/src/ndpi/src/lib/protocols/vnc.c

Source
/*
 * vnc.c
 *
 * Copyright (C) 2016-22 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VNC

#include "ndpi_api.h"
#include "ndpi_private.h"

static void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search vnc\n");
  /* search over TCP */
  if(packet->tcp) {

    if(flow->l4.tcp.vnc_stage == 0) {
      if((packet->payload_packet_len == 12) &&
   (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a))
    ||
    ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) {
  NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n");
  flow->l4.tcp.vnc_stage = 1 + packet->packet_direction;
  return;
      }
    } else if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) {

      if((packet->payload_packet_len == 12) &&
   (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a))
    ||
    ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) {    
  NDPI_LOG_INFO(ndpi_struct, "found vnc\n");
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
  ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */
  return;
      }
    }
  }
  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
}


void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  ndpi_register_dissector("VNC", ndpi_struct,
                     ndpi_search_vnc_tcp,
                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                     1, NDPI_PROTOCOL_VNC);
}

Line	Count	Source
1		/*
2		* vnc.c
3		*
4		* Copyright (C) 2016-22 - ntop.org
5		*
6		* This file is part of nDPI, an open source deep packet inspection
7		* library based on the OpenDPI and PACE technology by ipoque GmbH
8		*
9		* nDPI is free software: you can redistribute it and/or modify
10		* it under the terms of the GNU Lesser General Public License as published by
11		* the Free Software Foundation, either version 3 of the License, or
12		* (at your option) any later version.
13		*
14		* nDPI is distributed in the hope that it will be useful,
15		* but WITHOUT ANY WARRANTY; without even the implied warranty of
16		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17		* GNU Lesser General Public License for more details.
18		*
19		* You should have received a copy of the GNU Lesser General Public License
20		* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
21		*
22		*/
23		#include "ndpi_protocol_ids.h"
24
25		#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VNC
26
27		#include "ndpi_api.h"
28		#include "ndpi_private.h"
29
30		static void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct ndpi_struct, struct ndpi_flow_struct flow)
31	0	{
32	0	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
33
34	0	NDPI_LOG_DBG(ndpi_struct, "search vnc\n");
35		/* search over TCP */
36	0	if(packet->tcp) {
37
38	0	if(flow->l4.tcp.vnc_stage == 0) {
39	0	if((packet->payload_packet_len == 12) &&
40	0	(((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a))
41	0	\|\|
42	0	((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) {
43	0	NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n");
44	0	flow->l4.tcp.vnc_stage = 1 + packet->packet_direction;
45	0	return;
46	0	}
47	0	} else if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) {
48
49	0	if((packet->payload_packet_len == 12) &&
50	0	(((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a))
51	0	\|\|
52	0	((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) {
53	0	NDPI_LOG_INFO(ndpi_struct, "found vnc\n");
54	0	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
55	0	ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */
56	0	return;
57	0	}
58	0	}
59	0	}
60	0	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
61	0	}
62
63
64		void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct)
65	1	{
66	1	ndpi_register_dissector("VNC", ndpi_struct,
67	1	ndpi_search_vnc_tcp,
68	1	NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
69	1	1, NDPI_PROTOCOL_VNC);
70	1	}

Coverage Report

Created: 2026-04-04 07:03