-rw-r--r-- | example/ndpiReader.c | 96 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 12 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 25 |
3 files changed, 90 insertions, 43 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 7fc5f9d98..bd5760efe 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -727,23 +727,27 @@ static struct ndpi_flow *get_ndpi_flow(u_int16_t thread_id, const u_int8_t version, u_int16_t vlan_id, const struct ndpi_iphdr *iph, + const struct ndpi_ip6_hdr *iph6, u_int16_t ip_offset, u_int16_t ipsize, u_int16_t l4_packet_len, + struct ndpi_tcphdr **tcph, + struct ndpi_udphdr **udph, + u_int16_t *sport, u_int16_t *dport, struct ndpi_id_struct **src, struct ndpi_id_struct **dst, u_int8_t *proto, - const struct ndpi_ip6_hdr *iph6) { + u_int8_t **payload, + u_int16_t *payload_len, + u_int8_t *src_to_dst_direction) { u_int32_t idx, l4_offset; - struct ndpi_tcphdr *tcph = NULL; - struct ndpi_udphdr *udph = NULL; u_int32_t lower_ip; u_int32_t upper_ip; u_int16_t lower_port; u_int16_t upper_port; struct ndpi_flow flow; void *ret; - u_int8_t *l3; + u_int8_t *l3, *l4; /* Note: to keep things simple (ndpiReader is just a demo app) @@ -789,19 +793,25 @@ static struct ndpi_flow *get_ndpi_flow(u_int16_t thread_id, } *proto = iph->protocol; + l4 = ((u_int8_t *) l3 + l4_offset); if(iph->protocol == 6 && l4_packet_len >= 20) { + u_int tcp_len; + ndpi_thread_info[thread_id].stats.tcp_count++; // tcp - tcph = (struct ndpi_tcphdr *) ((u_int8_t *) l3 + l4_offset); + *tcph = (struct ndpi_tcphdr *)l4; + *sport = ntohs((*tcph)->source), *dport = ntohs((*tcph)->dest); + if(iph->saddr < iph->daddr) { - lower_port = tcph->source; - upper_port = tcph->dest; + lower_port = (*tcph)->source, upper_port = (*tcph)->dest; + *src_to_dst_direction = 1; } else { - lower_port = tcph->dest; - upper_port = tcph->source; + lower_port = (*tcph)->dest; + upper_port = (*tcph)->source; + *src_to_dst_direction = 0; if(iph->saddr == iph->daddr) { if(lower_port > upper_port) { u_int16_t p = lower_port; 
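Review bot: When `iph->saddr == iph->daddr`, the TCP branch always leaves `*src_to_dst_direction` at 0, because the flag is set before the port swap at the end of this hunk and the swap does not touch it. Both halves of a same-address flow therefore report the same direction. In that case the direction can be taken from the ports, e.g. `*src_to_dst_direction = ((*tcph)->source < (*tcph)->dest) ? 1 : 0;` inside the `saddr == daddr` block, which matches the raw comparison the swap already uses. The UDP branch added in the next hunk (`@@ -811`) copies the same pattern. get_ndpi_flow starts and ends outside this hunk.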
@@ -811,18 +821,38 @@ static struct ndpi_flow *get_ndpi_flow(u_int16_t thread_id, } } } + + tcp_len = ndpi_min(4*(*tcph)->doff, l4_packet_len); + *payload = &l4[tcp_len]; + *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); } else if(iph->protocol == 17 && l4_packet_len >= 8) { // udp ndpi_thread_info[thread_id].stats.udp_count++; - udph = (struct ndpi_udphdr *) ((u_int8_t *) l3 + l4_offset); + *udph = (struct ndpi_udphdr *)l4; + *sport = ntohs((*udph)->source), *dport = ntohs((*udph)->dest); + *payload = &l4[sizeof(struct ndpi_udphdr)]; + *payload_len = ndpi_max(0, l4_packet_len-sizeof(struct ndpi_udphdr)); + if(iph->saddr < iph->daddr) { - lower_port = udph->source; - upper_port = udph->dest; + lower_port = (*udph)->source, upper_port = (*udph)->dest; + *src_to_dst_direction = 1; } else { - lower_port = udph->dest; - upper_port = udph->source; + lower_port = (*udph)->dest, upper_port = (*udph)->source; + + *src_to_dst_direction = 0; + + if(iph->saddr == iph->daddr) { + if(lower_port > upper_port) { + u_int16_t p = lower_port; + + lower_port = upper_port; + upper_port = p; + } + } } + + *sport = ntohs(lower_port), *dport = ntohs(upper_port); } else { // non tcp/udp protocols lower_port = 0; @@ -892,8 +922,7 @@ static struct ndpi_flow *get_ndpi_flow(u_int16_t thread_id, *src = newflow->src_id, *dst = newflow->dst_id; // printFlow(thread_id, newflow); - - return newflow ; + return newflow; } } else { struct ndpi_flow *flow = *(struct ndpi_flow**)ret; @@ -914,9 +943,15 @@ static struct ndpi_flow *get_ndpi_flow6(u_int16_t thread_id, u_int16_t vlan_id, const struct ndpi_ip6_hdr *iph6, u_int16_t ip_offset, + struct ndpi_tcphdr **tcph, + struct ndpi_udphdr **udph, + u_int16_t *sport, u_int16_t *dport, struct ndpi_id_struct **src, struct ndpi_id_struct **dst, - u_int8_t *proto) { + u_int8_t *proto, + u_int8_t **payload, + u_int16_t *payload_len, + u_int8_t *src_to_dst_direction) { struct ndpi_iphdr iph; memset(&iph, 0, sizeof(iph)); 
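Review bot: In the UDP branch the last added line, `*sport = ntohs(lower_port), *dport = ntohs(upper_port);`, overwrites the real source and destination ports stored a few lines earlier with the canonical lower/upper pair. For a packet travelling in the reverse direction the caller gets them swapped, unlike the TCP branch; dropping that line keeps the two branches consistent. Separately, `tcp_len` is already clamped to `l4_packet_len`, so `*payload_len = l4_packet_len - tcp_len;` would express the same bound without depending on how `ndpi_max` treats the operand types. A data offset below 5 (a header shorter than 20 bytes) is also not rejected here, so `*payload` can start inside the fixed TCP header. This hunk is the middle of get_ndpi_flow.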
@@ -931,10 +966,11 @@ static struct ndpi_flow *get_ndpi_flow6(u_int16_t thread_id, iph.protocol = options[0]; } - return(get_ndpi_flow(thread_id, 6, vlan_id, &iph, ip_offset, + return(get_ndpi_flow(thread_id, 6, vlan_id, &iph, iph6, ip_offset, sizeof(struct ndpi_ip6_hdr), ntohs(iph6->ip6_ctlun.ip6_un1.ip6_un1_plen), - src, dst, proto, iph6)); + tcph, udph, sport, dport, + src, dst, proto, payload, payload_len, src_to_dst_direction)); } /* ***************************************************** */ @@ -998,13 +1034,24 @@ static unsigned int packet_processing(u_int16_t thread_id, struct ndpi_flow *flow; struct ndpi_flow_struct *ndpi_flow = NULL; u_int8_t proto; - + struct ndpi_tcphdr *tcph = NULL; + struct ndpi_udphdr *udph = NULL; + u_int16_t sport, dport, payload_len; + u_int8_t *payload; + u_int8_t src_to_dst_direction= 1; + if(iph) - flow = get_ndpi_flow(thread_id, 4, vlan_id, iph, ip_offset, ipsize, + flow = get_ndpi_flow(thread_id, 4, vlan_id, iph, NULL, + ip_offset, ipsize, ntohs(iph->tot_len) - (iph->ihl * 4), - &src, &dst, &proto, NULL); + &tcph, &udph, &sport, &dport, + &src, &dst, &proto, + &payload, &payload_len, &src_to_dst_direction); else - flow = get_ndpi_flow6(thread_id, vlan_id, iph6, ip_offset, &src, &dst, &proto); + flow = get_ndpi_flow6(thread_id, vlan_id, iph6, ip_offset, + &tcph, &udph, &sport, &dport, + &src, &dst, &proto, + &payload, &payload_len, &src_to_dst_direction); if(flow != NULL) { ndpi_thread_info[thread_id].stats.ip_packet_count++; @@ -1021,7 +1068,7 @@ static unsigned int packet_processing(u_int16_t thread_id, flow->detected_protocol = ndpi_detection_process_packet(ndpi_thread_info[thread_id].ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, ipsize, time, src, dst); - + if((flow->detected_protocol.protocol != NDPI_PROTOCOL_UNKNOWN) || ((proto == IPPROTO_UDP) && (flow->packets > 8)) || ((proto == IPPROTO_TCP) && (flow->packets > 10))) { 
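Review bot: get_ndpi_flow6 forwards `ntohs(iph6->ip6_ctlun.ip6_un1.ip6_un1_plen)` as `l4_packet_len` and `sizeof(struct ndpi_ip6_hdr)` as `ipsize`, so for IPv6 the new `payload`/`payload_len` outputs are sized purely from a header field. get_ndpi_flow6 has no `ipsize` parameter of its own, although packet_processing passes one on the IPv4 call, so the captured length never reaches this path. A truncated or malformed packet could therefore produce a payload range that extends past the captured bytes once a consumer reads it. Passing the captured length down, or clamping `payload_len` to it in the caller, would bound these outputs.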
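Review bot: `sport`, `dport`, `payload_len` and `payload` are declared without initialisers, yet get_ndpi_flow writes them only in its TCP and UDP branches. For any other protocol (the `// non tcp/udp protocols` branch) they are still indeterminate when the call returns. Initialise them at declaration, `u_int16_t sport = 0, dport = 0, payload_len = 0;` and `u_int8_t *payload = NULL;`, as is already done for `tcph` and `udph`. The context line `ntohs(iph->tot_len) - (iph->ihl * 4)` also wraps in `u_int16_t` if the total length is smaller than the header length, and that value now feeds `payload_len`; unless a check outside this hunk rules it out, it deserves a guard. packet_processing continues beyond this hunk.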
@@ -1777,7 +1824,6 @@ static void pcap_packet_callback(u_char *args, } if((frag_off & 0x3FFF) != 0) { - static u_int8_t ipv4_frags_warning_used = 0; ndpi_thread_info[thread_id].stats.fragmented_count++; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 7f93d9be7..e9fbeb49d 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -2021,7 +2021,7 @@ void ndpi_set_bitmask_protocol_detection( char * label, } /* - Set funcition and index protocol within proto_default strcuture for port protocol detection + Set function and index protocol within proto_default strcuture for port protocol detection and callback_buffer function for DPI protocol detection */ ndpi_struct->proto_defaults[ndpi_protocol_id].protoIdx = idx; @@ -2596,7 +2596,8 @@ static u_int8_t ndpi_iph_is_valid_and_not_fragmented(const struct ndpi_iphdr *ip } static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_struct *ndpi_struct, - const u_int8_t * l3, u_int16_t l3_len, const u_int8_t ** l4_return, u_int16_t * l4_len_return, + const u_int8_t * l3, u_int16_t l3_len, + const u_int8_t ** l4_return, u_int16_t * l4_len_return, u_int8_t * l4_protocol_return, u_int32_t flags) { const struct ndpi_iphdr *iph = NULL; 
@@ -3048,8 +3049,7 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct, ndpi_struct->callback_buffer[proto_index].excluded_protocol_bitmask) == 0 && NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer[proto_index].detection_bitmask, detection_bitmask) != 0 - && (ndpi_struct->callback_buffer[proto_index].ndpi_selection_bitmask - & *ndpi_selection_packet) == ndpi_struct->callback_buffer[proto_index].ndpi_selection_bitmask) { + && (ndpi_struct->callback_buffer[proto_index].ndpi_selection_bitmask & *ndpi_selection_packet) == ndpi_struct->callback_buffer[proto_index].ndpi_selection_bitmask) { if((flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) && (ndpi_struct->proto_defaults[flow->guessed_protocol_id].func != NULL)) ndpi_struct->proto_defaults[flow->guessed_protocol_id].func(ndpi_struct, flow), @@ -3059,8 +3059,7 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct, if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { for(a = 0; a < ndpi_struct->callback_buffer_size_tcp_payload; a++) { if((func != ndpi_struct->callback_buffer_tcp_payload[a].func) - && (ndpi_struct->callback_buffer_tcp_payload[a].ndpi_selection_bitmask - & *ndpi_selection_packet) == ndpi_struct->callback_buffer_tcp_payload[a].ndpi_selection_bitmask + && (ndpi_struct->callback_buffer_tcp_payload[a].ndpi_selection_bitmask & *ndpi_selection_packet) == ndpi_struct->callback_buffer_tcp_payload[a].ndpi_selection_bitmask && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask, ndpi_struct->callback_buffer_tcp_payload[a].excluded_protocol_bitmask) == 0 && NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer_tcp_payload[a].detection_bitmask, @@ -3262,7 +3261,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } #if 0 - /* Swap protocols in case of success */ if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) { u_int16_t t = ret.master_protocol; 
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 583adb341..9314dba65 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -204,16 +204,16 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc NOTE If http_dont_dissect_response = 1 dissection of HTTP response - mime types won't happen + mime types won't happen */ if(!ndpi_struct->http_dont_dissect_response) { if(flow->http.url && flow->http_detected) - ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)&flow->http.url[7], + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)&flow->http.url[7], strlen((const char *)&flow->http.url[7]), NDPI_PROTOCOL_HTTP); } else - ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, + ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, strlen((const char *)flow->host_server_name), NDPI_PROTOCOL_HTTP); } @@ -247,7 +247,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(flow->http.url) { strncpy(flow->http.url, "http://", 7); strncpy(&flow->http.url[7], (char*)packet->host_line.ptr, packet->host_line.len); - strncpy(&flow->http.url[7+packet->host_line.len], (char*)packet->http_url_name.ptr, + strncpy(&flow->http.url[7+packet->host_line.len], (char*)packet->http_url_name.ptr, packet->http_url_name.len); flow->http.url[len-1] = '\0'; } @@ -282,8 +282,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->http.content_type = ndpi_malloc(len); if(flow->http.content_type) { - strncpy(flow->http.content_type, (char*)packet->content_line.ptr, - packet->content_line.len); + strncpy(flow->http.content_type, (char*)packet->content_line.ptr, + packet->content_line.len); flow->http.content_type[packet->content_line.len] = '\0'; } } 
@@ -352,8 +352,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ #if 0 if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) - ndpi_match_content_subprotocol(ndpi_struct, flow, - (char*)packet->user_agent_line.ptr, + ndpi_match_content_subprotocol(ndpi_struct, flow, + (char*)packet->user_agent_line.ptr, packet->user_agent_line.len, NDPI_PROTOCOL_HTTP); #endif @@ -367,11 +367,11 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ packet->host_line.len, packet->host_line.ptr); if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char*)packet->host_line.ptr, + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char*)packet->host_line.ptr, packet->host_line.len, NDPI_PROTOCOL_HTTP); - + /* Copy result for nDPI apps */ len = ndpi_min(packet->host_line.len, sizeof(flow->host_server_name)-1); strncpy((char*)flow->host_server_name, (char*)packet->host_line.ptr, len); @@ -771,6 +771,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct struct ndpi_packet_struct *packet = &flow->packet; u_int16_t filename_start; + packet->packet_lines_parsed_complete = 0; + /* Check if we so far detected the protocol in the request or not. */ if(flow->l4.tcp.http_stage == 0) { flow->http_detected = 0; @@ -911,6 +913,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct "HTTP START Found in 2. packet, we will look further for the response....\n"); flow->http_detected = 1; } + return; } |
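Review bot: The added `packet->packet_lines_parsed_complete = 0;` at the top of ndpi_check_http_tcp (hunk `@@ -771`) has no comment, and the hunk does not show why the flag must be cleared on every call. A one-line comment would help the next reader, for example `/* force the header lines to be parsed again for this packet */`, if that is indeed the intent. The function body extends beyond this hunk.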