-rw-r--r-- | src/lib/protocols/bgp.c | 31 | ||||
-rw-r--r-- | src/lib/protocols/ftp_control.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/smb.c | 29 | ||||
-rw-r--r-- | src/lib/protocols/soulseek.c | 447 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 13 | ||||
-rw-r--r-- | src/lib/protocols/tor.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/vmware.c | 45 | ||||
-rw-r--r-- | src/lib/protocols/whoisdas.c | 53 | ||||
-rw-r--r-- | src/lib/protocols/yahoo.c | 564 | ||||
-rw-r--r-- | src/lib/protocols/zattoo.c | 272 | ||||
-rw-r--r-- | src/lib/protocols/zeromq.c | 6 |
11 files changed, 745 insertions, 719 deletions
diff --git a/src/lib/protocols/bgp.c b/src/lib/protocols/bgp.c index e72fdee57..0ec6fa59c 100644 --- a/src/lib/protocols/bgp.c +++ b/src/lib/protocols/bgp.c @@ -1,8 +1,7 @@ /* * bgp.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -21,9 +20,8 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_protocols.h" + #ifdef NDPI_PROTOCOL_BGP @@ -38,19 +36,20 @@ void ndpi_search_bgp(struct ndpi_detection_module_struct *ndpi_struct, struct nd struct ndpi_packet_struct *packet = &flow->packet; u_int16_t bgp_port = htons(179); - if(packet->tcp - && (packet->payload_packet_len > 18) - && (packet->payload[18] < 5) - && ((packet->tcp->dest == bgp_port) || (packet->tcp->source == bgp_port)) - && (get_u_int64_t(packet->payload, 0) == 0xffffffffffffffffULL) - && (get_u_int64_t(packet->payload, 8) == 0xffffffffffffffffULL) - && (ntohs(get_u_int16_t(packet->payload, 16)) <= packet->payload_packet_len) - ) { - NDPI_LOG(NDPI_PROTOCOL_BGP, ndpi_struct, NDPI_LOG_DEBUG, "BGP detected.\n"); - ndpi_int_bgp_add_connection(ndpi_struct, flow); - return; + if(packet->tcp) { + if(packet->payload_packet_len > 18 + && packet->payload[18] < 5 + && ((packet->tcp->dest == bgp_port) || (packet->tcp->source == bgp_port)) + && (get_u_int64_t(packet->payload, 0) == 0xffffffffffffffffULL) + && (get_u_int64_t(packet->payload, 8) == 0xffffffffffffffffULL) + && (ntohs(get_u_int16_t(packet->payload, 16)) <= packet->payload_packet_len)) { + + NDPI_LOG(NDPI_PROTOCOL_BGP, ndpi_struct, NDPI_LOG_DEBUG, "BGP detected.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BGP, NDPI_PROTOCOL_UNKNOWN); + return; + } } - + /* exclude BGP */ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BGP); } 
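Review bot: The restructured condition in ndpi_search_bgp still accepts any length field up to the payload size, because `ntohs(get_u_int16_t(packet->payload, 16)) <= packet->payload_packet_len` has no lower bound; a value below the 19-byte BGP header size, including 0, matches. Adding `&& (ntohs(get_u_int16_t(packet->payload, 16)) >= 19)` beside it tightens the signature without any extra read, since `payload_packet_len > 18` is already checked. Separately, the call to `ndpi_int_bgp_add_connection` is replaced by a direct `ndpi_set_detected_protocol(...)`, but no hunk in bgp.c removes the helper the way the smb.c and soulseek.c hunks do. If it is still defined as `static` in the untouched lines above the function, it is now unused and should be deleted.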
diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index 7576f7567..e9ed7ee45 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -935,6 +935,7 @@ static int ndpi_ftp_control_check_response(const u_int8_t *payload, size_t paylo } static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; u_int32_t payload_len = packet->payload_packet_len; diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index 761b1125a..051aee635 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -1,8 +1,7 @@ /* * smb.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
@@ -21,32 +20,28 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_protocols.h" + #ifdef NDPI_PROTOCOL_SMB -static void ndpi_int_smb_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB, NDPI_PROTOCOL_UNKNOWN); -} void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - if(packet && packet->tcp) { + /* Check connection over TCP */ + if(packet->tcp) { NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "search SMB.\n"); - - if (packet->tcp->dest == htons(445) - && packet->payload_packet_len > (32 + 4 + 4) - && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) - && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { + + if(packet->tcp->dest == htons(445) + && packet->payload_packet_len > (32 + 4 + 4) + && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) + && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { + NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "found SMB.\n"); - ndpi_int_smb_add_connection(ndpi_struct, flow); - return; + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB, NDPI_PROTOCOL_UNKNOWN); + return; } } diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c index 3b4a0dd94..2e13edd3a 100644 --- a/src/lib/protocols/soulseek.c +++ b/src/lib/protocols/soulseek.c @@ -1,8 +1,7 @@ /* * soulseek.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
@@ -21,266 +20,294 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SOULSEEK -static void ndpi_int_soulseek_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); - - if (src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; - } - if (dst != NULL) { - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - } - - return; -} -void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) +void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek: search soulseec tcp \n"); - + if(packet->tcp) { + + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SOULSEEK) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "packet marked as Soulseek\n"); + if(src != NULL) + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", + NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) + != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) src->soulseek_last_safe_access_time); + if(dst != NULL) + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", + NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) + != 0 ? 
1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) dst->soulseek_last_safe_access_time); + + if(packet->payload_packet_len == 431) { + if(dst != NULL) { + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + } + return; + } + if(packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) { + if(src != NULL) { + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(packet->tcp != NULL && src->soulseek_listen_port == 0) { + src->soulseek_listen_port = get_l32(packet->payload, 8); + return; + } + } + } - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SOULSEEK) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "packet marked as Soulseek\n"); - if (src != NULL) - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", - NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) - != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) src->soulseek_last_safe_access_time); - if (dst != NULL) - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", - NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) - != 0 ? 
1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) dst->soulseek_last_safe_access_time); + if(src != NULL && ((u_int32_t)(packet->tick_timestamp - src->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); + src->soulseek_last_safe_access_time = packet->tick_timestamp; + } - if (packet->payload_packet_len == 431) { - if (dst != NULL) { + if(dst != NULL && ((u_int32_t)(packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); dst->soulseek_last_safe_access_time = packet->tick_timestamp; } - return; - } - if (packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) { - if (src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if (packet->tcp != NULL && src->soulseek_listen_port == 0) { - src->soulseek_listen_port = get_l32(packet->payload, 8); - return; - } - } } - if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - - src->soulseek_last_safe_access_time) < - ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); - src->soulseek_last_safe_access_time = packet->tick_timestamp; - } - if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - - dst->soulseek_last_safe_access_time) < - ndpi_struct->soulseek_connection_ip_tick_timeout)) { + if(dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) + && ((u_int32_t)(packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, 
NDPI_LOG_DEBUG, - "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); + "Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", + dst->soulseek_listen_port, packet->tick_timestamp, dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); + dst->soulseek_last_safe_access_time = packet->tick_timestamp; - } - } - + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; - if (dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) - && ((u_int32_t) - (packet->tick_timestamp - dst->soulseek_last_safe_access_time) < - ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, - "Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseeek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", - dst->soulseek_listen_port, packet->tick_timestamp, - dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } + + if(flow->l4.tcp.soulseek_stage == 0) { - if (flow->l4.tcp.soulseek_stage == 0) { + u_int32_t index = 0; - u_int32_t index = 0; + if(packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) { + while (!get_u_int16_t(packet->payload, index + 2) + && (index + get_l32(packet->payload, index)) < packet->payload_packet_len - 4) { + if(get_l32(packet->payload, index) < 8) /*Minimum soulsek login msg is 8B */ + break; - if (packet->payload_packet_len >= 12 && packet->payload_packet_len < 300 && get_l32(packet->payload, 4) == 1) { - while (!get_u_int16_t(packet->payload, index + 2) - && (index + get_l32(packet->payload, index)) < 
packet->payload_packet_len - 4) { - if (get_l32(packet->payload, index) < 8) /*Minimum soulsek login msg is 8B */ - break; + if(index + get_l32(packet->payload, index) + 4 <= index) { + /* avoid overflow */ + break; + } - if (index + get_l32(packet->payload, index) + 4 <= index) { - /* avoid overflow */ - break; + index += get_l32(packet->payload, index) + 4; } - - index += get_l32(packet->payload, index) + 4; - } - if (index + get_l32(packet->payload, index) == - packet->payload_packet_len - 4 && !get_u_int16_t(packet->payload, 10)) { - /*This structure seems to be soulseek proto */ - index = get_l32(packet->payload, 8) + 12; // end of "user name" - if ((index + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 2)) // for passwd len - { - index += get_l32(packet->payload, index) + 4; //end of "Passwd" - if ((index + 4 + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 6)) // to read version,hashlen - { - index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value" - if (index == get_l32(packet->payload, 0)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, - ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Login Detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; + if(index + get_l32(packet->payload, index) == packet->payload_packet_len - 4 && !get_u_int16_t(packet->payload, 10)) { + /* This structure seems to be soulseek proto */ + index = get_l32(packet->payload, 8) + 12; // end of "user name" + if((index + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 2)) // for passwd len + { + index += get_l32(packet->payload, index) + 4; //end of "Passwd" + if((index + 4 + 4) <= packet->payload_packet_len && !get_u_int16_t(packet->payload, index + 6)) // to read version,hashlen + { + index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value" + if(index == get_l32(packet->payload, 0)) { + + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek 
Login Detected\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } } - } - } + } + } } - } - if (packet->payload_packet_len > 8 - && packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { - //Server Messages: - const u_int32_t msgcode = get_l32(packet->payload, 4); - - if (msgcode == 0x7d) { - flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Messages Search\n"); - return; - } else if (msgcode == 0x02 && packet->payload_packet_len == 12) { - const u_int32_t soulseek_listen_port = get_l32(packet->payload, 8); + if (packet->payload_packet_len > 8 + && packet->payload_packet_len < 200 && get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { + //Server Messages: + const u_int32_t msgcode = get_l32(packet->payload, 4); - if (src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(msgcode == 0x7d) { + flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Messages Search\n"); + return; + } else if(msgcode == 0x02 && packet->payload_packet_len == 12) { + const u_int32_t soulseek_listen_port = get_l32(packet->payload, 8); + + if(src != NULL) { + src->soulseek_last_safe_access_time = packet->tick_timestamp; - if (packet->tcp != NULL && src->soulseek_listen_port == 0) { - src->soulseek_listen_port = soulseek_listen_port; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); + if(packet->tcp != NULL && src->soulseek_listen_port == 0) { + src->soulseek_listen_port = 
soulseek_listen_port; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port); + + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + } + //Peer Messages : Peer Init Message Detection + if(get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { + const u_int32_t typelen = get_l32(packet->payload, packet->payload_packet_len - 9); + const u_int8_t type = packet->payload[packet->payload_packet_len - 5]; + const u_int32_t namelen = get_l32(packet->payload, 5); + if(packet->payload[4] == 0x01 && typelen == 1 + && namelen <= packet->payload_packet_len + && (4 + 1 + 4 + namelen + 4 + 1 + 4) == + packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); return; } + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "1\n"); } - - } - //Peer Messages : Peer Init Message Detection - if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { - const u_int32_t typelen = get_l32(packet->payload, packet->payload_packet_len - 9); - const u_int8_t type = packet->payload[packet->payload_packet_len - 5]; - const u_int32_t namelen = get_l32(packet->payload, 5); - if (packet->payload[4] == 0x01 && typelen == 1 - && namelen <= packet->payload_packet_len - && (4 + 1 + 4 + namelen + 4 + 1 + 4) == - packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - 
ndpi_int_soulseek_add_connection(ndpi_struct, flow); + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "3\n"); + //Peer Message : Pierce Firewall + if(packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5 + && packet->payload[4] <= 0x10 && get_u_int32_t(packet->payload, 5) != 0x00000000) { + flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "1\n"); - } - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "3\n"); - //Peer Message : Pierce Firewall - if (packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5 - && packet->payload[4] <= 0x10 && get_u_int32_t(packet->payload, 5) != 0x00000000) { - flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n"); - return; } - } + if(packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u_int16_t(packet->payload, 7) + && !get_u_int16_t(packet->payload, 2)) { + const u_int32_t usrlen = get_l32(packet->payload, 5); + + if(usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) { + const u_int32_t typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); + const u_int8_t type = packet->payload[4 + 1 + 4 + usrlen + 4]; + if(typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + } - if (packet->payload_packet_len > 25 && packet->payload[4] == 0x01 && !get_u_int16_t(packet->payload, 
7) - && !get_u_int16_t(packet->payload, 2)) { - const u_int32_t usrlen = get_l32(packet->payload, 5); - - if (usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4) { - const u_int32_t typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); - const u_int8_t type = packet->payload[4 + 1 + 4 + usrlen + 4]; - if (typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); + } else if(flow->l4.tcp.soulseek_stage == 2 - packet->packet_direction) { + if(packet->payload_packet_len > 8) { + if((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) { + /* 9 is search result */ + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); return; } + if(get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { + const u_int32_t msgcode = get_l32(packet->payload, 4); + if(msgcode == 0x03 && packet->payload_packet_len >= 12) //Server Message : Get Peer Address + { + const u_int32_t usrlen = get_l32(packet->payload, 8); + if(usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + } } - } - } else if (flow->l4.tcp.soulseek_stage == 2 - 
packet->packet_direction) { - if (packet->payload_packet_len > 8) { - if ((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) { - /* 9 is search result */ - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); + if(packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); return; } - if (get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { - const u_int32_t msgcode = get_l32(packet->payload, 4); - if (msgcode == 0x03 && packet->payload_packet_len >= 12) //Server Message : Get Peer Address - { - const u_int32_t usrlen = get_l32(packet->payload, 8); - if (usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - } + + if(packet->payload_packet_len == 4 + && get_u_int16_t(packet->payload, 2) == 0x00 && get_u_int16_t(packet->payload, 0) != 0x00) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } else if(packet->payload_packet_len == 4) { + flow->l4.tcp.soulseek_stage = 3; + return; + } + } else if(flow->l4.tcp.soulseek_stage == 1 + 
packet->packet_direction) { + if(packet->payload_packet_len > 8) { + if(packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) { + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n"); + + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + return; + } } } + if(flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u_int32_t(packet->payload, 4)) { - if (packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } + NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n"); - if (packet->payload_packet_len == 4 - && get_u_int16_t(packet->payload, 2) == 0x00 && get_u_int16_t(packet->payload, 0) != 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } else if (packet->payload_packet_len == 4) { - flow->l4.tcp.soulseek_stage = 3; + if(src != NULL) + src->soulseek_last_safe_access_time = packet->tick_timestamp; + if(dst != NULL) + dst->soulseek_last_safe_access_time = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); return; } - } else if (flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) { - if (packet->payload_packet_len > 8) { - if (packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, - NDPI_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n"); - 
ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } + if(flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) { + } else { + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK); } } - if (flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u_int32_t(packet->payload, 4)) { - - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n"); - ndpi_int_soulseek_add_connection(ndpi_struct, flow); - return; - } - if (flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) { - } else { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK); - } } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 1b2bb9843..caebeb066 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -21,9 +21,8 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_protocols.h" + #ifdef NDPI_PROTOCOL_STUN @@ -87,6 +86,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * */ while(offset < payload_length) { + u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset])); u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); @@ -120,13 +120,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * break; default: - /* This means this STUN packet cannot be confused with whatsapp voice */ - can_this_be_whatsapp_voice = 0; - break; + /* This means this STUN packet cannot be confused with whatsapp voice */ + can_this_be_whatsapp_voice = 0; + break; } offset += len + 4; } - goto udp_stun_found; } @@ -239,7 +238,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * udp_stun_found: if(can_this_be_whatsapp_voice) - flow->num_stun_udp_pkts++; + flow->num_stun_udp_pkts++; return((flow->num_stun_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN); } 
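Review bot: In the stage-0 branch of ndpi_search_soulseek_tcp the bound `if(usrlen <= packet->payload_packet_len - 4 + 1 + 4 + 4 + 1 + 4)` is carried over unparenthesised, so it evaluates to `payload_packet_len + 10` rather than the payload length minus the fixed field sizes. The reads that follow, `get_l32(packet->payload, 4 + 1 + 4 + usrlen)` and `packet->payload[4 + 1 + 4 + usrlen + 4]`, can therefore land past the end of the payload when the peer-supplied `usrlen` is close to or above the packet length. The preceding `!get_u_int16_t(packet->payload, 7)` test only limits `usrlen` to 16 bits. Since the commit rewrites these lines anyway, the check should be `if(usrlen <= packet->payload_packet_len - (4 + 1 + 4 + 4 + 1 + 4)) {`, which cannot underflow because `payload_packet_len > 25` is tested just above. A short comment naming the six fields being summed would keep the arithmetic from being flattened again.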
diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 2152da328..c9ab55542 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -5,8 +5,6 @@ * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr> * */ - - #include "ndpi_api.h" #ifdef NDPI_PROTOCOL_TOR @@ -19,6 +17,7 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *certificate) { + int prev_num = 0, numbers_found = 0, num_found = 0, i, len; char dummy[48], *dot, *name; diff --git a/src/lib/protocols/vmware.c b/src/lib/protocols/vmware.c index a6cbe5dc9..9ef3ccd2f 100644 --- a/src/lib/protocols/vmware.c +++ b/src/lib/protocols/vmware.c @@ -1,7 +1,7 @@ /* * vmware.c * - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -17,8 +17,6 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_api.h" #ifdef NDPI_PROTOCOL_VMWARE 
@@ -29,29 +27,30 @@ void ndpi_search_vmware(struct ndpi_detection_module_struct *ndpi_struct, struct struct ndpi_packet_struct *packet = &flow->packet; /* Check whether this is an VMWARE flow */ - if(packet->udp != NULL && (packet->payload_packet_len == 66) - && (ntohs(packet->udp->dest) == 902) - && ((packet->payload[0] & 0xFF) == 0xA4)) { - NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "Found vmware.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE, NDPI_PROTOCOL_UNKNOWN); - } else { - NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "exclude vmware.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VMWARE); + if(packet->udp != NULL) { + if((packet->payload_packet_len == 66) + && (ntohs(packet->udp->dest) == 902) + && ((packet->payload[0] & 0xFF) == 0xA4)) { + NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "Found vmware.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE, NDPI_PROTOCOL_UNKNOWN); + } + else { + NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "exclude vmware.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VMWARE); + } } } + void init_vmware_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) + { + ndpi_set_bitmask_protocol_detection("VMWARE", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_VMWARE, + ndpi_search_vmware, + NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); -void init_vmware_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ - ndpi_set_bitmask_protocol_detection("VMWARE", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_VMWARE, - ndpi_search_vmware, - NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); - 
- *id += 1; -} + *id += 1; + } #endif - diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c index 2b086bb2f..968449cbd 100644 --- a/src/lib/protocols/whoisdas.c +++ b/src/lib/protocols/whoisdas.c @@ -1,7 +1,7 @@ /* * whoisdas.c * - * Copyright (C) 2013 - ntop.org + * Copyright (C) 2016 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by 
@@ -17,44 +17,43 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_protocols.h" + #ifdef NDPI_PROTOCOL_WHOIS_DAS void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - if ((packet->tcp != NULL) - && ( - ((sport == 43) || (dport == 43)) - || - ((sport == 4343) || (dport == 4343)) - ) - ) { - if(packet->payload_packet_len > 0) { - u_int max_len = sizeof(flow->host_server_name)-1; - u_int i, j; + if(packet->tcp != NULL) { + u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); + + if(((sport == 43) || (dport == 43)) || ((sport == 4343) || (dport == 4343))) { - for(i=strlen((const char *)flow->host_server_name), j=0; (i<max_len) && (j<packet->payload_packet_len); i++, j++) { - if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; + if(packet->payload_packet_len > 0) { + + u_int max_len = sizeof(flow->host_server_name) - 1; + u_int i, j; + + for(i=strlen((const char *)flow->host_server_name), j=0; (i<max_len) && (j<packet->payload_packet_len); i++, j++) { - flow->host_server_name[i] = packet->payload[j]; + if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; + + flow->host_server_name[i] = packet->payload[j]; + } + + flow->host_server_name[i] = '\0'; + flow->server_id = ((sport == 43) || (sport == 4343)) ? flow->src : flow->dst; + + NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_DEBUG, "[WHOIS/DAS] %s\n", flow->host_server_name); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN); + return; } - - flow->host_server_name[i] = '\0'; - flow->server_id = ((sport == 43) || (sport == 4343)) ? 
flow->src : flow->dst; - - NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_DEBUG, "[WHOIS/DAS] %s\n", flow->host_server_name); } - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN); - } else { - NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_TRACE, "WHOIS Excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WHOIS_DAS); } + /* exclude WHOIS */ + NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_TRACE, "WHOIS Excluded.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WHOIS_DAS); } diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c index 40805b1b1..569fca940 100644 --- a/src/lib/protocols/yahoo.c +++ b/src/lib/protocols/yahoo.c @@ -1,8 +1,7 @@ /* * yahoo.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -21,8 +20,6 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_api.h" #ifdef NDPI_PROTOCOL_YAHOO 
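Review bot: A TCP packet on port 43 or 4343 with `payload_packet_len == 0` now falls out of the nested `if`s into the `/* exclude WHOIS */` block, whereas the old code still called `ndpi_set_detected_protocol` for it. If this dissector is invoked for payload-less segments (the registration is not in the hunk, so this is an assumption), the handshake packets would exclude WHOIS before the query line arrives. Returning without a verdict in that case avoids it, e.g. `if(packet->payload_packet_len == 0) return; /* port matches, wait for payload */` as the first statement inside the port check.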
@@ -54,383 +51,360 @@ static u_int8_t ndpi_check_for_YmsgCommand(u_int16_t len, const u_int8_t * ptr) return 0; } -static void ndpi_int_yahoo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); -} -#if !defined(WIN32) +#ifndef WIN32 static inline #else __forceinline static #endif u_int8_t check_ymsg(const u_int8_t * payload, u_int16_t payload_packet_len) { - const struct ndpi_yahoo_header *yahoo = (struct ndpi_yahoo_header *) payload; - + u_int16_t yahoo_len_parsed = 0; do { u_int16_t ylen = ntohs(yahoo->len); - + yahoo_len_parsed += 20 + ylen; /* possible overflow here: 20 + ylen = 0x10000 --> 0 --> infinite loop */ - if (ylen >= payload_packet_len || yahoo_len_parsed >= payload_packet_len) + if(ylen >= payload_packet_len || yahoo_len_parsed >= payload_packet_len) break; yahoo = (struct ndpi_yahoo_header *) (payload + yahoo_len_parsed); } - while (memcmp(yahoo->YMSG_str, "YMSG", 4) == 0); + while(memcmp(yahoo->YMSG_str, "YMSG", 4) == 0); - if (yahoo_len_parsed == payload_packet_len) + if(yahoo_len_parsed == payload_packet_len) return 1; + return 0; } static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; const struct ndpi_yahoo_header *yahoo = (struct ndpi_yahoo_header *) packet->payload; - if (packet->payload_packet_len == 0) { - return; - } - - /* packet must be at least 20 bytes long */ - if (packet->payload_packet_len >= 20 - && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0 && ((packet->payload_packet_len - 20) == ntohs(yahoo->len) - || check_ymsg(packet->payload, packet->payload_packet_len))) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO FOUND\n"); - 
flow->yahoo_detection_finished = 2; - if (ntohs(yahoo->service) == 24 || ntohs(yahoo->service) == 152 || ntohs(yahoo->service) == 74) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat invite found"); - if (src != NULL) { - src->yahoo_conf_logged_in = 1; - } - if (dst != NULL) { - dst->yahoo_conf_logged_in = 1; - } - } - if (ntohs(yahoo->service) == 27 || ntohs(yahoo->service) == 155 || ntohs(yahoo->service) == 160) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat logoff found"); - if (src != NULL) { - src->yahoo_conf_logged_in = 0; - src->yahoo_voice_conf_logged_in = 0; - } - } - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } else if (flow->yahoo_detection_finished == 2 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_YAHOO) { - return; - } else if (packet->payload_packet_len == 4 && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0) { - flow->l4.tcp.yahoo_sip_comm = 1; - return; - } else if (flow->l4.tcp.yahoo_sip_comm && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN - && flow->packet_counter < 3) { - return; - } - - /* now test for http login, at least 100 a bytes packet */ - if (ndpi_struct->yahoo_detect_http_connections != 0 && packet->payload_packet_len > 100) { - if (memcmp(packet->payload, "POST /relay?token=", 18) == 0 - || memcmp(packet->payload, "GET /relay?token=", 17) == 0 - || memcmp(packet->payload, "GET /?token=", 12) == 0 - || memcmp(packet->payload, "HEAD /relay?token=", 18) == 0) { - if ((src != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) - != 0) || (dst != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) - != 0)) { - /* this is mostly a file transfer */ - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - 
ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } - } - if (memcmp(packet->payload, "POST ", 5) == 0) { - u_int16_t a; - ndpi_parse_packet_line_info(ndpi_struct, flow); - - if ((packet->user_agent_line.len >= 21) - && (memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", 21) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } - - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_YAHOO) - && packet->parsed_lines > 5 - && memcmp(&packet->payload[5], "/Messenger.", 11) == 0 - && packet->line[1].len >= 17 - && memcmp(packet->line[1].ptr, "Connection: Close", - 17) == 0 && packet->line[2].len >= 6 - && memcmp(packet->line[2].ptr, "Host: ", 6) == 0 - && packet->line[3].len >= 16 - && memcmp(packet->line[3].ptr, "Content-Length: ", - 16) == 0 && packet->line[4].len >= 23 - && memcmp(packet->line[4].ptr, "User-Agent: Mozilla/5.0", - 23) == 0 && packet->line[5].len >= 23 - && memcmp(packet->line[5].ptr, "Cache-Control: no-cache", 23) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, - "YAHOO HTTP POST P2P FILETRANSFER FOUND\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } - - if (packet->host_line.ptr != NULL && packet->host_line.len >= 26 && - memcmp(packet->host_line.ptr, "filetransfer.msg.yahoo.com", 26) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST FILETRANSFER FOUND\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } - /* now check every line */ - for (a = 0; a < packet->parsed_lines; a++) { - if (packet->line[a].len >= 4 && memcmp(packet->line[a].ptr, "YMSG", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, - NDPI_LOG_TRACE, - "YAHOO HTTP POST FOUND, line is: %.*s\n", 
packet->line[a].len, packet->line[a].ptr); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; + + if(packet->tcp) { + + if(packet->payload_packet_len > 0) { + /* packet must be at least 20 bytes long */ + if(packet->payload_packet_len >= 20 + && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0 && ((packet->payload_packet_len - 20) == ntohs(yahoo->len) + || check_ymsg(packet->payload, packet->payload_packet_len))) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO FOUND\n"); + flow->yahoo_detection_finished = 2; + + if(ntohs(yahoo->service) == 24 || ntohs(yahoo->service) == 152 || ntohs(yahoo->service) == 74) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat invite found"); + + if(src != NULL) + src->yahoo_conf_logged_in = 1; + if(dst != NULL) + dst->yahoo_conf_logged_in = 1; } - } - if (packet->parsed_lines > 8 && packet->line[8].len > 250 && packet->line[8].ptr != NULL) { - if (memcmp(packet->line[8].ptr, "<Session ", 9) == 0) { - if (ndpi_check_for_YmsgCommand(packet->line[8].len, packet->line[8].ptr)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, - "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern \n"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; + if(ntohs(yahoo->service) == 27 || ntohs(yahoo->service) == 155 || ntohs(yahoo->service) == 160) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat logoff found"); + if(src != NULL) { + src->yahoo_conf_logged_in = 0; + src->yahoo_voice_conf_logged_in = 0; } } - } - } - if (memcmp(packet->payload, "GET /Messenger.", 15) == 0) { - if ((src != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) - != 0) || (dst != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) - != 0)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, 
NDPI_LOG_TRACE, "YAHOO HTTP GET /Messenger. match\n"); NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; - } - } - - if ((memcmp(packet->payload, "GET /", 5) == 0)) { - ndpi_parse_packet_line_info(ndpi_struct, flow); - if ((packet->user_agent_line.ptr != NULL - && packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("YahooMobileMessenger/") - && memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", - NDPI_STATICSTRING_LEN("YahooMobileMessenger/")) == 0) - || (packet->user_agent_line.len >= 15 - && (memcmp(packet->user_agent_line.ptr, "Y!%20Messenger/", 15) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); + + } else if(flow->yahoo_detection_finished == 2 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_YAHOO) { return; - } - if (packet->host_line.ptr != NULL && packet->host_line.len >= NDPI_STATICSTRING_LEN("msg.yahoo.com") && - memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("msg.yahoo.com")], - "msg.yahoo.com", NDPI_STATICSTRING_LEN("msg.yahoo.com")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); + } else if(packet->payload_packet_len == 4 && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0) { + flow->l4.tcp.yahoo_sip_comm = 1; return; - } - - } - - } - /* found another http login command for yahoo, it is like OSCAR */ - /* detect http connections */ - - if (packet->payload_packet_len > 50 && (memcmp(packet->payload, "content-length: ", 16) == 0)) { - ndpi_parse_packet_line_info(ndpi_struct, flow); - if (packet->parsed_lines > 2 && packet->line[1].len == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "first line is empty.\n"); - if (packet->line[2].len > 
13 && memcmp(packet->line[2].ptr, "<Ymsg Command=", 14) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO web chat found\n"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); + } else if(flow->l4.tcp.yahoo_sip_comm && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN + && flow->packet_counter < 3) { return; } - } - } - if (packet->payload_packet_len > 38 && memcmp(packet->payload, "CONNECT scs.msg.yahoo.com:5050 HTTP/1.", 38) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO-HTTP FOUND\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } + /* now test for http login, at least 100 a bytes packet */ + if(ndpi_struct->yahoo_detect_http_connections != 0 && packet->payload_packet_len > 100) { + if(memcmp(packet->payload, "POST /relay?token=", 18) == 0 + || memcmp(packet->payload, "GET /relay?token=", 17) == 0 + || memcmp(packet->payload, "GET /?token=", 12) == 0 + || memcmp(packet->payload, "HEAD /relay?token=", 18) == 0) { + if((src != NULL + && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) + != 0) || (dst != NULL + && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) + != 0)) { + /* this is mostly a file transfer */ + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + if(memcmp(packet->payload, "POST ", 5) == 0) { + u_int16_t a; + ndpi_parse_packet_line_info(ndpi_struct, flow); + + if ((packet->user_agent_line.len >= 21) + && (memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", 21) == 0)) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + + if 
(NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_YAHOO) + && packet->parsed_lines > 5 + && memcmp(&packet->payload[5], "/Messenger.", 11) == 0 + && packet->line[1].len >= 17 + && memcmp(packet->line[1].ptr, "Connection: Close", + 17) == 0 && packet->line[2].len >= 6 + && memcmp(packet->line[2].ptr, "Host: ", 6) == 0 + && packet->line[3].len >= 16 + && memcmp(packet->line[3].ptr, "Content-Length: ", + 16) == 0 && packet->line[4].len >= 23 + && memcmp(packet->line[4].ptr, "User-Agent: Mozilla/5.0", + 23) == 0 && packet->line[5].len >= 23 + && memcmp(packet->line[5].ptr, "Cache-Control: no-cache", 23) == 0) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, + "YAHOO HTTP POST P2P FILETRANSFER FOUND\n"); + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } - if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0) - || (dst != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) { - if (packet->payload_packet_len == 6 && memcmp(packet->payload, "YAHOO!", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } - /* asymmetric detection for SNDIMG not done yet. 
- * See ./Yahoo8.1-VideoCall-LAN.pcap and ./Yahoo-VideoCall-inPublicIP.pcap */ - - - if (packet->payload_packet_len == 8 - && (memcmp(packet->payload, "<SNDIMG>", 8) == 0 || memcmp(packet->payload, "<REQIMG>", 8) == 0 - || memcmp(packet->payload, "<RVWCFG>", 8) == 0 || memcmp(packet->payload, "<RUPCFG>", 8) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, - "YAHOO SNDIMG or REQIMG or RVWCFG or RUPCFG FOUND\n"); - if (src != NULL) { - if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) { - src->yahoo_video_lan_dir = 0; - } else { - src->yahoo_video_lan_dir = 1; + if (packet->host_line.ptr != NULL && packet->host_line.len >= 26 && + memcmp(packet->host_line.ptr, "filetransfer.msg.yahoo.com", 26) == 0) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST FILETRANSFER FOUND\n"); + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + /* now check every line */ + for (a = 0; a < packet->parsed_lines; a++) { + if (packet->line[a].len >= 4 && memcmp(packet->line[a].ptr, "YMSG", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, + NDPI_LOG_TRACE, + "YAHOO HTTP POST FOUND, line is: %.*s\n", packet->line[a].len, packet->line[a].ptr); + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + if (packet->parsed_lines > 8 && packet->line[8].len > 250 && packet->line[8].ptr != NULL) { + if (memcmp(packet->line[8].ptr, "<Session ", 9) == 0) { + if (ndpi_check_for_YmsgCommand(packet->line[8].len, packet->line[8].ptr)) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, + "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern \n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + } } - 
src->yahoo_video_lan_timer = packet->tick_timestamp; - } - if (dst != NULL) { - if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) { - dst->yahoo_video_lan_dir = 0; - } else { - dst->yahoo_video_lan_dir = 1; + if(memcmp(packet->payload, "GET /Messenger.", 15) == 0) { + if((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0) + || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP GET /Messenger. match\n"); + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } } - dst->yahoo_video_lan_timer = packet->tick_timestamp; + if((memcmp(packet->payload, "GET /", 5) == 0)) { + ndpi_parse_packet_line_info(ndpi_struct, flow); + if((packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("YahooMobileMessenger/") + && memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", NDPI_STATICSTRING_LEN("YahooMobileMessenger/")) == 0) + || (packet->user_agent_line.len >= 15 && (memcmp(packet->user_agent_line.ptr, "Y!%20Messenger/", 15) == 0))) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + if(packet->host_line.ptr != NULL && packet->host_line.len >= NDPI_STATICSTRING_LEN("msg.yahoo.com") && + memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("msg.yahoo.com")], "msg.yahoo.com", NDPI_STATICSTRING_LEN("msg.yahoo.com")) == 0) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } } - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, 
NDPI_LOG_DEBUG, "found YAHOO subtype VIDEO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; - } - if (src != NULL && packet->tcp->dest == htons(5100) - && ((u_int32_t) - (packet->tick_timestamp - src->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) { - if (src->yahoo_video_lan_dir == 1) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED"); - return; + /* found another http login command for yahoo, it is like OSCAR */ + /* detect http connections */ + if (packet->payload_packet_len > 50 && (memcmp(packet->payload, "content-length: ", 16) == 0)) { + + ndpi_parse_packet_line_info(ndpi_struct, flow); + + if (packet->parsed_lines > 2 && packet->line[1].len == 0) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "first line is empty.\n"); + if (packet->line[2].len > 13 && memcmp(packet->line[2].ptr, "<Ymsg Command=", 14) == 0) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO web chat found\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } } - } - if (dst != NULL && packet->tcp->dest == htons(5100) - && ((u_int32_t) - (packet->tick_timestamp - dst->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) { - if (dst->yahoo_video_lan_dir == 0) { + if (packet->payload_packet_len > 38 && memcmp(packet->payload, "CONNECT scs.msg.yahoo.com:5050 HTTP/1.", 38) == 0) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO-HTTP FOUND\n"); NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } - } - } + if ((src != NULL && 
NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0) + || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) { + if (packet->payload_packet_len == 6 && memcmp(packet->payload, "YAHOO!", 6) == 0) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + /* asymmetric detection for SNDIMG not done yet. + * See ./Yahoo8.1-VideoCall-LAN.pcap and ./Yahoo-VideoCall-inPublicIP.pcap */ + + if (packet->payload_packet_len == 8 && (memcmp(packet->payload, "<SNDIMG>", 8) == 0 || memcmp(packet->payload, "<REQIMG>", 8) == 0 + || memcmp(packet->payload, "<RVWCFG>", 8) == 0 || memcmp(packet->payload, "<RUPCFG>", 8) == 0)) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO SNDIMG or REQIMG or RVWCFG or RUPCFG FOUND\n"); + + if(src != NULL) { + if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) { + src->yahoo_video_lan_dir = 0; + } else { + src->yahoo_video_lan_dir = 1; + } + src->yahoo_video_lan_timer = packet->tick_timestamp; + } + if(dst != NULL) { + if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) { + dst->yahoo_video_lan_dir = 0; + } else { + dst->yahoo_video_lan_dir = 1; + } + dst->yahoo_video_lan_timer = packet->tick_timestamp; - /* detect YAHOO over HTTP proxy */ + } + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO subtype VIDEO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + if(src != NULL && packet->tcp->dest == htons(5100) + && ((u_int32_t) (packet->tick_timestamp - src->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) { + + if (src->yahoo_video_lan_dir == 1) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, 
NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED"); + return; + } + } + if (dst != NULL && packet->tcp->dest == htons(5100) + && ((u_int32_t) (packet->tick_timestamp - dst->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) { + if (dst->yahoo_video_lan_dir == 0) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED"); + return; + } + } + } + /* detect YAHOO over HTTP proxy */ #ifdef NDPI_PROTOCOL_HTTP - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) #endif - { - - if (flow->l4.tcp.yahoo_http_proxy_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, - "YAHOO maybe HTTP proxy packet 1 => need next packet\n"); - flow->l4.tcp.yahoo_http_proxy_stage = 1 + packet->packet_direction; - return; - } - if (flow->l4.tcp.yahoo_http_proxy_stage == 1 + packet->packet_direction) { - if ((packet->payload_packet_len > 250) && (memcmp(packet->payload, "<Session ", 9) == 0)) { - if (ndpi_check_for_YmsgCommand(packet->payload_packet_len, packet->payload)) { + { + if (flow->l4.tcp.yahoo_http_proxy_stage == 0) { + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, - "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern \n"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); + "YAHOO maybe HTTP proxy packet 1 => need next packet\n"); + flow->l4.tcp.yahoo_http_proxy_stage = 1 + packet->packet_direction; return; } - } - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, - "YAHOO maybe HTTP proxy still initial direction => need next packet\n"); - return; - } - if (flow->l4.tcp.yahoo_http_proxy_stage == 2 - packet->packet_direction) { + if (flow->l4.tcp.yahoo_http_proxy_stage == 1 + packet->packet_direction) { + if 
((packet->payload_packet_len > 250) && (memcmp(packet->payload, "<Session ", 9) == 0)) { + if (ndpi_check_for_YmsgCommand(packet->payload_packet_len, packet->payload)) { + + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern \n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "YAHOO maybe HTTP proxy still initial direction => need next packet\n"); + return; + } + if (flow->l4.tcp.yahoo_http_proxy_stage == 2 - packet->packet_direction) { - ndpi_parse_packet_line_info_any(ndpi_struct, flow); + ndpi_parse_packet_line_info_any(ndpi_struct, flow); - if (packet->parsed_lines >= 9) { + if (packet->parsed_lines >= 9) { - if (packet->line[4].ptr != NULL && packet->line[4].len >= 9 && - packet->line[8].ptr != NULL && packet->line[8].len >= 6 && - memcmp(packet->line[4].ptr, "<Session ", 9) == 0 && - memcmp(packet->line[8].ptr, "<Ymsg ", 6) == 0) { + if (packet->line[4].ptr != NULL && packet->line[4].len >= 9 && + packet->line[8].ptr != NULL && packet->line[8].len >= 6 && + memcmp(packet->line[4].ptr, "<Session ", 9) == 0 && + memcmp(packet->line[8].ptr, "<Ymsg ", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO over HTTP proxy"); - ndpi_int_yahoo_add_connection(ndpi_struct, flow); - return; + NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO over HTTP proxy"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); + return; + } + } } } - } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO); -} - - -#if !defined(WIN32) -static inline -#else -__forceinline static -#endif -void ndpi_search_yahoo_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - - - - struct ndpi_id_struct *src = flow->src; - if (src == NULL || 
NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) == 0) { - goto excl_yahoo_udp; + /* exclude YAHOO */ + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO); } - excl_yahoo_udp: - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO); } void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "search yahoo\n"); + + if(packet->payload_packet_len > 0 && flow->yahoo_detection_finished == 0) { - if (packet->payload_packet_len > 0 && flow->yahoo_detection_finished == 0) { - if (packet->tcp != NULL && packet->tcp_retransmission == 0) { + /* search over TCP */ + if(packet->tcp != NULL && packet->tcp_retransmission == 0) { - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN #ifdef NDPI_PROTOCOL_HTTP - || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP + || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP #endif #ifdef NDPI_PROTOCOL_SSL - || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL + || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { #endif - ) { ndpi_search_yahoo_tcp(ndpi_struct, flow); } - } else if (packet->udp != NULL) { - ndpi_search_yahoo_udp(ndpi_struct, flow); + } + /* search over UDP */ + else if(packet->udp != NULL) { + if(flow->src == NULL || NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) == 0) + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO); + return; } } - if (packet->payload_packet_len > 0 && flow->yahoo_detection_finished == 2) { - if (packet->tcp != NULL && packet->tcp_retransmission == 0) { + + if(packet->payload_packet_len > 0 && flow->yahoo_detection_finished == 2) { + if(packet->tcp != NULL && 
packet->tcp_retransmission == 0) { + /* search over TCP */ ndpi_search_yahoo_tcp(ndpi_struct, flow); + return; } } } - void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c index e282a1ed5..41d369cf7 100644 --- a/src/lib/protocols/zattoo.c +++ b/src/lib/protocols/zattoo.c @@ -1,8 +1,7 @@ /* * zattoo.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
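Review bot: In ndpi_search_yahoo the closing `) {` of the protocol-stack test now sits on the `NDPI_PROTOCOL_SSL` line inside `#ifdef NDPI_PROTOCOL_SSL`, so a build without that macro leaves `if(` unterminated and the file fails to compile. The old layout had `) {` after the `#endif`; restore that by keeping `|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL` inside the guard and putting `) {` on its own line below `#endif`. Separately, the inlined UDP branch only adds YAHOO to the excluded bitmask when `flow->src` is NULL or has no Yahoo bit, while the removed ndpi_search_yahoo_udp reached the `excl_yahoo_udp` label on both paths; if that narrowing is intended, a one-line comment saying so would help.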
@@ -21,43 +20,19 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_api.h" #ifdef NDPI_PROTOCOL_ZATTOO - -static void ndpi_int_zattoo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow/* , */ - /* ndpi_protocol_type_t protocol_type */) -{ - - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); - - if (src != NULL) { - src->zattoo_ts = packet->tick_timestamp; - } - if (dst != NULL) { - dst->zattoo_ts = packet->tick_timestamp; - } -} - - -#if !defined(WIN32) +#ifndef WIN32 static inline #else __forceinline static #endif u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - if (flow->packet.user_agent_line.ptr != NULL && flow->packet.user_agent_line.len == 111) { - if (memcmp(flow->packet.user_agent_line.ptr + - flow->packet.user_agent_line.len - 25, "Zattoo/4", sizeof("Zattoo/4") - 1) == 0) { + if(flow->packet.user_agent_line.ptr != NULL && flow->packet.user_agent_line.len == 111) { + if(memcmp(flow->packet.user_agent_line.ptr + flow->packet.user_agent_line.len - 25, "Zattoo/4", sizeof("Zattoo/4") - 1) == 0) { NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "found zattoo useragent\n"); return 1; } 
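Review bot: Unlike the pass-through ndpi_int_yahoo_add_connection dropped in yahoo.c, the removed ndpi_int_zattoo_add_connection also refreshed `src->zattoo_ts` and `dst->zattoo_ts`, so every detection site in ndpi_search_zattoo (next hunk) now has to repeat those four lines next to `ndpi_set_detected_protocol`. A site that forgets them would leave the timestamps stale, and the `zattoo_connection_timeout` comparison at the top of ndpi_search_zattoo reads exactly those fields. I would keep a small `static` helper that does only the two NULL-checked timestamp assignments and call it at each detection site. The body of ndpi_int_zattoo_user_agent_set continues past the end of this hunk.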
@@ -68,155 +43,216 @@ u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndp void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; u_int16_t i; - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) { - if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) { + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) { + if(src != NULL && ((u_int32_t) (packet->tick_timestamp - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) src->zattoo_ts = packet->tick_timestamp; - } - if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) { + if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) dst->zattoo_ts = packet->tick_timestamp; - } return; } + /* search over TCP */ + if(packet->tcp != NULL) { + if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) { - if (packet->tcp != NULL) { - if (packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, - NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n"); + + if (src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if (dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } - if (packet->payload_packet_len > 50 - && 
memcmp(packet->payload, "GET /ZattooAdRedirect/redirect.jsp?user=", 40) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, - NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /ZattooAdRedirect/redirect.jsp?user=", 40) == 0) { + + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n"); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } - if (packet->payload_packet_len > 50 - && (memcmp(packet->payload, "POST /channelserver/player/channel/update HTTP/1.1", 50) == 0 - || memcmp(packet->payload, "GET /epg/query", 14) == 0)) { + if(packet->payload_packet_len > 50 && (memcmp(packet->payload, "POST /channelserver/player/channel/update HTTP/1.1", 50) == 0 + || memcmp(packet->payload, "GET /epg/query", 14) == 0)) { + ndpi_parse_packet_line_info(ndpi_struct, flow); - for (i = 0; i < packet->parsed_lines; i++) { - if (packet->line[i].len >= 18 && (memcmp(packet->line[i].ptr, "User-Agent: Zattoo", 18) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, - NDPI_LOG_DEBUG, - "add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + + for(i = 0; i < packet->parsed_lines; i++) { + if(packet->line[i].len >= 18 && (memcmp(packet->line[i].ptr, "User-Agent: Zattoo", 18) == 0)) { + + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n"); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + 
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } } - } else if (packet->payload_packet_len > 50 - && (memcmp(packet->payload, "GET /", 5) == 0 - || memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)) { + } else if(packet->payload_packet_len > 50 && (memcmp(packet->payload, "GET /", 5) == 0 || memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)) { /* TODO to avoid searching currently only a specific length and offset is used * that might be changed later */ ndpi_parse_packet_line_info(ndpi_struct, flow); - if (ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) { - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + + if(ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) { + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } - } else if (packet->payload_packet_len > 50 && memcmp(packet->payload, "POST http://", 12) == 0) { + } else if(packet->payload_packet_len > 50 && memcmp(packet->payload, "POST http://", 12) == 0) { + ndpi_parse_packet_line_info(ndpi_struct, flow); + // test for unique character of the zattoo header - if (packet->parsed_lines == 4 && packet->host_line.ptr != NULL) { + if(packet->parsed_lines == 4 && packet->host_line.ptr != NULL) { u_int32_t ip; u_int16_t bytes_read = 0; ip = ndpi_bytestream_to_ipv4(&packet->payload[12], packet->payload_packet_len, &bytes_read); - + // and now test the firt 5 bytes of the payload for zattoo pattern - if (ip == packet->iph->daddr - && packet->empty_line_position_set != 0 - && ((packet->payload_packet_len - packet->empty_line_position) > 10) - && packet->payload[packet->empty_line_position + 2] == - 0x03 - && packet->payload[packet->empty_line_position + 3] == - 0x04 - && packet->payload[packet->empty_line_position + 4] == - 0x00 - && 
packet->payload[packet->empty_line_position + 5] == - 0x04 - && packet->payload[packet->empty_line_position + 6] == - 0x0a && packet->payload[packet->empty_line_position + 7] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, - NDPI_LOG_DEBUG, "add connection over tcp with pattern POST http://\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + if(ip == packet->iph->daddr + && packet->empty_line_position_set != 0 + && ((packet->payload_packet_len - packet->empty_line_position) > 10) + && packet->payload[packet->empty_line_position + 2] == + 0x03 + && packet->payload[packet->empty_line_position + 3] == + 0x04 + && packet->payload[packet->empty_line_position + 4] == + 0x00 + && packet->payload[packet->empty_line_position + 5] == + 0x04 + && packet->payload[packet->empty_line_position + 6] == + 0x0a && packet->payload[packet->empty_line_position + 7] == 0x00) { + + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern POST http://\n"); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } } - } else if (flow->zattoo_stage == 0) { + } else if(flow->zattoo_stage == 0) { - if (packet->payload_packet_len > 50 - && packet->payload[0] == 0x03 - && packet->payload[1] == 0x04 - && packet->payload[2] == 0x00 - && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { + if(packet->payload_packet_len > 50 + && packet->payload[0] == 0x03 + && packet->payload[1] == 0x04 + && packet->payload[2] == 0x00 + && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { flow->zattoo_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, - NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n"); + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, 
NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n"); return; } - /* the following is is searching for flash, not for zattoo. cust1 wants to do so. */ - } else if (flow->zattoo_stage == 2 - packet->packet_direction - && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { + /* the following is searching for flash, not for zattoo. */ + } else if(flow->zattoo_stage == 2 - packet->packet_direction && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; - } else if (flow->zattoo_stage == 1 + packet->packet_direction) { - if (packet->payload_packet_len > 500 && packet->payload[0] == 0x00 && packet->payload[1] == 0x00) { + + } else if(flow->zattoo_stage == 1 + packet->packet_direction) { + if(packet->payload_packet_len > 500 && packet->payload[0] == 0x00 && packet->payload[1] == 0x00) { + flow->zattoo_stage = 3 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, - NDPI_LOG_DEBUG, "need next packet, seen pattern 0x0000\n"); + + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x0000\n"); return; } - if (packet->payload_packet_len > 50 + if(packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04 && packet->payload[2] == 0x00 && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { } - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, - "need next packet, seen pattern 0x030400040a00\n"); + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need 
next packet, seen pattern 0x030400040a00\n"); return; - } else if (flow->zattoo_stage == 4 - packet->packet_direction - && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { + + } else if(flow->zattoo_stage == 4 - packet->packet_direction && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; - } else if (flow->zattoo_stage == 5 + packet->packet_direction && (packet->payload_packet_len == 125)) { + + } else if(flow->zattoo_stage == 5 + packet->packet_direction && (packet->payload_packet_len == 125)) { + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "detected zattoo.\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; - } else if (flow->zattoo_stage == 6 - packet->packet_direction && packet->payload_packet_len == 1412) { + + } else if(flow->zattoo_stage == 6 - packet->packet_direction && packet->payload_packet_len == 1412) { NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "found zattoo.\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } + NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "ZATTOO: 
discarted the flow (TCP): packet_size: %u; Flowstage: %u\n", packet->payload_packet_len, flow->zattoo_stage); - } else if (packet->udp != NULL) { + } + /* search over UDP */ + else if(packet->udp != NULL) { + + if(packet->payload_packet_len > 20 && (packet->udp->dest == htons(5003) || packet->udp->source == htons(5003)) + && (get_u_int16_t(packet->payload, 0) == htons(0x037a) + || get_u_int16_t(packet->payload, 0) == htons(0x0378) + || get_u_int16_t(packet->payload, 0) == htons(0x0305) + || get_u_int32_t(packet->payload, 0) == htonl(0x03040004) + || get_u_int32_t(packet->payload, 0) == htonl(0x03010005))) { + + if(++flow->zattoo_stage == 2) { - if (packet->payload_packet_len > 20 && (packet->udp->dest == htons(5003) - || packet->udp->source == htons(5003)) - && (get_u_int16_t(packet->payload, 0) == htons(0x037a) - || get_u_int16_t(packet->payload, 0) == htons(0x0378) - || get_u_int16_t(packet->payload, 0) == htons(0x0305) - || get_u_int32_t(packet->payload, 0) == htonl(0x03040004) - || get_u_int32_t(packet->payload, 0) == htonl(0x03010005))) { - if (++flow->zattoo_stage == 2) { NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over udp.\n"); - ndpi_int_zattoo_add_connection(ndpi_struct, flow); + if(src != NULL) + src->zattoo_ts = packet->tick_timestamp; + if(dst != NULL) + dst->zattoo_ts = packet->tick_timestamp; + + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); return; } NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet udp.\n"); @@ -228,7 +264,7 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct packet->payload_packet_len, flow->zattoo_stage); } - + /* exclude ZATTOO */ NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "exclude zattoo.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ZATTOO); } 
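Review bot: In the `POST http://` branch of the `@@ -68,155 +43,216 @@` hunk, `ndpi_bytestream_to_ipv4(&packet->payload[12], packet->payload_packet_len, &bytes_read)` passes the full payload length as the bound although the pointer already starts 12 bytes into the payload. If that argument is the maximum number of bytes to read (the helper is not shown here), the parse can run up to 12 bytes past the captured payload; `packet->payload_packet_len - 12` keeps it inside the buffer, and the branch already guarantees a length above 50. The next test, `ip == packet->iph->daddr`, dereferences `packet->iph` unchecked; if that pointer can be NULL for IPv6 flows, which this hunk does not show, it needs a `packet->iph != NULL &&` guard first. Separately, in the `zattoo_stage == 1 + packet->packet_direction` branch the `0x030400040a00` test has an empty body, so the "need next packet" log and the `return` run whether or not the pattern matched.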
diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c index 2f31eb815..f4780b334 100644 --- a/src/lib/protocols/zeromq.c +++ b/src/lib/protocols/zeromq.c @@ -1,7 +1,7 @@ /* * zmq.c * - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2016 - ntop.org * * nDPI is free software: you can zmqtribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -17,8 +17,6 @@ * along with nDPI. If not, see <http://www.gnu.org/licenses/>. * */ - - #include "ndpi_api.h" #ifdef NDPI_PROTOCOL_ZMQ @@ -30,6 +28,7 @@ static void ndpi_int_zmq_add_connection(struct ndpi_detection_module_struct *ndp static void ndpi_check_zmq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; u_int32_t payload_len = packet->payload_packet_len; u_char p0[] = { 0x00, 0x00, 0x00, 0x05, 0x01, 0x66, 0x6c, 0x6f, 0x77 }; @@ -50,7 +49,6 @@ static void ndpi_check_zmq(struct ndpi_detection_module_struct *ndpi_struct, str memcpy(flow->l4.tcp.prev_zmq_pkt, packet->payload, flow->l4.tcp.prev_zmq_pkt_len); return; /* Too early */ } - if(payload_len == 2) { if(flow->l4.tcp.prev_zmq_pkt_len == 2) { if((memcmp(packet->payload, "\01\01", 2) == 0) |