| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | |
|
| | |
|
| |
|
|
| |
We should check if the initialization was fine or not
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the first step into providing (more) configuration options in nDPI.
The idea is to have a simple way to configure (most of) nDPI: only one
function (`ndpi_set_config()`) to set any configuration parameters
(in the present or on in the future) and we try to keep this function
prototype as agnostic as possible.
You can configure the library:
* via API, using `ndpi_set_config()`
* via a configuration file, in a text format
This way, anytime we need to add a new configuration parameter:
* we don't need to add two public functions (a getter and a setter)
* we don't break API/ABI compatibility of the library; even changing
the parameter type (from integer to a list of integer, for example)
doesn't break the compatibility.
The complete list of configuration options is provided in
`doc/configuration_parameters.md`.
As a first example, two configuration knobs are provided:
* the ability to enable/disable the extraction of the sha1 fingerprint of
the TLS certificates.
* the upper limit on the number of packets per flow that will be subject
to inspection
|
| |
|
|
|
|
|
|
|
|
| |
- ndpi_load_domain_suffixes()
- ndpi_get_host_domain_suffix()
whose goal is to find the domain name of a hostname. Example:
www.bbc.co.uk -> co.uk
mail.apple.com -> com
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove some unreached/duplicated code.
Add error checking for `atoi()` calls.
About `isdigit()` and similar functions. The warning reported is:
```
Negative Character Value help
isdigit() is invoked here with an argument of signed type char, but only
has defined behavior for int arguments that are either representable
as unsigned char or equal to the value of macro EOF(-1).
Casting the argument to unsigned char will avoid the undefined behavior.
In a number of libc implementations, isdigit() is implemented using lookup
tables (arrays): passing in a negative value can result in a read underrun.
```
Switching to our macros fix that.
Add a check to `check_symbols.sh` to avoid using the original functions
from libc.
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
* support for using a new flow callback invoked before the flow memory is free'd
* minor fixes
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We shouldn't have the same default port associated with multiple
protocols. The key reason is that we use only one of them (for
classification by-port, for example) and which one we really use
depends on the internal order of the protocolsi's initialization (which
is unknown to the user).
We have 3 port collisions:
* 8009: AJP and CiscoVPN
* 445: SMBv1 and SMBv23
* 8080: HTTP_Connect and HTTP_Proxy
I think that the two last cases don't really matter...
About the first one: it seems that CiscoVPN is retired from 2011/2014
(see
https://www.cisco.com/c/en/us/obsolete/security/cisco-vpn-client.html)
and superseded by AnyConnect, which uses different ports (see
https://community.cisco.com/t5/network-security/what-protocols-are-used-on-anyconnect-mobility-client/td-p/4713525).
Therefore it should be safe to remove 8009 from the CiscoVPN default
ports.
|
| |
|
|
|
| |
* Add Ceph protocol dissector
* Update protocols.rst
|
| |
|
|
|
|
|
| |
* Add HL7 protocol dissector
* Small fixes
* Small fixes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add IEC62056 (DLMS/COSEM) protocol dissector
* Fix detection on big endian architectures
* Update protocols.rst
* Add ndpi_crc16_x25 to fuzz/fuzz_alg_crc32_md5.c
* Update pcap sample
* Remove empty .out file
* iec62056: add some documentation
---------
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
|
| |
|
|
|
| |
* Remove Google Hangouts/Duo support
* Update protocols.rst
|
| |
|
|
|
|
|
|
|
| |
* Add NoMachine protocol dissector
* Fix detection on big endian architectures
* Make NoMachine over UDP check more strict
* Small fixes
|
| |
|
|
|
| |
* Added ndpi_sha256.c to the Windows project
* Added ndpi_sha256() nDPI API call
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Add WebDAV detection support
* Add pcap example
* Update test results
* Remove redundant checks
* Add WebDAV related HTTP methods to fuzz/dictionary.dict
* Add note about WebDAV
|
| | |
|
| |
|
|
|
|
|
| |
* Add JSON-RPC protocol dissector
* Small fixes
* Improve detection
|
| | |
|
| |
|
|
|
|
|
| |
* Rename NDPI_PROTOCOL_RPC to NDPI_PROTOCOL_MS_RPCH
* Add protocol description
* Improve MS-RPCH detection
|
| |
|
|
|
|
|
| |
* Add UFTP protocol dissector
* Update docs
* Merge pcap files
|
| |
|
|
|
| |
* Add HiSLIP protocol dissector
* Fix error
|
| |
|
|
|
|
|
|
|
| |
* Add PROFINET/IO protocol dissector
* Add LE (Little Endian) to the file name
* Rework dissector
* Remove redundant check
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
|
|
| |
Keep looking for RTP packets but remove the monitoring concept.
