diff options
| author | Toni <matzeton@googlemail.com> | 2022-04-22 18:33:27 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-04-22 18:33:27 +0200 |
| commit | d5ae9170ba5c909fd1b027e2d2f71bdc4d7abbe7 (patch) | |
| tree | ad195bad72937c68ad9489ee2a8909ce6c8d5fe4 /src | |
| parent | 824c343602da5844f153049053664b6de84ec287 (diff) | |
Tiny gnutella improvement if gtk-gnutella used. (#1525)
Signed-off-by: lns <matzeton@googlemail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/protocols/gnutella.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index ecb93d53f..7f6656424 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c @@ -185,6 +185,20 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru } } } else if (packet->udp != NULL) { + /* Check for Mojito-DHT encapsulated gnutella (gtk-gnutella). */ + if (packet->payload_packet_len >= 28 && + ntohl(get_u_int32_t(packet->payload, 24)) == 0x47544b47 /* GTKG */) + { + u_int32_t gnutella_payload_len = le32toh(get_u_int32_t(packet->payload, 19)); + + if (gnutella_payload_len == (u_int32_t)packet->payload_packet_len - 23) + { + NDPI_LOG_DBG2(ndpi_struct, "detected mojito-dht/gnutella udp\n"); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); + return; + } + } + /* observations: * all the following patterns send out many packets which are the only ones of their flows, * often on the very beginning of the traces, or flows with many packets in one direction only. |