Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 7 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 7 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 71 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 65 |
4 files changed, 130 insertions, 20 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index 8a94db2ce..9bccf743b 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -202,7 +202,10 @@
 #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci <matteobracci1@gmail.com> */
 #define NDPI_PROTOCOL_TEREDO 214
 #define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */
-#define NDPI_PROTOCOL_UBNTAC2 217 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom <thomas+ndpi@fjellstrom.ca> */
+#define NDPI_PROTOCOL_UBNTAC2 217 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom <thomas+ndpi@fjellstrom.ca> */
+#define NDPI_PROTOCOL_MS_LYNC 218
+
+
 #define NDPI_CONTENT_AVI 39
 #define NDPI_CONTENT_FLASH 40
@@ -265,7 +268,7 @@
 #define NDPI_SERVICE_HOTSPOT_SHIELD 215
 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_UBNTAC2
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_MS_LYNC
 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
 #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5fe7e61af..0aad7bdb4 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1627,11 +1627,16 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 no_master, "Starcraft",
 ndpi_build_default_ports(ports_a, 1119, 0, 0, 0, 0), /* TCP */
 ndpi_build_default_ports(ports_b, 1119, 0, 0, 0, 0)); /* UDP */
- ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2,
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2,
 no_master,
 no_master, "UBNTAC2",
 ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
 ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MS_LYNC,
+ no_master,
+ no_master, "Lync",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */
 /* calling function for host and content matched protocols */
 init_string_based_protocols(ndpi_mod);
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index 6dae41bbb..66630c192 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -27,28 +27,83 @@ #ifdef NDPI_PROTOCOL_RTP +/* http://www.myskypelab.com/2014/05/microsoft-lync-wireshark-plugin.html */ + +static u_int8_t isValidMSRTPType(u_int8_t payloadType) { + switch(payloadType) { + case 0: /* G.711 u-Law */ + case 3: /* GSM 6.10 */ + case 4: /* G.723.1 */ + case 8: /* G.711 A-Law */ + case 9: /* G.722 */ + case 13: /* Comfort Noise */ + case 97: /* Redundant Audio Data Payload */ + case 101: /* DTMF */ + case 103: /* SILK Narrowband */ + case 104: /* SILK Wideband */ + case 111: /* Siren */ + case 112: /* G.722.1 */ + case 114: /* RT Audio Wideband */ + case 115: /* RT Audio Narrowband */ + case 116: /* G.726 */ + case 117: /* G.722 */ + case 118: /* Comfort Noise Wideband */ + case 34: /* H.263 [MS-H26XPF] */ + case 121: /* RT Video */ + case 122: /* H.264 [MS-H264PF] */ + case 123: /* H.264 FEC [MS-H264PF] */ + case 127: /* x-data */ + return(1 /* RTP */); + break; + + case 200: /* RTCP PACKET SENDER */ + case 201: /* RTCP PACKET RECEIVER */ + case 202: /* RTCP Source Description */ + case 203: /* RTCP Bye */ + return(2 /* RTCP */); + break; + + default: + return(0); + } +} static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t * payload, const u_int16_t payload_len) { //struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t payload_type = payload[1] & 0x7F; + u_int8_t payloadType, payload_type = payload[1] & 0x7F; u_int32_t *ssid = (u_int32_t*)&payload[8]; /* Check whether this is an RTP flow */ if((payload_len >= 12) && ((payload[0] & 0xFF) == 0x80) /* RTP magic byte[1] */ && ((payload_type < 72) || (payload_type > 76)) - && (payload_type < 128 /* http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-rtp.c */) - && (*ssid != 0) + && ((payload_type <= 34) + || ((payload_type >= 96) && (payload_type <= 127)) + /* http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xhtml */ + ) + && (*ssid != 0) ) { - NDPI_LOG(NDPI_PROTOCOL_RTP, 
ndpi_struct, NDPI_LOG_DEBUG, "Found rtp.\n"); + NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found RTP.\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_UNKNOWN); - } else { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); - } + return; + } else if((payload_len >= 12) + && ((payload[0] & 0xFF) == 0x80) /* RTP magic byte[1] */ + && (payloadType = isValidMSRTPType(payload[1] & 0xFF))) { + if(payloadType == 1 /* RTP */) { + NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found MS Lync\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MS_LYNC, NDPI_PROTOCOL_UNKNOWN); + } else /* RTCP */ { + NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found MS RTCP\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN); + } + } + + /* No luck this time */ + NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); } void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 97b3efd67..69e1cad52 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -50,7 +50,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * struct ndpi_flow_struct *flow, const u_int8_t * payload, const u_int16_t payload_length, - u_int8_t *is_whatsapp) { + u_int8_t *is_whatsapp, + u_int8_t *is_lync) { u_int16_t msg_type, msg_len; struct stun_packet_header *h = (struct stun_packet_header*)payload; 
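Review bot: In rtp.c's ndpi_rtp_search, the new `else if` branch sets NDPI_PROTOCOL_MS_LYNC or NDPI_PROTOCOL_RTCP but has no `return;`, so control falls through to the "No luck this time" block, which logs "exclude rtp." and adds RTP to `excluded_protocol_bitmask` right after a positive match, whereas the RTP branch above it does return. If that exclusion is not intended, add `return;` after the inner if/else. Separately, `payload[1]` is read in the declaration `u_int8_t payloadType, payload_type = payload[1] & 0x7F;` before `payload_len >= 12` is tested, so unless the caller (outside this hunk) guarantees at least two bytes, that read should move behind the length check. The Lync match rests on two bytes only (0x80 plus a listed payload type), so a comment noting the expected false-positive rate on other UDP traffic would help whoever consumes these labels.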
@@ -68,10 +69,51 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 if((payload[0] != 0x80) && ((msg_len+20) > payload_length)) return(NDPI_IS_NOT_STUN);
+ /* printf("msg_type=%04X, msg_len=%u\n", msg_type, msg_len); */
+
 if((payload_length == (msg_len+20))
- && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */))
- goto udp_stun_found;
+ && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */)) {
+ u_int offset = 20;
+
+ /*
+ This can either be the standard RTCP or Ms Lync RTCP that
+ later will becomg Ms Lync RTP. In this case we need to
+ be careful before deciding about the protocol before dissecting the packet
+ */
+
+ while(offset < payload_length) {
+ u_int16_t attribute = ntohs(*((u_int16_t*)&payload[offset]));
+ u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2]));
+
+ switch(attribute) {
+ case 0x8054: /* Candidate Identifier */
+ if((len == 4)
+ && (payload[offset+4] == 0x31)
+ && (payload[offset+5] == 0x00)
+ && (payload[offset+6] == 0x00)
+ && (payload[offset+7] == 0x00)) {
+ *is_lync = 1;
+ return(NDPI_IS_STUN);
+ }
+ break;
+
+ case 0x8070: /* Implementation Version */
+ if((len == 4)
+ && (payload[offset+4] == 0x00)
+ && (payload[offset+5] == 0x00)
+ && (payload[offset+6] == 0x00)
+ && (payload[offset+7] == 0x02)) {
+ *is_lync = 1;
+ return(NDPI_IS_STUN);
+ }
+ break;
+ }
+ offset += len + 4;
+ }
+ goto udp_stun_found;
+ }
+
 #ifdef ORIGINAL_CODE
 /* * token list of message types and attribute types from
@@ -191,7 +233,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
 struct ndpi_packet_struct *packet = &flow->packet;
- u_int8_t is_whatsapp = 0;
+ u_int8_t is_whatsapp = 0, is_lync = 0;
 NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "search stun.\n");
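Review bot: The attribute loop added in ndpi_int_check_stun (hunk at -68,10) can read past the end of the packet: `while(offset < payload_length)` guarantees only one byte at `offset`, yet the body reads the type and length from `payload[offset]` through `payload[offset+3]` and then compares bytes up to `payload[offset+7]`, with `len` taken from the packet itself. Because this parser runs on untrusted traffic, both reads should be bounded, e.g. `while((offset + 4) <= payload_length) {` and, right after `len` is read, `if((offset + 4 + len) > payload_length) break;`. The `u_int16_t*` casts also assume `payload + offset` is 2-byte aligned, which a packet-supplied `len` does not guarantee; reading the two bytes individually avoids that. If these attributes follow the usual STUN 4-byte padding, `offset += len + 4` will drift on lengths that are not a multiple of four, which is worth a comment or a round-up. The function starts and ends outside this hunk.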
@@ -205,7 +247,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
 * improved by checking only the STUN packet of given length */
 if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2,
- packet->payload_packet_len - 2, &is_whatsapp) == NDPI_IS_STUN) {
+ packet->payload_packet_len - 2, &is_whatsapp, &is_lync) == NDPI_IS_STUN) {
 NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found TCP stun.\n");
 ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_STUN, flow);
 return;
@@ -214,10 +256,15 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n
 }
 if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload,
- packet->payload_packet_len, &is_whatsapp) == NDPI_IS_STUN) {
- NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n");
- ndpi_int_stun_add_connection(ndpi_struct,
- is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow);
+ packet->payload_packet_len, &is_whatsapp, &is_lync) == NDPI_IS_STUN) {
+ if(is_lync) {
+ NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "Found MS Lync\n");
+ ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_MS_LYNC, flow);
+ } else {
+ NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n");
+ ndpi_int_stun_add_connection(ndpi_struct,
+ is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow);
+ }
 return;
 }
|
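Review bot: In the first hunk the TCP-framed call now passes `&is_lync`, but the result is never consulted: that branch still calls `ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_STUN, flow)`, while the UDP branch in the second hunk maps `is_lync` to NDPI_PROTOCOL_MS_LYNC. If Lync carried in the TCP framing should get the same label, use `is_lync ? NDPI_PROTOCOL_MS_LYNC : NDPI_PROTOCOL_STUN` there; if it is deliberately ignored, a one-line comment such as `/* is_lync is only honoured for UDP */` would keep the two paths from looking inconsistent. In the UDP branch `is_lync` takes precedence over `is_whatsapp`; whether both can be set at once is decided outside these hunks. ndpi_search_stun starts before and ends after the lines shown.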