-rw-r--r-- | src/include/ndpi_protocols.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 63 | ||||
-rw-r--r-- | src/lib/protocols/bittorrent.c | 8 | ||||
-rw-r--r-- | tests/pcap/zoom2.pcap | bin | 0 -> 9198496 bytes | |||
-rw-r--r-- | tests/result/zoom2.pcap.out | 21 |
6 files changed, 88 insertions, 11 deletions
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 69f7e3b4b..5e27076e3 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -62,7 +62,6 @@ void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3
 void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int32_t saddr, u_int16_t sport, u_int32_t daddr, u_int16_t dport);
-u_int32_t ndpi_bittorrent_hash_funct(u_int32_t ip, u_int16_t port);
 void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_teredo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_ciscovpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
@@ -220,4 +219,7 @@ void init_z3950_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
 void init_avast_securedns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_cassandra_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+/* ndpi_main.c */
+extern u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port);
+
 
 #endif /* __NDPI_PROTOCOLS_H__ */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 13e6874e7..17924b241 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1113,6 +1113,9 @@ struct ndpi_detection_module_struct {
 /* NDPI_PROTOCOL_BITTORRENT */
 struct ndpi_lru_cache *bittorrent_cache;
 
+ /* NDPI_PROTOCOL_ZOOM */
+ struct ndpi_lru_cache *zoom_cache;
+
 /* NDPI_PROTOCOL_STUN and subprotocols */
 struct ndpi_lru_cache *stun_cache;
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 1cd867327..2e528b6a4 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2772,6 +2772,9 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
 if(ndpi_str->bittorrent_cache)
 ndpi_lru_free_cache(ndpi_str->bittorrent_cache);
 
+ if(ndpi_str->zoom_cache)
+ ndpi_lru_free_cache(ndpi_str->zoom_cache);
+
 if(ndpi_str->stun_cache)
 ndpi_lru_free_cache(ndpi_str->stun_cache);
 
@@ -5007,7 +5010,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 
 /* ********************************************************************************* */
 
-u_int32_t ndpi_bittorrent_hash_funct(u_int32_t ip, u_int16_t port) {
+u_int32_t ndpi_ip_port_hash_funct(u_int32_t ip, u_int16_t port) {
 return(ip + 3 * port);
 }
 
@@ -5038,7 +5041,7 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_
 flow->bt_check_performed = 1;
 
 /* Check cached communications */
- key1 = ndpi_bittorrent_hash_funct(saddr, sport), key2 = ndpi_bittorrent_hash_funct(daddr, dport);
+ key1 = ndpi_ip_port_hash_funct(saddr, sport), key2 = ndpi_ip_port_hash_funct(daddr, dport);
 
 found = ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, saddr+daddr, &cached_proto, 0 /* Don't remove it as it can be used for other connections */)
@@ -5062,14 +5065,50 @@ int ndpi_search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_
 
 /* ********************************************************************************* */
 
+/* #define ZOOM_CACHE_DEBUG */
+
+static u_int8_t ndpi_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t daddr /* Network byte order */) {
+
+#ifdef ZOOM_CACHE_DEBUG
+ printf("[%s:%u] ndpi_search_into_zoom_cache(%08X, %u)\n",
+ __FILE__, __LINE__, daddr, dport);
+#endif
+
+ if(ndpi_struct->zoom_cache) {
+ u_int16_t cached_proto;
+ u_int8_t found = ndpi_lru_find_cache(ndpi_struct->zoom_cache, daddr, &cached_proto,
+ 0 /* Don't remove it as it can be used for other connections */);
+
+#ifdef ZOOM_CACHE_DEBUG
+ printf("[Zoom] *** [TCP] SEARCHING host %u [found: %u]\n", daddr, found);
+#endif
+
+ return(found);
+ }
+
+ return(0);
+}
+
+/* ********************************************************************************* */
+
+static void ndpi_add_connection_as_zoom(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t daddr /* Network byte order */) {
+ if(ndpi_struct->zoom_cache == NULL)
+ ndpi_struct->zoom_cache = ndpi_lru_cache_init(512);
+
+ if(ndpi_struct->zoom_cache)
+ ndpi_lru_add_to_cache(ndpi_struct->zoom_cache, daddr, NDPI_PROTOCOL_ZOOM);
+}
+
+/* ********************************************************************************* */
+
 ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int8_t enable_guess, u_int8_t *protocol_was_guessed) {
 ndpi_protocol ret = {NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED};
 u_int16_t guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN, guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN;
-
- /*
- *** We can't access ndpi_str->packet from this function!! ***
- */
+
+ /* *** We can't access ndpi_str->packet from this function!! *** */
 
 *protocol_was_guessed = 0;
 
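Review bot: The debug printf at the top of ndpi_search_into_zoom_cache references `dport`, which is not a parameter of that function (it only receives ndpi_struct and daddr), so any build with ZOOM_CACHE_DEBUG defined fails to compile; it should read `printf("[%s:%u] ndpi_search_into_zoom_cache(%08X)\n", __FILE__, __LINE__, daddr);` or the port should become a parameter. The lookup discards cached_proto, which is fine while ndpi_add_connection_as_zoom is the only writer and stores nothing but NDPI_PROTOCOL_ZOOM, but a one-line comment such as `/* Only NDPI_PROTOCOL_ZOOM is ever stored here, so the cached value is not checked */` would keep a later reader from treating a hit as a protocol-agnostic answer. Both helpers would also benefit from a header comment stating that the cache is keyed by a single IPv4 address with no port, that entries are never removed on lookup, and that a hit therefore means "this address took part in a Zoom TCP flow earlier", not that the current flow was inspected. The second debug message prints "[TCP]" although this helper is only called from the UDP heuristic, which will mislead whoever enables the define.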
@@ -5215,6 +5254,12 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 flow->daddr, flow->dport)) {
 /* This looks like BitTorrent */
 ret.app_protocol = NDPI_PROTOCOL_BITTORRENT;
+ } else if((flow->l4_proto == IPPROTO_UDP) /* Zoom/UDP used for video */
+ && (((ntohs(flow->sport) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->saddr))
+ || ((ntohs(flow->dport) == 8801 /* Zoom port */) && ndpi_search_into_zoom_cache(ndpi_str, flow->daddr))
+ )) {
+ /* This looks like Zoom */
+ ret.app_protocol = NDPI_PROTOCOL_ZOOM;
 }
 }
 
@@ -5782,6 +5827,12 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 if(num_calls == 0)
 flow->fail_with_unknown = 1;
 
+ /* Zoom cache */
+ if((ret.app_protocol == NDPI_PROTOCOL_ZOOM)
+ && (flow->l4_proto == IPPROTO_TCP)
+ && (ndpi_str->packet.iph != NULL))
+ ndpi_add_connection_as_zoom(ndpi_str, ndpi_str->packet.iph->daddr);
+
 return(ret);
 }
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index fae1f6f46..a88fe7ad9 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
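Review bot: The port literal 8801 appears twice in the new else-if, each with its own `/* Zoom port */` comment; a single named constant defined once in ndpi_main.c (a constructed name such as ZOOM_UDP_VIDEO_PORT) would keep the two sides of the condition from drifting and make the heuristic greppable. The pairing is right as written, in that the cache is only consulted for the address on the 8801 side, but that pairing is the whole idea of the heuristic and should be spelled out, e.g. `/* zoom_cache holds addresses learnt from Zoom TCP flows; only the 8801 endpoint is looked up */`. The enclosing if/else-if chain and ndpi_detection_giveup itself begin outside this hunk.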
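Review bot: `ndpi_str->packet.iph->daddr` in the new block is the destination of the packet being processed, not of the flow, so on server-to-client packets of a Zoom TCP flow the client's own address is inserted into the 512-entry zoom_cache, and since this code sits on the per-packet path it likely repeats the insertion for every packet once the flow is classified, churning the LRU with entries the UDP heuristic never needs. Using the flow-level address that the giveup heuristic also reads, `ndpi_add_connection_as_zoom(ndpi_str, flow->daddr);`, would keep the key on the flow's original destination (assuming flow->daddr holds the first packet's destination, as its use with ndpi_search_into_bittorrent_cache suggests) while leaving the `iph != NULL` guard in place. That guard presumably restricts the cache to IPv4 flows; a comment such as `/* IPv4 only: zoom_cache is keyed by a 32-bit address */` would make the limitation explicit next to the `/* Zoom cache */` label. ndpi_detection_process_packet begins outside this hunk.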
@@ -134,9 +134,9 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
 u_int32_t key1, key2, i;
 
 if(packet->udp)
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, packet->udp->source), key2 = ndpi_bittorrent_hash_funct(packet->iph->daddr, packet->udp->dest);
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->udp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->udp->dest);
 else
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, packet->tcp->source), key2 = ndpi_bittorrent_hash_funct(packet->iph->daddr, packet->tcp->dest);
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, packet->tcp->source), key2 = ndpi_ip_port_hash_funct(packet->iph->daddr, packet->tcp->dest);
 
 ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT);
 ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key2, NDPI_PROTOCOL_BITTORRENT);
@@ -149,9 +149,9 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
 /* Also add +2 ports of the sender in order to catch additional sockets open by the same client */
 for(i=0; i<2; i++) {
 if(packet->udp)
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, htons(ntohs(packet->udp->source)+1));
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->udp->source)+1));
 else
- key1 = ndpi_bittorrent_hash_funct(packet->iph->saddr, htons(ntohs(packet->tcp->source)+1));
+ key1 = ndpi_ip_port_hash_funct(packet->iph->saddr, htons(ntohs(packet->tcp->source)+1));
 
 ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT);
 }
diff --git a/tests/pcap/zoom2.pcap b/tests/pcap/zoom2.pcap
Binary files differ
new file mode 100644
index 000000000..e91ef61a5
--- /dev/null
+++ b/tests/pcap/zoom2.pcap
diff --git a/tests/result/zoom2.pcap.out b/tests/result/zoom2.pcap.out
new file mode 100644
index 000000000..8a052d40b
--- /dev/null
+++ b/tests/result/zoom2.pcap.out
@@ -0,0 +1,21 @@ +Guessed flow protos: 3 + +DPI Packets (TCP): 8 (8.00 pkts/flow) +DPI Packets (UDP): 75 (25.00 pkts/flow) +DPI Packets (other): 1 (1.00 pkts/flow) +Confidence Unknown : 3 (flows) +Confidence DPI : 2 (flows) + +ICMP 27 1890 1 +Zoom 11950 9004950 4 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.1.178 1 + + + 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 189/Zoom][Encrypted][Confidence: Unknown][cat: Video/26][3824 pkts/4162390 bytes <-> 4907 pkts/4203451 bytes][Goodput ratio: 96/95][40.59 sec][bytes ratio: -0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/6 101/100 10/10][Pkt Len c2s/s2c min/avg/max/stddev: 94/60 1088/857 1339/1339 242/271][PLAIN TEXT (replace)][Plen Bins: 0,2,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,1,74,3,1,0,1,9,1,0,0,0,0,0,0,0,0,0] + 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 189/Zoom][Encrypted][Confidence: Unknown][cat: Video/26][1283 pkts/302584 bytes <-> 947 pkts/159626 bytes][Goodput ratio: 82/75][39.98 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/36 141/131 26/34][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 236/169 376/369 87/64][PLAIN TEXT (replace)][Plen Bins: 0,1,64,18,7,0,0,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][Encrypted][Confidence: DPI][cat: Video/26][491 pkts/108525 bytes <-> 411 pkts/58625 bytes][Goodput ratio: 70/54][44.41 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][bytes ratio: 0.299 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/109 1466/1467 185/193][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 221/143 1506/1506 285/210][Risk: ** TLS (probably) not carrying HTTPS **][Risk Score: 10][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom 
Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,15,17,13,5,3,8,2,1,0,1,0,1,1,3,1,2,4,2,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0] + 4 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 189/Zoom][Encrypted][Confidence: Unknown][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 ICMP 192.168.1.178:0 -> 144.195.73.154:0 [proto: 81/ICMP][ClearText][Confidence: DPI][cat: Network/14][27 pkts/1890 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/0 20/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70/0 70/0 0/0][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |