From b603cb453069708a5e9e9f54312f25d889fd7232 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sat, 26 Oct 2019 10:54:32 +0200 Subject: nDPI TLS improvements using the server certificate --- src/lib/protocols/stun.c | 1 - src/lib/protocols/tls.c | 31 ++++++++++++++++++++++++++----- 2 files changed, 26 insertions(+), 6 deletions(-) (limited to 'src/lib/protocols') diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 448062f47..fbb0578f8 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -38,7 +38,6 @@ struct stun_packet_header { u_int8_t transaction_id[8]; }; - /* ************************************************************ */ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 261f2ab28..c65d4fc69 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -67,7 +67,7 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st struct ndpi_flow_struct *flow, u_int32_t protocol) { struct ndpi_packet_struct *packet = &flow->packet; - protocol = NDPI_PROTOCOL_TLS; + // protocol = NDPI_PROTOCOL_TLS; if(packet->tcp != NULL) { switch(protocol) { @@ -424,9 +424,25 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, if(num_dots >= 1) { if(!ndpi_struct->disable_metadata_export) { + ndpi_protocol_match_result ret_match; + u_int16_t subproto; + stripCertificateTrailer(buffer, buffer_len); snprintf(flow->protos.stun_ssl.ssl.server_certificate, sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer); + +#ifdef DEBUG_TLS + printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate); +#endif + + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, + flow->protos.stun_ssl.ssl.server_certificate, + strlen(flow->protos.stun_ssl.ssl.server_certificate), + &ret_match, + NDPI_PROTOCOL_TLS); + + if(subproto != NDPI_PROTOCOL_UNKNOWN) + ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS); } return(1 /* Server Certificate */); @@ -1111,11 +1127,16 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); #endif ndpi_protocol_match_result ret_match; - u_int16_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, - strlen(certificate), - &ret_match, - NDPI_PROTOCOL_TLS); + u_int16_t subproto; + if(certificate[0] == '\0') + subproto = NDPI_PROTOCOL_UNKNOWN; + else + subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, + strlen(certificate), + &ret_match, + NDPI_PROTOCOL_TLS); + if(subproto != NDPI_PROTOCOL_UNKNOWN) { /* If we've detected the subprotocol from client certificate but haven't had a chance * to see the server certificate yet, set up extra packet processing to wait -- cgit v1.2.3 From 64804a2a24b0a7bfdca3b3262d184048990ad0d6 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 27 Oct 2019 12:23:57 +0100 Subject: Fixed some false positivies with skype and stun-based protocols --- src/lib/protocols/skype.c | 10 ++++++++-- src/lib/protocols/stun.c | 48 ++++++++++++++++++++++++++--------------------- 2 files changed, 35 insertions(+), 23 deletions(-) (limited to 'src/lib/protocols') diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 8ada5d997..890a20cb9 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -32,11 +32,17 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s // const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; - if(flow->host_server_name[0] != '\0') + /* No need to do ntohl() with 0xFFFFFFFF */ + if(packet->iph && (packet->iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; + } + if(flow->host_server_name[0] != '\0') + return; + // UDP check - if(packet->udp != NULL) { + if(packet->udp != NULL) { flow->l4.udp.skype_packet_id++; if(flow->l4.udp.skype_packet_id < 5) { diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index fbb0578f8..e95965f6b 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -146,9 +146,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * int rc; /* STUN over TCP does not look good */ - if (flow->packet.tcp) + if(flow->packet.tcp) return(NDPI_IS_NOT_STUN); + /* No need to do ntohl() with 0xFFFFFFFF */ + if(flow->packet.iph && (flow->packet.iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */)) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return(NDPI_IS_NOT_STUN);; + } + if(payload_length >= 512) { return(NDPI_IS_NOT_STUN); } else if(payload_length < sizeof(struct stun_packet_header)) { @@ -173,7 +179,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * return(NDPI_IS_NOT_STUN); /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */ - if ((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) { + if((msg_type & 0x3EEF) > 0x000B && msg_type != 0x0800) { #ifdef DEBUG_STUN printf("[STUN] msg_type = %04X\n", msg_type); #endif @@ -183,7 +189,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * as this was a flow that started as STUN and turned into something else. Let's investigate what is that about */ - if (payload[0] == 0x16) { + if(payload[0] == 0x16) { /* Let's check if this is DTLS used by some socials */ struct ndpi_packet_struct *packet = &flow->packet; u_int16_t total_len, version = htons(*((u_int16_t*) &packet->payload[1])); @@ -193,7 +199,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * case 0xFEFD: /* DTLS 1.2 */ total_len = ntohs(*((u_int16_t*) &packet->payload[11])) + 13; - if (payload_length == total_len) { + if(payload_length == total_len) { /* This is DTLS and the only protocol we know behaves like this is signal */ flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL; return(NDPI_IS_STUN); @@ -211,7 +217,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("[STUN] Here we go\n");; #endif - if (ndpi_struct->stun_cache) { + if(ndpi_struct->stun_cache) { u_int16_t proto; u_int32_t key = get_stun_lru_key(flow, 0); int rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, @@ -221,7 +227,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("[LRU] Searching %u\n", key); #endif - if (!rc) { + if(!rc) { key = get_stun_lru_key(flow, 1); rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 0 /* Don't remove it as it can be used for other connections */); @@ -231,7 +237,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #endif } - if (rc) { + if(rc) { #ifdef DEBUG_LRU printf("[LRU] Cache FOUND %u / %u\n", key, proto); #endif @@ -252,18 +258,18 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if(msg_type == 0x01 /* Binding Request */) { flow->protos.stun_ssl.stun.num_binding_requests++; - if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE) + if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE) flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; else flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - if (!msg_len) { + if(!msg_len) { /* flow->protos.stun_ssl.stun.num_udp_pkts++; */ return(NDPI_IS_NOT_STUN); /* This to keep analyzing STUN instead of giving up */ } } - if (!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { + if(!msg_len && flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return(NDPI_IS_NOT_STUN); } @@ -279,7 +285,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * return(NDPI_IS_STUN); /* This is WhatsApp Call */ } - if (payload[0] != 0x80 && (msg_len + 20) > payload_length) + if(payload[0] != 0x80 && (msg_len + 20) > payload_length) return(NDPI_IS_NOT_STUN); else { switch(flow->guessed_protocol_id) { @@ -295,8 +301,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } } - if (payload_length == (msg_len+20)) { - if ((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { + if(payload_length == (msg_len+20)) { + if((msg_type & 0x3EEF) <= 0x000B) /* http://www.3cx.com/blog/voip-howto/stun-details/ */ { u_int offset = 20; /* @@ -313,7 +319,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * u_int16_t len = ntohs(*((u_int16_t*)&payload[offset+2])); u_int16_t x = (len + 4) % 4; - if (x) + if(x) len += 4-x; #ifdef DEBUG_STUN @@ -351,10 +357,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("==> [%s]\n", flow->host_server_name); #endif - if (strstr((char*) flow->host_server_name, "google.com") != NULL) { + if(strstr((char*) flow->host_server_name, "google.com") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; return(NDPI_IS_STUN); - } else if (strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) { + } else if(strstr((char*) flow->host_server_name, "whispersystems.org") != NULL) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_SIGNAL; return(NDPI_IS_STUN); } @@ -363,8 +369,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * break; case 0xC057: /* Messeger */ - if (msg_type == 0x0001) { - if ((msg_len == 100) || (msg_len == 104)) { + if(msg_type == 0x0001) { + if((msg_len == 100) || (msg_len == 104)) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER; return(NDPI_IS_STUN); } else if(msg_len == 76) { @@ -415,7 +421,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * break; case 0x8070: /* Implementation Version */ - if (len == 4 && ((offset+7) < payload_length) + if(len == 4 && ((offset+7) < payload_length) && (payload[offset+4] == 0x00) && (payload[offset+5] == 0x00) && (payload[offset+6] == 0x00) && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03))) { #ifdef DEBUG_STUN @@ -449,7 +455,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } } - if ((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { + if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); } else @@ -506,7 +512,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, packet->payload_packet_len) == NDPI_IS_STUN) { udp_stun_match: - if (flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) + if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { -- cgit v1.2.3 From fd38b752c4012c654dc51e8f835b83ee48c380ed Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 27 Oct 2019 19:03:23 +0100 Subject: Added capwap support --- src/include/ndpi_protocols.h | 1 + src/lib/ndpi_main.c | 13 +++-- src/lib/protocols/bittorrent.c | 31 ++++++++--- src/lib/protocols/capwap.c | 123 +++++++++++++++++++++++++++++++++++++++++ src/lib/protocols/skype.c | 1 + tests/pcap/capwap.pcap | Bin 0 -> 109690 bytes tests/result/1kxun.pcap.out | 109 ++++++++++++++++++------------------ tests/result/capwap.pcap.out | 8 +++ 8 files changed, 218 insertions(+), 68 deletions(-) create mode 100644 src/lib/protocols/capwap.c create mode 100644 tests/pcap/capwap.pcap create mode 100644 