diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2022-12-03 12:07:32 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-12-03 12:07:32 +0100 |
| commit | 81e1ea545ca465cda064e7cc80333fe7f0ef2aff (patch) | |
| tree | d4aeb94cda0891d50f5502a289e0116b1cbeab8a /src | |
| parent | a387072872c93a7ebef637dec7745b2941bc5743 (diff) | |
Make LRU caches ipv6 aware (#1810)
Simplest solution, keeping the existing cache data structure
TLS certificate cache is used for DTLS traffic, too.
Note that Ookla cache already works with ipv6 flows.
TODO:
* make the key/hashing more robust (extending the key size?)
* update bittorrent cache too. That task is quite difficult because
ntopng uses a public function (`ndpi_guess_undetected_protocol()`)
intrinsically ipv4 only...
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/ndpi_main.c | 80 | ||||
| -rw-r--r-- | src/lib/protocols/hangout.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/mining.c | 34 | ||||
| -rw-r--r-- | src/lib/protocols/stun.c | 19 | ||||
| -rw-r--r-- | src/lib/protocols/tls.c | 49 |
5 files changed, 131 insertions, 53 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 2fdc02b4b..e4fe28890 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -175,6 +175,7 @@ static ndpi_risk_info ndpi_known_risks[] = { extern void ndpi_unset_risk(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_risk_enum r); +extern u_int32_t make_mining_key(struct ndpi_flow_struct *flow); /* Forward */ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_str, @@ -5693,6 +5694,19 @@ u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct *ndpi_ /* ********************************************************************************* */ +static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow) { + u_int32_t key; + + if(flow->is_ipv6) + key = ndpi_quick_hash(flow->c_address.v6, 16); + else + key = ntohl(flow->c_address.v4); + + return key; +} + +/* ********************************************************************************* */ + static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, ndpi_protocol *ret) { @@ -5715,12 +5729,12 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s (MS Teams uses Skype as transport protocol for voice/video) */ case NDPI_PROTOCOL_MSTEAMS: - if(flow->is_ipv6 == 0 && flow->l4_proto == IPPROTO_TCP) { + if(flow->l4_proto == IPPROTO_TCP) { // printf("====>> NDPI_PROTOCOL_MSTEAMS\n"); if(ndpi_str->msteams_cache) ndpi_lru_add_to_cache(ndpi_str->msteams_cache, - ntohl(flow->c_address.v4), + make_msteams_key(flow), (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */); } break; @@ -5740,12 +5754,11 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s case NDPI_PROTOCOL_SKYPE_TEAMS: case NDPI_PROTOCOL_SKYPE_TEAMS_CALL: - if(flow->is_ipv6 == 0 - && flow->l4_proto == IPPROTO_UDP + if(flow->l4_proto == IPPROTO_UDP && ndpi_str->msteams_cache) { u_int16_t when; - if(ndpi_lru_find_cache(ndpi_str->msteams_cache, ntohl(flow->c_address.v4), + if(ndpi_lru_find_cache(ndpi_str->msteams_cache, make_msteams_key(flow), &when, 0 /* Don't remove it as it can be used for other connections */)) { u_int16_t tdiff = ((flow->last_packet_time_ms /1000) & 0xFFFF) - when; @@ -5755,7 +5768,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s /* Refresh cache */ ndpi_lru_add_to_cache(ndpi_str->msteams_cache, - ntohl(flow->c_address.v4), + make_msteams_key(flow), (flow->last_packet_time_ms / 1000) & 0xFFFF /* 16 bit */); } } @@ -5845,21 +5858,40 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_ /* #define ZOOM_CACHE_DEBUG */ -static u_int8_t ndpi_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t daddr /* Network byte order */) { -#ifdef ZOOM_CACHE_DEBUG - printf("[%s:%u] ndpi_search_into_zoom_cache(%08X, %u)\n", - __FILE__, __LINE__, daddr, dport); -#endif +static u_int32_t make_zoom_key(struct ndpi_flow_struct *flow, int server) { + u_int32_t key; + + if(server) { + if(flow->is_ipv6) + key = ndpi_quick_hash(flow->s_address.v6, 16); + else + key = flow->s_address.v4; + } else { + if(flow->is_ipv6) + key = ndpi_quick_hash(flow->c_address.v6, 16); + else + key = flow->c_address.v4; + } + + return key; +} + +/* ********************************************************************************* */ + +static u_int8_t ndpi_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, int server) { if(ndpi_struct->zoom_cache) { u_int16_t cached_proto; - u_int8_t found = ndpi_lru_find_cache(ndpi_struct->zoom_cache, daddr, &cached_proto, + u_int32_t key; + + key = make_zoom_key(flow, server); + u_int8_t found = ndpi_lru_find_cache(ndpi_struct->zoom_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */); #ifdef ZOOM_CACHE_DEBUG - printf("[Zoom] *** [TCP] SEARCHING host %u [found: %u]\n", daddr, found); + printf("[Zoom] *** [TCP] SEARCHING key %u [found: %u]\n", key, found); #endif return(found); @@ -5871,9 +5903,9 @@ static u_int8_t ndpi_search_into_zoom_cache(struct