/src/ndpi/src/lib/protocols/gnutella.c

Source
/*
 * gnutella.c
 *
 * Copyright (C) 2009-11 - ipoque GmbH
 * Copyright (C) 2011-25 - ntop.org
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 * 
 */

#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GNUTELLA

#include "ndpi_api.h"
#include "ndpi_private.h"


static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
               struct ndpi_flow_struct *flow,
               ndpi_confidence_t confidence)
{
  NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n");
  ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA,
              confidence);
}

static void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n");

  if (packet->tcp != NULL) {
    if (packet->payload_packet_len > 17 && memcmp(packet->payload, "GNUTELLA CONNECT/", 17) == 0) {
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
      /* Extract some metadata HTTP-like */
      ndpi_parse_packet_line_info(ndpi_struct, flow);
      if(packet->user_agent_line.ptr != NULL)
        ndpi_user_agent_set(flow, packet->user_agent_line.ptr, packet->user_agent_line.len);
      return;
    }
  } else if (packet->udp != NULL) {
    /* Check for Mojito-DHT encapsulated gnutella (gtk-gnutella). */
    if (packet->payload_packet_len > 23) {
      u_int32_t gnutella_payload_len = le32toh(get_u_int32_t(packet->payload, 19));

      if (gnutella_payload_len == (u_int32_t)packet->payload_packet_len - 23 &&
          ((packet->payload_packet_len > 27 &&
           ntohl(get_u_int32_t(packet->payload, 24)) == 0x47544b47 /* GTKG */) ||
           ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 4)) == 0x82514b40)) {
        NDPI_LOG_DBG2(ndpi_struct, "detected mojito-dht/gnutella udp\n");
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
        return;
      }
    }

    if (packet->payload_packet_len >= 4 && memcmp(packet->payload, "GND\x10", 4) == 0) {
      NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, GND (2)\n");
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
      return;
    }
  }

  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
}


void init_gnutella_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  register_dissector("Gnutella", ndpi_struct,
                     ndpi_search_gnutella,
                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                     1, NDPI_PROTOCOL_GNUTELLA);
}


Line	Count	Source
1		/*
2		* gnutella.c
3		*
4		* Copyright (C) 2009-11 - ipoque GmbH
5		* Copyright (C) 2011-25 - ntop.org
6		*
7		* This file is part of nDPI, an open source deep packet inspection
8		* library based on the OpenDPI and PACE technology by ipoque GmbH
9		*
10		* nDPI is free software: you can redistribute it and/or modify
11		* it under the terms of the GNU Lesser General Public License as published by
12		* the Free Software Foundation, either version 3 of the License, or
13		* (at your option) any later version.
14		*
15		* nDPI is distributed in the hope that it will be useful,
16		* but WITHOUT ANY WARRANTY; without even the implied warranty of
17		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18		* GNU Lesser General Public License for more details.
19		*
20		* You should have received a copy of the GNU Lesser General Public License
21		* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
22		*
23		*/
24
25		#include "ndpi_protocol_ids.h"
26
27		#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GNUTELLA
28
29		#include "ndpi_api.h"
30		#include "ndpi_private.h"
31
32
33		static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
34		struct ndpi_flow_struct *flow,
35		ndpi_confidence_t confidence)
36	52.1k	{
37	52.1k	NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n");
38	52.1k	ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA,
39	52.1k	confidence);
40	52.1k	}
41
42		static void ndpi_search_gnutella(struct ndpi_detection_module_struct ndpi_struct, struct ndpi_flow_struct flow)
43	3.01M	{
44	3.01M	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
45
46	3.01M	NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n");
47
48	3.01M	if (packet->tcp != NULL) {
49	2.30M	if (packet->payload_packet_len > 17 && memcmp(packet->payload, "GNUTELLA CONNECT/", 17) == 0) {
50	4.42k	ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
51		/* Extract some metadata HTTP-like */
52	4.42k	ndpi_parse_packet_line_info(ndpi_struct, flow);
53	4.42k	if(packet->user_agent_line.ptr != NULL)
54	4.04k	ndpi_user_agent_set(flow, packet->user_agent_line.ptr, packet->user_agent_line.len);
55	4.42k	return;
56	4.42k	}
57	2.30M	} else if (packet->udp != NULL) {
58		/* Check for Mojito-DHT encapsulated gnutella (gtk-gnutella). */
59	711k	if (packet->payload_packet_len > 23) {
60	575k	u_int32_t gnutella_payload_len = le32toh(get_u_int32_t(packet->payload, 19));
61
62	575k	if (gnutella_payload_len == (u_int32_t)packet->payload_packet_len - 23 &&
63	34.2k	((packet->payload_packet_len > 27 &&
64	34.2k	ntohl(get_u_int32_t(packet->payload, 24)) == 0x47544b47 /* GTKG */) \|\|
65	34.2k	ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 4)) == 0x82514b40)) {
66	27.3k	NDPI_LOG_DBG2(ndpi_struct, "detected mojito-dht/gnutella udp\n");
67	27.3k	ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
68	27.3k	return;
69	27.3k	}
70	575k	}
71
72	684k	if (packet->payload_packet_len >= 4 && memcmp(packet->payload, "GND\x10", 4) == 0) {
73	20.3k	NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, GND (2)\n");
74	20.3k	ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
75	20.3k	return;
76	20.3k	}
77	684k	}
78
79	2.96M	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
80	2.96M	}
81
82
83		void init_gnutella_dissector(struct ndpi_detection_module_struct *ndpi_struct)
84	8.03k	{
85	8.03k	register_dissector("Gnutella", ndpi_struct,
86	8.03k	ndpi_search_gnutella,
87	8.03k	NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
88	8.03k	1, NDPI_PROTOCOL_GNUTELLA);
89	8.03k	}
90

Coverage Report

Created: 2025-11-02 06:47