tests/result/capwap.pcap.out (limited to 'src/lib/protocols') diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index ea0abe173..b42eff4c4 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -210,6 +210,7 @@ void init_memcached_dissector(struct ndpi_detection_module_struct *ndpi_struct, void init_nest_log_sink_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_line_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_wireguard_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_targus_getdata_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 2c05d8f84..25d81c142 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1770,7 +1770,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp 1 /* no subprotocol */, no_master, no_master, "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + // ndpi_build_default_ports(ports_b, 5246, 5247, 0, 0, 0) /* UDP */ + ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */ + ); /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_str); @@ -3242,9 +3244,6 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* TEAMSPEAK */ init_teamspeak_dissector(ndpi_str, &a, detection_bitmask); - /* VIBER */ - init_viber_dissector(ndpi_str, &a, detection_bitmask); - /* TOR */ init_tor_dissector(ndpi_str, &a, detection_bitmask); @@ -3356,8 +3355,14 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MODBUS */ init_modbus_dissector(ndpi_str, &a, detection_bitmask); + /* CAPWAP */ + init_capwap_dissector(ndpi_str, &a, detection_bitmask); + /*** Put false-positive sensitive protocols at the end ***/ + /* VIBER */ + init_viber_dissector(ndpi_str, &a, detection_bitmask); + /* SKYPE */ init_skype_dissector(ndpi_str, &a, detection_bitmask); diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index e33f0c7dc..bea7622a0 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -376,19 +376,32 @@ static void ndpi_int_search_bittorrent_tcp(struct ndpi_detection_module_struct * return; } +static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { + return(((what == a) || (what == b)) ? 1 : 0); +} + void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; char *bt_proto = NULL; /* This is broadcast */ - if(packet->iph - && (((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF)) - || (packet->udp - && ((ntohs(packet->udp->source) == 3544) /* teredo.c */ - || (ntohs(packet->udp->dest) == 3544))))) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; + if(packet->iph) { + + if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF)) + goto exclude_bt; + + + if(packet->udp) { + u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); + + if(is_port(sport, dport, 3544) /* teredo */ + || is_port(sport, dport, 5246) || is_port(sport, dport, 5247)/* CAPWAP */) { + exclude_bt: + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + } } if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_BITTORRENT) { @@ -397,8 +410,8 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st if((packet->tcp != NULL) && (packet->tcp_retransmission == 0 || packet->num_retried_bytes)) { ndpi_int_search_bittorrent_tcp(ndpi_struct, flow); - } - else if(packet->udp != NULL) { + } else if(packet->udp != NULL) { + /* UDP */ char *bt_search = "BT-SEARCH * HTTP/1.1\r\n"; if((ntohs(packet->udp->source) < 1024) diff --git a/src/lib/protocols/capwap.c b/src/lib/protocols/capwap.c new file mode 100644 index 000000000..bfad1a593 --- /dev/null +++ b/src/lib/protocols/capwap.c @@ -0,0 +1,123 @@ +/* + * capwap.c + * + * Copyright (C) 2019 - ntop.org + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + + +#include "ndpi_protocol_ids.h" + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CAPWAP + +#include "ndpi_api.h" + +#define NDPI_CAPWAP_CONTROL_PORT 5246 +#define NDPI_CAPWAP_DATA_PORT 5247 + + +static void ndpi_int_capwap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CAPWAP, NDPI_PROTOCOL_UNKNOWN); +} + +/* ************************************************** */ + +static void ndpi_search_setup_capwap(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + u_int16_t sport, dport; + + if(!packet->iph) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } + + sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); + + if((dport == NDPI_CAPWAP_CONTROL_PORT) + && (packet->iph->daddr == 0xFFFFFFFF) + && (packet->payload_packet_len >= 16) + && (packet->payload[0] == 0x0) + && (packet->payload[8] == 6 /* Mac len */) + ) + goto capwap_found; + + if(((sport == NDPI_CAPWAP_CONTROL_PORT) || (dport == NDPI_CAPWAP_CONTROL_PORT)) + && ((packet->payload[0] == 0x0) || (packet->payload[0] == 0x1)) + ) { + u_int16_t msg_len, offset, to_add; + + if(packet->payload[0] == 0x0) + offset = 13, to_add = 13; + else + offset = 15, to_add = 17; + + msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]); + + if((msg_len+to_add) == packet->payload_packet_len) + goto capwap_found; + } + + if( + (((dport == NDPI_CAPWAP_DATA_PORT) && (packet->iph->daddr != 0xFFFFFFFF)) || (sport == NDPI_CAPWAP_DATA_PORT)) + && (packet->payload_packet_len >= 16) + && (packet->payload[0] == 0x0) + ) { + u_int8_t is_80211_data = (packet->payload[9] & 