/*
 * Heuristic Skype detection driven by per-flow packet counters and by
 * payload length / byte patterns.
 *
 * UDP: the counter is incremented for every packet; while it is below 5 the
 * payload is tested, afterwards Skype is excluded for the flow.
 * TCP: packets one and two are ignored, packet three is tested only when the
 * SYN, SYN-ACK and ACK flags have all been recorded; any other case excludes
 * Skype.
 *
 * The match relies on lengths and a couple of byte values only, so a positive
 * result is a heuristic label, not proof of the application.
 */
static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int32_t payload_len = packet->payload_packet_len;

  if(packet->udp != NULL) {
    int short_msg, long_msg;

    flow->l4.udp.skype_packet_id++;

    if(flow->l4.udp.skype_packet_id >= 5) {
      NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE);
      return;
    }

    /* skype-to-skype: each payload index is read only after the length test beside it */
    short_msg = (payload_len == 3) && ((packet->payload[2] & 0x0F) == 0x0d);
    long_msg = (payload_len >= 16)
      && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */
      && (packet->payload[2] == 0x02);

    if(short_msg || long_msg) {
      NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n");
      ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_REAL_PROTOCOL);
    }
    return;
  }

  if(packet->tcp == NULL)
    return;

  flow->l4.tcp.skype_packet_id++;

  if(flow->l4.tcp.skype_packet_id < 3)
    return; /* Too early */

  if((flow->l4.tcp.skype_packet_id == 3)
     /* We have seen the 3-way handshake */
     && flow->l4.tcp.seen_syn
     && flow->l4.tcp.seen_syn_ack
     && flow->l4.tcp.seen_ack) {
    if((payload_len == 8) || (payload_len == 3)) {
      NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n");
      ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_REAL_PROTOCOL);
    }
    return;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE);
}
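/*
 * Citrix detection on the third TCP packet of a flow, once the SYN, SYN-ACK
 * and ACK flags have been recorded.
 *
 * A 6-byte payload is compared with one fixed header; a longer payload is
 * compared with a second, 7-byte header or searched for the string
 * "Citrix.TcpProxyService". Packets after the third exclude Citrix.
 */
static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int32_t payload_len = packet->payload_packet_len;

  if(packet->tcp == NULL)
    return;

  flow->l4.tcp.citrix_packet_id++;

  if((flow->l4.tcp.citrix_packet_id == 3)
     /* We have seen the 3-way handshake */
     && flow->l4.tcp.seen_syn
     && flow->l4.tcp.seen_syn_ack
     && flow->l4.tcp.seen_ack) {
    if(payload_len == 6) {
      static const char citrix_header[] = { 0x07, 0x07, 0x49, 0x43, 0x41, 0x00 };

      if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n");
        ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_REAL_PROTOCOL);
      }
      return;
    } else if(payload_len > 4) {
      static const char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 };

      /*
       * The header is 7 bytes long but this branch is entered from 5 bytes
       * upwards, so the comparison is only made when the payload really holds
       * sizeof(citrix_header) bytes; otherwise memcmp would read past the end
       * of the captured packet.
       */
      if(((payload_len >= sizeof(citrix_header))
          && (memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0))
         || (ndpi_strnstr(packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) {
        NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n");
        ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_REAL_PROTOCOL);
      }
      return;
    }

    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CITRIX);
  } else if(flow->l4.tcp.citrix_packet_id > 3) {
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CITRIX);
  }

  return;
}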
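/*
 * collectd detection for UDP payloads.
 *
 * The payload is walked as a sequence of parts, each starting with a 2-byte
 * type followed by a 2-byte big-endian length. The flow is labelled collectd
 * when the lengths add up exactly to the payload size, otherwise collectd is
 * excluded.
 *
 * NOTE(review): a zero-length payload never enters the loop and therefore
 * satisfies the final equality; confirm callers never pass empty payloads.
 */
void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int len = 0;

  NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "search collectd.\n");

  if (packet->udp == NULL) return;

  while(len < packet->payload_packet_len) {
    u_int16_t elem_len;

    /*
     * The length field sits at offsets len+2 and len+3. Stop when fewer than
     * four bytes remain so that the field is never read past the end of the
     * payload; such a packet then fails the equality below and is excluded.
     */
    if((packet->payload_packet_len - len) < 4)
      break;

    /* Assemble the big-endian value byte by byte: no unaligned 16-bit load. */
    elem_len = (u_int16_t)(((packet->payload[len + 2] & 0xFF) << 8)
                           | (packet->payload[len + 3] & 0xFF));

    if (elem_len == 0) break;

    len += elem_len;
  }

  if(len == packet->payload_packet_len) {
    NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "found COLLECTD.\n");
    ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_REAL_PROTOCOL);
  } else {
    NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "exclude COLLECTD.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COLLECTD);
  }
}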
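/*
 * RTCP detection.
 *
 * TCP: a payload longer than 13 bytes on port 554 (either side) whose first
 * eight bytes match a fixed pattern.
 * UDP: first byte 0x80 or 0x81, second byte 0xc8 or 0xc9, third byte 0x00.
 * Flows that are neither TCP nor UDP exclude RTCP.
 */
void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport = 0, sport = 0;

  NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "search for RTCP.\n");

  if(packet->tcp != NULL) {
    sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
    NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over tcp.\n");

    if(packet->payload_packet_len > 13 && (sport == 554 || dport == 554) &&
       packet->payload[0] == 0x00 && packet->payload[1] == 0x00 &&
       packet->payload[2] == 0x01 && packet->payload[3] == 0x01 &&
       packet->payload[4] == 0x08 && packet->payload[5] == 0x0a &&
       packet->payload[6] == 0x00 && packet->payload[7] == 0x01) {
      NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "found rtcp.\n");
      ndpi_int_rtcp_add_connection(ndpi_struct, flow);
    }
  } else if(packet->udp != NULL) {
    NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n");

    /*
     * Three payload bytes are inspected, so require at least three; the
     * earlier code read them unconditionally, i.e. past the end of a shorter
     * datagram.
     *
     * NOTE(review): the previous length test for the 0x80 case was
     * "len >= 28 || len <= 1200", which is true for every length, so it never
     * filtered anything. "&&" was presumably intended; classification is
     * left as it was until that is confirmed.
     */
    if((packet->payload_packet_len >= 3)
       && ((packet->payload[0] == 0x80) || (packet->payload[0] == 0x81))
       && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9))
       && (packet->payload[2] == 0x00)) {
      NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "found rtcp.\n");
      ndpi_int_rtcp_add_connection(ndpi_struct, flow);
    }
  } else {
    NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude RTCP.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTCP);
  }
}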
/*
 * Fiesta detection, staged over several packets of a flow.
 *
 * Stage 0: a 5-byte opening packet stores 1 + direction in fiesta_stage.
 * A packet from the opposite direction whose leading length field agrees with
 * the payload size keeps the flow as a candidate. A packet from the opening
 * direction that matches one of the fixed signatures below confirms the
 * protocol. Anything else excludes Fiesta.
 *
 * Every payload index used is covered by the length comparison in the same
 * condition.
 */
void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "search fiesta.\n");

  /* Opening packet: remember which direction started the exchange. */
  if (flow->l4.tcp.fiesta_stage == 0 && packet->payload_packet_len == 5
      && get_u_int16_t(packet->payload, 0) == ntohs(0x0407)
      && (packet->payload[2] == 0x08)
      && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01)) {
    NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "maybe fiesta symmetric, first packet.\n");
    flow->l4.tcp.fiesta_stage = 1 + packet->packet_direction;
    NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "Stage is set to %d.\n", flow->l4.tcp.fiesta_stage);
    return;
  }

  /* Reply direction: length prefix (1-byte, or 0x00 + 16-bit) must fit the payload. */
  if (flow->l4.tcp.fiesta_stage == (2 - packet->packet_direction)
      && ((packet->payload_packet_len > 1 && packet->payload_packet_len - 1 == packet->payload[0])
          || (packet->payload_packet_len > 3 && packet->payload[0] == 0
              && get_l16(packet->payload, 1) == packet->payload_packet_len - 3))) {
    NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "Maybe fiesta.\n");
    NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "Stage is set to %d.\n", flow->l4.tcp.fiesta_stage);
    return;
  }

  /* Opening direction again: look for one of the known signatures. */
  if (flow->l4.tcp.fiesta_stage == (1 + packet->packet_direction)) {
    int confirmed = 0;

    if (packet->payload_packet_len == 4) {
      confirmed = (get_u_int32_t(packet->payload, 0) == htonl(0x03050c01));
    } else if (packet->payload_packet_len == 5) {
      confirmed = (get_u_int32_t(packet->payload, 0) == htonl(0x04030c01)
                   && packet->payload[4] == 0);
    } else if (packet->payload_packet_len == 6) {
      confirmed = (get_u_int32_t(packet->payload, 0) == htonl(0x050e080b));
    } else if (packet->payload_packet_len == 100) {
      confirmed = (packet->payload[0] == 0x63 && packet->payload[61] == 0x52
                   && packet->payload[81] == 0x5a
                   && get_u_int16_t(packet->payload, 1) == htons(0x3810)
                   && get_u_int16_t(packet->payload, 62) == htons(0x6f75));
    }

    /* Generic form, tried for every length when no fixed signature matched. */
    if (!confirmed
        && packet->payload_packet_len > 3
        && packet->payload_packet_len - 1 == packet->payload[0]
        && get_u_int16_t(packet->payload, 1) == htons(0x140c)) {
      confirmed = 1;
    }

    if (confirmed) {
      NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "detected fiesta.\n");
      ndpi_int_fiesta_add_connection(ndpi_struct, flow);
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "exclude fiesta.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FIESTA);
}
/*
 * MSN auxiliary UDP detection.
 *
 * Only considered when at least one endpoint of the flow already carries the
 * MSN bit in its detected-protocol bitmask (i.e. an MSN login was seen);
 * otherwise MSN is excluded for the flow. A matching packet is exactly 20
 * bytes long with the fixed fields tested below. A non-matching packet leaves
 * the flow undecided.
 */
static void ndpi_search_udp_msn_misc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  const int src_has_msn = (src != NULL)
    && (NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0);
  const int dst_has_msn = (dst != NULL)
    && (NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0);

  /* do we have an msn login ? */
  if (!src_has_msn && !dst_has_msn) {
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSN);
    return;
  }

  /* asymmetric ft detection works; offsets 4..11 lie inside the 20-byte payload */
  if (packet->payload_packet_len == 20
      && get_u_int32_t(packet->payload, 4) == 0
      && packet->payload[9] == 0
      && get_u_int16_t(packet->payload, 10) == htons(0x0100)) {
    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn udp misc data connection detected\n");
    ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
  }
}
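/*
 * RADIUS detection for UDP payloads.
 *
 * A payload larger than the RADIUS header whose code is at most 5 and whose
 * length field (network byte order) equals the payload size is labelled
 * RADIUS; every other UDP payload excludes RADIUS.
 */
static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int32_t payload_len = packet->payload_packet_len;

  if(packet->udp != NULL) {
    /*
     * Look at the header only after the size test. The earlier code
     * dereferenced it first, reading (and writing) beyond short payloads.
     */
    if(payload_len > sizeof(struct radius_header)) {
      /*
       * Read-only view: the length is converted into a temporary instead of
       * being byte-swapped in place. Rewriting h->len modified the captured
       * packet itself, so any later reader of the same payload (including a
       * second call of this function) saw altered data.
       */
      const struct radius_header *h = (const struct radius_header *)packet->payload;

      if((h->code <= 5) && (ntohs(h->len) == payload_len)) {
        NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "Found radius.\n");
        ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_REAL_PROTOCOL);
        return;
      }
    }

    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RADIUS);
    return;
  }
}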
/*
 * Twitter classification by IPv4 address.
 *
 * The flow is labelled Twitter when ndpi_ips_match() accepts the source or
 * destination address for one of the hard-coded prefixes; otherwise the
 * Twitter service is excluded. Non-IPv4 packets are always excluded.
 *
 * The result is only as accurate as this static prefix list.
 */
void ndpi_search_twitter(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  /* Twitter AS34702 http://bgp.he.net/AS13414 */
  static const struct {
    u_int32_t network; /* host byte order */
    int prefix_len;
  } twitter_ranges[] = {
    { 0xC0854C00, 22 }, /* 192.133.76.0/22 */
    { 0xC7109C00, 22 }, /* 199.16.156.0/22 */
    { 0xC73B9400, 22 }, /* 199.59.148.0/22 */
    { 0xC7603A00, 23 }, /* 199.96.58.0/23 */
    { 0xC7603E00, 23 }  /* 199.96.62.0/23 */
  };

  if(flow->packet.iph) {
    /* IPv4: addresses are converted to host order to match the table. */
    const u_int32_t src = ntohl(flow->packet.iph->saddr);
    const u_int32_t dst = ntohl(flow->packet.iph->daddr);
    unsigned int i;

    for(i = 0; i < sizeof(twitter_ranges) / sizeof(twitter_ranges[0]); i++) {
      if(ndpi_ips_match(src, dst, twitter_ranges[i].network, twitter_ranges[i].prefix_len)) {
        ndpi_int_twitter_add_connection(ndpi_struct, flow);
        return;
      }
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_TWITTER);
}
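/*
 * DHCP detection for UDP payloads; it also works on asymmetric traffic.
 *
 * A match needs at least 244 payload bytes, source and destination ports
 * drawn from {67, 68}, the value 0x63825363 at offset 236 and 0x3501 at
 * offset 240. Anything else excludes DHCP.
 */
void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  /*
   * check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67
   *
   * The UDP header pointer is tested before use, as the other dissectors in
   * this listing do; a flow without a UDP header falls through to the
   * exclusion instead of dereferencing a NULL pointer.
   */
  if (packet->udp != NULL
      && packet->payload_packet_len >= 244
      && (packet->udp->source == htons(67) || packet->udp->source == htons(68))
      && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68))
      && get_u_int32_t(packet->payload, 236) == htonl(0x63825363)
      && get_u_int16_t(packet->payload, 240) == htons(0x3501)) {
    NDPI_LOG(NDPI_PROTOCOL_DHCP, ndpi_struct, NDPI_LOG_DEBUG, "DHCP request\n");
    ndpi_int_dhcp_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DHCP);
}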
static inline
#else
__forceinline static
#endif
/*
 * Thunder detection over UDP, staged across packets of a flow.
 *
 * A candidate packet is longer than 8 bytes, starts with a byte in the range
 * 0x30..0x3f and has three zero bytes after it. Each candidate raises
 * thunder_stage; a candidate seen while the stage is already 3 confirms the
 * protocol. The first non-candidate packet excludes Thunder.
 *
 * NOTE(review): the preprocessor conditional that selects the storage class
 * above is opened outside this excerpt.
 */
void ndpi_int_search_thunder_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  /* The length test comes first, so payload[0..3] are only read when present. */
  const int candidate = packet->payload_packet_len > 8
    && packet->payload[0] >= 0x30 && packet->payload[0] < 0x40
    && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0;

  if (!candidate) {
    NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
             "excluding thunder udp at stage %u\n", flow->thunder_stage);
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER);
    return;
  }

  if (flow->thunder_stage == 3) {
    NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER udp detected\n");
    ndpi_int_thunder_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    return;
  }

  flow->thunder_stage++;
  NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG,
           "maybe thunder udp packet detected, stage increased to %u\n", flow->thunder_stage);
}
/*
 * TFTP detection in two stages.
 *
 * Stage 0: a payload whose first 32-bit word (big endian) is 0x00030001 moves
 * the flow to stage 1. Stage 1: a first word of 0x00040001 confirms TFTP.
 * Packets that start and end with a zero byte, or the 4-byte word 0x00040000,
 * are skipped without a decision; everything else excludes TFTP.
 */
void ndpi_search_tftp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "search TFTP.\n");

  if (packet->payload_packet_len > 3) {
    /* At least four bytes are present, so the 32-bit read is in bounds. */
    const u_int32_t first_word = ntohl(get_u_int32_t(packet->payload, 0));

    if (flow->l4.udp.tftp_stage == 0 && first_word == 0x00030001) {
      NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe tftp. need next packet.\n");
      flow->l4.udp.tftp_stage = 1;
      return;
    }

    if ((flow->l4.udp.tftp_stage == 1) && first_word == 0x00040001) {
      NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "found tftp.\n");
      ndpi_int_tftp_add_connection(ndpi_struct, flow);
      return;
    }
  }

  if (packet->payload_packet_len > 1
      && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0)
          || (packet->payload_packet_len == 4
              && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) {
    NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "skip initial packet.\n");
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude TFTP.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TFTP);
}
/*
 * Entry point for Pando detection.
 *
 * Gives up (excludes Pando) once the flow has seen more than 20 packets,
 * ignores retransmissions and flows already labelled Pando, and otherwise
 * runs the TCP check followed, if that did not label the flow, by the UDP
 * check.
 */
void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  /* Break after 20 packets. */
  if (flow->packet_counter > 20) {
    NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_TRACE, "PANDO excluded.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PANDO);
    return;
  }

  /* skip retransmitted packets and flows that are already marked */
  if (packet->tcp_retransmission != 0
      || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PANDO) {
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_TRACE, "PANDO detection...\n");

  ndpi_check_pando_tcp(ndpi_struct, flow);

  if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_PANDO) {
    ndpi_check_pando_udp(ndpi_struct, flow);
  }
}
/*
 * Direct-download-link detection over TCP.
 *
 * Flows already labelled as direct download are left alone. Otherwise the
 * domain search runs once; a zero result excludes the protocol for the flow,
 * a non-zero result leaves the flow as the search left it.
 */
void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  /* do not detect again if it is already ddl */
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK) {
    return;
  }

  if (search_ddl_domains(ndpi_struct, flow) == 0) {
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK);
  }
}
/*
 * Telegram detection over TCP.
 *
 * Empty payloads are ignored. A TCP payload longer than 56 bytes that starts
 * with 0xef and goes to port 443, 80 or 25 ends the search for the flow: it
 * is labelled Telegram when the second byte is 0x7f or when four times the
 * second byte fits into the payload length minus one. Everything else
 * excludes Telegram.
 *
 * The test is a short byte/port heuristic; unrelated traffic on those ports
 * can satisfy it.
 */
void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport;

  NDPI_LOG(NDPI_PROTOCOL_TELEGRAM, ndpi_struct, NDPI_LOG_TRACE, "TELEGRAM detection...\n");

  if (packet->payload_packet_len == 0)
    return;

  if (packet->tcp != NULL && packet->payload_packet_len > 56) {
    dport = ntohs(packet->tcp->dest);

    if (packet->payload[0] == 0xef && (dport == 443 || dport == 80 || dport == 25)) {
      if (packet->payload[1] == 0x7f
          || packet->payload[1]*4 <= packet->payload_packet_len - 1) {
        ndpi_int_telegram_add_connection(ndpi_struct, flow);
      }
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELEGRAM);
}
/*
 * SSDP detection for UDP payloads; this detection also works asymmetrically.
 *
 * A payload longer than 100 bytes that starts with an M-SEARCH or NOTIFY
 * request line, or with an HTTP/1.1 200 status line, is labelled SSDP.
 * Anything else excludes SSDP.
 */
static void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "search ssdp.\n");

  /* More than 100 bytes are present, so every prefix compared below fits. */
  if (packet->udp != NULL && packet->payload_packet_len > 100) {
#define SSDP_HTTP "HTTP/1.1 200 OK\r\n"
    if ((memcmp(packet->payload, "M-SEARCH * HTTP/1.1", 19) == 0)
        || (memcmp(packet->payload, "NOTIFY * HTTP/1.1", 17) == 0)
        || (memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n");
      ndpi_int_ssdp_add_connection(ndpi_struct, flow);
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "ssdp excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSDP);
}
/*
 * Skinny detection over TCP port 2000.
 *
 * Towards port 2000: a 24-byte payload starting with the keypad-message
 * prefix, or a 64-byte payload starting with the 0x38 prefix.
 * From port 2000: a 28-byte payload starting with the select-message prefix,
 * or a 44-byte payload starting with the 9-byte 0x24 prefix.
 * A TCP packet that matches nothing leaves the flow undecided; non-TCP
 * packets exclude Skinny.
 */
void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  static const char pattern_9_bytes[9] = { 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  static const char pattern_8_bytes[8] = { 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  static const char keypadmsg_8_bytes[8] = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  static const char selectmsg_8_bytes[8] = { 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport, sport;
  int to_server, from_server;

  NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "search for SKINNY.\n");

  if(packet->tcp == NULL) {
    NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "exclude SKINNY.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKINNY);
    return;
  }

  sport = ntohs(packet->tcp->source);
  dport = ntohs(packet->tcp->dest);
  NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "calculating SKINNY over tcp.\n");

  /* Each memcmp is reached only after an exact length test that covers it. */
  to_server = (dport == 2000)
    && ((packet->payload_packet_len == 24 && memcmp(&packet->payload[0], keypadmsg_8_bytes, 8) == 0)
        || ((packet->payload_packet_len == 64) && memcmp(&packet->payload[0], pattern_8_bytes, 8) == 0));

  from_server = !to_server && (sport == 2000)
    && ((packet->payload_packet_len == 28 && memcmp(&packet->payload[0], selectmsg_8_bytes, 8) == 0)
        || (packet->payload_packet_len == 44 && memcmp(&packet->payload[0], pattern_9_bytes, 9) == 0));

  if(to_server || from_server) {
    NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "found skinny.\n");
    ndpi_int_skinny_add_connection(ndpi_struct, flow);
  }
}
/*
 * rsync detection over TCP.
 *
 * A 12-byte payload whose first eight bytes are the ASCII text "@RSYNCD:" is
 * labelled rsync. Other TCP payloads leave the flow undecided; non-TCP
 * packets exclude rsync.
 */
void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  /* "@RSYNCD:" */
  static const unsigned char rsync_magic[8] = { 0x40, 0x52, 0x53, 0x59, 0x4e, 0x43, 0x44, 0x3a };
  struct ndpi_packet_struct *packet = &flow->packet;
  unsigned int i;

  NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "search for RSYNC.\n");

  if(packet->tcp == NULL) {
    NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "exclude RSYNC.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RSYNC);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "calculating RSYNC over tcp.\n");

  /* Exactly 12 bytes are required, so the 8-byte comparison stays in bounds. */
  if(packet->payload_packet_len != 12)
    return;

  for(i = 0; i < sizeof(rsync_magic); i++) {
    if(packet->payload[i] != rsync_magic[i])
      return;
  }

  NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "found rsync.\n");
  ndpi_int_rsync_add_connection(ndpi_struct, flow);
}
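/*
 * Oracle detection over TCP.
 *
 * On port 1521 (either side) a payload is labelled Oracle when it starts
 * with 07 ff 00, or when it is at least 232 bytes long and starts with
 * 00|01, a non-zero byte, 00 00. Independently of the port, a 213-byte
 * payload starting with 00 d5 00 00 is also labelled Oracle. Other TCP
 * payloads leave the flow undecided; non-TCP packets exclude Oracle.
 */
void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport = 0, sport = 0;

  NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "search for ORACLE.\n");

  if(packet->tcp != NULL) {
    sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
    NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "calculating ORACLE over tcp.\n");

    /* Oracle Database 9g,10g,11g */
    if ((dport == 1521 || sport == 1521)
        /*
         * The 07 ff 00 form reads three bytes, so it now requires three;
         * previously it was evaluated for any length, including segments
         * without payload, and read past the end of the captured data.
         */
        && (((packet->payload_packet_len >= 3)
             && (packet->payload[0] == 0x07)
             && (packet->payload[1] == 0xff)
             && (packet->payload[2] == 0x00))
            || ((packet->payload_packet_len >= 232)
                && ((packet->payload[0] == 0x00) || (packet->payload[0] == 0x01))
                && (packet->payload[1] != 0x00)
                && (packet->payload[2] == 0x00)
                && (packet->payload[3] == 0x00)))) {
      NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "found oracle.\n");
      ndpi_int_oracle_add_connection(ndpi_struct, flow);
    } else if (packet->payload_packet_len == 213
               && packet->payload[0] == 0x00
               && packet->payload[1] == 0xd5
               && packet->payload[2] == 0x00
               && packet->payload[3] == 0x00) {
      NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "found oracle.\n");
      ndpi_int_oracle_add_connection(ndpi_struct, flow);
    }
  } else {
    NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "exclude ORACLE.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ORACLE);
  }
}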
/*
 * VNC detection over TCP, using the protocol-version banner.
 *
 * A banner is a 12-byte payload that starts with "RFB 003.00" and ends with
 * a line feed. The first banner stores 1 + direction in vnc_stage; a banner
 * from the opposite direction then confirms VNC. Any other packet excludes
 * VNC.
 */
void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  /* Length is checked first, so the 10-byte compare and index 11 are in bounds. */
  const int is_banner = packet->payload_packet_len == 12
    && memcmp(packet->payload, "RFB 003.00", 10) == 0
    && packet->payload[11] == 0x0a;

  if (is_banner) {
    if (flow->l4.tcp.vnc_stage == 0) {
      NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "reached vnc stage one\n");
      flow->l4.tcp.vnc_stage = 1 + packet->packet_direction;
      return;
    }

    if (flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) {
      NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "found vnc\n");
      ndpi_int_vnc_add_connection(ndpi_struct, flow);
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VNC);
}
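/*
 * Steam detection over TCP in two stages.
 *
 * Stage 0: a 4-byte payload holding a big-endian value of at most 7, sent to
 * a destination port in 27030..27040, stores 1 + direction in steam_stage.
 * Next: a 1- or 5-byte payload from the opposite direction starting with
 * 0x01 confirms Steam. Any other packet excludes Steam.
 */
static void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if (flow->l4.tcp.steam_stage == 0) {
    /*
     * The TCP header pointer is tested before the port is read, as the other
     * dissectors in this listing do; without a TCP header the packet falls
     * through to the exclusion instead of dereferencing a NULL pointer.
     */
    if (packet->tcp != NULL
        && packet->payload_packet_len == 4
        && ntohl(get_u_int32_t(packet->payload, 0)) <= 0x07
        && ntohs(packet->tcp->dest) >= 27030 && ntohs(packet->tcp->dest) <= 27040) {
      flow->l4.tcp.steam_stage = 1 + packet->packet_direction;
      NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "steam stage 1\n");
      return;
    }
  } else if (flow->l4.tcp.steam_stage == 2 - packet->packet_direction) {
    if ((packet->payload_packet_len == 1 || packet->payload_packet_len == 5)
        && packet->payload[0] == 0x01) {
      ndpi_int_steam_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "steam detected\n");
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "steam excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEAM);
}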
/*
 * Guild Wars detection over TCP.
 *
 * Three fixed signatures are recognised, keyed by exact payload length
 * (64, 16 and 21 bytes). A payload that matches none of them excludes
 * Guild Wars.
 */
void ndpi_search_guildwars_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "search guildwars.\n");

  /* The exact length selects the signature and bounds every offset it reads. */
  switch (packet->payload_packet_len) {
  case 64:
    if (get_u_int16_t(packet->payload, 1) == ntohs(0x050c)
        && memcmp(&packet->payload[50], "@2&P", 4) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "GuildWars version 29.350: found.\n");
      ndpi_int_guildwars_add_connection(ndpi_struct, flow);
      return;
    }
    break;

  case 16:
    if (get_u_int16_t(packet->payload, 1) == ntohs(0x040c)
        && get_u_int16_t(packet->payload, 4) == ntohs(0xa672)
        && packet->payload[8] == 0x01 && packet->payload[12] == 0x04) {
      NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "GuildWars version 29.350: found.\n");
      ndpi_int_guildwars_add_connection(ndpi_struct, flow);
      return;
    }
    break;

  case 21:
    if (get_u_int16_t(packet->payload, 0) == ntohs(0x0100)
        && get_u_int32_t(packet->payload, 5) == ntohl(0xf1001000)
        && packet->payload[9] == 0x01) {
      NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "GuildWars version 216.107.245.50: found.\n");
      ndpi_int_guildwars_add_connection(ndpi_struct, flow);
      return;
    }
    break;

  default:
    break;
  }

  NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "exclude guildwars.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GUILDWARS);
}
/*
 * AYIYA detection for UDP flows that are still unclassified.
 *
 * Ayiya is udp based, port 5072. A packet on that port with more than 44
 * payload bytes ends the search: it is labelled AYIYA when the epoch field
 * of the header lies between five years before and one day after the
 * packet's tick timestamp. UDP packets on other ports, or too short, exclude
 * AYIYA.
 *
 * NOTE(review): the window arithmetic is unsigned, so "now - five_years"
 * wraps when the timestamp is smaller than five years' worth of seconds;
 * confirm the unit and range of tick_timestamp.
 * NOTE(review): assumes struct ayiya fits in the 45 bytes guaranteed by the
 * length test; confirm against its definition.
 */
void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if(!packet->udp || (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN))
    return;

  if((packet->udp->source == htons(5072) || packet->udp->dest == htons(5072))
     /* check for ayiya new packet */
     && (packet->payload_packet_len > 44)) {
    const struct ayiya *hdr = (const struct ayiya *)packet->payload;
    const u_int32_t epoch = ntohl(hdr->epoch);
    const u_int32_t now = flow->packet.tick_timestamp;
    const u_int32_t five_years = 86400 * 365 * 5;
    const u_int32_t one_day = 86400;

    if((epoch >= (now - five_years)) && (epoch <= (now + one_day)))
      ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_AYIYA, NDPI_REAL_PROTOCOL);

    return;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AYIYA);
}
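/*
 * Return 1 when the needle_len bytes at needle occur somewhere inside the
 * first data_len bytes of data, 0 otherwise. Every comparison lies entirely
 * inside the data_len bytes.
 */
static int ndpi_justin_payload_contains(const void *data, u_int16_t data_len,
                                        const char *needle, u_int16_t needle_len)
{
  const unsigned char *bytes = (const unsigned char *)data;
  u_int32_t pos;

  if(needle_len == 0 || needle_len > data_len)
    return 0;

  for(pos = 0; pos + needle_len <= data_len; pos++) {
    if(memcmp(&bytes[pos], needle, needle_len) == 0)
      return 1;
  }

  return 0;
}

/*
 * Justin.tv / Twitch detection.
 *
 * TCP: an HTTP GET or POST whose Host header is exactly "www.twitch.tv"
 * labels the flow and sets a process-wide flag; while that flag is set, any
 * TCP packet on port 1935 is labelled as well.
 * Any packet: the payload is searched for "twitch.tv" and then for
 * "justin.tv/". A packet that matches nothing excludes the protocol.
 *
 * NOTE(review): "flag" is a function-level static, so it is shared by every
 * flow handled by the process and is never cleared: after a single
 * www.twitch.tv request, all later port-1935 TCP traffic from any host is
 * labelled Twitch, and concurrent callers access it without synchronisation.
 * Left as is because a fix needs per-host state; confirm the intent.
 */
void ndpi_search_justin_twitch(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  static u_int16_t flag=0;
  u_int16_t dport=0,sport=0;

  if(packet->tcp!=NULL){
    sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);

    if((sport==1935||dport==1935)&&flag==1){
      ndpi_int_justin_add_connection(ndpi_struct, flow);
      return ;
    }

    if((packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /")
        && memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)
       || (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /")
           && memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0)){
      ndpi_parse_packet_line_info(ndpi_struct, flow);

      if(packet->host_line.ptr!=NULL
         && packet->host_line.len==NDPI_STATICSTRING_LEN("www.twitch.tv")
         && memcmp(packet->host_line.ptr,"www.twitch.tv",NDPI_STATICSTRING_LEN("www.twitch.tv"))==0){
        flow->l4.tcp.justin_twitch_stage=1;
        flag=1;
        ndpi_int_justin_add_connection(ndpi_struct, flow);
        return ;
      }
    }
  }

  /*
   * The earlier scan compared 8 to 12 bytes starting at every offset up to
   * the last payload byte, which read past the end of the captured packet.
   * The bounded search keeps every comparison inside the payload.
   * "twitch.tv" also covers "api.twitch.tv", which contains it.
   */
  if(ndpi_justin_payload_contains(packet->payload, packet->payload_packet_len,
                                  "twitch.tv", NDPI_STATICSTRING_LEN("twitch.tv"))){
    NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "twitch detected.\n");
    ndpi_int_justin_add_connection(ndpi_struct, flow);
    return ;
  }

  if(ndpi_justin_payload_contains(packet->payload, packet->payload_packet_len,
                                  "justin.tv/", NDPI_STATICSTRING_LEN("justin.tv/"))){
    NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "justin detected.\n");
    ndpi_int_justin_add_connection(ndpi_struct, flow);
    return ;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_JUSTIN_TWITCH);
}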
/*
 * MySQL detection over TCP, aimed at the server's startup packet.
 *
 * The packet must be longer than 37 bytes, carry a length prefix equal to
 * the payload size minus four, sequence number 0 and a version string that
 * starts with a digit 1..6 followed by a dot. The first zero byte from
 * offset 7 onwards is then located and the filler bytes at fixed distances
 * from it must all be zero. Anything else excludes MySQL.
 */
static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->payload_packet_len > 37	/* min length */
      && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4	/* first 3 bytes are length */
      && get_u_int8_t(packet->payload, 2) == 0x00	/* 3rd byte of packet length */
      && get_u_int8_t(packet->payload, 3) == 0x00	/* packet sequence number is 0 for startup packet */
      && get_u_int8_t(packet->payload, 5) > 0x30	/* server version > 0 */
      && get_u_int8_t(packet->payload, 5) < 0x37	/* server version < 7 */
      && get_u_int8_t(packet->payload, 6) == 0x2e	/* dot */
      ) {
    u_int32_t a = 7;

    /* Advance to the first zero byte; a + 31 stays a valid index throughout. */
    while (a + 31 < packet->payload_packet_len && packet->payload[a] != 0x00) {
      a++;
    }

    if (a + 31 < packet->payload_packet_len) {
      /* Only the first zero byte is examined, whatever the outcome. */
      if (get_u_int8_t(packet->payload, a + 13) == 0x00	/* filler byte */
          && get_u_int64_t(packet->payload, a + 19) == 0x0ULL	/* 13 more */
          && get_u_int32_t(packet->payload, a + 27) == 0x0	/* filler bytes */
          && get_u_int8_t(packet->payload, a + 31) == 0x0) {
        NDPI_LOG(NDPI_PROTOCOL_MYSQL, ndpi_struct, NDPI_LOG_DEBUG, "MySQL detected.\n");
        ndpi_int_mysql_add_connection(ndpi_struct, flow);
        return;
      }
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MYSQL);
}
/*
 * XDMCP detection.
 *
 * TCP: destination port 6000..6005 and a 48-byte payload with the fixed
 * bytes tested below.
 * UDP: destination port 177, at least 6 payload bytes, a big-endian length
 * field at offset 4 equal to the payload size minus six, and the 16-bit
 * values 0x0001 and 0x0002 at offsets 0 and 2.
 * Anything else excludes XDMCP.
 */
static void ndpi_search_xdmcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "search xdmcp.\n");

  if (packet->tcp != NULL) {
    const u_int16_t tcp_dport = ntohs(packet->tcp->dest);

    if ((tcp_dport >= 6000 && tcp_dport <= 6005)
        && packet->payload_packet_len == 48
        && packet->payload[0] == 0x6c && packet->payload[1] == 0x00
        && ntohs(get_u_int16_t(packet->payload, 6)) == 0x1200
        && ntohs(get_u_int16_t(packet->payload, 8)) == 0x1000) {
      NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over tcp.\n");
      ndpi_int_xdmcp_add_connection(ndpi_struct, flow);
      return;
    }
  }

  /* The ">= 6" test precedes every read of the 6-byte header. */
  if (packet->udp != NULL && ntohs(packet->udp->dest) == 177
      && packet->payload_packet_len >= 6
      && packet->payload_packet_len == 6 + ntohs(get_u_int16_t(packet->payload, 4))
      && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0001
      && ntohs(get_u_int16_t(packet->payload, 2)) == 0x0002) {
    NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over udp.\n");
    ndpi_int_xdmcp_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude xdmcp.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XDMCP);
}
/*
 * Telnet detection over TCP; this detection also works asymmetrically.
 *
 * Each packet for which search_iac() returns 1 raises telnet_stage; such a
 * packet seen while the stage is already 2 confirms Telnet. Packets without
 * a hit are tolerated for the first 5 packets of the flow, or the first 11
 * when at least one hit was seen; after that Telnet is excluded.
 */
void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  int keep_waiting;

  NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "search telnet.\n");

  if (search_iac(ndpi_struct, flow) == 1) {
    if (flow->l4.tcp.telnet_stage == 2) {
      NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet identified.\n");
      ndpi_int_telnet_add_connection(ndpi_struct, flow);
      return;
    }

    flow->l4.tcp.telnet_stage++;
    NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet stage %u.\n", flow->l4.tcp.telnet_stage);
    return;
  }

  keep_waiting = (flow->packet_counter < 6)
    || (flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0);

  if (!keep_waiting) {
    NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet excluded.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELNET);
  }
}
/*
 * STUN detection for one packet.
 *
 * On TCP the payload is first tried as a framed message: a 16-bit big-endian
 * length prefix that must equal payload length minus 2, followed by at least
 * 20 bytes handed to ndpi_int_check_stun(). Whatever the transport, the whole
 * payload is then handed to ndpi_int_check_stun() unframed. If neither attempt
 * returns NDPI_IS_STUN, the protocol is excluded for this flow.
 *
 * NOTE(review): the unframed attempt applies no minimum-length check here, so
 * ndpi_int_check_stun() must validate the length it is given before reading
 * header fields. Confirm against its definition.
 */
void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "search stun.\n");

  /* STUN may be encapsulated in TCP packets */
  if (packet->tcp && packet->payload_packet_len >= 2 + 20) {
    /* TODO there could be several STUN packets in a single TCP packet so maybe the detection could be
     * improved by checking only the STUN packet of given length */
    if (ntohs(get_u_int16_t(packet->payload, 0)) + 2 == packet->payload_packet_len
        && ndpi_int_check_stun(ndpi_struct, packet->payload + 2, packet->payload_packet_len - 2) == NDPI_IS_STUN) {
      NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found TCP stun.\n");
      ndpi_int_stun_add_connection(ndpi_struct, flow);
      return;
    }
  }

  /* Unframed attempt. It is also reached for TCP packets that failed the
   * framed check, although the log text says "UDP". */
  if (ndpi_int_check_stun(ndpi_struct, packet->payload, packet->payload_packet_len) == NDPI_IS_STUN) {
    NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n");
    ndpi_int_stun_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "exclude stun.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STUN);
}
/*
 * Single-packet signature for World of Kung Fu.
 *
 * The flow is classified when the payload is exactly 16 bytes long and, after
 * byte-order conversion, reads 0x0c000000 at offset 0, 0xd2000c00 at offset 4,
 * has byte 9 equal to 0x16, and has zero 16-bit fields at offsets 10 and 14.
 * Any other packet excludes the protocol for the flow. The transport (TCP or
 * UDP) is not checked in this function.
 */
void ndpi_search_world_of_kung_fu(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  int signature_matches;

  NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "search world_of_kung_fu.\n");

  /* The length test is first in the chain, so no payload byte is read unless
   * all 16 bytes are present. */
  signature_matches = (packet->payload_packet_len == 16)
    && ntohl(get_u_int32_t(packet->payload, 0)) == 0x0c000000
    && ntohl(get_u_int32_t(packet->payload, 4)) == 0xd2000c00
    && (packet->payload[9] == 0x16)
    && ntohs(get_u_int16_t(packet->payload, 10)) == 0x0000
    && ntohs(get_u_int16_t(packet->payload, 14)) == 0x0000;

  if (!signature_matches) {
    NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "exclude world_of_kung_fu.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLD_OF_KUNG_FU);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "detected world_of_kung_fu.\n");
  ndpi_int_world_of_kung_fu_add_connection(ndpi_struct, flow);
}
/*
 * NOE detection, UDP only.
 *
 * A UDP packet is classified as NOE when its payload matches one of:
 *   - exactly 1 byte, equal to 0x05 or 0x04;
 *   - 5 or 12 bytes starting 07 00 xx 00, where xx is non-zero;
 *   - at least 25 bytes starting 00 06 62 6c.
 * A packet that is not UDP excludes the protocol for the flow.
 *
 * NOTE(review): a UDP packet that matches none of the patterns is neither
 * classified nor excluded, so the flow stays a NOE candidate. Confirm that
 * this is intended.
 */
void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  int one_byte_form;
  int short_form;
  int long_form;

  NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "search for NOE.\n");

  if (packet->udp == NULL) {
    NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "exclude NOE.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NOE);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n");

  /* Each pattern tests the payload length before it reads payload bytes. */
  one_byte_form = packet->payload_packet_len == 1
    && (packet->payload[0] == 0x05 || packet->payload[0] == 0x04);

  short_form = !one_byte_form
    && (packet->payload_packet_len == 5 || packet->payload_packet_len == 12)
    && packet->payload[0] == 0x07
    && packet->payload[1] == 0x00
    && packet->payload[2] != 0x00
    && packet->payload[3] == 0x00;

  long_form = !one_byte_form && !short_form
    && packet->payload_packet_len >= 25
    && packet->payload[0] == 0x00
    && packet->payload[1] == 0x06
    && packet->payload[2] == 0x62
    && packet->payload[3] == 0x6c;

  if (one_byte_form || short_form || long_form) {
    NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n");
    ndpi_int_noe_add_connection(ndpi_struct, flow);
  }
}
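/*
 * TeamSpeak detection for one packet.
 *
 * UDP: classified when either port is 9987 or 8767 and the payload is at
 *      least 20 bytes long. No payload bytes are inspected, so this is a
 *      port-and-length heuristic: any UDP traffic of that size on those ports
 *      is labelled TeamSpeak.
 * TCP: with a payload of at least 20 bytes, classified when the first four
 *      bytes are f4 be 03 00, f4 be 02 00 or f4 be 01 00. With a shorter
 *      payload, classified by port alone (14534 or 51234 on either side).
 *
 * Fix: every detection branch now returns right after
 * ndpi_int_teamspeak_add_connection(). Previously control fell through to the
 * end of the function, which logged "TEAMSPEAK excluded." and added the
 * protocol to the excluded bitmask for a flow that had just been classified.
 *
 * NOTE(review): usport/udport/tsport/tdport are not declared in this function.
 * They are presumably file-scope variables. If so, they are shared between
 * flows and are not safe under concurrent use. Confirm, and prefer locals.
 */
void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->udp != NULL) {
    usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest);

    /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */
    if (((usport == 9987 || udport == 9987) || (usport == 8767 || udport == 8767))
        && packet->payload_packet_len >= 20) {
      NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "found TEAMSPEAK udp.\n");
      ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
      return; /* classified: do not fall through to the exclusion below */
    }
  } else if (packet->tcp != NULL) {
    tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest);

    /* https://github.com/Youx/soliloque-server/wiki/Connection-packet */
    if (packet->payload_packet_len >= 20) {
      /* The length check above guarantees the 4 compared bytes are present. */
      if ((memcmp(packet->payload, "\xf4\xbe\x03\x00", 4) == 0)
          || (memcmp(packet->payload, "\xf4\xbe\x02\x00", 4) == 0)
          || (memcmp(packet->payload, "\xf4\xbe\x01\x00", 4) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "found TEAMSPEAK tcp.\n");
        ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
        return; /* classified: do not fall through to the exclusion below */
      }
    /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */
    } else if ((tsport == 14534 || tdport == 14534) || (tsport == 51234 || tdport == 51234)) {
      /* Reached only for payloads shorter than 20 bytes, because this else
       * pairs with the length check. NOTE(review): confirm the port match was
       * not meant to apply to every TCP packet. */
      NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "found TEAMSPEAK.\n");
      ndpi_int_teamspeak_add_connection(ndpi_struct, flow);
      return; /* classified: do not fall through to the exclusion below */
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "TEAMSPEAK excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TEAMSPEAK);
}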