From e2cfc96577be5fe97cd5ce63ac30b23cbfadce84 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Mon, 13 Feb 2017 01:29:25 +0100 Subject: Improvements for exporting info in MDNS and UBNTAC2 protocols Added test pcap file for UBNTAC2 --- example/ndpiReader.c | 2 +- example/ndpi_util.c | 6 +++++- example/ndpi_util.h | 1 + src/include/ndpi_typedefs.h | 8 ++++++++ src/lib/protocols/mdns.c | 21 +++++++++++++++----- src/lib/protocols/ubntac2.c | 35 ++++++++++++++++++++++++++++----- tests/pcap/ubntac2.pcap | Bin 0 -> 1888 bytes tests/result/skype_no_unknown.pcap.out | 2 +- tests/result/ubntac2.pcap.out | 10 ++++++++++ 9 files changed, 72 insertions(+), 13 deletions(-) create mode 100644 tests/pcap/ubntac2.pcap create mode 100644 tests/result/ubntac2.pcap.out diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 4bf786aa8..72b495912 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -387,7 +387,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { flow->packets, (long long unsigned int) flow->bytes); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); - + if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); if(flow->ssh_ssl.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_ssl.client_info); if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index d5cb27d5a..3397d8a92 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -516,8 +516,12 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, } if(n == 0) flow->bittorent_hash[0] = '\0'; + } else if(flow->detected_protocol.protocol == NDPI_PROTOCOL_MDNS) { + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer); + } else if(flow->detected_protocol.protocol == NDPI_PROTOCOL_UBNTAC2) { + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); } - + if((proto == IPPROTO_TCP) && (flow->detected_protocol.protocol != NDPI_PROTOCOL_DNS)) { if(flow->detected_protocol.protocol == NDPI_PROTOCOL_SSH) { snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 171ab8e95..6ff17bac2 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -58,6 +58,7 @@ typedef struct ndpi_flow_info { // result only, not used for flow identification ndpi_protocol detected_protocol; + char info[96]; char host_server_name[192]; char bittorent_hash[41]; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 801f1e768..68e332c23 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -960,6 +960,14 @@ struct ndpi_flow_struct { struct { char client_signature[48], server_signature[48]; } ssh; + + struct { + char answer[96]; + } mdns; + + struct { + char version[96]; + } ubntac2; } protos; /*** ALL protocol specific 64 bit variables here ***/ diff --git a/src/lib/protocols/mdns.c b/src/lib/protocols/mdns.c index b3184c26f..0692b3252 100644 --- a/src/lib/protocols/mdns.c +++ b/src/lib/protocols/mdns.c @@ -63,13 +63,26 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct ntohs(get_u_int16_t(packet->payload, 6)) <= NDPI_MAX_MDNS_REQUESTS) { NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, NDPI_LOG_DEBUG, "found MDNS with question query.\n"); - return 1; - + return 1; } else if((packet->payload[2] & 0x80) != 0 && ntohs(get_u_int16_t(packet->payload, 4)) == 0 && ntohs(get_u_int16_t(packet->payload, 6)) <= NDPI_MAX_MDNS_REQUESTS && ntohs(get_u_int16_t(packet->payload, 6)) != 0) { + char answer[256]; + int i, j, len; + + for(i=13, j=0; (packet->payload[i] != 0) && (i < packet->payload_packet_len) && (i < (sizeof(answer)-1)); i++) + answer[j++] = (packet->payload[i] < 13) ? '.' : packet->payload[i]; + + answer[j] = '\0'; + + /* printf("==> [%d] %s\n", j, answer); */ + + len = ndpi_min(sizeof(flow->protos.mdns.answer)-1, j); + strncpy(flow->protos.mdns.answer, (const char *)answer, len); + flow->protos.mdns.answer[len] = '\0'; + NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, NDPI_LOG_DEBUG, "found MDNS with answer query.\n"); return 1; } @@ -87,14 +100,12 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n */ /* check if UDP packet */ - if(packet->udp != NULL) { - + if(packet->udp != NULL) { /* read destination port */ dport = ntohs(packet->udp->dest); /* check standard MDNS ON port 5353 */ if(dport == 5353 && packet->payload_packet_len >= 12) { - /* mdns protocol must have destination address 224.0.0.251 */ if(packet->iph != NULL && ntohl(packet->iph->daddr) == 0xe00000fb) { diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index b465e0a30..7196ee884 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -37,12 +37,37 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc if(packet->udp) { if(packet->payload_packet_len >= 135 && - (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && - memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001))) { + int found = 0; - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); - - ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + if(memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + found = 36+5; + } else if(memcmp(&(packet->payload[49]), "ubnt", 4) == 0) { + found = 49+5; + } + + if(found) { + char version[256]; + int i, j, len; + + found += packet->payload[found+1] + 4; /* Skip model name */ + found++; /* Skip len*/ + + if(found < packet->payload_packet_len) { + for(i=found, j=0; (packet->payload[i] != 0) && (i < packet->payload_packet_len) && (i < (sizeof(version)-1)); i++) + version[j++] = packet->payload[i]; + + version[j] = '\0'; + + len = ndpi_min(sizeof(flow->protos.ubntac2.version)-1, j); + strncpy(flow->protos.ubntac2.version, (const char *)version, len); + flow->protos.ubntac2.version[len] = '\0'; + } + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + + ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + } return; } } diff --git a/tests/pcap/ubntac2.pcap b/tests/pcap/ubntac2.pcap new file mode 100644 index 000000000..254700b61 Binary files /dev/null and b/tests/pcap/ubntac2.pcap differ diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 49579d00a..d8b67aab0 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out @@ -239,7 +239,7 @@ MS_OneDrive 348 181687 1 226 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][17 pkts/1322 bytes] 227 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][36 pkts/13402 bytes] 228 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][14 pkts/1432 bytes] - 229 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes] + 229 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes][Lucas-iMac.local] 230 UDP 192.168.1.34:13021 <-> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes] 231 UDP 192.168.1.34:13021 <-> 64.4.23.142:40023 [proto: 125/Skype][1 pkts/72 bytes] 232 UDP 192.168.1.34:13021 <-> 64.4.23.140:40003 [proto: 125/Skype][1 pkts/67 bytes] diff --git a/tests/result/ubntac2.pcap.out b/tests/result/ubntac2.pcap.out new file mode 100644 index 000000000..02e7d8e59 --- /dev/null +++ b/tests/result/ubntac2.pcap.out @@ -0,0 +1,10 @@ +UBNTAC2 8 1736 8 + + 1 UDP 192.168.1.1:42838 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 2 UDP 192.168.1.1:47746 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 3 UDP 192.168.1.1:52220 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 4 UDP 192.168.1.1:59772 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 5 UDP 192.168.1.1:34085 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 6 UDP 192.168.1.1:44641 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 7 UDP 192.168.1.1:47871 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 8 UDP 192.168.1.1:55321 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] -- cgit v1.2.3