-rw-r--r-- | example/ndpiReader.c | 16 | ||||
-rw-r--r-- | example/reader_util.c | 37 | ||||
-rw-r--r-- | example/reader_util.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_define.h.in | 2 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 4 | ||||
-rw-r--r-- | tests/pcap/ja3_lots_of_cipher_suites.pcap | bin | 0 -> 5332 bytes | |||
-rw-r--r-- | tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap | bin | 0 -> 7422 bytes | |||
-rw-r--r-- | tests/result/dnp3.pcap.out | 5 | ||||
-rw-r--r-- | tests/result/ja3_lots_of_cipher_suites.pcap.out | 8 | ||||
-rw-r--r-- | tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out | 8 |
11 files changed, 62 insertions, 28 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 57f8048df..2ded09888 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -843,9 +843,6 @@ static void parseOptions(int argc, char **argv) {
 } }
- if(_pcap_file[0] == NULL)
- help(0);
-
 if(csv_fp) printCSVHeader();
@@ -855,6 +852,9 @@ static void parseOptions(int argc, char **argv) {
 extcap_capture(); }
+ if(_pcap_file[0] == NULL)
+ help(0);
+
 if(strchr(_pcap_file[0], ',')) { /* multiple ingress interfaces */ num_threads = 0; /* setting number of threads = number of interfaces */ __pcap_file = strtok(_pcap_file[0], ",");
@@ -1823,13 +1823,13 @@ static void node_idle_scan_walker(const void *node, ndpi_VISIT which, int depth,
 /* update stats */ node_proto_guess_walker(node, which, depth, user_data);
+ if(verbose == 3)
+ port_stats_walker(node, which, depth, user_data);
 if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) && !undetected_flows_deleted) undetected_flows_deleted = 1;
- ndpi_free_flow_info_half(flow);
- ndpi_free_flow_data_analysis(flow);
- ndpi_free_flow_tls_data(flow);
+ ndpi_flow_info_free_data(flow);
 ndpi_thread_info[thread_id].workflow->stats.ndpi_flow_count--; /* adding to a queue (we can't delete it from the tree inline ) */
@@ -3089,6 +3089,10 @@ void test_lib() {
 } }
+#ifdef USE_DPDK
+ dpdk_port_deinit(dpdk_port_id);
+#endif
+
 gettimeofday(&end, NULL); processing_time_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec); setup_time_usec = begin.tv_sec*1000000 + begin.tv_usec - (startup_time.tv_sec*1000000 + startup_time.tv_usec);
diff --git a/example/reader_util.c b/example/reader_util.c
index 753c78cf1..508777ec2 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
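Review bot: The relocated `if(_pcap_file[0] == NULL) help(0);` in the second parseOptions hunk is immediately followed by `strchr(_pcap_file[0], ',')`, which dereferences the pointer unconditionally, so the guard is only sufficient if `help(0)` never returns; if it can return, add an explicit `return;` (or exit) after it. Moving the check below `extcap_capture()` also means every statement between the old position and the new one — `printCSVHeader()` and whatever lies between the two hunks, outside this view — must not touch `_pcap_file[0]`, and the reason for the new placement is not stated; a one-line comment above the check, e.g. `/* must follow extcap_capture(): it may leave _pcap_file[0] unset on purpose */` adjusted to the actual intent, would make that dependency visible. parseOptions begins and ends outside these hunks.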
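Review bot: In node_idle_scan_walker, replacing the three free calls with `ndpi_flow_info_free_data(flow)` additionally releases the payload-length bins at this site, which the old code did not do; the comment right below says the flow is only queued here and removed from the tree later, and `ndpi_flow_info_freer` in reader_util.c now calls the same function before `ndpi_free(flow)`, so if the queued flow is eventually released through that path the bins are freed twice unless `ndpi_free_bin` resets the bin's storage pointer — that is not visible here and should be confirmed (the half-flow and TLS helpers were already called from both sites, so they are presumably idempotent). A short comment at the call site, `/* releases sub-allocations only; the flow struct itself is freed from the idle queue */`, would make the two-stage teardown explicit for the next reader. The function begins and ends outside the hunk.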
@@ -459,23 +459,13 @@ struct ndpi_workflow* ndpi_workflow_init(const struct ndpi_workflow_prefs * pref
 void ndpi_flow_info_freer(void *node) { struct ndpi_flow_info *flow = (struct ndpi_flow_info*)node;
- ndpi_free_flow_info_half(flow);
- ndpi_free_flow_data_analysis(flow);
- ndpi_free_flow_tls_data(flow);
-
-#ifdef DIRECTION_BINS
- ndpi_free_bin(&flow->payload_len_bin_src2dst);
- ndpi_free_bin(&flow->payload_len_bin_dst2src);
-#else
- ndpi_free_bin(&flow->payload_len_bin);
-#endif
-
+ ndpi_flow_info_free_data(flow);
 ndpi_free(flow); } /* ***************************************************** */
-void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
+static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
 if(flow->ssh_tls.server_names) { ndpi_free(flow->ssh_tls.server_names);
@@ -510,7 +500,7 @@ void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) {
 /* ***************************************************** */
-void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow) {
+static void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow) {
 if(flow->iat_c_to_s) ndpi_free_data_analysis(flow->iat_c_to_s); if(flow->iat_s_to_c) ndpi_free_data_analysis(flow->iat_s_to_c);
@@ -522,6 +512,22 @@ void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow) {
 /* ***************************************************** */
+void ndpi_flow_info_free_data(struct ndpi_flow_info *flow) {
+
+ ndpi_free_flow_info_half(flow);
+ ndpi_free_flow_data_analysis(flow);
+ ndpi_free_flow_tls_data(flow);
+
+#ifdef DIRECTION_BINS
+ ndpi_free_bin(&flow->payload_len_bin_src2dst);
+ ndpi_free_bin(&flow->payload_len_bin_dst2src);
+#else
+ ndpi_free_bin(&flow->payload_len_bin);
+#endif
+}
+
+/* ***************************************************** */
+
 void ndpi_workflow_free(struct ndpi_workflow * workflow) { u_int i;
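Review bot: `ndpi_flow_info_free_data` is exported through reader_util.h but carries no contract comment, and its contract matters here: ndpiReader.c calls it on idle flows that are then queued, while `ndpi_flow_info_freer` above calls it again before `ndpi_free(flow)`, so callers need to know that it frees the flow's owned sub-allocations without freeing the flow itself and whether a second call on the same flow is safe. Suggest a header comment above the definition along the lines of `/* Release everything a flow owns (half-flow info, data-analysis state, TLS data, payload bins) but not the flow struct itself. Document here whether repeated calls are safe, i.e. whether every helper NULLs what it frees. */`, with the idempotence statement filled in once confirmed against the helpers. Making `ndpi_free_flow_tls_data` and `ndpi_free_flow_data_analysis` static is a good narrowing; the linker will flag any remaining external caller.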
@@ -2032,4 +2038,9 @@ int dpdk_port_init(int port, struct rte_mempool *mbuf_pool) {
 return 0; }
+int dpdk_port_deinit(int port) {
+ rte_eth_dev_stop(port);
+ rte_eth_dev_close(port);
+}
+
 #endif
diff --git a/example/reader_util.h b/example/reader_util.h
index 8298e2ef8..c94998496 100644
--- a/example/reader_util.h
+++ b/example/reader_util.h
@@ -50,6 +50,7 @@
 #define PREFETCH_OFFSET 3 extern int dpdk_port_init(int port, struct rte_mempool *mbuf_pool);
+extern int dpdk_port_deinit(int port);
 #endif /* ETTA Spec defiintions for feature readiness */
@@ -328,9 +329,8 @@ static inline void ndpi_workflow_set_flow_giveup_callback(struct ndpi_workflow *
 int ndpi_workflow_node_cmp(const void *a, const void *b); void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); u_int32_t ethernet_crc32(const void* data, size_t n_bytes);
+void ndpi_flow_info_free_data(struct ndpi_flow_info *flow);
 void ndpi_flow_info_freer(void *node);
-void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow);
-void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow);
 const char* print_cipher_id(u_int32_t cipher); float ndpi_flow_get_byte_count_entropy(const uint32_t byte_count[256], unsigned int num_bytes);
diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in
index be7c21175..13989a60e 100644
--- a/src/include/ndpi_define.h.in
+++ b/src/include/ndpi_define.h.in
@@ -277,7 +277,7 @@
 #define NDPI_SET_BIT(num, n) num |= 1UL << n #define NDPI_CLR_BIT(num, n) num &= ~(1UL << n) #define NDPI_CLR_BIT(num, n) num &= ~(1UL << n)
-#define NDPI_ISSET_BIT(num, n) (num & (1 << n))
+#define NDPI_ISSET_BIT(num, n) (num & (1UL << n))
 #define NDPI_ZERO_BIT(num) num = 0 /* this is a very very tricky macro *g*,
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e34a5a5ee..957e3b763 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
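Review bot: `dpdk_port_deinit` is declared `int` here and in the reader_util.h hunk but has no return statement, so control flows off the end of a non-void function and the value is indeterminate; the only caller visible, test_lib in ndpiReader.c, discards it, which hides the problem. Either give it a real status, at minimum `return 0;` after `rte_eth_dev_close(port);`, or make the function `void` in both the definition and the header declaration. A one-line comment stating that the function must only be called after `dpdk_port_init` succeeded for the same port would also help, since nothing here checks the port state.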
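Review bot: Changing `1 << n` to `1UL << n` makes NDPI_ISSET_BIT consistent with NDPI_SET_BIT and NDPI_CLR_BIT, but `unsigned long` is 32 bits on LLP64 targets such as Windows, so if `num` is ever a 64-bit quantity, bits 32–63 cannot be set, cleared or tested there; `1ULL`, or a shift in the type of `num`, would be portable. All three macros also leave their arguments unparenthesized — `((num) & (1UL << (n)))` — and a shift count at or above the width of the type is undefined behaviour, so any caller deriving `n` from packet contents needs a range check first. The context shows `NDPI_CLR_BIT` defined twice; if that is really in the file rather than a rendering artefact, the duplicate line should be dropped.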
@@ -3288,6 +3288,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
 /* IEC 60870-5-104 */ init_104_dissector(ndpi_str, &a, detection_bitmask);
+ /* DNP3 */
+ init_dnp3_dissector(ndpi_str, &a, detection_bitmask);
+
 /* WEBSOCKET */ init_websocket_dissector(ndpi_str, &a, detection_bitmask);
@@ -4376,7 +4379,8 @@ static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
 packet->http_cookie.len = 0, packet->http_origin.len = 0, packet->http_origin.ptr = NULL, packet->http_x_session_type.ptr = NULL, packet->http_x_session_type.len = 0, packet->server_line.ptr = NULL, packet->server_line.len = 0, packet->http_method.ptr = NULL, packet->http_method.len = 0,
- packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->http_num_headers = 0;
+ packet->http_response.ptr = NULL, packet->http_response.len = 0, packet->http_num_headers = 0,
+ packet->forwarded_line.ptr = NULL, packet->forwarded_line.len = 0;
 } /* ********************************************************************************* */
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index c9b2d0ee2..007931e19 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -818,14 +818,14 @@ static void ndpi_int_tls_add_connection(struct ndpi_detection_module_struct *ndp
 /* https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 */ #define JA3_STR_LEN 1024
-#define MAX_NUM_JA3 128
+#define MAX_NUM_JA3 512
 struct ja3_info { u_int16_t tls_handshake_version; u_int16_t num_cipher, cipher[MAX_NUM_JA3]; u_int16_t num_tls_extension, tls_extension[MAX_NUM_JA3]; u_int16_t num_elliptic_curve, elliptic_curve[MAX_NUM_JA3];
- u_int8_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
+ u_int16_t num_elliptic_curve_point_format, elliptic_curve_point_format[MAX_NUM_JA3];
 }; /* **************************************** */
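Review bot: In the tls.c hunk, widening `num_elliptic_curve_point_format` to u_int16_t is required by the new `MAX_NUM_JA3` of 512 — a u_int8_t counter guarded by `num < MAX_NUM_JA3` could never reach the bound and would wrap at 256 — but the loops that fill `cipher`, `tls_extension`, `elliptic_curve` and `elliptic_curve_point_format` from the ClientHello are outside this hunk and each must still stop at `MAX_NUM_JA3` before writing; they are worth re-checking against the new constant rather than a stale literal 128. The struct now carries four 512-element u_int16_t arrays, roughly 4 KiB; if `struct ja3_info` is instantiated as a local in the TLS parser (not visible here), a comment such as `/* ~4 KiB of arrays — keep off deep stacks */` or a `_Static_assert` on its size would document the cost. The ndpi_main.c hunks (DNP3 dissector registration and the `forwarded_line` reset) follow the surrounding patterns and raise nothing on their own.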
diff --git a/tests/pcap/ja3_lots_of_cipher_suites.pcap b/tests/pcap/ja3_lots_of_cipher_suites.pcap
Binary files differ
new file mode 100644
index 000000000..86fc74712
--- /dev/null
+++ b/tests/pcap/ja3_lots_of_cipher_suites.pcap
diff --git a/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap b/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap
Binary files differ
new file mode 100644
index 000000000..7286f3a73
--- /dev/null
+++ b/tests/pcap/ja3_lots_of_cipher_suites_2_anon.pcap
diff --git a/tests/result/dnp3.pcap.out b/tests/result/dnp3.pcap.out
index 4c9319e5d..5d80040a7 100644
--- a/tests/result/dnp3.pcap.out
+++ b/tests/result/dnp3.pcap.out
@@ -1,8 +1,7 @@ -SOCKS 135 9351 1 -DNP3 408 29403 7 +DNP3 543 38754 8 1 TCP 10.0.0.8:2828 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][60 pkts/4041 bytes <-> 78 pkts/7164 bytes][Goodput ratio: 17/38][121.83 sec][bytes ratio: -0.279 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 421/302 13044/8439 1926/1115][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 67/92 79/145 5/37][Plen Bins: 64,3,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 10.0.0.9:1080 <-> 10.0.0.3:20000 [proto: 172/SOCKS][cat: Web/5][72 pkts/4659 bytes <-> 63 pkts/4692 bytes][Goodput ratio: 10/27][384.60 sec][bytes ratio: -0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 4732/3049 75028/40127 13787/9968][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 65/74 81/147 7/16][Plen Bins: 96,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 10.0.0.9:1080 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][72 pkts/4659 bytes <-> 63 pkts/4692 bytes][Goodput ratio: 10/27][384.60 sec][bytes ratio: -0.004 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 4732/3049 75028/40127 13787/9968][Pkt Len c2s/s2c min/avg/max/stddev: 60/62 65/74 81/147 7/16][Plen Bins: 96,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 10.0.0.8:1086 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][57 pkts/3891 bytes <-> 36 pkts/2760 bytes][Goodput ratio: 17/28][70.37 sec][bytes ratio: 0.170 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1467/2686 45001/45233 7093/9611][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 68/77 81/147 8/22][Plen Bins: 95,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 4 TCP 10.0.0.8:2789 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][24 pkts/1584 bytes <-> 15 pkts/1005 bytes][Goodput ratio: 12/15][123.54 sec][bytes ratio: 0.224 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 162/2 2891/21 628/7][Pkt Len c2s/s2c 
min/avg/max/stddev: 60/60 66/67 79/71 8/5][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 TCP 10.0.0.8:2803 <-> 10.0.0.3:20000 [proto: 244/DNP3][cat: Network/14][21 pkts/1374 bytes <-> 18 pkts/1119 bytes][Goodput ratio: 10/5][25.63 sec][bytes ratio: 0.102 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1205/2488 17203/17487 4073/5519][Pkt Len c2s/s2c min/avg/max/stddev: 60/60 65/62 78/71 8/4][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/ja3_lots_of_cipher_suites.pcap.out b/tests/result/ja3_lots_of_cipher_suites.pcap.out new file mode 100644 index 000000000..cac6eadfb --- /dev/null +++ b/tests/result/ja3_lots_of_cipher_suites.pcap.out 
@@ -0,0 +1,8 @@ +TLS 11 5132 1 + +JA3 Host Stats: + IP Address # JA3C + 1 10.206.131.18 1 + + + 1 TCP 10.206.131.18:58657 <-> 10.206.65.249:443 [VLAN: 258][proto: 91/TLS][cat: Web/5][5 pkts/1144 bytes <-> 6 pkts/3988 bytes][Goodput ratio: 70/90][0.22 sec][bytes ratio: -0.554 (Download)][IAT c2s/s2c min/avg/max/stddev: 1/0 64/39 164/136 72/50][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 229/665 866/1522 319/650][Risk: ** TLS Certificate Mismatch **** TLS (probably) not carrying HTTPS **][TLSv1.2][JA3C: 0463681bfef175d3d61ec414c65e482c][JA3S: 9d456958a9e86bb0d503543beaf1a65b][Issuer: C=US, ST=New York, L=Rochester, O=Xerox Corporation, OU=Generic Root Certificate Authority, CN=Xerox Generic Root Certificate Authority][Subject: C=US, ST=Connecticut, L=Norwalk, O=Xerox Corporation, OU=Global Product Delivery Group, CN=XRX9C934E949FEF, C=US, ST=Connecticut, L=Norwalk, O=Xerox Corporation, OU=Global Product Delivery Group, CN=XRX9C934E949FEF][Certificate SHA-1: 3B:2B:5E:58:6E:3E:30:1F:52:BF:9B:81:20:47:DE:10:A0:67:8E:FA][Validity: 2018-11-29 18:57:22 - 2023-11-29 18:57:22][Cipher: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,25,0,0,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0] diff --git a/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out new file mode 100644 index 000000000..4dbffc3ed --- /dev/null +++ b/tests/result/ja3_lots_of_cipher_suites_2_anon.pcap.out 
@@ -0,0 +1,8 @@ +TLS 27 6966 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.147.177 1 + + + 1 TCP 192.168.147.177:58496 <-> 151.121.193.160:443 [proto: GTP:91/TLS][cat: Web/5][13 pkts/3520 bytes <-> 14 pkts/3446 bytes][Goodput ratio: 60/59][5.96 sec][bytes ratio: 0.011 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 479/256 1619/1072 582/419][Pkt Len c2s/s2c min/avg/max/stddev: 106/90 271/246 1202/1490 315/354][Risk: ** Self-signed Certificate **** Weak TLS cipher **** TLS (probably) not carrying HTTPS **][TLSv1.2][Client: 192.69.136.179][JA3C: 50221ef5bde0fcee8864bbcea5211d51][JA3S: 7c02dbae662670040c7af9bd15fb7e2f (WEAK)][Issuer: C=DE, ST=Munich, L=Grenoble, O=Munniccan Establishment GmBH, OU=Munnican Workforce, CN=munniccan.de][Subject: C=DE, ST=Munich, L=Grenoble, O=Munniccan Establishment GmBH, OU=Munnican Workforce, CN=munniccan.de][Certificate SHA-1: 91:0C:1D:82:6B:28:01:8F:55:03:28:5B:90:A9:18:B9:ED:72:01:37][Validity: 2016-12-21 19:19:24 - 2019-09-16 19:19:24][Cipher: TLS_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 9,27,0,0,0,9,18,0,0,0,0,0,9,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,9,0,0,0] |