author | Campus <campus@ntop.org> | 2016-11-20 13:07:00 +0100 |
---|---|---|
committer | Campus <campus@ntop.org> | 2016-11-20 13:07:00 +0100 |
commit | 9abbef7e05ba8196804962e63e5119cf75436c8b (patch) | |
tree | d4bdf1a45b1b09204216a3aa611b33523839ee44 /src | |
parent | 1fbe25f91e87282c22e317e5f7b4c9cdccf2e8ad (diff) |
added iqiyi media service and updated ppsetream protocol - added 1kxun media service
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/Makefile.am | 1 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 23 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 150 | ||||
-rw-r--r-- | src/lib/protocols/kxun.c | 98 | ||||
-rw-r--r-- | src/lib/protocols/ppstream.c | 248 |
9 files changed, 429 insertions, 108 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index dc391989d..7c1ed4a99 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -265,9 +265,11 @@ #define NDPI_SERVICE_IFLIX 215 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ #define NDPI_SERVICE_GITHUB 216 #define NDPI_PROTOCOL_BJNP 217 +#define NDPI_SERVICE_1KXUN 218 +#define NDPI_SERVICE_IQIYI 219 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_BJNP +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_IQIYI #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index ae4861b07..16ffb930b 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -193,6 +193,7 @@ void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndp void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_bjnp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_kxun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -333,4 +334,5 @@ void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 void init_hangout_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bjnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_kxun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 414c04abb..094558548 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -572,6 +572,9 @@ struct ndpi_flow_tcp_struct { u_int8_t prev_zmq_pkt_len; u_char prev_zmq_pkt[10]; #endif +#ifdef NDPI_PROTOCOL_PPSTREAM + u_int32_t ppstream_stage:3; +#endif } #ifndef WIN32 __attribute__ ((__packed__)) diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 26d60029c..e47cb9934 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -66,6 +66,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/kakaotalk_voice.c \ protocols/kerberos.c \ protocols/kontiki.c \ + protocols/kxun.c \ protocols/ldap.c \ protocols/lotus_notes.c \ protocols/mail_imap.c \ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 67fbe9a8c..9d0d54e1a 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
@@ -7517,14 +7517,21 @@ ndpi_protocol_match host_match[] = { /* Detected "slack-assets2.s3-us-west-2.amazonaws.com.". Omitted "*amazonaws.com" CDN, but no generic pattern to use on first part */ { "slack-assets2.s3-", "Slack", NDPI_SERVICE_SLACK, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { "github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - /* https://github.com/blog/1452-new-github-pages-domain-github-io */ - { "github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - /* https://developer.github.com/changes/2014-04-25-user-content-security/ */ - { "githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, - { ".githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".github.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".github.io", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { "githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + { ".githubusercontent.com", "Github", NDPI_SERVICE_GITHUB, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE }, + + { ".iqiyi.com", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { 
".qiyi.com", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".71.am", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".qiyipic.com", "iQIYI", NDPI_SERVICE_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".ppstream.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".pps.tv", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { ".1kxun.", "1kxun", NDPI_SERVICE_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, + { "tcad.wedolook.com", "1kxun", NDPI_SERVICE_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN }, { NULL, 0 } }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 108450eec..7dd3b04a1 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1568,6 +1568,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "BJNP", NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_SERVICE_1KXUN, + no_master, + no_master, "1kxun", NDPI_PROTOCOL_CATEGORY_MEDIA, + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ /* calling function for host and content matched protocols */ @@ -2621,6 +2626,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* BJNP */ init_bjnp_dissector(ndpi_struct, &a, detection_bitmask); + /* 1KXUN */ + init_kxun_dissector(ndpi_struct, &a, detection_bitmask); + /*** Put false-positive sensitive protocols at the end ***/ /* SKYPE */ diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 039f38b56..6c7db2d7d 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -21,15 +21,19 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - #include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_HTTP + +/* global variables used for 1kxun protocol and iqiyi service */ +static u_int16_t kxun_counter; +static u_int16_t iqiyi_counter; + static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t protocol) { - + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { /* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */ @@ -97,11 +101,14 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str return; } + /** + for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp + **/ if(packet->empty_line_position_set != 0) { - // check for avi header - // for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp + u_int32_t p = packet->empty_line_position + 2; + // check for avi header NDPI_LOG(NDPI_CONTENT_AVI, ndpi_struct, NDPI_LOG_DEBUG, "p = %u\n", p); if((p + 16) <= packet->payload_packet_len && memcmp(&packet->payload[p], "RIFF", 4) == 0 
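Review bot: `kxun_counter` and `iqiyi_counter` are file-scope statics, so every flow (and every thread) handled by the HTTP dissector shares them, and none of the visible hunks resets them. Once one request matches, the `iqiyi_counter > 0` and `kxun_counter > 0` tests added to check_content_type_and_change_protocol (hunk at -179,24) stay true, so later unrelated HTTP flows would also be labelled iQIYI or 1kxun. That matters wherever the label drives policy or alerting, because one matching request from any host changes the classification of all later traffic. Keep the state per flow instead, for example by testing `flow->l4.tcp.ppstream_stage` and adding a one-bit per-flow flag for 1kxun next to it in `struct ndpi_flow_tcp_struct`. Note also that `ppstream_stage:3` wraps to 0 after eight increments, so it should be set rather than incremented.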
@@ -153,25 +160,21 @@ static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) { else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP"; else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003"; else if(!strcmp(ua, "Windows NT 6.0")) ua = "Windows Vista"; - // else if(!strcmp(ua, "Windows NT 7.0")) ua = "Windows 7"; else if(!strcmp(ua, "Windows NT 6.1")) ua = "Windows 7"; else if(!strcmp(ua, "Windows NT 6.2")) ua = "Windows 8"; else if(!strcmp(ua, "Windows NT 6.3")) ua = "Windows 8.1"; - //printf("==> %s\n", ua); + // printf("==> %s\n", ua); snprintf((char*)flow->detected_os, sizeof(flow->detected_os), "%s", ua); } static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - // int i = 0; - //struct ndpi_packet_struct *packet = &flow->packet; - - if((flow->l4.tcp.http_stage == 0) - || (flow->http.url && flow->http_detected)) { - /* - NOTE - If http_dont_dissect_response = 1 dissection of HTTP response - mime types won't happen + + if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { + /** + NOTE + If http_dont_dissect_response = 1 dissection of HTTP response + mime types won't happen */ ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name), 
@@ -179,24 +182,39 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc } } -/* - NOTE - - ndpi_parse_packet_line_info @ ndpi_main.c - is the code that parses the packet +/** + NOTE + ndpi_parse_packet_line_info is in ndpi_main.c */ static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { -#ifdef NDPI_CONTENT_MPEG + struct ndpi_packet_struct *packet = &flow->packet; + u_int8_t a; + + +#ifdef NDPI_PROTOCOL_PPSTREAM + /* PPStream */ + if(flow->l4.tcp.ppstream_stage > 0 && iqiyi_counter == 0) { + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "PPStream found.\n"); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM); + } + else if(iqiyi_counter > 0) { + NDPI_LOG(NDPI_SERVICE_IQIYI, ndpi_struct, NDPI_LOG_DEBUG, "iQiyi found.\n"); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_SERVICE_IQIYI); + } #endif -#ifdef NDPI_CONTENT_AVI -#endif - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int8_t a; + +#ifdef NDPI_SERVICE_1KXUN + /* 1KXUN */ + if( kxun_counter > 0) { + NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, "1kxun found.\n"); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_SERVICE_1KXUN); + } +#endif + if(!ndpi_struct->http_dont_dissect_response) { if((flow->http.url == NULL) && (packet->http_url_name.len > 0) @@ -250,7 +268,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) { - /* Format: + /** + Format: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) .... */ if(packet->user_agent_line.len > 7) { 
@@ -418,7 +437,7 @@ static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, } /** - * this functions checks whether the packet begins with a valid http request + * Functions to check whether the packet begins with a valid http request * @param ndpi_struct * @returnvalue 0 if no valid request has been found * @returnvalue >0 indicates start of filename but not necessarily in packet limit @@ -431,7 +450,10 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload_packet_len); - /* FIRST PAYLOAD PACKET FROM CLIENT */ + /** + FIRST PAYLOAD PACKET FROM CLIENT + **/ + /* check if the packet starts with POST or GET */ if(packet->payload_packet_len >= 4 && memcmp(packet->payload, "GET ", 4) == 0) { NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: GET FOUND\n"); 
@@ -790,6 +812,43 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } x++; } + + /* check PPStream protocol or iQiyi service + (iqiyi is deliverd by ppstream) */ + // substring in url + int no_pps = 0; + if(strstr((const char*) &packet->payload[filename_start], "iqiyi.com") != NULL) { + if(kxun_counter == 0) { + flow->l4.tcp.ppstream_stage++; + iqiyi_counter++; + check_content_type_and_change_protocol(ndpi_struct, flow); /* ***** CHECK ****** */ + return; + } + } + // additional field in http payload + x = 1; + while(packet->line[x].len != 0) { + if((memcmp(packet->line[x].ptr, "qyid", 4)) == 0 && + (memcmp(packet->line[x+1].ptr, "qypid", 5)) == 0 && + (memcmp(packet->line[x+2].ptr, "qyplatform", 10)) == 0) { + flow->l4.tcp.ppstream_stage++; + iqiyi_counter++; + check_content_type_and_change_protocol(ndpi_struct, flow); + return; + } + x++; + } + + /* Check for 1kxun packet */ + for (int a = 0; a < packet->parsed_lines; a++) { + if((memcmp(packet->line[a].ptr, "Client-Source:", 14)) == 0) { + if((memcmp(packet->line[a].ptr+15, "1kxun", 5)) == 0) { + kxun_counter++; + check_content_type_and_change_protocol(ndpi_struct, flow); + return; + } + } + } if((packet->http_url_name.len > 7) && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) { 
@@ -809,11 +868,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct "HTTP START Found, we will look for sub-protocols (content and host)...\n"); if(packet->host_line.ptr != NULL) { - /* - nDPI is pretty scrupoulous about HTTP so it waits until the - HTTP response is received just to check that it conforms - with the HTTP specs. However this might be a waste of time as - in 99.99% of the cases is like that. + /** + nDPI is pretty scrupoulous about HTTP so it waits until the + HTTP response is received just to check that it conforms + with the HTTP specs. However this might be a waste of time as + in 99.99% of the cases is like that. */ if(ndpi_struct->http_dont_dissect_response) { @@ -838,8 +897,9 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n", flow->l4.tcp.http_stage); - /* At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return, - * otherwise check the second packet for the http request . */ + /** + At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return, + otherwise check the second packet for the http request . */ if((flow->l4.tcp.http_stage - packet->packet_direction) == 1) { if(flow->http_detected) 
@@ -880,21 +940,20 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct return; } - /* This is a packet in another direction. Check if we find the proper response. */ - /* We have received a response for a previously identified partial HTTP request */ + /** + This is a packet in another direction. Check if we find the proper response. + We have received a response for a previously identified partial HTTP request + */ if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { - /* - In apache if you do "GET /\n\n" the response comes without any header so we can assume that - this can be the case - */ + /* In apache if you do "GET /\n\n" the response comes without any header */ NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Found HTTP. (apache)\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); check_content_type_and_change_protocol(ndpi_struct, flow); return; } - /* If we already detected the http request, we can add the connection and then check for the sub-protocol*/ + /* If we already detected the http request, we can add the connection and then check for the sub-protocol */ if(flow->http_detected) ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); @@ -1098,10 +1157,7 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int #endif NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_CONTENT_MMS); - /* #ifdef NDPI_PROTOCOL_RTSP */ - /* NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, */ - /* NDPI_PROTOCOL_RTSP); */ - /* #endif */ + NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX); NDPI_BITMASK_SET(ndpi_struct->generic_http_packet_bitmask, ndpi_struct->callback_buffer[a].detection_bitmask); 
diff --git a/src/lib/protocols/kxun.c b/src/lib/protocols/kxun.c
new file mode 100644
index 000000000..33939ed85
--- /dev/null
+++ b/src/lib/protocols/kxun.c
@@ -0,0 +1,98 @@ +/* + * kxun.c + * + * Copyright (C) 2016 - ntop.org + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ +#include "ndpi_protocols.h" + +#ifdef NDPI_SERVICE_1KXUN + + +static void ndpi_int_kxun_add_connection(struct ndpi_detection_module_struct + *ndpi_struct, struct ndpi_flow_struct *flow) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_1KXUN, NDPI_PROTOCOL_UNKNOWN); +} + + +void ndpi_search_kxun(struct ndpi_detection_module_struct + *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + + /* 1KXUN over TCP is detected inside HTTP dissector */ + + /* check 1KXUN over UDP */ + if(packet->udp != NULL) { + /* check ipv6 */ + if(packet->iphv6 != NULL) { + if(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == 0x2ff && + packet->payload_packet_len == 329) { + if(packet->payload[0] == 0xff && + packet->payload[1] == 0x0f && + packet->payload[4] == 0xa0 && + packet->payload[5] == 0x00) { + NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, + "found 1kxun over udp.\n"); + ndpi_int_kxun_add_connection(ndpi_struct, flow); + return; + } + } + } + else if(packet->iph != NULL) { + if(packet->iph->daddr == 0xffffffff) { + if(packet->payload_packet_len == 40 && + packet->payload[8] == 0x41 && + packet->payload[9] == 0x41 && + packet->payload[10] == 0x42) { + NDPI_LOG(NDPI_PROTOCOL_1KXUN, 
ndpi_struct, NDPI_LOG_DEBUG, + "found 1kxun over udp.\n"); + ndpi_int_kxun_add_connection(ndpi_struct, flow); + return; + } + if(packet->payload_packet_len == 317 && + packet->payload[0] == 0xff && + packet->payload[1] == 0xff && + packet->payload[4] == 0xa0 && + packet->payload[5] == 0x00) { + NDPI_LOG(NDPI_PROTOCOL_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, + "found 1kxun over udp.\n"); + ndpi_int_kxun_add_connection(ndpi_struct, flow); + return; + } + } + } + } + /* EXCLUDE 1KXUN */ + NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, "exclude 1kxun.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_1KXUN); +} + + +void init_kxun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("1kxun", ndpi_struct, detection_bitmask, *id, + NDPI_SERVICE_1KXUN, + ndpi_search_kxun, + NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c index f3323697b..04259def9 100644 --- a/src/lib/protocols/ppstream.c +++ b/src/lib/protocols/ppstream.c 
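Review bot: Both `NDPI_LOG` calls in the IPv4 branch of ndpi_search_kxun pass `NDPI_PROTOCOL_1KXUN`, but this commit defines only `NDPI_SERVICE_1KXUN` and the rest of the file uses that name. If NDPI_LOG expands its first argument in debug builds, those builds will not compile; use `NDPI_LOG(NDPI_SERVICE_1KXUN, ndpi_struct, NDPI_LOG_DEBUG,` in both places. Separately, `u6_addr32[0] == 0x2ff` compares a network-order field with a host-order constant, so the ff02:: multicast test appears to match only on little-endian hosts; `ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xff020000` would state the intent portably. A short comment saying where the 40-, 317- and 329-byte signatures come from would help whoever has to tune false positives later.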
@@ -24,72 +24,216 @@ #ifdef NDPI_PROTOCOL_PPSTREAM +#define PPS_PORT 17788 + + static void ndpi_int_ppstream_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_UNKNOWN); } + void ndpi_search_ppstream(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) + *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - - /* check TCP Connections -> Videodata */ - if (packet->tcp != NULL) { - if (packet->payload_packet_len >= 60 && get_u_int32_t(packet->payload, 52) == 0 - && memcmp(packet->payload, "PSProtocol\x0", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "found ppstream over tcp.\n"); - ndpi_int_ppstream_add_connection(ndpi_struct, flow); - return; - } - } + struct ndpi_packet_struct *packet = &flow->packet; - if (packet->udp != NULL) { - if (packet->payload_packet_len > 2 && packet->payload[2] == 0x43 - && ((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) - || (packet->payload_packet_len == get_l16(packet->payload, 0)) - || (packet->payload_packet_len >= 6 && packet->payload_packet_len - 6 == get_l16(packet->payload, 0)))) { - flow->l4.udp.ppstream_stage++; - if (flow->l4.udp.ppstream_stage == 5) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found ppstream over udp pattern len, 43.\n"); - ndpi_int_ppstream_add_connection(ndpi_struct, flow); - return; - } - return; - } + /** + PPS over TCP is detected inside HTTP dissector + */ + + /* check PPS over UDP */ + if(packet->udp != NULL) { + /*** on port 17788 ***/ + if(packet->payload_packet_len > 12 && ((ntohs(packet->udp->source) == PPS_PORT) || (ntohs(packet->udp->dest) == PPS_PORT))) { + if(((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) + || (packet->payload_packet_len == 
get_l16(packet->payload, 0)) + || (packet->payload_packet_len >= 6 && packet->payload_packet_len - 6 == get_l16(packet->payload, 0)))) { + /* check 43 and */ + if(packet->payload[2] == 0x43) { + if(packet->payload[5] == 0xff && + packet->payload[6] == 0x00 && + packet->payload[7] == 0x01 && + packet->payload[8] == 0x00 && + packet->payload[9] == 0x00 && + packet->payload[10] == 0x00 && + packet->payload[11] == 0x00 && + packet->payload[12] == 0x00 && + packet->payload[13] == 0x00 && + packet->payload[14] == 0x00) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + /* check 44 */ + else if(packet->payload[2] == 0x44) { + /** b1 71 **/ + if(packet->payload[3] == 0xb1 && packet->payload[4] == 0x71) { + if(packet->payload[13] == 0x00 && + packet->payload[14] == 0x00 && + packet->payload[15] == 0x01 && + packet->payload[16] == 0x00) { + /* 02 03 04 05 */ + if(packet->payload[17] == 0x02 || + packet->payload[17] == 0x03 || + packet->payload[17] == 0x04 || + packet->payload[17] == 0x05) { + if(packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00) { - if (flow->l4.udp.ppstream_stage == 0 - && packet->payload_packet_len > 4 && ((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) - || (packet->payload_packet_len == get_l16(packet->payload, 0)) - || (packet->payload_packet_len >= 6 - && packet->payload_packet_len - 6 == get_l16(packet->payload, - 0)))) { - - if (packet->payload[2] == 0x00 && packet->payload[3] == 0x00 && packet->payload[4] == 0x03) { - flow->l4.udp.ppstream_stage = 7; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "need next packet I.\n"); - return; - } + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, 
+ "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } } + /* ff */ + else if(packet->payload[17] == 0xff) { + if(packet->payload[18] == 0xff && + packet->payload[19] == 0xff && + packet->payload[20] == 0xff) { - if (flow->l4.udp.ppstream_stage == 7 - && packet->payload_packet_len > 4 && packet->payload[3] == 0x00 - && ((packet->payload_packet_len - 4 == get_l16(packet->payload, 0)) - || (packet->payload_packet_len == get_l16(packet->payload, 0)) - || (packet->payload_packet_len >= 6 && packet->payload_packet_len - 6 == get_l16(packet->payload, 0))) - && (packet->payload[2] == 0x00 && packet->payload[4] == 0x03)) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found ppstream over udp with pattern Vb.\n"); - ndpi_int_ppstream_add_connection(ndpi_struct, flow); - return; + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } } + } + } + /** 73 17 **/ + else if(packet->payload[3] == 0x73 && packet->payload[4] == 0x17) { + if(packet->payload[5] == 0x00 && + packet->payload[6] == 0x00 && + packet->payload[7] == 0x00 && + packet->payload[8] == 0x00 && + packet->payload[14] == 0x00 && + packet->payload[15] == 0x00 && + packet->payload[16] == 0x00 && + packet->payload[17] == 0x00 && + packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + /** 74 71 **/ + else if(packet->payload[3] == 0x74 && packet->payload[4] == 0x71 && packet->payload_packet_len == 113) { + /* check "PPStream" string in hex */ + if(packet->payload[94] == 0x50 && 
+ packet->payload[95] == 0x50 && + packet->payload[96] == 0x53 && + packet->payload[97] == 0x74 && + packet->payload[98] == 0x72 && + packet->payload[99] == 0x65 && + packet->payload[100] == 0x61 && + packet->payload[101] == 0x6d) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + } + /** check 55 (1) **/ + else if(packet->payload[2] == 0x55 && (packet->payload[13] == 0x1b && + packet->payload[14] == 0xa0 && + packet->payload[15] == 0x00 && + packet->payload[16] == 0x00 && + packet->payload[17] == 0x00 && + packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00 )) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + /** check 55 (2) **/ + else if(packet->payload[2] == 0x55 && packet->payload[1] == 0x00 && + (packet->payload[5] == 0x00 && + packet->payload[6] == 0x00 && + packet->payload[7] == 0x00 && + packet->payload[8] == 0x00 && + packet->payload[14] == 0x00 && + packet->payload[15] == 0x00 && + packet->payload[16] == 0x00 && + packet->payload[17] == 0x00 && + packet->payload[18] == 0x00 && + packet->payload[19] == 0x00 && + packet->payload[20] == 0x00 )) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } } + } + /* No port detection */ + if(packet->payload_packet_len > 17) { + /* 80 */ + if(packet->payload[1] == 0x80 || packet->payload[1] == 0x84 ) { + if(packet->payload[3] == packet->payload[4]) { - 
NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "exclude ppstream.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPSTREAM); + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over UDP.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + /* 53 */ + else if(packet->payload[1] == 0x53 && packet->payload[3] == 0x00 && + (packet->payload[0] == 0x08 || packet->payload[0] == 0x0c)) { + + /* increase count pkt ppstream over udp */ + flow->l4.udp.ppstream_stage++; + + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, + "found PPStream over udp.\n"); + ndpi_int_ppstream_add_connection(ndpi_struct, flow); + return; + } + } + } + /* EXCLUDE PPS */ + NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "exclude PPStream.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPSTREAM); + } } @@ -101,7 +245,7 @@ void init_ppstream_dissector(struct ndpi_detection_module_struct *ndpi_struct, u NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - + *id += 1; } |
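Review bot: The port-17788 branch of ndpi_search_ppstream is guarded only by `payload_packet_len > 12`, yet the 0x43 test reads `payload[13]` and `payload[14]` and the 0x44/0x55 tests read up to `payload[20]`, so a 13-byte UDP datagram on that port causes reads past the end of the payload. Raise the guard to cover the highest index used, e.g. `if(packet->payload_packet_len > 20 && ((ntohs(packet->udp->source) == PPS_PORT) || (ntohs(packet->udp->dest) == PPS_PORT))) {`, or check the length inside each branch (the 0x74 0x71 case already requires length 113). As the braces stand, `else if(packet->payload[2] == 0x44)` and both 0x55 branches appear to hang off the inner `if` inside the `payload[2] == 0x43` block, which would make them unreachable; a closing `}` before `/* check 44 */` looks intended. The "No port detection" test (`payload[1]` equal to 0x80 or 0x84 with `payload[3] == payload[4]`) is a very loose signature and is likely to mislabel unrelated UDP traffic.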