Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 5 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 134 | ||||
-rw-r--r-- | src/lib/protocols/http.c | 152 | ||||
-rw-r--r-- | src/lib/protocols/ntp.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 13 |
5 files changed, 171 insertions, 135 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 3d188f9a0..91a91a9fd 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -9095,7 +9095,10 @@ static ndpi_category_match category_match[] = { { ".playercdn.net", "\\.playercdn" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING }, { "showmax.com", "showmax" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING }, { "showmax.akamaized.net", "showmax\\.akamaized" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING }, - + { "skyq.sky.com", "skyq\\.sky\\.com" TLD, NDPI_PROTOCOL_CATEGORY_STREAMING }, + { "iptv.sky.", "iptv\\.sky\\." TLD, NDPI_PROTOCOL_CATEGORY_STREAMING }, + { "pcdn.skycdn.", "pcdn\\.skycdn\\." TLD, NDPI_PROTOCOL_CATEGORY_STREAMING }, + /* Hulu Streaming services AS23286 */ { "8.28.124.0/24", NULL, NDPI_PROTOCOL_CATEGORY_STREAMING }, { "8.28.125.0/24", NULL, NDPI_PROTOCOL_CATEGORY_STREAMING }, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 7138ab9c1..40bf9ae20 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1766,7 +1766,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp 1 /* no subprotocol */, no_master, no_master, "Bloomberg", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CAPWAP, 1 /* no subprotocol */, no_master, no_master, "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK, @@ -1950,7 +1950,7 @@ static patricia_node_t* add_to_ptree(patricia_tree_t *tree, int family, /* ******************************************* */ /* - Load a file containing IPv4 addresses in CIDR format as 'protocol_id' + Load a file containing IPv4 addresses in CIDR format as 'protocol_id' Return: the number of entries loaded or -1 in case of error */ 
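Review bot: The new entries `"iptv.sky."` and `"pcdn.skycdn."` end in a dot with no fixed TLD, unlike `"skyq.sky.com"` and the neighbouring rows, and the hunk does not show whether the first column is matched as a substring or as a suffix. If it is a substring match, any host name that merely contains one of these labels is placed in NDPI_PROTOCOL_CATEGORY_STREAMING, and that name is supplied by the client. I would add a comment above the three rows stating the intent and the match semantics, e.g. `/* Sky: per-country TLDs, hence no fixed suffix; matched as <substring|suffix> */`. The table starts and ends outside the hunk.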
@@ -1960,7 +1960,7 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, FILE *fd; int len; u_int num_loaded = 0; - + fd = fopen(path, "r"); if(fd == NULL) { @@ -1985,9 +1985,9 @@ int ndpi_load_ipv4_ptree(struct ndpi_detection_module_struct *ndpi_str, if(addr) { struct in_addr pin; patricia_node_t *node; - + cidr = strtok_r(NULL, "\n", &saveptr); - + pin.s_addr = inet_addr(addr); if((node = add_to_ptree(ndpi_str->protocols_ptree, AF_INET, &pin, cidr ? atoi(cidr) : 32 /* bits */)) != NULL) @@ -2013,7 +2013,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, if(skip_tor_hosts && (host_list[i].value == NDPI_PROTOCOL_TOR)) continue; - + pin.s_addr = htonl(host_list[i].network); if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL) @@ -2307,7 +2307,7 @@ void ndpi_finalize_initalization(struct ndpi_detection_module_struct *ndpi_str) automa = &ndpi_str->impossible_bigrams_automa; break; } - + ac_automata_finalize((AC_AUTOMATA_t*)automa->ac_automa); automa->ac_automa_finalized = 1; } @@ -3509,7 +3509,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n #ifdef CUSTOM_NDPI_PROTOCOLS #include "../../../nDPI-custom/custom_ndpi_main_init.c" #endif - + /* ----------------------------------------------------------------- */ ndpi_str->callback_buffer_size = a; 
@@ -4055,22 +4055,24 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_str, func = ndpi_str->proto_defaults[flow->guessed_protocol_id].func; } - for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) { - if((func != ndpi_str->callback_buffer_udp[a].func) - && (ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) == - ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask - && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask, - ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0 - && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask, - detection_bitmask) != 0) { - ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow); - - // NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a); - if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) - break; /* Stop after detecting the first protocol */ - } else - if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_str, - "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a); + if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + for(a = 0; a < ndpi_str->callback_buffer_size_udp; a++) { + if((func != ndpi_str->callback_buffer_udp[a].func) + && (ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask & *ndpi_selection_packet) == + ndpi_str->callback_buffer_udp[a].ndpi_selection_bitmask + && NDPI_BITMASK_COMPARE(flow->excluded_protocol_bitmask, + ndpi_str->callback_buffer_udp[a].excluded_protocol_bitmask) == 0 + && NDPI_BITMASK_COMPARE(ndpi_str->callback_buffer_udp[a].detection_bitmask, + detection_bitmask) != 0) { + ndpi_str->callback_buffer_udp[a].func(ndpi_str, flow); + + // NDPI_LOG_DBG(ndpi_str, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a); + if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) + break; /* Stop after detecting the first protocol */ + } else + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_str, + "[UDP,SKIP] dissector of 
protocol as callback_buffer idx = %d\n",a); + } } } @@ -4191,7 +4193,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED }; *protocol_was_guessed = 0; - + if(flow == NULL) return(ret); @@ -4298,10 +4300,10 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st ret.app_protocol = NDPI_PROTOCOL_HANGOUT_DUO; } } - + if(ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) - ndpi_fill_protocol_category(ndpi_str, flow, &ret); - + ndpi_fill_protocol_category(ndpi_str, flow, &ret); + return(ret); } @@ -4697,7 +4699,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(flow->check_extra_packets) { ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_tick_l, src, dst); /* Update in case of new match */ - ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0]; + ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0], ret.category = flow->category;; return(ret); } else goto ret_protocols; @@ -4796,7 +4798,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if(flow->packet.iph) { if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { u_int8_t protocol_was_guessed; - + /* ret.master_protocol = flow->guessed_protocol_id , ret.app_protocol = flow->guessed_host_protocol_id; /\* ****** *\/ */ ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed); } 
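Review bot: The new `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)` guard around the callback loop in check_ndpi_udp_flow_func carries no comment, and it appears to pull against the comment this same commit adds in ndpi_detection_process_packet, which says dissectors are still invoked after an IP-based match so that metadata gets extracted. With the guard, once a UDP flow has a detected protocol none of the generic UDP dissectors run again, and the `[UDP,SKIP]` debug line is no longer printed for them. If that is intended, say so at the guard, e.g. `/* Flow already classified: do not re-run the generic UDP dissectors */`, and state whether the TCP path is meant to behave the same; it is not part of this diff. The function starts above the hunk.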
@@ -4816,34 +4818,33 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct addr.s_addr = flow->packet.iph->daddr; flow->guessed_host_protocol_id = ndpi_network_ptree_match(ndpi_str, &addr); } + + /* + We could implement a shortcut here skipping dissectors for + protocols we have identified by other means such as with the IP + + However we do NOT stop here and skip invoking the dissectors + because we want to dissect the flow (e.g. dissect the TLS) + and extract metadata. + */ +#if SKIP_INVOKING_THE_DISSECTORS + if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { + /* + We have identified a protocol using the IP address so + it is not worth to dissect the traffic as we already have + the solution + */ + ret.master_protocol = flow->guessed_protocol_id, + ret.app_protocol = flow->guessed_host_protocol_id; + } +#endif } } } if(flow->guessed_host_protocol_id > NDPI_MAX_SUPPORTED_PROTOCOLS) { /* This is a custom protocol and it has priority over everything else */ - ret.master_protocol = NDPI_PROTOCOL_UNKNOWN, ret.app_protocol = flow->guessed_host_protocol_id; - - if(flow->packet.tcp && (ret.master_protocol == NDPI_PROTOCOL_UNKNOWN)) { - /* Minimal guess for HTTP/SSL-based protocols */ - int i; - - for(i=0; i<2; i++) { - u_int16_t port = (i == 0) ? ntohs(flow->packet.tcp->dest) : ntohs(flow->packet.tcp->source); - - switch(port) { - case 80: - ret.master_protocol = NDPI_PROTOCOL_HTTP; - break; - case 443: - ret.master_protocol = NDPI_PROTOCOL_TLS; /* QUIC could also match */ - break; - } - - if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) - break; - } - } + ret.master_protocol = flow->guessed_protocol_id, ret.app_protocol = flow->guessed_host_protocol_id; ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); ndpi_fill_protocol_category(ndpi_str, flow, &ret); 
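Review bot: `#if SKIP_INVOKING_THE_DISSECTORS` tests a macro that is not defined anywhere in this diff, so the preprocessor silently treats it as 0 and a build with `-Wundef` will warn. Either give it an explicit default (`#ifndef SKIP_INVOKING_THE_DISSECTORS` / `#define SKIP_INVOKING_THE_DISSECTORS 0` / `#endif`) or use `#if 0` if the block is kept only as illustration. The guarded block also only assigns `ret.master_protocol` and `ret.app_protocol`; nothing in it jumps past the dissector calls, so as far as this hunk shows, enabling the switch would not do what the comment describes. In the custom-protocol branch below, `ret.master_protocol` now comes from `flow->guessed_protocol_id` and the port 80/443 fallback is gone; a one-line comment on why the port guess was dropped would help. ndpi_detection_process_packet continues outside the hunk.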
@@ -4893,7 +4894,7 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct && (flow->guessed_protocol_id == 0) ) { u_int8_t protocol_was_guessed; - + /* This is a TCP flow - whose first packet is NOT a SYN @@ -4905,6 +4906,13 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct ret = ndpi_detection_giveup(ndpi_str, flow, 0, &protocol_was_guessed); } + if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) + && (ret.app_protocol != NDPI_PROTOCOL_UNKNOWN) + && (flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) { + ret.master_protocol = ret.app_protocol; + ret.app_protocol = flow->guessed_host_protocol_id; + } + invalidate_ptr: /* Invalidate packet memory to avoid accessing the pointers below @@ -5169,7 +5177,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, while((packet->content_line.len > 0) && (packet->content_line.ptr[0] == ' ')) packet->content_line.len--, packet->content_line.ptr++; - + packet->http_num_headers++; } /* "Content-Type:" header line in HTTP AGAIN. Probably a bogus response without space after ":" */ @@ -5186,14 +5194,14 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, char separator[] = { ';', '\r', '\0' }; int i; - for(i=0; separator[i] != '\0'; i++) { + for(i=0; separator[i] != '\0'; i++) { char *c = memchr((char*)packet->content_line.ptr, separator[i], packet->content_line.len); - + if(c != NULL) packet->content_line.len = c - (char*)packet->content_line.ptr; } } - + /* "Accept:" header line in HTTP request. */ if(packet->line[packet->parsed_lines].len > 8 && strncasecmp((const char *)packet->line[packet->parsed_lines].ptr, "Accept: ", 8) == 0) { 
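Review bot: The swap added before `invalidate_ptr:` (hunk `-4905,6`) does not exclude the case where `ret.app_protocol` already equals `flow->guessed_host_protocol_id`; the result would then be the same id in both `ret.master_protocol` and `ret.app_protocol`. Whether ndpi_detection_giveup can return that combination is not visible here, so I would make the condition explicit with `&& (ret.app_protocol != flow->guessed_host_protocol_id)`. `ret.category` is also left as computed for the old `app_protocol`; if the category should follow the new application protocol, call `ndpi_fill_protocol_category(ndpi_str, flow, &ret);` inside the block. Any path that jumps straight to the label skips this block, which deserves a short comment if intended.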
@@ -6202,7 +6210,7 @@ static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_ if((previous_proto == NDPI_PROTOCOL_UNKNOWN) || (previous_proto == new_proto)) return(0); - + switch(previous_proto) { case NDPI_PROTOCOL_WHATSAPP_CALL: case NDPI_PROTOCOL_WHATSAPP_FILES: @@ -6307,7 +6315,7 @@ u_int16_t ndpi_match_host_subprotocol(struct ndpi_detection_module_struct *ndpi_ flow, string_to_match, string_to_match_len, master_protocol_id, ret_match, 1); unsigned long id = ret_match->protocol_category; - + if(ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &id) != -1) { if(id != -1) { flow->category = ret_match->protocol_category = id; @@ -6593,15 +6601,15 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { case ndpi_l4_proto_unknown: return(""); break; - + case ndpi_l4_proto_tcp_only: return("TCP"); break; - + case ndpi_l4_proto_udp_only: return("UDP"); break; - + case ndpi_l4_proto_tcp_and_udp: return("TCP/UDP"); break; @@ -6613,7 +6621,7 @@ const char* ndpi_get_l4_proto_name(ndpi_l4_proto_info proto) { /* ******************************************************************** */ ndpi_l4_proto_info ndpi_get_l4_proto_info(struct ndpi_detection_module_struct *ndpi_struct, - u_int16_t ndpi_proto_id) { + u_int16_t ndpi_proto_id) { if(ndpi_proto_id < ndpi_struct->ndpi_num_supported_protocols) { u_int16_t idx = ndpi_struct->proto_defaults[ndpi_proto_id].protoIdx; NDPI_SELECTION_BITMASK_PROTOCOL_SIZE bm = ndpi_struct->callback_buffer[idx].ndpi_selection_bitmask; diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 6b26a7dc3..4382879d0 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c 
@@ -33,7 +33,8 @@ static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struc /* *********************************************** */ -static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { ndpi_search_http_tcp(ndpi_struct, flow); #ifdef HTTP_DEBUG 
@@ -52,9 +53,46 @@ static int ndpi_search_http_tcp_again(struct ndpi_detection_module_struct *ndpi_ /* *********************************************** */ +/* https://www.freeformatter.com/mime-types-list.html */ +static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + if(packet->content_line.len > 0) { + u_int app_len = sizeof("application"); + + if(packet->content_line.len > app_len) { + if(ndpi_strncasestr((const char *)&packet->content_line.ptr[app_len], "mpeg", + packet->content_line.len-app_len) != NULL) { + flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING; + return(flow->category); + } + } + + switch(packet->content_line.ptr[0]) { + case 'a': + if(strncasecmp((const char *)packet->content_line.ptr, "audio", + ndpi_min(packet->content_line.len, 5)) == 0) + flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; + break; + + case 'v': + if(strncasecmp((const char *)packet->content_line.ptr, "video", + ndpi_min(packet->content_line.len, 5)) == 0) + flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; + break; + } + } + + return(flow->category); +} + +/* *********************************************** */ + static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int16_t category) { + u_int16_t http_protocol, + ndpi_protocol_category_t category) { #ifdef HTTP_DEBUG printf("=> %s()\n", __FUNCTION__); #endif 
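Review bot: In ndpi_http_check_content the `audio` and `video` tests compare only `ndpi_min(packet->content_line.len, 5)` bytes, so a Content-Type value consisting of a single `a` or `v` compares equal and the flow is tagged NDPI_PROTOCOL_CATEGORY_MEDIA. The value comes from the peer, so require the full token: `if((packet->content_line.len >= 5) && (strncasecmp((const char *)packet->content_line.ptr, "audio", 5) == 0))`, and the same for `video`. The `switch` on `ptr[0]` is case-sensitive while the comparison is not, so a value starting with `Audio` is missed. The `mpeg` search skips `sizeof("application")` bytes (12, counting the terminating NUL where the `/` would be) without checking that the value actually starts with `application/`; add that check or at least a comment explaining the offset. The signature change to ndpi_int_http_add_connection at the end of this hunk continues in the next one.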
@@ -66,30 +104,36 @@ static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *nd ndpi_search_tcp_or_udp(ndpi_struct, flow); /* If no custom protocol has been detected */ - if(flow->guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) { - ndpi_int_reset_protocol(flow); - ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP); - } else - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); + if((flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) || (http_protocol != NDPI_PROTOCOL_HTTP)) + flow->guessed_host_protocol_id = http_protocol; + + category = ndpi_http_check_content(ndpi_struct, flow); + ndpi_int_reset_protocol(flow); + ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_HTTP); /* This is necessary to inform the core to call this dissector again */ flow->check_extra_packets = 1; flow->max_extra_packets_to_check = 5; flow->extra_packets_func = ndpi_search_http_tcp_again; - flow->http_detected = 1, flow->guessed_category = category; + flow->http_detected = 1, flow->guessed_category = flow->category = category; } +/* ************************************************************* */ + static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - if(packet->accept_line.len >= 28 && memcmp(packet->accept_line.ptr, "application/x-rtsp-tunnelled", 28) == 0) { + if((packet->accept_line.len >= 28) + && (memcmp(packet->accept_line.ptr, "application/x-rtsp-tunnelled", 28) == 0)) { NDPI_LOG_INFO(ndpi_struct, "found RTSP accept line\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTSP); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTSP, NDPI_PROTOCOL_CATEGORY_MEDIA); } } +/* ************************************************************* */ + static void setHttpUserAgent(struct 
ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *ua) { if ( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000"; @@ -110,7 +154,10 @@ static void setHttpUserAgent(struct ndpi_detection_module_struct *ndpi_struct, } } -static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { +/* ************************************************************* */ + +static void ndpi_http_parse_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { if((flow->l4.tcp.http_stage == 0) || (flow->http.url && flow->http_detected)) { char *double_col = strchr((char*)flow->host_server_name, ':'); ndpi_protocol_match_result ret_match; @@ -124,13 +171,14 @@ static void parseHttpSubprotocol(struct ndpi_detection_module_struct *ndpi_struc } } +/* ************************************************************* */ + /** NOTE ndpi_parse_packet_line_info is in ndpi_main.c */ static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_UNKNOWN); 
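Review bot: ndpi_int_http_add_connection (hunk `-66,30`) overwrites its new `category` parameter with `category = ndpi_http_check_content(ndpi_struct, flow);` before the parameter is ever read, so the values callers pass in this commit (NDPI_PROTOCOL_CATEGORY_MEDIA for RTSP, NDPI_PROTOCOL_CATEGORY_STREAMING for Netflix, NDPI_PROTOCOL_CATEGORY_WEB elsewhere) have no effect. ndpi_http_check_content returns `flow->category`, which is whatever was stored earlier when the Content-Type is neither mpeg, audio nor video. If the caller's value is meant as the fallback, keep it unless the content check produced something: `if(ndpi_http_check_content(ndpi_struct, flow) != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) category = flow->category;`. The retained comment `/* If no custom protocol has been detected */` no longer describes the condition below it and should be reworded. The function starts in the previous hunk.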
@@ -142,13 +190,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ /* PPStream */ if(flow->l4.tcp.ppstream_stage > 0 && flow->iqiyi_counter == 0) { NDPI_LOG_INFO(ndpi_struct, "found PPStream\n"); - /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM); */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_HTTP); - } - else if(flow->iqiyi_counter > 0) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, + NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_STREAMING); + } else if(flow->iqiyi_counter > 0) { NDPI_LOG_INFO(ndpi_struct, "found iQiyi\n"); - /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI); */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_HTTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI, + NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_STREAMING); } #endif @@ -156,8 +203,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ /* 1KXUN */ if(flow->kxun_counter > 0) { NDPI_LOG_INFO(ndpi_struct, "found 1kxun\n"); - /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN); */ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_HTTP); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_CATEGORY_STREAMING); } #endif @@ -257,10 +303,9 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ setHttpUserAgent(ndpi_struct, flow, token); } } - } - else if(memcmp(ua, "netflix-ios-app", 15) == 0) { + } else if(memcmp(ua, "netflix-ios-app", 15) == 0) { NDPI_LOG_INFO(ndpi_struct, "found netflix\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_NETFLIX); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_NETFLIX, NDPI_PROTOCOL_CATEGORY_STREAMING); return; } } 
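Review bot: The PPStream and iQiyi calls now pass five arguments to ndpi_set_detected_protocol (`..., NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_STREAMING`), while every other call in this diff passes four, so these lines should not compile once the surrounding `#if` is active. In the next hunk (`-156,8`) the 1kxun call stays at four arguments but `NDPI_PROTOCOL_HTTP` was replaced by `NDPI_PROTOCOL_CATEGORY_STREAMING`, which puts a category value in the lower-protocol slot where it would be recorded as a protocol id. Unless the prototype changed outside this diff, keep `ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_HTTP);` (likewise for IQIYI and 1KXUN) and set the category separately, e.g. `flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING;`. The `#if` guarding these blocks opens above the hunk, so whether this code is built at all is not visible.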
@@ -294,7 +339,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->host_server_name[len] = '\0'; flow->extra_packets_func = NULL; /* We're good now */ } - + flow->server_id = flow->dst; if(packet->forwarded_line.ptr) { @@ -305,7 +350,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - parseHttpSubprotocol(ndpi_struct, flow); + ndpi_http_parse_subprotocol(ndpi_struct, flow); /** check result of host subprotocol detection @@ -344,7 +389,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) { NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n", ndpi_get_proto_name(ndpi_struct, packet->detected_protocol_stack[0])); - ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]); + ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0], NDPI_PROTOCOL_CATEGORY_WEB); return; /* We have identified a sub-protocol so we're done */ } } @@ -352,7 +397,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ #if 0 if(flow->http_detected) - parseHttpSubprotocol(ndpi_struct, flow); + ndpi_http_parse_subprotocol(ndpi_struct, flow); #endif if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) @@ -374,7 +419,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) { int len = packet->content_line.len + 1; - + flow->http.content_type = ndpi_malloc(len); if(flow->http.content_type) { strncpy(flow->http.content_type, (char*)packet->content_line.ptr, @@ -382,7 +427,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ flow->http.content_type[packet->content_line.len] = '\0'; } } - + if(flow->http_detected) { ndpi_protocol_match_result ret_match; 
@@ -392,13 +437,17 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } - ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]); + ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0], NDPI_PROTOCOL_CATEGORY_WEB); } +/* ************************************************************* */ + static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { /* Add here your paylod code check */ } +/* ************************************************************* */ + /** * Functions to check whether the packet begins with a valid http request * @param ndpi_struct @@ -529,7 +578,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct </cross-domain-policy> */ ookla_found: - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_CATEGORY_WEB); if(ndpi_struct->ookla_cache == NULL) ndpi_struct->ookla_cache = ndpi_lru_cache_init(1024); 
@@ -593,34 +642,12 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct goto ookla_found; } -#if OBSOLETE - /* Check for additional field introduced by Steam */ - int x = 1; - if(packet->line[x].len >= 11 && (memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_STEAM); - check_content_type_and_change_protocol(ndpi_struct, flow); - return; - } - - /* Check for additional field introduced by Facebook */ - x = 1; - while(packet->line[x].len != 0) { - if(packet->line[x].len >= 12 && (memcmp(packet->line[x].ptr, "X-FB-SIM-HNI", 12)) == 0) { - NDPI_LOG_INFO(ndpi_struct, "found FACEBOOK\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_FACEBOOK); - check_content_type_and_change_protocol(ndpi_struct, flow); - return; - } - x++; - } -#endif - #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* check PPStream protocol or iQiyi service (iqiyi is delivered by ppstream) */ // substring in url - if(ndpi_strnstr((const char*) &packet->payload[filename_start], "iqiyi.com", (packet->payload_packet_len - filename_start)) != NULL) { + if(ndpi_strnstr((const char*) &packet->payload[filename_start], "iqiyi.com", + (packet->payload_packet_len - filename_start)) != NULL) { if(flow->kxun_counter == 0) { flow->l4.tcp.ppstream_stage++; flow->iqiyi_counter++; 
@@ -662,14 +689,14 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if((packet->http_url_name.len > 7) && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) { NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY, NDPI_PROTOCOL_CATEGORY_WEB); check_content_type_and_change_protocol(ndpi_struct, flow); } if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) { /* nathan@getoffmalawn.com */ NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT, NDPI_PROTOCOL_CATEGORY_WEB); check_content_type_and_change_protocol(ndpi_struct, flow); } @@ -684,7 +711,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct in 99.99% of the cases is like that. */ - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB); flow->http_detected = 1; NDPI_LOG_DBG2(ndpi_struct, "HTTP START Found, we will look further for the response...\n"); @@ -712,7 +739,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OOKLA); /** - At first check, if this is for sure a response packet (in another direction. If not, if HTTP is detected do nothing now and return, + At first check, if this is for sure a response packet + (in another direction. If not, if HTTP is detected do nothing now and return, otherwise check the second packet for the HTTP request */ if((flow->l4.tcp.http_stage - packet->packet_direction) == 1) { /* Expected a response package */ 
@@ -746,7 +774,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB); check_content_type_and_change_protocol(ndpi_struct, flow); NDPI_LOG_DBG2(ndpi_struct, @@ -768,7 +796,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { /* In Apache if you do "GET /\n\n" the response comes without any header */ NDPI_LOG_INFO(ndpi_struct, "found HTTP. (apache)\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB); check_content_type_and_change_protocol(ndpi_struct, flow); return; } @@ -776,7 +804,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* If we already detected the HTTP request, we can add the connection and then check for the sub-protocol */ if(flow->http_detected) { NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB); } /* Parse packet line and we look for the subprotocols */ diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c index a03ed3b43..126dadc4c 100644 --- a/src/lib/protocols/ntp.c +++ b/src/lib/protocols/ntp.c @@ -58,8 +58,8 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } } - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 9d22a66db..23c47d7cd 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -1400,19 +1400,16 @@ void ndpi_search_tls_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t ret, skip_cert_processing = 0; #ifdef DEBUG_TLS - printf("%s()\n", __FUNCTION__); + printf("==>> %u [len: %u][version: %u]\n", + flow->guessed_host_protocol_id, + packet->payload_packet_len, + flow->protos.stun_ssl.ssl.ssl_version); #endif if(packet->udp != NULL) { /* DTLS dissector */ int rc = sslTryAndRetrieveServerCertificate(ndpi_struct, flow); - -#ifdef DEBUG_TLS - printf("==>> %u [rc: %d][len: %u][%s][version: %u]\n", - flow->guessed_host_protocol_id, rc, packet->payload_packet_len, flow->protos.stun_ssl.ssl.ja3_server, - flow->protos.stun_ssl.ssl.ssl_version); -#endif - + if((rc == 0) && (flow->protos.stun_ssl.ssl.ssl_version != 0)) { flow->guessed_protocol_id = NDPI_PROTOCOL_TLS; |