From 19e96f7dd2ea8a201614239b51fb32134c51352e Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 26 Aug 2015 16:09:24 +0200 Subject: Fixes #83. Critical fix: due to an invalid endianess conversion some protocol were not properly indetified --- src/include/ndpi_typedefs.h | 8 ++--- src/lib/ndpi_main.c | 61 +++++++++++++++++++++------------- src/lib/protocols/skype.c | 4 +-- src/lib/protocols/tcp_udp.c | 4 +-- tests/result/NTPv3.pcap.out | 4 +-- tests/result/README.txt | 5 --- tests/result/starcraft_battle.pcap.out | 11 +++--- 7 files changed, 52 insertions(+), 45 deletions(-) delete mode 100644 tests/result/README.txt diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 8ea4650a6..7f82d0a28 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -672,12 +672,10 @@ typedef struct ndpi_flow_struct { u_int16_t protocol_stack_info; /* init parameter, internal used to set up timestamp,... */ - u_int16_t guessed_protocol_id; + u_int16_t guessed_protocol_id, guessed_host_proto_id; - u_int8_t protocol_id_already_guessed:1; - u_int8_t init_finished:1; - u_int8_t setup_packet_direction:1; - u_int8_t packet_direction:1; /* if ndpi_struct->direction_detect_disable == 1 */ + u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1; + /* if ndpi_struct->direction_detect_disable == 1 */ /* tcp sequence number connection tracking */ u_int32_t next_tcp_seq_nr[2]; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 5fb0b6cd8..fc5042b0f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1670,10 +1670,10 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str prefix_t prefix; patricia_node_t *node; - pin->s_addr = ntohl(pin->s_addr); /* Make sure all in network byte order otherwise compares wont work */ + /* Make sure all in network byte order otherwise compares wont work */ fill_prefix_v4(&prefix, pin, 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits); node = ndpi_patricia_search_best(ndpi_struct->protocols_ptree, &prefix); - + return(node ? node->value.user_value : NDPI_PROTOCOL_UNKNOWN); } @@ -1736,7 +1736,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, struct in_addr pin; patricia_node_t *node; - pin.s_addr = ntohl(host_list[i].network); + pin.s_addr = htonl(host_list[i].network); if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL) node->value.user_value = host_list[i].value; } @@ -1745,19 +1745,19 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************* */ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, - char *value, int protocol_id) { + char *value, int protocol_id) { - patricia_node_t *node; - struct in_addr pin; - - inet_pton(AF_INET, value, &pin); - pin.s_addr = ntohl(pin.s_addr); - - if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { - node->value.user_value = protocol_id; - } + patricia_node_t *node; + struct in_addr pin; + + inet_pton(AF_INET, value, &pin); + pin.s_addr = ntohl(pin.s_addr); + + if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { + node->value.user_value = protocol_id; + } - return(0); + return(0); } #endif @@ -1891,13 +1891,16 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc ndpi_default_ports_tree_node_t node; if(sport && dport) { - node.default_port = sport; + int low = ndpi_min(sport, dport); + int high = ndpi_max(sport, dport); + + node.default_port = low; /* Check server port first */ ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot, ndpi_default_ports_tree_node_t_cmp); if(ret == NULL) { - node.default_port = dport; + node.default_port = high; ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot, ndpi_default_ports_tree_node_t_cmp); @@ -3418,23 +3421,33 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } else ret.protocol = flow->detected_protocol_stack[0]; - - if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph) { - struct in_addr pin = { flow->packet.iph->saddr }; - - if((ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { + if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) + && flow->packet.iph + && (!flow->host_already_guessed)) { + struct in_addr pin; + + pin.s_addr = flow->packet.iph->saddr; + if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { pin.s_addr = flow->packet.iph->daddr; - ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin); + flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin); } + + flow->host_already_guessed = 1; + } + +#if 0 - /* Swap proocols in case of success */ + /* Swap protocols in case of success */ if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) { u_int16_t t = ret.master_protocol; ret.master_protocol = ret.protocol; ret.protocol = t; } - } +#endif + + if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol != NDPI_PROTOCOL_UNKNOWN)) + ret.protocol = flow->guessed_host_proto_id; return(ret); } diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 7f201569c..e3bd00332 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -40,8 +40,8 @@ u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, Skype connections are identified by some SSL-like communications without SSL certificate being exchanged */ - if(is_skype_host(ndpi_struct, ntohl(packet->iph->saddr)) - || is_skype_host(ndpi_struct, ntohl(packet->iph->daddr))) { + if(is_skype_host(ndpi_struct, packet->iph->saddr) + || is_skype_host(ndpi_struct, packet->iph->daddr)) { return(1); } } diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 1eb9c8773..7ca276dca 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c @@ -37,9 +37,9 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc } } - if((rc = ndpi_host_ptree_match(ndpi_struct, saddr)) != NDPI_PROTOCOL_UNKNOWN) return(rc); + if((rc = ndpi_host_ptree_match(ndpi_struct, htonl(saddr))) != NDPI_PROTOCOL_UNKNOWN) return(rc); - return(ndpi_host_ptree_match(ndpi_struct, daddr)); + return(ndpi_host_ptree_match(ndpi_struct, htonl(daddr))); } void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) diff --git a/tests/result/NTPv3.pcap.out b/tests/result/NTPv3.pcap.out index 91d817e5e..dcf9eafda 100644 --- a/tests/result/NTPv3.pcap.out +++ b/tests/result/NTPv3.pcap.out @@ -1,3 +1,3 @@ -NTP 1 90 1 +Quic 1 90 1 - 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 9/NTP][1 pkts/90 bytes] + 1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 188/Quic][1 pkts/90 bytes] diff --git a/tests/result/README.txt b/tests/result/README.txt deleted file mode 100644 index 08992145b..000000000 --- a/tests/result/README.txt +++ /dev/null @@ -1,5 +0,0 @@ -Place here test results for pcaps used for regressions testing - -Example - -for pcap/myprotocol.pcap add result/myprotocol.result diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out index 918647cef..4cbdb5ceb 100644 --- a/tests/result/starcraft_battle.pcap.out +++ b/tests/result/starcraft_battle.pcap.out @@ -4,7 +4,8 @@ HTTP 450 294880 19 SSDP 11 4984 1 WorldOfWarcraft 9 880 1 IGMP 2 120 1 -SSL 43 2903 13 +SSL 27 1803 9 +Skype 16 1100 4 Google 12 1467 2 Quic 6 475 1 Starcraft 236 51494 6 @@ -27,10 +28,10 @@ Starcraft 236 51494 6 16 TCP 192.168.1.100:3530 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 17 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes] 18 TCP 192.168.1.100:3534 <-> 2.228.46.112:80 [proto: 7/HTTP][1 pkts/66 bytes] - 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] + 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] 20 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 21 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] - 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] + 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] 23 TCP 80.239.186.26:80 <-> 192.168.1.100:3515 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] 24 TCP 80.239.186.21:80 <-> 192.168.1.100:3519 [proto: 7/HTTP][9 pkts/979 bytes][Host: eu.launcher.battle.net] 25 TCP 80.239.186.26:80 <-> 192.168.1.100:3521 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] @@ -54,8 +55,8 @@ Starcraft 236 51494 6 43 TCP 192.168.1.100:3529 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 44 TCP 192.168.1.100:3531 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 45 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes] - 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] - 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] + 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] 48 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 49 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 50 TCP 12.129.222.54:80 <-> 192.168.1.100:3512 [proto: 7.76/HTTP.WorldOfWarcraft][9 pkts/880 bytes][Host: us.scan.worldofwarcraft.com] -- cgit v1.2.3 From 5f1b82d696d7b81fa587bd2e9c6bfa83a93f2184 Mon Sep 17 00:00:00 2001 From: Beyers Cronje Date: Thu, 27 Aug 2015 01:18:32 +0200 Subject: Ensure usage of struct in_addr is in network byte order. Closes issue #81 --- src/lib/ndpi_main.c | 24 +++++++++--------------- tests/result/starcraft_battle.pcap.out | 11 +++++------ 2 files changed, 14 insertions(+), 21 deletions(-) diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fc5042b0f..5639ed620 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1666,7 +1666,7 @@ static int fill_prefix_v4(prefix_t *p, struct in_addr *a, int b, int mb) { /* ******************************************* */ -u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) { +u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin /* network byte order */) { prefix_t prefix; patricia_node_t *node; @@ -1679,7 +1679,7 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str /* ******************************************* */ -u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host) { +u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host /* network byte order */) { struct in_addr pin; pin.s_addr = host; @@ -1700,11 +1700,9 @@ u_int8_t ndpi_is_tor_flow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; if(packet->tcp != NULL) { - if(flow->packet.iph) { - struct in_addr saddr = { packet->iph->saddr }; - struct in_addr daddr = { packet->iph->daddr }; - if(tor_ptree_match(ndpi_struct, &saddr) - || tor_ptree_match(ndpi_struct, &daddr)) { + if(packet->iph) { + if(tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->saddr) + || tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->daddr)) { return(1); } } @@ -1751,7 +1749,6 @@ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndp struct in_addr pin; inet_pton(AF_INET, value, &pin); - pin.s_addr = ntohl(pin.s_addr); if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { node->value.user_value = protocol_id; @@ -3424,12 +3421,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph && (!flow->host_already_guessed)) { - struct in_addr pin; - pin.s_addr = flow->packet.iph->saddr; - if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { - pin.s_addr = flow->packet.iph->daddr; - flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin); + if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr)) == NDPI_PROTOCOL_UNKNOWN) { + flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->daddr); } flow->host_already_guessed = 1; @@ -4252,11 +4246,11 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct return(ret); check_guessed_skype: - addr.s_addr = shost; + addr.s_addr = htonl(shost); if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) { ret.protocol = NDPI_PROTOCOL_SKYPE; } else { - addr.s_addr = dhost; + addr.s_addr = htonl(dhost); if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) ret.protocol = NDPI_PROTOCOL_SKYPE; } diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out index 4cbdb5ceb..918647cef 100644 --- a/tests/result/starcraft_battle.pcap.out +++ b/tests/result/starcraft_battle.pcap.out @@ -4,8 +4,7 @@ HTTP 450 294880 19 SSDP 11 4984 1 WorldOfWarcraft 9 880 1 IGMP 2 120 1 -SSL 27 1803 9 -Skype 16 1100 4 +SSL 43 2903 13 Google 12 1467 2 Quic 6 475 1 Starcraft 236 51494 6 @@ -28,10 +27,10 @@ Starcraft 236 51494 6 16 TCP 192.168.1.100:3530 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 17 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes] 18 TCP 192.168.1.100:3534 <-> 2.228.46.112:80 [proto: 7/HTTP][1 pkts/66 bytes] - 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 20 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 21 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] - 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 23 TCP 80.239.186.26:80 <-> 192.168.1.100:3515 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] 24 TCP 80.239.186.21:80 <-> 192.168.1.100:3519 [proto: 7/HTTP][9 pkts/979 bytes][Host: eu.launcher.battle.net] 25 TCP 80.239.186.26:80 <-> 192.168.1.100:3521 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] @@ -55,8 +54,8 @@ Starcraft 236 51494 6 43 TCP 192.168.1.100:3529 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 44 TCP 192.168.1.100:3531 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 45 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes] - 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] - 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] + 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 48 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 49 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 50 TCP 12.129.222.54:80 <-> 192.168.1.100:3512 [proto: 7.76/HTTP.WorldOfWarcraft][9 pkts/880 bytes][Host: us.scan.worldofwarcraft.com] -- cgit v1.2.3 From 8f8052735cbd1f5561ba6069c4359f1f9f50e2c1 Mon Sep 17 00:00:00 2001 From: Martin Natano Date: Fri, 28 Aug 2015 14:49:51 +0200 Subject: Make sure packet->user_agent_line.ptr is up to date before using it. Otherwise we might dereference a stale pointer. --- src/lib/protocols/steam.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c index fe7b9d161..7ed0eae29 100644 --- a/src/lib/protocols/steam.c +++ b/src/lib/protocols/steam.c @@ -34,6 +34,7 @@ static void ndpi_int_steam_add_connection(struct ndpi_detection_module_struct *n static void ndpi_check_steam_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 23 && memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) { -- cgit v1.2.3 From df64a1069edb62d0c370669e146da22274a803b1 Mon Sep 17 00:00:00 2001 From: Lorenzo Mangani Date: Sun, 30 Aug 2015 23:07:31 +0200 Subject: Added HEP protocol detection support (sipcapture) --- src/include/ndpi_protocol_ids.h | 3 +- src/include/ndpi_protocols.h | 2 ++ src/lib/Makefile.am | 1 + src/lib/ndpi_main.c | 8 +++++ src/lib/protocols/hep.c | 72 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 src/lib/protocols/hep.c diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index cfb5897ba..82dfcf011 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -201,6 +201,7 @@ #define NDPI_PROTOCOL_WHATSAPP_VOICE 189 #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci */ #define NDPI_PROTOCOL_TEREDO 214 +#define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */ #define NDPI_CONTENT_AVI 39 #define NDPI_CONTENT_FLASH 40 @@ -263,7 +264,7 @@ #define NDPI_SERVICE_HOTSPOT_SHIELD 215 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_HOTSPOT_SHIELD +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_HEP #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 6171f00bc..64d90ad6a 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -72,6 +72,7 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); @@ -288,6 +289,7 @@ void init_rtsp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_shoutcast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_skinny_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 4e8b1f6c4..215f3249a 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -52,6 +52,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/guildwars.c \ protocols/h323.c \ protocols/halflife2_and_mods.c \ + protocols/hep.c \ protocols/http_activesync.c \ protocols/http.c \ protocols/iax.c \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 5639ed620..71dbdc557 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -833,6 +833,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "IPP", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HEP, + no_master, + no_master, "HEP", + ndpi_build_default_ports(ports_a, 9064, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 9063, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP, no_master, no_master, "HTTP", @@ -2250,6 +2255,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* SIP */ init_sip_dissector(ndpi_struct, &a, detection_bitmask); + /* HEP */ + init_hep_dissector(ndpi_struct, &a, detection_bitmask); + /* BITTORRENT */ init_bittorrent_dissector(ndpi_struct, &a, detection_bitmask); diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c new file mode 100644 index 000000000..11955ae1e --- /dev/null +++ b/src/lib/protocols/hep.c @@ -0,0 +1,72 @@ +/* + * hep.c + * + * Copyright (C) 2009-2011 by ipoque GmbH + * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2011-15 - QXIP BV + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + + +#include "ndpi_protocols.h" +#ifdef NDPI_PROTOCOL_HEP + +static void ndpi_int_hep_add_connection(struct ndpi_detection_module_struct + *ndpi_struct, struct ndpi_flow_struct *flow) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HEP, NDPI_PROTOCOL_UNKNOWN); +} + +void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + const u_int8_t *packet_payload = packet->payload; + u_int32_t payload_len = packet->payload_packet_len; + + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "searching for HEP.