aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_content_match.c.inc1
-rw-r--r--src/lib/ndpi_main.c19
-rw-r--r--src/lib/protocols/ssl.c34
-rw-r--r--src/lib/protocols/stun.c16
4 files changed, 54 insertions, 16 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index e39fc3939..71e236d37 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -706,6 +706,7 @@ static ndpi_network host_protocol_list[] = {
{ 0x287F816D /* 40.126.129.109 */, 32, NDPI_PROTOCOL_SKYPE },
{ 0x4237DF00 /* 65.55.223.0 */, 26, NDPI_PROTOCOL_SKYPE },
{ 0x17600000 /* 23.96.0.0 */, 13, NDPI_PROTOCOL_SKYPE },
+ { 0x34724A05 /* 52.114.74.5 */, 32, NDPI_PROTOCOL_SKYPE },
/*
Blizzard Entertainment, Inc
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 6f3d03a48..8e9bb53fc 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3971,6 +3971,12 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN)
|| (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) {
+
+ if((guessed_protocol_id == 0)
+ && (flow->protos.stun_ssl.stun.num_binding_requests > 0)
+ && (flow->protos.stun_ssl.stun.num_processed_pkts > 0))
+ guessed_protocol_id = NDPI_PROTOCOL_STUN;
+
ndpi_int_change_protocol(ndpi_struct, flow,
guessed_host_protocol_id,
guessed_protocol_id);
@@ -3988,16 +3994,25 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st
&& (flow->guessed_protocol_id == NDPI_PROTOCOL_STUN)) {
check_stun_export:
if(flow->protos.stun_ssl.stun.num_processed_pkts > 0) {
- if(flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) {
+ if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */
+ flow->protos.stun_ssl.stun.is_skype) {
u_int16_t proto = (flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT;
ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_SKYPE);
} else
- ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STUN, flow->guessed_host_protocol_id);
+ ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_PROTOCOL_STUN);
}
}
ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
+
+ if(ret.master_protocol == NDPI_PROTOCOL_STUN) {
+ if(ret.app_protocol == NDPI_PROTOCOL_FACEBOOK)
+ ret.app_protocol = NDPI_PROTOCOL_MESSENGER;
+ else if(ret.app_protocol == NDPI_PROTOCOL_GOOGLE)
+ ret.app_protocol = NDPI_PROTOCOL_HANGOUT;
+ }
+
ndpi_fill_protocol_category(ndpi_struct, flow, &ret);
return(ret);
diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c
index d7f7a9687..25d535a57 100644
--- a/src/lib/protocols/ssl.c
+++ b/src/lib/protocols/ssl.c
@@ -249,7 +249,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
offset++;
compression_len = packet->payload[offset];
offset++;
-
+
#ifdef CERTIFICATE_DEBUG
printf("SSL [compression_len: %u]\n", compression_len);
#endif
@@ -260,7 +260,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
if(offset < total_len) {
extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset]));
offset += 2;
-
+
#ifdef CERTIFICATE_DEBUG
printf("SSL [extensions_len: %u]\n", extensions_len);
#endif
@@ -282,7 +282,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
#ifdef CERTIFICATE_DEBUG
printf("SSL [extension_id: %u][extension_len: %u]\n", extension_id, extension_len);
#endif
-
+
if(extension_id == 0) {
#if 1
u_int16_t len;
@@ -316,7 +316,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct,
snprintf(flow->protos.stun_ssl.ssl.client_certificate,
sizeof(flow->protos.stun_ssl.ssl.client_certificate), "%s", buffer);
}
-
+
/* We're happy now */
return(2 /* Client Certificate */);
}
@@ -342,7 +342,7 @@ int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi
if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) {
char certificate[64];
int rc;
-
+
certificate[0] = '\0';
rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate));
packet->ssl_certificate_num_checks++;
@@ -400,7 +400,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
strlen(certificate),
&ret_match,
NDPI_PROTOCOL_SSL);
-
+
if(subproto != NDPI_PROTOCOL_UNKNOWN) {
/* If we've detected the subprotocol from client certificate but haven't had a chance
* to see the server certificate yet, set up extra packet processing to wait
@@ -408,7 +408,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
if(((flow->l4.tcp.ssl_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) && ((flow->l4.tcp.ssl_seen_server_cert != 1) && (flow->protos.stun_ssl.ssl.server_certificate[0] == '\0'))) {
sslInitExtraPacketProcessing(0, flow);
}
-
+
ndpi_set_detected_protocol(ndpi_struct, flow, subproto,
ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL));
return(rc); /* Fix courtesy of Gianluca Costa <g.costa@xplico.org> */
@@ -523,13 +523,10 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct
struct ndpi_packet_struct *packet = &flow->packet;
if((packet->payload_packet_len >= 5)
- && (packet->payload[0] == 0x16)
+ && ((packet->payload[0] == 0x16) || packet->payload[0] == 0x17)
&& (packet->payload[1] == 0x03)
- && ((packet->payload[2] == 0x00)
- || (packet->payload[2] == 0x01)
- || (packet->payload[2] == 0x02)
- || (packet->payload[2] == 0x03)
- )) {
+ && ((packet->payload[2] == 0x00) || (packet->payload[2] == 0x01) ||
+ (packet->payload[2] == 0x02) || (packet->payload[2] == 0x03))) {
u_int32_t temp;
NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n");
// SSLv3 Record
@@ -691,6 +688,17 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc
flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
return;
}
+
+ // Application Data pkt
+ if(packet->payload[0] == 0x17 && packet->payload[1] == 0x03
+ && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 ||
+ packet->payload[2] == 0x02 || packet->payload[2] == 0x03)) {
+ if(packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5) {
+ NDPI_LOG_DBG2(ndpi_struct, "TLS len match\n");
+ flow->l4.tcp.ssl_stage = 1 + packet->packet_direction;
+ return;
+ }
+ }
}
if(packet->payload_packet_len > 40 &&
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index ad6a585f9..cb1322e5e 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -106,7 +106,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
case 0x4002:
/* These are the only messages apparently whatsapp voice can use */
break;
-
+
case 0x8054: /* Candidate Identifier */
if((len == 4)
&& ((offset+7) < payload_length)
@@ -119,6 +119,20 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
}
break;
+ case 0x8055: /* MS Service Quality (skype?) */
+ break;
+
+ /* Proprietary fields found on skype calls */
+ case 0x24DF:
+ case 0x3802:
+ case 0x8036:
+ case 0x8095:
+ case 0x0800:
+ /* printf("====>>>> %04X\n", attribute); */
+ flow->protos.stun_ssl.stun.is_skype = 1;
+ return(NDPI_IS_STUN);
+ break;
+
case 0x8070: /* Implementation Version */
if((len == 4)
&& ((offset+7) < payload_length)
Powered by cgit, Themed by Ted Yin.