/src/ndpi/src/lib/protocols/armagetron.c
Line | Count | Source |
1 | | /* |
2 | | * armagetron.c |
3 | | * |
4 | | * Copyright (C) 2009-11 - ipoque GmbH |
5 | | * Copyright (C) 2011-22 - ntop.org |
6 | | * |
7 | | * This file is part of nDPI, an open source deep packet inspection |
8 | | * library based on the OpenDPI and PACE technology by ipoque GmbH |
9 | | * |
10 | | * nDPI is free software: you can redistribute it and/or modify |
11 | | * it under the terms of the GNU Lesser General Public License as published by |
12 | | * the Free Software Foundation, either version 3 of the License, or |
13 | | * (at your option) any later version. |
14 | | * |
15 | | * nDPI is distributed in the hope that it will be useful, |
16 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
17 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
18 | | * GNU Lesser General Public License for more details. |
19 | | * |
20 | | * You should have received a copy of the GNU Lesser General Public License |
21 | | * along with nDPI. If not, see <http://www.gnu.org/licenses/>. |
22 | | * |
23 | | */ |
24 | | |
25 | | #include "ndpi_protocol_ids.h" |
26 | | |
27 | 157k | #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ARMAGETRON |
28 | | |
29 | | #include "ndpi_api.h" |
30 | | |
31 | | |
/*
 * Mark the flow as Armagetron.
 *
 * Forwards to ndpi_set_detected_protocol() with NDPI_PROTOCOL_ARMAGETRON,
 * NDPI_PROTOCOL_UNKNOWN as the other protocol argument, and
 * NDPI_CONFIDENCE_DPI as the confidence value.
 */
static void ndpi_int_armagetron_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                               struct ndpi_flow_struct *flow)
{
  ndpi_set_detected_protocol(ndpi_struct,
                             flow,
                             NDPI_PROTOCOL_ARMAGETRON,
                             NDPI_PROTOCOL_UNKNOWN,
                             NDPI_CONFIDENCE_DPI);
}
37 | | |
/*
 * Match the current UDP payload against three Armagetron message shapes
 * (login request, sync_msg, net_sync combination). On a match the flow is
 * marked as Armagetron; in every other case the protocol is excluded for
 * this flow.
 *
 * The payload and every length field decoded from it come straight off the
 * wire, so each read below is preceded by a check that keeps it inside
 * payload_packet_len.
 */
static void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search armagetron\n");

  /* Anything of 10 bytes or fewer cannot carry any of the signatures. */
  if (packet->payload_packet_len <= 10)
    goto exclude;

  /* login request: fixed reads reach offset 7 at most, covered by len > 10 */
  if (get_u_int32_t(packet->payload, 0) == htonl(0x000b0000)) {
    const u_int16_t login_len = ntohs(get_u_int16_t(packet->payload, 4));

    if (login_len == 0)
      goto exclude;
    /* The declared length must account for the whole datagram exactly. */
    if (login_len * 2 + 8 != packet->payload_packet_len)
      goto exclude;

    if (get_u_int16_t(packet->payload, 6) == htons(0x0008)) {
      if (get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0)
        goto found;
    }
  }

  /* sync_msg: only considered for 16-byte payloads, so offsets 0..15 are readable */
  if (packet->payload_packet_len == 16
      && get_u_int16_t(packet->payload, 0) == htons(0x001c)
      && get_u_int16_t(packet->payload, 2) != 0) {
    const u_int16_t sync_len = ntohs(get_u_int16_t(packet->payload, 4));

    if (sync_len != 4)
      goto exclude;

    if (get_u_int32_t(packet->payload, 6) == htonl(0x00000500)
        && get_u_int32_t(packet->payload, 6 + 4) == htonl(0x00010000)
        && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0)
      goto found;
  }

  /* net_sync combination */
  if (packet->payload_packet_len > 50
      && get_u_int16_t(packet->payload, 0) == htons(0x0018)
      && get_u_int16_t(packet->payload, 2) != 0) {
    const u_int16_t net_len = ntohs(get_u_int16_t(packet->payload, 4));

    /* Here the declared length may be shorter than the datagram, never longer. */
    if (net_len == 0 || net_len * 2 + 8 > packet->payload_packet_len)
      goto exclude;

    if (get_u_int16_t(packet->payload, 6 + 2) == get_u_int16_t(packet->payload, 6 + 6)) {
      /*
       * skip is a 16-bit value taken from the packet and used as an offset.
       * The sum below is computed after promotion to int, and the strict
       * comparison guarantees the 4-byte read at 6 + 10 + skip ends before
       * the end of the payload.
       */
      const u_int16_t skip = ntohs(get_u_int16_t(packet->payload, 6 + 8));

      if ((6 + 10 + skip + 4) < packet->payload_packet_len) {
        const u_int32_t marker = get_u_int32_t(packet->payload, 6 + 10 + skip);

        if ((marker == htonl(0x00010000) || marker == htonl(0x00000001))
            && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0)
          goto found;
      }
    }
  }

 exclude:
  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
  return;

 found:
  NDPI_LOG_INFO(ndpi_struct, "found armagetron\n");
  ndpi_int_armagetron_add_connection(ndpi_struct, flow);
}
96 | | |
97 | | |
98 | | |
/*
 * Register the Armagetron dissector.
 *
 * Passes the name "Armagetron", the current value of *id, the protocol id
 * and the ndpi_search_armagetron_udp callback to
 * ndpi_set_bitmask_protocol_detection(), using the
 * V4_V6_UDP_WITH_PAYLOAD selection bitmask, then increments *id by one.
 * NOTE(review): *id looks like the next free dissector slot; confirm
 * against the caller.
 */
void init_armagetron_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
{
  ndpi_set_bitmask_protocol_detection("Armagetron",
                                      ndpi_struct,
                                      *id,
                                      NDPI_PROTOCOL_ARMAGETRON,
                                      ndpi_search_armagetron_udp,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);

  /* Advance the counter only after the registration call has used it. */
  (*id)++;
}