-rw-r--r--wireshark/ndpi.lua90
1 files changed, 88 insertions, 2 deletions
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index bab43abe8..a05ca0493 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -34,6 +34,7 @@ ntop_fds.client_nw_rtt = ProtoField.new("TCP client network RTT (msec)", "nt
ntop_fds.server_nw_rtt = ProtoField.new("TCP server network RTT (msec)", "ntop.latency.server_rtt", ftypes.FLOAT, nil, base.NONE)
ntop_fds.appl_latency_rtt = ProtoField.new("Application Latency RTT (msec)", "ntop.latency.appl_rtt", ftypes.FLOAT, nil, base.NONE)
+local f_eth_source = Field.new("eth.src")
local f_eth_trailer = Field.new("eth.trailer")
local f_vlan_id = Field.new("vlan.id")
local f_arp_opcode = Field.new("arp.opcode")
@@ -54,6 +55,7 @@ local f_tcp_lost_segment = Field.new('tcp.analysis.lost_segment') -- packet dro
local f_rpc_xid = Field.new('rpc.xid')
local f_rpc_msgtyp = Field.new('rpc.msgtyp')
local f_user_agent = Field.new('http.user_agent')
+local f_dhcp_request_item = Field.new('bootp.option.request_list_item')
local ndpi_protos = {}
local ndpi_flows = {}
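Review bot: The new field extractor on the `+` line is registered under the `bootp.*` prefix, and `Field.new` raises at script load time if the name is not a registered field, which would take the whole plugin down rather than just the DHCP view. Newer Wireshark releases moved these fields to `dhcp.option.request_list_item` when the BOOTP dissector was renamed, so if this script is expected to run on those versions the name should be probed rather than assumed, e.g. `local ok, f = pcall(Field.new, 'dhcp.option.request_list_item')` with a fallback to the `bootp.` name. A one-line comment stating which Wireshark versions the field name was verified against would help the next maintainer, as the two names are silently incompatible.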
@@ -88,6 +90,8 @@ local tot_ssl_flows = 0
local http_ua = {}
local tot_http_ua_flows = 0
+local dhcp_fingerprints = {}
+
local min_nw_client_RRT = {}
local min_nw_server_RRT = {}
local max_nw_client_RRT = {}
@@ -320,6 +324,9 @@ function ndpi_proto.init()
-- HTTP
http_ua = {}
tot_http_ua_flows = 0
+
+ -- DHCP
+ dhcp_fingerprints = {}
-- DNS
dns_responses_ok = {}
@@ -530,6 +537,24 @@ end
-- ###############################################
+function dhcp_dissector(tvb, pinfo, tree)
+ local req_item = f_dhcp_request_item()
+
+ if(req_item ~= nil) then
+ local srckey = tostring(f_eth_source())
+ local req_table = { f_dhcp_request_item() }
+ local fingerprint = ""
+
+ for k,v in pairs(req_table) do
+ fingerprint = fingerprint .. string.format("%02X", v.value)
+ end
+
+ dhcp_fingerprints[srckey] = fingerprint
+ end
+end
+
+-- ###############################################
+
function dns_dissector(tvb, pinfo, tree)
local dns_response = f_dns_response()
if(dns_response ~= nil) then
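Review bot: In `dhcp_dissector`, `tostring(f_eth_source())` yields the string "nil" whenever the frame has no Ethernet header (DHCP relayed over a non-Ethernet capture, or a cooked-mode capture), so every such client collapses into a single "nil" entry that later packets silently overwrite; the source should be checked before it is used as a key. The fingerprint is built by concatenating `v.value` in `pairs` order, but option-55 fingerprints are only meaningful in the client's original request order, so `ipairs` over the captured result list is the correct traversal and also avoids the quadratic `..` in the loop; `f_dhcp_request_item()` is also evaluated twice for no reason. Note for consumers of this table that both the MAC key and the option list are entirely client-controlled, so a match in the OS table is a hint about what the client claims to be, not an identity — a one-line comment to that effect on `dhcp_fingerprints` would prevent it being used as an asset inventory. The block shown is complete within the hunk.
```lua
function dhcp_dissector(tvb, pinfo, tree)
  -- Option 55 (parameter request list), one field per requested option.
  local req_items = { f_dhcp_request_item() }

  if(#req_items > 0) then
    -- Skip frames without an Ethernet source rather than keying on "nil".
    local src = f_eth_source()
    if(src == nil) then return end

    -- Request order is part of the fingerprint; ipairs preserves it.
    local parts = {}
    for i, v in ipairs(req_items) do
      parts[i] = string.format("%02X", v.value)
    end

    -- NOTE: MAC and option list are client-supplied; treat as a hint only.
    dhcp_fingerprints[tostring(src)] = table.concat(parts)
  end
end
```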
@@ -892,6 +917,7 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
vlan_dissector(tvb, pinfo, tree)
ssl_dissector(tvb, pinfo, tree)
http_dissector(tvb, pinfo, tree)
+ dhcp_dissector(tvb, pinfo, tree)
dns_dissector(tvb, pinfo, tree)
rpc_dissector(tvb, pinfo, tree)
end
@@ -1203,6 +1229,65 @@ end
-- ###############################################
+local function dhcp_dialog_menu()
+ local win = TextWindow.new("DHCP Fingerprinting");
+ local label = ""
+ local tot = 0
+ local i
+ local fingeprints = {
+ ['017903060F77FC'] = 'iOS',
+ ['017903060F77FC5F2C2E'] = 'MacOS',
+ ['0103060F775FFC2C2E2F'] = 'MacOS',
+ ['0103060F775FFC2C2E'] = 'MacOS',
+ ['0603010F0C2C51452B1242439607'] = 'HP LaserJet',
+ ['01032C06070C0F16363A3B45122B7751999A'] = 'HP LaserJet',
+ ['0103063633'] = 'Windows',
+ ['0103060F1F212B2C2E2F79F9FC'] = 'Windows',
+ ['0103060C0F1C2A'] = 'Linux',
+ ['011C02030F06770C2C2F1A792A79F921FC2A'] = 'Linux',
+ ['0102030F060C2C'] = 'Apple AirPort',
+ ['010F03062C2E2F1F2179F92B'] = 'Windows'
+ }
+
+ if(dhcp_fingerprints ~= {}) then
+ i = 0
+ label = label .. "Client\t\tKnown Fingerprint\n"
+ for k,v in pairsByValues(dhcp_fingerprints, rev) do
+ local os = fingeprints[v]
+
+ if(os ~= nil) then
+ local os = " ["..os.."]"
+ label = label .. k.."\t"..v..os.."\n"
+ if(i == 50) then break else i = i + 1 end
+ end
+ end
+
+ i = 0
+ for k,v in pairsByValues(dhcp_fingerprints, rev) do
+ local os = fingeprints[v]
+
+ if(os == nil) then
+ if(i == 0) then
+ label = label .. "\n\nClient\t\tUnknown Fingerprint\n"
+ end
+
+ label = label .. k.."\t"..v.."\n"
+ if(i == 50) then break else i = i + 1 end
+ end
+ end
+
+
+
+ else
+ label = "No DHCP fingerprints detected"
+ end
+
+ win:set(label)
+ win:add_button("Clear", function() win:clear() end)
+end
+
+-- ###############################################
+
local function ssl_dialog_menu()
local win = TextWindow.new("SSL Server Contacts");
local label = ""
@@ -1271,12 +1356,13 @@ end
-- ###############################################
register_menu("ntop/ARP", arp_dialog_menu, MENU_TOOLS_UNSORTED)
-register_menu("ntop/VLAN", vlan_dialog_menu, MENU_TOOLS_UNSORTED)
-register_menu("ntop/IP-MAC", ip_mac_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/DHCP", dhcp_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/DNS", dns_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/HTTP UA", http_ua_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/IP-MAC", ip_mac_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/SSL", ssl_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/TCP Analysis", tcp_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/VLAN", vlan_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/Latency/Network", rtt_dialog_menu, MENU_TOOLS_UNSORTED)
register_menu("ntop/Latency/Application", appl_rtt_dialog_menu, MENU_TOOLS_UNSORTED)