aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/protocols')
-rw-r--r--src/lib/protocols/dns.c44
-rw-r--r--src/lib/protocols/ftp_data.c50
-rw-r--r--src/lib/protocols/http.c279
-rw-r--r--src/lib/protocols/quic.c4
-rw-r--r--src/lib/protocols/ssl.c10
-rw-r--r--src/lib/protocols/whatsapp.c34
6 files changed, 97 insertions, 324 deletions
diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
index e282eb4d3..d17acd2bd 100644
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@@ -59,7 +59,19 @@ static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
return(off + getNameLength(i+off, payload, payloadLen));
}
}
+/*
+ allowed chars for dns names A-Z 0-9 _ -
+ Perl script for generation map:
+ my @M;
+ for(my $ch=0; $ch < 256; $ch++) {
+ $M[$ch >> 5] |= 1 << ($ch & 0x1f) if chr($ch) =~ /[a-z0-9_-]/i;
+ }
+ print join(',', map { sprintf "0x%08x",$_ } @M),"\n";
+ */
+static uint32_t dns_validchar[8] = {
+ 0x00000000,0x03ff2000,0x87fffffe,0x07fffffe,0,0,0,0
+};
/* *********************************************** */
void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
@@ -108,6 +120,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
invalid = 1;
if(!invalid) {
+ int j = 0, max_len, off;
if(is_query) {
/* DNS Request */
if((dns_header.num_queries > 0) && (dns_header.num_queries <= NDPI_MAX_DNS_REQUESTS)
@@ -187,28 +200,31 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd
}
/* extract host name server */
- int j = 0, max_len = sizeof(flow->host_server_name)-1, off = sizeof(struct ndpi_dns_packet_header) + 1 + payload_offset;
- while(off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {
- flow->host_server_name[j] = flow->packet.payload[off];
- if(j < max_len) {
- if(flow->host_server_name[j] < ' ')
- flow->host_server_name[j] = '.';
- j++;
- } else
- break;
-
- off++;
+ max_len = sizeof(flow->host_server_name)-1;
+ off = sizeof(struct ndpi_dns_packet_header) + payload_offset;
+
+ while(j < max_len && off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {
+ uint8_t c,cl = flow->packet.payload[off++];
+ if( (cl & 0xc0) != 0 || // we not support compressed names in query
+ off + cl >= flow->packet.payload_packet_len) {
+ j = 0; break;
+ }
+ if(j && j < max_len) flow->host_server_name[j++] = '.';
+ while(j < max_len && cl != 0) {
+ c = flow->packet.payload[off++];
+ flow->host_server_name[j++] = dns_validchar[c >> 5] & (1 << (c & 0x1f)) ? c:'_';
+ cl--;
+ }
}
+ flow->host_server_name[j] = '\0';
if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) {
// dpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN);
return; /* The response will set the verdict */
}
-
- flow->host_server_name[j] = '\0';
flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,
- flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);
+ flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs);
if(j > 0) {
ndpi_protocol_match_result ret_match;
diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c
index 8d3e6fa8c..7c646c363 100644
--- a/src/lib/protocols/ftp_data.c
+++ b/src/lib/protocols/ftp_data.c
@@ -49,16 +49,22 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t payload_len = packet->payload_packet_len;
- if((payload_len >= 4)
- && ((packet->payload[0] == '-') || (packet->payload[0] == 'd'))
- && ((packet->payload[1] == '-') || (packet->payload[1] == 'r'))
- && ((packet->payload[2] == '-') || (packet->payload[2] == 'w'))
- && ((packet->payload[3] == '-') || (packet->payload[3] == 'x'))) {
-
- return 1;
+ if(payload_len > 10) {
+ int i;
+
+ if(!((packet->payload[0] == '-') || (packet->payload[0] == 'd')))
+ return(0);
+
+ for(i=0; i<9; i += 3)
+ if(((packet->payload[1+i] == '-') || (packet->payload[1+i] == 'r'))
+ && ((packet->payload[2+i] == '-') || (packet->payload[2+i] == 'w'))
+ && ((packet->payload[3+i] == '-') || (packet->payload[3+i] == 'x'))) {
+ ;
+ } else
+ return 0;
}
- return 0;
+ return 1;
}
static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
@@ -220,16 +226,24 @@ static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_stru
static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
- if((packet->payload_packet_len > 0)
- && (ndpi_match_file_header(ndpi_struct, flow)
- || ndpi_match_ftp_data_directory(ndpi_struct, flow)
- || ndpi_match_ftp_data_port(ndpi_struct, flow)
- )
- ) {
- NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n");
- ndpi_int_ftp_data_add_connection(ndpi_struct, flow);
- } else
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+ /*
+ Make sure we see the beginning of the connection as otherwise we might have
