From 7e38a4f79036982ee23c9d93866b07833c56d336 Mon Sep 17 00:00:00 2001 From: Alfredo Cardigliano Date: Thu, 26 Oct 2017 23:23:29 +0200 Subject: Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d9802fc2d..5aff79ae9 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,7 @@ The entire procedure of adding new protocols in detail: 1. Add new protocol together with its unique ID to: src/include/ndpi_protocol_ids.h 2. Create a new protocol in: src/lib/protocols/ -3. Variables to be kept for the duration of the entire flow (as state variables) needs to be placed in: /include/ndpi_structs.h in ndpi_flow_tcp_struct (for TCP only), ndpi_flow_udp_struct (for UDP only), or ndpi_flow_struct (for both). +3. Variables to be kept for the duration of the entire flow (as state variables) need to be placed in: src/include/ndpi_typedefs.h in ndpi_flow_tcp_struct (for TCP only), ndpi_flow_udp_struct (for UDP only), or ndpi_flow_struct (for both). 4. Add a new entry for the search function for the new protocol in: src/include/ndpi_protocols.h 5. Choose (do not change anything) a selection bitmask from: src/include/ndpi_define.h 6. Add a new entry in ndpi_set_protocol_detection_bitmask2 in: src/lib/ndpi_main.c -- cgit v1.2.3 From 169aa11adc67e18a21fd81ecbb0c1c0989b346c9 Mon Sep 17 00:00:00 2001 From: Darryl Sokoloski Date: Thu, 26 Oct 2017 21:07:00 -0400 Subject: Added DHCP class identifier support. --- src/include/ndpi_typedefs.h | 1 + src/lib/protocols/dhcp.c | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 33043fde5..c79f57f4d 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1031,6 +1031,7 @@ struct ndpi_flow_struct { struct { char fingerprint[48]; + char class_ident[48]; } dhcp; } protos; diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index cdf33947e..c46cc1c91 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -104,6 +104,13 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru "%02X", dhcp->options[i+2+idx] & 0xFF); offset += 2; } + } else if(id == 60 /* Class Identifier */) { + char *name = (char*)&dhcp->options[i+2]; + int j = 0; + + j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); + strncpy((char*)flow->protos.dhcp.class_ident, name, j); + flow->protos.dhcp.class_ident[j] = '\0'; } else if(id == 12 /* Host Name */) { char *name = (char*)&dhcp->options[i+2]; int j = 0; -- cgit v1.2.3 From cf07c925387ce803c314513ed8e4b1810bb27a0d Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 29 Oct 2017 18:31:31 +0100 Subject: Dropbox and apple improvements Fixed warning --- example/ndpiReader.c | 2 ++ src/lib/ndpi_content_match.c.inc | 2 ++ 2 files changed, 4 insertions(+) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 8d8ee47b0..8bc4ad1a6 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1117,6 +1117,8 @@ static struct receiver *cutBackTo(struct receiver **receivers, u_int32_t size, u HASH_DEL(*receivers, r); free(r); } + + return(NULL); } /* *********************************************** */ diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index ba14f50f1..4a9ec63cf 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -8031,6 +8031,7 @@ ndpi_protocol_match host_match[] = { { ".cloudfront.net", "Amazon", NDPI_PROTOCOL_AMAZON, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, { ".apple.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, + { ".apple-dns.net", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".mzstatic.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".aaplimg.com", "Apple", NDPI_PROTOCOL_APPLE, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".icloud.com", "AppleiCloud", NDPI_PROTOCOL_APPLE_ICLOUD, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_ACCEPTABLE }, @@ -8048,6 +8049,7 @@ ndpi_protocol_match host_match[] = { { ".cnn.net", "CNN", NDPI_PROTOCOL_CNN, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, { ".dropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, + { ".dropbox-dns.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { "log.getdropbox.com", "DropBox", NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebay.", "eBay", NDPI_PROTOCOL_EBAY, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE }, /* or FUN */ -- cgit v1.2.3 From 159e6228fe9da7a9d410cb0a185d54cdee483797 Mon Sep 17 00:00:00 2001 From: Alfredo Cardigliano Date: Mon, 30 Oct 2017 11:30:09 +0100 Subject: --ndpi-proto-filter now accepts also protocol name --- example/ndpiReader.