/src/lib/protocols/snmp.c
+++ b/src/lib/protocols/snmp_proto.c
@@ -2,7 +2,7 @@
* snmp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SNMP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SNMP
#include "ndpi_api.h"
@@ -125,7 +123,6 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct n
}
excl:
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
}
@@ -141,4 +138,3 @@ void init_snmp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c
index 32c83934a..36c18ef54 100644
--- a/src/lib/protocols/socks45.c
+++ b/src/lib/protocols/socks45.c
@@ -1,7 +1,7 @@
/*
* socks4.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
* Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
*
* The signature is based on the Libprotoident library.
@@ -25,8 +25,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SOCKS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOCKS
#include "ndpi_api.h"
@@ -148,4 +146,3 @@ void init_socks_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/someip.c b/src/lib/protocols/someip.c
index 604022714..9211a4b85 100644
--- a/src/lib/protocols/someip.c
+++ b/src/lib/protocols/someip.c
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SOMEIP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOMEIP
#include "ndpi_api.h"
@@ -192,7 +190,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct,
}
if (message_id == MSG_SD){
- NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported\n", message_type);
+ NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported [%d]\n", message_type);
}
//Filtering by port.
@@ -227,5 +225,4 @@ void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct,
*id +=1;
}
-#endif // NDPI_PROTOCOL_SOMEIP
diff --git a/src/lib/protocols/sopcast.c b/src/lib/protocols/sopcast.c
index 3e8009454..c40213bf7 100644
--- a/src/lib/protocols/sopcast.c
+++ b/src/lib/protocols/sopcast.c
@@ -2,7 +2,7 @@
* sopcast.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SOPCAST
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOPCAST
#include "ndpi_api.h"
@@ -226,4 +224,3 @@ void init_sopcast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c
index 8f4bbb32c..de1b548be 100644
--- a/src/lib/protocols/soulseek.c
+++ b/src/lib/protocols/soulseek.c
@@ -1,7 +1,7 @@
/*
* soulseek.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SOULSEEK
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOULSEEK
#include "ndpi_api.h"
@@ -51,13 +49,15 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if(src != NULL)
NDPI_LOG_DBG2(ndpi_struct,
" SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n",
- NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK)
- != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) src->soulseek_last_safe_access_time);
+ NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK)
+ != 0 ? 1 : 0, (long long unsigned int) packet->tick_timestamp,
+ (long long unsigned int) src->soulseek_last_safe_access_time);
if(dst != NULL)
NDPI_LOG_DBG2(ndpi_struct,
" DST bitmask: %u, packet tick %llu , last safe ts: %llu\n",
NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK)
- != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) dst->soulseek_last_safe_access_time);
+ != 0 ? 1 : 0, (long long unsigned int) packet->tick_timestamp,
+ (long long unsigned int) dst->soulseek_last_safe_access_time);
if(packet->payload_packet_len == 431) {
if(dst != NULL) {
@@ -278,5 +278,3 @@ void init_soulseek_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/spotify.c b/src/lib/protocols/spotify.c
index f3b23aadb..a180a1ea7 100644
--- a/src/lib/protocols/spotify.c
+++ b/src/lib/protocols/spotify.c
@@ -23,8 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SPOTIFY
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SPOTIFY
#include "ndpi_api.h"
@@ -90,17 +88,25 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct,
*/
//printf("%08X - %08X\n", ntohl(packet->iph->saddr), ntohl(packet->iph->daddr));
- if(((ntohl(packet->iph->saddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0x4E1F0800 /* 78.31.8.0 */)
- || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0x4E1F0800 /* 78.31.8.0 */)
+
+ long src_addr = ntohl(packet->iph->saddr);
+ long dst_addr = ntohl(packet->iph->daddr);
+ long src_addr_masked_22 = src_addr & 0xFFFFFC00; // */22
+ long dst_addr_masked_22 = dst_addr & 0xFFFFFC00; // */22
+ long src_addr_masked_24 = src_addr & 0xFFFFFF00; // */24
+ long dst_addr_masked_24 = dst_addr & 0xFFFFFF00; // */24
+
+ if( src_addr_masked_22 == 0x4E1F0800 /* 78.31.8.0 */
+ || dst_addr_masked_22 == 0x4E1F0800 /* 78.31.8.0 */
/* **** */
- || ((ntohl(packet->iph->saddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC1EBE800 /* 193.235.232.0 */)
- || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC1EBE800 /* 193.235.232.0 */)
- /* **** */
- || ((ntohl(packet->iph->saddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284C400 /* 194.132.196.0 */)
- || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284C400 /* 194.132.196.0 */)
- /* **** */
- || ((ntohl(packet->iph->saddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284A200 /* 194.132.162.0 */)
- || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284A200 /* 194.132.162.0 */)
+ || src_addr_masked_22 == 0xC1EBE800 /* 193.235.232.0 */
+ || dst_addr_masked_22 == 0xC1EBE800 /* 193.235.232.0 */
+ /* **** */
+ || src_addr_masked_22 == 0xC284C400 /* 194.132.196.0 */
+ || dst_addr_masked_22 == 0xC284C400 /* 194.132.196.0 */
+ /* **** */
+ || src_addr_masked_24 == 0xC284A200 /* 194.132.162.0 */
+ || dst_addr_masked_24 == 0xC284A200 /* 194.132.162.0 */
) {
NDPI_LOG_INFO(ndpi_struct, "found spotify via ip range\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN);
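Review bot: The new locals starting at `long src_addr = ntohl(packet->iph->saddr);` hold 32-bit IPv4 addresses in a signed `long`, which is only 32 bits wide on ILP32 and LLP64 targets. There, addresses at or above 128.0.0.0 do not fit, so the comparisons against constants such as `0xC1EBE800` only work through implicit signed/unsigned conversions. Declaring all six as the type `ntohl()` returns removes that dependency, e.g. `u_int32_t src_addr = ntohl(packet->iph->saddr);` and `u_int32_t src_addr_masked_22 = src_addr & 0xFFFFFC00;`. The enclosing function starts outside the hunk, so whether `packet->iph` is checked for NULL before these reads cannot be confirmed from here.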
@@ -140,4 +146,3 @@ void init_spotify_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c
index ce681d9b6..6b2bbd188 100644
--- a/src/lib/protocols/ssdp.c
+++ b/src/lib/protocols/ssdp.c
@@ -2,7 +2,7 @@
* ssdp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SSDP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSDP
#include "ndpi_api.h"
@@ -45,7 +43,7 @@ void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct n
NDPI_LOG_DBG(ndpi_struct, "search ssdp\n");
if (packet->udp != NULL) {
- if (packet->payload_packet_len > 100) {
+ if (packet->payload_packet_len >= 19) {
if ((memcmp(packet->payload, "M-SEARCH * HTTP/1.1", 19) == 0)
|| memcmp(packet->payload, "NOTIFY * HTTP/1.1", 17) == 0) {
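Review bot: The new bound in `if (packet->payload_packet_len >= 19)` is the length of the longer literal passed to `memcmp` on the next two lines, but nothing in the code ties the two numbers together. If either literal is edited later, the guard can silently stop covering the compare. I would derive it from the string, `if (packet->payload_packet_len >= sizeof("M-SEARCH * HTTP/1.1") - 1) {`, or at least add `/* 19 = strlen("M-SEARCH * HTTP/1.1"), the longest prefix compared below */`. The function continues outside the hunk.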
@@ -80,4 +78,3 @@ void init_ssdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c
index 89b359040..1a20078c3 100644
--- a/src/lib/protocols/ssh.c
+++ b/src/lib/protocols/ssh.c
@@ -2,7 +2,7 @@
* ssh.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SSH
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH
#include "ndpi_api.h"
@@ -99,4 +97,3 @@ void init_ssh_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 5c65b83c1..25d535a57 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -1,7 +1,7 @@
/*
* ssl.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,14 +23,11 @@
#include "ndpi_protocol_ids.h"
-
-#ifdef NDPI_PROTOCOL_SSL
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSL
#include "ndpi_api.h"
-/* #define CERTIFICATE_DEBUG 1 */
+// #define CERTIFICATE_DEBUG 1
#define NDPI_MAX_SSL_REQUEST_SIZE 10000
/* Skype.c */
@@ -42,8 +39,8 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st
{
struct ndpi_packet_struct *packet = &flow->packet;
- if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')
- || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))
+ || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
|| (flow->host_server_name[0] != '\0'))
protocol = NDPI_PROTOCOL_SSL;
else
@@ -65,9 +62,7 @@ static u_int32_t ndpi_ssl_refine_master_protocol(struct ndpi_detection_module_st
if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587))
protocol = NDPI_PROTOCOL_MAIL_SMTPS;
else if((sport == 993) || (dport == 993)
-#ifdef NDPI_PROTOCOL_MAIL_IMAP
|| (flow->l4.tcp.mail_imap_starttls)
-#endif
) protocol = NDPI_PROTOCOL_MAIL_IMAPS;
else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS;
}
@@ -251,32 +246,56 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
u_int16_t compression_len;
u_int16_t extensions_len;
- compression_len = packet->payload[offset+1];
- offset += compression_len + 3;
+ offset++;
+ compression_len = packet->payload[offset];
+ offset++;
+
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [compression_len: %u]\n", compression_len);
+#endif
+
+ // offset += compression_len + 3;
+ offset += compression_len;
if(offset < total_len) {
- extensions_len = packet->payload[offset];
+ extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
+ offset += 2;
+
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [extensions_len: %u]\n", extensions_len);
+#endif
- if((extensions_len+offset) < total_len) {
+ if((extensions_len+offset) <= total_len) {
/* Move to the first extension
Type is u_int to avoid possible overflow on extension_len addition */
- u_int extension_offset = 1;
+ u_int extension_offset = 0;
while(extension_offset < extensions_len) {
u_int16_t extension_id, extension_len;
- memcpy(&extension_id, &packet->payload[offset+extension_offset], 2);
+ extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
extension_offset += 2;
- memcpy(&extension_len, &packet->payload[offset+extension_offset], 2);
+ extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset]));
extension_offset += 2;
- extension_id = ntohs(extension_id), extension_len = ntohs(extension_len);
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len);
+#endif
if(extension_id == 0) {
- u_int begin = 0,len;
+#if 1
+ u_int16_t len;
+
+ len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
+ len = (u_int)ndpi_min(len, buffer_len-1);
+ strncpy(buffer, (char*)&packet->payload[offset+extension_offset+5], len);
+ buffer[len] = '\0';
+#else
+ /* old code */
+ u_int begin = 0;
char *server_name = (char*)&packet->payload[offset+extension_offset];
-
+
while(begin < extension_len) {
if((!ndpi_isprint(server_name[begin]))
|| ndpi_ispunct(server_name[begin])
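Review bot: The new server_name branch under `if(extension_id == 0)` takes the name length from `packet->payload[offset+extension_offset+3]` and `+4` and copies `len` bytes starting at `+5`, with `len` clamped only to `buffer_len-1`. Neither `extension_len` nor `extensions_len` bounds it, so a ClientHello with a short or inconsistent extension makes `strncpy` read beyond the bytes the extension block was validated for. The same gap appears earlier in the hunk: the two-byte `extensions_len` read is guarded only by `offset < total_len`, and each pass of the `while` reads a four-byte extension header after checking only `extension_offset < extensions_len`. The `ntohs(*((u_int16_t*)&packet->payload[...]))` casts also replace the removed `memcpy` with a possibly unaligned access, so I would keep `memcpy` there. The checks I would add are sketched below; the function starts and ends outside the hunk, so using `break` as the not-found exit is an assumption.

```c
if((offset + 1) < total_len) {   /* both bytes of extensions_len must be present */
  /* … unchanged: extensions_len read, check against total_len, extension_offset = 0 … */
  while(extension_offset < extensions_len) {
    /* … unchanged: extension_id / extension_len declarations … */

    /* the 4-byte extension header must fit inside the extension block */
    if((extension_offset + 4) > extensions_len)
      break;
    /* … unchanged: extension_id / extension_len reads … */
    if(extension_id == 0) {
      /* … unchanged: declaration of len … */

      /* list length (2) + name type (1) + name length (2) precede the host name */
      if((extension_len < 5)
         || ((extension_offset + extension_len) > extensions_len))
        break;
      len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4];
      if(len > (extension_len - 5))
        break;
      /* … unchanged: clamp to buffer_len-1, strncpy, terminator … */
```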
@@ -289,13 +308,15 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
len = (u_int)ndpi_min(extension_len-begin, buffer_len-1);
strncpy(buffer, &server_name[begin], len);
buffer[len] = '\0';
+#endif
+
stripCertificateTrailer(buffer, buffer_len);
if(!ndpi_struct->disable_metadata_export) {
snprintf(flow->protos.stun_ssl.ssl.client_certificate,
sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
}
-
+
/* We're happy now */
return(2 /* Client Certificate */);
}
@@ -321,24 +342,25 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) {
char certificate[64];
int rc;
+
certificate[0] = '\0';
rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
packet->ssl_certificate_num_checks++;
if (rc > 0) {
packet->ssl_certificate_detected++;
- if (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')
+ if ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
/* 0 means we're done processing extra packets (since we found what we wanted) */
return 0;
}
/* Client hello, Server Hello, and certificate packets probably all checked in this case */
if ((packet->ssl_certificate_num_checks >= 3)
- && (flow->l4.tcp.seen_syn)
- && (flow->l4.tcp.seen_syn_ack)
- && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
- {
- /* We're done processing extra packets since we've probably checked all possible cert packets */
- return 0;
- }
+ && (flow->l4.tcp.seen_syn)
+ && (flow->l4.tcp.seen_syn_ack)
+ && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
+ {
+ /* We're done processing extra packets since we've probably checked all possible cert packets */
+ return 0;
+ }
}
/* 1 means keep looking for more packets */
return 1;
@@ -373,36 +395,40 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
#ifdef CERTIFICATE_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
#endif
+ ndpi_protocol_match_result ret_match;
u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
- strlen(certificate), NDPI_PROTOCOL_SSL);
+ strlen(certificate),
+ &ret_match,
+ NDPI_PROTOCOL_SSL);
+
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
- /* If we've detected the subprotocol from client certificate but haven't had a chance
- * to see the server certificate yet, set up extra packet processing to wait
- * a few more packets. */
- if((flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0')) {
- sslInitExtraPacketProcessing(0, flow);
- }
- ndpi_set_detected_protocol(ndpi_struct, flow, subproto,
- ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL));
- return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */
- }
-#ifdef NDPI_PROTOCOL_TOR
- if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0)
- return(rc);
-#endif
+ /* If we've detected the subprotocol from client certificate but haven't had a chance
+ * to see the server certificate yet, set up extra packet processing to wait
+ * a few more packets. */
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
+ sslInitExtraPacketProcessing(0, flow);
+ }
+
+ ndpi_set_detected_protocol(ndpi_struct, flow, subproto,
+ ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL));
+ return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */
+ }
+
+ if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0)
+ return(rc);
}
if(((packet->ssl_certificate_num_checks >= 2)
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */)
- || (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')
- /* || (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0') */
+ || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+ /* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
) {
ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
- }
+ }
+ }
}
- }
return(0);
}
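Review bot: In the rewritten condition that guards `sslInitExtraPacketProcessing(0, flow)`, the "server certificate not seen yet" half is `(flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0')`. The other changed tests in this file treat "seen" as `(ssl_seen_server_cert == 1) && (server_certificate[0] != '\0')`, and the negation of that is an OR. As written, a flow whose flag is not 1 but whose buffer is non-empty counts as neither seen nor unseen, and extra packet processing is skipped. If the flag exists because the buffer alone is not trustworthy (its definition is outside the hunk, so this is an inference), the second half should read `((flow->l4.tcp.ssl_seen_server_cert != 1) || (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))`. Separately, `ret_match` is passed to `ndpi_match_host_subprotocol` but never read in the visible lines; a short comment saying it is intentionally ignored would help.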
@@ -410,24 +436,22 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct
ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
-#if defined(NDPI_PROTOCOL_TOR) || defined(NDPI_PROTOCOL_VPN_X) || defined(NDPI_PROTOCOL_UNENCRYPTED_JABBER) || defined (NDPI_PROTOCOL_OSCAR) || defined (NDPI_PROTOCOL_ITUNES) || defined (NDPI_PROTOCOL_GMAIL)
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t a;
u_int32_t end;
-#if defined(NDPI_PROTOCOL_UNENCRYPTED_JABBER)
+
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0)
goto check_for_ssl_payload;
-#endif
-#if defined(NDPI_PROTOCOL_OSCAR)
+
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0)
goto check_for_ssl_payload;
-#endif
- goto no_check_for_ssl_payload;
+ else
+ goto no_check_for_ssl_payload;
check_for_ssl_payload:
end = packet->payload_packet_len - 20;
for (a = 5; a < end; a++) {
-#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER
+
if(packet->payload[a] == 't') {
if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) {
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK
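Review bot: The context line `end = packet->payload_packet_len - 20;` goes negative for payloads shorter than 20 bytes and becomes a very large value once stored in the `u_int32_t end`. The loop `for (a = 5; a < end; a++)` then indexes `packet->payload[a]` far past the packet. Whether every caller guarantees a longer payload is not visible in this hunk, and the function body continues outside it. A local guard right after the `check_for_ssl_payload:` label removes the dependency on callers: `if(packet->payload_packet_len < 20) goto no_check_for_ssl_payload;`.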
@@ -438,8 +462,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct
}
}
}
-#endif
-#ifdef NDPI_PROTOCOL_OSCAR
+
if(packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c'
|| packet->payload[a] == 'h') {
if(((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0)
@@ -475,11 +498,9 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct
return;
}
}
-#endif
}
no_check_for_ssl_payload:
-#endif
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n");
sslDetectProtocolFromCertificate(ndpi_struct, flow);
@@ -491,7 +512,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct
ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT);
} else
NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
}
}
@@ -502,13 +523,10 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
struct ndpi_packet_struct *packet = &flow->packet;
if((packet->payload_packet_len >= 5)
- && (packet->payload[0] == 0x16)
+ && ((packet->payload[0] == 0x16) || packet->payload[0] == 0x17)
&& (packet->payload[1] == 0x03)
- && ((packet->payload[2] == 0x00)
- || (packet->payload[2] == 0x01)
- || (packet->payload[2] == 0x02)
- || (packet->payload[2] == 0x03)
- )) {
+ && ((packet->payload[2] == 0x00) || (packet->payload[2] == 0x01) ||
+ (packet->payload[2] == 0x02) || (packet->payload[2] == 0x03))) {
u_int32_t temp;
NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n");
// SSLv3 Record
@@ -527,16 +545,16 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
u_int32_t cert_start;
NDPI_LOG_DBG2(ndpi_struct,
- "maybe SSLv3 server hello split into smaller packets\n");
+ "maybe SSLv3 server hello split into smaller packets\n");
/* lets hope at least the server hello and the start of the certificate block are in the first packet */
cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 4;
NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n",
- cert_start);
+ cert_start);
if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) {
NDPI_LOG_DBG2(ndpi_struct,
- "found 0x0b at suspected start of certificate block\n");
+ "found 0x0b at suspected start of certificate block\n");
return 2;
}
}
@@ -547,16 +565,16 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
u_int32_t cert_start;
NDPI_LOG_DBG2(ndpi_struct,
- "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n");
+ "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n");
/* lets hope at least the server hello record and the start of the certificate record are in the first packet */
cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 5 + 4;
NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n",
- cert_start);
+ cert_start);
if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) {
NDPI_LOG_DBG2(ndpi_struct,
- "found 0x0b at suspected start of certificate block\n");
+ "found 0x0b at suspected start of certificate block\n");
return 2;
}
}
@@ -614,7 +632,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
* so go on checking for certificate patterns for a couple more packets
*/
NDPI_LOG_DBG2(ndpi_struct,
- "ssl flow but check another packet for patterns\n");
+ "ssl flow but check another packet for patterns\n");
ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
/* still ssl so check another packet */
@@ -670,6 +688,17 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
return;
}
+
+ // Application Data pkt
+ if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03
+ && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 ||
+ packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) {
+ if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
+ NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
+ flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
+ return;
+ }
+ }
}
if(packet->payload_packet_len > 40 &&
@@ -696,7 +725,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
} else if(ret == 2) {
NDPI_LOG_DBG2(ndpi_struct,
- "sslv3 server len match with split packet -> check some more packets for SSL patterns\n");
+ "sslv3 server len match with split packet -> check some more packets for SSL patterns\n");
ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow);
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
flow->l4.tcp.ssl_stage = 3;
@@ -726,5 +755,3 @@ void init_ssl_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/starcraft.c b/src/lib/protocols/starcraft.c
index 73cdd0b12..8c344d78d 100644
--- a/src/lib/protocols/starcraft.c
+++ b/src/lib/protocols/starcraft.c
@@ -2,7 +2,7 @@
* starcraft.c
*
* Copyright (C) 2015 - Matteo Bracci <matteobracci1@gmail.com>
-* Copyright (C) 2015 - ntop.org
+* Copyright (C) 2015-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -21,8 +21,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_STARCRAFT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STARCRAFT
#include "ndpi_api.h"
@@ -155,4 +153,3 @@ void init_starcraft_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/stealthnet.c b/src/lib/protocols/stealthnet.c
index 8bd75b1a3..00c7ba648 100644
--- a/src/lib/protocols/stealthnet.c
+++ b/src/lib/protocols/stealthnet.c
@@ -2,7 +2,7 @@
* stealthnet.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_STEALTHNET
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STEALTHNET
#include "ndpi_api.h"
@@ -69,4 +67,3 @@ void init_stealthnet_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c
index 64eaa04fe..0a737baf9 100644
--- a/src/lib/protocols/steam.c
+++ b/src/lib/protocols/steam.c
@@ -25,8 +25,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_STEAM
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STEAM
#include "ndpi_api.h"
@@ -299,5 +297,3 @@ void init_steam_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 8f374ff59..c169a47db 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -2,7 +2,7 @@
* stun.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_STUN
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STUN
#include "ndpi_api.h"
@@ -108,7 +106,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0x4002:
/* These are the only messages apparently whatsapp voice can use */
break;
-
+
case 0x8054: /* Candidate Identifier */
if((len == 4)
&& ((offset+7) < payload_length)
@@ -121,6 +119,20 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
break;
+ case 0x8055: /* MS Service Quality (skype?) */
+ break;
+
+ /* Proprietary fields found on skype calls */
+ case 0x24DF:
+ case 0x3802:
+ case 0x8036:
+ case 0x8095:
+ case 0x0800:
+ /* printf("====>>>> %04X\n", attribute); */
+ flow->protos.stun_ssl.stun.is_skype = 1;
+ return(NDPI_IS_STUN);
+ break;
+
case 0x8070: /* Implementation Version */
if((len == 4)
&& ((offset+7) < payload_length)
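Review bot: The five new labels (`0x24DF`, `0x3802`, `0x8036`, `0x8095`, `0x0800`) set `is_skype` and return `NDPI_IS_STUN` on the attribute type alone. The neighbouring `0x8054` and `0x8070` cases first check `len` and `(offset+7) < payload_length` before drawing a conclusion. The attribute type is read from the packet, so one matching 16-bit value during the attribute walk is enough to label the flow as Skype. If that is intended, the comment should say where the values were observed; otherwise add a `len` check like the neighbours. The `break;` after `return(NDPI_IS_STUN);` is unreachable and the commented-out `printf` can be dropped; the switch and its function start and end outside the hunk.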
@@ -191,7 +203,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
NDPI_LOG_INFO(ndpi_struct, "found Skype\n");
if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
- ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */
ndpi_int_stun_add_connection(ndpi_struct,
@@ -209,9 +221,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
if(flow->protos.stun_ssl.stun.is_skype) {
NDPI_LOG_INFO(ndpi_struct, "Found Skype\n");
-
+
+ /* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */
if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))
- ndpi_set_detected_protocol(ndpi_struct, flow, (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT, NDPI_PROTOCOL_SKYPE);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
} else {
NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n");
ndpi_int_stun_add_connection(ndpi_struct,
@@ -242,5 +255,3 @@ void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c
index d83cd99f7..fc51fc065 100644
--- a/src/lib/protocols/syslog.c
+++ b/src/lib/protocols/syslog.c
@@ -2,7 +2,7 @@
* syslog.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_SYSLOG
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SYSLOG
#include "ndpi_api.h"
@@ -131,5 +129,3 @@ void init_syslog_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c
index 407d36b3b..2d28182df 100644
--- a/src/lib/protocols/tcp_udp.c
+++ b/src/lib/protocols/tcp_udp.c
@@ -1,7 +1,7 @@
/*
* tcp_or_udp.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/teamspeak.c b/src/lib/protocols/teamspeak.c
index df13c9756..214a2fe99 100644
--- a/src/lib/protocols/teamspeak.c
+++ b/src/lib/protocols/teamspeak.c
@@ -19,8 +19,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TEAMSPEAK
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEAMSPEAK
#include "ndpi_api.h"
@@ -79,4 +77,3 @@ void init_teamspeak_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c
index f06e40a73..1fa39ff43 100644
--- a/src/lib/protocols/teamviewer.c
+++ b/src/lib/protocols/teamviewer.c
@@ -2,7 +2,7 @@
* teamviewer.c
*
* Copyright (C) 2012 by Gianluca Costa xplico.org
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TEAMVIEWER
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEAMVIEWER
#include "ndpi_api.h"
@@ -116,4 +114,3 @@ void init_teamviewer_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index d80f5f6b5..79be38eae 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -2,7 +2,7 @@
* telegram.c
*
* Copyright (C) 2014 by Gianluca Costa xplico.org
- * Copyright (C) 2012-15 - ntop.org
+ * Copyright (C) 2012-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TELEGRAM
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TELEGRAM
#include "ndpi_api.h"
@@ -83,4 +81,3 @@ void init_telegram_dissector(struct ndpi_detection_module_struct *ndpi_struct, u
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index 264e83aa1..33d19e1dc 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -2,7 +2,7 @@
* telnet.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TELNET
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TELNET
#include "ndpi_api.h"
@@ -117,5 +115,3 @@ void init_telnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c
index 2439f997b..e377d09a4 100644
--- a/src/lib/protocols/teredo.c
+++ b/src/lib/protocols/teredo.c
@@ -1,7 +1,7 @@
/*
* teredo.c
*
- * Copyright (C) 2015 - ntop.org
+ * Copyright (C) 2015-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TEREDO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEREDO
#include "ndpi_api.h"
@@ -34,7 +32,7 @@ void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct
NDPI_LOG_DBG(ndpi_struct,"search teredo\n");
if(packet->udp
&& packet->iph
- && ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */)
+ && ((ntohl(packet->iph->daddr) & 0xF0000000) != 0xE0000000 /* Not a multicast address */)
&& ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544))
&& (packet->payload_packet_len >= 40 /* IPv6 header */)) {
NDPI_LOG_INFO(ndpi_struct,"found teredo\n");
@@ -57,4 +55,3 @@ void init_teredo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c
index 082e04326..f3da3463c 100644
--- a/src/lib/protocols/tftp.c
+++ b/src/lib/protocols/tftp.c
@@ -2,7 +2,7 @@
* tftp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TFTP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TFTP
#include "ndpi_api.h"
@@ -79,4 +77,3 @@ void init_tftp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c
index 384436f13..754f68f60 100644
--- a/src/lib/protocols/thunder.c
+++ b/src/lib/protocols/thunder.c
@@ -2,7 +2,7 @@
* thunder.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_THUNDER
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_THUNDER
#include "ndpi_api.h"
@@ -221,5 +219,3 @@ void init_thunder_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c
index 19bfa34aa..7ee4105e8 100644
--- a/src/lib/protocols/tinc.c
+++ b/src/lib/protocols/tinc.c
@@ -2,7 +2,7 @@
* tinc.c
*
* Copyright (C) 2017 - William Guglielmo <william@deselmo.com>
- * Copyright (C) 2017 - ntop.org
+ * Copyright (C) 2017-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TINC
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TINC
#include "ndpi_api.h"
@@ -154,4 +152,3 @@ void init_tinc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index 462833db0..f1c6f586a 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -1,14 +1,12 @@
/*
* tor.c
*
- * Copyright (C) 2016 ntop.org
+ * Copyright (C) 2016-18 ntop.org
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
*
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TOR
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TOR
#include "ndpi_api.h"
@@ -22,7 +20,7 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, char *certificate) {
- int prev_num = 0, numbers_found = 0, num_found = 0, i, len;
+ int prev_num = 0, numbers_found = 0, num_found = 0, i, len, num_impossible = 0;
char dummy[48], *dot, *name;
if(certificate == NULL)
@@ -73,12 +71,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) {
num_found++;
} else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
+ num_impossible++;
}
}
- if(num_found == 0) {
+ if((num_found == 0) || (num_impossible > 1)) {
ndpi_int_tor_add_connection(ndpi_struct, flow);
return(1);
} else {
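Review bot: The new condition `(num_found == 0) || (num_impossible > 1)` in ndpi_is_ssl_tor uses an unexplained threshold, and it changes detection sensitivity: a certificate name with exactly one impossible bigram and at least one common bigram is no longer classified as Tor, where it previously matched on the first impossible bigram. That is presumably meant to cut false positives on legitimate host names, but nothing in the hunk says so. I would name the limit, for example `#define TOR_MAX_IMPOSSIBLE_BIGRAMS 1`, and add a comment above the test such as `/* one impossible bigram also shows up in ordinary names; require more than one before flagging */`. The function starts and ends outside this hunk, so the loop bounds and the else branch were not reviewed.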
@@ -133,4 +130,3 @@ void init_tor_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/tvants.c b/src/lib/protocols/tvants.c
index ceee278b9..eafce38c4 100644
--- a/src/lib/protocols/tvants.c
+++ b/src/lib/protocols/tvants.c
@@ -2,7 +2,7 @@
* tvants.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TVANTS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TVANTS
#include "ndpi_api.h"
@@ -85,5 +83,3 @@ void init_tvants_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/tvuplayer.c b/src/lib/protocols/tvuplayer.c
index 2160a5afa..ce84c7de3 100644
--- a/src/lib/protocols/tvuplayer.c
+++ b/src/lib/protocols/tvuplayer.c
@@ -2,7 +2,7 @@
* tvuplayer.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_TVUPLAYER
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TVUPLAYER
#include "ndpi_api.h"
@@ -160,5 +158,3 @@ void init_tvuplayer_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c
index d8392fda7..2e35d1d98 100644
--- a/src/lib/protocols/ubntac2.c
+++ b/src/lib/protocols/ubntac2.c
@@ -21,13 +21,10 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_UBNTAC2
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UBNTAC2
#include "ndpi_api.h"
-
static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN);
@@ -94,5 +91,3 @@ void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/upnp.c b/src/lib/protocols/upnp.c
new file mode 100644
index 000000000..1706d021d
--- /dev/null
+++ b/src/lib/protocols/upnp.c
@@ -0,0 +1,65 @@
+/*
+ * upnp.c
+ *
+ * Copyright (C) 2018 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UPNP
+
+#include "ndpi_api.h"
+
+#define UPNP_PORT 3702
+
+void ndpi_search_upnp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG_DBG(ndpi_struct, "search upnp\n");
+
+ if(packet->udp
+ && (
+ (packet->iph && ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */))
+#ifdef NDPI_DETECTION_SUPPORT_IPV6
+ ||
+ (packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000)
+#endif
+ )
+ && (ntohs(packet->udp->dest) == UPNP_PORT)
+ && (packet->payload_packet_len >= 40)
+ && (strncmp((char*)packet->payload, "<?xml", 5) == 0)
+ ) {
+ NDPI_LOG_INFO(ndpi_struct,"found teredo\n");
+ ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UPNP, NDPI_PROTOCOL_UNKNOWN);
+ } else {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+}
+
+
+void init_upnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("UPNP", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_UPNP,
+ ndpi_search_upnp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+ *id += 1;
+}
+
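Review bot: The success path in ndpi_search_upnp logs `found teredo`, which looks copied from another dissector and will mislead anyone reading debug output; it should read `NDPI_LOG_INFO(ndpi_struct, "found upnp\n");`. UPNP_PORT is 3702, the port registered for WS-Discovery, whereas SSDP-based UPnP discovery uses UDP 1900. A one-line comment on the define stating which protocol is meant, for example `/* WS-Discovery multicast port */`, would keep the resulting classification from being misread. The payload test runs strncmp over packet bytes; since the length is already checked, `memcmp(packet->payload, "<?xml", 5) == 0` states the intent more directly.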
diff --git a/src/lib/protocols/usenet.c b/src/lib/protocols/usenet.c
index 0a995d6f8..6a2970d6e 100644
--- a/src/lib/protocols/usenet.c
+++ b/src/lib/protocols/usenet.c
@@ -2,7 +2,7 @@
* usenet.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -25,8 +25,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_USENET
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_USENET
#include "ndpi_api.h"
@@ -104,5 +102,3 @@ void init_usenet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/vhua.c b/src/lib/protocols/vhua.c
index 844eaf84f..eef5c065f 100644
--- a/src/lib/protocols/vhua.c
+++ b/src/lib/protocols/vhua.c
@@ -1,7 +1,7 @@
/*
* vhua.c
*
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* nDPI is free software: you can vhuatribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -19,8 +19,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_VHUA
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VHUA
#include "ndpi_api.h"
@@ -79,4 +77,3 @@ void init_vhua_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/viber.c b/src/lib/protocols/viber.c
index 517b74b91..65e227234 100644
--- a/src/lib/protocols/viber.c
+++ b/src/lib/protocols/viber.c
@@ -2,7 +2,7 @@
* viber.c
*
* Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
- * Copyright (C) 2013 - 2014 ntop.org
+ * Copyright (C) 2013-18 - ntop.org
*
* This module is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_VIBER
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VIBER
#include "ndpi_api.h"
@@ -61,5 +59,3 @@ void init_viber_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/vmware.c b/src/lib/protocols/vmware.c
index 34fe84ab9..138d09bbc 100644
--- a/src/lib/protocols/vmware.c
+++ b/src/lib/protocols/vmware.c
@@ -1,7 +1,7 @@
/*
* vmware.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_VMWARE
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VMWARE
#include "ndpi_api.h"
@@ -56,5 +54,3 @@ void init_vmware_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c
index 6bbb26c6d..65988bce6 100644
--- a/src/lib/protocols/vnc.c
+++ b/src/lib/protocols/vnc.c
@@ -1,7 +1,7 @@
/*
* vnc.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -22,8 +22,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_VNC
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VNC
#include "ndpi_api.h"
@@ -76,5 +74,3 @@ void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/warcraft3.c b/src/lib/protocols/warcraft3.c
index bbc1d8388..3f970bd25 100644
--- a/src/lib/protocols/warcraft3.c
+++ b/src/lib/protocols/warcraft3.c
@@ -2,7 +2,7 @@
* warcraft3.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_WARCRAFT3
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WARCRAFT3
#include "ndpi_api.h"
@@ -106,4 +104,3 @@ void init_warcraft3_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/whatsapp.c b/src/lib/protocols/whatsapp.c
index b079dcd01..6964a8e0e 100644
--- a/src/lib/protocols/whatsapp.c
+++ b/src/lib/protocols/whatsapp.c
@@ -19,8 +19,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_WHATSAPP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WHATSAPP
#include "ndpi_api.h"
@@ -35,12 +33,30 @@ void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search WhatsApp\n");
+ if(flow->l4.tcp.wa_matched_so_far == 0) {
+ if(memcmp(packet->payload, whatsapp_sequence, packet->payload_packet_len)) {
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ } else
+ flow->l4.tcp.wa_matched_so_far = packet->payload_packet_len;
+
+ return;
+ } else {
+ if(memcmp(packet->payload, &whatsapp_sequence[flow->l4.tcp.wa_matched_so_far],
+ sizeof(whatsapp_sequence)-flow->l4.tcp.wa_matched_so_far))
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ else
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+
+ return;
+ }
+
if((packet->payload_packet_len > 240)
&& (memcmp(packet->payload, whatsapp_sequence, sizeof(whatsapp_sequence)) == 0)) {
NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
- } else
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
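Review bot: Both added memcmp() calls in ndpi_search_whatsapp use a length that is not bounded by both buffers. The first compares packet->payload_packet_len bytes and so reads past whatsapp_sequence whenever the packet is longer than the signature; the second compares sizeof(whatsapp_sequence)-wa_matched_so_far bytes without checking that the payload is that long. Since the payload is captured traffic, the length should be clamped to the smaller of the payload length and the remaining signature bytes, with the counter advanced by that amount, as sketched below. Both branches also return, which leaves the old `payload_packet_len > 240` check and the trailing NDPI_EXCLUDE_PROTO unreachable, so that block can be removed. The function starts above the hunk, and whatsapp_sequence and the wa_matched_so_far field are declared outside it, so their sizes are assumed here.

```c
  /* … unchanged: packet declaration and debug log … */
  if(flow->l4.tcp.wa_matched_so_far < sizeof(whatsapp_sequence)) {
    size_t remaining = sizeof(whatsapp_sequence) - flow->l4.tcp.wa_matched_so_far;
    size_t to_cmp = (packet->payload_packet_len < remaining) ? packet->payload_packet_len : remaining;

    /* Never compare more bytes than either the payload or the signature holds */
    if(memcmp(packet->payload, &whatsapp_sequence[flow->l4.tcp.wa_matched_so_far], to_cmp)) {
      NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
      return;
    }

    flow->l4.tcp.wa_matched_so_far += to_cmp;
    if(flow->l4.tcp.wa_matched_so_far == sizeof(whatsapp_sequence)) {
      NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
    }
    return;
  }
  /* … removed: unreachable payload_packet_len > 240 check and trailing exclude … */
```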
@@ -55,6 +71,3 @@ void init_whatsapp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}
-
-
-#endif
diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c
index 291ae15ca..335aa6f65 100644
--- a/src/lib/protocols/whoisdas.c
+++ b/src/lib/protocols/whoisdas.c
@@ -1,7 +1,7 @@
/*
* whoisdas.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -20,8 +20,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_WHOIS_DAS
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WHOIS_DAS
#include "ndpi_api.h"
@@ -75,5 +73,3 @@ void init_whois_das_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/world_of_kung_fu.c b/src/lib/protocols/world_of_kung_fu.c
index 534addc7d..d179ef526 100644
--- a/src/lib/protocols/world_of_kung_fu.c
+++ b/src/lib/protocols/world_of_kung_fu.c
@@ -2,7 +2,7 @@
* world_of_kung_fu.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,7 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_WORLD_OF_KUNG_FU
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WORLD_OF_KUNG_FU
#include "ndpi_api.h"
@@ -64,5 +63,3 @@ void init_world_of_kung_fu_dissector(struct ndpi_detection_module_struct *ndpi_s
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c
index bfcf3f4e1..acb010a85 100644
--- a/src/lib/protocols/world_of_warcraft.c
+++ b/src/lib/protocols/world_of_warcraft.c
@@ -2,7 +2,7 @@
* world_of_warcraft.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_WORLDOFWARCRAFT
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WORLDOFWARCRAFT
#include "ndpi_api.h"
@@ -215,4 +213,3 @@ void init_world_of_warcraft_dissector(struct ndpi_detection_module_struct *ndpi_
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c
index 3182c191c..5d1f64d43 100644
--- a/src/lib/protocols/xbox.c
+++ b/src/lib/protocols/xbox.c
@@ -1,7 +1,7 @@
/*
* xbox.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,7 +23,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_XBOX
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XBOX
#include "ndpi_api.h"
@@ -84,9 +83,7 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n
}
/* exclude here all non matched udp traffic, exclude here tcp only if http has been excluded, because xbox could use http */
-#ifdef NDPI_PROTOCOL_HTTP
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) {
-#endif
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
@@ -106,4 +103,3 @@ void init_xbox_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/xdmcp.c b/src/lib/protocols/xdmcp.c
index 71bcd9c69..35b08b91b 100644
--- a/src/lib/protocols/xdmcp.c
+++ b/src/lib/protocols/xdmcp.c
@@ -2,7 +2,7 @@
* xdmcp.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -24,8 +24,6 @@
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_XDMCP
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XDMCP
#include "ndpi_api.h"
@@ -77,5 +75,3 @@ void init_xdmcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index 1144fb4ef..3be953939 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -1,7 +1,7 @@
/*
* yahoo.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -22,11 +22,9 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_YAHOO
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_YAHOO
-#include "ndpi_api.h"
-
+#include "ndpi_api.h"
struct ndpi_yahoo_header {
u_int8_t YMSG_str[4];
@@ -313,9 +311,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru
}
}
/* detect YAHOO over HTTP proxy */
-#ifdef NDPI_PROTOCOL_HTTP
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP)
-#endif
{
if (flow->l4.tcp.yahoo_http_proxy_stage == 0) {
@@ -370,12 +366,8 @@ void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct
if(packet->tcp != NULL && packet->tcp_retransmission == 0) {
if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
-#ifdef NDPI_PROTOCOL_HTTP
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP
-#endif
-#ifdef NDPI_PROTOCOL_SSL
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
-#endif
/* search over TCP */
ndpi_search_yahoo_tcp(ndpi_struct, flow);
}
@@ -412,4 +404,3 @@ void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
*id += 1;
}
-#endif
diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c
index c3e514dda..3b0c02d80 100644
--- a/src/lib/protocols/zattoo.c
+++ b/src/lib/protocols/zattoo.c
@@ -1,7 +1,7 @@
/*
* zattoo.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -22,8 +22,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_ZATTOO
-
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZATTOO
#include "ndpi_api.h"
@@ -240,5 +238,3 @@ void init_zattoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
*id += 1;
}
-
-#endif
diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c
index c7c8e9519..aa73d4a6d 100644
--- a/src/lib/protocols/zeromq.c
+++ b/src/lib/protocols/zeromq.c
@@ -1,7 +1,7 @@
/*
* zmq.c
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2016-18 - ntop.org
*
* nDPI is free software: you can zmqtribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
@@ -19,7 +19,6 @@
*/
#include "ndpi_protocol_ids.h"
-#ifdef NDPI_PROTOCOL_ZMQ
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZMQ
#include "ndpi_api.h"
@@ -109,5 +108,3 @@ void init_zmq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
*id += 1;
}
-
-#endif