Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_protocol_ids.h62
-rw-r--r--src/include/ndpi_protocols.h1
-rw-r--r--src/include/ndpi_typedefs.h4
-rw-r--r--src/lib/Makefile.am1
-rw-r--r--src/lib/ndpi_content_match.c.inc92
-rw-r--r--src/lib/ndpi_main.c58
-rw-r--r--src/lib/protocols/amqp.c83
-rw-r--r--src/lib/protocols/http.c277
-rw-r--r--src/lib/protocols/oscar.c2
9 files changed, 277 insertions, 303 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 7eada61e2..726736a06 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -1,7 +1,7 @@
/*
* ndpi_protocol_ids.h
*
- * Copyright (C) 2016 - ntop.org
+ * Copyright (C) 2011-17 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
@@ -224,49 +224,45 @@
#define NDPI_PROTOCOL_TELEGRAM 185 /* Gianluca Costa <g.costa@xplico.org> */
#define NDPI_PROTOCOL_VEVO 186
#define NDPI_PROTOCOL_PANDORA 187
-#define NDPI_PROTOCOL_QUIC 188 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */
+#define NDPI_PROTOCOL_QUIC 188 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> - Michele Campus <michelecampus5@gmail.com> */
#define NDPI_PROTOCOL_WHATSAPP_VOICE 189
-#define NDPI_PROTOCOL_EAQ 190
-
-/* 191, 192 are free */
-#define NDPI_PROTOCOL_FREE_191 191
-#define NDPI_PROTOCOL_FREE_192 192
-
+#define NDPI_PROTOCOL_EAQ 190
+#define NDPI_PROTOCOL_OOKLA 191
+#define NDPI_PROTOCOL_AMQP 192
#define NDPI_PROTOCOL_KAKAOTALK 193 /* KakaoTalk Chat (no voice call) */
#define NDPI_PROTOCOL_KAKAOTALK_VOICE 194 /* KakaoTalk Voice */
-#define NDPI_PROTOCOL_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */
+#define NDPI_PROTOCOL_TWITCH 195 /* Edoardo Dominici <edoaramis@gmail.com> */
#define NDPI_PROTOCOL_QUICKPLAY 196 /* Streaming service used by various services such as hooq.tv */
+#define NDPI_PROTOCOL_WECHAT 197
-/* 197 is free */
-#define NDPI_PROTOCOL_FREE_197 197
+#define NDPI_PROTOCOL_MPEGTS 198
+#define NDPI_PROTOCOL_SNAPCHAT 199
+#define NDPI_PROTOCOL_SINA 200
+#define NDPI_PROTOCOL_HANGOUT 201
+#define NDPI_PROTOCOL_IFLIX 202 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */
+#define NDPI_PROTOCOL_GITHUB 203
+#define NDPI_PROTOCOL_BJNP 204
+#define NDPI_PROTOCOL_1KXUN 205
+#define NDPI_PROTOCOL_IQIYI 206
+#define NDPI_PROTOCOL_SMPP 207 /* Damir Franusic <df@release14.org> */
-#define NDPI_PROTOCOL_MPEGTS 198
-#define NDPI_PROTOCOL_SNAPCHAT 199
-#define NDPI_PROTOCOL_SINA 200
-#define NDPI_PROTOCOL_HANGOUT 201
-#define NDPI_PROTOCOL_IFLIX 202 /* www.vizuamatix.com R&D team & M.Mallawaarachchie <manoj_ws@yahoo.com> */
-#define NDPI_PROTOCOL_GITHUB 203
-#define NDPI_PROTOCOL_BJNP 204
-#define NDPI_PROTOCOL_1KXUN 205
-#define NDPI_PROTOCOL_IQIYI 206
-#define NDPI_PROTOCOL_SMPP 207 /* Damir Franusic <df@release14.org> */
+#define NDPI_PROTOCOL_DNSCRYPT 208
-/* 208 - 209 free */
-#define NDPI_PROTOCOL_FREE_208 208
-#define NDPI_PROTOCOL_FREE_209 209
+/* 209 free */
+#define NDPI_PROTOCOL_FREE_209 209
-#define NDPI_PROTOCOL_DEEZER 210
+#define NDPI_PROTOCOL_DEEZER 210
#define NDPI_PROTOCOL_INSTAGRAM 211 /* Andrea Buscarinu <andrea.buscarinu@gmail.com> */
#define NDPI_PROTOCOL_MICROSOFT 212
#define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci <matteobracci1@gmail.com> */
-#define NDPI_PROTOCOL_TEREDO 214
+#define NDPI_PROTOCOL_TEREDO 214
#define NDPI_PROTOCOL_HOTSPOT_SHIELD 215
-#define NDPI_PROTOCOL_HEP 216 /* sipcapture.org QXIP BV */
+#define NDPI_PROTOCOL_HEP 216 /* sipcapture.org QXIP BV */
/* 217 is free */
-#define NDPI_PROTOCOL_FREE_217 217
+#define NDPI_PROTOCOL_FREE_217 217
-#define NDPI_PROTOCOL_OCS 218
+#define NDPI_PROTOCOL_OCS 218
#define NDPI_PROTOCOL_OFFICE_365 219
#define NDPI_PROTOCOL_CLOUDFLARE 220
#define NDPI_PROTOCOL_MS_ONE_DRIVE 221
@@ -274,11 +270,11 @@
#define NDPI_PROTOCOL_RX 223
/* 224 is free */
-#define NDPI_PROTOCOL_FREE_224 224
+#define NDPI_PROTOCOL_FREE_224 224
-#define NDPI_PROTOCOL_OPENDNS 225
-#define NDPI_PROTOCOL_GIT 226
-#define NDPI_PROTOCOL_DRDA 227
+#define NDPI_PROTOCOL_OPENDNS 225
+#define NDPI_PROTOCOL_GIT 226
+#define NDPI_PROTOCOL_DRDA 227
/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_DRDA
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index edf4ca3dc..b3b4092b4 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -202,6 +202,7 @@ void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_i
void init_applejuice_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_battlefield_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_bittorrent_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 490098086..e1fbeb71c 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -138,14 +138,12 @@ struct ndpi_snap_extension
} PACK_OFF;
PACK_ON
-struct ndpi_llc_header
+struct ndpi_llc_header_snap
{
u_int8_t dsap;
u_int8_t ssap;
u_int8_t ctrl;
-#ifdef SNAP_EXT
struct ndpi_snap_extension snap;
-#endif
} PACK_OFF;
/* ++++++++++ RADIO TAP header (for IEEE 802.11) +++++++++++++ */
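Review bot: Removing the `#ifdef SNAP_EXT` guard makes `snap` an unconditional member, so `sizeof(struct ndpi_llc_header_snap)` is now larger than the three one-byte fields the old default build described, and the old tag `struct ndpi_llc_header` disappears for out-of-tree users of this header. Any capture-path code that steps over the LLC header by `sizeof` (none is visible in this diff) should be checked so that it still compares the captured length against the new size before advancing, and reads `snap` only for frames that really carry a SNAP extension. A comment on the struct such as `/* LLC header immediately followed by the SNAP extension; callers must verify caplen >= sizeof(*hdr) */` would record the new contract.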
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 987975c47..3770c9cfc 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -21,6 +21,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/applejuice.c \
protocols/armagetron.c \
protocols/ayiya.c \
+ protocols/amqp.c \
protocols/battlefield.c \
protocols/bgp.c \
protocols/bittorrent.c \
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 1ad13fbd2..85cfc0ec9 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -79,6 +79,17 @@ static ndpi_network host_protocol_list[] = {
{ 0xA92F2320 /* 169.47.35.32/27 */, 27, NDPI_PROTOCOL_WHATSAPP },
+ /*
+ WeChat
+ 203.205.147.171
+ 203.205.147.173
+ 203.205.151.162
+ */
+
+ { 0xCBCD93AB /* 203.205.147.171/32 */, 32, NDPI_PROTOCOL_WECHAT },
+ { 0xCBCD93AD /* 203.205.147.173/32 */, 32, NDPI_PROTOCOL_WECHAT },
+ { 0xCBCD97A2 /* 203.205.151.162/32 */, 32, NDPI_PROTOCOL_WECHAT },
+
/*
OpenDNS, LLC
origin AS36692, AS30607
@@ -823,6 +834,21 @@ static ndpi_network host_protocol_list[] = {
{ 0x959AA000 /* 149.154.160.0/20 */, 20, NDPI_PROTOCOL_TELEGRAM },
/*
+ BitTorrent
+ */
+
+ { 0xB9381424 /* 185.56.20.36/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0xC0DEED0A /* 192.222.237.10/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0x4DDEAE14 /* 77.222.174.20/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0x25779CBD /* 37.119.156.189/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0x05277C26 /* 5.39.124.38/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0x4FC0AB43 /* 79.192.171.67/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0xAC100010 /* 172.16.0.16/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0xB2A4F550 /* 178.164.245.80/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+ { 0xAE597B3E /* 174.89.123.62/32 */, 32, NDPI_PROTOCOL_BITTORRENT },
+
+
+ /*
Tor
http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
From 02/17/2017
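Review bot: `172.16.0.16/32` is an RFC 1918 private address, so putting it in `host_protocol_list` labels traffic to or from whichever host holds that address on any monitored network as BitTorrent. The remaining /32 entries carry no source or date, unlike the Tor block directly below which cites its list and a date; they read like individual peers taken from a capture rather than stable infrastructure, though the commit does not say. I would drop the private entry and put a provenance comment above the others, e.g. `/* BitTorrent, source: <list or capture name>, <date> */`, so stale addresses can be aged out.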
@@ -7941,14 +7967,18 @@ ndpi_protocol_match host_match[] = {
{ "amazonaws.com", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "amazon-adsystem.com", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".cloudfront.net", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".apple.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".mzstatic.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "itunes.apple.com", "AppleiTunes", NDPI_PROTOCOL_APPLE_ITUNES, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
+
{ ".cnn.c", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
{ ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
+
{ ".dropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
{ "log.getdropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_SAFE },
+
{ ".ebay.", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebay.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebaystatic.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
@@ -7956,11 +7986,15 @@ ndpi_protocol_match host_match[] = {
{ ".ebayrtm.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebaystratus.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebayimg.com", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ "facebook.com", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ "fbstatic-a.akamaihd.net", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ ".fbcdn.net", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ "fbcdn-", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN }, /* fbcdn-video-a-akamaihd.net */
{ ".facebook.net", "Facebook", NDPI_PROTOCOL_FACEBOOK, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
+
+ { ".speedtest.net", "Ookla", NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_CATEGORY_NETWORK_TOOL, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".google.", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".gstatic.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".googlesyndication.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
@@ -7974,18 +8008,25 @@ ndpi_protocol_match host_match[] = {
{ "googleapis.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "ggpht.com", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "1e100.net", "Google", NDPI_PROTOCOL_GOOGLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ "maps.google.", "GoogleMaps", NDPI_PROTOCOL_GOOGLE_MAPS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "maps.gstatic.com", "GoogleMaps", NDPI_PROTOCOL_GOOGLE_MAPS, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".gmail.", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE },
{ "mail.google.", "GMail", NDPI_PROTOCOL_GMAIL, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE },
+
{ "mail.outlook.com", "Hotmail", NDPI_PROTOCOL_HOTMAIL, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_SAFE },
+
{ ".last.fm", "LastFM", NDPI_PROTOCOL_LASTFM, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
+
{ "msn.com", "MSN", NDPI_PROTOCOL_MSN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
+
{ "netflix.com", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "nflxext.com", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "nflximg.com", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "nflximg.net", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "nflxvideo.net", "NetFlix", NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".skype.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ ".skypeassets.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ ".skypedata.", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
@@ -7995,20 +8036,27 @@ ndpi_protocol_match host_match[] = {
{ "e7768.b.akamaiedge.net", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ "e4593.dspg.akamaiedge.net", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
{ "e4593.g.akamaiedge.net", "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".tuenti.com", "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".twttr.com", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "twitter.", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
{ "twimg.com", "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".viber.com", "Viber", NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
{ ".cdn.viber.com", "Viber", NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+
{ "wikipedia.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "wikimedia.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "mediawiki.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "wikimediafoundation.", "Wikipedia", NDPI_PROTOCOL_WIKIPEDIA, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".whatsapp.", "WhatsApp", NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".yahoo.", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".yimg.com", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "yahooapis.", "Yahoo", NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ "youtube.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "youtu.be.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "yt3.ggpht.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
@@ -8017,17 +8065,26 @@ ndpi_protocol_match host_match[] = {
{ "youtube-nocookie.", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "ggpht.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "googleusercontent.com", "YouTube", NDPI_PROTOCOL_YOUTUBE, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".vevo.com", "Vevo", NDPI_PROTOCOL_VEVO, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".spotify.", "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".pandora.com", "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".torproject.org", "Tor", NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+
{ ".kakao.com", "KakaoTalk", NDPI_PROTOCOL_KAKAOTALK, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_FUN },
+
{ "ttvnw.net", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "static-cdn.jtvnw.net", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "www-cdn.jtvnw.net", "Twitch", NDPI_PROTOCOL_TWITCH, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ "quickplay.com", "QuickPlay", NDPI_PROTOCOL_QUICKPLAY, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".qq.com", "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
{ ".gtimg.com", "QQ", NDPI_PROTOCOL_QQ, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+
{ ".weibo.com", "Sina(Weibo)", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ ".sinaimg.cn", "Sina", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
{ ".sinajs.cn", "Sina", NDPI_PROTOCOL_SINA, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8048,6 +8105,7 @@ ndpi_protocol_match host_match[] = {
{ "instagramstatic-", "Instagram", NDPI_PROTOCOL_INSTAGRAM, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_FUN },
{ ".waze.com", "Waze", NDPI_PROTOCOL_WAZE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".deezer.com", "Deezer", NDPI_PROTOCOL_DEEZER, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".microsoft.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_SYSTEM, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8056,17 +8114,22 @@ ndpi_protocol_match host_match[] = {
{ ".webtrends.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".msecnd.net", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ ".visualstudio.com", "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
+
{ "bn1301.storage.live.com", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE,NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "*.gateway.messenger.live.com", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "skyapi.live.net", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
{ "d.docs.live.net", "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
+
{ "update.microsoft.com", "WindowsUpdate", NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_CATEGORY_SYSTEM, NDPI_PROTOCOL_ACCEPTABLE },
{ ".windowsupdate.com", "WindowsUpdate", NDPI_PROTOCOL_WINDOWS_UPDATE, NDPI_PROTOCOL_CATEGORY_SYSTEM, NDPI_PROTOCOL_ACCEPTABLE },
{ "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
+
{ ".anchorfree.", "HotspotShield", NDPI_PROTOCOL_HOTSPOT_SHIELD, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
{ "hotspotshield.com", "HotspotShield", NDPI_PROTOCOL_HOTSPOT_SHIELD, NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+
{ ".webex.com", "Webex", NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
+
{ ".ocsdomain.com", "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_FUN },
{ "ocs.fr", "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_FUN },
{ ".ocs.fr", "OCS", NDPI_PROTOCOL_OCS, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8082,16 +8145,6 @@ ndpi_protocol_match host_match[] = {
{ "evsecure-crl.verisign.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
{ ".omniroot.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
-#if 0
- /* The lines below are not just for Office 365 so they cannot be used for this purpose */
- { ".verisign.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { ".symcb.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { ".symcd.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { ".verisign.net", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { ".geotrust.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { ".entrust.net", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
- { ".public-trust.com", "Office365", NDPI_PROTOCOL_OFFICE_365, NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_ACCEPTABLE },
-#endif
/* http://www.urlquery.net/report.php?id=1453233646161 */
{ "lifedom.top", "Cloudflare", NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
{ "coby.ns.cloudflare.com", "Cloudflare", NDPI_PROTOCOL_CLOUDFLARE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE },
@@ -8122,17 +8175,30 @@ ndpi_protocol_match host_match[] = {
{ ".qiyi.com", "iQIYI", NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ ".71.am", "iQIYI", NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ ".qiyipic.com", "iQIYI", NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".ppstream.com", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ ".pps.tv", "PPStream", NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
+
{ ".1kxun.", "1kxun", NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ "tcad.wedolook.com", "1kxun", NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_FUN },
{ ".steampowered.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
{ "steamcommunity.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
{ ".steamcontent.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
- { ".steamstatic.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
- { "steamcommunity-a.akamaihd.net", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
+ { ".steamstatic.com", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
+ { "steamcommunity-a.akamaihd.net", "Steam", NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_FUN },
+
+ { ".wechat.com", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { ".wechat.org", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { ".wechatapp.com", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { ".we.chat", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { ".wx.", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { ".weixin.", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { ".mmsns.qpic.cn", "WeChat", NDPI_PROTOCOL_WECHAT, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+
+ { "dnscrypt.org", "DNScrypt", NDPI_PROTOCOL_DNSCRYPT, NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_ACCEPTABLE },
+ { "torrent.", "BitTorrent", NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_CATEGORY_P2P, NDPI_PROTOCOL_ACCEPTABLE },
{ NULL, 0 }
};
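Review bot: `".wx."`, `".weixin."` and `"torrent."` are short patterns with no registrable domain, and if `host_match` entries are applied as substrings (the existing `"fbcdn-"` entry and its comment suggest so) they will label unrelated hostnames as WeChat or BitTorrent. Any policy or alerting built on these labels then inherits both false positives and an easy mislabel, since the hostname is taken from the traffic itself. Prefer anchored suffixes in the style of the `".wechat.com"` entries added in the same block, and if the broad forms are kept, add a comment such as `/* substring match: also hits <name>.wx.<tld> */` next to them.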
@@ -8205,6 +8271,8 @@ ndpi_protocol_match content_match[] = {
- www.qbtxzhetq4s2f.com
- www.fgd2iwya7vinfutj5wq5we.net
+ See also DGA (Domain Generation Algorithm)
+
In essence www.<name>.com|net
To do things properly we should check if host name in the certificate
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 8783ef6cd..b318ce566 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -187,7 +187,7 @@ static void ndpi_tdestroy_recurse(ndpi_node* root, void (*free_action)(void *))
void ndpi_tdestroy(void *vrootp, void (*freefct)(void *))
{
ndpi_node *root = (ndpi_node *) vrootp;
-
+
if(root != NULL)
ndpi_tdestroy_recurse(root, freefct);
}
@@ -338,7 +338,7 @@ void ndpi_flow_free(void *ptr) { if(_ndpi_flow_free) _ndpi_flow_free(ptr); else
void * ndpi_realloc(void *ptr, size_t old_size, size_t new_size)
{
void *ret = ndpi_malloc(new_size);
-
+
if(!ret)
return(ret);
else {
@@ -477,9 +477,9 @@ static int ndpi_default_ports_tree_node_t_cmp(const void *a, const void *b)
{
ndpi_default_ports_tree_node_t *fa = (ndpi_default_ports_tree_node_t*)a;
ndpi_default_ports_tree_node_t *fb = (ndpi_default_ports_tree_node_t*)b;
-
+
//printf("[NDPI] %s(%d, %d)\n", __FUNCTION__, fa->default_port, fb->default_port);
-
+
return((fa->default_port == fb->default_port) ? 0 : ((fa->default_port < fb->default_port) ? -1 : 1));
}
@@ -488,7 +488,7 @@ static int ndpi_default_ports_tree_node_t_cmp(const void *a, const void *b)
void ndpi_default_ports_tree_node_t_walker(const void *node, const ndpi_VISIT which, const int depth)
{
ndpi_default_ports_tree_node_t *f = *(ndpi_default_ports_tree_node_t **)node;
-
+
printf("<%d>Walk on node %s (%u)\n",
depth,
@@ -902,7 +902,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BITTORRENT,
no_master,
no_master, "BitTorrent", NDPI_PROTOCOL_CATEGORY_P2P,
- ndpi_build_default_ports(ports_a, 51413, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_a, 51413, 53646, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 6771, 51413, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO,
no_master,
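Review bot: `53646` lies in the dynamic/ephemeral port range and is not a registered BitTorrent port, so adding it to the TCP defaults means an unrelated flow that happens to use that port can be guessed as BitTorrent whenever payload detection finds nothing (the guess is driven by `ndpi_guess_protocol_id(..., sport, dport, ...)` later in this file). Unless there is a documented client default behind it, I would keep `ndpi_build_default_ports(ports_a, 51413, 0, 0, 0, 0) /* TCP */` and leave this port to the dissector. If it stays, a comment naming the client or capture it came from is needed. `ndpi_init_protocol_defaults` starts and ends outside this hunk.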
@@ -1016,7 +1016,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_HTTP_DOWNLOAD,
no_master,
- no_master, "HTTPDownload", NDPI_PROTOCOL_CATEGORY_FILE_TRANSFER,
+ no_master, "HTTP_Download", NDPI_PROTOCOL_CATEGORY_FILE_TRANSFER,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_QQLIVE,
@@ -1606,12 +1606,23 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "SMPP", NDPI_PROTOCOL_CATEGORY_P2P,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
-
- /* To be removed as soon as we define new protocols */
- ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_191);
- ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_192);
- ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_197);
- ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_208);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OOKLA,
+ no_master,
+ no_master, "Ookla", NDPI_PROTOCOL_CATEGORY_NETWORK_TOOL,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AMQP,
+ no_master,
+ no_master, "AMQP", NDPI_PROTOCOL_CATEGORY_RPC,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DNSCRYPT,
+ no_master,
+ no_master, "DNScrypt", NDPI_PROTOCOL_CATEGORY_NETWORK,
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
+
+/* To be removed as soon as we define new protocols */
ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_209);
ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_217);
ndpi_init_placeholder_proto(ndpi_mod, ports_a, ports_b, no_master, NDPI_PROTOCOL_FREE_224);
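Review bot: The placeholder for `NDPI_PROTOCOL_FREE_197` is removed here, but no `ndpi_set_proto_defaults` call for `NDPI_PROTOCOL_WECHAT` (the new id 197) appears in this hunk or in the other ndpi_main.c hunks of this diff, while 191, 192 and 208 each get one. If it is not registered somewhere outside the diff, id 197 is left without a name, category or breed even though `host_match` and `host_protocol_list` now return it, and code that looks up the protocol name for that id would see an uninitialised entry. I would add a block mirroring the Ookla one, with `NDPI_PROTOCOL_FUN`, `NDPI_PROTOCOL_WECHAT`, the name `"WeChat"` and `NDPI_PROTOCOL_CATEGORY_CHAT` to match the host_match entries. The re-added comment `/* To be removed as soon as we define new protocols */` also lost its indentation; the enclosing function continues outside this hunk.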
@@ -2706,6 +2717,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* BITTORRENT */
init_bittorrent_dissector(ndpi_struct, &a, detection_bitmask);
+ /* AMQP */
+ init_amqp_dissector(ndpi_struct, &a, detection_bitmask);
+
/* ----------------------------------------------------------------- */
@@ -3293,8 +3307,8 @@ void check_ndpi_tcp_flow_func(struct ndpi_detection_module_struct *ndpi_struct,
&& NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer_tcp_payload[a].detection_bitmask,
detection_bitmask) != 0) {
ndpi_struct->callback_buffer_tcp_payload[a].func(ndpi_struct, flow);
-
-
+
+
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN)
break; /* Stop after detecting the first protocol */
}
@@ -3359,7 +3373,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if(flow->protos.ssl.client_certificate[0] != '\0') {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN);
- } else {
+ } else {
if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN)
&& (flow->packet.l4_protocol == IPPROTO_TCP)
&& (flow->l4.tcp.ssl_stage > 1))
@@ -3497,9 +3511,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
/* guess protocol */
flow->guessed_protocol_id = (int16_t) ndpi_guess_protocol_id(ndpi_struct, protocol, sport, dport, &user_defined_proto);
-
+
if(user_defined_proto && flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
-
+
if(flow->packet.iph) {
/* guess host protocol */
flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr);
@@ -3508,7 +3522,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)
/* ret.master_protocol = flow->guessed_protocol_id , ret.app_protocol = flow->guessed_host_protocol_id; /\* ****** *\/ */
ret = ndpi_detection_giveup(ndpi_struct, flow);
-
+
return(ret);
}
} else {
@@ -3520,7 +3534,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
}
}
}
-
+
check_ndpi_flow_func(ndpi_struct, flow, &ndpi_selection_packet);
a = flow->packet.detected_protocol_stack[0];
@@ -4123,7 +4137,7 @@ void ndpi_int_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
/* flow->packet.detected_protocol_stack[0] = flow->guessed_host_protocol_id; */
/* /\* master proto for packet *\/ */
/* flow->packet.detected_protocol_stack[1] = flow->guessed_protocol_id; */
-
+
/* } */
/* } */
@@ -4358,7 +4372,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
if(rc != NDPI_PROTOCOL_UNKNOWN) {
ret.app_protocol = rc,
ret.master_protocol = ndpi_guess_protocol_id(ndpi_struct, proto, sport, dport, &user_defined_proto);
-
+
if(ret.app_protocol == ret.master_protocol)
ret.master_protocol = NDPI_PROTOCOL_UNKNOWN;
diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c
new file mode 100644
index 000000000..72bbc0a38
--- /dev/null
+++ b/src/lib/protocols/amqp.c
@@ -0,0 +1,83 @@
+/*
+ * amqp.c
+ *
+ * Copyright (C) 2011-17 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocols.h"
+#ifdef NDPI_PROTOCOL_AMQP
+
+PACK_ON
+struct amqp_header {
+ u_int8_t ptype;
+ u_int16_t channel;
+ u_int32_t length;
+ u_int16_t class_id, method;
+} PACK_OFF;
+
+static void ndpi_int_amqp_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow/* , */
+ /* ndpi_protocol_type_t protocol_type */) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AMQP, NDPI_PROTOCOL_UNKNOWN);
+}
+
+void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG(NDPI_PROTOCOL_AMQP, ndpi_struct, NDPI_LOG_DEBUG, "search amqp. \n");
+
+ if (packet->tcp != NULL) {
+ if(packet->payload_packet_len > sizeof(struct amqp_header)) {
+ struct amqp_header *h = (struct amqp_header*)packet->payload;
+
+ if(h->ptype <= 3) {
+ u_int32_t length = htonl(h->length);
+
+ if(((length+8) >= packet->payload_packet_len)
+ && (length < 32768) /* Upper bound */) {
+ u_int16_t class_id = htons(h->class_id);
+
+ if((class_id >= 10) /* Connection */
+ && (class_id <= 110) /* Tunnel */) {
+ u_int16_t method = htons(h->method);
+
+ if(method <= 120 /* Method basic NACK */) {
+ NDPI_LOG(NDPI_PROTOCOL_AMQP, ndpi_struct, NDPI_LOG_DEBUG, "found amqp over tcp. \n");
+ ndpi_int_amqp_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+
+void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) {
+ ndpi_set_bitmask_protocol_detection("AMQP", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_AMQP,
+ ndpi_search_amqp,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
+#endif
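Review bot: The frame test in ndpi_search_amqp is loose enough to label unrelated TCP payloads as AMQP: `h->ptype <= 3` also accepts type 0, and class_id/method are range-checked for every frame type. As far as I can tell from the AMQP 0-9-1 framing, only method frames (type 1) carry those two fields. Tightening the first test to `if(h->ptype >= 1 && h->ptype <= 3)` and, when the whole frame is in the segment, checking the frame-end octet would reduce false positives for anyone feeding the result into policy or alerting. The conversions should read `ntohl(h->length)` and `ntohs(h->class_id)`, since the values go from wire to host order; the result is the same but the intent is currently misleading. The overlay cast is only in bounds because the length test uses `sizeof(struct amqp_header)` on a packed struct, which deserves a one-line comment above the cast.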
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index 1bef7f8f5..0b734fa84 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -63,7 +63,6 @@ static void flash_check_http_payload(struct ndpi_detection_module_struct
pos = &packet->payload[packet->empty_line_position] + 2;
-
if(memcmp(pos, "FLV", 3) == 0 && pos[3] == 0x01 && (pos[4] == 0x01 || pos[4] == 0x04 || pos[4] == 0x05)
&& pos[5] == 0x00 && pos[6] == 0x00 && pos[7] == 0x00 && pos[8] == 0x09) {
@@ -330,7 +329,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
return;
}
}
-
+
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "User Agent Type Line found %.*s\n",
packet->user_agent_line.len, packet->user_agent_line.ptr);
}
@@ -341,7 +340,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HOST Line found %.*s\n",
packet->host_line.len, packet->host_line.ptr);
-
+
/* call ndpi_match_host_subprotocol to see if there is a match with known-host http subprotocol */
if((ndpi_struct->http_dont_dissect_response) || flow->http_detected)
ndpi_match_host_subprotocol(ndpi_struct, flow,
@@ -357,13 +356,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
len = ndpi_min(packet->forwarded_line.len, sizeof(flow->nat_ip)-1);
strncpy((char*)flow->nat_ip, (char*)packet->forwarded_line.ptr, len);
flow->nat_ip[len] = '\0';
-
+
if(ndpi_struct->http_dont_dissect_response)
parseHttpSubprotocol(ndpi_struct, flow);
/**
check result of host subprotocol detection
-
+
if "detected" in flow == 0 then "detected" = "guess"
else "guess" = "detected"
**/
@@ -386,7 +385,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_
(char *)packet->http_origin.ptr,
packet->http_origin.len,
NDPI_PROTOCOL_HTTP);
-
+
if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) {
ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]);
@@ -534,225 +533,6 @@ static void http_bitmask_exclude(struct ndpi_flow_struct *flow)
#endif
}
-void _org_ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
-{
- struct ndpi_packet_struct *packet = &flow->packet;
-
- u_int16_t filename_start;
-
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "search http\n");
-
- /* set client-server_direction */
- if(flow->l4.tcp.http_setup_dir == 0) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "initializes http to stage: 1 \n");
- flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction;
- }
-
- if(NDPI_COMPARE_PROTOCOL_TO_BITMASK
- (ndpi_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "protocol might be detected earlier as http jump to payload type detection\n");
- goto http_parse_detection;
- }
-
- if(flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http stage: 1\n");
-
- if(flow->l4.tcp.http_wait_for_retransmission) {
- if(!packet->tcp_retransmission) {
- if(flow->packet_counter <= 5) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "still waiting for retransmission\n");
- return;
- } else {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "retransmission not found, exclude\n");
- http_bitmask_exclude(flow);
- return;
- }
- }
- }
-
- if(flow->l4.tcp.http_stage == 0) {
- filename_start = http_request_url_offset(ndpi_struct, flow);
- if(filename_start == 0) {
- if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response found (truncated flow ?)\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
- return;
- }
-
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "filename not found, exclude\n");
- http_bitmask_exclude(flow);
- return;
- }
- // parse packet
- ndpi_parse_packet_line_info(ndpi_struct, flow);
-
- if(packet->parsed_lines <= 1) {
- /* parse one more packet .. */
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "just one line, search next packet\n");
-
- packet->http_method.ptr = packet->line[0].ptr;
- packet->http_method.len = filename_start - 1;
- flow->l4.tcp.http_stage = 1;
- return;
- }
- // parsed_lines > 1 here
- if(packet->line[0].len >= (9 + filename_start)
- && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
- u_int16_t proto_id;
-
- packet->http_url_name.ptr = &packet->payload[filename_start];
- packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
-
- packet->http_method.ptr = packet->line[0].ptr;
- packet->http_method.len = filename_start - 1;
-
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http structure detected, adding\n");
-
- if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) /* nathan@getoffmalawn.com */
- proto_id = NDPI_PROTOCOL_HTTP_CONNECT;
- else {
- if((packet->http_url_name.len > 7) && (!strncmp((const char*)packet->http_url_name.ptr, "http://", 7)))
- proto_id = NDPI_PROTOCOL_HTTP_PROXY;
- else {
- proto_id = NDPI_PROTOCOL_HTTP;
- }
- }
-
- ndpi_int_http_add_connection(ndpi_struct, flow, proto_id);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- /* HTTP found, look for host... */
- if(packet->host_line.ptr != NULL) {
- /* aaahh, skip this direction and wait for a server reply here */
- flow->l4.tcp.http_stage = 2;
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n");
- return;
- }
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n");
-
- /* host not found, check in next packet after */
- flow->l4.tcp.http_stage = 1;
- return;
- }
- } else if(flow->l4.tcp.http_stage == 1) {
- /* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */
- /* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */
- // parse packet
- ndpi_parse_packet_line_info(ndpi_struct, flow);
-
- if(packet->parsed_lines <= 1) {
- /* wait some packets in case request is split over more than 2 packets */
- if(flow->packet_counter < 5) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "line still not finished, search next packet\n");
- return;
- } else {
- /* stop parsing here */
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n");
- http_bitmask_exclude(flow);
- return;
- }
- }
- // http://www.slideshare.net/DSPIP/rtsp-analysis-wireshark
- if(packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "HTTP START HTTP found in 2. packet, check host here...\n");
- /* HTTP found, look for host... */
- flow->l4.tcp.http_stage = 2;
-
- return;
- }
- }
- } else {
- /* We have received a response for a previously identified partial HTTP request */
-
- if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) {
- /*
- In apache if you do "GET /\n\n" the response comes without any header so we can assume that
- this can be the case
- */
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
- return;
- }
-
- }
-
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n");
- http_bitmask_exclude(flow);
- return;
-
- http_parse_detection:
- if(flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
- /* we have something like http here, so check for host and content type if possible */
- if(flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n");
- // parse packet
- ndpi_parse_packet_line_info(ndpi_struct, flow);
- /* check for url here */
- filename_start = http_request_url_offset(ndpi_struct, flow);
- if(filename_start != 0 && packet->parsed_lines > 1 && packet->line[0].len >= (9 + filename_start)
- && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
- packet->http_url_name.ptr = &packet->payload[filename_start];
- packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
-
- packet->http_method.ptr = packet->line[0].ptr;
- packet->http_method.len = filename_start - 1;
-
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "next http action, "
- "resetting to http and search for other protocols later.\n");
- ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
- }
- check_content_type_and_change_protocol(ndpi_struct, flow);
- /* HTTP found, look for host... */
- if(packet->host_line.ptr != NULL) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n");
- /* aaahh, skip this direction and wait for a server reply here */
- flow->l4.tcp.http_stage = 2;
- return;
- }
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n");
- flow->l4.tcp.http_stage = 1;
- } else if(flow->l4.tcp.http_stage == 1) {
- // parse packet and maybe find a packet info with host ptr,...
- ndpi_parse_packet_line_info(ndpi_struct, flow);
- check_content_type_and_change_protocol(ndpi_struct, flow);
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN second packet scanned\n");
- /* HTTP found, look for host... */
- flow->l4.tcp.http_stage = 2;
- }
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "HTTP skipping client packets after second packet\n");
- return;
- }
- /* server response */
- if(flow->l4.tcp.http_stage > 0) {
- /* first packet from server direction, might have a content line */
- ndpi_parse_packet_line_info(ndpi_struct, flow);
- check_content_type_and_change_protocol(ndpi_struct, flow);
-
- if(packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "empty line. check_http_payload.\n");
- check_http_payload(ndpi_struct, flow);
- }
-
- if(flow->l4.tcp.http_stage == 2) {
- flow->l4.tcp.http_stage = 3;
- } else {
- flow->l4.tcp.http_stage = 0;
- }
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
- "HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage);
- return;
- } else {
- NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response next packet skipped\n");
- }
-}
-
/*************************************************************************************************/
static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct,
@@ -771,10 +551,10 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
filename_start = http_request_url_offset(ndpi_struct, flow);
-
if(filename_start == 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"Filename HTTP not found, we look for possible truncate flow...\n");
+
if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP response found (truncated flow ?)\n");
@@ -783,6 +563,24 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
return;
}
+ if((packet->payload_packet_len == 3) && memcmp(packet->payload, "HI\n", 3) == 0) {
+ /* This looks like Ookla: we don't give up with HTTP yet */
+ flow->l4.tcp.http_stage = 1;
+ return;
+ }
+
+ if((packet->payload_packet_len == 23) && (memcmp(packet->payload, "<policy-file-request/>", 23) == 0)) {
+ /*
+ <policy-file-request/>
+ <cross-domain-policy>
+ <allow-access-from domain="*.ookla.com" to-ports="8080"/>
+ <allow-access-from domain="*.speedtest.net" to-ports="8080"/>
+ </cross-domain-policy>
+ */
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ }
+
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Exclude HTTP\n");
http_bitmask_exclude(flow);
return;
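Review bot: The `<policy-file-request/>` branch marks any flow that sends this generic request as Ookla. The ookla.com and speedtest.net domains quoted in the comment belong to the reply, which this code never inspects. Consider leaving the flow undecided here, as the `HI\n` branch does with `flow->l4.tcp.http_stage = 1;`, and confirming on the response, or at least state in the comment that the match is a heuristic. The length 23 is the 22 visible characters plus the literal's terminating NUL, so the `memcmp` also requires a zero byte on the wire; a comment such as `/* 22 chars + trailing NUL */` would stop someone from "correcting" it to 22. The enclosing function starts and ends outside this hunk.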
@@ -817,6 +615,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
+ /* Check for Ookla */
+ if((packet->referer_line.len > 0)
+ && ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) {
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_HTTP);
+ return;
+ }
+
/* Check for additional field introduced by Steam */
int x = 1;
if((memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) {
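Review bot: Classifying on the Referer header lets the sender of the request choose the label. The value is request-controlled, `ndpi_strnstr` is a substring match so longer names that merely contain `www.speedtest.net` also hit, and the early `return;` skips the Steam, Facebook, host and content-type checks that follow. Where nDPI output drives filtering or accounting, unrelated HTTP traffic can therefore end up labelled as Ookla. Consider matching on `packet->host_line` instead, or dropping the `return;` so the later sub-protocol checks still run. ndpi_check_http_tcp begins and ends outside this hunk.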
@@ -824,7 +629,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
check_content_type_and_change_protocol(ndpi_struct, flow);
return;
}
-
+
/* Check for additional field introduced by Facebook */
x = 1;
while(packet->line[x].len != 0) {
@@ -881,8 +686,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
check_content_type_and_change_protocol(ndpi_struct, flow);
}
- if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) /* nathan@getoffmalawn.com */
- {
+ if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) {
+ /* nathan@getoffmalawn.com */
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP_CONNECT Found.\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT);
check_content_type_and_change_protocol(ndpi_struct, flow);
@@ -892,14 +697,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
"HTTP START Found, we will look for sub-protocols (content and host)...\n");
if(packet->host_line.ptr != NULL) {
-
/**
nDPI is pretty scrupulous about HTTP so it waits until the
HTTP response is received just to check that it conforms
with the HTTP specs. However this might be a waste of time as
in 99.99% of the cases is like that.
*/
-
+
if(ndpi_struct->http_dont_dissect_response) {
if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
@@ -911,7 +715,6 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
}
check_content_type_and_change_protocol(ndpi_struct, flow);
-
return;
}
}
@@ -922,6 +725,16 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n",
flow->l4.tcp.http_stage);
+
+ if(flow->l4.tcp.http_stage == 1) {
+ if((packet->payload_packet_len > 6) && memcmp(packet->payload, "HELLO ", 6) == 0) {
+ /* This looks like Ookla */
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN);
+ return;
+ } else
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA);
+ }
+
/**
At first check, if this is for sure a response packet (in another direction. If not, if http is detected do nothing now and return,
otherwise check the second packet for the http request
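Review bot: The new stage-1 test does not record that `HI\n` was actually seen, because it keys only on `flow->l4.tcp.http_stage == 1`. If other paths of ndpi_check_http_tcp also set stage 1 (not visible in this hunk), any such flow whose next payload starts with `HELLO ` is reported as Ookla. A dedicated flag or stage value for the Ookla handshake would keep it apart from the HTTP state machine. The unbraced `else` before `NDPI_ADD_PROTOCOL_TO_BITMASK(...)` is also fragile if that macro expands to more than one statement; I would write `} else {` and close the block after the macro call.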
diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c
index 869b36378..d6ca25cde 100644
--- a/src/lib/protocols/oscar.c
+++ b/src/lib/protocols/oscar.c
@@ -579,7 +579,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
{
/* request ID */
req_ID = get_u_int32_t(packet->payload, 12);
- if((req_ID <= 4294967295))
+ if((req_ID <= ((u_int32_t)-1)))
{
NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Detected \n");
ndpi_int_oscar_add_connection(ndpi_struct, flow);
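Review bot: The rewritten condition `req_ID <= ((u_int32_t)-1)` is still always true if `req_ID` is a 32-bit unsigned value; its declaration is outside the hunk, but it is assigned from `get_u_int32_t`. The cast therefore only silences the compiler warning, and every packet reaching this point is reported as OSCAR without any check on the request ID. Either remove the `if` or replace it with the range test that was intended. At minimum add `/* always true for u_int32_t: the request ID is not validated */` above it so the next reader does not take it for a real guard.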