Diffstat (limited to 'src/lib/protocols/afp.c')
-rw-r--r-- | src/lib/protocols/afp.c | 70 |
1 files changed, 41 insertions, 29 deletions
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c index 74b98b8d0..1a5914fc9 100644 --- a/src/lib/protocols/afp.c +++ b/src/lib/protocols/afp.c @@ -2,7 +2,7 @@ * afp.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2011-16 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -27,6 +27,12 @@ #ifdef NDPI_PROTOCOL_AFP +struct afpHeader { + u_int8_t flags, command; + u_int16_t requestId; + u_int32_t dataOffset, length, reserved; +}; + static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AFP, NDPI_PROTOCOL_UNKNOWN); 
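Review bot: `struct afpHeader` is overlaid on raw packet bytes later in this commit, but nothing at its definition documents or enforces that it matches the wire layout. Its natural layout is 16 bytes with no padding, and the `sizeof(struct afpHeader)` length check in `ndpi_search_afp` depends on that. A comment above the struct would make the assumption visible, for example `/* DSI header as it appears on the wire (16 bytes); multi-byte fields are in network byte order */`; the byte order is inferred from the `ntohl(h->length)` call and should be confirmed for `requestId` and `dataOffset`. A compile-time size check would enforce the layout if the project's minimum C standard allows one.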
@@ -36,36 +42,42 @@ static void ndpi_int_afp_add_connection(struct ndpi_detection_module_struct *ndp void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src = flow->src; - // struct ndpi_id_struct *dst = flow->dst; - - /* - * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol - * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks - */ - if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) && - get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && - get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && - get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) { - - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n"); - ndpi_int_afp_add_connection(ndpi_struct, flow); - return; - } - /* - * detection of GetStatus command of DSI protocol - */ - if (packet->payload_packet_len >= 18 && get_u_int16_t(packet->payload, 0) == htons(0x0003) && - get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && - get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && - get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0f00)) { - - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI GetStatus detected.\n"); - ndpi_int_afp_add_connection(ndpi_struct, flow); - return; - } + if (packet->payload_packet_len >= sizeof(struct afpHeader)) { + struct afpHeader *h = (struct afpHeader*)packet->payload; + + if(packet->payload_packet_len > 128) { + /* + When we transfer a large data chunk, unless we have observed + the initial connection, we need to discard these packets + as they are not an indication that this 
flow is not AFP + */ + return; + } + /* + * this will detect the OpenSession command of the Data Stream Interface (DSI) protocol + * which is exclusively used by the Apple Filing Protocol (AFP) on TCP/IP networks + */ + if (packet->payload_packet_len >= 22 && get_u_int16_t(packet->payload, 0) == htons(0x0004) && + get_u_int16_t(packet->payload, 2) == htons(0x0001) && get_u_int32_t(packet->payload, 4) == 0 && + get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && + get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) { + + NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n"); + ndpi_int_afp_add_connection(ndpi_struct, flow); + return; + } + + if((h->flags <= 1) + && ((h->command >= 1) && (h->command <= 8)) + && (h->reserved == 0) + && (packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length)))) { + NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI detected.\n"); + ndpi_int_afp_add_connection(ndpi_struct, flow); + return; + } + } NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP excluded.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AFP); |
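Review bot: The generic DSI test `packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length))` adds a peer-controlled 32-bit length to the header size, so where `size_t` is 32 bits a length near `0xffffffff` wraps the sum to a small value and the check passes. The enclosing `if` already guarantees the payload holds at least one header, so the subtraction form cannot wrap: `&& (ntohl(h->length) <= packet->payload_packet_len - sizeof(struct afpHeader))`. The result only feeds classification here, but a wrapped comparison lets a packet with an implausible length field still be labelled AFP, which matters where the label drives policy. Separately, `h` is a cast of `packet->payload`, which may not be 4-byte aligned, so the reads of `h->length` and `h->reserved` are worth confirming on strict-alignment targets. The function's closing brace lies outside the hunk.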