static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, u_int32_t protocol)
{
if (protocol != NDPI_PROTOCOL_SSL) {
ndpi_int_add_connection(ndpi_struct, flow, protocol, NDPI_CORRELATED_PROTOCOL);
} else {
struct ndpi_packet_struct *packet = &flow->packet;
if(packet->tcp != NULL) {
switch(protocol) {
case NDPI_PROTOCOL_SSL:
case NDPI_PROTOCOL_SSL_NO_CERT:
{
/*
In case of SSL there are probably sub-protocols
such as IMAPS that can be otherwise detected
*/
u_int16_t sport = ntohs(packet->tcp->source);
u_int16_t dport = ntohs(packet->tcp->dest);
if((sport == 465) || (dport == 465)) protocol = NDPI_PROTOCOL_MAIL_SMTPS;
else if((sport == 993) || (dport == 993)) protocol = NDPI_PROTOCOL_MAIL_IMAPS;
else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS;
}
break;
}
}
ndpi_int_add_connection(ndpi_struct, flow, protocol, NDPI_REAL_PROTOCOL);
}
}
static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
/*
Skype AS8220
212.161.8.0/24
*/
if(is_skype_flow(ndpi_struct, flow)) {
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_REAL_PROTOCOL);
return;
}
if(packet->udp != NULL) {
flow->l4.udp.skype_packet_id++;
if(flow->l4.udp.skype_packet_id < 5) {
/* skype-to-skype */
if(((payload_len == 3) && ((packet->payload[2] & 0x0F)== 0x0d))
|| ((payload_len >= 16)
&& (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */
&& (packet->payload[2] == 0x02))) {
NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_REAL_PROTOCOL);
}
return;
}
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE);
return;
} else if(packet->tcp != NULL) {
flow->l4.tcp.skype_packet_id++;
if(flow->l4.tcp.skype_packet_id < 3) {
; /* Too early */
} else if((flow->l4.tcp.skype_packet_id == 3)
/* We have seen the 3-way handshake */
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack) {
if((payload_len == 8) || (payload_len == 3)) {
//printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest));
NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_REAL_PROTOCOL);
}
/* printf("[SKYPE] [id: %u][len: %d]\n", flow->l4.tcp.skype_packet_id, payload_len); */
} else
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE);
return;
}
}
void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
struct ndpi_flow_struct* flow) {
struct ndpi_packet_struct* packet = &flow->packet;
u_int16_t dport = 0, sport = 0;
if (packet->udp != NULL) {
sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
if ((packet->payload_packet_len >= 25) && (sport == 443 || dport == 443) &&
(packet->payload[0] == 0x17 && packet->payload[1] == 0x01 &&
packet->payload[2] == 0x00 && packet->payload[3] == 0x00)) {
NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG,
"found openvpn udp 443.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN,
NDPI_REAL_PROTOCOL);
return;
}
if ( ( (packet->payload_packet_len > 40) ||
(packet->payload_packet_len <= 14) ) && // hard-reset
(sport == 1194 || dport == 1194) &&
(packet->payload[0] == 0x30 || packet->payload[0] == 0x31 ||
packet->payload[0] == 0x32 || packet->payload[0] == 0x33 ||
packet->payload[0] == 0x34 || packet->payload[0] == 0x35 ||
packet->payload[0] == 0x36 || packet->payload[0] == 0x37 ||
packet->payload[0] == 0x38 || packet->payload[0] == 0x39)) {
NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG,
"found openvpn broadcast udp STD.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN,
NDPI_REAL_PROTOCOL);
return;
}
}
if (packet->tcp != NULL) {
sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
if ((packet->payload_packet_len >= 40) &&
(sport == 1194 || dport == 1194) &&
((packet->payload[0] == 0x00) && (packet->payload[1] == 0x2a) &&
(packet->payload[2] == 0x38))) {
NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG,
"found openvpn broadcast udp STD.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN,
NDPI_REAL_PROTOCOL);
return;
}
}
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask,
NDPI_PROTOCOL_OPENVPN);
}
static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
u_int32_t payload_len = packet->payload_packet_len;
#if 0
printf("[len=%u][%02X %02X %02X %02X]\n", payload_len,
packet->payload[0] & 0xFF,
packet->payload[1] & 0xFF,
packet->payload[2] & 0xFF,
packet->payload[3] & 0xFF);
#endif
if(packet->tcp != NULL) {
flow->l4.tcp.citrix_packet_id++;