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 8d8ee47b0..f10c82a90 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -96,6 +96,7 @@ static struct timeval pcap_start, pcap_end; static time_t capture_for = 0; static time_t capture_until = 0; static u_int32_t num_flows; +static struct ndpi_detection_module_struct *ndpi_info_mod = NULL; struct flow_info { struct ndpi_flow_info *flow; @@ -272,8 +273,7 @@ static void help(u_int long_help) { if(long_help) { printf("\n\nSupported protocols:\n"); num_threads = 1; - setupDetection(0, NULL); - ndpi_dump_protocols(ndpi_thread_info[0].workflow->ndpi_struct); + ndpi_dump_protocols(ndpi_info_mod); } exit(!long_help); } @@ -365,34 +365,30 @@ int cmpFlows(const void *_a, const void *_b) { void extcap_config() { int i, argidx = 0; - struct ndpi_detection_module_struct *ndpi_mod; struct ndpi_proto_sorter *protos; /* -i */ - printf("arg {number=%d}{call=-i}{display=Capture Interface or Pcap File Path}{type=string}" + printf("arg {number=%d}{call=-i}{display=Capture Interface}{type=string}" "{tooltip=The interface name}\n", argidx++); printf("arg {number=%d}{call=-i}{display=Pcap File to Analyze}{type=fileselect}" "{tooltip=The pcap file to analyze (if the interface is unspecified)}\n", argidx++); - setupDetection(0, NULL); - ndpi_mod = ndpi_thread_info[0].workflow->ndpi_struct; - - protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter)*ndpi_mod->ndpi_num_supported_protocols); + protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter) * ndpi_info_mod->ndpi_num_supported_protocols); if(!protos) exit(0); - for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) { + for(i=0; i<(int) ndpi_info_mod->ndpi_num_supported_protocols; i++) { protos[i].id = i; - snprintf(protos[i].name, sizeof(protos[i].name), "%s", ndpi_mod->proto_defaults[i].protoName); + snprintf(protos[i].name, sizeof(protos[i].name), "%s", ndpi_info_mod->proto_defaults[i].protoName); } - qsort(protos, ndpi_mod->ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto); + qsort(protos, ndpi_info_mod->ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto); printf("arg {number=%d}{call=-9}{display=nDPI Protocol Filter}{type=selector}" "{tooltip=nDPI Protocol to be filtered}\n", argidx); printf("value {arg=%d}{value=%d}{display=%s}\n", argidx, -1, "All Protocols (no nDPI filtering)"); - for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) + for(i=0; i<(int)ndpi_info_mod->ndpi_num_supported_protocols; i++) printf("value {arg=%d}{value=%d}{display=%s (%d)}\n", argidx, protos[i].id, protos[i].name, protos[i].id); @@ -578,7 +574,8 @@ static void parseOptions(int argc, char **argv) { break; case '9': - extcap_packet_filter = atoi(optarg); + extcap_packet_filter = ndpi_get_proto_by_name(ndpi_info_mod, optarg); + if (extcap_packet_filter == NDPI_PROTOCOL_UNKNOWN) extcap_packet_filter = atoi(optarg); break; default: @@ -3123,6 +3120,9 @@ int main(int argc, char **argv) { automataUnitTest(); + ndpi_info_mod = ndpi_init_detection_module(); + if (ndpi_info_mod == NULL) return -1; + memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info)); parseOptions(argc, argv); @@ -3153,6 +3153,7 @@ int main(int argc, char **argv) { if(results_path) free(results_path); if(results_file) fclose(results_file); if(extcap_dumper) pcap_dump_close(extcap_dumper); + if(ndpi_info_mod) ndpi_exit_detection_module(ndpi_info_mod); return 0; } -- cgit v1.2.3 From a0980228efa9cb4c2546dbbaaa9475db04f59cce Mon Sep 17 00:00:00 2001 From: Vitaly Lavrov Date: Tue, 31 Oct 2017 22:04:14 +0300 Subject: Bug fix. Protocol SIP: command 'CANCEL sip:' is not recognized. Add sip.pcap for tests ( Source: https://wiki.wireshark.org/SIP ). --- src/lib/protocols/sip.c | 2 +- tests/pcap/sip.pcap | Bin 0 -> 50975 bytes tests/result/sip.pcap.out | 8 ++++++++ 3 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 tests/pcap/sip.pcap create mode 100644 tests/result/sip.pcap.out diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index 94386d61e..67459f562 100644 --- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c @@ -121,7 +121,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct } if ((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0) - && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { + && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip CANCEL.