+ false positive results
+ */
+ if(flow->l4.tcp.seen_syn) {
+ if((packet->payload_packet_len > 0)
+ && (ndpi_match_file_header(ndpi_struct, flow)
+ || ndpi_match_ftp_data_directory(ndpi_struct, flow)
+ || ndpi_match_ftp_data_port(ndpi_struct, flow)
+ )
+ ) {
+ NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n");
+ ndpi_int_ftp_data_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+
+ NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 4ce80f9c9..fc392c2b7 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -65,93 +65,6 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd
flow->http_detected = 1, flow->guessed_category = category;
}
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
-static void flash_check_http_payload(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
- const u_int8_t *pos;
-
- if(packet->empty_line_position_set == 0 || (packet->empty_line_position + 10) > (packet->payload_packet_len))
- return;
-
- pos = &packet->payload[packet->empty_line_position] + 2;
-
- if(memcmp(pos, "FLV", 3) == 0 && pos[3] == 0x01 && (pos[4] == 0x01 || pos[4] == 0x04 || pos[4] == 0x05)
- && pos[5] == 0x00 && pos[6] == 0x00 && pos[7] == 0x00 && pos[8] == 0x09) {
-
- NDPI_LOG_INFO(ndpi_struct, "found Flash content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_FLASH);
- }
-}
-#endif
-
-#ifdef NDPI_CONTENT_CATEGORY_AVI
-static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
-
- NDPI_LOG_DBG2(ndpi_struct, "called avi_check_http_payload: %u %u %u\n",
- packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position);
-
- if(packet->empty_line_position_set == 0 && flow->l4.tcp.http_empty_line_seen == 0)
- return;
-
- if(packet->empty_line_position_set != 0 && ((packet->empty_line_position + 20) > (packet->payload_packet_len))
- && flow->l4.tcp.http_empty_line_seen == 0) {
- flow->l4.tcp.http_empty_line_seen = 1;
- return;
- }
-
- if(flow->l4.tcp.http_empty_line_seen == 1) {
- if(packet->payload_packet_len > 20 && memcmp(packet->payload, "RIFF", 4) == 0
- && memcmp(packet->payload + 8, "AVI LIST", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found Avi content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_AVI);
- }
- flow->l4.tcp.http_empty_line_seen = 0;
- return;
- }
-
- /**
- for reference see http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/directx9_c/directx/htm/avirifffilereference.asp
- **/
- if(packet->empty_line_position_set != 0) {
-
- u_int32_t p = packet->empty_line_position + 2;
-
- // check for avi header
- NDPI_LOG_DBG2(ndpi_struct, "p = %u\n", p);
-
- if((p + 16) <= packet->payload_packet_len && memcmp(&packet->payload[p], "RIFF", 4) == 0
- && memcmp(&packet->payload[p + 8], "AVI LIST", 8) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found Avi content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_AVI);
- }
- }
-}
-#endif
-
-static void teamviewer_check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
- const u_int8_t *pos;
-
- NDPI_LOG_DBG2(ndpi_struct, "called teamviewer_check_http_payload: %u %u %u\n",
- packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position);
-
- if(packet->empty_line_position_set == 0 || (packet->empty_line_position + 5) > (packet->payload_packet_len))
- return;
-
- pos = &packet->payload[packet->empty_line_position] + 2;
-
- if(pos[0] == 0x17 && pos[1] == 0x24) {
- NDPI_LOG_INFO(ndpi_struct, "found TeamViewer content in HTTP\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER);
- }
-}
-
static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
@@ -260,25 +173,25 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
if(flow->packet.http_method.len < 3)
- flow->http.method = HTTP_METHOD_UNKNOWN;
+ flow->http.method = NDPI_HTTP_METHOD_UNKNOWN;
else {
switch(flow->packet.http_method.ptr[0]) {
- case 'O': flow->http.method = HTTP_METHOD_OPTIONS; break;
- case 'G': flow->http.method = HTTP_METHOD_GET; break;
- case 'H': flow->http.method = HTTP_METHOD_HEAD; break;
+ case 'O': flow->http.method = NDPI_HTTP_METHOD_OPTIONS; break;
+ case 'G': flow->http.method = NDPI_HTTP_METHOD_GET; break;
+ case 'H': flow->http.method = NDPI_HTTP_METHOD_HEAD; break;
case 'P':
switch(flow->packet.http_method.ptr[1]) {
- case 'O': flow->http.method = HTTP_METHOD_POST; break;
- case 'U': flow->http.method = HTTP_METHOD_PUT; break;
+ case 'O': flow->http.method = NDPI_HTTP_METHOD_POST; break;
+ case 'U': flow->http.method = NDPI_HTTP_METHOD_PUT; break;
}
break;
- case 'D': flow->http.method = HTTP_METHOD_DELETE; break;
- case 'T': flow->http.method = HTTP_METHOD_TRACE; break;
