-rw-r--r--src/include/ndpi_typedefs.h7
-rw-r--r--src/lib/protocols/ntp.c13
-rwxr-xr-xtests/do.sh2
-rw-r--r--tests/pcap/NTPv2.pcapbin0 -> 450 bytes
-rw-r--r--tests/pcap/NTPv3.pcapbin0 -> 130 bytes
-rw-r--r--tests/pcap/NTPv4.pcapbin0 -> 130 bytes
-rw-r--r--tests/result/NTPv2.pcap.out3
-rw-r--r--tests/result/NTPv3.pcap.out3
-rw-r--r--tests/result/NTPv4.pcap.out3
9 files changed, 27 insertions, 4 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 7b6b90121..8ea4650a6 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -720,7 +720,12 @@ typedef struct ndpi_flow_struct {
u_int8_t bad_packet /* the received packet looks bad */;
u_int16_t query_type, query_class, rsp_type;
} dns;
-
+
+ struct {
+ u_int8_t request_code;
+ u_int8_t version;
+ } ntp;
+
struct {
char client_certificate[48], server_certificate[48];
} ssl;
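Review bot: The two fields added in the `ntp` struct have no comments, although `bad_packet` a few lines above is documented inline. From the ntp.c hunk in this commit, `version` is bits 3-5 of the first payload byte and `request_code` is payload byte 3, written only when the version is 2; I would record that as `u_int8_t request_code; /* payload byte 3; set only when version == 2 */` and `u_int8_t version; /* bits 3-5 of the first payload byte */`. Without that, a consumer has no way to tell that `request_code` is not assigned by the dissector for other versions. The enclosing struct starts and ends outside this hunk.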
diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index 7b65c4c16..a0fa92a20 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -46,14 +46,23 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc
NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP port detected\n");
- if (packet->payload_packet_len != 48)
- goto exclude_ntp;
+ // It's not correct because packets could be bigger
+ //if (packet->payload_packet_len != 48)
+ // goto exclude_ntp;
NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP length detected\n");
if ((((packet->payload[0] & 0x38) >> 3) <= 4)) {
NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "detected NTP.");
+
+ // 38 in binary representation is 00111000
+ flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3;
+
+ if (flow->protos.ntp.version == 2) {
+ flow->protos.ntp.request_code = packet->payload[3];
+ }
+
ndpi_int_ntp_add_connection(ndpi_struct, flow);
return;
}
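Review bot: With the length test commented out, this hunk leaves no lower bound on `packet->payload_packet_len` before `packet->payload[0]` and, for version 2, `packet->payload[3]` are read, so a port-123 datagram shorter than four bytes is indexed past its payload. The stated reason is that packets can be larger than 48 bytes, which argues for relaxing the equality to a minimum rather than removing it: `if (packet->payload_packet_len < 48) goto exclude_ntp;`. If shorter NTP messages must still match, require at least 4 bytes before the `payload[3]` read. The added comment should say `0x38` rather than `38`, and the "NTP length detected" log no longer follows any length test. The function body starts and ends outside this hunk, so an earlier guard may exist that is not visible here.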
diff --git a/tests/do.sh b/tests/do.sh
index 764b049f9..bbd44edc6 100755
--- a/tests/do.sh
+++ b/tests/do.sh
@@ -36,4 +36,4 @@ check_results() {
build_results
check_results
-exit $RC \ No newline at end of file
+exit $RC
diff --git a/tests/pcap/NTPv2.pcap b/tests/pcap/NTPv2.pcap
new file mode 100644
index 000000000..ec22e2cda
--- /dev/null
+++ b/tests/pcap/NTPv2.pcap
Binary files differ
diff --git a/tests/pcap/NTPv3.pcap b/tests/pcap/NTPv3.pcap
new file mode 100644
index 000000000..483e349af
--- /dev/null
+++ b/tests/pcap/NTPv3.pcap
Binary files differ
diff --git a/tests/pcap/NTPv4.pcap b/tests/pcap/NTPv4.pcap
new file mode 100644
index 000000000..6f91a111e
--- /dev/null
+++ b/tests/pcap/NTPv4.pcap
Binary files differ
diff --git a/tests/result/NTPv2.pcap.out b/tests/result/NTPv2.pcap.out
new file mode 100644
index 000000000..960fbe062
--- /dev/null
+++ b/tests/result/NTPv2.pcap.out
@@ -0,0 +1,3 @@
+NTP 1 410 1
+
+ 1 UDP 78.46.76.2:80 <-> 208.104.95.10:123 [proto: 9/NTP][1 pkts/410 bytes]
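Review bot: This expected output pins only the `9/NTP` label and the packet and byte counts, so nothing here checks the `version` and `request_code` values that the ntp.c change stores in the flow. The same applies to NTPv3.pcap.out and NTPv4.pcap.out. If the test reader can print those fields, adding them to the flow line would make the three captures distinguishable by the test. A capture with a payload shorter than 48 bytes on port 123 would also cover the path opened by removing the length check.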
diff --git a/tests/result/NTPv3.pcap.out b/tests/result/NTPv3.pcap.out
new file mode 100644
index 000000000..91d817e5e
--- /dev/null
+++ b/tests/result/NTPv3.pcap.out
@@ -0,0 +1,3 @@
+NTP 1 90 1
+
+ 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 9/NTP][1 pkts/90 bytes]
diff --git a/tests/result/NTPv4.pcap.out b/tests/result/NTPv4.pcap.out
new file mode 100644
index 000000000..fba0fd419
--- /dev/null
+++ b/tests/result/NTPv4.pcap.out
@@ -0,0 +1,3 @@
+NTP 1 90 1
+
+ 1 UDP 78.46.76.11:123 <-> 85.22.62.120:123 [proto: 9/NTP][1 pkts/90 bytes]