| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
The main goal is to have the "real" application (if any; i.e.
Signal/Whatsapp/Telegram/...) always as "application" protocol and not
as "master" one
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
* Improve TencentGames detection
* Add more signatures
|
| |
|
|
|
| |
We are able to demultiplex RTP packets in STUN flows since 3608ab01b, at
least; no need to explicity call the RTP dissector
|
| | |
|
| |
|
|
|
| |
* Add FLUTE protocol dissector
* Add flute.c to MSVC project
|
| |
|
|
|
|
| |
Tradeoff between key comparison efficiency (i.e. no `memcmp`) and key
length.
At least in the ipv4 cases, we have no more different entries with the
same key.
|
| | |
|
| | |
|
| |
|
| |
Tradeoff: performance (i.e. number of packets) vs sub-classification
|
| |
|
| |
Same logic already used for Signal/Whatsapp/Line/Facebook/...
|
| |
|
|
|
| |
* Add Path of Exile protocol dissector
* Update protocols.rst
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The basic idea is to have the following logic:
* pattern "DOMAIN" matches the domain itself (i.e exact match) *and* any
subdomains (i.e. "ANYTHING.DOMAIN")
* pattern "DOMAIN." matches *also* any strings for which is a prefix
[please, note that this kind of match is handy but it is quite
dangerous...]
* pattern "-DOMAIN" matches *also* any strings for which is a postfix
Examples:
* pattern "wikipedia.it":
* "wikipiedia.it" -> OK
* "foo.wikipedia.it -> OK
* "foowikipedia.it -> NO MATCH
* "wikipedia.it.com -> NO MATCH
* pattern "wikipedia.":
* "wikipedia.it" -> OK
* "foo.wikipedia.it -> OK
* "foowikipedia.it -> NO MATCH
* "wikipedia.it.com -> OK
* pattern "-wikipedia.it":
* "wikipedia.it" -> NO MATCH
* "foo.wikipedia.it -> NO MATCH
* "0001-wikipedia.it -> OK
* "foo.0001-wikipedia.it -> OK
Bottom line:
* exact match
* prefix with "." (always, implicit)
* prefix with "-" (only if esplicitly set)
* postfix with "." (only if esplicitly set)
That means that the patterns cannot start with '.' anymore.
Close #2330
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP
traffic
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and
75485e177ccc4fafcc62dd46c6917d5b735cf7d2.
Allow fast classification by ip, but give time to other dissectors to
kick in (for example, the TLS code for the Telegram Web flows).
Even if we don't classify it anymore at the very first packet (i.e. SYN)
we fully classify Telegram traffic at the first packet with payload, as
*any* other protocol.
This way, we always have the proper category, the proper confidence
for the UDP flows and we don't overwrite previous classifications (TLS
or ICMP)
Remove old and stale identification logic for TCP flows
|
| |
|
|
| |
path (#2320)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
* Add ANSI C12.22 protocol dissector
* Add UDP sample
|
| |
|
|
|
|
|
| |
Skype has been using standard protocols (STUN/ICE or TLS) for a long,
long time, now. Long gone are the days of Skype as a distribuited
protocol.
See: #2166
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* Add detection of Gaijin Entertainment games
* Short NDPI_PROTOCOL_GAIJINENTERTAINMENT to NDPI_PROTOCOL_GAIJIN
* Add default UDP port for Gaijin Entertainment games
* Remove NDPI_PROTOCOL_CROSSOUT protocol id
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
protocol
|
| | |
|
| |
|
|
|
| |
* Rename redis_net.c to resp.c
* Fix RESP detection
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
* Improve MySQL detection
* Update copyright
|
| |
|
|
|
| |
* Add Radmin protocol dissector
* Update test results
|
| | |
|