aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDaniele De Lorenzi <daniele.delorenzi@fastnetserv.net>2019-04-02 15:49:54 +0200
committerGitHub <noreply@github.com>2019-04-02 15:49:54 +0200
commite27022b69886a327205dcdd166d7ccef1d02bcd9 (patch)
tree8e7e1aa15bdff1f152befbe4c6c205e47dcd26e6 /src
parentc51405e99bae3217545fa34386987b839a8c68a6 (diff)
parent153c77c2cd28d52d6b459263dea3ce988ceccd3c (diff)
Merge pull request #11 from ntop/dev
Add all dev branch modifications
Diffstat (limited to 'src')
-rw-r--r--src/include/Makefile.am2
-rw-r--r--src/include/ndpi_api.h26
-rw-r--r--src/include/ndpi_define.h.in22
-rw-r--r--src/include/ndpi_protocol_ids.h8
-rw-r--r--src/include/ndpi_protocols.h1
-rw-r--r--src/include/ndpi_typedefs.h458
-rw-r--r--src/lib/Makefile.in6
-rw-r--r--src/lib/ndpi_content_match.c.inc165
-rw-r--r--src/lib/ndpi_main.c709
-rw-r--r--src/lib/protocols/apple_push.c30
-rw-r--r--src/lib/protocols/coap.c2
-rw-r--r--src/lib/protocols/dns.c115
-rw-r--r--src/lib/protocols/ftp_data.c50
-rw-r--r--src/lib/protocols/h323.c3
-rw-r--r--src/lib/protocols/http.c551
-rw-r--r--src/lib/protocols/mdns_proto.c31
-rw-r--r--src/lib/protocols/mining.c18
-rw-r--r--src/lib/protocols/modbus.c72
-rw-r--r--src/lib/protocols/ookla.c15
-rw-r--r--src/lib/protocols/quic.c8
-rw-r--r--src/lib/protocols/radius.c5
-rw-r--r--src/lib/protocols/ssl.c162
-rw-r--r--src/lib/protocols/whatsapp.c34
-rw-r--r--src/lib/third_party/include/lruc.h55
-rw-r--r--src/lib/third_party/src/lruc.c294
25 files changed, 1316 insertions, 1526 deletions
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 6eeca93b4..47fcbd224 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -1,4 +1,4 @@
-library_includedir=$(includedir)/libndpi-@VERSION@/libndpi
+plibrary_includedir=$(includedir)/libndpi-@VERSION@/libndpi
library_include_HEADERS = ndpi_api.h \
ndpi_define.h \
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index e57f3a568..84633c3ae 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1,7 +1,7 @@
/*
* ndpi_api.h
*
- * Copyright (C) 2011-17 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -206,7 +206,18 @@ extern "C" {
*/
void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct,
const NDPI_PROTOCOL_BITMASK * detection_bitmask);
-
+
+ /**
+ * Function to be called to see in case of unknown match to see if there is
+ * a partial match that has been prevented by the current nDPI preferences configuration
+ *
+ * @par ndpi_struct = the detection module
+ * @par flow = the flow given for the detection module
+ * @return the detected protocol even if the flow is not completed;
+ *
+ */
+ ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow);
/**
* Function to be called before we give up with detection for a given flow.
* This function reduces the NDPI_UNKNOWN_PROTOCOL detection
@@ -740,8 +751,11 @@ extern "C" {
char *name, ndpi_protocol_category_t category);
int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_struct);
int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_iphdr *iph,
+ u_int32_t saddr,
+ u_int32_t daddr,
ndpi_protocol *ret);
+ int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
+ char *name, unsigned long *id);
void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol *ret);
@@ -756,6 +770,12 @@ extern "C" {
u_int ndpi_get_ndpi_num_custom_protocols(struct ndpi_detection_module_struct *ndpi_mod);
u_int ndpi_get_ndpi_detection_module_size();
void ndpi_set_log_level(struct ndpi_detection_module_struct *ndpi_mod, u_int l);
+
+ /* LRU cache */
+ struct ndpi_lru_cache* ndpi_lru_cache_init(u_int32_t num_entries);
+ void ndpi_lru_free_cache(struct ndpi_lru_cache *c);
+ u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int8_t clean_key_when_found);
+ void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key);
/**
* Add a string to match to an automata
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index a73e03bc5..dc5fea74a 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -338,4 +338,26 @@
#define NDPI_MINOR @NDPI_MINOR@
#define NDPI_PATCH @NDPI_PATCH@
+
+#ifdef __APPLE__
+
+#include <libkern/OSByteOrder.h>
+
+#define htobe16(x) OSSwapHostToBigInt16(x)
+#define htole16(x) OSSwapHostToLittleInt16(x)
+#define be16toh(x) OSSwapBigToHostInt16(x)
+#define le16toh(x) OSSwapLittleToHostInt16(x)
+
+#define htobe32(x) OSSwapHostToBigInt32(x)
+#define htole32(x) OSSwapHostToLittleInt32(x)
+#define be32toh(x) OSSwapBigToHostInt32(x)
+#define le32toh(x) OSSwapLittleToHostInt32(x)
+
+#define htobe64(x) OSSwapHostToBigInt64(x)
+#define htole64(x) OSSwapHostToLittleInt64(x)
+#define be64toh(x) OSSwapBigToHostInt64(x)
+#define le64toh(x) OSSwapLittleToHostInt64(x)
+
+#endif /* __APPLE__ */
+
#endif /* __NDPI_DEFINE_INCLUDE_FILE__ */
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 14f1810ed..7e2f55711 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -78,14 +78,14 @@ typedef enum {
NDPI_PROTOCOL_SMBV23 = 41, /* SMB version 2/3 */
NDPI_PROTOCOL_MINING = 42, /* Bitcoin, Ethereum, ZCash, Monero */
NDPI_PROTOCOL_NEST_LOG_SINK = 43, /* Nest Log Sink (Nest Protect) - Darryl Sokoloski <darryl@egloo.ca> */
-
- NDPI_PROTOCOL_FREE_44 = 44, /* Free */
+ NDPI_PROTOCOL_MODBUS = 44, /* Modbus */
+
NDPI_PROTOCOL_FREE_45 = 45, /* Free */
NDPI_PROTOCOL_FREE_46 = 46, /* Free */
NDPI_PROTOCOL_XBOX = 47,
NDPI_PROTOCOL_QQ = 48,
- NDPI_PROTOCOL_FREE_49 = 49, /* Free */
+ NDPI_PROTOCOL_TIKTOK = 49,
NDPI_PROTOCOL_RTSP = 50,
NDPI_PROTOCOL_MAIL_IMAPS = 51,
NDPI_PROTOCOL_ICECAST = 52,
@@ -242,7 +242,7 @@ typedef enum {
NDPI_PROTOCOL_GITHUB = 203,
NDPI_PROTOCOL_BJNP = 204,
NDPI_PROTOCOL_FREE_205 = 205, /* Free */
- NDPI_PROTOCOL_VIDTO = 206,
+ NDPI_PROTOCOL_FREE_206 = 206, /* Free */
NDPI_PROTOCOL_SMPP = 207, /* Damir Franusic <df@release14.org> */
NDPI_PROTOCOL_DNSCRYPT = 208,
NDPI_PROTOCOL_TINC = 209, /* William Guglielmo <william@deselmo.com> */
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 5349237d4..f29ffa72a 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -363,4 +363,5 @@ void init_fbzero_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
void init_memcached_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_nest_log_sink_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
#endif /* __NDPI_PROTOCOLS_H__ */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 294af22b3..1bd8fd2db 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -29,18 +29,18 @@
/* NDPI_LOG_LEVEL */
typedef enum {
- NDPI_LOG_ERROR,
- NDPI_LOG_TRACE,
- NDPI_LOG_DEBUG,
- NDPI_LOG_DEBUG_EXTRA
+ NDPI_LOG_ERROR,
+ NDPI_LOG_TRACE,
+ NDPI_LOG_DEBUG,
+ NDPI_LOG_DEBUG_EXTRA
} ndpi_log_level_t;
/* NDPI_VISIT */
typedef enum {
- ndpi_preorder,
- ndpi_postorder,
- ndpi_endorder,
- ndpi_leaf
+ ndpi_preorder,
+ ndpi_postorder,
+ ndpi_endorder,
+ ndpi_leaf
} ndpi_VISIT;
/* NDPI_NODE */
@@ -356,17 +356,21 @@ PACK_ON struct tinc_cache_entry {
} PACK_OFF;
typedef enum {
- HTTP_METHOD_UNKNOWN = 0,
- HTTP_METHOD_OPTIONS,
- HTTP_METHOD_GET,
- HTTP_METHOD_HEAD,
- HTTP_METHOD_POST,
- HTTP_METHOD_PUT,
- HTTP_METHOD_DELETE,
- HTTP_METHOD_TRACE,
- HTTP_METHOD_CONNECT
+ NDPI_HTTP_METHOD_UNKNOWN = 0,
+ NDPI_HTTP_METHOD_OPTIONS,
+ NDPI_HTTP_METHOD_GET,
+ NDPI_HTTP_METHOD_HEAD,
+ NDPI_HTTP_METHOD_POST,
+ NDPI_HTTP_METHOD_PUT,
+ NDPI_HTTP_METHOD_DELETE,
+ NDPI_HTTP_METHOD_TRACE,
+ NDPI_HTTP_METHOD_CONNECT
} ndpi_http_method;
+struct ndpi_lru_cache {
+ u_int32_t num_entries, *entries;
+};
+
struct ndpi_id_struct {
/**
detected_protocol_bitmask:
@@ -375,229 +379,232 @@ struct ndpi_id_struct {
to compare this, use:
**/
NDPI_PROTOCOL_BITMASK detected_protocol_bitmask;
-/* NDPI_PROTOCOL_RTSP */
+ /* NDPI_PROTOCOL_RTSP */
ndpi_ip_addr_t rtsp_ip_address;
-/* NDPI_PROTOCOL_YAHOO */
+ /* NDPI_PROTOCOL_YAHOO */
u_int32_t yahoo_video_lan_timer;
/* NDPI_PROTOCOL_IRC_MAXPORT % 2 must be 0 */
-/* NDPI_PROTOCOL_IRC */
+ /* NDPI_PROTOCOL_IRC */
#define NDPI_PROTOCOL_IRC_MAXPORT 8
u_int16_t irc_port[NDPI_PROTOCOL_IRC_MAXPORT];
u_int32_t last_time_port_used[NDPI_PROTOCOL_IRC_MAXPORT];
u_int32_t irc_ts;
-/* NDPI_PROTOCOL_GNUTELLA */
+ /* NDPI_PROTOCOL_GNUTELLA */
u_int32_t gnutella_ts;
-/* NDPI_PROTOCOL_BATTLEFIELD */
+ /* NDPI_PROTOCOL_BATTLEFIELD */
u_int32_t battlefield_ts;
-/* NDPI_PROTOCOL_THUNDER */
+ /* NDPI_PROTOCOL_THUNDER */
u_int32_t thunder_ts;
-/* NDPI_PROTOCOL_RTSP */
+ /* NDPI_PROTOCOL_RTSP */
u_int32_t rtsp_timer;
-/* NDPI_PROTOCOL_OSCAR */
+ /* NDPI_PROTOCOL_OSCAR */
u_int32_t oscar_last_safe_access_time;
-/* NDPI_PROTOCOL_ZATTOO */
+ /* NDPI_PROTOCOL_ZATTOO */
u_int32_t zattoo_ts;
-/* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
+ /* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
u_int32_t jabber_stun_or_ft_ts;
-/* NDPI_PROTOCOL_DIRECTCONNECT */
+ /* NDPI_PROTOCOL_DIRECTCONNECT */
u_int32_t directconnect_last_safe_access_time;
-/* NDPI_PROTOCOL_SOULSEEK */
+ /* NDPI_PROTOCOL_SOULSEEK */
u_int32_t soulseek_last_safe_access_time;
-/* NDPI_PROTOCOL_DIRECTCONNECT */
+ /* NDPI_PROTOCOL_DIRECTCONNECT */
u_int16_t detected_directconnect_port;
u_int16_t detected_directconnect_udp_port;
u_int16_t detected_directconnect_ssl_port;
-/* NDPI_PROTOCOL_BITTORRENT */
+ /* NDPI_PROTOCOL_BITTORRENT */
#define NDPI_BT_PORTS 8
u_int16_t bt_port_t[NDPI_BT_PORTS];
u_int16_t bt_port_u[NDPI_BT_PORTS];
-/* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
+ /* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
#define JABBER_MAX_STUN_PORTS 6
u_int16_t jabber_voice_stun_port[JABBER_MAX_STUN_PORTS];
u_int16_t jabber_file_transfer_port[2];
-/* NDPI_PROTOCOL_GNUTELLA */
+ /* NDPI_PROTOCOL_GNUTELLA */
u_int16_t detected_gnutella_port;
-/* NDPI_PROTOCOL_GNUTELLA */
+ /* NDPI_PROTOCOL_GNUTELLA */
u_int16_t detected_gnutella_udp_port1;
u_int16_t detected_gnutella_udp_port2;
-/* NDPI_PROTOCOL_SOULSEEK */
+ /* NDPI_PROTOCOL_SOULSEEK */
u_int16_t soulseek_listen_port;
-/* NDPI_PROTOCOL_IRC */
+ /* NDPI_PROTOCOL_IRC */
u_int8_t irc_number_of_port;
-/* NDPI_PROTOCOL_OSCAR */
+ /* NDPI_PROTOCOL_OSCAR */
u_int8_t oscar_ssl_session_id[33];
-/* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
+ /* NDPI_PROTOCOL_UNENCRYPTED_JABBER */
u_int8_t jabber_voice_stun_used_ports;
-/* NDPI_PROTOCOL_SIP */
-/* NDPI_PROTOCOL_YAHOO */
+ /* NDPI_PROTOCOL_SIP */
+ /* NDPI_PROTOCOL_YAHOO */
u_int32_t yahoo_video_lan_dir:1;
-/* NDPI_PROTOCOL_YAHOO */
+ /* NDPI_PROTOCOL_YAHOO */
u_int32_t yahoo_conf_logged_in:1;
u_int32_t yahoo_voice_conf_logged_in:1;
-/* NDPI_PROTOCOL_RTSP */
+ /* NDPI_PROTOCOL_RTSP */
u_int32_t rtsp_ts_set:1;
};
/* ************************************************** */
struct ndpi_flow_tcp_struct {
-/* NDPI_PROTOCOL_MAIL_SMTP */
+ /* NDPI_PROTOCOL_MAIL_SMTP */
u_int16_t smtp_command_bitmask;
-/* NDPI_PROTOCOL_MAIL_POP */
+ /* NDPI_PROTOCOL_MAIL_POP */
u_int16_t pop_command_bitmask;
-/* NDPI_PROTOCOL_QQ */
+ /* NDPI_PROTOCOL_QQ */
u_int16_t qq_nxt_len;
/* NDPI_PROTOCOL_WHATSAPP */
u_int8_t wa_matched_so_far;
-/* NDPI_PROTOCOL_TDS */
+ /* NDPI_PROTOCOL_TDS */
u_int8_t tds_login_version;
-/* NDPI_PROTOCOL_IRC */
+ /* NDPI_PROTOCOL_IRC */
u_int8_t irc_stage;
u_int8_t irc_port;
-/* NDPI_PROTOCOL_H323 */
+ /* NDPI_PROTOCOL_H323 */
u_int8_t h323_valid_packets;
-/* NDPI_PROTOCOL_GNUTELLA */
+ /* NDPI_PROTOCOL_GNUTELLA */
u_int8_t gnutella_msg_id[3];
-/* NDPI_PROTOCOL_IRC */
+ /* NDPI_PROTOCOL_IRC */
u_int32_t irc_3a_counter:3;
u_int32_t irc_stage2:5;
u_int32_t irc_direction:2;
u_int32_t irc_0x1000_full:1;
-/* NDPI_PROTOCOL_SOULSEEK */
+ /* NDPI_PROTOCOL_SOULSEEK */
u_int32_t soulseek_stage:2;
-/* NDPI_PROTOCOL_TDS */
+ /* NDPI_PROTOCOL_TDS */
u_int32_t tds_stage:3;
-/* NDPI_PROTOCOL_USENET */
+ /* NDPI_PROTOCOL_USENET */
u_int32_t usenet_stage:2;
-/* NDPI_PROTOCOL_IMESH */
+ /* NDPI_PROTOCOL_IMESH */
u_int32_t imesh_stage:4;
-/* NDPI_PROTOCOL_HTTP */
+ /* NDPI_PROTOCOL_HTTP */
u_int32_t http_setup_dir:2;
u_int32_t http_stage:2;
u_int32_t http_empty_line_seen:1;
u_int32_t http_wait_for_retransmission:1;
-/* NDPI_PROTOCOL_GNUTELLA */
+ /* NDPI_PROTOCOL_GNUTELLA */
u_int32_t gnutella_stage:2; // 0 - 2
-/* NDPI_CONTENT_MMS */
+ /* NDPI_CONTENT_MMS */
u_int32_t mms_stage:2;
-/* NDPI_PROTOCOL_YAHOO */
+ /* NDPI_PROTOCOL_YAHOO */
u_int32_t yahoo_sip_comm:1;
u_int32_t yahoo_http_proxy_stage:2;
-/* NDPI_PROTOCOL_MSN */
+ /* NDPI_PROTOCOL_MSN */
u_int32_t msn_stage:3;
u_int32_t msn_ssl_ft:2;
-/* NDPI_PROTOCOL_SSH */
+ /* NDPI_PROTOCOL_SSH */
u_int32_t ssh_stage:3;
-/* NDPI_PROTOCOL_VNC */
+ /* NDPI_PROTOCOL_VNC */
u_int32_t vnc_stage:2; // 0 - 3
-/* NDPI_PROTOCOL_TELNET */
+ /* NDPI_PROTOCOL_TELNET */
u_int32_t telnet_stage:2; // 0 - 2
-/* NDPI_PROTOCOL_SSL */
- u_int8_t ssl_seen_client_cert:1, ssl_seen_server_cert:1, ssl_stage:2; // 0 - 5
+ /* NDPI_PROTOCOL_SSL */
+ u_int8_t ssl_seen_client_cert:1,
+ ssl_seen_server_cert:1,
+ ssl_seen_certificate:1,
+ ssl_stage:2; // 0 - 5
-/* NDPI_PROTOCOL_POSTGRES */
+ /* NDPI_PROTOCOL_POSTGRES */
u_int32_t postgres_stage:3;
-/* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
+ /* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */
u_int32_t ddlink_server_direction:1;
u_int32_t seen_syn:1;
u_int32_t seen_syn_ack:1;
u_int32_t seen_ack:1;
-/* NDPI_PROTOCOL_ICECAST */
+ /* NDPI_PROTOCOL_ICECAST */
u_int32_t icecast_stage:1;
-/* NDPI_PROTOCOL_DOFUS */
+ /* NDPI_PROTOCOL_DOFUS */
u_int32_t dofus_stage:1;
-/* NDPI_PROTOCOL_FIESTA */
+ /* NDPI_PROTOCOL_FIESTA */
u_int32_t fiesta_stage:2;
-/* NDPI_PROTOCOL_WORLDOFWARCRAFT */
+ /* NDPI_PROTOCOL_WORLDOFWARCRAFT */
u_int32_t wow_stage:2;
-/* NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV */
+ /* NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV */
u_int32_t veoh_tv_stage:2;
-/* NDPI_PROTOCOL_SHOUTCAST */
+ /* NDPI_PROTOCOL_SHOUTCAST */
u_int32_t shoutcast_stage:2;
-/* NDPI_PROTOCOL_RTP */
+ /* NDPI_PROTOCOL_RTP */
u_int32_t rtp_special_packets_seen:1;
-/* NDPI_PROTOCOL_MAIL_POP */
+ /* NDPI_PROTOCOL_MAIL_POP */
u_int32_t mail_pop_stage:2;
-/* NDPI_PROTOCOL_MAIL_IMAP */
+ /* NDPI_PROTOCOL_MAIL_IMAP */
u_int32_t mail_imap_stage:3, mail_imap_starttls:2;
-/* NDPI_PROTOCOL_SKYPE */
+ /* NDPI_PROTOCOL_SKYPE */
u_int8_t skype_packet_id;
-/* NDPI_PROTOCOL_CITRIX */
+ /* NDPI_PROTOCOL_CITRIX */
u_int8_t citrix_packet_id;
-/* NDPI_PROTOCOL_LOTUS_NOTES */
+ /* NDPI_PROTOCOL_LOTUS_NOTES */
u_int8_t lotus_notes_packet_id;
-/* NDPI_PROTOCOL_TEAMVIEWER */
+ /* NDPI_PROTOCOL_TEAMVIEWER */
u_int8_t teamviewer_stage;
-/* NDPI_PROTOCOL_ZMQ */
+ /* NDPI_PROTOCOL_ZMQ */
u_int8_t prev_zmq_pkt_len;
u_char prev_zmq_pkt[10];
-/* NDPI_PROTOCOL_PPSTREAM */
+ /* NDPI_PROTOCOL_PPSTREAM */
u_int32_t ppstream_stage:3;
-/* NDPI_PROTOCOL_MEMCACHED */
+ /* NDPI_PROTOCOL_MEMCACHED */
u_int8_t memcached_matches;
-/* NDPI_PROTOCOL_NEST_LOG_SINK */
+ /* NDPI_PROTOCOL_NEST_LOG_SINK */
u_int8_t nest_log_sink_matches;
}
#ifndef WIN32
@@ -608,51 +615,51 @@ struct ndpi_flow_tcp_struct {
/* ************************************************** */
struct ndpi_flow_udp_struct {
-/* NDPI_PROTOCOL_BATTLEFIELD */
+ /* NDPI_PROTOCOL_BATTLEFIELD */
u_int32_t battlefield_msg_id;
-/* NDPI_PROTOCOL_SNMP */
+ /* NDPI_PROTOCOL_SNMP */
u_int32_t snmp_msg_id;
-/* NDPI_PROTOCOL_BATTLEFIELD */
+ /* NDPI_PROTOCOL_BATTLEFIELD */
u_int32_t battlefield_stage:3;
-/* NDPI_PROTOCOL_SNMP */
+ /* NDPI_PROTOCOL_SNMP */
u_int32_t snmp_stage:2;
-/* NDPI_PROTOCOL_PPSTREAM */
+ /* NDPI_PROTOCOL_PPSTREAM */
u_int32_t ppstream_stage:3; // 0 - 7
-/* NDPI_PROTOCOL_HALFLIFE2 */
+ /* NDPI_PROTOCOL_HALFLIFE2 */
u_int32_t halflife2_stage:2; // 0 - 2
-/* NDPI_PROTOCOL_TFTP */
+ /* NDPI_PROTOCOL_TFTP */
u_int32_t tftp_stage:1;
-/* NDPI_PROTOCOL_AIMINI */
+ /* NDPI_PROTOCOL_AIMINI */
u_int32_t aimini_stage:5;
-/* NDPI_PROTOCOL_XBOX */
+ /* NDPI_PROTOCOL_XBOX */
u_int32_t xbox_stage:1;
-/* NDPI_PROTOCOL_WINDOWS_UPDATE */
+ /* NDPI_PROTOCOL_WINDOWS_UPDATE */
u_int32_t wsus_stage:1;
-/* NDPI_PROTOCOL_SKYPE */
+ /* NDPI_PROTOCOL_SKYPE */
u_int8_t skype_packet_id;
-/* NDPI_PROTOCOL_TEAMVIEWER */
+ /* NDPI_PROTOCOL_TEAMVIEWER */
u_int8_t teamviewer_stage;
-/* NDPI_PROTOCOL_EAQ */
+ /* NDPI_PROTOCOL_EAQ */
u_int8_t eaq_pkt_id;
u_int32_t eaq_sequence;
-/* NDPI_PROTOCOL_RX */
+ /* NDPI_PROTOCOL_RX */
u_int32_t rx_conn_epoch;
u_int32_t rx_conn_id;
-/* NDPI_PROTOCOL_MEMCACHED */
+ /* NDPI_PROTOCOL_MEMCACHED */
u_int8_t memcached_matches;
}
#ifndef WIN32
@@ -746,87 +753,84 @@ typedef struct {
} ndpi_port_range;
typedef enum {
- NDPI_PROTOCOL_SAFE = 0, /* Surely doesn't provide risks for the network. (e.g., a news site) */
- NDPI_PROTOCOL_ACCEPTABLE, /* Probably doesn't provide risks, but could be malicious (e.g., Dropbox) */
- NDPI_PROTOCOL_FUN, /* Pure fun protocol, which may be prohibited by the user policy (e.g., Netflix) */
- NDPI_PROTOCOL_UNSAFE, /* Probably provides risks, but could be a normal traffic. Unencrypted protocols with clear pass should be here (e.g., telnet) */
- NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Surely is dangerous (ex. Tor). Be prepared to troubles */
- NDPI_PROTOCOL_TRACKER_ADS, /* Trackers, Advertisements... */
- NDPI_PROTOCOL_UNRATED /* No idea, not implemented or impossible to classify */
+ NDPI_PROTOCOL_SAFE = 0, /* Surely doesn't provide risks for the network. (e.g., a news site) */
+ NDPI_PROTOCOL_ACCEPTABLE, /* Probably doesn't provide risks, but could be malicious (e.g., Dropbox) */
+ NDPI_PROTOCOL_FUN, /* Pure fun protocol, which may be prohibited by the user policy (e.g., Netflix) */
+ NDPI_PROTOCOL_UNSAFE, /* Probably provides risks, but could be a normal traffic. Unencrypted protocols with clear pass should be here (e.g., telnet) */
+ NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Surely is dangerous (ex. Tor). Be prepared to troubles */
+ NDPI_PROTOCOL_TRACKER_ADS, /* Trackers, Advertisements... */
+ NDPI_PROTOCOL_UNRATED /* No idea, not implemented or impossible to classify */
} ndpi_protocol_breed_t;
#define NUM_BREEDS (NDPI_PROTOCOL_UNRATED+1)
/* Abstract categories to group the protocols. */
typedef enum {
- NDPI_PROTOCOL_CATEGORY_UNSPECIFIED = 0, /* For general services and unknown protocols */
- NDPI_PROTOCOL_CATEGORY_MEDIA, /* Multimedia and streaming */
- NDPI_PROTOCOL_CATEGORY_VPN, /* Virtual Private Networks */
- NDPI_PROTOCOL_CATEGORY_MAIL, /* Protocols to send/receive/sync emails */
- NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, /* AFS/NFS and similar protocols */
- NDPI_PROTOCOL_CATEGORY_WEB, /* Web/mobile protocols and services */
- NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, /* Social networks */
- NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, /* Download, FTP, file transfer/sharing */
- NDPI_PROTOCOL_CATEGORY_GAME, /* Online games */
- NDPI_PROTOCOL_CATEGORY_CHAT, /* Instant messaging */
- NDPI_PROTOCOL_CATEGORY_VOIP, /* Real-time communications and conferencing */
- NDPI_PROTOCOL_CATEGORY_DATABASE, /* Protocols for database communication */
- NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, /* Remote access and control */
- NDPI_PROTOCOL_CATEGORY_CLOUD, /* Online cloud services */
- NDPI_PROTOCOL_CATEGORY_NETWORK, /* Network infrastructure protocols */
- NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development, including Webmail */
- NDPI_PROTOCOL_CATEGORY_RPC, /* High level network communication protocols */
- NDPI_PROTOCOL_CATEGORY_STREAMING, /* Streaming protocols */
- NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, /* System/Operating System level applications */
- NDPI_PROTOCOL_CATEGORY_SW_UPDATE, /* Software update */
-
- /* See #define NUM_CUSTOM_CATEGORIES */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_1, /* User custom category 1 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_2, /* User custom category 2 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_3, /* User custom category 3 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_4, /* User custom category 4 */
- NDPI_PROTOCOL_CATEGORY_CUSTOM_5, /* User custom category 5 */
-
- /* Payload Content */
- NDPI_CONTENT_CATEGORY_AVI,
- NDPI_CONTENT_CATEGORY_FLASH,
- NDPI_CONTENT_CATEGORY_OGG,
- NDPI_CONTENT_CATEGORY_MPEG,
- NDPI_CONTENT_CATEGORY_QUICKTIME,
- NDPI_CONTENT_CATEGORY_REALMEDIA,
