Diffstat (limited to 'src/lib/protocols')
127 files changed, 618 insertions, 1251 deletions
diff --git a/src/lib/protocols/afp.c b/src/lib/protocols/afp.c index ffe303cea..a8cea6c03 100644 --- a/src/lib/protocols/afp.c +++ b/src/lib/protocols/afp.c @@ -2,7 +2,7 @@ * afp.c * * Copyright (C) 2009-11 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c index dec8118c2..b5cea464a 100644 --- a/src/lib/protocols/aimini.c +++ b/src/lib/protocols/aimini.c @@ -2,7 +2,7 @@ * aimini.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c index 793b3699e..66ae547d4 100644 --- a/src/lib/protocols/amqp.c +++ b/src/lib/protocols/amqp.c @@ -1,7 +1,7 @@ /* * amqp.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/applejuice.c b/src/lib/protocols/applejuice.c index 95e6b4458..7805b7590 100644 --- a/src/lib/protocols/applejuice.c +++ b/src/lib/protocols/applejuice.c @@ -2,7 +2,7 @@ * applejuice.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/armagetron.c b/src/lib/protocols/armagetron.c index 53c36a5f9..29bf5ce8e 100644 --- a/src/lib/protocols/armagetron.c +++ b/src/lib/protocols/armagetron.c 
@@ -2,7 +2,7 @@ * armagetron.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/attic/flash.c b/src/lib/protocols/attic/flash.c index eb27807d7..6e228fd8f 100644 --- a/src/lib/protocols/attic/flash.c +++ b/src/lib/protocols/attic/flash.c @@ -2,7 +2,7 @@ * flash.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/attic/ftp.c b/src/lib/protocols/attic/ftp.c index 19604089c..3b577e0fa 100644 --- a/src/lib/protocols/attic/ftp.c +++ b/src/lib/protocols/attic/ftp.c @@ -2,7 +2,7 @@ * ftp.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/attic/manolito.c b/src/lib/protocols/attic/manolito.c index 71fdaeaff..97cedede5 100644 --- a/src/lib/protocols/attic/manolito.c +++ b/src/lib/protocols/attic/manolito.c @@ -2,7 +2,7 @@ * manolito.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/attic/popo.c b/src/lib/protocols/attic/popo.c index c5b0447df..76c3a66b1 100644 --- a/src/lib/protocols/attic/popo.c +++ b/src/lib/protocols/attic/popo.c 
@@ -2,7 +2,7 @@ * popo.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/attic/secondlife.c b/src/lib/protocols/attic/secondlife.c index 487c03597..7a80a05c6 100644 --- a/src/lib/protocols/attic/secondlife.c +++ b/src/lib/protocols/attic/secondlife.c @@ -2,7 +2,7 @@ * secondlife.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c index c44c723b5..e10d017f3 100644 --- a/src/lib/protocols/ayiya.c +++ b/src/lib/protocols/ayiya.c @@ -1,7 +1,7 @@ /* * ayiya.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/battlefield.c b/src/lib/protocols/battlefield.c index b4ec74cfe..aa5c34846 100644 --- a/src/lib/protocols/battlefield.c +++ b/src/lib/protocols/battlefield.c @@ -2,7 +2,7 @@ * battlefield.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/bgp.c b/src/lib/protocols/bgp.c index aaa5730f7..6b409dbb8 100644 --- a/src/lib/protocols/bgp.c +++ b/src/lib/protocols/bgp.c 
@@ -1,7 +1,7 @@ /* * bgp.c * - * Copyright (C) 2016-18 - ntop.org + * Copyright (C) 2016-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index ad7de6b42..e33f0c7dc 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -2,7 +2,7 @@ * bittorrent.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c index c85acd54c..8268e144d 100644 --- a/src/lib/protocols/btlib.c +++ b/src/lib/protocols/btlib.c @@ -1,7 +1,7 @@ /* * btlib.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * Contributed by Vitaly Lavrov <vel21ripn@gmail.com> * * This file is part of nDPI, an open source deep packet inspection diff --git a/src/lib/protocols/checkmk.c b/src/lib/protocols/checkmk.c index 991885fce..4df497908 100644 --- a/src/lib/protocols/checkmk.c +++ b/src/lib/protocols/checkmk.c @@ -1,7 +1,7 @@ /* * checkmk.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c index d98f91e02..4a73e5728 100644 --- a/src/lib/protocols/ciscovpn.c +++ b/src/lib/protocols/ciscovpn.c 
@@ -48,7 +48,33 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru
 NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n");
 ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
 return;
- }
+ }
+ else if(((tsport == 443 || tdport == 443) ||
+ (tsport == 80 || tdport == 80)) &&
+ ((packet->payload[0] == 0x17 &&
+ packet->payload[1] == 0x03 &&
+ packet->payload[2] == 0x03 &&
+ packet->payload[3] == 0x00 &&
+ packet->payload[4] == 0x3A)))
+ {
+ /* TLS signature of Cisco AnyConnect 0X170303003A */
+ NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
+ ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
+ return;
+ }
+ else if(((tsport == 8009 || tdport == 8009) ||
+ (tsport == 8008 || tdport == 8008)) &&
+ ((packet->payload[0] == 0x17 &&
+ packet->payload[1] == 0x03 &&
+ packet->payload[2] == 0x03 &&
+ packet->payload[3] == 0x00 &&
+ packet->payload[4] == 0x69)))
+ {
+ /* TCP signature of Cisco AnyConnect 0X1703030069 */
+ NDPI_LOG_INFO(ndpi_struct, "found CISCO Anyconnect VPN\n");
+ ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
+ return;
+ }
 } else if(
 (
 (usport == 10000 && udport == 10000)
diff --git a/src/lib/protocols/citrix.c b/src/lib/protocols/citrix.c
index 89e520815..4d0901963 100644
--- a/src/lib/protocols/citrix.c
+++ b/src/lib/protocols/citrix.c
@@ -1,7 +1,7 @@
 /*
 * citrix.c
 *
- * Copyright (C) 2012-18 - ntop.org
+ * Copyright (C) 2012-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c
index 6f96871ea..0fabd1a42 100644
--- a/src/lib/protocols/collectd.c
+++ b/src/lib/protocols/collectd.c
@@ -1,7 +1,7 @@
 /*
 * collectd.c
 *
- * Copyright (C) 2014-18 - ntop.org
+ * Copyright (C) 2014-19 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
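Review bot: Both new `else if` branches index `packet->payload[0]` through `[4]` without any visible `payload_packet_len` test, so a 0-4 byte TCP segment on port 80/443/8008/8009 reads past the payload; each condition should start with `(packet->payload_packet_len >= 5) &&` before the byte comparisons (a guard may exist in the part of ndpi_search_ciscovpn above this hunk, but nothing in the hunk shows one). The placement also looks wrong: the branches are attached to the inner `if` whose closing brace is the replaced `}` line, inside the block that the trailing `} else if(` context closes, and if that outer condition is the `tdport == 10000 && tsport == 10000` test the port-443/80 and 8008/8009 comparisons can never be true there, making the new code unreachable — worth confirming against the lines above the hunk. Finally, `0x17 0x03 0x03` followed by a 2-byte length is simply a TLS 1.2 application-data record header, so matching on record length alone (0x3A or 0x69) on port 443 will tag ordinary TLS flows as CISCOVPN; the comment `/* TCP signature ... */` on the second branch also mislabels what is a TLS record. ndpi_search_ciscovpn begins and ends outside this hunk.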
diff --git a/src/lib/protocols/crossfire.c b/src/lib/protocols/crossfire.c index 03f3b4264..129813545 100644 --- a/src/lib/protocols/crossfire.c +++ b/src/lib/protocols/crossfire.c @@ -1,7 +1,7 @@ /* * crossfire.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index 14959bae8..6a350f856 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -1,7 +1,7 @@ /* * dhcp.c * - * Copyright (C) 2016-18 - ntop.org + * Copyright (C) 2016-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/dhcpv6.c b/src/lib/protocols/dhcpv6.c index 77be89e40..abafb4748 100644 --- a/src/lib/protocols/dhcpv6.c +++ b/src/lib/protocols/dhcpv6.c @@ -2,7 +2,7 @@ * dhcpv6.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index 563540fba..e271b474d 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c @@ -2,7 +2,7 @@ * directconnect.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/directdownloadlink.c b/src/lib/protocols/directdownloadlink.c index cd8243786..dae952a7a 100644 --- a/src/lib/protocols/directdownloadlink.c +++ b/src/lib/protocols/directdownloadlink.c 
@@ -2,7 +2,7 @@ * directdownloadlink.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 6a4a02f60..86575f23e 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -1,7 +1,7 @@ /* * dns.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH @@ -30,7 +30,7 @@ #define FLAGS_MASK 0x8000 -/* #define DNS_DEBUG 1 */ +// #define DNS_DEBUG 1 /* *********************************************** */ 
@@ -59,23 +59,144 @@ static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) { return(off + getNameLength(i+off, payload, payloadLen)); } } -/* - allowed chars for dns names A-Z 0-9 _ - - Perl script for generation map: +/* + allowed chars for dns names A-Z 0-9 _ - + Perl script for generation map: my @M; for(my $ch=0; $ch < 256; $ch++) { - $M[$ch >> 5] |= 1 << ($ch & 0x1f) if chr($ch) =~ /[a-z0-9_-]/i; + $M[$ch >> 5] |= 1 << ($ch & 0x1f) if chr($ch) =~ /[a-z0-9_-]/i; } print join(',', map { sprintf "0x%08x",$_ } @M),"\n"; - */ +*/ static uint32_t dns_validchar[8] = { - 0x00000000,0x03ff2000,0x87fffffe,0x07fffffe,0,0,0,0 + 0x00000000,0x03ff2000,0x87fffffe,0x07fffffe,0,0,0,0 }; + +/* *********************************************** */ + +static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + struct ndpi_dns_packet_header *dns_header, + int payload_offset, u_int8_t *is_query) { + int x = payload_offset; + + memcpy(dns_header, (struct ndpi_dns_packet_header*)&flow->packet.payload[x], + sizeof(struct ndpi_dns_packet_header)); + dns_header->tr_id = ntohs(dns_header->tr_id); + dns_header->flags = ntohs(dns_header->flags); + dns_header->num_queries = ntohs(dns_header->num_queries); + dns_header->num_answers = ntohs(dns_header->num_answers); + dns_header->authority_rrs = ntohs(dns_header->authority_rrs); + dns_header->additional_rrs = ntohs(dns_header->additional_rrs); + + x += sizeof(struct ndpi_dns_packet_header); + + /* 0x0000 QUERY */ + if((dns_header->flags & FLAGS_MASK) == 0x0000) + *is_query = 1; + /* 0x8000 RESPONSE */ + else if((dns_header->flags & FLAGS_MASK) == 0x8000) + *is_query = 0; + else + return(1 /* invalid */); + + if(*is_query) { + /* DNS Request */ + if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS) + && (((dns_header->flags & 0x2800) == 0x2800 /* Dynamic DNS Update */) + || ((dns_header->num_answers == 0) && (dns_header->authority_rrs 
== 0)))) { + /* This is a good query */ + while(x < flow->packet.payload_packet_len) { + if(flow->packet.payload[x] == '\0') { + x++; + flow->protos.dns.query_type = get16(&x, flow->packet.payload); +#ifdef DNS_DEBUG + NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type); + printf("[DNS] query_type=%d\n", flow->protos.dns.query_type); +#endif + break; + } else + x++; + } + } else + return(1 /* invalid */); + } else { + /* DNS Reply */ + flow->protos.dns.reply_code = dns_header->flags & 0x0F; + + if((dns_header->num_queries > 0) && (dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that num_queries must be zero */ + && (((dns_header->num_answers > 0) && (dns_header->num_answers <= NDPI_MAX_DNS_REQUESTS)) + || ((dns_header->authority_rrs > 0) && (dns_header->authority_rrs <= NDPI_MAX_DNS_REQUESTS)) + || ((dns_header->additional_rrs > 0) && (dns_header->additional_rrs <= NDPI_MAX_DNS_REQUESTS))) + ) { + /* This is a good reply: we dissect it both for request and response */ + + /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ + /* if(ndpi_struct->dns_dont_dissect_response == 0) */ { + x++; + + if(flow->packet.payload[x] != '\0') { + while((x < flow->packet.payload_packet_len) + && (flow->packet.payload[x] != '\0')) { + x++; + } + + x++; + } + + x += 4; + + if(dns_header->num_answers > 0) { + u_int16_t rsp_type; + u_int16_t num; + + for(num = 0; num < dns_header->num_answers; num++) { + u_int16_t data_len; + + if((x+6) >= flow->packet.payload_packet_len) { + break; + } + + if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + break; + } else + x += data_len; + + rsp_type = get16(&x, flow->packet.payload); + flow->protos.dns.rsp_type = rsp_type; + + /* here x points to the response "class" field */ + if((x+12) <= flow->packet.payload_packet_len) { + x += 6; + data_len = get16(&x, flow->packet.payload); + + if(((x + data_len) <= 
flow->packet.payload_packet_len) + && (((rsp_type == 0x1) && (data_len == 4)) /* A */ +#ifdef NDPI_DETECTION_SUPPORT_IPV6 + || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ +#endif + )) { + memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); + } + } + + break; + } + } + } + } else + return(1 /* invalid */); + } + + /* Valid */ + return(0); +} + /* *********************************************** */ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - int x, payload_offset; + int payload_offset; u_int8_t is_query; u_int16_t s_port = 0, d_port = 0; 
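Review bot: In search_valid_dns neither `get16()` call is bounded by `payload_packet_len`: the query path calls `flow->protos.dns.query_type = get16(&x, flow->packet.payload)` right after the `'\0'` scan can leave `x` at the final byte, and the reply loop calls `rsp_type = get16(&x, ...)` after `x += data_len`, while the only guard (`(x+6) >= flow->packet.payload_packet_len`) was evaluated before that advance; get16() is defined above the hunk and takes no length argument, so each call can read up to two bytes past a truncated packet. Add `if(x + 2 > flow->packet.payload_packet_len) return(1 /* invalid */);` immediately before each call. The reply path's first `if(flow->packet.payload[x] != '\0')` after `x++` has the same issue by one byte, since the caller's `payload_packet_len > sizeof(struct ndpi_dns_packet_header)+payload_offset` check only guarantees the byte at the old `x`. The whole of search_valid_dns is within this hunk; the new `printf("[DNS] query_type=%d\n", ...)` under DNS_DEBUG writes to stdout from a library dissector and should be dropped in favour of the NDPI_LOG_DBG2 line beside it.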
@@ -94,191 +215,97 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd return; } - x = payload_offset; - if((s_port == 53 || d_port == 53 || d_port == 5355) - && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header)+x)) { + && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header)+payload_offset)) { struct ndpi_dns_packet_header dns_header; - int invalid = 0; - - memcpy(&dns_header, (struct ndpi_dns_packet_header*) &flow->packet.payload[x], sizeof(struct ndpi_dns_packet_header)); - dns_header.tr_id = ntohs(dns_header.tr_id); - dns_header.flags = ntohs(dns_header.flags); - dns_header.num_queries = ntohs(dns_header.num_queries); - dns_header.num_answers = ntohs(dns_header.num_answers); - dns_header.authority_rrs = ntohs(dns_header.authority_rrs); - dns_header.additional_rrs = ntohs(dns_header.additional_rrs); - x += sizeof(struct ndpi_dns_packet_header); - - /* 0x0000 QUERY */ - if((dns_header.flags & FLAGS_MASK) == 0x0000) - is_query = 1; - /* 0x8000 RESPONSE */ - else if((dns_header.flags & FLAGS_MASK) == 0x8000) - is_query = 0; - else - invalid = 1; - - if(!invalid) { - int j = 0, max_len, off; - if(is_query) { - /* DNS Request */ - if((dns_header.num_queries > 0) && (dns_header.num_queries <= NDPI_MAX_DNS_REQUESTS) - && (((dns_header.flags & 0x2800) == 0x2800 /* Dynamic DNS Update */) - || ((dns_header.num_answers == 0) && (dns_header.authority_rrs == 0)))) { - /* This is a good query */ - - while(x < flow->packet.payload_packet_len) { - if(flow->packet.payload[x] == '\0') { - x++; - flow->protos.dns.query_type = get16(&x, flow->packet.payload); -#ifdef DNS_DEBUG - NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type); -#endif - break; - } else - x++; - } - } else - invalid = 1; - } else { - /* DNS Reply */ - - flow->protos.dns.reply_code = dns_header.flags & 0x0F; - - if((dns_header.num_queries > 0) && (dns_header.num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that 
num_queries must be zero */ - && (((dns_header.num_answers > 0) && (dns_header.num_answers <= NDPI_MAX_DNS_REQUESTS)) - || ((dns_header.authority_rrs > 0) && (dns_header.authority_rrs <= NDPI_MAX_DNS_REQUESTS)) - || ((dns_header.additional_rrs > 0) && (dns_header.additional_rrs <= NDPI_MAX_DNS_REQUESTS))) - ) { - /* This is a good reply: we dissect it both for request and response */ - - /* Leave the statement below commented necessary in case of call to ndpi_get_partial_detection() */ - /* if(ndpi_struct->dns_dont_dissect_response == 0) */ { - x++; - - if(flow->packet.payload[x] != '\0') { - while((x < flow->packet.payload_packet_len) - && (flow->packet.payload[x] != '\0')) { - x++; - } - - x++; - } - - x += 4; - - if(dns_header.num_answers > 0) { - u_int16_t rsp_type; - u_int16_t num; - - for(num = 0; num < dns_header.num_answers; num++) { - u_int16_t data_len; - - if((x+6) >= flow->packet.payload_packet_len) { - break; - } - - if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { - break; - } else - x += data_len; + int j = 0, max_len, off; + int invalid = search_valid_dns(ndpi_struct, flow, &dns_header, payload_offset, &is_query); + ndpi_protocol ret; + + ret.master_protocol = NDPI_PROTOCOL_UNKNOWN; + ret.app_protocol = (d_port == 5355) ? 
NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS; + + if(invalid) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } - rsp_type = get16(&x, flow->packet.payload); - flow->protos.dns.rsp_type = rsp_type; + /* extract host name server */ + max_len = sizeof(flow->host_server_name)-1; + off = sizeof(struct ndpi_dns_packet_header) + payload_offset; - /* here x points to the response "class" field */ - if((x+12) <= flow->packet.payload_packet_len) { - x += 6; - data_len = get16(&x, flow->packet.payload); + while(j < max_len && off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') { + uint8_t c, cl = flow->packet.payload[off++]; - if(((x + data_len) <= flow->packet.payload_packet_len) - && (((rsp_type == 0x1) && (data_len == 4)) /* A */ -#ifdef NDPI_DETECTION_SUPPORT_IPV6 - || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ -#endif - )) { - memcpy(&flow->protos.dns.rsp_addr, flow->packet.payload + x, data_len); - } - } - - break; - } - } - } - } else - invalid = 1; + if( (cl & 0xc0) != 0 || // we not support compressed names in query + off + cl >= flow->packet.payload_packet_len) { + j = 0; + break; } - if(invalid) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } - - /* extract host name server */ - max_len = sizeof(flow->host_server_name)-1; - off = sizeof(struct ndpi_dns_packet_header) + payload_offset; - - while(j < max_len && off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') { - uint8_t c, cl = flow->packet.payload[off++]; - - if( (cl & 0xc0) != 0 || // we not support compressed names in query - off + cl >= flow->packet.payload_packet_len) { - j = 0; - break; - } - - if(j && j < max_len) flow->host_server_name[j++] = '.'; - - while(j < max_len && cl != 0) { - c = flow->packet.payload[off++]; - flow->host_server_name[j++] = (dns_validchar[c >> 5] & (1 << (c & 0x1f))) ? 
c : '_'; - cl--; - } - } - flow->host_server_name[j] = '\0'; + if(j && j < max_len) flow->host_server_name[j++] = '.'; - if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) { - // dpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); - return; /* The response will set the verdict */ + while(j < max_len && cl != 0) { + c = flow->packet.payload[off++]; + flow->host_server_name[j++] = (dns_validchar[c >> 5] & (1 << (c & 0x1f))) ? c : '_'; + cl--; } + } + flow->host_server_name[j] = '\0'; + + if(j > 0) { + ndpi_protocol_match_result ret_match; + + ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + &ret_match, + NDPI_PROTOCOL_DNS); + + if(ret_match.protocol_category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) + flow->category = ret_match.protocol_category; + + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) + ret.master_protocol = (d_port == 5355) ? 
NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS; + else + ret.master_protocol = NDPI_PROTOCOL_DNS; + } + + if(is_query && (ndpi_struct->dns_dont_dissect_response == 0)) { + /* In this case we say that the protocol has been detected just to let apps carry on with their activities */ + ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); + return; /* The response will set the verdict */ + } - flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, + flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); - if(j > 0) { - ndpi_protocol_match_result ret_match; - - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - &ret_match, - NDPI_PROTOCOL_DNS); - } - #ifdef DNS_DEBUG - NDPI_LOG_DBG2(ndpi_struct, "[num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", - flow->protos.dns.num_queries, flow->protos.dns.num_answers, - flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name - ); + NDPI_LOG_DBG2(ndpi_struct, "[num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", + flow->protos.dns.num_queries, flow->protos.dns.num_answers, + flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name + ); #endif - if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - /** - Do not set the protocol with DNS if ndpi_match_host_subprotocol() has - matched a subprotocol - **/ - NDPI_LOG_INFO(ndpi_struct, "found DNS\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? 
NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); - } else { + if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + /** + Do not set the protocol with DNS if ndpi_match_host_subprotocol() has + matched a subprotocol + **/ + NDPI_LOG_INFO(ndpi_struct, "found DNS\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); + } else { + if((flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) + || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) + ; + else NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } } } } -void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -{ +void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("DNS", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_DNS, ndpi_search_dns, diff --git a/src/lib/protocols/dofus.c b/src/lib/protocols/dofus.c index 997f999a0..ec722a139 100644 --- a/src/lib/protocols/dofus.c +++ b/src/lib/protocols/dofus.c @@ -2,7 +2,7 @@ * dofus.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c index 7dc24ffcc..9e0f8170d 100644 --- a/src/lib/protocols/drda.c +++ b/src/lib/protocols/drda.c @@ -1,7 +1,7 @@ /* * drda.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This module is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/eaq.c b/src/lib/protocols/eaq.c index e86b83181..10eb8f3f8 100644 --- a/src/lib/protocols/eaq.c +++ b/src/lib/protocols/eaq.c 
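Review bot: The verdict stored for a query takes three different shapes depending on the host-name outcome: with no name `ret` stays `{app = DNS/LLMNR, master = UNKNOWN}`, with a name but no subprotocol match it becomes `{app = UNKNOWN, master = DNS/LLMNR}`, and with a match `master` is forced to NDPI_PROTOCOL_DNS even on port 5355, so the same LLMNR flow lands in a different slot of `detected_protocol_stack` depending on the packet. The final exclusion test then only recognizes NDPI_PROTOCOL_DNS in `detected_protocol_stack[0]`/`[1]`, so a reply on a port-5355 flow whose query was already tagged appears to fall through to NDPI_EXCLUDE_PROTO; I would have the no-match branch keep `ret.app_protocol = (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS;` rather than move it into `master_protocol`, and extend the test with `|| (flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_LLMNR) || (flow->packet.detected_protocol_stack[1] == NDPI_PROTOCOL_LLMNR)`. Whether ndpi_set_detected_protocol() normalises an UNKNOWN upper protocol is not visible here, so confirm against ndpi_main.c before relying on the current shape. `ret_match.protocol_category` is also read after ndpi_match_host_subprotocol() with nothing in the hunk showing the helper initialises it on a miss; ndpi_search_dns begins above this hunk.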
@@ -1,7 +1,7 @@ /* * eaq.c * - * Copyright (C) 2015-18 - ntop.org + * Copyright (C) 2015-19 - ntop.org * * This module is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/fasttrack.c b/src/lib/protocols/fasttrack.c index 074468558..49a4abdce 100644 --- a/src/lib/protocols/fasttrack.c +++ b/src/lib/protocols/fasttrack.c @@ -2,7 +2,7 @@ * fasttrack.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/fiesta.c b/src/lib/protocols/fiesta.c index dc7a86fd4..ba567a563 100644 --- a/src/lib/protocols/fiesta.c +++ b/src/lib/protocols/fiesta.c @@ -2,7 +2,7 @@ * fiesta.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c index 3cc9e070c..7dbf61b03 100644 --- a/src/lib/protocols/fix.c +++ b/src/lib/protocols/fix.c @@ -1,7 +1,7 @@ /* * fix.c * - * Copyright (C) 2017-18 - ntop.org + * Copyright (C) 2017-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/florensia.c b/src/lib/protocols/florensia.c index cca63485f..88c645951 100644 --- a/src/lib/protocols/florensia.c +++ b/src/lib/protocols/florensia.c 
@@ -2,7 +2,7 @@ * florensia.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index 893f83d68..7a3250b8c 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -1,7 +1,7 @@ /* * ftp_control.c * - * Copyright (C) 2016-18 - ntop.org + * Copyright (C) 2016-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 3aaf6f97e..edffabb15 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -1,7 +1,7 @@ /* * ftp_data.c * - * Copyright (C) 2016-18 - ntop.org + * Copyright (C) 2016-19 - ntop.org * * The signature is based on the Libprotoident library. * diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c index 1e358d79b..e8a1db577 100644 --- a/src/lib/protocols/git.c +++ b/src/lib/protocols/git.c @@ -1,7 +1,7 @@ /* * git.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This module is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 75a8e534b..4531a717d 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c @@ -2,7 +2,7 @@ * gnutella.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
diff --git a/src/lib/protocols/gtp.c b/src/lib/protocols/gtp.c index ffe2b2498..849cd1254 100644 --- a/src/lib/protocols/gtp.c +++ b/src/lib/protocols/gtp.c @@ -1,7 +1,7 @@ /* * gtp.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/guildwars.c b/src/lib/protocols/guildwars.c index 1cf3888cf..0884b4305 100644 --- a/src/lib/protocols/guildwars.c +++ b/src/lib/protocols/guildwars.c @@ -2,7 +2,7 @@ * guildwars.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/halflife2_and_mods.c b/src/lib/protocols/halflife2_and_mods.c index 446703220..46edeb68a 100644 --- a/src/lib/protocols/halflife2_and_mods.c +++ b/src/lib/protocols/halflife2_and_mods.c @@ -2,7 +2,7 @@ * halflife2_and_mods.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/hangout.c b/src/lib/protocols/hangout.c index c96b36018..06edafba0 100644 --- a/src/lib/protocols/hangout.c +++ b/src/lib/protocols/hangout.c @@ -1,7 +1,7 @@ /* * hangout.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This module is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index cd5f193db..a118477c5 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -1,7 +1,7 @@
 /*
 * http.c
 *
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/http_activesync.c b/src/lib/protocols/http_activesync.c
index 0bf267290..02875578a 100644
--- a/src/lib/protocols/http_activesync.c
+++ b/src/lib/protocols/http_activesync.c
@@ -2,7 +2,7 @@
 * http_activesync.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/iax.c b/src/lib/protocols/iax.c
index 104a59be4..5d07888e4 100644
--- a/src/lib/protocols/iax.c
+++ b/src/lib/protocols/iax.c
@@ -2,7 +2,7 @@
 * iax.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c
index 0bb87b88a..249996281 100644
--- a/src/lib/protocols/icecast.c
+++ b/src/lib/protocols/icecast.c
@@ -2,7 +2,7 @@
 * icecast.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/ipp.c b/src/lib/protocols/ipp.c
index 4f4f2438f..0200d0198 100644
--- a/src/lib/protocols/ipp.c
+++ b/src/lib/protocols/ipp.c
@@ -2,7 +2,7 @@
 * ipp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c
index 12660b528..ec22ee38b 100644
--- a/src/lib/protocols/irc.c
+++ b/src/lib/protocols/irc.c
@@ -2,7 +2,7 @@
 * irc.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c
index 3917b8b20..fe65933b1 100644
--- a/src/lib/protocols/jabber.c
+++ b/src/lib/protocols/jabber.c
@@ -2,7 +2,7 @@
 * jabber.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c
index 1869e06db..48d5816ff 100644
--- a/src/lib/protocols/kakaotalk_voice.c
+++ b/src/lib/protocols/kakaotalk_voice.c
@@ -1,7 +1,7 @@
 /*
 * kakaotalk_voice.c
 *
- * Copyright (C) 2015-18 - ntop.org
+ * Copyright (C) 2015-19 - ntop.org
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c
index 8b059a1a2..a1c271387 100644
--- a/src/lib/protocols/kerberos.c
+++ b/src/lib/protocols/kerberos.c
@@ -2,7 +2,7 @@
 * kerberos.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/kontiki.c b/src/lib/protocols/kontiki.c
index 4882c7797..002ab1cdc 100644
--- a/src/lib/protocols/kontiki.c
+++ b/src/lib/protocols/kontiki.c
@@ -2,7 +2,7 @@
 * kontiki.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/ldap.c b/src/lib/protocols/ldap.c
index 49b1a39d4..3e0a4cd1f 100644
--- a/src/lib/protocols/ldap.c
+++ b/src/lib/protocols/ldap.c
@@ -2,7 +2,7 @@
 * ldap.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c
index 7343ca034..d33665ff7 100644
--- a/src/lib/protocols/lisp.c
+++ b/src/lib/protocols/lisp.c
@@ -1,7 +1,7 @@
 /*
 * list.c
 *
- * Copyright (C) 2017-18 - ntop.org
+ * Copyright (C) 2017-19 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/lotus_notes.c b/src/lib/protocols/lotus_notes.c
index d5f8f1310..100262caf 100644
--- a/src/lib/protocols/lotus_notes.c
+++ b/src/lib/protocols/lotus_notes.c
@@ -1,7 +1,7 @@
 /*
 * lotus_notes.c
 *
- * Copyright (C) 2012-18 - ntop.org
+ * Copyright (C) 2012-19 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c
index 69d135943..4d87275b7 100644
--- a/src/lib/protocols/mail_imap.c
+++ b/src/lib/protocols/mail_imap.c
@@ -1,7 +1,7 @@
 /*
 * mail_imap.c
 *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c
index 83847f1f8..8ed109c30 100644
--- a/src/lib/protocols/mail_pop.c
+++ b/src/lib/protocols/mail_pop.c
@@ -2,7 +2,7 @@
 * mail_pop.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index fdc47d15c..af3d628a4 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -2,7 +2,7 @@
 * mail_smtp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/maplestory.c b/src/lib/protocols/maplestory.c
index e45729b8b..23dcce461 100644
--- a/src/lib/protocols/maplestory.c
+++ b/src/lib/protocols/maplestory.c
@@ -2,7 +2,7 @@
 * maplestory.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/mdns_proto.c b/src/lib/protocols/mdns_proto.c
index 388376e19..6297bd4bb 100644
--- a/src/lib/protocols/mdns_proto.c
+++ b/src/lib/protocols/mdns_proto.c
@@ -1,7 +1,7 @@
 /*
 * mdns.c
 *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c
index e4b694ea6..149a15f3a 100644
--- a/src/lib/protocols/megaco.c
+++ b/src/lib/protocols/megaco.c
@@ -2,7 +2,7 @@
 * megaco.c
 *
 * Copyright (C) 2014 by Gianluca Costa http://www.capanalysis.net
- * Copyright (C) 2012-18 - ntop.org
+ * Copyright (C) 2012-19 - ntop.org
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/memcached.c b/src/lib/protocols/memcached.c
index e527688ba..2b647b954 100644
--- a/src/lib/protocols/memcached.c
+++ b/src/lib/protocols/memcached.c
@@ -2,7 +2,7 @@
 * memcached.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 * Copyright (C) 2018 - eGloo Incorporated
 *
 * This file is part of nDPI, an open source deep packet inspection
diff --git a/src/lib/protocols/mgcp.c b/src/lib/protocols/mgcp.c
index 86fadcb63..198a8c61a 100644
--- a/src/lib/protocols/mgcp.c
+++ b/src/lib/protocols/mgcp.c
@@ -1,7 +1,7 @@
 /*
 * mgcp.c
 *
- * Copyright (C) 2017-18 - ntop.org
+ * Copyright (C) 2017-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/mpegts.c b/src/lib/protocols/mpegts.c
index c1f227565..b0691412e 100644
--- a/src/lib/protocols/mpegts.c
+++ b/src/lib/protocols/mpegts.c
@@ -2,7 +2,7 @@
 * mpegts.c (MPEG Transport Stream)
 * https://en.wikipedia.org/wiki/MPEG_transport_stream
 *
- * Copyright (C) 2015-18 - ntop.org
+ * Copyright (C) 2015-19 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c
index 8d52d690b..6469c7c3e 100644
--- a/src/lib/protocols/msn.c
+++ b/src/lib/protocols/msn.c
@@ -2,7 +2,7 @@
 * msn.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/mssql_tds.c b/src/lib/protocols/mssql_tds.c
index 621ea2b0e..d54704f23 100644
--- a/src/lib/protocols/mssql_tds.c
+++ b/src/lib/protocols/mssql_tds.c
@@ -1,7 +1,7 @@
 /*
 * mssql.c
 *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c
index 1306c381d..948d33001 100644
--- a/src/lib/protocols/mysql.c
+++ b/src/lib/protocols/mysql.c
@@ -2,7 +2,7 @@
 * mysql.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/nest_log_sink.c b/src/lib/protocols/nest_log_sink.c
index 62e8fa75f..6732964c0 100644
--- a/src/lib/protocols/nest_log_sink.c
+++ b/src/lib/protocols/nest_log_sink.c
@@ -2,7 +2,7 @@
 * nest_log_sink.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 * Copyright (C) 2018 - eGloo Incorporated
 *
 * This file is part of nDPI, an open source deep packet inspection
diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
index 925b864ad..fd0e579c1 100644
--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
@@ -2,7 +2,7 @@
 * netbios.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c
index 23c4bc587..74ba88277 100644
--- a/src/lib/protocols/netflow.c
+++ b/src/lib/protocols/netflow.c
@@ -1,7 +1,7 @@
 /*
 * netflow.c
 *
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/nfs.c b/src/lib/protocols/nfs.c
index c9e3265a5..c767fea19 100644
--- a/src/lib/protocols/nfs.c
+++ b/src/lib/protocols/nfs.c
@@ -2,7 +2,7 @@
 * nfs.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/non_tcp_udp.c b/src/lib/protocols/non_tcp_udp.c
index b7cc4a4d0..712fc4890 100644
--- a/src/lib/protocols/non_tcp_udp.c
+++ b/src/lib/protocols/non_tcp_udp.c
@@ -2,7 +2,7 @@
 * non_tcp_udp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index 9290fbfb3..a03ed3b43 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -2,7 +2,7 @@
 * ntp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/openft.c b/src/lib/protocols/openft.c
index 30fb1c68f..893a24ab6 100644
--- a/src/lib/protocols/openft.c
+++ b/src/lib/protocols/openft.c
@@ -2,7 +2,7 @@
 * openft.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c
index 6c08bba5a..568e40cb3 100644
--- a/src/lib/protocols/openvpn.c
+++ b/src/lib/protocols/openvpn.c
@@ -1,7 +1,7 @@
 /*
 * openvpn.c
 *
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * OpenVPN TCP / UDP Detection - 128/160 hmac
 *
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index 010a620e9..535e513a9 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -2,7 +2,7 @@
 * oscar.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/pcanywhere.c b/src/lib/protocols/pcanywhere.c
index 0d205d5f3..7851b484b 100644
--- a/src/lib/protocols/pcanywhere.c
+++ b/src/lib/protocols/pcanywhere.c
@@ -2,7 +2,7 @@
 * pcanywhere.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c
index 089be4e31..23767ef11 100644
--- a/src/lib/protocols/postgres.c
+++ b/src/lib/protocols/postgres.c
@@ -2,7 +2,7 @@
 * postgres.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c
index 20eb0d428..0f0aadbb7 100644
--- a/src/lib/protocols/ppstream.c
+++ b/src/lib/protocols/ppstream.c
@@ -1,7 +1,7 @@
 /*
 * ppstream.c
 *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/pptp.c b/src/lib/protocols/pptp.c
index cfe360b5b..300db5aa2 100644
--- a/src/lib/protocols/pptp.c
+++ b/src/lib/protocols/pptp.c
@@ -2,7 +2,7 @@
 * pptp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/qq.c b/src/lib/protocols/qq.c
index 8c6805572..51f6d2859 100644
--- a/src/lib/protocols/qq.c
+++ b/src/lib/protocols/qq.c
@@ -1,7 +1,7 @@
 /*
 * qq.c
 *
- * Copyright (C) 2009-2011 by ipoque GmbH
+ * Copyright (C) 2009-2011
 * Copyright (C) 2011-18 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
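Review bot: The new qq.c header line `+ * Copyright (C) 2009-2011` drops the holder and leaves a copyright notice that names no one, and the ntop.org line right below it stays at `2011-18` while every other file in this diff is bumped to `-19`; this reads as an accidental edit rather than an intended attribution change. If only the year bump was intended, the two lines should read ` * Copyright (C) 2009-2011 by ipoque GmbH` and ` * Copyright (C) 2011-19 - ntop.org`. If the removal of the ipoque attribution is deliberate, it deserves a mention in the commit message, since the file's license text still credits the OpenDPI/PACE origin in the lines that follow. The remaining qq.c changes (the large removal of the QQ dissector) begin in the next hunk and run beyond this view.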
@@ -37,627 +37,29 @@ static void ndpi_int_qq_add_connection(struct ndpi_detection_module_struct *ndpi } -/* - * a qq client packet looks like this: - * - * TCP packets starts with 16 bit length, then the normal packets follows - * - * 0 1 byte packet tag (usually 0x02) - * 1 2 byte client tag (client version) - * 3 2 byte command - * 5 2 byte sequence number - * 7 4 byte userid - * 11 x bytes data - * LAST 1 byte packet tail (usually 0x03) - * - * a qq server packet looks like this: - * - * TCP packets starts with 16 bit length, then the normal packets follows - * - * 0 1 byte packet tag (usually 0x02) - * 1 2 byte source tag (client version, might also be a server id) - * 3 2 byte command (usually reply to client request, so same command id) - * 5 2 byte sequence number - * LAST 1 byte packet tail (usually 0x03) - * - * NOTE: there are other qq versions which uses different packet types! - */ - -/* - * these are some currently known client ids (or server ids) - * new ids might be added here if the traffic is really QQ - */ -static const u_int16_t ndpi_valid_qq_versions[] = { - 0x0100, 0x05a5, 0x062e, 0x06d5, 0x072e, 0x0801, 0x087d, 0x08d2, 0x0961, - 0x0a1d, 0x0b07, 0x0b2f, 0x0b35, 0x0b37, 0x0c0b, 0x0c0d, 0x0c21, 0x0c49, - 0x0d05, 0x0d51, 0x0d55, 0x0d61, 0x0e1b, 0x0e35, 0x0f15, 0x0f4b, 0x0f5f, - 0x1105, 0x111b, 0x111d, 0x1131, 0x113f, 0x115b, 0x1203, 0x1205, 0x120b, - 0x1251, 0x1412, 0x1441, 0x1501, 0x1549, 0x163a, 0x1801, 0x180d, 0x1c27, - 0x1e0d -}; - -/** - * this functions checks whether the packet is a valid qq packet - * it can handle tcp and udp packets - */ - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_valid_qq_packet(const struct ndpi_packet_struct *packet) -{ - u_int8_t real_start = 0; - u_int16_t command; - u_int8_t ids, found = 0; - u_int16_t version_id; - - if (packet->payload_packet_len < 9) - return 0; - - /* for tcp the length is prefixed */ - if 
(packet->tcp) { - if (ntohs(get_u_int16_t(packet->payload, 0)) != packet->payload_packet_len) { - return 0; - } - real_start = 2; - } - - /* packet usually starts with 0x02 */ - if (packet->payload[real_start] != 0x02) { - return 0; - } - - /* packet usually ends with 0x03 */ - if (packet->payload[packet->payload_packet_len - 1] != 0x03) { - return 0; - } - - version_id = ntohs(get_u_int16_t(packet->payload, real_start + 1)); - - if (version_id == 0) { - return 0; - } - - /* check for known version id */ - for (ids = 0; ids < sizeof(ndpi_valid_qq_versions) / sizeof(ndpi_valid_qq_versions[0]); ids++) { - if (version_id == ndpi_valid_qq_versions[ids]) { - found = 1; - break; - } - } - - if (!found) - return 0; - - command = ntohs(get_u_int16_t(packet->payload, real_start + 3)); - - /* these are some known commands, not all need to be checked - since many are used with already established connections */ - - switch (command) { - case 0x0091: /* get server */ - case 0x00ba: /* login token */ - case 0x00dd: /* password verify */ - case 0x00e5: - case 0x00a4: - case 0x0030: - case 0x001d: - case 0x0001: - case 0x0062: - case 0x0002: - case 0x0022: - case 0x0029: - break; - default: - return 0; - break; - } - - return 1; -} - -/* - * some file transfer packets look like this - * - * 0 1 byte packet tag (usually 0x04) - * 1 2 byte client tag (client version) - * 3 2 byte length (this is speculative) - * LAST 1 byte packet tail (usually 0x03) - * - */ -/** - * this functions checks whether the packet is a valid qq file transfer packet - * it can handle tcp and udp packets - */ - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -u_int8_t ndpi_is_valid_qq_ft_packet(const struct ndpi_packet_struct *packet) -{ - u_int8_t ids, found = 0; - u_int16_t version_id; - - if (packet->payload_packet_len < 9) - return 0; - - /* file transfer packets may start with 0x00 (control), 0x03 (data), 0x04 (agent) */ - - 
if (packet->payload[0] != 0x04 && packet->payload[0] != 0x03 && packet->payload[0] != 0x00) { - return 0; - } - - version_id = ntohs(get_u_int16_t(packet->payload, 1)); - - if (version_id == 0) { - return 0; - } - - /* check for known version id */ - for (ids = 0; ids < sizeof(ndpi_valid_qq_versions) / sizeof(ndpi_valid_qq_versions[0]); ids++) { - if (version_id == ndpi_valid_qq_versions[ids]) { - found = 1; - break; - } - } - - if (!found) - return 0; - - if (packet->payload[0] == 0x04) { - - if (ntohs(get_u_int16_t(packet->payload, 3)) != packet->payload_packet_len) { - return 0; - } - - /* packet usually ends with 0x03 */ - if (packet->payload[packet->payload_packet_len - 1] != 0x03) { - return 0; - } - } else if (packet->payload[0] == 0x03) { - /* TODO currently not detected */ - return 0; - } else if (packet->payload[0] == 0x00) { - - /* packet length check, there might be other lengths */ - if (packet->payload_packet_len != 84) { - return 0; - } - - /* packet usually ends with 0x0c ? 
*/ - if (packet->payload[packet->payload_packet_len - 1] != 0x0c) { - return 0; - } - } - return 1; -} - -static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - - static const u_int16_t p8000_patt_02[15] = // maybe version numbers - { 0x1549, 0x1801, 0x180d, 0x0961, 0x01501, 0x0e35, 0x113f, 0x0b37, 0x1131, 0x163a, 0x1e0d, 0x3619, 0x371b, 0x3823,}; - u_int16_t no_of_patterns = 14, index = 0; - - - NDPI_LOG_DBG(ndpi_struct, "search qq udp\n"); - - - if (flow->qq_stage <= 3) { - if ((packet->payload_packet_len == 27 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0300 - && packet->payload[2] == 0x01) - || (packet->payload_packet_len == 84 && ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x000e - && packet->payload[2] == 0x35) - || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0015 - && packet->payload[2] == 0x01) - || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x000b - && packet->payload[2] == 0x37) - || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0015 - && packet->payload[2] == 0x49))) - || (packet->payload_packet_len > 10 - && ((get_u_int16_t(packet->payload, 0) == htons(0x000b) && packet->payload[2] == 0x37) - || (get_u_int32_t(packet->payload, 0) == htonl(0x04163a00) - && packet->payload[packet->payload_packet_len - 1] == 0x03 - && packet->payload[4] == packet->payload_packet_len)))) { - /* - if (flow->qq_stage == 3 && flow->detected_protocol == NDPI_PROTOCOL_QQ) { - if (flow->packet_direction_counter[0] > 0 && flow->packet_direction_counter[1] > 0) { - flow->protocol_subtype = NDPI_PROTOCOL_QQ_SUBTYPE_AUDIO; - return; - } else if (flow->packet_counter < 10) { - return; - } - } */ - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 030001 or 000e35 four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - if (packet->payload_packet_len > 2 && 
(packet->payload[0] == 0x02 || packet->payload[0] == 0x04)) { - u_int16_t pat = ntohs(get_u_int16_t(packet->payload, 1)); - for (index = 0; index < no_of_patterns; index++) { - if (pat == p8000_patt_02[index] && packet->payload[packet->payload_packet_len - 1] == 0x03) { - flow->qq_stage++; - // maybe we can test here packet->payload[4] == packet->payload_packet_len - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 ... 03 four times\n"); - /* - if (packet->payload[0] == 0x04) { - ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); - return; - } */ - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - } - } - if (packet->payload_packet_len == 84 && (packet->payload[0] == 0 || packet->payload[0] == 0x03)) { - u_int16_t pat = ntohs(get_u_int16_t(packet->payload, 1)); - for (index = 0; index < no_of_patterns; index++) { - if (pat == p8000_patt_02[index]) { - flow->qq_stage++; - /* - if (flow->qq_stage == 3 && flow->packet_direction_counter[0] > 0 && - flow->packet_direction_counter[1] > 0) { - NDPI_LOG_DBG(ndpi_struct, "found qq udp pattern four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); - return; - } else */ if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - } - } - if (packet->payload_packet_len > 2 && packet->payload[0] == 0x04 - && ((ntohs(get_u_int16_t(packet->payload, 1)) == 0x1549 - || ntohs(get_u_int16_t(packet->payload, 1)) == 0x1801 || ntohs(get_u_int16_t(packet->payload, 1)) == 0x0961) - || - (packet->payload_packet_len > 16 - && (ntohs(get_u_int16_t(packet->payload, 1)) == 0x180d || ntohs(get_u_int16_t(packet->payload, 1)) == 0x096d) - && ntohl(get_u_int32_t(packet->payload, 12)) == 0x28000000 - && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len)) - && packet->payload[packet->payload_packet_len - 1] == 0x03) 
{ - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 04 1159 ... 03 four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x06 || packet->payload[0] == 0x02) - && ntohs(get_u_int16_t(packet->payload, 1)) == 0x0100 - && (packet->payload[packet->payload_packet_len - 1] == 0x00 - || packet->payload[packet->payload_packet_len - 1] == 0x03)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 02/06 0100 ... 03/00 four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x02) - && ntohs(get_u_int16_t(packet->payload, 1)) == 0x1131 && packet->payload[packet->payload_packet_len - 1] == 0x03) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 02 1131 ... 
03 four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (packet->payload_packet_len > 5 && get_u_int16_t(packet->payload, 0) == htons(0x0203) && - ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len && - get_u_int16_t(packet->payload, 4) == htons(0x0b0b)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 0203[packet_length_0b0b] three times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (packet->udp->dest == htons(9000) || packet->udp->source == htons(9000)) { - if (packet->payload_packet_len > 3 - && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0202 - && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 02 02 <length> four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - } - } - - if (ndpi_is_valid_qq_packet(packet)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq over udp\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - NDPI_LOG_DBG2(ndpi_struct, "found qq packet stage %d\n", flow->qq_stage); - return; - } - - if (ndpi_is_valid_qq_ft_packet(packet)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq ft over udp\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (flow->qq_stage && flow->packet_counter <= 5) { - return; - } - - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); -} - - - -#if !defined(WIN32) -static inline -#elif defined(MINGW_GCC) -__mingw_forceinline static -#else -__forceinline static -#endif -void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &flow->packet; - u_int16_t i = 0; - - 
NDPI_LOG_DBG(ndpi_struct, "search qq tcp\n"); - - if (packet->payload_packet_len == 39 && get_u_int32_t(packet->payload, 0) == htonl(0x27000000) && - get_u_int16_t(packet->payload, 4) == htons(0x0014) && get_u_int32_t(packet->payload, 11) != 0 && - get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x0000)) { - if (flow->qq_stage == 4) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp - maybe ft/audio/video\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - flow->qq_stage = 4; - return; - } - - if ((packet->payload_packet_len > 4 && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0212) && packet->payload[4] == 0x0b) - || (packet->payload_packet_len > 6 && packet->payload[0] == 0x02 - && packet->payload[packet->payload_packet_len - 1] == 0x03 - && ntohs(get_u_int16_t(packet->payload, 1)) == packet->payload_packet_len - && (get_u_int16_t(packet->payload, 3) == htons(0x0605) || get_u_int16_t(packet->payload, 3) == htons(0x0608)) - && packet->payload[5] == 0x00) - || (packet->payload_packet_len > 9 && get_u_int32_t(packet->payload, 0) == htonl(0x04154900) - && get_l16(packet->payload, 4) == packet->payload_packet_len - && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 9 && get_u_int32_t(packet->payload, 0) == htonl(0x040e3500) - && get_l16(packet->payload, 4) == packet->payload_packet_len - && packet->payload[9] == 0x33 && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 9 && get_u_int32_t(packet->payload, 0) == htonl(0x040e0215) - && get_l16(packet->payload, 4) == packet->payload_packet_len - && packet->payload[9] == 0x33 && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 6 && get_u_int32_t(packet->payload, 2) == htonl(0x020d5500) - && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len - && 
packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 6 && get_u_int16_t(packet->payload, 0) == htons(0x0418) - && packet->payload[2] == 0x01 - && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len - && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 6 && get_u_int16_t(packet->payload, 0) == htons(0x0411) - && packet->payload[2] == 0x31 - && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len - && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 6 && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0211) && packet->payload[4] == 0x31 - && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 6 && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len - && get_u_int16_t(packet->payload, 2) == htons(0x0218) && packet->payload[4] == 0x01 - && packet->payload[packet->payload_packet_len - 1] == 0x03) - || (packet->payload_packet_len > 10 && get_u_int32_t(packet->payload, 0) == htonl(0x04163a00) - && packet->payload[packet->payload_packet_len - 1] == 0x03 - && packet->payload[4] == packet->payload_packet_len) - ) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (ndpi_is_valid_qq_packet(packet)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (ndpi_is_valid_qq_ft_packet(packet)) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq ft over tcp\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - if (packet->payload_packet_len == 2) { - 
flow->l4.tcp.qq_nxt_len = ntohs(get_u_int16_t(packet->payload, 0)); - return; - } - if (packet->payload_packet_len > 5 && (((flow->l4.tcp.qq_nxt_len == packet->payload_packet_len + 2) - && packet->payload[0] == 0x02 - && packet->payload[packet->payload_packet_len - 1] == 0x03 - && get_u_int16_t(packet->payload, 1) == htons(0x0f5f)) - || (ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len - && packet->payload[2] == 0x02 - && packet->payload[packet->payload_packet_len - 1] == 0x03 - && get_u_int16_t(packet->payload, 3) == htons(0x0f5f)))) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 ... 03 four times\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - - } - if (packet->payload_packet_len > 2 && packet->payload[0] == 0x04 && ((get_u_int16_t(packet->payload, 1) == htons(0x1549) - || get_u_int16_t(packet->payload, - 1) == htons(0x1801) - || get_u_int16_t(packet->payload, - 1) == htons(0x0961)) - || (packet->payload_packet_len > 16 - && (get_u_int16_t(packet->payload, 1) == - htons(0x180d) - || get_u_int16_t(packet->payload, - 1) == htons(0x096d)) - && get_u_int32_t(packet->payload, - 12) == htonl(0x28000000) - && ntohs(get_u_int16_t(packet->payload, 3)) == - packet->payload_packet_len)) - && packet->payload[packet->payload_packet_len - 1] == 0x03) { - flow->qq_stage++; - if (flow->qq_stage == 3) { - NDPI_LOG_INFO(ndpi_struct, - "found qq udp pattern 04 1159 ... 
03 four times.\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - return; - } - - - - if (packet->payload_packet_len > 100 - && ((memcmp(packet->payload, "GET", 3) == 0) || (memcmp(packet->payload, "POST", 4) == 0))) { - NDPI_LOG_DBG2(ndpi_struct, "found GET or POST\n"); - if (memcmp(packet->payload, "GET /qqfile/qq", 14) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET /qqfile/qq\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - ndpi_parse_packet_line_info(ndpi_struct, flow); - - if (packet->user_agent_line.ptr != NULL - && (packet->user_agent_line.len > 7 && memcmp(packet->user_agent_line.ptr, "QQClient", 8) == 0)) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET...QQClient\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - for (i = 0; i < packet->parsed_lines; i++) { - if (packet->line[i].len > 3 && memcmp(packet->line[i].ptr, "QQ: ", 4) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET...QQ: \n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - } - if (packet->host_line.ptr != NULL) { - NDPI_LOG_DBG2(ndpi_struct, "host line ptr\n"); - if (packet->host_line.len > 11 && memcmp(&packet->host_line.ptr[0], "www.qq.co.za", 12) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found qq over tcp Host: www.qq.co.za\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - } - } - if (flow->qq_stage == 0 && packet->payload_packet_len == 82 - && get_u_int32_t(packet->payload, 0) == htonl(0x0000004e) && get_u_int32_t(packet->payload, 4) == htonl(0x01010000)) { - for (i = 8; i < 82; i++) { - if (packet->payload[i] != 0x00) { - break; - } - if (i == 81) { - NDPI_LOG_INFO(ndpi_struct, "found qq Mail\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - } - } - if (flow->qq_stage == 0 && packet->payload_packet_len == 182 && get_u_int32_t(packet->payload, 0) == htonl(0x000000b2) - && get_u_int32_t(packet->payload, 4) == htonl(0x01020000) - && 
get_u_int32_t(packet->payload, 8) == htonl(0x04015151) && get_u_int32_t(packet->payload, 12) == htonl(0x4d61696c)) { - NDPI_LOG_INFO(ndpi_struct, "found qq Mail\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - if (packet->payload_packet_len == 204 && flow->qq_stage == 0 && get_u_int32_t(packet->payload, 200) == htonl(0xfbffffff)) { - for (i = 0; i < 200; i++) { - NDPI_LOG_DBG2(ndpi_struct, "i = %u\n", i); - if (packet->payload[i] != 0) { - break; - } - if (i == 199) { - NDPI_LOG_INFO(ndpi_struct, "found qq chat or file transfer\n"); - ndpi_int_qq_add_connection(ndpi_struct, flow); - return; - } - } - } - - if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) { - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QQ); - NDPI_LOG_DBG(ndpi_struct, "QQ tcp excluded; len %u\n", - packet->payload_packet_len); - } - -} - - void ndpi_search_qq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - if (packet->udp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ) - ndpi_search_qq_udp(ndpi_struct, flow); - if (packet->tcp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ) - ndpi_search_qq_tcp(ndpi_struct, flow); + NDPI_LOG_DBG(ndpi_struct, "search QQ\n"); + + if ((packet->payload_packet_len == 72 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004800) || + (packet->payload_packet_len == 64 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004000) || + (packet->payload_packet_len == 60 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004200) || + (packet->payload_packet_len == 84 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02005a00) || + (packet->payload_packet_len == 56 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02003800) || + (packet->payload_packet_len >= 39 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x28000000)) { + NDPI_LOG_INFO(ndpi_struct, "found 
QQ\n"); + ndpi_int_qq_add_connection(ndpi_struct, flow); + } else { + if(flow->num_processed_pkts > 4) + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } } -void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("QQ", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_QQ, diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 87378ea61..86464ddbd 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1,7 +1,7 @@ /* * quic.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This module is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c index 209e71177..b64767700 100644 --- a/src/lib/protocols/radius.c +++ b/src/lib/protocols/radius.c @@ -1,7 +1,7 @@ /* * radius.c * - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index bc59ea1fb..e766bc67b 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -2,7 +2,7 @@ * rdp.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/redis_net.c b/src/lib/protocols/redis_net.c index cb1e2e39b..d1c314903 100644 --- a/src/lib/protocols/redis_net.c +++ b/src/lib/protocols/redis_net.c 
@@ -1,7 +1,7 @@
 /*
  * redis.c
  *
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 90b73ab1e..6cf9e8068 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -2,7 +2,7 @@
  * rtp.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c
index 9620dd504..3969d80ed 100644
--- a/src/lib/protocols/rtsp.c
+++ b/src/lib/protocols/rtsp.c
@@ -2,7 +2,7 @@
  * rtsp.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c
index 522d9ef5c..cfa0dec97 100644
--- a/src/lib/protocols/rx.c
+++ b/src/lib/protocols/rx.c
@@ -1,7 +1,7 @@
 /*
  * rx.c
  *
- * Copyright (C) 2012-18 - ntop.org
+ * Copyright (C) 2012-19 - ntop.org
  *
  * Giovanni Mascellani <gio@debian.org>
  *
diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c
index cb1acff8d..6330e178c 100644
--- a/src/lib/protocols/sflow.c
+++ b/src/lib/protocols/sflow.c
@@ -1,7 +1,7 @@
 /*
  * sflow.c
  *
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/shoutcast.c b/src/lib/protocols/shoutcast.c
index 10486c0bd..dd4521ddd 100644
--- a/src/lib/protocols/shoutcast.c
+++ b/src/lib/protocols/shoutcast.c
@@ -2,7 +2,7 @@
  * shoutcast.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c
index 2583dbfdf..94423df01 100644
--- a/src/lib/protocols/sip.c
+++ b/src/lib/protocols/sip.c
@@ -2,7 +2,7 @@
  * sip.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 45a86f05f..8ada5d997 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -1,7 +1,7 @@
 /*
  * skype.c
  *
- * Copyright (C) 2017-18 - ntop.org
+ * Copyright (C) 2017-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
@@ -23,13 +23,6 @@
 #include "ndpi_api.h"
-static void ndpi_skype_report_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
-  /* printf("-> payload_len=%u\n", flow->packet.payload_packet_len); */
-
-  NDPI_LOG_INFO(ndpi_struct, "found skype\n");
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
-}
-
 static int is_port(u_int16_t a, u_int16_t b, u_int16_t c) {
   return(((a == c) || (b == c)) ? 1 : 0);
 }
@@ -60,7 +53,11 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
        ((payload_len >= 16) && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */ && (packet->payload[2] == 0x02))) {
-      ndpi_skype_report_protocol(ndpi_struct, flow);
+
+      if(is_port(sport, dport, 8801))
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM, NDPI_PROTOCOL_UNKNOWN);
+      else
+        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
     }
   }
@@ -90,7 +87,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s
       /* printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); */
       NDPI_LOG_INFO(ndpi_struct, "found skype\n");
-      ndpi_skype_report_protocol(ndpi_struct, flow);
+      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE);
     } else {
       // printf("NO [SKYPE] payload_len=%u\n", payload_len);
     }
diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c
index c6b0676b6..71305cd13 100644
--- a/src/lib/protocols/smb.c
+++ b/src/lib/protocols/smb.c
@@ -1,7 +1,7 @@
 /*
  * smb.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/smpp.c b/src/lib/protocols/smpp.c
index 444516cd3..c188bd91f 100644
--- a/src/lib/protocols/smpp.c
+++ b/src/lib/protocols/smpp.c
@@ -2,7 +2,7 @@
  * smpp.c
  *
  * Copyright (C) 2016 - Damir Franusic <df@release14.org>
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/snmp_proto.c b/src/lib/protocols/snmp_proto.c
index 77ad4d233..e7ea61590 100644
--- a/src/lib/protocols/snmp_proto.c
+++ b/src/lib/protocols/snmp_proto.c
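Review bot: The Zoom classification added in the first hunk rests on `is_port(sport, dport, 8801)` alone, so any flow that matches the existing Skype byte heuristic and happens to use port 8801 on either side is reported as NDPI_PROTOCOL_ZOOM with NDPI_PROTOCOL_UNKNOWN as master; a port number is weak evidence next to the payload checks this function otherwise relies on, and it is trivially chosen by an unrelated service or an adversary. I would document that assumption right above the branch, e.g. `/* Same byte pattern as Skype; port 8801 (Zoom media) is the only discriminator */`, and, since sport/dport are declared outside this hunk, confirm they are in the same byte order as the other is_port() call sites. The removed helper also emitted `NDPI_LOG_INFO(ndpi_struct, "found skype\n")`, which this path (apparently the UDP one, given the SNMP comment) no longer does while the TCP path in the second hunk still logs; restoring the log line before the `if` keeps the two consistent. ndpi_check_skype begins and ends outside these hunks.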
@@ -2,7 +2,7 @@
  * snmp.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c
index 36c18ef54..15cd06bc5 100644
--- a/src/lib/protocols/socks45.c
+++ b/src/lib/protocols/socks45.c
@@ -1,7 +1,7 @@
 /*
  * socks4.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
  *
  * The signature is based on the Libprotoident library.
diff --git a/src/lib/protocols/sopcast.c b/src/lib/protocols/sopcast.c
index c40213bf7..530bceab1 100644
--- a/src/lib/protocols/sopcast.c
+++ b/src/lib/protocols/sopcast.c
@@ -2,7 +2,7 @@
  * sopcast.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c
index de1b548be..be4d2e0e9 100644
--- a/src/lib/protocols/soulseek.c
+++ b/src/lib/protocols/soulseek.c
@@ -1,7 +1,7 @@
 /*
  * soulseek.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c
index 6b2bbd188..b5cef8b91 100644
--- a/src/lib/protocols/ssdp.c
+++ b/src/lib/protocols/ssdp.c
@@ -2,7 +2,7 @@
  * ssdp.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/starcraft.c b/src/lib/protocols/starcraft.c
index 8c344d78d..9cc8abb10 100644
--- a/src/lib/protocols/starcraft.c
+++ b/src/lib/protocols/starcraft.c
@@ -2,7 +2,7 @@
 * starcraft.c
 *
 * Copyright (C) 2015 - Matteo Bracci <matteobracci1@gmail.com>
-* Copyright (C) 2015-18 - ntop.org
+* Copyright (C) 2015-19 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/stealthnet.c b/src/lib/protocols/stealthnet.c
index 00c7ba648..d9f137914 100644
--- a/src/lib/protocols/stealthnet.c
+++ b/src/lib/protocols/stealthnet.c
@@ -2,7 +2,7 @@
  * stealthnet.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c
index 0a737baf9..6e1034aee 100644
--- a/src/lib/protocols/steam.c
+++ b/src/lib/protocols/steam.c
@@ -1,6 +1,7 @@
 /*
  * steam.c
  *
+ * Copyright (C) 2011-19 - ntop.org
  * Copyright (C) 2014 Tomasz Bujlow <tomasz@skatnet.dk>
  *
  * The signature is mostly based on the Libprotoident library
@@ -242,52 +243,55 @@ static void ndpi_check_steam_udp3(struct ndpi_detection_module_struct *ndpi_stru
 void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
     struct ndpi_packet_struct *packet = &flow->packet;
-    /* Break after 20 packets. */
-    if (flow->packet_counter > 20) {
-        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
-        return;
-    }
-
-    /* skip marked or retransmitted packets */
-    if (packet->tcp_retransmission != 0) {
-        return;
-    }
-
-    if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) {
-        return;
-    }
-
-    NDPI_LOG_DBG(ndpi_struct, "search STEAM\n");
-    ndpi_check_steam_http(ndpi_struct, flow);
+    if(flow->packet.udp != NULL) {
+      if(flow->packet_counter > 5) {
+        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+        return;
+      }
+
+      ndpi_check_steam_udp1(ndpi_struct, flow);
-    if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) {
-        return;
-    }
-
-    ndpi_check_steam_tcp(ndpi_struct, flow);
+      if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM)
+        return;
-    if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) {
-        return;
-    }
+      ndpi_check_steam_udp2(ndpi_struct, flow);
-    ndpi_check_steam_udp1(ndpi_struct, flow);
+      if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM)
+        return;
-    if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) {
-        return;
-    }
+      ndpi_check_steam_udp3(ndpi_struct, flow);
+    } else {
+      /* Break after 10 packets. */
+      if(flow->packet_counter > 10) {
+        NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+        return;
+      }
+
+
+      /* skip marked or retransmitted packets */
+      if(packet->tcp_retransmission != 0) {
+        return;
+      }
+
+      if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM)
+        return;
+
+      NDPI_LOG_DBG(ndpi_struct, "search STEAM\n");
+      ndpi_check_steam_http(ndpi_struct, flow);
-    ndpi_check_steam_udp2(ndpi_struct, flow);
+      if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM)
+        return;
+
+      ndpi_check_steam_tcp(ndpi_struct, flow);
-    if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) {
-        return;
+      if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM)
+        return;
     }
-
-    ndpi_check_steam_udp3(ndpi_struct, flow);
 }
-void init_steam_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
-{
+void init_steam_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+                          u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
     ndpi_set_bitmask_protocol_detection("Steam", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_STEAM, ndpi_search_steam,
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 9df041c26..448062f47 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -1,8 +1,7 @@
 /*
  * stun.c
  *
- * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
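Review bot: The early return `if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) return;` that previously ran before any check now lives only in the TCP branch, so for a UDP flow ndpi_check_steam_udp1 is invoked even when the flow is already classified, and the `search STEAM` debug line is likewise TCP-only. Whether the dispatcher re-enters this function after detection is not visible here, but hoisting that single check above the `if(flow->packet.udp != NULL)` split is free and keeps the two branches symmetric. The UDP give-up threshold also dropped from 20 packets to 5 while TCP went to 10; a short comment on each threshold explaining why they differ would spare the next reader a bisect, and the two consecutive blank lines after the TCP `return; }` look accidental.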
@@ -39,24 +38,6 @@ struct stun_packet_header {
   u_int8_t transaction_id[8];
 };
-/* ************************************************************ */
-
-static u_int8_t is_stun_based_proto(u_int16_t proto) {
-
-  switch(proto) {
-  case NDPI_PROTOCOL_WHATSAPP:
-  case NDPI_PROTOCOL_WHATSAPP_VOICE:
-  case NDPI_PROTOCOL_WHATSAPP_VIDEO:
-  case NDPI_PROTOCOL_MESSENGER:
-  case NDPI_PROTOCOL_HANGOUT_DUO:
-  case NDPI_PROTOCOL_SKYPE_CALL:
-  case NDPI_PROTOCOL_SIGNAL:
-  case NDPI_PROTOCOL_STUN:
-    return(1);
-  }
-
-  return(0);
-}
 /* ************************************************************ */
@@ -71,7 +52,7 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
 void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow,
-                                  u_int app_proto, u_int proto) {
+                                  u_int proto, u_int app_proto) {
   if(ndpi_struct->stun_cache == NULL)
     ndpi_struct->stun_cache = ndpi_lru_cache_init(1024);
@@ -101,12 +82,12 @@ void ndpi_int_stun_add_connection(struct ndpi_detection_module_stru
   } else {
     if(app_proto != NDPI_PROTOCOL_STUN) { /* No sense to ass STUN, but only subprotocols */
-
+
 #ifdef DEBUG_LRU
       printf("[LRU] ADDING %u / %u.%u [%u -> %u]\n", key, proto, app_proto, ntohs(flow->packet.udp->source), ntohs(flow->packet.udp->dest));
 #endif
-
+
       ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto);
       ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key_rev, app_proto);
     }
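Review bot: Swapping `u_int app_proto, u_int proto` to `u_int proto, u_int app_proto` is invisible to the compiler because both parameters are plain `u_int`, so any caller still passing the old order silently records the STUN master as the application protocol; in the `app_proto != NDPI_PROTOCOL_STUN` branch further down that means the LRU insert is skipped for a real sub-protocol and a stray STUN value can be cached instead. The call sites are outside this hunk, so I cannot confirm they were all updated; a comment on the prototype such as `/* proto = master (STUN); app_proto = sub-protocol that is cached and reported */` plus a grep for `ndpi_int_stun_add_connection(` would make the change safe to merge. The body of ndpi_int_stun_add_connection continues past this hunk.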
@@ -160,19 +141,14 @@ static int is_messenger_ip_address(u_int32_t host) {
 static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t * payload,
-                                           const u_int16_t payload_length,
-                                           u_int8_t *is_whatsapp,
-                                           u_int8_t *is_messenger,
-                                           u_int8_t *is_duo
-                                           ) {
+                                           const u_int16_t payload_length) {
   u_int16_t msg_type, msg_len;
   struct stun_packet_header *h = (struct stun_packet_header*)payload;
-  u_int8_t can_this_be_whatsapp_voice = 1;
-
+  int rc;
+
   /* STUN over TCP does not look good */
-  if(flow->packet.tcp) return(NDPI_IS_NOT_STUN);
-
-  *is_whatsapp = 0, *is_messenger = 0, *is_duo = 0;
+  if (flow->packet.tcp)
+    return(NDPI_IS_NOT_STUN);
   if(payload_length >= 512) {
     return(NDPI_IS_NOT_STUN);
@@ -180,8 +156,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     /* This looks like an invalid packet */
     if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) {
-      *is_whatsapp = 1;
-      return(NDPI_IS_STUN); /* This is WhatsApp Voice */
+      flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
+      return(NDPI_IS_STUN);
     } else
       return(NDPI_IS_NOT_STUN);
   }
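Review bot: The new function-scope `int rc;` is never used in any visible part of ndpi_int_check_stun, and the LRU lookup later in the function still declares its own block-scoped `int rc = ndpi_lru_find_cache(...)`, which shadows it and will trip `-Wshadow`; either delete the new declaration or reuse it in that block. With the `is_whatsapp`/`is_messenger`/`is_duo` out-parameters gone, the only way the caller learns what was found is `flow->guessed_host_protocol_id`, so a one-line comment on the signature such as `/* On NDPI_IS_STUN the sub-protocol, if any, is left in flow->guessed_host_protocol_id */` would document the new contract. The function starts here and continues past the end of this hunk.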
@@ -192,26 +168,40 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
     goto udp_stun_found;
   }
-  msg_type = ntohs(h->msg_type) /* & 0x3EEF */, msg_len = ntohs(h->msg_len);
+  msg_type = ntohs(h->msg_type), msg_len = ntohs(h->msg_len);
+  if(msg_type == 0)
+    return(NDPI_IS_NOT_STUN);
+
   /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */
-  if(msg_type > 0x000C) {
+  if ((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) {
 #ifdef DEBUG_STUN
     printf("[STUN] msg_type = %04X\n", msg_type);
 #endif
-
-    if(is_stun_based_proto(flow->guessed_host_protocol_id)) {
-      /*
-        In this case we have the detected the typical STUN pattern
-        of modern protocols where the flow starts as STUN and becomes
-        something else that has nothing to do with STUN anymore
-      */
-      ndpi_int_stun_add_connection(ndpi_struct, flow,
-                                   flow->guessed_host_protocol_id,
-                                   NDPI_PROTOCOL_STUN);
-      return(NDPI_IS_STUN);
+
+    /*
+      If we're here it's because this does not look like STUN anymore
+      as this was a flow that started as STUN and turned into something
+      else. Let's investigate what is that about
+    */
+    if (payload[0] == 0x16) {
+      /* Let's check if this is DTLS used by some socials */
+      struct ndpi_packet_struct *packet = &flow->packet;
+      u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1]));
+
+      switch (version) {
+      case 0xFEFF: /* DTLS 1.0 */
+      case 0xFEFD: /* DTLS 1.2 */
+        total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13;
+
+        if (payload_length == total_len) {
+          /* This is DTLS and the only protocol we know behaves like this is signal */
+          flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL;
+          return(NDPI_IS_STUN);
+        }
+      }
     }
-
+
     return(NDPI_IS_NOT_STUN);
   }
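Review bot: In the DTLS probe, `version = htons(*((u_int16_t*) &packet->payload[1]))` converts host-to-network and then compares against the wire constants 0xFEFF/0xFEFD; it only works because htons and ntohs are the same byte swap, and `ntohs`, which the very next statement uses for the record length, is the intended call. `total_len` is declared `u_int16_t`, so `ntohs(...) + 13` wraps for record lengths above 65522 — harmless in practice given the earlier `payload_length >= 512` rejection, but a `u_int32_t` removes the question. The reads at `payload[1..2]` and `payload[11..12]` need `payload_length >= 13`; the short-packet check that guards the `struct stun_packet_header *h` cast is outside this hunk, so either confirm it rejects anything shorter than the STUN header or add `payload_length >= 13 &&` to the `payload[0] == 0x16` test. Suggested lines: `u_int16_t version = ntohs(*((u_int16_t*) &packet->payload[1]));` and `u_int32_t total_len = (u_int32_t) ntohs(*((u_int16_t*) &packet->payload[11])) + 13;`.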
@@ -222,46 +212,32 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
   printf("[STUN] Here we go\n");;
 #endif
-  if(ndpi_struct->stun_cache) {
+  if (ndpi_struct->stun_cache) {
     u_int16_t proto;
     u_int32_t key = get_stun_lru_key(flow, 0);
-    int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */);
+    int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto,
+                                 0 /* Don't remove it as it can be used for other connections */);
 #ifdef DEBUG_LRU
     printf("[LRU] Searching %u\n", key);
 #endif
-    if(!rc) {
+    if (!rc) {
       key = get_stun_lru_key(flow, 1);
-      rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */);
+      rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto,
+                               0 /* Don't remove it as it can be used for other connections */);
 #ifdef DEBUG_LRU
-    printf("[LRU] Searching %u\n", key);
+      printf("[LRU] Searching %u\n", key);
 #endif
     }
-    if(rc) {
+    if (rc) {
 #ifdef DEBUG_LRU
       printf("[LRU] Cache FOUND %u / %u\n", key, proto);
 #endif
-      flow->guessed_host_protocol_id = proto, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;
-
-      switch(proto) {
-      case NDPI_PROTOCOL_WHATSAPP:
-        *is_whatsapp = 1;
-        break;
-      case NDPI_PROTOCOL_MESSENGER:
-        *is_messenger = 1;
-        break;
-      case NDPI_PROTOCOL_HANGOUT_DUO:
-        *is_duo = 1;
-        break;
-      case NDPI_PROTOCOL_SKYPE_CALL:
-        flow->protos.stun_ssl.stun.is_skype = 1;
-        break;
-      }
-
+      flow->guessed_host_protocol_id = proto;
       return(NDPI_IS_STUN);
     } else {
 #ifdef DEBUG_LRU
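Review bot: On an LRU hit the new code sets only `flow->guessed_host_protocol_id = proto;`, whereas the removed line also set `flow->guessed_protocol_id = NDPI_PROTOCOL_STUN` and, for NDPI_PROTOCOL_SKYPE_CALL, `flow->protos.stun_ssl.stun.is_skype = 1`. If the caller still reads is_skype or expects guessed_protocol_id to be STUN whenever NDPI_IS_STUN is returned (that consumer is outside this hunk, so I cannot tell), a flow recognised from the cache is now reported differently from one detected fresh. Either restore `flow->guessed_protocol_id = NDPI_PROTOCOL_STUN;` next to the host assignment or add a comment stating that the caller derives the master protocol itself. The function continues on both sides of this hunk.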
@@ -277,48 +253,40 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if(msg_type == 0x01 /* Binding Request */) { flow->protos.stun_ssl.stun.num_binding_requests++; - if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) + if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE) flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; else - flow->guessed_host_protocol_id = NDPI_PROTOCOL_STUN; + flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if(msg_len == 0) { + if (!msg_len) { /* flow->protos.stun_ssl.stun.num_udp_pkts++; */ return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */ } } - if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) { + if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return(NDPI_IS_NOT_STUN); } flow->protos.stun_ssl.stun.num_udp_pkts++; - /* - printf("[msg_type: %04X][payload_length: %u][num_binding_request: %u]\n", - msg_type, payload_length, flow->protos.stun_ssl.stun.num_binding_requests); - */ - - if(((payload[0] == 0x80) - && (payload_length < 512) - && ((msg_len+20) <= payload_length)) /* WhatsApp Voice */) { - *is_whatsapp = 1; - return(NDPI_IS_STUN); /* This is WhatsApp Voice */ - } else if((payload[0] == 0x90) - && (((msg_len+11) == payload_length) /* WhatsApp Video */ - || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) { - *is_whatsapp = 2; - return(NDPI_IS_STUN); /* This is WhatsApp Video */ + if((payload[0] == 0x80 && payload_length < 512 && ((msg_len+20) <= payload_length))) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; + return(NDPI_IS_STUN); /* This is WhatsApp Call */ + } else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) || + (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; + return(NDPI_IS_STUN); /* This is 
WhatsApp Call */ } - if((payload[0] != 0x80) && ((msg_len+20) > payload_length)) + if (payload[0] != 0x80 && (msg_len + 20) > payload_length) return(NDPI_IS_NOT_STUN); else { switch(flow->guessed_protocol_id) { case NDPI_PROTOCOL_HANGOUT_DUO: case NDPI_PROTOCOL_MESSENGER: - case NDPI_PROTOCOL_WHATSAPP_VOICE: + case NDPI_PROTOCOL_WHATSAPP_CALL: /* Don't overwrite the protocol with sub-STUN protocols */ break; 
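Review bot: The two WhatsApp branches now have identical bodies, so they can collapse into one condition, and while doing so the `payload_length < 512` term can go: the function already returns NDPI_IS_NOT_STUN for `payload_length >= 512` before this point, so the check is dead here. Separately, the else-arm of the Binding Request block switched from writing `guessed_host_protocol_id` to `guessed_protocol_id`; that reads as intentional (STUN is the master, not the host protocol) but deserves a one-line comment, because the check two lines later still tests `guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN` and a reader will wonder whether the two fields were meant to diverge. The function continues on both sides of this hunk.

```c
  /* … unchanged: binding-request bookkeeping, num_udp_pkts++ … */
  if((payload[0] == 0x80 && (msg_len + 20) <= payload_length) ||
     (payload[0] == 0x90 && ((msg_len + 11) == payload_length ||
                             flow->protos.stun_ssl.stun.num_binding_requests >= 4))) {
    flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL;
    return(NDPI_IS_STUN); /* WhatsApp Call: 0x80 = voice framing, 0x90 = video framing */
  }
  /* … unchanged: the "payload[0] != 0x80" length check and the switch below … */
```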
@@ -328,210 +296,189 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } } - if(payload_length == (msg_len+20)) { - if(msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { + if (payload_length == (msg_len+20)) { + if ((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { u_int offset = 20; - // printf("[%02X][%02X][%02X][%02X][payload_length: %u]\n", payload[offset], payload[offset+1], payload[offset+2], payload[offset+3],payload_length); - /* - This can either be the standard RTCP or Ms Lync RTCP that - later will become Ms Lync RTP. In this case we need to - be careful before deciding about the protocol before dissecting the packet + This can either be the standard RTCP or Ms Lync RTCP that + later will become Ms Lync RTP. In this case we need to + be careful before deciding about the protocol before dissecting the packet - MS Lync = Skype - https://en.wikipedia.org/wiki/Skype_for_Business - */ + MS Lync = Skype + https://en.wikipedia.org/wiki/Skype_for_Business + */ while((offset+2) < payload_length) { - u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset])); - u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); - u_int16_t x = (len + 4) % 4; + u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset])); + u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); + u_int16_t x = (len + 4) % 4; - if(x != 0) - len += 4-x; + if (x) + len += 4-x; #ifdef DEBUG_STUN - printf("==> Attribute: %04X\n", attribute); + printf("==> Attribute: %04X\n", attribute); #endif - switch(attribute) { - case 0x0008: /* Message Integrity */ - case 0x0020: /* XOR-MAPPED-ADDRESSES */ - case 0x4000: - case 0x4001: - case 0x4002: - /* These are the only messages apparently whatsapp voice can use */ + switch(attribute) { + case 0x0103: + flow->guessed_host_protocol_id = NDPI_PROTOCOL_ZOOM; + return(NDPI_IS_STUN); break; + + case 0x4000: + case 0x4001: + case 0x4002: + /* These are the 
only messages apparently whatsapp voice can use */ + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; + return(NDPI_IS_STUN); + break; - case 0x0014: /* Realm */ - { - u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2])); + case 0x0014: /* Realm */ + { + u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2])); - if(flow->host_server_name[0] == '\0') { - u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len; - u_int k = offset+4; + if(flow->host_server_name[0] == '\0') { + u_int j, i = (realm_len > sizeof(flow->host_server_name)) ? sizeof(flow->host_server_name) : realm_len; + u_int k = offset+4; - memset(flow->host_server_name, 0, sizeof(flow->host_server_name)); + memset(flow->host_server_name, 0, sizeof(flow->host_server_name)); - for(j=0; j<i; j++) - flow->host_server_name[j] = payload[k++]; + for(j=0; j<i; j++) + flow->host_server_name[j] = payload[k++]; #ifdef DEBUG_STUN - printf("==> [%s]\n", flow->host_server_name); + printf("==> [%s]\n", flow->host_server_name); #endif - if(strstr((char*)flow->host_server_name, "google.com") != NULL) { - *is_duo = 1; - flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - return(NDPI_IS_STUN); - } else if(strstr((char*)flow->host_server_name, "whispersystems.org") != NULL) { - flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - return(NDPI_IS_STUN); - } - } - } - break; - - case 0xC057: /* Messeger */ - if(msg_type == 0x0001) { - if((msg_len == 100) || (msg_len == 104)) { - *is_messenger = 1; - return(NDPI_IS_STUN); - } else if(msg_len == 76) { + if (strstr((char*) flow->host_server_name, "google.com") != NULL) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; + return(NDPI_IS_STUN); + } else if (strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL; + 
return(NDPI_IS_STUN); + } + } + } + break; + + case 0xC057: /* Messeger */ + if (msg_type == 0x0001) { + if ((msg_len == 100) || (msg_len == 104)) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER; + return(NDPI_IS_STUN); + } else if(msg_len == 76) { #if 0 - *is_duo = 1; - - if(1) { - flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */ - } else - return(NDPI_IS_STUN); + if(1) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; + return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */ + } else + return(NDPI_IS_STUN); #endif - } - } - break; - - case 0x8054: /* Candidate Identifier */ - if((len == 4) - && ((offset+7) < payload_length) - && (payload[offset+5] == 0x00) - && (payload[offset+6] == 0x00) - && (payload[offset+7] == 0x00)) { - /* Either skype for business or "normal" skype with multiparty call */ + } + } + break; + + case 0x8054: /* Candidate Identifier */ + if((len == 4) + && ((offset+7) < payload_length) + && (payload[offset+5] == 0x00) + && (payload[offset+6] == 0x00) + && (payload[offset+7] == 0x00)) { + /* Either skype for business or "normal" skype with multiparty call */ #ifdef DEBUG_STUN - printf("==> Skype found\n"); + printf("==> Skype found\n"); #endif - flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; - flow->protos.stun_ssl.stun.is_skype = 1; - return(NDPI_IS_STUN); - } - break; - - case 0x8055: /* MS Service Quality (skype?) */ - break; - - /* Proprietary fields found on skype calls */ - case 0x24DF: - case 0x3802: - case 0x8036: - case 0x8095: - case 0x0800: - case 0x8006: /* This is found on skype calls) */ - /* printf("====>>>> %04X\n", attribute); */ + flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; + return(NDPI_IS_STUN); + } + + break; + + case 0x8055: /* MS Service Quality (skype?) 
*/ + break; + + /* Proprietary fields found on skype calls */ + case 0x24DF: + case 0x3802: + case 0x8036: + case 0x8095: + case 0x0800: + case 0x8006: /* This is found on skype calls) */ + /* printf("====>>>> %04X\n", attribute); */ #ifdef DEBUG_STUN - printf("==> Skype (2) found\n"); + printf("==> Skype (2) found\n"); #endif - flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; - flow->protos.stun_ssl.stun.is_skype = 1; - return(NDPI_IS_STUN); - break; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; + return(NDPI_IS_STUN); + break; - case 0x8070: /* Implementation Version */ - if((len == 4) - && ((offset+7) < payload_length) - && (payload[offset+4] == 0x00) - && (payload[offset+5] == 0x00) - && (payload[offset+6] == 0x00) - && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03)) - ) { - flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; - flow->protos.stun_ssl.stun.is_skype = 1; + case 0x8070: /* Implementation Version */ + if (len == 4 && ((offset+7) < payload_length) + && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) && + ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))) { #ifdef DEBUG_STUN - printf("==> Skype (3) found\n"); + printf("==> Skype (3) found\n"); #endif - return(NDPI_IS_STUN); - } - break; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; + return(NDPI_IS_STUN); + } + break; - case 0xFF03: - can_this_be_whatsapp_voice = 0; - flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; - break; + case 0xFF03: + flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; + return(NDPI_IS_STUN); + break; - default: - /* This means this STUN packet cannot be confused with whatsapp voice */ + default: #ifdef DEBUG_STUN - printf("==> %04X\n", attribute); + printf("==> %04X\n", attribute); #endif - can_this_be_whatsapp_voice = 0; - break; - } + break; + } - offset += len + 4; + offset += len + 4; } + goto udp_stun_found; } else if(msg_type == 0x0800) { - 
*is_whatsapp = 1; - return(NDPI_IS_STUN); /* This is WhatsApp */ + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; + return(NDPI_IS_STUN); } } - if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { - *is_whatsapp = 1; - return(NDPI_IS_STUN); /* This is WhatsApp Voice */ + if ((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; + return(NDPI_IS_STUN); } else return(NDPI_IS_NOT_STUN); - udp_stun_found: - if(can_this_be_whatsapp_voice) { - struct ndpi_packet_struct *packet = &flow->packet; - int rc; - - flow->protos.stun_ssl.stun.num_processed_pkts++; -#ifdef DEBUG_STUN - printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n"); -#endif +udp_stun_found: + flow->protos.stun_ssl.stun.num_processed_pkts++; - if((ntohs(packet->udp->source) == 3478) || (ntohs(packet->udp->dest) == 3478)) { - flow->guessed_host_protocol_id = (is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr))) ? - NDPI_PROTOCOL_MESSENGER : NDPI_PROTOCOL_WHATSAPP_VOICE; - } else - flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr))) - ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE; + struct ndpi_packet_struct *packet = &flow->packet; - rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? 
NDPI_IS_NOT_STUN : NDPI_IS_STUN; +#ifdef DEBUG_STUN + printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n"); +#endif - if(rc == NDPI_IS_STUN) - ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_IS_STUN); + if(is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr))) + flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER; + else if(is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr))) + flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; + + rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN; - return(rc); - } else { - /* - We cannot immediately say that this is STUN as there are other protocols - like GoogleHangout that might be candidates, thus we set the - guessed protocol to STUN - */ - return(NDPI_IS_NOT_STUN); - } + return rc; } + void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t is_whatsapp = 0, is_messenger = 0, is_duo = 0; NDPI_LOG_DBG(ndpi_struct, "search stun\n"); 
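Review bot: The `case 0x0014` Realm copy bounds `i` only by `realm_len` and `sizeof(flow->host_server_name)`, never by `payload_length`, so a packet whose Realm attribute claims more bytes than the datagram carries makes the `for(j=0; j<i; j++)` loop read past the end of `payload`. In the same branch, when `realm_len >= sizeof(flow->host_server_name)` the copy fills the whole array and the `strstr()` calls that follow run on a buffer with no terminator; capping `i` at `sizeof(...) - 1` preserves the NUL that `memset` wrote (change below). Related and unchanged: the loop head `while((offset+2) < payload_length)` still lets `ntohs(*((u_int16_t*)&payload[offset+2]))` touch `payload[payload_length]` when `payload_length` is not a multiple of 4, so `while((offset + 4) <= payload_length)` is the tighter condition. At `udp_stun_found:` the `packet->iph->saddr` dereferences now run on every path that reaches the label; if `packet->iph` can be NULL here (IPv6 flows), a `packet->iph != NULL` test belongs before the two `is_*_ip_address()` calls. ndpi_int_check_stun begins before this hunk.
```c
	case 0x0014: /* Realm */
	  {
	    u_int16_t realm_len = ntohs(*((u_int16_t*)&payload[offset+2]));

	    if(flow->host_server_name[0] == '\0') {
	      u_int j, i = realm_len;
	      u_int k = offset+4;

	      /* Bound the copy by the destination (leave room for the NUL
		 that the strstr() calls below rely on) and by the packet. */
	      if(i > sizeof(flow->host_server_name) - 1)
		i = sizeof(flow->host_server_name) - 1;
	      if(k >= payload_length)
		i = 0;
	      else if(i > payload_length - k)
		i = payload_length - k;

	      memset(flow->host_server_name, 0, sizeof(flow->host_server_name));

	      for(j=0; j<i; j++)
		flow->host_server_name[j] = payload[k++];
	      /* … unchanged: DEBUG_STUN print and the google.com / whispersystems.org checks … */
```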
@@ -550,64 +497,27 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n * improved by checking only the STUN packet of given length */ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2, - packet->payload_packet_len - 2, - &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) { - if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - - if(is_messenger) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN); - return; - } else if(is_duo) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN); - return; - } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN); - return; - } else if(flow->protos.stun_ssl.stun.is_skype || (flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL)) { - NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); - - // if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); - } else { - NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ - ndpi_int_stun_add_connection(ndpi_struct, flow, - is_whatsapp ? (is_whatsapp == 1 ? 
NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) : NDPI_PROTOCOL_STUN, - NDPI_PROTOCOL_UNKNOWN); - } - - return; + packet->payload_packet_len - 2) == NDPI_IS_STUN) { + goto udp_stun_match; } } } /* UDP */ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, - packet->payload_packet_len, - &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) { - if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - - if(is_messenger) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN); - return; - } else if(is_duo) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN); - return; - } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN); - return; - } else if(flow->protos.stun_ssl.stun.is_skype) { - NDPI_LOG_INFO(ndpi_struct, "Found Skype\n"); - - /* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */ - // if((flow->protos.stun_ssl.stun.num_udp_pkts >= 6) || (flow->protos.stun_ssl.stun.num_binding_requests >= 3)) - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); - } else { - NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); - ndpi_int_stun_add_connection(ndpi_struct, flow, - is_whatsapp ? (is_whatsapp == 1 ? 
NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) - : NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN); - } + packet->payload_packet_len) == NDPI_IS_STUN) { + udp_stun_match: + if (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) + flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; + if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { + flow->guessed_host_protocol_id = flow->guessed_protocol_id; + flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; + } + + ndpi_int_stun_add_connection(ndpi_struct, flow, + flow->guessed_protocol_id, + flow->guessed_host_protocol_id); return; } diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c index fc51fc065..80c6a24d9 100644 --- a/src/lib/protocols/syslog.c +++ b/src/lib/protocols/syslog.c @@ -2,7 +2,7 @@ * syslog.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 2d28182df..cb0223d18 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c @@ -1,7 +1,7 @@ /* * tcp_or_udp.c * - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c index 1fa39ff43..33de448c7 100644 --- a/src/lib/protocols/teamviewer.c +++ b/src/lib/protocols/teamviewer.c @@ -2,7 +2,7 @@ * teamviewer.c * * Copyright (C) 2012 by Gianluca Costa xplico.org - * Copyright (C) 2012-18 - ntop.org + * Copyright (C) 2012-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH 
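Review bot: The single remaining call `ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_protocol_id, flow->guessed_host_protocol_id)` passes (carrier, application) — the three lines above it force `guessed_protocol_id` to `NDPI_PROTOCOL_STUN` and keep the application in `guessed_host_protocol_id` — whereas every call it replaces passed (application, carrier), e.g. the removed `ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN)`. Unless the helper's parameter order was swapped in an earlier hunk of this file (not visible here), the upper/lower detected protocols come out inverted; a call-site comment such as `/* args: carrier (STUN) first, application (WhatsApp, Duo, ...) second */` would make the intended order checkable. The `goto udp_stun_match` from the TCP branch jumps into the body of the UDP `if`, which is legal but easy to misread; a small static helper holding the normalisation lines and the call, invoked from both branches, would read better. ndpi_search_stun begins before this hunk.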
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index 79be38eae..8a5425814 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -2,7 +2,7 @@
  * telegram.c
  *
  * Copyright (C) 2014 by Gianluca Costa xplico.org
- * Copyright (C) 2012-18 - ntop.org
+ * Copyright (C) 2012-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c
index 33d19e1dc..e293fc960 100644
--- a/src/lib/protocols/telnet.c
+++ b/src/lib/protocols/telnet.c
@@ -2,7 +2,7 @@
  * telnet.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c
index e377d09a4..32c183a3f 100644
--- a/src/lib/protocols/teredo.c
+++ b/src/lib/protocols/teredo.c
@@ -1,7 +1,7 @@
 /*
  * teredo.c
  *
- * Copyright (C) 2015-18 - ntop.org
+ * Copyright (C) 2015-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c
index f3da3463c..27578d423 100644
--- a/src/lib/protocols/tftp.c
+++ b/src/lib/protocols/tftp.c
@@ -2,7 +2,7 @@
  * tftp.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c
index 754f68f60..193488a7d 100644
--- a/src/lib/protocols/thunder.c
+++ b/src/lib/protocols/thunder.c
@@ -2,7 +2,7 @@ * thunder.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c index 7ee4105e8..a7ff297d7 100644 --- a/src/lib/protocols/tinc.c +++ b/src/lib/protocols/tinc.c @@ -2,7 +2,7 @@ * tinc.c * * Copyright (C) 2017 - William Guglielmo <william@deselmo.com> - * Copyright (C) 2017-18 - ntop.org + * Copyright (C) 2017-19 - ntop.org * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 5be39c714..f63da2067 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -628,7 +628,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t version_len = packet->payload[offset+4]; if(version_len == (extension_len-1)) { - /* Sanity check */ +#ifdef DEBUG_TLS u_int8_t j; for(j=0; j<version_len; j += 2) { @@ -636,6 +636,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, printf("Client SSL [TLS version: 0x%04X]\n", tls_version); } +#endif } } diff --git a/src/lib/protocols/tvants.c b/src/lib/protocols/tvants.c index eafce38c4..2c31974fe 100644 --- a/src/lib/protocols/tvants.c +++ b/src/lib/protocols/tvants.c @@ -2,7 +2,7 @@ * tvants.c * * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-18 - ntop.org + * Copyright (C) 2011-19 - ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/tvuplayer.c b/src/lib/protocols/tvuplayer.c index ce84c7de3..b71eb1752 100644 --- a/src/lib/protocols/tvuplayer.c +++ b/src/lib/protocols/tvuplayer.c 
@@ -2,7 +2,7 @@
  * tvuplayer.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/usenet.c b/src/lib/protocols/usenet.c
index 6a2970d6e..a69c34abd 100644
--- a/src/lib/protocols/usenet.c
+++ b/src/lib/protocols/usenet.c
@@ -2,7 +2,7 @@
  * usenet.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/vhua.c b/src/lib/protocols/vhua.c
index eef5c065f..e7ede0955 100644
--- a/src/lib/protocols/vhua.c
+++ b/src/lib/protocols/vhua.c
@@ -1,7 +1,7 @@
 /*
  * vhua.c
  *
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * nDPI is free software: you can vhuatribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/viber.c b/src/lib/protocols/viber.c
index 9aaa0e243..dfeeb3626 100644
--- a/src/lib/protocols/viber.c
+++ b/src/lib/protocols/viber.c
@@ -2,7 +2,7 @@
  * viber.c
  *
  * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr>
- * Copyright (C) 2013-18 - ntop.org
+ * Copyright (C) 2013-19 - ntop.org
  *
  * This module is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/vmware.c b/src/lib/protocols/vmware.c
index 138d09bbc..312265ea8 100644
--- a/src/lib/protocols/vmware.c
+++ b/src/lib/protocols/vmware.c
@@ -1,7 +1,7 @@
 /*
  * vmware.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c
index 65988bce6..e8a381154 100644
--- a/src/lib/protocols/vnc.c
+++ b/src/lib/protocols/vnc.c
@@ -1,7 +1,7 @@
 /*
  * vnc.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/warcraft3.c b/src/lib/protocols/warcraft3.c
index 3f970bd25..5c4699900 100644
--- a/src/lib/protocols/warcraft3.c
+++ b/src/lib/protocols/warcraft3.c
@@ -2,7 +2,7 @@
  * warcraft3.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c
index 335aa6f65..381acc981 100644
--- a/src/lib/protocols/whoisdas.c
+++ b/src/lib/protocols/whoisdas.c
@@ -1,7 +1,7 @@
 /*
  * whoisdas.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * nDPI is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by
diff --git a/src/lib/protocols/world_of_kung_fu.c b/src/lib/protocols/world_of_kung_fu.c
index d179ef526..b1312d31e 100644
--- a/src/lib/protocols/world_of_kung_fu.c
+++ b/src/lib/protocols/world_of_kung_fu.c
@@ -2,7 +2,7 @@
  * world_of_kung_fu.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c
index acb010a85..39e641ffb 100644
--- a/src/lib/protocols/world_of_warcraft.c
+++ b/src/lib/protocols/world_of_warcraft.c
@@ -2,7 +2,7 @@
  * world_of_warcraft.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c
index 768bb7322..7b03d6321 100644
--- a/src/lib/protocols/xbox.c
+++ b/src/lib/protocols/xbox.c
@@ -1,7 +1,7 @@
 /*
  * xbox.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/xdmcp.c b/src/lib/protocols/xdmcp.c
index 35b08b91b..753213d54 100644
--- a/src/lib/protocols/xdmcp.c
+++ b/src/lib/protocols/xdmcp.c
@@ -2,7 +2,7 @@
  * xdmcp.c
  *
  * Copyright (C) 2009-2011 by ipoque GmbH
- * Copyright (C) 2011-18 - ntop.org
+ * Copyright (C) 2011-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c
index 972466dc8..0852eec6e 100644
--- a/src/lib/protocols/yahoo.c
+++ b/src/lib/protocols/yahoo.c
@@ -1,7 +1,7 @@
 /*
  * yahoo.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c
index 3b0c02d80..4f2d115ce 100644
--- a/src/lib/protocols/zattoo.c
+++ b/src/lib/protocols/zattoo.c
@@ -1,7 +1,7 @@
 /*
  * zattoo.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * This file is part of nDPI, an open source deep packet inspection
  * library based on the OpenDPI and PACE technology by ipoque GmbH
diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c
index aa73d4a6d..8d30bc9d4 100644
--- a/src/lib/protocols/zeromq.c
+++ b/src/lib/protocols/zeromq.c
@@ -1,7 +1,7 @@
 /*
  * zmq.c
  *
- * Copyright (C) 2016-18 - ntop.org
+ * Copyright (C) 2016-19 - ntop.org
  *
  * nDPI is free software: you can zmqtribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as published by |