Coverage Report

Created: 2024-01-13 07:07

/src/ndpi/src/lib/protocols/vnc.c
/*
 * vnc.c
 *
 * Copyright (C) 2016-22 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
#include "ndpi_protocol_ids.h"
#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VNC
#include "ndpi_api.h"
#include "ndpi_private.h"
/*
 * Return non-zero when the payload is shaped like an RFB version banner as
 * this dissector recognises it: exactly 12 bytes, beginning with "RFB 003"
 * or "RFB 004", and carrying a line feed (0x0a) at offset 11.
 *
 * Only the first 7 bytes of each literal are compared, so the '.' at offset 7
 * and the bytes at offsets 8..10 are not inspected.
 * NOTE(review): the literals are 8 characters long but the compare length is
 * 7 - confirm whether the looser match is intentional.
 */
static int vnc_is_rfb_version_banner(const struct ndpi_packet_struct *packet)
{
  /* The length test comes first: it is what makes the read of payload[11] safe. */
  if(packet->payload_packet_len != 12)
    return 0;

  if(packet->payload[11] != 0x0a)
    return 0;

  return (memcmp(packet->payload, "RFB 003.", 7) == 0) ||
         (memcmp(packet->payload, "RFB 004.", 7) == 0);
}

/*
 * TCP dissector callback for VNC.
 *
 * Detection is a two-step match on the version banner:
 *  - vnc_stage == 0: a banner is seen for the first time; the stage is set to
 *    1 + packet_direction and the function waits for further packets.
 *  - vnc_stage == 2 - packet_direction: a second banner arrives; with
 *    packet_direction being 0 or 1 (presumably - verify against the packet
 *    struct) this only holds for the direction opposite to the first banner.
 *    The flow is then classified as VNC and tagged with the
 *    NDPI_DESKTOP_OR_FILE_SHARING_SESSION risk.
 *
 * Every other case (no TCP header, no banner, banner repeated from the same
 * side) excludes VNC for this flow. The match depends entirely on the banner
 * being visible in the payload handed to this callback, so the absence of a
 * VNC classification does not by itself show that no remote-desktop session
 * exists on the flow.
 */
static void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search vnc\n");

  /* search over TCP */
  if(packet->tcp && vnc_is_rfb_version_banner(packet)) {
    if(flow->l4.tcp.vnc_stage == 0) {
      NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n");
      /* Remember which side sent the first banner (stored as 1 or 2). */
      flow->l4.tcp.vnc_stage = 1 + packet->packet_direction;
      return;
    }

    if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) {
      NDPI_LOG_INFO(ndpi_struct, "found vnc\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
      ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */
      return;
    }
  }

  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}
/*
 * Register the VNC dissector with the detection module.
 *
 * ndpi_search_vnc_tcp is installed as the callback for NDPI_PROTOCOL_VNC under
 * the slot *id, using the selection bitmask
 * NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION.
 * On return *id has been advanced by one.
 */
void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
{
  ndpi_set_bitmask_protocol_detection(
    "VNC", ndpi_struct, *id, NDPI_PROTOCOL_VNC, ndpi_search_vnc_tcp,
    NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
    SAVE_DETECTION_BITMASK_AS_UNKNOWN,
    ADD_TO_DETECTION_BITMASK);

  /* Advance the caller's slot counter past the one just used. */
  (*id)++;
}