/src/ndpi/src/lib/protocols/sbe.c

Source
/*
 * sbe.c
 *
 * Copyright (C) 2026 - ntop.org
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SBE

#include "ndpi_api.h"
#include "ndpi_define.h"
#include "ndpi_private.h"
#include "ndpi_typedefs.h"

#include <stdint.h>

PACK_ON
struct SOFH {
  // Simple Open Framing Header
  uint32_t message_length;
  uint16_t encoding_type;
} PACK_OFF;

PACK_ON
struct SBE {
  // Simple Binary Encoding
  uint16_t block_length;
  uint16_t template_id;
  uint16_t schema_id;
  uint16_t version;
} PACK_OFF;

/**
 * SBE Protocol:
 *   SBE Header
 *   Root block (fixed fields)
 *   Repeating groups
 *     group header
 *     elements
 *   Variable fields
 *     length + bytes
 */

static void ndpi_int_sbe_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
                                        struct ndpi_flow_struct * const flow)
{
  NDPI_LOG_INFO(ndpi_struct, "found SBE (Simple Binary Encoding)\n");
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
    ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_SBE, NDPI_CONFIDENCE_DPI);
  } else {
    ndpi_set_detected_protocol(ndpi_struct, flow,
                               NDPI_PROTOCOL_SBE,
                               NDPI_PROTOCOL_UNKNOWN,
                               NDPI_CONFIDENCE_DPI);
  }
}

void ndpi_search_sbe(struct ndpi_detection_module_struct *ndpi_struct,
                     struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search SBE (Simple Binary Encoding)\n");

  if (packet->payload_packet_len < sizeof(struct SOFH) + sizeof(struct SBE)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }
  struct SOFH const * const header = (struct SOFH *)&packet->payload[0];

  int is_little_endian;
  if (header->encoding_type == ntohs(0xEB50)) {
    is_little_endian = 1;
  } else if (header->encoding_type == ntohs(0x50EB)) {
    is_little_endian = 0;
  } else {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  if (packet->udp != NULL && packet->payload_packet_len != ntohl(header->message_length)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }
  if (packet->tcp != NULL && packet->payload_packet_len > ntohl(header->message_length)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  struct SBE const * const sbe = (struct SBE *)(header + 1);
  const uint16_t block_length = (is_little_endian == 0 ? be16toh(sbe->block_length)
                                                       : le16toh(sbe->block_length));
  if (packet->payload_packet_len < block_length + sizeof(*header) + sizeof(*sbe)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  ndpi_int_sbe_add_connection(ndpi_struct, flow);
}

void init_sbe_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  ndpi_register_dissector("SimpleBinaryEncoding", ndpi_struct,
                          ndpi_search_sbe,
                          NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                          1, NDPI_PROTOCOL_SBE);
}

Line	Count	Source
1		/*
2		* sbe.c
3		*
4		* Copyright (C) 2026 - ntop.org
5		*
6		* nDPI is free software: you can redistribute it and/or modify
7		* it under the terms of the GNU Lesser General Public License as published by
8		* the Free Software Foundation, either version 3 of the License, or
9		* (at your option) any later version.
10		*
11		* nDPI is distributed in the hope that it will be useful,
12		* but WITHOUT ANY WARRANTY; without even the implied warranty of
13		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		* GNU Lesser General Public License for more details.
15		*
16		* You should have received a copy of the GNU Lesser General Public License
17		* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
18		*
19		*/
20
21		#include "ndpi_protocol_ids.h"
22
23		#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SBE
24
25		#include "ndpi_api.h"
26		#include "ndpi_define.h"
27		#include "ndpi_private.h"
28		#include "ndpi_typedefs.h"
29
30		#include <stdint.h>
31
32		PACK_ON
33		struct SOFH {
34		// Simple Open Framing Header
35		uint32_t message_length;
36		uint16_t encoding_type;
37		} PACK_OFF;
38
39		PACK_ON
40		struct SBE {
41		// Simple Binary Encoding
42		uint16_t block_length;
43		uint16_t template_id;
44		uint16_t schema_id;
45		uint16_t version;
46		} PACK_OFF;
47
48		/**
49		* SBE Protocol:
50		* SBE Header
51		* Root block (fixed fields)
52		* Repeating groups
53		* group header
54		* elements
55		* Variable fields
56		* length + bytes
57		*/
58
59		static void ndpi_int_sbe_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
60		struct ndpi_flow_struct * const flow)
61	336	{
62	336	NDPI_LOG_INFO(ndpi_struct, "found SBE (Simple Binary Encoding)\n");
63	336	if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
64	0	ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_SBE, NDPI_CONFIDENCE_DPI);
65	336	} else {
66	336	ndpi_set_detected_protocol(ndpi_struct, flow,
67	336	NDPI_PROTOCOL_SBE,
68	336	NDPI_PROTOCOL_UNKNOWN,
69	336	NDPI_CONFIDENCE_DPI);
70	336	}
71	336	}
72
73		void ndpi_search_sbe(struct ndpi_detection_module_struct *ndpi_struct,
74		struct ndpi_flow_struct *flow)
75	4.09M	{
76	4.09M	struct ndpi_packet_struct * const packet = &ndpi_struct->packet;
77
78	4.09M	NDPI_LOG_DBG(ndpi_struct, "search SBE (Simple Binary Encoding)\n");
79
80	4.09M	if (packet->payload_packet_len < sizeof(struct SOFH) + sizeof(struct SBE)) {
81	1.29M	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
82	1.29M	return;
83	1.29M	}
84	2.80M	struct SOFH const * const header = (struct SOFH *)&packet->payload[0];
85
86	2.80M	int is_little_endian;
87	2.80M	if (header->encoding_type == ntohs(0xEB50)) {
88	1.04k	is_little_endian = 1;
89	2.80M	} else if (header->encoding_type == ntohs(0x50EB)) {
90	276	is_little_endian = 0;
91	2.80M	} else {
92	2.80M	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
93	2.80M	return;
94	2.80M	}
95
96	1.32k	if (packet->udp != NULL && packet->payload_packet_len != ntohl(header->message_length)) {
97	485	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
98	485	return;
99	485	}
100	840	if (packet->tcp != NULL && packet->payload_packet_len > ntohl(header->message_length)) {
101	138	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
102	138	return;
103	138	}
104
105	702	struct SBE const * const sbe = (struct SBE *)(header + 1);
106	702	const uint16_t block_length = (is_little_endian == 0 ? be16toh(sbe->block_length)
107	702	: le16toh(sbe->block_length));
108	702	if (packet->payload_packet_len < block_length + sizeof(header) + sizeof(sbe)) {
109	366	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
110	366	return;
111	366	}
112
113	336	ndpi_int_sbe_add_connection(ndpi_struct, flow);
114	336	}
115
116		void init_sbe_dissector(struct ndpi_detection_module_struct *ndpi_struct)
117	20.3k	{
118	20.3k	ndpi_register_dissector("SimpleBinaryEncoding", ndpi_struct,
119	20.3k	ndpi_search_sbe,
120	20.3k	NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
121	20.3k	1, NDPI_PROTOCOL_SBE);
122	20.3k	}

Coverage Report

Created: 2026-06-25 07:00