aboutsummaryrefslogtreecommitdiff
path: root/src/lib/protocols
Commit message (Collapse)AuthorAge
* Z39.50: avoid false positives (#2938)Ivan Nardi2025-08-08
| | | Close #2540
* HTTP: fix protocol stack for some proxy flows (#2935)Ivan Nardi2025-08-07
|
* Add Mudfish protocol dissector (#2932)Toni2025-08-06
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Minor hostanme cache optimizationLuca Deri2025-08-06
|
* Code cleanupLuca2025-08-05
|
* Implemented NDPI_UNRESOLVED_HOSTNAME flow risk for detecting flows ↵Luca2025-08-04
| | | | | | | | | | | | | | (TLS/QUIC/HTTP) whose hostname was not previously resolved via DNS. Added new API calls - bool ndpi_cache_hostname_ip(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t *ip_addr, char *hostname); - bool ndpi_cache_find_hostname_ip(struct ndpi_detection_module_struct *ndpi_struct, ndpi_ip_addr_t *ip_addr, char *hostname); - void ndpi_cache_hostname_ip_swap(struct ndpi_detection_module_struct *ndpi_struct); Usage example: - ./example/ndpiReader --cfg hostname_dns_check,1 -i tests/pcap/netflix.pcap
* Add the concept of protocols stack: more than 2 protocols per flow (#2913)Ivan Nardi2025-08-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The idea is to remove the limitation of only two protocols ("master" and "app") in the flow classifcation. This is quite handy expecially for STUN flows and, in general, for any flows where there is some kind of transitionf from a cleartext protocol to TLS: HTTP_PROXY -> TLS/Youtube; SMTP -> SMTPS (via STARTTLS msg). In the vast majority of the cases, the protocol stack is simply Master/Application. Examples of real stacks (from the unit tests) different from the standard "master/app": * "STUN.WhatsAppCall.SRTP": a WA call * "STUN.DTLS.GoogleCall": a Meet call * "Telegram.STUN.DTLS.TelegramVoip": a Telegram call * "SMTP.SMTPS.Google": a SMTP connection to Google server started in cleartext and updated to TLS * "HTTP.Google.ntop": a HTTP connection to a Google domain (match via "Host" header) and to a ntop server (match via "Server" header) The logic to create the stack is still a bit coarse: we have a decade of code try to push everything in only ywo protocols... Therefore, the content of the stack is still **highly experimental** and might change in the next future; do you have any suggestions? It is quite likely that the legacy fields "master_protocol" and "app_protocol" will be there for a long time. Add some helper to use the stack: ``` ndpi_stack_get_upper_proto(); ndpi_stack_get_lower_proto(); bool ndpi_stack_contains(struct ndpi_proto_stack *s, u_int16_t proto_id); bool ndpi_stack_is_tls_like(struct ndpi_proto_stack *s); bool ndpi_stack_is_http_like(struct ndpi_proto_stack *s); ``` Be sure new stack logic is compatible with legacy code: ``` assert(ndpi_stack_get_upper_proto(&flow->detected_protocol.protocol_stack) == ndpi_get_upper_proto(flow->detected_protocol)); assert(ndpi_stack_get_lower_proto(&flow->detected_protocol.protocol_stack) == ndpi_get_lower_proto(flow->detected_protocol)); ```
* Whois/DAS: avoid false positives (#2925)Ivan Nardi2025-07-30
| | | Close #2922
* TypoLuca Deri2025-07-18
|
* Fix JA4 fingerprinting (#2915)Adrian Pekar2025-07-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Fix JA4 ALPN fingerprint to use first and last characters According to the JA4 specification (line 2139), the ALPN field should contain the first and last characters of the first ALPN extension value. Currently, nDPI uses the first and second characters (alpn[0] and alpn[1]), which produces incorrect fingerprints that don't match other JA4 implementations like Wireshark. For example, with ALPN 'http/1.1': - Current (incorrect): 'ht' (first + second char) - Fixed (correct): 'h1' (first + last char) This change ensures nDPI's JA4 implementation conforms to the official specification and maintains interoperability with other JA4 tools. Fixes: Incorrect JA4 ALPN fingerprint generation * Fix JA4 ALPN implementation to correctly parse first ALPN protocol The previous fix attempted to use strlen(ja->client.alpn)-1 but this was insufficient because nDPI modifies the ALPN string by: 1. Adding null terminators that truncate the last character 2. Converting semicolons to dashes, affecting multi-protocol ALPNs This complete fix: - Adds alpn_original_last field to store the true last character - Captures the last character of the FIRST ALPN protocol only (before ;/,) - Preserves the original character before nDPI's string modifications Now correctly implements JA4 spec: first + last characters of first ALPN protocol Examples: - ALPN 'h2;http/1.1' -> 'h2' (not 'h.' or 'h1') - ALPN 'http/1.1' -> 'h1' (not 'ht' or 'h.') Fixes: #2914 * Fix JA4 SNI detection to properly handle missing SNI extensions Previously, nDPI incorrectly set JA4 SNI flag to 'd' (domain present) for flows without any SNI extension. This was because the logic only checked for NDPI_NUMERIC_IP_HOST risk (set when SNI contains IP) but didn't distinguish between missing SNI and domain SNI. Now properly detects: - No SNI extension → 'i' flag - SNI with IP address → 'i' flag - SNI with domain → 'd' flag This matches the JA4 specification.