- NDPI_CONTENT_CATEGORY_WINDOWSMEDIA,
- NDPI_CONTENT_CATEGORY_WEBM,
-
- /* Some custom categories */
- CUSTOM_CATEGORY_MINING = 99,
- CUSTOM_CATEGORY_MALWARE = 100,
- CUSTOM_CATEGORY_ADVERTISEMENT = 101,
- CUSTOM_CATEGORY_BANNED_SITE = 102,
- CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103,
-
- /*
- IMPORTANT
-
- Please keep in sync with
-
- static const char* categories[] = { ..}
-
- in ndpi_main.c
- */
+ NDPI_PROTOCOL_CATEGORY_UNSPECIFIED = 0, /* For general services and unknown protocols */
+ NDPI_PROTOCOL_CATEGORY_MEDIA, /* Multimedia and streaming */
+ NDPI_PROTOCOL_CATEGORY_VPN, /* Virtual Private Networks */
+ NDPI_PROTOCOL_CATEGORY_MAIL, /* Protocols to send/receive/sync emails */
+ NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, /* AFS/NFS and similar protocols */
+ NDPI_PROTOCOL_CATEGORY_WEB, /* Web/mobile protocols and services */
+ NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, /* Social networks */
+ NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, /* Download, FTP, file transfer/sharing */
+ NDPI_PROTOCOL_CATEGORY_GAME, /* Online games */
+ NDPI_PROTOCOL_CATEGORY_CHAT, /* Instant messaging */
+ NDPI_PROTOCOL_CATEGORY_VOIP, /* Real-time communications and conferencing */
+ NDPI_PROTOCOL_CATEGORY_DATABASE, /* Protocols for database communication */
+ NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, /* Remote access and control */
+ NDPI_PROTOCOL_CATEGORY_CLOUD, /* Online cloud services */
+ NDPI_PROTOCOL_CATEGORY_NETWORK, /* Network infrastructure protocols */
+ NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development, including Webmail */
+ NDPI_PROTOCOL_CATEGORY_RPC, /* High level network communication protocols */
+ NDPI_PROTOCOL_CATEGORY_STREAMING, /* Streaming protocols */
+ NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, /* System/Operating System level applications */
+ NDPI_PROTOCOL_CATEGORY_SW_UPDATE, /* Software update */
+
+ /* See #define NUM_CUSTOM_CATEGORIES */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_1, /* User custom category 1 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_2, /* User custom category 2 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_3, /* User custom category 3 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_4, /* User custom category 4 */
+ NDPI_PROTOCOL_CATEGORY_CUSTOM_5, /* User custom category 5 */
+
+ /* Further categories... */
+ NDPI_PROTOCOL_CATEGORY_MUSIC,
+ NDPI_PROTOCOL_CATEGORY_VIDEO,
+ NDPI_PROTOCOL_CATEGORY_SHOPPING,
+ NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY,
+ NDPI_PROTOCOL_CATEGORY_FILE_SHARING,
+
+ /* Some custom categories */
+ CUSTOM_CATEGORY_MINING = 99,
+ CUSTOM_CATEGORY_MALWARE = 100,
+ CUSTOM_CATEGORY_ADVERTISEMENT = 101,
+ CUSTOM_CATEGORY_BANNED_SITE = 102,
+ CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103,
+
+ /*
+ IMPORTANT
+
+ Please keep in sync with
+
+ static const char* categories[] = { ..}
+
+ in ndpi_main.c
+ */
- NDPI_PROTOCOL_NUM_CATEGORIES /*
- NOTE: Keep this as last member
- Unused as value but useful to getting the number of elements
- in this datastructure
- */
+ NDPI_PROTOCOL_NUM_CATEGORIES /*
+ NOTE: Keep this as last member
+ Unused as value but useful to getting the number of elements
+ in this datastructure
+ */
} ndpi_protocol_category_t;
typedef enum {
- ndpi_pref_http_dont_dissect_response = 0,
- ndpi_pref_dns_dissect_response,
- ndpi_pref_direction_detect_disable,
- ndpi_pref_disable_metadata_export,
- ndpi_pref_enable_category_substring_match
+ ndpi_pref_http_dont_dissect_response = 0,
+ ndpi_pref_dns_dont_dissect_response,
+ ndpi_pref_direction_detect_disable,
+ ndpi_pref_disable_metadata_export,
+ ndpi_pref_enable_category_substring_match
} ndpi_detection_preference;
/* ntop extensions */
@@ -875,9 +879,9 @@ typedef struct ndpi_proto {
#include <hs/hs.h>
struct hs_list {
- char *expression;
- unsigned int id;
- struct hs_list *next;
+ char *expression;
+ unsigned int id;
+ struct hs_list *next;
};
struct hs {
@@ -986,25 +990,25 @@ struct ndpi_detection_module_struct {
char ip_string[NDPI_IP_STRING_SIZE];
#endif
u_int8_t ip_version_limit;
-/* NDPI_PROTOCOL_BITTORRENT */
+ /* NDPI_PROTOCOL_BITTORRENT */
struct hash_ip4p_table *bt_ht;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
struct hash_ip4p_table *bt6_ht;
#endif
-/* BT_ANNOUNCE */
+ /* BT_ANNOUNCE */
struct bt_announce *bt_ann;
int bt_ann_len;
/* NDPI_PROTOCOL_OOKLA */
- void *ookla_cache;
+ struct ndpi_lru_cache *ookla_cache;
/* NDPI_PROTOCOL_TINC */
struct cache *tinc_cache;
ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS];
- u_int8_t http_dont_dissect_response:1, dns_dissect_response:1,
+ u_int8_t http_dont_dissect_response:1, dns_dont_dissect_response:1,
direction_detect_disable:1, /* disable internal detection of packet direction */
disable_metadata_export:1, /* No metadata is exported */
enable_category_substring_match:1 /* Default is perfect match */
@@ -1067,7 +1071,7 @@ struct ndpi_flow_struct {
char *url, *content_type;
u_int8_t num_request_headers, num_response_headers;
u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */
- u_char response_status_code[5]; /* 200, 404, etc. */
+ u_int16_t response_status_code; /* 200, 404, etc. */
} http;
union {
@@ -1075,6 +1079,7 @@ struct ndpi_flow_struct {
struct {
u_int8_t num_queries, num_answers, reply_code;
u_int16_t query_type, query_class, rsp_type;
+ ndpi_ip_addr_t rsp_addr; /* The first address in a DNS response packet */
} dns;
struct {
@@ -1084,7 +1089,7 @@ struct ndpi_flow_struct {
struct {
struct {
- char client_certificate[64], server_certificate[64];
+ char client_certificate[64], server_certificate[64], server_organization[64];
} ssl;
struct {
@@ -1122,7 +1127,7 @@ struct ndpi_flow_struct {
char fingerprint[48];
char class_ident[48];
} dhcp;
- } protos;
+ } protos;
/*** ALL protocol specific 64 bit variables here ***/
@@ -1131,90 +1136,83 @@ struct ndpi_flow_struct {
ndpi_protocol_category_t category;
-/* NDPI_PROTOCOL_REDIS */
+ /* NDPI_PROTOCOL_REDIS */
u_int8_t redis_s2d_first_char, redis_d2s_first_char;
u_int16_t packet_counter; // can be 0 - 65000
u_int16_t packet_direction_counter[2];
u_int16_t byte_counter[2];
-/* NDPI_PROTOCOL_BITTORRENT */
+ /* NDPI_PROTOCOL_BITTORRENT */
u_int8_t bittorrent_stage; // can be 0 - 255
-/* NDPI_PROTOCOL_DIRECTCONNECT */
- u_int32_t directconnect_stage:2; // 0 - 1
-
-/* NDPI_PROTOCOL_YAHOO */
- u_int32_t sip_yahoo_voice:1;
+ /* NDPI_PROTOCOL_DIRECTCONNECT */
+ u_int8_t directconnect_stage:2; // 0 - 1
-/* NDPI_PROTOCOL_HTTP */
- u_int32_t http_detected:1;
+ /* NDPI_PROTOCOL_YAHOO */
+ u_int8_t sip_yahoo_voice:1;
-/* NDPI_PROTOCOL_RTSP */
- u_int32_t rtsprdt_stage:2;
- u_int32_t rtsp_control_flow:1;
+ /* NDPI_PROTOCOL_HTTP */
+ u_int8_t http_detected:1;
+ u_int16_t http_upper_protocol, http_lower_protocol;
+
+ /* NDPI_PROTOCOL_RTSP */
+ u_int8_t rtsprdt_stage:2, rtsp_control_flow:1;
-/* NDPI_PROTOCOL_YAHOO */
- u_int32_t yahoo_detection_finished:2;
+ /* NDPI_PROTOCOL_YAHOO */
+ u_int8_t yahoo_detection_finished:2;
-/* NDPI_PROTOCOL_ZATTOO */
- u_int32_t zattoo_stage:3;
+ /* NDPI_PROTOCOL_ZATTOO */
+ u_int8_t zattoo_stage:3;
-/* NDPI_PROTOCOL_QQ */
- u_int32_t qq_stage:3;
+ /* NDPI_PROTOCOL_QQ */
+ u_int8_t qq_stage:3;
-/* NDPI_PROTOCOL_THUNDER */
- u_int32_t thunder_stage:2; // 0 - 3
+ /* NDPI_PROTOCOL_THUNDER */
+ u_int8_t thunder_stage:2; // 0 - 3
-/* NDPI_PROTOCOL_OSCAR */
- u_int32_t oscar_ssl_voice_stage:3;
- u_int32_t oscar_video_voice:1;
+ /* NDPI_PROTOCOL_OSCAR */
+ u_int8_t oscar_ssl_voice_stage:3, oscar_video_voice:1;
-/* NDPI_PROTOCOL_FLORENSIA */
- u_int32_t florensia_stage:1;
+ /* NDPI_PROTOCOL_FLORENSIA */
+ u_int8_t florensia_stage:1;
-/* NDPI_PROTOCOL_SOCKS */
- u_int32_t socks5_stage:2; // 0 - 3
- u_int32_t socks4_stage:2; // 0 - 3
+ /* NDPI_PROTOCOL_SOCKS */
+ u_int8_t socks5_stage:2, socks4_stage:2; // 0 - 3
-/* NDPI_PROTOCOL_EDONKEY */
- u_int32_t edonkey_stage:2; // 0 - 3
+ /* NDPI_PROTOCOL_EDONKEY */
+ u_int8_t edonkey_stage:2; // 0 - 3
-/* NDPI_PROTOCOL_FTP_CONTROL */
- u_int32_t ftp_control_stage:2;
+ /* NDPI_PROTOCOL_FTP_CONTROL */
+ u_int8_t ftp_control_stage:2;
-/* NDPI_PROTOCOL_RTMP */
- u_int32_t rtmp_stage:2;
+ /* NDPI_PROTOCOL_RTMP */
+ u_int8_t rtmp_stage:2;
-/* NDPI_PROTOCOL_PANDO */
- u_int32_t pando_stage:3;
+ /* NDPI_PROTOCOL_PANDO */
+ u_int8_t pando_stage:3;
-/* NDPI_PROTOCOL_STEAM */
- u_int32_t steam_stage:3;
- u_int32_t steam_stage1:3; // 0 - 4
- u_int32_t steam_stage2:2; // 0 - 2
- u_int32_t steam_stage3:2; // 0 - 2
+ /* NDPI_PROTOCOL_STEAM */
+ u_int16_t steam_stage:3, steam_stage1:3, steam_stage2:2, steam_stage3:2;
-/* NDPI_PROTOCOL_PPLIVE */
- u_int32_t pplive_stage1:3; // 0 - 6
- u_int32_t pplive_stage2:2; // 0 - 2
- u_int32_t pplive_stage3:2; // 0 - 2
+ /* NDPI_PROTOCOL_PPLIVE */
+ u_int8_t pplive_stage1:3, pplive_stage2:2, pplive_stage3:2;
-/* NDPI_PROTOCOL_STARCRAFT */
- u_int32_t starcraft_udp_stage : 3; // 0-7
+ /* NDPI_PROTOCOL_STARCRAFT */
+ u_int8_t starcraft_udp_stage : 3; // 0-7
-/* NDPI_PROTOCOL_OPENVPN */
+ /* NDPI_PROTOCOL_OPENVPN */
u_int8_t ovpn_session_id[8];
u_int8_t ovpn_counter;
-/* NDPI_PROTOCOL_TINC */
+ /* NDPI_PROTOCOL_TINC */
u_int8_t tinc_state;
struct tinc_cache_entry tinc_cache_entry;
-/* NDPI_PROTOCOL_CSGO */
+ /* NDPI_PROTOCOL_CSGO */
u_int8_t csgo_strid[18],csgo_state,csgo_s2;
u_int32_t csgo_id2;
-/* NDPI_PROTOCOL_1KXUN || NDPI_PROTOCOL_IQIYI */
+ /* NDPI_PROTOCOL_1KXUN || NDPI_PROTOCOL_IQIYI */
u_int16_t kxun_counter, iqiyi_counter;
/* internal structures to save functions calls */
diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in
index 0ffeb9db5..cadd65ddd 100644
--- a/src/lib/Makefile.in
+++ b/src/lib/Makefile.in
@@ -10,7 +10,7 @@
#
# Installation directories
#
-prefix = /usr/local
+prefix = @prefix@
libdir = ${prefix}/lib
includedir = ${prefix}/include/ndpi
CC = @CC@
@@ -61,7 +61,7 @@ distclean: clean
install: $(NDPI_LIBS)
mkdir -p $(DESTDIR)$(libdir)
cp $(NDPI_LIBS) $(DESTDIR)$(libdir)/
- ln -Ffs $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED) $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED_BASE)
- ln -Ffs $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED) $(DESTDIR)$(libdir)/$(NDPI_LIB_SHARED_BASE).$(NDPI_VERSION_MAJOR)
+ cp -P $(NDPI_LIB_SHARED_BASE) $(DESTDIR)$(libdir)/
+ cp -P $(NDPI_LIB_SHARED_BASE).$(NDPI_VERSION_MAJOR) $(DESTDIR)$(libdir)/
mkdir -p $(DESTDIR)$(includedir)
cp ../include/*.h $(DESTDIR)$(includedir)
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index c0cba0b89..a060182d8 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -7947,13 +7947,6 @@ static ndpi_network host_protocol_list[] = {
{ 0xD040C900 /* 208.64.201.0/22 */, 22, NDPI_PROTOCOL_STEAM },
{ 0xD04EA400 /* 208.78.164.0/22 */, 22, NDPI_PROTOCOL_STEAM },
- /*
- VidTO
- */
- { 0x51111030 /* 81.17.16.48/32 */, 32, NDPI_PROTOCOL_VIDTO },
- { 0x5fb7329d /* 95.183.50.157/32 */, 32, NDPI_PROTOCOL_VIDTO },
- { 0x577824f2 /* 87.120.36.242/32 */, 32, NDPI_PROTOCOL_VIDTO },
-
{ 0x0, 0, 0 }
};
@@ -8031,17 +8024,18 @@ https://www.regular-expressions.info/email.html
/* ****************************************************** */
ndpi_protocol_match host_match[] = {
- { "s3.ll.dash.row.aiv-cdn.net", NULL, "s3\\.ll\\.dash\\.row\\.aiv-cdn\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "s3-dub.cf.dash.row.aiv-cdn.net", NULL, "s3-dub\\.cf\\.dash\\.row\\.aiv-cdn\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "dmqdd6hw24ucf.cloudfront.net", NULL, "dmqdd6hw24ucf\\.cloudfront\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "d25xi40x97liuc.cloudfront.net", NULL, "d25xi40x97liuc\\.cloudfront\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { ".aiv-delivery.net", NULL, "\\.aiv-delivery\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "amazon.", NULL, NULL, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { "amazon.com", NULL, "amazon" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { "images-amazon.com", NULL, "images-amazon" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
- { "amazonaws.com", NULL, "amazonaws" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
- { "amazon-adsystem.com", NULL, "amazon-adsystem" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
- { ".cloudfront.net", NULL, "\\.cloudfront" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { "s3.ll.dash.row.aiv-cdn.net", NULL, "s3\\.ll\\.dash\\.row\\.aiv-cdn\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "s3-dub.cf.dash.row.aiv-cdn.net", NULL, "s3-dub\\.cf\\.dash\\.row\\.aiv-cdn\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "dmqdd6hw24ucf.cloudfront.net", NULL, "dmqdd6hw24ucf\\.cloudfront\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "d25xi40x97liuc.cloudfront.net", NULL, "d25xi40x97liuc\\.cloudfront\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { ".aiv-delivery.net", NULL, "\\.aiv-delivery\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { ".aiv-cdn.net", NULL, "\\.aiv-cdn\\.net", "AmazonVideo", NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "amazon.", NULL, NULL, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { "amazon.com", NULL, "amazon" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { "images-amazon.com", NULL, "images-amazon" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { "amazonaws.com", NULL, "amazonaws" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { "amazon-adsystem.com", NULL, "amazon-adsystem" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".cloudfront.net", NULL, "\\.cloudfront" TLD, "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".push.apple.com", NULL, "\\.push\\.apple" TLD, "ApplePush", NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
{ ".apple-dns.net", NULL, "\\.apple-dns" TLD, "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
@@ -8070,13 +8064,13 @@ ndpi_protocol_match host_match[] = {
{ ".dropbox-dns.com", NULL, "\\.dropbox-dns" TLD, "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "log.getdropbox.com", NULL, "log\\.getdropbox" TLD, "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
- { ".ebay.", NULL, "\\.ebay" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, /* or FUN */
- { ".ebay.com", NULL, NULL, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { ".ebaystatic.com", NULL, "\\.ebaystatic" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { ".ebaydesc.com", NULL, "\\.ebaydesc" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { ".ebayrtm.com", NULL, "\\.ebayrtm" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { ".ebaystratus.com", NULL, "\\.ebaystratus" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
- { ".ebayimg.com", NULL, "\\.ebayimg" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
+ { ".ebay.", NULL, "\\.ebay" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE }, /* or FUN */
+ { ".ebay.com", NULL, NULL, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE },
+ { ".ebaystatic.com", NULL, "\\.ebaystatic" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE },
+ { ".ebaydesc.com", NULL, "\\.ebaydesc" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE },
+ { ".ebayrtm.com", NULL, "\\.ebayrtm" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE },
+ { ".ebaystratus.com", NULL, "\\.ebaystratus" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE },
+ { ".ebayimg.com", NULL, "\\.ebayimg" TLD, "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_SHOPPING, NDPI_PROTOCOL_SAFE },
/* Detected "instagram.c10r.facebook.com". Omitted "*amazonaws.com" and "*facebook.com" CDNs e.g. "ig-telegraph-shv-04-frc3.facebook.com" */
{ ".instagram.", NULL, "\\.instagram" TLD, "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8126,8 +8120,6 @@ ndpi_protocol_match host_match[] = {
Gstatic by Google (gstatic.com)
*/
-
-
/* Google Advertisements */
{ ".googlesyndication.com", NULL, "\\.googlesyndication" TLD, "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS },
{ "googleads.", NULL, "googleads\\.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_TRACKER_ADS },
@@ -8168,16 +8160,16 @@ ndpi_protocol_match host_match[] = {
{ "mail.outlook.com", NULL, "mail\\.outlook" TLD, "Hotmail", NDPI_PROTOCOL_HOTMAIL, NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_ACCEPTABLE },
- { ".last.fm", NULL, "\\.last\\.fm$", "LastFM", NDPI_PROTOCOL_LASTFM, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
+ { ".last.fm", NULL, "\\.last\\.fm$", "LastFM", NDPI_PROTOCOL_LASTFM, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
{ "msn.com", NULL, "msn" TLD, "MSN", NDPI_PROTOCOL_MSN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, /* News site */
- { "netflix.com", NULL, "netflix" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "nflxext.com", NULL, "nflxext" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "nflximg.com", NULL, "nflximg" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "nflximg.net", NULL, "nflximg" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "nflxvideo.net", NULL, "nflxvideo" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "nflxso.net", NULL, "nflxso" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
+ { "netflix.com", NULL, "netflix" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "nflxext.com", NULL, "nflxext" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "nflximg.com", NULL, "nflximg" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "nflximg.net", NULL, "nflximg" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "nflxvideo.net", NULL, "nflxvideo" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "nflxso.net", NULL, "nflxso" TLD, "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ ".skype.", NULL, "\\.skype\\.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ ".skypeassets.", NULL, "\\.skypeassets\\.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8221,10 +8213,10 @@ ndpi_protocol_match host_match[] = {
{ ".ytimg.com", NULL, "\\.ytimg" TLD, "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "youtube-nocookie.", NULL, "youtube-nocookie" TLD, "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { ".vevo.com", NULL, "\\.vevo" TLD, "Vevo", NDPI_PROTOCOL_VEVO, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+ { ".vevo.com", NULL, "\\.vevo" TLD, "Vevo", NDPI_PROTOCOL_VEVO, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
- { ".spotify.", NULL, "\\.spotify" TLD, "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio-fa.scdn.co", NULL, "audio-fa\\.scdn" TLD, "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+ { ".spotify.", NULL, "\\.spotify" TLD, "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
+ { "audio-fa.scdn.co", NULL, "audio-fa\\.scdn" TLD, "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
{ "edge-mqtt.facebook.com", NULL, "edge-mqtt\\.facebook" TLD, "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
{ "messenger.com", NULL, "messenger\\.com" TLD, "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
@@ -8233,11 +8225,11 @@ ndpi_protocol_match host_match[] = {
{ ".torproject.org", NULL, "\\.torproject\\.org$", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
- { ".kakao.com", NULL, "\\.kakao" TLD, "KakaoTalk", NDPI_PROTOCOL_KAKAOTALK, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".kakao.com", NULL, "\\.kakao" TLD, "KakaoTalk", NDPI_PROTOCOL_KAKAOTALK, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
- { "ttvnw.net", NULL, "ttvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "static-cdn.jtvnw.net", NULL, "static-cdn\\.jtvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "www-cdn.jtvnw.net", NULL, "www-cdn\\.jtvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+ { "ttvnw.net", NULL, "ttvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "static-cdn.jtvnw.net", NULL, "static-cdn\\.jtvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "www-cdn.jtvnw.net", NULL, "www-cdn\\.jtvnw" TLD, "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ ".qq.com", NULL, "\\.qq" TLD, "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
{ ".gtimg.com", NULL, "\\.gtimg" TLD, "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
