authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2022-03-09 22:37:35 +0100
committerGitHub <noreply@github.com>2022-03-09 22:37:35 +0100
commit7aee856aa063f7861be7e7fe2970ba014391d9bf (patch)
treeb02873c5d63cb1ade981a437bbf4c1cfdf19a66f /src/lib
parentf646a4bce036edfd26215b5875fe81473dbb175d (diff)
Extend tests coverage (#1476)
Now there is at least one flow under `tests/pcap` for 249 protocols out of the 284 ones supported by nDPI. The 35 protocols without any tests are: * P2P/sharing protocols: DIRECT_DOWNLOAD_LINK, OPENFT, FASTTRACK, EDONKEY, SOPCAST, THUNDER, APPLEJUICE, DIRECTCONNECT, STEALTHNET * games: CSGO, HALFLIFE2, ARMAGETRON, CROSSFIRE, DOFUS, FIESTA, FLORENSIA, GUILDWARS, MAPLESTORY, WORLD_OF_KUNG_FU * voip/streaming: VHUA, ICECAST, SHOUTCAST, TVUPLAYER, TRUPHONE * other: AYIYA, SOAP, TARGUS_GETDATA, RPC, ZMQ, REDIS, VMWARE, NOE, LOTUS_NOTES, EGP, SAP Most of these protocols (especially the P2P and games ones) have been inherited from OpenDPI and have not been updated since then: even if they are still used, the detection rules might be outdated. However code coverage (of `lib/protocols`) only increases from 65.6% to 68.9%. Improve Citrix, Corba, Fix, Aimini, Megaco, PPStream, SNMP and Some/IP dissection. Treat IPP as a HTTP sub protocol. Fix Cassandra false positives. Remove `NDPI_PROTOCOL_QQLIVE` and `NDPI_PROTOCOL_REMOTE_SCAN`: these protocol ids are defined but they are never used. Remove Collectd support: its code has never been called. If someone is really interested in this protocol, we can re-add it later, updating the dissector. Add decoding of PPI (Per-Packet Information) data link type.
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_content_match.c.inc16
-rw-r--r--src/lib/ndpi_main.c19
-rw-r--r--src/lib/protocols/aimini.c4
-rw-r--r--src/lib/protocols/cassandra.c7
-rw-r--r--src/lib/protocols/citrix.c50
-rw-r--r--src/lib/protocols/collectd.c54
-rw-r--r--src/lib/protocols/corba.c4
-rw-r--r--src/lib/protocols/fix.c7
-rw-r--r--src/lib/protocols/ipp.c81
-rw-r--r--src/lib/protocols/lisp.c40
-rw-r--r--src/lib/protocols/megaco.c3
-rw-r--r--src/lib/protocols/snmp_proto.c136
-rw-r--r--src/lib/protocols/someip.c25
-rw-r--r--src/lib/protocols/xdmcp.c2
14 files changed, 188 insertions, 260 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 323d7116e..34ca02ac1 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1297,7 +1297,7 @@ static ndpi_protocol_match host_match[] =
{ ".m.me", "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
/* Pandora */
- { ".pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".torproject.org", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1334,7 +1334,7 @@ static ndpi_protocol_match host_match[] =
{ ".waze.com", "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "wazespeechactiviation-pa.googleapis.com", "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { ".deezer.com", "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "deezer.com", "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
/* Microsoft + Azure */
{ ".wpc.v0cdn.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1523,7 +1523,7 @@ static ndpi_protocol_match host_match[] =
{ ".licdn.com", "LinkedIn", NDPI_PROTOCOL_LINKEDIN, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".sndcdn.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
- { ".soundcloud.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "soundcloud.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "getrockerbox.com", "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ "web.telegram.org", "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DEFAULT_LEVEL },
@@ -1733,6 +1733,13 @@ static ndpi_protocol_match host_match[] =
{ "sonicwall.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
{ ".rsa.com", "Cybersec", NDPI_PROTOCOL_CYBERSECURITY, NDPI_PROTOCOL_CATEGORY_CYBERSECURITY, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "iqiyi.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "iqiyipic.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "iq.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "qy.net", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "qiyipic.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+ { "ppstream.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL },
+
{ NULL, NULL, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DEFAULT_LEVEL }
};
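Review bot: The new PPStream entries `iq.com` and `qy.net` are very short and carry no leading dot, so unless the host matcher enforces a label boundary they will also fire on unrelated hostnames that merely end in those characters (a constructed example: `uniq.com`), mis-labelling that traffic as PPStream. The earlier hunks that drop the leading dot (`pandora.com`, `deezer.com`, `soundcloud.com`) have the same property, although those strings are long enough that accidental matches are unlikely. I would either keep the leading dot (`".iq.com"`, `".qy.net"`) or confirm that the matcher anchors on a label boundary and record that next to the table, e.g. `/* entries without a leading dot match on any label boundary */`.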
@@ -1771,10 +1778,7 @@ static ndpi_category_match category_match[] = {
{ "baidu.com", NDPI_PROTOCOL_CATEGORY_WEB },
{ "icq.com", NDPI_PROTOCOL_CATEGORY_CHAT },
{ "quickplay.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
- { ".iqiyi.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
- { ".qiyi.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ ".71.am", NDPI_PROTOCOL_CATEGORY_STREAMING },
- { ".qiyipic.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ ".1kxun.", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ "tcad.wedolook.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
{ ".rapidvideo.com", NDPI_PROTOCOL_CATEGORY_STREAMING },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 14eb06062..7b7d592af 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -961,6 +961,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, NDPI_PROTOCOL_GNUTELLA,
NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT,
NDPI_PROTOCOL_THUNDER, NDPI_PROTOCOL_IRC,
+ NDPI_PROTOCOL_IPP,
NDPI_PROTOCOL_MATCHED_BY_CONTENT,
NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_HTTP can have (content-matched) subprotocols */
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MDNS,
@@ -1186,8 +1187,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"TVUplayer", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_QQLIVE,
- "QQLive", NDPI_PROTOCOL_CATEGORY_VIDEO,
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_61,
+ "FREE61", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_THUNDER,
@@ -1558,10 +1559,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"LLMNR", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 5355, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 5355, 0, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_REMOTE_SCAN,
- "RemoteScan", NDPI_PROTOCOL_CATEGORY_NETWORK,
- ndpi_build_default_ports(ports_a, 6077, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 6078, 0, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_FREE_155,
+ "FREE155", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_H323,
"H323", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 1719, 1720, 0, 0, 0) /* TCP */,
@@ -1614,10 +1615,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"Whois-DAS", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
- ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD,
- "Collectd", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
+ ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_171,
+ "FREE171", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
- ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0)); /* UDP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOCKS,
"SOCKS", NDPI_PROTOCOL_CATEGORY_WEB,
ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0), /* TCP */
diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c
index 61158dda3..c0d8327a9 100644
--- a/src/lib/protocols/aimini.c
+++ b/src/lib/protocols/aimini.c
@@ -227,8 +227,10 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct
{
if ((LINE_STARTS(packet->http_url_name, "/download/") == 1 ||
LINE_STARTS(packet->http_url_name, "/player/") == 1 ||
+ LINE_STARTS(packet->http_url_name, "/webcounter/") == 1 ||
LINE_STARTS(packet->http_url_name, "/play/") == 1 ||
- LINE_STARTS(packet->http_url_name, "/member/") == 1) &&
+ LINE_STARTS(packet->http_url_name, "/search/") == 1 ||
+ LINE_STARTS(packet->http_url_name, "/member/") == 1) &&
(LINE_ENDS(packet->host_line, ".aimini.net") == 1 ||
LINE_ENDS(packet->host_line, ".aimini.com") == 1))
{
diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c
index 15b3b0015..058590ba9 100644
--- a/src/lib/protocols/cassandra.c
+++ b/src/lib/protocols/cassandra.c
@@ -110,13 +110,18 @@ void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_struct,
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ NDPI_LOG_DBG(ndpi_struct, "search Cassandra\n");
+
if (packet->tcp) {
if (packet->payload_packet_len >= CASSANDRA_HEADER_LEN &&
ndpi_check_valid_cassandra_version(get_u_int8_t(packet->payload, 0)) &&
ndpi_check_valid_cassandra_flags(get_u_int8_t(packet->payload, 1)) &&
ndpi_check_valid_cassandra_opcode(get_u_int8_t(packet->payload, 4)) &&
le32toh(get_u_int32_t(packet->payload, 5)) <= CASSANDRA_MAX_BODY_SIZE &&
- le32toh(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN)) {
+ le32toh(get_u_int32_t(packet->payload, 5)) >= (uint32_t) (packet->payload_packet_len - CASSANDRA_HEADER_LEN) &&
+ flow->l4.tcp.h323_valid_packets == 0 /* To avoid clashing with H323 */ &&
+ flow->socks4_stage == 0 /* To avoid clashing with SOCKS */) {
+ NDPI_LOG_INFO(ndpi_struct, "found Cassandra\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CASSANDRA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
return;
}
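Review bot: The two added guards `flow->l4.tcp.h323_valid_packets == 0` and `flow->socks4_stage == 0` make Cassandra detection depend on the H323 and SOCKS dissectors having already run on this flow and updated their state; if the dissector call order changes, this false-positive fix presumably stops working without any visible error. A comment would make the coupling explicit, e.g. `/* Relies on the H323 and SOCKS dissectors having run before this one on the same flow */`. ndpi_search_cassandra continues past the end of the hunk.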
diff --git a/src/lib/protocols/citrix.c b/src/lib/protocols/citrix.c
index 6a9aa25b9..740dfca8b 100644
--- a/src/lib/protocols/citrix.c
+++ b/src/lib/protocols/citrix.c
@@ -35,40 +35,26 @@ static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int32_t payload_len = packet->payload_packet_len;
- if(packet->tcp != NULL) {
- flow->l4.tcp.citrix_packet_id++;
-
- if((flow->l4.tcp.citrix_packet_id == 3)
- /* We have seen the 3-way handshake */
- && flow->l4.tcp.seen_syn
- && flow->l4.tcp.seen_syn_ack
- && flow->l4.tcp.seen_ack) {
- if(payload_len == 6) {
- char citrix_header[] = { 0x07, 0x07, 0x49, 0x43, 0x41, 0x00 };
-
- if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found citrix\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- }
- return;
- } else if(payload_len > 22) {
- char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 };
-
- if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0)
- || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) {
- NDPI_LOG_INFO(ndpi_struct, "found citrix\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- }
- return;
- }
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- } else if(flow->l4.tcp.citrix_packet_id > 3) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ if(payload_len == 6) {
+ char citrix_header[] = { 0x7F, 0x7F, 0x49, 0x43, 0x41, 0x00 };
+
+ if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found citrix\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ } else if(payload_len > 22) {
+ char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 };
+
+ if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0)
+ || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) {
+ NDPI_LOG_INFO(ndpi_struct, "found citrix\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
}
-
- return;
}
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void ndpi_search_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
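Review bot: The two magic sequences are written as opaque byte arrays although bytes 2..5 of the first are ASCII `ICA` followed by NUL and bytes 1..6 of the second are `CGP/01`; a short comment on each array, e.g. `/* 0x7F 0x7F "ICA" NUL */` and `/* 0x1a "CGP/01" */`, would make both checks self-explanatory. The rewrite also excludes the protocol on the first payload packet whose length is neither 6 nor greater than 22, where the old code waited for the third packet after the handshake; that looks intended, but the removed handshake logic no longer explains it, so a one-line comment above `NDPI_EXCLUDE_PROTO` stating that a non-matching first payload is enough to exclude would help. ndpi_check_citrix starts before the hunk.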
diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c
deleted file mode 100644
index f9535ab91..000000000
--- a/src/lib/protocols/collectd.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * collectd.c
- *
- * Copyright (C) 2014-22 - ntop.org
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
- */
-
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COLLECTD
-
-#include "ndpi_api.h"
-
-
-void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int len = 0;
-
- NDPI_LOG_DBG(ndpi_struct, "search collectd\n");
-
- if (packet->udp == NULL) return;
-
-
- while(len < packet->payload_packet_len) {
- // u_int16_t elem_type = ntohs(*((u_int16_t*)&packet->payload[len]));
- u_int16_t elem_len = ntohs(*((u_int16_t*)&packet->payload[len+2]));
-
- if (elem_len == 0) break;
-
- len += elem_len;
- }
-
- if(len == packet->payload_packet_len) {
- NDPI_LOG_INFO(ndpi_struct, "found COLLECTD\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
- } else {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-}
diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c
index c994b756c..bcd8ab0ba 100644
--- a/src/lib/protocols/corba.c
+++ b/src/lib/protocols/corba.c
@@ -37,8 +37,8 @@ void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct
if(packet->tcp != NULL) {
NDPI_LOG_DBG2(ndpi_struct, "calculating CORBA over tcp\n");
/* Corba General Inter-ORB Protocol -> GIOP */
- if ((packet->payload_packet_len >= 24 && packet->payload_packet_len <= 144) &&
- memcmp(packet->payload, "GIOP", 4) == 0) {
+ if(packet->payload_packet_len >= 24 &&
+ memcmp(packet->payload, "GIOP", 4) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found corba\n");
ndpi_int_corba_add_connection(ndpi_struct, flow);
}
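Review bot: Dropping the `<= 144` upper bound leaves the 4-byte `GIOP` magic plus a minimum length as the only evidence for a dissector that classifies on the first packet, which weakens the signal. The GIOP header carries a major/minor version pair immediately after the magic, so adding a check such as `packet->payload[4] == 1 /* GIOP 1.x */` (confirm the field layout against the CORBA GIOP specification first) would recover some of the selectivity lost here without re-introducing the arbitrary size cap. ndpi_search_corba begins before the hunk.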
diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c
index dcfce6065..dc477341a 100644
--- a/src/lib/protocols/fix.c
+++ b/src/lib/protocols/fix.c
@@ -36,11 +36,10 @@ void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct nd
if(packet->tcp && packet->payload_packet_len > 5) {
// 8=
if(packet->payload[0] == 0x38 && packet->payload[1] == 0x3d) {
- // FIX.
+ // FIX
if(packet->payload[2] == 0x46 &&
packet->payload[3] == 0x49 &&
- packet->payload[4] == 0x58 &&
- packet->payload[5] == 0x2e) {
+ packet->payload[4] == 0x58) {
NDPI_LOG_INFO(ndpi_struct, "found FIX\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
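Review bot: The check now accepts any BeginString starting with `8=FIX`, but the reason for dropping the `.` byte is not recorded; if the intent is to accept `FIXT.1.1` sessions as well as `FIX.4.x`, say so in place of the bare `// FIX`, e.g. `// 8=FIX (also matches FIXT.1.1 BeginString)`. Without that, a later reader may reasonably put the stricter byte back. ndpi_search_fix starts before the hunk.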
@@ -68,7 +67,7 @@ void init_fix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
ndpi_set_bitmask_protocol_detection("FIX", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_FIX,
ndpi_search_fix,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
diff --git a/src/lib/protocols/ipp.c b/src/lib/protocols/ipp.c
index 57edee6ad..546bfaea3 100644
--- a/src/lib/protocols/ipp.c
+++ b/src/lib/protocols/ipp.c
@@ -30,83 +30,28 @@
static void ndpi_int_ipp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */)
+ struct ndpi_flow_struct *flow)
{
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IPP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_IPP, NDPI_CONFIDENCE_DPI);
}
void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- u_int8_t i;
+ struct ndpi_packet_struct *packet = &ndpi_struct->packet;
- NDPI_LOG_DBG(ndpi_struct, "search ipp\n");
+ NDPI_LOG_DBG(ndpi_struct, "search ipp\n");
- if (packet->payload_packet_len > 20) {
+ /* Treat IPP as a HTTP sub-protocol */
- NDPI_LOG_DBG2(ndpi_struct,
- "searching for a payload with a pattern like 'number(1to8)blanknumber(1to3)ipp://.\n");
- /* this pattern means that there is a printer saying that his state is idle,
- * means that he is not printing anything at the moment */
- i = 0;
+ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP &&
+ flow->http.method == NDPI_HTTP_METHOD_POST &&
+ LINE_STARTS(packet->http_url_name, "/ipp/") == 1) {
+ NDPI_LOG_INFO(ndpi_struct, "found ipp\n");
+ ndpi_int_ipp_add_connection(ndpi_struct, flow);
+ return;
+ }
- if (packet->payload[i] < '0' || packet->payload[i] > '9') {
- NDPI_LOG_DBG2(ndpi_struct, "payload does not begin with a number\n");
- goto search_for_next_pattern;
- }
-
- for (;;) {
- i++;
- if (!((packet->payload[i] >= '0' && packet->payload[i] <= '9') ||
- (packet->payload[i] >= 'a' && packet->payload[i] <= 'f') ||
- (packet->payload[i] >= 'A' && packet->payload[i] <= 'F')) || i > 8) {
- NDPI_LOG_DBG2(ndpi_struct,
- "read symbols while the symbol is a number.\n");
- break;
- }
- }
-
- if (packet->payload[i++] != ' ') {
- NDPI_LOG_DBG2(ndpi_struct, "there is no blank following the number\n");
- goto search_for_next_pattern;
- }
-
- if (packet->payload[i] < '0' || packet->payload[i] > '9') {
- NDPI_LOG_DBG2(ndpi_struct, "no number following the blank\n");
- goto search_for_next_pattern;
- }
-
- for (;;) {
- i++;
- if (packet->payload[i] < '0' || packet->payload[i] > '9' || i > 12) {
- NDPI_LOG_DBG2(ndpi_struct,
- "read symbols while the symbol is a number.\n");
- break;
- }
- }
-
- if (memcmp(&packet->payload[i], " ipp://", 7) != 0) {
- NDPI_LOG_DBG2(ndpi_struct, "the string ' ipp://' does not follow\n");
- goto search_for_next_pattern;
- }
-
- NDPI_LOG_INFO(ndpi_struct, "found ipp\n");
- ndpi_int_ipp_add_connection(ndpi_struct, flow);
- return;
- }
-
- search_for_next_pattern:
-
- if (packet->payload_packet_len > 3 && memcmp(packet->payload, "POST", 4) == 0) {
- ndpi_parse_packet_line_info(ndpi_struct, flow);
- if (packet->content_line.ptr != NULL && packet->content_line.len > 14
- && memcmp(packet->content_line.ptr, "application/ipp", 15) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found ipp via POST ... application/ipp\n");
- ndpi_int_ipp_add_connection(ndpi_struct, flow);
- return;
- }
- }
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
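Review bot: The rewrite recognises IPP only when the URL starts with `/ipp/` and silently drops the old `Content-Type: application/ipp` test, so a POST carrying IPP to any other path (CUPS-style `/printers/<queue>`, a constructed example) is no longer classified even though the content type identifies it unambiguously. I would keep the content-type check as an alternative condition: `(LINE_STARTS(packet->http_url_name, "/ipp/") == 1 || (packet->content_line.ptr != NULL && packet->content_line.len > 14 && memcmp(packet->content_line.ptr, "application/ipp", 15) == 0))`. Separately, `NDPI_EXCLUDE_PROTO` is reached on the first packet where `detected_protocol_stack[0]` is not yet HTTP, so this only works if the IPP dissector is guaranteed to run after HTTP detection on the same flow; the comment `/* Treat IPP as a HTTP sub-protocol */` should state that ordering assumption.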
diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c
index 403355772..a1a2dafbb 100644
--- a/src/lib/protocols/lisp.c
+++ b/src/lib/protocols/lisp.c
@@ -24,8 +24,8 @@
#include "ndpi_api.h"
-#define LISP_PORT 4341
-#define LISP_PORT1 4342
+#define LISP_PORT 4341 /* Only UDP */
+#define LISP_PORT1 4342 /* TCP and UDP */
static void ndpi_int_lisp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
@@ -39,23 +39,35 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+ u_int16_t lisp_port1 = htons(LISP_PORT1);
+ u_int16_t lisp_port = htons(LISP_PORT);
if(packet->udp != NULL) {
-
- u_int16_t lisp_port = htons(LISP_PORT);
- u_int16_t lisp_port1 = htons(LISP_PORT1);
-
- if(((packet->udp->source == lisp_port)
- && (packet->udp->dest == lisp_port)) ||
- ((packet->udp->source == lisp_port1)
- && (packet->udp->dest == lisp_port1)) ) {
-
+ if((packet->udp->source == lisp_port && packet->udp->dest == lisp_port) ||
+ (packet->udp->source == lisp_port1 && packet->udp->dest == lisp_port1)) {
+ NDPI_LOG_INFO(ndpi_struct, "found lisp\n");
+ ndpi_int_lisp_add_connection(ndpi_struct, flow, 0);
+ return;
+ }
+ } else {
+ /* See draft-kouvelas-lisp-map-server-reliable-transport-07 */
+ if(packet->tcp->source == lisp_port1 ||
+ packet->tcp->dest == lisp_port1) {
+ if(packet->payload_packet_len >= 8) {
+ u_int16_t msg_len = ntohs(*(u_int16_t *)&packet->payload[2]);
+ if(msg_len >= packet->payload_packet_len &&
+ /* End marker: we don't handle fragmented messages */
+ packet->payload[packet->payload_packet_len - 1] == 0xE9 &&
+ packet->payload[packet->payload_packet_len - 2] == 0xAD &&
+ packet->payload[packet->payload_packet_len - 3] == 0xAC &&
+ packet->payload[packet->payload_packet_len - 4] == 0x9F) {
NDPI_LOG_INFO(ndpi_struct, "found lisp\n");
ndpi_int_lisp_add_connection(ndpi_struct, flow, 0);
- return;
-
+ return;
+ }
}
}
+ }
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
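Review bot: `ntohs(*(u_int16_t *)&packet->payload[2])` on the new TCP path reads a 16-bit value through a cast pointer, which violates strict aliasing and is an unaligned access on strict-alignment targets; the accessor helpers already used elsewhere in this commit (`get_u_int32_t` in cassandra.c) exist for this, so `u_int16_t msg_len = ntohs(get_u_int16_t(packet->payload, 2));` is the idiomatic form. The comparison `msg_len >= packet->payload_packet_len` also reads as the opposite of the comment `we don't handle fragmented messages`, since a length field larger than the captured payload is exactly the fragmented case; confirm the intended relation against the draft (if the length excludes the 4-byte end marker, `msg_len + 4 == packet->payload_packet_len` would be the exact test). Finally, the `else` branch dereferences `packet->tcp` without a NULL test, which is safe only because the third hunk switches the selection bitmask to TCP-or-UDP; a `/* tcp != NULL guaranteed by the selection bitmask */` comment would document that. ndpi_check_lisp's signature sits just before the hunk.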
@@ -78,7 +90,7 @@ void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
ndpi_set_bitmask_protocol_detection("LISP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_LISP,
ndpi_search_lisp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c
index 8c6f0a347..e9430b377 100644
--- a/src/lib/protocols/megaco.c
+++ b/src/lib/protocols/megaco.c
@@ -34,7 +34,8 @@ void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp != NULL) {
if((packet->payload_packet_len > 4 && packet->payload[0] == '!' && packet->payload[1] == '/' &&
- packet->payload[2] == '1' && packet->payload[3] == ' ' && packet->payload[4] == '[')
+ packet->payload[2] == '1' && packet->payload[3] == ' ' &&
+ (packet->payload[4] == '[' || packet->payload[4] == '<'))
|| (packet->payload_packet_len > 9 && packet->payload[0] == 'M' && packet->payload[1] == 'E' &&
packet->payload[2] == 'G' && packet->payload[3] == 'A' && packet->payload[4] == 'C' &&
packet->payload[5] == 'O' && packet->payload[6] == '/' &&
diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c
index 59b97e596..c4c2b95b9 100644
--- a/src/lib/protocols/snmp_proto.c
+++ b/src/lib/protocols/snmp_proto.c
@@ -24,6 +24,8 @@
#include "ndpi_api.h"
+/* #define SNMP_DEBUG */
+
static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow);
@@ -31,6 +33,7 @@ static void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
static void ndpi_int_snmp_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow) {
+ NDPI_LOG_INFO(ndpi_struct, "found SNMP\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SNMP,
NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
@@ -51,65 +54,110 @@ static int ndpi_search_snmp_again(struct ndpi_detection_module_struct *ndpi_stru
/* *************************************************************** */
+static int get_int(const unsigned char *payload, int payload_len, u_int16_t *value_len)
+{
+ int value = -1;
+
+ if(payload_len <=0)
+ return value;
+
+ if(payload[0] <= 0x80) {
+ *value_len = 1;
+ value = payload[0];
+ } else if(payload[0] == 0x81 && payload_len >=2) {
+ *value_len = 2;
+ value = payload[1];
+ } else if(payload[0] == 0x82 && payload_len >=3) {
+ *value_len = 3;
+ value = payload[1] << 8 | payload[2];
+ }
+ return value;
+}
+
+
+
+/* *************************************************************** */
+
void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int16_t snmp_port = htons(161), trap_port = htons(162);
- u_int8_t version;
-
- if((packet->payload_packet_len <= 32)
- ||(packet->payload[0] != 0x30)
- || (((version = packet->payload[4]) != 0 /* SNMPv1 */)
- && ((version = packet->payload[4]) != 1 /* SNMPv2c */)
- && ((version = packet->payload[4]) != 3 /* SNMPv3 */))
- || ((packet->udp->source != snmp_port)
- && (packet->udp->dest != snmp_port)
- && (packet->udp->dest != trap_port))
- /* version */
- || ((packet->payload[1] + 2) != packet->payload_packet_len)) {
+
+ if((packet->udp->source != snmp_port) &&
+ (packet->udp->dest != snmp_port) &&
+ (packet->udp->source != trap_port) &&
+ (packet->udp->dest != trap_port)) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- } else {
- if((version == 0) || (version == 1)) {
- u_int8_t community_len = packet->payload[6];
- u_int8_t snmp_primitive_offset = 7 + community_len;
+ return;
+ }
- if(snmp_primitive_offset < packet->payload_packet_len) {
- u_int8_t snmp_primitive = packet->payload[snmp_primitive_offset] & 0xF;
+ if(packet->payload_packet_len > 16 && packet->payload[0] == 0x30) {
+ u_int16_t len_length = 0, offset;
+ int len;
- if(snmp_primitive == 2 /* Get Response */) {
- u_int8_t error_status_offset = 17 + community_len;
-
- if(error_status_offset < packet->payload_packet_len) {
- u_int8_t error_status = packet->payload[error_status_offset];
+ len = get_int(&packet->payload[1], packet->payload_packet_len - 1, &len_length);
-#ifdef SNMP_DEBUG
- printf("-> %u [offset: %u][primitive: %u]\n",
- error_status, error_status_offset, snmp_primitive);
-#endif
-
- flow->extra_packets_func = NULL; /* We're good now */
+ if(len > 2 &&
+ 1 + len_length + len == packet->payload_packet_len &&
+ (packet->payload[1 + len_length + 2] == 0 /* SNMPv1 */ ||
+ packet->payload[1 + len_length + 2] == 1 /* SNMPv2c */ ||
+ packet->payload[1 + len_length + 2] == 3 /* SNMPv3 */)) {
- if(error_status != 0)
- ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED);
- }
- }
+ if(flow->extra_packets_func == NULL) {
+ ndpi_int_snmp_add_connection(ndpi_struct, flow);
}
- }
- ndpi_int_snmp_add_connection(ndpi_struct, flow);
+ offset = 1 + len_length + 2;
+ if((packet->payload[offset] == 0 /* SNMPv1 */ ||
+ packet->payload[offset] == 1 /* SNMPv2c */) &&
+ (offset + 2 < packet->payload_packet_len)) {
+
+ if(flow->extra_packets_func == NULL) {
+ /* This is necessary to inform the core to call this dissector again */
+ flow->check_extra_packets = 1;
+ flow->max_extra_packets_to_check = 8;
+ flow->extra_packets_func = ndpi_search_snmp_again;
+ }
- if(flow->extra_packets_func == NULL) {
- /* This is necessary to inform the core to call this dissector again */
- flow->check_extra_packets = 1;
- flow->max_extra_packets_to_check = 8;
- flow->extra_packets_func = ndpi_search_snmp_again;
+ u_int8_t community_len = packet->payload[offset + 2];
+ u_int8_t snmp_primitive_offset = offset + 2 + 1 + community_len;
+
+ if(snmp_primitive_offset < packet->payload_packet_len) {
+ u_int8_t snmp_primitive = packet->payload[snmp_primitive_offset] & 0xF;
+
+ if(snmp_primitive == 2 /* Get Response */ &&
+ snmp_primitive_offset + 1 < packet->payload_packet_len) {
+ offset = snmp_primitive_offset + 1;
+ get_int(&packet->payload[offset], packet->payload_packet_len - offset, &len_length);
+ offset += len_length + 1;
+ if(offset < packet->payload_packet_len) {
+ len = get_int(&packet->payload[offset], packet->payload_packet_len - offset, &len_length);
+
+ u_int8_t error_status_offset = offset + len_length + len + 2;
+
+ if(error_status_offset < packet->payload_packet_len) {
+ u_int8_t error_status = packet->payload[error_status_offset];
+
+#ifdef SNMP_DEBUG
+ printf("-> %u [offset: %u][primitive: %u]\n",
+ error_status, error_status_offset, snmp_primitive);
+#endif
+
+ flow->extra_packets_func = NULL; /* We're good now */
+
+ if(error_status != 0)
+ ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED);
+ }
+ }
+ }
+ }
+ }
+ return;
}
-
- return;
}
-}
-/* *************************************************************** */
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
void init_snmp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
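Review bot: In ndpi_search_snmp the offsets `snmp_primitive_offset` and `error_status_offset` are declared `u_int8_t` but are computed from `offset` (up to 6), a full-byte `community_len` and, for the second, the `len` returned by get_int (up to 65535), so they can wrap modulo 256; the following `< packet->payload_packet_len` tests keep the reads in bounds, but a wrapped offset silently points at the wrong byte and can set or miss `NDPI_ERROR_CODE_DETECTED` on the wrong evidence. Declare both as `u_int16_t` (or `int`), check the second `get_int` result and skip the error-status parse when `len < 0` instead of adding -1 into the offset, and treat a community length byte `>= 0x80` as BER long-form (or bail out) rather than using it literally. In get_int, `payload[0] <= 0x80` accepts 0x80, which in BER is the indefinite-length marker rather than a length of 128; `payload[0] < 0x80` is the intended short-form test.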
diff --git a/src/lib/protocols/someip.c b/src/lib/protocols/someip.c
index 50a823ec0..c99e8d27c 100644
--- a/src/lib/protocols/someip.c
+++ b/src/lib/protocols/someip.c
@@ -71,12 +71,6 @@ enum MAGIC_COOKIE_CONSTANTS{
MC_INTERFACE_VERSION = 0x01
};
-enum DEFAULT_PROTOCOL_PORTS{
- PORT_DEFAULT_CLIENT = 30491,
- PORT_DEFAULT_SERVER = 30501,
- PORT_DEFAULT_SD = 30490
-};
-
/**
* Entry point when protocol is identified.
*/
@@ -151,6 +145,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t interface_version = (packet->payload[13]);
u_int8_t message_type = (u_int8_t) (packet->payload[14]);
+ message_type &= (~0x20); /* Clear TP bit */
NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP message type: [%d]\n",message_type);
if ((message_type != SOMEIP_REQUEST) && (message_type != SOMEIP_REQUEST_NO_RETURN) && (message_type != SOMEIP_NOTIFICATION) && (message_type != SOMEIP_REQUEST_ACK) &&
@@ -201,23 +196,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported [%d]\n", message_type);
}
- //Filtering by port.
- //This check is NOT a 100% thing - these ports are mentioned in the documentation but the documentation also states they haven't been approved by IANA yet, and that the user is free to use different ports.
- //This is is PURELY for demo purposes and the rest of the check must be filled in later on!
- if (flow->l4_proto == IPPROTO_UDP){
- if ((packet->udp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SERVER)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SD))) {
- ndpi_int_someip_add_connection(ndpi_struct, flow);
- return;
- }
- }
- if (flow->l4_proto == IPPROTO_TCP){
- if ((packet->tcp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->tcp->dest == ntohs(PORT_DEFAULT_SERVER))) {
- ndpi_int_someip_add_connection(ndpi_struct, flow);
- return;
- }
- }
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ ndpi_int_someip_add_connection(ndpi_struct, flow);
}
/**
* Entry point for the ndpi library
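Review bot: With the port filter removed, `ndpi_int_someip_add_connection` is now reached unconditionally at the end of the function, apparently including from the branch that logs `SOME/IP-SD currently not supported` just above it, so the log says SD is unsupported while the flow is classified as SOME/IP anyway. If classifying SD traffic is intended, the message should say so, e.g. `"SOME/IP-SD: header accepted, SD payload not parsed [%d]\n"`; if not, that branch needs its own return or exclusion. Removing the port gate also means the header checks earlier in the function now carry the whole false-positive burden on the first packet, which deserves a comment at the call site such as `/* No port filtering: detection rests on the header checks above */`. ndpi_search_someip starts before the hunk.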
diff --git a/src/lib/protocols/xdmcp.c b/src/lib/protocols/xdmcp.c
index f8cbed095..c3c908ce4 100644
--- a/src/lib/protocols/xdmcp.c
+++ b/src/lib/protocols/xdmcp.c
@@ -69,7 +69,7 @@ void init_xdmcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
ndpi_set_bitmask_protocol_detection("XDMCP", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_XDMCP,
ndpi_search_xdmcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);