We will re-introduce a more general concept of "flow in monitoring
state" later.
The function was disabled by default.
Some configuration knobs will be provided when/if #2190 is merged.
|
| | |
|
| | |
|
| |
|
| |
See: #2191
|
| |
|
|
| |
* Add ISO 9506-1 MMS protocol dissector
* Fix detection on big-endian architectures
|
| |
|
|
|
|
|
| |
* Add Beckhoff ADS protocol dissector
* Remove redundant le32toh
* Fix detection on big-endian architectures
|
| |
|
|
|
|
| |
Extract only the headers that we really need/use.
Avoid too many `strcmp`; the algorithm might be a little bit
overwhelming right now but it might be useful if we have further headers
in the future.
|
| |
|
| |
See: b08c787fe
|
| |
|
|
|
|
|
| |
We need to take into account retransmissions: they increase
`flow->all_packets_counter` counter but not `flows->packet_counter`
one.
Therefore, the right way to check for 3WH + RST pattern involves checking
for `flows->packet_counter == 0`
|
| |
|
|
|
|
|
| |
* Add Schneider Electric’s UMAS detection support
* Swap proto IDs in ndpi_set_detected_protocol
* Update unit test result
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* Add Omron FINS protocol dissector
* Add a kludge to avoid invalid FINS over UDP detection as SkypeTeams and RTP
* Update unit test results
* Update protocols.rst
* Remove dummy flows from fins.pcap
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Rework S7Comm dissector; add S7Comm Plus support
* Cleanup s7comm.c
* Improve S7Comm Plus detection
* s7comm/s7commplus: faster detection
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
|
| | |
|
| |
|
|
|
|
| |
Keep demultiplexing STUN/RTP/RTCP packets after DTLS ones.
We might end up processing the session a little longer, because we will
process the STUN/RTP/RTCP packets after the DTLS handshake.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add HART-IP protocol dissector
* Update docs
* Update protocols.rst
* Reuse free proto id and re-run tests
* docs: move HART-IP to top of list
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add IEEE 1588-2008 (PTPv2) dissector
PTPv2 is a time synchronization protocol in computer networks, similar to NTP.
* Add default protocol ports
* Update default test result for PTPv2
* Update copyright
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove Google+ support
Google+ was discontiued in 2019, so I think that its protocol id can be freed for reuse.
* Fix typo
* Update tests
---------
Co-authored-by: 0xA50C1A1 <mage.wizard88@gmail.com>
|
| |
|
|
| |
We are loading the same AS list as GOTO
See #2150
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
1) Public API/headers in `src/include/` [as it has always been]
2) Private API/headers in `src/lib/`
Try to keep the "ndpi_" prefix only for the public functions
|
| |
|
|
|
|
|
|
|
|
| |
We are not able to remove custom rules: remove the empty stubs (which
originate from the original OpenDPI code).
`ndpi_guess_protocol_id()` is only called on the first packet of the
flow, so the bitmask `flow->excluded_protocol_bitmask` is always empty,
since we didn't call any dissectors yet.
Move another hash function to the dedicated source file.
|