@@ -8250,15 +8242,19 @@ ndpi_protocol_match host_match[] = {
{ ".sina.com.cn", NULL, "\\.sina\\.com\\.cn$", "Sina", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
/* https://support.cipafilter.com/index.php?/Knowledgebase/Article/View/117/0/snapchat---how-to-block */
- { "feelinsonice.appspot.com", NULL, "\\.appspot" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
- { "feelinsonice-hrd.appspot.com", NULL, "feelinsonice-hrd\\.appspot" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
- { "feelinsonice.com", NULL, "\\.feelsonice" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
- { ".snapchat.", NULL, "\\.snapchat" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
- { ".snapads.", NULL, "\\.snapads" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { "feelinsonice.appspot.com", NULL, "\\.appspot" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { "feelinsonice-hrd.appspot.com", NULL, "feelinsonice-hrd\\.appspot" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { "feelinsonice.com", NULL, "\\.feelsonice" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { ".snapchat.", NULL, "\\.snapchat" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { ".snapads.", NULL, "\\.snapads" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { ".sc-cdn.net", NULL, "\\.sc-cdn\\.net" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { ".sc-prod.net", NULL, "\\.sc-prod\\.net" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { ".sc-jpl.com", NULL, "\\.sc-jpl\\.com" TLD, "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+ { "sc-analytics.appspot.com", NULL, "sc-analytics\\.appspot\\.com", "Snapchat", NDPI_PROTOCOL_SNAPCHAT, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ ".waze.com", NULL, "\\.waze" TLD, "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
- { ".deezer.com", NULL, "\\.deezer" TLD, "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
+ { ".deezer.com", NULL, "\\.deezer" TLD, "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
{ ".microsoft.com", NULL, "\\.microsoft" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ "i-msdn.sec.s-msft.com", NULL, "i-msdn.sec\\.s-msft" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8291,9 +8287,9 @@ ndpi_protocol_match host_match[] = {
{ ".ocs.fr", NULL, NULL, "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ ".labgency.ws", NULL, ".labgency" TLD, "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { ".iflix.com", NULL, "\\.iflix" TLD, "IFLIX", NDPI_PROTOCOL_IFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { ".app.iflixcorp.com", NULL, "\\.app\\.iflixcorp" TLD, "IFLIX", NDPI_PROTOCOL_IFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { ".images.iflixassets.com", NULL, "\\.images\\.iflixassets" TLD, "IFLIX", NDPI_PROTOCOL_IFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+ { ".iflix.com", NULL, "\\.iflix" TLD, "IFLIX", NDPI_PROTOCOL_IFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { ".app.iflixcorp.com", NULL, "\\.app\\.iflixcorp" TLD, "IFLIX", NDPI_PROTOCOL_IFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { ".images.iflixassets.com", NULL, "\\.images\\.iflixassets" TLD, "IFLIX", NDPI_PROTOCOL_IFLIX, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ "crl.microsoft.com", NULL, "crl\\.microsoft" TLD, "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ "evsecure-ocsp.verisign.com", NULL, "evsecure-ocsp\\.verisign" TLD,"Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8369,9 +8365,9 @@ ndpi_protocol_match host_match[] = {
{ ".linkedin.com", NULL, "\\.linkedin" TLD, "LinkedIn", NDPI_PROTOCOL_LINKEDIN, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ ".licdn.com", NULL, "\\.licdn" TLD, "LinkedIn", NDPI_PROTOCOL_LINKEDIN, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
- { ".sndcdn.com", NULL, "\\.sndcdn" TLD, "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { ".soundcloud.com", NULL, "\\.soundcloud" TLD, "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
- { "getrockerbox.com", NULL, "getrockerbox" TLD, "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
+ { ".sndcdn.com", NULL, "\\.sndcdn" TLD, "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
+ { ".soundcloud.com", NULL, "\\.soundcloud" TLD, "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
+ { "getrockerbox.com", NULL, "getrockerbox" TLD, "SoundCloud", NDPI_PROTOCOL_SOUNDCLOUD, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
{ "web.telegram.org", NULL, "web\\.telegram" TLD, "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
{ "tdesktop.com", NULL, "tdesktop" TLD, "Telegram", NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8414,71 +8410,16 @@ ndpi_protocol_match host_match[] = {
{ ".playercdn.net", NULL, "\\.playercdn" TLD, "RapidVideo", NDPI_PROTOCOL_GENERIC, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
/* showmax.com video streaming */
- { "showmax.com", NULL, "showmax" TLD, "Showmax", NDPI_PROTOCOL_GENERIC, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "showmax.akamaized.net", NULL, "showmax\\.akamaized" TLD, "Showmax", NDPI_PROTOCOL_GENERIC, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+ { "showmax.com", NULL, "showmax" TLD, "Showmax", NDPI_PROTOCOL_GENERIC, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
+ { "showmax.akamaized.net", NULL, "showmax\\.akamaized" TLD, "Showmax", NDPI_PROTOCOL_GENERIC, NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_FUN },
{ "snapcraft.io", NULL, "snapcraft\\.io" TLD, "UbuntuONE", NDPI_PROTOCOL_UBUNTUONE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "ubuntu.com", NULL, "ubuntu\\.com" TLD, "UbuntuONE", NDPI_PROTOCOL_UBUNTUONE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "signal.org", NULL, "signal\\.org" TLD, "Signal", NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
{ "whispersystems.org", NULL, "whispersystems\\.org" TLD, "Signal", NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
- { NULL, NULL, NULL, 0 }
-};
-
-
-/*
- Mime-type content match match
-*/
-ndpi_protocol_match content_match[] = {
- { "audio/mpeg", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio/x-mpeg", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio/mpeg3", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio/mp4a", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/mpeg", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/nsv", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "misc/ultravox", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio/ogg", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_OGG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/ogg", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_OGG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/ogg", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_OGG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { ".adobe.", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/flv", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/x-flv", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/x-fcs", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/x-shockwave-flash",NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_ACCEPTABLE },
- { "video/flash", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/flv", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "flv-application/octet-stream", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/futuresplash", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_FLASH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/quicktime", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_QUICKTIME, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/mp4", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_QUICKTIME, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/x-m4v", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_QUICKTIME, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio/x-pn-realaudio", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_REALMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/vnd.rn-realmedia", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_REALMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/x-ms-", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "asf", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "asx", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/x-msvideo", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "audio/x-wav", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/vnd.ms.wms-hdr.asfv1", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "NSPlayer/", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "Xbox Live Client/", NULL, NULL, NULL, NDPI_PROTOCOL_XBOX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "Windows-Update-Agent", NULL, NULL, NULL, NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_ACCEPTABLE },
- { "audio/webm", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WEBM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "video/webm", NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_WEBM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/x-rtsp-tunnelled", NULL, NULL, NULL, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/vnd.apple.mpegurl",NULL, NULL, NULL, NDPI_CONTENT_CATEGORY_MPEG, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
- { "application/x-tar", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "application/octet-stream", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "application/mac-binary", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "/x-bzip", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "/x-gzip", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "/x-zip", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "/zip", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "binhex", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "/base64", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "application/gnutar", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
- { "application/x-compressed", NULL, NULL, NULL, NDPI_PROTOCOL_HTTP_DOWNLOAD, NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_ACCEPTABLE },
-
+ { "musical.ly", NULL, "musical\\.ly" TLD, "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "muscdn.com", NULL, "muscndl\\.com" TLD, "TikTok", NDPI_PROTOCOL_TIKTOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ NULL, NULL, NULL, 0 }
};
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e882feaa6..866f65a10 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1,7 +1,7 @@
/*
* ndpi_main.c
*
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -30,7 +30,6 @@
#include <sys/types.h>
#include "ahocorasick.h"
#include "libcache.h"
-#include "lruc.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN
@@ -42,6 +41,10 @@
#include <unistd.h>
#endif
+#if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__
+#include <sys/endian.h>
+#endif
+
#include "ndpi_content_match.c.inc"
#include "third_party/include/ndpi_patricia.h"
#include "third_party/include/ht_hash.h"
@@ -315,6 +318,116 @@ int strncasecmp(s1, s2, n)
/* ****************************************** */
+/* Keep it in order and in sync with ndpi_protocol_category_t in ndpi_typedefs.h */
+static const char* categories[] = {
+ "Unspecified",
+ "Media",
+ "VPN",
+ "Email",
+ "DataTransfer",
+ "Web",
+ "SocialNetwork",
+ "Download-FileTransfer-FileSharing",
+ "Game",
+ "Chat",
+ "VoIP",
+ "Database",
+ "RemoteAccess",
+ "Cloud",
+ "Network",
+ "Collaborative",
+ "RPC",
+ "Streaming",
+ "System",
+ "SoftwareUpdate",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "Music",
+ "Video",
+ "Shopping",
+ "Productivity",
+ "FileSharing",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "",
+ "Mining", /* 99 */
+ "Malware",
+ "Advertisement",
+ "Banned_Site",
+ "Site_Unavailable"
+};
+
+/* ****************************************** */
+
/* Forward */
static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod,
ndpi_port_range *range,
@@ -556,7 +669,7 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod,
ndpi_mod->proto_defaults[protoId].protoId = protoId,
ndpi_mod->proto_defaults[protoId].protoBreed = breed;
ndpi_mod->proto_defaults[protoId].can_have_a_subprotocol = can_have_a_subprotocol;
-
+
memcpy(&ndpi_mod->proto_defaults[protoId].master_tcp_protoId, tcp_master_protoId, 2*sizeof(u_int16_t));
memcpy(&ndpi_mod->proto_defaults[protoId].master_udp_protoId, udp_master_protoId, 2*sizeof(u_int16_t));
@@ -564,7 +677,7 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod,
if(udpDefPorts[j].port_low != 0)
addDefaultPort(ndpi_mod, &udpDefPorts[j],
&ndpi_mod->proto_defaults[protoId], 0, &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
-
+
if(tcpDefPorts[j].port_low != 0)
addDefaultPort(ndpi_mod, &tcpDefPorts[j],
&ndpi_mod->proto_defaults[protoId], 0, &ndpi_mod->tcpRoot, __FUNCTION__,__LINE__);
@@ -677,15 +790,15 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_struc
if(automa->ac_automa == NULL) return(-2);
ac_pattern.astring = value,
- ac_pattern.rep.number = protocol_id,
+ ac_pattern.rep.number = protocol_id,
ac_pattern.rep.category = (u_int16_t)category,
ac_pattern.rep.breed = (u_int16_t)breed;
-
+
#ifdef MATCH_DEBUG
printf("Adding to automa [%s][protocol_id: %u][category: %u][breed: %u]\n",
value, protocol_id, category, breed);
#endif
-
+
if(value == NULL)
ac_pattern.length = 0;
else
@@ -743,14 +856,14 @@ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_mod,
u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO };
ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
static u_int16_t generic_id = NDPI_LAST_IMPLEMENTED_PROTOCOL;
-
+
if(ndpi_mod->proto_defaults[match->protocol_id].protoName == NULL) {
if(match->protocol_id == NDPI_PROTOCOL_GENERIC)
ndpi_mod->proto_defaults[match->protocol_id].protoName = ndpi_strdup(NDPI_CONST_GENERIC_PROTOCOL_NAME);
else
ndpi_mod->proto_defaults[match->protocol_id].protoName = ndpi_strdup(match->proto_name);
-
- ndpi_mod->proto_defaults[match->protocol_id].protoId = match->protocol_id;
+
+ ndpi_mod->proto_defaults[match->protocol_id].protoId = match->protocol_id;
ndpi_mod->proto_defaults[match->protocol_id].protoCategory = match->protocol_category;
ndpi_mod->proto_defaults[match->protocol_id].protoBreed = match->protocol_breed;
@@ -762,7 +875,7 @@ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_mod,
ndpi_mod->proto_defaults[match->protocol_id].protoName,
ndpi_mod->proto_defaults[match->protocol_id].protoCategory,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
}
ndpi_add_host_url_subprotocol(ndpi_mod,
@@ -842,21 +955,21 @@ static int init_hyperscan(struct ndpi_detection_module_struct *ndpi_mod) {
}
need_to_be_free = (unsigned char*)calloc(sizeof(unsigned char), num_patterns + 1);
- if (!need_to_be_free) {
+ if(!need_to_be_free) {
free(expressions);
free(ids);
return(-1);
}
- for (i = 0, j = 0; host_match[i].string_to_match != NULL || host_match[i].pattern_to_match != NULL; i++) {
- if (host_match[i].pattern_to_match) {
+ for(i = 0, j = 0; host_match[i].string_to_match != NULL || host_match[i].pattern_to_match != NULL; i++) {
+ if(host_match[i].pattern_to_match) {
expressions[j] = host_match[i].pattern_to_match;
ids[j] = host_match[i].protocol_id;
need_to_be_free[j] = 0;
++j;
} else {
expressions[j] = string2hex(host_match[i].string_to_match);
- if (expressions[j] != NULL) {
+ if(expressions[j] != NULL) {
ids[j] = host_match[i].protocol_id;
need_to_be_free[j] = 1;
++j;
@@ -871,11 +984,12 @@ static int init_hyperscan(struct ndpi_detection_module_struct *ndpi_mod) {
rc = hyperscan_load_patterns(hs, j, (const char**)expressions, ids);
- for (i = 0; i < j; ++i)
- if (need_to_be_free[i])
+ for(i = 0; i < j; ++i)
+ if(need_to_be_free[i])
free(expressions[i]);
free(expressions), free(ids);
+ free(need_to_be_free);
return(rc);
}
@@ -911,16 +1025,10 @@ static void init_string_based_protocols(struct ndpi_detection_module_struct *ndp
for(i=0; host_match[i].string_to_match != NULL; i++)
ndpi_init_protocol_match(ndpi_mod, &host_match[i]);
-#ifdef MATCH_DEBUG
+#ifdef MATCH_DEBUG
// ac_automata_display(ndpi_mod->host_automa.ac_automa, 'n');
#endif
- for(i=0; content_match[i].string_to_match != NULL; i++)
- ndpi_add_content_subprotocol(ndpi_mod, content_match[i].string_to_match,
- content_match[i].protocol_id,
- content_match[i].protocol_category,
- content_match[i].protocol_breed);
-
for(i=0; ndpi_en_bigrams[i] != NULL; i++)
ndpi_string_to_automa(ndpi_mod, &ndpi_mod->bigrams_automa,
(char*)ndpi_en_bigrams[i],
@@ -942,8 +1050,8 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod
ndpi_mod->http_dont_dissect_response = (u_int8_t)value;
break;
- case ndpi_pref_dns_dissect_response:
- ndpi_mod->dns_dissect_response = (u_int8_t)value;
+ case ndpi_pref_dns_dont_dissect_response:
+ ndpi_mod->dns_dont_dissect_response = (u_int8_t)value;
break;
case ndpi_pref_direction_detect_disable:
@@ -957,7 +1065,7 @@ int ndpi_set_detection_preferences(struct ndpi_detection_module_struct *ndpi_mod
case ndpi_pref_enable_category_substring_match:
ndpi_mod->enable_category_substring_match = (u_int8_t)value;
break;
-
+
default:
return(-1);
}
@@ -1155,7 +1263,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 902, 903, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_FBZERO,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "FacebookZero", NDPI_PROTOCOL_CATEGORY_WEB,
+ no_master, "FacebookZero", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK,
ndpi_build_default_ports(ports_a, 443, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_KONTIKI,
@@ -1198,14 +1306,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_49,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TIKTOK,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Free_49", NDPI_PROTOCOL_CATEGORY_VOIP,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_49,
- 0 /* can_have_a_subprotocol */, no_master,
- no_master, "SkypeCall", NDPI_PROTOCOL_CATEGORY_VOIP,
+ no_master, "TikTok", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO,
@@ -1238,11 +1341,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "NestLogSink", NDPI_PROTOCOL_CATEGORY_CLOUD,
ndpi_build_default_ports(ports_a, 11095, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_44,
- 0 /* can_have_a_subprotocol */, no_master,
- no_master, "Free", NDPI_PROTOCOL_CATEGORY_CUSTOM_1 /* dummy */,
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MODBUS,
+ 1 /* no subprotocol */, no_master,
+ no_master, "Modbus", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */
+ ndpi_build_default_ports(ports_a, 502, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_45,
0 /* can_have_a_subprotocol */, no_master,
no_master, "Free", NDPI_PROTOCOL_CATEGORY_CUSTOM_1 /* dummy */,
@@ -1268,9 +1371,14 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "Free", NDPI_PROTOCOL_CATEGORY_CUSTOM_1 /* dummy */,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_VIDTO,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_206,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "PPStream", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "Free", NDPI_PROTOCOL_CATEGORY_CUSTOM_1 /* dummy */,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PPSTREAM,
+ 0 /* can_have_a_subprotocol */, no_master,
+ no_master, "PPStream", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
@@ -1306,27 +1414,27 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ZATTOO,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Zattoo", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "Zattoo", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SHOUTCAST,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "ShoutCast", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "ShoutCast", NDPI_PROTOCOL_CATEGORY_MUSIC,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SOPCAST,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Sopcast", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "Sopcast", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TVANTS,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Tvants", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "Tvants", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TVUPLAYER,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "TVUplayer", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "TVUplayer", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP_DOWNLOAD,