if((flow->l4.tcp.citrix_packet_id == 3)
/* We have seen the 3-way handshake */
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack) {
if(payload_len == 6) {
char citrix_header[] = { 0x07, 0x07, 0x49, 0x43, 0x41, 0x00 };
if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) {
NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_REAL_PROTOCOL);
}
return;
} else if(payload_len > 4) {
char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 };
if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0)
|| (ndpi_strnstr(packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) {
NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_REAL_PROTOCOL);
}
return;
}
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CITRIX);
} else if(flow->l4.tcp.citrix_packet_id > 3)
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CITRIX);
return;
}
}
static void ndpi_int_http_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int32_t protocol)
{
if (protocol != NDPI_PROTOCOL_HTTP) {
ndpi_int_add_connection(ndpi_struct, flow, protocol, NDPI_CORRELATED_PROTOCOL);
} else {
ndpi_int_reset_protocol(flow);
ndpi_int_add_connection(ndpi_struct, flow, protocol, NDPI_REAL_PROTOCOL);
}
flow->http_detected = 1;
}
static void ndpi_int_ppstream_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM,
NDPI_REAL_PROTOCOL);
}
static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
time_t now;
struct timeval now_tv;
if((packet->udp != NULL)
&& (payload_len >= 24)
&& (packet->payload[0] == 0)
&& ((packet->payload[1] == 5)
|| (packet->payload[1] == 9)
|| (packet->payload[1] == 10 /* IPFIX */))
&& (packet->payload[3] <= 48 /* Flow count */)) {
u_int32_t when, *_when;
_when = (u_int32_t*)&packet->payload[8]; /* Sysuptime */
when = ntohl(*_when);
do_gettimeofday(&now_tv);
now = now_tv.tv_sec;
if((when >= 946684800 /* 1/1/2000 */) && (when <= now)) {
NDPI_LOG(NDPI_PROTOCOL_NETFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found netflow.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW, NDPI_REAL_PROTOCOL);
return;
}
}
}
void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
u_int len = 0;
NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "search collectd.\n");
if (packet->udp == NULL) return;
while(len < packet->payload_packet_len) {
// u_int16_t elem_type = ntohs(*((u_int16_t*)&packet->payload[len]));
u_int16_t elem_len = ntohs(*((u_int16_t*)&packet->payload[len+2]));
if (elem_len == 0) break;
len += elem_len;
}
if(len == packet->payload_packet_len) {
NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "found COLLECTD.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_REAL_PROTOCOL);
} else {
NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "exclude COLLECTD.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COLLECTD);
}
}
static void ndpi_int_shoutcast_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SHOUTCAST,
NDPI_CORRELATED_PROTOCOL);
}
void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) {
/* Ayiya is udp based, port 5072 */
if ((packet->udp->source == htons(5072) || packet->udp->dest == htons(5072))
/* check for ayiya new packet */
&& (packet->payload_packet_len > 44)
) {
/* FINISH */
struct ayiya *a = (struct ayiya*)packet->payload;
u_int32_t epoch = ntohl(a->epoch), now;
u_int32_t fireyears = 86400 * 365 * 5;
now = flow->packet.tick_timestamp;
if((epoch >= (now - fireyears)) && (epoch <= (now+86400 /* 1 day */)))
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_AYIYA, NDPI_REAL_PROTOCOL);
return;
}
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AYIYA);
}
}
static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol_type_t protocol_type)
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, protocol_type);
if (src != NULL) {
src->gnutella_ts = packet->tick_timestamp;
if (packet->udp != NULL) {
if (!src->detected_gnutella_udp_port1) {
src->detected_gnutella_udp_port1 = (packet->udp->source);
NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
NDPI_LOG_DEBUG, "GNUTELLA UDP PORT1 DETECTED as %u\n",
src->detected_gnutella_udp_port1);
} else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1)
&& !src->detected_gnutella_udp_port2) {
src->detected_gnutella_udp_port2 = (packet->udp->source);
NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
