From 72efa329db996a45f394457238b218252bae3e00 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 31 May 2016 12:20:25 +0200 Subject: Enhanced fragments support in ndpiReader Improved RX protocol dissection and removed port guess as it caused false positives. --- example/ndpiReader.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'example/ndpiReader.c') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index f558d7b0d..1939d70cd 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -769,7 +769,9 @@ static void printResults(u_int64_t tot_usec) { memset(&cumulative_stats, 0, sizeof(cumulative_stats)); for(thread_id = 0; thread_id < num_threads; thread_id++) { - if(ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0) continue; + if((ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0) + && (ndpi_thread_info[thread_id].workflow->stats.raw_packet_count == 0)) + continue; for(i=0; indpi_flows_root[i], node_proto_guess_walker, &thread_id); -- cgit v1.2.3 From 0b7a392b302a606b60ad4d46dfcdc9930af338fa Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 7 Jun 2016 17:14:16 +0200 Subject: Restored code harvested in https://github.com/ntop/nDPI/commit/60e7e19dab72a37d57bc7854e702264e7d25886d#diff-0856ce19e6ed4e80946656d41f7edd65L135 DNS reply dissection can now be controlled by a preference as demonstrated in ndpiReader.c --- example/ndpiReader.c | 10 ++- src/include/ndpi_typedefs.h | 8 +- src/lib/protocols/dns.c | 186 +++++++++++++++++++++++++++++++------------- 3 files changed, 145 insertions(+), 59 deletions(-) (limited to 'example/ndpiReader.c') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 1939d70cd..e51407592 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
@@ -620,8 +620,8 @@ static void debug_printf(u_int32_t protocol, void *id_struct, static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { NDPI_PROTOCOL_BITMASK all; - struct ndpi_workflow_prefs prefs; + memset(&prefs, 0, sizeof(prefs)); prefs.decode_tunnels = decode_tunnels; prefs.num_roots = NUM_ROOTS; @@ -630,9 +630,13 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { memset(&ndpi_thread_info[thread_id], 0, sizeof(ndpi_thread_info[thread_id])); ndpi_thread_info[thread_id].workflow = ndpi_workflow_init(&prefs, pcap_handle); - /* ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 1; */ - ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id); + /* Preferences */ + ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0; + ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 1; + + ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, + on_protocol_discovered, (void *)(uintptr_t)thread_id); // enable all protocols NDPI_BITMASK_SET_ALL(all); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 62a4f3083..8ec1453fc 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -849,8 +849,8 @@ struct ndpi_detection_module_struct { ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; - u_int8_t http_dont_dissect_response:1; - u_int8_t direction_detect_disable:1; /* disable internal detection of packet direction */ + u_int8_t http_dont_dissect_response:1, dns_dissect_response:1, + direction_detect_disable:1; /* disable internal detection of packet direction */ }; struct ndpi_flow_struct { 
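Review bot: The new preference lines dereference `ndpi_thread_info[thread_id].workflow->ndpi_struct` straight after ndpi_workflow_init() without looking at the returned pointer; whether ndpi_workflow_init() can return NULL is not visible here, but if it fails on allocation this becomes a crash instead of a diagnostic, so a one-line guard such as `if(ndpi_thread_info[thread_id].workflow == NULL) { fprintf(stderr, "ndpi_workflow_init failed\n"); exit(-1); }` before them is cheap. Poking library-internal fields of ndpi_struct from the example program also bypasses whatever API the library offers for these knobs; if a setter exists it should be preferred, otherwise a short comment that these two lines are the dissection preferences being demonstrated would help readers. setupDetection continues past the end of this hunk.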
@@ -911,8 +911,8 @@ struct ndpi_flow_struct { /* the only fields useful for nDPI and ntopng */ struct { - u_int8_t num_answers, ret_code; - u_int16_t query_type; + u_int8_t num_queries, num_answers, reply_code; + u_int16_t query_type, query_class, rsp_type; } dns; struct { diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 98df46481..4c7f315c3 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -3,8 +3,6 @@ * * Copyright (C) 2012-16 - ntop.org * - * Michele Campus - - * * This file is part of nDPI, an open source deep packet inspection * library based on the OpenDPI and PACE technology by ipoque GmbH * 
@@ -29,37 +27,60 @@ #define FLAGS_MASK 0x8000 -void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ +/* #define DNS_DEBUG 1 */ + +/* *********************************************** */ +static u_int16_t get16(int *i, const u_int8_t *payload) { + u_int16_t v = *(u_int16_t*)&payload[*i]; + + (*i) += 2; + + return(ntohs(v)); +} + +/* *********************************************** */ + +static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) { + if(payload[i] == 0x00) + return(1); + else if(payload[i] == 0xC0) + return(2); + else { + u_int8_t len = payload[i]; + u_int8_t off = len + 1; + + if(off == 0) /* Bad packet */ + return(0); + else + return(off + getNameLength(i+off, payload, payloadLen)); + } +} + +/* *********************************************** */ + +void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { int x; - u_int8_t is_query, ret_code; - u_int16_t s_port = 0; - u_int16_t d_port = 0; + u_int8_t is_query; + u_int16_t s_port = 0, d_port = 0; NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "search DNS.\n"); - if(flow->packet.udp != NULL) - { + if(flow->packet.udp != NULL) { s_port = ntohs(flow->packet.udp->source); d_port = ntohs(flow->packet.udp->dest); x = 0; - } - else if(flow->packet.tcp != NULL) /* pkt size > 512 bytes */ - { + } else if(flow->packet.tcp != NULL) /* pkt size > 512 bytes */ { s_port = ntohs(flow->packet.tcp->source); d_port = ntohs(flow->packet.tcp->dest); x = 2; - } - else - { + } else { NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); } if((s_port == 53 || d_port == 53 || d_port == 5355) - && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header))) - { + && (flow->packet.payload_packet_len > sizeof(struct ndpi_dns_packet_header))) { struct ndpi_dns_packet_header dns_header; int 
invalid = 0; @@ -70,6 +91,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd dns_header.num_answers = ntohs(dns_header.num_answers); dns_header.authority_rrs = ntohs(dns_header.authority_rrs); dns_header.additional_rrs = ntohs(dns_header.additional_rrs); + x += sizeof(struct ndpi_dns_packet_header); /* 0x0000 QUERY */ if((dns_header.flags & FLAGS_MASK) == 0x0000) 
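Review bot: getNameLength() takes payloadLen but never compares it with i, so a name that runs to the end of the packet without a terminating 0x00 reads past the payload and recurses once per label; the function should start with `if(i >= payloadLen) return(0);` and refuse to recurse when `i + off >= payloadLen`. The compression-pointer test `payload[i] == 0xC0` only matches a pointer whose first octet is exactly 0xC0, whereas a pointer is any octet with the top two bits set, so `(payload[i] & 0xC0) == 0xC0` is the right check, and a plain label length is bounded at 63. get16() dereferences `&payload[*i]` as a u_int16_t, which is an unaligned access on platforms that trap on it and has no bound check of its own, so `memcpy` into a local (assuming string.h is reachable through the file's existing includes) and a documented "two bytes must remain" precondition are warranted. ndpi_search_dns continues past the end of this hunk.
```c
static u_int16_t get16(int *i, const u_int8_t *payload) {
  u_int16_t v;

  /* Unaligned-safe read; the caller must ensure two bytes remain at *i */
  memcpy(&v, &payload[*i], sizeof(v));
  (*i) += 2;

  return(ntohs(v));
}

/* *********************************************** */

static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
  if(i >= payloadLen)
    return(0); /* Truncated name */
  else if(payload[i] == 0x00)
    return(1);
  else if((payload[i] & 0xC0) == 0xC0)
    return(2); /* Compression pointer: top two bits set */
  else {
    u_int8_t len = payload[i];
    u_int off = len + 1;

    if((len > 63) || (i + off >= payloadLen)) /* Bad or truncated label */
      return(0);
    else
      return(off + getNameLength(i + off, payload, payloadLen));
  }
}
```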
@@ -87,33 +109,85 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd && (((dns_header.flags & 0x2800) == 0x2800 /* Dynamic DNS Update */) || ((dns_header.num_answers == 0) && (dns_header.authority_rrs == 0)))) { /* This is a good query */ + + if(dns_header.num_queries > 0) { + while(x < flow->packet.payload_packet_len) { + if(flow->packet.payload[x] == '\0') { + x++; + flow->protos.dns.query_type = get16(&x, flow->packet.payload); +#ifdef DNS_DEBUG + printf("[%s:%d] query_type=%2d\n", __FILE__, __LINE__, flow->protos.dns.query_type); +#endif + break; + } else + x++; + } + } } else invalid = 1; + + if(ndpi_struct->dns_dissect_response) + return; /* The response will set the verdict */ } else { /* DNS Reply */ + + flow->protos.dns.reply_code = dns_header.flags & 0x0F; + if((dns_header.num_queries > 0) && (dns_header.num_queries <= NDPI_MAX_DNS_REQUESTS) /* Don't assume that num_queries must be zero */ && (((dns_header.num_answers > 0) && (dns_header.num_answers <= NDPI_MAX_DNS_REQUESTS)) || ((dns_header.authority_rrs > 0) && (dns_header.authority_rrs <= NDPI_MAX_DNS_REQUESTS)) || ((dns_header.additional_rrs > 0) && (dns_header.additional_rrs <= NDPI_MAX_DNS_REQUESTS))) ) { /* This is a good reply */ - } else - invalid = 1; + if(ndpi_struct->dns_dissect_response) { + x++; + + if(flow->packet.payload[x] != '\0') { + while((x < flow->packet.payload_packet_len) + && (flow->packet.payload[x] != '\0')) { + x++; + } + + x++; + } + + x += 4; + + if(dns_header.num_answers > 0) { + u_int16_t rsp_type; + u_int16_t num; + + for(num = 0; num < dns_header.num_answers; num++) { + u_int16_t data_len; + + if((x+6) >= flow->packet.payload_packet_len) { + break; + } + + if((data_len = getNameLength(x, flow->packet.payload, flow->packet.payload_packet_len)) == 0) { + break; + } else + x += data_len; + + rsp_type = get16(&x, flow->packet.payload); + flow->protos.dns.rsp_type = rsp_type; + break; + } + } + } + } } - } - if(invalid) { - 
NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); - return; - } + if(invalid) { + NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + return; + } - /* extract host name server */ - ret_code = (is_query == 0) ? 0 : (dns_header.flags & 0x0F); - int j = 0; - int off = sizeof(struct ndpi_dns_packet_header) + 1; - while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len) - { + /* extract host name server */ + int j = 0, off = sizeof(struct ndpi_dns_packet_header) + 1; + + while(flow->packet.payload[off] != '\0' && off < flow->packet.payload_packet_len) { flow->host_server_name[j] = flow->packet.payload[off]; if(j < strlen((char*)flow->host_server_name)) { if(flow->host_server_name[j] < ' ') 
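Review bot: get16() is called right after the terminating 0x00 is found in the query path without checking that two bytes remain, so a packet whose QNAME terminator is the last or second-to-last payload byte reads past the end; add `if(x + 2 > flow->packet.payload_packet_len) break;` before that get16() call, and the same guard after `x += data_len` in the reply path, where the `(x+6) >= payload_packet_len` test happens before the name is skipped rather than after. The reindented host-name loop tests `flow->packet.payload[off] != '\0'` before `off < flow->packet.payload_packet_len`; swapping the operands makes the bound check precede the read, and j is never compared with sizeof(flow->host_server_name), which is worth checking against the struct definition since that size is not visible here. The `for(num ...)` loop over answers ends in an unconditional `break`, so only the first RR is ever examined — either drop the loop or add a comment saying why only the first is wanted. The enclosing ndpi_search_dns starts and ends outside this hunk.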
@@ -121,31 +195,39 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd j++; } off++; - } - flow->host_server_name[j] = '\0'; + } + flow->host_server_name[j] = '\0'; + + flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, + flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); - flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); - flow->protos.dns.ret_code = ret_code; +#ifdef DNS_DEBUG + printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", + __FILE__, __LINE__, + flow->protos.dns.num_queries, flow->protos.dns.num_answers, + flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name + ); +#endif - if(j > 0) - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - NDPI_PROTOCOL_DNS); + if(j > 0) + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_DNS); - if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) - { - /** - Do not set the protocol with DNS if ndpi_match_host_subprotocol() has - matched a subprotocol - **/ - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? 
NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); - } else { - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + /** + Do not set the protocol with DNS if ndpi_match_host_subprotocol() has + matched a subprotocol + **/ + NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); + } else { + NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + } } - } + } } void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) -- cgit v1.2.3 From adbba699887af89e89e14d55ea614677750b02f4 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 19 Jun 2016 21:25:58 +0200 Subject: Removed false positives from CoAP protocol Improved DNS detection Added misisng default DropBox port Fix for #154 Added sample pcap of Tor traffic for regression testing --- example/ndpiReader.c | 2 +- src/lib/ndpi_main.c | 5 +++++ src/lib/protocols/coap.c | 38 +++++++++++++++++++++++++++----------- src/lib/protocols/dns.c | 18 ++++++++++-------- src/lib/protocols/dropbox.c | 1 - src/lib/protocols/tor.c | 7 ++++--- tests/pcap/tor.pcap | Bin 0 -> 3155084 bytes tests/result/tor.pcap.out | 17 +++++++++++++++++ 8 files changed, 64 insertions(+), 24 deletions(-) create mode 100644 tests/pcap/tor.pcap create mode 100644 tests/result/tor.pcap.out (limited to 'example/ndpiReader.c') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index e51407592..deb61b681 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
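Review bot: `flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries,` ends with a comma operator rather than a semicolon, folding the two assignments into one expression statement; it compiles, but it reads as a typo and hides the second assignment from a quick scan, so end the line with `;`. Both casts truncate 16-bit wire counts into the u_int8_t fields declared in ndpi_typedefs.h, and num_answers is the sum of three such counts; whether the NDPI_MAX_DNS_REQUESTS checks above keep that sum below 256 depends on the constant, which is not shown here, so either a saturating assignment or a comment stating the bound would make the truncation deliberate. ndpi_search_dns starts outside this hunk.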
@@ -633,7 +633,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { /* Preferences */ ndpi_thread_info[thread_id].workflow->ndpi_struct->http_dont_dissect_response = 0; - ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 1; + ndpi_thread_info[thread_id].workflow->ndpi_struct->dns_dissect_response = 0; ndpi_workflow_set_flow_detected_callback(ndpi_thread_info[thread_id].workflow, on_protocol_discovered, (void *)(uintptr_t)thread_id); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fa32146a9..cbac5cf8b 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1365,6 +1365,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "QUIC", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DROPBOX, + no_master, + no_master, "Dropbox", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ, no_master, no_master, "EAQ", diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c index cddf31b7e..5f8e97863 100644 --- a/src/lib/protocols/coap.c +++ b/src/lib/protocols/coap.c @@ -72,7 +72,7 @@ struct ndpi_coap_hdr [164] = "5.04 Gateway Timeout", [165] = "5.05 Proxying Not Supported" **/ - + /** * Entry point when protocol is identified. 
@@ -83,6 +83,20 @@ static void ndpi_int_coap_add_connection (struct ndpi_detection_module_struct *n ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_COAP,NDPI_PROTOCOL_UNKNOWN); } +/** + * Check if the default port is acceptable + * + * UDP Port 5683 (mandatory) + * UDP Ports 61616-61631 compressed 6lowPAN + */ +static int isCoAPport(u_int16_t port) { + if((port == 5683) + || ((port >= 61616) && (port <= 61631))) + return(1); + else + return(0); +} + /** * Dissector function that searches CoAP headers */ @@ -91,22 +105,24 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &flow->packet; struct ndpi_coap_hdr * h = (struct ndpi_coap_hdr*) packet->payload; - + if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } // search for udp packet if(packet->udp != NULL) { - - // header too short - if(packet->payload_packet_len < 4) { - + u_int16_t s_port = ntohs(flow->packet.udp->source); + u_int16_t d_port = ntohs(flow->packet.udp->dest); + + if((!isCoAPport(s_port) && !isCoAPport(s_port)) + || (packet->payload_packet_len < 4) // header too short + ) { NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "excluding Coap\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); return; } - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "calculating coap over udp.\n"); // check values in header 
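Review bot: `if((!isCoAPport(s_port) && !isCoAPport(s_port))` tests the source port twice and never consults d_port, so a client talking from an ephemeral port to 5683 — the usual direction — is excluded as non-CoAP and the filter only admits traffic whose source is a CoAP port; it should read `if((!isCoAPport(s_port) && !isCoAPport(d_port))`. d_port is otherwise unused in the hunk, so building with -Wunused-variable would have flagged the typo. Minor: the new lines read ports through `flow->packet.udp` while the function already has `packet` as an alias for `&flow->packet`; `packet->udp->source` keeps it consistent. ndpi_search_coap continues past the end of this hunk.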
@@ -116,21 +132,21 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, if((h->code >= 0 && h->code <= 5) || (h->code >= 65 && h->code <= 69) || (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || (h->code >= 160 && h->code <= 165)) { - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Coap found...\n"); ndpi_int_coap_add_connection(ndpi_struct,flow); return; } } } - } + } } - + NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Coap ...\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); return; - } + /** * Entry point for the ndpi library */ diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index f95ebbc36..7ee114579 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -126,8 +126,6 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } else invalid = 1; - if(ndpi_struct->dns_dissect_response) - return; /* The response will set the verdict */ } else { /* DNS Reply */ @@ -198,11 +196,18 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd off++; } + flow->host_server_name[j] = '\0'; flow->protos.dns.num_queries = (u_int8_t)dns_header.num_queries, flow->protos.dns.num_answers = (u_int8_t) (dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs); + if(j > 0) + ndpi_match_host_subprotocol(ndpi_struct, flow, + (char *)flow->host_server_name, + strlen((const char*)flow->host_server_name), + NDPI_PROTOCOL_DNS); + #ifdef DNS_DEBUG printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", __FILE__, __LINE__, 
@@ -210,14 +215,11 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name ); #endif - - if(j > 0) - ndpi_match_host_subprotocol(ndpi_struct, flow, - (char *)flow->host_server_name, - strlen((const char*)flow->host_server_name), - NDPI_PROTOCOL_DNS); if(flow->packet.detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { + if(is_query && ndpi_struct->dns_dissect_response) + return; /* The response will set the verdict */ + /** Do not set the protocol with DNS if ndpi_match_host_subprotocol() has matched a subprotocol diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index f51de95d2..3e53b4224 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -44,7 +44,6 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t payload_len = packet->payload_packet_len; if(packet->udp != NULL) { - u_int16_t dropbox_port = htons(DB_LSP_PORT); if((packet->udp->source == dropbox_port) diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index 7903bf511..cb926d5f0 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -24,7 +24,7 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, if((certificate == NULL) || (strlen(certificate) < 6) - || !(strncmp(certificate, "www.", 4))) + || (strncmp(certificate, "www.", 4))) return(0); // printf("***** [SSL] %s(): %s\n", __FUNCTION__, certificate); @@ -39,10 +39,11 @@ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, len = strlen(name); - if(len > 6) { + if(len >= 5) { for(i = 0; name[i+1] != '\0'; i++) { + // printf("***** [SSL] %s(): [%d][%c]", __FUNCTION__, i, name[i]); + if((name[i] >= '0') && (name[i] <= '9')) { - if(prev_num != 1) { numbers_found++; 
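Review bot: The early return for queries now sits after the subprotocol match, so with dns_dissect_response set a flow stays unclassified until a reply arrives; a query whose reply never shows up (one-way capture, blocked resolver) is never tagged as DNS. That is presumably the intended trade-off of the preference, but it deserves a comment at the return, e.g. `/* With dns_dissect_response the verdict is deferred to the reply; a query that never gets one stays unclassified */`. is_query is assigned outside this hunk, and ndpi_search_dns starts and ends outside it.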
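Review bot: Removing `if(prev_num != 1) {` drops an opening brace whose matching `}` lies past the end of this hunk; the regression output added in the same commit suggests the build is fine, but the hunk alone does not show the closing brace going away, so it is worth confirming the block still balances. The added `// printf(...)` line is commented-out debug code; either delete it or guard it behind a debug macro the way dns.c does with DNS_DEBUG. ndpi_is_ssl_tor continues past the end of this hunk.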
diff --git a/tests/pcap/tor.pcap b/tests/pcap/tor.pcap new file mode 100644 index 000000000..bf5b43649 Binary files /dev/null and b/tests/pcap/tor.pcap differ diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out new file mode 100644 index 000000000..b6008355d --- /dev/null +++ b/tests/result/tor.pcap.out @@ -0,0 +1,17 @@ +NetBIOS 1 252 1 +DHCPV6 6 906 1 +DropBox 10 1860 1 +Skype 1 60 1 +Tor 3676 3014362 7 + + 1 UDP 192.168.1.1:17500 <-> 192.168.1.255:17500 [proto: 121/DropBox][10 pkts/1860 bytes] + 2 UDP [fe80::c583:1972:5728:7323]:547 <-> [ff02::1:2]:546 [proto: 103/DHCPV6][6 pkts/906 bytes] + 3 TCP 212.83.155.250:443 <-> 192.168.1.252:51174 [proto: 163/Tor][32 pkts/10431 bytes][SSL client: www.t3i3ru.com] + 4 TCP 46.59.52.31:443 <-> 192.168.1.252:51111 [proto: 163/Tor][34 pkts/11142 bytes][SSL client: www.e6r5p57kbafwrxj3plz.com] + 5 TCP 91.143.93.242:443 <-> 192.168.1.252:51175 [proto: 163/Tor][38 pkts/12520 bytes][SSL client: www.gfu7hbxpfp.com] + 6 TCP 157.56.30.46:443 <-> 192.168.1.252:51104 [proto: 91.125/SSL.Skype][1 pkts/60 bytes] + 7 UDP 192.168.1.252:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes] + 8 TCP 38.229.70.53:443 <-> 192.168.1.252:51112 [proto: 163/Tor][1576 pkts/1388792 bytes][SSL client: www.q4cyamnc6mtokjurvdclt.com] + 9 TCP 38.229.70.53:443 <-> 192.168.1.252:51176 [proto: 163/Tor][1826 pkts/1513278 bytes][SSL client: www.jmts2id.com] + 10 TCP 62.210.137.230:443 <-> 192.168.1.252:51185 [proto: 163/Tor][29 pkts/9661 bytes][SSL client: www.6gyip7tqim7sieb.com] + 11 TCP 91.143.93.242:443 <-> 192.168.1.252:51110 [proto: 163/Tor][141 pkts/68538 bytes][SSL client: www.ct7ctrgb6cr7.com] -- cgit v1.2.3