@@ -181,7 +181,7 @@
}
// check parameters
- if (_pcap_file == NULL || strcmp(_pcap_file, "") == 0) {
+ if(_pcap_file == NULL || strcmp(_pcap_file, "") == 0) {
help(0);
}
}
@@ -240,10 +240,10 @@
byte = addr & 0xff;
*--cp = byte % 10 + '0';
byte /= 10;
- if (byte > 0) {
+ if(byte > 0) {
*--cp = byte % 10 + '0';
byte /= 10;
- if (byte > 0)
+ if(byte > 0)
*--cp = byte + '0';
}
*--cp = '.';
@@ -273,7 +273,7 @@
static void node_print_unknown_proto_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) {
struct ndpi_flow *flow = *(struct ndpi_flow**)node;
- if (flow->detected_protocol != 0 /* UNKNOWN */) return;
+ if(flow->detected_protocol != 0 /* UNKNOWN */) return;
if((which == ndpi_preorder) || (which == ndpi_leaf)) /* Avoid walking the same node multiple times */
printFlow(flow);
@@ -282,7 +282,7 @@
static void node_print_known_proto_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) {
struct ndpi_flow *flow = *(struct ndpi_flow**)node;
- if (flow->detected_protocol == 0 /* UNKNOWN */) return;
+ if(flow->detected_protocol == 0 /* UNKNOWN */) return;
if((which == ndpi_preorder) || (which == ndpi_leaf)) /* Avoid walking the same node multiple times */
printFlow(flow);
@@ -303,7 +303,7 @@
if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */
if(enable_protocol_guess) {
- if (flow->detected_protocol == 0 /* UNKNOWN */) {
+ if(flow->detected_protocol == 0 /* UNKNOWN */) {
flow->detected_protocol = ndpi_guess_undetected_protocol(ndpi_struct,
flow->protocol,
ntohl(flow->lower_ip),
@@ -311,7 +311,7 @@
ntohl(flow->upper_ip),
ntohs(flow->upper_port));
- if (flow->detected_protocol != 0)
+ if(flow->detected_protocol != 0)
guessed_flow_protocols++;
// printFlow(flow);
@@ -338,12 +338,16 @@
}
-static struct ndpi_flow *get_ndpi_flow(const struct ndpi_iphdr *iph, u_int16_t ipsize,
+static struct ndpi_flow *get_ndpi_flow(const u_int8_t version,
+ const struct ndpi_iphdr *iph,
+ u_int16_t ip_offset,
+ u_int16_t ipsize,
+ u_int16_t l4_packet_len,
struct ndpi_id_struct **src,
- struct ndpi_id_struct **dst)
+ struct ndpi_id_struct **dst,
+ u_int8_t *proto)
{
- u_int32_t idx;
- u_int16_t l4_packet_len;
+ u_int32_t idx, l4_offset;
struct ndpi_tcphdr *tcph = NULL;
struct ndpi_udphdr *udph = NULL;
u_int32_t lower_ip;
@@ -353,16 +357,16 @@
struct ndpi_flow flow;
void *ret;
- if (ipsize < 20)
- return NULL;
-
- if ((iph->ihl * 4) > ipsize || ipsize < ntohs(iph->tot_len)
- || (iph->frag_off & htons(0x1FFF)) != 0)
- return NULL;
-
- l4_packet_len = ntohs(iph->tot_len) - (iph->ihl * 4);
+ if(version == 4) {
+ if(ipsize < 20)
+ return NULL;
+
+ if((iph->ihl * 4) > ipsize || ipsize < ntohs(iph->tot_len)
+ || (iph->frag_off & htons(0x1FFF)) != 0)
+ return NULL;
+ }
- if (iph->saddr < iph->daddr) {
+ if(iph->saddr < iph->daddr) {
lower_ip = iph->saddr;
upper_ip = iph->daddr;
} else {
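Review bot: The version 4 branch of get_ndpi_flow still accepts a header whose `ihl` is below 5 or whose `tot_len` is smaller than `ihl * 4`. The commit also moves the length subtraction to the caller, where `ntohs(iph->tot_len) - (iph->ihl * 4)` in packet_processing is narrowed to `u_int16_t` and wraps to a large value for such a header. Left unrejected, the wrapped `l4_packet_len` would pass the `>= 20` and `>= 8` tests, and the ports would be read from wherever `ihl * 4` points. Because the header comes straight from a capture file, I would reject it before the existing size test with `if(iph->ihl < 5 || ntohs(iph->tot_len) < (iph->ihl * 4)) return NULL;`. The function body starts and ends outside this hunk.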
@@ -370,19 +374,21 @@
upper_ip = iph->saddr;
}
- if (iph->protocol == 6 && l4_packet_len >= 20) {
+ *proto = iph->protocol;
+ l4_offset = iph->ihl * 4;
+ if(iph->protocol == 6 && l4_packet_len >= 20) {
// tcp
- tcph = (struct ndpi_tcphdr *) ((u_int8_t *) iph + iph->ihl * 4);
- if (iph->saddr < iph->daddr) {
+ tcph = (struct ndpi_tcphdr *) ((u_int8_t *) iph + l4_offset);
+ if(iph->saddr < iph->daddr) {
lower_port = tcph->source;
upper_port = tcph->dest;
} else {
lower_port = tcph->dest;
upper_port = tcph->source;
}
- } else if (iph->protocol == 17 && l4_packet_len >= 8) {
+ } else if(iph->protocol == 17 && l4_packet_len >= 8) {
// udp
- udph = (struct ndpi_udphdr *) ((u_int8_t *) iph + iph->ihl * 4);
+ udph = (struct ndpi_udphdr *) ((u_int8_t *) iph + l4_offset);
if(iph->saddr < iph->daddr) {
lower_port = udph->source;
upper_port = udph->dest;
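Review bot: `l4_offset = iph->ihl * 4` is zero for the synthetic header that get_ndpi_flow6 builds with `memset` and never gives an `ihl`, so for IPv6 `tcph` and `udph` point at that stack copy rather than at the captured packet. The ports that go into the flow key are then bytes of the synthetic header, identical for every packet. As far as these hunks show, every IPv6 conversation between the same address pair and protocol therefore lands in one flow. The new `ip_offset` argument is not used in any visible line; either pass the real L4 pointer into get_ndpi_flow or drop the argument, and state in a comment on the signature where the L4 header is expected for each `version`. The function body continues outside this hunk.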
@@ -402,11 +408,16 @@
flow.lower_port = lower_port;
flow.upper_port = upper_port;
+ /*
+ printf("[NDPI] [%u][%u:%u <-> %u:%u]\n",
+ iph->protocol, lower_ip, lower_port, upper_ip, upper_port);
+ */
+
idx = (lower_ip + upper_ip + iph->protocol + lower_port + upper_port) % NUM_ROOTS;
ret = ndpi_tfind(&flow, (void*)&ndpi_flows_root[idx], node_cmp);
if(ret == NULL) {
- if (ndpi_flow_count == MAX_NDPI_FLOWS) {
+ if(ndpi_flow_count == MAX_NDPI_FLOWS) {
printf("ERROR: maximum flow count (%u) has been exceeded\n", MAX_NDPI_FLOWS);
exit(-1);
} else {
@@ -459,13 +470,32 @@
}
}
+static struct ndpi_flow *get_ndpi_flow6(const struct ndpi_ip6_hdr *iph6,
+ u_int16_t ip_offset,
+ struct ndpi_id_struct **src,
+ struct ndpi_id_struct **dst,
+ u_int8_t *proto)
+{
+ struct ndpi_iphdr iph;
+
+ memset(&iph, 0, sizeof(iph));
+ iph.version = 4;
+ iph.saddr = iph6->ip6_src.__u6_addr.__u6_addr32[2] + iph6->ip6_src.__u6_addr.__u6_addr32[3];
+ iph.daddr = iph6->ip6_dst.__u6_addr.__u6_addr32[2] + iph6->ip6_dst.__u6_addr.__u6_addr32[3];
+ iph.protocol = iph6->ip6_ctlun.ip6_un1.ip6_un1_nxt;
+ return(get_ndpi_flow(6, &iph, ip_offset,
+ sizeof(struct ndpi_ip6_hdr),
+ ntohs(iph6->ip6_ctlun.ip6_un1.ip6_un1_plen),
+ src, dst, proto));
+}
+
static void setupDetection(void)
{
NDPI_PROTOCOL_BITMASK all;
// init global detection structure
ndpi_struct = ndpi_init_detection_module(detection_tick_resolution, malloc_wrapper, free_wrapper, debug_printf);
- if (ndpi_struct == NULL) {
+ if(ndpi_struct == NULL) {
printf("ERROR: global structure initialization failed\n");
exit(-1);
}
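Review bot: get_ndpi_flow6 folds each IPv6 address into 32 bits by adding `__u6_addr32[2]` and `__u6_addr32[3]`, which ignores the upper 64 bits and lets different address pairs produce the same `saddr`/`daddr`, so unrelated hosts can be merged into one flow and share its detection result. Nothing here confirms that the capture holds `sizeof(struct ndpi_ip6_hdr)` bytes before `ip6_src`, `ip6_dst` and `ip6_un1_plen` are read, and `ip6_un1_plen` comes from the packet and is passed on as `l4_packet_len` unchecked. `ip6_un1_nxt` is also used directly as the transport protocol, so a packet that begins with an extension header is keyed on the extension header number. At minimum the function needs a header comment stating these limits; keeping the full 128-bit addresses in the flow key would remove the collisions.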
@@ -514,17 +544,26 @@
ndpi_exit_detection_module(ndpi_struct, free_wrapper);
}
-static unsigned int packet_processing(const u_int64_t time, const struct ndpi_iphdr *iph,
+static unsigned int packet_processing(const u_int64_t time,
+ const struct ndpi_iphdr *iph,
+ struct ndpi_ip6_hdr *iph6,
+ u_int16_t ip_offset,
u_int16_t ipsize, u_int16_t rawsize)
{
struct ndpi_id_struct *src, *dst;
struct ndpi_flow *flow;
struct ndpi_flow_struct *ndpi_flow = NULL;
u_int32_t protocol = 0;
- u_int16_t frag_off = ntohs(iph->frag_off);
+ u_int8_t proto;
- flow = get_ndpi_flow(iph, ipsize, &src, &dst);
- if (flow != NULL) {
+ if(iph)
+ flow = get_ndpi_flow(4, iph, ip_offset, ipsize,
+ ntohs(iph->tot_len) - (iph->ihl * 4),
+ &src, &dst, &proto);
+ else
+ flow = get_ndpi_flow6(iph6, ip_offset, &src, &dst, &proto);
+
+ if(flow != NULL) {
ndpi_flow = flow->ndpi_flow;
flow->packets++, flow->bytes += rawsize;
} else
@@ -535,20 +574,9 @@
if(flow->detection_completed) return;
- // only handle unfragmented packets
- if ((frag_off & 0x3FFF) == 0) {
- // here the actual detection is performed
- protocol = (const u_int32_t)ndpi_detection_process_packet(ndpi_struct, ndpi_flow, (uint8_t *) iph, ipsize, time, src, dst);
- } else {
- static u_int8_t frag_warning_used = 0;
-
- if (frag_warning_used == 0) {
- printf("\n\nWARNING: fragmented ip packets are not supported and will be skipped \n\n");
- frag_warning_used = 1;
- }
-
- return 0;
- }
+ protocol = (const u_int32_t)ndpi_detection_process_packet(ndpi_struct, ndpi_flow,
+ iph ? (uint8_t *)iph : (uint8_t *)iph6,
+ ipsize, time, src, dst);
if(verbose > 1) {
char buf1[32], buf2[32];
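Review bot: With the fragment test removed, packet_processing hands every packet with a flow to `ndpi_detection_process_packet`, and the remaining filter in the pcap callback tests `frag_off` taken from the outer IPv4 header only. When the GTP branch replaces `iph` with the inner header, a first fragment of the inner packet (MF set, offset 0) is no longer skipped, and the IPv6 path has no fragment test at all. If that is intended because the library copes with fragments, a comment at the call saying so would help; otherwise re-check the header that is actually passed, e.g. `if(iph && (ntohs(iph->frag_off) & 0x3FFF) != 0) return 0;`. The function body starts and ends outside this hunk.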
@@ -563,8 +591,8 @@
flow->detected_protocol = protocol;
if((flow->detected_protocol != NDPI_PROTOCOL_UNKNOWN)
- || (iph->protocol == IPPROTO_UDP)
- || ((iph->protocol == IPPROTO_TCP) && (flow->packets > 10))) {
+ || (proto == IPPROTO_UDP)
+ || ((proto == IPPROTO_TCP) && (flow->packets > 10))) {
flow->detection_completed = 1;
#if 0
@@ -596,7 +624,7 @@
if(numBits < 1024) {
snprintf(buf, 32, "%lu %c", (unsigned long)numBits, unit);
- } else if (numBits < 1048576) {
+ } else if(numBits < 1048576) {
snprintf(buf, 32, "%.2f K%c", (float)(numBits)/1024, unit);
} else {
float tmpMBits = ((float)numBits)/1048576;
@@ -659,7 +687,7 @@
printf("\n\nDetected protocols:\n");
for (i = 0; i <= ndpi_get_num_supported_protocols(ndpi_struct); i++) {
- if (protocol_counter[i] > 0) {
+ if(protocol_counter[i] > 0) {
printf("\t\x1b[31m%-20s\x1b[0m packets: \x1b[33m%-13llu\x1b[0m bytes: \x1b[34m%-13llu\x1b[0m "
"flows: \x1b[36m%-13u\x1b[0m\n",
ndpi_get_proto_name(ndpi_struct, i), (long long unsigned int)protocol_counter[i],
@@ -683,7 +711,7 @@
static void closePcapFile(void)
{
- if (_pcap_handle != NULL) {
+ if(_pcap_handle != NULL) {
pcap_close(_pcap_handle);
}
}
@@ -711,7 +739,7 @@
_pcap_handle = pcap_open_offline(_pcap_file, _pcap_error_buffer);
capture_until = 0;
- if (_pcap_handle == NULL) {
+ if(_pcap_handle == NULL) {
printf("ERROR: could not open pcap file: %s\n", _pcap_error_buffer);
exit(-1);
} else
@@ -749,9 +777,12 @@
{
const struct ndpi_ethhdr *ethernet;
struct ndpi_iphdr *iph;
+ struct ndpi_ip6_hdr *iph6;
u_int64_t time;
static u_int64_t lasttime = 0;
- u_int16_t type, ip_offset;
+ u_int16_t type, ip_offset, ip_len;
+ u_int16_t frag_off = 0;
+ u_int8_t proto = 0;
raw_packet_count++;
@@ -764,7 +795,7 @@
time = ((uint64_t) header->ts.tv_sec) * detection_tick_resolution +
header->ts.tv_usec / (1000000 / detection_tick_resolution);
- if (lasttime > time) {
+ if(lasttime > time) {
// printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", lasttime - time);
time = lasttime;
}
@@ -788,60 +819,81 @@
iph = (struct ndpi_iphdr *) &packet[ip_offset];
// just work on Ethernet packets that contain IP
- if (type == ETH_P_IP && header->caplen >= ip_offset) {
- u_int16_t frag_off = ntohs(iph->frag_off);
+ if(type == ETH_P_IP && header->caplen >= ip_offset) {
+ frag_off = ntohs(iph->frag_off);
+ proto = iph->protocol;
if(header->caplen < header->len) {
static u_int8_t cap_warning_used = 0;
- if (cap_warning_used == 0) {
+ if(cap_warning_used == 0) {
printf("\n\nWARNING: packet capture size is smaller than packet size, DETECTION MIGHT NOT WORK CORRECTLY\n\n");
cap_warning_used = 1;
}
}
+ }
+
+ if(iph->version == 4) {
+ ip_len = ((u_short)iph->ihl * 4);
+ iph6 = NULL;
- if (iph->version != 4) {
- static u_int8_t ipv4_warning_used = 0;
-
- v4_warning:
- if (ipv4_warning_used == 0) {
- printf("\n\nWARNING: only IPv4 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n");
- ipv4_warning_used = 1;
+ if((frag_off & 0x3FFF) != 0) {
+ static u_int8_t ipv4_frags_warning_used = 0;
+
+ v4_frags_warning:
+ if(ipv4_frags_warning_used == 0) {
+ printf("\n\nWARNING: IPv4 fragments are not handled by this demo (nDPI supports them)\n");
+ ipv4_frags_warning_used = 1;
}
- return;
+
+ return;
}
- if(decode_tunnels && (iph->protocol == IPPROTO_UDP) && ((frag_off & 0x3FFF) == 0)) {
- u_short ip_len = ((u_short)iph->ihl * 4);
- struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len];
- u_int16_t sport = ntohs(udp->source), dport = ntohs(udp->dest);
-
- if((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) {
- /* Check if it's GTPv1 */
- u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr);
- u_int8_t flags = packet[offset];
- u_int8_t message_type = packet[offset+1];
-
- if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) {
- ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8 /* GTPv1 header len */;
+ } else if(iph->version == 6) {
+ iph6 = (struct ndpi_ip6_hdr *)&packet[ip_offset];
+ proto = iph6->ip6_ctlun.ip6_un1.ip6_un1_nxt;
+ ip_len = sizeof(struct ndpi_ip6_hdr);
+ iph = NULL;
+ } else {
+ static u_int8_t ipv4_warning_used = 0;
- if(flags & 0x04) ip_offset += 1; /* next_ext_header is present */
- if(flags & 0x02) ip_offset += 4; /* sequence_number is present (it also includes next_ext_header and pdu_number) */
- if(flags & 0x01) ip_offset += 1; /* pdu_number is present */
+ v4_warning:
+ if(ipv4_warning_used == 0) {
+ printf("\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n");
+ ipv4_warning_used = 1;
+ }
- iph = (struct ndpi_iphdr *) &packet[ip_offset];
+ return;
+ }
- if (iph->version != 4) {
- // printf("WARNING: not good (packet_id=%u)!\n", (unsigned int)raw_packet_count);
- goto v4_warning;
- }
+ if(decode_tunnels && (proto == IPPROTO_UDP)) {
+ struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len];
+ u_int16_t sport = ntohs(udp->source), dport = ntohs(udp->dest);
+
+ if((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) {
+ /* Check if it's GTPv1 */
+ u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr);
+ u_int8_t flags = packet[offset];
+ u_int8_t message_type = packet[offset+1];
+
+ if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && (message_type == 0xFF /* T-PDU */)) {
+ ip_offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr)+8 /* GTPv1 header len */;
+
+ if(flags & 0x04) ip_offset += 1; /* next_ext_header is present */
+ if(flags & 0x02) ip_offset += 4; /* sequence_number is present (it also includes next_ext_header and pdu_number) */
+ if(flags & 0x01) ip_offset += 1; /* pdu_number is present */
+
+ iph = (struct ndpi_iphdr *) &packet[ip_offset];
+
+ if(iph->version != 4) {
+ // printf("WARNING: not good (packet_id=%u)!\n", (unsigned int)raw_packet_count);
+ goto v4_warning;
}
}
-
}
-
- // process the packet
- packet_processing(time, iph, header->len - ip_offset, header->len);
}
+
+ // process the packet
+ packet_processing(time, iph, iph6, ip_offset, header->len - ip_offset, header->len);
}
static void runPcapLoop(void)
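Review bot: The `iph->version` dispatch now sits after the closing brace of the `type == ETH_P_IP && header->caplen >= ip_offset` block, so the header is dereferenced for every ethertype and even when fewer than `ip_offset` bytes were captured. Any frame whose first payload nibble is 4 or 6 is then parsed as IP, and in the tunnel branch `packet[ip_offset+ip_len]`, `packet[offset+1]` and the inner `iph->version` are read with no comparison against `header->caplen`. I would bail out before the dispatch, e.g. `if(header->caplen < ip_offset + sizeof(struct ndpi_iphdr)) return;`, gate on the IPv4 and IPv6 ethertypes, and bound each computed offset in the GTP branch the same way. The label `v4_frags_warning:` has no `goto` in the visible lines and can be dropped.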
@@ -921,7 +973,7 @@
__int64 t;
static int tzflag;
- if (tv)
+ if(tv)
{
GetSystemTimeAsFileTime(&ft);
li.LowPart = ft.dwLowDateTime;
@@ -933,17 +985,16 @@
tv->tv_usec = (long)(t % 1000000);
}
- if (tz)
- {
- if (!tzflag)
- {
- _tzset();
- tzflag++;
- }
- tz->tz_minuteswest = _timezone / 60;
- tz->tz_dsttime = _daylight;
+ if(tz) {
+ if(!tzflag) {
+ _tzset();
+ tzflag++;
}
+ tz->tz_minuteswest = _timezone / 60;
+ tz->tz_dsttime = _daylight;
+ }
+
return 0;
}
#endif /* WIN32 */
|
@@ -1013,7 +1013,7 @@
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_VNC, "VNC",
- ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+ ndpi_build_default_ports(ports_a, 5900, 5901, 5800, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_PCANYWHERE, "PcAnywhere",
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
@@ -3148,7 +3148,7 @@
if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(*detection_bitmask, NDPI_PROTOCOL_GTP) != 0) {
ndpi_struct->callback_buffer[a].func = ndpi_search_gtp;
ndpi_struct->callback_buffer[a].ndpi_selection_bitmask =
- NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD;
+ NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD;
NDPI_SAVE_AS_BITMASK(ndpi_struct->callback_buffer[a].detection_bitmask, NDPI_PROTOCOL_UNKNOWN);
NDPI_ADD_PROTOCOL_TO_BITMASK(ndpi_struct->callback_buffer[a].detection_bitmask, NDPI_PROTOCOL_GTP);
@@ -4321,7 +4321,7 @@
packet->line[packet->parsed_lines].ptr = packet->payload;
packet->line[packet->parsed_lines].len = 0;
- for (a = 0; a < end; a++) {
+ for (a = 0; (a+1) < end; a++) {
if (get_u_int16_t(packet->payload, a) == ntohs(0x0d0a)) {
packet->line[packet->parsed_lines].len = (u_int16_t)(((unsigned long) &packet->payload[a]) - ((unsigned long) packet->line[packet->parsed_lines].ptr));
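Review bot: The new bound `(a+1) < end` has no comment saying why it differs from the usual `a < end`; the reason is that `get_u_int16_t(packet->payload, a)` reads two bytes starting at `a`. I would add `/* get_u_int16_t() reads payload[a] and payload[a+1], so stop one byte early */` above the loop. `end` is defined outside this hunk, so confirm it is the payload length and that the later reads in the loop body, which are also outside the hunk, stay within it.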
@@ -5178,7 +5178,7 @@
/* ****************************************************** */
char* ndpi_get_proto_name(struct ndpi_detection_module_struct *ndpi_mod, u_int16_t proto_id) {
- if(proto_id > ndpi_mod->ndpi_num_supported_protocols) proto_id = NDPI_PROTOCOL_UNKNOWN;
+ if(proto_id >= ndpi_mod->ndpi_num_supported_protocols) proto_id = NDPI_PROTOCOL_UNKNOWN;
return(ndpi_mod->proto_defaults[proto_id].protoName);
}
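Review bot: With the test changed to `>=`, `ndpi_get_proto_name` maps `proto_id == ndpi_num_supported_protocols` to the unknown entry, but the demo's summary loop shown earlier on this page still runs `for (i = 0; i <= ndpi_get_num_supported_protocols(ndpi_struct); i++)` and indexes `protocol_counter[i]` with the same value. One of the two bounds looks off by one: if the count is the number of valid ids the loop should use `<`, and if the highest id equals the count this check now hides a real protocol name. A short comment on `ndpi_num_supported_protocols` stating whether it is a count or the highest valid id would settle which side to change.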
@@ -5344,7 +5344,7 @@
/* ****************************************************** */
char* ndpi_revision() {
- return("$Revision: 6649 $");
+ return("$Revision: 6712 $");
}
/* ****************************************************** */
|
@@ -37,253 +37,254 @@
void ndpi_search_imesh_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
- struct ndpi_packet_struct *packet = &flow->packet;
+ struct ndpi_packet_struct *packet = &flow->packet;
- if (packet->udp != NULL) {
+ if (packet->udp != NULL) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "UDP FOUND\n");
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "UDP FOUND\n");
- // this is the login packet
- if (packet->payload_packet_len == 28 && (get_u_int32_t(packet->payload, 0)) == htonl(0x02000000) &&
- get_u_int32_t(packet->payload, 24) == 0 &&
- (packet->udp->dest == htons(1864) || packet->udp->source == htons(1864))) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh Login detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- if (packet->payload_packet_len == 36) {
- if (get_u_int32_t(packet->payload, 0) == htonl(0x02000000) && packet->payload[4] != 0 &&
- packet->payload[5] == 0 && get_u_int16_t(packet->payload, 6) == htons(0x0083) &&
- get_u_int32_t(packet->payload, 24) == htonl(0x40000000) &&
- (packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] ||
- packet->payload[packet->payload_packet_len - 1] - 1 == packet->payload[packet->payload_packet_len - 5]
- || packet->payload[packet->payload_packet_len - 1] ==
- packet->payload[packet->payload_packet_len - 5] - 1)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- if (get_u_int16_t(packet->payload, 0) == htons(0x0200) && get_u_int16_t(packet->payload, 2) != 0 &&
- get_u_int32_t(packet->payload, 4) == htonl(0x02000083) && get_u_int32_t(packet->payload, 24) == htonl(0x40000000) &&
- (packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] ||
- packet->payload[packet->payload_packet_len - 1] - 1 == packet->payload[packet->payload_packet_len - 5]
- || packet->payload[packet->payload_packet_len - 1] ==
- packet->payload[packet->payload_packet_len - 5] - 1)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- }
- if (packet->payload_packet_len == 24 && get_u_int16_t(packet->payload, 0) == htons(0x0200)
- && get_u_int16_t(packet->payload, 2) != 0 && get_u_int32_t(packet->payload, 4) == htonl(0x03000084) &&
- (packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] ||
- packet->payload[packet->payload_packet_len - 1] - 1 == packet->payload[packet->payload_packet_len - 5] ||
- packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] - 1)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- if (packet->payload_packet_len == 32 && get_u_int32_t(packet->payload, 0) == htonl(0x02000000) &&
- get_u_int16_t(packet->payload, 21) == 0 && get_u_int16_t(packet->payload, 26) == htons(0x0100)) {
- if (get_u_int32_t(packet->payload, 4) == htonl(0x00000081) && packet->payload[11] == packet->payload[15] &&
- get_l16(packet->payload, 24) == htons(packet->udp->source)) {
- /* packet->payload[28] = source address */
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- if (get_u_int32_t(packet->payload, 4) == htonl(0x01000082)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- }
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh UDP packetlen: %d\n",
- packet->payload_packet_len);
-
- }
-
- if (packet->tcp != NULL) {
-
- if (packet->payload_packet_len == 64 && get_u_int32_t(packet->payload, 0) == htonl(0x40000000) &&
- get_u_int32_t(packet->payload, 4) == 0 && get_u_int32_t(packet->payload, 8) == htonl(0x0000fcff) &&
- get_u_int32_t(packet->payload, 12) == htonl(0x04800100) && get_u_int32_t(packet->payload, 45) == htonl(0xff020000) &&
- get_u_int16_t(packet->payload, 49) == htons(0x001a)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- if (packet->payload_packet_len == 95 && get_u_int32_t(packet->payload, 0) == htonl(0x5f000000) &&
- get_u_int16_t(packet->payload, 4) == 0 && get_u_int16_t(packet->payload, 7) == htons(0x0004) &&
- get_u_int32_t(packet->payload, 20) == 0 && get_u_int32_t(packet->payload, 28) == htonl(0xc8000400) &&
- packet->payload[9] == 0x80 && get_u_int32_t(packet->payload, 10) == get_u_int32_t(packet->payload, 24)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- if (packet->payload_packet_len == 28 && get_u_int32_t(packet->payload, 0) == htonl(0x1c000000) &&
- get_u_int16_t(packet->payload, 10) == htons(0xfcff) && get_u_int32_t(packet->payload, 12) == htonl(0x07801800) &&
- (get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x1900) ||
- get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x1a00))) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
-
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "TCP FOUND :: Payload %u\n",
- packet->payload_packet_len);
-
- if (packet->actual_payload_len == 0) {
- return;
- }
- if ((packet->actual_payload_len == 8 || packet->payload_packet_len == 10) /* PATTERN:: 04 00 00 00 00 00 00 00 [00 00] */
- &&get_u_int32_t(packet->payload, 0) == htonl(0x04000000)
- && get_u_int32_t(packet->payload, 4) == 0) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 10 /* PATTERN:: ?? ?? 04|00 00 64|00 00 */
- && (packet->payload[2] == 0x04 || packet->payload[2] == 0x00)
- && packet->payload[3] == 0x00 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x64)
- && packet->payload[5] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 2 && packet->payload[0] == 0x06 && packet->payload[1] == 0x00) {
- flow->l4.tcp.imesh_stage++;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 10 /* PATTERN:: 06 00 04|00 00 01|00 00 01|00 00 ?? 00 */
- && packet->payload[0] == 0x06
- && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x00)
- && packet->payload[3] == 0x00 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01)
- && packet->payload[5] == 0x00 && (packet->payload[6] == 0x01 || packet->payload[6] == 0x00)
- && packet->payload[7] == 0x00 && packet->payload[9] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 24 && packet->payload[0] == 0x06 // PATTERN :: 06 00 12 00 00 00 34 00 00
- && packet->payload[1] == 0x00
- && packet->payload[2] == 0x12
- && packet->payload[3] == 0x00
- && packet->payload[4] == 0x00
- && packet->payload[5] == 0x00
- && packet->payload[6] == 0x34 && packet->payload[7] == 0x00 && packet->payload[8] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 8 /* PATTERN:: 06|00 00 02 00 00 00 33 00 */
- && (packet->payload[0] == 0x06 || packet->payload[0] == 0x00)
- && packet->payload[1] == 0x00
- && packet->payload[2] == 0x02
- && packet->payload[3] == 0x00
- && packet->payload[4] == 0x00
- && packet->payload[5] == 0x00 && packet->payload[6] == 0x33 && packet->payload[7] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->payload_packet_len == 6 /* PATTERN:: 02 00 00 00 33 00 */
- && packet->payload[0] == 0x02
- && packet->payload[1] == 0x00
- && packet->payload[2] == 0x00
- && packet->payload[3] == 0x00 && packet->payload[4] == 0x33 && packet->payload[5] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 12 && packet->payload[0] == 0x06 // PATTERN : 06 00 06 00 00 00 64 00
- && packet->payload[1] == 0x00
- && packet->payload[2] == 0x06
- && packet->payload[3] == 0x00
- && packet->payload[4] == 0x00
- && packet->payload[5] == 0x00 && packet->payload[6] == 0x64 && packet->payload[7] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 10 /* PATTERN:: 06 00 04|01 00 00 00 01|00 00 ?? 00 */
- && packet->payload[0] == 0x06
- && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x01)
- && packet->payload[3] == 0x00
- && packet->payload[4] == 0x00
- && packet->payload[5] == 0x00 && (packet->payload[6] == 0x01 || packet->payload[6] == 0x00)
- && packet->payload[7] == 0x00
- /* && packet->payload[8]==0x00 */
- && packet->payload[9] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if ((packet->actual_payload_len == 64 || packet->actual_payload_len == 52 /* PATTERN:: [len] 00 00 00 00 */
- || packet->actual_payload_len == 95)
- && get_u_int16_t(packet->payload, 0) == (packet->actual_payload_len)
- && packet->payload[1] == 0x00 && packet->payload[2] == 0x00
- && packet->payload[3] == 0x00 && packet->payload[4] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 6 && packet->payload[0] == 0x06 // PATTERN : 06 00 04|6c 00|01 00 00
- && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x6c)
- && (packet->payload[3] == 0x00 || packet->payload[3] == 0x01)
- && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {
-
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 6 /* PATTERN:: [len] ?? ee 00 00 00 */
- && get_u_int16_t(packet->payload, 0) == (packet->actual_payload_len)
- && packet->payload[2] == 0xee
- && packet->payload[3] == 0x00 && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- } else if (packet->actual_payload_len == 10 /* PATTERN:: 06 00 00 00 00 00 00 00 */
- && packet->payload[0] == 0x06
- && packet->payload[1] == 0x00
- && packet->payload[2] == 0x00
- && packet->payload[3] == 0x00
- && packet->payload[4] == 0x00
- && packet->payload[5] == 0x00 && packet->payload[6] == 0x00 && packet->payload[7] == 0x00) {
- flow->l4.tcp.imesh_stage += 2;
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
- "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
- }
-
-
- /* http login */
- if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /registration") &&
- memcmp(packet->payload, "POST /registration", NDPI_STATICSTRING_LEN("POST /registration")) == 0) {
- ndpi_parse_packet_line_info(ndpi_struct, flow);
- if (packet->parsed_lines > 6 &&
- packet->host_line.ptr != NULL &&
- packet->host_line.len == NDPI_STATICSTRING_LEN("login.bearshare.com") &&
- packet->line[1].ptr != NULL &&
- packet->line[1].len == NDPI_STATICSTRING_LEN("Authorization: Basic Og==") &&
- packet->line[4].ptr != NULL &&
- packet->line[4].len == NDPI_STATICSTRING_LEN("Accept-Encoding: identity") &&
- memcmp(packet->line[1].ptr, "Authorization: Basic Og==",
- NDPI_STATICSTRING_LEN("Authorization: Basic Og==")) == 0 &&
- memcmp(packet->host_line.ptr, "login.bearshare.com",
- NDPI_STATICSTRING_LEN("login.bearshare.com")) == 0 &&
- memcmp(packet->line[4].ptr, "Accept-Encoding: identity",
- NDPI_STATICSTRING_LEN("Accept-Encoding: identity") == 0)) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh Login detected\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
- return;
- }
- }
- /*give one packet tolerance for detection */
- if (flow->l4.tcp.imesh_stage >= 4) {
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
- ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
- return;
- }
- }
-
- if ((flow->packet_counter < 5) || packet->actual_payload_len == 0) {
- return;
- }
- //imesh_not_found_end:
- NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IMESH);
- NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh excluded at stage %d\n",
- packet->tcp != NULL ? flow->l4.tcp.imesh_stage : 0);
+ // this is the login packet
+ if (packet->payload_packet_len == 28 && (get_u_int32_t(packet->payload, 0)) == htonl(0x02000000) &&
+ get_u_int32_t(packet->payload, 24) == 0 &&
+ (packet->udp->dest == htons(1864) || packet->udp->source == htons(1864))) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh Login detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ if (packet->payload_packet_len == 36) {
+ if (get_u_int32_t(packet->payload, 0) == htonl(0x02000000) && packet->payload[4] != 0 &&
+ packet->payload[5] == 0 && get_u_int16_t(packet->payload, 6) == htons(0x0083) &&
+ get_u_int32_t(packet->payload, 24) == htonl(0x40000000) &&
+ (packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] ||
+ packet->payload[packet->payload_packet_len - 1] - 1 == packet->payload[packet->payload_packet_len - 5]
+ || packet->payload[packet->payload_packet_len - 1] ==
+ packet->payload[packet->payload_packet_len - 5] - 1)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ if (get_u_int16_t(packet->payload, 0) == htons(0x0200) && get_u_int16_t(packet->payload, 2) != 0 &&
+ get_u_int32_t(packet->payload, 4) == htonl(0x02000083) && get_u_int32_t(packet->payload, 24) == htonl(0x40000000) &&
+ (packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] ||
+ packet->payload[packet->payload_packet_len - 1] - 1 == packet->payload[packet->payload_packet_len - 5]
+ || packet->payload[packet->payload_packet_len - 1] ==
+ packet->payload[packet->payload_packet_len - 5] - 1)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ }
+ if (packet->payload_packet_len == 24 && get_u_int16_t(packet->payload, 0) == htons(0x0200)
+ && get_u_int16_t(packet->payload, 2) != 0 && get_u_int32_t(packet->payload, 4) == htonl(0x03000084) &&
+ (packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] ||
+ packet->payload[packet->payload_packet_len - 1] - 1 == packet->payload[packet->payload_packet_len - 5] ||
+ packet->payload[packet->payload_packet_len - 1] == packet->payload[packet->payload_packet_len - 5] - 1)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ if (packet->payload_packet_len == 32 && get_u_int32_t(packet->payload, 0) == htonl(0x02000000) &&
+ get_u_int16_t(packet->payload, 21) == 0 && get_u_int16_t(packet->payload, 26) == htons(0x0100)) {
+ if (get_u_int32_t(packet->payload, 4) == htonl(0x00000081) && packet->payload[11] == packet->payload[15] &&
+ get_l16(packet->payload, 24) == htons(packet->udp->source)) {
+ /* packet->payload[28] = source address */
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ if (get_u_int32_t(packet->payload, 4) == htonl(0x01000082)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ }
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh UDP packetlen: %d\n",
+ packet->payload_packet_len);
+
+ }
+
+ if (packet->tcp != NULL) {
+ if (packet->payload_packet_len == 64 && get_u_int32_t(packet->payload, 0) == htonl(0x40000000) &&
+ get_u_int32_t(packet->payload, 4) == 0 && get_u_int32_t(packet->payload, 8) == htonl(0x0000fcff) &&
+ get_u_int32_t(packet->payload, 12) == htonl(0x04800100) && get_u_int32_t(packet->payload, 45) == htonl(0xff020000) &&
+ get_u_int16_t(packet->payload, 49) == htons(0x001a)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ if (packet->payload_packet_len == 95 && get_u_int32_t(packet->payload, 0) == htonl(0x5f000000) &&
+ get_u_int16_t(packet->payload, 4) == 0 && get_u_int16_t(packet->payload, 7) == htons(0x0004) &&
+ get_u_int32_t(packet->payload, 20) == 0 && get_u_int32_t(packet->payload, 28) == htonl(0xc8000400) &&
+ packet->payload[9] == 0x80 && get_u_int32_t(packet->payload, 10) == get_u_int32_t(packet->payload, 24)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ if (packet->payload_packet_len == 28 && get_u_int32_t(packet->payload, 0) == htonl(0x1c000000) &&
+ get_u_int16_t(packet->payload, 10) == htons(0xfcff) && get_u_int32_t(packet->payload, 12) == htonl(0x07801800) &&
+ (get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x1900) ||
+ get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x1a00))) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "TCP FOUND :: Payload %u\n",
+ packet->payload_packet_len);
+
+ if (packet->actual_payload_len == 0) {
+ return;
+ }
+ if ((packet->actual_payload_len == 8 || packet->payload_packet_len == 10) /* PATTERN:: 04 00 00 00 00 00 00 00 [00 00] */
+ &&get_u_int32_t(packet->payload, 0) == htonl(0x04000000)
+ && get_u_int32_t(packet->payload, 4) == 0) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 10 /* PATTERN:: ?? ?? 04|00 00 64|00 00 */
+ && (packet->payload[2] == 0x04 || packet->payload[2] == 0x00)
+ && packet->payload[3] == 0x00 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x64)
+ && packet->payload[5] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 2 && packet->payload[0] == 0x06 && packet->payload[1] == 0x00) {
+ flow->l4.tcp.imesh_stage++;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 10 /* PATTERN:: 06 00 04|00 00 01|00 00 01|00 00 ?? 00 */
+ && packet->payload[0] == 0x06
+ && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x00)
+ && packet->payload[3] == 0x00 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01)
+ && packet->payload[5] == 0x00 && (packet->payload[6] == 0x01 || packet->payload[6] == 0x00)
+ && packet->payload[7] == 0x00 && packet->payload[9] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 24 && packet->payload[0] == 0x06 // PATTERN :: 06 00 12 00 00 00 34 00 00
+ && packet->payload[1] == 0x00
+ && packet->payload[2] == 0x12
+ && packet->payload[3] == 0x00
+ && packet->payload[4] == 0x00
+ && packet->payload[5] == 0x00
+ && packet->payload[6] == 0x34 && packet->payload[7] == 0x00 && packet->payload[8] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 8 /* PATTERN:: 06|00 00 02 00 00 00 33 00 */
+ && (packet->payload[0] == 0x06 || packet->payload[0] == 0x00)
+ && packet->payload[1] == 0x00
+ && packet->payload[2] == 0x02
+ && packet->payload[3] == 0x00
+ && packet->payload[4] == 0x00
+ && packet->payload[5] == 0x00 && packet->payload[6] == 0x33 && packet->payload[7] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->payload_packet_len == 6 /* PATTERN:: 02 00 00 00 33 00 */
+ && packet->payload[0] == 0x02
+ && packet->payload[1] == 0x00
+ && packet->payload[2] == 0x00
+ && packet->payload[3] == 0x00 && packet->payload[4] == 0x33 && packet->payload[5] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 12 && packet->payload[0] == 0x06 // PATTERN : 06 00 06 00 00 00 64 00
+ && packet->payload[1] == 0x00
+ && packet->payload[2] == 0x06
+ && packet->payload[3] == 0x00
+ && packet->payload[4] == 0x00
+ && packet->payload[5] == 0x00 && packet->payload[6] == 0x64 && packet->payload[7] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 10 /* PATTERN:: 06 00 04|01 00 00 00 01|00 00 ?? 00 */
+ && packet->payload[0] == 0x06
+ && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x01)
+ && packet->payload[3] == 0x00
+ && packet->payload[4] == 0x00
+ && packet->payload[5] == 0x00 && (packet->payload[6] == 0x01 || packet->payload[6] == 0x00)
+ && packet->payload[7] == 0x00
+ /* && packet->payload[8]==0x00 */
+ && packet->payload[9] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if ((packet->actual_payload_len == 64 || packet->actual_payload_len == 52 /* PATTERN:: [len] 00 00 00 00 */
+ || packet->actual_payload_len == 95)
+ && get_u_int16_t(packet->payload, 0) == (packet->actual_payload_len)
+ && packet->payload[1] == 0x00 && packet->payload[2] == 0x00
+ && packet->payload[3] == 0x00 && packet->payload[4] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 6 && packet->payload[0] == 0x06 // PATTERN : 06 00 04|6c 00|01 00 00
+ && packet->payload[1] == 0x00 && (packet->payload[2] == 0x04 || packet->payload[2] == 0x6c)
+ && (packet->payload[3] == 0x00 || packet->payload[3] == 0x01)
+ && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {
+
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 6 /* PATTERN:: [len] ?? ee 00 00 00 */
+ && get_u_int16_t(packet->payload, 0) == (packet->actual_payload_len)
+ && packet->payload[2] == 0xee
+ && packet->payload[3] == 0x00 && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ } else if (packet->actual_payload_len == 10 /* PATTERN:: 06 00 00 00 00 00 00 00 */
+ && packet->payload[0] == 0x06
+ && packet->payload[1] == 0x00
+ && packet->payload[2] == 0x00
+ && packet->payload[3] == 0x00
+ && packet->payload[4] == 0x00
+ && packet->payload[5] == 0x00 && packet->payload[6] == 0x00 && packet->payload[7] == 0x00) {
+ flow->l4.tcp.imesh_stage += 2;
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG,
+ "IMESH FOUND :: Payload %u\n", packet->actual_payload_len);
+ }
+
+
+ /* http login */
+ if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /registration") &&
+ memcmp(packet->payload, "POST /registration", NDPI_STATICSTRING_LEN("POST /registration")) == 0) {
+ ndpi_parse_packet_line_info(ndpi_struct, flow);
+ if (packet->parsed_lines > 6 &&
+ packet->host_line.ptr != NULL &&
+ packet->host_line.len == NDPI_STATICSTRING_LEN("login.bearshare.com") &&
+ packet->line[1].ptr != NULL &&
+ packet->line[1].len == NDPI_STATICSTRING_LEN("Authorization: Basic Og==") &&
+ packet->line[4].ptr != NULL &&
+ packet->line[4].len == NDPI_STATICSTRING_LEN("Accept-Encoding: identity") &&
+ memcmp(packet->line[1].ptr, "Authorization: Basic Og==",
+ NDPI_STATICSTRING_LEN("Authorization: Basic Og==")) == 0 &&
+ memcmp(packet->host_line.ptr, "login.bearshare.com",
+ NDPI_STATICSTRING_LEN("login.bearshare.com")) == 0 &&
+ memcmp(packet->line[4].ptr, "Accept-Encoding: identity",
+ NDPI_STATICSTRING_LEN("Accept-Encoding: identity") == 0)) {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh Login detected\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
+ return;
+ }
+ }
+ /*give one packet tolerance for detection */
+ if((flow->l4.tcp.imesh_stage >= 4)
+ && (flow->l4.tcp.seen_syn && flow->l4.tcp.seen_syn_ack && flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */)
+ {
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "found imesh.\n");
+ ndpi_int_imesh_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
+ return;
+ }
+ }
+
+ if ((flow->packet_counter < 5) || packet->actual_payload_len == 0) {
+ return;
+ }
+ //imesh_not_found_end:
+ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IMESH);
+ NDPI_LOG(NDPI_PROTOCOL_IMESH, ndpi_struct, NDPI_LOG_DEBUG, "iMesh excluded at stage %d\n",
+ packet->tcp != NULL ? flow->l4.tcp.imesh_stage : 0);
}
#endif