NDPI_LOG_DEBUG, "GNUTELLA UDP PORT2 DETECTED as %u\n",
src->detected_gnutella_udp_port2);
}
}
}
if (dst != NULL) {
dst->gnutella_ts = packet->tick_timestamp;
}
}
static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKINNY,
NDPI_CORRELATED_PROTOCOL);
}
static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
#if 0
printf("[len=%u][%02X %02X %02X %02X]\n", payload_len,
packet->payload[0] & 0xFF,
packet->payload[1] & 0xFF,
packet->payload[2] & 0xFF,
packet->payload[3] & 0xFF);
#endif
if(packet->udp != NULL) {
struct radius_header *h = (struct radius_header*)packet->payload;
h->len = ntohs(h->len);
if((payload_len > sizeof(struct radius_header))
&& (h->code <= 5)
&& (h->len == payload_len)) {
NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "Found radius.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_REAL_PROTOCOL);
return;
}
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RADIUS);
return;
}
}
static void ndpi_int_ftp_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_FTP,
NDPI_REAL_PROTOCOL);
}
static void ndpi_int_teamspeak_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TEAMSPEAK,
NDPI_REAL_PROTOCOL);
}
static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int8_t due_to_correlation)
{
ndpi_int_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_DROPBOX,
due_to_correlation ? NDPI_CORRELATED_PROTOCOL : NDPI_REAL_PROTOCOL);
}
static void ndpi_int_ipp_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol_type_t protocol_type)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_IPP,
protocol_type);
}
static void ndpi_int_spotify_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
u_int8_t due_to_correlation)
{
ndpi_int_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_SPOTIFY,
due_to_correlation ? NDPI_CORRELATED_PROTOCOL : NDPI_REAL_PROTOCOL);
}
static void ndpi_int_direct_download_link_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, NDPI_CORRELATED_PROTOCOL);
flow->l4.tcp.ddlink_server_direction = packet->packet_direction;
}
static void ndpi_int_veohtv_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow,
ndpi_protocol_type_t protocol_type)
{
ndpi_int_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV,
protocol_type);
}
static void ndpi_int_world_of_kung_fu_add_connection(struct
ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct
*flow)
{
ndpi_int_add_connection(ndpi_struct, flow,
NDPI_PROTOCOL_WORLD_OF_KUNG_FU,
NDPI_REAL_PROTOCOL);
}
static void ndpi_int_teamview_add_connection(struct ndpi_detection_module_struct
*ndpi_struct,
struct ndpi_flow_struct *flow)
{
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER,
NDPI_REAL_PROTOCOL);
NDPI_LOG(NDPI_PROTOCOL_TEAMVIEWER, ndpi_struct, NDPI_LOG_TRACE,
"TEAMWIEWER Found.\n");
}
static void ndpi_int_ssl_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, u_int32_t protocol)
{
if((protocol != NDPI_PROTOCOL_SSL)
&& (protocol != NDPI_PROTOCOL_SSL_NO_CERT)) {
ndpi_int_add_connection(ndpi_struct, flow, protocol, NDPI_CORRELATED_PROTOCOL);
} else {
struct ndpi_packet_struct *packet = &flow->packet;
if((flow->protos.ssl.client_certificate[0] != '\0')
|| (flow->protos.ssl.server_certificate[0] != '\0')
|| (flow->host_server_name[0] != '\0'))
protocol = NDPI_PROTOCOL_SSL;
else
protocol = NDPI_PROTOCOL_SSL_NO_CERT;
if(packet->tcp != NULL) {
switch(protocol) {
case NDPI_PROTOCOL_SSL:
case NDPI_PROTOCOL_SSL_NO_CERT:
{
/*
In case of SSL there are probably sub-protocols
such as IMAPS that can be otherwise detected
*/
u_int16_t sport = ntohs(packet->tcp->source);
u_int16_t dport = ntohs(packet->tcp->dest);
if((sport == 465) || (dport == 465)) protocol = NDPI_PROTOCOL_MAIL_SMTPS;
else if((sport == 993) || (dport == 993)) protocol = NDPI_PROTOCOL_MAIL_IMAPS;
else if((sport == 995) || (dport == 995)) protocol = NDPI_PROTOCOL_MAIL_POPS;
}
break;
}
if((protocol == NDPI_PROTOCOL_SSL_NO_CERT)
&& is_skype_flow(ndpi_struct, flow)) {
protocol = NDPI_PROTOCOL_SKYPE;
}
}
ndpi_int_add_connection(ndpi_struct, flow, protocol, NDPI_REAL_PROTOCOL);
}
}
static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, ndpi_protocol_type_t protocol_type)
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_THUNDER, protocol_type);
if (src != NULL) {
src->thunder_ts = packet->tick_timestamp;
}
