-rw-r--r-- | src/lib/protocols/h323.c | 122 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/h323_tcp.pcap | bin | 0 -> 1123 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/h323.pcap.out | 8 | ||||
-rw-r--r-- | tests/cfgs/default/result/h323_tcp.pcap.out | 28 | ||||
-rw-r--r-- | tests/cfgs/default/result/rtmp.pcap.out | 2 |
5 files changed, 88 insertions, 72 deletions
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c index 4cafd4392..ecab1cac6 100644 --- a/src/lib/protocols/h323.c +++ b/src/lib/protocols/h323.c 
@@ -26,94 +26,82 @@ #include "ndpi_api.h" #include "ndpi_private.h" +static void ndpi_int_h323_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + NDPI_LOG_INFO(ndpi_struct, "found H323\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, + NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); +} -struct tpkt { - u_int8_t version, reserved; - u_int16_t len; -}; - -static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +static void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; u_int16_t dport = 0, sport = 0; NDPI_LOG_DBG(ndpi_struct, "search H323\n"); - /* - The TPKT protocol is used by ISO 8072 (on port 102) - and H.323. So this check below is to avoid ambiguities - */ - if((packet->tcp != NULL) && (packet->tcp->dest != ntohs(102))) { - NDPI_LOG_DBG2(ndpi_struct, "calculated dport over tcp\n"); - - /* H323 */ - if(packet->payload_packet_len > 5 - && (packet->payload[0] == 0x03) - && (packet->payload[1] == 0x00)) { - struct tpkt *t = (struct tpkt*)packet->payload; - u_int16_t len = ntohs(t->len); - - if(packet->payload_packet_len == len) { - flow->h323_valid_packets++; - - if(flow->h323_valid_packets >= 2) { - NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - } - } else { - /* This is not H.323 */ - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + /* TPKT header length + Q.931 header length without IE */ + if ((packet->payload_packet_len) > 10 && (packet->tcp != NULL)) { + if ((packet->payload[0] == 0x03) && + (packet->payload[1] == 0x00) && + (ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len)) + { + /* Check Q.931 Protocol Discriminator and call reference value length */ + if ((packet->payload[4] 
== 0x08) && ((packet->payload[5] & 0xF) <= 3)) { + ndpi_int_h323_add_connection(ndpi_struct, flow); + return; } } - } else if(packet->udp != NULL) { + } else if (packet->udp != NULL) { sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); NDPI_LOG_DBG2(ndpi_struct, "calculated dport over udp\n"); - if(packet->payload_packet_len >= 6 && packet->payload[0] == 0x80 && packet->payload[1] == 0x08 && - (packet->payload[2] == 0xe7 || packet->payload[2] == 0x26) && - packet->payload[4] == 0x00 && packet->payload[5] == 0x00) - { - NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - return; - } + if (packet->payload_packet_len >= 6 && packet->payload[0] == 0x80 && + packet->payload[1] == 0x08 && + (packet->payload[2] == 0xe7 || packet->payload[2] == 0x26) && + packet->payload[4] == 0x00 && packet->payload[5] == 0x00) + { + ndpi_int_h323_add_connection(ndpi_struct, flow); + return; + } /* H323 */ - if(sport == 1719 || dport == 1719) { - if((packet->payload_packet_len > 5) - && (packet->payload[0] == 0x16) - && (packet->payload[1] == 0x80) - && (packet->payload[4] == 0x06) - && (packet->payload[5] == 0x00)) { - NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - return; - } else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117) { - /* This check is quite generic: let's check another packet...*/ - flow->h323_valid_packets++; - if(flow->h323_valid_packets >= 2) { - NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - } + if (sport == 1719 || dport == 1719) { + if ((packet->payload_packet_len > 5) && (packet->payload[0] == 0x16) && + (packet->payload[1] == 0x80) && (packet->payload[4] == 0x06) && 
+ (packet->payload[5] == 0x00)) + { + ndpi_int_h323_add_connection(ndpi_struct, flow); + return; + } else if (packet->payload_packet_len >= 20 && + packet->payload_packet_len <= 117) { + /* This check is quite generic: let's check another packet...*/ + flow->h323_valid_packets++; + if (flow->h323_valid_packets >= 2) { + ndpi_int_h323_add_connection(ndpi_struct, flow); + return; + } } else { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } } } - - if(flow->packet_counter > 5) + + if (flow->packet_counter > 5) NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } -void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) +void init_h323_dissector(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t *id) { - ndpi_set_bitmask_protocol_detection("H323", ndpi_struct, *id, - NDPI_PROTOCOL_H323, - ndpi_search_h323, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); + ndpi_set_bitmask_protocol_detection("H323", ndpi_struct, *id, + NDPI_PROTOCOL_H323, + ndpi_search_h323, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); *id += 1; } diff --git a/tests/cfgs/default/pcap/h323_tcp.pcap b/tests/cfgs/default/pcap/h323_tcp.pcap Binary files differnew file mode 100644 index 000000000..936de84bd --- /dev/null +++ b/tests/cfgs/default/pcap/h323_tcp.pcap diff --git a/tests/cfgs/default/result/h323.pcap.out b/tests/cfgs/default/result/h323.pcap.out index 5d776a1e3..a86b15ae4 100644 --- a/tests/cfgs/default/result/h323.pcap.out +++ b/tests/cfgs/default/result/h323.pcap.out 
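Review bot: The TCP branch now classifies a flow on a single packet from its first six payload bytes (TPKT `0x03 0x00` plus a matching length, Q.931 discriminator `0x08` and a call-reference length of at most 3) and silently drops the old port-102 guard, whose removed comment was the only record that TPKT is shared with ISO transport; keep that knowledge with a comment above the `payload[4] == 0x08` test such as `/* TPKT also carries ISO 8073/COTP (e.g. port 102); the Q.931 protocol discriminator is what disambiguates H.225 here */`. The `> 10` length bound already guarantees that the Q.931 message-type byte at `payload[6 + (packet->payload[5] & 0xF)]` is in range, so it could be compared against the Q.931 message types H.225 actually uses before calling ndpi_int_h323_add_connection, tightening the heuristic at no cost. The former two-valid-packets requirement for TCP is gone while the UDP port-1719 path still uses `h323_valid_packets`, so any TCP false positive is now committed on the first packet; a one-line note on that trade-off in ndpi_search_h323 would help the next maintainer.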
@@ -1,9 +1,9 @@ Guessed flow protos: 0 -DPI Packets (TCP): 2 (2.00 pkts/flow) +DPI Packets (TCP): 1 (1.00 pkts/flow) DPI Packets (UDP): 2 (2.00 pkts/flow) Confidence DPI : 2 (flows) -Num dissector calls: 242 (121.00 diss/flow) +Num dissector calls: 118 (59.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) @@ -17,7 +17,7 @@ Automa domain: 0/0 (search/found) Automa tls cert: 0/0 (search/found) Automa risk mask: 0/0 (search/found) Automa common alpns: 0/0 (search/found) -Patricia risk mask: 0/0 (search/found) +Patricia risk mask: 2/0 (search/found) Patricia risk mask IPv6: 0/0 (search/found) Patricia risk: 2/0 (search/found) Patricia risk IPv6: 0/0 (search/found) 
@@ -27,4 +27,4 @@ Patricia protocols IPv6: 0/0 (search/found) H323 12 1825 2 1 UDP 17.2.0.124:2034 <-> 17.2.0.161:1719 [proto: 158/H323][IP: 140/Apple][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][3 pkts/665 bytes <-> 7 pkts/853 bytes][Goodput ratio: 81/65][80.21 sec][bytes ratio: -0.124 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 247/336 288/13362 330/70142 42/25418][Pkt Len c2s/s2c min/avg/max/stddev: 80/67 222/122 411/176 139/48][PLAIN TEXT (@333333330)][Plen Bins: 20,20,10,10,30,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] - 2 TCP 17.2.0.124:3032 <-> 17.2.0.122:1720 [proto: 158/H323][IP: 140/Apple][ClearText][Confidence: DPI][DPI packets: 2][cat: VoIP/10][1 pkts/207 bytes <-> 1 pkts/100 bytes][Goodput ratio: 74/46][0.06 sec][PLAIN TEXT (5295672)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 17.2.0.124:3032 <-> 17.2.0.122:1720 [proto: 158/H323][IP: 140/Apple][ClearText][Confidence: DPI][DPI packets: 1][cat: VoIP/10][1 pkts/207 bytes <-> 1 pkts/100 bytes][Goodput ratio: 74/46][0.06 sec][PLAIN TEXT (5295672)][Plen Bins: 0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/cfgs/default/result/h323_tcp.pcap.out b/tests/cfgs/default/result/h323_tcp.pcap.out new file mode 100644 index 000000000..ac9342439 --- /dev/null +++ b/tests/cfgs/default/result/h323_tcp.pcap.out 
@@ -0,0 +1,28 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 3 (3.00 pkts/flow)
+Confidence DPI : 1 (flows)
+Num dissector calls: 1 (1.00 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache zoom: 0/0/0 (insert/search/found)
+LRU cache stun: 0/0/0 (insert/search/found)
+LRU cache tls_cert: 0/0/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 0/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 2/0 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+H323 10 939 1
+
+ 1 TCP 10.1.6.18:1720 <-> 10.1.3.143:32803 [proto: 158/H323][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 3][cat: VoIP/10][5 pkts/509 bytes <-> 5 pkts/430 bytes][Goodput ratio: 44/37][1.04 sec][bytes ratio: 0.084 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 60/17 261/261 627/627 217/225][Pkt Len c2s/s2c min/avg/max/stddev: 60/54 102/86 151/214 35/64][PLAIN TEXT (m.jemec)][Plen Bins: 0,0,50,25,0,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/default/result/rtmp.pcap.out b/tests/cfgs/default/result/rtmp.pcap.out
index 5b86003a2..46f09504d 100644
--- a/tests/cfgs/default/result/rtmp.pcap.out
+++ b/tests/cfgs/default/result/rtmp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos: 0 DPI Packets (TCP): 8 (8.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 154 (154.00 diss/flow) +Num dissector calls: 155 (155.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) |