From f8badefa90f0d58b95d261321c85ae879dc578e5 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sat, 28 May 2016 11:00:32 +0200 Subject: Update homebrew 1.8 formula --- packages/homebrew/ndpi.rb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/packages/homebrew/ndpi.rb b/packages/homebrew/ndpi.rb index d7c17f500..a3ea00458 100644 --- a/packages/homebrew/ndpi.rb +++ b/packages/homebrew/ndpi.rb @@ -1,14 +1,15 @@ class Ndpi < Formula desc "Deep Packet Inspection (DPI) library" homepage "http://www.ntop.org/products/ndpi/" - url "https://downloads.sourceforge.net/project/ntop/nDPI/nDPI-1.7.tar.gz" - sha256 "714b745103a072462130b0e14cf31b2eb5270f580b7c839da5cf5ea75150262d" + url "https://downloads.sourceforge.net/project/ntop/nDPI/nDPI-1.8.tgz" + sha256 "f490137a7387b69d0d55e990f2150b86d7b5eaae870e5326e8c2f18c17412443" bottle do cellar :any - sha256 "e9464d314479ba3e7a91422e0bc606cfd5f6e72e94d6441cc4fa30e9c925da5c" => :yosemite - sha256 "1d6b1d860669b42766baa276ed948c342e2fa4fd28663ba64a90fd0e200ba9c4" => :mavericks - sha256 "b814918b4fb9588de7126061ce4ac3eb41a5c3eee27c7432b669f6dc6921bfde" => :mountain_lion + sha256 "05053767fc3c70557745c348c7352e7c2716c040ca54c5cf8d5306167c878fcb" => :el_capitan + sha256 "34c0269039a0079820eeed862daa28158d9291f73f640a9415da60746d69a662" => :yosemite + sha256 "a2af4dc62c24313593b3a20e45ca9d2d49f8efc0ea5e52fd064001ea441b93e4" => :mavericks + sha256 "1bb200268a4d9df9bbe5d33bc773ee3bcf4b5d4fa00c76a040f16318438c284f" => :mountain_lion end depends_on "autoconf" => :build -- cgit v1.2.3 From 074e489fe3569d4d6d2ab9446373aa9ce53b68b4 Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Sun, 29 May 2016 10:09:07 +0200 Subject: Fix typo --- README.protocols | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.protocols b/README.protocols index 27d8c6408..1c77df15b 100644 --- a/README.protocols +++ b/README.protocols 
@@ -8,7 +8,7 @@ TCP 172.16.253.130:2021 <-> 75.147.140.249:443 [VLAN: 0][proto: 91/SSL][28 pkts/ TCP 172.16.253.130:2077 <-> 77.247.181.163:443 [VLAN: 0][proto: 91/SSL][136 pkts/94329 bytes][SSL client: www.fk4pprq42hsvl2wey.com] It can be detected by analyzing the SSL client certificate and checking the name that does not match to a real host in -addition of begin a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize +addition of being a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize SSL-tunnelled connections. See http://www.netresec.com/?page=Blog&month=2013-04&post=Detecting-TOR-Communication-in-Network-Traffic -- cgit v1.2.3 From a79b338208566c48d74a453710fef02611f13b8f Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Mon, 30 May 2016 09:09:00 +0200 Subject: Compilation fix due t pack/unpack --- src/lib/protocols/rx.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c index 319dd6d4d..505f0627b 100644 --- a/src/lib/protocols/rx.c +++ b/src/lib/protocols/rx.c @@ -30,7 +30,8 @@ /* See http://web.mit.edu/kolya/afs/rx/rx-spec for procotol description. */ /* The should be no need for explicit packing, but just in case... */ -struct __attribute__((__packed__)) ndpi_rx_header { +PACK_ON +struct ndpi_rx_header { u_int32_t conn_epoch; u_int32_t conn_id; u_int32_t call_number; @@ -42,7 +43,7 @@ struct __attribute__((__packed__)) ndpi_rx_header { u_int8_t security; u_int16_t checksum; u_int16_t service_id; -}; +} PACK_OFF; /* Type values */ #define DATA 1 -- cgit v1.2.3 From 72efa329db996a45f394457238b218252bae3e00 Mon Sep 17 00:00:00 2001 
From: Luca Deri Date: Tue, 31 May 2016 12:20:25 +0200 Subject: Enhanced fragments support in ndpiReader Improved RX protocol dissection and removed port guess as it caused false positives. --- example/ndpiReader.c | 4 +++- example/ndpi_util.c | 2 +- src/lib/ndpi_main.c | 7 +++++-- src/lib/protocols/rx.c | 5 ++--- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index f558d7b0d..1939d70cd 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -769,7 +769,9 @@ static void printResults(u_int64_t tot_usec) { memset(&cumulative_stats, 0, sizeof(cumulative_stats)); for(thread_id = 0; thread_id < num_threads; thread_id++) { - if(ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0) continue; + if((ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0) + && (ndpi_thread_info[thread_id].workflow->stats.raw_packet_count == 0)) + continue; for(i=0; indpi_flows_root[i], node_proto_guess_walker, &thread_id); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 939b3efd0..57a6505e9 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -736,7 +736,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, goto iph_check; } - if((frag_off & 0x3FFF) != 0) { + if((frag_off & 0x1FFF) != 0) { static u_int8_t ipv4_frags_warning_used = 0; workflow->stats.fragmented_count++; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 2c4b491ed..fa32146a9 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
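Review bot: With the mask narrowed to 0x1FFF in ndpi_workflow_process_packet, an IPv4 first fragment (offset 0 with the MF bit 0x2000 set) is no longer counted in fragmented_count and falls through to the dissectors as if it were a complete datagram. That appears to be the point of "enhanced fragments support", but such a packet carries a payload shorter than its IP total length advertises, so any downstream length check that trusts the IP header rather than the captured payload length would over-read; that code is outside this hunk and worth confirming. A comment at the new test would spare the next reader the same question: `/* offset != 0: non-first fragment; first fragments (MF set, offset 0) are dissected as-is */`. The enclosing function continues beyond both ends of the hunk.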
@@ -1532,8 +1532,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0); - ports_b[0].port_low = 7000; - ports_b[0].port_high = 7032; /* See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 */ + /* Port guess is disabled as this is UDP and we can figure our immediately looking + at the RX header, is this is RX or not + + See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 + */ ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_RX, no_master, no_master, "RX", diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c index 505f0627b..9d27d5e18 100644 --- a/src/lib/protocols/rx.c +++ b/src/lib/protocols/rx.c @@ -109,7 +109,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, **/ /* TYPE field */ - if((header->type < DATA) && (header->type > VERSION)) { + if((header->type < DATA) || (header->type > VERSION)) { NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); return; @@ -171,8 +171,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, security: /* SECURITY field */ - if(header->security != 0 && header->security != 1 && - header->security != 2 && header->security != 3) + if(header->security > 3) { NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); -- cgit v1.2.3 From 787be6ec081227665f3803b46bebf9496b5a5f23 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 31 May 2016 12:32:47 +0200 Subject: Improved teredo detection by discarding packets sent towards multicast addresses --- src/lib/protocols/teredo.c | 2 ++ 1 file changed, 2 insertions(+) 
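Review bot: The standalone `ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0);` context line just above the new comment is now dead: ports_b was already zeroed by the identical call that closes the preceding ndpi_set_proto_defaults(), and with the port_low/port_high assignments removed nothing writes to it before the RX call, so the line can be dropped unless the RX call's port arguments (outside the hunk) rely on something I cannot see. The new comment also has two typos that change its meaning — `/* Port guess is disabled as this is UDP and we can figure out immediately, looking at the RX header, whether this is RX or not` would read correctly. The ndpi_set_proto_defaults() call for RX continues past the end of the hunk.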
diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c index 9fb2c6483..762aac7de 100644 --- a/src/lib/protocols/teredo.c +++ b/src/lib/protocols/teredo.c @@ -29,6 +29,8 @@ void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct struct ndpi_packet_struct *packet = &flow->packet; if(packet->udp + && packet->iph + && ((ntohl(packet->iph->daddr) & 0xF0000000) != 0xE0000000 /* Not a multicast address */) && ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544)) && (packet->payload_packet_len >= 40 /* IPv6 header */)) ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN); -- cgit v1.2.3 From 8c50b9692e9e024884ad3435170fb1b8d3558a24 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 31 May 2016 12:47:51 +0200 Subject: Improved bigram detection (used by Tor) --- src/lib/ndpi_content_match.c.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index ce56b79a6..1b2461451 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7541,7 +7541,7 @@ static const char *ndpi_en_bigrams[] = { static const char *ndpi_en_impossible_bigrams[] = { "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", "ee", "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", "jc", "jd", "jf", "jg", "jh", "jk", - "jl", "jm", "jn", "jp", "jq", "jr", "js", "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", + "jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", "kz", "lq", "lx", "mg", "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", "qg", "qh", "qj", "qk", "ql", "qm", "qn", "qo", "qp", "qr", "qs", "qt", "qv", "qw", "qx", "qy", "uu", "qz", "sx", "sz", "tq", "tx", "vb", "vc", "vd", "vf", "vg", "vh", "vj", "vk", "vm", "vn", "vp", "bw", -- cgit v1.2.3 
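Review bot: The entry `/* "js", */` left inside ndpi_en_impossible_bigrams is commented-out data with no explanation, so the next person tuning the table cannot tell whether it was removed deliberately or by accident. Either delete the token outright or keep it with a one-line reason stating why the bigram is no longer treated as impossible; the commit message only says "used by Tor", which is not enough to recover the rationale later. The table itself starts and ends outside the hunk.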
From 2379443ef55986604f77711caab5c3118a26f791 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 31 May 2016 12:58:44 +0200 Subject: Fix on multicast address check on teredo --- src/lib/protocols/teredo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c index 762aac7de..079d1fbcd 100644 --- a/src/lib/protocols/teredo.c +++ b/src/lib/protocols/teredo.c @@ -30,7 +30,7 @@ void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct if(packet->udp && packet->iph - && ((ntohl(packet->iph->daddr) & 0xF0000000) != 0xE0000000 /* Not a multicast address */) + && ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */) && ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544)) && (packet->payload_packet_len >= 40 /* IPv6 header */)) ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN); -- cgit v1.2.3 From 0b7a392b302a606b60ad4d46dfcdc9930af338fa Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 7 Jun 2016 17:14:16 +0200 Subject: Restored code harvested in https://github.com/ntop/nDPI/commit/60e7e19dab72a37d57bc7854e702264e7d25886d#diff-0856ce19e6ed4e80946656d41f7edd65L135 DNS reply dissection can now be controlled by a preference as demonstrated in ndpiReader.c --- example/ndpiReader.c | 10 ++- src/include/ndpi_typedefs.h | 8 +- src/lib/protocols/dns.c | 186 +++++++++++++++++++++++++++++++------------- 3 files changed, 145 insertions(+), 59 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 1939d70cd..e51407592 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
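Review bot: The corrected condition makes a multicast destination a requirement for classifying Teredo, whereas the message of the commit it fixes says packets sent towards multicast addresses are to be discarded; one of the two is wrong, and under this version Teredo to a unicast relay on UDP 3544 can never be matched by this test. I cannot tell from the hunk which behaviour a capture supports, so this is worth verifying before release. Whichever is intended, the inline comment should state the consequence rather than just naming the mask, e.g. `/* Only multicast destinations are classified here; unicast 3544 traffic is left to the other checks */`. Whether any other path still sets NDPI_PROTOCOL_TEREDO is outside the hunk.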
@@ -620,8 +620,8 @@ static void debug_printf(u_int32_t protocol, void *id_struct, static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { NDPI_PROTOCOL_BITMASK all; - struct ndpi_workflow_prefs prefs; + memset(&prefs, 0, sizeof(prefs)); prefs.decode_tunnels = decode_tunnels; prefs.num_roots = NUM_ROOTS; @@ -630,9 +630,13 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { memset(&ndpi_thread_info[thread_id], 0, sizeof(ndpi_thread_info[thread_id])); ndpi_thread_info[thread_id].workflow = ndpi_workflow_init(&prefs, pcap_handle); - /* ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 1; */ - ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id); + /* Preferences */ + ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0; + ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 1; + + ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, + on_protocol_discovered, (void *)(uintptr_t)thread_id); // enable all protocols NDPI_BITMASK_SET_ALL(all); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 62a4f3083..8ec1453fc 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -849,8 +849,8 @@ struct ndpi_detection_module_struct { ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; - u_int8_t http_dont_dissect_response:1; - u_int8_t direction_detect_disable:1; /* disable internal detection of packet direction */ + u_int8_t http_dont_dissect_response:1, dns_dissect_response:1, + direction_detect_disable:1; /* disable internal detection of packet direction */ }; struct ndpi_flow_struct { 
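Review bot: Inserting dns_dissect_response between http_dont_dissect_response and direction_detect_disable in struct ndpi_detection_module_struct moves direction_detect_disable to a different bit, so an application built against the previous header and linked to a rebuilt library would toggle dns_dissect_response when it thinks it is disabling direction detection (assuming the library is consumed as a shared object). Appending the new flag keeps existing offsets: `u_int8_t http_dont_dissect_response:1, direction_detect_disable:1, dns_dissect_response:1;`. Relatedly, setupDetection in ndpiReader.c now pokes the flag into ndpi_struct directly after ndpi_workflow_init(); the workflow already has a prefs struct, and routing the flag through it would keep this layout detail out of callers. Both enclosing definitions continue outside their hunks.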
@@ -911,8 +911,8 @@ struct ndpi_flow_struct { /* the only fields useful for nDPI and ntopng */ struct { - u_int8_t num_answers, ret_code; - u_int16_t query_type; + u_int8_t num_queries, num_answers, reply_code; + u_int16_t query_type, query_class, rsp_type; } dns; struct { diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 98df46481..4c7f315c3 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -3,8 +3,6 @@ * * Copyright (C) 2012-16 - ntop.org * - * Michele Campus - - * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH * 
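Review bot: Renaming ret_code to reply_code in flow->protos.dns is a source-incompatible change to a public header whose own comment says ntopng reads these fields, so any consumer referencing `.ret_code` stops compiling without a deprecation path. The new query_class field is also never written by any of the dns.c changes in this commit, so it is either reserved for later or dead; a comment on the field should say which. Something like `u_int16_t query_type, query_class /* not yet filled in */, rsp_type;` makes that explicit. The surrounding struct ndpi_flow_struct starts and ends outside the hunk.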
@@ -29,37 +27,60 @@ #define FLAGS_MASK 0x8000 -void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +/* #define DNS_DEBUG 1 */ + +/* *********************************************** */ +static u_int16_t get16(int *i, const u_int8_t *payload) { + u_int16_t v = *(u_int16_t*)&payload[*i]; + + (*i) += 2; + + return(ntohs(v)); +} + +/* *********************************************** */ + +static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) { + if(payload[i] == 0x00) + return(1); + else if(payload[i] == 0xC0) + return(2); + else { + u_int8_t len = payload[i]; + u_int8_t off = len + 1; + + if(off == 0) /* Bad packet */ + return(0); + else + return(off + getNameLength(i+off, payload, payloadLen)); + } +} + +/* *********************************************** */ + +void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { int x; - u_int8_t is_query, ret_code; - u_int16_t s_port = 0; - u_int16_t d_port = 0; + u_int8_t is_query; + u_int16_t s_port = 0, d_port = 0; NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "search DNS.\n"); - if(flow->packet.udp != NULL) - { + if(flow->packet.udp != NULL) { s_port = ntohs(flow->packet.udp->source); d_port = ntohs(flow->packet.udp->dest); x = 0; - } - else if(flow->packet.tcp != NULL) /* pkt size > 512 bytes */ - { + } else if(flow->packet.tcp != NULL) /* pkt size > 512 bytes */ { s_port = ntohs(flow->packet.tcp->source); d_port = ntohs(flow->packet.tcp->dest); x = 2; - } - else - { + } else { NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); } if((s_port == 53 || d_port == 53 || d_port == 5355) - && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header))) - { + && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header))) { struct ndpi_dns_packet_header dns_header; int 
invalid = 0; @@ -70,6 +91,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd dns_header.num_answers = ntohs(dns_header.num_answers); dns_header.authority_rrs = ntohs(dns_header.authority_rrs); dns_header.additional_rrs = ntohs(dns_header.additional_rrs); + x += sizeof(struct ndpi_dns_packet_header); /* 0x0000 QUERY */ if((dns_header.flags & FLAGS_MASK) == 0x0000) 
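Review bot: getNameLength never consults its payloadLen argument, so a label length that points past the captured packet recurses straight into reading payload[i] beyond the buffer on a crafted or truncated response; the compression test also recognises only the exact byte 0xC0, while any byte with the top two bits set is a pointer, so 0xC1 is taken as a 193-byte label. get16 has the same gap (no check that two bytes remain) and reads through a cast pointer that can be misaligned; `u_int16_t v; memcpy(&v, &payload[*i], sizeof(v));` plus a `x + 2 <= payload_packet_len` check at each call site would fix that part. The rewrite below bounds the name walk and rejects labels longer than 63 bytes, keeping the existing "0 means bad packet" contract; ndpi_search_dns's body continues past the end of this hunk.
```c
static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
  if(i >= payloadLen)
    return(0);                       /* truncated: caller treats 0 as a bad packet */
  else if(payload[i] == 0x00)
    return(1);
  else if((payload[i] & 0xC0) == 0xC0)
    return(2);                       /* compression pointer, RFC 1035 4.1.4 */
  else {
    u_int8_t len = payload[i];
    u_int off = (u_int)len + 1, rest;

    if((len > 63) || (i + off >= payloadLen))
      return(0);                     /* label too long or runs past the packet */

    rest = getNameLength(i + off, payload, payloadLen);
    return((rest == 0) ? 0 : off + rest);
  }
}
```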
@@ -87,33 +109,85 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd && (((dns_header.flags & 0x2800) == 0x2800 /* Dynamic DNS Update */) || ((dns_header.num_answers == 0) && (dns_header.authority_rrs == 0)))) { /* This is a good query */ + + if(dns_header.num_queries > 0) { + while(x < flow->packet.payload_packet_len) { + if(flow->packet.payload[x] == '\0') { + x++; + flow->protos.dns.query_type = get16(&x, flow->packet.payload); +#ifdef DNS_DEBUG + printf("[%s:%d] query_type=%2d\n", __FILE__, __LINE__, flow->protos.dns.query_type); +#endif + break; + } else + x++; + } + } } else invalid = 1; + + if(ndpi_struct->dns_dissect_response) + return; /* The response will set the verdict */ } else { /* DNS Reply */ + + flow->protos.dns.reply_code = dns_header.flags & 0x0F; + if((dns_header.num_queries > 0) && (dns_header.num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that num_queries must be zero */ && (((dns_header.num_answers > 0) && (dns_header.num_answers <= NDPI_MAX_DNS_REQUESTS)) || ((dns_header.authority_rrs > 0) && (dns_header.authority_rrs <= NDPI_MAX_DNS_REQUESTS)) || ((dns_header.additional_rrs > 0) && (dns_header.additional_rrs <= NDPI_MAX_DNS_REQUESTS))) ) { /* This is a good reply */ - } else - invalid = 1; + if(ndpi_struct->dns_dissect_response) { + x++; + + if(flow->packet.payload[x] != '\0') { + while((x < flow->packet.payload_packet_len) + && (flow->packet.payload[x] != '\0')) { + x++; + } + + x++; + } + + x += 4; + + if(dns_header.num_answers > 0) { + u_int16_t rsp_type; + u_int16_t num; + + for(num = 0; num < dns_header.num_answers; num++) { + u_int16_t data_len; + + if((x+6) >= flow->packet.payload_packet_len) { + break; + } + + if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + break; + } else + x += data_len; + + rsp_type = get16(&x, flow->packet.payload); + flow->protos.dns.rsp_type = rsp_type; + break; + } + } + } + } } - } - if(invalid) { - 
NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); - return; - } + if(invalid) { + NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + return; + } - /* extract host name server */ - ret_code = (is_query == 0) ? 0 : (dns_header.flags & 0x0F); - int j = 0; - int off = sizeof(struct ndpi_dns_packet_header) + 1; - while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len) - { + /* extract host name server */ + int j = 0, off = sizeof(struct ndpi_dns_packet_header) + 1; + + while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len) { flow->host_server_name[j] = flow->packet.payload[off]; if(j < strlen((char*)flow->host_server_name)) { if(flow->host_server_name[j] < ' ') 
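Review bot: In the query branch the loop stops at the first '\0' and then calls get16 at x with no check that two more bytes exist, so a query whose QNAME terminator is the last captured byte reads past the payload; the reply branch applies `x++` and `x += 4` before any comparison with payload_packet_len, and `(x+6) >= payload_packet_len` only guards entry to the answer loop, not the get16 that follows getNameLength. A `if(x + 2 > flow->packet.payload_packet_len) break;` before each get16 call and a bound on x after the `x += 4` would close these. Two further things are worth a comment: the '\0' scan treats a compressed name (0xC0 pointer) as a label chain and runs to the next zero byte anywhere in the record, and the `for(num = 0; ...)` loop breaks unconditionally after the first record, so only the first answer's type is ever stored — if that is intended, an `if` reads more honestly than a loop. The hunk continues straight into the host-name extraction loop, which ends in the next hunk.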
@@ -121,31 +195,39 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd j++; } off++; - } - flow->host_server_name[j] = '\0'; + } + flow->host_server_name[j] = '\0'; + + flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, + flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); - flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); - flow->protos.dns.ret_code = ret_code; +#ifdef DNS_DEBUG + printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", + __FILE__, __LINE__, + flow->protos.dns.num_queries, flow->protos.dns.num_answers, + flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name + ); +#endif - if(j > 0) - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - NDPI_PROTOCOL_DNS); + if(j > 0) + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_DNS); - if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - { - /** - Do not set the protocol with DNS if ndpi_match_host_subprotocol() has - matched a subprotocol - **/ - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? 
NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); - } else { - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + /** + Do not set the protocol with DNS if ndpi_match_host_subprotocol() has + matched a subprotocol + **/ + NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); + } else { + NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + } } - } + } } void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -- cgit v1.2.3 From ed09d78ed9a9b52dc655559c9019e929c7967f39 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 12 Jun 2016 21:01:59 +0200 Subject: Added 1e100.net to Google --- src/lib/ndpi_content_match.c.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 1b2461451..aa806751b 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
@@ -7291,6 +7291,7 @@ ndpi_protocol_match host_match[] = { { "googleadservices.", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE }, { "googleapis.com", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE }, { "ggpht.com", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE }, + { "1e100.net", "Google", NDPI_SERVICE_GOOGLE, NDPI_PROTOCOL_ACCEPTABLE }, { "maps.google.", "GoogleMaps", NDPI_SERVICE_GOOGLE_MAPS, NDPI_PROTOCOL_ACCEPTABLE }, { "maps.gstatic.com", "GoogleMaps", NDPI_SERVICE_GOOGLE_MAPS, NDPI_PROTOCOL_ACCEPTABLE }, { ".gmail.", "GMail", NDPI_SERVICE_GMAIL, NDPI_PROTOCOL_SAFE }, -- cgit v1.2.3 From 6c83cd627f13649a62dc9d5821fb5a0397951b81 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 14 Jun 2016 20:25:23 +0200 Subject: Enhanced string boundary check to avoid crashes with malformed packets --- src/lib/protocols/dns.c | 8 +++++--- src/lib/protocols/netbios.c | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 4c7f315c3..f95ebbc36 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -185,15 +185,17 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } /* extract host name server */ - int j = 0, off = sizeof(struct ndpi_dns_packet_header) + 1; + int j = 0, max_len = sizeof(flow->host_server_name)-1, off = sizeof(struct ndpi_dns_packet_header) + 1; while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len) { flow->host_server_name[j] = flow->packet.payload[off]; - if(j < strlen((char*)flow->host_server_name)) { + if(j < max_len) { if(flow->host_server_name[j] < ' ') flow->host_server_name[j] = '.'; j++; - } + } else + break; + off++; } flow->host_server_name[j] = '\0'; diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index 9c2283a81..ca649782b 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c 
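Review bot: The loop condition in the dns.c hunk still indexes payload[off] before comparing off with payload_packet_len, and off starts at sizeof(header)+1 while the enclosing guard only ensures payload_packet_len > sizeof(header), so when exactly one byte follows the header the first iteration reads one past the end; swapping the operands fixes the read side: `while(off < flow->packet.payload_packet_len && flow->packet.payload[off] != '\0') {`. The new max_len bound on j correctly limits the write into host_server_name, so only the read remains. The enclosing function starts and ends outside this hunk.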
@@ -324,7 +324,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_LOG_DEBUG, "found netbios with checked ip-address.\n"); if(netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) - snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name), "%s", name); + snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; -- cgit v1.2.3 From adbba699887af89e89e14d55ea614677750b02f4 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 19 Jun 2016 21:25:58 +0200 Subject: Removed false positives from CoAP protocol Improved DNS detection Added misisng default DropBox port Fix for #154 Added sample pcap of Tor traffic for regression testing --- example/ndpiReader.c | 2 +- src/lib/ndpi_main.c | 5 +++++ src/lib/protocols/coap.c | 38 +++++++++++++++++++++++++++----------- src/lib/protocols/dns.c | 18 ++++++++++-------- src/lib/protocols/dropbox.c | 1 - src/lib/protocols/tor.c | 7 ++++--- tests/pcap/tor.pcap | Bin 0 -> 3155084 bytes tests/result/tor.pcap.out | 17 +++++++++++++++++ 8 files changed, 64 insertions(+), 24 deletions(-) create mode 100644 tests/pcap/tor.pcap create mode 100644 tests/result/tor.pcap.out diff --git a/example/ndpiReader.c b/example/ndpiReader.c index e51407592..deb61b681 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -633,7 +633,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { /* Preferences */ ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0; - ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 1; + ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 0; ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fa32146a9..cbac5cf8b 100644 
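Review bot: snprintf already writes at most size-1 characters and always terminates, so passing `sizeof(flow->host_server_name)-1` in ndpi_search_netbios gives up one usable byte without adding any safety; the previous `snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name), "%s", name);` was already bounded. If the intent is to guarantee a spare trailing byte for readers that assume one, a comment saying so would stop the next reviewer from reverting it. netbios_name_interpret and the name buffer it fills are outside the hunk.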
--- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1365,6 +1365,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "QUIC", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DROPBOX, + no_master, + no_master, "Dropbox", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ, no_master, no_master, "EAQ", diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c index cddf31b7e..5f8e97863 100644 --- a/src/lib/protocols/coap.c +++ b/src/lib/protocols/coap.c @@ -72,7 +72,7 @@ struct ndpi_coap_hdr [164] = "5.04 Gateway Timeout", [165] = "5.05 Proxying Not Supported" **/ - + /** * Entry point when protocol is identified. @@ -83,6 +83,20 @@ static void ndpi_int_coap_add_connection (struct ndpi_detection_module_struct *n ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_COAP,NDPI_PROTOCOL_UNKNOWN); } +/** + * Check if the default port is acceptable + * + * UDP Port 5683 (mandatory) + * UDP Ports 61616-61631 compressed 6lowPAN + */ +static int isCoAPport(u_int16_t port) { + if((port == 5683) + || ((port >= 61616) && (port <= 61631))) + return(1); + else + return(0); +} + /** * Dissector function that searches CoAP headers */ 
@@ -91,22 +105,24 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &flow->packet; struct ndpi_coap_hdr * h = (struct ndpi_coap_hdr*) packet->payload; - + if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } // search for udp packet if(packet->udp != NULL) { - - // header too short - if(packet->payload_packet_len < 4) { - + u_int16_t s_port = ntohs(flow->packet.udp->source); + u_int16_t d_port = ntohs(flow->packet.udp->dest); + + if((!isCoAPport(s_port) && !isCoAPport(s_port)) + || (packet->payload_packet_len < 4) // header too short + ) { NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "excluding Coap\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); return; } - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "calculating coap over udp.\n"); // check values in header @@ -116,21 +132,21 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) || (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || (h->code >= 160 && h->code <= 165)) { - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Coap found...\n"); ndpi_int_coap_add_connection(ndpi_struct,flow); return; } } } - } + } } - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Coap ...\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); return; - } + /** * Entry point for the ndpi library */ diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f95ebbc36..7ee114579 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -126,8 +126,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } else invalid = 1; - if(ndpi_struct->dns_dissect_response) - return; /* The response will set the verdict */ } else { /* DNS Reply */ 
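Review bot: The new port filter in ndpi_search_coap tests the source port twice — `if((!isCoAPport(s_port) && !isCoAPport(s_port))` — so d_port is never consulted and a client sending from an ephemeral port to 5683, the normal CoAP request, is excluded before the header is examined; the second call should be `!isCoAPport(d_port)`. The coap_mqtt.pcap.out changes in the following commit may well reflect this regression rather than removed false positives, so the expected results deserve a second look. A short comment on isCoAPport citing where the 61616-61631 range comes from would also help, since the 6LoWPAN remark alone does not explain it. The header-field checks after this block are unchanged.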
@@ -198,11 +196,18 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd off++; } + flow->host_server_name[j] = '\0'; flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); + if(j > 0) + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_DNS); + #ifdef DNS_DEBUG printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", __FILE__, __LINE__, @@ -210,14 +215,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name ); #endif - - if(j > 0) - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - NDPI_PROTOCOL_DNS); if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + if(is_query && ndpi_struct->dns_dissect_response) + return; /* The response will set the verdict */ + /** Do not set the protocol with DNS if ndpi_match_host_subprotocol() has matched a subprotocol diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index f51de95d2..3e53b4224 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -44,7 +44,6 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t payload_len = packet->payload_packet_len; if(packet->udp != NULL) { - u_int16_t dropbox_port = htons(DB_LSP_PORT); if((packet->udp->source == dropbox_port) diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 7903bf511..cb926d5f0 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c 
@@ -24,7 +24,7 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, if((certificate == NULL) || (strlen(certificate) < 6) - || !(strncmp(certificate, "www.", 4))) + || (strncmp(certificate, "www.", 4))) return(0); // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate); @@ -39,10 +39,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, len = strlen(name); - if(len > 6) { + if(len >= 5) { for(i = 0; name[i+1] != '\0'; i++) { + // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]); + if((name[i] >= '0') && (name[i] <= '9')) { - if(prev_num != 1) { numbers_found++; diff --git a/tests/pcap/tor.pcap b/tests/pcap/tor.pcap new file mode 100644 index 000000000..bf5b43649 Binary files /dev/null and b/tests/pcap/tor.pcap differ diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out new file mode 100644 index 000000000..b6008355d --- /dev/null +++ b/tests/result/tor.pcap.out 
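Review bot: The digit-scanning loop `for(i = 0; name[i+1] != '\0'; i++)` stops one character short, so the last byte of name is never classified; if name is the host label without its TLD, a trailing digit is silently ignored, and if skipping it is deliberate the loop should say why. Lowering the threshold from `len > 6` to `len >= 5` widens what is considered Tor-like, which is consistent with the added test pcap, but the strncmp fix above now also requires a leading "www." whereas the `strlen(certificate) < 6` guard still allows a name of just one character after it. How name is derived from certificate and the final decision are outside the hunk.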
@@ -0,0 +1,17 @@ +NetBIOS 1 252 1 +DHCPV6 6 906 1 +DropBox 10 1860 1 +Skype 1 60 1 +Tor 3676 3014362 7 + + 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][10 pkts/1860 bytes] + 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes] + 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes][SSL client: www.t3i3ru.com] + 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes][SSL client: www.e6r5p57kbafwrxj3plz.com] + 5 TCP 91.143.93.242:443 <-> 192.168.1.252:51175 [proto: 163/Tor][38 pkts/12520 bytes][SSL client: www.gfu7hbxpfp.com] + 6 TCP 157.56.30.46:443 <-> 192.168.1.252:51104 [proto: 91.125/SSL.Skype][1 pkts/60 bytes] + 7 UDP 192.168.1.252:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes] + 8 TCP 38.229.70.53:443 <-> 192.168.1.252:51112 [proto: 163/Tor][1576 pkts/1388792 bytes][SSL client: www.q4cyamnc6mtokjurvdclt.com] + 9 TCP 38.229.70.53:443 <-> 192.168.1.252:51176 [proto: 163/Tor][1826 pkts/1513278 bytes][SSL client: www.jmts2id.com] + 10 TCP 62.210.137.230:443 <-> 192.168.1.252:51185 [proto: 163/Tor][29 pkts/9661 bytes][SSL client: www.6gyip7tqim7sieb.com] + 11 TCP 91.143.93.242:443 <-> 192.168.1.252:51110 [proto: 163/Tor][141 pkts/68538 bytes][SSL client: www.ct7ctrgb6cr7.com] -- cgit v1.2.3 From d0665bb301d58d13fb2d1ae1eff6a645a9dbddac Mon Sep 17 00:00:00 2001 
From: Luca Deri Date: Sun, 19 Jun 2016 21:29:19 +0200 Subject: Recomputed results due to the previous commit --- tests/result/Instagram.pcap.out | 6 +++--- tests/result/Viber_session.pcap.out | 4 ++-- tests/result/coap_mqtt.pcap.out | 11 +++++----- tests/result/dropbox.pcap.out | 35 +++++++++++++++---------------- tests/result/skype.pcap.out | 12 +++++------ tests/result/skype_no_unknown.pcap.out | 12 +++++------ tests/result/tor.pcap.out | 4 ++-- tests/result/viber_mobile.pcap.out | 4 ++-- tests/result/whatsapp_login_call.pcap.out | 4 ++-- tests/result/whatsapp_login_chat.pcap.out | 4 ++-- 10 files changed, 48 insertions(+), 48 deletions(-) diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out index 3e349a331..ee5183ccf 100644 --- a/tests/result/Instagram.pcap.out +++ b/tests/result/Instagram.pcap.out @@ -2,10 +2,10 @@ Unknown 1 66 1 HTTP 266 245342 7 ICMP 5 510 1 SSL 103 62597 5 -DropBox 5 725 2 +Dropbox 5 725 2 Instagram 363 255094 16 - 1 UDP 192.168.0.106:17500 <-> 192.168.0.255:17500 [proto: 121/DropBox][1 pkts/145 bytes] + 1 UDP 192.168.0.106:17500 <-> 192.168.0.255:17500 [proto: 121/Dropbox][1 pkts/145 bytes] 2 UDP 8.8.8.8:53 <-> 192.168.0.103:26540 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-g-a.akamaihd.net] 3 UDP 8.8.8.8:53 <-> 192.168.0.103:27124 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes][Host: photos-b.ak.instagram.com] 4 TCP 31.13.93.52:443 <-> 192.168.0.103:33763 [proto: 91/SSL][11 pkts/5397 bytes] 
@@ -20,7 +20,7 @@ Instagram 363 255094 16 13 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][3 pkts/198 bytes] 14 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][75 pkts/57239 bytes][Host: photos-g.ak.instagram.com] 15 TCP 173.252.107.4:443 <-> 192.168.0.103:56382 [proto: 91.211/SSL.Instagram][17 pkts/2647 bytes][SSL client: telegraph-ash.instagram.com] - 16 UDP 192.168.0.106:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][4 pkts/580 bytes] + 16 UDP 192.168.0.106:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][4 pkts/580 bytes] 17 UDP 8.8.8.8:53 <-> 192.168.0.103:33603 [proto: 5.211/DNS.Instagram][2 pkts/298 bytes][Host: igcdn-photos-a-a.akamaihd.net] 18 TCP 31.13.93.52:443 <-> 192.168.0.103:33936 [proto: 91/SSL][68 pkts/45688 bytes] 19 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91/SSL][12 pkts/6044 bytes] diff --git a/tests/result/Viber_session.pcap.out b/tests/result/Viber_session.pcap.out index 89bdd3a92..e73acc6f4 100644 --- a/tests/result/Viber_session.pcap.out +++ b/tests/result/Viber_session.pcap.out @@ -3,7 +3,7 @@ HTTP 14 862 8 SSL_No_Cert 34 4141 1 ICMP 2 196 1 SSL 109 11647 10 -DropBox 1 97 1 +Dropbox 1 97 1 GMail 21 1891 1 Google 50 4084 5 Viber 4163 392492 4 @@ -37,7 +37,7 @@ Viber 4163 392492 4 27 UDP 54.169.63.186:7987 <-> 192.168.200.222:48564 [proto: 144/Viber][2 pkts/138 bytes] 28 UDP 54.169.63.186:7985 <-> 192.168.200.222:48564 [proto: 144/Viber][4143 pkts/390781 bytes] 29 TCP 93.184.221.200:80 <-> 192.168.200.222:50854 [proto: 7/HTTP][1 pkts/60 bytes] - 30 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.DropBox][1 pkts/97 bytes] + 30 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][1 pkts/97 bytes] 31 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][16 pkts/1419 bytes][SSL client: settings.crashlytics.com] diff --git a/tests/result/coap_mqtt.pcap.out b/tests/result/coap_mqtt.pcap.out index 2e6f7abc9..67e3d3077 100644 
--- a/tests/result/coap_mqtt.pcap.out
+++ b/tests/result/coap_mqtt.pcap.out
@@ -1,18 +1,19 @@ -COAP 819 82290 12 +COAP 19 1614 8 +Dropbox 800 80676 4 MQTT 7695 668291 4 1 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61043 [proto: 27/COAP][1 pkts/86 bytes] 2 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61045 [proto: 27/COAP][1 pkts/86 bytes] 3 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61047 [proto: 27/COAP][1 pkts/90 bytes] - 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20220 bytes] - 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20194 bytes] + 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20220 bytes] + 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20194 bytes] 6 TCP 192.168.56.1:53523 <-> 192.168.56.101:17501 [proto: 222/MQTT][1926 pkts/167126 bytes] 7 UDP [bbbb::1]:33499 <-> [bbbb::3]:5683 [proto: 27/COAP][4 pkts/404 bytes] 8 UDP [bbbb::1]:46819 <-> [bbbb::3]:5683 [proto: 27/COAP][6 pkts/467 bytes] 9 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61044 [proto: 27/COAP][1 pkts/86 bytes] 10 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61046 [proto: 27/COAP][1 pkts/86 bytes] - 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20120 bytes] - 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20142 bytes] + 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20120 bytes] + 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20142 bytes] 13 TCP 192.168.56.1:53522 <-> 192.168.56.101:17501 [proto: 222/MQTT][1922 pkts/166928 bytes] 14 TCP 192.168.56.1:53528 <-> 192.168.56.101:17501 [proto: 222/MQTT][1928 pkts/167509 bytes] 15 TCP 192.168.56.1:53524 <-> 192.168.56.101:17501 [proto: 222/MQTT][1919 pkts/166728 bytes] 
diff --git a/tests/result/dropbox.pcap.out b/tests/result/dropbox.pcap.out
index 343ba0ad5..c8b862513 100644
--- a/tests/result/dropbox.pcap.out
+++ b/tests/result/dropbox.pcap.out
@@ -1,17 +1,16 @@ MDNS 16 1648 1 SSDP 140 61108 22 -COAP 800 80676 4 -DropBox 304 165446 12 +Dropbox 1104 246122 16 - 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/744 bytes][Host: notify.dropbox.com] - 2 UDP 192.168.1.105:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][6 pkts/1422 bytes] - 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.DropBox][34 pkts/18026 bytes][SSL client: client.dropbox.com] - 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][8 pkts/1390 bytes][Host: log.getdropbox.com] - 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.DropBox][22 pkts/11392 bytes][SSL client: notify.dropbox.com] - 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/792 bytes][Host: d.dropbox.com] - 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/822 bytes][Host: client.dropbox.com] - 8 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20220 bytes] - 9 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20194 bytes] + 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/744 bytes][Host: notify.dropbox.com] + 2 UDP 192.168.1.105:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes] + 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][34 pkts/18026 bytes][SSL client: client.dropbox.com] + 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][8 pkts/1390 bytes][Host: log.getdropbox.com] + 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][22 pkts/11392 bytes][SSL client: notify.dropbox.com] + 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/792 bytes][Host: d.dropbox.com] + 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/822 bytes][Host: client.dropbox.com] + 8 UDP 192.168.56.1:50318 <-> 
192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20220 bytes] + 9 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20194 bytes] 10 UDP 192.168.1.101:1280 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes] 11 UDP 192.168.1.101:1346 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes] 12 UDP 192.168.1.101:1650 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] 
@@ -20,14 +19,14 @@ DropBox 304 165446 12 15 UDP 192.168.1.101:2604 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes] 16 UDP 192.168.1.101:3412 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] 17 UDP 192.168.1.101:4974 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] - 18 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.DropBox][4 pkts/774 bytes][Host: client-cf.dropbox.com] - 19 UDP 192.168.1.105:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][6 pkts/1422 bytes] + 18 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/774 bytes][Host: client-cf.dropbox.com] + 19 UDP 192.168.1.105:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes] 20 UDP 239.255.255.250:1900 <-> 192.168.1.254:50828 [proto: 12/SSDP][44 pkts/19936 bytes] - 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20120 bytes] - 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20142 bytes] + 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20120 bytes] + 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][200 pkts/20142 bytes] 23 UDP 192.168.1.106:57268 <-> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes] - 24 TCP 54.240.174.31:443 <-> 192.168.1.105:44949 [proto: 91.121/SSL.DropBox][138 pkts/97302 bytes][SSL client: client-cf.dropbox.com] - 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.DropBox][20 pkts/3928 bytes][Host: log.getdropbox.com] + 24 TCP 54.240.174.31:443 <-> 192.168.1.105:44949 [proto: 91.121/SSL.Dropbox][138 pkts/97302 bytes][SSL client: client-cf.dropbox.com] + 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][20 pkts/3928 bytes][Host: log.getdropbox.com] 26 UDP 192.168.1.101:2169 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes] 27 UDP 192.168.1.101:2141 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] 28 
UDP 192.168.1.101:2159 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes] @@ -41,4 +40,4 @@ DropBox 304 165446 12 36 UDP 192.168.1.101:4169 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] 37 UDP 192.168.1.106:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][16 pkts/1648 bytes] 38 UDP 192.168.1.101:4625 <-> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes] - 39 TCP 192.168.1.105:47747 <-> 108.160.172.225:443 [proto: 91.121/SSL.DropBox][54 pkts/27432 bytes][SSL client: d.dropbox.com] + 39 TCP 192.168.1.105:47747 <-> 108.160.172.225:443 [proto: 91.121/SSL.Dropbox][54 pkts/27432 bytes][SSL client: d.dropbox.com] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index abcece480..06dd715fc 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -6,7 +6,7 @@ SSDP 101 38156 6 ICMP 8 656 1 IGMP 5 258 4 SSL 88 8268 6 -DropBox 38 17948 5 +Dropbox 38 17948 5 Skype 2307 491376 244 Apple 15 2045 2 AppleiCloud 88 20520 2 @@ -33,8 +33,8 @@ Spotify 5 430 1 19 UDP 192.168.1.34:13021 <-> 111.221.77.176:40020 [proto: 125/Skype][1 pkts/73 bytes] 20 TCP 192.168.1.34:50110 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/377 bytes] 21 TCP 91.190.216.23:12350 <-> 192.168.1.34:50126 [proto: 125/Skype][20 pkts/5160 bytes] - 22 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][6 pkts/3264 bytes] - 23 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][5 pkts/2720 bytes] + 22 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes] + 23 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes] 24 TCP 192.168.1.34:50113 <-> 71.238.7.203:18767 [proto: 125/Skype][14 pkts/1152 bytes] 25 TCP 192.168.1.34:50116 <-> 81.83.77.141:17639 [proto: 125/Skype][19 pkts/1510 bytes] 26 UDP 157.56.52.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] 
@@ -210,8 +210,8 @@ Spotify 5 430 1 196 UDP 192.168.1.92:57621 <-> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes] 197 UDP 192.168.1.1:53 <-> 192.168.1.34:49990 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] 198 TCP 192.168.1.34:50145 <-> 157.56.53.51:12350 [proto: 125/Skype][8 pkts/608 bytes] - 199 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][6 pkts/3264 bytes] - 200 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][5 pkts/2720 bytes] + 199 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes] + 200 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes] 201 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes] 202 UDP 192.168.1.1:53 <-> 192.168.1.34:51802 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] 203 UDP 192.168.1.1:53 <-> 192.168.1.34:52714 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] @@ -284,7 +284,7 @@ Spotify 5 430 1 270 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 125/Skype][20 pkts/1516 bytes] 271 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][18 pkts/1506 bytes] 272 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][15 pkts/1237 bytes] - 273 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.DropBox][16 pkts/5980 bytes] + 273 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.Dropbox][16 pkts/5980 bytes] 274 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 125/Skype][14 pkts/1208 bytes] 275 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 125/Skype][13 pkts/1109 bytes] 276 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][17 pkts/1304 bytes] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index c307ca471..aa087f692 100644 --- a/tests/result/skype_no_unknown.pcap.out 
+++ b/tests/result/skype_no_unknown.pcap.out @@ -6,7 +6,7 @@ SSDP 40 14100 3 ICMP 4 328 1 IGMP 4 226 4 SSL 79 7742 6 -DropBox 16 7342 5 +Dropbox 16 7342 5 Skype 1585 362654 220 Apple 84 20699 2 @@ -23,9 +23,9 @@ Apple 84 20699 2 11 UDP 192.168.1.34:13021 <-> 111.221.77.149:40016 [proto: 125/Skype][1 pkts/75 bytes] 12 UDP 192.168.1.34:13021 <-> 111.221.77.171:40030 [proto: 125/Skype][1 pkts/64 bytes] 13 UDP 192.168.1.34:13021 <-> 111.221.77.173:40012 [proto: 125/Skype][1 pkts/79 bytes] - 14 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes] + 14 UDP 192.168.1.34:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 15 TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/423 bytes] - 16 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes] + 16 UDP 192.168.1.92:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 17 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/479 bytes] 18 TCP 192.168.1.34:51289 <-> 71.238.7.203:18767 [proto: 125/Skype][17 pkts/1369 bytes] 19 UDP 157.56.52.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] @@ -123,7 +123,7 @@ Apple 84 20699 2 111 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 125/Skype][10 pkts/599 bytes] 112 UDP 192.168.1.34:13021 <-> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/70 bytes] 113 UDP 111.221.74.18:33033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 114 TCP 192.168.1.34:51222 <-> 108.160.163.108:443 [proto: 91.121/SSL.DropBox][8 pkts/2990 bytes] + 114 TCP 192.168.1.34:51222 <-> 108.160.163.108:443 [proto: 91.121/SSL.Dropbox][8 pkts/2990 bytes] 115 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 125/Skype][14 pkts/1253 bytes] 116 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][3 pkts/206 bytes] 117 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125/Skype][19 pkts/1496 bytes] 
@@ -188,8 +188,8 @@ Apple 84 20699 2 176 UDP 192.168.1.34:13021 <-> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes] 177 UDP 192.168.1.1:53 <-> 192.168.1.34:49864 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] 178 TCP 149.13.32.15:13392 <-> 192.168.1.34:51316 [proto: 125/Skype][14 pkts/1176 bytes] - 179 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes] - 180 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes] + 179 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] + 180 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 181 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes] 182 UDP 192.168.1.1:53 <-> 192.168.1.34:53372 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] 183 UDP 192.168.1.92:53826 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out index b6008355d..499e771a4 100644 --- a/tests/result/tor.pcap.out +++ b/tests/result/tor.pcap.out @@ -1,10 +1,10 @@ NetBIOS 1 252 1 DHCPV6 6 906 1 -DropBox 10 1860 1 +Dropbox 10 1860 1 Skype 1 60 1 Tor 3676 3014362 7 - 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][10 pkts/1860 bytes] + 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/Dropbox][10 pkts/1860 bytes] 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes] 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes][SSL client: www.t3i3ru.com] 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes][SSL client: www.e6r5p57kbafwrxj3plz.com] diff --git a/tests/result/viber_mobile.pcap.out b/tests/result/viber_mobile.pcap.out index df601dd7d..e08572565 100644 --- a/tests/result/viber_mobile.pcap.out 
+++ b/tests/result/viber_mobile.pcap.out @@ -6,7 +6,7 @@ SSL_No_Cert 36 5874 1 ICMP 4 518 3 SSL 90 22731 8 Facebook 39 16382 2 -DropBox 2 163 1 +Dropbox 2 163 1 GMail 35 14773 2 Google 75 17027 7 WhatsApp 31 6224 2 @@ -82,7 +82,7 @@ Viber 10081 1413446 4 68 TCP 93.184.221.200:80 <-> 192.168.200.222:50854 [proto: 7/HTTP][5 pkts/300 bytes] 69 UDP 192.168.200.222:39413 <-> 81.192.42.247:15057 [proto: 37/BitTorrent][1 pkts/146 bytes] 70 UDP 92.245.59.202:12998 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] - 71 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.DropBox][2 pkts/163 bytes] + 71 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes] 72 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][26 pkts/10057 bytes][SSL client: settings.crashlytics.com] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index fd2edb823..41ec89cdf 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -4,7 +4,7 @@ DHCP 10 3420 1 STUN 97 11786 16 ICMP 10 700 1 SSL 8 589 2 -DropBox 4 2176 1 +Dropbox 4 2176 1 Apple 127 28102 20 WhatsApp 182 25154 2 AppleiTunes 85 28087 2 @@ -12,7 +12,7 @@ Spotify 3 258 1 WhatsAppVoice 706 91156 4 1 UDP [fe80::da30:62ff:fe56:1c]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes] - 2 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/DropBox][4 pkts/2176 bytes] + 2 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/Dropbox][4 pkts/2176 bytes] 3 ICMP 192.168.2.4:0 <-> 91.253.176.65:0 [proto: 81/ICMP][10 pkts/700 bytes] 4 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][198 pkts/30418 bytes] 5 UDP 173.252.114.1:3478 <-> 192.168.2.4:52794 [proto: 78/STUN][5 pkts/676 bytes] diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out index 0a904dd54..13c56555a 100644 
--- a/tests/result/whatsapp_login_chat.pcap.out +++ b/tests/result/whatsapp_login_chat.pcap.out @@ -1,11 +1,11 @@ MDNS 2 202 2 DHCP 6 2052 1 -DropBox 2 1088 1 +Dropbox 2 1088 1 Apple 50 23466 2 WhatsApp 32 3243 2 Spotify 1 86 1 - 1 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes] + 1 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] 2 UDP [fe80::189c:c31b:1298:224]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes] 3 UDP 192.168.2.1:53 <-> 192.168.2.4:61697 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e12.whatsapp.net] 4 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][44 pkts/21371 bytes] -- cgit v1.2.3 From b318d191a51af7638b1e64924a214e91fa9aa09e Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Thu, 23 Jun 2016 23:53:03 +0200 Subject: Removed variables not used --- src/lib/ndpi_main.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index cbac5cf8b..7a6a34fb3 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -3285,8 +3285,6 @@ ndpi_protocol ndpi_l4_detection_process_packet(struct ndpi_detection_module_stru flow->packet.iphv6 || #endif flow->packet.iph)) { - u_int32_t saddr, daddr; - flow->protocol_id_already_guessed = 1; flow->guessed_protocol_id = (int16_t)ndpi_guess_protocol_id(ndpi_struct, l4_proto, sport, dport); @@ -4478,7 +4476,6 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str u_int8_t is_host_match) { int matching_protocol_id = ndpi_match_string_subprotocol(ndpi_struct, string_to_match, string_to_match_len, is_host_match); struct ndpi_packet_struct *packet = &flow->packet; - AC_TEXT_t ac_input_text; #ifdef DEBUG { -- cgit v1.2.3 From 0f089bd49a8bfa1e57e862cef1352c6514f4719f Mon Sep 17 00:00:00 2001 
From: Campus Date: Fri, 24 Jun 2016 13:19:14 +0200 Subject: added git protocol dissector and pcap for test --- src/include/ndpi_protocol_ids.h | 3 +- src/include/ndpi_protocols.h | 2 + src/lib/Makefile.am | 1 + src/lib/ndpi_main.c | 19 +++++-- src/lib/protocols/git.c | 118 ++++++++++++++++++++++++++++++++++++++++ tests/pcap/git.pcap | Bin 0 -> 77264 bytes tests/result/git.pcap.out | 3 + 7 files changed, 139 insertions(+), 7 deletions(-) create mode 100644 src/lib/protocols/git.c create mode 100644 tests/pcap/git.pcap create mode 100644 tests/result/git.pcap.out diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 4e06da989..adc56fc11 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -273,8 +273,9 @@ #define NDPI_PROTOCOL_RX 223 #define NDPI_SERVICE_WEIBO 224 #define NDPI_SERVICE_OPENDNS 225 +#define NDPI_PROTOCOL_GIT 226 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_OPENDNS +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_GIT #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 9298bf22a..04121347f 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h 
@@ -194,6 +194,7 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); @@ -334,4 +335,5 @@ void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_ void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index d83fdd5c0..bd336fd99 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -155,6 +155,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/coap.c \ protocols/mqtt.c \ protocols/rx.c \ + protocols/git.c \ third_party/include/actypes.h \ third_party/include/ahocorasick.h \ third_party/include/node.h \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index cbac5cf8b..58374849e 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -1531,22 +1531,26 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "COAP", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 5683, 5684, 0, 0, 0)); /* UDP */ - ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_MQTT, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MQTT, no_master, no_master, "MQTT", ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0); + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ /* Port guess is disabled as this is UDP and we can figure our immediately looking at the RX header, is this is RX or not See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 */ - ndpi_set_proto_defaults(ndpi_mod,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_RX, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX, no_master, no_master, "RX", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ports_b); /* UDP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GIT, + no_master, + no_master, "Git", + ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -2325,7 +2329,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* SSDP */ init_ssdp_dissector(ndpi_struct, &a, detection_bitmask); -/* WORLD_OF_WARCRAFT */ + /* WORLD_OF_WARCRAFT */ init_world_of_warcraft_dissector(ndpi_struct, &a, detection_bitmask); /* POSTGRES */ 
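Review bot: The Git TCP port literal in `ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0)` duplicates `#define GIT_PORT 9418` in the new src/lib/protocols/git.c, so the port-based guess and the dissector's own port gate can silently diverge if one of them is edited; a shared definition, or at least a comment on each site pointing to the other, would keep them in step. ndpi_init_protocol_defaults starts and ends outside the hunk.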
@@ -2559,6 +2563,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* RX */ init_rx_dissector(ndpi_struct, &a, detection_bitmask); + /* GIT */ + init_git_dissector(ndpi_struct, &a, detection_bitmask); + /* Put false-positive sensitive protocols at the end */ /* SKYPE */ diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c new file mode 100644 index 000000000..63479b26a --- /dev/null +++ b/src/lib/protocols/git.c 
@@ -0,0 +1,118 @@ +/* + * git.c + * + * Copyright (C) 2012-16 - ntop.org + * + * This module is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This module is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License. + * If not, see . + * + */ +#include +#include "ndpi_api.h" + +#ifdef NDPI_PROTOCOL_GIT + +#define GIT_PORT 9418 + +/* read all the length even if there is a null byte inside */ +u_int16_t read_all_len(char * s, u_int16_t git_len) +{ + char * p = s; + int c = 0; + while(*p && c < git_len-4) { + c++; + p++; + if(!*p) { + if(c < git_len-4) { + p++; + c++; + } + } + } + return c; +} + +void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct * packet = &flow->packet; + const u_int8_t * pp = packet->payload; + u_int16_t payload_len = packet->payload_packet_len; + + u_int8_t * git_pkt_len_buff = NULL; + u_int8_t * git_pkt_data = NULL; + u_int16_t git_len = 0, count = 0 , is_git = 0; + + if(packet->tcp != NULL) { + + if((ntohs(packet->tcp->source) == GIT_PORT || + ntohs(packet->tcp->dest) == GIT_PORT)) { + + git_pkt_len_buff = malloc(4 * sizeof(u_int8_t)); + + do { + memcpy(git_pkt_len_buff, pp, 4); + git_len = (int)strtol(git_pkt_len_buff, NULL, 16); + + if(git_pkt_len_buff[0] == 48 && + git_pkt_len_buff[1] == 48 && + git_pkt_len_buff[2] == 48 && + git_pkt_len_buff[3] == 48) + /* Terminator packet */ + count += 4; + else { + git_pkt_data = malloc((git_len-4) * sizeof(u_int8_t)); + memcpy(git_pkt_data, pp+4, git_len-4); + 
u_int16_t data_len = read_all_len(git_pkt_data, git_len); + free(git_pkt_data); + + if(git_len != data_len+4) + goto no_git; + else { + count += git_len; + pp += git_len; + } + } + } while(count < payload_len); + } + else goto no_git; + } + else goto no_git; + + NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "found Git.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN); + return; + + no_git: + NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "exclude Git.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GIT); +} + + +/* ***************************************************************** */ + + +void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("Git", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_GIT, + ndpi_search_git, + NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif /* NDPI_PROTOCOL_GIT */ diff --git a/tests/pcap/git.pcap b/tests/pcap/git.pcap new file mode 100644 index 000000000..b32a255ef Binary files /dev/null and b/tests/pcap/git.pcap differ diff --git a/tests/result/git.pcap.out b/tests/result/git.pcap.out new file mode 100644 index 000000000..665dad5a8 --- /dev/null +++ b/tests/result/git.pcap.out @@ -0,0 +1,3 @@ +Git 90 74005 1 + + 1 TCP 5.153.231.21:9418 <-> 192.168.0.77:47991 [proto: 226/Git][90 pkts/74005 bytes] -- cgit v1.2.3 From ff6b19382191941be442349bb55e90c15da818e6 Mon Sep 17 00:00:00 2001 
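Review bot: The pkt-line parsing in `ndpi_search_git` allocates and copies from network-supplied lengths with no bounds: `memcpy(git_pkt_len_buff, pp, 4)` and the `do` loop run even when `payload_len` is below 4, `strtol` scans a 4-byte heap buffer that has no terminator, and for a parsed `git_len` below 4 the `(git_len-4)` size is negative and converts to a huge `size_t` before `malloc`, while `memcpy(git_pkt_data, pp+4, git_len-4)` copies `git_len-4` bytes regardless of how much payload remains. Neither `malloc` result is checked, and `git_pkt_len_buff` is never freed, so every inspected segment leaks 4 bytes. The function is rewritten later on this page (commit 47bb46176bdd, "Fix for #225"), which drops the heap buffers; the bounds and termination points are raised again there against the new loop.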
From: Campus Date: Fri, 24 Jun 2016 13:45:43 +0200 Subject: minor fixes - deleted useless part on git and quic protos --- src/lib/protocols/bittorrent.c | 9 +++------ src/lib/protocols/dropbox.c | 2 +- src/lib/protocols/git.c | 2 +- src/lib/protocols/quic.c | 13 ------------- src/lib/protocols/tor.c | 2 +- 5 files changed, 6 insertions(+), 22 deletions(-) diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index 6ac9ec69a..0eebe07ee 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -53,8 +53,7 @@ static u_int8_t is_utp_pkt(const u_int8_t *payload, u_int payload_len) { static void ndpi_add_connection_as_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, int bt_offset, int check_hash, - const u_int8_t save_detection, const u_int8_t encrypted_connection/* , */ - /* ndpi_protocol_type_t protocol_type */) + const u_int8_t save_detection, const u_int8_t encrypted_connection) { if(check_hash) { const char *bt_hash = NULL; /* 20 bytes long */ @@ -92,8 +91,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 19, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION/* , */ - /* NDPI_REAL_PROTOCOL */); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } @@ -125,8 +123,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain Bitcomet persistent seed protocol detected\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION/* , */ - /* NDPI_CORRELATED_PROTOCOL */); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } 
diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index 3e53b4224..d8babfb1b 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -1,7 +1,7 @@ /* * dropbox.c * - * Copyright (C) 2011-13 by ntop.org + * Copyright (C) 2012-16 by ntop.org * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c index 63479b26a..8cde52912 100644 --- a/src/lib/protocols/git.c +++ b/src/lib/protocols/git.c @@ -51,7 +51,7 @@ void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t * git_pkt_len_buff = NULL; u_int8_t * git_pkt_data = NULL; - u_int16_t git_len = 0, count = 0 , is_git = 0; + u_int16_t git_len = 0, count = 0; if(packet->tcp != NULL) { diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index ac443951b..200f9024b 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -22,7 +22,6 @@ * */ - #include "ndpi_api.h" #ifdef NDPI_PROTOCOL_QUIC @@ -38,18 +37,6 @@ static int quic_ports(u_int16_t sport, u_int16_t dport) /* ***************************************************************** */ -static int quic_payload(const u_int8_t *payload) { - if((payload[0] == 'Q') - && isdigit(payload[1]) - && isdigit(payload[2]) - && isdigit(payload[3])) - return(1); - - return(0); -} - -/* ***************************************************************** */ - static int quic_len(u_int8_t l) { switch(l) { case 0: diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index cb926d5f0..2152da328 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -1,7 +1,7 @@ /* * tor.c * - * Copyright (C) 2015 ntop.org + * Copyright (C) 2016 ntop.org * Copyright (C) 2013 Remy Mudingay * */ -- cgit v1.2.3 From 87717dd77f3c16d6b1a997a257ed442435ee93ec Mon Sep 17 00:00:00 2001 
From: Luca Deri Date: Thu, 30 Jun 2016 17:03:36 +0200 Subject: Added QUICK subprotocol support --- src/lib/protocols/quic.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 200f9024b..6e1ad77cc 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -106,6 +106,12 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, flow->host_server_name[j++] = packet->payload[sni_offset]; sni_offset++, len--; } + + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_QUIC); + } break; -- cgit v1.2.3 From 0e49eb1d17c33b784359f8dbdbb59041cac7aaab Mon Sep 17 00:00:00 2001 From: Campus Date: Sat, 2 Jul 2016 18:29:02 +0200 Subject: added drda protocol - fix quic output after commit 87717dd77f3c16d6b1a997a257ed442435ee93ec --- src/include/ndpi_protocol_ids.h | 3 +- src/include/ndpi_protocols.h | 2 + src/lib/Makefile.am | 9 ++-- src/lib/ndpi_main.c | 83 +++++++++++++------------------ src/lib/protocols/drda.c | 106 ++++++++++++++++++++++++++++++++++++++++ tests/pcap/drda_db2.pcap | Bin 0 -> 7323 bytes tests/result/drda_db2.pcap.out | 3 ++ tests/result/quic.pcap.out | 21 ++++---- 8 files changed, 164 insertions(+), 63 deletions(-) create mode 100644 src/lib/protocols/drda.c create mode 100755 tests/pcap/drda_db2.pcap create mode 100644 tests/result/drda_db2.pcap.out diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index adc56fc11..58253e9ce 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h 
@@ -274,8 +274,9 @@ #define NDPI_SERVICE_WEIBO 224 #define NDPI_SERVICE_OPENDNS 225 #define NDPI_PROTOCOL_GIT 226 +#define NDPI_PROTOCOL_DRDA 227 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_GIT +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_DRDA #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 04121347f..82d5bdb69 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -195,6 +195,7 @@ void ndpi_search_coap(struct ndpi_detection_module_struct *ndpi_struct, struct n void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ void init_afp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_aimini_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
@@ -336,4 +337,5 @@ void init_coap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_H__ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index bd336fd99..18c195dbe 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -26,6 +26,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/bittorrent.c \ protocols/ciscovpn.c \ protocols/citrix.c \ + protocols/coap.c \ protocols/collectd.c \ protocols/corba.c \ protocols/crossfire.c \ @@ -36,6 +37,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/directdownloadlink.c \ protocols/dns.c \ protocols/dofus.c \ + protocols/drda.c \ protocols/dropbox.c \ protocols/eaq.c \ protocols/edonkey.c \ @@ -45,6 +47,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/florensia.c \ protocols/ftp_control.c \ protocols/ftp_data.c \ + protocols/git.c \ protocols/gnutella.c \ protocols/gtp.c \ protocols/guildwars.c \ @@ -74,6 +77,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/mgcp.c \ protocols/mms.c \ protocols/mpegts.c \ + protocols/mqtt.c \ protocols/msn.c \ protocols/mssql.c \ protocols/mysql.c \ @@ -104,6 +108,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/rtmp.c \ protocols/rtp.c \ protocols/rtsp.c \ + protocols/rx.c \ protocols/sflow.c \ protocols/shoutcast.c \ protocols/sip.c \ 
@@ -152,10 +157,6 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/yahoo.c \ protocols/zattoo.c \ protocols/zeromq.c \ - protocols/coap.c \ - protocols/mqtt.c \ - protocols/rx.c \ - protocols/git.c \ third_party/include/actypes.h \ third_party/include/ahocorasick.h \ third_party/include/node.h \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 84232a313..f97a2fffc 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -1459,43 +1459,43 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHOIS_DAS, no_master, no_master, "Whois-DAS", - ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD, no_master, no_master, "Collectd", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOCKS, no_master, no_master, "SOCKS", - ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TFTP, no_master, no_master, "TFTP", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTMP, no_master, no_master, "RTMP", - ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, 
NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PANDO, no_master, no_master, "Pando_Media_Booster", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MEGACO, no_master, no_master, "Megaco", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 2944 , 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 2944 , 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_REDIS, no_master, no_master, "Redis", - ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0 , 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0 , 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZMQ, no_master, no_master, "ZeroMQ", 
@@ -1514,13 +1514,13 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2, no_master, no_master, "UBNTAC2", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MS_LYNC, no_master, no_master, "Lync", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VIBER, no_master, no_master, "Viber", 
@@ -1536,21 +1536,22 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "MQTT", ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ - /* Port guess is disabled as this is UDP and we can figure our immediately looking - at the RX header, is this is RX or not - - See https://www-01.ibm.com/support/docview.wss?uid=swg21044407 - */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX, no_master, no_master, "RX", - ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GIT, no_master, no_master, "Git", - ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DRDA, + no_master, + no_master, "DRDA", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -2566,7 +2567,10 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* GIT */ init_git_dissector(ndpi_struct, &a, detection_bitmask); - /* Put false-positive sensitive protocols at the end */ + /* DRDA */ + init_drda_dissector(ndpi_struct, &a, detection_bitmask); + + /*** Put false-positive sensitive protocols at the end ***/ /* SKYPE */ init_skype_dissector(ndpi_struct, &a, detection_bitmask); 
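Review bot: DRDA is registered with all-zero TCP and UDP default ports, while the dissector added in the same commit (`drda.c`) only inspects segments whose source or destination port is `DRDA_PORT` (50000); the port-based guess can therefore never name DRDA even though detection itself is port-gated. Either register the port, `ndpi_build_default_ports(ports_a, 50000, 0, 0, 0, 0), /* TCP */`, or add a one-line comment here saying why the default is deliberately left empty, as the removed RX comment did for RX.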
@@ -4578,25 +4582,6 @@ char* ndpi_revision() { return(NDPI_GIT_RELEASE); } #ifdef WIN32 -/* - int pthread_mutex_init(pthread_mutex_t *mutex, void *unused) { - unused = NULL; - *mutex = CreateMutex(NULL, FALSE, NULL); - return *mutex == NULL ? -1 : 0; - } - - int pthread_mutex_destroy(pthread_mutex_t *mutex) { - return CloseHandle(*mutex) == 0 ? -1 : 0; - } - - int pthread_mutex_lock(pthread_mutex_t *mutex) { - return WaitForSingleObject(*mutex, INFINITE) == WAIT_OBJECT_0 ? 0 : -1; - } - - int pthread_mutex_unlock(pthread_mutex_t *mutex) { - return ReleaseMutex(*mutex) == 0 ? -1 : 0; - } -*/ /* http://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/port/gettimeofday.c;h=75a91993b74414c0a1c13a2a09ce739cb8aa8a08;hb=HEAD */ int gettimeofday(struct timeval * tp, struct timezone * tzp) { /* FILETIME of Jan 1 1970 00:00:00. */ diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c new file mode 100644 index 000000000..9240e8364 --- /dev/null +++ b/src/lib/protocols/drda.c 
@@ -0,0 +1,106 @@ +/* + * drda.c + * + * Copyright (C) 2012-16 - ntop.org + * + * This module is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This module is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License. + * If not, see . + * + */ +#include "ndpi_api.h" + +#ifdef NDPI_PROTOCOL_DRDA + +#define DRDA_PORT 50000 + +struct ndpi_drda_hdr { + u_int16_t length; + u_int8_t magic; + u_int8_t format; + u_int16_t correlID; + u_int16_t length2; + u_int16_t code_pnt; +}; + + +void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct * packet = &flow->packet; + u_int16_t payload_len = packet->payload_packet_len; + u_int16_t count = 0; + + if(packet->tcp != NULL) { + + /* check port */ + if((ntohs(packet->tcp->source) == DRDA_PORT || + ntohs(packet->tcp->dest) == DRDA_PORT)) { + + struct ndpi_drda_hdr * drda = (struct ndpi_drda_hdr *) packet->payload; + + u_int16_t len = ntohs(drda->length); + + /* check first header */ + if(len - 6 != ntohs(drda->length2) && + drda->magic != 0xd0) + goto no_drda; + + /* check if there are more drda headers */ + if(payload_len > len) { + + count = len; + const u_int8_t * pp = packet->payload + len; + + while(count < payload_len) + { + /* update info */ + drda = (struct ndpi_drda_hdr *) pp; + len = ntohs(drda->length); + + if(len - 6 != ntohs(drda->length2) && + drda->magic != 0xd0) + goto no_drda; + + count += len; + } + if(count != payload_len) goto no_drda; + } + NDPI_LOG(NDPI_PROTOCOL_DRDA, 
ndpi_struct, NDPI_LOG_DEBUG, "found DRDA.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DRDA, NDPI_PROTOCOL_UNKNOWN); + return; + } + } + + no_drda: + NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "exclude DRDA.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DRDA); +} + + +/* ***************************************************************** */ + + +void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, + NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("DRDA", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_DRDA, + ndpi_search_drda, + NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif /* NDPI_PROTOCOL_DRDA */ diff --git a/tests/pcap/drda_db2.pcap b/tests/pcap/drda_db2.pcap new file mode 100755 index 000000000..e91629e04 Binary files /dev/null and b/tests/pcap/drda_db2.pcap differ diff --git a/tests/result/drda_db2.pcap.out b/tests/result/drda_db2.pcap.out new file mode 100644 index 000000000..ee222fcd6 --- /dev/null +++ b/tests/result/drda_db2.pcap.out @@ -0,0 +1,3 @@ +DRDA 38 6691 1 + + 1 TCP 192.168.106.1:4847 <-> 192.168.106.128:50000 [proto: 227/DRDA][38 pkts/6691 bytes] diff --git a/tests/result/quic.pcap.out b/tests/result/quic.pcap.out index 9c56d2d75..144137339 100644 --- a/tests/result/quic.pcap.out +++ b/tests/result/quic.pcap.out 
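Review bot: `ndpi_search_drda` casts `packet->payload` to `struct ndpi_drda_hdr` and reads every field with no check that `payload_len` covers the whole struct (the selection mask only guarantees some payload), and the header test `len - 6 != ntohs(drda->length2) && drda->magic != 0xd0` rejects a segment only when both conditions fail, so `||` was evidently intended. Inside `while(count < payload_len)` the cursor `pp` is never advanced, so each iteration re-reads the first header, and a `length` of 0 (or one whose multiples wrap the 16-bit `count`) never lets `count` reach `payload_len`, so the dissector spins on that segment. The rewrite below walks the headers with a 32-bit position, copies each header through `memcpy` so payload alignment does not matter, and rejects any header shorter than itself or longer than the bytes left; the `count` declared at the top of the function then becomes unused.
```c
    if((ntohs(packet->tcp->source) == DRDA_PORT ||
        ntohs(packet->tcp->dest) == DRDA_PORT)) {
      const u_int8_t * pp = packet->payload;
      u_int32_t pos = 0;                 /* wider than payload_len: cannot wrap */

      /* every DDM header in the segment must be complete and self-consistent */
      while(pos < payload_len) {
        struct ndpi_drda_hdr drda;
        u_int16_t len;

        if(payload_len - pos < sizeof(drda))
          goto no_drda;                  /* truncated header */

        memcpy(&drda, pp + pos, sizeof(drda));   /* payload is not necessarily aligned */
        len = ntohs(drda.length);

        /* a header shorter than itself would never advance pos */
        if((len < sizeof(drda)) || (drda.magic != 0xd0) || (len - 6 != ntohs(drda.length2)))
          goto no_drda;

        pos += len;
      }

      if(pos != payload_len) goto no_drda;

      /* … unchanged: NDPI_LOG "found DRDA", ndpi_set_detected_protocol, return … */
    }
```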
@@ -1,15 +1,18 @@ Unknown 6 7072 1 -QUIC 512 341494 9 +GMail 413 254874 1 +YouTube 83 73409 4 +Google 13 12847 3 +QUIC 3 364 1 - 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188/QUIC][3 pkts/2863 bytes][Host: i.ytimg.com] - 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188/QUIC][2 pkts/2784 bytes][Host: yt3.ggpht.com] - 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188/QUIC][413 pkts/254874 bytes][Host: mail.google.com] + 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][3 pkts/2863 bytes][Host: i.ytimg.com] + 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.126/QUIC.Google][2 pkts/2784 bytes][Host: yt3.ggpht.com] + 3 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188.122/QUIC.GMail][413 pkts/254874 bytes][Host: mail.google.com] 4 UDP 172.217.16.3:443 <-> 192.168.1.105:40461 [proto: 188/QUIC][3 pkts/364 bytes] - 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188/QUIC][5 pkts/4334 bytes][Host: www.google.com] - 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188/QUIC][7 pkts/6545 bytes][Host: www.youtube.com] - 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188/QUIC][69 pkts/58433 bytes][Host: www.youtube.com] - 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188/QUIC][6 pkts/5729 bytes][Host: fonts.gstatic.com] - 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188/QUIC][4 pkts/5568 bytes][Host: s.ytimg.com] + 5 UDP 172.217.16.4:443 <-> 192.168.1.105:45669 [proto: 188.126/QUIC.Google][5 pkts/4334 bytes][Host: www.google.com] + 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188.124/QUIC.YouTube][7 pkts/6545 bytes][Host: www.youtube.com] + 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188.124/QUIC.YouTube][69 pkts/58433 bytes][Host: www.youtube.com] + 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188.126/QUIC.Google][6 pkts/5729 bytes][Host: fonts.gstatic.com] + 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 
[proto: 188.124/QUIC.YouTube][4 pkts/5568 bytes][Host: s.ytimg.com] Undetected flows: -- cgit v1.2.3 From 47bb46176bdd1455c74895d0935aae13756bb971 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 5 Jul 2016 19:07:16 +0200 Subject: Fix for #225 --- src/lib/protocols/git.c | 87 +++++++++++++++---------------------------------- 1 file changed, 26 insertions(+), 61 deletions(-) diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c index 8cde52912..f3e015aef 100644 --- a/src/lib/protocols/git.c +++ b/src/lib/protocols/git.c 
@@ -24,76 +24,41 @@ #define GIT_PORT 9418 -/* read all the length even if there is a null byte inside */ -u_int16_t read_all_len(char * s, u_int16_t git_len) -{ - char * p = s; - int c = 0; - while(*p && c < git_len-4) { - c++; - p++; - if(!*p) { - if(c < git_len-4) { - p++; - c++; - } - } - } - return c; -} - void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) + struct ndpi_flow_struct *flow) { struct ndpi_packet_struct * packet = &flow->packet; - const u_int8_t * pp = packet->payload; - u_int16_t payload_len = packet->payload_packet_len; - - u_int8_t * git_pkt_len_buff = NULL; - u_int8_t * git_pkt_data = NULL; - u_int16_t git_len = 0, count = 0; - if(packet->tcp != NULL) { + if((packet->tcp != NULL) && (packet->payload_packet_len > 4)) { + if((ntohs(packet->tcp->source) == GIT_PORT) + || (ntohs(packet->tcp->dest) == GIT_PORT)) { + const u_int8_t * pp = packet->payload; + u_int16_t payload_len = packet->payload_packet_len; + u_int8_t found_git = 1; + u_int16_t git_len = 0, offset = 0; + + while((offset+4) < payload_len) { + char len[5]; + u_int32_t git_pkt_len; - if((ntohs(packet->tcp->source) == GIT_PORT || - ntohs(packet->tcp->dest) == GIT_PORT)) { + memcpy(&len, &pp[offset], 4), len[4] = 0; + git_pkt_len = atoi(len); - git_pkt_len_buff = malloc(4 * sizeof(u_int8_t)); + if(payload_len < git_pkt_len) { + found_git = 0; + break; + } else + offset += git_pkt_len, payload_len -= git_pkt_len; + } - do { - memcpy(git_pkt_len_buff, pp, 4); - git_len = (int)strtol(git_pkt_len_buff, NULL, 16); - - if(git_pkt_len_buff[0] == 48 && - git_pkt_len_buff[1] == 48 && - git_pkt_len_buff[2] == 48 && - git_pkt_len_buff[3] == 48) - /* Terminator packet */ - count += 4; - else { - git_pkt_data = malloc((git_len-4) * sizeof(u_int8_t)); - memcpy(git_pkt_data, pp+4, git_len-4); - u_int16_t data_len = read_all_len(git_pkt_data, git_len); - free(git_pkt_data); - - if(git_len != data_len+4) - goto no_git; - else { - count += git_len; - pp 
+= git_len; - } - } - } while(count < payload_len); + if(found_git) { + NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "found Git.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN); + return; + } } - else goto no_git; } - else goto no_git; - NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "found Git.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN); - return; - - no_git: NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "exclude Git.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GIT); } @@ -103,7 +68,7 @@ void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, - NDPI_PROTOCOL_BITMASK *detection_bitmask) + NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("Git", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_GIT, -- cgit v1.2.3 From 31140c8da74aaceb76709c11082e4cb2e07e11e9 Mon Sep 17 00:00:00 2001 From: Simone Mainardi Date: Fri, 8 Jul 2016 15:03:40 +0200 Subject: Fixes test cases for QUIC.Google --- tests/result/http_ipv6.pcap.out | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index ab9b3e6ef..8117cef8e 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out @@ -1,6 +1,7 @@ SSL 106 39646 11 Facebook 22 10202 2 -QUIC 65 16479 2 +Google 62 15977 1 +QUIC 3 502 1 1 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][2 pkts/172 bytes] 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37486 [proto: 91/SSL][19 pkts/7014 bytes][SSL client: www.ntop.org] 
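Review bot: `atoi(len)` in the new loop parses the four pkt-line bytes as decimal, while the line it replaces used `strtol(..., 16)`; any length containing a-f digits is cut short or read as 0. A value of 0 (the `0000` flush-pkt the old code special-cased, or any non-numeric header) then leaves `offset` and `payload_len` unchanged and the `while` never terminates on that segment. The loop also shrinks `payload_len` while growing `offset`, so `(offset+4) < payload_len` stops after roughly half the segment has been checked, and `git_len` is now unused. The rewrite below parses hex with an end-pointer check, treats a flush-pkt as a 4-byte unit, rejects lengths below 4 or beyond the remaining bytes, and advances only `offset`. `strtoul` still tolerates a leading blank, sign or `0x`; if that matters, test the four bytes with `isxdigit` first.
```c
      while((offset+4) < payload_len) {
        char len[5], *end;
        unsigned long git_pkt_len;

        memcpy(len, &pp[offset], 4), len[4] = 0;
        /* pkt-line header is four hex digits, not decimal */
        git_pkt_len = strtoul(len, &end, 16);

        if(end != &len[4]) {          /* not four hex digits */
          found_git = 0;
          break;
        }

        if(git_pkt_len == 0)          /* flush-pkt "0000": only the 4-byte header */
          git_pkt_len = 4;

        /* a length below 4 would never advance; one past the segment is malformed */
        if((git_pkt_len < 4) || (git_pkt_len > (unsigned long)(payload_len - offset))) {
          found_git = 0;
          break;
        }

        offset += git_pkt_len;        /* payload_len stays the segment length */
      }
      /* … unchanged: found_git check, NDPI_LOG / ndpi_set_detected_protocol … */
```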
@@ -15,5 +16,5 @@ QUIC 65 16479 2 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1012]:59690 [proto: 91/SSL][2 pkts/172 bytes] 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][2 pkts/172 bytes] 13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/SSL][2 pkts/172 bytes] - 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:45931 [proto: 188/QUIC][62 pkts/15977 bytes][Host: www.google.it] + 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:45931 [proto: 188.126/QUIC.Google][62 pkts/15977 bytes][Host: www.google.it] 15 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][3 pkts/502 bytes] -- cgit v1.2.3