if (dst != NULL) {
dst->thunder_ts = packet->tick_timestamp;
}
}
static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
// const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
if(packet->tcp != NULL) {
flow->l4.tcp.lotus_notes_packet_id++;
#if 0
printf("[lotus_notes_packet_id: %u][len=%u][%02X %02X %02X %02X %02X %02X %02X %02X]\n",
flow->l4.tcp.lotus_notes_packet_id, payload_len,
packet->payload[6] & 0xFF,
packet->payload[7] & 0xFF,
packet->payload[8] & 0xFF,
packet->payload[9] & 0xFF,
packet->payload[10] & 0xFF,
packet->payload[11] & 0xFF,
packet->payload[12] & 0xFF,
packet->payload[13] & 0xFF
);
#endif
if((flow->l4.tcp.lotus_notes_packet_id == 1)
/* We have seen the 3-way handshake */
&& flow->l4.tcp.seen_syn
&& flow->l4.tcp.seen_syn_ack
&& flow->l4.tcp.seen_ack) {
if(payload_len > 16) {
char lotus_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F };
if(memcmp(&packet->payload[6], lotus_notes_header, sizeof(lotus_notes_header)) == 0) {
NDPI_LOG(NDPI_PROTOCOL_LOTUS_NOTES, ndpi_struct, NDPI_LOG_DEBUG, "Found lotus_notes.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_LOTUS_NOTES, NDPI_REAL_PROTOCOL);
}
return;
}
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LOTUS_NOTES);
} else if(flow->l4.tcp.lotus_notes_packet_id > 3)
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LOTUS_NOTES);
return;
}
}
static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow, ndpi_protocol_type_t protocol_type)
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR, protocol_type);
if (src != NULL) {
src->oscar_last_safe_access_time = packet->tick_timestamp;
}
if (dst != NULL) {
dst->oscar_last_safe_access_time = packet->tick_timestamp;
}
}
static void ndpi_check_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
const u_int8_t *packet_payload = packet->payload;
u_int32_t payload_len = packet->payload_packet_len;
if((packet->udp != NULL)
&& (payload_len >= 24)
/* Version */
&& (packet_payload[0] == 0) && (packet_payload[1] == 0) && (packet_payload[2] == 0)
&& ((packet_payload[3] == 2) || (packet_payload[3] == 5))) {
NDPI_LOG(NDPI_PROTOCOL_SFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found sflow.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_REAL_PROTOCOL);
return;
}
}
static void ndpi_int_soulseek_add_connection(struct ndpi_detection_module_struct
*ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
struct ndpi_id_struct *src = flow->src;
struct ndpi_id_struct *dst = flow->dst;
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_REAL_PROTOCOL);
if (src != NULL) {
src->soulseek_last_safe_access_time = packet->tick_timestamp;
}
if (dst != NULL) {
dst->soulseek_last_safe_access_time = packet->tick_timestamp;
}
return;
}
static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow,
const u_int8_t * payload, const u_int16_t payload_len)
{
//struct ndpi_packet_struct *packet = &flow->packet;
u_int8_t payload_type = payload[1] & 0x7F;
u_int32_t *ssid = (u_int32_t*)&payload[8];
/* Check whether this is an RTP flow */
if((payload_len >= 12)
&& ((payload[0] & 0xFF) == 0x80) /* RTP magic byte[1] */
&& ((payload_type < 128 /* http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-rtp.c */))
&& (*ssid != 0)
) {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found rtp.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTP, NDPI_REAL_PROTOCOL);
} else {
NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP);
}
}
void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
struct ndpi_packet_struct *packet = &flow->packet;
NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "search for VIBER.\n");
if(packet->udp != NULL) {
NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n");
if((packet->payload_packet_len == 12 && packet->payload[2] == 0x03 && packet->payload[3] == 0x00)
|| (packet->payload_packet_len == 20 && packet->payload[2] == 0x09 && packet->payload[3] == 0x00)
|| ((packet->payload_packet_len < 135) && (packet->payload[0] == 0x11))) {
NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "found VIBER.\n");
ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_VIBER, NDPI_REAL_PROTOCOL);
return;
}
}
NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "exclude VIBER.\n");
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VIBER);
}