0x0C) >> 2; + + + if((sport == NDPI_CAPWAP_DATA_PORT) && (is_80211_data == 2 /* IEEE 802.11 Data */)) + goto capwap_found; + else if(dport == NDPI_CAPWAP_DATA_PORT) { + u_int16_t msg_len = ntohs(*(u_int16_t*)&packet->payload[13]); + + if((packet->payload[8] == 1 /* Mac len */) + || (packet->payload[8] == 6 /* Mac len */) + || (packet->payload[8] == 4 /* Wireless len */) + || ((msg_len+15) == packet->payload_packet_len)) + goto capwap_found; + } + } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + + capwap_found: + ndpi_int_capwap_add_connection(ndpi_struct, flow); +} + +void ndpi_search_capwap(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + + if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) + ndpi_search_setup_capwap(ndpi_struct, flow); +} + + +void init_capwap_dissector(struct ndpi_detection_module_struct *ndpi_struct, + u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("CAPWAP", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_CAPWAP, + ndpi_search_capwap, + NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 890a20cb9..e758fd5b8 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -58,6 +58,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s if(((payload_len == 3) && ((packet->payload[2] & 0x0F)== 0x0d)) || ((payload_len >= 16) && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */ + && (packet->payload[0] != 0x0) /* Avoid invalid CAPWAP detection */ && (packet->payload[2] == 0x02))) { if(is_port(sport, dport, 8801)) diff --git a/tests/pcap/capwap.pcap b/tests/pcap/capwap.pcap new file mode 100644 index 000000000..efe90696d Binary files /dev/null and b/tests/pcap/capwap.pcap differ diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 37e76c97d..f6c4c9f86 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out @@ -1,4 +1,4 @@ -Unknown 22 6088 12 +Unknown 24 6428 14 DNS 5 638 2 HTTP 945 530967 19 MDNS 1 82 1 @@ -7,7 +7,6 @@ NetBIOS 31 3589 8 SSDP 143 36951 13 DHCP 24 8208 5 QQ 28 5216 2 -STUN 2 340 2 RTP 2 132 1 TLS 105 21914 7 DHCPV6 10 980 3 @@ -88,55 +87,53 @@ JA3 Host Stats: 66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/182 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] 67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] 68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 69 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 78/STUN][cat: Network/14][1 pkts/177 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )] - 70 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/110 bytes <-> 1 pkts/66 bytes] - 71 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 72 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 73 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)] - 74 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] - 75 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] - 76 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 77 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 78 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 78/STUN][cat: Network/14][1 pkts/163 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.4 )] - 79 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)] - 80 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)] - 81 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] - 82 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] - 83 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] - 84 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] - 85 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] - 86 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: kasper-mac][PLAIN TEXT (Kasper)] - 87 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 88 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 89 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] - 90 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] - 91 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] - 92 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] - 93 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)] - 94 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)] - 95 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 96 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 97 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 98 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] - 99 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] - 100 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] - 101 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] - 102 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 103 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 87/RTP][cat: Media/1][2 pkts/132 bytes -> 0 pkts/0 bytes] - 104 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes] - 105 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes] - 106 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes] - 107 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: gfile][PLAIN TEXT ( EHEGEJEMEFCACACACACACACACACACA)] - 108 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)] - 109 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] - 