aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
* Add Ripe Atlas probe protocol.add/ripe_atlasToni Uhlig2024-06-17
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added protocol - JRMI - Java Remote Method Invocation (#2470)Mark Jeffery2024-06-15
|
* Improved detection of Android connectiity checksLuca2024-06-12
|
* Added NDPI_PROTOCOL_NTOP assert and removed percentage comparison (#2460)Mark Jeffery2024-06-10
| | | Close #2413
* Zoom: fix integer overflow (#2469)Ivan Nardi2024-06-10
| | | | | | | | | | | | | | ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==29508==ERROR: AddressSanitizer: SEGV on unknown address 0x50710145d51d (pc 0x55cb788f25fe bp 0x7ffcfefa15f0 sp 0x7ffcfefa1240 T0) ==29508==The signal is caused by a READ memory access. #0 0x55cb788f25fe in ndpi_search_zoom /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:210:24 #1 0x55cb787e9418 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7174:6 #2 0x55cb7883f753 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7209:10 #3 0x55cb7883bc9d in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7240:12 ``` Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69520
* RTP/STUN: look for STUN packets after RTP/RTCP classification (#2465)Ivan Nardi2024-06-07
| | | | | | | | | | After a flow has been classified as RTP or RTCP, nDPI might analyse more packets to look for STUN/DTLS packets, i.e. to try to tell if this flow is a "pure" RTP/RTCP flow or if the RTP/RTCP packets are multiplexed with STUN/DTLS. Useful for proper (sub)classification when the beginning of the flows are not captured or if there are lost packets in the the captured traffic. Disabled by default
* Zoom: faster detection of P2P flows (#2467)Ivan Nardi2024-06-07
|
* STUN: add support for Microsoft Multiplexed TURN channels (#2464)Ivan Nardi2024-06-05
|
* TLS: add support for DTLS (over STUN) over TCP (#2463)Ivan Nardi2024-06-05
| | | | | TODO: TCP reassembler on top of UDP reassembler See: #2414
* CI: more parallel work (#2459)Ivan Nardi2024-06-05
|
* Update unit tests results (#2466)Ivan Nardi2024-06-05
|
* Fixes accounting of number of processed packets in ↵Luca Deri2024-06-04
| | | | ndpi_internal_detection_process_packet()
* RTP: fix detection over TCP (#2462)Ivan Nardi2024-05-29
| | | | | | RFC4571 is not the only way to wrap RTP messages in TCP streams. For example, when RTP is encapsulated over TURN flows (i.e. via DATA attribute) there is no additional framing. See also 6127e0490
* support rtp/rtcp over tcp (#2422) (#2457)Maatuq2024-05-28
| | | | | Support rtp/rtcp over tcp as per rfc4571. Signed-off-by: mmaatuq <mahmoudmatook.mm@gmail.com>
* Add ZUG consensus protocol dissector. (#2458)Toni2024-05-28
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* CiscoVPN: we detect it only over UDP (#2454)Ivan Nardi2024-05-28
| | | The original code handled also TCP/TLS, but it was removed in 6fc29b3ae
* Improved Kafka dissector. (#2456)Toni2024-05-27
| | | | | | | | | * detect more Kafka request packet's * requires less flow memory * same detection behavior as before e.g. no asym detection implemented (can be done by dissecting responses, requires more effort) Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* Rename Messenger to FacebookMessenger (#2453)Vladimir Gavrilov2024-05-23
|
* fuzz: fix build of oss-introspector (#2452)Ivan Nardi2024-05-22
|
* Sync unit tests resultsNardi Ivan2024-05-22
|
* More NDPI_PROBING_ATTEMPT changesLuca2024-05-22
|
* Added NDPI_PROBING_ATTEMPT riskLuca2024-05-22
|
* Replace ndpi_strnstr() implementation with an optimal one (#2447)Vladimir Gavrilov2024-05-22
|
* Enlarged bufferLuca Deri2024-05-22
|
* DTLS: fix JA4 fingerprint (#2446)Ivan Nardi2024-05-21
|
* Remove unused code. (#2450)Toni2024-05-21
| | | | | | | | | * some `#ifdef`ed code dates back to 2019, 2020 and 2021 * some function signatures were still present in `ndpi_main.h` which may cause linker errors for libnDPI dependee's * return an error while trying to serialize a double instead of `fprintf(stderr, ...)` Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* DTLS: add support for DTLS 1.3 (#2445)Ivan Nardi2024-05-21
|
* Follow-up of 2093ac5bf (#2451)Ivan Nardi2024-05-21
|
* CI: enable parallel tests (for x86_64, at least) (#2444)Ivan Nardi2024-05-20
| | | | | | | | | | | | | | | | | | | TODO: enable parallel tests when using docker with no-x86_64 archs. When I tried the obviuos solutions: ``` NDPI_FORCE_PARALLEL_UTESTS=1 NDPI_SKIP_PARALLEL_BAR=1 make check VERBOSE=1 ``` I got: ``` Run configuration "caches_cfg" [--cfg=lru.ookla.size,0 --cfg=lru.msteams.ttl,1] ookla.pcap /bin/sh: 1: run_single_pcap: not found teams.pcap /bin/sh: 1: run_single_pcap: not found Run configuration "caches_global" [--cfg=lru.ookla.scope,1 --cfg=lru.bittorrent.scope,1 --cfg=lru.stun.scope,1 --cfg=lru.tls_cert.scope,1 --cfg=lru.mining.scope,1 --cfg=lru.msteams.scope,1 --cfg=lru.stun_zoom.scope,1] bittorrent.pcap /bin/sh: 1: run_single_pcap: not found lru_ipv6_caches.pcapng /bin/sh: 1: run_single_pcap: not found mining.pcapng /bin/sh: 1: run_single_pcap: not found ... ```
