diff options
| author | Maatuq <mahmoudmatook.mm@gmail.com> | 2023-11-15 22:45:48 +0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-11-15 19:45:48 +0100 |
| commit | 344ac694688c95cc29afa7bb4f5528db860c383c (patch) | |
| tree | a3fbf414c9596f555f405e0201598475a76f9ec7 /src | |
| parent | 38f9a74713c9905ab9fe4761ff975aa20ea1a8e8 (diff) | |
protocols/ethereum: enhance node discovery protocol detection. (#2145)
* packet-type == 0x0 shouldn't be allowed.
* allow more packet-type e.g. ENRRequest, ENRResponse.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/protocols/ethereum.c | 57 |
1 files changed, 39 insertions, 18 deletions
diff --git a/src/lib/protocols/ethereum.c b/src/lib/protocols/ethereum.c index bf9da6bfb..5aaafc641 100644 --- a/src/lib/protocols/ethereum.c +++ b/src/lib/protocols/ethereum.c @@ -25,6 +25,14 @@ #include "ndpi_api.h" #include "ndpi_private.h" +enum ether_disc_packet_type { + DISC_PING = 0x01, + DISC_PONG = 0x02, + DISC_FINDNODE = 0x03, + DISC_NEIGHBOURS = 0x04, + DISC_ENRREQUEST = 0x05, + DISC_ENRRESPONSE = 0x06 +}; /* ************************************************************************** */ @@ -50,34 +58,47 @@ static void ndpi_ether_cache_connection(struct ndpi_detection_module_struct *ndp /* ************************************************************************** */ +/* +* https://github.com/ethereum/devp2p/blob/master/discv4.md +*/ +static bool ndpi_ether_is_discv4(const struct ndpi_packet_struct *packet) { + u_int16_t source = ntohs(packet->udp->source); + u_int16_t dest = ntohs(packet->udp->dest); + if((packet->payload_packet_len > 98) + && (packet->payload_packet_len < 1280) + && ((source == 30303) || (dest == 30303)) /*one way to remove default port is to compute packet hash and use it for verification*/ + ) { + uint8_t packet_type = packet->payload[97]; + switch(packet_type) { + case DISC_PING: + case DISC_PONG: + case DISC_FINDNODE: + case DISC_NEIGHBOURS: + case DISC_ENRREQUEST: + case DISC_ENRRESPONSE: + return true; + default: + return false; + } + } + return false; +} + +/* ************************************************************************** */ + static void ndpi_search_ethereum_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int16_t source = ntohs(packet->udp->source); - u_int16_t dest = ntohs(packet->udp->dest); NDPI_LOG_DBG(ndpi_struct, "search ETHEREUM UDP\n"); - - /* - Ethereum P2P Discovery Protocol - https://github.com/ConsenSys/ethereum-dissectors/blob/master/packet-ethereum-disc.c - */ - if((packet->payload_packet_len > 98) - && (packet->payload_packet_len < 1280) - && ((source == 30303) || (dest == 30303)) - && (packet->payload[97] <= 0x04 /* NODES */) - ) { - if((packet->iph) && ((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0xFF000000)) - ; - else if(packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000) - ; - else { + if((packet->iph && ((ntohl(packet->iph->daddr) & 0xFF000000) != 0xFF000000 /* 255.0.0.0 */)) + ||(packet->iphv6 && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) != 0xFF020000 /* ff02:: */))) { + if(ndpi_ether_is_discv4(packet) /*|| ndpi_is_discv5(packet)*/) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHEREUM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); ndpi_ether_cache_connection(ndpi_struct, flow); return; } } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } |