Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_main.h | 2 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/Makefile.in | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 503 | ||||
-rw-r--r-- | src/lib/protocols/btlib.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/coap.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/csgo.c | 5 | ||||
-rw-r--r-- | src/lib/protocols/directconnect.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/edonkey.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/ftp_data.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/gnutella.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/icecast.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/memcached.c | 3 |
14 files changed, 277 insertions, 262 deletions
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index e37576289..5ec98f6d9 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -124,7 +124,7 @@ extern "C" { u_int8_t proto, u_int16_t sport, u_int16_t dport, u_int8_t *user_defined_proto); - extern u_int8_t ndpi_is_proto(ndpi_protocol p, u_int16_t proto); + extern u_int8_t ndpi_is_proto(ndpi_protocol proto, u_int16_t p); extern u_int16_t ndpi_get_lower_proto(ndpi_protocol p); extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 1bd8fd2db..03f7bf6c3 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -360,6 +360,7 @@ typedef enum { NDPI_HTTP_METHOD_OPTIONS, NDPI_HTTP_METHOD_GET, NDPI_HTTP_METHOD_HEAD, + NDPI_HTTP_METHOD_PATCH, NDPI_HTTP_METHOD_POST, NDPI_HTTP_METHOD_PUT, NDPI_HTTP_METHOD_DELETE, @@ -1027,7 +1028,7 @@ struct ndpi_flow_struct { u_int16_t protocol_stack_info; /* init parameter, internal used to set up timestamp,... */ - u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category; + u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category; u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1; /* diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index cadd65ddd..65934502d 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -58,6 +58,9 @@ clean: distclean: clean /bin/rm -f Makefile +cppcheck: + cppcheck --template='{file}:{line}:{severity}:{message}' --quiet --enable=all --force -I ../include *.c protocols/*.c + install: $(NDPI_LIBS) mkdir -p $(DESTDIR)$(libdir) cp $(NDPI_LIBS) $(DESTDIR)$(libdir)/ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 866f65a10..14d5e5f63 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
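Review bot: In the ndpi_typedefs.h hunk at -360, `NDPI_HTTP_METHOD_PATCH` is inserted in the middle of the enum, so `NDPI_HTTP_METHOD_POST`, `NDPI_HTTP_METHOD_PUT`, `NDPI_HTTP_METHOD_DELETE` and every later constant shift by one. Any table indexed by this enum, and any consumer built against the old header, would then map methods to the wrong entry without a compile error. The hunk at -1027 has the same binary-compatibility effect, because `guessed_header_category` changes the layout of `struct ndpi_flow_struct`. Unless the order is significant, appending the new constant after the last existing method would keep the old values stable; the end of the enum is outside this hunk. If it has to stay here, add a comment such as `/* inserted mid-enum: keep every method table in sync */` and note the ABI break in the release notes.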
@@ -320,110 +320,110 @@ int strncasecmp(s1, s2, n) /* Keep it in order and in sync with ndpi_protocol_category_t in ndpi_typedefs.h */ static const char* categories[] = { - "Unspecified", - "Media", - "VPN", - "Email", - "DataTransfer", - "Web", - "SocialNetwork", - "Download-FileTransfer-FileSharing", - "Game", - "Chat", - "VoIP", - "Database", - "RemoteAccess", - "Cloud", - "Network", - "Collaborative", - "RPC", - "Streaming", - "System", - "SoftwareUpdate", - "", - "", - "", - "", - "", - "Music", - "Video", - "Shopping", - "Productivity", - "FileSharing", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "", - "Mining", /* 99 */ - "Malware", - "Advertisement", - "Banned_Site", - "Site_Unavailable" + "Unspecified", + "Media", + "VPN", + "Email", + "DataTransfer", + "Web", + "SocialNetwork", + "Download-FileTransfer-FileSharing", + "Game", + "Chat", + "VoIP", + "Database", + "RemoteAccess", + "Cloud", + "Network", + "Collaborative", + "RPC", + "Streaming", + "System", + "SoftwareUpdate", + "", + "", + "", + "", + "", + "Music", + "Video", + "Shopping", + "Productivity", + "FileSharing", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "Mining", /* 99 */ + "Malware", + "Advertisement", + "Banned_Site", + "Site_Unavailable" }; /* 
****************************************** */ @@ -545,7 +545,7 @@ ndpi_port_range * ndpi_build_default_ports_range(ndpi_port_range *ports, ports[i].port_low = portB_low, ports[i].port_high = portB_high; i++; ports[i].port_low = portC_low, ports[i].port_high = portC_high; i++; ports[i].port_low = portD_low, ports[i].port_high = portD_high; i++; - ports[i].port_low = portE_low, ports[i].port_high = portE_high; i++; + ports[i].port_low = portE_low, ports[i].port_high = portE_high; return(ports); } @@ -564,7 +564,7 @@ ndpi_port_range * ndpi_build_default_ports(ndpi_port_range *ports, ports[i].port_low = portB, ports[i].port_high = portB; i++; ports[i].port_low = portC, ports[i].port_high = portC; i++; ports[i].port_low = portD, ports[i].port_high = portD; i++; - ports[i].port_low = portE, ports[i].port_high = portE; i++; + ports[i].port_low = portE, ports[i].port_high = portE; return(ports); } @@ -597,11 +597,11 @@ void ndpi_set_proto_category(struct ndpi_detection_module_struct *ndpi_mod, Example: - DNS is informative as if we see a DNS request for www.facebook.com, the - returned protocol is DNS.Facebook, but Facebook isn't a real subprotocol but - rather it indicates a query for Facebook and not Facebook traffic. + returned protocol is DNS.Facebook, but Facebook isn't a real subprotocol but + rather it indicates a query for Facebook and not Facebook traffic. - HTTP/SSL are NOT informative as SSL.Facebook (likely) means that this is - SSL (HTTPS) traffic containg Facebook traffic. - */ + SSL (HTTPS) traffic containg Facebook traffic. +*/ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *ndpi_mod, u_int16_t protoId) { if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS) 
@@ -619,21 +619,21 @@ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *nd /* ********************************************************************************** */ void ndpi_exclude_protocol(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, - u_int16_t protocol_id, - const char *_file, const char *_func,int _line) { + struct ndpi_flow_struct *flow, + u_int16_t protocol_id, + const char *_file, const char *_func,int _line) { if(protocol_id < NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS) { #ifdef NDPI_ENABLE_DEBUG_MESSAGES - if( ndpi_struct && - ndpi_struct->ndpi_log_level >= NDPI_LOG_DEBUG && - ndpi_struct->ndpi_debug_printf != NULL) { + if( ndpi_struct && + ndpi_struct->ndpi_log_level >= NDPI_LOG_DEBUG && + ndpi_struct->ndpi_debug_printf != NULL) { - (*(ndpi_struct->ndpi_debug_printf))(protocol_id, ndpi_struct, NDPI_LOG_DEBUG, - _file, _func, _line, "exclude %s\n",ndpi_get_proto_name(ndpi_struct, protocol_id)); - } + (*(ndpi_struct->ndpi_debug_printf))(protocol_id, ndpi_struct, NDPI_LOG_DEBUG, + _file, _func, _line, "exclude %s\n",ndpi_get_proto_name(ndpi_struct, protocol_id)); + } #endif - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, protocol_id); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, protocol_id); } } @@ -718,8 +718,7 @@ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod, ndpi_proto_defaults_t *def, u_int8_t customUserProto, ndpi_default_ports_tree_node_t **root, - const char *_func, int _line) -{ + const char *_func, int _line) { ndpi_default_ports_tree_node_t *ret; u_int16_t port; @@ -736,7 +735,7 @@ static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod, if(ret != node) { NDPI_LOG_DBG(ndpi_mod, "[NDPI] %s:%d found duplicate for port %u: overwriting it with new value\n", - _func, _line, port); + _func, _line, port); ret->proto = def; ndpi_free(node); 
@@ -860,8 +859,8 @@ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_mod, if(ndpi_mod->proto_defaults[match->protocol_id].protoName == NULL) { if(match->protocol_id == NDPI_PROTOCOL_GENERIC) ndpi_mod->proto_defaults[match->protocol_id].protoName = ndpi_strdup(NDPI_CONST_GENERIC_PROTOCOL_NAME); - else - ndpi_mod->proto_defaults[match->protocol_id].protoName = ndpi_strdup(match->proto_name); + else + ndpi_mod->proto_defaults[match->protocol_id].protoName = ndpi_strdup(match->proto_name); ndpi_mod->proto_defaults[match->protocol_id].protoId = match->protocol_id; ndpi_mod->proto_defaults[match->protocol_id].protoCategory = match->protocol_category; @@ -2113,7 +2112,7 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) { The patch below allows in case of pattern ws.amazon.com to avoid matching aws.amazon.com whereas a.ws.amazon.com has to match - */ + */ if(whatfound && (whatfound != buf) && (m->patterns->astring[0] != '.') /* The searched patter does not start with . */ && strchr(m->patterns->astring, '.') /* The matched pattern has a . (e.g. numeric or sym IPs) */ @@ -2133,8 +2132,8 @@ static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) { || (strncmp(buf, m->patterns->astring, min_len) == 0) /* begins with */ ) { #ifdef MATCH_DEBUG - printf("Found match [%s][%s] [len: %u][proto_id: %u]\n", - buf, m->patterns->astring, min_len , *matching_protocol_id); + printf("Found match [%s][%s] [len: %u][proto_id: %u]\n", + buf, m->patterns->astring, min_len , *matching_protocol_id); #endif return(1); /* If the pattern found matches the string at the beginning we stop here */ } else 
@@ -2174,16 +2173,6 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str /* ******************************************* */ -/* u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host /\* network byte order *\/) { */ -/* struct in_addr pin; */ - -/* pin.s_addr = host; */ - -/* return(ndpi_network_ptree_match(ndpi_struct, &pin)); */ -/* } */ - -/* ******************************************* */ - #if 0 static u_int8_t tor_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) { return((ndpi_network_ptree_match(ndpi_struct, pin) == NDPI_PROTOCOL_TOR) ? 1 : 0); @@ -2269,23 +2258,23 @@ void set_ndpi_free(void (*__ndpi_free)(void *ptr)) { _ndpi_free = __ndpi_ void set_ndpi_flow_free(void (*__ndpi_flow_free)(void *ptr)) { _ndpi_flow_free = __ndpi_flow_free; } void ndpi_debug_printf(unsigned int proto, struct ndpi_detection_module_struct *ndpi_str, - ndpi_log_level_t log_level, const char *file_name, const char *func_name, int line_number, - const char * format, ...) + ndpi_log_level_t log_level, const char *file_name, const char *func_name, int line_number, + const char * format, ...) { #ifdef NDPI_ENABLE_DEBUG_MESSAGES va_list args; #define MAX_STR_LEN 250 char str[MAX_STR_LEN]; if(ndpi_str != NULL && log_level > NDPI_LOG_ERROR && - proto > 0 && proto < NDPI_MAX_SUPPORTED_PROTOCOLS && - !NDPI_ISSET(&ndpi_str->debug_bitmask,proto)) return; + proto > 0 && proto < NDPI_MAX_SUPPORTED_PROTOCOLS && + !NDPI_ISSET(&ndpi_str->debug_bitmask,proto)) return; va_start(args, format); vsnprintf(str,sizeof(str)-1, format, args); va_end(args); if(ndpi_str != NULL) { printf("%s:%s:%-3u - [%s]: %s", - file_name, func_name, line_number, ndpi_get_proto_name(ndpi_str, proto), str); + file_name, func_name, line_number, ndpi_get_proto_name(ndpi_str, proto), str); } else { printf("Proto: %u, %s", proto, str); } 
@@ -2380,7 +2369,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) { for(i=0; i<NUM_CUSTOM_CATEGORIES; i++) snprintf(ndpi_str->custom_category_labels[i], - CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u", i+1); + CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u", (unsigned int)(i+1)); return ndpi_str; } @@ -2679,7 +2668,7 @@ static ndpi_default_ports_tree_node_t* ndpi_get_guessed_protocol_id(struct ndpi_ These are UDP protocols that must fit a single packet and thus that if have NOT been detected they cannot be guessed as they have been excluded - */ +*/ u_int8_t is_udp_guessable_protocol(u_int16_t l7_guessed_proto) { switch(l7_guessed_proto) { case NDPI_PROTOCOL_QUIC: @@ -2698,8 +2687,8 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc struct ndpi_flow_struct *flow, u_int8_t proto, u_int16_t sport, u_int16_t dport, u_int8_t *user_defined_proto) { - *user_defined_proto = 0; /* Default */ + if(sport && dport) { ndpi_default_ports_tree_node_t *found = ndpi_get_guessed_protocol_id(ndpi_struct, proto, sport, dport); @@ -2829,7 +2818,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod, if(ndpi_mod->ndpi_num_custom_protocols >= (NDPI_MAX_NUM_CUSTOM_PROTOCOLS-1)) { NDPI_LOG_ERR(ndpi_mod, "Too many protocols defined (%u): skipping protocol %s\n", - ndpi_mod->ndpi_num_custom_protocols, proto); + ndpi_mod->ndpi_num_custom_protocols, proto); return(-2); } @@ -2909,14 +2898,14 @@ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char fd = fopen(path, "r"); if(fd == NULL) { - NDPI_LOG_ERR(ndpi_mod, "Unable to open file %s [%s]", path, strerror(errno)); + NDPI_LOG_ERR(ndpi_mod, "Unable to open file %s [%s]\n", path, strerror(errno)); goto error; } buffer = ndpi_malloc(buffer_len); if(buffer == NULL) { - NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure"); + NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure\n"); goto close_fd; } 
@@ -2933,7 +2922,7 @@ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char buffer = ndpi_realloc(old_buffer, old_buffer_len, buffer_len); if(buffer == NULL) { - NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure"); + NDPI_LOG_ERR(ndpi_mod, "Memory allocation failure\n"); free(old_buffer); goto close_fd; } @@ -2983,17 +2972,17 @@ void ndpi_set_bitmask_protocol_detection(char * label, if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(*detection_bitmask, ndpi_protocol_id) != 0) { #ifdef DEBUG NDPI_LOG_DBG2(ndpi_struct - "[NDPI] ndpi_set_bitmask_protocol_detection: %s : [callback_buffer] idx= %u, [proto_defaults] protocol_id=%u\n", - label, idx, ndpi_protocol_id); + "[NDPI] ndpi_set_bitmask_protocol_detection: %s : [callback_buffer] idx= %u, [proto_defaults] protocol_id=%u\n", + label, idx, ndpi_protocol_id); #endif if(ndpi_struct->proto_defaults[ndpi_protocol_id].protoIdx != 0) { NDPI_LOG_DBG2(ndpi_struct, - "[NDPI] Internal error: protocol %s/%u has been already registered\n", label, ndpi_protocol_id); + "[NDPI] Internal error: protocol %s/%u has been already registered\n", label, ndpi_protocol_id); #ifdef DEBUG } else { NDPI_LOG_DBG2(ndpi_struct, - "[NDPI] Adding %s with protocol id %d\n", label, ndpi_protocol_id); + "[NDPI] Adding %s with protocol id %d\n", label, ndpi_protocol_id); #endif } @@ -3023,8 +3012,7 @@ void ndpi_set_bitmask_protocol_detection(char * label, /* ******************************************************************** */ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, - const NDPI_PROTOCOL_BITMASK * dbm) -{ + const NDPI_PROTOCOL_BITMASK * dbm) { NDPI_PROTOCOL_BITMASK detection_bitmask_local; NDPI_PROTOCOL_BITMASK *detection_bitmask = &detection_bitmask_local; u_int32_t a = 0; 
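Review bot: In the -2933 hunk the failure path still calls `free(old_buffer);`, although the buffer comes from `ndpi_malloc()` and `ndpi_realloc()`. The same file exposes `set_ndpi_free()`, so an application that installs its own allocator would have this block released by the wrong one. `ndpi_free(old_buffer);` keeps the pair consistent. Whether `ndpi_realloc()` already releases the old block on failure is not visible here and should be confirmed, because that would make this a double free. The function body continues outside the hunk.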
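Review bot: In the -2983 hunk the first `NDPI_LOG_DBG2(ndpi_struct` call under `#ifdef DEBUG` has no comma between `ndpi_struct` and the format string, and the re-indentation carries that over, so this branch cannot compile once `DEBUG` is defined. It should read `NDPI_LOG_DBG2(ndpi_struct,` like the two calls below it. The later "Adding %s with protocol id %d" message prints the id with `%d` while the other messages use `%u`; `%u` would be consistent. The function starts and ends outside the hunk.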
@@ -3501,7 +3489,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n ndpi_struct->callback_buffer_size = a; NDPI_LOG_DBG2(ndpi_struct, - "callback_buffer_size is %u\n", ndpi_struct->callback_buffer_size); + "callback_buffer_size is %u\n", ndpi_struct->callback_buffer_size); /* now build the specific buffer for tcp, udp and non_tcp_udp */ ndpi_struct->callback_buffer_size_tcp_payload = 0; @@ -3512,8 +3500,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) { if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, - "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a, - ndpi_struct->callback_buffer_size_tcp_payload); + "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a, + ndpi_struct->callback_buffer_size_tcp_payload); memcpy(&ndpi_struct->callback_buffer_tcp_payload[ndpi_struct->callback_buffer_size_tcp_payload], &ndpi_struct->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); @@ -3522,7 +3510,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n if((ndpi_struct-> callback_buffer[a].ndpi_selection_bitmask & NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) == 0) { if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, - "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a); + "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a); memcpy(&ndpi_struct->callback_buffer_tcp_no_payload [ndpi_struct->callback_buffer_size_tcp_no_payload], &ndpi_struct->callback_buffer[a], 
@@ -3539,7 +3527,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) { if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, - "callback_buffer_size_udp: adding buffer : %u as entry %u\n", a, ndpi_struct->callback_buffer_size_udp); + "callback_buffer_size_udp: adding buffer : %u as entry %u\n", a, ndpi_struct->callback_buffer_size_udp); memcpy(&ndpi_struct->callback_buffer_udp[ndpi_struct->callback_buffer_size_udp], &ndpi_struct->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); @@ -3556,7 +3544,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n || (ndpi_struct-> callback_buffer[a].ndpi_selection_bitmask & NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC) != 0) { if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, - "callback_buffer_non_tcp_udp: adding buffer : %u as entry %u\n", a, ndpi_struct->callback_buffer_size_non_tcp_udp); + "callback_buffer_non_tcp_udp: adding buffer : %u as entry %u\n", a, ndpi_struct->callback_buffer_size_non_tcp_udp); memcpy(&ndpi_struct->callback_buffer_non_tcp_udp[ndpi_struct->callback_buffer_size_non_tcp_udp], &ndpi_struct->callback_buffer[a], sizeof(struct ndpi_call_function_struct)); @@ -3744,11 +3732,10 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str #endif /* NDPI_DETECTION_SUPPORT_IPV6 */ } - if(flow) { + if(flow) ndpi_apply_flow_protocol_to_packet(flow, &flow->packet); - } else { + else ndpi_int_reset_packet_protocol(&flow->packet); - } l3len = flow->packet.l3_packet_len; @@ -3756,7 +3743,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str if(flow->packet.iph != NULL) { #endif /* NDPI_DETECTION_SUPPORT_IPV6 */ - decaps_iph =flow->packet.iph; + decaps_iph = flow->packet.iph; #ifdef NDPI_DETECTION_SUPPORT_IPV6 } 
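Review bot: In the -3744 hunk the `else` branch runs only when `flow` is NULL, yet it passes `&flow->packet` to `ndpi_int_reset_packet_protocol()`, and the very next line reads `flow->packet.l3_packet_len` unconditionally. Removing the braces keeps that contradiction: either the test is dead code or a NULL flow crashes here while handling a packet. If NULL is possible, fail early with something like `if(flow == NULL) return 1;`, using whatever error value this function's callers already expect. Otherwise drop the test and call `ndpi_apply_flow_protocol_to_packet(flow, &flow->packet);` directly. The function body starts and ends outside the hunk.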
@@ -3833,7 +3820,7 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str flow->guessed_host_protocol_id = backup2; NDPI_LOG_DBG(ndpi_struct, - "tcp syn packet for unknown protocol, reset detection state\n"); + "tcp syn packet for unknown protocol, reset detection state\n"); } } else { /* tcp header not complete */ @@ -3862,8 +3849,6 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct, const struct ndpi_tcphdr *tcph = packet->tcp; const struct ndpi_udphdr *udph = flow->packet.udp; - u_int8_t proxy_enabled = 0; - packet->tcp_retransmission = 0, packet->packet_direction = 0; if(ndpi_struct->direction_detect_disable) { @@ -3908,7 +3893,7 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct, flow->l4.tcp.seen_ack = 1; } if((flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0) - || (proxy_enabled && (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0))) { + || (flow->next_tcp_seq_nr[0] == 0 || flow->next_tcp_seq_nr[1] == 0)) { /* initialize tcp sequence counters */ /* the ack flag needs to be set to get valid sequence numbers from the other * direction. Usually it will catch the second packet syn+ack but it works @@ -3920,9 +3905,8 @@ void ndpi_connection_tracking(struct ndpi_detection_module_struct *ndpi_struct, if(tcph->ack != 0) { flow->next_tcp_seq_nr[flow->packet.packet_direction] = ntohl(tcph->seq) + (tcph->syn ? 1 : packet->payload_packet_len); - if(!proxy_enabled) { - flow->next_tcp_seq_nr[1 -flow->packet.packet_direction] = ntohl(tcph->ack_seq); - } + + flow->next_tcp_seq_nr[1 -flow->packet.packet_direction] = ntohl(tcph->ack_seq); } } else if(packet->payload_packet_len > 0) { /* check tcp sequence counters */ 
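Review bot: In the -3908 hunk, removing `proxy_enabled` changes the condition rather than simplifying it. The variable was always 0, so the old test reduced to `next_tcp_seq_nr[0] == 0 && next_tcp_seq_nr[1] == 0`, while the new second disjunct makes the whole expression true whenever either counter is 0. The sequence counters are then re-initialised in cases that previously went to the "check tcp sequence counters" branch, which presumably alters retransmission and out-of-order detection for those flows. To preserve behaviour the line should be `if(flow->next_tcp_seq_nr[0] == 0 && flow->next_tcp_seq_nr[1] == 0) {`. The unconditional assignment in the -3920 hunk does match the old `!proxy_enabled` path.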
@@ -4057,7 +4041,7 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_struct, break; /* Stop after detecting the first protocol */ } else if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, - "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a); + "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a); } } @@ -4169,7 +4153,7 @@ static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module struct ndpi_flow_struct *flow) { ndpi_protocol ret; ndpi_protocol_match_result ret_match; - + ret.master_protocol = flow->guessed_protocol_id; ret.app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, (char *)flow->host_server_name, @@ -4181,11 +4165,12 @@ static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module ret.category = flow->category; else ret.category = ret_match.protocol_category; - + if(ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) ret.app_protocol = ret.master_protocol; ndpi_fill_protocol_category(ndpi_struct, flow, &ret); + ndpi_int_change_protocol(ndpi_struct, flow, ret.app_protocol, ret.master_protocol); return(ret); @@ -4196,7 +4181,7 @@ static ndpi_protocol ndpi_process_partial_detection(struct ndpi_detection_module /* You can call this function at any time in case of unknown match to see if there is a partial match that has been prevented by the current nDPI preferences configuration - */ +*/ ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { if((flow->guessed_protocol_id == NDPI_PROTOCOL_HTTP) @@ -4215,7 +4200,7 @@ ndpi_protocol ndpi_get_partial_detection(struct ndpi_detection_module_struct *nd NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; if(flow) ret.category = flow->category; - + return(ret); } } 
@@ -4230,7 +4215,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st return(ret); else ret.category = flow->category; - + /* TODO: add the remaining stage_XXXX protocols */ if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { u_int16_t guessed_protocol_id, guessed_host_protocol_id; @@ -4279,6 +4264,20 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st && (flow->protos.stun_ssl.stun.num_processed_pkts > 0)) guessed_protocol_id = NDPI_PROTOCOL_STUN; + + if(flow->host_server_name[0] != '\0') { + ndpi_protocol_match_result ret_match; + + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + &ret_match, + NDPI_PROTOCOL_DNS); + + if(ret_match.protocol_id != NDPI_PROTOCOL_UNKNOWN) + guessed_host_protocol_id = ret_match.protocol_id; + } + ndpi_int_change_protocol(ndpi_struct, flow, guessed_host_protocol_id, guessed_protocol_id); @@ -4409,7 +4408,7 @@ void ndpi_load_ip_category(struct ndpi_detection_module_struct *ndpi_struct, * */ int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct, - char *name, ndpi_protocol_category_t category) { + char *name, ndpi_protocol_category_t category) { if(name == NULL) return(-1); @@ -4433,18 +4432,8 @@ int ndpi_load_hostname_category(struct ndpi_detection_module_struct *ndpi_struct struct hs_list *h = (struct hs_list*)malloc(sizeof(struct hs_list)); if(h) { - char tmp[256]; int i, j; - for(i=0, j=0; (j<sizeof(tmp)) && (name[i] != '\0'); i++) { - if(name[i] == '.') - tmp[j++] = '\\'; - - tmp[j++] = name[i]; - } - - tmp[j] = '\0'; - h->expression = ndpi_strdup(name), h->id = (unsigned int)category; if(h->expression == NULL) { free(h); 
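Review bot: In the -4279 hunk `ret_match` is declared without an initialiser and `ret_match.protocol_id` is read straight after `ndpi_match_host_subprotocol()`, whose return value is discarded. If that function can return without writing the result struct (its body is not visible here), `guessed_host_protocol_id` is set from an indeterminate value. Setting `ret_match.protocol_id = NDPI_PROTOCOL_UNKNOWN;` before the call makes the check safe either way. The `strlen()` on `flow->host_server_name` also assumes the buffer is NUL-terminated, which the lower-casing loop in ndpi_detection_process_packet() does not guarantee. The call passes `NDPI_PROTOCOL_DNS` as master protocol regardless of the flow, which deserves a one-line comment explaining why.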
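Review bot: In the -4433 hunk the deleted loop leaves `int i, j;` behind with no remaining use in the visible lines, so that declaration should be removed too. The loop was the only place that escaped `.` in the host name, and its result was never used, because `h->expression` was and still is `ndpi_strdup(name)`. If these expressions are later compiled as regular expressions (not visible here), an unescaped `.` matches any character and a category rule can match more host names than its author intended. Either escape the name into the string that is actually stored, or add a comment such as `/* name is used verbatim as the match expression; '.' is not escaped */`. The function continues outside the hunk.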
@@ -4507,7 +4496,8 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str) ndpi_str->custom_categories.hostnames = (struct hs*)malloc(sizeof(struct hs)); if(ndpi_str->custom_categories.hostnames == NULL) { - free(expressions), free(ids); + free(expressions); + free(ids); return(-1); /* Failed */ } 
@@ -4563,31 +4553,32 @@ int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str) /* ********************************************************************************* */ int ndpi_fill_ip_protocol_category(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t saddr, - u_int32_t daddr, - ndpi_protocol *ret) { + u_int32_t saddr, + u_int32_t daddr, + ndpi_protocol *ret) { if(ndpi_struct->custom_categories.categories_loaded) { - prefix_t prefix; - patricia_node_t *node; + prefix_t prefix; + patricia_node_t *node; + + /* Make sure all in network byte order otherwise compares wont work */ + fill_prefix_v4(&prefix, (struct in_addr *)&saddr, + 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits); + node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix); - /* Make sure all in network byte order otherwise compares wont work */ - fill_prefix_v4(&prefix, (struct in_addr *)&saddr, + if(!node) { + fill_prefix_v4(&prefix, (struct in_addr *)&daddr, 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits); node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix); + } - if(!node) { - fill_prefix_v4(&prefix, (struct in_addr *)&daddr, - 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits); - node = ndpi_patricia_search_best(ndpi_struct->custom_categories.ipAddresses, &prefix); - } - - if(node) { - ret->category = (ndpi_protocol_category_t)node->value.user_value; - return 1; - } + if(node) { + ret->category = (ndpi_protocol_category_t)node->value.user_value; + return 1; + } } - + ret->category = ndpi_get_proto_category(ndpi_struct, *ret); + return 0; } 
@@ -4597,12 +4588,10 @@ void ndpi_fill_protocol_category(struct ndpi_detection_module_struct *ndpi_struc struct ndpi_flow_struct *flow, ndpi_protocol *ret) { if(ndpi_struct->custom_categories.categories_loaded) { - if(flow->packet.iph) { - if(ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, ret)) { - flow->category = ret->category; - return; - } - } + if(flow->guessed_header_category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) { + flow->category = ret->category = flow->guessed_header_category; + return; + } if(flow->host_server_name[0] != '\0') { unsigned long id; @@ -4642,14 +4631,14 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE) - NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN, - ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n"); + NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN, + ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n"); if(flow == NULL) return(ret); else ret.category = flow->category; - + flow->num_processed_pkts++; if(flow->server_id == NULL) flow->server_id = dst; /* Default */ 
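Review bot: In the -4597 hunk the early return now relies on `flow->guessed_header_category`, which the visible code assigns only in ndpi_detection_process_packet(). A flow that reaches ndpi_fill_protocol_category() before that assignment depends on the caller having zeroed the flow struct, and the IP-based category is no longer refreshed per call. A comment on the new test would record this, for example `/* IP-derived category cached by ndpi_detection_process_packet() */`. The added `if` block is also indented one level less than the code around it. The function body continues outside the hunk.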
@@ -4731,6 +4720,14 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct flow->guessed_protocol_id = (int16_t) ndpi_guess_protocol_id(ndpi_struct, flow, protocol, sport, dport, &user_defined_proto); flow->guessed_host_protocol_id = ndpi_guess_host_protocol_id(ndpi_struct, flow); + if(ndpi_struct->custom_categories.categories_loaded && flow->packet.iph) { + ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; + + ndpi_fill_ip_protocol_category(ndpi_struct, flow->packet.iph->saddr, flow->packet.iph->daddr, &ret); + flow->guessed_header_category = ret.category; + } else + flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; + if(flow->guessed_protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS-1)) { /* This is a custom protocol and it has priority over everything else */ ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, @@ -4790,10 +4787,14 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(a != NDPI_PROTOCOL_UNKNOWN) { int i; - for(i=0; (i<sizeof(flow->host_server_name)) && (flow->host_server_name[i] != '\0'); i++) - flow->host_server_name[i] = tolower(flow->host_server_name[i]); - - flow->host_server_name[i] ='\0'; + for(i=0; i<sizeof(flow->host_server_name); i++) { + if(flow->host_server_name[i] != '\0') + flow->host_server_name[i] = tolower(flow->host_server_name[i]); + else { + flow->host_server_name[i] ='\0'; + break; + } + } } ret_protocols: @@ -4812,7 +4813,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct && (ret.app_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.tcp && (flow->packet.tcp->syn == 0) - ) { + ) { /* This is a TCP flow - whose first packet is NOT a SYN 
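Review bot: In the -4731 hunk the new block declares a local `ndpi_protocol ret` that shadows the function's own `ret`, declared at the top of ndpi_detection_process_packet(). A later edit inside this block could update the wrong variable, and `-Wshadow` will flag it. Renaming it, for instance `ndpi_protocol ip_ret = { ... };` with `flow->guessed_header_category = ip_ret.category;`, avoids that. The return value of `ndpi_fill_ip_protocol_category()` is ignored, so the fallback category it writes when no address matches is cached as if it were an IP match; checking the result and storing `NDPI_PROTOCOL_CATEGORY_UNSPECIFIED` otherwise would be more explicit. The braced `if` paired with an unbraced `else` should get braces on both branches.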
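Review bot: In the -4790 hunk the rewritten loop no longer writes one byte past `host_server_name`, but it also no longer terminates the buffer when no NUL is found inside it. The `else` branch only stores `'\0'` over a byte that is already `'\0'`, so it has no effect. Code that later runs `strlen()` on this field, such as the block added to ndpi_detection_giveup() in this commit, would then read past the array. Forcing termination before the loop with `flow->host_server_name[sizeof(flow->host_server_name)-1] = '\0';` closes that case and lets the loop go back to a single lower-casing statement. `i` is an `int` compared against `sizeof`, so `size_t i` or `u_int i` would avoid the signed/unsigned comparison.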
@@ -5025,7 +5026,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc for(a = 0; a < packet->payload_packet_len; a++) { if((a + 1) == packet->payload_packet_len) - return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */ + return; /* Return if only one byte remains (prevent invalid reads past end-of-buffer) */ if(get_u_int16_t(packet->payload, a) == ntohs(0x0d0a)) { /* If end of line char sequence CR+NL "\r\n", process line */ packet->line[packet->parsed_lines].len = (u_int16_t)(((unsigned long) &packet->payload[a]) - ((unsigned long) packet->line[packet->parsed_lines].ptr)); @@ -5056,8 +5057,8 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc /* "Server:" header line in HTTP response */ if(packet->line[packet->parsed_lines].len > NDPI_STATICSTRING_LEN("Server:") + 1 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Server:", NDPI_STATICSTRING_LEN("Server:")) == 0) { - // some stupid clients omit a space and place the servername directly after the colon + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Server:", NDPI_STATICSTRING_LEN("Server:")) == 0) { + // some stupid clients omit a space and place the servername directly after the colon if(packet->line[packet->parsed_lines].ptr[NDPI_STATICSTRING_LEN("Server:")] == ' ') { packet->server_line.ptr = &packet->line[packet->parsed_lines].ptr[NDPI_STATICSTRING_LEN("Server:") + 1]; 
@@ -5072,7 +5073,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc /* "Host:" header line in HTTP request */ if(packet->line[packet->parsed_lines].len > 6 && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, - "Host:", 5) == 0) { + "Host:", 5) == 0) { // some stupid clients omit a space and place the hostname directly after the colon if(packet->line[packet->parsed_lines].ptr[5] == ' ') { packet->host_line.ptr = &packet->line[packet->parsed_lines].ptr[6]; @@ -5085,7 +5086,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc } /* "X-Forwarded-For:" header line in HTTP request. Commonly used for HTTP proxies. */ if(packet->line[packet->parsed_lines].len > 17 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "X-Forwarded-For:", 16) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "X-Forwarded-For:", 16) == 0) { // some stupid clients omit a space and place the hostname directly after the colon if(packet->line[packet->parsed_lines].ptr[16] == ' ') { packet->forwarded_line.ptr = &packet->line[packet->parsed_lines].ptr[17]; 
@@ -5098,58 +5099,58 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc } /* "Content-Type:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 14 - && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-Type: ", 14) == 0 - || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type: ", 14) == 0)) { + && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-Type: ", 14) == 0 + || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type: ", 14) == 0)) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[14]; packet->content_line.len = packet->line[packet->parsed_lines].len - 14; packet->http_num_headers++; } /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ if(packet->line[packet->parsed_lines].len > 13 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-type:", 13) == 0) { packet->content_line.ptr = &packet->line[packet->parsed_lines].ptr[13]; packet->content_line.len = packet->line[packet->parsed_lines].len - 13; packet->http_num_headers++; } /* "Accept:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 8 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { packet->accept_line.ptr = &packet->line[packet->parsed_lines].ptr[8]; packet->accept_line.len = packet->line[packet->parsed_lines].len - 8; packet->http_num_headers++; } /* "Referer:" header line in HTTP request. 
*/ if(packet->line[packet->parsed_lines].len > 9 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Referer: ", 9) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Referer: ", 9) == 0) { packet->referer_line.ptr = &packet->line[packet->parsed_lines].ptr[9]; packet->referer_line.len = packet->line[packet->parsed_lines].len - 9; packet->http_num_headers++; } /* "User-Agent:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 12 - && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "User-Agent: ", 12) == 0 - || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "User-agent: ", 12) == 0)) { + && (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "User-Agent: ", 12) == 0 + || strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "User-agent: ", 12) == 0)) { packet->user_agent_line.ptr = &packet->line[packet->parsed_lines].ptr[12]; packet->user_agent_line.len = packet->line[packet->parsed_lines].len - 12; packet->http_num_headers++; } /* "Content-Encoding:" header line in HTTP response (and request?). */ if(packet->line[packet->parsed_lines].len > 18 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-Encoding: ", 18) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-Encoding: ", 18) == 0) { packet->http_encoding.ptr = &packet->line[packet->parsed_lines].ptr[18]; packet->http_encoding.len = packet->line[packet->parsed_lines].len - 18; packet->http_num_headers++; } /* "Transfer-Encoding:" header line in HTTP. 
*/ if(packet->line[packet->parsed_lines].len > 19 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Transfer-Encoding: ", 19) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Transfer-Encoding: ", 19) == 0) { packet->http_transfer_encoding.ptr = &packet->line[packet->parsed_lines].ptr[19]; packet->http_transfer_encoding.len = packet->line[packet->parsed_lines].len - 19; packet->http_num_headers++; } /* "Content-Length:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 16 - && ((strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-Length: ", 16) == 0) + && ((strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Content-Length: ", 16) == 0) || (strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "content-length: ", 16) == 0))) { packet->http_contentlen.ptr = &packet->line[packet->parsed_lines].ptr[16]; packet->http_contentlen.len = packet->line[packet->parsed_lines].len - 16; 
@@ -5157,21 +5158,21 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc } /* "Cookie:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 8 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Cookie: ", 8) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Cookie: ", 8) == 0) { packet->http_cookie.ptr = &packet->line[packet->parsed_lines].ptr[8]; packet->http_cookie.len = packet->line[packet->parsed_lines].len - 8; packet->http_num_headers++; } /* "Origin:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 8 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Origin: ", 8) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Origin: ", 8) == 0) { packet->http_origin.ptr = &packet->line[packet->parsed_lines].ptr[8]; packet->http_origin.len = packet->line[packet->parsed_lines].len - 8; packet->http_num_headers++; } /* "X-Session-Type:" header line in HTTP. */ if(packet->line[packet->parsed_lines].len > 16 - && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "X-Session-Type: ", 16) == 0) { + && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "X-Session-Type: ", 16) == 0) { packet->http_x_session_type.ptr = &packet->line[packet->parsed_lines].ptr[16]; packet->http_x_session_type.len = packet->line[packet->parsed_lines].len - 16; packet->http_num_headers++; @@ -5684,8 +5685,8 @@ char *ndpi_get_packet_dst_ip_string(struct ndpi_detection_module_struct *ndpi_st /* ****************************************************** */ u_int16_t ntohs_ndpi_bytestream_to_number(const u_int8_t * str, - u_int16_t max_chars_to_read, u_int16_t * bytes_read) -{ + u_int16_t max_chars_to_read, + u_int16_t * bytes_read) { u_int16_t val = ndpi_bytestream_to_number(str, max_chars_to_read, bytes_read); return ntohs(val); } 
@@ -5773,7 +5774,7 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct /* ****************************************************** */ char* ndpi_protocol2id(struct ndpi_detection_module_struct *ndpi_mod, - ndpi_protocol proto, char *buf, u_int buf_len) { + ndpi_protocol proto, char *buf, u_int buf_len) { if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.master_protocol != proto.app_protocol)) { if(proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) @@ -5894,7 +5895,7 @@ ndpi_protocol_category_t ndpi_get_proto_category(struct ndpi_detection_module_st return proto.category; /* simple rule: sub protocol first, master after */ else if((proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) || - (ndpi_mod->proto_defaults[proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) + (ndpi_mod->proto_defaults[proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) return ndpi_mod->proto_defaults[proto.app_protocol].protoCategory; else return ndpi_mod->proto_defaults[proto.master_protocol].protoCategory; @@ -6100,7 +6101,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str u_int16_t master_protocol_id, ndpi_protocol_match_result *ret_match, u_int8_t is_host_match) { - int matching_protocol_id = NDPI_PROTOCOL_UNKNOWN; + int matching_protocol_id; struct ndpi_packet_struct *packet = &flow->packet; #ifndef HAVE_HYPERSCAN 
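Review bot: Dropping the initializer on `int matching_protocol_id;` in ndpi_automa_match_string_subprotocol() leaves the value indeterminate on any path of the non-Hyperscan branch that does not assign it, and that branch is not part of this hunk. The variable is later used as an array index in `ndpi_struct->proto_defaults[matching_protocol_id].protoName` (the -6142 hunk) and the function returns `int`, so an unassigned path could become an out-of-bounds read instead of a harmless UNKNOWN result. Unless every path under `#ifndef HAVE_HYPERSCAN` is known to assign it, keeping `int matching_protocol_id = NDPI_PROTOCOL_UNKNOWN;` at the declaration covers both preprocessor branches and makes the assignment added under `#else` in the next hunk unnecessary.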
@@ -6110,17 +6111,19 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str #else struct hs *hs = (struct hs*)ndpi_struct->hyperscan; hs_error_t status; + + matching_protocol_id = NDPI_PROTOCOL_UNKNOWN; /* TODO HYPERSCAN In case of match fill up ret_match and set flow protocol + category - */ + */ status = hs_scan(hs->database, string_to_match, string_to_match_len, 0, hs->scratch, hyperscanEventHandler, &matching_protocol_id); if(status == HS_SUCCESS) { NDPI_LOG_DBG2(ndpi_struct, "[NDPI] Hyperscan engine completed normally. Result: %s [%d][%s]\n", - ndpi_get_proto_name(ndpi_struct, matching_protocol_id), matching_protocol_id, string_to_match); + ndpi_get_proto_name(ndpi_struct, matching_protocol_id), matching_protocol_id, string_to_match); } else if(status == HS_SCAN_TERMINATED) { NDPI_LOG_DBG2(ndpi_struct, "[NDPI] Hyperscan engine was terminated by callback. Result: %s [%d][%s]\n", ndpi_get_proto_name(ndpi_struct, matching_protocol_id), matching_protocol_id, string_to_match); @@ -6142,7 +6145,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str m[len] = '\0'; NDPI_LOG_DBG2(ndpi_struct, "[NDPI] ndpi_match_host_subprotocol(%s): %s\n", - m, ndpi_struct->proto_defaults[matching_protocol_id].protoName); + m, ndpi_struct->proto_defaults[matching_protocol_id].protoName); } #endif @@ -6355,7 +6358,7 @@ void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int32_t key) { - Leave fields empty/zero when information is missing (e.g. with ICMP ports are zero) - The hash_buf most be 30+1 bits or longer - Return code: 0 = OK, -1 otherwise - */ +*/ int ndpi_flowv4_flow_hash(u_int8_t l4_proto, u_int32_t src_ip, u_int32_t dst_ip, u_int16_t src_port, u_int16_t dst_port, diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c index 5992c1b28..ea06a6348 100644 --- a/src/lib/protocols/btlib.c +++ b/src/lib/protocols/btlib.c 
@@ -204,8 +204,7 @@ void cb_data(bt_parse_data_cb_t *cbd,int *ret) { if(cbd->t == 0) return; if(cbd->t == 1) { - - DEBUG_TRACE(printf("%s %lld\n",cbd->buf,cbd->v.i)); + DEBUG_TRACE(printf("%s %lld\n",cbd->buf, (long long)cbd->v.i)); if(STREQ(cbd->buf,"a.port")) { p->a.port = (u_int16_t)(cbd->v.i & 0xffff); @@ -234,7 +233,7 @@ void cb_data(bt_parse_data_cb_t *cbd,int *ret) { p->h_mint = 1; return; } - DEBUG_TRACE(printf("UNKNOWN %s %lld\n",cbd->buf,cbd->v.i)); + DEBUG_TRACE(printf("UNKNOWN %s %lld\n",cbd->buf, (long long)cbd->v.i)); return; } if(cbd->t != 2) { diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c index cf5061bbe..c99ab5fc1 100644 --- a/src/lib/protocols/coap.c +++ b/src/lib/protocols/coap.c @@ -130,7 +130,7 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, if(h->version == 1) { if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) { if(h->tkl < 8) { - if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) || + if((/* h->code >= 0 && */ h->code <= 5) || (h->code >= 65 && h->code <= 69) || (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || (h->code >= 160 && h->code <= 165)) { diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c index 7f4479419..f316f96b7 100644 --- a/src/lib/protocols/csgo.c +++ b/src/lib/protocols/csgo.c @@ -30,6 +30,11 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n struct ndpi_packet_struct* packet = &flow->packet; if (packet->udp != NULL) { + if (packet->payload_packet_len < sizeof(uint32_t)) { + NDPI_LOG_DBG2(ndpi_struct, "Short csgo packet\n"); + return; + } + uint32_t w = htonl(get_u_int32_t(packet->payload, 0)); NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w); diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index 5088685e4..19582724d 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c 
@@ -318,7 +318,6 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct struct ndpi_id_struct *dst = flow->dst; int pos, count = 0; - if (dst != NULL && dst->detected_directconnect_udp_port == packet->udp->dest) { if ((u_int32_t) (packet->tick_timestamp - diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c index 547bafc5f..ca5abebad 100644 --- a/src/lib/protocols/edonkey.c +++ b/src/lib/protocols/edonkey.c @@ -177,7 +177,6 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->edonkey_stage = packet->packet_direction + 1; } - } else { NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage); @@ -187,7 +186,7 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, } /* This is a packet in another direction. Check if we find the proper response. */ - if((payload_len == 0) || (ndpi_edonkey_payload_check(packet->payload, payload_len))) { + if(ndpi_edonkey_payload_check(packet->payload, payload_len)) { NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n"); ndpi_int_edonkey_add_connection(ndpi_struct, flow); } else { diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index 7c646c363..3aaf6f97e 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -62,9 +62,11 @@ static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *nd ; } else return 0; + + return 1; } - return 1; + return 0; } static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 5bc2980cc..75a8e534b 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c 
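Review bot: In ndpi_check_edonkey(), removing the `payload_len == 0` short-circuit means `ndpi_edonkey_payload_check(packet->payload, payload_len)` now decides the empty-payload case, and that helper's body is outside this hunk. If it does not reject a zero or too-short length before reading payload bytes, this is a read past the end of the packet data; if an earlier guard in the function already returns on empty payloads, the removal is a no-op and deserves a comment such as `/* payload_len > 0 is guaranteed by the check above */`. An empty packet in the response direction was previously classified as eDonkey and no longer is, which looks intended but does change detection results.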
@@ -68,7 +68,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - u_int16_t c; NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 33ef9e2ed..e715dd499 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -184,6 +184,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ case 'P': switch(flow->packet.http_method.ptr[1]) { + case 'A': flow->http.method = NDPI_HTTP_METHOD_PATCH; break; case 'O': flow->http.method = NDPI_HTTP_METHOD_POST; break; case 'U': flow->http.method = NDPI_HTTP_METHOD_PUT; break; } @@ -414,6 +415,7 @@ static struct l_string { STATIC_STRING_L("OPTIONS "), STATIC_STRING_L("HEAD "), STATIC_STRING_L("PUT "), + STATIC_STRING_L("PATCH "), STATIC_STRING_L("DELETE "), STATIC_STRING_L("CONNECT "), STATIC_STRING_L("PROPFIND "), diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 515d5b572..0bb87b88a 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -64,6 +64,8 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s goto icecast_exclude; } + if(flow == NULL) return; + if((packet->packet_direction == flow->setup_packet_direction) && (flow->packet_counter < 10)) { return; diff --git a/src/lib/protocols/memcached.c b/src/lib/protocols/memcached.c index e9deb5cc9..44a8b0858 100644 --- a/src/lib/protocols/memcached.c +++ b/src/lib/protocols/memcached.c @@ -89,7 +89,7 @@ #define MEMCACHED_MIN_MATCH 2 /* Minimum number of command/responses required */ -#define MEMCACHED_MATCH(cr) memcmp(offset, cr, cr ## _LEN) +#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) static void ndpi_int_memcached_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
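Review bot: The added `if(flow == NULL) return;` in ndpi_search_icecast_tcp() comes after code that already works on `packet` (the `goto icecast_exclude;` path just above it), and the start of the function is outside this hunk. If `packet` is derived from `flow` there, as in the `struct ndpi_packet_struct *packet = &flow->packet;` pattern visible in the other dissectors of this patch, a NULL `flow` has already been used by the time the test runs, and the compiler may remove the test altogether. Either make the guard the first statement of the function, before `packet` is computed, or drop it if callers never pass NULL.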
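Review bot: `MEMCACHED_MATCH(cr)` now bounds the compare with `cr ## _LEN > length`, but `length` is the whole `packet->payload_packet_len` (declared `const` in the ndpi_search_memcached() hunk that follows) while `memcmp` reads from `offset`. That bound is only valid while `offset` still equals `packet->payload`; the rest of the function is outside the hunk, so if `offset` is advanced before the macro is used, the check allows a read of that many bytes past the payload. Tracking the remaining bytes instead closes this, for example a non-const `length` decremented together with `offset`, or a bound computed as `packet->payload + packet->payload_packet_len - offset`. The macro also depends silently on locals named `offset` and `length`, which a one-line comment above the `#define` should state.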
@@ -105,6 +105,7 @@ void ndpi_search_memcached( { struct ndpi_packet_struct *packet = &flow->packet; const u_int8_t *offset = packet->payload; + const u_int16_t length = packet->payload_packet_len; u_int8_t *matches; NDPI_LOG_DBG(ndpi_struct, "search memcached\n"); |