Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/Makefile.am | 2 | ||||
-rw-r--r-- | src/include/ndpi_api.h | 310 | ||||
-rw-r--r-- | src/include/ndpi_define.h.in (renamed from src/include/ndpi_define.h) | 83 | ||||
-rw-r--r-- | src/include/ndpi_main.h | 8 | ||||
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 489 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 23 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 270 | ||||
-rw-r--r-- | src/include/ndpi_win32.h | 12 |
8 files changed, 731 insertions, 466 deletions
diff --git a/src/include/Makefile.am b/src/include/Makefile.am index cd901f58b..6eeca93b4 100644 --- a/src/include/Makefile.am +++ b/src/include/Makefile.am @@ -1,4 +1,4 @@ -library_includedir=$(includedir)/libndpi-1.4/libndpi +library_includedir=$(includedir)/libndpi-@VERSION@/libndpi library_include_HEADERS = ndpi_api.h \ ndpi_define.h \ diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index b380c8b03..25a7612f2 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -1,7 +1,7 @@ /* * ndpi_api.h * - * Copyright (C) 2011-16 - ntop.org + * Copyright (C) 2011-17 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -31,6 +31,9 @@ extern "C" { #endif +#define SIZEOF_ID_STRUCT (sizeof(struct ndpi_id_struct)) +#define SIZEOF_FLOW_STRUCT (sizeof(struct ndpi_flow_struct)) + #define NDPI_DETECTION_ONLY_IPV4 ( 1 << 0 ) #define NDPI_DETECTION_ONLY_IPV6 ( 1 << 1 ) @@ -39,20 +42,20 @@ extern "C" { #define SAVE_DETECTION_BITMASK_AS_UNKNOWN 1 #define NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN 0 - + /** * Check if a string is encoded with punycode * ( https://tools.ietf.org/html/rfc3492 ) * * @par buff = pointer to the string to ckeck * @par len = len of the string - * @return 1 if the string is punycoded; + * @return 1 if the string is punycoded; * else 0 * */ int check_punycode_string(char * buff , int len); - + /** * Get the size of the flow struct * @@ -61,16 +64,16 @@ extern "C" { */ u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void); - + /** - * Get the size of the id struct + * Get the size of the id struct * * @return the size of the id struct - * + * */ u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void); - + /** * nDPI personal allocation and free functions **/ 
@@ -79,8 +82,9 @@ extern "C" { void * ndpi_realloc(void *ptr, size_t old_size, size_t new_size); char * ndpi_strdup(const char *s); void ndpi_free(void *ptr); + void * ndpi_flow_malloc(size_t size); + void ndpi_flow_free(void *ptr); - /** * Search the first occurrence of substring -find- in -s- * The search is limited to the first -slen- characters of the string @@ -94,7 +98,19 @@ extern "C" { */ char* ndpi_strnstr(const char *s, const char *find, size_t slen); - + /** + * Same as ndpi_strnstr but case insensitive + * + * @par s = string to parse + * @par find = string to match with -s- + * @par slen = max length to match between -s- and -find- + * @return a pointer to the beginning of the located substring; + * NULL if the substring is not found + * + */ + char* ndpi_strncasestr(const char *s, const char *find, size_t slen); + + /** * Returns the nDPI protocol id for IP-based protocol detection * @@ -102,7 +118,7 @@ extern "C" { * @par pin = IP host address (MUST BE in network byte order): * See man(7) ip for details * @return the nDPI protocol ID - * + * */ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin); @@ -113,9 +129,9 @@ extern "C" { * @par ndpi_mod = the struct created for the protocol detection * @par match = the struct passed to match the protocol * - */ + */ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol_match *match); - + /** * Returns a new initialized detection module * @@ -123,7 +139,7 @@ extern "C" { * */ struct ndpi_detection_module_struct *ndpi_init_detection_module(void); - + /** * Frees the memory allocated in the specified flow * @@ -132,7 +148,7 @@ extern "C" { */ void ndpi_free_flow(struct ndpi_flow_struct *flow); - + /** * Enables cache support. * In nDPI is used for some protocol (i.e. Skype) 
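Review bot: The new `ndpi_flow_malloc()`/`ndpi_flow_free()` pair is declared without any comment saying which allocations it owns; the block it joins is documented only as "nDPI personal allocation and free functions". The same commit adds `set_ndpi_flow_malloc()`/`set_ndpi_flow_free()`, so once an application installs custom hooks, a flow buffer released with `ndpi_free()` would presumably reach a different allocator than the one that produced it. I would add above the two declarations: `/* Flow-state allocator: memory from ndpi_flow_malloc() must be released with ndpi_flow_free(), never with ndpi_free() */`.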
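Review bot: The comment for `ndpi_strncasestr()` does not say whether `s` may be an unterminated buffer or whether `find` must be NUL-terminated; `slen` is described only as "max length to match between -s- and -find-". Callers in a packet-inspection library will often pass payload bytes that carry no terminator, so the contract should state who bounds the read. Suggested wording: `@par slen = number of bytes of -s- that may be read; -s- need not be NUL-terminated, -find- must be`. This is inferred from the prototype alone, since the implementation is outside this hunk, so confirm it before adopting the sentence.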
@@ -144,7 +160,7 @@ extern "C" { */ void ndpi_enable_cache(struct ndpi_detection_module_struct *ndpi_mod, char* host, u_int port); - + /** * Destroys the detection module * @@ -176,7 +192,7 @@ extern "C" { const NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask, u_int8_t b_save_bitmask_unknow, u_int8_t b_add_detection_bitmask); - + /** * Sets the protocol bitmask2 @@ -188,7 +204,7 @@ extern "C" { void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, const NDPI_PROTOCOL_BITMASK * detection_bitmask); - + /** * Function to be called before we give up with detection for a given flow. * This function reduces the NDPI_UNKNOWN_PROTOCOL detection 
@@ -196,12 +212,34 @@ extern "C" { * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @return the detected protocol even if the flow is not completed; - * + * */ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** + * Processes an extra packet in order to get more information for a given protocol + * (like SSL getting both client and server certificate even if we already know after + * seeing the client certificate what the protocol is) + * + * @par ndpi_struct = the detection module + * @par flow = pointer to the connection state machine + * @par packet = unsigned char pointer to the Layer 3 (IP header) + * @par packetlen = the length of the packet + * @par current_tick = the current timestamp for the packet + * @par src = pointer to the source subscriber state machine + * @par dst = pointer to the destination subscriber state machine + * @return void + * + */ + void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + const unsigned char *packet, + const unsigned short packetlen, + const u_int64_t current_tick, + struct ndpi_id_struct *src, + struct ndpi_id_struct *dst); + /** * Processes one packet and returns the ID of the detected protocol. * This is the MAIN PACKET PROCESSING FUNCTION. 
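Review bot: `ndpi_process_extra_packet()` takes `packet` and `packetlen`, but the comment does not state that `packetlen` must be the number of bytes actually present at `packet`, nor what happens when it is shorter than an IP header. Because the function returns `void`, a caller cannot tell a rejected packet from a processed one, so the precondition has to live in the documentation. I would add `@par packetlen = number of valid bytes at -packet- (captured length, not the IP total-length field)` and one line describing how undersized packets are handled. Check both against the implementation, which is not part of this hunk.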
@@ -226,52 +264,6 @@ extern "C" { /** - * Processes one packet of L4 and returns the ID of the detected protocol. - * L3 and L4 packet headers are passed in the arguments while payload - * points to the L4 body. - * This function mimics ndpi_detection_process_packet behaviour. - * - * @par ndpi_struct = the detection module - * @par flow = pointer to the connection state machine - * @par iph = IP packet header for IPv4 or NULL - * @par iph6 = IP packet header for IPv6 or NULL - * @par tcp = TCP packet header for TCP or NULL - * @par udp = UDP packet header for UDP or NULL - * @par src_to_dst_direction = order of src/dst state machines in a flow. - * @par l4_proto = L4 protocol of the packet. - * @par src = pointer to the source subscriber state machine - * @par dst = pointer to the destination subscriber state machine - * @par sport = source port of L4 packet, used for protocol guessing. - * @par dport = destination port of L4 packet, used for protocol guessing. - * @par current_tick_l = the current timestamp for the packet - * @par payload = unsigned char pointer to the Layer 4 (TCP/UDP body) - * @par payload_len = the length of the payload - * @return the detected ID of the protocol - * - * NOTE: in a current implementation flow->src and flow->dst are swapped with - * the src_to_dst_direction flag while ndpi_detection_process_packet does not swap - * these values. - * - */ - -ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - const struct ndpi_iphdr *iph, - struct ndpi_ipv6hdr *iph6, - struct ndpi_tcphdr *tcp, - struct ndpi_udphdr *udp, - u_int8_t src_to_dst_direction, - u_int8_t l4_proto, - struct ndpi_id_struct *src, - u_int16_t sport, - struct ndpi_id_struct *dst, - u_int16_t dport, - const u_int64_t current_tick_l, - u_int8_t *payload, u_int16_t payload_len); - - - - /** * Get the main protocol of the passed flows for the detected module * * 
@@ -283,13 +275,13 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** * Query the pointer to the layer 4 packet * * @par l3 = pointer to the layer 3 data * @par l3_len = length of the layer 3 data - * @par l4_return = address to the pointer of the layer 4 data if return value == 0, else undefined + * @par l4_return = address to the pointer of the layer 4 data if return value == 0, else undefined * @par l4_len_return = length of the layer 4 data if return value == 0, else undefined * @par l4_protocol_return = protocol of the layer 4 data if return value == 0, undefined otherwise * @par flags = limit operation on ipv4 or ipv6 packets. Possible values: NDPI_DETECTION_ONLY_IPV4 - NDPI_DETECTION_ONLY_IPV6 - 0 (any) 
@@ -301,29 +293,15 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru u_int8_t *l4_protocol_return, u_int32_t flags); -#if 0 - /** - * returns true if the protocol history of the flow of the last packet given to the detection - * contains the given protocol. - * - * @param ndpi_struct the detection module - * @return 1 if protocol has been found, 0 otherwise - * - */ - u_int8_t ndpi_detection_flow_protocol_history_contains_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t protocol_id); -#endif - /** * Search and return the protocol based on matched ports - * + * * @par ndpi_struct = the detection module * @par shost = source address in host byte order * @par sport = source port number * @par dhost = destination address in host byte order * @par dport = destination port number - * @return the struct ndpi_protocol that match the port base protocol + * @return the struct ndpi_protocol that match the port base protocol * */ ndpi_protocol ndpi_find_port_based_protocol(struct ndpi_detection_module_struct *ndpi_struct/* , u_int8_t proto */, @@ -332,17 +310,17 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru u_int32_t dhost, u_int16_t dport); - + /** * Search and return the protocol guessed that is undetected - * + * * @par ndpi_struct = the detection module * @par proto = the l4 protocol number * @par shost = source address in host byte order * @par sport = source port number * @par dhost = destination address in host byte order * @par dport = destination port number - * @return the struct ndpi_protocol that match the port base protocol + * @return the struct ndpi_protocol that match the port base protocol * */ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct *ndpi_struct, 
@@ -355,7 +333,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru /** * Check if the string passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par string_to_match = the string to match * @par string_to_match_len = the length of the string @@ -371,7 +349,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru /** * Check if the host passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par flow = the flow where match the host * @par string_to_match = the string to match @@ -389,7 +367,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru /** * Check if the string content passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par flow = the flow where match the host * @par string_to_match = the string to match 
@@ -404,21 +382,34 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru u_int string_to_match_len, u_int16_t master_protocol_id); - + + /** + * Exclude protocol from search + * + * @par ndpi_struct = the detection module + * @par flow = the flow where match the host + * @par master_protocol_id = value of the ID associated to the master protocol detected + * + */ + void ndpi_exclude_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol_id, + const char *_file, const char *_func,int _line); + + /** * Check if the string -bigram_to_match- match with a bigram of -automa- * - * @par ndpi_struct = the detection module + * @par ndpi_mod = the detection module * @par automa = the struct ndpi_automa for the bigram * @par bigram_to_match = the bigram string to match * @return 0 * */ - int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_struct, + int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_mod, ndpi_automa *automa, char *bigram_to_match); - /** * Write the protocol name in the buffer -buf- as master_protocol.protocol * 
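Review bot: The comment on `ndpi_exclude_protocol()` documents three of its six parameters; `_file`, `_func` and `_line` are missing. It also describes `master_protocol_id` as "the master protocol detected", although the `NDPI_EXCLUDE_PROTO` macro added in ndpi_define.h.in by this commit passes `NDPI_CURRENT_PROTO`, which reads as the protocol being excluded. I would reword it to `@par master_protocol_id = ID of the protocol to exclude from further detection on this flow` and add `@par _file, _func, _line = call site of the exclusion`. What the function does with the call-site values is not visible here, so say how they are used only after checking the implementation.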
@@ -432,13 +423,69 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru char* ndpi_protocol2name(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol proto, char *buf, u_int buf_len); /** + * Find out if a given category is custom/user-defined + * + * @par category = the category associated to the protocol + * @return 1 if this is a custom user category, 0 otherwise + * + */ + int ndpi_is_custom_category(ndpi_protocol_category_t category); + + /** + * Overwrite a protocol category defined by nDPI with the custom category + * + * @par ndpi_mod = the detection module + * @par protoId = the protocol identifier to overwrite + * @par breed = the breed to be associated to the protocol + * + */ + void ndpi_set_proto_breed(struct ndpi_detection_module_struct *ndpi_mod, + u_int16_t protoId, ndpi_protocol_breed_t breed); + + /** + * Overwrite a protocol category defined by nDPI with the custom category + * + * @par ndpi_mod = the detection module + * @par protoId = the protocol identifier to overwrite + * @par category = the category associated to the protocol + * + */ + void ndpi_set_proto_category(struct ndpi_detection_module_struct *ndpi_mod, + u_int16_t protoId, ndpi_protocol_category_t protoCategory); + + /** + * Check if subprotocols of the specified master protocol are just + * informative (and not real) + * + * @par mod = the detection module + * @par protoId = the (master) protocol identifier to query + * @return 1 = the subprotocol is informative, 0 otherwise. 
+ * + */ + u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *ndpi_mod, + u_int16_t protoId); + + /** * Get protocol category as string * + * @par mod = the detection module * @par category = the category associated to the protocol * @return the string name of the category * */ - const char* ndpi_category_str(ndpi_protocol_category_t category); + const char* ndpi_category_get_name(struct ndpi_detection_module_struct *ndpi_mod, + ndpi_protocol_category_t category); + + /** + * Set protocol category string + * + * @par mod = the detection module + * @par category = the category associated to the protocol + * @paw name = the string name of the category + * + */ + void ndpi_category_set_name(struct ndpi_detection_module_struct *ndpi_mod, + ndpi_protocol_category_t category, char *name); /** * Get protocol category @@ -448,7 +495,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * @return the protocol category */ ndpi_protocol_category_t ndpi_get_proto_category(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol proto); - + /** * Get the protocol name associated to the ID * @@ -470,13 +517,13 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru */ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t proto); - + /** * Return the string name of the protocol breed * * @par ndpi_struct = the detection module * @par breed_id = the breed ID associated to the protocol - * @return the string name of the breed ID + * @return the string name of the breed ID * */ char* ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_struct, ndpi_protocol_breed_t breed_id); 
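Review bot: `ndpi_category_set_name()` accepts a caller-supplied `char *name` with no statement of whether the string is copied or retained, or how long it may be. If the module stores it in a fixed-size field (not visible here), an over-long name is a truncation or overflow risk; if it keeps the pointer, the caller must keep the buffer alive. I would make the parameter `const char *name`, correct the `@paw name` tag to `@par name`, and document the maximum length and the copy semantics. The comment above `ndpi_set_proto_breed()` also still reads "Overwrite a protocol category", apparently copied from the function that follows it.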
@@ -486,20 +533,31 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * Return the ID of the protocol * * @par ndpi_mod = the detection module - * @par proto = the ID of the protocol - * @return the string name of the breed ID + * @par proto = the protocol name + * @return the ID of the protocol * */ int ndpi_get_protocol_id(struct ndpi_detection_module_struct *ndpi_mod, char *proto); /** + * Return the ID of the category + * + * @par ndpi_mod = the detection module + * @par proto = the category name + * @return the ID of the category + * + */ + int ndpi_get_category_id(struct ndpi_detection_module_struct *ndpi_mod, char *cat); + + + /** * Write the list of the supported protocols * * @par ndpi_mod = the detection module */ void ndpi_dump_protocols(struct ndpi_detection_module_struct *mod); - + /** * Read a file and load the protocols @@ -523,12 +581,12 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * Get the total number of the supported protocols * * @par ndpi_mod = the detection module - * @return the number of protocols + * @return the number of protocols * */ u_int ndpi_get_num_supported_protocols(struct ndpi_detection_module_struct *ndpi_mod); - + /** * Get the nDPI version release * @@ -559,7 +617,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru */ ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow); - + /** * Get the HTTP url * @@ -582,7 +640,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow); #endif - + #ifdef NDPI_PROTOCOL_TOR /** * Check if the flow could be detected as TOR protocol 
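Review bot: The new comment for `ndpi_get_category_id()` names the parameter `proto` while the prototype calls it `cat`, and neither it nor the corrected `ndpi_get_protocol_id()` comment says what is returned when the name is unknown. Both return `int`, so a caller that uses the result as an index needs to know the failure value. Suggested: `@par cat = the category name` and `@return the ID of the category, or <failure value> if the name is not known`, with the real value taken from the implementation. Judging by the comments, both functions only read the name, so `const char *` would suit the string parameters.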
@@ -592,7 +650,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * @par certificate = the ssl certificate * @return 1 if the flow is TOR; * 0 else - * + * */ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *certificate); @@ -603,7 +661,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * Init Aho-Corasick automata * * @return The requested automata, or NULL if an error occurred - * + * */ void* ndpi_init_automa(void); @@ -612,7 +670,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * Free Aho-Corasick automata allocated with ndpi_init_automa(); * * @par The automata initialized with ndpi_init_automa(); - * + * */ void ndpi_free_automa(void *_automa); @@ -622,8 +680,20 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * * @par The automata initialized with ndpi_init_automa(); * @par The (sub)string to search + * @par The number associated with this string + * @return 0 in case of no error, or -1 if an error occurred. + * + */ + int ndpi_add_string_value_to_automa(void *_automa, char *str, unsigned long num); + + + /** + * Add a string to match to an automata. Same as ndpi_add_string_value_to_automa() with num set to 1 + * + * @par The automata initialized with ndpi_init_automa(); + * @par The (sub)string to search * @return 0 in case of no error, or -1 if an error occurred. - * + * */ int ndpi_add_string_to_automa(void *_automa, char *str); @@ -632,7 +702,7 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * Finalize the automa (necessary before start searching) * * @par The automata initialized with ndpi_init_automa(); - * + * */ void ndpi_finalize_automa(void *_automa); 
@@ -643,16 +713,32 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru * @par The automata initialized with ndpi_init_automa(); * @par The (sub)string to search * @return 0 in case of match, or -1 if no match, or -2 if an error occurred. - * + * */ int ndpi_match_string(void *_automa, char *string_to_match); + /** + * Add a string to match to an automata + * + * @par The automata initialized with ndpi_init_automa(); + * @par The (sub)string to search + * @par The id associated with the matched string or 0 id not found. + * @return 0 in case of match, or -1 if no match, or -2 if an error occurred. + * + */ + int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id); + + /* Utility functions to set ndpi malloc/free/print wrappers */ void set_ndpi_malloc(void* (*__ndpi_malloc)(size_t size)); void set_ndpi_free(void (*__ndpi_free)(void *ptr)); + void set_ndpi_flow_malloc(void* (*__ndpi_flow_malloc)(size_t size)); + void set_ndpi_flow_free(void (*__ndpi_flow_free)(void *ptr)); void set_ndpi_debug_function(struct ndpi_detection_module_struct *ndpi_str, ndpi_debug_function_ptr ndpi_debug_printf); - + void * ndpi_malloc(size_t size); + void * ndpi_calloc(unsigned long count, size_t size); + void ndpi_free(void *ptr); #ifdef __cplusplus } #endif diff --git a/src/include/ndpi_define.h b/src/include/ndpi_define.h.in index b632712a1..c6c1f4481 100644 --- a/src/include/ndpi_define.h +++ b/src/include/ndpi_define.h.in @@ -1,6 +1,6 @@ /* * - * Copyright (C) 2011-16 - ntop.org + * Copyright (C) 2011-17 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
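Review bot: `ndpi_calloc(unsigned long count, size_t size)` mixes two integer types for what is a product of sizes: on LLP64 targets `unsigned long` is 32 bits while `size_t` is 64. On any target the implementation has to reject a `count * size` overflow before allocating. The body is not in this hunk, so I cannot tell whether it does; the prototype at least should read `void * ndpi_calloc(size_t count, size_t size);`. Separately, the comment on `ndpi_match_string_id()` opens with "Add a string to match to an automata", copied from the add function. It also documents `id` as 0 when nothing matches, which makes a string registered with value 0 through `ndpi_add_string_value_to_automa()` indistinguishable from a miss; the comment should say that 0 is reserved.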
@@ -180,24 +180,67 @@ #define NDPI_SOULSEEK_CONNECTION_IP_TICK_TIMEOUT 600 #ifdef NDPI_ENABLE_DEBUG_MESSAGES -#define NDPI_LOG(proto, m, log_level, args...) \ - { \ + #define NDPI_LOG(proto, m, log_level, args...) \ + { \ struct ndpi_detection_module_struct *mod = (struct ndpi_detection_module_struct*) m; \ - if(mod != NULL) { \ - mod->ndpi_debug_print_file=__FILE__; \ - mod->ndpi_debug_print_function=__FUNCTION__; \ - mod->ndpi_debug_print_line=__LINE__; \ - (*(mod->ndpi_debug_printf))(proto, mod, log_level, args); \ - } \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(proto, mod, log_level, __FILE__, __FUNCTION__, __LINE__, args); \ } -#else /* NDPI_ENABLE_DEBUG_MESSAGES */ -#ifdef WIN32 -#define NDPI_LOG(...) {} -#else -#define NDPI_LOG(proto, mod, log_level, args...) {} -#endif + + /* We must define NDPI_CURRENT_PROTO before include ndpi_main.h !!! + * + * #include "ndpi_protocol_ids.h" + * #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XXXX + * #include "ndpi_api.h" + * + */ + + #ifndef NDPI_CURRENT_PROTO + #define NDPI_CURRENT_PROTO NDPI_PROTO_UNKNOWN + #endif + + #define NDPI_LOG_ERR(mod, args...) \ + if(mod && mod->ndpi_log_level >= NDPI_LOG_ERROR) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_ERROR , __FILE__, __FUNCTION__, __LINE__, args); \ + } + + #define NDPI_LOG_INFO(mod, args...) \ + if(mod && mod->ndpi_log_level >= NDPI_LOG_TRACE) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_TRACE , __FILE__, __FUNCTION__, __LINE__, args); \ + } + + #define NDPI_LOG_DBG(mod, args...) \ + if(mod && mod->ndpi_log_level >= NDPI_LOG_DEBUG) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_DEBUG , __FILE__, __FUNCTION__, __LINE__, args); \ + } + + #define NDPI_LOG_DBG2(mod, args...) 
\ + if(mod && mod->ndpi_log_level >= NDPI_LOG_DEBUG_EXTRA) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_DEBUG_EXTRA , __FILE__, __FUNCTION__, __LINE__, args); \ + } + +#else /* not defined NDPI_ENABLE_DEBUG_MESSAGES */ +# ifdef WIN32 +# define NDPI_LOG(...) {} +# define NDPI_LOG_ERR(...) {} +# define NDPI_LOG_INFO(...) {} +# define NDPI_LOG_DBG(...) {} +# define NDPI_LOG_DBG2(...) {} +# else +# define NDPI_LOG(proto, mod, log_level, args...) {} +# define NDPI_LOG_ERR(mod, args...) {} +# define NDPI_LOG_INFO(mod, args...) {} +# define NDPI_LOG_DBG(mod, args...) {} +# define NDPI_LOG_DBG2(mod, args...) {} +# endif #endif /* NDPI_ENABLE_DEBUG_MESSAGES */ +#define NDPI_EXCLUDE_PROTO(mod,flow) ndpi_exclude_protocol(mod, flow, NDPI_CURRENT_PROTO, __FILE__, __FUNCTION__, __LINE__) + /** * macro for getting the string len of a static string * @@ -215,9 +258,9 @@ #define howmanybits(x, y) (((x)+((y)-1))/(y)) -#define NDPI_SET(p, n) ((p)->fds_bits[(n)/NDPI_BITS] |= (1 << (((u_int32_t)n) % NDPI_BITS))) -#define NDPI_CLR(p, n) ((p)->fds_bits[(n)/NDPI_BITS] &= ~(1 << (((u_int32_t)n) % NDPI_BITS))) -#define NDPI_ISSET(p, n) ((p)->fds_bits[(n)/NDPI_BITS] & (1 << (((u_int32_t)n) % NDPI_BITS))) +#define NDPI_SET(p, n) ((p)->fds_bits[(n)/NDPI_BITS] |= (1ul << (((u_int32_t)n) % NDPI_BITS))) +#define NDPI_CLR(p, n) ((p)->fds_bits[(n)/NDPI_BITS] &= ~(1ul << (((u_int32_t)n) % NDPI_BITS))) +#define NDPI_ISSET(p, n) ((p)->fds_bits[(n)/NDPI_BITS] & (1ul << (((u_int32_t)n) % NDPI_BITS))) #define NDPI_ZERO(p) memset((char *)(p), 0, sizeof(*(p))) #define NDPI_ONE(p) memset((char *)(p), 0xFF, sizeof(*(p))) @@ -290,4 +333,8 @@ #define NDPI_MAX_DNS_REQUESTS 16 +#define NDPI_MAJOR @NDPI_MAJOR@ +#define NDPI_MINOR @NDPI_MINOR@ +#define NDPI_PATCH @NDPI_PATCH@ + #endif /* __NDPI_DEFINE_INCLUDE_FILE__ */ diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index cd96af5d8..2440060df 100644 
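Review bot: `NDPI_LOG_ERR`, `NDPI_LOG_INFO`, `NDPI_LOG_DBG` and `NDPI_LOG_DBG2` expand to a bare `if(...) { ... }`, so `if(x) NDPI_LOG_ERR(m, "..."); else y();` fails to compile, and without the semicolon the `else` binds to the macro's own `if`. The `{}` stubs in the non-debug branch break the same `if`/`else` form. The `mod` argument is also used unparenthesised (`mod->ndpi_log_level`) and tested for NULL twice. Wrapping each macro in `do { ... } while(0)`, parenthesising `mod`, and turning the stubs into `do {} while(0)` keeps them usable as ordinary statements.

```c
#define NDPI_LOG_ERR(mod, args...) \
  do { \
    if((mod) != NULL && (mod)->ndpi_log_level >= NDPI_LOG_ERROR \
       && (mod)->ndpi_debug_printf != NULL) \
      (*((mod)->ndpi_debug_printf))(NDPI_CURRENT_PROTO, (mod), NDPI_LOG_ERROR, \
                                    __FILE__, __FUNCTION__, __LINE__, args); \
  } while(0)

/* … same shape for NDPI_LOG_INFO, NDPI_LOG_DBG and NDPI_LOG_DBG2 … */

/* non-debug stubs: remain valid as a single statement before `else` */
#define NDPI_LOG_ERR(mod, args...) do {} while(0)
/* … unchanged: remaining stubs, each with the same do {} while(0) body … */
```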
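Review bot: In `NDPI_SET`, `NDPI_CLR` and `NDPI_ISSET` the cast is written `((u_int32_t)n)`, so a macro argument such as `a + b` is cast as `(u_int32_t)a + b` rather than as a whole, while the index expression `(n)/NDPI_BITS` is parenthesised correctly. Switching the shift operand to `1ul` addresses the signed shift but leaves this; I would write `(1ul << (((u_int32_t)(n)) % NDPI_BITS))` in all three. None of the macros bounds `(n)/NDPI_BITS` against the size of `fds_bits`, so a caller that derives `n` from input has to range-check it first. A one-line comment above the macros saying so would help.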
--- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -24,12 +24,13 @@ #ifndef __NDPI_MAIN_H__ #define __NDPI_MAIN_H__ +#include "ndpi_config.h" #include "ndpi_includes.h" #include "ndpi_define.h" #include "ndpi_protocol_ids.h" #include "ndpi_typedefs.h" -#include "ndpi_protocols.h" #include "ndpi_api.h" +#include "ndpi_protocols.h" #ifdef __cplusplus extern "C" { @@ -106,7 +107,10 @@ extern "C" { extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t protocol_id, u_int16_t** tcp_master_proto, u_int16_t** udp_master_proto); - +#ifdef NDPI_PROTOCOL_NETBIOS + int ndpi_netbios_name_interpret(char *in, char *out, u_int out_len); +#endif + #ifdef NDPI_ENABLE_DEBUG_MESSAGES void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct, const char **file, const char **func, u_int32_t * line); diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 0bc70ff5d..c8871509b 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -1,7 +1,8 @@ + /* * ndpi_protocol_ids.h * - * Copyright (C) 2016 - ntop.org + * Copyright (C) 2011-18 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
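Review bot: `ndpi_netbios_name_interpret(char *in, char *out, u_int out_len)` bounds the output buffer but carries no length for `in`, so the function cannot know where the encoded name ends except by trusting bytes inside it. If `in` points into packet payload, which the NetBIOS guard suggests but the hunk does not show, a length taken from the data itself can run past the end of the captured packet. The implementation is not on this page, so this is a question for the author. Either add an input length, e.g. `int ndpi_netbios_name_interpret(const char *in, size_t in_len, char *out, u_int out_len);`, or document that callers must validate the remaining payload length before the call.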
@@ -30,248 +31,258 @@ #define __NDPI_PROTOCOLS_DEFAULT_H__ #define NDPI_DETECTION_SUPPORT_IPV6 -#define NDPI_PROTOCOL_HISTORY_SIZE 2 - -#define NDPI_PROTOCOL_UNKNOWN 0 - -#define NDPI_PROTOCOL_NO_MASTER_PROTO NDPI_PROTOCOL_UNKNOWN - -#define NDPI_PROTOCOL_IP_VRRP 73 -#define NDPI_PROTOCOL_IP_IPSEC 79 -#define NDPI_PROTOCOL_IP_GRE 80 -#define NDPI_PROTOCOL_IP_ICMP 81 -#define NDPI_PROTOCOL_IP_IGMP 82 -#define NDPI_PROTOCOL_IP_EGP 83 -#define NDPI_PROTOCOL_IP_SCTP 84 -#define NDPI_PROTOCOL_IP_OSPF 85 -#define NDPI_PROTOCOL_IP_IP_IN_IP 86 -#define NDPI_PROTOCOL_IP_ICMPV6 102 - -#define NDPI_PROTOCOL_HTTP 7 -#define NDPI_PROTOCOL_HTTP_DOWNLOAD 60 -#define NDPI_PROTOCOL_SSL_NO_CERT 64 /* SSL without certificate (Skype, Ultrasurf?) - ntop.org */ -#define NDPI_PROTOCOL_SSL 91 -#define NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC 110 -#define NDPI_PROTOCOL_HTTP_CONNECT 130 -#define NDPI_PROTOCOL_HTTP_PROXY 131 - - -#define NDPI_PROTOCOL_FTP_CONTROL 1 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_MAIL_POP 2 -#define NDPI_PROTOCOL_MAIL_SMTP 3 -#define NDPI_PROTOCOL_MAIL_IMAP 4 -#define NDPI_PROTOCOL_DNS 5 -#define NDPI_PROTOCOL_IPP 6 -#define NDPI_PROTOCOL_MDNS 8 -#define NDPI_PROTOCOL_NTP 9 -#define NDPI_PROTOCOL_NETBIOS 10 -#define NDPI_PROTOCOL_NFS 11 -#define NDPI_PROTOCOL_SSDP 12 -#define NDPI_PROTOCOL_BGP 13 -#define NDPI_PROTOCOL_SNMP 14 -#define NDPI_PROTOCOL_XDMCP 15 -#define NDPI_PROTOCOL_SMB 16 -#define NDPI_PROTOCOL_SYSLOG 17 -#define NDPI_PROTOCOL_DHCP 18 -#define NDPI_PROTOCOL_POSTGRES 19 -#define NDPI_PROTOCOL_MYSQL 20 -#define NDPI_SERVICE_HOTMAIL 21 -#define NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK 22 -#define NDPI_PROTOCOL_MAIL_POPS 23 -#define NDPI_PROTOCOL_APPLEJUICE 24 -#define NDPI_PROTOCOL_DIRECTCONNECT 25 -#define NDPI_PROTOCOL_SOCRATES 26 -#define NDPI_PROTOCOL_COAP 27 -#define NDPI_PROTOCOL_VMWARE 28 -#define NDPI_PROTOCOL_MAIL_SMTPS 29 -#define NDPI_PROTOCOL_FILETOPIA 30 -#define NDPI_PROTOCOL_UBNTAC2 31 /* Ubiquity UBNT AirControl 2 - 
Thomas Fjellstrom <thomas+ndpi@fjellstrom.ca> */ -#define NDPI_PROTOCOL_KONTIKI 32 -#define NDPI_PROTOCOL_OPENFT 33 -#define NDPI_PROTOCOL_FASTTRACK 34 -#define NDPI_PROTOCOL_GNUTELLA 35 -#define NDPI_PROTOCOL_EDONKEY 36 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_BITTORRENT 37 -#define NDPI_PROTOCOL_EPP 38 -#define NDPI_PROTOCOL_XBOX 47 -#define NDPI_PROTOCOL_QQ 48 -#define NDPI_PROTOCOL_MOVE 49 -#define NDPI_PROTOCOL_RTSP 50 -#define NDPI_PROTOCOL_MAIL_IMAPS 51 -#define NDPI_PROTOCOL_ICECAST 52 -#define NDPI_PROTOCOL_PPLIVE 53 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_PPSTREAM 54 -#define NDPI_PROTOCOL_ZATTOO 55 -#define NDPI_PROTOCOL_SHOUTCAST 56 -#define NDPI_PROTOCOL_SOPCAST 57 -#define NDPI_PROTOCOL_TVANTS 58 -#define NDPI_PROTOCOL_TVUPLAYER 59 -#define NDPI_PROTOCOL_QQLIVE 61 -#define NDPI_PROTOCOL_THUNDER 62 -#define NDPI_PROTOCOL_SOULSEEK 63 -#define NDPI_PROTOCOL_IRC 65 -#define NDPI_PROTOCOL_AYIYA 66 -#define NDPI_PROTOCOL_UNENCRYPED_JABBER 67 -#define NDPI_PROTOCOL_MSN 68 -#define NDPI_PROTOCOL_OSCAR 69 -#define NDPI_PROTOCOL_YAHOO 70 -#define NDPI_PROTOCOL_BATTLEFIELD 71 -#define NDPI_PROTOCOL_QUAKE 72 -#define NDPI_PROTOCOL_STEAM 74 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_HALFLIFE2 75 -#define NDPI_PROTOCOL_WORLDOFWARCRAFT 76 -#define NDPI_PROTOCOL_TELNET 77 -#define NDPI_PROTOCOL_STUN 78 -#define NDPI_PROTOCOL_RTP 87 -#define NDPI_PROTOCOL_RDP 88 -#define NDPI_PROTOCOL_VNC 89 -#define NDPI_PROTOCOL_PCANYWHERE 90 -#define NDPI_PROTOCOL_SSH 92 -#define NDPI_PROTOCOL_USENET 93 -#define NDPI_PROTOCOL_MGCP 94 -#define NDPI_PROTOCOL_IAX 95 -#define NDPI_PROTOCOL_TFTP 96 -#define NDPI_PROTOCOL_AFP 97 -#define NDPI_PROTOCOL_STEALTHNET 98 -#define NDPI_PROTOCOL_AIMINI 99 -#define NDPI_PROTOCOL_SIP 100 -#define NDPI_PROTOCOL_TRUPHONE 101 -#define NDPI_PROTOCOL_DHCPV6 103 -#define NDPI_PROTOCOL_ARMAGETRON 104 -#define NDPI_PROTOCOL_CROSSFIRE 105 -#define NDPI_PROTOCOL_DOFUS 106 -#define 
NDPI_PROTOCOL_FIESTA 107 -#define NDPI_PROTOCOL_FLORENSIA 108 -#define NDPI_PROTOCOL_GUILDWARS 109 -#define NDPI_PROTOCOL_KERBEROS 111 -#define NDPI_PROTOCOL_LDAP 112 -#define NDPI_PROTOCOL_MAPLESTORY 113 -#define NDPI_PROTOCOL_MSSQL_TDS 114 -#define NDPI_PROTOCOL_PPTP 115 -#define NDPI_PROTOCOL_WARCRAFT3 116 -#define NDPI_PROTOCOL_WORLD_OF_KUNG_FU 117 -#define NDPI_SERVICE_SLACK 118 -#define NDPI_PROTOCOL_DROPBOX 121 -#define NDPI_PROTOCOL_SKYPE 125 -#define NDPI_PROTOCOL_DCERPC 127 -#define NDPI_PROTOCOL_NETFLOW 128 -#define NDPI_PROTOCOL_SFLOW 129 -#define NDPI_PROTOCOL_CITRIX 132 -#define NDPI_PROTOCOL_SKYFILE_PREPAID 136 -#define NDPI_PROTOCOL_SKYFILE_RUDICS 137 -#define NDPI_PROTOCOL_SKYFILE_POSTPAID 138 -#define NDPI_PROTOCOL_CITRIX_ONLINE 139 -#define NDPI_PROTOCOL_WEBEX 141 -#define NDPI_PROTOCOL_VIBER 144 -#define NDPI_PROTOCOL_RADIUS 146 -#define NDPI_SERVICE_WINDOWS_UPDATE 147 -#define NDPI_PROTOCOL_TEAMVIEWER 148 /* xplico.org */ -#define NDPI_PROTOCOL_LOTUS_NOTES 150 -#define NDPI_PROTOCOL_SAP 151 -#define NDPI_PROTOCOL_GTP 152 -#define NDPI_PROTOCOL_UPNP 153 -#define NDPI_PROTOCOL_LLMNR 154 -#define NDPI_PROTOCOL_REMOTE_SCAN 155 -#define NDPI_PROTOCOL_SPOTIFY 156 -#define NDPI_PROTOCOL_H323 158 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_OPENVPN 159 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_NOE 160 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_CISCOVPN 161 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_TEAMSPEAK 162 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_TOR 163 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_SKINNY 164 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_RTCP 165 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_RSYNC 166 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_ORACLE 167 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_CORBA 168 /* Remy Mudingay <mudingay@ill.fr> */ -#define 
NDPI_PROTOCOL_UBUNTUONE 169 /* Remy Mudingay <mudingay@ill.fr> */ -#define NDPI_PROTOCOL_WHOIS_DAS 170 -#define NDPI_PROTOCOL_COLLECTD 171 -#define NDPI_PROTOCOL_SOCKS 172 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_MS_LYNC 173 -#define NDPI_PROTOCOL_RTMP 174 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_FTP_DATA 175 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_ZMQ 177 -#define NDPI_PROTOCOL_MEGACO 181 /* Gianluca Costa <g.costa@xplico.org> */ -#define NDPI_PROTOCOL_REDIS 182 -#define NDPI_PROTOCOL_PANDO 183 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_PROTOCOL_VHUA 184 -#define NDPI_PROTOCOL_TELEGRAM 185 /* Gianluca Costa <g.costa@xplico.org> */ -#define NDPI_PROTOCOL_QUIC 188 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */ -#define NDPI_PROTOCOL_WHATSAPP_VOICE 189 - +#define NDPI_PROTOCOL_SIZE 2 +#define NDPI_PROTOCOL_UNKNOWN 0 -#define NDPI_CONTENT_AVI 39 -#define NDPI_CONTENT_FLASH 40 -#define NDPI_CONTENT_OGG 41 -#define NDPI_CONTENT_MPEG 42 -#define NDPI_CONTENT_QUICKTIME 43 -#define NDPI_CONTENT_REALMEDIA 44 -#define NDPI_CONTENT_WINDOWSMEDIA 45 -#define NDPI_CONTENT_MMS 46 -#define NDPI_CONTENT_WEBM 157 +#define NDPI_PROTOCOL_NO_MASTER_PROTO NDPI_PROTOCOL_UNKNOWN -#define NDPI_SERVICE_FACEBOOK 119 -#define NDPI_SERVICE_TWITTER 120 -#define NDPI_SERVICE_GMAIL 122 -#define NDPI_SERVICE_GOOGLE_MAPS 123 -#define NDPI_SERVICE_YOUTUBE 124 -#define NDPI_SERVICE_VEVO 186 -#define NDPI_SERVICE_GOOGLE 126 -#define NDPI_SERVICE_NETFLIX 133 -#define NDPI_SERVICE_LASTFM 134 -#define NDPI_SERVICE_WAZE 135 -#define NDPI_SERVICE_APPLE 140 -#define NDPI_SERVICE_WHATSAPP 142 -#define NDPI_SERVICE_APPLE_ICLOUD 143 -#define NDPI_SERVICE_APPLE_ITUNES 145 -#define NDPI_SERVICE_TUENTI 149 -#define NDPI_SERVICE_WIKIPEDIA 176 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_MSN NDPI_PROTOCOL_MSN /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define 
NDPI_SERVICE_AMAZON 178 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_EBAY 179 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_CNN 180 /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_DROPBOX NDPI_PROTOCOL_DROPBOX /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_SKYPE NDPI_PROTOCOL_SKYPE /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_VIBER NDPI_PROTOCOL_VIBER -#define NDPI_SERVICE_YAHOO NDPI_PROTOCOL_YAHOO /* Tomasz Bujlow <tomasz@skatnet.dk> */ -#define NDPI_SERVICE_PANDORA 187 -#define NDPI_PROTOCOL_EAQ 190 -#define NDPI_PROTOCOL_GIT 191 -#define NDPI_PROTOCOL_DRDA 192 -#define NDPI_SERVICE_KAKAOTALK 193 /* KakaoTalk Chat (no voice call) */ -#define NDPI_SERVICE_KAKAOTALK_VOICE 194 /* KakaoTalk Voice */ -#define NDPI_SERVICE_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */ -#define NDPI_SERVICE_QUICKPLAY 196 /* Streaming service used by various services such as hooq.tv */ -#define NDPI_SERVICE_OPENDNS 197 -#define NDPI_PROTOCOL_MPEGTS 198 -#define NDPI_SERVICE_SNAPCHAT 199 -#define NDPI_SERVICE_DEEZER 200 -#define NDPI_SERVICE_INSTAGRAM 201 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> */ -#define NDPI_SERVICE_MICROSOFT 202 -#define NDPI_SERVICE_HOTSPOT_SHIELD 203 -#define NDPI_SERVICE_OCS 204 -#define NDPI_SERVICE_OFFICE_365 205 -#define NDPI_SERVICE_CLOUDFLARE 206 -#define NDPI_SERVICE_MS_ONE_DRIVE 207 -#define NDPI_PROTOCOL_MQTT 208 -#define NDPI_PROTOCOL_RX 209 -#define NDPI_SERVICE_SINA 210 -#define NDPI_PROTOCOL_STARCRAFT 211 /* Matteo Bracci <matteobracci1@gmail.com> */ -#define NDPI_PROTOCOL_TEREDO 212 -#define NDPI_PROTOCOL_HEP 213 /* Sipcapture.org QXIP BV */ -#define NDPI_SERVICE_HANGOUT 214 -#define NDPI_SERVICE_IFLIX 215 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ -#define NDPI_SERVICE_GITHUB 216 -#define NDPI_PROTOCOL_BJNP 217 -#define NDPI_SERVICE_1KXUN 218 -#define NDPI_SERVICE_IQIYI 219 -#define NDPI_PROTOCOL_SMPP 220 /* Damir Franusic 
<df@release14.org> */ +#define NDPI_PROTOCOL_UNKNOWN 0 +#define NDPI_PROTOCOL_FTP_CONTROL 1 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_MAIL_POP 2 +#define NDPI_PROTOCOL_MAIL_SMTP 3 +#define NDPI_PROTOCOL_MAIL_IMAP 4 +#define NDPI_PROTOCOL_DNS 5 +#define NDPI_PROTOCOL_IPP 6 +#define NDPI_PROTOCOL_HTTP 7 +#define NDPI_PROTOCOL_MDNS 8 +#define NDPI_PROTOCOL_NTP 9 +#define NDPI_PROTOCOL_NETBIOS 10 +#define NDPI_PROTOCOL_NFS 11 +#define NDPI_PROTOCOL_SSDP 12 +#define NDPI_PROTOCOL_BGP 13 +#define NDPI_PROTOCOL_SNMP 14 +#define NDPI_PROTOCOL_XDMCP 15 +#define NDPI_PROTOCOL_SMB 16 +#define NDPI_PROTOCOL_SYSLOG 17 +#define NDPI_PROTOCOL_DHCP 18 +#define NDPI_PROTOCOL_POSTGRES 19 +#define NDPI_PROTOCOL_MYSQL 20 +#define NDPI_PROTOCOL_HOTMAIL 21 +#define NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK 22 +#define NDPI_PROTOCOL_MAIL_POPS 23 +#define NDPI_PROTOCOL_APPLEJUICE 24 +#define NDPI_PROTOCOL_DIRECTCONNECT 25 +#define NDPI_PROTOCOL_SOCRATES 26 +#define NDPI_PROTOCOL_COAP 27 +#define NDPI_PROTOCOL_VMWARE 28 +#define NDPI_PROTOCOL_MAIL_SMTPS 29 +#define NDPI_PROTOCOL_FILETOPIA 30 +#define NDPI_PROTOCOL_UBNTAC2 31 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom <thomas+ndpi@fjellstrom.ca> */ +#define NDPI_PROTOCOL_KONTIKI 32 +#define NDPI_PROTOCOL_OPENFT 33 +#define NDPI_PROTOCOL_FASTTRACK 34 +#define NDPI_PROTOCOL_GNUTELLA 35 +#define NDPI_PROTOCOL_EDONKEY 36 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_BITTORRENT 37 +#define NDPI_PROTOCOL_EPP 38 +#define NDPI_CONTENT_AVI 39 +#define NDPI_CONTENT_FLASH 40 +#define NDPI_CONTENT_OGG 41 +#define NDPI_CONTENT_MPEG 42 +#define NDPI_CONTENT_QUICKTIME 43 +#define NDPI_CONTENT_REALMEDIA 44 +#define NDPI_CONTENT_WINDOWSMEDIA 45 +#define NDPI_CONTENT_MMS 46 +#define NDPI_PROTOCOL_XBOX 47 +#define NDPI_PROTOCOL_QQ 48 +#define NDPI_PROTOCOL_MOVE 49 +#define NDPI_PROTOCOL_RTSP 50 +#define NDPI_PROTOCOL_MAIL_IMAPS 51 +#define NDPI_PROTOCOL_ICECAST 52 +#define NDPI_PROTOCOL_PPLIVE 53 /* Tomasz Bujlow 
<tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_PPSTREAM 54 +#define NDPI_PROTOCOL_ZATTOO 55 +#define NDPI_PROTOCOL_SHOUTCAST 56 +#define NDPI_PROTOCOL_SOPCAST 57 +#define NDPI_PROTOCOL_TVANTS 58 +#define NDPI_PROTOCOL_TVUPLAYER 59 +#define NDPI_PROTOCOL_HTTP_DOWNLOAD 60 +#define NDPI_PROTOCOL_QQLIVE 61 +#define NDPI_PROTOCOL_THUNDER 62 +#define NDPI_PROTOCOL_SOULSEEK 63 +#define NDPI_PROTOCOL_SSL_NO_CERT 64 +#define NDPI_PROTOCOL_IRC 65 +#define NDPI_PROTOCOL_AYIYA 66 +#define NDPI_PROTOCOL_UNENCRYPTED_JABBER 67 +#define NDPI_PROTOCOL_MSN 68 +#define NDPI_PROTOCOL_OSCAR 69 +#define NDPI_PROTOCOL_YAHOO 70 +#define NDPI_PROTOCOL_BATTLEFIELD 71 +#define NDPI_PROTOCOL_GOOGLE_PLUS 72 +#define NDPI_PROTOCOL_IP_VRRP 73 +#define NDPI_PROTOCOL_STEAM 74 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_HALFLIFE2 75 +#define NDPI_PROTOCOL_WORLDOFWARCRAFT 76 +#define NDPI_PROTOCOL_TELNET 77 +#define NDPI_PROTOCOL_STUN 78 +#define NDPI_PROTOCOL_IP_IPSEC 79 +#define NDPI_PROTOCOL_IP_GRE 80 +#define NDPI_PROTOCOL_IP_ICMP 81 +#define NDPI_PROTOCOL_IP_IGMP 82 +#define NDPI_PROTOCOL_IP_EGP 83 +#define NDPI_PROTOCOL_IP_SCTP 84 +#define NDPI_PROTOCOL_IP_OSPF 85 +#define NDPI_PROTOCOL_IP_IP_IN_IP 86 +#define NDPI_PROTOCOL_RTP 87 +#define NDPI_PROTOCOL_RDP 88 +#define NDPI_PROTOCOL_VNC 89 +#define NDPI_PROTOCOL_PCANYWHERE 90 +#define NDPI_PROTOCOL_SSL 91 +#define NDPI_PROTOCOL_SSH 92 +#define NDPI_PROTOCOL_USENET 93 +#define NDPI_PROTOCOL_MGCP 94 +#define NDPI_PROTOCOL_IAX 95 +#define NDPI_PROTOCOL_TFTP 96 +#define NDPI_PROTOCOL_AFP 97 +#define NDPI_PROTOCOL_STEALTHNET 98 +#define NDPI_PROTOCOL_AIMINI 99 +#define NDPI_PROTOCOL_SIP 100 +#define NDPI_PROTOCOL_TRUPHONE 101 +#define NDPI_PROTOCOL_IP_ICMPV6 102 +#define NDPI_PROTOCOL_DHCPV6 103 +#define NDPI_PROTOCOL_ARMAGETRON 104 +#define NDPI_PROTOCOL_CROSSFIRE 105 +#define NDPI_PROTOCOL_DOFUS 106 +#define NDPI_PROTOCOL_FIESTA 107 +#define NDPI_PROTOCOL_FLORENSIA 108 +#define NDPI_PROTOCOL_GUILDWARS 109 +#define 
NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC 110 /*avoid large declarations in the future*/ +#define NDPI_PROTOCOL_KERBEROS 111 +#define NDPI_PROTOCOL_LDAP 112 +#define NDPI_PROTOCOL_MAPLESTORY 113 +#define NDPI_PROTOCOL_MSSQL_TDS 114 +#define NDPI_PROTOCOL_PPTP 115 +#define NDPI_PROTOCOL_WARCRAFT3 116 +#define NDPI_PROTOCOL_WORLD_OF_KUNG_FU 117 +#define NDPI_PROTOCOL_SLACK 118 +#define NDPI_PROTOCOL_FACEBOOK 119 +#define NDPI_PROTOCOL_TWITTER 120 +#define NDPI_PROTOCOL_DROPBOX 121 +#define NDPI_PROTOCOL_GMAIL 122 +#define NDPI_PROTOCOL_GOOGLE_MAPS 123 +#define NDPI_PROTOCOL_YOUTUBE 124 +#define NDPI_PROTOCOL_SKYPE 125 +#define NDPI_PROTOCOL_GOOGLE 126 +#define NDPI_PROTOCOL_DCERPC 127 +#define NDPI_PROTOCOL_NETFLOW 128 +#define NDPI_PROTOCOL_SFLOW 129 +#define NDPI_PROTOCOL_HTTP_CONNECT 130 +#define NDPI_PROTOCOL_HTTP_PROXY 131 +#define NDPI_PROTOCOL_CITRIX 132 +#define NDPI_PROTOCOL_NETFLIX 133 +#define NDPI_PROTOCOL_LASTFM 134 +#define NDPI_PROTOCOL_WAZE 135 +#define NDPI_PROTOCOL_YOUTUBE_UPLOAD 136 /* Upload files to youtube */ +#define NDPI_PROTOCOL_ICQ 137 +#define NDPI_PROTOCOL_CHECKMK 138 +#define NDPI_PROTOCOL_CITRIX_ONLINE 139 +#define NDPI_PROTOCOL_APPLE 140 +#define NDPI_PROTOCOL_WEBEX 141 +#define NDPI_PROTOCOL_WHATSAPP 142 +#define NDPI_PROTOCOL_APPLE_ICLOUD 143 +#define NDPI_PROTOCOL_VIBER 144 +#define NDPI_PROTOCOL_APPLE_ITUNES 145 +#define NDPI_PROTOCOL_RADIUS 146 +#define NDPI_PROTOCOL_WINDOWS_UPDATE 147 +#define NDPI_PROTOCOL_TEAMVIEWER 148 /* xplico.org */ +#define NDPI_PROTOCOL_TUENTI 149 +#define NDPI_PROTOCOL_LOTUS_NOTES 150 +#define NDPI_PROTOCOL_SAP 151 +#define NDPI_PROTOCOL_GTP 152 +#define NDPI_PROTOCOL_UPNP 153 +#define NDPI_PROTOCOL_LLMNR 154 +#define NDPI_PROTOCOL_REMOTE_SCAN 155 +#define NDPI_PROTOCOL_SPOTIFY 156 +#define NDPI_CONTENT_WEBM 157 +#define NDPI_PROTOCOL_H323 158 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_OPENVPN 159 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_NOE 160 /* Remy Mudingay 
<mudingay@ill.fr> */ +#define NDPI_PROTOCOL_CISCOVPN 161 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_TEAMSPEAK 162 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_TOR 163 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_SKINNY 164 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_RTCP 165 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_RSYNC 166 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_ORACLE 167 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_CORBA 168 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_UBUNTUONE 169 /* Remy Mudingay <mudingay@ill.fr> */ +#define NDPI_PROTOCOL_WHOIS_DAS 170 +#define NDPI_PROTOCOL_COLLECTD 171 +#define NDPI_PROTOCOL_SOCKS 172 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_NINTENDO 173 +#define NDPI_PROTOCOL_RTMP 174 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_FTP_DATA 175 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_WIKIPEDIA 176 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_ZMQ 177 +#define NDPI_PROTOCOL_AMAZON 178 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_EBAY 179 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_CNN 180 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_MEGACO 181 /* Gianluca Costa <g.costa@xplico.org> */ +#define NDPI_PROTOCOL_REDIS 182 +#define NDPI_PROTOCOL_PANDO 183 /* Tomasz Bujlow <tomasz@skatnet.dk> */ +#define NDPI_PROTOCOL_VHUA 184 +#define NDPI_PROTOCOL_TELEGRAM 185 /* Gianluca Costa <g.costa@xplico.org> */ +#define NDPI_PROTOCOL_VEVO 186 +#define NDPI_PROTOCOL_PANDORA 187 +#define NDPI_PROTOCOL_QUIC 188 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */ +#define NDPI_PROTOCOL_WHATSAPP_VOICE 189 +#define NDPI_PROTOCOL_EAQ 190 +#define NDPI_PROTOCOL_OOKLA 191 +#define NDPI_PROTOCOL_AMQP 192 +#define NDPI_PROTOCOL_KAKAOTALK 193 /* KakaoTalk 
Chat (no voice call) */ +#define NDPI_PROTOCOL_KAKAOTALK_VOICE 194 /* KakaoTalk Voice */ +#define NDPI_PROTOCOL_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */ +#define NDPI_PROTOCOL_QUICKPLAY 196 /* Streaming service used by various services such as hooq.tv */ +#define NDPI_PROTOCOL_WECHAT 197 +#define NDPI_PROTOCOL_MPEGTS 198 +#define NDPI_PROTOCOL_SNAPCHAT 199 +#define NDPI_PROTOCOL_SINA 200 +#define NDPI_PROTOCOL_HANGOUT 201 +#define NDPI_PROTOCOL_IFLIX 202 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */ +#define NDPI_PROTOCOL_GITHUB 203 +#define NDPI_PROTOCOL_BJNP 204 +#define NDPI_PROTOCOL_1KXUN 205 +#define NDPI_PROTOCOL_IQIYI 206 +#define NDPI_PROTOCOL_SMPP 207 /* Damir Franusic <df@release14.org> */ +#define NDPI_PROTOCOL_DNSCRYPT 208 +#define NDPI_PROTOCOL_TINC 209 /* William Guglielmo <william@deselmo.com> */ +#define NDPI_PROTOCOL_DEEZER 210 +#define NDPI_PROTOCOL_INSTAGRAM 211 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> */ +#define NDPI_PROTOCOL_MICROSOFT 212 +#define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci <matteobracci1@gmail.com> */ +#define NDPI_PROTOCOL_TEREDO 214 +#define NDPI_PROTOCOL_HOTSPOT_SHIELD 215 +#define NDPI_PROTOCOL_HEP 216 /* sipcapture.org QXIP BV */ +#define NDPI_PROTOCOL_GOOGLE_DRIVE 217 +#define NDPI_PROTOCOL_OCS 218 +#define NDPI_PROTOCOL_OFFICE_365 219 +#define NDPI_PROTOCOL_CLOUDFLARE 220 +#define NDPI_PROTOCOL_MS_ONE_DRIVE 221 +#define NDPI_PROTOCOL_MQTT 222 +#define NDPI_PROTOCOL_RX 223 +#define NDPI_PROTOCOL_APPLESTORE 224 +#define NDPI_PROTOCOL_OPENDNS 225 +#define NDPI_PROTOCOL_GIT 226 +#define NDPI_PROTOCOL_DRDA 227 +#define NDPI_PROTOCOL_PLAYSTORE 228 +#define NDPI_PROTOCOL_SOMEIP 229 +#define NDPI_PROTOCOL_FIX 230 +#define NDPI_PROTOCOL_PLAYSTATION 231 +#define NDPI_PROTOCOL_PASTEBIN 232 /* Paulo Angelo <pa@pauloangelo.com> */ +#define NDPI_PROTOCOL_LINKEDIN 233 /* Paulo Angelo <pa@pauloangelo.com> */ +#define NDPI_PROTOCOL_SOUNDCLOUD 234 +#define NDPI_PROTOCOL_CSGO 235 /* 
Counter-Strike Global Offensive, Dota 2 */ +#define NDPI_PROTOCOL_LISP 236 +#define NDPI_PROTOCOL_DIAMETER 237 +#define NDPI_PROTOCOL_APPLE_PUSH 238 +#define NDPI_PROTOCOL_GOOGLE_SERVICES 239 +#define NDPI_PROTOCOL_AMAZON_VIDEO 240 +#define NDPI_PROTOCOL_GOOGLE_DOCS 241 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_SMPP +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_GOOGLE_DOCS -#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) -#define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) +#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) +#define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) #endif diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index f34a12f13..3268488e1 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -1,7 +1,7 @@ /* * ndpi_protocols.h * - * Copyright (C) 2011-16 - ntop.org + * Copyright (C) 2011-18 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -44,6 +44,7 @@ ndpi_port_range* ndpi_build_default_ports(ndpi_port_range *ports, /* TCP/UDP protocols */ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, u_int8_t protocol, u_int32_t saddr, u_int32_t daddr, u_int16_t sport, u_int16_t dport); 
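Review bot: This table reuses existing numeric IDs for different protocols: 191 changes from `NDPI_PROTOCOL_GIT` to `NDPI_PROTOCOL_OOKLA`, 192 from `NDPI_PROTOCOL_DRDA` to `NDPI_PROTOCOL_AMQP`, and 208 from `NDPI_PROTOCOL_MQTT` to `NDPI_PROTOCOL_DNSCRYPT`. Anything that stores or matches on the raw number (saved flow records, filtering or alerting rules, custom protocol files) keeps working after the upgrade but now refers to a different protocol, which is easy to miss when reviewing a policy. The `NDPI_SERVICE_*` names and `NDPI_PROTOCOL_HISTORY_SIZE` are also removed in this hunk with no compatibility aliases. I would add a comment above the table such as `/* IDs are part of the public interface: append new protocols, never reuse or renumber a value */` and call the renumbering out in the changelog. `NDPI_PROTOCOL_UNKNOWN` is defined twice on the new side; the second definition can be dropped.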
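Review bot: The new `struct ndpi_flow_struct *flow` parameter of `ndpi_search_tcp_or_udp_raw` is added without stating whether it may be NULL. The other parameters are plain addresses and ports, which suggests (this hunk does not confirm it) that some callers have no flow at hand. I would add a line above the prototype along the lines of `/* flow may be NULL when the lookup is done outside a tracked flow */`, or the opposite statement if the implementation dereferences it unconditionally.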
@@ -51,7 +52,9 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* Applications and other protocols. */ +void ndpi_search_diameter(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_lisp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); @@ -138,6 +141,7 @@ void ndpi_search_pptp(struct ndpi_detection_module_struct *ndpi_struct, struct n void ndpi_search_stealthnet(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_dhcpv6_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_checkmk(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); 
@@ -189,21 +193,27 @@ void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, str void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_bjnp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); -void ndpi_search_kxun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_smpp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_tinc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_csgo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ +void init_diameter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_applejuice_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, 
NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_battlefield_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_lisp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_teredo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ciscovpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_citrix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -330,11 +340,18 @@ void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_hangout_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_bjnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); -void init_kxun_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_smpp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_tinc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_fix_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_nintendo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void 
init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_checkmk_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_apple_push_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); + #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 0c07dd137..7ad9757a4 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -29,27 +29,24 @@ #define BT_ANNOUNCE #define SNAP_EXT - /* NDPI_LOG_LEVEL */ -typedef enum - { - NDPI_LOG_ERROR, - NDPI_LOG_TRACE, - NDPI_LOG_DEBUG - } ndpi_log_level_t; +typedef enum { + NDPI_LOG_ERROR, + NDPI_LOG_TRACE, + NDPI_LOG_DEBUG, + NDPI_LOG_DEBUG_EXTRA +} ndpi_log_level_t; /* NDPI_VISIT */ -typedef enum - { - ndpi_preorder, - ndpi_postorder, - ndpi_endorder, - ndpi_leaf - } ndpi_VISIT; +typedef enum { + ndpi_preorder, + ndpi_postorder, + ndpi_endorder, + ndpi_leaf +} ndpi_VISIT; /* NDPI_NODE */ -typedef struct node_t -{ +typedef struct node_t { char *key; struct node_t *left, *right; } ndpi_node; @@ -58,8 +55,7 @@ typedef struct node_t typedef u_int32_t ndpi_ndpi_mask; /* NDPI_PROTO_BITMASK_STRUCT */ -typedef struct ndpi_protocol_bitmask_struct -{ +typedef struct ndpi_protocol_bitmask_struct { ndpi_ndpi_mask fds_bits[NDPI_NUM_FDS_BITS]; } ndpi_protocol_bitmask_struct_t; @@ -138,14 +134,12 @@ struct ndpi_snap_extension } PACK_OFF; PACK_ON -struct ndpi_llc_header +struct ndpi_llc_header_snap { u_int8_t dsap; u_int8_t ssap; u_int8_t ctrl; -#ifdef SNAP_EXT struct ndpi_snap_extension snap; -#endif } PACK_OFF; /* ++++++++++ RADIO TAP header (for IEEE 802.11) +++++++++++++ */ 
@@ -170,7 +164,7 @@ struct ndpi_wifi_header u_char trsm[6]; u_char dest[6]; u_int16_t seq_ctrl; - /* u_int64_t ccmp - for data encription only - check fc.flag */ + /* u_int64_t ccmp - for data encryption only - check fc.flag */ } PACK_OFF; /* +++++++++++++++++++++++ MPLS header +++++++++++++++++++++++ */ @@ -178,7 +172,15 @@ struct ndpi_wifi_header PACK_ON struct ndpi_mpls_header { + /* Before using this strcut to parse an MPLS header, you will need to convert + * the 4-byte data to the correct endianess with ntohl(). */ +#if defined(__LITTLE_ENDIAN__) + u_int32_t ttl:8, s:1, exp:3, label:20; +#elif defined(__BIG_ENDIAN__) u_int32_t label:20, exp:3, s:1, ttl:8; +#else +# error "Byte order must be defined" +#endif } PACK_OFF; /* ++++++++++++++++++++++++ IP header ++++++++++++++++++++++++ */ @@ -206,34 +208,27 @@ struct ndpi_iphdr { /* +++++++++++++++++++++++ IPv6 header +++++++++++++++++++++++ */ /* rfc3542 */ -struct ndpi_in6_addr -{ - union - { +struct ndpi_in6_addr { + union { u_int8_t u6_addr8[16]; u_int16_t u6_addr16[8]; u_int32_t u6_addr32[4]; } u6_addr; /* 128-bit IP6 address */ }; -PACK_ON -struct ndpi_ipv6hdr -{ - union - { - struct ndpi_ip6_hdrctl - { - u_int32_t ip6_un1_flow; - u_int16_t ip6_un1_plen; - u_int8_t ip6_un1_nxt; - u_int8_t ip6_un1_hlim; - } ip6_un1; - u_int8_t ip6_un2_vfc; - } ip6_ctlun; +struct ndpi_ip6_hdrctl { + u_int32_t ip6_un1_flow; + u_int16_t ip6_un1_plen; + u_int8_t ip6_un1_nxt; + u_int8_t ip6_un1_hlim; +}; +/* PACK_ON */ +struct ndpi_ipv6hdr { + struct ndpi_ip6_hdrctl ip6_hdr; struct ndpi_in6_addr ip6_src; struct ndpi_in6_addr ip6_dst; -} PACK_OFF; +} /* PACK_OFF */; /* +++++++++++++++++++++++ TCP header +++++++++++++++++++++++ */ 
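Review bot: The `#if defined(__LITTLE_ENDIAN__)` / `#elif defined(__BIG_ENDIAN__)` selection added to `struct ndpi_mpls_header` depends on two macros that not every compiler predefines and on bit-field allocation order, which is implementation-defined. The hunk does not show where the project defines these macros; on a toolchain where neither is set, every file that includes this header stops at the `#error`. Because the struct describes bytes taken from the wire, extracting the fields with shifts and masks on the `ntohl()` result avoids both dependencies, e.g. `label = v >> 12; exp = (v >> 9) & 0x7; s = (v >> 8) & 0x1; ttl = v & 0xff;`. The added comment has two typos; I would write `/* Convert the 4-byte header with ntohl() before reading it through this struct. */`.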
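Review bot: `struct ndpi_ipv6hdr` loses its packing in this hunk (`/* PACK_ON */` and `/* PACK_OFF */` are commented out rather than removed), so the struct now has the alignment requirement of its `u_int32_t` member. If packet buffers are cast to this type at arbitrary offsets, which the hunk does not show, reads through it are misaligned on strict-alignment targets, where the packed form forced byte-wise access. I would either restore `PACK_ON` / `PACK_OFF` or delete the dead markers and add a comment saying why packing was dropped, for example `/* not packed: natural layout is already 40 bytes; callers must pass a 4-byte-aligned pointer */`. The `ip6_ctlun` union and `ip6_un2_vfc` also disappear in favour of `ip6_hdr`, which breaks any external code using the old member names.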
@@ -286,6 +281,28 @@ typedef union #endif } ndpi_ip_addr_t; + +/* +++++++++++++++++++++++ ICMP header +++++++++++++++++++++++ */ + +PACK_ON +struct ndpi_icmphdr { + u_int8_t type;/* message type */ + u_int8_t code;/* type sub-code */ + u_int16_t checksum; + union { + struct { + u_int16_t id; + u_int16_t sequence; + } echo; /* echo datagram */ + + u_int32_t gateway; /* gateway address */ + struct { + u_int16_t _unused; + u_int16_t mtu; + } frag;/* path mtu discovery */ + } un; +} PACK_OFF; + /* ************************************************************ */ /* ******************* ********************* ****************** */ /* ************************************************************ */ @@ -332,6 +349,18 @@ struct bt_announce { // 192 bytes }; #endif +#ifdef NDPI_PROTOCOL_TINC + +#define TINC_CACHE_MAX_SIZE 10 + +PACK_ON struct tinc_cache_entry { + u_int32_t src_address; + u_int32_t dst_address; + u_int16_t dst_port; +} PACK_OFF; + +#endif + typedef enum { HTTP_METHOD_UNKNOWN = 0, HTTP_METHOD_OPTIONS, @@ -348,7 +377,7 @@ struct ndpi_id_struct { /** detected_protocol_bitmask: access this bitmask to find out whether an id has used skype or not - if a flag is set here, it will not be resetted + if a flag is set here, it will not be reset to compare this, use: **/ NDPI_PROTOCOL_BITMASK detected_protocol_bitmask; @@ -385,7 +414,7 @@ struct ndpi_id_struct { #ifdef NDPI_PROTOCOL_ZATTOO u_int32_t zattoo_ts; #endif -#ifdef NDPI_PROTOCOL_UNENCRYPED_JABBER +#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER u_int32_t jabber_stun_or_ft_ts; #endif #ifdef NDPI_PROTOCOL_DIRECTCONNECT @@ -404,7 +433,7 @@ struct ndpi_id_struct { u_int16_t bt_port_t[NDPI_BT_PORTS]; u_int16_t bt_port_u[NDPI_BT_PORTS]; #endif -#ifdef NDPI_PROTOCOL_UNENCRYPED_JABBER +#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER #define JABBER_MAX_STUN_PORTS 6 u_int16_t jabber_voice_stun_port[JABBER_MAX_STUN_PORTS]; u_int16_t jabber_file_transfer_port[2]; 
@@ -425,7 +454,7 @@ struct ndpi_id_struct { #ifdef NDPI_PROTOCOL_OSCAR u_int8_t oscar_ssl_session_id[33]; #endif -#ifdef NDPI_PROTOCOL_UNENCRYPED_JABBER +#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER u_int8_t jabber_voice_stun_used_ports; #endif #ifdef NDPI_PROTOCOL_SIP @@ -654,8 +683,8 @@ struct ndpi_packet_struct { u_int32_t tick_timestamp; u_int64_t tick_timestamp_l; - u_int16_t detected_protocol_stack[NDPI_PROTOCOL_HISTORY_SIZE]; - u_int8_t detected_subprotocol_stack[NDPI_PROTOCOL_HISTORY_SIZE]; + u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; + u_int8_t detected_subprotocol_stack[NDPI_PROTOCOL_SIZE]; #ifndef WIN32 @@ -664,6 +693,7 @@ struct ndpi_packet_struct { u_int16_t protocol_stack_info; struct ndpi_int_one_line_struct line[NDPI_MAX_PARSE_LINES_PER_PACKET]; + /* HTTP headers */ struct ndpi_int_one_line_struct host_line; struct ndpi_int_one_line_struct forwarded_line; struct ndpi_int_one_line_struct referer_line; @@ -679,7 +709,8 @@ struct ndpi_packet_struct { struct ndpi_int_one_line_struct http_x_session_type; struct ndpi_int_one_line_struct server_line; struct ndpi_int_one_line_struct http_method; - struct ndpi_int_one_line_struct http_response; + struct ndpi_int_one_line_struct http_response; /* the first "word" in this pointer is the response code in the packet (200, etc) */ + u_int8_t http_num_headers; /* number of found (valid) header lines in HTTP request or response */ u_int16_t l3_packet_len; u_int16_t l4_packet_len; 
@@ -719,12 +750,13 @@ typedef struct { } ndpi_port_range; typedef enum { - NDPI_PROTOCOL_SAFE = 0, /* Safe protocol with encryption */ - NDPI_PROTOCOL_ACCEPTABLE, /* Ok but not encrypted */ - NDPI_PROTOCOL_FUN, /* Pure fun protocol */ - NDPI_PROTOCOL_UNSAFE, /* Protocol with a safe version existing what should be used instead */ - NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Be prepared to troubles */ - NDPI_PROTOCOL_UNRATED /* No idea */ + NDPI_PROTOCOL_SAFE = 0, /* Surely doesn't provide risks for the network. (e.g., a news site) */ + NDPI_PROTOCOL_ACCEPTABLE, /* Probably doesn't provide risks, but could be malicious (e.g., Dropbox) */ + NDPI_PROTOCOL_FUN, /* Pure fun protocol, which may be prohibited by the user policy (e.g., Netflix) */ + NDPI_PROTOCOL_UNSAFE, /* Probably provides risks, but could be a normal traffic. Unencrypted protocols with clear pass should be here (e.g., telnet) */ + NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Surely is dangerous (ex. Tor). Be prepared to troubles */ + NDPI_PROTOCOL_TRACKER_ADS, /* Trackers, Advertisements... */ + NDPI_PROTOCOL_UNRATED /* No idea, not implemented or impossible to classify */ } ndpi_protocol_breed_t; #define NUM_BREEDS (NDPI_PROTOCOL_UNRATED+1) 
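Review bot: Inserting `NDPI_PROTOCOL_TRACKER_ADS` ahead of `NDPI_PROTOCOL_UNRATED` changes the numeric value of `NDPI_PROTOCOL_UNRATED` and of `NUM_BREEDS`, and the `ndpi_protocol_category_t` hunks at `@@ -734,12` and `@@ -747,15` likewise remove and insert members mid-enum, renumbering everything after them. Any consumer that stored, logged or exchanged these values as integers, or was built against the old header, will silently map them to the wrong breed or category. The comment on `NDPI_PROTOCOL_SAFE` also changes meaning from "with encryption" to "surely doesn't provide risks", so policies that read SAFE as "encrypted" need a second look. Explicit values on the members, with new ones taking fresh numbers, would keep the existing numbers stable; at minimum the break belongs in the changelog.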
@@ -734,12 +766,11 @@ typedef enum { NDPI_PROTOCOL_CATEGORY_UNSPECIFIED = 0, /* For general services and unknown protocols */ NDPI_PROTOCOL_CATEGORY_MEDIA, /* Multimedia and streaming */ NDPI_PROTOCOL_CATEGORY_VPN, /* Virtual Private Networks */ - NDPI_PROTOCOL_CATEGORY_MAIL_SEND, /* Protocols to send emails */ - NDPI_PROTOCOL_CATEGORY_MAIL_SYNC, /* Protocols to receive or sync emails */ - NDPI_PROTOCOL_CATEGORY_FILE_TRANSFER, /* FTP and similar protocols */ - NDPI_PROTOCOL_CATEGORY_WEB, /* Web protocols and services */ + NDPI_PROTOCOL_CATEGORY_MAIL, /* Protocols to send/receive/sync emails */ + NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, /* AFS/NFS and similar protocols */ + NDPI_PROTOCOL_CATEGORY_WEB, /* Web/mobile protocols and services */ NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, /* Social networks */ - NDPI_PROTOCOL_CATEGORY_P2P, /* File sharing and P2P */ + NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, /* Download, FTP, file transfer/sharing */ NDPI_PROTOCOL_CATEGORY_GAME, /* Online games */ NDPI_PROTOCOL_CATEGORY_CHAT, /* Instant messaging */ NDPI_PROTOCOL_CATEGORY_VOIP, /* Real-time communications and conferencing */ 
@@ -747,15 +778,22 @@ typedef enum { NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, /* Remote access and control */ NDPI_PROTOCOL_CATEGORY_CLOUD, /* Online cloud services */ NDPI_PROTOCOL_CATEGORY_NETWORK, /* Network infrastructure protocols */ - NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development */ + NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development, including Webmail */ NDPI_PROTOCOL_CATEGORY_RPC, /* High level network communication protocols */ - NDPI_PROTOCOL_CATEGORY_NETWORK_TOOL, /* Network administration and monitor protocols */ - NDPI_PROTOCOL_CATEGORY_SYSTEM, /* System level applications */ + NDPI_PROTOCOL_CATEGORY_STREAMING, /* Streaming protocols */ + NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, /* System/Operating System level applications */ + NDPI_PROTOCOL_CATEGORY_SW_UPDATE, /* Software update */ + /* See #define NUM_CUSTOM_CATEGORIES */ + NDPI_PROTOCOL_CATEGORY_CUSTOM_1, /* User custom category 1 */ + NDPI_PROTOCOL_CATEGORY_CUSTOM_2, /* User custom category 2 */ + NDPI_PROTOCOL_CATEGORY_CUSTOM_3, /* User custom category 3 */ + NDPI_PROTOCOL_CATEGORY_CUSTOM_4, /* User custom category 4 */ + NDPI_PROTOCOL_CATEGORY_CUSTOM_5, /* User custom category 5 */ NDPI_PROTOCOL_NUM_CATEGORIES /* - NOTE: Keep this as last member - Unused as value but useful to getting the number of elements - in this datastructure + NOTE: Keep this as last member + Unused as value but useful to getting the number of elements + in this datastructure */ } ndpi_protocol_category_t; 
@@ -781,11 +819,14 @@ typedef struct _ndpi_automa { } ndpi_automa; typedef struct ndpi_proto { - u_int16_t master_protocol /* e.g. HTTP */, protocol /* e.g. FaceBook */; + u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; } ndpi_protocol; #define NDPI_PROTOCOL_NULL { NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_UNKNOWN } +#define NUM_CUSTOM_CATEGORIES 5 +#define CUSTOM_CATEGORY_LABEL_LEN 32 + struct ndpi_detection_module_struct { NDPI_PROTOCOL_BITMASK detection_bitmask; NDPI_PROTOCOL_BITMASK generic_http_packet_bitmask; @@ -796,7 +837,7 @@ struct ndpi_detection_module_struct { #ifdef NDPI_ENABLE_DEBUG_MESSAGES void *user_data; #endif - + char custom_category_labels[NUM_CUSTOM_CATEGORIES][CUSTOM_CATEGORY_LABEL_LEN]; /* callback function buffer */ struct ndpi_call_function_struct callback_buffer[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; u_int32_t callback_buffer_size; @@ -815,12 +856,15 @@ struct ndpi_detection_module_struct { ndpi_default_ports_tree_node_t *tcpRoot, *udpRoot; + ndpi_log_level_t ndpi_log_level; /* default error */ + #ifdef NDPI_ENABLE_DEBUG_MESSAGES /* debug callback, only set when debug is used */ ndpi_debug_function_ptr ndpi_debug_printf; const char *ndpi_debug_print_file; const char *ndpi_debug_print_function; u_int32_t ndpi_debug_print_line; + NDPI_PROTOCOL_BITMASK debug_bitmask; #endif /* misc parameters */ 
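Review bot: `custom_category_labels[NUM_CUSTOM_CATEGORIES][CUSTOM_CATEGORY_LABEL_LEN]` in the `@@ -796,7` hunk is sized by a macro that has to be kept equal by hand to the number of `NDPI_PROTOCOL_CATEGORY_CUSTOM_n` members added in `@@ -747,15`. If the two drift, indexing the array by `category - NDPI_PROTOCOL_CATEGORY_CUSTOM_1` goes out of bounds; the code that writes the labels is not visible here, so this concerns the contract rather than a known bug. Deriving the count from the enum removes the duplicate: `#define NUM_CUSTOM_CATEGORIES (NDPI_PROTOCOL_CATEGORY_CUSTOM_5 - NDPI_PROTOCOL_CATEGORY_CUSTOM_1 + 1)`. The field should also get a comment saying that each label is NUL-terminated and truncated to `CUSTOM_CATEGORY_LABEL_LEN - 1` bytes; the struct itself opens in the previous hunk and continues past this one.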
@@ -880,15 +924,20 @@ struct ndpi_detection_module_struct { int bt_ann_len; #endif #endif +#ifdef NDPI_PROTOCOL_TINC + struct cache *tinc_cache; +#endif ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; u_int8_t http_dont_dissect_response:1, dns_dissect_response:1, direction_detect_disable:1; /* disable internal detection of packet direction */ + + void *hyperscan; /* Intel Hyperscan */ }; struct ndpi_flow_struct { - u_int16_t detected_protocol_stack[NDPI_PROTOCOL_HISTORY_SIZE]; + u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; #ifndef WIN32 __attribute__ ((__packed__)) #endif @@ -897,17 +946,21 @@ struct ndpi_flow_struct { /* init parameter, internal used to set up timestamp,... */ u_int16_t guessed_protocol_id, guessed_host_protocol_id; - u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1; + u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1; /* - if ndpi_struct->direction_detect_disable == 1 - tcp sequence number connection tracking + if ndpi_struct->direction_detect_disable == 1 + tcp sequence number connection tracking */ u_int32_t next_tcp_seq_nr[2]; + u_int8_t max_extra_packets_to_check; + u_int8_t num_extra_packets_checked; + int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); + /* - the tcp / udp / other l4 value union - used to reduce the number of bytes for tcp or udp protocol states + the tcp / udp / other l4 value union + used to reduce the number of bytes for tcp or udp protocol states */ union { struct ndpi_flow_tcp_struct tcp; 
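Review bot: The new `extra_packets_func` pointer in `struct ndpi_flow_struct` (hunk `@@ -897,17`) is only safe to call if the flow memory was zeroed by whoever allocated it, which, judging by the size accessors in ndpi_api.h, is the application. The call site is not in this hunk; it should test both `check_extra_packets` and `extra_packets_func != NULL`, and stop once `num_extra_packets_checked` reaches `max_extra_packets_to_check` without letting the 8-bit counter wrap. A comment on the three fields saying who sets them, that the pointer is NULL when unused, and that flows must be zero-initialised would make the contract explicit. `void *hyperscan` in the preceding hunk is likewise undocumented as to who owns it and when it is non-NULL.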
@@ -915,34 +968,30 @@ struct ndpi_flow_struct { } l4; /* - Pointer to src or dst - that identifies the - server of this connection + Pointer to src or dst + that identifies the + server of this connection */ struct ndpi_id_struct *server_id; /* HTTP host or DNS query */ - u_char host_server_name[192]; - /* Via HTTP User-Agent */ - u_char detected_os[32]; - /* Via HTTP X-Forwarded-For */ - u_char nat_ip[24]; - /* Bittorrent hash */ - u_char bittorent_hash[20]; + u_char host_server_name[256]; /* - This structure below will not not stay inside the protos - structure below as HTTP is used by many subprotocols - such as FaceBook, Google... so it is hard to know - when to use it or not. Thus we leave it outside for the - time being. + This structure below will not not stay inside the protos + structure below as HTTP is used by many subprotocols + such as FaceBook, Google... so it is hard to know + when to use it or not. Thus we leave it outside for the + time being. */ struct { ndpi_http_method method; char *url, *content_type; + u_int8_t num_request_headers, num_response_headers; + u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */ + u_char response_status_code[5]; /* 200, 404, etc. */ } http; union { - /* the only fields useful for nDPI and ntopng */ struct { u_int8_t num_queries, num_answers, reply_code; @@ -957,6 +1006,35 @@ struct ndpi_flow_struct { struct { char client_certificate[48], server_certificate[48]; } ssl; + + struct { + char client_signature[48], server_signature[48]; + } ssh; + + struct { + char answer[96]; + } mdns; + + struct { + char version[96]; + } ubntac2; + + struct { + /* Via HTTP User-Agent */ + u_char detected_os[32]; + /* Via HTTP X-Forwarded-For */ + u_char nat_ip[24]; + } http; + + struct { + /* Bittorrent hash */ + u_char hash[20]; + } bittorrent; + + struct { + char fingerprint[48]; + char class_ident[48]; + } dhcp; } protos; /*** ALL protocol specific 64 bit variables here ***/ 
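Review bot: `u_char response_status_code[5]` in the `http` struct holds text taken from the response line, and the declaration does not say whether it is NUL-terminated or how many bytes a dissector may write. I would document it as `/* NUL-terminated; at most 4 bytes copied from the status line */` so the parser has a stated bound to honour. `host_server_name` grows from 192 to 256 bytes in the same hunk, so any code that used the literal 192 rather than `sizeof` should be checked. The struct starts before this hunk and continues after it.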
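Review bot: Moving `detected_os`, `nat_ip` and the BitTorrent hash from the top of `struct ndpi_flow_struct` into members of the `protos` union (`@@ -957,6`) means they now share storage with `ssl`, `ssh`, `dhcp` and the other members. A reader that looks at `protos.http.detected_os` on a flow that turned out to be SSL or DHCP gets bytes written by another dissector, possibly with no terminating NUL inside the 32 bytes. The union should carry a comment that only the member matching the flow's detected protocol is valid, and consumers should check the protocol before reading. The new `char` arrays (`client_signature[48]`, `fingerprint[48]`, `answer[96]`, `version[96]`) are presumably filled from packet contents, so the dissectors, not shown here, need length-bounded copies that always terminate.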
@@ -1043,7 +1121,19 @@ struct ndpi_flow_struct { u_int8_t ovpn_session_id[8]; u_int8_t ovpn_counter; #endif +#ifdef NDPI_PROTOCOL_TINC + u_int8_t tinc_state; + struct tinc_cache_entry tinc_cache_entry; +#endif +#ifdef NDPI_PROTOCOL_CSGO + u_int8_t csgo_strid[18],csgo_state,csgo_s2; + u_int32_t csgo_id2; +#endif +#if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) + u_int16_t kxun_counter, iqiyi_counter; +#endif + /* internal structures to save functions calls */ struct ndpi_packet_struct packet; struct ndpi_flow_struct *flow; @@ -1052,7 +1142,7 @@ struct ndpi_flow_struct { }; typedef struct { - char *string_to_match, *proto_name; + char *string_to_match, *string2_to_match, *pattern_to_match, *proto_name; int protocol_id; ndpi_protocol_category_t proto_category; ndpi_protocol_breed_t protocol_breed; diff --git a/src/include/ndpi_win32.h b/src/include/ndpi_win32.h index 175ecd57d..db309faff 100644 --- a/src/include/ndpi_win32.h +++ b/src/include/ndpi_win32.h @@ -24,7 +24,15 @@ #ifndef __NDPI_WIN32_H__ #define __NDPI_WIN32_H__ +// fix a MinGW build issue "error: multiple storage classes in declaration specifiers" due to MinGW +// defining extern for __forceinline types +#if (defined(__MINGW32__) || defined(__MINGW64__)) && defined(__GNUC__) +#define MINGW_GCC +#define __mingw_forceinline __inline__ __attribute__((__always_inline__,__gnu_inline__)) +#endif + #include <winsock2.h> +#include <windows.h> #include <ws2tcpip.h> #include <process.h> #include <io.h> @@ -40,7 +48,7 @@ #define IPVERSION 4 /* on *nix it is defined in netinet/ip.h */ -extern char* strsep(char **sp, const char *sep); +extern char* strsep(char **sp, char *sep); typedef unsigned char u_char; typedef unsigned short u_short; 
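Review bot: Adding `string2_to_match` and `pattern_to_match` between `string_to_match` and `proto_name` in `@@ -1052,7` shifts every later member, so any table that initialises this struct positionally now puts the protocol name into `string2_to_match` and the protocol id into `pattern_to_match`. In-tree tables are presumably updated elsewhere in this commit, but out-of-tree tables will at best produce a warning. Placing the new pointers after the existing members, or documenting that initialisers must be designated (`.string_to_match = ..., .proto_name = ...`), avoids the silent shift. The typedef's closing lines are outside this hunk.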
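Review bot: The `strsep` prototype in ndpi_win32.h (`@@ -40,7`) loses `const` on its delimiter argument, which differs from the usual `char *strsep(char **stringp, const char *delim)` and tells callers the function may write through `sep`. Callers holding a `const char *` delimiter now need a cast, and a cast that hides a real write into a string literal is undefined behaviour. If the change was made to match the definition in the Windows implementation file, changing that definition to take `const char *sep` is the better direction, keeping `extern char* strsep(char **sp, const char *sep);` here.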
@@ -63,6 +71,8 @@ typedef unsigned __int64 u_int64_t; #define gmtime_r(a, b) memcpy(b, gmtime(a), sizeof(struct tm)) +#define in_addr_t unsigned long + extern unsigned long waitForNextEvent(unsigned long ulDelay /* ms */); #define sleep(a /* sec */) waitForNextEvent(1000*a /* ms */) |
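Review bot: `#define in_addr_t unsigned long` is a macro where the rest of this header uses typedefs (`typedef unsigned char u_char;`), so it rewrites every later occurrence of the token, including in headers included after this one. `typedef unsigned long in_addr_t;` scopes properly, provided the toolchain does not already declare the type, which is worth guarding if MinGW does. The width deserves a comment as well: `unsigned long` is 32 bits on Windows targets, which is what an IPv4 address needs, but the same line copied to an LP64 platform would be 8 bytes.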