ndpi_detection_module_struct /* ********************************************************************************* */ static void ndpi_add_connection_as_zoom(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t daddr /* Network byte order */) { + struct ndpi_flow_struct *flow) { if(ndpi_struct->zoom_cache) - ndpi_lru_add_to_cache(ndpi_struct->zoom_cache, daddr, NDPI_PROTOCOL_ZOOM); + ndpi_lru_add_to_cache(ndpi_struct->zoom_cache, make_zoom_key(flow, 1), NDPI_PROTOCOL_ZOOM); } /* ********************************************************************************* */ @@ -5901,10 +5933,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* TODO: this lookup seems in the wrong place here... Move it somewhere else (?) or setting flow->guessed_protocol_id directly in the mining dissector? */ - if(ndpi_str->mining_cache && flow->is_ipv6 == 0) { + if(ndpi_str->mining_cache) { u_int16_t cached_proto; - if(ndpi_lru_find_cache(ndpi_str->mining_cache, flow->c_address.v4 + flow->s_address.v4, + if(ndpi_lru_find_cache(ndpi_str->mining_cache, make_mining_key(flow), &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; @@ -5982,10 +6014,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* This looks like BitTorrent */ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); ret.app_protocol = NDPI_PROTOCOL_BITTORRENT; - } else if((flow->l4_proto == IPPROTO_UDP) /* Zoom/UDP used for video */ - && (((ntohs(flow->c_port) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->c_address.v4)) - || ((ntohs(flow->s_port) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->s_address.v4)) - )) { + } else if((flow->l4_proto == IPPROTO_UDP) && /* Zoom/UDP used for video */ + ((ntohs(flow->s_port) == 8801 && ndpi_search_into_zoom_cache(ndpi_str, flow, 1)) || + (ntohs(flow->c_port) == 8801 && ndpi_search_into_zoom_cache(ndpi_str, flow, 0)))) { /* This looks like Zoom */ ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); ret.app_protocol = NDPI_PROTOCOL_ZOOM; @@ -6642,9 +6673,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct /* Zoom cache */ if((ret.app_protocol == NDPI_PROTOCOL_ZOOM) - && (flow->l4_proto == IPPROTO_TCP) - && (ndpi_str->packet.iph != NULL)) - ndpi_add_connection_as_zoom(ndpi_str, ndpi_str->packet.iph->daddr); + && (flow->l4_proto == IPPROTO_TCP)) + ndpi_add_connection_as_zoom(ndpi_str, flow); return(ret); } diff --git a/src/lib/protocols/hangout.c b/src/lib/protocols/hangout.c index ebc978420..867e0544f 100644 --- a/src/lib/protocols/hangout.c +++ b/src/lib/protocols/hangout.c @@ -73,7 +73,7 @@ void ndpi_search_hangout(struct ndpi_detection_module_struct *ndpi_struct, /* Hangout is over STUN hence the LRU cache is shared */ - if(ndpi_struct->stun_cache && packet->iph) { + if(ndpi_struct->stun_cache) { u_int32_t key = get_stun_lru_key(flow, !matched_src); #ifdef DEBUG_LRU diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c index 6d6e48f02..1f6fecd7b 100644 --- a/src/lib/protocols/mining.c +++ b/src/lib/protocols/mining.c @@ -24,12 +24,27 @@ #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MINING #include "ndpi_api.h" + +/* ************************************************************************** */ + +u_int32_t make_mining_key(struct ndpi_flow_struct *flow) { + u_int32_t key; + + /* network byte order */ + if(flow->is_ipv6) + key = ndpi_quick_hash(flow->c_address.v6, 16) + ndpi_quick_hash(flow->s_address.v6, 16); + else + key = flow->c_address.v4 + flow->s_address.v4; + + return key; +} + /* ************************************************************************** */ static void cacheMiningHostTwins(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t host_keys /* network byte order */) { + struct ndpi_flow_struct *flow) { if(ndpi_struct->mining_cache) - ndpi_lru_add_to_cache(ndpi_struct->mining_cache, host_keys, NDPI_PROTOCOL_MINING); + ndpi_lru_add_to_cache(ndpi_struct->mining_cache, make_mining_key(flow), NDPI_PROTOCOL_MINING); } /* ************************************************************************** */ @@ -59,8 +74,7 @@ static void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_str else { ndpi_snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - if(packet->iph) /* TODO: ipv6 */ - cacheMiningHostTwins(ndpi_struct, packet->iph->saddr + packet->iph->daddr); + cacheMiningHostTwins(ndpi_struct, flow); return; } } @@ -96,8 +110,7 @@ static void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_str if((*to_match == magic) || (*to_match == magic1)) { ndpi_snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - if(packet->iph) /* TODO: ipv6 */ - cacheMiningHostTwins(ndpi_struct, packet->iph->saddr + packet->iph->daddr); + cacheMiningHostTwins(ndpi_struct, flow); return; } } @@ -108,8 +121,7 @@ static void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_str if(isEthPort(ntohs(packet->tcp->dest)) /* Ethereum port */) { ndpi_snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - if(packet->iph) /* TODO: ipv6 */ - cacheMiningHostTwins(ndpi_struct, packet->iph->saddr + packet->iph->daddr); + cacheMiningHostTwins(ndpi_struct, flow); return; } } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) @@ -127,8 +139,7 @@ static void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_str */ ndpi_snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - if(packet->iph) /* TODO: ipv6 */ - cacheMiningHostTwins(ndpi_struct, packet->iph->saddr + packet->iph->daddr); + cacheMiningHostTwins(ndpi_struct, flow); return; } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len) @@ -151,8 +162,7 @@ static void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_str */ ndpi_snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ZCash/Monero"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - if(packet->iph) /* TODO: ipv6 */ - cacheMiningHostTwins(ndpi_struct, packet->iph->saddr + packet->iph->daddr); + cacheMiningHostTwins(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index d60270ecc..a06612b28 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -37,10 +37,17 @@ /* ************************************************************ */ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { - if(rev) - return(ntohl(flow->s_address.v4) + ntohs(flow->s_port)); - else - return(ntohl(flow->c_address.v4) + ntohs(flow->c_port)); + if(rev) { + if(flow->is_ipv6) + return ndpi_quick_hash(flow->s_address.v6, 16) + ntohs(flow->s_port); + else + return ntohl(flow->s_address.v4) + ntohs(flow->s_port); + } else { + if(flow->is_ipv6) + return ndpi_quick_hash(flow->c_address.v6, 16) + ntohs(flow->c_port); + else + return ntohl(flow->c_address.v4) + ntohs(flow->c_port); + } } /* ************************************************************ */ @@ -48,7 +55,6 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int app_proto) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; ndpi_confidence_t confidence = NDPI_CONFIDENCE_DPI; if(app_proto == NDPI_PROTOCOL_UNKNOWN) { @@ -59,7 +65,6 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd } if(ndpi_struct->stun_cache - && packet->iph && (app_proto != NDPI_PROTOCOL_UNKNOWN) ) /* Cache flow sender info */ { u_int32_t key = get_stun_lru_key(flow, 0); @@ -182,7 +187,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * return(NDPI_IS_NOT_STUN); } - if(ndpi_struct->stun_cache && packet->iph) { /* TODO: ipv6 */ + if(ndpi_struct->stun_cache) { u_int16_t proto; u_int32_t key = get_stun_lru_key(flow, 0); int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 3e8b50c4e..e8ce0ea97 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -290,6 +290,42 @@ static int extractRDNSequence(struct ndpi_packet_struct *packet, /* **************************************** */ +static u_int32_t make_tls_cert_key(struct ndpi_packet_struct *packet, int is_from_client) +{ + u_int32_t key; + + /* Server ip/port */ + if(packet->iphv6 == NULL) { + if(packet->tcp) { + if(is_from_client) + key = packet->iph->daddr + packet->tcp->dest; + else + key = packet->iph->saddr + packet->tcp->source; + } else { + if(is_from_client) + key = packet->iph->daddr + packet->udp->dest; + else + key = packet->iph->saddr + packet->udp->source; + } + } else { + if(packet->tcp) { + if(is_from_client) + key = ndpi_quick_hash((unsigned char *)&packet->iphv6->ip6_dst, 16) + packet->tcp->dest; + else + key = ndpi_quick_hash((unsigned char *)&packet->iphv6->ip6_src, 16) + packet->tcp->source; + } else { + if(is_from_client) + key = ndpi_quick_hash((unsigned char *)&packet->iphv6->ip6_dst, 16) + packet->udp->dest; + else + key = ndpi_quick_hash((unsigned char *)&packet->iphv6->ip6_src, 16) + packet->udp->source; + } + } + + return key; +} + +/* **************************************** */ + static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, int is_from_client) { @@ -298,14 +334,11 @@ static void checkTLSSubprotocol(struct ndpi_detection_module_struct *ndpi_struct if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { /* Subprotocol not yet set */ - if(ndpi_struct->tls_cert_cache && packet->iph && packet->tcp) { - u_int32_t key; /* Server ip/port */ + if(ndpi_struct->tls_cert_cache) { u_int16_t cached_proto; + u_int32_t key; - if(is_from_client) - key = packet->iph->daddr + packet->tcp->dest; - else - key = packet->iph->saddr + packet->tcp->source; + key = make_tls_cert_key(packet, is_from_client); if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)) { @@ -695,8 +728,8 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi flow->category = ndpi_get_proto_category(ndpi_struct, ret); ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id); - if(ndpi_struct->tls_cert_cache && packet->iph && packet->tcp) { - u_int32_t key = packet->iph->saddr + packet->tcp->source; /* Server */ + if(ndpi_struct->tls_cert_cache) { + u_int32_t key = make_tls_cert_key(packet, 0 /* from the server */); ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id); } |