示例#1
0
static void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int8_t i;

  NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "search icecast.\n");

  if ((packet->payload_packet_len < 500 &&
       packet->payload_packet_len >= 7 && ndpi_mem_cmp(packet->payload, "SOURCE ", 7) == 0)
      || flow->l4.tcp.icecast_stage) {
    ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_unix_lines);
    for (i = 0; i < packet->parsed_unix_lines; i++) {
      if (packet->unix_line[i].ptr != NULL && packet->unix_line[i].len > 4
	  && ndpi_mem_cmp(packet->unix_line[i].ptr, "ice-", 4) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n");
	ndpi_int_icecast_add_connection(ndpi_struct, flow);
	return;
      }
    }

    if (packet->parsed_unix_lines < 1 && !flow->l4.tcp.icecast_stage) {
      flow->l4.tcp.icecast_stage = 1;
      return;
    }
  }
#ifdef NDPI_PROTOCOL_HTTP
  if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) {
    goto icecast_exclude;
  }
#endif

  if (packet->packet_direction == flow->setup_packet_direction && flow->packet_counter < 10) {
    return;
  }

  if (packet->packet_direction != flow->setup_packet_direction) {
    /* server answer, now test Server for Icecast */

    ndpi_parse_packet_line_info(ndpi_struct, flow);

    if (packet->server_line.ptr != NULL && packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast") &&
	memcmp(packet->server_line.ptr, "Icecast", NDPI_STATICSTRING_LEN("Icecast")) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n");
      /* TODO maybe store the previous protocol type as subtype?
       *      e.g. ogg or mpeg
       */
      ndpi_int_icecast_add_connection(ndpi_struct, flow);
      return;
    }
  }

 icecast_exclude:
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ICECAST);
  NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast excluded.\n");
}
示例#2
0
static u_int8_t is_special_aimini_host(struct ndpi_int_one_line_struct host_line)
{
	if (host_line.ptr != NULL && host_line.len >= NDPI_STATICSTRING_LEN("X.X.X.X.aimini.net")) {
		if ((get_u_int32_t(host_line.ptr, 0) & htonl(0x00ff00ff)) == htonl(0x002e002e) &&
			(get_u_int32_t(host_line.ptr, 4) & htonl(0x00ff00ff)) == htonl(0x002e002e) &&
			memcmp(&host_line.ptr[8], "aimini.net", NDPI_STATICSTRING_LEN("aimini.net")) == 0) {
			return 1;
		}
	}
	return 0;
}
void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
	struct ndpi_packet_struct *packet = &flow->packet;
	
//      struct ndpi_id_struct         *src=ndpi_struct->src;
//      struct ndpi_id_struct         *dst=ndpi_struct->dst;

	if ((packet->payload_packet_len == 14
		 && get_u_int16_t(packet->payload, 0) == 0xffff && memcmp(&packet->payload[2], "getInfo", 7) == 0)
		|| (packet->payload_packet_len == 17
			&& get_u_int16_t(packet->payload, 0) == 0xffff && memcmp(&packet->payload[2], "challenge", 9) == 0)
		|| (packet->payload_packet_len > 20
			&& packet->payload_packet_len < 30
			&& get_u_int16_t(packet->payload, 0) == 0xffff && memcmp(&packet->payload[2], "getServers", 10) == 0)) {
		NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake IV detected.\n");
		ndpi_int_quake_add_connection(ndpi_struct, flow);
		return;
	}

	/* Quake III/Quake Live */
	if (packet->payload_packet_len == 15 && get_u_int32_t(packet->payload, 0) == 0xffffffff
		&& memcmp(&packet->payload[4], "getinfo", NDPI_STATICSTRING_LEN("getinfo")) == 0) {
		NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake III Arena/Quake Live detected.\n");
		ndpi_int_quake_add_connection(ndpi_struct, flow);
		return;
	}
	if (packet->payload_packet_len == 16 && get_u_int32_t(packet->payload, 0) == 0xffffffff
		&& memcmp(&packet->payload[4], "getchallenge", NDPI_STATICSTRING_LEN("getchallenge")) == 0) {
		NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake III Arena/Quake Live detected.\n");
		ndpi_int_quake_add_connection(ndpi_struct, flow);
		return;
	}
	if (packet->payload_packet_len > 20 && packet->payload_packet_len < 30
		&& get_u_int32_t(packet->payload, 0) == 0xffffffff
		&& memcmp(&packet->payload[4], "getservers", NDPI_STATICSTRING_LEN("getservers")) == 0) {
		NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake III Arena/Quake Live detected.\n");
		ndpi_int_quake_add_connection(ndpi_struct, flow);
		return;
	}



	/* ports for startup packet:
	   Quake I        26000 (starts with 0x8000)
	   Quake II       27910
	   Quake III      27960 (increases with each player)
	   Quake IV       27650
	   Quake World    27500
	   Quake Wars     ?????
	 */

	NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake excluded.\n");
	NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QUAKE);
}
示例#4
0
static u_int8_t ndpi_int_find_xmsn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if (packet->parsed_lines > 3) {
    u_int16_t i;
    for (i = 2; i < packet->parsed_lines; i++) {
      if (packet->line[i].ptr != NULL && packet->line[i].len > NDPI_STATICSTRING_LEN("X-MSN") &&
	  memcmp(packet->line[i].ptr, "X-MSN", NDPI_STATICSTRING_LEN("X-MSN")) == 0) {
	return 1;
      }
    }
  }
  return 0;
}
示例#5
0
void ndpi_search_justin_twitch(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
	struct ndpi_packet_struct *packet = &flow->packet;
	register u_int16_t ii;
	static u_int16_t flag=0;
	u_int16_t dport=0,sport=0;
	if(packet->tcp!=NULL){
	
		sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
		if((sport==1935||dport==1935)&&flag==1){
			
			ndpi_int_justin_add_connection(ndpi_struct, flow);

			return ;
		}
		if ((packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /") &&
		memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)||
		(packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /") &&
		memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0)){
			
			ndpi_parse_packet_line_info(ndpi_struct, flow);
			if(packet->host_line.ptr!=NULL&&packet->host_line.len== NDPI_STATICSTRING_LEN("www.twitch.tv")&&
			memcmp(packet->host_line.ptr,"www.twitch.tv",NDPI_STATICSTRING_LEN("www.twitch.tv"))==0){
				 flow->l4.tcp.justin_twitch_stage=1;
				 flag=1;
				ndpi_int_justin_add_connection(ndpi_struct, flow);
				
				return ;
			}
		}
   
	}
	for(ii=0;ii<packet->payload_packet_len;	++ii){
		if(packet->payload[ii]=='a'){
			if(memcmp(&packet->payload[ii + 1], "pi.twitch.tv",12)==0){
				NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "twitch  detected.\n");
				ndpi_int_justin_add_connection(ndpi_struct, flow);
				return ;
			}
		}
		if(packet->payload[ii]=='t'){
			if(memcmp(&packet->payload[ii + 1], "witch.tv", 8)==0){
				NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "twitch  detected.\n");
				ndpi_int_justin_add_connection(ndpi_struct, flow);
				return	;								
			}								
		}
	}
	
	for (ii = 0;  ii < packet->payload_packet_len ; ++ii){
		if(packet->payload[ii]=='j'){
			if (memcmp(&packet->payload[ii + 1], "ustin.tv/", 9)==0){
				NDPI_LOG(NDPI_PROTOCOL_JUSTIN_TWITCH, ndpi_struct, NDPI_LOG_DEBUG, "justin  detected.\n");
				ndpi_int_justin_add_connection(ndpi_struct, flow);
				return ;
			}
		}
	}
	NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_JUSTIN_TWITCH);
}
void ndpi_search_meebo(struct ndpi_detection_module_struct
		       *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
	

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;


  NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "search meebo.\n");

  /* catch audio/video flows which are flash (rtmp) */
  if (
#ifdef NDPI_CONTENT_FLASH
      packet->detected_protocol_stack[0] == NDPI_CONTENT_FLASH
#else
      (packet->tcp->source == htons(1935) || packet->tcp->dest == htons(1935))
#endif
      ) {

    /* TODO: once we have an amf decoder we can more directly access the rtmp fields
     *       if so, we may also exclude earlier */
    if (packet->payload_packet_len > 900) {
      if (memcmp(packet->payload + 116, "tokbox/", NDPI_STATICSTRING_LEN("tokbox/")) == 0 ||
	  memcmp(packet->payload + 316, "tokbox/", NDPI_STATICSTRING_LEN("tokbox/")) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "found meebo/tokbox flash flow.\n");
	ndpi_int_meebo_add_connection(ndpi_struct, flow);
	return;
      }
    }

    if (flow->packet_counter < 16 && flow->packet_direction_counter[flow->setup_packet_direction] < 6) {
      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet.\n");
      return;
    }

    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "exclude meebo.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MEEBO);
    return;
  }

  if ((
#ifdef	NDPI_PROTOCOL_HTTP
       packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
       ((packet->payload_packet_len > 3 && memcmp(packet->payload, "GET ", 4) == 0)
	|| (packet->payload_packet_len > 4 && memcmp(packet->payload, "POST ", 5) == 0))
       ) && flow->packet_counter == 1) {
    u_int8_t host_or_referer_match = 0;

    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->host_line.ptr != NULL
	&& packet->host_line.len >= 9
	&& memcmp(&packet->host_line.ptr[packet->host_line.len - 9], "meebo.com", 9) == 0) {

      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found Meebo host\n");
      host_or_referer_match = 1;
    } else if (packet->host_line.ptr != NULL
	       && packet->host_line.len >= 10
	       && memcmp(&packet->host_line.ptr[packet->host_line.len - 10], "tokbox.com", 10) == 0) {

      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found tokbox host\n");
      /* set it to 2 to avoid having plain tokbox traffic detected as meebo */
      host_or_referer_match = 2;
    } else if (packet->host_line.ptr != NULL && packet->host_line.len >= NDPI_STATICSTRING_LEN("74.114.28.110")
	       && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("74.114.28.110")],
			 "74.114.28.110", NDPI_STATICSTRING_LEN("74.114.28.110")) == 0) {

      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found meebo IP\n");
      host_or_referer_match = 1;
    } else if (packet->referer_line.ptr != NULL &&
	       packet->referer_line.len >= NDPI_STATICSTRING_LEN("http://www.meebo.com/") &&
	       memcmp(packet->referer_line.ptr, "http://www.meebo.com/",
		      NDPI_STATICSTRING_LEN("http://www.meebo.com/")) == 0) {