@@ -1336,7 +1444,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_QQLIVE,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "QQLive", NDPI_PROTOCOL_CATEGORY_MEDIA,
+ no_master, "QQLive", NDPI_PROTOCOL_CATEGORY_VIDEO,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_THUNDER,
@@ -1699,7 +1807,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
0 /* can_have_a_subprotocol */, no_master,
no_master, "UPnP", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 1780, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 1900, 0, 0, 0, 0) /* UDP */); /* Missing dissector: port based only */
+ ndpi_build_default_ports(ports_b, 1900, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TELEGRAM,
0 /* can_have_a_subprotocol */, no_master,
no_master, "Telegram", NDPI_PROTOCOL_CATEGORY_CHAT,
@@ -1727,7 +1835,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SPOTIFY,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Spotify", NDPI_PROTOCOL_CATEGORY_STREAMING,
+ no_master, "Spotify", NDPI_PROTOCOL_CATEGORY_MUSIC,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LISP,
@@ -1784,7 +1892,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 10000, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEAMSPEAK,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "TeamSpeak", NDPI_PROTOCOL_CATEGORY_CHAT,
+ no_master, "TeamSpeak", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKINNY,
@@ -1879,7 +1987,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VIBER,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "Viber", NDPI_PROTOCOL_CATEGORY_CHAT,
+ no_master, "Viber", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 7985, 5242, 5243, 4244, 0), /* TCP */
ndpi_build_default_ports(ports_b, 7985, 7987, 5242, 5243, 4244)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_COAP,
@@ -1914,7 +2022,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HANGOUT,
0 /* can_have_a_subprotocol */, no_master,
- no_master, "GoogleHangout", NDPI_PROTOCOL_CATEGORY_CHAT,
+ no_master, "GoogleHangout", NDPI_PROTOCOL_CATEGORY_VOIP,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BJNP,
@@ -1981,7 +2089,7 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
char buf[64] = { '\0' };
int min_buf_len = (txt->length > 63 /* sizeof(buf)-1 */) ? 63 : txt->length;
u_int buf_len = strlen(buf);
-
+
strncpy(buf, txt->astring, min_buf_len);
buf[min_buf_len] = '\0';
@@ -1991,21 +2099,42 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) {
m->match_num, m->patterns->astring);
#endif
+ {
+ char *whatfound = strstr(buf, m->patterns->astring);
+
+#ifdef MATCH_DEBUG
+ printf("[NDPI] %s() [searching=%s][pattern=%s][%s][%c]\n",
+ __FUNCTION__, buf, m->patterns->astring,
+ whatfound ? whatfound : "<NULL>",
+ whatfound[-1]);
+#endif
+
+ /*
+ The patch below allows in case of pattern ws.amazon.com
+ to avoid matching aws.amazon.com whereas a.ws.amazon.com
+ has to match
+ */
+ if(whatfound && (whatfound != buf)
+ && (m->patterns->astring[0] != '.') /* The searched patter does not start with . */
+ && strchr(m->patterns->astring, '.') /* The matched pattern has a . (e.g. numeric or sym IPs) */
+ && (whatfound[-1] != '.')
+ )
+ return(0);
+ }
+
/*
Return 1 for stopping to the first match.
We might consider searching for the more
specific match, paying more cpu cycles.
*/
-
memcpy(match, &m->patterns[0].rep, sizeof(AC_REP_t));
if(((buf_len >= min_len) && (strncmp(&buf[buf_len-min_len], m->patterns->astring, min_len) == 0))
|| (strncmp(buf, m->patterns->astring, min_len) == 0) /* begins with */
- )
- {
+ ) {
#ifdef MATCH_DEBUG
printf("Found match [%s][%s] [len: %u][proto_id: %u]\n",
- buf, m->patterns->astring, min_len, *matching_protocol_id);
+ buf, m->patterns->astring, min_len , *matching_protocol_id);
#endif
return(1); /* If the pattern found matches the string at the beginning we stop here */
} else
@@ -2224,6 +2353,12 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) {
ndpi_str->bigrams_automa.ac_automa = ac_automata_init(ac_match_handler);
ndpi_str->impossible_bigrams_automa.ac_automa = ac_automata_init(ac_match_handler);
+ if((sizeof(categories)/sizeof(char*)) != NDPI_PROTOCOL_NUM_CATEGORIES) {
+ NDPI_LOG_ERR(ndpi_str, "[NDPI] invalid categories length: expected %u, got %u\n",
+ NDPI_PROTOCOL_NUM_CATEGORIES, (unsigned int)(sizeof(categories)/sizeof(char*)));
+ return(NULL);
+ }
+
#ifdef HAVE_HYPERSCAN
ndpi_str->custom_categories.num_to_load = 0, ndpi_str->custom_categories.to_load = NULL;
ndpi_str->custom_categories.hostnames = NULL;
@@ -2233,7 +2368,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) {
#endif
ndpi_str->custom_categories.hostnames_hash = NULL;
-
+
ndpi_str->custom_categories.ipAddresses = ndpi_New_Patricia(32 /* IPv4 */);
ndpi_str->custom_categories.ipAddresses_shadow = ndpi_New_Patricia(32 /* IPv4 */);
@@ -2302,7 +2437,7 @@ int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id
AC_TEXT_t ac_input_text;
AC_AUTOMATA_t *automa = (AC_AUTOMATA_t*)_automa;
AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
-
+
*id = -1;
if((automa == NULL)
|| (string_to_match == NULL)
@@ -2314,7 +2449,7 @@ int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id
ac_automata_reset(automa);
*id = match.number;
-
+
return(*id != NDPI_PROTOCOL_UNKNOWN ? 0 : -1);
}
@@ -2338,11 +2473,14 @@ static int hyperscanCustomEventHandler(unsigned int id,
/* *********************************************** */
-static int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
- char *name, unsigned long *id) {
- /* printf("[NDPI] %s(%s)\n", __FUNCTION__, name); */
+int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_struct,
+ char *name, unsigned long *id) {
+#ifdef DEBUG
+ printf("[NDPI] %s(%s) [enable_category_substring_match: %u]\n",
+ __FUNCTION__, name, ndpi_struct->enable_category_substring_match);
+#endif
- if(!ndpi_struct->enable_category_substring_match) {
+ if(ndpi_struct->enable_category_substring_match == 0) {
if(ndpi_struct->custom_categories.hostnames_hash == NULL)
return(-1);
else {
@@ -2380,7 +2518,7 @@ static int ndpi_match_custom_category(struct ndpi_detection_module_struct *ndpi_
/* *********************************************** */
int ndpi_get_custom_category_match(struct ndpi_detection_module_struct *ndpi_struct,
- char *name_or_ip, unsigned long *id) {
+ char *name_or_ip, unsigned long *id) {
char ipbuf[64];
struct in_addr pin;
@@ -2433,11 +2571,11 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_struct
cache_free((cache_t)(ndpi_struct->tinc_cache));
if(ndpi_struct->ookla_cache)
- lruc_free((lruc*)ndpi_struct->ookla_cache);
+ ndpi_lru_free_cache(ndpi_struct->ookla_cache);
if(ndpi_struct->protocols_ptree)
ndpi_Destroy_Patricia((patricia_tree_t*)ndpi_struct->protocols_ptree, free_ptree_data);
-
+
if(ndpi_struct->udpRoot != NULL)
ndpi_tdestroy(ndpi_struct->udpRoot, ndpi_free);
if(ndpi_struct->tcpRoot != NULL)
@@ -2483,7 +2621,7 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_struct
if(ndpi_struct->custom_categories.hostnames_hash)
ht_free((hashtable_t*)ndpi_struct->custom_categories.hostnames_hash);
-
+
ndpi_free(ndpi_struct);
}
}
@@ -2496,7 +2634,7 @@ int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct *ndpi_
u_int16_t** udp_master_proto) {
if(protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS)) {
*tcp_master_proto = ndpi_struct->proto_defaults[NDPI_PROTOCOL_UNKNOWN].master_tcp_protoId,
- *udp_master_proto = ndpi_struct->proto_defaults[NDPI_PROTOCOL_UNKNOWN].master_udp_protoId;
+ *udp_master_proto = ndpi_struct->proto_defaults[NDPI_PROTOCOL_UNKNOWN].master_udp_protoId;
return(-1);
}
@@ -2644,7 +2782,7 @@ char * strsep(char **sp, char *sep)
/* ******************************************************************** */
-int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
+int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
char* rule, u_int8_t do_add) {
char *at, *proto, *elem;
ndpi_proto_defaults_t *def;
@@ -2731,7 +2869,8 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
if(sscanf(value, "%u-%u", (u_int32_t *)&range.port_low, (u_int32_t *)&range.port_high) != 2)
range.port_low = range.port_high = atoi(&elem[4]);
if(do_add)
- addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
+ addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */,
+ is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__);
else
removeDefaultPort(&range, def, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot);
} else if(is_ip) {
@@ -2762,31 +2901,68 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod,
*/
int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char* path) {
- FILE *fd = fopen(path, "r");
- int i;
+ FILE *fd;
+ char *buffer, *old_buffer;
+ int chunk_len = 512, buffer_len = chunk_len, old_buffer_len;
+ int i, rc = -1;
+
+ fd = fopen(path, "r");
if(fd == NULL) {
NDPI_LOG_ERR(ndpi_mod, "Unable to open file %s [%s]", path, strerror(errno));
- return(-1);
+ goto error;
+ }
+
+ buffer = ndpi_malloc(buffer_len);
+
+ if(buffer == NULL) {
+ NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure");
+ goto close_fd;
}
while(fd) {
- char buffer[512], *line;
+ char *line = buffer;
+ int line_len = buffer_len;
- if(!(line = fgets(buffer, sizeof(buffer), fd)))
+ while((line = fgets(line, line_len, fd)) != NULL && line[strlen(line)-1] != '\n') {
+ i = strlen(line);
+ old_buffer = buffer;
+ old_buffer_len = buffer_len;
+ buffer_len += chunk_len;
+
+ buffer = ndpi_realloc(old_buffer, old_buffer_len, buffer_len);
+
+ if(buffer == NULL) {
+ NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure");
+ free(old_buffer);
+ goto close_fd;
+ }
+
+ line = &buffer[i];
+ line_len = chunk_len;
+ }
+
+ if(!line) /* safety check */
break;
- if(((i = strlen(line)) <= 1) || (line[0] == '#'))
+ i = strlen(buffer);
+ if((i <= 1) || (buffer[0] == '#'))
continue;
else
- line[i-1] = '\0';
+ buffer[i-1] = '\0';
- ndpi_handle_rule(ndpi_mod, line, 1);
+ ndpi_handle_rule(ndpi_mod, buffer, 1);
}
+ rc = 0;
+
+ free(buffer);
+
+ close_fd:
fclose(fd);
- return(0);
+ error:
+ return(rc);
}
/* ******************************************************************** */
@@ -3285,6 +3461,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* NINTENDO */
init_nintendo_dissector(ndpi_struct, &a, detection_bitmask);
+ /* MODBUS */
+ init_modbus_dissector(ndpi_struct, &a, detection_bitmask);
+
/*** Put false-positive sensitive protocols at the end ***/
/* SKYPE */
@@ -3641,18 +3820,18 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str
&& flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
u_int8_t backup;
u_int16_t backup1, backup2;
-
+
if(flow->http.url) ndpi_free(flow->http.url);
if(flow->http.content_type) ndpi_free(flow->http.content_type);
backup = flow->num_processed_pkts;
backup1 = flow->guessed_protocol_id;
- backup2 = flow->guessed_host_protocol_id;
+ backup2 = flow->guessed_host_protocol_id;
memset(flow, 0, sizeof(*(flow)));
flow->num_processed_pkts = backup;
flow->guessed_protocol_id = backup1;
flow->guessed_host_protocol_id = backup2;
-
+
NDPI_LOG_DBG(ndpi_struct,
"tcp syn packet for unknown protocol, reset detection state\n");
}
@@ -3690,7 +3869,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct,
if(ndpi_struct->direction_detect_disable) {
packet->packet_direction = flow->packet_direction;
} else {
- if(iph != NULL && iph->saddr < iph->daddr)
+ if(iph != NULL && le32toh(iph->saddr) < le32toh(iph->daddr))
packet->packet_direction = 1;
#ifdef NDPI_DETECTION_SUPPORT_IPV6
@@ -3714,7 +3893,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct,
packet->num_retried_bytes = 0;
if(!ndpi_struct->direction_detect_disable)
- packet->packet_direction = (tcph->source < tcph->dest) ? 1 : 0;
+ packet->packet_direction = (le16toh(tcph->source) < le16toh(tcph->dest)) ? 1 : 0;
if(tcph->syn != 0 && tcph->ack == 0 && flow->l4.tcp.seen_syn == 0 && flow->l4.tcp.seen_syn_ack == 0
&& flow->l4.tcp.seen_ack == 0) {
@@ -3778,7 +3957,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct,
}
} else if(udph != NULL) {
if(!ndpi_struct->direction_detect_disable)
- packet->packet_direction = (udph->source < udph->dest) ? 1 : 0;
+ packet->packet_direction = (le16toh(udph->source) < le16toh(udph->dest)) ? 1 : 0;
}
if(flow->packet_counter < MAX_PACKET_COUNTER && packet->payload_packet_len) {
@@ -3898,8 +4077,7 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
if((proto_id != NDPI_PROTOCOL_UNKNOWN)
&& NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask,
ndpi_struct->callback_buffer[proto_index].excluded_protocol_bitmask) == 0
- && NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer[proto_index].detection_bitmask,
- detection_bitmask) != 0
+ && NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer[proto_index].detection_bitmask, detection_bitmask) != 0
&& (ndpi_struct->callback_buffer[proto_index].ndpi_selection_bitmask & *ndpi_selection_packet) == ndpi_struct->callback_buffer[proto_index].ndpi_selection_bitmask) {
if((flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
&& (ndpi_struct->proto_defaults[flow->guessed_protocol_id].func != NULL))
@@ -3917,7 +4095,6 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
detection_bitmask) != 0) {
ndpi_struct->callback_buffer_tcp_payload[a].func(ndpi_struct, flow);
-
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
}
@@ -3988,24 +4165,91 @@ static u_int16_t ndpi_guess_host_protocol_id(struct ndpi_detection_module_struct
/* ********************************************************************************* */
+static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ ndpi_protocol ret;
+ ndpi_protocol_match_result ret_match;
+
+ ret.master_protocol = flow->guessed_protocol_id;
+ ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow,
+ (char *)flow->host_server_name,
+ strlen((const char*)flow->host_server_name),
+ &ret_match,
+ flow->guessed_protocol_id);
+
+ if(flow->category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)
+ ret.category = flow->category;
+ else
+ ret.category = ret_match.protocol_category;
+
+ if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
+ ret.app_protocol = ret.master_protocol;
+
+ ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
+ ndpi_int_change_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol);
+
+ return(ret);
+}
+
+/* ********************************************************************************* */
+
+/*
+ You can call this function at any time in case of unknown match to see if there is
+ a partial match that has been prevented by the current nDPI preferences configuration
+ */
+ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ if((flow->guessed_protocol_id == NDPI_PROTOCOL_HTTP)
+ && (ndpi_struct->http_dont_dissect_response == 0)
+ && (flow->host_server_name[0] != '\0')
+ && (!NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_host_protocol_id)))
+ return(ndpi_process_partial_detection(ndpi_struct, flow));
+ else if((flow->guessed_protocol_id == NDPI_PROTOCOL_DNS)
+ && (ndpi_struct->dns_dont_dissect_response == 0)
+ && (flow->host_server_name[0] != '\0')
+ && (!NDPI_ISSET(&flow->excluded_protocol_bitmask, flow->guessed_host_protocol_id)))
+ return(ndpi_process_partial_detection(ndpi_struct, flow));
+ else {
+ ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN,
+ NDPI_PROTOCOL_UNKNOWN,
+ NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
+
+ if(flow) ret.category = flow->category;
+
+ return(ret);
+ }
+}
+
+/* ********************************************************************************* */
+
ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, u_int8_t enable_guess) {
ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED };
- if(flow == NULL) return(ret);
-
+ if(flow == NULL)
+ return(ret);
+ else
+ ret.category = flow->category;
+
/* TODO: add the remaining stage_XXXX protocols */
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
u_int16_t guessed_protocol_id, guessed_host_protocol_id;
if(flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)
goto check_stun_export;
- else if((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
+ else if((flow->l4.tcp.ssl_seen_client_cert == 1)
+ && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN);
} else {
- if(!enable_guess)
- return(ret);
-
+ ndpi_protocol ret_g = ndpi_get_partial_detection(ndpi_struct, flow);
+
+ if(ret_g.master_protocol != NDPI_PROTOCOL_UNKNOWN)
+ return(ret_g);
+ else {
+ if(!enable_guess)
+ return(ret);
+ }
+
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
&& (flow->packet.l4_protocol == IPPROTO_TCP)
&& (flow->l4.tcp.ssl_stage > 1))
@@ -4019,7 +4263,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
&& is_udp_guessable_protocol(guessed_host_protocol_id)
))
flow->guessed_host_protocol_id = guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN;
-
+
/* Ignore guessed protocol if they have been discarded */
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
// && (guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)
@@ -4030,7 +4274,6 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
|| (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
-
if((guessed_protocol_id == 0)
&& (flow->protos.stun_ssl.stun.num_binding_requests > 0)
&& (flow->protos.stun_ssl.stun.num_processed_pkts > 0))
@@ -4069,7 +4312,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
else if(ret.app_protocol == NDPI_PROTOCOL_GOOGLE)
ret.app_protocol = NDPI_PROTOCOL_HANGOUT;
}
-
+
if(enable_guess
&& (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN)
&& flow->packet.iph /* Guess only IPv4 */
@@ -4083,7 +4326,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
ntohl(flow->packet.iph->daddr),
ntohs(flow->packet.udp ? flow->packet.udp->dest : flow->packet.tcp->dest)
);
-
+
ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
return(ret);
@@ -4176,15 +4419,15 @@ int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct
if(ndpi_struct->custom_categories.hostnames_hash)
ht_set((hashtable_t*)ndpi_struct->custom_categories.hostnames_hash, name, (u_int16_t)category);
-
- return(0);
+
+ return(0);
} else {
AC_PATTERN_t ac_pattern;
-
+
/* printf("===> Loading %s as %u\n", name, category); */
memset(&ac_pattern, 0, sizeof(ac_pattern));
-
+
#ifdef HAVE_HYPERSCAN
{
struct hs_list *h = (struct hs_list*)malloc(sizeof(struct hs_list));
@@ -4224,7 +4467,7 @@ int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct
ac_automata_add(ndpi_struct->custom_categories.hostnames_shadow.ac_automa, &ac_pattern);
#endif
}
-
+
return(0);
}
@@ -4304,35 +4547,36 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str)
ndpi_str->custom_categories.hostnames_shadow.ac_automa = ac_automata_init(ac_match_handler);
#endif
}
-
+
if(ndpi_str->custom_categories.ipAddresses != NULL)
- ndpi_Destroy_Patricia((patricia_tree_t*)ndpi_str->custom_categories.ipAddresses,
+ ndpi_Destroy_Patricia((patricia_tree_t*)ndpi_str->custom_categories.ipAddresses,
free_ptree_data);
ndpi_str->custom_categories.ipAddresses = ndpi_str->custom_categories.ipAddresses_shadow;
ndpi_str->custom_categories.ipAddresses_shadow = ndpi_New_Patricia(32 /* IPv4 */);
ndpi_str->custom_categories.categories_loaded = 1;
-
+
return(0);
}
/* ********************************************************************************* */
int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_iphdr *iph,
+ u_int32_t saddr,
+ u_int32_t daddr,
ndpi_protocol *ret) {
if(ndpi_struct->custom_categories.categories_loaded) {
prefix_t prefix;
patricia_node_t *node;
/* Make sure all in network byte order otherwise compares wont work */
- fill_prefix_v4(&prefix, (struct in_addr *)&iph->saddr,
+ fill_prefix_v4(&prefix, (struct in_addr *)&saddr,
32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix);
if(!node) {
- fill_prefix_v4(&prefix, (struct in_addr *)&iph->daddr,
