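/*
 * Justin.tv / Twitch dissector.
 *
 * A flow is classified as NDPI_PROTOCOL_JUSTIN_TWITCH when
 *  - a TCP "GET /" or "POST /" request carries "Host: www.twitch.tv",
 *  - the payload contains "api.twitch.tv", "twitch.tv" or "justin.tv/", or
 *  - the flow uses TCP port 1935 and a www.twitch.tv Host header was seen
 *    earlier (see the note on `flag` below).
 * Otherwise the protocol is excluded for this flow.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
void ndpi_search_justin_twitch(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t ii;
  /* NOTE(review): function-scope static, so it is shared by every flow this
   * process handles (and by every thread). Once any flow has shown a
   * www.twitch.tv Host header, all later port-1935 flows are tagged Twitch.
   * Kept to preserve behaviour; per-flow state (flow->l4.tcp.justin_twitch_stage
   * is already written below) or per-endpoint state would be the fix. */
  static u_int16_t flag = 0;
  u_int16_t dport = 0, sport = 0;

  if (packet->tcp != NULL) {
    sport = ntohs(packet->tcp->source);
    dport = ntohs(packet->tcp->dest);

    /* RTMP port after a twitch Host header was seen: classify without payload inspection */
    if ((sport == 1935 || dport == 1935) && flag == 1) {
      ndpi_int_justin_add_connection(ndpi_struct, flow);
      return;
    }

    if ((packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /")
         && memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)
        || (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /")
            && memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0)) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->host_line.ptr != NULL
          && packet->host_line.len == NDPI_STATICSTRING_LEN("www.twitch.tv")
          && memcmp(packet->host_line.ptr, "www.twitch.tv", NDPI_STATICSTRING_LEN("www.twitch.tv")) == 0) {
        flow->l4.tcp.justin_twitch_stage = 1;
        flag = 1;
        ndpi_int_justin_add_connection(ndpi_struct, flow);
        return;
      }
    }
  }

  /* Substring scans. Each memcmp reads the bytes *after* payload[ii], so the
   * number of remaining bytes is checked first: the previous loops ran ii up
   * to the last byte and then compared 8-12 bytes past the end of the payload. */
  for (ii = 0; ii < packet->payload_packet_len; ++ii) {
    const u_int16_t left = packet->payload_packet_len - ii - 1; /* bytes after payload[ii] */

    if (packet->payload[ii] == 'a'
        && left >= NDPI_STATICSTRING_LEN("pi.twitch.tv")
        && memcmp(&packet->payload[ii + 1], "pi.twitch.tv", NDPI_STATICSTRING_LEN("pi.twitch.tv")) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "twitch detected.\n");
      ndpi_int_justin_add_connection(ndpi_struct, flow);
      return;
    }
    if (packet->payload[ii] == 't'
        && left >= NDPI_STATICSTRING_LEN("witch.tv")
        && memcmp(&packet->payload[ii + 1], "witch.tv", NDPI_STATICSTRING_LEN("witch.tv")) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "twitch detected.\n");
      ndpi_int_justin_add_connection(ndpi_struct, flow);
      return;
    }
  }

  for (ii = 0; ii < packet->payload_packet_len; ++ii) {
    const u_int16_t left = packet->payload_packet_len - ii - 1; /* bytes after payload[ii] */

    if (packet->payload[ii] == 'j'
        && left >= NDPI_STATICSTRING_LEN("ustin.tv/")
        && memcmp(&packet->payload[ii + 1], "ustin.tv/", NDPI_STATICSTRING_LEN("ustin.tv/")) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "justin detected.\n");
      ndpi_int_justin_add_connection(ndpi_struct, flow);
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_JUSTIN_TWITCH);
}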
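/*
 * Icecast dissector (TCP).
 *
 * Two signals are checked:
 *  1. A client "SOURCE " request shorter than 500 bytes (or a flow already
 *     at icecast_stage) whose header lines include one starting with "ice-".
 *  2. A server reply whose Server: header starts with "Icecast", looked at
 *     once the setup direction has sent at least 10 packets.
 * Anything else excludes the protocol for the flow.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
static void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  /* u_int16_t rather than u_int8_t: the bound is parsed_unix_lines, and an
   * 8-bit index wraps to 0 at 256 without ever reaching a larger count. */
  u_int16_t i;

  NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "search icecast.\n");

  if ((packet->payload_packet_len < 500 && packet->payload_packet_len >= 7
       && ndpi_mem_cmp(packet->payload, "SOURCE ", 7) == 0)
      || flow->l4.tcp.icecast_stage) {
    ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_unix_lines);

    for (i = 0; i < packet->parsed_unix_lines; i++) {
      if (packet->unix_line[i].ptr != NULL && packet->unix_line[i].len > 4
          && ndpi_mem_cmp(packet->unix_line[i].ptr, "ice-", 4) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n");
        ndpi_int_icecast_add_connection(ndpi_struct, flow);
        return;
      }
    }

    /* no parsable line yet: remember the SOURCE request and wait for more */
    if (packet->parsed_unix_lines < 1 && !flow->l4.tcp.icecast_stage) {
      flow->l4.tcp.icecast_stage = 1;
      return;
    }
  }

#ifdef NDPI_PROTOCOL_HTTP
  if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) {
    goto icecast_exclude;
  }
#endif

  if (packet->packet_direction == flow->setup_packet_direction && flow->packet_counter < 10) {
    return;
  }

  if (packet->packet_direction != flow->setup_packet_direction) {
    /* server answer, now test Server for Icecast */
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->server_line.ptr != NULL
        && packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast")
        && memcmp(packet->server_line.ptr, "Icecast", NDPI_STATICSTRING_LEN("Icecast")) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n");
      /* TODO maybe store the previous protocol type as subtype?
       * e.g. ogg or mpeg */
      ndpi_int_icecast_add_connection(ndpi_struct, flow);
      return;
    }
  }

icecast_exclude:
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ICECAST);
  NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast excluded.\n");
}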
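static inline
#else
__forceinline static
#endif
/*
 * Thunder (Xunlei) dissector, TCP side.
 *
 * Two shapes are recognised:
 *  - the binary handshake: first byte 0x30..0x3f followed by three zero
 *    bytes; the flow is classified on the fourth such packet (thunder_stage
 *    counts 0..3 first);
 *  - an HTTP "POST / HTTP/1.1" with Content-Type application/octet-stream
 *    whose body, right after the empty line, starts with that same handshake.
 * Anything else excludes the protocol for the flow.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->payload_packet_len > 8
      && packet->payload[0] >= 0x30 && packet->payload[0] < 0x40
      && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) {
    if (flow->thunder_stage == 3) {
      NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER tcp detected\n");
      ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    flow->thunder_stage++;
    NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
             "maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage);
    return;
  }

  if (flow->thunder_stage == 0 && packet->payload_packet_len > 17
      && memcmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
             "maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n",
             packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position);

    if (packet->empty_line_position_set != 0
        && packet->content_line.ptr != NULL && packet->content_line.len == 24
        && memcmp(packet->content_line.ptr, "application/octet-stream", 24) == 0
        /* Bounds the payload[empty_line_position + 2..5] reads below. The
         * previous code compared the *_set flag (0/1) against the length,
         * which is always true here, so the body reads were unbounded. */
        && packet->empty_line_position < (packet->payload_packet_len - 8)
        && packet->payload[packet->empty_line_position + 2] >= 0x30
        && packet->payload[packet->empty_line_position + 2] < 0x40
        && packet->payload[packet->empty_line_position + 3] == 0x00
        && packet->payload[packet->empty_line_position + 4] == 0x00
        && packet->payload[packet->empty_line_position + 5] == 0x00) {
      NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
               "maybe thunder http POST packet application does match\n");
      ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "excluding thunder tcp at stage %u\n", flow->thunder_stage);
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER);
}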
static inline
#else
__forceinline static
#endif
/*
 * Thunder (Xunlei) dissector, HTTP side.
 *
 * For a flow already classified as Thunder, refreshes the last-seen
 * timestamp of whichever endpoint (src first, then dst) was active within
 * thunder_timeout. Otherwise, an HTTP "GET /" from or to an endpoint that
 * already ran Thunder is classified as correlated Thunder when its header
 * lines 1..5 and User-Agent match the fixed download-client fingerprint.
 *
 * @param ndpi_struct  detection module; thunder_timeout is read from it
 * @param flow         flow under inspection; flow->packet is the current packet
 */
void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  /* Header lines 1..5 of the download request, in order. A line matches when
   * it is at least min_len bytes long and its first cmp_len bytes equal text. */
  static const struct {
    const char *text;
    u_int16_t min_len;
    u_int16_t cmp_len;
  } expected_line[] = {
    { "Accept: */*",             11, 11 },
    { "Cache-Control: no-cache", 23, 23 },
    { "Connection: close",       17, 17 },
    { "Host: ",                   7,  6 },
    { "Pragma: no-cache",        16, 16 },
  };
  const size_t expected_count = sizeof expected_line / sizeof expected_line[0];
  size_t idx;

  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_THUNDER) {
    if (src != NULL && ((u_int32_t)(packet->tick_timestamp - src->thunder_ts) < ndpi_struct->thunder_timeout)) {
      NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "thunder : save src connection packet detected\n");
      src->thunder_ts = packet->tick_timestamp;
    } else if (dst != NULL && ((u_int32_t)(packet->tick_timestamp - dst->thunder_ts) < ndpi_struct->thunder_timeout)) {
      NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "thunder : save dst connection packet detected\n");
      dst->thunder_ts = packet->tick_timestamp;
    }
    return;
  }

  /* only GETs involving an endpoint already known to run Thunder are candidates */
  if (packet->payload_packet_len <= 5
      || memcmp(packet->payload, "GET /", 5) != 0
      || !(NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER))) {
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
  ndpi_parse_packet_line_info(ndpi_struct, flow);

  if (packet->parsed_lines <= 7 || packet->parsed_lines >= 11) {
    return;
  }
  for (idx = 0; idx < expected_count; idx++) {
    if (packet->line[idx + 1].len < expected_line[idx].min_len
        || memcmp(packet->line[idx + 1].ptr, expected_line[idx].text, expected_line[idx].cmp_len) != 0) {
      return;
    }
  }
  if (packet->user_agent_line.ptr == NULL
      || packet->user_agent_line.len <= 49
      || memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 50) != 0) {
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "Thunder HTTP download detected, adding flow.\n");
  ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
}
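/*
 * FastTrack / Kazaa dissector (TCP).
 *
 * Only packets ending in CR LF are considered. Two shapes are recognised:
 *  - "GIVE <digits>\r\n": the argument must be entirely numeric;
 *  - an HTTP "GET /" longer than 50 bytes with an "X-Kazaa-Username: " line
 *    or a "User-Agent: PeerEnabler/" line.
 * Anything else excludes the protocol for the flow.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->payload_packet_len > 6
      && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) {
    NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "detected 0d0a at the end of the packet.\n");

    if (memcmp(packet->payload, "GIVE ", 5) == 0 && packet->payload_packet_len >= 8) {
      u_int16_t i;
      /* everything between "GIVE " and the trailing CR LF must be a digit */
      for (i = 5; i < (packet->payload_packet_len - 2); i++) {
        if (!(packet->payload[i] >= '0' && packet->payload[i] <= '9')) {
          goto exclude_fasttrack;
        }
      }
      NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "FASTTRACK GIVE DETECTED\n");
      ndpi_int_fasttrack_add_connection(ndpi_struct, flow);
      return;
    }

    if (packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /", 5) == 0) {
      /* u_int16_t rather than u_int8_t: an 8-bit index wraps at 256 and
       * would never reach a larger parsed_lines count */
      u_int16_t a;
      NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "detected GET /. \n");
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      for (a = 0; a < packet->parsed_lines; a++) {
        /* NOTE(review): the length guard of the second alternative was
         * unreadable in the copy under review; 23 (i.e. at least 24 bytes)
         * matches the 24-byte compare that follows, mirroring the first
         * alternative's 17/18 pairing — confirm against upstream. */
        if ((packet->line[a].len > 17
             && memcmp(packet->line[a].ptr, "X-Kazaa-Username: ", 18) == 0)
            || (packet->line[a].len > 23
                && memcmp(packet->line[a].ptr, "User-Agent: PeerEnabler/", 24) == 0)) {
          NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE,
                   "detected X-Kazaa-Username: || User-Agent: PeerEnabler/\n");
          ndpi_int_fasttrack_add_connection(ndpi_struct, flow);
          return;
        }
      }
    }
  }

exclude_fasttrack:
  NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "fasttrack/kazaa excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FASTTRACK);
}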
/*
 * OpenFT dissector (TCP).
 *
 * An HTTP "GET /" whose second header line starts with "X-OpenftAlias:" is
 * classified as OpenFT; every other packet excludes the protocol for the flow.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
static void ndpi_search_openft_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->payload_packet_len <= 5 || memcmp(packet->payload, "GET /", 5) != 0) {
    goto exclude_openft;
  }

  NDPI_LOG(NDPI_PROTOCOL_OPENFT, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
  ndpi_parse_packet_line_info(ndpi_struct, flow);

  if (packet->parsed_lines < 2
      || packet->line[1].len <= 13
      || ndpi_mem_cmp(packet->line[1].ptr, "X-OpenftAlias:", 14) != 0) {
    goto exclude_openft;
  }

  NDPI_LOG(NDPI_PROTOCOL_OPENFT, ndpi_struct, NDPI_LOG_DEBUG, "OpenFT detected.\n");
  ndpi_int_openft_add_connection(ndpi_struct, flow);
  return;

exclude_openft:
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OPENFT);
}
/*
 * Parse the HTTP header lines of the current packet and classify the flow as
 * correlated aimini when is_special_aimini_host() accepts the Host header.
 *
 * @return 1 when the flow was classified, 0 otherwise
 */
static int ndpi_int_aimini_classify_on_special_host(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  ndpi_parse_packet_line_info(ndpi_struct, flow);
  if (is_special_aimini_host(packet->host_line) != 1) {
    return 0;
  }

  NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "AIMINI HTTP traffic detected.\n");
  ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
  return 1;
}

/*
 * Aimini dissector.
 *
 * UDP: a per-flow state machine keyed on (payload length, first 16-bit word
 * in network order). The first packet selects one of six chronologies
 * (stage 1, 4, 7, 10, 13 or 16); each chronology then needs a fixed number
 * of further matching packets before the flow is classified as
 * NDPI_PROTOCOL_AIMINI. A packet that fits no step excludes the protocol.
 *
 * TCP: HTTP requests are classified as correlated aimini traffic when the
 * path starts with /player/ or /play/?fid= and the Host ends in
 * ".aimini.net", or when the path starts with /play/, /download/ or /upload/
 * and is_special_aimini_host() accepts the Host header.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
static void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  const u_int16_t plen = packet->payload_packet_len;
  /* First payload word, host order; 0 when there is no full word. Every UDP
   * step below also requires plen >= 16, so a short packet never matches. */
  const u_int16_t word = (plen >= 2) ? ntohs(get_u_int16_t(packet->payload, 0)) : 0;

  NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "search aimini.\n");

  if (packet->udp != NULL) {
    switch (flow->l4.udp.aimini_stage) {
    case 0:
      /* first packet: select the chronology to follow */
      if (plen == 64 && word == 0x010b) {
        flow->l4.udp.aimini_stage = 1;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 1.\n");
        return;
      }
      if (plen == 136 && (word == 0x01c9 || word == 0x0165)) {
        flow->l4.udp.aimini_stage = 4;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 4.\n");
        return;
      }
      if (plen == 88 && word == 0x0101) {
        flow->l4.udp.aimini_stage = 7;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 7.\n");
        return;
      }
      if (plen == 104 && word == 0x0102) {
        flow->l4.udp.aimini_stage = 10;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 10.\n");
        return;
      }
      if (plen == 32 && word == 0x01ca) {
        flow->l4.udp.aimini_stage = 13;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 13.\n");
        return;
      }
      if (plen == 16 && word == 0x010c) {
        flow->l4.udp.aimini_stage = 16;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 16.\n");
        return;
      }
      break;

    /* first chronology (len, value): (64, 0x010b), (>100, 0x0115),
     * (16, 0x010c || 64, 0x010b || 88, 0x0115), (16, 0x010c || 64, 0x010b || >100, 0x0115) */
    case 1:
      if (plen > 100 && word == 0x0115) {
        flow->l4.udp.aimini_stage = 2;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 2.\n");
        return;
      }
      break;
    case 2:
      if ((plen == 16 && word == 0x010c) || (plen == 64 && word == 0x010b) || (plen == 88 && word == 0x0115)) {
        flow->l4.udp.aimini_stage = 3;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 3.\n");
        return;
      }
      break;
    case 3:
      if ((plen == 16 && word == 0x010c) || (plen == 64 && word == 0x010b) || (plen > 100 && word == 0x0115)) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
                 "found aimini (64, 0x010b), (>300, 0x0115), (16, 0x010c || 64, 0x010b), (16, 0x010c || 64, 0x010b || >100, 0x0115).\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      break;

    /* second chronology (len, value): (136, 0x01c9), (136, 0x01c9), (136, 0x01c9),
     * (136, 0x01c9 || 32, 0x01ca) */
    case 4:
      if (plen == 136 && (word == 0x01c9 || word == 0x0165)) {
        flow->l4.udp.aimini_stage = 5;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 5.\n");
        return;
      }
      break;
    case 5:
      if (plen == 136 && (word == 0x01c9 || word == 0x0165)) {
        flow->l4.udp.aimini_stage = 6;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 6.\n");
        return;
      }
      break;
    case 6:
      if ((plen == 136 && (word == 0x0165 || word == 0x01c9)) || (plen == 32 && word == 0x01ca)) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
                 "found aimini (136, 0x01c9), (136, 0x01c9),(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca).\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      break;

    /* third chronology (len, value): (88, 0x0101) four times */
    case 7:
      if (plen == 88 && word == 0x0101) {
        flow->l4.udp.aimini_stage = 8;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 8.\n");
        return;
      }
      break;
    case 8:
      if (plen == 88 && word == 0x0101) {
        flow->l4.udp.aimini_stage = 9;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 9.\n");
        return;
      }
      break;
    case 9:
      if (plen == 88 && word == 0x0101) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
                 "found aimini (88, 0x0101), (88, 0x0101),(88, 0x0101),(88, 0x0101).\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      break;

    /* fourth chronology (len, value): (104, 0x0102) four times */
    case 10:
      if (plen == 104 && word == 0x0102) {
        flow->l4.udp.aimini_stage = 11;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 11.\n");
        return;
      }
      break;
    case 11:
      if (plen == 104 && word == 0x0102) {
        flow->l4.udp.aimini_stage = 12;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 12.\n");
        return;
      }
      break;
    case 12:
      if ((plen == 104 && word == 0x0102) || (plen == 32 && word == 0x01ca)) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
                 "found aimini (104, 0x0102), (104, 0x0102), (104, 0x0102), (104, 0x0102).\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      break;

    /* fifth chronology (len, value): (32, 0x01ca), (32, 0x01ca), (32, 0x01ca),
     * ((136, 0x0166) || (32, 0x01ca)) */
    case 13:
      if (plen == 32 && word == 0x01ca) {
        flow->l4.udp.aimini_stage = 14;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 14.\n");
        return;
      }
      break;
    case 14:
      if ((plen == 32 && word == 0x01ca) || (plen == 136 && word == 0x0166)) {
        flow->l4.udp.aimini_stage = 15;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 15.\n");
        return;
      }
      break;
    case 15:
      if ((plen == 136 && word == 0x0166) || (plen == 32 && word == 0x01ca)) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
                 "found aimini (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166)||(32,0x01ca)).\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      break;

    /* sixth chronology (len, value): (16, 0x010c) four times */
    case 16:
      if (plen == 16 && word == 0x010c) {
        flow->l4.udp.aimini_stage = 17;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 17.\n");
        return;
      }
      break;
    case 17:
      if (plen == 16 && word == 0x010c) {
        flow->l4.udp.aimini_stage = 18;
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 18.\n");
        return;
      }
      break;
    case 18:
      if (plen == 16 && word == 0x010c) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
                 "found aimini (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c).\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      break;

    default:
      break;
    }
  } else if (packet->tcp != NULL) {
    if ((plen > NDPI_STATICSTRING_LEN("GET /player/")
         && memcmp(packet->payload, "GET /player/", NDPI_STATICSTRING_LEN("GET /player/")) == 0)
        || (plen > NDPI_STATICSTRING_LEN("GET /play/?fid=")
            && memcmp(packet->payload, "GET /play/?fid=", NDPI_STATICSTRING_LEN("GET /play/?fid=")) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      /* Host must end in ".aimini.net" */
      if (packet->host_line.ptr != NULL && packet->host_line.len > 11
          && memcmp(&packet->host_line.ptr[packet->host_line.len - 11], ".aimini.net", 11) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "AIMINI HTTP traffic detected.\n");
        ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    }

    if (plen > 100) {
      if (memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0) {
        const void *path = &packet->payload[NDPI_STATICSTRING_LEN("GET /")];
        if ((memcmp(path, "play/", NDPI_STATICSTRING_LEN("play/")) == 0
             || memcmp(path, "download/", NDPI_STATICSTRING_LEN("download/")) == 0)
            && ndpi_int_aimini_classify_on_special_host(ndpi_struct, flow)) {
          return;
        }
      } else if (memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0) {
        const void *path = &packet->payload[NDPI_STATICSTRING_LEN("POST /")];
        if (memcmp(path, "upload/", NDPI_STATICSTRING_LEN("upload/")) == 0
            && ndpi_int_aimini_classify_on_special_host(ndpi_struct, flow)) {
          return;
        }
      }
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "exclude aimini.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AIMINI);
}
/*
 * Shared tail of the three TCP decision points in ndpi_search_veohtv_tcp():
 * a stage-2 flow has already had its chance and is excluded, any other flow
 * that reaches this point is classified as correlated VeohTV.
 */
static void ndpi_int_veohtv_settle_tcp_stage(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  if (flow->l4.tcp.veoh_tv_stage == 2) {
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV);
    return;
  }
  NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV, ndpi_struct, NDPI_LOG_DEBUG, "VeohTV detected.\n");
  ndpi_int_veohtv_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
}

/*
 * VeohTV dissector.
 *
 * TCP flows at veoh_tv_stage 1 or 2 (set elsewhere) are decided here: an
 * HTTP 2xx-5xx reply from the server (optionally confirmed through a
 * "Veoh-" Server header when Flash content detection is compiled in), more
 * than three reply-direction packets, or more than ten packets in total.
 * UDP packets of 28 bytes with the fixed words 0x21 / 0x00 / 0x01040000 at
 * offsets 16/20/24 are classified directly. Anything else excludes the
 * protocol for the flow.
 *
 * @param ndpi_struct  detection module, passed through to helpers and logging
 * @param flow         flow under inspection; flow->packet is the current packet
 */
void ndpi_search_veohtv_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV) {
    return;
  }

  if (flow->l4.tcp.veoh_tv_stage == 1 || flow->l4.tcp.veoh_tv_stage == 2) {
    /* index of the direction opposite to the flow's setup direction */
    const int reply_dir = (flow->setup_packet_direction == 1) ? 0 : 1;
    const int is_reply = packet->packet_direction != flow->setup_packet_direction;
    const int has_http_status =
      packet->payload_packet_len > NDPI_STATICSTRING_LEN("HTTP/1.1 20")
      && memcmp(packet->payload, "HTTP/1.1 ", NDPI_STATICSTRING_LEN("HTTP/1.1 ")) == 0
      && (packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")] == '2'
          || packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")] == '3'
          || packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")] == '4'
          || packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")] == '5');

    if (is_reply && has_http_status) {
#ifdef NDPI_CONTENT_FLASH
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->detected_protocol_stack[0] == NDPI_CONTENT_FLASH
          && packet->server_line.ptr != NULL
          && packet->server_line.len > NDPI_STATICSTRING_LEN("Veoh-")
          && memcmp(packet->server_line.ptr, "Veoh-", NDPI_STATICSTRING_LEN("Veoh-")) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV, ndpi_struct, NDPI_LOG_DEBUG, "VeohTV detected.\n");
        ndpi_int_veohtv_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
#endif
      ndpi_int_veohtv_settle_tcp_stage(ndpi_struct, flow);
      return;
    }

    if (flow->packet_direction_counter[reply_dir] > 3) {
      ndpi_int_veohtv_settle_tcp_stage(ndpi_struct, flow);
      return;
    }

    if (flow->packet_counter > 10) {
      ndpi_int_veohtv_settle_tcp_stage(ndpi_struct, flow);
    }
    return;
  }

  if (packet->udp) {
    /* UDP packets from Veoh Client Player
     *
     * packet starts with 16 byte random? value
     * then a 4 byte mode value
     * values between 21 and 26 has been seen
     * then a 4 byte counter */
    if (packet->payload_packet_len == 28
        && get_u_int32_t(packet->payload, 16) == htonl(0x00000021)
        && get_u_int32_t(packet->payload, 20) == htonl(0x00000000)
        && get_u_int32_t(packet->payload, 24) == htonl(0x01040000)) {
      NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV, ndpi_struct, NDPI_LOG_DEBUG, "UDP VeohTV found.\n");
      ndpi_int_veohtv_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV);
}
static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; u_int16_t plen; u_int16_t status = 0; NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "search msn tcp.\n"); #ifdef NDPI_PROTOCOL_SSL if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn ssl ft test\n"); if (flow->packet_counter < 10) { } if (flow->packet_counter == 7 && packet->payload_packet_len > 300) { if (memcmp(packet->payload + 24, "MSNSLP", 6) == 0 || (get_u_int32_t(packet->payload, 0) == htonl(0x30000000) && get_u_int32_t(packet->payload, 4) == 0x00000000)) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "detected MSN File Transfer, ifdef ssl.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } } if (flow->packet_counter >= 5 && flow->packet_counter <= 10 && (get_u_int32_t(packet->payload, 0) == htonl(0x18000000) && get_u_int32_t(packet->payload, 4) == 0x00000000)) { flow->l4.tcp.msn_ssl_ft++; NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "increased msn ft ssl stage to: %u at packet nr: %u\n", flow->l4.tcp.msn_ssl_ft, flow->packet_counter); if (flow->l4.tcp.msn_ssl_ft == 2) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "detected MSN File Transfer, ifdef ssl 2.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); } return; } } #endif /* we detect the initial connection only ! */ /* match: "VER " ..... "CVR" x 0x0d 0x0a * len should be small, lets say less than 100 bytes * x is now "0", but can be increased */ /* now we have a look at the first packet only. 
*/ if (flow->packet_counter == 1 #ifdef NDPI_PROTOCOL_SSL || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) && flow->packet_counter <= 3) #endif ) { /* this part is working asymmetrically */ if (packet->payload_packet_len > 32 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x00) && (ntohl(get_u_int32_t(packet->payload, 8)) == 0x2112a442 || ntohl(get_u_int32_t(packet->payload, 4)) == 0x2112a442) && ((ntohl(get_u_int32_t(packet->payload, 24)) == 0x000f0004 && ntohl(get_u_int32_t(packet->payload, 28)) == 0x72c64bc6) || (ntohl(get_u_int32_t(packet->payload, 20)) == 0x000f0004 && ntohl(get_u_int32_t(packet->payload, 24)) == 0x72c64bc6))) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN in packets that also contain voice.messenger.live.com.\n"); /* TODO this is an alternative pattern for video detection */ /* if (packet->payload_packet_len > 100 && get_u_int16_t(packet->payload, 86) == htons(0x05dc)) { */ if (packet->payload_packet_len > 101 && packet->payload[101] == 0x02) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); } else { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); } return; } /* this case works asymmetrically */ if (packet->payload_packet_len > 10 && packet->payload_packet_len < 100) { if (get_u_int8_t(packet->payload, packet->payload_packet_len - 2) == 0x0d && get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a) { /* The MSNP string is used in XBOX clients. 
*/ if (memcmp(packet->payload, "VER ", 4) == 0) { if (memcmp(&packet->payload[packet->payload_packet_len - 6], "CVR", 3) == 0 || memcmp(&packet->payload[packet->payload_packet_len - 8], "MSNP", 4) == 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN by pattern VER...CVR/MSNP ODOA.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } if (memcmp(&packet->payload[4], "MSNFT", 5) == 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN FT by pattern VER MSNFT...0d0a.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } } } } if ( #ifdef NDPI_PROTOCOL_HTTP packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || #endif memcmp(packet->payload, "GET ", NDPI_STATICSTRING_LEN("GET ")) == 0 || memcmp(packet->payload, "POST ", NDPI_STATICSTRING_LEN("POST ")) == 0) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Messenger/") && memcmp(packet->user_agent_line.ptr, "Messenger/", NDPI_STATICSTRING_LEN("Messenger/")) == 0) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } } #ifdef NDPI_PROTOCOL_HTTP /* we have to examine two http packets */ if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) { } #endif /* not seen this pattern in any trace */ /* now test for http login, at least 100 a bytes packet */ if (packet->payload_packet_len > 100) { if ( #ifdef NDPI_PROTOCOL_HTTP packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || #endif memcmp(packet->payload, "POST http://", 12) == 0) { /* scan packet if not already done... 
*/ ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->content_line.ptr != NULL && ((packet->content_line.len == NDPI_STATICSTRING_LEN("application/x-msn-messenger") && memcmp(packet->content_line.ptr, "application/x-msn-messenger", NDPI_STATICSTRING_LEN("application/x-msn-messenger")) == 0) || (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") && memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN by pattern POST http:// .... application/x-msn-messenger.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } } } /* now test for http login that uses a gateway, at least 400 a bytes packet */ /* for this case the asymmetric detection is asym (1) */ if (packet->payload_packet_len > 400) { if (( #ifdef NDPI_PROTOCOL_HTTP packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || #endif (memcmp(packet->payload, "POST ", 5) == 0))) { u_int16_t c; if (memcmp(&packet->payload[5], "http://", 7) == 0) { /* * We are searching for a paten "POST http://gateway.messenger.hotmail.com/gateway/gateway.dll" or * "POST http://<some ip addres here like 172.0.0.0>/gateway/gateway.dll" * POST http:// is 12 byte so we are searching for 13 to 70 byte for this paten. 
*/ for (c = 13; c < 50; c++) { if (memcmp(&packet->payload[c], "/", 1) == 0) { if (memcmp(&packet->payload[c], "/gateway/gateway.dll", 20) == 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found pattern http://.../gateway/gateway.ddl.\n"); status = 1; break; } } } } else if ((memcmp(&packet->payload[5], "/gateway/gateway.dll", 20) == 0)) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found pattern http://.../gateway/gateway.ddl.\n"); status = 1; } } if (status) { u_int16_t a; ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->content_line.ptr != NULL && ((packet->content_line.len == 23 && memcmp(packet->content_line.ptr, "text/xml; charset=utf-8", 23) == 0) || (packet->content_line.len == 24 && memcmp(packet->content_line.ptr, "text/html; charset=utf-8", 24) == 0) || (packet->content_line.len == 33 && memcmp(packet->content_line.ptr, "application/x-www-form-urlencoded", 33) == 0) )) { if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0) || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0)) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern text/xml; charset=utf-8.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } for (a = 0; a < packet->parsed_lines; a++) { if (packet->line[a].len >= 4 && (memcmp(packet->line[a].ptr, "CVR ", 4) == 0 || memcmp(packet->line[a].ptr, "VER ", 4) == 0 || memcmp(packet->line[a].ptr, "ANS ", 4) == 0)) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern text/sml; charset0utf-8.\n"); NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN xml CVS / VER / ANS found\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } } } } } /* asym (1) ; possibly occurs in symmetric cases also. 
*/ if (flow->packet_counter <= 10 && (flow->packet_direction_counter[0] <= 2 || flow->packet_direction_counter[1] <= 2) && packet->payload_packet_len > 100) { /* not necessary to check the length, because this has been done : >400. */ if ( #ifdef NDPI_PROTOCOL_HTTP packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || #endif (memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) || (memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0) ) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->content_line.ptr != NULL && ((packet->content_line.len == NDPI_STATICSTRING_LEN("application/x-msn-messenger") && memcmp(packet->content_line.ptr, "application/x-msn-messenger", NDPI_STATICSTRING_LEN("application/x-msn-messenger")) == 0) || (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") && memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... application/x-msn-messenger.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } if (ndpi_int_find_xmsn(ndpi_struct, flow) == 1) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... X-MSN.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } } } /* did not find any trace with this pattern !!!!! 
*/ /* now block proxy connection */ if (packet->payload_packet_len >= 42) { if (memcmp(packet->payload, "CONNECT messenger.hotmail.com:1863 HTTP/1.", 42) == 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern CONNECT messenger.hotmail.com:1863 HTTP/1..\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } } if (packet->payload_packet_len >= 18) { if (memcmp(packet->payload, "USR ", 4) == 0 || memcmp(packet->payload, "ANS ", 4) == 0) { /* now we must see a number */ const u_int16_t endlen = packet->payload_packet_len - 12; plen = 4; while (1) { if (packet->payload[plen] == ' ') { break; } if (packet->payload[plen] < '0' || packet->payload[plen] > '9') { goto ndpi_msn_exclude; } plen++; if (plen >= endlen) { goto ndpi_msn_exclude; } } while (plen < endlen) { if (ndpi_check_for_email_address(ndpi_struct, flow, plen) != 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found mail address\n"); break; } if (packet->payload_packet_len > plen + 1 && (packet->payload[plen] < 20 || packet->payload[plen] > 128)) { goto ndpi_msn_exclude; } plen++; if (plen >= endlen) { goto ndpi_msn_exclude; } } NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern USR/ANS ...mail_address.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } } } /* finished examining the first packet only. */ /* asym (1) ; possibly occurs in symmetric cases also. */ if (flow->packet_counter <= 10 && (flow->packet_direction_counter[0] <= 2 || flow->packet_direction_counter[1] <= 2) && packet->payload_packet_len > 100) { /* not necessary to check the length, because this has been done : >400. 
*/ if ( #ifdef NDPI_PROTOCOL_HTTP packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || #endif (memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) || (memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0) ) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->content_line.ptr != NULL && ((packet->content_line.len == NDPI_STATICSTRING_LEN("application/x-msn-messenger") && memcmp(packet->content_line.ptr, "application/x-msn-messenger", NDPI_STATICSTRING_LEN("application/x-msn-messenger")) == 0) || (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") && memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... application/x-msn-messenger.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } if (ndpi_int_find_xmsn(ndpi_struct, flow) == 1) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... X-MSN.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL); return; } } } /* finished examining the secone packet only */ /* direct user connection (file transfer,...) 
*/ if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0) || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0)) { if (flow->packet_counter == 1 && packet->payload_packet_len > 12 && memcmp(packet->payload, "recipientid=", 12) == 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "detected file transfer.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } } /* MSN File Transfer of MSN 8.1 and 8.5 * first packet with length 4 and pattern 0x04000000 * second packet (in the same direction), with length 56 and pattern 0x00000000 from payload[16] * third packet (in the opposite direction to 1 & 2), with length 4 and pattern 0x30000000 */ if (flow->l4.tcp.msn_stage == 0) { /* asymmetric detection to this pattern is asym (2) */ if ((packet->payload_packet_len == 4 || packet->payload_packet_len == 8) && get_u_int32_t(packet->payload, 0) == htonl(0x04000000)) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "maybe first TCP MSN detected\n"); if (packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 4) == htonl(0x666f6f00)) { flow->l4.tcp.msn_stage = 5 + packet->packet_direction; return; } flow->l4.tcp.msn_stage = 1 + packet->packet_direction; return; } /* asymmetric detection to this pattern is asym (2) */ } else if (flow->l4.tcp.msn_stage == 1 + packet->packet_direction) { if (packet->payload_packet_len > 10 && get_u_int32_t(packet->payload, 0) == htonl(0x666f6f00)) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 1\n"); return; } /* did not see this pattern in any trace */ if (packet->payload_packet_len == 56 && get_u_int32_t(packet->payload, 16) == 0) { NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "maybe Second TCP MSN detected\n"); flow->l4.tcp.msn_stage = 3 + 
packet->packet_direction; return; } } else if (flow->l4.tcp.msn_stage == 2 - packet->packet_direction && packet->payload_packet_len == 4 && get_u_int32_t(packet->payload, 0) == htonl(0x30000000)) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 2\n"); return; } else if ((flow->l4.tcp.msn_stage == 3 + packet->packet_direction) || (flow->l4.tcp.msn_stage == 4 - packet->packet_direction)) { if (packet->payload_packet_len == 4 && get_u_int32_t(packet->payload, 0) == htonl(0x30000000)) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 2\n"); return; } } else if (flow->l4.tcp.msn_stage == 6 - packet->packet_direction) { if ((packet->payload_packet_len == 4) && (get_u_int32_t(packet->payload, 0) == htonl(0x10000000) || get_u_int32_t(packet->payload, 0) == htonl(0x30000000))) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n"); return; } } else if (flow->l4.tcp.msn_stage == 5 + packet->packet_direction) { if ((packet->payload_packet_len == 20) && get_u_int32_t(packet->payload, 0) == htonl(0x10000000)) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n"); return; } } NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn 7.\n"); if (flow->packet_counter <= MAX_PACKETS_FOR_MSN) { if (packet->tcp->source == htons(443) || packet->tcp->dest == htons(443)) { if (packet->payload_packet_len > 300) { if (memcmp(&packet->payload[40], "INVITE MSNMSGR", 14) == 0 || memcmp(&packet->payload[56], "INVITE MSNMSGR", 14) == 0 || memcmp(&packet->payload[172], "INVITE MSNMSGR", 14) == 0) { ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); 
NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n"); return; } } return; } /* For no n port 443 flows exclude flow bitmask after first packet itself */ } NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "exclude msn.\n"); ndpi_msn_exclude: NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSN); }
/* true when c is an ASCII hexadecimal digit (0-9, a-f, A-F) */
static int ndpi_ipp_is_hex_char(u_int8_t c) {
  return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

/* true when c is an ASCII decimal digit */
static int ndpi_ipp_is_dec_char(u_int8_t c) {
  return c >= '0' && c <= '9';
}

/*
 * IPP (Internet Printing Protocol) dissector.
 *
 * Two patterns are tried on the current packet, in order:
 *  1. a printer status line "<number(1-8 chars)> <number(1-3 chars)> ipp://",
 *     only attempted when the payload is longer than 20 bytes; the scan
 *     below never indexes past offset 19, so that single length guard
 *     covers every payload read in this branch;
 *  2. an HTTP "POST" whose Content-Type line starts with "application/ipp".
 *
 * On a match the flow is tagged through ndpi_int_ipp_add_connection() and the
 * function returns; otherwise IPP is added to the flow's excluded bitmask.
 */
void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  const u_int8_t *p = packet->payload;
  u_int8_t pos;

  NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "search ipp\n");

  if (packet->payload_packet_len > 20) {
    NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG,
             "searching for a payload with a pattern like 'number(1to8)blanknumber(1to3)ipp://.\n");
    /* this pattern means that there is a printer saying that his state is idle,
     * means that he is not printing anything at the moment */

    /* first field: a leading decimal digit, then up to 7 more hex digits */
    if (!ndpi_ipp_is_dec_char(p[0])) {
      NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "payload does not begin with a number.\n");
      goto search_for_next_pattern;
    }
    pos = 1;
    while (pos <= 8 && ndpi_ipp_is_hex_char(p[pos])) {
      pos++;
    }
    NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "read symbols while the symbol is a number.\n");

    /* exactly one blank separates the two fields (pos <= 9 here) */
    if (p[pos] != ' ') {
      NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "there is no blank following the number.\n");
      goto search_for_next_pattern;
    }
    pos++;

    /* second field: decimal digits only, scanned up to offset 12 */
    if (!ndpi_ipp_is_dec_char(p[pos])) {
      NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "no number following the blank.\n");
      goto search_for_next_pattern;
    }
    pos++;
    while (pos <= 12 && ndpi_ipp_is_dec_char(p[pos])) {
      pos++;
    }
    NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "read symbols while the symbol is a number.\n");

    /* pos is at most 13, so this 7-byte compare ends at offset 19, inside
     * the 21+ bytes guaranteed by the length check above */
    if (memcmp(&p[pos], " ipp://", 7) != 0) {
      NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "the string ' ipp://' does not follow.\n");
      goto search_for_next_pattern;
    }

    NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "found ipp\n");
    ndpi_int_ipp_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    return;
  }

search_for_next_pattern:
  /* HTTP transport: "POST" with Content-Type: application/ipp */
  if (packet->payload_packet_len > 3 && memcmp(p, "POST", 4) == 0) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->content_line.ptr != NULL && packet->content_line.len > 14
        && memcmp(packet->content_line.ptr, "application/ipp", 15) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "found ipp via POST ... application/ipp.\n");
      ndpi_int_ipp_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "no ipp detected.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IPP);
}
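/*
 * BitTorrent over TCP, stage 0: plain (unobfuscated) handshakes and the
 * HTTP-carried variants (webseed, tracker announce, and a few known client
 * User-Agent / header layouts).
 *
 * The payload comes straight from the wire, so every read below sits behind
 * an explicit payload_packet_len (or derived `len`) check; keep that
 * invariant when adding patterns.
 *
 * Returns 1 when the flow has been classified (the connection was already
 * added via ndpi_add_connection_as_bittorrent), 0 otherwise. A lone 0x13
 * byte resets flow->bittorrent_stage to 0 and returns 0 so the next packet
 * is examined here again.
 */
static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module_struct *ndpi_struct,
                                                    struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t a = 0;

  if (packet->payload_packet_len == 1 && packet->payload[0] == 0x13) {
    /* reset stage back to 0 so we will see the next packet here too */
    flow->bittorrent_stage = 0;
    return 0;
  }

  /* handshake continuation: the 0x13 prefix arrived alone in packet 1 */
  if (flow->packet_counter == 2 && packet->payload_packet_len > 20) {
    if (memcmp(&packet->payload[0], "BitTorrent protocol", 19) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_REAL_PROTOCOL);
      return 1;
    }
  }

  if (packet->payload_packet_len > 20) {
    /* test for match 0x13+"BitTorrent protocol" */
    if (packet->payload[0] == 0x13) {
      if (memcmp(&packet->payload[1], "BitTorrent protocol", 19) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n");
        ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_REAL_PROTOCOL);
        return 1;
      }
    }
  }

  if (packet->payload_packet_len > 23 && memcmp(packet->payload, "GET /webseed?info_hash=", 23) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain webseed BitTorrent protocol detected\n");
    ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION, NDPI_CORRELATED_PROTOCOL);
    return 1;
  }

  /* seen Azureus as server for webseed, possibly other servers existing, to implement */
  /* is Server: hypertracker Bittorrent? */
  /* no asymmetric detection possible for answer of pattern "GET /data?fid=". */
  if (packet->payload_packet_len > 60 && memcmp(packet->payload, "GET /data?fid=", 14) == 0
      && memcmp(&packet->payload[54], "&size=", 6) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain Bitcomet persistent seed protocol detected\n");
    ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION, NDPI_CORRELATED_PROTOCOL);
    return 1;
  }

  if (packet->payload_packet_len > 90 && (memcmp(packet->payload, "GET ", 4) == 0 || memcmp(packet->payload, "POST ", 5) == 0)) {
    /* ptr/len walk the request line after the method; len is kept in sync
     * with ptr so the tracker scan below can bound every read */
    const u_int8_t *ptr = &packet->payload[4];
    u_int16_t len = packet->payload_packet_len - 4;
    a = 0;

    /* parse complete get packet here into line structure elements */
    ndpi_parse_packet_line_info(ndpi_struct, flow);

    /* answer to this pattern is HTTP....Server: hypertracker */
    if (packet->user_agent_line.ptr != NULL
        && ((packet->user_agent_line.len > 8 && memcmp(packet->user_agent_line.ptr, "Azureus ", 8) == 0)
            || (packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "BitTorrent", 10) == 0)
            || (packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "BTWebClient", 11) == 0))) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "Azureus /Bittorrent user agent line detected\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION, NDPI_CORRELATED_PROTOCOL);
      return 1;
    }

    if (packet->user_agent_line.ptr != NULL
        && (packet->user_agent_line.len >= 9 && memcmp(packet->user_agent_line.ptr, "Shareaza ", 9) == 0)
        && (packet->parsed_lines > 8 && packet->line[8].ptr != NULL && packet->line[8].len >= 9
            && memcmp(packet->line[8].ptr, "X-Queue: ", 9) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "Bittorrent Shareaza detected.\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION, NDPI_CORRELATED_PROTOCOL);
      return 1;
    }

    /* this is a self built client, not possible to catch asymmetrically */
    /* NOTE(review): with parsed_lines == 11 the last parsed entry is line[10];
     * line[11] lies outside the parsed range, so that sub-condition may have
     * been meant to read line[10] — verify against the line parser before
     * changing it. The fixed line[2..8] reads are inside parsed_lines >= 10. */
    if ((packet->parsed_lines == 10 || (packet->parsed_lines == 11 && packet->line[11].len == 0))
        && packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > 12
        && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 ", 12) == 0
        && packet->host_line.ptr != NULL && packet->host_line.len >= 7
        && packet->line[2].ptr != NULL && packet->line[2].len > 14 && memcmp(packet->line[2].ptr, "Keep-Alive: 300", 15) == 0
        && packet->line[3].ptr != NULL && packet->line[3].len > 21 && memcmp(packet->line[3].ptr, "Connection: Keep-alive", 22) == 0
        && packet->line[4].ptr != NULL && packet->line[4].len > 10
        && (memcmp(packet->line[4].ptr, "Accpet: */*", 11) == 0 || memcmp(packet->line[4].ptr, "Accept: */*", 11) == 0)
        && packet->line[5].ptr != NULL && packet->line[5].len > 12 && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0
        && packet->line[7].ptr != NULL && packet->line[7].len > 15 && memcmp(packet->line[7].ptr, "Pragma: no-cache", 16) == 0
        && packet->line[8].ptr != NULL && packet->line[8].len > 22 && memcmp(packet->line[8].ptr, "Cache-Control: no-cache", 23) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "Bitcomet LTS detected\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_CORRELATED_PROTOCOL);
      return 1;
    }

    /* FlashGet pattern */
    if (packet->parsed_lines == 8 && packet->user_agent_line.ptr != NULL
        && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1)
        && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0
        && packet->host_line.ptr != NULL && packet->host_line.len >= 7
        && packet->line[2].ptr != NULL && packet->line[2].len == 11 && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0
        && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1)
        && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0
        && packet->line[5].ptr != NULL && packet->line[5].len > 13 && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0
        && packet->line[6].ptr != NULL && packet->line[6].len > 21 && memcmp(packet->line[6].ptr, "Connection: Keep-Alive", 22) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "FlashGet detected\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_CORRELATED_PROTOCOL);
      return 1;
    }

    if (packet->parsed_lines == 7 && packet->user_agent_line.ptr != NULL
        && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1)
        && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0
        && packet->host_line.ptr != NULL && packet->host_line.len >= 7
        && packet->line[2].ptr != NULL && packet->line[2].len == 11 && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0
        && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1)
        && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0
        && packet->line[5].ptr != NULL && packet->line[5].len > 21 && memcmp(packet->line[5].ptr, "Connection: Keep-Alive", 22) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "FlashGet detected\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_CORRELATED_PROTOCOL);
      return 1;
    }

    /* answer to this pattern is not possible to implement asymmetrically */
    /* scan the request line for "info_hash="; stop at CR or when fewer than
     * 50 bytes remain, so the 10-byte memcmp never runs past the payload */
    while (1) {
      if (len < 50 || ptr[0] == 0x0d) {
        goto ndpi_end_bt_tracker_check;
      }
      if (memcmp(ptr, "info_hash=", 10) == 0) {
        break;
      }
      len--;
      ptr++;
    }

    NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, " BT stat: tracker info hash found\n");

    /* len is > 50, so save operation here */
    len -= 10;
    ptr += 10;

    /* parse bt hash: 20 bytes, each either a %XX escape or a printable ASCII
     * character; `len >= 3` guards the three-byte escape read */
    for (a = 0; a < 20; a++) {
      if (len < 3) {
        goto ndpi_end_bt_tracker_check;
      }
      if (*ptr == '%') {
        u_int8_t x1 = 0xFF;
        u_int8_t x2 = 0xFF;

        if (ptr[1] >= '0' && ptr[1] <= '9') {
          x1 = ptr[1] - '0';
        }
        if (ptr[1] >= 'a' && ptr[1] <= 'f') {
          x1 = 10 + ptr[1] - 'a';
        }
        if (ptr[1] >= 'A' && ptr[1] <= 'F') {
          x1 = 10 + ptr[1] - 'A';
        }

        if (ptr[2] >= '0' && ptr[2] <= '9') {
          x2 = ptr[2] - '0';
        }
        if (ptr[2] >= 'a' && ptr[2] <= 'f') {
          x2 = 10 + ptr[2] - 'a';
        }
        if (ptr[2] >= 'A' && ptr[2] <= 'F') {
          x2 = 10 + ptr[2] - 'A';
        }

        /* 0xFF is the "not a hex digit" sentinel set above */
        if (x1 == 0xFF || x2 == 0xFF) {
          goto ndpi_end_bt_tracker_check;
        }
        ptr += 3;
        len -= 3;
      } else if (*ptr >= 32 && *ptr < 127) {
        ptr++;
        len--;
      } else {
        goto ndpi_end_bt_tracker_check;
      }
    }

    NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, " BT stat: tracker info hash parsed\n");
    ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_CORRELATED_PROTOCOL);
    return 1;
  }

ndpi_end_bt_tracker_check:
  if (packet->payload_packet_len == 80) {
    /* Warez 80 Bytes Packet
     * +----------------+---------------+-----------------+-----------------+
     * |20 BytesPattern | 32 Bytes Value| 12 BytesPattern | 16 Bytes Data   |
     * +----------------+---------------+-----------------+-----------------+
     * 20 BytesPattern : 4c 00 00 00 ff ff ff ff 57 00 00 00 00 00 00 00 20 00 00 00
     * 12 BytesPattern : 28 23 00 00 01 00 00 00 10 00 00 00
     */
    /* u_int8_t rather than char: 0xff does not fit a signed char and the
     * tables are only ever handed to memcmp as raw bytes */
    static const u_int8_t pattern_20_bytes[20] = { 0x4c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x57, 0x00,
                                                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00 };
    static const u_int8_t pattern_12_bytes[12] = { 0x28, 0x23, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00 };

    /* did not see this pattern anywhere */
    if ((memcmp(&packet->payload[0], pattern_20_bytes, 20) == 0) && (memcmp(&packet->payload[52], pattern_12_bytes, 12) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: Warez - Plain BitTorrent protocol detected\n");
      ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION, NDPI_REAL_PROTOCOL);
      return 1;
    }
  } else if (packet->payload_packet_len > 50) {
    if (memcmp(packet->payload, "GET", 3) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      /* haven't fount this pattern anywhere */
      if (packet->host_line.ptr != NULL && packet->host_line.len >= 9 && memcmp(packet->host_line.ptr, "ip2p.com:", 9) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE,
                 "BT: Warez - Plain BitTorrent protocol detected due to Host: ip2p.com: pattern\n");
        ndpi_add_connection_as_bittorrent(ndpi_struct, flow, NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION, NDPI_CORRELATED_PROTOCOL);
        return 1;
      }
    }
  }

  return 0;
}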
/*
 * World of Warcraft dissector (TCP only; non-TCP packets exclude at once).
 *
 * Checks, in order: the Blizzard Downloader HTTP request, the plain-text
 * "WORLD OF WARCRAFT CONNECTION" login, a short "WoW" login towards port
 * 3724, a known 8-byte reply from port 3724 once either endpoint is already
 * tagged as WoW, then a small handshake state machine kept in
 * flow->l4.tcp.wow_stage (0 -> 1 or 2 -> detected) together with the
 * battle.net port-1119 login. Every match calls
 * ndpi_int_worldofwarcraft_add_connection() and returns; running out of
 * checks excludes the protocol for this flow.
 */
void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  const u_int8_t *payload = packet->payload;
  const u_int16_t plen = packet->payload_packet_len;
  /* 18-byte trailer expected near the end of the 325-byte stage-1 packet */
  static const u_int8_t wow_stage1_tail[18] = { 0x94, 0xec, 0xff, 0xfd, 0x67, 0x62, 0xd4, 0x67, 0xfb,
                                                0xf9, 0xdd, 0xbd, 0xfd, 0x01, 0xc0, 0x8f, 0xf9, 0x81 };

  NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Search World of Warcraft.\n");

  if (packet->tcp == NULL) {
    goto wow_exclude;
  }

  /* Blizzard Downloader fetching from a host ending in worldofwarcraft.com */
  if (plen > NDPI_STATICSTRING_LEN("GET /") && memcmp(payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
        && packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Blizzard Downloader")
        && packet->host_line.len > NDPI_STATICSTRING_LEN("worldofwarcraft.com")
        && memcmp(packet->user_agent_line.ptr, "Blizzard Downloader", NDPI_STATICSTRING_LEN("Blizzard Downloader")) == 0
        && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("worldofwarcraft.com")],
                  "worldofwarcraft.com", NDPI_STATICSTRING_LEN("worldofwarcraft.com")) == 0) {
      ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Web Client found\n");
      return;
    }
  }

  /* plain-text login banner, fixed 50-byte packet */
  if (plen == 50
      && memcmp(&payload[2], "WORLD OF WARCRAFT CONNECTION", NDPI_STATICSTRING_LEN("WORLD OF WARCRAFT CONNECTION")) == 0) {
    ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Login found\n");
    return;
  }

  /* short login towards the realm port; 40 < plen < 70 keeps both offsets in range */
  if (packet->tcp->dest == htons(3724) && plen < 70 && plen > 40
      && (memcmp(&payload[4], "WoW", 3) == 0 || memcmp(&payload[5], "WoW", 3) == 0)) {
    ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Login found\n");
    return;
  }

  /* known 8-byte server reply, only trusted when an endpoint is already WoW */
  if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0
      && packet->tcp->source == htons(3724) && plen == 8
      && get_u_int32_t(payload, 0) == htonl(0x0006ec01)) {
    ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
    return;
  }

  /* for some well known WoW ports check another pattern;
   * each stage either returns or falls out to the exclusion below */
  switch (flow->l4.tcp.wow_stage) {
  case 0:
    if (ndpi_int_is_wow_port(packet->tcp->source) && plen >= 14
        && ntohs(get_u_int16_t(payload, 0)) == (plen - 2)) {
      if (get_u_int32_t(payload, 2) == htonl(0xec010100)) {
        NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n");
        flow->l4.tcp.wow_stage = 2;
        return;
      } else if (plen == 41
                 && (get_u_int16_t(payload, 2) == htons(0x0085)
                     || get_u_int16_t(payload, 2) == htons(0x0034)
                     || get_u_int16_t(payload, 2) == htons(0x1960))) {
        NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "maybe World of Warcraft, need next\n");
        flow->l4.tcp.wow_stage = 1;
        return;
      }
    }
    if (packet->tcp->dest == htons(1119)) {
      /* special log in port for battle.net/world of warcraft */
      if (plen >= 77 && get_u_int32_t(payload, 0) == htonl(0x40000aed)
          && get_u_int32_t(payload, 4) == htonl(0xea070aed)) {
        ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
        NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
        return;
      }
    }
    break;

  case 1:
    /* plen == 325 keeps the plen-3 / plen-18 / plen-30 offsets in range */
    if (plen == 325 && ntohs(get_u_int16_t(payload, 0)) == (plen - 2)
        && get_u_int16_t(payload, 4) == 0
        && (get_u_int16_t(payload, plen - 3) == htons(0x2331) || get_u_int16_t(payload, 67) == htons(0x2331))
        && (memcmp(&payload[plen - 18], wow_stage1_tail, 18) == 0
            || memcmp(&payload[plen - 30], wow_stage1_tail, 18) == 0)) {
      ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
      return;
    }
    if (plen > 32 && ntohs(get_u_int16_t(payload, 0)) == (plen - 2)
        && (get_u_int16_t(payload, 4) == 0 || get_u_int32_t(payload, 2) == htonl(0x12050000))) {
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n");
      flow->l4.tcp.wow_stage = 2;
      return;
    }
    break;

  case 2:
    if (plen == 4 || (plen > 4 && plen <= 16 && payload[4] == 0x0c)) {
      ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
      return;
    }
    if (flow->packet_counter < 3) {
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "waiting for final packet\n");
      return;
    }
    break;

  default:
    break;
  }

wow_exclude:
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLDOFWARCRAFT);
}
/*
 * Yahoo Messenger (YMSG) dissector for TCP flows.
 *
 * Inspects the current packet of `flow` and, on a match, marks the flow as
 * NDPI_PROTOCOL_YAHOO through ndpi_int_yahoo_add_connection(); when no check
 * matches, the protocol is excluded for the flow. The paths below run in this
 * order: native YMSG framing, HTTP-carried login/relay/file-transfer requests
 * (only when ndpi_struct->yahoo_detect_http_connections is set), short markers
 * on flows whose endpoints already spoke Yahoo (including the LAN video setup
 * on port 5100), and YMSG tunnelled through an HTTP proxy. Several paths store
 * per-endpoint state on flow->src / flow->dst, which may be NULL.
 */
static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  /* Overlay view of the YMSG header on the raw payload. Only dereferenced after
   * a length check below. NOTE(review): the cast assumes the payload pointer is
   * suitably aligned for the header's 16-bit members and does not alias an
   * object of another type — confirm against how the packet buffer is built. */
  const struct ndpi_yahoo_header *yahoo = (struct ndpi_yahoo_header *) packet->payload;

  if (packet->payload_packet_len == 0) {
    return;
  }

  /* Native YMSG: packet must be at least 20 bytes long (the header size) and
   * either carry a length field consistent with the payload or pass check_ymsg(). */
  if (packet->payload_packet_len >= 20
      && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0
      && ((packet->payload_packet_len - 20) == ntohs(yahoo->len)
          || check_ymsg(packet->payload, packet->payload_packet_len))) {
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO FOUND\n");
    flow->yahoo_detection_finished = 2;
    /* Service ids 24/152/74: conference or chat invite; remembered on both endpoints. */
    if (ntohs(yahoo->service) == 24 || ntohs(yahoo->service) == 152 || ntohs(yahoo->service) == 74) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat invite found");
      if (src != NULL) {
        src->yahoo_conf_logged_in = 1;
      }
      if (dst != NULL) {
        dst->yahoo_conf_logged_in = 1;
      }
    }
    /* Service ids 27/155/160: conference or chat logoff; only the source endpoint is cleared here. */
    if (ntohs(yahoo->service) == 27 || ntohs(yahoo->service) == 155 || ntohs(yahoo->service) == 160) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat logoff found");
      if (src != NULL) {
        src->yahoo_conf_logged_in = 0;
        src->yahoo_voice_conf_logged_in = 0;
      }
    }
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    return;
  } else if (flow->yahoo_detection_finished == 2
             && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_YAHOO) {
    /* Already classified by the native path; nothing more to do for this packet. */
    return;
  } else if (packet->payload_packet_len == 4 && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0) {
    /* Bare 4-byte "YMSG" marker: remember it and wait for the next packets. */
    flow->l4.tcp.yahoo_sip_comm = 1;
    return;
  } else if (flow->l4.tcp.yahoo_sip_comm && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
             && flow->packet_counter < 3) {
    return;
  }

  /* Now test for HTTP login: needs a payload of more than 100 bytes, which also
   * keeps every fixed-length memcmp() on the raw payload below in range. */
  if (ndpi_struct->yahoo_detect_http_connections != 0 && packet->payload_packet_len > 100) {
    if (memcmp(packet->payload, "POST /relay?token=", 18) == 0
        || memcmp(packet->payload, "GET /relay?token=", 17) == 0
        || memcmp(packet->payload, "GET /?token=", 12) == 0
        || memcmp(packet->payload, "HEAD /relay?token=", 18) == 0) {
      /* Relay requests only count when one endpoint already spoke Yahoo. */
      if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)
          || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) {
        /* this is mostly a file transfer */
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    }
    if (memcmp(packet->payload, "POST ", 5) == 0) {
      u_int16_t a;
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      /* NOTE(review): user_agent_line.ptr is not checked for NULL here, unlike
       * the GET branch further down; presumably len >= 21 implies a non-NULL
       * ptr — verify against ndpi_parse_packet_line_info(). */
      if ((packet->user_agent_line.len >= 21)
          && (memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", 21) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
      /* P2P file transfer: a fixed header layout on lines 1..5, guarded by parsed_lines > 5. */
      if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_YAHOO)
          && packet->parsed_lines > 5
          && memcmp(&packet->payload[5], "/Messenger.", 11) == 0
          && packet->line[1].len >= 17 && memcmp(packet->line[1].ptr, "Connection: Close", 17) == 0
          && packet->line[2].len >= 6 && memcmp(packet->line[2].ptr, "Host: ", 6) == 0
          && packet->line[3].len >= 16 && memcmp(packet->line[3].ptr, "Content-Length: ", 16) == 0
          && packet->line[4].len >= 23 && memcmp(packet->line[4].ptr, "User-Agent: Mozilla/5.0", 23) == 0
          && packet->line[5].len >= 23 && memcmp(packet->line[5].ptr, "Cache-Control: no-cache", 23) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST P2P FILETRANSFER FOUND\n");
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
      if (packet->host_line.ptr != NULL && packet->host_line.len >= 26
          && memcmp(packet->host_line.ptr, "filetransfer.msg.yahoo.com", 26) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST FILETRANSFER FOUND\n");
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
      /* now check every line for an embedded YMSG frame */
      for (a = 0; a < packet->parsed_lines; a++) {
        if (packet->line[a].len >= 4 && memcmp(packet->line[a].ptr, "YMSG", 4) == 0) {
          /* "%.*s" with the line length: header lines are slices of the payload, not NUL-terminated. */
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE,
                   "YAHOO HTTP POST FOUND, line is: %.*s\n", packet->line[a].len, packet->line[a].ptr);
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
          ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
      /* Web chat through a proxy: a long "<Session " line at index 8. */
      if (packet->parsed_lines > 8 && packet->line[8].len > 250 && packet->line[8].ptr != NULL) {
        if (memcmp(packet->line[8].ptr, "<Session ", 9) == 0) {
          if (ndpi_check_for_YmsgCommand(packet->line[8].len, packet->line[8].ptr)) {
            NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
                     "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern \n");
            ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
            return;
          }
        }
      }
    }
    if (memcmp(packet->payload, "GET /Messenger.", 15) == 0) {
      if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)
          || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP GET /Messenger. match\n");
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    }
    if ((memcmp(packet->payload, "GET /", 5) == 0)) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      /* NOTE(review): the second User-Agent alternative has no ptr != NULL
       * guard; it relies on len >= 15 implying a valid ptr — verify. */
      if ((packet->user_agent_line.ptr != NULL
           && packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("YahooMobileMessenger/")
           && memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", NDPI_STATICSTRING_LEN("YahooMobileMessenger/")) == 0)
          || (packet->user_agent_line.len >= 15 && (memcmp(packet->user_agent_line.ptr, "Y!%20Messenger/", 15) == 0))) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
      /* Host header ending in "msg.yahoo.com" (suffix compare, bounded by host_line.len). */
      if (packet->host_line.ptr != NULL
          && packet->host_line.len >= NDPI_STATICSTRING_LEN("msg.yahoo.com")
          && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("msg.yahoo.com")],
                    "msg.yahoo.com", NDPI_STATICSTRING_LEN("msg.yahoo.com")) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    }
  }

  /* found another http login command for yahoo, it is like OSCAR */
  /* detect http connections: a lower-case "content-length: " line followed by
   * an empty line and a "<Ymsg Command=" body line */
  if (packet->payload_packet_len > 50 && (memcmp(packet->payload, "content-length: ", 16) == 0)) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines > 2 && packet->line[1].len == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "first line is empty.\n");
      if (packet->line[2].len > 13 && memcmp(packet->line[2].ptr, "<Ymsg Command=", 14) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO web chat found\n");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
    }
  }

  /* HTTP CONNECT to the messaging server through a proxy. */
  if (packet->payload_packet_len > 38 && memcmp(packet->payload, "CONNECT scs.msg.yahoo.com:5050 HTTP/1.", 38) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO-HTTP FOUND\n");
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
    return;
  }

  /* Short markers that are only trusted when an endpoint already spoke Yahoo. */
  if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)
      || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) {
    if (packet->payload_packet_len == 6 && memcmp(packet->payload, "YAHOO!", 6) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* asymmetric detection for SNDIMG not done yet.
     * See ./Yahoo8.1-VideoCall-LAN.pcap and ./Yahoo-VideoCall-inPublicIP.pcap */
    if (packet->payload_packet_len == 8
        && (memcmp(packet->payload, "<SNDIMG>", 8) == 0 || memcmp(packet->payload, "<REQIMG>", 8) == 0
            || memcmp(packet->payload, "<RVWCFG>", 8) == 0 || memcmp(packet->payload, "<RUPCFG>", 8) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO SNDIMG or REQIMG or RVWCFG or RUPCFG FOUND\n");
      /* Record the video setup direction (0 for <SNDIMG>, 1 otherwise) and its
       * timestamp on both endpoints; the port-5100 checks below consume them. */
      if (src != NULL) {
        if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) {
          src->yahoo_video_lan_dir = 0;
        } else {
          src->yahoo_video_lan_dir = 1;
        }
        src->yahoo_video_lan_timer = packet->tick_timestamp;
      }
      if (dst != NULL) {
        if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) {
          dst->yahoo_video_lan_dir = 0;
        } else {
          dst->yahoo_video_lan_dir = 1;
        }
        dst->yahoo_video_lan_timer = packet->tick_timestamp;
      }
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO subtype VIDEO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* Video stream to port 5100 within yahoo_lan_video_timeout of the setup marker.
     * The unsigned cast makes the age comparison tolerate timestamp wrap-around.
     * src is accepted with dir == 1, dst with dir == 0 — the asymmetry follows
     * from which side recorded the marker; presumably intentional, see the note above. */
    if (src != NULL && packet->tcp->dest == htons(5100)
        && ((u_int32_t) (packet->tick_timestamp - src->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) {
      if (src->yahoo_video_lan_dir == 1) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED");
        return;
      }
    }
    if (dst != NULL && packet->tcp->dest == htons(5100)
        && ((u_int32_t) (packet->tick_timestamp - dst->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) {
      if (dst->yahoo_video_lan_dir == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED");
        return;
      }
    }
  }

  /* detect YAHOO over HTTP proxy.
   * yahoo_http_proxy_stage records 1 + direction of the first packet seen; a
   * later packet in the same direction is matched against "1 + direction", one
   * in the opposite direction against "2 - direction" (equal for direction
   * values 0 and 1 — assumes packet_direction is always 0 or 1). */
#ifdef NDPI_PROTOCOL_HTTP
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP)
#endif
  {
    if (flow->l4.tcp.yahoo_http_proxy_stage == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "YAHOO maybe HTTP proxy packet 1 => need next packet\n");
      flow->l4.tcp.yahoo_http_proxy_stage = 1 + packet->packet_direction;
      return;
    }
    if (flow->l4.tcp.yahoo_http_proxy_stage == 1 + packet->packet_direction) {
      if ((packet->payload_packet_len > 250) && (memcmp(packet->payload, "<Session ", 9) == 0)) {
        if (ndpi_check_for_YmsgCommand(packet->payload_packet_len, packet->payload)) {
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern \n");
          ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "YAHOO maybe HTTP proxy still initial direction => need next packet\n");
      return;
    }
    if (flow->l4.tcp.yahoo_http_proxy_stage == 2 - packet->packet_direction) {
      ndpi_parse_packet_line_info_any(ndpi_struct, flow);
      if (packet->parsed_lines >= 9) {
        if (packet->line[4].ptr != NULL && packet->line[4].len >= 9
            && packet->line[8].ptr != NULL && packet->line[8].len >= 6
            && memcmp(packet->line[4].ptr, "<Session ", 9) == 0
            && memcmp(packet->line[8].ptr, "<Ymsg ", 6) == 0) {
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO over HTTP proxy");
          ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO);
}
/* True when the `len` bytes at `ptr` end with the `slen`-byte string `suffix`.
 * A NULL `ptr` or a value shorter than the suffix never matches. */
static int meebo_line_ends_with(const void *ptr, u_int16_t len, const char *suffix, u_int16_t slen)
{
  if (ptr == NULL || len < slen) {
    return 0;
  }
  return memcmp((const char *) ptr + (len - slen), suffix, slen) == 0;
}

/* True when the `len` bytes at `ptr` start with the `plen`-byte string `prefix`.
 * A NULL `ptr` or a value shorter than the prefix never matches. */
static int meebo_line_starts_with(const void *ptr, u_int16_t len, const char *prefix, u_int16_t plen)
{
  if (ptr == NULL || len < plen) {
    return 0;
  }
  return memcmp(ptr, prefix, plen) == 0;
}

/*
 * Meebo dissector.
 *
 * Examines the current packet of `flow` and either marks the flow as
 * NDPI_PROTOCOL_MEEBO, returns early to wait for more packets, or excludes
 * Meebo for the flow. Three paths are handled: Flash/RTMP flows carrying a
 * "tokbox/" marker at a fixed offset, the first HTTP request of a flow whose
 * Host or Referer header names meebo/tokbox, and a fall-through that keeps
 * waiting until SSL (and Flash, when compiled in) have been excluded.
 */
void ndpi_search_meebo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  int is_flash_flow;
  int is_http_request;

  NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "search meebo.\n");

  /* catch audio/video flows which are flash (rtmp) */
#ifdef NDPI_CONTENT_FLASH
  is_flash_flow = (packet->detected_protocol_stack[0] == NDPI_CONTENT_FLASH);
#else
  is_flash_flow = (packet->tcp->source == htons(1935) || packet->tcp->dest == htons(1935));
#endif
  if (is_flash_flow) {
    /* TODO: once we have an amf decoder we can more directly access the rtmp fields
     * if so, we may also exclude earlier */
    if (packet->payload_packet_len > 900) {
      /* Both offsets lie well inside the 900-byte minimum checked above. */
      const int tokbox_at_116 = (memcmp(packet->payload + 116, "tokbox/", NDPI_STATICSTRING_LEN("tokbox/")) == 0);
      const int tokbox_at_316 = (memcmp(packet->payload + 316, "tokbox/", NDPI_STATICSTRING_LEN("tokbox/")) == 0);
      if (tokbox_at_116 || tokbox_at_316) {
        NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "found meebo/tokbox flash flow.\n");
        ndpi_int_meebo_add_connection(ndpi_struct, flow);
        return;
      }
    }
    /* Keep looking while the flow is young and the initiator has sent few packets. */
    if (flow->packet_counter < 16 && flow->packet_direction_counter[flow->setup_packet_direction] < 6) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet.\n");
      return;
    }
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "exclude meebo.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MEEBO);
    return;
  }

  /* HTTP request line, or HTTP already detected when that dissector is compiled in. */
  is_http_request = (packet->payload_packet_len > 3 && memcmp(packet->payload, "GET ", 4) == 0)
                    || (packet->payload_packet_len > 4 && memcmp(packet->payload, "POST ", 5) == 0);
#ifdef NDPI_PROTOCOL_HTTP
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) {
    is_http_request = 1;
  }
#endif
  if (is_http_request && flow->packet_counter == 1) {
    /* 0 = no match, 1 = meebo, 2 = tokbox host only (must not be reported as meebo). */
    u_int8_t match_kind = 0;

    ndpi_parse_packet_line_info(ndpi_struct, flow);
    /* Host checks first, Referer checks second; the order decides which log line is emitted. */
    if (meebo_line_ends_with(packet->host_line.ptr, packet->host_line.len, "meebo.com", 9)) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found Meebo host\n");
      match_kind = 1;
    } else if (meebo_line_ends_with(packet->host_line.ptr, packet->host_line.len, "tokbox.com", 10)) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found tokbox host\n");
      /* set it to 2 to avoid having plain tokbox traffic detected as meebo */
      match_kind = 2;
    } else if (meebo_line_ends_with(packet->host_line.ptr, packet->host_line.len,
                                    "74.114.28.110", NDPI_STATICSTRING_LEN("74.114.28.110"))) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found meebo IP\n");
      match_kind = 1;
    } else if (meebo_line_starts_with(packet->referer_line.ptr, packet->referer_line.len,
                                      "http://www.meebo.com/", NDPI_STATICSTRING_LEN("http://www.meebo.com/"))) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found meebo referer\n");
      match_kind = 1;
    } else if (meebo_line_starts_with(packet->referer_line.ptr, packet->referer_line.len,
                                      "http://mee.tokbox.com/", NDPI_STATICSTRING_LEN("http://mee.tokbox.com/"))) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found tokbox referer\n");
      match_kind = 1;
    } else if (meebo_line_starts_with(packet->referer_line.ptr, packet->referer_line.len,
                                      "http://74.114.28.110/", NDPI_STATICSTRING_LEN("http://74.114.28.110/"))) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found meebo IP referer\n");
      match_kind = 1;
    }

    if (match_kind == 1) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found Meebo traffic based on host/referer\n");
      ndpi_int_meebo_add_connection(ndpi_struct, flow);
      return;
    }
  }

  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_MEEBO) {
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "in case that ssl meebo has been detected return.\n");
    return;
  }

  /* Do not give up before SSL (and Flash) have had a chance to claim the flow. */
  if (flow->packet_counter < 5 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
      && NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "ssl not yet excluded. need next packet.\n");
    return;
  }
#ifdef NDPI_CONTENT_FLASH
  if (flow->packet_counter < 5 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
      && !NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_CONTENT_FLASH)) {
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "flash not yet excluded. need next packet.\n");
    return;
  }
#endif

  NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "exclude meebo.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MEEBO);
}
/*
 * IRC dissector for TCP flows.
 *
 * Runs on every packet of `flow` and either marks the flow as
 * NDPI_PROTOCOL_IRC, returns to wait for more packets, or excludes IRC once
 * the packet budget is spent. Detection paths, in order: DCC ports learned
 * earlier on either endpoint, server names embedded in the second packet of
 * an SSL-wrapped session, a fast SSL heuristic, plain IRC commands and ':'
 * prefixed server lines (with a stage counter in flow->l4.tcp.irc_stage),
 * and web-based IRC clients posting over HTTP. Once the flow is IRC, the
 * tail after `detected_irc:` scans NOTICE/PRIVMSG lines for DCC offers and
 * records the advertised port on flow->src / flow->dst so later connections
 * to that port are classified as IRC too.
 */
static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  int less;                          /* slot chosen by NDPI_IRC_FIND_LESS when the port table is full */
  u_int16_t c = 0;                   /* line index when scanning for a second NICK/USER */
  u_int16_t c1 = 0;                  /* payload offset when scanning for SSL server names */
  u_int16_t port = 0;                /* DCC port parsed from a PRIVMSG/NOTICE line */
  u_int16_t sport = 0;               /* raw tcp->source, same byte order as the stored DCC ports (presumably) */
  u_int16_t dport = 0;               /* raw tcp->dest */
  u_int16_t counter = 0;             /* index into an endpoint's irc_port[] table */
  u_int16_t i = 0;                   /* parsed-line index */
  u_int16_t j = 0;                   /* byte offset inside line i */
  u_int16_t k = 0;                   /* saved copy of j around the first port parse */
  u_int16_t h;                       /* start offset for the read_privmsg scan */
  u_int16_t http_content_ptr_len = 0;
  u_int8_t space = 0;                /* spaces seen after a DCC keyword; the port follows the third */

  NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : search irc\n");

  /* Packet budget: give up after 70 packets, or after 30 when stage2 was never reached. */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 70) {
    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "exclude irc, packet_counter > 70\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
    return;
  }
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 30 && flow->l4.tcp.irc_stage2 == 0) {
    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "packet_counter > 30, exclude irc.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
    return;
  }

  /* Flow already IRC: refresh the endpoint timestamp that keeps its DCC ports alive.
   * The unsigned cast makes the age comparison tolerate timestamp wrap-around. */
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
    if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->irc_ts) < ndpi_struct->irc_timeout)) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save src connection packet detected\n");
      src->irc_ts = packet->tick_timestamp;
    } else if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->irc_ts) < ndpi_struct->irc_timeout)) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save dst connection packet detected\n");
      dst->irc_ts = packet->tick_timestamp;
    }
  }

  /* DCC follow-up: an endpoint that recently spoke IRC advertised ports; a
   * connection to or from one of them is classified as IRC right away. */
  if (((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
        && ((u_int32_t) (packet->tick_timestamp - dst->irc_ts)) < ndpi_struct->irc_timeout))
      || (src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
          && ((u_int32_t) (packet->tick_timestamp - src->irc_ts)) < ndpi_struct->irc_timeout)) {
    if (packet->tcp != NULL) {
      sport = packet->tcp->source;
      dport = packet->tcp->dest;
    }
    if (dst != NULL) {
      for (counter = 0; counter < dst->irc_number_of_port; counter++) {
        if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) {
          dst->last_time_port_used[counter] = packet->tick_timestamp;
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "dest port matched with the DCC port and the flow is marked as IRC");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          return;
        }
      }
    }
    if (src != NULL) {
      for (counter = 0; counter < src->irc_number_of_port; counter++) {
        if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) {
          src->last_time_port_used[counter] = packet->tick_timestamp;
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "Source port matched with the DCC port and the flow is marked as IRC");
          return;
        }
      }
    }
  }

  /* SSL-wrapped IRC: the second packet (a certificate, judging by the size
   * window) may carry a known server name. The loop bound leaves at least 23
   * bytes after c1, which covers the longest 21-byte compare below. */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter == 2
      && (packet->payload_packet_len > 400 && packet->payload_packet_len < 1381)) {
    for (c1 = 50; c1 < packet->payload_packet_len - 23; c1++) {
      if (packet->payload[c1] == 'i' || packet->payload[c1] == 'd') {
        if ((memcmp(&packet->payload[c1], "irc.hackthissite.org0", 21) == 0)
            || (memcmp(&packet->payload[c1], "irc.gamepad.ca1", 15) == 0)
            || (memcmp(&packet->payload[c1], "dungeon.axenet.org0", 19) == 0)
            || (memcmp(&packet->payload[c1], "dazed.nuggethaus.net", 20) == 0)
            || (memcmp(&packet->payload[c1], "irc.indymedia.org", 17) == 0)
            || (memcmp(&packet->payload[c1], "irc.cccp-project.net", 20) == 0)
            || (memcmp(&packet->payload[c1], "dirc.followell.net0", 19) == 0)
            || (memcmp(&packet->payload[c1], "irc.discostars.de1", 18) == 0)
            || (memcmp(&packet->payload[c1], "irc.rizon.net", 13) == 0)) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                   "IRC SSL detected with :- irc.hackthissite.org0 | irc.gamepad.ca1 | dungeon.axenet.org0 "
                   "| dazed.nuggethaus.net | irc.indymedia.org | irc.discostars.de1 ");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          break;
        }
      }
    }
  }

  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC
      && ndpi_search_irc_ssl_detect_ninty_percent_but_very_fast(ndpi_struct, flow) != 0) {
    return;
  }

  /* Plain IRC: lines end in LF (or LF NUL); payload_packet_len >= 8 keeps the
   * len - 1 / len - 2 indexes in this block in range. */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter < 20
      && packet->payload_packet_len >= 8) {
    if (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a
        || (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0a00)) {
      /* Server-to-client lines start with ':' (0x3a); seven of them across the flow count as IRC. */
      if (memcmp(packet->payload, ":", 1) == 0) {
        if (packet->payload[packet->payload_packet_len - 2] != 0x0d
            && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
          /* Unix line endings: copy the unix_line[] view into line[] so the loop below sees it. */
          ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
          packet->parsed_lines = packet->parsed_unix_lines;
          for (i = 0; i < packet->parsed_lines; i++) {
            packet->line[i] = packet->unix_line[i];
            packet->line[i].ptr = packet->unix_line[i].ptr;
            packet->line[i].len = packet->unix_line[i].len;
          }
        } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
          ndpi_parse_packet_line_info(ndpi_struct, flow);
        } else {
          flow->l4.tcp.irc_3a_counter++;
        }
        /* NOTE(review): line[i].ptr[0] is read without checking line[i].len > 0;
         * confirm the line parser never yields an empty line whose ptr points
         * at the end of the payload. */
        for (i = 0; i < packet->parsed_lines; i++) {
          if (packet->line[i].ptr[0] == ':') {
            flow->l4.tcp.irc_3a_counter++;
            if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc.");
              ndpi_int_irc_add_connection(ndpi_struct, flow);
              goto detected_irc;
            }
          }
        }
        if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc.");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          goto detected_irc;
        }
      }
      /* Client commands: each sighting advances irc_stage 0 -> 1 -> 2; the third
       * sighting (stage 2) marks the flow. The stage checks run from 2 down to 0
       * so a single packet advances the stage by at most one. */
      if ((memcmp(packet->payload, "USER ", 5) == 0)
          || (memcmp(packet->payload, "NICK ", 5) == 0)
          || (memcmp(packet->payload, "PASS ", 5) == 0)
          || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct, flow) != 0)
          || (memcmp(packet->payload, "PONG ", 5) == 0)
          || (memcmp(packet->payload, "PING ", 5) == 0)
          || (memcmp(packet->payload, "JOIN ", 5) == 0)
          || (memcmp(packet->payload, "NOTICE ", 7) == 0)
          || (memcmp(packet->payload, "PRIVMSG ", 8) == 0)
          || (memcmp(packet->payload, "VERSION ", 8) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "USER, NICK, PASS, NOTICE, PRIVMSG one time");
        if (flow->l4.tcp.irc_stage == 2) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found irc");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          flow->l4.tcp.irc_stage = 3;
        }
        if (flow->l4.tcp.irc_stage == 1) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "second time, stage=2");
          flow->l4.tcp.irc_stage = 2;
        }
        if (flow->l4.tcp.irc_stage == 0) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "first time, stage=1");
          flow->l4.tcp.irc_stage = 1;
        }
        /* irc packets can have either windows line breaks (0d0a) or unix line breaks (0a).
         * A second NICK/USER line in the same packet is enough to mark the flow. */
        if (packet->payload[packet->payload_packet_len - 2] == 0x0d
            && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
          ndpi_parse_packet_line_info(ndpi_struct, flow);
          if (packet->parsed_lines > 1) {
            NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "packet contains more than one line");
            for (c = 1; c < packet->parsed_lines; c++) {
              if (packet->line[c].len > 4
                  && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) {
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "two icq signal words in the same packet");
                ndpi_int_irc_add_connection(ndpi_struct, flow);
                flow->l4.tcp.irc_stage = 3;
                return;
              }
            }
          }
        } else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) {
          ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
          if (packet->parsed_unix_lines > 1) {
            NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "packet contains more than one line");
            for (c = 1; c < packet->parsed_unix_lines; c++) {
              if (packet->unix_line[c].len > 4
                  && (memcmp(packet->unix_line[c].ptr, "NICK ", 5) == 0 || memcmp(packet->unix_line[c].ptr, "USER ", 5) == 0)) {
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "two icq signal words in the same packet");
                ndpi_int_irc_add_connection(ndpi_struct, flow);
                flow->l4.tcp.irc_stage = 3;
                return;
              }
            }
          }
        }
      }
    }
  }

  /**
   * Trying to primarily detect the HTTP Web based IRC chat patterns based on the HTTP headers
   * during the User login time. When the HTTP data gets posted using the POST method, patterns
   * will be searched in the HTTP content.
   */
  if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 0) && (packet->payload_packet_len > 5)) {
    //HTTP POST Method being employed
    if (memcmp(packet->payload, "POST ", 5) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->parsed_lines) {
        /* Header length = offset of the last parsed line + 2 (presumably its CRLF). */
        u_int16_t http_header_len = (packet->line[packet->parsed_lines - 1].ptr - packet->payload) + 2;
        if (packet->payload_packet_len > http_header_len) {
          /* NOTE(review): this is the length of the body, but below it is used as
           * the body's offset into the payload (payload + http_content_ptr_len).
           * Those only coincide when header and body have the same size — verify
           * against the pcaps this was written for before relying on it. */
          http_content_ptr_len = packet->payload_packet_len - http_header_len;
        }
        if ((ndpi_check_for_IRC_traces(packet->line[0].ptr, packet->line[0].len))
            || ((packet->http_url_name.ptr) && (ndpi_check_for_IRC_traces(packet->http_url_name.ptr, packet->http_url_name.len)))
            || ((packet->referer_line.ptr) && (ndpi_check_for_IRC_traces(packet->referer_line.ptr, packet->referer_line.len)))) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC detected from the Http URL/ Referer header ");
          flow->l4.tcp.irc_stage = 1;
          // HTTP POST Request body is not in the same packet.
          if (!http_content_ptr_len) {
            return;
          }
        }
      }
    }
  }
  /* Web IRC, second step: the posted form carries a nickname or a command. */
  if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 1)) {
    if ((((packet->payload_packet_len - http_content_ptr_len) > 10)
         && (memcmp(packet->payload + http_content_ptr_len, "interface=", 10) == 0)
         && (ndpi_check_for_Nickname(ndpi_struct, flow) != 0))
        || (((packet->payload_packet_len - http_content_ptr_len) > 5)
            && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0)
            && (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC Nickname, cmd, one time");
      ndpi_int_irc_add_connection(ndpi_struct, flow);
      return;
    }
  }

detected_irc:
  NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "detected_irc:");
  /* Flow is IRC: look for DCC offers and learn the advertised ports. */
  if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
    /* maybe this can be deleted at the end */
    /* NOTE(review): unlike the block above, nothing here guarantees
     * payload_packet_len >= 2, so len - 2 / len - 1 can go negative (the
     * subtraction is done in int) for a very short payload. Confirm the caller
     * never reaches this path with fewer than two payload bytes. */
    if (packet->payload[packet->payload_packet_len - 2] != 0x0d
        && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "ndpi_parse_packet_line_info_unix(ndpi_struct, flow);");
      ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
      packet->parsed_lines = packet->parsed_unix_lines;
      for (i = 0; i < packet->parsed_lines; i++) {
        packet->line[i] = packet->unix_line[i];
        packet->line[i].ptr = packet->unix_line[i].ptr;
        packet->line[i].len = packet->unix_line[i].len;
      }
    } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
    } else {
      return;
    }
    for (i = 0; i < packet->parsed_lines; i++) {
      /* NOTICE ... :DCC SEND / :DCC CHAT is only logged here, not acted on. */
      if (packet->line[i].len > 6 && memcmp(packet->line[i].ptr, "NOTICE ", 7) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "NOTICE");
        for (j = 7; j < packet->line[i].len - 8; j++) {
          if (packet->line[i].ptr[j] == ':') {
            if (memcmp(&packet->line[i].ptr[j + 1], "DCC SEND ", 9) == 0
                || memcmp(&packet->line[i].ptr[j + 1], "DCC CHAT ", 9) == 0) {
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found NOTICE and DCC CHAT or DCC SEND.");
            }
          }
        }
      }
      /* ":prefix PRIVMSG ..." — locate the command after the first space and
       * jump into the PRIVMSG scan below with h set past "RIVMSG ". The goto
       * bypasses the len > 7 guard of the PRIVMSG block; the scan's own loop
       * bound (len - 9) is what keeps it in range. */
      if (packet->payload_packet_len > 0 && packet->payload[0] == 0x3a /* 0x3a = ':' */ ) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "3a");
        for (j = 1; j < packet->line[i].len - 9; j++) {
          if (packet->line[i].ptr[j] == ' ') {
            j++;
            if (packet->line[i].ptr[j] == 'P') {
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "P");
              j++;
              if (memcmp(&packet->line[i].ptr[j], "RIVMSG ", 7) == 0)
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "RIVMSG");
              h = j + 7;
              goto read_privmsg;
            }
          }
        }
      }
      if (packet->line[i].len > 7 && (memcmp(packet->line[i].ptr, "PRIVMSG ", 8) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "PRIVMSG ");
        h = 7;
      read_privmsg:
        /* Look for ":\x01DCC <SEND|CHAT|chat|sslchat|TSEND> <arg> <addr> <port>" and
         * read the port after the third space. */
        for (j = h; j < packet->line[i].len - 9; j++) {
          if (packet->line[i].ptr[j] == ':') {
            if (memcmp(&packet->line[i].ptr[j + 1], "xdcc ", 5) == 0) {
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "xdcc should match.");
            }
            j += 2;
            if (memcmp(&packet->line[i].ptr[j], "DCC ", 4) == 0) {
              j += 4;
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found DCC.");
              if (memcmp(&packet->line[i].ptr[j], "SEND ", 5) == 0
                  || (memcmp(&packet->line[i].ptr[j], "CHAT", 4) == 0)
                  || (memcmp(&packet->line[i].ptr[j], "chat", 4) == 0)
                  || (memcmp(&packet->line[i].ptr[j], "sslchat", 7) == 0)
                  || (memcmp(&packet->line[i].ptr[j], "TSEND", 5) == 0)) {
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found CHAT,chat,sslchat,TSEND.");
                j += 4;
                /* NOTE(review): the ">= ' '" clause accepts every byte from 0x20
                 * upwards, which makes the alphanumeric clauses redundant, and
                 * ">= '.'" / ">= '-'" read as if "==" was meant. Behaviour is
                 * kept as is; the loop effectively runs to the end of the line
                 * or the first control character. */
                while (packet->line[i].len > j
                       && ((packet->line[i].ptr[j] >= 'a' && packet->line[i].ptr[j] <= 'z')
                           || (packet->line[i].ptr[j] >= 'A' && packet->line[i].ptr[j] <= 'Z')
                           || (packet->line[i].ptr[j] >= '0' && packet->line[i].ptr[j] <= '9')
                           || (packet->line[i].ptr[j] >= ' ')
                           || (packet->line[i].ptr[j] >= '.')
                           || (packet->line[i].ptr[j] >= '-'))) {
                  if (packet->line[i].ptr[j] == ' ') {
                    space++;
                    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "space %u.", space);
                  }
                  if (space == 3) {
                    j++;
                    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "read port.");
                    /* NOTE(review): the remaining-length argument is
                     * payload_packet_len - j, but j is an offset inside line[i],
                     * not inside the payload. For any line that does not start
                     * at payload[0] this overstates the bytes left; verify that
                     * ntohs_ndpi_bytestream_to_number cannot read past the
                     * packet because of it. */
                    if (src != NULL) {
                      /* Parse the port, then restore j so the dst branch re-reads the same bytes. */
                      k = j;
                      port = ntohs_ndpi_bytestream_to_number(&packet->line[i].ptr[j], packet->payload_packet_len - j, &j);
                      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.", port);
                      j = k;
                      // TODO: decide how the ports should be stored
                      if (src->irc_number_of_port < 16)
                        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "src->irc_number_of_port < 16.");
                      /* Up to 16 ports per endpoint; once full, the least recently
                       * used slot (NDPI_IRC_FIND_LESS) is overwritten. The debug
                       * line prints irc_port[0], not necessarily the port just added. */
                      if (src->irc_number_of_port < 16 && port != 0) {
                        if (!ndpi_is_duplicate(src, port)) {
                          src->irc_port[src->irc_number_of_port] = port;
                          src->irc_number_of_port++;
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0)));
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "jjeeeeeeeeeeeeeeeeeeeeeeeee");
                        }
                        src->irc_ts = packet->tick_timestamp;
                      } else if (port != 0 && src->irc_number_of_port == 16) {
                        if (!ndpi_is_duplicate(src, port)) {
                          less = 0;
                          NDPI_IRC_FIND_LESS(src->last_time_port_used, less);
                          src->irc_port[less] = port;
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0)));
                        }
                        src->irc_ts = packet->tick_timestamp;
                      }
                      if (dst == NULL) {
                        break;
                      }
                    }
                    if (dst != NULL) {
                      port = ntohs_ndpi_bytestream_to_number(&packet->line[i].ptr[j], packet->payload_packet_len - j, &j);
                      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.", port);
                      // same as above.
                      /* 16 ports per IRC flow are stored here. Couldn't one simply set a
                       * flag on dst or src saying that this port stays an IRC port for a
                       * certain time?
                       */
                      if (dst->irc_number_of_port < 16 && port != 0) {
                        if (!ndpi_is_duplicate(dst, port)) {
                          dst->irc_port[dst->irc_number_of_port] = port;
                          dst->irc_number_of_port++;
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0)));
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "juuuuuuuuuuuuuuuu");
                        }
                        dst->irc_ts = packet->tick_timestamp;
                      } else if (port != 0 && dst->irc_number_of_port == 16) {
                        if (!ndpi_is_duplicate(dst, port)) {
                          less = 0;
                          NDPI_IRC_FIND_LESS(dst->last_time_port_used, less);
                          dst->irc_port[less] = port;
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0)));
                        }
                        dst->irc_ts = packet->tick_timestamp;
                      }
                      break;
                    }
                  }
                  j++;
                }
              }
            }
          }
        }
      }
    }
  }
}
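/*
 * Report whether the HTTP Host: header begins with the expected Gadu-Gadu host.
 *
 * Parses the request's header lines, then requires at least two parsed lines,
 * a Host: line, and a Host: value that is at least host_len bytes long and
 * starts with the first host_len bytes of host.
 *
 * Returns 1 on a match, 0 otherwise.
 */
static u_int8_t gg_host_prefix_matches(struct ndpi_detection_module_struct *ndpi_struct,
                                       struct ndpi_flow_struct *flow,
                                       const char *host, u_int16_t host_len)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  ndpi_parse_packet_line_info(ndpi_struct, flow);
  if (packet->parsed_lines <= 1 || packet->host_line.ptr == NULL) {
    return 0;
  }
  if (packet->host_line.len < host_len || memcmp(packet->host_line.ptr, host, host_len) != 0) {
    return 0;
  }
  return 1;
}

/*
 * Gadu-Gadu over HTTP.
 *
 * Matches the start of the payload against the known Gadu-Gadu request lines
 * and, for each, validates the Host: (or User-Agent:) header before tagging
 * the flow with ndpi_int_gadugadu_add_connection().
 *
 * Returns 0 when the payload is shorter than 50 bytes, or when a known request
 * line is present but the header validation fails. Returns 1 otherwise, which
 * includes the case where none of the request lines matched and the flow was
 * not tagged -- a return of 1 therefore does not by itself mean "detected".
 */
static u_int8_t check_for_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: check for http.\n");

  /* The longest prefix compared below is 18 bytes; the 50-byte minimum keeps
   * every memcmp() in bounds and drops requests too short to carry headers. */
  if (packet->payload_packet_len < 50) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: Packet too small.\n");
    return 0;
  }

  if (memcmp(packet->payload, "GET /appsvc/appmsg", NDPI_STATICSTRING_LEN("GET /appsvc/appmsg")) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: GET FOUND\n");
    /* Presumably extracts the phone number from the request -- TODO confirm.
     * It runs before the header lines are parsed, as in the original ordering. */
    parse_gg_foneno(ndpi_struct, flow);
    if (!gg_host_prefix_matches(ndpi_struct, flow, "appmsg.gadu-gadu.pl",
                                NDPI_STATICSTRING_LEN("appmsg.gadu-gadu.pl"))) {
      return 0;
    }
    /* host_line.ptr points into the packet buffer and is not NUL-terminated, so the
     * log output is bounded by the parsed header length instead of printed with %s. */
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: Is gadugadu host FOUND %.*s\n",
             (int) packet->host_line.len, packet->host_line.ptr);
    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
  } else if (memcmp(packet->payload, "POST /send/message/", 15) == 0) {
    /* NOTE(review): only 15 bytes ("POST /send/mess") of the 19-byte literal are
     * compared; confirm whether the shorter prefix is intentional before tightening it. */
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: POST FOUND\n");
    if (!gg_host_prefix_matches(ndpi_struct, flow, "life.gadu-gadu.pl",
                                NDPI_STATICSTRING_LEN("life.gadu-gadu.pl"))) {
      return 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: Is gadugadu post FOUND %.*s\n",
             (int) packet->host_line.len, packet->host_line.ptr);
    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
  } else if (memcmp(packet->payload, "GET /rotate_token", NDPI_STATICSTRING_LEN("GET /rotate_token")) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: GET FOUND\n");
    if (!gg_host_prefix_matches(ndpi_struct, flow, "sms.orange.pl",
                                NDPI_STATICSTRING_LEN("sms.orange.pl"))) {
      return 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: gadugadu sms FOUND %.*s\n",
             (int) packet->host_line.len, packet->host_line.ptr);
    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
  } else if ((memcmp(packet->payload, "GET /nowosci.xml", NDPI_STATICSTRING_LEN("GET /nowosci.xml")) == 0) ||
             (memcmp(packet->payload, "GET /gadu-gadu.xml", NDPI_STATICSTRING_LEN("GET /gadu-gadu.xml")) == 0) ||
             (memcmp(packet->payload, "POST /access_token", NDPI_STATICSTRING_LEN("POST /access_token")) == 0)) {
    /* These requests are identified by the client's User-Agent rather than by Host:. */
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->user_agent_line.ptr == NULL) {
      return 0;
    }
    if (!(packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("Gadu-Gadu Client") &&
          memcmp(packet->user_agent_line.ptr, "Gadu-Gadu Client",
                 NDPI_STATICSTRING_LEN("Gadu-Gadu Client")) == 0)) {
      return 0;
    }
    /* user_agent_line.ptr is likewise not NUL-terminated: bound the output. */
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: gadugadu FOUND %.*s\n",
             (int) packet->user_agent_line.len, packet->user_agent_line.ptr);
    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
  }

  return 1;
}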
/*
 * Zattoo dissector (TCP and UDP).
 *
 * When the flow is already tagged as Zattoo only the per-host activity
 * timestamps (src/dst zattoo_ts) are refreshed, provided the previous
 * activity lies within zattoo_connection_timeout ticks.
 *
 * For TCP the function first tries several HTTP request-line / header
 * signatures, then a small multi-packet state machine kept in
 * flow->zattoo_stage; the stage value encodes the direction of the packet
 * that advanced it (1 + direction, 3 + direction) so the matching reply is
 * recognised as 2 - direction / 4 - direction from the other side. For UDP
 * on port 5003 two packets carrying one of the known leading words are
 * required (zattoo_stage counts them). Anything else excludes the protocol
 * for this flow.
 */
static void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  u_int16_t i;

  /* Already detected: only keep the per-host timestamps alive. */
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) {
    if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) {
      src->zattoo_ts = packet->tick_timestamp;
    }
    if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) {
      dst->zattoo_ts = packet->tick_timestamp;
    }
    return;
  }

  if (packet->tcp != NULL) {
    /* HTTP signatures first. The > 50 byte requirement keeps every fixed-length
     * memcmp() below inside the payload. */
    if (packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
               "add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
    /* NOTE(review): the memcmp() length and the NDPI_LOG() prefix of this check are
     * redacted ("******") in this copy of the file; the statement is kept exactly as
     * found and must be compared against the upstream source before being relied on. */
    if (packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /ZattooAdRedirect/redirect.jsp?user="******"add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len > 50
        && (memcmp(packet->payload, "POST /channelserver/player/channel/update HTTP/1.1", 50) == 0
            || memcmp(packet->payload, "GET /epg/query", 14) == 0)) {
      /* Request line matched; additionally require a "User-Agent: Zattoo" header line. */
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      for (i = 0; i < packet->parsed_lines; i++) {
        if (packet->line[i].len >= 18 && (ndpi_mem_cmp(packet->line[i].ptr, "User-Agent: Zattoo", 18) == 0)) {
          NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
                   "add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n");
          ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
    } else if (packet->payload_packet_len > 50
               && (memcmp(packet->payload, "GET /", 5) == 0
                   || memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)) {
      /* TODO to avoid searching currently only a specific length and offset is used
       * that might be changed later */
      /* Generic HTTP request: the decision is delegated to the User-Agent check in
       * ndpi_int_zattoo_user_agent_set(). */
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) {
        ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    } else if (packet->payload_packet_len > 50 && memcmp(packet->payload, "POST http://", 12) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      /* test for unique character of the zattoo header */
      if (packet->parsed_lines == 4 && packet->host_line.ptr != NULL) {
        u_int32_t ip;
        u_int16_t bytes_read = 0;

        /* The host part of the absolute URL (right after "POST http://") is parsed as a
         * dotted IPv4 address and must equal the packet's destination address. */
        ip = ndpi_bytestream_to_ipv4(&packet->payload[12], packet->payload_packet_len, &bytes_read);
        /* The body following the empty line must start with the Zattoo magic bytes at
         * offsets 2..7; the "> 10" check keeps those reads inside the payload.
         * NOTE(review): packet->iph is dereferenced without a NULL check -- confirm it
         * is always set whenever packet->tcp is (e.g. that no IPv6 path reaches here). */
        if (ip == packet->iph->daddr && packet->empty_line_position_set != 0
            && ((packet->payload_packet_len - packet->empty_line_position) > 10)
            && packet->payload[packet->empty_line_position + 2] == 0x03
            && packet->payload[packet->empty_line_position + 3] == 0x04
            && packet->payload[packet->empty_line_position + 4] == 0x00
            && packet->payload[packet->empty_line_position + 5] == 0x04
            && packet->payload[packet->empty_line_position + 6] == 0x0a
            && packet->payload[packet->empty_line_position + 7] == 0x00) {
          NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern POST http://\n");
          ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
    } else if (flow->zattoo_stage == 0) {
      /* Binary protocol, first packet: remember which direction sent the 6-byte magic. */
      if (packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04
          && packet->payload[2] == 0x00 && packet->payload[3] == 0x04
          && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) {
        flow->zattoo_stage = 1 + packet->packet_direction;
        NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n");
        return;
      }
      /* the following is searching for flash, not for zattoo. cust1 wants to do so. */
    } else if (flow->zattoo_stage == 2 - packet->packet_direction && packet->payload_packet_len > 50
               && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) {
      /* Reply from the opposite direction to the one that set stage 1 + direction. */
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    } else if (flow->zattoo_stage == 1 + packet->packet_direction) {
      /* Another packet from the same direction that set stage 1: a large 0x0000 packet
       * advances to stage 3 + direction. */
      if (packet->payload_packet_len > 500 && packet->payload[0] == 0x00 && packet->payload[1] == 0x00) {
        flow->zattoo_stage = 3 + packet->packet_direction;
        NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x0000\n");
        return;
      }
      /* NOTE(review): this condition has an empty body, so it has no effect; every
       * packet reaching this point just logs and returns without changing the stage. */
      if (packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04
          && packet->payload[2] == 0x00 && packet->payload[3] == 0x04
          && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) {
      }
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n");
      return;
    } else if (flow->zattoo_stage == 4 - packet->packet_direction && packet->payload_packet_len > 50
               && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) {
      /* Reply from the opposite direction to the one that set stage 3 + direction. */
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    } else if (flow->zattoo_stage == 5 + packet->packet_direction && (packet->payload_packet_len == 125)) {
      /* NOTE(review): nothing in this function sets zattoo_stage to 5 or 6 on TCP; these
       * two branches are reachable only if the stage is advanced elsewhere -- confirm. */
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "detected zattoo.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    } else if (flow->zattoo_stage == 6 - packet->packet_direction && packet->payload_packet_len == 1412) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "found zattoo.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
    NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
             "ZATTOO: discarted the flow (TCP): packet_size: %u; Flowstage: %u\n",
             packet->payload_packet_len, flow->zattoo_stage);
  } else if (packet->udp != NULL) {
    /* UDP on port 5003: the payload must begin with one of the known 16-bit or 32-bit
     * words. zattoo_stage is reused as a plain counter here; the second matching
     * packet confirms the flow. */
    if (packet->payload_packet_len > 20
        && (packet->udp->dest == htons(5003) || packet->udp->source == htons(5003))
        && (get_u_int16_t(packet->payload, 0) == htons(0x037a)
            || get_u_int16_t(packet->payload, 0) == htons(0x0378)
            || get_u_int16_t(packet->payload, 0) == htons(0x0305)
            || get_u_int32_t(packet->payload, 0) == htonl(0x03040004)
            || get_u_int32_t(packet->payload, 0) == htonl(0x03010005))) {
      if (++flow->zattoo_stage == 2) {
        NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over udp.\n");
        ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet udp.\n");
      return;
    }
    NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
             "ZATTOO: discarded the flow (UDP): packet_size: %u; Flowstage: %u\n",
             packet->payload_packet_len, flow->zattoo_stage);
  }

  /* No signature matched on this packet: stop looking for Zattoo in this flow. */
  NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "exclude zattoo.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ZATTOO);
}
/* return 0 if nothing has been detected return 1 if it is a megaupload packet */ u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; // struct ndpi_id_struct *src=ndpi_struct->src; // struct ndpi_id_struct *dst=ndpi_struct->dst; u_int16_t filename_start = 0; u_int8_t i = 1; u_int16_t host_line_len_without_port; if (packet->payload_packet_len < 100) { NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: Packet too small.\n"); goto end_ddl_nothing_found; } if (memcmp(packet->payload, "POST ", 5) == 0) { filename_start = 5; // POST NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: POST FOUND\n"); } else if (memcmp(packet->payload, "GET ", 4) == 0) { filename_start = 4; // GET NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: GET FOUND\n"); } else { goto end_ddl_nothing_found; } // parse packet ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->host_line.ptr == NULL) { NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: NO HOST FOUND\n"); goto end_ddl_nothing_found; } NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: Host: found\n"); if (packet->line[0].len < 9 + filename_start || memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) != 0) { NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: PACKET NOT HTTP CONFORM.\nXXX%.*sXXX\n", 8, &packet->line[0].ptr[packet->line[0].len - 9]); goto end_ddl_nothing_found; } // BEGIN OF AUTOMATED CODE GENERATION // first see if we have ':port' at the end of the line host_line_len_without_port = packet->host_line.len; if (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] >= '0' && packet->host_line.ptr[packet->host_line.len - i] <= '9') { i = 2; while (host_line_len_without_port >= i && 
packet->host_line.ptr[host_line_len_without_port - i] >= '0' && packet->host_line.ptr[host_line_len_without_port - i] <= '9') { NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: number found\n"); i++; } if (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] == ':') { NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: ':' found\n"); host_line_len_without_port = host_line_len_without_port - i; } } // then start automated code generation if (host_line_len_without_port >= 0 + 4 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 4], ".com", 4) == 0) { if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'd') { if (host_line_len_without_port >= 5 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 6], "4share", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "fileclou", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 5 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "uploa", 5) == 0) { if (host_line_len_without_port >= 10 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 6], "files-", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "mega", 
4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "rapid", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "turbo", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'o') { if (host_line_len_without_port >= 5 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 6], "badong", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 6 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "fileh", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'g') { if (host_line_len_without_port >= 5 + 2 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 2], "in", 2) == 0) { if (host_line_len_without_port >= 7 + 4 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 7 - 
4], "shar", 4) == 0) { if (host_line_len_without_port >= 11 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 11 - 4], "best", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 11 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 11 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 11 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 11 - 5], "quick", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 11 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 11 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 7 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 7 - 6], "upload", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 7 - 6 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 7 - 6 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 5 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "sharebi", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 8], "bigfilez", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'e') { if (host_line_len_without_port >= 5 + 3 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 3], "fil", 3) == 0) { if (host_line_len_without_port >= 8 + 2 && memcmp((void *) 
&packet->host_line.ptr[host_line_len_without_port - 8 - 2], "mo", 2) == 0) { if (host_line_len_without_port >= 10 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "china", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 8 + 2 + 1 && (packet->host_line.ptr[host_line_len_without_port - 8 - 2 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 2 - 1] == '.')) { goto end_ddl_found; } } if (host_line_len_without_port >= 8 + 3 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 3], "hot", 3) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 8 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 6], "keepmy", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 6 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 6 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 8 + 1 && packet->host_line.ptr[host_line_len_without_port - 8 - 1] == 'e') { if (host_line_len_without_port >= 9 + 3 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 3], "sav", 3) == 0 && (packet->host_line.ptr[host_line_len_without_port - 9 - 3 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 9 - 3 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 9 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 5], "sendm", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if 
(host_line_len_without_port >= 8 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 8], "sharebig", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 8 + 3 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 3], "up-", 3) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 3 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 5 + 1 && packet->host_line.ptr[host_line_len_without_port - 5 - 1] == 'r') { if (host_line_len_without_port >= 6 + 3 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 3], "sha", 3) == 0) { if (host_line_len_without_port >= 9 + 1 && packet->host_line.ptr[host_line_len_without_port - 9 - 1] == '-') { if (host_line_len_without_port >= 10 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "easy", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "fast", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 4], "live", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 4 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if 
(host_line_len_without_port >= 9 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 4], "ftp2", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 9 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 4], "gige", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 9 + 4 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 4], "mega", 4) == 0 && (packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 9 - 4 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 9 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 9 - 5], "rapid", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 9 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 6 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 7], "mediafi", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 6 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 6 - 7 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 5 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "gigasiz", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 8 + 1 && memcmp((void *) 
&packet->host_line.ptr[host_line_len_without_port - 5 - 8], "sendspac", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "sharebe", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 11 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 11], "sharebigfli", 11) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "fileserv", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 's') { if (host_line_len_without_port >= 5 + 1 && packet->host_line.ptr[host_line_len_without_port - 5 - 1] == 'e') { if (host_line_len_without_port >= 6 + 10 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 10], "depositfil", 10) == 0 && (packet->host_line.ptr[host_line_len_without_port - 6 - 10 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 6 - 10 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 6 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 6 - 8], "megashar", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 6 - 8 - 1] == ' ' || 
packet->host_line.ptr[host_line_len_without_port - 6 - 8 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 5 + 10 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 10], "fileupyour", 10) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 11 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 11], "filefactory", 11) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 11 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 11 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 't') { if (host_line_len_without_port >= 5 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "filefron", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 10 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 10], "uploadingi", 10) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 11 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 11], "yourfilehos", 11) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 11 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 
'r') { if (host_line_len_without_port >= 5 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 8], "mytempdi", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 10 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 10], "uploadpowe", 10) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 10 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 9 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 9], "mega.1280", 9) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 9 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 9], "filesonic", 9) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 0 + 4 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 4], ".net", 4) == 0) { if (host_line_len_without_port >= 4 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 7], "badongo", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'd') { if (host_line_len_without_port >= 5 + 3 && memcmp((void *) 
&packet->host_line.ptr[host_line_len_without_port - 5 - 3], "loa", 3) == 0) { if (host_line_len_without_port >= 8 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 5], "fast-", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 8 + 2 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 2], "up", 2) == 0) { if (host_line_len_without_port >= 10 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 5], "file-", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 6], "simple", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 6 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 10 + 3 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 10 - 3], "wii", 3) == 0 && (packet->host_line.ptr[host_line_len_without_port - 10 - 3 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 10 - 3 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 5 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 7], "filesen", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 7 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 4 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 5], 
"filer", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 9 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 9], "livedepot", 9) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 9 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 1 && packet->host_line.ptr[host_line_len_without_port - 4 - 1] == 'e') { if (host_line_len_without_port >= 5 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "mofil", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 17 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 17], "odsiebie.najlepsz", 17) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 17 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 17 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 5 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 5 - 5], "zshar", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 5 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 0 + 1 && packet->host_line.ptr[host_line_len_without_port - 0 - 1] == 'u') { if (host_line_len_without_port >= 1 + 6 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 6], "data.h", 6) == 0 && (packet->host_line.ptr[host_line_len_without_port - 1 - 6 - 1] == ' ' || 
packet->host_line.ptr[host_line_len_without_port - 1 - 6 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 1 + 2 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 2], ".r", 2) == 0) { if (host_line_len_without_port >= 3 + 10 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 10], "filearchiv", 10) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 10 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 10 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 3 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 8], "filepost", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 8 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 3 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 7], "ifolder", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 0 + 11 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 11], "filehost.tv", 11) == 0 && (packet->host_line.ptr[host_line_len_without_port - 0 - 11 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 0 - 11 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 0 + 3 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 3], ".to", 3) == 0) { if (host_line_len_without_port >= 3 + 1 && packet->host_line.ptr[host_line_len_without_port - 3 - 1] == 'e') { if (host_line_len_without_port >= 4 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 7], "filesaf", 7) == 0 && 
(packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 8 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 8], "sharebas", 8) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 8 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 3 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 5], "files", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 3 + 1 && packet->host_line.ptr[host_line_len_without_port - 3 - 1] == 'd') { if (host_line_len_without_port >= 4 + 3 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 3], "loa", 3) == 0) { if (host_line_len_without_port >= 7 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 7 - 7], "file-up", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 7 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 7 - 7 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 4 + 3 + 1 && (packet->host_line.ptr[host_line_len_without_port - 4 - 3 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 3 - 1] == '.')) { goto end_ddl_found; } } if (host_line_len_without_port >= 4 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 4 - 7], "uploade", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 4 - 7 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } goto end_ddl_nothing_found; } if 
(host_line_len_without_port >= 0 + 1 && packet->host_line.ptr[host_line_len_without_port - 0 - 1] == 'z') { if (host_line_len_without_port >= 1 + 14 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 14], "leteckaposta.c", 14) == 0 && (packet->host_line.ptr[host_line_len_without_port - 1 - 14 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 1 - 14 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 1 + 12 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 12], "yourfiles.bi", 12) == 0 && (packet->host_line.ptr[host_line_len_without_port - 1 - 12 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 1 - 12 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 0 + 1 && packet->host_line.ptr[host_line_len_without_port - 0 - 1] == 'n') { if (host_line_len_without_port >= 1 + 9 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 9], "netload.i", 9) == 0 && (packet->host_line.ptr[host_line_len_without_port - 1 - 9 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 1 - 9 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 1 + 2 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 1 - 2], ".v", 2) == 0) { if (host_line_len_without_port >= 3 + 7 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 7], "4shared", 7) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 7 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 3 + 9 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 9], "megashare", 9) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 9 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 9 - 1] == '.')) { goto end_ddl_found; } goto 
end_ddl_nothing_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 0 + 3 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 3], ".de", 3) == 0) { if (host_line_len_without_port >= 3 + 5 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 5], "share", 5) == 0) { if (host_line_len_without_port >= 8 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 5], "rapid", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == '.')) { goto end_ddl_found; } if (host_line_len_without_port >= 8 + 5 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 8 - 5], "ultra", 5) == 0 && (packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 8 - 5 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 3 + 15 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 3 - 15], "uploadyourfiles", 15) == 0 && (packet->host_line.ptr[host_line_len_without_port - 3 - 15 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 3 - 15 - 1] == '.')) { goto end_ddl_found; } goto end_ddl_nothing_found; } if (host_line_len_without_port >= 0 + 14 + 1 && memcmp((void *) &packet->host_line.ptr[host_line_len_without_port - 0 - 14], "speedshare.org", 14) == 0 && (packet->host_line.ptr[host_line_len_without_port - 0 - 14 - 1] == ' ' || packet->host_line.ptr[host_line_len_without_port - 0 - 14 - 1] == '.')) { goto end_ddl_found; } // END OF AUTOMATED CODE GENERATION /* This is the hard way. We do this in order to find the download of services when other domains are involved. This is not significant if ddl is blocked. --> then the link can not be started because the ads are not viewed. But when ddl is only limited then the download is the important part. 
*/ end_ddl_nothing_found: NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "Nothing Found\n"); return 0; end_ddl_found: NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: DIRECT DOWNLOAD LINK FOUND\n"); ndpi_int_direct_download_link_add_connection(ndpi_struct, flow); return 1; }
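/**
 * Gnutella dissector entry point (TCP and UDP).
 *
 * Runs the pattern checks below against the packet in flow->packet.  On a match
 * it calls ndpi_int_gnutella_add_connection() and (in most branches) returns.
 * When the flow is already classified as Gnutella the function only refreshes
 * or expires the per-host timestamp / learned UDP ports and returns.  If nothing
 * matches and the NEONet message-id state machine at the end does not claim the
 * packet, Gnutella is added to the flow's excluded protocol bitmask.
 *
 * @param ndpi_struct  detection module (supplies gnutella_timeout and logging)
 * @param flow         flow under inspection; flow->src / flow->dst may be NULL
 *
 * All results are reported through flow / src / dst state; nothing is returned.
 */
void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  u_int16_t c;

  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) {
    /* Already classified: keep the per-host timestamp fresh while the flow is
     * within gnutella_timeout, otherwise forget the learned UDP ports.
     * NOTE(review): the refresh tests cast the difference to u_int32_t while the
     * expiry tests below do not — presumably the same width either way; confirm. */
    if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "gnutella : save src connection packet detected\n");
      src->gnutella_ts = packet->tick_timestamp;
    } else if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "gnutella : save dst connection packet detected\n");
      dst->gnutella_ts = packet->tick_timestamp;
    }
    if (src != NULL && (packet->tick_timestamp - src->gnutella_ts) > ndpi_struct->gnutella_timeout) {
      src->detected_gnutella_udp_port1 = 0;
      src->detected_gnutella_udp_port2 = 0;
    }
    if (dst != NULL && (packet->tick_timestamp - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) {
      dst->detected_gnutella_udp_port1 = 0;
      dst->detected_gnutella_udp_port2 = 0;
    }
    return;
  }

  /* skip packets without payload — every check below may read payload[0..1] */
  if (packet->payload_packet_len < 2) {
    return;
  }

  if (packet->tcp != NULL) {
    /* handshake banners; this case works asymmetrically (one direction suffices) */
    if (packet->payload_packet_len > 10 && memcmp(packet->payload, "GNUTELLA/", 9) == 0) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* this case works asymmetrically */
    if (packet->payload_packet_len > 17 && memcmp(packet->payload, "GNUTELLA CONNECT/", 17) == 0) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }

    /* HTTP-style file requests: look for Gnutella-specific headers in any line.
     * Each line check compares one byte more than the "len >" bound, so the
     * memcmp stays inside the line. */
    if (packet->payload_packet_len > 50
        && ((memcmp(packet->payload, "GET /get/", 9) == 0) || (memcmp(packet->payload, "GET /uri-res/", 13) == 0))) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      for (c = 0; c < packet->parsed_lines; c++) {
        if ((packet->line[c].len > 19 && memcmp(packet->line[c].ptr, "User-Agent: Gnutella", 20) == 0)
            || (packet->line[c].len > 10 && memcmp(packet->line[c].ptr, "X-Gnutella-", 11) == 0)
            || (packet->line[c].len > 7 && memcmp(packet->line[c].ptr, "X-Queue:", 8) == 0)
            || (packet->line[c].len > 36 && memcmp(packet->line[c].ptr, "Content-Type: application/x-gnutella-", 37) == 0)) {
          NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "DETECTED GNUTELLA GET.\n");
          ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
    }

    /* Plain "GET /" with a BearShare user agent or a Gnutella Accept header.
     * Only the first 9 bytes of "GET / HTTP" are compared.  No early return:
     * the remaining TCP checks still run after a match here. */
    if (packet->payload_packet_len > 50 && ((memcmp(packet->payload, "GET / HTTP", 9) == 0))) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if ((packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > 15
           && memcmp(packet->user_agent_line.ptr, "BearShare Lite ", 15) == 0)
          || (packet->accept_line.ptr != NULL && packet->accept_line.len > 24
              && memcmp(packet->accept_line.ptr, "application n/x-gnutella", 24) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "DETECTED GNUTELLA GET.\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      }
    }

    /* haven't found this pattern in any trace.
     * Scan the request for '?' and expect "urn:sha1:" right behind it; the scan
     * stops 9 bytes before the end so the memcmp stays in bounds.  No early return. */
    if (packet->payload_packet_len > 50
        && ((memcmp(packet->payload, "GET /get/", 9) == 0) || (memcmp(packet->payload, "GET /uri-res/", 13) == 0))) {
      c = 8;
      while (c < (packet->payload_packet_len - 9)) {
        if (packet->payload[c] == '?')
          break;
        c++;
      }
      if (c < (packet->payload_packet_len - 9) && memcmp(&packet->payload[c], "urn:sha1:", 9) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected GET /get/ or GET /uri-res/.\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      }
    }

    /* answer to this packet is HTTP/1.1 ..... Content-Type: application/x-gnutella-packets,
     * it is searched in the upper paragraph. */
    if (packet->payload_packet_len > 30 && memcmp(packet->payload, "HEAD /gnutella/push-proxy?", 26) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected HEAD /gnutella/push-proxy?\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }

    /* haven't found any trace with this pattern ("PUSH guid:" as hex bytes) */
    if (packet->payload_packet_len == 46
        && memcmp(packet->payload, "\x50\x55\x53\x48\x20\x67\x75\x69\x64\x3a", 10) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected \x50\x55\x53\x48\x20\x67\x75\x69\x64\x3a\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }

    /* haven't found any trace with this pattern */
    if (packet->payload_packet_len > 250 && memcmp(packet->payload, "GET /gnutella/", 14) == 0) {
      //PATTERN IS :: GET /gnutella/tigertree/v3?urn:tree:tiger/:
      const u_int16_t end = packet->payload_packet_len - 3;

      /* "tigertree/" sits at a fixed offset right after "GET /gnutella/", so it
       * is checked once instead of on every loop iteration (len > 250 keeps the
       * 10-byte compare in bounds). */
      if (memcmp(&packet->payload[14], "tigertree/", 10) == 0) {
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "FOXY :: GNUTELLA GET 2 DETECTED\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
      /* every memcmp below is gated by end - c > <len>, which keeps it inside the payload */
      for (c = 13; c < end; c++) {
        if ((end - c > 18 && memcmp(&packet->payload[c], "\r\nUser-Agent: Foxy", 18) == 0)
            || (end - c > 44 && memcmp(&packet->payload[c], "\r\nAccept: application/tigertree-breadthfirst", 44) == 0)
            || (end - c > 10 && memcmp(&packet->payload[c], "\r\nX-Queue:", 10) == 0)
            || (end - c > 13 && memcmp(&packet->payload[c], "\r\nX-Features:", 13) == 0)) {
          NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "FOXY :: GNUTELLA GET 2 DETECTED\n");
          ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
    }

    /* haven't found any trace with this pattern */
    if (packet->payload_packet_len > 1
        && packet->payload[packet->payload_packet_len - 1] == 0x0a
        && packet->payload[packet->payload_packet_len - 2] == 0x0a) {
      if (packet->payload_packet_len > 3 && memcmp(packet->payload, "GIV", 3) == 0) {
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "MORPHEUS GIV DETECTED\n");
        /* Not Excludeing the flow now.. We shall Check the next Packet too for Gnutella Patterns */
        return;
      }
    }

    /* might be super tricky new ssl gnutella transmission, but the certificate is strange...
     * The next three checks match fixed-length records byte for byte; the exact
     * length test keeps the fixed-offset reads (up to offset 86) in bounds. */
    if (packet->payload_packet_len == 46
        && get_u_int32_t(packet->payload, 0) == htonl(0x802c0103)
        && get_u_int32_t(packet->payload, 4) == htonl(0x01000300)
        && get_u_int32_t(packet->payload, 8) == htonl(0x00002000)
        && get_u_int16_t(packet->payload, 12) == htons(0x0034)) {
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella len == 46.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len == 49
        && memcmp(packet->payload, "\x80\x2f\x01\x03\x01\x00\x06\x00\x00\x00\x20\x00\x00\x34\x00\x00\xff\x4d\x6c", 19) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella len == 49.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* the log text says 388 but the length tested here is 89 */
    if (packet->payload_packet_len == 89
        && memcmp(&packet->payload[43], "\x20\x4d\x6c", 3) == 0
        && memcmp(packet->payload, "\x16\x03\x01\x00\x54\x01\x00\x00\x50\x03\x01\x4d\x6c", 13) == 0
        && memcmp(&packet->payload[76], "\x00\x02\x00\x34\x01\x00\x00\x05", 8) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella asymmetrically len == 388.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    } else if (packet->payload_packet_len == 82) {
      if (get_u_int32_t(packet->payload, 0) == htonl(0x16030100)
          && get_u_int32_t(packet->payload, 4) == htonl(0x4d010000)
          && get_u_int16_t(packet->payload, 8) == htons(0x4903)
          && get_u_int16_t(packet->payload, 76) == htons(0x0002)
          && get_u_int32_t(packet->payload, 78) == htonl(0x00340100)) {
        NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected len == 82.\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
    }
  } else if (packet->udp != NULL) {
    /* Port-based correlation with a host already seen speaking Gnutella.
     * NOTE(review): udp->source is compared with the stored port as-is — the
     * stored value is presumably in the same byte order; confirm where it is set.
     * No early return here. */
    if (src != NULL
        && (packet->udp->source == src->detected_gnutella_udp_port1 || packet->udp->source == src->detected_gnutella_udp_port2)
        && (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "port based detection\n\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
    }

    /* observations:
     * all the following patterns send out many packets which are the only ones of their flows,
     * often on the very beginning of the traces, or flows with many packets in one direction only.
     * but then suddenly, one gets an answer as you can see in netpeker-gnutella-rpc.pcap packet 11483.
     * Maybe gnutella tries to send out keys?
     *
     * Each fixed-length check below tests payload_packet_len exactly, which keeps
     * the fixed-offset byte reads inside the payload. */
    if (packet->payload_packet_len == 23
        && packet->payload[15] == 0x00 && packet->payload[16] == 0x41 && packet->payload[17] == 0x01
        && packet->payload[18] == 0x00 && packet->payload[19] == 0x00 && packet->payload[20] == 0x00
        && packet->payload[21] == 0x00 && packet->payload[22] == 0x00) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 23.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len == 35
        && packet->payload[25] == 0x49 && packet->payload[26] == 0x50 && packet->payload[27] == 0x40
        && packet->payload[28] == 0x83 && packet->payload[29] == 0x53 && packet->payload[30] == 0x43
        && packet->payload[31] == 0x50 && packet->payload[32] == 0x41) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 35.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len == 32
        && (memcmp(&packet->payload[16], "\x31\x01\x00\x09\x00\x00\x00\x4c\x49\x4d\x45", 11) == 0)) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 32.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len == 34
        && (memcmp(&packet->payload[25], "SCP@", 4) == 0)
        && (memcmp(&packet->payload[30], "DNA@", 4) == 0)) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 34.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if ((packet->payload_packet_len == 73 || packet->payload_packet_len == 96)
        && memcmp(&packet->payload[32], "urn:sha1:", 9) == 0) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 73,96.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }

    /* "GND" framing.  The only guard reached so far is payload_packet_len >= 2,
     * so the 3-byte compare needs its own length check to avoid reading one
     * byte past a 2-byte payload. */
    if (packet->payload_packet_len >= 3 && memcmp(packet->payload, "GND", 3) == 0) {
      if ((packet->payload_packet_len == 8 && (memcmp(&packet->payload[6], "\x01\x00", 2) == 0))
          || (packet->payload_packet_len == 11 && (memcmp(&packet->payload[6], "\x01\x01\x08\x50\x49", 5) == 0))
          || (packet->payload_packet_len == 17 && (memcmp(&packet->payload[6], "\x01\x01\x4c\x05\x50", 5) == 0))
          || (packet->payload_packet_len == 28 && (memcmp(&packet->payload[6], "\x01\x01\x54\x0f\x51\x4b\x52\x50\x06\x52", 10) == 0))
          || (packet->payload_packet_len == 41 && (memcmp(&packet->payload[6], "\x01\x01\x5c\x1b\x50\x55\x53\x48\x48\x10", 10) == 0))
          || (packet->payload_packet_len > 200 && packet->payload_packet_len < 300 && packet->payload[3] == 0x03)
          || (packet->payload_packet_len > 300 && (packet->payload[3] == 0x01 || packet->payload[3] == 0x03))) {
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, GND.\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
    }
    if ((packet->payload_packet_len == 32)
        && memcmp(&packet->payload[16], "\x31\x01\x00\x09\x00\x00\x00", 7) == 0) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 32 ii.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if ((packet->payload_packet_len == 23)
        && memcmp(&packet->payload[16], "\x00\x01\x00\x00\x00\x00\x00", 7) == 0) {
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "detected gnutella udp, len = 23 ii.\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
  }

  //neonet detection follows
  /* haven't found any trace with this pattern.
   * Stage 0 (first packet, length 11/33/37): remember three payload bytes as a
   * message id and record which direction sent it.  On the second packet from
   * either direction the id must reappear at offsets 0/2/4 and one endpoint must
   * already be known for Gnutella.  All indexed reads are covered by the exact
   * length tests. */
  if (packet->tcp != NULL && ntohs(packet->tcp->source) >= 1024 && ntohs(packet->tcp->dest) >= 1024) {
    if (flow->l4.tcp.gnutella_stage == 0) {
      if (flow->packet_counter == 1
          && (packet->payload_packet_len == 11 || packet->payload_packet_len == 33 || packet->payload_packet_len == 37)) {
        flow->l4.tcp.gnutella_msg_id[0] = packet->payload[4];
        flow->l4.tcp.gnutella_msg_id[1] = packet->payload[6];
        flow->l4.tcp.gnutella_msg_id[2] = packet->payload[8];
        flow->l4.tcp.gnutella_stage = 1 + packet->packet_direction;
        return;
      }
    } else if (flow->l4.tcp.gnutella_stage == 1 + packet->packet_direction) {
      /* same direction as the first packet */
      if (flow->packet_counter == 2
          && (packet->payload_packet_len == 33 || packet->payload_packet_len == 22)
          && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0]
          && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2]
          && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]
          && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) {
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
    } else if (flow->l4.tcp.gnutella_stage == 2 - packet->packet_direction) {
      /* opposite direction to the first packet */
      if (flow->packet_counter == 2
          && (packet->payload_packet_len == 10 || packet->payload_packet_len == 75)
          && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0]
          && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2]
          && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]
          && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) {
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
    }
  }

  /* nothing matched: stop running this dissector on the flow */
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GNUTELLA);
}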
/**
 * HTTP dissector for TCP flows: a small per-flow state machine driven by
 * flow->l4.tcp.http_setup_dir (which direction is the client) and
 * flow->l4.tcp.http_stage.
 *
 * Client-direction packets are checked for a "METHOD /url HTTP/1." request
 * line (via http_request_url_offset() and the line parser); a match calls
 * ndpi_int_http_add_connection() and then hands the packet to
 * check_content_type_and_change_protocol().  Server-direction packets are
 * only parsed once a request has been seen (http_stage > 0).  Flows that are
 * already flagged as "generic HTTP" by generic_http_packet_bitmask skip the
 * request-line validation and jump to http_parse_detection.
 *
 * @param ndpi_struct  detection module (bitmasks, logging)
 * @param flow         flow under inspection; flow->packet is the current packet
 *
 * Results are reported through flow state; nothing is returned.
 */
static void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;
  u_int16_t filename_start;   /* byte offset of the URL in the request line, 0 = no HTTP method found */

  NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "search http\n");

  /* set client-server_direction: the first packet seen defines the client side */
  if (flow->l4.tcp.http_setup_dir == 0) {
    NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "initializes http to stage: 1 \n");
    flow->l4.tcp.http_setup_dir = 1 + packet->packet_direction;
  }

  /* flow already classified as an HTTP-like protocol: only look for host / content type */
  if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->generic_http_packet_bitmask, packet->detected_protocol_stack[0]) != 0) {
    NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "protocol might be detected earlier as http jump to payload type detection\n");
    goto http_parse_detection;
  }

  if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
    /* client -> server direction */
    NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http stage: 1\n");

    /* a retransmission was requested earlier; give it up to 5 packets to appear */
    if (flow->l4.tcp.http_wait_for_retransmission) {
      if (!packet->tcp_retransmission) {
        if (flow->packet_counter <= 5) {
          NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "still waiting for retransmission\n");
          return;
        } else {
          NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "retransmission not found, exclude\n");
          http_bitmask_exclude(flow);
          return;
        }
      }
    }

    if (flow->l4.tcp.http_stage == 0) {
      /* first client payload: must start with a known HTTP method */
      filename_start = http_request_url_offset(ndpi_struct, flow);
      if (filename_start == 0) {
        /* no method — but a bare "HTTP/1." status line is accepted as a truncated flow */
        if (packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) {
          NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response found (truncated flow ?)\n");
          ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
          return;
        }
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "filename not found, exclude\n");
        http_bitmask_exclude(flow);
        return;
      }
      // parse packet
      ndpi_parse_packet_line_info(ndpi_struct, flow);

      if (packet->parsed_lines <= 1) {
        /* parse one more packet .. */
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "just one line, search next packet\n");
        packet->http_method.ptr = packet->line[0].ptr;
        packet->http_method.len = filename_start - 1;   /* method is everything before the space preceding the URL */
        flow->l4.tcp.http_stage = 1;
        return;
      }
      // parsed_lines > 1 here
      /* request line must end in " HTTP/1."; the >= (9 + filename_start) bound keeps the
       * 8-byte compare at len - 9 inside the line and behind the URL start */
      if (packet->line[0].len >= (9 + filename_start) && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
        packet->http_url_name.ptr = &packet->payload[filename_start];
        packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
        packet->http_method.ptr = packet->line[0].ptr;
        packet->http_method.len = filename_start - 1;
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "http structure detected, adding\n");
        /* a URL offset of 8 is presumably the "CONNECT " method — TODO confirm against http_request_url_offset */
        ndpi_int_http_add_connection(ndpi_struct, flow, (filename_start == 8) ? NDPI_PROTOCOL_HTTP_CONNECT : NDPI_PROTOCOL_HTTP);
        check_content_type_and_change_protocol(ndpi_struct, flow);
        /* HTTP found, look for host... */
        if (packet->host_line.ptr != NULL) {
          /* aaahh, skip this direction and wait for a server reply here */
          flow->l4.tcp.http_stage = 2;
          NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n");
          return;
        }
        /* same log text as the found case above; the stage value is what distinguishes them */
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HOST found\n");
        /* host not found, check in next packet after */
        flow->l4.tcp.http_stage = 1;
        return;
      }
    } else if (flow->l4.tcp.http_stage == 1) {
      /* SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP... */
      /* UNKNOWN TRAFFIC, HERE FOR HTTP again.. */
      // parse packet
      ndpi_parse_packet_line_info(ndpi_struct, flow);

      if (packet->parsed_lines <= 1) {
        /* wait some packets in case request is split over more than 2 packets */
        if (flow->packet_counter < 5) {
          NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "line still not finished, search next packet\n");
          return;
        } else {
          /* stop parsing here */
          NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n");
          http_bitmask_exclude(flow);
          return;
        }
      }
      /* here only the " HTTP/1." suffix is required; no URL offset is recomputed */
      if (packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
        ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
        check_content_type_and_change_protocol(ndpi_struct, flow);
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP START HTTP found in 2. packet, check host here...\n");
        /* HTTP found, look for host... */
        flow->l4.tcp.http_stage = 2;
        return;
      }
    }
  } else {
    /* We have received a response for a previously identified partial HTTP request */
    /* NOTE(review): packet->parsed_lines is read here without a call to
     * ndpi_parse_packet_line_info() in this function — presumably the caller
     * (or an earlier dissector) has already parsed this packet; confirm. */
    if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) {
      /* In apache if you do "GET /\n\n" the response comes without any header so we can assume that this can be the case */
      ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
      return;
    }
  }

  /* every path that found HTTP returned above */
  NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n");
  http_bitmask_exclude(flow);
  return;

 http_parse_detection:
  /* reached only via the generic_http_packet_bitmask jump above */
  if (flow->l4.tcp.http_setup_dir == 1 + packet->packet_direction) {
    /* we have something like http here, so check for host and content type if possible */
    if (flow->l4.tcp.http_stage == 0 || flow->l4.tcp.http_stage == 3) {
      NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN MAYBE NEXT GET/POST...\n");
      // parse packet
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      /* check for url here */
      filename_start = http_request_url_offset(ndpi_struct, flow);
      if (filename_start != 0 && packet->parsed_lines > 1
          && packet->line[0].len >= (9 + filename_start)
          && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
        packet->http_url_name.ptr = &packet->payload[filename_start];
        packet->http_url_name.len = packet->line[0].len - (filename_start + 9);
        packet->http_method.ptr = packet->line[0].ptr;
        packet->http_method.len = filename_start - 1;
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "next http action, " "resetting to http and search for other protocols later.\n");
        ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);
      }
      /* runs even when no new request line was found */
      check_content_type_and_change_protocol(ndpi_struct, flow);
      /* HTTP found, look for host... */
      if (packet->host_line.ptr != NULL) {
        NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN MAYBE NEXT HOST found, skipping all packets from this direction\n");
        /* aaahh, skip this direction and wait for a server reply here */
        flow->l4.tcp.http_stage = 2;
        return;
      }
      NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN MAYBE NEXT HOST NOT found, scanning one more packet from this direction\n");
      flow->l4.tcp.http_stage = 1;
    } else if (flow->l4.tcp.http_stage == 1) {
      // parse packet and maybe find a packet info with host ptr,...
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      check_content_type_and_change_protocol(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP RUN second packet scanned\n");
      /* HTTP found, look for host... */
      flow->l4.tcp.http_stage = 2;
    }
    /* stage 2 client packets fall through to here and are ignored */
    NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP skipping client packets after second packet\n");
    return;
  }

  /* server response */
  if (flow->l4.tcp.http_stage > 0) {
    /* first packet from server direction, might have a content line */
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    check_content_type_and_change_protocol(ndpi_struct, flow);
    /* an empty line marks the end of the headers: the body can now be inspected */
    if (packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) {
      NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "empty line. check_http_payload.\n");
      check_http_payload(ndpi_struct, flow);
    }
    /* stage 2 (host seen) advances to 3 so the next client request is re-checked;
     * any other stage resets to 0 */
    if (flow->l4.tcp.http_stage == 2) {
      flow->l4.tcp.http_stage = 3;
    } else {
      flow->l4.tcp.http_stage = 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response first or second packet scanned,new stage is: %u\n", flow->l4.tcp.http_stage);
    return;
  } else {
    NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP response next packet skipped\n");
  }
}