Diffstat (limited to 'src/include')
-rw-r--r--src/include/Makefile.am11
-rw-r--r--src/include/ndpi_api.h24
-rw-r--r--src/include/ndpi_define.h18
-rw-r--r--src/include/ndpi_main.h37
-rw-r--r--src/include/ndpi_typedefs.h303
5 files changed, 260 insertions, 133 deletions
diff --git a/src/include/Makefile.am b/src/include/Makefile.am
index 71a507ae2..05266a106 100644
--- a/src/include/Makefile.am
+++ b/src/include/Makefile.am
@@ -1,9 +1,8 @@
-
library_includedir=$(includedir)/libndpi-1.4/libndpi
library_include_HEADERS = ndpi_api.h \
- ndpi_debug_functions.h \
- ndpi_define.h \
- ndpi_macros.h \
- ndpi_protocols_osdpi.h \
- ndpi_public_functions.h
+ ndpi_define.h \
+ ndpi_typedefs.h \
+ ndpi_main.h \
+ ndpi_protocol_ids.h \
+ ndpi_protocols.h
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 7b4550150..c1f7fac84 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -32,26 +32,14 @@
extern "C" {
#endif
- /**
- * This function returns the size of the flow struct
- * @return the size of the flow struct
- */
- u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void);
-
- /**
- * This function returns the size of the id struct
- * @return the size of the id struct
- */
- u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void);
-
-
/* Public malloc/free */
void* ndpi_malloc(unsigned long size);
void* ndpi_calloc(unsigned long count, unsigned long size);
void ndpi_free(void *ptr);
void *ndpi_realloc(void *ptr, size_t old_size, size_t new_size);
char *ndpi_strdup(const char *s);
- /*
+
+ /**
* Find the first occurrence of find in s, where the search is limited to the
* first slen characters of s.
*/
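Review bot: With the two `ndpi_detection_get_sizeof_*` accessors gone from the public header, callers have to size flow and id objects with `sizeof` on the structs in `ndpi_typedefs.h`, whose layout depends on build-time switches such as `NDPI_DETECTION_SUPPORT_IPV6` and `NDPI_PROTOCOL_RTSP` (both visible in this commit). An application compiled with different switches than the library would allocate an object of the wrong size, and the library would then read or write past it. Unless every consumer is known to share the library's configuration, keep `u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void);` and `u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void);`, or add a comment above the allocator prototypes saying that struct sizes are only valid for a build with identical `NDPI_*` defines. Whether the definitions were also removed from the library is not visible, since this diff is limited to src/include.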
@@ -150,14 +138,6 @@ extern "C" {
*/
u_int8_t ndpi_detection_get_l4(const u_int8_t * l3, u_int16_t l3_len, const u_int8_t ** l4_return, u_int16_t * l4_len_return,
u_int8_t * l4_protocol_return, u_int32_t flags);
- /**
- * returns the real protocol for the flow of the last packet given to the detection.
- * if no real protocol could be found, the unknown protocol will be returned.
- *
- * @param ndpi_struct the detection module
- * @return the protocol id of the last real protocol found in the protocol history of the flow
- */
- /* u_int16_t ndpi_detection_get_real_protocol_of_flow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); */
/**
* returns true if the protocol history of the flow of the last packet given to the detection
diff --git a/src/include/ndpi_define.h b/src/include/ndpi_define.h
index f938c8ffb..cfae5f305 100644
--- a/src/include/ndpi_define.h
+++ b/src/include/ndpi_define.h
@@ -42,12 +42,6 @@
#endif/* BYTE_ORDER */
#endif/* __OPENBSD__ */
-#if 0
-#ifndef NDPI_ENABLE_DEBUG_MESSAGES
-#define NDPI_ENABLE_DEBUG_MESSAGES
-#endif
-#endif
-
#ifdef WIN32
#define __LITTLE_ENDIAN__ 1
#endif
@@ -59,13 +53,6 @@
#define __BIG_ENDIAN__
#endif
-/* Kernel modules */
-#if defined(__LITTLE_ENDIAN)
-#define __LITTLE_ENDIAN__
-#endif
-#if defined(__BIG_ENDIAN)
-#define __BIG_ENDIAN__
-#endif
/* Everything else */
#if (defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__))
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
@@ -165,11 +152,6 @@
#define MAX_PACKET_COUNTER 65000
#define MAX_DEFAULT_PORTS 5
-/**********************
- * detection features *
- **********************/
-/* #define NDPI_SELECT_DETECTION_WITH_REAL_PROTOCOL ( 1 << 0 ) */
-
#define NDPI_DIRECTCONNECT_CONNECTION_IP_TICK_TIMEOUT 600
#define NDPI_IRC_CONNECTION_TIMEOUT 120
#define NDPI_GNUTELLA_CONNECTION_TIMEOUT 60
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index cb6d9b629..c570a5833 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -34,6 +34,7 @@
#endif
#include <ctype.h>
#include <time.h>
+#include <arpa/inet.h>
#ifndef WIN32
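Review bot: The added `#include <arpa/inet.h>` sits above the `#ifndef WIN32` guard on the following line, so it is included unconditionally although it is a POSIX header that Windows toolchains generally do not ship. Move it inside the guard with the other non-Windows includes, i.e. `#ifndef WIN32` followed by `#include <arpa/inet.h>`. The body of the guarded block lies outside this hunk, so check that the header is not already included there.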
@@ -50,12 +51,11 @@
#include <limits.h>
#endif
-#include "ndpi_win32.h"
-#include "ndpi_unix.h"
#include "ndpi_define.h"
#include "ndpi_protocol_ids.h"
#include "ndpi_typedefs.h"
#include "ndpi_protocols.h"
+#include "ndpi_api.h"
void *ndpi_tdelete(const void * __restrict, void ** __restrict,
@@ -90,43 +90,40 @@ void ndpi_set_detected_protocol(struct ndpi_detection_module_struct *ndpi_struct
u_int16_t upper_detected_protocol,
u_int16_t lower_detected_protocol);
-
-/* function to parse a packet which has line based information into a line based structure
- * this function will also set some well known line pointers like:
- * - host, user agent, empty line,....
- */
extern void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
extern void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+
extern u_int16_t ndpi_check_for_email_address(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t counter);
-extern void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+
+extern void ndpi_int_change_packet_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
u_int16_t upper_detected_protocol,
u_int16_t lower_detected_protocol);
-extern void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow,
+extern void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
u_int16_t upper_detected_protocol,
u_int16_t lower_detected_protocol);
-extern void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod,
- ndpi_protocol_breed_t protoBreed, u_int16_t protoId,
- u_int16_t tcp_alias_protoId[2], u_int16_t udp_alias_protoId[2],
- char *protoName,
+extern void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol_breed_t protoBreed, u_int16_t protoId,
+ u_int16_t tcp_alias_protoId[2], u_int16_t udp_alias_protoId[2], char *protoName,
ndpi_port_range *tcpDefPorts, ndpi_port_range *udpDefPorts);
+
extern void ndpi_int_reset_packet_protocol(struct ndpi_packet_struct *packet);
extern void ndpi_int_reset_protocol(struct ndpi_flow_struct *flow);
+
extern int ndpi_packet_src_ip_eql(const struct ndpi_packet_struct *packet, const ndpi_ip_addr_t * ip);
extern int ndpi_packet_dst_ip_eql(const struct ndpi_packet_struct *packet, const ndpi_ip_addr_t * ip);
extern void ndpi_packet_src_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_addr_t * ip);
extern void ndpi_packet_dst_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_addr_t * ip);
+
extern char *ndpi_get_ip_string(struct ndpi_detection_module_struct *ndpi_struct, const ndpi_ip_addr_t * ip);
-extern char *ndpi_get_packet_src_ip_string(struct ndpi_detection_module_struct *ndpi_struct,
- const struct ndpi_packet_struct *packet);
+extern char *ndpi_get_packet_src_ip_string(struct ndpi_detection_module_struct *ndpi_struct, const struct ndpi_packet_struct *packet);
extern char* ndpi_get_proto_by_id(struct ndpi_detection_module_struct *ndpi_mod, u_int id);
+
extern u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struct,
u_int8_t proto, u_int16_t sport, u_int16_t dport);
+
extern u_int8_t ndpi_is_proto(ndpi_protocol p, u_int16_t proto);
+
extern u_int16_t ndpi_get_lower_proto(ndpi_protocol p);
-extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct *ndpi_struct,
- u_int16_t protocol_id,
+extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t protocol_id,
u_int16_t** tcp_master_proto,
u_int16_t** udp_master_proto);
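Review bot: The only description of `ndpi_parse_packet_line_info` is deleted in this hunk and nothing replaces it, while the remaining changes just reflow prototypes. Keep the contract as a doc comment above the prototype, for example `/** Parse a packet with line based information into the line based structure and set the well known line pointers (host, user agent, empty line, ...). */`. It would also help to say there how `ndpi_parse_packet_line_info_any` differs, which the header does not explain before or after this change.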
@@ -135,6 +132,4 @@ void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *
const char **file, const char **func, u_int32_t * line);
#endif
-#include "ndpi_api.h"
-
#endif /* __NDPI_MAIN_INCLUDE_FILE__ */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 63013230c..47df3f0b2 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -22,82 +22,247 @@
*
*/
-#ifndef __NDPI_TYPEDEFS_FILE__
-#define __NDPI_TYPEDEFS_FILE__
+#ifndef __NDPI_TYPEDEFS_H__
+#define __NDPI_TYPEDEFS_H__
-typedef enum {
+#include "ndpi_define.h"
+
+#define BT_ANNOUNCE
+#define _WS2TCPIP_H_ /* Avoid compilation problems */
+#define SNAP_EXT
+
+
+/* NDPI_LOG_LEVEL */
+typedef enum
+{
NDPI_LOG_ERROR,
NDPI_LOG_TRACE,
NDPI_LOG_DEBUG
} ndpi_log_level_t;
-typedef void (*ndpi_debug_function_ptr) (u_int32_t protocol,
- void *module_struct, ndpi_log_level_t log_level,
- const char *format, ...);
-#define BT_ANNOUNCE
-
-typedef enum {
+/* NDPI_VISIT */
+typedef enum
+{
ndpi_preorder,
ndpi_postorder,
ndpi_endorder,
ndpi_leaf
} ndpi_VISIT;
-typedef struct node_t {
+/* NDPI_NODE */
+typedef struct node_t
+{
char *key;
struct node_t *left, *right;
} ndpi_node;
+/* NDPI_MASK_SIZE */
typedef u_int32_t ndpi_ndpi_mask;
-typedef struct ndpi_protocol_bitmask_struct {
- ndpi_ndpi_mask fds_bits[NDPI_NUM_FDS_BITS];
+/* NDPI_PROTO_BITMASK_STRUCT */
+typedef struct ndpi_protocol_bitmask_struct
+{
+ ndpi_ndpi_mask fds_bits[NDPI_NUM_FDS_BITS];
} ndpi_protocol_bitmask_struct_t;
-#ifdef NDPI_DETECTION_SUPPORT_IPV6
-struct ndpi_ip6_addr {
- union {
- u_int8_t u6_addr8[16];
- u_int16_t u6_addr16[8];
- u_int32_t u6_addr32[4];
- u_int64_t u6_addr64[2];
- } ndpi_v6_u;
-
-#define ndpi_v6_addr ndpi_v6_u.u6_addr8
-#define ndpi_v6_addr16 ndpi_v6_u.u6_addr16
-#define ndpi_v6_addr32 ndpi_v6_u.u6_addr32
-#define ndpi_v6_addr64 ndpi_v6_u.u6_addr64
-};
+/* NDPI_DEBUG_FUNCTION_PTR (cast) */
+typedef void (*ndpi_debug_function_ptr) (u_int32_t protocol, void *module_struct,
+ ndpi_log_level_t log_level, const char *format, ...);
-struct ndpi_ipv6hdr {
- /* use userspace and kernelspace compatible compile parameters */
-#if defined(__LITTLE_ENDIAN__)
- u_int8_t priority:4, version:4;
+
+/* ************************************************************ */
+/* ******************* NDPI NETWORKS HEADERS ****************** */
+/* ************************************************************ */
+
+/* ++++++++++++++++++++++++ Cisco headers +++++++++++++++++++++ */
+
+/* Cisco HDLC */
+struct ndpi_chdlc
+{
+ u_int8_t addr; /* 0x0F (Unicast) - 0x8F (Broadcast) */
+ u_int8_t ctrl; /* always 0x00 */
+ u_int16_t proto_code; /* protocol type (e.g. 0x0800 IP) */
+} __attribute__((packed));
+
+/* SLARP - Serial Line ARP http://tinyurl.com/qa54e95 */
+struct ndpi_slarp
+{
+ /* address requests (0x00)
+ address replies (0x01)
+ keep-alive (0x02)
+ */
+ u_int32_t slarp_type;
+ u_int32_t addr_1;
+ u_int32_t addr_2;
+} __attribute__((packed));
+
+/* Cisco Discovery Protocol http://tinyurl.com/qa6yw9l */
+struct ndpi_cdp
+{
+ u_int8_t version;
+ u_int8_t ttl;
+ u_int16_t checksum;
+ u_int16_t type;
+ u_int16_t length;
+} __attribute__((packed));
+
+
+/* +++++++++++++++ Ethernet header (IEEE 802.3) +++++++++++++++ */
+struct ndpi_ethhdr
+{
+ u_char h_dest[6]; /* destination eth addr */
+ u_char h_source[6]; /* source ether addr */
+ u_int16_t h_lt; /* data length (<= 1500) or type ID proto (>=1536) */
+} __attribute__((packed));
+
+/* +++++++++++++++++++ LLC header (IEEE 802.2) ++++++++++++++++ */
+struct ndpi_snap_extension
+{
+ u_int16_t oui;
+ u_int8_t oui2;
+ u_int16_t proto_ID;
+} __attribute__((packed));
+
+struct ndpi_llc_header
+{
+ u_int8_t dsap;
+ u_int8_t ssap;
+ u_int8_t ctrl;
+#ifdef SNAP_EXT
+ struct ndpi_snap_extension snap;
+#endif
+} __attribute__((packed));
+
+
+/* ++++++++++ RADIO TAP header (for IEEE 802.11) +++++++++++++ */
+struct ndpi_radiotap_header
+{
+ u_int8_t version; /* set to 0 */
+ u_int8_t pad;
+ u_int16_t len;
+ u_int32_t present;
+ u_int64_t MAC_timestamp;
+ u_int8_t flags;
+
+} __attribute__((packed));
+
+/* ++++++++++++ Wireless header (IEEE 802.11) ++++++++++++++++ */
+struct ndpi_wifi_header
+{
+ u_int16_t fc;
+ u_int16_t duration;
+ u_char rcvr[6];
+ u_char trsm[6];
+ u_char dest[6];
+ u_int16_t seq_ctrl;
+ /* u_int64_t ccmp - for data encription only - check fc.flag */
+} __attribute__((packed));
+
+
+
+/* +++++++++++++++++++++++ MPLS header +++++++++++++++++++++++ */
+struct ndpi_mpls_header
+{
+ u_int32_t label:20, exp:3, s:1, ttl:8;
+} __attribute__((packed));
+
+
+
+/* ++++++++++++++++++++++++ IP header ++++++++++++++++++++++++ */
+struct ndpi_iphdr {
+#if defined(__LITTLE_ENDIAN__)
+ u_int8_t ihl:4, version:4;
#elif defined(__BIG_ENDIAN__)
- u_int8_t version:4, priority:4;
+ u_int8_t version:4, ihl:4;
#else
# error "Byte order must be defined"
#endif
+ u_int8_t tos;
+ u_int16_t tot_len;
+ u_int16_t id;
+ u_int16_t frag_off;
+ u_int8_t ttl;
+ u_int8_t protocol;
+ u_int16_t check;
+ u_int32_t saddr;
+ u_int32_t daddr;
+} __attribute__((packed));
+
+
+/* +++++++++++++++++++++++ IPv6 header +++++++++++++++++++++++ */
+/* rfc3542 */
+
+struct ndpi_in6_addr
+{
+ union
+ {
+ u_int8_t u6_addr8[16];
+ u_int16_t u6_addr16[8];
+ u_int32_t u6_addr32[4];
+ } u6_addr; /* 128-bit IP6 address */
+};
- u_int8_t flow_lbl[3];
+struct ndpi_ipv6hdr
+{
+ union
+ {
+ struct ndpi_ip6_hdrctl
+ {
+ u_int32_t ip6_un1_flow;
+ u_int16_t ip6_un1_plen;
+ u_int8_t ip6_un1_nxt;
+ u_int8_t ip6_un1_hlim;
+ } ip6_un1;
+ u_int8_t ip6_un2_vfc;
+ } ip6_ctlun;
+ struct ndpi_in6_addr ip6_src;
+ struct ndpi_in6_addr ip6_dst;
+} __attribute__((packed));
+
+
+
+/* +++++++++++++++++++++++ TCP header +++++++++++++++++++++++ */
+struct ndpi_tcphdr
+{
+ u_int16_t source;
+ u_int16_t dest;
+ u_int32_t seq;
+ u_int32_t ack_seq;
+#if defined(__LITTLE_ENDIAN__)
+ u_int16_t res1:4, doff:4, fin:1, syn:1, rst:1, psh:1, ack:1, urg:1, ece:1, cwr:1;
+#elif defined(__BIG_ENDIAN__)
+ u_int16_t doff:4, res1:4, cwr:1, ece:1, urg:1, ack:1, psh:1, rst:1, syn:1, fin:1;
+#else
+# error "Byte order must be defined"
+#endif
+ u_int16_t window;
+ u_int16_t check;
+ u_int16_t urg_ptr;
+} __attribute__((packed));
+
+/* +++++++++++++++++++++++ UDP header +++++++++++++++++++++++ */
+struct ndpi_udphdr
+{
+ u_int16_t source;
+ u_int16_t dest;
+ u_int16_t len;
+ u_int16_t check;
+} __attribute__((packed));
- u_int16_t payload_len;
- u_int8_t nexthdr;
- u_int8_t hop_limit;
- struct ndpi_ip6_addr saddr;
- struct ndpi_ip6_addr daddr;
-};
-#endif
-typedef union {
+typedef union
+{
u_int32_t ipv4;
u_int8_t ipv4_u_int8_t[4];
#ifdef NDPI_DETECTION_SUPPORT_IPV6
- struct ndpi_ip6_addr ipv6;
+ struct ndpi_in6_addr ipv6;
#endif
} ndpi_ip_addr_t;
+/* ************************************************************ */
+/* ******************* ********************* ****************** */
+/* ************************************************************ */
#ifdef NDPI_PROTOCOL_BITTORRENT
typedef struct spinlock {
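Review bot: `struct ndpi_mpls_header` declares `label:20, exp:3, s:1, ttl:8` with no byte-order switch, unlike `ndpi_iphdr` and `ndpi_tcphdr` in this same hunk, so on a little-endian build (where GCC allocates bit-fields from the least significant bit) `label` lands on the wrong bits whether or not the word is first passed through `ntohl()`. A wrong label or bottom-of-stack bit can make code that walks the label stack compute the wrong offset to the inner header of a captured packet; how the struct is used is not visible here. Give it the same `__LITTLE_ENDIAN__`/`__BIG_ENDIAN__` split and say in a comment that the 32-bit word must be converted with `ntohl()` before the fields are read. Separately, `#define _WS2TCPIP_H_` near the top of this installed header looks like the include guard of the Windows `ws2tcpip.h` header and is set for every consumer; it deserves at least a `WIN32` guard.

```c
struct ndpi_mpls_header
{
  /* Layout of one label stack entry after ntohl(); convert the
     32-bit word before reading the fields. */
#if defined(__LITTLE_ENDIAN__)
  u_int32_t ttl:8, s:1, exp:3, label:20;
#elif defined(__BIG_ENDIAN__)
  u_int32_t label:20, exp:3, s:1, ttl:8;
#else
# error "Byte order must be defined"
#endif
/* … unchanged: closing brace with the packed attribute … */
```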
@@ -152,16 +317,13 @@ typedef enum {
} ndpi_http_method;
typedef struct ndpi_id_struct {
- /* detected_protocol_bitmask:
- * access this bitmask to find out whether an id has used skype or not
- * if a flag is set here, it will not be resetted
- * to compare this, use:
- * if (NDPI_BITMASK_COMPARE(id->detected_protocol_bitmask,
- * NDPI_PROTOCOL_BITMASK_XXX) != 0)
- * {
- * // protocol XXX detected on this id
- * }
- */
+
+ /**
+ detected_protocol_bitmask:
+ access this bitmask to find out whether an id has used skype or not
+ if a flag is set here, it will not be resetted
+ to compare this, use:
+ **/
NDPI_PROTOCOL_BITMASK detected_protocol_bitmask;
#ifdef NDPI_PROTOCOL_RTSP
ndpi_ip_addr_t rtsp_ip_address;
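Review bot: The rewritten comment on `detected_protocol_bitmask` now ends with "to compare this, use:" and no longer says what to use, because the usage example was dropped. Either restore it inside the comment, e.g. `if (NDPI_BITMASK_COMPARE(id->detected_protocol_bitmask, NDPI_PROTOCOL_BITMASK_XXX) != 0)`, or delete the dangling last line. `struct ndpi_id_struct` continues past the end of this hunk.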
@@ -672,26 +834,34 @@ typedef struct ndpi_flow_struct {
u_int16_t guessed_protocol_id, guessed_host_proto_id;
u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1;
- /* if ndpi_struct->direction_detect_disable == 1 */
- /* tcp sequence number connection tracking */
+
+ /*
+ if ndpi_struct->direction_detect_disable == 1
+ tcp sequence number connection tracking
+ */
u_int32_t next_tcp_seq_nr[2];
- /* the tcp / udp / other l4 value union
- * this is used to reduce the number of bytes for tcp or udp protocol states
- * */
+ /*
+ the tcp / udp / other l4 value union
+ used to reduce the number of bytes for tcp or udp protocol states
+ */
union {
struct ndpi_flow_tcp_struct tcp;
struct ndpi_flow_udp_struct udp;
} l4;
- struct ndpi_id_struct *server_id; /*
- Pointer to src or dst
- that identifies the
- server of this connection
- */
- u_char host_server_name[256]; /* HTTP host or DNS query */
- u_char detected_os[32]; /* Via HTTP User-Agent */
- u_char nat_ip[24]; /* Via HTTP X-Forwarded-For */
+ /*
+ Pointer to src or dst
+ that identifies the
+ server of this connection
+ */
+ struct ndpi_id_struct *server_id;
+ /* HTTP host or DNS query */
+ u_char host_server_name[256];
+ /* Via HTTP User-Agent */
+ u_char detected_os[32];
+ /* Via HTTP X-Forwarded-For */
+ u_char nat_ip[24];
/*
This structure below will not not stay inside the protos
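Review bot: The comments moved above `host_server_name[256]`, `detected_os[32]` and `nat_ip[24]` name where each value comes from (HTTP Host or DNS query, User-Agent, X-Forwarded-For) but not the storage contract, and all three sources are controlled by the remote peer. State in each comment that the value is truncated to the array size and whether it is always NUL-terminated, e.g. `/* HTTP host or DNS query; truncated to fit, always NUL-terminated */`, once that has been confirmed against the code that fills the buffers, which is not part of this diff. `nat_ip[24]` is also too short for a full textual IPv6 address if X-Forwarded-For can carry one. `struct ndpi_flow_struct` starts and ends outside this hunk.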
@@ -721,7 +891,8 @@ typedef struct ndpi_flow_struct {
char client_certificate[48], server_certificate[48];
} ssl;
} protos;
- /* ALL protocol specific 64 bit variables here */
+
+ /*** ALL protocol specific 64 bit variables here ***/
/* protocols which have marked a connection as this connection cannot be protocol XXX, multiple u_int64_t */
NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask;
@@ -811,4 +982,4 @@ typedef struct ndpi_flow_struct {
struct ndpi_id_struct *dst;
} ndpi_flow_struct_t;
-#endif/* __NDPI_TYPEDEFS_FILE__ */
+#endif/* __NDPI_TYPEDEFS_H__ */