* Added EasyWeather protocol dissector (#2912)Toni2025-07-03
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* websocket: `ndpi_set_detected_protocol()` should be called only onceIvan Nardi2025-07-02
| | | | Fix: b07a910dc
* DNS: `ndpi_match_host_subprotocol()` should be called only onceIvan Nardi2025-07-01
|
* websocket: `ndpi_set_detected_protocol()` should be called only once (#2911)Ivan Nardi2025-07-01
|
* Jabber: proper subclassification of TruPhoneIvan Nardi2025-07-01
|
* STUN: don't check `NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT` flow risk (#2901)Ivan Nardi2025-06-23
|
* Merged protocols (now free to use) into existing categoriesLuca Deri2025-06-17
| | | | | - AdultContent -> Category Adult Content - LLM -> Category Artificial Intelligence
* Add GLBP dissector (#2879)Vladimir Gavrilov2025-06-10
| | | GLBP is a Cisco proprietary first-hop redundancy protocol similar to HSRP and VRRP, but with additional load balancing capabilities.
* Simplified codeLuca Deri2025-06-09
|
* Fixes invalid SSH client/server detection based on stage and not on packet ↵Luca Deri2025-06-08
| | | | direction
* Sync unit tests results and fix `NDPI_HTTP_SUSPICIOUS_HEADER` (#2874)Ivan Nardi2025-06-08
|
* Improved HTTP risk reportLuca Deri2025-06-08
| | | | PCRE2 is now enabled (if present) by default as necessary to report some HTTP risks
* Improved HTTP risk message reportLuca Deri2025-06-05
|
* Hamachi: improve handshake check (#2861)Vladimir Gavrilov2025-06-03
|
* First step into a dynamic number of protocols (#2857)Ivan Nardi2025-06-03
| | | | | | | | | | | | | We want to get rid of the defines `NDPI_MAX_SUPPORTED_PROTOCOLS` and `NDPI_MAX_NUM_CUSTOM_PROTOCOLS`. You can use: ``` ndpi_get_num_protocols() ``` See #2136 Removed some unused functions from public API
* New API to enable/disable protocols; remove ↵Ivan Nardi2025-06-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | `ndpi_set_protocol_detection_bitmask2()` (#2853) The main goal is not to have the bitmask depending on the total number of protocols anymore: `NDPI_INTERNAL_PROTOCOL_BITMASK` depends only on internal protocols, i.e. on `NDPI_MAX_INTERNAL_PROTOCOLS`, i.e. custom-defined protocols are not counted. See #2136 Keep the old data structure `NDPI_PROTOCOL_BITMASK` with the old semantic. Since we need to change the API (and all the application code...) anyway, simplify the API: by default all the protocols are enabled. If you need otherwise, please use `ndpi_init_detection_module_ext()` instead of `ndpi_init_detection_module()` (you can find an example in the `ndpiReader` code). To update the application code you likely only need to remove these 3 lines from your code: ``` - NDPI_PROTOCOL_BITMASK all; - NDPI_BITMASK_SET_ALL(all); - ndpi_set_protocol_detection_bitmask2(ndpi_str, &all); ``` Removed an unused field and struct definition.