\n"); + if (payload_len > 10) { + if (memcmp(packet_payload, "HEP3", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n"); + ndpi_int_hep_add_connection(ndpi_struct, flow); + return; + } else if (memcmp(packet_payload, "HEP2", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP2.\n"); + ndpi_int_hep_add_connection(ndpi_struct, flow); + return; + } + } + + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HEP); +} + + +void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("HEP", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_HEP, + ndpi_search_hep, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif -- cgit v1.2.3 From 50757e7afee04aeb08bec7eac8765ddfd29fc136 Mon Sep 17 00:00:00 2001 From: Lorenzo Mangani Date: Tue, 1 Sep 2015 10:02:27 +0200 Subject: Remove HEP2 match --- src/lib/protocols/hep.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c index 11955ae1e..516e430e7 100644 --- a/src/lib/protocols/hep.c +++ b/src/lib/protocols/hep.c @@ -45,11 +45,7 @@ void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct nd NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n"); ndpi_int_hep_add_connection(ndpi_struct, flow); return; - } else if (memcmp(packet_payload, "HEP2", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP2.\n"); - ndpi_int_hep_add_connection(ndpi_struct, flow); - return; - } + } } NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n"); -- cgit v1.2.3 From ce7866a6a69ca0219ce79e4c130e6784da21b323 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Fri, 4 Sep 2015 09:00:00 +0200 Subject: Added missing symbols ndpi_get_lower_proto ndpi_is_proto --- libndpi.sym | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libndpi.sym b/libndpi.sym index 906e61bfa..33b7cdcad 100644 --- a/libndpi.sym +++ b/libndpi.sym @@ -29,3 +29,5 @@ ndpi_get_proto_by_id ndpi_get_protocol_id_master_proto ndpi_guess_protocol_id ndpi_protocol2name +ndpi_get_lower_proto +ndpi_is_proto -- cgit v1.2.3 From b383475282c4566d33e516bdfeead2244cf3c1a1 Mon Sep 17 00:00:00 2001 From: valentina Date: Sun, 20 Sep 2015 23:22:48 +0200 Subject: Fixed DCE_RPC protocol when the port is different to default port (135) --- src/lib/protocols/dcerpc.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index 2537afd56..ec96d1287 100644 --- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c @@ -18,7 +18,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see . - * + * */ @@ -35,20 +35,23 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - if((packet->tcp != NULL) - && (packet->payload_packet_len > 64) - && ((ntohs(packet->tcp->source) == 135) || (ntohs(packet->tcp->dest) == 135)) + u_int16_t len_packet = (packet->payload[9]<<8) | packet->payload[8]; + + if((packet->tcp != NULL) + && (packet->payload_packet_len >= 64) && (packet->payload[0] == 0x05) /* version 5 */ && (packet->payload[2] < 16) /* Packet type */ - ) { - NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); + && (len_packet == packet->payload_packet_len) /* Packet Length */ + ) { + NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); ndpi_int_dcerpc_add_connection(ndpi_struct, flow); return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); + if(packet->payload_packet_len>1){ + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); + } } -- cgit v1.2.3 From a994722bb1649af2ae3014824455d72e9363faab Mon Sep 17 00:00:00 2001 From: Marco Gigante Date: Tue, 22 Sep 2015 15:25:09 +0200 Subject: Remove duplicated function declarations --- src/include/ndpi_main.h | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index adec3edf1..1acc5e14f 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h @@ -143,13 +143,6 @@ extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct u_int16_t** tcp_master_proto, u_int16_t** udp_master_proto); -extern u_int8_t ndpi_net_match(u_int32_t ip_to_check, - u_int32_t net, - u_int32_t num_bits); - -extern u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst, - u_int32_t net, u_int32_t num_bits); - #ifdef NDPI_ENABLE_DEBUG_MESSAGES void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct, const char **file, const char **func, u_int32_t * line); -- cgit v1.2.3 From f78f6b59cc52bd49d5f562c3159d302a216a0bfa Mon Sep 17 00:00:00 2001 From: valentina Date: Wed, 23 Sep 2015 00:53:25 +0200 Subject: Added some tags in order to recognize ebay --- src/lib/ndpi_content_match.c.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 5e0210d71..7413b6ebf 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7320,10 +7320,13 @@ ndpi_protocol_match host_match[] = { { ".cnn.c", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN }, { ".cnn.net", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN }, { ".dropbox.com", "DropBox", NDPI_SERVICE_DROPBOX, NDPI_PROTOCOL_SAFE }, + { ".ebay.", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebay.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebaystatic.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebaydesc.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebayrtm.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, + { ".ebaystratus.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, + { ".ebayimg.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".facebook.com", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, { ".fbcdn.net", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, { "fbcdn-", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, /* fbcdn-video-a-akamaihd.net */ @@ -7365,7 +7368,7 @@ ndpi_protocol_match host_match[] = { { "wikimediafoundation.", "Wikipedia", NDPI_SERVICE_WIKIPEDIA, NDPI_PROTOCOL_ACCEPTABLE }, { ".whatsapp.net", "WhatsApp", NDPI_SERVICE_WHATSAPP, NDPI_PROTOCOL_ACCEPTABLE }, { ".yahoo.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, - { "yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, + { ".yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, { "yahooapis.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, { "youtube.", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN }, { ".googlevideo.com", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN }, -- cgit v1.2.3 From 76c963a70c669ae567ddad5c48fe7c67aeda5e44 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 23 Sep 2015 15:53:01 +0200 Subject: Added support for pfring_config --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 403c57417..d2dfc4357 100644 --- a/configure.ac +++ b/configure.ac @@ -46,7 +46,7 @@ fi if test -f $PCAP_HOME/libpcap/libpcap.a; then : echo "Using libpcap from $PCAP_HOME" PCAP_INC="-I $PCAP_HOME/libpcap" - PCAP_LIB="$PCAP_HOME/libpcap/libpcap.a $PCAP_HOME/lib/libpfring.a $LIBNUMA" + PCAP_LIB="$PCAP_HOME/libpcap/libpcap.a $PCAP_HOME/lib/libpfring.a $LIBNUMA `$PCAP_HOME/lib/pfring_config --libs`" AC_CHECK_LIB([rt], [clock_gettime], [PCAP_LIB="$PCAP_LIB -lrt"]) AC_CHECK_LIB([nl], [nl_handle_alloc], [PCAP_LIB="$PCAP_LIB -lnl"]) -- cgit v1.2.3 From 00bfba1d7796d38c755ab0cd28216deef97b173a Mon Sep 17 00:00:00 2001 From: Lorenzo Mangani Date: Tue, 29 Sep 2015 01:04:46 +0200 Subject: Update README.md --- README.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 6209069e2..f93f0367e 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,11 @@ -# What is nDPI ? +![ntop][ntopng_logo] ![ntop][ntop_logo] +# nDPI + +## What is nDPI ? nDPI is an open source LGPLv3 library for deep-packet inspection. Based on OpenDPI it includes ntop extensions. We have tried to push them into the OpenDPI source tree but nobody answered emails so we have decided to create our own source tree -# How To Compile nDPI +### How To Compile nDPI In order to compile this library do @@ -14,7 +17,7 @@ Please note that the pre-requisites for compilation include: - GNU tools (autogen, automake, autoconf, libtool) - GNU C compiler (gcc) -# How To Add A New Protocol Dissector +### How To Add A New Protocol Dissector The entire procedure of adding new protocols in detail: @@ -30,13 +33,18 @@ The entire procedure of adding new protocols in detail: 10. ./configure 11. make -# Creating A Source File Tar Ball +### Creating A Source File Tar Ball If you want to distribute a source tar file of nDPI do: - make dist -# Acknowledgements +### Acknowledgements + +Many thanks to Radcom Ltd for supporting the development of nDPI. + + +[ntopng_logo]: https://camo.githubusercontent.com/0f789abcef232035c05e0d2e82afa3cc3be46485/687474703a2f2f7777772e6e746f702e6f72672f77702d636f6e74656e742f75706c6f6164732f323031312f30382f6e746f706e672d69636f6e2d313530783135302e706e67 -Many thanks to Radcom Ltd for supporting the development of nDPI. \ No newline at end of file +[ntop_logo]: https://camo.githubusercontent.com/58e2a1ecfff62d8ecc9d74633bd1013f26e06cba/687474703a2f2f7777772e6e746f702e6f72672f77702d636f6e74656e742f75706c6f6164732f323031352f30352f6e746f702e706e67 -- cgit v1.2.3 From e5c2fee022f54d2a517a4d043ccf5329c3b93b4d Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sat, 3 Oct 2015 08:34:18 +0200 Subject: Travis logo changes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f93f0367e..b7cf9e052 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ ![ntop][ntopng_logo] ![ntop][ntop_logo] # nDPI +[![Build Status](https://travis-ci.org/ntop/nDPI.png?branch=master)](https://travis-ci.org/zeromq/libzmq) + ## What is nDPI ? nDPI is an open source LGPLv3 library for deep-packet inspection. Based on OpenDPI it includes ntop extensions. We have tried to push them into the OpenDPI source tree but nobody answered emails so we have decided to create our own source tree -- cgit v1.2.3 From 1dc03d574195ffdd94091e2f15a77358e1119a46 Mon Sep 17 00:00:00 2001 From: Campus Date: Sun, 4 Oct 2015 14:00:47 +0200 Subject: added radio tap header identification for ieee802.11 packets --- example/ndpiReader.c | 237 +++++++++++++++++++++++++++++++++------------ src/include/linux_compat.h | 88 +++++++++++++++-- 2 files changed, 255 insertions(+), 70 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 73166761f..b28c6077d 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -54,6 +54,34 @@ #include #define MAX_NUM_READER_THREADS 16 +#define IDLE_SCAN_PERIOD 10 /* msec (use detection_tick_resolution = 1000) */ +#define MAX_IDLE_TIME 30000 +#define IDLE_SCAN_BUDGET 1024 +#define NUM_ROOTS 512 +#define GTP_U_V1_PORT 2152 +#define MAX_NDPI_FLOWS 200000000 + +#ifndef ETH_P_IP +#define ETH_P_IP 0x0800 /* IPv4 */ +#endif + +#ifndef ETH_P_IPv6 +#define ETH_P_IPV6 0x86dd /* IPv6 */ +#endif + +#define VLAN 0x8100 +#define MPLS 0x8847 +#define PPPoE 0x8864 + +/* mask for FCF */ +#define WIFI_DATA 0x2 /* 0000 0010 */ +#define FCF_TYPE(fc) (((fc) >> 2) & 0x3) /* 0000 0011 = 0x3 */ +#define FCF_SUBTYPE(fc) (((fc) >> 4) & 0xF) /* 0000 1111 = 0xF */ +#define FCF_TO_DS(fc) ((fc) & 0x0100) +#define FCF_FROM_DS(fc) ((fc) & 0x0200) + +/* mask for Bad FCF presence */ +#define BAD_FCS 0x50 /* 0101 0000 */ /** * @brief Set main components necessary to the detection @@ -100,12 +128,6 @@ static u_int32_t detection_tick_resolution = 1000; static time_t capture_for = 0; static time_t capture_until = 0; -#define IDLE_SCAN_PERIOD 10 /* msec (use detection_tick_resolution = 1000) */ -#define MAX_IDLE_TIME 30000 -#define IDLE_SCAN_BUDGET 1024 - -#define NUM_ROOTS 512 - static u_int32_t num_flows; struct thread_stats { @@ -143,8 +165,6 @@ struct reader_thread { static struct reader_thread ndpi_thread_info[MAX_NUM_READER_THREADS]; -#define GTP_U_V1_PORT 2152 -#define MAX_NDPI_FLOWS 200000000 /** * @brief ID tracking */ @@ -155,10 +175,6 @@ typedef struct ndpi_id { static u_int32_t size_id_struct = 0; // ID tracking structure size -#ifndef ETH_P_IP -#define ETH_P_IP 0x0800 -#endif - // flow tracking typedef struct ndpi_flow { u_int32_t lower_ip; @@ -478,17 +494,17 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow *flow) { if(!json_flag) { #if 0 fprintf(out, "\t%s [VLAN: %u] %s:%u <-> %s:%u\n", - ipProto2Name(flow->protocol), flow->vlan_id, - flow->lower_name, ntohs(flow->lower_port), - flow->upper_name, ntohs(flow->upper_port)); + ipProto2Name(flow->protocol), flow->vlan_id, + flow->lower_name, ntohs(flow->lower_port), + flow->upper_name, ntohs(flow->upper_port)); #else fprintf(out, "\t%u", ++num_flows); fprintf(out, "\t%s %s:%u <-> %s:%u ", - ipProto2Name(flow->protocol), - flow->lower_name, ntohs(flow->lower_port), - flow->upper_name, ntohs(flow->upper_port)); + ipProto2Name(flow->protocol), + flow->lower_name, ntohs(flow->lower_port), + flow->upper_name, ntohs(flow->upper_port)); if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); @@ -505,7 +521,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow *flow) { ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol.protocol)); fprintf(out, "[%u pkts/%llu bytes]", - flow->packets, (long long unsigned int)flow->bytes); + flow->packets, (long long unsigned int)flow->bytes); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->ssl.client_certificate[0] != '\0') fprintf(out, "[SSL client: %s]", flow->ssl.client_certificate); @@ -1526,85 +1542,176 @@ static void openPcapFileOrDevice(u_int16_t thread_id) { /* ***************************************************** */ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { + + /* + * Declare pointers to packet headers + */ + + /** --- Ethernet header --- **/ const struct ndpi_ethhdr *ethernet; + + /** --- ieee802.11 --- **/ + /* Radio Tap header */ + const struct ndpi_radiotap_header *radiotap; + /* LLC header */ + const struct ndpi_llc_header_proto *llc; + /* Data frame */ + const struct ndpi_wifi_data_frame *wifi_data; + + /** --- IP header --- **/ struct ndpi_iphdr *iph; + /** --- IPv6 header --- **/ struct ndpi_ip6_hdr *iph6; + + /* lengths and offsets */ + u_int16_t radio_len; + u_int16_t fc; + int wifi_data_len; + int llc_len; + u_int16_t llc_ether_type; + u_int32_t fcs; + u_int64_t time; u_int16_t type, ip_offset, ip_len; u_int16_t frag_off = 0, vlan_id = 0; u_int8_t proto = 0, vlan_packet = 0; + u_int32_t label; + u_int16_t thread_id = *((u_int16_t*)args); - // printf("[ndpiReader] pcap_packet_callback : [%u.%u.%u.%u.%u -> %u.%u.%u.%u.%u]\n", ethernet->h_dest[1],ethernet->h_dest[2],ethernet->h_dest[3],ethernet->h_dest[4],ethernet->h_dest[5],ethernet->h_source[1],ethernet->h_source[2],ethernet->h_source[3],ethernet->h_source[4],ethernet->h_source[5]); + int malformed_pkts = 0; + + /* Increment raw packet counter */ ndpi_thread_info[thread_id].stats.raw_packet_count++; if((capture_until != 0) && (header->ts.tv_sec >= capture_until)) { if(ndpi_thread_info[thread_id]._pcap_handle != NULL) pcap_breakloop(ndpi_thread_info[thread_id]._pcap_handle); - return; } + /* Check if capture is live or not */ if (!live_capture) { + if (!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec; } + /* setting time */ time = ((uint64_t) header->ts.tv_sec) * detection_tick_resolution + header->ts.tv_usec / (1000000 / detection_tick_resolution); - - if(ndpi_thread_info[thread_id].last_time > time) { /* safety check */ - // printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); + + /* safety check */ + if(ndpi_thread_info[thread_id].last_time > time) { + /* printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); */ time = ndpi_thread_info[thread_id].last_time; } + /* update last time value */ ndpi_thread_info[thread_id].last_time = time; + + /*** check Data Link type ***/ + int datalink_type = ndpi_thread_info[thread_id]._pcap_datalink_type; + + switch(datalink_type) + { + case DLT_NULL : + if(ntohl(*((u_int32_t*)packet)) == 2) + type = ETH_P_IP; + else + type = ETH_P_IPV6; + + ip_offset = 4; + + case DLT_EN10MB : + ethernet = (struct ndpi_ethhdr *) packet; + ip_offset = sizeof(struct ndpi_ethhdr); + type = ntohs(ethernet->h_proto); + break; - if(ndpi_thread_info[thread_id]._pcap_datalink_type == DLT_NULL) { - if(ntohl(*((u_int32_t*)packet)) == 2) - type = ETH_P_IP; - else - type = 0x86DD; /* IPv6 */ - - ip_offset = 4; - } else if(ndpi_thread_info[thread_id]._pcap_datalink_type == DLT_EN10MB) { - ethernet = (struct ndpi_ethhdr *) packet; - ip_offset = sizeof(struct ndpi_ethhdr); - type = ntohs(ethernet->h_proto); - } else if(ndpi_thread_info[thread_id]._pcap_datalink_type == 113 /* Linux Cooked Capture */) { - type = (packet[14] << 8) + packet[15]; - ip_offset = 16; - } else - return; + /* Linux Cooked Capture - 113 */ + case DLT_LINUX_SLL : + type = (packet[14] << 8) + packet[15]; + ip_offset = 16; + break; + + /* Radiotap link-layer - 127 */ + case DLT_IEEE802_11_RADIO : + radiotap = (struct ndpi_radiotap_header *) packet; + radio_len = radiotap->len; + + /* Check Bad FCS presence */ + if((radiotap->flags & BAD_FCS) == BAD_FCS) { + malformed_pkts += 1; + ndpi_thread_info[thread_id].stats.total_discarded_bytes += header->len; + return; + } + + fcs = header->len - 4; + + /* Calculate 802.11 header length (variable) */ + wifi_data = (struct ndpi_wifi_data_frame*)( packet + radio_len); + fc = wifi_data->fc; + + /* check wifi data presence */ + if(FCF_TYPE(fc) == WIFI_DATA) { + + if((FCF_TO_DS(fc) && FCF_FROM_DS(fc) == 0x0) || + (FCF_TO_DS(fc) == 0x0 && FCF_FROM_DS(fc))) + wifi_data_len = 26; /* + 4 byte fcs */ + + /* TODO: check QoS Control for aggregated MSDU */ + + + } else /* no data frames */ + break; + + /* Check ether_type from LLC */ + llc = (struct ndpi_llc_header_proto*)(packet + wifi_data_len + radio_len); + llc_ether_type = ntohs(llc->ether_IP_type); + + /* Set IP header offset */ + ip_offset = wifi_data_len + radio_len + sizeof(struct ndpi_llc_header_proto); + break; - while(1) { - if(type == 0x8100 /* VLAN */) { + default: + return; + } + + while(1) { + if(type == VLAN) { vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; ip_offset += 4; vlan_packet = 1; - } else if(type == 0x8847 /* MPLS */) { - u_int32_t label = ntohl(*((u_int32_t*)&packet[ip_offset])); - + break; + } + else if(type == MPLS) { + label = ntohl(*((u_int32_t*)&packet[ip_offset])); ndpi_thread_info[thread_id].stats.mpls_count++; type = 0x800, ip_offset += 4; - + while((label & 0x100) != 0x100) { ip_offset += 4; label = ntohl(*((u_int32_t*)&packet[ip_offset])); } - } else if(type == 0x8864 /* PPPoE */) { + break; + } + else if(type == PPPoE) { ndpi_thread_info[thread_id].stats.pppoe_count++; type = 0x0800; ip_offset += 8; - } else break; - } - + } + else + break; + } /* while(1) */ + ndpi_thread_info[thread_id].stats.vlan_count += vlan_packet; + /* Check and set IP header size and total packet length */ iph = (struct ndpi_iphdr *) &packet[ip_offset]; - // just work on Ethernet packets that contain IP + /* just work on Ethernet packets that contain IP */ if(type == ETH_P_IP && header->caplen >= ip_offset) { frag_off = ntohs(iph->frag_off); @@ -1619,14 +1726,17 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, } } + /* Check IP version */ if(iph->version == 4) { + ip_len = ((u_short)iph->ihl * 4); iph6 = NULL; if((frag_off & 0x3FFF) != 0) { + static u_int8_t ipv4_frags_warning_used = 0; - ndpi_thread_info[thread_id].stats.fragmented_count++; + if(ipv4_frags_warning_used == 0) { if((!json_flag) && (!quiet_mode)) printf("\n\nWARNING: IPv4 fragments are not handled by this demo (nDPI supports them)\n"); ipv4_frags_warning_used = 1; @@ -1641,39 +1751,40 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, ip_len = sizeof(struct ndpi_ip6_hdr); if(proto == 0x3C /* IPv6 destination option */) { + u_int8_t *options = (u_int8_t*)&packet[ip_offset+ip_len]; - proto = options[0]; ip_len += 8 * (options[1] + 1); } - iph = NULL; } else { + static u_int8_t ipv4_warning_used = 0; - + v4_warning: if(ipv4_warning_used == 0) { if((!json_flag) && (!quiet_mode)) printf("\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n"); ipv4_warning_used = 1; } - ndpi_thread_info[thread_id].stats.total_discarded_bytes += header->len; return; } - if(decode_tunnels && (proto == IPPROTO_UDP)) { + struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len]; u_int16_t sport = ntohs(udp->source), dport = ntohs(udp->dest); if((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) { + /* Check if it's GTPv1 */ u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); u_int8_t flags = packet[offset]; u_int8_t message_type = packet[offset+1]; - - if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) { - ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8 /* GTPv1 header len */; - + + if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && + (message_type == 0xFF /* T-PDU */)) { + + ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8; /* GTPv1 header len */ if(flags & 0x04) ip_offset += 1; /* next_ext_header is present */ if(flags & 0x02) ip_offset += 4; /* sequence_number is present (it also includes next_ext_header and pdu_number) */ if(flags & 0x01) ip_offset += 1; /* pdu_number is present */ @@ -1687,8 +1798,8 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, } } } - - // process the packet + + /* process the packet */ packet_processing(thread_id, time, vlan_id, iph, iph6, ip_offset, header->len - ip_offset, header->len); } diff --git a/src/include/linux_compat.h b/src/include/linux_compat.h index 38601f180..e3da18c60 100644 --- a/src/include/linux_compat.h +++ b/src/include/linux_compat.h @@ -43,21 +43,90 @@ #endif #pragma pack(push, 1) /* push current alignment to stack */ -#pragma pack(1) /* set alignment to 1 byte boundary */ +#pragma pack(1) /* set alignment to 1 byte boundary */ -#pragma pack(pop) /* restore original alignment from stack */ +#pragma pack(pop) /* restore original alignment from stack */ -struct ndpi_ethhdr { + +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* +++++++++++ Ethernet data structures +++++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + +struct ndpi_ethhdr +{ u_char h_dest[6]; /* destination eth addr */ u_char h_source[6]; /* source ether addr */ u_int16_t h_proto; /* packet type ID field */ }; -struct ndpi_80211q { - u_int16_t vlanId; - u_int16_t protoType; -}; +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* +++++++++++ ieee802.11 data structures +++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + +/******* RADIO TAP *******/ +/* radiotap header */ +struct ndpi_radiotap_header +{ + u_int8_t version; /* set to 0 */ + u_int8_t pad; + u_int16_t len; + u_int32_t present; + u_int64_t MAC_timestamp; + u_int8_t flags; + +} __attribute__((__packed__)); + +/* Beacon frame */ +struct ndpi_beacon +{ + /* header -- 24 byte */ + u_int16_t fc; + u_int16_t duration; + u_char rcv_addr[6]; + u_char trsm_addr[6]; + u_char bssid[6]; + u_int16_t seq_ctrl; + /* body (variable) */ + u_int64_t timestamp; /* 802.11 Timestamp value at frame send */ + u_int16_t beacon_interval; /* Interval at which beacons are send */ + u_int16_t capability; + /** List of information elements **/ + /* union ndpi_80211_info info_element[0]; */ +} __attribute__((packed)); + + +/* Wifi data frame - TODO: specify when addr1 addr2 addr3 is rcv, trams or bssid*/ +struct ndpi_wifi_data_frame +{ + u_int16_t fc; + u_int16_t duration; + u_char addr1[6]; + u_char addr2[6]; + u_char addr3[6]; + u_int16_t seq_ctrl; +} __attribute__((packed)); + +/* Logical-Link Control header */ +struct ndpi_llc_header_proto +{ + u_int8_t dsap; + u_int8_t ssap; + u_int8_t ctl; + /* u_int8_t pad1; */ + u_int16_t org; + u_int8_t org2; + /* u_int8_t pad2; */ + u_int16_t ether_IP_type; +} __attribute__((packed)); + + +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* ++++++++++++++ IP data structures ++++++++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + + +/* IP header */ struct ndpi_iphdr { #if defined(__LITTLE_ENDIAN__) u_int8_t ihl:4, version:4; @@ -161,6 +230,11 @@ struct ndpi_ip6_hdr { struct ndpi_in6_addr ip6_dst; }; +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* ++++++++ Transport Layer data structures +++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + + struct ndpi_tcphdr { u_int16_t source; u_int16_t dest; -- cgit v1.2.3 From 64a368dd8e8e6c3d643a85620ebe5c83263b08fc Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 19:48:26 -0600 Subject: add Ubiquity AirControl 2 protocol detection --- src/include/ndpi_protocol_ids.h | 3 ++- src/include/ndpi_protocols.h | 2 ++ src/lib/Makefile.am | 1 + src/lib/ndpi_main.c | 9 ++++++++- 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 82dfcf011..8a94db2ce 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -202,6 +202,7 @@ #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci */ #define NDPI_PROTOCOL_TEREDO 214 #define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */ +#define NDPI_PROTOCOL_UBNTAC2 217 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom */ #define NDPI_CONTENT_AVI 39 #define NDPI_CONTENT_FLASH 40 @@ -264,7 +265,7 @@ #define NDPI_SERVICE_HOTSPOT_SHIELD 215 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_HEP +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_UBNTAC2 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 64d90ad6a..963aac6f2 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -196,6 +196,7 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ @@ -334,5 +335,6 @@ void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in void init_zattoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_zmq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_INCLUDE_FILE__ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 215f3249a..ee395f5cd 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -140,6 +140,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/tvants.c \ protocols/tvuplayer.c \ protocols/twitter.c \ + protocols/ubntac2.c \ protocols/usenet.c \ protocols/veohtv.c \ protocols/viber.c \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 71dbdc557..5fe7e61af 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1627,7 +1627,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "Starcraft", ndpi_build_default_ports(ports_a, 1119, 0, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 1119, 0, 0, 0, 0)); /* UDP */ - + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2, + no_master, + no_master, "UBNTAC2", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -2630,6 +2635,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MPEGTS */ init_mpegts_dissector(ndpi_struct, &a, detection_bitmask); + /* UBNTAC2 */ + init_ubntac2_dissector(ndpi_struct, &a, detection_bitmask); /* ----------------------------------------------------------------- */ -- cgit v1.2.3 From 0a6d43c5f6ebc64b0e7e6efae6094096c7e9db61 Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 19:50:47 -0600 Subject: Add Ubiquity AirControl 2 protocol detection --- src/lib/protocols/ubntac2.c | 73 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 src/lib/protocols/ubntac2.c diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c new file mode 100644 index 000000000..75580fd15 --- /dev/null +++ b/src/lib/protocols/ubntac2.c @@ -0,0 +1,73 @@ +/* + * dhcp.c + * + * Copyright (C) 2009-2011 by ipoque GmbH + * Copyright (C) 2011-15 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + + +#include "ndpi_protocols.h" + +#ifdef NDPI_PROTOCOL_UBNTAC2 + +static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN); +} + + +void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + +// struct ndpi_id_struct *src=ndpi_struct->src; +// struct ndpi_id_struct *dst=ndpi_struct->dst; + + /* this detection also works for asymmetric dhcp traffic */ + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); + + /*check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67 */ + if (packet->payload_packet_len >= 135 && + (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && + memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + + ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + return; + } + + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); +} + + +void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("UBNTAC2", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_UBNTAC2, + ndpi_search_ubntac2, + NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + *id += 1; +} + +#endif -- cgit v1.2.3 From a2ff20990cd22a128d260767a546c940c62ba953 Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 19:53:25 -0600 Subject: remove traces of DHCP detector from ubntac2.c --- src/lib/protocols/ubntac2.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index 75580fd15..f12e122d7 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -1,5 +1,5 @@ /* - * dhcp.c + * ubntac2.c * * Copyright (C) 2009-2011 by ipoque GmbH * Copyright (C) 2011-15 - ntop.org @@ -40,11 +40,8 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc // struct ndpi_id_struct *src=ndpi_struct->src; // struct ndpi_id_struct *dst=ndpi_struct->dst; - /* this detection also works for asymmetric dhcp traffic */ - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); - /*check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67 */ if (packet->payload_packet_len >= 135 && (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { -- cgit v1.2.3 From 6519a1e32646f8b54bacaa7b9c9abac013c3d74c Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 20:04:39 -0600 Subject: add ndpi_malloc, ndpi_calloc and ndpi_set_detected_protocol to list of exported symbols --- libndpi.sym | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libndpi.sym b/libndpi.sym index 33b7cdcad..43d98f630 100644 --- a/libndpi.sym +++ b/libndpi.sym @@ -31,3 +31,6 @@ ndpi_guess_protocol_id ndpi_protocol2name ndpi_get_lower_proto ndpi_is_proto +ndpi_malloc +ndpi_calloc +ndpi_set_detected_protocol -- cgit v1.2.3 From 0e436e66dee4c4b792a9ccad22e84bf6bc66b94a Mon Sep 17 00:00:00 2001 From: Luca Date: Tue, 6 Oct 2015 16:24:03 +0200 Subject: Reworked copyright to give credit to the developer --- src/lib/protocols/ubntac2.c | 33 +++++++++++++-------------------- 1 file changed, 13 insertions(+), 20 deletions(-) diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index f12e122d7..7763c18d1 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -1,11 +1,7 @@ /* * ubntac2.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH + * Copyright (C) 2015 Thomas Fjellstrom * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -19,7 +15,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see . - * + * */ @@ -35,24 +31,21 @@ static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + struct ndpi_packet_struct *packet = &flow->packet; + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); - - if (packet->payload_packet_len >= 135 && - (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && - memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + if (packet->payload_packet_len >= 135 && + (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && + memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); - ndpi_int_ubntac2_add_connection(ndpi_struct, flow); - return; - } + ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + return; + } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); } -- cgit v1.2.3 From 06515b43d8af6f5b05896f8b709f519990f078aa Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Thu, 8 Oct 2015 05:04:16 -0600 Subject: NDPI_PROTOCOL_KAKAOTALK_VOICE was used instead of NDPI_SERVICE_KAKAOTALK_VOICE --- src/lib/protocols/kakaotalk_voice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c index 38596e41d..daa97cc36 100644 --- a/src/lib/protocols/kakaotalk_voice.c +++ b/src/lib/protocols/kakaotalk_voice.c @@ -56,7 +56,7 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc } } - NDPI_LOG(NDPI_PROTOCOL_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n"); + NDPI_LOG(NDPI_SERVICE_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_KAKAOTALK_VOICE); } -- cgit v1.2.3 From 93f02c08dceb07cc87d642c7c6bdc2774008212f Mon Sep 17 00:00:00 2001 From: Luca Date: Fri, 9 Oct 2015 15:03:10 +0200 Subject: Fixed invalid indexes used in SMTP dissector. See https://github.com/ntop/nDPI/commit/8c4fada42f8e6dcba42281fdc129e0a32b6050dc#commitcomment-13685139 --- src/lib/protocols/mail_smtp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 37846930e..422ed0dc2 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -117,10 +117,10 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct && (packet->line[a].ptr[1] == 'T' || packet->line[a].ptr[1] == 't') && (packet->line[a].ptr[2] == 'A' || packet->line[a].ptr[2] == 'a') && (packet->line[a].ptr[3] == 'R' || packet->line[a].ptr[3] == 'r') - && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[0] == 't') - && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[1] == 't') - && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[2] == 'l') - && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[3] == 's')) { + && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[4] == 't') + && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[5] == 't') + && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[6] == 'l') + && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[7] == 's')) { flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS; } } -- cgit v1.2.3 From cf2c59b1d756d0343b8bd4d4b149d5e8ab2343f1 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 11 Oct 2015 17:44:41 +0200 Subject: Fixed travis link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b7cf9e052..4061e3231 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ![ntop][ntopng_logo] ![ntop][ntop_logo] # nDPI -[![Build Status](https://travis-ci.org/ntop/nDPI.png?branch=master)](https://travis-ci.org/zeromq/libzmq) +[![Build Status](https://travis-ci.org/ntop/nDPI.png?branch=master)](https://travis-ci.org/ntop/nDPI) ## What is nDPI ? -- cgit v1.2.3 From 88d466e58e00b54827ac1702639664d335509922 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 11 Oct 2015 17:55:56 +0200 Subject: Added fix for Webex protol detection --- src/lib/ndpi_content_match.c.inc | 1 + tests/pcap/webex.pcap | Bin 0 -> 890207 bytes tests/result/webex.pcap.out | 68 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 tests/pcap/webex.pcap create mode 100644 tests/result/webex.pcap.out diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 7413b6ebf..73e99c94e 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7420,6 +7420,7 @@ ndpi_protocol_match host_match[] = { { "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_FUN }, { ".anchorfree.", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, { "hotspotshield.com", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, + { ".webex.com", "Webex", NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_ACCEPTABLE }, { NULL, 0 } }; diff --git a/tests/pcap/webex.pcap b/tests/pcap/webex.pcap new file mode 100644 index 000000000..82981bd0d Binary files /dev/null and b/tests/pcap/webex.pcap differ diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out new file mode 100644 index 000000000..7d9c790f1 --- /dev/null +++ b/tests/result/webex.pcap.out @@ -0,0 +1,68 @@ +Unknown 16 1171 1 +HTTP 22 3182 2 +SSL_No_Cert 90 10682 5 +SSL 169 18825 18 +SIP 22 15356 1 +Google 17 6375 1 +Webex 1244 809312 29 + + 1 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91/SSL][11 pkts/697 bytes] + 2 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][513 pkts/344086 bytes][SSL server: *.webex.com] + 3 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91/SSL][5 pkts/353 bytes] + 4 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][16 pkts/7099 bytes][SSL server: *.webex.com] + 5 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91/SSL][8 pkts/639 bytes] + 6 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91/SSL][8 pkts/639 bytes] + 7 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][50 pkts/10360 bytes][SSL server: *.webex.com] + 8 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91/SSL][3 pkts/182 bytes] + 9 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91/SSL][11 pkts/697 bytes] + 10 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91/SSL][11 pkts/697 bytes] + 11 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][11 pkts/4584 bytes][SSL server: *.webex.com] + 12 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][10 pkts/1391 bytes][Host: cp.pushwoosh.com] + 13 TCP 107.20.242.44:443 <-> 10.133.206.47:59447 [proto: 91/SSL][3 pkts/174 bytes] + 14 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][SSL server: *.webex.com] + 15 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][23 pkts/6641 bytes][SSL server: *.webex.com] + 16 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][SSL server: *.webex.com] + 17 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][SSL server: *.webex.com] + 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][18 pkts/7207 bytes][SSL server: *.webex.com] + 19 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91/SSL][11 pkts/697 bytes] + 20 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][8 pkts/668 bytes] + 21 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][21 pkts/2530 bytes] + 22 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][20 pkts/2475 bytes] + 23 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][13 pkts/1733 bytes] + 24 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][9 pkts/905 bytes][SSL client: radcom.webex.com] + 25 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][14 pkts/8239 bytes][SSL server: *.webex.com] + 26 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][16 pkts/7968 bytes][SSL server: *.webex.com] + 27 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91/SSL][11 pkts/697 bytes] + 28 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][105 pkts/19286 bytes][SSL server: *.webex.com] + 29 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91/SSL][11 pkts/717 bytes] + 30 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][24 pkts/35888 bytes][SSL server: *.webex.com] + 31 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][15 pkts/5217 bytes][SSL server: *.webex.com] + 32 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91/SSL][8 pkts/515 bytes] + 33 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][15 pkts/5217 bytes][SSL server: *.webex.com] + 34 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][14 pkts/7796 bytes][SSL server: *.webex.com] + 35 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][13 pkts/4692 bytes][SSL server: *.webex.com] + 36 TCP 10.8.0.1:59756 <-> 78.46.237.91:80 [proto: 7/HTTP][12 pkts/1791 bytes][Host: cp.pushwoosh.com] + 37 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][17 pkts/5293 bytes][SSL server: *.webex.com] + 38 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91/SSL][11 pkts/697 bytes] + 39 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][17 pkts/7990 bytes][SSL server: *.webex.com] + 40 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][17 pkts/6375 bytes][SSL client: ssl.google-analytics.com] + 41 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][14 pkts/7796 bytes][SSL server: *.webex.com] + 42 TCP 185.63.147.10:443 <-> 10.133.206.47:54651 [proto: 91/SSL][3 pkts/174 bytes] + 43 UDP 10.8.0.1:64538 <-> 172.16.1.75:5060 [proto: 100/SIP][22 pkts/15356 bytes] + 44 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][5 pkts/317 bytes] + 45 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][18 pkts/1972 bytes] + 46 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][18 pkts/1972 bytes] + 47 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][14 pkts/5202 bytes][SSL server: www.webex.com] + 48 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][95 pkts/92236 bytes][SSL client: radcom.webex.com] + 49 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][56 pkts/109696 bytes][SSL client: radcom.webex.com] + 50 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][11 pkts/1013 bytes][SSL client: radcom.webex.com] + 51 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][26 pkts/26384 bytes][SSL server: *.webex.com] + 52 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][38 pkts/42482 bytes][SSL server: *.webex.com] + 53 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][17 pkts/8401 bytes][SSL server: *.webex.com] + 54 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91/SSL][11 pkts/697 bytes] + 55 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/SSL][30 pkts/9568 bytes][SSL client: api.crittercism.com] + 56 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][17 pkts/7969 bytes][SSL server: *.webex.com] + + +Undetected flows: + 1 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 0/Unknown][16 pkts/1171 bytes] -- cgit v1.2.3 From 4ec03b7e8798810593995e23c291239a46b9092f Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 11 Oct 2015 18:35:51 +0200 Subject: Added TZSP encapsulation support --- example/ndpiReader.c | 129 ++++++++++++++++++++++++++++++++------------------- 1 file changed, 82 insertions(+), 47 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b28c6077d..71bb1f352 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -59,6 +59,7 @@ #define IDLE_SCAN_BUDGET 1024 #define NUM_ROOTS 512 #define GTP_U_V1_PORT 2152 +#define TZSP_PORT 37008 #define MAX_NDPI_FLOWS 200000000 #ifndef ETH_P_IP @@ -223,7 +224,7 @@ static void help(u_int long_help) { #endif " -d | Disable protocol guess and use only DPI\n" " -q | Quiet mode\n" - " -t | Dissect GTP tunnels\n" + " -t | Dissect GTP/TZSP tunnels\n" " -r | Print nDPI version and git revision\n" " -w | Write test output on the specified file. This is useful for\n" " | testing purposes in order to compare results across runs\n" @@ -1541,12 +1542,13 @@ static void openPcapFileOrDevice(u_int16_t thread_id) { /* ***************************************************** */ -static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { +static void pcap_packet_callback(u_char *args, + const struct pcap_pkthdr *header, + const u_char *packet) { - /* + /* * Declare pointers to packet headers */ - /** --- Ethernet header --- **/ const struct ndpi_ethhdr *ethernet; @@ -1564,13 +1566,14 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, struct ndpi_ip6_hdr *iph6; /* lengths and offsets */ + u_int16_t eth_offset = 0; u_int16_t radio_len; u_int16_t fc; int wifi_data_len; int llc_len; u_int16_t llc_ether_type; u_int32_t fcs; - + u_int64_t time; u_int16_t type, ip_offset, ip_len; u_int16_t frag_off = 0, vlan_id = 0; @@ -1580,7 +1583,7 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, u_int16_t thread_id = *((u_int16_t*)args); int malformed_pkts = 0; - + /* Increment raw packet counter */ ndpi_thread_info[thread_id].stats.raw_packet_count++; @@ -1592,7 +1595,6 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, /* Check if capture is live or not */ if (!live_capture) { - if (!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec; } @@ -1600,84 +1602,81 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, /* setting time */ time = ((uint64_t) header->ts.tv_sec) * detection_tick_resolution + header->ts.tv_usec / (1000000 / detection_tick_resolution); - + /* safety check */ - if(ndpi_thread_info[thread_id].last_time > time) { + if(ndpi_thread_info[thread_id].last_time > time) { /* printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); */ time = ndpi_thread_info[thread_id].last_time; } /* update last time value */ ndpi_thread_info[thread_id].last_time = time; - + /*** check Data Link type ***/ int datalink_type = ndpi_thread_info[thread_id]._pcap_datalink_type; - switch(datalink_type) - { + datalink_check: + switch(datalink_type) { case DLT_NULL : - if(ntohl(*((u_int32_t*)packet)) == 2) + if(ntohl(*((u_int32_t*)&packet[eth_offset])) == 2) type = ETH_P_IP; else type = ETH_P_IPV6; - - ip_offset = 4; + + ip_offset = 4 + eth_offset; case DLT_EN10MB : - ethernet = (struct ndpi_ethhdr *) packet; - ip_offset = sizeof(struct ndpi_ethhdr); + ethernet = (struct ndpi_ethhdr *) &packet[eth_offset]; + ip_offset = sizeof(struct ndpi_ethhdr) + eth_offset; type = ntohs(ethernet->h_proto); break; /* Linux Cooked Capture - 113 */ case DLT_LINUX_SLL : - type = (packet[14] << 8) + packet[15]; - ip_offset = 16; + type = (packet[eth_offset+14] << 8) + packet[eth_offset+15]; + ip_offset = 16 + eth_offset; break; /* Radiotap link-layer - 127 */ case DLT_IEEE802_11_RADIO : - radiotap = (struct ndpi_radiotap_header *) packet; + radiotap = (struct ndpi_radiotap_header *) &packet[eth_offset]; radio_len = radiotap->len; - + /* Check Bad FCS presence */ if((radiotap->flags & BAD_FCS) == BAD_FCS) { malformed_pkts += 1; ndpi_thread_info[thread_id].stats.total_discarded_bytes += header->len; return; } - + fcs = header->len - 4; /* Calculate 802.11 header length (variable) */ - wifi_data = (struct ndpi_wifi_data_frame*)( packet + radio_len); + wifi_data = (struct ndpi_wifi_data_frame*)( packet + eth_offset + radio_len); fc = wifi_data->fc; /* check wifi data presence */ if(FCF_TYPE(fc) == WIFI_DATA) { - if((FCF_TO_DS(fc) && FCF_FROM_DS(fc) == 0x0) || (FCF_TO_DS(fc) == 0x0 && FCF_FROM_DS(fc))) wifi_data_len = 26; /* + 4 byte fcs */ - - /* TODO: check QoS Control for aggregated MSDU */ - + /* TODO: check QoS Control for aggregated MSDU */ } else /* no data frames */ break; - + /* Check ether_type from LLC */ - llc = (struct ndpi_llc_header_proto*)(packet + wifi_data_len + radio_len); + llc = (struct ndpi_llc_header_proto*)(packet + eth_offset + wifi_data_len + radio_len); llc_ether_type = ntohs(llc->ether_IP_type); - + /* Set IP header offset */ - ip_offset = wifi_data_len + radio_len + sizeof(struct ndpi_llc_header_proto); + ip_offset = wifi_data_len + radio_len + sizeof(struct ndpi_llc_header_proto) + eth_offset; break; default: return; } - - while(1) { + + while(1) { if(type == VLAN) { vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; @@ -1689,7 +1688,7 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, label = ntohl(*((u_int32_t*)&packet[ip_offset])); ndpi_thread_info[thread_id].stats.mpls_count++; type = 0x800, ip_offset += 4; - + while((label & 0x100) != 0x100) { ip_offset += 4; label = ntohl(*((u_int32_t*)&packet[ip_offset])); @@ -1705,10 +1704,10 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, else break; } /* while(1) */ - + ndpi_thread_info[thread_id].stats.vlan_count += vlan_packet; - /* Check and set IP header size and total packet length */ + /* Check and set IP header size and total packet length */ iph = (struct ndpi_iphdr *) &packet[ip_offset]; /* just work on Ethernet packets that contain IP */ @@ -1728,12 +1727,11 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, /* Check IP version */ if(iph->version == 4) { - ip_len = ((u_short)iph->ihl * 4); iph6 = NULL; if((frag_off & 0x3FFF) != 0) { - + static u_int8_t ipv4_frags_warning_used = 0; ndpi_thread_info[thread_id].stats.fragmented_count++; @@ -1751,39 +1749,38 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, ip_len = sizeof(struct ndpi_ip6_hdr); if(proto == 0x3C /* IPv6 destination option */) { - + u_int8_t *options = (u_int8_t*)&packet[ip_offset+ip_len]; proto = options[0]; ip_len += 8 * (options[1] + 1); } iph = NULL; } else { - static u_int8_t ipv4_warning_used = 0; - + v4_warning: if(ipv4_warning_used == 0) { - if((!json_flag) && (!quiet_mode)) printf("\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n"); + if((!json_flag) && (!quiet_mode)) + printf("\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n"); ipv4_warning_used = 1; } ndpi_thread_info[thread_id].stats.total_discarded_bytes += header->len; return; } + if(decode_tunnels && (proto == IPPROTO_UDP)) { - struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len]; u_int16_t sport = ntohs(udp->source), dport = ntohs(udp->dest); if((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) { - /* Check if it's GTPv1 */ u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); u_int8_t flags = packet[offset]; u_int8_t message_type = packet[offset+1]; - + if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) { - + ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8; /* GTPv1 header len */ if(flags & 0x04) ip_offset += 1; /* next_ext_header is present */ if(flags & 0x02) ip_offset += 4; /* sequence_number is present (it also includes next_ext_header and pdu_number) */ @@ -1796,9 +1793,47 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, goto v4_warning; } } + } else if((sport == TZSP_PORT) || (dport == TZSP_PORT)) { + /* https://en.wikipedia.org/wiki/TZSP */ + u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); + u_int8_t version = packet[offset]; + u_int8_t type = packet[offset+1]; + u_int16_t encapsulates = ntohs(*((u_int16_t*)&packet[offset+2])); + + if((version == 1) && (type == 0) && (encapsulates == 1)) { + u_int8_t stop = 0; + + offset += 4; + + while((!stop) && (offset < header->caplen)) { + u_int8_t tag_type = packet[offset]; + u_int8_t tag_len; + + switch(tag_type) { + case 0: /* PADDING Tag */ + tag_len = 1; + break; + case 1: /* END Tag */ + tag_len = 1, stop = 1; + break; + default: + tag_len = packet[offset+1]; + break; + } + + offset += tag_len; + + if(offset >= header->caplen) + return; /* Invalid packet */ + else { + eth_offset = offset; + goto datalink_check; + } + } + } } } - + /* process the packet */ packet_processing(thread_id, time, vlan_id, iph, iph6, ip_offset, header->len - ip_offset, header->len); -- cgit v1.2.3 From 72eafff843d32baaa7d8c34be19c6c560b2fc4f9 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 11 Oct 2015 22:27:03 +0200 Subject: Improvements for NetFlix detection --- src/lib/ndpi_content_match.c.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 73e99c94e..c2d219e5f 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -7352,7 +7352,7 @@ ndpi_protocol_match host_match[] = { { "nflxext.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN }, { "nflximg.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN }, { "nflximg.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN }, - + { "nflxvideo.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN }, { ".skype.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE }, { ".skypeassets.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE }, { ".skypedata.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE }, -- cgit v1.2.3