      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found meebo referer\n");
      host_or_referer_match = 1;
    } else if (packet->referer_line.ptr != NULL &&
	       packet->referer_line.len >= NDPI_STATICSTRING_LEN("http://mee.tokbox.com/") &&
	       memcmp(packet->referer_line.ptr, "http://mee.tokbox.com/",
		      NDPI_STATICSTRING_LEN("http://mee.tokbox.com/")) == 0) {

      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found tokbox referer\n");
      host_or_referer_match = 1;
    } else if (packet->referer_line.ptr != NULL &&
	       packet->referer_line.len >= NDPI_STATICSTRING_LEN("http://74.114.28.110/") &&
	       memcmp(packet->referer_line.ptr, "http://74.114.28.110/",
		      NDPI_STATICSTRING_LEN("http://74.114.28.110/")) == 0) {

      NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "Found meebo IP referer\n");
      host_or_referer_match = 1;
    }

    if (host_or_referer_match) {
      if (host_or_referer_match == 1) {
	NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG,
		 "Found Meebo traffic based on host/referer\n");
	ndpi_int_meebo_add_connection(ndpi_struct, flow);
	return;
      }
    }
  }

  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_MEEBO) {
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG,
	     "in case that ssl meebo has been detected return.\n");
    return;
  }

  if (flow->packet_counter < 5 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
      && NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "ssl not yet excluded. need next packet.\n");
    return;
  }
#ifdef NDPI_CONTENT_FLASH
  if (flow->packet_counter < 5 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN &&
      !NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_CONTENT_FLASH)) {
    NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "flash not yet excluded. need next packet.\n");
    return;
  }
#endif

  NDPI_LOG(NDPI_PROTOCOL_MEEBO, ndpi_struct, NDPI_LOG_DEBUG, "exclude meebo.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MEEBO);
}
示例#7
0
文件: ftp.c 项目: aming2007/nDPI
static u_int8_t search_ftp(struct ndpi_detection_module_struct *ndpi_struct,
			   struct ndpi_flow_struct *flow)
{

	struct ndpi_packet_struct *packet = &flow->packet;

	u_int8_t current_ftp_code = 0;

	//      struct ndpi_id_struct         *src=ndpi_struct->src;
	//      struct ndpi_id_struct         *dst=ndpi_struct->dst;

	/* initiate client direction flag */
	if (flow->packet_counter == 1) {
		if (flow->l4.tcp.seen_syn) {
			flow->l4.tcp.ftp_client_direction =
			    flow->setup_packet_direction;
		} else {
			/* no syn flag seen so guess */
			if (packet->payload_packet_len > 0) {
				if (packet->payload[0] >= '0'
				    && packet->payload[0] <= '9') {
					/* maybe server side */
					flow->l4.tcp.ftp_client_direction =
					    1 - packet->packet_direction;
				} else {
					flow->l4.tcp.ftp_client_direction =
					    packet->packet_direction;
				}
			}
		}
	}

	if (packet->packet_direction == flow->l4.tcp.ftp_client_direction) {
		if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("USER ")
		    &&
		    (memcmp
		     (packet->payload, "USER ",
		      NDPI_STATICSTRING_LEN("USER ")) == 0
		     || memcmp(packet->payload, "user ",
			       NDPI_STATICSTRING_LEN("user ")) == 0)) {

			NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG,
				 "FTP: found USER command\n");
			flow->l4.tcp.ftp_codes_seen |= FTP_USER_CMD;
			current_ftp_code = FTP_USER_CMD;
		} else if (packet->payload_packet_len >=
			   NDPI_STATICSTRING_LEN("FEAT")
			   &&
			   (memcmp
			    (packet->payload, "FEAT",
			     NDPI_STATICSTRING_LEN("FEAT")) == 0
			    || memcmp(packet->payload, "feat",
				      NDPI_STATICSTRING_LEN("feat")) == 0)) {

			NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG,
				 "FTP: found FEAT command\n");
			flow->l4.tcp.ftp_codes_seen |= FTP_FEAT_CMD;
			current_ftp_code = FTP_FEAT_CMD;
		} else if (!ndpi_int_check_possible_ftp_command(packet)) {
			return 0;
		}
	} else {
		if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("220 ")
		    &&
		    (memcmp
		     (packet->payload, "220 ",
		      NDPI_STATICSTRING_LEN("220 ")) == 0
		     || memcmp(packet->payload, "220-",
			       NDPI_STATICSTRING_LEN("220-")) == 0)) {

			NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG,
				 "FTP: found 220 reply code\n");
			flow->l4.tcp.ftp_codes_seen |= FTP_220_CODE;
			current_ftp_code = FTP_220_CODE;
		} else if (packet->payload_packet_len >
			   NDPI_STATICSTRING_LEN("331 ")
			   &&
			   (memcmp
			    (packet->payload, "331 ",
			     NDPI_STATICSTRING_LEN("331 ")) == 0
			    || memcmp(packet->payload, "331-",
				      NDPI_STATICSTRING_LEN("331-")) == 0)) {

			NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG,
				 "FTP: found 331 reply code\n");
			flow->l4.tcp.ftp_codes_seen |= FTP_331_CODE;
			current_ftp_code = FTP_331_CODE;
		} else if (packet->payload_packet_len >
			   NDPI_STATICSTRING_LEN("211 ")
			   &&
			   (memcmp
			    (packet->payload, "211 ",
			     NDPI_STATICSTRING_LEN("211 ")) == 0
			    || memcmp(packet->payload, "211-",
				      NDPI_STATICSTRING_LEN("211-")) == 0)) {

			NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG,
				 "FTP: found 211reply code\n");
			flow->l4.tcp.ftp_codes_seen |= FTP_211_CODE;
			current_ftp_code = FTP_211_CODE;
		} else if (!ndpi_int_check_possible_ftp_reply(packet)) {
			if ((flow->l4.tcp.ftp_codes_seen & FTP_CODES) == 0 ||
			    (!ndpi_int_check_possible_ftp_continuation_reply
			     (packet))) {
				return 0;
			}
		}
	}

	if ((flow->l4.tcp.ftp_codes_seen & FTP_COMMANDS) != 0
	    && (flow->l4.tcp.ftp_codes_seen & FTP_CODES) != 0) {

		NDPI_LOG(NDPI_PROTOCOL_FTP, ndpi_struct, NDPI_LOG_DEBUG,
			 "FTP detected\n");
		ndpi_int_ftp_add_connection(ndpi_struct, flow);
		return 1;
	}

	/* if no valid code has been seen for the first packets reject */
	if (flow->l4.tcp.ftp_codes_seen == 0 && flow->packet_counter > 3)
		return 0;

	/* otherwise wait more packets, wait more for traffic on known ftp port */
	if ((packet->packet_direction == flow->setup_packet_direction
	     && packet->tcp && packet->tcp->dest == htons(21))
	    || (packet->packet_direction != flow->setup_packet_direction
		&& packet->tcp && packet->tcp->source == htons(21))) {
		/* flow to known ftp port */

		/* wait much longer if this was a 220 code, initial messages might be long */
		if (current_ftp_code == FTP_220_CODE) {
			if (flow->packet_counter > 40)
				return 0;
		} else {
			if (flow->packet_counter > 20)
				return 0;
		}
	} else {
		/* wait much longer if this was a 220 code, initial messages might be long */
		if (current_ftp_code == FTP_220_CODE) {
			if (flow->packet_counter > 20)
				return 0;
		} else {
			if (flow->packet_counter > 10)
				return 0;
		}
	}

	return 2;
}
示例#8
0
static void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
	struct ndpi_packet_struct *packet = &flow->packet;
	//    struct ndpi_id_struct         *src=ndpi_struct->src;
	//    struct ndpi_id_struct         *dst=ndpi_struct->dst;


	NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "search aimini.\n");

	if (packet->udp != NULL) {
		if (flow->l4.udp.aimini_stage == 0) {
			if (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) {
				flow->l4.udp.aimini_stage = 1;
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 1.\n");
				return;
			}
			if (packet->payload_packet_len == 136
				&& (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) {
				flow->l4.udp.aimini_stage = 4;
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 4.\n");
				return;
			}
			if (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) {
				flow->l4.udp.aimini_stage = 7;
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 7.\n");
				return;
			}
			if (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) {
				flow->l4.udp.aimini_stage = 10;
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 10.\n");
				return;
			}
			if (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) {
				flow->l4.udp.aimini_stage = 13;
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 13.\n");
				return;
			}
			if (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) {
				flow->l4.udp.aimini_stage = 16;
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 16.\n");
				return;
			}
		}
		/* first packet chronology: (len, value): (64, 0x010b), (>100, 0x0115), (16, 0x010c || 64, 0x010b || 88, 0x0115),
		 * (16, 0x010c || 64, 0x010b || >100, 0x0115)
		 */
		if (flow->l4.udp.aimini_stage == 1 && packet->payload_packet_len > 100
			&& ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115) {
			flow->l4.udp.aimini_stage = 2;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 2.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 2 &&
			((packet->payload_packet_len == 16 && get_u_int16_t(packet->payload, 0) == htons(0x010c)) ||
			 (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 0) == htons(0x010b)) ||
			 (packet->payload_packet_len == 88 && get_u_int16_t(packet->payload, 0) == ntohs(0x0115)))) {
			flow->l4.udp.aimini_stage = 3;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 3.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 3
			&& ((packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)
				|| (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b)
				|| (packet->payload_packet_len > 100 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115))) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "found aimini (64, 0x010b), (>300, 0x0115), "
					"(16, 0x010c || 64, 0x010b), (16, 0x010c || 64, 0x010b || >100, 0x0115).\n");
			ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
			return;
		}

		/* second packet chronology: (len, value): (136, 0x01c9), (136, 0x01c9),(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca) */

		if (flow->l4.udp.aimini_stage == 4 && packet->payload_packet_len == 136
			&& (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) {
			flow->l4.udp.aimini_stage = 5;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 5.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 5 && (packet->payload_packet_len == 136
											   && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9
												   || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165))) {
			flow->l4.udp.aimini_stage = 6;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 6.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 6 && ((packet->payload_packet_len == 136
												&& ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)
													|| ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9))
											   || (packet->payload_packet_len == 32
												   && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
					"found aimini (136, 0x01c9), (136, 0x01c9)," "(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca).\n");
			ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
			return;
		}

