Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/ndpi_main.c11
-rw-r--r--src/lib/protocols/stun.c110
-rw-r--r--src/lib/protocols/thunder.c292
3 files changed, 228 insertions, 185 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index d8047825b..af417f44f 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1148,7 +1148,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_STUN,
no_master, custom_master, "STUN",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_b, 3478, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_IP_IPSEC,
no_master,
no_master, "IPsec",
@@ -1209,6 +1209,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "PcAnywhere",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_VOICE,
+ no_master,
+ no_master, "WhatsApp Voice",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
custom_master[0] = NDPI_PROTOCOL_SSL_NO_CERT, custom_master[1] = NDPI_PROTOCOL_UNKNOWN;
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_SSL,
@@ -1524,8 +1529,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master,
no_master,
"H323",
- ndpi_build_default_ports(ports_a, 1719, 1720, 3478, 0, 0) /* TCP */,
- ndpi_build_default_ports(ports_b, 1719, 1720, 3478, 0, 0) /* UDP */);
+ ndpi_build_default_ports(ports_a, 1719, 1720, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 1719, 1720, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_OPENVPN,
no_master,
no_master, "OpenVPN",
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 09ec4a050..c613ae242 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -27,12 +27,20 @@
#ifdef NDPI_PROTOCOL_STUN
-static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_STUN, NDPI_REAL_PROTOCOL);
-}
+#define MAX_NUM_STUN_PKTS 6
+struct stun_packet_header {
+ u_int16_t msg_type, msg_len;
+ u_int32_t cookie;
+ u_int8_t transaction_id[8];
+};
+
+static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ u_int proto,
+ struct ndpi_flow_struct *flow) {
+ ndpi_int_add_connection(ndpi_struct, flow, proto, NDPI_REAL_PROTOCOL);
+}
typedef enum {
NDPI_IS_STUN,
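Review bot: `struct stun_packet_header` declares `transaction_id[8]`, which makes the struct 16 bytes, while the dissector elsewhere treats the STUN header as 20 bytes (`msg_len+20` in ndpi_int_check_stun, next hunk). The length guard added in the next hunk uses `sizeof(struct stun_packet_header)`, so payloads of 16 to 19 bytes pass it although the header arithmetic assumes 20. Declaring `u_int8_t transaction_id[12];` and using the struct size in place of the literal 20 would keep the two in step. The `cookie` field is never read in the visible code, and the typedef enum that follows continues outside this hunk.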
@@ -40,18 +48,30 @@ typedef enum {
} ndpi_int_stun_t;
static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct,
- const u_int8_t * payload, const u_int16_t payload_length)
+ struct ndpi_flow_struct *flow,
+ const u_int8_t * payload,
+ const u_int16_t payload_length,
+ u_int8_t *is_whatsapp)
{
- u_int16_t a;
+ u_int16_t msg_type, msg_len;
+ struct stun_packet_header *h = (struct stun_packet_header*)payload;
+ if(payload_length < sizeof(struct stun_packet_header))
+ return(NDPI_IS_NOT_STUN);
- if((payload_length > 13)
- && (strncmp((const char*)payload, (const char*)"RSP/", 4) == 0)
+ if((strncmp((const char*)payload, (const char*)"RSP/", 4) == 0)
&& (strncmp((const char*)&payload[7], (const char*)" STUN_", 6) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "Found stun.\n");
- return NDPI_IS_STUN;
+ goto udp_stun_found;
}
+
+ msg_type = ntohs(h->msg_type) & 0x3EEF, msg_len = ntohs(h->msg_len);
+ if((payload_length == (msg_len+20))
+ && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */))
+ goto udp_stun_found;
+
+#ifdef ORIGINAL_CODE
/*
* token list of message types and attribute types from
* http://wwwbs1.informatik.htw-dresden.de/svortrag/i02/Schoene/stun/stun.html
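Review bot: The new `struct stun_packet_header *h = (struct stun_packet_header*)payload;` drops the `const` qualifier and reads 16-bit fields through a pointer that may be unaligned, since the TCP caller passes `packet->payload + 2`. Reading the fields with `get_u_int16_t(payload, 0)` and `get_u_int16_t(payload, 2)`, as the older code in this function does, would at least keep `const` and a single accessor; if that macro is itself a pointer cast, a memcpy into a local is the alignment-safe form. The mask `0x3EEF` deserves a comment such as `/* clear the two class bits (0x0110) and the top two bits, leaving the method */`. The `#ifdef ORIGINAL_CODE` block still uses `a`, whose declaration this hunk removes, so it no longer builds if the macro is defined. The function body continues outside the hunk.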
@@ -68,7 +88,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
* 0x8003, 0x8004 used by facetime
*/
- if (payload_length >= 20 && ntohs(get_u_int16_t(payload, 2)) + 20 == payload_length &&
+ if(payload_length >= 20 && ntohs(get_u_int16_t(payload, 2)) + 20 == payload_length &&
((payload[0] == 0x00 && (payload[1] >= 0x01 && payload[1] <= 0x04)) ||
(payload[0] == 0x01 &&
((payload[1] >= 0x01 && payload[1] <= 0x04) || (payload[1] >= 0x11 && payload[1] <= 0x15))))) {
@@ -77,16 +97,16 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int8_t padding = 0;
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "len and type match.\n");
- if (payload_length == 20) {
+ if(payload_length == 20) {
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found stun.\n");
- return NDPI_IS_STUN;
+ goto udp_stun_found;
}
a = 20;
while (a < payload_length) {
- if (old && payload_length >= a + 4
+ if(old && payload_length >= a + 4
&&
((payload[a] == 0x00
&& ((payload[a + 1] >= 0x01 && payload[a + 1] <= 0x16) || payload[a + 1] == 0x19
@@ -103,16 +123,16 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
a += ((payload[a + 2] << 8) + payload[a + 3] + 4);
mod = a % 4;
- if (mod) {
+ if(mod) {
padding = 4 - mod;
}
- if (a == payload_length || (padding && (a + padding) == payload_length)) {
+ if(a == payload_length || (padding && (a + padding) == payload_length)) {
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found stun.\n");
- return NDPI_IS_STUN;
+ goto udp_stun_found;
}
- } else if (payload_length >= a + padding + 4
- &&
+ } else if(payload_length >= a + padding + 4
+ &&
((payload[a + padding] == 0x00
&& ((payload[a + 1 + padding] >= 0x01 && payload[a + 1 + padding] <= 0x16)
|| payload[a + 1 + padding] == 0x19 || payload[a + 1 + padding] == 0x20
@@ -125,7 +145,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
|| payload[a + 1 + padding] == 0x20 || payload[a + 1 + padding] == 0x22
|| payload[a + 1 + padding] == 0x28 || payload[a + 1 + padding] == 0x2a
|| payload[a + 1 + padding] == 0x29 || payload[a + 1 + padding] == 0x50
- || payload[a + 1 + padding] == 0x54 || payload[a + 1 + padding] == 0x55)))) {
+ || payload[a + 1 + padding] == 0x54 || payload[a + 1 + padding] == 0x55))
+ || ((payload[a + padding] == 0x40) && (payload[a + padding + 1] == 0x00))
+ )) {
+ if((payload[a + padding] == 0x40) && (payload[a + padding + 1] == 0x00))
+ goto udp_stun_found;
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "New STUN - attribute match.\n");
@@ -133,56 +157,70 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
a += ((payload[a + 2 + padding] << 8) + payload[a + 3 + padding] + 4);
padding = 0;
mod = a % 4;
- if (mod) {
+ if(mod) {
a += 4 - mod;
}
- if (a == payload_length) {
+ if(a == payload_length) {
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found stun.\n");
- return NDPI_IS_STUN;
+ goto udp_stun_found;
}
} else {
break;
}
}
}
+#endif
+
- return NDPI_IS_NOT_STUN;
+ if((flow->num_stun_udp_pkts > 0) && ((payload[0] == 0x80) || (payload[0] == 0x81))) {
+ *is_whatsapp = 1;
+ return NDPI_IS_STUN; /* This is WhatsApp Voice */
+ } else
+ return NDPI_IS_NOT_STUN;
+
+ udp_stun_found:
+ flow->num_stun_udp_pkts++;
+
+ return((flow->num_stun_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
}
void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
-
+ u_int8_t is_whatsapp = 0;
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "search stun.\n");
-
- if (packet->tcp) {
-
+ if(packet->tcp) {
/* STUN may be encapsulated in TCP packets */
- if (packet->payload_packet_len >= 2 + 20 &&
+ if(packet->payload_packet_len >= 2 + 20 &&
ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) {
-
+
/* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be
* improved by checking only the STUN packet of given length */
- if (ndpi_int_check_stun(ndpi_struct, packet->payload + 2, packet->payload_packet_len - 2) ==
- NDPI_IS_STUN) {
+ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2,
+ packet->payload_packet_len - 2, &is_whatsapp) == NDPI_IS_STUN) {
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found TCP stun.\n");
- ndpi_int_stun_add_connection(ndpi_struct, flow);
+ ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_STUN, flow);
return;
}
}
}
- if (ndpi_int_check_stun(ndpi_struct, packet->payload, packet->payload_packet_len) == NDPI_IS_STUN) {
+
+ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
+ packet->payload_packet_len, &is_whatsapp) == NDPI_IS_STUN) {
NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n");
- ndpi_int_stun_add_connection(ndpi_struct, flow);
+ ndpi_int_stun_add_connection(ndpi_struct,
+ is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow);
return;
}
- NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "exclude stun.\n");
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STUN);
+ if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS) {
+ NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "exclude stun.\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STUN);
+ }
}
#endif
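Review bot: The fall-through at the end of ndpi_int_check_stun returns NDPI_IS_STUN as soon as `num_stun_udp_pkts > 0` and the first byte is 0x80 or 0x81, which bypasses the MAX_NUM_STUN_PKTS threshold enforced under `udp_stun_found`. 0x80/0x81 is also how an RTP version 2 packet normally starts, so a flow with one STUN-looking packet followed by RTP would presumably be reported as WhatsApp Voice; the test needs a comment saying what makes it WhatsApp-specific, or a stricter condition. In ndpi_search_stun the TCP branch passes `&is_whatsapp` but never reads it, so the same shortcut registers NDPI_PROTOCOL_STUN for a TCP flow on the same evidence. The new guard `if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS)` also means a flow that never reaches the threshold is never added to `excluded_protocol_bitmask`, so the dissector appears to stay active on every non-STUN flow. ndpi_int_check_stun starts outside this hunk.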
diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c
index 3784bb781..b771fcf8d 100644
--- a/src/lib/protocols/thunder.c
+++ b/src/lib/protocols/thunder.c
@@ -29,183 +29,183 @@
static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, ndpi_protocol_type_t protocol_type)
{
- struct ndpi_packet_struct *packet = &flow->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
- ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER, protocol_type);
-
- if (src != NULL) {
- src->thunder_ts = packet->tick_timestamp;
- }
- if (dst != NULL) {
- dst->thunder_ts = packet->tick_timestamp;
- }
+ struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_id_struct *src = flow->src;
+ struct ndpi_id_struct *dst = flow->dst;
+
+ ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER, protocol_type);
+
+ if (src != NULL) {
+ src->thunder_ts = packet->tick_timestamp;
+ }
+ if (dst != NULL) {
+ dst->thunder_ts = packet->tick_timestamp;
+ }
}
#if !defined(WIN32)
- static inline
+static inline
#else
__forceinline static
#endif
- void ndpi_int_search_thunder_udp(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
+void ndpi_int_search_thunder_udp(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_packet_struct *packet = &flow->packet;
-// struct ndpi_id_struct *src=ndpi_struct->src;
-// struct ndpi_id_struct *dst=ndpi_struct->dst;
-
- if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
- && packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
- if (flow->thunder_stage == 3) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER udp detected\n");
- ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
-
- flow->thunder_stage++;
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "maybe thunder udp packet detected, stage increased to %u\n", flow->thunder_stage);
- return;
- }
-
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "excluding thunder udp at stage %u\n", flow->thunder_stage);
-
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER);
+ // struct ndpi_id_struct *src=ndpi_struct->src;
+ // struct ndpi_id_struct *dst=ndpi_struct->dst;
+
+ if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
+ && packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
+ if (flow->thunder_stage == 3) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER udp detected\n");
+ ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+
+ flow->thunder_stage++;
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "maybe thunder udp packet detected, stage increased to %u\n", flow->thunder_stage);
+ return;
+ }
+
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "excluding thunder udp at stage %u\n", flow->thunder_stage);
+
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER);
}
#if !defined(WIN32)
- static inline
+static inline
#else
__forceinline static
#endif
- void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
+void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_packet_struct *packet = &flow->packet;
-// struct ndpi_id_struct *src=ndpi_struct->src;
-// struct ndpi_id_struct *dst=ndpi_struct->dst;
-
- if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
- && packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
- if (flow->thunder_stage == 3) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER tcp detected\n");
- ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
-
- flow->thunder_stage++;
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage);
- return;
- }
-
- if (flow->thunder_stage == 0 && packet->payload_packet_len > 17
- && memcmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) {
- ndpi_parse_packet_line_info(ndpi_struct, flow);
-
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n",
- packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position);
-
- if (packet->empty_line_position_set != 0 &&
- packet->content_line.ptr != NULL &&
- packet->content_line.len == 24 &&
- memcmp(packet->content_line.ptr, "application/octet-stream",
- 24) == 0 && packet->empty_line_position_set < (packet->payload_packet_len - 8)
- && packet->payload[packet->empty_line_position + 2] >= 0x30
- && packet->payload[packet->empty_line_position + 2] < 0x40
- && packet->payload[packet->empty_line_position + 3] == 0x00
- && packet->payload[packet->empty_line_position + 4] == 0x00
- && packet->payload[packet->empty_line_position + 5] == 0x00) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "maybe thunder http POST packet application does match\n");
- ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
- return;
- }
- }
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "excluding thunder tcp at stage %u\n", flow->thunder_stage);
-
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER);
+ // struct ndpi_id_struct *src=ndpi_struct->src;
+ // struct ndpi_id_struct *dst=ndpi_struct->dst;
+
+ if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30
+ && packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
+ if (flow->thunder_stage == 3) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER tcp detected\n");
+ ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+
+ flow->thunder_stage++;
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage);
+ return;
+ }
+
+ if (flow->thunder_stage == 0 && packet->payload_packet_len > 17
+ && memcmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) {
+ ndpi_parse_packet_line_info(ndpi_struct, flow);
+
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n",
+ packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position);
+
+ if (packet->empty_line_position_set != 0 &&
+ packet->content_line.ptr != NULL &&
+ packet->content_line.len == 24 &&
+ memcmp(packet->content_line.ptr, "application/octet-stream",
+ 24) == 0 && packet->empty_line_position_set < (packet->payload_packet_len - 8)
+ && packet->payload[packet->empty_line_position + 2] >= 0x30
+ && packet->payload[packet->empty_line_position + 2] < 0x40
+ && packet->payload[packet->empty_line_position + 3] == 0x00
+ && packet->payload[packet->empty_line_position + 4] == 0x00
+ && packet->payload[packet->empty_line_position + 5] == 0x00) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "maybe thunder http POST packet application does match\n");
+ ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
+ return;
+ }
+ }
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "excluding thunder tcp at stage %u\n", flow->thunder_stage);
+
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER);
}
#if !defined(WIN32)
- static inline
+static inline
#else
__forceinline static
#endif
- void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct
- *ndpi_struct, struct ndpi_flow_struct *flow)
+void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &flow->packet;
- struct ndpi_id_struct *src = flow->src;
- struct ndpi_id_struct *dst = flow->dst;
-
-
- if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_THUNDER) {
- if (src != NULL && ((u_int32_t)
- (packet->tick_timestamp - src->thunder_ts) < ndpi_struct->thunder_timeout)) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "thunder : save src connection packet detected\n");
- src->thunder_ts = packet->tick_timestamp;
- } else if (dst != NULL && ((u_int32_t)
- (packet->tick_timestamp - dst->thunder_ts) < ndpi_struct->thunder_timeout)) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "thunder : save dst connection packet detected\n");
- dst->thunder_ts = packet->tick_timestamp;
- }
- return;
- }
-
- if (packet->payload_packet_len > 5
- && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
- ndpi_parse_packet_line_info(ndpi_struct, flow);
-
- if (packet->parsed_lines > 7
- && packet->parsed_lines < 11
- && packet->line[1].len > 10
- && memcmp(packet->line[1].ptr, "Accept: */*", 11) == 0
- && packet->line[2].len > 22
- && memcmp(packet->line[2].ptr, "Cache-Control: no-cache",
- 23) == 0 && packet->line[3].len > 16
- && memcmp(packet->line[3].ptr, "Connection: close", 17) == 0
- && packet->line[4].len > 6
- && memcmp(packet->line[4].ptr, "Host: ", 6) == 0
- && packet->line[5].len > 15
- && memcmp(packet->line[5].ptr, "Pragma: no-cache", 16) == 0
- && packet->user_agent_line.ptr != NULL
- && packet->user_agent_line.len > 49
- && memcmp(packet->user_agent_line.ptr,
- "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 50) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
- "Thunder HTTP download detected, adding flow.\n");
- ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
- }
- }
+ struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_id_struct *src = flow->src;
+ struct ndpi_id_struct *dst = flow->dst;
+
+
+ if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_THUNDER) {
+ if (src != NULL && ((u_int32_t)
+ (packet->tick_timestamp - src->thunder_ts) < ndpi_struct->thunder_timeout)) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "thunder : save src connection packet detected\n");
+ src->thunder_ts = packet->tick_timestamp;
+ } else if (dst != NULL && ((u_int32_t)
+ (packet->tick_timestamp - dst->thunder_ts) < ndpi_struct->thunder_timeout)) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "thunder : save dst connection packet detected\n");
+ dst->thunder_ts = packet->tick_timestamp;
+ }
+ return;
+ }
+
+ if (packet->payload_packet_len > 5
+ && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
+ ndpi_parse_packet_line_info(ndpi_struct, flow);
+
+ if (packet->parsed_lines > 7
+ && packet->parsed_lines < 11
+ && packet->line[1].len > 10
+ && memcmp(packet->line[1].ptr, "Accept: */*", 11) == 0
+ && packet->line[2].len > 22
+ && memcmp(packet->line[2].ptr, "Cache-Control: no-cache",
+ 23) == 0 && packet->line[3].len > 16
+ && memcmp(packet->line[3].ptr, "Connection: close", 17) == 0
+ && packet->line[4].len > 6
+ && memcmp(packet->line[4].ptr, "Host: ", 6) == 0
+ && packet->line[5].len > 15
+ && memcmp(packet->line[5].ptr, "Pragma: no-cache", 16) == 0
+ && packet->user_agent_line.ptr != NULL
+ && packet->user_agent_line.len > 49
+ && memcmp(packet->user_agent_line.ptr,
+ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 50) == 0) {
+ NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
+ "Thunder HTTP download detected, adding flow.\n");
+ ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
+ }
+ }
}
void ndpi_search_thunder(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &flow->packet;
- //
- //struct ndpi_id_struct *src = flow->src;
- //struct ndpi_id_struct *dst = flow->dst;
-
- if (packet->tcp != NULL) {
- ndpi_int_search_thunder_http(ndpi_struct, flow);
- ndpi_int_search_thunder_tcp(ndpi_struct, flow);
- } else if (packet->udp != NULL) {
- ndpi_int_search_thunder_udp(ndpi_struct, flow);
- }
+ struct ndpi_packet_struct *packet = &flow->packet;
+ //
+ //struct ndpi_id_struct *src = flow->src;
+ //struct ndpi_id_struct *dst = flow->dst;
+
+ if (packet->tcp != NULL) {
+ ndpi_int_search_thunder_http(ndpi_struct, flow);
+ ndpi_int_search_thunder_tcp(ndpi_struct, flow);
+ } else if (packet->udp != NULL) {
+ ndpi_int_search_thunder_udp(ndpi_struct, flow);
+ }
}
#endif
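Review bot: The re-indented condition in ndpi_int_search_thunder_tcp still compares `packet->empty_line_position_set`, which is tested as a flag at the start of the same condition, against `packet->payload_packet_len - 8`, so the reads of `packet->payload[packet->empty_line_position + 2]` through `+ 5` that follow are not bounded by the payload length. If the empty line sits near the end of the payload this looks like an out-of-bounds read on packet data; the comparison was presumably meant to be `packet->empty_line_position < (packet->payload_packet_len - 8)`. The commit only changes whitespace in this file, so this is a pre-existing issue carried onto the new side.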