+ fill_prefix_v4(&prefix, (struct in_addr *)&daddr,
32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix);
}
@@ -4347,12 +4591,14 @@ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_str
return 0;
}
+/* ********************************************************************************* */
+
void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol *ret) {
if(ndpi_struct->custom_categories.categories_loaded) {
if(flow->packet.iph) {
- if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph, ret)) {
+ if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, ret)) {
flow->category = ret->category;
return;
}
@@ -4397,12 +4643,15 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE)
NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN,
- ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
+ ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n");
+
if(flow == NULL)
return(ret);
-
+ else
+ ret.category = flow->category;
+
flow->num_processed_pkts++;
-
+
if(flow->server_id == NULL) flow->server_id = dst; /* Default */
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
goto ret_protocols;
@@ -4525,7 +4774,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
break;
}
}
-
+
ndpi_check_flow_func(ndpi_struct, flow, &ndpi_selection_packet);
ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
@@ -4728,14 +4977,13 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
{
u_int32_t a;
struct ndpi_packet_struct *packet = &flow->packet;
+
if(packet->packet_lines_parsed_complete != 0)
return;
packet->packet_lines_parsed_complete = 1;
packet->parsed_lines = 0;
-
packet->empty_line_position_set = 0;
-
packet->host_line.ptr = NULL;
packet->host_line.len = 0;
packet->referer_line.ptr = NULL;
@@ -4776,7 +5024,6 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
packet->line[packet->parsed_lines].len = 0;
for(a = 0; a < packet->payload_packet_len; a++) {
-
if((a + 1) == packet->payload_packet_len)
return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */
@@ -4785,22 +5032,28 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc
/* First line of a HTTP response parsing. Expected a "HTTP/1.? ???" */
if(packet->parsed_lines == 0 && packet->line[0].len >= NDPI_STATICSTRING_LEN("HTTP/1.X 200 ") &&
- strncasecmp((const char *)packet->line[0].ptr, "HTTP/1.", NDPI_STATICSTRING_LEN("HTTP/1.")) == 0 &&
- packet->line[0].ptr[NDPI_STATICSTRING_LEN("HTTP/1.X ")] > '0' && /* response code between 000 and 699 */
- packet->line[0].ptr[NDPI_STATICSTRING_LEN("HTTP/1.X ")] < '6') {
-
- packet->http_response.ptr = &packet->line[0].ptr[NDPI_STATICSTRING_LEN("HTTP/1.1 ")];
- packet->http_response.len = packet->line[0].len - NDPI_STATICSTRING_LEN("HTTP/1.1 ");
- packet->http_num_headers++;
-
- /* Set server HTTP response code */
- strncpy((char*)flow->http.response_status_code, (char*)packet->http_response.ptr, 3);
- flow->http.response_status_code[4]='\0';
-
- NDPI_LOG_DBG2(ndpi_struct,
- "ndpi_parse_packet_line_info: HTTP response parsed: \"%.*s\"\n",
- packet->http_response.len, packet->http_response.ptr);
+ strncasecmp((const char *)packet->line[0].ptr, "HTTP/1.", NDPI_STATICSTRING_LEN("HTTP/1.")) == 0 &&
+ packet->line[0].ptr[NDPI_STATICSTRING_LEN("HTTP/1.X ")] > '0' && /* response code between 000 and 699 */
+ packet->line[0].ptr[NDPI_STATICSTRING_LEN("HTTP/1.X ")] < '6') {
+ packet->http_response.ptr = &packet->line[0].ptr[NDPI_STATICSTRING_LEN("HTTP/1.1 ")];
+ packet->http_response.len = packet->line[0].len - NDPI_STATICSTRING_LEN("HTTP/1.1 ");
+ packet->http_num_headers++;
+
+ /* Set server HTTP response code */
+ if(packet->payload_packet_len >= 12) {
+ char buf[4];
+
+ /* Set server HTTP response code */
+ strncpy(buf, (char*)&packet->payload[9], 3);
+ buf[3] = '\0';
+
+ flow->http.response_status_code = atoi(buf);
+ /* https://en.wikipedia.org/wiki/List_of_HTTP_status_codes */
+ if((flow->http.response_status_code < 100) || (flow->http.response_status_code > 509))
+ flow->http.response_status_code = 0; /* Out of range */
+ }
}
+
/* "Server:" header line in HTTP response */
if(packet->line[packet->parsed_lines].len > NDPI_STATICSTRING_LEN("Server:") + 1
&& strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Server:", NDPI_STATICSTRING_LEN("Server:")) == 0) {
@@ -5219,7 +5472,7 @@ void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
}
}
}
-
+
ndpi_int_change_flow_protocol(ndpi_struct, flow,
upper_detected_protocol, lower_detected_protocol);
ndpi_int_change_packet_protocol(ndpi_struct, flow,
@@ -5250,9 +5503,8 @@ void ndpi_int_reset_protocol(struct ndpi_flow_struct *flow) {
if(flow) {
int a;
- for(a = 0; a < NDPI_PROTOCOL_SIZE; a++) {
+ for(a = 0; a < NDPI_PROTOCOL_SIZE; a++)
flow->detected_protocol_stack[a] = NDPI_PROTOCOL_UNKNOWN;
- }
}
}
@@ -5474,10 +5726,10 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
ret.app_protocol = rc,
ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, NULL, proto, sport,
dport, &user_defined_proto);
-
+
if(ret.app_protocol == ret.master_protocol)
ret.master_protocol = NDPI_PROTOCOL_UNKNOWN;
-
+
ret.category = ndpi_get_proto_category(ndpi_struct, ret);
return(ret);
}
@@ -5491,7 +5743,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
;
else {
ret.app_protocol = rc;
-
+
if(rc == NDPI_PROTOCOL_SSL)
goto check_guessed_skype;
else {
@@ -5514,7 +5766,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
ret.app_protocol = ndpi_guess_protocol_id(ndpi_struct, NULL, proto, sport,
dport, &user_defined_proto);
- ret.category = ndpi_get_proto_category(ndpi_struct, ret);
+ ret.category = ndpi_get_proto_category(ndpi_struct, ret);
return(ret);
}
@@ -5608,129 +5860,12 @@ void ndpi_category_set_name(struct ndpi_detection_module_struct *ndpi_mod,
/* ****************************************************** */
-/* Keep it in order and in sync with ndpi_protocol_category_t in ndpi_typedefs.h */
-static const char* categories[] = {
- "Unspecified",
- "Media",
- "VPN",
- "Email",
- "DataTransfer",
- "Web",
- "SocialNetwork",
- "Download-FileTransfer-FileSharing",
- "Game",
- "Chat",
- "VoIP",
- "Database",
- "RemoteAccess",
- "Cloud",
- "Network",
- "Collaborative",
- "RPC",
- "Streaming",
- "System",
- "SoftwareUpdate",
- "",
- "",
- "",
- "",
- "",
- "AVI",
- "Flash",
- "OGG",
- "MPEG",
- "QuickTime",
- "RealMedia",
- "WindowsMedia",
- "Webm", /* 32 */
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "",
- "",
- "",
- "",
- "",
- "",
- "",
- "",
-
- "Mining", /* 99 */
- "Malware",
- "Advertisement",
- "Banned_Site",
- "Site_Unavailable"
-};
-
const char* ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_mod,
ndpi_protocol_category_t category) {
if((!ndpi_mod) || (category >= NDPI_PROTOCOL_NUM_CATEGORIES))
return(NULL);
- if((category < NDPI_PROTOCOL_CATEGORY_CUSTOM_1) || (category >= CUSTOM_CATEGORY_MINING))
- return(categories[category]);
- else {
+ if((category >= NDPI_PROTOCOL_CATEGORY_CUSTOM_1) && (category <= NDPI_PROTOCOL_CATEGORY_CUSTOM_5)) {
switch(category) {
case NDPI_PROTOCOL_CATEGORY_CUSTOM_1:
return(ndpi_mod->custom_category_labels[0]);
@@ -5747,7 +5882,8 @@ const char* ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_mod
default:
return("Unspecified");
}
- }
+ } else
+ return(categories[category]);
}
/* ****************************************************** */
@@ -5872,7 +6008,7 @@ char* ndpi_strnstr(const char *s, const char *find, size_t slen) {
} while(strncmp(s, find, len) != 0);
s--;
}
-
+
return((char *)s);
}
@@ -5920,7 +6056,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru
ndpi_automa *automa = is_host_match ? &ndpi_struct->host_automa :
&ndpi_struct->content_automa;
AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED };
-
+
if((automa->ac_automa == NULL) || (string_to_match_len == 0))
return(NDPI_PROTOCOL_UNKNOWN);
@@ -5928,15 +6064,15 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru
ac_automata_finalize((AC_AUTOMATA_t*)automa->ac_automa);
automa->ac_automa_finalized = 1;
}
-
+
ac_input_text.astring = string_to_match, ac_input_text.length = string_to_match_len;
ac_automata_search(((AC_AUTOMATA_t*)automa->ac_automa), &ac_input_text, &match);
ac_automata_reset(((AC_AUTOMATA_t*)automa->ac_automa));
-
+
ret_match->protocol_id = match.number,
ret_match->protocol_category = match.category,
ret_match->protocol_breed = match.breed;
-
+
return(match.number);
}
@@ -5971,7 +6107,6 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str
matching_protocol_id = ndpi_match_string_subprotocol(ndpi_struct, string_to_match,
string_to_match_len, ret_match,
is_host_match);
-
#else
struct hs *hs = (struct hs*)ndpi_struct->hyperscan;
hs_error_t status;
@@ -6173,6 +6308,48 @@ void ndpi_set_log_level(struct ndpi_detection_module_struct *ndpi_mod, u_int l)
/* ******************************************************************** */
+/* LRU cache */
+
+struct ndpi_lru_cache* ndpi_lru_cache_init(u_int32_t num_entries) {
+ struct ndpi_lru_cache *c = (struct ndpi_lru_cache*)malloc(sizeof(struct ndpi_lru_cache));
+
+ if(!c) return(NULL);
+
+ c->entries = (u_int32_t*)calloc(num_entries, sizeof(u_int32_t));
+
+ if(!c->entries) {
+ free(c);
+ return(NULL);
+ } else
+ c->num_entries = num_entries;
+
+ return(c);
+}
+
+void ndpi_lru_free_cache(struct ndpi_lru_cache *c) {
+ free(c->entries);
+ free(c);
+}
+
+
+u_int8_t ndpi_lru_find_cache(struct ndpi_lru_cache *c, u_int32_t key, u_int8_t clean_key_when_found) {
+ u_int32_t slot = key % c->num_entries;
+
+ if(c->entries[slot] == key) {
+ if(clean_key_when_found) c->entries[slot] = 0;
+ return(1);
+ } else
+ return(0);
+}
+
+void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key) {
+ u_int32_t slot = key % c->num_entries;
+
+ c->entries[slot] = key;
+}
+
+/* ******************************************************************** */
+
/*
NOTE:
- Leave fields empty/zero when information is missing (e.g. with ICMP ports are zero)
diff --git a/src/lib/protocols/apple_push.c b/src/lib/protocols/apple_push.c
index 6930dba86..45346e07b 100644
--- a/src/lib/protocols/apple_push.c
+++ b/src/lib/protocols/apple_push.c
@@ -31,20 +31,22 @@ static void ndpi_check_apple_push(struct ndpi_detection_module_struct *ndpi_stru
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
- /* https://support.apple.com/en-us/HT203609 */
- if(((ntohl(packet->iph->saddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000 /* 17.0.0.0/8 */)
- || ((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000 /* 17.0.0.0/8 */)) {
- u_int16_t apple_push_port = ntohs(5223);
- u_int16_t notification_apn_port = ntohs(2195);
- u_int16_t apn_feedback_port = ntohs(2196);
-
- if(((packet->tcp->source == apple_push_port) || (packet->tcp->dest == apple_push_port))
- || ((packet->tcp->source == notification_apn_port) || (packet->tcp->dest == notification_apn_port))
- || ((packet->tcp->source == apn_feedback_port) || (packet->tcp->dest == apn_feedback_port))
- ) {
- NDPI_LOG_INFO(ndpi_struct, "found apple_push\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_UNKNOWN);
- return;
+ if(packet->iph) {
+ /* https://support.apple.com/en-us/HT203609 */
+ if(((ntohl(packet->iph->saddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000 /* 17.0.0.0/8 */)
+ || ((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000 /* 17.0.0.0/8 */)) {
+ u_int16_t apple_push_port = ntohs(5223);
+ u_int16_t notification_apn_port = ntohs(2195);
+ u_int16_t apn_feedback_port = ntohs(2196);
+
+ if(((packet->tcp->source == apple_push_port) || (packet->tcp->dest == apple_push_port))
+ || ((packet->tcp->source == notification_apn_port) || (packet->tcp->dest == notification_apn_port))
+ || ((packet->tcp->source == apn_feedback_port) || (packet->tcp->dest == apn_feedback_port))
+ ) {
+ NDPI_LOG_INFO(ndpi_struct, "found apple_push\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
}
}
diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c
index 5ac8cb80e..cf5061bbe 100644
--- a/src/lib/protocols/coap.c
+++ b/src/lib/protocols/coap.c
@@ -129,7 +129,7 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct,
// check values in header
if(h->version == 1) {
if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) {
- if(h->tkl == 0 || h->tkl < 8) {
+ if(h->tkl < 8) {
if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) ||
(h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) ||
(h->code >= 160 && h->code <= 165)) {
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index 90be9544c..1c2593feb 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -36,9 +36,9 @@
static u_int16_t get16(int *i, const u_int8_t *payload) {
u_int16_t v = *(u_int16_t*)&payload[*i];
-
+
(*i) += 2;
-
+
return(ntohs(v));
}
@@ -52,36 +52,50 @@ static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
else {
u_int8_t len = payload[i];
u_int8_t off = len + 1;
-
+
if(off == 0) /* Bad packet */
return(0);
else
return(off + getNameLength(i+off, payload, payloadLen));
}
}
+/*
+ allowed chars for dns names A-Z 0-9 _ -
+ Perl script for generation map:
+ my @M;
+ for(my $ch=0; $ch < 256; $ch++) {
+ $M[$ch >> 5] |= 1 << ($ch & 0x1f) if chr($ch) =~ /[a-z0-9_-]/i;
+ }
+ print join(',', map { sprintf "0x%08x",$_ } @M),"\n";
+ */
+static uint32_t dns_validchar[8] = {
+ 0x00000000,0x03ff2000,0x87fffffe,0x07fffffe,0,0,0,0
+};
/* *********************************************** */
void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
- int x;
+ int x, payload_offset;
u_int8_t is_query;
u_int16_t s_port = 0, d_port = 0;
-
+
NDPI_LOG_DBG(ndpi_struct, "search DNS\n");
if(flow->packet.udp != NULL) {
s_port = ntohs(flow->packet.udp->source);
d_port = ntohs(flow->packet.udp->dest);
- x = 0;
+ payload_offset = 0;
} else if(flow->packet.tcp != NULL) /* pkt size > 512 bytes */ {
s_port = ntohs(flow->packet.tcp->source);
d_port = ntohs(flow->packet.tcp->dest);
- x = 2;
+ payload_offset = 2;
} else {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
+ x = payload_offset;
+
if((s_port == 53 || d_port == 53 || d_port == 5355)
&& (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header)+x)) {
struct ndpi_dns_packet_header dns_header;
@@ -106,6 +120,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
invalid = 1;
if(!invalid) {
+ int j = 0, max_len, off;
if(is_query) {
/* DNS Request */
if((dns_header.num_queries > 0) && (dns_header.num_queries <= NDPI_MAX_DNS_REQUESTS)
@@ -118,7 +133,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
if(flow->packet.payload[x] == '\0') {
x++;
flow->protos.dns.query_type = get16(&x, flow->packet.payload);
-#ifdef DNS_DEBUG
+#ifdef DNS_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type);
#endif
break;
@@ -128,7 +143,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
} else
invalid = 1;
-
} else {
/* DNS Reply */
@@ -139,16 +153,18 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
|| ((dns_header.authority_rrs > 0) && (dns_header.authority_rrs <= NDPI_MAX_DNS_REQUESTS))
|| ((dns_header.additional_rrs > 0) && (dns_header.additional_rrs <= NDPI_MAX_DNS_REQUESTS)))
) {
- /* This is a good reply */
- if(ndpi_struct->dns_dissect_response) {
+ /* This is a good reply: we dissect it both for request and response */
+
+ /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */
+ /* if(ndpi_struct->dns_dont_dissect_response == 0) */ {
x++;
-
+
if(flow->packet.payload[x] != '\0') {
while((x < flow->packet.payload_packet_len)
&& (flow->packet.payload[x] != '\0')) {
x++;
}
-
+
x++;
}
@@ -160,7 +176,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
for(num = 0; num < dns_header.num_answers; num++) {
u_int16_t data_len;
-
+
if((x+6) >= flow->packet.payload_packet_len) {
break;
}
@@ -169,14 +185,31 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
break;
} else
x += data_len;
-
+
rsp_type = get16(&x, flow->packet.payload);
flow->protos.dns.rsp_type = rsp_type;
+
+ /* here x points to the response "class" field */
+ if((x+12) < flow->packet.payload_packet_len) {
+ x += 6;
+ data_len = get16(&x, flow->packet.payload);
+
+ if(((x + data_len) < flow->packet.payload_packet_len)
+ && (((rsp_type == 0x1) && (data_len == 4)) /* A */
+#ifdef NDPI_DETECTION_SUPPORT_IPV6
+ || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */
+#endif
+ )) {
+ memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len);
+ }
+ }
+
break;
}
}
}
- }
+ } else
+ invalid = 1;
}
if(invalid) {
@@ -185,57 +218,61 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
/* extract host name server */
- int j = 0, max_len = sizeof(flow->host_server_name)-1, off = sizeof(struct ndpi_dns_packet_header) + 1;
-
- while(off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {
- flow->host_server_name[j] = flow->packet.payload[off];
- if(j < max_len) {
- if(flow->host_server_name[j] < ' ')
- flow->host_server_name[j] = '.';
- j++;
- } else
- break;
-
- off++;
+ max_len = sizeof(flow->host_server_name)-1;
+ off = sizeof(struct ndpi_dns_packet_header) + payload_offset;
+
+ while(j < max_len && off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {
+ uint8_t c,cl = flow->packet.payload[off++];
+ if( (cl & 0xc0) != 0 || // we not support compressed names in query
+ off + cl >= flow->packet.payload_packet_len) {
+ j = 0; break;
+ }
+ if(j && j < max_len) flow->host_server_name[j++] = '.';
+ while(j < max_len && cl != 0) {
+ c = flow->packet.payload[off++];
+ flow->host_server_name[j++] = dns_validchar[c >> 5] & (1 << (c & 0x1f)) ? c:'_';
+ cl--;
+ }
}
-
- if(is_query && ndpi_struct->dns_dissect_response)
- return; /* The response will set the verdict */
-
flow->host_server_name[j] = '\0';
+ if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) {
+ // dpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN);
+ return; /* The response will set the verdict */
+ }
+
flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,
- flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);
+ flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);
if(j > 0) {
ndpi_protocol_match_result ret_match;
-
- ndpi_match_host_subprotocol(ndpi_struct, flow,
+
+ ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)flow->host_server_name,
strlen((const char*)flow->host_server_name),
&ret_match,
NDPI_PROTOCOL_DNS);
}
-
+
#ifdef DNS_DEBUG
NDPI_LOG_DBG2(ndpi_struct, "[num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n",
flow->protos.dns.num_queries, flow->protos.dns.num_answers,
flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name
);
#endif
-
+
if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
/**
Do not set the protocol with DNS if ndpi_match_host_subprotocol() has
matched a subprotocol
**/
- NDPI_LOG_INFO(ndpi_struct, "found DNS\n");
+ NDPI_LOG_INFO(ndpi_struct, "found DNS\n");
ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN);
} else {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
- }
+ }
}
void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index 8d3e6fa8c..7c646c363 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -49,16 +49,22 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t payload_len = packet->payload_packet_len;
- if((payload_len >= 4)
- && ((packet->payload[0] == '-') || (packet->payload[0] == 'd'))
- && ((packet->payload[1] == '-') || (packet->payload[1] == 'r'))
- && ((packet->payload[2] == '-') || (packet->payload[2] == 'w'))
- && ((packet->payload[3] == '-') || (packet->payload[3] == 'x'))) {
-
- return 1;
+ if(payload_len > 10) {
+ int i;
+
+ if(!((packet->payload[0] == '-') || (packet->payload[0] == 'd')))
+ return(0);
+
+ for(i=0; i<9; i += 3)
+ if(((packet->payload[1+i] == '-') || (packet->payload[1+i] == 'r'))
+ && ((packet->payload[2+i] == '-') || (packet->payload[2+i] == 'w'))
+ && ((packet->payload[3+i] == '-') || (packet->payload[3+i] == 'x'))) {
+ ;
+ } else
+ return 0;
}
- return 0;
+ return 1;
}
static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
@@ -220,16 +226,24 @@ static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_stru
static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
- if((packet->payload_packet_len > 0)
- && (ndpi_match_file_header(ndpi_struct, flow)
- || ndpi_match_ftp_data_directory(ndpi_struct, flow)
- || ndpi_match_ftp_data_port(ndpi_struct, flow)
