static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// struct ndpi_id_struct *src=ndpi_struct->src;
// struct ndpi_id_struct *dst=ndpi_struct->dst;
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "search sopcast. \n");
if (packet->payload_packet_len == 52 && packet->payload[0] == 0xff
&& packet->payload[1] == 0xff && packet->payload[2] == 0x01
&& packet->payload[8] == 0x02 && packet->payload[9] == 0xff
&& packet->payload[10] == 0x00 && packet->payload[11] == 0x2c
&& packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if I. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
if ((packet->payload_packet_len == 80 || packet->payload_packet_len == 28 || packet->payload_packet_len == 94)
&& packet->payload[0] == 0x00 && (packet->payload[2] == 0x02 || packet->payload[2] == 0x01)
&& packet->payload[8] == 0x01 && packet->payload[9] == 0xff
&& packet->payload[10] == 0x00 && packet->payload[11] == 0x14
&& packet->payload[12] == 0x00 && packet->payload[13] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if II. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
/* this case has been seen once. Please revome this comment, if you see it another time */
if (packet->payload_packet_len == 60 && packet->payload[0] == 0x00
&& packet->payload[2] == 0x01
&& packet->payload[8] == 0x03 && packet->payload[9] == 0xff
&& packet->payload[10] == 0x00 && packet->payload[11] == 0x34
&& packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if III. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
if (packet->payload_packet_len == 42 && packet->payload[0] == 0x00
&& packet->payload[1] == 0x02 && packet->payload[2] == 0x01
&& packet->payload[3] == 0x07 && packet->payload[4] == 0x03
&& packet->payload[8] == 0x06
&& packet->payload[9] == 0x01 && packet->payload[10] == 0x00
&& packet->payload[11] == 0x22 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if IV. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
if (packet->payload_packet_len == 28 && packet->payload[0] == 0x00
&& packet->payload[1] == 0x0c && packet->payload[2] == 0x01
&& packet->payload[3] == 0x07 && packet->payload[4] == 0x00
&& packet->payload[8] == 0x01
&& packet->payload[9] == 0x01 && packet->payload[10] == 0x00
&& packet->payload[11] == 0x14 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if V. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
/* this case has been seen once. Please revome this comment, if you see it another time */
if (packet->payload_packet_len == 286 && packet->payload[0] == 0x00
&& packet->payload[1] == 0x02 && packet->payload[2] == 0x01
&& packet->payload[3] == 0x07 && packet->payload[4] == 0x03
&& packet->payload[8] == 0x06
&& packet->payload[9] == 0x01 && packet->payload[10] == 0x01
&& packet->payload[11] == 0x16 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VI. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
if (packet->payload_packet_len == 76 && packet->payload[0] == 0xff
&& packet->payload[1] == 0xff && packet->payload[2] == 0x01
&& packet->payload[8] == 0x0c && packet->payload[9] == 0xff
&& packet->payload[10] == 0x00 && packet->payload[11] == 0x44
&& packet->payload[16] == 0x01 && packet->payload[15] == 0x01
&& packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VII. \n");
ndpi_int_sopcast_add_connection(ndpi_struct, flow);
return;
}
/* Attention please: no asymmetric detection necessary. This detection works asymmetrically as well. */
NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast. \n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST);
}
void ndpi_search_usenet_tcp(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// struct ndpi_id_struct *src=ndpi_struct->src;
// struct ndpi_id_struct *dst=ndpi_struct->dst;
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: search usenet.\n");
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: STAGE IS %u.\n", flow->l4.tcp.usenet_stage);
// check for the first server replay
/*
200 Service available, posting allowed
201 Service available, posting prohibited
*/
if (flow->l4.tcp.usenet_stage == 0 && packet->payload_packet_len > 10
&& ((memcmp(packet->payload, "200 ", 4) == 0)
|| (memcmp(packet->payload, "201 ", 4) == 0))) {
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: found 200 or 201.\n");
flow->l4.tcp.usenet_stage = 1 + packet->packet_direction;
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: maybe hit.\n");
return;
}
/*
[C] AUTHINFO USER fred
[S] 381 Enter passphrase
[C] AUTHINFO PASS flintstone
[S] 281 Authentication accepted
*/
// check for client username
if (flow->l4.tcp.usenet_stage == 2 - packet->packet_direction) {
if (packet->payload_packet_len > 20 && (memcmp(packet->payload, "AUTHINFO USER ", 14) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: username found\n");
flow->l4.tcp.usenet_stage = 3 + packet->packet_direction;
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: found usenet.\n");
ndpi_int_usenet_add_connection(ndpi_struct, flow);
return;
} else if (packet->payload_packet_len == 13 && (memcmp(packet->payload, "MODE READER\r\n", 13) == 0)) {
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG,
"USENET: no login necessary but we are a client.\n");
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: found usenet.\n");
ndpi_int_usenet_add_connection(ndpi_struct, flow);
return;
}
}
NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: exclude usenet.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_USENET);
}
