From 19e96f7dd2ea8a201614239b51fb32134c51352e Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 26 Aug 2015 16:09:24 +0200 Subject: Fixes #83. Critical fix: due to an invalid endianess conversion some protocol were not properly indetified --- src/include/ndpi_typedefs.h | 8 +++--- src/lib/ndpi_main.c | 61 +++++++++++++++++++++++++++------------------ src/lib/protocols/skype.c | 4 +-- src/lib/protocols/tcp_udp.c | 4 +-- 4 files changed, 44 insertions(+), 33 deletions(-) (limited to 'src') diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 8ea4650a6..7f82d0a28 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -672,12 +672,10 @@ typedef struct ndpi_flow_struct { u_int16_t protocol_stack_info; /* init parameter, internal used to set up timestamp,... */ - u_int16_t guessed_protocol_id; + u_int16_t guessed_protocol_id, guessed_host_proto_id; - u_int8_t protocol_id_already_guessed:1; - u_int8_t init_finished:1; - u_int8_t setup_packet_direction:1; - u_int8_t packet_direction:1; /* if ndpi_struct->direction_detect_disable == 1 */ + u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1; + /* if ndpi_struct->direction_detect_disable == 1 */ /* tcp sequence number connection tracking */ u_int32_t next_tcp_seq_nr[2]; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 5fb0b6cd8..fc5042b0f 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
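Review bot: In the ndpi_typedefs.h hunk the comment `/* if ndpi_struct->direction_detect_disable == 1 */` has been pushed onto its own line below the merged bitfield declaration, so it no longer sits next to `packet_direction`, the only flag it describes, and a reader now has to guess which of the five bits it qualifies. Either keep `packet_direction:1;` on its own line with the comment trailing it, or reword the comment to name the field, `/* packet_direction: only meaningful when ndpi_struct->direction_detect_disable == 1 */`. The two new members, `guessed_host_proto_id` and `host_already_guessed`, are undocumented; since their purpose is only visible in ndpi_main.c, a short comment such as `/* protocol guessed from the src/dst IP tree, computed once per flow */` would save the next maintainer a search.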
@@ -1670,10 +1670,10 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str prefix_t prefix; patricia_node_t *node; - pin->s_addr = ntohl(pin->s_addr); /* Make sure all in network byte order otherwise compares wont work */ + /* Make sure all in network byte order otherwise compares wont work */ fill_prefix_v4(&prefix, pin, 32, ((patricia_tree_t*)ndpi_struct->protocols_ptree)->maxbits); node = ndpi_patricia_search_best(ndpi_struct->protocols_ptree, &prefix); - + return(node ? node->value.user_value : NDPI_PROTOCOL_UNKNOWN); } @@ -1736,7 +1736,7 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, struct in_addr pin; patricia_node_t *node; - pin.s_addr = ntohl(host_list[i].network); + pin.s_addr = htonl(host_list[i].network); if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL) node->value.user_value = host_list[i].value; } @@ -1745,19 +1745,19 @@ static void ndpi_init_ptree_ipv4(struct ndpi_detection_module_struct *ndpi_str, /* ******************************************* */ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, - char *value, int protocol_id) { + char *value, int protocol_id) { - patricia_node_t *node; - struct in_addr pin; - - inet_pton(AF_INET, value, &pin); - pin.s_addr = ntohl(pin.s_addr); - - if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { - node->value.user_value = protocol_id; - } + patricia_node_t *node; + struct in_addr pin; + + inet_pton(AF_INET, value, &pin); + pin.s_addr = ntohl(pin.s_addr); + + if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { + node->value.user_value = protocol_id; + } - return(0); + return(0); } #endif 
@@ -1891,13 +1891,16 @@ u_int16_t ndpi_guess_protocol_id(struct ndpi_detection_module_struct *ndpi_struc ndpi_default_ports_tree_node_t node; if(sport && dport) { - node.default_port = sport; + int low = ndpi_min(sport, dport); + int high = ndpi_max(sport, dport); + + node.default_port = low; /* Check server port first */ ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot, ndpi_default_ports_tree_node_t_cmp); if(ret == NULL) { - node.default_port = dport; + node.default_port = high; ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void*)&ndpi_struct->tcpRoot : (void*)&ndpi_struct->udpRoot, ndpi_default_ports_tree_node_t_cmp); @@ -3418,23 +3421,33 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct } else ret.protocol = flow->detected_protocol_stack[0]; - - if((ret.master_protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph) { - struct in_addr pin = { flow->packet.iph->saddr }; - - if((ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { + if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) + && flow->packet.iph + && (!flow->host_already_guessed)) { + struct in_addr pin; + + pin.s_addr = flow->packet.iph->saddr; + if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { pin.s_addr = flow->packet.iph->daddr; - ret.master_protocol = ndpi_network_ptree_match(ndpi_struct, &pin); + flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin); } + + flow->host_already_guessed = 1; + } + +#if 0 - /* Swap proocols in case of success */ + /* Swap protocols in case of success */ if(ret.master_protocol != NDPI_PROTOCOL_UNKNOWN) { u_int16_t t = ret.master_protocol; ret.master_protocol = ret.protocol; ret.protocol = t; } - } +#endif + + if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (ret.master_protocol != NDPI_PROTOCOL_UNKNOWN)) + ret.protocol = flow->guessed_host_proto_id; return(ret); } 
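Review bot: The final added condition applies the cached host guess only when `ret.master_protocol != NDPI_PROTOCOL_UNKNOWN`, while the guess itself is computed only when `ret.protocol` is unknown; if the intent is to fall back to the IP-tree match whenever nothing else was detected, that test looks inverted and should probably read `if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && (flow->guessed_host_proto_id != NDPI_PROTOCOL_UNKNOWN))`. As written, a flow whose only signal is the subnet match keeps `NDPI_PROTOCOL_UNKNOWN` unless some other path already filled in a master protocol, which the starcraft result file in the next commit may be reflecting. The old swap block is kept under `#if 0`; it is dead code now and should be deleted rather than left to drift out of sync with the surrounding logic. ndpi_detection_process_packet's body starts outside this hunk, so I cannot see where `ret.master_protocol` is first assigned.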
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 7f201569c..e3bd00332 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -40,8 +40,8 @@ u_int8_t is_skype_flow(struct ndpi_detection_module_struct *ndpi_struct, Skype connections are identified by some SSL-like communications without SSL certificate being exchanged */ - if(is_skype_host(ndpi_struct, ntohl(packet->iph->saddr)) - || is_skype_host(ndpi_struct, ntohl(packet->iph->daddr))) { + if(is_skype_host(ndpi_struct, packet->iph->saddr) + || is_skype_host(ndpi_struct, packet->iph->daddr)) { return(1); } } diff --git a/src/lib/protocols/tcp_udp.c b/src/lib/protocols/tcp_udp.c index 1eb9c8773..7ca276dca 100644 --- a/src/lib/protocols/tcp_udp.c +++ b/src/lib/protocols/tcp_udp.c @@ -37,9 +37,9 @@ u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struc } } - if((rc = ndpi_host_ptree_match(ndpi_struct, saddr)) != NDPI_PROTOCOL_UNKNOWN) return(rc); + if((rc = ndpi_host_ptree_match(ndpi_struct, htonl(saddr))) != NDPI_PROTOCOL_UNKNOWN) return(rc); - return(ndpi_host_ptree_match(ndpi_struct, daddr)); + return(ndpi_host_ptree_match(ndpi_struct, htonl(daddr))); } void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -- cgit v1.2.3 From 5f1b82d696d7b81fa587bd2e9c6bfa83a93f2184 Mon Sep 17 00:00:00 2001 From: Beyers Cronje Date: Thu, 27 Aug 2015 01:18:32 +0200 Subject: Ensure usage of struct in_addr is in network byte order. Closes issue #81 --- src/lib/ndpi_main.c | 24 +++++++++--------------- tests/result/starcraft_battle.pcap.out | 11 +++++------ 2 files changed, 14 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index fc5042b0f..5639ed620 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
@@ -1666,7 +1666,7 @@ static int fill_prefix_v4(prefix_t *p, struct in_addr *a, int b, int mb) { /* ******************************************* */ -u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin) { +u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin /* network byte order */) { prefix_t prefix; patricia_node_t *node; @@ -1679,7 +1679,7 @@ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_str /* ******************************************* */ -u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host) { +u_int16_t ndpi_host_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t host /* network byte order */) { struct in_addr pin; pin.s_addr = host; @@ -1700,11 +1700,9 @@ u_int8_t ndpi_is_tor_flow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; if(packet->tcp != NULL) { - if(flow->packet.iph) { - struct in_addr saddr = { packet->iph->saddr }; - struct in_addr daddr = { packet->iph->daddr }; - if(tor_ptree_match(ndpi_struct, &saddr) - || tor_ptree_match(ndpi_struct, &daddr)) { + if(packet->iph) { + if(tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->saddr) + || tor_ptree_match(ndpi_struct, (struct in_addr *)&packet->iph->daddr)) { return(1); } } @@ -1751,7 +1749,6 @@ static int ndpi_add_host_ip_subprotocol(struct ndpi_detection_module_struct *ndp struct in_addr pin; inet_pton(AF_INET, value, &pin); - pin.s_addr = ntohl(pin.s_addr); if((node = add_to_ptree(ndpi_struct->protocols_ptree, AF_INET, &pin, 32)) != NULL) { node->value.user_value = protocol_id; 
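Review bot: In ndpi_add_host_ip_subprotocol, `inet_pton(AF_INET, value, &pin);` still ignores its return value, so an unparsable `value` leaves `pin` uninitialized and whatever is on the stack is inserted into `protocols_ptree` as a /32 mapped to `protocol_id`. Guard it before the insert, `if(inet_pton(AF_INET, value, &pin) != 1) return(-1);`, which also gives callers a way to notice a bad entry since the function already returns an int. The function's head is outside this hunk, so I cannot tell whether `value` is validated earlier; if it is not, this is the only place that can reject it. The new `/* network byte order */` annotations on the two `*_ptree_match` signatures are the right call and would be worth repeating on `fill_prefix_v4` and `add_to_ptree` if those are undocumented as well.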
@@ -3424,12 +3421,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct if((ret.protocol == NDPI_PROTOCOL_UNKNOWN) && flow->packet.iph && (!flow->host_already_guessed)) { - struct in_addr pin; - pin.s_addr = flow->packet.iph->saddr; - if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin)) == NDPI_PROTOCOL_UNKNOWN) { - pin.s_addr = flow->packet.iph->daddr; - flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, &pin); + if((flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->saddr)) == NDPI_PROTOCOL_UNKNOWN) { + flow->guessed_host_proto_id = ndpi_network_ptree_match(ndpi_struct, (struct in_addr *)&flow->packet.iph->daddr); } flow->host_already_guessed = 1; @@ -4252,11 +4246,11 @@ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct return(ret); check_guessed_skype: - addr.s_addr = shost; + addr.s_addr = htonl(shost); if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) { ret.protocol = NDPI_PROTOCOL_SKYPE; } else { - addr.s_addr = dhost; + addr.s_addr = htonl(dhost); if(ndpi_network_ptree_match(ndpi_struct, &addr) == NDPI_PROTOCOL_SKYPE) ret.protocol = NDPI_PROTOCOL_SKYPE; } diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out index 4cbdb5ceb..918647cef 100644 --- a/tests/result/starcraft_battle.pcap.out +++ b/tests/result/starcraft_battle.pcap.out @@ -4,8 +4,7 @@ HTTP 450 294880 19 SSDP 11 4984 1 WorldOfWarcraft 9 880 1 IGMP 2 120 1 -SSL 27 1803 9 -Skype 16 1100 4 +SSL 43 2903 13 Google 12 1467 2 Quic 6 475 1 Starcraft 236 51494 6 
@@ -28,10 +27,10 @@ Starcraft 236 51494 6 16 TCP 192.168.1.100:3530 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 17 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes] 18 TCP 192.168.1.100:3534 <-> 2.228.46.112:80 [proto: 7/HTTP][1 pkts/66 bytes] - 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 20 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 21 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] - 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 22 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 23 TCP 80.239.186.26:80 <-> 192.168.1.100:3515 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] 24 TCP 80.239.186.21:80 <-> 192.168.1.100:3519 [proto: 7/HTTP][9 pkts/979 bytes][Host: eu.launcher.battle.net] 25 TCP 80.239.186.26:80 <-> 192.168.1.100:3521 [proto: 7/HTTP][10 pkts/1224 bytes][Host: nydus.battle.net] 
@@ -55,8 +54,8 @@ Starcraft 236 51494 6 43 TCP 192.168.1.100:3529 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 44 TCP 192.168.1.100:3531 <-> 2.228.46.112:80 [proto: 7/HTTP][29 pkts/25102 bytes][Host: bnetcmsus-a.akamaihd.net] 45 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][4 pkts/386 bytes] - 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] - 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 125/Skype][4 pkts/275 bytes] + 46 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] + 47 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][4 pkts/275 bytes] 48 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 49 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][4 pkts/275 bytes] 50 TCP 12.129.222.54:80 <-> 192.168.1.100:3512 [proto: 7.76/HTTP.WorldOfWarcraft][9 pkts/880 bytes][Host: us.scan.worldofwarcraft.com] -- cgit v1.2.3 From 8f8052735cbd1f5561ba6069c4359f1f9f50e2c1 Mon Sep 17 00:00:00 2001 From: Martin Natano Date: Fri, 28 Aug 2015 14:49:51 +0200 Subject: Make sure packet->user_agent_line.ptr is up to date before using it. Otherwise we might dereference a stale pointer. --- src/lib/protocols/steam.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src') diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c index fe7b9d161..7ed0eae29 100644 --- a/src/lib/protocols/steam.c +++ b/src/lib/protocols/steam.c 
@@ -34,6 +34,7 @@ static void ndpi_int_steam_add_connection(struct ndpi_detection_module_struct *n static void ndpi_check_steam_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 23 && memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) { -- cgit v1.2.3 From df64a1069edb62d0c370669e146da22274a803b1 Mon Sep 17 00:00:00 2001 From: Lorenzo Mangani Date: Sun, 30 Aug 2015 23:07:31 +0200 Subject: Added HEP protocol detection support (sipcapture) --- src/include/ndpi_protocol_ids.h | 3 +- src/include/ndpi_protocols.h | 2 ++ src/lib/Makefile.am | 1 + src/lib/ndpi_main.c | 8 +++++ src/lib/protocols/hep.c | 72 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 src/lib/protocols/hep.c (limited to 'src') diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index cfb5897ba..82dfcf011 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -201,6 +201,7 @@ #define NDPI_PROTOCOL_WHATSAPP_VOICE 189 #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci */ #define NDPI_PROTOCOL_TEREDO 214 +#define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */ #define NDPI_CONTENT_AVI 39 #define NDPI_CONTENT_FLASH 40 @@ -263,7 +264,7 @@ #define NDPI_SERVICE_HOTSPOT_SHIELD 215 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_SERVICE_HOTSPOT_SHIELD +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_HEP #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 6171f00bc..64d90ad6a 100644 
--- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -72,6 +72,7 @@ void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); @@ -288,6 +289,7 @@ void init_rtsp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_shoutcast_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_skinny_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_skype_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); 
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 4e8b1f6c4..215f3249a 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am @@ -52,6 +52,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/guildwars.c \ protocols/h323.c \ protocols/halflife2_and_mods.c \ + protocols/hep.c \ protocols/http_activesync.c \ protocols/http.c \ protocols/iax.c \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 5639ed620..71dbdc557 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -833,6 +833,11 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "IPP", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HEP, + no_master, + no_master, "HEP", + ndpi_build_default_ports(ports_a, 9064, 0, 0, 0, 0) /* TCP */, + ndpi_build_default_ports(ports_b, 9063, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP, no_master, no_master, "HTTP", @@ -2250,6 +2255,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* SIP */ init_sip_dissector(ndpi_struct, &a, detection_bitmask); + /* HEP */ + init_hep_dissector(ndpi_struct, &a, detection_bitmask); + /* BITTORRENT */ init_bittorrent_dissector(ndpi_struct, &a, detection_bitmask); diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c new file mode 100644 index 000000000..11955ae1e --- /dev/null +++ b/src/lib/protocols/hep.c 
@@ -0,0 +1,72 @@ +/* + * hep.c + * + * Copyright (C) 2009-2011 by ipoque GmbH + * Copyright (C) 2011-15 - ntop.org + * Copyright (C) 2011-15 - QXIP BV + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + + +#include "ndpi_protocols.h" +#ifdef NDPI_PROTOCOL_HEP + +static void ndpi_int_hep_add_connection(struct ndpi_detection_module_struct + *ndpi_struct, struct ndpi_flow_struct *flow) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HEP, NDPI_PROTOCOL_UNKNOWN); +} + +void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + const u_int8_t *packet_payload = packet->payload; + u_int32_t payload_len = packet->payload_packet_len; + + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "searching for HEP.\n"); + if (payload_len > 10) { + if (memcmp(packet_payload, "HEP3", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n"); + ndpi_int_hep_add_connection(ndpi_struct, flow); + return; + } else if (memcmp(packet_payload, "HEP2", 4) == 0) { + NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP2.\n"); + ndpi_int_hep_add_connection(ndpi_struct, flow); + return; + } + } + + 
NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HEP); +} + + +void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("HEP", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_HEP, + ndpi_search_hep, + NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + + *id += 1; +} + +#endif -- cgit v1.2.3 From 50757e7afee04aeb08bec7eac8765ddfd29fc136 Mon Sep 17 00:00:00 2001 From: Lorenzo Mangani Date: Tue, 1 Sep 2015 10:02:27 +0200 Subject: Remove HEP2 match --- src/lib/protocols/hep.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c index 11955ae1e..516e430e7 100644 --- a/src/lib/protocols/hep.c +++ b/src/lib/protocols/hep.c @@ -45,11 +45,7 @@ void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct nd NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n"); ndpi_int_hep_add_connection(ndpi_struct, flow); return; - } else if (memcmp(packet_payload, "HEP2", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP2.\n"); - ndpi_int_hep_add_connection(ndpi_struct, flow); - return; - } + } } NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n"); -- cgit v1.2.3 From b383475282c4566d33e516bdfeead2244cf3c1a1 Mon Sep 17 00:00:00 2001 From: valentina Date: Sun, 20 Sep 2015 23:22:48 +0200 Subject: Fixed DCE_RPC protocol when the port is different to default port (135) --- src/lib/protocols/dcerpc.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index 2537afd56..ec96d1287 100644 
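Review bot: `ndpi_search_hep` labels a flow as HEP on the strength of four literal bytes at the start of any TCP or UDP payload longer than 10 bytes, and the label sticks for the rest of the flow, so a cheap second check would cut false positives from unrelated traffic that happens to begin with `HEP3`. As I recall the HEP3 header is the magic followed by a 16-bit network-order total length, so on UDP comparing `((packet_payload[4] << 8) | packet_payload[5])` with `payload_len` would be a reasonable sanity check; please confirm against the sipcapture spec before relying on it. The `> 10` bound does keep the 4-byte `memcmp` in range, but only 4 bytes are ever inspected, so a comment explaining why 10 was chosen belongs next to the test. The file header also carries the 2009-2011 ipoque copyright although this is a newly written dissector; drop it unless code was actually taken from there.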
--- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c @@ -18,7 +18,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see . - * + * */ @@ -35,20 +35,23 @@ static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - if((packet->tcp != NULL) - && (packet->payload_packet_len > 64) - && ((ntohs(packet->tcp->source) == 135) || (ntohs(packet->tcp->dest) == 135)) + u_int16_t len_packet = (packet->payload[9]<<8) | packet->payload[8]; + + if((packet->tcp != NULL) + && (packet->payload_packet_len >= 64) && (packet->payload[0] == 0x05) /* version 5 */ && (packet->payload[2] < 16) /* Packet type */ - ) { - NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); + && (len_packet == packet->payload_packet_len) /* Packet Length */ + ) { + NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); ndpi_int_dcerpc_add_connection(ndpi_struct, flow); return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); + if(packet->payload_packet_len>1){ + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); + } } -- cgit v1.2.3 From a994722bb1649af2ae3014824455d72e9363faab Mon Sep 17 00:00:00 2001 From: Marco Gigante Date: Tue, 22 Sep 2015 15:25:09 +0200 Subject: Remove duplicated function declarations --- src/include/ndpi_main.h | 7 ------- 1 file changed, 7 deletions(-) (limited to 'src') diff --git a/src/include/ndpi_main.h b/src/include/ndpi_main.h index adec3edf1..1acc5e14f 100644 --- a/src/include/ndpi_main.h +++ b/src/include/ndpi_main.h 
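Review bot: `len_packet` is loaded from `packet->payload[8]` and `packet->payload[9]` at the top of ndpi_search_dcerpc, before the `payload_packet_len >= 64` test, so any packet that reaches the dissector with fewer than 10 payload bytes triggers an out-of-bounds read; the new `payload_packet_len > 1` exclusion guard suggests such short packets do get here. Move the load inside the conjunction after the length test and drop the early declaration: `&& (((packet->payload[9] << 8) | packet->payload[8]) == packet->payload_packet_len) /* frag_length, little-endian */`. The length is read as little-endian unconditionally, whereas DCE/RPC signals the sender's byte order in the data-representation field at `payload[4]`; that is an acceptable heuristic for a port-independent match but deserves a comment, since big-endian senders will silently never match. The `> 1` guard also means one-byte packets never exclude DCERPC for the flow, which may be intended but is not explained.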
@@ -143,13 +143,6 @@ extern int ndpi_get_protocol_id_master_proto(struct ndpi_detection_module_struct u_int16_t** tcp_master_proto, u_int16_t** udp_master_proto); -extern u_int8_t ndpi_net_match(u_int32_t ip_to_check, - u_int32_t net, - u_int32_t num_bits); - -extern u_int8_t ndpi_ips_match(u_int32_t src, u_int32_t dst, - u_int32_t net, u_int32_t num_bits); - #ifdef NDPI_ENABLE_DEBUG_MESSAGES void ndpi_debug_get_last_log_function_line(struct ndpi_detection_module_struct *ndpi_struct, const char **file, const char **func, u_int32_t * line); -- cgit v1.2.3 From f78f6b59cc52bd49d5f562c3159d302a216a0bfa Mon Sep 17 00:00:00 2001 From: valentina Date: Wed, 23 Sep 2015 00:53:25 +0200 Subject: Added some tags in order to recognize ebay --- src/lib/ndpi_content_match.c.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc index 5e0210d71..7413b6ebf 100644 --- a/src/lib/ndpi_content_match.c.inc +++ b/src/lib/ndpi_content_match.c.inc 
@@ -7320,10 +7320,13 @@ ndpi_protocol_match host_match[] = { { ".cnn.c", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN }, { ".cnn.net", "CNN", NDPI_SERVICE_CNN, NDPI_PROTOCOL_FUN }, { ".dropbox.com", "DropBox", NDPI_SERVICE_DROPBOX, NDPI_PROTOCOL_SAFE }, + { ".ebay.", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebay.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebaystatic.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebaydesc.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".ebayrtm.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, + { ".ebaystratus.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, + { ".ebayimg.com", "eBay", NDPI_SERVICE_EBAY, NDPI_PROTOCOL_ACCEPTABLE }, { ".facebook.com", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, { ".fbcdn.net", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, { "fbcdn-", "Facebook", NDPI_SERVICE_FACEBOOK, NDPI_PROTOCOL_FUN }, /* fbcdn-video-a-akamaihd.net */ @@ -7365,7 +7368,7 @@ ndpi_protocol_match host_match[] = { { "wikimediafoundation.", "Wikipedia", NDPI_SERVICE_WIKIPEDIA, NDPI_PROTOCOL_ACCEPTABLE }, { ".whatsapp.net", "WhatsApp", NDPI_SERVICE_WHATSAPP, NDPI_PROTOCOL_ACCEPTABLE }, { ".yahoo.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, - { "yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, + { ".yimg.com", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, { "yahooapis.", "Yahoo", NDPI_SERVICE_YAHOO, NDPI_PROTOCOL_ACCEPTABLE }, { "youtube.", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN }, { ".googlevideo.com", "YouTube", NDPI_SERVICE_YOUTUBE, NDPI_PROTOCOL_FUN }, -- cgit v1.2.3 From 1dc03d574195ffdd94091e2f15a77358e1119a46 Mon Sep 17 00:00:00 2001 
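Review bot: The new `.ebay.` entry is a bare substring and, if the host matcher is a substring automaton as entries like `fbcdn-` suggest, it will also classify hosts such as `login.ebay.attacker-domain.example` as eBay, so anyone who controls a subdomain name can have their traffic reported under a label marked `NDPI_PROTOCOL_ACCEPTABLE`. The same caveat already applies to `.yahoo.` and `youtube.`, but this line widens it for a payment-related brand. If the goal is ccTLD coverage, listing the concrete suffixes (`.ebay.de`, `.ebay.co.uk`, …) is safer; otherwise a comment at the head of the table stating that these labels are classification hints, not a trust boundary, would be appropriate. `.ebay.` also makes the `.ebay.com` entry directly below it redundant, so one of the two should go.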
From: Campus Date: Sun, 4 Oct 2015 14:00:47 +0200 Subject: added radio tap header identification for ieee802.11 packets --- example/ndpiReader.c | 237 +++++++++++++++++++++++++++++++++------------ src/include/linux_compat.h | 88 +++++++++++++++-- 2 files changed, 255 insertions(+), 70 deletions(-) (limited to 'src') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 73166761f..b28c6077d 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -54,6 +54,34 @@ #include #define MAX_NUM_READER_THREADS 16 +#define IDLE_SCAN_PERIOD 10 /* msec (use detection_tick_resolution = 1000) */ +#define MAX_IDLE_TIME 30000 +#define IDLE_SCAN_BUDGET 1024 +#define NUM_ROOTS 512 +#define GTP_U_V1_PORT 2152 +#define MAX_NDPI_FLOWS 200000000 + +#ifndef ETH_P_IP +#define ETH_P_IP 0x0800 /* IPv4 */ +#endif + +#ifndef ETH_P_IPv6 +#define ETH_P_IPV6 0x86dd /* IPv6 */ +#endif + +#define VLAN 0x8100 +#define MPLS 0x8847 +#define PPPoE 0x8864 + +/* mask for FCF */ +#define WIFI_DATA 0x2 /* 0000 0010 */ +#define FCF_TYPE(fc) (((fc) >> 2) & 0x3) /* 0000 0011 = 0x3 */ +#define FCF_SUBTYPE(fc) (((fc) >> 4) & 0xF) /* 0000 1111 = 0xF */ +#define FCF_TO_DS(fc) ((fc) & 0x0100) +#define FCF_FROM_DS(fc) ((fc) & 0x0200) + +/* mask for Bad FCF presence */ +#define BAD_FCS 0x50 /* 0101 0000 */ /** * @brief Set main components necessary to the detection @@ -100,12 +128,6 @@ static u_int32_t detection_tick_resolution = 1000; static time_t capture_for = 0; static time_t capture_until = 0; -#define IDLE_SCAN_PERIOD 10 /* msec (use detection_tick_resolution = 1000) */ -#define MAX_IDLE_TIME 30000 -#define IDLE_SCAN_BUDGET 1024 - -#define NUM_ROOTS 512 - static u_int32_t num_flows; struct thread_stats { @@ -143,8 +165,6 @@ struct reader_thread { static struct reader_thread ndpi_thread_info[MAX_NUM_READER_THREADS]; -#define GTP_U_V1_PORT 2152 -#define MAX_NDPI_FLOWS 200000000 /** * @brief ID tracking */ 
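Review bot: The guard `#ifndef ETH_P_IPv6` tests a differently-cased name from the macro it then defines, `ETH_P_IPV6`, so it protects nothing: on a system whose headers already provide `ETH_P_IPV6` this is a redefinition, and a system-provided `ETH_P_IPv6` would suppress the definition the switch below relies on. Change it to `#ifndef ETH_P_IPV6`. The unprefixed names `VLAN`, `MPLS` and `PPPoE` are easy to collide with other headers and give no hint that they are EtherType values; an `ETH_P_`-style prefix, or at least a comment `/* EtherType values */` above the group, would help. `BAD_FCS` is documented as a bit mask but `MAX_NDPI_FLOWS 200000000` and `NUM_ROOTS 512` still carry no explanation of what bounds them.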
@@ -155,10 +175,6 @@ typedef struct ndpi_id { static u_int32_t size_id_struct = 0; // ID tracking structure size -#ifndef ETH_P_IP -#define ETH_P_IP 0x0800 -#endif - // flow tracking typedef struct ndpi_flow { u_int32_t lower_ip; @@ -478,17 +494,17 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow *flow) { if(!json_flag) { #if 0 fprintf(out, "\t%s [VLAN: %u] %s:%u <-> %s:%u\n", - ipProto2Name(flow->protocol), flow->vlan_id, - flow->lower_name, ntohs(flow->lower_port), - flow->upper_name, ntohs(flow->upper_port)); + ipProto2Name(flow->protocol), flow->vlan_id, + flow->lower_name, ntohs(flow->lower_port), + flow->upper_name, ntohs(flow->upper_port)); #else fprintf(out, "\t%u", ++num_flows); fprintf(out, "\t%s %s:%u <-> %s:%u ", - ipProto2Name(flow->protocol), - flow->lower_name, ntohs(flow->lower_port), - flow->upper_name, ntohs(flow->upper_port)); + ipProto2Name(flow->protocol), + flow->lower_name, ntohs(flow->lower_port), + flow->upper_name, ntohs(flow->upper_port)); if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); @@ -505,7 +521,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow *flow) { ndpi_get_proto_name(ndpi_thread_info[thread_id].ndpi_struct, flow->detected_protocol.protocol)); fprintf(out, "[%u pkts/%llu bytes]", - flow->packets, (long long unsigned int)flow->bytes); + flow->packets, (long long unsigned int)flow->bytes); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->ssl.client_certificate[0] != '\0') fprintf(out, "[SSL client: %s]", flow->ssl.client_certificate); 
@@ -1526,85 +1542,176 @@ static void openPcapFileOrDevice(u_int16_t thread_id) { /* ***************************************************** */ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { + + /* + * Declare pointers to packet headers + */ + + /** --- Ethernet header --- **/ const struct ndpi_ethhdr *ethernet; + + /** --- ieee802.11 --- **/ + /* Radio Tap header */ + const struct ndpi_radiotap_header *radiotap; + /* LLC header */ + const struct ndpi_llc_header_proto *llc; + /* Data frame */ + const struct ndpi_wifi_data_frame *wifi_data; + + /** --- IP header --- **/ struct ndpi_iphdr *iph; + /** --- IPv6 header --- **/ struct ndpi_ip6_hdr *iph6; + + /* lengths and offsets */ + u_int16_t radio_len; + u_int16_t fc; + int wifi_data_len; + int llc_len; + u_int16_t llc_ether_type; + u_int32_t fcs; + u_int64_t time; u_int16_t type, ip_offset, ip_len; u_int16_t frag_off = 0, vlan_id = 0; u_int8_t proto = 0, vlan_packet = 0; + u_int32_t label; + u_int16_t thread_id = *((u_int16_t*)args); - // printf("[ndpiReader] pcap_packet_callback : [%u.%u.%u.%u.%u -> %u.%u.%u.%u.%u]\n", ethernet->h_dest[1],ethernet->h_dest[2],ethernet->h_dest[3],ethernet->h_dest[4],ethernet->h_dest[5],ethernet->h_source[1],ethernet->h_source[2],ethernet->h_source[3],ethernet->h_source[4],ethernet->h_source[5]); + int malformed_pkts = 0; + + /* Increment raw packet counter */ ndpi_thread_info[thread_id].stats.raw_packet_count++; if((capture_until != 0) && (header->ts.tv_sec >= capture_until)) { if(ndpi_thread_info[thread_id]._pcap_handle != NULL) pcap_breakloop(ndpi_thread_info[thread_id]._pcap_handle); - return; } + /* Check if capture is live or not */ if (!live_capture) { + if (!pcap_start.tv_sec) pcap_start.tv_sec = header->ts.tv_sec, pcap_start.tv_usec = header->ts.tv_usec; pcap_end.tv_sec = header->ts.tv_sec, pcap_end.tv_usec = header->ts.tv_usec; } + /* setting time */ time = ((uint64_t) header->ts.tv_sec) * detection_tick_resolution + 
header->ts.tv_usec / (1000000 / detection_tick_resolution); - - if(ndpi_thread_info[thread_id].last_time > time) { /* safety check */ - // printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); + + /* safety check */ + if(ndpi_thread_info[thread_id].last_time > time) { + /* printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); */ time = ndpi_thread_info[thread_id].last_time; } + /* update last time value */ ndpi_thread_info[thread_id].last_time = time; + + /*** check Data Link type ***/ + int datalink_type = ndpi_thread_info[thread_id]._pcap_datalink_type; + + switch(datalink_type) + { + case DLT_NULL : + if(ntohl(*((u_int32_t*)packet)) == 2) + type = ETH_P_IP; + else + type = ETH_P_IPV6; + + ip_offset = 4; + + case DLT_EN10MB : + ethernet = (struct ndpi_ethhdr *) packet; + ip_offset = sizeof(struct ndpi_ethhdr); + type = ntohs(ethernet->h_proto); + break; - if(ndpi_thread_info[thread_id]._pcap_datalink_type == DLT_NULL) { - if(ntohl(*((u_int32_t*)packet)) == 2) - type = ETH_P_IP; - else - type = 0x86DD; /* IPv6 */ - - ip_offset = 4; - } else if(ndpi_thread_info[thread_id]._pcap_datalink_type == DLT_EN10MB) { - ethernet = (struct ndpi_ethhdr *) packet; - ip_offset = sizeof(struct ndpi_ethhdr); - type = ntohs(ethernet->h_proto); - } else if(ndpi_thread_info[thread_id]._pcap_datalink_type == 113 /* Linux Cooked Capture */) { - type = (packet[14] << 8) + packet[15]; - ip_offset = 16; - } else - return; + /* Linux Cooked Capture - 113 */ + case DLT_LINUX_SLL : + type = (packet[14] << 8) + packet[15]; + ip_offset = 16; + break; + + /* Radiotap link-layer - 127 */ + case DLT_IEEE802_11_RADIO : + radiotap = (struct ndpi_radiotap_header *) packet; + radio_len = radiotap->len; + + /* Check Bad FCS presence */ + if((radiotap->flags & BAD_FCS) == BAD_FCS) { + malformed_pkts += 1; + 
ndpi_thread_info[thread_id].stats.total_discarded_bytes += header->len; + return; + } + + fcs = header->len - 4; + + /* Calculate 802.11 header length (variable) */ + wifi_data = (struct ndpi_wifi_data_frame*)( packet + radio_len); + fc = wifi_data->fc; + + /* check wifi data presence */ + if(FCF_TYPE(fc) == WIFI_DATA) { + + if((FCF_TO_DS(fc) && FCF_FROM_DS(fc) == 0x0) || + (FCF_TO_DS(fc) == 0x0 && FCF_FROM_DS(fc))) + wifi_data_len = 26; /* + 4 byte fcs */ + + /* TODO: check QoS Control for aggregated MSDU */ + + + } else /* no data frames */ + break; + + /* Check ether_type from LLC */ + llc = (struct ndpi_llc_header_proto*)(packet + wifi_data_len + radio_len); + llc_ether_type = ntohs(llc->ether_IP_type); + + /* Set IP header offset */ + ip_offset = wifi_data_len + radio_len + sizeof(struct ndpi_llc_header_proto); + break; - while(1) { - if(type == 0x8100 /* VLAN */) { + default: + return; + } + + while(1) { + if(type == VLAN) { vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; ip_offset += 4; vlan_packet = 1; - } else if(type == 0x8847 /* MPLS */) { - u_int32_t label = ntohl(*((u_int32_t*)&packet[ip_offset])); - + break; + } + else if(type == MPLS) { + label = ntohl(*((u_int32_t*)&packet[ip_offset])); ndpi_thread_info[thread_id].stats.mpls_count++; type = 0x800, ip_offset += 4; - + while((label & 0x100) != 0x100) { ip_offset += 4; label = ntohl(*((u_int32_t*)&packet[ip_offset])); } - } else if(type == 0x8864 /* PPPoE */) { + break; + } + else if(type == PPPoE) { ndpi_thread_info[thread_id].stats.pppoe_count++; type = 0x0800; ip_offset += 8; - } else break; - } - + } + else + break; + } /* while(1) */ + ndpi_thread_info[thread_id].stats.vlan_count += vlan_packet; + /* Check and set IP header size and total packet length */ iph = (struct ndpi_iphdr *) &packet[ip_offset]; - // just work on Ethernet packets that contain IP + /* just work on Ethernet packets that contain IP */ if(type == 
ETH_P_IP && header->caplen >= ip_offset) { frag_off = ntohs(iph->frag_off); @@ -1619,14 +1726,17 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, } } + /* Check IP version */ if(iph->version == 4) { + ip_len = ((u_short)iph->ihl * 4); iph6 = NULL; if((frag_off & 0x3FFF) != 0) { + static u_int8_t ipv4_frags_warning_used = 0; - ndpi_thread_info[thread_id].stats.fragmented_count++; + if(ipv4_frags_warning_used == 0) { if((!json_flag) && (!quiet_mode)) printf("\n\nWARNING: IPv4 fragments are not handled by this demo (nDPI supports them)\n"); ipv4_frags_warning_used = 1; 
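Review bot: The `case DLT_NULL :` arm of the new switch has no `break;` after `ip_offset = 4;`, so every DLT_NULL packet falls through into `case DLT_EN10MB :` and has its type and offset overwritten by an Ethernet parse of a header that is not there, a regression from the removed else-if chain. In the `DLT_IEEE802_11_RADIO` arm `llc_ether_type` is computed but `type` is never assigned, and `wifi_data_len` is only set in the ToDS-xor-FromDS case, so for other data frames and for the non-data `break` path the later `type == ETH_P_IP` test and the LLC pointer arithmetic run on uninitialized locals. None of the reads in that arm (`radiotap->len`, `radiotap->flags`, the 802.11 header, the LLC header) are bounded by `header->caplen`, so a truncated or malformed capture reads past the buffer; the sketch below adds those checks and the two missing assignments. Separately, the VLAN and MPLS branches of the `while(1)` loop now `break` after one iteration, which drops the stacked-VLAN and VLAN-over-PPPoE handling the loop used to provide, and the fixed 26-byte `wifi_data_len` presumably covers a QoS Control field while plain data frames carry a 24-byte header — please confirm both are intended. pcap_packet_callback continues past the end of this hunk.
```c
    case DLT_NULL :
      /* … unchanged: type selection from the 4-byte family word … */
      ip_offset = 4;
      break; /* was missing: fell through into DLT_EN10MB */

    /* … unchanged: DLT_EN10MB, DLT_LINUX_SLL … */

    case DLT_IEEE802_11_RADIO :
      if(header->caplen < sizeof(struct ndpi_radiotap_header))
        return;
      radiotap = (struct ndpi_radiotap_header *) packet;
      radio_len = radiotap->len;
      /* … unchanged: bad-FCS check … */
      if(header->caplen < (u_int32_t)radio_len + sizeof(struct ndpi_wifi_data_frame))
        return;
      wifi_data = (struct ndpi_wifi_data_frame*)(packet + radio_len);
      fc = wifi_data->fc;

      wifi_data_len = 0;
      if(FCF_TYPE(fc) == WIFI_DATA) {
        if((FCF_TO_DS(fc) && FCF_FROM_DS(fc) == 0x0) ||
           (FCF_TO_DS(fc) == 0x0 && FCF_FROM_DS(fc)))
          wifi_data_len = 26; /* + 4 byte fcs */
      }
      if(wifi_data_len == 0)
        return; /* neither type nor ip_offset is known for this frame */

      if(header->caplen < (u_int32_t)(radio_len + wifi_data_len) + sizeof(struct ndpi_llc_header_proto))
        return;
      llc = (struct ndpi_llc_header_proto*)(packet + wifi_data_len + radio_len);
      type = ntohs(llc->ether_IP_type); /* previously stored in llc_ether_type and never used */
      ip_offset = wifi_data_len + radio_len + sizeof(struct ndpi_llc_header_proto);
      break;
```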
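Review bot: The line `ndpi_thread_info[thread_id].stats.fragmented_count++;` is removed from the IPv4 fragment branch and nothing in the hunk replaces it, so unless it was moved somewhere not shown here the per-thread fragmented_count statistic stops counting fragments. Either restore `ndpi_thread_info[thread_id].stats.fragmented_count++;` ahead of the warning block, or, if the removal is deliberate, drop the field and whatever prints it and say so in the commit message. This hunk is inside pcap_packet_callback, which starts and ends outside it.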
@@ -1641,39 +1751,40 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, ip_len = sizeof(struct ndpi_ip6_hdr); if(proto == 0x3C /* IPv6 destination option */) { + u_int8_t *options = (u_int8_t*)&packet[ip_offset+ip_len]; - proto = options[0]; ip_len += 8 * (options[1] + 1); } - iph = NULL; } else { + static u_int8_t ipv4_warning_used = 0; - + v4_warning: if(ipv4_warning_used == 0) { if((!json_flag) && (!quiet_mode)) printf("\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n"); ipv4_warning_used = 1; } - ndpi_thread_info[thread_id].stats.total_discarded_bytes += header->len; return; } - if(decode_tunnels && (proto == IPPROTO_UDP)) { + struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len]; u_int16_t sport = ntohs(udp->source), dport = ntohs(udp->dest); if((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) { + /* Check if it's GTPv1 */ u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); u_int8_t flags = packet[offset]; u_int8_t message_type = packet[offset+1]; - - if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) { - ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8 /* GTPv1 header len */; - + + if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && + (message_type == 0xFF /* T-PDU */)) { + + ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8; /* GTPv1 header len */ if(flags & 0x04) ip_offset += 1; /* next_ext_header is present */ if(flags & 0x02) ip_offset += 4; /* sequence_number is present (it also includes next_ext_header and pdu_number) */ if(flags & 0x01) ip_offset += 1; /* pdu_number is present */ @@ -1687,8 +1798,8 @@ static void pcap_packet_callback(u_char *args, const struct pcap_pkthdr *header, } } } - - // process the packet + + /* process the packet */ packet_processing(thread_id, time, vlan_id, iph, iph6, ip_offset, header->len - ip_offset, header->len); } 
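Review bot: The GTP-U probe reads `packet[offset]` and `packet[offset+1]` at `ip_offset+ip_len+sizeof(struct ndpi_udphdr)` without checking that `header->caplen` covers those bytes, and the IPv6 destination-option branch above it reads `options[1]` the same way; a capture with a short snaplen makes both read past the buffer. The reformat in this hunk leaves those reads as they were, so a guard such as `if(offset + 2 > header->caplen) return;` before `u_int8_t flags = packet[offset];` (and a matching `ip_offset+ip_len+2 <= header->caplen` check before `options[1]`) would be worth adding while the code is being touched. Both reads are inside pcap_packet_callback, which starts and ends outside this hunk.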
diff --git a/src/include/linux_compat.h b/src/include/linux_compat.h index 38601f180..e3da18c60 100644 --- a/src/include/linux_compat.h +++ b/src/include/linux_compat.h 
@@ -43,21 +43,90 @@ #endif #pragma pack(push, 1) /* push current alignment to stack */ -#pragma pack(1) /* set alignment to 1 byte boundary */ +#pragma pack(1) /* set alignment to 1 byte boundary */ -#pragma pack(pop) /* restore original alignment from stack */ +#pragma pack(pop) /* restore original alignment from stack */ -struct ndpi_ethhdr { + +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* +++++++++++ Ethernet data structures +++++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + +struct ndpi_ethhdr +{ u_char h_dest[6]; /* destination eth addr */ u_char h_source[6]; /* source ether addr */ u_int16_t h_proto; /* packet type ID field */ }; -struct ndpi_80211q { - u_int16_t vlanId; - u_int16_t protoType; -}; +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* +++++++++++ ieee802.11 data structures +++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + +/******* RADIO TAP *******/ +/* radiotap header */ +struct ndpi_radiotap_header +{ + u_int8_t version; /* set to 0 */ + u_int8_t pad; + u_int16_t len; + u_int32_t present; + u_int64_t MAC_timestamp; + u_int8_t flags; + +} __attribute__((__packed__)); + +/* Beacon frame */ +struct ndpi_beacon +{ + /* header -- 24 byte */ + u_int16_t fc; + u_int16_t duration; + u_char rcv_addr[6]; + u_char trsm_addr[6]; + u_char bssid[6]; + u_int16_t seq_ctrl; + /* body (variable) */ + u_int64_t timestamp; /* 802.11 Timestamp value at frame send */ + u_int16_t beacon_interval; /* Interval at which beacons are send */ + u_int16_t capability; + /** List of information elements **/ + /* union ndpi_80211_info info_element[0]; */ +} __attribute__((packed)); + + +/* Wifi data frame - TODO: specify when addr1 addr2 addr3 is rcv, trams or bssid*/ +struct ndpi_wifi_data_frame +{ + u_int16_t fc; + u_int16_t duration; + u_char addr1[6]; + u_char addr2[6]; + u_char addr3[6]; + u_int16_t seq_ctrl; +} __attribute__((packed)); + +/* Logical-Link Control header */ +struct 
ndpi_llc_header_proto +{ + u_int8_t dsap; + u_int8_t ssap; + u_int8_t ctl; + /* u_int8_t pad1; */ + u_int16_t org; + u_int8_t org2; + /* u_int8_t pad2; */ + u_int16_t ether_IP_type; +} __attribute__((packed)); + + +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* ++++++++++++++ IP data structures ++++++++++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + + +/* IP header */ struct ndpi_iphdr { #if defined(__LITTLE_ENDIAN__) u_int8_t ihl:4, version:4; @@ -161,6 +230,11 @@ struct ndpi_ip6_hdr { struct ndpi_in6_addr ip6_dst; }; +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ +/* ++++++++ Transport Layer data structures +++++++++ */ +/* ++++++++++++++++++++++++++++++++++++++++++++++++++ */ + + struct ndpi_tcphdr { u_int16_t source; u_int16_t dest; -- cgit v1.2.3 From 64a368dd8e8e6c3d643a85620ebe5c83263b08fc Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 19:48:26 -0600 Subject: add Ubiquity AirControl 2 protocol detection --- src/include/ndpi_protocol_ids.h | 3 ++- src/include/ndpi_protocols.h | 2 ++ src/lib/Makefile.am | 1 + src/lib/ndpi_main.c | 9 ++++++++- 4 files changed, 13 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 82dfcf011..8a94db2ce 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -202,6 +202,7 @@ #define NDPI_PROTOCOL_STARCRAFT 213 /* Matteo Bracci */ #define NDPI_PROTOCOL_TEREDO 214 #define NDPI_PROTOCOL_HEP 216 /* Sipcapture.org QXIP BV */ +#define NDPI_PROTOCOL_UBNTAC2 217 /* Ubiquity UBNT AirControl 2 - Thomas Fjellstrom */ #define NDPI_CONTENT_AVI 39 #define NDPI_CONTENT_FLASH 40 
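Review bot: `struct ndpi_radiotap_header` places `MAC_timestamp` and `flags` at fixed offsets after `present`, but in the radiotap format the fields that follow the fixed 8-byte header are selected by the `present` bitmap (and further bitmap words can be chained), so `flags` sits at byte 16 only for captures in which the TSFT field is present and no extended present word is used; the struct should say so, e.g. `/* only version/pad/len/present are fixed; the rest assumes TSFT present and no extended bitmap */`, and the reader should test the bit before trusting `flags`. The `#pragma pack(push, 1)` / `#pragma pack(pop)` pair closes before any struct is declared, so packing comes solely from the compiler-specific `__attribute__((packed))` on the new structs and `struct ndpi_ethhdr` carries neither; moving the pop after the last struct, or adding the attribute there too, would make the intent explicit. The spelling also alternates between `__attribute__((__packed__))` and `__attribute__((packed))`; one form reads better. `len` and `present` are little-endian on the wire regardless of host, which deserves a comment because the consumer in ndpiReader.c uses `len` without conversion.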
@@ -264,7 +265,7 @@ #define NDPI_SERVICE_HOTSPOT_SHIELD 215 /* UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE UPDATE */ -#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_HEP +#define NDPI_LAST_IMPLEMENTED_PROTOCOL NDPI_PROTOCOL_UBNTAC2 #define NDPI_MAX_SUPPORTED_PROTOCOLS (NDPI_LAST_IMPLEMENTED_PROTOCOL + 1) #define NDPI_MAX_NUM_CUSTOM_PROTOCOLS (NDPI_NUM_BITS-NDPI_LAST_IMPLEMENTED_PROTOCOL) diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h index 64d90ad6a..963aac6f2 100644 --- a/src/include/ndpi_protocols.h +++ b/src/include/ndpi_protocols.h @@ -196,6 +196,7 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); void ndpi_search_starcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); /* --- INIT FUNCTIONS --- */ @@ -334,5 +335,6 @@ void init_yahoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_in void init_zattoo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_zmq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); void init_stracraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); +void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask); #endif /* __NDPI_PROTOCOLS_INCLUDE_FILE__ */ diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am index 215f3249a..ee395f5cd 100644 --- a/src/lib/Makefile.am +++ b/src/lib/Makefile.am 
@@ -140,6 +140,7 @@ libndpi_la_SOURCES = ndpi_content_match.c.inc \ protocols/tvants.c \ protocols/tvuplayer.c \ protocols/twitter.c \ + protocols/ubntac2.c \ protocols/usenet.c \ protocols/veohtv.c \ protocols/viber.c \ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 71dbdc557..5fe7e61af 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1627,7 +1627,12 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "Starcraft", ndpi_build_default_ports(ports_a, 1119, 0, 0, 0, 0), /* TCP */ ndpi_build_default_ports(ports_b, 1119, 0, 0, 0, 0)); /* UDP */ - + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2, + no_master, + no_master, "UBNTAC2", + ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ + ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0)); /* UDP */ + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -2630,6 +2635,8 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n /* MPEGTS */ init_mpegts_dissector(ndpi_struct, &a, detection_bitmask); + /* UBNTAC2 */ + init_ubntac2_dissector(ndpi_struct, &a, detection_bitmask); /* ----------------------------------------------------------------- */ -- cgit v1.2.3 From 0a6d43c5f6ebc64b0e7e6efae6094096c7e9db61 Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 19:50:47 -0600 Subject: Add Ubiquity AirControl 2 protocol detection --- src/lib/protocols/ubntac2.c | 73 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 src/lib/protocols/ubntac2.c (limited to 'src') diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c new file mode 100644 index 000000000..75580fd15 --- /dev/null +++ b/src/lib/protocols/ubntac2.c 
@@ -0,0 +1,73 @@ +/* + * dhcp.c + * + * Copyright (C) 2009-2011 by ipoque GmbH + * Copyright (C) 2011-15 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see . + * + */ + + +#include "ndpi_protocols.h" + +#ifdef NDPI_PROTOCOL_UBNTAC2 + +static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN); +} + + +void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +{ + struct ndpi_packet_struct *packet = &flow->packet; + +// struct ndpi_id_struct *src=ndpi_struct->src; +// struct ndpi_id_struct *dst=ndpi_struct->dst; + + /* this detection also works for asymmetric dhcp traffic */ + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... 
plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); + + /*check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67 */ + if (packet->payload_packet_len >= 135 && + (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && + memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + + ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + return; + } + + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); +} + + +void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ + ndpi_set_bitmask_protocol_detection("UBNTAC2", ndpi_struct, detection_bitmask, *id, + NDPI_PROTOCOL_UBNTAC2, + ndpi_search_ubntac2, + NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, + SAVE_DETECTION_BITMASK_AS_UNKNOWN, + ADD_TO_DETECTION_BITMASK); + *id += 1; +} + +#endif -- cgit v1.2.3 From a2ff20990cd22a128d260767a546c940c62ba953 Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Sun, 4 Oct 2015 19:53:25 -0600 Subject: remove traces of DHCP detector from ubntac2.c --- src/lib/protocols/ubntac2.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index 75580fd15..f12e122d7 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -1,5 +1,5 @@ /* - * dhcp.c + * ubntac2.c * * Copyright (C) 2009-2011 by ipoque GmbH * Copyright (C) 2011-15 - ntop.org 
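Review bot: The match in ndpi_search_ubntac2 hinges on two unexplained constants, the 135-byte minimum payload and the `"UBNT"` marker at payload offset 36; a comment naming the AirControl 2 discovery message layout they come from would let the next reader verify them, e.g. `/* AirControl 2 discovery: "UBNT" at payload[36]; 135 is the minimum observed length -- TODO cite the frame layout */`. The function excludes NDPI_PROTOCOL_UBNTAC2 for the flow as soon as a single packet fails the test, so a flow whose first UDP/10001 packet is shorter than 135 bytes can never be classified later; confirm that is acceptable or defer exclusion until a few packets have been seen. The NDPI_LOG trace dereferences `packet->udp` unconditionally, which is safe only because init_ubntac2_dissector registers with NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD — worth a one-line comment at the dereference. The literal 10001 is duplicated in ndpi_main.c's default ports for this protocol; a shared constant (for example `UBNTAC2_PORT`, a name constructed here) would keep the two in step.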
@@ -40,11 +40,8 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc // struct ndpi_id_struct *src=ndpi_struct->src; // struct ndpi_id_struct *dst=ndpi_struct->dst; - /* this detection also works for asymmetric dhcp traffic */ - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); - /*check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67 */ if (packet->payload_packet_len >= 135 && (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { -- cgit v1.2.3 From 0e436e66dee4c4b792a9ccad22e84bf6bc66b94a Mon Sep 17 00:00:00 2001 From: Luca Date: Tue, 6 Oct 2015 16:24:03 +0200 Subject: Reworked copyright to give credit to the developer --- src/lib/protocols/ubntac2.c | 33 +++++++++++++-------------------- 1 file changed, 13 insertions(+), 20 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index f12e122d7..7763c18d1 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -1,11 +1,7 @@ /* * ubntac2.c * - * Copyright (C) 2009-2011 by ipoque GmbH - * Copyright (C) 2011-15 - ntop.org - * - * This file is part of nDPI, an open source deep packet inspection - * library based on the OpenDPI and PACE technology by ipoque GmbH + * Copyright (C) 2015 Thomas Fjellstrom * * nDPI is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by @@ -19,7 +15,7 @@ * * You should have received a copy of the GNU Lesser General Public License * along with nDPI. If not, see . - * + * */ 
@@ -35,24 +31,21 @@ static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + struct ndpi_packet_struct *packet = &flow->packet; + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); - - if (packet->payload_packet_len >= 135 && - (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && - memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + if (packet->payload_packet_len >= 135 && + (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && + memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); - ndpi_int_ubntac2_add_connection(ndpi_struct, flow); - return; - } + ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + return; + } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); } -- cgit v1.2.3 From 06515b43d8af6f5b05896f8b709f519990f078aa Mon Sep 17 00:00:00 2001 From: Thomas Fjellstrom Date: Thu, 8 Oct 2015 05:04:16 -0600 Subject: NDPI_PROTOCOL_KAKAOTALK_VOICE was used instead of NDPI_SERVICE_KAKAOTALK_VOICE --- src/lib/protocols/kakaotalk_voice.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') 
diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c index 38596e41d..daa97cc36 100644 --- a/src/lib/protocols/kakaotalk_voice.c +++ b/src/lib/protocols/kakaotalk_voice.c @@ -56,7 +56,7 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc } } - NDPI_LOG(NDPI_PROTOCOL_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n"); + NDPI_LOG(NDPI_SERVICE_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_KAKAOTALK_VOICE); } -- cgit v1.2.3 From 93f02c08dceb07cc87d642c7c6bdc2774008212f Mon Sep 17 00:00:00 2001 From: Luca Date: Fri, 9 Oct 2015 15:03:10 +0200 Subject: Fixed invalid indexes used in SMTP dissector. See https://github.com/ntop/nDPI/commit/8c4fada42f8e6dcba42281fdc129e0a32b6050dc#commitcomment-13685139 --- src/lib/protocols/mail_smtp.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 37846930e..422ed0dc2 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c 
@@ -117,10 +117,10 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct
 && (packet->line[a].ptr[1] == 'T' || packet->line[a].ptr[1] == 't')
 && (packet->line[a].ptr[2] == 'A' || packet->line[a].ptr[2] == 'a')
 && (packet->line[a].ptr[3] == 'R' || packet->line[a].ptr[3] == 'r')
- && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[0] == 't')
- && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[1] == 't')
- && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[2] == 'l')
- && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[3] == 's')) {
+ && (packet->line[a].ptr[4] == 'T' || packet->line[a].ptr[4] == 't')
+ && (packet->line[a].ptr[5] == 'T' || packet->line[a].ptr[5] == 't')
+ && (packet->line[a].ptr[6] == 'L' || packet->line[a].ptr[6] == 'l')
+ && (packet->line[a].ptr[7] == 'S' || packet->line[a].ptr[7] == 's')) {
 flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS;
 }
 }
-- cgit v1.2.3
From 88d466e58e00b54827ac1702639664d335509922 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Sun, 11 Oct 2015 17:55:56 +0200
Subject: Added fix for Webex protol detection
---
src/lib/ndpi_content_match.c.inc | 1 +
tests/pcap/webex.pcap | Bin 0 -> 890207 bytes
tests/result/webex.pcap.out | 68 +++++++++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
create mode 100644 tests/pcap/webex.pcap
create mode 100644 tests/result/webex.pcap.out
(limited to 'src')
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 7413b6ebf..73e99c94e 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
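Review bot: The corrected chain compares `packet->line[a].ptr[0..7]`, but the hunk shows no check that `packet->line[a].len >= 8`; if that guard exists it is above the hunk, and if not a shorter line makes the comparison read past its end — please confirm. The eight clause pairs could collapse to `packet->line[a].len >= 8 && strncasecmp((const char *)packet->line[a].ptr, "STARTTLS", 8) == 0`, a form in which the copy-paste slip fixed here could not have hidden. The enclosing function ndpi_search_mail_smtp_tcp starts and ends outside the hunk.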
@@ -7420,6 +7420,7 @@ ndpi_protocol_match host_match[] = { { "worldofwarcraft.com", "WorldOfWarcraft", NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_FUN }, { ".anchorfree.", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, { "hotspotshield.com", "HotspotShield", NDPI_SERVICE_HOTSPOT_SHIELD, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS }, + { ".webex.com", "Webex", NDPI_PROTOCOL_WEBEX, NDPI_PROTOCOL_ACCEPTABLE }, { NULL, 0 } }; diff --git a/tests/pcap/webex.pcap b/tests/pcap/webex.pcap new file mode 100644 index 000000000..82981bd0d Binary files /dev/null and b/tests/pcap/webex.pcap differ diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out new file mode 100644 index 000000000..7d9c790f1 --- /dev/null +++ b/tests/result/webex.pcap.out 
@@ -0,0 +1,68 @@
+Unknown 16 1171 1
+HTTP 22 3182 2
+SSL_No_Cert 90 10682 5
+SSL 169 18825 18
+SIP 22 15356 1
+Google 17 6375 1
+Webex 1244 809312 29
+
+ 1 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 2 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][513 pkts/344086 bytes][SSL server: *.webex.com]
+ 3 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91/SSL][5 pkts/353 bytes]
+ 4 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][16 pkts/7099 bytes][SSL server: *.webex.com]
+ 5 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91/SSL][8 pkts/639 bytes]
+ 6 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91/SSL][8 pkts/639 bytes]
+ 7 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][50 pkts/10360 bytes][SSL server: *.webex.com]
+ 8 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91/SSL][3 pkts/182 bytes]
+ 9 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 10 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 11 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][11 pkts/4584 bytes][SSL server: *.webex.com]
+ 12 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][10 pkts/1391 bytes][Host: cp.pushwoosh.com]
+ 13 TCP 107.20.242.44:443 <-> 10.133.206.47:59447 [proto: 91/SSL][3 pkts/174 bytes]
+ 14 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][SSL server: *.webex.com]
+ 15 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][23 pkts/6641 bytes][SSL server: *.webex.com]
+ 16 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][SSL server: *.webex.com]
+ 17 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][22 pkts/6555 bytes][SSL server: *.webex.com]
+ 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][18 pkts/7207 bytes][SSL server: *.webex.com]
+ 19 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 20 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][8 pkts/668 bytes]
+ 21 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][21 pkts/2530 bytes]
+ 22 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][20 pkts/2475 bytes]
+ 23 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][13 pkts/1733 bytes]
+ 24 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][9 pkts/905 bytes][SSL client: radcom.webex.com]
+ 25 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][14 pkts/8239 bytes][SSL server: *.webex.com]
+ 26 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][16 pkts/7968 bytes][SSL server: *.webex.com]
+ 27 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 28 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][105 pkts/19286 bytes][SSL server: *.webex.com]
+ 29 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91/SSL][11 pkts/717 bytes]
+ 30 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][24 pkts/35888 bytes][SSL server: *.webex.com]
+ 31 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][15 pkts/5217 bytes][SSL server: *.webex.com]
+ 32 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91/SSL][8 pkts/515 bytes]
+ 33 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][15 pkts/5217 bytes][SSL server: *.webex.com]
+ 34 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][14 pkts/7796 bytes][SSL server: *.webex.com]
+ 35 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][13 pkts/4692 bytes][SSL server: *.webex.com]
+ 36 TCP 10.8.0.1:59756 <-> 78.46.237.91:80 [proto: 7/HTTP][12 pkts/1791 bytes][Host: cp.pushwoosh.com]
+ 37 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][17 pkts/5293 bytes][SSL server: *.webex.com]
+ 38 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 39 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][17 pkts/7990 bytes][SSL server: *.webex.com]
+ 40 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][17 pkts/6375 bytes][SSL client: ssl.google-analytics.com]
+ 41 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][14 pkts/7796 bytes][SSL server: *.webex.com]
+ 42 TCP 185.63.147.10:443 <-> 10.133.206.47:54651 [proto: 91/SSL][3 pkts/174 bytes]
+ 43 UDP 10.8.0.1:64538 <-> 172.16.1.75:5060 [proto: 100/SIP][22 pkts/15356 bytes]
+ 44 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][5 pkts/317 bytes]
+ 45 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][18 pkts/1972 bytes]
+ 46 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][18 pkts/1972 bytes]
+ 47 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][14 pkts/5202 bytes][SSL server: www.webex.com]
+ 48 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][95 pkts/92236 bytes][SSL client: radcom.webex.com]
+ 49 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][56 pkts/109696 bytes][SSL client: radcom.webex.com]
+ 50 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][11 pkts/1013 bytes][SSL client: radcom.webex.com]
+ 51 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][26 pkts/26384 bytes][SSL server: *.webex.com]
+ 52 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][38 pkts/42482 bytes][SSL server: *.webex.com]
+ 53 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][17 pkts/8401 bytes][SSL server: *.webex.com]
+ 54 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91/SSL][11 pkts/697 bytes]
+ 55 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/SSL][30 pkts/9568 bytes][SSL client: api.crittercism.com]
+ 56 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][17 pkts/7969 bytes][SSL server: *.webex.com]
+
+
+Undetected flows:
+ 1 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 0/Unknown][16 pkts/1171 bytes]
-- cgit v1.2.3
From 72eafff843d32baaa7d8c34be19c6c560b2fc4f9 Mon Sep 17 00:00:00 2001
From: Luca Deri
Date: Sun, 11 Oct 2015 22:27:03 +0200
Subject: Improvements for NetFlix detection
---
src/lib/ndpi_content_match.c.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 73e99c94e..c2d219e5f 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -7352,7 +7352,7 @@ ndpi_protocol_match host_match[] = {
 { "nflxext.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
 { "nflximg.com", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
 { "nflximg.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
-
+ { "nflxvideo.net", "NetFlix", NDPI_SERVICE_NETFLIX, NDPI_PROTOCOL_FUN },
 { ".skype.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
 { ".skypeassets.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
 { ".skypedata.", "Skype", NDPI_SERVICE_SKYPE, NDPI_PROTOCOL_ACCEPTABLE },
-- cgit v1.2.3