diff options
26 files changed, 511 insertions, 82 deletions
@@ -1,6 +1,6 @@ # What is nDPI ? -nDPI is an open source GPLv3 library for deep-packet inspection. Based on OpenDPI it includes ntop extensions. We have tried to push them into the OpenDPI source tree but nobody answered emails so we have decided to create our own source tree +nDPI is an open source LGPLv3 library for deep-packet inspection. Based on OpenDPI it includes ntop extensions. We have tried to push them into the OpenDPI source tree but nobody answered emails so we have decided to create our own source tree # How To Compile nDPI @@ -35,3 +35,4 @@ The entire procedure of adding new protocols in detail: If you want to distribute a source tar file of nDPI do: - make dist + diff --git a/configure.ac b/configure.ac index 59a45f5f9..3c310a1d4 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([libndpi], [1.6.0]) +AC_INIT([libndpi], [1.6.1]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 29578b043..717db6136 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -236,9 +236,15 @@ #define NDPI_SERVICE_VIBER NDPI_PROTOCOL_VIBER /* Tomasz Bujlow <tomasz@skatnet.dk> */ #define NDPI_SERVICE_YAHOO NDPI_PROTOCOL_YAHOO /* Tomasz Bujlow <tomasz@skatnet.dk> */ #define NDPI_SERVICE_PANDORA 187 +#define NDPI_PROTOCOL_EAQ 190 +#define NDPI_SERVICE_MEU 191 +#define NDPI_SERVICE_TORCEDOR 192 +#define NDPI_SERVICE_KAKAOTALK 193 /* KakaoTalk Chat (no voice call) */ +#define NDPI_SERVICE_KAKAOTALK_VOICE 194 /* KakaoTalk Voice */ +#define NDPI_SERVICE_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */ -/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE (NDPI_PROTOCOL_WHATSAPP_VOICE) */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL 189 +/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ +#define NDPI_LAST_IMPLEMENTED_PROTOCOL 195 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 4fc0516d8..691118309 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -178,5 +178,7 @@ void ndpi_search_twitter(struct ndpi_detection_module_struct *ndpi_struct, struc void ndpi_search_vhua(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); #endif /* __NDPI_PROTOCOLS_INCLUDE_FILE__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index a75b7c4cb..e4883d92e 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -373,23 +373,18 @@ struct ndpi_flow_tcp_struct { #ifdef NDPI_PROTOCOL_MAIL_IMAP u_int32_t mail_imap_stage:3; #endif - #ifdef NDPI_PROTOCOL_SKYPE u_int8_t skype_packet_id; #endif - #ifdef NDPI_PROTOCOL_CITRIX u_int8_t citrix_packet_id; #endif - #ifdef NDPI_PROTOCOL_LOTUS_NOTES u_int8_t lotus_notes_packet_id; #endif - #ifdef NDPI_PROTOCOL_TEAMVIEWER u_int8_t teamviewer_stage; #endif - #ifdef NDPI_PROTOCOL_ZMQ u_int8_t prev_zmq_pkt_len; u_char prev_zmq_pkt[10]; @@ -439,6 +434,10 @@ struct ndpi_flow_udp_struct { #ifdef NDPI_PROTOCOL_TEAMVIEWER u_int8_t teamviewer_stage; #endif +#ifdef NDPI_PROTOCOL_EAQ + u_int8_t eaq_pkt_id; + u_int32_t eaq_sequence; +#endif } #if !defined(WIN32) __attribute__ ((__packed__)) @@ -619,8 +618,10 @@ typedef struct ndpi_detection_module_struct { u_int ndpi_num_custom_protocols; /* HTTP/DNS/HTTPS host matching */ - ndpi_automa host_automa, content_automa, bigrams_automa, impossible_bigrams_automa; - + ndpi_automa host_automa, /* Used for DNS/HTTPS */ + content_automa, /* Used for HTTP subprotocol_detection */ + subprotocol_automa, /* Used for HTTP subprotocol_detection */ + bigrams_automa, impossible_bigrams_automa; /* TOR */ /* IP-based protocol detection */ void *protocols_ptree; diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 86aeb6c68..5cebcdff1 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -39,6 +39,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/dns.c \ protocols/dofus.c \ protocols/dropbox.c \ + protocols/eaq.c \ protocols/edonkey.c \ protocols/fasttrack.c \ protocols/fiesta.c \ @@ -59,6 +60,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/ipp.c \ protocols/irc.c \ protocols/jabber.c \ + protocols/kakaotalk_voice.c \ protocols/kerberos.c \ protocols/kontiki.c \ protocols/ldap.c \ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 1a75240a9..805984898 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7214,6 +7214,74 @@ static ndpi_network host_protocol_list[] = { { 0xDF1273E5, 32, NDPI_PROTOCOL_TOR }, { 0xDF85F4CA, 32, NDPI_PROTOCOL_TOR }, { 0xDFE57B41, 32, NDPI_PROTOCOL_TOR }, + +/* + Twitch ingestion servers : + https://api.twitch.tv/kraken/ingests + Edoardo Dominici edoaramis@gmail.com +*/ +{ 0xB92ACC5D, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACC92, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACCA4, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACCCD, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACC30, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FE15, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FE19, 32, NDPI_SERVICE_TWITCH }, +{ 0xBCACD305, 32, NDPI_SERVICE_TWITCH }, +{ 0xC0104616, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010461D, 32, NDPI_SERVICE_TWITCH }, +{ 0xC0104650, 32, NDPI_SERVICE_TWITCH }, +{ 0xC0104651, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FEA3, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FE87, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACD85, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACDA4, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010419A, 32, NDPI_SERVICE_TWITCH }, +{ 0xC01041AD, 32, NDPI_SERVICE_TWITCH }, +{ 0xC0104172, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACD68, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACD55, 32, NDPI_SERVICE_TWITCH }, +{ 0xC0104219, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010421A, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010421B, 32, NDPI_SERVICE_TWITCH }, +{ 0xBCACD205, 32, NDPI_SERVICE_TWITCH }, +{ 0xBCACCB05, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010413C, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010413D, 32, NDPI_SERVICE_TWITCH }, +{ 0xC010413E, 32, NDPI_SERVICE_TWITCH }, +{ 0xBCACD105, 32, NDPI_SERVICE_TWITCH }, +{ 0xBCACD005, 32, NDPI_SERVICE_TWITCH }, +{ 0xBCACCA05, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACD06, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACD14, 32, NDPI_SERVICE_TWITCH }, +{ 0xB92ACCF3, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F9C7, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F9C9, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F9CB, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBA4, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBA6, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBAA, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBB1, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBE8, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBE9, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBEA, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBEB, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBFB, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBFC, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBFD, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FBFE, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FF4B, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709FF4C, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F974, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F976, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F978, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F97D, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F985, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F986, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F987, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F98C, 32, NDPI_SERVICE_TWITCH }, +{ 0xC709F9C5, 32, NDPI_SERVICE_TWITCH }, + { 0x0, 0, 0 } }; @@ -7295,6 +7363,12 @@ ndpi_protocol_match host_match[] = { { ".spotify.", "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_FUN }, { ".pandora.com", "Pandora", NDPI_SERVICE_PANDORA, NDPI_PROTOCOL_FUN }, { ".torproject.org", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, + { "appmeutim.tim.com.br", "Meu", NDPI_SERVICE_MEU, NDPI_PROTOCOL_ACCEPTABLE }, + { ".timtorcedor.com.br", "Torcedor", NDPI_SERVICE_TORCEDOR, NDPI_PROTOCOL_ACCEPTABLE }, + { ".kakao.com", "KakaoTalk", NDPI_SERVICE_KAKAOTALK, NDPI_PROTOCOL_FUN }, + { "ttvnw.net", "Twitch", NDPI_SERVICE_TWITCH, NDPI_PROTOCOL_FUN }, + { "static-cdn.jtvnw.net", "Twitch", NDPI_SERVICE_TWITCH, NDPI_PROTOCOL_FUN }, + { "www-cdn.jtvnw.net", "Twitch", NDPI_SERVICE_TWITCH, NDPI_PROTOCOL_FUN }, { NULL, 0 } }; @@ -7339,6 +7413,7 @@ ndpi_protocol_match content_match[] = { { "audio/webm", NULL, NDPI_CONTENT_WEBM, NDPI_PROTOCOL_FUN }, { "video/webm", NULL, NDPI_CONTENT_WEBM, NDPI_PROTOCOL_FUN }, { "application/x-rtsp-tunnelled", NULL, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_FUN }, + { "application/vnd.apple.mpegurl", NULL, NDPI_SERVICE_TWITCH, NDPI_PROTOCOL_FUN }, { NULL, 0 } }; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 5724b2522..a8d5dfc5f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1466,6 +1466,16 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "Quic", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ, + no_master, + no_master, "EAQ", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 6000, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_SERVICE_KAKAOTALK_VOICE, + no_master, + no_master, "KakaoTalk_Voice", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); custom_master[0] = NDPI_PROTOCOL_HTTP, custom_master[1] = NDPI_PROTOCOL_UNKNOWN; custom_master1[0] = NDPI_PROTOCOL_DNS, custom_master1[1] = NDPI_PROTOCOL_UNKNOWN; @@ -3562,6 +3572,24 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n ADD_TO_DETECTION_BITMASK); #endif +#ifdef NDPI_PROTOCOL_EAQ + ndpi_set_bitmask_protocol_detection("EAQ", ndpi_struct, detection_bitmask, a++, + NDPI_PROTOCOL_EAQ, + ndpi_search_eaq, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); +#endif + +#ifdef NDPI_SERVICE_KAKAOTALK_VOICE + ndpi_set_bitmask_protocol_detection("KakaoTalk_Voice", ndpi_struct, detection_bitmask, a++, + NDPI_SERVICE_KAKAOTALK_VOICE, + ndpi_search_kakaotalk_voice, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); +#endif + ndpi_struct->callback_buffer_size = a; NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, diff --git a/src/lib/protocols/eaq.c b/src/lib/protocols/eaq.c new file mode 100644 index 000000000..1cdcc8f2b --- /dev/null +++ b/src/lib/protocols/eaq.c @@ -0,0 +1,73 @@ +/* + * eaq.c + * + * Copyright (C) 2015 - ntop.org + * + * This module is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This module is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License. + * If not, see <http://www.gnu.org/licenses/>. + * + */ + + +/* + EAQ: Entitade Aferidora da Qualidade de Banda Larga + + http://www.brasilbandalarga.com.br + */ +#include "ndpi_api.h" + +#define EAQ_DEFAULT_PORT 6000 +#define EAQ_DEFAULT_SIZE 16 + +#ifdef NDPI_PROTOCOL_EAQ +static void ndpi_int_eaq_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_EAQ, NDPI_REAL_PROTOCOL); +} + + +void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); + unsigned char *vers; + int ver_offs; + + if((packet->payload_packet_len != EAQ_DEFAULT_SIZE) + || ((sport != EAQ_DEFAULT_PORT) && (dport != EAQ_DEFAULT_PORT))) { + exclude_eaq: + NDPI_LOG(NDPI_PROTOCOL_EAQ, ndpi_struct, NDPI_LOG_DEBUG, "Exclude eaq.