static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// struct ndpi_id_struct *src=ndpi_struct->src;
// struct ndpi_id_struct *dst=ndpi_struct->dst;
u_int16_t filename_start;
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "search http\n");
/* set client-server_direction */
if (flow->l4.tcp.http_setup_dir == 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "initializes http to stage: 1 \n");
flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction;
}
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK
(ndpi_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"protocol might be detected earlier as http jump to payload type detection\n");
goto http_parse_detection;
}
if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http stage: 1\n");
if (flow->l4.tcp.http_wait_for_retransmission) {
if (!packet->tcp_retransmission) {
if (flow->packet_counter <= 5) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "still waiting for retransmission\n");
return;
} else {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "retransmission not found, exclude\n");
http_bitmask_exclude(flow);
return;
}
}
}
if (flow->l4.tcp.http_stage == 0) {
filename_start = http_request_url_offset(ndpi_struct, flow);
if (filename_start == 0) {
if (packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response found (truncated flow ?)\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
return;
}
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "filename not found, exclude\n");
http_bitmask_exclude(flow);
return;
}
// parse packet
ndpi_parse_packet_line_info(ndpi_struct, flow);
if (packet->parsed_lines <= 1) {
/* parse one more packet .. */
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "just one line, search next packet\n");
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
flow->l4.tcp.http_stage = 1;
return;
}
// parsed_lines > 1 here
if (packet->line[0].len >= (9 + filename_start)
&& memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
packet->http_url_name.ptr = &packet->payload[filename_start];
packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http structure detected, adding\n");
ndpi_int_http_add_connection(ndpi_struct, flow, (filename_start == 8) ? NDPI_PROTOCOL_HTTP_CONNECT : NDPI_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ndpi_struct, flow);
/* HTTP found, look for host... */
if (packet->host_line.ptr != NULL) {
/* aaahh, skip this direction and wait for a server reply here */
flow->l4.tcp.http_stage = 2;
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n");
return;
}
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n");
/* host not found, check in next packet after */
flow->l4.tcp.http_stage = 1;
return;
}
} else if (flow->l4.tcp.http_stage == 1) {
/* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */
/* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */
// parse packet
ndpi_parse_packet_line_info(ndpi_struct, flow);
if (packet->parsed_lines <= 1) {
/* wait some packets in case request is split over more than 2 packets */
if (flow->packet_counter < 5) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"line still not finished, search next packet\n");
return;
} else {
/* stop parsing here */
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n");
http_bitmask_exclude(flow);
return;
}
}
if (packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
check_content_type_and_change_protocol(ndpi_struct, flow);
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP START HTTP found in 2. packet, check host here...\n");
/* HTTP found, look for host... */
flow->l4.tcp.http_stage = 2;
return;
}
}
} else {
/* We have received a response for a previously identified partial HTTP request */
if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) {
/*
In apache if you do "GET /\n\n" the response comes without any header so we can assume that
this can be the case
*/
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
return;
}
}
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n");
http_bitmask_exclude(flow);
return;
http_parse_detection:
if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
/* we have something like http here, so check for host and content type if possible */
if (flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n");
// parse packet
ndpi_parse_packet_line_info(ndpi_struct, flow);
/* check for url here */
filename_start = http_request_url_offset(ndpi_struct, flow);
if (filename_start != 0 && packet->parsed_lines > 1 && packet->line[0].len >= (9 + filename_start)
&& memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
packet->http_url_name.ptr = &packet->payload[filename_start];
packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
packet->http_method.ptr = packet->line[0].ptr;
packet->http_method.len = filename_start - 1;
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "next http action, "
"resetting to http and search for other protocols later.\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
}
check_content_type_and_change_protocol(ndpi_struct, flow);
/* HTTP found, look for host... */
if (packet->host_line.ptr != NULL) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n");
/* aaahh, skip this direction and wait for a server reply here */
flow->l4.tcp.http_stage = 2;
return;
}
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n");
flow->l4.tcp.http_stage = 1;
} else if (flow->l4.tcp.http_stage == 1) {
// parse packet and maybe find a packet info with host ptr,...
