Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_typedefs.h | 7 | ||||
-rw-r--r-- | src/lib/protocols/ntp.c | 13 |
2 files changed, 17 insertions, 3 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8404daa2e..3553df9a3 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -722,7 +722,12 @@ typedef struct ndpi_flow_struct {
 u_int8_t bad_packet /* the received packet looks bad */;
 u_int16_t query_type, query_class, rsp_type;
 } dns;
-
+
+ struct {
+ u_int8_t request_code;
+ u_int8_t version;
+ } ntp;
+
 struct {
 char client_certificate[48], server_certificate[48];
 } ssl;
diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index 8a2a8aa25..233317a57 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -46,14 +46,23 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc
 NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP port detected\n");
- if (packet->payload_packet_len != 48)
- goto exclude_ntp;
+ // It's not correct because packets could be bigger
+ //if (packet->payload_packet_len != 48)
+ // goto exclude_ntp;
 NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP length detected\n");
 if ((((packet->payload[0] & 0x38) >> 3) <= 4)) {
 NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "detected NTP.");
+
+ // 38 in binary representation is 00111000
+ flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3;
+
+ if (flow->protos.ntp.version == 2) {
+ flow->protos.ntp.request_code = packet->payload[3];
+ }
+
 ndpi_int_ntp_add_connection(ndpi_struct, flow);
 return;
 }
|
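Review bot: With the `payload_packet_len != 48` test commented out, nothing visible in this hunk bounds the payload length before `packet->payload[0]` and the newly added `packet->payload[3]` are read, so a datagram shorter than four bytes on the NTP port could be read past its end. Replace the removed equality test with a lower bound instead of dropping it, e.g. `if (packet->payload_packet_len < 4) goto exclude_ntp;` (or the smallest NTP header the detector should accept), unless a guard above the hunk already guarantees this. The commented-out lines are better deleted than kept, the "NTP length detected" log message no longer corresponds to any length test, and the mask comment should read `// bits 3-5 of byte 0 (mask 0x38 = 00111000b) hold the NTP version`. ndpi_search_ntp_udp begins and ends outside the hunk.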