- )
- ) {
- NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n");
- ndpi_int_ftp_data_add_connection(ndpi_struct, flow);
- } else
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ /*
+ Make sure we see the beginning of the connection as otherwise we might have
+ false positive results
+ */
+ if(flow->l4.tcp.seen_syn) {
+ if((packet->payload_packet_len > 0)
+ && (ndpi_match_file_header(ndpi_struct, flow)
+ || ndpi_match_ftp_data_directory(ndpi_struct, flow)
+ || ndpi_match_ftp_data_port(ndpi_struct, flow)
+ )
+ ) {
+ NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n");
+ ndpi_int_ftp_data_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c
index ddbcdadf3..d407c981b 100644
--- a/src/lib/protocols/h323.c
+++ b/src/lib/protocols/h323.c
@@ -31,8 +31,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n
/* H323 */
if(packet->payload_packet_len >= 3
&& (packet->payload[0] == 0x03)
- && (packet->payload[1] == 0x00)
- && (packet->payload[2] == 0x00)) {
+ && (packet->payload[1] == 0x00)) {
struct tpkt *t = (struct tpkt*)packet->payload;
u_int16_t len = ntohs(t->len);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 09b816129..33ef9e2ed 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -26,116 +26,43 @@
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HTTP
#include "ndpi_api.h"
-#include "lruc.h"
-
-/* global variables used for 1kxun protocol and iqiyi service */
+#include <stdlib.h>
static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int16_t category) {
-
+#ifdef DEBUG
+ printf("[%s] [http_dont_dissect_response: %u]->> %s\n", __FUNCTION__,
+ ndpi_struct->http_dont_dissect_response, flow->http.response_status_code);
+#endif
+
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
/* This is HTTP and it is not a sub protocol (e.g. skype or dropbox) */
ndpi_search_tcp_or_udp(ndpi_struct, flow);
/* If no custom protocol has been detected */
-
if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
ndpi_int_reset_protocol(flow);
- ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP);
+ flow->http_upper_protocol = flow->guessed_host_protocol_id, flow->http_lower_protocol = NDPI_PROTOCOL_HTTP;
} else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN);
-
- flow->http_detected = 1, flow->guessed_category = category;
- }
-}
-
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
-static void flash_check_http_payload(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
- const u_int8_t *pos;
-
- if(packet->empty_line_position_set == 0 || (packet->empty_line_position + 10) > (packet->payload_packet_len))
- return;
-
- pos = &packet->payload[packet->empty_line_position] + 2;
-
- if(memcmp(pos, "FLV", 3) == 0 && pos[3] == 0x01 && (pos[4] == 0x01 || pos[4] == 0x04 || pos[4] == 0x05)
- && pos[5] == 0x00 && pos[6] == 0x00 && pos[7] == 0x00 && pos[8] == 0x09) {
-
- NDPI_LOG_INFO(ndpi_struct, "found Flash content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_FLASH);
- }
-}
-#endif
-
-#ifdef NDPI_CONTENT_CATEGORY_AVI
-static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
-
- NDPI_LOG_DBG2(ndpi_struct, "called avi_check_http_payload: %u %u %u\n",
- packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position);
-
- if(packet->empty_line_position_set == 0 && flow->l4.tcp.http_empty_line_seen == 0)
- return;
-
- if(packet->empty_line_position_set != 0 && ((packet->empty_line_position + 20) > (packet->payload_packet_len))
- && flow->l4.tcp.http_empty_line_seen == 0) {
- flow->l4.tcp.http_empty_line_seen = 1;
- return;
- }
+ flow->http_upper_protocol = NDPI_PROTOCOL_HTTP, flow->http_lower_protocol = NDPI_PROTOCOL_UNKNOWN;
- if(flow->l4.tcp.http_empty_line_seen == 1) {
- if(packet->payload_packet_len > 20 && memcmp(packet->payload, "RIFF", 4) == 0
- && memcmp(packet->payload + 8, "AVI LIST", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found Avi content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_AVI);
+ if(ndpi_struct->http_dont_dissect_response)
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol);
+ else {
+ flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;
+ flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;
}
- flow->l4.tcp.http_empty_line_seen = 0;
- return;
- }
-
- /**
- for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp
- **/
- if(packet->empty_line_position_set != 0) {
-
- u_int32_t p = packet->empty_line_position + 2;
-
- // check for avi header
- NDPI_LOG_DBG2(ndpi_struct, "p = %u\n", p);
-
- if((p + 16) <= packet->payload_packet_len && memcmp(&packet->payload[p], "RIFF", 4) == 0
- && memcmp(&packet->payload[p + 8], "AVI LIST", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found Avi content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_AVI);
+ } else {
+ if((!ndpi_struct->http_dont_dissect_response) && (flow->http.response_status_code == 0)) {
+ flow->http_upper_protocol = flow->detected_protocol_stack[0], flow->http_lower_protocol = flow->detected_protocol_stack[1];
+ flow->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;
+ flow->packet.detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN, flow->packet.detected_protocol_stack[1] = NDPI_PROTOCOL_UNKNOWN;
}
}
-}
-#endif
-
-static void teamviewer_check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
- const u_int8_t *pos;
-
- NDPI_LOG_DBG2(ndpi_struct, "called teamviewer_check_http_payload: %u %u %u\n",
- packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position);
-
- if(packet->empty_line_position_set == 0 || (packet->empty_line_position + 5) > (packet->payload_packet_len))
- return;
-
- pos = &packet->payload[packet->empty_line_position] + 2;
- if(pos[0] == 0x17 && pos[1] == 0x24) {
- NDPI_LOG_INFO(ndpi_struct, "found TeamViewer content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER);
- }
+ flow->http_detected = 1, flow->guessed_category = category;
}
static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct
@@ -171,10 +98,10 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct,
static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) {
- char *double_col = strchr((char*)flow->host_server_name, ':');
- ndpi_protocol_match_result ret_match;
-
- if(double_col) double_col[0] = '\0';
+ char *double_col = strchr((char*)flow->host_server_name, ':');
+ ndpi_protocol_match_result ret_match;
+
+ if(double_col) double_col[0] = '\0';
/**
NOTE
@@ -198,6 +125,14 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t a;
+ if((!ndpi_struct->http_dont_dissect_response) && flow->http_detected && (flow->http.response_status_code != 0)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->http_upper_protocol, flow->http_lower_protocol);
+#ifdef DEBUG
+ printf("[%s] [http_dont_dissect_response: %u]->> %s\n",
+ __FUNCTION__, ndpi_struct->http_dont_dissect_response, flow->http.response_status_code);
+#endif
+ return;
+ }
#if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI)
/* PPStream */
@@ -222,7 +157,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
#endif
- if(!ndpi_struct->http_dont_dissect_response) {
+ /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */
+
+ /* if(!ndpi_struct->http_dont_dissect_response) */ {
if((flow->http.url == NULL)
&& (packet->http_url_name.len > 0)
&& (packet->host_line.len > 0)) {
@@ -238,25 +175,25 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
if(flow->packet.http_method.len < 3)
- flow->http.method = HTTP_METHOD_UNKNOWN;
+ flow->http.method = NDPI_HTTP_METHOD_UNKNOWN;
else {
switch(flow->packet.http_method.ptr[0]) {
- case 'O': flow->http.method = HTTP_METHOD_OPTIONS; break;
- case 'G': flow->http.method = HTTP_METHOD_GET; break;
- case 'H': flow->http.method = HTTP_METHOD_HEAD; break;
+ case 'O': flow->http.method = NDPI_HTTP_METHOD_OPTIONS; break;
+ case 'G': flow->http.method = NDPI_HTTP_METHOD_GET; break;
+ case 'H': flow->http.method = NDPI_HTTP_METHOD_HEAD; break;
case 'P':
switch(flow->packet.http_method.ptr[1]) {
- case 'O': flow->http.method = HTTP_METHOD_POST; break;
- case 'U': flow->http.method = HTTP_METHOD_PUT; break;
+ case 'O': flow->http.method = NDPI_HTTP_METHOD_POST; break;
+ case 'U': flow->http.method = NDPI_HTTP_METHOD_PUT; break;
}
break;
- case 'D': flow->http.method = HTTP_METHOD_DELETE; break;
- case 'T': flow->http.method = HTTP_METHOD_TRACE; break;
- case 'C': flow->http.method = HTTP_METHOD_CONNECT; break;
+ case 'D': flow->http.method = NDPI_HTTP_METHOD_DELETE; break;
+ case 'T': flow->http.method = NDPI_HTTP_METHOD_TRACE; break;
+ case 'C': flow->http.method = NDPI_HTTP_METHOD_CONNECT; break;
default:
- flow->http.method = HTTP_METHOD_UNKNOWN;
+ flow->http.method = NDPI_HTTP_METHOD_UNKNOWN;
break;
}
}
@@ -277,8 +214,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) {
/**
Format examples:
- Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) ....
- Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
+ Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) ....
+ Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
*/
if(packet->user_agent_line.len > 7) {
char ua[256];
@@ -308,22 +245,22 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
if(token && (token[0] == ' ')) token++; /* Skip space */
if(token
- && ((strcmp(token, "U") == 0)
- || (strncmp(token, "MSIE", 4) == 0))) {
- token = strsep(&parent, ";");
- if(token && (token[0] == ' ')) token++; /* Skip space */
+ && ((strcmp(token, "U") == 0)
+ || (strncmp(token, "MSIE", 4) == 0))) {
+ token = strsep(&parent, ";");
+ if(token && (token[0] == ' ')) token++; /* Skip space */
- if(token && (strncmp(token, "Update", 6) == 0)) {
- token = strsep(&parent, ";");
+ if(token && (strncmp(token, "Update", 6) == 0)) {
+ token = strsep(&parent, ";");
- if(token && (token[0] == ' ')) token++; /* Skip space */
+ if(token && (token[0] == ' ')) token++; /* Skip space */
- if(token && (strncmp(token, "AOL", 3) == 0)) {
+ if(token && (strncmp(token, "AOL", 3) == 0)) {
- token = strsep(&parent, ";");
- if(token && (token[0] == ' ')) token++; /* Skip space */
- }
- }
+ token = strsep(&parent, ";");
+ if(token && (token[0] == ' ')) token++; /* Skip space */
+ }
+ }
}
}
@@ -340,7 +277,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
NDPI_LOG_DBG2(ndpi_struct, "User Agent Type line found %.*s\n",
- packet->user_agent_line.len, packet->user_agent_line.ptr);
+ packet->user_agent_line.len, packet->user_agent_line.ptr);
}
/* check for host line */
@@ -348,37 +285,37 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
u_int len;
NDPI_LOG_DBG2(ndpi_struct, "HOST line found %.*s\n",
- packet->host_line.len, packet->host_line.ptr);
+ packet->host_line.len, packet->host_line.ptr);
/* call ndpi_match_host_subprotocol to see if there is a match with known-host HTTP subprotocol */
if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) {
ndpi_protocol_match_result ret_match;
-
+
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char*)packet->host_line.ptr,
packet->host_line.len,
&ret_match,
NDPI_PROTOCOL_HTTP);
}
-
+
/* Copy result for nDPI apps */
if(!ndpi_struct->disable_metadata_export) {
len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1);
strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len);
flow->host_server_name[len] = '\0';
}
-
+
flow->server_id = flow->dst;
if(packet->forwarded_line.ptr) {
- len = ndpi_min(packet->forwarded_line.len, sizeof(flow->protos.http.nat_ip)-1);
- if(!ndpi_struct->disable_metadata_export) {
- strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len);
- flow->protos.http.nat_ip[len] = '\0';
- }
+ len = ndpi_min(packet->forwarded_line.len, sizeof(flow->protos.http.nat_ip)-1);
+ if(!ndpi_struct->disable_metadata_export) {
+ strncpy((char*)flow->protos.http.nat_ip, (char*)packet->forwarded_line.ptr, len);
+ flow->protos.http.nat_ip[len] = '\0';
+ }
}
- if(ndpi_struct->http_dont_dissect_response)
+ if(!ndpi_struct->http_dont_dissect_response)
parseHttpSubprotocol(ndpi_struct, flow);
/**
@@ -403,26 +340,28 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
&& ((ndpi_struct->http_dont_dissect_response) || flow->http_detected)
&& (packet->http_origin.len > 0)) {
ndpi_protocol_match_result ret_match;
-
+
ndpi_match_host_subprotocol(ndpi_struct, flow,
(char *)packet->http_origin.ptr,
packet->http_origin.len,
&ret_match,
NDPI_PROTOCOL_HTTP);
}
-
+
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) {
- NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n",
- ndpi_get_proto_name(ndpi_struct, packet->detected_protocol_stack[0]));
+ NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n",
+ ndpi_get_proto_name(ndpi_struct, packet->detected_protocol_stack[0]));
ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]);
return; /* We have identified a sub-protocol so we're done */
}
}
}
+#if 0
if(!ndpi_struct->http_dont_dissect_response && flow->http_detected)
parseHttpSubprotocol(ndpi_struct, flow);
+#endif
if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
flow->guessed_protocol_id = NDPI_PROTOCOL_HTTP;
@@ -430,50 +369,31 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
/* check for accept line */
if(packet->accept_line.ptr != NULL) {
NDPI_LOG_DBG2(ndpi_struct, "Accept line found %.*s\n",
- packet->accept_line.len, packet->accept_line.ptr);
+ packet->accept_line.len, packet->accept_line.ptr);
if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask,
NDPI_PROTOCOL_RTSP) != 0) {
rtsp_parse_packet_acceptline(ndpi_struct, flow);
}
}
- /* search for line startin with "Icy-MetaData" */
- for (a = 0; a < packet->parsed_lines; a++) {
- if(packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found MPEG: Icy-MetaData\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_MPEG);
- return;
- }
- }
-
if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
- packet->content_line.len, packet->content_line.ptr);
+ packet->content_line.len, packet->content_line.ptr);
if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) {
ndpi_protocol_match_result ret_match;
-
+
ndpi_match_content_subprotocol(ndpi_struct, flow,
(char*)packet->content_line.ptr, packet->content_line.len,
&ret_match, NDPI_PROTOCOL_HTTP);
}
}
-}
-static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- NDPI_LOG_DBG2(ndpi_struct, "called check_http_payload\n");
-
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
- if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_CONTENT_CATEGORY_FLASH) != 0)
- flash_check_http_payload(ndpi_struct, flow);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_AVI
- if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_CONTENT_CATEGORY_AVI) != 0)
- avi_check_http_payload(ndpi_struct, flow);
-#endif
+ ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]);
+}
- teamviewer_check_http_payload(ndpi_struct, flow);
+static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ /* Add here your paylod code check */
}
/**
@@ -486,22 +406,22 @@ static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct,
#define STATIC_STRING_L(a) {.str=a, .len=sizeof(a)-1 }
static struct l_string {
- const char *str;
- size_t len;
+ const char *str;
+ size_t len;
} http_methods[] = {
- STATIC_STRING_L("GET "),
- STATIC_STRING_L("POST "),
- STATIC_STRING_L("OPTIONS "),
- STATIC_STRING_L("HEAD "),
- STATIC_STRING_L("PUT "),
- STATIC_STRING_L("DELETE "),
- STATIC_STRING_L("CONNECT "),
- STATIC_STRING_L("PROPFIND "),
- STATIC_STRING_L("REPORT ") };
+ STATIC_STRING_L("GET "),
+ STATIC_STRING_L("POST "),
+ STATIC_STRING_L("OPTIONS "),
+ STATIC_STRING_L("HEAD "),
+ STATIC_STRING_L("PUT "),
+ STATIC_STRING_L("DELETE "),
+ STATIC_STRING_L("CONNECT "),
+ STATIC_STRING_L("PROPFIND "),
+ STATIC_STRING_L("REPORT ") };
static const char *http_fs = "CDGHOPR";
static uint8_t non_ctrl(uint8_t c) {
- return c < 32 ? '.':c;
+ return c < 32 ? '.':c;
}
static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
@@ -510,9 +430,9 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd
int i;
NDPI_LOG_DBG2(ndpi_struct, "====>>>> HTTP: %c%c%c%c [len: %u]\n",
- non_ctrl(packet->payload[0]), non_ctrl(packet->payload[1]),
- non_ctrl(packet->payload[2]), non_ctrl(packet->payload[3]),
- packet->payload_packet_len);
+ non_ctrl(packet->payload[0]), non_ctrl(packet->payload[1]),
+ non_ctrl(packet->payload[2]), non_ctrl(packet->payload[3]),
+ packet->payload_packet_len);
/* Check first char */
if(!strchr(http_fs,packet->payload[0])) return 0;
@@ -520,43 +440,24 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd
FIRST PAYLOAD PACKET FROM CLIENT
**/
for(i=0; i < sizeof(http_methods)/sizeof(http_methods[0]); i++) {
- if(packet->payload_packet_len >= http_methods[i].len &&
- memcmp(packet->payload,http_methods[i].str,http_methods[i].len) == 0) {
- NDPI_LOG_DBG2(ndpi_struct, "HTTP: %sFOUND\n",http_methods[i].str);
- return http_methods[i].len;
- }
+ if(packet->payload_packet_len >= http_methods[i].len &&
+ memcmp(packet->payload,http_methods[i].str,http_methods[i].len) == 0) {
+ NDPI_LOG_DBG2(ndpi_struct, "HTTP: %sFOUND\n",http_methods[i].str);
+ return http_methods[i].len;
+ }
}
return 0;
}
static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
{
-#ifdef NDPI_CONTENT_CATEGORY_MPEG
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_MPEG);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_QUICKTIME
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_QUICKTIME);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_WINDOWSMEDIA
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_REALMEDIA
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_REALMEDIA);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_AVI
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_AVI);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_OGG
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_OGG);
-#endif
-
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
}
/*************************************************************************************************/
static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
+ struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int16_t filename_start; /* the filename in the request method line, e.g., "GET filename_start..."*/
@@ -576,6 +477,20 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP response\n");
+
+ if(packet->payload_packet_len >= 12) {
+ char buf[4];
+
+ /* Set server HTTP response code */
+ strncpy(buf, (char*)&packet->payload[9], 3);
+ buf[3] = '\0';
+
+ flow->http.response_status_code = atoi(buf);
+ /* https://en.wikipedia.org/wiki/List_of_HTTP_status_codes */
+ if((flow->http.response_status_code < 100) || (flow->http.response_status_code > 509))
+ flow->http.response_status_code = 0; /* Out of range */
+ }
+
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
@@ -586,7 +501,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
flow->l4.tcp.http_stage = 1;
return;
}
-
+
if((packet->payload_packet_len == 40) && (flow->l4.tcp.http_stage == 0)) {
/*
-> QR O06L0072-6L91-4O43-857J-K8OO172L6L51
@@ -600,11 +515,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
&& (packet->payload[21] == '-')
&& (packet->payload[26] == '-')
&& (packet->payload[39] == 0x0A)
- )
- flow->l4.tcp.http_stage = 1;
- return;
+ )
+ flow->l4.tcp.http_stage = 1;
+ return;
}
-
+
if((packet->payload_packet_len == 23) && (memcmp(packet->payload, "<policy-file-request/>", 23) == 0)) {
/*
<policy-file-request/>
@@ -617,35 +532,31 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
if(ndpi_struct->ookla_cache == NULL)
- ndpi_struct->ookla_cache = lruc_new(4*1024, 1024);
+ ndpi_struct->ookla_cache = ndpi_lru_cache_init(1024);
- if(ndpi_struct->ookla_cache != NULL) {
- u_int8_t *dummy = (u_int8_t*)ndpi_malloc(sizeof(u_int8_t));
-
- if(dummy) {
- if(packet->tcp->source == htons(8080))
- lruc_set((lruc*)ndpi_struct->ookla_cache, (void*)&packet->iph->saddr, 4, dummy, 1);
- else
- lruc_set((lruc*)ndpi_struct->ookla_cache, (void*)&packet->iph->daddr, 4, dummy, 1);
- }
+ if(packet->iph != NULL && ndpi_struct->ookla_cache != NULL) {
+ if(packet->tcp->source == htons(8080))
+ ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, packet->iph->saddr);
+ else
+ ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, packet->iph->daddr);
}
return;
}
-
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
http_bitmask_exclude_other(flow);
return;
}
NDPI_LOG_DBG2(ndpi_struct,
- "Filename HTTP found: %d, we look for line info..\n", filename_start);
+ "Filename HTTP found: %d, we look for line info..\n", filename_start);
ndpi_parse_packet_line_info(ndpi_struct, flow);
if(packet->parsed_lines <= 1) {
NDPI_LOG_DBG2(ndpi_struct,
- "Found just one line, we will look further for the next packet...\n");
+ "Found just one line, we will look further for the next packet...\n");
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
@@ -656,10 +567,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
NDPI_LOG_DBG2(ndpi_struct,
- "Found more than one line, we look further for the next packet...\n");
+ "Found more than one line, we look further for the next packet...\n");
if(packet->line[0].len >= (9 + filename_start)
- && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { /* Request line complete. Ex. "GET / HTTP/1.1" */
+ && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { /* Request line complete. Ex. "GET / HTTP/1.1" */
packet->http_url_name.ptr = &packet->payload[filename_start];
packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
@@ -669,14 +580,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
// Set the HTTP requested version: 0=HTTP/1.0 and 1=HTTP/1.1
if(memcmp(&packet->line[0].ptr[packet->line[0].len - 1], "1", 1) == 0)
- flow->http.request_version = 1;
+ flow->http.request_version = 1;
else
- flow->http.request_version = 0;
+ flow->http.request_version = 0;
/* Set the first found headers in request */
flow->http.num_request_headers = packet->http_num_headers;
-
/* Check for Ookla */
if((packet->referer_line.len > 0)
&& ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) {
@@ -686,22 +596,22 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
/* Check for additional field introduced by Steam */
int x = 1;
if(packet->line[x].len >= 11 && (memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found STEAM\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_STEAM);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- return;
+ NDPI_LOG_INFO(ndpi_struct, "found STEAM\n");
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_STEAM);
+ check_content_type_and_change_protocol(ndpi_struct, flow);
+ return;
}
/* Check for additional field introduced by Facebook */
x = 1;
while(packet->line[x].len != 0) {
- if(packet->line[x].len >= 12 && (memcmp(packet->line[x].ptr, "X-FB-SIM-HNI", 12)) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found FACEBOOK\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_FACEBOOK);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- return;
- }
- x++;
+ if(packet->line[x].len >= 12 && (memcmp(packet->line[x].ptr, "X-FB-SIM-HNI", 12)) == 0) {
+ NDPI_LOG_INFO(ndpi_struct, "found FACEBOOK\n");
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_FACEBOOK);
+ check_content_type_and_change_protocol(ndpi_struct, flow);
+ return;
+ }
+ x++;
}
#if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI)
@@ -746,23 +656,23 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
}
#endif
-
+
if((packet->http_url_name.len > 7)
- && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
+ && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY);
check_content_type_and_change_protocol(ndpi_struct, flow);
}
if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) {
- /* nathan@getoffmalawn.com */
+ /* nathan@getoffmalawn.com */
NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT);
check_content_type_and_change_protocol(ndpi_struct, flow);
}
NDPI_LOG_DBG2(ndpi_struct,
- "HTTP START Found, we will look for sub-protocols (content and host)...\n");
+ "HTTP START Found, we will look for sub-protocols (content and host)...\n");
if(packet->host_line.ptr != NULL) {
/**
@@ -775,11 +685,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
if(ndpi_struct->http_dont_dissect_response) {
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */
NDPI_LOG_INFO(ndpi_struct, "found HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
+ ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
} else {
flow->http_detected = 1;
NDPI_LOG_DBG2(ndpi_struct,
- "HTTP START Found, we will look further for the response...\n");
+ "HTTP START Found, we will look further for the response...\n");
flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
}
@@ -790,23 +700,21 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
http_bitmask_exclude_other(flow);
-
} else if((flow->l4.tcp.http_stage == 1) || (flow->l4.tcp.http_stage == 2)) {
-
NDPI_LOG_DBG2(ndpi_struct, "HTTP stage %u: \n", flow->l4.tcp.http_stage);
-
+
if((packet->payload_packet_len == 34) && (flow->l4.tcp.http_stage == 1)) {
if((packet->payload[5] == ' ') && (packet->payload[9] == ' ')) {
goto ookla_found;
}
}
-
+
if((packet->payload_packet_len > 6) && memcmp(packet->payload, "HELLO ", 6) == 0) {
- /* This looks like Ookla */
+ /* This looks like Ookla */
goto ookla_found;
} else
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
-
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
+
/**
At first check, if this is for sure a response packet (in another direction. If not, if HTTP is detected do nothing now and return,
otherwise check the second packet for the HTTP request
@@ -817,7 +725,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
return;
NDPI_LOG_DBG2(ndpi_struct,
- " SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP...UNKNOWN TRAFFIC, HERE FOR HTTP again.. \n");
+ " SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP...UNKNOWN TRAFFIC, HERE FOR HTTP again.. \n");
ndpi_parse_packet_line_info(ndpi_struct, flow);
@@ -839,14 +747,14 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
// http://www.slideshare.net/DSPIP/rtsp-analysis-wireshark
if(packet->line[0].len >= 9
- && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
+ && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found HTTP\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ndpi_struct, flow);
NDPI_LOG_DBG2(ndpi_struct,
- "HTTP START Found in 2. packet, we will look further for the response....\n");
+ "HTTP START Found in 2. packet, we will look further for the response....\n");
flow->http_detected = 1;
}
@@ -879,9 +787,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
ndpi_parse_packet_line_info(ndpi_struct, flow);
check_content_type_and_change_protocol(ndpi_struct, flow);
- if(packet->packet_direction == 1 /* server -> client */){
- flow->http.num_response_headers += packet->http_num_headers; /* flow structs are initialized with zeros */
- }
+ if(packet->packet_direction == 1 /* server -> client */)
+ flow->http.num_response_headers += packet->http_num_headers; /* flow structs are initialized with zeros */
if(packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
NDPI_LOG_DBG2(ndpi_struct, "empty line. check_http_payload\n");
@@ -905,8 +812,8 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
}
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
- return;
- }
+ return;
+ }
NDPI_LOG_DBG(ndpi_struct, "search HTTP\n");
ndpi_check_http_tcp(ndpi_struct, flow);
@@ -917,7 +824,7 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod,
struct ndpi_flow_struct *flow) {
if(!flow)
- return(HTTP_METHOD_UNKNOWN);
+ return(NDPI_HTTP_METHOD_UNKNOWN);
else
return(flow->http.method);
}
@@ -935,7 +842,7 @@ char* ndpi_get_http_url(struct ndpi_detection_module_struct *ndpi_mod,
/* ********************************* */
char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod,
- struct ndpi_flow_struct *flow) {
+ struct ndpi_flow_struct *flow) {
if((!flow) || (!flow->http.content_type))
return("");
else
@@ -953,130 +860,4 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-
-#if 0
- ndpi_set_bitmask_protocol_detection("HTTP_Proxy", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_HTTP_PROXY,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-
-#ifdef NDPI_CONTENT_CATEGORY_MPEG
- ndpi_set_bitmask_protocol_detection("MPEG", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_MPEG,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
- ndpi_set_bitmask_protocol_detection("Flash", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_FLASH,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_QUICKTIME
- ndpi_set_bitmask_protocol_detection("QuickTime", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_QUICKTIME,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_REALMEDIA
- ndpi_set_bitmask_protocol_detection("RealMedia", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_REALMEDIA,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_WINDOWSMEDIA
- ndpi_set_bitmask_protocol_detection("WindowsMedia", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_WINDOWSMEDIA,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_MMS
- ndpi_set_bitmask_protocol_detection("MMS", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_MMS,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-
- ndpi_set_bitmask_protocol_detection("Xbox", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_XBOX,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-
- ndpi_set_bitmask_protocol_detection("QQ", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_QQ,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-
-#ifdef NDPI_CONTENT_CATEGORY_AVI
- ndpi_set_bitmask_protocol_detection("AVI", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_AVI,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_OGG
- ndpi_set_bitmask_protocol_detection("OggVorbis", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_OGG,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-
- /* Update excluded protocol bitmask */
- NDPI_BITMASK_SET(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask,
- ndpi_struct->callback_buffer[a].detection_bitmask);
-
- /*Delete protocol from excluded protocol bitmask*/
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_UNKNOWN);
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_QQ);
-
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_FLASH);
-#endif
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_MMS);
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
-
- NDPI_BITMASK_SET(ndpi_struct->generic_http_packet_bitmask, ndpi_struct->callback_buffer[a].detection_bitmask);
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->generic_http_packet_bitmask, NDPI_PROTOCOL_UNKNOWN);
-
- /* Update callback_buffer index */
- a++;
-
-#endif
}
diff --git a/src/lib/protocols/mdns_proto.c b/src/lib/protocols/mdns_proto.c
index 77bdf4208..75eab720b 100644
--- a/src/lib/protocols/mdns_proto.c
+++ b/src/lib/protocols/mdns_proto.c
@@ -63,21 +63,19 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct
struct ndpi_packet_struct *packet = &flow->packet;
struct mdns_header *h = (struct mdns_header*)packet->payload;
u_int16_t questions = ntohs(h->questions), answers = ntohs(h->answers);
+
+ if((questions > NDPI_MAX_MDNS_REQUESTS)
+ || (answers > NDPI_MAX_MDNS_REQUESTS))
+ return(0);
- if(((packet->payload[2] & 0x80) == 0)
- && (questions <= NDPI_MAX_MDNS_REQUESTS)
- && (answers <= NDPI_MAX_MDNS_REQUESTS)) {
+ if((packet->payload[2] & 0x80) == 0) {
NDPI_LOG_INFO(ndpi_struct, "found MDNS with question query\n");
return 1;
- }
- else if(((packet->payload[2] & 0x80) != 0)
- && (questions == 0)
- && (answers <= NDPI_MAX_MDNS_REQUESTS)
- && (answers != 0)) {
+ } else if((packet->payload[2] & 0x80) != 0) {
char answer[256];
int i, j, len;
- for(i=13, j=0; (packet->payload[i] != 0) && (i < packet->payload_packet_len) && (i < (sizeof(answer)-1)); i++)
+ for(i=13, j=0; (i < packet->payload_packet_len) && (i < (sizeof(answer)-1)) && (packet->payload[i] != 0); i++)
answer[j++] = (packet->payload[i] < 13) ? '.' : packet->payload[i];
answer[j] = '\0';
@@ -100,8 +98,6 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct
void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
- u_int16_t dport;
-
NDPI_LOG_DBG(ndpi_struct, "search MDNS\n");
/**
@@ -111,15 +107,13 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n
/* check if UDP packet */
if(packet->udp != NULL) {
/* read destination port */
- dport = ntohs(packet->udp->dest);
+ u_int16_t sport = ntohs(packet->udp->source);
+ u_int16_t dport = ntohs(packet->udp->dest);
/* check standard MDNS ON port 5353 */
- if(dport == 5353 && packet->payload_packet_len >= 12) {
- /* mdns protocol must have destination address 224.0.0.251 */
- if(packet->iph != NULL /* && ntohl(packet->iph->daddr) == 0xe00000fb */) {
-
- NDPI_LOG_INFO(ndpi_struct, "found MDNS with destination address 224.0.0.251 (=0xe00000fb)\n");
-
+ if(((dport == 5353) || (sport == 5353))
+ && (packet->payload_packet_len >= 12)) {
+ if(packet->iph != NULL) {
if(ndpi_int_check_mdns_payload(ndpi_struct, flow) == 1) {
ndpi_int_mdns_add_connection(ndpi_struct, flow);
return;
@@ -141,6 +135,7 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n
#endif
}
}
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c
index ec094e7d3..b4361e270 100644
--- a/src/lib/protocols/mining.c
+++ b/src/lib/protocols/mining.c
@@ -44,9 +44,12 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
if((*to_match == magic) || (*to_match == magic1)) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
}
- } if(ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len)
- || ndpi_strnstr((const char *)packet->payload, "\"worker\"", packet->payload_packet_len)
- || ndpi_strnstr((const char *)packet->payload, "\"id\"", packet->payload_packet_len)) {
+ } if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
+ && (
+ ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len)
+ || ndpi_strnstr((const char *)packet->payload, "\"worker\":", packet->payload_packet_len)
+ /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */
+ )) {
/*
Ethereum
@@ -55,9 +58,12 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct,
{"worker": "", "jsonrpc": "2.0", "params": [], "id": 3, "method": "eth_getWork"}
*/
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN);
- } else if(ndpi_strnstr((const char *)packet->payload, "\"method\"", packet->payload_packet_len)
- || ndpi_strnstr((const char *)packet->payload, "\"blob\"", packet->payload_packet_len)
- || ndpi_strnstr((const char *)packet->payload, "\"id\"", packet->payload_packet_len)) {
+ } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len)
+ && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len)
+ || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len)
+ /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */
+ )
+ ) {
/*
ZCash
diff --git a/src/lib/protocols/modbus.c b/src/lib/protocols/modbus.c
new file mode 100644
index 000000000..2a6dd2a49
--- /dev/null
+++ b/src/lib/protocols/modbus.c
@@ -0,0 +1,72 @@
+
+/*
+ * modbus.c
+ *
+ * Copyright (C) 2018 - ntop.org
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocol_ids.h"
+#include "ndpi_api.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MODBUS
+
+void ndpi_search_modbus_tcp(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+ NDPI_LOG_DBG(ndpi_struct, "search Modbus\n");
+ u_int16_t modbus_port = htons(502); // port used by modbus
+
+ /* Check connection over TCP */
+
+ if(packet->tcp) {
+ /* The payload of Modbus-TCP segment must be at least 8 bytes (7 bytes of header application
+ packet plus 1 byte of minimum payload of application packet)
+ */
+ if((packet->payload_packet_len >= 8)
+ &&((packet->tcp->dest == modbus_port) || (packet->tcp->source == modbus_port))) {
+ // Modbus uses the port 502
+ u_int16_t modbus_len = htons(*((u_int16_t*)&packet->payload[4]));
+
+ // the fourth parameter of the payload is the length of the segment
+ if((modbus_len-1) == (packet->payload_packet_len - 7 /* ModbusTCP header len */)) {
+ NDPI_LOG_INFO(ndpi_struct, "found MODBUS\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MODBUS, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+ }
+ }
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+
+}
+
+
+
+void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+
+ ndpi_set_bitmask_protocol_detection("Modbus", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_MODBUS,
+ ndpi_search_modbus_tcp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+ *id += 1;
+}
diff --git a/src/lib/protocols/ookla.c b/src/lib/protocols/ookla.c
index b1eb295a7..06d97e216 100644
--- a/src/lib/protocols/ookla.c
+++ b/src/lib/protocols/ookla.c
@@ -22,34 +22,32 @@
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OOKLA
#include "ndpi_api.h"
-#include "lruc.h"
void ndpi_search_ookla(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) {
struct ndpi_packet_struct* packet = &flow->packet;
u_int32_t addr = 0;
void *value;
-
+
NDPI_LOG_DBG(ndpi_struct, "Ookla detection\n");
-
+
if(packet->tcp->source == htons(8080))
addr = packet->iph->saddr;
else if(packet->tcp->dest == htons(8080))
addr = packet->iph->daddr;
else
goto ookla_exclude;
-
+
if(ndpi_struct->ookla_cache != NULL) {
- if(lruc_get(ndpi_struct->ookla_cache, &addr, sizeof(addr), &value) == LRUC_NO_ERROR) {
- /* Don't remove it as it can be used for other connections */
+ if(ndpi_lru_find_cache(ndpi_struct->ookla_cache, addr, 0 /* Don't remove it as it can be used for other connections */)) {
NDPI_LOG_INFO(ndpi_struct, "found ookla tcp connection\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
return;
- }
+ }
}
ookla_exclude:
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct,
@@ -63,4 +61,3 @@ void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct,
*id += 1;
}
-
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index e28db634a..d14538e0d 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -22,6 +22,10 @@
*
*/
+#if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__
+#include <sys/endian.h>
+#endif
+
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QUIC
@@ -96,8 +100,8 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct,
&& (packet->payload[i+1] == 'N')
&& (packet->payload[i+2] == 'I')
&& (packet->payload[i+3] == 0)) {
- u_int32_t offset = *((u_int32_t*)&packet->payload[i+4]);
- u_int32_t prev_offset = *((u_int32_t*)&packet->payload[i-4]);
+ u_int32_t offset = le32toh(*((u_int32_t*)&packet->payload[i+4]));
+ u_int32_t prev_offset = le32toh(*((u_int32_t*)&packet->payload[i-4]));
int len = offset-prev_offset;
int sni_offset = i+prev_offset+1;
diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c
index 1c85f48d7..209e71177 100644
--- a/src/lib/protocols/radius.c
+++ b/src/lib/protocols/radius.c
@@ -39,10 +39,13 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct,
if(packet->udp != NULL) {
struct radius_header *h = (struct radius_header*)packet->payload;
+ /* RFC2865: The minimum length is 20 and maximum length is 4096. */
+ if((payload_len < 20) || (payload_len > 4096))
+ return;
if((payload_len > sizeof(struct radius_header))
&& (h->code > 0)
- && (h->code <= 5)
+ && (h->code <= 13)
&& (ntohs(h->len) == payload_len)) {
NDPI_LOG_INFO(ndpi_struct, "Found radius\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN);
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 25d535a57..05988a8d4 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -28,6 +28,7 @@
#include "ndpi_api.h"
// #define CERTIFICATE_DEBUG 1
+
#define NDPI_MAX_SSL_REQUEST_SIZE 10000
/* Skype.c */
@@ -150,9 +151,10 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef CERTIFICATE_DEBUG
{
- static u_int8_t id = 0;
-
- NDPI_LOG_DBG2(ndpi_struct,"-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF);
+ u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2];
+ u_int16_t ssl_len = (packet->payload[3] << 8) + packet->payload[4];
+
+ printf("SSL Record [version: 0x%02X][len: %u]\n", ssl_version, ssl_len);
}
#endif
@@ -174,10 +176,18 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
if(total_len > 4) {
int i;
- if(handshake_protocol == 0x02 || handshake_protocol == 0xb /* Server Hello and Certificate message types are interesting for us */) {
+#ifdef CERTIFICATE_DEBUG