ndpi_parse_packet_line_info(ndpi_struct, flow);
check_content_type_and_change_protocol(ndpi_struct, flow);
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN second packet scanned\n");
/* HTTP found, look for host... */
flow->l4.tcp.http_stage = 2;
}
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP skipping client packets after second packet\n");
return;
}
/* server response */
if (flow->l4.tcp.http_stage > 0) {
/* first packet from server direction, might have a content line */
ndpi_parse_packet_line_info(ndpi_struct, flow);
check_content_type_and_change_protocol(ndpi_struct, flow);
if (packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "empty line. check_http_payload.\n");
check_http_payload(ndpi_struct, flow);
}
if (flow->l4.tcp.http_stage == 2) {
flow->l4.tcp.http_stage = 3;
} else {
flow->l4.tcp.http_stage = 0;
}
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG,
"HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage);
return;
} else {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response next packet skipped\n");
}
}
static void check_content_type_and_change_protocol(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
#ifdef NDPI_PROTOCOL_MPEG
struct ndpi_packet_struct *packet = &flow->packet;
#endif
#ifdef NDPI_PROTOCOL_AVI
#endif
// struct ndpi_id_struct *src=ndpi_struct->src;
// struct ndpi_id_struct *dst=ndpi_struct->dst;
u_int8_t a;
if (packet->content_line.ptr != NULL && packet->content_line.len != 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Content Type Line found %.*s\n",
packet->content_line.len, packet->content_line.ptr);
#ifdef NDPI_PROTOCOL_MPEG
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_MPEG) != 0)
mpeg_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_FLASH
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_FLASH) != 0)
flash_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_QUICKTIME
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_QUICKTIME) != 0)
qt_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_REALMEDIA
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_REALMEDIA) != 0)
realmedia_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_WINDOWSMEDIA
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_WINDOWSMEDIA) != 0)
windowsmedia_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_MMS
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_MMS) != 0)
mms_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_OFF
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OFF) != 0)
off_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_OGG
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_OGG) != 0)
ogg_parse_packet_contentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_MOVE
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_MOVE) != 0)
move_parse_packet_contentline(ndpi_struct, flow);
#endif
}
/* check user agent here too */
if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len != 0) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "User Agent Type Line found %.*s\n",
packet->user_agent_line.len, packet->user_agent_line.ptr);
#ifdef NDPI_PROTOCOL_XBOX
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_XBOX) != 0)
xbox_parse_packet_useragentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_WINDOWS_UPDATE
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_WINDOWS_UPDATE) != 0)
windows_update_packet_useragentline(ndpi_struct, flow);
#endif
#ifdef NDPI_PROTOCOL_WINDOWSMEDIA
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_WINDOWSMEDIA) != 0)
winmedia_parse_packet_useragentline(ndpi_struct, flow);
#endif
}
/* check for host line */
if (packet->host_line.ptr != NULL) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HOST Line found %.*s\n",
packet->host_line.len, packet->host_line.ptr);
#ifdef NDPI_PROTOCOL_QQ
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_QQ) != 0) {
qq_parse_packet_URL_and_hostname(ndpi_struct, flow);
}
#endif
parseHttpSubprotocol(ndpi_struct, flow);
}
/* check for accept line */
if (packet->accept_line.ptr != NULL) {
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Accept Line found %.*s\n",
packet->accept_line.len, packet->accept_line.ptr);
#ifdef NDPI_PROTOCOL_RTSP
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_RTSP) != 0) {
rtsp_parse_packet_acceptline(ndpi_struct, flow);
}
#endif
}
/* search for line startin with "Icy-MetaData" */
#ifdef NDPI_PROTOCOL_MPEG
for (a = 0; a < packet->parsed_lines; a++) {
if (packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) {
NDPI_LOG(NDPI_PROTOCOL_MPEG, ndpi_struct, NDPI_LOG_DEBUG, "MPEG: Icy-MetaData found.\n");
ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MPEG);
return;
}
}
#ifdef NDPI_PROTOCOL_AVI
#endif
#endif
}
static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload, const u_int16_t payload_len)
{
struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t stage;
u_int16_t seqnum = ntohs(get_u_int16_t(payload, 2));
