Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/protocols/mining.c | 38 |
2 files changed, 36 insertions, 5 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index da27e432b..ba2c76de4 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1166,6 +1166,9 @@ struct ndpi_detection_module_struct { /* NDPI_PROTOCOL_STUN and subprotocols */ struct ndpi_lru_cache *stun_cache; + /* NDPI_PROTOCOL_MINING and subprotocols */ + struct ndpi_lru_cache *mining_cache; + /* NDPI_PROTOCOL_MSTEAMS */ struct ndpi_lru_cache *msteams_cache; diff --git a/src/lib/protocols/mining.c b/src/lib/protocols/mining.c index bed0cc711..16b82eb7f 100644 --- a/src/lib/protocols/mining.c +++ b/src/lib/protocols/mining.c @@ -26,6 +26,16 @@ /* ************************************************************************** */ +static void cacheMiningHostTwins(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t host_keys /* network byte order */) { + if(ndpi_struct->mining_cache == NULL) ndpi_struct->mining_cache = ndpi_lru_cache_init(1024); + + if(ndpi_struct->mining_cache) + ndpi_lru_add_to_cache(ndpi_struct->mining_cache, host_keys, NDPI_PROTOCOL_MINING); +} + +/* ************************************************************************** */ + void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -51,6 +61,7 @@ void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_struct, else { snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); + cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr); return; } } 
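Review bot: The key that cacheMiningHostTwins stores is the plain sum of the two IPv4 addresses, so unrelated host pairs whose addresses add up to the same 32-bit value share one entry, and the `/* network byte order */` remark no longer describes a meaningful quantity once two addresses are added. If a later lookup treats a hit as evidence of mining, such collisions would mislabel unrelated traffic, so the function should say that a hit is a hint only, e.g. `/* key = saddr + daddr: direction-independent, not unique, treat a hit as a hint */`. The cache is also allocated lazily on the packet path, and the diffstat lists only these two files under src, so nothing visible here releases `mining_cache`; a matching `ndpi_lru_free_cache()` at module teardown looks missing and should be confirmed outside this view.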
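Review bot: The call added in ndpi_search_mining_udp dereferences `flow->packet.iph` with no NULL check; if this dissector can also be invoked for IPv6 flows, where `iph` is presumably unset, the new line crashes the process on the traffic it is inspecting. Guard it and reuse the local already declared at the top of the function: `if(packet->iph) cacheMiningHostTwins(ndpi_struct, packet->iph->saddr + packet->iph->daddr);`. The same unguarded expression is added in the TCP hunks at -80,15, -104,6 and -125,6. The function body starts and ends outside this hunk.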
@@ -60,6 +71,12 @@ void ndpi_search_mining_udp(struct ndpi_detection_module_struct *ndpi_struct, /* ************************************************************************** */ +static u_int8_t isEthPort(u_int16_t dport) { + return(((dport >= 30300) && (dport <= 30305)) ? 1 : 0); +} + +/* ************************************************************************** */ + void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -68,7 +85,6 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, /* Check connection over TCP */ if(packet->payload_packet_len > 10) { - if(packet->tcp->source == htons(8333)) { /* Bitcoin 
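Review bot: isEthPort expects its argument in host byte order but nothing says so, while the surrounding code compares ports in network order (`htons(8333)`), so a later caller that passes `packet->tcp->dest` unconverted would silently never match. A one-line comment above the helper would prevent that, for example `/* dport in host byte order; 30300-30305 treated as Ethereum ports */`. The `? 1 : 0` is redundant, since the `&&` expression already evaluates to 0 or 1.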
@@ -80,15 +96,23 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, if((*to_match == magic) || (*to_match == magic1)) { snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); + cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr); + return; } } - if((packet->payload_packet_len > 450) + if((packet->payload_packet_len > 300) && (packet->payload_packet_len < 600) - && (packet->tcp->dest == htons(30303) /* Ethereum port */) && (packet->payload[2] == 0x04)) { - snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); + + if(isEthPort(ntohs(packet->tcp->dest)) /* Ethereum port */) { + snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); + cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr); + return; + } else + flow->guessed_protocol_id = NDPI_PROTOCOL_MINING; + } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) && ( ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len) 
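Review bot: The new `else` branch sets `flow->guessed_protocol_id = NDPI_PROTOCOL_MINING` for any TCP payload longer than 300 and shorter than 600 bytes whose third byte is 0x04, on any destination port, because the port test moved inside the length check and the lower bound dropped from 450 to 300. That signature is weak enough that unrelated flows can end up guessed as mining, which matters if the guess feeds alerting or blocking. Either drop the branch or mark it as a low-confidence hint, e.g. `/* no Ethereum port: length + payload[2] only, low confidence */`, and brace the `else` to match the braced `if`. The enclosing function starts and ends outside this hunk.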
@@ -104,6 +128,8 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, */ snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ETH"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); + cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr); + return; } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) && (ndpi_strnstr((const char *)packet->payload, "\"method\":", packet->payload_packet_len) || ndpi_strnstr((const char *)packet->payload, "\"blob\":", packet->payload_packet_len) @@ -125,6 +151,8 @@ void ndpi_search_mining_tcp(struct ndpi_detection_module_struct *ndpi_struct, */ snprintf(flow->flow_extra_info, sizeof(flow->flow_extra_info), "%s", "ZCash/Monero"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN); + cacheMiningHostTwins(ndpi_struct, flow->packet.iph->saddr + flow->packet.iph->daddr); + return; } } |