authorLuca Deri <deri@ntop.org>2017-10-14 11:21:01 +0200
committerLuca Deri <deri@ntop.org>2017-10-14 11:21:01 +0200
commit75993242b0d9a2982140bef3a1b574f46640b572 (patch)
treeb9a38bf5d203e92b2bbec93fc0363a1e235b5a07 /wireshark
parent83d5a46ec483e934317671b8fa015ac12add7849 (diff)
Implemented HTTP User Agent discovery
Diffstat (limited to 'wireshark')
-rw-r--r--wireshark/ndpi.lua82
1 files changed, 81 insertions, 1 deletions
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index ad1f5fe0e..bab43abe8 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -53,6 +53,7 @@ local f_tcp_ooo = Field.new('tcp.analysis.out_of_order')
local f_tcp_lost_segment = Field.new('tcp.analysis.lost_segment') -- packet drop ?
local f_rpc_xid = Field.new('rpc.xid')
local f_rpc_msgtyp = Field.new('rpc.msgtyp')
+local f_user_agent = Field.new('http.user_agent')
local ndpi_protos = {}
local ndpi_flows = {}
@@ -84,6 +85,9 @@ local max_num_dns_queries = 50
local ssl_server_names = {}
local tot_ssl_flows = 0
+local http_ua = {}
+local tot_http_ua_flows = 0
+
local min_nw_client_RRT = {}
local min_nw_server_RRT = {}
local max_nw_client_RRT = {}
@@ -214,6 +218,24 @@ end
-- ###############################################
+function pairsByKeys(t, f)
+ local a = {}
+
+ -- io.write(debug.traceback().."\n")
+ for n in pairs(t) do table.insert(a, n) end
+ table.sort(a, f)
+ local i = 0 -- iterator variable
+ local iter = function () -- iterator function
+ i = i + 1
+ if a[i] == nil then return nil
+ else return a[i], t[a[i]]
+ end
+ end
+ return iter
+end
+
+-- ###############################################
+
function pairsByValues(t, f)
local a = {}
for n in pairs(t) do table.insert(a, n) end
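Review bot: `pairsByKeys` is declared without `local`, so it is written into the global environment of the Wireshark Lua state, where any other loaded plugin defining the same name silently overrides it; `pairsByValues` next to it follows the same pattern, so this may be deliberate file style, but a `local function pairsByKeys(t, f)` placed before its first use would keep it private without changing behaviour. The commented-out `-- io.write(debug.traceback().."\n")` debugging line should be dropped rather than committed. The helper also deserves a one-line doc comment, since its contract is easy to get wrong: `--- Iterates t in sorted key order; f is passed to table.sort and must be a strict less-than comparator`. The comparator later handed to it (`rev`) is not defined in this diff, so whether it satisfies that constraint cannot be checked here.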
@@ -293,7 +315,12 @@ function ndpi_proto.init()
-- SSL
ssl_server_names = {}
-
+ tot_ssl_flows = 0
+
+ -- HTTP
+ http_ua = {}
+ tot_http_ua_flows = 0
+
-- DNS
dns_responses_ok = {}
dns_responses_error = {}
@@ -482,6 +509,27 @@ end
-- ###############################################
+function http_dissector(tvb, pinfo, tree)
+ local user_agent = f_user_agent()
+ if(user_agent ~= nil) then
+ local srckey = tostring(pinfo.src)
+
+ user_agent = getval(user_agent)
+
+ if(http_ua[user_agent] == nil) then
+ http_ua[user_agent] = { }
+ tot_http_ua_flows = tot_http_ua_flows + 1
+ end
+
+ if(http_ua[user_agent][srckey] == nil) then
+ http_ua[user_agent][srckey] = 1
+ -- io.write("Adding ["..user_agent.."] @ "..srckey.."\n")
+ end
+ end
+end
+
+-- ###############################################
+
function dns_dissector(tvb, pinfo, tree)
local dns_response = f_dns_response()
if(dns_response ~= nil) then
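Review bot: `http_ua` is keyed by the raw User-Agent string taken from the capture, and every distinct value adds a new table entry with no upper bound, so a long capture (or a peer emitting random User-Agent values) grows the plugin's memory without limit; the file already caps the DNS table with `max_num_dns_queries`, and the same guard fits here, e.g. inside the `http_ua[user_agent] == nil` branch: `if(tot_http_ua_flows >= max_num_http_ua) then return end` with a new `local max_num_http_ua` declared beside `max_num_dns_queries`. `tot_http_ua_flows` is incremented once per distinct User-Agent, not per flow, so the name misleads readers of the dialog code; `tot_http_ua` or a comment saying `-- number of distinct User-Agent strings seen` would be clearer. The code also assumes `getval(user_agent)` returns a non-nil string usable as a table key; `getval` is not in this diff, so if it can return nil the `http_ua[user_agent]` index on the next line raises an error for that packet.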
@@ -843,6 +891,7 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
arp_dissector(tvb, pinfo, tree)
vlan_dissector(tvb, pinfo, tree)
ssl_dissector(tvb, pinfo, tree)
+ http_dissector(tvb, pinfo, tree)
dns_dissector(tvb, pinfo, tree)
rpc_dissector(tvb, pinfo, tree)
end
@@ -1124,6 +1173,36 @@ end
-- ###############################################
+local function http_ua_dialog_menu()
+ local win = TextWindow.new("HTTP User Agent");
+ local label = ""
+ local tot = 0
+ local i
+
+ if(tot_http_ua_flows > 0) then
+ i = 0
+ label = label .. "Client\t\tUser Agent\n"
+ for k,v in pairsByKeys(http_ua, rev) do
+ local ips = ""
+ for k1,v1 in pairs(v) do
+ if(ips ~= "") then ips = ips .. "," end
+ ips = ips .. k1
+ end
+
+ -- label = label .. string.format("%-32s", shortenString(k,32)).."\t"..ips.."\n"
+ label = label .. ips.."\t"..k.."\n"
+ if(i == 50) then break else i = i + 1 end
+ end
+ else
+ label = "No HTTP User agents detected"
+ end
+
+ win:set(label)
+ win:add_button("Clear", function() win:clear() end)
+end
+
+-- ###############################################
+
local function ssl_dialog_menu()
local win = TextWindow.new("SSL Server Contacts");
local label = ""
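Review bot: The row limit in `http_ua_dialog_menu` lets 51 rows through rather than the presumably intended 50, because `i` starts at 0 and `if(i == 50) then break else i = i + 1 end` is evaluated only after the row has already been appended; moving the count to the top of the loop body, `i = i + 1; if(i > 50) then break end`, gives exactly 50. The User-Agent key `k` is copied into the tab-separated `label` unchanged, so a value containing a tab or newline shifts the columns of every row after it (the commented-out `shortenString` line suggests this was considered); writing `(k:gsub("%c", "?"))` in its place keeps the layout stable, and the outer parentheses matter because `gsub` returns two values. `rev`, the comparator passed to `pairsByKeys`, is not defined anywhere in this diff, so its sort order cannot be confirmed from here; a comment naming what it sorts by would help. The unused `v1` in the inner `pairs(v)` loop would conventionally be written `_`.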
@@ -1195,6 +1274,7 @@ register_menu("ntop/ARP", arp_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/VLAN", vlan_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/IP-MAC", ip_mac_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/DNS", dns_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/HTTP UA", http_ua_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/SSL", ssl_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/TCP Analysis", tcp_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/Latency/Network", rtt_dialog_menu, MENU_TOOLS_UNSORTED)