authorLuca Deri <deri@ntop.org>2022-01-23 20:59:36 +0100
committerLuca Deri <deri@ntop.org>2022-01-23 20:59:36 +0100
commitb6b4967aa603035af066a4a7a3b5155573a5112f (patch)
tree747127ae97022fd6f42b6e758bec131341e27dba /src/lib
parenta8fe74e502461cf6d6d1dee3567a3c39445d301e (diff)
Improved Zoom protocol detection
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c63
-rw-r--r--src/lib/protocols/bittorrent.c8
2 files changed, 61 insertions, 10 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 1cd867327..2e528b6a4 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2772,6 +2772,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
if(ndpi_str->bittorrent_cache)
ndpi_lru_free_cache(ndpi_str->bittorrent_cache);
+ if(ndpi_str->zoom_cache)
+ ndpi_lru_free_cache(ndpi_str->zoom_cache);
+
if(ndpi_str->stun_cache)
ndpi_lru_free_cache(ndpi_str->stun_cache);
@@ -5007,7 +5010,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
/* ********************************************************************************* */
-u_int32_t ndpi_bittorrent_hash_funct(u_int32_t ip, u_int16_t port) {
+u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port) {
return(ip + 3 * port);
}
@@ -5038,7 +5041,7 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_
flow->bt_check_performed = 1;
/* Check cached communications */
- key1 = ndpi_bittorrent_hash_funct(saddr, sport), key2 = ndpi_bittorrent_hash_funct(daddr, dport);
+ key1 = ndpi_ip_port_hash_funct(saddr, sport), key2 = ndpi_ip_port_hash_funct(daddr, dport);
found =
ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, saddr+daddr, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)
@@ -5062,14 +5065,50 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_
/* ********************************************************************************* */
+/* #define ZOOM_CACHE_DEBUG */
+
+static u_int8_t ndpi_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t daddr /* Network byte order */) {
+
+#ifdef ZOOM_CACHE_DEBUG
+ printf("[%s:%u] ndpi_search_into_zoom_cache(%08X, %u)\n",
+ __FILE__, __LINE__, daddr, dport);
+#endif
+
+ if(ndpi_struct->zoom_cache) {
+ u_int16_t cached_proto;
+ u_int8_t found = ndpi_lru_find_cache(ndpi_struct->zoom_cache, daddr, &cached_proto,
+ 0 /* Don't remove it as it can be used for other connections */);
+
+#ifdef ZOOM_CACHE_DEBUG
+ printf("[Zoom] *** [TCP] SEARCHING host %u [found: %u]\n", daddr, found);
+#endif
+
+ return(found);
+ }
+
+ return(0);
+}
+
+/* ********************************************************************************* */
+
+static void ndpi_add_connection_as_zoom(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t daddr /* Network byte order */) {
+ if(ndpi_struct->zoom_cache == NULL)
+ ndpi_struct->zoom_cache = ndpi_lru_cache_init(512);
+
+ if(ndpi_struct->zoom_cache)
+ ndpi_lru_add_to_cache(ndpi_struct->zoom_cache, daddr, NDPI_PROTOCOL_ZOOM);
+}
+
+/* ********************************************************************************* */
+
ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow,
u_int8_t enable_guess, u_int8_t *protocol_was_guessed) {
ndpi_protocol ret = {NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED};
u_int16_t guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN, guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN;
-
- /*
- *** We can't access ndpi_str->packet from this function!! ***
- */
+
+ /* *** We can't access ndpi_str->packet from this function!! *** */
*protocol_was_guessed = 0;
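Review bot: The debug `printf` at the top of `ndpi_search_into_zoom_cache` passes `dport`, which is neither a parameter nor a local of that function, so defining `ZOOM_CACHE_DEBUG` will break the build; the call should be `printf("[%s:%u] ndpi_search_into_zoom_cache(%08X)\n", __FILE__, __LINE__, daddr);`. The lookup also discards `cached_proto` and returns the hit flag alone, which is correct only while `zoom_cache` stores nothing but Zoom entries; a one-line comment stating that assumption would help. The cache size `512` in `ndpi_add_connection_as_zoom` is a bare literal, and the key is a bare IPv4 address with no expiry visible in this hunk, so an address presumably keeps matching until it is evicted. `ndpi_detection_giveup` at the end of the hunk continues outside it.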
@@ -5215,6 +5254,12 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
flow->daddr, flow->dport)) {
/* This looks like BitTorrent */
ret.app_protocol = NDPI_PROTOCOL_BITTORRENT;
+ } else if((flow->l4_proto == IPPROTO_UDP) /* Zoom/UDP used for video */
+ && (((ntohs(flow->sport) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->saddr))
+ || ((ntohs(flow->dport) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->daddr))
+ )) {
+ /* This looks like Zoom */
+ ret.app_protocol = NDPI_PROTOCOL_ZOOM;
}
}
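Review bot: The new `else if` labels a UDP flow as Zoom from port 8801 plus a cache hit on one endpoint address, without looking at the payload, so any UDP traffic on that port to or from a cached address receives `NDPI_PROTOCOL_ZOOM`. A comment such as `/* Heuristic: UDP/8801 with an endpoint previously seen in a Zoom TCP flow */` would tell consumers that use the label for policy how much weight it carries. The literal `8801` appears twice and would read better as one named constant. Whether `flow->saddr` and `flow->daddr` hold meaningful values for IPv6 flows cannot be seen from this hunk and is worth confirming, since the cache is keyed on a 32-bit address. The enclosing `ndpi_detection_giveup` starts and ends outside the hunk.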
@@ -5782,6 +5827,12 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(num_calls == 0)
flow->fail_with_unknown = 1;
+ /* Zoom cache */
+ if((ret.app_protocol == NDPI_PROTOCOL_ZOOM)
+ && (flow->l4_proto == IPPROTO_TCP)
+ && (ndpi_str->packet.iph != NULL))
+ ndpi_add_connection_as_zoom(ndpi_str, ndpi_str->packet.iph->daddr);
+
return(ret);
}
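Review bot: `ndpi_str->packet.iph->daddr` is the destination of whichever packet is currently being processed, so if this block is reached on a server-to-client packet, the client's address rather than the Zoom server's is stored in `zoom_cache`. The lookup added to `ndpi_detection_giveup` pairs the cached address with the side using port 8801, which suggests the cache is meant to hold server addresses only; caching the flow's server-side address, or checking packet direction before the call, would keep client addresses out. As written, a client with one Zoom TCP flow could have unrelated UDP traffic on port 8801 classified as Zoom. The start of `ndpi_detection_process_packet` is outside the hunk, so how often this block runs per flow is not visible.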
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index fae1f6f46..a88fe7ad9 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -134,9 +134,9 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
u_int32_t key1, key2, i;
if(packet->udp)
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, packet->udp->source), key2 = ndpi_bittorrent_hash_funct(packet->iph->daddr, packet->udp->dest);
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->udp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->udp->dest);
else
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, packet->tcp->source), key2 = ndpi_bittorrent_hash_funct(packet->iph->daddr, packet->tcp->dest);
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->tcp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->tcp->dest);
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT);
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key2, NDPI_PROTOCOL_BITTORRENT);
@@ -149,9 +149,9 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
/* Also add +2 ports of the sender in order to catch additional sockets open by the same client */
for(i=0; i<2; i++) {
if(packet->udp)
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, htons(ntohs(packet->udp->source)+1));
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->udp->source)+1));
else
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, htons(ntohs(packet->tcp->source)+1));
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->tcp->source)+1));
ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT);
}