+ printf("SSL [len: %u][handshake_protocol: %02X]\n", packet->payload_packet_len, handshake_protocol);
+#endif
+
+ if((handshake_protocol == 0x02)
+ || (handshake_protocol == 0xb) /* Server Hello and Certificate message types are interesting for us */) {
u_int num_found = 0;
- flow->l4.tcp.ssl_seen_server_cert = 1;
+ if(handshake_protocol == 0x02)
+ flow->l4.tcp.ssl_seen_server_cert = 1;
+ else
+ flow->l4.tcp.ssl_seen_certificate = 1;
/* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
for(i = 9; i < packet->payload_packet_len-3; i++) {
@@ -215,11 +225,11 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
break;
} else if(buffer[j] == '.') {
num_dots++;
- if(num_dots >=2) break;
+ if(num_dots >=1) break;
}
}
- if(num_dots >= 2) {
+ if(num_dots >= 1) {
if(!ndpi_struct->disable_metadata_export) {
stripCertificateTrailer(buffer, buffer_len);
snprintf(flow->protos.stun_ssl.ssl.server_certificate,
@@ -232,8 +242,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
} else if(handshake_protocol == 0x01 /* Client Hello */) {
u_int offset, base_offset = 43;
- if (base_offset + 2 <= packet->payload_packet_len)
- {
+ if(base_offset + 2 <= packet->payload_packet_len) {
u_int16_t session_id_len = packet->payload[base_offset];
if((session_id_len+base_offset+2) <= total_len) {
@@ -335,25 +344,94 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
return(0); /* Not found */
}
+void getSSLorganization(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow,
+ char *buffer, int buffer_len) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ if(packet->payload[0] != 0x16 /* Handshake */)
+ return;
+
+ u_int16_t total_len = (packet->payload[3] << 8) + packet->payload[4] + 5 /* SSL Header */;
+ u_int8_t handshake_protocol = packet->payload[5]; /* handshake protocol a bit misleading, it is message type according TLS specs */
+
+ if(handshake_protocol != 0x02 && handshake_protocol != 0xb /* Server Hello and Certificate message types are interesting for us */)
+ return;
+
+ /* Truncate total len, search at least in incomplete packet */
+ if(total_len > packet->payload_packet_len)
+ total_len = packet->payload_packet_len;
+
+ memset(buffer, 0, buffer_len);
+
+ /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */
+ u_int num_found = 0;
+ u_int i, j;
+ for(i = 9; i < packet->payload_packet_len-4; i++) {
+ /* Organization OID: 2.5.4.10 */
+ if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) {
+ u_int8_t type_tag = packet->payload[i+3]; // 0x0c: utf8string / 0x13: printable_string
+ u_int8_t server_len = packet->payload[i+4];
+
+ num_found++;
+ /* what we want is subject certificate, so we bypass the issuer certificate */
+ if(num_found != 2) continue;
+
+ // packet is truncated... further inspection is not needed
+ if(i+4+server_len >= packet->payload_packet_len) {
+ break;
+ }
+
+ char *server_org = (char*)&packet->payload[i+5];
+
+ u_int len = (u_int)ndpi_min(server_len, buffer_len-1);
+ strncpy(buffer, server_org, len);
+ buffer[len] = '\0';
+
+ // check if organization string are all printable
+ u_int8_t is_printable = 1;
+ for (j = 0; j < len; j++) {
+ if(!ndpi_isprint(buffer[j])) {
+ is_printable = 0;
+ break;
+ }
+ }
+
+ if(is_printable == 1) {
+ snprintf(flow->protos.stun_ssl.ssl.server_organization,
+ sizeof(flow->protos.stun_ssl.ssl.server_organization), "%s", buffer);
+#ifdef CERTIFICATE_DEBUG
+ printf("Certificate origanization: %s\n", flow->protos.stun_ssl.ssl.server_organization);
+#endif
+ }
+ }
+ }
+}
+
int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
/* consider only specific SSL packets (handshake) */
if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) {
char certificate[64];
+ char organization[64];
int rc;
certificate[0] = '\0';
rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
packet->ssl_certificate_num_checks++;
- if (rc > 0) {
+ if(rc > 0) {
+ // try fetch server organization once server certificate is found
+ organization[0] = '\0';
+ getSSLorganization(ndpi_struct, flow, organization, sizeof(organization));
+
packet->ssl_certificate_detected++;
- if ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+ if((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
/* 0 means we're done processing extra packets (since we found what we wanted) */
return 0;
}
/* Client hello, Server Hello, and certificate packets probably all checked in this case */
- if ((packet->ssl_certificate_num_checks >= 3)
+ if((packet->ssl_certificate_num_checks >= 3)
&& (flow->l4.tcp.seen_syn)
&& (flow->l4.tcp.seen_syn_ack)
&& (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
@@ -369,7 +447,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) {
flow->check_extra_packets = 1;
/* 0 is the case for waiting for the server certificate */
- if (caseNum == 0) {
+ if(caseNum == 0) {
/* At most 7 packets should almost always be enough to find the server certificate if it's there */
flow->max_extra_packets_to_check = 7;
flow->extra_packets_func = sslTryAndRetrieveServerCertificate;
@@ -405,7 +483,8 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
/* If we've detected the subprotocol from client certificate but haven't had a chance
* to see the server certificate yet, set up extra packet processing to wait
* a few more packets. */
- if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
+ if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0'))
+ && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
sslInitExtraPacketProcessing(0, flow);
}
@@ -418,11 +497,13 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
return(rc);
}
- if(((packet->ssl_certificate_num_checks >= 2)
+ if(((packet->ssl_certificate_num_checks >= 3)
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */)
- || ((flow->l4.tcp.ssl_seen_server_cert == 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
+ || ((flow->l4.tcp.ssl_seen_certificate == 1)
+ && (flow->l4.tcp.ssl_seen_server_cert == 1)
+ && (flow->protos.stun_ssl.ssl.server_certificate[0] != '\0'))
/* || ((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) */
) {
ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
@@ -432,8 +513,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
return(0);
}
-static void ssl_mark_and_payload_search_for_other_protocols(struct
- ndpi_detection_module_struct
+static void ssl_mark_and_payload_search_for_other_protocols(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
@@ -510,16 +590,16 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct
/* SSL without certificate (Skype, Ultrasurf?) */
NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n");
ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT);
- } else
+ } else if(packet->ssl_certificate_num_checks >= 3) {
NDPI_LOG_INFO(ndpi_struct, "found ssl\n");
- ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);
+ }
}
}
static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
-
struct ndpi_packet_struct *packet = &flow->packet;
if((packet->payload_packet_len >= 5)
@@ -559,7 +639,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
}
}
- if((packet->payload_packet_len > temp && packet->payload_packet_len > 100) && packet->payload_packet_len > 9) {
+ if((packet->payload_packet_len > temp) && (packet->payload_packet_len > 100)) {
/* the server hello may be split into small packets and the certificate has its own SSL Record
* so temp contains only the length for the first ServerHello block */
u_int32_t cert_start;
@@ -647,27 +727,25 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG_DBG(ndpi_struct, "search ssl\n");
- {
- /* Check if this is whatsapp first (this proto runs over port 443) */
- if((packet->payload_packet_len > 5)
- && ((packet->payload[0] == 'W')
- && (packet->payload[1] == 'A')
- && (packet->payload[4] == 0)
- && (packet->payload[2] <= 9)
- && (packet->payload[3] <= 9))) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
- return;
- } else if((packet->payload_packet_len == 4)
- && (packet->payload[0] == 'W')
- && (packet->payload[1] == 'A')) {
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ /* Check if this is whatsapp first (this proto runs over port 443) */
+ if((packet->payload_packet_len > 5)
+ && ((packet->payload[0] == 'W')
+ && (packet->payload[1] == 'A')
+ && (packet->payload[4] == 0)
+ && (packet->payload[2] <= 9)
+ && (packet->payload[3] <= 9))) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ } else if((packet->payload_packet_len == 4)
+ && (packet->payload[0] == 'W')
+ && (packet->payload[1] == 'A')) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ } else {
+ /* No whatsapp, let's try SSL */
+ if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
return;
- } else {
- /* No whatsapp, let's try SSL */
- if(sslDetectProtocolFromCertificate(ndpi_struct, flow) > 0)
- return;
- }
- }
+ }
if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) {
NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n");
diff --git a/src/lib/protocols/whatsapp.c b/src/lib/protocols/whatsapp.c
index 6964a8e0e..608e6576e 100644
--- a/src/lib/protocols/whatsapp.c
+++ b/src/lib/protocols/whatsapp.c
@@ -26,34 +26,26 @@
void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
- u_int8_t whatsapp_sequence[] = {
+ static u_int8_t whatsapp_sequence[] = {
0x45, 0x44, 0x0, 0x01, 0x0, 0x0, 0x02, 0x08,
0x0, 0x57, 0x41, 0x02, 0x0, 0x0, 0x0
};
NDPI_LOG_DBG(ndpi_struct, "search WhatsApp\n");
- if(flow->l4.tcp.wa_matched_so_far == 0) {
- if(memcmp(packet->payload, whatsapp_sequence, packet->payload_packet_len)) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- } else
- flow->l4.tcp.wa_matched_so_far = packet->payload_packet_len;
+ if(flow->l4.tcp.wa_matched_so_far < sizeof(whatsapp_sequence)) {
+ size_t match_len = sizeof(whatsapp_sequence) - flow->l4.tcp.wa_matched_so_far;
+ if(packet->payload_packet_len < match_len)
+ match_len = packet->payload_packet_len;
- return;
- } else {
- if(memcmp(packet->payload, &whatsapp_sequence[flow->l4.tcp.wa_matched_so_far],
- sizeof(whatsapp_sequence)-flow->l4.tcp.wa_matched_so_far))
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
-
- return;
- }
-
- if((packet->payload_packet_len > 240)
- && (memcmp(packet->payload, whatsapp_sequence, sizeof(whatsapp_sequence)) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ if(!memcmp(packet->payload, &whatsapp_sequence[flow->l4.tcp.wa_matched_so_far], match_len)) {
+ flow->l4.tcp.wa_matched_so_far += match_len;
+ if(flow->l4.tcp.wa_matched_so_far == sizeof(whatsapp_sequence)) {
+ NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ }
+ return;
+ }
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
diff --git a/src/lib/third_party/include/lruc.h b/src/lib/third_party/include/lruc.h
deleted file mode 100644
index 55fb271fe..000000000
--- a/src/lib/third_party/include/lruc.h
+++ /dev/null
@@ -1,55 +0,0 @@
-#include <pthread.h>
-#include <stdint.h>
-#include <time.h>
-
-#ifndef __lruc_header__
-#define __lruc_header__
-
-// ------------------------------------------
-// errors
-// ------------------------------------------
-typedef enum {
- LRUC_NO_ERROR = 0,
- LRUC_MISSING_CACHE,
- LRUC_MISSING_KEY,
- LRUC_MISSING_VALUE,
- LRUC_PTHREAD_ERROR,
- LRUC_VALUE_TOO_LARGE
-} lruc_error;
-
-
-// ------------------------------------------
-// types
-// ------------------------------------------
-typedef struct {
- void *value;
- void *key;
- uint32_t value_length;
- uint32_t key_length;
- uint64_t access_count;
- void *next;
-} lruc_item;
-
-typedef struct {
- lruc_item **items;
- uint64_t access_count;
- uint64_t free_memory;
- uint64_t total_memory;
- uint64_t average_item_length;
- uint32_t hash_table_size;
- time_t seed;
- lruc_item *free_items;
- pthread_mutex_t *mutex;
-} lruc;
-
-
-// ------------------------------------------
-// api
-// ------------------------------------------
-lruc *lruc_new(uint64_t cache_size, uint32_t average_length);
-lruc_error lruc_free(lruc *cache);
-lruc_error lruc_set(lruc *cache, void *key, uint32_t key_length, void *value, uint32_t value_length);
-lruc_error lruc_get(lruc *cache, void *key, uint32_t key_length, void **value);
-lruc_error lruc_delete(lruc *cache, void *key, uint32_t key_length);
-
-#endif
diff --git a/src/lib/third_party/src/lruc.c b/src/lib/third_party/src/lruc.c
deleted file mode 100644
index f08fb2ce1..000000000
--- a/src/lib/third_party/src/lruc.c
+++ /dev/null
@@ -1,294 +0,0 @@
-/* https://github.com/willcannings/C-LRU-Cache */
-
-#include "lruc.h"
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <err.h>
-
-// ------------------------------------------
-// private functions
-// ------------------------------------------
-// MurmurHash2, by Austin Appleby
-// http://sites.google.com/site/murmurhash/
-uint32_t lruc_hash(lruc *cache, void *key, uint32_t key_length) {
- uint32_t m = 0x5bd1e995;
- uint32_t r = 24;
- uint32_t h = cache->seed ^ key_length;
- char* data = (char *)key;
-
- while(key_length >= 4) {
- uint32_t k = *(uint32_t *)data;
- k *= m;
- k ^= k >> r;
- k *= m;
- h *= m;
- h ^= k;
- data += 4;
- key_length -= 4;
- }
-
- switch(key_length) {
- case 3: h ^= data[2] << 16;
- case 2: h ^= data[1] << 8;
- case 1: h ^= data[0];
- h *= m;
- };
-
- h ^= h >> 13;
- h *= m;
- h ^= h >> 15;
- return h % cache->hash_table_size;
-}
-
-// compare a key against an existing item's key
-int lruc_cmp_keys(lruc_item *item, void *key, uint32_t key_length) {
- if(key_length != item->key_length)
- return 1;
- else
- return memcmp(key, item->key, key_length);
-}
-
-// remove an item and push it to the free items queue
-void lruc_remove_item(lruc *cache, lruc_item *prev, lruc_item *item, uint32_t hash_index) {
- if(prev)
- prev->next = item->next;
- else
- cache->items[hash_index] = (lruc_item *) item->next;
-
- // free memory and update the free memory counter
- cache->free_memory += item->value_length;
- free(item->value);
- free(item->key);
-
- // push the item to the free items queue
- memset(item, 0, sizeof(lruc_item));
- item->next = cache->free_items;
- cache->free_items = item;
-}
-
-// remove the least recently used item
-// TODO: we can optimise this by finding the n lru items, where n = required_space / average_length
-void lruc_remove_lru_item(lruc *cache) {
- lruc_item *min_item = NULL, *min_prev = NULL;
- lruc_item *item = NULL, *prev = NULL;
- uint32_t i = 0, min_index = -1;
- uint64_t min_access_count = -1;
-
- for(; i < cache->hash_table_size; i++) {
- item = cache->items[i];
- prev = NULL;
-
- while(item) {
- if(item->access_count < min_access_count || min_access_count == -1) {
- min_access_count = item->access_count;
- min_item = item;
- min_prev = prev;
- min_index = i;
- }
- prev = item;
- item = item->next;
- }
- }
-
- if(min_item)
- lruc_remove_item(cache, min_prev, min_item, min_index);
-}
-
-// pop an existing item off the free queue, or create a new one
-lruc_item *lruc_pop_or_create_item(lruc *cache) {
- lruc_item *item = NULL;
-
- if(cache->free_items) {
- item = cache->free_items;
- cache->free_items = item->next;
- } else {
- item = (lruc_item *) calloc(sizeof(lruc_item), 1);
- }
-
- return item;
-}
-
-// error helpers
-#define error_for(conditions, error) if(conditions) {return error;}
-#define test_for_missing_cache() error_for(!cache, LRUC_MISSING_CACHE)
-#define test_for_missing_key() error_for(!key || key_length == 0, LRUC_MISSING_KEY)
-#define test_for_missing_value() error_for(!value || value_length == 0, LRUC_MISSING_VALUE)
-#define test_for_value_too_large() error_for(value_length > cache->total_memory, LRUC_VALUE_TOO_LARGE)
-
-// lock helpers
-#define lock_cache() if(pthread_mutex_lock(cache->mutex)) {\
- perror("LRU Cache unable to obtain mutex lock");\
- return LRUC_PTHREAD_ERROR;\
-}
-
-#define unlock_cache() if(pthread_mutex_unlock(cache->mutex)) {\
- perror("LRU Cache unable to release mutex lock");\
- return LRUC_PTHREAD_ERROR;\
-}
-
-
-// ------------------------------------------
-// public api
-// ------------------------------------------
-lruc *lruc_new(uint64_t cache_size, uint32_t average_length) {
- // create the cache
- lruc *cache = (lruc *) calloc(sizeof(lruc), 1);
- if(!cache) {
- perror("LRU Cache unable to create cache object");
- return NULL;
- }
- cache->hash_table_size = cache_size / average_length;
- cache->average_item_length = average_length;
- cache->free_memory = cache_size;
- cache->total_memory = cache_size;
- cache->seed = time(NULL);
-
- // size the hash table to a guestimate of the number of slots required (assuming a perfect hash)
- cache->items = (lruc_item **) calloc(sizeof(lruc_item *), cache->hash_table_size);
- if(!cache->items) {
- perror("LRU Cache unable to create cache hash table");
- free(cache);
- return NULL;
- }
-
- // all cache calls are guarded by a mutex
- cache->mutex = (pthread_mutex_t *) malloc(sizeof(pthread_mutex_t));
- if(pthread_mutex_init(cache->mutex, NULL)) {
- perror("LRU Cache unable to initialise mutex");
- free(cache->items);
- free(cache);
- return NULL;
- }
- return cache;
-}
-
-
-lruc_error lruc_free(lruc *cache) {
- test_for_missing_cache();
-
- // free each of the cached items, and the hash table
- lruc_item *item = NULL, *next = NULL;
- uint32_t i = 0;
- if(cache->items) {
- for(; i < cache->hash_table_size; i++) {
- item = cache->items[i];
- while(item) {
- next = (lruc_item *) item->next;
- free(item);
- item = next;
- }
- }
- free(cache->items);
- }
-
- // free the cache
- if(cache->mutex) {
- if(pthread_mutex_destroy(cache->mutex)) {
- perror("LRU Cache unable to destroy mutex");
- return LRUC_PTHREAD_ERROR;
- }
- }
- free(cache);
-
- return LRUC_NO_ERROR;
-}
-
-
-lruc_error lruc_set(lruc *cache, void *key, uint32_t key_length, void *value, uint32_t value_length) {
- test_for_missing_cache();
- test_for_missing_key();
- test_for_missing_value();
- test_for_value_too_large();
- lock_cache();
-
- // see if the key already exists
- uint32_t hash_index = lruc_hash(cache, key, key_length), required = 0;
- lruc_item *item = NULL, *prev = NULL;
- item = cache->items[hash_index];
-
- while(item && lruc_cmp_keys(item, key, key_length)) {
- prev = item;
- item = (lruc_item *) item->next;
- }
-
- if(item) {
- // update the value and value_lengths
- required = value_length - item->value_length;
- free(item->value);
- item->value = value;
- item->value_length = value_length;
-
- } else {
- // insert a new item
- item = lruc_pop_or_create_item(cache);
- item->value = value;
- item->key = key;
- item->value_length = value_length;
- item->key_length = key_length;
- required = value_length;
-
- if(prev)
- prev->next = item;
- else
- cache->items[hash_index] = item;
- }
- item->access_count = ++cache->access_count;
-
- // remove as many items as necessary to free enough space
- if(required > 0 && required > cache->free_memory) {
- while(cache->free_memory < required)
- lruc_remove_lru_item(cache);
- }
- cache->free_memory -= required;
- unlock_cache();
- return LRUC_NO_ERROR;
-}
-
-
-lruc_error lruc_get(lruc *cache, void *key, uint32_t key_length, void **value) {
- test_for_missing_cache();
- test_for_missing_key();
- lock_cache();
-
- // loop until we find the item, or hit the end of a chain
- uint32_t hash_index = lruc_hash(cache, key, key_length);
- lruc_item *item = cache->items[hash_index];
-
- while(item && lruc_cmp_keys(item, key, key_length))
- item = (lruc_item *) item->next;
-
- if(item) {
- *value = item->value;
- item->access_count = ++cache->access_count;
- } else {
- *value = NULL;
- }
-
- unlock_cache();
- return LRUC_NO_ERROR;
-}
-
-
-lruc_error lruc_delete(lruc *cache, void *key, uint32_t key_length) {
- test_for_missing_cache();
- test_for_missing_key();
- lock_cache();
-
- // loop until we find the item, or hit the end of a chain
- lruc_item *item = NULL, *prev = NULL;
- uint32_t hash_index = lruc_hash(cache, key, key_length);
- item = cache->items[hash_index];
-
- while(item && lruc_cmp_keys(item, key, key_length)) {
- prev = item;
- item = (lruc_item *) item->next;
- }
-
- if(item) {
- lruc_remove_item(cache, prev, item, hash_index);
- }
-
- unlock_cache();
- return LRUC_NO_ERROR;
-}
Powered by cgit, Themed by Ted Yin.