Diffstat (limited to 'src/lib/protocols/bittorrent.c')
-rw-r--r--src/lib/protocols/bittorrent.c111
1 files changed, 52 insertions, 59 deletions
diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c
index a88b1cce5..81fc3baf6 100644
--- a/src/lib/protocols/bittorrent.c
+++ b/src/lib/protocols/bittorrent.c
@@ -2,7 +2,7 @@
* bittorrent.c
*
* Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-18 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -23,8 +23,14 @@
*/
-#include "ndpi_protocols.h"
+#include "ndpi_protocol_ids.h"
+
#ifdef NDPI_PROTOCOL_BITTORRENT
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BITTORRENT
+
+#include "ndpi_api.h"
+
#define NDPI_PROTOCOL_UNSAFE_DETECTION 0
#define NDPI_PROTOCOL_SAFE_DETECTION 1
@@ -59,15 +65,15 @@ static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struc
const char *bt_hash = NULL; /* 20 bytes long */
if(bt_offset == -1) {
- const char *bt_magic = ndpi_strnstr((const char *)flow->packet.payload,
+ const char *bt_magic = ndpi_strnstr((const char *)flow->packet.payload,
"BitTorrent protocol", flow->packet.payload_packet_len);
if(bt_magic)
bt_hash = &bt_magic[19];
} else
bt_hash = (const char*)&flow->packet.payload[28];
-
- if(bt_hash) memcpy(flow->bittorent_hash, bt_hash, 20);
+
+ if(bt_hash) memcpy(flow->protos.bittorrent.hash, bt_hash, 20);
}
ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN);
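Review bot: The renamed `memcpy(flow->protos.bittorrent.hash, bt_hash, 20)` still copies 20 bytes without checking that they lie inside the captured payload. `bt_hash` is either `&bt_magic[19]` at whatever offset `ndpi_strnstr` matched or `&flow->packet.payload[28]`, and the visible caller in `ndpi_int_search_bittorrent_tcp_zero` only guarantees `payload_packet_len > 20`, so a short packet makes this read past the payload and store adjacent memory in the flow's hash field. Guard it by offset, e.g. `if(bt_hash && (size_t)(bt_hash - (const char *)flow->packet.payload) + 20 <= flow->packet.payload_packet_len) memcpy(flow->protos.bittorrent.hash, bt_hash, 20);`. The same applies to the `&bt_proto[27]` copy under `bittorrent_found:` in `ndpi_search_bittorrent`, where `payload_packet_len > 47` is only sufficient when the match sits at offset 0. The start of this function is outside the hunk, so confirm that no earlier length check already covers it.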
@@ -87,10 +93,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
if(flow->packet_counter == 2 && packet->payload_packet_len > 20) {
if(memcmp(&packet->payload[0], "BitTorrent protocol", 19) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT,
- ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 19, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
}
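Review bot: The new message `"found BT: plain\n"` is emitted verbatim from three different rules (here, the 0x13-prefixed handshake match in the next hunk, and the `bittorrent_found:` label in `ndpi_search_bittorrent`), and `"found BT: FlashGet\n"` from two, so an INFO log cannot tell which signature fired when a false positive is triaged. Since these lines are being rewritten anyway, make each string name its rule, for example `NDPI_LOG_INFO(ndpi_struct, "found BT: plain (no length prefix)\n");` here and `"found BT: plain (0x13 prefix)\n"` in the next hunk. The enclosing function starts and ends outside this hunk.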
@@ -99,19 +104,18 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
/* test for match 0x13+"BitTorrent protocol" */
if(packet->payload[0] == 0x13) {
if(memcmp(&packet->payload[1], "BitTorrent protocol", 19) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 20, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
}
}
if(packet->payload_packet_len > 23 && memcmp(packet->payload, "GET /webseed?info_hash=", 23) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, "BT: plain webseed BitTorrent protocol detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: plain webseed\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
return 1;
}
/* seen Azureus as server for webseed, possibly other servers existing, to implement */
@@ -119,10 +123,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
/* no asymmetric detection possible for answer of pattern "GET /data?fid=". */
if(packet->payload_packet_len > 60
&& memcmp(packet->payload, "GET /data?fid=", 14) == 0 && memcmp(&packet->payload[54], "&size=", 6) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, "BT: plain Bitcomet persistent seed protocol detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: plain Bitcomet persistent seed\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
return 1;
}
@@ -140,10 +143,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
&& ((packet->user_agent_line.len > 8 && memcmp(packet->user_agent_line.ptr, "Azureus ", 8) == 0)
|| (packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "BitTorrent", 10) == 0)
|| (packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "BTWebClient", 11) == 0))) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, "Azureus /Bittorrent user agent line detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: Azureus /Bittorrent user agent\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
return 1;
}
@@ -151,10 +153,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
&& (packet->user_agent_line.len >= 9 && memcmp(packet->user_agent_line.ptr, "Shareaza ", 9) == 0)
&& (packet->parsed_lines > 8 && packet->line[8].ptr != 0
&& packet->line[8].len >= 9 && memcmp(packet->line[8].ptr, "X-Queue: ", 9) == 0)) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, "Bittorrent Shareaza detected.\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: Shareaza detected\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
return 1;
}
@@ -186,9 +187,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
&& packet->line[8].ptr != NULL
&& packet->line[8].len > 22 && memcmp(packet->line[8].ptr, "Cache-Control: no-cache", 23) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "Bitcomet LTS detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: Bitcomet LTS\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
@@ -211,9 +212,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
&& packet->line[6].ptr != NULL
&& packet->line[6].len > 21 && memcmp(packet->line[6].ptr, "Connection: Keep-Alive", 22) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "FlashGet detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
@@ -232,9 +233,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
&& packet->line[5].ptr != NULL
&& packet->line[5].len > 21 && memcmp(packet->line[5].ptr, "Connection: Keep-Alive", 22) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "FlashGet detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
@@ -250,8 +251,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
ptr++;
}
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, " BT stat: tracker info hash found\n");
+ NDPI_LOG_DBG2(ndpi_struct, " BT stat: tracker info hash found\n");
/* len is > 50, so save operation here */
len -= 10;
@@ -300,10 +300,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
}
}
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, " BT stat: tracker info hash parsed\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: tracker info hash parsed\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
@@ -329,10 +328,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
/* did not see this pattern anywhere */
if((memcmp(&packet->payload[0], pattern_20_bytes, 20) == 0)
&& (memcmp(&packet->payload[52], pattern_12_bytes, 12) == 0)) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct,
- NDPI_LOG_TRACE, "BT: Warez - Plain BitTorrent protocol detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return 1;
}
}
@@ -344,11 +342,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module
/* haven't fount this pattern anywhere */
if(packet->host_line.ptr != NULL
&& packet->host_line.len >= 9 && memcmp(packet->host_line.ptr, "ip2p.com:", 9) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT,
- ndpi_struct, NDPI_LOG_TRACE,
- "BT: Warez - Plain BitTorrent protocol detected due to Host: ip2p.com: pattern\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain Host: ip2p.com: pattern\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION);
return 1;
}
}
@@ -370,13 +366,11 @@ static void ndpi_int_search_bittorrent_tcp(struct ndpi_detection_module_struct *
/* exclude stage 0 detection from next run */
flow->bittorrent_stage = 1;
if(ndpi_int_search_bittorrent_tcp_zero(ndpi_struct, flow) != 0) {
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_DEBUG,
- "stage 0 has detected something, returning\n");
+ NDPI_LOG_DBG2(ndpi_struct, "stage 0 has detected something, returning\n");
return;
}
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_DEBUG,
- "stage 0 has no direct detection, fall through\n");
+ NDPI_LOG_DBG2(ndpi_struct, "stage 0 has no direct detection, fall through\n");
}
return;
}
@@ -387,15 +381,15 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
char *bt_proto = NULL;
/* This is broadcast */
- if(packet->iph
+ if(packet->iph
&& (((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF))
- || (packet->udp
+ || (packet->udp
&& ((ntohs(packet->udp->source) == 3544) /* teredo.c */
|| (ntohs(packet->udp->dest) == 3544))))) {
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BITTORRENT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
-
+
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_BITTORRENT) {
/* check for tcp retransmission here */
@@ -441,7 +435,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
/* Heuristic */
bt_proto = ndpi_strnstr((const char *)&packet->payload[20], "BitTorrent protocol", packet->payload_packet_len-20);
goto bittorrent_found;
- } else if(((v1_version & 0x0f) == 1)
+ /* CSGO/DOTA conflict */
+ } else if(flow->packet_counter > 8 && ((v1_version & 0x0f) == 1)
&& ((v1_version >> 4) < 5 /* ST_NUM_STATES */)
&& (v1_extension < 3 /* EXT_NUM_EXT */)
&& (v1_window_size < 32768 /* 32k */)
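Review bot: The added `flow->packet_counter > 8` gate is an unexplained magic number, and its `/* CSGO/DOTA conflict */` comment sits after `goto bittorrent_found;` inside the previous branch, where it reads as describing the wrong code. Move the rationale onto the condition and say what the threshold trades off, e.g. `} else if(flow->packet_counter > 8 /* early CSGO/DOTA packets presumably match the uTP v1 header checks */ && ((v1_version & 0x0f) == 1)`. It is also worth documenting that uTP v1 flows of eight packets or fewer can no longer be classified by this heuristic. If the exclusion at the end of the function can run before the ninth packet, this branch would never be reached; that code is outside this hunk, so please confirm.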
@@ -466,8 +461,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
if(flow->bittorrent_stage < 10) {
/* We have detected bittorrent but we need to wait until we get a hash */
-
- if(packet->payload_packet_len > 19 /* min size */) {
+
+ if(packet->payload_packet_len > 19 /* min size */) {
if(ndpi_strnstr((const char *)packet->payload, ":target20:", packet->payload_packet_len)
|| ndpi_strnstr((const char *)packet->payload, ":find_node1:", packet->payload_packet_len)
|| ndpi_strnstr((const char *)packet->payload, "d1:ad2:id20:", packet->payload_packet_len)
@@ -475,23 +470,21 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st
|| ndpi_strnstr((const char *)packet->payload, ":filter64", packet->payload_packet_len)
|| ndpi_strnstr((const char *)packet->payload, "d1:rd2:id20:", packet->payload_packet_len)
|| (bt_proto = ndpi_strnstr((const char *)packet->payload, "BitTorrent protocol", packet->payload_packet_len))
- ) {
+ ) {
bittorrent_found:
if(bt_proto && (packet->payload_packet_len > 47))
- memcpy(flow->bittorent_hash, &bt_proto[27], 20);
+ memcpy(flow->protos.bittorrent.hash, &bt_proto[27], 20);
- NDPI_LOG(NDPI_PROTOCOL_BITTORRENT,
- ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n");
+ NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n");
ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0,
- NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
+ NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION);
return;
}
- }
+ }
return;
}
-
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BITTORRENT);
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
}
}