-rw-r--r-- | python/Makefile.in | 7 | ||||
-rwxr-xr-x | python/ndpi_example.py | 2 | ||||
-rw-r--r-- | python/ndpi_typestruct.py | 336 | ||||
-rw-r--r-- | python/ndpi_wrap.c | 23 | ||||
-rw-r--r-- | src/lib/protocols/qq.c | 634 |
5 files changed, 205 insertions, 797 deletions
diff --git a/python/Makefile.in b/python/Makefile.in index a87ee4c2d..91b4230c7 100644 --- a/python/Makefile.in +++ b/python/Makefile.in @@ -1,6 +1,7 @@ CC=@CC@ CFLAGS=-I. -I../src/include -I./src/lib/third_party/include -shared -Wl, -LIBNDPI=../src/lib/libndpi.so.@NDPI_VERSION_SHORT@ +#LIBNDPI=../src/lib/libndpi.so.@NDPI_VERSION_SHORT@ +LIBNDPI=../src/lib/libndpi.a LDFLAGS=$(CFILE) $(LIBNDPI) -lpcap SHARE = -soname,ndpi_wrap SO=ndpi_wrap.so @@ -17,9 +18,9 @@ endif all: $(SO) -$(SO): $(CFILE) $(LIBNDPI) +$(SO): $(CFILE) $(LIBNDPI) Makefile $(CC) $(CFLAGS)$(SHARE) -o $@ $(PIC) $(LDFLAGS) - ln -s $(LIBNDPI) . +# ln -s $(LIBNDPI) . clean: /bin/rm -f $(SO) diff --git a/python/ndpi_example.py b/python/ndpi_example.py index fb0135c46..afbba43b5 100755 --- a/python/ndpi_example.py +++ b/python/ndpi_example.py @@ -166,7 +166,7 @@ def packetcaptured(packet): #filling pcap_pkthdr h.len = h.caplen = len(packet) h.ts.tv_sec = int(packet["IP"].time/1000000) - h.ts.tv_usec = round(packet["IP"].time) + h.ts.tv_usec = int(packet["IP"].time) # real work if int(packet[1].frag) == 0: # not fragmented packet diff --git a/python/ndpi_typestruct.py b/python/ndpi_typestruct.py index 942db32d5..4f8c8c236 100644 --- a/python/ndpi_typestruct.py +++ b/python/ndpi_typestruct.py @@ -1,7 +1,7 @@ # # ndpi_typestruct.h # -# Copyright (C) 2011-18 - ntop.org +# Copyright (C) 2019 - ntop.org # # nDPI is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by @@ -24,7 +24,7 @@ from ctypes import * ndpi = CDLL('./ndpi_wrap.so') # NDPI_SELECTION_BITMASK_PROTOCOL_SIZE = c_uint32 -# ndpi_protocol_category_t, ndpi_protocol_breed_t e ndpi_log_level_t sono enumeratori e vengono impostati come c_int +# ndpi_protocol_category_t, ndpi_protocol_breed_t e ndpi_log_level_t are enum and are imported as c_int class ndpi_detection_module_struct(Structure): pass 
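Review bot: Switching `LIBNDPI` to `../src/lib/libndpi.a` in the first hunk embeds a copy of the packet-parsing library in `ndpi_wrap.so`, so any installed copy of the wrapper keeps the old library code until it is rebuilt. A comment above the assignment would make that visible to packagers, for example `# static link: ndpi_wrap.so carries its own libndpi, rebuild it after every libndpi update`. A `-shared` link against an archive generally needs the archive built as position-independent code; whether libndpi.a is built that way is not visible here. The commented-out `#LIBNDPI=...` line, and `# ln -s $(LIBNDPI) .` in the second hunk, would be better deleted than kept as dead text.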
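Review bot: `h.ts.tv_usec = int(packet["IP"].time)` still stores the whole timestamp in the microseconds field, while the context line above derives `tv_sec` by dividing the same value by 1000000, so the two fields cannot both be correct. Replacing `round` with `int` changes only the rounding, not the units. If `time` is a float in seconds (not confirmed from this hunk), the pair would be `t = packet["IP"].time`, `h.ts.tv_sec = int(t)` and `h.ts.tv_usec = int((t - int(t)) * 1000000)`. packetcaptured starts and ends outside the hunk, so how the header is consumed afterwards is not visible.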
@@ -57,9 +57,9 @@ class ndpi_subprotocol_conf_struct(Structure): _fields_ = [("func", CFUNCTYPE(c_void_p,POINTER(ndpi_detection_module_struct),c_char_p,c_char_p,c_int))] class ndpi_automa(Structure): - _fields_ = [ - ("ac_automa", c_void_p), #Real type is AC_AUTOMATA_t - ("ac_automa_finalized", c_uint8) + _fields_ = [ + ("ac_automa", c_void_p), #Real type is AC_AUTOMATA_t + ("ac_automa_finalized", c_uint8) ] class struct_node_t(Structure): @@ -101,13 +101,13 @@ class ndpi_default_ports_tree_node_t(Structure): # NDPI_PROTOCOL_BITTORRENT class spinlock_t(Structure): - _fields_ = [("val", c_int)] #volatile mancante + _fields_ = [("val", c_int)] #missing volatile class atomic_t(Structure): - _fields_ = [("counter", c_int)] #volatile mancante + _fields_ = [("counter", c_int)] #missing volatile class time_t(Structure): - _fields_ = [("counter", c_longlong)] #piattaforma dipendente, tuttavia รจ solo un intero + _fields_ = [("counter", c_longlong)] # piattaform dependent class hash_ip4p_node(Structure): pass @@ -193,12 +193,12 @@ class custom_categories(Structure): ("ipAddresses", c_void_p), ("ipAddresses_shadow", c_void_p), # Patricia ("categories_loaded", c_uint8), - ] + ] ndpi_detection_module_struct._fields_ = [ - ("detection_bitmask", NDPI_PROTOCOL_BITMASK), - ("generic_http_packet_bitmask", NDPI_PROTOCOL_BITMASK), + ("detection_bitmask", NDPI_PROTOCOL_BITMASK), + ("generic_http_packet_bitmask", NDPI_PROTOCOL_BITMASK), ("current_ts", c_uint32), 
@@ -210,22 +210,22 @@ ndpi_detection_module_struct._fields_ = [ #callback function buffer ("callback_buffer", ndpi_call_function_struct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)), - ("callback_buffer_size", c_uint32), + ("callback_buffer_size", c_uint32), ("callback_buffer_tcp_no_payload", ndpi_call_function_struct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)), - ("callback_buffer_size_tcp_no_payload", c_uint32), + ("callback_buffer_size_tcp_no_payload", c_uint32), ("callback_buffer_tcp_payload", ndpi_call_function_struct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)), - ("callback_buffer_size_tcp_payload", c_uint32), + ("callback_buffer_size_tcp_payload", c_uint32), ("callback_buffer_udp", ndpi_call_function_struct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)), - ("callback_buffer_size_udp", c_uint32), + ("callback_buffer_size_udp", c_uint32), ("callback_buffer_non_tcp_udp", ndpi_call_function_struct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)), - ("callback_buffer_size_non_tcp_udp", c_uint32), + ("callback_buffer_size_non_tcp_udp", c_uint32), ("tcpRoot", POINTER(ndpi_default_ports_tree_node_t)), - ("udpRoot", POINTER(ndpi_default_ports_tree_node_t)), + ("udpRoot", POINTER(ndpi_default_ports_tree_node_t)), ("ndpi_log_level", c_uint), #default error 
@@ -247,14 +247,14 @@ ndpi_detection_module_struct._fields_ = [ ("subprotocol_conf", ndpi_subprotocol_conf_struct * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + 1)), ("ndpi_num_supported_protocols", c_uint), - ("ndpi_num_custom_protocols", c_uint), + ("ndpi_num_custom_protocols", c_uint), #HTTP / DNS / HTTPS host matching * / ("host_automa", ndpi_automa), #Used for DNS / HTTPS - ("content_automa", ndpi_automa), # Used for HTTP subprotocol_detection - ("subprotocol_automa", ndpi_automa), # Used for HTTP subprotocol_detection - ("bigrams_automa", ndpi_automa), #TOR - ("impossible_bigrams_automa", ndpi_automa), # TOR + ("content_automa", ndpi_automa), # Used for HTTP subprotocol_detection + ("subprotocol_automa", ndpi_automa), # Used for HTTP subprotocol_detection + ("bigrams_automa", ndpi_automa), #TOR + ("impossible_bigrams_automa", ndpi_automa), # TOR ("custom_categories", custom_categories), #IP-based protocol detection @@ -278,10 +278,10 @@ ndpi_detection_module_struct._fields_ = [ ("orb_rstp_ts_timeout", c_uint32), # yahoo ("yahoo_detect_http_connections", c_uint8), - ("yahoo_lan_video_timeout", c_uint32), - ("zattoo_connection_timeout", c_uint32), - ("jabber_stun_timeout", c_uint32), - ("jabber_file_transfer_timeout", c_uint32), + ("yahoo_lan_video_timeout", c_uint32), + ("zattoo_connection_timeout", c_uint32), + ("jabber_stun_timeout", c_uint32), + ("jabber_file_transfer_timeout", c_uint32), # ifdef NDPI_ENABLE_DEBUG_MESSAGES # define NDPI_IP_STRING_SIZE 40 @@ -297,7 +297,7 @@ ndpi_detection_module_struct._fields_ = [ # BT_ANNOUNCE ("bt_ann", POINTER(bt_announce)), - ("bt_ann_len", c_int), + ("bt_ann_len", c_int), # NDPI_PROTOCOL_OOKLA ("ookla_cache", POINTER(ndpi_lru_cache)), 
@@ -308,13 +308,13 @@ ndpi_detection_module_struct._fields_ = [ ("proto_defaults", ndpi_proto_defaults_t * (ndpi.ndpi_wrap_ndpi_max_supported_protocols() + ndpi.ndpi_wrap_ndpi_max_num_custom_protocols())), ("http_dont_dissect_response", c_uint8, 1), - ("dns_dont_dissect_response", c_uint8, 1), - ("direction_detect_disable", c_uint8, 1), # disable internal detection of packet direction - ("disable_metadata_export", c_uint8, 1), # No metadata is exported - ("enable_category_substring_match", c_uint8, 1), # Default is perfect match + ("dns_dont_dissect_response", c_uint8, 1), + ("direction_detect_disable", c_uint8, 1), # disable internal detection of packet direction + ("disable_metadata_export", c_uint8, 1), # No metadata is exported + ("enable_category_substring_match", c_uint8, 1), # Default is perfect match ("hyperscan", c_void_p) # Intel Hyperscan - ] +] class u6_addr(Union): # 128-bit IP6 address _fields_ = [ 
@@ -329,47 +329,47 @@ class ndpi_in6_addr(Structure): class ndpi_ip_addr_t(Union): _fields_ = [ - ('ipv4', c_uint32), - ('ipv4_u_int8_t', c_uint8 * 4), - ('ipv6', ndpi_in6_addr), -] + ('ipv4', c_uint32), + ('ipv4_u_int8_t', c_uint8 * 4), + ('ipv6', ndpi_in6_addr), + ] class ndpi_id_struct(Structure): _fields_ = [ - ('detected_protocol_bitmask', NDPI_PROTOCOL_BITMASK), - ('rtsp_ip_address', ndpi_ip_addr_t), - ('yahoo_video_lan_timer', c_uint32), - ('irc_port', c_uint16 * 8), - ('last_time_port_used', c_uint32 * 8), - ('irc_ts', c_uint32), - ('gnutella_ts', c_uint32), - ('battlefield_ts', c_uint32), - ('thunder_ts', c_uint32), - ('rtsp_timer', c_uint32), - ('oscar_last_safe_access_time', c_uint32), - ('zattoo_ts', c_uint32), - ('jabber_stun_or_ft_ts', c_uint32), - ('directconnect_last_safe_access_time', c_uint32), - ('soulseek_last_safe_access_time', c_uint32), - ('detected_directconnect_port', c_uint16), - ('detected_directconnect_udp_port', c_uint16), - ('detected_directconnect_ssl_port', c_uint16), - ('bt_port_t', c_uint16 * 8), - ('bt_port_u', c_uint16 * 8), - ('jabber_voice_stun_port', c_uint16 * 6), - ('jabber_file_transfer_port', c_uint16 * 2), - ('detected_gnutella_port', c_uint16), - ('detected_gnutella_udp_port1', c_uint16), - ('detected_gnutella_udp_port2', c_uint16), - ('soulseek_listen_port', c_uint16), - ('irc_number_of_port', c_uint8), - ('oscar_ssl_session_id', c_uint8 * 33), - ('jabber_voice_stun_used_ports', c_uint8), - ('yahoo_video_lan_dir', c_uint32, 1), - ('yahoo_conf_logged_in', c_uint32, 1), - ('yahoo_voice_conf_logged_in', c_uint32, 1), - ('rtsp_ts_set', c_uint32, 1), -] + ('detected_protocol_bitmask', NDPI_PROTOCOL_BITMASK), + ('rtsp_ip_address', ndpi_ip_addr_t), + ('yahoo_video_lan_timer', c_uint32), + ('irc_port', c_uint16 * 8), + ('last_time_port_used', c_uint32 * 8), + ('irc_ts', c_uint32), + ('gnutella_ts', c_uint32), + ('battlefield_ts', c_uint32), + ('thunder_ts', c_uint32), + ('rtsp_timer', c_uint32), + 
('oscar_last_safe_access_time', c_uint32), + ('zattoo_ts', c_uint32), + ('jabber_stun_or_ft_ts', c_uint32), + ('directconnect_last_safe_access_time', c_uint32), + ('soulseek_last_safe_access_time', c_uint32), + ('detected_directconnect_port', c_uint16), + ('detected_directconnect_udp_port', c_uint16), + ('detected_directconnect_ssl_port', c_uint16), + ('bt_port_t', c_uint16 * 8), + ('bt_port_u', c_uint16 * 8), + ('jabber_voice_stun_port', c_uint16 * 6), + ('jabber_file_transfer_port', c_uint16 * 2), + ('detected_gnutella_port', c_uint16), + ('detected_gnutella_udp_port1', c_uint16), + ('detected_gnutella_udp_port2', c_uint16), + ('soulseek_listen_port', c_uint16), + ('irc_number_of_port', c_uint8), + ('oscar_ssl_session_id', c_uint8 * 33), + ('jabber_voice_stun_used_ports', c_uint8), + ('yahoo_video_lan_dir', c_uint32, 1), + ('yahoo_conf_logged_in', c_uint32, 1), + ('yahoo_voice_conf_logged_in', c_uint32, 1), + ('rtsp_ts_set', c_uint32, 1), + ] #struct flow class ndpi_flow_tcp_struct(Structure): @@ -433,7 +433,7 @@ class ndpi_flow_tcp_struct(Structure): ('ppstream_stage', c_uint32, 3), ('memcached_matches', c_uint8), ('nest_log_sink_matches', c_uint8), -] + ] class ndpi_flow_udp_struct(Structure): _fields_ = [ 
@@ -542,119 +542,119 @@ class tinc_cache_entry(Structure): ('src_address', c_uint32), ('dst_address', c_uint32), ('dst_port', c_uint16), -] + ] class struct_ndpi_int_one_line_struct(Structure): _fields_ = [ - ('ptr', POINTER(c_uint8)), - ('len', c_uint16), -] + ('ptr', POINTER(c_uint8)), + ('len', c_uint16), + ] class struct_ndpi_iphdr_little_end(Structure): _fields_ = [ - ('ihl', c_uint8, 4), - ('version', c_uint8, 4), - ('tos', c_uint8), - ('tot_len', c_uint16), - ('id', c_uint16), - ('frag_off', c_uint16), - ('ttl', c_uint8), - ('protocol', c_uint8), - ('check', c_uint16), - ('saddr', c_uint32), - ('daddr', c_uint32)] + ('ihl', c_uint8, 4), + ('version', c_uint8, 4), + ('tos', c_uint8), + ('tot_len', c_uint16), + ('id', c_uint16), + ('frag_off', c_uint16), + ('ttl', c_uint8), + ('protocol', c_uint8), + ('check', c_uint16), + ('saddr', c_uint32), + ('daddr', c_uint32)] class struct_ndpi_ip6_hdrctl(Structure): _fields_ = [ - ('ip6_un1_flow', c_uint32), - ('ip6_un1_plen', c_uint16), - ('ip6_un1_nxt', c_uint8), - ('ip6_un1_hlim', c_uint8), -] + ('ip6_un1_flow', c_uint32), + ('ip6_un1_plen', c_uint16), + ('ip6_un1_nxt', c_uint8), + ('ip6_un1_hlim', c_uint8), + ] class struct_ndpi_ipv6hdr(Structure): _fields_ = [ - ('ip6_hdr', struct_ndpi_ip6_hdrctl), - ('ip6_src', ndpi_in6_addr), - ('ip6_dst', ndpi_in6_addr), -] + ('ip6_hdr', struct_ndpi_ip6_hdrctl), + ('ip6_src', ndpi_in6_addr), + ('ip6_dst', ndpi_in6_addr), + ] class struct_ndpi_tcphdr(Structure): _fields_ = [ - ('source', c_uint16), - ('dest', c_uint16), - ('seq', c_uint32), - ('ack_seq', c_uint32), - ('res1', c_uint16, 4), - ('doff', c_uint16, 4), - ('fin', c_uint16, 1), - ('syn', c_uint16, 1), - ('rst', c_uint16, 1), - ('psh', c_uint16, 1), - ('ack', c_uint16, 1), - ('urg', c_uint16, 1), - ('ece', c_uint16, 1), - ('cwr', c_uint16, 1), - ('window', c_uint16), - ('check', c_uint16), - ('urg_ptr', c_uint16), -] + ('source', c_uint16), + ('dest', c_uint16), + ('seq', c_uint32), + ('ack_seq', c_uint32), + ('res1', 
c_uint16, 4), + ('doff', c_uint16, 4), + ('fin', c_uint16, 1), + ('syn', c_uint16, 1), + ('rst', c_uint16, 1), + ('psh', c_uint16, 1), + ('ack', c_uint16, 1), + ('urg', c_uint16, 1), + ('ece', c_uint16, 1), + ('cwr', c_uint16, 1), + ('window', c_uint16), + ('check', c_uint16), + ('urg_ptr', c_uint16), + ] class struct_ndpi_udphdr(Structure): _fields_ = [ - ('source', c_uint16), - ('dest', c_uint16), - ('len', c_uint16), - ('check', c_uint16), -] + ('source', c_uint16), + ('dest', c_uint16), + ('len', c_uint16), + ('check', c_uint16), + ] class ndpi_packet_struct(Structure): _fields_ = [ - ('iph', POINTER(struct_ndpi_iphdr_little_end)), - ('iphv6', POINTER(struct_ndpi_ipv6hdr)), - ('tcp', POINTER(struct_ndpi_tcphdr)), - ('udp', POINTER(struct_ndpi_udphdr)), - ('generic_l4_ptr', POINTER(c_uint8)), - ('payload', POINTER(c_uint8)), - ('tick_timestamp', c_uint32), - ('tick_timestamp_l', c_uint64), - ('detected_protocol_stack', c_uint16 * 2), - ('detected_subprotocol_stack', c_uint8 * 2), - ('protocol_stack_info', c_uint16), - ('line', struct_ndpi_int_one_line_struct * 64), - ('host_line', struct_ndpi_int_one_line_struct), - ('forwarded_line', struct_ndpi_int_one_line_struct), - ('referer_line', struct_ndpi_int_one_line_struct), - ('content_line', struct_ndpi_int_one_line_struct), - ('accept_line', struct_ndpi_int_one_line_struct), - ('user_agent_line', struct_ndpi_int_one_line_struct), - ('http_url_name', struct_ndpi_int_one_line_struct), - ('http_encoding', struct_ndpi_int_one_line_struct), - ('http_transfer_encoding', struct_ndpi_int_one_line_struct), - ('http_contentlen', struct_ndpi_int_one_line_struct), - ('http_cookie', struct_ndpi_int_one_line_struct), - ('http_origin', struct_ndpi_int_one_line_struct), - ('http_x_session_type', struct_ndpi_int_one_line_struct), - ('server_line', struct_ndpi_int_one_line_struct), - ('http_method', struct_ndpi_int_one_line_struct), - ('http_response', struct_ndpi_int_one_line_struct), - ('http_num_headers', c_uint8), - 
('l3_packet_len', c_uint16), - ('l4_packet_len', c_uint16), - ('payload_packet_len', c_uint16), - ('actual_payload_len', c_uint16), - ('num_retried_bytes', c_uint16), - ('parsed_lines', c_uint16), - ('parsed_unix_lines', c_uint16), - ('empty_line_position', c_uint16), - ('tcp_retransmission', c_uint8), - ('l4_protocol', c_uint8), - ('ssl_certificate_detected', c_uint8, 4), - ('ssl_certificate_num_checks', c_uint8, 4), - ('packet_lines_parsed_complete', c_uint8, 1), - ('packet_direction', c_uint8, 1), - ('empty_line_position_set', c_uint8, 1), -] + ('iph', POINTER(struct_ndpi_iphdr_little_end)), + ('iphv6', POINTER(struct_ndpi_ipv6hdr)), + ('tcp', POINTER(struct_ndpi_tcphdr)), + ('udp', POINTER(struct_ndpi_udphdr)), + ('generic_l4_ptr', POINTER(c_uint8)), + ('payload', POINTER(c_uint8)), + ('tick_timestamp', c_uint32), + ('tick_timestamp_l', c_uint64), + ('detected_protocol_stack', c_uint16 * 2), + ('detected_subprotocol_stack', c_uint8 * 2), + ('protocol_stack_info', c_uint16), + ('line', struct_ndpi_int_one_line_struct * 64), + ('host_line', struct_ndpi_int_one_line_struct), + ('forwarded_line', struct_ndpi_int_one_line_struct), + ('referer_line', struct_ndpi_int_one_line_struct), + ('content_line', struct_ndpi_int_one_line_struct), + ('accept_line', struct_ndpi_int_one_line_struct), + ('user_agent_line', struct_ndpi_int_one_line_struct), + ('http_url_name', struct_ndpi_int_one_line_struct), + ('http_encoding', struct_ndpi_int_one_line_struct), + ('http_transfer_encoding', struct_ndpi_int_one_line_struct), + ('http_contentlen', struct_ndpi_int_one_line_struct), + ('http_cookie', struct_ndpi_int_one_line_struct), + ('http_origin', struct_ndpi_int_one_line_struct), + ('http_x_session_type', struct_ndpi_int_one_line_struct), + ('server_line', struct_ndpi_int_one_line_struct), + ('http_method', struct_ndpi_int_one_line_struct), + ('http_response', struct_ndpi_int_one_line_struct), + ('http_num_headers', c_uint8), + ('l3_packet_len', c_uint16), + ('l4_packet_len', 
c_uint16), + ('payload_packet_len', c_uint16), + ('actual_payload_len', c_uint16), + ('num_retried_bytes', c_uint16), + ('parsed_lines', c_uint16), + ('parsed_unix_lines', c_uint16), + ('empty_line_position', c_uint16), + ('tcp_retransmission', c_uint8), + ('l4_protocol', c_uint8), + ('ssl_certificate_detected', c_uint8, 4), + ('ssl_certificate_num_checks', c_uint8, 4), + ('packet_lines_parsed_complete', c_uint8, 1), + ('packet_direction', c_uint8, 1), + ('empty_line_position_set', c_uint8, 1), + ] ndpi_flow_struct._fields_ = [ ("detected_protocol_stack", c_uint16 * ndpi.ndpi_wrap_ndpi_procol_size()), @@ -685,15 +685,15 @@ ndpi_flow_struct._fields_ = [ # Pointer to src or dst that identifies the server of this connection ("server_id", ndpi_id_struct), - # HTTP host or DNS query + # HTTP host or DNS query ("host_server_name", c_ubyte * 256), # This structure below will not not stay inside the protos - # structure below as HTTP is used by many subprotocols - # such as FaceBook, Google... so it is hard to know - # when to use it or not. Thus we leave it outside for the - # time being. + # structure below as HTTP is used by many subprotocols + # such as FaceBook, Google... so it is hard to know + # when to use it or not. Thus we leave it outside for the + # time being. ("http", http), diff --git a/python/ndpi_wrap.c b/python/ndpi_wrap.c index c8f7fdd96..7a052ddff 100644 --- a/python/ndpi_wrap.c +++ b/python/ndpi_wrap.c 
@@ -23,33 +23,38 @@ #include "ndpi_main.h" int ndpi_wrap_get_api_version(){ - return NDPI_API_VERSION; + return NDPI_API_VERSION; } int ndpi_wrap_ndpi_num_fds_bits(){ - return NDPI_NUM_FDS_BITS; + return NDPI_NUM_FDS_BITS; } int ndpi_wrap_num_custom_categories(){ - return NUM_CUSTOM_CATEGORIES; + return NUM_CUSTOM_CATEGORIES; } int ndpi_wrap_custom_category_label_len(){ - return CUSTOM_CATEGORY_LABEL_LEN; + return CUSTOM_CATEGORY_LABEL_LEN; } int ndpi_wrap_ndpi_max_supported_protocols(){ - return NDPI_MAX_SUPPORTED_PROTOCOLS; + return NDPI_MAX_SUPPORTED_PROTOCOLS; } int ndpi_wrap_ndpi_max_num_custom_protocols(){ - return NDPI_MAX_NUM_CUSTOM_PROTOCOLS; + return NDPI_MAX_NUM_CUSTOM_PROTOCOLS; } int ndpi_wrap_ndpi_procol_size(){ - return NDPI_PROTOCOL_SIZE; + return NDPI_PROTOCOL_SIZE; } void ndpi_wrap_NDPI_BITMASK_SET_ALL(NDPI_PROTOCOL_BITMASK* bitmask){ - NDPI_ONE(bitmask); -}
\ No newline at end of file + NDPI_ONE(bitmask); +} + +void dummy() { + /* Dummy call just to cause linker to include the ndpi library */ + ndpi_tfind(NULL, NULL, NULL); +} diff --git a/src/lib/protocols/qq.c b/src/lib/protocols/qq.c index ced05216e..51f6d2859 100644 --- a/src/lib/protocols/qq.c +++ b/src/lib/protocols/qq.c @@ -1,8 +1,8 @@ /* * qq.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-19 - ntop.org + * Copyright (C) 2009-2011 + * Copyright (C) 2011-18 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
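Review bot: The added `void dummy()` is an external symbol with a generic name in a shared object that the Python side loads through `CDLL`, so it can clash with any other loaded library exporting `dummy`. It also makes the link depend on a single reference: only the archive members reachable from `ndpi_tfind` are pulled in, so other `ndpi_*` functions looked up by name through ctypes may be missing, depending on how libndpi.a is split into objects. With GNU ld, `-Wl,--whole-archive $(LIBNDPI) -Wl,--no-whole-archive` in python/Makefile.in would state the intent directly and make the function unnecessary. If it stays, `void ndpi_wrap_force_link(void)` plus a comment that it must never be called (it passes NULL for every argument) would be safer.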
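Review bot: The qq.c header now reads `Copyright (C) 2009-2011` with no holder, and the ntop.org range goes backwards from `2011-19` to `2011-18`, which looks like an accidental revert to an older copy of the file rather than an intended edit. The description a few lines below still credits ipoque GmbH, so the attribution should stay as `Copyright (C) 2009-2011 by ipoque GmbH` unless the rights holder agreed to its removal.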
@@ -37,627 +37,29 @@ static void ndpi_int_qq_add_connection(struct ndpi_detection_module_struct *ndpi } -/* - * a qq client packet looks like this: - * - * TCP packets starts with 16 bit length, then the normal packets follows - * - * 0 1 byte packet tag (usually 0x02) - * 1 2 byte client tag (client version) - * 3 2 byte command - * 5 2 byte sequence number - * 7 4 byte userid - * 11 x bytes data - * LAST 1 byte packet tail (usually 0x03) - * - * a qq server packet looks like this: - * - * TCP packets starts with 16 bit length, then the normal packets follows - * - * 0 1 byte packet tag (usually 0x02) - * 1 2 byte source tag (client version, might also be a server id) - * 3 2 byte command (usually reply to client request, so same command id) - * 5 2 byte sequence number - * LAST 1 byte packet tail (usually 0x03) - * - * NOTE: there are other qq versions which uses different packet types! - */ - -/* - * these are some currently known client ids (or server ids) - * new ids might be added here if the traffic is really QQ - */ -static const u_int16_t ndpi_valid_qq_versions[] = { - 0x0100, 0x05a5, 0x062e, 0x06d5, 0x072e, 0x0801, 0x087d, 0x08d2, 0x0961, - 0x0a1d, 0x0b07, 0x0b2f, 0x0b35, 0x0b37, 0x0c0b, 0x0c0d, 0x0c21, 0x0c49, - 0x0d05, 0x0d51, 0x0d55, 0x0d61, 0x0e1b, 0x0e35, 0x0f15, 0x0f4b, 0x0f5f, - 0x1105, 0x111b, 0x111d, 0x1131, 0x113f, 0x115b, 0x1203, 0x1205, 0x120b, - 0x1251, 0x1412, 0x1441, 0x1501, 0x1549, 0x163a, 0x1801, 0x180d, 0x1c27, - 0x1e0d -}; - -/** - * this functions checks whether the packet is a valid qq packet - * it can handle tcp and udp packets - */ - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_valid_qq_packet(const struct ndpi_packet_struct *packet) -{ - u_int8_t real_start = 0; - u_int16_t command; - u_int8_t ids, found = 0; - u_int16_t version_id; - - if (packet->payload_packet_len < 9) - return 0; - - /* for tcp the length is prefixed */ - if 
(packet->tcp) { - if (ntohs(get_u_int16_t(packet->payload, 0)) != packet->payload_packet_len) { - return 0; - } - real_start = 2; - } - - /* packet usually starts with 0x02 */ - if (packet->payload[real_start] != 0x02) { - return 0; - } - - /* packet usually ends with 0x03 */ - if (packet->payload[packet->payload_packet_len - 1] != 0x03) { - return 0; - } - - version_id = ntohs(get_u_int16_t(packet->payload, real_start + 1)); - - if (version_id == 0) { - return 0; - } - - /* check for known version id */ - for (ids = 0; ids < sizeof(ndpi_valid_qq_versions) / sizeof(ndpi_valid_qq_versions[0]); ids++) { - if (version_id == ndpi_valid_qq_versions[ids]) { - found = 1; - break; - } - } - - if (!found) - return 0; - - command = ntohs(get_u_int16_t(packet->payload, real_start + 3)); - - /* these are some known commands, not all need to be checked - since many are used with already established connections */ - - switch (command) { - case 0x0091: /* get server */ - case 0x00ba: /* login token */ - case 0x00dd: /* password verify */ - case 0x00e5: - case 0x00a4: - case 0x0030: - case 0x001d: - case 0x0001: - case 0x0062: - case 0x0002: - case 0x0022: - case 0x0029: - break; - default: - return 0; - break; - } - - return 1; -} - -/* - * some file transfer packets look like this - * - * 0 1 byte packet tag (usually 0x04) - * 1 2 byte client tag (client version) - * 3 2 byte length (this is speculative) - * LAST 1 byte packet tail (usually 0x03) - * - */ -/** - * this functions checks whether the packet is a valid qq file transfer packet - * it can handle tcp and udp packets - */ - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_valid_qq_ft_packet(const struct ndpi_packet_struct *packet) -{ - u_int8_t ids, found = 0; - u_int16_t version_id; - - if (packet->payload_packet_len < 9) - return 0; - - /* file transfer packets may start with 0x00 (control), 0x03 (data), 0x04 (agent) */ - - 
if (packet->payload[0] != 0x04 && packet->payload[0] != 0x03 && packet->payload[0] != 0x00) { - return 0; - } - - version_id = ntohs(get_u_int16_t(packet->payload, 1)); - - if (version_id == 0) { - return 0; - } - - /* check for known version id */ - for (ids = 0; ids < sizeof(ndpi_valid_qq_versions) / sizeof(ndpi_valid_qq_versions[0]); ids++) { - if (version_id == ndpi_valid_qq_versions[ids]) { - found = 1; - break; - } - } - - if (!found) - return 0; - - if (packet->payload[0] == 0x04) { - - if (ntohs(get_u_int16_t(packet->payload, 3)) != packet->payload_packet_len) { - return 0; - } - - /* packet usually ends with 0x03 */ - if (packet->payload[packet->payload_packet_len - 1] != 0x03) { - return 0; - } - } else if (packet->payload[0] == 0x03) { - /* TODO currently not detected */ - return 0; - } else if (packet->payload[0] == 0x00) { - - /* packet length check, there might be other lengths */ - if (packet->payload_packet_len != 84) { - return 0; - } - - /* packet usually ends with 0x0c ? 
*/ - if (packet->payload[packet->payload_packet_len - 1] != 0x0c) { - return 0; - } - } - return 1; -} - -static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - static const u_int16_t p8000_patt_02[15] = // maybe version numbers - { 0x1549, 0x1801, 0x180d, 0x0961, 0x01501, 0x0e35, 0x113f, 0x0b37, 0x1131, 0x163a, 0x1e0d, 0x3619, 0x371b, 0x3823,}; - u_int16_t no_of_patterns = 14, index = 0; - - - NDPI_LOG_DBG(ndpi_struct, "search qq udp\n"); - - - if (flow->qq_stage <= 3) { - if ((packet->payload_packet_len == 27 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0300 - && packet->payload[2] == 0x01) - || (packet->payload_packet_len == 84 && ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x000e - && packet->payload[2] == 0x35) - || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0015 - && packet->payload[2] == 0x01) - || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x000b - && packet->payload[2] == 0x37) - || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0015 - && packet->payload[2] == 0x49))) - || (packet->payload_packet_len > 10 - && ((get_u_int16_t(packet->payload, 0) == htons(0x000b) && packet->payload[2] == 0x37) - || (get_u_int32_t(packet->payload, 0) == htonl(0x04163a00) - && packet->payload[packet->payload_packet_len - 1] == 0x03 - && packet->payload[4] == packet->payload_packet_len)))) { - /* - if (flow->qq_stage == 3 && flow->detected_protocol == NDPI_PROTOCOL_QQ) { - if (flow->packet_direction_counter[0] > 0 && flow->packet_direction_counter[1] > 0) { - flow->protocol_subtype = NDPI_PROTOCOL_QQ_SUBTYPE_AUDIO; - return; - } else if (flow->packet_counter < 10) { - return; - } - } */ - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 030001 or 000e35 four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - if (packet->payload_packet_len > 2 && 
(packet->payload[0] == 0x02 || packet->payload[0] == 0x04)) { - u_int16_t pat = ntohs(get_u_int16_t(packet->payload, 1)); - for (index = 0; index < no_of_patterns; index++) { - if (pat == p8000_patt_02[index] && packet->payload[packet->payload_packet_len - 1] == 0x03) { - flow->qq_stage++; - // maybe we can test here packet->payload[4] == packet->payload_packet_len - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 ... 03 four times\n"); - /* - if (packet->payload[0] == 0x04) { - ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); - return; - } */ - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - } - } - if (packet->payload_packet_len == 84 && (packet->payload[0] == 0 || packet->payload[0] == 0x03)) { - u_int16_t pat = ntohs(get_u_int16_t(packet->payload, 1)); - for (index = 0; index < no_of_patterns; index++) { - if (pat == p8000_patt_02[index]) { - flow->qq_stage++; - /* - if (flow->qq_stage == 3 && flow->packet_direction_counter[0] > 0 && - flow->packet_direction_counter[1] > 0) { - NDPI_LOG_DBG(ndpi_struct, "found qq udp pattern four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); - return; - } else */ if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - } - } - if (packet->payload_packet_len > 2 && packet->payload[0] == 0x04 - && ((ntohs(get_u_int16_t(packet->payload, 1)) == 0x1549 - || ntohs(get_u_int16_t(packet->payload, 1)) == 0x1801 || ntohs(get_u_int16_t(packet->payload, 1)) == 0x0961) - || - (packet->payload_packet_len > 16 - && (ntohs(get_u_int16_t(packet->payload, 1)) == 0x180d || ntohs(get_u_int16_t(packet->payload, 1)) == 0x096d) - && ntohl(get_u_int32_t(packet->payload, 12)) == 0x28000000 - && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len)) - && packet->payload[packet->payload_packet_len - 1] == 0x03) 
{ - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 04 1159 ... 03 four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x06 || packet->payload[0] == 0x02) - && ntohs(get_u_int16_t(packet->payload, 1)) == 0x0100 - && (packet->payload[packet->payload_packet_len - 1] == 0x00 - || packet->payload[packet->payload_packet_len - 1] == 0x03)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 02/06 0100 ... 03/00 four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x02) - && ntohs(get_u_int16_t(packet->payload, 1)) == 0x1131 && packet->payload[packet->payload_packet_len - 1] == 0x03) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 02 1131 ... 
03 four times.\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- if (packet->payload_packet_len > 5 && get_u_int16_t(packet->payload, 0) == htons(0x0203) &&
- ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len &&
- get_u_int16_t(packet->payload, 4) == htons(0x0b0b)) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct,
- "found qq udp pattern 0203[packet_length_0b0b] three times.\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- if (packet->udp->dest == htons(9000) || packet->udp->source == htons(9000)) {
- if (packet->payload_packet_len > 3
- && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0202
- && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct,
- "found qq udp pattern 02 02 <length> four times.\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- }
- }
-
- if (ndpi_is_valid_qq_packet(packet)) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over udp\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- NDPI_LOG_DBG2(ndpi_struct, "found qq packet stage %d\n", flow->qq_stage);
- return;
- }
-
- if (ndpi_is_valid_qq_ft_packet(packet)) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct, "found qq ft over udp\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- if (flow->qq_stage && flow->packet_counter <= 5) {
- return;
- }
-
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-}
-
-
-
-#if !defined(WIN32)
-static inline
-#elif defined(MINGW_GCC)
-__mingw_forceinline static
-#else
-__forceinline static
-#endif
-void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
- u_int16_t i = 0;
-
- NDPI_LOG_DBG(ndpi_struct, "search qq tcp\n");
-
- if (packet->payload_packet_len == 39 && get_u_int32_t(packet->payload, 0) == htonl(0x27000000) &&
- get_u_int16_t(packet->payload, 4) == htons(0x0014) && get_u_int32_t(packet->payload, 11) != 0 &&
- get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x0000)) {
- if (flow->qq_stage == 4) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp - maybe ft/audio/video\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- flow->qq_stage = 4;
- return;
- }
-
- if ((packet->payload_packet_len > 4 && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len
- && get_u_int16_t(packet->payload, 2) == htons(0x0212) && packet->payload[4] == 0x0b)
- || (packet->payload_packet_len > 6 && packet->payload[0] == 0x02
- && packet->payload[packet->payload_packet_len - 1] == 0x03
- && ntohs(get_u_int16_t(packet->payload, 1)) == packet->payload_packet_len
- && (get_u_int16_t(packet->payload, 3) == htons(0x0605) || get_u_int16_t(packet->payload, 3) == htons(0x0608))
- && packet->payload[5] == 0x00)
- || (packet->payload_packet_len > 9 && get_u_int32_t(packet->payload, 0) == htonl(0x04154900)
- && get_l16(packet->payload, 4) == packet->payload_packet_len
- && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 9 && get_u_int32_t(packet->payload, 0) == htonl(0x040e3500)
- && get_l16(packet->payload, 4) == packet->payload_packet_len
- && packet->payload[9] == 0x33 && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 9 && get_u_int32_t(packet->payload, 0) == htonl(0x040e0215)
- && get_l16(packet->payload, 4) == packet->payload_packet_len
- && packet->payload[9] == 0x33 && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 6 && get_u_int32_t(packet->payload, 2) == htonl(0x020d5500)
- && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len
- && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 6 && get_u_int16_t(packet->payload, 0) == htons(0x0418)
- && packet->payload[2] == 0x01
- && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len
- && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 6 && get_u_int16_t(packet->payload, 0) == htons(0x0411)
- && packet->payload[2] == 0x31
- && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len
- && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 6 && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len
- && get_u_int16_t(packet->payload, 2) == htons(0x0211) && packet->payload[4] == 0x31
- && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 6 && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len
- && get_u_int16_t(packet->payload, 2) == htons(0x0218) && packet->payload[4] == 0x01
- && packet->payload[packet->payload_packet_len - 1] == 0x03)
- || (packet->payload_packet_len > 10 && get_u_int32_t(packet->payload, 0) == htonl(0x04163a00)
- && packet->payload[packet->payload_packet_len - 1] == 0x03
- && packet->payload[4] == packet->payload_packet_len)
- ) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- if (ndpi_is_valid_qq_packet(packet)) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- if (ndpi_is_valid_qq_ft_packet(packet)) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct, "found qq ft over tcp\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
- if (packet->payload_packet_len == 2) {
- flow->l4.tcp.qq_nxt_len = ntohs(get_u_int16_t(packet->payload, 0));
- return;
- }
- if (packet->payload_packet_len > 5 && (((flow->l4.tcp.qq_nxt_len == packet->payload_packet_len + 2)
- && packet->payload[0] == 0x02
- && packet->payload[packet->payload_packet_len - 1] == 0x03
- && get_u_int16_t(packet->payload, 1) == htons(0x0f5f))
- || (ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len
- && packet->payload[2] == 0x02
- && packet->payload[packet->payload_packet_len - 1] == 0x03
- && get_u_int16_t(packet->payload, 3) == htons(0x0f5f)))) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 ... 03 four times\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
-
- }
- if (packet->payload_packet_len > 2 && packet->payload[0] == 0x04 && ((get_u_int16_t(packet->payload, 1) == htons(0x1549)
- || get_u_int16_t(packet->payload,
- 1) == htons(0x1801)
- || get_u_int16_t(packet->payload,
- 1) == htons(0x0961))
- || (packet->payload_packet_len > 16
- && (get_u_int16_t(packet->payload, 1) ==
- htons(0x180d)
- || get_u_int16_t(packet->payload,
- 1) == htons(0x096d))
- && get_u_int32_t(packet->payload,
- 12) == htonl(0x28000000)
- && ntohs(get_u_int16_t(packet->payload, 3)) ==
- packet->payload_packet_len))
- && packet->payload[packet->payload_packet_len - 1] == 0x03) {
- flow->qq_stage++;
- if (flow->qq_stage == 3) {
- NDPI_LOG_INFO(ndpi_struct,
- "found qq udp pattern 04 1159 ... 03 four times.\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- return;
- }
-
-
-
- if (packet->payload_packet_len > 100
- && ((memcmp(packet->payload, "GET", 3) == 0) || (memcmp(packet->payload, "POST", 4) == 0))) {
- NDPI_LOG_DBG2(ndpi_struct, "found GET or POST\n");
- if (memcmp(packet->payload, "GET /qqfile/qq", 14) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET /qqfile/qq\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- ndpi_parse_packet_line_info(ndpi_struct, flow);
-
- if (packet->user_agent_line.ptr != NULL
- && (packet->user_agent_line.len > 7 && memcmp(packet->user_agent_line.ptr, "QQClient", 8) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET...QQClient\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- for (i = 0; i < packet->parsed_lines; i++) {
- if (packet->line[i].len > 3 && memcmp(packet->line[i].ptr, "QQ: ", 4) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET...QQ: \n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- }
- if (packet->host_line.ptr != NULL) {
- NDPI_LOG_DBG2(ndpi_struct, "host line ptr\n");
- if (packet->host_line.len > 11 && memcmp(&packet->host_line.ptr[0], "www.qq.co.za", 12) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found qq over tcp Host: www.qq.co.za\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- }
- }
- if (flow->qq_stage == 0 && packet->payload_packet_len == 82
- && get_u_int32_t(packet->payload, 0) == htonl(0x0000004e) && get_u_int32_t(packet->payload, 4) == htonl(0x01010000)) {
- for (i = 8; i < 82; i++) {
- if (packet->payload[i] != 0x00) {
- break;
- }
- if (i == 81) {
- NDPI_LOG_INFO(ndpi_struct, "found qq Mail\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- }
- }
- if (flow->qq_stage == 0 && packet->payload_packet_len == 182 && get_u_int32_t(packet->payload, 0) == htonl(0x000000b2)
- && get_u_int32_t(packet->payload, 4) == htonl(0x01020000)
- && get_u_int32_t(packet->payload, 8) == htonl(0x04015151) && get_u_int32_t(packet->payload, 12) == htonl(0x4d61696c)) {
- NDPI_LOG_INFO(ndpi_struct, "found qq Mail\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- if (packet->payload_packet_len == 204 && flow->qq_stage == 0 && get_u_int32_t(packet->payload, 200) == htonl(0xfbffffff)) {
- for (i = 0; i < 200; i++) {
- NDPI_LOG_DBG2(ndpi_struct, "i = %u\n", i);
- if (packet->payload[i] != 0) {
- break;
- }
- if (i == 199) {
- NDPI_LOG_INFO(ndpi_struct, "found qq chat or file transfer\n");
- ndpi_int_qq_add_connection(ndpi_struct, flow);
- return;
- }
- }
- }
-
- if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) {
-
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QQ);
- NDPI_LOG_DBG(ndpi_struct, "QQ tcp excluded; len %u\n",
- packet->payload_packet_len);
- }
-
-}
-
-
 void ndpi_search_qq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
 {
 struct ndpi_packet_struct *packet = &flow->packet;
-
- if (packet->udp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ)
- ndpi_search_qq_udp(ndpi_struct, flow);
- if (packet->tcp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ)
- ndpi_search_qq_tcp(ndpi_struct, flow);
+ NDPI_LOG_DBG(ndpi_struct, "search QQ\n");
+
+ if ((packet->payload_packet_len == 72 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004800) ||
+ (packet->payload_packet_len == 64 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004000) ||
+ (packet->payload_packet_len == 60 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004200) ||
+ (packet->payload_packet_len == 84 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02005a00) ||
+ (packet->payload_packet_len == 56 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02003800) ||
+ (packet->payload_packet_len >= 39 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x28000000)) {
+ NDPI_LOG_INFO(ndpi_struct, "found QQ\n");
+ ndpi_int_qq_add_connection(ndpi_struct, flow);
+ } else {
+ if(flow->num_processed_pkts > 4)
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ }
 }
-void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id,
+ NDPI_PROTOCOL_BITMASK *detection_bitmask)
 {
 ndpi_set_bitmask_protocol_detection("QQ", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_QQ, |