Rework the old MapleStory code to identify traffic from generic Nexon games (#2773)

Remove `NDPI_PROTOCOL_MAPLESTORY` and add a generic
`NDPI_PROTOCOL_NEXON`

6 files changed, 87 insertions, 102 deletions

diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index adce06815..8b8106112 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -789,7 +789,7 @@ void init_lotus_notes_dissector(struct ndpi_detection_module_struct *ndpi_struct
 void init_mail_imap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_mail_pop_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_mail_smtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
-void init_maplestory_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
+void init_nexon_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_megaco_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_mgcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_mining_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 54fb38ffb..3b18e9ab6 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -141,7 +141,7 @@ typedef enum {
   NDPI_PROTOCOL_AMAZON_ALEXA          = 110,
   NDPI_PROTOCOL_KERBEROS              = 111,
   NDPI_PROTOCOL_LDAP                  = 112,
-  NDPI_PROTOCOL_MAPLESTORY            = 113,
+  NDPI_PROTOCOL_NEXON                 = 113,
   NDPI_PROTOCOL_MSSQL_TDS             = 114,
   NDPI_PROTOCOL_PPTP                  = 115,
   NDPI_PROTOCOL_WARCRAFT3             = 116,
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 023023c97..de9250668 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -1349,6 +1349,11 @@ static ndpi_protocol_match host_match[] =
    { "epicgames.net",                    "EpicGames", NDPI_PROTOCOL_EPICGAMES, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
    { "epicgames.dev",                    "EpicGames", NDPI_PROTOCOL_EPICGAMES, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
 
+   { "nexon.com",                        "Nexon", NDPI_PROTOCOL_NEXON, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
+   { "nexoncdn.co.kr",                   "Nexon", NDPI_PROTOCOL_NEXON, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
+   { "nxm-maplemgl-staticweb.s3.amazonaws.com", "Nexon", NDPI_PROTOCOL_NEXON, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
+   { "nexon.io",                         "Nexon", NDPI_PROTOCOL_NEXON, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
+
    { "ea.com",                           "ElectronicArts", NDPI_PROTOCOL_ELECTRONICARTS, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
    { "origin-a.akamaihd.net",            "ElectronicArts", NDPI_PROTOCOL_ELECTRONICARTS, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DEFAULT_LEVEL},
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d34451561..11e40c47d 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1147,7 +1147,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			      NDPI_PROTOCOL_WEBSOCKET,
 			      NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP,
 			      NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_GNUTELLA,
-			      NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT,
+			      NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_WORLDOFWARCRAFT,
 			      NDPI_PROTOCOL_IRC,
 			      NDPI_PROTOCOL_IPP,
 			      NDPI_PROTOCOL_MPEGDASH,
@@ -1542,8 +1542,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  "LDAP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED,
 			  ndpi_build_default_ports(ports_a, 389, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 389, 0, 0, 0, 0) /* UDP */);
-  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_MAPLESTORY,
-			  "MapleStory", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING,
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_NEXON,
+			  "Nexon", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MSSQL_TDS,
@@ -5815,8 +5815,8 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* cpha */
   init_cpha_dissector(ndpi_str, &a);
 
-  /* MAPLESTORY */
-  init_maplestory_dissector(ndpi_str, &a);
+  /* NEXON */
+  init_nexon_dissector(ndpi_str, &a);
 