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_EAQ); + return; + } + + if(packet->udp != NULL) { + u_int32_t seq = (packet->payload[0] * 1000) + (packet->payload[1] * 100) + (packet->payload[2] * 10) + packet->payload[3]; + + if(flow->l4.udp.eaq_pkt_id == 0) + flow->l4.udp.eaq_sequence = seq; + else { + if((flow->l4.udp.eaq_sequence == seq) || ((flow->l4.udp.eaq_sequence+1) == seq)) { + ; /* Looks good */ + } else + goto exclude_eaq; + } + + if(++flow->l4.udp.eaq_pkt_id == 4) { + /* We have collected enough packets so we assume it's EAQ */ + NDPI_LOG(NDPI_PROTOCOL_EAQ, ndpi_struct, NDPI_LOG_DEBUG, "found eaq.\n"); + ndpi_int_eaq_add_connection(ndpi_struct, flow); + } + } else + goto exclude_eaq; +} +#endif diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c new file mode 100644 index 000000000..dfda5c849 --- /dev/null +++ b/src/lib/protocols/kakaotalk_voice.c @@ -0,0 +1,59 @@ +/* + * kakaotalk_voice.c + * + * Copyright (C) 2015 - ntop.org + * + * This module is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This module is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License. + * If not, see <http://www.gnu.org/licenses/>. + * + */ + + +/* + KakaoTalk (call only) + + http://www.kakao.com/services/talk/voices +*/ +#include "ndpi_api.h" + + +#ifdef NDPI_SERVICE_KAKAOTALK_VOICE +void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + unsigned char *vers; + int ver_offs; + + if(packet->udp != NULL) { + if((packet->payload[0] == 0x81) + || (packet->payload[1] == 0xC8) + || (packet->payload[2] == 0x00) + || (packet->payload[3] == 0x0C)) { + /* Looks good so far */ + + /* + inetnum: 1.201.0.0 - 1.201.255.255 + netname: KINXINC-KR + */ + + if(((ntohl(packet->iph->saddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */) + || ((ntohl(packet->iph->daddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */)) { + ndpi_int_add_connection(ndpi_struct, flow, NDPI_SERVICE_KAKAOTALK_VOICE, NDPI_REAL_PROTOCOL); + return; + } + } + } + + NDPI_LOG(NDPI_PROTOCOL_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_KAKAOTALK_VOICE); +} +#endif diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c index 02875648a..f618261dd 100644 --- a/src/lib/protocols/rtcp.c +++ b/src/lib/protocols/rtcp.c @@ -35,6 +35,19 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct n ndpi_int_rtcp_add_connection(ndpi_struct, flow); } } else if(packet->udp != NULL) { + /* Let's check first the RTCP packet length */ + u_int16_t len, offset = 0, rtcp_section_len; + + while(offset < packet->payload_packet_len) { + len = packet->payload[2+offset] * 256 + packet->payload[2+offset+1]; + rtcp_section_len = (len + 1) * 4; + + if((offset+rtcp_section_len) > packet->payload_packet_len) + goto exclude_rtcp; + else + offset += rtcp_section_len; + } + sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n"); if(((packet->payload_packet_len >= 28 || packet->payload_packet_len <= 1200) && @@ -45,6 +58,8 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct n ndpi_int_rtcp_add_connection(ndpi_struct, flow); } } else { + exclude_rtcp: + NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude RTCP.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTCP); } diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index c61c039c1..f4b70ed62 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -25,7 +25,7 @@ #include "ndpi_api.h" -// #define CERTIFICATE_DEBUG 1 +/* #define CERTIFICATE_DEBUG 1 */ #ifdef NDPI_PROTOCOL_SSL @@ -134,6 +134,14 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, char *buffer, int buffer_len) { struct ndpi_packet_struct *packet = &flow->packet; +#ifdef CERTIFICATE_DEBUG + { + static u_int8_t id = 0; + + printf("-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF); + } +#endif + /* Nothing matched so far: let's decode the certificate with some heuristics Patches courtesy of Denys Fedoryshchenko <nuclearcat@nuclearcat.com> @@ -145,7 +153,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, memset(buffer, 0, buffer_len); /* Truncate total len, search at least in incomplete packet */ - if (total_len > packet->payload_packet_len) + if(total_len > packet->payload_packet_len) total_len = packet->payload_packet_len; /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ @@ -282,38 +290,41 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s if(!packet->iph /* IPv4 */) return(-1); - if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)) { - char certificate[64]; - int rc; + if((packet->payload_packet_len > 9) + && (packet->payload[0] == 0x16 /* consider only specific SSL packets (handshake) */)) { + if((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) + || (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL)) { + char certificate[64]; + int