- case 'C': flow->http.method = HTTP_METHOD_CONNECT; break;
+ case 'D': flow->http.method = NDPI_HTTP_METHOD_DELETE; break;
+ case 'T': flow->http.method = NDPI_HTTP_METHOD_TRACE; break;
+ case 'C': flow->http.method = NDPI_HTTP_METHOD_CONNECT; break;
default:
- flow->http.method = HTTP_METHOD_UNKNOWN;
+ flow->http.method = NDPI_HTTP_METHOD_UNKNOWN;
break;
}
}
@@ -461,15 +374,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
}
}
- /* search for line startin with "Icy-MetaData" */
- for (a = 0; a < packet->parsed_lines; a++) {
- if(packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) {
- NDPI_LOG_INFO(ndpi_struct, "found MPEG: Icy-MetaData\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_CATEGORY_MPEG);
- return;
- }
- }
-
if(packet->content_line.ptr != NULL && packet->content_line.len != 0) {
NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
@@ -486,20 +390,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]);
}
-static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- NDPI_LOG_DBG2(ndpi_struct, "called check_http_payload\n");
-
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
- if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_CONTENT_CATEGORY_FLASH) != 0)
- flash_check_http_payload(ndpi_struct, flow);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_AVI
- if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_CONTENT_CATEGORY_AVI) != 0)
- avi_check_http_payload(ndpi_struct, flow);
-#endif
-
- teamviewer_check_http_payload(ndpi_struct, flow);
+static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ /* Add here your paylod code check */
}
/**
@@ -557,25 +449,6 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd
static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow)
{
-#ifdef NDPI_CONTENT_CATEGORY_MPEG
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_MPEG);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_QUICKTIME
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_QUICKTIME);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_WINDOWSMEDIA
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_WINDOWSMEDIA);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_REALMEDIA
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_REALMEDIA);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_AVI
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_AVI);
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_OGG
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_OGG);
-#endif
-
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
}
@@ -949,7 +822,7 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod,
struct ndpi_flow_struct *flow) {
if(!flow)
- return(HTTP_METHOD_UNKNOWN);
+ return(NDPI_HTTP_METHOD_UNKNOWN);
else
return(flow->http.method);
}
@@ -985,130 +858,4 @@ void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
-
-#if 0
- ndpi_set_bitmask_protocol_detection("HTTP_Proxy", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_HTTP_PROXY,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-
-#ifdef NDPI_CONTENT_CATEGORY_MPEG
- ndpi_set_bitmask_protocol_detection("MPEG", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_MPEG,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
-
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
- ndpi_set_bitmask_protocol_detection("Flash", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_FLASH,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_QUICKTIME
- ndpi_set_bitmask_protocol_detection("QuickTime", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_QUICKTIME,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_REALMEDIA
- ndpi_set_bitmask_protocol_detection("RealMedia", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_REALMEDIA,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_WINDOWSMEDIA
- ndpi_set_bitmask_protocol_detection("WindowsMedia", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_WINDOWSMEDIA,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_MMS
- ndpi_set_bitmask_protocol_detection("MMS", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_MMS,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-
- ndpi_set_bitmask_protocol_detection("Xbox", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_XBOX,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-
- ndpi_set_bitmask_protocol_detection("QQ", ndpi_struct, detection_bitmask, *id,
- NDPI_PROTOCOL_QQ,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-
-#ifdef NDPI_CONTENT_CATEGORY_AVI