* Small fixes after API cleanup done in c63446e59 (#2449)Ivan Nardi2024-05-20
|
* Minor dissector optimizationsLuca Deri2024-05-20
|
* Added dpi.compute_entropy configuration parameterLuca Deri2024-05-18
|
* Cleaned up APILuca Deri2024-05-17
| | | | | | | | | Removed - int ndpi_load_ipv4_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id); - int ndpi_load_ipv6_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id); Added (it supports both IPv4 and v6) + int ndpi_load_ptree_file(ndpi_ptree_t *tree, const char *path, u_int16_t protocol_id);
* CI: add support for ubuntu-24.04 runners (#2443)Ivan Nardi2024-05-16
|
* Add Call of Duty Mobile support (#2438)Vladimir Gavrilov2024-05-15
|
* Parallel execution of unit tests (#2435)Ivan Nardi2024-05-15
| | | | | | | | | | | | | | | | | | | | | | | | Running unit tests is quite a bottleneck while developing or while waiting for GitHub CI results... Try to run the tests in parallel, using the `parallel` tool. By default, tests still run one after the other, as usual; to enable parallel execution you need `NDPI_FORCE_PARALLEL_UTESTS=1 ./tests/do.sh` Please note that the output is quite different in parallel mode! A big part of the script has been rewritten to avoid code dupication between "serial" and "parallel" path On my notebook: ``` ivan@ivan-Latitude-E6540:~/svnrepos/nDPI(parallel)$ time ./tests/do.sh [...] real 3m12,684s [...] ivan@ivan-Latitude-E6540:~/svnrepos/nDPI(parallel)$ time NDPI_FORCE_PARALLEL_UTESTS=1 ./tests/do.sh [...] real 0m58,463s ```
* H323: improve detection and avoid false positives (#2432)Ivan Nardi2024-05-11
|
* Revert `ndpi_strnstr()` optimization introduced in a813121e0 (#2439)Ivan Nardi2024-05-11
| | | | | New implementation fails tests 11b, 12 and 13. Revert to the original (BSD) implementation (with also some basic parameters check)
* Add Ethernet Global Data support (#2437)Vladimir Gavrilov2024-05-11
|
* IRC: simplify detection (#2423)Ivan Nardi2024-05-11
| | | | | | | | | | | | | | | | IRC has its best times well behind, but there are still some servers using it. We should try to simplify the detection logic, still based on OpenDPI logic. Let's start with some easy changes: * try to detect TLS connection via standard hostname/SNI matching, removing an old heuristic (we have never had any trace matching it); * add some basic server names; * once we detect that the flow is IRC, we don't have to perform anything else; * remove HTTP stuff; real HTTP flows never trigger that data path * use `ndpi_memmem()` when possible
* Remove Vevo support (#2436)Vladimir Gavrilov2024-05-11
| | | Co-authored-by: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
* Viber: add detection of voip calls and avoid false positives (#2434)Ivan Nardi2024-05-11
|
* `ndpi_strnstr()` optimization (#2433)Vladimir Gavrilov2024-05-10
|
* Line: use common helper to detect RTP/RTCP packets (#2429)Ivan Nardi2024-05-10
| | | | Add an explicit upper limit on the number of packets processed before giving up.
* Update README.mdLuca Deri2024-05-10
|
* Raknet/RTP: avoid Raknet false positives and harden RTP heuristic (#2427)Ivan Nardi2024-05-09
| | | | | | | | | There is some overlap between RTP and Raknet detection: give precedence to RTP logic. Consequences: * Raknet might require a little bit more packets for some flows (not a big issue) * some very small (1-2 pkts) Raknet flows are not classified (not sure what do do about that..)
* Added #ifdef for Windows builds (#2431)Luca Deri2024-05-09
|
* Protobuf: fix false positives (#2428)Ivan Nardi2024-05-09
|
* Add extra entropy checks and more precise(?) analysis. (#2383)Toni2024-05-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Fix a memory access error and some leaks (#2425)Ivan Nardi2024-05-08
| | | | | | | | | | | | | | | | | | | | | ``` SCARINESS: 12 (1-byte-read-heap-buffer-overflow) #0 0x557f3a5b5100 in ndpi_get_host_domain /src/ndpi/src/lib/ndpi_domains.c:158:8 #1 0x557f3a59b561 in ndpi_check_dga_name /src/ndpi/src/lib/ndpi_main.c:10412:17 #2 0x557f3a51163a in process_chlo /src/ndpi/src/lib/protocols/quic.c:1467:7 #3 0x557f3a469f4b in LLVMFuzzerTestOneInput /src/ndpi/fuzz/fuzz_quic_get_crypto_data.c:44:7 #4 0x557f3a46abc8 in NaloFuzzerTestOneInput (/out/fuzz_quic_get_crypto_data+0x4cfbc8) ``` Some notes about the leak: if the insertion into the uthash fails (because of an allocation failure), we need to free the just allocated entry. But the only way to check if the `HASH_ADD_*` failed, is to perform a new lookup: a bit costly, but we don't use that code in the fast-path. See also efb261a95c5a Credits for finding the issues to Philippe Antoine (@catenacyber) and his `nallocfuzz` fuzzing engine See: https://github.com/catenacyber/nallocfuzz See: https://github.com/google/oss-fuzz/pull/9902
Powered by cgit, Themed by Ted Yin.