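/*
 * Icecast dissector (TCP).
 *
 * Client side: a payload shorter than 500 bytes that starts with "SOURCE "
 * (or any packet once icecast_stage was set by a previous one) is parsed
 * with the unix line parser; a line beginning with "ice-" marks the flow as
 * Icecast. If that first packet yielded no complete line, icecast_stage is
 * set and the next packet is examined the same way.
 *
 * Server side: client-direction packets are ignored until packet_counter
 * reaches 10; a packet from the other direction is classified as Icecast
 * when its "Server:" header starts with "Icecast".
 *
 * Every other path (including a flow for which HTTP has already been
 * excluded, when the HTTP dissector is compiled in) excludes Icecast.
 */
static void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  /* 16-bit, not 8-bit: an 8-bit index would wrap (and the line loop below
   * would never terminate) should parsed_unix_lines ever exceed 255. */
  u_int16_t i;

  NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "search icecast.\n");

  /* Client request ("SOURCE ...") or its continuation after icecast_stage was set. */
  if ((packet->payload_packet_len < 500 &&
       packet->payload_packet_len >= 7 && ndpi_mem_cmp(packet->payload, "SOURCE ", 7) == 0)
      || flow->l4.tcp.icecast_stage) {
    ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
    NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_unix_lines);
    for (i = 0; i < packet->parsed_unix_lines; i++) {
      /* len > 4 guarantees the 4-byte compare stays inside the line */
      if (packet->unix_line[i].ptr != NULL && packet->unix_line[i].len > 4
          && ndpi_mem_cmp(packet->unix_line[i].ptr, "ice-", 4) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n");
        ndpi_int_icecast_add_connection(ndpi_struct, flow);
        return;
      }
    }

    /* No complete line yet: remember the "SOURCE " and look at the next packet too. */
    if (packet->parsed_unix_lines < 1 && !flow->l4.tcp.icecast_stage) {
      flow->l4.tcp.icecast_stage = 1;
      return;
    }
  }
#ifdef NDPI_PROTOCOL_HTTP
  /* HTTP already ruled out for this flow: give up on Icecast as well. */
  if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_HTTP)) {
    goto icecast_exclude;
  }
#endif

  /* Only client-direction traffic so far: wait for the server, up to 10 packets. */
  if (packet->packet_direction == flow->setup_packet_direction && flow->packet_counter < 10) {
    return;
  }

  if (packet->packet_direction != flow->setup_packet_direction) {
    /* server answer, now test Server for Icecast */

    ndpi_parse_packet_line_info(ndpi_struct, flow);

    if (packet->server_line.ptr != NULL && packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast") &&
        memcmp(packet->server_line.ptr, "Icecast", NDPI_STATICSTRING_LEN("Icecast")) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n");
      /* TODO maybe store the previous protocol type as subtype?
       *      e.g. ogg or mpeg
       */
      ndpi_int_icecast_add_connection(ndpi_struct, flow);
      return;
    }
  }

 icecast_exclude:
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ICECAST);
  NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast excluded.\n");
}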
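/*
 * IRC dissector (TCP).
 *
 * Detection paths, in the order they are tried:
 *   1. exclusion after 70 packets, or after 30 when irc_stage2 never advanced;
 *   2. on flows already classified as IRC, refresh src/dst->irc_ts while
 *      still within ndpi_struct->irc_timeout;
 *   3. DCC data connection: an endpoint recently seen on IRC and a TCP port
 *      that was recorded in its irc_port table (filled in by the
 *      detected_irc section below);
 *   4. packet 2 with a 400..1380 byte payload (presumably the TLS server
 *      certificate): scan for well-known IRC server names;
 *   5. ndpi_search_irc_ssl_detect_ninty_percent_but_very_fast();
 *   6. plaintext IRC: ':'-prefixed server lines counted in irc_3a_counter,
 *      and client commands (USER/NICK/PASS/...) advancing irc_stage;
 *   7. web-based IRC over HTTP POST: IRC traces in the request line, URL or
 *      Referer, then "interface="/"item=" form fields.
 *
 * Once the flow is IRC, the detected_irc section parses NOTICE/PRIVMSG lines
 * for DCC announcements and records the announced port on src/dst so that
 * the later data connection is matched by path 3.
 *
 * Side effects: flow->l4.tcp.irc_* state, packet->line/parsed_lines (copied
 * from the unix parser when the packet uses bare '\n'), src/dst port tables
 * and timestamps.
 */
static void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  int less;
  u_int16_t c = 0;
  u_int16_t c1 = 0;
  u_int16_t port = 0;
  u_int16_t sport = 0;
  u_int16_t dport = 0;
  u_int16_t counter = 0;
  u_int16_t i = 0;
  u_int16_t j = 0;
  u_int16_t k = 0;
  u_int16_t h;
  u_int16_t http_content_ptr_len = 0;  /* set only for a POST whose body is in this packet */
  u_int8_t space = 0;

  NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : search irc\n");
  /* Give up on undetected flows after 70 packets, or after 30 if the
   * second stage was never reached. */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 70) {
    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "exclude irc, packet_counter > 70\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
    return;
  }
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 30 &&
      flow->l4.tcp.irc_stage2 == 0) {
    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "packet_counter > 30, exclude irc.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);
    return;
  }
  /* Already IRC: keep the endpoint's IRC timestamp fresh while within irc_timeout. */
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
    if (src != NULL && ((u_int32_t)
                        (packet->tick_timestamp - src->irc_ts) < ndpi_struct->irc_timeout)) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save src connection packet detected\n");
      src->irc_ts = packet->tick_timestamp;
    } else if (dst != NULL && ((u_int32_t)
                               (packet->tick_timestamp - dst->irc_ts) < ndpi_struct->irc_timeout)) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save dst connection packet detected\n");
      dst->irc_ts = packet->tick_timestamp;
    }
  }

  /* DCC data connection: one endpoint was recently seen on IRC and this
   * flow uses a port it announced (see the port tables filled in below). */
  if ((dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
       && ((u_int32_t) (packet->tick_timestamp - dst->irc_ts)) < ndpi_struct->irc_timeout)
      || (src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_IRC)
          && ((u_int32_t) (packet->tick_timestamp - src->irc_ts)) < ndpi_struct->irc_timeout)) {
    if (packet->tcp != NULL) {
      sport = packet->tcp->source;
      dport = packet->tcp->dest;
    }
    if (dst != NULL) {
      for (counter = 0; counter < dst->irc_number_of_port; counter++) {
        if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) {
          dst->last_time_port_used[counter] = packet->tick_timestamp;
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                   "dest port matched with the DCC port and the flow is marked as IRC");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          return;
        }
      }
    }
    if (src != NULL) {
      for (counter = 0; counter < src->irc_number_of_port; counter++) {
        if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) {
          src->last_time_port_used[counter] = packet->tick_timestamp;
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                   "Source port matched with the DCC port and the flow is marked as IRC");
          return;
        }
      }
    }
  }

  /* Second packet with a 400..1380 byte payload (presumably the TLS server
   * certificate): look for well-known IRC server names. */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC
      && flow->packet_counter == 2 && (packet->payload_packet_len > 400 && packet->payload_packet_len < 1381)) {
    /* The longest pattern is 21 bytes, so stopping 23 short of the end keeps every memcmp in bounds. */
    for (c1 = 50; c1 < packet->payload_packet_len - 23; c1++) {
      if (packet->payload[c1] == 'i' || packet->payload[c1] == 'd') {
        if ((memcmp(&packet->payload[c1], "irc.hackthissite.org0", 21) == 0)
            || (memcmp(&packet->payload[c1], "irc.gamepad.ca1", 15) == 0)
            || (memcmp(&packet->payload[c1], "dungeon.axenet.org0", 19) == 0)
            || (memcmp(&packet->payload[c1], "dazed.nuggethaus.net", 20) == 0)
            || (memcmp(&packet->payload[c1], "irc.indymedia.org", 17) == 0)
            || (memcmp(&packet->payload[c1], "irc.cccp-project.net", 20) == 0)
            || (memcmp(&packet->payload[c1], "dirc.followell.net0", 19) == 0)
            || (memcmp(&packet->payload[c1], "irc.discostars.de1", 18) == 0)
            || (memcmp(&packet->payload[c1], "irc.rizon.net", 13) == 0)) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                   "IRC SSL detected with :- irc.hackthissite.org0 | irc.gamepad.ca1 | dungeon.axenet.org0 "
                   "| dazed.nuggethaus.net | irc.indymedia.org | irc.discostars.de1 ");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          break;
        }
      }
    }
  }
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC &&
      ndpi_search_irc_ssl_detect_ninty_percent_but_very_fast(ndpi_struct, flow) != 0) {
    return;
  }

  /* Plaintext IRC: line based, the packet ends in '\n' or "\n\0". */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter < 20
      && packet->payload_packet_len >= 8) {
    if (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a
        || (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0a00)) {
      /* Server messages carry a ':' prefix; the seventh such line (counted
       * across packets in irc_3a_counter) confirms IRC. */
      if (memcmp(packet->payload, ":", 1) == 0) {
        if (packet->payload[packet->payload_packet_len - 2] != 0x0d
            && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
          /* bare '\n' framing: parse with the unix parser and mirror into packet->line */
          ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
          packet->parsed_lines = packet->parsed_unix_lines;
          for (i = 0; i < packet->parsed_lines; i++) {
            packet->line[i] = packet->unix_line[i];
            packet->line[i].ptr = packet->unix_line[i].ptr;
            packet->line[i].len = packet->unix_line[i].len;
          }
        } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
          ndpi_parse_packet_line_info(ndpi_struct, flow);
        } else {
          flow->l4.tcp.irc_3a_counter++;
        }
        for (i = 0; i < packet->parsed_lines; i++) {
          if (packet->line[i].ptr[0] == ':') {
            flow->l4.tcp.irc_3a_counter++;
            if (flow->l4.tcp.irc_3a_counter == 7) {  /* ':' == 0x3a */
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc.");
              ndpi_int_irc_add_connection(ndpi_struct, flow);
              goto detected_irc;
            }
          }
        }
        if (flow->l4.tcp.irc_3a_counter == 7) {  /* ':' == 0x3a */
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc.");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          goto detected_irc;
        }
      }
      /* Client commands: each packet advances irc_stage by one step
       * (0 -> 1 -> 2); the third such packet marks the flow as IRC. */
      if ((memcmp(packet->payload, "USER ", 5) == 0)
          || (memcmp(packet->payload, "NICK ", 5) == 0)
          || (memcmp(packet->payload, "PASS ", 5) == 0)
          || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct, flow) != 0)
          || (memcmp(packet->payload, "PONG ", 5) == 0)
          || (memcmp(packet->payload, "PING ", 5) == 0)
          || (memcmp(packet->payload, "JOIN ", 5) == 0)
          || (memcmp(packet->payload, "NOTICE ", 7) == 0)
          || (memcmp(packet->payload, "PRIVMSG ", 8) == 0)
          || (memcmp(packet->payload, "VERSION ", 8) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                 "USER, NICK, PASS, NOTICE, PRIVMSG one time");
        if (flow->l4.tcp.irc_stage == 2) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found irc");
          ndpi_int_irc_add_connection(ndpi_struct, flow);
          flow->l4.tcp.irc_stage = 3;
        }
        if (flow->l4.tcp.irc_stage == 1) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "second time, stage=2");
          flow->l4.tcp.irc_stage = 2;
        }
        if (flow->l4.tcp.irc_stage == 0) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "first time, stage=1");
          flow->l4.tcp.irc_stage = 1;
        }
        /* irc packets can have either windows line breaks (0d0a) or unix line breaks (0a) */
        if (packet->payload[packet->payload_packet_len - 2] == 0x0d
            && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
          ndpi_parse_packet_line_info(ndpi_struct, flow);
          if (packet->parsed_lines > 1) {
            NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                     "packet contains more than one line");
            /* a second NICK/USER line in the same packet is decisive on its own */
            for (c = 1; c < packet->parsed_lines; c++) {
              if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0
                                              || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) {
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct,
                         NDPI_LOG_TRACE, "two icq signal words in the same packet");
                ndpi_int_irc_add_connection(ndpi_struct, flow);
                flow->l4.tcp.irc_stage = 3;
                return;
              }
            }
          }

        } else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) {
          ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
          if (packet->parsed_unix_lines > 1) {
            NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                     "packet contains more than one line");
            for (c = 1; c < packet->parsed_unix_lines; c++) {
              if (packet->unix_line[c].len > 4 && (memcmp(packet->unix_line[c].ptr, "NICK ", 5) == 0
                                                   || memcmp(packet->unix_line[c].ptr, "USER ",
                                                             5) == 0)) {
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                         "two icq signal words in the same packet");
                ndpi_int_irc_add_connection(ndpi_struct, flow);
                flow->l4.tcp.irc_stage = 3;
                return;
              }
            }
          }
        }
      }
    }
  }

  /**
   * Trying to primarily detect the HTTP Web based IRC chat patterns based on the HTTP headers
   * during the User login time.When the HTTP data gets posted using the POST method ,patterns
   * will be searched in the HTTP content.
   */
  if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 0)
      && (packet->payload_packet_len > 5)) {
    //HTTP POST Method being employed
    if (memcmp(packet->payload, "POST ", 5) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if (packet->parsed_lines) {
        /* offset of the byte after the last parsed line and its CRLF */
        u_int16_t http_header_len = (packet->line[packet->parsed_lines - 1].ptr - packet->payload) + 2;
        if (packet->payload_packet_len > http_header_len) {
          /* NOTE(review): this is the number of bytes after the headers, yet
           * below it is added to packet->payload as if it were the body
           * offset (http_header_len). Left unchanged; confirm what the line
           * parser records as the last line before touching it. */
          http_content_ptr_len = packet->payload_packet_len - http_header_len;
        }
        if ((ndpi_check_for_IRC_traces(packet->line[0].ptr, packet->line[0].len))
            || ((packet->http_url_name.ptr)
                && (ndpi_check_for_IRC_traces(packet->http_url_name.ptr, packet->http_url_name.len)))
            || ((packet->referer_line.ptr)
                && (ndpi_check_for_IRC_traces(packet->referer_line.ptr, packet->referer_line.len)))) {
          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                   "IRC detected from the Http URL/ Referer header ");
          flow->l4.tcp.irc_stage = 1;
          // HTTP POST Request body is not in the same packet.
          if (!http_content_ptr_len) {
            return;
          }
        }
      }
    }
  }

  /* Body of the web-IRC POST (this packet, or a later one when irc_stage is already 1). */
  if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 1)) {
    if ((((packet->payload_packet_len - http_content_ptr_len) > 10)
         && (memcmp(packet->payload + http_content_ptr_len, "interface=", 10) == 0)
         && (ndpi_check_for_Nickname(ndpi_struct, flow) != 0))
        || (((packet->payload_packet_len - http_content_ptr_len) > 5)
            && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0)
            && (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC Nickname, cmd,  one time");
      ndpi_int_irc_add_connection(ndpi_struct, flow);
      return;
    }
  }

 detected_irc:
  NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "detected_irc:");

  if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) {
    /* maybe this can be deleted at the end */

    /* The line-ending tests below read the last two payload bytes; with
     * fewer than two the index would point before the buffer. */
    if (packet->payload_packet_len < 2) {
      return;
    }
    if (packet->payload[packet->payload_packet_len - 2] != 0x0d
        && packet->payload[packet->payload_packet_len - 1] == 0x0a) {
      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG,
               "ndpi_parse_packet_line_info_unix(ndpi_struct, flow);");
      ndpi_parse_packet_line_info_unix(ndpi_struct, flow);
      packet->parsed_lines = packet->parsed_unix_lines;
      for (i = 0; i < packet->parsed_lines; i++) {
        packet->line[i] = packet->unix_line[i];
        packet->line[i].ptr = packet->unix_line[i].ptr;
        packet->line[i].len = packet->unix_line[i].len;
      }
    } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);
    } else {
      return;
    }
    for (i = 0; i < packet->parsed_lines; i++) {
      /* "NOTICE ... :DCC SEND/CHAT ..." is only logged. */
      if (packet->line[i].len > 6 && memcmp(packet->line[i].ptr, "NOTICE ", 7) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "NOTICE");
        /* nine bytes are compared from j + 1, so j + 9 must stay below len */
        for (j = 7; j < packet->line[i].len - 9; j++) {
          if (packet->line[i].ptr[j] == ':') {
            if (memcmp(&packet->line[i].ptr[j + 1], "DCC SEND ", 9) == 0
                || memcmp(&packet->line[i].ptr[j + 1], "DCC CHAT ", 9) == 0) {
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                       "found NOTICE and DCC CHAT or DCC SEND.");
            }
          }
        }
      }
      /* ":prefix PRIVMSG ..." - skip the prefix and jump into the PRIVMSG scan.
       * NOTE(review): the jump happens for any word starting with 'P' after
       * the first space, whether or not "RIVMSG " matched (only the log is
       * conditional); left as is. */
      if (packet->payload_packet_len > 0 && packet->payload[0] == 0x3a /* 0x3a = ':' */ ) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "3a");
        for (j = 1; j < packet->line[i].len - 9; j++) {
          if (packet->line[i].ptr[j] == ' ') {
            j++;
            if (packet->line[i].ptr[j] == 'P') {
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "P");
              j++;
              if (memcmp(&packet->line[i].ptr[j], "RIVMSG ", 7) == 0)
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "RIVMSG");
              h = j + 7;
              goto read_privmsg;
            }
          }
        }
      }
      if (packet->line[i].len > 7 && (memcmp(packet->line[i].ptr, "PRIVMSG ", 8) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "PRIVMSG	");
        h = 7;
      read_privmsg:
        /* h is the offset of the text after the command; scan it for the
         * ":DCC <kind> <file> <ip> <port>" announcement. */
        for (j = h; j < packet->line[i].len - 9; j++) {
          if (packet->line[i].ptr[j] == ':') {
            if (memcmp(&packet->line[i].ptr[j + 1], "xdcc ", 5) == 0) {
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "xdcc should match.");
            }
            j += 2;
            if (memcmp(&packet->line[i].ptr[j], "DCC ", 4) == 0) {
              /* bytes left on this line after "DCC "; the keyword compares
               * must not run past the end of the line */
              u_int16_t rem;

              j += 4;
              rem = packet->line[i].len - j;
              NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found DCC.");
              if ((rem >= 5 && memcmp(&packet->line[i].ptr[j], "SEND ", 5) == 0)
                  || (rem >= 4 && memcmp(&packet->line[i].ptr[j], "CHAT", 4) == 0)
                  || (rem >= 4 && memcmp(&packet->line[i].ptr[j], "chat", 4) == 0)
                  || (rem >= 7 && memcmp(&packet->line[i].ptr[j], "sslchat", 7) == 0)
                  || (rem >= 5 && memcmp(&packet->line[i].ptr[j], "TSEND", 5) == 0)) {
                NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                         "found CHAT,chat,sslchat,TSEND.");
                j += 4;

                /* NOTE(review): the three ">=" tests accept every byte from
                 * 0x20 upwards, which makes the alphanumeric tests before
                 * them redundant; "==" was probably intended. Left as is,
                 * since changing it alters which announcements get their
                 * port recorded. */
                while (packet->line[i].len > j &&
                       ((packet->line[i].ptr[j] >= 'a' && packet->line[i].ptr[j] <= 'z')
                        || (packet->line[i].ptr[j] >= 'A' && packet->line[i].ptr[j] <= 'Z')
                        || (packet->line[i].ptr[j] >= '0' && packet->line[i].ptr[j] <= '9')
                        || (packet->line[i].ptr[j] >= ' ')
                        || (packet->line[i].ptr[j] >= '.')
                        || (packet->line[i].ptr[j] >= '-'))) {

                  if (packet->line[i].ptr[j] == ' ') {
                    space++;
                    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "space %u.", space);
                  }
                  /* the third space separates the address from the port */
                  if (space == 3) {
                    j++;
                    NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "read port.");
                    if (src != NULL) {
                      k = j;
                      /* j indexes line[i], so bound the number parser by the
                       * bytes left on this line, not by the whole payload. */
                      port =
                        ntohs_ndpi_bytestream_to_number
                        (&packet->line[i].ptr[j], packet->line[i].len - j, &j);
                      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.",
                               port);
                      j = k;
                      /* Up to 16 announced ports are kept per endpoint; when the
                       * table is full, NDPI_IRC_FIND_LESS picks the slot to
                       * recycle (presumably the least recently used one). */
                      if (src->irc_number_of_port < 16)
                        NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE,
                                 "src->irc_number_of_port < 16.");
                      if (src->irc_number_of_port < 16 && port != 0) {
                        if (!ndpi_is_duplicate(src, port)) {
                          src->irc_port[src->irc_number_of_port]
                            = port;
                          src->irc_number_of_port++;
                          NDPI_LOG
                            (NDPI_PROTOCOL_IRC,
                             ndpi_struct,
                             NDPI_LOG_DEBUG, "found port=%d",
                             ntohs(get_u_int16_t(src->irc_port, 0)));
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG,
                                   "jjeeeeeeeeeeeeeeeeeeeeeeeee");
                        }
                        src->irc_ts = packet->tick_timestamp;
                      } else if (port != 0 && src->irc_number_of_port == 16) {
                        if (!ndpi_is_duplicate(src, port)) {
                          less = 0;
                          NDPI_IRC_FIND_LESS(src->last_time_port_used, less);
                          src->irc_port[less] = port;
                          NDPI_LOG
                            (NDPI_PROTOCOL_IRC,
                             ndpi_struct,
                             NDPI_LOG_DEBUG, "found port=%d",
                             ntohs(get_u_int16_t(src->irc_port, 0)));
                        }
                        src->irc_ts = packet->tick_timestamp;
                      }
                      if (dst == NULL) {
                        break;
                      }
                    }
                    if (dst != NULL) {
                      /* same bound as for src: bytes left on this line */
                      port = ntohs_ndpi_bytestream_to_number
                        (&packet->line[i].ptr[j], packet->line[i].len - j, &j);
                      NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.",
                               port);
                      /* Same bookkeeping as for src above.
                       * Original author's note (translated): 16 ports are stored
                       * per IRC endpoint here; could a flag on src/dst marking the
                       * port as an IRC port for a limited time do instead? */
                      if (dst->irc_number_of_port < 16 && port != 0) {
                        if (!ndpi_is_duplicate(dst, port)) {
                          dst->irc_port[dst->irc_number_of_port]
                            = port;
                          dst->irc_number_of_port++;
                          NDPI_LOG
                            (NDPI_PROTOCOL_IRC,
                             ndpi_struct,
                             NDPI_LOG_DEBUG, "found port=%d",
                             ntohs(get_u_int16_t(dst->irc_port, 0)));
                          NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG,
                                   "juuuuuuuuuuuuuuuu");
                        }
                        dst->irc_ts = packet->tick_timestamp;
                      } else if (port != 0 && dst->irc_number_of_port == 16) {
                        if (!ndpi_is_duplicate(dst, port)) {
                          less = 0;
                          NDPI_IRC_FIND_LESS(dst->last_time_port_used, less);
                          dst->irc_port[less] = port;

                          NDPI_LOG
                            (NDPI_PROTOCOL_IRC,
                             ndpi_struct,
                             NDPI_LOG_DEBUG, "found port=%d",
                             ntohs(get_u_int16_t(dst->irc_port, 0)));
                        }
                        dst->irc_ts = packet->tick_timestamp;
                      }

                      break;
                    }
                  }


                  j++;
                }

              }
            }
          }
        }

      }
    }
  }
}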
/*
 * True when either endpoint record already carries the Yahoo bit.
 * src and dst may be NULL when no endpoint record exists.
 */
static int ndpi_int_yahoo_endpoint_known(struct ndpi_id_struct *src, struct ndpi_id_struct *dst)
{
  if (src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0) {
    return 1;
  }
  if (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0) {
    return 1;
  }
  return 0;
}

/*
 * Yahoo Messenger dissector (TCP).
 *
 * Checks, in order:
 *   - native YMSG frame (20-byte header, body length matching or accepted by
 *     check_ymsg()), with conference/chat login bookkeeping on src/dst;
 *   - the bare 4-byte "YMSG" that opens a SIP-style session;
 *   - HTTP-carried traffic when yahoo_detect_http_connections is set:
 *     relay tokens, mobile User-Agents, file-transfer hosts, tunnelled YMSG
 *     lines and "<Session " bodies;
 *   - "content-length: " + empty line + "<Ymsg Command=" web chat;
 *   - CONNECT to scs.msg.yahoo.com:5050;
 *   - for endpoints already known as Yahoo: "YAHOO!", the
 *     <SNDIMG>/<REQIMG>/<RVWCFG>/<RUPCFG> video handshake and its port-5100
 *     follow-up within yahoo_lan_video_timeout;
 *   - a two-packet HTTP-proxy exchange tracked in yahoo_http_proxy_stage.
 * Reaching the end excludes Yahoo for the flow.
 */
static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  struct ndpi_id_struct *src = flow->src;
  struct ndpi_id_struct *dst = flow->dst;
  /* Overlay of the fixed YMSG header; dereferenced only after the length
   * checks below guarantee the bytes are there. */
  const struct ndpi_yahoo_header *hdr = (struct ndpi_yahoo_header *) packet->payload;

  if (packet->payload_packet_len == 0) {
    return;
  }

  /* Native YMSG frame: "YMSG" magic and a body length that either matches
   * the header field or is accepted by check_ymsg(). */
  if (packet->payload_packet_len >= 20 && memcmp(hdr->YMSG_str, "YMSG", 4) == 0
      && ((packet->payload_packet_len - 20) == ntohs(hdr->len)
          || check_ymsg(packet->payload, packet->payload_packet_len))) {
    u_int16_t service = ntohs(hdr->service);

    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO FOUND\n");
    flow->yahoo_detection_finished = 2;

    /* services 24/152/74: conference or chat invite, both endpoints logged in */
    if (service == 24 || service == 152 || service == 74) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat invite  found");
      if (src != NULL) {
        src->yahoo_conf_logged_in = 1;
      }
      if (dst != NULL) {
        dst->yahoo_conf_logged_in = 1;
      }
    }
    /* services 27/155/160: conference or chat logoff, source side only */
    if (service == 27 || service == 155 || service == 160) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat logoff found");
      if (src != NULL) {
        src->yahoo_conf_logged_in = 0;
        src->yahoo_voice_conf_logged_in = 0;
      }
    }
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
    return;
  }

  /* Already classified from a full frame: nothing further to do. */
  if (flow->yahoo_detection_finished == 2 && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_YAHOO) {
    return;
  }
  /* A bare "YMSG" opens a SIP-style session; wait for the following packets. */
  if (packet->payload_packet_len == 4 && memcmp(hdr->YMSG_str, "YMSG", 4) == 0) {
    flow->l4.tcp.yahoo_sip_comm = 1;
    return;
  }
  if (flow->l4.tcp.yahoo_sip_comm && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN
      && flow->packet_counter < 3) {
    return;
  }

  /* now test for http login, at least 100 a bytes packet */
  if (ndpi_struct->yahoo_detect_http_connections != 0 && packet->payload_packet_len > 100) {
    const u_int8_t *pl = packet->payload;

    /* relay requests from an endpoint already known as Yahoo */
    if (memcmp(pl, "POST /relay?token=", 18) == 0
        || memcmp(pl, "GET /relay?token=", 17) == 0
        || memcmp(pl, "GET /?token=", 12) == 0
        || memcmp(pl, "HEAD /relay?token=", 18) == 0) {
      if (ndpi_int_yahoo_endpoint_known(src, dst)) {
        /* this is mostly a file transfer */
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    }

    if (memcmp(pl, "POST ", 5) == 0) {
      u_int16_t line_no;

      ndpi_parse_packet_line_info(ndpi_struct, flow);

      /* mobile client announces itself in User-Agent */
      if ((packet->user_agent_line.len >= 21)
          && (memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", 21) == 0)) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }

      /* P2P file transfer: fixed header layout behind "POST /Messenger." */
      if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_YAHOO)
          && packet->parsed_lines > 5
          && memcmp(&pl[5], "/Messenger.", 11) == 0
          && packet->line[1].len >= 17
          && ndpi_mem_cmp(packet->line[1].ptr, "Connection: Close", 17) == 0
          && packet->line[2].len >= 6
          && ndpi_mem_cmp(packet->line[2].ptr, "Host: ", 6) == 0
          && packet->line[3].len >= 16
          && ndpi_mem_cmp(packet->line[3].ptr, "Content-Length: ", 16) == 0
          && packet->line[4].len >= 23
          && ndpi_mem_cmp(packet->line[4].ptr, "User-Agent: Mozilla/5.0", 23) == 0
          && packet->line[5].len >= 23
          && ndpi_mem_cmp(packet->line[5].ptr, "Cache-Control: no-cache", 23) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE,
                 "YAHOO HTTP POST P2P FILETRANSFER FOUND\n");
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }

      if (packet->host_line.ptr != NULL && packet->host_line.len >= 26 &&
          ndpi_mem_cmp(packet->host_line.ptr, "filetransfer.msg.yahoo.com", 26) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST FILETRANSFER FOUND\n");
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }

      /* now check every line: a YMSG frame tunnelled in the POST */
      for (line_no = 0; line_no < packet->parsed_lines; line_no++) {
        if (packet->line[line_no].len >= 4 && ndpi_mem_cmp(packet->line[line_no].ptr, "YMSG", 4) == 0) {
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct,
                   NDPI_LOG_TRACE,
                   "YAHOO HTTP POST FOUND, line is: %.*s\n", packet->line[line_no].len, packet->line[line_no].ptr);
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
          ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }

      /* proxied web chat: a long "<Session " line carrying a Ymsg command */
      if (packet->parsed_lines > 8 && packet->line[8].len > 250 && packet->line[8].ptr != NULL
          && memcmp(packet->line[8].ptr, "<Session ", 9) == 0
          && ndpi_check_for_YmsgCommand(packet->line[8].len, packet->line[8].ptr)) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
                 "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern  \n");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }
    }

    if (memcmp(pl, "GET /Messenger.", 15) == 0 && ndpi_int_yahoo_endpoint_known(src, dst)) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP GET /Messenger. match\n");
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
      return;
    }

    if (memcmp(pl, "GET /", 5) == 0) {
      ndpi_parse_packet_line_info(ndpi_struct, flow);

      /* mobile clients: "YahooMobileMessenger/" or "Y!%20Messenger/" User-Agent */
      if ((packet->user_agent_line.ptr != NULL
           && packet->user_agent_line.len >= NDPI_STATICSTRING_LEN("YahooMobileMessenger/")
           && memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/",
                     NDPI_STATICSTRING_LEN("YahooMobileMessenger/")) == 0)
          || (packet->user_agent_line.len >= 15
              && (memcmp(packet->user_agent_line.ptr, "Y!%20Messenger/", 15) == 0))) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
        return;
      }

      /* Host header ending in "msg.yahoo.com" */
      if (packet->host_line.ptr != NULL && packet->host_line.len >= NDPI_STATICSTRING_LEN("msg.yahoo.com")) {
        const u_int8_t *suffix =
          &packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("msg.yahoo.com")];

        if (memcmp(suffix, "msg.yahoo.com", NDPI_STATICSTRING_LEN("msg.yahoo.com")) == 0) {
          NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
          ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
          return;
        }
      }
    }
  }

  /* found another http login command for yahoo, it is like OSCAR */
  /* detect http connections */
  if (packet->payload_packet_len > 50 && (memcmp(packet->payload, "content-length: ", 16) == 0)) {
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines > 2 && packet->line[1].len == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "first line is empty.\n");
      if (packet->line[2].len > 13 && memcmp(packet->line[2].ptr, "<Ymsg Command=", 14) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO web chat found\n");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        return;
      }
    }
  }

  if (packet->payload_packet_len > 38 && memcmp(packet->payload, "CONNECT scs.msg.yahoo.com:5050 HTTP/1.", 38) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO-HTTP FOUND\n");
    NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
    ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
    return;
  }

  /* Short handshakes that are only trusted from an endpoint already known as Yahoo. */
  if (ndpi_int_yahoo_endpoint_known(src, dst)) {
    if (packet->payload_packet_len == 6 && memcmp(packet->payload, "YAHOO!", 6) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* asymmetric detection for SNDIMG not done yet.
     * See ./Yahoo8.1-VideoCall-LAN.pcap and ./Yahoo-VideoCall-inPublicIP.pcap */
    if (packet->payload_packet_len == 8
        && (memcmp(packet->payload, "<SNDIMG>", 8) == 0 || memcmp(packet->payload, "<REQIMG>", 8) == 0
            || memcmp(packet->payload, "<RVWCFG>", 8) == 0 || memcmp(packet->payload, "<RUPCFG>", 8) == 0)) {
      /* <SNDIMG> is direction 0, the other three tags direction 1 */
      int is_sndimg = (memcmp(packet->payload, "<SNDIMG>", 8) == 0);

      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE,
               "YAHOO SNDIMG or REQIMG or RVWCFG or RUPCFG FOUND\n");
      if (src != NULL) {
        src->yahoo_video_lan_dir = is_sndimg ? 0 : 1;
        src->yahoo_video_lan_timer = packet->tick_timestamp;
      }
      if (dst != NULL) {
        dst->yahoo_video_lan_dir = is_sndimg ? 0 : 1;
        dst->yahoo_video_lan_timer = packet->tick_timestamp;
      }
      NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO subtype VIDEO");
      ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
      return;
    }
    /* video data to port 5100 while the handshake above is still fresh */
    if (packet->tcp->dest == htons(5100)) {
      if (src != NULL
          && ((u_int32_t) (packet->tick_timestamp - src->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)
          && src->yahoo_video_lan_dir == 1) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED");
        return;
      }
      if (dst != NULL
          && ((u_int32_t) (packet->tick_timestamp - dst->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)
          && dst->yahoo_video_lan_dir == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO");
        ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED");
        return;
      }
    }
  }

  /* detect YAHOO over HTTP proxy */
#ifdef NDPI_PROTOCOL_HTTP
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP)
#endif
    {
      /* yahoo_http_proxy_stage stores 1 + direction of the first packet, so
       * the reply from the opposite direction is seen as 2 - direction. */
      if (flow->l4.tcp.yahoo_http_proxy_stage == 0) {
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
                 "YAHOO maybe HTTP proxy packet 1 => need next packet\n");
        flow->l4.tcp.yahoo_http_proxy_stage = 1 + packet->packet_direction;
        return;
      }
      if (flow->l4.tcp.yahoo_http_proxy_stage == 1 + packet->packet_direction) {
        if ((packet->payload_packet_len > 250) && (memcmp(packet->payload, "<Session ", 9) == 0)) {
          if (ndpi_check_for_YmsgCommand(packet->payload_packet_len, packet->payload)) {
            NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
                     "found HTTP Proxy Yahoo Chat <Ymsg Command= pattern  \n");
            ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
            return;
          }
        }
        NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG,
                 "YAHOO maybe HTTP proxy still initial direction => need next packet\n");
        return;
      }
      if (flow->l4.tcp.yahoo_http_proxy_stage == 2 - packet->packet_direction) {

        ndpi_parse_packet_line_info_unix(ndpi_struct, flow);

        /* reply layout: "<Session " on line 4 and "<Ymsg " on line 8 */
        if (packet->parsed_unix_lines >= 9) {

          if (packet->unix_line[4].ptr != NULL && packet->unix_line[4].len >= 9 &&
              packet->unix_line[8].ptr != NULL && packet->unix_line[8].len >= 6 &&
              memcmp(packet->unix_line[4].ptr, "<Session ", 9) == 0 &&
              memcmp(packet->unix_line[8].ptr, "<Ymsg ", 6) == 0) {

            NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO over HTTP proxy");
            ndpi_int_yahoo_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
            return;
          }
        }
      }
    }
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO);
}