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "search rtp.\n");
if (payload_len == 4 && get_u_int32_t(packet->payload, 0) == 0 && flow->packet_counter < 8) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, maybe ClearSea out calls.\n");
return;
}
if (payload_len == 5 && memcmp(payload, "hello", 5) == 0) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG,
"need next packet, initial hello packet of SIP out calls.\n");
return;
}
if (payload_len == 1 && payload[0] == 0) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG,
"need next packet, payload_packet_len == 1 && payload[0] == 0.\n");
return;
}
if (payload_len == 3 && memcmp(payload, "png", 3) == 0) {
/* weird packet found in Ninja GlobalIP trace */
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "skipping packet with len = 3 and png payload.\n");
return;
}
if (payload_len < 12) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "minimal packet size for rtp packets: 12.\n");
goto exclude_rtp;
}
if (payload_len == 12 && get_u_int32_t(payload, 0) == 0 && get_u_int32_t(payload, 4) == 0 && get_u_int32_t(payload, 8) == 0) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "skipping packet with len = 12 and only 0-bytes.\n");
return;
}
if ((payload[0] & 0xc0) == 0xc0 || (payload[0] & 0xc0) == 0x40 || (payload[0] & 0xc0) == 0x00) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "version = 3 || 1 || 0, maybe first rtp packet.\n");
return;
}
if ((payload[0] & 0xc0) != 0x80) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct,
NDPI_LOG_DEBUG, "rtp version must be 2, first two bits of a packets must be 10.\n");
goto exclude_rtp;
}
/* rtp_payload_type are the last seven bits of the second byte */
if (flow->rtp_payload_type[packet->packet_direction] != (payload[1] & 0x7F)) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "payload_type has changed, reset stages.\n");
packet->packet_direction == 0 ? (flow->rtp_stage1 = 0) : (flow->rtp_stage2 = 0);
}
/* first bit of first byte is not part of payload_type */
flow->rtp_payload_type[packet->packet_direction] = payload[1] & 0x7F;
stage = (packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2);
if (stage > 0) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct,
NDPI_LOG_DEBUG, "stage = %u.\n", packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2);
if (flow->rtp_ssid[packet->packet_direction] != get_u_int32_t(payload, 8)) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "ssid has changed, goto exclude rtp.\n");
goto exclude_rtp;
}
if (seqnum == flow->rtp_seqnum[packet->packet_direction]) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe \"retransmission\", need next packet.\n");
return;
} else if ((u_int16_t) (seqnum - flow->rtp_seqnum[packet->packet_direction]) < RTP_MAX_OUT_OF_ORDER) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG,
"new packet has larger sequence number (within valid range)\n");
update_seq(ndpi_struct, flow, packet->packet_direction, seqnum);
} else if ((u_int16_t) (flow->rtp_seqnum[packet->packet_direction] - seqnum) < RTP_MAX_OUT_OF_ORDER) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG,
"new packet has smaller sequence number (within valid range)\n");
init_seq(ndpi_struct, flow, packet->packet_direction, seqnum, 1);
} else {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG,
"sequence number diff is too big, goto exclude rtp.\n");
goto exclude_rtp;
}
} else {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct,
NDPI_LOG_DEBUG, "rtp_ssid[%u] = %u.\n", packet->packet_direction,
flow->rtp_ssid[packet->packet_direction]);
flow->rtp_ssid[packet->packet_direction] = get_u_int32_t(payload, 8);
if (flow->packet_counter < 3) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "packet_counter < 3, need next packet.\n");
}
init_seq(ndpi_struct, flow, packet->packet_direction, seqnum, 1);
}
if (seqnum <= 3) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct,
NDPI_LOG_DEBUG, "sequence_number = %u, too small, need next packet, return.\n", seqnum);
return;
}
if (stage == 3) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "add connection I.\n");
ndpi_int_rtp_add_connection(ndpi_struct, flow);
} else {
packet->packet_direction == 0 ? flow->rtp_stage1++ : flow->rtp_stage2++;
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "stage[%u]++; need next packet.\n",
packet->packet_direction);
}
return;
exclude_rtp:
#ifdef NDPI_PROTOCOL_STUN
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
|| packet->real_protocol_read_only == NDPI_PROTOCOL_STUN) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "STUN: is detected, need next packet.\n");
return;
}
#endif /* NDPI_PROTOCOL_STUN */
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
}
static void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
if (packet->udp) {
ndpi_rtp_search(ndpi_struct, flow, packet->payload, packet->payload_packet_len);
} else if (packet->tcp) {
/* skip special packets seen at yahoo traces */
