├── lib
├── packages
│   ├── ubuntu
│   │   ├── debian
│   │   │   ├── conffiles
│   │   │   ├── compat
│   │   │   ├── docs
│   │   │   ├── dirs
│   │   │   ├── files.in
│   │   │   ├── README
│   │   │   ├── changelog.in
│   │   │   ├── postrm
│   │   │   ├── prerm
│   │   │   ├── control.in
│   │   │   ├── postinst
│   │   │   ├── preinst
│   │   │   └── rules
│   │   ├── configure.in
│   │   ├── Makefile
│   │   └── Makefile.in
│   └── homebrew
│       ├── README
│       └── ndpi.rb
├── tests
│   ├── result
│   │   ├── BGP_Cisco_hdlc_slarp.pcap.out
│   │   ├── NTPv2.pcap.out
│   │   ├── NTPv4.pcap.out
│   │   ├── NTPv3.pcap.out
│   │   ├── Oscar.pcap.out
│   │   ├── quic.pcap.out
│   │   ├── bt_search.pcap.out
│   │   ├── mpegts.pcap.out
│   │   ├── bittorrent_utp.pcap.out
│   │   ├── mpeg.pcap.out
│   │   ├── google_ssl.pcap.out
│   │   ├── BGP_redist.pcap.out
│   │   ├── snapchat.pcap.out
│   │   ├── rx.pcap.out
│   │   ├── teredo.pcap.out
│   │   ├── Torcedor.pcap.out
│   │   ├── whatsapp_login_chat.pcap.out
│   │   ├── whatsapp_voice_and_message.pcap.out
│   │   ├── 6in4tunnel.pcap.out
│   │   ├── coap_mqtt.pcap.out
│   │   ├── http_ipv6.pcap.out
│   │   ├── KakaoTalk_talk.pcap.out
│   │   ├── ocs.pcap.out
│   │   ├── EAQ.pcap.out
│   │   ├── quickplay.pcap.out
│   │   └── Meu.pcap.out
│   ├── pcap
│   │   ├── README.txt
│   │   ├── EAQ.pcap
│   │   ├── Meu.pcap
│   │   ├── mpeg.pcap
│   │   ├── ocs.pcap
│   │   ├── quic.pcap
│   │   ├── rx.pcap
│   │   ├── waze.pcap
│   │   ├── NTPv2.pcap
│   │   ├── NTPv3.pcap
│   │   ├── NTPv4.pcap
│   │   ├── Oscar.pcap
│   │   ├── mpegts.pcap
│   │   ├── skype.pcap
│   │   ├── teredo.pcap
│   │   ├── webex.pcap
│   │   ├── Instagram.pcap
│   │   ├── Torcedor.pcap
│   │   ├── bt_search.pcap
│   │   ├── coap_mqtt.pcap
│   │   ├── dropbox.pcap
│   │   ├── http_ipv6.pcap
│   │   ├── quickplay.pcap
│   │   ├── snapchat.pcap
│   │   ├── 6in4tunnel.pcap
│   │   ├── BGP_redist.pcap
│   │   ├── bittorrent.pcap
│   │   ├── google_ssl.pcap
│   │   ├── KakaoTalk_chat.pcap
│   │   ├── KakaoTalk_talk.pcap
│   │   ├── Viber_session.pcap
│   │   ├── bittorrent_utp.pcap
│   │   ├── viber_mobile.pcap
│   │   ├── skype_no_unknown.pcap
│   │   ├── starcraft_battle.pcap
│   │   ├── whatsapp_login_call.pcap
│   │   ├── whatsapp_login_chat.pcap
│   │   ├── BGP_Cisco_hdlc_slarp.pcap
│   │   └── whatsapp_voice_and_message.pcap
│   └── do.sh
├── doc
│   ├── nDPI_QuickStartGuide.docx
│   ├── nDPI_QuickStartGuide.pages
│   └── nDPI_QuickStartGuide.pdf
├── example
│   ├── Win32
│   │   ├── pcapExample.suo
│   │   ├── pcapExample
│   │   │   ├── pcapExample.vcxproj.user
│   │   │   └── pcapExample.cpp
│   │   └── pcapExample.sln
│   ├── Makefile.am
│   └── protos.txt
├── src
│   ├── lib
│   │   ├── third_party
│   │   │   ├── include
│   │   │   │   ├── ndpi_patricia.h
│   │   │   │   ├── sort.h
│   │   │   │   ├── node.h
│   │   │   │   └── ahocorasick.h
│   │   │   └── src
│   │   │       └── sort.c
│   │   └── protocols
│   │       ├── collectd.c
│   │       ├── teredo.c
│   │       ├── vmware.c
│   │       ├── sflow.c
│   │       ├── mpegts.c
│   │       ├── ubntac2.c
│   │       ├── viber.c
│   │       ├── corba.c
│   │       ├── dcerpc.c
│   │       ├── noe.c
│   │       ├── hep.c
│   │       ├── kakaotalk_voice.c
│   │       ├── megaco.c
│   │       ├── smb.c
│   │       ├── stealthnet.c
│   │       ├── pcanywhere.c
│   │       ├── bgp.c
│   │       ├── mssql.c
│   │       ├── twitter.c
│   │       ├── dhcpv6.c
│   │       ├── openft.c
│   │       ├── rsync.c
│   │       ├── radius.c
│   │       ├── http_activesync.c
│   │       ├── ayiya.c
│   │       ├── whoisdas.c
│   │       ├── applejuice.c
│   │       ├── dhcp.c
│   │       ├── rdp.c
│   │       ├── pptp.c
│   │       ├── ciscovpn.c
│   │       ├── tcp_udp.c
│   │       ├── vhua.c
│   │       ├── openvpn.c
│   │       ├── ssh.c
│   │       ├── vnc.c
│   │       ├── telegram.c
│   │       ├── world_of_kung_fu.c
│   │       ├── ssdp.c
│   │       ├── eaq.c
│   │       ├── kontiki.c
│   │       ├── halflife2_and_mods.c
│   │       ├── tftp.c
│   │       ├── lotus_notes.c
│   │       ├── ntp.c
│   │       ├── oracle.c
│   │       ├── gtp.c
│   │       ├── dropbox.c
│   │       ├── kerberos.c
│   │       └── mysql.c
│   └── include
│       ├── Makefile.am
│       ├── ndpi_unix.h
│       ├── ndpi_includes.h
│       └── ndpi_win32.h
├── Makefile.am
├── libndpi.pc.in
├── .travis.yml
├── ChangeLog
├── .gitignore
├── README.nDPI
├── autogen.sh
├── libndpi.sym
├── README.protocols
├── README.md
└── configure.ac

/lib:
--------------------------------------------------------------------------------
src/lib/.libs
--------------------------------------------------------------------------------
/packages/ubuntu/debian/conffiles:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/packages/ubuntu/debian/compat:
--------------------------------------------------------------------------------
1
--------------------------------------------------------------------------------
/packages/ubuntu/debian/docs:
--------------------------------------------------------------------------------
README
--------------------------------------------------------------------------------
/packages/ubuntu/debian/dirs:
--------------------------------------------------------------------------------
usr/local/ndpi
--------------------------------------------------------------------------------
/tests/result/BGP_Cisco_hdlc_slarp.pcap.out:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/packages/ubuntu/debian/files.in:
--------------------------------------------------------------------------------
ndpi_@NDPI_VERS@_@EXTN@.deb free optional
--------------------------------------------------------------------------------
/tests/pcap/README.txt:
--------------------------------------------------------------------------------
Place here test pcaps used for regression testing
--------------------------------------------------------------------------------
/tests/pcap/EAQ.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/EAQ.pcap
--------------------------------------------------------------------------------
/tests/pcap/Meu.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/Meu.pcap
--------------------------------------------------------------------------------
/tests/pcap/mpeg.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/mpeg.pcap
--------------------------------------------------------------------------------
/tests/pcap/ocs.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/ocs.pcap
--------------------------------------------------------------------------------
/tests/pcap/quic.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/quic.pcap
--------------------------------------------------------------------------------
/tests/pcap/rx.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/rx.pcap
--------------------------------------------------------------------------------
/tests/pcap/waze.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/waze.pcap
--------------------------------------------------------------------------------
/tests/pcap/NTPv2.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/NTPv2.pcap
--------------------------------------------------------------------------------
/tests/pcap/NTPv3.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/NTPv3.pcap
--------------------------------------------------------------------------------
/tests/pcap/NTPv4.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/NTPv4.pcap
--------------------------------------------------------------------------------
/tests/pcap/Oscar.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/Oscar.pcap
--------------------------------------------------------------------------------
/tests/pcap/mpegts.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/mpegts.pcap
--------------------------------------------------------------------------------
/tests/pcap/skype.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/skype.pcap
--------------------------------------------------------------------------------
/tests/pcap/teredo.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/teredo.pcap
--------------------------------------------------------------------------------
/tests/pcap/webex.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/webex.pcap
--------------------------------------------------------------------------------
/tests/pcap/Instagram.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/Instagram.pcap
--------------------------------------------------------------------------------
/tests/pcap/Torcedor.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/Torcedor.pcap
--------------------------------------------------------------------------------
/tests/pcap/bt_search.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/bt_search.pcap
--------------------------------------------------------------------------------
/tests/pcap/coap_mqtt.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/coap_mqtt.pcap
--------------------------------------------------------------------------------
/tests/pcap/dropbox.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/dropbox.pcap
--------------------------------------------------------------------------------
/tests/pcap/http_ipv6.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/http_ipv6.pcap
--------------------------------------------------------------------------------
/tests/pcap/quickplay.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/quickplay.pcap
--------------------------------------------------------------------------------
/tests/pcap/snapchat.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/snapchat.pcap
--------------------------------------------------------------------------------
/tests/pcap/6in4tunnel.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/6in4tunnel.pcap
--------------------------------------------------------------------------------
/tests/pcap/BGP_redist.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/BGP_redist.pcap
--------------------------------------------------------------------------------
/tests/pcap/bittorrent.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/bittorrent.pcap
--------------------------------------------------------------------------------
/tests/pcap/google_ssl.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/google_ssl.pcap
--------------------------------------------------------------------------------
/doc/nDPI_QuickStartGuide.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/doc/nDPI_QuickStartGuide.docx
--------------------------------------------------------------------------------
/doc/nDPI_QuickStartGuide.pages:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/doc/nDPI_QuickStartGuide.pages
--------------------------------------------------------------------------------
/doc/nDPI_QuickStartGuide.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/doc/nDPI_QuickStartGuide.pdf
--------------------------------------------------------------------------------
/example/Win32/pcapExample.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/example/Win32/pcapExample.suo
--------------------------------------------------------------------------------
/tests/pcap/KakaoTalk_chat.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/KakaoTalk_chat.pcap
--------------------------------------------------------------------------------
/tests/pcap/KakaoTalk_talk.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/KakaoTalk_talk.pcap
--------------------------------------------------------------------------------
/tests/pcap/Viber_session.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/Viber_session.pcap
--------------------------------------------------------------------------------
/tests/pcap/bittorrent_utp.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/bittorrent_utp.pcap
--------------------------------------------------------------------------------
/tests/pcap/viber_mobile.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/viber_mobile.pcap
--------------------------------------------------------------------------------
/tests/pcap/skype_no_unknown.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/skype_no_unknown.pcap
--------------------------------------------------------------------------------
/tests/pcap/starcraft_battle.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/starcraft_battle.pcap
--------------------------------------------------------------------------------
/tests/pcap/whatsapp_login_call.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/whatsapp_login_call.pcap
--------------------------------------------------------------------------------
/tests/pcap/whatsapp_login_chat.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/whatsapp_login_chat.pcap
--------------------------------------------------------------------------------
/tests/pcap/BGP_Cisco_hdlc_slarp.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/BGP_Cisco_hdlc_slarp.pcap
--------------------------------------------------------------------------------
/tests/result/NTPv2.pcap.out:
--------------------------------------------------------------------------------
NTP 1 410 1

1 UDP 78.46.76.2:80 <-> 208.104.95.10:123 [proto: 9/NTP][1 pkts/410 bytes]
--------------------------------------------------------------------------------
/tests/result/NTPv4.pcap.out:
--------------------------------------------------------------------------------
NTP 1 90 1

1 UDP 78.46.76.11:123 <-> 85.22.62.120:123 [proto: 9/NTP][1 pkts/90 bytes]
--------------------------------------------------------------------------------
/tests/pcap/whatsapp_voice_and_message.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/tests/pcap/whatsapp_voice_and_message.pcap
--------------------------------------------------------------------------------
/tests/result/NTPv3.pcap.out:
--------------------------------------------------------------------------------
Quic 1 90 1

1 UDP 78.46.76.2:80 <-> 175.144.140.29:123 [proto: 188/Quic][1 pkts/90 bytes]
--------------------------------------------------------------------------------
/src/lib/third_party/include/ndpi_patricia.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aperezdc/nDPI/dev/src/lib/third_party/include/ndpi_patricia.h
--------------------------------------------------------------------------------
/tests/result/Oscar.pcap.out:
--------------------------------------------------------------------------------
Oscar 71 9386 1

1 TCP 10.30.29.3:63357 <-> 178.237.24.249:443 [proto: 69/Oscar][71 pkts/9386 bytes]
--------------------------------------------------------------------------------
/tests/result/quic.pcap.out:
--------------------------------------------------------------------------------
Quic 413 254874 1

1 UDP 216.58.212.101:443 <-> 192.168.1.109:57833 [proto: 188/Quic][413 pkts/254874 bytes]
--------------------------------------------------------------------------------
/packages/ubuntu/debian/README:
--------------------------------------------------------------------------------
This directory contains the files needed to build the package
named 'nprobe' for the Debian GNU/Linux distribution.
--------------------------------------------------------------------------------
/tests/result/bt_search.pcap.out:
--------------------------------------------------------------------------------
BitTorrent 2 322 1

1 UDP 192.168.0.102:6771 <-> 239.192.152.143:6771 [proto: 37/BitTorrent][2 pkts/322 bytes]
--------------------------------------------------------------------------------
/tests/result/mpegts.pcap.out:
--------------------------------------------------------------------------------
MPEG_TS 1 1362 1

1 UDP 230.200.201.23:1234 <-> 10.1.16.48:40737 [VLAN: 3359][proto: 198/MPEG_TS][1 pkts/1362 bytes]
--------------------------------------------------------------------------------
/tests/result/bittorrent_utp.pcap.out:
--------------------------------------------------------------------------------
BitTorrent 86 41489 1

1 UDP 192.168.1.5:40959 <-> 82.243.113.43:64969 [proto: 37/BitTorrent][86 pkts/41489 bytes]
--------------------------------------------------------------------------------
/packages/ubuntu/debian/changelog.in:
--------------------------------------------------------------------------------
ndpi (@NDPI_VERS@-@SVN_RELEASE@) stable; urgency=high
  * Last packaged version

 -- Luca Deri @DATE@
--------------------------------------------------------------------------------
/tests/result/mpeg.pcap.out:
--------------------------------------------------------------------------------
MPEG 19 10643 1

1 TCP 46.101.157.119:80 <-> 192.168.80.160:55804 [proto: 7.42/HTTP.MPEG][19 pkts/10643 bytes][Host: luca.ntop.org]
--------------------------------------------------------------------------------
/tests/result/google_ssl.pcap.out:
--------------------------------------------------------------------------------
Google 28 9108 1

1 TCP 216.58.212.100:443 <-> 172.31.3.224:42835 [proto: 91.126/SSL.Google][28 pkts/9108 bytes][SSL server: www.google.com]
--------------------------------------------------------------------------------
/Makefile.am:
--------------------------------------------------------------------------------
ACLOCAL_AMFLAGS = -I m4

SUBDIRS = src/lib example

pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libndpi.pc

EXTRA_DIST = libndpi.sym autogen.sh
--------------------------------------------------------------------------------
/example/Win32/pcapExample/pcapExample.vcxproj.user:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/tests/result/BGP_redist.pcap.out:
--------------------------------------------------------------------------------
BGP 2 322 2

1 TCP 2.2.2.2:179 <-> 4.4.4.4:63535 [proto: 13/BGP][1 pkts/163 bytes]
2 TCP 2.2.2.2:179 <-> 5.5.5.5:49433 [proto: 13/BGP][1 pkts/159 bytes]
--------------------------------------------------------------------------------
/packages/homebrew/README:
--------------------------------------------------------------------------------
=== HOMEBREW PACKAGE ===

NB: Work in progress

- SUBMIT FORMULA
  cp ndpi.rb /usr/local/Library/Formula/

- INSTALL FORMULA
  #check the formula
  brew audit ndpi
  brew install -vd ndpi
--------------------------------------------------------------------------------
/example/Win32/pcapExample/pcapExample.cpp:
--------------------------------------------------------------------------------
// pcapExample.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"


int _tmain(int argc, _TCHAR* argv[])
{
	return 0;
}

--------------------------------------------------------------------------------
/src/lib/third_party/include/sort.h:
--------------------------------------------------------------------------------
/* This is a function ported from the Linux kernel lib/sort.c */

#include <stddef.h>   /* size_t */

void sort(void *base, size_t num, size_t len,
	  int (*cmp_func)(const void *, const void *),
	  void (*swap_func)(void *, void *, int size));

--------------------------------------------------------------------------------
/packages/ubuntu/debian/postrm:
--------------------------------------------------------------------------------
#!/bin/sh -e

set -e

#/bin/rm /etc/ld.so.conf.d/nprobe.conf
/sbin/ldconfig

# Not needed: upstart does it
if [ "$1" = "purge" ] ; then
    update-rc.d nprobe remove >/dev/null
fi

exit 0
--------------------------------------------------------------------------------
/libndpi.pc.in:
--------------------------------------------------------------------------------
prefix=@prefix@
exec_prefix=@exec_prefix@
libdir=@libdir@
includedir=@includedir@

Name: libndpi
Description: deep packet inspection library
Version: @VERSION@
Libs: -L${libdir} -lndpi
Cflags: -I${includedir}/libndpi-@VERSION@
--------------------------------------------------------------------------------
/src/include/Makefile.am:
--------------------------------------------------------------------------------
library_includedir=$(includedir)/libndpi-1.4/libndpi

library_include_HEADERS = ndpi_api.h \
                          ndpi_define.h \
                          ndpi_typedefs.h \
                          ndpi_main.h \
                          ndpi_protocol_ids.h \
                          ndpi_protocols.h \
                          ndpi_win32.h \
                          ndpi_includes.h
--------------------------------------------------------------------------------
/example/Makefile.am:
--------------------------------------------------------------------------------
bin_PROGRAMS = ndpiReader

AM_CPPFLAGS = -I$(top_srcdir)/src/include @PCAP_INC@
AM_CFLAGS = @PTHREAD_CFLAGS@

LDADD = $(top_builddir)/src/lib/libndpi.la @JSON_C_LIB@ @PTHREAD_LIBS@ @PCAP_LIB@
AM_LDFLAGS = -static

ndpiReader_SOURCES = ndpiReader.c

ndpiReader.o: ndpiReader.c

--------------------------------------------------------------------------------
/packages/ubuntu/debian/prerm:
--------------------------------------------------------------------------------
#!/bin/sh -e

# Only shut the daemon down if we're really removing the package. If this is
# an upgrade, we will instead do a restart in the postinst... this keeps nprobe
# from being left shut down for a long time, which could pose problems.

case "$1" in
    upgrade)
	;;
    *)
	/etc/init.d/nprobe stop
	;;
esac

exit 0
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: c

compiler:
  - clang
  - gcc

install:
  - sudo apt-get update || true
  - sudo apt-get install build-essential
  - sudo apt-get install libpcap-dev libtool autoconf automake autogen

before_script:
  - ./autogen.sh

script:
  - ./configure
  - make

after_script:
  - cd tests
  - ./do.sh
--------------------------------------------------------------------------------
/tests/result/snapchat.pcap.out:
--------------------------------------------------------------------------------
SSL_No_Cert 22 2879 1
Snapchat 34 7320 2

1 TCP 10.8.0.1:56193 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][17 pkts/3943 bytes][SSL client: feelinsonice-hrd.appspot.com]
2 TCP 10.8.0.1:44536 <-> 74.125.136.141:443 [proto: 91.199/SSL.Snapchat][17 pkts/3377 bytes][SSL client: feelinsonice-hrd.appspot.com]
3 TCP 10.8.0.1:33233 <-> 74.125.136.141:443 [proto: 64/SSL_No_Cert][22 pkts/2879 bytes]
--------------------------------------------------------------------------------
/tests/result/rx.pcap.out:
--------------------------------------------------------------------------------
RX 132 26475 5

1 UDP 192.167.206.124:7002 <-> 131.114.219.168:38331 [proto: 223/RX][3 pkts/519 bytes]
2 UDP 192.167.206.124:7002 <-> 131.114.219.168:41559 [proto: 223/RX][3 pkts/519 bytes]
3 UDP 192.167.206.124:7003 <-> 131.114.219.168:7001 [proto: 223/RX][27 pkts/9919 bytes]
4 UDP 131.114.219.168:7001 <-> 192.167.206.241:7000 [proto: 223/RX][79 pkts/12376 bytes]
5 UDP 192.167.206.124:7000 <-> 131.114.219.168:7001 [proto: 223/RX][20 pkts/3142 bytes]
--------------------------------------------------------------------------------
/tests/result/teredo.pcap.out:
--------------------------------------------------------------------------------
Teredo 24 2574 5

1 UDP 194.136.28.76:3544 <-> 10.112.16.106:52513 [proto: 214/Teredo][4 pkts/508 bytes]
2 UDP 194.136.28.76:3544 <-> 10.112.16.89:60381 [proto: 214/Teredo][2 pkts/254 bytes]
3 UDP 10.112.16.67:51812 <-> 194.136.28.76:3544 [proto: 214/Teredo][14 pkts/1304 bytes]
4 UDP 10.112.16.64:56154 <-> 194.136.28.76:3544 [proto: 214/Teredo][2 pkts/254 bytes]
5 UDP 194.136.28.76:3544 <-> 10.112.16.92:63448 [proto: 214/Teredo][2 pkts/254 bytes]
--------------------------------------------------------------------------------
/ChangeLog:
--------------------------------------------------------------------------------
2014-03-21:
- improved support for eDonkey/eMule/Kademlia
- improved support for PPLive

2014-03-20:
- code optimizations
- consistency improvements
- added support for new applications: Pando Media Booster
- improved support for Steam
- added support for new web services: Wikipedia, MSN, Amazon, eBay, CNN

2014-03-19:
- added new protocols: FTP, code improvements

2014-03-17:
- added new protocols: SOCKSv4, SOCKSv5, RTMP
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.[oa]
*~
*o.cmd
*.lo
*.obj
*o.cmd
*.ko
*.swp
*.in
*.la
.libs
.dirstamp
stamp-h1
/configure
/config.guess
/config.h
/config.h.in
/config.sub
/config.log
/config.status
/depcomp
/install-sh
/ltmain.sh
/missing
/Makefile
/libndpi.pc
/libtool
/src/lib/Makefile
/src/include/Makefile
/example/ndpiReader
/example/Makefile
/aclocal.m4
/m4/libtool.m4
/m4/ltoptions.m4
/m4/ltsugar.m4
/m4/ltversion.m4
/m4/lt~obsolete.m4
--------------------------------------------------------------------------------
/example/protos.txt:
--------------------------------------------------------------------------------
# Format:
# :,:,.....@

tcp:81,tcp:8181@HTTP
udp:5061-5062@SIP
tcp:860,udp:860,tcp:3260,udp:3260@iSCSI
tcp:3000@ntop

# Subprotocols
# Format:
# host:"",host:"",.....@

host:"googlesyndacation.com"@Google
host:"venere.com"@Venere
host:"kataweb.it",host:"repubblica.it"@Repubblica
host:"ntop"@ntop

# IP based Subprotocols
# Format:
# ip:,ip:,.....@

ip:213.75.170.11@CustomProtocol

--------------------------------------------------------------------------------
/README.nDPI:
--------------------------------------------------------------------------------
Prerequisites for Compilation
-----------------------------

Prerequisites
- GNU autotools/libtool
- libpcap or PF_RING (optional but recommended)

On Ubuntu/Debian
- apt-get install build-essential
- apt-get install git autoconf automake autogen libpcap-dev libtool

On Fedora/CentOS
- yum groupinstall "Development tools"
- yum install git autoconf automake autogen libpcap-devel libtool

On MacOSX (using http://brew.sh)
- brew install autoconf automake libtool git

On FreeBSD
- pkg install autoconf automake libtool gmake git
--------------------------------------------------------------------------------
/tests/result/Torcedor.pcap.out:
--------------------------------------------------------------------------------
HTTP 4 216 1
SSL 26 1558 2
Torcedor 55 67338 3

1 TCP 10.8.0.1:55944 <-> 52.25.136.177:80 [proto: 7.192/HTTP.Torcedor][7 pkts/1118 bytes][Host: usuario.timtorcedor.com.br]
2 TCP 10.8.0.1:53114 <-> 31.13.85.8:443 [proto: 91/SSL][4 pkts/216 bytes]
3 TCP 10.8.0.1:56117 <-> 52.25.136.177:80 [proto: 7.192/HTTP.Torcedor][23 pkts/33056 bytes][Host: usuario.timtorcedor.com.br]
4 TCP 10.8.0.1:40016 <-> 158.85.58.105:443 [proto: 91/SSL][22 pkts/1342 bytes]
5 TCP 10.8.0.1:33415 <-> 187.109.32.201:80 [proto: 7/HTTP][4 pkts/216 bytes]
6 TCP 10.8.0.1:39422 <-> 54.149.207.220:80 [proto: 7.192/HTTP.Torcedor][25 pkts/33164 bytes][Host: usuario.timtorcedor.com.br]
--------------------------------------------------------------------------------
/packages/ubuntu/debian/control.in:
--------------------------------------------------------------------------------
Source: ndpi
Section: free
Priority: optional
Maintainer: Luca Deri
Standards-Version: @NDPI_VERSION@
Build-Depends:
Build-Conflicts:

Package: ndpi
Architecture: @EXTN@
Depends: pfring (=@PFRING_VERS@-@PFRING_SVN_RELEASE@), libnuma
Recommends:
Suggests:
Pre-Depends:
Conflicts:
Provides:
Replaces:
Description: A network probe.
19 | 20 | Package: ndpi-dev 21 | Section: libdevel 22 | Architecture: all 23 | Depends: ndpi (= ${binary:Version}), ${misc:Depends} 24 | Conflicts: 25 | Description: development library and header files for ndpi 26 | Headers, static libraries, and documentation for the ndpi library 27 | 28 | 29 | -------------------------------------------------------------------------------- /packages/ubuntu/debian/postinst: -------------------------------------------------------------------------------- 1 | #!/bin/sh -e 2 | 3 | case "$1" in 4 | configure) 5 | # continue below 6 | ;; 7 | 8 | abort-upgrade|abort-remove|abort-deconfigure) 9 | exit 0 10 | ;; 11 | 12 | *) 13 | echo "postinst called with unknown argument \`$1'" >&2 14 | exit 0 15 | ;; 16 | esac 17 | 18 | umask 022 19 | 20 | # Update shared libs 21 | echo "/usr/local/lib\n" > /etc/ld.so.conf.d/nprobe.conf 22 | echo "Rebuilding ld cache..." 23 | /sbin/ldconfig 24 | 25 | echo "Adding the nprobe startup script" 26 | update-rc.d nprobe defaults 93 >/dev/null 27 | 28 | echo "Making the /etc/nprobe directory..." 29 | mkdir -p /etc/nprobe/ 30 | 31 | echo "Making the /var/log/nprobe directory..." 32 | mkdir -p /var/log/nprobe 33 | 34 | exit 0 35 | -------------------------------------------------------------------------------- /packages/ubuntu/debian/preinst: -------------------------------------------------------------------------------- 1 | #! 
/bin/sh 2 | # preinst script for nbox 3 | # 4 | # see: dh_installdeb(1) 5 | 6 | set -e 7 | 8 | # summary of how this script can be called: 9 | # * `install' 10 | # * `install' 11 | # * `upgrade' 12 | # * `abort-upgrade' 13 | 14 | case "$1" in 15 | install|upgrade) 16 | if test -f /usr/local/sbin/nprobe; then 17 | rm /usr/local/sbin/nprobe 18 | fi 19 | ;; 20 | 21 | abort-upgrade) 22 | ;; 23 | 24 | *) 25 | echo "preinst called with unknown argument \`$1'" >&2 26 | exit 0 27 | ;; 28 | esac 29 | 30 | # dh_installdeb will replace this with shell code automatically 31 | # generated by other debhelper scripts. 32 | 33 | 34 | 35 | exit 0 36 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | 4 | /bin/rm -f configure config.h config.h.in src/lib/Makefile.in 5 | 6 | AUTOCONF=$(which autoconf) 7 | AUTOMAKE=$(which automake) 8 | LIBTOOL=$(which libtool) 9 | LIBTOOLIZE=$(which libtoolize) 10 | AUTORECONF=$(which autoreconf) 11 | 12 | if test -z $AUTOCONF; then 13 | echo "autoconf is missing: please install it and try again" 14 | exit 15 | fi 16 | 17 | if test -z $AUTOMAKE; then 18 | echo "automake is missing: please install it and try again" 19 | exit 20 | fi 21 | 22 | if test -z $LIBTOOL && test -z $LIBTOOLIZE ; then 23 | echo "libtool and libtoolize is missing: please install it and try again" 24 | exit 25 | fi 26 | 27 | if test -z $AUTORECONF; then 28 | echo "autoreconf is missing: please install it and try again" 29 | exit 30 | fi 31 | 32 | autoreconf -ivf 33 | ./configure $* 34 | -------------------------------------------------------------------------------- /tests/do.sh: -------------------------------------------------------------------------------- 1 | 2 | READER=../example/ndpiReader 3 | 4 | RC=0 5 | PCAPS=`cd pcap; /bin/ls *.pcap` 6 | 7 | build_results() { 8 | for f in $PCAPS; do 9 | #echo $f 10 | # create result files if 
not present 11 | [ ! -f result/$f.out ] && $READER -q -i pcap/$f -w result/$f.out -v 1 12 | done 13 | } 14 | 15 | check_results() { 16 | for f in $PCAPS; do 17 | if [ -f result/$f.out ]; then 18 | CMD="$READER -q -i pcap/$f -w /tmp/reader.out -v 1" 19 | $CMD 20 | NUM_DIFF=`diff result/$f.out /tmp/reader.out | wc -l` 21 | 22 | if [ $NUM_DIFF -eq 0 ]; then 23 | printf "%-32s\tOK\n" "$f" 24 | else 25 | printf "%-32s\tERROR\n" "$f" 26 | echo "$CMD" 27 | diff result/$f.out /tmp/reader.out 28 | RC=1 29 | fi 30 | 31 | /bin/rm /tmp/reader.out 32 | fi 33 | done 34 | } 35 | 36 | build_results 37 | check_results 38 | 39 | exit $RC 40 | -------------------------------------------------------------------------------- /packages/ubuntu/configure.in: -------------------------------------------------------------------------------- 1 | AC_INIT([Makefile.in], 1.0) 2 | 3 | NDPI_VERS=`cat ../../config.h | grep -w VERSION | cut -d \" -f 2` 4 | PFRING_VERS=`cat $HOME/PF_RING/kernel/linux/pf_ring.h | grep RING_VERSION | head -1 | cut -d '"' -f 2` 5 | SVN_RELEASE=`svn info ../.. 
| grep "^Revision"|cut -d " " -f 2` 6 | PFRING_SVN_RELEASE=`svn info $HOME/PF_RING | grep "^Revision"|cut -d " " -f 2` 7 | MACHINE=`uname -m` 8 | 9 | if test $MACHINE = "x86_64"; then 10 | EXTN="amd64" 11 | else 12 | EXTN="i386" 13 | fi 14 | 15 | DATE=`date -R` 16 | KERNEL=`uname -r` 17 | 18 | AC_SUBST(NDPI_VERS) 19 | AC_SUBST(PFRING_VERS) 20 | AC_SUBST(MACHINE) 21 | AC_SUBST(EXTN) 22 | AC_SUBST(DATE) 23 | AC_SUBST(KERNEL) 24 | AC_SUBST(SVN_RELEASE) 25 | AC_SUBST(PFRING_SVN_RELEASE) 26 | 27 | AC_CONFIG_FILES(Makefile) 28 | AC_CONFIG_FILES(debian/changelog) 29 | AC_CONFIG_FILES(debian/files) 30 | AC_CONFIG_FILES(debian/control) 31 | 32 | AC_OUTPUT 33 | -------------------------------------------------------------------------------- /tests/result/whatsapp_login_chat.pcap.out: -------------------------------------------------------------------------------- 1 | MDNS 2 202 2 2 | DHCP 6 2052 1 3 | DropBox 2 1088 1 4 | Apple 50 23466 2 5 | WhatsApp 32 3243 2 6 | Spotify 1 86 1 7 | 8 | 1 UDP 192.168.2.1:17500 <-> 192.168.2.255:17500 [proto: 121/DropBox][2 pkts/1088 bytes] 9 | 2 UDP [fe80::189c:c31b:1298:224]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes] 10 | 3 UDP 192.168.2.1:53 <-> 192.168.2.4:61697 [proto: 5.142/DNS.WhatsApp][2 pkts/280 bytes][Host: e12.whatsapp.net] 11 | 4 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][44 pkts/21371 bytes] 12 | 5 UDP 0.0.0.0:68 <-> 255.255.255.255:67 [proto: 18/DHCP][6 pkts/2052 bytes] 13 | 6 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][30 pkts/2963 bytes] 14 | 7 UDP 192.168.2.1:57621 <-> 192.168.2.255:57621 [proto: 156/Spotify][1 pkts/86 bytes] 15 | 8 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][6 pkts/2095 bytes] 16 | 9 UDP 192.168.2.4:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/91 bytes] 17 | -------------------------------------------------------------------------------- /example/Win32/pcapExample.sln: 
-------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual C++ Express 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "pcapExample", "pcapExample\pcapExample.vcxproj", "{F6A2C0AE-2110-438A-87E4-7C1CFCE064C6}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {F6A2C0AE-2110-438A-87E4-7C1CFCE064C6}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {F6A2C0AE-2110-438A-87E4-7C1CFCE064C6}.Debug|Win32.Build.0 = Debug|Win32 14 | {F6A2C0AE-2110-438A-87E4-7C1CFCE064C6}.Release|Win32.ActiveCfg = Release|Win32 15 | {F6A2C0AE-2110-438A-87E4-7C1CFCE064C6}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /libndpi.sym: -------------------------------------------------------------------------------- 1 | ndpi_dump_protocols 2 | ndpi_get_proto_name 3 | ndpi_free 4 | ndpi_guess_undetected_protocol 5 | ndpi_tfind 6 | ndpi_tsearch 7 | ndpi_set_protocol_detection_bitmask2 8 | ndpi_detection_get_sizeof_ndpi_id_struct 9 | ndpi_detection_get_sizeof_ndpi_flow_struct 10 | ndpi_load_protocols_file 11 | ndpi_tdestroy 12 | ndpi_exit_detection_module 13 | ndpi_l4_detection_process_packet 14 | ndpi_detection_process_packet 15 | ndpi_twalk 16 | ndpi_tdelete 17 | ndpi_revision 18 | ndpi_init_detection_module 19 | ndpi_get_num_supported_protocols 20 | ndpi_set_proto_defaults 21 | ndpi_get_protocol_id 22 | ndpi_find_port_based_protocol 23 | ndpi_get_http_method 24 | ndpi_get_http_url 25 | ndpi_get_http_content_type 26 | ndpi_free_flow 27 | ndpi_get_proto_breed 28 | 
ndpi_get_proto_breed_name 29 | ndpi_get_proto_by_id 30 | ndpi_get_protocol_id_master_proto 31 | ndpi_guess_protocol_id 32 | ndpi_protocol2name 33 | ndpi_get_lower_proto 34 | ndpi_is_proto 35 | ndpi_malloc 36 | ndpi_calloc 37 | ndpi_set_detected_protocol 38 | ndpi_match_string_subprotocol 39 | -------------------------------------------------------------------------------- /packages/homebrew/ndpi.rb: -------------------------------------------------------------------------------- 1 | class Ndpi < Formula 2 | desc "Deep Packet Inspection (DPI) library" 3 | homepage "http://www.ntop.org/products/ndpi/" 4 | url "https://downloads.sourceforge.net/project/ntop/nDPI/nDPI-1.7.tar.gz" 5 | sha256 "714b745103a072462130b0e14cf31b2eb5270f580b7c839da5cf5ea75150262d" 6 | 7 | bottle do 8 | cellar :any 9 | sha256 "e9464d314479ba3e7a91422e0bc606cfd5f6e72e94d6441cc4fa30e9c925da5c" => :yosemite 10 | sha256 "1d6b1d860669b42766baa276ed948c342e2fa4fd28663ba64a90fd0e200ba9c4" => :mavericks 11 | sha256 "b814918b4fb9588de7126061ce4ac3eb41a5c3eee27c7432b669f6dc6921bfde" => :mountain_lion 12 | end 13 | 14 | depends_on "autoconf" => :build 15 | depends_on "automake" => :build 16 | depends_on "pkg-config" => :build 17 | depends_on "libtool" => :build 18 | depends_on "json-c" 19 | 20 | def install 21 | system "./autogen.sh" 22 | system "./configure", "--prefix=#{prefix}" 23 | system "make" 24 | system "make", "install" 25 | end 26 | 27 | test do 28 | system "#{bin}/ndpiReader", "-i", test_fixtures("test.pcap") 29 | end 30 | end 31 | -------------------------------------------------------------------------------- /README.protocols: -------------------------------------------------------------------------------- 1 | Tor 2 | --- 3 | 4 | Tor protocol can use SSL to hide itself. 
These are examples: 5 | 6 | TCP 37.128.208.46:9001 <-> 172.16.253.130:2078 [VLAN: 0][proto: 91/SSL][132 pkts/93834 bytes][SSL client: www.jwrpsthzrih.com] 7 | TCP 172.16.253.130:2021 <-> 75.147.140.249:443 [VLAN: 0][proto: 91/SSL][28 pkts/8053 bytes][SSL client: www.5akw23dx.com] 8 | TCP 172.16.253.130:2077 <-> 77.247.181.163:443 [VLAN: 0][proto: 91/SSL][136 pkts/94329 bytes][SSL client: www.fk4pprq42hsvl2wey.com] 9 | 10 | It can be detected by analyzing the SSL client certificate and checking the name that does not match to a real host in 11 | addition of begin a bit weird. As doing DNS resolution is not a task for nDPI we let applications do and then recognize 12 | SSL-tunnelled connections. 13 | 14 | See http://www.netresec.com/?page=Blog&month=2013-04&post=Detecting-TOR-Communication-in-Network-Traffic 15 | 16 | For this reason nDPI uses a heuristic, non-DNS based, approach to detect tor communications. If possible, apps 17 | should validate the certificate using the DNS. This is not something nDPI can afford to do for performance 18 | reasons 19 | -------------------------------------------------------------------------------- /tests/result/whatsapp_voice_and_message.pcap.out: -------------------------------------------------------------------------------- 1 | STUN 44 5916 8 2 | WhatsApp 217 22139 5 3 | 4 | 1 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78/STUN][5 pkts/676 bytes] 5 | 2 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78/STUN][5 pkts/676 bytes] 6 | 3 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78/STUN][5 pkts/676 bytes] 7 | 4 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78/STUN][9 pkts/1184 bytes] 8 | 5 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78/STUN][5 pkts/676 bytes] 9 | 6 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78/STUN][5 pkts/676 bytes] 10 | 7 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][62 pkts/5609 bytes] 11 | 8 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][46 pkts/4990 
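A defender-side check in the spirit of README.protocols above, as an added example that is not part of nDPI: it pulls the "[SSL client: ...]" field out of ndpiReader flow records and applies a simple, non-DNS randomness heuristic to www.<label>.com names, leaving the certificate/DNS confirmation to the application as the README recommends. The heuristic itself, the port-9001 hint and the sample records are this example's assumptions, not nDPI's rule.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the "[SSL client: NAME]" field of an ndpiReader flow record into out.
   Returns 1 if the field was present, 0 otherwise. */
int extract_ssl_client(const char *record, char *out, size_t outlen) {
    static const char tag[] = "[SSL client: ";
    const char *p = strstr(record, tag);
    if (p == NULL) return 0;
    p += sizeof tag - 1;
    const char *end = strchr(p, ']');
    if (end == NULL) return 0;
    size_t n = (size_t)(end - p);
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Heuristic of this example (an assumption, not nDPI's own rule): a name of
   the form www.<label>.com whose single label has at least 8 characters and
   either mixes letters with digits or is almost vowel-free looks generated. */
int looks_random_www_com(const char *name) {
    size_t len = strlen(name);
    if (len < 16 || strncmp(name, "www.", 4) != 0 || strcmp(name + len - 4, ".com") != 0)
        return 0;
    const char *label = name + 4;
    size_t label_len = len - 8, letters = 0, digits = 0, vowels = 0;
    for (size_t i = 0; i < label_len; i++) {
        unsigned char c = (unsigned char)label[i];
        if (isdigit(c)) digits++;
        else if (isalpha(c)) { letters++; if (strchr("aeiouAEIOU", c)) vowels++; }
        else return 0;                        /* '.', '-' etc.: an ordinary name */
    }
    if (digits > 0 && letters > 0) return 1;  /* e.g. www.5akw23dx.com */
    return letters > 0 && vowels * 5 < letters;   /* vowel ratio below 0.2 */
}

/* Score one record: bit 0 = random-looking SNI, bit 1 = plain SSL flow on
   TCP port 9001 (Tor's default OR port, as in the first README example).
   Zero means nothing suspicious; a non-zero score is only a hint that the
   application should confirm through certificate/DNS validation. */
int tor_suspect_score(const char *record) {
    char name[256];
    int score = 0;
    if (extract_ssl_client(record, name, sizeof name) && looks_random_www_com(name))
        score |= 1;
    if (strstr(record, "[proto: 91/SSL]") != NULL && strstr(record, ":9001 ") != NULL)
        score |= 2;
    return score;
}

int main(void) {
    /* Constructed sample: the three README.protocols records plus a benign one. */
    const char *records[] = {
        "TCP 37.128.208.46:9001 <-> 172.16.253.130:2078 [VLAN: 0][proto: 91/SSL][132 pkts/93834 bytes][SSL client: www.jwrpsthzrih.com]",
        "TCP 172.16.253.130:2021 <-> 75.147.140.249:443 [VLAN: 0][proto: 91/SSL][28 pkts/8053 bytes][SSL client: www.5akw23dx.com]",
        "TCP 172.16.253.130:2077 <-> 77.247.181.163:443 [VLAN: 0][proto: 91/SSL][136 pkts/94329 bytes][SSL client: www.fk4pprq42hsvl2wey.com]",
        "TCP 10.0.0.5:51234 <-> 31.13.85.8:443 [VLAN: 0][proto: 91.119/SSL.Facebook][33 pkts/13926 bytes][SSL client: www.facebook.com]",
    };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        printf("score %d: %s\n", tor_suspect_score(records[i]), records[i]);
    return 0;
}
```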
bytes] 12 | 9 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][30 pkts/4709 bytes] 13 | 10 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][27 pkts/2220 bytes] 14 | 11 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][52 pkts/4611 bytes] 15 | 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78/STUN][5 pkts/676 bytes] 16 | 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78/STUN][5 pkts/676 bytes] 17 | -------------------------------------------------------------------------------- /packages/ubuntu/debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | # Uncomment this to turn on verbose mode. 4 | # export DH_VERBOSE=1 5 | 6 | # 7 | # debian/compat 8 | # We should use at least comparibily version 5 9 | # but this requires the whole building process 10 | # to be remade and this is something we leave 11 | # to when we will have more time 12 | # http://www.tin.org/bin/man.cgi?section=7&topic=debhelper 13 | # 14 | 15 | package=ndpi 16 | 17 | build: build-stamp 18 | build-stamp: 19 | dh_testdir 20 | 21 | clean: 22 | dh_testdir 23 | dh_testroot 24 | dh_clean 25 | 26 | install: build 27 | dh_testdir 28 | dh_testroot 29 | dh_clean -k 30 | dh_installdirs 31 | 32 | # Build architecture-independent files here. 33 | binary-indep: build install 34 | # We have nothing to do by default. 35 | 36 | # Build architecture-dependent files here. 37 | binary-arch: build install 38 | dh_testdir 39 | dh_testroot 40 | dh_clean -k 41 | dh_installdirs 42 | dh_installinit 43 | dh_installman 44 | # install the files into debian/tmp. 
45 | cp -r ./usr/ ./debian/tmp 46 | cp -r ./ndpi-dev/* ./debian/ndpi-dev/ 47 | -find ./debian/tmp -name .svn -exec /bin/rm -rf {} ';' 48 | -find ./debian/tmp -executable -type f |xargs strip 49 | dh_link 50 | dh_strip 51 | dh_compress 52 | dh_fixperms 53 | dh_installdeb 54 | dh_gencontrol 55 | dh_md5sums 56 | dh_builddeb 57 | 58 | binary: binary-indep binary-arch 59 | .PHONY: build clean binary-indep binary-arch binary install 60 | -------------------------------------------------------------------------------- /tests/result/6in4tunnel.pcap.out: -------------------------------------------------------------------------------- 1 | HTTP 10 1792 1 2 | IMAPS 4 516 2 3 | SSL 28 15397 1 4 | ICMPV6 48 7862 3 5 | Facebook 37 14726 3 6 | 7 | 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2a03:2880:1010:6f03:face:b00c::2]:53234 [proto: 91.119/SSL.Facebook][33 pkts/13926 bytes][SSL client: www.facebook.com] 8 | 2 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][2 pkts/394 bytes][Host: star.c10r.facebook.com] 9 | 3 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2604:a880:1:20::224:b001]:60205 [proto: 91/SSL][28 pkts/15397 bytes][SSL client: mail.tomasu.net] 10 | 4 ICMPV6 [2001:470:1f16:13f::2]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][1 pkts/200 bytes] 11 | 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 <-> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][1 pkts/1314 bytes] 12 | 6 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:35610 [proto: 51/IMAPS][2 pkts/258 bytes] 13 | 7 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][46 pkts/6348 bytes] 14 | 8 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:56381 [proto: 51/IMAPS][2 pkts/258 bytes] 15 | 9 UDP [2001:470:1f16:13f::2]:53959 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][2 pkts/406 bytes][Host: 
star.c10r.facebook.com] 16 | 10 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:80 <-> [2604:a880:1:20::224:b001]:41538 [proto: 7/HTTP][10 pkts/1792 bytes][Host: mail.tomasu.net] 17 | -------------------------------------------------------------------------------- /src/include/ndpi_unix.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ndpi_unix.h 3 | * 4 | * Copyright (C) 2011-15 - ntop.org 5 | * Copyright (C) 2009-2011 by ipoque GmbH 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | #ifndef __NDPI_UNIX_INCLUDE_FILE__ 26 | #define __NDPI_UNIX_INCLUDE_FILE__ 27 | 28 | #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) 29 | #include 30 | #if defined(__NetBSD__) || defined(__OpenBSD__) 31 | #include 32 | #if defined(__OpenBSD__) 33 | #include 34 | #endif 35 | #endif 36 | #endif 37 | 38 | #ifndef WIN32 39 | #include 40 | #include 41 | #include 42 | #endif 43 | 44 | #endif /* __NDPI_UNIX_INCLUDE_FILE__ */ 45 | -------------------------------------------------------------------------------- /packages/ubuntu/Makefile: -------------------------------------------------------------------------------- 1 | # 2 | # Change it according to your setup 3 | # 4 | NDPI_HOME=$(PWD)/../.. 5 | NDPI_BUILD=${NDPI_HOME}/packages/ubuntu 6 | 7 | all: clean ndpi 8 | 9 | ndpi: 10 | \rm -rf ./usr ./debian/tmp ./debian/ndpi-dev 11 | mkdir -p ./usr/local ./debian/ndpi-dev 12 | mkdir -p ./usr/local/ndpi/lib ./usr/local/ndpi/bin ./ndpi-dev/usr/local/include/ndpi/ 13 | cd ${NDPI_HOME}; ./autogen.sh; ./configure; make 14 | cp $(NDPI_HOME)/lib/libndpi.a $(NDPI_HOME)/lib/libndpi.so* ./usr/local/ndpi/lib/ 15 | cp $(NDPI_HOME)/example/ndpiReader ./usr/local/ndpi/bin/ 16 | cp $(NDPI_HOME)/src/include/*.h ndpi-dev/usr/local/include/ndpi/ 17 | -rm -fr ndpi-dev/usr/local/include/nprobe/ndpi/.svn ndpi-dev/usr/local/include/ndpi/Makefile* ndpi-dev/usr/local/include/ndpi/ndpi_win32.h* ndpi-dev/usr/local/include/ndpi/include 18 | -find ./usr/local/lib -name "*.la" -exec /bin/rm {} ';' 19 | @echo 20 | @find . -name "*~" -exec /bin/rm {} ';' 21 | dpkg-buildpackage -rfakeroot -d -us -uc 22 | dpkg-sig --sign builder -k 7921DF34 ../ndpi*deb 23 | @\rm -f ../ndpi*dsc ../ndpi*.gz ../ndpi*changes 24 | @/bin/mv ../ndpi*deb . 25 | @echo 26 | @echo "Package built." 
27 | @/bin/ls ndpi*deb 28 | @echo "-------------------------------" 29 | -dpkg --contents ndpi*amd64.deb 30 | @echo "-------------------------------" 31 | @echo "-------------------------------" 32 | -dpkg --contents ndpi*all.deb 33 | @echo "-------------------------------" 34 | 35 | distclean: 36 | echo "dummy distclean" 37 | 38 | install: 39 | echo "dummy install" 40 | 41 | clean: 42 | -rm -rf *~ *deb debian/tmp ./usr 43 | -------------------------------------------------------------------------------- /packages/ubuntu/Makefile.in: -------------------------------------------------------------------------------- 1 | # 2 | # Change it according to your setup 3 | # 4 | NDPI_HOME=$(PWD)/../.. 5 | NDPI_BUILD=${NDPI_HOME}/packages/ubuntu 6 | 7 | all: clean ndpi 8 | 9 | ndpi: 10 | \rm -rf ./usr ./debian/tmp ./debian/ndpi-dev 11 | mkdir -p ./usr/local ./debian/ndpi-dev 12 | mkdir -p ./usr/local/ndpi/lib ./usr/local/ndpi/bin ./ndpi-dev/usr/local/include/ndpi/ 13 | cd ${NDPI_HOME}; ./autogen.sh; ./configure; make 14 | cp $(NDPI_HOME)/lib/libndpi.a $(NDPI_HOME)/lib/libndpi.so* ./usr/local/ndpi/lib/ 15 | cp $(NDPI_HOME)/example/ndpiReader ./usr/local/ndpi/bin/ 16 | cp $(NDPI_HOME)/src/include/*.h ndpi-dev/usr/local/include/ndpi/ 17 | -rm -fr ndpi-dev/usr/local/include/nprobe/ndpi/.svn ndpi-dev/usr/local/include/ndpi/Makefile* ndpi-dev/usr/local/include/ndpi/ndpi_win32.h* ndpi-dev/usr/local/include/ndpi/include 18 | -find ./usr/local/lib -name "*.la" -exec /bin/rm {} ';' 19 | @echo 20 | @find . -name "*~" -exec /bin/rm {} ';' 21 | dpkg-buildpackage -rfakeroot -d -us -uc 22 | dpkg-sig --sign builder -k 7921DF34 ../ndpi*deb 23 | @\rm -f ../ndpi*dsc ../ndpi*.gz ../ndpi*changes 24 | @/bin/mv ../ndpi*deb . 25 | @echo 26 | @echo "Package built." 
27 | @/bin/ls ndpi*deb 28 | @echo "-------------------------------" 29 | -dpkg --contents ndpi*amd64.deb 30 | @echo "-------------------------------" 31 | @echo "-------------------------------" 32 | -dpkg --contents ndpi*all.deb 33 | @echo "-------------------------------" 34 | 35 | distclean: 36 | echo "dummy distclean" 37 | 38 | install: 39 | echo "dummy install" 40 | 41 | clean: 42 | -rm -rf *~ *deb debian/tmp ./usr 43 | -------------------------------------------------------------------------------- /tests/result/coap_mqtt.pcap.out: -------------------------------------------------------------------------------- 1 | COAP 819 82290 12 2 | MQTT 7695 668291 4 3 | 4 | 1 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61043 [proto: 27/COAP][1 pkts/86 bytes] 5 | 2 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61045 [proto: 27/COAP][1 pkts/86 bytes] 6 | 3 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61047 [proto: 27/COAP][1 pkts/90 bytes] 7 | 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20220 bytes] 8 | 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20194 bytes] 9 | 6 TCP 192.168.56.1:53523 <-> 192.168.56.101:17501 [proto: 222/MQTT][1926 pkts/167126 bytes] 10 | 7 UDP [bbbb::1]:33499 <-> [bbbb::3]:5683 [proto: 27/COAP][4 pkts/404 bytes] 11 | 8 UDP [bbbb::1]:46819 <-> [bbbb::3]:5683 [proto: 27/COAP][6 pkts/467 bytes] 12 | 9 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61044 [proto: 27/COAP][1 pkts/86 bytes] 13 | 10 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:5683 <-> [2001:620:8:35d9::10]:61046 [proto: 27/COAP][1 pkts/86 bytes] 14 | 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20120 bytes] 15 | 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 27/COAP][200 pkts/20142 bytes] 16 | 13 TCP 192.168.56.1:53522 <-> 192.168.56.101:17501 [proto: 222/MQTT][1922 
pkts/166928 bytes] 17 | 14 TCP 192.168.56.1:53528 <-> 192.168.56.101:17501 [proto: 222/MQTT][1928 pkts/167509 bytes] 18 | 15 TCP 192.168.56.1:53524 <-> 192.168.56.101:17501 [proto: 222/MQTT][1919 pkts/166728 bytes] 19 | 16 UDP [bbbb::1]:50250 <-> [bbbb::3]:5683 [proto: 27/COAP][4 pkts/309 bytes] 20 | -------------------------------------------------------------------------------- /src/lib/protocols/collectd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * collectd.c 3 | * 4 | * Copyright (C) 2014 - ntop.org 5 | * 6 | * nDPI is free software: you can redistribute it and/or modify 7 | * it under the terms of the GNU Lesser General Public License as published by 8 | * the Free Software Foundation, either version 3 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * nDPI is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU Lesser General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU Lesser General Public License 17 | * along with nDPI. If not, see . 
18 | * 19 | */ 20 | 21 | 22 | #include "ndpi_protocols.h" 23 | 24 | #ifdef NDPI_PROTOCOL_COLLECTD 25 | 26 | void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 27 | { 28 | struct ndpi_packet_struct *packet = &flow->packet; 29 | u_int len = 0; 30 | 31 | NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "search collectd.\n"); 32 | 33 | if (packet->udp == NULL) return; 34 | 35 | 36 | while(len < packet->payload_packet_len) { 37 | // u_int16_t elem_type = ntohs(*((u_int16_t*)&packet->payload[len])); 38 | u_int16_t elem_len = ntohs(*((u_int16_t*)&packet->payload[len+2])); 39 | 40 | if (elem_len == 0) break; 41 | 42 | len += elem_len; 43 | } 44 | 45 | if(len == packet->payload_packet_len) { 46 | NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "found COLLECTD.\n"); 47 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_PROTOCOL_UNKNOWN); 48 | } else { 49 | NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "exclude COLLECTD.\n"); 50 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COLLECTD); 51 | } 52 | } 53 | 54 | #endif 55 | -------------------------------------------------------------------------------- /src/lib/protocols/teredo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * teredo.c 3 | * 4 | * Copyright (C) 2015 - ntop.org 5 | * 6 | * nDPI is free software: you can redistribute it and/or modify 7 | * it under the terms of the GNU Lesser General Public License as published by 8 | * the Free Software Foundation, either version 3 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * nDPI is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU Lesser General Public License for more details. 
15 | * 16 | * You should have received a copy of the GNU Lesser General Public License 17 | * along with nDPI. If not, see . 18 | * 19 | */ 20 | 21 | 22 | #include "ndpi_protocols.h" 23 | 24 | #ifdef NDPI_PROTOCOL_TEREDO 25 | 26 | /* https://en.wikipedia.org/wiki/Teredo_tunneling */ 27 | void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 28 | { 29 | struct ndpi_packet_struct *packet = &flow->packet; 30 | 31 | if(packet->udp 32 | && ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544)) 33 | && (packet->payload_packet_len >= 40 /* IPv6 header */)) 34 | ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN); 35 | else 36 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TEREDO); 37 | } 38 | 39 | 40 | void init_teredo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 41 | { 42 | ndpi_set_bitmask_protocol_detection("TEREDO", ndpi_struct, detection_bitmask, *id, 43 | NDPI_PROTOCOL_TEREDO, 44 | ndpi_search_teredo, 45 | NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, 46 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 47 | ADD_TO_DETECTION_BITMASK); 48 | 49 | *id += 1; 50 | } 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /src/include/ndpi_includes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ndpi_includes.h 3 | * 4 | * Copyright (C) 2011-15 - ntop.org 5 | * 6 | * This file is part of nDPI, an open source deep packet inspection 7 | * library based on the OpenDPI and PACE technology by ipoque GmbH 8 | * 9 | * nDPI is free software: you can redistribute it and/or modify 10 | * it under the terms of the GNU Lesser General Public License as published by 11 | * the Free Software Foundation, either version 3 of the License, or 12 | * (at your option) any later version. 
13 | * 14 | * nDPI is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU Lesser General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU Lesser General Public License 20 | * along with nDPI. If not, see . 21 | * 22 | */ 23 | 24 | #ifndef __NDPI_INCLUDES_H__ 25 | #define __NDPI_INCLUDES_H__ 26 | 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | 35 | #ifdef WIN32 36 | #include "ndpi_win32.h" 37 | #else 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | 48 | #if !defined __APPLE__ && !defined __FreeBSD__ && !defined __NetBSD__ && !defined __OpenBSD__ 49 | #include 50 | #include 51 | 52 | #if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__ 53 | #include 54 | 55 | #if defined __NetBSD__ || defined __OpenBSD__ 56 | #include 57 | 58 | #ifdef __OpenBSD__ 59 | #include 60 | 61 | #endif 62 | #endif 63 | #endif 64 | #endif 65 | 66 | #endif /* Win32 */ 67 | 68 | #endif /* __NDPI_INCLUDES_H__ */ 69 | -------------------------------------------------------------------------------- /tests/result/http_ipv6.pcap.out: -------------------------------------------------------------------------------- 1 | SSL 106 39646 11 2 | Facebook 22 10202 2 3 | Quic 65 16479 2 4 | 5 | 1 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][2 pkts/172 bytes] 6 | 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37486 [proto: 91/SSL][19 pkts/7014 bytes][SSL client: www.ntop.org] 7 | 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37488 [proto: 91/SSL][17 pkts/6842 bytes][SSL client: www.ntop.org] 8 | 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37494 
[proto: 91/SSL][18 pkts/6928 bytes][SSL client: www.ntop.org] 9 | 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a03:b0c0:3:d0::70:1001]:37506 [proto: 91/SSL][26 pkts/15617 bytes][SSL client: www.ntop.org] 10 | 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4006:804::200e]:40526 [proto: 91/SSL][2 pkts/172 bytes] 11 | 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:41776 [proto: 91/SSL][14 pkts/2213 bytes] 12 | 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a02:26f0:ad:197::236]:53132 [proto: 91.119/SSL.Facebook][12 pkts/5187 bytes][SSL client: s-static.ak.facebook.com] 13 | 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a02:26f0:ad:197::236]:53134 [proto: 91.119/SSL.Facebook][10 pkts/5015 bytes][SSL client: s-static.ak.facebook.com] 14 | 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4006:803::2008]:58660 [proto: 91/SSL][2 pkts/172 bytes] 15 | 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1012]:59690 [proto: 91/SSL][2 pkts/172 bytes] 16 | 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][2 pkts/172 bytes] 17 | 13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/SSL][2 pkts/172 bytes] 18 | 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:443 <-> [2a00:1450:4001:803::1017]:45931 [proto: 188/Quic][62 pkts/15977 bytes] 19 | 15 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/Quic][3 pkts/502 bytes] 20 | -------------------------------------------------------------------------------- /src/lib/protocols/vmware.c: -------------------------------------------------------------------------------- 1 | /* 2 | * vmware.c 3 | * 4 | * Copyright (C) 2011-15 - ntop.org 5 | * 6 | * nDPI is free software: you can redistribute it and/or modify 7 | * it under the terms of the GNU Lesser General Public License as published by 8 | * the Free Software Foundation, either version 
3 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * nDPI is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU Lesser General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU Lesser General Public License 17 | * along with nDPI. If not, see . 18 | * 19 | */ 20 | 21 | 22 | #include "ndpi_api.h" 23 | 24 | #ifdef NDPI_PROTOCOL_VMWARE 25 | 26 | 27 | void ndpi_search_vmware(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 28 | { 29 | struct ndpi_packet_struct *packet = &flow->packet; 30 | 31 | /* Check whether this is an VMWARE flow */ 32 | if((packet->payload_packet_len == 66) 33 | && (ntohs(packet->udp->dest) == 902) 34 | && ((packet->payload[0] & 0xFF) == 0xA4)) { 35 | NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "Found vmware.\n"); 36 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE, NDPI_PROTOCOL_UNKNOWN); 37 | } else { 38 | NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "exclude vmware.\n"); 39 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VMWARE); 40 | } 41 | } 42 | 43 | 44 | void init_vmware_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 45 | { 46 | ndpi_set_bitmask_protocol_detection("VMWARE", ndpi_struct, detection_bitmask, *id, 47 | NDPI_PROTOCOL_VMWARE, 48 | ndpi_search_vmware, 49 | NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, 50 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 51 | ADD_TO_DETECTION_BITMASK); 52 | 53 | *id += 1; 54 | } 55 | 56 | #endif 57 | 58 | -------------------------------------------------------------------------------- /tests/result/KakaoTalk_talk.pcap.out: -------------------------------------------------------------------------------- 1 | Unknown 4 396 1 
HTTP 5 280 1
QQ 15 1727 1
SSL_No_Cert 74 14132 2
RTP 2991 398751 2
SSL 8 1378 3
Facebook 2 197 1
Google 4 359 4
HTTP_Proxy 16 1838 2
Tor 40 10538 1
KakaoTalk_Voice 44 6196 2

1 TCP 10.24.82.188:34533 <-> 120.28.26.242:80 [proto: 7/HTTP][5 pkts/280 bytes]
2 TCP 10.24.82.188:38380 <-> 173.194.117.229:443 [proto: 91.126/SSL.Google][1 pkts/56 bytes]
3 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][11 pkts/1488 bytes]
4 UDP 10.188.1.1:53 <-> 10.24.82.188:25223 [proto: 5.119/DNS.Facebook][2 pkts/197 bytes][Host: mqtt.facebook.com]
5 TCP 173.252.88.128:443 <-> 10.24.82.188:59912 [proto: 91/SSL][2 pkts/124 bytes]
6 TCP 173.252.88.128:443 <-> 10.24.82.188:59954 [proto: 64/SSL_No_Cert][29 pkts/4024 bytes]
7 TCP 10.24.82.188:53974 <-> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][5 pkts/350 bytes]
8 TCP 110.76.143.50:8080 <-> 10.24.82.188:32968 [proto: 64/SSL_No_Cert][45 pkts/10108 bytes]
9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][5 pkts/1198 bytes]
10 TCP 173.194.72.188:5228 <-> 10.24.82.188:34686 [proto: 126/Google][1 pkts/164 bytes]
11 TCP 110.76.143.50:9001 <-> 10.24.82.188:58857 [proto: 163/Tor][40 pkts/10538 bytes]
12 TCP 173.252.122.1:443 <-> 10.24.82.188:52123 [proto: 91/SSL][1 pkts/56 bytes]
13 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][15 pkts/1727 bytes][Host: hkminorshort.weixin.qq.com]
14 UDP 1.201.1.174:23047 <-> 10.24.82.188:10269 [proto: 194/KakaoTalk_Voice][22 pkts/3112 bytes]
15 UDP 1.201.1.174:23046 <-> 10.24.82.188:10268 [proto: 87/RTP][1488 pkts/198510 bytes]
16 UDP 1.201.1.174:23045 <-> 10.24.82.188:11321 [proto: 194/KakaoTalk_Voice][22 pkts/3084 bytes]
17 UDP 1.201.1.174:23044 <-> 10.24.82.188:11320 [proto: 87/RTP][1503 pkts/200241 bytes]
18 TCP 216.58.220.174:443 <-> 10.24.82.188:49217 [proto: 91.126/SSL.Google][1 pkts/83 bytes]
19 TCP 216.58.220.161:443 <-> 10.24.82.188:56697 [proto: 91.126/SSL.Google][1 pkts/56 bytes]


Undetected flows:
1 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 0/Unknown][4 pkts/396 bytes]

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![ntop][ntopng_logo] ![ntop][ntop_logo]
# nDPI

[![Build Status](https://travis-ci.org/ntop/nDPI.png?branch=master)](https://travis-ci.org/ntop/nDPI)

## What is nDPI ?

nDPI is an open source LGPLv3 library for deep-packet inspection. Based on OpenDPI, it includes ntop extensions. We have tried to push them into the OpenDPI source tree but nobody answered emails, so we have decided to create our own source tree.

### How To Compile nDPI

To compile this library, run:

- ./autogen.sh
- ./configure
- make

Please note that the pre-requisites for compilation include:
- GNU tools (autogen, automake, autoconf, libtool)
- GNU C compiler (gcc)

### How To Add A New Protocol Dissector

The entire procedure for adding a new protocol, in detail:

1. Add the new protocol together with its unique ID to: src/include/ndpi_protocols_osdpi.h
2. Create a new protocol file in: src/lib/protocols/
3. Variables to be kept for the duration of the entire flow (as state variables) need to be placed in: /include/ndpi_structs.h in ndpi_flow_tcp_struct (for TCP only), ndpi_flow_udp_struct (for UDP only), or ndpi_flow_struct (for both).
4. Add a new entry for the search function of the new protocol in: src/include/ndpi_protocols.h
5. Choose a selection bitmask (without changing anything) from: src/include/ndpi_define.h
6. Add a new entry in ndpi_set_protocol_detection_bitmask2 in: src/lib/ndpi_main.c
7. Set the protocol's default ports in ndpi_init_protocol_defaults in: src/lib/ndpi_main.c
8. Add the new protocol file to: src/lib/Makefile.am
9. ./autogen.sh
10. ./configure
11. make

### Creating A Source File Tar Ball

If you want to distribute a source tar file of nDPI, run:

- make dist

[ntopng_logo]: https://camo.githubusercontent.com/0f789abcef232035c05e0d2e82afa3cc3be46485/687474703a2f2f7777772e6e746f702e6f72672f77702d636f6e74656e742f75706c6f6164732f323031312f30382f6e746f706e672d69636f6e2d313530783135302e706e67

[ntop_logo]: https://camo.githubusercontent.com/58e2a1ecfff62d8ecc9d74633bd1013f26e06cba/687474703a2f2f7777772e6e746f702e6f72672f77702d636f6e74656e742f75706c6f6164732f323031352f30352f6e746f702e706e67

--------------------------------------------------------------------------------
/tests/result/ocs.pcap.out:
--------------------------------------------------------------------------------
Unknown 8 480 2
DNS 3 214 3
HTTP 13 1019 2
SSL 45 5771 3
Google 14 2349 3
OCS 863 57552 7

1 TCP 192.168.180.2:42590 <-> 178.248.208.210:80 [proto: 7.218/HTTP.OCS][83 pkts/5408 bytes][Host: www.ocs.fr]
2 TCP 192.168.180.2:48250 <-> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][6 pkts/1092 bytes][Host: ocu03.labgency.ws]
3 TCP 192.168.180.2:41223 <-> 216.58.208.46:443 [proto: 91/SSL][13 pkts/1448 bytes]
4 UDP 192.168.180.2:38472 <-> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/63 bytes][Host: ocu03.labgency.ws]
5 TCP 192.168.180.2:39263 <-> 23.21.230.199:443 [proto: 91/SSL][20 pkts/2715 bytes][SSL client: settings.crashlytics.com]
6 UDP 192.168.180.2:48770 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/72 bytes][Host: android.clients.google.com]
7 TCP 192.168.180.2:47803 <-> 64.233.166.95:443 [proto: 91/SSL][12 pkts/1608 bytes]
8 UDP 192.168.180.2:1291 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/67 bytes][Host: api.eu01.capptain.com]
9 UDP 192.168.180.2:2589 <-> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/61 bytes][Host: ocs.labgency.ws]
10 UDP 192.168.180.2:3621 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 bytes][Host: xmpp.device06.eu01.capptain.com]
11 UDP 192.168.180.2:11793 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/65 bytes][Host: play.googleapis.com]
12 TCP 192.168.180.2:36680 <-> 178.248.208.54:443 [proto: 91.218/SSL.OCS][20 pkts/6089 bytes][SSL client: ocs.labgency.ws]
13 TCP 192.168.180.2:53356 <-> 137.135.129.206:80 [proto: 7/HTTP][6 pkts/479 bytes]
14 UDP 192.168.180.2:24245 <-> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/56 bytes][Host: www.ocs.fr]
15 TCP 192.168.180.2:49881 <-> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][751 pkts/44783 bytes][Host: ocu03.labgency.ws]
16 UDP 192.168.180.2:40097 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/70 bytes][Host: settings.crashlytics.com]
17 TCP 192.168.180.2:32946 <-> 64.233.184.188:443 [proto: 91.126/SSL.Google][12 pkts/2212 bytes][SSL client: mtalk.google.com]
18 TCP 192.168.180.2:44959 <-> 137.135.129.206:80 [proto: 7/HTTP][7 pkts/540 bytes]


Undetected flows:
1 TCP 192.168.180.2:46166 <-> 137.135.131.52:5122 [proto: 0/Unknown][6 pkts/360 bytes]
2 TCP 192.168.180.2:47699 <-> 64.233.184.188:5228 [proto: 0/Unknown][2 pkts/120 bytes]

--------------------------------------------------------------------------------
/src/lib/protocols/sflow.c:
--------------------------------------------------------------------------------
/*
 * sflow.c
 *
 * Copyright (C) 2011-15 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_SFLOW

static void ndpi_check_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  // const u_int8_t *packet_payload = packet->payload;
  u_int32_t payload_len = packet->payload_packet_len;

  /* The length check precedes the byte reads so a short datagram is never indexed */
  if((packet->udp != NULL)
     && (payload_len >= 24)
     /* Version: big-endian 32-bit word equal to 2 or 5 */
     && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0)
     && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) {
    NDPI_LOG(NDPI_PROTOCOL_SFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found sflow.\n");
    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN);
    return;
  }
}

void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  NDPI_LOG(NDPI_PROTOCOL_SFLOW, ndpi_struct, NDPI_LOG_DEBUG, "sflow detection...\n");
  ndpi_check_sflow(ndpi_struct, flow);
}


void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("sFlow", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_SFLOW,
                                      ndpi_search_sflow,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif

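The sFlow heuristic in sflow.c above (a big-endian datagram version word of 2 or 5, with at least 24 bytes of UDP payload) and the dissector recipe from the README, written as a stand-alone C program. This is an added example, not code from nDPI, and the datagrams it inspects are constructed here rather than captured. sflow_match reproduces the page's check exactly; sflow_parse_v5 goes beyond it and decodes the remaining v5 header fields for IPv4 agents with its own bounds checks, because the 24-byte minimum the dissector requires is not enough to read all of them (the 28-byte IPv4 header layout is the sFlow v5 specification's, not something the page states).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two outcomes a dissector can reach: detected, or excluded for the flow. */
enum sflow_verdict { SFLOW_NO = 0, SFLOW_YES = 1 };

/* Fields of an sFlow v5 datagram header when the agent address is IPv4. */
struct sflow_v5_hdr {
    uint32_t version;
    uint32_t agent_addr_type;   /* 1 = IPv4, 2 = IPv6 */
    uint8_t  agent_ipv4[4];
    uint32_t sub_agent_id;
    uint32_t seq_num;
    uint32_t uptime_ms;
    uint32_t num_samples;
};

/* sFlow fields are XDR-encoded: big-endian 32-bit words. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Same test as ndpi_check_sflow(): at least 24 bytes of UDP payload and a
 * version word equal to 2 or 5. The length check runs first, so the version
 * bytes are never read from a datagram shorter than the minimum. */
enum sflow_verdict sflow_match(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < 24)
        return SFLOW_NO;
    uint32_t version = be32(payload);
    return (version == 2 || version == 5) ? SFLOW_YES : SFLOW_NO;
}

/* Decode the v5 header for an IPv4 agent. Returns 0 on success, -1 when the
 * datagram does not match, has an address type this decoder does not handle,
 * or is too short for the 28-byte IPv4 header. */
int sflow_parse_v5(const uint8_t *payload, size_t len, struct sflow_v5_hdr *out)
{
    if (sflow_match(payload, len) != SFLOW_YES)
        return -1;
    memset(out, 0, sizeof(*out));
    out->version = be32(payload);
    if (out->version != 5)
        return -1;
    out->agent_addr_type = be32(payload + 4);
    if (out->agent_addr_type != 1)
        return -1;          /* IPv6 agents carry a 16-byte address; not decoded here */
    if (len < 28)
        return -1;          /* the dissector's 24-byte minimum does not cover num_samples */
    memcpy(out->agent_ipv4, payload + 8, 4);
    out->sub_agent_id = be32(payload + 12);
    out->seq_num      = be32(payload + 16);
    out->uptime_ms    = be32(payload + 20);
    out->num_samples  = be32(payload + 24);
    return 0;
}

/* Sequence number of a v5/IPv4 datagram, or 0 when it cannot be decoded. */
uint32_t sflow_v5_seq_num(const uint8_t *payload, size_t len)
{
    struct sflow_v5_hdr h;
    return sflow_parse_v5(payload, len, &h) == 0 ? h.seq_num : 0;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t sflow_sample_v5[28] = {
    0x00, 0x00, 0x00, 0x05,   /* version 5 */
    0x00, 0x00, 0x00, 0x01,   /* agent address type: IPv4 */
    192,  0,    2,    10,     /* agent address 192.0.2.10 (documentation range) */
    0x00, 0x00, 0x00, 0x00,   /* sub-agent id 0 */
    0x00, 0x00, 0x00, 0x2a,   /* sequence number 42 */
    0x00, 0x00, 0x01, 0x00,   /* uptime 256 ms */
    0x00, 0x00, 0x00, 0x03    /* 3 samples follow (omitted) */
};
/* First 24 bytes of the v5 sample: passes the dissector's check, too short to decode fully. */
const uint8_t sflow_sample_v5_trunc[24] = {
    0, 0, 0, 5,  0, 0, 0, 1,  192, 0, 2, 10,  0, 0, 0, 0,  0, 0, 0, 0x2a,  0, 0, 1, 0
};
/* Version 5 in the first word but only 8 bytes: rejected by the length check. */
const uint8_t sflow_sample_short[8] = { 0, 0, 0, 5, 0, 0, 0, 1 };
/* 24 bytes with version 1: long enough, but not a version the dissector accepts. */
const uint8_t sflow_sample_v1[24] = { 0, 0, 0, 1 };

int main(void)
{
    struct sflow_v5_hdr h;
    printf("v5 sample: %s\n", sflow_match(sflow_sample_v5, sizeof sflow_sample_v5) ? "sFlow" : "not sFlow");
    printf("short sample: %s\n", sflow_match(sflow_sample_short, sizeof sflow_sample_short) ? "sFlow" : "not sFlow");
    printf("v1 sample: %s\n", sflow_match(sflow_sample_v1, sizeof sflow_sample_v1) ? "sFlow" : "not sFlow");
    if (sflow_parse_v5(sflow_sample_v5, sizeof sflow_sample_v5, &h) == 0)
        printf("agent %u.%u.%u.%u seq %u uptime %u ms samples %u\n",
               h.agent_ipv4[0], h.agent_ipv4[1], h.agent_ipv4[2], h.agent_ipv4[3],
               (unsigned)h.seq_num, (unsigned)h.uptime_ms, (unsigned)h.num_samples);
    return 0;
}
```

The truncated sample shows why a dissector's acceptance check and a decoder's bounds check are different things: the 24-byte datagram is classified as sFlow, as the dissector intends, but any code that then reads num_samples from it must re-check the length itself.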
--------------------------------------------------------------------------------
/src/lib/protocols/mpegts.c:
--------------------------------------------------------------------------------
/*
 * mpegts.c (MPEG Transport Stream)
 * https://en.wikipedia.org/wiki/MPEG_transport_stream
 *
 * Copyright (C) 2015 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_MPEGTS

void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport = 0, sport = 0;

  NDPI_LOG(NDPI_PROTOCOL_MPEGTS, ndpi_struct, NDPI_LOG_DEBUG, "search for MPEGTS.\n");

  /* An MPEG-TS datagram is a whole number of 188-byte TS packets */
  if((packet->udp != NULL) && ((packet->payload_packet_len % 188) == 0)) {
    u_int i, num_chunks = packet->payload_packet_len / 188;

    for(i=0; i<num_chunks; i++) {
      u_int offset = 188 * i;

      /* Every TS packet starts with the 0x47 sync byte */
      if(packet->payload[offset] != 0x47) goto no_mpegts;
    }

    /* This looks like MPEG TS */
    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGTS, NDPI_PROTOCOL_UNKNOWN);
    return;
  }

 no_mpegts:
  NDPI_LOG(NDPI_PROTOCOL_MPEGTS, ndpi_struct, NDPI_LOG_DEBUG, "Excluded MPEGTS.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MPEGTS);
}


void init_mpegts_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("MPEG_TS", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_MPEGTS,
                                      ndpi_search_mpegts,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif

--------------------------------------------------------------------------------
/src/lib/protocols/ubntac2.c:
--------------------------------------------------------------------------------
/*
 * ubntac2.c
 *
 * Copyright (C) 2015 Thomas Fjellstrom
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_PROTOCOL_UBNTAC2

static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN);
}


void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n",
           packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest));

  /* The >= 135 length check guarantees the 4-byte read at offset 36 stays in bounds */
  if (packet->payload_packet_len >= 135 &&
      (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) &&
      memcmp(&(packet->payload[36]), "UBNT", 4) == 0) {

    NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n");

    ndpi_int_ubntac2_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2);
}


void init_ubntac2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("UBNTAC2", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_UBNTAC2,
                                      ndpi_search_ubntac2,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif

--------------------------------------------------------------------------------
/src/lib/protocols/viber.c:
--------------------------------------------------------------------------------
/*
 * viber.c
 *
 * Copyright (C) 2013 Remy Mudingay
 * Copyright (C) 2013 - 2014 ntop.org
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This module is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License.
 * If not, see .
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_VIBER

void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "search for VIBER.\n");

  if(packet->udp != NULL) {
    NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n");

    if((packet->payload_packet_len == 12 && packet->payload[2] == 0x03 && packet->payload[3] == 0x00)
       || (packet->payload_packet_len == 20 && packet->payload[2] == 0x09 && packet->payload[3] == 0x00)
       || ((packet->payload_packet_len < 135) && (packet->payload[0] == 0x11))) {
      NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "found VIBER.\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_UNKNOWN);
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "exclude VIBER.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VIBER);
}


void init_viber_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("VIBER", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_VIBER,
                                      ndpi_search_viber,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}


#endif

--------------------------------------------------------------------------------
/src/include/ndpi_win32.h:
--------------------------------------------------------------------------------
/*
 * ndpi_win32.h
 *
 * Copyright (C) 2011-15 - ntop.org
 * Copyright (C) 2009-2011 by ipoque GmbH
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */

#ifndef __NDPI_WIN32_H__
#define __NDPI_WIN32_H__

#include 
#include 
#include 
#include 
#include /* getopt from: http://www.pwilson.net/sample.html. */
#include /* for getpid() and the exec..() family */
#include 

#ifndef _CRT_SECURE_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#endif

#define _WS2TCPIP_H_ /* Avoid compilation problems */

extern char* strsep(char **sp, const char *sep);

typedef unsigned char u_char;
typedef unsigned short u_short;
typedef unsigned int uint;
typedef unsigned long u_long;
typedef u_char u_int8_t;
typedef u_short u_int16_t;
typedef uint u_int32_t;
typedef uint u_int;
typedef unsigned __int64 u_int64_t;

#define pthread_t HANDLE
#define pthread_mutex_t HANDLE
#define pthread_rwlock_t pthread_mutex_t
#define pthread_rwlock_init pthread_mutex_init
#define pthread_rwlock_wrlock pthread_mutex_lock
#define pthread_rwlock_rdlock pthread_mutex_lock
#define pthread_rwlock_unlock pthread_mutex_unlock
#define pthread_rwlock_destroy pthread_mutex_destroy

#define gmtime_r(a, b) memcpy(b, gmtime(a), sizeof(struct tm))

extern unsigned long waitForNextEvent(unsigned long ulDelay /* ms */);

#define sleep(a /* sec */) waitForNextEvent(1000*a /* ms */)

#endif /* __NDPI_WIN32_H__ */

--------------------------------------------------------------------------------
/src/lib/protocols/corba.c:
--------------------------------------------------------------------------------
/*
 * corba.c
 *
 * Copyright (C) 2013 Remy Mudingay
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This module is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License.
 * If not, see .
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_CORBA

static void ndpi_int_corba_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CORBA, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "search for CORBA.\n");
  if(packet->tcp != NULL) {
    NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "calculating CORBA over tcp.\n");
    /* Corba General Inter-ORB Protocol -> GIOP: messages start with the "GIOP" magic */
    if ((packet->payload_packet_len >= 24 && packet->payload_packet_len <= 144) &&
        memcmp(packet->payload, "GIOP", 4) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "found corba.\n");
      ndpi_int_corba_add_connection(ndpi_struct, flow);
    }
  } else {
    NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "exclude CORBA.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CORBA);
  }
}


void init_corba_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("Corba", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_CORBA,
                                      ndpi_search_corba,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif

--------------------------------------------------------------------------------
/src/lib/protocols/dcerpc.c:
--------------------------------------------------------------------------------
/*
 * dcerpc.c
 *
 * Copyright (C) 2011-13 by ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_DCERPC

static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if((packet->tcp != NULL)
     && (packet->payload_packet_len >= 64)
     && (packet->payload[0] == 0x05) /* version 5 */
     && (packet->payload[2] < 16) /* Packet type */
     && (((packet->payload[9]<<8) | packet->payload[8]) == packet->payload_packet_len) /* Packet Length (frag_length, read little-endian) */
     ) {
    NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n");
    ndpi_int_dcerpc_add_connection(ndpi_struct, flow);
    return;
  }

  if(packet->payload_packet_len>1){
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC);
  }
}


void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("DCE_RPC", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_DCERPC,
                                      ndpi_search_dcerpc,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif

--------------------------------------------------------------------------------
/src/lib/protocols/noe.c:
--------------------------------------------------------------------------------
/*
 * noe.c (Alcatel new office environment)
 *
 * Copyright (C) 2013 Remy Mudingay
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_NOE

static void ndpi_int_noe_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOE, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "search for NOE.\n");

  if(packet->udp != NULL) {
    NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n");

    if (packet->payload_packet_len == 1 && ( packet->payload[0] == 0x05 || packet->payload[0] == 0x04 )) {
      NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n");
      ndpi_int_noe_add_connection(ndpi_struct, flow);
      return;
    } else if((packet->payload_packet_len == 5 || packet->payload_packet_len == 12) &&
              (packet->payload[0] == 0x07 ) &&
              (packet->payload[1] == 0x00 ) &&
              (packet->payload[2] != 0x00 ) &&
              (packet->payload[3] == 0x00 )) {
      NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n");
      ndpi_int_noe_add_connection(ndpi_struct, flow);
    } else if((packet->payload_packet_len >= 25) &&
              (packet->payload[0] == 0x00 &&
               packet->payload[1] == 0x06 &&
               packet->payload[2] == 0x62 &&
               packet->payload[3] == 0x6c)) {
      NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n");
      ndpi_int_noe_add_connection(ndpi_struct, flow);
    }
  } else {
    NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "exclude NOE.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NOE);
  }
}


void init_noe_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("NOE", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_NOE,
                                      ndpi_search_noe,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif

--------------------------------------------------------------------------------
/src/lib/third_party/src/sort.c:
--------------------------------------------------------------------------------
/*
 * A fast, small, non-recursive O(nlog n) sort for the Linux kernel
 *
 * Jan 23 2005 Matt Mackall
 */

#ifdef WIN32
#include 
typedef uint32_t u_int32_t;
#endif

#include 
#include 
#include 

/* This is a function ported from the Linux kernel lib/sort.c */

static void u_int32_t_swap(void *a, void *b, int size)
{
  u_int32_t t = *(u_int32_t *)a;
  *(u_int32_t *)a = *(u_int32_t *)b;
  *(u_int32_t *)b = t;
}

static void generic_swap(void *_a, void *_b, int size)
{
  char t;
  char *a = (char*)_a;
  char *b = (char*)_b;

  do {
    t = *a;
    *a++ = *b;
    *b++ = t;
  } while (--size > 0);
}

/**
 * sort - sort an array of elements
 * @base: pointer to data to sort
 * @num: number of elements
 * @size: size of each element
 * @cmp_func: pointer to comparison function
 * @swap_func: pointer to swap function or NULL
 *
 * This function does a heapsort on the given array. You may provide a
 * swap_func function optimized to your element type.
 *
 * Sorting time is O(n log n) both on average and worst-case. While
 * qsort is about 20% faster on average, it suffers from exploitable
 * O(n*n) worst-case behavior and extra memory requirements that make
 * it less suitable for kernel use.
 */

void sort(void *_base, size_t num, size_t size,
          int (*cmp_func)(const void *, const void *),
          void (*swap_func)(void *, void *, int size))
{
  /* pre-scale counters for performance: i, n, c and r are byte offsets, not indices */
  int i = (num/2 - 1) * size, n = num * size, c, r;
  char *base = (char*)_base;

  if (!swap_func)
    swap_func = (size == 4 ? u_int32_t_swap : generic_swap);

  /* heapify */
  for ( ; i >= 0; i -= size) {
    for (r = i; r * 2 + size < n; r = c) {
      c = r * 2 + size;
      if (c < n - size &&
          cmp_func(base + c, base + c + size) < 0)
        c += size;
      if (cmp_func(base + r, base + c) >= 0)
        break;
      swap_func(base + r, base + c, size);
    }
  }

  /* sort */
  for (i = n - size; i > 0; i -= size) {
    swap_func(base, base + i, size);
    for (r = 0; r * 2 + size < i; r = c) {
      c = r * 2 + size;
      if (c < i - size &&
          cmp_func(base + c, base + c + size) < 0)
        c += size;
      if (cmp_func(base + r, base + c) >= 0)
        break;
      swap_func(base + r, base + c, size);
    }
  }
}

--------------------------------------------------------------------------------
/src/lib/protocols/hep.c:
--------------------------------------------------------------------------------
/*
 * hep.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 * Copyright (C) 2011-15 - QXIP BV
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
23 | * 24 | */ 25 | 26 | 27 | #include "ndpi_protocols.h" 28 | #ifdef NDPI_PROTOCOL_HEP 29 | 30 | static void ndpi_int_hep_add_connection(struct ndpi_detection_module_struct 31 | *ndpi_struct, struct ndpi_flow_struct *flow) 32 | { 33 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HEP, NDPI_PROTOCOL_UNKNOWN); 34 | } 35 | 36 | void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 37 | { 38 | struct ndpi_packet_struct *packet = &flow->packet; 39 | const u_int8_t *packet_payload = packet->payload; 40 | u_int32_t payload_len = packet->payload_packet_len; 41 | 42 | NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "searching for HEP.\n"); 43 | if (payload_len > 10) { 44 | if (memcmp(packet_payload, "HEP3", 4) == 0) { 45 | NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n"); 46 | ndpi_int_hep_add_connection(ndpi_struct, flow); 47 | return; 48 | } 49 | } 50 | 51 | NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n"); 52 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HEP); 53 | } 54 | 55 | 56 | void init_hep_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 57 | { 58 | ndpi_set_bitmask_protocol_detection("HEP", ndpi_struct, detection_bitmask, *id, 59 | NDPI_PROTOCOL_HEP, 60 | ndpi_search_hep, 61 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD, 62 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 63 | ADD_TO_DETECTION_BITMASK); 64 | 65 | *id += 1; 66 | } 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /src/lib/third_party/include/node.h: -------------------------------------------------------------------------------- 1 | /* 2 | * node.h: automata node header file 3 | * This file is part of multifast. 
 *
    Copyright 2010-2012 Kamiar Kanani

    multifast is free software: you can redistribute it and/or modify
    it under the terms of the GNU Lesser General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    multifast is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public License
    along with multifast. If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef _NODE_H_
#define _NODE_H_

#include "actypes.h"

/* Forward Declaration */
struct edge;

/* automata node */
typedef struct ac_node
{
  int id;                               /* Node ID : for debugging purpose */
  short int final;                      /* 0: no ; 1: yes, it is a final node */
  struct ac_node * failure_node;        /* The failure node of this node */
  unsigned short depth;                 /* depth: distance between this node and the root */

  /* Matched patterns */
  AC_PATTERN_t * matched_patterns;      /* Array of matched patterns */
  unsigned short matched_patterns_num;  /* Number of matched patterns at this node */
  unsigned short matched_patterns_max;  /* Max capacity of allocated memory for matched_patterns */

  /* Outgoing Edges */
  struct edge * outgoing;               /* Array of outgoing edges */
  unsigned short outgoing_degree;       /* Number of outgoing edges */
  unsigned short outgoing_max;          /* Max capacity of allocated memory for outgoing */
} AC_NODE_t;

/* The Edge of the Node */
struct edge
{
  AC_ALPHABET_t alpha;                  /* Edge alpha */
  struct ac_node * next;                /* Target of the edge */
};


AC_NODE_t * node_create (void);
AC_NODE_t * node_create_next (AC_NODE_t * thiz,
                              AC_ALPHABET_t alpha);
void node_register_matchstr (AC_NODE_t * thiz, AC_PATTERN_t * str);
void node_register_outgoing (AC_NODE_t * thiz, AC_NODE_t * next, AC_ALPHABET_t alpha);
AC_NODE_t * node_find_next (AC_NODE_t * thiz, AC_ALPHABET_t alpha);
AC_NODE_t * node_findbs_next (AC_NODE_t * thiz, AC_ALPHABET_t alpha);
void node_release (AC_NODE_t * thiz);
void node_assign_id (AC_NODE_t * thiz);
void node_sort_edges (AC_NODE_t * thiz);

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/kakaotalk_voice.c:
--------------------------------------------------------------------------------
/*
 * kakaotalk_voice.c
 *
 * Copyright (C) 2015 - ntop.org
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This module is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License.
 * If not, see <http://www.gnu.org/licenses/>.
 *
 */


/*
  KakaoTalk (call only)

  http://www.kakao.com/services/talk/voices
*/
#include "ndpi_api.h"


#ifdef NDPI_SERVICE_KAKAOTALK_VOICE
void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  if(packet->iph
     && packet->udp
     && (packet->payload_packet_len >= 4)
     ) {
    if((packet->payload[0] == 0x81)
       || (packet->payload[1] == 0xC8)
       || (packet->payload[2] == 0x00)
       || (packet->payload[3] == 0x0C)) {
      /* Looks good so far */

      /*
        inetnum: 1.201.0.0 - 1.201.255.255
        netname: KINXINC-KR
      */

      if(((ntohl(packet->iph->saddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */)
         || ((ntohl(packet->iph->daddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */)) {
        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_KAKAOTALK_VOICE, NDPI_PROTOCOL_UNKNOWN);
        return;
      }
    }
  }

  NDPI_LOG(NDPI_SERVICE_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_KAKAOTALK_VOICE);
}


void init_kakaotalk_voice_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("KakaoTalk_Voice", ndpi_struct, detection_bitmask, *id,
                                      NDPI_SERVICE_KAKAOTALK_VOICE,
                                      ndpi_search_kakaotalk_voice,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/megaco.c:
--------------------------------------------------------------------------------
/*
 * megaco.c
 *
 * Copyright (C) 2014 by Gianluca Costa http://www.capanalysis.net
 * Copyright (C) 2012-15 - ntop.org
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This module is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License.
 * If not, see <http://www.gnu.org/licenses/>.
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_MEGACO

void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "search for MEGACO.\n");

  if(packet->udp != NULL) {
    /* Text-encoded MEGACO/H.248 message start: "!/1 [" (short form) or "MEGACO/1 [" */
    if((packet->payload_packet_len > 4 && packet->payload[0] == '!'
        && packet->payload[1] == '/' &&
        packet->payload[2] == '1' && packet->payload[3] == ' ' && packet->payload[4] == '[')
       || (packet->payload_packet_len > 9 && packet->payload[0] == 'M' && packet->payload[1] == 'E' &&
           packet->payload[2] == 'G' && packet->payload[3] == 'A' && packet->payload[4] == 'C' &&
           packet->payload[5] == 'O' && packet->payload[6] == '/' &&
           packet->payload[7] == '1' && packet->payload[8] == ' ' && packet->payload[9] == '[')) {
      NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "found MEGACO.\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEGACO, NDPI_PROTOCOL_UNKNOWN);
      return;
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "exclude MEGACO.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MEGACO);
}


void init_megaco_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("Megaco", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_MEGACO,
                                      ndpi_search_megaco,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}
#endif
--------------------------------------------------------------------------------
/src/lib/protocols/smb.c:
--------------------------------------------------------------------------------
/*
 * smb.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_SMB

static void ndpi_int_smb_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                        struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  if(packet && packet->tcp) {
    NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "search SMB.\n");

    /*
      Direct-hosted SMB on TCP/445: a 4-byte NetBIOS session header whose
      24-bit length field covers the rest of the segment, followed by the
      SMB1 magic 0xFF 'S' 'M' 'B'. This does not match SMB2/3 (0xFE 'S' 'M' 'B').
    */
    if (packet->tcp->dest == htons(445)
        && packet->payload_packet_len > (32 + 4 + 4)
        && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0))
        && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) {
      NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "found SMB.\n");
      ndpi_int_smb_add_connection(ndpi_struct, flow);
      return;

    }
  }

  NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "exclude SMB.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMB);
}


void init_smb_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("SMB", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_SMB,
                                      ndpi_search_smb_tcp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/stealthnet.c:
--------------------------------------------------------------------------------
/*
 * stealthnet.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_PROTOCOL_STEALTHNET


static void ndpi_int_stealthnet_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                               struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEALTHNET, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_stealthnet(struct ndpi_detection_module_struct *ndpi_struct,
                            struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;


  // struct ndpi_id_struct *src = flow->src;
  // struct ndpi_id_struct *dst = flow->dst;


  if (packet->payload_packet_len > 40
      && memcmp(packet->payload, "LARS REGENSBURGER'S FILE SHARING PROTOCOL", 41) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "found stealthnet\n");
    ndpi_int_stealthnet_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "exclude stealthnet.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEALTHNET);

}


void init_stealthnet_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{

  ndpi_set_bitmask_protocol_detection("Stealthnet", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_STEALTHNET,
                                      ndpi_search_stealthnet,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/tests/result/EAQ.pcap.out:
--------------------------------------------------------------------------------
Google	23	11743	2
EAQ	174	10092	29

	1	TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 7.126/HTTP.Google][14 pkts/10589 bytes][Host: www.google.com.br]
	2	UDP 10.8.0.1:34687 <-> 200.194.141.68:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	3	UDP 10.8.0.1:36577 <-> 200.194.149.68:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	4	TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 7.126/HTTP.Google][9 pkts/1154 bytes][Host: www.google.com]
	5	UDP 10.8.0.1:37985 <-> 200.194.129.67:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	6	UDP 10.8.0.1:39221 <-> 200.194.137.67:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	7	UDP 10.8.0.1:39185 <-> 200.194.132.67:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	8	UDP 10.8.0.1:43641 <-> 200.194.148.68:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	9	UDP 10.8.0.1:43979 <-> 200.194.132.66:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	10	UDP 10.8.0.1:48563 <-> 200.194.141.67:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	11	UDP 10.8.0.1:48890 <-> 200.185.125.226:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	12	UDP 10.8.0.1:50175 <-> 200.194.149.67:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	13	UDP 10.8.0.1:51569 <-> 200.194.148.67:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	14	UDP 10.8.0.1:53059 <-> 200.194.133.68:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	15	UDP 10.8.0.1:59959 <-> 200.194.137.68:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	16	UDP 10.8.0.1:60013 <-> 200.194.136.67:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	17	UDP 10.8.0.1:33356 <-> 200.194.149.66:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	18	UDP 10.8.0.1:36552 <-> 200.194.136.66:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	19	UDP 10.8.0.1:40058 <-> 200.194.134.67:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	20	UDP 10.8.0.1:41438 <-> 200.194.141.66:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	21	UDP 10.8.0.1:42620 <-> 200.194.148.66:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	22	UDP 10.8.0.1:43934 <-> 200.194.136.68:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	23	UDP 10.8.0.1:47346 <-> 200.194.134.66:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	24	UDP 10.8.0.1:47714 <-> 200.194.129.68:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	25	UDP 10.8.0.1:48666 <-> 200.194.129.66:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	26	UDP 10.8.0.1:52257 <-> 200.185.138.146:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	27	UDP 10.8.0.1:52726 <-> 200.194.132.68:6000 [proto: 190/EAQ][10 pkts/580 bytes]
	28	UDP 10.8.0.1:53354 <-> 200.194.137.66:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	29	UDP 10.8.0.1:56128 <-> 200.194.133.66:6000 [proto: 190/EAQ][5 pkts/290 bytes]
	30	UDP 10.8.0.1:57004 <-> 200.194.133.67:6000 [proto: 190/EAQ][4 pkts/232 bytes]
	31	UDP 10.8.0.1:59098 <-> 200.194.134.68:6000 [proto: 190/EAQ][4 pkts/232 bytes]
--------------------------------------------------------------------------------
/src/lib/protocols/pcanywhere.c:
--------------------------------------------------------------------------------
/*
 * pcanywhere.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_PCANYWHERE

static void ndpi_int_pcanywhere_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                               struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PCANYWHERE, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_pcanywhere(struct ndpi_detection_module_struct *ndpi_struct,
                            struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  /* pcAnywhere status/name query on UDP/5632: the whole payload is "NQ" or "ST" */
  if (packet->udp != NULL && packet->udp->dest == htons(5632)
      && packet->payload_packet_len == 2
      && (memcmp(packet->payload, "NQ", 2) == 0 || memcmp(packet->payload, "ST", 2) == 0)) {
    NDPI_LOG(NDPI_PROTOCOL_PCANYWHERE, ndpi_struct, NDPI_LOG_DEBUG,
             "PC Anywhere name or status query detected.\n");
    ndpi_int_pcanywhere_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PCANYWHERE);
}


void init_pcanywhere_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("PcAnywhere", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_PCANYWHERE,
                                      ndpi_search_pcanywhere,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/bgp.c:
--------------------------------------------------------------------------------
/*
 * bgp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_BGP


static void ndpi_int_bgp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BGP, NDPI_PROTOCOL_UNKNOWN);
}

/* this detection also works asymmetrically */
void ndpi_search_bgp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t bgp_port = htons(179);

  /*
    BGP message header (RFC 4271): 16 marker bytes of 0xff, a 16-bit length
    and a type byte at offset 18. The payload length is tested before
    payload[18] is read; with the type test placed first, a TCP segment to
    port 179 shorter than 19 bytes would be read past the end of its payload.
  */
  if(packet->tcp
     && ((packet->tcp->dest == bgp_port) || (packet->tcp->source == bgp_port))
     && (packet->payload_packet_len > 18)
     && (packet->payload[18] < 5)
     && (get_u_int64_t(packet->payload, 0) == 0xffffffffffffffffULL)
     && (get_u_int64_t(packet->payload, 8) == 0xffffffffffffffffULL)
     && (ntohs(get_u_int16_t(packet->payload, 16)) <= packet->payload_packet_len)
     ) {
    NDPI_LOG(NDPI_PROTOCOL_BGP, ndpi_struct, NDPI_LOG_DEBUG, "BGP detected.\n");
    ndpi_int_bgp_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BGP);
}


void init_bgp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("BGP", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_BGP,
                                      ndpi_search_bgp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}


#endif
--------------------------------------------------------------------------------
/src/lib/protocols/mssql.c:
--------------------------------------------------------------------------------
/*
 * mssql.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_PROTOCOL_MSSQL

static void ndpi_int_mssql_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                          struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MSSQL, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_mssql(struct ndpi_detection_module_struct *ndpi_struct,
                       struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "search mssql.\n");

  /*
    TDS packet header: type 0x12 (PRELOGIN), status 0x01, big-endian length
    equal to the payload length, then SPID 0, PacketID 1, Window 0; the
    instance name "sqlexpress" follows at offset 41. The first two bytes are
    read as a 16-bit field: passing a 32-bit read through ntohs() truncates
    to the low 16 bits, which are the first two bytes only on a little-endian host.
  */
  if (packet->payload_packet_len > 51 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x1201
      && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len
      && ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000100 && memcmp(&packet->payload[41], "sqlexpress", 10) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "found mssql.\n");
    ndpi_int_mssql_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_MSSQL, ndpi_struct, NDPI_LOG_DEBUG, "exclude mssql.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSSQL);
}


void init_mssql_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("MsSQL", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_MSSQL,
                                      ndpi_search_mssql,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/twitter.c:
--------------------------------------------------------------------------------
/*
 * twitter.c
 *
 * Copyright (C) 2014 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_SERVICE_TWITTER

static void ndpi_int_twitter_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                            struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_SERVICE_TWITTER, NDPI_PROTOCOL_UNKNOWN);
}


void ndpi_search_twitter(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{

  /*
    Twitter AS34702

    http://bgp.he.net/AS13414
  */
  if(flow->packet.iph) {
    // IPv4
    u_int32_t src = ntohl(flow->packet.iph->saddr);
    u_int32_t dst = ntohl(flow->packet.iph->daddr);

    if(ndpi_ips_match(src, dst, 0xC0854C00, 22) /* 192.133.76.0/22 */
       || ndpi_ips_match(src, dst, 0xC7109C00, 22) /* 199.16.156.0/22 */
       || ndpi_ips_match(src, dst, 0xC73B9400, 22) /* 199.59.148.0/22 */
       || ndpi_ips_match(src, dst, 0xC7603A00, 23) /* 199.96.58.0/23 */
       || ndpi_ips_match(src, dst, 0xC7603E00, 23) /* 199.96.62.0/23 */
       ) {
      ndpi_int_twitter_add_connection(ndpi_struct, flow);
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_SERVICE_TWITTER);
}


void init_twitter_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("TWITTER", ndpi_struct, detection_bitmask, *id,
                                      NDPI_SERVICE_TWITTER,
                                      ndpi_search_twitter,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_TCP,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/dhcpv6.c:
--------------------------------------------------------------------------------
/*
 * dhcpv6.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */



/* include files */

#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_DHCPV6

static void ndpi_int_dhcpv6_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                           struct ndpi_flow_struct *flow)
{

  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCPV6, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_dhcpv6_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  /* DHCPv6 ports 546 (client) / 547 (server); msg-type 1..13 (SOLICIT .. RELAY-REPL) */
  if (packet->payload_packet_len >= 4 &&
      (packet->udp->source == htons(546) || packet->udp->source == htons(547)) &&
      (packet->udp->dest == htons(546) || packet->udp->dest == htons(547)) &&
      packet->payload[0] >= 1 && packet->payload[0] <= 13) {

    NDPI_LOG(NDPI_PROTOCOL_DHCPV6, ndpi_struct, NDPI_LOG_DEBUG, "DHCPv6 detected.\n");
    ndpi_int_dhcpv6_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_DHCPV6, ndpi_struct, NDPI_LOG_DEBUG, "DHCPv6 excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DHCPV6);
}


void init_dhcpv6_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("DHCPV6", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_DHCPV6,
                                      ndpi_search_dhcpv6_udp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/openft.c:
--------------------------------------------------------------------------------
/*
 * openft.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_OPENFT

static void ndpi_int_openft_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                           struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENFT, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_openft_tcp(struct ndpi_detection_module_struct *ndpi_struct,
                            struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  if (packet->payload_packet_len > 5 && memcmp(packet->payload, "GET /", 5) == 0) {
    NDPI_LOG(NDPI_PROTOCOL_OPENFT, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n");
    ndpi_parse_packet_line_info(ndpi_struct, flow);
    if (packet->parsed_lines >= 2
        && packet->line[1].len > 13 && memcmp(packet->line[1].ptr, "X-OpenftAlias:", 14) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_OPENFT, ndpi_struct, NDPI_LOG_DEBUG, "OpenFT detected.\n");
ndpi_int_openft_add_connection(ndpi_struct, flow); 50 | return; 51 | } 52 | } 53 | 54 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OPENFT); 55 | } 56 | 57 | 58 | void init_openft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 59 | { 60 | ndpi_set_bitmask_protocol_detection("OpenFT", ndpi_struct, detection_bitmask, *id, 61 | NDPI_PROTOCOL_OPENFT, 62 | ndpi_search_openft_tcp, 63 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 64 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 65 | ADD_TO_DETECTION_BITMASK); 66 | 67 | *id += 1; 68 | } 69 | 70 | #endif 71 | -------------------------------------------------------------------------------- /tests/result/quickplay.pcap.out: -------------------------------------------------------------------------------- 1 | HTTP 2 1469 1 2 | QQ 12 4781 5 3 | Facebook 6 1740 3 4 | Google 2 378 1 5 | QuickPlay 133 96179 11 6 | 7 | 1 TCP 120.28.26.231:80 <-> 10.54.169.250:33277 [proto: 7.126/HTTP.Google][2 pkts/378 bytes][Host: clients3.google.com] 8 | 2 TCP 120.28.35.41:80 <-> 10.54.169.250:50669 [proto: 7.196/HTTP.QuickPlay][4 pkts/3680 bytes][Host: api-singtelhawk.quickplay.com] 9 | 3 TCP 120.28.35.40:80 <-> 10.54.169.250:52007 [proto: 7.196/HTTP.QuickPlay][4 pkts/2735 bytes][Host: vod-singtelhawk.quickplay.com] 10 | 4 TCP 120.28.35.40:80 <-> 10.54.169.250:52009 [proto: 7.196/HTTP.QuickPlay][65 pkts/45902 bytes][Host: vod-singtelhawk.quickplay.com] 11 | 5 TCP 120.28.35.40:80 <-> 10.54.169.250:52017 [proto: 7.196/HTTP.QuickPlay][8 pkts/6032 bytes][Host: vod-singtelhawk.quickplay.com] 12 | 6 TCP 120.28.35.40:80 <-> 10.54.169.250:52019 [proto: 7.196/HTTP.QuickPlay][25 pkts/19606 bytes][Host: vod-singtelhawk.quickplay.com] 13 | 7 TCP 120.28.35.40:80 <-> 10.54.169.250:52021 [proto: 7.196/HTTP.QuickPlay][4 pkts/2754 bytes][Host: vod-singtelhawk.quickplay.com] 14 | 8 TCP 203.205.147.215:80 <-> 10.54.169.250:35670 [proto: 
7.48/HTTP.QQ][2 pkts/943 bytes][Host: hkminorshort.weixin.qq.com] 15 | 9 TCP 203.205.129.101:80 <-> 10.54.169.250:42762 [proto: 7.48/HTTP.QQ][2 pkts/877 bytes][Host: hkextshort.weixin.qq.com] 16 | 10 TCP 173.252.74.22:80 <-> 10.54.169.250:52285 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com] 17 | 11 TCP 31.13.68.49:80 <-> 10.54.169.250:44793 [proto: 7.119/HTTP.Facebook][2 pkts/576 bytes][Host: www.facebook.com] 18 | 12 TCP 120.28.5.18:80 <-> 10.54.169.250:33064 [proto: 7.196/HTTP.QuickPlay][2 pkts/467 bytes][Host: api-singtelhawk.quickplay.com] 19 | 13 TCP 54.179.140.65:80 <-> 10.54.169.250:56381 [proto: 7/HTTP][2 pkts/1469 bytes][Host: api.account.xiaomi.com] 20 | 14 TCP 120.28.5.41:80 <-> 10.54.169.250:44256 [proto: 7.196/HTTP.QuickPlay][3 pkts/2311 bytes][Host: play-singtelhawk.quickplay.com] 21 | 15 TCP 120.28.35.41:80 <-> 10.54.169.250:50668 [proto: 7.196/HTTP.QuickPlay][4 pkts/3360 bytes][Host: api-singtelhawk.quickplay.com] 22 | 16 TCP 120.28.35.40:80 <-> 10.54.169.250:52018 [proto: 7.196/HTTP.QuickPlay][7 pkts/5048 bytes][Host: vod-singtelhawk.quickplay.com] 23 | 17 TCP 120.28.35.40:80 <-> 10.54.169.250:52022 [proto: 7.196/HTTP.QuickPlay][7 pkts/4284 bytes][Host: vod-singtelhawk.quickplay.com] 24 | 18 TCP 203.205.129.101:80 <-> 10.54.169.250:42761 [proto: 7.48/HTTP.QQ][2 pkts/641 bytes][Host: hkextshort.weixin.qq.com] 25 | 19 TCP 173.252.74.22:80 <-> 10.54.169.250:52288 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com] 26 | 20 TCP 203.205.151.160:80 <-> 10.54.169.250:54883 [proto: 7.48/HTTP.QQ][3 pkts/1337 bytes][Host: hkextshort.weixin.qq.com] 27 | 21 TCP 203.205.151.160:80 <-> 10.54.169.250:54885 [proto: 7.48/HTTP.QQ][3 pkts/983 bytes][Host: hkextshort.weixin.qq.com] 28 | -------------------------------------------------------------------------------- /src/lib/protocols/rsync.c: -------------------------------------------------------------------------------- 1 | /* 2 | * rsync.c 3 | * 4 | * Copyright (C) 2013 
Remy Mudingay 5 | * 6 | * This module is free software: you can redistribute it and/or modify 7 | * it under the terms of the GNU Lesser General Public License as published by 8 | * the Free Software Foundation, either version 3 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This module is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU Lesser General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU Lesser General Public License. 17 | * If not, see . 18 | * 19 | */ 20 | 21 | 22 | #include "ndpi_api.h" 23 | 24 | 25 | #ifdef NDPI_PROTOCOL_RSYNC 26 | static void ndpi_int_rsync_add_connection(struct ndpi_detection_module_struct 27 | *ndpi_struct, struct ndpi_flow_struct *flow) 28 | { 29 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RSYNC, NDPI_PROTOCOL_UNKNOWN); 30 | } 31 | 32 | void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 33 | { 34 | struct ndpi_packet_struct *packet = &flow->packet; 35 | 36 | NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "search for RSYNC.\n"); 37 | 38 | if(packet->tcp != NULL) { 39 | NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "calculating RSYNC over tcp.\n"); 40 | /* 41 | * Should match: memcmp(packet->payload, "@RSYN NCD: 28", 14) == 0) 42 | */ 43 | if (packet->payload_packet_len == 12 && packet->payload[0] == 0x40 && 44 | packet->payload[1] == 0x52 && packet->payload[2] == 0x53 && 45 | packet->payload[3] == 0x59 && packet->payload[4] == 0x4e && 46 | packet->payload[5] == 0x43 && packet->payload[6] == 0x44 && 47 | packet->payload[7] == 0x3a ) { 48 | NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "found rsync.\n"); 49 | ndpi_int_rsync_add_connection(ndpi_struct, flow); 50 | } 51 | } else { 52 | 
NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "exclude RSYNC.\n"); 53 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RSYNC); 54 | } 55 | } 56 | 57 | 58 | void init_rsync_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 59 | { 60 | ndpi_set_bitmask_protocol_detection("RSYNC", ndpi_struct, detection_bitmask, *id, 61 | NDPI_PROTOCOL_RSYNC, 62 | ndpi_search_rsync, 63 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 64 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 65 | ADD_TO_DETECTION_BITMASK); 66 | 67 | *id += 1; 68 | } 69 | 70 | #endif 71 | -------------------------------------------------------------------------------- /src/lib/protocols/radius.c: -------------------------------------------------------------------------------- 1 | /* 2 | * radius.c 3 | * 4 | * Copyright (C) 2012-15 - ntop.org 5 | * 6 | * nDPI is free software: you can redistribute it and/or modify 7 | * it under the terms of the GNU Lesser General Public License as published by 8 | * the Free Software Foundation, either version 3 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * nDPI is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU Lesser General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU Lesser General Public License 17 | * along with nDPI. If not, see . 
18 | * 19 | */ 20 | 21 | 22 | #include "ndpi_api.h" 23 | 24 | #ifdef NDPI_PROTOCOL_RADIUS 25 | 26 | struct radius_header { 27 | u_int8_t code; 28 | u_int8_t packet_id; 29 | u_int16_t len; 30 | }; 31 | 32 | static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 33 | { 34 | struct ndpi_packet_struct *packet = &flow->packet; 35 | // const u_int8_t *packet_payload = packet->payload; 36 | u_int32_t payload_len = packet->payload_packet_len; 37 | 38 | if(packet->udp != NULL) { 39 | struct radius_header *h = (struct radius_header*)packet->payload; 40 | 41 | if((payload_len > sizeof(struct radius_header)) 42 | && (h->code > 0) 43 | && (h->code <= 5) 44 | && (ntohs(h->len) == payload_len)) { 45 | NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "Found radius.\n"); 46 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN); 47 | 48 | return; 49 | } 50 | 51 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RADIUS); 52 | return; 53 | } 54 | } 55 | 56 | void ndpi_search_radius(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 57 | { 58 | struct ndpi_packet_struct *packet = &flow->packet; 59 | 60 | NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "radius detection...\n"); 61 | 62 | /* skip marked packets */ 63 | if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_RADIUS) 64 | ndpi_check_radius(ndpi_struct, flow); 65 | } 66 | 67 | 68 | void init_radius_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 69 | { 70 | ndpi_set_bitmask_protocol_detection("Radius", ndpi_struct, detection_bitmask, *id, 71 | NDPI_PROTOCOL_RADIUS, 72 | ndpi_search_radius, 73 | NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, 74 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 75 | ADD_TO_DETECTION_BITMASK); 76 | 77 | *id += 1; 78 | } 79 | 80 | #endif 81 | 
-------------------------------------------------------------------------------- /src/lib/protocols/http_activesync.c: -------------------------------------------------------------------------------- 1 | /* 2 | * http_activesync.c 3 | * 4 | * Copyright (C) 2009-2011 by ipoque GmbH 5 | * Copyright (C) 2011-15 - ntop.org 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | 26 | 27 | #include "ndpi_protocols.h" 28 | #ifdef NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC 29 | static void ndpi_int_activesync_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 30 | { 31 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, NDPI_PROTOCOL_HTTP); 32 | } 33 | 34 | void ndpi_search_activesync(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 35 | { 36 | struct ndpi_packet_struct *packet = &flow->packet; 37 | 38 | if (packet->tcp != NULL) { 39 | 40 | if (packet->payload_packet_len > 150 41 | && ((memcmp(packet->payload, "OPTIONS /Microsoft-Server-ActiveSync?", 37) == 0) 42 | || (memcmp(packet->payload, "POST /Microsoft-Server-ActiveSync?", 34) == 0))) { 43 | ndpi_int_activesync_add_connection(ndpi_struct, flow); 44 | NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, ndpi_struct, NDPI_LOG_DEBUG, 45 | " flow marked as ActiveSync \n"); 46 | return; 47 | } 48 | } 49 | 50 | NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, ndpi_struct, NDPI_LOG_DEBUG, "exclude activesync\n"); 51 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC); 52 | 53 | } 54 | 55 | 56 | void init_http_activesync_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 57 | { 58 | ndpi_set_bitmask_protocol_detection("HTTP_Application_ActiveSync", ndpi_struct, detection_bitmask, *id, 59 | NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, 60 | ndpi_search_activesync, 61 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 62 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 63 | ADD_TO_DETECTION_BITMASK); 64 | 65 | *id += 1; 66 | } 67 | 68 | #endif 69 | -------------------------------------------------------------------------------- /src/lib/protocols/ayiya.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * ayiya.c 3 | * 4 | * Copyright (C) 2011-15 - ntop.org 5 | * 6 | * This file is part of nDPI, an open source deep packet inspection 7 | * library based on the OpenDPI and PACE technology by ipoque GmbH 8 | * 9 | * nDPI is free software: you can redistribute it and/or modify 10 | * it under the terms of the GNU Lesser General Public License as published by 11 | * the Free Software Foundation, either version 3 of the License, or 12 | * (at your option) any later version. 13 | * 14 | * nDPI is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU Lesser General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU Lesser General Public License 20 | * along with nDPI. If not, see . 21 | * 22 | */ 23 | 24 | /* 25 | http://en.wikipedia.org/wiki/Anything_In_Anything 26 | http://tools.ietf.org/html/rfc4891 27 | */ 28 | 29 | 30 | #include "ndpi_protocols.h" 31 | #ifdef NDPI_PROTOCOL_AYIYA 32 | 33 | struct ayiya { 34 | u_int8_t flags[3]; 35 | u_int8_t next_header; 36 | u_int32_t epoch; 37 | u_int8_t identity[16]; 38 | u_int8_t signature[20]; 39 | }; 40 | 41 | void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 42 | { 43 | struct ndpi_packet_struct *packet = &flow->packet; 44 | 45 | if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) { 46 | /* Ayiya is udp based, port 5072 */ 47 | if ((packet->udp->source == htons(5072) || packet->udp->dest == htons(5072)) 48 | /* check for ayiya new packet */ 49 | && (packet->payload_packet_len > 44) 50 | ) { 51 | /* FINISH */ 52 | struct ayiya *a = (struct ayiya*)packet->payload; 53 | u_int32_t epoch = ntohl(a->epoch), now; 54 | u_int32_t fireyears = 86400 * 365 * 5; 55 | 56 | now = 
flow->packet.tick_timestamp; 57 | 58 | if((epoch >= (now - fireyears)) && (epoch <= (now+86400 /* 1 day */))) 59 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AYIYA, NDPI_PROTOCOL_UNKNOWN); 60 | 61 | return; 62 | } 63 | 64 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AYIYA); 65 | } 66 | } 67 | 68 | 69 | void init_ayiya_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 70 | { 71 | ndpi_set_bitmask_protocol_detection("Ayiya", ndpi_struct, detection_bitmask, *id, 72 | NDPI_PROTOCOL_AYIYA, 73 | ndpi_search_ayiya, 74 | NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, 75 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 76 | ADD_TO_DETECTION_BITMASK); 77 | 78 | *id += 1; 79 | } 80 | 81 | #endif 82 | -------------------------------------------------------------------------------- /src/lib/protocols/whoisdas.c: -------------------------------------------------------------------------------- 1 | /* 2 | * whoisdas.c 3 | * 4 | * Copyright (C) 2013 - ntop.org 5 | * 6 | * nDPI is free software: you can redistribute it and/or modify 7 | * it under the terms of the GNU Lesser General Public License as published by 8 | * the Free Software Foundation, either version 3 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * nDPI is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU Lesser General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU Lesser General Public License 17 | * along with nDPI. If not, see . 
18 | * 19 | */ 20 | 21 | 22 | #include "ndpi_protocols.h" 23 | #ifdef NDPI_PROTOCOL_WHOIS_DAS 24 | 25 | void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 26 | { 27 | struct ndpi_packet_struct *packet = &flow->packet; 28 | u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); 29 | 30 | if ((packet->tcp != NULL) 31 | && ( 32 | ((sport == 43) || (dport == 43)) 33 | || 34 | ((sport == 4343) || (dport == 4343)) 35 | ) 36 | ) { 37 | if(packet->payload_packet_len > 0) { 38 | u_int max_len = sizeof(flow->host_server_name)-1; 39 | u_int i, j; 40 | 41 | for(i=strlen((const char *)flow->host_server_name), j=0; (ipayload_packet_len); i++, j++) { 42 | if((packet->payload[j] == '\n') || (packet->payload[j] == '\r')) break; 43 | 44 | flow->host_server_name[i] = packet->payload[j]; 45 | } 46 | 47 | flow->host_server_name[i] = '\0'; 48 | flow->server_id = ((sport == 43) || (sport == 4343)) ? flow->src : flow->dst; 49 | 50 | NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_DEBUG, "[WHOIS/DAS] %s\n", flow->host_server_name); 51 | } 52 | 53 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN); 54 | } else { 55 | NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_TRACE, "WHOIS Excluded.\n"); 56 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WHOIS_DAS); 57 | } 58 | } 59 | 60 | 61 | void init_whois_das_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 62 | { 63 | ndpi_set_bitmask_protocol_detection("Whois-DAS", ndpi_struct, detection_bitmask, *id, 64 | NDPI_PROTOCOL_WHOIS_DAS, 65 | ndpi_search_whois_das, 66 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 67 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 68 | ADD_TO_DETECTION_BITMASK); 69 | 70 | *id += 1; 71 | } 72 | 73 | #endif 74 | 
-------------------------------------------------------------------------------- /src/lib/protocols/applejuice.c: -------------------------------------------------------------------------------- 1 | /* 2 | * applejuice.c 3 | * 4 | * Copyright (C) 2009-2011 by ipoque GmbH 5 | * Copyright (C) 2011-15 - ntop.org 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | 26 | #include "ndpi_protocols.h" 27 | #ifdef NDPI_PROTOCOL_APPLEJUICE 28 | 29 | 30 | static void ndpi_int_applejuice_add_connection(struct ndpi_detection_module_struct *ndpi_struct, 31 | struct ndpi_flow_struct *flow) 32 | { 33 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLEJUICE, NDPI_PROTOCOL_UNKNOWN); 34 | } 35 | 36 | void ndpi_search_applejuice_tcp(struct ndpi_detection_module_struct *ndpi_struct, 37 | struct ndpi_flow_struct *flow) 38 | { 39 | struct ndpi_packet_struct *packet = &flow->packet; 40 | // struct ndpi_id_struct *src=ndpi_struct->src; 41 | // struct ndpi_id_struct *dst=ndpi_struct->dst; 42 | 43 | NDPI_LOG(NDPI_PROTOCOL_APPLEJUICE, ndpi_struct, NDPI_LOG_DEBUG, "search applejuice.\n"); 44 | 45 | if ((packet->payload_packet_len > 7) && (packet->payload[6] == 0x0d) 46 | && (packet->payload[7] == 0x0a) 47 | && (memcmp(packet->payload, "ajprot", 6) == 0)) { 48 | NDPI_LOG(NDPI_PROTOCOL_APPLEJUICE, ndpi_struct, NDPI_LOG_DEBUG, "detected applejuice.\n"); 49 | ndpi_int_applejuice_add_connection(ndpi_struct, flow); 50 | return; 51 | } 52 | 53 | NDPI_LOG(NDPI_PROTOCOL_APPLEJUICE, ndpi_struct, NDPI_LOG_DEBUG, "exclude applejuice.\n"); 54 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_APPLEJUICE); 55 | } 56 | 57 | 58 | void init_applejuice_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 59 | { 60 | ndpi_set_bitmask_protocol_detection("AppleJuice", ndpi_struct, detection_bitmask, *id, 61 | NDPI_PROTOCOL_APPLEJUICE, 62 | ndpi_search_applejuice_tcp, 63 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 64 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 65 | ADD_TO_DETECTION_BITMASK); 66 | 67 | *id += 1; 68 | } 69 | 70 | #endif 71 | -------------------------------------------------------------------------------- /src/lib/protocols/dhcp.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * dhcp.c 3 | * 4 | * Copyright (C) 2009-2011 by ipoque GmbH 5 | * Copyright (C) 2011-15 - ntop.org 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | 26 | #include "ndpi_protocols.h" 27 | 28 | #ifdef NDPI_PROTOCOL_DHCP 29 | 30 | static void ndpi_int_dhcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 31 | { 32 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCP, NDPI_PROTOCOL_UNKNOWN); 33 | } 34 | 35 | 36 | void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 37 | { 38 | struct ndpi_packet_struct *packet = &flow->packet; 39 | 40 | // struct ndpi_id_struct *src=ndpi_struct->src; 41 | // struct ndpi_id_struct *dst=ndpi_struct->dst; 42 | 43 | /* this detection also works for asymmetric dhcp traffic */ 44 | 45 | /*check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67 */ 46 | if (packet->payload_packet_len >= 244 && (packet->udp->source == htons(67) 47 | || packet->udp->source == htons(68)) 48 | && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68)) 49 | && get_u_int32_t(packet->payload, 236) == htonl(0x63825363) 50 | && get_u_int16_t(packet->payload, 240) == htons(0x3501)) { 51 | 52 | NDPI_LOG(NDPI_PROTOCOL_DHCP, ndpi_struct, NDPI_LOG_DEBUG, "DHCP request\n"); 53 | 54 | ndpi_int_dhcp_add_connection(ndpi_struct, flow); 55 | return; 56 | } 57 | 58 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DHCP); 59 | } 60 | 61 | 62 | void init_dhcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 63 | { 64 | ndpi_set_bitmask_protocol_detection("DHCP", ndpi_struct, detection_bitmask, *id, 65 | NDPI_PROTOCOL_DHCP, 66 | ndpi_search_dhcp_udp, 67 | NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, 68 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 69 | ADD_TO_DETECTION_BITMASK); 70 | *id += 1; 71 | } 72 | 73 | #endif 74 | -------------------------------------------------------------------------------- /src/lib/protocols/rdp.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * rdp.c 3 | * 4 | * Copyright (C) 2009-2011 by ipoque GmbH 5 | * Copyright (C) 2011-15 - ntop.org 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | 26 | #include "ndpi_protocols.h" 27 | #ifdef NDPI_PROTOCOL_RDP 28 | 29 | static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct 30 | *ndpi_struct, struct ndpi_flow_struct *flow) 31 | { 32 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN); 33 | } 34 | 35 | void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 36 | { 37 | struct ndpi_packet_struct *packet = &flow->packet; 38 | 39 | // struct ndpi_id_struct *src=ndpi_struct->src; 40 | // struct ndpi_id_struct *dst=ndpi_struct->dst; 41 | 42 | if (packet->payload_packet_len > 10 43 | && get_u_int8_t(packet->payload, 0) > 0 44 | && get_u_int8_t(packet->payload, 0) < 4 && get_u_int16_t(packet->payload, 2) == ntohs(packet->payload_packet_len) 45 | && get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5 46 | && get_u_int8_t(packet->payload, 5) == 0xe0 47 | && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) { 48 | NDPI_LOG(NDPI_PROTOCOL_RDP, ndpi_struct, NDPI_LOG_DEBUG, "RDP detected.\n"); 49 | ndpi_int_rdp_add_connection(ndpi_struct, flow); 50 | return; 51 | } 52 | 53 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RDP); 54 | } 55 | 56 | 57 | void init_rdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 58 | { 59 | ndpi_set_bitmask_protocol_detection("RDP", ndpi_struct, detection_bitmask, *id, 60 | NDPI_PROTOCOL_RDP, 61 | ndpi_search_rdp, 62 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 63 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 64 | ADD_TO_DETECTION_BITMASK); 65 | 66 | *id += 1; 67 | } 68 | 69 | #endif 70 | -------------------------------------------------------------------------------- /src/lib/protocols/pptp.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * pptp.c 3 | * 4 | * Copyright (C) 2009-2011 by ipoque GmbH 5 | * Copyright (C) 2011-15 - ntop.org 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | 26 | 27 | /* include files */ 28 | 29 | #include "ndpi_protocols.h" 30 | #ifdef NDPI_PROTOCOL_PPTP 31 | 32 | static void ndpi_int_pptp_add_connection(struct ndpi_detection_module_struct 33 | *ndpi_struct, struct ndpi_flow_struct *flow) 34 | { 35 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPTP, NDPI_PROTOCOL_UNKNOWN); 36 | } 37 | 38 | void ndpi_search_pptp(struct ndpi_detection_module_struct 39 | *ndpi_struct, struct ndpi_flow_struct *flow) 40 | { 41 | struct ndpi_packet_struct *packet = &flow->packet; 42 | 43 | 44 | // struct ndpi_id_struct *src=ndpi_struct->src; 45 | // struct ndpi_id_struct *dst=ndpi_struct->dst; 46 | 47 | if (packet->payload_packet_len >= 10 && get_u_int16_t(packet->payload, 0) == htons(packet->payload_packet_len) 48 | && get_u_int16_t(packet->payload, 2) == htons(0x0001) /* message type: control message */ 49 | &&get_u_int32_t(packet->payload, 4) == htonl(0x1a2b3c4d) /* cookie: correct */ 50 | &&(get_u_int16_t(packet->payload, 8) == htons(0x0001) /* control type: start-control-connection-request */ 51 | )) { 52 | 53 | NDPI_LOG(NDPI_PROTOCOL_PPTP, ndpi_struct, NDPI_LOG_DEBUG, "found pptp.\n"); 54 | ndpi_int_pptp_add_connection(ndpi_struct, flow); 55 | return; 56 | } 57 | 58 | NDPI_LOG(NDPI_PROTOCOL_PPTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude pptp.\n"); 59 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPTP); 60 | } 61 | 62 | 63 | void init_pptp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 64 | { 65 | ndpi_set_bitmask_protocol_detection("PPTP", ndpi_struct, detection_bitmask, *id, 66 | NDPI_PROTOCOL_PPTP, 67 | ndpi_search_pptp, 68 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 69 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 70 | ADD_TO_DETECTION_BITMASK); 71 | 72 | *id += 1; 73 | } 74 | 75 | #endif 76 | 
-------------------------------------------------------------------------------- /src/lib/third_party/include/ahocorasick.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ahocorasick.h: the main ahocorasick header file. 3 | * This file is part of multifast. 4 | * 5 | Copyright 2010-2012 Kamiar Kanani 6 | 7 | multifast is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU Lesser General Public License as published by 9 | the Free Software Foundation, either version 3 of the License, or 10 | (at your option) any later version. 11 | 12 | multifast is distributed in the hope that it will be useful, 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | GNU Lesser General Public License for more details. 16 | 17 | You should have received a copy of the GNU Lesser General Public License 18 | along with multifast. If not, see . 19 | */ 20 | 21 | #ifndef _AUTOMATA_H_ 22 | #define _AUTOMATA_H_ 23 | 24 | #include "node.h" 25 | 26 | typedef struct 27 | { 28 | /* The root of the Aho-Corasick trie */ 29 | AC_NODE_t * root; 30 | 31 | /* maintain all nodes pointers. it will be used to access or release 32 | * all nodes. */ 33 | AC_NODE_t ** all_nodes; 34 | 35 | unsigned int all_nodes_num; /* Number of all nodes in the automata */ 36 | unsigned int all_nodes_max; /* Current max allocated memory for *all_nodes */ 37 | 38 | AC_MATCH_t match; /* Any match is reported with this */ 39 | MATCH_CALBACK_f match_callback; /* Match call-back function */ 40 | 41 | /* this flag indicates that if automata is finalized by 42 | * ac_automata_finalize() or not. 1 means finalized and 0 43 | * means not finalized (is open). after finalizing automata you can not 44 | * add pattern to automata anymore. 
   */
  unsigned short automata_open;

  /* A large input can be fed to the automata chunk by chunk and searched
   * with ac_automata_search(). By default the automata treats all chunks
   * as one related input unless ac_automata_reset() is called. The
   * following variables keep track of the search state. */
  AC_NODE_t * current_node; /* Pointer to current node while searching */
  unsigned long base_position; /* Represents the position of current chunk
                                  related to whole input text */

  /* Statistic Variables */
  unsigned long total_patterns; /* Total patterns in the automata */

} AC_AUTOMATA_t;


AC_AUTOMATA_t * ac_automata_init     (MATCH_CALBACK_f mc);
AC_ERROR_t      ac_automata_add      (AC_AUTOMATA_t * thiz, AC_PATTERN_t * str);
void            ac_automata_finalize (AC_AUTOMATA_t * thiz);
int             ac_automata_search   (AC_AUTOMATA_t * thiz, AC_TEXT_t * str, void * param);
void            ac_automata_reset    (AC_AUTOMATA_t * thiz);
void            ac_automata_release  (AC_AUTOMATA_t * thiz);
void            ac_automata_display  (AC_AUTOMATA_t * thiz, char repcast);

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/ciscovpn.c:
--------------------------------------------------------------------------------
/*
 * ciscovpn.c
 * Copyright (C) 2013 by Remy Mudingay
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_CISCOVPN

static void ndpi_int_ciscovpn_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CISCOVPN, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t udport = 0, usport = 0;
  u_int16_t tdport = 0, tsport = 0;


  NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "search CISCOVPN.\n");

  if(packet->tcp != NULL) {
    tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest);
    NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "calculated CISCOVPN over tcp ports.\n");
  }
  if(packet->udp != NULL) {
    usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest);
    NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "calculated CISCOVPN over udp ports.\n");
  }

  /* The selection mask only guarantees a non-empty payload, so the
     four-byte signature reads below are guarded by a length check. */
  if((tdport == 10000 && tsport == 10000) ||
     ((tsport == 443 || tdport == 443) &&
      (packet->payload_packet_len >= 4) &&
      (packet->payload[0] == 0x17 &&
       packet->payload[1] == 0x01 &&
       packet->payload[2] == 0x00 &&
       packet->payload[3] == 0x00)
      )
     )
    {
      /* This is a good query 17010000 */
      NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "found CISCOVPN.\n");
      ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
    }
  else if(
          (
           (usport == 10000 && udport == 10000)
           &&
           (packet->payload_packet_len >= 4)
           &&
           (packet->payload[0] == 0xfe &&
            packet->payload[1] == 0x57 &&
            packet->payload[2] == 0x7e &&
            packet->payload[3] == 0x2b)
           )
          )
    {
      /* This is a good query fe577e2b */
      NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "found CISCOVPN.\n");
      ndpi_int_ciscovpn_add_connection(ndpi_struct, flow);
    } else {
    NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "exclude CISCOVPN.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CISCOVPN);
  }

}


void init_ciscovpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("CiscoVPN", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_CISCOVPN,
                                      ndpi_search_ciscovpn,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/tcp_udp.c:
--------------------------------------------------------------------------------
/*
 * tcp_or_udp.c
 *
 * Copyright (C) 2011-15 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_api.h"

/* ndpi_main.c */
extern u_int8_t ndpi_is_tor_flow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);

u_int ndpi_search_tcp_or_udp_raw(struct ndpi_detection_module_struct *ndpi_struct,
                                 u_int8_t protocol,
                                 u_int32_t saddr, u_int32_t daddr, /* host endianness */
                                 u_int16_t sport, u_int16_t dport) /* host endianness */
{
  u_int16_t rc;
  struct in_addr host;

  if(protocol == IPPROTO_UDP) {
    if((sport == dport) && (sport == 17500)) {
      return(NDPI_PROTOCOL_DROPBOX);
    }
  }

  host.s_addr = htonl(saddr);
  if((rc = ndpi_network_ptree_match(ndpi_struct, &host)) != NDPI_PROTOCOL_UNKNOWN)
    return (rc);

  host.s_addr = htonl(daddr);
  return (ndpi_network_ptree_match(ndpi_struct, &host));
}

void ndpi_search_tcp_or_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  u_int16_t sport, dport;
  u_int proto;
  struct ndpi_packet_struct *packet = &flow->packet;

  if(flow->host_server_name[0] != '\0')
    return;

  if(ndpi_is_tor_flow(ndpi_struct, flow)) {
    ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN);
    return;
  }

  if(packet->udp) sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);
  else if(packet->tcp) sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
  else sport = dport = 0;

  if(packet->iph /* IPv4 Only: we need to support packet->iphv6 at some point */) {
    proto = ndpi_search_tcp_or_udp_raw(ndpi_struct,
                                       flow->packet.iph ?
                                       flow->packet.iph->protocol :
#ifdef NDPI_DETECTION_SUPPORT_IPV6
                                       flow->packet.iphv6->ip6_ctlun.ip6_un1.ip6_un1_nxt,
#else
                                       0,
#endif
                                       ntohl(packet->iph->saddr),
                                       ntohl(packet->iph->daddr),
                                       sport, dport);

    if(proto != NDPI_PROTOCOL_UNKNOWN)
      ndpi_set_detected_protocol(ndpi_struct, flow, proto, NDPI_PROTOCOL_UNKNOWN);
  }
}
--------------------------------------------------------------------------------
/src/lib/protocols/vhua.c:
--------------------------------------------------------------------------------
/*
 * vhua.c
 *
 * Copyright (C) 2011-15 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_api.h"

/*
  http://www.vhua.com

  Skype-like Chinese phone protocol

*/

#ifdef NDPI_PROTOCOL_VHUA

static void ndpi_int_vhua_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VHUA, NDPI_PROTOCOL_UNKNOWN);
  NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "VHUA Found.\n");
}


static void ndpi_check_vhua(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int32_t payload_len = packet->payload_packet_len;
  u_char p0[] = { 0x05, 0x14, 0x3a, 0x05, 0x08, 0xf8, 0xa1, 0xb1, 0x03 };

  if(payload_len == 0) return; /* Shouldn't happen */

  /* Break after 3 packets. */
  if((flow->packet_counter > 3)
     || (packet->udp == NULL)
     || (packet->payload_packet_len < sizeof(p0))) {
    NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "Exclude VHUA.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VHUA);
  } else if(memcmp(packet->payload, p0, sizeof(p0)) == 0) {
    ndpi_int_vhua_add_connection(ndpi_struct, flow);
  }
}

void ndpi_search_vhua(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "VHUA detection...\n");

  /* skip marked packets */
  if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_VHUA) {
    ndpi_check_vhua(ndpi_struct, flow);
  }
}


void init_vhua_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("VHUA", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_VHUA,
                                      ndpi_search_vhua,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/openvpn.c:
--------------------------------------------------------------------------------
/*
 * openvpn.c
 *
 * Copyright (C) 2013 Remy Mudingay
 *
 */

#include "ndpi_api.h"


#ifdef NDPI_PROTOCOL_OPENVPN

void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct,
                         struct ndpi_flow_struct* flow) {
  struct ndpi_packet_struct* packet = &flow->packet;
  u_int16_t dport = 0, sport = 0;

  if (packet->udp != NULL) {

    sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);

    if ((packet->payload_packet_len >= 25) && (sport == 443 || dport == 443) &&
        (packet->payload[0] == 0x17 && packet->payload[1] == 0x01 &&
         packet->payload[2] == 0x00 && packet->payload[3] == 0x00)) {
      NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG,
               "found openvpn udp 443.\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);
      return;
    }

    if ( ( (packet->payload_packet_len > 40) ||
           (packet->payload_packet_len <= 14) ) && // hard-reset
         (sport == 1194 || dport == 1194) &&
         (packet->payload[0] == 0x30 || packet->payload[0] == 0x31 ||
          packet->payload[0] == 0x32 || packet->payload[0] == 0x33 ||
          packet->payload[0] == 0x34 || packet->payload[0] == 0x35 ||
          packet->payload[0] == 0x36 || packet->payload[0] == 0x37 ||
          packet->payload[0] == 0x38 || packet->payload[0] == 0x39)) {
      NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG,
               "found openvpn broadcast udp STD.\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN,
                                 NDPI_PROTOCOL_UNKNOWN);
      return;
    }

  }

  if (packet->tcp != NULL) {

    sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);

    if ((packet->payload_packet_len >= 40) &&
        (sport == 1194 || dport == 1194) &&
        ((packet->payload[0] == 0x00) && (packet->payload[1] == 0x2a) &&
         (packet->payload[2] == 0x38))) {
      NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG,
               "found openvpn tcp 1194.\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN);
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OPENVPN);
}


void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("OpenVPN", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_OPENVPN,
                                      ndpi_search_openvpn,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/ssh.c:
--------------------------------------------------------------------------------
/*
 * ssh.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_SSH

static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct
                                        *ndpi_struct, struct ndpi_flow_struct *flow){
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  if (flow->l4.tcp.ssh_stage == 0) {
    if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100
        && memcmp(packet->payload, "SSH-", 4) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "ssh stage 0 passed\n");
      flow->l4.tcp.ssh_stage = 1 + packet->packet_direction;
      return;
    }
  } else if (flow->l4.tcp.ssh_stage == (2 - packet->packet_direction)) {
    if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100
        && memcmp(packet->payload, "SSH-", 4) == 0) {
      NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "found ssh\n");
      ndpi_int_ssh_add_connection(ndpi_struct, flow);
      return;

    }
  }

  NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage);
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH);
}


void init_ssh_dissector(struct ndpi_detection_module_struct
                        *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("SSH", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_SSH,
                                      ndpi_search_ssh_tcp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}
#endif
--------------------------------------------------------------------------------
/src/lib/protocols/vnc.c:
--------------------------------------------------------------------------------
/*
 * vnc.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_PROTOCOL_VNC

static void ndpi_int_vnc_add_connection(struct ndpi_detection_module_struct
                                        *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN);
}

/*
  Two-stage detection: the RFB version banner must be seen from one
  side of the flow and then answered from the other side before VNC
  is declared; anything else excludes the protocol.
*/

void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;


  if (flow->l4.tcp.vnc_stage == 0) {
    if (packet->payload_packet_len == 12
        && memcmp(packet->payload, "RFB 003.00", 10) == 0 && packet->payload[11] == 0x0a) {
      NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "reached vnc stage one\n");
      flow->l4.tcp.vnc_stage = 1 + packet->packet_direction;
      return;
    }
  } else if (flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) {
    if (packet->payload_packet_len == 12
        && memcmp(packet->payload, "RFB 003.00", 10) == 0 && packet->payload[11] == 0x0a) {
      NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "found vnc\n");
      ndpi_int_vnc_add_connection(ndpi_struct, flow);
      return;
    }
  }
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VNC);

}


void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("VNC", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_VNC,
                                      ndpi_search_vnc_tcp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/telegram.c:
--------------------------------------------------------------------------------
/*
 * telegram.c
 *
 * Copyright (C) 2014 by Gianluca Costa xplico.org
 * Copyright (C) 2012-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_PROTOCOL_TELEGRAM

static void ndpi_int_telegram_add_connection(struct ndpi_detection_module_struct
                                             *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN);
  NDPI_LOG(NDPI_PROTOCOL_TELEGRAM, ndpi_struct, NDPI_LOG_TRACE, "TELEGRAM Found.\n");
}


void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport /* , sport */;

  NDPI_LOG(NDPI_PROTOCOL_TELEGRAM, ndpi_struct, NDPI_LOG_TRACE, "TELEGRAM detection...\n");

  if (packet->payload_packet_len == 0)
    return;
  if (packet->tcp != NULL) {
    if (packet->payload_packet_len > 56) {
      dport = ntohs(packet->tcp->dest);
      /* sport = ntohs(packet->tcp->source); */

      if (packet->payload[0] == 0xef && (
                                         dport == 443 || dport == 80 || dport == 25
                                         )) {
        if (packet->payload[1] == 0x7f) {
          ndpi_int_telegram_add_connection(ndpi_struct, flow);
        }
        else if (packet->payload[1]*4 <= packet->payload_packet_len - 1) {
          ndpi_int_telegram_add_connection(ndpi_struct, flow);
        }
        return;
      }
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELEGRAM);
}


void init_telegram_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("Telegram", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_TELEGRAM,
                                      ndpi_search_telegram,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
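An added example, not nDPI code: the two-direction stage logic that ssh.c (l4.tcp.ssh_stage) and vnc.c (l4.tcp.vnc_stage) share, isolated into a small flow-state machine in C. Stage 1 + direction records which side sent the first banner, and 2 - direction is the stage value only the other side can complete, so a single banner, a second banner from the same side, or any non-banner segment excludes the flow rather than detecting it. The struct banner_flow, the function names, the verdict enum and the banner strings are constructed for this example; the "SSH-" prefix and the 8..99 byte length window come from ssh.c.

```c
/* Added example, not nDPI code: bidirectional banner confirmation as a
 * stand-alone flow-state machine, mirroring the stage logic of ssh.c and
 * vnc.c. Directions 0 and 1 are the two sides of the TCP flow, as in
 * packet->packet_direction. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum verdict { VERDICT_PENDING = 0, VERDICT_DETECTED = 1, VERDICT_EXCLUDED = 2 };

struct banner_flow {
  uint8_t stage;        /* 0: nothing seen yet; 1 + dir: banner seen from dir */
  enum verdict verdict; /* sticky once decided */
};

/* Same predicate as ssh.c: "SSH-" prefix and a length between 8 and 99 bytes. */
static int looks_like_ssh_banner(const uint8_t *payload, size_t len) {
  return payload != NULL && len > 7 && len < 100 && memcmp(payload, "SSH-", 4) == 0;
}

/* Feed one TCP segment with payload. Detection is declared only after a
 * banner has been seen from both sides; everything else excludes the flow. */
enum verdict banner_flow_feed(struct banner_flow *f, int direction,
                              const uint8_t *payload, size_t len) {
  if (f->verdict != VERDICT_PENDING)
    return f->verdict;
  if ((direction != 0 && direction != 1) || !looks_like_ssh_banner(payload, len)) {
    f->verdict = VERDICT_EXCLUDED;
    return f->verdict;
  }
  if (f->stage == 0) {
    f->stage = (uint8_t)(1 + direction);      /* remember who spoke first */
    return VERDICT_PENDING;
  }
  if (f->stage == (uint8_t)(2 - direction)) { /* the other side answered */
    f->verdict = VERDICT_DETECTED;
    return f->verdict;
  }
  f->verdict = VERDICT_EXCLUDED;              /* same side again: no handshake */
  return f->verdict;
}

/* Constructed exchanges (not captured traffic). */
static const char client_banner[] = "SSH-2.0-example_client\r\n";
static const char server_banner[] = "SSH-2.0-example_server\r\n";
static const char http_request[]  = "GET / HTTP/1.1\r\n";

static enum verdict feed_str(struct banner_flow *f, int dir, const char *s) {
  return banner_flow_feed(f, dir, (const uint8_t *)s, strlen(s));
}

/* Client banner, then server banner: detected. */
enum verdict demo_two_way(void) {
  struct banner_flow f = { 0, VERDICT_PENDING };
  feed_str(&f, 0, client_banner);
  return feed_str(&f, 1, server_banner);
}

/* Server speaks first; the order of sides does not matter. */
enum verdict demo_server_first(void) {
  struct banner_flow f = { 0, VERDICT_PENDING };
  feed_str(&f, 1, server_banner);
  return feed_str(&f, 0, client_banner);
}

/* Two banners from the same side: excluded, not detected. */
enum verdict demo_one_sided(void) {
  struct banner_flow f = { 0, VERDICT_PENDING };
  feed_str(&f, 0, client_banner);
  return feed_str(&f, 0, client_banner);
}

/* A non-banner first segment excludes the flow immediately. */
enum verdict demo_not_ssh(void) {
  struct banner_flow f = { 0, VERDICT_PENDING };
  return feed_str(&f, 0, http_request);
}

int main(void) {
  printf("two-way:      %d\n", demo_two_way());
  printf("server first: %d\n", demo_server_first());
  printf("one-sided:    %d\n", demo_one_sided());
  printf("not ssh:      %d\n", demo_not_ssh());
  return 0;
}
```

Requiring the answer from the opposite direction is what keeps a lone "SSH-" string in an unrelated stream from being labelled SSH; the cost is that a strictly one-directional capture never reaches the detected state.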
--------------------------------------------------------------------------------
/src/lib/protocols/world_of_kung_fu.c:
--------------------------------------------------------------------------------
/*
 * world_of_kung_fu.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */



/* include files */
#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_WORLD_OF_KUNG_FU

static void ndpi_int_world_of_kung_fu_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLD_OF_KUNG_FU, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_world_of_kung_fu(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "search world_of_kung_fu.\n");

  if ((packet->payload_packet_len == 16)
      && ntohl(get_u_int32_t(packet->payload, 0)) == 0x0c000000 && ntohl(get_u_int32_t(packet->payload, 4)) == 0xd2000c00
      && (packet->payload[9] == 0x16)
      && ntohs(get_u_int16_t(packet->payload, 10)) == 0x0000 && ntohs(get_u_int16_t(packet->payload, 14)) == 0x0000) {
    NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "detected world_of_kung_fu.\n");
    ndpi_int_world_of_kung_fu_add_connection(ndpi_struct, flow);
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "exclude world_of_kung_fu.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLD_OF_KUNG_FU);
}


void init_world_of_kung_fu_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("WorldOfKungFu", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_WORLD_OF_KUNG_FU,
                                      ndpi_search_world_of_kung_fu,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/ssdp.c:
--------------------------------------------------------------------------------
/*
 * ssdp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_SSDP


static void ndpi_int_ssdp_add_connection(struct ndpi_detection_module_struct
                                         *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSDP, NDPI_PROTOCOL_UNKNOWN);
}

/* this detection also works asymmetrically */
void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "search ssdp.\n");
  if (packet->udp != NULL) {

    if (packet->payload_packet_len > 100) {
      if ((memcmp(packet->payload, "M-SEARCH * HTTP/1.1", 19) == 0)
          || memcmp(packet->payload, "NOTIFY * HTTP/1.1", 17) == 0) {


        NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n");
        ndpi_int_ssdp_add_connection(ndpi_struct, flow);
        return;
      }

#define SSDP_HTTP "HTTP/1.1 200 OK\r\n"
      if(memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0) {
        NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n");
        ndpi_int_ssdp_add_connection(ndpi_struct, flow);
        return;
      }
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "ssdp excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSDP);
}


void init_ssdp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("SSDP", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_SSDP,
                                      ndpi_search_ssdp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/eaq.c:
--------------------------------------------------------------------------------
/*
 * eaq.c
 *
 * Copyright (C) 2015 - ntop.org
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This module is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License.
 * If not, see .
 *
 */


/*
  EAQ: Entidade Aferidora da Qualidade de Banda Larga

  http://www.brasilbandalarga.com.br
*/
#include "ndpi_api.h"

#define EAQ_DEFAULT_PORT 6000
#define EAQ_DEFAULT_SIZE 16

#ifdef NDPI_PROTOCOL_EAQ
static void ndpi_int_eaq_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                        struct ndpi_flow_struct *flow) {
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_UNKNOWN);
}


void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t sport, dport;
  u_int32_t seq;

  /* The selection mask is UDP-only, but check before dereferencing packet->udp */
  if(packet->udp == NULL)
    goto exclude_eaq;

  sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest);

  if((packet->payload_packet_len != EAQ_DEFAULT_SIZE)
     || ((sport != EAQ_DEFAULT_PORT) && (dport != EAQ_DEFAULT_PORT)))
    goto exclude_eaq;

  /* Sequence number derived from the first four payload bytes, weighted 1000/100/10/1 */
  seq = (packet->payload[0] * 1000) + (packet->payload[1] * 100) + (packet->payload[2] * 10) + packet->payload[3];

  if(flow->l4.udp.eaq_pkt_id == 0)
    flow->l4.udp.eaq_sequence = seq;
  else if((flow->l4.udp.eaq_sequence != seq) && ((flow->l4.udp.eaq_sequence+1) != seq))
    goto exclude_eaq; /* the sequence must stay put or advance by one */

  if(++flow->l4.udp.eaq_pkt_id == 4) {
    /* We have collected enough packets so we assume it's EAQ */
    NDPI_LOG(NDPI_PROTOCOL_EAQ, ndpi_struct, NDPI_LOG_DEBUG, "found eaq.\n");
    ndpi_int_eaq_add_connection(ndpi_struct, flow);
  }
  return;

 exclude_eaq:
  NDPI_LOG(NDPI_PROTOCOL_EAQ, ndpi_struct, NDPI_LOG_DEBUG, "Exclude eaq.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_EAQ);
}


void init_eaq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("EAQ", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_EAQ,
                                      ndpi_search_eaq,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/kontiki.c:
--------------------------------------------------------------------------------
/*
 * kontiki.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI. If not, see .
 *
 */


#include "ndpi_protocols.h"

#ifdef NDPI_PROTOCOL_KONTIKI

static void ndpi_int_kontiki_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                            struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KONTIKI, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_kontiki(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;


  /* 4-byte datagram carrying the fixed marker 02 01 01 00 */
  if (packet->payload_packet_len == 4 && (get_u_int32_t(packet->payload, 0) == htonl(0x02010100))) {
    NDPI_LOG(NDPI_PROTOCOL_KONTIKI, ndpi_struct, NDPI_LOG_DEBUG, "Kontiki UDP detected.\n");
    ndpi_int_kontiki_add_connection(ndpi_struct, flow);
    return;
  }
  /* Longer datagrams starting with 0x02: match a fixed trailer at a length-specific offset */
  if (packet->payload_packet_len > 0 && packet->payload[0] == 0x02) {

    if (packet->payload_packet_len == 20 && (get_u_int32_t(packet->payload, 16) == htonl(0x02040100))) {
      NDPI_LOG(NDPI_PROTOCOL_KONTIKI, ndpi_struct, NDPI_LOG_DEBUG, "Kontiki UDP detected.\n");
      ndpi_int_kontiki_add_connection(ndpi_struct, flow);
      return;
    }
    if (packet->payload_packet_len == 16 && (get_u_int32_t(packet->payload, 12) == htonl(0x000004e4))) {
      NDPI_LOG(NDPI_PROTOCOL_KONTIKI, ndpi_struct, NDPI_LOG_DEBUG, "Kontiki UDP detected.\n");
      ndpi_int_kontiki_add_connection(ndpi_struct, flow);
      return;
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_KONTIKI);
}


void init_kontiki_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("Kontiki", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_KONTIKI,
                                      ndpi_search_kontiki,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/halflife2_and_mods.c:
--------------------------------------------------------------------------------
/*
 * halflife2_and_mods.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_HALFLIFE2


static void ndpi_int_halflife2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HALFLIFE2, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  if (flow->l4.udp.halflife2_stage == 0) {
    /* Client request: payload starts with FF FF FF FF and ends with "000\0" */
    if (packet->payload_packet_len >= 20
        && get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF
        && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0x30303000)) {
      /* Remember the request direction so that only a reply from the other side matches */
      flow->l4.udp.halflife2_stage = 1 + packet->packet_direction;
      NDPI_LOG(NDPI_PROTOCOL_HALFLIFE2, ndpi_struct, NDPI_LOG_DEBUG,
               "halflife2 client req detected, waiting for server reply\n");
      return;
    }
  } else if (flow->l4.udp.halflife2_stage == 2 - packet->packet_direction) {
    /* Same framing seen in the opposite direction: the server reply */
    if (packet->payload_packet_len >= 20
        && get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF
        && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0x30303000)) {
      ndpi_int_halflife2_add_connection(ndpi_struct, flow);
      NDPI_LOG(NDPI_PROTOCOL_HALFLIFE2, ndpi_struct, NDPI_LOG_DEBUG, "halflife2 server reply detected\n");
      return;
    }
  }


  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HALFLIFE2);
}


void init_halflife2_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("HalfLife2", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_HALFLIFE2,
                                      ndpi_search_halflife2,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/tftp.c:
--------------------------------------------------------------------------------
/*
 * tftp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_TFTP

static void ndpi_int_tftp_add_connection(struct ndpi_detection_module_struct
                                         *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TFTP, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_tftp(struct ndpi_detection_module_struct
                      *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "search TFTP.\n");

  /* DATA (opcode 3) for block 1 */
  if (packet->payload_packet_len > 3 && flow->l4.udp.tftp_stage == 0
      && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001) {
    NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe tftp. need next packet.\n");
    flow->l4.udp.tftp_stage = 1;
    return;
  }
  /* ACK (opcode 4) for block 1, following the DATA seen above */
  if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1)
      && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) {

    NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "found tftp.\n");
    ndpi_int_tftp_add_connection(ndpi_struct, flow);
    return;
  }
  /* Probable request (opcode high byte 0, NUL-terminated strings) or ACK of block 0: wait for the data exchange */
  if (packet->payload_packet_len > 1
      && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0)
          || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) {
    NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "skip initial packet.\n");
    return;
  }

  NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude TFTP.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TFTP);
}


void init_tftp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("TFTP", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_TFTP,
                                      ndpi_search_tftp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/lotus_notes.c:
--------------------------------------------------------------------------------
/*
 * lotus_notes.c
 *
 * Copyright (C) 2012-15 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_LOTUS_NOTES

/* ************************************ */

static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct,
                                   struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  // const u_int8_t *packet_payload = packet->payload;
  u_int32_t payload_len = packet->payload_packet_len;

  if(packet->tcp != NULL) {
    flow->l4.tcp.lotus_notes_packet_id++;

    if((flow->l4.tcp.lotus_notes_packet_id == 1)
       /* We have seen the 3-way handshake */
       && flow->l4.tcp.seen_syn
       && flow->l4.tcp.seen_syn_ack
       && flow->l4.tcp.seen_ack) {
      if(payload_len > 16) {
        /* Fixed byte pattern expected at offset 6 of the first data segment */
        char lotus_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F };

        if(memcmp(&packet->payload[6], lotus_notes_header, sizeof(lotus_notes_header)) == 0) {
          NDPI_LOG(NDPI_PROTOCOL_LOTUS_NOTES, ndpi_struct, NDPI_LOG_DEBUG, "Found lotus_notes.\n");
          ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LOTUS_NOTES, NDPI_PROTOCOL_UNKNOWN);
        }

        return;
      }

      NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LOTUS_NOTES);
    } else if(flow->l4.tcp.lotus_notes_packet_id > 3)
      NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LOTUS_NOTES);

    return;
  }
}

void ndpi_search_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_LOTUS_NOTES, ndpi_struct, NDPI_LOG_DEBUG, "lotus_notes detection...\n");

  /* skip marked packets */
  if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_LOTUS_NOTES)
    ndpi_check_lotus_notes(ndpi_struct, flow);
}


void init_lotus_notes_dissector(struct ndpi_detection_module_struct
                                *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("LotusNotes", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_LOTUS_NOTES,
                                      ndpi_search_lotus_notes,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/ntp.c:
--------------------------------------------------------------------------------
/*
 * ntp.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocols.h"
#ifdef NDPI_PROTOCOL_NTP

static void ndpi_int_ntp_add_connection(struct ndpi_detection_module_struct
                                        *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTP, NDPI_PROTOCOL_UNKNOWN);
}

/* detection also works asymmetrically */

void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  // struct ndpi_id_struct *src=ndpi_struct->src;
  // struct ndpi_id_struct *dst=ndpi_struct->dst;

  if (!(packet->udp->dest == htons(123) || packet->udp->source == htons(123)))
    goto exclude_ntp;

  NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP port detected\n");

  // It's not correct because packets could be bigger
  //if (packet->payload_packet_len != 48)
  //  goto exclude_ntp;

  /* The version and request code read below live in the first four bytes */
  if (packet->payload_packet_len < 4)
    goto exclude_ntp;

  NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP length detected\n");


  /* Bits 3-5 of the first byte hold the version number (0x38 is 00111000 in binary) */
  if ((((packet->payload[0] & 0x38) >> 3) <= 4)) {
    NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "detected NTP.\n");

    flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3;

    if (flow->protos.ntp.version == 2) {
      flow->protos.ntp.request_code = packet->payload[3];
    }

    ndpi_int_ntp_add_connection(ndpi_struct, flow);
    return;
  }



 exclude_ntp:
  NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP excluded.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NTP);
}


void init_ntp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("NTP", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_NTP,
                                      ndpi_search_ntp_udp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/oracle.c:
--------------------------------------------------------------------------------
/*
 * oracle.c
 *
 * Copyright (C) 2013 Remy Mudingay
 *
 * This module is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This module is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License.
 * If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_api.h"


#ifdef NDPI_PROTOCOL_ORACLE
static void ndpi_int_oracle_add_connection(struct ndpi_detection_module_struct
                                           *ndpi_struct, struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ORACLE, NDPI_PROTOCOL_UNKNOWN);
}

void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  u_int16_t dport = 0, sport = 0;

  NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "search for ORACLE.\n");

  if(packet->tcp != NULL) {
    sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest);
    NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "calculating ORACLE over tcp.\n");
    /* Oracle Database 9g,10g,11g */
    if ((dport == 1521 || sport == 1521)
        /* Three payload bytes are read by the first pattern, so require them to be present */
        && (((packet->payload_packet_len >= 3)
             && (packet->payload[0] == 0x07) && (packet->payload[1] == 0xff) && (packet->payload[2] == 0x00))
            || ((packet->payload_packet_len >= 232) && ((packet->payload[0] == 0x00) || (packet->payload[0] == 0x01))
                && (packet->payload[1] != 0x00)
                && (packet->payload[2] == 0x00)
                && (packet->payload[3] == 0x00)))) {
      NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "found oracle.\n");
      ndpi_int_oracle_add_connection(ndpi_struct, flow);
    } else if (packet->payload_packet_len == 213 && packet->payload[0] == 0x00 &&
               packet->payload[1] == 0xd5 && packet->payload[2] == 0x00 &&
               packet->payload[3] == 0x00 ) {
      NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "found oracle.\n");
      ndpi_int_oracle_add_connection(ndpi_struct, flow);
    }
  } else {
    NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "exclude ORACLE.\n");
    NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ORACLE);
  }
}


void init_oracle_dissector(struct
                           ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("Oracle", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_ORACLE,
                                      ndpi_search_oracle,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/src/lib/protocols/gtp.c:
--------------------------------------------------------------------------------
/*
 * gtp.c
 *
 * Copyright (C) 2011-15 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_GTP

/* Leading fields shared by the GTP header versions handled below */
struct gtp_header_generic {
  u_int8_t flags, message_type;
  u_int16_t message_len;
  u_int32_t teid;
};

static void ndpi_check_gtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  // const u_int8_t *packet_payload = packet->payload;
  u_int32_t payload_len = packet->payload_packet_len;

  if((packet->udp != NULL) && (payload_len > sizeof(struct gtp_header_generic))) {
    /* GTP-U, GTP-C and GTPv0 ports, in network byte order for comparison with the UDP header */
    u_int32_t gtp_u = ntohs(2152);
    u_int32_t gtp_c = ntohs(2123);
    u_int32_t gtp_v0 = ntohs(3386);

    if((packet->udp->source == gtp_u) || (packet->udp->dest == gtp_u)
       || (packet->udp->source == gtp_c) || (packet->udp->dest == gtp_c)
       || (packet->udp->source == gtp_v0) || (packet->udp->dest == gtp_v0)
       ) {
      struct gtp_header_generic *gtp = (struct gtp_header_generic*)packet->payload;
      /* The version is carried in the top three bits of the first byte */
      u_int8_t gtp_version = (gtp->flags & 0xE0) >> 5;

      if((gtp_version == 0) || (gtp_version == 1) || (gtp_version == 2)) {
        u_int16_t message_len = ntohs(gtp->message_len);

        /* The declared message length must fit inside the captured payload */
        if(message_len <= (payload_len-sizeof(struct gtp_header_generic))) {
          NDPI_LOG(NDPI_PROTOCOL_GTP, ndpi_struct, NDPI_LOG_DEBUG, "Found gtp.\n");
          ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN);
          return;
        }
      }
    }
  }

  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GTP);
  return;
}

void ndpi_search_gtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_GTP, ndpi_struct, NDPI_LOG_DEBUG, "gtp detection...\n");

  /* skip marked packets */
  if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_GTP)
    ndpi_check_gtp(ndpi_struct, flow);
}


void init_gtp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("GTP", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_GTP,
                                      ndpi_search_gtp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  *id += 1;
}

#endif
--------------------------------------------------------------------------------
/tests/result/Meu.pcap.out:
--------------------------------------------------------------------------------
TIM_Meu 814 658545 26
--------------------------------------------------------------------------------
/configure.ac:
--------------------------------------------------------------------------------
AC_INIT([libndpi], [1.7.1])

AC_CONFIG_MACRO_DIR([m4])

AM_INIT_AUTOMAKE([foreign subdir-objects])

LT_INIT

AC_PROG_CC
AX_PTHREAD

if test -d ".git"; then :
     GIT_TAG=`git log -1 --format=%h`
     GIT_DATE=`git log -1 --format=%cd`
     #
     # On CentOS 6 `git rev-list HEAD --count` does not work
     #
     #
     GIT_NUM=`git log --pretty=oneline | wc -l | tr -d '[[:space:]]'`
     GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`
     GIT_RELEASE="${PACKAGE_VERSION}-${GIT_BRANCH}-${GIT_NUM}-${GIT_TAG}"
else
     GIT_RELEASE="${PACKAGE_VERSION}"
     GIT_DATE=`date`
fi

AC_DEFINE_UNQUOTED(NDPI_GIT_RELEASE, "${GIT_RELEASE}", [GIT Release])
AC_DEFINE_UNQUOTED(NDPI_GIT_DATE, "${GIT_DATE}", [Last GIT change])

AC_CHECK_HEADERS([netinet/in.h stdint.h stdlib.h string.h unistd.h])

PCAP_HOME=$HOME/PF_RING/userland

if test -d $PCAP_HOME; then :
     echo -n ""
else
     PCAP_HOME=`pwd`/../../PF_RING/userland
fi
SHORT_MACHINE=`uname -m | cut -b1-3`
if test $SHORT_MACHINE = "arm"; then
     LIBNUMA=""
else
     LIBNUMA="-lnuma"
fi

if test -f $PCAP_HOME/libpcap/libpcap.a; then :
     echo "Using libpcap from $PCAP_HOME"
     PCAP_INC="-I $PCAP_HOME/libpcap"
     PCAP_LIB="$PCAP_HOME/libpcap/libpcap.a $PCAP_HOME/lib/libpfring.a $LIBNUMA `$PCAP_HOME/lib/pfring_config --libs`"

     AC_CHECK_LIB([rt], [clock_gettime], [PCAP_LIB="$PCAP_LIB -lrt"])
     AC_CHECK_LIB([nl], [nl_handle_alloc], [PCAP_LIB="$PCAP_LIB -lnl"])
else
     AC_CHECK_LIB([pcap], [pcap_open_live], [PCAP_LIB="-lpcap"])

     if test \
        $ac_cv_lib_pcap_pcap_open_live = "no"; then :
        echo ""
        echo "ERROR: Missing libpcap(-dev) library required to compile the example application"
        echo "ERROR: Please install it and try again"
        exit
     fi
fi

AC_ARG_ENABLE([json-c],
    AS_HELP_STRING([--disable-json-c], [Disable json-c support]))

AS_IF([test "x$enable_json_c" != "xno"], [
    PKG_CONFIG_PATH=/usr/local/share/pkgconfig:$PKG_CONFIG_PATH
    pkg-config --exists json-c
    AS_IF([test "$?" == "0"],
        [
            CFLAGS="$CFLAGS $(pkg-config --cflags json-c)"
            LDFLAGS="$LDFLAGS $(pkg-config --libs json-c)"
            AC_CHECK_LIB(json-c, json_object_new_object, AC_DEFINE_UNQUOTED(HAVE_JSON_C, 1, [The JSON-C library is present]))
        ],
        [])
])

OLD_LIBS=$LIBS
LIBS="-L/opt/napatech3/lib $LIBS"
AC_CHECK_LIB([ntapi],
    [NT_Init],
    [PCAP_LIB="$PCAP_LIB -L/opt/napatech3/lib -lntapi"],
    [], [] )
LIBS=$OLD_LIBS


AC_CHECK_LIB(pthread, pthread_setaffinity_np, AC_DEFINE_UNQUOTED(HAVE_PTHREAD_SETAFFINITY_NP, 1, [libc has pthread_setaffinity_np]))

AC_CONFIG_FILES([Makefile src/lib/Makefile example/Makefile libndpi.pc])
AC_CONFIG_HEADERS(config.h)
AC_SUBST(GIT_RELEASE)
AC_SUBST(SVN_DATE)
AC_SUBST(JSON_C_LIB)
AC_SUBST(PCAP_INC)
AC_SUBST(PCAP_LIB)
AC_SUBST(HAVE_PTHREAD_SETAFFINITY_NP)

AC_OUTPUT
--------------------------------------------------------------------------------
/src/lib/protocols/dropbox.c:
--------------------------------------------------------------------------------
/*
 * dropbox.c
 *
 * Copyright (C) 2011-13 by ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the
 * Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_api.h"

#ifdef NDPI_PROTOCOL_DROPBOX

#define DB_LSP_PORT 17500


static void ndpi_int_dropbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                            struct ndpi_flow_struct *flow,
                                            u_int8_t due_to_correlation)
{
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DROPBOX, NDPI_PROTOCOL_UNKNOWN);
}


static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;
  // const u_int8_t *packet_payload = packet->payload;
  u_int32_t payload_len = packet->payload_packet_len;

  if(packet->udp != NULL) {

    u_int16_t dropbox_port = htons(DB_LSP_PORT);

    /* LAN sync discovery: UDP 17500 on both sides carrying a JSON object that opens with "host_int" */
    if((packet->udp->source == dropbox_port)
       && (packet->udp->dest == dropbox_port)) {
      /* The 11-byte prefix compared below must lie entirely inside the payload */
      if(payload_len >= 11) {
        if(strncmp((const char *)packet->payload, "{\"host_int\"", 11) == 0) {

          NDPI_LOG(NDPI_PROTOCOL_DROPBOX, ndpi_struct, NDPI_LOG_DEBUG, "Found dropbox.\n");
          ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0);
          return;
        }
      }
    }
  }

  NDPI_LOG(NDPI_PROTOCOL_DROPBOX, ndpi_struct, NDPI_LOG_DEBUG, "exclude dropbox.\n");
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DROPBOX);
}

void ndpi_search_dropbox(struct ndpi_detection_module_struct *ndpi_struct, struct
                         ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &flow->packet;

  NDPI_LOG(NDPI_PROTOCOL_DROPBOX, ndpi_struct, NDPI_LOG_DEBUG, "dropbox detection...\n");

  /* skip marked packets */
  if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_DROPBOX) {
    if (packet->tcp_retransmission == 0) {
      ndpi_check_dropbox(ndpi_struct, flow);
    }
  }
}


void init_dropbox_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
{
  ndpi_set_bitmask_protocol_detection("DROPBOX", ndpi_struct, detection_bitmask, *id,
                                      NDPI_PROTOCOL_DROPBOX,
                                      ndpi_search_dropbox,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}



#endif
--------------------------------------------------------------------------------
/src/lib/protocols/kerberos.c:
--------------------------------------------------------------------------------
/*
 * kerberos.c
 *
 * Copyright (C) 2009-2011 by ipoque GmbH
 * Copyright (C) 2011-15 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.
If not, see . 22 | * 23 | */ 24 | 25 | 26 | #include "ndpi_protocols.h" 27 | 28 | #ifdef NDPI_PROTOCOL_KERBEROS 29 | 30 | static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct, 31 | struct ndpi_flow_struct *flow) 32 | { 33 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN); 34 | } 35 | 36 | 37 | void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 38 | { 39 | struct ndpi_packet_struct *packet = &flow->packet; 40 | // struct ndpi_id_struct *src=ndpi_struct->src; 41 | // struct ndpi_id_struct *dst=ndpi_struct->dst; 42 | 43 | 44 | /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */ 45 | if (packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len - 4) { 46 | if (packet->payload_packet_len > 19 && 47 | packet->payload[14] == 0x05 && 48 | (packet->payload[19] == 0x0a || 49 | packet->payload[19] == 0x0c || packet->payload[19] == 0x0d || packet->payload[19] == 0x0e)) { 50 | NDPI_LOG(NDPI_PROTOCOL_KERBEROS, ndpi_struct, NDPI_LOG_DEBUG, "found KERBEROS\n"); 51 | ndpi_int_kerberos_add_connection(ndpi_struct, flow); 52 | return; 53 | 54 | } 55 | if (packet->payload_packet_len > 21 && 56 | packet->payload[16] == 0x05 && 57 | (packet->payload[21] == 0x0a || 58 | packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) { 59 | NDPI_LOG(NDPI_PROTOCOL_KERBEROS, ndpi_struct, NDPI_LOG_DEBUG, "found KERBEROS\n"); 60 | ndpi_int_kerberos_add_connection(ndpi_struct, flow); 61 | return; 62 | 63 | } 64 | 65 | 66 | 67 | } 68 | 69 | NDPI_LOG(NDPI_PROTOCOL_KERBEROS, ndpi_struct, NDPI_LOG_DEBUG, "no KERBEROS detected.\n"); 70 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_KERBEROS); 71 | } 72 | 73 | 74 | void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, 
NDPI_PROTOCOL_BITMASK *detection_bitmask) 75 | { 76 | ndpi_set_bitmask_protocol_detection("Kerberos", ndpi_struct, detection_bitmask, *id, 77 | NDPI_PROTOCOL_KERBEROS, 78 | ndpi_search_kerberos, 79 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 80 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 81 | ADD_TO_DETECTION_BITMASK); 82 | 83 | *id += 1; 84 | } 85 | 86 | #endif 87 | -------------------------------------------------------------------------------- /src/lib/protocols/mysql.c: -------------------------------------------------------------------------------- 1 | /* 2 | * mysql.c 3 | * 4 | * Copyright (C) 2009-2011 by ipoque GmbH 5 | * Copyright (C) 2011-15 - ntop.org 6 | * 7 | * This file is part of nDPI, an open source deep packet inspection 8 | * library based on the OpenDPI and PACE technology by ipoque GmbH 9 | * 10 | * nDPI is free software: you can redistribute it and/or modify 11 | * it under the terms of the GNU Lesser General Public License as published by 12 | * the Free Software Foundation, either version 3 of the License, or 13 | * (at your option) any later version. 14 | * 15 | * nDPI is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU Lesser General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU Lesser General Public License 21 | * along with nDPI. If not, see . 
22 | * 23 | */ 24 | 25 | 26 | #include "ndpi_protocols.h" 27 | 28 | #ifdef NDPI_PROTOCOL_MYSQL 29 | 30 | static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct 31 | *ndpi_struct, struct ndpi_flow_struct *flow) 32 | { 33 | ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN); 34 | } 35 | 36 | void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 37 | { 38 | struct ndpi_packet_struct *packet = &flow->packet; 39 | 40 | // struct ndpi_id_struct *src=ndpi_struct->src; 41 | // struct ndpi_id_struct *dst=ndpi_struct->dst; 42 | 43 | if (packet->payload_packet_len > 37 //min length 44 | && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length 45 | && get_u_int8_t(packet->payload, 2) == 0x00 //3rd byte of packet length 46 | && get_u_int8_t(packet->payload, 3) == 0x00 //packet sequence number is 0 for startup packet 47 | && get_u_int8_t(packet->payload, 5) > 0x30 //server version > 0 48 | && get_u_int8_t(packet->payload, 5) < 0x37 //server version < 7 49 | && get_u_int8_t(packet->payload, 6) == 0x2e //dot 50 | ) { 51 | u_int32_t a; 52 | for (a = 7; a + 31 < packet->payload_packet_len; a++) { 53 | if (packet->payload[a] == 0x00) { 54 | if (get_u_int8_t(packet->payload, a + 13) == 0x00 //filler byte 55 | && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more 56 | && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes 57 | && get_u_int8_t(packet->payload, a + 31) == 0x0) { 58 | NDPI_LOG(NDPI_PROTOCOL_MYSQL, ndpi_struct, NDPI_LOG_DEBUG, "MySQL detected.\n"); 59 | ndpi_int_mysql_add_connection(ndpi_struct, flow); 60 | return; 61 | } 62 | break; 63 | } 64 | } 65 | } 66 | 67 | NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MYSQL); 68 | } 69 | 70 | 71 | void init_mysql_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) 72 
| { 73 | ndpi_set_bitmask_protocol_detection("MySQL", ndpi_struct, detection_bitmask, *id, 74 | NDPI_PROTOCOL_MYSQL, 75 | ndpi_search_mysql_tcp, 76 | NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, 77 | SAVE_DETECTION_BITMASK_AS_UNKNOWN, 78 | ADD_TO_DETECTION_BITMASK); 79 | 80 | *id += 1; 81 | } 82 | 83 | #endif 84 | --------------------------------------------------------------------------------
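The kerberos.c dissector above matches the Kerberos-over-TCP record shape by offset only: a 4-byte big-endian record length, then pvno (5) at byte 14 or 16 and a msg-type at byte 19 or 21. The following is an added example, not nDPI's own code: it reimplements that heuristic stand-alone and builds constructed KDC-REQ-shaped records (AS-REQ / TGS-REQ framing with a zero-filled stand-in for the remaining fields, not a valid req-body) to show why those offsets are what they are. With DER long-form lengths of the 0x81 form (contents of 128 to 255 bytes) pvno lands at offset 14, with the 0x82 form at offset 16; a message small enough to use short-form lengths puts pvno at offset 12 and is missed. All function names and sample values are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not nDPI code: stand-alone version of the kerberos.c heuristic,
 * plus a builder for constructed records that shows where the offsets come from. */

static uint32_t be32(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* msg-type values the dissector accepts: AS-REQ (10), TGS-REQ (12), TGS-REP (13), AP-REQ (14) */
static int krb_msg_type_ok(uint8_t t)
{
  return t == 0x0a || t == 0x0c || t == 0x0d || t == 0x0e;
}

/* 1 if the TCP payload matches the dissector's shape, 0 otherwise */
int looks_like_kerberos_tcp(const uint8_t *payload, size_t len)
{
  if (len < 4 || be32(payload) != len - 4) return 0;   /* 4-byte big-endian record length */
  if (len > 19 && payload[14] == 0x05 && krb_msg_type_ok(payload[19])) return 1;
  if (len > 21 && payload[16] == 0x05 && krb_msg_type_ok(payload[21])) return 1;
  return 0;
}

/* DER length octets: short form below 128, otherwise the 0x81 or 0x82 long form */
static size_t der_len(uint8_t *out, size_t n)
{
  if (n < 0x80)  { out[0] = (uint8_t)n; return 1; }
  if (n < 0x100) { out[0] = 0x81; out[1] = (uint8_t)n; return 2; }
  out[0] = 0x82; out[1] = (uint8_t)(n >> 8); out[2] = (uint8_t)n; return 3;
}

/* Constructed record: 4-byte length, then
 *   [APPLICATION msg_type] SEQUENCE { [1] INTEGER 5 (pvno), [2] INTEGER msg_type, body_len zero bytes }
 * The zero bytes only give the message a chosen size; they are not a valid req-body.
 * Valid for AS-REQ (10) and TGS-REQ (12), whose application tag equals the msg-type value.
 * Returns the total record length, or 0 if buf is too small. */
size_t build_kdc_req_record(uint8_t *buf, size_t cap, uint8_t msg_type, size_t body_len)
{
  uint8_t seq_len[3], app_len[3];
  uint8_t pvno[]  = { 0xa1, 0x03, 0x02, 0x01, 0x05 };
  uint8_t mtype[] = { 0xa2, 0x03, 0x02, 0x01, 0x00 };
  size_t seq_content = sizeof pvno + sizeof mtype + body_len;
  size_t seq_len_n   = der_len(seq_len, seq_content);
  size_t app_content = 1 + seq_len_n + seq_content;     /* SEQUENCE tag + length + contents */
  size_t app_len_n   = der_len(app_len, app_content);
  size_t msg         = 1 + app_len_n + app_content;     /* APPLICATION tag + length + contents */
  size_t p = 0;

  if (body_len > 0xff00 || cap < 4 + msg) return 0;
  mtype[4] = msg_type;
  buf[p++] = (uint8_t)(msg >> 24); buf[p++] = (uint8_t)(msg >> 16);
  buf[p++] = (uint8_t)(msg >> 8);  buf[p++] = (uint8_t)msg;
  buf[p++] = (uint8_t)(0x60 | msg_type);                /* constructed APPLICATION tag */
  memcpy(buf + p, app_len, app_len_n); p += app_len_n;
  buf[p++] = 0x30;                                      /* SEQUENCE */
  memcpy(buf + p, seq_len, seq_len_n); p += seq_len_n;
  memcpy(buf + p, pvno, sizeof pvno);   p += sizeof pvno;
  memcpy(buf + p, mtype, sizeof mtype); p += sizeof mtype;
  memset(buf + p, 0x00, body_len);      p += body_len;
  return p;
}

/* Realistically sized AS-REQ: both lengths use the 0x81 form, pvno lands at offset 14 */
int demo_as_req_0x81(void)
{
  uint8_t buf[512];
  size_t n = build_kdc_req_record(buf, sizeof buf, 0x0a, 150);
  return looks_like_kerberos_tcp(buf, n);   /* 1 */
}

/* Larger TGS-REQ: both lengths use the 0x82 form, pvno lands at offset 16 */
int demo_tgs_req_0x82(void)
{
  uint8_t buf[512];
  size_t n = build_kdc_req_record(buf, sizeof buf, 0x0c, 300);
  return looks_like_kerberos_tcp(buf, n);   /* 1 */
}

/* Tiny message with short-form lengths: pvno sits at offset 12, so the heuristic does not fire */
int demo_short_form_missed(void)
{
  uint8_t buf[512];
  size_t n = build_kdc_req_record(buf, sizeof buf, 0x0a, 20);
  return looks_like_kerberos_tcp(buf, n);   /* 0 */
}

int main(void)
{
  printf("AS-REQ (0x81 lengths): %d\n", demo_as_req_0x81());
  printf("TGS-REQ (0x82 lengths): %d\n", demo_tgs_req_0x82());
  printf("short-form lengths:     %d\n", demo_short_form_missed());
  return 0;
}
```

The two branches in the dissector therefore cover the cases where the outer and inner DER lengths use the same long form; a record whose two lengths fall on different sides of the 256-byte boundary shifts pvno to offset 15 and is not matched either. For a detection engineer this is the kind of blind spot worth knowing about when Kerberos traffic on a non-standard port is classified purely by this heuristic.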
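The mysql.c dissector above recognises a server greeting from its framing (3-byte little-endian length, sequence id 0), the version string ("1".."6" followed by a dot) and the filler bytes that follow the connection id and 8-byte scramble. As an added example, not nDPI's own code, here is a stand-alone version of that heuristic run against a constructed MySQL 5.1-style greeting, a tampered copy with a non-zero sequence id, and an HTTP response, so the match conditions can be seen on concrete bytes. The 3-byte length is decoded explicitly here instead of through the dissector's host-endian 16-bit read; all function names and sample values are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not nDPI code: stand-alone version of the mysql.c greeting heuristic. */

static uint32_t le24(const uint8_t *p)
{
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
}

static int all_zero(const uint8_t *p, size_t n)
{
  for (size_t i = 0; i < n; i++)
    if (p[i] != 0x00) return 0;
  return 1;
}

/* 1 if payload looks like a MySQL 4.1-style server greeting (the shape the dissector matches) */
int looks_like_mysql_greeting(const uint8_t *payload, size_t len)
{
  if (len <= 37) return 0;                                   /* min length */
  if (le24(payload) != len - 4) return 0;                    /* length excludes the 4-byte header */
  if (payload[3] != 0x00) return 0;                          /* sequence id is 0 for the greeting */
  if (!(payload[5] > 0x30 && payload[5] < 0x37)) return 0;   /* version starts with '1'..'6' */
  if (payload[6] != '.') return 0;

  for (size_t a = 7; a + 31 < len; a++) {
    if (payload[a] == 0x00) {                                /* NUL that ends the version string */
      return payload[a + 13] == 0x00                         /* filler after connection id + 8-byte scramble */
          && all_zero(payload + a + 19, 13);                 /* 13 filler bytes after status flags */
    }
  }
  return 0;
}

/* Constructed sample (illustrative values): a MySQL 5.1-style greeting, protocol version 10 */
size_t build_sample_greeting(uint8_t *buf, size_t cap)
{
  static const uint8_t body[] = {
    0x0a,                                        /* protocol version 10 */
    '5', '.', '1', '.', '7', '3', 0x00,          /* server version "5.1.73", NUL terminated */
    0x2a, 0x00, 0x00, 0x00,                      /* connection id */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',      /* scramble, part 1 (8 bytes) */
    0x00,                                        /* filler */
    0xff, 0xf7,                                  /* capability flags, lower 16 bits */
    0x08,                                        /* character set */
    0x02, 0x00,                                  /* status flags */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,       /* 13 filler bytes */
    'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 0x00 /* scramble, part 2 */
  };
  size_t n = sizeof body;
  if (cap < n + 4) return 0;
  buf[0] = (uint8_t)n; buf[1] = (uint8_t)(n >> 8); buf[2] = (uint8_t)(n >> 16); /* length */
  buf[3] = 0x00;                                                                  /* sequence id */
  memcpy(buf + 4, body, n);
  return n + 4;
}

int demo_genuine_greeting(void)
{
  uint8_t buf[64];
  size_t n = build_sample_greeting(buf, sizeof buf);
  return looks_like_mysql_greeting(buf, n);                  /* 1 */
}

/* Same bytes with a non-zero sequence id: not a first packet, so it must not match */
int demo_wrong_sequence_id(void)
{
  uint8_t buf[64];
  size_t n = build_sample_greeting(buf, sizeof buf);
  buf[3] = 0x01;
  return looks_like_mysql_greeting(buf, n);                  /* 0 */
}

/* A text protocol carried on the same port must not match */
int demo_http_response(void)
{
  static const uint8_t http[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";
  return looks_like_mysql_greeting(http, sizeof http - 1);   /* 0 */
}

int main(void)
{
  printf("genuine greeting:  %d\n", demo_genuine_greeting());
  printf("wrong sequence id: %d\n", demo_wrong_sequence_id());
  printf("HTTP response:     %d\n", demo_http_response());
  return 0;
}
```

Note that the 13 zero bytes the dissector requires after the status flags correspond to the filler of the older greeting layout; a server that fills that region with non-zero data would not be matched, which is worth remembering when relying on this dissector for inventory of database listeners.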