Diffstat (limited to 'src')
-rw-r--r-- | src/include/linux_compat.h | 88 | ||||
-rw-r--r-- | src/include/ndpi_main.h | 7 | ||||
-rw-r--r-- | src/include/ndpi_protocol_ids.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_protocols.h | 4 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 8 | ||||
-rw-r--r-- | src/lib/Makefile.am | 2 | ||||
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 8 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 92 | ||||
-rw-r--r-- | src/lib/protocols/dcerpc.c | 19 | ||||
-rw-r--r-- | src/lib/protocols/hep.c | 68 | ||||
-rw-r--r-- | src/lib/protocols/kakaotalk_voice.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/mail_smtp.c | 8 | ||||
-rw-r--r-- | src/lib/protocols/skype.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/steam.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/tcp_udp.c | 4 | ||||
-rw-r--r-- | src/lib/protocols/ubntac2.c | 63 |
16 files changed, 308 insertions, 74 deletions
diff --git a/src/include/linux_compat.h b/src/include/linux_compat.h index 1410cda67..0497b31d0 100644 --- a/src/include/linux_compat.h +++ b/src/include/linux_compat.h 
@@ -43,21 +43,90 @@ #endif #pragma pack(push, 1) /* push current alignment to stack */ -#pragma pack(1) /* set alignment to 1 byte boundary */ +#pragma pack(1) /* set alignment to 1 byte boundary */ -#pragma pack(pop) /* restore original alignment from stack */ +#pragma pack(pop) /* restore original alignment from stack */ -struct ndpi_ethhdr { + +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* +++++++++++ Ethernet data structures +++++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + +struct ndpi_ethhdr +{ u_char h_dest[6]; /* destination eth addr */ u_char h_source[6]; /* source ether addr */ u_int16_t h_proto; /* packet type ID field */ }; -struct ndpi_80211q { - u_int16_t vlanId; - u_int16_t protoType; -}; +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* +++++++++++ ieee802.11 data structures +++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + +/******* RADIO TAP *******/ +/* radiotap header */ +struct ndpi_radiotap_header +{ + u_int8_t version; /* set to 0 */ + u_int8_t pad; + u_int16_t len; + u_int32_t present; + u_int64_t MAC_timestamp; + u_int8_t flags; + +} __attribute__((__packed__)); + +/* Beacon frame */ +struct ndpi_beacon +{ + /* header -- 24 byte */ + u_int16_t fc; + u_int16_t duration; + u_char rcv_addr[6]; + u_char trsm_addr[6]; + u_char bssid[6]; + u_int16_t seq_ctrl; + /* body (variable) */ + u_int64_t timestamp; /* 802.11 Timestamp value at frame send */ + u_int16_t beacon_interval; /* Interval at which beacons are send */ + u_int16_t capability; + /** List of information elements **/ + /* union ndpi_80211_info info_element[0]; */ +} __attribute__((packed)); + + +/* Wifi data frame - TODO: specify when addr1 addr2 addr3 is rcv, trams or bssid*/ +struct ndpi_wifi_data_frame +{ + u_int16_t fc; + u_int16_t duration; + u_char addr1[6]; + u_char addr2[6]; + u_char addr3[6]; + u_int16_t seq_ctrl; +} __attribute__((packed)); + +/* Logical-Link Control header */ +struct 
ndpi_llc_header_proto +{ + u_int8_t dsap; + u_int8_t ssap; + u_int8_t ctl; + /* u_int8_t pad1; */ + u_int16_t org; + u_int8_t org2; + /* u_int8_t pad2; */ + u_int16_t ether_IP_type; +} __attribute__((packed)); + + +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* ++++++++++++++ IP data structures ++++++++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + + +/* IP header */ struct ndpi_iphdr { #if defined(__LITTLE_ENDIAN__) u_int8_t ihl:4, version:4; @@ -166,6 +235,11 @@ struct ndpi_ip6_hdr { struct ndpi_in6_addr ip6_dst; }; +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* ++++++++ Transport Layer data structures +++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + + struct ndpi_tcphdr { u_int16_t source; u_int16_t dest; diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index adec3edf1..1acc5e14f 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -143,13 +143,6 @@ extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct u_int16_t** tcp_master_proto, u_int16_t** udp_master_proto); -extern u_int8_t ndpi_net_match(u_int32_t ip_to_check, - u_int32_t net, - u_int32_t num_bits); - -extern u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst, - u_int32_t net, u_int32_t num_bits); - #ifdef NDPI_ENABLE_DEBUG_MESSAGES void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct, const char **file, const char **func, u_int32_t * line); diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index cfb5897ba..8a94db2ce 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h 
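Review bot: `struct ndpi_radiotap_header` is declared as if `MAC_timestamp` and `flags` always follow `present`, but in radiotap those fields exist only when the matching bits of `present` are set and the true header size is the little-endian `len` field, so any consumer that walks this fixed 17-byte layout will misparse frames with a different present bitmap. A comment above the struct would prevent that misuse, e.g. `/* only version..present are fixed; later fields depend on 'present' bits — always skip the header using 'len' */`. `struct ndpi_beacon` has the same property: the information elements after `capability` are variable-length and must be bounds-checked against the captured length before use. The hunk also drops `struct ndpi_80211q` from a public header, which is a breaking change for any out-of-tree code that used it; if nothing does, a line in the commit message saying so would help.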
@@ -201,6 +201,8 @@ #define NDPI_PROTOCOL_WHATSAPP_VOICE 189 #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci <matteobracci1@gmail.com> */ #define NDPI_PROTOCOL_TEREDO 214 +#define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */ +#define NDPI_PROTOCOL_UBNTAC2 217 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom <thomas+ndpi@fjellstrom.ca> */ #define NDPI_CONTENT_AVI 39 #define NDPI_CONTENT_FLASH 40 @@ -263,7 +265,7 @@ #define NDPI_SERVICE_HOTSPOT_SHIELD 215 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_HOTSPOT_SHIELD +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_UBNTAC2 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 6171f00bc..963aac6f2 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -72,6 +72,7 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); 
@@ -195,6 +196,7 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ @@ -288,6 +290,7 @@ void init_rtsp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_shoutcast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_skinny_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -332,5 +335,6 @@ void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in void init_zattoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_zmq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_INCLUDE_FILE__ */ diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 8ea4650a6..7f82d0a28 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -672,12 +672,10 @@ typedef struct ndpi_flow_struct { u_int16_t protocol_stack_info; /* init parameter, internal used to set up timestamp,... */ - u_int16_t guessed_protocol_id; + u_int16_t guessed_protocol_id, guessed_host_proto_id; - u_int8_t protocol_id_already_guessed:1; - u_int8_t init_finished:1; - u_int8_t setup_packet_direction:1; - u_int8_t packet_direction:1; /* if ndpi_struct->direction_detect_disable == 1 */ + u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1; + /* if ndpi_struct->direction_detect_disable == 1 */ /* tcp sequence number connection tracking */ u_int32_t next_tcp_seq_nr[2]; diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 4e8b1f6c4..ee395f5cd 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -52,6 +52,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/guildwars.c \ protocols/h323.c \ protocols/halflife2_and_mods.c \ + protocols/hep.c \ protocols/http_activesync.c \ protocols/http.c \ protocols/iax.c \ 
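Review bot: The comment `/* if ndpi_struct->direction_detect_disable == 1 */` in the ndpi_typedefs.h hunk now sits on a line of its own after a five-field bitfield declaration, so it no longer says which field it qualifies (it belonged to `packet_direction`). Either keep `packet_direction:1` as a separate declaration with the comment attached, or reword it to name the field: `/* packet_direction is only meaningful if ndpi_struct->direction_detect_disable == 1 */`. The new `guessed_host_proto_id` and `host_already_guessed` fields also deserve a one-line comment each, since nothing here says that the former is the per-flow IP-range guess filled in by ndpi_detection_process_packet and the latter the flag that it has been computed.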
@@ -139,6 +140,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
 	protocols/tvants.c \
 	protocols/tvuplayer.c \
 	protocols/twitter.c \
+	protocols/ubntac2.c \
 	protocols/usenet.c \
 	protocols/veohtv.c \
 	protocols/viber.c \
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 5e0210d71..c2d219e5f 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -7320,10 +7320,13 @@ ndpi_protocol_match host_match[] = {
   { ".cnn.c", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN },
   { ".cnn.net", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN },
   { ".dropbox.com", "DropBox", NDPI_SERVICE_DROPBOX, NDPI_PROTOCOL_SAFE },
+  { ".ebay.", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
   { ".ebay.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
   { ".ebaystatic.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
   { ".ebaydesc.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
   { ".ebayrtm.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
+  { ".ebaystratus.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
+  { ".ebayimg.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
   { ".facebook.com", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN },
   { ".fbcdn.net", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN },
   { "fbcdn-", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, /* fbcdn-video-a-akamaihd.net */
@@ -7349,7 +7352,7 @@ ndpi_protocol_match host_match[] = {
   { "nflxext.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
   { "nflximg.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
   { "nflximg.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
-
+  { "nflxvideo.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
   { ".skype.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
   { ".skypeassets.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
   { ".skypedata.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
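Review bot: The new `".ebay."` entry is an unanchored substring, so any host name that contains `.ebay.` anywhere — not only eBay-operated domains — is classified as eBay and tagged NDPI_PROTOCOL_ACCEPTABLE; the table already has such patterns (`.skype.`, `.yahoo.`), but each one widens what an unrelated host can get labelled as, so consumers should not treat these host-string labels as an allow-list. If the intent is the eBay country TLDs, a comment such as `/* .ebay.<cc-tld> */` would make the breadth deliberate rather than accidental. The `.webex.com` line further down maps to `NDPI_PROTOCOL_WEBEX` while its neighbours use `NDPI_SERVICE_*` identifiers; worth confirming that is the intended one.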
@@ -7365,7 +7368,7 @@ ndpi_protocol_match host_match[] = {
   { "wikimediafoundation.", "Wikipedia", NDPI_SERVICE_WIKIPEDIA, NDPI_PROTOCOL_ACCEPTABLE },
   { ".whatsapp.net", "WhatsApp", NDPI_SERVICE_WHATSAPP, NDPI_PROTOCOL_ACCEPTABLE },
   { ".yahoo.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
-  { "yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
+  { ".yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
   { "yahooapis.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
   { "youtube.", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN },
   { ".googlevideo.com", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN },
@@ -7417,6 +7420,7 @@ ndpi_protocol_match host_match[] = {
   { "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_FUN },
   { ".anchorfree.", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
   { "hotspotshield.com", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+  { ".webex.com", "Webex", NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_ACCEPTABLE },
   { NULL, 0 }
 };
 
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5fb0b6cd8..5fe7e61af 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -833,6 +833,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			    no_master, "IPP",
 			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+    ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HEP,
+			    no_master,
+			    no_master, "HEP",
+			    ndpi_build_default_ports(ports_a, 9064, 0, 0, 0, 0) /* TCP */,
+			    ndpi_build_default_ports(ports_b, 9063, 0, 0, 0, 0) /* UDP */);
     ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP,
 			    no_master,
 			    no_master, "HTTP",
@@ -1622,7 +1627,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "Starcraft", ndpi_build_default_ports(ports_a, 1119, 0, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 1119, 0, 0, 0, 0)); /* UDP */ - + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2, + no_master, + no_master, "UBNTAC2", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -1666,20 +1676,20 @@ static int fill_prefix_v4(prefix_t *p, struct in_addr *a, int b, int mb) { /* ******************************************* */ -u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) { +u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin /* network byte order */) { prefix_t prefix; patricia_node_t *node; - pin->s_addr = ntohl(pin->s_addr); /* Make sure all in network byte order otherwise compares wont work */ + /* Make sure all in network byte order otherwise compares wont work */ fill_prefix_v4(&prefix, pin, 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits); node = ndpi_patricia_search_best(ndpi_struct->protocols_ptree, &prefix); - + return(node ? node->value.user_value : NDPI_PROTOCOL_UNKNOWN); } /* ******************************************* */ -u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host) { +u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host /* network byte order */) { struct in_addr pin; pin.s_addr = host; 
@@ -1700,11 +1710,9 @@ u_int8_t ndpi_is_tor_flow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; if(packet->tcp != NULL) { - if(flow->packet.iph) { - struct in_addr saddr = { packet->iph->saddr }; - struct in_addr daddr = { packet->iph->daddr }; - if(tor_ptree_match(ndpi_struct, &saddr) - || tor_ptree_match(ndpi_struct, &daddr)) { + if(packet->iph) { + if(tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->saddr) + || tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->daddr)) { return(1); } } @@ -1736,7 +1744,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, struct in_addr pin; patricia_node_t *node; - pin.s_addr = ntohl(host_list[i].network); + pin.s_addr = htonl(host_list[i].network); if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL) node->value.user_value = host_list[i].value; } @@ -1745,19 +1753,18 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************* */ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, - char *value, int protocol_id) { - - patricia_node_t *node; - struct in_addr pin; + char *value, int protocol_id) { - inet_pton(AF_INET, value, &pin); - pin.s_addr = ntohl(pin.s_addr); - - if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { - node->value.user_value = protocol_id; - } + patricia_node_t *node; + struct in_addr pin; + + inet_pton(AF_INET, value, &pin); + + if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { + node->value.user_value = protocol_id; + } - return(0); + return(0); } #endif 
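Review bot: In the re-indented body of `ndpi_add_host_ip_subprotocol` the return value of `inet_pton(AF_INET, value, &pin)` is still ignored and `pin` is uninitialized, so a malformed `value` inserts an indeterminate address into `protocols_ptree` with `protocol_id` attached; `value` presumably comes from a user-supplied protocol definition file (inferred from the function's role, not visible here), so a typo there becomes a silently wrong /32 classification. Suggest `if(inet_pton(AF_INET, value, &pin) != 1) return(-1);` ahead of the `add_to_ptree` call, with the caller logging the rejected entry. The three hunks on this line also move the tree to network byte order (`htonl` in `ndpi_init_ptree_ipv4`, the `ntohl` dropped here, the `in_addr` casts in `ndpi_is_tor_flow`); a comment at the top of `ndpi_add_host_ip_subprotocol` such as `/* ptree keys are stored in network byte order */` would record the contract they now share.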
@@ -1891,13 +1898,16 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc ndpi_default_ports_tree_node_t node; if(sport && dport) { - node.default_port = sport; + int low = ndpi_min(sport, dport); + int high = ndpi_max(sport, dport); + + node.default_port = low; /* Check server port first */ ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot, ndpi_default_ports_tree_node_t_cmp); if(ret == NULL) { - node.default_port = dport; + node.default_port = high; ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot, ndpi_default_ports_tree_node_t_cmp); @@ -2250,6 +2260,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* SIP */ init_sip_dissector(ndpi_struct, &a, detection_bitmask); + /* HEP */ + init_hep_dissector(ndpi_struct, &a, detection_bitmask); + /* BITTORRENT */ init_bittorrent_dissector(ndpi_struct, &a, detection_bitmask); @@ -2622,6 +2635,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MPEGTS */ init_mpegts_dissector(ndpi_struct, &a, detection_bitmask); + /* UBNTAC2 */ + init_ubntac2_dissector(ndpi_struct, &a, detection_bitmask); /* ----------------------------------------------------------------- */ 
@@ -3418,23 +3433,30 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } else ret.protocol = flow->detected_protocol_stack[0]; - - if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph) { - struct in_addr pin = { flow->packet.iph->saddr }; - - if((ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { - pin.s_addr = flow->packet.iph->daddr; - ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin); + if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) + && flow->packet.iph + && (!flow->host_already_guessed)) { + + if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr)) == NDPI_PROTOCOL_UNKNOWN) { + flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->daddr); } + + flow->host_already_guessed = 1; + } + +#if 0 - /* Swap proocols in case of success */ + /* Swap protocols in case of success */ if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) { u_int16_t t = ret.master_protocol; ret.master_protocol = ret.protocol; ret.protocol = t; } - } +#endif + + if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol != NDPI_PROTOCOL_UNKNOWN)) + ret.protocol = flow->guessed_host_proto_id; return(ret); } @@ -4239,11 +4261,11 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct return(ret); check_guessed_skype: - addr.s_addr = shost; + addr.s_addr = htonl(shost); if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) { ret.protocol = NDPI_PROTOCOL_SKYPE; } else { - addr.s_addr = dhost; + addr.s_addr = htonl(dhost); if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) ret.protocol = NDPI_PROTOCOL_SKYPE; } diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index 2537afd56..ec96d1287 100644 --- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c 
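Review bot: The final `if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol != NDPI_PROTOCOL_UNKNOWN)) ret.protocol = flow->guessed_host_proto_id;` only applies the IP-range guess when a master protocol is already known, so a flow with both fields unknown never receives `guessed_host_proto_id` even though the block just above computed it; if that is intended the condition needs a comment, otherwise the `master_protocol` test looks inverted relative to the code it replaces, which guessed only when the master was unknown. The `#if 0 … #endif` block should be removed rather than kept with a corrected typo — dead code is never compile-checked and misleads the next reader. `flow->guessed_host_proto_id` is also read on flows where the guess block was skipped (no `iph`), so the logic relies on the flow struct being zero-initialized and on `NDPI_PROTOCOL_UNKNOWN` being zero; a comment on the field, or an explicit init where the flow is created, would make that dependency visible. `ndpi_detection_process_packet` begins outside the hunk.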
@@ -18,7 +18,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see <http://www.gnu.org/licenses/>. - * + * */ @@ -35,20 +35,23 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - if((packet->tcp != NULL) - && (packet->payload_packet_len > 64) - && ((ntohs(packet->tcp->source) == 135) || (ntohs(packet->tcp->dest) == 135)) + u_int16_t len_packet = (packet->payload[9]<<8) | packet->payload[8]; + + if((packet->tcp != NULL) + && (packet->payload_packet_len >= 64) && (packet->payload[0] == 0x05) /* version 5 */ && (packet->payload[2] < 16) /* Packet type */ - ) { - NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); + && (len_packet == packet->payload_packet_len) /* Packet Length */ + ) { + NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); ndpi_int_dcerpc_add_connection(ndpi_struct, flow); return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); + if(packet->payload_packet_len>1){ + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); + } } diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c new file mode 100644 index 000000000..516e430e7 --- /dev/null +++ b/src/lib/protocols/hep.c 
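Review bot: `u_int16_t len_packet = (packet->payload[9]<<8) | packet->payload[8];` runs before the `payload_packet_len >= 64` test, so every packet shorter than 10 bytes — including zero-length payloads, where `payload` may not point at readable memory — reads past the end of the payload; guard the read with `u_int16_t len_packet = (packet->payload_packet_len >= 10) ? ((packet->payload[9]<<8) | packet->payload[8]) : 0;` (the later `>= 64` check keeps the match logic unchanged). The comparison also assumes a little-endian `frag_length`: in DCE/RPC the integer byte order is given by the data-representation byte at `payload[4]`, so big-endian senders never match — at minimum a comment should state the assumption. The new `if(packet->payload_packet_len>1)` around the exclusion is unexplained; a short comment on why a 0- or 1-byte payload should not exclude DCERPC (and so leaves the dissector running on later packets) would help reviewers.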
@@ -0,0 +1,68 @@
+/*
+ * hep.c
+ *
+ * Copyright (C) 2009-2011 by ipoque GmbH
+ * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-15 - QXIP BV
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocols.h"
+#ifdef NDPI_PROTOCOL_HEP
+
+static void ndpi_int_hep_add_connection(struct ndpi_detection_module_struct
+					*ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HEP, NDPI_PROTOCOL_UNKNOWN);
+}
+
+void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &flow->packet;
+  const u_int8_t *packet_payload = packet->payload;
+  u_int32_t payload_len = packet->payload_packet_len;
+
+  NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "searching for HEP.\n");
+  if (payload_len > 10) {
+    if (memcmp(packet_payload, "HEP3", 4) == 0) {
+      NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n");
+      ndpi_int_hep_add_connection(ndpi_struct, flow);
+      return;
+    }
+  }
+
+  NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n");
+  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HEP);
+}
+
+
+void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+  ndpi_set_bitmask_protocol_detection("HEP", ndpi_struct, detection_bitmask, *id,
+				      NDPI_PROTOCOL_HEP,
+				      ndpi_search_hep,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
+				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+				      ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}
+
+#endif
diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c
index 38596e41d..daa97cc36 100644
--- a/src/lib/protocols/kakaotalk_voice.c
+++ b/src/lib/protocols/kakaotalk_voice.c
@@ -56,7 +56,7 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc
     }
   }
 
-  NDPI_LOG(NDPI_PROTOCOL_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n");
+  NDPI_LOG(NDPI_SERVICE_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n");
   NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_KAKAOTALK_VOICE);
 }
 
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 37846930e..422ed0dc2 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
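Review bot: `ndpi_search_hep` decides on the 4-byte magic `"HEP3"` alone, so any TCP or UDP payload that begins with those bytes, on any port, is labelled HEP; if I recall the HEP3 framing correctly the magic is immediately followed by a 16-bit total-length field (bytes 4–5, network order), and checking it against `payload_len` would make an accidental or deliberate false match far less likely. The `memcmp` is in-bounds because `payload_len > 10` is tested first, but the bound itself is unexplained — a comment such as `/* > 10: magic (4) + total length (2) + room for a chunk header */` would state what it is meant to guarantee, or the constant should be tightened to what the check actually needs. The header credits ipoque GmbH 2009-2011 on a file that is new in this commit; that looks copied from another dissector and should be trimmed to the actual authors.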
@@ -117,10 +117,10 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct && (packet->line[a].ptr[1] == 'T' || packet->line[a].ptr[1] == 't') && (packet->line[a].ptr[2] == 'A' || packet->line[a].ptr[2] == 'a') && (packet->line[a].ptr[3] == 'R' || packet->line[a].ptr[3] == 'r') - && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[0] == 't') - && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[1] == 't') - && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[2] == 'l') - && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[3] == 's')) { + && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[4] == 't') + && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[5] == 't') + && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[6] == 'l') + && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[7] == 's')) { flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS; } } diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 7f201569c..e3bd00332 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -40,8 +40,8 @@ u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, Skype connections are identified by some SSL-like communications without SSL certificate being exchanged */ - if(is_skype_host(ndpi_struct, ntohl(packet->iph->saddr)) - || is_skype_host(ndpi_struct, ntohl(packet->iph->daddr))) { + if(is_skype_host(ndpi_struct, packet->iph->saddr) + || is_skype_host(ndpi_struct, packet->iph->daddr)) { return(1); } } diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c index fe7b9d161..7ed0eae29 100644 --- a/src/lib/protocols/steam.c +++ b/src/lib/protocols/steam.c 
@@ -34,6 +34,7 @@ static void ndpi_int_steam_add_connection(struct ndpi_detection_module_struct *n static void ndpi_check_steam_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 23 && memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) { diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 1eb9c8773..7ca276dca 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c @@ -37,9 +37,9 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc } } - if((rc = ndpi_host_ptree_match(ndpi_struct, saddr)) != NDPI_PROTOCOL_UNKNOWN) return(rc); + if((rc = ndpi_host_ptree_match(ndpi_struct, htonl(saddr))) != NDPI_PROTOCOL_UNKNOWN) return(rc); - return(ndpi_host_ptree_match(ndpi_struct, daddr)); + return(ndpi_host_ptree_match(ndpi_struct, htonl(daddr))); } void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c new file mode 100644 index 000000000..7763c18d1 --- /dev/null +++ b/src/lib/protocols/ubntac2.c 
@@ -0,0 +1,63 @@
+/*
+ * ubntac2.c
+ *
+ * Copyright (C) 2015 Thomas Fjellstrom
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocols.h"
+
+#ifdef NDPI_PROTOCOL_UBNTAC2
+
+static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN);
+}
+
+
+void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &flow->packet;
+
+  NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest));
+
+  if (packet->payload_packet_len >= 135 &&
+      (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) &&
+      memcmp(&(packet->payload[36]), "UBNT", 4) == 0) {
+
+    NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n");
+
+    ndpi_int_ubntac2_add_connection(ndpi_struct, flow);
+    return;
+  }
+
+  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2);
+}
+
+
+void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+  ndpi_set_bitmask_protocol_detection("UBNTAC2", ndpi_struct, detection_bitmask, *id,
+				      NDPI_PROTOCOL_UBNTAC2,
+				      ndpi_search_ubntac2,
+				      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+				      ADD_TO_DETECTION_BITMASK);
+  *id += 1;
+}
+
+#endif
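Review bot: The `NDPI_LOG` at the top of `ndpi_search_ubntac2` dereferences `packet->udp` before any NULL check; that is presumably safe only because the dissector is registered with `NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD`, and the dependency should be written down: `/* packet->udp is non-NULL: registered with UDP_WITH_PAYLOAD only */`. The constants `135` and `36` are unexplained; naming them (minimum request length, offset of the `"UBNT"` marker) in a comment or two `#define`s would let a reader confirm at a glance that the length bound covers the `memcmp` at bytes 36..39, which it does. The `%i` conversions are fed `ntohs()` results and `payload_packet_len`, which promote to `int`, so the format string itself is fine.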