/src/ndpi/src/lib/protocols/nest_log_sink.c

Source
/*
 * nest_log_sink.c
 *
 * Copyright (C) 2009-11 - ipoque GmbH
 * Copyright (C) 2011-25 - ntop.org
 * Copyright (C) 2018 - eGloo Incorporated
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO      NDPI_PROTOCOL_NEST_LOG_SINK

#include "ndpi_api.h"
#include "ndpi_private.h"

#define NEST_LOG_SINK_PORT          11095
#define NEST_LOG_SINK_MIN_LEN       8
#define NEST_LOG_SINK_MIN_MATCH     3

static void ndpi_search_nest_log_sink(struct ndpi_detection_module_struct *ndpi_struct,
                                      struct ndpi_flow_struct *flow)
{
    struct ndpi_packet_struct *packet = &ndpi_struct->packet;

    NDPI_LOG_DBG(ndpi_struct, "search nest_log_sink\n");

    if (packet->payload_packet_len < NEST_LOG_SINK_MIN_LEN) {
        NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
        return;
    }

    if (ntohs(packet->tcp->source) != NEST_LOG_SINK_PORT &&
            ntohs(packet->tcp->dest) != NEST_LOG_SINK_PORT) {
        NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
        return;
    }

    if (packet->payload[1] <= 0x02 &&
            (packet->payload[2] == 0x00 || packet->payload[2] == 0x10) &&
            packet->payload[3] == 0x13)
        flow->l4.tcp.nest_log_sink_matches++;

    if (flow->l4.tcp.nest_log_sink_matches == NEST_LOG_SINK_MIN_MATCH) {
        NDPI_LOG_INFO(ndpi_struct, "found nest_log_sink\n");
        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NEST_LOG_SINK, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
    }
}

void init_nest_log_sink_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  register_dissector("NEST_LOG_SINK", ndpi_struct,
                     ndpi_search_nest_log_sink,
                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                     1, NDPI_PROTOCOL_NEST_LOG_SINK);
}

Line	Count	Source
1		/*
2		* nest_log_sink.c
3		*
4		* Copyright (C) 2009-11 - ipoque GmbH
5		* Copyright (C) 2011-25 - ntop.org
6		* Copyright (C) 2018 - eGloo Incorporated
7		*
8		* This file is part of nDPI, an open source deep packet inspection
9		* library based on the OpenDPI and PACE technology by ipoque GmbH
10		*
11		* nDPI is free software: you can redistribute it and/or modify
12		* it under the terms of the GNU Lesser General Public License as published by
13		* the Free Software Foundation, either version 3 of the License, or
14		* (at your option) any later version.
15		*
16		* nDPI is distributed in the hope that it will be useful,
17		* but WITHOUT ANY WARRANTY; without even the implied warranty of
18		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19		* GNU Lesser General Public License for more details.
20		*
21		* You should have received a copy of the GNU Lesser General Public License
22		* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
23		*
24		*/
25
26		#include "ndpi_protocol_ids.h"
27
28		#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NEST_LOG_SINK
29
30		#include "ndpi_api.h"
31		#include "ndpi_private.h"
32
33	4.98M	#define NEST_LOG_SINK_PORT 11095
34	2.29M	#define NEST_LOG_SINK_MIN_LEN 8
35	14.3k	#define NEST_LOG_SINK_MIN_MATCH 3
36
37		static void ndpi_search_nest_log_sink(struct ndpi_detection_module_struct *ndpi_struct,
38		struct ndpi_flow_struct *flow)
39	2.29M	{
40	2.29M	struct ndpi_packet_struct *packet = &ndpi_struct->packet;
41
42	2.29M	NDPI_LOG_DBG(ndpi_struct, "search nest_log_sink\n");
43
44	2.29M	if (packet->payload_packet_len < NEST_LOG_SINK_MIN_LEN) {
45	629k	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
46	629k	return;
47	629k	}
48
49	1.66M	if (ntohs(packet->tcp->source) != NEST_LOG_SINK_PORT &&
50	1.66M	ntohs(packet->tcp->dest) != NEST_LOG_SINK_PORT) {
51	1.64M	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
52	1.64M	return;
53	1.64M	}
54
55	14.3k	if (packet->payload[1] <= 0x02 &&
56	8.24k	(packet->payload[2] == 0x00 \|\| packet->payload[2] == 0x10) &&
57	5.74k	packet->payload[3] == 0x13)
58	3.15k	flow->l4.tcp.nest_log_sink_matches++;
59
60	14.3k	if (flow->l4.tcp.nest_log_sink_matches == NEST_LOG_SINK_MIN_MATCH) {
61	777	NDPI_LOG_INFO(ndpi_struct, "found nest_log_sink\n");
62	777	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NEST_LOG_SINK, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
63	777	}
64	14.3k	}
65
66		void init_nest_log_sink_dissector(struct ndpi_detection_module_struct *ndpi_struct)
67	8.03k	{
68	8.03k	register_dissector("NEST_LOG_SINK", ndpi_struct,
69	8.03k	ndpi_search_nest_log_sink,
70	8.03k	NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
71	8.03k	1, NDPI_PROTOCOL_NEST_LOG_SINK);
72	8.03k	}

Coverage Report

Created: 2025-11-02 06:47