| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Fix: 2c7fb9179
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Attribute 0xC057 is defined in the Google public implementation of
webrtc (which is used by Google products but also by other applications)
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Regardless of the name, the removed trace doesn't contain meaningful
Hangout traffic.
Remove last piece of sub-classifiction based only on ip addresses.
|
| | |
|
| |
|
|
|
| |
The two fields `flow->flow_type` and `flow->protos.rtp.stream_type` are
pretty much identical: rename the former in `flow->flow_multimedia_type`
and remove the latter.
|
| | |
|
| |
|
|
|
|
|
| |
Try avoiding false positives: look for 3 RTP packets before classifing
the flow as such.
Add a generic function `is_rtp_or_rtcp()` to identify RTP/RTCP packets also
in other dissectors (see 3608ab01b commit message for an example)
|
| |
|
|
|
| |
fixed 'handle leak' in ndpi_load_malicious_sha1_file and removed the redundant comparison ndpi_search_eaq
Co-authored-by: Ivan Kapranov <i.kapranov@securitycode.ru>
|
| | |
|
| | |
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| | |
|
| |
|
|
| |
TCP framing is optional
|
| | |
|
| | |
|
| |
|
|
| |
Look for RTP packets in the STUN sessions.
TODO: tell RTP from RTCP
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Found while fuzzing
|
| |
|
|
|
|
| |
See: https://www.rfc-editor.org/rfc/rfc9369.txt
Old v2-01 version has been removed, since it has never been really used.
|
| |
|
|
|
| |
* fixed numtrunc error in protocols/tls.c
* fixed build error for tls.c
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add bitcoing protocol dissector.
* remove bitcoin protcol detection from mining.c
* add a new bitcoin deissector.
* add a new category: Cryptocurrency.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
* Remove useless checks and add missing windows and docs file.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
* update affected tests.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
* add a brief version.
Add notes on the difference between normal bitcoin protocol and the
mining protocol.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
* update enable_payload_stat test after dev rebasing.
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
---------
Signed-off-by: Mahmoud Maatuq <mahmoudmatook.mm@gmail.com>
|
| |
|
|
|
|
| |
In the main dissector callbacks the flow protocols are (almost) always
unknown. Only two exceptions:
* extra dissection data path
* HTTP sub-protocols
|
| | |
|
| |
|
|
|
|
|
| |
The goal is to have Zoom flows classified as "Encrypted" and not as
"Cleartext".
Start documenting the list of protocols supported by nDPI;
format, verbosity and content are still a work-in-progress.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The goal if to correlate the right request-response pair, exporting
metadata from only one transaction (for example, the right url & return
state pair)
As a nice side effect, the code should be much cleaner, but that is a
matter of taste.
Two differences respect to the previous code:
* as it happens in the CI, if in the flow there are only one response
(before) and one request (after), only the metadata of the response are
saved/exported
* for performance reasons, we don't call `ndpi_parse_packet_line_info()`
anymore for ALL packets triggering the HTTP dissector, but only for the
packets that we already know belong to an HTTP flow. This is the reason
for the changes in RTSP/SOAP/... code
|
| |
|
|
|
| |
For a lot of protocols, reduce the number of packets after which the
protocols dissector gives up.
The values are quite arbitary, tring to not impact on classification
|
| |
|
| |
Add support for Facebook crawler
|
| |
|
|
| |
that in DNS (instead) are not permitted
|
| | |
|
| |
|
|
|
| |
Old nDPI versions were able to detect XBOX flows over HTTP via
user-agent matching. This feature has been removed from a long time
(89d548f9d, at very least)
|
| |
|
|
| |
It was the only remaining LRU cache without IPv6 support.
See 81e1ea545ca465cda064e7cc80333fe7f0ef2aff
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The checks `isValidMSRTPType(..) == 1` is a subset of
`is_valid_rtp_payload_type()` so this if-branch is never reached.
More importantly, the article describing how to detect Microsoft Lync and
Skype for Business is from 2014. These payload types are static or they
are in the dynamic range: in both cases, these values might be used (and
they are used indeed) pretty much by every application.
Bottom line: we can't use PT alone to identify a specific protocol.
Keep the list, since it is used to tell audio streams from video ones.
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ndpi_guess_undetected_protocol()/ndpi_internal_guess_undetected_protocol()`
is a strange function:
* it is exported by the library and it is actively used by `ntopng`
* it is intrinsecally ipv4-only
* it returns basically something like "classification_by_ip"/"classification_by_port"
(these information have already been calculated in `ndpi_do_guess()`...)
* it access the bittorrent LRU caches (similarly to
`ndpi_detection_giveup()` but without all the other caches...)
So:
* make the interface IPv4/6 agnostic
* use the classifications already available
This work will allow to make the Bittorrent caches IPV6-aware (see
81e1ea5).
Handle Dropbox classification "by-port" in the "standard" way.
|
| |
|
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
Signed-off-by: lns <matzeton@googlemail.com>
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
Add support for flows with "caching_sha2_password" authentication plugin.
See #1924
|