/src/ndpi/src/lib/protocols/apple_push.c

Source
/*
 * apple_push.c
 *
 * Copyright (C) 2018 by ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_APPLE_PUSH

#include "ndpi_api.h"
#include "ndpi_private.h"

static int is_apple_push_addr(const struct ndpi_packet_struct *packet)
{
  if(packet->iph) {
    /* 17.0.0.0/8 */
    if(((ntohl(packet->iph->saddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000) ||
       ((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000))
      return 1;
  } else if(packet->iphv6) {
    /* 2620:149:a44::/48 */
    if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x26200149)) &&
        ((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a440000))) ||
       ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x26200149)) &&
        ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a440000))))
      return 1;
    /* 2403:300:a42::/48 */
    if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
        ((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))) ||
       ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
        ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))))
      return 1;
    /* 2403:300:a51::/48 */
    if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
        ((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a510000))) ||
       ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
        ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a510000))))
      return 1;
    /* 2a01:b740:a42::/48 */
    if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x2a0ab740)) &&
        ((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))) ||
       ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x2a0ab740)) &&
        ((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))))
      return 1;

  }
  return 0;
}


static void ndpi_check_apple_push(struct ndpi_detection_module_struct *ndpi_struct,
          struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  /* https://support.apple.com/en-us/HT203609 */
  if(is_apple_push_addr(packet)) {
    u_int16_t apple_push_port       = ntohs(5223);
    u_int16_t notification_apn_port = ntohs(2197);
  
    if((packet->tcp->source == apple_push_port) || (packet->tcp->dest == apple_push_port) ||
       (packet->tcp->source == notification_apn_port) || (packet->tcp->dest == notification_apn_port)) {
      NDPI_LOG_INFO(ndpi_struct, "found apple_push\n");
      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
      return;
    }
  }

  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
}

static void ndpi_search_apple_push(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  NDPI_LOG_DBG(ndpi_struct, "search apple_push\n");

  ndpi_check_apple_push(ndpi_struct, flow);
}


void init_apple_push_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  register_dissector("APPLE_PUSH", ndpi_struct,
                     ndpi_search_apple_push,
                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                     1, NDPI_PROTOCOL_APPLE_PUSH);
}


Line	Count	Source
1		/*
2		* apple_push.c
3		*
4		* Copyright (C) 2018 by ntop.org
5		*
6		* This file is part of nDPI, an open source deep packet inspection
7		* library based on the OpenDPI and PACE technology by ipoque GmbH
8		*
9		* nDPI is free software: you can redistribute it and/or modify
10		* it under the terms of the GNU Lesser General Public License as published by
11		* the Free Software Foundation, either version 3 of the License, or
12		* (at your option) any later version.
13		*
14		* nDPI is distributed in the hope that it will be useful,
15		* but WITHOUT ANY WARRANTY; without even the implied warranty of
16		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17		* GNU Lesser General Public License for more details.
18		*
19		* You should have received a copy of the GNU Lesser General Public License
20		* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
21		*
22		*/
23
24		#include "ndpi_protocol_ids.h"
25
26		#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_APPLE_PUSH
27
28		#include "ndpi_api.h"
29		#include "ndpi_private.h"
30
31		static int is_apple_push_addr(const struct ndpi_packet_struct *packet)
32	1.79M	{
33	1.79M	if(packet->iph) {
34		/* 17.0.0.0/8 */
35	1.76M	if(((ntohl(packet->iph->saddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000) \|\|
36	1.76M	((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0x11000000))
37	4.35k	return 1;
38	1.76M	} else if(packet->iphv6) {
39		/* 2620:149:a44::/48 */
40	33.1k	if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x26200149)) &&
41	33.1k	((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a440000))) \|\|
42	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x26200149)) &&
43	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a440000))))
44	3	return 1;
45		/* 2403:300:a42::/48 */
46	33.1k	if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
47	33.1k	((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))) \|\|
48	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
49	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))))
50	4	return 1;
51		/* 2403:300:a51::/48 */
52	33.1k	if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
53	33.1k	((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a510000))) \|\|
54	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x24030300)) &&
55	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a510000))))
56	2	return 1;
57		/* 2a01:b740:a42::/48 */
58	33.1k	if(((packet->iphv6->ip6_src.u6_addr.u6_addr32[0] == ntohl(0x2a0ab740)) &&
59	33.1k	((packet->iphv6->ip6_src.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))) \|\|
60	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] == ntohl(0x2a0ab740)) &&
61	33.1k	((packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] & htonl (0xffff0000)) == ntohl(0x0a420000))))
62	2	return 1;
63
64	33.1k	}
65	1.79M	return 0;
66	1.79M	}
67
68
69		static void ndpi_check_apple_push(struct ndpi_detection_module_struct *ndpi_struct,
70	1.79M	struct ndpi_flow_struct *flow) {
71	1.79M	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
72
73		/* https://support.apple.com/en-us/HT203609 */
74	1.79M	if(is_apple_push_addr(packet)) {
75	4.36k	u_int16_t apple_push_port = ntohs(5223);
76	4.36k	u_int16_t notification_apn_port = ntohs(2197);
77
78	4.36k	if((packet->tcp->source == apple_push_port) \|\| (packet->tcp->dest == apple_push_port) \|\|
79	4.36k	(packet->tcp->source == notification_apn_port) \|\| (packet->tcp->dest == notification_apn_port)) {
80	349	NDPI_LOG_INFO(ndpi_struct, "found apple_push\n");
81	349	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APPLE_PUSH, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
82	349	return;
83	349	}
84	4.36k	}
85
86	1.79M	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
87	1.79M	}
88
89		static void ndpi_search_apple_push(struct ndpi_detection_module_struct ndpi_struct, struct ndpi_flow_struct flow)
90	1.79M	{
91	1.79M	NDPI_LOG_DBG(ndpi_struct, "search apple_push\n");
92
93	1.79M	ndpi_check_apple_push(ndpi_struct, flow);
94	1.79M	}
95
96
97		void init_apple_push_dissector(struct ndpi_detection_module_struct *ndpi_struct)
98	16.8k	{
99	16.8k	register_dissector("APPLE_PUSH", ndpi_struct,
100	16.8k	ndpi_search_apple_push,
101	16.8k	NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
102	16.8k	1, NDPI_PROTOCOL_APPLE_PUSH);
103	16.8k	}
104

Coverage Report

Created: 2025-08-03 06:32