Diffstat (limited to 'src/lib/protocols/blizzard.c')
-rw-r--r--src/lib/protocols/blizzard.c38
1 files changed, 35 insertions, 3 deletions
diff --git a/src/lib/protocols/blizzard.c b/src/lib/protocols/blizzard.c
index 62d434360..6c566a4a6 100644
--- a/src/lib/protocols/blizzard.c
+++ b/src/lib/protocols/blizzard.c
@@ -31,6 +31,8 @@ static void search_blizzard_tcp(struct ndpi_detection_module_struct* ndpi_struct
{
struct ndpi_packet_struct* packet = &ndpi_struct->packet;
char wow_string[] = "WORLD OF WARCRAFT CONNECTION";
+ char overwatch2_string_c[] = "HELLO PRO CLIENT\0";
+ char overwatch2_string_s[] = "HELLO PRO SERVER\0";
NDPI_LOG_DBG(ndpi_struct, "search Blizzard\n");
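Review bot: The explicit `\0` at the end of `overwatch2_string_c` and `overwatch2_string_s` is undocumented and looks like a typo, although it appears to be deliberate. If `NDPI_STATICSTRING_LEN` is `sizeof` minus one, the later length check and `memcmp` cover 17 bytes, so the match requires the NUL to be present on the wire. A comment such as `/* trailing "\0" is intentional: the payload is the 16-byte banner plus a NUL */` would stop a later cleanup from silently changing the signature. The two arrays could also be declared `static const char` so they are not rebuilt on the stack for every packet. The body of search_blizzard_tcp starts and continues outside this hunk.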
@@ -53,7 +55,7 @@ static void search_blizzard_tcp(struct ndpi_detection_module_struct* ndpi_struct
/* Pattern found on Hearthstone */
if(packet->payload_packet_len >= 8 &&
le32toh(*(uint32_t *)&packet->payload[4]) == (u_int32_t)(packet->payload_packet_len - 8)) {
- NDPI_LOG_INFO(ndpi_struct, "Found Blizzard\n");
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Hearthstone)\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
return;
}
@@ -68,6 +70,18 @@ static void search_blizzard_tcp(struct ndpi_detection_module_struct* ndpi_struct
return;
}
+ /* Pattern found on Overwatch2 */
+ if((packet->payload_packet_len == NDPI_STATICSTRING_LEN(overwatch2_string_c) &&
+ memcmp(packet->payload, overwatch2_string_c, NDPI_STATICSTRING_LEN(overwatch2_string_c)) == 0) ||
+ (packet->payload_packet_len == NDPI_STATICSTRING_LEN(overwatch2_string_s) &&
+ memcmp(packet->payload, overwatch2_string_s, NDPI_STATICSTRING_LEN(overwatch2_string_s)) == 0)) {
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2)\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+
+ /* TODO: other patterns */
+
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
@@ -86,14 +100,32 @@ static void search_blizzard_udp(struct ndpi_detection_module_struct* ndpi_struct
/* First pkt send by the server */
(packet->payload_packet_len == 15 &&
packet->payload[14] == 1)) {
- NDPI_LOG_INFO(ndpi_struct, "Found Blizzard\n");
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Warcraft Ramble; pattern 1)\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
return;
}
/* First pkt send by the client */
if(packet->payload_packet_len == 23 &&
ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "\xff\xff\xff\xff\xa3\x1f\xb6\x1e\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00\x00\x04\x03\x02\x01")) {
- NDPI_LOG_INFO(ndpi_struct, "Found Blizzard\n");
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Warcraft Ramble; pattern 2)\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+
+ /* Patterns found on Overwatch2 */
+ /* Some kind of ping */
+ if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD &&
+ packet->payload_packet_len == 40 &&
+ *(uint32_t *)&packet->payload[17] == 0 /* Seq number starting from 0 */) {
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2; pattern 1)\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+ if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD &&
+ packet->payload_packet_len == 50 &&
+ ((*(uint64_t *)&packet->payload[32] == 0 && *(uint64_t *)&packet->payload[40] == 0) /* First pkt from client */ ||
+ (*(uint64_t *)&packet->payload[0] == 0 && *(uint64_t *)&packet->payload[8] == 0)) /* First pkt from server */) {
+ NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2; pattern 2)\n");
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
return;
}