-rw-r--r--src/lib/protocols/dnscrypt.c19
-rw-r--r--src/lib/protocols/steam.c9
-rw-r--r--tests/pcap/steam_datagram_relay_ping.pcapngbin0 -> 15656 bytes
-rw-r--r--tests/result/steam_datagram_relay_ping.pcapng.out7
4 files changed, 30 insertions, 5 deletions
diff --git a/src/lib/protocols/dnscrypt.c b/src/lib/protocols/dnscrypt.c
index af147614a..a5bbd0c0e 100644
--- a/src/lib/protocols/dnscrypt.c
+++ b/src/lib/protocols/dnscrypt.c
@@ -38,22 +38,31 @@ void ndpi_search_dnscrypt(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search dnscrypt\n");
- if (flow->packet_counter > 3)
- {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- }
-
/* dnscrypt protocol version 1: check magic */
if (packet->payload_packet_len >= 64 &&
strncmp((char*)packet->payload, "r6fnvWj8", strlen("r6fnvWj8")) == 0)
{
ndpi_int_dnscrypt_add_connection(ndpi_struct, flow);
+ return;
}
/* dnscrypt protocol version 1 and 2: resolver ping */
if (packet->payload_packet_len > 13 + strlen(dnscrypt_initial) &&
strncasecmp((char*)packet->payload + 13, dnscrypt_initial, strlen(dnscrypt_initial)) == 0)
{
ndpi_int_dnscrypt_add_connection(ndpi_struct, flow);
+ return;
+ }
+
+ if ((flow->packet_direction_counter[packet->packet_direction] >= 1 &&
+ flow->packet_direction_counter[1 - packet->packet_direction] >= 1) ||
+ flow->packet_counter >= 10)
+ {
+ /*
+ * Wait for at least one packet per direction, but not more then 10 packets.
+ * Required as we need to wait for the server response which contains the ASCII pattern below.
+ */
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ return;
}
}
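Review bot: The comment inside the new exclusion block refers to "the ASCII pattern below", but both pattern checks (the `r6fnvWj8` magic and the `dnscrypt_initial` compare) sit above it in this hunk, and "more then" should read "more than". A wording that matches the code would be `/* Give up once both directions have been seen without a match above, or after 10 packets. */`. As written, the flow is excluded on the first packet of the second direction that fails both checks, so the comment should state that limit explicitly. The bare `10` would also read better as a named constant, since it bounds how long an unmatched flow stays a dnscrypt candidate. The function body starts outside the hunk.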
diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c
index f6c0da425..8cd3ec41f 100644
--- a/src/lib/protocols/steam.c
+++ b/src/lib/protocols/steam.c
@@ -113,6 +113,15 @@ static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_stru
return;
}
+ /* Check for Steam Datagram Relay (SDR) packets. */
+ if (payload_len > 8 &&
+ ndpi_ntohll(get_u_int64_t(packet->payload, 0)) == 0x0101736470696e67 /* "\x01\x01sdping" */)
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found STEAM (Steam Datagram Relay)\n");
+ ndpi_int_steam_add_connection(ndpi_struct, flow);
+ return;
+ }
+
/* Check if we so far detected the protocol in the request or not. */
if (flow->steam_stage1 == 0) {
NDPI_LOG_DBG2(ndpi_struct, "STEAM stage 0: \n");
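Review bot: The 64-bit magic in the new SDR check is written without a suffix; `0x0101736470696e67ULL` makes the width explicit and avoids warnings on toolchains where `long` is 32 bits. The length guard `payload_len > 8` requires nine bytes although only eight are read at offset 0; if a trailing byte is intentionally required, a short comment should say so, otherwise `payload_len >= 8` matches the read. This branch classifies the flow from one packet, ahead of the `steam_stage1` state machine, and no port or direction condition is visible in the hunk, so the comment could note that the match rests on the eight-byte prefix alone. The function continues outside the hunk.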
diff --git a/tests/pcap/steam_datagram_relay_ping.pcapng b/tests/pcap/steam_datagram_relay_ping.pcapng
new file mode 100644
index 000000000..bd5d89def
--- /dev/null
+++ b/tests/pcap/steam_datagram_relay_ping.pcapng
Binary files differ
diff --git a/tests/result/steam_datagram_relay_ping.pcapng.out b/tests/result/steam_datagram_relay_ping.pcapng.out
new file mode 100644
index 000000000..24ce55fbf
--- /dev/null
+++ b/tests/result/steam_datagram_relay_ping.pcapng.out
@@ -0,0 +1,7 @@
+Guessed flow protos: 0
+
+DPI Packets (UDP): 1 (1.00 pkts/flow)
+
+Steam 2 2684 1
+
+ 1 UDP 192.168.2.100:52157 -> 139.45.193.10:27018 [proto: 74/Steam][cat: Game/8][2 pkts/2684 bytes -> 0 pkts/0 bytes][Goodput ratio: 97/0][2.52 sec][PLAIN TEXT (sdping)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0]