Diffstat (limited to 'src')
-rw-r--r--src/include/linux_compat.h88
-rw-r--r--src/include/ndpi_main.h7
-rw-r--r--src/include/ndpi_protocol_ids.h4
-rw-r--r--src/include/ndpi_protocols.h4
-rw-r--r--src/include/ndpi_typedefs.h8
-rw-r--r--src/lib/Makefile.am2
-rw-r--r--src/lib/ndpi_content_match.c.inc8
-rw-r--r--src/lib/ndpi_main.c92
-rw-r--r--src/lib/protocols/dcerpc.c19
-rw-r--r--src/lib/protocols/hep.c68
-rw-r--r--src/lib/protocols/kakaotalk_voice.c2
-rw-r--r--src/lib/protocols/mail_smtp.c8
-rw-r--r--src/lib/protocols/skype.c4
-rw-r--r--src/lib/protocols/steam.c1
-rw-r--r--src/lib/protocols/tcp_udp.c4
-rw-r--r--src/lib/protocols/ubntac2.c63
16 files changed, 308 insertions, 74 deletions
diff --git a/src/include/linux_compat.h b/src/include/linux_compat.h
index 1410cda67..0497b31d0 100644
--- a/src/include/linux_compat.h
+++ b/src/include/linux_compat.h
@@ -43,21 +43,90 @@
#endif
#pragma pack(push, 1) /* push current alignment to stack */
-#pragma pack(1) /* set alignment to 1 byte boundary */
+#pragma pack(1) /* set alignment to 1 byte boundary */
-#pragma pack(pop) /* restore original alignment from stack */
+#pragma pack(pop) /* restore original alignment from stack */
-struct ndpi_ethhdr {
+
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+/* +++++++++++ Ethernet data structures +++++++++++++ */
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+
+struct ndpi_ethhdr
+{
u_char h_dest[6]; /* destination eth addr */
u_char h_source[6]; /* source ether addr */
u_int16_t h_proto; /* packet type ID field */
};
-struct ndpi_80211q {
- u_int16_t vlanId;
- u_int16_t protoType;
-};
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+/* +++++++++++ ieee802.11 data structures +++++++++++ */
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+
+/******* RADIO TAP *******/
+/* radiotap header */
+struct ndpi_radiotap_header
+{
+ u_int8_t version; /* set to 0 */
+ u_int8_t pad;
+ u_int16_t len;
+ u_int32_t present;
+ u_int64_t MAC_timestamp;
+ u_int8_t flags;
+
+} __attribute__((__packed__));
+
+/* Beacon frame */
+struct ndpi_beacon
+{
+ /* header -- 24 byte */
+ u_int16_t fc;
+ u_int16_t duration;
+ u_char rcv_addr[6];
+ u_char trsm_addr[6];
+ u_char bssid[6];
+ u_int16_t seq_ctrl;
+ /* body (variable) */
+ u_int64_t timestamp; /* 802.11 Timestamp value at frame send */
+ u_int16_t beacon_interval; /* Interval at which beacons are send */
+ u_int16_t capability;
+ /** List of information elements **/
+ /* union ndpi_80211_info info_element[0]; */
+} __attribute__((packed));
+
+
+/* Wifi data frame - TODO: specify when addr1 addr2 addr3 is rcv, trams or bssid*/
+struct ndpi_wifi_data_frame
+{
+ u_int16_t fc;
+ u_int16_t duration;
+ u_char addr1[6];
+ u_char addr2[6];
+ u_char addr3[6];
+ u_int16_t seq_ctrl;
+} __attribute__((packed));
+
+/* Logical-Link Control header */
+struct ndpi_llc_header_proto
+{
+ u_int8_t dsap;
+ u_int8_t ssap;
+ u_int8_t ctl;
+ /* u_int8_t pad1; */
+ u_int16_t org;
+ u_int8_t org2;
+ /* u_int8_t pad2; */
+ u_int16_t ether_IP_type;
+} __attribute__((packed));
+
+
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+/* ++++++++++++++ IP data structures ++++++++++++++++ */
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+
+
+/* IP header */
struct ndpi_iphdr {
#if defined(__LITTLE_ENDIAN__)
u_int8_t ihl:4, version:4;
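Review bot: `struct ndpi_radiotap_header` fixes `MAC_timestamp` and `flags` directly after `present`, but in radiotap those fields are only there when the matching bits of `present` are set, and the real header size is carried in `len` (little-endian). Code that overlays this struct on a captured frame should first check the captured length against `sizeof(struct ndpi_radiotap_header)` and then skip `len` bytes to reach the 802.11 header, not `sizeof`. I would record that on the struct, e.g. `/* MAC_timestamp/flags are valid only if 'present' has TSFT and FLAGS set; use 'len' (LE) to skip the header */`. The hunk also mixes `__attribute__((__packed__))` and `__attribute__((packed))` for the new structs; one spelling would read better. `struct ndpi_iphdr` continues past the end of the hunk.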
@@ -166,6 +235,11 @@ struct ndpi_ip6_hdr {
struct ndpi_in6_addr ip6_dst;
};
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+/* ++++++++ Transport Layer data structures +++++++++ */
+/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */
+
+
struct ndpi_tcphdr {
u_int16_t source;
u_int16_t dest;
diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h
index adec3edf1..1acc5e14f 100644
--- a/src/include/ndpi_main.h
+++ b/src/include/ndpi_main.h
@@ -143,13 +143,6 @@ extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct
u_int16_t** tcp_master_proto,
u_int16_t** udp_master_proto);
-extern u_int8_t ndpi_net_match(u_int32_t ip_to_check,
- u_int32_t net,
- u_int32_t num_bits);
-
-extern u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst,
- u_int32_t net, u_int32_t num_bits);
-
#ifdef NDPI_ENABLE_DEBUG_MESSAGES
void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct,
const char **file, const char **func, u_int32_t * line);
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
index cfb5897ba..8a94db2ce 100644
--- a/src/include/ndpi_protocol_ids.h
+++ b/src/include/ndpi_protocol_ids.h
@@ -201,6 +201,8 @@
#define NDPI_PROTOCOL_WHATSAPP_VOICE 189
#define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci <matteobracci1@gmail.com> */
#define NDPI_PROTOCOL_TEREDO 214
+#define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */
+#define NDPI_PROTOCOL_UBNTAC2 217 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom <thomas+ndpi@fjellstrom.ca> */
#define NDPI_CONTENT_AVI 39
#define NDPI_CONTENT_FLASH 40
@@ -263,7 +265,7 @@
#define NDPI_SERVICE_HOTSPOT_SHIELD 215
/* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */
-#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_HOTSPOT_SHIELD
+#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_UBNTAC2
#define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1)
#define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL)
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
index 6171f00bc..963aac6f2 100644
--- a/src/include/ndpi_protocols.h
+++ b/src/include/ndpi_protocols.h
@@ -72,6 +72,7 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct
void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
@@ -195,6 +196,7 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd
void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
/* --- INIT FUNCTIONS --- */
@@ -288,6 +290,7 @@ void init_rtsp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_shoutcast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_skinny_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
@@ -332,5 +335,6 @@ void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in
void init_zattoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_zmq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
#endif /* __NDPI_PROTOCOLS_INCLUDE_FILE__ */
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 8ea4650a6..7f82d0a28 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -672,12 +672,10 @@ typedef struct ndpi_flow_struct {
u_int16_t protocol_stack_info;
/* init parameter, internal used to set up timestamp,... */
- u_int16_t guessed_protocol_id;
+ u_int16_t guessed_protocol_id, guessed_host_proto_id;
- u_int8_t protocol_id_already_guessed:1;
- u_int8_t init_finished:1;
- u_int8_t setup_packet_direction:1;
- u_int8_t packet_direction:1; /* if ndpi_struct->direction_detect_disable == 1 */
+ u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1;
+ /* if ndpi_struct->direction_detect_disable == 1 */
/* tcp sequence number connection tracking */
u_int32_t next_tcp_seq_nr[2];
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 4e8b1f6c4..ee395f5cd 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -52,6 +52,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/guildwars.c \
protocols/h323.c \
protocols/halflife2_and_mods.c \
+ protocols/hep.c \
protocols/http_activesync.c \
protocols/http.c \
protocols/iax.c \
@@ -139,6 +140,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \
protocols/tvants.c \
protocols/tvuplayer.c \
protocols/twitter.c \
+ protocols/ubntac2.c \
protocols/usenet.c \
protocols/veohtv.c \
protocols/viber.c \
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 5e0210d71..c2d219e5f 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -7320,10 +7320,13 @@ ndpi_protocol_match host_match[] = {
{ ".cnn.c", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN },
{ ".cnn.net", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN },
{ ".dropbox.com", "DropBox", NDPI_SERVICE_DROPBOX, NDPI_PROTOCOL_SAFE },
+ { ".ebay.", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebay.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebaystatic.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebaydesc.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
{ ".ebayrtm.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".ebaystratus.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".ebayimg.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE },
{ ".facebook.com", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN },
{ ".fbcdn.net", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN },
{ "fbcdn-", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, /* fbcdn-video-a-akamaihd.net */
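Review bot: The new `".ebay."` pattern is much broader than the `.ebay*.com` entries around it. If `host_match` strings are matched as substrings (which entries like `"fbcdn-"` suggest), it labels any hostname that has an `ebay` label in any position, including names under unrelated domains, and it makes the existing `".ebay.com"` line redundant. The hostname comes from the peer, so the resulting eBay classification should be treated as a hint rather than a policy input. If the goal is country TLDs, a comment saying so would help: `/* matches ebay.<cctld>; substring match, also hits <x>.ebay.<anything> */`.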
@@ -7349,7 +7352,7 @@ ndpi_protocol_match host_match[] = {
{ "nflxext.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
{ "nflximg.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
{ "nflximg.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
-
+ { "nflxvideo.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
{ ".skype.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
{ ".skypeassets.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
{ ".skypedata.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
@@ -7365,7 +7368,7 @@ ndpi_protocol_match host_match[] = {
{ "wikimediafoundation.", "Wikipedia", NDPI_SERVICE_WIKIPEDIA, NDPI_PROTOCOL_ACCEPTABLE },
{ ".whatsapp.net", "WhatsApp", NDPI_SERVICE_WHATSAPP, NDPI_PROTOCOL_ACCEPTABLE },
{ ".yahoo.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
- { "yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
{ "yahooapis.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE },
{ "youtube.", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN },
{ ".googlevideo.com", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN },
@@ -7417,6 +7420,7 @@ ndpi_protocol_match host_match[] = {
{ "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_FUN },
{ ".anchorfree.", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
{ "hotspotshield.com", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS },
+ { ".webex.com", "Webex", NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_ACCEPTABLE },
{ NULL, 0 }
};
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 5fb0b6cd8..5fe7e61af 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -833,6 +833,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "IPP",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HEP,
+ no_master,
+ no_master, "HEP",
+ ndpi_build_default_ports(ports_a, 9064, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_b, 9063, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP,
no_master,
no_master, "HTTP",
@@ -1622,7 +1627,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
no_master, "Starcraft",
ndpi_build_default_ports(ports_a, 1119, 0, 0, 0, 0), /* TCP */
ndpi_build_default_ports(ports_b, 1119, 0, 0, 0, 0)); /* UDP */
-
+ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2,
+ no_master,
+ no_master, "UBNTAC2",
+ ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */
+ ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */
+
/* calling function for host and content matched protocols */
init_string_based_protocols(ndpi_mod);
@@ -1666,20 +1676,20 @@ static int fill_prefix_v4(prefix_t *p, struct in_addr *a, int b, int mb) {
/* ******************************************* */
-u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) {
+u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin /* network byte order */) {
prefix_t prefix;
patricia_node_t *node;
- pin->s_addr = ntohl(pin->s_addr); /* Make sure all in network byte order otherwise compares wont work */
+ /* Make sure all in network byte order otherwise compares wont work */
fill_prefix_v4(&prefix, pin, 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits);
node = ndpi_patricia_search_best(ndpi_struct->protocols_ptree, &prefix);
-
+
return(node ? node->value.user_value : NDPI_PROTOCOL_UNKNOWN);
}
/* ******************************************* */
-u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host) {
+u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host /* network byte order */) {
struct in_addr pin;
pin.s_addr = host;
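Review bot: The comment `/* Make sure all in network byte order otherwise compares wont work */` in `ndpi_network_ptree_match` now stands alone, because the `ntohl()` statement it described was removed. It reads as if a conversion still happens here. I would replace it with `/* pin must already be in network byte order; no conversion is done here */`, which matches the new parameter annotations. Since the function's contract changed without its signature changing, any caller not touched by this commit that still passes a host-order address will silently stop matching; the callers visible on this page are updated, others cannot be checked from here.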
@@ -1700,11 +1710,9 @@ u_int8_t ndpi_is_tor_flow(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_packet_struct *packet = &flow->packet;
if(packet->tcp != NULL) {
- if(flow->packet.iph) {
- struct in_addr saddr = { packet->iph->saddr };
- struct in_addr daddr = { packet->iph->daddr };
- if(tor_ptree_match(ndpi_struct, &saddr)
- || tor_ptree_match(ndpi_struct, &daddr)) {
+ if(packet->iph) {
+ if(tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->saddr)
+ || tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->daddr)) {
return(1);
}
}
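Review bot: The casts `(struct in_addr *)&packet->iph->saddr` and `...->daddr` give `tor_ptree_match` a pointer into the captured packet, where the removed code passed local copies. `tor_ptree_match` is not shown on this page; if it still converts the address in place the way `ndpi_network_ptree_match` did before this commit (`pin->s_addr = ntohl(pin->s_addr)`), it would now rewrite the IP header of the packet under inspection. It is worth confirming that it only reads, and declaring its parameter `const struct in_addr *` so the compiler enforces that. The same cast is used in the `ndpi_detection_process_packet` hunk further down. `ndpi_is_tor_flow` starts and ends outside this hunk.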
@@ -1736,7 +1744,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str,
struct in_addr pin;
patricia_node_t *node;
- pin.s_addr = ntohl(host_list[i].network);
+ pin.s_addr = htonl(host_list[i].network);
if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL)
node->value.user_value = host_list[i].value;
}
@@ -1745,19 +1753,18 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str,
/* ******************************************* */
static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndpi_struct,
- char *value, int protocol_id) {
-
- patricia_node_t *node;
- struct in_addr pin;
+ char *value, int protocol_id) {
- inet_pton(AF_INET, value, &pin);
- pin.s_addr = ntohl(pin.s_addr);
-
- if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) {
- node->value.user_value = protocol_id;
- }
+ patricia_node_t *node;
+ struct in_addr pin;
+
+ inet_pton(AF_INET, value, &pin);
+
+ if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) {
+ node->value.user_value = protocol_id;
+ }
- return(0);
+ return(0);
}
#endif
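Review bot: `ndpi_add_host_ip_subprotocol` ignores the result of `inet_pton()`, so when `value` is not a valid IPv4 literal `pin` stays uninitialised and whatever is on the stack is inserted into `protocols_ptree` as a /32 mapped to `protocol_id`. The re-indented body was a good moment to add the check: `if(inet_pton(AF_INET, value, &pin) != 1) return(-1);`. The function currently always returns 0 and its callers are not visible here, so confirm they tolerate a non-zero return before adopting the error code. A one-line comment stating that `pin` is stored in network byte order would also match the byte-order clean-up done elsewhere in this commit.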
@@ -1891,13 +1898,16 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc
ndpi_default_ports_tree_node_t node;
if(sport && dport) {
- node.default_port = sport;
+ int low = ndpi_min(sport, dport);
+ int high = ndpi_max(sport, dport);
+
+ node.default_port = low; /* Check server port first */
ret = ndpi_tfind(&node,
(proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot,
ndpi_default_ports_tree_node_t_cmp);
if(ret == NULL) {
- node.default_port = dport;
+ node.default_port = high;
ret = ndpi_tfind(&node,
(proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot,
ndpi_default_ports_tree_node_t_cmp);
@@ -2250,6 +2260,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* SIP */
init_sip_dissector(ndpi_struct, &a, detection_bitmask);
+ /* HEP */
+ init_hep_dissector(ndpi_struct, &a, detection_bitmask);
+
/* BITTORRENT */
init_bittorrent_dissector(ndpi_struct, &a, detection_bitmask);
@@ -2622,6 +2635,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
/* MPEGTS */
init_mpegts_dissector(ndpi_struct, &a, detection_bitmask);
+ /* UBNTAC2 */
+ init_ubntac2_dissector(ndpi_struct, &a, detection_bitmask);
/* ----------------------------------------------------------------- */
@@ -3418,23 +3433,30 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
} else
ret.protocol = flow->detected_protocol_stack[0];
-
- if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph) {
- struct in_addr pin = { flow->packet.iph->saddr };
-
- if((ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) {
- pin.s_addr = flow->packet.iph->daddr;
- ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin);
+ if((ret.protocol == NDPI_PROTOCOL_UNKNOWN)
+ && flow->packet.iph
+ && (!flow->host_already_guessed)) {
+
+ if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr)) == NDPI_PROTOCOL_UNKNOWN) {
+ flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->daddr);
}
+
+ flow->host_already_guessed = 1;
+ }
+
+#if 0
- /* Swap proocols in case of success */
+ /* Swap protocols in case of success */
if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) {
u_int16_t t = ret.master_protocol;
ret.master_protocol = ret.protocol;
ret.protocol = t;
}
- }
+#endif
+
+ if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol != NDPI_PROTOCOL_UNKNOWN))
+ ret.protocol = flow->guessed_host_proto_id;
return(ret);
}
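Review bot: The last added condition tests `ret.master_protocol != NDPI_PROTOCOL_UNKNOWN` but then assigns `flow->guessed_host_proto_id`, and nothing in the hunk links the two values. As written, a flow whose protocol and master protocol are both unknown never receives the host-based guess that the block above just computed. If the intent is to fall back to that guess, the test probably wants to be `if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (flow->guessed_host_proto_id != NDPI_PROTOCOL_UNKNOWN))`. The `#if 0` block keeps dead swap code in the tree; deleting it, or adding a comment that says why it is parked, would be clearer. The function begins outside this hunk.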
@@ -4239,11 +4261,11 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct
return(ret);
check_guessed_skype:
- addr.s_addr = shost;
+ addr.s_addr = htonl(shost);
if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) {
ret.protocol = NDPI_PROTOCOL_SKYPE;
} else {
- addr.s_addr = dhost;
+ addr.s_addr = htonl(dhost);
if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE)
ret.protocol = NDPI_PROTOCOL_SKYPE;
}
diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c
index 2537afd56..ec96d1287 100644
--- a/src/lib/protocols/dcerpc.c
+++ b/src/lib/protocols/dcerpc.c
@@ -18,7 +18,7 @@
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
- *
+ *
*/
@@ -35,20 +35,23 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct
void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
-
- if((packet->tcp != NULL)
- && (packet->payload_packet_len > 64)
- && ((ntohs(packet->tcp->source) == 135) || (ntohs(packet->tcp->dest) == 135))
+ u_int16_t len_packet = (packet->payload[9]<<8) | packet->payload[8];
+
+ if((packet->tcp != NULL)
+ && (packet->payload_packet_len >= 64)
&& (packet->payload[0] == 0x05) /* version 5 */
&& (packet->payload[2] < 16) /* Packet type */
- ) {
- NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n");
+ && (len_packet == packet->payload_packet_len) /* Packet Length */
+ ) {
+ NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n");
ndpi_int_dcerpc_add_connection(ndpi_struct, flow);
return;
}
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC);
+ if(packet->payload_packet_len>1){
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC);
+ }
}
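Review bot: `len_packet` is initialised from `packet->payload[8]` and `packet->payload[9]` at its declaration, before `payload_packet_len >= 64` is tested, so any TCP segment with fewer than 10 payload bytes is read past its end. This dissector runs on untrusted traffic, so the bytes should only be read once the length test has passed. Dropping the local and ending the condition with `&& (((packet->payload[9]<<8) | packet->payload[8]) == packet->payload_packet_len)` keeps the read behind the short-circuit. Separately, the port-135 test is gone, so the match now rests on two header bytes plus the length field. A short comment should state that this is intended, and explain why exclusion is skipped for payloads of length 0 or 1.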
diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c
new file mode 100644
index 000000000..516e430e7
--- /dev/null
+++ b/src/lib/protocols/hep.c
@@ -0,0 +1,68 @@
+/*
+ * hep.c
+ *
+ * Copyright (C) 2009-2011 by ipoque GmbH
+ * Copyright (C) 2011-15 - ntop.org
+ * Copyright (C) 2011-15 - QXIP BV
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocols.h"
+#ifdef NDPI_PROTOCOL_HEP
+
+static void ndpi_int_hep_add_connection(struct ndpi_detection_module_struct
+ *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HEP, NDPI_PROTOCOL_UNKNOWN);
+}
+
+void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+ const u_int8_t *packet_payload = packet->payload;
+ u_int32_t payload_len = packet->payload_packet_len;
+
+ NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "searching for HEP.\n");
+ if (payload_len > 10) {
+ if (memcmp(packet_payload, "HEP3", 4) == 0) {
+ NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n");
+ ndpi_int_hep_add_connection(ndpi_struct, flow);
+ return;
+ }
+ }
+
+ NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HEP);
+}
+
+
+void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("HEP", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_HEP,
+ ndpi_search_hep,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+
+ *id += 1;
+}
+
+#endif
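Review bot: `ndpi_search_hep` marks a flow as HEP on the four bytes `"HEP3"` alone, for any TCP or UDP payload longer than 10 bytes, and those bytes are chosen by the sender. That is a weak signal for anything downstream that trusts the label. If the HEP3 header carries a total-length field after the magic (to be confirmed against the spec), comparing it with `payload_len` would tighten the match the same way the dcerpc change in this commit does. The threshold `10` is unexplained; a comment such as `/* magic (4) + minimum header the check relies on */` with the real reasoning would help the next reader. The header block credits ipoque GmbH 2009-2011 on a file created in this commit, which looks copied from a template.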
diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c
index 38596e41d..daa97cc36 100644
--- a/src/lib/protocols/kakaotalk_voice.c
+++ b/src/lib/protocols/kakaotalk_voice.c
@@ -56,7 +56,7 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc
}
}
- NDPI_LOG(NDPI_PROTOCOL_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n");
+ NDPI_LOG(NDPI_SERVICE_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_KAKAOTALK_VOICE);
}
diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c
index 37846930e..422ed0dc2 100644
--- a/src/lib/protocols/mail_smtp.c
+++ b/src/lib/protocols/mail_smtp.c
@@ -117,10 +117,10 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct
&& (packet->line[a].ptr[1] == 'T' || packet->line[a].ptr[1] == 't')
&& (packet->line[a].ptr[2] == 'A' || packet->line[a].ptr[2] == 'a')
&& (packet->line[a].ptr[3] == 'R' || packet->line[a].ptr[3] == 'r')
- && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[0] == 't')
- && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[1] == 't')
- && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[2] == 'l')
- && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[3] == 's')) {
+ && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[4] == 't')
+ && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[5] == 't')
+ && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[6] == 'l')
+ && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[7] == 's')) {
flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS;
}
}
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c
index 7f201569c..e3bd00332 100644
--- a/src/lib/protocols/skype.c
+++ b/src/lib/protocols/skype.c
@@ -40,8 +40,8 @@ u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct,
Skype connections are identified by some SSL-like communications
without SSL certificate being exchanged
*/
- if(is_skype_host(ndpi_struct, ntohl(packet->iph->saddr))
- || is_skype_host(ndpi_struct, ntohl(packet->iph->daddr))) {
+ if(is_skype_host(ndpi_struct, packet->iph->saddr)
+ || is_skype_host(ndpi_struct, packet->iph->daddr)) {
return(1);
}
}
diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c
index fe7b9d161..7ed0eae29 100644
--- a/src/lib/protocols/steam.c
+++ b/src/lib/protocols/steam.c
@@ -34,6 +34,7 @@ static void ndpi_int_steam_add_connection(struct ndpi_detection_module_struct *n
static void ndpi_check_steam_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
+ NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
if (packet->user_agent_line.ptr != NULL
&& packet->user_agent_line.len >= 23
&& memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) {
diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c
index 1eb9c8773..7ca276dca 100644
--- a/src/lib/protocols/tcp_udp.c
+++ b/src/lib/protocols/tcp_udp.c
@@ -37,9 +37,9 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc
}
}
- if((rc = ndpi_host_ptree_match(ndpi_struct, saddr)) != NDPI_PROTOCOL_UNKNOWN) return(rc);
+ if((rc = ndpi_host_ptree_match(ndpi_struct, htonl(saddr))) != NDPI_PROTOCOL_UNKNOWN) return(rc);
- return(ndpi_host_ptree_match(ndpi_struct, daddr));
+ return(ndpi_host_ptree_match(ndpi_struct, htonl(daddr)));
}
void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c
new file mode 100644
index 000000000..7763c18d1
--- /dev/null
+++ b/src/lib/protocols/ubntac2.c
@@ -0,0 +1,63 @@
+/*
+ * ubntac2.c
+ *
+ * Copyright (C) 2015 Thomas Fjellstrom
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+#include "ndpi_protocols.h"
+
+#ifdef NDPI_PROTOCOL_UBNTAC2
+
+static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN);
+}
+
+
+void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+ struct ndpi_packet_struct *packet = &flow->packet;
+
+ NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest));
+
+ if (packet->payload_packet_len >= 135 &&
+ (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) &&
+ memcmp(&(packet->payload[36]), "UBNT", 4) == 0) {
+
+ NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n");
+
+ ndpi_int_ubntac2_add_connection(ndpi_struct, flow);
+ return;
+ }
+
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2);
+}
+
+
+void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ ndpi_set_bitmask_protocol_detection("UBNTAC2", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_UBNTAC2,
+ ndpi_search_ubntac2,
+ NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ ADD_TO_DETECTION_BITMASK);
+ *id += 1;
+}
+
+#endif
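Review bot: `ndpi_search_ubntac2` dereferences `packet->udp` in the `NDPI_LOG` trace line and again in the condition without a NULL test, relying entirely on `NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD` to guarantee it is set. Other dissectors on this page guard the transport pointer explicitly (`packet->tcp != NULL` in dcerpc), and doing the same here is cheap: start the condition with `packet->udp != NULL &&` and move the trace log below it. The constants `135` and `36` are undocumented; a comment like `/* "UBNT" tag sits at offset 36; shortest observed request is 135 bytes */` (with the author's actual source) would make the bounds reviewable. The `%i` conversions in the log line are given `u_int16_t` values, which works through promotion but `%u` states the intent.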