110 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] - 111 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes] - 112 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)] - 113 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] - 114 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] - 115 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 116 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 117 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)] + 69 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][cat: Web/5][2 pkts/110 bytes <-> 1 pkts/66 bytes] + 70 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 71 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 72 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)] + 73 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] + 74 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] + 75 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] + 76 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] + 77 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)] + 78 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad][PLAIN TEXT (caesar)] + 79 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] + 80 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] + 81 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: ____________] + 82 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] + 83 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] + 84 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: kasper-mac][PLAIN TEXT (Kasper)] + 85 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] + 86 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] + 87 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] + 88 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] + 89 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] + 90 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc][PLAIN TEXT (Joanna)] + 91 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)] + 92 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook][PLAIN TEXT (notebook)] + 93 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 94 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] + 95 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] + 96 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] + 97 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] + 98 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] + 99 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap][PLAIN TEXT (isatap)] + 100 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: ro_x1c] + 101 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 87/RTP][cat: Media/1][2 pkts/132 bytes -> 0 pkts/0 bytes] + 102 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][cat: Web/5][2 pkts/126 bytes -> 0 pkts/0 bytes] + 103 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/TLS][cat: Web/5][1 pkts/60 bytes <-> 1 pkts/60 bytes] + 104 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][cat: Network/14][1 pkts/98 bytes -> 0 pkts/0 bytes] + 105 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: gfile][PLAIN TEXT ( EHEGEJEMEFCACACACACACACACACACA)] + 106 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][cat: System/18][1 pkts/92 bytes -> 0 pkts/0 bytes][Host: sanji-lifebook-][PLAIN TEXT ( FDEBEOEKEJ)] + 107 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] + 108 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] + 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][cat: System/18][1 pkts/90 bytes -> 0 pkts/0 bytes] + 110 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][cat: Network/14][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (googlecast)] + 111 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] + 112 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc][PLAIN TEXT (charming)] + 113 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 114 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-pc] + 115 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][cat: Network/14][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav][PLAIN TEXT (sonusav)] Undetected flows: @@ -148,7 +145,9 @@ Undetected flows: 6 UDP 192.168.140.140:62976 -> 255.255.255.255:62976 [proto: 0/Unknown][1 pkts/359 bytes -> 0 pkts/0 bytes][PLAIN TEXT (Switch)] 7 UDP [fe80::4e5e:cff:feea:365]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )] 8 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )] - 9 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (AABHZW50cmljZV9)] - 10 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (icRVSoU)] - 11 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )] - 12 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (dDYcTc4)] + 9 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/177 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )] + 10 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (AABHZW50cmljZV9)] + 11 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes][PLAIN TEXT (icRVSoU)] + 12 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.4 )] + 13 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes][PLAIN TEXT (6.35.1 )] + 14 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes][PLAIN TEXT (dDYcTc4)] diff --git a/tests/result/capwap.pcap.out b/tests/result/capwap.pcap.out new file mode 100644 index 000000000..4502d93d4 --- /dev/null +++ b/tests/result/capwap.pcap.out @@ -0,0 +1,8 @@ +DNS 2 166 1 +CAPWAP 395 98343 4 + + 1 UDP 192.168.10.9:5246 <-> 192.168.10.10:12380 [proto: 247/CAPWAP][cat: Network/14][106 pkts/26144 bytes <-> 111 pkts/37530 bytes][bytes ratio: -0.179 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1420.8/1619.1 21349/21721 3881.1/4474.6][Pkt Len c2s/s2c min/avg/max/stddev: 106/115 246.6/338.1 1499/1499 292.0/381.5][PLAIN TEXT (Cisco Systems)] + 2 UDP 192.168.10.10:12380 <-> 192.168.10.9:5247 [proto: 247/CAPWAP][cat: Network/14][170 pkts/33465 bytes <-> 3 pkts/437 bytes][bytes ratio: 0.974 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 964.3/0.0 3999/0 858.2/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 93/125 196.9/145.7 470/168 78.3/17.6] + 3 UDP 192.168.10.10:12380 -> 255.255.255.255:5246 [proto: 247/CAPWAP][cat: Network/14][4 pkts/660 bytes -> 0 pkts/0 bytes][PLAIN TEXT (838.61f)] + 4 UDP 192.168.10.10:49259 -> 255.255.255.255:53 [proto: 5/DNS][cat: Network/14][2 pkts/166 bytes -> 0 pkts/0 bytes][Host: cisco-capwap-controller][PLAIN TEXT (CAPWAP)] + 5 UDP 192.168.10.9:5246 -> 192.168.10.10:12379 [proto: 247/CAPWAP][cat: Network/14][1 pkts/107 bytes -> 0 pkts/0 bytes] -- cgit v1.2.3 From 42c8d3ac273ef92ef507a01aff8f3127840cda3b Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Tue, 29 Oct 2019 10:29:12 +0100 Subject: Added ability to defien custom protocols --- configure.seed | 12 +++++++++--- src/include/ndpi_protocol_ids.h | 9 ++++++--- src/lib/Makefile.in | 2 +- src/lib/ndpi_main.c | 10 ++++++++++ src/lib/protocols/kerberos.c | 4 ++-- 5 files changed, 28 insertions(+), 9 deletions(-) (limited to 'src/lib/protocols') diff --git a/configure.seed b/configure.seed index a3cc646f2..15c922f08 100644 --- a/configure.seed +++ b/configure.seed @@ -68,8 +68,14 @@ SYSTEM=`uname -s` if test $SYSTEM = "Darwin"; then CC=clang fi - - + +CUSTOM_NDPI= + +if test -d ../nDPI-custom; then : + CUSTOM_NDPI="-DCUSTOM_NDPI_PROTOCOLS" + AC_MSG_RESULT([Compiling with custom nDPI protocols]) +fi + AC_ARG_WITH(hyperscan, [ --with-hyperscan Enable nDPI build with Intel Hyperscan]) AS_IF([test "${with_hyperscan+set}" = set],[ @@ -155,5 +161,5 @@ AC_SUBST(PCAP_LIB) AC_SUBST(DL_LIB) AC_SUBST(DPDK_TARGET) AC_SUBST(HAVE_PTHREAD_SETAFFINITY_NP) - +AC_SUBST(CUSTOM_NDPI) AC_OUTPUT diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 758609030..c6d486933 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -1,4 +1,3 @@ - /* * ndpi_protocol_ids.h * @@ -283,8 +282,12 @@ typedef enum { NDPI_PROTOCOL_BLOOMBERG = 246, NDPI_PROTOCOL_CAPWAP = 247, NDPI_PROTOCOL_ZABBIX = 248, - -/* + +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h" +#endif + + /* IMPORTANT before allocating a new identifier please fill up one of those named NDPI_PROTOCOL_FREE_XXX and not used diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 1a884ac9d..0c3f44838 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -14,7 +14,7 @@ prefix = @prefix@ libdir = ${prefix}/lib includedir = ${prefix}/include/ndpi CC = @CC@ -CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -O2 -g -Wall +CFLAGS += -fPIC -DPIC -I../include -Ithird_party/include -DNDPI_LIB_COMPILATION -O2 -g -Wall @CUSTOM_NDPI@ RANLIB = ranlib OBJECTS = $(patsubst protocols/%.c, protocols/%.o, $(wildcard protocols/*.c)) $(patsubst third_party/src/%.c, third_party/src/%.o, $(wildcard third_party/src/*.c)) $(patsubst ./%.c, ./%.o, $(wildcard ./*.c)) diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index b65a1f36f..31f2e362d 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1778,6 +1778,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */ ); +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_main.c" +#endif + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_str); @@ -1786,6 +1790,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp /* ****************************************************** */ +#ifdef CUSTOM_NDPI_PROTOCOLS +#include "../../../nDPI-custom/custom_ndpi_protocols.c" +#endif + +/* ****************************************************** */ + static int ac_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) { int min_len = (txt->length < m->patterns->length) ? txt->length : m->patterns->length; char buf[64] = { '\0' }; diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index fa73ab0ae..b7fcfb61d 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -63,8 +63,8 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, u_int realm_len, realm_offset = cname_len + name_offset + 4, i; char cname_str[24]; - if(cname_len >= sizeof(cname_str)) - cname_len = sizeof(cname_str); + if(cname_len > sizeof(cname_str)-1) + cname_len = sizeof(cname_str)-1; strncpy(cname_str, (char*)&packet->payload[name_offset+1], cname_len); cname_str[cname_len] = '\0'; -- cgit v1.2.3