rc; - certificate[0] = '\0'; - rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate)); - packet->ssl_certificate_num_checks++; + certificate[0] = '\0'; + rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate)); + packet->ssl_certificate_num_checks++; - if(rc > 0) { - packet->ssl_certificate_detected++; + if(rc > 0) { + packet->ssl_certificate_detected++; #ifdef CERTIFICATE_DEBUG - printf("***** [SSL] %s\n", certificate); + printf("***** [SSL] %s\n", certificate); #endif - if(ndpi_match_string_subprotocol(ndpi_struct, flow, certificate, strlen(certificate)) != NDPI_PROTOCOL_UNKNOWN) - return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ + if(ndpi_match_string_subprotocol(ndpi_struct, flow, certificate, strlen(certificate)) != NDPI_PROTOCOL_UNKNOWN) + return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */ #ifdef NDPI_PROTOCOL_TOR - if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0) - return(rc); + if(ndpi_is_ssl_tor(ndpi_struct, flow, certificate) != 0) + return(rc); #endif - } + } - if(((packet->ssl_certificate_num_checks >= 2) - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) - || (flow->protos.ssl.server_certificate[0] != '\0') - || (flow->protos.ssl.client_certificate[0] != '\0') - ) - ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); + if(((packet->ssl_certificate_num_checks >= 2) + && flow->l4.tcp.seen_syn + && flow->l4.tcp.seen_syn_ack + && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) + || (flow->protos.ssl.server_certificate[0] != '\0') + || (flow->protos.ssl.client_certificate[0] != '\0') + ) + ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); + } } return(0); @@ -330,11 +341,11 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct u_int32_t a; u_int32_t end; #if defined(NDPI_PROTOCOL_UNENCRYPED_JABBER) - if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER) != 0) + if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER) != 0) goto check_for_ssl_payload; #endif #if defined(NDPI_PROTOCOL_OSCAR) - if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0) + if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OSCAR) != 0) goto check_for_ssl_payload; #endif goto no_check_for_ssl_payload; @@ -343,10 +354,10 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct end = packet->payload_packet_len - 20; for (a = 5; a < end; a++) { #ifdef NDPI_PROTOCOL_UNENCRYPED_JABBER - if (packet->payload[a] == 't') { - if (memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { + if(packet->payload[a] == 't') { + if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "ssl jabber packet match\n"); - if (NDPI_COMPARE_PROTOCOL_TO_BITMASK + if(NDPI_COMPARE_PROTOCOL_TO_BITMASK (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER) != 0) { ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPED_JABBER); return; @@ -355,9 +366,9 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct } #endif #ifdef NDPI_PROTOCOL_OSCAR - if (packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c' + if(packet->payload[a] == 'A' || packet->payload[a] == 'k' || packet->payload[a] == 'c' || packet->payload[a] == 'h') { - if (((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0) + if(((a + 19) < packet->payload_packet_len && memcmp(&packet->payload[a], "America Online Inc.", 19) == 0) // || (end - c > 3 memcmp (&packet->payload[c],"AOL", 3) == 0 ) // || (end - c > 7 && memcmp (&packet->payload[c], "AOL LLC", 7) == 0) || ((a + 15) < packet->payload_packet_len && memcmp(&packet->payload[a], "kdc.uas.aol.com", 15) == 0) @@ -370,7 +381,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); - if (flow->dst != NULL && packet->payload_packet_len > 75) { + if(flow->dst != NULL && packet->payload_packet_len > 75) { memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32); flow->dst->oscar_ssl_session_id[32] = '\0'; flow->dst->oscar_last_safe_access_time = packet->tick_timestamp; @@ -381,8 +392,8 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct } } - if (packet->payload[a] == 'm' || packet->payload[a] == 's') { - if ((a + 21) < packet->payload_packet_len && + if(packet->payload[a] == 'm' || packet->payload[a] == 's') { + if((a + 21) < packet->payload_packet_len && (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); @@ -418,7 +429,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct // struct ndpi_id_struct *dst=flow->dst; - if ((packet->payload_packet_len >= 5) + if((packet->payload_packet_len >= 5) && (packet->payload[0] == 0x16) && (packet->payload[1] == 0x03) && ((packet->payload[2] == 0x00) @@ -429,17 +440,17 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct u_int32_t temp; NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "search sslv3\n"); // SSLv3 Record - if (packet->payload_packet_len >= 1300) { + if(packet->payload_packet_len >= 1300) { return 1; } temp = ntohs(get_u_int16_t(packet->payload, 3)) + 5; NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); - if (packet->payload_packet_len == temp + if(packet->payload_packet_len == temp || (temp < packet->payload_packet_len && packet->payload_packet_len > 500)) { return 1; } - if (packet->payload_packet_len < temp && temp < 5000 && packet->payload_packet_len > 9) { + if(packet->payload_packet_len < temp && temp < 5000 && packet->payload_packet_len > 9) { /* the server hello may be split into small packets */ u_int32_t cert_start; @@ -451,14 +462,14 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "suspected start of certificate: %u\n", cert_start); - if (cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { + if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "found 0x0b at suspected start of certificate block\n"); return 2; } } - if ((packet->payload_packet_len > temp && packet->payload_packet_len > 100) && packet->payload_packet_len > 9) { + if((packet->payload_packet_len > temp && packet->payload_packet_len > 100) && packet->payload_packet_len > 9) { /* the server hello may be split into small packets and the certificate has its own SSL Record * so temp contains only the length for the first ServerHello block */ u_int32_t cert_start; @@ -471,7 +482,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "suspected start of certificate: %u\n", cert_start); - if (cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { + if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "found 0x0b at suspected start of certificate block\n"); return 2; @@ -479,49 +490,45 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct } - if (packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16) + if(packet->payload_packet_len >= temp + 5 && (packet->payload[temp] == 0x14 || packet->payload[temp] == 0x16) && packet->payload[temp + 1] == 0x03) { u_int32_t temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if (temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) { + if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) { return 1; } temp += temp2; NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); - if (packet->payload_packet_len == temp) { + if(packet->payload_packet_len == temp) { return 1; } - if (packet->payload_packet_len >= temp + 5 && + if(packet->payload_packet_len >= temp + 5 && packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if (temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) { + if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) { return 1; } temp += temp2; NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); - if (packet->payload_packet_len == temp) { + if(packet->payload_packet_len == temp) { return 1; } - if (packet->payload_packet_len >= temp + 5 && + if(packet->payload_packet_len >= temp + 5 && packet->payload[temp] == 0x16 && packet->payload[temp + 1] == 0x03) { temp2 = ntohs(get_u_int16_t(packet->payload, temp + 3)) + 5; - if (temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) { + if(temp + temp2 > NDPI_MAX_SSL_REQUEST_SIZE) { return 1; } temp += temp2; NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); - if (temp == packet->payload_packet_len) { + if(temp == packet->payload_packet_len) { return 1; } } - } - - } - } - return 0; + return 0; } void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -533,15 +540,15 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc u_int8_t ret; - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { - if (flow->l4.tcp.ssl_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) { + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { + if(flow->l4.tcp.ssl_stage == 3 && packet->payload_packet_len > 20 && flow->packet_counter < 5) { /* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets * so go on checking for certificate patterns for a couple more packets */ NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "ssl flow but check another packet for patterns\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { /* still ssl so check another packet */ return; } else { @@ -571,10 +578,10 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } } - if (packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) { + if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "first ssl packet\n"); // SSLv2 Record - if (packet->payload[2] == 0x01 && packet->payload[3] == 0x03 + if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) && (packet->payload_packet_len - packet->payload[1] == 2)) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv2 len match\n"); @@ -582,7 +589,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } - if (packet->payload[0] == 0x16 && packet->payload[1] == 0x03 + if(packet->payload[0] == 0x16 && packet->payload[1] == 0x03 && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02) && (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) { // SSLv3 Record @@ -592,16 +599,16 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } } - if (packet->payload_packet_len > 40 && + if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 1 + packet->packet_direction && flow->packet_direction_counter[packet->packet_direction] < 5) { return; } - if (packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 2 - packet->packet_direction) { + if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 2 - packet->packet_direction) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "second ssl packet\n"); // SSLv2 Record - if (packet->payload[2] == 0x01 && packet->payload[3] == 0x03 + if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) && (packet->payload_packet_len - 2) >= packet->payload[1]) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv2 server len match\n"); @@ -610,21 +617,21 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } ret = ndpi_search_sslv3_direction1(ndpi_struct, flow); - if (ret == 1) { + if(ret == 1) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv3 server len match\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); return; - } else if (ret == 2) { + } else if(ret == 2) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv3 server len match with split packet -> check some more packets for SSL patterns\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { flow->l4.tcp.ssl_stage = 3; } return; } - if (packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { + if(packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "need next packet\n"); return; } diff --git a/tests/do.sh b/tests/do.sh index 5bc324aa4..764b049f9 100755 --- a/tests/do.sh +++ b/tests/do.sh @@ -20,9 +20,9 @@ check_results() { NUM_DIFF=`diff result/$f.out /tmp/reader.out | wc -l` if [ $NUM_DIFF -eq 0 ]; then - echo "$f\t OK" + printf "%-32s\tOK\n" "$f" else - echo "$f\t ERROR" + printf "%-32s\tERROR\n" "$f" echo "$CMD" diff result/$f.out /tmp/reader.out RC=1 diff --git a/tests/pcap/EAQ.pcap b/tests/pcap/EAQ.pcap Binary files differnew file mode 100644 index 000000000..c675d324d --- /dev/null +++ b/tests/pcap/EAQ.pcap diff --git a/tests/pcap/KakaoTalk_chat.pcap b/tests/pcap/KakaoTalk_chat.pcap Binary files differnew file mode 100644 index 000000000..516e4d6b2 --- /dev/null +++ b/tests/pcap/KakaoTalk_chat.pcap diff --git a/tests/pcap/KakaoTalk_talk.pcap b/tests/pcap/KakaoTalk_talk.pcap Binary files differnew file mode 100644 index 000000000..86ccd1971 --- /dev/null +++ b/tests/pcap/KakaoTalk_talk.pcap diff --git a/tests/pcap/Meu.pcap b/tests/pcap/Meu.pcap Binary files differnew file mode 100644 index 000000000..9c724928a --- /dev/null +++ b/tests/pcap/Meu.pcap diff --git a/tests/pcap/Torcedor.pcap b/tests/pcap/Torcedor.pcap Binary files differnew file mode 100644 index 000000000..7d7f03a1d --- /dev/null +++ b/tests/pcap/Torcedor.pcap diff --git a/tests/pcap/google_ssl.pcap b/tests/pcap/google_ssl.pcap Binary files differnew file mode 100644 index 000000000..8aafe9991 --- /dev/null +++ b/tests/pcap/google_ssl.pcap diff --git a/tests/pcap/mpeg.pcap b/tests/pcap/mpeg.pcap Binary files differnew file mode 100644 index 000000000..f9e21df9b --- /dev/null +++ b/tests/pcap/mpeg.pcap diff --git a/tests/result/EAQ.pcap.out b/tests/result/EAQ.pcap.out new file mode 100644 index 000000000..926bc0bb3 --- /dev/null +++ b/tests/result/EAQ.pcap.out @@ -0,0 +1,34 @@ +Google 23 11743 2 +EAQ 174 10092 29 + + 1 TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 126/Google][14 pkts/10589 bytes][Host: www.google.com.br] + 2 UDP 10.8.0.1:34687 <-> 200.194.141.68:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 3 UDP 10.8.0.1:36577 <-> 200.194.149.68:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 4 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 126/Google][9 pkts/1154 bytes][Host: www.google.com] + 5 UDP 10.8.0.1:37985 <-> 200.194.129.67:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 6 UDP 10.8.0.1:39221 <-> 200.194.137.67:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 7 UDP 10.8.0.1:39185 <-> 200.194.132.67:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 8 UDP 10.8.0.1:43641 <-> 200.194.148.68:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 9 UDP 10.8.0.1:43979 <-> 200.194.132.66:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 10 UDP 10.8.0.1:48563 <-> 200.194.141.67:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 11 UDP 10.8.0.1:48890 <-> 200.185.125.226:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 12 UDP 10.8.0.1:50175 <-> 200.194.149.67:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 13 UDP 10.8.0.1:51569 <-> 200.194.148.67:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 14 UDP 10.8.0.1:53059 <-> 200.194.133.68:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 15 UDP 10.8.0.1:59959 <-> 200.194.137.68:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 16 UDP 10.8.0.1:60013 <-> 200.194.136.67:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 17 UDP 10.8.0.1:33356 <-> 200.194.149.66:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 18 UDP 10.8.0.1:36552 <-> 200.194.136.66:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 19 UDP 10.8.0.1:40058 <-> 200.194.134.67:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 20 UDP 10.8.0.1:41438 <-> 200.194.141.66:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 21 UDP 10.8.0.1:42620 <-> 200.194.148.66:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 22 UDP 10.8.0.1:43934 <-> 200.194.136.68:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 23 UDP 10.8.0.1:47346 <-> 200.194.134.66:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 24 UDP 10.8.0.1:47714 <-> 200.194.129.68:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 25 UDP 10.8.0.1:48666 <-> 200.194.129.66:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 26 UDP 10.8.0.1:52257 <-> 200.185.138.146:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 27 UDP 10.8.0.1:52726 <-> 200.194.132.68:6000 [proto: 190/EAQ][10 pkts/580 bytes] + 28 UDP 10.8.0.1:53354 <-> 200.194.137.66:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 29 UDP 10.8.0.1:56128 <-> 200.194.133.66:6000 [proto: 190/EAQ][5 pkts/290 bytes] + 30 UDP 10.8.0.1:57004 <-> 200.194.133.67:6000 [proto: 190/EAQ][4 pkts/232 bytes] + 31 UDP 10.8.0.1:59098 <-> 200.194.134.68:6000 [proto: 190/EAQ][4 pkts/232 bytes] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out new file mode 100644 index 000000000..c3f1c87f6 --- /dev/null +++ b/tests/result/KakaoTalk_chat.pcap.out @@ -0,0 +1,51 @@ +Unknown 2 181 1 +DNS 2 217 1 +HTTP 15 840 2 +ICMP 1 147 1 +SSL 34 4913 5 +Facebook 