* Add Hamachi protocol detection support (#2860)Vladimir Gavrilov2025-06-02
|
* BFCP: fix check on payload length and extract metadata (#2854)Ivan Nardi2025-05-26
| | | | | | We should be able to identified this protocol on the first packet, without keeping any state Close #2745
* Dofus: update detection to version 3.X (#2852)Ivan Nardi2025-05-25
| | | See #2827
* Fix some warnings reported by scan-build (#2851)Ivan Nardi2025-05-25
| | | Close #2807
* Add ndpi_memcasecmp, refactor mail protocol dissectors (#2849)Vladimir Gavrilov2025-05-24
|
* A new interface for dissectors registration (#2843)Ivan Nardi2025-05-24
| | | | | | | | | | | | | | | | | | | | | We use `registr_dissector()` instead of `ndpi_set_bitmask_protocol_detection()`. Every file in `src/lib/protocols/*.c` is a dissector. Every dissector can handle multiple protocols. The real goal is this small change: ``` struct call_function_struct { - NDPI_PROTOCOL_BITMASK detection_bitmask; ``` i.e. getting rid of another protocol bitmask: this is mandatory to try to fix #2136 (see also e845e8205b68752c997d05224d8b2fd45acde714) As a nice side effect, we remove a bitmask comparison in the hot function `check_ndpi_detection_func()` TODO: change logging configuration from per-protocol to per-dissector
* Simplify ZeroMQ detection (#2847)Vladimir Gavrilov2025-05-23
|
* Add MELSEC protocol support (#2846)Vladimir Gavrilov2025-05-23
|
* IPP: fix selection bitmask (#2845)Ivan Nardi2025-05-22
| | | | IPP is identified *only* as HTTP subprotocol, so it can't be over UDP (HTTP is only over TCP...)
* Improve BFCP detection (#2844)Vladimir Gavrilov2025-05-22
| | | Co-authored-by: Ivan Nardi <nardi.ivan@gmail.com>
* VRRP: add missing dissector registration (#2842)Ivan Nardi2025-05-21
|
* ospf, ipsec: use different ids for protocols at layer3 (#2838)Ivan Nardi2025-05-21
| | | | | | | | | | | | | | | | | | | | | | Don't use the same id for the same protocol identified via L3 info or via standard TCP/UDP detection (example: ospf ip_proto 0x59 or TCP port 2604) Before: ``` ivan@ivan-Precision-3591:~/svnrepos/nDPI(dev)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF' 79 79 IPSec UDP X Safe VPN 500,4500 500 85 85 OSPF X Acceptable Network - 2604 ``` After: ``` ivan@ivan-Precision-3591:~/svnrepos/nDPI(ospf-ipsec)$ ./example/ndpiReader -H | grep -wE 'OSPF|IPSec|AH|ESP|IP_OSPF' 79 79 IPSec UDP X Safe VPN 500,4500 500 85 85 IP_OSPF X Acceptable Network - - 116 116 AH X Safe VPN - - 117 117 ESP X Safe VPN - - 184 184 OSPF TCP X Safe Network - 2604 ```
* Drop GW1 support and add basic GW2 detection (#2836)Vladimir Gavrilov2025-05-21
|
* CrossFire: update code (#2834)Vladimir Gavrilov2025-05-21
|
* Minor simplification on protocol/dissector registration (#2833)Ivan Nardi2025-05-20
|
* Gnutella: avoid false positives (#2832)Ivan Nardi2025-05-20
|
* Gnutella: simplify code, to support only gtk-gnutella client (#2830)Ivan Nardi2025-05-20
| | | Close #2818
* Remove duplicate ALPS extension (#2821)FS2025-05-19
| | | | | * Removed dupe extension * Removed ECH from suspicious extensions
* Drop Warcraft 3 (pre Reforged) support (#2826)Vladimir Gavrilov2025-05-19
|
* TLS: register TLS dissector only once (#2825)Ivan Nardi2025-05-19
| | | | This is the first, tiny, step into a better separation between "protocols" and "dissectors"
* RTSP: simplify detection (#2822)Ivan Nardi2025-05-18
|
* Remove Half-Life 2 support; improve Source Engine protocol detection0xA50C1A12025-05-16
|
* Rename Lotus Notes to HCL Notes for product consistency0xA50C1A12025-05-15
|
* Remove Vhua support (#2816)Vladimir Gavrilov2025-05-15
|