From 493d8afd8a22d61e4a75561f9317e741adc4120b Mon Sep 17 00:00:00 2001
From: Vladimir Gavrilov <105977161+0xA50C1A1@users.noreply.github.com>
Date: Tue, 3 Jun 2025 13:28:07 +0300
Subject: Hamachi: improve handshake check (#2861)

---
 src/lib/protocols/hamachi.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/lib/protocols/hamachi.c b/src/lib/protocols/hamachi.c
index 97b00bcf5..b30f0935b 100644
--- a/src/lib/protocols/hamachi.c
+++ b/src/lib/protocols/hamachi.c
@@ -64,13 +64,15 @@ static void search_hamachi_udp(struct ndpi_detection_module_struct* ndpi_struct,
 
   NDPI_LOG_DBG(ndpi_struct, "search Hamachi over UDP\n");
 
-  /* Session starts with two such packets containing 4 bytes in 
-   * the middle - probably key exchange or something. Skip.
-   */
-  if (packet->payload_packet_len == 76 &&
-      get_u_int64_t(packet->payload, 0) == 0)
+  /* Skip initial 76-byte handshake (relay mode only) */
+  if (flow->packet_counter <= 2 && packet->payload_packet_len == 76)
   {
-    return;
+    if (get_u_int64_t(packet->payload, 0) != 0 ||
+        get_u_int64_t(packet->payload, 68) != 0)
+    {
+      goto exclude_hamachi;
+    }
+    return; /* Likely Hamachi handshake */
   }
 
   /* Empirically observed minimum */
-- 
cgit v1.2.3