if (packet->payload_packet_len >= 20 && ntohs(get_u_int16_t(packet->payload, 2)) + 20 == packet->payload_packet_len &&
packet->payload[0] == 0x90 && packet->payload[1] >= 0x01 && packet->payload[1] <= 0x07) {
if (flow->packet_counter == 2)
flow->l4.tcp.rtp_special_packets_seen = 1;
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG,
"skipping STUN-like, special yahoo packets with payload[0] == 0x90.\n");
return;
}
#ifdef NDPI_PROTOCOL_STUN
/* TODO the rtp detection sometimes doesn't exclude rtp
* so for TCP flows only run the detection if STUN has been
* detected (or RTP is already detected)
* If flows will be seen which start directly with RTP
* we can remove this restriction
*/
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN
|| packet->detected_protocol_stack[0] == NDPI_PROTOCOL_RTP) {
/* RTP may be encapsulated in TCP packets */
if (packet->payload_packet_len >= 2 && ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len) {
/* TODO there could be several RTP packets in a single TCP packet so maybe the detection could be
* improved by checking only the RTP packet of given length */
ndpi_rtp_search(ndpi_struct, flow, packet->payload + 2, packet->payload_packet_len - 2);
return;
}
}
if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && flow->l4.tcp.rtp_special_packets_seen == 1) {
if (packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) + 4 == packet->payload_packet_len) {
/* TODO there could be several RTP packets in a single TCP packet so maybe the detection could be
* improved by checking only the RTP packet of given length */
ndpi_rtp_search(ndpi_struct, flow, packet->payload + 4, packet->payload_packet_len - 4);
return;
}
}
if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_STUN)) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
} else {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "STUN not yet excluded, need next packet.\n");
}
#else
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
#endif
}
}
static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t payload_len = packet->payload_packet_len;
/* Check if we so far detected the protocol in the request or not. */
if (flow->pplive_stage1 == 0) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage 0: \n");
if ((payload_len > 0) && match_first_bytes(packet->payload, "\xe9\x03\x41\x01")) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n");
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->pplive_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2
return;
}
if ((payload_len > 0) && match_first_bytes(packet->payload, "\xe9\x03\x42\x01")) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n");
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->pplive_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4
return;
}
if ((payload_len > 0) && match_first_bytes(packet->payload, "\x1c\x1c\x32\x01")) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n");
/* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */
flow->pplive_stage1 = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6
return;
}
} else if ((flow->pplive_stage1 == 1) || (flow->pplive_stage1 == 2)) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage1);
/* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
if ((flow->pplive_stage1 - packet->packet_direction) == 1) {
return;
}
/* This is a packet in another direction. Check if we find the proper response. */
if ((payload_len > 0) && (match_first_bytes(packet->payload, "\xe9\x03\x42\x01") || match_first_bytes(packet->payload, "\xe9\x03\x41\x01"))) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n");
ndpi_int_pplive_add_connection(ndpi_struct, flow);
} else {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n");
flow->pplive_stage1 = 0;
}
} else if ((flow->pplive_stage1 == 3) || (flow->pplive_stage1 == 4)) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage1);
/* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
if ((flow->pplive_stage1 - packet->packet_direction) == 3) {
return;
}
/* This is a packet in another direction. Check if we find the proper response. */
if ((payload_len > 0) && match_first_bytes(packet->payload, "\xe9\x03\x41\x01")) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n");
ndpi_int_pplive_add_connection(ndpi_struct, flow);
} else {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n");
flow->pplive_stage1 = 0;
}
} else if ((flow->pplive_stage1 == 5) || (flow->pplive_stage1 == 6)) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage1);
/* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */
if ((flow->pplive_stage1 - packet->packet_direction) == 5) {
return;
}
/* This is a packet in another direction. Check if we find the proper response. */
if ((payload_len > 0) && match_first_bytes(packet->payload, "\x1c\x1c\x32\x01")) {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n");
ndpi_int_pplive_add_connection(ndpi_struct, flow);
} else {
NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n");
flow->pplive_stage1 = 0;
}
}
}