Diffstat (limited to 'src/lib/protocols')
-rw-r--r-- | src/lib/protocols/directconnect.c | 246 | ||||
-rw-r--r-- | src/lib/protocols/gnutella.c | 65 | ||||
-rw-r--r-- | src/lib/protocols/icecast.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/irc.c | 146 | ||||
-rw-r--r-- | src/lib/protocols/jabber.c | 186 | ||||
-rw-r--r-- | src/lib/protocols/thunder.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/world_of_warcraft.c | 16 |
7 files changed, 15 insertions, 653 deletions
diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c
index 55a3f8145..ea418f36d 100644
--- a/src/lib/protocols/directconnect.c
+++ b/src/lib/protocols/directconnect.c
@@ -77,151 +77,23 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s struct ndpi_flow_struct *flow, const u_int8_t connection_type) { - - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - - if(src != NULL) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - if(connection_type == DIRECT_CONNECT_TYPE_PEER) { - if(packet->tcp != NULL - && flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) { - src->detected_directconnect_port = packet->tcp->source; - NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port)); - } - if(packet->udp != NULL && src->detected_directconnect_udp_port == 0) { - src->detected_directconnect_udp_port = packet->udp->source; - NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port)); - - } - } - - } - if(dst != NULL) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - if(connection_type == DIRECT_CONNECT_TYPE_PEER) { - if(packet->tcp != NULL - && flow->setup_packet_direction == packet->packet_direction && dst->detected_directconnect_port == 0) { - /* DST PORT MARKING CAN LEAD TO PORT MISSDETECTIONS - * seen at large customer http servers, where someone has send faked DC tcp packets - * to the server - */ - - /* - dst->detected_directconnect_port = packet->tcp->dest; - NDPI_LOG_DBG2(ndpi_struct, - "DC tcp PORT %u for dst\n", - ntohs (dst->detected_directconnect_port)); - */ - } - } - } } static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = 
flow->dst; - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { if(packet->payload_packet_len >= 40 && memcmp(&packet->payload[0], "BINF", 4) == 0) { - u_int16_t ssl_port = parse_binf_message(ndpi_struct, - &packet->payload[4], - packet->payload_packet_len - 4); - if(dst != NULL && ssl_port) - dst->detected_directconnect_ssl_port = ssl_port; - - if(src != NULL && ssl_port) - src->detected_directconnect_ssl_port = ssl_port; + parse_binf_message(ndpi_struct, + &packet->payload[4], + packet->payload_packet_len - 4); } - if((packet->payload_packet_len >= 38 && packet->payload_packet_len <= 42) - && memcmp(&packet->payload[0], "DCTM", 4) == 0 && memcmp(&packet->payload[15], "ADCS", 4) == 0) { - u_int16_t bytes_read = 0; - if(dst != NULL) { - dst->detected_directconnect_ssl_port = - ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port)); - } - if(src != NULL) { - src->detected_directconnect_ssl_port = - ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port)); - } - - - } return; } - if(src != NULL) { - if(src->detected_directconnect_port == packet->tcp->source) { - if((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - src->detected_directconnect_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); - return; - } - } - if(src->detected_directconnect_ssl_port == packet->tcp->dest) { - 
if((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - src->detected_directconnect_ssl_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); - return; - } - } - - } - - if(dst != NULL) { - if(dst->detected_directconnect_port == packet->tcp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_port = 0; - NDPI_LOG_DBG(ndpi_struct, "resetting dst port due to timeout\n"); - return; - } - } - if(dst->detected_directconnect_ssl_port == packet->tcp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_ssl_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n"); - return; - } - } - - } if(flow->directconnect_stage 
== 0) { 
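Review bot: In ndpi_search_directconnect_tcp the BINF branch still calls `parse_binf_message(ndpi_struct, &packet->payload[4], packet->payload_packet_len - 4);`, but its result (previously stored as the SSL port) is now discarded, so the dissector walks untrusted payload for no visible effect. parse_binf_message is defined outside this hunk; if it has no side effect beyond the returned port, drop the call, otherwise write `(void)parse_binf_message(...)` with a comment saying what the call is kept for. Separately, `connection_type` in ndpi_int_directconnect_add_connection is no longer read and will be reported under -Wunused-parameter; either remove it from the signature and its call sites or mark it unused.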
@@ -308,124 +180,15 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n } -static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - int pos, count = 0; - - if(dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { - if((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - - dst->directconnect_last_safe_access_time = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found DC using udp port %d\n", ntohs(dst->detected_directconnect_udp_port)); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } else { - dst->detected_directconnect_udp_port = 0; - NDPI_LOG_DBG2(ndpi_struct, "resetting dst udp port due to timeout\n"); - return; - } - } - - if(packet->payload_packet_len > 58) { - if(src != NULL - && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) { - if(packet->payload[0] == '$' - && packet->payload[packet->payload_packet_len - 1] == '|' - && memcmp(&packet->payload[1], "SR ", 3) == 0) { - pos = packet->payload_packet_len - 2; - if(packet->payload[pos] == ')') { - while (pos > 0 && packet->payload[pos] != '(' && count < 21) { - pos--; - count++; - } - if(packet->payload[pos] == '(') { - pos = pos - 44; - if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); - ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; - } - } - } - flow->directconnect_stage++; - if(flow->directconnect_stage < 3) - return; - } - - } - if(dst != NULL - && 
NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT)) { - if(packet->payload[0] == '$' - && packet->payload[packet->payload_packet_len - 1] == '|' - && memcmp(&packet->payload[1], "SR ", 3) == 0) { - pos = packet->payload_packet_len - 2; - if(packet->payload[pos] == ')') { - while (pos > 0 && packet->payload[pos] != '(' && count < 21) { - pos--; - count++; - } - if(packet->payload[pos] == '(') { - pos = pos - 44; - if(pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); - ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; - } - } - } - flow->directconnect_stage++; - if(flow->directconnect_stage < 3) - return; - } - } - - } - NDPI_LOG_DBG(ndpi_struct, "excluded DC at stage %d \n", flow->directconnect_stage); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT); - - -} - void ndpi_search_directconnect(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; NDPI_LOG_DBG(ndpi_struct, "search DC\n"); - if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { - if(src != NULL && ((u_int32_t) - (packet->current_time_ms - - src->directconnect_last_safe_access_time) < - ndpi_struct->directconnect_connection_ip_tick_timeout)) { - src->directconnect_last_safe_access_time = packet->current_time_ms; - - } else if(dst != NULL && ((u_int32_t) - (packet->current_time_ms - - dst->directconnect_last_safe_access_time) < - ndpi_struct->directconnect_connection_ip_tick_timeout)) { - dst->directconnect_last_safe_access_time = packet->current_time_ms; - } else { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_UNKNOWN); - NDPI_LOG_DBG2(ndpi_struct, "skipping as unknown 
due to timeout\n"); - } - return; - } - if(packet->tcp != NULL) { ndpi_search_directconnect_tcp(ndpi_struct, flow); - } else if(packet->udp != NULL) { - ndpi_search_directconnect_udp(ndpi_struct, flow); } } @@ -435,7 +198,8 @@ void init_directconnect_dissector(struct ndpi_detection_module_struct *ndpi_stru ndpi_set_bitmask_protocol_detection("DirectConnect", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DIRECTCONNECT, ndpi_search_directconnect, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, + /* TODO: UDP?*/ + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 2af76085f..ecb93d53f 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c 
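Review bot: The `/* TODO: UDP?*/` comment in init_directconnect_dissector does not say what was lost. With the selection bitmask narrowed to `NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION` and ndpi_search_directconnect_udp removed earlier in this file, UDP packets no longer reach this dissector. I would spell that out so anyone relying on it for policy or monitoring knows about the coverage gap, e.g. `/* UDP detection relied on per-host state (ndpi_id_struct) and was removed; DirectConnect over UDP is currently not detected. */`. The function body starts and ends outside the hunk.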
@@ -33,67 +33,18 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN, confidence); NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n"); - - if (src != NULL) { - src->gnutella_ts = packet->current_time_ms; - if (packet->udp != NULL) { - if (!src->detected_gnutella_udp_port1) { - src->detected_gnutella_udp_port1 = (packet->udp->source); - NDPI_LOG_DBG2(ndpi_struct, - "GNUTELLA UDP PORT1 DETECTED as %u\n", src->detected_gnutella_udp_port1); - - } else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1) - && !src->detected_gnutella_udp_port2) { - src->detected_gnutella_udp_port2 = (packet->udp->source); - NDPI_LOG_DBG2(ndpi_struct, - "GNUTELLA UDP PORT2 DETECTED as %u\n", src->detected_gnutella_udp_port2); - - } - } - } - if (dst != NULL) { - dst->gnutella_ts = packet->current_time_ms; - } } void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; u_int16_t c; NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) { - if (src != NULL && ((u_int32_t) - (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "save src connection packet detected\n"); - src->gnutella_ts = packet->current_time_ms; - } else if (dst != NULL && ((u_int32_t) - (packet->current_time_ms - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "save dst connection packet detected\n"); - dst->gnutella_ts = packet->current_time_ms; 
- } - if (src != NULL && (packet->current_time_ms - src->gnutella_ts) > ndpi_struct->gnutella_timeout) { - src->detected_gnutella_udp_port1 = 0; - src->detected_gnutella_udp_port2 = 0; - } - if (dst != NULL && (packet->current_time_ms - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) { - dst->detected_gnutella_udp_port1 = 0; - dst->detected_gnutella_udp_port2 = 0; - } - - return; - } - /* skip packets without payload */ if (packet->payload_packet_len < 2) { return; @@ -234,12 +185,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru } } } else if (packet->udp != NULL) { - if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 || - packet->udp->source == src->detected_gnutella_udp_port2) && - (packet->current_time_ms - src->gnutella_ts) < ndpi_struct->gnutella_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "port based detection\n\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } /* observations: * all the following patterns send out many packets which are the only ones of their flows, * often on the very beginning of the traces, or flows with many packets in one direction only. 
@@ -333,20 +278,18 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (flow->packet_counter == 2 && (packet->payload_packet_len == 33 || packet->payload_packet_len == 22) && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0] && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] - && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] - && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { + && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) { NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } else if (flow->l4.tcp.gnutella_stage == 2 - packet->packet_direction) { if (flow->packet_counter == 2 && (packet->payload_packet_len == 10 || packet->payload_packet_len == 75) && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0] && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] - && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] - && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { + && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]) { NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); - ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); + ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); return; } } diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 61dafc2d6..ce8b20c12 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -60,10 +60,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - if(NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) { - goto icecast_exclude; - } - if(flow == NULL) return; if((packet->packet_direction == flow->setup_packet_direction) 
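Review bot: In ndpi_search_gnutella (gnutella.c) the two NEONet message-ID branches lose their only corroborating condition, `NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)`. A flow is now labelled Gnutella on `packet_counter == 2`, one of two payload lengths and three matching bytes at offsets 0, 2 and 4, and it is reported with `NDPI_CONFIDENCE_DPI`. That is a weak signature to stand alone; how `gnutella_msg_id` is filled is outside this hunk, but unrelated TCP flows that happen to repeat those bytes would presumably match and be misclassified. The same loss of the host-level condition appears in ndpi_int_search_thunder_http (thunder.c, now gated on `GET /` alone before the line parser runs) and in the port-3724 check of ndpi_search_worldofwarcraft (world_of_warcraft.c). I would either tighten these checks with a further payload invariant or drop the branches, and where they stay add a comment such as `/* weak match: previously required a host already seen speaking this protocol */`.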
@@ -89,7 +85,6 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s } } - icecast_exclude: NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index 6ff3af836..33c41a4c3 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -29,38 +29,11 @@ #include "ndpi_api.h" -#define NDPI_IRC_FIND_LESS(time_err,less) {int t1 = 0; \ - u_int32_t timestamp = time_err[0]; \ - for(t1=0;t1 < NDPI_PROTOCOL_IRC_MAXPORT;t1++) { \ - if(timestamp > time_err[t1]) { \ - timestamp = time_err[t1]; \ - less = t1;}}} - static void ndpi_int_irc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, ndpi_confidence_t confidence) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); } - - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_duplicate(struct ndpi_id_struct *id_t, u_int16_t port) -{ - int index = 0; - while (index < id_t->irc_number_of_port) { - if (port == id_t->irc_port[index]) - return 1; - index++; - } - return 0; -} - static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -369,17 +342,9 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - int less; u_int16_t c = 0; - u_int16_t port = 0; - u_int16_t sport = 0; - u_int16_t dport = 0; - u_int16_t counter = 0; u_int16_t i = 0; u_int16_t j = 0; - u_int16_t k = 0; u_int16_t h; u_int16_t http_content_ptr_len = 0; u_int8_t space = 0; 
@@ -391,53 +356,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) { - if (src != NULL && ((u_int32_t) - (packet->current_time_ms - src->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "irc : save src connection packet detected\n"); - src->irc_ts = packet->current_time_ms; - } else if (dst != NULL && ((u_int32_t) - (packet->current_time_ms - dst->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG_DBG2(ndpi_struct, "irc : save dst connection packet detected\n"); - dst->irc_ts = packet->current_time_ms; - } - } - - if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) - && ((u_int32_t) - (packet->current_time_ms - dst->irc_ts)) < - ndpi_struct->irc_timeout)) || (src != NULL - && - NDPI_COMPARE_PROTOCOL_TO_BITMASK - (src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC) - && ((u_int32_t) - (packet->current_time_ms - src->irc_ts)) < ndpi_struct->irc_timeout)) { - if (packet->tcp != NULL) { - sport = packet->tcp->source; - dport = packet->tcp->dest; - } - if (dst != NULL) { - for (counter = 0; counter < dst->irc_number_of_port; counter++) { - if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) { - dst->last_time_port_used[counter] = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } - } - } - if (src != NULL) { - for (counter = 0; counter < src->irc_number_of_port; counter++) { - if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) { - src->last_time_port_used[counter] = packet->current_time_ms; - NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port"); - ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - return; - } - } - } - } - if 
(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(ndpi_struct, flow) != 0) { return; 
@@ -667,70 +585,6 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (space == 3) { j++; NDPI_LOG_DBG2(ndpi_struct, "read port."); - if (src != NULL) { - k = j; - port = - ntohs_ndpi_bytestream_to_number - (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG_DBG2(ndpi_struct, "port %u.", - port); - j = k; - // hier jetzt überlegen, wie die ports abgespeichert werden sollen - if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT) - NDPI_LOG_DBG2(ndpi_struct, "src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT."); - if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { - if (!ndpi_is_duplicate(src, port)) { - src->irc_port[src->irc_number_of_port] - = port; - src->irc_number_of_port++; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee", - ntohs(get_u_int16_t(src->irc_port, 0))); - } - src->irc_ts = packet->current_time_ms; - } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { - if (!ndpi_is_duplicate(src, port)) { - less = 0; - NDPI_IRC_FIND_LESS(src->last_time_port_used, less); - src->irc_port[less] = port; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0))); - } - src->irc_ts = packet->current_time_ms; - } - if (dst == NULL) { - break; - } - } - if (dst != NULL) { - port = ntohs_ndpi_bytestream_to_number - (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG_DBG2(ndpi_struct, "port %u.", port); - // hier das gleiche wie oben. - /* hier werden NDPI_PROTOCOL_IRC_MAXPORT ports pro irc flows mitgespeichert. könnte man denn nicht ein- - * fach an die dst oder src einen flag setzten, dass dieser port für eine bestimmte - * zeit ein irc-port bleibt? 
- */ - if (dst->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { - if (!ndpi_is_duplicate(dst, port)) { - dst->irc_port[dst->irc_number_of_port] - = port; - dst->irc_number_of_port++; - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); - NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu"); - } - dst->irc_ts = packet->current_time_ms; - } else if (port != 0 && dst->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { - if (!ndpi_is_duplicate(dst, port)) { - less = 0; - NDPI_IRC_FIND_LESS(dst->last_time_port_used, less); - dst->irc_port[less] = port; - - NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); - } - dst->irc_ts = packet->current_time_ms; - } - - break; - } } diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c index a5e5a069e..89dd3c8db 100644 --- a/src/lib/protocols/jabber.c +++ b/src/lib/protocols/jabber.c @@ -65,9 +65,6 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - u_int16_t x; NDPI_LOG_DBG(ndpi_struct, "search JABBER\n"); 
@@ -76,193 +73,10 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st return; } - /* search for jabber file transfer */ - /* this part is working asymmetrically */ - if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) { - NDPI_LOG_DBG2(ndpi_struct, "check jabber syn\n"); - if (src != NULL && src->jabber_file_transfer_port[0] != 0) { - NDPI_LOG_DBG2(ndpi_struct, "src jabber ft port set, ports are: %u, %u\n", - ntohs(src->jabber_file_transfer_port[0]), - ntohs(src->jabber_file_transfer_port[1])); - if (((u_int32_t) - (packet->current_time_ms - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n", - src->jabber_stun_or_ft_ts, packet->current_time_ms); - src->jabber_file_transfer_port[0] = 0; - src->jabber_file_transfer_port[1] = 0; - } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest - || src->jabber_file_transfer_port[0] == packet->tcp->source - || src->jabber_file_transfer_port[1] == packet->tcp->dest - || src->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); - - ndpi_int_jabber_add_connection(ndpi_struct, flow, - NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } - } - if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) { - NDPI_LOG_DBG2(ndpi_struct, "dst jabber ft port set, ports are: %u, %u\n", - ntohs(dst->jabber_file_transfer_port[0]), - ntohs(dst->jabber_file_transfer_port[1])); - if (((u_int32_t) - (packet->current_time_ms - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n", - dst->jabber_stun_or_ft_ts, packet->current_time_ms); - dst->jabber_file_transfer_port[0] = 0; - dst->jabber_file_transfer_port[1] = 0; - } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest - || dst->jabber_file_transfer_port[0] == 
packet->tcp->source - || dst->jabber_file_transfer_port[1] == packet->tcp->dest - || dst->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); - - ndpi_int_jabber_add_connection(ndpi_struct, flow, - NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI_SRC_DST_ID); - } - } - return; - } - if (packet->tcp != 0 && packet->payload_packet_len == 0) { return; } - - /* this part parses a packet and searches for port=. it works asymmetrically. */ - if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_JABBER) { - u_int16_t lastlen; - u_int16_t j_port = 0; - /* check for google jabber voip connections ... */ - /* need big packet */ - if (packet->payload_packet_len < 100) { - NDPI_LOG_DBG2(ndpi_struct, "packet too small, return\n"); - return; - } - /* need message to or type for file-transfer */ - if (memcmp(packet->payload, "<iq from=\"", 10) == 0 || memcmp(packet->payload, "<iq from=\'", 10) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq from=\"\n"); - lastlen = packet->payload_packet_len - 11; - for (x = 10; x < lastlen; x++) { - if (packet->payload[x] == 'p') { - if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "port=\n"); - if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->current_time_ms; - } - x += 6; - j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); - if (src != NULL) { - if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[1] = j_port; - } - } - if (dst != 
NULL) { - if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[1] = j_port; - } - } - } - - - } - } - - } else if (memcmp(packet->payload, "<iq to=\"", 8) == 0 || memcmp(packet->payload, "<iq to=\'", 8) == 0 - || memcmp(packet->payload, "<iq type=", 9) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "JABBER <iq to=\"/type=\"\n"); - lastlen = packet->payload_packet_len - 21; - for (x = 8; x < lastlen; x++) { - /* invalid character */ - if (packet->payload[x] < 32 || packet->payload[x] > 127) { - return; - } - if (packet->payload[x] == '@') { - NDPI_LOG_DBG2(ndpi_struct, "JABBER @\n"); - break; - } - } - if (x >= lastlen) { - return; - } - - lastlen = packet->payload_packet_len - 10; - for (; x < lastlen; x++) { - if (packet->payload[x] == 'p') { - if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG_DBG2(ndpi_struct, "port=\n"); - if (src != NULL) { - src->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - if (dst != NULL) { - dst->jabber_stun_or_ft_ts = packet->current_time_ms; - } - - x += 6; - j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); - - if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { - if (packet->payload[5] == 'o') { - src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++] - = j_port; - } else { - if (src->jabber_file_transfer_port[0] == 0 - || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[0] = j_port; - } else { - 
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - src->jabber_file_transfer_port[1] = j_port; - } - } - } - - if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { - if (packet->payload[5] == 'o') { - dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++] - = j_port; - } else { - if (dst->jabber_file_transfer_port[0] == 0 - || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[0] = j_port; - } else { - NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); - dst->jabber_file_transfer_port[1] = j_port; - } - } - } - return; - } - } - } - } - return; - } - - /* search for jabber here */ /* this part is working asymmetrically */ if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0) diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c index 7b5625511..caafa4e4c 100644 --- a/src/lib/protocols/thunder.c +++ b/src/lib/protocols/thunder.c @@ -135,11 +135,9 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; if (packet->payload_packet_len > 5 - && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) { + && memcmp(packet->payload, "GET /", 5) == 0) { NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n"); ndpi_parse_packet_line_info(ndpi_struct, flow); diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c index 2d35fe7ab..8b6da51f9 100644 --- a/src/lib/protocols/world_of_warcraft.c +++ b/src/lib/protocols/world_of_warcraft.c 
@@ -56,9 +56,6 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &ndpi_struct->packet; - struct ndpi_id_struct *src = flow->src; - struct ndpi_id_struct *dst = flow->dst; - NDPI_LOG_DBG(ndpi_struct, "search World of Warcraft\n"); if (packet->tcp != NULL) { @@ -108,14 +105,11 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct return; } - if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0) { - if (packet->tcp->source == htons(3724) - && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { - ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); - return; - } - + if (packet->tcp->source == htons(3724) + && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { + ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); + return; } /* for some well known WoW ports |