		/* third packet chronology: (len, value): (88, 0x0101), (88, 0x0101),(88, 0x0101),(88, 0x0101) */

		if (flow->l4.udp.aimini_stage == 7 && packet->payload_packet_len == 88
			&& ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) {
			flow->l4.udp.aimini_stage = 8;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 8.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 8
			&& (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) {
			flow->l4.udp.aimini_stage = 9;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 9.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 9
			&& (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
					"found aimini (88, 0x0101), (88, 0x0101)," "(88, 0x0101),(88, 0x0101).\n");
			ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
			return;
		}

		/* fourth packet chronology: (len, value): (104, 0x0102), (104, 0x0102), (104, 0x0102), (104, 0x0102) */

		if (flow->l4.udp.aimini_stage == 10 && packet->payload_packet_len == 104
			&& ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) {
			flow->l4.udp.aimini_stage = 11;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 11.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 11
			&& (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102)) {
			flow->l4.udp.aimini_stage = 12;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 12.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 12
			&& ((packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102)
				|| (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
					"found aimini (104, 0x0102), (104, 0x0102), " "(104, 0x0102), (104, 0x0102).\n");
			ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
			return;
		}

		/* fifth packet chronology (len, value): (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166) || (32,0x01ca)) */

		if (flow->l4.udp.aimini_stage == 13 && packet->payload_packet_len == 32
			&& ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) {
			flow->l4.udp.aimini_stage = 14;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 14.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 14
			&& ((packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca)
				|| (packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166))) {
			flow->l4.udp.aimini_stage = 15;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 15.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 15
			&& ((packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166)
				|| (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
					"found aimini (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166)||(32,0x01ca)).\n");
			ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
			return;
		}

		/* sixth packet chronology (len, value): (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c) */

		if (flow->l4.udp.aimini_stage == 16 && packet->payload_packet_len == 16
			&& ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) {
			flow->l4.udp.aimini_stage = 17;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 17.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 17
			&& (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) {
			flow->l4.udp.aimini_stage = 18;
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 18.\n");
			return;
		}
		if (flow->l4.udp.aimini_stage == 18
			&& (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
					"found aimini (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c).\n");
			ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
			return;
		}
	} else if (packet->tcp != NULL) {
		if ((packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /player/") &&
			 (memcmp(packet->payload, "GET /player/", NDPI_STATICSTRING_LEN("GET /player/")) == 0)) ||
			(packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /play/?fid=") &&
			 (memcmp(packet->payload, "GET /play/?fid=", NDPI_STATICSTRING_LEN("GET /play/?fid=")) == 0))) {
			NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
			ndpi_parse_packet_line_info(ndpi_struct, flow);
			if (packet->host_line.ptr != NULL && packet->host_line.len > 11
				&& (memcmp(&packet->host_line.ptr[packet->host_line.len - 11], ".aimini.net", 11) == 0)) {
				NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "AIMINI HTTP traffic detected.\n");
				ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
				return;
			}
		}
		if (packet->payload_packet_len > 100) {
			if (memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0) {
				if (memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /")], "play/",
						   NDPI_STATICSTRING_LEN("play/")) == 0 ||
					memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /")], "download/",
						   NDPI_STATICSTRING_LEN("download/")) == 0) {
					ndpi_parse_packet_line_info(ndpi_struct, flow);
					if (is_special_aimini_host(packet->host_line) == 1) {
						NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
								"AIMINI HTTP traffic detected.\n");
						ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
						return;
					}
				}
			} else if (memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0) {
				if (memcmp(&packet->payload[NDPI_STATICSTRING_LEN("POST /")], "upload/",
						   NDPI_STATICSTRING_LEN("upload/")) == 0) {
					ndpi_parse_packet_line_info(ndpi_struct, flow);
					if (is_special_aimini_host(packet->host_line) == 1) {
						NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG,
								"AIMINI HTTP traffic detected.\n");
						ndpi_int_aimini_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
						return;
					}
				}
			}
		}
	}

	NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "exclude aimini.\n");
	NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AIMINI);

}
示例#9
0
文件: jabber.c 项目: houcy/nDPI-1
void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;

  u_int16_t x;

  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_TRACE, "JABBER detection....\n");

  /* search for jabber file transfer */
  /* this part is working asymmetrically */
  if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) {
    NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "check jabber syn\n");
    if (src != NULL && src->jabber_file_transfer_port[0] != 0) {
      NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
	       "src jabber ft port set, ports are: %u, %u\n", ntohs(src->jabber_file_transfer_port[0]),
	       ntohs(src->jabber_file_transfer_port[1]));
      if (((u_int32_t)
	   (packet->tick_timestamp - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
	NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
		 NDPI_LOG_DEBUG, "JABBER src stun timeout %u %u\n", src->jabber_stun_or_ft_ts,
		 packet->tick_timestamp);
	src->jabber_file_transfer_port[0] = 0;
	src->jabber_file_transfer_port[1] = 0;
      } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest
		 || src->jabber_file_transfer_port[0] == packet->tcp->source
		 || src->jabber_file_transfer_port[1] == packet->tcp->dest
		 || src->jabber_file_transfer_port[1] == packet->tcp->source) {
	NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
		 "found jabber file transfer.\n");

	ndpi_int_jabber_add_connection(ndpi_struct, flow,
				       NDPI_PROTOCOL_UNENCRYPED_JABBER);
      }
    }
    if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) {
      NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
	       "dst jabber ft port set, ports are: %u, %u\n", ntohs(dst->jabber_file_transfer_port[0]),
	       ntohs(dst->jabber_file_transfer_port[1]));
      if (((u_int32_t)
	   (packet->tick_timestamp - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) {
	NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
		 NDPI_LOG_DEBUG, "JABBER dst stun timeout %u %u\n", dst->jabber_stun_or_ft_ts,
		 packet->tick_timestamp);
	dst->jabber_file_transfer_port[0] = 0;
	dst->jabber_file_transfer_port[1] = 0;
      } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest
		 || dst->jabber_file_transfer_port[0] == packet->tcp->source
		 || dst->jabber_file_transfer_port[1] == packet->tcp->dest
		 || dst->jabber_file_transfer_port[1] == packet->tcp->source) {
	NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
		 "found jabber file transfer.\n");

	ndpi_int_jabber_add_connection(ndpi_struct, flow,
				       NDPI_PROTOCOL_UNENCRYPED_JABBER);
      }
    }
    return;
  }

  if (packet->tcp != 0 && packet->payload_packet_len == 0) {
    return;
  }


  /* this part parses a packet and searches for port=. it works asymmetrically. */
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNENCRYPED_JABBER) {
    u_int16_t lastlen;
    u_int16_t j_port = 0;
    /* check for google jabber voip connections ... */
    /* need big packet */
    if (packet->payload_packet_len < 100) {
      NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "packet too small, return.\n");
      return;
    }
    /* need message to or type for file-transfer */
    if (memcmp(packet->payload, "<iq from=\"", 8) == 0 || memcmp(packet->payload, "<iq from=\'", 8) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER <iq from=\".\n");
      lastlen = packet->payload_packet_len - 11;
      for (x = 10; x < lastlen; x++) {
	if (packet->payload[x] == 'p') {
	  if (memcmp(&packet->payload[x], "port=", 5) == 0) {
	    NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "port=\n");
	    if (src != NULL) {
	      src->jabber_stun_or_ft_ts = packet->tick_timestamp;
	    }

	    if (dst != NULL) {
	      dst->jabber_stun_or_ft_ts = packet->tick_timestamp;
	    }
	    x += 6;
	    j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
	    NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
		     NDPI_LOG_DEBUG, "JABBER port : %u\n", ntohs(j_port));
	    if (src != NULL) {
	      if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) {
		NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
			 NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[0] = j_port = %u;\n",
			 ntohs(j_port));
		src->jabber_file_transfer_port[0] = j_port;
	      } else {
		NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
			 NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
			 ntohs(j_port));
		src->jabber_file_transfer_port[1] = j_port;
	      }
	    }
	    if (dst != NULL) {
	      if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) {
		NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
			 NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[0] = j_port = %u;\n",
			 ntohs(j_port));
		dst->jabber_file_transfer_port[0] = j_port;
	      } else {
		NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
			 NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
			 ntohs(j_port));
		dst->jabber_file_transfer_port[1] = j_port;
	      }
	    }
	  }


	}
      }

    } else if (memcmp(packet->payload, "<iq to=\"", 8) == 0 || memcmp(packet->payload, "<iq to=\'", 8) == 0
	       || memcmp(packet->payload, "<iq type=", 9) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER <iq to=\"/type=\"\n");
      lastlen = packet->payload_packet_len - 21;
      for (x = 8; x < lastlen; x++) {
	/* invalid character */
	if (packet->payload[x] < 32 || packet->payload[x] > 127) {
	  return;
	}
	if (packet->payload[x] == '@') {
	  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER @\n");
	  break;
	}
      }
      if (x >= lastlen) {
	return;
      }

      lastlen = packet->payload_packet_len - 10;
      for (; x < lastlen; x++) {
	if (packet->payload[x] == 'p') {
	  if (memcmp(&packet->payload[x], "port=", 5) == 0) {
	    NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "port=\n");
	    if (src != NULL) {
	      src->jabber_stun_or_ft_ts = packet->tick_timestamp;
	    }

	    if (dst != NULL) {
	      dst->jabber_stun_or_ft_ts = packet->tick_timestamp;
	    }

	    x += 6;
	    j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x);
	    NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
		     NDPI_LOG_DEBUG, "JABBER port : %u\n", ntohs(j_port));

	    if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
	      if (packet->payload[5] == 'o') {
		src->jabber_voice_stun_port[src->jabber_voice_stun_used_ports++]
		  = j_port;
	      } else {
		if (src->jabber_file_transfer_port[0] == 0
		    || src->jabber_file_transfer_port[0] == j_port) {
		  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
			   "src->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port));
		  src->jabber_file_transfer_port[0] = j_port;
		} else {
		  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
			   NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[1] = j_port = %u;\n",
			   ntohs(j_port));
		  src->jabber_file_transfer_port[1] = j_port;
		}
	      }
	    }

	    if (dst != NULL && dst->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) {
	      if (packet->payload[5] == 'o') {
		dst->jabber_voice_stun_port[dst->jabber_voice_stun_used_ports++]
		  = j_port;
	      } else {
		if (dst->jabber_file_transfer_port[0] == 0
		    || dst->jabber_file_transfer_port[0] == j_port) {
		  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_DEBUG,
			   "dst->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port));
		  dst->jabber_file_transfer_port[0] = j_port;
		} else {
		  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
			   NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[1] = j_port = %u;\n",
			   ntohs(j_port));
		  dst->jabber_file_transfer_port[1] = j_port;
		}
	      }
	    }
	    return;
	  }
	}
      }
    }
    return;
  }