211 51558 11 +Google 1 164 1 +HTTP_Proxy 26 3926 1 +KakaoTalk 55 9990 15 + + 1 UDP 10.188.1.1:53 <-> 10.24.82.188:56820 [proto: 193/KakaoTalk][2 pkts/205 bytes][Host: up-c.talk.kakao.com] + 2 UDP 10.188.1.1:53 <-> 10.24.82.188:57816 [proto: 193/KakaoTalk][2 pkts/244 bytes][Host: katalk.kakao.com] + 3 UDP 10.188.1.1:53 <-> 10.24.82.188:58810 [proto: 193/KakaoTalk][2 pkts/190 bytes][Host: item.kakao.com] + 4 TCP 10.24.82.188:34503 <-> 120.28.26.242:80 [proto: 7/HTTP][1 pkts/56 bytes] + 5 ICMP 10.188.191.1:0 <-> 10.24.82.188:0 [proto: 81/ICMP][1 pkts/147 bytes] + 6 UDP 10.188.1.1:53 <-> 10.24.82.188:4017 [proto: 119/Facebook][2 pkts/229 bytes][Host: developers.facebook.com] + 7 UDP 10.188.1.1:53 <-> 10.24.82.188:5929 [proto: 193/KakaoTalk][2 pkts/205 bytes][Host: up-p.talk.kakao.com] + 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][26 pkts/3926 bytes] + 9 TCP 210.103.240.15:443 <-> 10.24.82.188:37821 [proto: 193/KakaoTalk][27 pkts/7126 bytes][SSL server: *.kakao.com] + 10 UDP 10.188.1.1:53 <-> 10.24.82.188:25117 [proto: 193/KakaoTalk][2 pkts/208 bytes][Host: up-gp.talk.kakao.com] + 11 UDP 10.188.1.1:53 <-> 10.24.82.188:29029 [proto: 193/KakaoTalk][2 pkts/205 bytes][Host: up-a.talk.kakao.com] + 12 UDP 10.188.1.1:53 <-> 10.24.82.188:35603 [proto: 193/KakaoTalk][2 pkts/215 bytes][Host: ac-talk.kakao.com] + 13 TCP 31.13.68.84:80 <-> 10.24.82.188:37553 [proto: 119/Facebook][10 pkts/1058 bytes][Host: www.facebook.com] + 14 TCP 31.13.68.84:80 <-> 10.24.82.188:37557 [proto: 119/Facebook][11 pkts/1114 bytes][Host: www.facebook.com] + 15 UDP 10.188.1.1:53 <-> 10.24.82.188:41909 [proto: 193/KakaoTalk][2 pkts/214 bytes][Host: booking.loco.kakao.com] + 16 UDP 10.188.1.1:53 <-> 10.24.82.188:43077 [proto: 193/KakaoTalk][2 pkts/178 bytes][Host: dn-l.talk.kakao.com] + 17 UDP 10.188.1.1:53 <-> 10.24.82.188:61011 [proto: 193/KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com] + 18 UDP 10.188.191.1:53 <-> 10.24.82.188:61011 [proto: 193/KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com] + 19 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91/SSL][6 pkts/1890 bytes][SSL server: *.push.samsungosp.com] + 20 UDP 10.188.1.1:53 <-> 10.24.82.188:9094 [proto: 193/KakaoTalk][2 pkts/205 bytes][Host: up-v.talk.kakao.com] + 21 TCP 173.252.97.2:443 <-> 10.24.82.188:35503 [proto: 119/Facebook][38 pkts/7591 bytes][SSL server: *.facebook.com] + 22 TCP 173.252.97.2:443 <-> 10.24.82.188:35511 [proto: 119/Facebook][36 pkts/7152 bytes][SSL server: *.facebook.com] + 23 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][18 pkts/2409 bytes] + 24 UDP 10.188.1.1:53 <-> 10.24.82.188:12908 [proto: 193/KakaoTalk][2 pkts/205 bytes][Host: up-m.talk.kakao.com] + 25 TCP 173.194.72.188:5228 <-> 10.24.82.188:34686 [proto: 126/Google][1 pkts/164 bytes] + 26 UDP 10.188.1.1:53 <-> 10.24.82.188:14650 [proto: 5/DNS][2 pkts/217 bytes][Host: 2.97.252.173.in-addr.arpa] + 27 UDP 10.188.1.1:53 <-> 10.24.82.188:19582 [proto: 119/Facebook][2 pkts/218 bytes][Host: graph.facebook.com] + 28 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7/HTTP][14 pkts/784 bytes] + 29 UDP 10.188.1.1:53 <-> 10.24.82.188:24596 [proto: 119/Facebook][2 pkts/196 bytes][Host: api.facebook.com] + 30 TCP 210.103.240.15:443 <-> 10.24.82.188:42332 [proto: 91/SSL][5 pkts/280 bytes] + 31 TCP 216.58.220.174:443 <-> 10.24.82.188:49217 [proto: 91/SSL][1 pkts/83 bytes] + 32 UDP 10.188.1.1:53 <-> 10.24.82.188:38448 [proto: 193/KakaoTalk][2 pkts/190 bytes][Host: auth.kakao.com] + 33 TCP 31.13.68.70:443 <-> 10.24.82.188:43581 [proto: 119/Facebook][34 pkts/9655 bytes][SSL client: graph.facebook.com] + 34 TCP 31.13.68.84:443 <-> 10.24.82.188:45209 [proto: 119/Facebook][19 pkts/7707 bytes][SSL client: api.facebook.com] + 35 TCP 31.13.68.84:443 <-> 10.24.82.188:45211 [proto: 119/Facebook][29 pkts/9077 bytes][SSL client: developers.facebook.com] + 36 TCP 31.13.68.84:443 <-> 10.24.82.188:45213 [proto: 119/Facebook][28 pkts/7561 bytes][SSL server: *.facebook.com] + 37 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91/SSL][4 pkts/251 bytes] + + +Undetected flows: + 1 TCP 10.24.82.188:58927 <-> 54.255.253.199:5223 [proto: 0/Unknown][2 pkts/181 bytes] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out new file mode 100644 index 000000000..cc89066ea --- /dev/null +++ b/tests/result/KakaoTalk_talk.pcap.out @@ -0,0 +1,34 @@ +Unknown 4 396 1 +HTTP 5 280 1 +SSL_No_Cert 74 14132 2 +RTP 2991 398751 2 +SSL 10 1517 5 +Facebook 2 197 1 +Google 2 220 2 +HTTP_Proxy 31 3565 3 +TOR 40 10538 1 +KakaoTalk_Voice 44 6196 2 + + 1 TCP 10.24.82.188:34533 <-> 120.28.26.242:80 [proto: 7/HTTP][5 pkts/280 bytes] + 2 TCP 10.24.82.188:38380 <-> 173.194.117.229:443 [proto: 126/Google][1 pkts/56 bytes] + 3 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][11 pkts/1488 bytes] + 4 UDP 10.188.1.1:53 <-> 10.24.82.188:25223 [proto: 119/Facebook][2 pkts/197 bytes][Host: mqtt.facebook.com] + 5 TCP 173.252.88.128:443 <-> 10.24.82.188:59912 [proto: 91/SSL][2 pkts/124 bytes] + 6 TCP 173.252.88.128:443 <-> 10.24.82.188:59954 [proto: 64/SSL_No_Cert][29 pkts/4024 bytes] + 7 TCP 10.24.82.188:53974 <-> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][5 pkts/350 bytes] + 8 TCP 110.76.143.50:8080 <-> 10.24.82.188:32968 [proto: 64/SSL_No_Cert][45 pkts/10108 bytes] + 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][5 pkts/1198 bytes] + 10 TCP 173.194.72.188:5228 <-> 10.24.82.188:34686 [proto: 126/Google][1 