author | Renan de Souza <renan.souza@setinet.com.br> | 2019-10-25 08:57:49 -0300 |
---|---|---|
committer | Renan de Souza <renan.souza@setinet.com.br> | 2019-10-25 08:57:49 -0300 |
commit | 56db916833493ca0042ce1b5de1bf29366680c7b (patch) | |
tree | eb720198f5c8909624956683f26c9b64d7660ba2 /src | |
parent | 653c2092536466cf8d62bc73e73f12ecf97ed9fc (diff) | |
parent | 12cf0c47639a965d156ebd3a2a7721cca1331f23 (diff) |
Merge remote-tracking branch 'upstream/dev' into dev
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_api.h | 13 | ||||
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 13 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 159 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 8 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 11 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 128 | ||||
-rw-r--r-- | src/lib/protocols/dns.c | 89 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 140 | ||||
-rw-r--r-- | src/lib/protocols/iec60870-5-104.c | 42 | ||||
-rw-r--r-- | src/lib/protocols/mail_smtp.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/smb.c | 18 | ||||
-rw-r--r-- | src/lib/protocols/ssh.c | 70 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 66 |
13 files changed, 318 insertions, 445 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 372eddf72..a1c33b36e 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -207,18 +207,7 @@ extern "C" {
 void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct,
 const NDPI_PROTOCOL_BITMASK * detection_bitmask);
- /**
- * Function to be called to see in case of unknown match to see if there is
- * a partial match that has been prevented by the current nDPI preferences configuration
- *
- * @par ndpi_struct = the detection module
- * @par flow = the flow given for the detection module
- * @return the detected protocol even if the flow is not completed;
- *
- */
- ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow);
- /**
+ /**
 * Function to be called before we give up with detection for a given flow.
 * This function reduces the NDPI_UNKNOWN_PROTOCOL detection
 *
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 05be1381d..7a4ceb22f 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -75,12 +75,12 @@ typedef enum {
 NDPI_PROTOCOL_SKYPE_CALL = 38, /* Skype call and videocalls */
 NDPI_PROTOCOL_SIGNAL = 39,
 NDPI_PROTOCOL_MEMCACHED = 40, /* Memcached - Darryl Sokoloski <darryl@egloo.ca> */
- NDPI_PROTOCOL_SMBV23 = 41, /* SMB version 2/3 */
+ NDPI_PROTOCOL_SMBV23 = 41, /* SMB version 2/3 */
 NDPI_PROTOCOL_MINING = 42, /* Bitcoin, Ethereum, ZCash, Monero */
 NDPI_PROTOCOL_NEST_LOG_SINK = 43, /* Nest Log Sink (Nest Protect) - Darryl Sokoloski <darryl@egloo.ca> */
 NDPI_PROTOCOL_MODBUS = 44, /* Modbus */
 NDPI_PROTOCOL_WHATSAPP_CALL = 45, /* WhatsApp video ad audio calls go here */
- NDPI_PROTOCOL_DATASAVER = 46, /* Protocols used to save data on Internet communications */
+ NDPI_PROTOCOL_DATASAVER = 46, /* Protocols used to save data on Internet communications */
 NDPI_PROTOCOL_XBOX = 47,
 NDPI_PROTOCOL_QQ = 48,
 NDPI_PROTOCOL_TIKTOK = 49,
@@ -235,7 +235,7 @@ typedef enum {
 NDPI_PROTOCOL_MPEGTS = 198,
 NDPI_PROTOCOL_SNAPCHAT = 199,
 NDPI_PROTOCOL_SINA = 200,
- NDPI_PROTOCOL_HANGOUT_DUO = 201, /* Google Hangout ad Duo (merged as they are very similar) */
+ NDPI_PROTOCOL_HANGOUT_DUO = 201, /* Google Hangout ad Duo (merged as they are very similar) */
 NDPI_PROTOCOL_IFLIX = 202, /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */
 NDPI_PROTOCOL_GITHUB = 203,
 NDPI_PROTOCOL_BJNP = 204,
@@ -279,14 +279,17 @@ typedef enum {
 NDPI_PROTOCOL_WHATSAPP_FILES = 242, /* Videos, pictures, voice messages... */
 NDPI_PROTOCOL_TARGUS_GETDATA = 243,
 NDPI_PROTOCOL_DNP3 = 244,
- NDPI_PROTOCOL_104 = 245,
+ NDPI_PROTOCOL_104 = 245,
+ NDPI_PROTOCOL_BLOOMBERG = 246,
+ NDPI_PROTOCOL_CAPWAP = 247,
+ /* IMPORTANT before allocating a new identifier please fill up one of those named NDPI_PROTOCOL_FREE_XXX and not used (placeholders to avoid protocol renumbering) */
-
+ /* IMPORTANT:NDPI_LAST_IMPLEMENTED_PROTOCOL MUST BE THE LAST ELEMENT */
 NDPI_LAST_IMPLEMENTED_PROTOCOL
 } ndpi_protocol_id_t;
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 17941d5b2..ea0abe173 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -51,165 +51,6 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc
 void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-/* Applications and other protocols. */
-void ndpi_search_diameter(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_lisp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_directconnect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_applejuice_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_i23v5(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_socrates(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_http_subprotocol_conf(struct ndpi_detection_module_struct *ndpi_struct, char *attr, char *value, int protocol_id);
-void ndpi_search_ftp_control(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_usenet_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_vmware(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mms_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_veohtv_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_openft_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_tvants_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_sopcast(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ppstream(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_pplive(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_iax(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mgcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_zattoo(struct ndpi_detection_module_struct*ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_qq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_feidian(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_thunder(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_activesync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_in_non_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_nfs(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_bgp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_battlefield(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_secondlife(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_pcanywhere(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_kontiki(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_syslog(struct ndpi_detection_module_struct*ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_warcraft3(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_xdmcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mssql_tds(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_pptp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_stealthnet(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_dhcpv6_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_world_of_kung_fu(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_crossfire_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_guildwars_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_dropbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_wsus(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_gtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_spotify(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_openvpn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_socks5(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_socks4(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rtmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_redis(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_zmq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_vhua(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_bjnp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_smpp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_tinc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_csgo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_ajp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_memcached(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_nest_log_sink(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_wireguard(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_targus_getdata(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_apple_push(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-void ndpi_search_amazon_video(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
-/* --- INIT FUNCTIONS --- */
 void init_diameter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 64644d76f..88d9d9ae4 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -926,9 +926,7 @@ typedef enum {
 } ndpi_protocol_category_t;
 typedef enum {
- ndpi_pref_http_dont_dissect_response = 0,
- ndpi_pref_dns_dont_dissect_response,
- ndpi_pref_direction_detect_disable,
+ ndpi_pref_direction_detect_disable = 0,
 ndpi_pref_disable_metadata_export,
 } ndpi_detection_preference;
@@ -1105,8 +1103,7 @@ struct ndpi_detection_module_struct {
 ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS];
- u_int8_t http_dont_dissect_response:1, dns_dont_dissect_response:1,
- direction_detect_disable:1, /* disable internal detection of packet direction */
+ u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */
 disable_metadata_export:1 /* No metadata is exported */ ;
@@ -1275,7 +1272,6 @@ struct ndpi_flow_struct {
 /* NDPI_PROTOCOL_HTTP */
 u_int8_t http_detected:1;
- u_int16_t http_upper_protocol, http_lower_protocol;
 /* NDPI_PROTOCOL_RTSP */
 u_int8_t rtsprdt_stage:2, rtsp_control_flow:1;
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index ca8b757c5..54ce263e6 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
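Review bot: Removing the first two enumerators silently renumbers the rest of `ndpi_detection_preference` — `ndpi_pref_direction_detect_disable` goes from 2 to 0 and `ndpi_pref_disable_metadata_export` from 3 to 1 — so a consumer built against the previous header and calling `ndpi_set_detection_preferences()` without a rebuild now toggles a different flag, and the two bitfields dropped in the `ndpi_detection_module_struct` hunk shift that struct's layout as well. If the ABI break is intended it deserves a line in the release notes and presumably a library version bump; if it is not, keep the old names as no-op placeholders, e.g. `ndpi_pref_http_dont_dissect_response = 0, /* deprecated: no effect */` and the same for the DNS one, so the existing values stay stable. Both struct definitions start and end outside their hunks.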
@@ -8401,9 +8401,18 @@ static ndpi_protocol_match host_match[] = {
 { "images-amazon.com", NULL, "images-amazon" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
 { "amazonaws.com", NULL, "amazonaws" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
 { "amazon-adsystem.com", NULL, "amazon-adsystem" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".aws.", NULL, "\\.aws\\." TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
 { ".cloudfront.net", NULL, "\\.cloudfront" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
- { ".us-west-2.compute.amazonaws.com", NULL, "\\.us-west-2\\.compute\\.amazonaws\\.com", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".us-west-2.compute.amazonaws.com", NULL, "\\.us-west-2\\.compute\\.amazonaws\\.com","Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ /* Microsoft + Azure */
+ { ".azure.com", NULL, "\\.azure.\\com" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
+ { ".windows.net", NULL, "\\.windows.\\net" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
+ { ".microsoft.com", NULL, "\\.microsoft.\\com" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
+
+ { ".bloombergvault.com", NULL, "\\.bloombergvault.\\com" TLD, "Bloomberg", NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
+ { ".bloomberg.com", NULL, "\\.bloomberg.\\com" TLD, "Bloomberg", NDPI_PROTOCOL_BLOOMBERG, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
+
 { ".push.apple.com", NULL, "\\.push\\.apple" TLD, "ApplePush", NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
 { ".apple-dns.net", NULL, "\\.apple-dns" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
 { ".mzstatic.com", NULL, "\\.mzstatic" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8cd661243..8cf171f19 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -714,14 +714,6 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_str
 ndpi_detection_preference pref, int value) {
 switch(pref) {
- case ndpi_pref_http_dont_dissect_response:
- ndpi_str->http_dont_dissect_response = (u_int8_t)value;
- break;
-
- case ndpi_pref_dns_dont_dissect_response:
- ndpi_str->dns_dont_dissect_response = (u_int8_t)value;
- break;
-
 case ndpi_pref_direction_detect_disable:
 ndpi_str->direction_detect_disable = (u_int8_t)value;
 break;
@@ -1767,6 +1759,19 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 ndpi_build_default_ports(ports_a, 2404, 0, 0, 0, 0) /* TCP */,
 ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BLOOMBERG,
+ 1 /* no subprotocol */, no_master,
+ no_master, "Bloomberg", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+
+ ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CAPWAP,
+ 1 /* no subprotocol */, no_master,
+ no_master, "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+
 /* calling function for host and content matched protocols */
 init_string_based_protocols(ndpi_str);
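Review bot: The five regexes added for the Microsoft and Bloomberg rows have the backslash on the wrong side of the last dot: `"\\.azure.\\com"` compiles to `\.azure.\com`, where the `.` before `com` matches any character and `\c` is an engine-dependent escape rather than a literal `c` (compare `"\\.us-west-2\\.compute\\.amazonaws\\.com"` a few lines up in the same hunk). Because these rows hand out `NDPI_PROTOCOL_SAFE` / `NDPI_PROTOCOL_MICROSOFT`, a pattern that is looser than intended is a whitelisting risk rather than a cosmetic typo — depending on the regex engine it may either fail to compile or match hosts it should not. Fix each to the `\\.name\\.tld` form, e.g. `{ ".azure.com", NULL, "\\.azure\\.com", "Microsoft", ... }`, and likewise for `.windows.net`, `.microsoft.com`, `.bloombergvault.com` and `.bloomberg.com`. The hunk's existing rows also either end in the bare name plus ` TLD` (`"\\.cloudfront" TLD`) or spell the full domain without it; the new rows do both, which presumably appends a second suffix after the explicit `.com` — confirm what `TLD` expands to before keeping it.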
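Review bot: The Bloomberg defaults registered here disagree with the host-match rows this same commit adds in `ndpi_content_match.c.inc`: `ndpi_set_proto_defaults()` is called with `NDPI_PROTOCOL_ACCEPTABLE` and `NDPI_PROTOCOL_CATEGORY_NETWORK`, while the `.bloomberg.com` / `.bloombergvault.com` rows carry `NDPI_PROTOCOL_SAFE` and `NDPI_PROTOCOL_CATEGORY_CLOUD`, so the breed and category a flow reports will depend on which path classified it. Pick one pair (CLOUD looks like the intent for a hosted service) and use it in both places, e.g. `no_master, "Bloomberg", NDPI_PROTOCOL_CATEGORY_CLOUD,`. CAPWAP is registered with no default ports at all; if its dissector relies on port-based guessing, RFC 5415's UDP 5246/5247 would belong in the `ports_b` call — I cannot see the dissector from here. The enclosing `ndpi_init_protocol_defaults()` starts and ends outside the hunk.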
@@ -4062,64 +4067,6 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_
 /* ********************************************************************************* */
-static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module_struct *ndpi_str,
- struct ndpi_flow_struct *flow) {
- ndpi_protocol ret;
- ndpi_protocol_match_result ret_match;
-
- ret.master_protocol = flow->guessed_protocol_id;
- ret.app_protocol = ndpi_match_host_subprotocol(ndpi_str, flow,
- (char *)flow->host_server_name,
- strlen((const char*)flow->host_server_name),
- &ret_match,
- flow->guessed_protocol_id);
-
- if(flow->category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
- ret.category = flow->category;
- else
- ret.category = ret_match.protocol_category;
-
- if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
- ret.app_protocol = ret.master_protocol;
-
- ndpi_fill_protocol_category(ndpi_str, flow, &ret);
-
- ndpi_int_change_protocol(ndpi_str, flow, ret.app_protocol, ret.master_protocol);
-
- return(ret);
-}
-
-/* ********************************************************************************* */
-
-/*
- You can call this function at any time in case of unknown match to see if there is
- a partial match that has been prevented by the current nDPI preferences configuration
-*/
-ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_str,
- struct ndpi_flow_struct *flow) {
- if((flow->guessed_protocol_id == NDPI_PROTOCOL_HTTP)
- && (ndpi_str->http_dont_dissect_response == 0)
- && (flow->host_server_name[0] != '\0')
- && (!NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_host_protocol_id)))
- return(ndpi_process_partial_detection(ndpi_str, flow));
- else if((flow->guessed_protocol_id == NDPI_PROTOCOL_DNS)
- && (ndpi_str->dns_dont_dissect_response == 0)
- && (flow->host_server_name[0] != '\0')
- && (!NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_host_protocol_id)))
- return(ndpi_process_partial_detection(ndpi_str, flow));
- else {
- ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN,
- NDPI_PROTOCOL_UNKNOWN,
- NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
-
- if(flow) ret.category = flow->category;
-
- return(ret);
- }
-}
-
-/* ********************************************************************************* */
-
 ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str,
 struct ndpi_flow_struct *flow,
 u_int8_t enable_guess,
@@ -4153,15 +4100,6 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
 ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_TLS, NDPI_PROTOCOL_UNKNOWN);
 } else {
- ndpi_protocol ret_g = ndpi_get_partial_detection(ndpi_str, flow);
-
- if(ret_g.master_protocol != NDPI_PROTOCOL_UNKNOWN)
- return(ret_g);
- else {
- if(!enable_guess)
- return(ret);
- }
-
 if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
 && (flow->packet.l4_protocol == IPPROTO_TCP)
 && (flow->l4.tcp.tls_stage > 1))
@@ -4248,19 +4186,27 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 && flow->packet.iph /* Guess only IPv4 */
 && (flow->packet.tcp || flow->packet.udp)
 ) {
- ret = ndpi_guess_undetected_protocol(ndpi_str,
- flow,
- flow->packet.l4_protocol,
- ntohl(flow->packet.iph->saddr),
- ntohs(flow->packet.udp ? flow->packet.udp->source : flow->packet.tcp->source),
- ntohl(flow->packet.iph->daddr),
- ntohs(flow->packet.udp ? flow->packet.udp->dest : flow->packet.tcp->dest)
- );
- *protocol_was_guessed = 1;
+ ndpi_protocol ret1 = ndpi_guess_undetected_protocol(ndpi_str,
+ flow,
+ flow->packet.l4_protocol,
+ ntohl(flow->packet.iph->saddr),
+ ntohs(flow->packet.udp ? flow->packet.udp->source : flow->packet.tcp->source),
+ ntohl(flow->packet.iph->daddr),
+ ntohs(flow->packet.udp ? flow->packet.udp->dest : flow->packet.tcp->dest)
+ );
+
+ if(ret1.app_protocol != NDPI_PROTOCOL_UNKNOWN) {
+ if(ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) ret.master_protocol = ret1.master_protocol;
+ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) ret.app_protocol = ret1.app_protocol;
+ if(ret.category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) ret.category = ret1.category;
+
+ *protocol_was_guessed = 1;
+ }
 }
- ndpi_fill_protocol_category(ndpi_str, flow, &ret);
-
+ if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)
+ ndpi_fill_protocol_category(ndpi_str, flow, &ret);
+
 return(ret);
 }
@@ -4835,7 +4781,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 } else
 ret.app_protocol = flow->detected_protocol_stack[0];
- /* Don;t overwrite the category if already set */
+ /* Don't overwrite the category if already set */
 if(flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
 ndpi_fill_protocol_category(ndpi_str, flow, &ret);
 else
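Review bot: `*protocol_was_guessed = 1` is set whenever `ret1.app_protocol` is known, even if `ret` already held both protocols and a category from the code above the hunk and none of `ret1`'s fields were copied over, so a caller can be told that a fully detected result was guessed. If `ret` can reach this branch non-empty (its initialisation is not visible from here), derive the flag from what was actually merged — e.g. `u_int8_t guessed = (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN);` ahead of the three `if` merges and `*protocol_was_guessed = guessed;` in place of the constant. A second behaviour change the message does not mention: the new `if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN)` guard means an unknown result now keeps whatever category `ret` already carried, where previously it always went through `ndpi_fill_protocol_category()`; a one-line comment saying that is intentional would help the next reader. `ndpi_detection_giveup()` begins outside the hunk.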
@@ -5405,8 +5351,7 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol) { - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; + struct ndpi_id_struct *src = flow->src, *dst = flow->dst; ndpi_int_change_protocol(ndpi_str, flow, upper_detected_protocol, lower_detected_protocol); @@ -6477,13 +6422,12 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp break; case NDPI_PROTOCOL_HTTP: - if(flow->host_server_name[0] == '\0') + if((flow->host_server_name[0] == '\0') || (flow->http.response_status_code == 0)) return(1); break; case NDPI_PROTOCOL_DNS: - if((ndpi_str->dns_dont_dissect_response == 0) - && (flow->protos.dns.num_answers == 0)) + if(flow->protos.dns.num_answers == 0) return(1); break; diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f41eb65ee..7051b2227 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -32,6 +32,8 @@ // #define DNS_DEBUG 1 +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); + /* *********************************************** */ static u_int16_t get16(int *i, const u_int8_t *payload) { @@ -84,6 +86,7 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, memcpy(dns_header, (struct ndpi_dns_packet_header*)&flow->packet.payload[x], sizeof(struct ndpi_dns_packet_header)); + dns_header->tr_id = ntohs(dns_header->tr_id); dns_header->flags = ntohs(dns_header->flags); dns_header->num_queries = ntohs(dns_header->num_queries); 
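Review bot: In `ndpi_extra_dissection_possible` the DNS branch now keys only on `num_answers == 0`, so a flow whose reply is NXDOMAIN or NODATA (ANCOUNT 0) keeps reporting that extra dissection is possible after the reply has already been seen. `ndpi_search_dns` stores the last packet's query/reply bit into `flow->protos.dns.is_query` (dns.c hunk at line 305), so that field can separate "no reply yet" from "empty reply": `if(flow->protos.dns.is_query && (flow->protos.dns.num_answers == 0)) return(1);`. The HTTP branch has the same shape with `response_status_code == 0`; a flow whose response is never captured will answer yes until the caller's extra-packet budget runs out, which looks acceptable but deserves a comment saying it is bounded. The function starts and ends outside the hunk.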
@@ -134,58 +137,69 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, /* This is a good reply: we dissect it both for request and response */ /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - /* if(ndpi_struct->dns_dont_dissect_response == 0) */ { - x++; - - if(flow->packet.payload[x] != '\0') { - while((x < flow->packet.payload_packet_len) - && (flow->packet.payload[x] != '\0')) { - x++; - } + x++; + if(flow->packet.payload[x] != '\0') { + while((x < flow->packet.payload_packet_len) + && (flow->packet.payload[x] != '\0')) { x++; } - x += 4; + x++; + } - if(dns_header->num_answers > 0) { - u_int16_t rsp_type; - u_int16_t num; + x += 4; - for(num = 0; num < dns_header->num_answers; num++) { - u_int16_t data_len; + if(dns_header->num_answers > 0) { + u_int16_t rsp_type; + u_int16_t num; - if((x+6) >= flow->packet.payload_packet_len) { - break; - } + for(num = 0; num < dns_header->num_answers; num++) { + u_int16_t data_len; + + if((x+6) >= flow->packet.payload_packet_len) { + break; + } - if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { - break; - } else - x += data_len; + if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + break; + } else + x += data_len; - rsp_type = get16(&x, flow->packet.payload); - flow->protos.dns.rsp_type = rsp_type; + rsp_type = get16(&x, flow->packet.payload); + flow->protos.dns.rsp_type = rsp_type; - /* here x points to the response "class" field */ - if((x+12) <= flow->packet.payload_packet_len) { - x += 6; - data_len = get16(&x, flow->packet.payload); + /* here x points to the response "class" field */ + if((x+12) <= flow->packet.payload_packet_len) { + x += 6; + data_len = get16(&x, flow->packet.payload); - if(((x + data_len) <= flow->packet.payload_packet_len) - && (((rsp_type == 0x1) && (data_len == 4)) /* A */ + if(((x + data_len) <= 
flow->packet.payload_packet_len) + && (((rsp_type == 0x1) && (data_len == 4)) /* A */ #ifdef NDPI_DETECTION_SUPPORT_IPV6 - || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ + || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ #endif - )) { - memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); - } + )) { + memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); } - - break; } + + break; } } + + if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) + || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) { + /* Request already set the protocol */ + flow->extra_packets_func = NULL; /* We're good now */ + } else { + /* We missed the request */ + u_int16_t s_port = flow->packet.udp ? ntohs(flow->packet.udp->source) : ntohs(flow->packet.tcp->source); + + ndpi_set_detected_protocol(ndpi_struct, flow, + (s_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, + NDPI_PROTOCOL_UNKNOWN); + } } else return(1 /* invalid */); } @@ -202,6 +216,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st if(flow->protos.dns.num_answers > 0) { /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ return(0); } @@ -211,7 +226,7 @@ static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, st /* *********************************************** */ -void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { int payload_offset; u_int8_t is_query; u_int16_t s_port = 0, d_port = 0; 
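Review bot: In the query-name walk of `search_valid_dns`, `x++; if(flow->packet.payload[x] != '\0')` reads `payload[x]` before checking `x < flow->packet.payload_packet_len`, so a reply whose payload ends right after the header reads one byte past the buffer; the same pattern existed before, but the re-indented code is the place to fix it unless a length check earlier in the function (outside the hunk) already guarantees at least one question byte. Guard the read: `if((x < flow->packet.payload_packet_len) && (flow->packet.payload[x] != '\0')) {`. The later `x += 4` may also move `x` past the end, but the answer loop's `(x+6) >= flow->packet.payload_packet_len` check catches that before any access, which is worth a short comment so nobody "fixes" it into an earlier break. `search_valid_dns` starts outside the hunk.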
@@ -290,7 +305,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd /* Report if this is a DNS query or reply */ flow->protos.dns.is_query = is_query; - if(is_query && (ndpi_struct->dns_dont_dissect_response == 0) && (flow->check_extra_packets == 0)) { + if(is_query) { /* In this case we say that the protocol has been detected just to let apps carry on with their activities */ ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cc27b8eb6..b73a1aeee 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -28,40 +28,54 @@ #include "ndpi_api.h" #include <stdlib.h> -static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t category) { -#ifdef DEBUG - printf("[%s] [http_dont_dissect_response: %u]->> %s\n", __FUNCTION__, - ndpi_struct->http_dont_dissect_response, flow->http.response_status_code); -#endif - - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ +static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); - ndpi_search_tcp_or_udp(ndpi_struct, flow); +/* *********************************************** */ - /* If no custom protocol has been detected */ - if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - ndpi_int_reset_protocol(flow); - flow->http_upper_protocol = flow->guessed_host_protocol_id, flow->http_lower_protocol = NDPI_PROTOCOL_HTTP; - } else - flow->http_upper_protocol = NDPI_PROTOCOL_HTTP, flow->http_lower_protocol = NDPI_PROTOCOL_UNKNOWN; +static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_http_tcp(ndpi_struct, flow); - if(ndpi_struct->http_dont_dissect_response) - ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol); - else { - flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - } - } else { - if((!ndpi_struct->http_dont_dissect_response) && (flow->http.response_status_code == 0)) { - flow->http_upper_protocol = flow->detected_protocol_stack[0], flow->http_lower_protocol = flow->detected_protocol_stack[1]; - flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, 
flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN; - } +#ifdef HTTP_DEBUG + printf("=> %s()\n", __FUNCTION__); +#endif + + if((flow->host_server_name[0] != '\0') && (flow->http.response_status_code != 0)) { + /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ + return(0); } + /* Possibly more processing */ + return(1); +} + +/* *********************************************** */ + +static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t category) { +#ifdef HTTP_DEBUG + printf("=> %s()\n", __FUNCTION__); +#endif + + if(flow->extra_packets_func && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) + return; /* Nothing new to add */ + + /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ + ndpi_search_tcp_or_udp(ndpi_struct, flow); + + /* If no custom protocol has been detected */ + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + ndpi_int_reset_protocol(flow); + ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP); + } else + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 5; + flow->extra_packets_func = ndpi_search_http_tcp_again; flow->http_detected = 1, flow->guessed_category = category; } 
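Review bot: In `ndpi_int_http_add_connection` the early return only fires while `guessed_host_protocol_id` is unknown, so once `ndpi_search_tcp_or_udp` has produced a host guess every re-entry through `ndpi_search_http_tcp_again` runs `ndpi_int_reset_protocol`, `ndpi_set_detected_protocol` and re-arms `max_extra_packets_to_check = 5` on each extra packet. Whether re-arming resets the core's extra-packet counter is outside this diff, but the repeated reset/set is at best redundant work. ssh.c in this same merge uses the plain `if(flow->extra_packets_func != NULL) return;` guard; unless a later guess is meant to upgrade the classification, the same guard fits here, and if it is meant to, say so: `/* re-run when a host protocol was guessed after the first pass */`.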
@@ -103,11 +117,6 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc if(double_col) double_col[0] = '\0'; - /** - NOTE - If http_dont_dissect_response = 1 dissection of HTTP response - mime types won't happen - */ ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name), &ret_match, @@ -124,14 +133,10 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ struct ndpi_packet_struct *packet = &flow->packet; - if((!ndpi_struct->http_dont_dissect_response) && flow->http_detected && (flow->http.response_status_code != 0)) { - ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol); -#ifdef DEBUG - printf("[%s] [http_dont_dissect_response: %u]->> %s\n", - __FUNCTION__, ndpi_struct->http_dont_dissect_response, flow->http.response_status_code); -#endif - return; - } + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + + if(flow->http_detected && (flow->http.response_status_code != 0)) + return; #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* PPStream */ @@ -156,9 +161,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } #endif - /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - - /* if(!ndpi_struct->http_dont_dissect_response) */ { if((flow->http.url == NULL) && (packet->http_url_name.len > 0) && (packet->host_line.len > 0)) { @@ -207,8 +209,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->content_line.len); flow->http.content_type[packet->content_line.len] = '\0'; } - } - } + } if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { /** 
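Review bot: `check_content_type_and_change_protocol` now opens with an unconditional `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);`, which runs immediately after `ndpi_int_http_add_connection` has set `(guessed_host_protocol_id, HTTP)` in the hunk at line 684 and again on every extra packet. If `ndpi_int_change_protocol` overwrites an existing classification (its body is outside the diff), the IP/port-based host protocol is discarded and only restored when a Host, Origin or Content-Type match happens further down. Guarding it keeps the earlier result: `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);`. The function's signature is outside the hunk.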
@@ -287,7 +288,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); /* call ndpi_match_host_subprotocol to see if there is a match with known-host HTTP subprotocol */ - if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) { + if(flow->http_detected) { ndpi_protocol_match_result ret_match; ndpi_match_host_subprotocol(ndpi_struct, flow, @@ -302,6 +303,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); flow->host_server_name[len] = '\0'; + flow->extra_packets_func = NULL; /* We're good now */ } flow->server_id = flow->dst; @@ -314,8 +316,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - if(!ndpi_struct->http_dont_dissect_response) - parseHttpSubprotocol(ndpi_struct, flow); + parseHttpSubprotocol(ndpi_struct, flow); /** check result of host subprotocol detection @@ -339,7 +340,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - && ((ndpi_struct->http_dont_dissect_response) || flow->http_detected) + && (flow->http_detected) && (packet->http_origin.len > 0)) { ndpi_protocol_match_result ret_match; @@ -361,7 +362,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } #if 0 - if(!ndpi_struct->http_dont_dissect_response && flow->http_detected) + if(flow->http_detected) parseHttpSubprotocol(ndpi_struct, flow); #endif 
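Review bot: The `flow->extra_packets_func = NULL; /* We're good now */` added after copying the Host header fires on the request, before any response has been seen, yet `ndpi_search_http_tcp_again` (hunk at line 28) only treats the flow as complete when `response_status_code != 0` as well, and `ndpi_extra_dissection_possible` in ndpi_main.c now asks for more packets while the status code is 0. With the callback cleared here the response is never revisited on the extra-packet path, so `response_status_code` can stay 0 for the flow's lifetime unless the core reaches the dissector through another route outside this diff. Either drop the line and let `ndpi_search_http_tcp_again` decide, or condition it: `if(flow->http.response_status_code != 0) flow->extra_packets_func = NULL;`. `check_content_type_and_change_protocol` starts and ends outside the hunk.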
@@ -382,7 +383,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", packet->content_line.len, packet->content_line.ptr); - if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) { + if(flow->http_detected) { ndpi_protocol_match_result ret_match; ndpi_match_content_subprotocol(ndpi_struct, flow, @@ -592,6 +593,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct goto ookla_found; } +#if OBSOLETE /* Check for additional field introduced by Steam */ int x = 1; if(packet->line[x].len >= 11 && (memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) { @@ -612,7 +614,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } x++; } - +#endif + #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* check PPStream protocol or iQiyi service (iqiyi is delivered by ppstream) */ @@ -681,17 +684,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct in 99.99% of the cases is like that. */ - if(ndpi_struct->http_dont_dissect_response) { - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */ - NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); - } else { - flow->http_detected = 1; - NDPI_LOG_DBG2(ndpi_struct, - "HTTP START Found, we will look further for the response...\n"); - flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 - } - + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + flow->http_detected = 1; + NDPI_LOG_DBG2(ndpi_struct, + "HTTP START Found, we will look further for the response...\n"); + flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 check_content_type_and_change_protocol(ndpi_struct, flow); return; } 
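Review bot: `#if OBSOLETE` around the Steam `x-steam-sid` check relies on `OBSOLETE` being undefined so the preprocessor evaluates it as 0; no definition is visible in the diff, it trips `-Wundef`, and it reads like a typo for `#ifdef`. The conventional form is `#if 0 /* obsolete: x-steam-sid header check */` ... `#endif`, or better, delete the dead block since version control keeps it. The `int x = 1;` declared inside the disabled region sits mid-block in `ndpi_check_http_tcp`, so re-enabling it later also needs that declaration moved; a comment saying the whole region is one unit avoids a partial revival. `ndpi_check_http_tcp` starts and ends outside the hunk.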
@@ -799,10 +796,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } } -void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; +/* ********************************* */ +static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { /* Break after 20 packets. */ if(flow->packet_counter > 20) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); @@ -810,10 +807,6 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, return; } - if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { - return; - } - NDPI_LOG_DBG(ndpi_struct, "search HTTP\n"); ndpi_check_http_tcp(ndpi_struct, flow); } @@ -850,8 +843,7 @@ char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, - NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ + NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("HTTP",ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_HTTP, ndpi_search_http_tcp, diff --git a/src/lib/protocols/iec60870-5-104.c b/src/lib/protocols/iec60870-5-104.c index b7439f3e0..e34ca3d63 100644 --- a/src/lib/protocols/iec60870-5-104.c +++ b/src/lib/protocols/iec60870-5-104.c 
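Review bot: Removing the `if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) return;` guard lets `ndpi_search_http_tcp` run on classified flows, which `ndpi_search_http_tcp_again` needs, but the `flow->packet_counter > 20` branch that precedes it now also runs on that path and calls `NDPI_EXCLUDE_PROTO` on a flow already detected as HTTP. If `packet_counter` keeps counting after detection, a flow classified at packet 18 with five extra packets reaches that branch; what `NDPI_EXCLUDE_PROTO` does to an already-classified flow is outside the diff, but the callback should not get there. Stop the extra-packet path first: `if(flow->packet_counter > 20) { flow->extra_packets_func = NULL; return(0); }` at the top of `ndpi_search_http_tcp_again`, or gate the exclude on `flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN`.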
@@ -2,7 +2,26 @@ * iec60870-5-104.c * Extension for industrial 104 protocol recognition * - * Created by Cesar HM + * Created by Cesar HM <cesar91hoyos@gmail.com> + * + * Copyright (C) 2019 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * */ #include "ndpi_protocol_ids.h" 
@@ -21,23 +40,22 @@ void ndpi_search_104_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp) { /* The start byte of 104 is 0x68 * The usual port: 2404 - */ - if ( packet->payload[0] == 0x68 && - ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ - NDPI_LOG_INFO(ndpi_struct, "found 104\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); - return; - } + */ + if((packet->payload[0] == 0x68) && + ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port)) ){ + NDPI_LOG_INFO(ndpi_struct, "found 104\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_104, NDPI_PROTOCOL_UNKNOWN); + return; } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - + } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("104", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_104, ndpi_search_104_tcp, diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index fcb390229..2cd4657c9 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -283,12 +283,14 @@ int ndpi_extra_search_mail_smtp_tcp(struct ndpi_detection_module_struct *ndpi_st static void smtpInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { #ifdef SMTP_DEBUG - printf("**** %s()\n", __FUNCTION__); + static u_int num = 0; + + printf("**** %s(%u)\n", __FUNCTION__, ++num); #endif flow->check_extra_packets = 1; /* At most 7 packets should almost always be enough */ - flow->max_extra_packets_to_check = 7; + flow->max_extra_packets_to_check = 12; flow->extra_packets_func = ndpi_extra_search_mail_smtp_tcp; } diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index 71305cd13..de83519f7 100644 --- a/src/lib/protocols/smb.c 
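Review bot: `packet->payload[0]` is read in `ndpi_search_104_tcp` with no visible `payload_packet_len` check; the function's opening lines are outside the hunk, so if nothing there rejects empty payloads a bare ACK on port 2404 dereferences byte 0 of a zero-length payload. A single start byte plus port is also a thin signature for an ICS protocol; the APCI layout (0x68, then an APDU length byte of at least 4 that fits in the segment) is cheap to check: `if((packet->payload_packet_len >= 6) && (packet->payload[0] == 0x68) && (packet->payload[1] >= 4) && (packet->payload[1] + 2 <= packet->payload_packet_len) && ((packet->tcp->dest == iec104_port) || (packet->tcp->source == iec104_port))) {`. `iec104_port` is compared directly against `packet->tcp->dest`, so it must be stored in network byte order; its definition is outside the hunk and a comment at the use site would make that assumption explicit.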
+++ b/src/lib/protocols/smb.c @@ -33,18 +33,23 @@ void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc /* Check connection over TCP */ if(packet->tcp) { + u_int16_t fourfourfive = htons(445); - if(packet->tcp->dest == htons(445) + if(((packet->tcp->dest == fourfourfive) || (packet->tcp->source == fourfourfive)) && packet->payload_packet_len > (32 + 4 + 4) && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) - && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { - + ) { + u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 }; + NDPI_LOG_INFO(ndpi_struct, "found SMB\n"); - if(packet->payload[8] == 0x72) - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_UNKNOWN); - else + if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) { + if(packet->payload[8] != 0x72) /* Skip Negotiate request */ { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_UNKNOWN); + } + } else ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_UNKNOWN); + return; } } @@ -65,4 +70,3 @@ void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 *id += 1; } - diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index 5dd6fb0e5..5bdf78959 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c 
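Review bot: The SMB1 magic check moved out of the `if` condition into the body, and the new `else` branch classifies every NetBIOS-framed message on port 445 whose bytes 4..7 are not `0xFF 'S' 'M' 'B'` as `NDPI_PROTOCOL_SMBV23` without checking the SMB2 magic `0xFE 'S' 'M' 'B'`; the old code required the SMB1 magic for any classification, so this is a new way for non-SMB traffic on 445 with a plausible 4-byte length prefix to be reported as SMBv2/3. Skipping the SMB1 Negotiate (0x72) is sensible because it may advertise SMB2 dialects, but the comment should say that rather than `/* Skip Negotiate request */`. Encrypted SMB3 uses the transform header `0xFD 'S' 'M' 'B'`, but a flow's first packets are the unencrypted Negotiate, so matching 0xFE is enough for detection. The enclosing `if(packet->tcp)` and the function's start are outside the hunk.
```c
      static const u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 }; /* 0xFF 'S' 'M' 'B' */
      static const u_int8_t smbv2[] = { 0xfe, 0x53, 0x4d, 0x42 }; /* 0xFE 'S' 'M' 'B' */

      NDPI_LOG_INFO(ndpi_struct, "found SMB\n");

      if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) {
        /* An SMB1 Negotiate (0x72) may advertise SMB2 dialects: let the reply decide */
        if(packet->payload[8] != 0x72)
          ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_UNKNOWN);
      } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) {
        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_UNKNOWN);
      }

      return;
      /* … unchanged: closing braces and NDPI_EXCLUDE_PROTO … */
```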
@@ -56,10 +56,38 @@ /* #define SSH_DEBUG 1 */ +static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); + +/* ************************************************************************ */ + +static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + ndpi_search_ssh_tcp(ndpi_struct, flow); + + if((flow->protos.ssh.hassh_client[0] != '\0') + && (flow->protos.ssh.hassh_server[0] != '\0')) { + /* stop extra processing */ + flow->extra_packets_func = NULL; /* We're good now */ + return(0); + } + + /* Possibly more processing */ + return(1); +} + /* ************************************************************************ */ static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + if(flow->extra_packets_func != NULL) + return; + + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 12; + flow->extra_packets_func = search_ssh_again; + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN); } @@ -183,7 +211,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, /* ssh.languages_server_to_client [None] */ #ifdef SSH_DEBUG - printf("\n[SSH] %s\n", buf); + printf("[SSH] %s\n", buf); #endif return(buf_out_len); @@ -191,7 +219,7 @@ static u_int16_t concat_hash_string(struct ndpi_packet_struct *packet, invalid_payload: #ifdef SSH_DEBUG - printf("\n[SSH] Invalid packet payload\n"); + printf("[SSH] Invalid packet payload\n"); #endif return(0); 
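Review bot: `search_ssh_again` returns 1 ("possibly more processing") whenever both hassh values are not yet present, including when the `ndpi_search_ssh_tcp` call it just made fell through to the exclude path at the bottom of that function (hunk at line 350). On the extra-packet path that can happen with a legitimate client that sends KEXINIT right after its banner, before the server banner arrives: stage is 1, the packet is in direction 0, neither stage branch matches, and the flow is excluded while still asking for more packets. Have `search_ssh_again` stop when the dissector gave up, i.e. clear `flow->extra_packets_func` and return 0 when SSH has been excluded for the flow, or make the stage-3 branch tolerant of an early client KEXINIT; which is cleaner depends on code outside this hunk. A comment on `max_extra_packets_to_check = 12` explaining why 12 (banners plus KEXINIT in both directions with room for splits, presumably) would also help.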
@@ -213,11 +241,11 @@ static void ndpi_ssh_zap_cr(char *str, int len) { /* ************************************************************************ */ -void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; #ifdef SSH_DEBUG - printf("\n[SSH] [stage: %u]\n", flow->l4.tcp.ssh_stage); + printf("[SSH] %s()\n", __FUNCTION__); #endif if(flow->l4.tcp.ssh_stage == 0) { @@ -231,13 +259,13 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); #ifdef SSH_DEBUG - printf("\n[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); + printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); #endif } NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n"); flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; - flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH; + ndpi_int_ssh_add_connection(ndpi_struct, flow); return; } } else if(flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) { @@ -251,7 +279,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); #ifdef SSH_DEBUG - printf("\n[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); + printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); #endif NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); @@ -262,7 +290,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } #ifdef SSH_DEBUG - printf("\n[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); + printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); #endif flow->l4.tcp.ssh_stage = 3; 
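Review bot: At stage 0 the flow is now hard-classified as SSH by `ndpi_int_ssh_add_connection` as soon as the first payload passes the client-banner check, whereas before only `guessed_protocol_id` was set and the classification waited for later stages. If that check is only the `SSH-` prefix (its opening lines are outside the hunk), any TCP flow whose first bytes are `SSH-` is reported as SSH immediately, which is a weaker signature than the previous banner-plus-KEXINIT sequence. A small change keeps the old strength: leave `flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_SSH;` at stage 0 and move the `ndpi_int_ssh_add_connection(ndpi_struct, flow);` call into the stage-1/2 branch after `server_signature` is stored, so both banners are seen before the extra-packet machinery is armed. `ndpi_search_ssh_tcp` continues outside the hunk.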
@@ -272,16 +300,16 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc u_int8_t msgcode = *(packet->payload + 5); ndpi_MD5_CTX ctx; -#ifdef SSH_DEBUG - printf("\n[SSH] [stage: %u][msg: %u]\n", flow->l4.tcp.ssh_stage, msgcode); -#endif - if(msgcode == 20 /* key exchange init */) { char *hassh_buf = calloc(packet->payload_packet_len, sizeof(char)); u_int i, len; +#ifdef SSH_DEBUG + printf("[SSH] [stage: %u][msg: %u][direction: %u][key exchange init]\n", flow->l4.tcp.ssh_stage, msgcode, packet->packet_direction); +#endif + if(hassh_buf) { - if(flow->l4.tcp.ssh_stage == 3) { + if(packet->packet_direction == 0 /* client */) { u_char fingerprint_client[16]; len = concat_hash_string(packet, hassh_buf, 1 /* client */); @@ -292,7 +320,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc #ifdef SSH_DEBUG { - printf("\n[SSH] [client][%s][", hassh_buf); + printf("[SSH] [client][%s][", hassh_buf); for(i=0; i<16; i++) printf("%02X", fingerprint_client[i]); printf("]\n"); } @@ -310,7 +338,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc #ifdef SSH_DEBUG { - printf("\n[SSH] [server][%s][", hassh_buf); + printf("[SSH] [server][%s][", hassh_buf); for(i=0; i<16; i++) printf("%02X", fingerprint_server[i]); printf("]\n"); } @@ -322,18 +350,22 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc free(hassh_buf); } - } - if(flow->l4.tcp.ssh_stage++ == 4) { - NDPI_LOG_INFO(ndpi_struct, "found ssh\n"); ndpi_int_ssh_add_connection(ndpi_struct, flow); } + if((flow->protos.ssh.hassh_client[0] != '\0') && (flow->protos.ssh.hassh_server[0] != '\0')) { +#ifdef SSH_DEBUG + printf("[SSH] Dissection completed\n"); +#endif + flow->extra_packets_func = NULL; /* We're good now */ + } + return; } #ifdef SSH_DEBUG - printf("\n[SSH] Excluding SSH"); + printf("[SSH] Excluding SSH"); #endif NDPI_LOG_DBG(ndpi_struct, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); 
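Review bot: The `ndpi_int_ssh_add_connection(ndpi_struct, flow);` left inside the `msgcode == 20` block is a no-op on every path that reaches stage 3: stage 0 already armed `extra_packets_func`, and the function's first statement (hunk at line 56) returns when it is set, so the call can go. The `hassh_client && hassh_server` completion check that follows duplicates the one in `search_ssh_again`; keeping it in one place stops the two from drifting. `/* client */` on `packet_direction == 0` assumes direction 0 is the client, which as I read nDPI means the first-seen direction of the flow; that matches how stage 0 stores `client_signature`, but say it: `/* direction 0 == first packet of the flow, assumed to be the client */`. `ndpi_search_ssh_tcp` starts and ends outside the hunk.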
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index cce5e0471..261f2ab28 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -32,8 +32,7 @@ extern char *strptime(const char *s, const char *format, struct tm *tm); /* #define DEBUG_TLS 1 */ - -#define DEBUG_FINGERPRINT 1 +/* #define DEBUG_FINGERPRINT 1 */ /* NOTE @@ -59,6 +58,9 @@ extern u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, /* stun.c */ extern u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev); +extern int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow); + /* **************************************** */ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_struct *ndpi_struct, @@ -94,6 +96,16 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st /* **************************************** */ +static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; +} + +/* **************************************** */ + static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { if(protocol != NDPI_PROTOCOL_TLS) @@ -102,6 +114,7 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp protocol = ndpi_tls_refine_master_protocol(ndpi_struct, flow, protocol); ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_TLS); + sslInitExtraPacketProcessing(flow); } /* **************************************** */ 
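Review bot: `ndpi_int_tls_add_connection` now calls `sslInitExtraPacketProcessing(flow)` on every invocation, re-pointing `extra_packets_func` at `sslTryAndRetrieveServerCertificate` and resetting `max_extra_packets_to_check = 7`. The hunk at line 882 clears `extra_packets_func` once the certificate fingerprint is done; if `ndpi_int_tls_add_connection` runs again afterwards (a refine from a later packet, for instance; its callers are outside the diff) the callback is re-armed and the certificate parser is run again on a flow that is already complete. Gate the arming on state that survives, e.g. `if(!flow->l4.tcp.tls_srv_cert_fingerprint_processed) sslInitExtraPacketProcessing(flow);`, assuming that flag is valid on the DTLS/UDP path as well, which the `l4.tcp` naming makes me want to confirm. A comment on why 7 extra packets is enough for a server certificate chain would also help.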
@@ -869,7 +882,8 @@ int getSSCertificateFingerprint(struct ndpi_detection_module_struct *ndpi_struct } } } - + + flow->extra_packets_func = NULL; /* We're good now */ return(1); } @@ -1070,16 +1084,6 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi /* **************************************** */ -static void sslInitExtraPacketProcessing(struct ndpi_flow_struct *flow) { - flow->check_extra_packets = 1; - - /* At most 7 packets should almost always be enough to find the server certificate if it's there */ - flow->max_extra_packets_to_check = 7; - flow->extra_packets_func = sslTryAndRetrieveServerCertificate; -} - -/* **************************************** */ - int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t skip_cert_processing) { 
@@ -1130,11 +1134,26 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s return(rc); } - if(((packet->tls_certificate_num_checks >= 3) - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */ - && flow->l4.tcp.tls_srv_cert_fingerprint_processed +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_certificate_num_checks: %u][tls_srv_cert_fingerprint_processed: %u][tls_certificate_detected: %u][%u/%u]", + __FUNCTION__, packet->tls_certificate_num_checks, flow->l4.tcp.tls_srv_cert_fingerprint_processed, + packet->tls_certificate_detected, + flow->l4.tcp.tls_seen_client_cert, + flow->l4.tcp.tls_seen_server_cert + ); +#endif + + + if(((packet->tls_certificate_num_checks >= 1) +#if 0 + && (flow->l4.tcp.seen_syn /* User || to be tolerant */ + || flow->l4.tcp.seen_syn_ack + || flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) +#endif + && (flow->l4.tcp.tls_srv_cert_fingerprint_processed + || flow->l4.tcp.tls_seen_client_cert + || flow->l4.tcp.tls_seen_server_cert + || packet->tls_certificate_detected) ) /* || ((flow->l4.tcp.tls_seen_certificate == 1) @@ -1228,7 +1247,12 @@ static void tls_mark_and_payload_search(struct ndpi_detection_module_struct if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); tlsDetectProtocolFromCertificate(ndpi_struct, flow, skip_cert_processing); - + +#ifdef DEBUG_TLS + printf("[TLS] %s() [tls_seen_client_cert: %u][tls_seen_server_cert: %u]\n", __FUNCTION__, + flow->l4.tcp.tls_seen_client_cert, flow->l4.tcp.tls_seen_server_cert); +#endif + if(!packet->tls_certificate_detected && (!(flow->l4.tcp.tls_seen_client_cert && flow->l4.tcp.tls_seen_server_cert))) { /* SSL without certificate (Skype, Ultrasurf?) */ 
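Review bot: The new debug `printf` in `tlsDetectProtocolFromCertificate` has no trailing newline, so the output runs into the next print; end the format with `"[%u/%u]\n"`. The three-way-handshake requirement is disabled with `#if 0` and the comment `User || to be tolerant` (typo for `Use`), leaving dead code whose rationale is unclear; either delete it or explain why classifying without `seen_syn`/`seen_syn_ack` is acceptable, e.g. `/* no handshake requirement: mid-flow captures must still classify */`. Lowering `tls_certificate_num_checks` from 3 to 1 together with that removal means a single certificate-bearing record now classifies the flow, which is more permissive on spoofed or truncated captures; if that is intended, one line stating the trade-off saves the next reader from re-deriving it. The function starts and ends outside the hunk.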
@@ -1354,6 +1378,10 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; u_int8_t ret, skip_cert_processing = 0; +#ifdef DEBUG_TLS + printf("%s()\n", __FUNCTION__); +#endif + if(packet->udp != NULL) { /* DTLS dissector */ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); |