  /* search for jabber here */
  /* this part is working asymmetrically */
  if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "<?xml version=", 14) == 0)
      || (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("<stream:stream ")
	  && memcmp(packet->payload, "<stream:stream ", NDPI_STATICSTRING_LEN("<stream:stream ")) == 0)) {
    int start = packet->payload_packet_len-13;

    if(ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream='http://etherx.jabber.org/streams'", start)
       || ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream=\"http://etherx.jabber.org/streams\"", start)) {
  
      /* Protocol family */
      ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPED_JABBER);

      /* search for subprotocols */
      check_content_type_and_change_protocol(ndpi_struct, flow, 13);
      return;
    }
  }
  
  if (flow->packet_counter < 3) {
    NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct,
	     NDPI_LOG_DEBUG, "packet_counter: %u\n", flow->packet_counter);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_UNENCRYPED_JABBER, ndpi_struct, NDPI_LOG_TRACE, "JABBER Excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UNENCRYPED_JABBER);

#ifdef NDPI_PROTOCOL_TRUPHONE
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TRUPHONE);
#endif
}
示例#10
0
static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct
					  *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
	
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  if (packet->payload_packet_len >= 10 && packet->payload[0] == 0x2a) {

    /* if is a oscar connection, 10 bytes long */

    /* OSCAR Connection :: Connection detected at initial packets only
     * +----+----+------+------+---------------+
     * |0x2a|Code|SeqNum|PktLen|ProtcolVersion |
     * +----+----+------+------+---------------+
     * Code 1 Byte : 0x01 Oscar Connection
     * SeqNum and PktLen are 2 Bytes each and ProtcolVersion: 0x00000001
     * */
    if (get_u_int8_t(packet->payload, 1) == 0x01 && get_u_int16_t(packet->payload, 4) == htons(packet->payload_packet_len - 6)
	&& get_u_int32_t(packet->payload, 6) == htonl(0x0000000001)) {
      NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Connection FOUND \n");
      ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }

    /* OSCAR IM
     * +----+----+------+------+----------+-----------+
     * |0x2a|Code|SeqNum|PktLen|FNACfamily|FNACsubtype|
     * +----+----+------+------+----------+-----------+
     * Code 1 Byte : 0x02 SNAC Header Code;
     * SeqNum and PktLen are 2 Bytes each
     * FNACfamily   2 Byte : 0x0004 IM Messaging
     * FNACEsubtype 2 Byte : 0x0006 IM Outgoing Message, 0x000c IM Message Acknowledgment
     * */
    if (packet->payload[1] == 0x02
	&& ntohs(get_u_int16_t(packet->payload, 4)) >=
	packet->payload_packet_len - 6 && get_u_int16_t(packet->payload, 6) == htons(0x0004)
	&& (get_u_int16_t(packet->payload, 8) == htons(0x0006)
	    || get_u_int16_t(packet->payload, 8) == htons(0x000c))) {
      NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR IM Detected \n");
      ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
  }


  /* detect http connections */
  if (packet->payload_packet_len >= 18) {
    if ((packet->payload[0] == 'P') && (memcmp(packet->payload, "POST /photo/upload", 18) == 0)) {
      NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
      if (packet->host_line.len >= 18 && packet->host_line.ptr != NULL) {
	if (memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) {
	  NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG,
		   "OSCAR over HTTP found, POST method\n");
	  ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
    }
  }
  if (packet->payload_packet_len > 40) {
    if ((packet->payload[0] == 'G') && (memcmp(packet->payload, "GET /", 5) == 0)) {
      if ((memcmp(&packet->payload[5], "aim/fetchEvents?aimsid=", 23) == 0) ||
	  (memcmp(&packet->payload[5], "aim/startSession?", 17) == 0) ||
	  (memcmp(&packet->payload[5], "aim/gromit/aim_express", 22) == 0) ||
	  (memcmp(&packet->payload[5], "b/ss/aolwpaim", 13) == 0) ||
	  (memcmp(&packet->payload[5], "hss/storage/aimtmpshare", 23) == 0)) {
	NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR over HTTP found, GET /aim/\n");
	ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }

      if ((memcmp(&packet->payload[5], "aim", 3) == 0) || (memcmp(&packet->payload[5], "im", 2) == 0)) {
	NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
	if (packet->user_agent_line.len > 15 && packet->user_agent_line.ptr != NULL &&
	    ((memcmp(packet->user_agent_line.ptr, "mobileAIM/", 10) == 0) ||
	     (memcmp(packet->user_agent_line.ptr, "ICQ/", 4) == 0) ||
	     (memcmp(packet->user_agent_line.ptr, "mobileICQ/", 10) == 0) ||
	     (memcmp(packet->user_agent_line.ptr, "AIM%20Free/", NDPI_STATICSTRING_LEN("AIM%20Free/")) == 0) ||
	     (memcmp(packet->user_agent_line.ptr, "AIM/", 4) == 0))) {
	  NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR over HTTP found\n");
	  ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
      NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet);
      if (packet->referer_line.ptr != NULL && packet->referer_line.len >= 22) {

	if (memcmp(&packet->referer_line.ptr[packet->referer_line.len - NDPI_STATICSTRING_LEN("WidgetMain.swf")],
		   "WidgetMain.swf", NDPI_STATICSTRING_LEN("WidgetMain.swf")) == 0) {
	  u_int16_t i;
	  for (i = 0; i < (packet->referer_line.len - 22); i++) {
	    if (packet->referer_line.ptr[i] == 'a') {
	      if (memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) {
		NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG,
			 "OSCAR over HTTP found : aim/gromit/aim_express\n");
		ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
		return;
	      }
	    }
	  }
	}
      }
    }
    if (memcmp(packet->payload, "CONNECT ", 8) == 0) {
      if (memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR ICQ-HTTP FOUND\n");
	ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
      if (memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR AIM-HTTP FOUND\n");
	ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }

    }
  }

  if (packet->payload_packet_len > 43
      && memcmp(packet->payload, "GET http://http.proxy.icq.com/hello HTTP/1.", 43) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR ICQ-HTTP PROXY FOUND\n");
    ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
    return;
  }

  if (packet->payload_packet_len > 46
      && memcmp(packet->payload, "GET http://aimhttp.oscar.aol.com/hello HTTP/1.", 46) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR AIM-HTTP PROXY FOUND\n");
    ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
    return;
  }

  if (packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) {
    NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "Maybe OSCAR Picturetransfer\n");
    return;
  }

  if (packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == htonl(0x05000001) &&
      get_u_int32_t(packet->payload, 4) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "Maybe OSCAR Picturetransfer\n");
    return;
  }

  if (packet->payload_packet_len >= 70 &&
      memcmp(&packet->payload[packet->payload_packet_len - 26],
	     "\x67\x00\x65\x00\x74\x00\x43\x00\x61\x00\x74\x00\x61\x00\x6c\x00\x6f\x00\x67", 19) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR PICTURE TRANSFER\n");
    ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    return;
  }

  if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_OSCAR) != 0) {

    if (flow->packet_counter == 1
	&&
	((packet->payload_packet_len == 9
	  && memcmp(packet->payload, "\x00\x09\x00\x00\x83\x01\xc0\x00\x00", 9) == 0)
	 || (packet->payload_packet_len == 13
	     && (memcmp(packet->payload, "\x00\x0d\x00\x87\x01\xc0", 6) == 0
		 || memcmp(packet->payload, "\x00\x0d\x00\x87\x01\xc1", 6) == 0)))) {
      flow->oscar_video_voice = 1;
    }
    if (flow->oscar_video_voice && ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len
	&& packet->payload[2] == 0x00 && packet->payload[3] == 0x00) {
    }

    if (packet->payload_packet_len >= 70 && ntohs(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len) {
      if (memcmp(packet->payload, "OFT", 3) == 0 &&
	  ((packet->payload[3] == '3' && ((memcmp(&packet->payload[4], "\x01\x00\x01\x01", 4) == 0)
					  || (memcmp(&packet->payload[6], "\x01\x01\x00", 3) == 0)))
	   || (packet->payload[3] == '2' && ((memcmp(&packet->payload[6], "\x01\x01", 2)
					      == 0)
					     )))) {
	// FILE TRANSFER PATTERN:: OFT3 or OFT2
	NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR FILE TRANSFER\n");
	ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	return;
      }

      if (memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) {
	//PICTURE TRANSFER PATTERN EXMAPLE::
	//4f 44 43 32 00 4c 00 01 00 06 00 00 00 00 00 00  ODC2.L..........
	NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR PICTURE TRANSFER\n");
	ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	return;
      }
    }
    if (packet->payload_packet_len > 40 && (memcmp(&packet->payload[2], "\x04\x4a\x00", 3) == 0)
	&& (memcmp(&packet->payload[6], "\x00\x00", 2) == 0)
	&& packet->payload[packet->payload_packet_len - 15] == 'F'
	&& packet->payload[packet->payload_packet_len - 12] == 'L'
	&& (memcmp(&packet->payload[packet->payload_packet_len - 6], "DEST", 4) == 0)
	&& (memcmp(&packet->payload[packet->payload_packet_len - 2], "\x00\x00", 2) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR PICTURE TRANSFER\n");
      ndpi_int_oscar_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      if (ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) {
	flow->oscar_ssl_voice_stage = 1;
      }
      return;

    }
  }
  if (flow->packet_counter < 3 && packet->payload_packet_len > 11 && (memcmp(packet->payload, "\x00\x37\x04\x4a", 4)
								      || memcmp(packet->payload, "\x00\x0a\x04\x4a",
										4))) {
    return;
  }


  if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) {
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OSCAR);
    return;
  }
}
示例#11
0
static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
	
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;

  u_int16_t plen;
  u_int16_t status = 0;

  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "search msn tcp.\n");
#ifdef NDPI_PROTOCOL_SSL
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) {
    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn ssl ft test\n");
    if (flow->packet_counter < 10) {
    }

    if (flow->packet_counter == 7 && packet->payload_packet_len > 300) {
      if (memcmp(packet->payload + 24, "MSNSLP", 6) == 0
	  || (get_u_int32_t(packet->payload, 0) == htonl(0x30000000) && get_u_int32_t(packet->payload, 4) == 0x00000000)) {
	NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "detected MSN File Transfer, ifdef ssl.\n");
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	return;
      }
    }
    if (flow->packet_counter >= 5 && flow->packet_counter <= 10 && (get_u_int32_t(packet->payload, 0) == htonl(0x18000000)
								    && get_u_int32_t(packet->payload, 4) == 0x00000000)) {
      flow->l4.tcp.msn_ssl_ft++;
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
	       "increased msn ft ssl stage to: %u at packet nr: %u\n", flow->l4.tcp.msn_ssl_ft,
	       flow->packet_counter);
      if (flow->l4.tcp.msn_ssl_ft == 2) {
	NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		 "detected MSN File Transfer, ifdef ssl 2.\n");
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      }
      return;
    }
  }
#endif