- ndpi_set_bitmask_protocol_detection("AVI", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_AVI,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-#ifdef NDPI_CONTENT_CATEGORY_OGG
- ndpi_set_bitmask_protocol_detection("OggVorbis", ndpi_struct, detection_bitmask, *id,
- NDPI_CONTENT_CATEGORY_OGG,
- ndpi_search_http_tcp,
- NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
- NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN,
- ADD_TO_DETECTION_BITMASK);
- *id += 1;
-#endif
-
- /* Update excluded protocol bitmask */
- NDPI_BITMASK_SET(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask,
- ndpi_struct->callback_buffer[a].detection_bitmask);
-
- /*Delete protocol from excluded protocol bitmask*/
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_UNKNOWN);
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_QQ);
-
-#ifdef NDPI_CONTENT_CATEGORY_FLASH
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_FLASH);
-#endif
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_CONTENT_CATEGORY_MMS);
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->callback_buffer[a].excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX);
-
- NDPI_BITMASK_SET(ndpi_struct->generic_http_packet_bitmask, ndpi_struct->callback_buffer[a].detection_bitmask);
-
- NDPI_DEL_PROTOCOL_FROM_BITMASK(ndpi_struct->generic_http_packet_bitmask, NDPI_PROTOCOL_UNKNOWN);
-
- /* Update callback_buffer index */
- a++;
-
-#endif
}
diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 322eb9be7..d14538e0d 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -22,6 +22,10 @@
*
*/
+#if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__
+#include <sys/endian.h>
+#endif
+
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QUIC
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index 4651b358f..ff6b47a0f 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -27,7 +27,8 @@
#include "ndpi_api.h"
-// #define CERTIFICATE_DEBUG 1
+//#define CERTIFICATE_DEBUG 1
+
#define NDPI_MAX_SSL_REQUEST_SIZE 10000
/* Skype.c */
@@ -150,9 +151,9 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef CERTIFICATE_DEBUG
{
- static u_int8_t id = 0;
+ u_int16_t ssl_version = (packet->payload[1] << 8) + packet->payload[2];
- NDPI_LOG_DBG2(ndpi_struct,"-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF);
+ printf("SSL [version: %u]\n", ssl_version);
}
#endif
@@ -232,8 +233,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
}
} else if(handshake_protocol == 0x01 /* Client Hello */) {
u_int offset, base_offset = 43;
- if (base_offset + 2 <= packet->payload_packet_len)
- {
+ if (base_offset + 2 <= packet->payload_packet_len) {
u_int16_t session_id_len = packet->payload[base_offset];
if((session_id_len+base_offset+2) <= total_len) {
diff --git a/src/lib/protocols/whatsapp.c b/src/lib/protocols/whatsapp.c
index 6964a8e0e..608e6576e 100644
--- a/src/lib/protocols/whatsapp.c
+++ b/src/lib/protocols/whatsapp.c
@@ -26,34 +26,26 @@
void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
- u_int8_t whatsapp_sequence[] = {
+ static u_int8_t whatsapp_sequence[] = {
0x45, 0x44, 0x0, 0x01, 0x0, 0x0, 0x02, 0x08,
0x0, 0x57, 0x41, 0x02, 0x0, 0x0, 0x0
};
NDPI_LOG_DBG(ndpi_struct, "search WhatsApp\n");
- if(flow->l4.tcp.wa_matched_so_far == 0) {
- if(memcmp(packet->payload, whatsapp_sequence, packet->payload_packet_len)) {
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- } else
- flow->l4.tcp.wa_matched_so_far = packet->payload_packet_len;
+ if(flow->l4.tcp.wa_matched_so_far < sizeof(whatsapp_sequence)) {
+ size_t match_len = sizeof(whatsapp_sequence) - flow->l4.tcp.wa_matched_so_far;
+ if(packet->payload_packet_len < match_len)
+ match_len = packet->payload_packet_len;
- return;
- } else {
- if(memcmp(packet->payload, &whatsapp_sequence[flow->l4.tcp.wa_matched_so_far],
- sizeof(whatsapp_sequence)-flow->l4.tcp.wa_matched_so_far))
- NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
- else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
-
- return;
- }
-
- if((packet->payload_packet_len > 240)
- && (memcmp(packet->payload, whatsapp_sequence, sizeof(whatsapp_sequence)) == 0)) {
- NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n");
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ if(!memcmp(packet->payload, &whatsapp_sequence[flow->l4.tcp.wa_matched_so_far], match_len)) {
+ flow->l4.tcp.wa_matched_so_far += match_len;
+ if(flow->l4.tcp.wa_matched_so_far == sizeof(whatsapp_sequence)) {
+ NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN);
+ }
+ return;
+ }
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
Powered by cgit, Themed by Ted Yin.