| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |
|
|
|
| |
Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP
traffic
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Follow up of 31c706c3dbbf0afc4c8e0a6d0bb6f20796296549 and
75485e177ccc4fafcc62dd46c6917d5b735cf7d2.
Allow fast classification by ip, but give time to other dissectors to
kick in (for example, the TLS code for the Telegram Web flows).
Even if we don't classify it anymore at the very first packet (i.e. SYN)
we fully classify Telegram traffic at the first packet with payload, as
*any* other protocol.
This way, we always have the proper category, the proper confidence
for the UDP flows and we don't overwrite previous classifications (TLS
or ICMP)
Remove old and stale identification logic for TCP flows
|
| |
|
|
| |
path (#2320)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
* Add ANSI C12.22 protocol dissector
* Add UDP sample
|
| |
|
|
|
|
|
| |
Skype has been using standard protocols (STUN/ICE or TLS) for a long,
long time, now. Long gone are the days of Skype as a distribuited
protocol.
See: #2166
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* Add detection of Gaijin Entertainment games
* Short NDPI_PROTOCOL_GAIJINENTERTAINMENT to NDPI_PROTOCOL_GAIJIN
* Add default UDP port for Gaijin Entertainment games
* Remove NDPI_PROTOCOL_CROSSOUT protocol id
|
| | |
|
| | |
|
| |
|
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
| |
protocol
|
| | |
|
| |
|
|
|
| |
* Rename redis_net.c to resp.c
* Fix RESP detection
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
| |
* Improve MySQL detection
* Update copyright
|
| |
|
|
|
| |
* Add Radmin protocol dissector
* Update test results
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
QUIC decryption fails when the Client Hello is split into multiple UDP
packets and these packets have different Destination Connection IDs
(because the server told the client to switch to a different CID; see
RFC 9000 7.2)
```
The Destination Connection ID field from the first Initial packet sent by
a client is used to determine packet protection keys for Initial packets.
[..]
Upon first receiving an Initial or Retry packet from the server, the
client uses the Source Connection ID supplied by the server as the
Destination Connection ID for subsequent packets
```
From a logical point of view, the ciphers used for decryption should be
initialized only once, with the first Initial pkt sent by the client and
kept for later usage with the following packets (if any).
However it seems that we can safely initialize them at each packet, if
we keep using the DCID of the **first** packet sent by the client.
Keep initializing the ciphers at each packet greatly simplifie this patch.
This issue has been undetected for so long because:
* in the vast majority of the cases we only decrypt one packet per flow;
* the available traces with the Client Hello split into multiple packets
(i.e. cases where we need to decrypt at least two packets per flow) were
created in a simple test environment to simulate Post-Quantum handshake,
and in that scenario the client sent all the packets (with the same
DCID) before any reply from the server.
However, in the last months all major browsers started supporting PQ
key, so it is now common to have split CH in real traffic.
Please note that in the attached example, the CH is split into 2
(in-order) fragments (in different UDP packets) and the second one in
turn is divided into 9 (out-of-order) CRYPTO frames; the reassembler
code works out-of-the-box even in this (new) scenario.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid collisions between user-ids and internal-ids protocols in the
`example/protos.txt` file.
Add a new value for the classification confidence:
`NDPI_CONFIDENCE_CUSTOM_RULE`
With `./example/ndpiReader -p example/protos.txt -H` we now see also the
custom protocols and their internal/external ids:
```
nDPI supported protocols:
Id Userd-id Protocol Layer_4 Nw_Proto Breed Category
0 0 Unknown TCP X Unrated Unspecified
...
387 387 Mumble UDP X Fun VoIP
388 388 iSCSI TCP Acceptable Unspecified
389 389 Kibana TCP Acceptable Unspecified
390 390 TestProto TCP Acceptable Unspecified
391 391 HomeRouter TCP Acceptable Unspecified
392 392 CustomProtocol TCP Acceptable Unspecified
393 393 AmazonPrime TCP Acceptable Unspecified
394 394 CustomProtocolA TCP Acceptable Unspecified
395 395 CustomProtocolB TCP Acceptable Unspecified
396 800 CustomProtocolC TCP Acceptable Unspecified
397 1024 CustomProtocolD TCP Acceptable Unspecified
398 2048 CustomProtocolE TCP Acceptable Unspecified
399 2049 CustomProtocolF TCP Acceptable Unspecified
400 2050 CustomProtocolG TCP Acceptable Unspecified
401 65535 CustomProtocolH TCP Acceptable Unspecified
```
We likely need to take a better look in general at the iteration between
internal and external protocols ids...
This PR fixes the issue observed in
https://github.com/ntop/nDPI/pull/2274#discussion_r1460674874 and in
https://github.com/ntop/nDPI/pull/2275.
|
| |
|
|
|
| |
* Add ElectronicArts detection support
* Merge electronicarts.pcapng into sites.pcapng
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| | |
|
| |
|
|
|
|
|
| |
* Fix detection of new Cassandra versions
* Add Cassandra Internode Communication protocol support
* Add default port for Cassandra Internode Communication protocol
|
| |
|
| |
Move it from the RTP code and extend it
|
| |
|
|
|
| |
When switching to (D)TLS dissector from the STUN one, we need to clear
any flow risks set from the latter (because we don't have anymore
`NDPI_PROTOCOL_STUN` in the classification results)
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Clean up Steam dissector
* Add Steam Datagram Relay dissector
* Update docs
* Update test results
* Remove csgo.c from MSVC project
* Small fixes
* Add Steam TLS pcap sample
* Merge Steam pcap samples into single one
* Fix typo
* Update test results
|
| |
|
|
|
| |
* Enable/disable sub-classification of DNS flows
* Enable/disable processing of DNS responses
|
| | |
|
| |
|
|
|
|
| |
* fix header length check: we must take into account optional extension
header
* it seems the check on UTPv1 header is weak only in the DATA case: wait
for multiple packets only in that case
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
|
| |
* Fix typo in protocols.rst
* Add PIA (Private Internet Access) support
* Update ndpi_main.c
|
| |
|
| |
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
|
| |
|
|
|
|
| |
Having smaller traces help fuzzing: we want the fuzzers to mutate
"interesting" packets analyzed by nDPI, i.e. the first packets of each
flows.
Try hard to keep the same classification and extraction capabilities
|
| | |
|
| | |
|
| |
|
|
|
| |
* Add Ceph protocol dissector
* Update protocols.rst
|
| |
|
|
|
|
|
| |
* Add HL7 protocol dissector
* Small fixes
* Small fixes
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add IEC62056 (DLMS/COSEM) protocol dissector
* Fix detection on big endian architectures
* Update protocols.rst
* Add ndpi_crc16_x25 to fuzz/fuzz_alg_crc32_md5.c
* Update pcap sample
* Remove empty .out file
* iec62056: add some documentation
---------
Co-authored-by: Nardi Ivan <nardi.ivan@gmail.com>
|
| |
|
|
|
| |
* Remove Google Hangouts/Duo support
* Update protocols.rst
|