10 files changed, 58 insertions, 32 deletions
diff --git a/README.md b/README.md
index d9802fc2d..5aff79ae9 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ The entire procedure of adding new protocols in detail:
1. Add new protocol together with its unique ID to: src/include/ndpi_protocol_ids.h
2. Create a new protocol in: src/lib/protocols/
-3. Variables to be kept for the duration of the entire flow (as state variables) needs to be placed in: /include/ndpi_structs.h in ndpi_flow_tcp_struct (for TCP only), ndpi_flow_udp_struct (for UDP only), or ndpi_flow_struct (for both).
+3. Variables to be kept for the duration of the entire flow (as state variables) need to be placed in: src/include/ndpi_typedefs.h in ndpi_flow_tcp_struct (for TCP only), ndpi_flow_udp_struct (for UDP only), or ndpi_flow_struct (for both).
4. Add a new entry for the search function for the new protocol in: src/include/ndpi_protocols.h
5. Choose (do not change anything) a selection bitmask from: src/include/ndpi_define.h
6. Add a new entry in ndpi_set_protocol_detection_bitmask2 in: src/lib/ndpi_main.c
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index 8d8ee47b0..40153e168 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -96,6 +96,7 @@ static struct timeval pcap_start, pcap_end;
static time_t capture_for = 0;
static time_t capture_until = 0;
static u_int32_t num_flows;
+static struct ndpi_detection_module_struct *ndpi_info_mod = NULL;
struct flow_info {
struct ndpi_flow_info *flow;
@@ -272,8 +273,7 @@ static void help(u_int long_help) {
if(long_help) {
printf("\n\nSupported protocols:\n");
num_threads = 1;
- setupDetection(0, NULL);
- ndpi_dump_protocols(ndpi_thread_info[0].workflow->ndpi_struct);
+ ndpi_dump_protocols(ndpi_info_mod);
}
exit(!long_help);
}
@@ -365,34 +365,30 @@ int cmpFlows(const void *_a, const void *_b) {
void extcap_config() {
int i, argidx = 0;
- struct ndpi_detection_module_struct *ndpi_mod;
struct ndpi_proto_sorter *protos;
/* -i <interface> */
- printf("arg {number=%d}{call=-i}{display=Capture Interface or Pcap File Path}{type=string}"
+ printf("arg {number=%d}{call=-i}{display=Capture Interface}{type=string}"
"{tooltip=The interface name}\n", argidx++);
printf("arg {number=%d}{call=-i}{display=Pcap File to Analyze}{type=fileselect}"
"{tooltip=The pcap file to analyze (if the interface is unspecified)}\n", argidx++);
- setupDetection(0, NULL);
- ndpi_mod = ndpi_thread_info[0].workflow->ndpi_struct;
-
- protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter)*ndpi_mod->ndpi_num_supported_protocols);
+ protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter) * ndpi_info_mod->ndpi_num_supported_protocols);
if(!protos) exit(0);
- for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) {
+ for(i=0; i<(int) ndpi_info_mod->ndpi_num_supported_protocols; i++) {
protos[i].id = i;
- snprintf(protos[i].name, sizeof(protos[i].name), "%s", ndpi_mod->proto_defaults[i].protoName);
+ snprintf(protos[i].name, sizeof(protos[i].name), "%s", ndpi_info_mod->proto_defaults[i].protoName);
}
- qsort(protos, ndpi_mod->ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto);
+ qsort(protos, ndpi_info_mod->ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto);
printf("arg {number=%d}{call=-9}{display=nDPI Protocol Filter}{type=selector}"
"{tooltip=nDPI Protocol to be filtered}\n", argidx);
printf("value {arg=%d}{value=%d}{display=%s}\n", argidx, -1, "All Protocols (no nDPI filtering)");
- for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++)
+ for(i=0; i<(int)ndpi_info_mod->ndpi_num_supported_protocols; i++)
printf("value {arg=%d}{value=%d}{display=%s (%d)}\n", argidx, protos[i].id,
protos[i].name, protos[i].id);
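Review bot: The `protos = (struct ndpi_proto_sorter*)malloc(...)` line keeps the `if(!protos) exit(0);` guard, so an allocation failure while answering an extcap probe terminates with a success status and the caller never learns anything went wrong; report it and use a non-zero code, e.g. `if(!protos) { fprintf(stderr, "Out of memory\n"); exit(1); }`. Since the count now comes from `ndpi_info_mod`, `protos = calloc(ndpi_info_mod->ndpi_num_supported_protocols, sizeof *protos);` also removes the manual size multiplication and the cast on the malloc result. extcap_config continues past the hunk, so whether `protos` is released after the listing is not visible here.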
@@ -578,7 +574,8 @@ static void parseOptions(int argc, char **argv) {
break;
case '9':
- extcap_packet_filter = atoi(optarg);
+ extcap_packet_filter = ndpi_get_proto_by_name(ndpi_info_mod, optarg);
+ if (extcap_packet_filter == NDPI_PROTOCOL_UNKNOWN) extcap_packet_filter = atoi(optarg);
break;
default:
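Review bot: The fallback `if (extcap_packet_filter == NDPI_PROTOCOL_UNKNOWN) extcap_packet_filter = atoi(optarg);` accepts any command-line text and never range-checks the result, so a misspelled protocol name silently becomes 0 and an out-of-range number is stored as a filter id that no protocol has. The protocol count is now reachable through `ndpi_info_mod`, so the numeric path can parse with strtol and reject anything that is not a complete number inside `[0, ndpi_num_supported_protocols)`. parseOptions begins and ends outside the hunk.
```c
      case '9':
        extcap_packet_filter = ndpi_get_proto_by_name(ndpi_info_mod, optarg);
        if (extcap_packet_filter == NDPI_PROTOCOL_UNKNOWN) {
          char *end = NULL;
          long v = strtol(optarg, &end, 10);

          if (end == optarg || *end != '\0'
              || v < 0 || v >= (long)ndpi_info_mod->ndpi_num_supported_protocols) {
            fprintf(stderr, "Invalid protocol filter '%s'\n", optarg);
            exit(1);
          }
          extcap_packet_filter = v;
        }
        break;
```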
@@ -1117,6 +1114,8 @@ static struct receiver *cutBackTo(struct receiver **receivers, u_int32_t size, u
HASH_DEL(*receivers, r);
free(r);
}
+
+ return(NULL);
}
/* *********************************************** */
@@ -2302,11 +2301,8 @@ static void pcap_process_packet(u_char *args,
return;
}
- /* Check if capture is live or not */
- if(!live_capture) {
- if(!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec;
- pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec;
- }
+ if(!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec;
+ pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec;
/* Idle flows cleanup */
if(live_capture) {
@@ -3123,6 +3119,9 @@ int main(int argc, char **argv) {
automataUnitTest();
+ ndpi_info_mod = ndpi_init_detection_module();
+ if (ndpi_info_mod == NULL) return -1;
+
memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info));
parseOptions(argc, argv);
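Review bot: `if (ndpi_info_mod == NULL) return -1;` exits silently, and `return -1` from main yields an exit status of 255 rather than a conventional failure code; emit a diagnostic first, e.g. `if(ndpi_info_mod == NULL) { fprintf(stderr, "Unable to initialize the nDPI detection module\n"); return 1; }`. help() and extcap_config() in the earlier hunks now dereference `ndpi_info_mod`, so this initialization must stay ahead of the `parseOptions(argc, argv);` call that follows it; a one-line comment such as `/* Must precede parseOptions(): help() and extcap_config() use ndpi_info_mod */` would protect that ordering. main continues outside the hunk.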
@@ -3153,6 +3152,7 @@ int main(int argc, char **argv) {
if(results_path) free(results_path);
if(results_file) fclose(results_file);
if(extcap_dumper) pcap_dump_close(extcap_dumper);
+ if(ndpi_info_mod) ndpi_exit_detection_module(ndpi_info_mod);
return 0;
}
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 0587503f9..5383dcf6b 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1031,6 +1031,7 @@ struct ndpi_flow_struct {
struct {
char fingerprint[48];
+ char class_ident[48];
} dhcp;
} protos;
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index ba14f50f1..1ee97381e 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8031,6 +8031,7 @@ ndpi_protocol_match host_match[] = {
{ ".cloudfront.net", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".apple.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
+ { ".apple-dns.net", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".mzstatic.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".aaplimg.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8048,6 +8049,7 @@ ndpi_protocol_match host_match[] = {
{ ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
{ ".dropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".dropbox-dns.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "log.getdropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebay.", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, /* or FUN */
@@ -8432,7 +8434,7 @@ static const char *ndpi_en_bigrams[] = {
"lz", "nz", "oz", "pz", "rz", "tz", "uz", "zz", NULL };
static const char *ndpi_en_impossible_bigrams[] = {
- "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", "ee",
+ "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */
"fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", "jc", "jd", "jf", "jg", "jh", "jk",
"jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx",
"kz", "lq", "lx", "mg", "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii",
diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c
index cdf33947e..c46cc1c91 100644
--- a/src/lib/protocols/dhcp.c
+++ b/src/lib/protocols/dhcp.c
@@ -104,6 +104,13 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru
"%02X", dhcp->options[i+2+idx] & 0xFF);
offset += 2;
}
+ } else if(id == 60 /* Class Identifier */) {
+ char *name = (char*)&dhcp->options[i+2];
+ int j = 0;
+
+ j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1);
+ strncpy((char*)flow->protos.dhcp.class_ident, name, j);
+ flow->protos.dhcp.class_ident[j] = '\0';
} else if(id == 12 /* Host Name */) {
char *name = (char*)&dhcp->options[i+2];
int j = 0;
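Review bot: The new Class Identifier branch copies `len` bytes from `&dhcp->options[i+2]` into `flow->protos.dhcp.class_ident`, but nothing in the hunk bounds `i + 2 + len` against the remaining payload; the enclosing option loop starts outside the hunk, so confirm that its header already rejects an option that runs past the packet before this copy is reached, and add that check ahead of the strncpy if it does not. `ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1)` compares `len` with a `size_t`; if `len` is a signed type, a negative value would convert to a large unsigned and `j` would exceed the buffer, so it is worth confirming that `len` is an unsigned octet read from the packet. The branch duplicates the Host Name branch just below it, so a small static helper taking the destination buffer and its size would keep the two copies consistent.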
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 94386d61e..67459f562 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -121,7 +121,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct
}
if ((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0)
- && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) {
+ && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip CANCEL.\n");
ndpi_int_sip_add_connection(ndpi_struct, flow, 0);
return;
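Review bot: Moving the scheme comparison to `&packet_payload[7]` means the CANCEL branch now reads payload bytes 7 through 10, whereas the preceding `memcmp(packet_payload, "CANCEL ", 7)` only implies seven bytes are present, and the old code at offset 4 read no further than byte 7; the hunk shows no guard that the payload holds at least 11 bytes. The function header and its length checks lie outside the hunk, so verify that the guard there covers the longer read (ssl.c in this commit uses `packet->payload_packet_len` for that purpose; the field sip.c uses may differ) and add `if(... < 11) return;` before this branch if it does not. A comment such as `/* "CANCEL " is 7 bytes, so the scheme starts at offset 7 */` would explain the constant for the next reader.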
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 5afca5389..231bde1eb 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -641,7 +641,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
return;
} else if((packet->payload_packet_len == 4)
&& (packet->payload[0] == 'W')
- && (packet->payload[1] == 'A')){
+ && (packet->payload[1] == 'A')) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
return;
} else {
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c
index f6987ef19..95233e471 100644
--- a/src/lib/protocols/tor.c
+++ b/src/lib/protocols/tor.c
@@ -16,14 +16,23 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct
int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow, char *certificate) {
-
+ struct ndpi_flow_struct *flow, char *certificate) {
int prev_num = 0, numbers_found = 0, num_found = 0, i, len;
char dummy[48], *dot, *name;
- if((certificate == NULL)
- || (strlen(certificate) < 6)
- || (strncmp(certificate, "www.", 4)))
+ if(certificate == NULL)
+ return(0);
+ else
+ len = strlen(certificate);
+
+ /* Check if it ends in .com or .net */
+ if(strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net"))
+ return(0);
+
+ if((len < 6)
+ || (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */
+ || (strncmp(certificate, "www.", 4)) /* Not starting with www.... */
+ )
return(0);
// printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate);
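Review bot: `strcmp(&certificate[len-4], ".com")` runs before the `len < 6` check, so a certificate name shorter than four characters forms a pointer before the start of the string and reads out of bounds; move the length test ahead of the suffix test, `len = strlen(certificate); if(len < 6) return(0);`, and drop `len < 6` from the later condition. The `if(certificate == NULL) return(0); else len = strlen(certificate);` shape can be flattened into a plain guard followed by the assignment. `certificate` is never written through, so the parameter could be `const char *certificate`, provided the prototype in the header is updated to match. The function body continues past the hunk.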
@@ -55,13 +64,12 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct,
} else
prev_num = 0;
- if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
- ndpi_int_tor_add_connection(ndpi_struct, flow);
- return(1);
- }
-
+
if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) {
num_found++;
+ } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) {
+ ndpi_int_tor_add_connection(ndpi_struct, flow);
+ return(1);
}
}
diff --git a/tests/pcap/sip.pcap b/tests/pcap/sip.pcap
new file mode 100644
index 000000000..8cd7f4761
--- /dev/null
+++ b/tests/pcap/sip.pcap
Binary files differ
diff --git a/tests/result/sip.pcap.out b/tests/result/sip.pcap.out
new file mode 100644
index 000000000..8f1dfb3d2
--- /dev/null
+++ b/tests/result/sip.pcap.out
@@ -0,0 +1,8 @@
+RTP 9 1926 1
+SIP 102 47087 2
+RTCP 1 146 1
+
+ 1 UDP 192.168.1.2:5060 <-> 212.242.33.35:5060 [proto: 100/SIP][53 pkts/21940 bytes <-> 31 pkts/15635 bytes]
+ 2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][15 pkts/7568 bytes <-> 3 pkts/1944 bytes]
+ 3 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][9 pkts/1926 bytes -> 0 pkts/0 bytes]
+ 4 UDP 192.168.1.2:30001 -> 212.242.33.36:40393 [proto: 165/RTCP][1 pkts/146 bytes -> 0 pkts/0 bytes]