\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; diff --git a/tests/pcap/sip.pcap b/tests/pcap/sip.pcap new file mode 100644 index 000000000..8cd7f4761 Binary files /dev/null and b/tests/pcap/sip.pcap differ diff --git a/tests/result/sip.pcap.out b/tests/result/sip.pcap.out new file mode 100644 index 000000000..8f1dfb3d2 --- /dev/null +++ b/tests/result/sip.pcap.out @@ -0,0 +1,8 @@ +RTP 9 1926 1 +SIP 102 47087 2 +RTCP 1 146 1 + + 1 UDP 192.168.1.2:5060 <-> 212.242.33.35:5060 [proto: 100/SIP][53 pkts/21940 bytes <-> 31 pkts/15635 bytes] + 2 UDP 192.168.1.2:5060 <-> 200.68.120.81:5060 [proto: 100/SIP][15 pkts/7568 bytes <-> 3 pkts/1944 bytes] + 3 UDP 192.168.1.2:30000 -> 212.242.33.36:40392 [proto: 87/RTP][9 pkts/1926 bytes -> 0 pkts/0 bytes] + 4 UDP 192.168.1.2:30001 -> 212.242.33.36:40393 [proto: 165/RTCP][1 pkts/146 bytes -> 0 pkts/0 bytes] -- cgit v1.2.3 From a488c9b7dc6d1e08ef09f681349923853ff142ae Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Fri, 3 Nov 2017 09:32:43 +0100 Subject: Fixes #485 --- src/lib/ndpi_content_match.c.inc | 2 +- src/lib/protocols/ssl.c | 2 +- src/lib/protocols/tor.c | 28 ++++++++++++++++++---------- 3 files changed, 20 insertions(+), 12 deletions(-) diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 4a9ec63cf..1ee97381e 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc @@ -8434,7 +8434,7 @@ static const char *ndpi_en_bigrams[] = { "lz", "nz", "oz", "pz", "rz", "tz", "uz", "zz", NULL }; static const char *ndpi_en_impossible_bigrams[] = { - "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", "ee", + "bk", "bq", "bx", "cb", "cf", "cg", "cj", "cp", "cv", "cw", "cx", "dx", "fk", "fq", "fv", "fx", /* "ee", removed it can be found in 'meeting' */ "fz", "gq", "gv", "gx", "hh", "hk", "hv", "hx", "hz", "iy", "jb", "jc", "jd", "jf", "jg", "jh", "jk", "jl", "jm", "jn", "jp", "jq", "jr", /* "js", */ "jt", "jv", "jw", "jx", "jy", "jz", "kg", "kq", "kv", "kx", "kz", "lq", "lx", "mg", "mj", "mq", "mx", "mz", "pq", "pv", "px", "qb", "qc", "qd", "qe", "qf", "ii", diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 5afca5389..231bde1eb 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -641,7 +641,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } else if((packet->payload_packet_len == 4) && (packet->payload[0] == 'W') - && (packet->payload[1] == 'A')){ + && (packet->payload[1] == 'A')) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN); return; } else { diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index f6987ef19..95233e471 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -16,14 +16,23 @@ static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow, char *certificate) { - + struct ndpi_flow_struct *flow, char *certificate) { int prev_num = 0, numbers_found = 0, num_found = 0, i, len; char dummy[48], *dot, *name; - if((certificate == NULL) - || (strlen(certificate) < 6) - || (strncmp(certificate, "www.", 4))) + if(certificate == NULL) + return(0); + else + len = strlen(certificate); + + /* Check if it ends in .com or .net */ + if(strcmp(&certificate[len-4], ".com") && strcmp(&certificate[len-4], ".net")) + return(0); + + if((len < 6) + || (!strncmp(certificate, "*.", 2)) /* Wildcard certificate */ + || (strncmp(certificate, "www.", 4)) /* Not starting with www.... */ + ) return(0); // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate); @@ -55,13 +64,12 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, } else prev_num = 0; - if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { - ndpi_int_tor_add_connection(ndpi_struct, flow); - return(1); - } - + if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->bigrams_automa, &name[i])) { num_found++; + } else if(ndpi_match_bigram(ndpi_struct, &ndpi_struct->impossible_bigrams_automa, &name[i])) { + ndpi_int_tor_add_connection(ndpi_struct, flow); + return(1); } } -- cgit v1.2.3 From c9f32ee76dbc5e323d321b088562df980d2f525f Mon Sep 17 00:00:00 2001 From: Luca Date: Fri, 3 Nov 2017 17:15:04 +0100 Subject: Fixed begin/end type when capturing live traffic --- example/ndpiReader.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 710839261..40153e168 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -2301,11 +2301,8 @@ static void pcap_process_packet(u_char *args, return; } - /* Check if capture is live or not */ - if(!live_capture) { - if(!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; - pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec; - } + if(!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; + pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec; /* Idle flows cleanup */ if(live_capture) { -- cgit v1.2.3