/*
* jabber.c
*
* Copyright (C) 2009-11 - ipoque GmbH
* Copyright (C) 2011-21 - ntop.org
*
* This file is part of nDPI, an open source deep packet inspection
* library based on the OpenDPI and PACE technology by ipoque GmbH
*
* nDPI is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* nDPI is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with nDPI. If not, see .
*
*/
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_JABBER
#include "ndpi_api.h"
struct jabber_string {
char *string;
u_int ndpi_protocol;
};
static struct jabber_string jabber_strings[] = {
{ "='im.truphone.com'", NDPI_PROTOCOL_TRUPHONE },
{ "=\"im.truphone.com\"", NDPI_PROTOCOL_TRUPHONE },
{ NULL, 0 }
};
static void ndpi_int_jabber_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int32_t protocol)
{
ndpi_set_detected_protocol(ndpi_struct, flow, protocol, NDPI_PROTOCOL_UNKNOWN);
}
static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, u_int16_t x)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
int i, left = packet->payload_packet_len-x;
if(left <= 0) return;
for(i=0; jabber_strings[i].string != NULL; i++) {
if(ndpi_strnstr((const char*)&packet->payload[x], jabber_strings[i].string, left) != NULL) {
ndpi_int_jabber_add_connection(ndpi_struct, flow, jabber_strings[i].ndpi_protocol);
return;
}
}
}
void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
u_int16_t x;
NDPI_LOG_DBG(ndpi_struct, "search JABBER\n");
if (flow->packet_counter > 5) {
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
return;
}
/* search for jabber file transfer */
/* this part is working asymmetrically */
if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) {
NDPI_LOG_DBG2(ndpi_struct, "check jabber syn\n");
if (src != NULL && src->jabber_file_transfer_port[0] != 0) {
NDPI_LOG_DBG2(ndpi_struct, "src jabber ft port set, ports are: %u, %u\n",
ntohs(src->jabber_file_transfer_port[0]),
ntohs(src->jabber_file_transfer_port[1]));
if (((u_int32_t)
(packet->current_time_ms - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n",
src->jabber_stun_or_ft_ts, packet->current_time_ms);
src->jabber_file_transfer_port[0] = 0;
src->jabber_file_transfer_port[1] = 0;
} else if (src->jabber_file_transfer_port[0] == packet->tcp->dest
|| src->jabber_file_transfer_port[0] == packet->tcp->source
|| src->jabber_file_transfer_port[1] == packet->tcp->dest
|| src->jabber_file_transfer_port[1] == packet->tcp->source) {
NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n");
ndpi_int_jabber_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_JABBER);
}
}
if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) {
NDPI_LOG_DBG2(ndpi_struct, "dst jabber ft port set, ports are: %u, %u\n",
ntohs(dst->jabber_file_transfer_port[0]),
ntohs(dst->jabber_file_transfer_port[1]));
if (((u_int32_t)
(packet->current_time_ms - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n",
dst->jabber_stun_or_ft_ts, packet->current_time_ms);
dst->jabber_file_transfer_port[0] = 0;
dst->jabber_file_transfer_port[1] = 0;
} else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest
|| dst->jabber_file_transfer_port[0] == packet->tcp->source
|| dst->jabber_file_transfer_port[1] == packet->tcp->dest
|| dst->jabber_file_transfer_port[1] == packet->tcp->source) {
NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n");
ndpi_int_jabber_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_JABBER);
}
}
return;
}
if (packet->tcp != 0 && packet->payload_packet_len == 0) {
return;
}
/* this part parses a packet and searches for port=. it works asymmetrically. */
if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_JABBER) {
u_int16_t lastlen;
u_int16_t j_port = 0;
/* check for google jabber voip connections ... */
/* need big packet */
if (packet->payload_packet_len < 100) {
NDPI_LOG_DBG2(ndpi_struct, "packet too small, return\n");
return;
}
/* need message to or type for file-transfer */
if (memcmp(packet->payload, "payload, "payload_packet_len - 11;
for (x = 10; x < lastlen; x++) {
if (packet->payload[x] == 'p') {
if (memcmp(&packet->payload[x], "port=", 5) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "port=\n");
if (src != NULL) {
src->jabber_stun_or_ft_ts = packet->current_time_ms;
}
if (dst != NULL) {
dst->jabber_stun_or_ft_ts = packet->current_time_ms;
}
x += 6;
j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port));
if (src != NULL) {
if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[1] = j_port;
}
}
if (dst != NULL) {
if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[1] = j_port;
}
}
}
}
}
} else if (memcmp(packet->payload, "payload, "payload, "payload_packet_len - 21;
for (x = 8; x < lastlen; x++) {
/* invalid character */
if (packet->payload[x] < 32 || packet->payload[x] > 127) {
return;
}
if (packet->payload[x] == '@') {
NDPI_LOG_DBG2(ndpi_struct, "JABBER @\n");
break;
}
}
if (x >= lastlen) {
return;
}
lastlen = packet->payload_packet_len - 10;
for (; x < lastlen; x++) {
if (packet->payload[x] == 'p') {
if (memcmp(&packet->payload[x], "port=", 5) == 0) {
NDPI_LOG_DBG2(ndpi_struct, "port=\n");
if (src != NULL) {
src->jabber_stun_or_ft_ts = packet->current_time_ms;
}
if (dst != NULL) {
dst->jabber_stun_or_ft_ts = packet->current_time_ms;
}
x += 6;
j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port));
if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
if (packet->payload[5] == 'o') {
src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++]
= j_port;
} else {
if (src->jabber_file_transfer_port[0] == 0
|| src->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
src->jabber_file_transfer_port[1] = j_port;
}
}
}
if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
if (packet->payload[5] == 'o') {
dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++]
= j_port;
} else {
if (dst->jabber_file_transfer_port[0] == 0
|| dst->jabber_file_transfer_port[0] == j_port) {
NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[0] = j_port;
} else {
NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
ntohs(j_port));
dst->jabber_file_transfer_port[1] = j_port;
}
}
}
return;
}
}
}
}
return;
}
/* search for jabber here */
/* this part is working asymmetrically */
if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "payload_packet_len >= NDPI_STATICSTRING_LEN("payload, "payload_packet_len-13;
if(ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream='http://etherx.jabber.org/streams'", start)
|| ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream=\"http://etherx.jabber.org/streams\"", start)) {
/* Protocol family */
ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_JABBER);
/* search for subprotocols */
check_content_type_and_change_protocol(ndpi_struct, flow, 13);
return;
}
}
if (flow->packet_counter < 3) {
NDPI_LOG_DBG2(ndpi_struct, "packet_counter: %u\n", flow->packet_counter);
return;
}
NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TRUPHONE,
__FILE__,__FUNCTION__,__LINE__);
}
void init_jabber_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
ndpi_set_bitmask_protocol_detection("Jabber", ndpi_struct, detection_bitmask, *id,
NDPI_PROTOCOL_JABBER,
ndpi_search_jabber_tcp,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id += 1;
}