aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
...
* Add Ripe Atlas probe protocol. (#2473)Toni2024-06-17
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Zoom: harden RTP/RTCP detectionNardi Ivan2024-06-17
|
* Zoom: remove "stun_zoom" LRU cacheNardi Ivan2024-06-17
| | | | | Since 070a0908b we are able to detect P2P calls directly from the packet content, without any correlation among flows
* Update main Readme and remove commented out code (#2471)Ivan Nardi2024-06-17
| | | | Avoid that useless code is copy-and-pasted into new dissector, as in https://github.com/ntop/nDPI/pull/2470#discussion_r1639384434
* Added protocol - JRMI - Java Remote Method Invocation (#2470)Mark Jeffery2024-06-15
|
* Improved detection of Android connectiity checksLuca2024-06-12
|
* Zoom: fix integer overflow (#2469)Ivan Nardi2024-06-10
| | | | | | | | | | | | | | ``` AddressSanitizer:DEADLYSIGNAL ================================================================= ==29508==ERROR: AddressSanitizer: SEGV on unknown address 0x50710145d51d (pc 0x55cb788f25fe bp 0x7ffcfefa15f0 sp 0x7ffcfefa1240 T0) ==29508==The signal is caused by a READ memory access. #0 0x55cb788f25fe in ndpi_search_zoom /home/ivan/svnrepos/nDPI/src/lib/protocols/zoom.c:210:24 #1 0x55cb787e9418 in check_ndpi_detection_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7174:6 #2 0x55cb7883f753 in check_ndpi_udp_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7209:10 #3 0x55cb7883bc9d in ndpi_check_flow_func /home/ivan/svnrepos/nDPI/src/lib/ndpi_main.c:7240:12 ``` Found by oss-fuzzer See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=69520
* RTP/STUN: look for STUN packets after RTP/RTCP classification (#2465)Ivan Nardi2024-06-07
| | | | | | | | | | After a flow has been classified as RTP or RTCP, nDPI might analyse more packets to look for STUN/DTLS packets, i.e. to try to tell if this flow is a "pure" RTP/RTCP flow or if the RTP/RTCP packets are multiplexed with STUN/DTLS. Useful for proper (sub)classification when the beginning of the flows are not captured or if there are lost packets in the the captured traffic. Disabled by default
* Zoom: faster detection of P2P flows (#2467)Ivan Nardi2024-06-07
|
* STUN: add support for Microsoft Multiplexed TURN channels (#2464)Ivan Nardi2024-06-05
|
* TLS: add support for DTLS (over STUN) over TCP (#2463)Ivan Nardi2024-06-05
| | | | | TODO: TCP reassembler on top of UDP reassembler See: #2414
* RTP: fix detection over TCP (#2462)Ivan Nardi2024-05-29
| | | | | | RFC4571 is not the only way to wrap RTP messages in TCP streams. For example, when RTP is encapsulated over TURN flows (i.e. via DATA attribute) there is no additional framing. See also 6127e0490
* support rtp/rtcp over tcp (#2422) (#2457)Maatuq2024-05-28
| | | | | Support rtp/rtcp over tcp as per rfc4571. Signed-off-by: mmaatuq <mahmoudmatook.mm@gmail.com>
* Add ZUG consensus protocol dissector. (#2458)Toni2024-05-28
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* CiscoVPN: we detect it only over UDP (#2454)Ivan Nardi2024-05-28
| | | The original code handled also TCP/TLS, but it was removed in 6fc29b3ae
* Improved Kafka dissector. (#2456)Toni2024-05-27
| | | | | | | | | * detect more Kafka request packet's * requires less flow memory * same detection behavior as before e.g. no asym detection implemented (can be done by dissecting responses, requires more effort) Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
* DTLS: fix JA4 fingerprint (#2446)Ivan Nardi2024-05-21
|
* DTLS: add support for DTLS 1.3 (#2445)Ivan Nardi2024-05-21
|
* Follow-up of 2093ac5bf (#2451)Ivan Nardi2024-05-21
|
* Minor dissector optimizationsLuca Deri2024-05-20
|
* Add Call of Duty Mobile support (#2438)Vladimir Gavrilov2024-05-15
|
* H323: improve detection and avoid false positives (#2432)Ivan Nardi2024-05-11
|
* Add Ethernet Global Data support (#2437)Vladimir Gavrilov2024-05-11
|
* IRC: simplify detection (#2423)Ivan Nardi2024-05-11
| | | | | | | | | | | | | | | | IRC has its best times well behind, but there are still some servers using it. We should try to simplify the detection logic, still based on OpenDPI logic. Let's start with some easy changes: * try to detect TLS connection via standard hostname/SNI matching, removing an old heuristic (we have never had any trace matching it); * add some basic server names; * once we detect that the flow is IRC, we don't have to perform anything else; * remove HTTP stuff; real HTTP flows never trigger that data path * use `ndpi_memmem()` when possible
* Viber: add detection of voip calls and avoid false positives (#2434)Ivan Nardi2024-05-11
|
* Line: use common helper to detect RTP/RTCP packets (#2429)Ivan Nardi2024-05-10
| | | | Add an explicit upper limit on the number of packets processed before giving up.
* Raknet/RTP: avoid Raknet false positives and harden RTP heuristic (#2427)Ivan Nardi2024-05-09
| | | | | | | | | There is some overlap between RTP and Raknet detection: give precedence to RTP logic. Consequences: * Raknet might require a little bit more packets for some flows (not a big issue) * some very small (1-2 pkts) Raknet flows are not classified (not sure what do do about that..)