pkts/164 bytes] + 11 TCP 110.76.143.50:9001 <-> 10.24.82.188:58857 [proto: 163/TOR][40 pkts/10538 bytes] + 12 TCP 173.252.122.1:443 <-> 10.24.82.188:52123 [proto: 91/SSL][1 pkts/56 bytes] + 13 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 131/HTTP_Proxy][15 pkts/1727 bytes][Host: hkminorshort.weixin.qq.com] + 14 UDP 1.201.1.174:23047 <-> 10.24.82.188:10269 [proto: 194/KakaoTalk_Voice][22 pkts/3112 bytes] + 15 UDP 1.201.1.174:23046 <-> 10.24.82.188:10268 [proto: 87/RTP][1488 pkts/198510 bytes] + 16 UDP 1.201.1.174:23045 <-> 10.24.82.188:11321 [proto: 194/KakaoTalk_Voice][22 pkts/3084 bytes] + 17 UDP 1.201.1.174:23044 <-> 10.24.82.188:11320 [proto: 87/RTP][1503 pkts/200241 bytes] + 18 TCP 216.58.220.174:443 <-> 10.24.82.188:49217 [proto: 91/SSL][1 pkts/83 bytes] + 19 TCP 216.58.220.161:443 <-> 10.24.82.188:56697 [proto: 91/SSL][1 pkts/56 bytes] + + +Undetected flows: + 1 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 0/Unknown][4 pkts/396 bytes] diff --git a/tests/result/Meu.pcap.out b/tests/result/Meu.pcap.out new file mode 100644 index 000000000..660c917e9 --- /dev/null +++ b/tests/result/Meu.pcap.out @@ -0,0 +1,28 @@ +Meu 814 658545 26 + + 1 TCP 10.8.0.1:55226 <-> 189.40.216.95:443 [proto: 191/Meu][62 pkts/31584 bytes][SSL client: appmeutim.tim.com.br] + 2 TCP 10.8.0.1:55230 <-> 189.40.216.95:443 [proto: 191/Meu][27 pkts/11642 bytes][SSL client: appmeutim.tim.com.br] + 3 TCP 10.8.0.1:55232 <-> 189.40.216.95:443 [proto: 191/Meu][37 pkts/37269 bytes][SSL client: appmeutim.tim.com.br] + 4 TCP 10.8.0.1:55234 <-> 189.40.216.95:443 [proto: 191/Meu][21 pkts/9350 bytes][SSL client: appmeutim.tim.com.br] + 5 TCP 10.8.0.1:55236 <-> 189.40.216.95:443 [proto: 191/Meu][13 pkts/1181 bytes][SSL client: appmeutim.tim.com.br] + 6 TCP 10.8.0.1:55238 <-> 189.40.216.95:443 [proto: 191/Meu][13 pkts/1181 bytes][SSL client: appmeutim.tim.com.br] + 7 TCP 10.8.0.1:55250 <-> 189.40.216.95:443 [proto: 191/Meu][22 pkts/9903 bytes][SSL client: appmeutim.tim.com.br] + 8 TCP 10.8.0.1:55252 <-> 189.40.216.95:443 [proto: 191/Meu][34 pkts/20796 bytes][SSL client: appmeutim.tim.com.br] + 9 TCP 10.8.0.1:55254 <-> 189.40.216.95:443 [proto: 191/Meu][27 pkts/8864 bytes][SSL client: appmeutim.tim.com.br] + 10 TCP 10.8.0.1:55262 <-> 189.40.216.95:443 [proto: 191/Meu][15 pkts/4486 bytes][SSL client: appmeutim.tim.com.br] + 11 TCP 10.8.0.1:55264 <-> 189.40.216.95:443 [proto: 191/Meu][15 pkts/4486 bytes][SSL client: appmeutim.tim.com.br] + 12 TCP 10.8.0.1:55268 <-> 189.40.216.95:443 [proto: 191/Meu][26 pkts/6969 bytes][SSL client: appmeutim.tim.com.br] + 13 TCP 10.8.0.1:55270 <-> 189.40.216.95:443 [proto: 191/Meu][56 pkts/36838 bytes][SSL client: appmeutim.tim.com.br] + 14 TCP 10.8.0.1:55272 <-> 189.40.216.95:443 [proto: 191/Meu][53 pkts/142338 bytes][SSL client: appmeutim.tim.com.br] + 15 TCP 10.8.0.1:55276 <-> 189.40.216.95:443 [proto: 191/Meu][20 pkts/7059 bytes][SSL client: appmeutim.tim.com.br] + 16 TCP 10.8.0.1:55227 <-> 189.40.216.95:443 [proto: 191/Meu][41 pkts/19844 bytes][SSL client: appmeutim.tim.com.br] + 17 TCP 10.8.0.1:55231 <-> 189.40.216.95:443 [proto: 191/Meu][33 pkts/14083 bytes][SSL client: appmeutim.tim.com.br] + 18 TCP 10.8.0.1:55233 <-> 189.40.216.95:443 [proto: 191/Meu][96 pkts/137364 bytes][SSL client: appmeutim.tim.com.br] + 19 TCP 10.8.0.1:55235 <-> 189.40.216.95:443 [proto: 191/Meu][19 pkts/5178 bytes][SSL client: appmeutim.tim.com.br] + 20 TCP 10.8.0.1:55237 <-> 189.40.216.95:443 [proto: 191/Meu][13 pkts/1181 bytes][SSL client: appmeutim.tim.com.br] + 21 TCP 10.8.0.1:55239 <-> 189.40.216.95:443 [proto: 191/Meu][85 pkts/122532 bytes][SSL client: appmeutim.tim.com.br] + 22 TCP 10.8.0.1:55251 <-> 189.40.216.95:443 [proto: 191/Meu][20 pkts/6243 bytes][SSL client: appmeutim.tim.com.br] + 23 TCP 10.8.0.1:55253 <-> 189.40.216.95:443 [proto: 191/Meu][15 pkts/4486 bytes][SSL client: appmeutim.tim.com.br] + 24 TCP 10.8.0.1:55255 <-> 189.40.216.95:443 [proto: 191/Meu][17 pkts/4594 bytes][SSL client: appmeutim.tim.com.br] + 25 TCP 10.8.0.1:55263 <-> 189.40.216.95:443 [proto: 191/Meu][15 pkts/4486 bytes][SSL client: appmeutim.tim.com.br] + 26 TCP 10.8.0.1:55273 <-> 189.40.216.95:443 [proto: 191/Meu][19 pkts/4608 bytes][SSL client: appmeutim.tim.com.br] diff --git a/tests/result/Torcedor.pcap.out b/tests/result/Torcedor.pcap.out new file mode 100644 index 000000000..0c5ec9e16 --- /dev/null +++ b/tests/result/Torcedor.pcap.out @@ -0,0 +1,10 @@ +HTTP 4 216 1 +SSL 26 1558 2 +Torcedor 55 67338 3 + + 1 TCP 10.8.0.1:55944 <-> 52.25.136.177:80 [proto: 192/Torcedor][7 pkts/1118 bytes][Host: usuario.timtorcedor.com.br] + 2 TCP 10.8.0.1:53114 <-> 31.13.85.8:443 [proto: 91/SSL][4 pkts/216 bytes] + 3 TCP 10.8.0.1:56117 <-> 52.25.136.177:80 [proto: 192/Torcedor][23 pkts/33056 bytes][Host: usuario.timtorcedor.com.br] + 4 TCP 10.8.0.1:40016 <-> 158.85.58.105:443 [proto: 91/SSL][22 pkts/1342 bytes] + 5 TCP 10.8.0.1:33415 <-> 187.109.32.201:80 [proto: 7/HTTP][4 pkts/216 bytes] + 6 TCP 10.8.0.1:39422 <-> 54.149.207.220:80 [proto: 192/Torcedor][25 pkts/33164 bytes][Host: usuario.timtorcedor.com.br] diff --git a/tests/result/google_ssl.pcap.out b/tests/result/google_ssl.pcap.out new file mode 100644 index 000000000..76b05e607 --- /dev/null +++ b/tests/result/google_ssl.pcap.out @@ -0,0 +1,3 @@ +Google 28 9108 1 + + 1 TCP 216.58.212.100:443 <-> 172.31.3.224:42835 [proto: 126/Google][28 pkts/9108 bytes][SSL server: www.google.com] |