-rw-r--r-- | src/include/ndpi_protocol_ids.h | 4 | ||||
-rw-r--r-- | src/lib/protocols/oscar.c | 101 | ||||
-rw-r--r-- | tests/result/Instagram.pcap.out | 43 |
3 files changed, 95 insertions, 53 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 1df8578fe..06b3d6e52 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -257,11 +257,11 @@ #define NDPI_SERVICE_TIMRECARGA 208 #define NDPI_SERVICE_TIMBETA 209 #define NDPI_SERVICE_DEEZER 210 -#define NDPI_SERVICE_INSTAGRAM 211 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> +#define NDPI_SERVICE_INSTAGRAM 211 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> */ /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ #define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_INSTAGRAM -#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) +#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) #endif diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c index 3750239af..f5ce1dc18 100644 --- a/src/lib/protocols/oscar.c +++ b/src/lib/protocols/oscar.c @@ -19,7 +19,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -38,15 +38,15 @@ #define SCREEN_NAME 0x0001 #define PASSWD 0x0002 #define CLIENT_NAME 0x0003 -#define BOS 0x0005 -#define LOGIN_COOKIE 0x0006 -#define MAJOR_VERSION 0x0017 -#define MINOR_VERSION 0x0018 -#define POINT_VERSION 0x0019 -#define BUILD_NUM 0x001a +#define BOS 0x0005 +#define LOGIN_COOKIE 0x0006 +#define MAJOR_VERSION 0x0017 +#define MINOR_VERSION 0x0018 +#define POINT_VERSION 0x0019 +#define BUILD_NUM 0x001a #define MULTICONN_FLAGS 0x004a #define CLIENT_LANG 0x00OF -#define CLIENT_CNTRY 0x00OE +#define CLIENT_CNTRY 0x00OE #define CLIENT_RECONNECT 0x0094 /* Family */ 
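Review bot: In the `@@ -38,15` hunk of oscar.c the re-indented `#define CLIENT_CNTRY 0x00OE` and the neighbouring context line `#define CLIENT_LANG 0x00OF` spell the value with a capital letter O instead of a zero, at least as the page renders them. Neither is a valid integer constant, so any use of these macros would fail to compile and no TLV check can be written against them as they stand. If the source really reads this way, they should be `#define CLIENT_LANG 0x000F` and `#define CLIENT_CNTRY 0x000E`.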
@@ -91,7 +91,7 @@ static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *n /** Oscar connection work on FLAP protocol. - + FLAP is a low-level communications protocol that facilitates the development of higher-level, datagram-oriented, communications layers. It is used on the TCP connection between all clients and servers. Here is format of FLAP datagram @@ -99,7 +99,7 @@ static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *n static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - + int excluded = 0; u_int8_t channel; u_int16_t family; @@ -108,10 +108,10 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct u_int32_t req_ID; struct ndpi_packet_struct * packet = &flow->packet; - + struct ndpi_id_struct * src = flow->src; struct ndpi_id_struct * dst = flow->dst; - + /* FLAP__Header * * [ 6 byte FLAP header ] @@ -122,27 +122,27 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct * [ 4 byte of data ] * * */ - if (packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) + if (packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) { - + /* FLAP__FRAME_TYPE (Channel)*/ u_int8_t channel = get_u_int8_t(packet->payload, 1); - - /* + + /* Initialize the FLAP connection. - + SIGNON -> FLAP__SIGNON_FRAME +--------------------------------------------------+ + FLAP__Header | 6 byte + + FlapVersion | 4 byte (Always 1 = 0x00000001) + + TLVs | [Class: FLAP__SIGNON_TAGS] TLVs + - +--------------------------------------------------+ + +--------------------------------------------------+ */ if (channel == SIGNON && get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) && get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION)) { - + /* No TLVs */ if(packet->payload_packet_len == 10) { 
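Review bot: The guard kept in the `@@ -122,27` hunk, `packet->payload_packet_len >= 6`, does not cover the SIGNON test a few lines below it, where `get_u_int32_t(packet->payload, 6)` reads bytes 6–9; a 6- to 9-byte payload whose length field matches reaches that read past the end of the payload. Add the length to the condition, e.g. `if (channel == SIGNON && packet->payload_packet_len >= 10 && ...`. The same applies to the DATA branch in the `@@ -248,12` hunk, which reads at offsets 8, 10 and 12 (through byte 15) with no length test visible; only one line between the two hunks is not shown, so confirm whether it checks `payload_packet_len >= 16`. The function body starts and ends outside these hunks.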
@@ -178,9 +178,9 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if(get_u_int16_t(packet->payload, packet->payload_packet_len - 5) == htons(MULTICONN_FLAGS)) /* MULTICONN_FLAGS */ { if(get_u_int16_t(packet->payload, packet->payload_packet_len - 3) == htons(0x0001)) - if(get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == htons(0x00) || - get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == htons(0x01) || - get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == htons(0x03)) + if((get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x00) || + (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x01) || + (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x03)) { NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Login \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); @@ -222,25 +222,25 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Client_Reconnect \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; - } + } } - - /* + + /* Messages using the FLAP connection, usually a SNAC message. - DATA -> FLAP__DATA_FRAME + DATA -> FLAP__DATA_FRAME +-------------------------+ + FLAP__Header | 6 byte + + SNAC__Header | 10 byte + + snac | + +-------------------------+ - + SNAC__Header +----------------------------------------------+ + ID | 4 byte (2 foodgroup + 2 type) + + FLAGS | 2 byte + + requestId | 4 byte + - +----------------------------------------------+ + +----------------------------------------------+ */ if (channel == DATA) { 
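Review bot: The corrected test in the `@@ -178,9` hunk calls `get_u_int8_t(packet->payload, packet->payload_packet_len - 1)` three times and hangs off two unbraced nested `if`s, which makes the accepted flag values hard to audit. Read the byte once, e.g. `const u_int8_t mc_flags = get_u_int8_t(packet->payload, packet->payload_packet_len - 1);`, then test `mc_flags == 0x00 || mc_flags == 0x01 || mc_flags == 0x03`, and brace both `if`s. A short comment saying why a single byte is compared without `htons()` would keep the old mistake from coming back. The enclosing block starts outside the hunk.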
@@ -248,12 +248,12 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct type = get_u_int16_t(packet->payload, 8); flag = get_u_int16_t(packet->payload, 10); req_ID = get_u_int32_t(packet->payload, 12); - + /* Family 0x0001 */ if (family == htons(GE_SE_CTL)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -289,7 +289,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(LOC_SRV)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -312,7 +312,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(BUDDY_LIST)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -332,7 +332,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(IM)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -353,7 +353,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(IS)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -364,7 +364,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(ACC_ADM)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -381,7 +381,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(POPUP)) { switch (type) { - + case (0x0001): break; case (0x0002): break; default: excluded = 1; @@ -391,7 +391,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(PMS)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; 
@@ -410,7 +410,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(USS)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -422,7 +422,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(CHAT_ROOM_SETUP)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -439,7 +439,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(CHAT_ROOM_ACT)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -456,7 +456,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(USER_SRCH)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -469,7 +469,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(BUDDY_ICON_SERVER)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -484,7 +484,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(SERVER_STORED_INFO)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -513,7 +513,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(ICQ)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; @@ -524,7 +524,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(SERVER_STORED_INFO)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; 
@@ -546,14 +546,14 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (family == htons(SERVER_STORED_INFO)) { switch (type) { - + case (0x0001): break; case (0x0002): break; case (0x0003): break; default: excluded = 1; } } - + if(excluded == 1) { NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "exclude oscar.\n"); @@ -572,7 +572,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } } } - /* + /* ERROR -> FLAP__ERROR_CHANNEL_0x03 A FLAP error - rare */ @@ -582,7 +582,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - /* + /* Close down the FLAP connection gracefully. SIGNOFF: FLAP__SIGNOFF_CHANNEL_0x04 */ @@ -592,7 +592,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } - /* + /* Send a heartbeat to server to help keep connection open. KEEP_ALIVE: FLAP__KEEP_ALIVE_CHANNEL_0x05 */ @@ -787,7 +787,6 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct void init_oscar_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - ndpi_set_bitmask_protocol_detection("Oscar", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_OSCAR, ndpi_search_oscar, diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out new file mode 100644 index 000000000..a00f2c2d8 --- /dev/null +++ b/tests/result/Instagram.pcap.out 
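Review bot: The block at the top of the `@@ -546,14` hunk tests `family == htons(SERVER_STORED_INFO)` again, as do the blocks in the `@@ -484,7` and `@@ -524,7` hunks, and here `default: excluded = 1` fires for every type other than 0x0001–0x0003. If the first block accepts further SERVER_STORED_INFO types (its case list continues outside the hunk), this later copy would still exclude such flows, so the repeated blocks look like copy-paste left-overs meant for other families. Check which family constants were intended and replace the duplicates, or add a comment explaining why the same family is filtered three times.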
@@ -0,0 +1,43 @@ +Unknown 1 66 1 +DNS 6 990 3 +HTTP 266 245342 7 +ICMP 5 510 1 +SSL 167 89440 9 +DropBox 5 725 2 +Instagram 293 227261 9 + + 1 UDP 192.168.0.106:17500 <-> 192.168.0.255:17500 [proto: 121/DropBox][1 pkts/145 bytes] + 2 UDP 8.8.8.8:53 <-> 192.168.0.103:26540 [proto: 5/DNS][2 pkts/298 bytes][Host: igcdn-photos-g-a.akamaihd.net] + 3 UDP 8.8.8.8:53 <-> 192.168.0.103:27124 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes][Host: photos-b.ak.instagram.com] + 4 TCP 31.13.93.52:443 <-> 192.168.0.103:33763 [proto: 91/SSL][11 pkts/5397 bytes] + 5 TCP 31.13.93.52:443 <-> 192.168.0.103:33935 [proto: 91/SSL][10 pkts/5299 bytes] + 6 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][49 pkts/38684 bytes] + 7 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][52 pkts/58994 bytes][Host: photos-h.ak.instagram.com] + 8 TCP 77.67.29.17:80 <-> 192.168.0.103:33976 [proto: 7/HTTP][34 pkts/29039 bytes] + 9 TCP 192.168.0.103:37350 <-> 82.85.26.153:80 [proto: 7.211/HTTP.Instagram][1 pkts/324 bytes][Host: photos-a.ak.instagram.com] + 10 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91/SSL][14 pkts/5567 bytes][SSL client: igcdn-photos-a-a.akamaihd.net] + 11 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7/HTTP][150 pkts/153558 bytes] + 12 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][58 pkts/50220 bytes][Host: photos-g.ak.instagram.com] + 13 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][3 pkts/198 bytes] + 14 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][75 pkts/57239 bytes][Host: photos-g.ak.instagram.com] + 15 TCP 173.252.107.4:443 <-> 192.168.0.103:56382 [proto: 91.211/SSL.Instagram][17 pkts/2647 bytes][SSL client: telegraph-ash.instagram.com] + 16 UDP 192.168.0.106:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][4 pkts/580 bytes] + 17 UDP 8.8.8.8:53 <-> 192.168.0.103:33603 [proto: 5/DNS][2 pkts/298 bytes][Host: igcdn-photos-a-a.akamaihd.net] + 18 TCP 
31.13.93.52:443 <-> 192.168.0.103:33936 [proto: 91/SSL][68 pkts/45688 bytes] + 19 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91/SSL][12 pkts/6044 bytes] + 20 ICMP 192.168.0.103:0 <-> 192.168.0.103:0 [proto: 81/ICMP][5 pkts/510 bytes] + 21 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][3 pkts/198 bytes] + 22 TCP 192.168.0.103:40855 <-> 46.33.70.150:80 [proto: 7/HTTP][2 pkts/140 bytes] + 23 UDP 8.8.8.8:53 <-> 192.168.0.103:51219 [proto: 5/DNS][2 pkts/394 bytes][Host: igcdn-photos-h-a.akamaihd.net] + 24 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91/SSL][17 pkts/6369 bytes][SSL client: igcdn-photos-h-a.akamaihd.net] + 25 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91/SSL][14 pkts/5567 bytes][SSL client: igcdn-photos-a-a.akamaihd.net] + 26 TCP 192.168.0.103:41562 <-> 92.122.48.138:80 [proto: 7/HTTP][25 pkts/23525 bytes] + 27 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][81 pkts/53416 bytes][Host: photos-e.ak.instagram.com] + 28 TCP 192.168.0.103:58690 <-> 46.33.70.159:443 [proto: 91/SSL][2 pkts/169 bytes] + 29 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91/SSL][19 pkts/9340 bytes][SSL client: igcdn-photos-g-a.akamaihd.net] + 30 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][7 pkts/4015 bytes][Host: photos-f.ak.instagram.com] + 31 TCP 192.168.0.103:58053 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][1 pkts/321 bytes][Host: photos-g.ak.instagram.com] + + +Undetected flows: + 1 UDP 192.168.0.1:520 <-> 192.168.0.255:520 [proto: 0/Unknown][1 pkts/66 bytes] |