* Protobuf: fix false positives (#2428)Ivan Nardi2024-05-09
|
* Add extra entropy checks and more precise(?) analysis. (#2383)Toni2024-05-09
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Renamed radius source file to avoid name clashes on WindowsLuca Deri2024-05-07
|
* TLS: avoid setting `NDPI_TLS_SELFSIGNED_CERTIFICATE` for webrtc traffic (#2417)Ivan Nardi2024-05-06
| | | | | | See RFC8122: it is quite likely that STUN/DTLS/SRTP flows use self-signed certificates Follow-up of b287d6ec8
* Merge RTP and RTCP logic (#2416)Ivan Nardi2024-05-06
| | | | | | | | | Avoid code duplication between these two protocols. We remove support for RTCP over TCP; it is quite rare to find this kind of traffic and, more important, we have never had support for RTP over TCP: we should try to add both detecion as follow-up. Fix a message log in the LINE code
* TLS: fix Ja4 fingerprint computation (#2419)Ivan Nardi2024-05-05
| | | | | | | | | | | | | | | | | The new values has been checked against the ones reported by Wireshark. Found while fixing a Use-of-uninitialized-value error reported by oss-fuzz ``` ==7582==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x5a6549abc368 in ndpi_compute_ja4 ndpi/src/lib/protocols/tls.c:1762:10 #1 0x5a6549ab88a0 in processClientServerHello ndpi/src/lib/protocols/tls.c:2863:10 #2 0x5a6549ac1452 in processTLSBlock ndpi/src/lib/protocols/tls.c:909:5 #3 0x5a6549abf588 in ndpi_search_tls_tcp ndpi/src/lib/protocols/tls.c:1098:2 #4 0x5a65499c53ec in check_ndpi_detection_func ndpi/src/lib/ndpi_main.c:7215:6 ``` See: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68449&q=ndpi&can=1&sort=-id
* eDonkey: improve/update classification (#2410)Ivan Nardi2024-05-04
| | | | | | | | | | eDonkey is definitely not as used as >10 years ago, but it seems it is still active. While having a basic TCP support seems easy, identification over UDP doesn't work and it is hard to do it rightly (packets might be only 2 bytes long): remove it. Credits to V.G <v.gavrilov@securitycode.ru>
* Fixes JA4 computation adding a better GREASE detect funzionLuca Deri2024-05-02
|
* DTLS: add support for Alert message type (similar to TLS) (#2406)Ivan Nardi2024-04-25
|
* Remove PPStream protocol and add iQIYI (#2403)0x41CEA552024-04-23
| | | | | | P2P video player PPStream was discontinued shortly after the purchase of PPS.tv by Baidu (iQIYI) on 2013 (see https://www.techinasia.com/report-baidu-acquires-video-rival-pps) So we remove the old `NDPI_PROTOCOL_PPSTREAM` logic and add `NDPI_PROTOCOL_IQIYI` id to handle all the iQIYI traffic, which is basically video streaming traffic. A video hosting service, called PPS.tv, is still offered by the same company: for the time being we classified both services with the same protocol id.
* Add BFCP protocol support (#2401)0x41CEA552024-04-23
|
* STUN: slightly faster sub-classification with DTLS (#2404)Ivan Nardi2024-04-23
|
* Replace my personal email with my corporate one in all my contributions (#2399)0x41CEA552024-04-20
|
* Remove obsolete protocols: tuenty, tvuplayer and kontiki (#2398)0x41CEA552024-04-19
|
* Add KNXnet/IP protocol support (#2397)0x41CEA552024-04-19
| | | | | * Add KNXnet/IP protocol support * Improve KNXnet/IP over TCP detection
* Domain Classification Improvements (#2396)Luca Deri2024-04-18
| | | | | | | | | | | | | | | | | | | * Added size_t ndpi_compress_str(const char * in, size_t len, char * out, size_t bufsize); size_t ndpi_decompress_str(const char * in, size_t len, char * out, size_t bufsize); used to compress short strings such as domain names. This code is based on https://github.com/Ed-von-Schleck/shoco * Major code rewrite for ndpi_hash and ndpi_domain_classify * Improvements to make sure custom categories are loaded and enabled * Fixed string encoding * Extended SalesForce/Cloudflare domains list
* STUN: fix attributes list iteration (#2391)Ivan Nardi2024-04-13
| | | We need to check all the attributes, to look for any possible metadata
* STUN: try to stop extra dissection earlier, if possible (#2390)Ivan Nardi2024-04-13
|
* STUN: add support for ipv6 in some metadata (#2389)Ivan Nardi2024-04-13
|
* STUN: simplify ip/port parsing (#2388)Ivan Nardi2024-04-13
| | | Add other 2 configuration options
* STUN: fix boundary checks on attribute list parsing (#2387)Ivan Nardi2024-04-12
| | | | | Restore all unit tests. Add some configuration knobs. Fix the endianess.
* Implemented STUN peer_address, relayed_address, response_origin, ↵Luca Deri2024-04-12
| | | | | | | other_address parsing Added code to ignore invalid STUN realm Extended JSON output with STUN information
* fix invalid readToni Uhlig2024-04-12
| | | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Powered by cgit, Themed by Ted Yin.