author | Luca <deri@ntop.org> | 2019-10-29 19:12:42 +0100 |
---|---|---|
committer | Luca <deri@ntop.org> | 2019-10-29 19:12:42 +0100 |
commit | 0e54f87b181c163d18860a2cfcd30bbfeeaa1f6b (patch) | |
tree | f0a9dc5372f839d89c9740abcf14fe7c374d8c69 /src | |
parent | d2f04f5bdfe986082ca5e5f479a99e4c24a5a898 (diff) |
Added telnet dissector
Improved data report
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 6 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/telnet.c | 107 |
3 files changed, 91 insertions, 30 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 88d9d9ae4..1795ed5f1 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1218,6 +1218,12 @@ struct ndpi_flow_struct { } imo; struct { + u_int8_t username_detected:1, username_found:1, skip_next:1, _pad:5; + u_int8_t character_id; + char username[32]; + } telnet; + + struct { char answer[96]; } mdns; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c483e0f20..b28c2c331 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -6460,6 +6460,11 @@ u_int8_t ndpi_extra_dissection_possible(struct ndpi_detection_module_struct *ndp || (flow->protos.ssh.hassh_server[0] == '\0')) return(1); break; + + case NDPI_PROTOCOL_TELNET: + if(!flow->protos.telnet.username_detected) + return(1); + break; } return(0); @@ -6492,8 +6497,7 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { /* ******************************************************************** */ ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t ndpi_proto_id) { - + u_int16_t ndpi_proto_id) { if(ndpi_proto_id < ndpi_struct->ndpi_num_supported_protocols) { u_int16_t idx = ndpi_struct->proto_defaults[ndpi_proto_id].protoIdx; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE bm = ndpi_struct->callback_buffer[idx].ndpi_selection_bitmask; diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index e293fc960..59b1e4978 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ 
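Review bot: The new `telnet` member added to `struct ndpi_flow_struct` in ndpi_typedefs.h carries no comments, although the dissector in telnet.c depends on invariants that are written down nowhere. On `character_id` I would add `/* next write index into username; must stay < sizeof(username) */`, and on the flags `/* username_found: login prompt seen; username_detected: username complete; skip_next: drop the next byte */`. On `username` a comment such as `/* raw bytes from the wire; NUL-terminated only once username_detected is set */` would tell consumers not to read it as a string earlier, since the terminator is written only on the `'\r'` path in telnet.c. The struct definition starts and ends outside this hunk.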
@@ -29,14 +29,66 @@ #include "ndpi_api.h" +/* ************************************************************************ */ + +static int search_telnet_again(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + // printf("==> %s()\n", __FUNCTION__); + + if(packet->payload[0] == 0xFF) + return(1); + + if(packet->payload_packet_len > 0) { + int i; + + if((!flow->protos.telnet.username_found) + && (packet->payload_packet_len > 6)) { + + if(strncasecmp((char*)packet->payload, "login:", 6) == 0) { + flow->protos.telnet.username_found = 1; + } + + return(1); + } + + if(packet->payload[0] == '\r') { + flow->protos.telnet.username_detected = 1; + flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0'; + return(0); + } + + for(i=0; i<packet->payload_packet_len; i++) { + if(!flow->protos.telnet.skip_next) { + if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.username)-1)) + flow->protos.telnet.username[flow->protos.telnet.character_id++] = packet->payload[i]; + flow->protos.telnet.skip_next = 1; + } else + flow->protos.telnet.skip_next = 0; + } + } + + /* Possibly more processing */ + return(1); +} + +/* ************************************************************************ */ static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ + *ndpi_struct, struct ndpi_flow_struct *flow) { + flow->guessed_host_protocol_id = flow->guessed_protocol_id = NDPI_PROTOCOL_TELNET; + + /* This is necessary to inform the core to call this dissector again */ + flow->check_extra_packets = 1; + flow->max_extra_packets_to_check = 32; + flow->extra_packets_func = search_telnet_again; + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN); } - +/* ************************************************************************ */ + #if !defined(WIN32) static inline #elif 
defined(MINGW_GCC) 
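Review bot: In `search_telnet_again` the first test, `if(packet->payload[0] == 0xFF)`, dereferences the payload before the `payload_packet_len > 0` check that follows it. If the core ever hands this extra-packets callback a zero-length segment (not visible here), that reads a byte outside the payload, so put `if(packet->payload_packet_len == 0) return(1);` ahead of the 0xFF test. Separately, the `username_found` gate is combined with `payload_packet_len > 6`, so before any `login:` prompt has been seen a packet of six bytes or fewer falls through to the `'\r'` check and the copy loop and is recorded as username data. Testing `if(!flow->protos.telnet.username_found)` on its own, with the `login:` comparison and the `return(1)` inside it, would keep collection from starting early. The copied bytes are stored without any printable-character filter, so code that logs or exports `username` should treat it as untrusted input.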
@@ -44,62 +96,62 @@ __mingw_forceinline static #else __forceinline static #endif -u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int16_t a; - if (packet->payload_packet_len < 3) { - return 0; - } + if(packet->payload_packet_len < 3) + return(0); - if (!(packet->payload[0] == 0xff - && packet->payload[1] > 0xf9 && packet->payload[1] != 0xff && packet->payload[2] < 0x28)) { - return 0; - } + if(!((packet->payload[0] == 0xff) + && (packet->payload[1] > 0xf9) + && (packet->payload[1] != 0xff) + && (packet->payload[2] < 0x28))) + return(0); a = 3; while (a < packet->payload_packet_len - 2) { // commands start with a 0xff byte followed by a command byte >= 0xf0 and < 0xff // command bytes 0xfb to 0xfe are followed by an option byte <= 0x28 - if (!(packet->payload[a] != 0xff || + if(!(packet->payload[a] != 0xff || (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xf0) && (packet->payload[a + 1] <= 0xfa)) || (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xfb) && (packet->payload[a + 1] != 0xff) - && (packet->payload[a + 2] <= 0x28)))) { - return 0; - } + && (packet->payload[a + 2] <= 0x28)))) + return(0); + a++; } return 1; } -/* this detection also works asymmetrically */ -void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ +/* ************************************************************************ */ +/* this detection also works asymmetrically */ +void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { NDPI_LOG_DBG(ndpi_struct, "search telnet\n"); - if (search_iac(ndpi_struct, flow) == 1) { - - if (flow->l4.tcp.telnet_stage == 2) { + if(search_iac(ndpi_struct, flow) == 1) { + if(flow->l4.tcp.telnet_stage == 2) { 
NDPI_LOG_INFO(ndpi_struct, "found telnet\n"); ndpi_int_telnet_add_connection(ndpi_struct, flow); return; } + flow->l4.tcp.telnet_stage++; NDPI_LOG_DBG2(ndpi_struct, "telnet stage %u\n", flow->l4.tcp.telnet_stage); return; } - if ((flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0) || flow->packet_counter < 6) { + if(((flow->packet_counter < 12) && (flow->l4.tcp.telnet_stage > 0)) || (flow->packet_counter < 6)) return; - } else { + else NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } + return; } @@ -112,6 +164,5 @@ void init_telnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); - *id += 1; } |