-rw-r--r-- | example/ndpiReader.c | 2 | ||||
-rw-r--r-- | example/ndpiSimpleIntegration.c | 38 | ||||
-rw-r--r-- | example/reader_util.c | 49 | ||||
-rw-r--r-- | fuzz/fuzz_process_packet.c | 8 | ||||
-rw-r--r-- | src/include/ndpi_api.h.in | 22 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 50 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 37 | ||||
-rw-r--r-- | src/lib/protocols/directconnect.c | 246 | ||||
-rw-r--r-- | src/lib/protocols/gnutella.c | 65 | ||||
-rw-r--r-- | src/lib/protocols/icecast.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/irc.c | 146 | ||||
-rw-r--r-- | src/lib/protocols/jabber.c | 186 | ||||
-rw-r--r-- | src/lib/protocols/thunder.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/world_of_warcraft.c | 16 |
14 files changed, 31 insertions, 843 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c
index c84e88fcd..f21fbc86a 100644
--- a/example/ndpiReader.c
+++ b/example/ndpiReader.c
@@ -2911,7 +2911,7 @@ static void printResults(u_int64_t processing_time_usec, u_int64_t setup_time_us
 if(!quiet_mode) {
 printf("\nnDPI Memory statistics:\n");
 printf("\tnDPI Memory (once): %-13s\n", formatBytes(ndpi_get_ndpi_detection_module_size(), buf, sizeof(buf)));
- printf("\tFlow Memory (per flow): %-13s\n", formatBytes( ndpi_detection_get_sizeof_ndpi_flow_struct() + 2*ndpi_detection_get_sizeof_ndpi_id_struct(), buf, sizeof(buf)));
+ printf("\tFlow Memory (per flow): %-13s\n", formatBytes( ndpi_detection_get_sizeof_ndpi_flow_struct(), buf, sizeof(buf)));
 printf("\tActual Memory: %-13s\n", formatBytes(current_ndpi_memory, buf, sizeof(buf)));
 printf("\tPeak Memory: %-13s\n", formatBytes(max_ndpi_memory, buf, sizeof(buf)));
 printf("\tSetup Time: %lu msec\n", (unsigned long)(setup_time_usec/1000));
diff --git a/example/ndpiSimpleIntegration.c b/example/ndpiSimpleIntegration.c
index d8a83dc47..57b51450c 100644
--- a/example/ndpiSimpleIntegration.c
+++ b/example/ndpiSimpleIntegration.c
@@ -85,8 +85,6 @@ struct nDPI_flow_info {
 struct ndpi_proto guessed_protocol;
 struct ndpi_flow_struct * ndpi_flow;
- struct ndpi_id_struct * ndpi_src;
- struct ndpi_id_struct * ndpi_dst;
 };
 struct nDPI_workflow {
@@ -190,8 +188,6 @@ static void ndpi_flow_info_freer(void * const node) {
 struct nDPI_flow_info * const flow = (struct nDPI_flow_info *)node;
- ndpi_free(flow->ndpi_dst);
- ndpi_free(flow->ndpi_src);
 ndpi_flow_free(flow->ndpi_flow);
 ndpi_free(flow);
 }
@@ -505,10 +501,6 @@ static void ndpi_process_packet(uint8_t * const args,
 void * tree_result;
 struct nDPI_flow_info * flow_to_process;
- int direction_changed = 0;
- struct ndpi_id_struct * ndpi_src;
- struct ndpi_id_struct * ndpi_dst;
- const struct ndpi_ethhdr * ethernet;
 const struct ndpi_iphdr * ip;
 struct ndpi_ipv6hdr * ip6;
@@ -753,9 +745,6 @@ static void ndpi_process_packet(uint8_t * const args,
 flow.dst_port = orig_src_port;
 tree_result = ndpi_tfind(&flow, &workflow->ndpi_flows_active[hashed_index], ndpi_workflow_node_cmp);
- if (tree_result != NULL) {
- direction_changed = 1;
- }
 flow.ip_tuple.u32.src[0] = orig_src_ip[0];
 flow.ip_tuple.u32.src[1] = orig_src_ip[1];
@@ -800,20 +789,6 @@ static void ndpi_process_packet(uint8_t * const args,
 }
 memset(flow_to_process->ndpi_flow, 0, SIZEOF_FLOW_STRUCT);
- flow_to_process->ndpi_src = (struct ndpi_id_struct *)ndpi_calloc(1, SIZEOF_ID_STRUCT);
- if (flow_to_process->ndpi_src == NULL) {
- fprintf(stderr, "[%8llu, %d, %4u] Not enough memory for src id struct\n",
- workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id);
- return;
- }
-
- flow_to_process->ndpi_dst = (struct ndpi_id_struct *)ndpi_calloc(1, SIZEOF_ID_STRUCT);
- if (flow_to_process->ndpi_dst == NULL) {
- fprintf(stderr, "[%8llu, %d, %4u] Not enough memory for dst id struct\n",
- workflow->packets_captured, reader_thread->array_index, flow_to_process->flow_id);
- return;
- }
-
 printf("[%8llu, %d, %4u] new %sflow\n", workflow->packets_captured, thread_index, flow_to_process->flow_id, (flow_to_process->is_midstream_flow != 0 ? "midstream-" : ""));
@@ -821,19 +796,8 @@ static void ndpi_process_packet(uint8_t * const args,
 /* Possible Leak, but should not happen as we'd abort earlier. */
 return;
 }
-
- ndpi_src = flow_to_process->ndpi_src;
- ndpi_dst = flow_to_process->ndpi_dst;
 } else {
 flow_to_process = *(struct nDPI_flow_info **)tree_result;
-
- if (direction_changed != 0) {
- ndpi_src = flow_to_process->ndpi_dst;
- ndpi_dst = flow_to_process->ndpi_src;
- } else {
- ndpi_src = flow_to_process->ndpi_src;
- ndpi_dst = flow_to_process->ndpi_dst;
- }
 }
 flow_to_process->packets_processed++;
@@ -884,7 +848,7 @@ static void ndpi_process_packet(uint8_t * const args,
 flow_to_process->detected_l7_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, flow_to_process->ndpi_flow, ip != NULL ? (uint8_t *)ip : (uint8_t *)ip6,
- ip_size, time_ms, ndpi_src, ndpi_dst);
+ ip_size, time_ms);
 if (ndpi_is_protocol_detected(workflow->ndpi_struct, flow_to_process->detected_l7_protocol) != 0 &&
diff --git a/example/reader_util.c b/example/reader_util.c
index d47b5a5ec..3340170ef 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -300,8 +300,6 @@ void ndpi_report_payload_stats() {
 void ndpi_free_flow_info_half(struct ndpi_flow_info *flow) {
 if(flow->ndpi_flow) { ndpi_flow_free(flow->ndpi_flow); flow->ndpi_flow = NULL; }
- if(flow->src_id) { ndpi_free(flow->src_id); flow->src_id = NULL; }
- if(flow->dst_id) { ndpi_free(flow->dst_id); flow->dst_id = NULL; }
 }
 /* ***************************************************** */
@@ -699,8 +697,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 struct ndpi_tcphdr **tcph, struct ndpi_udphdr **udph, u_int16_t *sport, u_int16_t *dport,
- struct ndpi_id_struct **src,
- struct ndpi_id_struct **dst,
 u_int8_t *proto, u_int8_t **payload, u_int16_t *payload_len,
@@ -878,30 +874,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 } else
 memset(newflow->ndpi_flow, 0, SIZEOF_FLOW_STRUCT);
- if((newflow->src_id = ndpi_malloc(SIZEOF_ID_STRUCT)) == NULL) {
- LOG(NDPI_LOG_ERROR, "[NDPI] %s(3): not enough memory\n", __FUNCTION__);
-#ifdef DIRECTION_BINS
- ndpi_free_bin(&newflow->payload_len_bin_src2dst), ndpi_free_bin(&newflow->payload_len_bin_dst2src);
-#else
- ndpi_free_bin(&newflow->payload_len_bin);
-#endif
- ndpi_free(newflow);
- return(NULL);
- } else
- memset(newflow->src_id, 0, SIZEOF_ID_STRUCT);
-
- if((newflow->dst_id = ndpi_malloc(SIZEOF_ID_STRUCT)) == NULL) {
- LOG(NDPI_LOG_ERROR, "[NDPI] %s(4): not enough memory\n", __FUNCTION__);
-#ifdef DIRECTION_BINS
- ndpi_free_bin(&newflow->payload_len_bin_src2dst), ndpi_free_bin(&newflow->payload_len_bin_dst2src);
-#else
- ndpi_free_bin(&newflow->payload_len_bin);
-#endif
- ndpi_free(newflow);
- return(NULL);
- } else
- memset(newflow->dst_id, 0, SIZEOF_ID_STRUCT);
-
 ndpi_tsearch(newflow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); /* Add */
 workflow->stats.ndpi_flow_count++;
 if(*proto == IPPROTO_TCP)
@@ -911,8 +883,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 else
 workflow->stats.flow_count[2]++;
- *src = newflow->src_id, *dst = newflow->dst_id;
-
 if(enable_flow_stats) {
 newflow->entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy));
 newflow->last_entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy));
@@ -939,9 +909,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 && rflow->src_port == htons(*sport) && rflow->dst_port == htons(*dport) )
- *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1;
+ *src_to_dst_direction = 0, rflow->bidirectional = 1;
 else
- *src = rflow->src_id, *dst = rflow->dst_id, *src_to_dst_direction = 1;
+ *src_to_dst_direction = 1;
 } else {
 if(rflow->src_ip == iph->saddr
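Review bot: In example/reader_util.c the result of `ndpi_tsearch(newflow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp);` (kept as context in the hunk at -878) is discarded, so if the insert reports an allocation failure through its return value the flow is still counted in `stats.ndpi_flow_count` but is not reachable from the tree and is never freed. With the two id-struct allocations removed this is the remaining unchecked step on the new-flow path; I would test the result against NULL and release `newflow` there the same way the earlier error paths of this function do. The `ndpi_calloc` results stored in `newflow->entropy` and `newflow->last_entropy` (hunk at -911) are likewise not checked in the visible lines. get_ndpi_flow_info starts and ends outside these hunks.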
@@ -949,9 +919,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow
 && rflow->src_port == htons(*sport) && rflow->dst_port == htons(*dport) )
- *src = rflow->src_id, *dst = rflow->dst_id, *src_to_dst_direction = 1;
+ *src_to_dst_direction = 1;
 else
- *src = rflow->dst_id, *dst = rflow->src_id, *src_to_dst_direction = 0, rflow->bidirectional = 1;
+ *src_to_dst_direction = 0, rflow->bidirectional = 1;
 }
 if(enable_flow_stats) {
 if(src_to_dst_direction) {
@@ -997,8 +967,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
 struct ndpi_tcphdr **tcph, struct ndpi_udphdr **udph, u_int16_t *sport, u_int16_t *dport,
- struct ndpi_id_struct **src,
- struct ndpi_id_struct **dst,
 u_int8_t *proto, u_int8_t **payload, u_int16_t *payload_len,
@@ -1024,7 +992,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
 &iph, iph6, ip_offset, ipsize, ip_len, l4ptr - (const u_int8_t *)iph6, tcph, udph, sport, dport,
- src, dst, proto, payload,
+ proto, payload,
 payload_len, src_to_dst_direction, when));
 }
@@ -1347,7 +1315,6 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 pkt_timeval when, ndpi_risk *flow_risk, FILE * csv_fp) {
- struct ndpi_id_struct *src, *dst;
 struct ndpi_flow_info *flow = NULL;
 struct ndpi_flow_struct *ndpi_flow = NULL;
 u_int8_t proto;
@@ -1369,13 +1336,13 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 ntohs(iph->tot_len) - (iph->ihl * 4), iph->ihl * 4, &tcph, &udph, &sport, &dport,
- &src, &dst, &proto,
+ &proto,
 &payload, &payload_len, &src_to_dst_direction, when);
 else
 flow = get_ndpi_flow_info6(workflow, vlan_id, tunnel_type, iph6, ip_offset, ipsize, &tcph, &udph, &sport, &dport,
- &src, &dst, &proto,
+ &proto,
 &payload, &payload_len, &src_to_dst_direction, when);
 if(flow != NULL) {
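Review bot: `if(src_to_dst_direction) {` in the trailing context of the hunk at -949 appears to test the pointer rather than the value: the lines just above write through it (`*src_to_dst_direction = 1;`), so the condition is true for every packet and the reverse-direction arm of the flow-stats code would never run. Now that the direction flag is the only thing these branches produce, the test should read `if(*src_to_dst_direction) {`. The body of get_ndpi_flow_info continues past the end of the hunk, so the other arm is not visible here.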
@@ -1563,7 +1530,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6,
- ipsize, time_ms, src, dst);
+ ipsize, time_ms);
 if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) {
 if((!enough_packets)
diff --git a/fuzz/fuzz_process_packet.c b/fuzz/fuzz_process_packet.c
index b8780b7a8..8841c0a1c 100644
--- a/fuzz/fuzz_process_packet.c
+++ b/fuzz/fuzz_process_packet.c
@@ -4,8 +4,6 @@
 #include <stdio.h>
 struct ndpi_detection_module_struct *ndpi_info_mod = NULL;
-struct ndpi_id_struct *src;
-struct ndpi_id_struct *dst;
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 uint8_t protocol_was_guessed;
@@ -16,8 +14,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 NDPI_BITMASK_SET_ALL(all);
 NDPI_BITMASK_SET_ALL(debug_bitmask);
 ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);
- src = ndpi_malloc(SIZEOF_ID_STRUCT);
- dst = ndpi_malloc(SIZEOF_ID_STRUCT);
 ndpi_set_log_level(ndpi_info_mod, 4);
 ndpi_set_debug_bitmask(ndpi_info_mod, debug_bitmask);
 ndpi_finalize_initialization(ndpi_info_mod);
@@ -25,9 +21,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 struct ndpi_flow_struct *ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT);
 memset(ndpi_flow, 0, SIZEOF_FLOW_STRUCT);
- memset(src, 0, SIZEOF_ID_STRUCT);
- memset(dst, 0, SIZEOF_ID_STRUCT);
- ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, src, dst);
+ ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0);
 ndpi_detection_giveup(ndpi_info_mod, ndpi_flow, 1, &protocol_was_guessed);
 ndpi_free_flow(ndpi_flow);
diff --git a/src/include/ndpi_api.h.in b/src/include/ndpi_api.h.in
index e0b813597..ed468f6d8 100644
--- a/src/include/ndpi_api.h.in
+++ b/src/include/ndpi_api.h.in
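Review bot: In fuzz/fuzz_process_packet.c (hunk at -25) the pointer returned by `ndpi_flow_malloc(SIZEOF_FLOW_STRUCT)` goes straight into `memset` with no NULL check, so an allocation failure under a fuzzer memory limit would be reported as a crash in the harness rather than as a finding in the library. Since the harness is being simplified here anyway, I would add `if(ndpi_flow == NULL) return 0;` before the `memset`. LLVMFuzzerTestOneInput continues outside the hunk.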
@@ -36,7 +36,6 @@ extern "C" {
 */
 #define NDPI_API_VERSION @NDPI_API_VERSION@
-#define SIZEOF_ID_STRUCT ( sizeof(struct ndpi_id_struct) )
 #define SIZEOF_FLOW_STRUCT ( sizeof(struct ndpi_flow_struct) )
 #define NDPI_DETECTION_ONLY_IPV4 ( 1 << 0 )
@@ -76,15 +75,6 @@ extern "C" {
 /**
- * Get the size of the id struct
- *
- * @return the size of the id struct
- *
- */
- u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void);
-
-
- /**
 * Get the size of the flow tcp struct
 *
 * @return the size of the flow tcp struct
@@ -303,8 +293,6 @@ extern "C" {
 * @par packet = unsigned char pointer to the Layer 3 (IP header)
 * @par packetlen = the length of the packet
 * @par packet_time_ms = the current timestamp for the packet (expressed in msec)
- * @par src = pointer to the source subscriber state machine
- * @par dst = pointer to the destination subscriber state machine
 * @return void
 *
 */
@@ -312,9 +300,7 @@ extern "C" {
 struct ndpi_flow_struct *flow,
 const unsigned char *packet,
 const unsigned short packetlen,
- const u_int64_t packet_time_ms,
- struct ndpi_id_struct *src,
- struct ndpi_id_struct *dst);
+ const u_int64_t packet_time_ms);
 /**
 * Processes one packet and returns the ID of the detected protocol.
@@ -325,8 +311,6 @@ extern "C" {
 * @par packet = unsigned char pointer to the Layer 3 (IP header)
 * @par packetlen = the length of the packet
 * @par packet_time_ms = the current timestamp for the packet (expressed in msec)
- * @par src = pointer to the source subscriber state machine
- * @par dst = pointer to the destination subscriber state machine
 * @return the detected ID of the protocol
 *
 */
@@ -334,9 +318,7 @@ extern "C" {
 struct ndpi_flow_struct *flow,
 const unsigned char *packet,
 const unsigned short packetlen,
- const u_int64_t packet_time_ms,
- struct ndpi_id_struct *src,
- struct ndpi_id_struct *dst);
+ const u_int64_t packet_time_ms);
 /**
 * Get the main protocol of the passed flows for the detected module
 *
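Review bot: The public header loses `SIZEOF_ID_STRUCT`, `ndpi_detection_get_sizeof_ndpi_id_struct()` and the last two parameters of both `ndpi_process_extra_packet` and `ndpi_detection_process_packet`, yet nothing in these hunks tells an integrator that the API changed; `NDPI_API_VERSION` is substituted at configure time, so a bump is not visible here. A caller built against the old header and linked against the new library would still pass `src`/`dst`, and `struct ndpi_flow_struct` changes size in the same commit, so please confirm the API version is raised with this change. I would also record the break in the doc comments of the two functions, e.g. `@note the src/dst id structs were removed; detection state is kept per flow only`.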
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index bdbc622d5..c5e98ec78 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -530,52 +530,6 @@ struct ndpi_lru_cache {
 struct ndpi_lru_cache_entry *entries;
 };
-struct ndpi_id_struct {
- /**
- detected_protocol_bitmask:
- access this bitmask to find out whether an id has used skype or not
- if a flag is set here, it will not be reset
- to compare this, use:
- **/
- NDPI_PROTOCOL_BITMASK detected_protocol_bitmask;
-
- /* NDPI_PROTOCOL_IRC_MAXPORT % 2 must be 0 */
- /* NDPI_PROTOCOL_IRC */
-#define NDPI_PROTOCOL_IRC_MAXPORT 8
- u_int16_t irc_port[NDPI_PROTOCOL_IRC_MAXPORT];
- u_int32_t last_time_port_used[NDPI_PROTOCOL_IRC_MAXPORT];
- u_int32_t irc_ts;
-
- /* NDPI_PROTOCOL_GNUTELLA */
- u_int32_t gnutella_ts;
-
- /* NDPI_PROTOCOL_JABBER */
- u_int32_t jabber_stun_or_ft_ts;
-
- /* NDPI_PROTOCOL_DIRECTCONNECT */
- u_int32_t directconnect_last_safe_access_time;
-
- /* NDPI_PROTOCOL_DIRECTCONNECT */
- u_int16_t detected_directconnect_port;
- u_int16_t detected_directconnect_udp_port;
- u_int16_t detected_directconnect_ssl_port;
-
- /* NDPI_PROTOCOL_JABBER */
-#define JABBER_MAX_STUN_PORTS 6
- u_int16_t jabber_voice_stun_port[JABBER_MAX_STUN_PORTS];
- u_int16_t jabber_file_transfer_port[2];
-
- /* NDPI_PROTOCOL_GNUTELLA */
- u_int16_t detected_gnutella_udp_port1;
- u_int16_t detected_gnutella_udp_port2;
-
- /* NDPI_PROTOCOL_IRC */
- u_int8_t irc_number_of_port;
-
- /* NDPI_PROTOCOL_JABBER */
- u_int8_t jabber_voice_stun_used_ports;
-};
-
 /* ************************************************** */
 struct ndpi_flow_tcp_struct {
@@ -850,7 +804,6 @@ typedef enum {
 NDPI_CONFIDENCE_UNKNOWN = 0, /* Unknown classification */
 NDPI_CONFIDENCE_MATCH_BY_PORT, /* Classification obtained looking only at the L4 ports */
 NDPI_CONFIDENCE_MATCH_BY_IP, /* Classification obtained looking only at the L3 addresses */
- NDPI_CONFIDENCE_DPI_SRC_DST_ID, /* Classification results based on ndpi_id_struct structures */
 NDPI_CONFIDENCE_DPI_CACHE, /* Classification results based on same LRU cache (i.e. correlation among sessions) */
 NDPI_CONFIDENCE_DPI, /* Deep packet inspection */
@@ -1399,9 +1352,6 @@ struct ndpi_flow_struct {
 /* NDPI_PROTOCOL_TINC */
 u_int8_t tinc_state;
 struct tinc_cache_entry tinc_cache_entry;
-
- struct ndpi_id_struct *src;
- struct ndpi_id_struct *dst;
 };
 #define NDPI_PROTOCOL_DEFAULT_LEVEL 0
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 200486bf0..063b65a54 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -246,12 +246,6 @@ u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void) {
 /* *********************************************************************************** */
-u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void) {
- return(sizeof(struct ndpi_id_struct));
-}
-
-/* *********************************************************************************** */
-
 u_int32_t ndpi_detection_get_sizeof_ndpi_flow_tcp_struct(void) {
 return(sizeof(struct ndpi_flow_tcp_struct));
 }
@@ -5279,7 +5273,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
 void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data, const unsigned short packetlen,
- const u_int64_t current_time_ms, struct ndpi_id_struct *src, struct ndpi_id_struct *dst) {
+ const u_int64_t current_time_ms) {
 if(flow == NULL) return;
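Review bot: Deleting `NDPI_CONFIDENCE_DPI_SRC_DST_ID` from the middle of `ndpi_confidence_t` (src/include/ndpi_typedefs.h, hunk at -850) renumbers the two enumerators that follow it, so `NDPI_CONFIDENCE_DPI_CACHE` drops from 4 to 3 and `NDPI_CONFIDENCE_DPI` from 5 to 4. Any consumer that stored or exported the numeric value (flow records, logs, language bindings) would then read older data as a different confidence level without any error. Either keep the slot as a reserved enumerator or pin the remaining values explicitly, e.g. `NDPI_CONFIDENCE_DPI_CACHE = 4,`, and say so in a comment next to the enum. The enum body continues past the hunk, so later members may be affected in the same way.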
@@ -5287,9 +5281,6 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, st
 if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) return;
- /* detect traffic for tcp or udp only */
- flow->src = src, flow->dst = dst;
- ndpi_connection_tracking(ndpi_str, flow);
 /* call the extra packet function (which may add more data/info to flow) */
@@ -5633,8 +5624,7 @@ static int ndpi_do_guess(struct ndpi_detection_module_struct *ndpi_str, struct n
 ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet_data,
- const unsigned short packetlen, const u_int64_t current_time_ms,
- struct ndpi_id_struct *src, struct ndpi_id_struct *dst) {
+ const unsigned short packetlen, const u_int64_t current_time_ms) {
 struct ndpi_packet_struct *packet = &ndpi_str->packet;
 NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet;
 u_int32_t num_calls = 0;
@@ -5664,7 +5654,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 ret.app_protocol = flow->detected_protocol_stack[0];
 if(flow->check_extra_packets) {
- ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms, src, dst);
+ ndpi_process_extra_packet(ndpi_str, flow, packet_data, packetlen, current_time_ms);
 /* Update in case of new match */
 ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0],
@@ -5679,9 +5669,6 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen) != 0) return ret;
- /* detect traffic for tcp or udp only */
- flow->src = src, flow->dst = dst;
- ndpi_connection_tracking(ndpi_str, flow);
 /* build ndpi_selection packet bitmask */
@@ -6419,23 +6406,7 @@ u_int8_t ndpi_detection_get_l4(const u_int8_t *l3, u_int16_t l3_len, const u_int
 void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, u_int16_t upper_detected_protocol, u_int16_t lower_detected_protocol, ndpi_confidence_t confidence) {
- struct ndpi_id_struct *src = flow->src, *dst = flow->dst;
-
 ndpi_int_change_protocol(ndpi_str, flow, upper_detected_protocol, lower_detected_protocol, confidence);
-
- if(src != NULL) {
- NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, upper_detected_protocol);
-
- if(lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN)
- NDPI_ADD_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, lower_detected_protocol);
- }
-
- if(dst != NULL) {
- NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, upper_detected_protocol);
-
- if(lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN)
- NDPI_ADD_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, lower_detected_protocol);
- }
 }
 /* ********************************************************************************* */
@@ -6857,8 +6828,6 @@ const char *ndpi_confidence_get_name(ndpi_confidence_t confidence)
 return "Match by port";
 case NDPI_CONFIDENCE_MATCH_BY_IP:
 return "Match by IP";
- case NDPI_CONFIDENCE_DPI_SRC_DST_ID:
- return "DPI (src/dst ids)";
 case NDPI_CONFIDENCE_DPI_CACHE:
 return "DPI (cache)";
 case NDPI_CONFIDENCE_DPI:
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 55a3f8145..ea418f36d 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -77,151 +77,23 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s struct ndpi_flow_struct *flow, const u_int8_t connection_type) { - - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - - if(src != NULL) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - if(connection_type == DIRECT_CONNECT_TYPE_PEER) { - if(packet->tcp != NULL - && flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) { - src->detected_directconnect_port = packet->tcp->source; - NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port)); - } - if(packet->udp != NULL && src->detected_directconnect_udp_port == 0) { - src->detected_directconnect_udp_port = packet->udp->source; - NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port)); - - } - } - - } - if(dst != NULL) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - if(connection_type == DIRECT_CONNECT_TYPE_PEER) { - if(packet->tcp != NULL - && flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) { - /* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS - * seen at large customer http servers, where someone has send faked DC tcp packets - * to the server - */ - - /* - dst->detected_directconnect_port = packet->tcp->dest; - NDPI_LOG_DBG2(ndpi_struct, - "DC tcp PORT %u for dst\n", - ntohs (dst->detected_directconnect_port)); - */ - } - } - } } static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = 
flow->dst; - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { if(packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) { - u_int16_t ssl_port = parse_binf_message(ndpi_struct, - &packet->payload[4], - packet->payload_packet_len - 4); - if(dst != NULL && ssl_port) - dst->detected_directconnect_ssl_port = ssl_port; - - if(src != NULL && ssl_port) - src->detected_directconnect_ssl_port = ssl_port; + parse_binf_message(ndpi_struct, + &packet->payload[4], + packet->payload_packet_len - 4); } - if((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42) - && memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) { - u_int16_t bytes_read = 0; - if(dst != NULL) { - dst->detected_directconnect_ssl_port = - ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port)); - } - if(src != NULL) { - src->detected_directconnect_ssl_port = - ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port)); - } - - - } return; } - if(src != NULL) { - if(src->detected_directconnect_port == packet->tcp->source) { - if((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - src->detected_directconnect_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); - return; - } - } - if(src->detected_directconnect_ssl_port == packet->tcp->dest) { - 
if((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - src->detected_directconnect_ssl_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); - return; - } - } - - } - - if(dst != NULL) { - if(dst->detected_directconnect_port == packet->tcp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_port = 0; - NDPI_LOG_DBG(ndpi_struct, "resetting dst port due to timeout\n"); - return; - } - } - if(dst->detected_directconnect_ssl_port == packet->tcp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_ssl_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n"); - return; - } - } - - } if(flow->directconnect_stage 
== 0) { 
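Review bot: In ndpi_search_directconnect_tcp the new `parse_binf_message(ndpi_struct, &packet->payload[4], packet->payload_packet_len - 4);` call drops its return value, so the BINF payload is still parsed for a port that nothing stores any more. Unless the helper has another effect that is not visible in this hunk, that is parsing of untrusted bytes with no consumer: either remove the `BINF` branch or make the discard explicit with `(void)parse_binf_message(...)` and a comment saying why the call stays. `ndpi_int_directconnect_add_connection` also no longer reads its `connection_type` parameter, which deserves a `(void)connection_type;` or removal in a follow-up. The function body continues past the end of the hunk.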
@@ -308,124 +180,15 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n } -static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - int pos, count = 0; - - if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using udp port %d\n", ntohs(dst->detected_directconnect_udp_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_udp_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting dst udp port due to timeout\n"); - return; - } - } - - if(packet->payload_packet_len > 58) { - if(src != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) { - if(packet->payload[0] == '$' - && packet->payload[packet->payload_packet_len - 1] == '|' - && memcmp(&packet->payload[1], "SR ", 3) == 0) { - pos = packet->payload_packet_len - 2; - if(packet->payload[pos] == ')') { - while (pos > 0 && packet->payload[pos] != '(' && count < 21) { - pos--; - count++; - } - if(packet->payload[pos] == '(') { - pos = pos - 44; - if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); - ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; - } - } - } - flow->directconnect_stage++; - if(flow->directconnect_stage < 3) - return; - } - - } - if(dst != NULL - && 
NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) { - if(packet->payload[0] == '$' - && packet->payload[packet->payload_packet_len - 1] == '|' - && memcmp(&packet->payload[1], "SR ", 3) == 0) { - pos = packet->payload_packet_len - 2; - if(packet->payload[pos] == ')') { - while (pos > 0 && packet->payload[pos] != '(' && count < 21) { - pos--; - count++; - } - if(packet->payload[pos] == '(') { - pos = pos - 44; - if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); - ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; - } - } - } - flow->directconnect_stage++; - if(flow->directconnect_stage < 3) - return; - } - } - - } - NDPI_LOG_DBG(ndpi_struct, "excluded DC at stage %d \n", flow->directconnect_stage); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT); - - -} - void ndpi_search_directconnect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; NDPI_LOG_DBG(ndpi_struct, "search DC\n"); - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { - if(src != NULL && ((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < - ndpi_struct->directconnect_connection_ip_tick_timeout)) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - - } else if(dst != NULL && ((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < - ndpi_struct->directconnect_connection_ip_tick_timeout)) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - } else { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_UNKNOWN); - NDPI_LOG_DBG2(ndpi_struct, "skipping as unknown 
due to timeout\n"); - } - return; - } - if(packet->tcp != NULL) { ndpi_search_directconnect_tcp(ndpi_struct, flow); - } else if(packet->udp != NULL) { - ndpi_search_directconnect_udp(ndpi_struct, flow); } } @@ -435,7 +198,8 @@ void init_directconnect_dissector(struct ndpi_detection_module_struct *ndpi_stru ndpi_set_bitmask_protocol_detection("DirectConnect", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DIRECTCONNECT, ndpi_search_directconnect, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, + /* TODO: UDP?*/ + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 2af76085f..ecb93d53f 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c 
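Review bot: `/* TODO: UDP?*/` in init_directconnect_dissector (hunk at -435) does not say what was lost: ndpi_search_directconnect_udp is deleted in the hunk at -308 and the selection bitmask becomes TCP-only, so DirectConnect traffic over UDP is no longer classified at all. For anyone who relies on this dissector for detection that is a coverage regression, and the comment should state it, e.g. `/* UDP search-result detection was removed together with ndpi_id_struct; re-add it with per-flow state if still needed */`. With a TCP-only bitmask the `if(packet->tcp != NULL)` test left in ndpi_search_directconnect looks redundant, though the dispatcher that enforces the bitmask is not visible here.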
@@ -33,67 +33,18 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN, confidence); NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n"); - - if (src != NULL) { - src->gnutella_ts = packet->current_time_ms; - if (packet->udp != NULL) { - if (!src->detected_gnutella_udp_port1) { - src->detected_gnutella_udp_port1 = (packet->udp->source); - NDPI_LOG_DBG2(ndpi_struct, - "GNUTELLA UDP PORT1 DETECTED as %u\n", src->detected_gnutella_udp_port1); - - } else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1) - && !src->detected_gnutella_udp_port2) { - src->detected_gnutella_udp_port2 = (packet->udp->source); - NDPI_LOG_DBG2(ndpi_struct, - "GNUTELLA UDP PORT2 DETECTED as %u\n", src->detected_gnutella_udp_port2); - - } - } - } - if (dst != NULL) { - dst->gnutella_ts = packet->current_time_ms; - } } void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; u_int16_t c; NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) { - if (src != NULL && ((u_int32_t) - (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "save src connection packet detected\n"); - src->gnutella_ts = packet->current_time_ms; - } else if (dst != NULL && ((u_int32_t) - (packet->current_time_ms - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "save dst connection packet detected\n"); - dst->gnutella_ts = packet->current_time_ms; 
- } - if (src != NULL && (packet->current_time_ms - src->gnutella_ts) > ndpi_struct->gnutella_timeout) { - src->detected_gnutella_udp_port1 = 0; - src->detected_gnutella_udp_port2 = 0; - } - if (dst != NULL && (packet->current_time_ms - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) { - dst->detected_gnutella_udp_port1 = 0; - dst->detected_gnutella_udp_port2 = 0; - } - - return; - } - /* skip packets without payload */ if (packet->payload_packet_len < 2) { return; @@ -234,12 +185,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru } } } else if (packet->udp != NULL) { - if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 || - packet->udp->source == src->detected_gnutella_udp_port2) && - (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "port based detection\n\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } /* observations: * all the following patterns send out many packets which are the only ones of their flows, * often on the very beginning of the traces, or flows with many packets in one direction only. 
@@ -333,20 +278,18 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (flow->packet_counter == 2 && (packet->payload_packet_len == 33 || packet->payload_packet_len == 22) && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0] && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] - && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] - && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { + && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) { NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } else if (flow->l4.tcp.gnutella_stage == 2 - packet->packet_direction) { if (flow->packet_counter == 2 && (packet->payload_packet_len == 10 || packet->payload_packet_len == 75) && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0] && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] - && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] - && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { + && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) { NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 61dafc2d6..ce8b20c12 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -60,10 +60,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - if(NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) { - goto icecast_exclude; - } - if(flow == NULL) return; if((packet->packet_direction == flow->setup_packet_direction) 
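Review bot: Dropping `NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)` from both NEONet message-ID branches leaves three payload bytes repeated on the second packet plus a packet length (33/22 or 10/75) as the only evidence, and the match is now reported as `NDPI_CONFIDENCE_DPI`. Those bytes are chosen by the peers, so the signature is weaker than before and may label unrelated flows as Gnutella. I would require one more protocol invariant before calling `ndpi_int_gnutella_add_connection`, or at least record the trade-off above each branch, e.g. `/* formerly gated on per-host Gnutella state; msg-id match alone may yield false positives */`. The same gate is removed in `ndpi_int_search_thunder_http` (thunder.c, where every `GET /` packet now reaches `ndpi_parse_packet_line_info`) and around the port-3724 check in `ndpi_search_worldofwarcraft`, so a regression run over the existing capture set is worth attaching to the commit. `ndpi_search_gnutella` starts and ends outside this hunk.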
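Review bot: The `if(flow == NULL) return;` kept as context in `ndpi_search_icecast_tcp` comes after the block closed by the `} }` at the top of this hunk, which is outside my view. If that block already reads `flow`, the test can never protect anything; this looks likely, since the removed `NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)` call also ran ahead of it. As the commit is already editing these lines, either move the check to the first statement of the function or delete it. The function starts outside this hunk.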
@@ -89,7 +85,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - icecast_exclude: NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 6ff3af836..33c41a4c3 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -29,38 +29,11 @@ #include "ndpi_api.h" -#define NDPI_IRC_FIND_LESS(time_err,less) {int t1 = 0; \ - u_int32_t timestamp = time_err[0]; \ - for(t1=0;t1 < NDPI_PROTOCOL_IRC_MAXPORT;t1++) { \ - if(timestamp > time_err[t1]) { \ - timestamp = time_err[t1]; \ - less = t1;}}} - static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); } - - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_duplicate(struct ndpi_id_struct *id_t, u_int16_t port) -{ - int index = 0; - while (index < id_t->irc_number_of_port) { - if (port == id_t->irc_port[index]) - return 1; - index++; - } - return 0; -} - static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -369,17 +342,9 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - int less; u_int16_t c = 0; - u_int16_t port = 0; - u_int16_t sport = 0; - u_int16_t dport = 0; - u_int16_t counter = 0; u_int16_t i = 0; u_int16_t j = 0; - u_int16_t k = 0; u_int16_t h; u_int16_t http_content_ptr_len = 0; u_int8_t space = 0; 
@@ -391,53 +356,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) { - if (src != NULL && ((u_int32_t) - (packet->current_time_ms - src->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "irc : save src connection packet detected\n"); - src->irc_ts = packet->current_time_ms; - } else if (dst != NULL && ((u_int32_t) - (packet->current_time_ms - dst->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "irc : save dst connection packet detected\n"); - dst->irc_ts = packet->current_time_ms; - } - } - - if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) - && ((u_int32_t) - (packet->current_time_ms - dst->irc_ts)) < - ndpi_struct->irc_timeout)) || (src != NULL - && - NDPI_COMPARE_PROTOCOL_TO_BITMASK - (src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) - && ((u_int32_t) - (packet->current_time_ms - src->irc_ts)) < ndpi_struct->irc_timeout)) { - if (packet->tcp != NULL) { - sport = packet->tcp->source; - dport = packet->tcp->dest; - } - if (dst != NULL) { - for (counter = 0; counter < dst->irc_number_of_port; counter++) { - if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) { - dst->last_time_port_used[counter] = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } - } - } - if (src != NULL) { - for (counter = 0; counter < src->irc_number_of_port; counter++) { - if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) { - src->last_time_port_used[counter] = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } - } - } - } - if 
(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(ndpi_struct, flow) != 0) { return; 
@@ -667,70 +585,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (space == 3) { j++; NDPI_LOG_DBG2(ndpi_struct, "read port."); - if (src != NULL) { - k = j; - port = - ntohs_ndpi_bytestream_to_number - (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG_DBG2(ndpi_struct, "port %u.", - port); - j = k; - // hier jetzt überlegen, wie die ports abgespeichert werden sollen - if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT) - NDPI_LOG_DBG2(ndpi_struct, "src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT."); - if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { - if (!ndpi_is_duplicate(src, port)) { - src->irc_port[src->irc_number_of_port] - = port; - src->irc_number_of_port++; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee", - ntohs(get_u_int16_t(src->irc_port, 0))); - } - src->irc_ts = packet->current_time_ms; - } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { - if (!ndpi_is_duplicate(src, port)) { - less = 0; - NDPI_IRC_FIND_LESS(src->last_time_port_used, less); - src->irc_port[less] = port; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0))); - } - src->irc_ts = packet->current_time_ms; - } - if (dst == NULL) { - break; - } - } - if (dst != NULL) { - port = ntohs_ndpi_bytestream_to_number - (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG_DBG2(ndpi_struct, "port %u.", port); - // hier das gleiche wie oben. - /* hier werden NDPI_PROTOCOL_IRC_MAXPORT ports pro irc flows mitgespeichert. könnte man denn nicht ein- - * fach an die dst oder src einen flag setzten, dass dieser port für eine bestimmte - * zeit ein irc-port bleibt? 
- */ - if (dst->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { - if (!ndpi_is_duplicate(dst, port)) { - dst->irc_port[dst->irc_number_of_port] - = port; - dst->irc_number_of_port++; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); - NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu"); - } - dst->irc_ts = packet->current_time_ms; - } else if (port != 0 && dst->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { - if (!ndpi_is_duplicate(dst, port)) { - less = 0; - NDPI_IRC_FIND_LESS(dst->last_time_port_used, less); - dst->irc_port[less] = port; - - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); - } - dst->irc_ts = packet->current_time_ms; - } - - break; - } } diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c index a5e5a069e..89dd3c8db 100644 --- a/src/lib/protocols/jabber.c +++ b/src/lib/protocols/jabber.c @@ -65,9 +65,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - u_int16_t x; NDPI_LOG_DBG(ndpi_struct, "search JABBER\n"); 
@@ -76,193 +73,10 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st return; } - /* search for jabber file transfer */ - /* this part is working asymmetrically */ - if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) { - NDPI_LOG_DBG2(ndpi_struct, "check jabber syn\n"); - if (src != NULL && src->jabber_file_transfer_port[0] != 0) { - NDPI_LOG_DBG2(ndpi_struct, "src jabber ft port set, ports are: %u, %u\n", - ntohs(src->jabber_file_transfer_port[0]), - ntohs(src->jabber_file_transfer_port[1])); - if (((u_int32_t) - (packet->current_time_ms - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n", - src->jabber_stun_or_ft_ts, packet->current_time_ms); - src->jabber_file_transfer_port[0] = 0; - src->jabber_file_transfer_port[1] = 0; - } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest - || src->jabber_file_transfer_port[0] == packet->tcp->source - || src->jabber_file_transfer_port[1] == packet->tcp->dest - || src->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); - - ndpi_int_jabber_add_connection(ndpi_struct, flow, - NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } - } - if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) { - NDPI_LOG_DBG2(ndpi_struct, "dst jabber ft port set, ports are: %u, %u\n", - ntohs(dst->jabber_file_transfer_port[0]), - ntohs(dst->jabber_file_transfer_port[1])); - if (((u_int32_t) - (packet->current_time_ms - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n", - dst->jabber_stun_or_ft_ts, packet->current_time_ms); - dst->jabber_file_transfer_port[0] = 0; - dst->jabber_file_transfer_port[1] = 0; - } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest - || dst->jabber_file_transfer_port[0] == 
packet->tcp->source - || dst->jabber_file_transfer_port[1] == packet->tcp->dest - || dst->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); - - ndpi_int_jabber_add_connection(ndpi_struct, flow, - NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } - } - return; - } - if (packet->tcp != 0 && packet->payload_packet_len == 0) { return; } - - /* this part parses a packet and searches for port=. it works asymmetrically. */ - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_JABBER) { - u_int16_t lastlen; - u_int16_t j_port = 0; - /* check for google jabber voip connections ... */ - /* need big packet */ - if (packet->payload_packet_len < 100) { - NDPI_LOG_DBG2(ndpi_struct, "packet too small, return\n"); - return; - } - /* need message to or type for file-transfer */ - if (memcmp(packet->payload, "<iq from=\"", 10) == 0 || memcmp(packet->payload, "<iq from=\'", 10) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq from=\"\n"); - lastlen = packet->payload_packet_len - 11; - for (x = 10; x < lastlen; x++) { - if (packet->payload[x] == 'p') { - if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "port=\n"); - if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->current_time_ms; - } - x += 6; - j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); - if (src != NULL) { - if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[1] = j_port; - } - } - if (dst != 
NULL) { - if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[1] = j_port; - } - } - } - - - } - } - - } else if (memcmp(packet->payload, "<iq to=\"", 8) == 0 || memcmp(packet->payload, "<iq to=\'", 8) == 0 - || memcmp(packet->payload, "<iq type=", 9) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq to=\"/type=\"\n"); - lastlen = packet->payload_packet_len - 21; - for (x = 8; x < lastlen; x++) { - /* invalid character */ - if (packet->payload[x] < 32 || packet->payload[x] > 127) { - return; - } - if (packet->payload[x] == '@') { - NDPI_LOG_DBG2(ndpi_struct, "JABBER @\n"); - break; - } - } - if (x >= lastlen) { - return; - } - - lastlen = packet->payload_packet_len - 10; - for (; x < lastlen; x++) { - if (packet->payload[x] == 'p') { - if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "port=\n"); - if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - x += 6; - j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); - - if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { - if (packet->payload[5] == 'o') { - src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++] - = j_port; - } else { - if (src->jabber_file_transfer_port[0] == 0 - || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[0] = j_port; - } else { - 
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[1] = j_port; - } - } - } - - if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { - if (packet->payload[5] == 'o') { - dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++] - = j_port; - } else { - if (dst->jabber_file_transfer_port[0] == 0 - || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[1] = j_port; - } - } - } - return; - } - } - } - } - return; - } - - /* search for jabber here */ /* this part is working asymmetrically */ if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0) diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c index 7b5625511..caafa4e4c 100644 --- a/src/lib/protocols/thunder.c +++ b/src/lib/protocols/thunder.c @@ -135,11 +135,9 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; if (packet->payload_packet_len > 5 - && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) { + && memcmp(packet->payload, "GET /", 5) == 0) { NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n"); ndpi_parse_packet_line_info(ndpi_struct, flow); diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c index 2d35fe7ab..8b6da51f9 100644 --- a/src/lib/protocols/world_of_warcraft.c +++ b/src/lib/protocols/world_of_warcraft.c 
@@ -56,9 +56,6 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - NDPI_LOG_DBG(ndpi_struct, "search World of Warcraft\n"); if (packet->tcp != NULL) { @@ -108,14 +105,11 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct return; } - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0) { - if (packet->tcp->source == htons(3724) - && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { - ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); - return; - } - + if (packet->tcp->source == htons(3724) + && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { + ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); + return; } /* for some well known WoW ports |