  /* we detect the initial connection only ! */
  /* match: "VER " ..... "CVR" x 0x0d 0x0a
   * len should be small, lets say less than 100 bytes
   * x is now "0", but can be increased
   */
  /* now we have a look at the first packet only. */
  if (flow->packet_counter == 1
#ifdef NDPI_PROTOCOL_SSL
      || ((packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) && flow->packet_counter <= 3)
#endif
      ) {

    /* this part is working asymmetrically */
    if (packet->payload_packet_len > 32 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x00)
	&& (ntohl(get_u_int32_t(packet->payload, 8)) == 0x2112a442 || ntohl(get_u_int32_t(packet->payload, 4)) == 0x2112a442)
	&& ((ntohl(get_u_int32_t(packet->payload, 24)) == 0x000f0004 && ntohl(get_u_int32_t(packet->payload, 28)) == 0x72c64bc6)
	    || (ntohl(get_u_int32_t(packet->payload, 20)) == 0x000f0004
		&& ntohl(get_u_int32_t(packet->payload, 24)) == 0x72c64bc6))) {
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
	       "found MSN in packets that also contain voice.messenger.live.com.\n");

      /* TODO this is an alternative pattern for video detection */
      /*          if (packet->payload_packet_len > 100 &&
		  get_u_int16_t(packet->payload, 86) == htons(0x05dc)) { */
      if (packet->payload_packet_len > 101 && packet->payload[101] == 0x02) {
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      } else {
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      }

      return;
    }

    /* this case works asymmetrically */
    if (packet->payload_packet_len > 10 && packet->payload_packet_len < 100) {
      if (get_u_int8_t(packet->payload, packet->payload_packet_len - 2) == 0x0d
	  && get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a) {
	/* The MSNP string is used in XBOX clients. */
	if (memcmp(packet->payload, "VER ", 4) == 0) {

	  if (memcmp(&packet->payload[packet->payload_packet_len - 6], "CVR",
		     3) == 0 || memcmp(&packet->payload[packet->payload_packet_len - 8], "MSNP", 4) == 0) {
	    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		     "found MSN by pattern VER...CVR/MSNP ODOA.\n");
	    ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	    return;
	  }
	  if (memcmp(&packet->payload[4], "MSNFT", 5) == 0) {
	    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		     "found MSN FT by pattern VER MSNFT...0d0a.\n");
	    ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	    return;
	  }
	}
      }
    }

    if (
#ifdef NDPI_PROTOCOL_HTTP
	packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
	memcmp(packet->payload, "GET ", NDPI_STATICSTRING_LEN("GET ")) == 0 ||
	memcmp(packet->payload, "POST ", NDPI_STATICSTRING_LEN("POST ")) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->user_agent_line.ptr != NULL &&
	  packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Messenger/") &&
	  memcmp(packet->user_agent_line.ptr, "Messenger/", NDPI_STATICSTRING_LEN("Messenger/")) == 0) {
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
    }
#ifdef NDPI_PROTOCOL_HTTP
    /* we have to examine two http packets */
    if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) {
    }
#endif
    /* not seen this pattern in any trace */
    /* now test for http login, at least 100 a bytes packet */
    if (packet->payload_packet_len > 100) {
      if (
#ifdef NDPI_PROTOCOL_HTTP
	  packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
	  memcmp(packet->payload, "POST http://", 12) == 0) {
	/* scan packet if not already done... */
	ndpi_parse_packet_line_info(ndpi_struct, flow);

	if (packet->content_line.ptr != NULL &&
	    ((packet->content_line.len == NDPI_STATICSTRING_LEN("application/x-msn-messenger") &&
	      memcmp(packet->content_line.ptr, "application/x-msn-messenger",
		     NDPI_STATICSTRING_LEN("application/x-msn-messenger")) == 0) ||
	     (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") &&
	      memcmp(packet->content_line.ptr, "text/x-msnmsgr",
		     NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) {
	  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		   "found MSN by pattern POST http:// .... application/x-msn-messenger.\n");
	  ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
    }

    /* now test for http login that uses a gateway, at least 400 a bytes packet */
    /* for this case the asymmetric detection is asym (1) */
    if (packet->payload_packet_len > 400) {
      if ((
#ifdef NDPI_PROTOCOL_HTTP
	   packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
	   (memcmp(packet->payload, "POST ", 5) == 0))) {
	u_int16_t c;
	if (memcmp(&packet->payload[5], "http://", 7) == 0) {
	  /*
	   * We are searching for a paten "POST http://gateway.messenger.hotmail.com/gateway/gateway.dll" or
	   * "POST http://<some ip addres here like 172.0.0.0>/gateway/gateway.dll"
	   * POST http:// is 12 byte so we are searching for 13 to 70 byte for this paten.
	   */
	  for (c = 13; c < 50; c++) {
	    if (memcmp(&packet->payload[c], "/", 1) == 0) {
	      if (memcmp(&packet->payload[c], "/gateway/gateway.dll", 20) == 0) {
		NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
			 "found  pattern http://.../gateway/gateway.ddl.\n");
		status = 1;
		break;
	      }
	    }
	  }
	} else if ((memcmp(&packet->payload[5], "/gateway/gateway.dll", 20) == 0)) {
	  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		   "found  pattern http://.../gateway/gateway.ddl.\n");
	  status = 1;
	}
      }
      if (status) {
	u_int16_t a;

	ndpi_parse_packet_line_info(ndpi_struct, flow);

	if (packet->content_line.ptr != NULL
	    &&
	    ((packet->content_line.len == 23
	      && memcmp(packet->content_line.ptr, "text/xml; charset=utf-8", 23) == 0)
	     ||
	     (packet->content_line.len == 24
	      && memcmp(packet->content_line.ptr, "text/html; charset=utf-8", 24) == 0)
	     ||
	     (packet->content_line.len == 33
	      && memcmp(packet->content_line.ptr, "application/x-www-form-urlencoded", 33) == 0)
	     )) {
	  if ((src != NULL
	       && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN)
	       != 0) || (dst != NULL
			 && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask,
							     NDPI_PROTOCOL_MSN)
			 != 0)) {
	    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		     "found MSN with pattern text/xml; charset=utf-8.\n");
	    ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	    return;
	  }
	  for (a = 0; a < packet->parsed_lines; a++) {
	    if (packet->line[a].len >= 4 &&
		(memcmp(packet->line[a].ptr, "CVR ", 4) == 0
		 || memcmp(packet->line[a].ptr, "VER ",
			   4) == 0 || memcmp(packet->line[a].ptr, "ANS ", 4) == 0)) {
	      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		       "found MSN with pattern text/sml; charset0utf-8.\n");
	      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct,
		       NDPI_LOG_TRACE, "MSN xml CVS / VER / ANS found\n");
	      ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	      return;
	    }
	  }
	}
      }
    }
    /* asym (1) ; possibly occurs in symmetric cases also. */
    if (flow->packet_counter <= 10 &&
	(flow->packet_direction_counter[0] <= 2 || flow->packet_direction_counter[1] <= 2)
	&& packet->payload_packet_len > 100) {
      /* not necessary to check the length, because this has been done : >400. */
      if (
#ifdef NDPI_PROTOCOL_HTTP
	  packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
	  (memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) ||
	  (memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0)
	  ) {

	ndpi_parse_packet_line_info(ndpi_struct, flow);

	if (packet->content_line.ptr != NULL &&
	    ((packet->content_line.len == NDPI_STATICSTRING_LEN("application/x-msn-messenger") &&
	      memcmp(packet->content_line.ptr, "application/x-msn-messenger",
		     NDPI_STATICSTRING_LEN("application/x-msn-messenger")) == 0) ||
	     (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") &&
	      memcmp(packet->content_line.ptr, "text/x-msnmsgr",
		     NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) {
	  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		   "HTTP/1.0 200 OK .... application/x-msn-messenger.\n");
	  ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
	if (ndpi_int_find_xmsn(ndpi_struct, flow) == 1) {
	  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... X-MSN.\n");
	  ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
    }


    /* did not find any trace with this pattern !!!!! */
    /* now block proxy connection */
    if (packet->payload_packet_len >= 42) {
      if (memcmp(packet->payload, "CONNECT messenger.hotmail.com:1863 HTTP/1.", 42) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		 "found MSN  with pattern CONNECT messenger.hotmail.com:1863 HTTP/1..\n");
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
    }

    if (packet->payload_packet_len >= 18) {

      if (memcmp(packet->payload, "USR ", 4) == 0 || memcmp(packet->payload, "ANS ", 4) == 0) {
	/* now we must see a number */
	const u_int16_t endlen = packet->payload_packet_len - 12;
	plen = 4;
	while (1) {
	  if (packet->payload[plen] == ' ') {
	    break;
	  }
	  if (packet->payload[plen] < '0' || packet->payload[plen] > '9') {
	    goto ndpi_msn_exclude;
	  }
	  plen++;
	  if (plen >= endlen) {
	    goto ndpi_msn_exclude;
	  }
	}

	while (plen < endlen) {
	  if (ndpi_check_for_email_address(ndpi_struct, flow, plen) != 0) {
	    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found mail address\n");
	    break;
	  }
	  if (packet->payload_packet_len > plen + 1
	      && (packet->payload[plen] < 20 || packet->payload[plen] > 128)) {
	    goto ndpi_msn_exclude;
	  }
	  plen++;
	  if (plen >= endlen) {
	    goto ndpi_msn_exclude;
	  }

	}
	NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		 "found MSN  with pattern USR/ANS ...mail_address.\n");
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	return;
      }
    }
  }

  /* finished examining the first packet only. */


  /* asym (1) ; possibly occurs in symmetric cases also. */
  if (flow->packet_counter <= 10 &&
      (flow->packet_direction_counter[0] <= 2 || flow->packet_direction_counter[1] <= 2) &&
      packet->payload_packet_len > 100) {
    /* not necessary to check the length, because this has been done : >400. */
    if (
#ifdef NDPI_PROTOCOL_HTTP
	packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP ||
#endif
	(memcmp(packet->payload, "HTTP/1.0 200 OK", 15) == 0) ||
	(memcmp(packet->payload, "HTTP/1.1 200 OK", 15) == 0)
	) {

      ndpi_parse_packet_line_info(ndpi_struct, flow);

      if (packet->content_line.ptr != NULL &&
	  ((packet->content_line.len == NDPI_STATICSTRING_LEN("application/x-msn-messenger") &&
	    memcmp(packet->content_line.ptr, "application/x-msn-messenger",
		   NDPI_STATICSTRING_LEN("application/x-msn-messenger")) == 0) ||
	   (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") &&
	    memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) {
	NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE,
		 "HTTP/1.0 200 OK .... application/x-msn-messenger.\n");
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
      if (ndpi_int_find_xmsn(ndpi_struct, flow) == 1) {
	NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... X-MSN.\n");
	ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
    }
  }




