author | Luca Deri <deri@ntop.org> | 2024-05-20 12:17:04 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2024-05-20 12:17:04 +0200 |
commit | 2093ac5bf6444db290cdf1c7d64cf4b80f415d2f (patch) | |
tree | 5dc382739fd26eac2f0490f3e76e630b137b683c /src | |
parent | 42dba2e4afd12ab77073cc21df1d56d0ef02b232 (diff) |
Minor dissector optimizations
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_main.c | 73 | ||||
-rw-r--r-- | src/lib/protocols/bittorrent.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/cassandra.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/ciscovpn.c | 29 | ||||
-rw-r--r-- | src/lib/protocols/dnscrypt.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/imo.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/irc.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 10 | ||||
-rw-r--r-- | src/lib/protocols/sip.c | 34 | ||||
-rw-r--r-- | src/lib/protocols/socks45.c | 17 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 24 | ||||
-rw-r--r-- | src/lib/protocols/xbox.c | 1 |
12 files changed, 110 insertions, 99 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 65df915e1..c698bcb83 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -349,9 +349,11 @@ u_int16_t ndpi_map_ndpi_id_to_user_proto_id(struct ndpi_detection_module_struct NDPI_LOG_DBG2(ndpi_str, "[DEBUG] ***** %s(%u)\n", __FUNCTION__, ndpi_proto_id); #endif + /* if(!ndpi_str) return(0); - + */ + if(ndpi_proto_id < NDPI_MAX_SUPPORTED_PROTOCOLS) return(ndpi_proto_id); else if(ndpi_proto_id < ndpi_str->ndpi_num_supported_protocols) { @@ -6291,6 +6293,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp /* now build the specific buffer for tcp, udp and non_tcp_udp */ ndpi_str->callback_buffer_size_tcp_payload = 0; ndpi_str->callback_buffer_size_tcp_no_payload = 0; + for(a = 0; a < ndpi_str->callback_buffer_size; a++) { if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_tcp_payload(ndpi_str,a)) continue; @@ -6302,6 +6305,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp } ndpi_str->callback_buffer_size_tcp_payload++; } + for(a = 0; a < ndpi_str->callback_buffer_size; a++) { if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_tcp_nopayload(ndpi_str,a)) continue; @@ -6315,6 +6319,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp } ndpi_str->callback_buffer_size_udp = 0; + for(a = 0; a < ndpi_str->callback_buffer_size; a++) { if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_udp(ndpi_str,a)) continue; @@ -6328,6 +6333,7 @@ static void ndpi_enabled_callbacks_init(struct ndpi_detection_module_struct *ndp } ndpi_str->callback_buffer_size_non_tcp_udp = 0; + for(a = 0; a < ndpi_str->callback_buffer_size; a++) { if(!NDPI_ISSET(dbm,ndpi_str->callback_buffer[a].ndpi_protocol_id)) continue; if(!ndpi_proto_cb_other(ndpi_str,a)) continue; 
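Review bot: With the `if(!ndpi_str) return(0);` guard commented out in ndpi_map_ndpi_id_to_user_proto_id, the `else if` branch right below still reads `ndpi_str->ndpi_num_supported_protocols`, so a NULL module pointer together with an id at or above NDPI_MAX_SUPPORTED_PROTOCOLS now dereferences NULL instead of returning 0. The function is not static, so callers outside this file may rely on the old behaviour; that cannot be confirmed from this hunk. Either keep the check on the slow path only, e.g. `else if(ndpi_str && ndpi_proto_id < ndpi_str->ndpi_num_supported_protocols) {`, or delete the dead lines and state the non-NULL precondition in a comment rather than leaving commented-out code behind. The function body continues past the end of the hunk.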
@@ -6836,18 +6842,23 @@ int current_pkt_from_server_to_client(const struct ndpi_detection_module_struct static int tcp_ack_padding(struct ndpi_packet_struct *packet) { const struct ndpi_tcphdr *tcph = packet->tcp; + if(tcph && tcph->ack && !tcph->psh && packet->payload_packet_len < 8 && packet->payload_packet_len > 1 /* To avoid TCP keep-alives */) { int i; + for(i = 0; i < packet->payload_packet_len; i++) if(packet->payload[i] != 0) return 0; return 1; } + return 0; } +/* ******************************************************************** */ + static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { /* const for gcc code optimization and cleaner code */ @@ -6869,7 +6880,8 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s for(i=0; (i<packet->payload_packet_len) && (flow->flow_payload_len < ndpi_str->max_payload_track_len); i++) { flow->flow_payload[flow->flow_payload_len++] = - (ndpi_isprint(packet->payload[i]) || ndpi_isspace(packet->payload[i])) ? packet->payload[i] : '.'; + (ndpi_isprint(packet->payload[i]) + || ndpi_isspace(packet->payload[i])) ? packet->payload[i] : '.'; } } } 
@@ -6988,29 +7000,25 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s } if(flow->init_finished == 0) { - u_int16_t s_port, d_port; /* Source/Dest ports */ + u_int16_t s_port = 0, d_port = 0; /* Source/Dest ports */ flow->init_finished = 1; - - if(tcph != NULL && - ndpi_str->input_info && - ndpi_str->input_info->seen_flow_beginning == NDPI_FLOW_BEGINNING_SEEN) { - flow->l4.tcp.seen_syn = 1; - flow->l4.tcp.seen_syn_ack = 1; - flow->l4.tcp.seen_ack = 1; - } - - /* Client/Server direction */ - - s_port = 0; - d_port = 0; + if(tcph != NULL) { - s_port = tcph->source; - d_port = tcph->dest; + if(ndpi_str->input_info && + ndpi_str->input_info->seen_flow_beginning == NDPI_FLOW_BEGINNING_SEEN) { + flow->l4.tcp.seen_syn = 1; + flow->l4.tcp.seen_syn_ack = 1; + flow->l4.tcp.seen_ack = 1; + } + + s_port = tcph->source, d_port = tcph->dest; } else if(udph != NULL) { s_port = udph->source; d_port = udph->dest; } + + /* Client/Server direction */ if(ndpi_str->input_info && ndpi_str->input_info->in_pkt_dir != NDPI_IN_PKT_DIR_UNKNOWN) { @@ -7042,6 +7050,7 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s memcpy(flow->c_address.v6, &packet->iphv6->ip6_src, 16); memcpy(flow->s_address.v6, &packet->iphv6->ip6_dst, 16); } + flow->c_port = s_port; flow->s_port = d_port; } else { @@ -7052,6 +7061,7 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s memcpy(flow->c_address.v6, &packet->iphv6->ip6_dst, 16); memcpy(flow->s_address.v6, &packet->iphv6->ip6_src, 16); } + flow->c_port = d_port; flow->s_port = s_port; } 
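Review bot: In the `tcph != NULL` branch of the `init_finished == 0` block, `s_port = tcph->source, d_port = tcph->dest;` joins two assignments with the comma operator, while the `udph` branch directly below uses two separate statements. Writing `s_port = tcph->source;` and `d_port = tcph->dest;` on their own lines keeps both branches reading the same way. ndpi_connection_tracking starts and ends outside this hunk.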
@@ -7073,9 +7083,9 @@ static void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_s flow->packet_direction_complete_counter[packet->packet_direction]++; } - if(ndpi_is_multi_or_broadcast(packet)) - ; /* multicast or broadcast */ - else { + if(!ndpi_is_multi_or_broadcast(packet)) { + /* ! (multicast or broadcast) */ + if(flow->packet_direction_complete_counter[flow->client_packet_direction] == 0) ndpi_set_risk(flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); /* Should never happen */ else if(flow->packet_direction_complete_counter[!flow->client_packet_direction] == 0) @@ -7097,28 +7107,25 @@ static u_int32_t check_ndpi_subprotocols(struct ndpi_detection_module_struct * c u_int32_t num_calls = 0, a; if(detected_protocol == NDPI_PROTOCOL_UNKNOWN) - { return num_calls; - } - for (a = 0; a < ndpi_str->proto_defaults[detected_protocol].subprotocol_count; a++) - { + for (a = 0; a < ndpi_str->proto_defaults[detected_protocol].subprotocol_count; a++) { u_int16_t subproto_id = ndpi_str->proto_defaults[detected_protocol].subprotocols[a]; + if(subproto_id == (uint16_t)NDPI_PROTOCOL_MATCHED_BY_CONTENT || subproto_id == flow->detected_protocol_stack[0] || - subproto_id == flow->detected_protocol_stack[1]) - { + subproto_id == flow->detected_protocol_stack[1]) { continue; } u_int16_t subproto_index = ndpi_str->proto_defaults[subproto_id].protoIdx; + if((ndpi_str->callback_buffer[subproto_index].ndpi_selection_bitmask & ndpi_selection_packet) == ndpi_str->callback_buffer[subproto_index].ndpi_selection_bitmask && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask, ndpi_str->callback_buffer[subproto_index].excluded_protocol_bitmask) == 0 && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer[subproto_index].detection_bitmask, - detection_bitmask) != 0) - { + detection_bitmask) != 0) { ndpi_str->callback_buffer[subproto_index].func(ndpi_str, flow); num_calls++; } 
@@ -7134,8 +7141,7 @@ static u_int32_t check_ndpi_detection_func(struct ndpi_detection_module_struct * NDPI_SELECTION_BITMASK_PROTOCOL_SIZE const ndpi_selection_packet, struct call_function_struct const * const callback_buffer, uint32_t callback_buffer_size, - int is_tcp_without_payload) -{ + int is_tcp_without_payload) { void *func = NULL; u_int32_t num_calls = 0; u_int16_t proto_index = ndpi_str->proto_defaults[flow->guessed_protocol_id].protoIdx; @@ -7166,6 +7172,8 @@ static u_int32_t check_ndpi_detection_func(struct ndpi_detection_module_struct * if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + /* TODO: optimize as today we're doing a linear scan */ + for (a = 0; a < callback_buffer_size; a++) { if((func != callback_buffer[a].func) && (callback_buffer[a].ndpi_selection_bitmask & ndpi_selection_packet) == @@ -7209,8 +7217,7 @@ u_int32_t check_ndpi_other_flow_func(struct ndpi_detection_module_struct *ndpi_s static u_int32_t check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, - NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) -{ + NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) { return check_ndpi_detection_func(ndpi_str, flow, *ndpi_selection_packet, ndpi_str->callback_buffer_udp, ndpi_str->callback_buffer_size_udp, 0); diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index f80bb0d36..1522a14e9 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -642,9 +642,8 @@ static void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_str } } - if(flow->packet_counter > 8) { - ndpi_skip_bittorrent(ndpi_struct, flow); - } + if(flow->packet_counter > 5) + ndpi_skip_bittorrent(ndpi_struct, flow); } /* ************************************* */ diff --git a/src/lib/protocols/cassandra.c b/src/lib/protocols/cassandra.c index de5b21f87..7e52dab14 100644 --- a/src/lib/protocols/cassandra.c 
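Review bot: The cut-off at the end of ndpi_search_bittorrent drops from 8 to 5 packets as a bare literal, and this commit sets similar limits in cassandra.c (`>= 8`), dnscrypt.c (`>= 8`), irc.c (`>= 10`), rtp.c (`> 3`), sip.c (`>= 8`), socks45.c (`>= 10`) and stun.c (`> 8`) with a mix of `>` and `>=`. Each limit decides how many packets a flow may send before the dissector gives up, so a flow whose identifying packet arrives after the limit stays unclassified; that trade-off deserves a named constant and a comment per dissector. For this hunk something like `#define BITTORRENT_MAX_PKTS 5` (the name is only a suggestion) with `/* stop searching after this many packets per flow */` above the check would do. ndpi_search_bittorrent starts outside the hunk.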
+++ b/src/lib/protocols/cassandra.c @@ -66,7 +66,8 @@ static void ndpi_search_cassandra(struct ndpi_detection_module_struct *ndpi_stru return; } - if (packet->payload_packet_len < 9 || + if ((packet->payload_packet_len < 9) || + (flow->packet_counter >= 8) || (!ndpi_validate_cassandra_response(packet->payload[0]) || !ndpi_validate_cassandra_request(packet->payload[0]))) { diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c index e5bfd6a22..792d060b1 100644 --- a/src/lib/protocols/ciscovpn.c +++ b/src/lib/protocols/ciscovpn.c @@ -48,26 +48,23 @@ static void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struc NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over udp ports\n"); } - if( - ( - (usport == 10000 && udport == 10000) - && - (packet->payload_packet_len >= 4) && - (packet->payload[0] == 0xfe && - packet->payload[1] == 0x57 && - packet->payload[2] == 0x7e && - packet->payload[3] == 0x2b) - ) - ) - { + if((usport == 10000 && udport == 10000)) { + if((packet->payload_packet_len >= 4) && + (packet->payload[0] == 0xfe && + packet->payload[1] == 0x57 && + packet->payload[2] == 0x7e && + packet->payload[3] == 0x2b) + ) { /* This is a good query fe577e2b */ NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n"); ndpi_int_ciscovpn_add_connection(ndpi_struct, flow); return; - } - - if(flow->num_processed_pkts > 5) - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } + + if(flow->num_processed_pkts > 5) + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } else + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/dnscrypt.c b/src/lib/protocols/dnscrypt.c index c4e28323d..a77bade98 100644 --- a/src/lib/protocols/dnscrypt.c +++ b/src/lib/protocols/dnscrypt.c 
@@ -46,6 +46,7 @@ static void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struc ndpi_int_dnscrypt_add_connection(ndpi_struct, flow); return; } + /* dnscrypt protocol version 1 and 2: resolver ping */ if (packet->payload_packet_len > 13 + strlen(dnscrypt_initial) && strncasecmp((char*)packet->payload + 13, dnscrypt_initial, strlen(dnscrypt_initial)) == 0) @@ -56,10 +57,9 @@ static void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struc if ((flow->packet_direction_counter[packet->packet_direction] >= 1 && flow->packet_direction_counter[1 - packet->packet_direction] >= 1) || - flow->packet_counter >= 10) - { + flow->packet_counter >= 8) { /* - * Wait for at least one packet per direction, but not more then 10 packets. + * Wait for at least one packet per direction, up to a max * Required as we need to wait for the server response which contains the ASCII pattern below. */ NDPI_EXCLUDE_PROTO(ndpi_struct, flow); diff --git a/src/lib/protocols/imo.c b/src/lib/protocols/imo.c index 68cb9fb1b..3807e5010 100644 --- a/src/lib/protocols/imo.c +++ b/src/lib/protocols/imo.c @@ -1,7 +1,7 @@ /* * imo.c * - * Copyright (C) 2019 - ntop.org + * Copyright (C) 2019-24 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index a7f02d848..02b105a0f 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c 
@@ -97,8 +97,9 @@ static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct u_int16_t http_content_ptr_len = 0; NDPI_LOG_DBG(ndpi_struct, "search irc\n"); - if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && (flow->packet_counter > 10)) { - NDPI_LOG_DBG(ndpi_struct, "exclude irc, packet_counter > 70\n"); + if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && (flow->packet_counter > 10)) + || (flow->packet_counter >= 10)) { + NDPI_LOG_DBG(ndpi_struct, "exclude irc, packet_counter too high0\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC); return; } diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index 97e392f02..b8f0a3978 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -79,8 +79,7 @@ u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_ } } -static int is_valid_rtcp_payload_type(uint8_t type) -{ +static int is_valid_rtcp_payload_type(uint8_t type) { return (type >= 192 && type <= 213); } @@ -172,8 +171,8 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, } is_rtp = is_rtp_or_rtcp(ndpi_struct, &seq); - if(is_rtp == IS_RTP) { + if(is_rtp == IS_RTP) { if(flow->l4.udp.rtp_stage == 2) { if(flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) { /* It seems that it is a LINE stuff; let its dissector to evaluate */ @@ -228,7 +227,10 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, NDPI_EXCLUDE_PROTO(ndpi_struct, flow); NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); } - } + } else if(flow->packet_counter > 3) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); + } } } diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index b6963584c..23a88ebf8 100644 --- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c 
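Review bot: The new condition at the top of ndpi_search_irc_tcp reduces to `flow->packet_counter >= 10`, because the first disjunct (`!= NDPI_PROTOCOL_IRC && packet_counter > 10`) is implied by the second; as a result a flow already detected as IRC is also added to `excluded_protocol_bitmask` once it reaches 10 packets. If that is intended, write `if(flow->packet_counter >= 10) {`; if detected flows should stay exempt, keep the protocol test and change only the comparison, `if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter >= 10) {`. The debug string also carries a stray character and should read `"exclude irc, packet_counter too high\n"`. The function continues outside the hunk.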
@@ -34,6 +34,8 @@ static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndp ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); } +/* ********************************************************** */ + #if !defined(WIN32) static inline #elif defined(MINGW_GCC) @@ -41,13 +43,16 @@ __mingw_forceinline static #else __forceinline static #endif -void ndpi_search_sip_handshake(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ +void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; + if(flow->packet_counter >= 8) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + if(payload_len > 4) { /* search for STUN Turn ChannelData Prefix */ u_int16_t message_len = ntohs(get_u_int16_t(packet->payload, 2)); @@ -57,9 +62,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct payload_len -= 4; packet_payload += 4; } + + if(!isprint(packet_payload[0])) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } } - if(payload_len >= 14) { + if(payload_len >= 14) { if((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0) && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { 
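Review bot: The new first-byte test in ndpi_search_sip calls `isprint()`, while the ndpi_main.c hunk in this same commit uses the library's `ndpi_isprint()` on payload bytes. `isprint` depends on the process locale and on `<ctype.h>` being included in sip.c, which this hunk does not show; `if(!ndpi_isprint(packet_payload[0])) {` keeps the check consistent with the rest of the library. The test sits inside `if(payload_len > 4)`, so shorter payloads skip it, and a one-line comment such as `/* SIP is text based: reject payloads that do not start with a printable byte */` would make the intent clear. The function body runs past the end of the hunk.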
@@ -180,28 +190,20 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct /* add bitmask for tcp only, some stupid udp programs * send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */ - if(packet->udp != NULL && flow->packet_counter < 10) { + if(packet->udp != NULL) { NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); return; } if(payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n"); return; } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } -static void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - NDPI_LOG_DBG(ndpi_struct, "search sip\n"); - - ndpi_search_sip_handshake(ndpi_struct, flow); -} +/* ********************************************************** */ -void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) -{ +void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) { ndpi_set_bitmask_protocol_detection("SIP", ndpi_struct, *id, NDPI_PROTOCOL_SIP, ndpi_search_sip, diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c index 742e0a6e6..78a744087 100644 --- a/src/lib/protocols/socks45.c +++ b/src/lib/protocols/socks45.c @@ -40,12 +40,6 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; - /* Break after 10 packets. */ - if(flow->packet_counter > 10) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - /* Check if we so far detected the protocol in the request or not. */ if(flow->socks4_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage 0: \n"); 
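Review bot: After this change the tail of ndpi_search_sip has no effect beyond debug logging: the `packet->udp != NULL` branch and the 4-byte-zero branch both just `return`, and the final `NDPI_EXCLUDE_PROTO` is gone, so a non-matching flow is excluded only by the `packet_counter >= 8` check or the non-printable first-byte test added earlier in the function. A TCP flow that is not SIP is therefore re-examined on every packet up to the limit instead of being excluded on the first miss, which looks like the opposite of an optimization; if that is intended, say so in a comment. The comment above the UDP branch still mentions `< 10` packets and "the first 3 payload_packets" and should be replaced, e.g. with `/* no match yet: keep looking until the packet_counter limit at the top of the function */`.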
@@ -81,12 +75,6 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int32_t payload_len = packet->payload_packet_len; - /* Break after 10 packets. */ - if(flow->packet_counter > 10) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - /* Check if we so far detected the protocol in the request or not. */ if(flow->socks5_stage == 0) { NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage 0: \n"); @@ -123,6 +111,11 @@ static void ndpi_search_socks(struct ndpi_detection_module_struct *ndpi_struct, { NDPI_LOG_DBG(ndpi_struct, "search SOCKS\n"); + if(flow->packet_counter >= 10) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + ndpi_check_socks4(ndpi_struct, flow); if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_SOCKS) diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index d6e7090d3..4d4fec6db 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -311,6 +311,9 @@ static void parse_xor_ip_port_attribute(struct ndpi_detection_module_struct *ndp } } } + +/* ***************************************************** */ + int is_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t *app_proto) @@ -325,9 +328,8 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t magic_cookie; u_int32_t transaction_id[3]; - if(payload_length < STUN_HDR_LEN) { - return 0; - } + if(payload_length < STUN_HDR_LEN) + return(-1); /* Some really old/legacy stuff */ if(strncmp((const char *)payload, "RSP/", 4) == 0 && 
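Review bot: is_stun now returns three values (as ndpi_search_stun uses them: 1 match, 0 undecided, -1 cannot be STUN) but it is not static, and only the call in ndpi_search_stun is updated in this diff; any other caller that tests the result as a boolean would treat -1 as a match. Callers outside the shown hunks cannot be checked from here, so they need an audit, and the contract should be written above the function, e.g. `/* Returns 1 if STUN, 0 if undecided (keep looking), -1 if the flow cannot be STUN */`. The `-1` paths are the `payload_length < STUN_HDR_LEN` check here and the two message type/length checks in the next hunk; the short-payload case now excludes a flow on its first packet, which may be too eager on TCP if a header can arrive split across segments (an inference, not visible in this diff). The new returns also mix `return(-1);` and `return -1;`.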
@@ -365,20 +367,21 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp) { if(msg_len + STUN_HDR_LEN > payload_length) return 0; + payload_length = msg_len + STUN_HDR_LEN; } if(msg_type == 0 || (msg_len + STUN_HDR_LEN != payload_length)) { NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X or len %d %d\n", msg_type, msg_len, payload_length); - return 0; + return -1; } /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */ if(((msg_type & 0x3EEF) > 0x000B) && msg_type != 0x0800 && msg_type != 0x0801 && msg_type != 0x0802) { NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X\n", msg_type); - return 0; + return -1; } if(magic_cookie != 0x2112A442) { @@ -582,6 +585,8 @@ int is_stun(struct ndpi_detection_module_struct *ndpi_struct, return 1; } +/* ***************************************************** */ + static int keep_extra_dissection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -965,7 +970,8 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t app_proto; - + int rc; + NDPI_LOG_DBG(ndpi_struct, "search stun\n"); app_proto = NDPI_PROTOCOL_UNKNOWN; @@ -977,13 +983,15 @@ static void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, s return; } - if(is_stun(ndpi_struct, flow, &app_proto)) { + rc = is_stun(ndpi_struct, flow, &app_proto); + + if(rc == 1) { ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto, __get_master(flow)); return; } /* TODO: can we stop earlier? */ - if(flow->packet_counter > 10) + if((rc == -1) || (flow->packet_counter > 8)) NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c index e88cf39db..f1f334316 100644 --- a/src/lib/protocols/xbox.c +++ b/src/lib/protocols/xbox.c 
@@ -92,6 +92,7 @@ static void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, s } #endif } + if(flow->packet_counter >= 5) NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } |