aboutsummaryrefslogtreecommitdiff
path: root/tests/pcap
Commit message (Collapse)AuthorAge
...
* Improved Viber (TCP) detection. (#1547)Toni2022-05-10
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved Xiaomi HTTP detection. (#1546)Toni2022-05-10
| | | | | * Merged Xiaomi pcap files Signed-off-by: lns <matzeton@googlemail.com>
* Added Softether(-VPN) DDNS service detection. (#1544)Toni2022-05-09
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS alert detection. (#1542)Toni2022-05-08
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS application data detection. (#1541)Toni2022-05-08
| | | | | | * #1532 did fx TLS appdata detection only partially * use flow->l4.tcp.tls.message.buffer_used instead of packet->payload Signed-off-by: lns <matzeton@googlemail.com>
* Improved suspicious http user agent detection. (#1537)Toni2022-05-02
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved TLS application data detection. (#1532)Toni2022-04-27
| | | Signed-off-by: lns <matzeton@googlemail.com>
* XIAOMI: add detection of Xiaomi traffic (#1529)Ivan Nardi2022-04-25
| | | Most of the credits should go to @utoni (see #1521)
* Added RakNet protocol dissector. (#1527)Toni2022-04-24
| | | | | * Frame Set PDU's do not get fully dissected for the sake of simplicity Signed-off-by: lns <matzeton@googlemail.com>
* Added proprietary Agora Software Defined Real-time Network (SD-RTN) protocol ↵Toni2022-04-20
| | | | | dissector. (#1520) Signed-off-by: lns <matzeton@googlemail.com>
* Added Toca Boca protocol dissector. (#1517)Toni2022-04-19
| | | Signed-off-by: lns <matzeton@googlemail.com>
* Improved ASN.1 parsing for Keberos. Fixes #1492. (#1497)Toni2022-04-10
| | | | | | * This is a quick fix, the Kerberos protocol dissector requires some refactoring effort. Signed-off-by: Toni Uhlig <matzeton@googlemail.com> Signed-off-by: lns <matzeton@googlemail.com>
* Add support for Pluralsight site (#1503)Ivan Nardi2022-03-27
|
* [SSDP] Extract HTTP user-agent when available. (#1500)Darryl Sokoloski2022-03-27
| | | | | | [SSDP] Added capture file with UA header. [SSDP] Added pcap test output log file. Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
* QUIC: add support for version 2 draft 01 (#1493)Ivan Nardi2022-03-25
| | | | | | Support for v2-00 has been removed (it has never been used in real networks and it is incompatible with v2-01). Chrome already supports v2-01 in latest versions in Chrome Beta channel.
* QUIC: fix dissection of draft-34 (#1484)dev-1Ivan Nardi2022-03-09
| | | | QUIC-34 is probably not used in production, but fixing it is trivial and it doesn't add any noise to the already complex QUIC code.
* Extend tests coverage (#1476)Ivan Nardi2022-03-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now there is at least one flow under `tests/pcap` for 249 protocols out of the 284 ones supported by nDPI. The 35 protocols without any tests are: * P2P/sharing protocols: DIRECT_DOWNLOAD_LINK, OPENFT, FASTTRACK, EDONKEY, SOPCAST, THUNDER, APPLEJUICE, DIRECTCONNECT, STEALTHNET * games: CSGO, HALFLIFE2, ARMAGETRON, CROSSFIRE, DOFUS, FIESTA, FLORENSIA, GUILDWARS, MAPLESTORY, WORLD_OF_KUNG_FU * voip/streaming: VHUA, ICECAST, SHOUTCAST, TVUPLAYER, TRUPHONE * other: AYIYA, SOAP, TARGUS_GETDATA, RPC, ZMQ, REDIS, VMWARE, NOE, LOTUS_NOTES, EGP, SAP Most of these protocols (expecially the P2P and games ones) have been inherited by OpenDPI and have not been updated since then: even if they are still used, the detection rules might be outdated. However code coverage (of `lib/protocols`) only increases from 65.6% to 68.9%. Improve Citrix, Corba, Fix, Aimini, Megaco, PPStream, SNMP and Some/IP dissection. Treat IPP as a HTTP sub protocol. Fix Cassandra false positives. Remove `NDPI_PROTOCOL_QQLIVE` and `NDPI_PROTOCOL_REMOTE_SCAN`: these protocol ids are defined but they are never used. Remove Collectd support: its code has never been called. If someone is really interested in this protocol, we can re-add it later, updating the dissector. Add decoding of PPI (Per-Packet Information) data link type.
* Internal crypto: increase size of authentication buffer (#1468)Ivan Nardi2022-03-02
| | | | | | | Some QUIC flows are not properly decoded while using internal crypto code: the authentication buffer is too small. The new value (like the old one) is arbitrary. Close #1463
* Add ICMP checksum check and set risk if mismatch detected. (#1464)Toni2022-03-02
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* DTLS: fix access to certificate cache (#1450)Ivan Nardi2022-02-21
| | | | | | | | | | | | | | | | ``` protocols/tls.c:650:54: runtime error: member access within null pointer of type 'const struct ndpi_tcphdr' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:650:54 in protocols/tls.c:650:54: runtime error: load of null pointer of type 'const u_int16_t' (aka 'const unsigned short') SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior protocols/tls.c:650:54 in AddressSanitizer:DEADLYSIGNAL ================================================================= ==47401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f7a61b661c bp 0x7f38190f91b0 sp 0x7f38190f70e0 T1) ==47401==The signal is caused by a READ memory access. ==47401==Hint: address points to the zero page. #0 0x55f7a61b661c in processCertificateElements /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:650:41 #1 0x55f7a61ac3cc in processCertificate /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:792:7 #2 0x55f7a61d34e1 in processTLSBlock /home/ivan/svnrepos/nDPI/src/lib/protocols/tls.c:846:13 ```
* Added newflow risk NDPI_HTTP_CRAWLER_BOTLuca Deri2022-02-17
|
* HSRP: add support for IPv6 (#1440)Ivan Nardi2022-02-09
|
* Added VXLAN dissector (#1439)Dmytrii Vitman2022-02-09
| | | * RFC 7348
* Add few scripts to easily update some IPs lists (#1436)Ivan Nardi2022-02-09
| | | | | | | | | | | | | | | | | | | | | | | | * Add few scripts to easily update some IPs lists Some IPs lists should be updated frequently: try to easy the process. The basic idea is taken from d59fefd0 and a8fe74e5 (for Azure addresses): one specific .c.inc file and one script for each protocol. Add the possibility to don't load a specific list. Rename the old NDPI_PROTOCOL_HOTMAIL id to NDPI_PROTOCOL_MS_OUTLOOK, to identify Hotmail/Outlook/Exchange flows. TODO: ipv6 Remove the 9 addresses associated to BitTorrent: they have been added in e2f21116 but it is not clear why all the traffic to/from these ips should be classified as BitTorrent. * Added quotes * Added quotes Co-authored-by: Luca Deri <lucaderi@users.noreply.github.com>
* Added HSRP protocol detectionLuca Deri2022-02-08
| | | | Removed attic directory now obsolete
* Improved MDNS/LLMNR detection. (#1437)Toni2022-02-07
| | | | | | * Checking for port 5353/5355 is not enough. * Added additional multicast address and header checks. Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* Added new IDN/Punycode risk for spotting internationalized domain namesLuca2022-02-03
|
* Remove Playstation VUE protocol (#1426)Ivan Nardi2022-01-30
| | | | PS VUE service has been discontinued on January 30, 2020 https://en.wikipedia.org/wiki/PlayStation_Vue
* Extend protocols support (#1422)Ivan Nardi2022-01-29
| | | | | | | | | | | | | | | | | | Add detection of AccuWeather site/app and Google Classroom. Improve detection of Azure, Zattoo, Whatsapp, MQTT and LDAP. Fix some RX false positives. Fix some "Uncommon TLS ALPN"-risk false positives. Fix "confidence" value for some Zoom/Torrent classifications. Minor fix in Lua script for Wireshark extcap. Update .gitignore file. Let GitHub correctly detect the language type of *.inc files. Zattoo example has been provided by @subhajit-cdot in #1148.
* Improved Zoom protocol detectionLuca Deri2022-01-23
|
* Added EthernetIP dissectorLuca Deri2022-01-12
|
* GTP: fix some false positives (#1394)Ivan Nardi2022-01-08
|
* Added support for Log4J/Log4Shell detection in nDPI via a new flow risk ↵Luca Deri2021-12-23
| | | | named NDPI_POSSIBLE_EXPLOIT
* A final(?) effort to reduce memory usage per flow (#1389)Ivan Nardi2021-12-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove some unused fields and re-organize other ones. In particular: * Update the parameters of `ndpi_ssl_version2str()` function * Zattoo, Thunder: these timestamps aren't really used. * Ftp/mail: these protocols are dissected only over TCP. * Attention must be paid to TLS.Bittorrent flows to avoid invalid read/write to `flow->protos.bittorrent.hash` field. This is the last(?) commit of a long series (see 22241a1d, 227e586e, 730c2360, a8ffcd8b) aiming to reduce library memory consumption. Before, at nDPI 4.0 (more precisly, at a6b10cf7, because memory stats were wrong until that commit): ``` nDPI Memory statistics: nDPI Memory (once): 221.15 KB Flow Memory (per flow): 2.94 KB ``` Now: ``` nDPI Memory statistics: nDPI Memory (once): 231.71 KB Flow Memory (per flow): 1008 B <--------- ``` i.e. memory usage per flow has been reduced by 66%, dropping below the psychological threshold of 1 KB. To further reduce this value, we probably need to look into #1279: let's fight this battle another day.
* Improve/add several protocols (#1383)Ivan Nardi2021-12-18
| | | | | | | | | | | | | | | | | | | Improve Microsoft, GMail, Likee, Whatsapp, DisneyPlus and Tiktok detection. Add Vimeo, Fuze, Alibaba and Firebase Crashlytics detection. Try to differentiate between Messenger/Signal standard flows (i.e chat) and their VOIP (video)calls (like we already do for Whatsapp and Snapchat). Add a partial list of some ADS/Tracking stuff. Fix Cassandra, Radius and GTP false positives. Fix DNS, Syslog and SIP false negatives. Improve GTP (sub)classification: differentiate among GTP-U, GTP_C and GTP_PRIME. Fix 3 LGTM warnings.
* QUIC: add support for QUICv2 (draft 00) (#1379)Ivan Nardi2021-12-04
| | | | It is already time to start looking at the new QUIC version. See: https://datatracker.ietf.org/doc/html/draft-ietf-quic-v2-00
* Added Salesforce detectionLuca Deri2021-11-26
|
* Fix writes to `flow->protos` union fields (#1354)Ivan Nardi2021-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | We can write to `flow->protos` only after a proper classification. This issue has been found in Kerberos, DHCP, HTTP, STUN, IMO, FTP, SMTP, IMAP and POP code. There are two kinds of fixes: * write to `flow->protos` only if a final protocol has been detected * move protocol state out of `flow->protos` The hard part is to find, for each protocol, the right tradeoff between memory usage and code complexity. Handle Kerberos like DNS: if we find a request, we set the protocol and an extra callback to further parsing the reply. For all the other protocols, move the state out of `flow->protos`. This is an issue only for the FTP/MAIL stuff. Add DHCP Class Identification value to the output of ndpiReader and to the Jason serialization. Extend code coverage of fuzz tests. Close #1343 Close #1342
* Add detection of OCSP (#1370)Ivan Nardi2021-11-11
| | | | | | | | | | This protocol is detected via HTTP Content-Type header. Until 89d548f9, nDPI had a dedicated automa (`content_automa`) to classify a HTTP flow according to this header. Since then, this automa has been useless because it is always empty. Re-enable it to match only a string seems overkilling. Remove all `content_automa` leftovers.
* IMAP, POP3, SMTP: improve dissection (#1368)Ivan Nardi2021-11-11
| | | Avoid NATS false positives
* Avoid overwriting valid protocol in `ndpi_detection_giveup` (#1360)Ivan Nardi2021-10-27
| | | | | | | | | | | | | | | | | We should avoid updating any valid protocol in `ndpi_detection_giveup`; we should try to find a proper classification only if the flow is still completely unclassified. For example in the attached pcap there is a valid TLS session, recognized as such by TLS dissector. However, the `ndpi_detection_giveup`function updates it to "HTTP/TLS" (!?) simply because the server port is 80. Note that the real issue is not the wrong classification, but the wrong access to `flow->protos` union. If we already set some fields of `flow->protos` and we change the protocol in `ndpi_detection_giveup`, we might end up freeing some invalid pointers in `ndpi_free_flow_data` (no wonder this issue has been found while fuzzing #1354) Fix GIT and TLS dissectors (issues found by CI fuzzer)
* Detect invalid characters in text and set a risk. Fixes #1347. (#1363)Toni2021-10-26
| | | Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* TLS: fix a heap-buffer-overflow (#1356)Ivan Nardi2021-10-22
| | | | Revert of c3d1c697 Error reproducible with the attached pcap and valgrind
* Fix broken fuzz_process_packet fuzzer by adding a call to ↵Toni2021-10-18
| | | | | | | | | | | | ndpi_finalize_initialization(). (#1334) * fixed several memory errors (heap-overflow, unitialized memory, etc) * ability to build fuzz_process_packet with a main() allowing to replay crash data generated with fuzz_process_packet by LLVMs libfuzzer * temporarily disable fuzzing if `tests/do.sh` executed with env FUZZY_TESTING_ENABLED=1 Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
* QUIC: fix an integer overflow (#1337)Ivan Nardi2021-10-11
| | | | Long standing bug: credits to @lnslbrty for digging into it and to @aouinizied for the CI improvements
* WHOIS: enhance detection, avoiding false positives (#1320)Ivan Nardi2021-10-05
| | | We are interested only in the domain name required, not in the long reply.
* FTP: fix support for START-TLS sessionsNardi Ivan2021-09-21
| | | | | | When TLS-over-FTP is used, the credentials are encrypted. So we must not wait for the username and the password commands, otherwise we elaborate a lot of packets for nothing.
* STUN: fix extraction of Realm attributeNardi Ivan2021-09-20
| | | | While at it, improve detection of Facebook Messenger
* Added DNS fragmented test pcapLuca Deri2021-09-17
|
* Added new risk for clear text credentialsLuca Deri2021-09-10
|
Powered by cgit, Themed by Ted Yin.