  /* finished examining the secone packet only */
  /* direct user connection (file transfer,...) */

  if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0)
      || (dst != NULL
	  && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0)) {
    if (flow->packet_counter == 1 &&
	packet->payload_packet_len > 12 && memcmp(packet->payload, "recipientid=", 12) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "detected file transfer.\n");
      ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
  }

  /* MSN File Transfer of MSN 8.1 and 8.5
   * first packet with length 4 and pattern 0x04000000
   * second packet (in the same direction), with length 56 and pattern 0x00000000 from payload[16]
   * third packet (in the opposite direction to 1 & 2), with length 4 and pattern 0x30000000
   */
  if (flow->l4.tcp.msn_stage == 0) {
    /* asymmetric detection to this pattern is asym (2) */
    if ((packet->payload_packet_len == 4 || packet->payload_packet_len == 8)
	&& get_u_int32_t(packet->payload, 0) == htonl(0x04000000)) {
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "maybe first TCP MSN detected\n");

      if (packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 4) == htonl(0x666f6f00)) {
	flow->l4.tcp.msn_stage = 5 + packet->packet_direction;
	return;
      }

      flow->l4.tcp.msn_stage = 1 + packet->packet_direction;
      return;
    }
    /* asymmetric detection to this pattern is asym (2) */
  } else if (flow->l4.tcp.msn_stage == 1 + packet->packet_direction) {
    if (packet->payload_packet_len > 10 && get_u_int32_t(packet->payload, 0) == htonl(0x666f6f00)) {
      ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 1\n");
      return;
    }
    /* did not see this pattern in any trace */
    if (packet->payload_packet_len == 56 && get_u_int32_t(packet->payload, 16) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "maybe Second TCP MSN detected\n");
      flow->l4.tcp.msn_stage = 3 + packet->packet_direction;
      return;
    }


  } else if (flow->l4.tcp.msn_stage == 2 - packet->packet_direction
	     && packet->payload_packet_len == 4 && get_u_int32_t(packet->payload, 0) == htonl(0x30000000)) {
    ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 2\n");
    return;
  } else if ((flow->l4.tcp.msn_stage == 3 + packet->packet_direction)
	     || (flow->l4.tcp.msn_stage == 4 - packet->packet_direction)) {
    if (packet->payload_packet_len == 4 && get_u_int32_t(packet->payload, 0) == htonl(0x30000000)) {
      ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 2\n");
      return;
    }
  } else if (flow->l4.tcp.msn_stage == 6 - packet->packet_direction) {
    if ((packet->payload_packet_len == 4) &&
	(get_u_int32_t(packet->payload, 0) == htonl(0x10000000) || get_u_int32_t(packet->payload, 0) == htonl(0x30000000))) {
      ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n");
      return;
    }
  } else if (flow->l4.tcp.msn_stage == 5 + packet->packet_direction) {
    if ((packet->payload_packet_len == 20) && get_u_int32_t(packet->payload, 0) == htonl(0x10000000)) {
      ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n");
      return;
    }
  }
  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn 7.\n");
  if (flow->packet_counter <= MAX_PACKETS_FOR_MSN) {
    if (packet->tcp->source == htons(443)
	|| packet->tcp->dest == htons(443)) {
      if (packet->payload_packet_len > 300) {
	if (memcmp(&packet->payload[40], "INVITE MSNMSGR", 14) == 0
	    || memcmp(&packet->payload[56], "INVITE MSNMSGR", 14) == 0
	    || memcmp(&packet->payload[172], "INVITE MSNMSGR", 14) == 0) {
	  ndpi_int_msn_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);

	  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n");
	  return;
	}
      }
      return;
    }
    /* For no
       n port 443 flows exclude flow bitmask after first packet itself */
  }
  NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "exclude msn.\n");
 ndpi_msn_exclude:
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSN);
}
示例#12
0
文件: yahoo.c 项目: T-NOVA/vTC
static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
	
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;

  const struct ndpi_yahoo_header *yahoo = (struct ndpi_yahoo_header *) packet->payload;
  if (packet->payload_packet_len == 0) {
    return;
  }

  /* packet must be at least 20 bytes long */
  if (packet->payload_packet_len >= 20
      && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0 && ((packet->payload_packet_len - 20) == ntohs(yahoo->len)
						     || check_ymsg(packet->payload, packet->payload_packet_len))) {
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO FOUND\n");
    flow->yahoo_detection_finished = 2;
    if (ntohs(yahoo->service) == 24 || ntohs(yahoo->service) == 152 || ntohs(yahoo->service) == 74) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat invite  found");
      if (src != NULL) {
	src->yahoo_conf_logged_in = 1;
      }
      if (dst != NULL) {
	dst->yahoo_conf_logged_in = 1;
      }
    }
    if (ntohs(yahoo->service) == 27 || ntohs(yahoo->service) == 155 || ntohs(yahoo->service) == 160) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat logoff found");
      if (src != NULL) {
	src->yahoo_conf_logged_in = 0;
	src->yahoo_voice_conf_logged_in = 0;
      }
    }
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    return;
  } else if (flow->yahoo_detection_finished == 2 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_YAHOO) {
    return;
  } else if (packet->payload_packet_len == 4 && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0) {
    flow->l4.tcp.yahoo_sip_comm = 1;
    return;
  } else if (flow->l4.tcp.yahoo_sip_comm && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
	     && flow->packet_counter < 3) {
    return;
  }

  /* now test for http login, at least 100 a bytes packet */
  if (ndpi_struct->yahoo_detect_http_connections != 0 && packet->payload_packet_len > 100) {
    if (memcmp(packet->payload, "POST /relay?token=", 18) == 0
	|| memcmp(packet->payload, "GET /relay?token=", 17) == 0
	|| memcmp(packet->payload, "GET /?token=", 12) == 0
	|| memcmp(packet->payload, "HEAD /relay?token=", 18) == 0) {
      if ((src != NULL
	   && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO)
	   != 0) || (dst != NULL
		     && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO)
		     != 0)) {
	/* this is mostly a file transfer */
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
    }
    if (memcmp(packet->payload, "POST ", 5) == 0) {
      u_int16_t a;
      ndpi_parse_packet_line_info(ndpi_struct, flow);

      if ((packet->user_agent_line.len >= 21)
	  && (memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", 21) == 0)) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }

      if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_YAHOO)
	  && packet->parsed_lines > 5
	  && memcmp(&packet->payload[5], "/Messenger.", 11) == 0
	  && packet->line[1].len >= 17
	  && memcmp(packet->line[1].ptr, "Connection: Close",
			  17) == 0 && packet->line[2].len >= 6
	  && memcmp(packet->line[2].ptr, "Host: ", 6) == 0
	  && packet->line[3].len >= 16
	  && memcmp(packet->line[3].ptr, "Content-Length: ",
			  16) == 0 && packet->line[4].len >= 23
	  && memcmp(packet->line[4].ptr, "User-Agent: Mozilla/5.0",
			  23) == 0 && packet->line[5].len >= 23
	  && memcmp(packet->line[5].ptr, "Cache-Control: no-cache", 23) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE,
		 "YAHOO HTTP POST P2P FILETRANSFER FOUND\n");
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }

      if (packet->host_line.ptr != NULL && packet->host_line.len >= 26 &&
	  memcmp(packet->host_line.ptr, "filetransfer.msg.yahoo.com", 26) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST FILETRANSFER FOUND\n");
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
      /* now check every line */
      for (a = 0; a < packet->parsed_lines; a++) {
	if (packet->line[a].len >= 4 && memcmp(packet->line[a].ptr, "YMSG", 4) == 0) {
	  NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct,
		   NDPI_LOG_TRACE,
		   "YAHOO HTTP POST FOUND, line is: %.*s\n", packet->line[a].len, packet->line[a].ptr);
	  NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	  ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
      if (packet->parsed_lines > 8 && packet->line[8].len > 250 && packet->line[8].ptr != NULL) {
	if (memcmp(packet->line[8].ptr, "<Session ", 9) == 0) {
	  if (ndpi_check_for_YmsgCommand(packet->line[8].len, packet->line[8].ptr)) {
	    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
		     "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern  \n");
	    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	    return;
	  }
	}
      }
    }
    if (memcmp(packet->payload, "GET /Messenger.", 15) == 0) {
      if ((src != NULL
	   && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO)
	   != 0) || (dst != NULL
		     && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO)
		     != 0)) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP GET /Messenger. match\n");
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
    }

    if ((memcmp(packet->payload, "GET /", 5) == 0)) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if ((packet->user_agent_line.ptr != NULL
	   && packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("YahooMobileMessenger/")
	   && memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/",
		     NDPI_STATICSTRING_LEN("YahooMobileMessenger/")) == 0)
	  || (packet->user_agent_line.len >= 15
	      && (memcmp(packet->user_agent_line.ptr, "Y!%20Messenger/", 15) == 0))) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
      if (packet->host_line.ptr != NULL && packet->host_line.len >= NDPI_STATICSTRING_LEN("msg.yahoo.com") &&
	  memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("msg.yahoo.com")],
		 "msg.yahoo.com", NDPI_STATICSTRING_LEN("msg.yahoo.com")) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }

    }

  }
  /* found another http login command for yahoo, it is like OSCAR */
  /* detect http connections */

  if (packet->payload_packet_len > 50 && (memcmp(packet->payload, "content-length: ", 16) == 0)) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines > 2 && packet->line[1].len == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "first line is empty.\n");
      if (packet->line[2].len > 13 && memcmp(packet->line[2].ptr, "<Ymsg Command=", 14) == 0) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO web chat found\n");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	return;
      }
    }
  }

  if (packet->payload_packet_len > 38 && memcmp(packet->payload, "CONNECT scs.msg.yahoo.com:5050 HTTP/1.", 38) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO-HTTP FOUND\n");
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
    return;
  }

  if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)
      || (dst != NULL
	  && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) {
    if (packet->payload_packet_len == 6 && memcmp(packet->payload, "YAHOO!", 6) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* asymmetric detection for SNDIMG not done yet.
     * See ./Yahoo8.1-VideoCall-LAN.pcap and ./Yahoo-VideoCall-inPublicIP.pcap */


    if (packet->payload_packet_len == 8
	&& (memcmp(packet->payload, "<SNDIMG>", 8) == 0 || memcmp(packet->payload, "<REQIMG>", 8) == 0
	    || memcmp(packet->payload, "<RVWCFG>", 8) == 0 || memcmp(packet->payload, "<RUPCFG>", 8) == 0)) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE,
	       "YAHOO SNDIMG or REQIMG or RVWCFG or RUPCFG FOUND\n");
      if (src != NULL) {
	if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) {
	  src->yahoo_video_lan_dir = 0;
	} else {
	  src->yahoo_video_lan_dir = 1;
	}
	src->yahoo_video_lan_timer = packet->tick_timestamp;
      }
      if (dst != NULL) {
	if (memcmp(packet->payload, "<SNDIMG>", 8) == 0) {
	  dst->yahoo_video_lan_dir = 0;
	} else {
	  dst->yahoo_video_lan_dir = 1;
	}
	dst->yahoo_video_lan_timer = packet->tick_timestamp;

      }
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO subtype VIDEO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    if (src != NULL && packet->tcp->dest == htons(5100)
	&& ((u_int32_t)
	    (packet->tick_timestamp - src->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) {
      if (src->yahoo_video_lan_dir == 1) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED");
	return;
      }

    }
    if (dst != NULL && packet->tcp->dest == htons(5100)
	&& ((u_int32_t)
	    (packet->tick_timestamp - dst->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) {
      if (dst->yahoo_video_lan_dir == 0) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
	ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED");
	return;
      }

    }
  }

  /* detect YAHOO over HTTP proxy */
#ifdef NDPI_PROTOCOL_HTTP
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP)
#endif
    {

      if (flow->l4.tcp.yahoo_http_proxy_stage == 0) {
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
		 "YAHOO maybe HTTP proxy packet 1 => need next packet\n");
	flow->l4.tcp.yahoo_http_proxy_stage = 1 + packet->packet_direction;
	return;
      }
      if (flow->l4.tcp.yahoo_http_proxy_stage == 1 + packet->packet_direction) {
	if ((packet->payload_packet_len > 250) && (memcmp(packet->payload, "<Session ", 9) == 0)) {
	  if (ndpi_check_for_YmsgCommand(packet->payload_packet_len, packet->payload)) {
	    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
		     "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern  \n");
	    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	    return;
	  }
	}
	NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
		 "YAHOO maybe HTTP proxy still initial direction => need next packet\n");
	return;
      }
      if (flow->l4.tcp.yahoo_http_proxy_stage == 2 - packet->packet_direction) {

	ndpi_parse_packet_line_info_any(ndpi_struct, flow);

	if (packet->parsed_lines >= 9) {

	  if (packet->line[4].ptr != NULL && packet->line[4].len >= 9 &&
	      packet->line[8].ptr != NULL && packet->line[8].len >= 6 &&
	      memcmp(packet->line[4].ptr, "<Session ", 9) == 0 &&
	      memcmp(packet->line[8].ptr, "<Ymsg ", 6) == 0) {

	    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO over HTTP proxy");
	    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	    return;
	  }
	}
      }
    }
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO);
}
示例#13
0
static u_int8_t check_for_http(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: check for http.\n");

  if (packet->payload_packet_len < 50) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: Packet too small.\n");
    return 0;
  } else if (memcmp(packet->payload, "GET /appsvc/appmsg", 18) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: GET FOUND\n");
    parse_gg_foneno(ndpi_struct, flow);
    // parse packet
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines <= 1) {
      return 0;
    }
    if (packet->host_line.ptr == NULL) {
      return 0;
    }
    if (!(packet->host_line.len >= 19 && memcmp(packet->host_line.ptr, "appmsg.gadu-gadu.pl", 19) == 0)) {
      return 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG,
	     "Gadu-Gadu: Is gadugadu host FOUND %s\n", packet->host_line.ptr);

    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);

  } else if (memcmp(packet->payload, "POST /send/message/", 15) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: GET FOUND\n");

    // parse packet
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines <= 1) {
      return 0;
    }
    if (packet->host_line.ptr == NULL) {
      return 0;
    }
    if (!(packet->host_line.len >= 17 && memcmp(packet->host_line.ptr, "life.gadu-gadu.pl", 17) == 0)) {
      return 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG,
	     "Gadu-Gadu: Is gadugadu post FOUND %s\n", packet->host_line.ptr);

    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);

  } else if (memcmp(packet->payload, "GET /rotate_token", 17) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG, "Gadu-Gadu: GET FOUND\n");

    // parse packet
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines <= 1) {
      return 0;
    }
    if (packet->host_line.ptr == NULL) {
      return 0;
    }
    if (!(packet->host_line.len >= 13 && memcmp(packet->host_line.ptr, "sms.orange.pl", 13) == 0)) {
      return 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG,
	     "Gadu-Gadu:  gadugadu sms FOUND %s\n", packet->host_line.ptr);

    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);

  } else if ((memcmp(packet->payload, "GET /nowosci.xml", NDPI_STATICSTRING_LEN("GET /nowosci.xml")) == 0) ||
	     (memcmp(packet->payload, "GET /gadu-gadu.xml", NDPI_STATICSTRING_LEN("GET /gadu-gadu.xml")) == 0) ||
	     (memcmp(packet->payload, "POST /access_token", NDPI_STATICSTRING_LEN("POST /access_token")) == 0)) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->user_agent_line.ptr == NULL) {
      return 0;
    }
    if (!(packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("Gadu-Gadu Client") &&
	  memcmp(packet->user_agent_line.ptr, "Gadu-Gadu Client", NDPI_STATICSTRING_LEN("Gadu-Gadu Client")) == 0)) {
      return 0;
    }
    NDPI_LOG(NDPI_PROTOCOL_GADUGADU, ndpi_struct, NDPI_LOG_DEBUG,
	     "Gadu-Gadu:  gadugadu FOUND %s\n", packet->user_agent_line.ptr);

    ndpi_int_gadugadu_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);

  }

  return 1;

}
示例#14
0
static void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
	

  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;

  u_int16_t i;

  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) {
    if (src != NULL && ((u_int32_t)
			(packet->tick_timestamp - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) {
      src->zattoo_ts = packet->tick_timestamp;
    }
    if (dst != NULL && ((u_int32_t)
			(packet->tick_timestamp - dst->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) {
      dst->zattoo_ts = packet->tick_timestamp;
    }
    return;
  }

  if (packet->tcp != NULL) {
    if (packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct,
	       NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len > 50
	&& memcmp(packet->payload, "GET /ZattooAdRedirect/redirect.jsp?user="******"add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
    if (packet->payload_packet_len > 50
	&& (memcmp(packet->payload, "POST /channelserver/player/channel/update HTTP/1.1", 50) == 0
	    || memcmp(packet->payload, "GET /epg/query", 14) == 0)) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      for (i = 0; i < packet->parsed_lines; i++) {
	if (packet->line[i].len >= 18 && (ndpi_mem_cmp(packet->line[i].ptr, "User-Agent: Zattoo", 18) == 0)) {
	  NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct,
		   NDPI_LOG_DEBUG,
		   "add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n");
	  ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
    } else if (packet->payload_packet_len > 50
	       && (memcmp(packet->payload, "GET /", 5) == 0
		   || memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)) {
      /* TODO to avoid searching currently only a specific length and offset is used
       * that might be changed later */
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) {
	ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	return;
      }
    } else if (packet->payload_packet_len > 50 && memcmp(packet->payload, "POST http://", 12) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      // test for unique character of the zattoo header
      if (packet->parsed_lines == 4 && packet->host_line.ptr != NULL) {
	u_int32_t ip;
	u_int16_t bytes_read = 0;

	ip = ndpi_bytestream_to_ipv4(&packet->payload[12], packet->payload_packet_len, &bytes_read);

	// and now test the firt 5 bytes of the payload for zattoo pattern
	if (ip == packet->iph->daddr
	    && packet->empty_line_position_set != 0
	    && ((packet->payload_packet_len - packet->empty_line_position) > 10)
	    && packet->payload[packet->empty_line_position + 2] ==
	    0x03
	    && packet->payload[packet->empty_line_position + 3] ==
	    0x04
	    && packet->payload[packet->empty_line_position + 4] ==
	    0x00
	    && packet->payload[packet->empty_line_position + 5] ==
	    0x04
	    && packet->payload[packet->empty_line_position + 6] ==
	    0x0a && packet->payload[packet->empty_line_position + 7] == 0x00) {
	  NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct,
		   NDPI_LOG_DEBUG, "add connection over tcp with pattern POST http://\n");
	  ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
	  return;
	}
      }
    } else if (flow->zattoo_stage == 0) {

      if (packet->payload_packet_len > 50
	  && packet->payload[0] == 0x03
	  && packet->payload[1] == 0x04
	  && packet->payload[2] == 0x00
	  && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) {
	flow->zattoo_stage = 1 + packet->packet_direction;
	NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct,
		 NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n");
	return;
      }
      /* the following is is searching for flash, not for zattoo. cust1 wants to do so. */
    } else if (flow->zattoo_stage == 2 - packet->packet_direction
	       && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    } else if (flow->zattoo_stage == 1 + packet->packet_direction) {
      if (packet->payload_packet_len > 500 && packet->payload[0] == 0x00 && packet->payload[1] == 0x00) {
	flow->zattoo_stage = 3 + packet->packet_direction;
	NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct,
		 NDPI_LOG_DEBUG, "need next packet, seen pattern 0x0000\n");
	return;
      }
      if (packet->payload_packet_len > 50
	  && packet->payload[0] == 0x03
	  && packet->payload[1] == 0x04
	  && packet->payload[2] == 0x00
	  && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) {
      }
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
	       "need next packet, seen pattern 0x030400040a00\n");
      return;
    } else if (flow->zattoo_stage == 4 - packet->packet_direction
	       && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    } else if (flow->zattoo_stage == 5 + packet->packet_direction && (packet->payload_packet_len == 125)) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "detected zattoo.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    } else if (flow->zattoo_stage == 6 - packet->packet_direction && packet->payload_packet_len == 1412) {
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "found zattoo.\n");
      ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }
    NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
	     "ZATTOO: discarted the flow (TCP): packet_size: %u; Flowstage: %u\n",
	     packet->payload_packet_len, flow->zattoo_stage);

