-rw-r--r-- | example/reader_util.c | 7 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 4 | ||||
-rw-r--r-- | src/lib/protocols/tftp.c | 17 | ||||
-rw-r--r-- | tests/pcap/tftp.pcap | bin | 32811 -> 33032 bytes | |||
-rw-r--r-- | tests/result/tftp.pcap.out | 15 |
5 files changed, 35 insertions, 8 deletions
diff --git a/example/reader_util.c b/example/reader_util.c index eb0ba1b5b..a81f87f6b 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1118,6 +1118,13 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl flow->ftp_imap_pop_smtp.auth_failed = flow->ndpi_flow->l4.tcp.ftp_imap_pop_smtp.auth_failed; } + /* TFTP */ + else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TFTP)) { + flow->info_type = INFO_GENERIC; + if(flow->ndpi_flow->protos.tftp.filename[0] != '\0') + ndpi_snprintf(flow->info, sizeof(flow->info), "Filename: %s", + flow->ndpi_flow->protos.tftp.filename); + } /* KERBEROS */ else if(is_ndpi_proto(flow, NDPI_PROTOCOL_KERBEROS)) { flow->info_type = INFO_KERBEROS; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 74e937138..19fc04759 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1287,6 +1287,10 @@ struct ndpi_flow_struct { } ssh; struct { + char filename[128]; + } tftp; + + struct { u_int8_t username_detected:1, username_found:1, password_detected:1, password_found:1, _pad:4; diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c index 07f2ca07f..f5aa32e62 100644 --- a/src/lib/protocols/tftp.c +++ b/src/lib/protocols/tftp.c @@ -67,9 +67,11 @@ void ndpi_search_tftp(struct ndpi_detection_module_struct { char const * const possible_modes[] = { "netascii", "octet", "mail" }; uint8_t mode_found = 0, mode_idx; - for(mode_idx = 0; mode_idx < sizeof(possible_modes) / sizeof(possible_modes[0]); ++mode_idx) + size_t mode_len; + + for(mode_idx = 0; mode_idx < NDPI_ARRAY_LENGTH(possible_modes); ++mode_idx) { - size_t const mode_len = strlen(possible_modes[mode_idx]); + mode_len = strlen(possible_modes[mode_idx]); if (packet->payload_packet_len < mode_len + 1 /* mode is a nul terminated string */) { 
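Review bot: The new `tftp.filename` member in the src/include/ndpi_typedefs.h hunk has no comment stating its contract, although the writer in tftp.c depends on the 128-byte size through `sizeof` and reader_util.c prints the string as is. I would add `/* RRQ/WRQ file name copied from the packet; NUL-terminated, truncated to sizeof(filename) - 1 bytes */` above `char filename[128];` so that consumers know the value is untrusted wire data and may be cut short. The enclosing `struct ndpi_flow_struct` starts and ends outside the hunk.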
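Review bot: In the first src/lib/protocols/tftp.c hunk `size_t mode_len;` is now declared without an initializer and outlives the loop, because the filename code added further down reads it after the loop has ended. Whether it then holds the length of the mode that actually matched depends on the loop leaving as soon as a mode matches, which is not visible in this hunk; if the loop keeps iterating, `mode_len` ends up as the length of the last entry regardless of the match. I would write `size_t mode_len = 0;` and add a comment such as `/* length of the matched mode; read after the loop by the filename dissection */`. The loop body and the rest of ndpi_search_tftp continue outside the hunk.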
@@ -89,6 +91,17 @@ void ndpi_search_tftp(struct ndpi_detection_module_struct return; } + /* Dissect RRQ/WWQ filename. */ + size_t filename_len = packet->payload_packet_len - 2 /* Opcode */ - mode_len - 1 /* NUL */; + + if (filename_len == 0 || packet->payload[2] == '\0' || ndpi_is_printable_buffer(&packet->payload[2], filename_len - 1) == 0) + { + ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid TFTP RR/WR header: Source/Destination file missing"); + } else { + memcpy(flow->protos.tftp.filename, &packet->payload[2], ndpi_min(filename_len, sizeof(flow->protos.tftp.filename) - 1)); + flow->protos.tftp.filename[filename_len] = '\0'; + } + /* We have seen enough and do not need any more TFTP packets. */ NDPI_LOG_INFO(ndpi_struct, "found tftp (RRQ/WWQ)\n"); ndpi_int_tftp_add_connection(ndpi_struct, flow); diff --git a/tests/pcap/tftp.pcap b/tests/pcap/tftp.pcap Binary files differindex 9c3cb2cbf..c2e93ceab 100644 --- a/tests/pcap/tftp.pcap +++ b/tests/pcap/tftp.pcap diff --git a/tests/result/tftp.pcap.out b/tests/result/tftp.pcap.out index 7b14618ca..7ab3f8aca 100644 --- a/tests/result/tftp.pcap.out +++ b/tests/result/tftp.pcap.out 
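Review bot: The terminator write `flow->protos.tftp.filename[filename_len] = '\0';` in the second tftp.c hunk indexes with the unclamped `filename_len`, while only the `memcpy` length is bounded by `sizeof(...) - 1`, so a request whose file name field is 128 bytes or longer stores a NUL past the end of the 128-byte buffer at an offset taken from the packet. Compute the copy length once and use it for both statements: `size_t n = ndpi_min(filename_len, sizeof(flow->protos.tftp.filename) - 1);`, then `memcpy(flow->protos.tftp.filename, &packet->payload[2], n);` and `flow->protos.tftp.filename[n] = '\0';`. The subtraction that produces `filename_len` is done in `size_t`, so it wraps to a huge value when `payload_packet_len` is smaller than `mode_len + 3`; unless a length check outside this hunk already excludes that, compare the lengths before subtracting. The byte at `payload[2 + filename_len - 1]` is assumed to be the NUL separating file name and mode but is never checked. ndpi_search_tftp starts and ends outside the hunk.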
@@ -1,11 +1,14 @@ Guessed flow protos: 0 -DPI Packets (UDP): 10 (2.50 pkts/flow) -Confidence DPI : 4 (flows) +DPI Packets (UDP): 13 (1.86 pkts/flow) +Confidence DPI : 7 (flows) -TFTP 104 31123 4 +TFTP 107 31296 7 - 1 UDP 192.168.0.10:3445 <-> 192.168.0.253:50618 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][49 pkts/26853 bytes <-> 49 pkts/2940 bytes][Goodput ratio: 92/7][0.18 sec][bytes ratio: 0.803 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/2 3/3 9/7 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 548/60 558/60 69/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No client to server traffic][PLAIN TEXT (Network Working Group )][Plen Bins: 51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.0.10:3445 <-> 192.168.0.253:50618 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][49 pkts/26853 bytes <-> 49 pkts/2940 bytes][Goodput ratio: 92/7][< 1 sec][bytes ratio: 0.803 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/2 3/3 9/7 2/2][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 548/60 558/60 69/0][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No client to server traffic][PLAIN TEXT (Network Working Group )][Plen Bins: 51,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,48,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 2 UDP 172.28.5.170:62058 <-> 172.28.5.91:44618 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][2 pkts/92 bytes <-> 2 pkts/1116 bytes][Goodput ratio: 9/92][0.00 sec][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][Risk Info: No server to client traffic][PLAIN TEXT (BCCCCCC)][Plen Bins: 50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 3 UDP 192.168.0.253:50618 -> 192.168.0.10:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][1 pkts/62 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 
10][Risk Info: No server to client traffic][PLAIN TEXT (1350.txt)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 4 UDP 172.28.5.91:44618 -> 172.28.5.170:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][1 pkts/60 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (zz.bin)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 UDP 192.168.0.253:50618 -> 192.168.0.10:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][1 pkts/62 bytes -> 0 pkts/0 bytes][Goodput ratio: 32/0][< 1 sec][Filename: rfc1350.txt][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (1350.txt)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 172.28.4.53:54626 -> 172.16.5.170:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][1 pkts/61 bytes -> 0 pkts/0 bytes][Goodput ratio: 31/0][< 1 sec][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid TFTP RR/WR header: Source/Destination file missing][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 UDP 172.28.4.53:54627 -> 172.16.5.170:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][1 pkts/61 bytes -> 0 pkts/0 bytes][Goodput ratio: 31/0][< 1 sec][Filename: sysman.lis][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (sysman.lis)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 UDP 172.28.5.91:44618 -> 172.28.5.170:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: 
DataTransfer/4][1 pkts/60 bytes -> 0 pkts/0 bytes][Goodput ratio: 30/0][< 1 sec][Filename: zz.bin][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (zz.bin)][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 UDP 172.28.4.53:54632 -> 172.16.5.170:69 [proto: 96/TFTP][ClearText][Confidence: DPI][cat: DataTransfer/4][1 pkts/51 bytes -> 0 pkts/0 bytes][Goodput ratio: 17/0][< 1 sec][Risk: ** Malformed Packet **** Unidirectional Traffic **][Risk Score: 20][Risk Info: No server to client traffic / Invalid TFTP RR/WR header: Source/Destination file missing][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |