From d233459195b1c43b85226cc79032b4bf4b51d33a Mon Sep 17 00:00:00 2001
From: Alexis La Goutte <alexis.lagoutte@gmail.com>
Date: Tue, 10 May 2016 20:01:20 +0200
Subject: QUIC: Remove a wrong heuritics

The QUIC version is always present in the first frame
---
 src/lib/protocols/quic.c               | 51 +---------------------------------
 tests/result/NTPv3.pcap.out            |  4 +--
 tests/result/starcraft_battle.pcap.out |  5 ++--
 3 files changed, 5 insertions(+), 55 deletions(-)

diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c
index 103a8e817..b67aa991c 100644
--- a/src/lib/protocols/quic.c
+++ b/src/lib/protocols/quic.c
@@ -69,39 +69,6 @@ static int connect_id(const unsigned char pflags)
         return cid_len + 1;
 }
 
-static int sequence(const unsigned char *payload)
-{
-    unsigned char conv[6] = {0};
-    u_int seq_value = -1;
-    int seq_lens;
-    int cid_offs;
-    int i;
-
-        // Search SEQ bytes length.
-        switch (payload[0] & QUIC_SEQ_MASK)
-        {
-           case SEQ_LEN_6: seq_lens = 6; break;
-           case SEQ_LEN_4: seq_lens = 4; break;
-           case SEQ_LEN_2: seq_lens = 2; break;
-           case SEQ_LEN_1: seq_lens = 1; break;
-           default:
-               return -1;
-        }
-        // Retrieve SEQ offset.
-        cid_offs = connect_id(payload[0]);
-
-        if (cid_offs >= 0 && seq_lens > 0)
-        {
-            for (i = 0; i < seq_lens; i++)
-                conv[i] = payload[cid_offs + i];
-
-        seq_value = SEQ_CONV(conv);
-        }
-
-        // Return SEQ dec value;
-        return seq_value;
-}
-
 void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
 {
     struct ndpi_packet_struct *packet = &flow->packet;
@@ -118,23 +85,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, struct n
 	NDPI_LOG(NDPI_PROTOCOL_QUIC, ndpi_struct, NDPI_LOG_DEBUG, "exclude quic.\n");
 	NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QUIC);
 
-
-	// Settings without version. First check if PUBLIC FLAGS & SEQ bytes are 0x0. SEQ must be 1 at least.
-	if ((packet->payload[0] == 0x00 && packet->payload[1] != 0x00) || ((packet->payload[0] & QUIC_NO_V_RES_RSV) == 0))
-	{
-	  if (sequence(packet->payload) < 1)
-	  {
-
-	    NDPI_LOG(NDPI_PROTOCOL_QUIC, ndpi_struct, NDPI_LOG_DEBUG, "exclude quic.\n");
-	    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QUIC);
-	  }
-
-	  NDPI_LOG(NDPI_PROTOCOL_QUIC, ndpi_struct, NDPI_LOG_DEBUG, "found quic.\n");
-	  ndpi_int_quic_add_connection(ndpi_struct, flow);
-	}
-
-	// Check if version, than the CID length.
-	else if (packet->payload[0] & QUIC_VER_MASK)
+        if (packet->payload[0] & QUIC_VER_MASK)
 	{
 	  // Skip CID length.
 	  ver_offs = connect_id(packet->payload[0]);
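Review bot: The `if (packet->payload[0] & QUIC_VER_MASK)` test now follows the "exclude quic" log and `NDPI_ADD_PROTOCOL_TO_BITMASK` lines directly, with no `return` or closing brace visible between them, so a flow that was just excluded may still be parsed and classified as QUIC. If the exclusion is meant to be final, add `return;` after the bitmask update; the condition guarding those two lines is above the hunk, so confirm it there. The payload is untrusted network data, and the hunk shows no length check before `packet->payload[0]` or before the offset returned by `connect_id()` is used. The body of `ndpi_search_quic` continues below the hunk, so verify there that the packet length covers `ver_offs` plus the version bytes before they are read. The new `if` line is also indented with spaces where its neighbours use tabs.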
diff --git a/tests/result/NTPv3.pcap.out b/tests/result/NTPv3.pcap.out
index d7937ec96..91d817e5e 100644
--- a/tests/result/NTPv3.pcap.out
+++ b/tests/result/NTPv3.pcap.out
@@ -1,3 +1,3 @@
-QUIC	1	90	1
+NTP	1	90	1
 
-	1	UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 188/QUIC][1 pkts/90 bytes]
+	1	UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 9/NTP][1 pkts/90 bytes]
diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out
index fe08da9b8..af94d88b9 100644
--- a/tests/result/starcraft_battle.pcap.out
+++ b/tests/result/starcraft_battle.pcap.out
@@ -6,8 +6,7 @@ HTTPDownload	179	134204	1
 WorldOfWarcraft	9	880	1
 IGMP	2	120	1
 SSL	41	2782	12
-Google	14	1588	3
-QUIC	6	475	1
+Google	20	2063	4
 Starcraft	236	51494	6
 
 	1	TCP 80.239.186.21:80 <-> 192.168.1.100:3516 [proto: 7/HTTP][12 pkts/3680 bytes][Host: eu.launcher.battle.net]
@@ -40,7 +39,7 @@ Starcraft	236	51494	6
 	28	TCP 80.239.186.26:443 <-> 192.168.1.100:3476 [proto: 91/SSL][1 pkts/60 bytes]
 	29	TCP 80.239.186.40:443 <-> 192.168.1.100:3478 [proto: 91/SSL][1 pkts/60 bytes]
 	30	TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7.60/HTTP.HTTPDownload][179 pkts/134204 bytes][Host: llnw.blizzard.com]
-	31	UDP 173.194.40.22:443 <-> 192.168.1.100:53568 [proto: 188/QUIC][6 pkts/475 bytes]
+	31	UDP 173.194.40.22:443 <-> 192.168.1.100:53568 [proto: 188.126/QUIC.Google][6 pkts/475 bytes]
 	32	UDP 192.168.1.100:55468 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/556 bytes][Host: bnetcmsus-a.akamaihd.net]
 	33	UDP 192.168.1.100:58818 <-> 192.168.1.254:53 [proto: 5/DNS][4 pkts/432 bytes][Host: 91.252.30.192.in-addr.arpa]
 	34	UDP 192.168.1.100:58844 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/210 bytes][Host: 40.186.239.80.in-addr.arpa]
-- 
cgit v1.2.3