-rw-r--r-- | example/intrusion_detection.c | 4 | ||||
-rw-r--r-- | example/ndpiReader.c | 10 | ||||
-rw-r--r-- | example/reader_util.c | 22 | ||||
-rw-r--r-- | example/reader_util.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 8 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 5 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 25 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 54 | ||||
-rw-r--r-- | src/lib/protocols/ayiya.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/battlefield.c | 126 | ||||
-rw-r--r-- | src/lib/protocols/directconnect.c | 32 | ||||
-rw-r--r-- | src/lib/protocols/gnutella.c | 18 | ||||
-rw-r--r-- | src/lib/protocols/irc.c | 24 | ||||
-rw-r--r-- | src/lib/protocols/jabber.c | 16 | ||||
-rw-r--r-- | src/lib/protocols/oscar.c | 816 | ||||
-rw-r--r-- | src/lib/protocols/pcanywhere.c | 67 | ||||
-rw-r--r-- | src/lib/protocols/rtsp.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/soulseek.c | 34 | ||||
-rw-r--r-- | src/lib/protocols/thunder.c | 12 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 6 | ||||
-rw-r--r-- | src/lib/protocols/tvants.c | 85 | ||||
-rw-r--r-- | src/lib/protocols/zattoo.c | 12 | ||||
-rw-r--r-- | tests/result/Oscar.pcap.out | 4 |
23 files changed, 124 insertions, 1264 deletions
diff --git a/example/intrusion_detection.c b/example/intrusion_detection.c index cce25a8b8..7296c2d29 100644 --- a/example/intrusion_detection.c +++ b/example/intrusion_detection.c @@ -154,7 +154,7 @@ double Dos_goldeneye_score(struct ndpi_flow_info* flow){ } double Dos_hulk_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + double f = (double)flow->first_seen_ms/1000.0, l = (double)flow->last_seen_ms/1000.0; int n_metrics = 6; ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); /* duration */ @@ -308,7 +308,7 @@ double Ftp_patator_score(struct ndpi_flow_info* flow){ } double Hearthbleed_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + double f = (double)flow->first_seen_ms/1000.0, l = (double)flow->last_seen_ms/1000.0; int n_metrics = 6; ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); /* iat_flow_max */ diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b40b7d30e..211019e3b 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -998,7 +998,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa if(csv_fp != NULL) { float data_ratio = ndpi_data_ratio(flow->src2dst_bytes, flow->dst2src_bytes); - double f = (double)flow->first_seen, l = (double)flow->last_seen; + double f = (double)flow->first_seen_ms, l = (double)flow->last_seen_ms; /* PLEASE KEEP IN SYNC WITH printCSVHeader() */ dos_ge_score = Dos_goldeneye_score(flow); 
@@ -1164,8 +1164,8 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa 100.0*((float)flow->src2dst_goodput_bytes / (float)(flow->src2dst_bytes+1)), 100.0*((float)flow->dst2src_goodput_bytes / (float)(flow->dst2src_bytes+1))); - if(flow->last_seen > flow->first_seen) - fprintf(out, "[%.2f sec]", ((float)(flow->last_seen - flow->first_seen))/(float)1000); + if(flow->last_seen_ms > flow->first_seen_ms) + fprintf(out, "[%.2f sec]", ((float)(flow->last_seen_ms - flow->first_seen_ms))/(float)1000); else fprintf(out, "[< 1 sec]"); @@ -1761,7 +1761,7 @@ static void node_idle_scan_walker(const void *node, ndpi_VISIT which, int depth, return; if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */ - if(flow->last_seen + MAX_IDLE_TIME < ndpi_thread_info[thread_id].workflow->last_time) { + if(flow->last_seen_ms + MAX_IDLE_TIME < ndpi_thread_info[thread_id].workflow->last_time) { /* update stats */ node_proto_guess_walker(node, which, depth, user_data); @@ -3182,7 +3182,7 @@ void serializerUnitTest() { break; default: printf("ERROR: Unsupported TLV key type %u\n", kt); - // exit(0); + //exit(0); return; } diff --git a/example/reader_util.c b/example/reader_util.c index 833f200bf..b4e2c943a 100644 --- a/example/reader_util.c +++ b/example/reader_util.c @@ -1222,7 +1222,7 @@ void update_tcp_flags_count(struct ndpi_flow_info* flow, struct ndpi_tcphdr* tcp @Note: ipsize = header->len - ip_offset ; rawsize = header->len */ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, - const u_int64_t time, + const u_int64_t time_ms, u_int16_t vlan_id, ndpi_packet_tunnel tunnel_type, const struct ndpi_iphdr *iph, 
@@ -1355,10 +1355,10 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } } - if(flow->first_seen == 0) - flow->first_seen = time; + if(flow->first_seen_ms == 0) + flow->first_seen_ms = time_ms; - flow->last_seen = time; + flow->last_seen_ms = time_ms; /* Copy packets entropy if num packets count == 10 */ ndpi_clear_entropy_stats(flow); @@ -1410,7 +1410,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, - ipsize, time, src, dst); + ipsize, time_ms, src, dst); if(enough_packets || (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN)) { if((!enough_packets) @@ -1484,7 +1484,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, int wifi_len = 0; int pyld_eth_len = 0; int check; - u_int64_t time; + u_int64_t time_ms; u_int16_t ip_offset = 0, ip_len; u_int16_t frag_off = 0, vlan_id = 0; u_int8_t proto = 0, recheck_type; @@ -1497,15 +1497,15 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, workflow->stats.raw_packet_count++; /* setting time */ - time = ((uint64_t) header->ts.tv_sec) * TICK_RESOLUTION + header->ts.tv_usec / (1000000 / TICK_RESOLUTION); + time_ms = ((uint64_t) header->ts.tv_sec) * TICK_RESOLUTION + header->ts.tv_usec / (1000000 / TICK_RESOLUTION); /* safety check */ - if(workflow->last_time > time) { + if(workflow->last_time > time_ms) { /* printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); */ - time = workflow->last_time; + time_ms = workflow->last_time; } /* update last time value */ - workflow->last_time = time; + workflow->last_time = time_ms; /*** check Data Link type ***/ int datalink_type; 
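Review bot: In the `@@ -1497` hunk of ndpi_workflow_process_packet, `time_ms` only holds milliseconds when TICK_RESOLUTION is 1000, because the value is still computed as `tv_sec * TICK_RESOLUTION + tv_usec / (1000000 / TICK_RESOLUTION)`. TICK_RESOLUTION is defined outside this diff, so either state the requirement next to the computation, e.g. `/* TICK_RESOLUTION must be 1000: time_ms, first_seen_ms and last_seen_ms are milliseconds */`, or make the unit explicit with `time_ms = ((uint64_t) header->ts.tv_sec) * 1000 + header->ts.tv_usec / 1000;`. `workflow->last_time` is compared with and assigned from `time_ms` but keeps its unit-less name, and the commented-out printf in the same hunk still refers to `time`. The function body starts and ends outside the hunk.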
@@ -1863,7 +1863,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, } /* process the packet */ - return(packet_processing(workflow, time, vlan_id, tunnel_type, iph, iph6, + return(packet_processing(workflow, time_ms, vlan_id, tunnel_type, iph, iph6, ip_offset, header->caplen - ip_offset, header->caplen, header, packet, header->ts)); } diff --git a/example/reader_util.h b/example/reader_util.h index f8302866f..bcfc1b5b6 100644 --- a/example/reader_util.h +++ b/example/reader_util.h @@ -174,7 +174,7 @@ typedef struct ndpi_flow_info { u_int32_t fin_count, src2dst_fin_count, dst2src_fin_count; u_int32_t rst_count, src2dst_rst_count, dst2src_rst_count; u_int32_t c_to_s_init_win, s_to_c_init_win; - u_int64_t first_seen, last_seen; + u_int64_t first_seen_ms, last_seen_ms; u_int64_t src2dst_bytes, dst2src_bytes; u_int64_t src2dst_goodput_bytes, dst2src_goodput_bytes; u_int32_t src2dst_packets, dst2src_packets; diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index b63f1525c..e2951ec22 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -87,7 +87,7 @@ typedef enum { NDPI_PROTOCOL_ZATTOO = 55, NDPI_PROTOCOL_SHOUTCAST = 56, NDPI_PROTOCOL_SOPCAST = 57, - NDPI_PROTOCOL_TVANTS = 58, + NDPI_PROTOCOL_FREE_58 = 58, /* Free */ NDPI_PROTOCOL_TVUPLAYER = 59, NDPI_PROTOCOL_HTTP_DOWNLOAD = 60, NDPI_PROTOCOL_QQLIVE = 61, @@ -98,9 +98,9 @@ typedef enum { NDPI_PROTOCOL_AYIYA = 66, NDPI_PROTOCOL_UNENCRYPTED_JABBER = 67, NDPI_PROTOCOL_NATS = 68, - NDPI_PROTOCOL_OSCAR = 69, + NDPI_PROTOCOL_FREE_69 = 69, /* Free */ NDPI_PROTOCOL_YAHOO = 70, - NDPI_PROTOCOL_BATTLEFIELD = 71, + NDPI_PROTOCOL_FREE_71 = 71, /* Free */ NDPI_PROTOCOL_GOOGLE_PLUS = 72, NDPI_PROTOCOL_IP_VRRP = 73, NDPI_PROTOCOL_STEAM = 74, /* Tomasz Bujlow <tomasz@skatnet.dk> */ 
@@ -119,7 +119,7 @@ typedef enum { NDPI_PROTOCOL_RTP = 87, NDPI_PROTOCOL_RDP = 88, NDPI_PROTOCOL_VNC = 89, - NDPI_PROTOCOL_PCANYWHERE = 90, + NDPI_PROTOCOL_FREE90 = 90, /* Free */ NDPI_PROTOCOL_TLS = 91, NDPI_PROTOCOL_SSH = 92, NDPI_PROTOCOL_USENET = 93, diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 29ff27959..3ef3cbf28 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -58,7 +58,6 @@ void init_applejuice_dissector(struct ndpi_detection_module_struct *ndpi_struct, void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); -void init_battlefield_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
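Review bot: `NDPI_PROTOCOL_FREE90` in the `@@ -119` hunk does not follow the naming used for the other released slots in this enum (`NDPI_PROTOCOL_FREE_58`, `NDPI_PROTOCOL_FREE_69`, `NDPI_PROTOCOL_FREE_71`); `NDPI_PROTOCOL_FREE_90 = 90, /* Free */` would let one pattern find all of them, with the matching rename in the ndpi_set_proto_defaults() call in ndpi_main.c. The enum lives under src/include, so code outside this tree that still references NDPI_PROTOCOL_TVANTS, NDPI_PROTOCOL_OSCAR, NDPI_PROTOCOL_BATTLEFIELD or NDPI_PROTOCOL_PCANYWHERE will stop compiling. A short comment above the freed entries saying that these ids are retired and may be reassigned would tell integrators not to treat stored ids 58, 69, 71 and 90 as stable.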
@@ -121,9 +120,7 @@ void init_ntp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int3 void init_openft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_oracle_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); -void init_oscar_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_pando_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); -void init_pcanywhere_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_postgres_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_pplive_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ppstream_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -167,7 +164,6 @@ void init_telnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i void init_tftp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_thunder_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_tor_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); -void init_tvants_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_tvuplayer_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_usenet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_upnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -182,7 +178,6 @@ void init_world_of_warcraft_dissector(struct ndpi_detection_module_struct *ndpi_ void init_world_of_kung_fu_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_xbox_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_xdmcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); -void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_zattoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_zmq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index dc1aa208e..febce1a25 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -509,18 +509,12 @@ struct ndpi_id_struct { /* NDPI_PROTOCOL_GNUTELLA */ u_int32_t gnutella_ts; - /* NDPI_PROTOCOL_BATTLEFIELD */ - u_int32_t battlefield_ts; - /* NDPI_PROTOCOL_THUNDER */ u_int32_t thunder_ts; /* NDPI_PROTOCOL_RTSP */ u_int32_t rtsp_timer; - /* NDPI_PROTOCOL_OSCAR */ - u_int32_t oscar_last_safe_access_time; - /* NDPI_PROTOCOL_ZATTOO */ u_int32_t zattoo_ts; @@ -561,9 +555,6 @@ struct ndpi_id_struct { /* NDPI_PROTOCOL_IRC */ u_int8_t irc_number_of_port; - /* NDPI_PROTOCOL_OSCAR */ - u_int8_t oscar_ssl_session_id[33]; - /* NDPI_PROTOCOL_UNENCRYPTED_JABBER */ u_int8_t jabber_voice_stun_used_ports; 
@@ -733,15 +724,9 @@ struct ndpi_flow_tcp_struct { /* ************************************************** */ struct ndpi_flow_udp_struct { - /* NDPI_PROTOCOL_BATTLEFIELD */ - u_int32_t battlefield_msg_id; - /* NDPI_PROTOCOL_SNMP */ u_int32_t snmp_msg_id; - /* NDPI_PROTOCOL_BATTLEFIELD */ - u_int32_t battlefield_stage:3; - /* NDPI_PROTOCOL_SNMP */ u_int32_t snmp_stage:2; @@ -802,8 +787,7 @@ struct ndpi_packet_struct { const u_int8_t *generic_l4_ptr; /* is set only for non tcp-udp traffic */ const u_int8_t *payload; - u_int32_t tick_timestamp; - u_int64_t tick_timestamp_l; + u_int64_t current_time_ms; u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; u_int8_t detected_subprotocol_stack[NDPI_PROTOCOL_SIZE]; @@ -1074,16 +1058,12 @@ struct ndpi_detection_module_struct { u_int32_t irc_timeout; /* gnutella parameters */ u_int32_t gnutella_timeout; - /* battlefield parameters */ - u_int32_t battlefield_timeout; /* thunder parameters */ u_int32_t thunder_timeout; /* SoulSeek parameters */ u_int32_t soulseek_connection_ip_tick_timeout; /* rtsp parameters */ u_int32_t rtsp_connection_timeout; - /* tvants parameters */ - u_int32_t tvants_connection_timeout; /* rstp */ u_int32_t orb_rstp_ts_timeout; /* yahoo */ @@ -1330,9 +1310,6 @@ struct ndpi_flow_struct { /* NDPI_PROTOCOL_THUNDER */ u_int8_t thunder_stage:2; // 0 - 3 - /* NDPI_PROTOCOL_OSCAR */ - u_int8_t oscar_ssl_voice_stage:3, oscar_video_voice:1; - /* NDPI_PROTOCOL_FLORENSIA */ u_int8_t florensia_stage:1; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index a116765bc..a91222bea 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -902,8 +902,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, no_master, "Sopcast", NDPI_PROTOCOL_CATEGORY_VIDEO, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TVANTS, 0 /* can_have_a_subprotocol */, - no_master, no_master, "Tvants", NDPI_PROTOCOL_CATEGORY_VIDEO, + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_58, 0 /* can_have_a_subprotocol */, + no_master, no_master, "Free58", NDPI_PROTOCOL_CATEGORY_VIDEO, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TVUPLAYER, 0 /* can_have_a_subprotocol */, 
@@ -944,12 +944,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp 0 /* can_have_a_subprotocol */, no_master, no_master, "Unencrypted_Jabber", NDPI_PROTOCOL_CATEGORY_WEB, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OSCAR, 0 /* can_have_a_subprotocol */, - no_master, no_master, "Oscar", NDPI_PROTOCOL_CATEGORY_CHAT, + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_69, 0 /* can_have_a_subprotocol */, + no_master, no_master, "Free69", NDPI_PROTOCOL_CATEGORY_CHAT, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_BATTLEFIELD, 0 /* can_have_a_subprotocol */, - no_master, no_master, "BattleField", NDPI_PROTOCOL_CATEGORY_GAME, + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_71, 0 /* can_have_a_subprotocol */, + no_master, no_master, "Free71", NDPI_PROTOCOL_CATEGORY_GAME, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_VRRP, 0 /* can_have_a_subprotocol */, 
@@ -1026,10 +1026,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, no_master, "VNC", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, ndpi_build_default_ports(ports_a, 5900, 5901, 5800, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PCANYWHERE, - 0 /* can_have_a_subprotocol */, no_master, no_master, "PcAnywhere", - NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE90, 0 /* can_have_a_subprotocol */, + no_master, no_master, "Free90", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, + ndpi_build_default_ports(ports_a, 5900, 5901, 5800, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZOOM, 0 /* can_have_a_subprotocol */, no_master, no_master, "Zoom", NDPI_PROTOCOL_CATEGORY_VIDEO, @@ -1044,7 +1043,6 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, no_master, "WhatsApp", NDPI_PROTOCOL_CATEGORY_CHAT, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_TLS, 1 /* can_have_a_subprotocol */, no_master, no_master, "TLS", NDPI_PROTOCOL_CATEGORY_WEB, ndpi_build_default_ports(ports_a, 443, 0, 0, 0, 0) /* TCP */, 
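Review bot: The placeholder entry for `NDPI_PROTOCOL_FREE90` in the `@@ -1026` hunk registers TCP default ports 5900, 5901 and 5800, the same ports as the VNC entry directly above it, whereas the removed PcAnywhere entry registered none. This looks like a copy-paste slip from the VNC call. Depending on how ndpi_set_proto_defaults() handles a port that is registered twice (not visible in this diff), port-based guesses for VNC traffic could be labelled "Free90", which would hide remote-access sessions from anything that filters on the VNC label. The line should read `ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,` like the other freed slots. ndpi_init_protocol_defaults starts and ends outside the hunk.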
@@ -1971,12 +1969,8 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs NDPI_DIRECTCONNECT_CONNECTION_IP_TICK_TIMEOUT * ndpi_str->ticks_per_second; ndpi_str->rtsp_connection_timeout = NDPI_RTSP_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; - ndpi_str->tvants_connection_timeout = NDPI_TVANTS_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; ndpi_str->irc_timeout = NDPI_IRC_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; ndpi_str->gnutella_timeout = NDPI_GNUTELLA_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; - - ndpi_str->battlefield_timeout = NDPI_BATTLEFIELD_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; - ndpi_str->thunder_timeout = NDPI_THUNDER_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; ndpi_str->zattoo_connection_timeout = NDPI_ZATTOO_CONNECTION_TIMEOUT * ndpi_str->ticks_per_second; ndpi_str->jabber_stun_timeout = NDPI_JABBER_STUN_TIMEOUT * ndpi_str->ticks_per_second; @@ -2831,9 +2825,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* NATS */ init_nats_dissector(ndpi_str, &a, detection_bitmask); - /* OSCAR */ - init_oscar_dissector(ndpi_str, &a, detection_bitmask); - /* APPLEJUICE */ init_applejuice_dissector(ndpi_str, &a, detection_bitmask); @@ -2873,9 +2864,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* NON_TCP_UDP */ init_non_tcp_udp_dissector(ndpi_str, &a, detection_bitmask); - /* TVANTS */ - init_tvants_dissector(ndpi_str, &a, detection_bitmask); - /* SOPCAST */ init_sopcast_dissector(ndpi_str, &a, detection_bitmask); @@ -2960,12 +2948,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* BGP */ init_bgp_dissector(ndpi_str, &a, detection_bitmask); - /* BATTLEFIELD */ - init_battlefield_dissector(ndpi_str, &a, detection_bitmask); - - /* PCANYWHERE */ - init_pcanywhere_dissector(ndpi_str, &a, detection_bitmask); - /* SNMP */ init_snmp_dissector(ndpi_str, &a, detection_bitmask); 
@@ -4097,7 +4079,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet, const unsigned short packetlen, - const u_int64_t current_tick_l, struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { + const u_int64_t current_time_ms, struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { if(flow == NULL) return; @@ -4109,8 +4091,7 @@ void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_str, st return; } - flow->packet.tick_timestamp_l = current_tick_l; - flow->packet.tick_timestamp = (u_int32_t)(current_tick_l / ndpi_str->ticks_per_second); + flow->packet.current_time_ms = current_time_ms; /* parse packet */ flow->packet.iph = (struct ndpi_iphdr *) packet; @@ -4398,7 +4379,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(ndpi_str->msteams_cache) ndpi_lru_add_to_cache(ndpi_str->msteams_cache, flow->packet.iph->saddr, - flow->packet.tick_timestamp & 0xFFFF /* 16 bit */); + (flow->packet.current_time_ms / 1000) & 0xFFFF /* 16 bit */); } break; @@ -4411,7 +4392,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(ndpi_lru_find_cache(ndpi_str->msteams_cache, flow->packet.iph->saddr, &when, 0 /* Don't remove it as it can be used for other connections */)) { - u_int16_t tdiff = (flow->packet.tick_timestamp & 0xFFFF) - when; + u_int16_t tdiff = ((flow->packet.current_time_ms /1000) & 0xFFFF) - when; if(tdiff < 60 /* sec */) { // printf("====>> NDPI_PROTOCOL_SKYPE(_CALL) -> NDPI_PROTOCOL_MSTEAMS [%u]\n", tdiff); 
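Review bot: `ndpi_process_extra_packet()` in the `@@ -4097` hunk, and `ndpi_detection_process_packet()` in the later `@@ -4432` hunk, now take `current_time_ms` and store it unscaled, but nothing documents that callers must pass milliseconds. The removed code divided the argument by `ndpi_str->ticks_per_second`, so a caller using another tick rate was still normalised to seconds; the new MS Teams cache code instead hard-codes `/ 1000`. A caller that passes ticks at a different resolution would therefore get wrong cache ages and dissector timeouts without any error. Add a comment on both functions, e.g. `/* current_time_ms: packet timestamp in milliseconds; it is no longer rescaled by ticks_per_second */`, and consider whether `ticks_per_second` should still scale the per-protocol timeouts set in ndpi_init_detection_module.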
@@ -4420,7 +4401,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s /* Refresh cache */ ndpi_lru_add_to_cache(ndpi_str->msteams_cache, flow->packet.iph->saddr, - flow->packet.tick_timestamp & 0xFFFF /* 16 bit */); + (flow->packet.current_time_ms / 1000) & 0xFFFF /* 16 bit */); } } } @@ -4432,7 +4413,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow, const unsigned char *packet, - const unsigned short packetlen, const u_int64_t current_tick_l, + const unsigned short packetlen, const u_int64_t current_time_ms, struct ndpi_id_struct *src, struct ndpi_id_struct *dst) { NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; u_int32_t a; @@ -4457,7 +4438,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { if(flow->check_extra_packets) { - ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_tick_l, src, dst); + ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_time_ms, src, dst); /* Update in case of new match */ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0], ret.category = flow->category; @@ -4473,8 +4454,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct goto invalidate_ptr; } - flow->packet.tick_timestamp_l = current_tick_l; - flow->packet.tick_timestamp = (u_int32_t)(current_tick_l / ndpi_str->ticks_per_second); + flow->packet.current_time_ms = current_time_ms; /* parse packet */ flow->packet.iph = (struct ndpi_iphdr *) packet; diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c index b0ebc3749..b810da2d1 100644 --- a/src/lib/protocols/ayiya.c +++ b/src/lib/protocols/ayiya.c 
@@ -57,7 +57,7 @@ void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct u_int32_t epoch = ntohl(a->epoch), now; u_int32_t fiveyears = 86400 * 365 * 5; - now = flow->packet.tick_timestamp; + now = flow->packet.current_time_ms; if((epoch >= (now - fiveyears)) && (epoch <= (now+86400 /* 1 day */))) { NDPI_LOG_INFO(ndpi_struct, "found AYIYA\n"); diff --git a/src/lib/protocols/battlefield.c b/src/lib/protocols/battlefield.c deleted file mode 100644 index 14768cdb3..000000000 --- a/src/lib/protocols/battlefield.c +++ /dev/null 
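Review bot: `now = flow->packet.current_time_ms;` stores a millisecond value, truncated to 32 bits, in a variable that is compared with `epoch` and `fiveyears`, both of which are in seconds. The field it replaces, `tick_timestamp`, was `current_tick_l / ndpi_str->ticks_per_second` (see the lines removed in ndpi_main.c). As a result the plausibility window `(epoch >= (now - fiveyears)) && (epoch <= (now+86400))` no longer brackets the packet time and is likely to reject genuine AYIYA tunnels. Use `now = (u_int32_t)(flow->packet.current_time_ms / 1000);`, matching the `/ 1000` conversion the MS Teams cache code in ndpi_main.c applies. ndpi_search_ayiya starts and ends outside the hunk.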
@@ -1,126 +0,0 @@ -/* - * battlefield.c - * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-20 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * - */ - -#include "ndpi_protocol_ids.h" - -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BATTLEFIELD - -#include "ndpi_api.h" - -static void ndpi_int_battlefield_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BATTLEFIELD, NDPI_PROTOCOL_UNKNOWN); - - if (src != NULL) { - src->battlefield_ts = packet->tick_timestamp; - } - if (dst != NULL) { - dst->battlefield_ts = packet->tick_timestamp; - } -} - -void ndpi_search_battlefield(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_BATTLEFIELD) { - if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - src->battlefield_ts) < 
ndpi_struct->battlefield_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, - "battlefield : save src connection packet detected\n"); - src->battlefield_ts = packet->tick_timestamp; - } else if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - dst->battlefield_ts) < ndpi_struct->battlefield_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, - "battlefield : save dst connection packet detected\n"); - dst->battlefield_ts = packet->tick_timestamp; - } - return; - } - - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_BATTLEFIELD)) { - if (flow->l4.udp.battlefield_stage == 0 || flow->l4.udp.battlefield_stage == 1 + packet->packet_direction) { - if (packet->payload_packet_len > 8 && get_u_int16_t(packet->payload, 0) == htons(0xfefd)) { - flow->l4.udp.battlefield_msg_id = get_u_int32_t(packet->payload, 2); - flow->l4.udp.battlefield_stage = 1 + packet->packet_direction; - return; - } - } else if (flow->l4.udp.battlefield_stage == 2 - packet->packet_direction) { - if (packet->payload_packet_len > 8 && get_u_int32_t(packet->payload, 0) == flow->l4.udp.battlefield_msg_id) { - NDPI_LOG_INFO(ndpi_struct, "found Battlefield message and reply detected\n"); - ndpi_int_battlefield_add_connection(ndpi_struct, flow); - return; - } - } - } - - if (flow->l4.udp.battlefield_stage == 0) { - if (packet->payload_packet_len == 46 && packet->payload[2] == 0 && packet->payload[4] == 0 - && get_u_int32_t(packet->payload, 7) == htonl(0x98001100)) { - flow->l4.udp.battlefield_stage = 3 + packet->packet_direction; - return; - } - } else if (flow->l4.udp.battlefield_stage == 4 - packet->packet_direction) { - if (packet->payload_packet_len == 7 - && (packet->payload[0] == 0x02 || packet->payload[packet->payload_packet_len - 1] == 0xe0)) { - NDPI_LOG_INFO(ndpi_struct, "found Battlefield message and reply detected\n"); - ndpi_int_battlefield_add_connection(ndpi_struct, flow); - return; - } - } - - if (packet->payload_packet_len == 18 && memcmp(&packet->payload[5], "battlefield2\x00", 13) == 0) { - 
NDPI_LOG_INFO(ndpi_struct, "found Battlefield 2 hello packet detected\n"); - ndpi_int_battlefield_add_connection(ndpi_struct, flow); - return; - } else if (packet->payload_packet_len > 10 && - (memcmp(packet->payload, "\x11\x20\x00\x01\x00\x00\x50\xb9\x10\x11", 10) == 0 - || memcmp(packet->payload, "\x11\x20\x00\x01\x00\x00\x30\xb9\x10\x11", 10) == 0 - || memcmp(packet->payload, "\x11\x20\x00\x01\x00\x00\xa0\x98\x00\x11", 10) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found Battlefield safe pattern detected\n"); - ndpi_int_battlefield_add_connection(ndpi_struct, flow); - return; - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); -} - - -void init_battlefield_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ - ndpi_set_bitmask_protocol_detection("BattleField", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_BATTLEFIELD, - ndpi_search_battlefield, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); - *id += 1; -} diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index 07e9f70f3..e93214228 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c @@ -85,7 +85,7 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); if(src != NULL) { - src->directconnect_last_safe_access_time = packet->tick_timestamp; + src->directconnect_last_safe_access_time = packet->current_time_ms; if(connection_type == DIRECT_CONNECT_TYPE_PEER) { if(packet->tcp != NULL && flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) { 
@@ -101,7 +101,7 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s } if(dst != NULL) { - dst->directconnect_last_safe_access_time = packet->tick_timestamp; + dst->directconnect_last_safe_access_time = packet->current_time_ms; if(connection_type == DIRECT_CONNECT_TYPE_PEER) { if(packet->tcp != NULL && flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) { @@ -162,9 +162,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if(src != NULL) { if(src->detected_directconnect_port == packet->tcp->source) { if((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->tick_timestamp; + src->directconnect_last_safe_access_time = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port)); ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; @@ -176,9 +176,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n } if(src->detected_directconnect_ssl_port == packet->tcp->dest) { if((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->tick_timestamp; + src->directconnect_last_safe_access_time = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port)); ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; 
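Review bot: The timeout tests in the `@@ -162` and `@@ -176` hunks, and the same pattern at `@@ -194`, `@@ -208`, `@@ -319` and `@@ -405`, now subtract millisecond timestamps but still compare the result with `directconnect_connection_ip_tick_timeout`. ndpi_init_detection_module sets that timeout to `NDPI_DIRECTCONNECT_CONNECTION_IP_TICK_TIMEOUT * ndpi_str->ticks_per_second`, so the comparison only has matching units when ticks_per_second is 1000. The declaration of `directconnect_last_safe_access_time` is not in this diff; if it is 32-bit like the neighbouring `*_ts` fields in ndpi_id_struct, the assignment truncates the 64-bit millisecond value, and the result is correct only because the difference is cast to `u_int32_t`. A comment at the first comparison would record both assumptions, e.g. `/* 32-bit ms timestamps: compare only via unsigned difference; timeout is in ms (ticks_per_second == 1000) */`. The enclosing functions start and end outside these hunks.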
@@ -194,9 +194,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if(dst != NULL) { if(dst->detected_directconnect_port == packet->tcp->dest) { if((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->tick_timestamp; + dst->directconnect_last_safe_access_time = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_port)); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; @@ -208,9 +208,9 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n } if(dst->detected_directconnect_ssl_port == packet->tcp->dest) { if((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->tick_timestamp; + dst->directconnect_last_safe_access_time = packet->current_time_ms; NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port)); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; 
@@ -319,10 +319,10 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { if((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->tick_timestamp; + dst->directconnect_last_safe_access_time = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found DC using udp port %d\n", ntohs(dst->detected_directconnect_udp_port)); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; @@ -405,16 +405,16 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { if(src != NULL && ((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout)) { - src->directconnect_last_safe_access_time = packet->tick_timestamp; + src->directconnect_last_safe_access_time = packet->current_time_ms; } else if(dst != NULL && ((u_int32_t) - (packet->tick_timestamp - + (packet->current_time_ms - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout)) { - dst->directconnect_last_safe_access_time = packet->tick_timestamp; + dst->directconnect_last_safe_access_time = packet->current_time_ms; } else { packet->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN; NDPI_LOG_DBG2(ndpi_struct, "skipping as unknown due to timeout\n"); diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 68313d668..18c5b2f2b 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c 
@@ -41,7 +41,7 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n"); if (src != NULL) { - src->gnutella_ts = packet->tick_timestamp; + src->gnutella_ts = packet->current_time_ms; if (packet->udp != NULL) { if (!src->detected_gnutella_udp_port1) { src->detected_gnutella_udp_port1 = (packet->udp->source); @@ -58,7 +58,7 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct } } if (dst != NULL) { - dst->gnutella_ts = packet->tick_timestamp; + dst->gnutella_ts = packet->current_time_ms; } } 
@@ -74,19 +74,19 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) { if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) { + (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "save src connection packet detected\n"); - src->gnutella_ts = packet->tick_timestamp; + src->gnutella_ts = packet->current_time_ms; } else if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) { + (packet->current_time_ms - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "save dst connection packet detected\n"); - dst->gnutella_ts = packet->tick_timestamp; + dst->gnutella_ts = packet->current_time_ms; } - if (src != NULL && (packet->tick_timestamp - src->gnutella_ts) > ndpi_struct->gnutella_timeout) { + if (src != NULL && (packet->current_time_ms - src->gnutella_ts) > ndpi_struct->gnutella_timeout) { src->detected_gnutella_udp_port1 = 0; src->detected_gnutella_udp_port2 = 0; } - if (dst != NULL && (packet->tick_timestamp - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) { + if (dst != NULL && (packet->current_time_ms - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) { dst->detected_gnutella_udp_port1 = 0; dst->detected_gnutella_udp_port2 = 0; } @@ -236,7 +236,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru } else if (packet->udp != NULL) { if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 || packet->udp->source == src->detected_gnutella_udp_port2) && - (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout) { + (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout) { NDPI_LOG_DBG2(ndpi_struct, "port based detection\n\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); } 
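Review bot: The two port-reset checks at the end of the @@ -74 hunk and the UDP port check in the @@ -236 hunk subtract `gnutella_ts` from `packet->current_time_ms` without the `(u_int32_t)` cast that the two comparisons just above them use. Neither declaration is visible here, but if `current_time_ms` is wider than `gnutella_ts`, the stored timestamp is truncated on assignment and the uncast difference is computed in the wider type, so it would exceed `gnutella_timeout` on almost every packet: the learned UDP ports are cleared each time and the port-based match never fires, which means missed Gnutella flows. Casting the delta the same way in all three places keeps the arithmetic modular, e.g. `if (src != NULL && (u_int32_t)(packet->current_time_ms - src->gnutella_ts) > ndpi_struct->gnutella_timeout) {`, with the same change for the `dst` check and for the `<` comparison in the UDP branch. ndpi_search_gnutella starts and ends outside both hunks.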
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 2ebb929fa..e1cc59be2 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -399,25 +399,25 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) { if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - src->irc_ts) < ndpi_struct->irc_timeout)) { + (packet->current_time_ms - src->irc_ts) < ndpi_struct->irc_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "irc : save src connection packet detected\n"); - src->irc_ts = packet->tick_timestamp; + src->irc_ts = packet->current_time_ms; } else if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - dst->irc_ts) < ndpi_struct->irc_timeout)) { + (packet->current_time_ms - dst->irc_ts) < ndpi_struct->irc_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "irc : save dst connection packet detected\n"); - dst->irc_ts = packet->tick_timestamp; + dst->irc_ts = packet->current_time_ms; } } if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) && ((u_int32_t) - (packet->tick_timestamp - dst->irc_ts)) < + (packet->current_time_ms - dst->irc_ts)) < ndpi_struct->irc_timeout)) || (src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK (src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) && ((u_int32_t) - (packet->tick_timestamp - src->irc_ts)) < ndpi_struct->irc_timeout)) { + (packet->current_time_ms - src->irc_ts)) < ndpi_struct->irc_timeout)) { if (packet->tcp != NULL) { sport = packet->tcp->source; dport = packet->tcp->dest; 
@@ -425,7 +425,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (dst != NULL) { for (counter = 0; counter < dst->irc_number_of_port; counter++) { if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) { - dst->last_time_port_used[counter] = packet->tick_timestamp; + dst->last_time_port_used[counter] = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port"); ndpi_int_irc_add_connection(ndpi_struct, flow); return; @@ -435,7 +435,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (src != NULL) { for (counter = 0; counter < src->irc_number_of_port; counter++) { if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) { - src->last_time_port_used[counter] = packet->tick_timestamp; + src->last_time_port_used[counter] = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port"); ndpi_int_irc_add_connection(ndpi_struct, flow); return; @@ -716,7 +716,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee", ntohs(get_u_int16_t(src->irc_port, 0))); } - src->irc_ts = packet->tick_timestamp; + src->irc_ts = packet->current_time_ms; } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { if (!ndpi_is_duplicate(src, port)) { less = 0; @@ -724,7 +724,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc src->irc_port[less] = port; NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0))); } - src->irc_ts = packet->tick_timestamp; + src->irc_ts = packet->current_time_ms; } if (dst == NULL) { break; 
@@ -747,7 +747,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu"); } - dst->irc_ts = packet->tick_timestamp; + dst->irc_ts = packet->current_time_ms; } else if (port != 0 && dst->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { if (!ndpi_is_duplicate(dst, port)) { less = 0; @@ -756,7 +756,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); } - dst->irc_ts = packet->tick_timestamp; + dst->irc_ts = packet->current_time_ms; } break; diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c index 9302f84d7..ecf29c54f 100644 --- a/src/lib/protocols/jabber.c +++ b/src/lib/protocols/jabber.c @@ -81,9 +81,9 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st ntohs(src->jabber_file_transfer_port[0]), ntohs(src->jabber_file_transfer_port[1])); if (((u_int32_t) - (packet->tick_timestamp - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { + (packet->current_time_ms - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n", - src->jabber_stun_or_ft_ts, packet->tick_timestamp); + src->jabber_stun_or_ft_ts, packet->current_time_ms); src->jabber_file_transfer_port[0] = 0; src->jabber_file_transfer_port[1] = 0; } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest 
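Review bot: The debug log in the jabber.c @@ -81 hunk still formats `packet->current_time_ms` with `%u`, and the @@ -101 hunk does the same for the dst side. The field's declaration is not in these hunks; if it is wider than `unsigned int`, the variadic argument no longer matches its conversion specifier, which is undefined behaviour and at best prints a wrong timestamp in debug builds. Printing it with an explicit width avoids that: `NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %llu\n", src->jabber_stun_or_ft_ts, (unsigned long long)packet->current_time_ms);`. ndpi_search_jabber_tcp continues outside the hunk.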
@@ -101,9 +101,9 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st ntohs(dst->jabber_file_transfer_port[0]), ntohs(dst->jabber_file_transfer_port[1])); if (((u_int32_t) - (packet->tick_timestamp - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { + (packet->current_time_ms - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n", - dst->jabber_stun_or_ft_ts, packet->tick_timestamp); + dst->jabber_stun_or_ft_ts, packet->current_time_ms); dst->jabber_file_transfer_port[0] = 0; dst->jabber_file_transfer_port[1] = 0; } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest @@ -143,11 +143,11 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st if (memcmp(&packet->payload[x], "port=", 5) == 0) { NDPI_LOG_DBG2(ndpi_struct, "port=\n"); if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->tick_timestamp; + src->jabber_stun_or_ft_ts = packet->current_time_ms; } if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->tick_timestamp; + dst->jabber_stun_or_ft_ts = packet->current_time_ms; } x += 6; j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); @@ -204,11 +204,11 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st if (memcmp(&packet->payload[x], "port=", 5) == 0) { NDPI_LOG_DBG2(ndpi_struct, "port=\n"); if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->tick_timestamp; + src->jabber_stun_or_ft_ts = packet->current_time_ms; } if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->tick_timestamp; + dst->jabber_stun_or_ft_ts = packet->current_time_ms; } x += 6; diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c deleted file mode 100644 index cba0c3bcc..000000000 --- a/src/lib/protocols/oscar.c +++ /dev/null 
@@ -1,816 +0,0 @@ -/* - * oscar.c - * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-20 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * - */ - -#include "ndpi_protocol_ids.h" - -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OSCAR - -#include "ndpi_api.h" - -#define FLAPVERSION 0x00000001 - -/* Flap channels */ -#define SIGNON 0x01 -#define DATA 0x02 -#define O_ERROR 0x03 -#define SIGNOFF 0x04 -#define KEEP_ALIVE 0x05 - -/* Signon tags */ -#define SCREEN_NAME 0x0001 -#define PASSWD 0x0002 -#define CLIENT_NAME 0x0003 -#define BOS 0x0005 -#define LOGIN_COOKIE 0x0006 -#define MAJOR_VERSION 0x0017 -#define MINOR_VERSION 0x0018 -#define POINT_VERSION 0x0019 -#define BUILD_NUM 0x001a -#define MULTICONN_FLAGS 0x004a -#define CLIENT_LANG 0x00OF -#define CLIENT_CNTRY 0x00OE -#define CLIENT_RECONNECT 0x0094 - -/* Family */ -#define GE_SE_CTL 0x0001 -#define LOC_SRV 0x0002 -#define BUDDY_LIST 0x0003 -#define IM 0x0004 -#define IS 0x0006 -#define ACC_ADM 0x0007 -#define POPUP 0x0008 -#define PMS 0x0009 -#define USS 0x000b -#define CHAT_ROOM_SETUP 0x000d -#define CHAT_ROOM_ACT 0x000e -#define USER_SRCH 0x000f -#define BUDDY_ICON_SERVER 0x0010 -#define SERVER_STORED_INFO 0x0013 -#define ICQ 0x0015 -#define INIT_AUTH 
0x0017 -#define EMAIL 0x0018 -#define IS_EXT 0x0085 - - -static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) -{ - - struct ndpi_packet_struct *packet = &flow->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR, NDPI_PROTOCOL_UNKNOWN); - - if(src != NULL) { - src->oscar_last_safe_access_time = packet->tick_timestamp; - } - if(dst != NULL) { - dst->oscar_last_safe_access_time = packet->tick_timestamp; - } -} - -/** - Oscar connection work on FLAP protocol. - - FLAP is a low-level communications protocol that facilitates the development of higher-level, datagram-oriented, communications layers. - It is used on the TCP connection between all clients and servers. - Here is format of FLAP datagram -**/ -static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - - int excluded = 0; -// u_int8_t channel; - u_int16_t family; - u_int16_t type; - u_int16_t flag; - struct ndpi_packet_struct * packet = &flow->packet; - struct ndpi_id_struct * src = flow->src; - struct ndpi_id_struct * dst = flow->dst; - - /* FLAP__Header - * - * [ 6 byte FLAP header ] - * +-----------+--------------+-------------+--------------+ - * | 0x2a (1B) | Channel (1B) | SeqNum (2B) | PyldLen (2B) | - * +-----------+--------------+-------------+--------------+ - * - * [ 4 byte of data ] - * - * */ - if(packet->payload_packet_len >= 6 && packet->payload[0] == 0x2a) - { - - /* FLAP__FRAME_TYPE (Channel)*/ - u_int8_t channel = get_u_int8_t(packet->payload, 1); - - /* - Initialize the FLAP connection. 
- - SIGNON -> FLAP__SIGNON_FRAME - +--------------------------------------------------+ - + FLAP__Header | 6 byte + - + FlapVersion | 4 byte (Always 1 = 0x00000001) + - + TLVs | [Class: FLAP__SIGNON_TAGS] TLVs + - +--------------------------------------------------+ - */ - if(channel == SIGNON && packet->payload_packet_len >= 10 && - get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6) && - get_u_int32_t(packet->payload, 6) == htonl(FLAPVERSION)) - { - - /* No TLVs */ - if(packet->payload_packet_len == 10) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Sign In \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* /\* SCREEN_NAME *\/ */ - /* if(get_u_int16_t(packet->payload, 10) == htons(SCREEN_NAME)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x01 *\/ */ - /* { */ - /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Screen Name \n"); */ - /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ - /* return; */ - /* } */ - /* /\* PASSWD *\/ */ - /* if(get_u_int16_t(packet->payload, 10) == htons(PASSWD)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x02 *\/ */ - /* { */ - /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Password (roasted) \n"); */ - /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ - /* return; */ - /* } */ - /* CLIENT_NAME */ - if(get_u_int16_t(packet->payload, 10) == htons(CLIENT_NAME)) /* packet->payload[10] == 0x00 && packet->payload[11] == 0x03 */ - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client Name \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* LOGIN_COOKIE */ - if(get_u_int16_t(packet->payload, 10) == htons(LOGIN_COOKIE) && - get_u_int16_t(packet->payload, 12) == htons(0x0100)) - { - if(get_u_int16_t(packet->payload, packet->payload_packet_len - 5) == htons(MULTICONN_FLAGS)) /* MULTICONN_FLAGS */ - { - if(get_u_int16_t(packet->payload, packet->payload_packet_len - 3) == htons(0x0001)) - if((get_u_int8_t(packet->payload, 
packet->payload_packet_len - 1) == 0x00) || - (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x01) || - (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x03)) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Login \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - } - /* MAJOR_VERSION */ - if(get_u_int16_t(packet->payload, 10) == htons(MAJOR_VERSION)) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Major_Version \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* MINOR_VERSION */ - if(get_u_int16_t(packet->payload, 10) == htons(MINOR_VERSION)) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Minor_Version \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* POINT_VERSION */ - if(get_u_int16_t(packet->payload, 10) == htons(POINT_VERSION)) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Point_Version \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* BUILD_NUM */ - if(get_u_int16_t(packet->payload, 10) == htons(BUILD_NUM)) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Build_Num \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* CLIENT_RECONNECT */ - if(get_u_int16_t(packet->payload, 10) == htons(CLIENT_RECONNECT)) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client_Reconnect \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - - /* - Messages using the FLAP connection, usually a SNAC message. 
- - DATA -> FLAP__DATA_FRAME - +-------------------------+ - + FLAP__Header | 6 byte + - + SNAC__Header | 10 byte + - + snac | + - +-------------------------+ - - SNAC__Header - +----------------------------------------------+ - + ID | 4 byte (2 foodgroup + 2 type) + - + FLAGS | 2 byte + - + requestId | 4 byte + - +----------------------------------------------+ - */ - if(channel == DATA) - { - if(packet->payload_packet_len >= 8) - family = get_u_int16_t(packet->payload, 6); - else - family = 0; - if(packet->payload_packet_len >= 10) - type = get_u_int16_t(packet->payload, 8); - else - type = 0; - if(family == 0 || type == 0) - { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - - /* Family 0x0001 */ - if(family == htons(GE_SE_CTL)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - case (0x000a): break; - case (0x000b): break; - case (0x000c): break; - case (0x000d): break; - case (0x000e): break; - case (0x000f): break; - case (0x0010): break; - case (0x0011): break; - case (0x0012): break; - case (0x0013): break; - case (0x0014): break; - case (0x0015): break; - case (0x0016): break; - case (0x0017): break; - case (0x0018): break; - case (0x001e): break; - case (0x001f): break; - case (0x0020): break; - case (0x0021): break; - default: excluded = 1; - } - } - /* Family 0x0002 */ - if(family == htons(LOC_SRV)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - case (0x000a): break; - case (0x000b): break; - case (0x000c): break; - case (0x000f): break; - case (0x0010): break; - case (0x0015): break; - default: excluded = 1; - } - } - /* Family 0x0003 */ - if(family == 
htons(BUDDY_LIST)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - case (0x000a): break; - case (0x000b): break; - case (0x000c): break; - default: excluded = 1; - } - } - /* Family 0x0004 */ - if(family == htons(IM)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - case (0x000a): break; - case (0x000b): break; - case (0x000c): break; - case (0x0014): break; - default: excluded = 1; - } - } - /* Family 0x0006 */ - if(family == htons(IS)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - default: excluded = 1; - } - } - /* Family 0x0007 */ - if(family == htons(ACC_ADM)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - default: excluded = 1; - } - } - /* Family 0x0008 */ - if(family == htons(POPUP)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - default: excluded = 1; - } - } - /* Family 0x0009 */ - if(family == htons(PMS)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - case (0x000a): break; - case (0x000b): break; - default: excluded = 1; - } - } - /* Family 0x000b */ - if(family == htons(USS)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - default: excluded 
= 1; - } - } - /* Family 0x000d */ - if(family == htons(CHAT_ROOM_SETUP)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - default: excluded = 1; - } - } - /* Family 0x000e */ - if(family == htons(CHAT_ROOM_ACT)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - default: excluded = 1; - } - } - /* Family 0x000f */ - if(family == htons(USER_SRCH)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - default: excluded = 1; - } - } - /* Family 0x0010 */ - if(family == htons(BUDDY_ICON_SERVER)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - default: excluded = 1; - } - } - /* Family 0x0013 */ - if(family == htons(SERVER_STORED_INFO)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x0008): break; - case (0x0009): break; - case (0x000a): break; - case (0x000e): break; - case (0x000f): break; - case (0x0011): break; - case (0x0012): break; - case (0x0014): break; - case (0x0015): break; - case (0x0016): break; - case (0x0018): break; - case (0x001a): break; - case (0x001b): break; - case (0x001c): break; - default: excluded = 1; - } - } - /* Family 0x0015 */ - if(family == htons(ICQ)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - default: excluded = 1; - } - 
} - /* Family 0x0017 */ - if(family == htons(INIT_AUTH)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - case (0x0004): break; - case (0x0005): break; - case (0x0006): break; - case (0x0007): break; - case (0x000a): break; - case (0x000b): break; - default: excluded = 1; - } - } - /* Family 0x0018 */ - if(family == htons(EMAIL)) - { - /* TODO */ - } - /* Family 0x0085 */ - if(family == htons(IS_EXT)) - { - switch (type) { - - case (0x0001): break; - case (0x0002): break; - case (0x0003): break; - default: excluded = 1; - } - } - - if(excluded == 1) - { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } - - /* flag */ - if(packet->payload_packet_len >= 12) - { - flag = get_u_int16_t(packet->payload, 10); - if(flag == htons(0x0000)|| flag == htons(0x8000) || flag == htons(0x0001)) - { - if(packet->payload_packet_len >= 16) - { - /* request ID */ - // u_int32_t req_ID = get_u_int32_t(packet->payload, 12); - /* if((req_ID <= ((u_int32_t)-1))) */ - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - } - } - } - /* - ERROR -> FLAP__ERROR_CHANNEL_0x03 - A FLAP error - rare - */ - if(channel == O_ERROR) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Error frame \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* - Close down the FLAP connection gracefully. - SIGNOFF: FLAP__SIGNOFF_CHANNEL_0x04 - */ - if(channel == SIGNOFF) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Signoff frame \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - /* - Send a heartbeat to server to help keep connection open. 
- KEEP_ALIVE: FLAP__KEEP_ALIVE_CHANNEL_0x05 - */ - if(channel == KEEP_ALIVE) - { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Keep Alive frame \n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - - - /* detect http connections */ - if(packet->payload_packet_len >= 18) { - if((packet->payload[0] == 'P') && (memcmp(packet->payload, "POST /photo/upload", 18) == 0)) { - NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if(packet->host_line.len >= 18 && packet->host_line.ptr != NULL) { - if(memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) { - NDPI_LOG_INFO(ndpi_struct, - "found OSCAR over HTTP, POST method\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - } - } - if(packet->payload_packet_len > 40) { - if((packet->payload[0] == 'G') && (memcmp(packet->payload, "GET /", 5) == 0)) { - if((memcmp(&packet->payload[5], "aim/fetchEvents?aimsid=", 23) == 0) || - (memcmp(&packet->payload[5], "aim/startSession?", 17) == 0) || - (memcmp(&packet->payload[5], "aim/gromit/aim_express", 22) == 0) || - (memcmp(&packet->payload[5], "b/ss/aolwpaim", 13) == 0) || - (memcmp(&packet->payload[5], "hss/storage/aimtmpshare", 23) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP, GET /aim/\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - - if((memcmp(&packet->payload[5], "aim", 3) == 0) || (memcmp(&packet->payload[5], "im", 2) == 0)) { - NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if(packet->user_agent_line.len > 15 && packet->user_agent_line.ptr != NULL && - ((memcmp(packet->user_agent_line.ptr, "mobileAIM/", 10) == 0) || - (memcmp(packet->user_agent_line.ptr, "ICQ/", 4) == 0) || - (memcmp(packet->user_agent_line.ptr, "mobileICQ/", 10) == 0) || - (memcmp(packet->user_agent_line.ptr, "AIM%20Free/", NDPI_STATICSTRING_LEN("AIM%20Free/")) == 0) || - (memcmp(packet->user_agent_line.ptr, "AIM/", 4) == 0))) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP\n"); - 
ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); - if(packet->referer_line.ptr != NULL && packet->referer_line.len >= 22) { - - if(memcmp(&packet->referer_line.ptr[packet->referer_line.len - NDPI_STATICSTRING_LEN("WidgetMain.swf")], - "WidgetMain.swf", NDPI_STATICSTRING_LEN("WidgetMain.swf")) == 0) { - u_int16_t i; - for (i = 0; i < (packet->referer_line.len - 22); i++) { - if(packet->referer_line.ptr[i] == 'a') { - if(memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) { - NDPI_LOG_INFO(ndpi_struct, - "found OSCAR over HTTP : aim/gromit/aim_express\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - } - } - } - } - if(memcmp(packet->payload, "CONNECT ", 8) == 0) { - if(memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - if(memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - - } - } - - if(packet->payload_packet_len > 43 - && memcmp(packet->payload, "GET http://http.proxy.icq.com/hello HTTP/1.", 43) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP PROXY\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - - if(packet->payload_packet_len > 46 - && memcmp(packet->payload, "GET http://aimhttp.oscar.aol.com/hello HTTP/1.", 46) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP PROXY\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - - if(packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) { - NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); - return; - } - - if(packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == 
htonl(0x05000001) && - get_u_int32_t(packet->payload, 4) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); - return; - } - - if(packet->payload_packet_len >= 70 && - memcmp(&packet->payload[packet->payload_packet_len - 26], - "\x67\x00\x65\x00\x74\x00\x43\x00\x61\x00\x74\x00\x61\x00\x6c\x00\x6f\x00\x67", 19) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - - if(NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_OSCAR) != 0) { - - if(flow->packet_counter == 1 - && - ((packet->payload_packet_len == 9 - && memcmp(packet->payload, "\x00\x09\x00\x00\x83\x01\xc0\x00\x00", 9) == 0) - || (packet->payload_packet_len == 13 - && (memcmp(packet->payload, "\x00\x0d\x00\x87\x01\xc0", 6) == 0 - || memcmp(packet->payload, "\x00\x0d\x00\x87\x01\xc1", 6) == 0)))) { - flow->oscar_video_voice = 1; - } - -#if 0 - if(flow->oscar_video_voice && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len - && packet->payload[2] == 0x00 && packet->payload[3] == 0x00) { - } -#endif - - if(packet->payload_packet_len >= 70 && ntohs(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len) { - if(memcmp(packet->payload, "OFT", 3) == 0 && - ((packet->payload[3] == '3' && ((memcmp(&packet->payload[4], "\x01\x00\x01\x01", 4) == 0) - || (memcmp(&packet->payload[6], "\x01\x01\x00", 3) == 0))) - || (packet->payload[3] == '2' && ((memcmp(&packet->payload[6], "\x01\x01", 2) - == 0) - )))) { - // FILE TRANSFER PATTERN:: OFT3 or OFT2 - NDPI_LOG_INFO(ndpi_struct, "found OSCAR FILE TRANSFER\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - - if(memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) { - //PICTURE TRANSFER PATTERN EXMAPLE:: - //4f 44 43 32 00 4c 00 01 00 06 00 00 00 00 00 00 ODC2.L.......... 
- NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - return; - } - } - if(packet->payload_packet_len > 40 && (memcmp(&packet->payload[2], "\x04\x4a\x00", 3) == 0) - && (memcmp(&packet->payload[6], "\x00\x00", 2) == 0) - && packet->payload[packet->payload_packet_len - 15] == 'F' - && packet->payload[packet->payload_packet_len - 12] == 'L' - && (memcmp(&packet->payload[packet->payload_packet_len - 6], "DEST", 4) == 0) - && (memcmp(&packet->payload[packet->payload_packet_len - 2], "\x00\x00", 2) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); - ndpi_int_oscar_add_connection(ndpi_struct, flow); - if(ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) { - flow->oscar_ssl_voice_stage = 1; - } - return; - - } - } - if(flow->packet_counter < 3 && packet->payload_packet_len > 11 && (memcmp(packet->payload, "\x00\x37\x04\x4a", 4) - || memcmp(packet->payload, "\x00\x0a\x04\x4a", - 4))) { - return; - } - - - if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } -} - -void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG_DBG(ndpi_struct, "search OSCAR\n"); - if(packet->tcp != NULL) { - ndpi_search_oscar_tcp_connect(ndpi_struct, flow); - } -} - - -void init_oscar_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ - ndpi_set_bitmask_protocol_detection("Oscar", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_OSCAR, - ndpi_search_oscar, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); - - *id += 1; -} 
diff --git a/src/lib/protocols/pcanywhere.c b/src/lib/protocols/pcanywhere.c
deleted file mode 100644
index 266b4c590..000000000
--- a/src/lib/protocols/pcanywhere.c
+++ /dev/null
@@ -1,67 +0,0 @@ -/* - * pcanywhere.c - * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-20 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * - */ - - -#include "ndpi_protocol_ids.h" - -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PCANYWHERE - -#include "ndpi_api.h" - - -static void ndpi_int_pcanywhere_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PCANYWHERE, NDPI_PROTOCOL_UNKNOWN); -} - -void ndpi_search_pcanywhere(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - if (packet->udp != NULL && packet->udp->dest == htons(5632) - && packet->payload_packet_len == 2 - && (memcmp(packet->payload, "NQ", 2) == 0 || memcmp(packet->payload, "ST", 2) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "PC Anywhere name or status query detected\n"); - ndpi_int_pcanywhere_add_connection(ndpi_struct, flow); - return; - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); -} - - -void init_pcanywhere_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ - 
ndpi_set_bitmask_protocol_detection("PcAnywhere", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_PCANYWHERE, - ndpi_search_pcanywhere, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); - - *id += 1; -} - diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c index 4b5589e6d..f2baf3056 100644 --- a/src/lib/protocols/rtsp.c +++ b/src/lib/protocols/rtsp.c @@ -75,13 +75,13 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct if (dst != NULL) { NDPI_LOG_DBG2(ndpi_struct, "found dst\n"); ndpi_packet_src_ip_get(packet, &dst->rtsp_ip_address); - dst->rtsp_timer = packet->tick_timestamp; + dst->rtsp_timer = packet->current_time_ms; dst->rtsp_ts_set = 1; } if (src != NULL) { NDPI_LOG_DBG2(ndpi_struct, "found src\n"); ndpi_packet_dst_ip_get(packet, &src->rtsp_ip_address); - src->rtsp_timer = packet->tick_timestamp; + src->rtsp_timer = packet->current_time_ms; src->rtsp_ts_set = 1; } NDPI_LOG_INFO(ndpi_struct, "found RTSP\n"); diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c index 042ead2b8..7ff299070 100644 --- a/src/lib/protocols/soulseek.c +++ b/src/lib/protocols/soulseek.c @@ -29,9 +29,9 @@ #define SOULSEEK_DETECT \ if(src != NULL) \ - src->soulseek_last_safe_access_time = packet->tick_timestamp; \ + src->soulseek_last_safe_access_time = packet->current_time_ms; \ if(dst != NULL) \ - dst->soulseek_last_safe_access_time = packet->tick_timestamp; \ + dst->soulseek_last_safe_access_time = packet->current_time_ms; \ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN) void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, 
@@ -50,24 +50,24 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG2(ndpi_struct, " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) - != 0 ? 1 : 0, (long long unsigned int) packet->tick_timestamp, + != 0 ? 1 : 0, (long long unsigned int) packet->current_time_ms, (long long unsigned int) src->soulseek_last_safe_access_time); if(dst != NULL) NDPI_LOG_DBG2(ndpi_struct, " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) - != 0 ? 1 : 0, (long long unsigned int) packet->tick_timestamp, + != 0 ? 1 : 0, (long long unsigned int) packet->current_time_ms, (long long unsigned int) dst->soulseek_last_safe_access_time); if(packet->payload_packet_len == 431) { if(dst != NULL) { - dst->soulseek_last_safe_access_time = packet->tick_timestamp; + dst->soulseek_last_safe_access_time = packet->current_time_ms; } return; } if(packet->payload_packet_len == 12 && get_l32(packet->payload, 4) == 0x02) { if(src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; + src->soulseek_last_safe_access_time = packet->current_time_ms; if(packet->tcp != NULL && src->soulseek_listen_port == 0) { src->soulseek_listen_port = get_l32(packet->payload, 8); return; 
@@ -75,30 +75,30 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, } } - if(src != NULL && ((u_int32_t)(packet->tick_timestamp - src->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { + if(src != NULL && ((u_int32_t)(packet->current_time_ms - src->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); - src->soulseek_last_safe_access_time = packet->tick_timestamp; + src->soulseek_last_safe_access_time = packet->current_time_ms; } - if(dst != NULL && ((u_int32_t)(packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { + if(dst != NULL && ((u_int32_t)(packet->current_time_ms - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); - dst->soulseek_last_safe_access_time = packet->tick_timestamp; + dst->soulseek_last_safe_access_time = packet->current_time_ms; } } if(dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) - && ((u_int32_t)(packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { + && ((u_int32_t)(packet->current_time_ms - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { NDPI_LOG_DBG2(ndpi_struct, - "Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", - dst->soulseek_listen_port, packet->tick_timestamp, dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); + "Soulseek: Plain detection on Port : %u packet_current_time_ms: %u soulseek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", + 
dst->soulseek_listen_port, packet->current_time_ms, dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); - dst->soulseek_last_safe_access_time = packet->tick_timestamp; + dst->soulseek_last_safe_access_time = packet->current_time_ms; if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; + src->soulseek_last_safe_access_time = packet->current_time_ms; NDPI_LOG_INFO(ndpi_struct, "found Soulseek\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); @@ -154,14 +154,14 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, const u_int32_t soulseek_listen_port = get_l32(packet->payload, 8); if(src != NULL) { - src->soulseek_last_safe_access_time = packet->tick_timestamp; + src->soulseek_last_safe_access_time = packet->current_time_ms; if(packet->tcp != NULL && src->soulseek_listen_port == 0) { src->soulseek_listen_port = soulseek_listen_port; NDPI_LOG_DBG2(ndpi_struct, "\n Listen Port Saved : %u", src->soulseek_listen_port); if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; + dst->soulseek_last_safe_access_time = packet->current_time_ms; ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); return; diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c index ea044909e..30194d153 100644 --- a/src/lib/protocols/thunder.c +++ b/src/lib/protocols/thunder.c @@ -39,10 +39,10 @@ static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER, NDPI_PROTOCOL_UNKNOWN); if (src != NULL) { - src->thunder_ts = packet->tick_timestamp; + src->thunder_ts = packet->current_time_ms; } if (dst != NULL) { - dst->thunder_ts = packet->tick_timestamp; + dst->thunder_ts = packet->current_time_ms; } } 
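Review bot: In the soulseek.c hunk `@@ -75,30 +75,30 @@`, the "Plain detection on Port" debug line still prints `packet->current_time_ms` with `%u`, whereas the two log statements in the `@@ -50,24 +50,24 @@` hunk cast the same field to `long long unsigned int` and print it with `%llu`. If the field is wider than `unsigned int`, as those casts suggest (its declaration is not in view), the mismatch is undefined behaviour in a varargs call and can garble the arguments printed after it. Use `packet_current_time_ms: %llu` in the format string and pass `(long long unsigned int) packet->current_time_ms`. The enclosing ndpi_search_soulseek_tcp starts and ends outside the hunk.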
@@ -151,15 +151,15 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_THUNDER) { if (src != NULL && ((u_int32_t) - (packet->tick_timestamp - src->thunder_ts) < ndpi_struct->thunder_timeout)) { + (packet->current_time_ms - src->thunder_ts) < ndpi_struct->thunder_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "thunder : save src connection packet detected\n"); - src->thunder_ts = packet->tick_timestamp; + src->thunder_ts = packet->current_time_ms; } else if (dst != NULL && ((u_int32_t) - (packet->tick_timestamp - dst->thunder_ts) < ndpi_struct->thunder_timeout)) { + (packet->current_time_ms - dst->thunder_ts) < ndpi_struct->thunder_timeout)) { NDPI_LOG_DBG2(ndpi_struct, "thunder : save dst connection packet detected\n"); - dst->thunder_ts = packet->tick_timestamp; + dst->thunder_ts = packet->current_time_ms; } return; } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 222fa480d..4f395a34d 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -349,6 +349,7 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi offset += 2; if((offset+len) < packet->payload_packet_len) { + u_int32_t time_sec = flow->packet.current_time_ms / 1000; #ifdef DEBUG_TLS u_int j; @@ -374,8 +375,9 @@ static void processCertificateElements(struct ndpi_detection_module_struct *ndpi } } - if((flow->packet.tick_timestamp < flow->protos.stun_ssl.ssl.notBefore) - || (flow->packet.tick_timestamp > flow->protos.stun_ssl.ssl.notAfter)) + + if((time_sec < flow->protos.stun_ssl.ssl.notBefore) + || (time_sec > flow->protos.stun_ssl.ssl.notAfter)) NDPI_SET_BIT(flow->risk, NDPI_TLS_CERTIFICATE_EXPIRED); /* Certificate expired */ } } diff --git a/src/lib/protocols/tvants.c b/src/lib/protocols/tvants.c deleted file mode 100644 index 74414aa06..000000000 --- a/src/lib/protocols/tvants.c +++ /dev/null 
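Review bot: In src/lib/protocols/tls.c the validity check in the `@@ -374,8 +375,9 @@` hunk uses `time_sec` without checking that the caller supplied a usable packet timestamp. If `current_time_ms` is zero or not epoch-based (its definition and the units of `notBefore`/`notAfter` are not in view, so this is an assumption), `time_sec < notBefore` holds for practically every certificate and `NDPI_TLS_CERTIFICATE_EXPIRED` is raised on healthy flows, which makes the risk flag less useful for alerting. Guarding the test, e.g. `if(time_sec != 0 && ((time_sec < flow->protos.stun_ssl.ssl.notBefore) || (time_sec > flow->protos.stun_ssl.ssl.notAfter)))`, avoids that. A comment at the declaration added in the `@@ -349,6 +349,7 @@` hunk, such as `/* packet time in seconds; notBefore/notAfter are presumably epoch seconds */`, would explain the division by 1000 and the narrowing to `u_int32_t`. processCertificateElements starts and ends outside both hunks.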
@@ -1,85 +0,0 @@ -/* - * tvants.c - * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-20 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH - * - * nDPI is free software: you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * nDPI is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * - */ - -#include "ndpi_protocol_ids.h" - -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TVANTS - -#include "ndpi_api.h" - -static void ndpi_int_tvants_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TVANTS, NDPI_PROTOCOL_UNKNOWN); -} - - - - -void ndpi_search_tvants_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - NDPI_LOG_DBG(ndpi_struct, "search tvants. 
\n"); - - if (packet->udp != NULL && packet->payload_packet_len > 57 - && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 - && (packet->payload[2] == 0x05 || packet->payload[2] == 0x06 - || packet->payload[2] == 0x07) && packet->payload[3] == 0x00 - && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4] - && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 - && (memcmp(&packet->payload[48], "TVANTS", 6) == 0 - || memcmp(&packet->payload[49], "TVANTS", 6) == 0 || memcmp(&packet->payload[51], "TVANTS", 6) == 0)) { - - NDPI_LOG_INFO(ndpi_struct, "found tvants over udp. \n"); - ndpi_int_tvants_add_connection(ndpi_struct, flow); - - } else if (packet->tcp != NULL && packet->payload_packet_len > 15 - && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 - && packet->payload[2] == 0x07 && packet->payload[3] == 0x00 - && packet->payload_packet_len == (packet->payload[5] << 8) + packet->payload[4] - && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 - && memcmp(&packet->payload[8], "TVANTS", 6) == 0) { - - NDPI_LOG_INFO(ndpi_struct, "found tvants over tcp. \n"); - ndpi_int_tvants_add_connection(ndpi_struct, flow); - - } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - -} - - -void init_tvants_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ - ndpi_set_bitmask_protocol_detection("Tvants", ndpi_struct, detection_bitmask, *id, - NDPI_PROTOCOL_TVANTS, - ndpi_search_tvants_udp, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); - - *id += 1; -} diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c index fb6516458..b43dd765a 100644 --- a/src/lib/protocols/zattoo.c +++ b/src/lib/protocols/zattoo.c 
@@ -46,9 +46,9 @@ u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndp #define ZATTOO_DETECTED \ if (src != NULL) \ - src->zattoo_ts = packet->tick_timestamp; \ + src->zattoo_ts = packet->current_time_ms; \ if (dst != NULL) \ - dst->zattoo_ts = packet->tick_timestamp; \ + dst->zattoo_ts = packet->current_time_ms; \ \ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN) @@ -63,10 +63,10 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct NDPI_LOG_DBG(ndpi_struct, "search ZATTOO\n"); if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) { - if(src != NULL && ((u_int32_t) (packet->tick_timestamp - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) - src->zattoo_ts = packet->tick_timestamp; - if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) - dst->zattoo_ts = packet->tick_timestamp; + if(src != NULL && ((u_int32_t) (packet->current_time_ms - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) + src->zattoo_ts = packet->current_time_ms; + if (dst != NULL && ((u_int32_t) (packet->current_time_ms - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) + dst->zattoo_ts = packet->current_time_ms; return; } /* search over TCP */ diff --git a/tests/result/Oscar.pcap.out b/tests/result/Oscar.pcap.out index e64232fe9..364195c06 100644 --- a/tests/result/Oscar.pcap.out +++ b/tests/result/Oscar.pcap.out 
@@ -1,3 +1,3 @@ -Oscar 71 9386 1 +TLS 71 9386 1 - 1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 69/Oscar][cat: Chat/9][38 pkts/3580 bytes <-> 33 pkts/5806 bytes][Goodput ratio: 42/68][72.45 sec][bytes ratio: -0.237 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2392/2607 58175/58215 10382/11142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/176 369/1414 75/257][PLAIN TEXT (Adium/1.5.10)] + 1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 91/TLS][cat: Web/5][38 pkts/3580 bytes <-> 33 pkts/5806 bytes][Goodput ratio: 42/68][72.45 sec][bytes ratio: -0.237 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 2392/2607 58175/58215 10382/11142][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 94/176 369/1414 75/257][PLAIN TEXT (Adium/1.5.10)] |