  } else if (packet->udp != NULL) {

    if (packet->payload_packet_len > 20 && (packet->udp->dest == htons(5003)
					    || packet->udp->source == htons(5003))
	&& (get_u_int16_t(packet->payload, 0) == htons(0x037a)
	    || get_u_int16_t(packet->payload, 0) == htons(0x0378)
	    || get_u_int16_t(packet->payload, 0) == htons(0x0305)
	    || get_u_int32_t(packet->payload, 0) == htonl(0x03040004)
	    || get_u_int32_t(packet->payload, 0) == htonl(0x03010005))) {
      if (++flow->zattoo_stage == 2) {
	NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over udp.\n");
	ndpi_int_zattoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
	return;
      }
      NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet udp.\n");
      return;
    }

    NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG,
	     "ZATTOO: discarded the flow (UDP): packet_size: %u; Flowstage: %u\n",
	     packet->payload_packet_len, flow->zattoo_stage);

  }

  NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "exclude zattoo.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ZATTOO);
}
示例#15
0
文件: veohtv.c 项目: aming2007/nDPI
void ndpi_search_veohtv_tcp(struct ndpi_detection_module_struct *ndpi_struct,
			    struct ndpi_flow_struct *flow)
{
	struct ndpi_packet_struct *packet = &flow->packet;

//      struct ndpi_id_struct         *src=ndpi_struct->src;
//      struct ndpi_id_struct         *dst=ndpi_struct->dst;

	if (packet->detected_protocol_stack[0] ==
	    NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV)
		return;

	if (flow->l4.tcp.veoh_tv_stage == 1 || flow->l4.tcp.veoh_tv_stage == 2) {
		if (packet->packet_direction != flow->setup_packet_direction &&
		    packet->payload_packet_len >
		    NDPI_STATICSTRING_LEN("HTTP/1.1 20")
		    && memcmp(packet->payload, "HTTP/1.1 ",
			      NDPI_STATICSTRING_LEN("HTTP/1.1 ")) == 0
		    && (packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")] ==
			'2'
			|| packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")]
			== '3'
			|| packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")]
			== '4'
			|| packet->payload[NDPI_STATICSTRING_LEN("HTTP/1.1 ")]
			== '5')) {
#ifdef NDPI_CONTENT_FLASH
			ndpi_parse_packet_line_info(ndpi_struct, flow);
			if (packet->detected_protocol_stack[0] ==
			    NDPI_CONTENT_FLASH
			    && packet->server_line.ptr != NULL
			    && packet->server_line.len >
			    NDPI_STATICSTRING_LEN("Veoh-")
			    && memcmp(packet->server_line.ptr, "Veoh-",
				      NDPI_STATICSTRING_LEN("Veoh-")) == 0) {
				NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV,
					 ndpi_struct, NDPI_LOG_DEBUG,
					 "VeohTV detected.\n");
				ndpi_int_veohtv_add_connection(ndpi_struct,
							       flow,
							       NDPI_CORRELATED_PROTOCOL);
				return;
			}
#endif
			if (flow->l4.tcp.veoh_tv_stage == 2) {
				NDPI_ADD_PROTOCOL_TO_BITMASK
				    (flow->excluded_protocol_bitmask,
				     NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV);
				return;
			}
			NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV,
				 ndpi_struct, NDPI_LOG_DEBUG,
				 "VeohTV detected.\n");
			ndpi_int_veohtv_add_connection(ndpi_struct, flow,
						       NDPI_CORRELATED_PROTOCOL);
			return;
		} else
		    if (flow->packet_direction_counter
			[(flow->setup_packet_direction == 1) ? 0 : 1] > 3) {
			if (flow->l4.tcp.veoh_tv_stage == 2) {
				NDPI_ADD_PROTOCOL_TO_BITMASK
				    (flow->excluded_protocol_bitmask,
				     NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV);
				return;
			}
			NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV,
				 ndpi_struct, NDPI_LOG_DEBUG,
				 "VeohTV detected.\n");
			ndpi_int_veohtv_add_connection(ndpi_struct, flow,
						       NDPI_CORRELATED_PROTOCOL);
			return;
		} else {
			if (flow->packet_counter > 10) {
				if (flow->l4.tcp.veoh_tv_stage == 2) {
					NDPI_ADD_PROTOCOL_TO_BITMASK
					    (flow->excluded_protocol_bitmask,
					     NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV);
					return;
				}
				NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV,
					 ndpi_struct, NDPI_LOG_DEBUG,
					 "VeohTV detected.\n");
				ndpi_int_veohtv_add_connection(ndpi_struct,
							       flow,
							       NDPI_CORRELATED_PROTOCOL);
				return;
			}
			return;
		}
	} else if (packet->udp) {
		/* UDP packets from Veoh Client Player
		 *
		 * packet starts with 16 byte random? value
		 * then a 4 byte mode value
		 *   values between 21 and 26 has been seen 
		 * then a 4 byte counter */

		if (packet->payload_packet_len == 28 &&
		    get_u_int32_t(packet->payload, 16) == htonl(0x00000021) &&
		    get_u_int32_t(packet->payload, 20) == htonl(0x00000000)
		    && get_u_int32_t(packet->payload, 24) == htonl(0x01040000)) {
			NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV,
				 ndpi_struct, NDPI_LOG_DEBUG,
				 "UDP VeohTV found.\n");
			ndpi_int_veohtv_add_connection(ndpi_struct, flow,
						       NDPI_REAL_PROTOCOL);
			return;
		}
	}

	NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask,
				     NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV);
}
示例#16
0
void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct
				 *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;

  NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Search World of Warcraft.\n");

  if (packet->tcp != NULL) {
    /*
      if ((packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /") &&
      memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0) ||
      (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /") &&
      memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0)) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->user_agent_line.ptr != NULL &&
      packet->user_agent_line.len == NDPI_STATICSTRING_LEN("Blizzard Web Client") &&
      memcmp(packet->user_agent_line.ptr, "Blizzard Web Client",
      NDPI_STATICSTRING_LEN("Blizzard Web Client")) == 0) {
      ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG,
      "World of Warcraft: Web Client found\n");
      return;
      }
      }
    */
    if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /")
	&& memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
	  && packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Blizzard Downloader")
	  && packet->host_line.len > NDPI_STATICSTRING_LEN("worldofwarcraft.com")
	  && memcmp(packet->user_agent_line.ptr, "Blizzard Downloader",
		    NDPI_STATICSTRING_LEN("Blizzard Downloader")) == 0
	  && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("worldofwarcraft.com")],
		    "worldofwarcraft.com", NDPI_STATICSTRING_LEN("worldofwarcraft.com")) == 0) {
	ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG,
		 "World of Warcraft: Web Client found\n");
	return;
      }
    }
    if (packet->payload_packet_len == 50 && memcmp(&packet->payload[2], "WORLD OF WARCRAFT CONNECTION",
						   NDPI_STATICSTRING_LEN("WORLD OF WARCRAFT CONNECTION")) == 0) {
      ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Login found\n");
      return;
    }
    if (packet->tcp->dest == htons(3724) && packet->payload_packet_len < 70
	&& packet->payload_packet_len > 40 && (memcmp(&packet->payload[4], "WoW", 3) == 0
					       || memcmp(&packet->payload[5], "WoW", 3) == 0)) {
      ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Login found\n");
      return;
    }

    if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0) {
      if (packet->tcp->source == htons(3724)
	  && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) {
	ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		 NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
	return;
      }

    }

    /* for some well known WoW ports
       check another pattern */
    if (flow->l4.tcp.wow_stage == 0) {
      if (ndpi_int_is_wow_port(packet->tcp->source) &&
	  packet->payload_packet_len >= 14 &&
	  ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2)) {
	if (get_u_int32_t(packet->payload, 2) == htonl(0xec010100)) {

	  NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		   NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n");
	  flow->l4.tcp.wow_stage = 2;
	  return;
	} else if (packet->payload_packet_len == 41 &&
		   (get_u_int16_t(packet->payload, 2) == htons(0x0085) ||
		    get_u_int16_t(packet->payload, 2) == htons(0x0034) ||
		    get_u_int16_t(packet->payload, 2) == htons(0x1960))) {
	  NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		   NDPI_LOG_DEBUG, "maybe World of Warcraft, need next\n");
	  flow->l4.tcp.wow_stage = 1;
	  return;
	}
      }
    }

    if (flow->l4.tcp.wow_stage == 1) {
      if (packet->payload_packet_len == 325 &&
	  ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2) &&
	  get_u_int16_t(packet->payload, 4) == 0 &&
	  (get_u_int16_t(packet->payload, packet->payload_packet_len - 3) == htons(0x2331) ||
	   get_u_int16_t(packet->payload, 67) == htons(0x2331)) &&
	  (memcmp
	   (&packet->payload[packet->payload_packet_len - 18],
	    "\x94\xec\xff\xfd\x67\x62\xd4\x67\xfb\xf9\xdd\xbd\xfd\x01\xc0\x8f\xf9\x81", 18) == 0
	   || memcmp(&packet->payload[packet->payload_packet_len - 30],
		     "\x94\xec\xff\xfd\x67\x62\xd4\x67\xfb\xf9\xdd\xbd\xfd\x01\xc0\x8f\xf9\x81", 18) == 0)) {
	ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		 NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
	return;
      }
      if (packet->payload_packet_len > 32 &&
	  ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2)) {
	if (get_u_int16_t(packet->payload, 4) == 0) {

	  NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		   NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n");
	  flow->l4.tcp.wow_stage = 2;
	  return;
	} else if (get_u_int32_t(packet->payload, 2) == htonl(0x12050000)) {
	  NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		   NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n");
	  flow->l4.tcp.wow_stage = 2;
	  return;
	}
      }
    }

    if (flow->l4.tcp.wow_stage == 2) {
      if (packet->payload_packet_len == 4) {
	ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		 NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
	return;
      } else if (packet->payload_packet_len > 4 && packet->payload_packet_len <= 16 && packet->payload[4] == 0x0c) {
	ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		 NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
	return;
      } else if (flow->packet_counter < 3) {
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "waiting for final packet\n");
	return;
      }
    }
    if (flow->l4.tcp.wow_stage == 0 && packet->tcp->dest == htons(1119)) {
      /* special log in port for battle.net/world of warcraft */

      if (packet->payload_packet_len >= 77 &&
	  get_u_int32_t(packet->payload, 0) == htonl(0x40000aed) && get_u_int32_t(packet->payload, 4) == htonl(0xea070aed)) {

	ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
	NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct,
		 NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n");
	return;
      }
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLDOFWARCRAFT);
}