From ef1a84fb39ddd8163d4824d8893145dc60ed6a56 Mon Sep 17 00:00:00 2001 From: "Yoni.Linder" Date: Wed, 10 May 2017 17:23:23 +0300 Subject: ndpi someip initial version with hardcoded port enforcing --- src/lib/ndpi_main.c | 8 ++ src/lib/protocols/SOMEIP.c | 229 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 237 insertions(+) create mode 100644 src/lib/protocols/SOMEIP.c (limited to 'src/lib') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 52a7d7222..c18723c87 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1571,6 +1571,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "MQTT", NDPI_PROTOCOL_CATEGORY_RPC, ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0)); /* UDP */ + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOMEIP, + no_master, + no_master, "SOME/IP", NDPI_PROTOCOL_CATEGORY_RPC, + ndpi_build_default_ports(ports_a, 30491, 30501, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 30491, 30501, 30490, 0, 0)); /* UDP */ ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX, no_master, no_master, "RX", NDPI_PROTOCOL_CATEGORY_RPC, @@ -2691,6 +2696,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MQTT */ init_mqtt_dissector(ndpi_struct, &a, detection_bitmask); + /* MQTT */ + init_someip_dissector(ndpi_struct, &a, detection_bitmask); + /* RX */ init_rx_dissector(ndpi_struct, &a, detection_bitmask); diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c new file mode 100644 index 000000000..84fdfada7 --- /dev/null +++ b/src/lib/protocols/SOMEIP.c 
@@ -0,0 +1,229 @@
+/*
+ * SOMEIP.c
+ *
+ * Copyright (C) 2016 Sorin Zamfir
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your omessage_typeion) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI. If not, see .
+ *
+ */
+
+#include "ndpi_protocols.h"
+#ifdef NDPI_PROTOCOL_SOMEIP
+
+/**
+ * The type of control messages in mqtt version 3.1.1
+ * see http://docs.oasis-open.org/mqtt/mqtt/v3.1.1
+ */
+enum SOMEIP_MESSAGE_TYPES {
+ REQUEST = 0x00,
+ REQUEST_NO_RETURN = 0x01,
+ NOTIFICATION = 0x02,
+ REQUEST_ACK = 0x40,
+ REQUEST_NO_RETURN_ACK = 0x41,
+ NOTIFICATION_ACK = 0x42,
+ RESPONSE = 0x80,
+ ERROR = 0x81,
+ RESPONSE_ACK = 0xc0,
+ ERROR_ACK = 0xc1
+};
+
+enum SOMEIP_RETURN_CODES {
+ E_OK = 0x00,
+ E_NOT_OK = 0x01,
+ E_UNKNOWN_SERVICE = 0x02,
+ E_UNKNOWN_METHOD = 0x03,
+ E_NOT_READY = 0x04,
+ E_NOT_REACHABLE = 0x05,
+ E_TIMEOUT = 0x06,
+ E_WRONG_PROTOCOL_VERSION = 0x07,
+ E_WRONG_INTERFACE_VERSION = 0x08,
+ E_MALFORMED_MESSAGE = 0x09,
+ E_WRONG_MESSAGE_TYPE = 0x0a
+};
+
+enum SPECIAL_MESSAGE_IDS {
+ MSG_MAGIC_COOKIE = 0xffff0000,
+ MSG_MAGIC_COOKIE_ACK = 0xffff8000,
+ MSG_SD = 0xffff8100
+};
+
+
+/**
+ * Entry point when protocol is identified.
+ */
+static void ndpi_int_someip_add_connection (struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+ ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_SOMEIP,NDPI_PROTOCOL_UNKNOWN);
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found.\n");
+}
+
+/**
+ * Dissector function that searches SOME/IP headers
+ */
+void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct,
+ struct ndpi_flow_struct *flow)
+{
+
+ //####Maybe check carrier protocols?####
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n");
+ struct ndpi_packet_struct *packet = &flow->packet;
+ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
+ return;
+ }
+ /*NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP detection...\n");
+ if (flow->packet_counter > 10) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. mandatory header not found!\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+ ####This block drops flows with over 10 packets. Why? Probably just an auto-drop in case nothing else catches it. Necessary for SOME/IP? Good question.####
+ */
+
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Service ID: %02x%02x%02x%02x [len: %u]\n",
+ packet->payload[3], packet->payload[2], packet->payload[1], packet->payload[0], packet->payload_packet_len);
+ //####I switched the endianity on these since the Message ID is 32 bit. Might be a wrong move?####
+ if (packet->payload_packet_len < 16) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. mandatory header not found (not enough data for all fields)\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+ /*if (packet->payload_packet_len > 258) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. maximum packet size exceeded!\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+ ####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2####
+ */
+
+
+
+ // we extract the remaining length
+ u_int32_t someip_len = (u_int32_t) (packet->payload[4]+(packet->payload[5]<<8)+(packet->payload[6]<<16)+(packet->payload[7]<<24));
+ if (packet->payload_packet_len != (someip_len + 8)) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+
+
+ // check protocol version. ####CHECK IF ENDIANITY IS CORRECT####
+ u_int8_t protocol_version = (u_int8_t) (packet->payload[15]);
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version);
+ if (protocol_version != 0x01){
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+
+ //####Read Interface Version, for later use. CHECK IF ENDIANITY IS CORRECT####
+ u_int8_t interface_version = (packet->payload[14]);
+
+
+ // we extract the message type. ####CHECK IF ENDIANITY IS CORRECT####
+ u_int8_t message_type = (u_int8_t) (packet->payload[13]);
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type);
+ if ((message_type != 0x00) && (message_type != 0x01) && (message_type != 0x02) && (message_type != 0x40) && (message_type != 0x41) &&
+ (message_type != 0x42) && (message_type != 0x80) && (message_type != 0x81) && (message_type != 0xc0) && (message_type != 0xc1)) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid message type!\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+
+ // we extract the return code. ####CHECK IF ENDIANITY IS CORRECT####
+ u_int8_t return_code = (u_int8_t) (packet->payload[12]);
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n",return_code);
+ if ((return_code > 0x3f)) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+
+ //we extract the Message ID and Request ID and check for special cases
+ u_int32_t message_id = (u_int32_t) (packet->payload[0]+(packet->payload[1]<<8)+(packet->payload[2]<<16)+(packet->payload[3]<<24));
+ u_int32_t request_id = (u_int32_t) (packet->payload[8]+(packet->payload[9]<<8)+(packet->payload[10]<<16)+(packet->payload[11]<<24));
+
+ if (message_id == MSG_MAGIC_COOKIE){
+ if (someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) &&
+ (message_type == 0x01) && (return_code == 0x00){
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type);
+ ndpi_int_someip_add_connection(ndpi_struct,flow);
+ return;
+ }
+ else{
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP, invalid header for Magic Cookie\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+ }
+
+ if (message_id == MSG_MAGIC_COOKIE_ACK){
+ if (someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) &&
+ (message_type == 0x02) && (return_code == 0x00){
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type);
+ ndpi_int_someip_add_connection(ndpi_struct,flow);
+ return;
+ }
+ else{
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP, invalid header for Magic Cookie ACK\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+ }
+ }
+
+ if (message_id == MSG_SD){
+ //####Service Discovery message. Fill in later!####
+ }
+
+ //Filtering by port as per request. This is PURELY for demo purposes and the rest of the check must be filled in later on!
+ if (packet->l4_protocol == IPPROTO_UDP){
+ if ((packet->udp->dest == 30491) || (packet->udp->dest == 30501) || (packet->udp->dest == 30490)) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type);
+ ndpi_int_someip_add_connection(ndpi_struct,flow);
+ }
+ }
+ if (packet->l4_protocol == IPPROTO_TCP){
+ if ((packet->tcp->dest == 30491) || (packet->tcp->dest == 30501)) {
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type);
+ ndpi_int_someip_add_connection(ndpi_struct,flow);
+ }
+ }
+
+
+
+
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Reached the end without confirming SOME/IP ...\n");
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);
+ return;
+}
+/**
+ * Entry point for the ndpi library
+ */
+void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct,
+ u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP dissector init...\n");
+ ndpi_set_bitmask_protocol_detection ("MQTT", ndpi_struct, detection_bitmask, *id,
+ NDPI_PROTOCOL_SOMEIP,
+ ndpi_search_someip,
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD,
+ SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK);
+ *id +=1;
+}
+
+#endif // NDPI_PROTOCOL_SOMEIP
+
-- cgit v1.2.3 From 87b49c524993bf17de1a207b4473d439c4071b24 Mon Sep 17 00:00:00 2001 From: alexei-argus Date: Wed, 10 May 2017 18:05:27 +0300 Subject: Fix build errors
---
src/lib/Makefile.am | 1 + src/lib/protocols/SOMEIP.c | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) (limited to 'src/lib')
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index 375e9ce48..3bf808f44 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
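Review bot: In the new SOMEIP.c, ndpi_search_someip builds its 32-bit fields with uncast shifts such as `packet->payload[7]<<24` (someip_len, and the same pattern for message_id and request_id). Each byte is promoted to int first, so a top byte of 0x80 or more shifts into the sign bit, which is undefined behaviour on network-supplied data. Cast before shifting, e.g. `((u_int32_t)packet->payload[7] << 24)`. The reordered big-endian expressions in the later `@@ -94,9 +97,15 @@` and `@@ -111,18 +120,19 @@` hunks keep the uncast form (`packet->payload[0]<<24`, `packet->payload[4]<<24`). This assumes payload points to an 8-bit unsigned type, which the page does not show.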
@@ -158,6 +158,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/zeromq.c \ protocols/smpp.c \ protocols/tinc.c \ + protocols/someip.c \ third_party/include/actypes.h \ third_party/include/ahocorasick.h \ third_party/include/ndpi_patricia.h \ diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index 84fdfada7..54c2d568f 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -158,8 +158,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int32_t request_id = (u_int32_t) (packet->payload[8]+(packet->payload[9]<<8)+(packet->payload[10]<<16)+(packet->payload[11]<<24)); if (message_id == MSG_MAGIC_COOKIE){ - if (someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && - (message_type == 0x01) && (return_code == 0x00){ + if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && + (message_type == 0x01) && (return_code == 0x00)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type); ndpi_int_someip_add_connection(ndpi_struct,flow); return; @@ -172,8 +172,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE_ACK){ - if (someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && - (message_type == 0x02) && (return_code == 0x00){ + if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && + (message_type == 0x02) && (return_code == 0x00)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type); ndpi_int_someip_add_connection(ndpi_struct,flow); return; -- cgit v1.2.3 From bc7f0b368670f8c067c04c43a3fa9c6c81af77d4 Mon Sep 17 00:00:00 2001 
From: "Yoni.Linder" Date: Mon, 15 May 2017 10:18:46 +0300 Subject: endianity for ports --- src/lib/protocols/SOMEIP.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/lib') diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index 54c2d568f..62abc1cd0 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -191,13 +191,13 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //Filtering by port as per request. This is PURELY for demo purposes and the rest of the check must be filled in later on! if (packet->l4_protocol == IPPROTO_UDP){ - if ((packet->udp->dest == 30491) || (packet->udp->dest == 30501) || (packet->udp->dest == 30490)) { + if ((packet->udp->dest == ntohs(30491)) || (packet->udp->dest == ntohs(30501)) || (packet->udp->dest == ntohs(30490))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct,flow); } } if (packet->l4_protocol == IPPROTO_TCP){ - if ((packet->tcp->dest == 30491) || (packet->tcp->dest == 30501)) { + if ((packet->tcp->dest == ntohs(30491)) || (packet->tcp->dest == ntohs(30501))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct,flow); } @@ -217,7 +217,7 @@ void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP dissector init...\n"); - ndpi_set_bitmask_protocol_detection ("MQTT", ndpi_struct, detection_bitmask, *id, + ndpi_set_bitmask_protocol_detection ("SOME/IP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_SOMEIP, ndpi_search_someip, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, -- cgit v1.2.3 From 62a65aa4ccea8896890aa11ef5f8f24159d92e3d Mon Sep 17 00:00:00 2001 
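Review bot: The port literals in the new UDP and TCP comparisons are host-order constants being put into network order, so `htons` is the conversion that states the intent: `packet->udp->dest == htons(30491)`. `ntohs(30491)` produces the same value on common platforms, which is why the check works, but it reads as though 30491 had come off the wire. Converting the field once instead, as `ntohs(packet->udp->dest)`, would also avoid repeating the call per constant. ndpi_search_someip starts and ends outside this hunk.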
From: alexei-argus Date: Thu, 18 May 2017 10:40:15 +0300 Subject: Fix case-sensitivity issue --- src/lib/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/lib') diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 3bf808f44..3af5881b7 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -158,7 +158,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/zeromq.c \ protocols/smpp.c \ protocols/tinc.c \ - protocols/someip.c \ + protocols/SOMEIP.c \ third_party/include/actypes.h \ third_party/include/ahocorasick.h \ third_party/include/ndpi_patricia.h \ -- cgit v1.2.3 From ae959f2d78feec6f66d29add46789078199acb93 Mon Sep 17 00:00:00 2001 From: "Yoni.Linder" Date: Fri, 19 May 2017 10:57:27 +0300 Subject: SOMEIP debug + bug fixes --- example/ndpiReader.c | 1 + src/lib/protocols/SOMEIP.c | 52 +++++++++++++++++++++++++++++----------------- 2 files changed, 34 insertions(+), 19 deletions(-) (limited to 'src/lib') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 6d5f5d5ee..ecb023d96 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1114,6 +1114,7 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { // enable all protocols NDPI_BITMASK_SET_ALL(all); + printf("Setting up detection..."); ndpi_set_protocol_detection_bitmask2(ndpi_thread_info[thread_id].workflow->ndpi_struct, &all); // clear memory for results diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index 62abc1cd0..7637cf768 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -80,6 +80,9 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, { //####Maybe check carrier protocols?#### + + printf("trying to SOMEIP 1..."); + NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); struct ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { 
@@ -94,9 +97,15 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, ####This block drops flows with over 10 packets. Why? Probably just an auto-drop in case nothing else catches it. Necessary for SOME/IP? Good question.#### */ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Service ID: %02x%02x%02x%02x [len: %u]\n", - packet->payload[3], packet->payload[2], packet->payload[1], packet->payload[0], packet->payload_packet_len); - //####I switched the endianity on these since the Message ID is 32 bit. Might be a wrong move?#### + //we extract the Message ID and Request ID and check for special cases later + u_int32_t message_id = (u_int32_t) ((packet->payload[0]<<24)+(packet->payload[1]<<16)+(packet->payload[2]<<8)+packet->payload[3]); + u_int32_t request_id = (u_int32_t) ((packet->payload[8]<<24)+(packet->payload[9]<<16)+(packet->payload[10]<<8)+packet->payload[11]); + + + printf("trying to SOMEIP 2..."); + + NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", + message_id, packet->payload_packet_len); if (packet->payload_packet_len < 16) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. mandatory header not found (not enough data for all fields)\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); 
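Review bot: message_id and request_id are now assembled from payload[0] through payload[11] above the `if (packet->payload_packet_len < 16)` test that follows in this hunk, so a payload shorter than 12 bytes is read past its end on every call rather than only inside a debug log. Move the two `u_int32_t` declarations and the Message ID NDPI_LOG that uses them to just after that length check's block, whose closing brace lies outside the hunk. The Service ID log removed here read payload[0..3] in the same position, so the ordering problem predates this change.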
@@ -111,18 +120,19 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, */ - + printf("trying to SOMEIP 3..."); + // we extract the remaining length - u_int32_t someip_len = (u_int32_t) (packet->payload[4]+(packet->payload[5]<<8)+(packet->payload[6]<<16)+(packet->payload[7]<<24)); + u_int32_t someip_len = (u_int32_t) ((packet->payload[4]<<24) + (packet->payload[5]<<16) + (packet->payload[6]<<8) +packet->payload[7]); if (packet->payload_packet_len != (someip_len + 8)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } + printf("trying to SOMEIP 4..."); - // check protocol version. ####CHECK IF ENDIANITY IS CORRECT#### - u_int8_t protocol_version = (u_int8_t) (packet->payload[15]); + u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); if (protocol_version != 0x01){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n"); 
@@ -130,12 +140,11 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, return; } - //####Read Interface Version, for later use. CHECK IF ENDIANITY IS CORRECT#### - u_int8_t interface_version = (packet->payload[14]); - + u_int8_t interface_version = (packet->payload[13]); + + printf("trying to SOMEIP 5..."); - // we extract the message type. ####CHECK IF ENDIANITY IS CORRECT#### - u_int8_t message_type = (u_int8_t) (packet->payload[13]); + u_int8_t message_type = (u_int8_t) (packet->payload[14]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type); if ((message_type != 0x00) && (message_type != 0x01) && (message_type != 0x02) && (message_type != 0x40) && (message_type != 0x41) && (message_type != 0x42) && (message_type != 0x80) && (message_type != 0x81) && (message_type != 0xc0) && (message_type != 0xc1)) { 
@@ -144,18 +153,17 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, return; } - // we extract the return code. ####CHECK IF ENDIANITY IS CORRECT#### - u_int8_t return_code = (u_int8_t) (packet->payload[12]); + printf("trying to SOMEIP 6..."); + + u_int8_t return_code = (u_int8_t) (packet->payload[15]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n",return_code); if ((return_code > 0x3f)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } - - //we extract the Message ID and Request ID and check for special cases - u_int32_t message_id = (u_int32_t) (packet->payload[0]+(packet->payload[1]<<8)+(packet->payload[2]<<16)+(packet->payload[3]<<24)); - u_int32_t request_id = (u_int32_t) (packet->payload[8]+(packet->payload[9]<<8)+(packet->payload[10]<<16)+(packet->payload[11]<<24)); + + printf("trying to SOMEIP 7..."); if (message_id == MSG_MAGIC_COOKIE){ if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && @@ -170,6 +178,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, return; } } + + printf("trying to SOMEIP 8..."); if (message_id == MSG_MAGIC_COOKIE_ACK){ if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && @@ -185,6 +195,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } } + printf("trying to SOMEIP 9..."); + if (message_id == MSG_SD){ //####Service Discovery message. Fill in later!#### } 
@@ -194,16 +206,18 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, if ((packet->udp->dest == ntohs(30491)) || (packet->udp->dest == ntohs(30501)) || (packet->udp->dest == ntohs(30490))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct,flow); + return; } } if (packet->l4_protocol == IPPROTO_TCP){ if ((packet->tcp->dest == ntohs(30491)) || (packet->tcp->dest == ntohs(30501))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct,flow); + return; } } - + printf("trying to SOMEIP 10..."); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Reached the end without confirming SOME/IP ...\n"); -- cgit v1.2.3 From 7d39ba212471cbbfe5bb695dd43bbf4927239817 Mon Sep 17 00:00:00 2001 From: "Yoni.Linder" Date: Fri, 19 May 2017 11:42:57 +0300 Subject: removed debug prints, changed line of documentation --- example/ndpiReader.c | 1 - src/lib/ndpi_main.c | 2 +- src/lib/protocols/SOMEIP.c | 23 ----------------------- 3 files changed, 1 insertion(+), 25 deletions(-) (limited to 'src/lib') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index ecb023d96..6d5f5d5ee 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1114,7 +1114,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { // enable all protocols NDPI_BITMASK_SET_ALL(all); - printf("Setting up detection..."); ndpi_set_protocol_detection_bitmask2(ndpi_thread_info[thread_id].workflow->ndpi_struct, &all); // clear memory for results diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c18723c87..8ff3855af 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -2696,7 +2696,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MQTT */ init_mqtt_dissector(ndpi_struct, &a, detection_bitmask); - /* MQTT */ + /* SOME/IP */ init_someip_dissector(ndpi_struct, &a, detection_bitmask); /* RX */ diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index 7637cf768..e857371f9 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -81,8 +81,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //####Maybe check carrier protocols?#### - printf("trying to SOMEIP 1..."); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); struct ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { @@ -101,9 +99,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int32_t message_id = (u_int32_t) ((packet->payload[0]<<24)+(packet->payload[1]<<16)+(packet->payload[2]<<8)+packet->payload[3]); u_int32_t request_id = (u_int32_t) ((packet->payload[8]<<24)+(packet->payload[9]<<16)+(packet->payload[10]<<8)+packet->payload[11]); - - printf("trying to SOMEIP 2..."); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", message_id, packet->payload_packet_len); if (packet->payload_packet_len < 16) { @@ -119,9 +114,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, ####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2#### */ - - printf("trying to SOMEIP 3..."); - // we extract the remaining length u_int32_t someip_len = (u_int32_t) ((packet->payload[4]<<24) + (packet->payload[5]<<16) + (packet->payload[6]<<8) +packet->payload[7]); if (packet->payload_packet_len != (someip_len + 8)) { 
@@ -130,8 +122,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, return; } - printf("trying to SOMEIP 4..."); - u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); if (protocol_version != 0x01){ @@ -142,8 +132,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t interface_version = (packet->payload[13]); - printf("trying to SOMEIP 5..."); - u_int8_t message_type = (u_int8_t) (packet->payload[14]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type); if ((message_type != 0x00) && (message_type != 0x01) && (message_type != 0x02) && (message_type != 0x40) && (message_type != 0x41) && @@ -153,8 +141,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, return; } - printf("trying to SOMEIP 6..."); - u_int8_t return_code = (u_int8_t) (packet->payload[15]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n",return_code); if ((return_code > 0x3f)) { @@ -162,8 +148,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } - - printf("trying to SOMEIP 7..."); if (message_id == MSG_MAGIC_COOKIE){ if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && @@ -178,8 +162,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, return; } } - - printf("trying to SOMEIP 8..."); if (message_id == MSG_MAGIC_COOKIE_ACK){ if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && 
@@ -195,8 +177,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } } - printf("trying to SOMEIP 9..."); - if (message_id == MSG_SD){ //####Service Discovery message. Fill in later!#### } @@ -217,9 +197,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } } - printf("trying to SOMEIP 10..."); - - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Reached the end without confirming SOME/IP ...\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; -- cgit v1.2.3 From 6029510ee7623ec55a28d0505db4b5b3ad4ec931 Mon Sep 17 00:00:00 2001 From: alexei-argus Date: Fri, 19 May 2017 13:36:39 +0300 Subject: Add CR comments --- src/lib/protocols/SOMEIP.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) (limited to 'src/lib') diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index e857371f9..9c12343e8 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -24,6 +24,7 @@ #include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SOMEIP +// CR: these MQTT references are no longer relevant, rigth? /** * The type of control messages in mqtt version 3.1.1 * see http://docs.oasis-open.org/mqtt/mqtt/v3.1.1 @@ -82,10 +83,13 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //####Maybe check carrier protocols?#### NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); + // CR: can packet be const? struct ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } + // CR: let's reach a decision in this issue. + /*NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP detection...\n"); if (flow->packet_counter > 10) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. mandatory header not found!\n"); 
@@ -115,6 +119,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, */ // we extract the remaining length + // CR: cast the payload to unsigned int, then use ntohl u_int32_t someip_len = (u_int32_t) ((packet->payload[4]<<24) + (packet->payload[5]<<16) + (packet->payload[6]<<8) +packet->payload[7]); if (packet->payload_packet_len != (someip_len + 8)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n"); @@ -124,6 +129,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); + // CR: don't use magic numbers, convert this to a constant instead if (protocol_version != 0x01){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); @@ -134,6 +140,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t message_type = (u_int8_t) (packet->payload[14]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type); + + // CR: don't use magic numbers, convert these to constants instead if ((message_type != 0x00) && (message_type != 0x01) && (message_type != 0x02) && (message_type != 0x40) && (message_type != 0x41) && (message_type != 0x42) && (message_type != 0x80) && (message_type != 0x81) && (message_type != 0xc0) && (message_type != 0xc1)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid message type!\n"); 
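Review bot: The advice recorded in the added `// CR: cast the payload to unsigned int, then use ntohl` comment above the someip_len extraction is unsafe if followed literally. Reading through `(u_int32_t *)(packet->payload + 4)` assumes an alignment the payload pointer is not guaranteed to have and accesses byte data through an incompatible type. If ntohl is wanted, copy first: `u_int32_t raw; memcpy(&raw, packet->payload + 4, sizeof raw); someip_len = ntohl(raw);`. Otherwise keep the byte-wise assembly and cast each byte to u_int32_t before shifting; the same holds for message_id and request_id.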
@@ -142,7 +150,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } u_int8_t return_code = (u_int8_t) (packet->payload[15]); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n",return_code); + NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n", return_code); + // CR: don't use magic numbers, convert this to a constant instead if ((return_code > 0x3f)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); @@ -150,10 +159,11 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE){ + // CR: don't use magic numbers, convert these to constants instead if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && (message_type == 0x01) && (return_code == 0x00)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type); - ndpi_int_someip_add_connection(ndpi_struct,flow); + ndpi_int_someip_add_connection(ndpi_struct, flow); return; } else{ @@ -164,10 +174,11 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE_ACK){ + // CR: don't use magic numbers, convert these to constants instead if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && (message_type == 0x02) && (return_code == 0x00)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type); - ndpi_int_someip_add_connection(ndpi_struct,flow); + ndpi_int_someip_add_connection(ndpi_struct, flow); return; } else{ 
@@ -178,21 +189,26 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_SD){ + // CR: let's talk about this (i.e. what should be here right now? what documentation should we leave behind?) //####Service Discovery message. Fill in later!#### } + // CR: while this is for demo purposes, the port numbers are as specified in the SOME/IP document, so we should change the + // comment to reflect this. + // Also, don't use magic numbers, use constants. + //Filtering by port as per request. This is PURELY for demo purposes and the rest of the check must be filled in later on! if (packet->l4_protocol == IPPROTO_UDP){ if ((packet->udp->dest == ntohs(30491)) || (packet->udp->dest == ntohs(30501)) || (packet->udp->dest == ntohs(30490))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); - ndpi_int_someip_add_connection(ndpi_struct,flow); + ndpi_int_someip_add_connection(ndpi_struct, flow); return; } } if (packet->l4_protocol == IPPROTO_TCP){ if ((packet->tcp->dest == ntohs(30491)) || (packet->tcp->dest == ntohs(30501))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); - ndpi_int_someip_add_connection(ndpi_struct,flow); + ndpi_int_someip_add_connection(ndpi_struct, flow); return; } } -- cgit v1.2.3 From 0aa5ebde5d0a03dbc4c941f129efb42a8c010457 Mon Sep 17 00:00:00 2001 From: "Yoni.Linder" Date: Fri, 19 May 2017 14:16:21 +0300 Subject: CR comments and fixes --- src/lib/protocols/SOMEIP.c | 79 +++++++++++++++++++++++++++------------------- 1 file changed, 47 insertions(+), 32 deletions(-) (limited to 'src/lib') diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index 9c12343e8..a0d347417 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c 
@@ -24,11 +24,7 @@ #include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SOMEIP -// CR: these MQTT references are no longer relevant, rigth? -/** - * The type of control messages in mqtt version 3.1.1 - * see http://docs.oasis-open.org/mqtt/mqtt/v3.1.1 - */ +// CR: these MQTT references are no longer relevant, rigth? ANS: true. enum SOMEIP_MESSAGE_TYPES { REQUEST = 0x00, REQUEST_NO_RETURN = 0x01, @@ -53,7 +49,8 @@ enum SOMEIP_RETURN_CODES { E_WRONG_PROTOCOL_VERSION = 0x07, E_WRONG_INTERFACE_VERSION = 0x08, E_MALFORMED_MESSAGE = 0x09, - E_WRONG_MESSAGE_TYPE = 0x0a + E_WRONG_MESSAGE_TYPE = 0x0a, + E_RETURN_CODE_LEGAL_THRESHOLD = 0x40 //return codes from 0x40 (inclusive) and upwards are illegal. }; enum SPECIAL_MESSAGE_IDS { @@ -62,6 +59,21 @@ enum SPECIAL_MESSAGE_IDS { MSG_SD = 0xffff8100 }; +enum PROTOCOL_VERSION{ + LEGAL_PROTOCOL_VERSION = 0x01 +}; + +enum MAGIC_COOKIE_CONSTANTS{ + MC_REQUEST_ID = 0xDEADBEEF, + MC_LENGTH = 0x08, + MC_INTERFACE_VERSION = 0x01 +}; + +enum DEFAULT_PROTOCOL_PORTS{ + PORT_DEFAULT_CLIENT = 30491, + PORT_DEFAULT_SERVER = 30501, + PORT_DEFAULT_SD = 30490 +}; /** * Entry point when protocol is identified. @@ -83,12 +95,12 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //####Maybe check carrier protocols?#### NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); - // CR: can packet be const? - struct ndpi_packet_struct *packet = &flow->packet; + // CR: can packet be const? ANS: Probably yeah, needs testing but I changed it. + struct const ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } - // CR: let's reach a decision in this issue. + // CR: let's reach a decision in this issue. ANS: I think it's unnecessary and would get dropped on length checks or whatever, so we can remove this. /*NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP detection...\n"); if (flow->packet_counter > 10) { 
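Review bot: `MC_REQUEST_ID = 0xDEADBEEF` in the new `enum MAGIC_COOKIE_CONSTANTS` does not fit in an `int`, and before C23 an enumeration constant must be representable as `int`, so this definition relies on a compiler extension. The `MSG_SD = 0xffff8100` context line in `SPECIAL_MESSAGE_IDS` has the same problem. The value is compared against the `u_int32_t request_id` parsed from the packet, so a typed constant keeps that comparison unsigned on every compiler: `#define MC_REQUEST_ID 0xDEADBEEFu`. `MC_LENGTH` and `MC_INTERFACE_VERSION` fit in `int` and can stay in the enum.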
@@ -100,8 +112,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, */ //we extract the Message ID and Request ID and check for special cases later - u_int32_t message_id = (u_int32_t) ((packet->payload[0]<<24)+(packet->payload[1]<<16)+(packet->payload[2]<<8)+packet->payload[3]); - u_int32_t request_id = (u_int32_t) ((packet->payload[8]<<24)+(packet->payload[9]<<16)+(packet->payload[10]<<8)+packet->payload[11]); + u_int32_t message_id = ntohl(*((u_int32_t *)packet->payload[0])); + u_int32_t request_id = ntohl(*((u_int32_t *)packet->payload[8])); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", message_id, packet->payload_packet_len); @@ -119,8 +131,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, */ // we extract the remaining length - // CR: cast the payload to unsigned int, then use ntohl - u_int32_t someip_len = (u_int32_t) ((packet->payload[4]<<24) + (packet->payload[5]<<16) + (packet->payload[6]<<8) +packet->payload[7]); + // CR: cast the payload to unsigned int, then use ntohl ANS: done + u_int32_t someip_len = ntohl(*((u_int32_t *)packet->payload[4])); if (packet->payload_packet_len != (someip_len + 8)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); 
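Review bot: The new reads `ntohl(*((u_int32_t *)packet->payload[0]))` and the matching one for `payload[8]` cast the byte stored at that offset to a pointer instead of taking its address. The parser therefore dereferences an address between 0 and 255 taken from the packet, which will fault or read unrelated memory; the `someip_len` read from `payload[4]` in the next hunk has the same defect. Taking the address fixes that, but a `u_int32_t` load through a cast byte pointer still has no alignment guarantee and breaks strict aliasing, so copy the bytes instead: `u_int32_t message_id; memcpy(&message_id, &packet->payload[0], sizeof message_id); message_id = ntohl(message_id);`, and likewise for offsets 4 and 8. `ndpi_search_someip` starts and ends outside this hunk.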
@@ -129,8 +141,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); - // CR: don't use magic numbers, convert this to a constant instead - if (protocol_version != 0x01){ + // CR: don't use magic numbers, convert this to a constant instead ANS: done + if (protocol_version != LEGAL_PROTOCOL_VERSION){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; @@ -141,9 +153,10 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t message_type = (u_int8_t) (packet->payload[14]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type); - // CR: don't use magic numbers, convert these to constants instead - if ((message_type != 0x00) && (message_type != 0x01) && (message_type != 0x02) && (message_type != 0x40) && (message_type != 0x41) && - (message_type != 0x42) && (message_type != 0x80) && (message_type != 0x81) && (message_type != 0xc0) && (message_type != 0xc1)) { + // CR: don't use magic numbers, convert these to constants instead ANS: done + if ((message_type != REQUEST) && (message_type != REQUEST_NO_RETURN) && (message_type != NOTIFICATION) && (message_type != REQUEST_ACK) && + (message_type != REQUEST_NO_RETURN_ACK) && (message_type != NOTIFICATION_ACK) && (message_type != RESPONSE) && + (message_type != ERROR) && (message_type != RESPONSE_ACK) && (message_type != ERROR_ACK)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid message type!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; 
@@ -151,17 +164,17 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t return_code = (u_int8_t) (packet->payload[15]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n", return_code); - // CR: don't use magic numbers, convert this to a constant instead - if ((return_code > 0x3f)) { + // CR: don't use magic numbers, convert this to a constant instead ANS: done + if ((return_code >= E_RETURN_CODE_LEGAL_THRESHOLD)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } if (message_id == MSG_MAGIC_COOKIE){ - // CR: don't use magic numbers, convert these to constants instead - if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && - (message_type == 0x01) && (return_code == 0x00)){ + // CR: don't use magic numbers, convert these to constants instead ANS:done + if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && + (message_type == REQUEST_NO_RETURN\) && (return_code == E_OK)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; 
@@ -174,9 +187,9 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE_ACK){ - // CR: don't use magic numbers, convert these to constants instead - if ((someip_len == 0x08) && (request_id == 0xDEADBEEF) && (interface_version == 0x01) && - (message_type == 0x02) && (return_code == 0x00)){ + // CR: don't use magic numbers, convert these to constants instead ANS: done + if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION\) && + (message_type == REQUEST_NO_RETURN) && (return_code == E_OK)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; 
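Review bot: The Magic Cookie ACK test now requires `message_type == REQUEST_NO_RETURN` (0x01), but the line it replaces compared against `0x02`, which is `NOTIFICATION` in `SOMEIP_MESSAGE_TYPES`, so the constant substitution changed behaviour rather than just naming the value. As written, an ACK carrying type 0x02 falls into the `else` branch and one carrying 0x01 is accepted, which looks like a copy of the Magic Cookie condition from the previous hunk. The line should read `(message_type == NOTIFICATION) && (return_code == E_OK)){`. The stray backslash in `MC_INTERFACE_VERSION\)` on the line above, and in `REQUEST_NO_RETURN\)` in the previous hunk, also keeps the file from compiling.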
@@ -189,24 +202,26 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_SD){ - // CR: let's talk about this (i.e. what should be here right now? what documentation should we leave behind?) + // CR: let's talk about this (i.e. what should be here right now? what documentation should we leave behind?) ANS: a TON of stuff. SD is basically another protocol built ontop SOMEIP. at the very least I expect it to be as long as everything else we've done already. //####Service Discovery message. Fill in later!#### } // CR: while this is for demo purposes, the port numbers are as specified in the SOME/IP document, so we should change the - // comment to reflect this. - // Also, don't use magic numbers, use constants. + // comment to reflect this. ANS: done + // Also, don't use magic numbers, use constants. ANS: done - //Filtering by port as per request. This is PURELY for demo purposes and the rest of the check must be filled in later on! + //Filtering by port. + //This check is NOT a 100% thing - these ports are mentioned in the documentation but the documentation also states they haven't been approved by IANA yet, and that the user is free to use different ports. + //This is is PURELY for demo purposes and the rest of the check must be filled in later on! 
if (packet->l4_protocol == IPPROTO_UDP){ - if ((packet->udp->dest == ntohs(30491)) || (packet->udp->dest == ntohs(30501)) || (packet->udp->dest == ntohs(30490))) { + if ((packet->udp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SERVER)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SD))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; } } if (packet->l4_protocol == IPPROTO_TCP){ - if ((packet->tcp->dest == ntohs(30491)) || (packet->tcp->dest == ntohs(30501))) { + if ((packet->tcp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->tcp->dest == ntohs(PORT_DEFAULT_SERVER))) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; -- cgit v1.2.3 From 8ec286743361a0e7944c24c90f600a2b842df661 Mon Sep 17 00:00:00 2001 From: alexei-argus Date: Fri, 19 May 2017 14:33:05 +0300 Subject: CR fixes --- src/lib/protocols/SOMEIP.c | 40 ++++++---------------------------------- 1 file changed, 6 insertions(+), 34 deletions(-) (limited to 'src/lib') diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index a0d347417..7e33048c8 100644 --- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -24,7 +24,6 @@ #include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SOMEIP -// CR: these MQTT references are no longer relevant, rigth? ANS: true. enum SOMEIP_MESSAGE_TYPES { REQUEST = 0x00, REQUEST_NO_RETURN = 0x01, 
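Review bot: The port filter in both the UDP and the TCP branch compares only `dest`, so packets travelling from a service on one of the default ports back to a client's ephemeral port never match. If replies should be classified too, test the source port as well, e.g. `packet->udp->dest == htons(PORT_DEFAULT_SD) || packet->udp->source == htons(PORT_DEFAULT_SD)`. The conversion should be `htons()` because the constant is in host order; `ntohs()` yields the same value but states the wrong direction. The `NDPI_LOG` calls here pass `message_type` although the format string has no conversion for it, so the extra argument should be dropped. What happens to a flow that passes the header checks but uses other ports is decided after this hunk and is not visible here.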
@@ -95,25 +94,14 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //####Maybe check carrier protocols?#### NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); - // CR: can packet be const? ANS: Probably yeah, needs testing but I changed it. struct const ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } - // CR: let's reach a decision in this issue. ANS: I think it's unnecessary and would get dropped on length checks or whatever, so we can remove this. - - /*NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP detection...\n"); - if (flow->packet_counter > 10) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. mandatory header not found!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); - return; - } - ####This block drops flows with over 10 packets. Why? Probably just an auto-drop in case nothing else catches it. Necessary for SOME/IP? Good question.#### - */ //we extract the Message ID and Request ID and check for special cases later - u_int32_t message_id = ntohl(*((u_int32_t *)packet->payload[0])); - u_int32_t request_id = ntohl(*((u_int32_t *)packet->payload[8])); + u_int32_t message_id = ntohl(*((u_int32_t *)&packet->payload[0])); + u_int32_t request_id = ntohl(*((u_int32_t *)&packet->payload[8])); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", message_id, packet->payload_packet_len); 
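Review bot: No check of `packet->payload_packet_len` is visible before the 4-byte loads at offsets 0 and 8 in this hunk, so a payload shorter than the header would be read past its end. The function goes on to read `payload[15]`, which makes the minimum 16 bytes. If the exclusion block that follows the Message ID log line is that length check, it should move above these reads: `if (packet->payload_packet_len < 16) { NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; }`. The function begins before this hunk, so an earlier check outside the visible lines cannot be ruled out.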
@@ -122,17 +110,11 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } - /*if (packet->payload_packet_len > 258) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. maximum packet size exceeded!\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); - return; - } - ####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2#### - */ + + //####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2#### // we extract the remaining length - // CR: cast the payload to unsigned int, then use ntohl ANS: done - u_int32_t someip_len = ntohl(*((u_int32_t *)packet->payload[4])); + u_int32_t someip_len = ntohl(*((u_int32_t *)&packet->payload[4])); if (packet->payload_packet_len != (someip_len + 8)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); @@ -141,7 +123,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); - // CR: don't use magic numbers, convert this to a constant instead ANS: done if (protocol_version != LEGAL_PROTOCOL_VERSION){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); 
@@ -153,7 +134,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t message_type = (u_int8_t) (packet->payload[14]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type); - // CR: don't use magic numbers, convert these to constants instead ANS: done if ((message_type != REQUEST) && (message_type != REQUEST_NO_RETURN) && (message_type != NOTIFICATION) && (message_type != REQUEST_ACK) && (message_type != REQUEST_NO_RETURN_ACK) && (message_type != NOTIFICATION_ACK) && (message_type != RESPONSE) && (message_type != ERROR) && (message_type != RESPONSE_ACK) && (message_type != ERROR_ACK)) { @@ -164,7 +144,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t return_code = (u_int8_t) (packet->payload[15]); NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n", return_code); - // CR: don't use magic numbers, convert this to a constant instead ANS: done if ((return_code >= E_RETURN_CODE_LEGAL_THRESHOLD)) { NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); @@ -172,7 +151,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE){ - // CR: don't use magic numbers, convert these to constants instead ANS:done if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && (message_type == REQUEST_NO_RETURN\) && (return_code == E_OK)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type); 
@@ -187,7 +165,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE_ACK){ - // CR: don't use magic numbers, convert these to constants instead ANS: done if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION\) && (message_type == REQUEST_NO_RETURN) && (return_code == E_OK)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type); @@ -202,14 +179,9 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_SD){ - // CR: let's talk about this (i.e. what should be here right now? what documentation should we leave behind?) ANS: a TON of stuff. SD is basically another protocol built ontop SOMEIP. at the very least I expect it to be as long as everything else we've done already. - //####Service Discovery message. Fill in later!#### + NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP-SD currently not supported\n", message_type); } - // CR: while this is for demo purposes, the port numbers are as specified in the SOME/IP document, so we should change the - // comment to reflect this. ANS: done - // Also, don't use magic numbers, use constants. ANS: done - //Filtering by port. //This check is NOT a 100% thing - these ports are mentioned in the documentation but the documentation also states they haven't been approved by IANA yet, and that the user is free to use different ports. //This is is PURELY for demo purposes and the rest of the check must be filled in later on! -- cgit v1.2.3 From d4ca57884b6e85590dc71053f23b10ebfbbed2af Mon Sep 17 00:00:00 2001 From: alexei-argus Date: Fri, 19 May 2017 14:38:44 +0300 Subject: CR fixes #2 --- src/lib/protocols/SOMEIP.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/lib') diff --git a/src/lib/protocols/SOMEIP.c b/src/lib/protocols/SOMEIP.c index 7e33048c8..adffb0c33 100644 
--- a/src/lib/protocols/SOMEIP.c +++ b/src/lib/protocols/SOMEIP.c @@ -94,7 +94,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //####Maybe check carrier protocols?#### NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); - struct const ndpi_packet_struct *packet = &flow->packet; + const struct ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } @@ -152,7 +152,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, if (message_id == MSG_MAGIC_COOKIE){ if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && - (message_type == REQUEST_NO_RETURN\) && (return_code == E_OK)){ + (message_type == REQUEST_NO_RETURN) && (return_code == E_OK)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; @@ -165,7 +165,7 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, } if (message_id == MSG_MAGIC_COOKIE_ACK){ - if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION\) && + if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && (message_type == REQUEST_NO_RETURN) && (return_code == E_OK)){ NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); -- cgit v1.2.3