   /* DOFUS */
   init_dofus_dissector(ndpi_str, &a);
diff --git a/src/lib/protocols/maplestory.c b/src/lib/protocols/maplestory.c
deleted file mode 100644
index 20ecc3dbe..000000000
--- a/src/lib/protocols/maplestory.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * maplestory.c
- *
- * Copyright (C) 2009-11 - ipoque GmbH
- * Copyright (C) 2011-25 - ntop.org
- *
- * This file is part of nDPI, an open source deep packet inspection
- * library based on the OpenDPI and PACE technology by ipoque GmbH
- *
- * nDPI is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * nDPI is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
- * 
- */
-
-#include "ndpi_protocol_ids.h"
-
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAPLESTORY
-
-#include "ndpi_api.h"
-#include "ndpi_private.h"
-
-static void ndpi_int_maplestory_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
-}
-
-
-static void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-	
-  NDPI_LOG_DBG(ndpi_struct, "search maplestory\n");
-
-  if (packet->payload_packet_len == 16
-      && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003b00
-	  || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e004200)
-      && ntohs(get_u_int16_t(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) {
-    NDPI_LOG_INFO(ndpi_struct, "found maplestory\n");
-    ndpi_int_maplestory_add_connection(ndpi_struct, flow);
-    return;
-  }
-
-  if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /maple")
-      && memcmp(packet->payload, "GET /maple", NDPI_STATICSTRING_LEN("GET /maple")) == 0) {
-    ndpi_parse_packet_line_info(ndpi_struct, flow);
-    /* Maplestory update */
-    if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /maple/patch")
-	&& packet->payload[NDPI_STATICSTRING_LEN("GET /maple")] == '/') {
-      if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
-	  && packet->user_agent_line.len == NDPI_STATICSTRING_LEN("Patcher")
-	  && packet->host_line.len > NDPI_STATICSTRING_LEN("patch.")
-	  && memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple/")], "patch",
-		    NDPI_STATICSTRING_LEN("patch")) == 0
-	  && memcmp(packet->user_agent_line.ptr, "Patcher", NDPI_STATICSTRING_LEN("Patcher")) == 0
-	  && memcmp(packet->host_line.ptr, "patch.", NDPI_STATICSTRING_LEN("patch.")) == 0) {
-	NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n");
-	ndpi_int_maplestory_add_connection(ndpi_struct, flow);
-	return;
-      }
-    } else if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len == NDPI_STATICSTRING_LEN("AspINet")
-	       && memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple")], "story/",
-			 NDPI_STATICSTRING_LEN("story/")) == 0
-	       && memcmp(packet->user_agent_line.ptr, "AspINet", NDPI_STATICSTRING_LEN("AspINet")) == 0) {
-      NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n");
-      ndpi_int_maplestory_add_connection(ndpi_struct, flow);
-      return;
-    }
-  }
-
-  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-
-}
-
-
-void init_maplestory_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
-{
-  ndpi_set_bitmask_protocol_detection("MapleStory", ndpi_struct, *id,
-				      NDPI_PROTOCOL_MAPLESTORY,
-				      ndpi_search_maplestory,
-				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
-				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
-				      ADD_TO_DETECTION_BITMASK);
-
-  *id += 1;
-}
diff --git a/src/lib/protocols/nexon.c b/src/lib/protocols/nexon.c
new file mode 100644
index 000000000..df5f29be4
--- /dev/null
+++ b/src/lib/protocols/nexon.c
@@ -0,0 +1,75 @@
+/*
+ * nexon.c
+ *
+ * Copyright (C) 2009-11 - ipoque GmbH
+ * Copyright (C) 2011-25 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NEXON
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+static void ndpi_int_nexon_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NEXON, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+}
+
+
+static void ndpi_search_nexon(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+	
+  NDPI_LOG_DBG(ndpi_struct, "search nexon\n");
+
+  if(packet->payload_packet_len == 24 &&
+     ntohl(get_u_int32_t(packet->payload, 0)) == 0x18000000 &&
+     ntohl(get_u_int32_t(packet->payload, 4)) == 0x64000000) {
+    NDPI_LOG_INFO(ndpi_struct, "found nexon\n");
+    ndpi_int_nexon_add_connection(ndpi_struct, flow);
+    return;
+  }
+  if(packet->payload_packet_len == 20 &&
+     ntohl(get_u_int32_t(packet->payload, 4)) == 0x163A992E) {
+    NDPI_LOG_INFO(ndpi_struct, "found nexon\n");
+    ndpi_int_nexon_add_connection(ndpi_struct, flow);
+    return;
+  }
+
+  /* TODO: detect UDP traffic */
+
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+}
+
+
+void init_nexon_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
+{
+  ndpi_set_bitmask_protocol_detection("Nexon", ndpi_struct, *id,
+				      NDPI_PROTOCOL_NEXON,
+				      ndpi_search_nexon,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+				      ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}