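/*
 * Release the nDPI detection state attached to a reader flow.
 *
 * The pointer is cleared after the release, so calling this again on the
 * same flow is a no-op rather than a double free.
 */
void ndpi_free_flow_info_half(struct ndpi_flow_info *flow) {
  if(flow->ndpi_flow) {
    ndpi_flow_free(flow->ndpi_flow);
    flow->ndpi_flow = NULL;
  }
}

/*
 * Release the per-protocol arrays owned by a statistics block.
 *
 * Each array may be NULL (ndpi_stats_init() can fail part-way), so every
 * release is guarded. The pointers are cleared afterwards so that a later
 * ndpi_stats_reset() or a repeated ndpi_stats_free() sees NULL instead of a
 * stale address. The structure itself is not freed.
 */
void ndpi_stats_free(ndpi_stats_t *s) {
  if(s->protocol_counter) {
    ndpi_free(s->protocol_counter);
    s->protocol_counter = NULL;
  }
  if(s->protocol_counter_bytes) {
    ndpi_free(s->protocol_counter_bytes);
    s->protocol_counter_bytes = NULL;
  }
  if(s->protocol_flows) {
    ndpi_free(s->protocol_flows);
    s->protocol_flows = NULL;
  }
  if(s->fpc_protocol_counter) {
    ndpi_free(s->fpc_protocol_counter);
    s->fpc_protocol_counter = NULL;
  }
  if(s->fpc_protocol_counter_bytes) {
    ndpi_free(s->fpc_protocol_counter_bytes);
    s->fpc_protocol_counter_bytes = NULL;
  }
  if(s->fpc_protocol_flows) {
    ndpi_free(s->fpc_protocol_flows);
    s->fpc_protocol_flows = NULL;
  }

  s->num_protocols = 0;
}

/*
 * Zero a statistics block and allocate its six per-protocol arrays, each
 * with num_protocols elements.
 *
 * Returns 1 on success and 0 if any allocation failed. On failure the arrays
 * that were allocated stay attached to `s` and num_protocols stays set; the
 * caller has to release them with ndpi_stats_free().
 */
int ndpi_stats_init(ndpi_stats_t *s, uint32_t num_protocols) {
  /* Start from an all-zero structure so every array pointer is NULL until assigned */
  memset(s, 0, sizeof(*s));
  s->num_protocols = num_protocols;

  s->protocol_counter           = ndpi_calloc(num_protocols, sizeof(u_int64_t));
  s->protocol_counter_bytes     = ndpi_calloc(num_protocols, sizeof(u_int64_t));
  s->protocol_flows             = ndpi_calloc(num_protocols, sizeof(u_int32_t));
  s->fpc_protocol_counter       = ndpi_calloc(num_protocols, sizeof(u_int64_t));
  s->fpc_protocol_counter_bytes = ndpi_calloc(num_protocols, sizeof(u_int64_t));
  s->fpc_protocol_flows         = ndpi_calloc(num_protocols, sizeof(u_int32_t));

  if(!s->protocol_counter || !s->protocol_counter_bytes || !s->protocol_flows ||
     !s->fpc_protocol_counter || !s->fpc_protocol_counter_bytes || !s->fpc_protocol_flows) {

    LOG(NDPI_LOG_ERROR, "[NDPI] %s: error allocating memory for ndpi_stats\n", __FUNCTION__);
    return 0;
  }
  return 1;
}

/*
 * Set every counter in a statistics block back to zero without releasing
 * or reallocating anything.
 *
 * The per-protocol arrays are cleared for s->num_protocols elements, so
 * num_protocols must still match the size they were allocated with.
 */
void ndpi_stats_reset(ndpi_stats_t *s) {
  memset(s->flow_count, 0, sizeof(s->flow_count));
  s->guessed_flow_protocols = 0;
  s->raw_packet_count = 0;
  s->ip_packet_count = 0;
  s->total_wire_bytes = 0;
  s->total_ip_bytes = 0;
  s->total_discarded_bytes = 0;
  s->ndpi_flow_count = 0;
  s->tcp_count = 0;
  s->udp_count = 0;
  s->mpls_count = 0;
  s->pppoe_count = 0;
  s->vlan_count = 0;
  s->fragmented_count = 0;
  s->max_packet_len = 0;
  s->num_dissector_calls = 0;

  /* Arrays embedded in the structure: sizeof gives their full size */
  memset(s->packet_len, 0, sizeof(s->packet_len));
  memset(s->dpi_packet_count, 0, sizeof(s->dpi_packet_count));
  memset(s->flow_confidence, 0, sizeof(s->flow_confidence));
  memset(s->fpc_flow_confidence, 0, sizeof(s->fpc_flow_confidence));
  memset(s->category_counter, 0, sizeof(s->category_counter));
  memset(s->category_counter_bytes, 0, sizeof(s->category_counter_bytes));
  memset(s->category_flows, 0, sizeof(s->category_flows));
  memset(s->lru_stats, 0, sizeof(s->lru_stats));
  memset(s->automa_stats, 0, sizeof(s->automa_stats));
  memset(s->patricia_stats, 0, sizeof(s->patricia_stats));
  memset(s->hash_stats, 0, sizeof(s->hash_stats));

  /* Heap arrays: skip the ones that were never allocated */
  if(s->protocol_counter)           memset(s->protocol_counter, 0, sizeof(u_int64_t) * s->num_protocols);
  if(s->protocol_counter_bytes)     memset(s->protocol_counter_bytes, 0, sizeof(u_int64_t) * s->num_protocols);
  if(s->protocol_flows)             memset(s->protocol_flows, 0, sizeof(u_int32_t) * s->num_protocols);
  if(s->fpc_protocol_counter)       memset(s->fpc_protocol_counter, 0, sizeof(u_int64_t) * s->num_protocols);
  if(s->fpc_protocol_counter_bytes) memset(s->fpc_protocol_counter_bytes, 0, sizeof(u_int64_t) * s->num_protocols);
  if(s->fpc_protocol_flows)         memset(s->fpc_protocol_flows, 0, sizeof(u_int32_t) * s->num_protocols);
}

/*
 * ndpi_workflow_init: create a detection module and the workflow that owns it.
 *
 * NOTE(review): this listing starts at the last parameter of the signature.
 * The return type, the function name and the parameters used below (prefs,
 * pcap_handle, do_init_flows_root, serialization_format) are declared on
 * earlier source lines that are not shown, so the code is kept exactly as
 * captured.
 *
 * Returns the new workflow, or NULL when the detection module, the workflow
 * or the flow-root table cannot be allocated; every failure path releases
 * what had been created up to that point. `prefs` is dereferenced without a
 * NULL check.
 */
					 struct ndpi_global_context *g_ctx) {
  struct ndpi_detection_module_struct * module;
  struct ndpi_workflow * workflow;

  module = ndpi_init_detection_module(g_ctx);

  if(module == NULL) {
    LOG(NDPI_LOG_ERROR, "global structure initialization failed\n");
    return NULL;
  }

  workflow = ndpi_calloc(1, sizeof(struct ndpi_workflow));
  if(workflow == NULL) {
    LOG(NDPI_LOG_ERROR, "global structure initialization failed\n");
    ndpi_exit_detection_module(module);
    return NULL;
  }

  workflow->pcap_handle = pcap_handle;
  workflow->prefs       = *prefs;
  workflow->ndpi_struct = module;

  ndpi_set_user_data(module, workflow);

  /* When this flag is off, ndpi_flows_root keeps the value ndpi_calloc() gave it */
  if(do_init_flows_root) {
    workflow->ndpi_flows_root = ndpi_calloc(workflow->prefs.num_roots, sizeof(void *));

    if(!workflow->ndpi_flows_root) {
      ndpi_exit_detection_module(module);
      ndpi_free(workflow);
      return NULL;
    }
  }

  workflow->ndpi_serialization_format = serialization_format;

  return workflow;
}

/*
 * Tree-node destructor: release everything a flow owns, then the flow
 * itself. ndpi_workflow_free() passes it to ndpi_tdestroy().
 */
void ndpi_flow_info_freer(void *node) {
  struct ndpi_flow_info *flow = (struct ndpi_flow_info*)node;

  ndpi_flow_info_free_data(flow);
  ndpi_free(flow);
}

/*
 * Release every resource owned by a flow record, leaving the record itself
 * allocated.
 *
 * The string pointers are cleared after they are freed, so a caller that
 * keeps the record cannot free them a second time through this function.
 */
void ndpi_flow_info_free_data(struct ndpi_flow_info *flow) {
  ndpi_free_flow_info_half(flow);
  ndpi_term_serializer(&flow->ndpi_flow_serializer);
  ndpi_free_flow_data_analysis(flow);
  ndpi_free_flow_tls_data(flow);

#ifdef DIRECTION_BINS
  ndpi_free_bin(&flow->payload_len_bin_src2dst);
  ndpi_free_bin(&flow->payload_len_bin_dst2src);
#else
  ndpi_free_bin(&flow->payload_len_bin);
#endif

  if(flow->src_name) {
    ndpi_free(flow->src_name);
    flow->src_name = NULL;
  }
  if(flow->dst_name) {
    ndpi_free(flow->dst_name);
    flow->dst_name = NULL;
  }
  if(flow->tcp_fingerprint) {
    ndpi_free(flow->tcp_fingerprint);
    flow->tcp_fingerprint = NULL;
  }
  if(flow->risk_str) {
    ndpi_free(flow->risk_str);
    flow->risk_str = NULL;
  }
  if(flow->flow_payload) {
    ndpi_free(flow->flow_payload);
    flow->flow_payload = NULL;
  }
}

/*
 * Tear down a workflow: destroy every flow tree, optionally dump the address
 * cache, shut down the detection module and free the workflow.
 *
 * The workflow pointer is invalid once this returns.
 */
void ndpi_workflow_free(struct ndpi_workflow * workflow) {
  u_int i;

  /*
   * ndpi_workflow_init() only allocates the root table when asked to, so the
   * table may be absent; indexing it unguarded would dereference NULL.
   */
  if(workflow->ndpi_flows_root != NULL) {
    for(i=0; i<workflow->prefs.num_roots; i++)
      ndpi_tdestroy(workflow->ndpi_flows_root[i], ndpi_flow_info_freer);
  }

  /* The dump needs the detection module, so it runs before the module is shut down */
  if(addr_dump_path != NULL)
    ndpi_cache_address_dump(workflow->ndpi_struct, addr_dump_path, 0);

  ndpi_exit_detection_module(workflow->ndpi_struct);
  ndpi_free(workflow->ndpi_flows_root);

  ndpi_stats_free(&workflow->stats);

  ndpi_free(workflow);
}

/*
 * Ordering function for the flow trees.
 *
 * Compares two flows by hash value first, then by VLAN id, protocol, source
 * address, source port, destination address and destination port. Returns a
 * negative value, zero or a positive value in the usual comparator sense.
 */
int ndpi_workflow_node_cmp(const void *a, const void *b) {
  const struct ndpi_flow_info *fa = (const struct ndpi_flow_info*)a;
  const struct ndpi_flow_info *fb = (const struct ndpi_flow_info*)b;
  int r;

  if(fa->hashval < fb->hashval) return(-1);
  if(fa->hashval > fb->hashval) return(1);

  /* Flows have the same hash */

  if(fa->vlan_id < fb->vlan_id) return(-1);
  if(fa->vlan_id > fb->vlan_id) return(1);

  if(fa->protocol < fb->protocol) return(-1);
  if(fa->protocol > fb->protocol) return(1);

  r = cmp_n32(fa->src_ip, fb->src_ip);
  if(r) return r;

  r = cmp_n16(fa->src_port, fb->src_port);
  if(r) return r;

  r = cmp_n32(fa->dst_ip, fb->dst_ip);
  if(r) return r;

  return(cmp_n16(fa->dst_port, fb->dst_port));
}

/*
 * Return 1 when `id` is either the master or the application protocol
 * detected for the flow, 0 otherwise.
 */
u_int8_t is_ndpi_proto(struct ndpi_flow_info *flow, u_int16_t id) {
  if((flow->detected_protocol.proto.master_protocol == id)
     || (flow->detected_protocol.proto.app_protocol == id))
    return(1);

  return(0);
}

/*
 * Replace every ',' in a NUL-terminated string with ';', in place, so the
 * value can be written as one CSV field. A NULL pointer is ignored.
 */
void correct_csv_data_field(char* data) {
  /* Replace , with ; to avoid issues with CSVs */
  u_int i;

  if(data == NULL)
    return;

  for(i=0; data[i] != '\0'; i++) {
    if(data[i] == ',')
      data[i] = ';';
  }
}

/* plen2slot continues on the following line of the listing and is left as captured */
plen2slot: 1093| 88.3k|u_int8_t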
plen2slot(u_int16_t plen) { 1094| | /* 1095| | Slots [32 bytes lenght] 1096| | 0..31, 32..63 ... 1097| | */ 1098| | 1099| 88.3k| if(plen > PLEN_MAX) ------------------ | | 57| 88.3k|#define PLEN_MAX 1504 ------------------ | Branch (1099:6): [True: 427, False: 87.9k] ------------------ 1100| 427| return(PLEN_NUM_BINS-1); ------------------ | | 59| 427|#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */ ------------------ 1101| 87.9k| else 1102| 87.9k| return(plen/PLEN_BIN_LEN); ------------------ | | 58| 87.9k|#define PLEN_BIN_LEN 32 ------------------ 1103| 88.3k|} process_ndpi_collected_info: 1291| 10.2k|void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) { 1292| 10.2k| u_int i; 1293| 10.2k| char out[512], *s; 1294| | 1295| 10.2k| if(!flow->ndpi_flow) return; ------------------ | Branch (1295:6): [True: 0, False: 10.2k] ------------------ 1296| | 1297| 10.2k| flow->info_type = INFO_INVALID; 1298| | 1299| 10.2k| s = ndpi_get_flow_risk_info(flow->ndpi_flow, out, sizeof(out), 0 /* text */); 1300| | 1301| 10.2k| if(s != NULL) ------------------ | Branch (1301:6): [True: 7.24k, False: 3.01k] ------------------ 1302| 7.24k| flow->risk_str = ndpi_strdup(s); 1303| | 1304| 10.2k| flow->confidence = flow->ndpi_flow->confidence; 1305| | 1306| 10.2k| flow->num_dissector_calls = flow->ndpi_flow->num_dissector_calls; 1307| | 1308| 10.2k| ndpi_snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", 1309| 10.2k| flow->ndpi_flow->host_server_name); 1310| | 1311| 10.2k| if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_MINING)) { ------------------ | Branch (1311:6): [True: 0, False: 10.2k] ------------------ 1312| 0| ndpi_snprintf(flow->mining.currency, sizeof(flow->mining.currency), "%s", 1313| 0| flow->ndpi_flow->protos.mining.currency); 1314| 0| } 1315| | 1316| 10.2k| flow->risk = flow->ndpi_flow->risk; 1317| | 1318| 10.2k| if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, 
NDPI_PROTOCOL_DHCP)) { ------------------ | Branch (1318:6): [True: 98, False: 10.1k] ------------------ 1319| 98| if(flow->ndpi_flow->protos.dhcp.fingerprint[0] != '\0') ------------------ | Branch (1319:8): [True: 93, False: 5] ------------------ 1320| 93| flow->dhcp_fingerprint = ndpi_strdup(flow->ndpi_flow->protos.dhcp.fingerprint); 1321| | 1322| 98| if(flow->ndpi_flow->protos.dhcp.class_ident[0] != '\0') ------------------ | Branch (1322:8): [True: 84, False: 14] ------------------ 1323| 84| flow->dhcp_class_ident = ndpi_strdup(flow->ndpi_flow->protos.dhcp.class_ident); 1324| 10.1k| } else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_BITTORRENT) && ------------------ | Branch (1324:13): [True: 1.54k, False: 8.61k] ------------------ 1325| 1.54k| !ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_DNS) && ------------------ | Branch (1325:13): [True: 1.54k, False: 0] ------------------ 1326| 1.54k| !ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_TLS)) { ------------------ | Branch (1326:13): [True: 1.54k, False: 0] ------------------ 1327| 1.54k| u_int j; 1328| | 1329| 1.54k| if(flow->ndpi_flow->protos.bittorrent.hash[0] != '\0') { ------------------ | Branch (1329:8): [True: 1.53k, False: 15] ------------------ 1330| 1.53k| u_int avail = sizeof(flow->ndpi_flow->protos.bittorrent.hash) * 2 + 1; 1331| 1.53k| flow->bittorent_hash = ndpi_malloc(avail); 1332| | 1333| 1.53k| if(flow->bittorent_hash) { ------------------ | Branch (1333:10): [True: 1.44k, False: 92] ------------------ 1334| 30.2k| for(i=0, j = 0; i < sizeof(flow->ndpi_flow->protos.bittorrent.hash); i++) { ------------------ | Branch (1334:25): [True: 28.8k, False: 1.44k] ------------------ 1335| 28.8k| snprintf(&flow->bittorent_hash[j], avail-j, "%02x", 1336| 28.8k| flow->ndpi_flow->protos.bittorrent.hash[i]); 1337| | 1338| 28.8k| j += 2; 1339| 28.8k| } 1340| | 1341| 1.44k| flow->bittorent_hash[j] = '\0'; 1342| 1.44k| 
} 1343| 1.53k| } 1344| 1.54k| } 1345| | /* TIVOCONNECT */ 1346| 8.61k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_TIVOCONNECT)) { ------------------ | Branch (1346:11): [True: 11, False: 8.60k] ------------------ 1347| 11| flow->info_type = INFO_TIVOCONNECT; 1348| 11| ndpi_snprintf(flow->tivoconnect.identity_uuid, sizeof(flow->tivoconnect.identity_uuid), 1349| 11| "%s", flow->ndpi_flow->protos.tivoconnect.identity_uuid); 1350| 11| ndpi_snprintf(flow->tivoconnect.machine, sizeof(flow->tivoconnect.machine), 1351| 11| "%s", flow->ndpi_flow->protos.tivoconnect.machine); 1352| 11| ndpi_snprintf(flow->tivoconnect.platform, sizeof(flow->tivoconnect.platform), 1353| 11| "%s", flow->ndpi_flow->protos.tivoconnect.platform); 1354| 11| ndpi_snprintf(flow->tivoconnect.services, sizeof(flow->tivoconnect.services), 1355| 11| "%s", flow->ndpi_flow->protos.tivoconnect.services); 1356| 11| } 1357| | /* SOFTETHER */ 1358| 8.60k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_SOFTETHER) && ------------------ | Branch (1358:11): [True: 0, False: 8.60k] ------------------ 1359| 0| !ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_HTTP)) { ------------------ | Branch (1359:7): [True: 0, False: 0] ------------------ 1360| 0| flow->info_type = INFO_SOFTETHER; 1361| 0| ndpi_snprintf(flow->softether.ip, sizeof(flow->softether.ip), "%s", 1362| 0| flow->ndpi_flow->protos.softether.ip); 1363| 0| ndpi_snprintf(flow->softether.port, sizeof(flow->softether.port), "%s", 1364| 0| flow->ndpi_flow->protos.softether.port); 1365| 0| ndpi_snprintf(flow->softether.hostname, sizeof(flow->softether.hostname), "%s", 1366| 0| flow->ndpi_flow->protos.softether.hostname); 1367| 0| ndpi_snprintf(flow->softether.fqdn, sizeof(flow->softether.fqdn), "%s", 1368| 0| flow->ndpi_flow->protos.softether.fqdn); 1369| 0| } 1370| | /* SERVICE_LOCATION */ 1371| 8.60k| else 
if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_SERVICE_LOCATION)) { ------------------ | Branch (1371:11): [True: 1, False: 8.60k] ------------------ 1372| 1| size_t i; 1373| | 1374| 1| flow->info_type = INFO_GENERIC; 1375| 1| flow->info[0] = 0; 1376| 1| if (flow->ndpi_flow->protos.slp.url_count > 0) ------------------ | Branch (1376:9): [True: 0, False: 1] ------------------ 1377| 0| strncat(flow->info, "URL(s): ", sizeof(flow->info)-1); 1378| | 1379| 1| for (i = 0; i < flow->ndpi_flow->protos.slp.url_count; ++i) { ------------------ | Branch (1379:17): [True: 0, False: 1] ------------------ 1380| 0| size_t length = strlen(flow->info); 1381| | 1382| 0| strncat(flow->info + length, flow->ndpi_flow->protos.slp.url[i], 1383| 0| sizeof(flow->info) - length); 1384| 0| length = strlen(flow->info); 1385| | 1386| 0| if (i < (size_t)flow->ndpi_flow->protos.slp.url_count - 1) ------------------ | Branch (1386:11): [True: 0, False: 0] ------------------ 1387| 0| strncat(flow->info + length, ", ", sizeof(flow->info) - length); 1388| 0| } 1389| 1| } 1390| | /* NATPMP */ 1391| 8.60k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_NATPMP)) { ------------------ | Branch (1391:11): [True: 0, False: 8.60k] ------------------ 1392| 0| flow->info_type = INFO_NATPMP; 1393| 0| flow->natpmp.result_code = flow->ndpi_flow->protos.natpmp.result_code; 1394| 0| flow->natpmp.internal_port = flow->ndpi_flow->protos.natpmp.internal_port; 1395| 0| flow->natpmp.external_port = flow->ndpi_flow->protos.natpmp.external_port; 1396| 0| inet_ntop(AF_INET, &flow->ndpi_flow->protos.natpmp.external_address.ipv4, &flow->natpmp.ip[0], sizeof(flow->natpmp.ip)); 1397| 0| } 1398| | /* DISCORD */ 1399| 8.60k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_DISCORD) && ------------------ | Branch (1399:11): [True: 0, False: 8.60k] ------------------ 1400| 0| 
!ndpi_stack_is_tls_like(&flow->detected_protocol.protocol_stack) && ------------------ | Branch (1400:11): [True: 0, False: 0] ------------------ 1401| 0| flow->ndpi_flow->protos.discord.client_ip[0] != '\0') { ------------------ | Branch (1401:11): [True: 0, False: 0] ------------------ 1402| 0| flow->info_type = INFO_GENERIC; 1403| 0| ndpi_snprintf(flow->info, sizeof(flow->info), "Client IP: %s", 1404| 0| flow->ndpi_flow->protos.discord.client_ip); 1405| 0| } 1406| | /* DNS */ 1407| 8.60k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_DNS)) { ------------------ | Branch (1407:11): [True: 1.37k, False: 7.22k] ------------------ 1408| 1.37k| if(flow->ndpi_flow->protos.dns.is_rsp_addr_ipv6[0] == 0) ------------------ | Branch (1408:8): [True: 1.37k, False: 0] ------------------ 1409| 1.37k| { 1410| 1.37k| flow->info_type = INFO_GENERIC; 1411| 1.37k| inet_ntop(AF_INET, &flow->ndpi_flow->protos.dns.rsp_addr[0].ipv4, flow->info, sizeof(flow->info)); 1412| 1.37k| } else { 1413| 0| flow->info_type = INFO_GENERIC; 1414| 0| inet_ntop(AF_INET6, &flow->ndpi_flow->protos.dns.rsp_addr[0].ipv6, flow->info, sizeof(flow->info)); 1415| | 1416| | /* For consistency across platforms replace :0: with :: */ 1417| 0| ndpi_patchIPv6Address(flow->info); 1418| 0| } 1419| | 1420| 1.37k| if(flow->ndpi_flow->protos.dns.geolocation_iata_code[0] != '\0') ------------------ | Branch (1420:8): [True: 0, False: 1.37k] ------------------ 1421| 0| strcpy(flow->dns.geolocation_iata_code, flow->ndpi_flow->protos.dns.geolocation_iata_code); 1422| | 1423| 1.37k| if(flow->ndpi_flow->protos.dns.ptr_domain_name[0] != '\0') ------------------ | Branch (1423:8): [True: 0, False: 1.37k] ------------------ 1424| 0| strcpy(flow->dns.ptr_domain_name, flow->ndpi_flow->protos.dns.ptr_domain_name); 1425| | 1426| 1.37k| flow->dns.transaction_id = flow->ndpi_flow->protos.dns.transaction_id; 1427| | 1428| |#if 0 1429| | if(0) { 1430| | u_int8_t i; 1431| | 1432| | for(i=0; 
indpi_flow->protos.dns.num_rsp_addr; i++) { 1433| | char buf[64]; 1434| | 1435| | if(flow->ndpi_flow->protos.dns.is_rsp_addr_ipv6[i] == 0) { 1436| | inet_ntop(AF_INET, &flow->ndpi_flow->protos.dns.rsp_addr[i].ipv4, buf, sizeof(buf)); 1437| | } else { 1438| | inet_ntop(AF_INET6, &flow->ndpi_flow->protos.dns.rsp_addr[i].ipv6, buf, sizeof(buf)); 1439| | } 1440| | 1441| | printf("(%s) %s [ttl: %u]\n", flow->host_server_name, buf, flow->ndpi_flow->protos.dns.rsp_addr_ttl[i]); 1442| | } 1443| | } 1444| |#endif 1445| 1.37k| } 1446| | /* MDNS */ 1447| 7.22k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_MDNS)) { ------------------ | Branch (1447:11): [True: 2, False: 7.21k] ------------------ 1448| 2| flow->info_type = INFO_GENERIC; 1449| 2| ndpi_snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->host_server_name); 1450| 2| } 1451| | /* UBNTAC2 */ 1452| 7.21k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_UBNTAC2)) { ------------------ | Branch (1452:11): [True: 0, False: 7.21k] ------------------ 1453| 0| flow->info_type = INFO_GENERIC; 1454| 0| ndpi_snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); 1455| 0| } 1456| | /* FTP, IMAP, SMTP, POP3 */ 1457| 7.21k| else if(!ndpi_stack_is_tls_like(&flow->detected_protocol.protocol_stack) && ------------------ | Branch (1457:11): [True: 4.92k, False: 2.29k] ------------------ 1458| 4.92k| (ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_FTP_CONTROL) || ------------------ | Branch (1458:12): [True: 0, False: 4.92k] ------------------ 1459| 4.92k| ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_MAIL_IMAP) || ------------------ | Branch (1459:5): [True: 0, False: 4.92k] ------------------ 1460| 4.92k| ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_MAIL_POP) || ------------------ | Branch (1460:5): [True: 0, False: 4.92k] 
------------------ 1461| 4.92k| ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_MAIL_SMTP))) { ------------------ | Branch (1461:5): [True: 0, False: 4.92k] ------------------ 1462| 0| flow->info_type = INFO_FTP_IMAP_POP_SMTP; 1463| 0| ndpi_snprintf(flow->ftp_imap_pop_smtp.username, 1464| 0| sizeof(flow->ftp_imap_pop_smtp.username), 1465| 0| "%s", flow->ndpi_flow->l4.tcp.ftp_imap_pop_smtp.username); 1466| 0| ndpi_snprintf(flow->ftp_imap_pop_smtp.password, 1467| 0| sizeof(flow->ftp_imap_pop_smtp.password), 1468| 0| "%s", flow->ndpi_flow->l4.tcp.ftp_imap_pop_smtp.password); 1469| 0| flow->ftp_imap_pop_smtp.auth_failed = 1470| 0| flow->ndpi_flow->l4.tcp.ftp_imap_pop_smtp.auth_failed; 1471| 0| } 1472| | /* TFTP */ 1473| 7.21k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_TFTP)) { ------------------ | Branch (1473:11): [True: 0, False: 7.21k] ------------------ 1474| 0| flow->info_type = INFO_GENERIC; 1475| 0| if(flow->ndpi_flow->protos.tftp.filename[0] != '\0') ------------------ | Branch (1475:8): [True: 0, False: 0] ------------------ 1476| 0| ndpi_snprintf(flow->info, sizeof(flow->info), "Filename: %s", 1477| 0| flow->ndpi_flow->protos.tftp.filename); 1478| 0| } 1479| | /* KERBEROS */ 1480| 7.21k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_KERBEROS)) { ------------------ | Branch (1480:11): [True: 14, False: 7.20k] ------------------ 1481| 14| flow->info_type = INFO_KERBEROS; 1482| 14| ndpi_snprintf(flow->kerberos.domain, 1483| 14| sizeof(flow->kerberos.domain), 1484| 14| "%s", flow->ndpi_flow->protos.kerberos.domain); 1485| 14| ndpi_snprintf(flow->kerberos.hostname, 1486| 14| sizeof(flow->kerberos.hostname), 1487| 14| "%s", flow->ndpi_flow->protos.kerberos.hostname); 1488| 14| ndpi_snprintf(flow->kerberos.username, 1489| 14| sizeof(flow->kerberos.username), 1490| 14| "%s", flow->ndpi_flow->protos.kerberos.username); 1491| | /* COLLECTD */ 1492| 7.20k| } else 
if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_COLLECTD)) { ------------------ | Branch (1492:13): [True: 3, False: 7.20k] ------------------ 1493| 3| flow->info_type = INFO_GENERIC; 1494| 3| if(flow->ndpi_flow->protos.collectd.client_username[0] != '\0') ------------------ | Branch (1494:8): [True: 0, False: 3] ------------------ 1495| 0| ndpi_snprintf(flow->info, sizeof(flow->info), "Username: %s", 1496| 0| flow->ndpi_flow->protos.collectd.client_username); 1497| 3| } 1498| | /* SIP */ 1499| 7.20k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_SIP)) { ------------------ | Branch (1499:11): [True: 37, False: 7.16k] ------------------ 1500| 37| flow->info_type = INFO_SIP; 1501| 37| if(flow->ndpi_flow->protos.sip.from) ------------------ | Branch (1501:8): [True: 11, False: 26] ------------------ 1502| 11| ndpi_snprintf(flow->sip.from, sizeof(flow->sip.from), "%s", flow->ndpi_flow->protos.sip.from); 1503| 37| if(flow->ndpi_flow->protos.sip.from_imsi[0] != '\0') ------------------ | Branch (1503:8): [True: 0, False: 37] ------------------ 1504| 0| ndpi_snprintf(flow->sip.from_imsi, sizeof(flow->sip.from_imsi), "%s", flow->ndpi_flow->protos.sip.from_imsi); 1505| 37| if(flow->ndpi_flow->protos.sip.to) ------------------ | Branch (1505:8): [True: 14, False: 23] ------------------ 1506| 14| ndpi_snprintf(flow->sip.to, sizeof(flow->sip.to), "%s", flow->ndpi_flow->protos.sip.to); 1507| 37| if(flow->ndpi_flow->protos.sip.to_imsi[0] != '\0') ------------------ | Branch (1507:8): [True: 0, False: 37] ------------------ 1508| 0| ndpi_snprintf(flow->sip.to_imsi, sizeof(flow->sip.to_imsi), "%s", flow->ndpi_flow->protos.sip.to_imsi); 1509| 37| } 1510| | /* BFCP */ 1511| 7.16k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_BFCP)) { ------------------ | Branch (1511:11): [True: 1, False: 7.16k] ------------------ 1512| 1| flow->info_type = INFO_BFCP; 1513| 1| 
flow->bfcp.conference_id = flow->ndpi_flow->protos.bfcp.conference_id; 1514| 1| flow->bfcp.user_id = flow->ndpi_flow->protos.bfcp.user_id; 1515| 1| } 1516| | /* TELNET */ 1517| 7.16k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_TELNET)) { ------------------ | Branch (1517:11): [True: 0, False: 7.16k] ------------------ 1518| 0| if(flow->ndpi_flow->protos.telnet.username[0] != '\0') ------------------ | Branch (1518:8): [True: 0, False: 0] ------------------ 1519| 0| flow->telnet.username = ndpi_strdup(flow->ndpi_flow->protos.telnet.username); 1520| 0| if(flow->ndpi_flow->protos.telnet.password[0] != '\0') ------------------ | Branch (1520:8): [True: 0, False: 0] ------------------ 1521| 0| flow->telnet.password = ndpi_strdup(flow->ndpi_flow->protos.telnet.password); 1522| 7.16k| } else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_SSH)) { ------------------ | Branch (1522:13): [True: 0, False: 7.16k] ------------------ 1523| 0| ndpi_snprintf(flow->host_server_name, 1524| 0| sizeof(flow->host_server_name), "%s", 1525| 0| flow->ndpi_flow->protos.ssh.client_signature); 1526| 0| ndpi_snprintf(flow->ssh_tls.server_info, sizeof(flow->ssh_tls.server_info), "%s", 1527| 0| flow->ndpi_flow->protos.ssh.server_signature); 1528| | 1529| 0| if(flow->ndpi_flow->protos.ssh.hassh_client[0] != '\0') ------------------ | Branch (1529:8): [True: 0, False: 0] ------------------ 1530| 0| ndpi_snprintf(flow->ssh_tls.client_hassh, sizeof(flow->ssh_tls.client_hassh), "%s", 1531| 0| flow->ndpi_flow->protos.ssh.hassh_client); 1532| | 1533| 0| if(flow->ndpi_flow->protos.ssh.hassh_server[0] != '\0') ------------------ | Branch (1533:8): [True: 0, False: 0] ------------------ 1534| 0| ndpi_snprintf(flow->ssh_tls.server_hassh, sizeof(flow->ssh_tls.server_hassh), "%s", 1535| 0| flow->ndpi_flow->protos.ssh.hassh_server); 1536| | 1537| 0| if(flow->ndpi_flow->protos.ssh.key_exchange_method) ------------------ | Branch (1537:8): 
[True: 0, False: 0] ------------------ 1538| 0| ndpi_snprintf(flow->ssh_tls.ssh_key_exchange_method, 1539| 0| sizeof(flow->ssh_tls.ssh_key_exchange_method), "%s", 1540| 0| flow->ndpi_flow->protos.ssh.key_exchange_method); 1541| 0| } 1542| | /* TLS/QUIC/DTLS/MAIL_S/FTPS */ 1543| 7.16k| else if(ndpi_stack_is_tls_like(&flow->detected_protocol.protocol_stack)) { ------------------ | Branch (1543:11): [True: 2.29k, False: 4.87k] ------------------ 1544| 2.29k| flow->ssh_tls.ssl_version = flow->ndpi_flow->protos.tls_quic.ssl_version; 1545| 2.29k| flow->ssh_tls.quic_version = flow->ndpi_flow->protos.tls_quic.quic_version; 1546| | 1547| 2.29k| if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_QUIC)) ------------------ | Branch (1547:8): [True: 252, False: 2.04k] ------------------ 1548| 252| flow->idle_timeout_sec = flow->ndpi_flow->protos.tls_quic.quic_idle_timeout_sec; 1549| | 1550| 2.29k| if(flow->ndpi_flow->protos.tls_quic.server_names_len > 0 && flow->ndpi_flow->protos.tls_quic.server_names) ------------------ | Branch (1550:8): [True: 577, False: 1.71k] | Branch (1550:65): [True: 571, False: 6] ------------------ 1551| 571| flow->ssh_tls.server_names = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.server_names); 1552| | 1553| 2.29k| flow->ssh_tls.notBefore = flow->ndpi_flow->protos.tls_quic.notBefore; 1554| 2.29k| flow->ssh_tls.notAfter = flow->ndpi_flow->protos.tls_quic.notAfter; 1555| 2.29k| ndpi_snprintf(flow->ssh_tls.ja4_client, sizeof(flow->ssh_tls.ja4_client), "%s", 1556| 2.29k| flow->ndpi_flow->protos.tls_quic.ja4_client); 1557| | 1558| 2.29k| if(flow->ndpi_flow->ndpi.client_fingerprint) ------------------ | Branch (1558:8): [True: 1.26k, False: 1.03k] ------------------ 1559| 1.26k| flow->ndpi_client_fingerprint = ndpi_strdup(flow->ndpi_flow->ndpi.client_fingerprint); 1560| | 1561| 2.29k| if(flow->ndpi_flow->ndpi.server_fingerprint) ------------------ | Branch (1561:8): [True: 1.21k, False: 1.08k] ------------------ 1562| 1.21k| 
flow->ndpi_server_fingerprint = ndpi_strdup(flow->ndpi_flow->ndpi.server_fingerprint); 1563| | 1564| 2.29k| if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw) ------------------ | Branch (1564:8): [True: 0, False: 2.29k] ------------------ 1565| 0| flow->ssh_tls.ja4_client_raw = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw); 1566| | 1567| 2.29k| ndpi_snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s", 1568| 2.29k| flow->ndpi_flow->protos.tls_quic.ja3_server); 1569| 2.29k| flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.tls_quic.server_unsafe_cipher; 1570| 2.29k| flow->ssh_tls.server_cipher = flow->ndpi_flow->protos.tls_quic.server_cipher; 1571| | 1572| 2.29k| if(flow->ndpi_flow->protos.tls_quic.fingerprint_set) { ------------------ | Branch (1572:8): [True: 651, False: 1.64k] ------------------ 1573| 651| memcpy(flow->ssh_tls.sha1_cert_fingerprint, 1574| 651| flow->ndpi_flow->protos.tls_quic.sha1_certificate_fingerprint, 20); 1575| 651| flow->ssh_tls.sha1_cert_fingerprint_set = 1; 1576| 651| } 1577| | 1578| 2.29k| flow->ssh_tls.browser_heuristics = flow->ndpi_flow->protos.tls_quic.browser_heuristics; 1579| | 1580| 2.29k| if(flow->ndpi_flow->protos.tls_quic.issuerDN) ------------------ | Branch (1580:8): [True: 392, False: 1.90k] ------------------ 1581| 392| flow->ssh_tls.tls_issuerDN = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.issuerDN); 1582| | 1583| 2.29k| if(flow->ndpi_flow->protos.tls_quic.subjectDN) ------------------ | Branch (1583:8): [True: 581, False: 1.71k] ------------------ 1584| 581| flow->ssh_tls.tls_subjectDN = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.subjectDN); 1585| | 1586| 2.29k| flow->ssh_tls.encrypted_ch.version = flow->ndpi_flow->protos.tls_quic.encrypted_ch.version; 1587| | 1588| 2.29k| if(flow->ndpi_flow->protos.tls_quic.tls_supported_versions) { ------------------ | Branch (1588:8): [True: 13, False: 2.27k] ------------------ 1589| 13| if((flow->ssh_tls.tls_supported_versions = 
ndpi_strdup(flow->ndpi_flow->protos.tls_quic.tls_supported_versions)) != NULL) ------------------ | Branch (1589:10): [True: 12, False: 1] ------------------ 1590| 12| correct_csv_data_field(flow->ssh_tls.tls_supported_versions); 1591| 13| } 1592| | 1593| 2.29k| if(flow->ndpi_flow->protos.tls_quic.advertised_alpns) { ------------------ | Branch (1593:8): [True: 349, False: 1.94k] ------------------ 1594| 349| if((flow->ssh_tls.advertised_alpns = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.advertised_alpns)) != NULL) ------------------ | Branch (1594:10): [True: 327, False: 22] ------------------ 1595| 327| correct_csv_data_field(flow->ssh_tls.advertised_alpns); 1596| 349| } 1597| | 1598| 2.29k| if(flow->ndpi_flow->protos.tls_quic.negotiated_alpn) { ------------------ | Branch (1598:8): [True: 15, False: 2.27k] ------------------ 1599| 15| if((flow->ssh_tls.negotiated_alpn = ndpi_strdup(flow->ndpi_flow->protos.tls_quic.negotiated_alpn)) != NULL) ------------------ | Branch (1599:10): [True: 13, False: 2] ------------------ 1600| 13| correct_csv_data_field(flow->ssh_tls.negotiated_alpn); 1601| 15| } 1602| | 1603| 2.29k| if(flow->protocol == IPPROTO_TCP) { ------------------ | Branch (1603:8): [True: 2.04k, False: 252] ------------------ 1604| 2.04k| if(enable_doh_dot_detection) { ------------------ | Branch (1604:10): [True: 2.04k, False: 0] ------------------ 1605| | /* For TLS we use TLS block lenght instead of payload lenght */ 1606| 2.04k| ndpi_reset_bin(&flow->payload_len_bin); 1607| | 1608| 2.04k| for(i=0; indpi_flow->l4.tcp.tls.num_tls_blocks; i++) { ------------------ | Branch (1608:11): [True: 0, False: 2.04k] ------------------ 1609| 0| u_int16_t len = abs(flow->ndpi_flow->l4.tcp.tls.tls_blocks[i].len); 1610| | 1611| | /* printf("[TLS_LEN] %u\n", len); */ 1612| 0| ndpi_inc_bin(&flow->payload_len_bin, plen2slot(len), 1); 1613| 0| } 1614| 2.04k| } 1615| | 1616| 2.04k| flow->tls.num_blocks = flow->ndpi_flow->l4.tcp.tls.num_tls_blocks; 1617| 2.04k| 
if(flow->tls.num_blocks > 0) { ------------------ | Branch (1617:10): [True: 0, False: 2.04k] ------------------ 1618| 0| u_int len = sizeof(struct ndpi_tls_block)*flow->tls.num_blocks; 1619| | 1620| 0| flow->tls.blocks = (struct ndpi_tls_block*)malloc(len); 1621| 0| if(flow->tls.blocks != NULL) ------------------ | Branch (1621:5): [True: 0, False: 0] ------------------ 1622| 0| memcpy(flow->tls.blocks, flow->ndpi_flow->l4.tcp.tls.tls_blocks, len); 1623| 0| else 1624| 0| flow->tls.num_blocks = 0; 1625| 0| } 1626| 2.04k| } 1627| 2.29k| } 1628| | /* FASTCGI */ 1629| 4.87k| else if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_FASTCGI)) { ------------------ | Branch (1629:11): [True: 0, False: 4.87k] ------------------ 1630| 0| flow->info_type = INFO_FASTCGI; 1631| 0| flow->fast_cgi.method = flow->ndpi_flow->protos.fast_cgi.method; 1632| 0| ndpi_snprintf(flow->fast_cgi.user_agent, sizeof(flow->fast_cgi.user_agent), "%s", flow->ndpi_flow->protos.fast_cgi.user_agent); 1633| 0| ndpi_snprintf(flow->fast_cgi.url, sizeof(flow->fast_cgi.url), "%s", flow->ndpi_flow->protos.fast_cgi.url); 1634| 0| } 1635| | 1636| 10.2k| if(!monitoring_enabled) { ------------------ | Branch (1636:6): [True: 10.2k, False: 0] ------------------ 1637| 10.2k| add_to_address_port_list(&flow->stun.mapped_address, &flow->ndpi_flow->stun.mapped_address); 1638| 10.2k| add_to_address_port_list(&flow->stun.peer_address, &flow->ndpi_flow->stun.peer_address); 1639| 10.2k| add_to_address_port_list(&flow->stun.relayed_address, &flow->ndpi_flow->stun.relayed_address); 1640| 10.2k| add_to_address_port_list(&flow->stun.response_origin, &flow->ndpi_flow->stun.response_origin); 1641| 10.2k| add_to_address_port_list(&flow->stun.other_address, &flow->ndpi_flow->stun.other_address); 1642| 10.2k| } 1643| | 1644| 10.2k| flow->multimedia_flow_types |= flow->ndpi_flow->flow_multimedia_types; 1645| | 1646| 10.2k| if(flow->ndpi_flow->tcp.fingerprint) { ------------------ | Branch (1646:6): 
[True: 1.62k, False: 8.63k] ------------------ 1647| 1.62k| char buf[128]; 1648| | 1649| 1.62k| snprintf(buf, sizeof(buf), "%s/%s", flow->ndpi_flow->tcp.fingerprint, 1650| 1.62k| ndpi_print_os_hint(flow->ndpi_flow->tcp.os_hint)); 1651| 1.62k| flow->tcp_fingerprint = ndpi_strdup(buf); 1652| 1.62k| } 1653| | 1654| | /* HTTP metadata are "global" not in `flow->ndpi_flow->protos` union; for example, we can have 1655| | HTTP/BitTorrent and in that case we want to export also HTTP attributes */ 1656| 10.2k| if(ndpi_stack_is_http_like(&flow->detected_protocol.protocol_stack)) { /* HTTP, HTTP_PROXY, HTTP_CONNECT */ ------------------ | Branch (1656:6): [True: 40, False: 10.2k] ------------------ 1657| 40| if(flow->ndpi_flow->http.url != NULL) { ------------------ | Branch (1657:8): [True: 11, False: 29] ------------------ 1658| 11| ndpi_snprintf(flow->http.url, sizeof(flow->http.url), "%s", flow->ndpi_flow->http.url); 1659| 11| } 1660| | 1661| 40| flow->http.response_status_code = flow->ndpi_flow->http.response_status_code; 1662| 40| ndpi_snprintf(flow->http.content_type, sizeof(flow->http.content_type), "%s", flow->ndpi_flow->http.content_type ? flow->ndpi_flow->http.content_type : ""); ------------------ | Branch (1662:83): [True: 2, False: 38] ------------------ 1663| 40| ndpi_snprintf(flow->http.server, sizeof(flow->http.server), "%s", flow->ndpi_flow->http.server ? flow->ndpi_flow->http.server : ""); ------------------ | Branch (1663:71): [True: 16, False: 24] ------------------ 1664| 40| ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : ""); ------------------ | Branch (1664:99): [True: 0, False: 40] ------------------ 1665| 40| ndpi_snprintf(flow->http.nat_ip, sizeof(flow->http.nat_ip), "%s", flow->ndpi_flow->http.nat_ip ? 
flow->ndpi_flow->http.nat_ip : ""); ------------------ | Branch (1665:71): [True: 0, False: 40] ------------------ 1666| 40| ndpi_snprintf(flow->http.filename, sizeof(flow->http.filename), "%s", flow->ndpi_flow->http.filename ? flow->ndpi_flow->http.filename : ""); ------------------ | Branch (1666:75): [True: 0, False: 40] ------------------ 1667| 40| ndpi_snprintf(flow->http.username, sizeof(flow->http.username), "%s", flow->ndpi_flow->http.username ? flow->ndpi_flow->http.username : ""); ------------------ | Branch (1667:75): [True: 0, False: 40] ------------------ 1668| 40| ndpi_snprintf(flow->http.password, sizeof(flow->http.password), "%s", flow->ndpi_flow->http.password ? flow->ndpi_flow->http.password : ""); ------------------ | Branch (1668:75): [True: 0, False: 40] ------------------ 1669| 40| } 1670| | 1671| 10.2k| if(ndpi_stack_contains(&flow->detected_protocol.protocol_stack, NDPI_PROTOCOL_RTP)) ------------------ | Branch (1671:6): [True: 20, False: 10.2k] ------------------ 1672| 20| memcpy(&flow->rtp, &flow->ndpi_flow->rtp, sizeof(flow->rtp)); 1673| | 1674| 10.2k| ndpi_snprintf(flow->http.user_agent, 1675| 10.2k| sizeof(flow->http.user_agent), 1676| 10.2k| "%s", (flow->ndpi_flow->http.user_agent ? 
flow->ndpi_flow->http.user_agent : "")); ------------------ | Branch (1676:24): [True: 42, False: 10.2k] ------------------ 1677| | 1678| 10.2k| { 1679| 10.2k| ndpi_ip_addr_t ip_addr; 1680| 10.2k| struct ndpi_address_cache_item *c; 1681| | 1682| 10.2k| memset(&ip_addr, 0, sizeof(ip_addr)); 1683| | 1684| 10.2k| if(flow->ip_version == 4) ------------------ | Branch (1684:8): [True: 10.0k, False: 209] ------------------ 1685| 10.0k| ip_addr.ipv4 = flow->dst_ip; 1686| 209| else 1687| 209| memcpy(&ip_addr.ipv6, &flow->dst_ip6, sizeof(struct ndpi_in6_addr)); 1688| | 1689| 10.2k| c = ndpi_cache_address_find(workflow->ndpi_struct, ip_addr); 1690| | 1691| 10.2k| if(c) { ------------------ | Branch (1691:8): [True: 0, False: 10.2k] ------------------ 1692| 0| flow->server_hostname = ndpi_strdup(c->hostname); 1693| 0| } 1694| 10.2k| } 1695| | 1696| 10.2k| if (workflow->ndpi_serialization_format != ndpi_serialization_format_unknown) { ------------------ | Branch (1696:7): [True: 10.2k, False: 0] ------------------ 1697| 10.2k| if (ndpi_flow2json(workflow->ndpi_struct, flow->ndpi_flow, ------------------ | Branch (1697:9): [True: 0, False: 10.2k] ------------------ 1698| 10.2k| flow->ip_version, flow->protocol, 1699| 10.2k| flow->vlan_id, 1700| 10.2k| flow->src_ip, flow->dst_ip, 1701| 10.2k| &flow->src_ip6, &flow->dst_ip6, 1702| 10.2k| flow->src_port, flow->dst_port, 1703| 10.2k| flow->detected_protocol, 1704| 10.2k| &flow->ndpi_flow_serializer) != 0) { 1705| 0| LOG(NDPI_LOG_ERROR, "flow2json failed\n"); ------------------ | | 498| 0|#define LOG(...) 
{} ------------------ 1706| 0| return; 1707| 0| } 1708| | 1709| 10.2k| ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "detection_completed", flow->detection_completed); 1710| 10.2k| ndpi_serialize_string_uint32(&flow->ndpi_flow_serializer, "check_extra_packets", flow->check_extra_packets); 1711| | 1712| 10.2k| if(flow->ndpi_flow->state == NDPI_STATE_MONITORING) { ------------------ | Branch (1712:8): [True: 0, False: 10.2k] ------------------ 1713| 0| serialize_monitoring_metadata(flow); 1714| 0| } 1715| | 1716| 10.2k| if(flow->server_hostname) ------------------ | Branch (1716:8): [True: 0, False: 10.2k] ------------------ 1717| 0| ndpi_serialize_string_string(&flow->ndpi_flow_serializer, "server_hostname", flow->server_hostname); 1718| 10.2k| } 1719| | 1720| 10.2k| if(flow->detection_completed && (!flow->check_extra_packets)) { ------------------ | Branch (1720:6): [True: 10.2k, False: 0] | Branch (1720:35): [True: 10.2k, False: 0] ------------------ 1721| 10.2k| flow->flow_payload = flow->ndpi_flow->flow_payload, flow->flow_payload_len = flow->ndpi_flow->flow_payload_len; 1722| 10.2k| flow->ndpi_flow->flow_payload = NULL; /* We'll free the memory */ 1723| | 1724| 10.2k| if(workflow->flow_callback != NULL) ------------------ | Branch (1724:8): [True: 0, False: 10.2k] ------------------ 1725| 0| workflow->flow_callback(workflow, flow, workflow->flow_callback_userdata); 1726| | 1727| 10.2k| if(fingerprint_fp) ------------------ | Branch (1727:8): [True: 0, False: 10.2k] ------------------ 1728| 0| dump_flow_fingerprint(workflow, flow); 1729| | 1730| 10.2k| ndpi_free_flow_info_half(flow); 1731| 10.2k| } 1732| 10.2k|} /*
 * update_tcp_flags_count: tally the TCP control flags of one header into the
 * per-flow counters.
 *
 * For each of the eight flag bits read from *tcp (cwr, ece, rst, ack, fin,
 * syn, psh, urg) that is set, the function increments flow-><flag>_count and
 * then exactly one directional counter: flow->src2dst_<flag>_count when
 * src_to_dst_direction is non-zero, flow->dst2src_<flag>_count when it is 0.
 * Nothing is returned and no counter is ever reset here.
 *
 * Neither flow nor tcp is checked for NULL, and the flag bits are used as
 * found in the header.
 * NOTE(review): tcp presumably points into captured packet data; the caller
 * is expected to have confirmed that a complete TCP header lies inside the
 * captured length before calling. Confirm at the call site.
 */ update_tcp_flags_count: 1749| 92.5k|void update_tcp_flags_count(struct ndpi_flow_info* flow, struct ndpi_tcphdr* tcp, u_int8_t src_to_dst_direction){ 1750| 92.5k| if(tcp->cwr){ ------------------ | Branch (1750:6): [True: 12.4k, False: 80.1k] ------------------ 1751| 12.4k| flow->cwr_count++; 1752| 12.4k| src_to_dst_direction ?
flow->src2dst_cwr_count++ : flow->dst2src_cwr_count++; ------------------ | Branch (1752:5): [True: 12.1k, False: 233] ------------------ 1753| 12.4k| } 1754| 92.5k| if(tcp->ece){ ------------------ | Branch (1754:6): [True: 20.7k, False: 71.8k] ------------------ 1755| 20.7k| flow->ece_count++; 1756| 20.7k| src_to_dst_direction ? flow->src2dst_ece_count++ : flow->dst2src_ece_count++; ------------------ | Branch (1756:5): [True: 20.4k, False: 249] ------------------ 1757| 20.7k| } 1758| 92.5k| if(tcp->rst){ ------------------ | Branch (1758:6): [True: 26.2k, False: 66.2k] ------------------ 1759| 26.2k| flow->rst_count++; 1760| 26.2k| src_to_dst_direction ? flow->src2dst_rst_count++ : flow->dst2src_rst_count++; ------------------ | Branch (1760:5): [True: 25.4k, False: 773] ------------------ 1761| 26.2k| } 1762| 92.5k| if(tcp->ack){ ------------------ | Branch (1762:6): [True: 61.8k, False: 30.7k] ------------------ 1763| 61.8k| flow->ack_count++; 1764| 61.8k| src_to_dst_direction ? flow->src2dst_ack_count++ : flow->dst2src_ack_count++; ------------------ | Branch (1764:5): [True: 39.6k, False: 22.1k] ------------------ 1765| 61.8k| } 1766| 92.5k| if(tcp->fin){ ------------------ | Branch (1766:6): [True: 22.9k, False: 69.5k] ------------------ 1767| 22.9k| flow->fin_count++; 1768| 22.9k| src_to_dst_direction ? flow->src2dst_fin_count++ : flow->dst2src_fin_count++; ------------------ | Branch (1768:5): [True: 22.1k, False: 812] ------------------ 1769| 22.9k| } 1770| 92.5k| if(tcp->syn){ ------------------ | Branch (1770:6): [True: 27.0k, False: 65.5k] ------------------ 1771| 27.0k| flow->syn_count++; 1772| 27.0k| src_to_dst_direction ?
flow->src2dst_syn_count++ : flow->dst2src_syn_count++; ------------------ | Branch (1772:5): [True: 24.6k, False: 2.39k] ------------------ 1773| 27.0k| } 1774| 92.5k| if(tcp->psh){ ------------------ | Branch (1774:6): [True: 38.8k, False: 53.6k] ------------------ 1775| 38.8k| flow->psh_count++; 1776| 38.8k| src_to_dst_direction ? flow->src2dst_psh_count++ : flow->dst2src_psh_count++; ------------------ | Branch (1776:5): [True: 29.2k, False: 9.60k] ------------------ 1777| 38.8k| } 1778| 92.5k| if(tcp->urg){ ------------------ | Branch (1778:6): [True: 21.6k, False: 70.8k] ------------------ 1779| 21.6k| flow->urg_count++; 1780| 21.6k| src_to_dst_direction ? flow->src2dst_urg_count++ : flow->dst2src_urg_count++; ------------------ | Branch (1780:5): [True: 21.4k, False: 228] ------------------ 1781| 21.6k| } 1782| 92.5k|} /*
 * ndpi_is_datalink_supported: report whether a capture's data-link type is
 * one of the types listed in this switch.
 *
 * Returns 1 for DLT_NULL, DLT_PPP_SERIAL, DLT_C_HDLC, DLT_PPP, DLT_EN10MB,
 * DLT_LINUX_SLL, DLT_IEEE802_11_RADIO, DLT_RAW, DLT_PPI and
 * LINKTYPE_LINUX_SLL2, plus DLT_IPV4 and DLT_IPV6 when those macros are
 * defined at build time. Returns 0 for every other value.
 *
 * The case list has to match the switch in ndpi_workflow_process_packet.
 * That switch's default branch prints "Unknown datalink" and returns without
 * decoding the packet, so a type accepted here but not handled there would
 * leave the packets of such a capture unanalysed rather than rejected up
 * front.
 */ ndpi_is_datalink_supported: 2067| 7.25k|int ndpi_is_datalink_supported(int datalink_type) { 2068| | /* Keep in sync with the similar switch in ndpi_workflow_process_packet */ 2069| 7.25k| switch(datalink_type) { 2070| 117| case DLT_NULL: ------------------ | Branch (2070:3): [True: 117, False: 7.13k] ------------------ 2071| 127| case DLT_PPP_SERIAL: ------------------ | Branch (2071:3): [True: 10, False: 7.24k] ------------------ 2072| 135| case DLT_C_HDLC: ------------------ | Branch (2072:3): [True: 8, False: 7.24k] ------------------ 2073| 154| case DLT_PPP: ------------------ | Branch (2073:3): [True: 19, False: 7.23k] ------------------ 2074| 154|#ifdef DLT_IPV4 2075| 164| case DLT_IPV4: ------------------ | Branch (2075:3): [True: 10, False: 7.24k] ------------------ 2076| 164|#endif 2077| 164|#ifdef DLT_IPV6 2078| 173| case DLT_IPV6: ------------------ | Branch (2078:3): [True: 9, False: 7.24k] ------------------ 2079| 173|#endif 2080| 7.00k| case DLT_EN10MB: ------------------ | Branch (2080:3): [True: 6.83k, False: 417] ------------------ 2081| 7.13k| case DLT_LINUX_SLL: ------------------ | Branch (2081:3): [True: 124, False: 7.12k]
------------------ 2082| 7.16k| case DLT_IEEE802_11_RADIO: ------------------ | Branch (2082:3): [True: 35, False: 7.21k] ------------------ 2083| 7.18k| case DLT_RAW: ------------------ | Branch (2083:3): [True: 17, False: 7.23k] ------------------ 2084| 7.19k| case DLT_PPI: ------------------ | Branch (2084:3): [True: 12, False: 7.23k] ------------------ 2085| 7.20k| case LINKTYPE_LINUX_SLL2: ------------------ | | 502| 7.20k|#define LINKTYPE_LINUX_SLL2 276 ------------------ | Branch (2085:3): [True: 10, False: 7.24k] ------------------ 2086| 7.20k| return 1; 2087| 46| default: ------------------ | Branch (2087:3): [True: 46, False: 7.20k] ------------------ 2088| 46| return 0; 2089| 7.25k| } 2090| 7.25k|} ndpi_workflow_process_packet: 2209| 168k| struct ndpi_flow_info **flow) { 2210| | /* 2211| | * Declare pointers to packet headers 2212| | */ 2213| | /* --- Ethernet header --- */ 2214| 168k| const struct ndpi_ethhdr *ethernet; 2215| | /* --- LLC header --- */ 2216| 168k| const struct ndpi_llc_header_snap *llc; 2217| | 2218| | /* --- Cisco HDLC header --- */ 2219| 168k| const struct ndpi_chdlc *chdlc; 2220| | 2221| | /* --- Radio Tap header --- */ 2222| 168k| const struct ndpi_radiotap_header *radiotap; 2223| | /* --- Wifi header --- */ 2224| 168k| const struct ndpi_wifi_header *wifi; 2225| | 2226| | /* --- MPLS header --- */ 2227| 168k| union mpls { 2228| 168k| uint32_t u32; 2229| 168k| struct ndpi_mpls_header mpls; 2230| 168k| } mpls; 2231| | 2232| | /** --- IP header --- **/ 2233| 168k| struct ndpi_iphdr *iph; 2234| | /** --- IPv6 header --- **/ 2235| 168k| struct ndpi_ipv6hdr *iph6; 2236| | 2237| 168k| struct ndpi_proto nproto; 2238| 168k| ndpi_packet_tunnel tunnel_type = ndpi_no_tunnel; 2239| | 2240| | /* lengths and offsets */ 2241| 168k| u_int32_t eth_offset = 0, dlt; 2242| 168k| u_int16_t radio_len, header_length; 2243| 168k| u_int16_t fc; 2244| 168k| u_int16_t type = 0; 2245| 168k| int wifi_len = 0; 2246| 168k| int pyld_eth_len = 0; 2247| 168k| int 
check; 2248| 168k| u_int64_t time_ms; 2249| 168k| u_int16_t ip_offset = 0, ip_len; 2250| 168k| u_int16_t frag_off = 0, vlan_id = 0; 2251| 168k| u_int8_t proto = 0, recheck_type; 2252| 168k| u_int8_t ip_ver, ppp_type; 2253| | /*u_int32_t label;*/ 2254| | 2255| | /* counters */ 2256| 168k| u_int8_t vlan_packet = 0; 2257| | 2258| 168k| *flow_risk = 0 /* NDPI_NO_RISK */; 2259| 168k| *flow = NULL; 2260| | 2261| 168k| memset(&nproto, '\0', sizeof(nproto)); 2262| | 2263| 168k| if((addr_dump_path != NULL) && (workflow->stats.raw_packet_count == 0)) { ------------------ | Branch (2263:6): [True: 168k, False: 0] | Branch (2263:34): [True: 6.96k, False: 161k] ------------------ 2264| | /* At the first packet flush expired cached addresses */ 2265| 6.96k| ndpi_cache_address_flush_expired(workflow->ndpi_struct, header->ts.tv_sec); 2266| 6.96k| } 2267| | 2268| | /* Increment raw packet counter */ 2269| 168k| workflow->stats.raw_packet_count++; 2270| | 2271| | /* setting time */ 2272| 168k| time_ms = ((uint64_t) header->ts.tv_sec) * TICK_RESOLUTION + header->ts.tv_usec / (1000000 / TICK_RESOLUTION); ------------------ | | 77| 168k|#define TICK_RESOLUTION 1000 ------------------ time_ms = ((uint64_t) header->ts.tv_sec) * TICK_RESOLUTION + header->ts.tv_usec / (1000000 / TICK_RESOLUTION); ------------------ | | 77| 168k|#define TICK_RESOLUTION 1000 ------------------ 2273| | 2274| | /* safety check */ 2275| 168k| if(workflow->last_time > time_ms) { ------------------ | Branch (2275:6): [True: 118k, False: 49.5k] ------------------ 2276| | /* printf("\nWARNING: timestamp bug in the pcap file (ts delta: %llu, repairing)\n", ndpi_thread_info[thread_id].last_time - time); */ 2277| 118k| time_ms = workflow->last_time; 2278| 118k| } 2279| | /* update last time value */ 2280| 168k| workflow->last_time = time_ms; 2281| | 2282| | /*** check Data Link type ***/ 2283| 168k| int datalink_type; 2284| | 2285| |#ifdef USE_DPDK 2286| | datalink_type = DLT_EN10MB; 2287| |#else 2288| 168k| 
datalink_type = (int)pcap_datalink(workflow->pcap_handle); 2289| 168k|#endif 2290| | 2291| 168k| datalink_check: 2292| | // 20 for min iph and 8 for min UDP 2293| 168k| if(header->caplen < eth_offset + 28) ------------------ | Branch (2293:6): [True: 20.7k, False: 147k] ------------------ 2294| 20.7k| return(nproto); /* Too short */ 2295| | 2296| | /* Keep in sync with ndpi_is_datalink_supported() */ 2297| 147k| switch(datalink_type) { 2298| 497| case DLT_NULL: ------------------ | Branch (2298:3): [True: 497, False: 146k] ------------------ 2299| 497| if(ntohl(*((u_int32_t*)&packet[eth_offset])) == 2) ------------------ | Branch (2299:8): [True: 4, False: 493] ------------------ 2300| 4| type = ETH_P_IP; ------------------ | | 364| 4|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ 2301| 493| else 2302| 493| type = ETH_P_IPV6; ------------------ | | 368| 493|#define ETH_P_IPV6 0x86dd /* IPv6 */ ------------------ 2303| | 2304| 497| ip_offset = 4 + eth_offset; 2305| 497| break; 2306| | 2307| | /* Cisco PPP in HDLC-like framing - 50 */ 2308| 111| case DLT_PPP_SERIAL: ------------------ | Branch (2308:3): [True: 111, False: 147k] ------------------ 2309| 111| chdlc = (struct ndpi_chdlc *) &packet[eth_offset]; 2310| 111| ip_offset = eth_offset + sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */ 2311| 111| type = ntohs(chdlc->proto_code); 2312| 111| break; 2313| | 2314| | /* Cisco PPP - 9 or 104 */ 2315| 71| case DLT_C_HDLC: ------------------ | Branch (2315:3): [True: 71, False: 147k] ------------------ 2316| 2.35k| case DLT_PPP: ------------------ | Branch (2316:3): [True: 2.28k, False: 144k] ------------------ 2317| 2.35k| if(packet[0] == 0x0f || packet[0] == 0x8f) { ------------------ | Branch (2317:8): [True: 1, False: 2.35k] | Branch (2317:29): [True: 1, False: 2.35k] ------------------ 2318| 2| chdlc = (struct ndpi_chdlc *) &packet[eth_offset]; 2319| 2| ip_offset = eth_offset + sizeof(struct ndpi_chdlc); /* CHDLC_OFF = 4 */ 2320| 2| type = 
ntohs(chdlc->proto_code); 2321| 2.35k| } else { 2322| 2.35k| ip_offset = eth_offset + 2; 2323| 2.35k| ppp_type = ntohs(*((u_int16_t*)&packet[eth_offset])); 2324| 2.35k| if(ppp_type == 0x0021) ------------------ | Branch (2324:10): [True: 2, False: 2.34k] ------------------ 2325| 2| type = ETH_P_IP; ------------------ | | 364| 2|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ 2326| 2.34k| else if(ppp_type == 0x0057) ------------------ | Branch (2326:15): [True: 6, False: 2.34k] ------------------ 2327| 6| type = ETH_P_IPV6; ------------------ | | 368| 6|#define ETH_P_IPV6 0x86dd /* IPv6 */ ------------------ 2328| 2.34k| else 2329| 2.34k| return(nproto); 2330| 2.35k| } 2331| 10| break; 2332| | 2333| 10|#ifdef DLT_IPV4 2334| 240| case DLT_IPV4: ------------------ | Branch (2334:3): [True: 240, False: 147k] ------------------ 2335| 240| type = ETH_P_IP; ------------------ | | 364| 240|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ 2336| 240| ip_offset = eth_offset; 2337| 240| break; 2338| 0|#endif 2339| | 2340| 0|#ifdef DLT_IPV6 2341| 203| case DLT_IPV6: ------------------ | Branch (2341:3): [True: 203, False: 147k] ------------------ 2342| 203| type = ETH_P_IPV6; ------------------ | | 368| 203|#define ETH_P_IPV6 0x86dd /* IPv6 */ ------------------ 2343| 203| ip_offset = eth_offset; 2344| 203| break; 2345| 0|#endif 2346| | 2347| | /* IEEE 802.3 Ethernet - 1 */ 2348| 142k| case DLT_EN10MB: ------------------ | Branch (2348:3): [True: 142k, False: 5.18k] ------------------ 2349| 142k| ethernet = (struct ndpi_ethhdr *) &packet[eth_offset]; 2350| 142k| ip_offset = sizeof(struct ndpi_ethhdr) + eth_offset; 2351| 142k| check = ntohs(ethernet->h_proto); 2352| | 2353| 142k| if(check <= 1500) ------------------ | Branch (2353:8): [True: 6.11k, False: 135k] ------------------ 2354| 6.11k| pyld_eth_len = check; 2355| 135k| else if(check >= 1536) ------------------ | Branch (2355:13): [True: 135k, False: 3] ------------------ 2356| 135k| type = check; 2357| | 2358| 
142k| if(pyld_eth_len != 0) { ------------------ | Branch (2358:8): [True: 5.95k, False: 136k] ------------------ 2359| 5.95k| llc = (struct ndpi_llc_header_snap *)(&packet[ip_offset]); 2360| | /* check for LLC layer with SNAP extension */ 2361| 5.95k| if(llc->dsap == SNAP || llc->ssap == SNAP) { ------------------ | | 50| 11.9k|#define SNAP 0XAA ------------------ if(llc->dsap == SNAP || llc->ssap == SNAP) { ------------------ | | 50| 5.94k|#define SNAP 0XAA ------------------ | Branch (2361:10): [True: 3, False: 5.94k] | Branch (2361:31): [True: 2, False: 5.94k] ------------------ 2362| 5| type = llc->snap.proto_ID; 2363| 5| ip_offset += + 8; 2364| 5| } 2365| | /* No SNAP extension - Spanning Tree pkt must be discarted */ 2366| 5.94k| else if(llc->dsap == BSTP || llc->ssap == BSTP) { ------------------ | | 51| 11.8k|#define BSTP 0x42 /* Bridge Spanning Tree Protocol */ ------------------ else if(llc->dsap == BSTP || llc->ssap == BSTP) { ------------------ | | 51| 5.94k|#define BSTP 0x42 /* Bridge Spanning Tree Protocol */ ------------------ | Branch (2366:15): [True: 1, False: 5.94k] | Branch (2366:36): [True: 2, False: 5.94k] ------------------ 2367| 3| goto v4_warning; 2368| 3| } 2369| 5.95k| } 2370| 142k| break; 2371| | 2372| | /* Linux Cooked Capture - 113 */ 2373| 142k| case DLT_LINUX_SLL: ------------------ | Branch (2373:3): [True: 499, False: 146k] ------------------ 2374| 499| type = (packet[eth_offset+14] << 8) + packet[eth_offset+15]; 2375| 499| ip_offset = 16 + eth_offset; 2376| 499| break; 2377| | 2378| | /* Linux Cooked Capture v2 - 276 */ 2379| 276| case LINKTYPE_LINUX_SLL2: ------------------ | | 502| 276|#define LINKTYPE_LINUX_SLL2 276 ------------------ | Branch (2379:3): [True: 276, False: 147k] ------------------ 2380| 276| type = (packet[eth_offset+10] << 8) + packet[eth_offset+11]; 2381| 276| ip_offset = 20 + eth_offset; 2382| 276| break; 2383| | 2384| | /* Radiotap link-layer - 127 */ 2385| 672| case DLT_IEEE802_11_RADIO: ------------------ 
| Branch (2385:3): [True: 672, False: 146k] ------------------ 2386| 672| radiotap = (struct ndpi_radiotap_header *) &packet[eth_offset]; 2387| 672| radio_len = radiotap->len; 2388| | 2389| | /* Check Bad FCS presence */ 2390| 672| if((radiotap->flags & BAD_FCS) == BAD_FCS) { ------------------ | | 64| 672|#define BAD_FCS 0x50 /* 0101 0000 */ ------------------ if((radiotap->flags & BAD_FCS) == BAD_FCS) { ------------------ | | 64| 672|#define BAD_FCS 0x50 /* 0101 0000 */ ------------------ | Branch (2390:8): [True: 21, False: 651] ------------------ 2391| 21| workflow->stats.total_discarded_bytes += header->len; 2392| 21| return(nproto); 2393| 21| } 2394| | 2395| 651| if(header->caplen < (eth_offset + radio_len + sizeof(struct ndpi_wifi_header))) ------------------ | Branch (2395:8): [True: 314, False: 337] ------------------ 2396| 314| return(nproto); 2397| | 2398| | /* Calculate 802.11 header length (variable) */ 2399| 337| wifi = (struct ndpi_wifi_header*)( packet + eth_offset + radio_len); 2400| 337| fc = wifi->fc; 2401| | 2402| | /* check wifi data presence */ 2403| 337| if(FCF_TYPE(fc) == WIFI_DATA) { ------------------ | | 58| 337|#define FCF_TYPE(fc) (((fc) >> 2) & 0x3) /* 0000 0011 = 0x3 */ ------------------ if(FCF_TYPE(fc) == WIFI_DATA) { ------------------ | | 57| 337|#define WIFI_DATA 0x2 /* 0000 0010 */ ------------------ | Branch (2403:8): [True: 216, False: 121] ------------------ 2404| 216| if((FCF_TO_DS(fc) && FCF_FROM_DS(fc) == 0x0) || ------------------ | | 60| 432|#define FCF_TO_DS(fc) ((fc) & 0x0100) | | ------------------ | | | Branch (60:30): [True: 7, False: 209] | | ------------------ ------------------ if((FCF_TO_DS(fc) && FCF_FROM_DS(fc) == 0x0) || ------------------ | | 61| 7|#define FCF_FROM_DS(fc) ((fc) & 0x0200) ------------------ | Branch (2404:28): [True: 3, False: 4] ------------------ 2405| 213| (FCF_TO_DS(fc) == 0x0 && FCF_FROM_DS(fc))) ------------------ | | 60| 213|#define FCF_TO_DS(fc) ((fc) & 0x0100) ------------------ 
(FCF_TO_DS(fc) == 0x0 && FCF_FROM_DS(fc))) ------------------ | | 61| 209|#define FCF_FROM_DS(fc) ((fc) & 0x0200) | | ------------------ | | | Branch (61:30): [True: 76, False: 133] | | ------------------ ------------------ | Branch (2405:4): [True: 209, False: 4] ------------------ 2406| 79| wifi_len = 26; /* + 4 byte fcs */ 2407| 216| } else /* no data frames */ 2408| 121| return(nproto); 2409| | 2410| | /* Check ether_type from LLC */ 2411| 216| if(header->caplen < (eth_offset + wifi_len + radio_len + sizeof(struct ndpi_llc_header_snap))) ------------------ | Branch (2411:8): [True: 3, False: 213] ------------------ 2412| 3| return(nproto); 2413| 213| llc = (struct ndpi_llc_header_snap*)(packet + eth_offset + wifi_len + radio_len); 2414| 213| if(llc->dsap == SNAP) ------------------ | | 50| 213|#define SNAP 0XAA ------------------ | Branch (2414:8): [True: 0, False: 213] ------------------ 2415| 0| type = ntohs(llc->snap.proto_ID); 2416| | 2417| | /* Set IP header offset */ 2418| 213| ip_offset = wifi_len + radio_len + sizeof(struct ndpi_llc_header_snap) + eth_offset; 2419| 213| break; 2420| | 2421| 233| case DLT_RAW: ------------------ | Branch (2421:3): [True: 233, False: 147k] ------------------ 2422| 233| ip_offset = eth_offset; 2423| | /* Heuristic: no explicit field with next protocol */ 2424| 233| ip_ver = (packet[ip_offset] & 0xF0) >> 4; 2425| 233| if(ip_ver == 4) ------------------ | Branch (2425:8): [True: 10, False: 223] ------------------ 2426| 10| type = ETH_P_IP; ------------------ | | 364| 10|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ 2427| 223| else if(ip_ver == 6) ------------------ | Branch (2427:13): [True: 9, False: 214] ------------------ 2428| 9| type = ETH_P_IPV6; ------------------ | | 368| 9|#define ETH_P_IPV6 0x86dd /* IPv6 */ ------------------ 2429| 214| else 2430| 214| return(nproto); 2431| | 2432| 19| break; 2433| | 2434| 97| case DLT_PPI: ------------------ | Branch (2434:3): [True: 97, False: 147k] ------------------ 
2435| 97| header_length = le16toh(*(u_int16_t *)&packet[eth_offset + 2]); 2436| 97| dlt = le32toh(*(u_int32_t *)&packet[eth_offset + 4]); 2437| 97| if(dlt != DLT_EN10MB) /* Handle only standard ethernet, for the time being */ ------------------ | Branch (2437:8): [True: 96, False: 1] ------------------ 2438| 96| return(nproto); 2439| 1| datalink_type = DLT_EN10MB; 2440| 1| eth_offset += header_length; 2441| 1| goto datalink_check; 2442| | 2443| 0| default: ------------------ | Branch (2443:3): [True: 0, False: 147k] ------------------ 2444| | /* 2445| | * We shoudn't be here, because we already checked that this datalink is supported. 2446| | * Should ndpi_is_datalink_supported() be updated? 2447| | */ 2448| 0| printf("Unknown datalink %d\n", datalink_type); 2449| 0| return(nproto); 2450| 147k| } 2451| | 2452| 146k| ether_type_check: 2453| 146k| recheck_type = 0; 2454| | 2455| | /* check ether type */ 2456| 146k| switch(type) { 2457| 2.42k| case ETH_P_VLAN: ------------------ | | 372| 2.42k|#define ETH_P_VLAN 0x8100 ------------------ | Branch (2457:3): [True: 2.42k, False: 144k] ------------------ 2458| 2.42k| if(ip_offset+4 >= (int)header->caplen) ------------------ | Branch (2458:8): [True: 0, False: 2.42k] ------------------ 2459| 0| return(nproto); 2460| 2.42k| vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; 2461| 2.42k| type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; 2462| 2.42k| ip_offset += 4; 2463| 2.42k| vlan_packet = 1; 2464| | 2465| | // double tagging for 802.1Q 2466| 4.78k| while((type == 0x8100) && (((bpf_u_int32)ip_offset+4) < header->caplen)) { ------------------ | Branch (2466:11): [True: 2.36k, False: 2.42k] | Branch (2466:31): [True: 2.36k, False: 0] ------------------ 2467| 2.36k| vlan_id = ((packet[ip_offset] << 8) + packet[ip_offset+1]) & 0xFFF; 2468| 2.36k| type = (packet[ip_offset+2] << 8) + packet[ip_offset+3]; 2469| 2.36k| ip_offset += 4; 2470| 2.36k| } 2471| 2.42k| recheck_type = 1; 2472| 2.42k| break; 2473| 
| 2474| 4| case ETH_P_MPLS_UNI: ------------------ | | 376| 4|#define ETH_P_MPLS_UNI 0x8847 ------------------ | Branch (2474:3): [True: 4, False: 146k] ------------------ 2475| 6| case ETH_P_MPLS_MULTI: ------------------ | | 380| 6|#define ETH_P_MPLS_MULTI 0x8848 ------------------ | Branch (2475:3): [True: 2, False: 146k] ------------------ 2476| 6| if(ip_offset+4 >= (int)header->caplen) ------------------ | Branch (2476:8): [True: 0, False: 6] ------------------ 2477| 0| return(nproto); 2478| 6| mpls.u32 = *((uint32_t *) &packet[ip_offset]); 2479| 6| mpls.u32 = ntohl(mpls.u32); 2480| 6| workflow->stats.mpls_count++; 2481| 6| type = ETH_P_IP, ip_offset += 4; ------------------ | | 364| 6|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ 2482| | 2483| 23| while(!mpls.mpls.s && (((bpf_u_int32)ip_offset) + 4 < header->caplen)) { ------------------ | Branch (2483:11): [True: 18, False: 5] | Branch (2483:27): [True: 17, False: 1] ------------------ 2484| 17| mpls.u32 = *((uint32_t *) &packet[ip_offset]); 2485| 17| mpls.u32 = ntohl(mpls.u32); 2486| 17| ip_offset += 4; 2487| 17| } 2488| 6| recheck_type = 1; 2489| 6| break; 2490| | 2491| 0| case ETH_P_PPPoE: ------------------ | | 384| 0|#define ETH_P_PPPoE 0x8864 ------------------ | Branch (2491:3): [True: 0, False: 146k] ------------------ 2492| 0| workflow->stats.pppoe_count++; 2493| 0| type = ETH_P_IP; ------------------ | | 364| 0|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ 2494| 0| ip_offset += 8; 2495| 0| recheck_type = 1; 2496| 0| break; 2497| | 2498| 130k| case ETH_P_IP: ------------------ | | 364| 130k|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ | Branch (2498:3): [True: 130k, False: 16.0k] ------------------ 2499| 132k| case ETH_P_IPV6: ------------------ | | 368| 132k|#define ETH_P_IPV6 0x86dd /* IPv6 */ ------------------ | Branch (2499:3): [True: 2.40k, False: 144k] ------------------ 2500| | /* Good let's keep decoding */ 2501| 132k| break; 2502| | 2503| 11.1k| default: 
------------------ | Branch (2503:3): [True: 11.1k, False: 135k] ------------------ 2504| 11.1k| return(nproto); 2505| 146k| } 2506| | 2507| 135k| if(recheck_type) ------------------ | Branch (2507:6): [True: 2.42k, False: 132k] ------------------ 2508| 2.42k| goto ether_type_check; 2509| | 2510| 132k| workflow->stats.vlan_count += vlan_packet; 2511| | 2512| 133k| iph_check: 2513| | /* Check and set IP header size and total packet length */ 2514| 133k| if(header->caplen < ip_offset + sizeof(struct ndpi_iphdr)) ------------------ | Branch (2514:6): [True: 84, False: 132k] ------------------ 2515| 84| return(nproto); /* Too short for next IP header*/ 2516| | 2517| 132k| iph = (struct ndpi_iphdr *) &packet[ip_offset]; 2518| | 2519| | /* just work on Ethernet packets that contain IP */ 2520| 132k| if(type == ETH_P_IP && header->caplen >= ip_offset) { ------------------ | | 364| 265k|#define ETH_P_IP 0x0800 /* IPv4 */ ------------------ | Branch (2520:6): [True: 130k, False: 2.40k] | Branch (2520:26): [True: 130k, False: 0] ------------------ 2521| 130k| frag_off = ntohs(iph->frag_off); 2522| | 2523| 130k| proto = iph->protocol; 2524| 130k| if(header->caplen < header->len) { ------------------ | Branch (2524:8): [True: 15.2k, False: 115k] ------------------ 2525| 15.2k| static u_int8_t cap_warning_used = 0; 2526| | 2527| 15.2k| if(cap_warning_used == 0) { ------------------ | Branch (2527:10): [True: 1, False: 15.2k] ------------------ 2528| 1| if(!workflow->prefs.quiet_mode) ------------------ | Branch (2528:5): [True: 1, False: 0] ------------------ 2529| 1| LOG(NDPI_LOG_DEBUG, ------------------ | | 498| 1|#define LOG(...) 
{} ------------------ 2530| 1| "\n\nWARNING: packet capture size is smaller than packet size, DETECTION MIGHT NOT WORK CORRECTLY\n\n"); 2531| 1| cap_warning_used = 1; 2532| 1| } 2533| 15.2k| } 2534| 130k| } 2535| | 2536| 132k| if(iph->version == IPVERSION) { ------------------ | Branch (2536:6): [True: 129k, False: 3.27k] ------------------ 2537| 129k| ip_len = ((u_int16_t)iph->ihl * 4); 2538| 129k| iph6 = NULL; 2539| | 2540| 129k| if(iph->protocol == IPPROTO_IPV6 ------------------ | Branch (2540:8): [True: 1, False: 129k] ------------------ 2541| 129k| || iph->protocol == NDPI_IPIP_PROTOCOL_TYPE ------------------ | | 127| 129k|#define NDPI_IPIP_PROTOCOL_TYPE 0x04 ------------------ | Branch (2541:11): [True: 37, False: 129k] ------------------ 2542| 129k| ) { 2543| 38| ip_offset += ip_len; 2544| 38| if(ip_len > 0) ------------------ | Branch (2544:10): [True: 37, False: 1] ------------------ 2545| 37| goto iph_check; 2546| 38| } 2547| | 2548| 129k| if((frag_off & 0x1FFF) != 0) { ------------------ | Branch (2548:8): [True: 1.78k, False: 127k] ------------------ 2549| 1.78k| static u_int8_t ipv4_frags_warning_used = 0; 2550| 1.78k| workflow->stats.fragmented_count++; 2551| | 2552| 1.78k| if(ipv4_frags_warning_used == 0) { ------------------ | Branch (2552:10): [True: 1, False: 1.78k] ------------------ 2553| 1| if(!workflow->prefs.quiet_mode) ------------------ | Branch (2553:5): [True: 0, False: 1] ------------------ 2554| 0| LOG(NDPI_LOG_DEBUG, "\n\nWARNING: IPv4 fragments are not handled by this demo (nDPI supports them)\n"); ------------------ | | 498| 0|#define LOG(...) 
{} ------------------ 2555| 1| ipv4_frags_warning_used = 1; 2556| 1| } 2557| | 2558| 1.78k| workflow->stats.total_discarded_bytes += header->len; 2559| 1.78k| return(nproto); 2560| 1.78k| } 2561| 129k| } else if(iph->version == 6) { ------------------ | Branch (2561:13): [True: 1.96k, False: 1.31k] ------------------ 2562| 1.96k| if(header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr)) ------------------ | Branch (2562:8): [True: 1, False: 1.96k] ------------------ 2563| 1| return(nproto); /* Too short for IPv6 header*/ 2564| | 2565| 1.96k| iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset]; 2566| 1.96k| proto = iph6->ip6_hdr.ip6_un1_nxt; 2567| 1.96k| ip_len = ntohs(iph6->ip6_hdr.ip6_un1_plen); 2568| | 2569| 1.96k| if(header->caplen < (ip_offset + sizeof(struct ndpi_ipv6hdr) + ntohs(iph6->ip6_hdr.ip6_un1_plen))) ------------------ | Branch (2569:8): [True: 121, False: 1.84k] ------------------ 2570| 121| return(nproto); /* Too short for IPv6 payload*/ 2571| | 2572| 1.84k| const u_int8_t *l4ptr = (((const u_int8_t *) iph6) + sizeof(struct ndpi_ipv6hdr)); 2573| 1.84k| u_int16_t ipsize = header->caplen - ip_offset; 2574| | 2575| 1.84k| if(ndpi_handle_ipv6_extension_headers(NULL, iph6, ipsize - sizeof(struct ndpi_ipv6hdr), &l4ptr, &ip_len, &proto) != 0) { ------------------ | Branch (2575:8): [True: 26, False: 1.81k] ------------------ 2576| 26| return(nproto); 2577| 26| } 2578| | 2579| 1.81k| if(proto == IPPROTO_IPV6 ------------------ | Branch (2579:8): [True: 1, False: 1.81k] ------------------ 2580| 1.81k| || proto == NDPI_IPIP_PROTOCOL_TYPE ------------------ | | 127| 1.81k|#define NDPI_IPIP_PROTOCOL_TYPE 0x04 ------------------ | Branch (2580:11): [True: 2, False: 1.81k] ------------------ 2581| 1.81k| ) { 2582| 3| if(l4ptr > packet) { /* Better safe than sorry */ ------------------ | Branch (2582:10): [True: 3, False: 0] ------------------ 2583| 3| ip_offset = (l4ptr - packet); 2584| 3| goto iph_check; 2585| 3| } 2586| 3| } 2587| | 2588| 1.81k| iph = NULL; 
2589| 1.81k| } else { 2590| 1.31k| static u_int8_t ipv4_warning_used = 0; 2591| | 2592| 1.32k| v4_warning: 2593| 1.32k| if(ipv4_warning_used == 0) { ------------------ | Branch (2593:8): [True: 1, False: 1.32k] ------------------ 2594| 1| if(!workflow->prefs.quiet_mode) ------------------ | Branch (2594:10): [True: 0, False: 1] ------------------ 2595| 0| LOG(NDPI_LOG_DEBUG, ------------------ | | 498| 0|#define LOG(...) {} ------------------ 2596| 1| "\n\nWARNING: only IPv4/IPv6 packets are supported in this demo (nDPI supports both IPv4 and IPv6), all other packets will be discarded\n\n"); 2597| 1| ipv4_warning_used = 1; 2598| 1| } 2599| | 2600| 1.32k| workflow->stats.total_discarded_bytes += header->len; 2601| 1.32k| return(nproto); 2602| 1.31k| } 2603| | 2604| 129k| if(workflow->prefs.decode_tunnels && (proto == IPPROTO_UDP)) { ------------------ | Branch (2604:6): [True: 43.4k, False: 86.2k] | Branch (2604:40): [True: 11.6k, False: 31.7k] ------------------ 2605| 11.6k| if(header->caplen < ip_offset + ip_len + sizeof(struct ndpi_udphdr)) ------------------ | Branch (2605:8): [True: 10, False: 11.6k] ------------------ 2606| 10| return(nproto); /* Too short for UDP header*/ 2607| 11.6k| else { 2608| 11.6k| struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len]; 2609| 11.6k| u_int16_t sport = ntohs(udp->source), dport = ntohs(udp->dest); 2610| | 2611| 11.6k| if(((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) && ------------------ | | 66| 11.6k|#define GTP_U_V1_PORT 2152 ------------------ if(((sport == GTP_U_V1_PORT) || (dport == GTP_U_V1_PORT)) && ------------------ | | 66| 11.3k|#define GTP_U_V1_PORT 2152 ------------------ | Branch (2611:11): [True: 309, False: 11.3k] | Branch (2611:39): [True: 1.31k, False: 10.0k] ------------------ 2612| 1.62k| (ip_offset + ip_len + sizeof(struct ndpi_udphdr) + 8 /* Minimum GTPv1 header len */ < header->caplen)) { ------------------ | Branch (2612:10): [True: 1.61k, False: 14] ------------------ 
2613| | /* Check if it's GTPv1 */ 2614| 1.61k| u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); 2615| 1.61k| u_int8_t flags = packet[offset]; 2616| 1.61k| u_int8_t message_type = packet[offset+1]; 2617| 1.61k| u_int8_t exts_parsing_error = 0; 2618| | 2619| 1.61k| if((((flags & 0xE0) >> 5) == 1 /* GTPv1 */) && ------------------ | Branch (2619:5): [True: 1.45k, False: 162] ------------------ 2620| 1.45k| (message_type == 0xFF /* T-PDU */)) { ------------------ | Branch (2620:5): [True: 1.43k, False: 13] ------------------ 2621| | 2622| 1.43k| offset += 8; /* GTPv1 header len */ 2623| 1.43k| if(flags & 0x07) ------------------ | Branch (2623:7): [True: 11, False: 1.42k] ------------------ 2624| 11| offset += 4; /* sequence_number + pdu_number + next_ext_header fields */ 2625| | /* Extensions parsing */ 2626| 1.43k| if(flags & 0x04) { ------------------ | Branch (2626:7): [True: 9, False: 1.43k] ------------------ 2627| 9| unsigned int ext_length = 0; 2628| | 2629| 50| while(offset < header->caplen) { ------------------ | Branch (2629:12): [True: 50, False: 0] ------------------ 2630| 50| ext_length = packet[offset] << 2; 2631| 50| offset += ext_length; 2632| 50| if(offset >= header->caplen || ext_length == 0) { ------------------ | Branch (2632:11): [True: 6, False: 44] | Branch (2632:39): [True: 2, False: 42] ------------------ 2633| 8| exts_parsing_error = 1; 2634| 8| break; 2635| 8| } 2636| 42| if(packet[offset - 1] == 0) ------------------ | Branch (2636:11): [True: 1, False: 41] ------------------ 2637| 1| break; 2638| 42| } 2639| 9| } 2640| | 2641| 1.43k| if(offset < header->caplen && !exts_parsing_error) { ------------------ | Branch (2641:7): [True: 1.43k, False: 6] | Branch (2641:34): [True: 1.43k, False: 2] ------------------ 2642| | /* Ok, valid GTP-U */ 2643| 1.43k| tunnel_type = ndpi_gtp_tunnel; 2644| 1.43k| ip_offset = offset; 2645| 1.43k| iph = (struct ndpi_iphdr *)&packet[ip_offset]; 2646| 1.43k| if(iph->version == 6) { ------------------ | 
Branch (2646:9): [True: 6, False: 1.42k] ------------------ 2647| 6| iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset]; 2648| 6| iph = NULL; 2649| 6| if(header->caplen < ip_offset + sizeof(struct ndpi_ipv6hdr)) ------------------ | Branch (2649:18): [True: 1, False: 5] ------------------ 2650| 1| return(nproto); 2651| 1.42k| } else if(iph->version != IPVERSION) { ------------------ | Branch (2651:16): [True: 8, False: 1.41k] ------------------ 2652| | // printf("WARNING: not good (packet_id=%u)!\n", (unsigned int)workflow->stats.raw_packet_count); 2653| 8| goto v4_warning; 2654| 1.41k| } else { 2655| 1.41k| if(header->caplen < ip_offset + sizeof(struct ndpi_iphdr)) ------------------ | Branch (2655:18): [True: 3, False: 1.41k] ------------------ 2656| 3| return(nproto); 2657| 1.41k| } 2658| 1.43k| } 2659| 1.43k| } 2660| 10.0k| } else if((sport == TZSP_PORT) || (dport == TZSP_PORT)) { ------------------ | | 68| 10.0k|#define TZSP_PORT 37008 ------------------ } else if((sport == TZSP_PORT) || (dport == TZSP_PORT)) { ------------------ | | 68| 10.0k|#define TZSP_PORT 37008 ------------------ | Branch (2660:17): [True: 1, False: 10.0k] | Branch (2660:41): [True: 4, False: 10.0k] ------------------ 2661| | /* https://en.wikipedia.org/wiki/TZSP */ 2662| 5| if(header->caplen < ip_offset + ip_len + sizeof(struct ndpi_udphdr) + 4) ------------------ | Branch (2662:5): [True: 0, False: 5] ------------------ 2663| 0| return(nproto); /* Too short for TZSP*/ 2664| | 2665| 5| u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); 2666| 5| u_int8_t version = packet[offset]; 2667| 5| u_int8_t ts_type = packet[offset+1]; 2668| 5| u_int16_t encapsulates = ntohs(*((u_int16_t*)&packet[offset+2])); 2669| | 2670| 5| tunnel_type = ndpi_tzsp_tunnel; 2671| | 2672| 5| if((version == 1) && (ts_type == 0) && (encapsulates == 1)) { ------------------ | Branch (2672:5): [True: 0, False: 5] | Branch (2672:23): [True: 0, False: 0] | Branch (2672:41): [True: 0, False: 0] ------------------ 
2673| 0| u_int8_t stop = 0; 2674| | 2675| 0| offset += 4; 2676| | 2677| 0| while((!stop) && (offset < header->caplen)) { ------------------ | Branch (2677:10): [True: 0, False: 0] | Branch (2677:21): [True: 0, False: 0] ------------------ 2678| 0| u_int8_t tag_type = packet[offset]; 2679| 0| u_int8_t tag_len; 2680| | 2681| 0| switch(tag_type) { 2682| 0| case 0: /* PADDING Tag */ ------------------ | Branch (2682:6): [True: 0, False: 0] ------------------ 2683| 0| tag_len = 1; 2684| 0| break; 2685| 0| case 1: /* END Tag */ ------------------ | Branch (2685:6): [True: 0, False: 0] ------------------ 2686| 0| tag_len = 1, stop = 1; 2687| 0| break; 2688| 0| default: ------------------ | Branch (2688:6): [True: 0, False: 0] ------------------ 2689| 0| if(offset + 1 >= header->caplen) ------------------ | Branch (2689:11): [True: 0, False: 0] ------------------ 2690| 0| return(nproto); /* Invalid packet */ 2691| 0| tag_len = packet[offset+1]; 2692| 0| break; 2693| 0| } 2694| | 2695| 0| offset += tag_len; 2696| | 2697| 0| if(offset >= header->caplen) ------------------ | Branch (2697:9): [True: 0, False: 0] ------------------ 2698| 0| return(nproto); /* Invalid packet */ 2699| 0| else { 2700| 0| eth_offset = offset; 2701| 0| goto datalink_check; 2702| 0| } 2703| 0| } 2704| 0| } 2705| 10.0k| } else if((sport == NDPI_CAPWAP_DATA_PORT) || (dport == NDPI_CAPWAP_DATA_PORT)) { ------------------ | | 67| 10.0k|#define NDPI_CAPWAP_DATA_PORT 5247 ------------------ } else if((sport == NDPI_CAPWAP_DATA_PORT) || (dport == NDPI_CAPWAP_DATA_PORT)) { ------------------ | | 67| 10.0k|#define NDPI_CAPWAP_DATA_PORT 5247 ------------------ | Branch (2705:17): [True: 45, False: 10.0k] | Branch (2705:53): [True: 2, False: 10.0k] ------------------ 2706| | /* We dissect ONLY CAPWAP traffic */ 2707| 47| u_int offset = ip_offset+ip_len+sizeof(struct ndpi_udphdr); 2708| | 2709| 47| if((offset+1) < header->caplen) { ------------------ | Branch (2709:5): [True: 47, False: 0] ------------------ 
2710| 47| uint8_t preamble = packet[offset]; 2711| | 2712| 47| if((preamble & 0x0F) == 0) { /* CAPWAP header */ ------------------ | Branch (2712:7): [True: 37, False: 10] ------------------ 2713| 37| u_int16_t msg_len = (packet[offset+1] & 0xF8) >> 1; 2714| | 2715| 37| offset += msg_len; 2716| | 2717| 37| if((offset + 32 < header->caplen) && ------------------ | Branch (2717:9): [True: 35, False: 2] ------------------ 2718| 35| (packet[offset + 1] == 0x08)) { ------------------ | Branch (2718:9): [True: 0, False: 35] ------------------ 2719| | /* IEEE 802.11 Data */ 2720| 0| offset += 24; 2721| | /* LLC header is 8 bytes */ 2722| 0| type = ntohs((u_int16_t)*((u_int16_t*)&packet[offset+6])); 2723| | 2724| 0| ip_offset = offset + 8; 2725| | 2726| 0| tunnel_type = ndpi_capwap_tunnel; 2727| 0| goto iph_check; 2728| 0| } 2729| 37| } 2730| 47| } 2731| 10.0k| }else if(ndpi_is_valid_vxlan(header, packet, ip_offset, ip_len)){ ------------------ | Branch (2731:16): [True: 0, False: 10.0k] ------------------ 2732| 0| tunnel_type = ndpi_vxlan_tunnel; 2733| 0| eth_offset = ndpi_skip_vxlan(ip_offset, ip_len); 2734| 0| goto datalink_check; 2735| 0| } 2736| 11.6k| } 2737| 117k| } else if(workflow->prefs.decode_tunnels && (proto == IPPROTO_GRE)) { ------------------ | Branch (2737:13): [True: 31.7k, False: 86.2k] | Branch (2737:47): [True: 15, False: 31.7k] ------------------ 2738| 15| if(header->caplen < ip_offset + ip_len + sizeof(struct ndpi_gre_basehdr)) ------------------ | Branch (2738:8): [True: 1, False: 14] ------------------ 2739| 1| return(nproto); /* Too short for GRE header*/ 2740| 14| u_int32_t offset = 0; 2741| 14| if((offset = ndpi_is_valid_gre_tunnel(header, packet, ip_offset, ip_len))) { ------------------ | Branch (2741:8): [True: 7, False: 7] ------------------ 2742| 7| tunnel_type = ndpi_gre_tunnel; 2743| 7| struct ndpi_gre_basehdr *grehdr = (struct ndpi_gre_basehdr*)&packet[ip_offset + ip_len]; 2744| 7| if(grehdr->protocol == ntohs(ETH_P_IP) || 
grehdr->protocol == ntohs(ETH_P_IPV6)) { ------------------ | Branch (2744:10): [True: 0, False: 7] | Branch (2744:49): [True: 0, False: 7] ------------------ 2745| 0| ip_offset = offset; 2746| 0| goto iph_check; 2747| 7| } else if(grehdr->protocol == NDPI_GRE_PROTO_PPP) { // ppp protocol ------------------ | | 630| 7|#define NDPI_GRE_PROTO_PPP ntohs(0x880b) ------------------ | Branch (2747:17): [True: 0, False: 7] ------------------ 2748| 0| ip_offset = offset + NDPI_PPP_HDRLEN; ------------------ | | 631| 0|#define NDPI_PPP_HDRLEN 4 /* octets for standard ppp header */ ------------------ 2749| 0| goto iph_check; 2750| 7| } else { 2751| 7| eth_offset = offset; 2752| 7| goto datalink_check; 2753| 7| } 2754| 7| } else { 2755| 7| return(nproto); 2756| 7| } 2757| 14| } 2758| | 2759| | /* process the packet */ 2760| 129k| return(packet_processing(workflow, time_ms, vlan_id, tunnel_type, iph, iph6, 2761| 129k| header->caplen - ip_offset, 2762| 129k| header->caplen, header, packet, header->ts, 2763| 129k| flow_risk, flow)); 2764| 129k|} reader_util.c:ndpi_free_flow_data_analysis: 566| 44.6k|static void ndpi_free_flow_data_analysis(struct ndpi_flow_info *flow) { 567| 44.6k| if(flow->iat_c_to_s) ndpi_free_data_analysis(flow->iat_c_to_s, 1); ------------------ | Branch (567:6): [True: 41.8k, False: 2.76k] ------------------ 568| 44.6k| if(flow->iat_s_to_c) ndpi_free_data_analysis(flow->iat_s_to_c, 1); ------------------ | Branch (568:6): [True: 41.9k, False: 2.71k] ------------------ 569| | 570| 44.6k| if(flow->pktlen_c_to_s) ndpi_free_data_analysis(flow->pktlen_c_to_s, 1); ------------------ | Branch (570:6): [True: 42.0k, False: 2.59k] ------------------ 571| 44.6k| if(flow->pktlen_s_to_c) ndpi_free_data_analysis(flow->pktlen_s_to_c, 1); ------------------ | Branch (571:6): [True: 41.6k, False: 2.95k] ------------------ 572| | 573| 44.6k| if(flow->iat_flow) ndpi_free_data_analysis(flow->iat_flow, 1); ------------------ | Branch (573:6): [True: 41.7k, False: 2.93k] 
------------------ 574| | 575| 44.6k| if(flow->entropy) ndpi_free(flow->entropy); ------------------ | Branch (575:6): [True: 0, False: 44.6k] ------------------ 576| 44.6k| if(flow->last_entropy) ndpi_free(flow->last_entropy); ------------------ | Branch (576:6): [True: 0, False: 44.6k] ------------------ 577| 44.6k|} reader_util.c:ndpi_free_flow_tls_data: 463| 44.6k|static void ndpi_free_flow_tls_data(struct ndpi_flow_info *flow) { 464| 44.6k| if(flow->tls.blocks) ------------------ | Branch (464:6): [True: 0, False: 44.6k] ------------------ 465| 0| ndpi_free(flow->tls.blocks); 466| | 467| 44.6k| if(flow->dhcp_fingerprint) { ------------------ | Branch (467:6): [True: 87, False: 44.5k] ------------------ 468| 87| ndpi_free(flow->dhcp_fingerprint); 469| 87| flow->dhcp_fingerprint = NULL; 470| 87| } 471| | 472| 44.6k| if(flow->dhcp_class_ident) { ------------------ | Branch (472:6): [True: 77, False: 44.5k] ------------------ 473| 77| ndpi_free(flow->dhcp_class_ident); 474| 77| flow->dhcp_class_ident = NULL; 475| 77| } 476| | 477| 44.6k| if(flow->server_hostname) { ------------------ | Branch (477:6): [True: 0, False: 44.6k] ------------------ 478| 0| ndpi_free(flow->server_hostname); 479| 0| flow->server_hostname = NULL; 480| 0| } 481| | 482| 44.6k| if(flow->bittorent_hash) { ------------------ | Branch (482:6): [True: 1.44k, False: 43.1k] ------------------ 483| 1.44k| ndpi_free(flow->bittorent_hash); 484| 1.44k| flow->bittorent_hash = NULL; 485| 1.44k| } 486| | 487| 44.6k| if(flow->telnet.username) { ------------------ | Branch (487:6): [True: 0, False: 44.6k] ------------------ 488| 0| ndpi_free(flow->telnet.username); 489| 0| flow->telnet.username = NULL; 490| 0| } 491| | 492| 44.6k| if(flow->telnet.password) { ------------------ | Branch (492:6): [True: 0, False: 44.6k] ------------------ 493| 0| ndpi_free(flow->telnet.password); 494| 0| flow->telnet.password = NULL; 495| 0| } 496| | 497| 44.6k| if(flow->ssh_tls.server_names) { ------------------ | Branch 
(497:6): [True: 543, False: 44.0k] ------------------ 498| 543| ndpi_free(flow->ssh_tls.server_names); 499| 543| flow->ssh_tls.server_names = NULL; 500| 543| } 501| | 502| 44.6k| if(flow->ssh_tls.advertised_alpns) { ------------------ | Branch (502:6): [True: 327, False: 44.3k] ------------------ 503| 327| ndpi_free(flow->ssh_tls.advertised_alpns); 504| 327| flow->ssh_tls.advertised_alpns = NULL; 505| 327| } 506| | 507| 44.6k| if(flow->ssh_tls.negotiated_alpn) { ------------------ | Branch (507:6): [True: 13, False: 44.6k] ------------------ 508| 13| ndpi_free(flow->ssh_tls.negotiated_alpn); 509| 13| flow->ssh_tls.negotiated_alpn = NULL; 510| 13| } 511| | 512| 44.6k| if(flow->ssh_tls.tls_supported_versions) { ------------------ | Branch (512:6): [True: 12, False: 44.6k] ------------------ 513| 12| ndpi_free(flow->ssh_tls.tls_supported_versions); 514| 12| flow->ssh_tls.tls_supported_versions = NULL; 515| 12| } 516| | 517| 44.6k| if(flow->ssh_tls.tls_issuerDN) { ------------------ | Branch (517:6): [True: 373, False: 44.2k] ------------------ 518| 373| ndpi_free(flow->ssh_tls.tls_issuerDN); 519| 373| flow->ssh_tls.tls_issuerDN = NULL; 520| 373| } 521| | 522| 44.6k| if(flow->ssh_tls.tls_subjectDN) { ------------------ | Branch (522:6): [True: 553, False: 44.0k] ------------------ 523| 553| ndpi_free(flow->ssh_tls.tls_subjectDN); 524| 553| flow->ssh_tls.tls_subjectDN = NULL; 525| 553| } 526| | 527| 44.6k| if(flow->ssh_tls.ja4_client_raw) { ------------------ | Branch (527:6): [True: 0, False: 44.6k] ------------------ 528| 0| ndpi_free(flow->ssh_tls.ja4_client_raw); 529| 0| flow->ssh_tls.ja4_client_raw = NULL; 530| 0| } 531| | 532| 44.6k| if(flow->ndpi_client_fingerprint) { ------------------ | Branch (532:6): [True: 1.21k, False: 43.4k] ------------------ 533| 1.21k| ndpi_free(flow->ndpi_client_fingerprint); 534| 1.21k| flow->ndpi_client_fingerprint = NULL; 535| 1.21k| } 536| | 537| 44.6k| if(flow->ndpi_server_fingerprint) { ------------------ | Branch (537:6): [True: 
1.15k, False: 43.4k] ------------------ 538| 1.15k| ndpi_free(flow->ndpi_server_fingerprint); 539| 1.15k| flow->ndpi_server_fingerprint = NULL; 540| 1.15k| } 541| | 542| 44.6k| if(flow->stun.mapped_address.aps) { ------------------ | Branch (542:6): [True: 63, False: 44.5k] ------------------ 543| 63| ndpi_free(flow->stun.mapped_address.aps); 544| 63| flow->stun.mapped_address.aps = NULL; 545| 63| } 546| 44.6k| if(flow->stun.other_address.aps) { ------------------ | Branch (546:6): [True: 0, False: 44.6k] ------------------ 547| 0| ndpi_free(flow->stun.other_address.aps); 548| 0| flow->stun.other_address.aps = NULL; 549| 0| } 550| 44.6k| if(flow->stun.peer_address.aps) { ------------------ | Branch (550:6): [True: 0, False: 44.6k] ------------------ 551| 0| ndpi_free(flow->stun.peer_address.aps); 552| 0| flow->stun.peer_address.aps = NULL; 553| 0| } 554| 44.6k| if(flow->stun.relayed_address.aps) { ------------------ | Branch (554:6): [True: 0, False: 44.6k] ------------------ 555| 0| ndpi_free(flow->stun.relayed_address.aps); 556| 0| flow->stun.relayed_address.aps = NULL; 557| 0| } 558| 44.6k| if(flow->stun.response_origin.aps) { ------------------ | Branch (558:6): [True: 0, False: 44.6k] ------------------ 559| 0| ndpi_free(flow->stun.response_origin.aps); 560| | flow->stun.response_origin.aps = NULL; 561| 0| } 562| 44.6k|} reader_util.c:cmp_n32: 620| 198k|static inline int cmp_n32(uint32_t a,uint32_t b) { 621| 198k| return a == b ? 0 : ntohl(a) < ntohl(b) ? -1:1; ------------------ | Branch (621:9): [True: 165k, False: 33.3k] | Branch (621:22): [True: 18.4k, False: 14.9k] ------------------ 622| 198k|} reader_util.c:cmp_n16: 623| 165k|static inline int cmp_n16(uint16_t a,uint16_t b) { 624| 165k| return a == b ? 0 : ntohs(a) < ntohs(b) ? 
-1:1; ------------------ | Branch (624:9): [True: 160k, False: 4.96k] | Branch (624:22): [True: 557, False: 4.40k] ------------------ 625| 165k|} reader_util.c:add_to_address_port_list: 1145| 51.2k|{ 1146| 51.2k| int new_num; 1147| 51.2k| void *new_buf; 1148| 51.2k| unsigned int i; 1149| | 1150| 51.2k| if(ap->port == 0) ------------------ | Branch (1150:6): [True: 51.2k, False: 70] ------------------ 1151| 51.2k| return; 1152| | 1153| | /* Avoid saving duplicates */ 1154| 70| for(i = 0; i < list->num_aps; i++) ------------------ | Branch (1154:14): [True: 0, False: 70] ------------------ 1155| 0| if(memcmp(&list->aps[i], ap, sizeof(*ap)) == 0) ------------------ | Branch (1155:8): [True: 0, False: 0] ------------------ 1156| 0| return; 1157| | 1158| 70| if(list->num_aps == list->num_aps_allocated) { ------------------ | Branch (1158:6): [True: 70, False: 0] ------------------ 1159| 70| new_num = 1 + list->num_aps_allocated * 2; 1160| 70| new_buf = ndpi_realloc(list->aps, 1161| 70| new_num * sizeof(ndpi_address_port)); 1162| 70| if(!new_buf) ------------------ | Branch (1162:8): [True: 7, False: 63] ------------------ 1163| 7| return; 1164| 63| list->aps = new_buf; 1165| 63| list->num_aps_allocated = new_num; 1166| 63| } 1167| 63| memcpy(&list->aps[list->num_aps++], ap, sizeof(ndpi_address_port)); 1168| 63|} reader_util.c:ndpi_is_valid_vxlan: 2092| 10.0k|static bool ndpi_is_valid_vxlan(const struct pcap_pkthdr *header, const u_char *packet, u_int16_t ip_offset, u_int16_t ip_len){ 2093| 10.0k| if(header->caplen < ip_offset + ip_len + sizeof(struct ndpi_udphdr) + sizeof(struct ndpi_vxlanhdr)) { ------------------ | Branch (2093:6): [True: 29, False: 9.98k] ------------------ 2094| 29| return false; 2095| 29| } 2096| 9.98k| u_int32_t vxlan_dst_port = ntohs(4789); 2097| 9.98k| struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len]; 2098| 9.98k| u_int offset = ip_offset + ip_len + sizeof(struct ndpi_udphdr); 2099| | /** 2100| | * rfc-7348 2101| | * 
VXLAN Header: This is an 8-byte field that has: 2102| | 2103| | - Flags (8 bits): where the I flag MUST be set to 1 for a valid 2104| | VXLAN Network ID (VNI). The other 7 bits (designated "R") are 2105| | reserved fields and MUST be set to zero on transmission and 2106| | ignored on receipt. 2107| | 2108| | - VXLAN Segment ID/VXLAN Network Identifier (VNI): this is a 2109| | 24-bit value used to designate the individual VXLAN overlay 2110| | network on which the communicating VMs are situated. VMs in 2111| | different VXLAN overlay networks cannot communicate with each 2112| | other. 2113| | 2114| | - Reserved fields (24 bits and 8 bits): MUST be set to zero on 2115| | transmission and ignored on receipt. 2116| | VXLAN Header: 2117| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2118| | |R|R|R|R|I|R|R|R| Reserved | 2119| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2120| | | VXLAN Network Identifier (VNI) | Reserved | 2121| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2122| | */ 2123| 9.98k| if((udp->dest == vxlan_dst_port || udp->source == vxlan_dst_port) && ------------------ | Branch (2123:7): [True: 1, False: 9.98k] | Branch (2123:38): [True: 1, False: 9.98k] ------------------ 2124| 2| (packet[offset] == 0x8) && ------------------ | Branch (2124:5): [True: 0, False: 2] ------------------ 2125| 0| (packet[offset + 1] == 0x0) && ------------------ | Branch (2125:5): [True: 0, False: 0] ------------------ 2126| 0| (packet[offset + 2] == 0x0) && ------------------ | Branch (2126:5): [True: 0, False: 0] ------------------ 2127| 0| (packet[offset + 3] == 0x0) && ------------------ | Branch (2127:5): [True: 0, False: 0] ------------------ 2128| 0| (packet[offset + 7] == 0x0)) { ------------------ | Branch (2128:5): [True: 0, False: 0] ------------------ 2129| 0| return true; 2130| 0| } 2131| 9.98k| return false; 2132| 9.98k|} reader_util.c:ndpi_is_valid_gre_tunnel: 2140| 14| const u_int16_t ip_len) { 
2141| 14| uint32_t offset = ip_offset + ip_len; 2142| 14| struct ndpi_gre_basehdr *grehdr = (struct ndpi_gre_basehdr*)&packet[offset]; 2143| 14| offset += sizeof(struct ndpi_gre_basehdr); 2144| | /* 2145| | The GRE flags are encoded in the first two octets. Bit 0 is the 2146| | most significant bit, bit 15 is the least significant bit. Bits 2147| | 13 through 15 are reserved for the Version field. Bits 9 through 2148| | 12 are reserved for future use and MUST be transmitted as zero. 2149| | */ 2150| 14| if(NDPI_GRE_IS_FLAGS(grehdr->flags)) ------------------ | | 625| 14|#define NDPI_GRE_IS_FLAGS(f) ((f) & NDPI_GRE_FLAGS) | | ------------------ | | | | 616| 14|#define NDPI_GRE_FLAGS ntohs(0x0078) | | ------------------ | | | Branch (625:31): [True: 4, False: 10] | | ------------------ ------------------ 2151| 4| return 0; 2152| 10| if(NDPI_GRE_IS_REC(grehdr->flags)) ------------------ | | 624| 10|#define NDPI_GRE_IS_REC(f) ((f) & NDPI_GRE_REC) | | ------------------ | | | | 614| 10|#define NDPI_GRE_REC ntohs(0x0700) | | ------------------ | | | Branch (624:29): [True: 1, False: 9] | | ------------------ ------------------ 2153| 1| return 0; 2154| | /*GRE rfc 2890 that update 1701*/ 2155| 9| if(NDPI_GRE_IS_VERSION_0(grehdr->flags)) { ------------------ | | 627| 9|#define NDPI_GRE_IS_VERSION_0(f) (((f) & NDPI_GRE_VERSION) == ntohs(0x0000)) | | ------------------ | | | | 617| 9|#define NDPI_GRE_VERSION ntohs(0x0007) | | ------------------ | | | Branch (627:34): [True: 7, False: 2] | | ------------------ ------------------ 2156| 7| if(NDPI_GRE_IS_CSUM(grehdr->flags)) { ------------------ | | 619| 7|#define NDPI_GRE_IS_CSUM(f) ((f) & NDPI_GRE_CSUM) | | ------------------ | | | | 609| 7|#define NDPI_GRE_CSUM ntohs(0x8000) | | ------------------ | | | Branch (619:30): [True: 2, False: 5] | | ------------------ ------------------ 2157| 2| if(header->caplen < offset + 4) ------------------ | Branch (2157:10): [True: 0, False: 2] ------------------ 2158| 0| return 0; 2159| | 
/*checksum field and offset field*/ 2160| 2| offset += 4; 2161| 2| } 2162| 7| if(NDPI_GRE_IS_KEY(grehdr->flags)) { ------------------ | | 621| 7|#define NDPI_GRE_IS_KEY(f) ((f) & NDPI_GRE_KEY) | | ------------------ | | | | 611| 7|#define NDPI_GRE_KEY ntohs(0x2000) | | ------------------ | | | Branch (621:29): [True: 3, False: 4] | | ------------------ ------------------ 2163| 3| if(header->caplen < offset + 4) ------------------ | Branch (2163:10): [True: 0, False: 3] ------------------ 2164| 0| return 0; 2165| 3| offset += 4; 2166| 3| } 2167| 7| if(NDPI_GRE_IS_SEQ(grehdr->flags)) { ------------------ | | 622| 7|#define NDPI_GRE_IS_SEQ(f) ((f) & NDPI_GRE_SEQ) | | ------------------ | | | | 612| 7|#define NDPI_GRE_SEQ ntohs(0x1000) | | ------------------ | | | Branch (622:29): [True: 3, False: 4] | | ------------------ ------------------ 2168| 3| if(header->caplen < offset + 4) ------------------ | Branch (2168:10): [True: 0, False: 3] ------------------ 2169| 0| return 0; 2170| 3| offset += 4; 2171| 3| } 2172| 7| } else if(NDPI_GRE_IS_VERSION_1(grehdr->flags)) { /*rfc-2637 section 4.1 enhanced gre*/ ------------------ | | 628| 2|#define NDPI_GRE_IS_VERSION_1(f) (((f) & NDPI_GRE_VERSION) == ntohs(0x0001)) | | ------------------ | | | | 617| 2|#define NDPI_GRE_VERSION ntohs(0x0007) | | ------------------ | | | Branch (628:34): [True: 1, False: 1] | | ------------------ ------------------ 2173| 1| if(NDPI_GRE_IS_CSUM(grehdr->flags)) ------------------ | | 619| 1|#define NDPI_GRE_IS_CSUM(f) ((f) & NDPI_GRE_CSUM) | | ------------------ | | | | 609| 1|#define NDPI_GRE_CSUM ntohs(0x8000) | | ------------------ | | | Branch (619:30): [True: 0, False: 1] | | ------------------ ------------------ 2174| 0| return 0; 2175| 1| if(NDPI_GRE_IS_ROUTING(grehdr->flags)) ------------------ | | 620| 1|#define NDPI_GRE_IS_ROUTING(f) ((f) & NDPI_GRE_ROUTING) | | ------------------ | | | | 610| 1|#define NDPI_GRE_ROUTING ntohs(0x4000) | | ------------------ | | | Branch (620:32): [True: 
1, False: 0] | | ------------------ ------------------ 2176| 1| return 0; 2177| 0| if(!NDPI_GRE_IS_KEY(grehdr->flags)) ------------------ | | 621| 0|#define NDPI_GRE_IS_KEY(f) ((f) & NDPI_GRE_KEY) | | ------------------ | | | | 611| 0|#define NDPI_GRE_KEY ntohs(0x2000) | | ------------------ ------------------ | Branch (2177:8): [True: 0, False: 0] ------------------ 2178| 0| return 0; 2179| 0| if(NDPI_GRE_IS_STRICT(grehdr->flags)) ------------------ | | 623| 0|#define NDPI_GRE_IS_STRICT(f) ((f) & NDPI_GRE_STRICT) | | ------------------ | | | | 613| 0|#define NDPI_GRE_STRICT ntohs(0x0800) | | ------------------ | | | Branch (623:31): [True: 0, False: 0] | | ------------------ ------------------ 2180| 0| return 0; 2181| 0| if(grehdr->protocol != NDPI_GRE_PROTO_PPP) ------------------ | | 630| 0|#define NDPI_GRE_PROTO_PPP ntohs(0x880b) ------------------ | Branch (2181:8): [True: 0, False: 0] ------------------ 2182| 0| return 0; 2183| | /*key field*/ 2184| 0| if(header->caplen < offset + 4) ------------------ | Branch (2184:8): [True: 0, False: 0] ------------------ 2185| 0| return 0; 2186| 0| offset += 4; 2187| 0| if(NDPI_GRE_IS_SEQ(grehdr->flags)) { ------------------ | | 622| 0|#define NDPI_GRE_IS_SEQ(f) ((f) & NDPI_GRE_SEQ) | | ------------------ | | | | 612| 0|#define NDPI_GRE_SEQ ntohs(0x1000) | | ------------------ | | | Branch (622:29): [True: 0, False: 0] | | ------------------ ------------------ 2188| 0| if(header->caplen < offset + 4) ------------------ | Branch (2188:10): [True: 0, False: 0] ------------------ 2189| 0| return 0; 2190| 0| offset += 4; 2191| 0| } 2192| 0| if(NDPI_GRE_IS_ACK(grehdr->flags)) { ------------------ | | 626| 0|#define NDPI_GRE_IS_ACK(f) ((f) & NDPI_GRE_ACK) | | ------------------ | | | | 615| 0|#define NDPI_GRE_ACK ntohs(0x0080) | | ------------------ | | | Branch (626:29): [True: 0, False: 0] | | ------------------ ------------------ 2193| 0| if(header->caplen < offset + 4) ------------------ | Branch (2193:10): [True: 0, 
False: 0] ------------------ 2194| 0| return 0; 2195| 0| offset += 4; 2196| 0| } 2197| 1| } else { /*support only ver 0, 1*/ 2198| 1| return 0; 2199| 1| } 2200| 7| return offset; 2201| 9|} reader_util.c:packet_processing: 1804| 129k| struct ndpi_flow_info **flow_ext) { 1805| 129k| struct ndpi_flow_info *flow = NULL; 1806| 129k| struct ndpi_flow_struct *ndpi_flow = NULL; 1807| 129k| u_int8_t proto; 1808| 129k| struct ndpi_tcphdr *tcph = NULL; 1809| 129k| struct ndpi_udphdr *udph = NULL; 1810| 129k| u_int16_t sport, dport, payload_len = 0; 1811| 129k| u_int8_t *payload; 1812| 129k| u_int8_t src_to_dst_direction = 1; 1813| 129k| u_int8_t begin_or_end_tcp = 0; 1814| 129k| struct ndpi_proto nproto; 1815| | 1816| 129k| memset(&nproto, '\0', sizeof(nproto)); 1817| | 1818| 129k| if(workflow->prefs.ignore_vlanid) ------------------ | Branch (1818:6): [True: 57.4k, False: 72.2k] ------------------ 1819| 57.4k| vlan_id = 0; 1820| | 1821| 129k| if(iph) ------------------ | Branch (1821:6): [True: 127k, False: 1.81k] ------------------ 1822| 127k| flow = get_ndpi_flow_info(workflow, IPVERSION, vlan_id, 1823| 127k| tunnel_type, iph, NULL, 1824| 127k| ipsize, 1825| 127k| ntohs(iph->tot_len) ? 
(ntohs(iph->tot_len) - (iph->ihl * 4)) : ipsize - (iph->ihl * 4) /* TSO */, ------------------ | Branch (1825:10): [True: 127k, False: 130] ------------------ 1826| 127k| iph->ihl * 4, 1827| 127k| &tcph, &udph, &sport, &dport, 1828| 127k| &proto, 1829| 127k| &payload, &payload_len, &src_to_dst_direction, when); 1830| 1.81k| else 1831| 1.81k| flow = get_ndpi_flow_info6(workflow, vlan_id, 1832| 1.81k| tunnel_type, iph6, ipsize, 1833| 1.81k| &tcph, &udph, &sport, &dport, 1834| 1.81k| &proto, 1835| 1.81k| &payload, &payload_len, &src_to_dst_direction, when); 1836| | 1837| 129k| if(flow != NULL) { ------------------ | Branch (1837:6): [True: 117k, False: 12.1k] ------------------ 1838| 117k| pkt_timeval tdiff; 1839| | 1840| 117k| workflow->stats.ip_packet_count++; 1841| 117k| workflow->stats.total_wire_bytes += rawsize + 24 /* CRC etc */, 1842| 117k| workflow->stats.total_ip_bytes += rawsize; 1843| 117k| ndpi_flow = flow->ndpi_flow; 1844| | 1845| 117k| if(tcph != NULL){ ------------------ | Branch (1845:8): [True: 92.5k, False: 24.9k] ------------------ 1846| 92.5k| update_tcp_flags_count(flow, tcph, src_to_dst_direction); 1847| 92.5k| if(tcph->syn && !flow->src2dst_bytes){ ------------------ | Branch (1847:10): [True: 27.0k, False: 65.5k] | Branch (1847:23): [True: 9.10k, False: 17.8k] ------------------ 1848| 9.10k| flow->c_to_s_init_win = rawsize; 1849| 83.4k| }else if(tcph->syn && tcph->ack && flow->src2dst_bytes == flow->c_to_s_init_win){ ------------------ | Branch (1849:16): [True: 17.8k, False: 65.5k] | Branch (1849:29): [True: 2.57k, False: 15.3k] | Branch (1849:42): [True: 1.96k, False: 611] ------------------ 1850| 1.96k| flow->s_to_c_init_win = rawsize; 1851| 1.96k| } 1852| 92.5k| } 1853| | 1854| 117k| if((tcph != NULL) && (tcph->fin || tcph->rst || tcph->syn)) ------------------ | Branch (1854:8): [True: 92.5k, False: 24.9k] | Branch (1854:27): [True: 22.9k, False: 69.5k] | Branch (1854:40): [True: 5.73k, False: 63.8k] | Branch (1854:53): [True: 6.37k, 
False: 57.4k] ------------------ 1855| 35.0k| begin_or_end_tcp = 1; 1856| | 1857| 117k| if(flow->flow_last_pkt_time.tv_sec) { ------------------ | Branch (1857:8): [True: 76.2k, False: 41.2k] ------------------ 1858| 76.2k| ndpi_timer_sub(&when, &flow->flow_last_pkt_time, &tdiff); 1859| | 1860| 76.2k| if(flow->iat_flow ------------------ | Branch (1860:10): [True: 71.2k, False: 4.95k] ------------------ 1861| 71.2k| && (tdiff.tv_sec >= 0) /* Discard backward time */ ------------------ | Branch (1861:6): [True: 66.0k, False: 5.23k] ------------------ 1862| 76.2k| ) { 1863| 66.0k| u_int64_t ms = ndpi_timeval_to_milliseconds(tdiff); 1864| | 1865| 66.0k| if(ms > 0) ------------------ | Branch (1865:5): [True: 27.2k, False: 38.7k] ------------------ 1866| 27.2k| ndpi_data_add_value(flow->iat_flow, ms); 1867| 66.0k| } 1868| 76.2k| } 1869| | 1870| 117k| flow->flow_last_pkt_time = when; 1871| | 1872| 117k| if(src_to_dst_direction) { ------------------ | Branch (1872:8): [True: 90.0k, False: 27.4k] ------------------ 1873| 90.0k| if(flow->src2dst_last_pkt_time.tv_sec) { ------------------ | Branch (1873:10): [True: 48.9k, False: 41.0k] ------------------ 1874| 48.9k| ndpi_timer_sub(&when, &flow->src2dst_last_pkt_time, &tdiff); 1875| | 1876| 48.9k| if(flow->iat_c_to_s ------------------ | Branch (1876:5): [True: 45.6k, False: 3.33k] ------------------ 1877| 45.6k| && (tdiff.tv_sec >= 0) /* Discard backward time */ ------------------ | Branch (1877:8): [True: 41.7k, False: 3.85k] ------------------ 1878| 48.9k| ) { 1879| 41.7k| u_int64_t ms = ndpi_timeval_to_milliseconds(tdiff); 1880| | 1881| 41.7k| ndpi_data_add_value(flow->iat_c_to_s, ms); 1882| 41.7k| } 1883| 48.9k| } 1884| | 1885| 90.0k| ndpi_data_add_value(flow->pktlen_c_to_s, rawsize); 1886| 90.0k| flow->src2dst_packets++, flow->src2dst_bytes += rawsize, flow->src2dst_goodput_bytes += payload_len; 1887| 90.0k| flow->src2dst_last_pkt_time = when; 1888| | 1889| |#ifdef DIRECTION_BINS 1890| | if(payload_len && 
(flow->src2dst_packets < MAX_NUM_BIN_PKTS)) 1891| | ndpi_inc_bin(&flow->payload_len_bin_src2dst, plen2slot(payload_len)); 1892| |#endif 1893| 90.0k| } else { 1894| 27.4k| if(flow->dst2src_last_pkt_time.tv_sec && (!begin_or_end_tcp)) { ------------------ | Branch (1894:10): [True: 17.4k, False: 10.0k] | Branch (1894:48): [True: 16.2k, False: 1.17k] ------------------ 1895| 16.2k| ndpi_timer_sub(&when, &flow->dst2src_last_pkt_time, &tdiff); 1896| | 1897| 16.2k| if(flow->iat_s_to_c) { ------------------ | Branch (1897:5): [True: 15.1k, False: 1.10k] ------------------ 1898| 15.1k| u_int64_t ms = ndpi_timeval_to_milliseconds(tdiff); 1899| | 1900| 15.1k| ndpi_data_add_value(flow->iat_s_to_c, ms); 1901| 15.1k| } 1902| 16.2k| } 1903| 27.4k| ndpi_data_add_value(flow->pktlen_s_to_c, rawsize); 1904| 27.4k| flow->dst2src_packets++, flow->dst2src_bytes += rawsize, flow->dst2src_goodput_bytes += payload_len; 1905| 27.4k| flow->risk &= ~(1ULL << NDPI_UNIDIRECTIONAL_TRAFFIC); /* Clear bit */ 1906| 27.4k| flow->dst2src_last_pkt_time = when; 1907| | 1908| |#ifdef DIRECTION_BINS 1909| | if(payload_len && (flow->dst2src_packets < MAX_NUM_BIN_PKTS)) 1910| | ndpi_inc_bin(&flow->payload_len_bin_dst2src, plen2slot(payload_len)); 1911| |#endif 1912| 27.4k| } 1913| | 1914| 117k|#ifndef DIRECTION_BINS 1915| 117k| if(payload_len && ((flow->src2dst_packets+flow->dst2src_packets) < MAX_NUM_BIN_PKTS)) { ------------------ | | 60| 88.3k|#define MAX_NUM_BIN_PKTS 256 ------------------ | Branch (1915:8): [True: 88.3k, False: 29.0k] | Branch (1915:23): [True: 88.3k, False: 0] ------------------ 1916| |#if 0 1917| | /* Discard packets until the protocol is detected */ 1918| | if(flow->detected_protocol.proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) 1919| |#endif 1920| 88.3k| ndpi_inc_bin(&flow->payload_len_bin, plen2slot(payload_len), 1); 1921| 88.3k| } 1922| 117k|#endif 1923| | 1924| 117k| if(enable_payload_analyzer && (payload_len > 0)) ------------------ | Branch (1924:8): [True: 0, False: 117k] | 
Branch (1924:35): [True: 0, False: 0] ------------------ 1925| 0| ndpi_payload_analyzer(flow, 1926| 0| payload, payload_len, 1927| 0| workflow->stats.ip_packet_count); 1928| | 1929| 117k| if(enable_flow_stats) { ------------------ | Branch (1929:8): [True: 0, False: 117k] ------------------ 1930| | /* Update BD, distribution and mean. */ 1931| 0| ndpi_flow_update_byte_count(flow, payload, payload_len, src_to_dst_direction); 1932| 0| ndpi_flow_update_byte_dist_mean_var(flow, payload, payload_len, src_to_dst_direction); 1933| | /* Update SPLT scores for first 32 packets. */ 1934| 0| if((flow->entropy->src2dst_pkt_count+flow->entropy->dst2src_pkt_count) <= max_num_packets_per_flow) { ------------------ | Branch (1934:10): [True: 0, False: 0] ------------------ 1935| 0| if(flow->bidirectional) ------------------ | Branch (1935:12): [True: 0, False: 0] ------------------ 1936| 0| flow->entropy->score = ndpi_classify(flow->entropy->src2dst_pkt_len, flow->entropy->src2dst_pkt_time, 1937| 0| flow->entropy->dst2src_pkt_len, flow->entropy->dst2src_pkt_time, 1938| 0| flow->entropy->src2dst_start, flow->entropy->dst2src_start, 1939| 0| max_num_packets_per_flow, ntohs(flow->src_port), ntohs(flow->dst_port), 1940| 0| flow->src2dst_packets, flow->dst2src_packets, 1941| 0| flow->entropy->src2dst_opackets, flow->entropy->dst2src_opackets, 1942| 0| flow->entropy->src2dst_l4_bytes, flow->entropy->dst2src_l4_bytes, 1, 1943| 0| flow->entropy->src2dst_byte_count, flow->entropy->dst2src_byte_count); 1944| 0| else 1945| 0| flow->entropy->score = ndpi_classify(flow->entropy->src2dst_pkt_len, flow->entropy->src2dst_pkt_time, 1946| 0| NULL, NULL, flow->entropy->src2dst_start, flow->entropy->src2dst_start, 1947| 0| max_num_packets_per_flow, ntohs(flow->src_port), ntohs(flow->dst_port), 1948| 0| flow->src2dst_packets, 0, 1949| 0| flow->entropy->src2dst_opackets, 0, 1950| 0| flow->entropy->src2dst_l4_bytes, 0, 1, 1951| 0| flow->entropy->src2dst_byte_count, NULL); 1952| 0| } 1953| 0| } 1954| | 
1955| 117k| if(flow->first_seen_ms == 0) ------------------ | Branch (1955:8): [True: 37.4k, False: 79.9k] ------------------ 1956| 37.4k| flow->first_seen_ms = time_ms; 1957| | 1958| 117k| flow->last_seen_ms = time_ms; 1959| | 1960| | /* Copy packets entropy if num packets count == 10 */ 1961| 117k| ndpi_clear_entropy_stats(flow); 1962| | /* Reset IAT reeference times (see https://github.com/ntop/nDPI/pull/1316) */ 1963| 117k| if(((flow->src2dst_packets + flow->dst2src_packets) % max_num_packets_per_flow) == 0) { ------------------ | Branch (1963:8): [True: 4.09k, False: 113k] ------------------ 1964| 4.09k| memset(&flow->src2dst_last_pkt_time, '\0', sizeof(flow->src2dst_last_pkt_time)); 1965| 4.09k| memset(&flow->dst2src_last_pkt_time, '\0', sizeof(flow->dst2src_last_pkt_time)); 1966| 4.09k| memset(&flow->flow_last_pkt_time, '\0', sizeof(flow->flow_last_pkt_time)); 1967| 4.09k| } 1968| | 1969| 117k| if((human_readeable_string_len != 0) && (!flow->has_human_readeable_strings)) { ------------------ | Branch (1969:8): [True: 117k, False: 0] | Branch (1969:45): [True: 77.3k, False: 40.0k] ------------------ 1970| 77.3k| u_int8_t skip = 0; 1971| | 1972| 77.3k| if(proto == IPPROTO_TCP && ------------------ | Branch (1972:10): [True: 54.7k, False: 22.6k] ------------------ 1973| 54.7k| (is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) || ------------------ | Branch (1973:4): [True: 17.1k, False: 37.6k] ------------------ 1974| 37.6k| is_ndpi_proto(flow, NDPI_PROTOCOL_SSH))) { ------------------ | Branch (1974:4): [True: 0, False: 37.6k] ------------------ 1975| 17.1k| if((flow->src2dst_packets+flow->dst2src_packets) < 10 /* MIN_NUM_ENCRYPT_SKIP_PACKETS */) ------------------ | Branch (1975:5): [True: 6.69k, False: 10.4k] ------------------ 1976| 6.69k| skip = 1; /* Skip initial negotiation packets */ 1977| 17.1k| } 1978| | 1979| 77.3k| if((!skip) && ((flow->src2dst_packets+flow->dst2src_packets) < 100)) { ------------------ | Branch (1979:10): [True: 70.6k, False: 6.69k] | Branch 
(1979:21): [True: 70.6k, False: 25] ------------------ 1980| 70.6k| if(ndpi_has_human_readable_string((char*)packet, header->caplen, ------------------ | Branch (1980:5): [True: 22.8k, False: 47.7k] ------------------ 1981| 70.6k| human_readeable_string_len, 1982| 70.6k| flow->human_readeable_string_buffer, 1983| 70.6k| sizeof(flow->human_readeable_string_buffer)) == 1) 1984| 22.8k| flow->has_human_readeable_strings = 1; 1985| 70.6k| } 1986| 77.3k| } else { 1987| 40.0k| if(proto == IPPROTO_TCP && ------------------ | Branch (1987:10): [True: 37.8k, False: 2.20k] ------------------ 1988| 37.8k| (is_ndpi_proto(flow, NDPI_PROTOCOL_TLS) || ------------------ | Branch (1988:11): [True: 2.76k, False: 35.0k] ------------------ 1989| 35.0k| is_ndpi_proto(flow, NDPI_PROTOCOL_SSH))) ------------------ | Branch (1989:11): [True: 1, False: 35.0k] ------------------ 1990| 2.76k| flow->has_human_readeable_strings = 0; 1991| 40.0k| } 1992| 117k| } else { // flow is NULL 1993| 12.1k| workflow->stats.total_discarded_bytes += header->len; 1994| 12.1k| return(nproto); 1995| 12.1k| } 1996| | 1997| 117k| if(!flow->detection_completed) { ------------------ | Branch (1997:6): [True: 89.4k, False: 27.9k] ------------------ 1998| 89.4k| struct ndpi_flow_input_info input_info; 1999| | 2000| 89.4k| u_int enough_packets = 2001| 89.4k| ((proto == IPPROTO_UDP && (max_num_udp_dissected_pkts > 0 && flow->src2dst_packets + flow->dst2src_packets >= max_num_udp_dissected_pkts)) || ------------------ | Branch (2001:9): [True: 17.0k, False: 72.4k] | Branch (2001:34): [True: 17.0k, False: 0] | Branch (2001:68): [True: 6, False: 17.0k] ------------------ 2002| 89.4k| (proto == IPPROTO_TCP && (max_num_tcp_dissected_pkts > 0 && flow->src2dst_packets + flow->dst2src_packets >= max_num_tcp_dissected_pkts))) ? 
1 : 0; ------------------ | Branch (2002:9): [True: 69.8k, False: 19.5k] | Branch (2002:34): [True: 69.8k, False: 0] | Branch (2002:68): [True: 8, False: 69.8k] ------------------ 2003| | 2004| |#if 0 2005| | printf("%s()\n", __FUNCTION__); 2006| |#endif 2007| | 2008| 89.4k| if(proto == IPPROTO_TCP) ------------------ | Branch (2008:8): [True: 69.8k, False: 19.5k] ------------------ 2009| 69.8k| workflow->stats.dpi_packet_count[0]++; 2010| 19.5k| else if(proto == IPPROTO_UDP) ------------------ | Branch (2010:13): [True: 17.0k, False: 2.53k] ------------------ 2011| 17.0k| workflow->stats.dpi_packet_count[1]++; 2012| 2.53k| else 2013| 2.53k| workflow->stats.dpi_packet_count[2]++; 2014| 89.4k| flow->dpi_packets++; 2015| | 2016| 89.4k| memset(&input_info, '\0', sizeof(input_info)); /* To be sure to set to "unknown" any fields */ 2017| | /* Set here any information (easily) available; in this trivial example we don't have any */ 2018| 89.4k| input_info.in_pkt_dir = NDPI_IN_PKT_DIR_UNKNOWN; ------------------ | | 645| 89.4k|#define NDPI_IN_PKT_DIR_UNKNOWN 0 /**< The application doesn't provide this kind of information */ ------------------ 2019| 89.4k| input_info.seen_flow_beginning = NDPI_FLOW_BEGINNING_UNKNOWN; ------------------ | | 654| 89.4k|#define NDPI_FLOW_BEGINNING_UNKNOWN 0 /**< The application doesn't provide this kind of information */ ------------------ 2020| 89.4k| alloc_size_stats = 1; 2021| 89.4k| flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, 2022| 89.4k| iph ? 
(uint8_t *)iph : (uint8_t *)iph6, ------------------ | Branch (2022:12): [True: 87.9k, False: 1.49k] ------------------ 2023| 89.4k| ipsize, time_ms, &input_info); 2024| | 2025| 89.4k| if(monitoring_enabled) ------------------ | Branch (2025:8): [True: 0, False: 89.4k] ------------------ 2026| 0| process_ndpi_monitoring_info(flow); 2027| 89.4k| if(flow->detected_protocol.state == NDPI_STATE_CLASSIFIED || ------------------ | Branch (2027:8): [True: 10.2k, False: 79.2k] ------------------ 2028| 79.2k| enough_packets) { ------------------ | Branch (2028:8): [True: 14, False: 79.2k] ------------------ 2029| | 2030| 10.2k| flow->detection_completed = 1; 2031| | 2032| 10.2k| if(flow->detected_protocol.state != NDPI_STATE_CLASSIFIED) { ------------------ | Branch (2032:10): [True: 14, False: 10.2k] ------------------ 2033| 14| flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow); 2034| 14| } 2035| | 2036| 10.2k| if(flow->ndpi_flow->protocol_was_guessed) workflow->stats.guessed_flow_protocols++; ------------------ | Branch (2036:10): [True: 142, False: 10.1k] ------------------ 2037| 10.2k| process_ndpi_collected_info(workflow, flow); 2038| 10.2k| } 2039| | 2040| | /* Let's try to save client-server direction */ 2041| 89.4k| flow->current_pkt_from_client_to_server = input_info.in_pkt_dir; 2042| | 2043| 89.4k| alloc_size_stats = 0; 2044| 89.4k| } else { 2045| 27.9k| flow->current_pkt_from_client_to_server = NDPI_IN_PKT_DIR_UNKNOWN; /* Unknown */ ------------------ | | 645| 27.9k|#define NDPI_IN_PKT_DIR_UNKNOWN 0 /**< The application doesn't provide this kind of information */ ------------------ 2046| 27.9k| } 2047| | 2048| |#if 0 2049| | if(flow->risk != 0) { 2050| | FILE *r = fopen("/tmp/e", "a"); 2051| | 2052| | if(r) { 2053| | fprintf(r, "->>> %u [%08X]\n", flow->risk, flow->risk); 2054| | fclose(r); 2055| | } 2056| | } 2057| |#endif 2058| | 2059| 117k| *flow_risk = flow->risk; 2060| 117k| *flow_ext = flow; 2061| | 2062| 117k| 
return(flow->detected_protocol); 2063| 129k|} reader_util.c:get_ndpi_flow_info: 750| 129k| pkt_timeval when) { 751| 129k| u_int32_t idx, hashval; 752| 129k| struct ndpi_flow_info flow; 753| 129k| void *ret; 754| 129k| const u_int8_t *l3, *l4; 755| 129k| u_int32_t l4_data_len = 0XFEEDFACE; 756| | 757| | /* 758| | Note: to keep things simple (ndpiReader is just a demo app) 759| | we handle IPv6 a-la-IPv4. 760| | */ 761| 129k| if(version == IPVERSION) { ------------------ | Branch (761:6): [True: 127k, False: 1.81k] ------------------ 762| 127k| if(ipsize < 20) ------------------ | Branch (762:8): [True: 0, False: 127k] ------------------ 763| 0| return NULL; 764| | 765| 127k| if((iph->ihl * 4) > ipsize || ipsize < ntohs(iph->tot_len) ------------------ | Branch (765:8): [True: 2, False: 127k] | Branch (765:35): [True: 1.83k, False: 125k] ------------------ 766| 127k| /* || (iph->frag_off & htons(0x1FFF)) != 0 */) 767| 1.83k| return NULL; 768| | 769| 125k| l3 = (const u_int8_t*)iph; 770| 125k| } else { 771| 1.81k| if(l4_offset > ipsize) ------------------ | Branch (771:8): [True: 0, False: 1.81k] ------------------ 772| 0| return NULL; 773| | 774| 1.81k| l3 = (const u_int8_t*)iph6; 775| 1.81k| } 776| 127k| if(ipsize < l4_offset + l4_packet_len) ------------------ | Branch (776:6): [True: 13, False: 127k] ------------------ 777| 13| return NULL; 778| | 779| 127k| *proto = iph->protocol; 780| | 781| 127k| if(l4_packet_len < 64) ------------------ | Branch (781:6): [True: 84.4k, False: 43.2k] ------------------ 782| 84.4k| workflow->stats.packet_len[0]++; 783| 43.2k| else if(l4_packet_len >= 64 && l4_packet_len < 128) ------------------ | Branch (783:11): [True: 43.2k, False: 0] | Branch (783:34): [True: 10.8k, False: 32.3k] ------------------ 784| 10.8k| workflow->stats.packet_len[1]++; 785| 32.3k| else if(l4_packet_len >= 128 && l4_packet_len < 256) ------------------ | Branch (785:11): [True: 32.3k, False: 0] | Branch (785:35): [True: 14.2k, False: 18.0k] 
------------------ 786| 14.2k| workflow->stats.packet_len[2]++; 787| 18.0k| else if(l4_packet_len >= 256 && l4_packet_len < 1024) ------------------ | Branch (787:11): [True: 18.0k, False: 0] | Branch (787:35): [True: 9.57k, False: 8.51k] ------------------ 788| 9.57k| workflow->stats.packet_len[3]++; 789| 8.51k| else if(l4_packet_len >= 1024 && l4_packet_len < 1500) ------------------ | Branch (789:11): [True: 8.51k, False: 0] | Branch (789:36): [True: 8.08k, False: 429] ------------------ 790| 8.08k| workflow->stats.packet_len[4]++; 791| 429| else if(l4_packet_len >= 1500) ------------------ | Branch (791:11): [True: 429, False: 0] ------------------ 792| 429| workflow->stats.packet_len[5]++; 793| | 794| 127k| if(l4_packet_len > workflow->stats.max_packet_len) ------------------ | Branch (794:6): [True: 12.1k, False: 115k] ------------------ 795| 12.1k| workflow->stats.max_packet_len = l4_packet_len; 796| | 797| 127k| l4 =& ((const u_int8_t *) l3)[l4_offset]; 798| | 799| 127k| if(*proto == IPPROTO_TCP && l4_packet_len >= sizeof(struct ndpi_tcphdr)) { ------------------ | Branch (799:6): [True: 99.1k, False: 28.6k] | Branch (799:31): [True: 99.0k, False: 100] ------------------ 800| 99.0k| u_int tcp_len; 801| | 802| | // TCP 803| 99.0k| workflow->stats.tcp_count++; 804| 99.0k| *tcph = (struct ndpi_tcphdr *)l4; 805| 99.0k| *sport = ntohs((*tcph)->source), *dport = ntohs((*tcph)->dest); 806| 99.0k| tcp_len = ndpi_min(4*(*tcph)->doff, l4_packet_len); ------------------ | | 113| 99.0k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 70.2k, False: 28.7k] | | ------------------ ------------------ 807| 99.0k| *payload = (u_int8_t*)&l4[tcp_len]; 808| 99.0k| *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); ------------------ | | 114| 99.0k|#define ndpi_max(a,b) ((a > b) ? 
a : b) | | ------------------ | | | Branch (114:26): [True: 598, False: 98.4k] | | ------------------ ------------------ 809| 99.0k| l4_data_len = l4_packet_len - sizeof(struct ndpi_tcphdr); 810| 99.0k| } else if(*proto == IPPROTO_UDP && l4_packet_len >= sizeof(struct ndpi_udphdr)) { ------------------ | Branch (810:13): [True: 24.9k, False: 3.81k] | Branch (810:38): [True: 24.9k, False: 1] ------------------ 811| | // UDP 812| 24.9k| workflow->stats.udp_count++; 813| 24.9k| *udph = (struct ndpi_udphdr *)l4; 814| 24.9k| *sport = ntohs((*udph)->source), *dport = ntohs((*udph)->dest); 815| 24.9k| *payload = (u_int8_t*)&l4[sizeof(struct ndpi_udphdr)]; 816| 24.9k| *payload_len = (l4_packet_len > sizeof(struct ndpi_udphdr)) ? l4_packet_len-sizeof(struct ndpi_udphdr) : 0; ------------------ | Branch (816:20): [True: 24.9k, False: 7] ------------------ 817| 24.9k| l4_data_len = l4_packet_len - sizeof(struct ndpi_udphdr); 818| 24.9k| } else if(*proto == IPPROTO_ICMP) { ------------------ | Branch (818:13): [True: 1.41k, False: 2.40k] ------------------ 819| 1.41k| *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmphdr )]; 820| 1.41k| *payload_len = (l4_packet_len > sizeof(struct ndpi_icmphdr)) ? l4_packet_len-sizeof(struct ndpi_icmphdr) : 0; ------------------ | Branch (820:20): [True: 1.24k, False: 165] ------------------ 821| 1.41k| l4_data_len = l4_packet_len - sizeof(struct ndpi_icmphdr); 822| 1.41k| *sport = *dport = 0; 823| 2.40k| } else if(*proto == IPPROTO_ICMPV6) { ------------------ | Branch (823:13): [True: 87, False: 2.31k] ------------------ 824| 87| *payload = (u_int8_t*)&l4[sizeof(struct ndpi_icmp6hdr)]; 825| 87| *payload_len = (l4_packet_len > sizeof(struct ndpi_icmp6hdr)) ? 
l4_packet_len-sizeof(struct ndpi_icmp6hdr) : 0; ------------------ | Branch (825:20): [True: 86, False: 1] ------------------ 826| 87| l4_data_len = l4_packet_len - sizeof(struct ndpi_icmp6hdr); 827| 87| *sport = *dport = 0; 828| 2.31k| } else { 829| 2.31k| *payload = NULL; 830| 2.31k| *payload_len = 0; 831| | // non tcp/udp protocols 832| 2.31k| *sport = *dport = 0; 833| 2.31k| l4_data_len = 0; 834| 2.31k| } 835| | 836| 127k| flow.protocol = iph->protocol, flow.vlan_id = vlan_id; 837| 127k| flow.src_ip = iph->saddr, flow.dst_ip = iph->daddr; 838| 127k| flow.src_port = htons(*sport), flow.dst_port = htons(*dport); 839| 127k| flow.hashval = hashval = flow.protocol + ntohl(flow.src_ip) + ntohl(flow.dst_ip) 840| 127k| + ntohs(flow.src_port) + ntohs(flow.dst_port); 841| | 842| |#if 0 843| | { 844| | char ip1[48],ip2[48]; 845| | inet_ntop(AF_INET, &flow.src_ip, ip1, sizeof(ip1)); 846| | inet_ntop(AF_INET, &flow.dst_ip, ip2, sizeof(ip2)); 847| | printf("hashval=%u [%u][%u][%s:%u][%s:%u]\n", hashval, flow.protocol, flow.vlan_id, 848| | ip1, ntohs(flow.src_port), ip2, ntohs(flow.dst_port)); 849| | } 850| |#endif 851| | 852| 127k| idx = hashval % workflow->prefs.num_roots; 853| 127k| ret = ndpi_tfind(&flow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); 854| | 855| | /* to avoid two nodes in one binary tree for a flow */ 856| 127k| int is_changed = 0; 857| 127k| if(ret == NULL) { ------------------ | Branch (857:6): [True: 75.2k, False: 52.5k] ------------------ 858| 75.2k| u_int32_t orig_src_ip = flow.src_ip; 859| 75.2k| u_int16_t orig_src_port = flow.src_port; 860| 75.2k| u_int32_t orig_dst_ip = flow.dst_ip; 861| 75.2k| u_int16_t orig_dst_port = flow.dst_port; 862| | 863| 75.2k| flow.src_ip = orig_dst_ip; 864| 75.2k| flow.src_port = orig_dst_port; 865| 75.2k| flow.dst_ip = orig_src_ip; 866| 75.2k| flow.dst_port = orig_src_port; 867| | 868| 75.2k| is_changed = 1; 869| | 870| 75.2k| ret = ndpi_tfind(&flow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); 
871| 75.2k| } 872| | 873| 127k| if(ret == NULL) { ------------------ | Branch (873:6): [True: 47.7k, False: 79.9k] ------------------ 874| 47.7k| if(workflow->stats.ndpi_flow_count == workflow->prefs.max_ndpi_flows) { ------------------ | Branch (874:8): [True: 534, False: 47.2k] ------------------ 875| 534| LOG(NDPI_LOG_ERROR, ------------------ | | 498| 534|#define LOG(...) {} ------------------ 876| 534| "maximum flow count (%u) has been exceeded\n", 877| 534| workflow->prefs.max_ndpi_flows); 878| 534| return NULL; 879| 47.2k| } else { 880| 47.2k| struct ndpi_flow_info *newflow = (struct ndpi_flow_info*)ndpi_malloc(sizeof(struct ndpi_flow_info)); 881| | 882| 47.2k| if(newflow == NULL) { ------------------ | Branch (882:10): [True: 2.60k, False: 44.6k] ------------------ 883| 2.60k| LOG(NDPI_LOG_ERROR, "[NDPI] %s(1): not enough memory\n", __FUNCTION__); ------------------ | | 498| 2.60k|#define LOG(...) {} ------------------ 884| 2.60k| return(NULL); 885| 2.60k| } else 886| 44.6k| workflow->num_allocated_flows++; 887| | 888| 44.6k| memset(newflow, 0, sizeof(struct ndpi_flow_info)); 889| 44.6k| newflow->flow_id = flow_id++; 890| 44.6k| newflow->hashval = hashval; 891| 44.6k| newflow->tunnel_type = tunnel_type; 892| 44.6k| newflow->protocol = iph->protocol, newflow->vlan_id = vlan_id; 893| 44.6k| newflow->src_ip = iph->saddr, newflow->dst_ip = iph->daddr; 894| 44.6k| newflow->src_port = htons(*sport), newflow->dst_port = htons(*dport); 895| 44.6k| newflow->ip_version = version; 896| 44.6k| newflow->iat_c_to_s = ndpi_alloc_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW), ------------------ | | 54| 44.6k|#define DATA_ANALUYSIS_SLIDING_WINDOW 32 ------------------ 897| 44.6k| newflow->iat_s_to_c = ndpi_alloc_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW); ------------------ | | 54| 44.6k|#define DATA_ANALUYSIS_SLIDING_WINDOW 32 ------------------ 898| 44.6k| newflow->pktlen_c_to_s = ndpi_alloc_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW), ------------------ | | 54| 
44.6k|#define DATA_ANALUYSIS_SLIDING_WINDOW 32 ------------------ 899| 44.6k| newflow->pktlen_s_to_c = ndpi_alloc_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW), ------------------ | | 54| 44.6k|#define DATA_ANALUYSIS_SLIDING_WINDOW 32 ------------------ 900| 44.6k| newflow->iat_flow = ndpi_alloc_data_analysis(DATA_ANALUYSIS_SLIDING_WINDOW); ------------------ | | 54| 44.6k|#define DATA_ANALUYSIS_SLIDING_WINDOW 32 ------------------ 901| | 902| |#ifdef DIRECTION_BINS 903| | ndpi_init_bin(&newflow->payload_len_bin_src2dst, ndpi_bin_family8, PLEN_NUM_BINS); 904| | ndpi_init_bin(&newflow->payload_len_bin_dst2src, ndpi_bin_family8, PLEN_NUM_BINS); 905| |#else 906| 44.6k| ndpi_init_bin(&newflow->payload_len_bin, ndpi_bin_family8, PLEN_NUM_BINS); ------------------ | | 59| 44.6k|#define PLEN_NUM_BINS 48 /* 47*32 = 1504 */ ------------------ 907| 44.6k|#endif 908| | 909| 44.6k| if (version == 4 || version == 6) { ------------------ | Branch (909:11): [True: 43.2k, False: 1.43k] | Branch (909:27): [True: 1.43k, False: 0] ------------------ 910| 44.6k| uint16_t inet_addrlen = (version == 4) ? 
INET_ADDRSTRLEN : INET6_ADDRSTRLEN; ------------------ | Branch (910:33): [True: 43.2k, False: 1.43k] ------------------ 911| 44.6k| newflow->src_name = ndpi_malloc(inet_addrlen); 912| 44.6k| newflow->dst_name = ndpi_malloc(inet_addrlen); 913| | 914| 44.6k| if(version == 4) { ------------------ | Branch (914:12): [True: 43.2k, False: 1.43k] ------------------ 915| 43.2k| if (newflow->src_name) ------------------ | Branch (915:15): [True: 40.7k, False: 2.48k] ------------------ 916| 40.7k| inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, inet_addrlen); 917| 43.2k| if (newflow->dst_name) ------------------ | Branch (917:15): [True: 40.6k, False: 2.57k] ------------------ 918| 40.6k| inet_ntop(AF_INET, &newflow->dst_ip, newflow->dst_name, inet_addrlen); 919| 43.2k| } else if (version == 6) { ------------------ | Branch (919:20): [True: 1.43k, False: 0] ------------------ 920| 1.43k| newflow->src_ip6 = *(struct ndpi_in6_addr *)&iph6->ip6_src; 921| 1.43k| newflow->dst_ip6 = *(struct ndpi_in6_addr *)&iph6->ip6_dst; 922| | 923| 1.43k| if (newflow->src_name) ------------------ | Branch (923:15): [True: 1.33k, False: 94] ------------------ 924| 1.33k| inet_ntop(AF_INET6, &newflow->src_ip6, newflow->src_name, inet_addrlen); 925| 1.43k| if (newflow->dst_name) ------------------ | Branch (925:15): [True: 1.33k, False: 102] ------------------ 926| 1.33k| inet_ntop(AF_INET6, &newflow->dst_ip6, newflow->dst_name, inet_addrlen); 927| | 928| | /* For consistency across platforms replace :0: with :: */ 929| 1.43k| if (newflow->src_name) ndpi_patchIPv6Address(newflow->src_name); ------------------ | Branch (929:15): [True: 1.33k, False: 94] ------------------ 930| 1.43k| if (newflow->dst_name) ndpi_patchIPv6Address(newflow->dst_name); ------------------ | Branch (930:15): [True: 1.33k, False: 102] ------------------ 931| 1.43k| } 932| 44.6k| } 933| | 934| 44.6k| if((newflow->ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT)) == NULL) { ------------------ | | 34| 44.6k|#define 
SIZEOF_FLOW_STRUCT ( sizeof(struct ndpi_flow_struct) ) ------------------ | Branch (934:10): [True: 2.34k, False: 42.2k] ------------------ 935| 2.34k| LOG(NDPI_LOG_ERROR, "[NDPI] %s(2): not enough memory\n", __FUNCTION__); ------------------ | | 498| 2.34k|#define LOG(...) {} ------------------ 936| 2.34k| ndpi_flow_info_free_data(newflow); 937| 2.34k| ndpi_free(newflow); 938| 2.34k| return(NULL); 939| 2.34k| } else 940| 42.2k| memset(newflow->ndpi_flow, 0, SIZEOF_FLOW_STRUCT); ------------------ | | 34| 42.2k|#define SIZEOF_FLOW_STRUCT ( sizeof(struct ndpi_flow_struct) ) ------------------ 941| | 942| 42.2k| if (workflow->ndpi_serialization_format != ndpi_serialization_format_unknown) ------------------ | Branch (942:9): [True: 42.2k, False: 0] ------------------ 943| 42.2k| { 944| 42.2k| if (ndpi_init_serializer(&newflow->ndpi_flow_serializer, ------------------ | Branch (944:11): [True: 2.54k, False: 39.7k] ------------------ 945| 42.2k| workflow->ndpi_serialization_format) != 0) 946| 2.54k| { 947| 2.54k| LOG(NDPI_LOG_ERROR, "ndpi serializer init failed\n"); ------------------ | | 498| 2.54k|#define LOG(...) 
{} ------------------ 948| 2.54k| ndpi_flow_info_free_data(newflow); 949| 2.54k| ndpi_free(newflow); 950| 2.54k| return(NULL); 951| 2.54k| } 952| 42.2k| } 953| | 954| 39.7k| if(ndpi_tsearch(newflow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp) == NULL) { /* Add */ ------------------ | Branch (954:10): [True: 2.29k, False: 37.4k] ------------------ 955| 2.29k| ndpi_flow_info_free_data(newflow); 956| 2.29k| ndpi_free(newflow); 957| 2.29k| return(NULL); 958| 2.29k| } 959| 37.4k| workflow->stats.ndpi_flow_count++; 960| 37.4k| if(*proto == IPPROTO_TCP) ------------------ | Branch (960:10): [True: 23.4k, False: 14.0k] ------------------ 961| 23.4k| workflow->stats.flow_count[0]++; 962| 14.0k| else if(*proto == IPPROTO_UDP) ------------------ | Branch (962:15): [True: 11.8k, False: 2.19k] ------------------ 963| 11.8k| workflow->stats.flow_count[1]++; 964| 2.19k| else 965| 2.19k| workflow->stats.flow_count[2]++; 966| | 967| 37.4k| if(enable_flow_stats) { ------------------ | Branch (967:10): [True: 0, False: 37.4k] ------------------ 968| 0| newflow->entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy)); 969| 0| newflow->last_entropy = ndpi_calloc(1, sizeof(struct ndpi_entropy)); 970| 0| if(!newflow->entropy || !newflow->last_entropy) { ------------------ | Branch (970:12): [True: 0, False: 0] | Branch (970:33): [True: 0, False: 0] ------------------ 971| 0| ndpi_tdelete(newflow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); 972| 0| ndpi_flow_info_free_data(newflow); 973| 0| ndpi_free(newflow); 974| 0| return(NULL); 975| 0| } 976| 0| newflow->entropy->src2dst_pkt_len[newflow->entropy->src2dst_pkt_count] = l4_data_len; 977| 0| newflow->entropy->src2dst_pkt_time[newflow->entropy->src2dst_pkt_count] = when; 978| 0| if(newflow->entropy->src2dst_pkt_count == 0) { ------------------ | Branch (978:12): [True: 0, False: 0] ------------------ 979| 0| newflow->entropy->src2dst_start = when; 980| 0| } 981| 0| newflow->entropy->src2dst_pkt_count++; 982| | // 
Non zero app data. 983| 0| if(l4_data_len != 0XFEEDFACE && l4_data_len != 0) { ------------------ | Branch (983:12): [True: 0, False: 0] | Branch (983:41): [True: 0, False: 0] ------------------ 984| 0| newflow->entropy->src2dst_opackets++; 985| 0| newflow->entropy->src2dst_l4_bytes += l4_data_len; 986| 0| } 987| 0| } 988| 37.4k| return newflow; 989| 37.4k| } 990| 79.9k| } else { 991| 79.9k| struct ndpi_flow_info *rflow = *(struct ndpi_flow_info**)ret; 992| | 993| 79.9k| if(is_changed) { ------------------ | Branch (993:8): [True: 27.4k, False: 52.5k] ------------------ 994| 27.4k| *src_to_dst_direction = 0, rflow->bidirectional |= 1; 995| 27.4k| } 996| 52.5k| else { 997| 52.5k| *src_to_dst_direction = 1; 998| 52.5k| } 999| 79.9k| if(enable_flow_stats) { ------------------ | Branch (999:8): [True: 0, False: 79.9k] ------------------ 1000| 0| if(*src_to_dst_direction) { ------------------ | Branch (1000:10): [True: 0, False: 0] ------------------ 1001| 0| if(rflow->entropy->src2dst_pkt_count < max_num_packets_per_flow) { ------------------ | Branch (1001:12): [True: 0, False: 0] ------------------ 1002| 0| rflow->entropy->src2dst_pkt_len[rflow->entropy->src2dst_pkt_count] = l4_data_len; 1003| 0| rflow->entropy->src2dst_pkt_time[rflow->entropy->src2dst_pkt_count] = when; 1004| 0| rflow->entropy->src2dst_l4_bytes += l4_data_len; 1005| 0| rflow->entropy->src2dst_pkt_count++; 1006| 0| } 1007| | // Non zero app data. 
1008| 0| if(l4_data_len != 0XFEEDFACE && l4_data_len != 0) { ------------------ | Branch (1008:12): [True: 0, False: 0] | Branch (1008:41): [True: 0, False: 0] ------------------ 1009| 0| rflow->entropy->src2dst_opackets++; 1010| 0| } 1011| 0| } else { 1012| 0| if(rflow->entropy->dst2src_pkt_count < max_num_packets_per_flow) { ------------------ | Branch (1012:12): [True: 0, False: 0] ------------------ 1013| 0| rflow->entropy->dst2src_pkt_len[rflow->entropy->dst2src_pkt_count] = l4_data_len; 1014| 0| rflow->entropy->dst2src_pkt_time[rflow->entropy->dst2src_pkt_count] = when; 1015| 0| if(rflow->entropy->dst2src_pkt_count == 0) { ------------------ | Branch (1015:14): [True: 0, False: 0] ------------------ 1016| 0| rflow->entropy->dst2src_start = when; 1017| 0| } 1018| 0| rflow->entropy->dst2src_l4_bytes += l4_data_len; 1019| 0| rflow->entropy->dst2src_pkt_count++; 1020| 0| } 1021| | // Non zero app data. 1022| 0| if(l4_data_len != 0XFEEDFACE && l4_data_len != 0) { ------------------ | Branch (1022:12): [True: 0, False: 0] | Branch (1022:41): [True: 0, False: 0] ------------------ 1023| 0| rflow->entropy->dst2src_opackets++; 1024| 0| } 1025| 0| } 1026| 0| } 1027| | 1028| 79.9k| return(rflow); 1029| 79.9k| } 1030| 127k|} reader_util.c:get_ndpi_flow_info6: 1046| 1.81k| pkt_timeval when) { 1047| 1.81k| struct ndpi_iphdr iph; 1048| | 1049| 1.81k| if(ipsize < 40) ------------------ | Branch (1049:6): [True: 0, False: 1.81k] ------------------ 1050| 0| return(NULL); 1051| 1.81k| memset(&iph, 0, sizeof(iph)); 1052| 1.81k| iph.version = IPVERSION; 1053| 1.81k| iph.saddr = iph6->ip6_src.u6_addr.u6_addr32[2] + iph6->ip6_src.u6_addr.u6_addr32[3]; 1054| 1.81k| iph.daddr = iph6->ip6_dst.u6_addr.u6_addr32[2] + iph6->ip6_dst.u6_addr.u6_addr32[3]; 1055| 1.81k| u_int8_t l4proto = iph6->ip6_hdr.ip6_un1_nxt; 1056| 1.81k| u_int16_t ip_len = ntohs(iph6->ip6_hdr.ip6_un1_plen); 1057| 1.81k| const u_int8_t *l4ptr = (((const u_int8_t *) iph6) + sizeof(struct ndpi_ipv6hdr)); 1058| 1.81k| 
if(ipsize < sizeof(struct ndpi_ipv6hdr) + ip_len) ------------------ | Branch (1058:6): [True: 4, False: 1.81k] ------------------ 1059| 4| return(NULL); 1060| 1.81k| if(ndpi_handle_ipv6_extension_headers(NULL, iph6, ipsize - sizeof(struct ndpi_ipv6hdr), &l4ptr, &ip_len, &l4proto) != 0) { ------------------ | Branch (1060:6): [True: 1, False: 1.81k] ------------------ 1061| 1| return(NULL); 1062| 1| } 1063| 1.81k| iph.protocol = l4proto; 1064| | 1065| 1.81k| return(get_ndpi_flow_info(workflow, 6, vlan_id, tunnel_type, 1066| 1.81k| &iph, iph6, ipsize, 1067| 1.81k| ip_len, l4ptr - (const u_int8_t *)iph6, 1068| 1.81k| tcph, udph, sport, dport, 1069| 1.81k| proto, payload, 1070| 1.81k| payload_len, src_to_dst_direction, when)); 1071| 1.81k|} reader_util.c:ndpi_clear_entropy_stats: 1740| 117k|ndpi_clear_entropy_stats(struct ndpi_flow_info *flow) { 1741| 117k| if(enable_flow_stats) { ------------------ | Branch (1741:6): [True: 0, False: 117k] ------------------ 1742| 0| if(flow->entropy->src2dst_pkt_count + flow->entropy->dst2src_pkt_count == max_num_packets_per_flow) { ------------------ | Branch (1742:8): [True: 0, False: 0] ------------------ 1743| 0| memcpy(flow->last_entropy, flow->entropy, sizeof(struct ndpi_entropy)); 1744| 0| memset(flow->entropy, 0x00, sizeof(struct ndpi_entropy)); 1745| 0| } 1746| 0| } 1747| 117k|} fuzz_set_alloc_callbacks: 31| 7.28k|{ 32| 7.28k| ndpi_set_memory_alloction_functions(malloc_wrapper, 33| 7.28k| free_wrapper, 34| 7.28k| calloc_wrapper, 35| 7.28k| realloc_wrapper, 36| | /* Aligned allocations are used only by croaring, 37| | but no during fuzzing. 
So no point to set 38| | these two wrappers here */ 39| 7.28k| NULL, NULL, 40| 7.28k| malloc_wrapper, 41| 7.28k| free_wrapper); 42| 7.28k|} fuzz_set_alloc_seed: 44| 7.28k|{ 45| 7.28k| /* Seeds fastrand(); a seed of 0 switches allocation-failure injection off (see the !mem_alloc_state check in fastrand). */ mem_alloc_state = seed; 46| 7.28k|} fuzz_set_alloc_callbacks_and_seed: 48| 7.28k|{ 49| 7.28k| fuzz_set_alloc_callbacks(); 50| 7.28k| fuzz_set_alloc_seed(seed); 51| 7.28k|} buffer_to_file: 91| 7.28k|{ 92| 7.28k| /* NOTE(review): "rw" is not one of the standard fopen-style mode strings ("r", "r+", ...); how it is interpreted depends on the libc - confirm that a read-only stream over the input buffer is what results. */ return fmemopen((void *)data, size, "rw"); 93| 7.28k|} fuzz_common_code.c:malloc_wrapper: 17| 17.6M|/* Fault-injecting malloc: returns NULL without calling malloc() whenever fastrand() % 16 is 0. */ static void *malloc_wrapper(size_t size) { 18| 17.6M| return (fastrand () % 16) ? malloc (size) : NULL; ------------------ | Branch (18:10): [True: 16.5M, False: 1.10M] ------------------ 19| 17.6M|} fuzz_common_code.c:fastrand: 11| 959M|{ 12| 959M| /* Returns 1 while the seed is 0, so the "% 16" tests in the wrappers never see 0. Otherwise the state advances by one linear congruential step and bits 16..30 of the new state are returned; the sequence depends only on the seed. */ if(!mem_alloc_state) return 1; /* No failures */ ------------------ | Branch (12:6): [True: 1.59M, False: 957M] ------------------ 13| 957M| mem_alloc_state = (214013 * mem_alloc_state + 2531011); 14| 957M| return (mem_alloc_state >> 16) & 0x7FFF; 15| 959M|} fuzz_common_code.c:free_wrapper: 20| 899M|/* Plain pass-through to free(); no failure is injected on release. */ static void free_wrapper(void *freeable) { 21| 899M| free(freeable); 22| 899M|} fuzz_common_code.c:calloc_wrapper: 23| 941M|/* Fault-injecting calloc: same rule as malloc_wrapper. */ static void *calloc_wrapper(size_t nmemb, size_t size) { 24| 941M| return (fastrand () % 16) ? calloc (nmemb, size) : NULL; ------------------ | Branch (24:10): [True: 882M, False: 58.7M] ------------------ 25| 941M|} fuzz_common_code.c:realloc_wrapper: 26| 28.6k|/* Fault-injecting realloc: on an injected failure realloc() is not called, so ptr is left as it was. */ static void *realloc_wrapper(void *ptr, size_t size) { 27| 28.6k| return (fastrand () % 16) ? 
realloc (ptr, size) : NULL; ------------------ | Branch (27:10): [True: 27.3k, False: 1.32k] ------------------ 28| 28.6k|} LLVMFuzzerTestOneInput: 20| 7.29k|extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 21| 7.29k| FuzzedDataProvider fuzzed_data(data, size); 22| 7.29k| ndpi_workflow *w; 23| 7.29k| struct ndpi_global_context *g_ctx; 24| 7.29k| struct ndpi_workflow_prefs prefs; 25| 7.29k| pcap_t *pcap_handle; 26| 7.29k| ndpi_serialization_format serialization_format; 27| 7.29k| ndpi_risk flow_risk; 28| 7.29k| struct ndpi_flow_info *flow = NULL; /* unused */ 29| 7.29k| const u_char *pkt; 30| 7.29k| struct pcap_pkthdr *header; 31| 7.29k| int r; 32| 7.29k| char errbuf[PCAP_ERRBUF_SIZE]; 33| 7.29k| FILE *fd; 34| | 35| | 36| | /* Data structure: 8 bytes header for random values + pcap file */ 37| 7.29k| if(size < 8) ------------------ | Branch (37:6): [True: 4, False: 7.28k] ------------------ 38| 4| return 0; 39| | 40| | /* To allow memory allocation failures */ 41| 7.28k| fuzz_set_alloc_callbacks_and_seed(size); 42| | 43| 7.28k| prefs.decode_tunnels = fuzzed_data.ConsumeBool(); 44| 7.28k| prefs.quiet_mode = fuzzed_data.ConsumeBool(); 45| 7.28k| prefs.ignore_vlanid = fuzzed_data.ConsumeBool(); 46| 7.28k| prefs.num_roots = fuzzed_data.ConsumeIntegral(); 47| 7.28k| if(prefs.num_roots == 0) ------------------ | Branch (47:6): [True: 1.02k, False: 6.26k] ------------------ 48| 1.02k| prefs.num_roots = 1; 49| 7.28k| prefs.max_ndpi_flows = fuzzed_data.ConsumeIntegral(); 50| | 51| 7.28k| serialization_format = static_cast(fuzzed_data.ConsumeIntegralInRange(1, 4)); 52| | 53| | /* byte8 is still unused */ 54| | 55| 7.28k| enable_doh_dot_detection = 1; 56| | 57| 7.28k| fd = buffer_to_file(data + 8, size - 8); 58| 7.28k| if(fd == NULL) { ------------------ | Branch (58:6): [True: 0, False: 7.28k] ------------------ 59| 0| return 0; 60| 0| } 61| | 62| 7.28k| pcap_handle = pcap_fopen_offline(fd, errbuf); 63| 7.28k| if(pcap_handle == NULL) { 
------------------ | Branch (63:6): [True: 36, False: 7.25k] ------------------ 64| 36| fclose(fd); 65| 36| return 0; 66| 36| } 67| 7.25k| if(ndpi_is_datalink_supported(pcap_datalink(pcap_handle)) == 0) { ------------------ | Branch (67:6): [True: 46, False: 7.20k] ------------------ 68| 46| pcap_close(pcap_handle); 69| 46| return 0; 70| 46| } 71| | 72| 7.20k| g_ctx = ndpi_global_init(); 73| | 74| 7.20k| w = ndpi_workflow_init(&prefs, pcap_handle, 1, serialization_format, g_ctx); 75| 7.20k| if(w) { ------------------ | Branch (75:6): [True: 7.15k, False: 48] ------------------ 76| 7.15k| ndpi_finalize_initialization(w->ndpi_struct); 77| | 78| 7.15k| if(ndpi_stats_init(&w->stats, ndpi_get_num_protocols(w->ndpi_struct))) { ------------------ | Branch (78:8): [True: 6.99k, False: 166] ------------------ 79| 6.99k| header = NULL; 80| | 81| 6.99k| r = pcap_next_ex(pcap_handle, &header, &pkt); 82| 175k| while (r > 0) { ------------------ | Branch (82:14): [True: 168k, False: 6.99k] ------------------ 83| 168k| ndpi_workflow_process_packet(w, header, pkt, &flow_risk, &flow); 84| 168k| r = pcap_next_ex(pcap_handle, &header, &pkt); 85| 168k| } 86| | 87| 6.99k| ndpi_stats_reset(&w->stats); 88| 6.99k| } 89| 7.15k| ndpi_workflow_free(w); 90| 7.15k| } 91| 7.20k| pcap_close(pcap_handle); 92| | 93| 7.20k| ndpi_global_deinit(g_ctx); 94| | 95| 7.20k| return 0; 96| 7.25k|} ndpi_init_data_analysis: 41| 209k|void ndpi_init_data_analysis(struct ndpi_analyze_struct *ret, u_int16_t _max_series_len) { 42| 209k| memset(ret, 0, sizeof(*ret)); 43| | 44| 209k| if(_max_series_len > MAX_SERIES_LEN) _max_series_len = MAX_SERIES_LEN; ------------------ | | 2044| 209k|#define MAX_SERIES_LEN 512 ------------------ if(_max_series_len > MAX_SERIES_LEN) _max_series_len = MAX_SERIES_LEN; ------------------ | | 2044| 0|#define MAX_SERIES_LEN 512 ------------------ | Branch (44:6): [True: 0, False: 209k] ------------------ 45| 209k| ret->num_values_array_len = _max_series_len; 46| | 47| 209k| 
if(ret->num_values_array_len > 0) { ------------------ | Branch (47:6): [True: 209k, False: 0] ------------------ 48| 209k| if((ret->values = (u_int64_t *)ndpi_calloc(ret->num_values_array_len, ------------------ | Branch (48:8): [True: 13.5k, False: 195k] ------------------ 49| 209k| sizeof(u_int64_t))) == NULL) 50| 13.5k| ret->num_values_array_len = 0; 51| 209k| } 52| 209k|} ndpi_alloc_data_analysis: 56| 223k|struct ndpi_analyze_struct* ndpi_alloc_data_analysis(u_int16_t _max_series_len) { 57| 223k| struct ndpi_analyze_struct *ret = ndpi_malloc(sizeof(struct ndpi_analyze_struct)); 58| | 59| 223k| if(ret != NULL) ------------------ | Branch (59:6): [True: 209k, False: 13.9k] ------------------ 60| 209k| ndpi_init_data_analysis(ret, _max_series_len); 61| | 62| 223k| return(ret); 63| 223k|} ndpi_free_data_analysis: 81| 209k|void ndpi_free_data_analysis(struct ndpi_analyze_struct *d, u_int8_t free_pointer) { 82| 209k| if(d && d->values) ndpi_free(d->values); ------------------ | Branch (82:6): [True: 209k, False: 0] | Branch (82:11): [True: 195k, False: 13.5k] ------------------ 83| 209k| if(free_pointer) ndpi_free(d); ------------------ | Branch (83:6): [True: 209k, False: 0] ------------------ 84| 209k|} ndpi_data_add_value: 112| 201k|void ndpi_data_add_value(struct ndpi_analyze_struct *s, const u_int64_t value) { 113| 201k| if(!s) ------------------ | Branch (113:6): [True: 7.05k, False: 194k] ------------------ 114| 7.05k| return; 115| | 116| 194k| if(s->num_data_entries > 0) { ------------------ | Branch (116:6): [True: 127k, False: 67.2k] ------------------ 117| 127k| u_int64_t last = ndpi_data_last(s); 118| | 119| 127k| s->jitter_total += (last > value) ? 
(last - value) : (value - last); ------------------ | Branch (119:24): [True: 33.5k, False: 93.7k] ------------------ 120| 127k| } 121| | 122| 194k| if(s->sum_total == 0) ------------------ | Branch (122:6): [True: 80.6k, False: 113k] ------------------ 123| 80.6k| s->min_val = s->max_val = value; 124| 113k| else { 125| 113k| if(value < s->min_val) s->min_val = value; ------------------ | Branch (125:8): [True: 16.8k, False: 96.9k] ------------------ 126| 113k| if(value > s->max_val) s->max_val = value; ------------------ | Branch (126:8): [True: 17.0k, False: 96.8k] ------------------ 127| 113k| } 128| | 129| 194k| s->sum_total += value, s->num_data_entries++; 130| | 131| 194k| if(s->num_values_array_len) { ------------------ | Branch (131:6): [True: 181k, False: 12.7k] ------------------ 132| 181k| s->values[s->next_value_insert_index] = value; 133| | 134| 181k| if(++s->next_value_insert_index == s->num_values_array_len) ------------------ | Branch (134:8): [True: 286, False: 181k] ------------------ 135| 286| s->next_value_insert_index = 0; 136| 181k| } 137| | 138| | /* 139| | Optimized stddev calculation 140| | 141| | https://www.khanacademy.org/math/probability/data-distributions-a1/summarizing-spread-distributions/a/calculating-standard-deviation-step-by-step 142| | https://math.stackexchange.com/questions/683297/how-to-calculate-standard-deviation-without-detailed-historical-data 143| | http://mathcentral.uregina.ca/QQ/database/QQ.09.02/carlos1.html 144| | */ 145| 194k| s->stddev.sum_square_total += (u_int64_t)value * (u_int64_t)value; 146| 194k|} ndpi_data_last: 176| 127k|u_int64_t ndpi_data_last(struct ndpi_analyze_struct *s) { 177| 127k| if((!s) || (s->num_data_entries == 0) || (s->num_values_array_len == 0)) ------------------ | Branch (177:6): [True: 0, False: 127k] | Branch (177:14): [True: 0, False: 127k] | Branch (177:44): [True: 8.34k, False: 118k] ------------------ 178| 8.34k| return(0); 179| | 180| 118k| if(s->next_value_insert_index == 0) 
------------------ | Branch (180:6): [True: 264, False: 118k] ------------------ 181| 264| return(s->values[s->num_values_array_len-1]); 182| 118k| else 183| 118k| return(s->values[s->next_value_insert_index-1]); 184| 118k|} ndpi_init_bin: 375| 44.6k|int ndpi_init_bin(struct ndpi_bin *b, enum ndpi_bin_family f, u_int16_t num_bins) { 376| 44.6k| if(!b) ------------------ | Branch (376:6): [True: 0, False: 44.6k] ------------------ 377| 0| return(-1); 378| | 379| 44.6k| b->num_bins = num_bins, b->family = f, b->is_empty = 1; 380| | 381| 44.6k| switch(f) { ------------------ | Branch (381:10): [True: 44.6k, False: 0] ------------------ 382| 44.6k| case ndpi_bin_family8: ------------------ | Branch (382:3): [True: 44.6k, False: 0] ------------------ 383| 44.6k| if((b->u.bins8 = (u_int8_t*)ndpi_calloc(num_bins, sizeof(u_int8_t))) == NULL) ------------------ | Branch (383:8): [True: 2.63k, False: 42.0k] ------------------ 384| 2.63k| return(-1); 385| 42.0k| break; 386| | 387| 42.0k| case ndpi_bin_family16: ------------------ | Branch (387:3): [True: 0, False: 44.6k] ------------------ 388| 0| if((b->u.bins16 = (u_int16_t*)ndpi_calloc(num_bins, sizeof(u_int16_t))) == NULL) ------------------ | Branch (388:8): [True: 0, False: 0] ------------------ 389| 0| return(-1); 390| 0| break; 391| | 392| 0| case ndpi_bin_family32: ------------------ | Branch (392:3): [True: 0, False: 44.6k] ------------------ 393| 0| if((b->u.bins32 = (u_int32_t*)ndpi_calloc(num_bins, sizeof(u_int32_t))) == NULL) ------------------ | Branch (393:8): [True: 0, False: 0] ------------------ 394| 0| return(-1); 395| 0| break; 396| | 397| 0| case ndpi_bin_family64: ------------------ | Branch (397:3): [True: 0, False: 44.6k] ------------------ 398| 0| if((b->u.bins64 = (u_int64_t*)ndpi_calloc(num_bins, sizeof(u_int64_t))) == NULL) ------------------ | Branch (398:8): [True: 0, False: 0] ------------------ 399| 0| return(-1); 400| 0| break; 401| 44.6k| } 402| | 403| 42.0k| return(0); 404| 44.6k|} 
ndpi_free_bin: 408| 44.6k|void ndpi_free_bin(struct ndpi_bin *b) { 409| 44.6k| if(!b || !b->u.bins8) ------------------ | Branch (409:6): [True: 0, False: 44.6k] | Branch (409:12): [True: 2.63k, False: 42.0k] ------------------ 410| 2.63k| return; 411| | 412| 42.0k| switch(b->family) { ------------------ | Branch (412:10): [True: 42.0k, False: 0] ------------------ 413| 42.0k| case ndpi_bin_family8: ------------------ | Branch (413:3): [True: 42.0k, False: 0] ------------------ 414| 42.0k| ndpi_free(b->u.bins8); 415| 42.0k| break; 416| 0| case ndpi_bin_family16: ------------------ | Branch (416:3): [True: 0, False: 42.0k] ------------------ 417| 0| ndpi_free(b->u.bins16); 418| 0| break; 419| 0| case ndpi_bin_family32: ------------------ | Branch (419:3): [True: 0, False: 42.0k] ------------------ 420| 0| ndpi_free(b->u.bins32); 421| 0| break; 422| 0| case ndpi_bin_family64: ------------------ | Branch (422:3): [True: 0, False: 42.0k] ------------------ 423| 0| ndpi_free(b->u.bins64); 424| 0| break; 425| 42.0k| } 426| 42.0k|} ndpi_inc_bin: 503| 88.3k|void ndpi_inc_bin(struct ndpi_bin *b, u_int16_t slot_id, u_int64_t val) { 504| 88.3k| if(!b || !b->u.bins8 || b->num_bins == 0) ------------------ | Branch (504:6): [True: 0, False: 88.3k] | Branch (504:12): [True: 5.28k, False: 83.0k] | Branch (504:27): [True: 0, False: 83.0k] ------------------ 505| 5.28k| return; 506| | 507| 83.0k| b->is_empty = 0; 508| | 509| 83.0k| if(slot_id >= b->num_bins) slot_id = b->num_bins - 1; ------------------ | Branch (509:6): [True: 0, False: 83.0k] ------------------ 510| | 511| 83.0k| switch(b->family) { ------------------ | Branch (511:10): [True: 83.0k, False: 0] ------------------ 512| 83.0k| case ndpi_bin_family8: ------------------ | Branch (512:3): [True: 83.0k, False: 0] ------------------ 513| 83.0k| b->u.bins8[slot_id] += (u_int8_t)val; 514| 83.0k| break; 515| 0| case ndpi_bin_family16: ------------------ | Branch (515:3): [True: 0, False: 83.0k] ------------------ 516| 0| 
b->u.bins16[slot_id] += (u_int16_t)val; 517| 0| break; 518| 0| case ndpi_bin_family32: ------------------ | Branch (518:3): [True: 0, False: 83.0k] ------------------ 519| 0| b->u.bins32[slot_id] += (u_int32_t)val; 520| 0| break; 521| 0| case ndpi_bin_family64: ------------------ | Branch (521:3): [True: 0, False: 83.0k] ------------------ 522| 0| b->u.bins64[slot_id] += (u_int64_t)val; 523| 0| break; 524| 83.0k| } 525| 83.0k|} ndpi_reset_bin: 551| 2.04k|void ndpi_reset_bin(struct ndpi_bin *b) { 552| 2.04k| if(!b || !b->u.bins8) ------------------ | Branch (552:6): [True: 0, False: 2.04k] | Branch (552:12): [True: 109, False: 1.93k] ------------------ 553| 109| return; 554| | 555| 1.93k| b->is_empty = 1; 556| | 557| 1.93k| switch(b->family) { ------------------ | Branch (557:10): [True: 1.93k, False: 0] ------------------ 558| 1.93k| case ndpi_bin_family8: ------------------ | Branch (558:3): [True: 1.93k, False: 0] ------------------ 559| 1.93k| memset(b->u.bins8, 0, sizeof(u_int8_t)*b->num_bins); 560| 1.93k| break; 561| 0| case ndpi_bin_family16: ------------------ | Branch (561:3): [True: 0, False: 1.93k] ------------------ 562| 0| memset(b->u.bins16, 0, sizeof(u_int16_t)*b->num_bins); 563| 0| break; 564| 0| case ndpi_bin_family32: ------------------ | Branch (564:3): [True: 0, False: 1.93k] ------------------ 565| 0| memset(b->u.bins32, 0, sizeof(u_int32_t)*b->num_bins); 566| 0| break; 567| 0| case ndpi_bin_family64: ------------------ | Branch (567:3): [True: 0, False: 1.93k] ------------------ 568| 0| memset(b->u.bins64, 0, sizeof(u_int64_t)*b->num_bins); 569| 0| break; 570| 1.93k| } 571| 1.93k|} ndpi_lru_cache_init: 39| 54.3k|struct ndpi_lru_cache *ndpi_lru_cache_init(u_int32_t num_entries, u_int32_t ttl, int shared) { 40| 54.3k| struct ndpi_lru_cache *c = (struct ndpi_lru_cache *) ndpi_calloc(1, sizeof(struct ndpi_lru_cache)); 41| | 42| 54.3k| if(!c) ------------------ | Branch (42:6): [True: 3.28k, False: 51.1k] ------------------ 43| 3.28k| return(NULL); 
44| | 45| 51.1k| c->ttl = ttl & 0x7FFFFFFF; /* keeps the low 31 bits of ttl */ 46| 51.1k| c->shared = !!shared; 47| | 48| 51.1k|#ifdef USE_GLOBAL_CONTEXT 49| 51.1k| if(c->shared) { ------------------ | Branch (49:6): [True: 0, False: 51.1k] ------------------ 50| 0| if(pthread_mutex_init(&c->mutex, NULL) != 0) { ------------------ | Branch (50:8): [True: 0, False: 0] ------------------ 51| 0| ndpi_free(c); 52| 0| return(NULL); 53| 0| } 54| 0| } 55| 51.1k|#endif 56| | 57| 51.1k| /* NOTE(review): num_entries == 0 is not rejected here. If ndpi_calloc() returns non-NULL for a zero-sized request, num_entries stays 0 and the "% c->num_entries" slot computation in the find/add paths divides by zero - confirm that no caller passes 0. */ c->entries = (struct ndpi_lru_cache_entry *) ndpi_calloc(num_entries, sizeof(struct ndpi_lru_cache_entry)); 58| | 59| 51.1k| if(!c->entries) { ------------------ | Branch (59:6): [True: 3.55k, False: 47.5k] ------------------ 60| 3.55k| /* NOTE(review): for a shared cache under USE_GLOBAL_CONTEXT the mutex initialised above is not destroyed before c is freed. */ ndpi_free(c); 61| 3.55k| return(NULL); 62| 3.55k| } else 63| 47.5k| c->num_entries = num_entries; 64| | 65| 47.5k| return(c); 66| 51.1k|} ndpi_lru_free_cache: 70| 47.5k|/* Releases the entries array and then the cache object. c is dereferenced without a NULL check, and no pthread_mutex_destroy() call appears here for shared caches. */ void ndpi_lru_free_cache(struct ndpi_lru_cache *c) { 71| 47.5k| ndpi_free(c->entries); 72| 47.5k| ndpi_free(c); 73| 47.5k|} ndpi_lru_find_cache: 104| 31.5k| u_int16_t *value, u_int8_t clean_key_when_found, u_int32_t now_sec) { 105| 31.5k| /* One candidate slot per key: hash of the key bytes modulo c->num_entries. */ u_int32_t slot = ndpi_quick_hash((unsigned char *)&key, sizeof(key)) % c->num_entries; 106| 31.5k| u_int8_t ret; 107| | 108| 31.5k| __lru_cache_lock(c); 109| | 110| 31.5k| c->stats.n_search++; 111| 31.5k| /* Hit only if the slot is occupied by this key, its timestamp is not later than now_sec, and either ttl is 0 or the entry's age is within ttl. */ if(c->entries[slot].is_full && c->entries[slot].key == key && ------------------ | Branch (111:6): [True: 655, False: 30.8k] | Branch (111:34): [True: 640, False: 15] ------------------ 112| 640| now_sec >= c->entries[slot].timestamp && ------------------ | Branch (112:6): [True: 529, False: 111] ------------------ 113| 529| (c->ttl == 0 || now_sec - c->entries[slot].timestamp <= c->ttl)) { ------------------ | Branch (113:7): [True: 0, False: 529] | Branch (113:22): [True: 428, False: 101] ------------------ 114| 428| *value = c->entries[slot].value; 115| | 116| 428| if(clean_key_when_found) ------------------ | Branch (116:8): [True: 0, False: 428] ------------------ 117| 0| 
c->entries[slot].is_full = 0; 118| | 119| 428| c->stats.n_found++; 120| 428| ret = 1; 121| 428| } else 122| 31.0k| ret = 0; 123| | 124| 31.5k| __lru_cache_unlock(c); 125| | 126| 31.5k| return ret; 127| 31.5k|} ndpi_lru_add_to_cache: 131| 13.0k|void ndpi_lru_add_to_cache(struct ndpi_lru_cache *c, u_int64_t key, u_int16_t value, u_int32_t now_sec) { 132| 13.0k| u_int32_t slot = ndpi_quick_hash((unsigned char *)&key, sizeof(key)) % c->num_entries; 133| | 134| 13.0k| __lru_cache_lock(c); 135| | 136| 13.0k| c->stats.n_insert++; 137| 13.0k| c->entries[slot].is_full = 1, c->entries[slot].key = key, 138| 13.0k| c->entries[slot].value = value, c->entries[slot].timestamp = now_sec; 139| | 140| 13.0k| __lru_cache_unlock(c); 141| 13.0k|} ndpi_cache_address_find: 496| 10.2k| ndpi_ip_addr_t ip_addr) { 497| 10.2k| if(ndpi_struct->address_cache == NULL) return(NULL); ------------------ | Branch (497:6): [True: 10.2k, False: 0] ------------------ 498| | 499| 0| return(ndpi_address_cache_find(ndpi_struct->address_cache, ip_addr, 0)); 500| 10.2k|} ndpi_cache_address_dump: 504| 7.15k|bool ndpi_cache_address_dump(struct ndpi_detection_module_struct *ndpi_struct, char *path, u_int32_t epoch_now) { 505| 7.15k| if(ndpi_struct->address_cache == NULL) return(false); ------------------ | Branch (505:6): [True: 7.15k, False: 0] ------------------ 506| | 507| 0| return(ndpi_address_cache_dump(ndpi_struct->address_cache, path, epoch_now)); 508| 7.15k|} ndpi_cache_address_flush_expired: 526| 6.96k|u_int32_t ndpi_cache_address_flush_expired(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t epoch_now) { 527| 6.96k| if(ndpi_struct->address_cache == NULL) ------------------ | Branch (527:6): [True: 6.96k, False: 0] ------------------ 528| 6.96k| return(0); 529| 0| else 530| 0| return(ndpi_address_cache_flush_expired(ndpi_struct->address_cache, epoch_now)); 531| 6.96k|} ndpi_cache.c:__lru_cache_lock: 78| 44.5k|{ 79| 44.5k|#ifdef USE_GLOBAL_CONTEXT 80| 44.5k| if(c->shared) { 
------------------ | Branch (80:6): [True: 0, False: 44.5k] ------------------ 81| 0| pthread_mutex_lock(&c->mutex); 82| 0| } 83| |#else 84| | (void)c; 85| |#endif 86| 44.5k|} ndpi_cache.c:__lru_cache_unlock: 91| 44.5k|{ 92| 44.5k|#ifdef USE_GLOBAL_CONTEXT 93| 44.5k| if(c->shared) { ------------------ | Branch (93:6): [True: 0, False: 44.5k] ------------------ 94| 0| pthread_mutex_unlock(&c->mutex); 95| 0| } 96| |#else 97| | (void)c; 98| |#endif 99| 44.5k|} ndpi_timer_sub: 655| 141k|{ 656| 141k| result->tv_sec = (unsigned long long)a->tv_sec - (unsigned long long)b->tv_sec; 657| 141k| result->tv_usec = (unsigned long long)a->tv_usec - (unsigned long long)b->tv_usec; 658| 141k| if(result->tv_usec < 0) { ------------------ | Branch (658:6): [True: 15.0k, False: 126k] ------------------ 659| 15.0k| --result->tv_sec; 660| 15.0k| result->tv_usec += 1000000; 661| 15.0k| } 662| 141k|} ndpi_timeval_to_milliseconds: 686| 122k|{ 687| 122k| u_int64_t sec = ts.tv_sec; 688| 122k| u_int64_t usec = ts.tv_usec; 689| 122k| return usec / 1000 + sec * 1000; 690| 122k|} ndpi_set_default_config: 281| 7.17k|{ 282| 7.17k| const struct cfg_param *c; 283| | 284| 7.17k| if(ndpi_bitmask_alloc(&cfg->detection_bitmask, max_internal_proto) != 0 || ------------------ | Branch (284:6): [True: 1, False: 7.17k] ------------------ 285| 7.17k| ndpi_bitmask_alloc(&cfg->debug_bitmask, max_internal_proto) != 0 || ------------------ | Branch (285:6): [True: 3, False: 7.16k] ------------------ 286| 7.16k| ndpi_bitmask_alloc(&cfg->ip_list_bitmask, max_internal_proto) != 0 || ------------------ | Branch (286:6): [True: 3, False: 7.16k] ------------------ 287| 7.16k| ndpi_bitmask_alloc(&cfg->monitoring, max_internal_proto) != 0 || ------------------ | Branch (287:6): [True: 2, False: 7.16k] ------------------ 288| 7.16k| ndpi_bitmask_alloc(&cfg->flowrisk_bitmask, NDPI_MAX_RISK) != 0 || ------------------ | Branch (288:6): [True: 2, False: 7.16k] ------------------ 289| 7.16k| 
ndpi_bitmask_alloc(&cfg->flowrisk_info_bitmask, NDPI_MAX_RISK) != 0) ------------------ | Branch (289:6): [True: 1, False: 7.15k] ------------------ 290| 12| return -1; 291| | 292| 851k| for(c = &cfg_params[0]; c && c->param; c++) { ------------------ | Branch (292:27): [True: 851k, False: 0] | Branch (292:32): [True: 844k, False: 7.15k] ------------------ 293| | cfg_ops[c->type].fn_set(NULL, (void *)((char *)cfg + c->offset), 294| 844k| c->default_value, c->min_value, c->max_value, c->proto, c->param); 295| 844k| } 296| 7.15k| return 0; 297| 7.17k|} ndpi_config.c:_set_param_enable_disable: 459| 508k| const char *proto, const char *param) { 460| 508k| int *variable = (int *)_variable; 461| | 462| 508k| (void)ndpi_str; 463| 508k| (void)min_value; 464| 508k| (void)max_value; 465| 508k| (void)proto; 466| 508k| (void)param; 467| | 468| 508k| if(strcmp(value, "1") == 0 || ------------------ | Branch (468:6): [True: 50.1k, False: 458k] ------------------ 469| 458k| strcmp(value, "enable") == 0) { ------------------ | Branch (469:6): [True: 343k, False: 114k] ------------------ 470| 393k| *variable = 1; 471| 393k| return NDPI_CFG_OK; 472| 393k| } 473| | 474| 114k| if(strcmp(value, "0") == 0 || ------------------ | Branch (474:6): [True: 7.15k, False: 107k] ------------------ 475| 114k| strcmp(value, "disable") == 0) { ------------------ | Branch (475:6): [True: 107k, False: 0] ------------------ 476| 114k| *variable = 0; 477| 114k| return NDPI_CFG_OK; 478| 114k| } 479| | 480| 0| return NDPI_CFG_INVALID_PARAM; 481| 114k|} ndpi_config.c:_set_param_int: 507| 286k| const char *proto, const char *param) { 508| 286k| int *variable = (int *)_variable; 509| 286k| const char *errstrp; 510| 286k| long val; 511| | 512| 286k| (void)ndpi_str; 513| 286k| (void)proto; 514| 286k| (void)param; 515| | 516| 286k| val = ndpi_strtonum(value, LONG_MIN, LONG_MAX, &errstrp, 0); 517| 286k| if(errstrp) { ------------------ | Branch (517:6): [True: 0, False: 286k] ------------------ 518| 0| return 
NDPI_CFG_INVALID_PARAM; 519| 0| } 520| | 521| | /* Min and max values are set in the code, so we can convert them 522| | to integers without too many checks...*/ 523| 286k| if(min_value && max_value && ------------------ | Branch (523:6): [True: 286k, False: 0] | Branch (523:19): [True: 286k, False: 0] ------------------ 524| 286k| (val < strtol(min_value, NULL, 0) || val > strtol(max_value, NULL, 0))) ------------------ | Branch (524:7): [True: 0, False: 286k] | Branch (524:43): [True: 0, False: 286k] ------------------ 525| 0| return NDPI_CFG_INVALID_PARAM; 526| | 527| 286k| *variable = val; 528| | 529| 286k| return NDPI_CFG_OK; 530| 286k|} ndpi_config.c:_set_param_protocol_enable_disable: 694| 28.6k|{ 695| 28.6k| struct ndpi_bitmask *bitmask = (struct ndpi_bitmask *)_variable; 696| 28.6k| u_int16_t proto_id; 697| | 698| 28.6k| (void)ndpi_str; 699| 28.6k| (void)min_value; 700| 28.6k| (void)max_value; 701| 28.6k| (void)param; 702| | 703| 28.6k| if(strcmp(proto, "any") == 0 || ------------------ | Branch (703:6): [True: 0, False: 28.6k] ------------------ 704| 28.6k| strcmp(proto, "all") == 0 || ------------------ | Branch (704:6): [True: 0, False: 28.6k] ------------------ 705| 28.6k| strcmp(proto, "$PROTO_NAME_OR_ID") == 0) { ------------------ | Branch (705:6): [True: 28.6k, False: 0] ------------------ 706| 28.6k| if(strcmp(value, "1") == 0 || ------------------ | Branch (706:8): [True: 14.3k, False: 14.3k] ------------------ 707| 14.3k| strcmp(value, "enable") == 0) { ------------------ | Branch (707:8): [True: 0, False: 14.3k] ------------------ 708| 14.3k| ndpi_bitmask_set_all(bitmask); 709| 14.3k| return NDPI_CFG_OK; 710| 14.3k| } 711| 14.3k| if(strcmp(value, "0") == 0 || ------------------ | Branch (711:8): [True: 0, False: 14.3k] ------------------ 712| 14.3k| strcmp(value, "disable") == 0) { ------------------ | Branch (712:8): [True: 14.3k, False: 0] ------------------ 713| 14.3k| ndpi_bitmask_reset(bitmask); 714| 14.3k| return NDPI_CFG_OK; 715| 14.3k| 
} 716| 14.3k| } 717| | 718| 0| proto_id = __get_proto_id(ndpi_str, proto); 719| 0| if(proto_id == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (719:6): [True: 0, False: 0] ------------------ 720| 0| return NDPI_CFG_INVALID_PARAM; 721| | 722| 0| if(strcmp(value, "1") == 0 || ------------------ | Branch (722:6): [True: 0, False: 0] ------------------ 723| 0| strcmp(value, "enable") == 0) { ------------------ | Branch (723:6): [True: 0, False: 0] ------------------ 724| 0| ndpi_bitmask_set(bitmask, proto_id); 725| 0| return NDPI_CFG_OK; 726| 0| } 727| 0| if(strcmp(value, "0") == 0 || ------------------ | Branch (727:6): [True: 0, False: 0] ------------------ 728| 0| strcmp(value, "disable") == 0) { ------------------ | Branch (728:6): [True: 0, False: 0] ------------------ 729| 0| ndpi_bitmask_clear(bitmask, proto_id); 730| 0| return NDPI_CFG_OK; 731| 0| } 732| 0| return NDPI_CFG_INVALID_PARAM; 733| 0|} ndpi_config.c:_set_param_filename_config: 591| 7.15k| const char *proto, const char *param) { 592| 7.15k| int rc; 593| 7.15k| FILE *fd; 594| | 595| 7.15k| rc = _set_param_filename(ndpi_str, _variable, value, min_value, max_value, proto, param); 596| 7.15k| if(rc != 0 || value == NULL || ndpi_str == NULL) ------------------ | Branch (596:6): [True: 0, False: 7.15k] | Branch (596:17): [True: 7.15k, False: 0] | Branch (596:34): [True: 0, False: 0] ------------------ 597| 7.15k| return rc; 598| | 599| 0| fd = fopen(value, "r"); 600| | 601| 0| if(fd == NULL) ------------------ | Branch (601:6): [True: 0, False: 0] ------------------ 602| 0| return NDPI_CFG_INVALID_PARAM; /* It shoudn't happen because we already checked it */ 603| | 604| 0| rc = load_config_file_fd(ndpi_str, fd); 605| | 606| 0| fclose(fd); 607| | 608| 0| if(rc < 0) ------------------ | Branch (608:6): [True: 0, False: 0] ------------------ 609| 0| return rc; 610| | 611| 0| return NDPI_CFG_OK; 612| 0|} ndpi_config.c:_set_param_filename: 565| 7.15k| const char *proto, const char *param) { 566| 7.15k| 
char *variable = (char *)_variable; 567| | 568| 7.15k| (void)ndpi_str; 569| 7.15k| (void)min_value; 570| 7.15k| (void)max_value; 571| 7.15k| (void)proto; 572| 7.15k| (void)param; 573| | 574| 7.15k| if(value == NULL) { /* Valid value */ ------------------ | Branch (574:6): [True: 7.15k, False: 0] ------------------ 575| 7.15k| variable[0] = '\0'; 576| 7.15k| return NDPI_CFG_OK; 577| 7.15k| } 578| | 579| 0| if(access(value, F_OK) != 0) ------------------ | Branch (579:6): [True: 0, False: 0] ------------------ 580| 0| return NDPI_CFG_INVALID_PARAM; 581| | 582| 0| strncpy(variable, value, CFG_MAX_LEN); ------------------ | | 184| 0|#define CFG_MAX_LEN 256 ------------------ 583| 0| return NDPI_CFG_OK; 584| 0|} ndpi_config.c:_set_param_flowrisk_enable_disable: 761| 14.3k|{ 762| 14.3k| struct ndpi_bitmask *bitmask = (struct ndpi_bitmask *)_variable; 763| 14.3k| ndpi_risk_enum flowrisk_id; 764| 14.3k| char param[128] = {0}; 765| | 766| 14.3k| (void)ndpi_str; 767| 14.3k| (void)min_value; 768| 14.3k| (void)max_value; 769| 14.3k| (void)proto; 770| | 771| 14.3k| if(strncmp(_param, "flow_risk.", 10) != 0) ------------------ | Branch (771:6): [True: 0, False: 14.3k] ------------------ 772| 0| return NDPI_CFG_INVALID_PARAM; 773| | 774| 14.3k| _param += 10; /* Strip initial "flow_risk." */ 775| | 776| 14.3k| if(strlen(_param) > 5 && ------------------ | Branch (776:6): [True: 14.3k, False: 0] ------------------ 777| 14.3k| strncmp(_param + (strlen(_param) - 5), ".info", 5) == 0) ------------------ | Branch (777:6): [True: 7.15k, False: 7.15k] ------------------ 778| 7.15k| memcpy(param, _param, ndpi_min(strlen(_param) - 5, sizeof(param) - 1)); /* Strip trailing ".info" */ ------------------ | | 113| 7.15k|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 7.15k, False: 0] | | ------------------ ------------------ 779| 7.15k| else 780| 7.15k| strncpy(param, _param, sizeof(param) - 1); 781| | 782| 14.3k| if(strcmp(param, "any") == 0 || ------------------ | Branch (782:6): [True: 0, False: 14.3k] ------------------ 783| 14.3k| strcmp(param, "all") == 0 || ------------------ | Branch (783:6): [True: 0, False: 14.3k] ------------------ 784| 14.3k| strcmp(param, "$FLOWRISK_NAME_OR_ID") == 0) { ------------------ | Branch (784:6): [True: 14.3k, False: 0] ------------------ 785| 14.3k| if(strcmp(value, "1") == 0 || ------------------ | Branch (785:8): [True: 0, False: 14.3k] ------------------ 786| 14.3k| strcmp(value, "enable") == 0) { ------------------ | Branch (786:8): [True: 14.3k, False: 0] ------------------ 787| 14.3k| ndpi_bitmask_set_all(bitmask); 788| 14.3k| return NDPI_CFG_OK; 789| 14.3k| } 790| 0| if(strcmp(value, "0") == 0 || ------------------ | Branch (790:8): [True: 0, False: 0] ------------------ 791| 0| strcmp(value, "disable") == 0) { ------------------ | Branch (791:8): [True: 0, False: 0] ------------------ 792| 0| ndpi_bitmask_reset(bitmask); 793| 0| return NDPI_CFG_OK; 794| 0| } 795| 0| } 796| | 797| 0| flowrisk_id = __get_flowrisk_id(param); 798| 0| if(flowrisk_id == NDPI_NO_RISK) ------------------ | Branch (798:6): [True: 0, False: 0] ------------------ 799| 0| return NDPI_CFG_INVALID_PARAM; 800| | 801| 0| if(strcmp(value, "1") == 0 || ------------------ | Branch (801:6): [True: 0, False: 0] ------------------ 802| 0| strcmp(value, "enable") == 0) { ------------------ | Branch (802:6): [True: 0, False: 0] ------------------ 803| 0| ndpi_bitmask_set(bitmask, flowrisk_id); 804| 0| return NDPI_CFG_OK; 805| 0| } 806| 0| if(strcmp(value, "0") == 0 || ------------------ | Branch (806:6): [True: 0, False: 0] ------------------ 807| 0| strcmp(value, "disable") == 0) { ------------------ | Branch (807:6): [True: 0, False: 0] ------------------ 
808| 0| ndpi_bitmask_clear(bitmask, flowrisk_id); 809| 0| return NDPI_CFG_OK; 810| 0| } 811| 0| return NDPI_CFG_INVALID_PARAM; 812| 0|} ndpi_domain_classify_alloc: 34| 21.3k|ndpi_domain_classify* ndpi_domain_classify_alloc() { 35| 21.3k| ndpi_domain_classify *s = (ndpi_domain_classify*)ndpi_malloc(sizeof(ndpi_domain_classify)); 36| | 37| 21.3k| if(!s) ------------------ | Branch (37:6): [True: 355, False: 21.0k] ------------------ 38| 355| return NULL; 39| | 40| 21.0k| if(ndpi_hash_init(&s->domains) != 0) { ------------------ | Branch (40:6): [True: 389, False: 20.6k] ------------------ 41| 389| ndpi_free(s); 42| 389| return(NULL); 43| 389| } 44| | 45| 20.6k| return((ndpi_domain_classify*)s); 46| 21.0k|} ndpi_domain_classify_free: 50| 21.3k|void ndpi_domain_classify_free(ndpi_domain_classify *s) { 51| 21.3k| if(!s) ------------------ | Branch (51:6): [True: 761, False: 20.6k] ------------------ 52| 761| return; 53| | 54| 20.6k| ndpi_hash_free(&s->domains); 55| | 56| 20.6k| ndpi_free(s); 57| 20.6k|} ndpi_domain_classify_add: 77| 1.78M| char *domain) { 78| 1.78M|#ifdef ENCODE_DATA 79| 1.78M| u_int32_t out_len; 80| 1.78M| char out[256]; 81| 1.78M|#endif 82| | 83| 1.78M| if((!s) || (!domain)) ------------------ | Branch (83:6): [True: 0, False: 1.78M] | Branch (83:14): [True: 0, False: 1.78M] ------------------ 84| 0| return(false); 85| | 86| | /* Skip initial string . 
in domain names */ 87| 1.78M| while(domain[0] == '.') domain++; ------------------ | Branch (87:9): [True: 0, False: 1.78M] ------------------ 88| | 89| | //printf("%s\n", domain); 90| | // fprintf(stdout, "."); fflush(stdout); 91| | 92| 1.78M|#ifdef ENCODE_DATA 93| 1.78M| if(ndpi_str) { ------------------ | Branch (93:6): [True: 1.78M, False: 0] ------------------ 94| 1.78M| out_len = ndpi_encode_domain(ndpi_str, domain, out, sizeof(out)); 95| | 96| 1.78M| ndpi_hash_add_entry(&s->domains, out, out_len, class_id, NULL); 97| 1.78M| } else 98| 0| ndpi_hash_add_entry(&s->domains, domain, strlen(domain), class_id, NULL); 99| |#else 100| | ndpi_hash_add_entry(&s->domains, domain, strlen(domain), class_id, NULL); 101| |#endif 102| | 103| | return(true); 104| 1.78M|} ndpi_domain_classify_hostname: 152| 15.8k| const char *hostname) { 153| 15.8k| const char *dot; 154| 15.8k| const char *item; 155| | 156| | // ndpi_enable_loaded_categories(ndpi_mod); /* Make sure they have been enabled */ 157| | 158| 15.8k| *class_id = 0; /* Unknown class_id */ 159| | 160| 15.8k| if(!hostname || !s) return(false); ------------------ | Branch (160:6): [True: 0, False: 15.8k] | Branch (160:19): [True: 0, False: 15.8k] ------------------ 161| 15.8k| if(strlen(hostname) == 0) return(false); ------------------ | Branch (161:6): [True: 2.97k, False: 12.8k] ------------------ 162| 12.8k| if((dot = strrchr(hostname, '.')) == NULL) return(false); ------------------ | Branch (162:6): [True: 2.30k, False: 10.5k] ------------------ 163| 10.5k| if((!strcmp(dot, ".arpa")) || (!strcmp(dot, ".local"))) return(false); ------------------ | Branch (163:6): [True: 20, False: 10.5k] | Branch (163:33): [True: 509, False: 10.0k] ------------------ 164| | 165| 10.0k| item = hostname; 166| | 167| 19.1k| while(true) { ------------------ | Branch (167:9): [True: 19.1k, Folded] ------------------ 168| 19.1k| char *next; 169| | 170| | /* This looks like a match so let's check the hash now */ 171| 19.1k|#ifdef 
ENCODE_DATA 172| 19.1k| if(ndpi_mod) { ------------------ | Branch (172:8): [True: 19.1k, False: 0] ------------------ 173| 19.1k| char out[256]; 174| 19.1k| u_int32_t out_len = ndpi_encode_domain(ndpi_mod, item, out, sizeof(out)); 175| | 176| 19.1k| if(ndpi_hash_find_entry(s->domains, out, out_len, class_id) == 0) ------------------ | Branch (176:10): [True: 0, False: 19.1k] ------------------ 177| 0| return(true); 178| 19.1k| } else { 179| 0| if(ndpi_hash_find_entry(s->domains, item, strlen(item), class_id) == 0) ------------------ | Branch (179:10): [True: 0, False: 0] ------------------ 180| 0| return(true); 181| 0| } 182| |#else 183| | if(ndpi_hash_find_entry(s->domains, item, strlen(item), class_id) == 0) 184| | return(true); 185| |#endif 186| | 187| 19.1k| next = strchr(item, '.'); 188| | 189| 19.1k| if(!next) ------------------ | Branch (189:8): [True: 0, False: 19.1k] ------------------ 190| 0| break; 191| 19.1k| else { 192| 19.1k| item = &next[1]; 193| | 194| 19.1k| if(strchr(item, '.') == NULL) ------------------ | Branch (194:10): [True: 10.0k, False: 9.11k] ------------------ 195| 10.0k| break; /* e.g. .com */ 196| 19.1k| } 197| 19.1k| } 198| | 199| 10.0k| if(ndpi_mod != NULL) { ------------------ | Branch (199:6): [True: 10.0k, False: 0] ------------------ 200| | /* Last resort: domain match with wildcard (e.g. google.) 
*/ 201| 10.0k| const char *domain_name = ndpi_get_host_domain(ndpi_mod, hostname); 202| | 203| 10.0k| if(domain_name != NULL) { ------------------ | Branch (203:8): [True: 10.0k, False: 0] ------------------ 204| 10.0k| char buf[256], *dot; 205| | 206| 10.0k| snprintf(buf, sizeof(buf), "%s", domain_name); 207| 10.0k| dot = strchr(buf, '.'); 208| | 209| 10.0k| if(dot != NULL) { ------------------ | Branch (209:10): [True: 10.0k, False: 0] ------------------ 210| 10.0k| dot[1] = '\0'; 211| | 212| 10.0k|#ifdef ENCODE_DATA 213| 10.0k| char out[256]; 214| 10.0k| u_int32_t out_len = ndpi_encode_domain(ndpi_mod, buf, out, sizeof(out)); 215| | 216| 10.0k| if(ndpi_hash_find_entry(s->domains, out, out_len, class_id) == 0) ------------------ | Branch (216:5): [True: 0, False: 10.0k] ------------------ 217| 0| return(true); 218| |#else 219| | if(ndpi_hash_find_entry(s->domains, item, strlen(item), class_id) == 0) 220| | return(true); 221| |#endif 222| 10.0k| } 223| 10.0k| } 224| 10.0k| } 225| | 226| | /* Not found */ 227| 10.0k| return(false); 228| 10.0k|} ndpi_get_host_domain_suffix: 96| 1.80M| u_int64_t *domain_id /* out */) { 97| 1.80M| char *dot, *prev_dot; 98| | 99| 1.80M| if(!ndpi_str || !hostname || !domain_id) ------------------ | Branch (99:6): [True: 0, False: 1.80M] | Branch (99:19): [True: 0, False: 1.80M] | Branch (99:32): [True: 0, False: 1.80M] ------------------ 100| 0| return NULL; 101| | 102| 1.80M| *domain_id = 0; 103| | 104| 1.80M| if(ndpi_str->public_domain_suffixes == NULL) ------------------ | Branch (104:6): [True: 1.80M, False: 0] ------------------ 105| 1.80M| return(hostname); 106| | 107| 0| prev_dot = dot = strrchr(hostname, '.'); 108| | 109| 0| while(dot != NULL) { ------------------ | Branch (109:9): [True: 0, False: 0] ------------------ 110| 0| while((dot != hostname) && (dot[0] != '.')) ------------------ | Branch (110:11): [True: 0, False: 0] | Branch (110:32): [True: 0, False: 0] ------------------ 111| 0| dot--; 112| | 113| 0| if((dot == 
hostname) ------------------ | Branch (113:8): [True: 0, False: 0] ------------------ 114| 0| || (ndpi_hash_find_entry(ndpi_str->public_domain_suffixes, ------------------ | Branch (114:11): [True: 0, False: 0] ------------------ 115| 0| &dot[1], strlen(&dot[1]), domain_id) != 0)) { 116| | /* Not found: end of search */ 117| 0| return(&prev_dot[1]); 118| 0| } 119| | 120| 0| prev_dot = dot; 121| 0| dot--; 122| 0| } 123| | 124| 0| return(hostname); 125| 0|} ndpi_get_host_domain: 135| 36.6k| const char *hostname) { 136| 36.6k| const char *ret; 137| 36.6k| char *dot, *first_dc; 138| 36.6k| u_int64_t domain_id, len; 139| | 140| 36.6k| if(!ndpi_str || !hostname) ------------------ | Branch (140:6): [True: 0, False: 36.6k] | Branch (140:19): [True: 0, False: 36.6k] ------------------ 141| 0| return NULL; 142| | 143| 36.6k| if(ndpi_str->public_domain_suffixes == NULL) ------------------ | Branch (143:6): [True: 36.6k, False: 0] ------------------ 144| 36.6k| return(hostname); 145| | 146| 0| len = strlen(hostname); 147| 0| if(len == 0) ------------------ | Branch (147:6): [True: 0, False: 0] ------------------ 148| 0| return(hostname); 149| 0| else 150| 0| len--; 151| | 152| 0| if((isdigit(hostname[len])) || (hostname[len] == ']' /* IPv6 address [...] 
*/ )) ------------------ | Branch (152:6): [True: 0, False: 0] | Branch (152:34): [True: 0, False: 0] ------------------ 153| 0| return(hostname); 154| | 155| 0| if((first_dc = strchr(hostname, ':')) != NULL) { ------------------ | Branch (155:6): [True: 0, False: 0] ------------------ 156| 0| char *last_dc = strchr(hostname, ':'); 157| | 158| 0| if((last_dc != NULL) && (first_dc != last_dc)) ------------------ | Branch (158:8): [True: 0, False: 0] | Branch (158:29): [True: 0, False: 0] ------------------ 159| 0| return(hostname); /* Numeric IPv6 address */ 160| 0| } 161| | 162| 0| ret = ndpi_get_host_domain_suffix(ndpi_str, hostname, &domain_id); 163| | 164| 0| if((ret == NULL) || (ret == hostname)) ------------------ | Branch (164:6): [True: 0, False: 0] | Branch (164:23): [True: 0, False: 0] ------------------ 165| 0| return(hostname); 166| | 167| 0| if(strcmp(ret, "in-addr.arpa") == 0) ------------------ | Branch (167:6): [True: 0, False: 0] ------------------ 168| 0| return(ret); 169| | 170| 0| dot = ndpi_strrstr(hostname, ret); 171| | 172| 0| if(dot == NULL || dot == hostname) ------------------ | Branch (172:6): [True: 0, False: 0] | Branch (172:21): [True: 0, False: 0] ------------------ 173| 0| return(hostname); 174| | 175| 0| dot--; 176| 0| while(dot != hostname) { ------------------ | Branch (176:9): [True: 0, False: 0] ------------------ 177| 0| dot--; 178| | 179| 0| if(dot[0] == '.') ------------------ | Branch (179:8): [True: 0, False: 0] ------------------ 180| 0| return(&dot[1]); 181| 0| } 182| | 183| 0| return(hostname); 184| 0|} ndpi_load_tcp_fingerprints: 38| 6.79k|void ndpi_load_tcp_fingerprints(struct ndpi_detection_module_struct *ndpi_str) { 39| | 40| 6.79k| if(ndpi_str->tcp_fingerprint_hashmap || ------------------ | Branch (40:6): [True: 0, False: 6.79k] ------------------ 41| 6.79k| ndpi_hash_init(&ndpi_str->tcp_fingerprint_hashmap) == 0) { ------------------ | Branch (41:6): [True: 6.26k, False: 536] ------------------ 42| 6.26k| u_int i; 
43| | 44| 419k| for(i=0; tcp_fps[i].fingerprint != NULL; i++) ------------------ | Branch (44:14): [True: 413k, False: 6.26k] ------------------ 45| 413k| ndpi_add_tcp_fingerprint(ndpi_str, (char*)tcp_fps[i].fingerprint, tcp_fps[i].os); 46| 6.26k| } 47| 6.79k|} ndpi_get_os_from_tcp_fingerprint: 52| 6.44k| char *tcp_fingerprint) { 53| 6.44k| if(tcp_fingerprint && (ndpi_str->tcp_fingerprint_hashmap != NULL)) { ------------------ | Branch (53:6): [True: 6.02k, False: 428] | Branch (53:25): [True: 5.60k, False: 412] ------------------ 54| 5.60k| u_int64_t ret; 55| | 56| 5.60k| if(ndpi_hash_find_entry(ndpi_str->tcp_fingerprint_hashmap, ------------------ | Branch (56:8): [True: 189, False: 5.42k] ------------------ 57| 5.60k| tcp_fingerprint, strlen(tcp_fingerprint), &ret) == 0) 58| 189| return(ret); 59| 5.60k| } 60| | 61| 6.26k| return(ndpi_os_unknown); 62| 6.44k|} ndpi_add_tcp_fingerprint: 75| 413k| char *fingerprint, ndpi_os os) { 76| 413k| u_int len; 77| 413k| u_int64_t ret; 78| | 79| 413k| len = strlen(fingerprint); 80| | 81| 413k| if((ndpi_str->tcp_fingerprint_hashmap != NULL) ------------------ | Branch (81:6): [True: 413k, False: 0] ------------------ 82| 413k| && (ndpi_hash_find_entry(ndpi_str->tcp_fingerprint_hashmap, fingerprint, len, &ret) == 0)) { ------------------ | Branch (82:9): [True: 11.1k, False: 402k] ------------------ 83| | /* Duplicate fingerprint found */ 84| 11.1k| return(-1); 85| 402k| } else { 86| 402k| if(ndpi_hash_add_entry(&ndpi_str->tcp_fingerprint_hashmap, fingerprint, len, ------------------ | Branch (86:8): [True: 354k, False: 47.9k] ------------------ 87| 402k| (u_int64_t)os, NULL) == 0) { 88| 354k| return(0); 89| 354k| } else 90| 47.9k| return(-2); 91| 402k| } 92| 413k|} ndpi_compute_ndpi_flow_fingerprint: 242| 10.1k| struct ndpi_flow_struct *flow) { 243| 10.1k| if(ndpi_str->cfg.ndpi_fingerprint_enabled && ------------------ | Branch (243:6): [True: 10.1k, False: 0] ------------------ 244| 10.1k| (flow->ndpi.client_fingerprint == 
NULL) && ------------------ | Branch (244:6): [True: 10.1k, False: 0] ------------------ 245| 10.1k| ndpi_stack_is_tls_like(&flow->protocol_stack) && ------------------ | Branch (245:6): [True: 2.21k, False: 7.89k] ------------------ 246| | /* 247| | We need TCP & TLS handshake. What should we do if we don't have them? 248| | For the time being, keep calculating the fingerprint if we have at least 249| | one of them. That means: 250| | * we might have a fingerprint also for DTS/QUIC 251| | * no fingerprint for mid-flows 252| | TODO: is that what we really want? 253| | */ 254| 2.21k| (flow->tcp.fingerprint || flow->protos.tls_quic.ja4_ndpi_client[0] != '\0')) { ------------------ | Branch (254:7): [True: 953, False: 1.26k] | Branch (254:32): [True: 382, False: 884] ------------------ 255| 1.33k| char *l4_fp = "no_l4_fp"; 256| 1.33k| char *l7_pf = "no_app_fp_cli"; 257| 1.33k| char *l7_pf_tls_blocks = ""; 258| 1.33k| char *l7_pf_server = "no_app_fp_srv"; 259| 1.33k| u_int8_t sha_hash[NDPI_SHA256_BLOCK_SIZE]; 260| 1.33k| size_t s; 261| 1.33k| u_int8_t fp_buf[128]; 262| 1.33k| char l7_pf_tls_blocks_buf[256]; 263| | 264| 1.33k| if((!ndpi_str->cfg.tls_ndpifp_ignore_tcp_fingerprint) ------------------ | Branch (264:8): [True: 1.33k, False: 0] ------------------ 265| 1.33k| && (flow->tcp.fingerprint != NULL)) ------------------ | Branch (265:11): [True: 953, False: 382] ------------------ 266| 953| l4_fp = flow->tcp.fingerprint; 267| | 268| 1.33k| if(flow->protos.tls_quic.ja4_ndpi_client[0] != '\0') ------------------ | Branch (268:8): [True: 1.00k, False: 329] ------------------ 269| 1.00k| l7_pf = flow->protos.tls_quic.ja4_ndpi_client; 270| | 271| 1.33k| if(ndpi_str->cfg.tls_max_num_blocks_to_analyze > 0) ------------------ | Branch (271:8): [True: 0, False: 1.33k] ------------------ 272| 0| l7_pf_tls_blocks = ndpi_compute_tls_blocks_flow_fingerprint(flow, 273| 0| l7_pf_tls_blocks_buf, sizeof(l7_pf_tls_blocks_buf)); 274| | 275| 1.33k| 
if(ndpi_str->cfg.ndpi_fingerprint_format == NDPI_CLIENT_SERVER_NDPI_FINGERPRINT) { ------------------ | Branch (275:8): [True: 0, False: 1.33k] ------------------ 276| 0| if(flow->protos.tls_quic.sha1_certificate_fingerprint[0] != '\0') ------------------ | Branch (276:10): [True: 0, False: 0] ------------------ 277| 0| l7_pf_server = (char*)flow->protos.tls_quic.sha1_certificate_fingerprint; 278| 0| else { 279| 0| if(flow->protos.tls_quic.ja3_server[0] != '\0') ------------------ | Branch (279:5): [True: 0, False: 0] ------------------ 280| 0| l7_pf_server = flow->protos.tls_quic.ja3_server; 281| 0| } 282| 0| } 283| | 284| 1.33k| s = snprintf((char*)fp_buf, sizeof(fp_buf)-1, "%s-%s%s-%s", 285| 1.33k| l4_fp, l7_pf, l7_pf_tls_blocks, l7_pf_server); 286| | 287| 1.33k| if(ndpi_str->cfg.tls_ndpifp_ignore_sni_extension) ------------------ | Branch (287:8): [True: 0, False: 1.33k] ------------------ 288| 0| fp_buf[strlen(l4_fp)+4] = '_'; 289| | 290| |#if 0 291| | fprintf(stderr, "#### [sport=%u] %s\n", ntohs(flow->c_port), fp_buf); 292| |#endif 293| | 294| 1.33k| if(s > 0) { ------------------ | Branch (294:8): [True: 1.33k, False: 0] ------------------ 295| 1.33k| s = ndpi_min(s, sizeof(fp_buf)-1); ------------------ | | 113| 1.33k|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 1.33k, False: 0] | | ------------------ ------------------ 296| 1.33k| ndpi_sha256(fp_buf, s, sha_hash); 297| | 298| 1.33k| ndpi_snprintf((char*)fp_buf, sizeof(fp_buf), 299| 1.33k| "%02x%02x%02x%02x%02x%02x%02x%02x" 300| 1.33k| "%02x%02x%02x%02x%02x%02x%02x%02x", 301| 1.33k| sha_hash[0], sha_hash[1], sha_hash[2], sha_hash[3], 302| 1.33k| sha_hash[4], sha_hash[5], sha_hash[6], sha_hash[7], 303| 1.33k| sha_hash[8], sha_hash[9], sha_hash[10], sha_hash[11], 304| 1.33k| sha_hash[12], sha_hash[13], sha_hash[14], sha_hash[15] 305| 1.33k| ); 306| | 307| 1.33k| flow->ndpi.client_fingerprint = ndpi_strdup((char*)fp_buf); 308| | 309| 1.33k| if((flow->ndpi.client_fingerprint != NULL) ------------------ | Branch (309:10): [True: 1.26k, False: 73] ------------------ 310| 1.26k| && (ndpi_str->ndpifp_custom_protos != NULL)) { ------------------ | Branch (310:6): [True: 0, False: 1.26k] ------------------ 311| 0| u_int64_t proto_id; 312| 0| ndpi_list *extra_data = NULL; 313| | 314| | /* This protocol has been defined in protos.txt-like files */ 315| 0| if(ndpi_hash_find_entry_extra(ndpi_str->ndpifp_custom_protos, ------------------ | Branch (315:5): [True: 0, False: 0] ------------------ 316| 0| flow->ndpi.client_fingerprint, strlen(flow->ndpi.client_fingerprint), 317| 0| &proto_id, &extra_data) == 0) { 318| | 319| 0| proto_id = ndpi_compare_flow_tls_blocks(ndpi_str, flow, extra_data, proto_id); 320| | 321| 0| if(proto_id != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (321:7): [True: 0, False: 0] ------------------ 322| 0| ndpi_set_detected_protocol(ndpi_str, flow, proto_id, 323| 0| ndpi_get_master_proto(ndpi_str, flow), 324| 0| NDPI_CONFIDENCE_CUSTOM_RULE); 325| | 326| 0| flow->category = ndpi_str->proto_defaults[proto_id].protoCategory, 327| 0| flow->breed = ndpi_str->proto_defaults[proto_id].protoBreed; 328| 0| } 329| 0| } 330| 0| } 331| 1.33k| } 332| 1.33k| } 333| | 334| 10.1k| 
return(flow->ndpi.client_fingerprint); 335| 10.1k|} ndpi_free_geoip: 74| 7.20k|{ 75| |#ifdef HAVE_MAXMINDDB 76| | if (ndpi_str->mmdb_city_loaded) 77| | MMDB_close((MMDB_s *)ndpi_str->mmdb_city); 78| | if (ndpi_str->mmdb_as_loaded) 79| | MMDB_close((MMDB_s *)ndpi_str->mmdb_as); 80| | 81| | ndpi_free(ndpi_str->mmdb_city); 82| | ndpi_free(ndpi_str->mmdb_as); 83| |#else 84| 7.20k| (void)ndpi_str; 85| 7.20k|#endif 86| 7.20k|} ndpi_quick_hash: 37| 44.5k|u_int32_t ndpi_quick_hash(const unsigned char *str, u_int str_len) { 38| 44.5k| u_int32_t hash = 5381, i; 39| | 40| 401k| for(i=0; inum_internal_protocols) ------------------ | Branch (412:6): [True: 58.5k, False: 0] ------------------ 413| 58.5k| return(user_proto_id); 414| 0| else { 415| 0| u_int idx, idx_max = ndpi_str->num_supported_protocols - ndpi_str->num_internal_protocols; 416| | 417| | /* TODO: improve it and remove linear scan */ 418| 0| for(idx = 0; idx < idx_max; idx++) { ------------------ | Branch (418:18): [True: 0, False: 0] ------------------ 419| 0| if(ndpi_str->ndpi_to_user_proto_id[idx] == 0) ------------------ | Branch (419:10): [True: 0, False: 0] ------------------ 420| 0| break; 421| 0| else if(ndpi_str->ndpi_to_user_proto_id[idx] == user_proto_id) { ------------------ | Branch (421:15): [True: 0, False: 0] ------------------ 422| 0| return(idx + ndpi_str->num_internal_protocols); 423| 0| } 424| 0| } 425| 0| } 426| | 427| 0| return(0); 428| 58.5k|} ndpi_map_ndpi_id_to_user_proto_id: 434| 432k| u_int16_t ndpi_proto_id) { 435| |#if 0 /* Too much verbose... 
*/ 436| | NDPI_LOG_DBG2(ndpi_str, "[DEBUG] ***** %s(%u)\n", __FUNCTION__, ndpi_proto_id); 437| |#endif 438| | 439| 432k| if((!ndpi_str) || (ndpi_proto_id == NDPI_PROTOCOL_UNKNOWN)) ------------------ | Branch (439:6): [True: 0, False: 432k] | Branch (439:21): [True: 283k, False: 148k] ------------------ 440| 283k| return(NDPI_PROTOCOL_UNKNOWN); 441| | 442| 148k| if(!ndpi_is_custom_protocol(ndpi_str, ndpi_proto_id)) ------------------ | Branch (442:6): [True: 148k, False: 0] ------------------ 443| 148k| return(ndpi_proto_id); 444| 0| else if(ndpi_proto_id < ndpi_str->num_supported_protocols) { ------------------ | Branch (444:11): [True: 0, False: 0] ------------------ 445| 0| u_int idx = ndpi_proto_id - ndpi_str->num_internal_protocols; 446| | 447| 0| if(idx < ndpi_str->num_supported_protocols) ------------------ | Branch (447:8): [True: 0, False: 0] ------------------ 448| 0| return(ndpi_str->ndpi_to_user_proto_id[idx]); 449| 0| } 450| | 451| 0| return(0); 452| 148k|} ndpi_build_default_ports_range: 459| 28.7k| u_int16_t portE_low, u_int16_t portE_high) { 460| 28.7k| int i = 0; 461| | 462| 28.7k| ports[i].port_low = portA_low, ports[i].port_high = portA_high, ports[i].is_custom = 0; 463| 28.7k| i++; 464| 28.7k| ports[i].port_low = portB_low, ports[i].port_high = portB_high, ports[i].is_custom = 0; 465| 28.7k| i++; 466| 28.7k| ports[i].port_low = portC_low, ports[i].port_high = portC_high, ports[i].is_custom = 0; 467| 28.7k| i++; 468| 28.7k| ports[i].port_low = portD_low, ports[i].port_high = portD_high, ports[i].is_custom = 0; 469| 28.7k| i++; 470| 28.7k| ports[i].port_low = portE_low, ports[i].port_high = portE_high, ports[i].is_custom = 0; 471| | 472| 28.7k| return(ports); 473| 28.7k|} ndpi_build_default_ports: 479| 28.5M| u_int16_t portD, u_int16_t portE) { 480| 28.5M| int i = 0; 481| | 482| 28.5M| ports[i].port_low = portA, ports[i].port_high = portA, ports[i].is_custom = 0; 483| 28.5M| i++; 484| 28.5M| ports[i].port_low = portB, ports[i].port_high = portB, 
ports[i].is_custom = 0; 485| 28.5M| i++; 486| 28.5M| ports[i].port_low = portC, ports[i].port_high = portC, ports[i].is_custom = 0; 487| 28.5M| i++; 488| 28.5M| ports[i].port_low = portD, ports[i].port_high = portD, ports[i].is_custom = 0; 489| 28.5M| i++; 490| 28.5M| ports[i].port_low = portE, ports[i].port_high = portE, ports[i].is_custom = 0; 491| | 492| 28.5M| return(ports); 493| 28.5M|} exclude_dissector: 580| 2.35M| u_int16_t dissector_idx, const char *_file, const char *_func, int _line) { 581| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 582| | /* TODO */ 583| | if(ndpi_str->cfg.log_level >= NDPI_LOG_DEBUG && ndpi_str->ndpi_debug_printf != NULL) { 584| | (*(ndpi_str->ndpi_debug_printf))(ndpi_str->callback_buffer[dissector_idx].first_protocol_id, 585| | ndpi_str, NDPI_LOG_DEBUG, _file, _func, _line, "exclude %s\n", 586| | ndpi_str->callback_buffer[dissector_idx].name); 587| | } 588| |#else 589| 2.35M| __ndpi_unused_param(ndpi_str); ------------------ | | 390| 2.35M|#define __ndpi_unused_param(x) (void)(x) ------------------ 590| 2.35M| __ndpi_unused_param(_file); ------------------ | | 390| 2.35M|#define __ndpi_unused_param(x) (void)(x) ------------------ 591| 2.35M| __ndpi_unused_param(_func); ------------------ | | 390| 2.35M|#define __ndpi_unused_param(x) (void)(x) ------------------ 592| 2.35M| __ndpi_unused_param(_line); ------------------ | | 390| 2.35M|#define __ndpi_unused_param(x) (void)(x) ------------------ 593| 2.35M|#endif 594| 2.35M| dissector_bitmask_set(&flow->excluded_dissectors_bitmask, dissector_idx); 595| 2.35M|} is_proto_enabled: 600| 17.1M|{ 601| 17.1M| if(protoId < 0) ------------------ | Branch (601:6): [True: 0, False: 17.1M] ------------------ 602| 0| return 0; 603| | /* Custom protocols are always enabled */ 604| 17.1M| if(ndpi_is_custom_protocol(ndpi_str, protoId)) ------------------ | Branch (604:6): [True: 0, False: 17.1M] ------------------ 605| 0| return 1; 606| 17.1M| if(ndpi_bitmask_is_set(&ndpi_str->cfg.detection_bitmask, protoId)) 
------------------ | Branch (606:6): [True: 17.1M, False: 0] ------------------ 607| 17.1M| return 1; 608| 0| return 0; 609| 17.1M|} ndpi_set_proto_subprotocols: 614| 64.5k|{ 615| 64.5k| va_list ap; 616| 64.5k| int current_arg = protoId; 617| 64.5k| size_t i = 0; 618| | 619| 64.5k| va_start(ap, protoId); 620| 287k| while (current_arg != NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS) { ------------------ | | 509| 287k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ | Branch (620:10): [True: 222k, False: 64.5k] ------------------ 621| 222k| ndpi_str->proto_defaults[protoId].subprotocol_count++; 622| 222k| current_arg = va_arg(ap, int); 623| 222k| } 624| 64.5k| va_end(ap); 625| | 626| 64.5k| ndpi_str->proto_defaults[protoId].subprotocols = NULL; 627| | 628| | /* The last protocol is not a subprotocol. */ 629| 64.5k| ndpi_str->proto_defaults[protoId].subprotocol_count--; 630| | /* No subprotocol was set before NDPI_NO_MORE_SUBPROTOCOLS. */ 631| 64.5k| if(ndpi_str->proto_defaults[protoId].subprotocol_count == 0) { ------------------ | Branch (631:6): [True: 0, False: 64.5k] ------------------ 632| 0| return; 633| 0| } 634| | 635| 64.5k| ndpi_str->proto_defaults[protoId].subprotocols = 636| 64.5k| ndpi_malloc(sizeof(protoId) * ndpi_str->proto_defaults[protoId].subprotocol_count); 637| 64.5k| if(!ndpi_str->proto_defaults[protoId].subprotocols) { ------------------ | Branch (637:6): [True: 3.68k, False: 60.8k] ------------------ 638| 3.68k| ndpi_str->proto_defaults[protoId].subprotocol_count = 0; 639| 3.68k| return; 640| 3.68k| } 641| | 642| 64.5k| va_start(ap, protoId); 643| 60.8k| current_arg = va_arg(ap, int); 644| | 645| 205k| while (current_arg != NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS) { ------------------ | | 509| 205k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ | Branch (645:10): [True: 144k, False: 60.8k] ------------------ 646| 144k| ndpi_str->proto_defaults[protoId].subprotocols[i++] = current_arg; 647| 144k| current_arg = va_arg(ap, 
int); 648| 144k| } 649| | 650| | va_end(ap); 651| 60.8k|} ndpi_set_proto_defaults: 689| 14.2M| u_int8_t is_custom_protocol) { 690| 14.2M| int j; 691| | 692| | /* There is no real limit on protocols number/id; the hard limit being the u_int16_t 693| | data typer used for the ids... 694| | */ 695| | 696| 14.2M| if(protoId >= ndpi_str->proto_defaults_num_allocated) { ------------------ | Branch (696:6): [True: 7.18k, False: 14.2M] ------------------ 697| 7.18k| int new_num; 698| 7.18k| ndpi_proto_defaults_t *new_ptr; 699| | 700| 7.18k| new_num = ndpi_max(512, ndpi_nearest_power_of_two(protoId + 1)); ------------------ | | 114| 7.18k|#define ndpi_max(a,b) ((a > b) ? a : b) | | ------------------ | | | Branch (114:26): [True: 7.18k, False: 0] | | ------------------ ------------------ 701| 7.18k| new_num = ndpi_min(new_num, 65535); /* ndpi_str->proto_defaults_num_allocated is uint16_t */ ------------------ | | 113| 7.18k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 7.18k, False: 0] | | ------------------ ------------------ 702| 7.18k| new_ptr = ndpi_realloc(ndpi_str->proto_defaults, 703| 7.18k| new_num * sizeof(ndpi_proto_defaults_t)); 704| 7.18k| if(!new_ptr) { ------------------ | Branch (704:8): [True: 7, False: 7.17k] ------------------ 705| 7| NDPI_LOG_DBG(ndpi_str, "Realloc error\n"); ------------------ | | 596| 7|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 706| 7| return -1; 707| 7| } 708| | 709| 7.17k| memset(&new_ptr[ndpi_str->proto_defaults_num_allocated], '\0', 710| 7.17k| sizeof(ndpi_proto_defaults_t) * (new_num - ndpi_str->proto_defaults_num_allocated)); 711| 7.17k| ndpi_str->proto_defaults = new_ptr; 712| 7.17k| ndpi_str->proto_defaults_num_allocated = new_num; 713| 7.17k| } 714| | 715| 14.2M| if(ndpi_str->proto_defaults[protoId].protoName[0] != '\0') { ------------------ | Branch (715:6): [True: 10.8M, False: 3.40M] ------------------ 716| 10.8M| if(strcasecmp(ndpi_str->proto_defaults[protoId].protoName, protoName) != 0) { ------------------ | Branch (716:8): [True: 0, False: 10.8M] ------------------ 717| 0| NDPI_LOG_ERR(ndpi_str, "Error. Same protocol id %d with different names [%s][%s]!\n", ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 718| 0| protoId, ndpi_str->proto_defaults[protoId].protoName, protoName); 719| 10.8M| } else { 720| 10.8M| NDPI_LOG_DBG2(ndpi_str, "[NDPI] %s/protoId=%d: already initialized. Ignoring it\n", protoName, protoId); ------------------ | | 597| 10.8M|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 721| 10.8M| } 722| 10.8M| return 0; 723| 10.8M| } 724| | 725| 3.40M| strncpy(ndpi_str->proto_defaults[protoId].protoName, 726| 3.40M| protoName, 727| 3.40M| sizeof(ndpi_str->proto_defaults[protoId].protoName) - 1); 728| 3.40M| ndpi_str->proto_defaults[protoId].protoName[sizeof(ndpi_str->proto_defaults[protoId].protoName) - 1] = '\0'; 729| | 730| 3.40M| ndpi_str->proto_defaults[protoId].isClearTextProto = is_cleartext; 731| | /* 732| | is_appprotocol=1 means that this is only an application protocol layered 733| | on top of a network protocol. 
Example WhatsApp=1, TLS=0 734| | */ 735| 3.40M| ndpi_str->proto_defaults[protoId].isAppProtocol = is_app_protocol; 736| 3.40M| ndpi_str->proto_defaults[protoId].isCustomProto = is_custom_protocol; 737| 3.40M| ndpi_str->proto_defaults[protoId].performIPcheck = 0; 738| 3.40M| ndpi_str->proto_defaults[protoId].protoCategory = protoCategory; 739| 3.40M| ndpi_str->proto_defaults[protoId].protoId = protoId; 740| 3.40M| ndpi_str->proto_defaults[protoId].protoBreed = breed; 741| 3.40M| ndpi_str->proto_defaults[protoId].qoeCategory = qoeCategory; 742| 3.40M| ndpi_str->proto_defaults[protoId].subprotocols = NULL; 743| 3.40M| ndpi_str->proto_defaults[protoId].subprotocol_count = 0; 744| | 745| 20.4M| for(j = 0; j < MAX_DEFAULT_PORTS; j++) { ------------------ | | 89| 20.4M|#define MAX_DEFAULT_PORTS 5 ------------------ | Branch (745:14): [True: 17.0M, False: 3.40M] ------------------ 746| 17.0M| ndpi_str->proto_defaults[protoId].tcp_default_ports[j] = tcpDefPorts[j]; 747| 17.0M| ndpi_str->proto_defaults[protoId].udp_default_ports[j] = udpDefPorts[j]; 748| 17.0M| } 749| | 750| 3.40M| ndpi_str->num_supported_protocols++; 751| 3.40M| if(is_custom_protocol) ------------------ | Branch (751:6): [True: 0, False: 3.40M] ------------------ 752| 0| ndpi_str->num_custom_protocols++; 753| 3.40M| else 754| 3.40M| ndpi_str->num_internal_protocols++; 755| | 756| 3.40M| return 0; 757| 14.2M|} load_protocol_match: 983| 11.7M| ndpi_protocol_match const * const match) { 984| | 985| 11.7M| if(!is_proto_enabled(ndpi_str, match->protocol_id)) { ------------------ | Branch (985:6): [True: 0, False: 11.7M] ------------------ 986| 0| NDPI_LOG_DBG(ndpi_str, "[NDPI] Skip protocol match for %s/protoId=%d: disabled\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 987| 0| match->string_to_match, match->protocol_id); 988| 0| return; 989| 0| } 990| | 991| 11.7M| ndpi_add_host_url_subprotocol(ndpi_str, match->string_to_match, 992| 11.7M| match->protocol_id, match->protocol_category, 993| 11.7M| match->protocol_breed, match->level); 994| 11.7M|} ac_domain_match_handler: 3030| 4.86k|int ac_domain_match_handler(AC_MATCH_t *m, AC_TEXT_t *txt, AC_REP_t *match) { 3031| 4.86k| AC_PATTERN_t *pattern = m->patterns; 3032| 4.86k| int i,start,end = m->position; 3033| | 3034| 6.97k| for(i=0; i < m->match_num && i < 32; i++,pattern++) { ------------------ | Branch (3034:12): [True: 4.86k, False: 2.10k] | Branch (3034:32): [True: 4.86k, False: 0] ------------------ 3035| | /* 3036| | * See ac_automata_exact_match() 3037| | * The bit is set if the pattern exactly matches AND 3038| | * the length of the pattern is longer than that of the previous one. 3039| | * Skip shorter (less precise) templates. 3040| | */ 3041| 4.86k| if(!(m->match_map & (1u << i))) ------------------ | Branch (3041:8): [True: 0, False: 4.86k] ------------------ 3042| 0| continue; 3043| 4.86k| start = end - pattern->length; 3044| | 3045| 4.86k| MATCH_DEBUG_INFO("[NDPI] Searching: [to search: %.*s/%u][pattern: %s%.*s%s/%u l:%u] %d-%d\n", 3046| 4.86k| txt->length, txt->astring,(unsigned int) txt->length, 3047| 4.86k| m->patterns[0].rep.from_start ? "^":"", 3048| 4.86k| (unsigned int) pattern->length, pattern->astring, 3049| 4.86k| m->patterns[0].rep.at_end ? "$":"", (unsigned int) pattern->length,m->patterns[0].rep.level, 3050| 4.86k| start,end); 3051| | 3052| 4.86k| if(start == 0 && end == txt->length) { ------------------ | Branch (3052:8): [True: 4.57k, False: 289] | Branch (3052:22): [True: 2.76k, False: 1.81k] ------------------ 3053| 2.76k| *match = pattern->rep; txt->match.last = pattern; 3054| 2.76k| MATCH_DEBUG_INFO("[NDPI] Searching: Found exact match. 
Proto %d \n",pattern->rep.number); 3055| 2.76k| return 1; 3056| 2.76k| } 3057| | /* pattern is DOMAIN.NAME and string x.DOMAIN.NAME ? */ 3058| 2.10k| if(start >= 1 && !ndpi_is_middle_string_char(pattern->astring[0])) { ------------------ | Branch (3058:8): [True: 289, False: 1.81k] | Branch (3058:22): [True: 272, False: 17] ------------------ 3059| | /* 3060| | The patch below allows in case of pattern ws.amazon.com 3061| | to avoid matching aws.amazon.com whereas a.ws.amazon.com 3062| | has to match 3063| | */ 3064| 272| if(txt->astring[start-1] == '.') { ------------------ | Branch (3064:10): [True: 142, False: 130] ------------------ 3065| 142| if(!txt->match.last || txt->match.last->rep.level < pattern->rep.level) { ------------------ | Branch (3065:5): [True: 139, False: 3] | Branch (3065:25): [True: 3, False: 0] ------------------ 3066| 142| txt->match.last = pattern; *match = pattern->rep; 3067| 142| MATCH_DEBUG_INFO("[NDPI] Searching: Found domain match (pre). Proto %d \n",pattern->rep.number); 3068| 142| } 3069| 142| } 3070| 272| continue; 3071| 272| } 3072| | 3073| | /* pattern is -DOMAIN.NAME and string x-DOMAIN.NAME ? */ 3074| 1.83k| if(start >= 1 && pattern->astring[0] == '-') { ------------------ | Branch (3074:8): [True: 17, False: 1.81k] | Branch (3074:22): [True: 0, False: 17] ------------------ 3075| 0| if(txt->astring[start] == '-') { ------------------ | Branch (3075:10): [True: 0, False: 0] ------------------ 3076| 0| if(!txt->match.last || txt->match.last->rep.level < pattern->rep.level) { ------------------ | Branch (3076:5): [True: 0, False: 0] | Branch (3076:25): [True: 0, False: 0] ------------------ 3077| 0| txt->match.last = pattern; *match = pattern->rep; 3078| 0| MATCH_DEBUG_INFO("[NDPI] Searching: Found domain match (pre -). Proto %d \n",pattern->rep.number); 3079| 0| } 3080| 0| } 3081| 0| continue; 3082| 0| } 3083| | 3084| | /* pattern is DOMAIN. and string DOMAIN.SOMETHING ? 
or 3085| | DOMAIN- and DOMAIN-SOMETHING */ 3086| 1.83k| if(start == 0 && ndpi_is_middle_string_char(pattern->astring[pattern->length - 1])) { ------------------ | Branch (3086:8): [True: 1.81k, False: 17] | Branch (3086:22): [True: 0, False: 1.81k] ------------------ 3087| 0| if(!txt->match.last || txt->match.last->rep.level < pattern->rep.level) { ------------------ | Branch (3087:10): [True: 0, False: 0] | Branch (3087:30): [True: 0, False: 0] ------------------ 3088| 0| txt->match.last = pattern; *match = pattern->rep; 3089| 0| MATCH_DEBUG_INFO("[NDPI] Searching: Found domain match (post). Proto %d \n",pattern->rep.number); 3090| 0| } 3091| 0| continue; 3092| 0| } 3093| 1.83k| } 3094| | 3095| 2.10k| return 0; 3096| 4.86k|} ndpi_fill_prefix_v4: 3182| 183M|int ndpi_fill_prefix_v4(ndpi_prefix_t *p, const struct in_addr *a, int b, int mb) { 3183| 183M| memset(p, 0, sizeof(ndpi_prefix_t)); 3184| | 3185| 183M| if(b < 0 || b > mb) ------------------ | Branch (3185:6): [True: 0, False: 183M] | Branch (3185:15): [True: 0, False: 183M] ------------------ 3186| 0| return(-1); 3187| | 3188| 183M| p->add.sin.s_addr = a->s_addr, p->family = AF_INET, p->bitlen = b, p->ref_count = 0; 3189| | 3190| 183M| return(0); 3191| 183M|} ndpi_fill_prefix_v6: 3195| 127M|int ndpi_fill_prefix_v6(ndpi_prefix_t *prefix, const struct in6_addr *addr, int bits, int maxbits) { 3196| 127M| memset(prefix, 0, sizeof(ndpi_prefix_t)); 3197| | 3198| 127M| if(bits < 0 || bits > maxbits) ------------------ | Branch (3198:6): [True: 0, False: 127M] | Branch (3198:18): [True: 0, False: 127M] ------------------ 3199| 0| return -1; 3200| | /* NOTE(review): the copy length is derived from maxbits, and the check above bounds only bits; presumably maxbits is at most 128 so the copy stays within addr and add.sin6 - confirm at the callers */ 3201| 127M| memcpy(&prefix->add.sin6, addr, (maxbits + 7) / 8); 3202| 127M| prefix->family = AF_INET6, prefix->bitlen = bits, prefix->ref_count = 0; 3203| | 3204| 127M| return 0; 3205| 127M|} ndpi_is_public_ipv4: 3259| 105k|u_int8_t ndpi_is_public_ipv4(u_int32_t a /* host byte order */) { 3260| 105k| if( ((a & 0xFF000000) == 0x0A000000 /* 10.0.0.0/8 */) ------------------ |
Branch (3260:9): [True: 11.7k, False: 94.0k] ------------------ 3261| 94.0k| || ((a & 0xFFF00000) == 0xAC100000 /* 172.16.0.0/12 */) ------------------ | Branch (3261:5): [True: 212, False: 93.8k] ------------------ 3262| 93.8k| || ((a & 0xFFFF0000) == 0xC0A80000 /* 192.168.0.0/16 */) ------------------ | Branch (3262:5): [True: 41.3k, False: 52.4k] ------------------ 3263| 52.4k| || ((a & 0xFF000000) == 0x7F000000 /* 127.0.0.0/8 */) ------------------ | Branch (3263:5): [True: 25, False: 52.4k] ------------------ 3264| 52.4k| || ((a & 0xF0000000) == 0xE0000000 /* 224.0.0.0/4 */) ------------------ | Branch (3264:5): [True: 1.83k, False: 50.5k] ------------------ 3265| 105k| ) 3266| 55.1k| return(0); 3267| 50.5k| else 3268| 50.5k| return(1); 3269| 105k|} ndpi_network_port_ptree_match: 3324| 57.9k| u_int16_t port /* network byte order */) { 3325| 57.9k| ndpi_prefix_t prefix; 3326| 57.9k| ndpi_patricia_node_t *node; 3327| | 3328| 57.9k| if(!ndpi_str || !ndpi_str->protocols) ------------------ | Branch (3328:6): [True: 0, False: 57.9k] | Branch (3328:19): [True: 0, False: 57.9k] ------------------ 3329| 0| return(NDPI_PROTOCOL_UNKNOWN); 3330| | 3331| 57.9k| if(ndpi_str->num_custom_protocols == 0) { ------------------ | Branch (3331:6): [True: 57.9k, False: 0] ------------------ 3332| | /* 3333| | In case we don't have defined any custom protocol we check the ptree 3334| | only in case of public IP addresses as in ndpi_content_match.c.inc 3335| | we only have public IP addresses. 
Instead with custom protocols, users 3336| | might have defined private protocols hence we should not skip 3337| | the checks below 3338| | */ 3339| | 3340| 57.9k| if(ndpi_is_public_ipv4(ntohl(pin->s_addr)) == 0) ------------------ | Branch (3340:8): [True: 24.8k, False: 33.1k] ------------------ 3341| 24.8k| return(NDPI_PROTOCOL_UNKNOWN); /* Non public IP */ 3342| 57.9k| } 3343| | 3344| | /* Make sure all in network byte order otherwise compares wont work */ 3345| 33.1k| ndpi_fill_prefix_v4(&prefix, pin, 32, 3346| 33.1k| ((ndpi_patricia_tree_t *) ndpi_str->protocols->v4)->maxbits); 3347| 33.1k| node = ndpi_patricia_search_best(ndpi_str->protocols->v4, &prefix); 3348| | 3349| 33.1k| if(node) { ------------------ | Branch (3349:6): [True: 11.1k, False: 22.0k] ------------------ 3350| 11.1k| int i; 3351| 11.1k| struct patricia_uv16_list *item; 3352| | 3353| 11.1k| for(i=0; i<UV16_MAX_USER_VALUES; i++) { 3354| 11.1k| if((node->value.u.uv16[i].additional_user_value == 0) ------------------ | Branch (3354:10): [True: 11.1k, False: 0] ------------------ 3355| 0| || (node->value.u.uv16[i].additional_user_value == port)) ------------------ | Branch (3355:6): [True: 0, False: 0] ------------------ 3356| 11.1k| return(node->value.u.uv16[i].user_value); 3357| 11.1k| } 3358| | 3359| | /* 3360| | If we're here it means that we don't have 3361| | enough room for our custom value so we need 3362| | to check the custom_user_data pointer.
3363| | */ 3364| 0| item = (struct patricia_uv16_list*)node->data; 3365| | 3366| 0| while(item != NULL) { ------------------ | Branch (3366:11): [True: 0, False: 0] ------------------ 3367| 0| if(item->value.additional_user_value == port) ------------------ | Branch (3367:10): [True: 0, False: 0] ------------------ 3368| 0| return(item->value.user_value); 3369| 0| else 3370| 0| item = item->next; 3371| 0| } 3372| 0| } 3373| | 3374| 22.0k| return(NDPI_PROTOCOL_UNKNOWN); 3375| 33.1k|} ndpi_network_port_ptree6_match: 3382| 1.94k|{ 3383| 1.94k| ndpi_prefix_t prefix; 3384| 1.94k| ndpi_patricia_node_t *node; 3385| | 3386| 1.94k| if(!ndpi_str || !ndpi_str->protocols) ------------------ | Branch (3386:6): [True: 0, False: 1.94k] | Branch (3386:19): [True: 0, False: 1.94k] ------------------ 3387| 0| return(NDPI_PROTOCOL_UNKNOWN); 3388| | 3389| | /* TODO: check on "private" addresses? */ 3390| | 3391| | /* Make sure all in network byte order otherwise compares wont work */ 3392| 1.94k| ndpi_fill_prefix_v6(&prefix, pin, 128, 3393| 1.94k| ((ndpi_patricia_tree_t *) ndpi_str->protocols->v6)->maxbits); 3394| 1.94k| node = ndpi_patricia_search_best(ndpi_str->protocols->v6, &prefix); 3395| | 3396| 1.94k| if(node) { ------------------ | Branch (3396:6): [True: 317, False: 1.62k] ------------------ 3397| 317| int i; 3398| 317| struct patricia_uv16_list *item; 3399| | 3400| 317| for(i=0; i<UV16_MAX_USER_VALUES; i++) { 3401| 317| if((node->value.u.uv16[i].additional_user_value == 0) ------------------ | Branch (3401:10): [True: 317, False: 0] ------------------ 3402| 0| || (node->value.u.uv16[i].additional_user_value == port)) ------------------ | Branch (3402:6): [True: 0, False: 0] ------------------ 3403| 317| return(node->value.u.uv16[i].user_value); 3404| 317| } 3405| | 3406| | /* 3407| | If we're here it means that we don't have 3408| | enough room for our custom value so we need 3409| | to check the custom_user_data pointer.
3410| | */ 3411| 0| item = (struct patricia_uv16_list*)node->data; 3412| | 3413| 0| while(item != NULL) { ------------------ | Branch (3413:11): [True: 0, False: 0] ------------------ 3414| 0| if(item->value.additional_user_value == port) ------------------ | Branch (3414:10): [True: 0, False: 0] ------------------ 3415| 0| return(item->value.user_value); 3416| 0| else 3417| 0| item = item->next; 3418| 0| } 3419| 0| } 3420| | 3421| 1.62k| return(NDPI_PROTOCOL_UNKNOWN); 3422| 1.94k|} ndpi_network_risk_ptree_match: 3427| 4.64k| struct in_addr *pin /* network byte order */) { 3428| 4.64k| ndpi_prefix_t prefix; 3429| 4.64k| ndpi_patricia_node_t *node; 3430| | 3431| 4.64k| if(!ndpi_str || !ndpi_str->ip_risk) ------------------ | Branch (3431:6): [True: 0, False: 4.64k] | Branch (3431:19): [True: 0, False: 4.64k] ------------------ 3432| 0| return(NDPI_NO_RISK); 3433| | 3434| | /* Make sure all in network byte order otherwise compares wont work */ 3435| 4.64k| ndpi_fill_prefix_v4(&prefix, pin, 32, 3436| 4.64k| ((ndpi_patricia_tree_t *) ndpi_str->ip_risk->v4)->maxbits); 3437| 4.64k| node = ndpi_patricia_search_best(ndpi_str->ip_risk->v4, &prefix); 3438| | 3439| 4.64k| if(node) ------------------ | Branch (3439:6): [True: 38, False: 4.61k] ------------------ 3440| 38| return((ndpi_risk_enum)node->value.u.uv16[0].user_value); 3441| | 3442| 4.61k| return(NDPI_NO_RISK); 3443| 4.64k|} ndpi_network_risk_ptree_match6: 3448| 1.11k| struct in6_addr *pin) { 3449| 1.11k| ndpi_prefix_t prefix; 3450| 1.11k| ndpi_patricia_node_t *node; 3451| | /* NOTE(review): no NULL check on ndpi_str or ndpi_str->ip_risk before the dereferences below, whereas ndpi_network_risk_ptree_match returns NDPI_NO_RISK in that case; presumably callers guarantee both - confirm */ 3452| | /* Make sure all in network byte order otherwise compares wont work */ 3453| 1.11k| ndpi_fill_prefix_v6(&prefix, pin, 128, 3454| 1.11k| ((ndpi_patricia_tree_t *) ndpi_str->ip_risk->v6)->maxbits); 3455| 1.11k| node = ndpi_patricia_search_best(ndpi_str->ip_risk->v6, &prefix); 3456| | 3457| 1.11k| if(node) ------------------ | Branch (3457:6): [True: 0, False: 1.11k] ------------------ 3458| 0|
return((ndpi_risk_enum)node->value.u.uv16[0].user_value); 3459| | 3460| 1.11k| return(NDPI_NO_RISK); 3461| 1.11k|} ndpi_global_init: 4134| 7.20k|struct ndpi_global_context *ndpi_global_init(void) { 4135| |#ifndef USE_GLOBAL_CONTEXT 4136| | return NULL; 4137| |#else 4138| 7.20k| struct ndpi_global_context *g_ctx = ndpi_calloc(1, sizeof(struct ndpi_global_context)); 4139| | 4140| 7.20k| if(g_ctx == NULL) ------------------ | Branch (4140:6): [True: 402, False: 6.80k] ------------------ 4141| 402| return(NULL); 4142| | 4143| | /* Global caches (if any) are initialized during the initialization 4144| | of the local context(s) */ 4145| | 4146| | /* Note that we don't have yet an easy way to log from this function */ 4147| | 4148| 6.80k| return g_ctx; 4149| 7.20k|#endif 4150| 7.20k|} ndpi_global_deinit: 4154| 7.20k|void ndpi_global_deinit(struct ndpi_global_context *g_ctx) { 4155| | 4156| | /* Note that we don't have yet an easy way to log from this function */ 4157| | 4158| 7.20k| if(g_ctx) { ------------------ | Branch (4158:6): [True: 6.80k, False: 402] ------------------ 4159| | 4160| | /* Global caches are freed here, so that we are able to get statistics even 4161| | after the uninitialization of all the local contexts */ 4162| | 4163| 6.80k| if(g_ctx->ookla_global_cache) ------------------ | Branch (4163:8): [True: 0, False: 6.80k] ------------------ 4164| 0| ndpi_lru_free_cache(g_ctx->ookla_global_cache); 4165| 6.80k| if(g_ctx->bittorrent_global_cache) ------------------ | Branch (4165:8): [True: 0, False: 6.80k] ------------------ 4166| 0| ndpi_lru_free_cache(g_ctx->bittorrent_global_cache); 4167| 6.80k| if(g_ctx->stun_global_cache) ------------------ | Branch (4167:8): [True: 0, False: 6.80k] ------------------ 4168| 0| ndpi_lru_free_cache(g_ctx->stun_global_cache); 4169| 6.80k| if(g_ctx->tls_cert_global_cache) ------------------ | Branch (4169:8): [True: 0, False: 6.80k] ------------------ 4170| 0| ndpi_lru_free_cache(g_ctx->tls_cert_global_cache); 4171| 
6.80k| if(g_ctx->mining_global_cache) ------------------ | Branch (4171:8): [True: 0, False: 6.80k] ------------------ 4172| 0| ndpi_lru_free_cache(g_ctx->mining_global_cache); 4173| 6.80k| if(g_ctx->msteams_global_cache) ------------------ | Branch (4173:8): [True: 0, False: 6.80k] ------------------ 4174| 0| ndpi_lru_free_cache(g_ctx->msteams_global_cache); 4175| 6.80k| if(g_ctx->fpc_dns_global_cache) ------------------ | Branch (4175:8): [True: 0, False: 6.80k] ------------------ 4176| 0| ndpi_lru_free_cache(g_ctx->fpc_dns_global_cache); 4177| 6.80k| if(g_ctx->signal_global_cache) ------------------ | Branch (4177:8): [True: 0, False: 6.80k] ------------------ 4178| 0| ndpi_lru_free_cache(g_ctx->signal_global_cache); 4179| | 4180| 6.80k| ndpi_free(g_ctx); 4181| 6.80k| } 4182| 7.20k|} ndpi_init_detection_module: 4186| 7.20k|struct ndpi_detection_module_struct *ndpi_init_detection_module(struct ndpi_global_context *g_ctx) { 4187| 7.20k| struct ndpi_detection_module_struct *ndpi_str = ndpi_calloc(1, sizeof(struct ndpi_detection_module_struct)); 4188| 7.20k| int i; 4189| | 4190| 7.20k| if(ndpi_str == NULL) { ------------------ | Branch (4190:6): [True: 3, False: 7.20k] ------------------ 4191| | /* Logging this error is a bit tricky. At this point, we can't use NDPI_LOG* 4192| | functions yet, we don't have a custom log function and, as a library, 4193| | we shouldn't use stdout/stderr. 
Since this error is quite unlikely, 4194| | simply avoid any logs at all */ 4195| 3| return(NULL); 4196| 3| } 4197| | 4198| |#ifdef WIN32 4199| | /* Required to use getaddrinfo on Windows */ 4200| | WSADATA wsaData; 4201| | WSAStartup(MAKEWORD(2, 2), &wsaData); 4202| |#endif 4203| | 4204| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 4205| | set_ndpi_debug_function(ndpi_str, (ndpi_debug_function_ptr) ndpi_debug_printf); 4206| |#endif /* NDPI_ENABLE_DEBUG_MESSAGES */ 4207| | 4208| 7.20k| if((ndpi_str->protocols = ndpi_ptree_create()) == NULL) { ------------------ | Branch (4208:6): [True: 1, False: 7.20k] ------------------ 4209| 1| NDPI_LOG_ERR(ndpi_str, "[NDPI] Error allocating tree\n"); ------------------ | | 593| 1|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 4210| 1| ndpi_exit_detection_module(ndpi_str); 4211| 1| return NULL; 4212| 1| } 4213| | 4214| 7.20k| ndpi_str->ip_risk_mask = ndpi_ptree_create(); 4215| | 4216| 7.20k| ndpi_str->g_ctx = g_ctx; 4217| | 4218| 7.20k| ndpi_str->user_data = NULL; 4219| | 4220| 7.20k| ndpi_str->tcp_max_retransmission_window_size = NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE; ------------------ | | 518| 7.20k|#define NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE 0x10000 ------------------ 4221| | 4222| 7.20k| ndpi_str->num_supported_protocols = 0; 4223| 7.20k| ndpi_str->num_custom_protocols = 0; 4224| 7.20k| ndpi_str->num_internal_protocols = 0; 4225| | 4226| | /* We don't really need to check if these init functions fail; the code 4227| | correctly handles that case (due only to memory allocation failures) */ 4228| 7.20k| ndpi_str->host_automa.ac_automa = ac_automata_init(ac_domain_match_handler); 4229| 7.20k| ndpi_str->host_risk_mask_automa.ac_automa = ac_automata_init(ac_domain_match_handler); 4230| 7.20k| ndpi_str->common_alpns_automa.ac_automa = ac_automata_init(ac_domain_match_handler); 4231| 7.20k| ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(NULL); 4232| 7.20k| 
ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */ 4233| | 4234| 7.20k| ndpi_str->malicious_ja4_hashmap = NULL; /* Initialized on demand */ 4235| 7.20k| ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */ 4236| 7.20k| ndpi_str->ja4_custom_protos = NULL; /* Initialized on demand */ 4237| 7.20k| ndpi_str->ndpifp_custom_protos = NULL; /* Initialized on demand */ 4238| 7.20k| ndpi_str->http_url_hashmap = NULL; /* Initialized on demand */ 4239| | 4240| 7.20k| ndpi_str->trusted_issuer_dn = NULL; /* Initialized on demand */ 4241| | 4242| 7.20k| ndpi_str->custom_categories.sc_hostnames = ndpi_domain_classify_alloc(); 4243| 7.20k| if(!ndpi_str->custom_categories.sc_hostnames) { ------------------ | Branch (4243:6): [True: 15, False: 7.18k] ------------------ 4244| 15| ndpi_exit_detection_module(ndpi_str); 4245| 15| return(NULL); 4246| 15| } 4247| 7.18k| ndpi_str->custom_categories.sc_hostnames_shadow = ndpi_domain_classify_alloc(); 4248| 7.18k| if(!ndpi_str->custom_categories.sc_hostnames_shadow) { ------------------ | Branch (4248:6): [True: 5, False: 7.18k] ------------------ 4249| 5| ndpi_exit_detection_module(ndpi_str); 4250| 5| return(NULL); 4251| 5| } 4252| | 4253| 7.18k| ndpi_str->custom_categories.ipAddresses = ndpi_patricia_new(32 /* IPv4 */); 4254| 7.18k| ndpi_str->custom_categories.ipAddresses_shadow = ndpi_patricia_new(32 /* IPv4 */); 4255| 7.18k| ndpi_str->custom_categories.ipAddresses6 = ndpi_patricia_new(128 /* IPv6 */); 4256| 7.18k| ndpi_str->custom_categories.ipAddresses6_shadow = ndpi_patricia_new(128 /* IPv6 */); 4257| | 4258| 7.18k| if(ndpi_str->host_automa.ac_automa) ------------------ | Branch (4258:6): [True: 6.43k, False: 745] ------------------ 4259| 6.43k| ac_automata_feature(ndpi_str->host_automa.ac_automa,AC_FEATURE_LC); ------------------ | | 256| 6.43k|#define AC_FEATURE_LC 2 ------------------ 4260| | 4261| 7.18k| if(ndpi_str->tls_cert_subject_automa.ac_automa) ------------------ | Branch (4261:6): 
[True: 6.32k, False: 854] ------------------ 4262| 6.32k| ac_automata_feature(ndpi_str->tls_cert_subject_automa.ac_automa,AC_FEATURE_LC); ------------------ | | 256| 6.32k|#define AC_FEATURE_LC 2 ------------------ 4263| | 4264| 7.18k| if(ndpi_str->host_risk_mask_automa.ac_automa) ------------------ | Branch (4264:6): [True: 6.37k, False: 807] ------------------ 4265| 6.37k| ac_automata_feature(ndpi_str->host_risk_mask_automa.ac_automa,AC_FEATURE_LC); ------------------ | | 256| 6.37k|#define AC_FEATURE_LC 2 ------------------ 4266| | 4267| 7.18k| if(ndpi_str->common_alpns_automa.ac_automa) ------------------ | Branch (4267:6): [True: 6.32k, False: 860] ------------------ 4268| 6.32k| ac_automata_feature(ndpi_str->common_alpns_automa.ac_automa,AC_FEATURE_LC); ------------------ | | 256| 6.32k|#define AC_FEATURE_LC 2 ------------------ 4269| | 4270| | /* ahocorasick debug */ 4271| | /* Needed ac_automata_enable_debug(1) for show debug */ 4272| 7.18k| if(ndpi_str->host_automa.ac_automa) ------------------ | Branch (4272:6): [True: 6.43k, False: 745] ------------------ 4273| 6.43k| ac_automata_name(ndpi_str->host_automa.ac_automa,"host",AC_FEATURE_DEBUG); ------------------ | | 255| 6.43k|#define AC_FEATURE_DEBUG 1 ------------------ 4274| | 4275| 7.18k| if(ndpi_str->tls_cert_subject_automa.ac_automa) ------------------ | Branch (4275:6): [True: 6.32k, False: 854] ------------------ 4276| 6.32k| ac_automata_name(ndpi_str->tls_cert_subject_automa.ac_automa,"tls_cert",AC_FEATURE_DEBUG); ------------------ | | 255| 6.32k|#define AC_FEATURE_DEBUG 1 ------------------ 4277| | 4278| 7.18k| if(ndpi_str->host_risk_mask_automa.ac_automa) ------------------ | Branch (4278:6): [True: 6.37k, False: 807] ------------------ 4279| 6.37k| ac_automata_name(ndpi_str->host_risk_mask_automa.ac_automa,"content",AC_FEATURE_DEBUG); ------------------ | | 255| 6.37k|#define AC_FEATURE_DEBUG 1 ------------------ 4280| | 4281| 7.18k| if(ndpi_str->common_alpns_automa.ac_automa) 
------------------ | Branch (4281:6): [True: 6.32k, False: 860] ------------------ 4282| 6.32k| ac_automata_name(ndpi_str->common_alpns_automa.ac_automa,"content",AC_FEATURE_DEBUG); ------------------ | | 255| 6.32k|#define AC_FEATURE_DEBUG 1 ------------------ 4283| | 4284| 7.18k| if((ndpi_str->custom_categories.ipAddresses == NULL) || (ndpi_str->custom_categories.ipAddresses_shadow == NULL) || ------------------ | Branch (4284:6): [True: 2, False: 7.17k] | Branch (4284:59): [True: 1, False: 7.17k] ------------------ 4285| 7.17k| (ndpi_str->custom_categories.ipAddresses6 == NULL) || (ndpi_str->custom_categories.ipAddresses6_shadow == NULL)) { ------------------ | Branch (4285:6): [True: 2, False: 7.17k] | Branch (4285:60): [True: 1, False: 7.17k] ------------------ 4286| 6| NDPI_LOG_ERR(ndpi_str, "[NDPI] Error allocating Patricia trees\n"); ------------------ | | 593| 6|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 4287| 6| ndpi_exit_detection_module(ndpi_str); 4288| 6| return(NULL); 4289| 6| } 4290| | 4291| 43.0k| for(i = 0; i < NUM_CUSTOM_CATEGORIES; i++) ------------------ | | 1369| 43.0k|#define NUM_CUSTOM_CATEGORIES 5 ------------------ | Branch (4291:14): [True: 35.8k, False: 7.17k] ------------------ 4292| 35.8k| ndpi_snprintf(ndpi_str->custom_category_labels[i], CUSTOM_CATEGORY_LABEL_LEN, "User custom category %u", ------------------ | | 1370| 35.8k|#define CUSTOM_CATEGORY_LABEL_LEN 32 ------------------ 4293| 35.8k| (unsigned int) (i + 1)); 4294| | 4295| | /* 4296| | *** Note that we don't know if a (internal) protocol is enabled or not until `ndpi_finalize_initialization()` *** 4297| | */ 4298| | 4299| | /* Build `ndpi_str->proto_defaults[]` array. This array does NOT depend on protocols being enable or not! */ 4300| 7.17k| init_protocol_defaults(ndpi_str); 4301| | 4302| | /* At this point, we MUST have loaded ALL the internal protocols and NONE of 4303| | the custom protocols! 
4304| | Only the first **consecutive** `ndpi_str->num_supported_protocols` entries in the 4305| | array `ndpi_str->proto_defaults[]` MUST have been initialized! 4306| | In other words, all the other functions can safely access to `ndpi_str->num_supported_protocols` and 4307| | `ndpi_str->num_internal_protocols` 4308| | 4309| | Sanity checks 4310| | */ 4311| 3.40M| for(i = 0; i < (int)ndpi_str->num_supported_protocols; i++) { ------------------ | Branch (4311:14): [True: 3.39M, False: 7.17k] ------------------ 4312| 3.39M| if(ndpi_str->proto_defaults[i].protoName[0] == '\0' || ------------------ | Branch (4312:8): [True: 4, False: 3.39M] ------------------ 4313| 3.39M| ndpi_str->proto_defaults[i].isCustomProto) { ------------------ | Branch (4313:8): [True: 0, False: 3.39M] ------------------ 4314| 4| NDPI_LOG_ERR(ndpi_str, "INTERNAL ERROR protocols %d/%d %d\n", ------------------ | | 593| 4|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 4315| 4| i, ndpi_str->num_supported_protocols, 4316| 4| ndpi_str->proto_defaults[i].isCustomProto); 4317| 4| ndpi_exit_detection_module(ndpi_str); 4318| 4| return(NULL); 4319| 4| } 4320| 3.39M| } 4321| 7.17k| if(ndpi_str->num_supported_protocols != ndpi_str->num_internal_protocols) { ------------------ | Branch (4321:6): [True: 0, False: 7.17k] ------------------ 4322| 0| ndpi_exit_detection_module(ndpi_str); 4323| 0| return(NULL); 4324| 0| } 4325| | 4326| | /* When we know the number of internal protocols, we can set the default configuration 4327| | (we need the number to proper initialize the bitmasks)*/ 4328| 7.17k| if(ndpi_set_default_config(&ndpi_str->cfg, ------------------ | Branch (4328:6): [True: 12, False: 7.15k] ------------------ 4329| 7.17k| ndpi_str->num_internal_protocols) != 0) { 4330| 12| NDPI_LOG_ERR(ndpi_str, "Error allocating set_default_config\n"); ------------------ | | 593| 12|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4331| 12| ndpi_exit_detection_module(ndpi_str); 4332| 12| return(NULL); 4333| 12| } 4334| | 4335| 7.15k| return(ndpi_str); 4336| 7.17k|} is_monitoring_enabled: 4399| 11.0k|{ 4400| 11.0k| if(ndpi_bitmask_is_set(&ndpi_str->cfg.monitoring, protoId) == 0) ------------------ | Branch (4400:6): [True: 11.0k, False: 0] ------------------ 4401| 11.0k| return 0; 4402| 0| return 1; 4403| 11.0k|} ndpi_finalize_initialization: 4407| 7.15k|int ndpi_finalize_initialization(struct ndpi_detection_module_struct *ndpi_str) { 4408| 7.15k| u_int i; 4409| | 4410| 7.15k| if(!ndpi_str) ------------------ | Branch (4410:6): [True: 0, False: 7.15k] ------------------ 4411| 0| return -1; 4412| | 4413| 7.15k| if(ndpi_str->finalized) /* Already finalized */ ------------------ | Branch (4413:6): [True: 0, False: 7.15k] ------------------ 4414| 0| return 0; 4415| | 4416| 7.15k| load_string_based_protocols(ndpi_str); 4417| | 4418| 7.15k| if(dissectors_init(ndpi_str)) { ------------------ | Branch (4418:6): [True: 163, False: 6.99k] ------------------ 4419| 163| NDPI_LOG_ERR(ndpi_str, "Error dissectors_init\n"); ------------------ | | 593| 163|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4420| 163| return -1; 4421| 163| } 4422| | 4423| 6.99k| load_default_ports(ndpi_str); 4424| | 4425| 6.99k| if(!ndpi_str->custom_categories.categories_loaded) ------------------ | Branch (4425:6): [True: 6.99k, False: 0] ------------------ 4426| 6.99k| ndpi_enable_loaded_categories(ndpi_str); 4427| | 4428| 6.99k| validate_protocol_initialization(ndpi_str); 4429| | 4430| 6.99k| if(ndpi_str->cfg.libgcrypt_init) { ------------------ | Branch (4430:6): [True: 6.99k, False: 0] ------------------ 4431| 6.99k| if(!gcry_control(GCRYCTL_INITIALIZATION_FINISHED_P)) { ------------------ | | 24| 6.99k|#define GCRYCTL_INITIALIZATION_FINISHED_P 1,0 ------------------ | Branch (4431:8): [True: 6.99k, False: 0] ------------------ 4432| 6.99k| const char *gcrypt_ver = gcry_check_version(NULL); 4433| 6.99k| if(!gcrypt_ver) { ------------------ | Branch (4433:10): [True: 0, False: 6.99k] ------------------ 4434| 0| NDPI_LOG_ERR(ndpi_str, "Error initializing libgcrypt\n"); ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 4435| 0| } 4436| 6.99k| NDPI_LOG_DBG(ndpi_str, "Libgcrypt %s\n", gcrypt_ver); ------------------ | | 596| 6.99k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 4437| | /* Tell Libgcrypt that initialization has completed. */ 4438| 6.99k| gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); ------------------ | | 25| 6.99k|#define GCRYCTL_INITIALIZATION_FINISHED 2 ------------------ 4439| 6.99k| } 4440| 6.99k| } else { 4441| 0| NDPI_LOG_DBG(ndpi_str, "Libgcrypt initialization skipped\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4442| 0| } 4443| | 4444| | /* Hard-coded lists */ 4445| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, host_protocol_list); 4446| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, host_protocol_list_6); 4447| | 4448| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AKAMAI)) { ------------------ | Branch (4448:6): [True: 6.99k, False: 0] ------------------ 4449| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_akamai_protocol_list); 4450| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_akamai_protocol_list_6); 4451| 6.99k| } 4452| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AMAZON_AWS)) { ------------------ | Branch (4452:6): [True: 6.99k, False: 0] ------------------ 4453| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_amazon_aws_protocol_list); 4454| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_amazon_aws_protocol_list_6); 4455| 6.99k| } 4456| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AWS_API_GATEWAY)) { ------------------ | Branch (4456:6): [True: 6.99k, False: 0] ------------------ 4457| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_aws_api_gateway_protocol_list); 4458| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_aws_api_gateway_protocol_list_6); 4459| 6.99k| } 4460| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AWS_KINESIS)) { ------------------ | Branch (4460:6): [True: 6.99k, False: 0] ------------------ 4461| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_aws_kinesis_protocol_list); 4462| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_aws_kinesis_protocol_list_6); 4463| 6.99k| } 4464| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AWS_EC2)) { ------------------ | Branch (4464:6): [True: 6.99k, False: 0] ------------------ 4465| 6.99k| 
ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_aws_ec2_protocol_list); 4466| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_aws_ec2_protocol_list_6); 4467| 6.99k| } 4468| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AWS_S3)) { ------------------ | Branch (4468:6): [True: 6.99k, False: 0] ------------------ 4469| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_aws_s3_protocol_list); 4470| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_aws_s3_protocol_list_6); 4471| 6.99k| } 4472| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AWS_CLOUDFRONT)) { ------------------ | Branch (4472:6): [True: 6.99k, False: 0] ------------------ 4473| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_aws_cloudfront_protocol_list); 4474| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_aws_cloudfront_protocol_list_6); 4475| 6.99k| } 4476| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AWS_DYNAMODB)) { ------------------ | Branch (4476:6): [True: 6.99k, False: 0] ------------------ 4477| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_aws_dynamodb_protocol_list); 4478| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_aws_dynamodb_protocol_list_6); 4479| 6.99k| } 4480| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MICROSOFT_AZURE)) { ------------------ | Branch (4480:6): [True: 6.99k, False: 0] ------------------ 4481| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_microsoft_azure_protocol_list); 4482| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_microsoft_azure_protocol_list_6); 4483| 6.99k| } 4484| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_CACHEFLY)) { ------------------ | Branch (4484:6): [True: 6.99k, False: 0] ------------------ 4485| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, 
ndpi_protocol_cachefly_protocol_list); 4486| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_cachefly_protocol_list_6); 4487| 6.99k| } 4488| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_CLOUDFLARE)) { ------------------ | Branch (4488:6): [True: 6.99k, False: 0] ------------------ 4489| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_cloudflare_protocol_list); 4490| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_cloudflare_protocol_list_6); 4491| 6.99k| } 4492| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DIGITALOCEAN)) { ------------------ | Branch (4492:6): [True: 6.99k, False: 0] ------------------ 4493| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_digitalocean_protocol_list); 4494| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_digitalocean_protocol_list_6); 4495| 6.99k| } 4496| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GOOGLE)) { ------------------ | Branch (4496:6): [True: 6.99k, False: 0] ------------------ 4497| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_google_protocol_list); 4498| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_google_protocol_list_6); 4499| 6.99k| } 4500| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GOOGLE_CLOUD)) { ------------------ | Branch (4500:6): [True: 6.99k, False: 0] ------------------ 4501| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_google_cloud_protocol_list); 4502| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_google_cloud_protocol_list_6); 4503| 6.99k| } 4504| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MICROSOFT_365)) { ------------------ | Branch (4504:6): [True: 6.99k, False: 0] ------------------ 4505| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_microsoft_365_protocol_list); 4506| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, 
ndpi_str->protocols->v6, ndpi_protocol_microsoft_365_protocol_list_6); 4507| 6.99k| } 4508| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MS_ONE_DRIVE)) { ------------------ | Branch (4508:6): [True: 6.99k, False: 0] ------------------ 4509| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_ms_one_drive_protocol_list); 4510| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_ms_one_drive_protocol_list_6); 4511| 6.99k| } 4512| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MS_OUTLOOK)) { ------------------ | Branch (4512:6): [True: 6.99k, False: 0] ------------------ 4513| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_ms_outlook_protocol_list); 4514| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_ms_outlook_protocol_list_6); 4515| 6.99k| } 4516| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MSTEAMS)) { ------------------ | Branch (4516:6): [True: 6.99k, False: 0] ------------------ 4517| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_msteams_protocol_list); 4518| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_msteams_protocol_list_6); 4519| 6.99k| } 4520| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TOR)) { ------------------ | Branch (4520:6): [True: 6.99k, False: 0] ------------------ 4521| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_tor_protocol_list); 4522| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_tor_protocol_list_6); 4523| 6.99k| } 4524| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_WHATSAPP)) { ------------------ | Branch (4524:6): [True: 6.99k, False: 0] ------------------ 4525| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_whatsapp_protocol_list); 4526| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_whatsapp_protocol_list_6); 4527| 6.99k| } 4528| 6.99k| 
if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ETHEREUM)) { ------------------ | Branch (4528:6): [True: 6.99k, False: 0] ------------------ 4529| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_ethereum_protocol_list); 4530| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_ethereum_protocol_list_6); 4531| 6.99k| } 4532| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ZOOM)) { ------------------ | Branch (4532:6): [True: 6.99k, False: 0] ------------------ 4533| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_zoom_protocol_list); 4534| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_zoom_protocol_list_6); 4535| 6.99k| } 4536| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_MULLVAD)) { ------------------ | Branch (4536:6): [True: 6.99k, False: 0] ------------------ 4537| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_mullvad_protocol_list); 4538| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_mullvad_protocol_list_6); 4539| 6.99k| } 4540| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_NORDVPN)) { ------------------ | Branch (4540:6): [True: 6.99k, False: 0] ------------------ 4541| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_nordvpn_protocol_list); 4542| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_nordvpn_protocol_list_6); 4543| 6.99k| } 4544| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_SURFSHARK)) { ------------------ | Branch (4544:6): [True: 6.99k, False: 0] ------------------ 4545| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_surfshark_protocol_list); 4546| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_surfshark_protocol_list_6); 4547| 6.99k| } 4548| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TELEGRAM)) { ------------------ | Branch (4548:6): [True: 6.99k, False: 0] 
------------------ 4549| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_telegram_protocol_list); 4550| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_telegram_protocol_list_6); 4551| 6.99k| } 4552| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_APPLE)) { ------------------ | Branch (4552:6): [True: 6.99k, False: 0] ------------------ 4553| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_apple_protocol_list); 4554| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_apple_protocol_list_6); 4555| 6.99k| } 4556| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TWITTER)) { ------------------ | Branch (4556:6): [True: 6.99k, False: 0] ------------------ 4557| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_twitter_protocol_list); 4558| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_twitter_protocol_list_6); 4559| 6.99k| } 4560| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_NETFLIX)) { ------------------ | Branch (4560:6): [True: 6.99k, False: 0] ------------------ 4561| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_netflix_protocol_list); 4562| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_netflix_protocol_list_6); 4563| 6.99k| } 4564| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_WEBEX)) { ------------------ | Branch (4564:6): [True: 6.99k, False: 0] ------------------ 4565| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_webex_protocol_list); 4566| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_webex_protocol_list_6); 4567| 6.99k| } 4568| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TEAMVIEWER)) { ------------------ | Branch (4568:6): [True: 6.99k, False: 0] ------------------ 4569| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_teamviewer_protocol_list); 4570| 6.99k| 
ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_teamviewer_protocol_list_6); 4571| 6.99k| } 4572| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_FACEBOOK)) { ------------------ | Branch (4572:6): [True: 6.99k, False: 0] ------------------ 4573| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_facebook_protocol_list); 4574| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_facebook_protocol_list_6); 4575| 6.99k| } 4576| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TENCENT)) { ------------------ | Branch (4576:6): [True: 6.99k, False: 0] ------------------ 4577| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_tencent_protocol_list); 4578| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_tencent_protocol_list_6); 4579| 6.99k| } 4580| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_OPENDNS)) { ------------------ | Branch (4580:6): [True: 6.99k, False: 0] ------------------ 4581| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_opendns_protocol_list); 4582| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_opendns_protocol_list_6); 4583| 6.99k| } 4584| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DROPBOX)) { ------------------ | Branch (4584:6): [True: 6.99k, False: 0] ------------------ 4585| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_dropbox_protocol_list); 4586| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_dropbox_protocol_list_6); 4587| 6.99k| } 4588| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_BLIZZARD)) { ------------------ | Branch (4588:6): [True: 6.99k, False: 0] ------------------ 4589| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_blizzard_protocol_list); 4590| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_blizzard_protocol_list_6); 4591| 6.99k| } 4592| 6.99k| 
if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_CANONICAL)) { ------------------ | Branch (4592:6): [True: 6.99k, False: 0] ------------------ 4593| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_canonical_protocol_list); 4594| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_canonical_protocol_list_6); 4595| 6.99k| } 4596| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_TWITCH)) { ------------------ | Branch (4596:6): [True: 6.99k, False: 0] ------------------ 4597| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_twitch_protocol_list); 4598| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_twitch_protocol_list_6); 4599| 6.99k| } 4600| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_HOTSPOT_SHIELD)) { ------------------ | Branch (4600:6): [True: 6.99k, False: 0] ------------------ 4601| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_hotspot_shield_protocol_list); 4602| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_hotspot_shield_protocol_list_6); 4603| 6.99k| } 4604| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_STEAM)) { ------------------ | Branch (4604:6): [True: 6.99k, False: 0] ------------------ 4605| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_steam_protocol_list); 4606| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_steam_protocol_list_6); 4607| 6.99k| } 4608| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_BLOOMBERG)) { ------------------ | Branch (4608:6): [True: 6.99k, False: 0] ------------------ 4609| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_bloomberg_protocol_list); 4610| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_bloomberg_protocol_list_6); 4611| 6.99k| } 4612| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_EDGECAST)) { ------------------ | Branch (4612:6): [True: 6.99k, 
False: 0] ------------------ 4613| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_edgecast_protocol_list); 4614| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_edgecast_protocol_list_6); 4615| 6.99k| } 4616| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GOTO)) { ------------------ | Branch (4616:6): [True: 6.99k, False: 0] ------------------ 4617| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_goto_protocol_list); 4618| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_goto_protocol_list_6); 4619| 6.99k| } 4620| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_RIOTGAMES)) { ------------------ | Branch (4620:6): [True: 6.99k, False: 0] ------------------ 4621| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_riotgames_protocol_list); 4622| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_riotgames_protocol_list_6); 4623| 6.99k| } 4624| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_THREEMA)) { ------------------ | Branch (4624:6): [True: 6.99k, False: 0] ------------------ 4625| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_threema_protocol_list); 4626| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_threema_protocol_list_6); 4627| 6.99k| } 4628| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ALIBABA)) { ------------------ | Branch (4628:6): [True: 6.99k, False: 0] ------------------ 4629| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_alibaba_protocol_list); 4630| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_alibaba_protocol_list_6); 4631| 6.99k| } 4632| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_AVAST)) { ------------------ | Branch (4632:6): [True: 6.99k, False: 0] ------------------ 4633| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_avast_protocol_list); 4634| 6.99k| 
ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_avast_protocol_list_6); 4635| 6.99k| } 4636| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DISCORD)) { ------------------ | Branch (4636:6): [True: 6.99k, False: 0] ------------------ 4637| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_discord_protocol_list); 4638| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_discord_protocol_list_6); 4639| 6.99k| } 4640| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_LINE)) { ------------------ | Branch (4640:6): [True: 6.99k, False: 0] ------------------ 4641| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_line_protocol_list); 4642| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_line_protocol_list_6); 4643| 6.99k| } 4644| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_VK)) { ------------------ | Branch (4644:6): [True: 6.99k, False: 0] ------------------ 4645| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_vk_protocol_list); 4646| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_vk_protocol_list_6); 4647| 6.99k| } 4648| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_YANDEX)) { ------------------ | Branch (4648:6): [True: 6.99k, False: 0] ------------------ 4649| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_yandex_protocol_list); 4650| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_yandex_protocol_list_6); 4651| 6.99k| } 4652| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_YANDEX_CLOUD)) { ------------------ | Branch (4652:6): [True: 6.99k, False: 0] ------------------ 4653| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_yandex_cloud_protocol_list); 4654| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_yandex_cloud_protocol_list_6); 4655| 6.99k| } 4656| 6.99k| 
if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_DISNEYPLUS)) { ------------------ | Branch (4656:6): [True: 6.99k, False: 0] ------------------ 4657| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_disneyplus_protocol_list); 4658| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_disneyplus_protocol_list_6); 4659| 6.99k| } 4660| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_HULU)) { ------------------ | Branch (4660:6): [True: 6.99k, False: 0] ------------------ 4661| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_hulu_protocol_list); 4662| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_hulu_protocol_list_6); 4663| 6.99k| } 4664| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_EPICGAMES)) { ------------------ | Branch (4664:6): [True: 6.99k, False: 0] ------------------ 4665| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_epicgames_protocol_list); 4666| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_epicgames_protocol_list_6); 4667| 6.99k| } 4668| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_NVIDIA)) { ------------------ | Branch (4668:6): [True: 6.99k, False: 0] ------------------ 4669| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_nvidia_protocol_list); 4670| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_nvidia_protocol_list_6); 4671| 6.99k| } 4672| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_ROBLOX)) { ------------------ | Branch (4672:6): [True: 6.99k, False: 0] ------------------ 4673| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_roblox_protocol_list); 4674| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_roblox_protocol_list_6); 4675| 6.99k| } 4676| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_IMO)) { ------------------ | Branch (4676:6): [True: 6.99k, False: 0] ------------------ 
4677| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_imo_protocol_list); 4678| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_imo_protocol_list_6); 4679| 6.99k| } 4680| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_BADOO)) { ------------------ | Branch (4680:6): [True: 6.99k, False: 0] ------------------ 4681| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_badoo_protocol_list); 4682| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_badoo_protocol_list_6); 4683| 6.99k| } 4684| 6.99k| if(is_ip_list_enabled(ndpi_str, NDPI_PROTOCOL_GITHUB)) { ------------------ | Branch (4684:6): [True: 6.99k, False: 0] ------------------ 4685| 6.99k| ndpi_init_ptree_ipv4(ndpi_str->protocols->v4, ndpi_protocol_github_protocol_list); 4686| 6.99k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->protocols->v6, ndpi_protocol_github_protocol_list_6); 4687| 6.99k| } 4688| | 4689| 6.99k| if(ndpi_str->cfg.flow_risk_lists_enabled) { ------------------ | Branch (4689:6): [True: 6.99k, False: 0] ------------------ 4690| 6.99k| if((ndpi_str->ip_risk = ndpi_ptree_create()) == NULL) { ------------------ | Branch (4690:8): [True: 195, False: 6.79k] ------------------ 4691| 195| NDPI_LOG_ERR(ndpi_str, "[NDPI] Error allocating risk tree\n"); ------------------ | | 593| 195|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4692| 195| return -1; 4693| 195| } 4694| | 4695| 6.79k| if(ndpi_str->cfg.risk_anonymous_subscriber_list_icloudprivaterelay_enabled) { ------------------ | Branch (4695:8): [True: 6.79k, False: 0] ------------------ 4696| 6.79k| ndpi_init_ptree_ipv4(ndpi_str->ip_risk->v4, ndpi_anonymous_subscriber_icloud_private_relay_protocol_list); 4697| 6.79k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->ip_risk->v6, ndpi_anonymous_subscriber_icloud_private_relay_protocol_list_6); 4698| 6.79k| } 4699| | 4700| 6.79k| if(ndpi_str->cfg.risk_anonymous_subscriber_list_tor_exit_nodes_enabled) { ------------------ | Branch (4700:8): [True: 6.79k, False: 0] ------------------ 4701| 6.79k| ndpi_init_ptree_ipv4(ndpi_str->ip_risk->v4, ndpi_anonymous_subscriber_tor_exit_nodes_protocol_list); 4702| 6.79k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->ip_risk->v6, ndpi_anonymous_subscriber_tor_exit_nodes_protocol_list_6); 4703| 6.79k| } 4704| | 4705| 6.79k| if(ndpi_str->cfg.risk_crawler_bot_list_enabled) { ------------------ | Branch (4705:8): [True: 6.79k, False: 0] ------------------ 4706| 6.79k| ndpi_init_ptree_ipv4(ndpi_str->ip_risk->v4, ndpi_http_crawler_bot_protocol_list); 4707| 6.79k| ndpi_init_ptree_ipv6(ndpi_str, ndpi_str->ip_risk->v6, ndpi_http_crawler_bot_protocol_list_6); 4708| 6.79k| } 4709| 6.79k| } 4710| | 4711| 6.79k| ndpi_add_domain_risk_exceptions(ndpi_str); 4712| | 4713| 6.79k| load_common_alpns(ndpi_str); 4714| | 4715| 6.79k| ndpi_load_tcp_fingerprints(ndpi_str); 4716| | 4717| 6.79k| if(ndpi_str->cfg.ookla_cache_num_entries > 0) { ------------------ | Branch (4717:6): [True: 6.79k, False: 0] ------------------ 4718| 6.79k| if(ndpi_str->cfg.ookla_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4718:8): [True: 0, False: 6.79k] ------------------ 4719| 0| if(!ndpi_str->g_ctx->ookla_global_cache) { ------------------ | Branch (4719:10): [True: 0, False: 0] ------------------ 4720| 0| 
ndpi_str->g_ctx->ookla_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.ookla_cache_num_entries, 4721| 0| ndpi_str->cfg.ookla_cache_ttl, 1); 4722| 0| } 4723| 0| ndpi_str->ookla_cache = ndpi_str->g_ctx->ookla_global_cache; 4724| 6.79k| } else { 4725| 6.79k| ndpi_str->ookla_cache = ndpi_lru_cache_init(ndpi_str->cfg.ookla_cache_num_entries, 4726| 6.79k| ndpi_str->cfg.ookla_cache_ttl, 0); 4727| 6.79k| } 4728| 6.79k| if(!ndpi_str->ookla_cache) { ------------------ | Branch (4728:8): [True: 862, False: 5.93k] ------------------ 4729| 862| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 862|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 4730| 862| ndpi_str->cfg.ookla_cache_num_entries); 4731| 862| } 4732| 6.79k| } 4733| | 4734| 6.79k| if(ndpi_str->cfg.signal_cache_num_entries > 0) { ------------------ | Branch (4734:6): [True: 6.79k, False: 0] ------------------ 4735| 6.79k| if(ndpi_str->cfg.signal_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4735:8): [True: 0, False: 6.79k] ------------------ 4736| 0| if(!ndpi_str->g_ctx->signal_global_cache) { ------------------ | Branch (4736:10): [True: 0, False: 0] ------------------ 4737| 0| ndpi_str->g_ctx->signal_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.signal_cache_num_entries, 4738| 0| ndpi_str->cfg.signal_cache_ttl, 1); 4739| 0| } 4740| 0| ndpi_str->signal_cache = ndpi_str->g_ctx->signal_global_cache; 4741| 6.79k| } else { 4742| 6.79k| ndpi_str->signal_cache = ndpi_lru_cache_init(ndpi_str->cfg.signal_cache_num_entries, 4743| 6.79k| ndpi_str->cfg.signal_cache_ttl, 0); 4744| 6.79k| } 4745| 6.79k| if(!ndpi_str->signal_cache) { ------------------ | Branch (4745:8): [True: 710, False: 6.08k] ------------------ 4746| 710| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 710|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4747| 710| ndpi_str->cfg.signal_cache_num_entries); 4748| 710| } 4749| 6.79k| } 4750| | 4751| 6.79k| if(ndpi_str->cfg.bittorrent_cache_num_entries > 0) { ------------------ | Branch (4751:6): [True: 6.79k, False: 0] ------------------ 4752| 6.79k| if(ndpi_str->cfg.bittorrent_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4752:8): [True: 0, False: 6.79k] ------------------ 4753| 0| if(!ndpi_str->g_ctx->bittorrent_global_cache) { ------------------ | Branch (4753:10): [True: 0, False: 0] ------------------ 4754| 0| ndpi_str->g_ctx->bittorrent_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.bittorrent_cache_num_entries, 4755| 0| ndpi_str->cfg.bittorrent_cache_ttl, 1); 4756| 0| } 4757| 0| ndpi_str->bittorrent_cache = ndpi_str->g_ctx->bittorrent_global_cache; 4758| 6.79k| } else { 4759| 6.79k| ndpi_str->bittorrent_cache = ndpi_lru_cache_init(ndpi_str->cfg.bittorrent_cache_num_entries, 4760| 6.79k| ndpi_str->cfg.bittorrent_cache_ttl, 0); 4761| 6.79k| } 4762| 6.79k| if(!ndpi_str->bittorrent_cache) { ------------------ | Branch (4762:8): [True: 844, False: 5.95k] ------------------ 4763| 844| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 844|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4764| 844| ndpi_str->cfg.bittorrent_cache_num_entries); 4765| 844| } 4766| 6.79k| } 4767| 6.79k| if(ndpi_str->cfg.stun_cache_num_entries > 0) { ------------------ | Branch (4767:6): [True: 6.79k, False: 0] ------------------ 4768| 6.79k| if(ndpi_str->cfg.stun_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4768:8): [True: 0, False: 6.79k] ------------------ 4769| 0| if(!ndpi_str->g_ctx->stun_global_cache) { ------------------ | Branch (4769:10): [True: 0, False: 0] ------------------ 4770| 0| ndpi_str->g_ctx->stun_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_cache_num_entries, 4771| 0| ndpi_str->cfg.stun_cache_ttl, 1); 4772| 0| } 4773| 0| ndpi_str->stun_cache = ndpi_str->g_ctx->stun_global_cache; 4774| 6.79k| } else { 4775| 6.79k| ndpi_str->stun_cache = ndpi_lru_cache_init(ndpi_str->cfg.stun_cache_num_entries, 4776| 6.79k| ndpi_str->cfg.stun_cache_ttl, 0); 4777| 6.79k| } 4778| 6.79k| if(!ndpi_str->stun_cache) { ------------------ | Branch (4778:8): [True: 874, False: 5.92k] ------------------ 4779| 874| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 874|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4780| 874| ndpi_str->cfg.stun_cache_num_entries); 4781| 874| } 4782| 6.79k| } 4783| 6.79k| if(ndpi_str->cfg.tls_cert_cache_num_entries > 0) { ------------------ | Branch (4783:6): [True: 6.79k, False: 0] ------------------ 4784| 6.79k| if(ndpi_str->cfg.tls_cert_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4784:8): [True: 0, False: 6.79k] ------------------ 4785| 0| if(!ndpi_str->g_ctx->tls_cert_global_cache) { ------------------ | Branch (4785:10): [True: 0, False: 0] ------------------ 4786| 0| ndpi_str->g_ctx->tls_cert_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.tls_cert_cache_num_entries, 4787| 0| ndpi_str->cfg.tls_cert_cache_ttl, 1); 4788| 0| } 4789| 0| ndpi_str->tls_cert_cache = ndpi_str->g_ctx->tls_cert_global_cache; 4790| 6.79k| } else { 4791| 6.79k| ndpi_str->tls_cert_cache = ndpi_lru_cache_init(ndpi_str->cfg.tls_cert_cache_num_entries, 4792| 6.79k| ndpi_str->cfg.tls_cert_cache_ttl, 0); 4793| 6.79k| } 4794| 6.79k| if(!ndpi_str->tls_cert_cache) { ------------------ | Branch (4794:8): [True: 761, False: 6.03k] ------------------ 4795| 761| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 761|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4796| 761| ndpi_str->cfg.tls_cert_cache_num_entries); 4797| 761| } 4798| 6.79k| } 4799| 6.79k| if(ndpi_str->cfg.mining_cache_num_entries > 0) { ------------------ | Branch (4799:6): [True: 6.79k, False: 0] ------------------ 4800| 6.79k| if(ndpi_str->cfg.mining_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4800:8): [True: 0, False: 6.79k] ------------------ 4801| 0| if(!ndpi_str->g_ctx->mining_global_cache) { ------------------ | Branch (4801:10): [True: 0, False: 0] ------------------ 4802| 0| ndpi_str->g_ctx->mining_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.mining_cache_num_entries, 4803| 0| ndpi_str->cfg.mining_cache_ttl, 1); 4804| 0| } 4805| 0| ndpi_str->mining_cache = ndpi_str->g_ctx->mining_global_cache; 4806| 6.79k| } else { 4807| 6.79k| ndpi_str->mining_cache = ndpi_lru_cache_init(ndpi_str->cfg.mining_cache_num_entries, 4808| 6.79k| ndpi_str->cfg.mining_cache_ttl, 0); 4809| 6.79k| } 4810| 6.79k| if(!ndpi_str->mining_cache) { ------------------ | Branch (4810:8): [True: 881, False: 5.91k] ------------------ 4811| 881| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 881|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4812| 881| ndpi_str->cfg.mining_cache_num_entries); 4813| 881| } 4814| 6.79k| } 4815| 6.79k| if(ndpi_str->cfg.msteams_cache_num_entries > 0) { ------------------ | Branch (4815:6): [True: 6.79k, False: 0] ------------------ 4816| 6.79k| if(ndpi_str->cfg.msteams_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4816:8): [True: 0, False: 6.79k] ------------------ 4817| 0| if(!ndpi_str->g_ctx->msteams_global_cache) { ------------------ | Branch (4817:10): [True: 0, False: 0] ------------------ 4818| 0| ndpi_str->g_ctx->msteams_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.msteams_cache_num_entries, 4819| 0| ndpi_str->cfg.msteams_cache_ttl, 1); 4820| 0| } 4821| 0| ndpi_str->msteams_cache = ndpi_str->g_ctx->msteams_global_cache; 4822| 6.79k| } else { 4823| 6.79k| ndpi_str->msteams_cache = ndpi_lru_cache_init(ndpi_str->cfg.msteams_cache_num_entries, 4824| 6.79k| ndpi_str->cfg.msteams_cache_ttl, 0); 4825| 6.79k| } 4826| 6.79k| if(!ndpi_str->msteams_cache) { ------------------ | Branch (4826:8): [True: 988, False: 5.81k] ------------------ 4827| 988| NDPI_LOG_ERR(ndpi_str, "Error allocating lru cache (num_entries %u)\n", ------------------ | | 593| 988|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4828| 988| ndpi_str->cfg.msteams_cache_num_entries); 4829| 988| } 4830| 6.79k| } 4831| | 4832| 6.79k| if(ndpi_str->cfg.fpc_dns_cache_num_entries > 0) { ------------------ | Branch (4832:6): [True: 6.79k, False: 0] ------------------ 4833| 6.79k| if(ndpi_str->cfg.fpc_dns_cache_scope == NDPI_LRUCACHE_SCOPE_GLOBAL) { ------------------ | Branch (4833:8): [True: 0, False: 6.79k] ------------------ 4834| 0| if(!ndpi_str->g_ctx->fpc_dns_global_cache) { ------------------ | Branch (4834:10): [True: 0, False: 0] ------------------ 4835| 0| ndpi_str->g_ctx->fpc_dns_global_cache = ndpi_lru_cache_init(ndpi_str->cfg.fpc_dns_cache_num_entries, 4836| 0| ndpi_str->cfg.fpc_dns_cache_ttl, 1); 4837| 0| } 4838| 0| ndpi_str->fpc_dns_cache = ndpi_str->g_ctx->fpc_dns_global_cache; 4839| 6.79k| } else { 4840| 6.79k| ndpi_str->fpc_dns_cache = ndpi_lru_cache_init(ndpi_str->cfg.fpc_dns_cache_num_entries, 4841| 6.79k| ndpi_str->cfg.fpc_dns_cache_ttl, 0); 4842| 6.79k| } 4843| 6.79k| if(!ndpi_str->fpc_dns_cache) { ------------------ | Branch (4843:8): [True: 917, False: 5.88k] ------------------ 4844| 917| NDPI_LOG_ERR(ndpi_str, "Error allocating lru fpc_dns_cache (num_entries %u)\n", ------------------ | | 593| 917|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 4845| 917| ndpi_str->cfg.fpc_dns_cache_num_entries); 4846| | 4847| 917| } 4848| 6.79k| } 4849| | 4850| 6.79k| ndpi_automa * const automa[] = { &ndpi_str->host_automa, 4851| 6.79k| &ndpi_str->tls_cert_subject_automa, 4852| 6.79k| &ndpi_str->host_risk_mask_automa, 4853| 6.79k| &ndpi_str->common_alpns_automa }; 4854| | 4855| 33.9k| for(i = 0; i < NDPI_ARRAY_LENGTH(automa); ++i) { ------------------ | | 132| 33.9k|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (4855:14): [True: 27.1k, False: 6.79k] ------------------ 4856| 27.1k| ndpi_automa *a = automa[i]; 4857| | 4858| 27.1k| if(a && a->ac_automa) ------------------ | Branch (4858:8): [True: 27.1k, False: 0] | Branch (4858:13): [True: 24.1k, False: 3.03k] ------------------ 4859| 24.1k| ac_automata_finalize((AC_AUTOMATA_t *) a->ac_automa); 4860| 27.1k| } 4861| | 4862| 6.79k| if(ndpi_str->cfg.track_payload_enabled) ------------------ | Branch (4862:6): [True: 0, False: 6.79k] ------------------ 4863| 0| ndpi_str->max_payload_track_len = 1024; /* track up to X payload bytes */ 4864| | 4865| | /* Reset hash statistics: we are interested only on "runtime" search/found, 4866| | not the ones during the init phase. 4867| | Example: ndpi_add_tcp_fingerprint() where we call ndpi_hash_find_entry() to 4868| | avoid duplicates. 4869| | TODO: similar code for the other hashes? 
*/
 4870|  6.79k|  if(ndpi_str->tcp_fingerprint_hashmap) {
  ------------------
  |  Branch (4870:6): [True: 6.26k, False: 536]
  ------------------
 4871|  6.26k|    ndpi_str->tcp_fingerprint_hashmap->stats.n_found = 0;
 4872|  6.26k|    ndpi_str->tcp_fingerprint_hashmap->stats.n_search = 0;
 4873|  6.26k|  }
 4874|  6.79k|  if(ndpi_str->public_domain_suffixes) {
  ------------------
  |  Branch (4874:6): [True: 0, False: 6.79k]
  ------------------
 4875|      0|    ndpi_str->public_domain_suffixes->stats.n_found = 0;
 4876|      0|    ndpi_str->public_domain_suffixes->stats.n_search = 0;
 4877|      0|  }
 4878|       |
 4879|  6.79k|  ndpi_str->finalized = 1;
 4880|       |
 4881|  6.79k|  return 0;
 4882|  6.99k|}
ndpi_add_string_value_to_automa:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Builds an AC_PATTERN_t from str/num and hands it to ac_automata_add().
 * Returns 0 on ACERR_SUCCESS, -2 on ACERR_DUPLICATE_PATTERN, and -1 for any
 * other result or when _automa is NULL.
 * NOTE(review): str goes to strlen() with no NULL check, and the pattern
 * stores the pointer passed in (astring = str) rather than a copy. Whether
 * ac_automata_add() duplicates the string is not visible here, so confirm
 * the required lifetime of str against the callers.
 * NOTE(review): in this run 88.8k of the 145k calls that reached
 * ac_automata_add() ended in the generic -1 result (line 4913); a caller
 * that ignores the return value would not notice the pattern is missing.
 */
 4899|   164k|int ndpi_add_string_value_to_automa(void *_automa, char *str, u_int32_t num) {
 4900|   164k|  AC_PATTERN_t ac_pattern;
 4901|   164k|  AC_AUTOMATA_t *automa = (AC_AUTOMATA_t *) _automa;
 4902|   164k|  AC_ERROR_t rc;
 4903|       |
 4904|   164k|  if(automa == NULL)
  ------------------
  |  Branch (4904:6): [True: 19.4k, False: 145k]
  ------------------
 4905|  19.4k|    return(-1);
 4906|       |
 4907|   145k|  memset(&ac_pattern, 0, sizeof(ac_pattern));
 4908|   145k|  ac_pattern.astring = str;
 4909|   145k|  ac_pattern.rep.number = num;
 4910|   145k|  ac_pattern.length = strlen(ac_pattern.astring);
 4911|       |
 4912|   145k|  rc = ac_automata_add(automa, &ac_pattern);
 4913|   145k|  return(rc == ACERR_SUCCESS ? 0 : (rc == ACERR_DUPLICATE_PATTERN ? -2 : -1));
  ------------------
  |  Branch (4913:10): [True: 56.3k, False: 88.8k]
  |  Branch (4913:37): [True: 0, False: 88.8k]
  ------------------
 4914|   164k|}
ndpi_match_string_value:
 5051|    580|                            u_int match_len, u_int32_t *num) {
 5052|    580|  int rc = ndpi_match_string_common((AC_AUTOMATA_t *)automa, string_to_match,
 5053|    580|                                    match_len, num, NULL, NULL);
 5054|    580|  if(rc < 0) return rc;
  ------------------
  |  Branch (5054:6): [True: 57, False: 523]
  ------------------
 5055|    523|  return rc ?
0 : -1;
  ------------------
  |  Branch (5055:10): [True: 0, False: 523]
  ------------------
 5056|    580|}
ndpi_match_custom_category:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Copies at most sizeof(buf) - 1 (127) bytes of name into a NUL-terminated
 * stack buffer and looks it up with ndpi_domain_classify_hostname(). On a hit
 * the low 16 bits of class_id become *category and bits 16-31 become *breed.
 * Returns 0 on a hit and -1 otherwise.
 * NOTE(review): a name longer than 127 bytes is silently truncated and
 * classified on its prefix (506 of 15.8k calls in this run). Confirm that a
 * prefix match is acceptable where the result drives policy. name is not
 * checked for NULL before memcpy().
 * NOTE(review): the hit branch (lines 5078-5080) was never executed in this
 * run, so the category/breed unpacking is not exercised by this corpus.
 */
 5064|  15.8k|                               ndpi_protocol_breed_t *breed) {
 5065|  15.8k|  char buf[128];
 5066|  15.8k|  u_int64_t class_id;
 5067|  15.8k|  u_int max_len = sizeof(buf)-1;
 5068|       |
 5069|  15.8k|  if(!ndpi_str->custom_categories.categories_loaded)
  ------------------
  |  Branch (5069:6): [True: 0, False: 15.8k]
  ------------------
 5070|      0|    ndpi_enable_loaded_categories(ndpi_str);
 5071|       |
 5072|  15.8k|  if(name_len > max_len) name_len = max_len;
  ------------------
  |  Branch (5072:6): [True: 506, False: 15.3k]
  ------------------
 5073|  15.8k|  memcpy(buf, name, name_len);
 5074|  15.8k|  buf[name_len] = '\0';
 5075|       |
 5076|  15.8k|  if(ndpi_domain_classify_hostname(ndpi_str, ndpi_str->custom_categories.sc_hostnames,
  ------------------
  |  Branch (5076:6): [True: 0, False: 15.8k]
  ------------------
 5077|  15.8k|                                   &class_id, buf)) {
 5078|      0|    *category = (ndpi_protocol_category_t)(class_id & 0xFFFF);
 5079|      0|    *breed = (ndpi_protocol_breed_t)((class_id & 0xFFFF0000) >> 16);
 5080|      0|    return(0);
 5081|      0|  } else
 5082|  15.8k|    return(-1); /* Not found */
 5083|  15.8k|}
ndpi_get_custom_category_match:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Resets *category and *breed to their defaults, copies up to 63 bytes of
 * name_or_ip into ipbuf, cuts the copy at the last slash, then tries
 * inet_pton() as IPv4 and as IPv6 and searches the matching patricia tree.
 * Input that is not an IP literal goes to ndpi_match_custom_category() with
 * the original name_or_ip / name_len, not the truncated copy.
 * On an IP hit only *category is written; *breed keeps the default set on
 * line 5099 (see the TODO markers in the source).
 */
 5090|  11.6k|                                   ndpi_protocol_breed_t *breed) {
 5091|  11.6k|  char ipbuf[64], *ptr;
 5092|  11.6k|  struct in_addr pin;
 5093|  11.6k|  struct in6_addr pin6;
 5094|  11.6k|  ndpi_prefix_t prefix;
 5095|  11.6k|  ndpi_patricia_node_t *node;
 5096|  11.6k|  u_int cp_len = ndpi_min(sizeof(ipbuf) - 1, name_len);
  ------------------
  |  |  113|  11.6k|#define ndpi_min(a,b) ((a < b) ? a : b)
  |  |  ------------------
  |  |  |  Branch (113:26): [True: 1.02k, False: 10.6k]
  |  |  ------------------
  ------------------
 5097|       |
 5098|  11.6k|  *category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED;
 5099|  11.6k|  *breed = NDPI_PROTOCOL_ACCEPTABLE;
 5100|       |
 5101|  11.6k|  if(!ndpi_str->custom_categories.categories_loaded)
  ------------------
  |  Branch (5101:6): [True: 0, False: 11.6k]
  ------------------
 5102|      0|    ndpi_enable_loaded_categories(ndpi_str);
 5103|       |
 5104|  11.6k|  if(cp_len > 0) {
  ------------------
  |  Branch (5104:6): [True: 8.66k, False: 2.97k]
  ------------------
 5105|  8.66k|    memcpy(ipbuf, name_or_ip, cp_len);
 5106|  8.66k|    ipbuf[cp_len] = '\0';
 5107|  8.66k|  } else {
 5108|  2.97k|    ipbuf[0] = '\0';
 5109|  2.97k|  }
 5110|       |
 5111|  11.6k|  ptr = strrchr(ipbuf, '/');
 5112|       |
 5113|  11.6k|  if(ptr)
  ------------------
  |  Branch (5113:6): [True: 385, False: 11.2k]
  ------------------
 5114|    385|    ptr[0] = '\0';
 5115|       |
 5116|  11.6k|  if(inet_pton(AF_INET, ipbuf, &pin) == 1) {
  ------------------
  |  Branch (5116:6): [True: 38, False: 11.5k]
  ------------------
 5117|       |    /* Search IPv4 */
 5118|       |
 5119|       |    /* Make sure all in network byte order otherwise compares wont work */
/*
 * NOTE(review): ipAddresses (and ipAddresses6 on line 5133) is dereferenced
 * for ->maxbits with no NULL check, while ndpi_exit_detection_module() tests
 * the same pointers against NULL and found them NULL in some runs (lines
 * 5243 and 5249). Confirm that a module whose tree allocation failed cannot
 * reach this lookup, or guard the pointer and return -1.
 */
 5120|     38|    ndpi_fill_prefix_v4(&prefix, &pin, 32,
 5121|     38|                        ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses)->maxbits);
 5122|     38|    node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix);
 5123|       |
 5124|     38|    if(node) {
  ------------------
  |  Branch (5124:8): [True: 0, False: 38]
  ------------------
 5125|      0|      *category = node->value.u.uv32.user_value;
 5126|       |      /* TODO: breed */
 5127|      0|      return(0);
 5128|      0|    }
 5129|     38|    return(-1);
 5130|  11.5k|  } else if(inet_pton(AF_INET6, ipbuf, &pin6) == 1) {
  ------------------
  |  Branch (5130:13): [True: 171, False: 11.4k]
  ------------------
 5131|       |    /* Search IPv6 */
 5132|    171|    ndpi_fill_prefix_v6(&prefix, &pin6, 128,
 5133|    171|                        ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6)->maxbits);
 5134|    171|    node =
ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); 5135| | 5136| 171| if(node) { ------------------ | Branch (5136:8): [True: 0, False: 171] ------------------ 5137| 0| *category = node->value.u.uv32.user_value; 5138| | /* TODO: breed */ 5139| 0| return(0); 5140| 0| } 5141| 171| return(-1); 5142| 11.4k| } else { 5143| | /* Search Host */ 5144| 11.4k| return(ndpi_match_custom_category(ndpi_str, name_or_ip, name_len, category, breed)); 5145| 11.4k| } 5146| 11.6k|} ndpi_exit_detection_module: 5150| 7.20k|void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) { 5151| 7.20k| if(ndpi_str != NULL) { ------------------ | Branch (5151:6): [True: 7.20k, False: 0] ------------------ 5152| 7.20k| unsigned int i; 5153| | 5154| | /* Unload plugins (if any) */ 5155| 7.20k| ndpi_unload_protocol_plugins(ndpi_str); 5156| | 5157| 7.20k| ndpi_bitmask_free(&ndpi_str->cfg.detection_bitmask); 5158| 7.20k| ndpi_bitmask_free(&ndpi_str->cfg.debug_bitmask); 5159| 7.20k| ndpi_bitmask_free(&ndpi_str->cfg.ip_list_bitmask); 5160| 7.20k| ndpi_bitmask_free(&ndpi_str->cfg.monitoring); 5161| 7.20k| ndpi_bitmask_free(&ndpi_str->cfg.flowrisk_bitmask); 5162| 7.20k| ndpi_bitmask_free(&ndpi_str->cfg.flowrisk_info_bitmask); 5163| | 5164| 3.68M| for (i = 0; i < ndpi_str->proto_defaults_num_allocated; i++) { ------------------ | Branch (5164:17): [True: 3.67M, False: 7.20k] ------------------ 5165| 3.67M| if(ndpi_str->proto_defaults[i].subprotocols != NULL) ------------------ | Branch (5165:10): [True: 60.8k, False: 3.61M] ------------------ 5166| 60.8k| ndpi_free(ndpi_str->proto_defaults[i].subprotocols); 5167| 3.67M| } 5168| 7.20k| ndpi_free(ndpi_str->proto_defaults); 5169| | 5170| 7.20k| ndpi_free(ndpi_str->ndpi_to_user_proto_id); 5171| | 5172| |#ifdef HAVE_NBPF 5173| | for(i = 0; (i < MAX_NBPF_CUSTOM_PROTO) && (ndpi_str->nbpf_custom_proto[i].tree != NULL); i++) 5174| | nbpf_free(ndpi_str->nbpf_custom_proto[i].tree); 5175| |#endif 5176| | 5177| | /* 
NDPI_PROTOCOL_TINC */ 5178| 7.20k| if(ndpi_str->tinc_cache) ------------------ | Branch (5178:8): [True: 0, False: 7.20k] ------------------ 5179| 0| cache_free((cache_t)(ndpi_str->tinc_cache)); 5180| | 5181| 7.20k| if(!ndpi_str->cfg.ookla_cache_scope && ------------------ | Branch (5181:8): [True: 7.20k, False: 0] ------------------ 5182| 7.20k| ndpi_str->ookla_cache) ------------------ | Branch (5182:8): [True: 5.93k, False: 1.26k] ------------------ 5183| 5.93k| ndpi_lru_free_cache(ndpi_str->ookla_cache); 5184| | 5185| 7.20k| if(!ndpi_str->cfg.signal_cache_scope && ------------------ | Branch (5185:8): [True: 7.20k, False: 0] ------------------ 5186| 7.20k| ndpi_str->signal_cache) ------------------ | Branch (5186:8): [True: 6.08k, False: 1.11k] ------------------ 5187| 6.08k| ndpi_lru_free_cache(ndpi_str->signal_cache); 5188| | 5189| 7.20k| if(!ndpi_str->cfg.bittorrent_cache_scope && ------------------ | Branch (5189:8): [True: 7.20k, False: 0] ------------------ 5190| 7.20k| ndpi_str->bittorrent_cache) ------------------ | Branch (5190:8): [True: 5.95k, False: 1.24k] ------------------ 5191| 5.95k| ndpi_lru_free_cache(ndpi_str->bittorrent_cache); 5192| | 5193| 7.20k| if(!ndpi_str->cfg.stun_cache_scope && ------------------ | Branch (5193:8): [True: 7.20k, False: 0] ------------------ 5194| 7.20k| ndpi_str->stun_cache) ------------------ | Branch (5194:8): [True: 5.92k, False: 1.27k] ------------------ 5195| 5.92k| ndpi_lru_free_cache(ndpi_str->stun_cache); 5196| | 5197| 7.20k| if(!ndpi_str->cfg.tls_cert_cache_scope && ------------------ | Branch (5197:8): [True: 7.20k, False: 0] ------------------ 5198| 7.20k| ndpi_str->tls_cert_cache) ------------------ | Branch (5198:8): [True: 6.03k, False: 1.16k] ------------------ 5199| 6.03k| ndpi_lru_free_cache(ndpi_str->tls_cert_cache); 5200| | 5201| 7.20k| if(!ndpi_str->cfg.mining_cache_scope && ------------------ | Branch (5201:8): [True: 7.20k, False: 0] ------------------ 5202| 7.20k| ndpi_str->mining_cache) 
------------------ | Branch (5202:8): [True: 5.91k, False: 1.28k] ------------------ 5203| 5.91k| ndpi_lru_free_cache(ndpi_str->mining_cache); 5204| | 5205| 7.20k| if(!ndpi_str->cfg.msteams_cache_scope && ------------------ | Branch (5205:8): [True: 7.20k, False: 0] ------------------ 5206| 7.20k| ndpi_str->msteams_cache) ------------------ | Branch (5206:8): [True: 5.81k, False: 1.39k] ------------------ 5207| 5.81k| ndpi_lru_free_cache(ndpi_str->msteams_cache); 5208| | 5209| 7.20k| if(!ndpi_str->cfg.fpc_dns_cache_scope && ------------------ | Branch (5209:8): [True: 7.20k, False: 0] ------------------ 5210| 7.20k| ndpi_str->fpc_dns_cache) ------------------ | Branch (5210:8): [True: 5.88k, False: 1.32k] ------------------ 5211| 5.88k| ndpi_lru_free_cache(ndpi_str->fpc_dns_cache); 5212| | 5213| 7.20k| if(ndpi_str->protocols) ndpi_ptree_destroy(ndpi_str->protocols); ------------------ | Branch (5213:8): [True: 7.20k, False: 1] ------------------ 5214| 7.20k| if(ndpi_str->ip_risk_mask) ndpi_ptree_destroy(ndpi_str->ip_risk_mask); ------------------ | Branch (5214:8): [True: 5.91k, False: 1.29k] ------------------ 5215| 7.20k| if(ndpi_str->ip_risk) ndpi_ptree_destroy(ndpi_str->ip_risk); ------------------ | Branch (5215:8): [True: 6.79k, False: 403] ------------------ 5216| | 5217| 7.20k| if(ndpi_str->udpRoot != NULL) ndpi_tdestroy(ndpi_str->udpRoot, ndpi_free); ------------------ | Branch (5217:8): [True: 6.99k, False: 208] ------------------ 5218| 7.20k| if(ndpi_str->tcpRoot != NULL) ndpi_tdestroy(ndpi_str->tcpRoot, ndpi_free); ------------------ | Branch (5218:8): [True: 6.99k, False: 208] ------------------ 5219| | 5220| 7.20k| if(ndpi_str->host_automa.ac_automa != NULL) ------------------ | Branch (5220:8): [True: 6.45k, False: 748] ------------------ 5221| 6.45k| ac_automata_release((AC_AUTOMATA_t *) ndpi_str->host_automa.ac_automa, 5222| 6.45k| 1 /* free patterns strings memory */); 5223| | 5224| 7.20k| if(ndpi_str->risky_domain_automa.ac_automa != NULL) 
------------------ | Branch (5224:8): [True: 0, False: 7.20k] ------------------ 5225| 0| ac_automata_release((AC_AUTOMATA_t *) ndpi_str->risky_domain_automa.ac_automa, 5226| 0| 1 /* free patterns strings memory */); 5227| | 5228| 7.20k| if(ndpi_str->tls_cert_subject_automa.ac_automa != NULL) ------------------ | Branch (5228:8): [True: 6.34k, False: 858] ------------------ 5229| 6.34k| ac_automata_release((AC_AUTOMATA_t *) ndpi_str->tls_cert_subject_automa.ac_automa, 0); 5230| | 5231| 7.20k| if(ndpi_str->malicious_ja4_hashmap != NULL) ------------------ | Branch (5231:8): [True: 0, False: 7.20k] ------------------ 5232| 0| ndpi_hash_free(&ndpi_str->malicious_ja4_hashmap); 5233| | 5234| 7.20k| if(ndpi_str->malicious_sha1_hashmap != NULL) ------------------ | Branch (5234:8): [True: 0, False: 7.20k] ------------------ 5235| 0| ndpi_hash_free(&ndpi_str->malicious_sha1_hashmap); 5236| | 5237| 7.20k| if(ndpi_str->tcp_fingerprint_hashmap != NULL) ------------------ | Branch (5237:8): [True: 6.26k, False: 939] ------------------ 5238| 6.26k| ndpi_hash_free(&ndpi_str->tcp_fingerprint_hashmap); 5239| | 5240| 7.20k| ndpi_domain_classify_free(ndpi_str->custom_categories.sc_hostnames_shadow); 5241| 7.20k| ndpi_domain_classify_free(ndpi_str->custom_categories.sc_hostnames); 5242| | 5243| 7.20k| if(ndpi_str->custom_categories.ipAddresses != NULL) ------------------ | Branch (5243:8): [True: 7.17k, False: 23] ------------------ 5244| 7.17k| ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses, free_ptree_data); 5245| | 5246| 7.20k| if(ndpi_str->custom_categories.ipAddresses_shadow != NULL) ------------------ | Branch (5246:8): [True: 6.70k, False: 500] ------------------ 5247| 6.70k| ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses_shadow, free_ptree_data); 5248| | 5249| 7.20k| if(ndpi_str->custom_categories.ipAddresses6 != NULL) ------------------ | Branch (5249:8): [True: 7.17k, False: 24] 
------------------ 5250| 7.17k| ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6, free_ptree_data); 5251| | 5252| 7.20k| if(ndpi_str->custom_categories.ipAddresses6_shadow != NULL) ------------------ | Branch (5252:8): [True: 6.73k, False: 470] ------------------ 5253| 6.73k| ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6_shadow, free_ptree_data); 5254| | 5255| 7.20k| if(ndpi_str->host_risk_mask_automa.ac_automa != NULL) ------------------ | Branch (5255:8): [True: 6.38k, False: 822] ------------------ 5256| 6.38k| ac_automata_release((AC_AUTOMATA_t *) ndpi_str->host_risk_mask_automa.ac_automa, 5257| 6.38k| 1 /* free patterns strings memory */); 5258| | 5259| 7.20k| if(ndpi_str->common_alpns_automa.ac_automa != NULL) ------------------ | Branch (5259:8): [True: 6.33k, False: 865] ------------------ 5260| 6.33k| ac_automata_release((AC_AUTOMATA_t *) ndpi_str->common_alpns_automa.ac_automa, 5261| 6.33k| 1 /* free patterns strings memory */); 5262| | 5263| 7.20k| if(ndpi_str->trusted_issuer_dn) { ------------------ | Branch (5263:8): [True: 0, False: 7.20k] ------------------ 5264| 0| ndpi_list *head = ndpi_str->trusted_issuer_dn; 5265| | 5266| 0| while(head != NULL) { ------------------ | Branch (5266:13): [True: 0, False: 0] ------------------ 5267| 0| ndpi_list *next; 5268| | 5269| 0| if(head->value) ndpi_free(head->value); ------------------ | Branch (5269:5): [True: 0, False: 0] ------------------ 5270| 0| next = head->next; 5271| 0| ndpi_free(head); 5272| 0| head = next; 5273| 0| } 5274| 0| } 5275| | 5276| |#ifdef CUSTOM_NDPI_PROTOCOLS 5277| |#include "../../../nDPI-custom/ndpi_exit_detection_module.c" 5278| |#endif 5279| | 5280| 7.20k| ndpi_free_geoip(ndpi_str); 5281| | 5282| 7.20k| if(ndpi_str->callback_buffer) ------------------ | Branch (5282:8): [True: 7.08k, False: 115] ------------------ 5283| 7.08k| ndpi_free(ndpi_str->callback_buffer); 5284| | 5285| 7.20k| 
if(ndpi_str->callback_buffer_tcp_payload) ------------------ | Branch (5285:8): [True: 6.99k, False: 208] ------------------ 5286| 6.99k| ndpi_free(ndpi_str->callback_buffer_tcp_payload); 5287| | 5288| 7.20k| if(ndpi_str->public_domain_suffixes) ------------------ | Branch (5288:8): [True: 0, False: 7.20k] ------------------ 5289| 0| ndpi_hash_free(&ndpi_str->public_domain_suffixes); 5290| | 5291| 7.20k| if(ndpi_str->ja4_custom_protos) ------------------ | Branch (5291:8): [True: 0, False: 7.20k] ------------------ 5292| 0| ndpi_hash_free(&ndpi_str->ja4_custom_protos); 5293| | 5294| 7.20k| if(ndpi_str->ndpifp_custom_protos) ------------------ | Branch (5294:8): [True: 0, False: 7.20k] ------------------ 5295| 0| ndpi_hash_free(&ndpi_str->ndpifp_custom_protos); 5296| | 5297| 7.20k| if(ndpi_str->http_url_hashmap) ------------------ | Branch (5297:8): [True: 0, False: 7.20k] ------------------ 5298| 0| ndpi_hash_free(&ndpi_str->http_url_hashmap); 5299| | 5300| 7.20k| if(ndpi_str->address_cache) ------------------ | Branch (5300:8): [True: 0, False: 7.20k] ------------------ 5301| 0| ndpi_term_address_cache(ndpi_str->address_cache); 5302| | 5303| 7.20k| if(ndpi_str->dns_hostname.cache) ------------------ | Branch (5303:8): [True: 0, False: 7.20k] ------------------ 5304| 0| ndpi_filter_free(ndpi_str->dns_hostname.cache); 5305| | 5306| 7.20k| if(ndpi_str->dns_hostname.cache_shadow) ------------------ | Branch (5306:8): [True: 0, False: 7.20k] ------------------ 5307| 0| ndpi_filter_free(ndpi_str->dns_hostname.cache_shadow); 5308| | 5309| 7.20k| ndpi_free(ndpi_str); 5310| 7.20k| } 5311| | 5312| |#ifdef WIN32 5313| | WSACleanup(); 5314| |#endif 5315| 7.20k|} ndpi_get_num_protocols: 5426| 7.15k|u_int ndpi_get_num_protocols(struct ndpi_detection_module_struct *ndpi_str) { 5427| 7.15k| if(!ndpi_str || !ndpi_str->finalized) ------------------ | Branch (5427:6): [True: 0, False: 7.15k] | Branch (5427:19): [True: 358, False: 6.79k] ------------------ 5428| 358| return 0; 5429| 
6.79k|  return ndpi_str->num_supported_protocols;
 5430|  7.15k|}
ndpi_is_custom_protocol:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Checks proto_id against proto_defaults_num_allocated before indexing
 * proto_defaults[], and returns false for a NULL module.
 */
 5435|  17.3M|{
 5436|  17.3M|  if(!ndpi_str || proto_id >= ndpi_str->proto_defaults_num_allocated)
  ------------------
  |  Branch (5436:6): [True: 0, False: 17.3M]
  |  Branch (5436:19): [True: 0, False: 17.3M]
  ------------------
 5437|      0|    return false;
 5438|       |
 5439|  17.3M|  return(ndpi_str->proto_defaults[proto_id].isCustomProto ? true : false);
  ------------------
  |  Branch (5439:10): [True: 0, False: 17.3M]
  ------------------
 5440|  17.3M|}
ndpi_add_host_risk_mask:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Duplicates host, wraps the copy in an AC_PATTERN_t carrying mask in
 * rep.number64 and adds it to host_risk_mask_automa.
 * Returns -2 when ndpi_str, the automaton or host is NULL, -1 when
 * ndpi_strdup() fails, -2 when ac_automata_add() fails with anything other
 * than ACERR_DUPLICATE_PATTERN, and 0 otherwise. A duplicate counts as
 * success; host_dup is freed whenever the add does not succeed.
 * NOTE(review): the quote-stripping switch (lines 5515-5528) skips the first
 * character and then overwrites the last character of the remainder with NUL
 * without checking that it is the matching quote, and it writes into the
 * buffer owned by the caller. The inner int len also shadows the outer
 * u_int len. None of these lines ran in this corpus (count 0), so the path
 * is untested here.
 */
 5505|   414k|                            char *host, ndpi_risk mask) {
 5506|   414k|  AC_PATTERN_t ac_pattern;
 5507|   414k|  AC_ERROR_t rc;
 5508|   414k|  u_int len;
 5509|   414k|  char *host_dup = NULL;
 5510|       |
 5511|   414k|  if((ndpi_str == NULL) || (ndpi_str->host_risk_mask_automa.ac_automa == NULL) || (host == NULL))
  ------------------
  |  Branch (5511:6): [True: 0, False: 414k]
  |  Branch (5511:28): [True: 46.1k, False: 368k]
  |  Branch (5511:83): [True: 0, False: 368k]
  ------------------
 5512|  46.1k|    return(-2);
 5513|       |
 5514|       |  /* Zap heading/trailing quotes */
 5515|   368k|  switch(host[0]) {
  ------------------
  |  Branch (5515:10): [True: 0, False: 368k]
  ------------------
 5516|      0|  case '"':
  ------------------
  |  Branch (5516:3): [True: 0, False: 368k]
  ------------------
 5517|      0|  case '\'':
  ------------------
  |  Branch (5517:3): [True: 0, False: 368k]
  ------------------
 5518|      0|    {
 5519|      0|      int len;
 5520|       |
 5521|      0|      host = &host[1];
 5522|      0|      len = strlen(host);
 5523|      0|      if(len > 0)
  ------------------
  |  Branch (5523:10): [True: 0, False: 0]
  ------------------
 5524|      0|        host[len-1] = '\0';
 5525|      0|    }
 5526|       |
 5527|      0|    break;
 5528|   368k|  }
 5529|       |
 5530|   368k|  host_dup = ndpi_strdup(host);
 5531|   368k|  if(!host_dup)
  ------------------
  |  Branch (5531:6): [True: 24.0k, False: 344k]
  ------------------
 5532|  24.0k|    return(-1);
 5533|       |
 5534|   344k|  memset(&ac_pattern, 0, sizeof(ac_pattern));
 5535|       |
 5536|   344k|  len = strlen(host);
 5537|       |
 5538|   344k|  ac_pattern.astring = host_dup;
 5539|   344k|  ac_pattern.length = len;
 5540|   344k|  ac_pattern.rep.number64 = (ndpi_risk)mask;
 5541|   344k|  ac_pattern.rep.level = ndpi_domain_level(host);
 5542|   344k|  ac_pattern.rep.at_end = 0;
 5543|   344k|  ac_pattern.rep.dot = memchr(host,'.',len) != NULL;
 5544|       |
 5545|   344k|  rc = ac_automata_add(ndpi_str->host_risk_mask_automa.ac_automa, &ac_pattern);
 5546|       |
 5547|   344k|  if(rc != ACERR_SUCCESS) {
  ------------------
  |  Branch (5547:6): [True: 182k, False: 162k]
  ------------------
 5548|   182k|    ndpi_free(host_dup);
 5549|       |
 5550|   182k|    if(rc != ACERR_DUPLICATE_PATTERN)
  ------------------
  |  Branch (5550:8): [True: 182k, False: 0]
  ------------------
 5551|   182k|      return (-2);
 5552|   182k|  }
 5553|       |
 5554|   162k|  return(0);
 5555|   344k|}
ndpi_register_dissector:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * idx is the next free slot (callback_buffer_num); the guard on line 6723
 * refuses registration once NDPI_MAX_NUM_DISSECTORS (288) slots are in use.
 * NOTE(review): ndpi_str is dereferenced on line 6721 with no NULL check;
 * presumably every caller passes a valid module - confirm.
 */
 6718|  1.82M|{
 6719|  1.82M|  va_list ap;
 6720|  1.82M|  int i, dissector_enabled = 0, first_protocol_id = -1;
 6721|  1.82M|  u_int32_t idx = ndpi_str->callback_buffer_num;
 6722|       |
 6723|  1.82M|  if(idx >= NDPI_MAX_NUM_DISSECTORS) {
  ------------------
  |  |  273|  1.82M|#define NDPI_MAX_NUM_DISSECTORS 288 /* Multiple of 32 */
  ------------------
  |  Branch (6723:6): [True: 0, False: 1.82M]
  ------------------
 6724|       |    /*
 6725|       |     * You need to increase NDPI_MAX_NUM_DISSECTORS define and recompile everything!
 6726|       |     * Please note that custom protocols are independent from NDPI_MAX_NUM_DISSECTORS, so
 6727|       |     * if you hit this error is because you are already changing the code
 6728|       |     * (adding a new dissector)...
 6729|       |     */
 6730|      0|    NDPI_LOG_ERR(ndpi_str, "[NDPI] Internal Error. Too many dissectors!!\n");
  ------------------
  |  |  593|      0|# define NDPI_LOG_ERR(mod, args...)
{ (void)mod; /* printf(args); */ }
  ------------------
 6731|       |    /* Not sure what to do here...*/
 6732|      0|    return;
 6733|      0|  }
 6734|       |
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Each protocol id is read with va_arg(ap, int) and, once is_proto_enabled()
 * accepts it, used to index ndpi_str->proto_defaults[].
 * NOTE(review): the return on line 6747 leaves the function between
 * va_start() and va_end(). The C standard requires va_end() before the
 * function returns, so that path should call va_end(ap) first. The branch
 * did not run in this corpus (count 0).
 * NOTE(review): no range check on ndpi_protocol_id is visible in this
 * function; presumably is_proto_enabled() rejects out-of-range ids - confirm.
 * NOTE(review): dissector_idx == 0 doubles as the not-registered marker
 * (line 6743) while idx comes from callback_buffer_num. Confirm that slot 0
 * is never given to a real dissector, otherwise its protocols would look
 * unregistered on a second call.
 */
 6735|  1.82M|  va_start(ap, num_protocol_ids);
 6736|  3.74M|  for(i = 0; i < num_protocol_ids; i++) {
  ------------------
  |  Branch (6736:14): [True: 1.92M, False: 1.82M]
  ------------------
 6737|  1.92M|    int ndpi_protocol_id = va_arg(ap, int);
 6738|       |
 6739|  1.92M|    if(!is_proto_enabled(ndpi_str, ndpi_protocol_id)) {
  ------------------
  |  Branch (6739:8): [True: 0, False: 1.92M]
  ------------------
 6740|      0|      NDPI_LOG_DBG(ndpi_str, "Protocol %d not enabled for dissector %s\n",
  ------------------
  |  |  596|      0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ }
  ------------------
 6741|      0|                   ndpi_protocol_id, dissector_name);
 6742|  1.92M|    } else {
 6743|  1.92M|      if(ndpi_str->proto_defaults[ndpi_protocol_id].dissector_idx != 0) {
  ------------------
  |  Branch (6743:10): [True: 0, False: 1.92M]
  ------------------
 6744|      0|#if 1
 6745|       |        /* Overwrite the existing function dissector */
 6746|      0|        ndpi_str->callback_buffer[ndpi_str->proto_defaults[ndpi_protocol_id].dissector_idx].func = func;
 6747|      0|        return;
 6748|       |#else
 6749|       |        NDPI_LOG_ERR(ndpi_str, "Internal error: protocol %d/%s has been already registered (%d/%d)\n",
 6750|       |                     ndpi_protocol_id, dissector_name,
 6751|       |                     ndpi_str->proto_defaults[ndpi_protocol_id].dissector_idx,
 6752|       |                     idx);
 6753|       |#endif
 6754|  1.92M|      } else {
 6755|  1.92M|        if(first_protocol_id == -1)
  ------------------
  |  Branch (6755:12): [True: 1.82M, False: 99.2k]
  ------------------
 6756|  1.82M|          first_protocol_id = ndpi_protocol_id;
 6757|       |
 6758|  1.92M|        ndpi_str->proto_defaults[ndpi_protocol_id].dissector_idx = idx;
 6759|  1.92M|      }
 6760|       |
 6761|  1.92M|      dissector_enabled = 1;
 6762|  1.92M|    }
 6763|  1.92M|  }
 6764|  1.82M|  va_end(ap);
 6765|       |
 6766|  1.82M|  if(dissector_enabled) {
  ------------------
  |  Branch (6766:6): [True: 1.82M, False: 0]
  ------------------
 6767|  1.82M|    NDPI_LOG_DBG2(ndpi_str, "Dissector %s enabled. Registering %d...\n", dissector_name, idx);
  ------------------
  |  |  597|  1.82M|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ }
  ------------------
 6768|       |
/*
 * NOTE(review): the copy below is capped at sizeof(name) - 1 bytes but writes
 * no terminator, so name is NUL-terminated only if callback_buffer[idx] was
 * zeroed beforehand - presumably the buffer is allocated zero-filled; confirm.
 * The cap was hit 42.5k times in this run (ndpi_min picked its first operand).
 */
 6769|  1.82M|    memcpy(ndpi_str->callback_buffer[idx].name, dissector_name,
 6770|  1.82M|           ndpi_min(sizeof(ndpi_str->callback_buffer[idx].name) - 1, strlen(dissector_name)));
  ------------------
  |  |  113|  1.82M|#define ndpi_min(a,b) ((a < b) ? a : b)
  |  |  ------------------
  |  |  |  Branch (113:26): [True: 42.5k, False: 1.77M]
  |  |  ------------------
  ------------------
 6771|  1.82M|    ndpi_str->callback_buffer[idx].func = func;
 6772|  1.82M|    ndpi_str->callback_buffer[idx].dissector_idx = idx;
 6773|  1.82M|    ndpi_str->callback_buffer[idx].ndpi_selection_bitmask = ndpi_selection_bitmask;
 6774|  1.82M|    ndpi_str->callback_buffer[idx].first_protocol_id = first_protocol_id; /* Just for logging */
 6775|       |
 6776|  1.82M|    ndpi_str->callback_buffer_num++;
 6777|  1.82M|  } else {
 6778|      0|    NDPI_LOG_DBG(ndpi_str, "Dissector %s disabled\n", dissector_name);
  ------------------
  |  |  596|      0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ }
  ------------------
 6779|      0|  }
 6780|  1.82M|  return;
 6781|  1.82M|}
ndpi_handle_ipv6_extension_headers:
/*
 * Review annotation (these comment lines carry no coverage gutter).
 * Walks the IPv6 extension-header chain while *nxt_hdr is 0, 43, 44, 60, 135
 * or 59, advancing *l4ptr and shrinking *l4len. Returns 0 once a header
 * outside that set is reached and 1 when the chain cannot be followed (no
 * next header, a non-first fragment, or a failed length check).
 * NOTE(review): lines 7754 and 7764 read a 16-bit field through
 * *(u_int16_t *)((*l4ptr) + 2). If *l4ptr is a byte pointer into the packet
 * this is an unaligned, type-punned load; memcpy() into a local u_int16_t
 * followed by ntohs() is the portable form. TODO confirm the type of l4ptr,
 * the first line of the signature is not in this listing.
 * NOTE(review): the fragment branch checks and subtracts 5 from l3len (lines
 * 7748-7751) while the header is consumed as 8 bytes from *l4len (line 7768);
 * confirm the two counters are meant to diverge.
 */
 7729|  5.05k|                                       u_int16_t *l4len, u_int8_t *nxt_hdr) {
 7730|  5.05k|#ifndef HAVE_USDT
 7731|  5.05k|  __ndpi_unused_param(ip6h);
  ------------------
  |  |  390|  5.05k|#define __ndpi_unused_param(x) (void)(x)
  ------------------
 7732|  5.05k|#endif
 7733|       |
 7734|  5.18k|  while(l3len > 1 && (*nxt_hdr == 0 || *nxt_hdr == 43 || *nxt_hdr == 44 || *nxt_hdr == 60 || *nxt_hdr == 135 || *nxt_hdr == 59)) {
  ------------------
  |  Branch (7734:9): [True: 5.17k, False: 6]
  |  Branch (7734:23): [True: 127, False: 5.04k]
  |  Branch (7734:40): [True: 6, False: 5.04k]
  |  Branch (7734:58): [True: 7, False: 5.03k]
  |  Branch (7734:76): [True: 7, False: 5.02k]
  |  Branch (7734:94): [True: 6, False: 5.02k]
  |  Branch (7734:113): [True: 0, False: 5.02k]
  ------------------
 7735|    153|    u_int16_t ehdr_len, frag_offset;
 7736|       |
 7737|       |    // no next header 7738| 153| if(*nxt_hdr == 59) { ------------------ | Branch (7738:8): [True: 0, False: 153] ------------------ 7739| 0| return(1); 7740| 0| } 7741| | 7742| | // fragment extension header has fixed size of 8 bytes and the first byte is the next header type 7743| 153| if(*nxt_hdr == 44) { ------------------ | Branch (7743:8): [True: 7, False: 146] ------------------ 7744| 7| if(*l4len < 8) { ------------------ | Branch (7744:10): [True: 0, False: 7] ------------------ 7745| 0| return(1); 7746| 0| } 7747| | 7748| 7| if(l3len < 5) { ------------------ | Branch (7748:10): [True: 0, False: 7] ------------------ 7749| 0| return 1; 7750| 0| } 7751| 7| l3len -= 5; 7752| | 7753| 7| if(ndpi_str) { ------------------ | Branch (7753:10): [True: 1, False: 6] ------------------ 7754| 1| uint16_t offlg = ntohs(*(u_int16_t *)((*l4ptr) + 2)); 7755| 1| if((offlg & 0xfff8) != 0 || (offlg & 0x0001) != 0) { ------------------ | Branch (7755:12): [True: 0, False: 1] | Branch (7755:37): [True: 0, False: 1] ------------------ 7756| 0| NDPI_LOG_DBG(ndpi_str,
"IP(v6) fragment\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7757| | 7758| 0| NDPI_DTRACE1(fragment_ipv6, ------------------ | | 33| 0| #define NDPI_DTRACE1(name, a) ((void)0) ------------------ 7759| 0| ip6h /* IPV6 header */); 7760| 0| } 7761| 1| } 7762| | 7763| 7| *nxt_hdr = (*l4ptr)[0]; 7764| 7| frag_offset = ntohs(*(u_int16_t *)((*l4ptr) + 2)) >> 3; 7765| | // Handle ipv6 fragments as the ipv4 ones: keep the first fragment, drop the others 7766| 7| if(frag_offset != 0) ------------------ | Branch (7766:10): [True: 1, False: 6] ------------------ 7767| 1| return(1); 7768| 6| *l4len -= 8; 7769| 6| (*l4ptr) += 8; 7770| 6| continue; 7771| 7| } 7772| | 7773| | // the other extension headers have one byte for the next header type 7774| | // and one byte for the extension header length in 8 byte steps minus the first 8 bytes 7775| 146| if(*l4len < 2) { ------------------ | Branch (7775:8): [True: 6, False: 140] ------------------ 7776| 6| return(1); 7777| 6| } 7778| | 7779| 140| ehdr_len = (*l4ptr)[1]; 7780| 140| ehdr_len *= 8; 7781| 140| ehdr_len += 8; 7782| | 7783| 140| if(ehdr_len > l3len) { ------------------ | Branch (7783:8): [True: 12, False: 128] ------------------ 7784| 12| return 1; 7785| 12| } 7786| 128| l3len -= ehdr_len; 7787| | 7788| 128| if(*l4len < ehdr_len) { ------------------ | Branch (7788:8): [True: 8, False: 120] ------------------ 7789| 8| return(1); 7790| 8| } 7791| | 7792| 120| *nxt_hdr = (*l4ptr)[0]; 7793| | 7794| 120| *l4len -= ehdr_len; 7795| 120| (*l4ptr) += ehdr_len; 7796| 120| } 7797| | 7798| 5.02k| return(0); 7799| 5.05k|} iph_is_valid_and_not_fragmented: 7805| 80.4k| const struct ndpi_iphdr *iph, const u_int16_t ipsize) { 7806| | /* 7807| | returned value: 7808| | 0: fragmented 7809| | 1: not fragmented 7810| | */ 7811| | 7812| 80.4k| if((ntohs(iph->frag_off) & 0x2000) || ------------------ | Branch (7812:6): [True: 149, False: 80.3k] ------------------ 
7813| 80.3k| (ntohs(iph->frag_off) & 0x1fff)) { ------------------ | Branch (7813:6): [True: 70, False: 80.2k] ------------------ 7814| 219| NDPI_LOG_DBG(ndpi_str, "IP(v4) fragment\n"); ------------------ | | 596| 219|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7815| | 7816| 219| NDPI_DTRACE1(fragment_ipv4, ------------------ | | 33| 219| #define NDPI_DTRACE1(name, a) ((void)0) ------------------ 7817| 219| iph /* IPV4 header */); 7818| 219| } 7819| | 7820| | //#ifdef REQUIRE_FULL_PACKETS 7821| | 7822| 80.4k| if(iph->protocol == IPPROTO_UDP) { ------------------ | Branch (7822:6): [True: 17.4k, False: 63.0k] ------------------ 7823| 17.4k| if((ipsize < iph->ihl * 4) ------------------ | Branch (7823:8): [True: 0, False: 17.4k] ------------------ 7824| 17.4k| || (ipsize < ntohs(iph->tot_len)) ------------------ | Branch (7824:11): [True: 0, False: 17.4k] ------------------ 7825| 17.4k| || (ntohs(iph->tot_len) < iph->ihl * 4) ------------------ | Branch (7825:11): [True: 3, False: 17.4k] ------------------ 7826| 17.4k| || (iph->frag_off & htons(0x1FFF)) != 0) { ------------------ | Branch (7826:11): [True: 1, False: 17.4k] ------------------ 7827| 4| return(0); 7828| 4| } 7829| 17.4k| } 7830| | //#endif 7831| | 7832| 80.4k| return(1); 7833| 80.4k|} ndpi_free_flow_data_protos: 7925| 42.2k|void ndpi_free_flow_data_protos(struct ndpi_flow_struct* flow) { 7926| 42.2k| if(flow) { ------------------ | Branch (7926:6): [True: 42.2k, False: 0] ------------------ 7927| 42.2k| if(flow_is_proto(flow, NDPI_PROTOCOL_QUIC) || ------------------ | Branch (7927:8): [True: 1.48k, False: 40.8k] ------------------ 7928| 40.8k| flow_is_proto(flow, NDPI_PROTOCOL_TLS) || ------------------ | Branch (7928:8): [True: 4.25k, False: 36.5k] ------------------ 7929| 36.5k| flow_is_proto(flow, NDPI_PROTOCOL_DTLS) || ------------------ | Branch (7929:8): [True: 0, False: 36.5k] ------------------ 7930| 36.5k| flow_is_proto(flow, 
NDPI_PROTOCOL_MAIL_SMTPS) || ------------------ | Branch (7930:8): [True: 10, False: 36.5k] ------------------ 7931| 36.5k| flow_is_proto(flow, NDPI_PROTOCOL_MAIL_POPS) || ------------------ | Branch (7931:8): [True: 1, False: 36.5k] ------------------ 7932| 36.5k| flow_is_proto(flow, NDPI_PROTOCOL_MAIL_IMAPS) || ------------------ | Branch (7932:8): [True: 444, False: 36.1k] ------------------ 7933| 36.1k| flow_is_proto(flow, NDPI_PROTOCOL_FTPS)) { ------------------ | Branch (7933:8): [True: 0, False: 36.1k] ------------------ 7934| 6.19k| if(flow->protos.tls_quic.server_names) ------------------ | Branch (7934:10): [True: 572, False: 5.61k] ------------------ 7935| 572| ndpi_free(flow->protos.tls_quic.server_names); 7936| | 7937| 6.19k| if(flow->protos.tls_quic.advertised_alpns) ------------------ | Branch (7937:10): [True: 1.35k, False: 4.83k] ------------------ 7938| 1.35k| ndpi_free(flow->protos.tls_quic.advertised_alpns); 7939| | 7940| 6.19k| if(flow->protos.tls_quic.negotiated_alpn) ------------------ | Branch (7940:10): [True: 15, False: 6.17k] ------------------ 7941| 15| ndpi_free(flow->protos.tls_quic.negotiated_alpn); 7942| | 7943| 6.19k| if(flow->protos.tls_quic.tls_supported_versions) ------------------ | Branch (7943:10): [True: 22, False: 6.16k] ------------------ 7944| 22| ndpi_free(flow->protos.tls_quic.tls_supported_versions); 7945| | 7946| 6.19k| if(flow->protos.tls_quic.issuerDN) ------------------ | Branch (7946:10): [True: 395, False: 5.79k] ------------------ 7947| 395| ndpi_free(flow->protos.tls_quic.issuerDN); 7948| | 7949| 6.19k| if(flow->protos.tls_quic.subjectDN) ------------------ | Branch (7949:10): [True: 584, False: 5.60k] ------------------ 7950| 584| ndpi_free(flow->protos.tls_quic.subjectDN); 7951| | 7952| 6.19k| if(flow->protos.tls_quic.ja4_client_raw) ------------------ | Branch (7952:10): [True: 0, False: 6.19k] ------------------ 7953| 0| ndpi_free(flow->protos.tls_quic.ja4_client_raw); 7954| | 7955| 6.19k| 
if(flow->protos.tls_quic.ja_client) ------------------ | Branch (7955:10): [True: 0, False: 6.19k] ------------------ 7956| 0| ndpi_free(flow->protos.tls_quic.ja_client); 7957| | 7958| 6.19k| if(flow->protos.tls_quic.ja_server) ------------------ | Branch (7958:10): [True: 0, False: 6.19k] ------------------ 7959| 0| ndpi_free(flow->protos.tls_quic.ja_server); 7960| 6.19k| } 7961| | 7962| 42.2k| if(flow_is_proto(flow, NDPI_PROTOCOL_SSH)) { ------------------ | Branch (7962:8): [True: 3, False: 42.2k] ------------------ 7963| 3| if(flow->protos.ssh.client_key_exchange_algorithms) ------------------ | Branch (7963:10): [True: 0, False: 3] ------------------ 7964| 0| ndpi_free(flow->protos.ssh.client_key_exchange_algorithms); 7965| | 7966| 3| if(flow->protos.ssh.server_key_exchange_algorithms) ------------------ | Branch (7966:10): [True: 0, False: 3] ------------------ 7967| 0| ndpi_free(flow->protos.ssh.server_key_exchange_algorithms); 7968| | 7969| 3| if(flow->protos.ssh.key_exchange_method) ------------------ | Branch (7969:10): [True: 0, False: 3] ------------------ 7970| 0| ndpi_free(flow->protos.ssh.key_exchange_method); 7971| 3| } 7972| | 7973| 42.2k| if(flow_is_proto(flow, NDPI_PROTOCOL_SIP)) { ------------------ | Branch (7973:8): [True: 37, False: 42.2k] ------------------ 7974| 37| if(flow->protos.sip.from) ------------------ | Branch (7974:10): [True: 11, False: 26] ------------------ 7975| 11| ndpi_free(flow->protos.sip.from); 7976| 37| if(flow->protos.sip.to) ------------------ | Branch (7976:10): [True: 14, False: 23] ------------------ 7977| 14| ndpi_free(flow->protos.sip.to); 7978| 37| } 7979| | 7980| 42.2k| if (flow_is_proto(flow, NDPI_PROTOCOL_SSDP)) { ------------------ | Branch (7980:9): [True: 512, False: 41.7k] ------------------ 7981| 512| if(flow->protos.ssdp.bootid) ------------------ | Branch (7981:10): [True: 0, False: 512] ------------------ 7982| 0| ndpi_free(flow->protos.ssdp.bootid); 7983| | 7984| 512| if(flow->protos.ssdp.usn) 
------------------ | Branch (7984:10): [True: 4, False: 508] ------------------ 7985| 4| ndpi_free(flow->protos.ssdp.usn); 7986| | 7987| 512| if(flow->protos.ssdp.cache_controle) ------------------ | Branch (7987:10): [True: 2, False: 510] ------------------ 7988| 2| ndpi_free(flow->protos.ssdp.cache_controle); 7989| | 7990| 512| if(flow->protos.ssdp.location) ------------------ | Branch (7990:10): [True: 0, False: 512] ------------------ 7991| 0| ndpi_free(flow->protos.ssdp.location); 7992| | 7993| 512| if(flow->protos.ssdp.securelocation_upnp) ------------------ | Branch (7993:10): [True: 4, False: 508] ------------------ 7994| 4| ndpi_free(flow->protos.ssdp.securelocation_upnp); 7995| | 7996| 512| if(flow->protos.ssdp.nt) ------------------ | Branch (7996:10): [True: 8, False: 504] ------------------ 7997| 8| ndpi_free(flow->protos.ssdp.nt); 7998| | 7999| 512| if(flow->protos.ssdp.nts) ------------------ | Branch (7999:10): [True: 0, False: 512] ------------------ 8000| 0| ndpi_free(flow->protos.ssdp.nts); 8001| | 8002| 512| if(flow->protos.ssdp.server) ------------------ | Branch (8002:10): [True: 1, False: 511] ------------------ 8003| 1| ndpi_free(flow->protos.ssdp.server); 8004| | 8005| 512| if(flow->protos.ssdp.method) ------------------ | Branch (8005:10): [True: 481, False: 31] ------------------ 8006| 481| ndpi_free(flow->protos.ssdp.method); 8007| | 8008| 512| if(flow->protos.ssdp.man) ------------------ | Branch (8008:10): [True: 418, False: 94] ------------------ 8009| 418| ndpi_free(flow->protos.ssdp.man); 8010| | 8011| 512| if(flow->protos.ssdp.mx) ------------------ | Branch (8011:10): [True: 415, False: 97] ------------------ 8012| 415| ndpi_free(flow->protos.ssdp.mx); 8013| | 8014| 512| if(flow->protos.ssdp.st) ------------------ | Branch (8014:10): [True: 414, False: 98] ------------------ 8015| 414| ndpi_free(flow->protos.ssdp.st); 8016| | 8017| 512| if(flow->protos.ssdp.user_agent) ------------------ | Branch (8017:10): [True: 40, False: 472] 
------------------ 8018| 40| ndpi_free(flow->protos.ssdp.user_agent); 8019| 512| } 8020| 42.2k| } 8021| 42.2k|} ndpi_free_flow_data: 8025| 42.2k|void ndpi_free_flow_data(struct ndpi_flow_struct* flow) { 8026| 42.2k| if(flow) { ------------------ | Branch (8026:6): [True: 42.2k, False: 0] ------------------ 8027| 42.2k| if(flow->num_risk_infos) { ------------------ | Branch (8027:8): [True: 14.1k, False: 28.1k] ------------------ 8028| 14.1k| u_int i; 8029| | 8030| 37.6k| for(i=0; i<flow->num_risk_infos; i++) ------------------ | Branch (8030:16): [True: 23.4k, False: 14.1k] ------------------ 8031| 23.4k| ndpi_free(flow->risk_infos[i].info); 8032| 14.1k| } 8033| | 8034| 42.2k| if(flow->tcp.fingerprint) ------------------ | Branch (8034:8): [True: 6.02k, False: 36.2k] ------------------ 8035| 6.02k| ndpi_free(flow->tcp.fingerprint); 8036| | 8037| 42.2k| if((flow->l4_proto == IPPROTO_TCP) && flow->l4.tcp.tls.tls_blocks) ------------------ | Branch (8037:8): [True: 21.7k, False: 20.5k] | Branch (8037:43): [True: 0, False: 21.7k] ------------------ 8038| 0| ndpi_free(flow->l4.tcp.tls.tls_blocks); 8039| | 8040| 42.2k| if(flow->tcp.fingerprint_raw) ------------------ | Branch (8040:8): [True: 0, False: 42.2k] ------------------ 8041| 0| ndpi_free(flow->tcp.fingerprint_raw); 8042| | 8043| 42.2k| if(flow->ndpi.client_fingerprint) ------------------ | Branch (8043:8): [True: 1.26k, False: 41.0k] ------------------ 8044| 1.26k| ndpi_free(flow->ndpi.client_fingerprint); 8045| | 8046| 42.2k| if(flow->ndpi.server_fingerprint) ------------------ | Branch (8046:8): [True: 1.48k, False: 40.8k] ------------------ 8047| 1.48k| ndpi_free(flow->ndpi.server_fingerprint); 8048| | 8049| 42.2k| if(flow->http.url) ------------------ | Branch (8049:8): [True: 888, False: 41.4k] ------------------ 8050| 888| ndpi_free(flow->http.url); 8051| | 8052| 42.2k| if(flow->http.content_type) ------------------ | Branch (8052:8): [True: 2, False: 42.2k] ------------------ 8053| 2| 
ndpi_free(flow->http.content_type); 8054| | 8055| 42.2k| if(flow->http.request_content_type) ------------------ | Branch (8055:8): [True: 47, False: 42.2k] ------------------ 8056| 47| ndpi_free(flow->http.request_content_type); 8057| | 8058| 42.2k| if(flow->http.referer) ------------------ | Branch (8058:8): [True: 14, False: 42.2k] ------------------ 8059| 14| ndpi_free(flow->http.referer); 8060| | 8061| 42.2k| if(flow->http.host) ------------------ | Branch (8061:8): [True: 977, False: 41.3k] ------------------ 8062| 977| ndpi_free(flow->http.host); 8063| | 8064| 42.2k| if(flow->http.user_agent) ------------------ | Branch (8064:8): [True: 185, False: 42.1k] ------------------ 8065| 185| ndpi_free(flow->http.user_agent); 8066| | 8067| 42.2k| if(flow->http.nat_ip) ------------------ | Branch (8067:8): [True: 2, False: 42.2k] ------------------ 8068| 2| ndpi_free(flow->http.nat_ip); 8069| | 8070| 42.2k| if(flow->http.detected_os) ------------------ | Branch (8070:8): [True: 47, False: 42.2k] ------------------ 8071| 47| ndpi_free(flow->http.detected_os); 8072| | 8073| 42.2k| if(flow->http.server) ------------------ | Branch (8073:8): [True: 25, False: 42.2k] ------------------ 8074| 25| ndpi_free(flow->http.server); 8075| | 8076| 42.2k| if(flow->http.filename) ------------------ | Branch (8076:8): [True: 0, False: 42.2k] ------------------ 8077| 0| ndpi_free(flow->http.filename); 8078| | 8079| 42.2k| if(flow->http.username) ------------------ | Branch (8079:8): [True: 0, False: 42.2k] ------------------ 8080| 0| ndpi_free(flow->http.username); 8081| | 8082| 42.2k| if(flow->http.password) ------------------ | Branch (8082:8): [True: 0, False: 42.2k] ------------------ 8083| 0| ndpi_free(flow->http.password); 8084| | 8085| 42.2k| if(flow->kerberos_buf.pktbuf) ------------------ | Branch (8085:8): [True: 1, False: 42.2k] ------------------ 8086| 1| ndpi_free(flow->kerberos_buf.pktbuf); 8087| | 8088| 42.2k| if(flow->monit) ------------------ | Branch (8088:8): [True: 
0, False: 42.2k] ------------------ 8089| 0| ndpi_free(flow->monit); 8090| | 8091| 42.2k| ndpi_free_flow_data_protos(flow); 8092| | 8093| 42.2k| if(flow->tls_quic.message[0].buffer) ------------------ | Branch (8093:8): [True: 12.3k, False: 29.9k] ------------------ 8094| 12.3k| ndpi_free(flow->tls_quic.message[0].buffer); 8095| 42.2k| if(flow->tls_quic.message[1].buffer) ------------------ | Branch (8095:8): [True: 6.35k, False: 35.9k] ------------------ 8096| 6.35k| ndpi_free(flow->tls_quic.message[1].buffer); 8097| | 8098| 42.2k| if(flow->l4_proto == IPPROTO_UDP) { ------------------ | Branch (8098:8): [True: 11.4k, False: 30.8k] ------------------ 8099| 11.4k| if(flow->l4.udp.quic_reasm_buf) ------------------ | Branch (8099:10): [True: 0, False: 11.4k] ------------------ 8100| 0| ndpi_free(flow->l4.udp.quic_reasm_buf); 8101| 11.4k| if(flow->l4.udp.quic_reasm_buf_bitmap) ------------------ | Branch (8101:10): [True: 0, False: 11.4k] ------------------ 8102| 0| ndpi_free(flow->l4.udp.quic_reasm_buf_bitmap); 8103| 11.4k| } 8104| | 8105| 42.2k| if(flow->flow_payload != NULL) ------------------ | Branch (8105:8): [True: 0, False: 42.2k] ------------------ 8106| 0| ndpi_free(flow->flow_payload); 8107| | 8108| 42.2k| if(flow->tls_quic.obfuscated_heur_state) ------------------ | Branch (8108:8): [True: 0, False: 42.2k] ------------------ 8109| 0| ndpi_free(flow->tls_quic.obfuscated_heur_state); 8110| 42.2k| } 8111| 42.2k|} current_pkt_from_client_to_server: 8521| 177k|{ 8522| 177k| return ndpi_str->packet.packet_direction == flow->client_packet_direction; 8523| 177k|} current_pkt_from_server_to_client: 8529| 20.4k|{ 8530| 20.4k| return ndpi_str->packet.packet_direction != flow->client_packet_direction; 8531| 20.4k|} check_ndpi_other_flow_func: 8883| 2.25k|{ 8884| 2.25k| return check_ndpi_detection_func(ndpi_str, flow, *ndpi_selection_packet, 8885| 2.25k| ndpi_str->callback_buffer_non_tcp_udp, 8886| 2.25k| ndpi_str->callback_buffer_size_non_tcp_udp); 8887| 2.25k|} 
ndpi_guess_host_protocol_id: 8933| 34.9k| struct ndpi_flow_struct *flow) { 8934| 34.9k| struct ndpi_packet_struct *packet = &ndpi_str->packet; 8935| 34.9k| u_int16_t ret = NDPI_PROTOCOL_UNKNOWN; 8936| 34.9k| int use_client = ndpi_str->cfg.use_client_ip_in_guess; 8937| | 8938| 34.9k| if(packet->iph) { ------------------ | Branch (8938:6): [True: 33.8k, False: 1.11k] ------------------ 8939| 33.8k| struct in_addr addr; 8940| | 8941| | /* guess host protocol; server first */ 8942| 33.8k| addr.s_addr = flow->s_address.v4; 8943| 33.8k| ret = ndpi_network_port_ptree_match(ndpi_str, &addr, flow->s_port); 8944| | 8945| 33.8k| if(ret == NDPI_PROTOCOL_UNKNOWN && use_client) { ------------------ | Branch (8945:8): [True: 24.1k, False: 9.64k] | Branch (8945:40): [True: 24.1k, False: 0] ------------------ 8946| 24.1k| addr.s_addr = flow->c_address.v4; 8947| 24.1k| ret = ndpi_network_port_ptree_match(ndpi_str, &addr, flow->c_port); 8948| 24.1k| } 8949| 33.8k| } else { 8950| 1.11k| struct in6_addr addr; 8951| | 8952| 1.11k| addr = *(struct in6_addr *)&flow->s_address.v6; 8953| 1.11k| ret = ndpi_network_port_ptree6_match(ndpi_str, &addr, flow->s_port); 8954| | 8955| 1.11k| if(ret == NDPI_PROTOCOL_UNKNOWN && use_client) { ------------------ | Branch (8955:8): [True: 823, False: 294] | Branch (8955:40): [True: 823, False: 0] ------------------ 8956| 823| addr = *(struct in6_addr *)&flow->c_address.v6; 8957| 823| ret = ndpi_network_port_ptree6_match(ndpi_str, &addr, flow->c_port); 8958| 823| } 8959| 1.11k| } 8960| | 8961| 34.9k| return(ret); 8962| 34.9k|} search_into_bittorrent_cache: 9200| 3.16k| struct ndpi_flow_struct *flow) { 9201| | 9202| |#ifdef BITTORRENT_CACHE_DEBUG 9203| | printf("[%s:%u] search_into_bittorrent_cache(%u, %u) [bt_check_performed=%d]\n", 9204| | __FILE__, __LINE__, ntohs(flow->c_port), ntohs(flow->s_port), 9205| | flow->bt_check_performed); 9206| |#endif 9207| | 9208| 3.16k| if(flow->bt_check_performed /* Do the check once */) ------------------ | Branch 
(9208:6): [True: 438, False: 2.73k] ------------------ 9209| 438| return(0); 9210| | 9211| 2.73k| if(ndpi_struct->bittorrent_cache) { ------------------ | Branch (9211:6): [True: 2.23k, False: 498] ------------------ 9212| 2.23k| u_int16_t cached_proto; 9213| 2.23k| u_int8_t found = 0; 9214| 2.23k| u_int64_t key, key1, key2; 9215| | 9216| 2.23k| flow->bt_check_performed = 1; 9217| | 9218| | /* Check cached communications */ 9219| 2.23k| key = make_bittorrent_peers_key(flow); 9220| 2.23k| key1 = make_bittorrent_host_key(flow, 1, 0), key2 = make_bittorrent_host_key(flow, 0, 0); 9221| | 9222| 2.23k| found = 9223| 2.23k| ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, key, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)) ------------------ | Branch (9223:7): [True: 5, False: 2.22k] ------------------ 9224| 2.22k| || ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, key1, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)) ------------------ | Branch (9224:10): [True: 33, False: 2.19k] ------------------ 9225| 2.19k| || ndpi_lru_find_cache(ndpi_struct->bittorrent_cache, key2, &cached_proto, 0 /* Don't remove it as it can be used for other connections */, ndpi_get_current_time(flow)); ------------------ | Branch (9225:10): [True: 8, False: 2.18k] ------------------ 9226| | 9227| |#ifdef BITTORRENT_CACHE_DEBUG 9228| | printf("[BitTorrent] *** [%s] SEARCHING ports %u / %u [0x%llx][0x%llx][0x%llx][found: %u]\n", 9229| | flow->l4_proto == IPPROTO_UDP ? 
"UDP": "TCP", 9230| | ntohs(flow->c_port), ntohs(flow->s_port), 9231| | (long long unsigned int)key, (long long unsigned int)key1, (long long unsigned int)key2, found); 9232| |#endif 9233| | 9234| 2.23k| return(found); 9235| 2.23k| } 9236| | 9237| 498| return(0); 9238| 2.73k|} ndpi_detection_giveup: 9705| 14|ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { 9706| | 9707| | /* *** We can't access ndpi_str->packet from this function!! *** */ 9708| | 9709| 14| if(!ndpi_str || !flow) { ------------------ | Branch (9709:6): [True: 0, False: 14] | Branch (9709:19): [True: 0, False: 14] ------------------ 9710| 0| ndpi_protocol p; 9711| 0| memset(&p, '\0', sizeof(p)); 9712| 0| return(p); 9713| 0| } 9714| | 9715| 14| ndpi_internal_detection_giveup(ndpi_str, flow); 9716| | 9717| 14| return create_public_results(ndpi_str, flow); 9718| 14|} ndpi_load_ip_category: 9740| 1.78M| void *user_data) { 9741| 1.78M| ndpi_patricia_node_t *node = NULL; 9742| 1.78M| int bits = 32, is_ipv6 = 0; 9743| 1.78M| char *ptr; 9744| 1.78M| char ipbuf[128]; 9745| | 9746| 1.78M| if(ip_address_and_mask[0] == '[') { ------------------ | Branch (9746:6): [True: 0, False: 1.78M] ------------------ 9747| 0| is_ipv6 = 1; 9748| 0| bits = 128; 9749| 0| ip_address_and_mask++; /* Strip '[' */ 9750| 0| } 9751| | 9752| 1.78M| strncpy(ipbuf, ip_address_and_mask, sizeof(ipbuf) - 1); 9753| 1.78M| ipbuf[sizeof(ipbuf) - 1] = '\0'; 9754| | 9755| 1.78M| ptr = strrchr(ipbuf, '/'); 9756| | 9757| 1.78M| if(ptr) { ------------------ | Branch (9757:6): [True: 0, False: 1.78M] ------------------ 9758| 0| *(ptr++) = '\0'; 9759| 0| if(atoi(ptr) >= 0 && atoi(ptr) <= 32) ------------------ | Branch (9759:8): [True: 0, False: 0] | Branch (9759:26): [True: 0, False: 0] ------------------ 9760| 0| bits = atoi(ptr); 9761| 0| } 9762| 1.78M| ptr = strrchr(ipbuf, ']'); 9763| 1.78M| if(ptr) ------------------ | Branch (9763:6): [True: 0, False: 1.78M] ------------------ 
9764| 0| *ptr = '\0'; /* Strip ']' */ 9765| | 9766| 1.78M| if(!is_ipv6 && ndpi_str->custom_categories.ipAddresses_shadow) { ------------------ | Branch (9766:6): [True: 1.78M, False: 0] | Branch (9766:18): [True: 1.78M, False: 0] ------------------ 9767| 1.78M| struct in_addr pin; 9768| | 9769| 1.78M| if(inet_pton(AF_INET, ipbuf, &pin) != 1) { ------------------ | Branch (9769:8): [True: 1.78M, False: 0] ------------------ 9770| 1.78M| NDPI_LOG_DBG2(ndpi_str, "Invalid ip4/ip4+netmask: %s\n", ip_address_and_mask); ------------------ | | 597| 1.78M|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 9771| 1.78M| return(-1); 9772| 1.78M| } 9773| | 9774| 0| node = add_to_ptree(ndpi_str->custom_categories.ipAddresses_shadow, AF_INET, &pin, bits); 9775| 0| } else if(is_ipv6 && ndpi_str->custom_categories.ipAddresses6_shadow) { ------------------ | Branch (9775:13): [True: 0, False: 0] | Branch (9775:24): [True: 0, False: 0] ------------------ 9776| 0| struct in6_addr pin6; 9777| | 9778| 0| if(inet_pton(AF_INET6, ipbuf, &pin6) != 1) { ------------------ | Branch (9778:8): [True: 0, False: 0] ------------------ 9779| 0| NDPI_LOG_DBG2(ndpi_str, "Invalid ip6/ip6+netmask: %s\n", ip_address_and_mask); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 9780| 0| return(-1); 9781| 0| } 9782| 0| node = add_to_ptree(ndpi_str->custom_categories.ipAddresses6_shadow, AF_INET6, &pin6, bits); 9783| 0| } else { 9784| 0| return(-1); 9785| 0| } 9786| | 9787| 0| if(node != NULL) { ------------------ | Branch (9787:6): [True: 0, False: 0] ------------------ 9788| 0| node->value.u.uv32.user_value = (u_int16_t)category, node->value.u.uv32.additional_user_value = 0; 9789| 0| node->custom_user_data = user_data; 9790| 0| } 9791| | 9792| | 9793| 0| return(0); 9794| 1.78M|} ndpi_load_hostname_category: 9801| 1.78M| ndpi_protocol_breed_t breed) { 9802| 1.78M| if(ndpi_str->custom_categories.sc_hostnames_shadow == NULL) ------------------ | Branch (9802:6): [True: 0, False: 1.78M] ------------------ 9803| 0| return(-1); 9804| | 9805| 1.78M| return(ndpi_domain_classify_add(ndpi_str, ndpi_str->custom_categories.sc_hostnames_shadow, ------------------ | Branch (9805:10): [True: 1.78M, False: 0] ------------------ 9806| 1.78M| (breed & 0xFFFF) << 16 | (category & 0xFFFF), 9807| 1.78M| (char*)name_to_add) ? 
0 : -1); 9808| 1.78M|} ndpi_load_category: 9816| 1.78M| void *user_data) { 9817| 1.78M| int rv; 9818| | 9819| | /* Try to load as IP address first */ 9820| 1.78M| rv = ndpi_load_ip_category(ndpi_struct, ip_or_name, category, user_data); /* TODO: breed */ 9821| | 9822| 1.78M| if(rv < 0) { ------------------ | Branch (9822:6): [True: 1.78M, False: 0] ------------------ 9823| | /* 9824| | IP load failed, load as hostname 9825| | 9826| | NOTE: 9827| | we cannot add user_data here as with Aho-Corasick this 9828| | information would not be used 9829| | */ 9830| 1.78M| rv = ndpi_load_hostname_category(ndpi_struct, ip_or_name, category, breed); 9831| 1.78M| } 9832| | 9833| 1.78M| return(rv); 9834| 1.78M|} ndpi_enable_loaded_categories: 9838| 6.99k|int ndpi_enable_loaded_categories(struct ndpi_detection_module_struct *ndpi_str) { 9839| 6.99k| int i; 9840| 6.99k| static char *built_in = "built-in"; 9841| | 9842| 6.99k| if(ndpi_str->custom_categories.categories_loaded) ------------------ | Branch (9842:6): [True: 0, False: 6.99k] ------------------ 9843| 0| return(-1); /* Already loaded */ 9844| | 9845| | /* First add the nDPI known categories matches */ 9846| 1.79M| for(i = 0; category_match[i].string_to_match != NULL; i++) ------------------ | Branch (9846:14): [True: 1.78M, False: 6.99k] ------------------ 9847| 1.78M| ndpi_load_category(ndpi_str, category_match[i].string_to_match, 9848| 1.78M| category_match[i].protocol_category, 9849| 1.78M| category_match[i].protocol_breed, 9850| 1.78M| built_in); 9851| | 9852| 6.99k| ndpi_domain_classify_free(ndpi_str->custom_categories.sc_hostnames); 9853| 6.99k| ndpi_str->custom_categories.sc_hostnames = ndpi_str->custom_categories.sc_hostnames_shadow; 9854| 6.99k| ndpi_str->custom_categories.sc_hostnames_shadow = ndpi_domain_classify_alloc(); 9855| | 9856| 6.99k| if(ndpi_str->custom_categories.ipAddresses != NULL) ------------------ | Branch (9856:6): [True: 6.99k, False: 0] ------------------ 9857| 6.99k| 
ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses, free_ptree_data); 9858| | 9859| 6.99k| if(ndpi_str->custom_categories.ipAddresses6 != NULL) ------------------ | Branch (9859:6): [True: 6.99k, False: 0] ------------------ 9860| 6.99k| ndpi_patricia_destroy((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6, free_ptree_data); 9861| | 9862| 6.99k| ndpi_str->custom_categories.ipAddresses = ndpi_str->custom_categories.ipAddresses_shadow; 9863| 6.99k| ndpi_str->custom_categories.ipAddresses_shadow = ndpi_patricia_new(32 /* IPv4 */); 9864| | 9865| 6.99k| ndpi_str->custom_categories.ipAddresses6 = ndpi_str->custom_categories.ipAddresses6_shadow; 9866| 6.99k| ndpi_str->custom_categories.ipAddresses6_shadow = ndpi_patricia_new(128 /* IPv6 */); 9867| | 9868| 6.99k| ndpi_str->custom_categories.categories_loaded = 1; 9869| | 9870| 6.99k| return(0); 9871| 6.99k|} ndpi_fill_ip_protocol_category: 9919| 33.8k| ndpi_protocol *ret) { 9920| 33.8k| bool match_client = true; 9921| | 9922| 33.8k| ret->custom_category_userdata = NULL; 9923| | 9924| 33.8k| if(ndpi_str->custom_categories.categories_loaded && ------------------ | Branch (9924:6): [True: 33.8k, False: 0] ------------------ 9925| 33.8k| ndpi_str->custom_categories.ipAddresses) { ------------------ | Branch (9925:6): [True: 33.8k, False: 0] ------------------ 9926| | 9927| 33.8k| ndpi_prefix_t prefix; 9928| 33.8k| ndpi_patricia_node_t *node; 9929| | 9930| 33.8k| if(saddr == 0) ------------------ | Branch (9930:8): [True: 296, False: 33.5k] ------------------ 9931| 296| node = NULL; 9932| 33.5k| else { 9933| | /* Make sure all in network byte order otherwise compares wont work */ 9934| 33.5k| ndpi_fill_prefix_v4(&prefix, (struct in_addr *) &saddr, 32, 9935| 33.5k| ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses)->maxbits); 9936| 33.5k| node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix); 9937| 33.5k| } 9938| | 9939| 33.8k| 
if(node == NULL) { ------------------ | Branch (9939:8): [True: 33.8k, False: 0] ------------------ 9940| 33.8k| if(daddr != 0) { ------------------ | Branch (9940:10): [True: 33.4k, False: 403] ------------------ 9941| 33.4k| ndpi_fill_prefix_v4(&prefix, (struct in_addr *) &daddr, 32, 9942| 33.4k| ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses)->maxbits); 9943| 33.4k| node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses, &prefix); 9944| 33.4k| match_client = false; 9945| 33.4k| } 9946| 33.8k| } else { 9947| 0| match_client = true; 9948| 0| } 9949| | 9950| 33.8k| if(node) { ------------------ | Branch (9950:8): [True: 0, False: 33.8k] ------------------ 9951| 0| ret->category = (ndpi_protocol_category_t) node->value.u.uv32.user_value; 9952| 0| ret->custom_category_userdata = node->custom_user_data; 9953| | 9954| 0| if((ret->category == NDPI_PROTOCOL_CATEGORY_MALWARE) && (match_client == false)) { ------------------ | Branch (9954:10): [True: 0, False: 0] | Branch (9954:63): [True: 0, False: 0] ------------------ 9955| 0| ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); 9956| 0| } 9957| | 9958| 0| return(1); 9959| 0| } 9960| 33.8k| } 9961| | 9962| 33.8k| ret->category = ndpi_get_proto_category(ndpi_str, *ret); 9963| | 9964| 33.8k| return(0); 9965| 33.8k|} ndpi_fill_ipv6_protocol_category: 9972| 1.11k| ndpi_protocol *ret) { 9973| 1.11k| bool match_client = true; 9974| | 9975| 1.11k| ret->custom_category_userdata = NULL; 9976| | 9977| 1.11k| if(ndpi_str->custom_categories.categories_loaded && ------------------ | Branch (9977:6): [True: 1.11k, False: 0] ------------------ 9978| 1.11k| ndpi_str->custom_categories.ipAddresses6) { ------------------ | Branch (9978:6): [True: 1.11k, False: 0] ------------------ 9979| | 9980| 1.11k| ndpi_prefix_t prefix; 9981| 1.11k| ndpi_patricia_node_t *node; 9982| | 9983| 1.11k| ndpi_fill_prefix_v6(&prefix, saddr, 128, 9984| 1.11k| ((ndpi_patricia_tree_t 
*) ndpi_str->custom_categories.ipAddresses6)->maxbits); 9985| 1.11k| node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); 9986| | 9987| 1.11k| if(node == NULL) { ------------------ | Branch (9987:8): [True: 1.11k, False: 0] ------------------ 9988| 1.11k| ndpi_fill_prefix_v6(&prefix, daddr, 128, 9989| 1.11k| ((ndpi_patricia_tree_t *) ndpi_str->custom_categories.ipAddresses6)->maxbits); 9990| 1.11k| node = ndpi_patricia_search_best(ndpi_str->custom_categories.ipAddresses6, &prefix); 9991| 1.11k| match_client = false; 9992| 1.11k| } else { 9993| 0| match_client = true; 9994| 0| } 9995| | 9996| 1.11k| if(node) { ------------------ | Branch (9996:8): [True: 0, False: 1.11k] ------------------ 9997| 0| ret->category = (ndpi_protocol_category_t) node->value.u.uv32.user_value; 9998| 0| ret->custom_category_userdata = node->custom_user_data; 9999| | 10000| 0| if((ret->category == NDPI_PROTOCOL_CATEGORY_MALWARE) && (match_client == false)) { ------------------ | Branch (10000:10): [True: 0, False: 0] | Branch (10000:63): [True: 0, False: 0] ------------------ 10001| 0| ndpi_set_risk(ndpi_str, flow, NDPI_MALWARE_HOST_CONTACTED, "Client contacted malware host"); 10002| 0| } 10003| | 10004| 0| return(1); 10005| 0| } 10006| 1.11k| } 10007| | 10008| 1.11k| ret->category = ndpi_get_proto_category(ndpi_str, *ret); 10009| | 10010| 1.11k| return(0); 10011| 1.11k|} fill_protocol_category_and_breed: 10015| 15.2k|void fill_protocol_category_and_breed(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { 10016| | 10017| 15.2k| ndpi_protocol ret; 10018| | 10019| 15.2k| ret.category = flow->category; 10020| 15.2k| ret.proto.master_protocol = flow->detected_protocol_stack[1]; 10021| 15.2k| ret.proto.app_protocol = flow->detected_protocol_stack[0]; 10022| | 10023| 15.2k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (10023:6): [True: 0, False: 15.2k] ------------------ 10024| 0| return; 
10025| | 10026| 15.2k| if(ndpi_str->custom_categories.categories_loaded) { ------------------ | Branch (10026:6): [True: 15.2k, False: 0] ------------------ 10027| 15.2k| if(flow->guessed_header_category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) { ------------------ | Branch (10027:8): [True: 0, False: 15.2k] ------------------ 10028| 0| flow->category = flow->guessed_header_category; 10029| 0| flow->breed = get_proto_breed(ndpi_str, ret.proto); 10030| 0| return; 10031| 0| } 10032| | 10033| 15.2k| if(flow->host_server_name[0] != '\0') { ------------------ | Branch (10033:8): [True: 4.40k, False: 10.8k] ------------------ 10034| 4.40k| ndpi_protocol_category_t category; 10035| 4.40k| ndpi_protocol_breed_t breed; 10036| 4.40k| int rc = ndpi_match_custom_category(ndpi_str, flow->host_server_name, 10037| 4.40k| strlen(flow->host_server_name), &category, &breed); 10038| 4.40k| if(rc == 0) { ------------------ | Branch (10038:10): [True: 0, False: 4.40k] ------------------ 10039| 0| flow->category = category; 10040| 0| flow->breed = breed; 10041| 0| return; 10042| 0| } 10043| 4.40k| } 10044| 15.2k| } 10045| | 10046| 15.2k| flow->category = ndpi_get_proto_category(ndpi_str, ret); 10047| 15.2k| flow->breed = get_proto_breed(ndpi_str, ret.proto); 10048| 15.2k|} ndpi_detection_process_packet: 10735| 89.4k| struct ndpi_flow_input_info *input_info) { 10736| | 10737| 89.4k| if(!flow || !ndpi_str || ndpi_str->finalized != 1) { ------------------ | Branch (10737:6): [True: 0, False: 89.4k] | Branch (10737:15): [True: 0, False: 89.4k] | Branch (10737:28): [True: 10.0k, False: 79.4k] ------------------ 10738| 10.0k| ndpi_protocol ret; 10739| 10.0k| memset(&ret, 0, sizeof(ret)); 10740| 10.0k| return(ret); 10741| 10.0k| } 10742| | 10743| | /* The application shoudn't provide further packets after it gets NDPI_STATE_CLASSIFIED: 10744| | return the already known classification */ 10745| 79.4k| if(flow->state == NDPI_STATE_CLASSIFIED) { ------------------ | Branch (10745:6): [True: 0, 
False: 79.4k] ------------------ 10746| 0| return create_public_results(ndpi_str, flow); 10747| 0| } 10748| | 10749| 79.4k| ndpi_internal_detection_process_packet(ndpi_str, flow, packet_data, 10750| 79.4k| packetlen, current_time_ms, 10751| 79.4k| input_info); 10752| | 10753| 79.4k| return create_public_results(ndpi_str, flow); 10754| 79.4k|} ndpi_parse_packet_line_info: 11032| 43.8k|void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { 11033| 43.8k| u_int32_t a; 11034| 43.8k| struct ndpi_packet_struct *packet = &ndpi_str->packet; 11035| | 11036| 43.8k| if((packet->payload_packet_len < 3) || (packet->payload == NULL)) ------------------ | Branch (11036:6): [True: 134, False: 43.7k] | Branch (11036:42): [True: 0, False: 43.7k] ------------------ 11037| 134| return; 11038| | 11039| 43.7k| if(packet->packet_lines_parsed_complete != 0) ------------------ | Branch (11039:6): [True: 12.0k, False: 31.6k] ------------------ 11040| 12.0k| return; 11041| | 11042| 31.6k| if((flow->l4.tcp.three_way_handshake.syn_time != 0) /* Check only if 3WH was observed */ ------------------ | Branch (11042:6): [True: 11.4k, False: 20.2k] ------------------ 11043| 11.4k| && (flow->l4.tcp.three_way_handshake.ack_time != 0) ------------------ | Branch (11043:9): [True: 2.14k, False: 9.27k] ------------------ 11044| 2.14k| && ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP) || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP)) ------------------ | Branch (11044:10): [True: 24, False: 2.11k] | Branch (11044:70): [True: 9, False: 2.10k] ------------------ 11045| 33| && (flow->http.method != NDPI_HTTP_METHOD_UNKNOWN) ------------------ | Branch (11045:9): [True: 2, False: 31] ------------------ 11046| 2| && (flow->http.response_status_code == 0 /* Response code not observed yet */) ------------------ | Branch (11046:9): [True: 2, False: 0] ------------------ 11047| 31.6k| ) { 11048| 2| u_int64_t tdiff_ms = 
packet->current_time_ms - flow->l4.tcp.three_way_handshake.ack_time; 11049| | 11050| 2| if((tdiff_ms > 3000 /* 3 sec */) && (!ndpi_isset_risk(flow, NDPI_SLOW_DOS))) { ------------------ | Branch (11050:8): [True: 1, False: 1] | Branch (11050:41): [True: 1, False: 0] ------------------ 11051| 1| char buf[64]; 11052| | 11053| 1| snprintf(buf, sizeof(buf), "Slow HTTP Req. (Slowloris): %.1f sec", tdiff_ms/1000.); 11054| 1| ndpi_set_risk(ndpi_str, flow, NDPI_SLOW_DOS, buf); 11055| 1| } 11056| 2| } 11057| | 11058| 31.6k| packet->packet_lines_parsed_complete = 1; 11059| 31.6k| ndpi_reset_packet_line_info(packet); 11060| | 11061| 31.6k| packet->line[packet->parsed_lines].ptr = packet->payload; 11062| 31.6k| packet->line[packet->parsed_lines].len = 0; 11063| | 11064| 5.62M| for(a = 0; ((a+1) < packet->payload_packet_len) && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET); a++) { ------------------ | | 86| 5.58M|#define NDPI_MAX_PARSE_LINES_PER_PACKET 64 ------------------ | Branch (11064:14): [True: 5.58M, False: 31.6k] | Branch (11064:54): [True: 5.58M, False: 0] ------------------ 11065| 5.58M| if((packet->payload[a] == 0x0d) && (packet->payload[a+1] == 0x0a)) { ------------------ | Branch (11065:8): [True: 51.6k, False: 5.53M] | Branch (11065:40): [True: 24.0k, False: 27.5k] ------------------ 11066| | /* If end of line char sequence CR+NL "\r\n", process line */ 11067| | 11068| 24.0k| flow->http.request_header_observed = 1; 11069| | 11070| 24.0k| if(((a + 3) < packet->payload_packet_len) ------------------ | Branch (11070:10): [True: 17.4k, False: 6.58k] ------------------ 11071| 17.4k| && (packet->payload[a+2] == 0x0d) ------------------ | Branch (11071:6): [True: 936, False: 16.5k] ------------------ 11072| 936| && (packet->payload[a+3] == 0x0a)) { ------------------ | Branch (11072:6): [True: 895, False: 41] ------------------ 11073| | /* \r\n\r\n */ 11074| 895| int diff; /* No unsigned ! 
*/ 11075| 895| u_int32_t a1 = a + 4; 11076| | 11077| 895| diff = packet->payload_packet_len - a1; 11078| | 11079| 895| if(diff > 0) { ------------------ | Branch (11079:5): [True: 889, False: 6] ------------------ 11080| 889| diff = ndpi_min((unsigned int)diff, sizeof(flow->initial_binary_bytes)); ------------------ | | 113| 889|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 547, False: 342] | | ------------------ ------------------ 11081| 889| memcpy(&flow->initial_binary_bytes, &packet->payload[a1], diff); 11082| 889| flow->initial_binary_bytes_len = diff; 11083| 889| } 11084| 895| } 11085| | 11086| 24.0k| packet->line[packet->parsed_lines].len = 11087| 24.0k| (u_int16_t)(((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr)); 11088| | 11089| 24.0k| parse_single_packet_line(ndpi_str); 11090| | 11091| 24.0k| if(packet->line[packet->parsed_lines].len == 0) { ------------------ | Branch (11091:10): [True: 899, False: 23.1k] ------------------ 11092| 899| packet->empty_line_position = a; 11093| 899| packet->empty_line_position_set = 1; 11094| 899| } 11095| | 11096| 24.0k| if(packet->parsed_lines >= (NDPI_MAX_PARSE_LINES_PER_PACKET - 1)) ------------------ | | 86| 24.0k|#define NDPI_MAX_PARSE_LINES_PER_PACKET 64 ------------------ | Branch (11096:10): [True: 4, False: 24.0k] ------------------ 11097| 4| return; 11098| | 11099| 24.0k| packet->parsed_lines++; 11100| 24.0k| packet->line[packet->parsed_lines].ptr = &packet->payload[a + 2]; 11101| 24.0k| packet->line[packet->parsed_lines].len = 0; 11102| | 11103| 24.0k| a++; /* next char in the payload */ 11104| 24.0k| } 11105| 5.58M| } 11106| | 11107| 31.6k| if(packet->parsed_lines >= 1) { ------------------ | Branch (11107:6): [True: 13.8k, False: 17.8k] ------------------ 11108| 13.8k| packet->line[packet->parsed_lines].len = 11109| 13.8k| (u_int16_t)(((size_t) &packet->payload[packet->payload_packet_len]) - 11110| 13.8k| ((size_t) 
packet->line[packet->parsed_lines].ptr)); 11111| | 11112| 13.8k| parse_single_packet_line(ndpi_str); 11113| 13.8k| packet->parsed_lines++; 11114| 13.8k| } 11115| 31.6k|} ndpi_parse_packet_line_info_any: 11119| 67|void ndpi_parse_packet_line_info_any(struct ndpi_detection_module_struct *ndpi_str) { 11120| 67| struct ndpi_packet_struct *packet = &ndpi_str->packet; 11121| 67| u_int32_t a; 11122| 67| u_int16_t end = packet->payload_packet_len; 11123| | 11124| 67| if(packet->packet_lines_parsed_complete != 0) ------------------ | Branch (11124:6): [True: 24, False: 43] ------------------ 11125| 24| return; 11126| | 11127| 43| packet->packet_lines_parsed_complete = 1; 11128| 43| packet->parsed_lines = 0; 11129| | 11130| 43| if(packet->payload_packet_len == 0) ------------------ | Branch (11130:6): [True: 0, False: 43] ------------------ 11131| 0| return; 11132| | 11133| 43| packet->line[packet->parsed_lines].ptr = packet->payload; 11134| 43| packet->line[packet->parsed_lines].len = 0; 11135| | 11136| 4.90k| for(a = 0; a < end; a++) { ------------------ | Branch (11136:14): [True: 4.86k, False: 39] ------------------ 11137| 4.86k| if(packet->payload[a] == 0x0a) { ------------------ | Branch (11137:8): [True: 81, False: 4.78k] ------------------ 11138| 81| packet->line[packet->parsed_lines].len = (u_int16_t)(((size_t) &packet->payload[a]) - ((size_t) packet->line[packet->parsed_lines].ptr)); 11139| | 11140| 81| if(a > 0 && packet->payload[a - 1] == 0x0d) ------------------ | Branch (11140:10): [True: 80, False: 1] | Branch (11140:19): [True: 6, False: 74] ------------------ 11141| 6| packet->line[packet->parsed_lines].len--; 11142| | 11143| 81| if(packet->parsed_lines >= (NDPI_MAX_PARSE_LINES_PER_PACKET - 1)) ------------------ | | 86| 81|#define NDPI_MAX_PARSE_LINES_PER_PACKET 64 ------------------ | Branch (11143:10): [True: 0, False: 81] ------------------ 11144| 0| break; 11145| | 11146| 81| packet->parsed_lines++; 11147| 81| packet->line[packet->parsed_lines].ptr = 
&packet->payload[a + 1]; 11148| 81| packet->line[packet->parsed_lines].len = 0; 11149| | 11150| 81| if((a + 1) >= packet->payload_packet_len) ------------------ | Branch (11150:10): [True: 4, False: 77] ------------------ 11151| 4| break; 11152| | 11153| | //a++; 11154| 81| } 11155| 4.86k| } 11156| 43|} ndpi_set_detected_protocol_keeping_master: 11170| 1.82k| ndpi_confidence_t confidence) { 11171| 1.82k| u_int16_t master; 11172| | 11173| 1.82k| master = flow->detected_protocol_stack[1] ? flow->detected_protocol_stack[1] : flow->detected_protocol_stack[0]; ------------------ | Branch (11173:12): [True: 81, False: 1.74k] ------------------ 11174| | 11175| 1.82k| if (master != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (11175:7): [True: 162, False: 1.66k] ------------------ 11176| 162| ndpi_set_detected_protocol(ndpi_str, flow, detected_protocol, master, confidence); 11177| 1.66k| else 11178| 1.66k| ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_UNKNOWN, detected_protocol, confidence); 11179| 1.82k|} ndpi_set_detected_protocol: 11185| 18.3k| ndpi_confidence_t confidence) { 11186| | 11187| 18.3k| if(flow->state == NDPI_STATE_MONITORING) { ------------------ | Branch (11187:6): [True: 0, False: 18.3k] ------------------ 11188| 0| NDPI_LOG_ERR(ndpi_str, "Impossible to update classification while in monitoring state! %d/%d->%d/%d\n", ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 11189| 0| flow->detected_protocol_stack[1], flow->detected_protocol_stack[0], 11190| 0| upper_detected_protocol, lower_detected_protocol); 11191| 0| return; 11192| 0| } 11193| | 11194| 18.3k| ndpi_int_change_protocol(flow, upper_detected_protocol, lower_detected_protocol, confidence); 11195| 18.3k| ndpi_reconcile_protocols(ndpi_str, flow); 11196| | 11197| 18.3k| proto_stack_update(&flow->protocol_stack, flow->detected_protocol_stack[1], flow->detected_protocol_stack[0]); 11198| | 11199| 18.3k| flow->state = NDPI_STATE_PARTIAL; 11200| 18.3k|} proto_stack_reset: 11260| 1.28k|{ 11261| 1.28k| unsigned int i; 11262| | 11263| |#ifdef DEBUG_STACK 11264| | printf("%s\n", __func__); 11265| |#endif 11266| 1.28k| for(i = 0; i < s->protos_num; i++) ------------------ | Branch (11266:14): [True: 0, False: 1.28k] ------------------ 11267| 0| s->protos[i] = NDPI_PROTOCOL_UNKNOWN; 11268| 1.28k| s->protos_num = 0; 11269| 1.28k|} ndpi_stack_contains: 11387| 187k|{ 11388| 187k| unsigned int i; 11389| | 11390| 187k| if(!s) ------------------ | Branch (11390:6): [True: 0, False: 187k] ------------------ 11391| 0| return false; 11392| 386k| for(i = 0; i < s->protos_num; i++) ------------------ | Branch (11392:14): [True: 202k, False: 183k] ------------------ 11393| 202k| if(s->protos[i] == proto_id) ------------------ | Branch (11393:10): [True: 3.36k, False: 199k] ------------------ 11394| 3.36k| return true; 11395| 183k| return false; 11396| 187k|} ndpi_stack_is_tls_like: 11401| 81.1k|{ 11402| 81.1k| unsigned int i; 11403| | 11404| 81.1k| if(!s) ------------------ | Branch (11404:6): [True: 0, False: 81.1k] ------------------ 11405| 0| return false; 11406| 114k| for(i = 0; i < s->protos_num; i++) ------------------ | Branch (11406:14): [True: 45.9k, False: 68.2k] ------------------ 11407| 45.9k| if(s->protos[i] == NDPI_PROTOCOL_TLS || ------------------ | Branch (11407:10): [True: 10.1k, False: 35.7k] ------------------ 11408| 
35.7k| s->protos[i] == NDPI_PROTOCOL_DTLS || ------------------ | Branch (11408:10): [True: 0, False: 35.7k] ------------------ 11409| 35.7k| s->protos[i] == NDPI_PROTOCOL_QUIC || ------------------ | Branch (11409:10): [True: 2.23k, False: 33.4k] ------------------ 11410| 33.4k| s->protos[i] == NDPI_PROTOCOL_MAIL_SMTPS || ------------------ | Branch (11410:10): [True: 13, False: 33.4k] ------------------ 11411| 33.4k| s->protos[i] == NDPI_PROTOCOL_MAIL_POPS || ------------------ | Branch (11411:10): [True: 4, False: 33.4k] ------------------ 11412| 33.4k| s->protos[i] == NDPI_PROTOCOL_MAIL_IMAPS || ------------------ | Branch (11412:10): [True: 468, False: 32.9k] ------------------ 11413| 32.9k| s->protos[i] == NDPI_PROTOCOL_FTPS) ------------------ | Branch (11413:10): [True: 0, False: 32.9k] ------------------ 11414| 12.9k| return true; 11415| 68.2k| return false; 11416| 81.1k|} ndpi_stack_is_http_like: 11421| 10.2k|{ 11422| 10.2k| unsigned int i; 11423| | 11424| 10.2k| if(!s) ------------------ | Branch (11424:6): [True: 0, False: 10.2k] ------------------ 11425| 0| return false; 11426| 21.1k| for(i = 0; i < s->protos_num; i++) ------------------ | Branch (11426:14): [True: 10.8k, False: 10.2k] ------------------ 11427| 10.8k| if(s->protos[i] == NDPI_PROTOCOL_HTTP || ------------------ | Branch (11427:10): [True: 40, False: 10.8k] ------------------ 11428| 10.8k| s->protos[i] == NDPI_PROTOCOL_HTTP_CONNECT || ------------------ | Branch (11428:10): [True: 0, False: 10.8k] ------------------ 11429| 10.8k| s->protos[i] == NDPI_PROTOCOL_HTTP_PROXY) ------------------ | Branch (11429:10): [True: 0, False: 10.8k] ------------------ 11430| 40| return true; 11431| 10.2k| return false; 11432| 10.2k|} ndpi_protocol2id: 11701| 10.2k|char *ndpi_protocol2id(ndpi_master_app_protocol proto, char *buf, u_int buf_len) { 11702| 10.2k| if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.master_protocol != proto.app_protocol)) { ------------------ | Branch (11702:6): 
[True: 1.25k, False: 9.00k] | Branch (11702:58): [True: 1.25k, False: 0] ------------------ 11703| 1.25k| if(proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (11703:8): [True: 1.25k, False: 0] ------------------ 11704| 1.25k| ndpi_snprintf(buf, buf_len, "%u.%u", proto.master_protocol, proto.app_protocol); 11705| 0| else 11706| 0| ndpi_snprintf(buf, buf_len, "%u", proto.master_protocol); 11707| 1.25k| } else 11708| 9.00k| ndpi_snprintf(buf, buf_len, "%u", proto.app_protocol); 11709| | 11710| 10.2k| return(buf); 11711| 10.2k|} ndpi_protocol2name: 11716| 10.2k| ndpi_master_app_protocol proto, char *buf, u_int buf_len) { 11717| 10.2k| if((proto.master_protocol != NDPI_PROTOCOL_UNKNOWN) && (proto.master_protocol != proto.app_protocol)) { ------------------ | Branch (11717:6): [True: 1.25k, False: 9.00k] | Branch (11717:58): [True: 1.25k, False: 0] ------------------ 11718| 1.25k| if(proto.app_protocol != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (11718:8): [True: 1.25k, False: 0] ------------------ 11719| 1.25k| ndpi_snprintf(buf, buf_len, "%s.%s", ndpi_get_proto_name(ndpi_str, proto.master_protocol), 11720| 1.25k| ndpi_get_proto_name(ndpi_str, proto.app_protocol)); 11721| 0| else 11722| 0| ndpi_snprintf(buf, buf_len, "%s", ndpi_get_proto_name(ndpi_str, proto.master_protocol)); 11723| 1.25k| } else 11724| 9.00k| ndpi_snprintf(buf, buf_len, "%s", ndpi_get_proto_name(ndpi_str, proto.app_protocol)); 11725| | 11726| 10.2k| return(buf); 11727| 10.2k|} ndpi_confidence_get_name: 11782| 9.62k|{ 11783| 9.62k| switch(confidence) { 11784| 0| case NDPI_CONFIDENCE_UNKNOWN: ------------------ | Branch (11784:3): [True: 0, False: 9.62k] ------------------ 11785| 0| return "Unknown"; 11786| | 11787| 73| case NDPI_CONFIDENCE_MATCH_BY_PORT: ------------------ | Branch (11787:3): [True: 73, False: 9.55k] ------------------ 11788| 73| return "Match by port"; 11789| | 11790| 0| case NDPI_CONFIDENCE_DPI_PARTIAL: ------------------ | Branch (11790:3): [True: 
0, False: 9.62k] ------------------ 11791| 0| return "DPI (partial)"; 11792| | 11793| 0| case NDPI_CONFIDENCE_DPI_PARTIAL_CACHE: ------------------ | Branch (11793:3): [True: 0, False: 9.62k] ------------------ 11794| 0| return "DPI (partial cache)"; 11795| | 11796| 16| case NDPI_CONFIDENCE_DPI_CACHE: ------------------ | Branch (11796:3): [True: 16, False: 9.61k] ------------------ 11797| 16| return "DPI (cache)"; 11798| | 11799| 9.47k| case NDPI_CONFIDENCE_DPI: ------------------ | Branch (11799:3): [True: 9.47k, False: 158] ------------------ 11800| 9.47k| return "DPI"; 11801| | 11802| 0| case NDPI_CONFIDENCE_NBPF: ------------------ | Branch (11802:3): [True: 0, False: 9.62k] ------------------ 11803| 0| return "nBPF"; 11804| | 11805| 69| case NDPI_CONFIDENCE_MATCH_BY_IP: ------------------ | Branch (11805:3): [True: 69, False: 9.55k] ------------------ 11806| 69| return "Match by IP"; 11807| | 11808| 0| case NDPI_CONFIDENCE_DPI_AGGRESSIVE: ------------------ | Branch (11808:3): [True: 0, False: 9.62k] ------------------ 11809| 0| return "DPI (aggressive)"; 11810| | 11811| 0| case NDPI_CONFIDENCE_CUSTOM_RULE: ------------------ | Branch (11811:3): [True: 0, False: 9.62k] ------------------ 11812| 0| return "Match by custom rule"; 11813| | 11814| 0| default: ------------------ | Branch (11814:3): [True: 0, False: 9.62k] ------------------ 11815| | return NULL; 11816| 9.62k| } 11817| 9.62k|} ndpi_category_get_name: 11847| 10.2k| ndpi_protocol_category_t category) { 11848| 10.2k| if((!ndpi_str) || (category >= NDPI_PROTOCOL_NUM_CATEGORIES)) { ------------------ | Branch (11848:6): [True: 0, False: 10.2k] | Branch (11848:21): [True: 0, False: 10.2k] ------------------ 11849| 0| static char b[24]; 11850| | 11851| 0| if(!ndpi_str) ------------------ | Branch (11851:8): [True: 0, False: 0] ------------------ 11852| 0| ndpi_snprintf(b, sizeof(b), "NULL nDPI"); 11853| 0| else 11854| 0| ndpi_snprintf(b, sizeof(b), "Invalid category %d", (int) category); 11855| 0| 
return(b); 11856| 0| } 11857| | 11858| 10.2k| if((category >= NDPI_PROTOCOL_CATEGORY_CUSTOM_1) && (category <= NDPI_PROTOCOL_CATEGORY_CUSTOM_5)) { ------------------ | Branch (11858:6): [True: 1.24k, False: 9.01k] | Branch (11858:55): [True: 0, False: 1.24k] ------------------ 11859| 0| switch((int)category) { ------------------ | Branch (11859:12): [True: 0, False: 0] ------------------ 11860| 0| case NDPI_PROTOCOL_CATEGORY_CUSTOM_1: ------------------ | Branch (11860:5): [True: 0, False: 0] ------------------ 11861| 0| return(ndpi_str->custom_category_labels[0]); 11862| 0| case NDPI_PROTOCOL_CATEGORY_CUSTOM_2: ------------------ | Branch (11862:5): [True: 0, False: 0] ------------------ 11863| 0| return(ndpi_str->custom_category_labels[1]); 11864| 0| case NDPI_PROTOCOL_CATEGORY_CUSTOM_3: ------------------ | Branch (11864:5): [True: 0, False: 0] ------------------ 11865| 0| return(ndpi_str->custom_category_labels[2]); 11866| 0| case NDPI_PROTOCOL_CATEGORY_CUSTOM_4: ------------------ | Branch (11866:5): [True: 0, False: 0] ------------------ 11867| 0| return(ndpi_str->custom_category_labels[3]); 11868| 0| case NDPI_PROTOCOL_CATEGORY_CUSTOM_5: ------------------ | Branch (11868:5): [True: 0, False: 0] ------------------ 11869| 0| return(ndpi_str->custom_category_labels[4]); 11870| 0| } 11871| 0| } 11872| 10.2k| return(categories[category]); 11873| 10.2k|} ndpi_get_proto_category: 11896| 50.1k| ndpi_protocol proto) { 11897| | 11898| 50.1k| if(proto.category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) ------------------ | Branch (11898:6): [True: 0, False: 50.1k] ------------------ 11899| 0| return(proto.category); 11900| | 11901| |#if 0 11902| | proto.proto.master_protocol = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto.proto.master_protocol), 11903| | proto.proto.app_protocol = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto.proto.app_protocol); 11904| |#endif 11905| | 11906| | /* Simple rule: sub protocol first, master after, with some exceptions (i.e. 
mail) */ 11907| | 11908| 50.1k| if(category_or_breed_depends_on_master(proto.proto.master_protocol)) { ------------------ | Branch (11908:6): [True: 3, False: 50.1k] ------------------ 11909| 3| if(ndpi_is_valid_protoId(ndpi_str, proto.proto.master_protocol)) ------------------ | Branch (11909:8): [True: 3, False: 0] ------------------ 11910| 3| return(ndpi_str->proto_defaults[proto.proto.master_protocol].protoCategory); 11911| 50.1k| } else if((proto.proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) || ------------------ | Branch (11911:13): [True: 47.4k, False: 2.69k] ------------------ 11912| 50.1k| (ndpi_str->proto_defaults[proto.proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) { ------------------ | Branch (11912:6): [True: 2.69k, False: 0] ------------------ 11913| 50.1k| if(ndpi_is_valid_protoId(ndpi_str, proto.proto.app_protocol)) ------------------ | Branch (11913:8): [True: 50.1k, False: 0] ------------------ 11914| 50.1k| return(ndpi_str->proto_defaults[proto.proto.app_protocol].protoCategory); 11915| 50.1k| } else if(ndpi_is_valid_protoId(ndpi_str, proto.proto.master_protocol)) ------------------ | Branch (11915:13): [True: 0, False: 0] ------------------ 11916| 0| return(ndpi_str->proto_defaults[proto.proto.master_protocol].protoCategory); 11917| | 11918| 0| return(NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); 11919| 50.1k|} get_proto_category: 11924| 377| ndpi_master_app_protocol proto) { 11925| | 11926| | /* Simple rule: sub protocol first, master after, with some exceptions (i.e. 
mail) */ 11927| | 11928| 377| if(category_or_breed_depends_on_master(proto.master_protocol)) { ------------------ | Branch (11928:6): [True: 0, False: 377] ------------------ 11929| 0| if(ndpi_is_valid_protoId(ndpi_str, proto.master_protocol)) ------------------ | Branch (11929:8): [True: 0, False: 0] ------------------ 11930| 0| return(ndpi_str->proto_defaults[proto.master_protocol].protoCategory); 11931| 377| } else if((proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) || ------------------ | Branch (11931:13): [True: 0, False: 377] ------------------ 11932| 377| (ndpi_str->proto_defaults[proto.app_protocol].protoCategory != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED)) { ------------------ | Branch (11932:13): [True: 377, False: 0] ------------------ 11933| 377| if(ndpi_is_valid_protoId(ndpi_str, proto.app_protocol)) ------------------ | Branch (11933:8): [True: 377, False: 0] ------------------ 11934| 377| return(ndpi_str->proto_defaults[proto.app_protocol].protoCategory); 11935| 377| } else if(ndpi_is_valid_protoId(ndpi_str, proto.master_protocol)) ------------------ | Branch (11935:13): [True: 0, False: 0] ------------------ 11936| 0| return(ndpi_str->proto_defaults[proto.master_protocol].protoCategory); 11937| | 11938| 0| return(NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); 11939| 377|} ndpi_get_proto_name: 11944| 21.7k| u_int16_t proto_id) { 11945| 21.7k| if(!ndpi_str) return("Unknown"); ------------------ | Branch (11945:6): [True: 0, False: 21.7k] ------------------ 11946| | 11947| 21.7k| proto_id = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto_id); 11948| | 11949| 21.7k| if(!ndpi_is_valid_protoId(ndpi_str, proto_id) || ------------------ | Branch (11949:6): [True: 0, False: 21.7k] ------------------ 11950| 21.7k| ndpi_str->proto_defaults[proto_id].protoName[0] == '\0') ------------------ | Branch (11950:6): [True: 0, False: 21.7k] ------------------ 11951| 0| proto_id = NDPI_PROTOCOL_UNKNOWN; 11952| | 11953| 21.7k| return(ndpi_str->proto_defaults[proto_id].protoName); 
11954| 21.7k|} ndpi_get_proto_breed: 11959| 36.7k| u_int16_t proto_id) { 11960| | 11961| 36.7k| if(!ndpi_str) return(NDPI_PROTOCOL_UNRATED); ------------------ | Branch (11961:6): [True: 0, False: 36.7k] ------------------ 11962| | 11963| 36.7k| proto_id = ndpi_map_user_proto_id_to_ndpi_id(ndpi_str, proto_id); 11964| | 11965| 36.7k| if(!ndpi_is_valid_protoId(ndpi_str, proto_id) || ------------------ | Branch (11965:6): [True: 0, False: 36.7k] ------------------ 11966| 36.7k| ndpi_str->proto_defaults[proto_id].protoName[0] == '\0') ------------------ | Branch (11966:6): [True: 0, False: 36.7k] ------------------ 11967| 0| proto_id = NDPI_PROTOCOL_UNKNOWN; 11968| | 11969| 36.7k| return(ndpi_str->proto_defaults[proto_id].protoBreed); 11970| 36.7k|} get_proto_breed: 11975| 64.8k| ndpi_master_app_protocol proto) { 11976| | 11977| | /* Simple rule: sub protocol first, master after, with some exceptions (i.e. mail) */ 11978| | 11979| 64.8k| if(category_or_breed_depends_on_master(proto.master_protocol)) { ------------------ | Branch (11979:6): [True: 3, False: 64.8k] ------------------ 11980| 3| if(ndpi_is_valid_protoId(ndpi_str, proto.master_protocol)) ------------------ | Branch (11980:8): [True: 3, False: 0] ------------------ 11981| 3| return(ndpi_str->proto_defaults[proto.master_protocol].protoBreed); 11982| 64.8k| } else if((proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) || ------------------ | Branch (11982:13): [True: 61.8k, False: 3.07k] ------------------ 11983| 64.8k| (ndpi_str->proto_defaults[proto.app_protocol].protoBreed != NDPI_PROTOCOL_UNRATED)) { ------------------ | Branch (11983:6): [True: 3.07k, False: 0] ------------------ 11984| 64.8k| if(ndpi_is_valid_protoId(ndpi_str, proto.app_protocol)) ------------------ | Branch (11984:8): [True: 64.8k, False: 0] ------------------ 11985| 64.8k| return(ndpi_str->proto_defaults[proto.app_protocol].protoBreed); 11986| 64.8k| } else if(ndpi_is_valid_protoId(ndpi_str, proto.master_protocol)) ------------------ | 
Branch (11986:13): [True: 0, False: 0] ------------------ 11987| 0| return(ndpi_str->proto_defaults[proto.master_protocol].protoBreed); 11988| | 11989| 0| return(NDPI_PROTOCOL_UNRATED); 11990| 64.8k|} ndpi_get_proto_breed_name: 11994| 10.2k|char *ndpi_get_proto_breed_name(ndpi_protocol_breed_t breed_id) { 11995| 10.2k| switch(breed_id) { 11996| 2.04k| case NDPI_PROTOCOL_SAFE: ------------------ | Branch (11996:3): [True: 2.04k, False: 8.21k] ------------------ 11997| 2.04k| return("Safe"); 11998| 7.23k| case NDPI_PROTOCOL_ACCEPTABLE: ------------------ | Branch (11998:3): [True: 7.23k, False: 3.02k] ------------------ 11999| 7.23k| return("Acceptable"); 12000| 228| case NDPI_PROTOCOL_FUN: ------------------ | Branch (12000:3): [True: 228, False: 10.0k] ------------------ 12001| 228| return("Fun"); 12002| 118| case NDPI_PROTOCOL_UNSAFE: ------------------ | Branch (12002:3): [True: 118, False: 10.1k] ------------------ 12003| 118| return("Unsafe"); 12004| 1| case NDPI_PROTOCOL_POTENTIALLY_DANGEROUS: ------------------ | Branch (12004:3): [True: 1, False: 10.2k] ------------------ 12005| 1| return("Potentially_Dangerous"); 12006| 0| case NDPI_PROTOCOL_TRACKER_ADS: ------------------ | Branch (12006:3): [True: 0, False: 10.2k] ------------------ 12007| 0| return("Tracker_Ads"); 12008| 0| case NDPI_PROTOCOL_DANGEROUS: ------------------ | Branch (12008:3): [True: 0, False: 10.2k] ------------------ 12009| 0| return("Dangerous"); 12010| 631| case NDPI_PROTOCOL_UNRATED: ------------------ | Branch (12010:3): [True: 631, False: 9.62k] ------------------ 12011| 631| return("Unrated"); 12012| 0| default: ------------------ | Branch (12012:3): [True: 0, False: 10.2k] ------------------ 12013| 0| return("???"); 12014| 10.2k| } 12015| 10.2k|} ndpi_strnstr: 12219| 43.1k|{ 12220| 43.1k| if (!haystack || !needle) { ------------------ | Branch (12220:7): [True: 4, False: 43.1k] | Branch (12220:20): [True: 0, False: 43.1k] ------------------ 12221| 4| return NULL; 12222| 4| } 
12223| | 12224| 43.1k| return (char *)ndpi_memmem(haystack, strnlen(haystack, len), needle, strlen(needle)); 12225| 43.1k|} ndpi_strncasestr: 12233| 425|const char * ndpi_strncasestr(const char *s, const char *find, size_t len) { 12234| | 12235| 425| if (!s || !find) { ------------------ | Branch (12235:7): [True: 0, False: 425] | Branch (12235:13): [True: 0, False: 425] ------------------ 12236| 0| return NULL; 12237| 0| } 12238| | 12239| 425| const size_t find_len = strlen(find); 12240| | 12241| 425| if (find_len == 0) { ------------------ | Branch (12241:7): [True: 0, False: 425] ------------------ 12242| 0| return s; 12243| 0| } 12244| | 12245| 425| const size_t s_len = strnlen(s, len); 12246| | 12247| | /* If 'find' is longer than 's', no match is possible */ 12248| 425| if (find_len > s_len) { ------------------ | Branch (12248:7): [True: 12, False: 413] ------------------ 12249| 12| return NULL; 12250| 12| } 12251| | 12252| 413| const char *const end_of_search = s + s_len - find_len + 1; 12253| | 12254| | /* Cache the lowercased first character of 'find' */ 12255| 413| const unsigned char fc = tolower((unsigned char) *find); ------------------ | Branch (12255:28): [True: 0, False: 0] | Branch (12255:28): [True: 0, False: 0] | Branch (12255:28): [Folded, False: 413] ------------------ 12256| | 12257| 20.7k| for (; s < end_of_search; ++s) { ------------------ | Branch (12257:10): [True: 20.3k, False: 412] ------------------ 12258| 20.3k| if (tolower((unsigned char)*s) == fc) { ------------------ | Branch (12258:9): [True: 0, False: 0] | Branch (12258:9): [True: 0, False: 0] | Branch (12258:9): [Folded, False: 20.3k] | Branch (12258:9): [True: 635, False: 19.7k] ------------------ 12259| 635| if (strncasecmp(s + 1, find + 1, find_len - 1) == 0) { ------------------ | Branch (12259:11): [True: 1, False: 634] ------------------ 12260| 1| return s; 12261| 1| } 12262| 635| } 12263| 20.3k| } 12264| | 12265| 412| return NULL; 12266| 413|} ndpi_match_prefix: 12271| 
4.07k| size_t payload_len, const char *str, size_t str_len) { 12272| 4.07k| int rc = str_len <= payload_len ? memcmp(payload, str, str_len) == 0 : 0; ------------------ | Branch (12272:12): [True: 4.07k, False: 0] ------------------ 12273| | 12274| 4.07k| return(rc); 12275| 4.07k|} ndpi_match_string_subprotocol: 12280| 23.5k| u_int string_to_match_len, ndpi_protocol_match_result *ret_match) { 12281| 23.5k| ndpi_automa *automa = &ndpi_str->host_automa; 12282| 23.5k| int rc; 12283| | 12284| 23.5k| if(!ndpi_str) return(NDPI_PROTOCOL_UNKNOWN); ------------------ | Branch (12284:6): [True: 0, False: 23.5k] ------------------ 12285| | 12286| 23.5k| if((automa->ac_automa == NULL) || (string_to_match_len == 0)) ------------------ | Branch (12286:6): [True: 1.98k, False: 21.5k] | Branch (12286:37): [True: 5.65k, False: 15.9k] ------------------ 12287| 7.63k| return(NDPI_PROTOCOL_UNKNOWN); 12288| | 12289| 15.9k| rc = ndpi_match_string_common(((AC_AUTOMATA_t *) automa->ac_automa), 12290| 15.9k| string_to_match,string_to_match_len, &ret_match->protocol_id, 12291| 15.9k| &ret_match->protocol_category, &ret_match->protocol_breed); 12292| 15.9k| return rc < 0 ? 
rc : (int)ret_match->protocol_id; ------------------ | Branch (12292:10): [True: 14.5k, False: 1.34k] ------------------ 12293| 23.5k|} ndpi_match_host_subprotocol: 12364| 11.6k| int update_flow_classification) { 12365| 11.6k| u_int16_t rc, string_to_match_len, bkp_len; 12366| 11.6k| int ret; 12367| 11.6k| ndpi_protocol_category_t category; 12368| 11.6k| ndpi_protocol_breed_t breed; 12369| 11.6k| char buf[256], *string_to_match, *bkp; 12370| | 12371| 11.6k| if(!ndpi_str) return(-1); ------------------ | Branch (12371:6): [True: 0, False: 11.6k] ------------------ 12372| | 12373| 11.6k| snprintf(buf, sizeof(buf), "%.*s", _string_to_match_len, _string_to_match); 12374| 11.6k| string_to_match = bkp = buf; 12375| 11.6k| string_to_match_len = bkp_len = strlen(string_to_match); 12376| 11.6k| memset(ret_match, 0, sizeof(*ret_match)); 12377| | 12378| | /* Match host first... */ 12379| 11.6k| if((rc = ndpi_automa_match_string_subprotocol(ndpi_str, string_to_match, string_to_match_len, ret_match)) == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (12379:6): [True: 11.4k, False: 151] ------------------ 12380| 11.4k| string_to_match = (char*)ndpi_get_host_domain(ndpi_str, buf); 12381| 11.4k| string_to_match_len = strlen(string_to_match); 12382| | 12383| | /* In case of failure try the domain name as last resort */ 12384| 11.4k| rc = ndpi_automa_match_string_subprotocol(ndpi_str, string_to_match, string_to_match_len, ret_match); 12385| 11.4k| } 12386| | 12387| 11.6k| category = ret_match->protocol_category; 12388| 11.6k| breed = ret_match->protocol_breed; 12389| | 12390| 11.6k| ret = ndpi_get_custom_category_match(ndpi_str, string_to_match, string_to_match_len, &category, &breed); 12391| 11.6k| if((ret == -1) /* Luck yet */ ------------------ | Branch (12391:6): [True: 11.6k, False: 0] ------------------ 12392| 11.6k| && (ndpi_str->public_domain_suffixes != NULL /* Domains loaded */) ------------------ | Branch (12392:9): [True: 0, False: 11.6k] ------------------ 12393| 
0| && (bkp_len != string_to_match_len /* domain != _string_to_match */) ------------------ | Branch (12393:9): [True: 0, False: 0] ------------------ 12394| 11.6k| ) { 12395| | /* As very last resort we try with the original name and not with the domain */ 12396| 0| ret = ndpi_get_custom_category_match(ndpi_str, bkp, bkp_len, &category, &breed); 12397| 0| } 12398| | 12399| 11.6k| if(ret != -1) { ------------------ | Branch (12399:6): [True: 0, False: 11.6k] ------------------ 12400| 0| ret_match->protocol_category = category; 12401| 0| ret_match->protocol_breed = breed; 12402| 0| rc = master_protocol_id; 12403| 0| } 12404| | 12405| 11.6k| if(update_flow_classification && ret_match->protocol_id != NDPI_PROTOCOL_UNKNOWN ) { ------------------ | Branch (12405:6): [True: 8.88k, False: 2.75k] | Branch (12405:36): [True: 85, False: 8.79k] ------------------ 12406| 85| ndpi_set_detected_protocol(ndpi_str, flow, ret_match->protocol_id, master_protocol_id, NDPI_CONFIDENCE_DPI); 12407| | 12408| 85| if(ret_match->protocol_id == NDPI_PROTOCOL_OOKLA) { ------------------ | Branch (12408:8): [True: 0, False: 85] ------------------ 12409| 0| ookla_add_to_cache(ndpi_str, flow); 12410| 0| } 12411| 85| } 12412| 11.6k| if(!category_or_breed_depends_on_master(master_protocol_id) && ------------------ | Branch (12412:6): [True: 9.40k, False: 2.23k] ------------------ 12413| 9.40k| ret_match->protocol_category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) ------------------ | Branch (12413:6): [True: 85, False: 9.31k] ------------------ 12414| 85| flow->category = ret_match->protocol_category; 12415| 11.6k| if(ret_match->protocol_breed != NDPI_PROTOCOL_UNRATED) ------------------ | Branch (12415:6): [True: 151, False: 11.4k] ------------------ 12416| 151| flow->breed = ret_match->protocol_breed; 12417| | 12418| 11.6k| if(ndpi_str->risky_domain_automa.ac_automa != NULL) { ------------------ | Branch (12418:6): [True: 0, False: 11.6k] ------------------ 12419| 0| u_int32_t proto_id; 12420| 0| 
u_int16_t rc1 = ndpi_match_string_common(ndpi_str->risky_domain_automa.ac_automa, 12421| 0| string_to_match, string_to_match_len, 12422| 0| &proto_id, NULL, NULL); 12423| 0| if(rc1 > 0) { ------------------ | Branch (12423:8): [True: 0, False: 0] ------------------ 12424| 0| if(is_flowrisk_info_enabled(ndpi_str, NDPI_RISKY_DOMAIN)) { ------------------ | Branch (12424:10): [True: 0, False: 0] ------------------ 12425| 0| char str[64] = { '\0' }; 12426| 0| const size_t len = ndpi_min(_string_to_match_len, sizeof(str) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 12427| | 12428| 0| memcpy(str, _string_to_match, len); 12429| 0| str[len] = '\0'; 12430| 0| ndpi_set_risk(ndpi_str, flow, NDPI_RISKY_DOMAIN, str); 12431| 0| } else { 12432| 0| ndpi_set_risk(ndpi_str, flow, NDPI_RISKY_DOMAIN, NULL); 12433| 0| } 12434| 0| } 12435| 0| } 12436| | 12437| | /* Add punycode check */ 12438| 11.6k| if(ndpi_check_punycode_string(string_to_match, string_to_match_len)) { ------------------ | Branch (12438:6): [True: 0, False: 11.6k] ------------------ 12439| 0| if(is_flowrisk_info_enabled(ndpi_str, NDPI_PUNYCODE_IDN)) { ------------------ | Branch (12439:8): [True: 0, False: 0] ------------------ 12440| 0| char str[64] = { '\0' }; 12441| 0| const size_t len = ndpi_min(_string_to_match_len, sizeof(str) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 12442| | 12443| 0| memcpy(str, _string_to_match, len); 12444| 0| str[len] = '\0'; 12445| 0| ndpi_set_risk(ndpi_str, flow, NDPI_PUNYCODE_IDN, str); 12446| 0| } else { 12447| 0| ndpi_set_risk(ndpi_str, flow, NDPI_PUNYCODE_IDN, NULL); 12448| 0| } 12449| 0| } 12450| | 12451| 11.6k| return(rc); 12452| 11.6k|} ndpi_match_hostname_protocol: 12458| 8.83k| u_int16_t master_protocol, char *name, u_int name_len) { 12459| 8.83k| ndpi_protocol_match_result ret_match; 12460| 8.83k| u_int16_t subproto, what_len; 12461| 8.83k| char *what; 12462| | 12463| 8.83k| if(!ndpi_struct) return(0); ------------------ | Branch (12463:6): [True: 0, False: 8.83k] ------------------ 12464| | 12465| 8.83k| if((name_len > 2) && (name[0] == '*') && (name[1] == '.')) ------------------ | Branch (12465:6): [True: 5.81k, False: 3.02k] | Branch (12465:24): [True: 473, False: 5.33k] | Branch (12465:44): [True: 472, False: 1] ------------------ 12466| 472| what = &name[1], what_len = name_len - 1; 12467| 8.36k| else 12468| 8.36k| what = name, what_len = name_len; 12469| | 12470| 8.83k| subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, what, what_len, 12471| 8.83k| &ret_match, master_protocol, 1); 12472| | 12473| 8.83k| if(subproto != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (12473:6): [True: 85, False: 8.75k] ------------------ 12474| 85| return(1); 12475| 85| } else 12476| 8.75k| return(0); 12477| 8.83k|} ndpi_match_bigram: 12494| 552k|int ndpi_match_bigram(const char *str) { 12495| 552k| return ndpi_match_xgram(bigrams_bitmap, 2, str); 12496| 552k|} ndpi_match_impossible_bigram: 12498| 25.0k|int ndpi_match_impossible_bigram(const char *str) { 12499| 25.0k| return ndpi_match_xgram(impossible_bigrams_bitmap, 2, str); 12500| 25.0k|} ndpi_match_trigram: 12504| 8.67k|int ndpi_match_trigram(const char *str) { 12505| 8.67k| return ndpi_match_xgram(trigrams_bitmap, 3, str); 
12506| 8.67k|} ndpi_get_current_time: 12551| 44.6k|{ 12552| 44.6k| if(flow) ------------------ | Branch (12552:6): [True: 44.6k, False: 0] ------------------ 12553| 44.6k| return(flow->last_packet_time_ms / 1000); 12554| | 12555| 0| return 0; 12556| 44.6k|} ndpi_ptree_create: 12599| 21.3k|ndpi_ptree_t *ndpi_ptree_create(void) { 12600| 21.3k| ndpi_ptree_t *tree = (ndpi_ptree_t *) ndpi_malloc(sizeof(ndpi_ptree_t)); 12601| | 12602| 21.3k| if(tree) { ------------------ | Branch (12602:6): [True: 20.9k, False: 415] ------------------ 12603| 20.9k| tree->v4 = ndpi_patricia_new(32); 12604| 20.9k| tree->v6 = ndpi_patricia_new(128); 12605| | 12606| 20.9k| if((!tree->v4) || (!tree->v6)) { ------------------ | Branch (12606:8): [True: 559, False: 20.4k] | Branch (12606:23): [True: 512, False: 19.9k] ------------------ 12607| 1.07k| ndpi_ptree_destroy(tree); 12608| 1.07k| return(NULL); 12609| 1.07k| } 12610| 20.9k| } 12611| | 12612| 20.3k| return(tree); 12613| 21.3k|} ndpi_ptree_destroy: 12617| 20.9k|void ndpi_ptree_destroy(ndpi_ptree_t *tree) { 12618| 20.9k| if(tree) { ------------------ | Branch (12618:6): [True: 20.9k, False: 0] ------------------ 12619| 20.9k| if(tree->v4) ------------------ | Branch (12619:8): [True: 20.4k, False: 559] ------------------ 12620| 20.4k| ndpi_patricia_destroy(tree->v4, free_ptree_data); 12621| | 12622| 20.9k| if(tree->v6) ------------------ | Branch (12622:8): [True: 20.4k, False: 523] ------------------ 12623| 20.4k| ndpi_patricia_destroy(tree->v6, free_ptree_data); 12624| | 12625| 20.9k| ndpi_free(tree); 12626| 20.9k| } 12627| 20.9k|} ndpi_sha256: 12714| 17.1k|void ndpi_sha256(const u_char *data, size_t data_len, u_int8_t sha_hash[32]) { 12715| 17.1k| ndpi_SHA256_CTX sha_ctx; 12716| | 12717| 17.1k| ndpi_sha256_init(&sha_ctx); 12718| 17.1k| ndpi_sha256_update(&sha_ctx, data, data_len); 12719| 17.1k| ndpi_sha256_final(&sha_ctx, sha_hash); 12720| 17.1k|} ends_with: 12738| 48.0k| char *str, char *ends) { 12739| 48.0k| u_int str_len = str ? 
strlen(str) : 0; ------------------ | Branch (12739:19): [True: 48.0k, False: 0] ------------------ 12740| 48.0k| u_int8_t ends_len = strlen(ends); 12741| 48.0k| u_int8_t rc; 12742| | 12743| 48.0k| if(str_len < ends_len) return(0); ------------------ | Branch (12743:6): [True: 20.7k, False: 27.3k] ------------------ 12744| | 12745| 27.3k| rc = (strncmp(&str[str_len-ends_len], ends, ends_len) != 0) ? 0 : 1; ------------------ | Branch (12745:8): [True: 27.2k, False: 30] ------------------ 12746| | 12747| 27.3k| NDPI_LOG_DBG2(ndpi_struct, "[DGA] %s / %s [rc: %u]\n", str, ends, rc); ------------------ | | 597| 27.3k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 12748| | 12749| 27.3k| return(rc); 12750| 48.0k|} ndpi_check_dga_name: 12784| 10.0k| u_int8_t flow_fully_classified) { 12785| | 12786| | /* Get domain name if ndpi_load_domain_suffixes(..) has been called */ 12787| 10.0k| char *name = (char*)ndpi_get_host_domain(ndpi_str, _name); 12788| | 12789| 10.0k| if(ndpi_dga_function != NULL) { ------------------ | Branch (12789:6): [True: 0, False: 10.0k] ------------------ 12790| | /* A custom DGA function is defined */ 12791| 0| int rc = ndpi_dga_function(name, is_hostname); 12792| | 12793| 0| if(rc) { ------------------ | Branch (12793:8): [True: 0, False: 0] ------------------ 12794| 0| if(flow) ------------------ | Branch (12794:10): [True: 0, False: 0] ------------------ 12795| 0| ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, _name); 12796| 0| } 12797| | 12798| 0| return(rc); 12799| 10.0k| } else { 12800| 10.0k| int len, rc = 0, trigram_char_skip = 0; 12801| 10.0k| u_int8_t max_num_char_repetitions = 0, last_char = 0, num_char_repetitions = 0, num_dots = 0, num_trigram_dots = 0; 12802| 10.0k| u_int8_t max_domain_element_len = 0, curr_domain_element_len = 0, first_element_is_numeric = 1; 12803| 10.0k| ndpi_protocol_match_result ret_match; 12804| | 12805| 10.0k| if((!name) ------------------ | Branch (12805:8): 
[True: 0, False: 10.0k] ------------------ 12806| 10.0k| || (strchr(name, '_') != NULL) ------------------ | Branch (12806:11): [True: 620, False: 9.46k] ------------------ 12807| 9.46k| || (strchr(name, '-') != NULL) ------------------ | Branch (12807:11): [True: 313, False: 9.14k] ------------------ 12808| 9.14k| || (ends_with(ndpi_str, name, "in-addr.arpa")) ------------------ | Branch (12808:11): [True: 0, False: 9.14k] ------------------ 12809| 9.14k| || (ends_with(ndpi_str, name, "ip6.arpa")) ------------------ | Branch (12809:11): [True: 2, False: 9.14k] ------------------ 12810| | /* Ignore TLD .local .lan and .home */ 12811| 9.14k| || (ends_with(ndpi_str, name, ".local")) ------------------ | Branch (12811:11): [True: 14, False: 9.13k] ------------------ 12812| 9.13k| || (ends_with(ndpi_str, name, ".lan")) ------------------ | Branch (12812:11): [True: 4, False: 9.12k] ------------------ 12813| 9.12k| || (ends_with(ndpi_str, name, ".home")) ------------------ | Branch (12813:11): [True: 2, False: 9.12k] ------------------ 12814| 10.0k| ) 12815| 955| return(0); 12816| | 12817| 9.12k| if(flow && (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN || flow_fully_classified)) ------------------ | Branch (12817:8): [True: 9.12k, False: 0] | Branch (12817:17): [True: 285, False: 8.84k] | Branch (12817:78): [True: 66, False: 8.77k] ------------------ 12818| 351| return(0); /* Ignore DGA check for protocols already fully detected */ 12819| | 12820| 8.77k| if(check_subproto && ------------------ | Branch (12820:8): [True: 440, False: 8.33k] ------------------ 12821| 440| ndpi_match_string_subprotocol(ndpi_str, name, strlen(name), &ret_match) > 0) ------------------ | Branch (12821:8): [True: 0, False: 440] ------------------ 12822| 0| return(0); /* Ignore DGA for known domain names */ 12823| | 12824| 8.77k| if(ndpi_isdigit(name[0])) { ------------------ | | 2526| 8.77k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch 
(2526:27): [True: 5.74k, False: 3.03k] | | | Branch (2526:42): [True: 47, False: 5.69k] | | ------------------ ------------------ 12825| 47| struct in_addr ip_addr; 12826| | 12827| 47| ip_addr.s_addr = inet_addr(name); 12828| 47| if(strcmp(inet_ntoa(ip_addr), name) == 0) ------------------ | Branch (12828:10): [True: 3, False: 44] ------------------ 12829| 3| return(0); /* Ignore numeric IPs */ 12830| 47| } 12831| | 12832| 8.77k| if(strncmp(name, "www.", 4) == 0) ------------------ | Branch (12832:8): [True: 899, False: 7.87k] ------------------ 12833| 899| name = &name[4]; 12834| | 12835| 8.77k| NDPI_LOG_DBG2(ndpi_str, "[DGA] check %s\n", name); ------------------ | | 597| 8.77k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 12836| | 12837| 8.77k| len = strlen(name); 12838| | 12839| 8.77k| if(len >= 5) { ------------------ | Branch (12839:8): [True: 5.63k, False: 3.13k] ------------------ 12840| 5.63k| int num_found = 0, num_impossible = 0, num_bigram_checks = 0, 12841| 5.63k| num_trigram_found = 0, num_trigram_checked = 0, num_dash = 0, 12842| 5.63k| num_digits = 0, num_vowels = 0, num_trigram_vowels = 0, num_words = 0, skip_next_bigram = 0; 12843| 5.63k| char tmp[128], *word, *tok_tmp; 12844| 5.63k| u_int i, j, max_tmp_len = sizeof(tmp)-1; 12845| | 12846| 5.63k| len = ndpi_snprintf(tmp, max_tmp_len, "%s", name); 12847| | 12848| 5.63k| if(len < 0) { ------------------ | Branch (12848:10): [True: 0, False: 5.63k] ------------------ 12849| 0| NDPI_LOG_DBG2(ndpi_str, "[DGA] too short"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 12850| 0| return(0); 12851| 0| } else 12852| 5.63k| tmp[(u_int)len < max_tmp_len ? 
(u_int)len : max_tmp_len] = '\0'; ------------------ | Branch (12852:6): [True: 5.63k, False: 0] ------------------ 12853| | 12854| 97.2k| for(i=0, j=0; (i<(u_int)len) && (j= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 52.2k, False: 1.36k] | | | Branch (2526:42): [True: 2.72k, False: 49.5k] | | ------------------ ------------------ 12861| 50.8k| first_element_is_numeric = 0; 12862| 53.5k| } 12863| | 12864| 91.6k| if(ndpi_is_vowel(tmp[j])) ------------------ | Branch (12864:5): [True: 26.7k, False: 64.8k] ------------------ 12865| 26.7k| num_vowels++; 12866| | 12867| 91.6k| if(last_char == tmp[j]) { ------------------ | Branch (12867:5): [True: 17.9k, False: 73.6k] ------------------ 12868| 17.9k| if(++num_char_repetitions > max_num_char_repetitions) ------------------ | Branch (12868:7): [True: 11.3k, False: 6.62k] ------------------ 12869| 11.3k| max_num_char_repetitions = num_char_repetitions; 12870| 17.9k| } else 12871| 73.6k| num_char_repetitions = 1, last_char = tmp[j]; 12872| | 12873| 91.6k| if(ndpi_isdigit(tmp[j])) { ------------------ | | 2526| 91.6k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 82.2k, False: 9.37k] | | | Branch (2526:42): [True: 4.92k, False: 77.3k] | | ------------------ ------------------ 12874| 4.92k| num_digits++; 12875| | 12876| 4.92k| if(((j+2)<(u_int)len) && ndpi_isdigit(tmp[j+1]) && (tmp[j+2] == '.')) { ------------------ | | 2526| 9.60k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 3.90k, False: 772] | | | Branch (2526:42): [True: 2.80k, False: 1.10k] | | ------------------ ------------------ | Branch (12876:7): [True: 4.68k, False: 246] | Branch (12876:55): [True: 58, False: 2.74k] ------------------ 12877| | /* Check if there are too many digits */ 12878| 58| if(num_digits < 4) ------------------ | Branch (12878:9): [True: 18, False: 40] ------------------ 12879| 18| return(0); 
/* Double digits */ 12880| 58| } 12881| 4.92k| } 12882| | 12883| 91.6k| switch(tmp[j]) { 12884| 7.10k| case '.': ------------------ | Branch (12884:2): [True: 7.10k, False: 84.5k] ------------------ 12885| 7.10k| case '-': ------------------ | Branch (12885:2): [True: 0, False: 91.6k] ------------------ 12886| 7.10k| case '_': ------------------ | Branch (12886:2): [True: 0, False: 91.6k] ------------------ 12887| 7.60k| case '/': ------------------ | Branch (12887:2): [True: 495, False: 91.1k] ------------------ 12888| 7.70k| case ')': ------------------ | Branch (12888:2): [True: 102, False: 91.5k] ------------------ 12889| 7.88k| case '(': ------------------ | Branch (12889:2): [True: 175, False: 91.4k] ------------------ 12890| 7.91k| case ';': ------------------ | Branch (12890:2): [True: 37, False: 91.5k] ------------------ 12891| 8.25k| case ':': ------------------ | Branch (12891:2): [True: 339, False: 91.2k] ------------------ 12892| 8.44k| case '[': ------------------ | Branch (12892:2): [True: 190, False: 91.4k] ------------------ 12893| 8.47k| case ']': ------------------ | Branch (12893:2): [True: 32, False: 91.6k] ------------------ 12894| 9.40k| case ' ': ------------------ | Branch (12894:2): [True: 922, False: 90.7k] ------------------ 12895| | /* 12896| | Domain/word separator chars 12897| | 12898| | NOTE: 12899| | this function is used also to detect other type of issues 12900| | such as invalid/suspiciuous user agent 12901| | */ 12902| 9.40k| if(curr_domain_element_len > max_domain_element_len) ------------------ | Branch (12902:7): [True: 5.61k, False: 3.78k] ------------------ 12903| 5.61k| max_domain_element_len = curr_domain_element_len; 12904| | 12905| 9.40k| curr_domain_element_len = 0; 12906| 9.40k| break; 12907| | 12908| 82.2k| default: ------------------ | Branch (12908:2): [True: 82.2k, False: 9.40k] ------------------ 12909| 82.2k| curr_domain_element_len++; 12910| 82.2k| break; 12911| 91.6k| } 12912| | 12913| 91.6k| j++; 12914| 
91.6k| } 12915| | 12916| 5.61k| if(num_dots == 0) /* Doesn't look like a domain name */ ------------------ | Branch (12916:10): [True: 1.37k, False: 4.24k] ------------------ 12917| 1.37k| return(0); 12918| | 12919| 4.24k| if(curr_domain_element_len > max_domain_element_len) ------------------ | Branch (12919:10): [True: 363, False: 3.88k] ------------------ 12920| 363| max_domain_element_len = curr_domain_element_len; 12921| | 12922| 4.24k| NDPI_LOG_DBG2(ndpi_str, "[DGA] [max_num_char_repetitions: %u][max_domain_element_len: %u]\n", ------------------ | | 597| 4.24k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 12923| 4.24k| max_num_char_repetitions, max_domain_element_len); 12924| | 12925| 4.24k| if( 12926| 4.24k| (is_hostname ------------------ | Branch (12926:4): [True: 4.24k, False: 0] ------------------ 12927| 4.24k| && (num_dots > 5) ------------------ | Branch (12927:7): [True: 21, False: 4.22k] ------------------ 12928| 21| && (!first_element_is_numeric) ------------------ | Branch (12928:7): [True: 19, False: 2] ------------------ 12929| 4.24k| ) 12930| 4.22k| || (max_num_char_repetitions > 5 /* num or consecutive repeated chars */) ------------------ | Branch (12930:6): [True: 264, False: 3.96k] ------------------ 12931| | /* 12932| | In case of a name with too many consecutive chars an alert is triggered 12933| | This is the case for instance of the wildcard DNS query used by NetBIOS 12934| | (ckaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) and that can be exploited 12935| | for reflection attacks 12936| | - https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/ddos-reflection-netbios-name-server-rpc-portmap-sentinel-udp-threat-advisory.pdf 12937| | - http://ubiqx.org/cifs/NetBIOS.html 12938| | */ 12939| 3.96k| || ((max_domain_element_len >= 19 /* word too long. 
Example bbcbedxhgjmdobdprmen.com */) && ((num_char_repetitions > 1) || (num_digits > 1))) ------------------ | Branch (12939:7): [True: 32, False: 3.93k] | Branch (12939:96): [True: 11, False: 21] | Branch (12939:126): [True: 5, False: 16] ------------------ 12940| 4.24k| ) { 12941| 299| if(flow) { ------------------ | Branch (12941:5): [True: 299, False: 0] ------------------ 12942| 299| ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, _name); 12943| 299| } 12944| | 12945| 299| NDPI_LOG_DBG2(ndpi_str, "[DGA] Found!"); ------------------ | | 597| 299|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 12946| | 12947| 299| return(1); 12948| 299| } 12949| | 12950| 3.94k| tmp[j] = '\0'; 12951| 3.94k| len = j; 12952| | 12953| 3.94k| u_int max_num_consecutive_digits_first_word = 0, num_word = 0; 12954| | 12955| 11.8k| for(word = strtok_r(tmp, ".", &tok_tmp); ; word = strtok_r(NULL, ".", &tok_tmp)) { 12956| 11.8k| u_int num_consecutive_digits = 0, word_len; 12957| | 12958| 11.8k| if(!word) break; else num_word++; ------------------ | Branch (12958:5): [True: 1.57k, False: 10.2k] ------------------ 12959| | 12960| 10.2k| num_words++; 12961| | 12962| 10.2k| if(num_words > 2) ------------------ | Branch (12962:5): [True: 2.37k, False: 7.89k] ------------------ 12963| 2.37k| break; /* Stop after the 2nd word of the domain name */ 12964| | 12965| 7.89k| if((word_len = strlen(word)) < 5) continue; ------------------ | Branch (12965:5): [True: 5.78k, False: 2.10k] ------------------ 12966| | 12967| 2.10k| if((word_len < 10) && (ends_with(ndpi_str, word, "cdn") /* Content Delivery Network ? 
*/)) ------------------ | Branch (12967:5): [True: 424, False: 1.68k] | Branch (12967:24): [True: 2, False: 422] ------------------ 12968| 2| continue; /* Ignore names (not too long) that end with cdn [ ssl.p.jwpcdn.com or www.awxcdn.com ] */ 12969| | 12970| 2.10k| NDPI_LOG_DBG2(ndpi_str, "[DGA] word(%s) [%s][len: %u]\n", word, name, (unsigned int)strlen(word)); ------------------ | | 597| 2.10k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 12971| | 12972| 2.10k| trigram_char_skip = 0; 12973| | 12974| 27.3k| for(i = 0; word[i+1] != '\0'; i++) { ------------------ | Branch (12974:13): [True: 25.2k, False: 2.10k] ------------------ 12975| 25.2k| if(ndpi_isdigit(word[i])) ------------------ | | 2526| 25.2k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 24.8k, False: 340] | | | Branch (2526:42): [True: 2.00k, False: 22.8k] | | ------------------ ------------------ 12976| 2.00k| num_consecutive_digits++; 12977| 23.2k| else { 12978| 23.2k| if((num_word == 1) && (num_consecutive_digits > max_num_consecutive_digits_first_word)) ------------------ | Branch (12978:9): [True: 19.4k, False: 3.76k] | Branch (12978:28): [True: 671, False: 18.7k] ------------------ 12979| 671| max_num_consecutive_digits_first_word = num_consecutive_digits; 12980| | 12981| 23.2k| num_consecutive_digits = 0; 12982| 23.2k| } 12983| | 12984| 25.2k| switch(word[i]) { ------------------ | Branch (12984:11): [True: 162, False: 25.0k] ------------------ 12985| 0| case '-': ------------------ | Branch (12985:4): [True: 0, False: 25.2k] ------------------ 12986| 0| num_dash++; 12987| | /* 12988| | Let's check for double+consecutive -- 12989| | that are usually ok 12990| | r2---sn-uxaxpu5ap5-2n5e.gvt1.com 12991| | */ 12992| 0| if(word[i+1] == '-') ------------------ | Branch (12992:9): [True: 0, False: 0] ------------------ 12993| 0| return(0); /* Double dash */ 12994| 0| continue; 12995| | 12996| 0| 
case '_': ------------------ | Branch (12996:4): [True: 0, False: 25.2k] ------------------ 12997| 162| case ':': ------------------ | Branch (12997:4): [True: 162, False: 25.0k] ------------------ 12998| 162| continue; 12999| 0| break; 13000| | 13001| 0| case '.': ------------------ | Branch (13001:4): [True: 0, False: 25.2k] ------------------ 13002| 0| continue; 13003| 0| break; 13004| 25.2k| } 13005| | 13006| 25.0k| num_bigram_checks++; 13007| | 13008| 25.0k| NDPI_LOG_DBG2(ndpi_str, "[DGA] checking %c%c\n", word[i], word[i+1]); ------------------ | | 597| 25.0k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13009| | 13010| 25.0k| if(ndpi_match_impossible_bigram(&word[i])) { ------------------ | Branch (13010:7): [True: 633, False: 24.4k] ------------------ 13011| 633| NDPI_LOG_DBG2(ndpi_str, "[DGA] IMPOSSIBLE %s\n", &word[i]); ------------------ | | 597| 633|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13012| | 13013| 633| num_impossible++; 13014| 24.4k| } else { 13015| 24.4k| if(!skip_next_bigram) { ------------------ | Branch (13015:9): [True: 14.6k, False: 9.77k] ------------------ 13016| 14.6k| if(ndpi_match_bigram(&word[i])) { ------------------ | Branch (13016:11): [True: 10.6k, False: 4.01k] ------------------ 13017| 10.6k| num_found++, skip_next_bigram = 1; 13018| 10.6k| } 13019| 14.6k| } else 13020| 9.77k| skip_next_bigram = 0; 13021| 24.4k| } 13022| | 13023| 25.0k| if((num_trigram_dots < 2) && (word[i+2] != '\0')) { ------------------ | Branch (13023:7): [True: 25.0k, False: 0] | Branch (13023:33): [True: 22.9k, False: 2.10k] ------------------ 13024| 22.9k| NDPI_LOG_DBG2(ndpi_str, "[DGA] %s [trigram_char_skip: %u]\n", &word[i], trigram_char_skip); ------------------ | | 597| 22.9k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 13025| | 13026| 22.9k| if(ndpi_is_trigram_char(word[i]) && ndpi_is_trigram_char(word[i+1]) && ndpi_is_trigram_char(word[i+2])) { ------------------ | Branch (13026:9): [True: 21.0k, False: 1.88k] | Branch (13026:42): [True: 20.3k, False: 709] | Branch (13026:77): [True: 19.5k, False: 837] ------------------ 13027| 19.5k| if(trigram_char_skip) { ------------------ | Branch (13027:11): [True: 10.8k, False: 8.67k] ------------------ 13028| 10.8k| trigram_char_skip--; 13029| 10.8k| } else { 13030| 8.67k| num_trigram_checked++; 13031| | 13032| 8.67k| if(ndpi_match_trigram(&word[i])) ------------------ | Branch (13032:6): [True: 6.65k, False: 2.02k] ------------------ 13033| 6.65k| num_trigram_found++, trigram_char_skip = 2 /* 1 char overlap */; 13034| 2.02k| else 13035| 2.02k| NDPI_LOG_DBG2(ndpi_str, "[DGA] NO Trigram %c%c%c\n", word[i], word[i+1], word[i+2]); ------------------ | | 597| 2.02k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13036| | 13037| | /* Count vowels */ 13038| 8.67k| num_trigram_vowels += ndpi_is_vowel(word[i]) + ndpi_is_vowel(word[i+1]) + ndpi_is_vowel(word[i+2]); 13039| 8.67k| } 13040| 19.5k| } else { 13041| 3.43k| if(word[i] == '.') ------------------ | Branch (13041:11): [True: 0, False: 3.43k] ------------------ 13042| 0| num_trigram_dots++; 13043| | 13044| 3.43k| trigram_char_skip = 0; 13045| 3.43k| } 13046| 22.9k| } 13047| 25.0k| } /* for */ 13048| | 13049| 2.10k| if((num_word == 1) && (num_consecutive_digits > max_num_consecutive_digits_first_word)) ------------------ | Branch (13049:5): [True: 1.65k, False: 451] | Branch (13049:24): [True: 5, False: 1.64k] ------------------ 13050| 5| max_num_consecutive_digits_first_word = num_consecutive_digits; 13051| 2.10k| } /* for */ 13052| | 13053| 3.94k| NDPI_LOG_DBG2(ndpi_str, "[DGA] max_num_consecutive_digits_first_word=%u\n", max_num_consecutive_digits_first_word); ------------------ | | 597| 
3.94k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13054| | 13055| 3.94k| NDPI_LOG_DBG2(ndpi_str, "[DGA] [%s][num_found: %u][num_impossible: %u][num_digits: %u][num_bigram_checks: %u][num_vowels: %u/%u][num_trigram_vowels: %u][num_trigram_found: %u/%u][vowels: %u][rc: %u]\n", ------------------ | | 597| 3.94k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13056| 3.94k| name, num_found, num_impossible, num_digits, num_bigram_checks, num_vowels, len, num_trigram_vowels, 13057| 3.94k| num_trigram_checked, num_trigram_found, num_vowels, rc); 13058| | 13059| 3.94k| if((len > 16) && (num_dots < 3) && ((num_vowels*4) < (len-num_dots))) { ------------------ | Branch (13059:10): [True: 1.68k, False: 2.26k] | Branch (13059:24): [True: 1.67k, False: 13] | Branch (13059:42): [True: 70, False: 1.60k] ------------------ 13060| 70| if((num_trigram_checked > 2) && (num_trigram_vowels >= (num_trigram_found-1))) ------------------ | Branch (13060:5): [True: 60, False: 10] | Branch (13060:34): [True: 59, False: 1] ------------------ 13061| 59| ; /* skip me */ 13062| 11| else 13063| 11| rc = 1; 13064| 70| } 13065| | 13066| 3.94k| if(num_bigram_checks ------------------ | Branch (13066:10): [True: 2.05k, False: 1.89k] ------------------ 13067| | /* We already checked num_dots > 0 */ 13068| 2.05k| && ((num_found == 0) || ((num_digits > 5) && (num_words <= 3) && (num_impossible > 0)) ------------------ | Branch (13068:7): [True: 106, False: 1.95k] | Branch (13068:28): [True: 16, False: 1.93k] | Branch (13068:48): [True: 16, False: 0] | Branch (13068:68): [True: 4, False: 12] ------------------ 13069| 1.94k| || enough(num_found, num_impossible) ------------------ | Branch (13069:10): [True: 24, False: 1.92k] ------------------ 13070| 1.92k| || ((num_trigram_checked > 2) ------------------ | Branch (13070:11): [True: 1.26k, False: 656] ------------------ 13071| 1.26k| && ((num_trigram_found < 
(num_trigram_checked/2)) ------------------ | Branch (13071:8): [True: 183, False: 1.08k] ------------------ 13072| 1.08k| || ((num_trigram_vowels < (num_trigram_found-1)) && (num_dash == 0) && (num_dots > 1) && (num_impossible > 0))) ------------------ | Branch (13072:12): [True: 3, False: 1.08k] | Branch (13072:60): [True: 3, False: 0] | Branch (13072:79): [True: 1, False: 2] | Branch (13072:97): [True: 0, False: 1] ------------------ 13073| 1.92k| ) 13074| 2.05k| ) 13075| 3.94k| ) 13076| 317| rc = 1; 13077| | 13078| 3.94k| if((num_trigram_checked > 2) && (num_vowels == 0)) ------------------ | Branch (13078:10): [True: 1.30k, False: 2.64k] | Branch (13078:39): [True: 4, False: 1.29k] ------------------ 13079| 4| rc = 1; 13080| | 13081| 3.94k| if(num_dash > 2) ------------------ | Branch (13081:10): [True: 0, False: 3.94k] ------------------ 13082| 0| rc = 0; 13083| | 13084| | /* Skip names whose first word item has at least 3 consecutive digits */ 13085| 3.94k| if(max_num_consecutive_digits_first_word > 2) ------------------ | Branch (13085:10): [True: 157, False: 3.79k] ------------------ 13086| 157| rc = 0; 13087| | 13088| 3.94k| if(rc) ------------------ | Branch (13088:10): [True: 322, False: 3.62k] ------------------ 13089| 322| NDPI_LOG_DBG2(ndpi_str, "[DGA] %s [num_found: %u][num_impossible: %u]\n", ------------------ | | 597| 322|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13090| 3.94k| name, num_found, num_impossible); 13091| 3.94k| } 13092| | 13093| 7.08k| NDPI_LOG_DBG2(ndpi_str, "[DGA] Result: %u\n", rc); ------------------ | | 597| 7.08k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 13094| | 13095| 7.08k| if(rc && flow) ------------------ | Branch (13095:8): [True: 322, False: 6.76k] | Branch (13095:14): [True: 322, False: 0] ------------------ 13096| 322| ndpi_set_risk(ndpi_str, flow, NDPI_SUSPICIOUS_DGA_DOMAIN, _name); 13097| | 13098| 7.08k| return(rc); 13099| 8.77k| } 13100| 10.0k|} /* Review note: returns the address of the ndpi_known_risks[] entry selected by risk. The value is used as an array index with no range check in this function, so callers must pass only a valid ndpi_risk_enum; a value derived from external data needs to be validated before the call. */ ndpi_risk2severity: 13104| 55.8k|ndpi_risk_info* ndpi_risk2severity(ndpi_risk_enum risk) { 13105| 55.8k| return(&ndpi_known_risks[risk]); 13106| 55.8k|} /* Review note (the start of the signature is not shown in this listing): copies at most sizeof(flow->host_server_name) - 1 bytes of value into flow->host_server_name, NUL-terminates the buffer and returns it. When value_len exceeds that limit the LAST len bytes of value are kept (source index value_len - len), not the first ones. With normalize == 0 the bytes are copied unchanged; otherwise copying stops at the first NUL byte and each byte is transformed according to the NDPI_HOSTNAME_NORM_* bits set in normalize. */ ndpi_hostname_sni_set: 13129| 11.1k| int normalize) { 13130| 11.1k| char *dst, *double_column; 13131| 11.1k| size_t len, i; 13132| | 13133| 11.1k| len = ndpi_min(value_len, sizeof(flow->host_server_name) - 1); ------------------ | | 113| 11.1k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 10.4k, False: 660] | | ------------------ ------------------ 13134| 11.1k| dst = flow->host_server_name; 13135| | 13136| 11.1k| if(!normalize) { ------------------ | Branch (13136:6): [True: 0, False: 11.1k] ------------------ 13137| 0| memcpy(dst,&value[value_len - len],len); 13138| 0| dst[len] = '\0'; 13139| 11.1k| } else { 13140| 148k| for(i = 0; i < len; i++) { ------------------ | Branch (13140:16): [True: 137k, False: 10.4k] ------------------ 13141| 137k| char c = value[value_len - len + i]; 13142| 137k| if(!c) break; ------------------ | Branch (13142:10): [True: 713, False: 137k] ------------------ 13143| 137k| if(normalize & NDPI_HOSTNAME_NORM_LC) c = tolower(c); /* NOTE(review): c is a plain char; where char is signed, a byte >= 0x80 reaches tolower() as a negative value, which the C standard leaves undefined for the ctype functions. Casting to unsigned char first would avoid that, assuming this is the libc tolower - confirm */ ------------------ | | 512| 137k|#define NDPI_HOSTNAME_NORM_LC 1 ------------------ | Branch (13143:10): [True: 137k, False: 0] | Branch (13143:49): [True: 0, False: 0] | Branch (13143:49): [True: 0, False: 0] | Branch (13143:49): [Folded, False: 137k] ------------------ 13144| 137k| if(normalize & NDPI_HOSTNAME_NORM_REPLACE_IC) { ------------------ | | 513| 137k|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 ------------------ | Branch (13144:10): [True: 122k,
False: 14.6k] ------------------ 13145| 122k| if (c == '\t') c = ' '; ------------------ | Branch (13145:13): [True: 112, False: 122k] ------------------ 13146| 122k| if (ndpi_isprint(c) == 0) ------------------ | | 2529| 122k|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 111k, False: 11.0k] | | | Branch (2529:43): [True: 111k, False: 24] | | ------------------ ------------------ | Branch (13146:13): [True: 11.1k, False: 111k] ------------------ 13147| 11.1k| c = '?'; /* with NDPI_HOSTNAME_NORM_REPLACE_IC every byte outside 0x20..0x7e (control characters and, whatever the signedness of char, bytes >= 0x80) is stored as a question mark; without that bit such bytes are stored unchanged, so code that logs or exports host_server_name has to escape it itself */ 13148| 122k| } 13149| 137k| dst[i] = c; 13150| 137k| } 13151| | 13152| 11.1k| dst[i] = '\0'; /* i never exceeds len, and len was capped at sizeof(flow->host_server_name) - 1, so the terminator stays inside the buffer */ 13153| 11.1k| if(normalize & NDPI_HOSTNAME_NORM_STRIP_PORT) { ------------------ | | 515| 11.1k|#define NDPI_HOSTNAME_NORM_STRIP_PORT 8 /* Used by SSDP/HTTP, for the time being */ ------------------ | Branch (13153:8): [True: 1.48k, False: 9.66k] ------------------ 13154| | /* Skip port in "239.255.255.250:1900", "[ff02::c]:1900" or "domain.com:1900" */ 13155| 1.48k| double_column = strrchr(dst, ':'); 13156| 1.48k| if(double_column) { ------------------ | Branch (13156:10): [True: 688, False: 798] ------------------ 13157| 688| if(dst[0] == '[' && ------------------ | Branch (13157:12): [True: 2, False: 686] ------------------ 13158| 2| dst[double_column - dst - 1] == ']' && /* the index cannot be -1: dst[0] was just checked to be an opening bracket, so the colon found by strrchr() is not the first byte */ ------------------ | Branch (13158:12): [True: 0, False: 2] ------------------ 13159| 0| is_valid_port(double_column + 1)) { ------------------ | Branch (13159:12): [True: 0, False: 0] ------------------ 13160| 0| *double_column = '\0'; 13161| 0| i = double_column - dst; 13162| 688| } else { 13163| | /* It can still be a literal IPV6 address (without port)*/ 13164| 688| struct in6_addr addr6; 13165| | 13166| 688| if(inet_pton(AF_INET6, dst, &addr6) != 1 && ------------------ | Branch (13166:14): [True: 688, False: 0] ------------------ 13167| 688| is_valid_port(double_column + 1)) { ------------------ | Branch (13167:14): [True: 452, False: 236] ------------------ 13168| 452|
*double_column = '\0'; 13169| 452| i = double_column - dst; 13170| 452| } 13171| 688| } 13172| 688| } 13173| | 13174| 1.48k| } 13175| 11.1k| if(normalize & NDPI_HOSTNAME_NORM_STRIP_EOLSP) { ------------------ | | 514| 11.1k|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 ------------------ | Branch (13175:8): [True: 10.4k, False: 660] ------------------ 13176| | /* Removing spaces at the end of a line */ 13177| 10.5k| while(i > 0 && dst[i-1] == ' ') ------------------ | Branch (13177:13): [True: 7.06k, False: 3.49k] | Branch (13177:22): [True: 71, False: 6.99k] ------------------ 13178| 71| dst[--i] = '\0'; 13179| 10.4k| } 13180| 11.1k| } 13181| | 13182| 11.1k| NDPI_DTRACE2(hostname_set, dst, flow); ------------------ | | 34| 11.1k| #define NDPI_DTRACE2(name, a, b) ((void)0) ------------------ 13183| | 13184| 11.1k| return dst; 13185| 11.1k|} /* Review note (the start of the signature is not shown in this listing): stores a NUL-terminated heap copy of the value_len bytes at value in flow->http.user_agent and returns that pointer. Returns NULL and leaves the flow unchanged when a user agent is already set or value_len is 0; also returns NULL when ndpi_malloc() fails. */ ndpi_user_agent_set: 13190| 213| const u_int8_t *value, size_t value_len) { 13191| 213| if(flow->http.user_agent != NULL) { ------------------ | Branch (13191:6): [True: 10, False: 203] ------------------ 13192| | /* Already set: ignore double set */ 13193| 10| return NULL; 13194| 10| } 13195| 203| if(value_len == 0) { ------------------ | Branch (13195:6): [True: 0, False: 203] ------------------ 13196| 0| return NULL; 13197| 0| } 13198| | 13199| 203| flow->http.user_agent = ndpi_malloc(value_len + 1); /* NOTE(review): value_len + 1 would wrap to 0 for value_len == SIZE_MAX and the memcpy below would then overrun the allocation; presumably callers bound value_len by the packet length - confirm */ 13200| 203| if(flow->http.user_agent != NULL) { ------------------ | Branch (13200:6): [True: 185, False: 18] ------------------ 13201| 185| memcpy(flow->http.user_agent, value, value_len); 13202| 185| flow->http.user_agent[value_len] = '\0'; /* the copy is length-based, so a NUL byte inside value is kept and string functions applied later see only the part before it */ 13203| 185| } 13204| | 13205| 203| return flow->http.user_agent; 13206| 203|} /* Review note (the signature is not shown in this listing): returns 0 for a TCP flow on which any of seen_syn, seen_syn_ack or seen_ack is still 0, and 1 in every other case, including flows whose l4_proto is not IPPROTO_TCP. */ ndpi_seen_flow_beginning: 13211| 42.7k|{ 13212| 42.7k| if(flow->l4_proto == IPPROTO_TCP && ------------------ | Branch (13212:6): [True: 42.7k, False: 0] ------------------ 13213| 42.7k| (flow->l4.tcp.seen_syn == 0 || flow->l4.tcp.seen_syn_ack == 0 || ------------------ | Branch (13213:7): [True: 26.3k, False: 16.3k] |
Branch (13213:37): [True: 14.8k, False: 1.51k] ------------------ 13214| 1.51k| flow->l4.tcp.seen_ack == 0)) ------------------ | Branch (13214:7): [True: 73, False: 1.44k] ------------------ 13215| 41.2k| return 0; 13216| 1.44k| return 1; 13217| 42.7k|} /* Stores the caller-supplied user_data pointer in ndpi_str->user_data and does nothing when ndpi_str is NULL. A pointer that is already set is overwritten after an error log; the previous value is not released in this function. */ ndpi_set_user_data: 13221| 7.15k|void ndpi_set_user_data(struct ndpi_detection_module_struct *ndpi_str, void *user_data) { 13222| 7.15k| if (ndpi_str == NULL) ------------------ | Branch (13222:7): [True: 0, False: 7.15k] ------------------ 13223| 0| return; 13224| | 13225| 7.15k| if (ndpi_str->user_data != NULL) ------------------ | Branch (13225:7): [True: 0, False: 7.15k] ------------------ 13226| 0| NDPI_LOG_ERR(ndpi_str, "%s", "User data is already set. Overwriting.") ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 13227| | 13228| 7.15k| ndpi_str->user_data = user_data; 13229| 7.15k|} /* Sets bit number bit in the bitmask: word bit / 32 of b->fds, position bit % 32. NOTE(review): the word index is not compared with the size of fds in this function, so the caller has to guarantee that bit is below the capacity of the bitmask. */ ndpi_main.c:dissector_bitmask_set: 287| 2.35M|static void dissector_bitmask_set(struct ndpi_dissector_bitmask *b, u_int16_t bit) { 288| 2.35M| b->fds[bit / 32] |= (1ul << (bit % 32)); 289| 2.35M|} /* Review note (the start of the signature is not shown in this listing): thin wrapper that adds value to the host automaton ndpi_str->host_automa.ac_automa through string_to_automa(), passing 1 as the final argument and returning that call's result. NOTE(review): the debug log is guarded by #ifndef NDPI_ENABLE_DEBUG_MESSAGES, which looks inverted; it has no effect in this build because NDPI_LOG_DBG2 expands to an empty block - confirm the intent. */ ndpi_main.c:ndpi_add_host_url_subprotocol: 921| 11.7M| ndpi_protocol_breed_t breed, u_int8_t level) { 922| 11.7M|#ifndef NDPI_ENABLE_DEBUG_MESSAGES 923| 11.7M| NDPI_LOG_DBG2(ndpi_str, "[NDPI] Adding [%s][%d]\n", value, protocol_id); ------------------ | | 597| 11.7M|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 924| 11.7M|#endif 925| | 926| 11.7M| return string_to_automa((AC_AUTOMATA_t *)ndpi_str->host_automa.ac_automa, 927| 11.7M| value, protocol_id, category, breed, level, 1); 928| | 929| 11.7M|} /* Review note (the start of the signature is not shown in this listing): duplicates value, describes it in an AC_PATTERN_t and adds it to ac_automa. Returns -2 when ac_automa or value is NULL, when value is empty, or when ac_automata_add() fails for a reason other than ACERR_DUPLICATE_PATTERN; -1 when ndpi_strdup() fails; 0 on success and for a duplicate pattern. The duplicate is freed on every add failure; on success it is not freed here and presumably stays referenced by the automaton - confirm who releases it. */ ndpi_main.c:string_to_automa: 872| 11.7M| u_int8_t add_ends_with) { 873| 11.7M| AC_PATTERN_t ac_pattern; 874| 11.7M| AC_ERROR_t rc; 875| 11.7M| u_int len; 876| 11.7M| char *value_dup = NULL; 877| | 878| 11.7M| if((ac_automa == NULL) || (value == NULL) || !*value) ------------------ | Branch (878:6): [True: 1.21M, False: 10.5M] | Branch (878:29): [True: 0, False: 10.5M] | Branch (878:48): [True: 0, False: 10.5M] ------------------ 879| 1.21M| return(-2); 880| | 881| 10.5M| value_dup = ndpi_strdup(value); 882| 10.5M| if(!value_dup) ------------------ | Branch (882:6): [True: 661k, False: 9.86M] ------------------ 883| 661k| return(-1); 884| | 885| 9.86M| memset(&ac_pattern, 0, sizeof(ac_pattern)); 886| | 887| 9.86M| len = strlen(value); 888| | 889| 9.86M| ac_pattern.astring = value_dup; 890| 9.86M| ac_pattern.length = len; 891| 9.86M| ac_pattern.rep.number = protocol_id; 892| 9.86M| ac_pattern.rep.category = (u_int16_t) category; 893| 9.86M| ac_pattern.rep.breed = (u_int16_t) breed; 894| 9.86M| ac_pattern.rep.level = level ? level : ndpi_domain_level(value); ------------------ | Branch (894:29): [True: 5.87k, False: 9.85M] ------------------ 895| 9.86M| ac_pattern.rep.at_end = add_ends_with && !ndpi_is_middle_string_char(value[len-1]); /* len != 0 */ ------------------ | Branch (895:29): [True: 9.86M, False: 0] | Branch (895:46): [True: 9.49M, False: 373k] ------------------ 896| 9.86M| ac_pattern.rep.dot = memchr(value,'.',len) != NULL; 897| | 898| |#ifdef MATCH_DEBUG 899| | printf("Adding to %s %lx [%s%s][protocol_id: %u][category: %u][breed: %u][level: %u]\n", 900| | ac_automa->name,(unsigned long int)ac_automa, 901| | ac_pattern.astring,ac_pattern.rep.at_end?
"$":"", protocol_id, category, breed,ac_pattern.rep.level); 902| |#endif 903| | 904| 9.86M| rc = ac_automata_add(ac_automa, &ac_pattern); 905| | 906| 9.86M| if(rc != ACERR_SUCCESS) { ------------------ | Branch (906:6): [True: 6.14M, False: 3.72M] ------------------ 907| 6.14M| ndpi_free(value_dup); /* released on every failure path, duplicates included, so a rejected add does not leak the copy */ 908| | 909| 6.14M| if(rc != ACERR_DUPLICATE_PATTERN) ------------------ | Branch (909:8): [True: 6.14M, False: 0] ------------------ 910| 6.14M| return (-2); 911| 6.14M| } 912| | 913| 3.72M| return(0); 914| 9.86M|} /* Returns 1 when c is a dot or a dash and 0 for any other character; string_to_automa() uses it on the last character of a pattern to decide whether rep.at_end is set. */ ndpi_main.c:ndpi_is_middle_string_char: 827| 9.86M|static u_int8_t ndpi_is_middle_string_char(char c) { 828| 9.86M| switch(c) { 829| 344k| case '.': ------------------ | Branch (829:3): [True: 344k, False: 9.52M] ------------------ 830| 373k| case '-': ------------------ | Branch (830:3): [True: 29.6k, False: 9.83M] ------------------ 831| 373k| return(1); 832| | 833| 9.49M| default: ------------------ | Branch (833:3): [True: 9.49M, False: 373k] ------------------ 834| 9.49M| return(0); 835| 9.86M| } 836| 9.86M|} /* Builds a prefix from addr and bits and passes it to ndpi_patricia_lookup(), returning the node from that call unchecked. addr is read as struct in_addr when family == AF_INET and as struct in6_addr for EVERY other family value, so callers must pass only AF_INET or AF_INET6 together with a buffer of the matching size. NOTE(review): bits is not range-checked here; whether the ndpi_fill_prefix helpers validate it against tree->maxbits is not visible - confirm. */ ndpi_main.c:add_to_ptree: 3465| 310M|static ndpi_patricia_node_t* add_to_ptree(ndpi_patricia_tree_t *tree, int family, void *addr, int bits) { 3466| 310M| ndpi_prefix_t prefix; 3467| 310M| ndpi_patricia_node_t *node; 3468| | 3469| 310M| if(family == AF_INET) ------------------ | Branch (3469:6): [True: 183M, False: 127M] ------------------ 3470| 183M| ndpi_fill_prefix_v4(&prefix, (struct in_addr *) addr, bits, tree->maxbits); 3471| 127M| else 3472| 127M| ndpi_fill_prefix_v6(&prefix, (struct in6_addr *) addr, bits, tree->maxbits); 3473| | 3474| 310M| node = ndpi_patricia_lookup(tree, &prefix); 3475| | /* if(node) memset(&node->value, 0, sizeof(node->value)); */ 3476| | 3477| 310M| return(node); 3478| 310M|} ndpi_main.c:init_protocol_defaults: 1214| 7.17k|static void init_protocol_defaults(struct ndpi_detection_module_struct *ndpi_str) { 1215| 7.17k| ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; 1216| | 1217| 7.17k|
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNRATED, NDPI_PROTOCOL_UNKNOWN, 1218| 7.17k| "Unknown", NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1219| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1220| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1221| 7.17k| 0); 1222| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_FTP_CONTROL, 1223| 7.17k| "FTP_CONTROL", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1224| 7.17k| ndpi_build_default_ports(ports_a, 21, 0, 0, 0, 0) /* TCP */, 1225| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1226| 7.17k| 0); 1227| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FTP_DATA, 1228| 7.17k| "FTP_DATA", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1229| 7.17k| ndpi_build_default_ports(ports_a, 20, 0, 0, 0, 0) /* TCP */, 1230| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1231| 7.17k| 0); 1232| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_MAIL_POP, 1233| 7.17k| "POP3", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1234| 7.17k| ndpi_build_default_ports(ports_a, 110, 0, 0, 0, 0) /* TCP */, 1235| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1236| 7.17k| 0); 1237| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MAIL_POPS, 1238| 7.17k| "POPS", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1239| 7.17k| ndpi_build_default_ports(ports_a, 995, 0, 0, 0, 0) /* TCP */, 1240| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1241| 7.17k| 0); 1242| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 
/* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MAIL_SMTP, 1243| 7.17k| "SMTP", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1244| 7.17k| ndpi_build_default_ports(ports_a, 25, 587, 0, 0, 0) /* TCP */, 1245| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1246| 7.17k| 0); 1247| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MAIL_SMTPS, 1248| 7.17k| "SMTPS", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1249| 7.17k| ndpi_build_default_ports(ports_a, 465, 0, 0, 0, 0) /* TCP */, 1250| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1251| 7.17k| 0); 1252| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_MAIL_IMAP, 1253| 7.17k| "IMAP", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1254| 7.17k| ndpi_build_default_ports(ports_a, 143, 0, 0, 0, 0) /* TCP */, 1255| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1256| 7.17k| 0); 1257| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MAIL_IMAPS, 1258| 7.17k| "IMAPS", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1259| 7.17k| ndpi_build_default_ports(ports_a, 993, 0, 0, 0, 0) /* TCP */, 1260| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1261| 7.17k| 0); 1262| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DNS, 1263| 7.17k| "DNS", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1264| 7.17k| ndpi_build_default_ports(ports_a, 53, 0, 0, 0, 0) /* TCP */, 1265| 7.17k| ndpi_build_default_ports(ports_b, 53, 0, 0, 0, 0) /* UDP */, 1266| 7.17k| 0); 1267| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_DNS, 1268| 7.17k| 
NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1269| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_DNS can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1270| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IPP, 1271| 7.17k| "IPP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1272| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1273| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1274| 7.17k| 0); 1275| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IMO, 1276| 7.17k| "IMO", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1277| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1278| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1279| 7.17k| 0); 1280| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP, 1281| 7.17k| "HTTP", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1282| 7.17k| ndpi_build_default_ports(ports_a, 80, 0 /* ntop */, 0, 0, 0) /* TCP */, 1283| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1284| 7.17k| 0); 1285| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP, 1286| 7.17k| NDPI_PROTOCOL_WEBSOCKET, 1287| 7.17k| NDPI_PROTOCOL_CROSSFIRE, NDPI_PROTOCOL_SOAP, 1288| 7.17k| NDPI_PROTOCOL_BITTORRENT, 1289| 7.17k| NDPI_PROTOCOL_ZATTOO, 1290| 7.17k| NDPI_PROTOCOL_IRC, 1291| 7.17k| NDPI_PROTOCOL_IPP, 1292| 7.17k| NDPI_PROTOCOL_MPEGDASH, 1293| 7.17k| NDPI_PROTOCOL_RTSP, 1294| 7.17k| NDPI_PROTOCOL_APACHE_THRIFT, 1295| 7.17k| NDPI_PROTOCOL_JSON_RPC, 1296| 7.17k| NDPI_PROTOCOL_HL7, 
1297| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1298| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_HTTP can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1299| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MDNS, 1300| 7.17k| "MDNS", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1301| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1302| 7.17k| ndpi_build_default_ports(ports_b, 5353, 5354, 0, 0, 0) /* UDP */, 1303| 7.17k| 0); 1304| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_MDNS, 1305| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1306| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_MDNS can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1307| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NTP, 1308| 7.17k| "NTP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1309| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1310| 7.17k| ndpi_build_default_ports(ports_b, 123, 0, 0, 0, 0) /* UDP */, 1311| 7.17k| 0); 1312| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NETBIOS, 1313| 7.17k| "NetBIOS", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1314| 7.17k| ndpi_build_default_ports(ports_a, 139, 0, 0, 0, 0) /* TCP */, 1315| 7.17k| ndpi_build_default_ports(ports_b, 137, 138, 139, 0, 0) /* UDP */, 1316| 7.17k| 0); 1317| 7.17k| 
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NFS, 1318| 7.17k| "NFS", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1319| 7.17k| ndpi_build_default_ports(ports_a, 2049, 0, 0, 0, 0) /* TCP */, 1320| 7.17k| ndpi_build_default_ports(ports_b, 2049, 0, 0, 0, 0) /* UDP */, 1321| 7.17k| 0); 1322| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSDP, 1323| 7.17k| "SSDP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1324| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1325| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1326| 7.17k| 0); 1327| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BGP, 1328| 7.17k| "BGP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1329| 7.17k| ndpi_build_default_ports(ports_a, 179, 2605, 0, 0, 0) /* TCP */, 1330| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1331| 7.17k| 0); 1332| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SNMP, 1333| 7.17k| "SNMP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1334| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1335| 7.17k| ndpi_build_default_ports(ports_b, 161, 162, 0, 0, 0) /* UDP */, 1336| 7.17k| 0); 1337| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_XDMCP, 1338| 7.17k| "XDMCP", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1339| 7.17k| ndpi_build_default_ports(ports_a, 177, 0, 0, 0, 0) /* TCP */, 1340| 7.17k| ndpi_build_default_ports(ports_b, 177, 0, 0, 0, 0) /* UDP */, 1341| 7.17k| 0); 1342| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 
/* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_DANGEROUS, NDPI_PROTOCOL_SMBV1, 1343| 7.17k| "SMBv1", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1344| 7.17k| ndpi_build_default_ports(ports_a, 445, 0, 0, 0, 0) /* TCP */, 1345| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1346| 7.17k| 0); 1347| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SYSLOG, 1348| 7.17k| "Syslog", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1349| 7.17k| ndpi_build_default_ports(ports_a, 514, 601, 6514, 0, 0) /* TCP */, 1350| 7.17k| ndpi_build_default_ports(ports_b, 514, 0, 0, 0, 0) /* UDP */, 1351| 7.17k| 0); 1352| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DHCP, 1353| 7.17k| "DHCP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1354| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1355| 7.17k| ndpi_build_default_ports(ports_b, 67, 68, 0, 0, 0) /* UDP */, 1356| 7.17k| 0); 1357| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_POSTGRES, 1358| 7.17k| "PostgreSQL", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1359| 7.17k| ndpi_build_default_ports(ports_a, 5432, 0, 0, 0, 0) /* TCP */, 1360| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1361| 7.17k| 0); 1362| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MYSQL, 1363| 7.17k| "MySQL", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1364| 7.17k| ndpi_build_default_ports(ports_a, 3306, 0, 0, 0, 0) /* TCP */, 1365| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1366| 7.17k| 0); 1367| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw 
proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NATS, 1368| 7.17k| "Nats", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1369| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1370| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1371| 7.17k| 0); 1372| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_AMONG_US, 1373| 7.17k| "AmongUs", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1374| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1375| 7.17k| ndpi_build_default_ports(ports_b, 22023, 0, 0, 0, 0) /* UDP */, 1376| 7.17k| 0); 1377| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_NTOP, 1378| 7.17k| "ntop", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1379| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1380| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1381| 7.17k| 0); 1382| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VMWARE, 1383| 7.17k| "VMware", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1384| 7.17k| ndpi_build_default_ports(ports_a, 903, 0, 0, 0, 0) /* TCP */, 1385| 7.17k| ndpi_build_default_ports(ports_b, 902, 903, 0, 0, 0) /* UDP */, 1386| 7.17k| 0); 1387| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_GNUTELLA, 1388| 7.17k| "Gnutella", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1389| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1390| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1391| 7.17k| 0); 1392| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, 
NDPI_PROTOCOL_EDONKEY, 1393| 7.17k| "eDonkey", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1394| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1395| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1396| 7.17k| 0); 1397| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BITTORRENT, 1398| 7.17k| "BitTorrent", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1399| 7.17k| ndpi_build_default_ports_range(ports_a, 6881, 6889, 51413, 51413, 53646, 53646, 6969, 6969, 0, 0) /* TCP */, 1400| 7.17k| ndpi_build_default_ports_range(ports_b, 6881, 6889, 51413, 51413, 6771, 6771, 0, 0, 0, 0) /* UDP */, 1401| 7.17k| 0); 1402| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GOOGLE, 1403| 7.17k| "Google", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1404| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1405| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1406| 7.17k| 0); 1407| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MSTEAMS_CALL, 1408| 7.17k| "TeamsCall", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1409| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1410| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1411| 7.17k| 0); 1412| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TIKTOK, 1413| 7.17k| "TikTok", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1414| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1415| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1416| 7.17k| 0); 1417| 7.17k| ndpi_set_proto_defaults(ndpi_str, 
1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEREDO, 1418| 7.17k| "Teredo", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1419| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1420| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1421| 7.17k| 0); 1422| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_WECHAT, 1423| 7.17k| "WeChat", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1424| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1425| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1426| 7.17k| 0); 1427| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MEMCACHED, 1428| 7.17k| "Memcached", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1429| 7.17k| ndpi_build_default_ports(ports_a, 11211, 0, 0, 0, 0) /* TCP */, 1430| 7.17k| ndpi_build_default_ports(ports_b, 11211, 0, 0, 0, 0) /* UDP */, 1431| 7.17k| 0); 1432| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SMBV23, 1433| 7.17k| "SMBv23", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1434| 7.17k| ndpi_build_default_ports(ports_a, 445, 0, 0, 0, 0) /* TCP */, 1435| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1436| 7.17k| 0); 1437| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_MINING, 1438| 7.17k| "Mining", NDPI_PROTOCOL_CATEGORY_MINING, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1439| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1440| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1441| 7.17k| 0); 1442| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NEST_LOG_SINK, 1443| 7.17k| "NestLogSink", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1444| 7.17k| ndpi_build_default_ports(ports_a, 11095, 0, 0, 0, 0) /* TCP */, 1445| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1446| 7.17k| 0); 1447| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MODBUS, 1448| 7.17k| "Modbus", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1449| 7.17k| ndpi_build_default_ports(ports_a, 502, 0, 0, 0, 0) /* TCP */, 1450| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1451| 7.17k| 0); 1452| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_CALL, 1453| 7.17k| "WhatsAppCall", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1454| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1455| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1456| 7.17k| 0); 1457| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DATASAVER, 1458| 7.17k| "DataSaver", NDPI_PROTOCOL_CATEGORY_WEB /* dummy */, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1459| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1460| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1461| 7.17k| 0); 1462| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SIGNAL, 1463| 7.17k| "Signal", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1464| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1465| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1466| 7.17k| 0); 1467| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DOH_DOT, 1468| 7.17k| "DoH_DoT", NDPI_PROTOCOL_CATEGORY_NETWORK /* dummy */, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1469| 7.17k| ndpi_build_default_ports(ports_a, 853, 0, 0, 0, 0) /* TCP */, 1470| 7.17k| ndpi_build_default_ports(ports_b, 784, 853, 0, 0, 0) /* UDP */, 1471| 7.17k| 0); 1472| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_REDDIT, 1473| 7.17k| "Reddit", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1474| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1475| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1476| 7.17k| 0); 1477| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WIREGUARD, 1478| 7.17k| "WireGuard", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1479| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1480| 7.17k| ndpi_build_default_ports(ports_b, 51820, 0, 0, 0, 0) /* UDP */, 1481| 7.17k| 0); 1482| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_XBOX, 1483| 7.17k| "Xbox", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1484| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1485| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1486| 7.17k| 0); 1487| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PLAYSTATION, 1488| 7.17k| "Playstation", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1489| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1490| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1491| 7.17k| 0); 1492| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, 
NDPI_PROTOCOL_QQ, 1493| 7.17k| "QQ", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1494| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1495| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1496| 7.17k| 0); 1497| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_RTSP, 1498| 7.17k| "RTSP", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1499| 7.17k| ndpi_build_default_ports(ports_a, 554, 0, 0, 0, 0) /* TCP */, 1500| 7.17k| ndpi_build_default_ports(ports_b, 554, 0, 0, 0, 0) /* UDP */, 1501| 7.17k| 0); 1502| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ICECAST, 1503| 7.17k| "IceCast", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1504| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1505| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1506| 7.17k| 0); 1507| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_CPHA, 1508| 7.17k| "CPHA", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1509| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1510| 7.17k| ndpi_build_default_ports(ports_b, 8116, 0, 0, 0, 0) /* UDP */, 1511| 7.17k| 0); 1512| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ZATTOO, 1513| 7.17k| "Zattoo", NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_QOE_CATEGORY_LIVE_STREAMING, 1514| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1515| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1516| 7.17k| 0); 1517| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DISCORD, 1518| 7.17k| "Discord", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, 
NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1519| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1520| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1521| 7.17k| 0); 1522| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PLURALSIGHT, 1523| 7.17k| "Pluralsight", NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_QOE_CATEGORY_LIVE_STREAMING, 1524| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1525| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1526| 7.17k| 0); 1527| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_OCSP, 1528| 7.17k| "OCSP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1529| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1530| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1531| 7.17k| 0); 1532| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VXLAN, 1533| 7.17k| "VXLAN", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1534| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1535| 7.17k| ndpi_build_default_ports(ports_b, 4789, 0, 0, 0, 0) /* UDP */, 1536| 7.17k| 0); 1537| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_IRC, 1538| 7.17k| "IRC", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1539| 7.17k| ndpi_build_default_ports(ports_a, 194, 0, 0, 0, 0) /* TCP */, 1540| 7.17k| ndpi_build_default_ports(ports_b, 194, 0, 0, 0, 0) /* UDP */, 1541| 7.17k| 0); 1542| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MERAKI_CLOUD, 1543| 7.17k| "MerakiCloud", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1544| 
7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1545| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1546| 7.17k| 0); 1547| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_JABBER, 1548| 7.17k| "Jabber", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1549| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1550| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1551| 7.17k| 0); 1552| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DISNEYPLUS, 1553| 7.17k| "DisneyPlus", NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_QOE_CATEGORY_BUFFERED_STREAMING, 1554| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1555| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1556| 7.17k| 0); 1557| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_VRRP, 1558| 7.17k| "VRRP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1559| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1560| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1561| 7.17k| 0); 1562| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_STEAM, 1563| 7.17k| "Steam", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1564| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1565| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1566| 7.17k| 0); 1567| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MELSEC, 1568| 7.17k| "MELSEC", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1569| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 
0, 0) /* TCP */, 1570| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1571| 7.17k| 0); 1572| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_WORLDOFWARCRAFT, 1573| 7.17k| "WorldOfWarcraft", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1574| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1575| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1576| 7.17k| 0); 1577| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_HOTSPOT_SHIELD, 1578| 7.17k| "HotspotShield", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1579| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1580| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1581| 7.17k| 0); 1582| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_TELNET, 1583| 7.17k| "Telnet", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1584| 7.17k| ndpi_build_default_ports(ports_a, 23, 0, 0, 0, 0) /* TCP */, 1585| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1586| 7.17k| 0); 1587| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_STUN, 1588| 7.17k| "STUN", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1589| 7.17k| ndpi_build_default_ports(ports_a, 3478, 0, 0, 0, 0) /* TCP */, 1590| 7.17k| ndpi_build_default_ports(ports_b, 3478, 0, 0, 0, 0) /* UDP */, 1591| 7.17k| 0); 1592| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_IPSEC, 1593| 7.17k| "IPSec", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1594| 7.17k| ndpi_build_default_ports(ports_a, 500, 0, 0, 0, 0) /* TCP */, 
1595| 7.17k| ndpi_build_default_ports(ports_b, 500, 4500, 0, 0, 0) /* UDP */, 1596| 7.17k| 0); 1597| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_GRE, 1598| 7.17k| "GRE", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1599| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1600| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1601| 7.17k| 0); 1602| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_ICMP, 1603| 7.17k| "ICMP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1604| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1605| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1606| 7.17k| 0); 1607| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_IGMP, 1608| 7.17k| "IGMP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1609| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1610| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1611| 7.17k| 0); 1612| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_EGP, 1613| 7.17k| "EGP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1614| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1615| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1616| 7.17k| 0); 1617| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_PGM, 1618| 7.17k| "PGM", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1619| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1620| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 
0, 0) /* UDP */, 1621| 7.17k| 0); 1622| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_SCTP, 1623| 7.17k| "SCTP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1624| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1625| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1626| 7.17k| 0); 1627| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_OSPF, 1628| 7.17k| "IP_OSPF", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1629| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1630| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1631| 7.17k| 0); 1632| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_IP_IN_IP, 1633| 7.17k| "IP_in_IP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1634| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1635| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1636| 7.17k| 0); 1637| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTP, 1638| 7.17k| "RTP", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1639| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1640| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1641| 7.17k| 0); 1642| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RDP, 1643| 7.17k| "RDP", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1644| 7.17k| ndpi_build_default_ports(ports_a, 3389, 0, 0, 0, 0) /* TCP */, 1645| 7.17k| ndpi_build_default_ports(ports_b, 3389, 0, 0, 0, 0) /* UDP */, 1646| 7.17k| 0); 1647| 
7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VNC, 1648| 7.17k| "VNC", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1649| 7.17k| ndpi_build_default_ports(ports_a, 5900, 5901, 5800, 0, 0) /* TCP */, 1650| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1651| 7.17k| 0); 1652| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TUMBLR, 1653| 7.17k| "Tumblr", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1654| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1655| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1656| 7.17k| 0); 1657| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZOOM, 1658| 7.17k| "Zoom", NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_QOE_CATEGORY_LIVE_STREAMING, 1659| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1660| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1661| 7.17k| 0); 1662| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_FILES, 1663| 7.17k| "WhatsAppFiles", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1664| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1665| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1666| 7.17k| 0); 1667| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP, 1668| 7.17k| "WhatsApp", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1669| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1670| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1671| 7.17k| 0); 1672| 7.17k| 
ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_TLS, 1673| 7.17k| "TLS", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1674| 7.17k| ndpi_build_default_ports(ports_a, 443, 0, 0, 0, 0) /* TCP */, 1675| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1676| 7.17k| 0); 1677| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_TLS, 1678| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1679| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_TLS can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1680| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_DTLS, 1681| 7.17k| "DTLS", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1682| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1683| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1684| 7.17k| 0); 1685| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_DTLS, 1686| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1687| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_DTLS can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1688| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SSH, 1689| 7.17k| "SSH", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1690| 7.17k| ndpi_build_default_ports(ports_a, 22, 0, 0, 0, 0) /* TCP */, 1691| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1692| 7.17k| 0); 
1693| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_USENET, 1694| 7.17k| "Usenet", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1695| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1696| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1697| 7.17k| 0); 1698| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MGCP, 1699| 7.17k| "MGCP", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1700| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1701| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1702| 7.17k| 0); 1703| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IAX, 1704| 7.17k| "IAX", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1705| 7.17k| ndpi_build_default_ports(ports_a, 4569, 0, 0, 0, 0) /* TCP */, 1706| 7.17k| ndpi_build_default_ports(ports_b, 4569, 0, 0, 0, 0) /* UDP */, 1707| 7.17k| 0); 1708| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AFP, 1709| 7.17k| "AFP", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1710| 7.17k| ndpi_build_default_ports(ports_a, 548, 0, 0, 0, 0) /* TCP */, 1711| 7.17k| ndpi_build_default_ports(ports_b, 548, 0, 0, 0, 0) /* UDP */, 1712| 7.17k| 0); 1713| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_HULU, 1714| 7.17k| "Hulu", NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_QOE_CATEGORY_BUFFERED_STREAMING, 1715| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1716| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1717| 7.17k| 0); 1718| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext 
*/, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CHECKMK, 1719| 7.17k| "CHECKMK", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1720| 7.17k| ndpi_build_default_ports(ports_a, 6556, 0, 0, 0, 0) /* TCP */, 1721| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1722| 7.17k| 0); 1723| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SIP, 1724| 7.17k| "SIP", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1725| 7.17k| ndpi_build_default_ports_range(ports_a, 5060, 5061, 0, 0, 0, 0, 0, 0, 0, 0) /* TCP */, 1726| 7.17k| ndpi_build_default_ports_range(ports_b, 5060, 5061, 0, 0, 0, 0, 0, 0, 0, 0) /* UDP */, 1727| 7.17k| 0); 1728| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TRUPHONE, 1729| 7.17k| "TruPhone", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1730| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1731| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1732| 7.17k| 0); 1733| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_ICMPV6, 1734| 7.17k| "ICMPV6", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1735| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1736| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1737| 7.17k| 0); 1738| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DHCPV6, 1739| 7.17k| "DHCPV6", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1740| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1741| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1742| 7.17k| 0); 1743| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* 
cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ARMAGETRON, 1744| 7.17k| "Armagetron", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1745| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1746| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1747| 7.17k| 0); 1748| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_CROSSFIRE, 1749| 7.17k| "Crossfire", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1750| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1751| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1752| 7.17k| 0); 1753| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DOFUS, 1754| 7.17k| "Dofus", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1755| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1756| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1757| 7.17k| 0); 1758| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_GUILDWARS2, 1759| 7.17k| "GuildWars2", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1760| 7.17k| ndpi_build_default_ports(ports_a, 6112, 0, 0, 0, 0) /* TCP */, 1761| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1762| 7.17k| 0); 1763| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AMAZON_ALEXA, 1764| 7.17k| "AmazonAlexa", NDPI_PROTOCOL_CATEGORY_VIRTUAL_ASSISTANT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1765| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1766| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1767| 7.17k| 0); 1768| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_KERBEROS, 1769| 7.17k| "Kerberos", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1770| 7.17k| ndpi_build_default_ports(ports_a, 88, 0, 0, 0, 0) /* TCP */, 1771| 7.17k| ndpi_build_default_ports(ports_b, 88, 0, 0, 0, 0) /* UDP */, 1772| 7.17k| 0); 1773| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LDAP, 1774| 7.17k| "LDAP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1775| 7.17k| ndpi_build_default_ports(ports_a, 389, 0, 0, 0, 0) /* TCP */, 1776| 7.17k| ndpi_build_default_ports(ports_b, 389, 0, 0, 0, 0) /* UDP */, 1777| 7.17k| 0); 1778| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_NEXON, 1779| 7.17k| "Nexon", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1780| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1781| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1782| 7.17k| 0); 1783| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MSSQL_TDS, 1784| 7.17k| "MsSQL-TDS", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1785| 7.17k| ndpi_build_default_ports(ports_a, 1433, 1434, 0, 0, 0) /* TCP */, 1786| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1787| 7.17k| 0); 1788| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PPTP, 1789| 7.17k| "PPTP", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1790| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1791| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1792| 7.17k| 0); 1793| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_IP_AH, 
1794| 7.17k| "AH", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1795| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1796| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1797| 7.17k| 0); 1798| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_IP_ESP, 1799| 7.17k| "ESP", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1800| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1801| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1802| 7.17k| 0); 1803| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MS_RPCH, 1804| 7.17k| "MS-RPCH", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1805| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1806| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1807| 7.17k| 0); 1808| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NETFLOW, 1809| 7.17k| "NetFlow", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1810| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1811| 7.17k| ndpi_build_default_ports(ports_b, 2055, 0, 0, 0, 0) /* UDP */, 1812| 7.17k| 0); 1813| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SFLOW, 1814| 7.17k| "sFlow", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1815| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1816| 7.17k| ndpi_build_default_ports(ports_b, 6343, 0, 0, 0, 0) /* UDP */, 1817| 7.17k| 0); 1818| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP_CONNECT, 1819| 7.17k| "HTTP_Connect", NDPI_PROTOCOL_CATEGORY_WEB, 
NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1820| 7.17k| ndpi_build_default_ports(ports_a, 8080, 0, 0, 0, 0) /* TCP */, 1821| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1822| 7.17k| 0); 1823| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP_CONNECT, 1824| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1825| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_HTTP_CONNECT can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1826| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HTTP_PROXY, 1827| 7.17k| "HTTP_Proxy", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1828| 7.17k| ndpi_build_default_ports(ports_a, 8080, 3128, 0, 0, 0) /* TCP */, 1829| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1830| 7.17k| 0); 1831| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_HTTP_PROXY, 1832| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1833| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_HTTP_PROXY can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1834| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CITRIX, 1835| 7.17k| "Citrix", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1836| 7.17k| ndpi_build_default_ports(ports_a, 1494, 2598, 0, 0, 0) /* TCP */, 1837| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1838| 7.17k| 0); 1839| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WEBEX, 1840| 7.17k| "Webex", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1841| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1842| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1843| 7.17k| 0); 1844| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RADIUS, 1845| 7.17k| "Radius", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1846| 7.17k| ndpi_build_default_ports(ports_a, 1812, 1813, 0, 0, 0) /* TCP */, 1847| 7.17k| ndpi_build_default_ports(ports_b, 1812, 1813, 0, 0, 0) /* UDP */, 1848| 7.17k| 0); 1849| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TEAMVIEWER, 1850| 7.17k| "TeamViewer", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 1851| 7.17k| ndpi_build_default_ports(ports_a, 5938, 0, 0, 0, 0) /* TCP */, 1852| 7.17k| ndpi_build_default_ports(ports_b, 5938, 0, 0, 0, 0) /* UDP */, 1853| 7.17k| 0); 1854| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HCL_NOTES, 1855| 7.17k| "HCL_Notes", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1856| 7.17k| ndpi_build_default_ports(ports_a, 1352, 0, 0, 0, 0) /* TCP */, 1857| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1858| 7.17k| 0); 1859| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SAP, 1860| 7.17k| "SAP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1861| 7.17k| ndpi_build_default_ports(ports_a, 3201, 0, 0, 0, 0) /* TCP */, 1862| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, /* Missing dissector: port based only */ 1863| 7.17k| 0); 1864| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* 
cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP, 1865| 7.17k| "GTP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1866| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1867| 7.17k| ndpi_build_default_ports(ports_b, 2152, 2123, 0, 0, 0) /* UDP */, 1868| 7.17k| 0); 1869| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP_C, 1870| 7.17k| "GTP_C", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1871| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1872| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1873| 7.17k| 0); 1874| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP_U, 1875| 7.17k| "GTP_U", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1876| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1877| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1878| 7.17k| 0); 1879| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GTP_PRIME, 1880| 7.17k| "GTP_PRIME", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1881| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1882| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1883| 7.17k| 0); 1884| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HSRP, 1885| 7.17k| "HSRP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1886| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1887| 7.17k| ndpi_build_default_ports(ports_b, 1985, 0, 0, 0, 0) /* UDP */, 1888| 7.17k| 0); 1889| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WSD, 1890| 7.17k| "WSD", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1891| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1892| 7.17k| ndpi_build_default_ports(ports_b, 3702, 0, 0, 0, 0) /* UDP */, 1893| 7.17k| 0); 1894| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ETHERNET_IP, 1895| 7.17k| "EthernetIP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1896| 7.17k| ndpi_build_default_ports(ports_a, 44818, 0, 0, 0, 0) /* TCP */, 1897| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1898| 7.17k| 0); 1899| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TELEGRAM, 1900| 7.17k| "Telegram", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1901| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1902| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1903| 7.17k| 0); 1904| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_QUIC, 1905| 7.17k| "QUIC", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1906| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1907| 7.17k| ndpi_build_default_ports(ports_b, 443, 0, 0, 0, 0) /* UDP */, 1908| 7.17k| 0); 1909| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_QUIC, 1910| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 1911| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); /* NDPI_PROTOCOL_QUIC can have (content-matched) subprotocols */ ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 1912| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DIAMETER, 1913| 7.17k| "Diameter", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1914| 7.17k| ndpi_build_default_ports(ports_a, 3868, 0, 0, 0, 0) /* TCP */, 1915| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1916| 7.17k| 0); 1917| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_APPLE_PUSH, 1918| 7.17k| "ApplePush", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1919| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1920| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1921| 7.17k| 0); 1922| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DROPBOX, 1923| 7.17k| "Dropbox", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1924| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1925| 7.17k| ndpi_build_default_ports(ports_b, 17500, 0, 0, 0, 0) /* UDP */, 1926| 7.17k| 0); 1927| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SONOS, 1928| 7.17k| "Sonos", NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1929| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1930| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1931| 7.17k| 0); 1932| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SPOTIFY, 1933| 7.17k| "Spotify", NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1934| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1935| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1936| 7.17k| 0); 1937| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LISP, 
1938| 7.17k| "LISP", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1939| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1940| 7.17k| ndpi_build_default_ports(ports_b, 4342, 4341, 0, 0, 0) /* UDP */, 1941| 7.17k| 0); 1942| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EAQ, 1943| 7.17k| "EAQ", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1944| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1945| 7.17k| ndpi_build_default_ports(ports_b, 6000, 0, 0, 0, 0) /* UDP */, 1946| 7.17k| 0); 1947| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_KAKAOTALK_VOICE, 1948| 7.17k| "KakaoTalk_Voice", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1949| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1950| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1951| 7.17k| 0); 1952| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_MPEGTS, 1953| 7.17k| "MPEG_TS", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1954| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1955| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1956| 7.17k| 0); 1957| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MIKROTIK, 1958| 7.17k| "Mikrotik", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1959| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1960| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1961| 7.17k| 0); 1962| | /* http://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution */ 1963| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LLMNR, 1964| 7.17k| "LLMNR", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1965| 7.17k| ndpi_build_default_ports(ports_a, 5355, 0, 0, 0, 0) /* TCP */, 1966| 7.17k| ndpi_build_default_ports(ports_b, 5355, 0, 0, 0, 0) /* UDP */, /* Missing dissector: port based only */ 1967| 7.17k| 0); 1968| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TOCA_BOCA, 1969| 7.17k| "TocaBoca", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 1970| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1971| 7.17k| ndpi_build_default_ports(ports_b, 5055, 0, 0, 0, 0) /* UDP */, 1972| 7.17k| 0); 1973| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_H323, 1974| 7.17k| "H323", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1975| 7.17k| ndpi_build_default_ports(ports_a, 1719, 1720, 0, 0, 0) /* TCP */, 1976| 7.17k| ndpi_build_default_ports(ports_b, 1719, 1720, 0, 0, 0) /* UDP */, 1977| 7.17k| 0); 1978| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OPENVPN, 1979| 7.17k| "OpenVPN", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1980| 7.17k| ndpi_build_default_ports(ports_a, 1194, 0, 0, 0, 0) /* TCP */, 1981| 7.17k| ndpi_build_default_ports(ports_b, 1194, 0, 0, 0, 0) /* UDP */, 1982| 7.17k| 0); 1983| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NOE, 1984| 7.17k| "NOE", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1985| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1986| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1987| 7.17k| 0); 1988| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CISCOVPN, 1989| 7.17k| "CiscoVPN", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 1990| 7.17k| ndpi_build_default_ports(ports_a, 10000, 8008, 0, 0, 0) /* TCP */, 1991| 7.17k| ndpi_build_default_ports(ports_b, 10000, 0, 0, 0, 0) /* UDP */, 1992| 7.17k| 0); 1993| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TEAMSPEAK, 1994| 7.17k| "TeamSpeak", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 1995| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 1996| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 1997| 7.17k| 0); 1998| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, NDPI_PROTOCOL_TOR, 1999| 7.17k| "Tor", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2000| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2001| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2002| 7.17k| 0); 2003| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SKINNY, 2004| 7.17k| "CiscoSkinny", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2005| 7.17k| ndpi_build_default_ports(ports_a, 2000, 0, 0, 0, 0) /* TCP */, 2006| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2007| 7.17k| 0); 2008| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTCP, 2009| 7.17k| "RTCP", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2010| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2011| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2012| 7.17k| 0); 2013| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, 
NDPI_PROTOCOL_RSYNC, 2014| 7.17k| "RSYNC", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2015| 7.17k| ndpi_build_default_ports(ports_a, 873, 0, 0, 0, 0) /* TCP */, 2016| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2017| 7.17k| 0); 2018| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ORACLE, 2019| 7.17k| "Oracle", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2020| 7.17k| ndpi_build_default_ports(ports_a, 1521, 0, 0, 0, 0) /* TCP */, 2021| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2022| 7.17k| 0); 2023| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CORBA, 2024| 7.17k| "Corba", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2025| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2026| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2027| 7.17k| 0); 2028| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CANONICAL, 2029| 7.17k| "Canonical", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2030| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2031| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2032| 7.17k| 0); 2033| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHOIS_DAS, 2034| 7.17k| "Whois-DAS", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2035| 7.17k| ndpi_build_default_ports(ports_a, 43, 4343, 0, 0, 0), /* TCP */ 2036| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2037| 7.17k| 0); 2038| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SD_RTN, 2039| 
7.17k| "SD-RTN", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2040| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2041| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2042| 7.17k| 0); 2043| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOCKS, 2044| 7.17k| "SOCKS", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2045| 7.17k| ndpi_build_default_ports(ports_a, 1080, 0, 0, 0, 0), /* TCP */ 2046| 7.17k| ndpi_build_default_ports(ports_b, 1080, 0, 0, 0, 0), /* UDP */ 2047| 7.17k| 0); 2048| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TFTP, 2049| 7.17k| "TFTP", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2050| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2051| 7.17k| ndpi_build_default_ports(ports_b, 69, 0, 0, 0, 0), /* UDP */ 2052| 7.17k| 0); 2053| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTMP, 2054| 7.17k| "RTMP", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2055| 7.17k| ndpi_build_default_ports(ports_a, 1935, 0, 0, 0, 0), /* TCP */ 2056| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2057| 7.17k| 0); 2058| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PINTEREST, 2059| 7.17k| "Pinterest", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2060| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2061| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2062| 7.17k| 0); 2063| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MEGACO, 2064| 7.17k| "Megaco", 
NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2065| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2066| 7.17k| ndpi_build_default_ports(ports_b, 2944, 0, 0, 0, 0), /* UDP */ 2067| 7.17k| 0); 2068| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RESP, 2069| 7.17k| "RESP", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2070| 7.17k| ndpi_build_default_ports(ports_a, 6379, 0, 0, 0, 0), /* TCP */ 2071| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2072| 7.17k| 0); 2073| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZMQ, 2074| 7.17k| "ZeroMQ", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2075| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2076| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2077| 7.17k| 0); 2078| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_OSPF, 2079| 7.17k| "OSPF", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2080| 7.17k| ndpi_build_default_ports(ports_a, 2604, 0, 0, 0, 0), /* TCP */ 2081| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2082| 7.17k| 0); 2083| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_BLIZZARD, 2084| 7.17k| "Blizzard", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2085| 7.17k| ndpi_build_default_ports(ports_a, 1119, 0, 0, 0, 0), /* TCP */ 2086| 7.17k| ndpi_build_default_ports(ports_b, 1119, 0, 0, 0, 0), /* UDP */ 2087| 7.17k| 0); 2088| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_UBNTAC2, 2089| 7.17k| "UBNTAC2", NDPI_PROTOCOL_CATEGORY_NETWORK, 
NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2090| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2091| 7.17k| ndpi_build_default_ports(ports_b, 10001, 0, 0, 0, 0), /* UDP */ 2092| 7.17k| 0); 2093| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_VIBER, 2094| 7.17k| "Viber", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2095| 7.17k| ndpi_build_default_ports(ports_a, 7985, 5242, 5243, 4244, 0), /* TCP */ 2096| 7.17k| ndpi_build_default_ports(ports_b, 7985, 7987, 5242, 5243, 4244), /* UDP */ 2097| 7.17k| 0); 2098| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_COAP, 2099| 7.17k| "COAP", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2100| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2101| 7.17k| ndpi_build_default_ports(ports_b, 5683, 5684, 0, 0, 0), /* UDP */ 2102| 7.17k| 0); 2103| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MQTT, 2104| 7.17k| "MQTT", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2105| 7.17k| ndpi_build_default_ports(ports_a, 1883, 8883, 0, 0, 0), /* TCP */ 2106| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2107| 7.17k| 0); 2108| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOMEIP, 2109| 7.17k| "SOMEIP", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2110| 7.17k| ndpi_build_default_ports(ports_a, 30491, 30501, 0, 0, 0), /* TCP */ 2111| 7.17k| ndpi_build_default_ports(ports_b, 30491, 30501, 30490, 0, 0), /* UDP */ 2112| 7.17k| 0); 2113| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RX, 2114| 7.17k| "RX", NDPI_PROTOCOL_CATEGORY_RPC, 
NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2115| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2116| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2117| 7.17k| 0); 2118| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_GIT, 2119| 7.17k| "Git", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2120| 7.17k| ndpi_build_default_ports(ports_a, 9418, 0, 0, 0, 0), /* TCP */ 2121| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2122| 7.17k| 0); 2123| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DRDA, 2124| 7.17k| "DRDA", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2125| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2126| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2127| 7.17k| 0); 2128| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GOOGLE_MEET, 2129| 7.17k| "GoogleMeet", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2130| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2131| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2132| 7.17k| 0); 2133| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GOOGLE_CALL, 2134| 7.17k| "GoogleCall", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2135| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2136| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2137| 7.17k| 0); 2138| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BJNP, 2139| 7.17k| "BJNP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 
2140| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2141| 7.17k| ndpi_build_default_ports(ports_b, 8612, 0, 0, 0, 0) /* UDP */, 2142| 7.17k| 0); 2143| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SMPP, 2144| 7.17k| "SMPP", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2145| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2146| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2147| 7.17k| 0); 2148| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_OOKLA, 2149| 7.17k| "Ookla", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2150| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2151| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2152| 7.17k| 0); 2153| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AMQP, 2154| 7.17k| "AMQP", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2155| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2156| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2157| 7.17k| 0); 2158| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DNSCRYPT, 2159| 7.17k| "DNScrypt", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2160| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2161| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2162| 7.17k| 0); 2163| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TINC, 2164| 7.17k| "TINC", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2165| 7.17k| ndpi_build_default_ports(ports_a, 655, 0, 0, 0, 0) 
/* TCP */, 2166| 7.17k| ndpi_build_default_ports(ports_b, 655, 0, 0, 0, 0) /* UDP */, 2167| 7.17k| 0); 2168| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_FIX, 2169| 7.17k| "FIX", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_HFT, 2170| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2171| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2172| 7.17k| 0); 2173| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_NINTENDO, 2174| 7.17k| "Nintendo", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2175| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2176| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2177| 7.17k| 0); 2178| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_VALVE_SDR, 2179| 7.17k| "SteamDatagramRelay", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2180| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2181| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2182| 7.17k| 0); 2183| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AJP, 2184| 7.17k| "AJP", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2185| 7.17k| ndpi_build_default_ports(ports_a, 8009, 8010, 0, 0, 0) /* TCP */, 2186| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2187| 7.17k| 0); 2188| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TARGUS_GETDATA, 2189| 7.17k| "TargusDataspeed", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2190| 7.17k| ndpi_build_default_ports(ports_a, 5001, 5201, 0, 0, 0) /* TCP */, 2191| 7.17k| 
ndpi_build_default_ports(ports_b, 5001, 5201, 0, 0, 0) /* UDP */, /* Missing dissector: port based only */ 2192| 7.17k| 0); 2193| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_AMAZON_VIDEO, 2194| 7.17k| "AmazonVideo", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2195| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2196| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2197| 7.17k| 0); 2198| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DNP3, 2199| 7.17k| "DNP3", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2200| 7.17k| ndpi_build_default_ports(ports_a, 20000, 0, 0, 0, 0) /* TCP */, 2201| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2202| 7.17k| 0); 2203| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IEC60870, 2204| 7.17k| "IEC60870", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2205| 7.17k| ndpi_build_default_ports(ports_a, 2404, 0, 0, 0, 0) /* TCP */, 2206| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2207| 7.17k| 0); 2208| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BLOOMBERG, 2209| 7.17k| "Bloomberg", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2210| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2211| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2212| 7.17k| 0); 2213| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CAPWAP, 2214| 7.17k| "CAPWAP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2215| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* 
TCP */, 2216| 7.17k| ndpi_build_default_ports(ports_b, 5246, 5247, 0, 0, 0) /* UDP */, 2217| 7.17k| 0); 2218| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZABBIX, 2219| 7.17k| "Zabbix", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2220| 7.17k| ndpi_build_default_ports(ports_a, 10050, 10051, 0, 0, 0) /* TCP */, 2221| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2222| 7.17k| 0); 2223| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_S7COMM, 2224| 7.17k| "S7Comm", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2225| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2226| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2227| 7.17k| 0); 2228| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MSTEAMS, 2229| 7.17k| "Teams", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2230| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2231| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2232| 7.17k| 0); 2233| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WEBSOCKET, 2234| 7.17k| "WebSocket", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2235| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2236| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2237| 7.17k| 0); 2238| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ANYDESK, 2239| 7.17k| "AnyDesk", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 2240| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2241| 
7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2242| 7.17k| 0); 2243| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOAP, 2244| 7.17k| "SOAP", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2245| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2246| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2247| 7.17k| 0); 2248| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MONGODB, 2249| 7.17k| "MongoDB", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2250| 7.17k| ndpi_build_default_ports(ports_a, 27017, 0, 0, 0, 0) /* TCP */, 2251| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2252| 7.17k| 0); 2253| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_APPLE_SIRI, 2254| 7.17k| "AppleSiri", NDPI_PROTOCOL_CATEGORY_VIRTUAL_ASSISTANT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2255| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2256| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2257| 7.17k| 0); 2258| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SNAPCHAT_CALL, 2259| 7.17k| "SnapchatCall", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2260| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2261| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2262| 7.17k| 0); 2263| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HPVIRTGRP, 2264| 7.17k| "HP_VIRTGRP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2265| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2266| 7.17k| 
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2267| 7.17k| 0); 2268| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_GENSHIN_IMPACT, 2269| 7.17k| "GenshinImpact", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2270| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2271| 7.17k| ndpi_build_default_ports(ports_b, 22102, 0, 0, 0, 0) /* UDP */, 2272| 7.17k| 0); 2273| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ACTIVISION, 2274| 7.17k| "Activision", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2275| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2276| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2277| 7.17k| 0); 2278| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_FORTICLIENT, 2279| 7.17k| "FortiClient", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2280| 7.17k| ndpi_build_default_ports(ports_a, 8013, 8014, 0, 0, 0) /* TCP */, 2281| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2282| 7.17k| 0); 2283| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_Z3950, 2284| 7.17k| "Z3950", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2285| 7.17k| ndpi_build_default_ports(ports_a, 210, 0, 0, 0, 0) /* TCP */, 2286| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2287| 7.17k| 0); 2288| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_LIKEE, 2289| 7.17k| "Likee", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2290| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2291| 7.17k| 
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2292| 7.17k| 0); 2293| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_GITLAB, 2294| 7.17k| "GitLab", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2295| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2296| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2297| 7.17k| 0); 2298| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_AVAST_SECUREDNS, 2299| 7.17k| "AVASTSecureDNS", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2300| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2301| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2302| 7.17k| 0); 2303| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CASSANDRA, 2304| 7.17k| "Cassandra", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2305| 7.17k| ndpi_build_default_ports(ports_a, 7000, 9042, 0, 0, 0) /* TCP */, 2306| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2307| 7.17k| 0); 2308| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FACEBOOK_VOIP, 2309| 7.17k| "FacebookVoip", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2310| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2311| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2312| 7.17k| 0); 2313| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SIGNAL_VOIP, 2314| 7.17k| "SignalVoip", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2315| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2316| 7.17k| 
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2317| 7.17k| 0); 2318| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MICROSOFT_AZURE, 2319| 7.17k| "Azure", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2320| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2321| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2322| 7.17k| 0); 2323| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GOOGLE_CLOUD, 2324| 7.17k| "GoogleCloud", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2325| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2326| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2327| 7.17k| 0); 2328| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TENCENT, 2329| 7.17k| "Tencent", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2330| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2331| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2332| 7.17k| 0); 2333| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_RAKNET, 2334| 7.17k| "RakNet", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2335| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2336| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2337| 7.17k| 0); 2338| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_XIAOMI, 2339| 7.17k| "Xiaomi", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2340| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2341| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 
0, 0, 0) /* UDP */, 2342| 7.17k| 0); 2343| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EDGECAST, 2344| 7.17k| "Edgecast", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2345| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2346| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2347| 7.17k| 0); 2348| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CACHEFLY, 2349| 7.17k| "Cachefly", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2350| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2351| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2352| 7.17k| 0); 2353| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SOFTETHER, 2354| 7.17k| "Softether", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2355| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2356| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2357| 7.17k| 0); 2358| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_MPEGDASH, 2359| 7.17k| "MpegDash", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2360| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2361| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2362| 7.17k| 0); 2363| | /* 2364| | Note: removed RSH port 514 as TCP/514 is often used for syslog and RSH is as such on;y 2365| | if both source and destination ports are 514. 
So we removed the default for RSH and used with syslog 2366| | */ 2367| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_RSH, 2368| 7.17k| "RSH", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 2369| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2370| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2371| 7.17k| 0); 2372| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IP_PIM, 2373| 7.17k| "IP_PIM", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2374| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2375| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2376| 7.17k| 0); 2377| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_COLLECTD, 2378| 7.17k| "collectd", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2379| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2380| 7.17k| ndpi_build_default_ports(ports_b, 25826, 0, 0, 0, 0) /* UDP */, 2381| 7.17k| 0); 2382| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_I3D, 2383| 7.17k| "i3D", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2384| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2385| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2386| 7.17k| 0); 2387| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_RIOTGAMES, 2388| 7.17k| "RiotGames", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2389| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2390| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2391| 
7.17k| 0); 2392| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ULTRASURF, 2393| 7.17k| "UltraSurf", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2394| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2395| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2396| 7.17k| 0); 2397| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_THREEMA, 2398| 7.17k| "Threema", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2399| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2400| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2401| 7.17k| 0); 2402| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ALICLOUD, 2403| 7.17k| "AliCloud", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2404| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2405| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2406| 7.17k| 0); 2407| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_AVAST, 2408| 7.17k| "AVAST", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2409| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2410| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2411| 7.17k| 0); 2412| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TIVOCONNECT, 2413| 7.17k| "TiVoConnect", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2414| 7.17k| ndpi_build_default_ports(ports_a, 2190, 0, 0, 0, 0) /* TCP */, 2415| 7.17k| ndpi_build_default_ports(ports_b, 2190, 0, 0, 0, 0) /* UDP */, 2416| 7.17k| 0); 2417| 7.17k| 
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_KISMET, 2418| 7.17k| "Kismet", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2419| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2420| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2421| 7.17k| 0); 2422| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_FASTCGI, 2423| 7.17k| "FastCGI", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2424| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2425| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2426| 7.17k| 0); 2427| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_FTPS, 2428| 7.17k| "FTPS", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2429| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2430| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2431| 7.17k| 0); 2432| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NATPMP, 2433| 7.17k| "NAT-PMP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2434| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2435| 7.17k| ndpi_build_default_ports(ports_b, 5351, 0, 0, 0, 0) /* UDP */, 2436| 7.17k| 0); 2437| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SYNCTHING, 2438| 7.17k| "Syncthing", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2439| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2440| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2441| 7.17k| 0); 2442| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted 
*/, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_CRYNET, 2443| 7.17k| "CryNetwork", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2444| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2445| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2446| 7.17k| 0); 2447| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LINE, 2448| 7.17k| "Line", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2449| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2450| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2451| 7.17k| 0); 2452| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LINE_CALL, 2453| 7.17k| "LineCall", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2454| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2455| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2456| 7.17k| 0); 2457| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MUNIN, 2458| 7.17k| "Munin", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2459| 7.17k| ndpi_build_default_ports(ports_a, 4949, 0, 0, 0, 0) /* TCP */, 2460| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2461| 7.17k| 0); 2462| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ELASTICSEARCH, 2463| 7.17k| "Elasticsearch", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2464| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2465| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2466| 7.17k| 0); 2467| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TUYA_LP, 2468| 7.17k| "TuyaLP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2469| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2470| 7.17k| ndpi_build_default_ports(ports_b, 6667, 0, 0, 0, 0) /* UDP */, 2471| 7.17k| 0); 2472| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TPLINK_SHP, 2473| 7.17k| "TPLINK_SHP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2474| 7.17k| ndpi_build_default_ports(ports_a, 9999, 0, 0, 0, 0) /* TCP */, 2475| 7.17k| ndpi_build_default_ports(ports_b, 9999, 0, 0, 0, 0) /* UDP */, 2476| 7.17k| 0); 2477| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TAILSCALE, 2478| 7.17k| "Tailscale", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2479| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2480| 7.17k| ndpi_build_default_ports(ports_b, 41641, 0, 0, 0, 0) /* UDP */, 2481| 7.17k| 0); 2482| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_SOURCE_ENGINE, 2483| 7.17k| "Source_Engine", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2484| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2485| 7.17k| ndpi_build_default_ports(ports_b, 27015, 0, 0, 0, 0) /* UDP */, 2486| 7.17k| 0); 2487| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_BACNET, 2488| 7.17k| "BACnet", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2489| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2490| 7.17k| ndpi_build_default_ports(ports_b, 47808, 0, 0, 0, 0) /* UDP */, 2491| 7.17k| 0); 2492| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, 
NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OICQ, 2493| 7.17k| "OICQ", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2494| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2495| 7.17k| ndpi_build_default_ports(ports_b, 8000, 0, 0, 0, 0) /* UDP */, 2496| 7.17k| 0); 2497| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_HOTS, 2498| 7.17k| "Heroes_of_the_Storm", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2499| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2500| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2501| 7.17k| 0); 2502| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SRTP, 2503| 7.17k| "SRTP", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2504| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2505| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2506| 7.17k| 0); 2507| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BITCOIN, 2508| 7.17k| "BITCOIN", NDPI_PROTOCOL_CATEGORY_CRYPTO_BLOCKCHAIN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2509| 7.17k| ndpi_build_default_ports(ports_a, 8333, 0, 0, 0, 0) /* TCP */, 2510| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2511| 7.17k| 0); 2512| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PROTONVPN, 2513| 7.17k| "ProtonVPN", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2514| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2515| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2516| 7.17k| 0); 2517| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, 
NDPI_PROTOCOL_APACHE_THRIFT, 2518| 7.17k| "Thrift", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2519| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2520| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2521| 7.17k| 0); 2522| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_ROBLOX, 2523| 7.17k| "Roblox", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2524| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2525| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2526| 7.17k| 0); 2527| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SERVICE_LOCATION, 2528| 7.17k| "Service_Location_Protocol", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2529| 7.17k| ndpi_build_default_ports(ports_a, 427, 0, 0, 0, 0) /* TCP */, 2530| 7.17k| ndpi_build_default_ports(ports_b, 427, 0, 0, 0, 0) /* UDP */, 2531| 7.17k| 0); 2532| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MULLVAD, 2533| 7.17k| "Mullvad", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2534| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2535| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2536| 7.17k| 0); 2537| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OPERA_VPN, 2538| 7.17k| "OperaVPN", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2539| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2540| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2541| 7.17k| 0); 2542| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_HTTP2, 2543| 
7.17k| "HTTP2", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2544| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2545| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2546| 7.17k| 0); 2547| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_HAPROXY, 2548| 7.17k| "HAProxy", NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2549| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2550| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2551| 7.17k| 0); 2552| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_RMCP, 2553| 7.17k| "RMCP", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2554| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2555| 7.17k| ndpi_build_default_ports(ports_b, 623, 0, 0, 0, 0) /* UDP */, 2556| 7.17k| 0); 2557| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_CAN, 2558| 7.17k| "Controller_Area_Network", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2559| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2560| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2561| 7.17k| 0); 2562| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_PROTOBUF, 2563| 7.17k| "Protobuf", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2564| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2565| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2566| 7.17k| 0); 2567| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ETHEREUM, 2568| 7.17k| "ETHEREUM", 
NDPI_PROTOCOL_CATEGORY_CRYPTO_BLOCKCHAIN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2569| 7.17k| ndpi_build_default_ports(ports_a, 30303, 0, 0, 0, 0) /* TCP */, 2570| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2571| 7.17k| 0); 2572| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TELEGRAM_VOIP, 2573| 7.17k| "TelegramVoip", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2574| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2575| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2576| 7.17k| 0); 2577| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TESLA_SERVICES, 2578| 7.17k| "TeslaServices", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2579| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2580| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2581| 7.17k| 0); 2582| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PTPV2, 2583| 7.17k| "PTPv2", NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2584| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2585| 7.17k| ndpi_build_default_ports(ports_b, 319, 320, 0, 0, 0) /* UDP */, 2586| 7.17k| 0); 2587| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HART_IP, 2588| 7.17k| "HART-IP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2589| 7.17k| ndpi_build_default_ports(ports_a, 5094, 0, 0, 0, 0) /* TCP */, 2590| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2591| 7.17k| 0); 2592| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RTPS, 2593| 7.17k| "RTPS", 
NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2594| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2595| 7.17k| ndpi_build_default_ports(ports_b, 7401, 0, 0, 0, 0) /* UDP */, 2596| 7.17k| 0); 2597| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OPC_UA, 2598| 7.17k| "OPC-UA", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2599| 7.17k| ndpi_build_default_ports(ports_a, 4840, 0, 0, 0, 0) /* TCP */, 2600| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2601| 7.17k| 0); 2602| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_S7COMM_PLUS, 2603| 7.17k| "S7CommPlus", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2604| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2605| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2606| 7.17k| 0); 2607| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FINS, 2608| 7.17k| "FINS", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2609| 7.17k| ndpi_build_default_ports(ports_a, 9600, 0, 0, 0, 0) /* TCP */, 2610| 7.17k| ndpi_build_default_ports(ports_b, 9600, 0, 0, 0, 0) /* UDP */, 2611| 7.17k| 0); 2612| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ETHERSIO, 2613| 7.17k| "EtherSIO", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2614| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2615| 7.17k| ndpi_build_default_ports(ports_b, 6060, 0, 0, 0, 0) /* UDP */, 2616| 7.17k| 0); 2617| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_UMAS, 2618| 7.17k| "UMAS", 
NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2619| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2620| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2621| 7.17k| 0); 2622| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BECKHOFF_ADS, 2623| 7.17k| "BeckhoffADS", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2624| 7.17k| ndpi_build_default_ports(ports_a, 48898, 0, 0, 0, 0) /* TCP */, 2625| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2626| 7.17k| 0); 2627| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ISO9506_1_MMS, 2628| 7.17k| "ISO9506-1-MMS", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2629| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2630| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2631| 7.17k| 0); 2632| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IEEE_C37118, 2633| 7.17k| "IEEE-C37118", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2634| 7.17k| ndpi_build_default_ports(ports_a, 4712, 0, 0, 0, 0) /* TCP */, 2635| 7.17k| ndpi_build_default_ports(ports_b, 4713, 0, 0, 0, 0) /* UDP */, 2636| 7.17k| 0); 2637| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ETHERSBUS, 2638| 7.17k| "Ether-S-Bus", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2639| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2640| 7.17k| ndpi_build_default_ports(ports_b, 5050, 0, 0, 0, 0) /* UDP */, 2641| 7.17k| 0); 2642| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MONERO, 2643| 
7.17k| "Monero", NDPI_PROTOCOL_CATEGORY_CRYPTO_BLOCKCHAIN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2644| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2645| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2646| 7.17k| 0); 2647| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DCERPC, 2648| 7.17k| "DCERPC", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2649| 7.17k| ndpi_build_default_ports(ports_a, 135, 0, 0, 0, 0) /* TCP */, 2650| 7.17k| ndpi_build_default_ports(ports_b, 135, 0, 0, 0, 0) /* UDP */, 2651| 7.17k| 0); 2652| 7.17k| ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_DCERPC, 2653| 7.17k| NDPI_PROTOCOL_PROFINET_IO, 2654| 7.17k| NDPI_PROTOCOL_MATCHED_BY_CONTENT, ------------------ | | 510| 7.17k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ 2655| 7.17k| NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS); ------------------ | | 509| 7.17k|#define NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS (-1) ------------------ 2656| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PROFINET_IO, 2657| 7.17k| "PROFINET_IO", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2658| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2659| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2660| 7.17k| 0); 2661| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HISLIP, 2662| 7.17k| "HiSLIP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2663| 7.17k| ndpi_build_default_ports(ports_a, 4880, 0, 0, 0, 0) /* TCP */, 2664| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2665| 7.17k| 0); 2666| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_UFTP, 2667| 
7.17k| "UFTP", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2668| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2669| 7.17k| ndpi_build_default_ports(ports_b, 1044, 0, 0, 0, 0) /* UDP */, 2670| 7.17k| 0); 2671| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OPENFLOW, 2672| 7.17k| "OpenFlow", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2673| 7.17k| ndpi_build_default_ports(ports_a, 6653, 0, 0, 0, 0) /* TCP */, 2674| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2675| 7.17k| 0); 2676| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_JSON_RPC, 2677| 7.17k| "JSON-RPC", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2678| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2679| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2680| 7.17k| 0); 2681| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WEBDAV, 2682| 7.17k| "WebDAV", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2683| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0), /* TCP */ 2684| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2685| 7.17k| 0); 2686| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_APACHE_KAFKA, 2687| 7.17k| "Kafka", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2688| 7.17k| ndpi_build_default_ports(ports_a, 9092, 0, 0, 0, 0) /* TCP */, 2689| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2690| 7.17k| 0); 2691| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NOMACHINE, 2692| 7.17k| "NoMachine", 
NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 2693| 7.17k| ndpi_build_default_ports(ports_a, 4000, 0, 0, 0, 0) /* TCP */, 2694| 7.17k| ndpi_build_default_ports(ports_b, 4000, 0, 0, 0, 0) /* UDP */, 2695| 7.17k| 0); 2696| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_IEC62056, 2697| 7.17k| "IEC62056", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2698| 7.17k| ndpi_build_default_ports(ports_a, 4059, 0, 0, 0, 0) /* TCP */, 2699| 7.17k| ndpi_build_default_ports(ports_b, 4059, 0, 0, 0, 0) /* UDP */, 2700| 7.17k| 0); 2701| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HL7, 2702| 7.17k| "HL7", NDPI_PROTOCOL_CATEGORY_HEALTH, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2703| 7.17k| ndpi_build_default_ports(ports_a, 2575, 0, 0, 0, 0) /* TCP */, 2704| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2705| 7.17k| 0); 2706| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DICOM, 2707| 7.17k| "DICOM", NDPI_PROTOCOL_CATEGORY_HEALTH, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2708| 7.17k| ndpi_build_default_ports(ports_a, 104, 0, 0, 0, 0) /* TCP */, 2709| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2710| 7.17k| 0); 2711| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CEPH, 2712| 7.17k| "Ceph", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2713| 7.17k| ndpi_build_default_ports(ports_a, 3300, 6789, 0, 0, 0) /* TCP */, 2714| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2715| 7.17k| 0); 2716| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ROUGHTIME, 2717| 7.17k| "Roughtime", 
NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2718| 7.17k| ndpi_build_default_ports(ports_a, 2002, 0, 0, 0, 0) /* TCP */, 2719| 7.17k| ndpi_build_default_ports(ports_b, 2002, 0, 0, 0, 0) /* UDP */, 2720| 7.17k| 0); 2721| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_KCP, 2722| 7.17k| "KCP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2723| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2724| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2725| 7.17k| 0); 2726| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_MUMBLE, 2727| 7.17k| "Mumble", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2728| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2729| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2730| 7.17k| 0); 2731| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_YOJIMBO, 2732| 7.17k| "Yojimbo", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2733| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2734| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2735| 7.17k| 0); 2736| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_STOMP, 2737| 7.17k| "STOMP", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2738| 7.17k| ndpi_build_default_ports(ports_a, 61613, 0, 0, 0, 0) /* TCP */, 2739| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2740| 7.17k| 0); 2741| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RADMIN, 2742| 7.17k| "Radmin", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, 
NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS, 2743| 7.17k| ndpi_build_default_ports(ports_a, 4899, 0, 0, 0, 0) /* TCP */, 2744| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2745| 7.17k| 0); 2746| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RAFT, 2747| 7.17k| "Raft", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2748| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2749| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2750| 7.17k| 0); 2751| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CIP, 2752| 7.17k| "CIP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2753| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2754| 7.17k| ndpi_build_default_ports(ports_b, 2222, 0, 0, 0, 0) /* UDP */, 2755| 7.17k| 0); 2756| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GEARMAN, 2757| 7.17k| "Gearman", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2758| 7.17k| ndpi_build_default_ports(ports_a, 4730, 0, 0, 0, 0) /* TCP */, 2759| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2760| 7.17k| 0); 2761| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TENCENTGAMES, 2762| 7.17k| "TencentGames", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2763| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2764| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2765| 7.17k| 0); 2766| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_GAIJIN, 2767| 7.17k| "GaijinEntertainment", NDPI_PROTOCOL_CATEGORY_GAME, 
NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2768| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2769| 7.17k| ndpi_build_default_ports(ports_b, 20011, 0, 0, 0, 0) /* UDP */, 2770| 7.17k| 0); 2771| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_C1222, 2772| 7.17k| "ANSI_C1222", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2773| 7.17k| ndpi_build_default_ports(ports_a, 1153, 0, 0, 0, 0) /* TCP */, 2774| 7.17k| ndpi_build_default_ports(ports_b, 1153, 0, 0, 0, 0) /* UDP */, 2775| 7.17k| 0); 2776| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DLEP, 2777| 7.17k| "DLEP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2778| 7.17k| ndpi_build_default_ports(ports_a, 854, 0, 0, 0, 0) /* TCP */, 2779| 7.17k| ndpi_build_default_ports(ports_b, 854, 0, 0, 0, 0) /* UDP */, 2780| 7.17k| 0); 2781| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BFD, 2782| 7.17k| "BFD", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2783| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2784| 7.17k| ndpi_build_default_ports(ports_b, 3784, 3785, 0, 0, 0) /* UDP */, 2785| 7.17k| 0); 2786| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_NETEASE_GAMES, 2787| 7.17k| "NetEaseGames", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2788| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2789| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2790| 7.17k| 0); 2791| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_PATHOFEXILE, 2792| 7.17k| "PathofExile", NDPI_PROTOCOL_CATEGORY_GAME, 
NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2793| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2794| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2795| 7.17k| 0); 2796| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PFCP, 2797| 7.17k| "PFCP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2798| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2799| 7.17k| ndpi_build_default_ports(ports_b, 8805, 0, 0, 0, 0) /* UDP */, 2800| 7.17k| 0); 2801| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FLUTE, 2802| 7.17k| "FLUTE", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2803| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2804| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2805| 7.17k| 0); 2806| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_LOLWILDRIFT, 2807| 7.17k| "LoLWildRift", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2808| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2809| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2810| 7.17k| 0); 2811| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_TESO, 2812| 7.17k| "TES_Online", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2813| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2814| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2815| 7.17k| 0); 2816| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LDP, 2817| 7.17k| "LDP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2818| 7.17k| 
ndpi_build_default_ports(ports_a, 646, 0, 0, 0, 0) /* TCP */, 2819| 7.17k| ndpi_build_default_ports(ports_b, 646, 0, 0, 0, 0) /* UDP */, 2820| 7.17k| 0); 2821| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_KNXNET_IP, 2822| 7.17k| "KNXnet_IP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2823| 7.17k| ndpi_build_default_ports(ports_a, 3671, 0, 0, 0, 0) /* TCP */, 2824| 7.17k| ndpi_build_default_ports(ports_b, 3671, 0, 0, 0, 0) /* UDP */, 2825| 7.17k| 0); 2826| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EGD, 2827| 7.17k| "EthernetGlobalData", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2828| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2829| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2830| 7.17k| 0); 2831| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BFCP, 2832| 7.17k| "BFCP", NDPI_PROTOCOL_CATEGORY_VIDEO, NDPI_PROTOCOL_QOE_CATEGORY_LIVE_STREAMING, 2833| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2834| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2835| 7.17k| 0); 2836| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_IQIYI, 2837| 7.17k| "iQIYI", NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_QOE_CATEGORY_BUFFERED_STREAMING, 2838| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2839| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2840| 7.17k| 0); 2841| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VIBER_VOIP, 2842| 7.17k| "ViberVoip", NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS, 2843| 7.17k| 
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2844| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2845| 7.17k| 0); 2846| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_COD_MOBILE, 2847| 7.17k| "CoD_Mobile", NDPI_PROTOCOL_CATEGORY_GAME, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2848| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2849| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2850| 7.17k| 0); 2851| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ZUG, 2852| 7.17k| "ZUG", NDPI_PROTOCOL_CATEGORY_CRYPTO_BLOCKCHAIN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2853| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2854| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2855| 7.17k| 0); 2856| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_JRMI, 2857| 7.17k| "JRMI", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2858| 7.17k| ndpi_build_default_ports(ports_a, 1099, 0, 0, 0, 0) /* TCP */, 2859| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2860| 7.17k| 0); 2861| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RIPE_ATLAS, 2862| 7.17k| "RipeAtlas", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2863| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2864| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2865| 7.17k| 0); 2866| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_HLS, 2867| 7.17k| "HLS", NDPI_PROTOCOL_CATEGORY_MEDIA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2868| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP 
*/, 2869| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2870| 7.17k| 0); 2871| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CLICKHOUSE, 2872| 7.17k| "ClickHouse", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2873| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2874| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2875| 7.17k| 0); 2876| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NANO, 2877| 7.17k| "Nano", NDPI_PROTOCOL_CATEGORY_CRYPTO_BLOCKCHAIN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2878| 7.17k| ndpi_build_default_ports(ports_a, 7075, 0, 0, 0, 0) /* TCP */, 2879| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2880| 7.17k| 0); 2881| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_OPENWIRE, 2882| 7.17k| "OpenWire", NDPI_PROTOCOL_CATEGORY_RPC, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2883| 7.17k| ndpi_build_default_ports(ports_a, 61616, 0, 0, 0, 0), /* TCP */ 2884| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0), /* UDP */ 2885| 7.17k| 0); 2886| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_CNP_IP, 2887| 7.17k| "CNP-IP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2888| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2889| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2890| 7.17k| 0); 2891| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_ATG, 2892| 7.17k| "ATG", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2893| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2894| 7.17k| 
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2895| 7.17k| 0); 2896| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TRDP, 2897| 7.17k| "TRDP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2898| 7.17k| ndpi_build_default_ports(ports_a, 17225, 0, 0, 0, 0) /* TCP */, 2899| 7.17k| ndpi_build_default_ports(ports_b, 17224, 17225, 0, 0, 0) /* UDP */, 2900| 7.17k| 0); 2901| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LUSTRE, 2902| 7.17k| "Lustre", NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2903| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2904| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2905| 7.17k| 0); 2906| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DINGTALK, 2907| 7.17k| "DingTalk", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2908| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2909| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2910| 7.17k| 0); 2911| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PALTALK, 2912| 7.17k| "Paltalk", NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2913| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2914| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2915| 7.17k| 0); 2916| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MS_OUTLOOK, 2917| 7.17k| "Outlook", NDPI_PROTOCOL_CATEGORY_MAIL, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2918| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2919| 7.17k| 
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2920| 7.17k| 0); 2921| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MICROSOFT, 2922| 7.17k| "Microsoft", NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2923| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2924| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2925| 7.17k| 0); 2926| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MICROSOFT_365, 2927| 7.17k| "Microsoft365", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2928| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2929| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2930| 7.17k| 0); 2931| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MS_ONE_DRIVE, 2932| 7.17k| "MS_OneDrive", NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2933| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2934| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2935| 7.17k| 0); 2936| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LAGOFAST, 2937| 7.17k| "LagoFast", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2938| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2939| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2940| 7.17k| 0); 2941| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GEARUP_BOOSTER, 2942| 7.17k| "GearUP_Booster", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2943| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2944| 
7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2945| 7.17k| 0); 2946| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_SAFE, NDPI_PROTOCOL_MSDO, 2947| 7.17k| "MSDO", NDPI_PROTOCOL_CATEGORY_SW_UPDATE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2948| 7.17k| ndpi_build_default_ports(ports_a, 7680, 0, 0, 0, 0) /* TCP */, 2949| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2950| 7.17k| 0); 2951| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HAMACHI, 2952| 7.17k| "Hamachi", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2953| 7.17k| ndpi_build_default_ports(ports_a, 12975, 32976, 0, 0, 0) /* TCP */, 2954| 7.17k| ndpi_build_default_ports(ports_b, 17771, 0, 0, 0, 0) /* UDP */, 2955| 7.17k| 0); 2956| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_GLBP, 2957| 7.17k| "GLBP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2958| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2959| 7.17k| ndpi_build_default_ports(ports_b, 3222, 0, 0, 0, 0) /* UDP */, 2960| 7.17k| 0); 2961| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_EASYWEATHER, 2962| 7.17k| "EasyWeather", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2963| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2964| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2965| 7.17k| 0); 2966| 7.17k| ndpi_set_proto_defaults(ndpi_str, 0 /* encrypted */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MUDFISH, 2967| 7.17k| "Mudfish", NDPI_PROTOCOL_CATEGORY_VPN, NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING, 2968| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2969| 7.17k| 
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2970| 7.17k| 0); 2971| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_TRISTATION, 2972| 7.17k| "TriStation", NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2973| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2974| 7.17k| ndpi_build_default_ports(ports_b, 1501, 1502, 0, 0, 0) /* UDP */, 2975| 7.17k| 0); 2976| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_SAMSUNG_SDP, 2977| 7.17k| "SamsungSDP", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2978| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2979| 7.17k| ndpi_build_default_ports(ports_b, 15600, 0, 0, 0, 0) /* UDP */, 2980| 7.17k| 0); 2981| 7.17k| ndpi_set_proto_defaults(ndpi_str,1 ,0 ,NDPI_PROTOCOL_ACCEPTABLE,NDPI_PROTOCOL_MATTER, 2982| 7.17k| "Matter",NDPI_PROTOCOL_CATEGORY_IOT_SCADA, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2983| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ , 2984| 7.17k| ndpi_build_default_ports(ports_b, 5540, 5542, 0, 0, 0) /* UDP */, 2985| 7.17k| 0); 2986| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 , 1 , NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AWS_DYNAMODB, 2987| 7.17k| "AWS_DynamoDB", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2988| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ , 2989| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2990| 7.17k| 0); 2991| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 , 1 , NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AKAMAI, 2992| 7.17k| "Akamai", NDPI_PROTOCOL_CATEGORY_DATABASE, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2993| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */ , 2994| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 2995| 7.17k| 0); 2996| 
7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* app proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_JSON, 2997| 7.17k| "JSON", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 2998| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 2999| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 3000| 7.17k| 0); 3001| 7.17k| ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 1 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MSGPACK, 3002| 7.17k| "MessagePack", NDPI_PROTOCOL_CATEGORY_NETWORK, NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED, 3003| 7.17k| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 3004| 7.17k| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 3005| 7.17k| 0); 3006| | 3007| |#ifdef CUSTOM_NDPI_PROTOCOLS 3008| |#include "../../../nDPI-custom/custom_ndpi_main.c" 3009| |#endif 3010| | 3011| | /* calling function for host and content matched protocols */ 3012| 7.17k| init_string_based_protocols(ndpi_str); 3013| 7.17k|} ndpi_main.c:init_string_based_protocols: 1059| 7.17k|static void init_string_based_protocols(struct ndpi_detection_module_struct *ndpi_str) { 1060| 7.17k| int i; 1061| | 1062| | /* Sanity checks */ 1063| 7.17k| self_check_host_match(ndpi_str, host_match); 1064| 7.17k| self_check_host_match(ndpi_str, teams_host_match); 1065| 7.17k| self_check_host_match(ndpi_str, outlook_host_match); 1066| 7.17k| self_check_host_match(ndpi_str, ms_onedrive_host_match); 1067| 7.17k| self_check_host_match(ndpi_str, microsoft365_host_match); 1068| 7.17k| self_check_host_match(ndpi_str, azure_host_match); 1069| 7.17k| self_check_host_match(ndpi_str, microsoft_host_match); 1070| 7.17k| self_check_host_match(ndpi_str, aws_api_gateway_host_match); 1071| 7.17k| self_check_host_match(ndpi_str, aws_cloudfront_host_match); 1072| 7.17k| self_check_host_match(ndpi_str, aws_cognito_host_match); 1073| 7.17k| self_check_host_match(ndpi_str, aws_ec2_host_match); 1074| 7.17k| 
self_check_host_match(ndpi_str, aws_emr_host_match); 1075| 7.17k| self_check_host_match(ndpi_str, aws_s3_host_match); 1076| 7.17k| self_check_host_match(ndpi_str, github_host_match); 1077| 7.17k| self_check_host_match(ndpi_str, githubcopilot_host_match); 1078| 7.17k| self_check_host_match(ndpi_str, githubpackages_host_match); 1079| 7.17k| self_check_host_match(ndpi_str, githubactions_host_match); 1080| | 1081| 6.42M| for(i = 0; host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1081:14): [True: 6.41M, False: 7.17k] ------------------ 1082| 6.41M| init_app_protocol(ndpi_str, &host_match[i]); 1083| 78.9k| for(i = 0; teams_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1083:14): [True: 71.7k, False: 7.17k] ------------------ 1084| 71.7k| init_app_protocol(ndpi_str, &teams_host_match[i]); 1085| 64.5k| for(i = 0; outlook_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1085:14): [True: 57.4k, False: 7.17k] ------------------ 1086| 57.4k| init_app_protocol(ndpi_str, &outlook_host_match[i]); 1087| 86.1k| for(i = 0; ms_onedrive_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1087:14): [True: 78.9k, False: 7.17k] ------------------ 1088| 78.9k| init_app_protocol(ndpi_str, &ms_onedrive_host_match[i]); 1089| 911k| for(i = 0; microsoft365_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1089:14): [True: 904k, False: 7.17k] ------------------ 1090| 904k| init_app_protocol(ndpi_str, &microsoft365_host_match[i]); 1091| 193k| for(i = 0; azure_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1091:14): [True: 186k, False: 7.17k] ------------------ 1092| 186k| init_app_protocol(ndpi_str, &azure_host_match[i]); 1093| 28.7k| for(i = 0; microsoft_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1093:14): [True: 21.5k, False: 7.17k] ------------------ 1094| 21.5k| init_app_protocol(ndpi_str, &microsoft_host_match[i]); 1095| 251k| 
for(i = 0; aws_api_gateway_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1095:14): [True: 243k, False: 7.17k] ------------------ 1096| 243k| init_app_protocol(ndpi_str, &aws_api_gateway_host_match[i]); 1097| 14.3k| for(i = 0; aws_cloudfront_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1097:14): [True: 7.17k, False: 7.17k] ------------------ 1098| 7.17k| init_app_protocol(ndpi_str, &aws_cloudfront_host_match[i]); 1099| 279k| for(i = 0; aws_cognito_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1099:14): [True: 272k, False: 7.17k] ------------------ 1100| 272k| init_app_protocol(ndpi_str, &aws_cognito_host_match[i]); 1101| 28.7k| for(i = 0; aws_ec2_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1101:14): [True: 21.5k, False: 7.17k] ------------------ 1102| 21.5k| init_app_protocol(ndpi_str, &aws_ec2_host_match[i]); 1103| 717k| for(i = 0; aws_emr_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1103:14): [True: 710k, False: 7.17k] ------------------ 1104| 710k| init_app_protocol(ndpi_str, &aws_emr_host_match[i]); 1105| 2.18M| for(i = 0; aws_s3_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1105:14): [True: 2.18M, False: 7.17k] ------------------ 1106| 2.18M| init_app_protocol(ndpi_str, &aws_s3_host_match[i]); 1107| 43.0k| for(i = 0; github_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1107:14): [True: 35.8k, False: 7.17k] ------------------ 1108| 35.8k| init_app_protocol(ndpi_str, &github_host_match[i]); 1109| 21.5k| for(i = 0; githubcopilot_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1109:14): [True: 14.3k, False: 7.17k] ------------------ 1110| 14.3k| init_app_protocol(ndpi_str, &githubcopilot_host_match[i]); 1111| 121k| for(i = 0; githubpackages_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1111:14): [True: 114k, False: 7.17k] 
------------------ 1112| 114k| init_app_protocol(ndpi_str, &githubpackages_host_match[i]); 1113| 437k| for(i = 0; githubactions_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1113:14): [True: 430k, False: 7.17k] ------------------ 1114| 430k| init_app_protocol(ndpi_str, &githubactions_host_match[i]); 1115| | 1116| | /* ************************ */ 1117| | 1118| 7.17k| if(!ndpi_xgrams_inited) { ------------------ | Branch (1118:6): [True: 1, False: 7.17k] ------------------ 1119| 1| ndpi_xgrams_inited = 1; 1120| 1| ndpi_xgrams_init(ndpi_str,bigrams_bitmap,sizeof(bigrams_bitmap), 1121| 1| ndpi_en_bigrams,sizeof(ndpi_en_bigrams)/sizeof(ndpi_en_bigrams[0]), 2); 1122| | 1123| 1| ndpi_xgrams_init(ndpi_str,impossible_bigrams_bitmap,sizeof(impossible_bigrams_bitmap), 1124| 1| ndpi_en_impossible_bigrams,sizeof(ndpi_en_impossible_bigrams)/sizeof(ndpi_en_impossible_bigrams[0]), 2); 1125| 1| ndpi_xgrams_init(ndpi_str,trigrams_bitmap,sizeof(trigrams_bitmap), 1126| 1| ndpi_en_trigrams,sizeof(ndpi_en_trigrams)/sizeof(ndpi_en_trigrams[0]), 3); 1127| 1| } 1128| 7.17k|} ndpi_main.c:self_check_host_match: 1000| 121k| ndpi_protocol_match *hosts) { 1001| 121k| u_int32_t i, j; 1002| | 1003| 11.8M| for(i = 0; hosts[i].string_to_match != NULL; i++) { ------------------ | Branch (1003:14): [True: 11.7M, False: 121k] ------------------ 1004| 11.7M| if(hosts[i].string_to_match[0] == '.') { ------------------ | Branch (1004:8): [True: 0, False: 11.7M] ------------------ 1005| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1006| 0| "[NDPI] INTERNAL ERROR Invalid string detected '%s'. 
It can not start with '.'\n", 1007| 0| hosts[i].string_to_match); 1008| 0| } 1009| 6.64G| for(j = 0; hosts[j].string_to_match != NULL; j++) { ------------------ | Branch (1009:16): [True: 6.63G, False: 11.7M] ------------------ 1010| 6.63G| if((i != j) && (strcmp(hosts[i].string_to_match, hosts[j].string_to_match) == 0)) { ------------------ | Branch (1010:10): [True: 6.62G, False: 11.7M] | Branch (1010:22): [True: 0, False: 6.62G] ------------------ 1011| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1012| 0| "[NDPI] INTERNAL ERROR duplicate string detected '%s' [id: %u, id %u]\n", 1013| 0| hosts[i].string_to_match, i, j); 1014| 0| } 1015| 6.63G| } 1016| 11.7M| } 1017| 121k|} ndpi_main.c:init_app_protocol: 934| 11.7M| ndpi_protocol_match const * const match) { 935| 11.7M| ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; 936| 11.7M| ndpi_protocol_qoe_category_t qoeCategory; 937| | 938| 11.7M| switch(match->protocol_category) { 939| 746k| case NDPI_PROTOCOL_CATEGORY_WEB: ------------------ | Branch (939:3): [True: 746k, False: 11.0M] ------------------ 940| 746k| qoeCategory = NDPI_PROTOCOL_QOE_CATEGORY_WEB_BROWSING; 941| 746k| break; 942| | 943| 581k| case NDPI_PROTOCOL_CATEGORY_GAME: ------------------ | Branch (943:3): [True: 581k, False: 11.1M] ------------------ 944| 581k| qoeCategory = NDPI_PROTOCOL_QOE_CATEGORY_ONLINE_GAMING; 945| 581k| break; 946| | 947| 172k| case NDPI_PROTOCOL_CATEGORY_VOIP: ------------------ | Branch (947:3): [True: 172k, False: 11.5M] ------------------ 948| 172k| qoeCategory = NDPI_PROTOCOL_QOE_CATEGORY_VOIP_CALLS; 949| 172k| break; 950| | 951| 14.3k| case NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS: ------------------ | Branch (951:3): [True: 14.3k, False: 11.7M] ------------------ 952| 14.3k| qoeCategory = NDPI_PROTOCOL_QOE_CATEGORY_REMOTE_ACCESS; 953| 14.3k| break; 954| | 955| 143k| case NDPI_PROTOCOL_CATEGORY_MEDIA: 
------------------ | Branch (955:3): [True: 143k, False: 11.6M] ------------------ 956| 753k| case NDPI_PROTOCOL_CATEGORY_STREAMING: ------------------ | Branch (956:3): [True: 609k, False: 11.1M] ------------------ 957| 1.03M| case NDPI_PROTOCOL_CATEGORY_MUSIC: ------------------ | Branch (957:3): [True: 279k, False: 11.4M] ------------------ 958| 1.24M| case NDPI_PROTOCOL_CATEGORY_VIDEO: ------------------ | Branch (958:3): [True: 215k, False: 11.5M] ------------------ 959| 1.24M| qoeCategory = NDPI_PROTOCOL_QOE_CATEGORY_BUFFERED_STREAMING; 960| 1.24M| break; 961| | 962| 9.00M| default: ------------------ | Branch (962:3): [True: 9.00M, False: 2.76M] ------------------ 963| 9.00M| qoeCategory = NDPI_PROTOCOL_QOE_CATEGORY_UNSPECIFIED; 964| 9.00M| break; 965| 11.7M| } 966| | 967| 11.7M| ndpi_set_proto_defaults(ndpi_str, 968| 11.7M| 0, /* isClearTextProto */ 969| 11.7M| 1, /* isAppProtocol */ 970| 11.7M| match->protocol_breed, 971| 11.7M| match->protocol_id, 972| 11.7M| match->proto_name, 973| 11.7M| match->protocol_category, 974| 11.7M| qoeCategory, 975| 11.7M| ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, 976| 11.7M| ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */, 977| 11.7M| 0 /* Internal protocol, no custom */); 978| 11.7M|} ndpi_main.c:ndpi_xgrams_init: 1032| 3|{ 1033| 3| unsigned int i,j,c; 1034| 10.7k| for(i=0;i < sn && src[i]; i++) { ------------------ | Branch (1034:11): [True: 10.7k, False: 0] | Branch (1034:21): [True: 10.7k, False: 3] ------------------ 1035| 42.2k| for(j=0,c=0; j < l; j++) { ------------------ | Branch (1035:18): [True: 31.4k, False: 10.7k] ------------------ 1036| 31.4k| unsigned char a = (unsigned char)src[i][j]; 1037| 31.4k| if(a < 'a' || a > 'z') { ------------------ | Branch (1037:10): [True: 0, False: 31.4k] | Branch (1037:21): [True: 0, False: 31.4k] ------------------ 1038| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1039| 0| "[NDPI] INTERNAL ERROR ndpi_xgrams_init %u: c%u %c\n", 1040| 0| i,j,a); 1041| 0| abort(); 1042| 0| } 1043| 31.4k| c *= XGRAMS_C; ------------------ | | 1021| 31.4k|#define XGRAMS_C 26 ------------------ 1044| 31.4k| c += a - 'a'; 1045| 31.4k| } 1046| 10.7k| if(src[i][l]) { ------------------ | Branch (1046:8): [True: 0, False: 10.7k] ------------------ 1047| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1048| 0| "[NDPI] INTERNAL ERROR ndpi_xgrams_init %u: c[%d] != 0\n", 1049| 0| i,l); 1050| 0| abort(); 1051| 0| } 1052| 10.7k| if((c >> 3) >= dn) abort(); ------------------ | Branch (1052:8): [True: 0, False: 10.7k] ------------------ 1053| 10.7k| dst[c >> 5] |= 1u << (c & 0x1f); 1054| 10.7k| } 1055| 3|} ndpi_main.c:load_string_based_protocols: 1132| 7.15k|static void load_string_based_protocols(struct ndpi_detection_module_struct *ndpi_str) { 1133| 7.15k| int i; 1134| | 1135| 6.40M| for(i = 0; host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1135:14): [True: 6.39M, False: 7.15k] ------------------ 1136| 6.39M| load_protocol_match(ndpi_str, &host_match[i]); 1137| 78.7k| for(i = 0; teams_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1137:14): [True: 71.5k, False: 7.15k] ------------------ 1138| 71.5k| load_protocol_match(ndpi_str, &teams_host_match[i]); 1139| 64.4k| for(i = 0; outlook_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1139:14): [True: 57.2k, False: 7.15k] ------------------ 1140| 57.2k| load_protocol_match(ndpi_str, &outlook_host_match[i]); 1141| 85.8k| for(i = 0; ms_onedrive_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1141:14): [True: 78.7k, False: 7.15k] ------------------ 1142| 78.7k| load_protocol_match(ndpi_str, &ms_onedrive_host_match[i]); 1143| 908k| for(i = 0; 
microsoft365_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1143:14): [True: 901k, False: 7.15k] ------------------ 1144| 901k| load_protocol_match(ndpi_str, &microsoft365_host_match[i]); 1145| 193k| for(i = 0; azure_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1145:14): [True: 186k, False: 7.15k] ------------------ 1146| 186k| load_protocol_match(ndpi_str, &azure_host_match[i]); 1147| 28.6k| for(i = 0; microsoft_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1147:14): [True: 21.4k, False: 7.15k] ------------------ 1148| 21.4k| load_protocol_match(ndpi_str, &microsoft_host_match[i]); 1149| 250k| for(i = 0; aws_api_gateway_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1149:14): [True: 243k, False: 7.15k] ------------------ 1150| 243k| load_protocol_match(ndpi_str, &aws_api_gateway_host_match[i]); 1151| 14.3k| for(i = 0; aws_cloudfront_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1151:14): [True: 7.15k, False: 7.15k] ------------------ 1152| 7.15k| load_protocol_match(ndpi_str, &aws_cloudfront_host_match[i]); 1153| 279k| for(i = 0; aws_cognito_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1153:14): [True: 271k, False: 7.15k] ------------------ 1154| 271k| load_protocol_match(ndpi_str, &aws_cognito_host_match[i]); 1155| 28.6k| for(i = 0; aws_ec2_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1155:14): [True: 21.4k, False: 7.15k] ------------------ 1156| 21.4k| load_protocol_match(ndpi_str, &aws_ec2_host_match[i]); 1157| 715k| for(i = 0; aws_emr_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1157:14): [True: 708k, False: 7.15k] ------------------ 1158| 708k| load_protocol_match(ndpi_str, &aws_emr_host_match[i]); 1159| 2.18M| for(i = 0; aws_s3_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1159:14): [True: 2.17M, False: 7.15k] 
------------------ 1160| 2.17M| load_protocol_match(ndpi_str, &aws_s3_host_match[i]); 1161| 42.9k| for(i = 0; github_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1161:14): [True: 35.7k, False: 7.15k] ------------------ 1162| 35.7k| load_protocol_match(ndpi_str, &github_host_match[i]); 1163| 21.4k| for(i = 0; githubcopilot_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1163:14): [True: 14.3k, False: 7.15k] ------------------ 1164| 14.3k| load_protocol_match(ndpi_str, &githubcopilot_host_match[i]); 1165| 121k| for(i = 0; githubpackages_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1165:14): [True: 114k, False: 7.15k] ------------------ 1166| 114k| load_protocol_match(ndpi_str, &githubpackages_host_match[i]); 1167| 436k| for(i = 0; githubactions_host_match[i].string_to_match != NULL; i++) ------------------ | Branch (1167:14): [True: 429k, False: 7.15k] ------------------ 1168| 429k| load_protocol_match(ndpi_str, &githubactions_host_match[i]); 1169| | 1170| | /* ************************ */ 1171| | 1172| 171k| for(i = 0; tls_certificate_match[i].string_to_match != NULL; i++) { ------------------ | Branch (1172:14): [True: 164k, False: 7.15k] ------------------ 1173| 164k| if(!is_proto_enabled(ndpi_str, tls_certificate_match[i].protocol_id)) { ------------------ | Branch (1173:8): [True: 0, False: 164k] ------------------ 1174| 0| NDPI_LOG_DBG(ndpi_str, "[NDPI] Skip tls cert match for %s/protoId=%d: disabled\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1175| 0| tls_certificate_match[i].string_to_match, tls_certificate_match[i].protocol_id); 1176| 0| continue; 1177| 0| } 1178| | /* Note: string_to_match is not malloc'ed here as ac_automata_release is 1179| | * called with free_pattern = 0 */ 1180| 164k| ndpi_add_string_value_to_automa(ndpi_str->tls_cert_subject_automa.ac_automa, 1181| 164k| tls_certificate_match[i].string_to_match, 1182| 164k| tls_certificate_match[i].protocol_id); 1183| 164k| } 1184| 7.15k|} ndpi_main.c:load_default_ports: 656| 6.99k|{ 657| 6.99k| unsigned int protoId; 658| 6.99k| int j; 659| | 660| 3.32M| for(protoId = 0; protoId < ndpi_str->num_supported_protocols; protoId++) { ------------------ | Branch (660:20): [True: 3.31M, False: 6.99k] ------------------ 661| 3.31M| if(!is_proto_enabled(ndpi_str, protoId)) { ------------------ | Branch (661:8): [True: 0, False: 3.31M] ------------------ 662| 0| NDPI_LOG_DBG(ndpi_str, "Skip default ports for protoId=%d: disabled\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 663| 0| ndpi_str->proto_defaults[protoId].protoName, protoId); 664| 0| continue; 665| 0| } 666| | 667| 19.8M| for(j = 0; j < MAX_DEFAULT_PORTS; j++) { ------------------ | | 89| 19.8M|#define MAX_DEFAULT_PORTS 5 ------------------ | Branch (667:16): [True: 16.5M, False: 3.31M] ------------------ 668| 16.5M| if(ndpi_str->proto_defaults[protoId].udp_default_ports[j].port_low != 0) ------------------ | Branch (668:10): [True: 839k, False: 15.7M] ------------------ 669| 839k| addDefaultPort(ndpi_str, &ndpi_str->proto_defaults[protoId].udp_default_ports[j], 670| 839k| protoId, ndpi_str->proto_defaults[protoId].isCustomProto, &ndpi_str->udpRoot); 671| | 672| 16.5M| if(ndpi_str->proto_defaults[protoId].tcp_default_ports[j].port_low != 0) ------------------ | Branch (672:10): [True: 979k, False: 15.5M] ------------------ 673| 979k| addDefaultPort(ndpi_str, &ndpi_str->proto_defaults[protoId].tcp_default_ports[j], 674| 979k| protoId, ndpi_str->proto_defaults[protoId].isCustomProto, &ndpi_str->tcpRoot); 675| 16.5M| } 676| 3.31M| } 677| 6.99k|} ndpi_main.c:addDefaultPort: 776| 1.81M| default_ports_tree_node_t **root) { 777| 1.81M| u_int32_t port; 778| | 779| 3.47M| for(port = range->port_low; port <= range->port_high; port++) { ------------------ | Branch (779:31): [True: 1.90M, False: 1.57M] ------------------ 780| 1.90M| default_ports_tree_node_t *node = 781| 1.90M| (default_ports_tree_node_t *) ndpi_malloc(sizeof(default_ports_tree_node_t)); 782| 1.90M| default_ports_tree_node_t *ret; 783| | 784| 1.90M| if(!node) { ------------------ | Branch (784:8): [True: 115k, False: 1.78M] ------------------ 785| 115k| NDPI_LOG_ERR(ndpi_str, "Not enough memory\n"); ------------------ | | 593| 115k|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 786| 115k| break; 787| 115k| } 788| | 789| 1.78M| node->proto_idx = proto_idx, node->default_port = port, node->customUserProto = customUserProto | range->is_custom; 790| 1.78M| ret = (default_ports_tree_node_t *) ndpi_tsearch(node, 791| 1.78M| (void *) root, 792| 1.78M| default_ports_tree_node_t_cmp); /* Add it to the tree */ 793| | 794| 1.78M| if(ret == NULL) { ------------------ | Branch (794:8): [True: 112k, False: 1.67M] ------------------ 795| 112k| NDPI_LOG_ERR(ndpi_str, "Error searching for port %u\n", port); ------------------ | | 593| 112k|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 796| 112k| ndpi_free(node); 797| 112k| break; 798| 112k| } 799| | 800| 1.67M| if(ret != node) { ------------------ | Branch (800:8): [True: 11.5k, False: 1.66M] ------------------ 801| 11.5k| NDPI_LOG_DBG(ndpi_str, "Found duplicate for port %u: overwriting it with new value\n", ------------------ | | 596| 11.5k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 802| 11.5k| port); 803| | /* Overwriting -> custom rules wins over "default"/hard-coded default ports */ 804| | 805| 11.5k| ret->customUserProto |= (customUserProto | range->is_custom); 806| 11.5k| ret->proto_idx = proto_idx; 807| 11.5k| ndpi_free(node); 808| 11.5k| return(-1); /* Duplicates found */ 809| 11.5k| } 810| 1.67M| } 811| | 812| 1.80M| return(0); 813| 1.81M|} ndpi_main.c:default_ports_tree_node_t_cmp: 761| 18.6M|static int default_ports_tree_node_t_cmp(const void *a, const void *b) { 762| 18.6M| default_ports_tree_node_t *fa = (default_ports_tree_node_t *) a; 763| 18.6M| default_ports_tree_node_t *fb = (default_ports_tree_node_t *) b; 764| | 765| | //printf("[NDPI] %s(%d, %d)\n", __FUNCTION__, fa->default_port, fb->default_port); 766| | 767| 18.6M| return((fa->default_port == fb->default_port) ? 0 : ((fa->default_port < fb->default_port) ? 
-1 : 1)); ------------------ | Branch (767:10): [True: 29.0k, False: 18.6M] | Branch (767:56): [True: 4.58M, False: 14.0M] ------------------ 768| 18.6M|} ndpi_main.c:validate_protocol_initialization: 1188| 6.99k|static void validate_protocol_initialization(struct ndpi_detection_module_struct *ndpi_str) { 1189| 6.99k| u_int i; 1190| | 1191| 3.32M| for(i = 0; i < ndpi_str->num_supported_protocols; i++) { ------------------ | Branch (1191:14): [True: 3.31M, False: 6.99k] ------------------ 1192| 3.31M| if(ndpi_str->proto_defaults[i].protoName[0] == '\0') { ------------------ | Branch (1192:8): [True: 0, False: 3.31M] ------------------ 1193| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1194| 0| "[NDPI] INTERNAL ERROR missing protoName initialization for [protoId=%d]: recovering\n", i); 1195| 3.31M| } else { 1196| 3.31M| if((i != NDPI_PROTOCOL_UNKNOWN) && ------------------ | Branch (1196:10): [True: 3.30M, False: 6.99k] ------------------ 1197| 3.30M| (ndpi_str->proto_defaults[i].protoCategory == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) && ------------------ | Branch (1197:3): [True: 0, False: 3.30M] ------------------ 1198| 0| !ndpi_str->proto_defaults[i].isCustomProto /* We can't yet specify category in custom protocols */) { ------------------ | Branch (1198:3): [True: 0, False: 0] ------------------ 1199| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1200| 0| "[NDPI] INTERNAL ERROR missing category [protoId=%d/%s] initialization: recovering\n", 1201| 0| i, ndpi_str->proto_defaults[i].protoName); 1202| 0| } 1203| 3.31M| if(i != ndpi_str->proto_defaults[i].protoId) { ------------------ | Branch (1203:10): [True: 0, False: 3.31M] ------------------ 1204| 0| NDPI_LOG_ERR(ndpi_str, ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1205| 0| "[NDPI] INTERNAL ERROR non-coherent id %d/%d [%s]: recovering\n", 1206| 0| i, ndpi_str->proto_defaults[i].protoId, ndpi_str->proto_defaults[i].protoName); 1207| 0| } 1208| 3.31M| } 1209| 3.31M| } 1210| 6.99k|} ndpi_main.c:ndpi_init_ptree_ipv4: 3580| 447k|static void ndpi_init_ptree_ipv4(ndpi_patricia_tree_t *ptree, ndpi_network host_list[]) { 3581| 447k| int i; 3582| | 3583| 183M| for(i = 0; host_list[i].network != 0x0; i++) { ------------------ | Branch (3583:14): [True: 183M, False: 447k] ------------------ 3584| 183M| struct in_addr pin; 3585| 183M| ndpi_patricia_node_t *node; 3586| | 3587| 183M| pin.s_addr = htonl(host_list[i].network); 3588| 183M| if((node = add_to_ptree(ptree, AF_INET, &pin, host_list[i].cidr /* bits */)) != NULL) { ------------------ | Branch (3588:8): [True: 151M, False: 31.2M] ------------------ 3589| | /* 3590| | Two main cases: 3591| | 1) ip -> protocol: uv16[0].user_value = protocol; uv16[0].additional_user_value = 0; 3592| | 2) ip -> risk: uv16[0].user_value = risk; uv16[0].additional_user_value = 0; 3593| | */ 3594| 151M| node->value.u.uv16[0].user_value = host_list[i].value, node->value.u.uv16[0].additional_user_value = 0; 3595| 151M| } 3596| 183M| } 3597| 447k|} ndpi_main.c:ndpi_init_ptree_ipv6: 3602| 447k| ndpi_patricia_tree_t *ptree, ndpi_network6 host_list[]) { 3603| 447k| int i; 3604| | 3605| 127M| for(i = 0; host_list[i].network != NULL; i++) { ------------------ | Branch (3605:14): [True: 127M, False: 447k] ------------------ 3606| 127M| int rc; 3607| 127M| struct in6_addr pin; 3608| 127M| ndpi_patricia_node_t *node; 3609| | 3610| 127M| rc = inet_pton(AF_INET6, host_list[i].network, &pin); 3611| 127M| if (rc != 1) { ------------------ | Branch (3611:9): [True: 0, False: 127M] ------------------ 3612| 0| NDPI_LOG_ERR(ndpi_str, "Invalid ipv6 address [%s]: %d\n", host_list[i].network, rc); ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 3613| 0| continue; 3614| 0| } 3615| | 3616| 127M| if((node = add_to_ptree(ptree, AF_INET6, &pin, host_list[i].cidr /* bits */)) != NULL) { ------------------ | Branch (3616:8): [True: 106M, False: 20.7M] ------------------ 3617| 106M| node->value.u.uv16[0].user_value = host_list[i].value, node->value.u.uv16[0].additional_user_value = 0; 3618| 106M| } 3619| 127M| } 3620| 447k|} ndpi_main.c:is_ip_list_enabled: 4387| 419k|{ 4388| 419k| if(ndpi_bitmask_is_set(&ndpi_str->cfg.ip_list_bitmask, protoId) == 0) ------------------ | Branch (4388:6): [True: 0, False: 419k] ------------------ 4389| 0| return 0; 4390| | 4391| 419k| ndpi_str->proto_defaults[protoId].performIPcheck = 1; 4392| | 4393| 419k| return 1; 4394| 419k|} ndpi_main.c:ndpi_add_domain_risk_exceptions: 4345| 6.79k|static void ndpi_add_domain_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str) { 4346| 6.79k| const char *domains[] = { 4347| 6.79k| ".local", 4348| 6.79k| ".work", 4349| | /* DGA's are used for caching */ 4350| 6.79k| "akamaihd.net", 4351| 6.79k| "dropboxusercontent.com", 4352| | NULL /* End */ 4353| 6.79k| }; 4354| 6.79k| const ndpi_risk risks_to_mask[] = { 4355| 6.79k| NDPI_SUSPICIOUS_DGA_DOMAIN, 4356| 6.79k| NDPI_BINARY_APPLICATION_TRANSFER, 4357| 6.79k| NDPI_NUMERIC_IP_HOST, 4358| 6.79k| NDPI_MALICIOUS_FINGERPRINT, 4359| 6.79k| NDPI_NO_RISK /* End */ 4360| 6.79k| }; 4361| 6.79k| u_int i; 4362| 6.79k| ndpi_risk mask = ((ndpi_risk)-1); 4363| | 4364| 33.9k| for(i=0; risks_to_mask[i] != NDPI_NO_RISK; i++) ------------------ | Branch (4364:12): [True: 27.1k, False: 6.79k] ------------------ 4365| 27.1k| mask &= ~(1ULL << risks_to_mask[i]); 4366| | 4367| 33.9k| for(i=0; domains[i] != NULL; i++) ------------------ | Branch (4367:12): [True: 27.1k, False: 6.79k] ------------------ 4368| 27.1k| ndpi_add_host_risk_mask(ndpi_str, (char*)domains[i], mask); 4369| | 4370| 6.08M| for(i=0; host_match[i].string_to_match != NULL; i++) { 
------------------ | Branch (4370:12): [True: 6.07M, False: 6.79k] ------------------ 4371| 6.07M| switch(host_match[i].protocol_category) { 4372| 47.5k| case NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK: ------------------ | Branch (4372:5): [True: 47.5k, False: 6.03M] ------------------ 4373| 387k| case NDPI_PROTOCOL_CATEGORY_CYBERSECURITY: ------------------ | Branch (4373:5): [True: 339k, False: 5.73M] ------------------ 4374| 387k| ndpi_add_host_risk_mask(ndpi_str, (char*)host_match[i].string_to_match, mask); 4375| 387k| break; 4376| | 4377| 5.69M| default: ------------------ | Branch (4377:5): [True: 5.69M, False: 387k] ------------------ 4378| | /* Nothing to do */ 4379| 5.69M| break; 4380| 6.07M| } 4381| 6.07M| } 4382| 6.79k|} ndpi_main.c:ndpi_match_string_common: 4983| 16.5k| ndpi_protocol_breed_t *breed) { 4984| 16.5k| AC_REP_t match = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, NDPI_PROTOCOL_UNRATED, 0, 0, 0, 0, 0 }; 4985| 16.5k| AC_TEXT_t ac_input_text; 4986| 16.5k| int rc; 4987| | 4988| 16.5k| if(protocol_id) *protocol_id = NDPI_PROTOCOL_UNKNOWN; ------------------ | Branch (4988:6): [True: 16.5k, False: 0] ------------------ 4989| | 4990| 16.5k| if((automa == NULL) || (string_to_match == NULL) || (string_to_match[0] == '\0')) { ------------------ | Branch (4990:6): [True: 57, False: 16.4k] | Branch (4990:26): [True: 0, False: 16.4k] | Branch (4990:55): [True: 0, False: 16.4k] ------------------ 4991| 57| return(-2); 4992| 57| } 4993| | 4994| 16.4k| if(automa->automata_open) { ------------------ | Branch (4994:6): [True: 14.5k, False: 1.87k] ------------------ 4995| |#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 4996| | printf("[%s:%d] [NDPI] Internal error: please call ndpi_finalize_initialization()\n", __FILE__, __LINE__); 4997| |#endif 4998| 14.5k| return(-1); 4999| 14.5k| } 5000| | 5001| 1.87k| ac_input_text.astring = string_to_match, ac_input_text.length = string_len; 5002| 1.87k| ac_input_text.option = 0; 5003| 1.87k| rc = 
ac_automata_search(automa, &ac_input_text, &match); 5004| | 5005| 1.87k| if(protocol_id) ------------------ | Branch (5005:6): [True: 1.87k, False: 0] ------------------ 5006| 1.87k| *protocol_id = rc ? match.number : NDPI_PROTOCOL_UNKNOWN; ------------------ | Branch (5006:20): [True: 157, False: 1.71k] ------------------ 5007| | 5008| 1.87k| if(category) ------------------ | Branch (5008:6): [True: 1.34k, False: 523] ------------------ 5009| 1.34k| *category = rc ? match.category : 0; ------------------ | Branch (5009:17): [True: 157, False: 1.19k] ------------------ 5010| | 5011| 1.87k| if(breed) ------------------ | Branch (5011:6): [True: 1.34k, False: 523] ------------------ 5012| 1.34k| *breed = rc ? match.breed : 0; ------------------ | Branch (5012:14): [True: 157, False: 1.19k] ------------------ 5013| | 5014| 1.87k| return rc; 5015| 16.4k|} ndpi_main.c:ndpi_domain_level: 855| 10.2M|static u_int8_t ndpi_domain_level(const char *name) { 856| 10.2M| u_int8_t level = 1, state = 0; 857| 10.2M| char c; 858| 248M| while((c = *name++) != '\0') { ------------------ | Branch (858:9): [True: 238M, False: 10.2M] ------------------ 859| 238M| c = c == '-' ? 2 : (c == '.' ? 1:0); ------------------ | Branch (859:9): [True: 10.0M, False: 228M] | Branch (859:25): [True: 21.0M, False: 207M] ------------------ 860| 238M| level += ndpi_domain_level_automat[state][3]; 861| 238M| state = ndpi_domain_level_automat[state][(u_int8_t)c]; 862| 238M| if(!state) break; ------------------ | Branch (862:8): [True: 0, False: 238M] ------------------ 863| 238M| } 864| 10.2M| return state >= 2 ? 
level:0; ------------------ | Branch (864:10): [True: 10.2M, False: 0] ------------------ 865| 10.2M|} ndpi_main.c:dissectors_init: 6785| 7.15k|static int dissectors_init(struct ndpi_detection_module_struct *ndpi_str) { 6786| 7.15k| struct call_function_struct *all_cb = NULL; 6787| | 6788| 7.15k| ndpi_str->callback_buffer = ndpi_calloc(NDPI_MAX_NUM_DISSECTORS, sizeof(struct call_function_struct)); ------------------ | | 273| 7.15k|#define NDPI_MAX_NUM_DISSECTORS 288 /* Multiple of 32 */ ------------------ 6789| 7.15k| if(!ndpi_str->callback_buffer) return 1; ------------------ | Branch (6789:6): [True: 70, False: 7.08k] ------------------ 6790| | 6791| | /* HTTP */ 6792| 7.08k| init_http_dissector(ndpi_str); 6793| | 6794| | /* BLIZZARD */ 6795| 7.08k| init_blizzard_dissector(ndpi_str); 6796| | 6797| | /* TLS+DTLS */ 6798| 7.08k| init_tls_dissector(ndpi_str); 6799| | 6800| | /* RTP */ 6801| 7.08k| init_rtp_dissector(ndpi_str); 6802| | 6803| | /* RTSP */ 6804| 7.08k| init_rtsp_dissector(ndpi_str); 6805| | 6806| | /* RDP */ 6807| 7.08k| init_rdp_dissector(ndpi_str); 6808| | 6809| | /* STUN */ 6810| 7.08k| init_stun_dissector(ndpi_str); 6811| | 6812| | /* SIP */ 6813| 7.08k| init_sip_dissector(ndpi_str); 6814| | 6815| | /* Mudfish */ 6816| 7.08k| init_mudfish_dissector(ndpi_str); 6817| | 6818| | /* IMO */ 6819| 7.08k| init_imo_dissector(ndpi_str); 6820| | 6821| | /* Teredo */ 6822| 7.08k| init_teredo_dissector(ndpi_str); 6823| | 6824| | /* EDONKEY */ 6825| 7.08k| init_edonkey_dissector(ndpi_str); 6826| | 6827| | /* GNUTELLA */ 6828| 7.08k| init_gnutella_dissector(ndpi_str); 6829| | 6830| | /* NATS */ 6831| 7.08k| init_nats_dissector(ndpi_str); 6832| | 6833| | /* SOCKS */ 6834| 7.08k| init_socks_dissector(ndpi_str); 6835| | 6836| | /* IRC */ 6837| 7.08k| init_irc_dissector(ndpi_str); 6838| | 6839| | /* JABBER */ 6840| 7.08k| init_jabber_dissector(ndpi_str); 6841| | 6842| | /* MAIL_POP */ 6843| 7.08k| init_mail_pop_dissector(ndpi_str); 6844| | 6845| | /* MAIL_IMAP */ 
6846| 7.08k| init_mail_imap_dissector(ndpi_str); 6847| | 6848| | /* MAIL_SMTP */ 6849| 7.08k| init_mail_smtp_dissector(ndpi_str); 6850| | 6851| | /* USENET */ 6852| 7.08k| init_usenet_dissector(ndpi_str); 6853| | 6854| | /* DNS */ 6855| 7.08k| init_dns_dissector(ndpi_str); 6856| | 6857| | /* VMWARE */ 6858| 7.08k| init_vmware_dissector(ndpi_str); 6859| | 6860| | /* NON_TCP_UDP */ 6861| 7.08k| init_non_tcp_udp_dissector(ndpi_str); 6862| | 6863| | /* IAX */ 6864| 7.08k| init_iax_dissector(ndpi_str); 6865| | 6866| | /* Media Gateway Control Protocol */ 6867| 7.08k| init_mgcp_dissector(ndpi_str); 6868| | 6869| | /* ZATTOO */ 6870| 7.08k| init_zattoo_dissector(ndpi_str); 6871| | 6872| | /* QQ */ 6873| 7.08k| init_qq_dissector(ndpi_str); 6874| | 6875| | /* SSH */ 6876| 7.08k| init_ssh_dissector(ndpi_str); 6877| | 6878| | /* VNC */ 6879| 7.08k| init_vnc_dissector(ndpi_str); 6880| | 6881| | /* VXLAN */ 6882| 7.08k| init_vxlan_dissector(ndpi_str); 6883| | 6884| | /* TEAMVIEWER */ 6885| 7.08k| init_teamviewer_dissector(ndpi_str); 6886| | 6887| | /* DHCP */ 6888| 7.08k| init_dhcp_dissector(ndpi_str); 6889| | 6890| | /* STEAM */ 6891| 7.08k| init_steam_dissector(ndpi_str); 6892| | 6893| | /* XBOX */ 6894| 7.08k| init_xbox_dissector(ndpi_str); 6895| | 6896| | /* SMB */ 6897| 7.08k| init_smb_dissector(ndpi_str); 6898| | 6899| | /* MINING */ 6900| 7.08k| init_mining_dissector(ndpi_str); 6901| | 6902| | /* TELNET */ 6903| 7.08k| init_telnet_dissector(ndpi_str); 6904| | 6905| | /* NTP */ 6906| 7.08k| init_ntp_dissector(ndpi_str); 6907| | 6908| | /* NFS */ 6909| 7.08k| init_nfs_dissector(ndpi_str); 6910| | 6911| | /* SSDP */ 6912| 7.08k| init_ssdp_dissector(ndpi_str); 6913| | 6914| | /* POSTGRES */ 6915| 7.08k| init_postgres_dissector(ndpi_str); 6916| | 6917| | /* MYSQL */ 6918| 7.08k| init_mysql_dissector(ndpi_str); 6919| | 6920| | /* BGP */ 6921| 7.08k| init_bgp_dissector(ndpi_str); 6922| | 6923| | /* SNMP */ 6924| 7.08k| init_snmp_dissector(ndpi_str); 6925| | 6926| | /* ICECAST 
*/ 6927| 7.08k| init_icecast_dissector(ndpi_str); 6928| | 6929| | /* KERBEROS */ 6930| 7.08k| init_kerberos_dissector(ndpi_str); 6931| | 6932| | /* SYSLOG */ 6933| 7.08k| init_syslog_dissector(ndpi_str); 6934| | 6935| | /* NETBIOS */ 6936| 7.08k| init_netbios_dissector(ndpi_str); 6937| | 6938| | /* IPP */ 6939| 7.08k| init_ipp_dissector(ndpi_str); 6940| | 6941| | /* LDAP */ 6942| 7.08k| init_ldap_dissector(ndpi_str); 6943| | 6944| | /* XDMCP */ 6945| 7.08k| init_xdmcp_dissector(ndpi_str); 6946| | 6947| | /* TFTP */ 6948| 7.08k| init_tftp_dissector(ndpi_str); 6949| | 6950| | /* MSSQL_TDS */ 6951| 7.08k| init_mssql_tds_dissector(ndpi_str); 6952| | 6953| | /* PPTP */ 6954| 7.08k| init_pptp_dissector(ndpi_str); 6955| | 6956| | /* DHCPV6 */ 6957| 7.08k| init_dhcpv6_dissector(ndpi_str); 6958| | 6959| | /* AFP */ 6960| 7.08k| init_afp_dissector(ndpi_str); 6961| | 6962| | /* check_mk */ 6963| 7.08k| init_checkmk_dissector(ndpi_str); 6964| | 6965| | /* cpha */ 6966| 7.08k| init_cpha_dissector(ndpi_str); 6967| | 6968| | /* NEXON */ 6969| 7.08k| init_nexon_dissector(ndpi_str); 6970| | 6971| | /* DOFUS */ 6972| 7.08k| init_dofus_dissector(ndpi_str); 6973| | 6974| | /* CROSSIFIRE */ 6975| 7.08k| init_crossfire_dissector(ndpi_str); 6976| | 6977| | /* Guild Wars 2 */ 6978| 7.08k| init_guildwars2_dissector(ndpi_str); 6979| | 6980| | /* ARMAGETRON */ 6981| 7.08k| init_armagetron_dissector(ndpi_str); 6982| | 6983| | /* DROPBOX */ 6984| 7.08k| init_dropbox_dissector(ndpi_str); 6985| | 6986| | /* SONOS */ 6987| 7.08k| init_sonos_dissector(ndpi_str); 6988| | 6989| | /* SPOTIFY */ 6990| 7.08k| init_spotify_dissector(ndpi_str); 6991| | 6992| | /* RADIUS */ 6993| 7.08k| init_radius_dissector(ndpi_str); 6994| | 6995| | /* CITRIX */ 6996| 7.08k| init_citrix_dissector(ndpi_str); 6997| | 6998| | /* HCL Notes */ 6999| 7.08k| init_hcl_notes_dissector(ndpi_str); 7000| | 7001| | /* GTP */ 7002| 7.08k| init_gtp_dissector(ndpi_str); 7003| | 7004| | /* HSRP */ 7005| 7.08k| 
init_hsrp_dissector(ndpi_str); 7006| | 7007| | /* DCERPC */ 7008| 7.08k| init_dcerpc_dissector(ndpi_str); 7009| | 7010| | /* NETFLOW */ 7011| 7.08k| init_netflow_dissector(ndpi_str); 7012| | 7013| | /* SFLOW */ 7014| 7.08k| init_sflow_dissector(ndpi_str); 7015| | 7016| | /* H323 */ 7017| 7.08k| init_h323_dissector(ndpi_str); 7018| | 7019| | /* OPENVPN */ 7020| 7.08k| init_openvpn_dissector(ndpi_str); 7021| | 7022| | /* NOE */ 7023| 7.08k| init_noe_dissector(ndpi_str); 7024| | 7025| | /* CISCOVPN */ 7026| 7.08k| init_ciscovpn_dissector(ndpi_str); 7027| | 7028| | /* TEAMSPEAK */ 7029| 7.08k| init_teamspeak_dissector(ndpi_str); 7030| | 7031| | /* SKINNY */ 7032| 7.08k| init_skinny_dissector(ndpi_str); 7033| | 7034| | /* RSYNC */ 7035| 7.08k| init_rsync_dissector(ndpi_str); 7036| | 7037| | /* WHOIS_DAS */ 7038| 7.08k| init_whois_das_dissector(ndpi_str); 7039| | 7040| | /* ORACLE */ 7041| 7.08k| init_oracle_dissector(ndpi_str); 7042| | 7043| | /* CORBA */ 7044| 7.08k| init_corba_dissector(ndpi_str); 7045| | 7046| | /* RTMP */ 7047| 7.08k| init_rtmp_dissector(ndpi_str); 7048| | 7049| | /* FTP_CONTROL */ 7050| 7.08k| init_ftp_control_dissector(ndpi_str); 7051| | 7052| | /* FTP_DATA */ 7053| 7.08k| init_ftp_data_dissector(ndpi_str); 7054| | 7055| | /* MEGACO */ 7056| 7.08k| init_megaco_dissector(ndpi_str); 7057| | 7058| | /* RESP */ 7059| 7.08k| init_resp_dissector(ndpi_str); 7060| | 7061| | /* ZMQ */ 7062| 7.08k| init_zmq_dissector(ndpi_str); 7063| | 7064| | /* TELEGRAM */ 7065| 7.08k| init_telegram_dissector(ndpi_str); 7066| | 7067| | /* QUIC */ 7068| 7.08k| init_quic_dissector(ndpi_str); 7069| | 7070| | /* DIAMETER */ 7071| 7.08k| init_diameter_dissector(ndpi_str); 7072| | 7073| | /* EAQ */ 7074| 7.08k| init_eaq_dissector(ndpi_str); 7075| | 7076| | /* KAKAOTALK_VOICE */ 7077| 7.08k| init_kakaotalk_voice_dissector(ndpi_str); 7078| | 7079| | /* MIKROTIK */ 7080| 7.08k| init_mikrotik_dissector(ndpi_str); 7081| | 7082| | /* MPEGTS */ 7083| 7.08k| 
init_mpegts_dissector(ndpi_str); 7084| | 7085| | /* UBNTAC2 */ 7086| 7.08k| init_ubntac2_dissector(ndpi_str); 7087| | 7088| | /* COAP */ 7089| 7.08k| init_coap_dissector(ndpi_str); 7090| | 7091| | /* MQTT */ 7092| 7.08k| init_mqtt_dissector(ndpi_str); 7093| | 7094| | /* SOME/IP */ 7095| 7.08k| init_someip_dissector(ndpi_str); 7096| | 7097| | /* RX */ 7098| 7.08k| init_rx_dissector(ndpi_str); 7099| | 7100| | /* GIT */ 7101| 7.08k| init_git_dissector(ndpi_str); 7102| | 7103| | /* DRDA */ 7104| 7.08k| init_drda_dissector(ndpi_str); 7105| | 7106| | /* BJNP */ 7107| 7.08k| init_bjnp_dissector(ndpi_str); 7108| | 7109| | /* SMPP */ 7110| 7.08k| init_smpp_dissector(ndpi_str); 7111| | 7112| | /* TINC */ 7113| 7.08k| init_tinc_dissector(ndpi_str); 7114| | 7115| | /* FIX */ 7116| 7.08k| init_fix_dissector(ndpi_str); 7117| | 7118| | /* NINTENDO */ 7119| 7.08k| init_nintendo_dissector(ndpi_str); 7120| | 7121| | /* MODBUS */ 7122| 7.08k| init_modbus_dissector(ndpi_str); 7123| | 7124| | /* CAPWAP */ 7125| 7.08k| init_capwap_dissector(ndpi_str); 7126| | 7127| | /* ZABBIX */ 7128| 7.08k| init_zabbix_dissector(ndpi_str); 7129| | 7130| | /*** Put false-positive sensitive protocols at the end ***/ 7131| | 7132| | /* VIBER */ 7133| 7.08k| init_viber_dissector(ndpi_str); 7134| | 7135| | /* BITTORRENT */ 7136| 7.08k| init_bittorrent_dissector(ndpi_str); 7137| | 7138| | /* WHATSAPP */ 7139| 7.08k| init_whatsapp_dissector(ndpi_str); 7140| | 7141| | /* OOKLA */ 7142| 7.08k| init_ookla_dissector(ndpi_str); 7143| | 7144| | /* AMQP */ 7145| 7.08k| init_amqp_dissector(ndpi_str); 7146| | 7147| | /* Steam Datagram Relay */ 7148| 7.08k| init_valve_sdr_dissector(ndpi_str); 7149| | 7150| | /* LISP */ 7151| 7.08k| init_lisp_dissector(ndpi_str); 7152| | 7153| | /* AJP */ 7154| 7.08k| init_ajp_dissector(ndpi_str); 7155| | 7156| | /* Memcached */ 7157| 7.08k| init_memcached_dissector(ndpi_str); 7158| | 7159| | /* Nest Log Sink */ 7160| 7.08k| init_nest_log_sink_dissector(ndpi_str); 7161| | 7162| | /* 
WireGuard VPN */ 7163| 7.08k| init_wireguard_dissector(ndpi_str); 7164| | 7165| | /* Amazon_Video */ 7166| 7.08k| init_amazon_video_dissector(ndpi_str); 7167| | 7168| | /* S7 comm */ 7169| 7.08k| init_s7comm_dissector(ndpi_str); 7170| | 7171| | /* IEC 60870-5-104 */ 7172| 7.08k| init_104_dissector(ndpi_str); 7173| | 7174| | /* DNP3 */ 7175| 7.08k| init_dnp3_dissector(ndpi_str); 7176| | 7177| | /* WEBSOCKET */ 7178| 7.08k| init_websocket_dissector(ndpi_str); 7179| | 7180| | /* SOAP */ 7181| 7.08k| init_soap_dissector(ndpi_str); 7182| | 7183| | /* DNScrypt */ 7184| 7.08k| init_dnscrypt_dissector(ndpi_str); 7185| | 7186| | /* MongoDB */ 7187| 7.08k| init_mongodb_dissector(ndpi_str); 7188| | 7189| | /* AmongUS */ 7190| 7.08k| init_among_us_dissector(ndpi_str); 7191| | 7192| | /* HP Virtual Machine Group Management */ 7193| 7.08k| init_hpvirtgrp_dissector(ndpi_str); 7194| | 7195| | /* Genshin Impact */ 7196| 7.08k| init_genshin_impact_dissector(ndpi_str); 7197| | 7198| | /* Z39.50 international standard client–server, application layer communications protocol */ 7199| 7.08k| init_z3950_dissector(ndpi_str); 7200| | 7201| | /* AVAST SecureDNS */ 7202| 7.08k| init_avast_securedns_dissector(ndpi_str); 7203| | 7204| | /* Cassandra */ 7205| 7.08k| init_cassandra_dissector(ndpi_str); 7206| | 7207| | /* EthernetIP */ 7208| 7.08k| init_ethernet_ip_dissector(ndpi_str); 7209| | 7210| | /* WSD */ 7211| 7.08k| init_wsd_dissector(ndpi_str); 7212| | 7213| | /* TocaBoca */ 7214| 7.08k| init_toca_boca_dissector(ndpi_str); 7215| | 7216| | /* SD-RTN Software Defined Real-time Network */ 7217| 7.08k| init_sd_rtn_dissector(ndpi_str); 7218| | 7219| | /* RakNet */ 7220| 7.08k| init_raknet_dissector(ndpi_str); 7221| | 7222| | /* Xiaomi */ 7223| 7.08k| init_xiaomi_dissector(ndpi_str); 7224| | 7225| | /* MpegDash */ 7226| 7.08k| init_mpegdash_dissector(ndpi_str); 7227| | 7228| | /* RSH */ 7229| 7.08k| init_rsh_dissector(ndpi_str); 7230| | 7231| | /* IPsec */ 7232| 7.08k| 
init_ipsec_dissector(ndpi_str); 7233| | 7234| | /* collectd */ 7235| 7.08k| init_collectd_dissector(ndpi_str); 7236| | 7237| | /* i3D */ 7238| 7.08k| init_i3d_dissector(ndpi_str); 7239| | 7240| | /* RiotGames */ 7241| 7.08k| init_riotgames_dissector(ndpi_str); 7242| | 7243| | /* UltraSurf */ 7244| 7.08k| init_ultrasurf_dissector(ndpi_str); 7245| | 7246| | /* Threema */ 7247| 7.08k| init_threema_dissector(ndpi_str); 7248| | 7249| | /* AliCloud */ 7250| 7.08k| init_alicloud_dissector(ndpi_str); 7251| | 7252| | /* AVAST */ 7253| 7.08k| init_avast_dissector(ndpi_str); 7254| | 7255| | /* Softether */ 7256| 7.08k| init_softether_dissector(ndpi_str); 7257| | 7258| | /* Activision */ 7259| 7.08k| init_activision_dissector(ndpi_str); 7260| | 7261| | /* Discord */ 7262| 7.08k| init_discord_dissector(ndpi_str); 7263| | 7264| | /* TiVoConnect */ 7265| 7.08k| init_tivoconnect_dissector(ndpi_str); 7266| | 7267| | /* Kismet */ 7268| 7.08k| init_kismet_dissector(ndpi_str); 7269| | 7270| | /* FastCGI */ 7271| 7.08k| init_fastcgi_dissector(ndpi_str); 7272| | 7273| | /* NATPMP */ 7274| 7.08k| init_natpmp_dissector(ndpi_str); 7275| | 7276| | /* Syncthing */ 7277| 7.08k| init_syncthing_dissector(ndpi_str); 7278| | 7279| | /* CryNetwork */ 7280| 7.08k| init_crynet_dissector(ndpi_str); 7281| | 7282| | /* Line voip */ 7283| 7.08k| init_line_dissector(ndpi_str); 7284| | 7285| | /* Munin */ 7286| 7.08k| init_munin_dissector(ndpi_str); 7287| | 7288| | /* Elasticsearch */ 7289| 7.08k| init_elasticsearch_dissector(ndpi_str); 7290| | 7291| | /* TUYA LP */ 7292| 7.08k| init_tuya_lp_dissector(ndpi_str); 7293| | 7294| | /* TPLINK_SHP */ 7295| 7.08k| init_tplink_shp_dissector(ndpi_str); 7296| | 7297| | /* Meraki Cloud */ 7298| 7.08k| init_merakicloud_dissector(ndpi_str); 7299| | 7300| | /* Tailscale */ 7301| 7.08k| init_tailscale_dissector(ndpi_str); 7302| | 7303| | /* Source Engine */ 7304| 7.08k| init_source_engine_dissector(ndpi_str); 7305| | 7306| | /* BACnet */ 7307| 7.08k| 
init_bacnet_dissector(ndpi_str); 7308| | 7309| | /* OICQ */ 7310| 7.08k| init_oicq_dissector(ndpi_str); 7311| | 7312| | /* Heroes of the Storm */ 7313| 7.08k| init_hots_dissector(ndpi_str); 7314| | 7315| | /* EpicGames */ 7316| 7.08k| init_epicgames_dissector(ndpi_str); 7317| | 7318| | /*BITCOIN*/ 7319| 7.08k| init_bitcoin_dissector(ndpi_str); 7320| | 7321| | /* Apache Thrift */ 7322| 7.08k| init_apache_thrift_dissector(ndpi_str); 7323| | 7324| | /* Service Location Protocol */ 7325| 7.08k| init_slp_dissector(ndpi_str); 7326| | 7327| | /* HTTP/2 */ 7328| 7.08k| init_http2_dissector(ndpi_str); 7329| | 7330| | /* HAProxy */ 7331| 7.08k| init_haproxy_dissector(ndpi_str); 7332| | 7333| | /* RMCP */ 7334| 7.08k| init_rmcp_dissector(ndpi_str); 7335| | 7336| | /* Controller Area Network */ 7337| 7.08k| init_can_dissector(ndpi_str); 7338| | 7339| | /* Protobuf */ 7340| 7.08k| init_protobuf_dissector(ndpi_str); 7341| | 7342| | /* ETHEREUM */ 7343| 7.08k| init_ethereum_dissector(ndpi_str); 7344| | 7345| | /* Precision Time Protocol v2 */ 7346| 7.08k| init_ptpv2_dissector(ndpi_str); 7347| | 7348| | /* Highway Addressable Remote Transducer over IP */ 7349| 7.08k| init_hart_ip_dissector(ndpi_str); 7350| | 7351| | /* Real-time Publish-Subscribe Protocol */ 7352| 7.08k| init_rtps_dissector(ndpi_str); 7353| | 7354| | /* OPC Unified Architecture */ 7355| 7.08k| init_opc_ua_dissector(ndpi_str); 7356| | 7357| | /* Factory Interface Network Service */ 7358| 7.08k| init_fins_dissector(ndpi_str); 7359| | 7360| | /* Ether-S-I/O */ 7361| 7.08k| init_ethersio_dissector(ndpi_str); 7362| | 7363| | /* Automation Device Specification */ 7364| 7.08k| init_beckhoff_ads_dissector(ndpi_str); 7365| | 7366| | /* Manufacturing Message Specification */ 7367| 7.08k| init_iso9506_1_mms_dissector(ndpi_str); 7368| | 7369| | /* IEEE C37.118 Synchrophasor Protocol */ 7370| 7.08k| init_ieee_c37118_dissector(ndpi_str); 7371| | 7372| | /* Ether-S-Bus */ 7373| 7.08k| init_ethersbus_dissector(ndpi_str); 7374| | 
7375| | /* Monero Protocol */ 7376| 7.08k| init_monero_dissector(ndpi_str); 7377| | 7378| | /* PROFINET/IO */ 7379| 7.08k| init_profinet_io_dissector(ndpi_str); 7380| | 7381| | /* HiSLIP */ 7382| 7.08k| init_hislip_dissector(ndpi_str); 7383| | 7384| | /* UFTP */ 7385| 7.08k| init_uftp_dissector(ndpi_str); 7386| | 7387| | /* OpenFlow */ 7388| 7.08k| init_openflow_dissector(ndpi_str); 7389| | 7390| | /* JSON-RPC */ 7391| 7.08k| init_json_rpc_dissector(ndpi_str); 7392| | 7393| | /* Apache Kafka */ 7394| 7.08k| init_kafka_dissector(ndpi_str); 7395| | 7396| | /* NoMachine */ 7397| 7.08k| init_nomachine_dissector(ndpi_str); 7398| | 7399| | /* IEC 62056 */ 7400| 7.08k| init_iec62056_dissector(ndpi_str); 7401| | 7402| | /* HL7 */ 7403| 7.08k| init_hl7_dissector(ndpi_str); 7404| | 7405| | /* DICOM */ 7406| 7.08k| init_dicom_dissector(ndpi_str); 7407| | 7408| | /* Ceph */ 7409| 7.08k| init_ceph_dissector(ndpi_str); 7410| | 7411| | /* Roughtime */ 7412| 7.08k| init_roughtime_dissector(ndpi_str); 7413| | 7414| | /* KCP */ 7415| 7.08k| init_kcp_dissector(ndpi_str); 7416| | 7417| | /* Mumble */ 7418| 7.08k| init_mumble_dissector(ndpi_str); 7419| | 7420| | /* Zoom */ 7421| 7.08k| init_zoom_dissector(ndpi_str); 7422| | 7423| | /* Yojimbo */ 7424| 7.08k| init_yojimbo_dissector(ndpi_str); 7425| | 7426| | /* STOMP */ 7427| 7.08k| init_stomp_dissector(ndpi_str); 7428| | 7429| | /* RDP */ 7430| 7.08k| init_radmin_dissector(ndpi_str); 7431| | 7432| | /* Raft */ 7433| 7.08k| init_raft_dissector(ndpi_str); 7434| | 7435| | /* CIP (Common Industrial Protocol) */ 7436| 7.08k| init_cip_dissector(ndpi_str); 7437| | 7438| | /* Gearman */ 7439| 7.08k| init_gearman_dissector(ndpi_str); 7440| | 7441| | /* Tencent Games */ 7442| 7.08k| init_tencent_games_dissector(ndpi_str); 7443| | 7444| | /* Gaijin Entertainment */ 7445| 7.08k| init_gaijin_dissector(ndpi_str); 7446| | 7447| | /* ANSI C12.22 / IEEE 1703 */ 7448| 7.08k| init_c1222_dissector(ndpi_str); 7449| | 7450| | /* Dynamic Link Exchange 
Protocol */ 7451| 7.08k| init_dlep_dissector(ndpi_str); 7452| | 7453| | /* Bidirectional Forwarding Detection */ 7454| 7.08k| init_bfd_dissector(ndpi_str); 7455| | 7456| | /* NetEase Games */ 7457| 7.08k| init_netease_games_dissector(ndpi_str); 7458| | 7459| | /* Path of Exile */ 7460| 7.08k| init_pathofexile_dissector(ndpi_str); 7461| | 7462| | /* Packet Forwarding Control Protocol */ 7463| 7.08k| init_pfcp_dissector(ndpi_str); 7464| | 7465| | /* File Delivery over Unidirectional Transport */ 7466| 7.08k| init_flute_dissector(ndpi_str); 7467| | 7468| | /* League of Legends: Wild Rift */ 7469| 7.08k| init_lolwildrift_dissector(ndpi_str); 7470| | 7471| | /* The Elder Scrolls Online */ 7472| 7.08k| init_teso_dissector(ndpi_str); 7473| | 7474| | /* Label Distribution Protocol */ 7475| 7.08k| init_ldp_dissector(ndpi_str); 7476| | 7477| | /* KNXnet/IP */ 7478| 7.08k| init_knxnet_ip_dissector(ndpi_str); 7479| | 7480| | /* Binary Floor Control Protocol */ 7481| 7.08k| init_bfcp_dissector(ndpi_str); 7482| | 7483| | /* iQIYI */ 7484| 7.08k| init_iqiyi_dissector(ndpi_str); 7485| | 7486| | /* Ethernet Global Data */ 7487| 7.08k| init_egd_dissector(ndpi_str); 7488| | 7489| | /* Call of Duty: Mobile */ 7490| 7.08k| init_cod_mobile_dissector(ndpi_str); 7491| | 7492| | /* ZUG */ 7493| 7.08k| init_zug_dissector(ndpi_str); 7494| | 7495| | /* JRMI Java Remote Method Invocation*/ 7496| 7.08k| init_jrmi_dissector(ndpi_str); 7497| | 7498| | /* (Magellan) Ripe Atlas */ 7499| 7.08k| init_ripe_atlas_dissector(ndpi_str); 7500| | 7501| | /* Cloudflare WARP */ 7502| 7.08k| init_cloudflare_warp_dissector(ndpi_str); 7503| | 7504| | /* Nano Cryptocurrency Protocol */ 7505| 7.08k| init_nano_dissector(ndpi_str); 7506| | 7507| | /* OpenWire */ 7508| 7.08k| init_openwire_dissector(ndpi_str); 7509| | 7510| | /* ISO/IEC 14908-4 */ 7511| 7.08k| init_cnp_ip_dissector(ndpi_str); 7512| | 7513| | /* ATG */ 7514| 7.08k| init_atg_dissector(ndpi_str); 7515| | 7516| | /* Train Real Time Data Protocol */ 7517| 
7.08k| init_trdp_dissector(ndpi_str); 7518| | 7519| | /* Lustre */ 7520| 7.08k| init_lustre_dissector(ndpi_str); 7521| | 7522| | /* DingTalk */ 7523| 7.08k| init_dingtalk_dissector(ndpi_str); 7524| | 7525| | /* Paltalk */ 7526| 7.08k| init_paltalk_dissector(ndpi_str); 7527| | 7528| | /* LagoFast */ 7529| 7.08k| init_lagofast_dissector(ndpi_str); 7530| | 7531| | /* GearUP Booster */ 7532| 7.08k| init_gearup_booster_dissector(ndpi_str); 7533| | 7534| | /* Microsoft Delivery Optimization */ 7535| 7.08k| init_msdo_dissector(ndpi_str); 7536| | 7537| | /* MELSEC Communication Protocol */ 7538| 7.08k| init_melsec_dissector(ndpi_str); 7539| | 7540| | /* Hamachi */ 7541| 7.08k| init_hamachi_dissector(ndpi_str); 7542| | 7543| | /* Gateway Load Balancing Protocol */ 7544| 7.08k| init_glbp_dissector(ndpi_str); 7545| | 7546| | /* EasyWeather Wifi Protocol */ 7547| 7.08k| init_easyweather_dissector(ndpi_str); 7548| | 7549| | /* TriStation Safety Instrumented Systems dissector */ 7550| 7.08k| init_tristation_dissector(ndpi_str); 7551| | 7552| | /* Samsung Service Discovery Protocol */ 7553| 7.08k| init_samsung_sdp_dissector(ndpi_str); 7554| | 7555| | /* MATTER */ 7556| 7.08k| init_matter_dissector(ndpi_str); 7557| | 7558| | /* JSON */ 7559| 7.08k| init_json_dissector(ndpi_str); 7560| | 7561| | /* MessagePack */ 7562| 7.08k| init_msgpack_dissector(ndpi_str); 7563| | 7564| |#ifdef CUSTOM_NDPI_PROTOCOLS 7565| |#include "../../../nDPI-custom/custom_ndpi_main_init.c" 7566| |#endif 7567| | 7568| | /* ----------------------------------------------------------------- */ 7569| | 7570| 7.08k| ndpi_init_protocol_plugins(ndpi_str); 7571| | 7572| 7.08k| ndpi_str->callback_buffer_size = ndpi_str->callback_buffer_num; 7573| | 7574| | /* Resize callback_buffer */ 7575| 7.08k| all_cb = ndpi_calloc(ndpi_str->callback_buffer_size+1,sizeof(struct call_function_struct)); 7576| 7.08k| if(all_cb) { ------------------ | Branch (7576:6): [True: 6.66k, False: 422] ------------------ 7577| 6.66k| 
memcpy((char *)all_cb,(char *)ndpi_str->callback_buffer, (ndpi_str->callback_buffer_size+1) * sizeof(struct call_function_struct)); 7578| 6.66k| ndpi_free(ndpi_str->callback_buffer); 7579| 6.66k| ndpi_str->callback_buffer = all_cb; 7580| 6.66k| } 7581| | 7582| 7.08k| NDPI_LOG_DBG2(ndpi_str, "callback_buffer_size is %u\n", ndpi_str->callback_buffer_size); ------------------ | | 597| 7.08k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7583| | /* Calculating the size of an array for callback functions */ 7584| 7.08k| ndpi_enabled_callbacks_init(ndpi_str, 1); 7585| 7.08k| all_cb = ndpi_calloc(ndpi_str->callback_buffer_size_tcp_payload + 7586| 7.08k| ndpi_str->callback_buffer_size_tcp_no_payload + 7587| 7.08k| ndpi_str->callback_buffer_size_udp + 7588| 7.08k| ndpi_str->callback_buffer_size_non_tcp_udp, 7589| 7.08k| sizeof(struct call_function_struct)); 7590| 7.08k| if(!all_cb) return 1; ------------------ | Branch (7590:6): [True: 93, False: 6.99k] ------------------ 7591| | 7592| 6.99k| ndpi_str->callback_buffer_tcp_payload = all_cb; 7593| 6.99k| all_cb += ndpi_str->callback_buffer_size_tcp_payload; 7594| 6.99k| ndpi_str->callback_buffer_tcp_no_payload = all_cb; 7595| 6.99k| all_cb += ndpi_str->callback_buffer_size_tcp_no_payload; 7596| 6.99k| ndpi_str->callback_buffer_udp = all_cb; 7597| 6.99k| all_cb += ndpi_str->callback_buffer_size_udp; 7598| 6.99k| ndpi_str->callback_buffer_non_tcp_udp = all_cb; 7599| | 7600| 6.99k| ndpi_enabled_callbacks_init(ndpi_str, 0); 7601| | 7602| 6.99k| NDPI_LOG_DBG(ndpi_str, "Tot num dissectors: %d (TCP: %d, TCP_NO_PAYLOAD: %d, UDP: %d, NO_TCP_UDP: %d)\n", ------------------ | | 596| 6.99k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 7603| 6.99k| ndpi_str->callback_buffer_size, 7604| 6.99k| ndpi_str->callback_buffer_size_tcp_payload, 7605| 6.99k| ndpi_str->callback_buffer_size_tcp_no_payload, 7606| 6.99k| ndpi_str->callback_buffer_size_udp, 7607| 6.99k| ndpi_str->callback_buffer_size_non_tcp_udp); 7608| | 7609| 6.99k| return 0; 7610| 7.08k|} ndpi_main.c:ndpi_enabled_callbacks_init: 7656| 14.0k| int count_only) { 7657| 14.0k| uint32_t a; 7658| | 7659| | /* now build the specific buffer for tcp, udp and non_tcp_udp */ 7660| 14.0k| ndpi_str->callback_buffer_size_tcp_payload = 0; 7661| 14.0k| ndpi_str->callback_buffer_size_tcp_no_payload = 0; 7662| | 7663| 3.63M| for(a = 0; a < ndpi_str->callback_buffer_size; a++) { ------------------ | Branch (7663:14): [True: 3.61M, False: 14.0k] ------------------ 7664| 3.61M| if(!ndpi_proto_cb_tcp_payload(ndpi_str,a)) continue; ------------------ | Branch (7664:8): [True: 1.36M, False: 2.25M] ------------------ 7665| 2.25M| if(!count_only) { ------------------ | Branch (7665:8): [True: 1.11M, False: 1.13M] ------------------ 7666| 1.11M| NDPI_LOG_DBG2(ndpi_str, "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a, ------------------ | | 597| 1.11M|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 7667| 1.11M| ndpi_str->callback_buffer_size_tcp_payload); 7668| 1.11M| memcpy(&ndpi_str->callback_buffer_tcp_payload[ndpi_str->callback_buffer_size_tcp_payload], 7669| 1.11M| &ndpi_str->callback_buffer[a], sizeof(struct call_function_struct)); 7670| 1.11M| } 7671| 2.25M| ndpi_str->callback_buffer_size_tcp_payload++; 7672| 2.25M| } 7673| | 7674| 3.63M| for(a = 0; a < ndpi_str->callback_buffer_size; a++) { ------------------ | Branch (7674:14): [True: 3.61M, False: 14.0k] ------------------ 7675| 3.61M| if(!ndpi_proto_cb_tcp_nopayload(ndpi_str,a)) continue; ------------------ | Branch (7675:8): [True: 3.61M, False: 0] ------------------ 7676| 0| if(!count_only) { ------------------ | Branch (7676:8): [True: 0, False: 0] ------------------ 7677| 0| NDPI_LOG_DBG2(ndpi_str, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7678| 0| "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a); 7679| 0| memcpy(&ndpi_str->callback_buffer_tcp_no_payload[ndpi_str->callback_buffer_size_tcp_no_payload], 7680| 0| &ndpi_str->callback_buffer[a], sizeof(struct call_function_struct)); 7681| 0| } 7682| 0| ndpi_str->callback_buffer_size_tcp_no_payload++; 7683| 0| } 7684| | 7685| 14.0k| ndpi_str->callback_buffer_size_udp = 0; 7686| | 7687| 3.63M| for(a = 0; a < ndpi_str->callback_buffer_size; a++) { ------------------ | Branch (7687:14): [True: 3.61M, False: 14.0k] ------------------ 7688| 3.61M| if(!ndpi_proto_cb_udp(ndpi_str,a)) continue; ------------------ | Branch (7688:8): [True: 1.42M, False: 2.19M] ------------------ 7689| 2.19M| if(!count_only) { ------------------ | Branch (7689:8): [True: 1.09M, False: 1.10M] ------------------ 7690| 1.09M| NDPI_LOG_DBG2(ndpi_str, "callback_buffer_size_udp: adding buffer : %u\n", a); ------------------ | | 597| 1.09M|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 7691| | 7692| 1.09M| memcpy(&ndpi_str->callback_buffer_udp[ndpi_str->callback_buffer_size_udp], &ndpi_str->callback_buffer[a], 7693| 1.09M| sizeof(struct call_function_struct)); 7694| 1.09M| } 7695| 2.19M| ndpi_str->callback_buffer_size_udp++; 7696| 2.19M| } 7697| | 7698| 14.0k| ndpi_str->callback_buffer_size_non_tcp_udp = 0; 7699| | 7700| 3.63M| for(a = 0; a < ndpi_str->callback_buffer_size; a++) { ------------------ | Branch (7700:14): [True: 3.61M, False: 14.0k] ------------------ 7701| 3.61M| if(!ndpi_proto_cb_other(ndpi_str,a)) continue; ------------------ | Branch (7701:8): [True: 3.60M, False: 14.0k] ------------------ 7702| 14.0k| if(!count_only) { ------------------ | Branch (7702:8): [True: 6.99k, False: 7.08k] ------------------ 7703| 6.99k| NDPI_LOG_DBG2(ndpi_str, "callback_buffer_non_tcp_udp: adding buffer : %u\n", a); ------------------ | | 597| 6.99k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7704| | 7705| 6.99k| memcpy(&ndpi_str->callback_buffer_non_tcp_udp[ndpi_str->callback_buffer_size_non_tcp_udp], 7706| 6.99k| &ndpi_str->callback_buffer[a], sizeof(struct call_function_struct)); 7707| 6.99k| } 7708| 14.0k| ndpi_str->callback_buffer_size_non_tcp_udp++; 7709| 14.0k| } 7710| 14.0k|} ndpi_main.c:ndpi_proto_cb_tcp_payload: 7614| 3.61M|static inline int ndpi_proto_cb_tcp_payload(const struct ndpi_detection_module_struct *ndpi_str, uint32_t idx) { 7615| 3.61M| return (ndpi_str->callback_buffer[idx].ndpi_selection_bitmask & 7616| 3.61M| (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | ------------------ | | 605| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) ------------------ 7617| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP | ------------------ | | 607| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) ------------------ 7618| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0; ------------------ | | 612| 
3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC (1<<8) ------------------ 7619| 3.61M|} ndpi_main.c:ndpi_proto_cb_tcp_nopayload: 7623| 3.61M|static inline int ndpi_proto_cb_tcp_nopayload(const struct ndpi_detection_module_struct *ndpi_str, uint32_t idx) { 7624| 3.61M| return (ndpi_str->callback_buffer[idx].ndpi_selection_bitmask & ------------------ | Branch (7624:10): [True: 2.25M, False: 1.36M] ------------------ 7625| 3.61M| (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | ------------------ | | 605| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) ------------------ 7626| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP | ------------------ | | 607| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) ------------------ 7627| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0 ------------------ | | 612| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC (1<<8) ------------------ 7628| 2.25M| && (ndpi_str->callback_buffer[idx].ndpi_selection_bitmask & ------------------ | Branch (7628:8): [True: 0, False: 2.25M] ------------------ 7629| 2.25M| NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) == 0; ------------------ | | 608| 2.25M|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) ------------------ 7630| 3.61M|} ndpi_main.c:ndpi_proto_cb_udp: 7634| 3.61M|static inline int ndpi_proto_cb_udp(const struct ndpi_detection_module_struct *ndpi_str, uint32_t idx) { 7635| 3.61M| return (ndpi_str->callback_buffer[idx].ndpi_selection_bitmask & 7636| 3.61M| (NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP | ------------------ | | 606| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) ------------------ 7637| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP | ------------------ | | 607| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) ------------------ 7638| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0; ------------------ | | 612| 3.61M|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC (1<<8) ------------------ 7639| 3.61M|} ndpi_main.c:ndpi_proto_cb_other: 7643| 3.61M|static inline int ndpi_proto_cb_other(const struct ndpi_detection_module_struct *ndpi_str, uint32_t idx) { 7644| 3.61M| return (ndpi_str->callback_buffer[idx].ndpi_selection_bitmask & ------------------ | Branch (7644:10): [True: 14.0k, False: 3.60M] ------------------ 7645| 3.61M| (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | ------------------ | | 605| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) ------------------ 7646| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP | ------------------ | | 606| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) ------------------ 7647| 3.61M| NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP)) == 0 ------------------ | | 607| 3.61M|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) ------------------ 7648| 3.60M| || 7649| 3.60M| (ndpi_str->callback_buffer[idx].ndpi_selection_bitmask & ------------------ | Branch (7649:5): [True: 0, False: 3.60M] ------------------ 7650| 3.60M| NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC) != 0; ------------------ | | 612| 3.60M|#define NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC (1<<8) ------------------ 7651| 3.61M|} ndpi_main.c:flow_is_proto: 269| 392k|static inline u_int8_t flow_is_proto(struct ndpi_flow_struct *flow, u_int16_t p) { 270| 392k| return((flow->detected_protocol_stack[0] == p) || (flow->detected_protocol_stack[1] == p)); ------------------ | Branch (270:10): [True: 6.63k, False: 385k] | Branch (270:53): [True: 110, False: 385k] ------------------ 271| 392k|} ndpi_main.c:check_ndpi_detection_func: 8825| 66.8k| uint32_t callback_buffer_size) { 8826| 66.8k| void *func = NULL; 8827| 66.8k| u_int32_t num_calls = 0; 8828| | /* First callback is associated to classification by-port, 8829| | if we don't already have a partial classification */ 8830| 66.8k| u_int16_t fast_callback_protocol_id = 
flow->fast_callback_protocol_id ? flow->fast_callback_protocol_id : flow->guessed_protocol_id; ------------------ | Branch (8830:41): [True: 24, False: 66.8k] ------------------ 8831| 66.8k| u_int16_t dissector_idx = ndpi_str->proto_defaults[fast_callback_protocol_id].dissector_idx; 8832| 66.8k| u_int32_t a; 8833| | 8834| 66.8k| if(fast_callback_protocol_id != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (8834:6): [True: 25.8k, False: 41.0k] ------------------ 8835| 25.8k| ndpi_str->callback_buffer[dissector_idx].func && ------------------ | Branch (8835:6): [True: 25.8k, False: 0] ------------------ 8836| 25.8k| !dissector_bitmask_is_set(&flow->excluded_dissectors_bitmask, dissector_idx) && ------------------ | Branch (8836:6): [True: 20.1k, False: 5.64k] ------------------ 8837| 20.1k| (ndpi_str->callback_buffer[dissector_idx].ndpi_selection_bitmask & ndpi_selection_packet) == ------------------ | Branch (8837:6): [True: 13.5k, False: 6.62k] ------------------ 8838| 20.1k| ndpi_str->callback_buffer[dissector_idx].ndpi_selection_bitmask) { 8839| | 8840| 13.5k| ndpi_str->current_dissector_idx = dissector_idx; 8841| 13.5k| ndpi_str->callback_buffer[dissector_idx].func(ndpi_str, flow); 8842| 13.5k| func = ndpi_str->callback_buffer[dissector_idx].func; 8843| 13.5k| num_calls++; 8844| 13.5k| } 8845| | 8846| 66.8k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (8846:6): [True: 58.5k, False: 8.29k] ------------------ 8847| 58.5k| { 8848| | /* TODO: optimize as today we're doing a linear scan */ 8849| | 8850| 5.67M| for (a = 0; a < callback_buffer_size; a++) { ------------------ | Branch (8850:19): [True: 5.62M, False: 49.2k] ------------------ 8851| 5.62M| dissector_idx = callback_buffer[a].dissector_idx; 8852| | 8853| 5.62M| if((func != callback_buffer[a].func) && ------------------ | Branch (8853:12): [True: 5.61M, False: 5.16k] ------------------ 8854| 5.61M| (callback_buffer[a].ndpi_selection_bitmask & 
ndpi_selection_packet) == ------------------ | Branch (8854:5): [True: 5.35M, False: 264k] ------------------ 8855| 5.61M| callback_buffer[a].ndpi_selection_bitmask && 8856| 5.35M| !dissector_bitmask_is_set(&flow->excluded_dissectors_bitmask, dissector_idx)) ------------------ | Branch (8856:5): [True: 2.84M, False: 2.51M] ------------------ 8857| 2.84M| { 8858| 2.84M| ndpi_str->current_dissector_idx = dissector_idx; 8859| 2.84M| callback_buffer[a].func(ndpi_str, flow); 8860| 2.84M| num_calls++; 8861| | 8862| 2.84M| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (8862:9): [True: 9.28k, False: 2.83M] ------------------ 8863| 9.28k| { 8864| 9.28k| break; /* Stop after the first detected protocol. */ 8865| 9.28k| } 8866| 2.84M| } 8867| 5.62M| } 8868| 58.5k| } 8869| | 8870| 66.8k| num_calls += check_ndpi_subprotocols(ndpi_str, flow, ndpi_selection_packet, 8871| 66.8k| flow->detected_protocol_stack[0]); 8872| 66.8k| num_calls += check_ndpi_subprotocols(ndpi_str, flow, ndpi_selection_packet, 8873| 66.8k| flow->detected_protocol_stack[1]); 8874| | 8875| 66.8k| return num_calls; 8876| 66.8k|} ndpi_main.c:dissector_bitmask_is_set: 293| 5.39M|static int dissector_bitmask_is_set(const struct ndpi_dissector_bitmask *b, u_int16_t bit) { 294| 5.39M| return b->fds[bit / 32] & (1ul << (bit % 32)); 295| 5.39M|} ndpi_main.c:check_ndpi_subprotocols: 8789| 133k|{ 8790| 133k| u_int32_t num_calls = 0, a; 8791| | 8792| 133k| if(detected_protocol == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (8792:6): [True: 113k, False: 20.4k] ------------------ 8793| 113k| return num_calls; 8794| | 8795| 41.7k| for (a = 0; a < ndpi_str->proto_defaults[detected_protocol].subprotocol_count; a++) { ------------------ | Branch (8795:15): [True: 21.2k, False: 20.4k] ------------------ 8796| 21.2k| u_int16_t subproto_id = ndpi_str->proto_defaults[detected_protocol].subprotocols[a]; 8797| | 8798| 21.2k| if(subproto_id == 
(uint16_t)NDPI_PROTOCOL_MATCHED_BY_CONTENT || ------------------ | | 510| 42.5k|#define NDPI_PROTOCOL_MATCHED_BY_CONTENT (-2) ------------------ | Branch (8798:8): [True: 8.45k, False: 12.8k] ------------------ 8799| 12.8k| subproto_id == flow->detected_protocol_stack[0] || ------------------ | Branch (8799:8): [True: 144, False: 12.6k] ------------------ 8800| 12.6k| subproto_id == flow->detected_protocol_stack[1]) { ------------------ | Branch (8800:8): [True: 0, False: 12.6k] ------------------ 8801| 8.59k| continue; 8802| 8.59k| } 8803| | 8804| 12.6k| u_int16_t subproto_index = ndpi_str->proto_defaults[subproto_id].dissector_idx; 8805| | 8806| 12.6k| if(subproto_index > 0 && ------------------ | Branch (8806:8): [True: 12.6k, False: 0] ------------------ 8807| 12.6k| (ndpi_str->callback_buffer[subproto_index].ndpi_selection_bitmask & ndpi_selection_packet) == ------------------ | Branch (8807:8): [True: 12.6k, False: 0] ------------------ 8808| 12.6k| ndpi_str->callback_buffer[subproto_index].ndpi_selection_bitmask && 8809| 12.6k| !dissector_bitmask_is_set(&flow->excluded_dissectors_bitmask, subproto_index)) { ------------------ | Branch (8809:8): [True: 11.6k, False: 1.00k] ------------------ 8810| 11.6k| ndpi_str->current_dissector_idx = subproto_index; 8811| 11.6k| ndpi_str->callback_buffer[subproto_index].func(ndpi_str, flow); 8812| 11.6k| num_calls++; 8813| 11.6k| } 8814| 12.6k| } 8815| | 8816| 20.4k| return num_calls; 8817| 133k|} ndpi_main.c:ndpi_internal_detection_giveup: 9613| 773|static void ndpi_internal_detection_giveup(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) { 9614| 773| u_int16_t cached_proto; 9615| | 9616| | /* *** We can't access ndpi_str->packet from this function!! 
*** */ 9617| | 9618| 773| if(flow->state == NDPI_STATE_CLASSIFIED) ------------------ | Branch (9618:6): [True: 0, False: 773] ------------------ 9619| 0| return; 9620| | 9621| | /* Ensure that we don't change our mind if detection is already complete */ 9622| 773| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9622:6): [True: 0, False: 773] ------------------ 9623| | /* Reason: public "ndpi_detection_giveup", already classified */ 9624| 0| internal_giveup(ndpi_str, flow); 9625| 0| return; 9626| 0| } 9627| | 9628| | /* Partial classification */ 9629| 773| if(flow->fast_callback_protocol_id != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9629:6): [True: 0, False: 773] ------------------ 9630| 0| ndpi_set_detected_protocol(ndpi_str, flow, flow->fast_callback_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL); 9631| 0| } 9632| | 9633| | /* Check some caches */ 9634| | 9635| | /* Does it looks like BitTorrent? */ 9636| 773| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9636:6): [True: 773, False: 0] ------------------ 9637| 773| search_into_bittorrent_cache(ndpi_str, flow)) { ------------------ | Branch (9637:6): [True: 0, False: 773] ------------------ 9638| 0| ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_BITTORRENT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); 9639| 0| } 9640| | /* Does it looks like some Mining protocols? 
*/ 9641| 773| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9641:6): [True: 773, False: 0] ------------------ 9642| 773| ndpi_str->mining_cache && ------------------ | Branch (9642:6): [True: 712, False: 61] ------------------ 9643| 712| ndpi_lru_find_cache(ndpi_str->mining_cache, mining_make_lru_cache_key(flow), ------------------ | Branch (9643:6): [True: 0, False: 712] ------------------ 9644| 712| &cached_proto, 0 /* Don't remove it as it can be used for other connections */, 9645| 712| ndpi_get_current_time(flow))) { 9646| 0| ndpi_set_detected_protocol(ndpi_str, flow, cached_proto, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); 9647| 0| } 9648| | 9649| | /* Does it looks like Ookla? */ 9650| 773| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9650:6): [True: 773, False: 0] ------------------ 9651| 773| ntohs(flow->s_port) == 8080 && ookla_search_into_cache(ndpi_str, flow)) { ------------------ | Branch (9651:6): [True: 0, False: 773] | Branch (9651:37): [True: 0, False: 0] ------------------ 9652| 0| ndpi_set_detected_protocol(ndpi_str, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_PARTIAL_CACHE); 9653| 0| } 9654| | 9655| | /* TODO: not sure about the best "order" among fully encrypted logic, classification by-port and classification by-ip...*/ 9656| 773| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9656:6): [True: 773, False: 0] ------------------ 9657| 773| flow->first_pkt_fully_encrypted == 1) { ------------------ | Branch (9657:6): [True: 0, False: 773] ------------------ 9658| 0| ndpi_set_risk(ndpi_str, flow, NDPI_OBFUSCATED_TRAFFIC, "Fully Encrypted"); 9659| 0| } 9660| | 9661| | /* If guess_ip_before_port is enabled, classify by-ip first */ 9662| 773| if((ndpi_str->cfg.guess_ip_before_port)) ------------------ | Branch (9662:6): [True: 0, False: 773] ------------------ 9663| 0| { 
9664| 0| if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) && ------------------ | | 817| 0|#define NDPI_GIVEUP_GUESS_BY_IP 0x02 ------------------ | Branch (9664:10): [True: 0, False: 0] ------------------ 9665| 0| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9665:10): [True: 0, False: 0] ------------------ 9666| 0| flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9666:3): [True: 0, False: 0] ------------------ 9667| | 9668| 0| ndpi_set_detected_protocol(ndpi_str, flow, 9669| 0| flow->guessed_protocol_id_by_ip, 9670| 0| flow->detected_protocol_stack[1], 9671| 0| NDPI_CONFIDENCE_MATCH_BY_IP); 9672| 0| } 9673| 0| } 9674| | /* Classification by-port */ 9675| 773| if((ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_PORT) && ------------------ | | 816| 773|#define NDPI_GIVEUP_GUESS_BY_PORT 0x01 ------------------ | Branch (9675:6): [True: 773, False: 0] ------------------ 9676| 773| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9676:6): [True: 773, False: 0] ------------------ 9677| 773| flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9677:6): [True: 73, False: 700] ------------------ 9678| 73| ndpi_set_detected_protocol(ndpi_str, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_MATCH_BY_PORT); 9679| 73| } 9680| | /* Classification by-ip, as last effort if guess_ip_before_port is disabled*/ 9681| 773| if(!(ndpi_str->cfg.guess_ip_before_port) && ------------------ | Branch (9681:6): [True: 773, False: 0] ------------------ 9682| 773| (ndpi_str->cfg.guess_on_giveup & NDPI_GIVEUP_GUESS_BY_IP) && ------------------ | | 817| 773|#define NDPI_GIVEUP_GUESS_BY_IP 0x02 ------------------ | Branch (9682:6): [True: 773, False: 0] ------------------ 9683| 773| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (9683:6): [True: 700, False: 73] 
------------------ 9684| 700| flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9684:6): [True: 69, False: 631] ------------------ 9685| | 9686| 69| ndpi_set_detected_protocol(ndpi_str, flow, 9687| 69| flow->guessed_protocol_id_by_ip, 9688| 69| flow->detected_protocol_stack[1], 9689| 69| NDPI_CONFIDENCE_MATCH_BY_IP); 9690| 69| } 9691| | 9692| 773| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9692:6): [True: 142, False: 631] ------------------ 9693| 142| flow->protocol_was_guessed = 1; 9694| 142| fill_protocol_category_and_breed(ndpi_str, flow); 9695| 142| } 9696| | 9697| | /* Reason: public "ndpi_detection_giveup" */ 9698| 773| internal_giveup(ndpi_str, flow); 9699| | 9700| 773| return; 9701| 773|} ndpi_main.c:internal_giveup: 9402| 10.2k| struct ndpi_flow_struct *flow) { 9403| | 9404| 10.2k| if(flow->already_gaveup) { ------------------ | Branch (9404:6): [True: 0, False: 10.2k] ------------------ 9405| |#if 0 9406| | NDPI_LOG_ERR(ndpi_struct, "%s() - Already called!\n", __FUNCTION__); /* We shoudn't be here ...*/ 9407| |#endif 9408| 0| return; 9409| 0| } 9410| 10.2k| flow->already_gaveup = 1; 9411| | 9412| 10.2k| NDPI_LOG_DBG2(ndpi_struct, "\n"); ------------------ | | 597| 10.2k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 9413| | 9414| | /* This (internal) function is expected to be called for **every** flows, 9415| | exactly once, as **last** code processing the flow itself */ 9416| | 9417| | /* TODO: this function is similar to ndpi_detection_giveup(). We should try to unify them 9418| | or to have two more distinct logics... 9419| | The/A critical point is that ndpi_detection_giveup() is public and it is always used by 9420| | any programs linking to libnDPI: we must be sure to not change the external behavior 9421| | */ 9422| | 9423| | /* *** 9424| | * *** We can't access ndpi_str->packet from this function!! 
9425| | * ***/ 9426| | 9427| 10.2k| if(!ndpi_is_multi_or_broadcast(flow) && ------------------ | Branch (9427:6): [True: 8.69k, False: 1.56k] ------------------ 9428| 8.69k| !is_unidir_traffic_exception(flow)) { ------------------ | Branch (9428:6): [True: 8.69k, False: 2] ------------------ 9429| | 9430| 8.69k| if(flow->packet_direction_complete_counter[flow->client_packet_direction] == 0) ------------------ | Branch (9430:8): [True: 629, False: 8.06k] ------------------ 9431| 629| ndpi_set_risk(ndpi_struct, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No client to server traffic"); 9432| 8.06k| else if(flow->packet_direction_complete_counter[!flow->client_packet_direction] == 0) ------------------ | Branch (9432:13): [True: 4.87k, False: 3.18k] ------------------ 9433| 4.87k| ndpi_set_risk(ndpi_struct, flow, NDPI_UNIDIRECTIONAL_TRAFFIC, "No server to client traffic"); 9434| 8.69k| } 9435| | 9436| 10.2k| if(flow->l4_proto == IPPROTO_TCP) { ------------------ | Branch (9436:6): [True: 4.73k, False: 5.52k] ------------------ 9437| 4.73k| check_tcp_flags(ndpi_struct, flow); 9438| 4.73k| check_probing_attempt(ndpi_struct, flow); 9439| 4.73k| } 9440| | 9441| 10.2k| if((flow->confidence != NDPI_CONFIDENCE_MATCH_BY_PORT) ------------------ | Branch (9441:6): [True: 10.1k, False: 73] ------------------ 9442| 10.1k| && (flow->confidence != NDPI_CONFIDENCE_MATCH_BY_IP)) { ------------------ | Branch (9442:9): [True: 10.1k, False: 69] ------------------ 9443| 10.1k| ndpi_compute_ndpi_flow_fingerprint(ndpi_struct, flow); 9444| 10.1k| } 9445| | 9446| 10.2k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (9446:6): [True: 9.62k, False: 631] ------------------ 9447| 9.62k| check_proto_on_non_std_port_risk(ndpi_struct, flow); 9448| 9.62k| } 9449| | 9450| 10.2k| if(!ndpi_is_custom_protocol(ndpi_struct, flow->detected_protocol_stack[0]) ------------------ | Branch (9450:6): [True: 10.2k, False: 0] ------------------ 9451| 10.2k| && 
ndpi_struct->proto_defaults[flow->detected_protocol_stack[0]].performIPcheck ------------------ | Branch (9451:9): [True: 1.32k, False: 8.93k] ------------------ 9452| 1.32k| && (flow->detected_protocol_stack[0] != flow->guessed_protocol_id_by_ip)) { ------------------ | Branch (9452:9): [True: 376, False: 945] ------------------ 9453| | /* Handle exceptions */ 9454| 376| bool trigger_risk = false; 9455| | 9456| 376| if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (9456:8): [True: 376, False: 0] ------------------ 9457| 376| && (flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN)) { ------------------ | Branch (9457:11): [True: 26, False: 350] ------------------ 9458| | /* 9459| | Check if a known service is serverd by an IP that 9460| | belong to the service organization 9461| | */ 9462| | 9463| 26| trigger_risk = true; 9464| | 9465| 26| switch(flow->detected_protocol_stack[0]) { 9466| 0| case NDPI_PROTOCOL_MSTEAMS_CALL: ------------------ | Branch (9466:7): [True: 0, False: 26] ------------------ 9467| 0| case NDPI_PROTOCOL_MSTEAMS: ------------------ | Branch (9467:7): [True: 0, False: 26] ------------------ 9468| 0| case NDPI_PROTOCOL_MS_OUTLOOK: ------------------ | Branch (9468:7): [True: 0, False: 26] ------------------ 9469| 0| case NDPI_PROTOCOL_MICROSOFT: ------------------ | Branch (9469:7): [True: 0, False: 26] ------------------ 9470| 0| case NDPI_PROTOCOL_MICROSOFT_365: ------------------ | Branch (9470:7): [True: 0, False: 26] ------------------ 9471| 0| switch(flow->guessed_protocol_id_by_ip) { ------------------ | Branch (9471:9): [True: 0, False: 0] ------------------ 9472| 0| case NDPI_PROTOCOL_MICROSOFT_AZURE: ------------------ | Branch (9472:2): [True: 0, False: 0] ------------------ 9473| 0| case NDPI_PROTOCOL_MS_OUTLOOK: ------------------ | Branch (9473:2): [True: 0, False: 0] ------------------ 9474| 0| case NDPI_PROTOCOL_MSTEAMS: ------------------ | Branch (9474:2): [True: 0, False: 0] 
------------------ 9475| 0| trigger_risk = false; 9476| 0| break; 9477| 0| } 9478| 0| break; 9479| | 9480| 0| case NDPI_PROTOCOL_AMAZON_AWS: ------------------ | Branch (9480:7): [True: 0, False: 26] ------------------ 9481| 0| switch(flow->guessed_protocol_id_by_ip) { ------------------ | Branch (9481:9): [True: 0, False: 0] ------------------ 9482| 0| case NDPI_PROTOCOL_AWS_COGNITO: ------------------ | Branch (9482:2): [True: 0, False: 0] ------------------ 9483| 0| case NDPI_PROTOCOL_AWS_API_GATEWAY: ------------------ | Branch (9483:2): [True: 0, False: 0] ------------------ 9484| 0| case NDPI_PROTOCOL_AWS_KINESIS: ------------------ | Branch (9484:2): [True: 0, False: 0] ------------------ 9485| 0| case NDPI_PROTOCOL_AWS_EC2: ------------------ | Branch (9485:2): [True: 0, False: 0] ------------------ 9486| 0| case NDPI_PROTOCOL_AWS_EMR: ------------------ | Branch (9486:2): [True: 0, False: 0] ------------------ 9487| 0| case NDPI_PROTOCOL_AWS_S3: ------------------ | Branch (9487:2): [True: 0, False: 0] ------------------ 9488| 0| case NDPI_PROTOCOL_AWS_CLOUDFRONT: ------------------ | Branch (9488:2): [True: 0, False: 0] ------------------ 9489| 0| case NDPI_PROTOCOL_AWS_DYNAMODB: ------------------ | Branch (9489:2): [True: 0, False: 0] ------------------ 9490| 0| trigger_risk = false; 9491| 0| break; 9492| 0| } 9493| 0| break; 9494| | 9495| 0| case NDPI_PROTOCOL_FACEBOOK: ------------------ | Branch (9495:7): [True: 0, False: 26] ------------------ 9496| 0| case NDPI_PROTOCOL_FACEBOOK_MESSENGER: ------------------ | Branch (9496:7): [True: 0, False: 26] ------------------ 9497| 0| case NDPI_PROTOCOL_FACEBOOK_VOIP: ------------------ | Branch (9497:7): [True: 0, False: 26] ------------------ 9498| 0| case NDPI_PROTOCOL_FACEBOOK_REEL_STORY: ------------------ | Branch (9498:7): [True: 0, False: 26] ------------------ 9499| 0| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_FACEBOOK) ------------------ | Branch (9499:5): [True: 0, False: 0] 
------------------ 9500| 0| trigger_risk = false; 9501| 0| break; 9502| | 9503| 0| case NDPI_PROTOCOL_GMAIL: ------------------ | Branch (9503:7): [True: 0, False: 26] ------------------ 9504| 0| case NDPI_PROTOCOL_GOOGLE_MAPS: ------------------ | Branch (9504:7): [True: 0, False: 26] ------------------ 9505| 0| case NDPI_PROTOCOL_YOUTUBE: ------------------ | Branch (9505:7): [True: 0, False: 26] ------------------ 9506| 0| case NDPI_PROTOCOL_YOUTUBE_KIDS: ------------------ | Branch (9506:7): [True: 0, False: 26] ------------------ 9507| 0| case NDPI_PROTOCOL_GOOGLE: ------------------ | Branch (9507:7): [True: 0, False: 26] ------------------ 9508| 0| case NDPI_PROTOCOL_YOUTUBE_UPLOAD: ------------------ | Branch (9508:7): [True: 0, False: 26] ------------------ 9509| 0| case NDPI_PROTOCOL_PLAYSTORE: ------------------ | Branch (9509:7): [True: 0, False: 26] ------------------ 9510| 0| switch(flow->guessed_protocol_id_by_ip) { ------------------ | Branch (9510:9): [True: 0, False: 0] ------------------ 9511| 0| case NDPI_PROTOCOL_GOOGLE_CLOUD: ------------------ | Branch (9511:2): [True: 0, False: 0] ------------------ 9512| 0| trigger_risk = false; 9513| 0| break; 9514| 0| } 9515| 0| break; 9516| | 9517| 0| case NDPI_PROTOCOL_APPLE: ------------------ | Branch (9517:7): [True: 0, False: 26] ------------------ 9518| 0| case NDPI_PROTOCOL_APPLE_ICLOUD: ------------------ | Branch (9518:7): [True: 0, False: 26] ------------------ 9519| 0| case NDPI_PROTOCOL_APPLE_ITUNES: ------------------ | Branch (9519:7): [True: 0, False: 26] ------------------ 9520| 0| case NDPI_PROTOCOL_APPLESTORE: ------------------ | Branch (9520:7): [True: 0, False: 26] ------------------ 9521| 0| case NDPI_PROTOCOL_APPLE_PUSH: ------------------ | Branch (9521:7): [True: 0, False: 26] ------------------ 9522| 0| case NDPI_PROTOCOL_APPLE_SIRI: ------------------ | Branch (9522:7): [True: 0, False: 26] ------------------ 9523| 0| case NDPI_PROTOCOL_APPLETVPLUS: ------------------ | Branch 
(9523:7): [True: 0, False: 26] ------------------ 9524| 0| switch(flow->guessed_protocol_id_by_ip) { ------------------ | Branch (9524:9): [True: 0, False: 0] ------------------ 9525| 0| case NDPI_PROTOCOL_APPLE: ------------------ | Branch (9525:2): [True: 0, False: 0] ------------------ 9526| 0| case NDPI_PROTOCOL_AKAMAI: ------------------ | Branch (9526:2): [True: 0, False: 0] ------------------ 9527| 0| trigger_risk = false; 9528| 0| break; 9529| 0| } 9530| 0| break; 9531| | 9532| 26| default: ------------------ | Branch (9532:7): [True: 26, False: 0] ------------------ 9533| 26| trigger_risk = false; 9534| 26| break; 9535| 26| } 9536| 350| } else if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (9536:15): [True: 350, False: 0] ------------------ 9537| 350| && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_UNKNOWN)) { ------------------ | Branch (9537:11): [True: 350, False: 0] ------------------ 9538| | /* 9539| | Check if a known service has an unknown IP 9540| | Example www.apple.com is not handled by an Apple server 9541| | */ 9542| 350| switch(flow->detected_protocol_stack[0]) { 9543| | /* Microsoft */ 9544| 0| case NDPI_PROTOCOL_MSTEAMS_CALL: ------------------ | Branch (9544:7): [True: 0, False: 350] ------------------ 9545| 0| case NDPI_PROTOCOL_MSTEAMS: ------------------ | Branch (9545:7): [True: 0, False: 350] ------------------ 9546| 0| case NDPI_PROTOCOL_MS_OUTLOOK: ------------------ | Branch (9546:7): [True: 0, False: 350] ------------------ 9547| 0| case NDPI_PROTOCOL_MICROSOFT: ------------------ | Branch (9547:7): [True: 0, False: 350] ------------------ 9548| 0| case NDPI_PROTOCOL_MICROSOFT_365: ------------------ | Branch (9548:7): [True: 0, False: 350] ------------------ 9549| 0| case NDPI_PROTOCOL_MICROSOFT_AZURE: ------------------ | Branch (9549:7): [True: 0, False: 350] ------------------ 9550| | /* Amazon */ 9551| 0| case NDPI_PROTOCOL_AMAZON_AWS: ------------------ | Branch (9551:7): 
[True: 0, False: 350] ------------------ 9552| 0| case NDPI_PROTOCOL_AWS_COGNITO: ------------------ | Branch (9552:7): [True: 0, False: 350] ------------------ 9553| 0| case NDPI_PROTOCOL_AWS_API_GATEWAY: ------------------ | Branch (9553:7): [True: 0, False: 350] ------------------ 9554| 0| case NDPI_PROTOCOL_AWS_KINESIS: ------------------ | Branch (9554:7): [True: 0, False: 350] ------------------ 9555| 0| case NDPI_PROTOCOL_AWS_EC2: ------------------ | Branch (9555:7): [True: 0, False: 350] ------------------ 9556| 0| case NDPI_PROTOCOL_AWS_EMR: ------------------ | Branch (9556:7): [True: 0, False: 350] ------------------ 9557| 0| case NDPI_PROTOCOL_AWS_S3: ------------------ | Branch (9557:7): [True: 0, False: 350] ------------------ 9558| 0| case NDPI_PROTOCOL_AWS_CLOUDFRONT: ------------------ | Branch (9558:7): [True: 0, False: 350] ------------------ 9559| 0| case NDPI_PROTOCOL_AWS_DYNAMODB: ------------------ | Branch (9559:7): [True: 0, False: 350] ------------------ 9560| | /* Meta */ 9561| 0| case NDPI_PROTOCOL_FACEBOOK: ------------------ | Branch (9561:7): [True: 0, False: 350] ------------------ 9562| 0| case NDPI_PROTOCOL_FACEBOOK_MESSENGER: ------------------ | Branch (9562:7): [True: 0, False: 350] ------------------ 9563| 0| case NDPI_PROTOCOL_FACEBOOK_VOIP: ------------------ | Branch (9563:7): [True: 0, False: 350] ------------------ 9564| 0| case NDPI_PROTOCOL_FACEBOOK_REEL_STORY: ------------------ | Branch (9564:7): [True: 0, False: 350] ------------------ 9565| | /* Google */ 9566| 0| case NDPI_PROTOCOL_GMAIL: ------------------ | Branch (9566:7): [True: 0, False: 350] ------------------ 9567| 0| case NDPI_PROTOCOL_GOOGLE_MAPS: ------------------ | Branch (9567:7): [True: 0, False: 350] ------------------ 9568| 0| case NDPI_PROTOCOL_YOUTUBE: ------------------ | Branch (9568:7): [True: 0, False: 350] ------------------ 9569| 0| case NDPI_PROTOCOL_YOUTUBE_KIDS: ------------------ | Branch (9569:7): [True: 0, False: 350] 
------------------ 9570| 1| case NDPI_PROTOCOL_GOOGLE: ------------------ | Branch (9570:7): [True: 1, False: 349] ------------------ 9571| 1| case NDPI_PROTOCOL_YOUTUBE_UPLOAD: ------------------ | Branch (9571:7): [True: 0, False: 350] ------------------ 9572| 1| case NDPI_PROTOCOL_PLAYSTORE: ------------------ | Branch (9572:7): [True: 0, False: 350] ------------------ 9573| | /* Apple */ 9574| 1| case NDPI_PROTOCOL_APPLE: ------------------ | Branch (9574:7): [True: 0, False: 350] ------------------ 9575| 1| case NDPI_PROTOCOL_APPLE_ICLOUD: ------------------ | Branch (9575:7): [True: 0, False: 350] ------------------ 9576| 1| case NDPI_PROTOCOL_APPLE_ITUNES: ------------------ | Branch (9576:7): [True: 0, False: 350] ------------------ 9577| 1| case NDPI_PROTOCOL_APPLESTORE: ------------------ | Branch (9577:7): [True: 0, False: 350] ------------------ 9578| 1| case NDPI_PROTOCOL_APPLE_PUSH: ------------------ | Branch (9578:7): [True: 0, False: 350] ------------------ 9579| 1| case NDPI_PROTOCOL_APPLE_SIRI: ------------------ | Branch (9579:7): [True: 0, False: 350] ------------------ 9580| 1| case NDPI_PROTOCOL_APPLETVPLUS: ------------------ | Branch (9580:7): [True: 0, False: 350] ------------------ 9581| 1| trigger_risk = true; 9582| 1| break; 9583| | 9584| 349| default: ------------------ | Branch (9584:7): [True: 349, False: 1] ------------------ 9585| 349| trigger_risk = false; 9586| 349| break; 9587| 350| } 9588| 350| } 9589| | 9590| 376| if(trigger_risk) ------------------ | Branch (9590:8): [True: 1, False: 375] ------------------ 9591| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_MISMATCHING_PROTOCOL_WITH_IP, 9592| 1| "nDPI protocol does not match the server IP address"); 9593| 376| } 9594| | 9595| 10.2k| NDPI_DTRACE5(flow_classified, ------------------ | | 37| 10.2k| #define NDPI_DTRACE5(name, a, b, c, d, e) ((void)0) ------------------ 9596| 10.2k| flow->detected_protocol_stack[0], /* proto_master */ 9597| 10.2k| flow->detected_protocol_stack[1], /* 
proto_app */ 9598| 10.2k| flow->confidence, 9599| 10.2k| flow->category, 9600| 10.2k| flow); 9601| | 9602| 10.2k| if(flow->state == NDPI_STATE_CLASSIFIED) { ------------------ | Branch (9602:6): [True: 0, False: 10.2k] ------------------ 9603| 0| NDPI_LOG_ERR(ndpi_struct, "Already classified!\n"); /* We shoudn't be here ...*/ ------------------ | | 593| 0|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 9604| 0| } 9605| | /* Monitoring flows never move to classified state */ 9606| 10.2k| if(flow->state != NDPI_STATE_MONITORING) { ------------------ | Branch (9606:6): [True: 10.2k, False: 0] ------------------ 9607| 10.2k| flow->state = NDPI_STATE_CLASSIFIED; 9608| 10.2k| } 9609| 10.2k|} ndpi_main.c:ndpi_is_multi_or_broadcast: 8442| 10.2k|static u_int8_t ndpi_is_multi_or_broadcast(struct ndpi_flow_struct *flow) { 8443| | 8444| 10.2k| if(!flow->is_ipv6) { ------------------ | Branch (8444:6): [True: 10.0k, False: 209] ------------------ 8445| | /* IPv4 */ 8446| 10.0k| u_int32_t daddr = ntohl(flow->s_address.v4); 8447| | 8448| 10.0k| if(((daddr & 0xF0000000) == 0xE0000000 /* multicast 224.0.0.0/4 */) ------------------ | Branch (8448:8): [True: 493, False: 9.55k] ------------------ 8449| 9.55k| || ((daddr & 0x000000FF) == 0x000000FF /* last byte is 0xFF, not super correct, but a good approximation */) ------------------ | Branch (8449:11): [True: 855, False: 8.70k] ------------------ 8450| 8.70k| || ((daddr & 0x000000FF) == 0x00000000 /* last byte is 0x00, not super correct, but a good approximation */) ------------------ | Branch (8450:11): [True: 216, False: 8.48k] ------------------ 8451| 8.48k| || (daddr == 0xFFFFFFFF)) ------------------ | Branch (8451:11): [True: 0, False: 8.48k] ------------------ 8452| 1.56k| return(1); 8453| 10.0k| } else { 8454| | /* IPv6 */ 8455| | 8456| 209| if((ntohl((*(u_int32_t *)&flow->s_address.v6)) & 0xFF000000) == 0xFF000000) ------------------ | Branch (8456:8): [True: 1, False: 208] 
------------------ 8457| 1| return(1); 8458| 209| } 8459| | 8460| 8.69k| return(0); 8461| 10.2k|} ndpi_main.c:is_unidir_traffic_exception: 9331| 8.69k|static int is_unidir_traffic_exception(struct ndpi_flow_struct *flow) { 9332| | 9333| 8.69k| switch(flow->detected_protocol_stack[0]) { ------------------ | Branch (9333:10): [True: 29, False: 8.66k] ------------------ 9334| 1| case NDPI_PROTOCOL_NETFLOW: ------------------ | Branch (9334:3): [True: 1, False: 8.69k] ------------------ 9335| 1| case NDPI_PROTOCOL_SFLOW: ------------------ | Branch (9335:3): [True: 0, False: 8.69k] ------------------ 9336| 2| case NDPI_PROTOCOL_COLLECTD: ------------------ | Branch (9336:3): [True: 1, False: 8.69k] ------------------ 9337| 2| return 1; 9338| | 9339| 7| case NDPI_PROTOCOL_SYSLOG: ------------------ | Branch (9339:3): [True: 7, False: 8.68k] ------------------ 9340| 7| case NDPI_PROTOCOL_MDNS: ------------------ | Branch (9340:3): [True: 0, False: 8.69k] ------------------ 9341| 7| case NDPI_PROTOCOL_SONOS: ------------------ | Branch (9341:3): [True: 0, False: 8.69k] ------------------ 9342| 27| case NDPI_PROTOCOL_RTP: ------------------ | Branch (9342:3): [True: 20, False: 8.67k] ------------------ 9343| 27| if(flow->l4_proto == IPPROTO_UDP) ------------------ | Branch (9343:8): [True: 0, False: 27] ------------------ 9344| 0| return 1; 9345| 8.69k| } 9346| 8.69k| return 0; 9347| 8.69k|} ndpi_main.c:check_tcp_flags: 9242| 4.73k|static void check_tcp_flags(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 9243| | // printf("[TOTAL] %u / %u [tot: %u]\n", flow->packet_direction_complete_counter[0], flow->packet_direction_complete_counter[1], flow->all_packets_counter); 9244| 4.73k| bool is_probing = false; 9245| | 9246| 4.73k| if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN) ------------------ | | 56| 4.73k|#define TH_SYN 0x02 ------------------ | Branch (9246:6): [True: 1.64k, False: 3.09k] ------------------ 9247| 1.64k| && 
(flow->l4.tcp.srv2cli_tcp_flags & TH_RST) ------------------ | | 57| 1.64k|#define TH_RST 0x04 ------------------ | Branch (9247:9): [True: 84, False: 1.55k] ------------------ 9248| 84| && (flow->packet_counter == 0 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */)) ------------------ | Branch (9248:9): [True: 0, False: 84] ------------------ 9249| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TCP_ISSUES, "Connection refused (server)"), is_probing = true; 9250| 4.73k| else if((flow->l4.tcp.cli2srv_tcp_flags & TH_SYN) ------------------ | | 56| 4.73k|#define TH_SYN 0x02 ------------------ | Branch (9250:11): [True: 1.64k, False: 3.09k] ------------------ 9251| 1.64k| && (flow->l4.tcp.cli2srv_tcp_flags & TH_RST) ------------------ | | 57| 1.64k|#define TH_RST 0x04 ------------------ | Branch (9251:7): [True: 425, False: 1.21k] ------------------ 9252| 425| && (flow->packet_counter == 0 /* Ignore connections terminated by RST but that exchanged data (3WH + RST) */)) ------------------ | Branch (9252:7): [True: 0, False: 425] ------------------ 9253| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TCP_ISSUES, "Connection refused (client)"), is_probing = true; 9254| 4.73k| else if((flow->l4.tcp.srv2cli_tcp_flags & TH_RST) && (flow->packet_direction_complete_counter[1 /* server -> client */] == 1)) ------------------ | | 57| 4.73k|#define TH_RST 0x04 ------------------ | Branch (9254:11): [True: 343, False: 4.39k] | Branch (9254:56): [True: 24, False: 319] ------------------ 9255| 24| ndpi_set_risk(ndpi_struct, flow, NDPI_TCP_ISSUES, "Connection refused"), is_probing = true; 9256| | 9257| 4.73k| if(is_probing) ------------------ | Branch (9257:6): [True: 24, False: 4.71k] ------------------ 9258| 24| ndpi_set_risk(ndpi_struct, flow, NDPI_PROBING_ATTEMPT, "TCP probing attempt"); 9259| 4.73k|} ndpi_main.c:check_probing_attempt: 9264| 4.73k| struct ndpi_flow_struct *flow) { 9265| | /* TODO: check UDP traffic too */ 9266| | 9267| 4.73k| if(flow->l4_proto 
== IPPROTO_TCP) { ------------------ | Branch (9267:6): [True: 4.73k, False: 0] ------------------ 9268| 4.73k| u_int64_t tdiff_ms; 9269| | 9270| 4.73k| if(flow->l4.tcp.three_way_handshake.syn_ack_time && flow->l4.tcp.three_way_handshake.syn_time) { ------------------ | Branch (9270:8): [True: 1.55k, False: 3.18k] | Branch (9270:57): [True: 1.01k, False: 536] ------------------ 9271| 1.01k| if(flow->l4.tcp.three_way_handshake.syn_ack_time > flow->l4.tcp.three_way_handshake.syn_time) ------------------ | Branch (9271:10): [True: 478, False: 537] ------------------ 9272| 478| tdiff_ms = flow->l4.tcp.three_way_handshake.syn_ack_time - flow->l4.tcp.three_way_handshake.syn_time; 9273| 537| else /* out of order */ 9274| 537| tdiff_ms = flow->l4.tcp.three_way_handshake.syn_time - flow->l4.tcp.three_way_handshake.syn_ack_time; 9275| | 9276| 1.01k| if(tdiff_ms > 1500 /* 1.5 sec */) { ------------------ | Branch (9276:10): [True: 32, False: 983] ------------------ 9277| 32| char buf[64]; 9278| | 9279| 32| snprintf(buf, sizeof(buf), "Slow TCP 3WH (SYN_ACK): %.1f sec", tdiff_ms/1000.); 9280| 32| ndpi_set_risk(ndpi_str, flow, NDPI_SLOW_DOS, buf); 9281| 32| } 9282| 1.01k| } 9283| | 9284| 4.73k| if(flow->l4.tcp.three_way_handshake.ack_time && flow->l4.tcp.three_way_handshake.syn_ack_time) { ------------------ | Branch (9284:8): [True: 4.14k, False: 594] | Branch (9284:53): [True: 1.51k, False: 2.62k] ------------------ 9285| 1.51k| if(flow->l4.tcp.three_way_handshake.ack_time > flow->l4.tcp.three_way_handshake.syn_ack_time) ------------------ | Branch (9285:10): [True: 118, False: 1.39k] ------------------ 9286| 118| tdiff_ms = flow->l4.tcp.three_way_handshake.ack_time - flow->l4.tcp.three_way_handshake.syn_ack_time; 9287| 1.39k| else 9288| 1.39k| tdiff_ms = flow->l4.tcp.three_way_handshake.syn_ack_time - flow->l4.tcp.three_way_handshake.ack_time; 9289| | 9290| 1.51k| if(tdiff_ms > 1500 /* 1.5 sec */) { ------------------ | Branch (9290:10): [True: 66, False: 1.45k] 
------------------ 9291| 66| char buf[64]; 9292| | 9293| 66| snprintf(buf, sizeof(buf), "Slow TCP 3WH (ACK): %.1f sec", tdiff_ms/1000.); 9294| 66| ndpi_set_risk(ndpi_str, flow, NDPI_SLOW_DOS, buf); 9295| 66| } 9296| 1.51k| } 9297| 4.73k| } 9298| | 9299| 4.73k| if((flow->l4_proto == IPPROTO_TCP) ------------------ | Branch (9299:6): [True: 4.73k, False: 0] ------------------ 9300| 4.73k| && (flow->l4.tcp.cli2srv_tcp_flags & TH_PUSH) ------------------ | | 58| 4.73k|#define TH_PUSH 0x08 ------------------ | Branch (9300:9): [True: 3.46k, False: 1.27k] ------------------ 9301| 3.46k| && (flow->l4.tcp.srv2cli_tcp_flags & TH_PUSH)) { ------------------ | | 58| 3.46k|#define TH_PUSH 0x08 ------------------ | Branch (9301:9): [True: 1.60k, False: 1.85k] ------------------ 9302| 1.60k| if(flow->packet_direction_counter[0] ------------------ | Branch (9302:8): [True: 1.60k, False: 2] ------------------ 9303| 1.60k| && flow->packet_direction_counter[1]) { ------------------ | Branch (9303:11): [True: 1.60k, False: 3] ------------------ 9304| | /* Both directions observed */ 9305| | /* Nothing to do */ 9306| 1.60k| } else { 9307| | /* Skipping rules where an early match might be confused with a probing attempt */ 9308| 5| if(flow->confidence == NDPI_CONFIDENCE_DPI) { ------------------ | Branch (9308:10): [True: 5, False: 0] ------------------ 9309| 5| switch(flow->detected_protocol_stack[0]) { ------------------ | Branch (9309:9): [True: 3, False: 2] ------------------ 9310| 0| case NDPI_PROTOCOL_SSH: ------------------ | Branch (9310:2): [True: 0, False: 5] ------------------ 9311| 0| if(flow->protos.ssh.hassh_server[0] == '\0') ------------------ | Branch (9311:7): [True: 0, False: 0] ------------------ 9312| 0| ndpi_set_risk(ndpi_str, flow, NDPI_PROBING_ATTEMPT, "SSH Probing"); 9313| 0| break; 9314| | 9315| 3| case NDPI_PROTOCOL_TLS: ------------------ | Branch (9315:2): [True: 3, False: 2] ------------------ 9316| 3| case NDPI_PROTOCOL_MAIL_SMTPS: ------------------ | 
Branch (9316:2): [True: 0, False: 5] ------------------ 9317| 3| case NDPI_PROTOCOL_MAIL_POPS: ------------------ | Branch (9317:2): [True: 0, False: 5] ------------------ 9318| 3| case NDPI_PROTOCOL_MAIL_IMAPS: ------------------ | Branch (9318:2): [True: 0, False: 5] ------------------ 9319| 3| case NDPI_PROTOCOL_DTLS: ------------------ | Branch (9319:2): [True: 0, False: 5] ------------------ 9320| 3| if(flow->host_server_name[0] == '\0') ------------------ | Branch (9320:7): [True: 2, False: 1] ------------------ 9321| 2| ndpi_set_risk(ndpi_str, flow, NDPI_PROBING_ATTEMPT, "TLS Probing"); 9322| 3| break; 9323| 5| } 9324| 5| } 9325| 5| } 9326| 1.60k| } 9327| 4.73k|} ndpi_main.c:check_proto_on_non_std_port_risk: 10345| 9.62k|{ 10346| 9.62k| default_ports_tree_node_t *found; 10347| 9.62k| ndpi_port_range *default_ports; 10348| 9.62k| ndpi_master_app_protocol proto; 10349| 9.62k| int is_udp = (flow->l4_proto == IPPROTO_UDP); 10350| 9.62k| int is_tcp = (flow->l4_proto == IPPROTO_TCP); 10351| | 10352| | /* This function can NOT access &ndpi_str->packet! 
*/ 10353| | 10354| 9.62k| if(!is_flowrisk_enabled(ndpi_str, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT)) ------------------ | Branch (10354:6): [True: 0, False: 9.62k] ------------------ 10355| 0| return; 10356| | 10357| 9.62k| proto.app_protocol = flow->detected_protocol_stack[0]; 10358| 9.62k| proto.master_protocol = flow->detected_protocol_stack[1]; 10359| | 10360| | /* Exceptions: 10361| | * STUN has a default port (used for TURN) but all p2p traffic is on random ports 10362| | * OOkla aggressive detection is over TLS but on port 8080 (which is not a default port) 10363| | */ 10364| 9.62k| if(proto.master_protocol == NDPI_PROTOCOL_STUN || ------------------ | Branch (10364:6): [True: 1.16k, False: 8.46k] ------------------ 10365| 8.46k| proto.app_protocol == NDPI_PROTOCOL_STUN) ------------------ | Branch (10365:6): [True: 7, False: 8.45k] ------------------ 10366| 1.17k| return; 10367| 8.45k| if(proto.app_protocol == NDPI_PROTOCOL_OOKLA && ------------------ | Branch (10367:6): [True: 6, False: 8.44k] ------------------ 10368| 6| flow->confidence == NDPI_CONFIDENCE_DPI_AGGRESSIVE) ------------------ | Branch (10368:6): [True: 0, False: 6] ------------------ 10369| 0| return; 10370| | 10371| 8.45k| if(is_udp) ------------------ | Branch (10371:6): [True: 3.22k, False: 5.23k] ------------------ 10372| 3.22k| found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_UDP, 10373| 3.22k| ntohs(flow->c_port), 10374| 3.22k| ntohs(flow->s_port)), 10375| 3.22k| default_ports = ndpi_str->proto_defaults[proto.master_protocol ? 
proto.master_protocol : proto.app_protocol].udp_default_ports; ------------------ | Branch (10375:48): [True: 18, False: 3.20k] ------------------ 10376| 5.23k| else if(is_tcp) ------------------ | Branch (10376:11): [True: 4.30k, False: 932] ------------------ 10377| 4.30k| found = ndpi_get_guessed_protocol_id(ndpi_str, IPPROTO_TCP, 10378| 4.30k| ntohs(flow->c_port), 10379| 4.30k| ntohs(flow->s_port)), 10380| 4.30k| default_ports = ndpi_str->proto_defaults[proto.master_protocol ? proto.master_protocol : proto.app_protocol].tcp_default_ports; ------------------ | Branch (10380:48): [True: 72, False: 4.23k] ------------------ 10381| 932| else 10382| 932| found = NULL, default_ports = NULL; 10383| | 10384| 8.45k| if(found ------------------ | Branch (10384:6): [True: 3.34k, False: 5.10k] ------------------ 10385| 3.34k| && (found->proto_idx != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (10385:9): [True: 3.34k, False: 0] ------------------ 10386| 3.34k| && (found->proto_idx != proto.master_protocol) ------------------ | Branch (10386:9): [True: 3.30k, False: 45] ------------------ 10387| 3.30k| && (found->proto_idx != proto.app_protocol) ------------------ | Branch (10387:9): [True: 581, False: 2.72k] ------------------ 10388| 8.45k| ) { 10389| | // printf("******** %u / %u\n", found->proto_idx, proto.master_protocol); 10390| | 10391| 581| if(!check_protocol_port_mismatch_exceptions(found, &proto)) { ------------------ | Branch (10391:8): [True: 581, False: 0] ------------------ 10392| | /* 10393| | Before triggering the alert we need to make some extra checks 10394| | - the protocol found is not running on the port we have found 10395| | (i.e. 
two or more protools share the same default port) 10396| | */ 10397| 581| u_int8_t found = 0, i; 10398| | 10399| 1.02k| for(i=0; (i= ntohs(flow->s_port) && ------------------ | Branch (10400:12): [True: 101, False: 345] ------------------ 10401| 101| default_ports[i].port_high <= ntohs(flow->s_port)) { ------------------ | Branch (10401:12): [True: 3, False: 98] ------------------ 10402| 3| found = 1; 10403| 3| break; 10404| 3| } 10405| 446| } /* for */ 10406| | 10407| 581| if(!found) { ------------------ | Branch (10407:10): [True: 578, False: 3] ------------------ 10408| 578| default_ports_tree_node_t *r = ndpi_get_guessed_protocol_id(ndpi_str, flow->l4_proto, 10409| 578| ntohs(flow->c_port), ntohs(flow->s_port)); 10410| | 10411| 578| if((r == NULL) ------------------ | Branch (10411:12): [True: 0, False: 578] ------------------ 10412| 578| || ((r->proto_idx != proto.app_protocol) && (r->proto_idx != proto.master_protocol))) { ------------------ | Branch (10412:16): [True: 578, False: 0] | Branch (10412:56): [True: 578, False: 0] ------------------ 10413| 578| if(default_ports && (default_ports[0].port_low != 0)) { ------------------ | Branch (10413:14): [True: 578, False: 0] | Branch (10413:31): [True: 404, False: 174] ------------------ 10414| 404| char str[64]; 10415| 404| int only_custom = 1; 10416| | 10417| | /* "Default ports" set via custom rules are ignored */ 10418| 847| for(i = 0; i < MAX_DEFAULT_PORTS && (default_ports[i].port_low != 0); i++) ------------------ | | 89| 1.69k|#define MAX_DEFAULT_PORTS 5 ------------------ | Branch (10418:24): [True: 845, False: 2] | Branch (10418:49): [True: 443, False: 402] ------------------ 10419| 443| if(!default_ports[i].is_custom) ------------------ | Branch (10419:18): [True: 443, False: 0] ------------------ 10420| 443| only_custom = 0; 10421| | 10422| 404| if(!only_custom) ------------------ | Branch (10422:16): [True: 404, False: 0] ------------------ 10423| 404| ndpi_set_risk(ndpi_str, flow, 
NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, 10424| 404| ndpi_expected_ports_str(default_ports, str, sizeof(str))); 10425| 404| } 10426| 578| } 10427| 578| } 10428| 581| } 10429| 7.87k| } else if((!is_ntop_protocol(&proto)) && default_ports && (default_ports[0].port_low != 0)) { ------------------ | Branch (10429:13): [True: 7.87k, False: 0] | Branch (10429:44): [True: 6.94k, False: 932] | Branch (10429:61): [True: 6.21k, False: 722] ------------------ 10430| 6.21k| u_int8_t found = 0, i, num_loops = 0; 10431| | 10432| 9.13k| check_default_ports: 10433| 24.3k| for(i=0; (i= ntohs(flow->c_port) && ------------------ | Branch (10434:11): [True: 4.63k, False: 13.9k] ------------------ 10435| 4.63k| default_ports[i].port_high <= ntohs(flow->c_port)) || ------------------ | Branch (10435:11): [True: 716, False: 3.91k] ------------------ 10436| 17.8k| (default_ports[i].port_low >= ntohs(flow->s_port) && ------------------ | Branch (10436:11): [True: 8.00k, False: 9.84k] ------------------ 10437| 8.00k| default_ports[i].port_high <= ntohs(flow->s_port))) { ------------------ | Branch (10437:11): [True: 2.59k, False: 5.41k] ------------------ 10438| 3.31k| found = 1; 10439| 3.31k| break; 10440| 3.31k| } 10441| 18.5k| } /* for */ 10442| | 10443| 9.13k| if((num_loops == 0) && (!found)) { ------------------ | Branch (10443:8): [True: 6.21k, False: 2.91k] | Branch (10443:28): [True: 2.91k, False: 3.30k] ------------------ 10444| 2.91k| if(is_udp) ------------------ | Branch (10444:10): [True: 209, False: 2.70k] ------------------ 10445| 209| default_ports = ndpi_str->proto_defaults[proto.app_protocol].udp_default_ports; 10446| 2.70k| else 10447| 2.70k| default_ports = ndpi_str->proto_defaults[proto.app_protocol].tcp_default_ports; 10448| | 10449| 2.91k| num_loops = 1; 10450| 2.91k| goto check_default_ports; 10451| 2.91k| } 10452| | 10453| 6.21k| if(!found) { ------------------ | Branch (10453:8): [True: 2.90k, False: 3.31k] ------------------ 10454| 2.90k| 
default_ports_tree_node_t *r = ndpi_get_guessed_protocol_id(ndpi_str, flow->l4_proto, 10455| 2.90k| ntohs(flow->c_port), ntohs(flow->s_port)); 10456| | 10457| 2.90k| if((r == NULL) ------------------ | Branch (10457:10): [True: 2.90k, False: 0] ------------------ 10458| 0| || ((r->proto_idx != proto.app_protocol) ------------------ | Branch (10458:14): [True: 0, False: 0] ------------------ 10459| 2.90k| && (r->proto_idx != proto.master_protocol))) { ------------------ | Branch (10459:17): [True: 0, False: 0] ------------------ 10460| 2.90k| if(proto.app_protocol != NDPI_PROTOCOL_FTP_DATA) { ------------------ | Branch (10460:12): [True: 2.90k, False: 6] ------------------ 10461| 2.90k| ndpi_port_range *default_ports; 10462| | 10463| 2.90k| if(is_udp) ------------------ | Branch (10463:14): [True: 209, False: 2.69k] ------------------ 10464| 209| default_ports = ndpi_str->proto_defaults[proto.master_protocol ? proto.master_protocol : proto.app_protocol].udp_default_ports; ------------------ | Branch (10464:54): [True: 3, False: 206] ------------------ 10465| 2.69k| else if(is_tcp) ------------------ | Branch (10465:19): [True: 2.69k, False: 0] ------------------ 10466| 2.69k| default_ports = ndpi_str->proto_defaults[proto.master_protocol ? 
proto.master_protocol : proto.app_protocol].tcp_default_ports; ------------------ | Branch (10466:54): [True: 18, False: 2.67k] ------------------ 10467| 0| else 10468| 0| default_ports = NULL; 10469| | 10470| 2.90k| if(default_ports && (default_ports[0].port_low != 0)) { ------------------ | Branch (10470:14): [True: 2.90k, False: 0] | Branch (10470:31): [True: 2.90k, False: 0] ------------------ 10471| 2.90k| char str[64]; 10472| 2.90k| int only_custom = 1; 10473| | 10474| | /* "Default ports" set via custom rules are ignored */ 10475| 10.5k| for(i = 0; i < MAX_DEFAULT_PORTS && (default_ports[i].port_low != 0); i++) ------------------ | | 89| 21.0k|#define MAX_DEFAULT_PORTS 5 ------------------ | Branch (10475:24): [True: 10.5k, False: 12] | Branch (10475:49): [True: 7.62k, False: 2.89k] ------------------ 10476| 7.62k| if(!default_ports[i].is_custom) ------------------ | Branch (10476:18): [True: 7.62k, False: 0] ------------------ 10477| 7.62k| only_custom = 0; 10478| | 10479| 2.90k| if(!only_custom) ------------------ | Branch (10479:16): [True: 2.90k, False: 0] ------------------ 10480| 2.90k| ndpi_set_risk(ndpi_str, flow, NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, 10481| 2.90k| ndpi_expected_ports_str(default_ports, str, sizeof(str))); 10482| 2.90k| } 10483| 2.90k| } 10484| 2.90k| } 10485| 2.90k| } 10486| 6.21k| } 10487| 8.45k|} ndpi_main.c:ndpi_get_guessed_protocol_id: 5320| 42.7k| u_int8_t proto, u_int16_t sport, u_int16_t dport) { 5321| 42.7k| default_ports_tree_node_t node; 5322| | /* Set use_sport to config value if direction detection is enabled */ 5323| 42.7k| int use_sport = ndpi_str->cfg.use_client_port_in_guess; 5324| | 5325| 42.7k| if(sport && dport) { ------------------ | Branch (5325:6): [True: 42.4k, False: 213] | Branch (5325:15): [True: 42.2k, False: 195] ------------------ 5326| 42.2k| const void *ret; 5327| | 5328| 42.2k| node.default_port = dport; /* Check server port first */ 5329| 42.2k| ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? 
(void *) &ndpi_str->tcpRoot : (void *) &ndpi_str->udpRoot, ------------------ | Branch (5329:29): [True: 27.6k, False: 14.6k] ------------------ 5330| 42.2k| default_ports_tree_node_t_cmp); 5331| | 5332| 42.2k| if(ret == NULL && use_sport) { ------------------ | Branch (5332:8): [True: 25.8k, False: 16.4k] | Branch (5332:23): [True: 25.8k, False: 0] ------------------ 5333| 25.8k| node.default_port = sport; 5334| 25.8k| ret = ndpi_tfind(&node, (proto == IPPROTO_TCP) ? (void *) &ndpi_str->tcpRoot : (void *) &ndpi_str->udpRoot, ------------------ | Branch (5334:31): [True: 18.6k, False: 7.19k] ------------------ 5335| 25.8k| default_ports_tree_node_t_cmp); 5336| 25.8k| } 5337| | 5338| 42.2k| if(ret) ------------------ | Branch (5338:8): [True: 17.5k, False: 24.7k] ------------------ 5339| 17.5k| return(*(default_ports_tree_node_t **) ret); 5340| 42.2k| } 5341| | 5342| 25.1k| return(NULL); 5343| 42.7k|} ndpi_main.c:check_protocol_port_mismatch_exceptions: 10162| 581| const ndpi_master_app_protocol *returned_proto) { 10163| | /* 10164| | For TLS (and other protocols) it is not simple to guess the exact protocol so before 10165| | triggering an alert we need to make sure what we have exhausted all the possible 10166| | options available 10167| | */ 10168| | 10169| 581| if(is_ntop_protocol(returned_proto)) return(1); ------------------ | Branch (10169:6): [True: 0, False: 581] ------------------ 10170| | 10171| 581| if(returned_proto->master_protocol == NDPI_PROTOCOL_TLS) { ------------------ | Branch (10171:6): [True: 1, False: 580] ------------------ 10172| 1| switch(expected_proto->proto_idx) { ------------------ | Branch (10172:12): [True: 0, False: 1] ------------------ 10173| 0| case NDPI_PROTOCOL_MAIL_IMAPS: ------------------ | Branch (10173:5): [True: 0, False: 1] ------------------ 10174| 0| case NDPI_PROTOCOL_MAIL_POPS: ------------------ | Branch (10174:5): [True: 0, False: 1] ------------------ 10175| 0| case NDPI_PROTOCOL_MAIL_SMTPS: ------------------ | 
Branch (10175:5): [True: 0, False: 1] ------------------ 10176| 0| return(1); /* This is a reasonable exception */ 10177| 0| break; 10178| 1| } 10179| 1| } 10180| | 10181| 581| return(0); 10182| 581|} ndpi_main.c:ndpi_expected_ports_str: 10305| 3.30k|static char* ndpi_expected_ports_str(ndpi_port_range *default_ports, char *str, u_int str_len) { 10306| 3.30k| int rc; 10307| | 10308| 3.30k| str[0] = '\0'; 10309| | 10310| 3.30k| if(default_ports[0].port_low != 0) { ------------------ | Branch (10310:6): [True: 3.30k, False: 0] ------------------ 10311| 3.30k| u_int8_t i, offset; 10312| | 10313| 3.30k| offset = snprintf(str, str_len, "Expected on port "); 10314| | 10315| 11.3k| for(i=0; (i 0) ? "," : "", ------------------ | Branch (10321:9): [True: 4.76k, False: 1.72k] ------------------ 10322| 6.48k| default_ports[i].port_low); 10323| 1.58k| else 10324| 1.58k| rc = snprintf(&str[offset], str_len-offset, "%s%u-%u", 10325| 1.58k| (i > 0) ? "," : "", ------------------ | Branch (10325:23): [True: 0, False: 1.58k] ------------------ 10326| 1.58k| default_ports[i].port_low, 10327| 1.58k| default_ports[i].port_high); 10328| | 10329| 8.06k| if(rc > 0) ------------------ | Branch (10329:10): [True: 8.06k, False: 0] ------------------ 10330| 8.06k| offset += rc; 10331| 0| else 10332| 0| break; 10333| 8.06k| } 10334| | 10335| 3.30k| str[offset] = '\0'; 10336| 3.30k| } 10337| | 10338| 3.30k| return(str); 10339| 3.30k|} ndpi_main.c:is_ntop_protocol: 10081| 8.45k|static int is_ntop_protocol(const ndpi_master_app_protocol *proto) { 10082| 8.45k| if((proto->master_protocol == NDPI_PROTOCOL_HTTP) && (proto->app_protocol == NDPI_PROTOCOL_NTOP)) ------------------ | Branch (10082:6): [True: 12, False: 8.44k] | Branch (10082:56): [True: 0, False: 12] ------------------ 10083| 0| return(1); 10084| 8.45k| else 10085| 8.45k| return(0); 10086| 8.45k|} ndpi_main.c:create_public_results: 9377| 79.4k|{ 9378| 79.4k| ndpi_protocol ret; 9379| 79.4k| unsigned int i; 9380| | 9381| 79.4k| 
ret.proto.master_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, flow->detected_protocol_stack[1]); 9382| 79.4k| ret.proto.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, flow->detected_protocol_stack[0]); 9383| 79.4k| ret.protocol_stack.protos_num = flow->protocol_stack.protos_num; 9384| 114k| for(i = 0; i < ret.protocol_stack.protos_num; i++) { ------------------ | Branch (9384:14): [True: 35.3k, False: 79.4k] ------------------ 9385| 35.3k| ret.protocol_stack.protos[i] = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, flow->protocol_stack.protos[i]); 9386| 35.3k| } 9387| 79.4k| ret.protocol_by_ip = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, flow->guessed_protocol_id_by_ip); 9388| 79.4k| ret.custom_category_userdata = flow->custom_category_userdata; 9389| 79.4k| ret.category = flow->category; 9390| 79.4k| ret.breed = flow->breed; 9391| 79.4k| ret.fpc.proto.master_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, flow->fpc.proto.master_protocol); 9392| 79.4k| ret.fpc.proto.app_protocol = ndpi_map_ndpi_id_to_user_proto_id(ndpi_str, flow->fpc.proto.app_protocol); 9393| 79.4k| ret.fpc.confidence = flow->fpc.confidence; 9394| 79.4k| ret.state = flow->state; 9395| | 9396| 79.4k| return ret; 9397| 79.4k|} ndpi_main.c:ndpi_internal_detection_process_packet: 10496| 79.4k| struct ndpi_flow_input_info *input_info) { 10497| 79.4k| struct ndpi_packet_struct *packet; 10498| 79.4k| NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_packet; ------------------ | | 87| 79.4k|#define NDPI_SELECTION_BITMASK_PROTOCOL_SIZE u_int32_t ------------------ 10499| 79.4k| u_int32_t num_calls = 0; 10500| | 10501| 79.4k| flow->num_processed_pkts++; 10502| 79.4k| packet = &ndpi_str->packet; 10503| | 10504| 79.4k| NDPI_LOG_DBG(ndpi_str, "[%d/%d cat:%d breed:%d] START packet processing\n", ------------------ | | 596| 79.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 10505| 79.4k| flow->detected_protocol_stack[0], 10506| 79.4k| flow->detected_protocol_stack[1], 10507| 79.4k| flow->category, 10508| 79.4k| flow->breed); 10509| | 10510| 79.4k| if(flow->monit) ------------------ | Branch (10510:6): [True: 0, False: 79.4k] ------------------ 10511| 0| memset(flow->monit, '\0', sizeof(*flow->monit)); 10512| | 10513| 79.4k| if(ndpi_init_packet(ndpi_str, flow, current_time_ms, packet_data, packetlen, input_info) != 0) ------------------ | Branch (10513:6): [True: 701, False: 78.7k] ------------------ 10514| 701| return; 10515| | 10516| 78.7k| connection_tracking(ndpi_str, flow); 10517| | 10518| | /* At this point, we updated ndpi_str->input_info->in_pkt_dir */ 10519| | 10520| 78.7k| if(ndpi_str->cfg.max_packets_to_process > 0 && ------------------ | Branch (10520:6): [True: 78.7k, False: 0] ------------------ 10521| 78.7k| flow->num_processed_pkts >= ndpi_str->cfg.max_packets_to_process && ------------------ | Branch (10521:6): [True: 24, False: 78.6k] ------------------ 10522| 24| flow->state != NDPI_STATE_MONITORING) { ------------------ | Branch (10522:6): [True: 24, False: 0] ------------------ 10523| | 10524| | /* Reason: too many packets */ 10525| | /* We are stopping and we might not have a proper classification: 10526| | this is the reason we call ndpi_internal_detection_giveup() instead of internal_giveup() */ 10527| 24| ndpi_internal_detection_giveup(ndpi_str, flow); 10528| | 10529| 24| return; /* Avoid spending too much time with this flow */ 10530| 24| } 10531| | 10532| 78.6k| ndpi_str->current_ts = current_time_ms; 10533| | 10534| 78.6k| if(flow->extra_packets_func) { ------------------ | Branch (10534:6): [True: 11.8k, False: 66.8k] ------------------ 10535| 11.8k| process_extra_packet(ndpi_str, flow); 10536| | 10537| 11.8k| if(flow->extra_packets_func == NULL) { ------------------ | Branch (10537:8): [True: 2.90k, False: 8.91k] ------------------ 10538| | /* Reason: 
extra dissection ended */ 10539| 2.90k| internal_giveup(ndpi_str, flow); 10540| 2.90k| } 10541| | 10542| 11.8k| return; 10543| 66.8k| } else if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (10543:13): [True: 0, False: 66.8k] ------------------ 10544| 0| goto ret_protocols; 10545| 0| } 10546| | 10547| 66.8k| if(flow->num_processed_pkts == 1) { ------------------ | Branch (10547:6): [True: 34.9k, False: 31.9k] ------------------ 10548| | /* first packet of this flow to be analyzed */ 10549| | 10550| |#ifdef HAVE_NBPF 10551| | if(ndpi_str->nbpf_custom_proto[0].tree != NULL) { 10552| | u_int8_t i; 10553| | nbpf_pkt_info_t t; 10554| | 10555| | memset(&t, 0, sizeof(t)); 10556| | 10557| | if(packet->iphv6 != NULL) { 10558| | t.tuple.eth_type = 0x86DD; 10559| | t.tuple.ip_version = 6; 10560| | memcpy(&t.tuple.ip_src.v6, &packet->iphv6->ip6_src, 16); 10561| | memcpy(&t.tuple.ip_dst.v6, &packet->iphv6->ip6_dst, 16); 10562| | } else { 10563| | t.tuple.eth_type = 0x0800; 10564| | t.tuple.ip_version = 4; 10565| | t.tuple.ip_src.v4 = packet->iph->saddr; 10566| | t.tuple.ip_dst.v4 = packet->iph->daddr; 10567| | } 10568| | 10569| | t.tuple.l3_proto = flow->l4_proto; 10570| | 10571| | if(packet->tcp) 10572| | t.tuple.l4_src_port = packet->tcp->source, t.tuple.l4_dst_port = packet->tcp->dest; 10573| | else if(packet->udp) 10574| | t.tuple.l4_src_port = packet->udp->source, t.tuple.l4_dst_port = packet->udp->dest; 10575| | 10576| | for(i=0; (inbpf_custom_proto[i].tree != NULL); i++) { 10577| | if(nbpf_match(ndpi_str->nbpf_custom_proto[i].tree, &t)) { 10578| | /* match found */ 10579| | ndpi_set_detected_protocol(ndpi_str, flow, 10580| | ndpi_str->nbpf_custom_proto[i].l7_protocol, 10581| | NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_NBPF); 10582| | fill_protocol_category_and_breed(ndpi_str, flow); 10583| | /* Reason: nBPF match */ 10584| | internal_giveup(ndpi_str, flow); 10585| | 10586| | return; 10587| | } 10588| | } 10589| | } 10590| |#endif 
10591| 34.9k| } 10592| | 10593| | /* build ndpi_selection packet bitmask */ 10594| 66.8k| ndpi_selection_packet = NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC; ------------------ | | 612| 66.8k|#define NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC (1<<8) ------------------ 10595| 66.8k| if(packet->iph != NULL) ------------------ | Branch (10595:6): [True: 65.7k, False: 1.14k] ------------------ 10596| 65.7k| ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6; ------------------ | | 604| 65.7k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) ------------------ ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6; ------------------ | | 611| 65.7k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) ------------------ 10597| | 10598| 66.8k| if(packet->tcp != NULL) ------------------ | Branch (10598:6): [True: 52.2k, False: 14.6k] ------------------ 10599| 52.2k| ndpi_selection_packet |= 10600| 52.2k| (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP); ------------------ | | 605| 52.2k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) ------------------ (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP); ------------------ | | 607| 52.2k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) ------------------ 10601| | 10602| 66.8k| if(packet->udp != NULL) ------------------ | Branch (10602:6): [True: 12.3k, False: 54.5k] ------------------ 10603| 12.3k| ndpi_selection_packet |= 10604| 12.3k| (NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP); ------------------ | | 606| 12.3k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) ------------------ (NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP); ------------------ | | 607| 12.3k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) ------------------ 10605| | 10606| 66.8k| if(packet->payload_packet_len != 0) ------------------ | Branch (10606:6): [True: 52.4k, False: 14.4k] ------------------ 10607| 52.4k| ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD; ------------------ | | 608| 52.4k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) ------------------ 10608| | 10609| 66.8k| if(packet->tcp_retransmission == 0) ------------------ | Branch (10609:6): [True: 65.3k, False: 1.56k] ------------------ 10610| 65.3k| ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION; ------------------ | | 609| 65.3k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) ------------------ 10611| | 10612| 66.8k| if(packet->iphv6 != NULL) ------------------ | Branch (10612:6): [True: 1.14k, False: 65.7k] ------------------ 10613| 1.14k| ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6; ------------------ | | 610| 1.14k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 (1<<6) ------------------ ndpi_selection_packet |= NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6; ------------------ | | 611| 1.14k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) ------------------ 10614| | 10615| 66.8k| if(!flow->protocol_id_already_guessed) { ------------------ | Branch (10615:6): [True: 34.9k, False: 31.9k] ------------------ 10616| 34.9k| flow->protocol_id_already_guessed = 1; 10617| | 10618| 34.9k| if(do_guess(ndpi_str, flow) == -1) { ------------------ | Branch (10618:8): [True: 0, False: 34.9k] ------------------ 10619| | 10620| 0| fill_protocol_category_and_breed(ndpi_str, flow); 10621| | 10622| 0| fpc_check_eval(ndpi_str, flow); 10623| | 10624| | /* Reason: custom rules */ 10625| 0| internal_giveup(ndpi_str, flow); 10626| | 10627| 0| return; 10628| 0| } 10629| 34.9k| } 10630| | 10631| 66.8k| 
num_calls = ndpi_check_flow_func(ndpi_str, flow, &ndpi_selection_packet); 10632| | 10633| 66.8k|ret_protocols: 10634| | 10635| | /* Don't overwrite the category if already set */ 10636| 66.8k| if(flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED && ------------------ | Branch (10636:6): [True: 64.3k, False: 2.49k] ------------------ 10637| 64.3k| flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (10637:6): [True: 15.0k, False: 49.2k] ------------------ 10638| 15.0k| fill_protocol_category_and_breed(ndpi_str, flow); 10639| 15.0k| } 10640| 66.8k| if(flow->breed == NDPI_PROTOCOL_UNRATED) { ------------------ | Branch (10640:6): [True: 49.2k, False: 17.5k] ------------------ 10641| 49.2k| ndpi_master_app_protocol proto; 10642| 49.2k| proto.app_protocol = flow->detected_protocol_stack[0]; 10643| 49.2k| proto.master_protocol = flow->detected_protocol_stack[1]; 10644| 49.2k| flow->breed = get_proto_breed(ndpi_str, proto); 10645| 49.2k| } 10646| | 10647| 66.8k| if(!flow->tree_risk_checked) { ------------------ | Branch (10647:6): [True: 34.9k, False: 31.9k] ------------------ 10648| 34.9k| ndpi_risk_enum net_risk = NDPI_NO_RISK; 10649| | 10650| | /* Right now, all the 3 supported risks are only about the *client* ip. 
10651| | Don't check the server ip, to try avoiding false positives */ 10652| | 10653| 34.9k| if(ndpi_str->ip_risk && ndpi_str->ip_risk->v4 ------------------ | Branch (10653:8): [True: 34.9k, False: 0] | Branch (10653:29): [True: 34.9k, False: 0] ------------------ 10654| 34.9k| && packet->iph ------------------ | Branch (10654:11): [True: 33.8k, False: 1.11k] ------------------ 10655| 33.8k| && ndpi_is_public_ipv4(ntohl(packet->iph->saddr)) ------------------ | Branch (10655:11): [True: 10.1k, False: 23.6k] ------------------ 10656| 10.1k| && ndpi_is_public_ipv4(ntohl(packet->iph->daddr))) { ------------------ | Branch (10656:11): [True: 4.64k, False: 5.54k] ------------------ 10657| 4.64k| struct in_addr addr; 10658| | 10659| 4.64k| addr.s_addr = flow->c_address.v4; 10660| 4.64k| net_risk = ndpi_network_risk_ptree_match(ndpi_str, &addr); 10661| 30.2k| } else if(ndpi_str->ip_risk && ndpi_str->ip_risk->v6 && ------------------ | Branch (10661:15): [True: 30.2k, False: 0] | Branch (10661:36): [True: 30.2k, False: 0] ------------------ 10662| 30.2k| packet->iphv6) { /* TODO: some checks on "local" addresses? 
*/ ------------------ | Branch (10662:15): [True: 1.11k, False: 29.1k] ------------------ 10663| 1.11k| struct in6_addr addr; 10664| | 10665| 1.11k| addr = *(struct in6_addr *)&flow->c_address.v6; 10666| 1.11k| net_risk = ndpi_network_risk_ptree_match6(ndpi_str, &addr); 10667| 1.11k| } 10668| | 10669| 34.9k| if(net_risk != NDPI_NO_RISK) ------------------ | Branch (10669:8): [True: 38, False: 34.8k] ------------------ 10670| 38| ndpi_set_risk(ndpi_str, flow, net_risk, NULL); 10671| | 10672| 34.9k| flow->tree_risk_checked = 1; 10673| 34.9k| } 10674| | 10675| 66.8k| flow->num_dissector_calls += num_calls; 10676| | 10677| 66.8k| if(ndpi_str->cfg.fully_encrypted_heuristic && ------------------ | Branch (10677:6): [True: 0, False: 66.8k] ------------------ 10678| 0| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && /* Only for unknown traffic */ ------------------ | Branch (10678:6): [True: 0, False: 0] ------------------ 10679| 0| flow->packet_counter == 1 && packet->payload_packet_len > 0) { ------------------ | Branch (10679:6): [True: 0, False: 0] | Branch (10679:35): [True: 0, False: 0] ------------------ 10680| 0| flow->first_pkt_fully_encrypted = fully_enc_heuristic(ndpi_str, flow); 10681| 0| } 10682| | 10683| 66.8k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN ------------------ | Branch (10683:6): [True: 49.2k, False: 17.5k] ------------------ 10684| 49.2k| && (packet->payload_packet_len > 0) ------------------ | Branch (10684:9): [True: 34.8k, False: 14.4k] ------------------ 10685| 34.8k| && (flow->packet_counter <= 5)) { ------------------ | Branch (10685:9): [True: 28.4k, False: 6.36k] ------------------ 10686| 28.4k| ndpi_search_portable_executable(ndpi_str, flow); 10687| 28.4k| ndpi_search_elf(ndpi_str, flow); 10688| 28.4k| ndpi_search_shellscript(ndpi_str, flow); 10689| 28.4k| } 10690| | 10691| 66.8k| if(ndpi_str->cfg.compute_entropy && ------------------ | Branch (10691:6): [True: 66.8k, False: 0] ------------------ 10692| 
66.8k| flow->skip_entropy_check == 0 && ------------------ | Branch (10692:6): [True: 66.8k, False: 0] ------------------ 10693| 66.8k| flow->first_pkt_fully_encrypted == 0 && ------------------ | Branch (10693:6): [True: 66.8k, False: 0] ------------------ 10694| 66.8k| flow->packet_counter < 5 && ------------------ | Branch (10694:6): [True: 57.4k, False: 9.42k] ------------------ 10695| | /* The following protocols do their own entropy calculation/classification. */ 10696| 57.4k| flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IP_ICMP) { ------------------ | Branch (10696:6): [True: 56.6k, False: 750] ------------------ 10697| | 10698| 56.6k| if (/* We are not interest into entropy for encrypted flows */ 10699| 56.6k| !ndpi_stack_is_tls_like(&flow->protocol_stack) && ------------------ | Branch (10699:9): [True: 50.5k, False: 6.11k] ------------------ 10700| 50.5k| flow->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP && ------------------ | Branch (10700:9): [True: 49.5k, False: 1.00k] ------------------ 10701| 49.5k| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_HTTP) { ------------------ | Branch (10701:9): [True: 49.3k, False: 268] ------------------ 10702| 49.3k| flow->entropy = ndpi_entropy(packet->payload, packet->payload_packet_len); 10703| 49.3k| } 10704| | 10705| 56.6k| ndpi_entropy2risk(ndpi_str, flow); 10706| 56.6k| } 10707| | 10708| | /* First Packet Classification */ 10709| 66.8k| if(flow->all_packets_counter == 1) { ------------------ | Branch (10709:6): [True: 34.9k, False: 31.9k] ------------------ 10710| 34.9k| fpc_check_eval(ndpi_str, flow); 10711| 34.9k| } 10712| | 10713| 66.8k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (10713:6): [True: 17.5k, False: 49.2k] ------------------ 10714| 17.5k| flow->extra_packets_func == NULL) { ------------------ | Branch (10714:6): [True: 6.57k, False: 10.9k] ------------------ 10715| | /* Reason: "normal" classification, without extra dissection */ 
10716| 6.57k| internal_giveup(ndpi_str, flow); 10717| 6.57k| } 10718| | 10719| 66.8k| if(num_calls == 0 && ------------------ | Branch (10719:6): [True: 16.7k, False: 50.1k] ------------------ 10720| | /* It is common to don't trigger any dissectors for pure TCP ACKs 10721| | and for for retransmissions */ 10722| 16.7k| (packet->tcp_retransmission == 0 && packet->payload_packet_len != 0)) { ------------------ | Branch (10722:7): [True: 15.1k, False: 1.56k] | Branch (10722:42): [True: 735, False: 14.4k] ------------------ 10723| | /* Reason: no more dissector and no extra dissection */ 10724| | /* We are stopping and we might not have a proper classification: 10725| | this is the reason we call ndpi_internal_detection_giveup() instead of internal_giveup() */ 10726| 735| ndpi_internal_detection_giveup(ndpi_str, flow); 10727| 735| } 10728| 66.8k|} ndpi_main.c:ndpi_init_packet: 8120| 79.4k| struct ndpi_flow_input_info *input_info) { 8121| 79.4k| struct ndpi_packet_struct *packet = &ndpi_str->packet; 8122| 79.4k| const struct ndpi_iphdr *decaps_iph = NULL; 8123| 79.4k| u_int16_t l3len; 8124| 79.4k| u_int16_t l4len, l4_packet_len; 8125| 79.4k| const u_int8_t *l4ptr; 8126| 79.4k| u_int8_t l4protocol; 8127| 79.4k| u_int8_t l4_result; 8128| | 8129| | /* need at least 20 bytes for ip header */ 8130| 79.4k| if(packetlen < 20) ------------------ | Branch (8130:6): [True: 0, False: 79.4k] ------------------ 8131| 0| return 1; 8132| | 8133| 79.4k| packet->current_time_ms = current_time_ms; 8134| | 8135| 79.4k| ndpi_str->input_info = input_info; 8136| | 8137| 79.4k| packet->iph = (const struct ndpi_iphdr *)packet_data; 8138| | 8139| | /* reset payload_packet_len, will be set if ipv4 tcp or udp */ 8140| 79.4k| packet->payload = NULL; 8141| 79.4k| packet->payload_packet_len = 0; 8142| 79.4k| packet->l3_packet_len = packetlen; 8143| | 8144| 79.4k| packet->tcp = NULL, packet->udp = NULL; 8145| 79.4k| packet->iphv6 = NULL; 8146| | 8147| 79.4k| l3len = packet->l3_packet_len; 8148| | 
8149| 79.4k| ndpi_reset_packet_line_info(packet); 8150| 79.4k| packet->packet_lines_parsed_complete = 0; 8151| 79.4k| packet->http_check_content = 0; 8152| | 8153| 79.4k| if(packet->iph != NULL) ------------------ | Branch (8153:6): [True: 79.4k, False: 0] ------------------ 8154| 79.4k| decaps_iph = packet->iph; 8155| | 8156| 79.4k| if(decaps_iph && (decaps_iph->version == 4 /* IPVERSION */) && (decaps_iph->ihl >= 5)) { ------------------ | Branch (8156:6): [True: 79.4k, False: 0] | Branch (8156:20): [True: 78.0k, False: 1.40k] | Branch (8156:66): [True: 77.9k, False: 66] ------------------ 8157| 77.9k| NDPI_LOG_DBG2(ndpi_str, "ipv4 header\n"); ------------------ | | 597| 77.9k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 8158| 77.9k| } else if(decaps_iph && decaps_iph->version == 6 && l3len >= sizeof(struct ndpi_ipv6hdr) && ------------------ | Branch (8158:13): [True: 1.46k, False: 0] | Branch (8158:27): [True: 1.40k, False: 66] | Branch (8158:55): [True: 1.40k, False: 0] ------------------ 8159| 1.40k| (ndpi_str->ip_version_limit & NDPI_DETECTION_ONLY_IPV4) == 0) { ------------------ | | 36| 1.40k|#define NDPI_DETECTION_ONLY_IPV4 ( 1 << 0 ) ------------------ | Branch (8159:6): [True: 1.40k, False: 0] ------------------ 8160| 1.40k| NDPI_LOG_DBG2(ndpi_str, "ipv6 header\n"); ------------------ | | 597| 1.40k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 8161| 1.40k| packet->iphv6 = (struct ndpi_ipv6hdr *)packet->iph; 8162| 1.40k| packet->iph = NULL; 8163| 1.40k| } else { 8164| 66| packet->iph = NULL; 8165| 66| return(1); 8166| 66| } 8167| | 8168| | /* needed: 8169| | * - unfragmented packets 8170| | * - ip header <= packet len 8171| | * - ip total length >= packet len 8172| | */ 8173| | 8174| 79.3k| l4ptr = NULL; 8175| 79.3k| l4len = 0; 8176| 79.3k| l4protocol = 0; 8177| | 8178| 79.3k| l4_result = 8179| 79.3k| ndpi_detection_get_l4_internal(ndpi_str, (const u_int8_t *) decaps_iph, l3len, &l4ptr, &l4len, &l4protocol, 0); 8180| | 8181| 79.3k| if(l4_result != 0) { ------------------ | Branch (8181:6): [True: 4, False: 79.3k] ------------------ 8182| 4| return(1); 8183| 4| } 8184| | 8185| 79.3k| l4_packet_len = l4len; 8186| 79.3k| flow->l4_proto = l4protocol; 8187| | 8188| | /* TCP / UDP detection */ 8189| 79.3k| if(l4protocol == IPPROTO_TCP) { ------------------ | Branch (8189:6): [True: 60.7k, False: 18.5k] ------------------ 8190| 60.7k| u_int16_t tcp_header_len; 8191| | 8192| 60.7k| if(l4_packet_len < sizeof(struct ndpi_tcphdr) /* min size of tcp */) ------------------ | Branch (8192:8): [True: 65, False: 60.7k] ------------------ 8193| 65| return(1); 8194| | 8195| | /* tcp */ 8196| 60.7k| packet->tcp = (struct ndpi_tcphdr *) l4ptr; 8197| 60.7k| tcp_header_len = packet->tcp->doff * 4; 8198| | 8199| 60.7k| if(l4_packet_len >= tcp_header_len) { ------------------ | Branch (8199:8): [True: 60.2k, False: 419] ------------------ 8200| 60.2k| if(ndpi_str->cfg.tcp_fingerprint_enabled && ------------------ | Branch (8200:10): [True: 60.2k, False: 0] ------------------ 8201| 60.2k| flow->tcp.fingerprint == NULL) { ------------------ | Branch (8201:10): [True: 39.8k, False: 20.4k] ------------------ 8202| 39.8k| u_int8_t *t = (u_int8_t*)packet->tcp; 8203| 39.8k| u_int16_t flags = ntohs(*((u_int16_t*)&t[12])) & 0xFFF; 8204| 39.8k| u_int16_t syn_mask = TH_SYN | TH_ECE | 
TH_CWR; ------------------ | | 56| 39.8k|#define TH_SYN 0x02 ------------------ u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR; ------------------ | | 61| 39.8k|#define TH_ECE 0x40 ------------------ u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR; ------------------ | | 62| 39.8k|#define TH_CWR 0x80 ------------------ 8205| | 8206| 39.8k| if((flags & syn_mask) && ((flags & TH_ACK) == 0)) { ------------------ | | 59| 15.1k|#define TH_ACK 0x10 ------------------ | Branch (8206:5): [True: 15.1k, False: 24.6k] | Branch (8206:27): [True: 10.5k, False: 4.59k] ------------------ 8207| 10.5k| char fingerprint[128], options_fp[128]; 8208| 10.5k| u_int8_t i, fp_idx = 0, options_fp_len = 0; 8209| | 8210| 10.5k| if(tcp_header_len >= sizeof(struct ndpi_tcphdr)) { ------------------ | Branch (8210:7): [True: 6.44k, False: 4.14k] ------------------ 8211| 6.44k| u_int8_t *options = (u_int8_t*)(&t[sizeof(struct ndpi_tcphdr)]); 8212| 6.44k| u_int8_t options_len = tcp_header_len - sizeof(struct ndpi_tcphdr); 8213| 6.44k| u_int16_t tcp_win = ntohs(packet->tcp->window); 8214| 6.44k| u_int8_t ip_ttl; 8215| 6.44k| u_int8_t sha_hash[NDPI_SHA256_BLOCK_SIZE]; 8216| 6.44k| u_int32_t tcp_mss = 0, tcp_wscale = 0; 8217| 6.44k| int rc; 8218| | 8219| 6.44k| if(packet->iph) ------------------ | Branch (8219:9): [True: 6.44k, False: 1] ------------------ 8220| 6.44k| ip_ttl = packet->iph->ttl; 8221| 1| else 8222| 1| ip_ttl = packet->iphv6->ip6_hdr.ip6_un1_hlim; 8223| | 8224| 6.44k| if(ip_ttl <= 32) ip_ttl = 32; ------------------ | Branch (8224:9): [True: 38, False: 6.41k] ------------------ 8225| 6.41k| else if(ip_ttl <= 64) ip_ttl = 64; ------------------ | Branch (8225:14): [True: 6.31k, False: 96] ------------------ 8226| 96| else if(ip_ttl <= 128) ip_ttl = 128; ------------------ | Branch (8226:14): [True: 84, False: 12] ------------------ 8227| 12| else if(ip_ttl <= 192) ip_ttl = 192; ------------------ | Branch (8227:14): [True: 6, False: 6] ------------------ 8228| 6| else ip_ttl = 255; 8229| 
| 8230| 6.44k| switch(ndpi_str->cfg.tcp_fingerprint_format) { ------------------ | Branch (8230:13): [True: 6.44k, False: 0] ------------------ 8231| 6.44k| case NDPI_NATIVE_TCP_FINGERPRINT: ------------------ | Branch (8231:6): [True: 6.44k, False: 0] ------------------ 8232| 6.44k| fp_idx = snprintf(fingerprint, sizeof(fingerprint), "%u_%u_%u_", flags, ip_ttl, tcp_win); 8233| 6.44k| break; 8234| | 8235| 0| case NDPI_MUONFP_TCP_FINGERPRINT: ------------------ | Branch (8235:6): [True: 0, False: 6.44k] ------------------ 8236| 0| fp_idx = snprintf(fingerprint, sizeof(fingerprint), "%u:", tcp_win); 8237| 0| break; 8238| 6.44k| } 8239| | 8240| 6.44k| if(options_len == 0) { ------------------ | Branch (8240:9): [True: 80, False: 6.36k] ------------------ 8241| 80| const char *msg; 8242| | 8243| | /* 8244| | Massive Internet scanner detected. Examples: 8245| | - https://zmap.io 8246| | - https://github.com/robertdavidgraham/masscan 8247| | */ 8248| | 8249| 80| if(tcp_win == 1024) ------------------ | Branch (8249:11): [True: 1, False: 79] ------------------ 8250| 1| msg = "Massive scanner detected (probably masscan)"; 8251| 79| else if(tcp_win == 65535) ------------------ | Branch (8251:16): [True: 6, False: 73] ------------------ 8252| 6| msg = "Massive scanner detected (probably zmap)"; 8253| 73| else 8254| 73| msg = "Massive scanner detected"; 8255| | 8256| 80| ndpi_set_risk(ndpi_str, flow, NDPI_MALICIOUS_FINGERPRINT, (char*)msg); 8257| 6.36k| } else { 8258| |#ifdef DEBUG_TCP_OPTIONS 8259| | printf("Options len: %u\n", options_len); 8260| |#endif 8261| 37.2k| for(i=0; icfg.tcp_fingerprint_format == NDPI_NATIVE_TCP_FINGERPRINT) { ------------------ | Branch (8268:6): [True: 31.0k, False: 0] ------------------ 8269| 31.0k| rc = snprintf(&options_fp[options_fp_len], sizeof(options_fp)-options_fp_len, "%02x", kind); 8270| | 8271| 31.0k| if((rc < 0) || ((int)(options_fp_len + rc) == sizeof(options_fp))) ------------------ | Branch (8271:8): [True: 0, False: 31.0k] | 
Branch (8271:20): [True: 167, False: 30.9k] ------------------ 8272| 167| break; 8273| | 8274| 30.9k| options_fp_len += rc; 8275| 30.9k| } else if(ndpi_str->cfg.tcp_fingerprint_format == NDPI_MUONFP_TCP_FINGERPRINT) { ------------------ | Branch (8275:13): [True: 0, False: 0] ------------------ 8276| 0| if(fp_idx >= sizeof(fingerprint)) ------------------ | Branch (8276:8): [True: 0, False: 0] ------------------ 8277| 0| break; 8278| | 8279| 0| rc = snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, "%s%u", (i > 0) ? "-" : "", kind); ------------------ | Branch (8279:77): [True: 0, False: 0] ------------------ 8280| | 8281| 0| if((rc < 0) || ((int)(fp_idx + rc) == sizeof(fingerprint))) ------------------ | Branch (8281:8): [True: 0, False: 0] | Branch (8281:20): [True: 0, False: 0] ------------------ 8282| 0| break; 8283| | 8284| 0| fp_idx += rc; 8285| 0| } 8286| | 8287| 30.9k| if(kind == 0) /* EOL */ { ------------------ | Branch (8287:6): [True: 4.61k, False: 26.3k] ------------------ 8288| 4.61k| i++; 8289| 4.61k| continue; 8290| 26.3k| } else if(kind == 1) /* NOP */ ------------------ | Branch (8290:13): [True: 6.36k, False: 19.9k] ------------------ 8291| 6.36k| i++; 8292| 19.9k| else if((i+1) < options_len) { ------------------ | Branch (8292:11): [True: 19.9k, False: 15] ------------------ 8293| 19.9k| u_int8_t len = options[i+1]; 8294| | 8295| |#ifdef DEBUG_TCP_OPTIONS 8296| | printf("\tOption len: %u\n", len); 8297| |#endif 8298| | 8299| 19.9k| if(len == 0) ------------------ | Branch (8299:8): [True: 5.22k, False: 14.7k] ------------------ 8300| 5.22k| continue; 8301| 14.7k| else if(kind == 8) { ------------------ | Branch (8301:13): [True: 2.40k, False: 12.3k] ------------------ 8302| 2.40k| switch(ndpi_str->cfg.tcp_fingerprint_format) { ------------------ | Branch (8302:14): [True: 2.40k, False: 0] ------------------ 8303| 2.40k| case NDPI_NATIVE_TCP_FINGERPRINT: ------------------ | Branch (8303:7): [True: 2.40k, False: 0] ------------------ 
8304| | /* Timestamp: ignore it */ 8305| 2.40k| break; 8306| | 8307| 0| case NDPI_MUONFP_TCP_FINGERPRINT: ------------------ | Branch (8307:7): [True: 0, False: 2.40k] ------------------ 8308| | /* Nothing to do */ 8309| 0| break; 8310| 2.40k| } 8311| 12.3k| } else if(len > 2) { ------------------ | Branch (8311:15): [True: 9.71k, False: 2.58k] ------------------ 8312| 9.71k| int j = i+2; 8313| 9.71k| u_int8_t opt_len = len - 2; 8314| | 8315| 9.71k| if(((kind == 2 /* Maximum segment size */) || (kind == 3 /* TCP window scale */)) && ------------------ | Branch (8315:11): [True: 2.49k, False: 7.22k] | Branch (8315:53): [True: 2.57k, False: 4.64k] ------------------ 8316| 5.07k| j + opt_len - 1 < options_len){ ------------------ | Branch (8316:10): [True: 4.79k, False: 280] ------------------ 8317| 4.79k| u_int32_t val = 0; 8318| | 8319| 4.79k| if(opt_len == 1) ------------------ | Branch (8319:12): [True: 2.32k, False: 2.47k] ------------------ 8320| 2.32k| val = options[j]; 8321| 2.47k| else if(opt_len == 2) ------------------ | Branch (8321:17): [True: 2.42k, False: 43] ------------------ 8322| 2.42k| val = (options[j] << 8) + options[j+1]; 8323| 43| else if(opt_len == 3) ------------------ | Branch (8323:17): [True: 11, False: 32] ------------------ 8324| 11| val = (options[j] << 16) + (options[j+1] << 8) + options[j+2]; 8325| 32| else if(opt_len == 4) ------------------ | Branch (8325:17): [True: 1, False: 31] ------------------ 8326| 1| val = ((u_int32_t)options[j] << 24) + (options[j+1] << 16) + (options[j+2] << 8) + options[j+3]; 8327| | 8328| 4.79k| if(kind == 2) ------------------ | Branch (8328:12): [True: 2.45k, False: 2.33k] ------------------ 8329| 2.45k| tcp_mss = val; 8330| 2.33k| else if(kind == 3) ------------------ | Branch (8330:17): [True: 2.33k, False: 0] ------------------ 8331| 2.33k| tcp_wscale = val; 8332| 4.79k| } 8333| | 8334| 9.71k| if(ndpi_str->cfg.tcp_fingerprint_format == NDPI_NATIVE_TCP_FINGERPRINT) { ------------------ | Branch 
(8334:10): [True: 9.71k, False: 0] ------------------ 8335| 34.2k| while((opt_len > 0) && (j < options_len)) { ------------------ | Branch (8335:15): [True: 29.4k, False: 4.85k] | Branch (8335:32): [True: 24.6k, False: 4.83k] ------------------ 8336| 24.6k| rc = snprintf(&options_fp[options_fp_len], sizeof(options_fp)-options_fp_len, "%02x", options[j]); 8337| 24.6k| if((rc < 0) || ((int)(options_fp_len + rc) == sizeof(options_fp))) break; ------------------ | Branch (8337:7): [True: 0, False: 24.6k] | Branch (8337:19): [True: 24, False: 24.5k] ------------------ 8338| | 8339| 24.5k| options_fp_len += rc; 8340| 24.5k| j++, opt_len--; 8341| 24.5k| } 8342| 9.71k| } 8343| 9.71k| } 8344| | 8345| 14.7k| i += len; 8346| 14.7k| } else 8347| 15| break; 8348| 30.9k| } /* for */ 8349| | 8350| 6.36k| if((options_len == 4) && (tcp_mss > 0)) { ------------------ | Branch (8350:11): [True: 3.24k, False: 3.12k] | Branch (8350:33): [True: 17, False: 3.22k] ------------------ 8351| | /* 8352| | Not inherently malicious, but unusual for modern general-purpose OSes. 8353| | More suspicious if coming from a device that should support full TCP options (e.g., a Windows/Linux server). 8354| | Less suspicious if from an embedded device or legacy system. 8355| | 8356| | For this reason we ignore packets originating from private IP 8357| | that might be originated by outdated systems. 
8358| | */ 8359| 17| if(packet->iphv6 /* Modern IP stack */ ------------------ | Branch (8359:6): [True: 0, False: 17] ------------------ 8360| 17| || (packet->iph ------------------ | Branch (8360:10): [True: 17, False: 0] ------------------ 8361| 17| && ndpi_is_public_ipv4(ntohl(packet->iph->saddr)))) ------------------ | Branch (8361:13): [True: 9, False: 8] ------------------ 8362| 9| ndpi_set_risk(ndpi_str, flow, NDPI_MALICIOUS_FINGERPRINT, 8363| 9| "Unusual TCP fingerprint (scanner detected?)"); 8364| 17| } 8365| 6.36k| } 8366| | 8367| |#ifdef DEBUG_TCP_OPTIONS 8368| | printf("Raw Options Fingerprint: %s\n", options_fp); 8369| |#endif 8370| | 8371| 6.44k| switch(ndpi_str->cfg.tcp_fingerprint_format) { ------------------ | Branch (8371:13): [True: 6.44k, False: 0] ------------------ 8372| 6.44k| case NDPI_NATIVE_TCP_FINGERPRINT: ------------------ | Branch (8372:6): [True: 6.44k, False: 0] ------------------ 8373| 6.44k| ndpi_sha256((const u_char*)options_fp, options_fp_len, sha_hash); 8374| | 8375| 6.44k| snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, "%02x%02x%02x%02x%02x%02x", 8376| 6.44k| sha_hash[0], sha_hash[1], sha_hash[2], 8377| 6.44k| sha_hash[3], sha_hash[4], sha_hash[5]); 8378| 6.44k| break; 8379| | 8380| 0| case NDPI_MUONFP_TCP_FINGERPRINT: ------------------ | Branch (8380:6): [True: 0, False: 6.44k] ------------------ 8381| 0| if(fp_idx < sizeof(fingerprint)) { ------------------ | Branch (8381:11): [True: 0, False: 0] ------------------ 8382| 0| if(tcp_mss > 0) ------------------ | Branch (8382:6): [True: 0, False: 0] ------------------ 8383| 0| rc = snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, ":%u", tcp_mss); 8384| 0| else 8385| 0| rc = snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, ":"); 8386| | 8387| 0| if(rc > 0) { ------------------ | Branch (8387:6): [True: 0, False: 0] ------------------ 8388| 0| fp_idx += rc; 8389| | 8390| 0| if(fp_idx < sizeof(fingerprint)) { ------------------ | Branch (8390:8): 
[True: 0, False: 0] ------------------ 8391| 0| if(tcp_wscale > 0) ------------------ | Branch (8391:10): [True: 0, False: 0] ------------------ 8392| 0| rc = snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, ":%u", tcp_wscale); 8393| 0| else 8394| 0| rc = snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, ":"); 8395| | 8396| 0| if(rc > 0) ------------------ | Branch (8396:10): [True: 0, False: 0] ------------------ 8397| 0| fp_idx += rc; 8398| 0| } 8399| 0| } 8400| 0| } 8401| 0| break; 8402| 6.44k| } 8403| | 8404| 6.44k| flow->tcp.fingerprint = ndpi_strdup(fingerprint); 8405| | 8406| 6.44k| if(ndpi_str->cfg.tcp_fingerprint_raw_enabled && options_fp_len) ------------------ | Branch (8406:9): [True: 0, False: 6.44k] | Branch (8406:54): [True: 0, False: 0] ------------------ 8407| 0| flow->tcp.fingerprint_raw = ndpi_strdup(options_fp); 8408| | 8409| 6.44k| flow->tcp.os_hint = ndpi_get_os_from_tcp_fingerprint(ndpi_str, flow->tcp.fingerprint); 8410| 6.44k| } 8411| 10.5k| } 8412| 39.8k| } 8413| | 8414| 60.2k| packet->payload_packet_len = l4_packet_len - tcp_header_len; 8415| 60.2k| packet->payload = ((u_int8_t *) packet->tcp) + tcp_header_len; 8416| 60.2k| } else { 8417| | /* tcp header not complete */ 8418| 419| return(1); 8419| 419| } 8420| 60.7k| } else if(l4protocol == IPPROTO_UDP) { ------------------ | Branch (8420:13): [True: 16.1k, False: 2.39k] ------------------ 8421| 16.1k| if(l4_packet_len < 8 /* size of udp */) ------------------ | Branch (8421:8): [True: 1, False: 16.1k] ------------------ 8422| 1| return(1); 8423| 16.1k| packet->udp = (struct ndpi_udphdr *) l4ptr; 8424| 16.1k| packet->payload_packet_len = l4_packet_len - 8; 8425| 16.1k| packet->payload = ((u_int8_t *) packet->udp) + 8; 8426| 16.1k| } else if((l4protocol == IPPROTO_ICMP) || (l4protocol == IPPROTO_ICMPV6)) { ------------------ | Branch (8426:13): [True: 895, False: 1.50k] | Branch (8426:45): [True: 68, False: 1.43k] ------------------ 8427| 963| if((l4protocol == 
IPPROTO_ICMP && l4_packet_len < sizeof(struct ndpi_icmphdr)) || ------------------ | Branch (8427:9): [True: 895, False: 68] | Branch (8427:39): [True: 145, False: 750] ------------------ 8428| 818| (l4protocol == IPPROTO_ICMPV6 && l4_packet_len < sizeof(struct ndpi_icmp6hdr))) ------------------ | Branch (8428:9): [True: 68, False: 750] | Branch (8428:41): [True: 1, False: 67] ------------------ 8429| 146| return(1); 8430| 817| packet->payload = ((u_int8_t *) l4ptr); 8431| 817| packet->payload_packet_len = l4_packet_len; 8432| 1.43k| } else { 8433| 1.43k| packet->payload = ((u_int8_t *) l4ptr); 8434| 1.43k| packet->payload_packet_len = l4_packet_len; 8435| 1.43k| } 8436| | 8437| 78.7k| return(0); 8438| 79.3k|} ndpi_main.c:connection_tracking: 8555| 78.7k| struct ndpi_flow_struct *flow) { 8556| | /* const for gcc code optimization and cleaner code */ 8557| 78.7k| struct ndpi_packet_struct *packet = &ndpi_str->packet; 8558| 78.7k| const struct ndpi_iphdr *iph = packet->iph; 8559| 78.7k| const struct ndpi_ipv6hdr *iphv6 = packet->iphv6; 8560| 78.7k| const struct ndpi_tcphdr *tcph = packet->tcp; 8561| 78.7k| const struct ndpi_udphdr *udph = packet->udp; 8562| | 8563| 78.7k| if(ndpi_str->max_payload_track_len > 0 && packet->payload_packet_len > 0) { ------------------ | Branch (8563:6): [True: 0, False: 78.7k] | Branch (8563:45): [True: 0, False: 0] ------------------ 8564| | /* printf("LEN: %u [%s]\n", packet->payload_packet_len, packet->payload); */ 8565| | 8566| 0| if(flow->flow_payload == NULL) ------------------ | Branch (8566:8): [True: 0, False: 0] ------------------ 8567| 0| flow->flow_payload = (char*)ndpi_malloc(ndpi_str->max_payload_track_len + 1); 8568| | 8569| 0| if(flow->flow_payload != NULL) { ------------------ | Branch (8569:8): [True: 0, False: 0] ------------------ 8570| 0| u_int i; 8571| | 8572| 0| for(i=0; (ipayload_packet_len) ------------------ | Branch (8572:16): [True: 0, False: 0] ------------------ 8573| 0| && (flow->flow_payload_len < 
ndpi_str->max_payload_track_len); i++) { ------------------ | Branch (8573:9): [True: 0, False: 0] ------------------ 8574| 0| flow->flow_payload[flow->flow_payload_len++] = 8575| 0| (ndpi_isprint(packet->payload[i]) ------------------ | | 2529| 0|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 0, False: 0] | | | Branch (2529:43): [True: 0, False: 0] | | ------------------ ------------------ 8576| 0| || ndpi_isspace(packet->payload[i])) ? packet->payload[i] : '.'; ------------------ | | 2528| 0|#define ndpi_isspace(ch) (((ch) >= '\t' && (ch) <= '\r') || ((ch) == ' ')) | | ------------------ | | | Branch (2528:28): [True: 0, False: 0] | | | Branch (2528:44): [True: 0, False: 0] | | | Branch (2528:61): [True: 0, False: 0] | | ------------------ ------------------ 8577| 0| } 8578| 0| } 8579| 0| } 8580| | 8581| 78.7k| packet->tcp_retransmission = 0, packet->packet_direction = 0; 8582| | 8583| 78.7k| if(iph != NULL && ntohl(iph->saddr) < ntohl(iph->daddr)) ------------------ | Branch (8583:6): [True: 77.3k, False: 1.40k] | Branch (8583:21): [True: 27.9k, False: 49.3k] ------------------ 8584| 27.9k| packet->packet_direction = 1; 8585| | 8586| 78.7k| if((iphv6 != NULL) ------------------ | Branch (8586:6): [True: 1.40k, False: 77.3k] ------------------ 8587| 1.40k| && NDPI_COMPARE_IPV6_ADDRESS_STRUCTS(&iphv6->ip6_src, &iphv6->ip6_dst) != 0) ------------------ | | 102| 1.40k| ((x.u6_addr.u6_addr64[0] < y.u6_addr.u6_addr64[0]) || ((x.u6_addr.u6_addr64[0] == y.u6_addr.u6_addr64[0]) && (x.u6_addr.u6_addr64[1] < y.u6_addr.u6_addr64[1]))) | | ------------------ | | | Branch (102:4): [True: 1.40k, False: 0] | | | Branch (102:58): [True: 0, False: 0] | | | Branch (102:112): [True: 0, False: 0] | | ------------------ ------------------ | Branch (8587:9): [True: 1.40k, False: 0] ------------------ 8588| 1.40k| packet->packet_direction = 1; 8589| | 8590| 78.7k| flow->is_ipv6 = (packet->iphv6 != NULL); 8591| | 8592| 
78.7k| if(tcph != NULL) { ------------------ | Branch (8592:6): [True: 60.2k, False: 18.4k] ------------------ 8593| 60.2k| u_int8_t flags = ((u_int8_t*)tcph)[13]; 8594| 60.2k| u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR | TH_ACK; ------------------ | | 56| 60.2k|#define TH_SYN 0x02 ------------------ u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR | TH_ACK; ------------------ | | 61| 60.2k|#define TH_ECE 0x40 ------------------ u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR | TH_ACK; ------------------ | | 62| 60.2k|#define TH_CWR 0x80 ------------------ u_int16_t syn_mask = TH_SYN | TH_ECE | TH_CWR | TH_ACK; ------------------ | | 59| 60.2k|#define TH_ACK 0x10 ------------------ 8595| 60.2k| u_int8_t flags_3wh = flags & syn_mask; 8596| | 8597| 60.2k| if((flags_3wh & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) ------------------ | | 56| 60.2k|#define TH_SYN 0x02 ------------------ if((flags_3wh & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) ------------------ | | 59| 60.2k|#define TH_ACK 0x10 ------------------ if((flags_3wh & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) ------------------ | | 56| 60.2k|#define TH_SYN 0x02 ------------------ if((flags_3wh & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) ------------------ | | 59| 60.2k|#define TH_ACK 0x10 ------------------ | Branch (8597:8): [True: 3.56k, False: 56.7k] ------------------ 8598| 3.56k| flow->l4.tcp.three_way_handshake.syn_ack_time = packet->current_time_ms; 8599| 56.7k| else if((flags_3wh & TH_SYN) == TH_SYN) ------------------ | | 56| 56.7k|#define TH_SYN 0x02 ------------------ else if((flags_3wh & TH_SYN) == TH_SYN) ------------------ | | 56| 56.7k|#define TH_SYN 0x02 ------------------ | Branch (8599:13): [True: 15.9k, False: 40.8k] ------------------ 8600| 15.9k| flow->l4.tcp.three_way_handshake.syn_time = packet->current_time_ms; 8601| 40.8k| else if(((flags_3wh & TH_ACK) == TH_ACK) ------------------ | | 59| 40.8k|#define TH_ACK 0x10 ------------------ else if(((flags_3wh & TH_ACK) == TH_ACK) ------------------ | | 59| 
40.8k|#define TH_ACK 0x10 ------------------ | Branch (8601:13): [True: 36.4k, False: 4.33k] ------------------ 8602| 36.4k| && (flow->l4.tcp.three_way_handshake.ack_time == 0)) ------------------ | Branch (8602:9): [True: 14.6k, False: 21.8k] ------------------ 8603| 14.6k| flow->l4.tcp.three_way_handshake.ack_time = packet->current_time_ms; 8604| | 8605| 60.2k| if(flags == 0) ------------------ | Branch (8605:8): [True: 337, False: 59.9k] ------------------ 8606| 337| ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP NULL scan"); 8607| 59.9k| else if(flags == (TH_FIN | TH_PUSH | TH_URG)) ------------------ | | 55| 59.9k|#define TH_FIN 0x01 ------------------ else if(flags == (TH_FIN | TH_PUSH | TH_URG)) ------------------ | | 58| 59.9k|#define TH_PUSH 0x08 ------------------ else if(flags == (TH_FIN | TH_PUSH | TH_URG)) ------------------ | | 60| 59.9k|#define TH_URG 0x20 ------------------ | Branch (8607:13): [True: 6, False: 59.9k] ------------------ 8608| 6| ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP XMAS scan"); 8609| | 8610| 60.2k| if(tcph->source != tcph->dest) ------------------ | Branch (8610:8): [True: 59.4k, False: 872] ------------------ 8611| 59.4k| packet->packet_direction = (ntohs(tcph->source) < ntohs(tcph->dest)) ? 
1 : 0; ------------------ | Branch (8611:34): [True: 21.3k, False: 38.1k] ------------------ 8612| | 8613| 60.2k| if(packet->packet_direction == 0 /* cli -> srv */) { ------------------ | Branch (8613:8): [True: 38.9k, False: 21.3k] ------------------ 8614| 38.9k| if(flags == TH_FIN) ------------------ | | 55| 38.9k|#define TH_FIN 0x01 ------------------ | Branch (8614:10): [True: 74, False: 38.8k] ------------------ 8615| 74| ndpi_set_risk(ndpi_str, flow, NDPI_TCP_ISSUES, "TCP FIN scan"); 8616| | 8617| 38.9k| flow->l4.tcp.cli2srv_tcp_flags |= flags; 8618| 38.9k| } else 8619| 21.3k| flow->l4.tcp.srv2cli_tcp_flags |= flags; 8620| | 8621| 60.2k| if((ndpi_str->input_info == NULL) ------------------ | Branch (8621:8): [True: 0, False: 60.2k] ------------------ 8622| 60.2k| || ndpi_str->input_info->seen_flow_beginning == NDPI_FLOW_BEGINNING_UNKNOWN) { ------------------ | | 654| 60.2k|#define NDPI_FLOW_BEGINNING_UNKNOWN 0 /**< The application doesn't provide this kind of information */ ------------------ | Branch (8622:11): [True: 60.2k, False: 0] ------------------ 8623| 60.2k| if(tcph->syn != 0 && tcph->ack == 0 && flow->l4.tcp.seen_syn == 0 ------------------ | Branch (8623:10): [True: 19.4k, False: 40.8k] | Branch (8623:28): [True: 15.9k, False: 3.56k] | Branch (8623:46): [True: 7.25k, False: 8.66k] ------------------ 8624| 7.25k| && flow->l4.tcp.seen_syn_ack == 0 && ------------------ | Branch (8624:6): [True: 7.25k, False: 0] ------------------ 8625| 7.25k| flow->l4.tcp.seen_ack == 0) { ------------------ | Branch (8625:3): [True: 7.25k, False: 0] ------------------ 8626| 7.25k| flow->l4.tcp.seen_syn = 1; 8627| 53.0k| } else { 8628| 53.0k| if(tcph->syn != 0 && tcph->ack != 0 && flow->l4.tcp.seen_syn == 1 ------------------ | Branch (8628:5): [True: 12.2k, False: 40.8k] | Branch (8628:23): [True: 3.56k, False: 8.66k] | Branch (8628:41): [True: 2.10k, False: 1.46k] ------------------ 8629| 2.10k| && flow->l4.tcp.seen_syn_ack == 0 && ------------------ | Branch 
(8629:8): [True: 1.86k, False: 238] ------------------ 8630| 1.86k| flow->l4.tcp.seen_ack == 0) { ------------------ | Branch (8630:5): [True: 1.86k, False: 0] ------------------ 8631| 1.86k| flow->l4.tcp.seen_syn_ack = 1; 8632| 51.1k| } else { 8633| 51.1k| if(tcph->syn == 0 && tcph->ack == 1 && flow->l4.tcp.seen_syn == 1 && flow->l4.tcp.seen_syn_ack == 1 && ------------------ | Branch (8633:7): [True: 40.8k, False: 10.3k] | Branch (8633:25): [True: 36.4k, False: 4.33k] | Branch (8633:43): [True: 12.9k, False: 23.5k] | Branch (8633:73): [True: 10.9k, False: 2.01k] ------------------ 8634| 10.9k| flow->l4.tcp.seen_ack == 0) { ------------------ | Branch (8634:7): [True: 1.81k, False: 9.11k] ------------------ 8635| 1.81k| flow->l4.tcp.seen_ack = 1; 8636| 1.81k| } 8637| 51.1k| } 8638| 53.0k| } 8639| 60.2k| } 8640| | 8641| 60.2k| if(ndpi_str->cfg.tcp_ack_paylod_heuristic && tcp_ack_padding(packet)) { ------------------ | Branch (8641:8): [True: 0, False: 60.2k] | Branch (8641:50): [True: 0, False: 0] ------------------ 8642| 0| NDPI_LOG_DBG2(ndpi_str, "TCP ACK with zero padding. Ignoring\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 8643| 0| packet->tcp_retransmission = 1; 8644| 60.2k| } else if(flow->l4.tcp.next_tcp_seq_nr[0] == 0 || flow->l4.tcp.next_tcp_seq_nr[1] == 0 || ------------------ | Branch (8644:15): [True: 32.2k, False: 28.0k] | Branch (8644:55): [True: 4.12k, False: 23.8k] ------------------ 8645| 37.4k| tcph->syn) { ------------------ | Branch (8645:8): [True: 1.03k, False: 22.8k] ------------------ 8646| | /* Initialize tcp sequence counters */ 8647| | /* If we receive multiple syn(-ack), keep the last one */ 8648| 37.4k| flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] = 8649| 37.4k| ntohl(tcph->seq) + (tcph->syn ? 
1 : packet->payload_packet_len); ------------------ | Branch (8649:24): [True: 19.4k, False: 17.9k] ------------------ 8650| | 8651| | /* 8652| | Check to avoid discrepancies in case we analyze a flow that does not start with SYN... 8653| | but that is already started when nDPI being to process it. See also (***) below 8654| | */ 8655| 37.4k| if(tcph->ack != 0) ------------------ | Branch (8655:10): [True: 17.6k, False: 19.7k] ------------------ 8656| 17.6k| flow->l4.tcp.next_tcp_seq_nr[1 - packet->packet_direction] = ntohl(tcph->ack_seq); 8657| 37.4k| } else if(packet->payload_packet_len > 0) { ------------------ | Branch (8657:15): [True: 12.8k, False: 9.99k] ------------------ 8658| | /* check tcp sequence counters */ 8659| 12.8k| if(((u_int32_t)(ntohl(tcph->seq) - flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction])) > ------------------ | Branch (8659:10): [True: 2.82k, False: 10.0k] ------------------ 8660| 12.8k| ndpi_str->tcp_max_retransmission_window_size) { 8661| 2.82k| if(flow->l4.tcp.last_tcp_pkt_payload_len > 0) { ------------------ | Branch (8661:5): [True: 2.07k, False: 747] ------------------ 8662| 2.07k| NDPI_LOG_DBG2(ndpi_str, "TCP Retransmission\n"); ------------------ | | 597| 2.07k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 8663| 2.07k| packet->tcp_retransmission = 1; 8664| 2.07k| } 8665| | 8666| 2.82k| if((flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] - ntohl(tcph->seq) < ------------------ | Branch (8666:5): [True: 66, False: 2.75k] ------------------ 8667| 2.82k| packet->payload_packet_len)) { 8668| 66| if(flow->num_processed_pkts > 1) /* See also (***) above */ ------------------ | Branch (8668:7): [True: 66, False: 0] ------------------ 8669| 66| flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len; 8670| 66| } 8671| 2.82k| } 8672| 10.0k| else { 8673| 10.0k| flow->l4.tcp.next_tcp_seq_nr[packet->packet_direction] = ntohl(tcph->seq) + packet->payload_packet_len; 8674| 10.0k| } 8675| 12.8k| } 8676| | 8677| 60.2k| if(tcph->rst) { ------------------ | Branch (8677:8): [True: 16.8k, False: 43.4k] ------------------ 8678| 16.8k| flow->l4.tcp.next_tcp_seq_nr[0] = 0; 8679| 16.8k| flow->l4.tcp.next_tcp_seq_nr[1] = 0; 8680| 16.8k| } 8681| | 8682| 60.2k| flow->l4.tcp.last_tcp_pkt_payload_len = packet->payload_packet_len; 8683| 60.2k| } else if(udph != NULL) { ------------------ | Branch (8683:13): [True: 16.1k, False: 2.25k] ------------------ 8684| 16.1k| if(udph->source != udph->dest) ------------------ | Branch (8684:8): [True: 14.2k, False: 1.96k] ------------------ 8685| 14.2k| packet->packet_direction = (htons(udph->source) < htons(udph->dest)) ? 
1 : 0; ------------------ | Branch (8685:34): [True: 5.08k, False: 9.14k] ------------------ 8686| 16.1k| } 8687| | 8688| 78.7k| if(flow->init_finished == 0) { ------------------ | Branch (8688:6): [True: 34.9k, False: 43.7k] ------------------ 8689| 34.9k| u_int16_t s_port = 0, d_port = 0; /* Source/Dest ports */ 8690| | 8691| 34.9k| flow->init_finished = 1; 8692| | 8693| 34.9k| if(tcph != NULL) { ------------------ | Branch (8693:8): [True: 21.5k, False: 13.4k] ------------------ 8694| 21.5k| if(ndpi_str->input_info && ------------------ | Branch (8694:10): [True: 21.5k, False: 0] ------------------ 8695| 21.5k| ndpi_str->input_info->seen_flow_beginning == NDPI_FLOW_BEGINNING_SEEN) { ------------------ | | 655| 21.5k|#define NDPI_FLOW_BEGINNING_SEEN 1 /**< The application informs the library that the TCP handshake has been seen (even if its packets might not have been passed to the library) */ ------------------ | Branch (8695:3): [True: 0, False: 21.5k] ------------------ 8696| 0| flow->l4.tcp.seen_syn = 1; 8697| 0| flow->l4.tcp.seen_syn_ack = 1; 8698| 0| flow->l4.tcp.seen_ack = 1; 8699| 0| } 8700| | 8701| 21.5k| s_port = tcph->source, d_port = tcph->dest; 8702| 21.5k| } else if(udph != NULL) { ------------------ | Branch (8702:15): [True: 11.4k, False: 1.99k] ------------------ 8703| 11.4k| s_port = udph->source; 8704| 11.4k| d_port = udph->dest; 8705| 11.4k| } 8706| | 8707| | /* Client/Server direction */ 8708| | 8709| 34.9k| if(ndpi_str->input_info && ------------------ | Branch (8709:8): [True: 34.9k, False: 0] ------------------ 8710| 34.9k| ndpi_str->input_info->in_pkt_dir != NDPI_IN_PKT_DIR_UNKNOWN) { ------------------ | | 645| 34.9k|#define NDPI_IN_PKT_DIR_UNKNOWN 0 /**< The application doesn't provide this kind of information */ ------------------ | Branch (8710:8): [True: 0, False: 34.9k] ------------------ 8711| 0| if(ndpi_str->input_info->in_pkt_dir == NDPI_IN_PKT_DIR_C_TO_S) ------------------ | | 646| 0|#define NDPI_IN_PKT_DIR_C_TO_S 1 /**< 
Current packet is from client to server */ ------------------ | Branch (8711:10): [True: 0, False: 0] ------------------ 8712| 0| flow->client_packet_direction = packet->packet_direction; 8713| 0| else 8714| 0| flow->client_packet_direction = !packet->packet_direction; 8715| 34.9k| } else { 8716| 34.9k| if(tcph && tcph->syn) { ------------------ | Branch (8716:10): [True: 21.5k, False: 13.4k] | Branch (8716:18): [True: 8.19k, False: 13.3k] ------------------ 8717| 8.19k| if(tcph->ack == 0) { ------------------ | Branch (8717:5): [True: 6.91k, False: 1.28k] ------------------ 8718| 6.91k| flow->client_packet_direction = packet->packet_direction; 8719| 6.91k| } else { 8720| 1.28k| flow->client_packet_direction = !packet->packet_direction; 8721| 1.28k| } 8722| 26.7k| } else if(ntohs(s_port) > 1024 && ntohs(d_port) < 1024) { ------------------ | Branch (8722:17): [True: 20.5k, False: 6.16k] | Branch (8722:41): [True: 7.38k, False: 13.2k] ------------------ 8723| 7.38k| flow->client_packet_direction = packet->packet_direction; 8724| 19.3k| } else if(ntohs(s_port) < 1024 && ntohs(d_port) > 1024) { ------------------ | Branch (8724:17): [True: 6.15k, False: 13.2k] | Branch (8724:41): [True: 2.51k, False: 3.64k] ------------------ 8725| 2.51k| flow->client_packet_direction = !packet->packet_direction; 8726| 16.8k| } else { 8727| 16.8k| flow->client_packet_direction = packet->packet_direction; 8728| 16.8k| } 8729| 34.9k| } 8730| | 8731| 34.9k| if(current_pkt_from_client_to_server(ndpi_str, flow)) { ------------------ | Branch (8731:8): [True: 31.1k, False: 3.79k] ------------------ 8732| 31.1k| if(flow->is_ipv6 == 0) { ------------------ | Branch (8732:10): [True: 30.0k, False: 1.05k] ------------------ 8733| 30.0k| flow->c_address.v4 = packet->iph->saddr; 8734| 30.0k| flow->s_address.v4 = packet->iph->daddr; 8735| 30.0k| } else { 8736| 1.05k| memcpy(flow->c_address.v6, &packet->iphv6->ip6_src, 16); 8737| 1.05k| memcpy(flow->s_address.v6, &packet->iphv6->ip6_dst, 16); 8738| 
1.05k| } 8739| | 8740| 31.1k| flow->c_port = s_port; 8741| 31.1k| flow->s_port = d_port; 8742| 31.1k| } else { 8743| 3.79k| if(flow->is_ipv6 == 0) { ------------------ | Branch (8743:10): [True: 3.72k, False: 62] ------------------ 8744| 3.72k| flow->c_address.v4 = packet->iph->daddr; 8745| 3.72k| flow->s_address.v4 = packet->iph->saddr; 8746| 3.72k| } else { 8747| 62| memcpy(flow->c_address.v6, &packet->iphv6->ip6_dst, 16); 8748| 62| memcpy(flow->s_address.v6, &packet->iphv6->ip6_src, 16); 8749| 62| } 8750| | 8751| 3.79k| flow->c_port = d_port; 8752| 3.79k| flow->s_port = s_port; 8753| 3.79k| } 8754| 34.9k| } 8755| | 8756| 78.7k| if(flow->packet_counter < MAX_PACKET_COUNTER && packet->payload_packet_len) { ------------------ | | 525| 157k|#define MAX_PACKET_COUNTER 65000 ------------------ | Branch (8756:6): [True: 78.7k, False: 0] | Branch (8756:51): [True: 60.8k, False: 17.8k] ------------------ 8757| 60.8k| flow->packet_counter++; 8758| 60.8k| } 8759| | 8760| 78.7k| if(flow->all_packets_counter < MAX_PACKET_COUNTER) ------------------ | | 525| 78.7k|#define MAX_PACKET_COUNTER 65000 ------------------ | Branch (8760:6): [True: 78.7k, False: 0] ------------------ 8761| 78.7k| flow->all_packets_counter++; 8762| | 8763| 78.7k| if((flow->packet_direction_counter[packet->packet_direction] < MAX_PACKET_COUNTER) ------------------ | | 525| 78.7k|#define MAX_PACKET_COUNTER 65000 ------------------ | Branch (8763:6): [True: 78.7k, False: 0] ------------------ 8764| 78.7k| && packet->payload_packet_len) { ------------------ | Branch (8764:9): [True: 60.8k, False: 17.8k] ------------------ 8765| 60.8k| flow->packet_direction_counter[packet->packet_direction]++; 8766| 60.8k| } 8767| | 8768| 78.7k| if(flow->packet_direction_complete_counter[packet->packet_direction] < MAX_PACKET_COUNTER) { ------------------ | | 525| 78.7k|#define MAX_PACKET_COUNTER 65000 ------------------ | Branch (8768:6): [True: 78.7k, False: 0] ------------------ 8769| 78.7k| 
flow->packet_direction_complete_counter[packet->packet_direction]++; 8770| 78.7k| } 8771| | 8772| 78.7k| if(ndpi_str->input_info && ------------------ | Branch (8772:6): [True: 78.7k, False: 0] ------------------ 8773| 78.7k| ndpi_str->input_info->in_pkt_dir == NDPI_IN_PKT_DIR_UNKNOWN) { ------------------ | | 645| 78.7k|#define NDPI_IN_PKT_DIR_UNKNOWN 0 /**< The application doesn't provide this kind of information */ ------------------ | Branch (8773:6): [True: 78.7k, False: 0] ------------------ 8774| 78.7k| if(current_pkt_from_client_to_server(ndpi_str, flow)) ------------------ | Branch (8774:8): [True: 58.9k, False: 19.7k] ------------------ 8775| 58.9k| ndpi_str->input_info->in_pkt_dir = NDPI_IN_PKT_DIR_C_TO_S; ------------------ | | 646| 58.9k|#define NDPI_IN_PKT_DIR_C_TO_S 1 /**< Current packet is from client to server */ ------------------ 8776| 19.7k| else 8777| 19.7k| ndpi_str->input_info->in_pkt_dir = NDPI_IN_PKT_DIR_S_TO_C; ------------------ | | 647| 19.7k|#define NDPI_IN_PKT_DIR_S_TO_C 2 /**< Current packet is from server to client */ ------------------ 8778| 78.7k| } 8779| | 8780| 78.7k| flow->last_packet_time_ms = packet->current_time_ms; 8781| 78.7k|} ndpi_main.c:process_extra_packet: 9723| 11.8k| struct ndpi_flow_struct *flow) { 9724| 11.8k| struct ndpi_packet_struct *packet = &ndpi_str->packet; 9725| | 9726| | /* Workaround: safety check to skip non TCP/UDP packets sent to extra dissectors (see #2762) */ 9727| 11.8k| if(((packet->udp != NULL) || (packet->tcp != NULL))) { ------------------ | Branch (9727:7): [True: 3.81k, False: 8.00k] | Branch (9727:32): [True: 8.00k, False: 0] ------------------ 9728| 11.8k| if((flow->extra_packets_func(ndpi_str, flow) == 0) || ------------------ | Branch (9728:8): [True: 2.69k, False: 9.13k] ------------------ 9729| 9.13k| (flow->state != NDPI_STATE_MONITORING && ++flow->num_extra_packets_checked == flow->max_extra_packets_to_check)) { ------------------ | Branch (9729:9): [True: 9.13k, False: 0] | Branch 
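(9729:49): [True: 215, False: 8.91k] ------------------ 9730| | flow->extra_packets_func = NULL; /* Done */ 9731| 2.90k| } 9732| 11.8k| } 9733| 11.8k|} ndpi_main.c:do_guess:
/*
 * Seed the flow's "guessed" fields (by port, by IP, by category) and give
 * custom rules the chance to classify the flow outright.
 *
 * ndpi_str: detection module; its current packet (ndpi_str->packet) is only
 *           used to choose between the IPv4 and the IPv6 category lookup.
 * flow:     flow whose guessed_* fields are written. c_port/s_port are passed
 *           through ntohs(), i.e. they are expected in network byte order.
 *
 * Returns -1 when a custom rule matched (the detected protocol has then been
 * set with NDPI_CONFIDENCE_CUSTOM_RULE), 0 otherwise.
 */
static int do_guess(struct ndpi_detection_module_struct *ndpi_str, struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &ndpi_str->packet;
  /* Both locals are filled in by callees through pointers. They start from a
     defined value so that nothing indeterminate is read below if a callee
     leaves a member untouched (NOTE(review): callee behaviour not visible here). */
  u_int8_t user_defined_proto = 0;
  ndpi_protocol ret;

  memset(&ret, 0, sizeof(ret));
  ret.proto.master_protocol = flow->detected_protocol_stack[1];
  ret.proto.app_protocol = flow->detected_protocol_stack[0];
  ret.category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED;

  /* guess protocol */
  flow->guessed_protocol_id = (int16_t) guess_protocol_id(ndpi_str, flow->l4_proto,
							  ntohs(flow->c_port), ntohs(flow->s_port),
							  &user_defined_proto);
  flow->guessed_protocol_id_by_ip = ndpi_guess_host_protocol_id(ndpi_str, flow);
  flow->fast_callback_protocol_id = NDPI_PROTOCOL_UNKNOWN;

  if(ndpi_str->custom_categories.categories_loaded) {
    /* NOTE(review): a packet without an IPv4 header is treated as IPv6 here;
       confirm that callers never reach this point with neither header set. */
    if(packet->iph)
      ndpi_fill_ip_protocol_category(ndpi_str, flow, flow->c_address.v4, flow->s_address.v4, &ret);
    else
      ndpi_fill_ipv6_protocol_category(ndpi_str, flow, (struct in6_addr *)flow->c_address.v6,
				       (struct in6_addr *)flow->s_address.v6, &ret);

    flow->guessed_header_category = ret.category;
    flow->custom_category_userdata = ret.custom_category_userdata;
  } else {
    flow->guessed_header_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED;
  }

  if(ndpi_is_custom_protocol(ndpi_str, flow->guessed_protocol_id)) {
    /* This is a custom protocol and it has priority over everything else */
    ndpi_set_detected_protocol(ndpi_str, flow,
			       flow->guessed_protocol_id,
			       NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_CUSTOM_RULE);
    return(-1);
  }

  if(user_defined_proto && flow->guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
    /* This is a custom protocol/range and it has priority over everything else */
    ndpi_set_detected_protocol(ndpi_str, flow,
			       flow->guessed_protocol_id,
			       NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_CUSTOM_RULE);
    return(-1);
  }

  if(ndpi_is_custom_protocol(ndpi_str, flow->guessed_protocol_id_by_ip)) {
    /* This is a custom protocol and it has priority over everything else */
    ndpi_set_detected_protocol(ndpi_str, flow,
			       flow->guessed_protocol_id_by_ip,
			       flow->guessed_protocol_id,
			       NDPI_CONFIDENCE_CUSTOM_RULE);
    return(-1);
  }

  return(0);
}
ndpi_main.c:fpc_check_eval: 10263| 34.9k|{ 10264| 34.9k| u_int16_t fpc_dns_cached_proto; 10265| | 10266| 34.9k| if(!ndpi_str->cfg.fpc_enabled) ------------------ | Branch (10266:6): [True: 0, False: 34.9k] ------------------ 10267| 0| return; 10268| | 10269| | /* Order by most reliable logic */ 10270| | 10271| | /* Custom rules on first packet */ 10272| 34.9k| if(flow->confidence == NDPI_CONFIDENCE_CUSTOM_RULE) { ------------------ | Branch (10272:6): [True: 0, False: 34.9k] ------------------ 10273| 0| fpc_update(ndpi_str, flow, flow->detected_protocol_stack[1], 10274| 0| flow->detected_protocol_stack[0], NDPI_FPC_CONFIDENCE_CUSTOM_RULE); 10275| 0| return; 10276| 0| } 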
10277| | 10278| | /* DPI */ 10279| 34.9k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (10279:6): [True: 14.3k, False: 20.5k] ------------------ 10280| 14.3k| fpc_update(ndpi_str, flow, flow->detected_protocol_stack[1], 10281| 14.3k| flow->detected_protocol_stack[0], NDPI_FPC_CONFIDENCE_DPI); 10282| 14.3k| return; 10283| 14.3k| } 10284| | 10285| | /* Check via fpc DNS cache */ 10286| 20.5k| if(ndpi_str->fpc_dns_cache && ------------------ | Branch (10286:6): [True: 18.2k, False: 2.32k] ------------------ 10287| 18.2k| ndpi_lru_find_cache(ndpi_str->fpc_dns_cache, fpc_dns_cache_key_from_flow(flow), ------------------ | Branch (10287:6): [True: 31, False: 18.2k] ------------------ 10288| 18.2k| &fpc_dns_cached_proto, 0 /* Don't remove it as it can be used for other connections */, 10289| 18.2k| ndpi_get_current_time(flow))) { 10290| 31| fpc_update(ndpi_str, flow, NDPI_PROTOCOL_UNKNOWN, 10291| 31| fpc_dns_cached_proto, NDPI_FPC_CONFIDENCE_DNS); 10292| 31| return; 10293| 31| } 10294| | 10295| | /* Check via IP */ 10296| 20.5k| if(flow->guessed_protocol_id_by_ip != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (10296:6): [True: 6.31k, False: 14.2k] ------------------ 10297| 6.31k| fpc_update(ndpi_str, flow, NDPI_PROTOCOL_UNKNOWN, 10298| 6.31k| flow->guessed_protocol_id_by_ip, NDPI_FPC_CONFIDENCE_IP); 10299| 6.31k| return; 10300| 6.31k| } 10301| 20.5k|} ndpi_main.c:fpc_update: 10248| 20.7k|{ 10249| 20.7k| NDPI_LOG_DBG(ndpi_str, "FPC %d.%d/%s -> %d.%d/%s\n", ------------------ | | 596| 20.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 10250| 20.7k| flow->fpc.proto.master_protocol, flow->fpc.proto.app_protocol, 10251| 20.7k| ndpi_fpc_confidence_get_name(flow->fpc.confidence), 10252| 20.7k| fpc_master, fpc_app, 10253| 20.7k| ndpi_fpc_confidence_get_name(fpc_confidence)); 10254| 20.7k| flow->fpc.proto.master_protocol = fpc_master; 10255| 20.7k| flow->fpc.proto.app_protocol = fpc_app; 10256| 20.7k| flow->fpc.confidence = fpc_confidence; 10257| 20.7k|} ndpi_main.c:ndpi_check_flow_func: 8921| 66.8k| NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) { 8922| 66.8k| if(ndpi_str->packet.tcp != NULL) ------------------ | Branch (8922:6): [True: 52.2k, False: 14.6k] ------------------ 8923| 52.2k| return(check_ndpi_tcp_flow_func(ndpi_str, flow, ndpi_selection_packet)); 8924| 14.6k| else if(ndpi_str->packet.udp != NULL) ------------------ | Branch (8924:11): [True: 12.3k, False: 2.25k] ------------------ 8925| 12.3k| return(check_ndpi_udp_flow_func(ndpi_str, flow, ndpi_selection_packet)); 8926| 2.25k| else 8927| 2.25k| return(check_ndpi_other_flow_func(ndpi_str, flow, ndpi_selection_packet)); 8928| 66.8k|} ndpi_main.c:check_ndpi_tcp_flow_func: 8904| 52.2k|{ 8905| 52.2k| if(ndpi_str->packet.payload_packet_len != 0) { ------------------ | Branch (8905:6): [True: 37.8k, False: 14.4k] ------------------ 8906| 37.8k| return check_ndpi_detection_func(ndpi_str, flow, *ndpi_selection_packet, 8907| 37.8k| ndpi_str->callback_buffer_tcp_payload, 8908| 37.8k| ndpi_str->callback_buffer_size_tcp_payload); 8909| 37.8k| } else { 8910| | /* no payload */ 8911| 14.4k| return check_ndpi_detection_func(ndpi_str, flow, *ndpi_selection_packet, 8912| 14.4k| ndpi_str->callback_buffer_tcp_no_payload, 8913| 14.4k| ndpi_str->callback_buffer_size_tcp_no_payload); 8914| 14.4k| } 8915| 52.2k|} ndpi_main.c:check_ndpi_udp_flow_func: 8893| 12.3k| NDPI_SELECTION_BITMASK_PROTOCOL_SIZE *ndpi_selection_packet) { 8894| 12.3k| return check_ndpi_detection_func(ndpi_str, flow, 
*ndpi_selection_packet, 8895| 12.3k| ndpi_str->callback_buffer_udp, 8896| 12.3k| ndpi_str->callback_buffer_size_udp); 8897| 12.3k|} ndpi_main.c:ndpi_search_portable_executable: 10137| 28.4k| struct ndpi_flow_struct *flow) { 10138| 28.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 10139| 28.4k| static const uint16_t dos_signature = 0x4d5a; /* MZ */ 10140| 28.4k| static const uint32_t pe_signature = 0x50450000; /* PE */ 10141| | 10142| 28.4k| NDPI_LOG_DBG(ndpi_struct, "search Portable Executable (PE) file\n"); ------------------ | | 596| 28.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 10143| | 10144| 28.4k| if (packet->payload_packet_len < 0x3C /* offset to PE header */ + 4) ------------------ | Branch (10144:7): [True: 20.5k, False: 7.91k] ------------------ 10145| 20.5k| return; 10146| | 10147| 7.91k| if (ntohs(get_u_int16_t(packet->payload, 0)) != dos_signature) ------------------ | Branch (10147:7): [True: 7.91k, False: 0] ------------------ 10148| 7.91k| return; 10149| | 10150| 0| uint32_t const pe_offset = le32toh(get_u_int32_t(packet->payload, 0x3C)); 10151| 0| if ((u_int32_t)(packet->payload_packet_len - 4) <= pe_offset || ------------------ | Branch (10151:7): [True: 0, False: 0] ------------------ 10152| 0| be32toh(get_u_int32_t(packet->payload, pe_offset)) != pe_signature) ------------------ | Branch (10152:7): [True: 0, False: 0] ------------------ 10153| 0| return; 10154| | 10155| 0| NDPI_LOG_INFO(ndpi_struct, "found Portable Executable (PE) file\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 10156| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, "Portable Executable (PE32/PE32+) found"); 10157| 0|} ndpi_main.c:ndpi_search_elf: 10113| 28.4k|{ 10114| 28.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 10115| 28.4k| static const uint32_t elf_signature = 0x7f454c46; /* [DEL]ELF */ 10116| 28.4k| static const uint32_t max_version = 6; 10117| | 10118| 28.4k| NDPI_LOG_DBG(ndpi_struct, "search ELF file\n"); ------------------ | | 596| 28.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 10119| | 10120| 28.4k| if (packet->payload_packet_len < 24) ------------------ | Branch (10120:7): [True: 10.3k, False: 18.1k] ------------------ 10121| 10.3k| return; 10122| | 10123| 18.1k| if (ntohl(get_u_int32_t(packet->payload, 0)) != elf_signature) ------------------ | Branch (10123:7): [True: 18.1k, False: 0] ------------------ 10124| 18.1k| return; 10125| | 10126| 0| if (le32toh(get_u_int32_t(packet->payload, 20)) > max_version) ------------------ | Branch (10126:7): [True: 0, False: 0] ------------------ 10127| 0| return; 10128| | 10129| 0| NDPI_LOG_INFO(ndpi_struct, "found ELF file\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 10130| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER, "ELF found"); 10131| 0|} ndpi_main.c:ndpi_search_shellscript: 10091| 28.4k| struct ndpi_flow_struct *flow) { 10092| 28.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 10093| | 10094| 28.4k| NDPI_LOG_DBG(ndpi_struct, "search Shellscript\n"); ------------------ | | 596| 28.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 10095| | 10096| 28.4k| if (packet->payload_packet_len < 3) ------------------ | Branch (10096:7): [True: 120, False: 28.3k] ------------------ 10097| 120| return; 10098| | 10099| 28.3k| if (packet->payload[0] != '#' || ------------------ | Branch (10099:7): [True: 28.3k, False: 3] ------------------ 10100| 3| packet->payload[1] != '!' || ------------------ | Branch (10100:7): [True: 2, False: 1] ------------------ 10101| 1| (packet->payload[2] != '/' && packet->payload[2] != ' ')) ------------------ | Branch (10101:8): [True: 1, False: 0] | Branch (10101:37): [True: 1, False: 0] ------------------ 10102| 28.3k| return; 10103| | 10104| 0| NDPI_LOG_INFO(ndpi_struct, "found Shellscript\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 10105| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Shellscript found"); 10106| 0|} ndpi_main.c:ndpi_reset_packet_line_info:
/*
 * Forget everything recorded about the lines of the current packet: the two
 * line-parsing fields go back to 0 and every header slot is set to
 * (ptr = NULL, len = 0).
 *
 * NOTE(review): the slots presumably point into the packet being parsed, so
 * clearing them keeps a later packet from reading pointers left behind by an
 * earlier one - confirm against the callers.
 */
static void ndpi_reset_packet_line_info(struct ndpi_packet_struct *packet) {
  /* Line-parsing state */
  packet->parsed_lines = 0;
  packet->empty_line_position_set = 0;

  /* HTTP header slots */
  packet->host_line.ptr = NULL;
  packet->host_line.len = 0;
  packet->referer_line.ptr = NULL;
  packet->referer_line.len = 0;
  packet->authorization_line.ptr = NULL;
  packet->authorization_line.len = 0;
  packet->content_line.ptr = NULL;
  packet->content_line.len = 0;
  packet->accept_line.ptr = NULL;
  packet->accept_line.len = 0;
  packet->user_agent_line.ptr = NULL;
  packet->user_agent_line.len = 0;
  packet->http_url_name.ptr = NULL;
  packet->http_url_name.len = 0;
  packet->content_disposition_line.ptr = NULL;
  packet->content_disposition_line.len = 0;
  packet->http_origin.ptr = NULL;
  packet->http_origin.len = 0;
  packet->server_line.ptr = NULL;
  packet->server_line.len = 0;
  packet->http_method.ptr = NULL;
  packet->http_method.len = 0;
  packet->http_response.ptr = NULL;
  packet->http_response.len = 0;
  packet->forwarded_line.ptr = NULL;
  packet->forwarded_line.len = 0;
  packet->upgrade_line.ptr = NULL;
  packet->upgrade_line.len = 0;

  /* Slots matched against the UPnP-style header names (BOOTID.UPNP.ORG, USN, ...) */
  packet->bootid.ptr = NULL;
  packet->bootid.len = 0;
  packet->usn.ptr = NULL;
  packet->usn.len = 0;
  packet->cache_controle.ptr = NULL;
  packet->cache_controle.len = 0;
  packet->location.ptr = NULL;
  packet->location.len = 0;
  packet->securelocation_upnp.ptr = NULL;
  packet->securelocation_upnp.len = 0;
  packet->nt.ptr = NULL;
  packet->nt.len = 0;
  packet->nts.ptr = NULL;
  packet->nts.len = 0;
  packet->man.ptr = NULL;
  packet->man.len = 0;
  packet->mx.ptr = NULL;
  packet->mx.len = 0;
  packet->st.ptr = NULL;
  packet->st.len = 0;
}
ndpi_main.c:parse_single_packet_line: 10873| 37.8k|static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_str) { 10874| 37.8k| struct ndpi_packet_struct *packet = &ndpi_str->packet; 10875| 37.8k| struct ndpi_int_one_line_struct *line; 10876| 37.8k| size_t length; 10877| 37.8k| struct header_line *hs = NULL; 10878| 37.8k| struct header_line *h; 10879| | /* Some bogus response doesn't have the space after ":". Skip leading spaces later... 
*/ 10880| 37.8k| struct header_line headers_a[] = { { "Accept:", &packet->accept_line }, 10881| 37.8k| { "Authorization:", &packet->authorization_line }, 10882| 37.8k| { NULL, NULL} }; 10883| 37.8k| struct header_line headers_b[] = { { "BOOTID.UPNP.ORG:", &packet->bootid}, 10884| 37.8k| { NULL, NULL} }; 10885| 37.8k| struct header_line headers_u[] = { { "User-agent:", &packet->user_agent_line }, 10886| 37.8k| { "Upgrade:", &packet->upgrade_line }, 10887| 37.8k| { "USN:", &packet->usn }, 10888| 37.8k| { NULL, NULL} }; 10889| 37.8k| struct header_line headers_c[] = { { "Content-Disposition:", &packet->content_disposition_line }, 10890| 37.8k| { "Content-type:", &packet->content_line }, 10891| 37.8k| { "CACHE-CONTROL:", &packet->cache_controle}, 10892| 37.8k| { NULL, NULL} }; 10893| 37.8k| struct header_line headers_o[] = { { "Origin:", &packet->http_origin }, 10894| 37.8k| { NULL, NULL} }; 10895| 37.8k| struct header_line headers_h[] = { { "Host:", &packet->host_line }, 10896| 37.8k| { NULL, NULL} }; 10897| 37.8k| struct header_line headers_x[] = { { "X-Forwarded-For:", &packet->forwarded_line }, 10898| 37.8k| { NULL, NULL} }; 10899| 37.8k| struct header_line headers_r[] = { { "Referer:", &packet->referer_line }, 10900| 37.8k| { NULL, NULL} }; 10901| 37.8k| struct header_line headers_s[] = { { "Server:", &packet->server_line }, 10902| 37.8k| { "SECURELOCATION.UPNP.ORG:", &packet->securelocation_upnp }, 10903| 37.8k| { "ST:", &packet->st }, 10904| 37.8k| { NULL, NULL} }; 10905| 37.8k| struct header_line headers_l[] = { { "LOCATION:", &packet->location }, 10906| 37.8k| { NULL, NULL}}; 10907| 37.8k| struct header_line headers_m[] = { { "MAN:", &packet->man }, 10908| 37.8k| { "MX:", &packet->mx }, 10909| 37.8k| { NULL, NULL}}; 10910| 37.8k| struct header_line headers_n[] = { { "NT:", &packet->nt }, 10911| 37.8k| { "NTS:", &packet->nts }, 10912| 37.8k| { NULL, NULL}}; 10913| | 10914| 37.8k| line = &packet->line[packet->parsed_lines]; 10915| 37.8k| if(line->len == 0) 
------------------ | Branch (10915:6): [True: 6.94k, False: 30.9k] ------------------ 10916| 6.94k| return; 10917| | 10918| | /* First line of a HTTP response parsing. Expected a "HTTP/1.? ???" */ 10919| 30.9k| if(packet->parsed_lines == 0 && line->len >= NDPI_STATICSTRING_LEN("HTTP/1.X 200 ") && ------------------ | | 98| 44.7k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (10919:6): [True: 13.8k, False: 17.0k] | Branch (10919:35): [True: 11.3k, False: 2.43k] ------------------ 10920| 11.3k| strncasecmp((const char *)line->ptr, "HTTP/1.", NDPI_STATICSTRING_LEN("HTTP/1.")) == 0 && ------------------ | | 98| 11.3k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (10920:6): [True: 63, False: 11.3k] ------------------ 10921| 63| line->ptr[NDPI_STATICSTRING_LEN("HTTP/1.X ")] > '0' && /* response code between 000 and 699 */ ------------------ | | 98| 63|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (10921:6): [True: 62, False: 1] ------------------ 10922| 62| line->ptr[NDPI_STATICSTRING_LEN("HTTP/1.X ")] < '6') { ------------------ | | 98| 62|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (10922:6): [True: 58, False: 4] ------------------ 10923| 58| packet->http_response.ptr = &line->ptr[NDPI_STATICSTRING_LEN("HTTP/1.1 ")]; ------------------ | | 98| 58|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 10924| 58| packet->http_response.len = line->len - NDPI_STATICSTRING_LEN("HTTP/1.1 "); ------------------ | | 98| 58|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 10925| 58| return; 10926| 58| } 10927| 30.8k| if(packet->parsed_lines == 0 && line->len > 0) { ------------------ | Branch (10927:6): [True: 13.7k, False: 17.0k] | Branch (10927:35): [True: 13.7k, False: 0] ------------------ 10928| | /* 10929| | Check if the file contains a : otherwise ignore the line as this 10930| | 
line i slike "GET /.... 10931| | */ 10932| 13.7k| if(memchr((char *)line->ptr, ':', line->len) == NULL) ------------------ | Branch (10932:8): [True: 12.3k, False: 1.38k] ------------------ 10933| 12.3k| return; 10934| 13.7k| } 10935| | 10936| 18.4k| switch(line->ptr[0]) { 10937| 27| case 'a': ------------------ | Branch (10937:3): [True: 27, False: 18.4k] ------------------ 10938| 204| case 'A': ------------------ | Branch (10938:3): [True: 177, False: 18.3k] ------------------ 10939| 204| hs = headers_a; 10940| 204| break; 10941| 24| case 'b': ------------------ | Branch (10941:3): [True: 24, False: 18.4k] ------------------ 10942| 53| case 'B': ------------------ | Branch (10942:3): [True: 29, False: 18.4k] ------------------ 10943| 53| hs = headers_b; 10944| 53| break; 10945| 15| case 'c': ------------------ | Branch (10945:3): [True: 15, False: 18.4k] ------------------ 10946| 775| case 'C': ------------------ | Branch (10946:3): [True: 760, False: 17.7k] ------------------ 10947| 775| hs = headers_c; 10948| 775| break; 10949| 4| case 'h': ------------------ | Branch (10949:3): [True: 4, False: 18.4k] ------------------ 10950| 2.27k| case 'H': ------------------ | Branch (10950:3): [True: 2.26k, False: 16.2k] ------------------ 10951| 2.27k| hs = headers_h; 10952| 2.27k| break; 10953| 113| case 'o': ------------------ | Branch (10953:3): [True: 113, False: 18.3k] ------------------ 10954| 472| case 'O': ------------------ | Branch (10954:3): [True: 359, False: 18.1k] ------------------ 10955| 472| hs = headers_o; 10956| 472| break; 10957| 11| case 'r': ------------------ | Branch (10957:3): [True: 11, False: 18.4k] ------------------ 10958| 189| case 'R': ------------------ | Branch (10958:3): [True: 178, False: 18.3k] ------------------ 10959| 189| hs = headers_r; 10960| 189| break; 10961| 14| case 's': ------------------ | Branch (10961:3): [True: 14, False: 18.4k] ------------------ 10962| 1.44k| case 'S': ------------------ | Branch (10962:3): [True: 
1.43k, False: 17.0k] ------------------ 10963| 1.44k| hs = headers_s; 10964| 1.44k| break; 10965| 9| case 'u': ------------------ | Branch (10965:3): [True: 9, False: 18.4k] ------------------ 10966| 837| case 'U': ------------------ | Branch (10966:3): [True: 828, False: 17.6k] ------------------ 10967| 837| hs = headers_u; 10968| 837| break; 10969| 1| case 'x': ------------------ | Branch (10969:3): [True: 1, False: 18.4k] ------------------ 10970| 99| case 'X': ------------------ | Branch (10970:3): [True: 98, False: 18.3k] ------------------ 10971| 99| hs = headers_x; 10972| 99| break; 10973| 3| case 'l': ------------------ | Branch (10973:3): [True: 3, False: 18.4k] ------------------ 10974| 24| case 'L': ------------------ | Branch (10974:3): [True: 21, False: 18.4k] ------------------ 10975| 24| hs = headers_l; 10976| 24| break; 10977| 29| case 'm': ------------------ | Branch (10977:3): [True: 29, False: 18.4k] ------------------ 10978| 1.34k| case 'M': ------------------ | Branch (10978:3): [True: 1.31k, False: 17.1k] ------------------ 10979| 1.34k| hs = headers_m; 10980| 1.34k| break; 10981| 32| case 'n': ------------------ | Branch (10981:3): [True: 32, False: 18.4k] ------------------ 10982| 219| case 'N': ------------------ | Branch (10982:3): [True: 187, False: 18.2k] ------------------ 10983| 219| hs = headers_n; 10984| 219| break; 10985| 10.5k| default: ------------------ | Branch (10985:3): [True: 10.5k, False: 7.93k] ------------------ 10986| 10.5k| return; 10987| 18.4k| } 10988| | 10989| 16.9k| for(h = &hs[0]; h->name; h++) { ------------------ | Branch (10989:19): [True: 13.9k, False: 2.94k] ------------------ 10990| 13.9k| length = strlen(h->name); 10991| 13.9k| if(line->len > length && ------------------ | Branch (10991:8): [True: 12.5k, False: 1.38k] ------------------ 10992| 12.5k| strncasecmp((const char *)line->ptr, h->name, length) == 0) { ------------------ | Branch (10992:8): [True: 4.98k, False: 7.60k] ------------------ 10993| 4.98k| 
h->line->ptr = &line->ptr[length]; 10994| 4.98k| h->line->len = line->len - length; 10995| | 10996| | /* Stripping leading spaces */ 10997| 9.15k| while(h->line->len > 0 && h->line->ptr[0] == ' ') { ------------------ | Branch (10997:13): [True: 9.12k, False: 28] | Branch (10997:33): [True: 4.17k, False: 4.95k] ------------------ 10998| 4.17k| h->line->len--; 10999| 4.17k| h->line->ptr++; 11000| 4.17k| } 11001| 4.98k| if(h->line->len == 0) ------------------ | Branch (11001:10): [True: 28, False: 4.95k] ------------------ 11002| 28| h->line->ptr = NULL; 11003| | 11004| | /* Stripping trailing spaces */ 11005| 5.11k| while(h->line->len > 0 && h->line->ptr[h->line->len - 1] == ' ') { ------------------ | Branch (11005:13): [True: 5.08k, False: 28] | Branch (11005:33): [True: 134, False: 4.95k] ------------------ 11006| 134| h->line->len--; 11007| 134| } 11008| 4.98k| if(h->line->len == 0) ------------------ | Branch (11008:10): [True: 28, False: 4.95k] ------------------ 11009| 28| h->line->ptr = NULL; 11010| | 11011| 4.98k| break; 11012| 4.98k| } 11013| 13.9k| } 11014| | 11015| 7.93k| if(packet->content_line.len > 0) { ------------------ | Branch (11015:6): [True: 452, False: 7.47k] ------------------ 11016| | /* application/json; charset=utf-8 */ 11017| 452| char separator[] = {';', '\r', '\0'}; 11018| 452| int i; 11019| | 11020| 1.35k| for(i = 0; separator[i] != '\0'; i++) { ------------------ | Branch (11020:16): [True: 904, False: 452] ------------------ 11021| 904| char *c = memchr((char *) packet->content_line.ptr, separator[i], packet->content_line.len); 11022| | 11023| 904| if(c != NULL) ------------------ | Branch (11023:10): [True: 95, False: 809] ------------------ 11024| 95| packet->content_line.len = c - (char *) packet->content_line.ptr; 11025| 904| } 11026| 452| } 11027| 7.93k|} ndpi_main.c:ndpi_detection_get_l4_internal: 7849| 79.3k| u_int8_t *l4_protocol_return, u_int32_t flags) { 7850| 79.3k| const struct ndpi_iphdr *iph = NULL; 7851| 79.3k| const 
struct ndpi_ipv6hdr *iph_v6 = NULL; 7852| 79.3k| u_int16_t l4len = 0; 7853| 79.3k| const u_int8_t *l4ptr = NULL; 7854| 79.3k| u_int8_t l4protocol = 0; 7855| | 7856| 79.3k| if(l3 == NULL || l3_len < sizeof(struct ndpi_iphdr)) ------------------ | Branch (7856:6): [True: 0, False: 79.3k] | Branch (7856:20): [True: 0, False: 79.3k] ------------------ 7857| 0| return(1); 7858| | 7859| 79.3k| iph = (const struct ndpi_iphdr *) l3; 7860| | 7861| 79.3k| if((iph->version == 4 /* IPVERSION */) && (iph->ihl >= 5)) { ------------------ | Branch (7861:6): [True: 77.9k, False: 1.40k] | Branch (7861:45): [True: 77.9k, False: 0] ------------------ 7862| 77.9k| NDPI_LOG_DBG2(ndpi_str, "IPv4 header\n"); ------------------ | | 597| 77.9k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7863| 77.9k| } 7864| 1.40k| else if(iph->version == 6 && l3_len >= sizeof(struct ndpi_ipv6hdr)) { ------------------ | Branch (7864:11): [True: 1.40k, False: 0] | Branch (7864:32): [True: 1.40k, False: 0] ------------------ 7865| 1.40k| NDPI_LOG_DBG2(ndpi_str, "ipv6 header\n"); ------------------ | | 597| 1.40k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7866| 1.40k| iph_v6 = (const struct ndpi_ipv6hdr *) l3; 7867| 1.40k| iph = NULL; 7868| 1.40k| } else { 7869| 0| return(1); 7870| 0| } 7871| | 7872| 79.3k| if((flags & NDPI_DETECTION_ONLY_IPV6) && iph != NULL) { ------------------ | | 37| 79.3k|#define NDPI_DETECTION_ONLY_IPV6 ( 1 << 1 ) ------------------ | Branch (7872:6): [True: 0, False: 79.3k] | Branch (7872:44): [True: 0, False: 0] ------------------ 7873| 0| NDPI_LOG_DBG2(ndpi_str, "ipv4 header found but excluded by flag\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 7874| 0| return(1); 7875| 79.3k| } else if((flags & NDPI_DETECTION_ONLY_IPV4) && iph_v6 != NULL) { ------------------ | | 36| 79.3k|#define NDPI_DETECTION_ONLY_IPV4 ( 1 << 0 ) ------------------ | Branch (7875:13): [True: 0, False: 79.3k] | Branch (7875:51): [True: 0, False: 0] ------------------ 7876| 0| NDPI_LOG_DBG2(ndpi_str, "ipv6 header found but excluded by flag\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 7877| 0| return(1); 7878| 0| } 7879| | 7880| | /* 0: fragmented; 1: not fragmented */ 7881| 79.3k| if(iph != NULL && iph_is_valid_and_not_fragmented(ndpi_str, iph, l3_len)) { ------------------ | Branch (7881:6): [True: 77.9k, False: 1.40k] | Branch (7881:21): [True: 77.9k, False: 4] ------------------ 7882| 77.9k| u_int16_t len = ndpi_min(ntohs(iph->tot_len), l3_len); ------------------ | | 113| 77.9k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 2.57k, False: 75.3k] | | ------------------ ------------------ 7883| 77.9k| u_int16_t hlen = (iph->ihl * 4); 7884| | 7885| 77.9k| l4ptr = (((const u_int8_t *) iph) + iph->ihl * 4); 7886| | 7887| 77.9k| if(len == 0) ------------------ | Branch (7887:8): [True: 110, False: 77.8k] ------------------ 7888| 110| len = l3_len; 7889| | 7890| 77.9k| l4len = (len > hlen) ? 
(len - hlen) : 0; ------------------ | Branch (7890:13): [True: 77.8k, False: 103] ------------------ 7891| 77.9k| l4protocol = iph->protocol; 7892| 77.9k| } 7893| | 7894| 1.40k| else if(iph_v6 != NULL && (l3_len - sizeof(struct ndpi_ipv6hdr)) >= ntohs(iph_v6->ip6_hdr.ip6_un1_plen)) { ------------------ | Branch (7894:11): [True: 1.40k, False: 4] | Branch (7894:29): [True: 1.40k, False: 0] ------------------ 7895| 1.40k| l4ptr = (((const u_int8_t *) iph_v6) + sizeof(struct ndpi_ipv6hdr)); 7896| 1.40k| l4len = ntohs(iph_v6->ip6_hdr.ip6_un1_plen); 7897| 1.40k| l4protocol = iph_v6->ip6_hdr.ip6_un1_nxt; 7898| | 7899| | // we need to handle IPv6 extension headers if present 7900| 1.40k| if(ndpi_handle_ipv6_extension_headers(ndpi_str, iph_v6, l3_len - sizeof(struct ndpi_ipv6hdr), &l4ptr, &l4len, &l4protocol) != 0) { ------------------ | Branch (7900:8): [True: 0, False: 1.40k] ------------------ 7901| 0| return(1); 7902| 0| } 7903| | 7904| 1.40k| } else { 7905| 4| return(1); 7906| 4| } 7907| | 7908| 79.3k| if(l4_return != NULL) { ------------------ | Branch (7908:6): [True: 79.3k, False: 0] ------------------ 7909| 79.3k| *l4_return = l4ptr; 7910| 79.3k| } 7911| | 7912| 79.3k| if(l4_len_return != NULL) { ------------------ | Branch (7912:6): [True: 79.3k, False: 0] ------------------ 7913| 79.3k| *l4_len_return = l4len; 7914| 79.3k| } 7915| | 7916| 79.3k| if(l4_protocol_return != NULL) { ------------------ | Branch (7916:6): [True: 79.3k, False: 0] ------------------ 7917| 79.3k| *l4_protocol_return = l4protocol; 7918| 79.3k| } 7919| | 7920| 79.3k| return(0); 7921| 79.3k|} ndpi_main.c:ndpi_reconcile_protocols: 9058| 18.3k| struct ndpi_flow_struct *flow) { 9059| 18.3k| u_int i, skip_risk = 0; 9060| | 9061| | /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup() */ 9062| | 9063| 18.3k| if((flow->risk != 0) && (flow->risk != flow->risk_shadow)) { ------------------ | Branch (9063:6): [True: 4.23k, False: 14.1k] | Branch 
(9063:27): [True: 4.16k, False: 74] ------------------ 9064| | /* Trick to avoid evaluating exceptions when nothing changed */ 9065| 4.16k| ndpi_handle_risk_exceptions(ndpi_str, flow); 9066| 4.16k| flow->risk_shadow = flow->risk; 9067| 4.16k| } 9068| | 9069| | /* If we have a classification by port/ip, it means everything else failed so we 9070| | shouldn't apply any logic on top of it involving: 9071| | * different classification 9072| | * LRU cache 9073| | */ 9074| 18.3k| if(flow->confidence != NDPI_CONFIDENCE_MATCH_BY_PORT && ------------------ | Branch (9074:6): [True: 18.2k, False: 73] ------------------ 9075| 18.2k| flow->confidence != NDPI_CONFIDENCE_MATCH_BY_IP) { ------------------ | Branch (9075:6): [True: 18.2k, False: 69] ------------------ 9076| | 9077| 18.2k| switch(flow->detected_protocol_stack[0]) { ------------------ | Branch (9077:12): [True: 4.71k, False: 13.5k] ------------------ 9078| 0| case NDPI_PROTOCOL_MICROSOFT_AZURE: ------------------ | Branch (9078:5): [True: 0, False: 18.2k] ------------------ 9079| 0| ndpi_reconcile_msteams_udp(ndpi_str, flow, flow->detected_protocol_stack[1]); 9080| 0| break; 9081| | 9082| | /* 9083| | Skype for a host doing MS Teams means MS Teams 9084| | (MS Teams uses Skype as transport protocol for voice/video) 9085| | */ 9086| 0| case NDPI_PROTOCOL_MSTEAMS: ------------------ | Branch (9086:5): [True: 0, False: 18.2k] ------------------ 9087| 0| if(flow->l4_proto == IPPROTO_TCP) { ------------------ | Branch (9087:10): [True: 0, False: 0] ------------------ 9088| | // printf("====>> NDPI_PROTOCOL_MSTEAMS\n"); 9089| | 9090| 0| if(ndpi_str->msteams_cache) ------------------ | Branch (9090:12): [True: 0, False: 0] ------------------ 9091| 0| ndpi_lru_add_to_cache(ndpi_str->msteams_cache, 9092| 0| make_msteams_key(flow, 1 /* client */), 9093| 0| 0 /* dummy */, 9094| 0| ndpi_get_current_time(flow)); 9095| 0| } 9096| 0| break; 9097| | 9098| 562| case NDPI_PROTOCOL_STUN: ------------------ | Branch (9098:5): [True: 
562, False: 17.6k] ------------------ 9099| 562| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE) ------------------ | Branch (9099:10): [True: 5, False: 557] ------------------ 9100| 5| ndpi_reconcile_msteams_udp(ndpi_str, flow, NDPI_PROTOCOL_STUN); 9101| 562| break; 9102| | 9103| 4.08k| case NDPI_PROTOCOL_TLS: ------------------ | Branch (9103:5): [True: 4.08k, False: 14.1k] ------------------ 9104| | /* 9105| | When Teams is unable to communicate via UDP 9106| | it switches to TLS.TCP. Let's try to catch it 9107| | */ 9108| 4.08k| if((flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE) ------------------ | Branch (9108:10): [True: 22, False: 4.05k] ------------------ 9109| 22| && (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) /* No master */ ------------------ | Branch (9109:13): [True: 22, False: 0] ------------------ 9110| 22| && ndpi_str->msteams_cache ------------------ | Branch (9110:13): [True: 18, False: 4] ------------------ 9111| 4.08k| ) { 9112| 18| u_int16_t dummy; 9113| | 9114| 18| if(ndpi_lru_find_cache(ndpi_str->msteams_cache, ------------------ | Branch (9114:12): [True: 0, False: 18] ------------------ 9115| 18| make_msteams_key(flow, 1 /* client */), 9116| 18| &dummy, 0 /* Don't remove it as it can be used for other connections */, 9117| 18| ndpi_get_current_time(flow))) { 9118| 0| ndpi_int_change_protocol(flow, 9119| 0| NDPI_PROTOCOL_MSTEAMS, NDPI_PROTOCOL_TLS, 9120| 0| NDPI_CONFIDENCE_DPI_PARTIAL); 9121| 0| } 9122| 4.06k| } else if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TELEGRAM) { ------------------ | Branch (9122:17): [True: 0, False: 4.06k] ------------------ 9123| 0| ndpi_int_change_protocol(flow, 9124| 0| flow->guessed_protocol_id_by_ip, flow->detected_protocol_stack[0], 9125| 0| NDPI_CONFIDENCE_DPI_PARTIAL); 9126| 0| } 9127| 4.08k| break; 9128| | 9129| 76| case NDPI_PROTOCOL_MSTEAMS_CALL: ------------------ | Branch (9129:5): [True: 76, False: 18.1k] ------------------ 9130| 76| 
ndpi_reconcile_msteams_call_udp(flow); 9131| 76| break; 9132| | 9133| | /* Generic container for microsoft subprotocols */ 9134| 0| case NDPI_PROTOCOL_MICROSOFT: ------------------ | Branch (9134:5): [True: 0, False: 18.2k] ------------------ 9135| 0| switch(flow->guessed_protocol_id_by_ip) { ------------------ | Branch (9135:14): [True: 0, False: 0] ------------------ 9136| 0| case NDPI_PROTOCOL_MICROSOFT_365: ------------------ | Branch (9136:7): [True: 0, False: 0] ------------------ 9137| 0| case NDPI_PROTOCOL_MS_ONE_DRIVE: ------------------ | Branch (9137:7): [True: 0, False: 0] ------------------ 9138| 0| case NDPI_PROTOCOL_MS_OUTLOOK: ------------------ | Branch (9138:7): [True: 0, False: 0] ------------------ 9139| 0| case NDPI_PROTOCOL_MSTEAMS: ------------------ | Branch (9139:7): [True: 0, False: 0] ------------------ 9140| 0| ndpi_int_change_protocol(flow, 9141| 0| flow->guessed_protocol_id_by_ip, flow->detected_protocol_stack[1], 9142| 0| NDPI_CONFIDENCE_DPI_PARTIAL); 9143| 0| break; 9144| 0| } 9145| 0| break; 9146| | 9147| 0| case NDPI_PROTOCOL_UNKNOWN: ------------------ | Branch (9147:5): [True: 0, False: 18.2k] ------------------ 9148| 0| break; 9149| 18.2k| } /* switch */ 9150| 18.2k| } 9151| | 9152| 18.3k| switch(flow->detected_protocol_stack[0]) { ------------------ | Branch (9152:10): [True: 0, False: 18.3k] ------------------ 9153| 0| case NDPI_PROTOCOL_RDP: ------------------ | Branch (9153:3): [True: 0, False: 18.3k] ------------------ 9154| 0| ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found RDP"); /* Remote assistance */ 9155| 0| break; 9156| | 9157| 0| case NDPI_PROTOCOL_ANYDESK: ------------------ | Branch (9157:3): [True: 0, False: 18.3k] ------------------ 9158| 0| if(flow->l4_proto == IPPROTO_TCP) /* TCP only */ ------------------ | Branch (9158:8): [True: 0, False: 0] ------------------ 9159| 0| ndpi_set_risk(ndpi_str, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found AnyDesk"); /* Remote assistance */ 
9160| 0| break; 9161| 18.3k| } 9162| | 9163| 55.1k| for(i=0; i<2; i++) { ------------------ | Branch (9163:12): [True: 36.7k, False: 18.3k] ------------------ 9164| 36.7k| switch(ndpi_get_proto_breed(ndpi_str, flow->detected_protocol_stack[i])) { 9165| 134| case NDPI_PROTOCOL_UNSAFE: ------------------ | Branch (9165:5): [True: 134, False: 36.6k] ------------------ 9166| 160| case NDPI_PROTOCOL_POTENTIALLY_DANGEROUS: ------------------ | Branch (9166:5): [True: 26, False: 36.7k] ------------------ 9167| 160| case NDPI_PROTOCOL_DANGEROUS: ------------------ | Branch (9167:5): [True: 0, False: 36.7k] ------------------ 9168| | 9169| 160| if(flow->detected_protocol_stack[i] == NDPI_PROTOCOL_SMBV1) { ------------------ | Branch (9169:10): [True: 0, False: 160] ------------------ 9170| | /* 9171| | Same as for smb.c we need to avoid sending warnings for 9172| | requests sent to a broadcast address that can be sent to 9173| | query old devices. As we see no MAC addresses in nDPI 9174| | it's not simple to detect this fact, so we will use some 9175| | heuristic here. 
9176| | */ 9177| | 9178| 0| if(ndpi_str->packet.payload_packet_len > 86 /* SMB command */) { ------------------ | Branch (9178:5): [True: 0, False: 0] ------------------ 9179| 0| if(ndpi_str->packet.payload[86] == 0x25 /* SMB Trans */) ------------------ | Branch (9179:7): [True: 0, False: 0] ------------------ 9180| 0| skip_risk = 1; 9181| 0| } 9182| 0| } 9183| | 9184| 160| if(!skip_risk) ------------------ | Branch (9184:10): [True: 160, False: 0] ------------------ 9185| 160| ndpi_set_risk(ndpi_str, flow, NDPI_UNSAFE_PROTOCOL, NULL); 9186| 160| break; 9187| | 9188| 36.5k| default: ------------------ | Branch (9188:5): [True: 36.5k, False: 160] ------------------ 9189| | /* Nothing to do */ 9190| 36.5k| break; 9191| 36.7k| } 9192| 36.7k| } /* for */ 9193| 18.3k|} ndpi_main.c:ndpi_reconcile_msteams_udp: 8988| 5| u_int16_t master) { 8989| | /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup(), via ndpi_reconcile_protocols() */ 8990| | 8991| 5| if(flow->l4_proto == IPPROTO_UDP) { ------------------ | Branch (8991:6): [True: 5, False: 0] ------------------ 8992| 5| u_int16_t sport = ntohs(flow->c_port); 8993| 5| u_int16_t dport = ntohs(flow->s_port); 8994| 5| u_int8_t s_match = ((sport >= 3478) && (sport <= 3481)) ? 1 : 0; ------------------ | Branch (8994:26): [True: 3, False: 2] | Branch (8994:45): [True: 2, False: 1] ------------------ 8995| 5| u_int8_t d_match = ((dport >= 3478) && (dport <= 3481)) ? 
1 : 0; ------------------ | Branch (8995:26): [True: 4, False: 1] | Branch (8995:45): [True: 1, False: 3] ------------------ 8996| | 8997| 5| if(s_match || d_match) { ------------------ | Branch (8997:8): [True: 2, False: 3] | Branch (8997:19): [True: 1, False: 2] ------------------ 8998| 3| ndpi_int_change_protocol(flow, 8999| 3| NDPI_PROTOCOL_MSTEAMS_CALL, master, 9000| | /* Keep the same confidence */ 9001| 3| flow->confidence); 9002| | 9003| | 9004| 3| if(ndpi_str->msteams_cache) ------------------ | Branch (9004:10): [True: 2, False: 1] ------------------ 9005| 2| ndpi_lru_add_to_cache(ndpi_str->msteams_cache, 9006| 2| make_msteams_key(flow, s_match ? 0 /* server */ : 1 /* client */), ------------------ | Branch (9006:33): [True: 1, False: 1] ------------------ 9007| 2| 0 /* dummy */, 9008| 2| ndpi_get_current_time(flow)); 9009| | 9010| 3| } 9011| 5| } 9012| 5|} ndpi_main.c:make_msteams_key: 8966| 20|static u_int64_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_client) { 8967| 20| u_int64_t key; 8968| | 8969| 20| if(use_client) { ------------------ | Branch (8969:6): [True: 19, False: 1] ------------------ 8970| 19| if(flow->is_ipv6) ------------------ | Branch (8970:8): [True: 0, False: 19] ------------------ 8971| 0| key = ndpi_quick_hash64((const char *)flow->c_address.v6, 16); 8972| 19| else 8973| 19| key = ntohl(flow->c_address.v4); 8974| 19| } else { 8975| 1| if(flow->is_ipv6) ------------------ | Branch (8975:8): [True: 0, False: 1] ------------------ 8976| 0| key = ndpi_quick_hash64((const char *)flow->s_address.v6, 16); 8977| 1| else 8978| 1| key = ntohl(flow->s_address.v4); 8979| 1| } 8980| | 8981| 20| return key; 8982| 20|} ndpi_main.c:ndpi_reconcile_msteams_call_udp: 9043| 76|static void ndpi_reconcile_msteams_call_udp(struct ndpi_flow_struct *flow) { 9044| 76| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_MSTEAMS_CALL) { ------------------ | Branch (9044:6): [True: 76, False: 0] ------------------ 9045| 76| if(flow->l4_proto 
== IPPROTO_UDP) { ------------------ | Branch (9045:8): [True: 76, False: 0] ------------------ 9046| 76| u_int16_t sport = ntohs(flow->c_port); 9047| 76| u_int16_t dport = ntohs(flow->s_port); 9048| | 9049| 76| if(ndpi_reconcile_msteams_call_udp_port(flow, sport, dport) == 0) ------------------ | Branch (9049:10): [True: 42, False: 34] ------------------ 9050| 42| ndpi_reconcile_msteams_call_udp_port(flow, dport, sport); 9051| 76| } 9052| 76| } 9053| 76|} ndpi_main.c:ndpi_reconcile_msteams_call_udp_port: 9017| 118| u_int16_t sport, u_int16_t dport) { 9018| | 9019| | /* 9020| | https://extremeportal.force.com/ExtrArticleDetail?an=000101782 9021| | 9022| | Audio: UDP 50000-50019; 3478; 3479 9023| | Video: UDP 50020-50039; 3480 9024| | Sharing: UDP 50040-50059; 3481 9025| | */ 9026| | 9027| 118| if((dport == 3478) || (dport == 3479) || ((sport >= 50000) && (sport <= 50019))) ------------------ | Branch (9027:6): [True: 44, False: 74] | Branch (9027:25): [True: 0, False: 74] | Branch (9027:45): [True: 25, False: 49] | Branch (9027:65): [True: 0, False: 25] ------------------ 9028| 44| flow->flow_multimedia_types |= ndpi_multimedia_audio_flow; 9029| 74| else if((dport == 3480) || ((sport >= 50020) && (sport <= 50039))) ------------------ | Branch (9029:11): [True: 0, False: 74] | Branch (9029:31): [True: 25, False: 49] | Branch (9029:51): [True: 0, False: 25] ------------------ 9030| 0| flow->flow_multimedia_types |= ndpi_multimedia_video_flow; 9031| 74| else if((dport == 3481) || ((sport >= 50040) && (sport <= 50059))) ------------------ | Branch (9031:11): [True: 1, False: 73] | Branch (9031:31): [True: 24, False: 49] | Branch (9031:51): [True: 0, False: 24] ------------------ 9032| 1| flow->flow_multimedia_types |= ndpi_multimedia_screen_sharing_flow; 9033| 73| else { 9034| 73| flow->flow_multimedia_types = ndpi_multimedia_unknown_flow; 9035| 73| return(0); 9036| 73| } 9037| | 9038| 45| return(1); 9039| 118|} ndpi_main.c:proto_stack_update: 11274| 18.3k|{ 11275| 
|#ifdef DEBUG_STACK 11276| | printf("%s %d %d/%d/%d + %d/%d", 11277| | __func__, s->protos_num, 11278| | s->protos[0], s->protos[1], s->protos[2], 11279| | lower_proto, upper_proto); 11280| |#endif 11281| | 11282| | /* On the stack we want APP/SRTP instead of what we have with legacy master/app, i.e. SRTP/APP */ 11283| 18.3k| if(lower_proto == NDPI_PROTOCOL_SRTP) { ------------------ | Branch (11283:6): [True: 32, False: 18.3k] ------------------ 11284| 32| lower_proto = upper_proto; 11285| 32| upper_proto = NDPI_PROTOCOL_SRTP; 11286| 32| } 11287| | /* STUN/APP + DTLS -> STUN/DTLS/APP */ 11288| 18.3k| if(lower_proto == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (11288:6): [True: 15.1k, False: 3.25k] ------------------ 11289| 15.1k| (upper_proto == NDPI_PROTOCOL_TLS || upper_proto == NDPI_PROTOCOL_DTLS) && ------------------ | Branch (11289:7): [True: 4.15k, False: 10.9k] | Branch (11289:43): [True: 0, False: 10.9k] ------------------ 11290| 4.15k| s->protos_num >= 2) { ------------------ | Branch (11290:6): [True: 0, False: 4.15k] ------------------ 11291| 0| lower_proto = upper_proto; 11292| 0| upper_proto = s->protos[s->protos_num - 1]; 11293| 0| } 11294| | /* RTCP + STUN/RTP -> STUN/RTP */ 11295| 18.3k| if(s->protos_num == 1 && ------------------ | Branch (11295:6): [True: 484, False: 17.8k] ------------------ 11296| 484| (s->protos[s->protos_num - 1] == NDPI_PROTOCOL_RTP || s->protos[s->protos_num - 1] == NDPI_PROTOCOL_RTCP) && ------------------ | Branch (11296:7): [True: 0, False: 484] | Branch (11296:60): [True: 0, False: 484] ------------------ 11297| 0| lower_proto == NDPI_PROTOCOL_STUN) { ------------------ | Branch (11297:6): [True: 0, False: 0] ------------------ 11298| 0| s->protos_num--; 11299| 0| } 11300| | /* STUN/APP + DTLS/APP -> STUN/DTLS/APP */ 11301| 18.3k| if(s->protos_num >= 2 && ------------------ | Branch (11301:6): [True: 169, False: 18.2k] ------------------ 11302| 169| (s->protos[s->protos_num - 1] == upper_proto)) { 
------------------ | Branch (11302:6): [True: 1, False: 168] ------------------ 11303| 1| s->protos_num--; 11304| 1| } 11305| | /* RDP + TLS/RDP -> RDP/TLS */ 11306| 18.3k| if(s->protos_num == 1 && ------------------ | Branch (11306:6): [True: 484, False: 17.8k] ------------------ 11307| 484| s->protos[s->protos_num - 1] == upper_proto && ------------------ | Branch (11307:6): [True: 11, False: 473] ------------------ 11308| 11| lower_proto == NDPI_PROTOCOL_TLS) { ------------------ | Branch (11308:6): [True: 0, False: 11] ------------------ 11309| 0| lower_proto = NDPI_PROTOCOL_UNKNOWN; 11310| 0| upper_proto = NDPI_PROTOCOL_TLS; 11311| 0| } 11312| | 11313| |#ifdef DEBUG_STACK 11314| | printf(" --> %d %d/%d/%d + %d/%d", 11315| | s->protos_num, 11316| | s->protos[0], s->protos[1], s->protos[2], 11317| | lower_proto, upper_proto); 11318| |#endif 11319| | 11320| 18.3k| if(s->protos_num > 0 && s->protos[0] == lower_proto) { ------------------ | Branch (11320:6): [True: 653, False: 17.7k] | Branch (11320:27): [True: 608, False: 45] ------------------ 11321| 608| proto_stack_push(s, upper_proto); 11322| 17.7k| } else { 11323| 17.7k| if(lower_proto != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (11323:8): [True: 2.64k, False: 15.1k] ------------------ 11324| 2.64k| proto_stack_push(s, lower_proto); 11325| 17.7k| proto_stack_push(s, upper_proto); 11326| 17.7k| } 11327| | 11328| |#ifdef DEBUG_STACK 11329| | printf(" ----> %d %d/%d/%d/%d\n", 11330| | s->protos_num, s->protos[0], s->protos[1], 11331| | s->protos[2], s->protos[3]); 11332| |#endif 11333| 18.3k|} ndpi_main.c:proto_stack_push: 11245| 21.0k|{ 11246| |#ifdef DEBUG_STACK 11247| | assert(proto != NDPI_PROTOCOL_UNKNOWN); 11248| |#endif 11249| 21.0k| if(s->protos_num < NDPI_PROTOCOL_STACK_SIZE - 1) { ------------------ | | 29| 21.0k|#define NDPI_PROTOCOL_STACK_SIZE 8 ------------------ | Branch (11249:6): [True: 21.0k, False: 0] ------------------ 11250| 21.0k| if(s->protos_num > 0 && s->protos[s->protos_num - 
1] == proto) { ------------------ | Branch (11250:8): [True: 3.29k, False: 17.7k] | Branch (11250:30): [True: 38, False: 3.25k] ------------------ 11251| 38| return; 11252| 38| } 11253| 20.9k| s->protos[s->protos_num++] = proto; 11254| 20.9k| } 11255| 21.0k|} ndpi_main.c:ndpi_int_change_protocol: 11474| 18.3k| ndpi_confidence_t confidence) { 11475| 18.3k| if((upper_detected_protocol == NDPI_PROTOCOL_UNKNOWN) && (lower_detected_protocol != NDPI_PROTOCOL_UNKNOWN)) ------------------ | Branch (11475:6): [True: 3.52k, False: 14.8k] | Branch (11475:60): [True: 3.52k, False: 0] ------------------ 11476| 3.52k| upper_detected_protocol = lower_detected_protocol; 11477| | 11478| 18.3k| if(upper_detected_protocol == lower_detected_protocol) ------------------ | Branch (11478:6): [True: 8.05k, False: 10.3k] ------------------ 11479| 8.05k| lower_detected_protocol = NDPI_PROTOCOL_UNKNOWN; 11480| | 11481| 18.3k| ndpi_int_change_flow_protocol(flow, upper_detected_protocol, lower_detected_protocol, confidence); 11482| 18.3k|} ndpi_main.c:ndpi_int_change_flow_protocol: 11438| 18.3k| ndpi_confidence_t confidence) { 11439| | 11440| |#ifdef TO_IMPLEMENT_A_BETTER_CHECK 11441| | if((flow->detected_protocol_stack[0] != upper_detected_protocol) 11442| | && (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) 11443| | && (flow->detected_protocol_stack[0] != lower_detected_protocol) 11444| | && (flow->detected_protocol_stack[1] != lower_detected_protocol) 11445| | ) { 11446| | /* 11447| | When the protocol is totally different this can be an indication 11448| | that something went wrong so better start over and clanup things 11449| | as flow->protos is an union and this can lead to inconsistencies. 
11450| | 11451| | TODO 11452| | In the future we should handle protocol reconfiguration better 11453| | */ 11454| | ndpi_free_flow_data_protos(flow); 11455| | memset(&flow->protos, 0, sizeof(flow->protos)); 11456| | } 11457| |#endif 11458| | 11459| 18.3k| flow->detected_protocol_stack[0] = upper_detected_protocol; 11460| 18.3k| flow->detected_protocol_stack[1] = lower_detected_protocol; 11461| | 11462| 18.3k| flow->confidence = confidence; 11463| 18.3k|} ndpi_main.c:guess_protocol_id: 5348| 34.9k| u_int8_t proto, u_int16_t sport, u_int16_t dport, u_int8_t *user_defined_proto) { 5349| 34.9k| *user_defined_proto = 0; /* Default */ 5350| | 5351| 34.9k| if(sport && dport) { ------------------ | Branch (5351:6): [True: 32.3k, False: 2.59k] | Branch (5351:15): [True: 31.6k, False: 642] ------------------ 5352| 31.6k| default_ports_tree_node_t *found = ndpi_get_guessed_protocol_id(ndpi_str, proto, sport, dport); 5353| | 5354| 31.6k| if(found != NULL) { ------------------ | Branch (5354:8): [True: 13.6k, False: 18.0k] ------------------ 5355| 13.6k| u_int16_t guessed_proto = found->proto_idx; 5356| | 5357| 13.6k| *user_defined_proto = found->customUserProto; 5358| 13.6k| return(guessed_proto); 5359| 13.6k| } 5360| 31.6k| } else { 5361| | /* No TCP/UDP */ 5362| | 5363| | /* All these calls to `is_proto_enabled()` are needed to avoid classification by-port 5364| | if the protocol is disabled */ 5365| 3.23k| switch(proto) { ------------------ | Branch (5365:12): [True: 882, False: 2.35k] ------------------ 5366| 21| case NDPI_IPSEC_PROTOCOL_ESP: ------------------ | | 118| 21|#define NDPI_IPSEC_PROTOCOL_ESP 50 ------------------ | Branch (5366:5): [True: 21, False: 3.21k] ------------------ 5367| 21| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_ESP)) ------------------ | Branch (5367:10): [True: 21, False: 0] ------------------ 5368| 21| return(NDPI_PROTOCOL_IP_ESP); 5369| 0| break; 5370| 1| case NDPI_IPSEC_PROTOCOL_AH: ------------------ | | 119| 1|#define 
NDPI_IPSEC_PROTOCOL_AH 51 ------------------ | Branch (5370:5): [True: 1, False: 3.23k] ------------------ 5371| 1| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_AH)) ------------------ | Branch (5371:10): [True: 1, False: 0] ------------------ 5372| 1| return(NDPI_PROTOCOL_IP_AH); 5373| 0| break; 5374| 1| case NDPI_GRE_PROTOCOL_TYPE: ------------------ | | 120| 1|#define NDPI_GRE_PROTOCOL_TYPE 0x2F ------------------ | Branch (5374:5): [True: 1, False: 3.23k] ------------------ 5375| 1| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_GRE)) ------------------ | Branch (5375:10): [True: 1, False: 0] ------------------ 5376| 1| return(NDPI_PROTOCOL_IP_GRE); 5377| 0| break; 5378| 4| case NDPI_PGM_PROTOCOL_TYPE: ------------------ | | 129| 4|#define NDPI_PGM_PROTOCOL_TYPE 0x71 ------------------ | Branch (5378:5): [True: 4, False: 3.23k] ------------------ 5379| 4| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_PGM)) ------------------ | Branch (5379:10): [True: 4, False: 0] ------------------ 5380| 4| return(NDPI_PROTOCOL_IP_PGM); 5381| 0| break; 5382| 3| case NDPI_PIM_PROTOCOL_TYPE: ------------------ | | 130| 3|#define NDPI_PIM_PROTOCOL_TYPE 0x67 ------------------ | Branch (5382:5): [True: 3, False: 3.23k] ------------------ 5383| 3| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_PIM)) ------------------ | Branch (5383:10): [True: 3, False: 0] ------------------ 5384| 3| return(NDPI_PROTOCOL_IP_PIM); 5385| 0| break; 5386| 750| case NDPI_ICMP_PROTOCOL_TYPE: ------------------ | | 121| 750|#define NDPI_ICMP_PROTOCOL_TYPE 0x01 ------------------ | Branch (5386:5): [True: 750, False: 2.48k] ------------------ 5387| 750| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_ICMP)) ------------------ | Branch (5387:10): [True: 750, False: 0] ------------------ 5388| 750| return(NDPI_PROTOCOL_IP_ICMP); 5389| 0| break; 5390| 12| case NDPI_IGMP_PROTOCOL_TYPE: ------------------ | | 122| 12|#define NDPI_IGMP_PROTOCOL_TYPE 0x02 ------------------ | Branch (5390:5): [True: 12, False: 
3.22k] ------------------ 5391| 12| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_IGMP)) ------------------ | Branch (5391:10): [True: 12, False: 0] ------------------ 5392| 12| return(NDPI_PROTOCOL_IP_IGMP); 5393| 0| break; 5394| 9| case NDPI_EGP_PROTOCOL_TYPE: ------------------ | | 123| 9|#define NDPI_EGP_PROTOCOL_TYPE 0x08 ------------------ | Branch (5394:5): [True: 9, False: 3.23k] ------------------ 5395| 9| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_EGP)) ------------------ | Branch (5395:10): [True: 9, False: 0] ------------------ 5396| 9| return(NDPI_PROTOCOL_IP_EGP); 5397| 0| break; 5398| 11| case NDPI_SCTP_PROTOCOL_TYPE: ------------------ | | 126| 11|#define NDPI_SCTP_PROTOCOL_TYPE 132 ------------------ | Branch (5398:5): [True: 11, False: 3.22k] ------------------ 5399| 11| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_SCTP)) ------------------ | Branch (5399:10): [True: 11, False: 0] ------------------ 5400| 11| return(NDPI_PROTOCOL_IP_SCTP); 5401| 0| break; 5402| 1| case NDPI_OSPF_PROTOCOL_TYPE: ------------------ | | 124| 1|#define NDPI_OSPF_PROTOCOL_TYPE 0x59 ------------------ | Branch (5402:5): [True: 1, False: 3.23k] ------------------ 5403| 1| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_OSPF)) ------------------ | Branch (5403:10): [True: 1, False: 0] ------------------ 5404| 1| return(NDPI_PROTOCOL_IP_OSPF); 5405| 0| break; 5406| 1| case NDPI_IPIP_PROTOCOL_TYPE: ------------------ | | 127| 1|#define NDPI_IPIP_PROTOCOL_TYPE 0x04 ------------------ | Branch (5406:5): [True: 1, False: 3.23k] ------------------ 5407| 1| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_IP_IN_IP)) ------------------ | Branch (5407:10): [True: 1, False: 0] ------------------ 5408| 1| return(NDPI_PROTOCOL_IP_IP_IN_IP); 5409| 0| break; 5410| 67| case NDPI_ICMPV6_PROTOCOL_TYPE: ------------------ | | 128| 67|#define NDPI_ICMPV6_PROTOCOL_TYPE 0x3a ------------------ | Branch (5410:5): [True: 67, False: 3.17k] ------------------ 5411| 67| 
if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_ICMPV6)) ------------------ | Branch (5411:10): [True: 67, False: 0] ------------------ 5412| 67| return(NDPI_PROTOCOL_IP_ICMPV6); 5413| 0| break; 5414| 1| case NDPI_VRRP_PROTOCOL_TYPE: ------------------ | | 125| 1|#define NDPI_VRRP_PROTOCOL_TYPE 112 ------------------ | Branch (5414:5): [True: 1, False: 3.23k] ------------------ 5415| 1| if(is_proto_enabled(ndpi_str, NDPI_PROTOCOL_IP_VRRP)) ------------------ | Branch (5415:10): [True: 1, False: 0] ------------------ 5416| 1| return(NDPI_PROTOCOL_IP_VRRP); 5417| 0| break; 5418| 3.23k| } 5419| 3.23k| } 5420| | 5421| 20.4k| return(NDPI_PROTOCOL_UNKNOWN); 5422| 34.9k|} ndpi_main.c:category_or_breed_depends_on_master: 11878| 127k|{ 11879| 127k| switch(proto) { ------------------ | Branch (11879:10): [True: 2.23k, False: 124k] ------------------ 11880| 0| case NDPI_PROTOCOL_MAIL_POP: ------------------ | Branch (11880:3): [True: 0, False: 127k] ------------------ 11881| 0| case NDPI_PROTOCOL_MAIL_SMTP: ------------------ | Branch (11881:3): [True: 0, False: 127k] ------------------ 11882| 0| case NDPI_PROTOCOL_MAIL_IMAP: ------------------ | Branch (11882:3): [True: 0, False: 127k] ------------------ 11883| 3| case NDPI_PROTOCOL_MAIL_POPS: ------------------ | Branch (11883:3): [True: 3, False: 127k] ------------------ 11884| 42| case NDPI_PROTOCOL_MAIL_SMTPS: ------------------ | Branch (11884:3): [True: 39, False: 127k] ------------------ 11885| 42| case NDPI_PROTOCOL_MAIL_IMAPS: ------------------ | Branch (11885:3): [True: 0, False: 127k] ------------------ 11886| 2.23k| case NDPI_PROTOCOL_DNS: ------------------ | Branch (11886:3): [True: 2.19k, False: 124k] ------------------ 11887| 2.23k| return 1; 11888| 127k| } 11889| | 11890| 124k| return 0; 11891| 127k|} ndpi_main.c:ndpi_automa_match_string_subprotocol: 12300| 23.1k| ndpi_protocol_match_result *ret_match) { 12301| 23.1k| int matching_protocol_id; 12302| | 12303| 23.1k| matching_protocol_id = 12304| 23.1k| 
ndpi_match_string_subprotocol(ndpi_str, string_to_match, string_to_match_len, ret_match); 12305| | 12306| 23.1k| if(matching_protocol_id < 0) ------------------ | Branch (12306:6): [True: 14.2k, False: 8.88k] ------------------ 12307| 14.2k| return NDPI_PROTOCOL_UNKNOWN; 12308| | 12309| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 12310| | { 12311| | char m[256]; 12312| | u_int len = ndpi_min(sizeof(m) - 1, string_to_match_len); 12313| | 12314| | strncpy(m, string_to_match, len); 12315| | m[len] = '\0'; 12316| | 12317| | NDPI_LOG_DBG2(ndpi_str, "[NDPI] ndpi_match_host_subprotocol(%s): %s\n", m, 12318| | ndpi_str->proto_defaults[matching_protocol_id].protoName); 12319| | } 12320| |#endif 12321| | 12322| 8.88k| if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (12322:6): [True: 151, False: 8.73k] ------------------ 12323| 151| return matching_protocol_id; 12324| | 12325| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 12326| | { 12327| | char m[256]; 12328| | u_int len = ndpi_min(sizeof(m) - 1, string_to_match_len); 12329| | 12330| | strncpy(m, string_to_match, len); 12331| | m[len] = '\0'; 12332| | 12333| | NDPI_LOG_DBG2(ndpi_str, "[NTOP] Unable to find a match for '%s'\n", m); 12334| | } 12335| |#endif 12336| | 12337| 8.73k| ret_match->protocol_id = NDPI_PROTOCOL_UNKNOWN, ret_match->protocol_category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED, 12338| 8.73k| ret_match->protocol_breed = NDPI_PROTOCOL_UNRATED; 12339| | 12340| 8.73k| return(NDPI_PROTOCOL_UNKNOWN); 12341| 8.88k|} ndpi_main.c:ndpi_match_xgram: 12481| 586k|static inline int ndpi_match_xgram(unsigned int *map,unsigned int l,const char *str) { 12482| 586k| unsigned int i,c; 12483| | 12484| 1.48M| for(i=0,c=0; *str && i < l; i++) { ------------------ | Branch (12484:16): [True: 1.10M, False: 376k] | Branch (12484:24): [True: 1.06M, False: 34.8k] ------------------ 12485| 1.06M| unsigned char a = (unsigned char)(*str++); 12486| 1.06M| if(a < 'a' || a > 'z') return 0; ------------------ | Branch (12486:8): 
[True: 174k, False: 894k] | Branch (12486:19): [True: 458, False: 894k] ------------------ 12487| 894k| c *= XGRAMS_C; ------------------ | | 1021| 894k|#define XGRAMS_C 26 ------------------ 12488| 894k| c += a-'a'; 12489| 894k| } 12490| | 12491| 411k| return (map[c >> 5] & (1u << (c & 0x1f))) != 0; 12492| 586k|} ndpi_main.c:ndpi_is_vowel: 12763| 117k|static int ndpi_is_vowel(char c) { 12764| 117k| switch(c) { 12765| 7.83k| case 'a': ------------------ | Branch (12765:3): [True: 7.83k, False: 109k] ------------------ 12766| 12.3k| case 'e': ------------------ | Branch (12766:3): [True: 4.55k, False: 113k] ------------------ 12767| 13.3k| case 'i': ------------------ | Branch (12767:3): [True: 949, False: 116k] ------------------ 12768| 32.4k| case 'o': ------------------ | Branch (12768:3): [True: 19.1k, False: 98.5k] ------------------ 12769| 35.4k| case 'u': ------------------ | Branch (12769:3): [True: 3.00k, False: 114k] ------------------ 12770| 35.5k| case 'y': // Not a real vowel... ------------------ | Branch (12770:3): [True: 92, False: 117k] ------------------ 12771| 35.9k| case 'x': // Not a real vowel... 
------------------ | Branch (12771:3): [True: 368, False: 117k] ------------------ 12772| 35.9k| return(1); 12773| | 12774| 81.7k| default: ------------------ | Branch (12774:3): [True: 81.7k, False: 35.9k] ------------------ 12775| 81.7k| return(0); 12776| 117k| } 12777| 117k|} ndpi_main.c:ndpi_is_trigram_char: 12754| 64.4k|static int ndpi_is_trigram_char(char c) { /* Returns 0 for an ASCII digit, '.' or '-', and 1 for any other character. */ 12755| 64.4k| if(ndpi_isdigit(c) || (c == '.') || (c == '-')) ------------------ | | 2526| 128k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 63.5k, False: 861] | | | Branch (2526:42): [True: 3.43k, False: 60.1k] | | ------------------ ------------------ | Branch (12755:25): [True: 0, False: 60.9k] | Branch (12755:39): [True: 0, False: 60.9k] ------------------ 12756| 3.43k| return(0); 12757| 60.9k| else 12758| 60.9k| return(1); 12759| 64.4k|} ndpi_main.c:enough: 12724| 1.94k|static int enough(int a, int b) { /* Returns 0 when b <= 1; otherwise 1 when a == 0 or when b exceeds 20% of (a+1) in integer arithmetic; otherwise 0. */ 12725| 1.94k| u_int8_t percentage = 20; 12726| | 12727| 1.94k| if(b <= 1) return(0); ------------------ | Branch (12727:6): [True: 1.92k, False: 25] ------------------ 12728| 25| if(a == 0) return(1); ------------------ | Branch (12728:6): [True: 0, False: 25] ------------------ 12729| | 12730| 25| if(b > (((a+1)*percentage)/100)) return(1); ------------------ | Branch (12730:6): [True: 24, False: 1] ------------------ 12731| | 12732| 1| return(0); 12733| 25|} ndpi_main.c:is_valid_port: 13110| 688|static int is_valid_port(const char *port_str) { /* Returns 1 only when port_str parses as a base-10 number in 0..65535 with no characters after it; otherwise 0. */ 13111| 688| char *endptr; 13112| 688| long port; 13113| | 13114| | /* We can't easily use ndpi_strtonum because we want to be sure that there are no 13115| | other characters after the number */ 13116| 688| errno = 0; /* To distinguish success/failure after call */ 13117| 688| port = strtol(port_str, &endptr, 10); /* NOTE(review): endptr is never compared with port_str, so an input with no digits (e.g. "") leaves port == 0 and *endptr == '\0'; unless the C library sets errno when no digits are found, the test below accepts it as port 0. strtol also skips leading whitespace and accepts a sign, so " 80" and "+80" pass as well - confirm callers expect this. */ 13118| 688| if(errno == 0 && *endptr == '\0' && ------------------ | Branch (13118:6): [True: 685, False: 3] | Branch (13118:20): [True: 453, False: 232] ------------------ 13119| 453| 
(port >= 0 && port <= 65535)) { ------------------ | Branch (13119:7): [True: 452, False: 1] | Branch (13119:20): [True: 452, False: 0] ------------------ 13120| 452| return 1; 13121| 452| } 13122| 236| return 0; 13123| 688|} ndpi_set_memory_alloction_functions: 52| 7.28k| void (*__ndpi_flow_free)(void *ptr)) { 53| | 54| | /* We can't log here */ 55| | 56| 7.28k| if(__ndpi_malloc && __ndpi_free && ------------------ | Branch (56:6): [True: 7.28k, False: 0] | Branch (56:23): [True: 7.28k, False: 0] ------------------ 57| 7.28k| __ndpi_calloc && __ndpi_realloc) { ------------------ | Branch (57:6): [True: 7.28k, False: 0] | Branch (57:23): [True: 7.28k, False: 0] ------------------ 58| 7.28k| _ndpi_malloc = __ndpi_malloc; 59| 7.28k| _ndpi_free = __ndpi_free; 60| 7.28k| _ndpi_calloc = __ndpi_calloc; 61| 7.28k| _ndpi_realloc = __ndpi_realloc; 62| 7.28k| } 63| 7.28k| if(__ndpi_aligned_malloc && __ndpi_aligned_free) { ------------------ | Branch (63:6): [True: 0, False: 7.28k] | Branch (63:31): [True: 0, False: 0] ------------------ 64| 0| _ndpi_aligned_malloc = __ndpi_aligned_malloc; 65| 0| _ndpi_aligned_free = __ndpi_aligned_free; 66| 0| } 67| 7.28k| if(__ndpi_flow_malloc && __ndpi_flow_free) { ------------------ | Branch (67:6): [True: 7.28k, False: 0] | Branch (67:28): [True: 7.28k, False: 0] ------------------ 68| 7.28k| _ndpi_flow_malloc = __ndpi_flow_malloc; 69| 7.28k| _ndpi_flow_free = __ndpi_flow_free; 70| 7.28k| } 71| 7.28k|} ndpi_malloc: 81| 17.6M|void *ndpi_malloc(size_t size) { 82| 17.6M| __sync_fetch_and_add(&ndpi_tot_allocated_memory, size); 83| 17.6M| return(_ndpi_malloc ? _ndpi_malloc(size) : malloc(size)); ------------------ | Branch (83:10): [True: 17.6M, False: 0] ------------------ 84| 17.6M|} ndpi_calloc: 88| 941M|void *ndpi_calloc(size_t nmemb, size_t size) { 89| 941M| __sync_fetch_and_add(&ndpi_tot_allocated_memory, nmemb * size); 90| 941M| return(_ndpi_calloc ? 
_ndpi_calloc(nmemb, size) : calloc(nmemb, size)); ------------------ | Branch (90:10): [True: 941M, False: 0] ------------------ 91| 941M|} ndpi_free: 95| 899M|void ndpi_free(void *ptr) { 96| 899M| _ndpi_free ? _ndpi_free(ptr) : free(ptr); ------------------ | Branch (96:3): [True: 899M, False: 0] ------------------ 97| 899M|} ndpi_realloc: 101| 28.6k|void *ndpi_realloc(void *ptr, size_t size) { 102| 28.6k| __sync_fetch_and_add(&ndpi_tot_allocated_memory, size); 103| 28.6k| return(_ndpi_realloc ? _ndpi_realloc(ptr, size) : realloc(ptr, size)); ------------------ | Branch (103:10): [True: 28.6k, False: 0] ------------------ 104| 28.6k|} ndpi_flow_malloc: 143| 44.6k|void *ndpi_flow_malloc(size_t size) { 144| 44.6k| return(_ndpi_flow_malloc ? _ndpi_flow_malloc(size) : ndpi_malloc(size)); ------------------ | Branch (144:10): [True: 44.6k, False: 0] ------------------ 145| 44.6k|} ndpi_flow_free: 149| 42.2k|void ndpi_flow_free(void *ptr) { 150| 42.2k| if(ptr) { ------------------ | Branch (150:6): [True: 42.2k, False: 0] ------------------ 151| 42.2k| ndpi_free_flow_data((struct ndpi_flow_struct *)ptr); 152| 42.2k| _ndpi_flow_free ? 
_ndpi_flow_free(ptr) : ndpi_free(ptr); ------------------ | Branch (152:5): [True: 42.2k, False: 0] ------------------ 153| 42.2k| } 154| 42.2k|} ndpi_strdup: 158| 11.3M|char *ndpi_strdup(const char *s) { 159| 11.3M| if(s == NULL ){ ------------------ | Branch (159:6): [True: 0, False: 11.3M] ------------------ 160| 0| return NULL; 161| 0| } 162| | 163| 11.3M| int len = strlen(s); 164| 11.3M| char *m = ndpi_malloc(len + 1); 165| | 166| 11.3M| if(m) { ------------------ | Branch (166:6): [True: 10.6M, False: 713k] ------------------ 167| 10.6M| memcpy(m, s, len); 168| 10.6M| m[len] = '\0'; 169| 10.6M| } 170| | 171| 11.3M| return(m); 172| 11.3M|} ndpi_unload_protocol_plugins: 149| 7.20k|void ndpi_unload_protocol_plugins(struct ndpi_detection_module_struct *ndpi_struct) { 150| |#ifdef HAVE_PLUGINS 151| | u_int i; 152| | 153| | for(i=0; i<ndpi_struct->proto_plugins.num_loaded_plugins; i++) 154| | dlclose(ndpi_struct->proto_plugins.plugin[i].pluginPtr); 155| |#else 156| 7.20k| __ndpi_unused_param(ndpi_struct); ------------------ | | 390| 7.20k|#define __ndpi_unused_param(x) (void)(x) ------------------ 157| 7.20k|#endif 158| 7.20k|} ndpi_init_protocol_plugins: 162| 7.08k|u_int ndpi_init_protocol_plugins(struct ndpi_detection_module_struct *ndpi_struct) { 163| |#ifdef HAVE_PLUGINS 164| | u_int i; 165| | 166| | for(i=0; i<ndpi_struct->proto_plugins.num_loaded_plugins; i++) { 167| | NDPIProtocolPluginEntryPoint *pluginInfo = ndpi_struct->proto_plugins.plugin[i].entryPoint; 168| | 169| | /* Execute init function */ 170| | pluginInfo->initFctn(ndpi_struct); 171| | 172| |#ifdef NDPI_PLUGIN_DEBUG 173| | printf("Initialized plugin %s [v.%s][%s]\n", 174| | pluginInfo->protocol_name, 175| | pluginInfo->version, 176| | pluginInfo->author); 177| |#endif 178| | } 179| | return(0); 180| |#else 181| 7.08k| __ndpi_unused_param(ndpi_struct); ------------------ | | 390| 7.08k|#define __ndpi_unused_param(x) (void)(x) ------------------ 182| 7.08k| return(0); 183| 7.08k|#endif 184| 7.08k|} ndpi_htonll: 51| 
11.8k|u_int64_t ndpi_htonll(u_int64_t v) { 52| 11.8k| union { u_int32_t lv[2]; u_int64_t llv; } u; 53| | 54| 11.8k| u.lv[0] = htonl(v >> 32); 55| 11.8k| u.lv[1] = htonl(v & 0xFFFFFFFFULL); 56| | 57| 11.8k| return(u.llv); 58| 11.8k|} ndpi_ntohll: 62| 14.0k|u_int64_t ndpi_ntohll(u_int64_t v) { 63| 14.0k| union { u_int32_t lv[2]; u_int64_t llv; } u; 64| | 65| 14.0k| u.llv = v; 66| | 67| 14.0k| return((u_int64_t)ntohl(u.lv[0]) << 32) | (u_int64_t)ntohl(u.lv[1]); 68| 14.0k|} ndpi_json_string_escape: 90| 286k|int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst_max_len) { 91| 286k| u_char c = 0; 92| 286k| int i, j = 0; 93| | 94| 286k| dst[j++] = '"'; 95| | 96| 2.76M| for(i = 0; i < src_len && j < dst_max_len; i++) { ------------------ | Branch (96:14): [True: 2.48M, False: 286k] | Branch (96:29): [True: 2.48M, False: 0] ------------------ 97| | 98| 2.48M| c = (u_char) src[i]; 99| | 100| 2.48M| if (c <= 0x7E) { ------------------ | Branch (100:9): [True: 2.47M, False: 8.71k] ------------------ 101| | // ASCII character (escape if required by JSON) 102| 2.47M| switch (c) { 103| 198| case '\\': ------------------ | Branch (103:7): [True: 198, False: 2.47M] ------------------ 104| 913| case '"': ------------------ | Branch (104:7): [True: 715, False: 2.47M] ------------------ 105| 2.64k| case '/': ------------------ | Branch (105:7): [True: 1.72k, False: 2.47M] ------------------ 106| 2.64k| dst[j++] = '\\'; 107| 2.64k| dst[j++] = c; 108| 2.64k| break; 109| 47| case '\b': ------------------ | Branch (109:7): [True: 47, False: 2.47M] ------------------ 110| 47| dst[j++] = '\\'; 111| 47| dst[j++] = 'b'; 112| 47| break; 113| 134| case '\t': ------------------ | Branch (113:7): [True: 134, False: 2.47M] ------------------ 114| 134| dst[j++] = '\\'; 115| 134| dst[j++] = 't'; 116| 134| break; 117| 172| case '\n': ------------------ | Branch (117:7): [True: 172, False: 2.47M] ------------------ 118| 172| dst[j++] = '\\'; 119| 172| dst[j++] = 'n'; 120| 172| 
break; 121| 94| case '\f': ------------------ | Branch (121:7): [True: 94, False: 2.47M] ------------------ 122| 94| dst[j++] = '\\'; 123| 94| dst[j++] = 'f'; 124| 94| break; 125| 336| case '\r': ------------------ | Branch (125:7): [True: 336, False: 2.47M] ------------------ 126| 336| dst[j++] = '\\'; 127| 336| dst[j++] = 'r'; 128| 336| break; 129| 2.47M| default: ------------------ | Branch (129:7): [True: 2.47M, False: 3.42k] ------------------ 130| 2.47M| if (c < 0x20 /* ' ' */) ------------------ | Branch (130:13): [True: 992, False: 2.47M] ------------------ 131| 992| ; // Other non-printable ASCII character (skip) 132| 2.47M| else 133| 2.47M| dst[j++] = c; // Printable ASCII character not requiring escape 134| 2.47M| } 135| | 136| 2.47M| } else if (c == 0x7F) { ------------------ | Branch (136:16): [True: 6, False: 8.70k] ------------------ 137| 6| ; // Non-printable ASCII character (skip) 138| 8.70k| } else if ((c >= 0xC2 && c <= 0xDF) && (src_len - i) >= 2 && ------------------ | Branch (138:17): [True: 6.23k, False: 2.46k] | Branch (138:30): [True: 1.34k, False: 4.89k] | Branch (138:44): [True: 1.34k, False: 2] ------------------ 139| 1.34k| ((u_char) src[i+1] >= 0x80 && (u_char) src[i+1] <= 0xBF)) { ------------------ | Branch (139:17): [True: 898, False: 446] | Branch (139:46): [True: 236, False: 662] ------------------ 140| | // 2-byte sequence (U+0080 to U+07FF) 141| 236| dst[j++] = c; 142| 236| dst[j++] = src[++i]; 143| 8.47k| } else if ((c >= 0xE0 && c <= 0xEF) && (src_len - i) >= 3 && ------------------ | Branch (143:17): [True: 4.89k, False: 3.57k] | Branch (143:30): [True: 3.33k, False: 1.56k] | Branch (143:44): [True: 3.32k, False: 10] ------------------ 144| 3.32k| ((u_char) src[i+1] >= 0x80 && (u_char) src[i+1] <= 0xBF) && ------------------ | Branch (144:17): [True: 3.02k, False: 297] | Branch (144:46): [True: 173, False: 2.85k] ------------------ 145| 173| ((u_char) src[i+2] >= 0x80 && (u_char) src[i+2] <= 0xBF)) { ------------------ | 
Branch (145:17): [True: 99, False: 74] | Branch (145:46): [True: 43, False: 56] ------------------ 146| | // 3-byte sequence (U+0800 to U+FFFF) 147| 43| dst[j++] = c; 148| 43| dst[j++] = src[++i]; 149| 43| dst[j++] = src[++i]; 150| 8.42k| } else if ((c >= 0xF0 && c <= 0xF4) && (src_len - i) >= 4 && ------------------ | Branch (150:17): [True: 1.56k, False: 6.86k] | Branch (150:30): [True: 368, False: 1.19k] | Branch (150:44): [True: 356, False: 12] ------------------ 151| 356| ((u_char) src[i+1] >= 0x80 && (u_char) src[i+1] <= 0xBF) && ------------------ | Branch (151:17): [True: 270, False: 86] | Branch (151:46): [True: 74, False: 196] ------------------ 152| 74| ((u_char) src[i+2] >= 0x80 && (u_char) src[i+2] <= 0xBF) && ------------------ | Branch (152:17): [True: 47, False: 27] | Branch (152:46): [True: 43, False: 4] ------------------ 153| 43| ((u_char) src[i+3] >= 0x80 && (u_char) src[i+3] <= 0xBF)) { ------------------ | Branch (153:17): [True: 18, False: 25] | Branch (153:46): [True: 9, False: 9] ------------------ 154| | // 4-byte sequence (U+10000 to U+10FFFF) 155| 9| dst[j++] = c; 156| 9| dst[j++] = src[++i]; 157| 9| dst[j++] = src[++i]; 158| 9| dst[j++] = src[++i]; 159| 9| } 160| 2.48M| } 161| | 162| 286k| dst[j++] = '"'; 163| 286k| dst[j+1] = '\0'; /* NOTE(review): j was already advanced past the closing quote, so the terminator lands at index j+1 and dst[j] is left unset; the returned length j stops just before that byte. Neither this write nor the closing quote is checked against dst_max_len, and the loop tests j < dst_max_len only once per input byte while one iteration can store up to four bytes, so dst has to be larger than the bound alone implies - confirm every caller over-allocates. */ 164| | 165| 286k| return(j); 166| 286k|} ndpi_reset_serializer: 170| 39.7k|void ndpi_reset_serializer(ndpi_serializer *_serializer) { /* Clears the status flags and resets the used-size counters according to the serializer format. */ 171| 39.7k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 172| | 173| 39.7k| serializer->status.flags = 0; 174| | 175| 39.7k| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (175:6): [True: 23.9k, False: 15.8k] ------------------ 176| 23.9k| u_int32_t buff_diff; 177| | 178| 23.9k| serializer->status.buffer.size_used = 0; 179| 23.9k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 180| | 181| 23.9k| if (!serializer->multiline_json_array) { ------------------ | Branch (181:9): [True: 
13.8k, False: 10.0k] ------------------ 182| | /* Note: please keep a space at the beginning as it is used for arrays when an end-of-record is used */ 183| 13.8k| serializer->buffer.data[serializer->status.buffer.size_used++] = ' '; 184| 13.8k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 185| 13.8k| } 186| 23.9k| if (!serializer->inner_json) { ------------------ | Branch (186:9): [True: 23.9k, False: 0] ------------------ 187| 23.9k| serializer->status.buffer.size_used += ndpi_snprintf((char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, "{}"); 188| 23.9k| } 189| 23.9k| } else if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (189:13): [True: 5.67k, False: 10.1k] ------------------ 190| 5.67k| serializer->status.header.size_used = 0; 191| 5.67k| serializer->status.buffer.size_used = 0; 192| 10.1k| } else { /* ndpi_serialization_format_tlv */ 193| 10.1k| serializer->status.buffer.size_used = 2 * sizeof(u_int8_t); 194| 10.1k| } 195| 39.7k|} ndpi_init_serializer_ll: 220| 42.2k| u_int32_t buffer_size) { 221| 42.2k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 222| | 223| 42.2k| memset(serializer, 0, sizeof(ndpi_private_serializer)); 224| | 225| 42.2k| if (fmt == ndpi_serialization_format_multiline_json) { ------------------ | Branch (225:7): [True: 10.6k, False: 31.6k] ------------------ 226| 10.6k| fmt = ndpi_serialization_format_json; 227| 10.6k| serializer->multiline_json_array = 1; 228| 31.6k| } else if (fmt == ndpi_serialization_format_inner_json) { ------------------ | Branch (228:14): [True: 0, False: 31.6k] ------------------ 229| 0| fmt = ndpi_serialization_format_json; 230| 0| serializer->inner_json = 1; 231| 0| } 232| | 233| 42.2k| serializer->fmt = fmt; 234| | 235| 42.2k| if (buffer_size < 3 || ------------------ | Branch (235:7): [True: 0, False: 42.2k] ------------------ 236| 42.2k| ndpi_init_serializer_buffer(&serializer->buffer, 
buffer_size) != 0) ------------------ | Branch (236:7): [True: 2.19k, False: 40.0k] ------------------ 237| 2.19k| return(-1); 238| | 239| 40.0k| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (239:6): [True: 23.9k, False: 16.1k] ------------------ 240| | /* nothing to do */ 241| | 242| 23.9k| } else if (fmt == ndpi_serialization_format_csv) { ------------------ | Branch (242:14): [True: 6.01k, False: 10.1k] ------------------ 243| 6.01k| if (ndpi_init_serializer_buffer(&serializer->header, NDPI_SERIALIZER_DEFAULT_HEADER_SIZE) != 0) { ------------------ | | 1491| 6.01k|#define NDPI_SERIALIZER_DEFAULT_HEADER_SIZE 1024 ------------------ | Branch (243:9): [True: 343, False: 5.67k] ------------------ 244| 343| ndpi_term_serializer(_serializer); 245| 343| return(-1); 246| 343| } 247| | 248| 10.1k| } else /* ndpi_serialization_format_tlv */ { 249| 10.1k| serializer->buffer.data[0] = 1; /* version */ 250| 10.1k| serializer->buffer.data[1] = (u_int8_t) fmt; 251| 10.1k| } 252| | 253| 39.7k| serializer->csv_separator[0] = ','; 254| 39.7k| serializer->csv_separator[1] = '\0'; 255| | 256| 39.7k| ndpi_reset_serializer(_serializer); 257| | 258| 39.7k| return(0); 259| 40.0k|} ndpi_init_serializer: 264| 42.2k| ndpi_serialization_format fmt) { 265| 42.2k| return(ndpi_init_serializer_ll(_serializer, fmt, NDPI_SERIALIZER_DEFAULT_BUFFER_SIZE)); ------------------ | | 1492| 42.2k|#define NDPI_SERIALIZER_DEFAULT_BUFFER_SIZE 256 ------------------ 266| 42.2k|} ndpi_term_serializer: 446| 44.9k|void ndpi_term_serializer(ndpi_serializer *_serializer) { 447| 44.9k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 448| | 449| 44.9k| if(serializer->buffer.data) { ------------------ | Branch (449:6): [True: 40.0k, False: 4.88k] ------------------ 450| 40.0k| ndpi_free(serializer->buffer.data); 451| 40.0k| serializer->buffer.size = 0; 452| 40.0k| serializer->buffer.data = NULL; 453| 40.0k| } 454| | 455| 44.9k| 
if(serializer->header.data) { ------------------ | Branch (455:6): [True: 5.67k, False: 39.3k] ------------------ 456| 5.67k| ndpi_free(serializer->header.data); 457| 5.67k| serializer->header.size = 0; 458| | serializer->header.data = NULL; 459| 5.67k| } 460| 44.9k|} ndpi_serialize_uint32_binary: 1293| 9.62k| u_int32_t key, const char *value, u_int16_t slen) { 1294| 9.62k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 1295| 9.62k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1296| 9.62k| u_int32_t needed = 1297| 9.62k| sizeof(u_int8_t) /* type */ + 1298| 9.62k| sizeof(u_int32_t) /* key */ + 1299| 9.62k| sizeof(u_int16_t) /* len */ + 1300| 9.62k| slen; 1301| 9.62k| int rc; 1302| | 1303| 9.62k| if(serializer->fmt == ndpi_serialization_format_json) ------------------ | Branch (1303:6): [True: 5.74k, False: 3.88k] ------------------ 1304| 5.74k| needed += 24 + slen*2 /* account escape (x2) */; 1305| | 1306| 9.62k| if(buff_diff < needed) { ------------------ | Branch (1306:6): [True: 587, False: 9.04k] ------------------ 1307| 587| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (1307:8): [True: 30, False: 557] ------------------ 1308| 30| return(-1); 1309| 557| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1310| 557| } 1311| | 1312| 9.59k| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (1312:6): [True: 5.71k, False: 3.88k] ------------------ 1313| 5.71k| ndpi_serialize_json_pre(_serializer); 1314| 5.71k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1315| | 1316| 5.71k| if (!(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST)) { ------------------ | | 1500| 5.71k|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ | Branch (1316:9): [True: 5.71k, False: 0] ------------------ 1317| 5.71k| rc = ndpi_snprintf((char *) 
&serializer->buffer.data[serializer->status.buffer.size_used], 1318| 5.71k| buff_diff, "\"%u\":", key); 1319| 5.71k| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (1319:10): [True: 0, False: 5.71k] | Branch (1319:20): [True: 0, False: 5.71k] ------------------ 1320| 0| return(-1); 1321| 5.71k| serializer->status.buffer.size_used += rc; 1322| 5.71k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1323| 5.71k| } 1324| 5.71k| serializer->status.buffer.size_used += ndpi_json_string_escape(value, slen, 1325| 5.71k| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 1326| 5.71k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1327| 5.71k| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (1327:8): [True: 0, False: 5.71k] ------------------ 1328| 0| return(-1); 1329| 5.71k| } else if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (1329:13): [True: 1.65k, False: 2.23k] ------------------ 1330| 1.65k| if (ndpi_serializer_header_uint32(serializer, key) < 0) return(-1); ------------------ | Branch (1330:9): [True: 0, False: 1.65k] ------------------ 1331| 1.65k| ndpi_serialize_csv_pre(serializer); 1332| 1.65k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1333| 1.65k| rc = ndpi_snprintf((char *) 1334| 1.65k| &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, 1335| 1.65k| "%.*s", slen, value); 1336| 1.65k| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (1336:8): [True: 0, False: 1.65k] | Branch (1336:18): [True: 0, False: 1.65k] ------------------ 1337| 0| return(-1); 1338| 1.65k| serializer->status.buffer.size_used += rc; 1339| 2.23k| } else { 1340| 2.23k| ndpi_serialization_type kt; 1341| 2.23k| u_int8_t type = 0; 1342| 2.23k| u_int32_t type_offset = serializer->status.buffer.size_used++; 1343| | 1344| 2.23k| kt = 
ndpi_serialize_key_uint32(serializer, key); 1345| 2.23k| type = (kt << 4); 1346| | 1347| 2.23k| ndpi_serialize_single_string(serializer, value, slen); 1348| 2.23k| type |= ndpi_serialization_string; 1349| | 1350| 2.23k| serializer->buffer.data[type_offset] = type; 1351| 2.23k| } 1352| | 1353| 9.59k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_NOT_EMPTY; ------------------ | | 1499| 9.59k|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) ------------------ 1354| 9.59k| return(0); 1355| 9.59k|} ndpi_serialize_uint32_string: 1360| 9.62k| u_int32_t key, const char *_value) { 1361| 9.62k| const char *value = _value ? _value : ""; ------------------ | Branch (1361:23): [True: 9.62k, False: 0] ------------------ 1362| 9.62k| return(ndpi_serialize_uint32_binary(_serializer, key, value, strlen(value))); 1363| 9.62k|} ndpi_serialize_binary_int32: 1427| 12| int32_t value) { 1428| 12| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 1429| 12| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1430| 12| u_int32_t needed; 1431| 12| int rc; 1432| | 1433| 12|#ifdef OPTIMIZE_NUMERIC_KEYS 1434| 12| if(ndpi_is_number(key, klen)) ------------------ | Branch (1434:6): [True: 0, False: 12] ------------------ 1435| 0| return(ndpi_serialize_uint32_int32(_serializer, atoi(key), value)); 1436| 12|#endif 1437| | 1438| 12| needed = 1439| 12| sizeof(u_int8_t) /* type */ + 1440| 12| sizeof(u_int16_t) /* key len */ + 1441| 12| klen /* key */ + 1442| 12| sizeof(u_int32_t); 1443| | 1444| 12| if(serializer->fmt == ndpi_serialization_format_json) ------------------ | Branch (1444:6): [True: 8, False: 4] ------------------ 1445| 8| needed += 16 + klen; 1446| | 1447| 12| if(buff_diff < needed) { ------------------ | Branch (1447:6): [True: 0, False: 12] ------------------ 1448| 0| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (1448:8): [True: 0, False: 0] ------------------ 
1449| 0| return(-1); 1450| 0| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1451| 0| } 1452| | 1453| 12| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (1453:6): [True: 8, False: 4] ------------------ 1454| 8| ndpi_serialize_json_pre(_serializer); 1455| 8| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1456| | 1457| 8| if (!(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST)) { ------------------ | | 1500| 8|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ | Branch (1457:9): [True: 8, False: 0] ------------------ 1458| 8| serializer->status.buffer.size_used += ndpi_json_string_escape(key, klen, 1459| 8| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 1460| 8| serializer->buffer.data[serializer->status.buffer.size_used] = ':'; 1461| 8| serializer->status.buffer.size_used++; 1462| 8| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1463| 8| } 1464| | 1465| 8| rc = ndpi_snprintf((char *) 1466| 8| &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, "%d", value); 1467| 8| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (1467:8): [True: 0, False: 8] | Branch (1467:18): [True: 0, False: 8] ------------------ 1468| 0| return(-1); 1469| 8| serializer->status.buffer.size_used += rc; 1470| | 1471| 8| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (1471:8): [True: 0, False: 8] ------------------ 1472| 0| return(-1); 1473| 8| } else if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (1473:13): [True: 0, False: 4] ------------------ 1474| 0| if (ndpi_serializer_header_string(serializer, key, klen) < 0) return(-1); ------------------ | Branch (1474:9): [True: 0, False: 0] ------------------ 1475| 0| ndpi_serialize_csv_pre(serializer); 1476| 0| buff_diff = serializer->buffer.size - 
serializer->status.buffer.size_used; 1477| 0| rc = ndpi_snprintf((char *) 1478| 0| &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, 1479| 0| "%d", value); 1480| 0| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (1480:8): [True: 0, False: 0] | Branch (1480:18): [True: 0, False: 0] ------------------ 1481| 0| return(-1); 1482| 0| serializer->status.buffer.size_used += rc; 1483| 4| } else { 1484| 4| if(value <= 127 && value >= -128) { ------------------ | Branch (1484:8): [True: 4, False: 0] | Branch (1484:24): [True: 4, False: 0] ------------------ 1485| 4| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_int8; 1486| 4| ndpi_serialize_single_string(serializer, key, klen); 1487| 4| ndpi_serialize_single_uint8(serializer, value); 1488| 4| } else if(value <= 32767 && value >= -32768) { ------------------ | Branch (1488:15): [True: 0, False: 0] | Branch (1488:33): [True: 0, False: 0] ------------------ 1489| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_int16; 1490| 0| ndpi_serialize_single_string(serializer, key, klen); 1491| 0| ndpi_serialize_single_uint16(serializer, value); 1492| 0| } else { 1493| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_int32; 1494| 0| ndpi_serialize_single_string(serializer, key, klen); 1495| 0| ndpi_serialize_single_uint32(serializer, value); 1496| 0| } 1497| 4| } 1498| | 1499| 12| serializer->status.flags |= NDPI_SERIALIZER_STATUS_NOT_EMPTY; ------------------ | | 1499| 12|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) ------------------ 1500| | 1501| 12| return(0); 1502| 12|} ndpi_serialize_string_int32: 1507| 16| const char *key, int32_t value) { 1508| 16|#ifdef OPTIMIZE_CSV_SERIALIZATION 1509| 16| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 
1510| |
/* CSV branch: only the value is written as text here; the key is used solely
 * to build the header row while NDPI_SERIALIZER_STATUS_HDR_DONE is not set. */
1511| 16| if(serializer->fmt == ndpi_serialization_format_csv) {
------------------
| Branch (1511:6): [True: 4, False: 12]
------------------
1512| | /* Key is ignored */
1513| 4| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used;
/* NOTE(review): 12 bytes covers a 10-digit unsigned rendering plus separator
 * and NUL. A signed rendering of the most negative int32_t needs 11 characters,
 * so this reserve has to grow if the format below is changed to "%d". */
1514| 4| u_int16_t needed = 12 /* 10 (billion) + CVS separator + \0 */;
1515| 4| int rc;
1516| |
/* buff_diff is not refreshed inside this branch after a successful extend; it
 * is recomputed after ndpi_serialize_csv_pre() below, before it is used as the
 * ndpi_snprintf bound. */
1517| 4| if(buff_diff < needed) {
------------------
| Branch (1517:8): [True: 0, False: 4]
------------------
1518| 0| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0)
------------------
| Branch (1518:10): [True: 0, False: 0]
------------------
1519| 0| return(-1);
1520| 0| }
1521| |
/* NOTE(review): key is passed to strlen() without a NULL check, here and in
 * the fallback call at the end of the function - presumably callers always
 * pass a NUL-terminated key; verify. */
1522| 4| if(!(serializer->status.flags & NDPI_SERIALIZER_STATUS_HDR_DONE)) {
------------------
| | 1502| 4|#define NDPI_SERIALIZER_STATUS_HDR_DONE (1 << 7)
------------------
| Branch (1522:8): [True: 4, False: 0]
------------------
1523| 4| if(ndpi_serializer_header_string(serializer, key, strlen(key)) < 0)
------------------
| Branch (1523:10): [True: 0, False: 4]
------------------
1524| 0| return(-1);
1525| 4| }
1526| |
1527| 4| ndpi_serialize_csv_pre(serializer);
1528| 4| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used;
1529| |
/* NOTE(review): value is declared int32_t in the parameter list but is
 * formatted with "%u", so a negative value is emitted as a large unsigned
 * number. The JSON and CSV branches of ndpi_serialize_binary_int32 format the
 * same type with "%d"; confirm which rendering consumers of the CSV expect. */
1530| 4| rc = ndpi_snprintf((char*)&serializer->buffer.data[serializer->status.buffer.size_used],
1531| 4| buff_diff, "%u", value);
1532| |
/* rc >= buff_diff means the text did not fit; the function fails before
 * size_used is advanced. */
1533| 4| if(rc < 0 || (u_int)rc >= buff_diff)
------------------
| Branch (1533:8): [True: 0, False: 4]
| Branch (1533:18): [True: 0, False: 4]
------------------
1534| 0| return(-1);
1535| |
1536| 4| serializer->status.buffer.size_used += rc;
1537| |
1538| 4| return(0);
1539| 4| } else
1540| 12|#endif
/* Every other format is delegated to the key/length variant. strlen(key)
 * yields a size_t; presumably it is narrowed to a u_int16_t klen parameter as
 * in ndpi_serialize_binary_uint32 - TODO confirm keys stay below 64 KiB. */
1541| 12| return(ndpi_serialize_binary_int32(_serializer, key, strlen(key), value));
1542| 16|}
ndpi_serialize_binary_uint32:
1629| 120k| const char *key, u_int16_t klen, u_int32_t value) {
1630| 120k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
1631| 120k| u_int32_t
buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1632| 120k| u_int32_t needed; 1633| 120k| int rc; 1634| | 1635| 120k|#ifdef OPTIMIZE_CSV_SERIALIZATION 1636| 120k| if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (1636:6): [True: 19.4k, False: 101k] ------------------ 1637| | /* Key is ignored */ 1638| 19.4k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1639| 19.4k| u_int16_t needed; 1640| 19.4k| char _value[16]; 1641| | 1642| 19.4k| ndpi_snprintf(_value, sizeof(_value), "%u", value); 1643| 19.4k| needed = strlen(_value) + 1 /* CVS separator */; 1644| | 1645| 19.4k| if(buff_diff < needed) { ------------------ | Branch (1645:8): [True: 35, False: 19.4k] ------------------ 1646| 35| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (1646:10): [True: 2, False: 33] ------------------ 1647| 2| return(-1); 1648| 33| else 1649| 33| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1650| 35| } 1651| | 1652| 19.4k| if(!(serializer->status.flags & NDPI_SERIALIZER_STATUS_HDR_DONE)) { ------------------ | | 1502| 19.4k|#define NDPI_SERIALIZER_STATUS_HDR_DONE (1 << 7) ------------------ | Branch (1652:8): [True: 19.4k, False: 0] ------------------ 1653| 19.4k| if(ndpi_serializer_header_string(serializer, key, klen) < 0) ------------------ | Branch (1653:10): [True: 0, False: 19.4k] ------------------ 1654| 0| return(-1); 1655| 19.4k| } 1656| | 1657| 19.4k| ndpi_serialize_csv_pre(serializer); 1658| 19.4k| needed--; 1659| 19.4k| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], _value, needed); 1660| 19.4k| serializer->status.buffer.size_used += needed; 1661| 19.4k| return(0); 1662| 19.4k| } 1663| 101k|#endif 1664| | 1665| 101k|#ifdef OPTIMIZE_NUMERIC_KEYS 1666| 101k| if(ndpi_is_number(key, klen)) ------------------ | Branch (1666:6): [True: 0, False: 101k] ------------------ 1667| 
0| return(ndpi_serialize_uint32_uint32(_serializer, atoi(key), value)); 1668| 101k|#endif 1669| | 1670| 101k| needed = 1671| 101k| sizeof(u_int8_t) /* type */ + 1672| 101k| sizeof(u_int16_t) /* key len */ + 1673| 101k| klen /* key */ + 1674| 101k| sizeof(u_int32_t) + /* value (as int) */ 1675| 101k| 20 /* value (as string, in case of CSV) */ + 1676| 101k| 16 /* extra overhead for JSON */; 1677| | 1678| 101k| if(buff_diff < needed) { ------------------ | Branch (1678:6): [True: 8.33k, False: 93.1k] ------------------ 1679| 8.33k| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (1679:8): [True: 528, False: 7.80k] ------------------ 1680| 528| return(-1); 1681| 7.80k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1682| 7.80k| } 1683| | 1684| 100k| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (1684:6): [True: 73.5k, False: 27.3k] ------------------ 1685| 73.5k| ndpi_serialize_json_pre(_serializer); 1686| 73.5k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1687| | 1688| 73.5k| if (!(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST)) { ------------------ | | 1500| 73.5k|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ | Branch (1688:9): [True: 73.5k, False: 0] ------------------ 1689| 73.5k| serializer->status.buffer.size_used += ndpi_json_string_escape(key, klen, 1690| 73.5k| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 1691| 73.5k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1692| 73.5k| serializer->buffer.data[serializer->status.buffer.size_used] = ':'; 1693| 73.5k| serializer->status.buffer.size_used++; 1694| 73.5k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1695| 73.5k| } 1696| | 1697| 73.5k| rc = ndpi_snprintf((char *) 1698| 73.5k| 
&serializer->buffer.data[serializer->status.buffer.size_used], 1699| 73.5k| buff_diff, "%u", value); 1700| 73.5k| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (1700:8): [True: 0, False: 73.5k] | Branch (1700:18): [True: 0, False: 73.5k] ------------------ 1701| 0| return(-1); 1702| 73.5k| serializer->status.buffer.size_used += rc; 1703| | 1704| 73.5k| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (1704:8): [True: 0, False: 73.5k] ------------------ 1705| 0| return(-1); 1706| 73.5k| } else if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (1706:13): [True: 0, False: 27.3k] ------------------ 1707| |#ifndef OPTIMIZE_CSV_SERIALIZATION 1708| | if (ndpi_serializer_header_string(serializer, key, klen) < 0) return(-1); 1709| | ndpi_serialize_csv_pre(serializer); 1710| | buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1711| | rc = ndpi_snprintf((char *) 1712| | &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, 1713| | "%u", value); 1714| | if(rc < 0 || (u_int)rc >= buff_diff) 1715| | return(-1); 1716| | serializer->status.buffer.size_used += rc; 1717| |#endif 1718| 27.3k| } else { 1719| 27.3k| if(value <= 0xff) { ------------------ | Branch (1719:8): [True: 19.8k, False: 7.47k] ------------------ 1720| 19.8k| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_uint8; 1721| 19.8k| ndpi_serialize_single_string(serializer, key, klen); 1722| 19.8k| ndpi_serialize_single_uint8(serializer, value); 1723| 19.8k| } else if(value <= 0xffff) { ------------------ | Branch (1723:15): [True: 7.47k, False: 0] ------------------ 1724| 7.47k| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_uint16; 1725| 7.47k| ndpi_serialize_single_string(serializer, key, klen); 1726| 7.47k| ndpi_serialize_single_uint16(serializer, value); 
1727| 7.47k| } else { 1728| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_uint32; 1729| 0| ndpi_serialize_single_string(serializer, key, klen); 1730| 0| ndpi_serialize_single_uint32(serializer, value); 1731| 0| } 1732| 27.3k| } 1733| | 1734| 100k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_NOT_EMPTY; ------------------ | | 1499| 100k|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) ------------------ 1735| 100k| return(0); 1736| 100k|} ndpi_serialize_string_uint32: 1741| 120k| const char *key, u_int32_t value) { 1742| 120k| return(ndpi_serialize_binary_uint32(_serializer, key, strlen(key), value)); 1743| 120k|} ndpi_serialize_binary_float: 1856| 762| const char *format /* e.f. "%.2f" */) { 1857| 762| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 1858| 762| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1859| 762| u_int32_t needed; 1860| 762| int rc; 1861| | 1862| 762|#ifdef OPTIMIZE_NUMERIC_KEYS 1863| 762| if(ndpi_is_number(key, klen)) ------------------ | Branch (1863:6): [True: 0, False: 762] ------------------ 1864| 0| return(ndpi_serialize_uint32_float(_serializer, atoi(key), value, format)); 1865| 762|#endif 1866| | 1867| 762| needed = 1868| 762| sizeof(u_int8_t) /* type */ + 1869| 762| sizeof(u_int16_t) /* key len */ + 1870| 762| klen /* key */ + 1871| 762| sizeof(float) + 1872| 762| 32; /* Safety, because printing float might lead to LONG string */ 1873| | 1874| 762| if(serializer->fmt == ndpi_serialization_format_json) ------------------ | Branch (1874:6): [True: 462, False: 300] ------------------ 1875| 462| needed += 32 + klen; 1876| | 1877| 762| if(buff_diff < needed) { ------------------ | Branch (1877:6): [True: 94, False: 668] ------------------ 1878| 94| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (1878:8): [True: 8, False: 86] 
------------------ 1879| 8| return(-1); 1880| 86| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1881| 86| } 1882| | 1883| 754| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (1883:6): [True: 454, False: 300] ------------------ 1884| 454| ndpi_serialize_json_pre(_serializer); 1885| 454| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1886| | 1887| 454| if (!(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST)) { ------------------ | | 1500| 454|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ | Branch (1887:9): [True: 454, False: 0] ------------------ 1888| 454| serializer->status.buffer.size_used += ndpi_json_string_escape(key, klen, 1889| 454| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 1890| 454| serializer->buffer.data[serializer->status.buffer.size_used] = ':'; 1891| 454| serializer->status.buffer.size_used++; 1892| 454| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 1893| 454| } 1894| | 1895| 454| rc = ndpi_snprintf((char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, format, value); 1896| 454| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (1896:8): [True: 0, False: 454] | Branch (1896:18): [True: 0, False: 454] ------------------ 1897| 0| return(-1); 1898| 454| serializer->status.buffer.size_used += rc; 1899| | 1900| 454| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (1900:8): [True: 0, False: 454] ------------------ 1901| 0| return(-1); 1902| 454| } else if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (1902:13): [True: 161, False: 139] ------------------ 1903| 161| if (ndpi_serializer_header_string(serializer, key, klen) < 0) return(-1); ------------------ | Branch (1903:9): [True: 0, False: 161] ------------------ 1904| 161| ndpi_serialize_csv_pre(serializer); 1905| 
161| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used;
/* NOTE(review): format is a caller-supplied printf format (the parameter
 * comment gives "%.2f" as the example) and is used directly as the
 * ndpi_snprintf format string, here and in the JSON branch above. It has to be
 * a trusted constant that consumes exactly one floating-point argument; it
 * must never be derived from captured traffic or other external input. The
 * output length also depends on it: the reserve computed earlier allows 32
 * bytes for the rendered value, and the rc check below is what rejects a
 * longer rendering. */
1906| 161| rc = ndpi_snprintf((char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, format, value);
1907| 161| if(rc < 0 || (u_int)rc >= buff_diff)
------------------
| Branch (1907:8): [True: 0, False: 161]
| Branch (1907:18): [True: 0, False: 161]
------------------
1908| 0| return(-1);
1909| 161| serializer->status.buffer.size_used += rc;
1910| 161| } else {
/* Remaining format (neither JSON nor CSV): one type byte with the key type in
 * the high nibble and the value type in the low nibble, then the key, then the
 * float. These writes carry no bounds check of their own in this function and
 * rely on the reserve made before the format dispatch. */
1911| 139| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_float;
1912| |
1913| 139| ndpi_serialize_single_string(serializer, key, klen);
1914| 139| ndpi_serialize_single_float(serializer, value);
1915| 139| }
1916| |
1917| 754| serializer->status.flags |= NDPI_SERIALIZER_STATUS_NOT_EMPTY;
------------------
| | 1499| 754|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4)
------------------
1918| 754| return(0);
1919| 754|}
ndpi_serialize_string_float:
1997| 762| const char *format /* e.f. "%.2f" */) {
/* Thin wrapper: measures the key with strlen() and forwards everything,
 * including the caller-supplied format, to ndpi_serialize_binary_float.
 * NOTE(review): key is not NULL-checked before strlen() - presumably
 * guaranteed by callers; verify. */
1998| 762| return(ndpi_serialize_binary_float(_serializer, key, strlen(key), value, format));
1999| 762|}
ndpi_serialize_binary_binary:
2087| 114k| u_int16_t vlen) {
/* A NULL value pointer is replaced by the empty string before it is forwarded.
 * NOTE(review): vlen is forwarded unchanged, so a NULL value with a non-zero
 * vlen would read past the substituted literal - presumably callers pass
 * vlen 0 in that case; verify. */
2088| 114k| const char *value = _value ?
_value : ""; ------------------ | Branch (2088:23): [True: 114k, False: 0] ------------------ 2089| | 2090| 114k|#ifdef OPTIMIZE_NUMERIC_KEYS 2091| 114k| if(ndpi_is_number(key, klen)) ------------------ | Branch (2091:6): [True: 0, False: 114k] ------------------ 2092| 0| return(ndpi_serialize_uint32_binary(_serializer, atoi(key), value, vlen)); 2093| 114k|#endif 2094| | 2095| 114k| return(ndpi_serialize_binary_raw(_serializer, key, klen, value, vlen, 1 /* escape */)); 2096| 114k|} ndpi_serialize_string_string_len: 2112| 137k| const char *value, u_int16_t value_len) { 2113| 137k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 2114| | 2115| 137k|#ifdef OPTIMIZE_CSV_SERIALIZATION 2116| 137k| if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (2116:6): [True: 22.7k, False: 114k] ------------------ 2117| | /* Key is ignored */ 2118| 22.7k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2119| 22.7k| u_int16_t needed = value_len + 1 /* CVS separator */; 2120| | 2121| 22.7k| if(buff_diff < needed) { ------------------ | Branch (2121:8): [True: 422, False: 22.3k] ------------------ 2122| 422| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (2122:10): [True: 32, False: 390] ------------------ 2123| 32| return(-1); 2124| 390| else 2125| 390| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2126| 422| } 2127| | 2128| 22.7k| if(!(serializer->status.flags & NDPI_SERIALIZER_STATUS_HDR_DONE)) { ------------------ | | 1502| 22.7k|#define NDPI_SERIALIZER_STATUS_HDR_DONE (1 << 7) ------------------ | Branch (2128:8): [True: 22.7k, False: 0] ------------------ 2129| 22.7k| if(ndpi_serializer_header_string(serializer, key, strlen(key)) < 0) ------------------ | Branch (2129:10): [True: 0, False: 22.7k] ------------------ 2130| 0| return(-1); 2131| 22.7k| } 2132| | 2133| 22.7k| 
ndpi_serialize_csv_pre(serializer);
/* NOTE(review): needed is a u_int16_t initialised to value_len + 1 earlier in
 * this function. If value_len is 0xFFFF that sum wraps to 0, the capacity
 * check passes without extending the buffer, and the decrement below wraps
 * back to 0xFFFF, so the memcpy length is no longer tied to the space that was
 * reserved. Computing the requirement in u_int32_t and re-checking it against
 * the free space after ndpi_serialize_csv_pre() would remove the wrap.
 * TODO confirm whether any caller can pass value_len == 0xFFFF. */
2134| 22.7k| needed--;
2135| 22.7k| if (needed > 0)
------------------
| Branch (2135:9): [True: 21.9k, False: 812]
------------------
/* value is copied as raw bytes with no CSV quoting or escaping in this branch;
 * presumably separators inside value are handled elsewhere - verify. */
2136| 21.9k| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], value, needed);
2137| 22.7k| serializer->status.buffer.size_used += needed;
2138| 22.7k| return(0);
2139| 22.7k| } else
2140| 114k|#endif
/* Non-CSV formats: delegate to the binary key/value variant with the key
 * length taken from strlen(). */
2141| 114k| return(ndpi_serialize_binary_binary(_serializer, key, strlen(key),
2142| 114k| value, value_len));
2143| 137k|}
ndpi_serialize_string_string:
2149| 137k| const char *key, const char *_value) {
/* A NULL value is serialized as the empty string. */
2150| 137k| const char *value = _value ? _value : "";
------------------
| Branch (2150:23): [True: 137k, False: 20]
------------------
2151| |
/* NOTE(review): strlen(value) is a size_t and is narrowed to the u_int16_t
 * value_len parameter of ndpi_serialize_string_string_len, so a value longer
 * than 65535 bytes is passed with a truncated length, and a value of exactly
 * 65535 bytes reaches the wrap described in that function. Clamping or
 * rejecting over-long values here would make the contract explicit. */
2152| 137k| return(ndpi_serialize_string_string_len(_serializer, key, value, strlen(value)));
2153| 137k|}
ndpi_serialize_start_of_list_binary:
2235| 1.37k| const char *key, u_int16_t klen) {
2236| 1.37k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer;
2237| 1.37k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used;
2238| 1.37k| u_int32_t needed;
2239| 1.37k| int rc;
2240| |
/* Lists are only produced for the JSON and TLV formats; any other format
 * fails with -1 before the buffer is touched. */
2241| 1.37k| if(serializer->fmt != ndpi_serialization_format_json &&
------------------
| Branch (2241:6): [True: 481, False: 898]
------------------
2242| 481| serializer->fmt != ndpi_serialization_format_tlv)
------------------
| Branch (2242:6): [True: 314, False: 167]
------------------
2243| 314| return(-1);
2244| |
/* NOTE(review): the reserve is the key length plus 16 bytes of slack. The JSON
 * branch writes the key through ndpi_json_string_escape(), whose output may be
 * longer than klen if characters are escaped; whether klen + 16 always covers
 * that depends on the helper honouring the buff_diff bound - verify. */
2245| 1.06k| needed = 16 + klen;
2246| |
2247| 1.06k| if(buff_diff < needed) {
------------------
| Branch (2247:6): [True: 0, False: 1.06k]
------------------
2248| 0| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0)
------------------
| Branch (2248:8): [True: 0, False: 0]
------------------
2249| 0| return(-1);
2250| 0| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used;
2251| 0| }
2252| |
2253| 1.06k| if (serializer->fmt ==
ndpi_serialization_format_json) { ------------------ | Branch (2253:7): [True: 898, False: 167] ------------------ 2254| 898| ndpi_serialize_json_pre(_serializer); 2255| 898| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2256| | 2257| 898| serializer->status.buffer.size_used += ndpi_json_string_escape(key, klen, 2258| 898| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 2259| | 2260| 898| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2261| | 2262| 898| rc = ndpi_snprintf((char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, ": ["); 2263| 898| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (2263:8): [True: 0, False: 898] | Branch (2263:18): [True: 0, False: 898] ------------------ 2264| 0| return(-1); 2265| 898| serializer->status.buffer.size_used += rc; 2266| | 2267| 898| serializer->status.flags |= NDPI_SERIALIZER_STATUS_LIST | NDPI_SERIALIZER_STATUS_SOL; ------------------ | | 1500| 898|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ serializer->status.flags |= NDPI_SERIALIZER_STATUS_LIST | NDPI_SERIALIZER_STATUS_SOL; ------------------ | | 1501| 898|#define NDPI_SERIALIZER_STATUS_SOL (1 << 6) ------------------ 2268| | 2269| 898| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (2269:8): [True: 0, False: 898] ------------------ 2270| 0| return(-1); 2271| 898| } else { 2272| 167| serializer->buffer.data[serializer->status.buffer.size_used++] = ndpi_serialization_start_of_list; 2273| 167| ndpi_serialize_single_string(serializer, key, klen); 2274| 167| } 2275| | 2276| 1.06k| return(0); 2277| 1.06k|} ndpi_serialize_start_of_list: 2283| 1.37k| const char *_key) { 2284| 1.37k| const char *key = _key ? 
_key : ""; ------------------ | Branch (2284:21): [True: 1.37k, False: 0] ------------------ 2285| 1.37k| u_int16_t klen = strlen(key); 2286| | 2287| 1.37k| return(ndpi_serialize_start_of_list_binary(_serializer, key, klen)); 2288| 1.37k|} ndpi_serialize_end_of_list: 2293| 1.37k|int ndpi_serialize_end_of_list(ndpi_serializer *_serializer) { 2294| 1.37k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 2295| | 2296| 1.37k| if(serializer->fmt != ndpi_serialization_format_json && ------------------ | Branch (2296:6): [True: 481, False: 898] ------------------ 2297| 481| serializer->fmt != ndpi_serialization_format_tlv) ------------------ | Branch (2297:6): [True: 314, False: 167] ------------------ 2298| 314| return(-1); 2299| | 2300| 1.06k| if (serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (2300:7): [True: 898, False: 167] ------------------ 2301| 898| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_SOL) /* Empty list */ ------------------ | | 1501| 898|#define NDPI_SERIALIZER_STATUS_SOL (1 << 6) ------------------ | Branch (2301:8): [True: 443, False: 455] ------------------ 2302| 443| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_SOL; ------------------ | | 1501| 443|#define NDPI_SERIALIZER_STATUS_SOL (1 << 6) ------------------ 2303| | 2304| 898| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_LIST; ------------------ | | 1500| 898|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ 2305| 898| } else { 2306| 167| if(serializer->status.buffer.size_used == serializer->buffer.size) ------------------ | Branch (2306:8): [True: 5, False: 162] ------------------ 2307| 5| return(-1); 2308| 162| serializer->buffer.data[serializer->status.buffer.size_used++] = ndpi_serialization_end_of_list; 2309| 162| } 2310| | 2311| 1.06k| return(0); 2312| 1.06k|} ndpi_serialize_start_of_block_binary: 2318| 62.7k| const char *key, u_int16_t klen) { 2319| 62.7k| ndpi_private_serializer *serializer = 
(ndpi_private_serializer*)_serializer; 2320| 62.7k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2321| 62.7k| u_int32_t needed; 2322| 62.7k| int rc; 2323| | 2324| 62.7k| if(serializer->fmt != ndpi_serialization_format_json && ------------------ | Branch (2324:6): [True: 25.1k, False: 37.6k] ------------------ 2325| 25.1k| serializer->fmt != ndpi_serialization_format_tlv) ------------------ | Branch (2325:6): [True: 9.72k, False: 15.4k] ------------------ 2326| 9.72k| return(-1); 2327| | 2328| 53.0k| needed = 16 + klen; 2329| | 2330| 53.0k| if(buff_diff < needed) { ------------------ | Branch (2330:6): [True: 385, False: 52.6k] ------------------ 2331| 385| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (2331:8): [True: 32, False: 353] ------------------ 2332| 32| return(-1); 2333| 353| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2334| 353| } 2335| | 2336| 53.0k| if (serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (2336:7): [True: 37.6k, False: 15.3k] ------------------ 2337| 37.6k| ndpi_serialize_json_pre(_serializer); 2338| 37.6k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2339| | 2340| 37.6k| serializer->status.buffer.size_used += ndpi_json_string_escape(key, klen, 2341| 37.6k| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 2342| 37.6k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2343| 37.6k| rc = ndpi_snprintf((char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff, ": {"); 2344| 37.6k| if(rc < 0 || (u_int)rc >= buff_diff) ------------------ | Branch (2344:8): [True: 0, False: 37.6k] | Branch (2344:18): [True: 0, False: 37.6k] ------------------ 2345| 0| return(-1); 2346| 37.6k| serializer->status.buffer.size_used += rc; 2347| 37.6k| buff_diff = serializer->buffer.size - 
serializer->status.buffer.size_used; 2348| 37.6k| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (2348:8): [True: 0, False: 37.6k] ------------------ 2349| 0| return(-1); 2350| | 2351| 37.6k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_SOB; ------------------ | | 1498| 37.6k|#define NDPI_SERIALIZER_STATUS_SOB (1 << 3) ------------------ 2352| 37.6k| } else /* ndpi_serialization_format_tlv */ { 2353| 15.3k| serializer->buffer.data[serializer->status.buffer.size_used++] = ndpi_serialization_start_of_block; 2354| 15.3k| ndpi_serialize_single_string(serializer, key, klen); 2355| 15.3k| } 2356| | 2357| 53.0k| return(0); 2358| 53.0k|} ndpi_serialize_start_of_block: 2364| 49.4k| const char *_key) { 2365| 49.4k| const char *key = _key ? _key : ""; ------------------ | Branch (2365:21): [True: 49.4k, False: 0] ------------------ 2366| 49.4k| u_int16_t klen = strlen(key); 2367| | 2368| 49.4k| return(ndpi_serialize_start_of_block_binary(_serializer, key, klen)); 2369| 49.4k|} ndpi_serialize_start_of_block_uint32: 2374| 13.3k|int ndpi_serialize_start_of_block_uint32(ndpi_serializer *_serializer, u_int32_t key) { 2375| 13.3k| char buf[11]; 2376| 13.3k| int written = ndpi_snprintf(buf, sizeof(buf), "%u", key); 2377| | 2378| 13.3k| if (written <= 0 || written == sizeof(buf)) ------------------ | Branch (2378:7): [True: 0, False: 13.3k] | Branch (2378:23): [True: 0, False: 13.3k] ------------------ 2379| 0| { 2380| 0| return(-1); 2381| 0| } 2382| | 2383| 13.3k| return(ndpi_serialize_start_of_block_binary(_serializer, buf, written)); 2384| 13.3k|} ndpi_serialize_end_of_block: 2389| 62.7k|int ndpi_serialize_end_of_block(ndpi_serializer *_serializer) { 2390| 62.7k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 2391| 62.7k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2392| 62.7k| u_int32_t needed; 2393| | 2394| 62.7k| if(serializer->fmt != ndpi_serialization_format_json && 
------------------ | Branch (2394:6): [True: 25.1k, False: 37.6k] ------------------ 2395| 25.1k| serializer->fmt != ndpi_serialization_format_tlv) ------------------ | Branch (2395:6): [True: 9.72k, False: 15.4k] ------------------ 2396| 9.72k| return(-1); 2397| | 2398| 53.0k| needed = 4; 2399| | 2400| 53.0k| if(buff_diff < needed) { ------------------ | Branch (2400:6): [True: 80, False: 52.9k] ------------------ 2401| 80| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (2401:8): [True: 8, False: 72] ------------------ 2402| 8| return(-1); 2403| 72| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2404| 72| } 2405| | 2406| 53.0k| if (serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (2406:7): [True: 37.6k, False: 15.4k] ------------------ 2407| | 2408| 37.6k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_SOB) /* Empty block */ ------------------ | | 1498| 37.6k|#define NDPI_SERIALIZER_STATUS_SOB (1 << 3) ------------------ | Branch (2408:8): [True: 91, False: 37.5k] ------------------ 2409| 91| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_SOB; ------------------ | | 1498| 91|#define NDPI_SERIALIZER_STATUS_SOB (1 << 3) ------------------ 2410| | 2411| | // buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2412| 37.6k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_CEOB; ------------------ | | 1503| 37.6k|#define NDPI_SERIALIZER_STATUS_CEOB (1 << 8) ------------------ 2413| 37.6k| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (2413:8): [True: 0, False: 37.6k] ------------------ 2414| 0| return(-1); 2415| 37.6k| } else { 2416| 15.4k| serializer->buffer.data[serializer->status.buffer.size_used++] = ndpi_serialization_end_of_block; 2417| 15.4k| } 2418| | 2419| 53.0k| return(0); 2420| 53.0k|} ndpi_serializer.c:ndpi_init_serializer_buffer: 207| 48.3k|static int 
ndpi_init_serializer_buffer(ndpi_private_serializer_buffer *buffer, u_int32_t buffer_size) {
/* Records buffer_size as both the current and the initial size, then allocates
 * that many bytes with ndpi_calloc. Returns -1 when the allocation fails and 0
 * otherwise; on failure size and initial_size keep the requested value while
 * data is NULL. */
208| 48.3k| buffer->initial_size = buffer->size = buffer_size;
209| 48.3k| buffer->data = (u_int8_t *)ndpi_calloc(buffer->size, sizeof(u_int8_t));
210| 48.3k| if(buffer->data == NULL)
------------------
| Branch (210:6): [True: 2.54k, False: 45.7k]
------------------
211| 2.54k| return(-1);
212| |
213| 45.7k| return(0);
214| 48.3k|}
ndpi_serializer.c:ndpi_extend_serializer_buffer:
/* Grows buffer->data by at least min_len bytes. Returns 0 on success and -1
 * when ndpi_realloc fails, in which case data and size are left unchanged. */
270| 17.8k|static inline int ndpi_extend_serializer_buffer(ndpi_private_serializer_buffer *buffer, u_int32_t min_len) {
271| 17.8k| u_int32_t new_size;
272| 17.8k| void *r;
273| |
/* Growth step for requests below NDPI_SERIALIZER_DEFAULT_BUFFER_INCR: when the
 * initial size is also below that increment, the step is raised to the initial
 * size if it was smaller; otherwise the step becomes the default increment. */
274| 17.8k| if(min_len < NDPI_SERIALIZER_DEFAULT_BUFFER_INCR) {
------------------
| | 1493| 17.8k|#define NDPI_SERIALIZER_DEFAULT_BUFFER_INCR 1024
------------------
| Branch (274:6): [True: 17.7k, False: 22]
------------------
275| 17.7k| if(buffer->initial_size < NDPI_SERIALIZER_DEFAULT_BUFFER_INCR) {
------------------
| | 1493| 17.7k|#define NDPI_SERIALIZER_DEFAULT_BUFFER_INCR 1024
------------------
| Branch (275:8): [True: 17.7k, False: 0]
------------------
276| 17.7k| if(min_len < buffer->initial_size)
------------------
| Branch (276:10): [True: 17.7k, False: 74]
------------------
277| 17.7k| min_len = buffer->initial_size;
278| 17.7k| } else {
279| 0| min_len = NDPI_SERIALIZER_DEFAULT_BUFFER_INCR;
------------------
| | 1493| 0|#define NDPI_SERIALIZER_DEFAULT_BUFFER_INCR 1024
------------------
280| 0| }
281| 17.7k| }
282| |
/* NOTE(review): the sum and the round-up below are computed in u_int32_t with
 * no wrap-around check. If buffer->size + min_len exceeded UINT32_MAX the
 * result would be a small new_size, the realloc would shrink the allocation,
 * and callers would continue as if it had grown. Presumably buffer sizes are
 * bounded well below that by callers - TODO confirm, or reject the request
 * when new_size < buffer->size. */
283| 17.8k| new_size = buffer->size + min_len;
/* Rounds up to the next multiple of 4; a size that is already a multiple of 4
 * still gains 4 bytes. */
284| 17.8k| new_size = ((new_size / 4) + 1) * 4; /* required by zmq encryption */
285| |
/* The result is taken in r first so buffer->data is still the valid, owned
 * pointer when ndpi_realloc returns NULL. */
286| 17.8k| r = ndpi_realloc((void *) buffer->data, new_size);
287| |
288| 17.8k| if(r == NULL)
------------------
| Branch (288:6): [True: 1.09k, False: 16.7k]
------------------
289| 1.09k| return(-1);
290| |
291| 16.7k| buffer->data = r;
292| 16.7k| buffer->size = new_size;
293| |
294| 16.7k| return(0);
295| 17.8k|}
ndpi_serializer.c:ndpi_serialize_json_pre: 744| 202k|static inline void ndpi_serialize_json_pre(ndpi_serializer *_serializer) { 745| 202k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 746| | 747| 202k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_EOR) { ------------------ | | 1497| 202k|#define NDPI_SERIALIZER_STATUS_EOR (1 << 2) ------------------ | Branch (747:6): [True: 0, False: 202k] ------------------ 748| 0| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_EOR; ------------------ | | 1497| 0|#define NDPI_SERIALIZER_STATUS_EOR (1 << 2) ------------------ 749| 0| if(serializer->multiline_json_array) { ------------------ | Branch (749:8): [True: 0, False: 0] ------------------ 750| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = '\n'; 751| 0| } else { 752| 0| serializer->status.buffer.size_used--; /* Remove ']' */ 753| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = ','; 754| 0| } 755| 0| if (!serializer->inner_json) ------------------ | Branch (755:9): [True: 0, False: 0] ------------------ 756| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = '{'; 757| | 758| 202k| } else { 759| 202k| if(!serializer->multiline_json_array) { ------------------ | Branch (759:8): [True: 120k, False: 82.1k] ------------------ 760| 120k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_ARRAY) ------------------ | | 1496| 120k|#define NDPI_SERIALIZER_STATUS_ARRAY (1 << 1) ------------------ | Branch (760:10): [True: 0, False: 120k] ------------------ 761| 0| serializer->status.buffer.size_used--; /* Remove ']' */ 762| 120k| } 763| | 764| 202k| if (!serializer->inner_json) ------------------ | Branch (764:9): [True: 202k, False: 0] ------------------ 765| 202k| serializer->status.buffer.size_used--; /* Remove '}' */ 766| | 767| 202k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST) { ------------------ | | 1500| 202k|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) 
------------------ | Branch (767:8): [True: 455, False: 202k] ------------------ 768| 455| if(!serializer->multiline_json_array) ------------------ | Branch (768:10): [True: 245, False: 210] ------------------ 769| 245| serializer->status.buffer.size_used--; /* Remove ']' */ 770| 455| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_SOL) ------------------ | | 1501| 455|#define NDPI_SERIALIZER_STATUS_SOL (1 << 6) ------------------ | Branch (770:10): [True: 455, False: 0] ------------------ 771| 455| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_SOL; ------------------ | | 1501| 455|#define NDPI_SERIALIZER_STATUS_SOL (1 << 6) ------------------ 772| 0| else 773| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = ','; 774| 202k| } else { 775| 202k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_SOB) ------------------ | | 1498| 202k|#define NDPI_SERIALIZER_STATUS_SOB (1 << 3) ------------------ | Branch (775:10): [True: 37.5k, False: 164k] ------------------ 776| 37.5k| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_SOB; ------------------ | | 1498| 37.5k|#define NDPI_SERIALIZER_STATUS_SOB (1 << 3) ------------------ 777| 164k| else if(serializer->status.flags & NDPI_SERIALIZER_STATUS_COMMA) ------------------ | | 1495| 164k|#define NDPI_SERIALIZER_STATUS_COMMA (1 << 0) ------------------ | Branch (777:15): [True: 158k, False: 6.33k] ------------------ 778| 158k| serializer->buffer.data[serializer->status.buffer.size_used++] = ','; 779| 202k| } 780| 202k| } 781| 202k|} ndpi_serializer.c:ndpi_serialize_json_post: 785| 240k|static inline int ndpi_serialize_json_post(ndpi_serializer *_serializer) { 786| 240k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 787| | 788| 240k| if (!serializer->multiline_json_array) { ------------------ | Branch (788:7): [True: 143k, False: 97.1k] ------------------ 789| 143k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST) { ------------------ | | 1500| 
143k|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ | Branch (789:8): [True: 743, False: 142k] ------------------ 790| 743| if(serializer->status.buffer.size_used >= serializer->buffer.size) ------------------ | Branch (790:10): [True: 0, False: 743] ------------------ 791| 0| return -1; 792| 743| serializer->buffer.data[serializer->status.buffer.size_used++] = ']'; 793| 743| } 794| 143k| } 795| | 796| 240k| if(serializer->status.buffer.size_used >= serializer->buffer.size) ------------------ | Branch (796:6): [True: 0, False: 240k] ------------------ 797| 0| return -1; 798| | 799| 240k| if (!serializer->inner_json || serializer->status.flags & NDPI_SERIALIZER_STATUS_CEOB) { ------------------ | | 1503| 0|#define NDPI_SERIALIZER_STATUS_CEOB (1 << 8) ------------------ | Branch (799:7): [True: 240k, False: 0] | Branch (799:34): [True: 0, False: 0] ------------------ 800| 240k| serializer->buffer.data[serializer->status.buffer.size_used++] = '}'; 801| 240k| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_CEOB; ------------------ | | 1503| 240k|#define NDPI_SERIALIZER_STATUS_CEOB (1 << 8) ------------------ 802| 240k| } 803| | 804| 240k| if (!serializer->multiline_json_array) { ------------------ | Branch (804:7): [True: 143k, False: 97.1k] ------------------ 805| 143k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_ARRAY) { ------------------ | | 1496| 143k|#define NDPI_SERIALIZER_STATUS_ARRAY (1 << 1) ------------------ | Branch (805:8): [True: 0, False: 143k] ------------------ 806| 0| if(serializer->status.buffer.size_used >= serializer->buffer.size) ------------------ | Branch (806:10): [True: 0, False: 0] ------------------ 807| 0| return -1; 808| 0| serializer->buffer.data[serializer->status.buffer.size_used++] = ']'; 809| 0| } 810| 143k| } 811| | 812| 240k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_COMMA; ------------------ | | 1495| 240k|#define NDPI_SERIALIZER_STATUS_COMMA (1 << 0) ------------------ 813| 240k| return 0; 
814| 240k|} ndpi_serializer.c:ndpi_serializer_header_uint32: 313| 1.65k|/* Appends key, formatted as an unsigned decimal and preceded by csv_separator when the header is non-empty, to the CSV header buffer. Returns 0 without writing once NDPI_SERIALIZER_STATUS_HDR_DONE is set, and -1 when ndpi_serializer_check_header_room() reports failure. */ static inline int ndpi_serializer_header_uint32(ndpi_private_serializer *serializer, u_int32_t key) { 314| 1.65k| int room; 315| | 316| 1.65k| if (serializer->status.flags & NDPI_SERIALIZER_STATUS_HDR_DONE) ------------------ | | 1502| 1.65k|#define NDPI_SERIALIZER_STATUS_HDR_DONE (1 << 7) ------------------ | Branch (316:7): [True: 0, False: 1.65k] ------------------ 317| 0| return(0); 318| | 319| 1.65k| room = ndpi_serializer_check_header_room(serializer, 12); 320| | 321| 1.65k| if (room < 0) ------------------ | Branch (321:7): [True: 0, False: 1.65k] ------------------ 322| 0| return(-1); 323| | 324| 1.65k| /* NOTE(review): the ndpi_snprintf() result is added to size_used unchecked. If it follows snprintf() semantics (would-be length, negative on error), a truncated or failed write would leave size_used out of step with the bytes actually stored. The 12 bytes requested above hold a 10-digit key plus NUL only when the separator is a single character - the separator length is not visible here; confirm. */ serializer->status.header.size_used += ndpi_snprintf((char *) &serializer->header.data[serializer->status.header.size_used], 325| 1.65k| room, "%s%u", (serializer->status.header.size_used > 0) ? serializer->csv_separator : "", key); ------------------ | Branch (325:19): [True: 1.65k, False: 0] ------------------ 326| | 327| 1.65k| return(0); 328| 1.65k|} ndpi_serializer.c:ndpi_serializer_check_header_room: 299| 43.9k|/* Makes sure the header buffer has at least `needed` free bytes, extending it through ndpi_extend_serializer_buffer() when it does not. Returns the free byte count after any extension, or -1 if the extension fails. NOTE(review): the free count is a u_int32_t difference returned through an int, so a count above INT_MAX would look like an error to callers, and a size_used larger than header.size would wrap to a large positive value - both presumably unreachable; confirm. The extension path (source lines 303-304) has zero hits in this coverage run. */ static inline int ndpi_serializer_check_header_room(ndpi_private_serializer *serializer, u_int32_t needed) { 300| 43.9k| u_int32_t buff_diff = serializer->header.size - serializer->status.header.size_used; 301| | 302| 43.9k| if (buff_diff < needed) ------------------ | Branch (302:7): [True: 0, False: 43.9k] ------------------ 303| 0| if (ndpi_extend_serializer_buffer(&serializer->header, needed - buff_diff) < 0) ------------------ | Branch (303:9): [True: 0, False: 0] ------------------ 304| 0| return(-1); 305| | 306| 43.9k| buff_diff = serializer->header.size - serializer->status.header.size_used; 307| | 308| 43.9k| return(buff_diff); 309| 43.9k|} ndpi_serializer.c:ndpi_serialize_csv_pre: 728| 43.9k|static inline void ndpi_serialize_csv_pre(ndpi_private_serializer *serializer) { 729| 43.9k| if(serializer->status.flags & NDPI_SERIALIZER_STATUS_EOR) { ------------------ | | 
1497| 43.9k|#define NDPI_SERIALIZER_STATUS_EOR (1 << 2) ------------------ | Branch (729:6): [True: 0, False: 43.9k] ------------------ 730| 0| serializer->status.flags &= ~NDPI_SERIALIZER_STATUS_EOR; ------------------ | | 1497| 0|#define NDPI_SERIALIZER_STATUS_EOR (1 << 2) ------------------ 731| 43.9k| } else if (!(serializer->status.flags & NDPI_SERIALIZER_STATUS_NOT_EMPTY)){ ------------------ | | 1499| 43.9k|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) ------------------ | Branch (731:14): [True: 1.67k, False: 42.3k] ------------------ 732| | /* nothing to do */ 733| 42.3k| } else { 734| 42.3k| if(serializer->buffer.size > serializer->status.buffer.size_used) { ------------------ | Branch (734:8): [True: 42.3k, False: 0] ------------------ 735| 42.3k| serializer->buffer.data[serializer->status.buffer.size_used] = serializer->csv_separator[0]; 736| 42.3k| serializer->status.buffer.size_used++; 737| 42.3k| } 738| 42.3k| } 739| 43.9k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_NOT_EMPTY; ------------------ | | 1499| 43.9k|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) ------------------ 740| 43.9k|} ndpi_serializer.c:ndpi_serialize_key_uint32: 818| 2.23k|static inline ndpi_serialization_type ndpi_serialize_key_uint32(ndpi_private_serializer *serializer, u_int32_t key) { 819| 2.23k| ndpi_serialization_type kt; 820| | 821| 2.23k| if(key <= 0xff) { ------------------ | Branch (821:6): [True: 2.23k, False: 0] ------------------ 822| 2.23k| ndpi_serialize_single_uint8(serializer, key); 823| 2.23k| kt = ndpi_serialization_uint8; 824| 2.23k| } else if(key <= 0xffff) { ------------------ | Branch (824:13): [True: 0, False: 0] ------------------ 825| 0| ndpi_serialize_single_uint16(serializer, key); 826| 0| kt = ndpi_serialization_uint16; 827| 0| } else { 828| 0| ndpi_serialize_single_uint32(serializer, key); 829| 0| kt = ndpi_serialization_uint32; 830| 0| } 831| | 832| 2.23k| return(kt); 833| 2.23k|} ndpi_serializer.c:ndpi_serialize_single_uint8: 465| 
22.1k| u_int8_t s) { 466| 22.1k| u_int8_t v = s; 467| | 468| 22.1k| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], &v, sizeof(u_int8_t)); 469| 22.1k| serializer->status.buffer.size_used += sizeof(u_int8_t); 470| 22.1k|} ndpi_serializer.c:ndpi_serialize_single_uint16: 475| 7.47k| u_int16_t s) { 476| 7.47k| u_int16_t v = htons(s); 477| | 478| 7.47k| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], &v, sizeof(u_int16_t)); 479| 7.47k| serializer->status.buffer.size_used += sizeof(u_int16_t); 480| 7.47k|} ndpi_serializer.c:ndpi_serialize_single_float: 506| 139| float s) { 507| 139| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], &s, sizeof(s)); 508| 139| serializer->status.buffer.size_used += sizeof(float); 509| 139|} ndpi_serializer.c:ndpi_serialize_single_string: 525| 104k| const char *s, u_int16_t slen) { 526| 104k| /* Writes a 2-byte length in network byte order (htons) followed by slen raw bytes at the current write position; no terminating NUL is stored. Like the other ndpi_serialize_single_* writers in this listing, it does no bounds check of its own: room must already have been reserved by the caller (ndpi_serialize_binary_raw computes `needed` and extends the buffer before calling). */ u_int16_t l = htons(slen); 527| | 528| 104k| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], &l, sizeof(u_int16_t)); 529| 104k| serializer->status.buffer.size_used += sizeof(u_int16_t); 530| | 531| 104k| if(slen > 0) ------------------ | Branch (531:6): [True: 104k, False: 825] ------------------ 532| 104k| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], s, slen); 533| | 534| 104k| serializer->status.buffer.size_used += slen; 535| 104k|} ndpi_serializer.c:ndpi_is_number: 73| 216k|/* Returns 1 when each of the first str_len bytes of str is an ASCII digit 0-9, otherwise 0. An empty input (str_len == 0) returns 1 because the loop body never runs. NOTE(review): in this coverage run every call returned 0 on its first byte (return(1) has zero hits and the loop condition was never false), so the all-digits path is untested. */ static int ndpi_is_number(const char *str, u_int32_t str_len) { 74| 216k| unsigned int i; 75| | 76| 216k| for(i = 0; i < str_len; i++) ------------------ | Branch (76:14): [True: 216k, False: 0] ------------------ 77| 216k| if(!ndpi_isdigit(str[i])) return(0); ------------------ | | 2526| 216k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 216k, False: 0] | | | Branch (2526:42): [True: 0, False: 216k] | | ------------------ ------------------ 78| | 79| 0| return(1); 80| 216k|} 
ndpi_serializer.c:ndpi_serializer_header_string: 332| 42.3k|/* Appends key (klen bytes, copied with memcpy so it need not be NUL-terminated) to the CSV header buffer, preceded by csv_separator when the header is non-empty, and NUL-terminates the result. Returns 0 on success or when NDPI_SERIALIZER_STATUS_HDR_DONE is already set, -1 when header room cannot be obtained. */ static inline int ndpi_serializer_header_string(ndpi_private_serializer *serializer, const char *key, u_int16_t klen) { 333| 42.3k| int room; 334| | 335| 42.3k| if (serializer->status.flags & NDPI_SERIALIZER_STATUS_HDR_DONE) ------------------ | | 1502| 42.3k|#define NDPI_SERIALIZER_STATUS_HDR_DONE (1 << 7) ------------------ | Branch (335:7): [True: 0, False: 42.3k] ------------------ 336| 0| return(0); 337| | 338| 42.3k| /* NOTE(review): klen + 4 covers the key, the terminating NUL and at most 3 separator bytes. The separator is copied below with its strlen(), so this is only sufficient if csv_separator is never longer than 3 characters - its declared size is not visible here; confirm. */ room = ndpi_serializer_check_header_room(serializer, klen + 4); 339| | 340| 42.3k| if (room < 0) ------------------ | Branch (340:7): [True: 0, False: 42.3k] ------------------ 341| 0| return(-1); 342| | 343| 42.3k| if (serializer->status.header.size_used > 0) { ------------------ | Branch (343:7): [True: 40.6k, False: 1.67k] ------------------ 344| 40.6k| int slen = strlen(serializer->csv_separator); 345| 40.6k| memcpy(&serializer->header.data[serializer->status.header.size_used], serializer->csv_separator, slen); 346| 40.6k| serializer->status.header.size_used += slen; 347| 40.6k| } 348| | 349| 42.3k| if (klen > 0) { ------------------ | Branch (349:7): [True: 42.3k, False: 0] ------------------ 350| 42.3k| memcpy(&serializer->header.data[serializer->status.header.size_used], key, klen); 351| 42.3k| serializer->status.header.size_used += klen; 352| 42.3k| } 353| | 354| 42.3k| serializer->header.data[serializer->status.header.size_used] = '\0'; 355| | 356| 42.3k| return(0); 357| 42.3k|} ndpi_serializer.c:ndpi_serialize_binary_raw: 2019| 114k| u_int8_t escape) { 2020| 114k| ndpi_private_serializer *serializer = (ndpi_private_serializer*)_serializer; 2021| 114k| u_int32_t buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2022| 114k| u_int32_t needed; 2023| | 2024| 114k| /* Size of the binary encoding written at the end of this function: one type byte, two 2-byte length prefixes, the key and the value. The JSON branch that follows adds 16 + klen + vlen on top, i.e. room for each input byte to become two output bytes. NOTE(review): whether ndpi_json_string_escape() can emit longer escapes, and how it honours the buff_diff limit it is passed, is not visible in this listing; its return value is added to size_used unchecked and the ':' after the key is written without a further bounds check - confirm the escape helper never reports more than buff_diff - 1. The CSV branch and the unescaped JSON copy have zero hits in this coverage run. */ needed = 2025| 114k| sizeof(u_int8_t) /* type */ + 2026| 114k| sizeof(u_int16_t) /* key len */ + 2027| 114k| klen + 2028| 114k| sizeof(u_int16_t) /* len */ + 2029| 114k| vlen; 2030| | 2031| 114k| 
if(serializer->fmt == ndpi_serialization_format_json) ------------------ | Branch (2031:6): [True: 84.5k, False: 29.9k] ------------------ 2032| 84.5k| needed += 16 + klen + vlen; 2033| | 2034| 114k| if(buff_diff < needed) { ------------------ | Branch (2034:6): [True: 7.87k, False: 106k] ------------------ 2035| 7.87k| if(ndpi_extend_serializer_buffer(&serializer->buffer, needed - buff_diff) < 0) ------------------ | Branch (2035:8): [True: 459, False: 7.42k] ------------------ 2036| 459| return(-1); 2037| 7.42k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2038| 7.42k| } 2039| | 2040| 114k| if(serializer->fmt == ndpi_serialization_format_json) { ------------------ | Branch (2040:6): [True: 84.2k, False: 29.7k] ------------------ 2041| 84.2k| ndpi_serialize_json_pre(_serializer); 2042| 84.2k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2043| | 2044| 84.2k| if (!(serializer->status.flags & NDPI_SERIALIZER_STATUS_LIST)) { ------------------ | | 1500| 84.2k|#define NDPI_SERIALIZER_STATUS_LIST (1 << 5) ------------------ | Branch (2044:9): [True: 83.8k, False: 455] ------------------ 2045| 83.8k| serializer->status.buffer.size_used += ndpi_json_string_escape(key, klen, 2046| 83.8k| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 2047| 83.8k| serializer->buffer.data[serializer->status.buffer.size_used] = ':'; 2048| 83.8k| serializer->status.buffer.size_used++; 2049| 83.8k| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2050| 83.8k| } 2051| | 2052| 84.2k| if (escape) ------------------ | Branch (2052:9): [True: 84.2k, False: 0] ------------------ 2053| 84.2k| serializer->status.buffer.size_used += ndpi_json_string_escape(value, vlen, 2054| 84.2k| (char *) &serializer->buffer.data[serializer->status.buffer.size_used], buff_diff); 2055| 0| else { 2056| 0| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], value, vlen); 2057| 0| 
serializer->status.buffer.size_used += vlen; 2058| 0| } 2059| | 2060| 84.2k| if(ndpi_serialize_json_post(_serializer) != 0) ------------------ | Branch (2060:8): [True: 0, False: 84.2k] ------------------ 2061| 0| return(-1); 2062| 84.2k| } else if(serializer->fmt == ndpi_serialization_format_csv) { ------------------ | Branch (2062:13): [True: 0, False: 29.7k] ------------------ 2063| 0| if (ndpi_serializer_header_string(serializer, key, klen) < 0) return(-1); ------------------ | Branch (2063:9): [True: 0, False: 0] ------------------ 2064| 0| ndpi_serialize_csv_pre(serializer); 2065| 0| buff_diff = serializer->buffer.size - serializer->status.buffer.size_used; 2066| 0| memcpy(&serializer->buffer.data[serializer->status.buffer.size_used], value, vlen); 2067| 0| serializer->status.buffer.size_used += vlen; 2068| | 2069| 29.7k| } else { 2070| 29.7k| serializer->buffer.data[serializer->status.buffer.size_used++] = (ndpi_serialization_string << 4) | ndpi_serialization_string; 2071| | 2072| 29.7k| ndpi_serialize_single_string(serializer, key, klen); 2073| 29.7k| ndpi_serialize_single_string(serializer, value, vlen); 2074| 29.7k| } 2075| | 2076| 114k| serializer->status.flags |= NDPI_SERIALIZER_STATUS_NOT_EMPTY; ------------------ | | 1499| 114k|#define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) ------------------ 2077| 114k| return(0); 2078| 114k|} ntp_ts_to_string: 91| 32|void ntp_ts_to_string(uint64_t timestamp, char *buffer, size_t buffer_size) { 92| | 93| 32| if (timestamp == 0) { ------------------ | Branch (93:7): [True: 32, False: 0] ------------------ 94| 32| buffer[0] = '\0'; 95| 32| return; 96| 32| } 97| | 98| 0| ntp_t ntp; 99| | 100| 0| memcpy(&ntp, &timestamp, sizeof(uint64_t)); 101| | 102| 0| time_t sec = ntohl(ntp.seconds) - NTP_DELTA; ------------------ | | 86| 0|#define NTP_DELTA 2208988800UL ------------------ 103| 0| uint32_t usec = (uint32_t)((double)ntohl(ntp.fraction) * 1.0e9 / (double)(1LL << 32)); 104| | 105| 0| struct tm tm; 106| | 107| 0| 
(void)ndpi_gmtime_r(&sec, &tm); 108| 0| /* NOTE(review): strftime() returns 0 when the formatted time does not fit in buffer_size, and the result is not checked here; the snprintf() on the next line would then write at buffer + 0. This path has zero hits in the coverage run. */ size_t offset = strftime(buffer, buffer_size, "%Y-%m-%d %H:%M:%S", &tm); 109| 0| /* NOTE(review): usec is a uint32_t printed with %d, and the value computed on source line 103 is fraction * 1e9 / 2^32 (nanoseconds despite the name). It is printed without zero padding, so 5 ns and 500 ms both render as a fraction of .5 - confirm the intended format, e.g. a fixed-width unsigned conversion. */ snprintf(buffer + offset, buffer_size - offset, ".%d", usec); 110| 0|} ndpi_check_punycode_string: 114| 11.6k|/* Scans buffer for the 4-byte sequence x n - - and returns 1 at the first match, 0 when there is none. The loop bound i < len - 3 keeps buffer[i+3] within len, and for len < 4 the loop never runs. The comparison is case-sensitive (lower-case x and n only). NOTE(review): host names are case-insensitive, so an upper-case prefix is not flagged unless the caller lower-cases the name first - confirm. In this coverage run the full four-byte match was never reached (source lines 121 and 123 have zero hits). */ int ndpi_check_punycode_string(char * buffer , int len) { 115| 11.6k| int i = 0; 116| | 117| 220k| while(i < len - 3) { ------------------ | Branch (117:9): [True: 208k, False: 11.6k] ------------------ 118| 208k| if((buffer[i] == 'x') ------------------ | Branch (118:8): [True: 401, False: 208k] ------------------ 119| 401| && (buffer[i+1] == 'n') ------------------ | Branch (119:11): [True: 6, False: 395] ------------------ 120| 6| && (buffer[i+2] == '-') ------------------ | Branch (120:11): [True: 0, False: 6] ------------------ 121| 0| && (buffer[i+3] == '-')) ------------------ | Branch (121:11): [True: 0, False: 0] ------------------ 122| | // is a punycode string 123| 0| return(1); 124| 208k| i++; 125| 208k| } 126| | 127| | // not a punycode string 128| 11.6k| return 0; 129| 11.6k|} ndpi_tsearch: 137| 1.82M|{ 138| 1.82M| /* Binary-search-tree find-or-insert ordered by compar(): returns the stored key when an equal key already exists; otherwise links a new node that holds the caller-supplied key pointer and returns that pointer. Returns NULL when vrootp is NULL or ndpi_malloc() fails (115k hits in this run). The key is stored by pointer, not copied, so it has to outlive the tree. No rebalancing appears in the visible code, so tree depth depends on insertion order. */ ndpi_node *q; 139| 1.82M| char *key = (char *)vkey; 140| 1.82M| ndpi_node **rootp = (ndpi_node **)vrootp; 141| | 142| 1.82M| if(rootp == (ndpi_node **)0) ------------------ | Branch (142:6): [True: 0, False: 1.82M] ------------------ 143| 0| return ((void *)0); 144| 19.7M| while (*rootp != (ndpi_node *)0) { /* Knuth's T1: */ ------------------ | Branch (144:10): [True: 17.9M, False: 1.81M] ------------------ 145| 17.9M| int r; 146| | 147| 17.9M| if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */ ------------------ | Branch (147:8): [True: 11.5k, False: 17.8M] ------------------ 148| 11.5k| return ((*rootp)->key); /* we found it! */ 149| 17.8M| rootp = (r < 0) ? 
------------------ | Branch (149:13): [True: 4.44M, False: 13.4M] ------------------ 150| 4.44M| &(*rootp)->left : /* T3: follow left branch */ 151| 17.8M| &(*rootp)->right; /* T4: follow right branch */ 152| 17.8M| } 153| 1.81M| q = (ndpi_node *) ndpi_malloc(sizeof(ndpi_node)); /* T5: key not found */ 154| 1.81M| if(q != (ndpi_node *)0) { /* make new node */ ------------------ | Branch (154:6): [True: 1.69M, False: 115k] ------------------ 155| 1.69M| *rootp = q; /* link new node to old */ 156| 1.69M| q->key = key; /* initialize new node */ 157| 1.69M| q->left = q->right = (ndpi_node *)0; 158| 1.69M| return ((void *)q->key); 159| 1.69M| } 160| 115k| return ((void *)0); 161| 1.81M|} ndpi_tfind: 241| 271k|{ 242| 271k| char *key = (char *)vkey; 243| 271k| ndpi_node **rootp = (ndpi_node **)vrootp; 244| | 245| 271k| if(rootp == (ndpi_node **)0) ------------------ | Branch (245:6): [True: 0, False: 271k] ------------------ 246| 0| return ((ndpi_node *)0); 247| 1.16M| while (*rootp != (ndpi_node *)0) { /* T1: */ ------------------ | Branch (247:10): [True: 995k, False: 173k] ------------------ 248| 995k| int r; 249| 995k| if((r = (*compar)(key, (*rootp)->key)) == 0) /* T2: */ ------------------ | Branch (249:8): [True: 97.5k, False: 898k] ------------------ 250| 97.5k| return (*rootp); /* key found */ 251| 898k| rootp = (r < 0) ? 
------------------ | Branch (251:13): [True: 213k, False: 685k] ------------------ 252| 213k| &(*rootp)->left : /* T3: follow left branch */ 253| 898k| &(*rootp)->right; /* T4: follow right branch */ 254| 898k| } 255| 173k| return (ndpi_node *)0; 256| 271k|} ndpi_tdestroy: 273| 655k|{ 274| 655k| ndpi_node *root = (ndpi_node *) vrootp; 275| | 276| 655k| if(root != NULL) ------------------ | Branch (276:6): [True: 44.0k, False: 611k] ------------------ 277| 44.0k| ndpi_tdestroy_recurse(root, freefct); 278| 655k|} ndpi_is_safe_ssl_cipher: 301| 1.75k|/* Classifies a TLS cipher-suite id: NDPI_CIPHER_INSECURE (2) for the three RC4 suites listed, NDPI_CIPHER_WEAK (1) for the listed static-RSA key-exchange suites and the 3DES suites, and NDPI_CIPHER_SAFE (0) for every other value through the default case. NOTE(review): because the default is SAFE, any suite absent from this switch is reported as safe. That includes suites ndpi_cipher2str names further down this listing, such as TLS_NULL_WITH_NULL_NULL, TLS_RSA_WITH_NULL_MD5, the TLS_RSA_EXPORT_* suites and TLS_RSA_WITH_DES_CBC_SHA. Consumers should read SAFE as not on the weak/insecure list rather than as an endorsement - confirm whether these omissions are deliberate. */ u_int8_t ndpi_is_safe_ssl_cipher(u_int32_t cipher) { 302| | /* https://community.qualys.com/thread/18212-how-does-qualys-determine-the-server-cipher-suites */ 303| | 304| 1.75k| switch(cipher) { 305| | /* INSECURE */ 306| 2| case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return(NDPI_CIPHER_INSECURE); ------------------ | | 182| 2|#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 ------------------ case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return(NDPI_CIPHER_INSECURE); ------------------ | | 191| 2|#define NDPI_CIPHER_INSECURE 2 ------------------ | Branch (306:3): [True: 2, False: 1.75k] ------------------ 307| 3| case TLS_RSA_WITH_RC4_128_SHA: return(NDPI_CIPHER_INSECURE); ------------------ | | 32| 3|#define TLS_RSA_WITH_RC4_128_SHA 0x0005 ------------------ case TLS_RSA_WITH_RC4_128_SHA: return(NDPI_CIPHER_INSECURE); ------------------ | | 191| 3|#define NDPI_CIPHER_INSECURE 2 ------------------ | Branch (307:3): [True: 3, False: 1.75k] ------------------ 308| 2| case TLS_RSA_WITH_RC4_128_MD5: return(NDPI_CIPHER_INSECURE); ------------------ | | 31| 2|#define TLS_RSA_WITH_RC4_128_MD5 0x0004 ------------------ case TLS_RSA_WITH_RC4_128_MD5: return(NDPI_CIPHER_INSECURE); ------------------ | | 191| 2|#define NDPI_CIPHER_INSECURE 2 ------------------ | Branch (308:3): [True: 2, False: 1.75k] ------------------ 309| | 310| | /* WEAK */ 311| 2| case TLS_RSA_WITH_AES_256_GCM_SHA384: return(NDPI_CIPHER_WEAK); ------------------ | | 41| 2|#define 
TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D ------------------ case TLS_RSA_WITH_AES_256_GCM_SHA384: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 2|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (311:3): [True: 2, False: 1.75k] ------------------ 312| 1| case TLS_RSA_WITH_AES_256_CBC_SHA256: return(NDPI_CIPHER_WEAK); ------------------ | | 39| 1|#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D ------------------ case TLS_RSA_WITH_AES_256_CBC_SHA256: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 1|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (312:3): [True: 1, False: 1.75k] ------------------ 313| 3| case TLS_RSA_WITH_AES_256_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 37| 3|#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 ------------------ case TLS_RSA_WITH_AES_256_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 3|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (313:3): [True: 3, False: 1.75k] ------------------ 314| 1| case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 47| 1|#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 ------------------ case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 1|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (314:3): [True: 1, False: 1.75k] ------------------ 315| 1| case TLS_RSA_WITH_AES_128_GCM_SHA256: return(NDPI_CIPHER_WEAK); ------------------ | | 40| 1|#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C ------------------ case TLS_RSA_WITH_AES_128_GCM_SHA256: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 1|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (315:3): [True: 1, False: 1.75k] ------------------ 316| 2| case TLS_RSA_WITH_AES_128_CBC_SHA256: return(NDPI_CIPHER_WEAK); ------------------ | | 38| 2|#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C ------------------ case TLS_RSA_WITH_AES_128_CBC_SHA256: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 2|#define 
NDPI_CIPHER_WEAK 1 ------------------ | Branch (316:3): [True: 2, False: 1.75k] ------------------ 317| 3| case TLS_RSA_WITH_AES_128_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 36| 3|#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F ------------------ case TLS_RSA_WITH_AES_128_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 3|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (317:3): [True: 3, False: 1.75k] ------------------ 318| 2| case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 46| 2|#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 ------------------ case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 2|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (318:3): [True: 2, False: 1.75k] ------------------ 319| 2| case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 183| 2|#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 ------------------ case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 2|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (319:3): [True: 2, False: 1.75k] ------------------ 320| 2| case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 79| 2|#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 ------------------ case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 2|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (320:3): [True: 2, False: 1.75k] ------------------ 321| 2| case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 35| 2|#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A ------------------ case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 2|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (321:3): [True: 2, False: 1.75k] ------------------ 322| 1| case TLS_RSA_WITH_SEED_CBC_SHA: 
return(NDPI_CIPHER_WEAK); ------------------ | | 52| 1|#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 ------------------ case TLS_RSA_WITH_SEED_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 1|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (322:3): [True: 1, False: 1.75k] ------------------ 323| 3| case TLS_RSA_WITH_IDEA_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 33| 3|#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 ------------------ case TLS_RSA_WITH_IDEA_CBC_SHA: return(NDPI_CIPHER_WEAK); ------------------ | | 190| 3|#define NDPI_CIPHER_WEAK 1 ------------------ | Branch (323:3): [True: 3, False: 1.75k] ------------------ 324| | 325| 1.72k| default: ------------------ | Branch (325:3): [True: 1.72k, False: 32] ------------------ 326| 1.72k| return(NDPI_CIPHER_SAFE); ------------------ | | 189| 1.72k|#define NDPI_CIPHER_SAFE 0 ------------------ 327| 1.75k| } 328| 1.75k|} ndpi_cipher2str: 332| 1.61k|const char* ndpi_cipher2str(u_int32_t cipher, char unknown_cipher[8]) { 333| 1.61k| switch(cipher) { 334| 279| case TLS_NULL_WITH_NULL_NULL: return("TLS_NULL_WITH_NULL_NULL"); ------------------ | | 24| 279|#define TLS_NULL_WITH_NULL_NULL 0x0000 ------------------ | Branch (334:3): [True: 279, False: 1.33k] ------------------ 335| 1| case TLS_RSA_EXPORT_WITH_RC4_40_MD5: return("TLS_RSA_EXPORT_WITH_RC4_40_MD5"); ------------------ | | 25| 1|#define TLS_RSA_EXPORT_WITH_RC4_40_MD5 0x0003 ------------------ | Branch (335:3): [True: 1, False: 1.61k] ------------------ 336| 4| case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: return("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"); ------------------ | | 26| 4|#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 0x0006 ------------------ | Branch (336:3): [True: 4, False: 1.60k] ------------------ 337| 1| case TLS_RSA_EXPORT_WITH_DES40_CBC_SHA: return("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"); ------------------ | | 27| 1|#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0008 ------------------ | Branch (337:3): [True: 1, False: 1.61k] 
------------------ 338| 2| case TLS_RSA_WITH_NULL_MD5: return("TLS_RSA_WITH_NULL_MD5"); ------------------ | | 28| 2|#define TLS_RSA_WITH_NULL_MD5 0x0001 ------------------ | Branch (338:3): [True: 2, False: 1.60k] ------------------ 339| 7| case TLS_RSA_WITH_NULL_SHA: return("TLS_RSA_WITH_NULL_SHA"); ------------------ | | 29| 7|#define TLS_RSA_WITH_NULL_SHA 0x0002 ------------------ | Branch (339:3): [True: 7, False: 1.60k] ------------------ 340| 1| case TLS_RSA_WITH_NULL_SHA256: return("TLS_RSA_WITH_NULL_SHA256"); ------------------ | | 30| 1|#define TLS_RSA_WITH_NULL_SHA256 0x003B ------------------ | Branch (340:3): [True: 1, False: 1.61k] ------------------ 341| 3| case TLS_RSA_WITH_RC4_128_MD5: return("TLS_RSA_WITH_RC4_128_MD5"); ------------------ | | 31| 3|#define TLS_RSA_WITH_RC4_128_MD5 0x0004 ------------------ | Branch (341:3): [True: 3, False: 1.60k] ------------------ 342| 5| case TLS_RSA_WITH_RC4_128_SHA: return("TLS_RSA_WITH_RC4_128_SHA"); ------------------ | | 32| 5|#define TLS_RSA_WITH_RC4_128_SHA 0x0005 ------------------ | Branch (342:3): [True: 5, False: 1.60k] ------------------ 343| 4| case TLS_RSA_WITH_IDEA_CBC_SHA: return("TLS_RSA_WITH_IDEA_CBC_SHA"); ------------------ | | 33| 4|#define TLS_RSA_WITH_IDEA_CBC_SHA 0x0007 ------------------ | Branch (343:3): [True: 4, False: 1.60k] ------------------ 344| 1| case TLS_RSA_WITH_DES_CBC_SHA: return("TLS_RSA_WITH_DES_CBC_SHA"); ------------------ | | 34| 1|#define TLS_RSA_WITH_DES_CBC_SHA 0x0009 ------------------ | Branch (344:3): [True: 1, False: 1.61k] ------------------ 345| 3| case TLS_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_RSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 35| 3|#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A ------------------ | Branch (345:3): [True: 3, False: 1.60k] ------------------ 346| 5| case TLS_RSA_WITH_AES_128_CBC_SHA: return("TLS_RSA_WITH_AES_128_CBC_SHA"); ------------------ | | 36| 5|#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F ------------------ | Branch 
(346:3): [True: 5, False: 1.60k] ------------------ 347| 5| case TLS_RSA_WITH_AES_256_CBC_SHA: return("TLS_RSA_WITH_AES_256_CBC_SHA"); ------------------ | | 37| 5|#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 ------------------ | Branch (347:3): [True: 5, False: 1.60k] ------------------ 348| 3| case TLS_RSA_WITH_AES_128_CBC_SHA256: return("TLS_RSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 38| 3|#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C ------------------ | Branch (348:3): [True: 3, False: 1.60k] ------------------ 349| 2| case TLS_RSA_WITH_AES_256_CBC_SHA256: return("TLS_RSA_WITH_AES_256_CBC_SHA256"); ------------------ | | 39| 2|#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D ------------------ | Branch (349:3): [True: 2, False: 1.60k] ------------------ 350| 2| case TLS_RSA_WITH_AES_128_GCM_SHA256: return("TLS_RSA_WITH_AES_128_GCM_SHA256"); ------------------ | | 40| 2|#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C ------------------ | Branch (350:3): [True: 2, False: 1.60k] ------------------ 351| 3| case TLS_RSA_WITH_AES_256_GCM_SHA384: return("TLS_RSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 41| 3|#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D ------------------ | Branch (351:3): [True: 3, False: 1.60k] ------------------ 352| 1| case TLS_RSA_WITH_AES_128_CCM: return("TLS_RSA_WITH_AES_128_CCM"); ------------------ | | 42| 1|#define TLS_RSA_WITH_AES_128_CCM 0xC09C ------------------ | Branch (352:3): [True: 1, False: 1.61k] ------------------ 353| 1| case TLS_RSA_WITH_AES_256_CCM: return("TLS_RSA_WITH_AES_256_CCM"); ------------------ | | 43| 1|#define TLS_RSA_WITH_AES_256_CCM 0xC09D ------------------ | Branch (353:3): [True: 1, False: 1.61k] ------------------ 354| 1| case TLS_RSA_WITH_AES_128_CCM_8: return("TLS_RSA_WITH_AES_128_CCM_8"); ------------------ | | 44| 1|#define TLS_RSA_WITH_AES_128_CCM_8 0xC0A0 ------------------ | Branch (354:3): [True: 1, False: 1.61k] ------------------ 355| 1| case TLS_RSA_WITH_AES_256_CCM_8: 
return("TLS_RSA_WITH_AES_256_CCM_8"); ------------------ | | 45| 1|#define TLS_RSA_WITH_AES_256_CCM_8 0xC0A1 ------------------ | Branch (355:3): [True: 1, False: 1.61k] ------------------ 356| 3| case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"); ------------------ | | 46| 3|#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0041 ------------------ | Branch (356:3): [True: 3, False: 1.60k] ------------------ 357| 2| case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"); ------------------ | | 47| 2|#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0084 ------------------ | Branch (357:3): [True: 2, False: 1.60k] ------------------ 358| 1| case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 48| 1|#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 0x00BA ------------------ | Branch (358:3): [True: 1, False: 1.61k] ------------------ 359| 0| case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"); ------------------ | | 49| 0|#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x00C0 ------------------ | Branch (359:3): [True: 0, False: 1.61k] ------------------ 360| 1| case TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 50| 1|#define TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07A ------------------ | Branch (360:3): [True: 1, False: 1.61k] ------------------ 361| 1| case TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 51| 1|#define TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07B ------------------ | Branch (361:3): [True: 1, False: 1.61k] ------------------ 362| 2| case TLS_RSA_WITH_SEED_CBC_SHA: return("TLS_RSA_WITH_SEED_CBC_SHA"); ------------------ | | 52| 2|#define TLS_RSA_WITH_SEED_CBC_SHA 0x0096 ------------------ | Branch (362:3): [True: 2, False: 1.60k] ------------------ 363| 1| case 
TLS_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_RSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 53| 1|#define TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C ------------------ | Branch (363:3): [True: 1, False: 1.61k] ------------------ 364| 1| case TLS_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_RSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 54| 1|#define TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D ------------------ | Branch (364:3): [True: 1, False: 1.61k] ------------------ 365| 1| case TLS_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_RSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 55| 1|#define TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 ------------------ | Branch (365:3): [True: 1, False: 1.61k] ------------------ 366| 1| case TLS_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_RSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 56| 1|#define TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 ------------------ | Branch (366:3): [True: 1, False: 1.61k] ------------------ 367| 1| case TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"); ------------------ | | 57| 1|#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 0x000E ------------------ | Branch (367:3): [True: 1, False: 1.61k] ------------------ 368| 1| case TLS_DH_RSA_WITH_DES_CBC_SHA: return("TLS_DH_RSA_WITH_DES_CBC_SHA"); ------------------ | | 58| 1|#define TLS_DH_RSA_WITH_DES_CBC_SHA 0x000F ------------------ | Branch (368:3): [True: 1, False: 1.61k] ------------------ 369| 2| case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 59| 2|#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 0x0010 ------------------ | Branch (369:3): [True: 2, False: 1.60k] ------------------ 370| 1| case TLS_DH_RSA_WITH_AES_128_CBC_SHA: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA"); ------------------ | | 60| 1|#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 ------------------ | Branch (370:3): [True: 1, False: 1.61k] ------------------ 371| 1| case 
TLS_DH_RSA_WITH_AES_256_CBC_SHA: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA"); ------------------ | | 61| 1|#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 ------------------ | Branch (371:3): [True: 1, False: 1.61k] ------------------ 372| 1| case TLS_DH_RSA_WITH_AES_128_CBC_SHA256: return("TLS_DH_RSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 62| 1|#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F ------------------ | Branch (372:3): [True: 1, False: 1.61k] ------------------ 373| 1| case TLS_DH_RSA_WITH_AES_256_CBC_SHA256: return("TLS_DH_RSA_WITH_AES_256_CBC_SHA256"); ------------------ | | 63| 1|#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 ------------------ | Branch (373:3): [True: 1, False: 1.61k] ------------------ 374| 1| case TLS_DH_RSA_WITH_AES_128_GCM_SHA256: return("TLS_DH_RSA_WITH_AES_128_GCM_SHA256"); ------------------ | | 64| 1|#define TLS_DH_RSA_WITH_AES_128_GCM_SHA256 0x00A0 ------------------ | Branch (374:3): [True: 1, False: 1.61k] ------------------ 375| 1| case TLS_DH_RSA_WITH_AES_256_GCM_SHA384: return("TLS_DH_RSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 65| 1|#define TLS_DH_RSA_WITH_AES_256_GCM_SHA384 0x00A1 ------------------ | Branch (375:3): [True: 1, False: 1.61k] ------------------ 376| 1| case TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"); ------------------ | | 66| 1|#define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0043 ------------------ | Branch (376:3): [True: 1, False: 1.61k] ------------------ 377| 1| case TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"); ------------------ | | 67| 1|#define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0086 ------------------ | Branch (377:3): [True: 1, False: 1.61k] ------------------ 378| 0| case TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 68| 0|#define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0x00BC ------------------ | Branch (378:3): 
[True: 0, False: 1.61k] ------------------ 379| 1| case TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"); ------------------ | | 69| 1|#define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x00C2 ------------------ | Branch (379:3): [True: 1, False: 1.61k] ------------------ 380| 1| case TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 70| 1|#define TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07E ------------------ | Branch (380:3): [True: 1, False: 1.61k] ------------------ 381| 1| case TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 71| 1|#define TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07F ------------------ | Branch (381:3): [True: 1, False: 1.61k] ------------------ 382| 1| case TLS_DH_RSA_WITH_SEED_CBC_SHA: return("TLS_DH_RSA_WITH_SEED_CBC_SHA"); ------------------ | | 72| 1|#define TLS_DH_RSA_WITH_SEED_CBC_SHA 0x0098 ------------------ | Branch (382:3): [True: 1, False: 1.61k] ------------------ 383| 1| case TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 73| 1|#define TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 0xC040 ------------------ | Branch (383:3): [True: 1, False: 1.61k] ------------------ 384| 1| case TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 74| 1|#define TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 0xC041 ------------------ | Branch (384:3): [True: 1, False: 1.61k] ------------------ 385| 1| case TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 75| 1|#define TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 0xC054 ------------------ | Branch (385:3): [True: 1, False: 1.61k] ------------------ 386| 1| case TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 76| 1|#define 
TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 0xC055 ------------------ | Branch (386:3): [True: 1, False: 1.61k] ------------------ 387| 1| case TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"); ------------------ | | 77| 1|#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 0x0014 ------------------ | Branch (387:3): [True: 1, False: 1.61k] ------------------ 388| 1| case TLS_DHE_RSA_WITH_DES_CBC_SHA: return("TLS_DHE_RSA_WITH_DES_CBC_SHA"); ------------------ | | 78| 1|#define TLS_DHE_RSA_WITH_DES_CBC_SHA 0x0015 ------------------ | Branch (388:3): [True: 1, False: 1.61k] ------------------ 389| 3| case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 79| 3|#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x0016 ------------------ | Branch (389:3): [True: 3, False: 1.60k] ------------------ 390| 1| case TLS_DHE_RSA_WITH_AES_128_CBC_SHA: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA"); ------------------ | | 80| 1|#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 ------------------ | Branch (390:3): [True: 1, False: 1.61k] ------------------ 391| 1| case TLS_DHE_RSA_WITH_AES_256_CBC_SHA: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA"); ------------------ | | 81| 1|#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 ------------------ | Branch (391:3): [True: 1, False: 1.61k] ------------------ 392| 1| case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: return("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 82| 1|#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 ------------------ | Branch (392:3): [True: 1, False: 1.61k] ------------------ 393| 0| case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: return("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"); ------------------ | | 83| 0|#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B ------------------ | Branch (393:3): [True: 0, False: 1.61k] ------------------ 394| 1| case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: return("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"); ------------------ 
| | 84| 1|#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x009E ------------------ | Branch (394:3): [True: 1, False: 1.61k] ------------------ 395| 1| case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: return("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 85| 1|#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x009F ------------------ | Branch (395:3): [True: 1, False: 1.61k] ------------------ 396| 1| case TLS_DHE_RSA_WITH_AES_128_CCM: return("TLS_DHE_RSA_WITH_AES_128_CCM"); ------------------ | | 86| 1|#define TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E ------------------ | Branch (396:3): [True: 1, False: 1.61k] ------------------ 397| 1| case TLS_DHE_RSA_WITH_AES_256_CCM: return("TLS_DHE_RSA_WITH_AES_256_CCM"); ------------------ | | 87| 1|#define TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F ------------------ | Branch (397:3): [True: 1, False: 1.61k] ------------------ 398| 1| case TLS_DHE_RSA_WITH_AES_128_CCM_8: return("TLS_DHE_RSA_WITH_AES_128_CCM_8"); ------------------ | | 88| 1|#define TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2 ------------------ | Branch (398:3): [True: 1, False: 1.61k] ------------------ 399| 2| case TLS_DHE_RSA_WITH_AES_256_CCM_8: return("TLS_DHE_RSA_WITH_AES_256_CCM_8"); ------------------ | | 89| 2|#define TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3 ------------------ | Branch (399:3): [True: 2, False: 1.60k] ------------------ 400| 1| case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"); ------------------ | | 90| 1|#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x0045 ------------------ | Branch (400:3): [True: 1, False: 1.61k] ------------------ 401| 1| case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"); ------------------ | | 91| 1|#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x0088 ------------------ | Branch (401:3): [True: 1, False: 1.61k] ------------------ 402| 0| case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"); 
------------------ | | 92| 0|#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0x00BE ------------------ | Branch (402:3): [True: 0, False: 1.61k] ------------------ 403| 0| case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"); ------------------ | | 93| 0|#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x00C4 ------------------ | Branch (403:3): [True: 0, False: 1.61k] ------------------ 404| 1| case TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 94| 1|#define TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07C ------------------ | Branch (404:3): [True: 1, False: 1.61k] ------------------ 405| 1| case TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 95| 1|#define TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07D ------------------ | Branch (405:3): [True: 1, False: 1.61k] ------------------ 406| 1| case TLS_DHE_RSA_WITH_SEED_CBC_SHA: return("TLS_DHE_RSA_WITH_SEED_CBC_SHA"); ------------------ | | 96| 1|#define TLS_DHE_RSA_WITH_SEED_CBC_SHA 0x009A ------------------ | Branch (406:3): [True: 1, False: 1.61k] ------------------ 407| 1| case TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 97| 1|#define TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 ------------------ | Branch (407:3): [True: 1, False: 1.61k] ------------------ 408| 1| case TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 98| 1|#define TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 ------------------ | Branch (408:3): [True: 1, False: 1.61k] ------------------ 409| 1| case TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 99| 1|#define TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 ------------------ | Branch (409:3): [True: 1, False: 1.61k] ------------------ 
410| 1| case TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 100| 1|#define TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 ------------------ | Branch (410:3): [True: 1, False: 1.61k] ------------------ 411| 0| case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: return("TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 101| 0|#define TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA ------------------ | Branch (411:3): [True: 0, False: 1.61k] ------------------ 412| 1| case TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"); ------------------ | | 102| 1|#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 0x000B ------------------ | Branch (412:3): [True: 1, False: 1.61k] ------------------ 413| 1| case TLS_DH_DSS_WITH_DES_CBC_SHA: return("TLS_DH_DSS_WITH_DES_CBC_SHA"); ------------------ | | 103| 1|#define TLS_DH_DSS_WITH_DES_CBC_SHA 0x000C ------------------ | Branch (413:3): [True: 1, False: 1.61k] ------------------ 414| 1| case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA: return("TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 104| 1|#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 0x000D ------------------ | Branch (414:3): [True: 1, False: 1.61k] ------------------ 415| 5| case TLS_DH_DSS_WITH_AES_128_CBC_SHA: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA"); ------------------ | | 105| 5|#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 ------------------ | Branch (415:3): [True: 5, False: 1.60k] ------------------ 416| 1| case TLS_DH_DSS_WITH_AES_256_CBC_SHA: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA"); ------------------ | | 106| 1|#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 ------------------ | Branch (416:3): [True: 1, False: 1.61k] ------------------ 417| 1| case TLS_DH_DSS_WITH_AES_128_CBC_SHA256: return("TLS_DH_DSS_WITH_AES_128_CBC_SHA256"); ------------------ | | 107| 1|#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E ------------------ | Branch (417:3): [True: 1, 
False: 1.61k] ------------------ 418| 1| case TLS_DH_DSS_WITH_AES_256_CBC_SHA256: return("TLS_DH_DSS_WITH_AES_256_CBC_SHA256"); ------------------ | | 108| 1|#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 ------------------ | Branch (418:3): [True: 1, False: 1.61k] ------------------ 419| 1| case TLS_DH_DSS_WITH_AES_128_GCM_SHA256: return("TLS_DH_DSS_WITH_AES_128_GCM_SHA256"); ------------------ | | 109| 1|#define TLS_DH_DSS_WITH_AES_128_GCM_SHA256 0x00A4 ------------------ | Branch (419:3): [True: 1, False: 1.61k] ------------------ 420| 1| case TLS_DH_DSS_WITH_AES_256_GCM_SHA384: return("TLS_DH_DSS_WITH_AES_256_GCM_SHA384"); ------------------ | | 110| 1|#define TLS_DH_DSS_WITH_AES_256_GCM_SHA384 0x00A5 ------------------ | Branch (420:3): [True: 1, False: 1.61k] ------------------ 421| 1| case TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"); ------------------ | | 111| 1|#define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0042 ------------------ | Branch (421:3): [True: 1, False: 1.61k] ------------------ 422| 1| case TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"); ------------------ | | 112| 1|#define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0085 ------------------ | Branch (422:3): [True: 1, False: 1.61k] ------------------ 423| 0| case TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 113| 0|#define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 0x00BB ------------------ | Branch (423:3): [True: 0, False: 1.61k] ------------------ 424| 0| case TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"); ------------------ | | 114| 0|#define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 0x00C1 ------------------ | Branch (424:3): [True: 0, False: 1.61k] ------------------ 425| 1| case TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 115| 
1|#define TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 0xC082 ------------------ | Branch (425:3): [True: 1, False: 1.61k] ------------------ 426| 1| case TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 116| 1|#define TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 0xC083 ------------------ | Branch (426:3): [True: 1, False: 1.61k] ------------------ 427| 1| case TLS_DH_DSS_WITH_SEED_CBC_SHA: return("TLS_DH_DSS_WITH_SEED_CBC_SHA"); ------------------ | | 117| 1|#define TLS_DH_DSS_WITH_SEED_CBC_SHA 0x0097 ------------------ | Branch (427:3): [True: 1, False: 1.61k] ------------------ 428| 1| case TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256: return("TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 118| 1|#define TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 0xC03E ------------------ | Branch (428:3): [True: 1, False: 1.61k] ------------------ 429| 1| case TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384: return("TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 119| 1|#define TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 0xC03F ------------------ | Branch (429:3): [True: 1, False: 1.61k] ------------------ 430| 1| case TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256: return("TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 120| 1|#define TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 0xC058 ------------------ | Branch (430:3): [True: 1, False: 1.61k] ------------------ 431| 1| case TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384: return("TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 121| 1|#define TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 0xC059 ------------------ | Branch (431:3): [True: 1, False: 1.61k] ------------------ 432| 1| case TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); ------------------ | | 122| 1|#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 0x0011 ------------------ | Branch (432:3): [True: 1, False: 1.61k] ------------------ 433| 1| case TLS_DHE_DSS_WITH_DES_CBC_SHA: 
return("TLS_DHE_DSS_WITH_DES_CBC_SHA"); ------------------ | | 123| 1|#define TLS_DHE_DSS_WITH_DES_CBC_SHA 0x0012 ------------------ | Branch (433:3): [True: 1, False: 1.61k] ------------------ 434| 1| case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA: return("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 124| 1|#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x0013 ------------------ | Branch (434:3): [True: 1, False: 1.61k] ------------------ 435| 1| case TLS_DHE_DSS_WITH_AES_128_CBC_SHA: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA"); ------------------ | | 125| 1|#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 ------------------ | Branch (435:3): [True: 1, False: 1.61k] ------------------ 436| 1| case TLS_DHE_DSS_WITH_AES_256_CBC_SHA: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA"); ------------------ | | 126| 1|#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 ------------------ | Branch (436:3): [True: 1, False: 1.61k] ------------------ 437| 1| case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256: return("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"); ------------------ | | 127| 1|#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 ------------------ | Branch (437:3): [True: 1, False: 1.61k] ------------------ 438| 0| case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256: return("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"); ------------------ | | 128| 0|#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A ------------------ | Branch (438:3): [True: 0, False: 1.61k] ------------------ 439| 1| case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256: return("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"); ------------------ | | 129| 1|#define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 0x00A2 ------------------ | Branch (439:3): [True: 1, False: 1.61k] ------------------ 440| 1| case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384: return("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"); ------------------ | | 130| 1|#define TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 0x00A3 ------------------ | Branch (440:3): [True: 1, False: 1.61k] ------------------ 441| 1| case 
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"); ------------------ | | 131| 1|#define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x0044 ------------------ | Branch (441:3): [True: 1, False: 1.61k] ------------------ 442| 1| case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"); ------------------ | | 132| 1|#define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x0087 ------------------ | Branch (442:3): [True: 1, False: 1.61k] ------------------ 443| 0| case TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 133| 0|#define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 0x00BD ------------------ | Branch (443:3): [True: 0, False: 1.61k] ------------------ 444| 0| case TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"); ------------------ | | 134| 0|#define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 0x00C3 ------------------ | Branch (444:3): [True: 0, False: 1.61k] ------------------ 445| 1| case TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 135| 1|#define TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 0xC080 ------------------ | Branch (445:3): [True: 1, False: 1.61k] ------------------ 446| 1| case TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 136| 1|#define TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 0xC081 ------------------ | Branch (446:3): [True: 1, False: 1.61k] ------------------ 447| 1| case TLS_DHE_DSS_WITH_SEED_CBC_SHA: return("TLS_DHE_DSS_WITH_SEED_CBC_SHA"); ------------------ | | 137| 1|#define TLS_DHE_DSS_WITH_SEED_CBC_SHA 0x0099 ------------------ | Branch (447:3): [True: 1, False: 1.61k] ------------------ 448| 1| case TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256: return("TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 138| 1|#define 
TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 0xC042 ------------------ | Branch (448:3): [True: 1, False: 1.61k] ------------------ 449| 1| case TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384: return("TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 139| 1|#define TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 0xC043 ------------------ | Branch (449:3): [True: 1, False: 1.61k] ------------------ 450| 1| case TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256: return("TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 140| 1|#define TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 0xC056 ------------------ | Branch (450:3): [True: 1, False: 1.61k] ------------------ 451| 2| case TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384: return("TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 141| 2|#define TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 0xC057 ------------------ | Branch (451:3): [True: 2, False: 1.60k] ------------------ 452| 14| case TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5: return("TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5"); ------------------ | | 142| 14|#define TLS_DH_ANON_EXPORT_WITH_RC4_40_MD5 0x0017 ------------------ | Branch (452:3): [True: 14, False: 1.59k] ------------------ 453| 1| case TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: return("TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA"); ------------------ | | 143| 1|#define TLS_DH_ANON_EXPORT_WITH_DES40_CBC_SHA 0x0019 ------------------ | Branch (453:3): [True: 1, False: 1.61k] ------------------ 454| 1| case TLS_DH_ANON_WITH_RC4_128_MD5: return("TLS_DH_ANON_WITH_RC4_128_MD5"); ------------------ | | 144| 1|#define TLS_DH_ANON_WITH_RC4_128_MD5 0x0018 ------------------ | Branch (454:3): [True: 1, False: 1.61k] ------------------ 455| 2| case TLS_DH_ANON_WITH_DES_CBC_SHA: return("TLS_DH_ANON_WITH_DES_CBC_SHA"); ------------------ | | 145| 2|#define TLS_DH_ANON_WITH_DES_CBC_SHA 0x001A ------------------ | Branch (455:3): [True: 2, False: 1.60k] ------------------ 456| 1| case TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA: return("TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA"); 
------------------ | | 146| 1|#define TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA 0x001B ------------------ | Branch (456:3): [True: 1, False: 1.61k] ------------------ 457| 1| case TLS_DH_ANON_WITH_AES_128_CBC_SHA: return("TLS_DH_ANON_WITH_AES_128_CBC_SHA"); ------------------ | | 147| 1|#define TLS_DH_ANON_WITH_AES_128_CBC_SHA 0x0034 ------------------ | Branch (457:3): [True: 1, False: 1.61k] ------------------ 458| 1| case TLS_DH_ANON_WITH_AES_256_CBC_SHA: return("TLS_DH_ANON_WITH_AES_256_CBC_SHA"); ------------------ | | 148| 1|#define TLS_DH_ANON_WITH_AES_256_CBC_SHA 0x003A ------------------ | Branch (458:3): [True: 1, False: 1.61k] ------------------ 459| 1| case TLS_DH_ANON_WITH_AES_128_CBC_SHA256: return("TLS_DH_ANON_WITH_AES_128_CBC_SHA256"); ------------------ | | 149| 1|#define TLS_DH_ANON_WITH_AES_128_CBC_SHA256 0x006C ------------------ | Branch (459:3): [True: 1, False: 1.61k] ------------------ 460| 0| case TLS_DH_ANON_WITH_AES_256_CBC_SHA256: return("TLS_DH_ANON_WITH_AES_256_CBC_SHA256"); ------------------ | | 150| 0|#define TLS_DH_ANON_WITH_AES_256_CBC_SHA256 0x006D ------------------ | Branch (460:3): [True: 0, False: 1.61k] ------------------ 461| 1| case TLS_DH_ANON_WITH_AES_128_GCM_SHA256: return("TLS_DH_ANON_WITH_AES_128_GCM_SHA256"); ------------------ | | 151| 1|#define TLS_DH_ANON_WITH_AES_128_GCM_SHA256 0x00A6 ------------------ | Branch (461:3): [True: 1, False: 1.61k] ------------------ 462| 1| case TLS_DH_ANON_WITH_AES_256_GCM_SHA384: return("TLS_DH_ANON_WITH_AES_256_GCM_SHA384"); ------------------ | | 152| 1|#define TLS_DH_ANON_WITH_AES_256_GCM_SHA384 0x00A7 ------------------ | Branch (462:3): [True: 1, False: 1.61k] ------------------ 463| 1| case TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA: return("TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA"); ------------------ | | 153| 1|#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA 0x0046 ------------------ | Branch (463:3): [True: 1, False: 1.61k] ------------------ 464| 2| case 
TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA: return("TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA"); ------------------ | | 154| 2|#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA 0x0089 ------------------ | Branch (464:3): [True: 2, False: 1.60k] ------------------ 465| 0| case TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 155| 0|#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA256 0x00BF ------------------ | Branch (465:3): [True: 0, False: 1.61k] ------------------ 466| 0| case TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256: return("TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256"); ------------------ | | 156| 0|#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA256 0x00C5 ------------------ | Branch (466:3): [True: 0, False: 1.61k] ------------------ 467| 1| case TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 157| 1|#define TLS_DH_ANON_WITH_CAMELLIA_128_GCM_SHA256 0xC084 ------------------ | Branch (467:3): [True: 1, False: 1.61k] ------------------ 468| 1| case TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 158| 1|#define TLS_DH_ANON_WITH_CAMELLIA_256_GCM_SHA384 0xC085 ------------------ | Branch (468:3): [True: 1, False: 1.61k] ------------------ 469| 1| case TLS_DH_ANON_WITH_SEED_CBC_SHA: return("TLS_DH_ANON_WITH_SEED_CBC_SHA"); ------------------ | | 159| 1|#define TLS_DH_ANON_WITH_SEED_CBC_SHA 0x009B ------------------ | Branch (469:3): [True: 1, False: 1.61k] ------------------ 470| 1| case TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256: return("TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 160| 1|#define TLS_DH_ANON_WITH_ARIA_128_CBC_SHA256 0xC046 ------------------ | Branch (470:3): [True: 1, False: 1.61k] ------------------ 471| 8| case TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384: return("TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 161| 8|#define 
TLS_DH_ANON_WITH_ARIA_256_CBC_SHA384 0xC047 ------------------ | Branch (471:3): [True: 8, False: 1.60k] ------------------ 472| 1| case TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256: return("TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 162| 1|#define TLS_DH_ANON_WITH_ARIA_128_GCM_SHA256 0xC05A ------------------ | Branch (472:3): [True: 1, False: 1.61k] ------------------ 473| 1| case TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384: return("TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 163| 1|#define TLS_DH_ANON_WITH_ARIA_256_GCM_SHA384 0xC05B ------------------ | Branch (473:3): [True: 1, False: 1.61k] ------------------ 474| 1| case TLS_ECDH_RSA_WITH_NULL_SHA: return("TLS_ECDH_RSA_WITH_NULL_SHA"); ------------------ | | 164| 1|#define TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B ------------------ | Branch (474:3): [True: 1, False: 1.61k] ------------------ 475| 1| case TLS_ECDH_RSA_WITH_RC4_128_SHA: return("TLS_ECDH_RSA_WITH_RC4_128_SHA"); ------------------ | | 165| 1|#define TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C ------------------ | Branch (475:3): [True: 1, False: 1.61k] ------------------ 476| 2| case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 166| 2|#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D ------------------ | Branch (476:3): [True: 2, False: 1.60k] ------------------ 477| 2| case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"); ------------------ | | 167| 2|#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E ------------------ | Branch (477:3): [True: 2, False: 1.60k] ------------------ 478| 1| case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"); ------------------ | | 168| 1|#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F ------------------ | Branch (478:3): [True: 1, False: 1.61k] ------------------ 479| 1| case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 
169| 1|#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 ------------------ | Branch (479:3): [True: 1, False: 1.61k] ------------------ 480| 1| case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"); ------------------ | | 170| 1|#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A ------------------ | Branch (480:3): [True: 1, False: 1.61k] ------------------ 481| 1| case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"); ------------------ | | 171| 1|#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 ------------------ | Branch (481:3): [True: 1, False: 1.61k] ------------------ 482| 1| case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 172| 1|#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 ------------------ | Branch (482:3): [True: 1, False: 1.61k] ------------------ 483| 1| case TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 173| 1|#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC078 ------------------ | Branch (483:3): [True: 1, False: 1.61k] ------------------ 484| 1| case TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 174| 1|#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC079 ------------------ | Branch (484:3): [True: 1, False: 1.61k] ------------------ 485| 1| case TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 175| 1|#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC08C ------------------ | Branch (485:3): [True: 1, False: 1.61k] ------------------ 486| 1| case TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 176| 1|#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC08D ------------------ | Branch (486:3): [True: 1, False: 
1.61k] ------------------ 487| 1| case TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 177| 1|#define TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E ------------------ | Branch (487:3): [True: 1, False: 1.61k] ------------------ 488| 1| case TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 178| 1|#define TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F ------------------ | Branch (488:3): [True: 1, False: 1.61k] ------------------ 489| 1| case TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 179| 1|#define TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 ------------------ | Branch (489:3): [True: 1, False: 1.61k] ------------------ 490| 1| case TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 180| 1|#define TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 ------------------ | Branch (490:3): [True: 1, False: 1.61k] ------------------ 491| 1| case TLS_ECDHE_RSA_WITH_NULL_SHA: return("TLS_ECDHE_RSA_WITH_NULL_SHA"); ------------------ | | 181| 1|#define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 ------------------ | Branch (491:3): [True: 1, False: 1.61k] ------------------ 492| 3| case TLS_ECDHE_RSA_WITH_RC4_128_SHA: return("TLS_ECDHE_RSA_WITH_RC4_128_SHA"); ------------------ | | 182| 3|#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 ------------------ | Branch (492:3): [True: 3, False: 1.60k] ------------------ 493| 3| case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 183| 3|#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 ------------------ | Branch (493:3): [True: 3, False: 1.60k] ------------------ 494| 1| case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"); ------------------ | | 184| 1|#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 
------------------ | Branch (494:3): [True: 1, False: 1.61k] ------------------ 495| 1| case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"); ------------------ | | 185| 1|#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 ------------------ | Branch (495:3): [True: 1, False: 1.61k] ------------------ 496| 1| case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 186| 1|#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 ------------------ | Branch (496:3): [True: 1, False: 1.61k] ------------------ 497| 1| case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"); ------------------ | | 187| 1|#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 ------------------ | Branch (497:3): [True: 1, False: 1.61k] ------------------ 498| 527| case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"); ------------------ | | 188| 527|#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F ------------------ | Branch (498:3): [True: 527, False: 1.08k] ------------------ 499| 173| case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 189| 173|#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 ------------------ | Branch (499:3): [True: 173, False: 1.43k] ------------------ 500| 1| case TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 190| 1|#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076 ------------------ | Branch (500:3): [True: 1, False: 1.61k] ------------------ 501| 1| case TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 191| 1|#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077 ------------------ | Branch (501:3): [True: 1, False: 1.61k] ------------------ 502| 1| case 
TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 192| 1|#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC08A ------------------ | Branch (502:3): [True: 1, False: 1.61k] ------------------ 503| 1| case TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 193| 1|#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC08B ------------------ | Branch (503:3): [True: 1, False: 1.61k] ------------------ 504| 1| case TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 194| 1|#define TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C ------------------ | Branch (504:3): [True: 1, False: 1.61k] ------------------ 505| 1| case TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 195| 1|#define TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D ------------------ | Branch (505:3): [True: 1, False: 1.61k] ------------------ 506| 2| case TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 196| 2|#define TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 ------------------ | Branch (506:3): [True: 2, False: 1.60k] ------------------ 507| 1| case TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 197| 1|#define TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 ------------------ | Branch (507:3): [True: 1, False: 1.61k] ------------------ 508| 111| case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: return("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 198| 111|#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 ------------------ | Branch (508:3): [True: 111, False: 1.50k] ------------------ 509| 1| case TLS_ECDH_ECDSA_WITH_NULL_SHA: return("TLS_ECDH_ECDSA_WITH_NULL_SHA"); 
------------------ | | 199| 1|#define TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 ------------------ | Branch (509:3): [True: 1, False: 1.61k] ------------------ 510| 1| case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: return("TLS_ECDH_ECDSA_WITH_RC4_128_SHA"); ------------------ | | 200| 1|#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002 ------------------ | Branch (510:3): [True: 1, False: 1.61k] ------------------ 511| 1| case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 201| 1|#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003 ------------------ | Branch (511:3): [True: 1, False: 1.61k] ------------------ 512| 1| case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"); ------------------ | | 202| 1|#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 ------------------ | Branch (512:3): [True: 1, False: 1.61k] ------------------ 513| 1| case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); ------------------ | | 203| 1|#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 ------------------ | Branch (513:3): [True: 1, False: 1.61k] ------------------ 514| 2| case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 204| 2|#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 ------------------ | Branch (514:3): [True: 2, False: 1.60k] ------------------ 515| 1| case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"); ------------------ | | 205| 1|#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 ------------------ | Branch (515:3): [True: 1, False: 1.61k] ------------------ 516| 5| case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"); ------------------ | | 206| 5|#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D ------------------ | Branch (516:3): [True: 5, False: 1.60k] ------------------ 517| 10| case 
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 207| 10|#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E ------------------ | Branch (517:3): [True: 10, False: 1.60k] ------------------ 518| 1| case TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 208| 1|#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074 ------------------ | Branch (518:3): [True: 1, False: 1.61k] ------------------ 519| 4| case TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 209| 4|#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC075 ------------------ | Branch (519:3): [True: 4, False: 1.60k] ------------------ 520| 1| case TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 210| 1|#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC088 ------------------ | Branch (520:3): [True: 1, False: 1.61k] ------------------ 521| 3| case TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 211| 3|#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC089 ------------------ | Branch (521:3): [True: 3, False: 1.60k] ------------------ 522| 1| case TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 212| 1|#define TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A ------------------ | Branch (522:3): [True: 1, False: 1.61k] ------------------ 523| 2| case TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 213| 2|#define TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B ------------------ | Branch (523:3): [True: 2, False: 1.60k] ------------------ 524| 1| case TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256: 
return("TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 214| 1|#define TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E ------------------ | Branch (524:3): [True: 1, False: 1.61k] ------------------ 525| 1| case TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 215| 1|#define TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F ------------------ | Branch (525:3): [True: 1, False: 1.61k] ------------------ 526| 0| case TLS_ECDHE_ECDSA_WITH_NULL_SHA: return("TLS_ECDHE_ECDSA_WITH_NULL_SHA"); ------------------ | | 216| 0|#define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 ------------------ | Branch (526:3): [True: 0, False: 1.61k] ------------------ 527| 1| case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: return("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"); ------------------ | | 217| 1|#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 ------------------ | Branch (527:3): [True: 1, False: 1.61k] ------------------ 528| 1| case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 218| 1|#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 ------------------ | Branch (528:3): [True: 1, False: 1.61k] ------------------ 529| 1| case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"); ------------------ | | 219| 1|#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 ------------------ | Branch (529:3): [True: 1, False: 1.61k] ------------------ 530| 2| case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"); ------------------ | | 220| 2|#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A ------------------ | Branch (530:3): [True: 2, False: 1.60k] ------------------ 531| 1| case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: return("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"); ------------------ | | 221| 1|#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 ------------------ | Branch (531:3): [True: 1, 
False: 1.61k] ------------------ 532| 2| case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: return("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"); ------------------ | | 222| 2|#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 ------------------ | Branch (532:3): [True: 2, False: 1.60k] ------------------ 533| 2| case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: return("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"); ------------------ | | 223| 2|#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B ------------------ | Branch (533:3): [True: 2, False: 1.60k] ------------------ 534| 1| case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: return("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"); ------------------ | | 224| 1|#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C ------------------ | Branch (534:3): [True: 1, False: 1.61k] ------------------ 535| 1| case TLS_ECDHE_ECDSA_WITH_AES_128_CCM: return("TLS_ECDHE_ECDSA_WITH_AES_128_CCM"); ------------------ | | 225| 1|#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC ------------------ | Branch (535:3): [True: 1, False: 1.61k] ------------------ 536| 1| case TLS_ECDHE_ECDSA_WITH_AES_256_CCM: return("TLS_ECDHE_ECDSA_WITH_AES_256_CCM"); ------------------ | | 226| 1|#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD ------------------ | Branch (536:3): [True: 1, False: 1.61k] ------------------ 537| 1| case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: return("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"); ------------------ | | 227| 1|#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE ------------------ | Branch (537:3): [True: 1, False: 1.61k] ------------------ 538| 1| case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: return("TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"); ------------------ | | 228| 1|#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF ------------------ | Branch (538:3): [True: 1, False: 1.61k] ------------------ 539| 1| case TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 229| 
1|#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 ------------------ | Branch (539:3): [True: 1, False: 1.61k] ------------------ 540| 1| case TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 230| 1|#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 ------------------ | Branch (540:3): [True: 1, False: 1.61k] ------------------ 541| 1| case TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 231| 1|#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 ------------------ | Branch (541:3): [True: 1, False: 1.61k] ------------------ 542| 1| case TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 232| 1|#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 ------------------ | Branch (542:3): [True: 1, False: 1.61k] ------------------ 543| 1| case TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 233| 1|#define TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 ------------------ | Branch (543:3): [True: 1, False: 1.61k] ------------------ 544| 1| case TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 234| 1|#define TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 ------------------ | Branch (544:3): [True: 1, False: 1.61k] ------------------ 545| 2| case TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256: return("TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 235| 2|#define TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C ------------------ | Branch (545:3): [True: 2, False: 1.60k] ------------------ 546| 1| case TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384: return("TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 236| 1|#define 
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D ------------------ | Branch (546:3): [True: 1, False: 1.61k] ------------------ 547| 1| case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: return("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 237| 1|#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 ------------------ | Branch (547:3): [True: 1, False: 1.61k] ------------------ 548| 1| case TLS_ECDH_ANON_WITH_NULL_SHA: return("TLS_ECDH_ANON_WITH_NULL_SHA"); ------------------ | | 238| 1|#define TLS_ECDH_ANON_WITH_NULL_SHA 0xC015 ------------------ | Branch (548:3): [True: 1, False: 1.61k] ------------------ 549| 1| case TLS_ECDH_ANON_WITH_RC4_128_SHA: return("TLS_ECDH_ANON_WITH_RC4_128_SHA"); ------------------ | | 239| 1|#define TLS_ECDH_ANON_WITH_RC4_128_SHA 0xC016 ------------------ | Branch (549:3): [True: 1, False: 1.61k] ------------------ 550| 1| case TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 240| 1|#define TLS_ECDH_ANON_WITH_3DES_EDE_CBC_SHA 0xC017 ------------------ | Branch (550:3): [True: 1, False: 1.61k] ------------------ 551| 31| case TLS_ECDH_ANON_WITH_AES_128_CBC_SHA: return("TLS_ECDH_ANON_WITH_AES_128_CBC_SHA"); ------------------ | | 241| 31|#define TLS_ECDH_ANON_WITH_AES_128_CBC_SHA 0xC018 ------------------ | Branch (551:3): [True: 31, False: 1.58k] ------------------ 552| 1| case TLS_ECDH_ANON_WITH_AES_256_CBC_SHA: return("TLS_ECDH_ANON_WITH_AES_256_CBC_SHA"); ------------------ | | 242| 1|#define TLS_ECDH_ANON_WITH_AES_256_CBC_SHA 0xC019 ------------------ | Branch (552:3): [True: 1, False: 1.61k] ------------------ 553| 1| case TLS_PSK_WITH_NULL_SHA: return("TLS_PSK_WITH_NULL_SHA"); ------------------ | | 243| 1|#define TLS_PSK_WITH_NULL_SHA 0x002C ------------------ | Branch (553:3): [True: 1, False: 1.61k] ------------------ 554| 1| case TLS_PSK_WITH_NULL_SHA256: return("TLS_PSK_WITH_NULL_SHA256"); ------------------ | | 244| 1|#define 
TLS_PSK_WITH_NULL_SHA256 0x00B0 ------------------ | Branch (554:3): [True: 1, False: 1.61k] ------------------ 555| 1| case TLS_PSK_WITH_NULL_SHA384: return("TLS_PSK_WITH_NULL_SHA384"); ------------------ | | 245| 1|#define TLS_PSK_WITH_NULL_SHA384 0x00B1 ------------------ | Branch (555:3): [True: 1, False: 1.61k] ------------------ 556| 1| case TLS_PSK_WITH_RC4_128_SHA: return("TLS_PSK_WITH_RC4_128_SHA"); ------------------ | | 246| 1|#define TLS_PSK_WITH_RC4_128_SHA 0x008A ------------------ | Branch (556:3): [True: 1, False: 1.61k] ------------------ 557| 1| case TLS_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_PSK_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 247| 1|#define TLS_PSK_WITH_3DES_EDE_CBC_SHA 0x008B ------------------ | Branch (557:3): [True: 1, False: 1.61k] ------------------ 558| 1| case TLS_PSK_WITH_AES_128_CBC_SHA: return("TLS_PSK_WITH_AES_128_CBC_SHA"); ------------------ | | 248| 1|#define TLS_PSK_WITH_AES_128_CBC_SHA 0x008C ------------------ | Branch (558:3): [True: 1, False: 1.61k] ------------------ 559| 1| case TLS_PSK_WITH_AES_256_CBC_SHA: return("TLS_PSK_WITH_AES_256_CBC_SHA"); ------------------ | | 249| 1|#define TLS_PSK_WITH_AES_256_CBC_SHA 0x008D ------------------ | Branch (559:3): [True: 1, False: 1.61k] ------------------ 560| 1| case TLS_PSK_WITH_AES_128_CBC_SHA256: return("TLS_PSK_WITH_AES_128_CBC_SHA256"); ------------------ | | 250| 1|#define TLS_PSK_WITH_AES_128_CBC_SHA256 0x00AE ------------------ | Branch (560:3): [True: 1, False: 1.61k] ------------------ 561| 1| case TLS_PSK_WITH_AES_256_CBC_SHA384: return("TLS_PSK_WITH_AES_256_CBC_SHA384"); ------------------ | | 251| 1|#define TLS_PSK_WITH_AES_256_CBC_SHA384 0x00AF ------------------ | Branch (561:3): [True: 1, False: 1.61k] ------------------ 562| 1| case TLS_PSK_WITH_AES_128_GCM_SHA256: return("TLS_PSK_WITH_AES_128_GCM_SHA256"); ------------------ | | 252| 1|#define TLS_PSK_WITH_AES_128_GCM_SHA256 0x00A8 ------------------ | Branch (562:3): [True: 1, False: 1.61k] 
------------------ 563| 1| case TLS_PSK_WITH_AES_256_GCM_SHA384: return("TLS_PSK_WITH_AES_256_GCM_SHA384"); ------------------ | | 253| 1|#define TLS_PSK_WITH_AES_256_GCM_SHA384 0x00A9 ------------------ | Branch (563:3): [True: 1, False: 1.61k] ------------------ 564| 1| case TLS_PSK_WITH_AES_128_CCM: return("TLS_PSK_WITH_AES_128_CCM"); ------------------ | | 254| 1|#define TLS_PSK_WITH_AES_128_CCM 0xC0A4 ------------------ | Branch (564:3): [True: 1, False: 1.61k] ------------------ 565| 1| case TLS_PSK_WITH_AES_256_CCM: return("TLS_PSK_WITH_AES_256_CCM"); ------------------ | | 255| 1|#define TLS_PSK_WITH_AES_256_CCM 0xC0A5 ------------------ | Branch (565:3): [True: 1, False: 1.61k] ------------------ 566| 2| case TLS_PSK_WITH_AES_128_CCM_8: return("TLS_PSK_WITH_AES_128_CCM_8"); ------------------ | | 256| 2|#define TLS_PSK_WITH_AES_128_CCM_8 0xC0A8 ------------------ | Branch (566:3): [True: 2, False: 1.60k] ------------------ 567| 1| case TLS_PSK_WITH_AES_256_CCM_8: return("TLS_PSK_WITH_AES_256_CCM_8"); ------------------ | | 257| 1|#define TLS_PSK_WITH_AES_256_CCM_8 0xC0A9 ------------------ | Branch (567:3): [True: 1, False: 1.61k] ------------------ 568| 1| case TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 258| 1|#define TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC094 ------------------ | Branch (568:3): [True: 1, False: 1.61k] ------------------ 569| 1| case TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 259| 1|#define TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC095 ------------------ | Branch (569:3): [True: 1, False: 1.61k] ------------------ 570| 1| case TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 260| 1|#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC08E ------------------ | Branch (570:3): [True: 1, False: 1.61k] ------------------ 571| 1| case 
TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 261| 1|#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC08F ------------------ | Branch (571:3): [True: 1, False: 1.61k] ------------------ 572| 1| case TLS_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_PSK_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 262| 1|#define TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 ------------------ | Branch (572:3): [True: 1, False: 1.61k] ------------------ 573| 3| case TLS_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_PSK_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 263| 3|#define TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 ------------------ | Branch (573:3): [True: 3, False: 1.60k] ------------------ 574| 1| case TLS_PSK_WITH_ARIA_128_GCM_SHA256: return("TLS_PSK_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 264| 1|#define TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A ------------------ | Branch (574:3): [True: 1, False: 1.61k] ------------------ 575| 3| case TLS_PSK_WITH_ARIA_256_GCM_SHA384: return("TLS_PSK_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 265| 3|#define TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B ------------------ | Branch (575:3): [True: 3, False: 1.60k] ------------------ 576| 1| case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_PSK_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 266| 1|#define TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB ------------------ | Branch (576:3): [True: 1, False: 1.61k] ------------------ 577| 1| case TLS_RSA_PSK_WITH_NULL_SHA: return("TLS_RSA_PSK_WITH_NULL_SHA"); ------------------ | | 267| 1|#define TLS_RSA_PSK_WITH_NULL_SHA 0x002E ------------------ | Branch (577:3): [True: 1, False: 1.61k] ------------------ 578| 1| case TLS_RSA_PSK_WITH_NULL_SHA256: return("TLS_RSA_PSK_WITH_NULL_SHA256"); ------------------ | | 268| 1|#define TLS_RSA_PSK_WITH_NULL_SHA256 0x00B8 ------------------ | Branch (578:3): [True: 1, False: 1.61k] ------------------ 579| 1| case 
TLS_RSA_PSK_WITH_NULL_SHA384: return("TLS_RSA_PSK_WITH_NULL_SHA384"); ------------------ | | 269| 1|#define TLS_RSA_PSK_WITH_NULL_SHA384 0x00B9 ------------------ | Branch (579:3): [True: 1, False: 1.61k] ------------------ 580| 1| case TLS_RSA_PSK_WITH_RC4_128_SHA: return("TLS_RSA_PSK_WITH_RC4_128_SHA"); ------------------ | | 270| 1|#define TLS_RSA_PSK_WITH_RC4_128_SHA 0x0092 ------------------ | Branch (580:3): [True: 1, False: 1.61k] ------------------ 581| 1| case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 271| 1|#define TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 0x0093 ------------------ | Branch (581:3): [True: 1, False: 1.61k] ------------------ 582| 1| case TLS_RSA_PSK_WITH_AES_128_CBC_SHA: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA"); ------------------ | | 272| 1|#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x0094 ------------------ | Branch (582:3): [True: 1, False: 1.61k] ------------------ 583| 1| case TLS_RSA_PSK_WITH_AES_256_CBC_SHA: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA"); ------------------ | | 273| 1|#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x0095 ------------------ | Branch (583:3): [True: 1, False: 1.61k] ------------------ 584| 1| case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256: return("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"); ------------------ | | 274| 1|#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 0x00B6 ------------------ | Branch (584:3): [True: 1, False: 1.61k] ------------------ 585| 1| case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384: return("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"); ------------------ | | 275| 1|#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 0x00B7 ------------------ | Branch (585:3): [True: 1, False: 1.61k] ------------------ 586| 1| case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256: return("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"); ------------------ | | 276| 1|#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 0x00AC ------------------ | Branch (586:3): [True: 1, False: 1.61k] ------------------ 587| 1| case 
TLS_RSA_PSK_WITH_AES_256_GCM_SHA384: return("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"); ------------------ | | 277| 1|#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 0x00AD ------------------ | Branch (587:3): [True: 1, False: 1.61k] ------------------ 588| 1| case TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 278| 1|#define TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC098 ------------------ | Branch (588:3): [True: 1, False: 1.61k] ------------------ 589| 1| case TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 279| 1|#define TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC099 ------------------ | Branch (589:3): [True: 1, False: 1.61k] ------------------ 590| 1| case TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 280| 1|#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC092 ------------------ | Branch (590:3): [True: 1, False: 1.61k] ------------------ 591| 1| case TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 281| 1|#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC093 ------------------ | Branch (591:3): [True: 1, False: 1.61k] ------------------ 592| 1| case TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 282| 1|#define TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 ------------------ | Branch (592:3): [True: 1, False: 1.61k] ------------------ 593| 1| case TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 283| 1|#define TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 ------------------ | Branch (593:3): [True: 1, False: 1.61k] ------------------ 594| 1| case TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256: return("TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 284| 1|#define 
TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E ------------------ | Branch (594:3): [True: 1, False: 1.61k] ------------------ 595| 1| case TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384: return("TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 285| 1|#define TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F ------------------ | Branch (595:3): [True: 1, False: 1.61k] ------------------ 596| 8| case TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 286| 8|#define TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE ------------------ | Branch (596:3): [True: 8, False: 1.60k] ------------------ 597| 1| case TLS_DHE_PSK_WITH_NULL_SHA: return("TLS_DHE_PSK_WITH_NULL_SHA"); ------------------ | | 287| 1|#define TLS_DHE_PSK_WITH_NULL_SHA 0x002D ------------------ | Branch (597:3): [True: 1, False: 1.61k] ------------------ 598| 1| case TLS_DHE_PSK_WITH_NULL_SHA256: return("TLS_DHE_PSK_WITH_NULL_SHA256"); ------------------ | | 288| 1|#define TLS_DHE_PSK_WITH_NULL_SHA256 0x00B4 ------------------ | Branch (598:3): [True: 1, False: 1.61k] ------------------ 599| 1| case TLS_DHE_PSK_WITH_NULL_SHA384: return("TLS_DHE_PSK_WITH_NULL_SHA384"); ------------------ | | 289| 1|#define TLS_DHE_PSK_WITH_NULL_SHA384 0x00B5 ------------------ | Branch (599:3): [True: 1, False: 1.61k] ------------------ 600| 1| case TLS_DHE_PSK_WITH_RC4_128_SHA: return("TLS_DHE_PSK_WITH_RC4_128_SHA"); ------------------ | | 290| 1|#define TLS_DHE_PSK_WITH_RC4_128_SHA 0x008E ------------------ | Branch (600:3): [True: 1, False: 1.61k] ------------------ 601| 1| case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 291| 1|#define TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 0x008F ------------------ | Branch (601:3): [True: 1, False: 1.61k] ------------------ 602| 1| case TLS_DHE_PSK_WITH_AES_128_CBC_SHA: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA"); ------------------ | | 292| 1|#define 
TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x0090 ------------------ | Branch (602:3): [True: 1, False: 1.61k] ------------------ 603| 1| case TLS_DHE_PSK_WITH_AES_256_CBC_SHA: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA"); ------------------ | | 293| 1|#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x0091 ------------------ | Branch (603:3): [True: 1, False: 1.61k] ------------------ 604| 1| case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256: return("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"); ------------------ | | 294| 1|#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 0x00B2 ------------------ | Branch (604:3): [True: 1, False: 1.61k] ------------------ 605| 1| case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384: return("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"); ------------------ | | 295| 1|#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 0x00B3 ------------------ | Branch (605:3): [True: 1, False: 1.61k] ------------------ 606| 1| case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256: return("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"); ------------------ | | 296| 1|#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 0x00AA ------------------ | Branch (606:3): [True: 1, False: 1.61k] ------------------ 607| 1| case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384: return("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"); ------------------ | | 297| 1|#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 0x00AB ------------------ | Branch (607:3): [True: 1, False: 1.61k] ------------------ 608| 1| case TLS_DHE_PSK_WITH_AES_128_CCM: return("TLS_DHE_PSK_WITH_AES_128_CCM"); ------------------ | | 298| 1|#define TLS_DHE_PSK_WITH_AES_128_CCM 0xC0A6 ------------------ | Branch (608:3): [True: 1, False: 1.61k] ------------------ 609| 1| case TLS_DHE_PSK_WITH_AES_256_CCM: return("TLS_DHE_PSK_WITH_AES_256_CCM"); ------------------ | | 299| 1|#define TLS_DHE_PSK_WITH_AES_256_CCM 0xC0A7 ------------------ | Branch (609:3): [True: 1, False: 1.61k] ------------------ 610| 1| case TLS_DHE_PSK_WITH_AES_128_CCM_8: return("TLS_DHE_PSK_WITH_AES_128_CCM_8"); ------------------ | | 300| 1|#define 
TLS_DHE_PSK_WITH_AES_128_CCM_8 0xC0AA ------------------ | Branch (610:3): [True: 1, False: 1.61k] ------------------ 611| 3| case TLS_DHE_PSK_WITH_AES_256_CCM_8: return("TLS_DHE_PSK_WITH_AES_256_CCM_8"); ------------------ | | 301| 3|#define TLS_DHE_PSK_WITH_AES_256_CCM_8 0xC0AB ------------------ | Branch (611:3): [True: 3, False: 1.60k] ------------------ 612| 1| case TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 302| 1|#define TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC096 ------------------ | Branch (612:3): [True: 1, False: 1.61k] ------------------ 613| 1| case TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 303| 1|#define TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC097 ------------------ | Branch (613:3): [True: 1, False: 1.61k] ------------------ 614| 1| case TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256: return("TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256"); ------------------ | | 304| 1|#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC090 ------------------ | Branch (614:3): [True: 1, False: 1.61k] ------------------ 615| 2| case TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384: return("TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384"); ------------------ | | 305| 2|#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC091 ------------------ | Branch (615:3): [True: 2, False: 1.60k] ------------------ 616| 1| case TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 306| 1|#define TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 ------------------ | Branch (616:3): [True: 1, False: 1.61k] ------------------ 617| 2| case TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 307| 2|#define TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 ------------------ | Branch (617:3): [True: 2, False: 1.60k] ------------------ 618| 1| case 
TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256: return("TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256"); ------------------ | | 308| 1|#define TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C ------------------ | Branch (618:3): [True: 1, False: 1.61k] ------------------ 619| 1| case TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384: return("TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384"); ------------------ | | 309| 1|#define TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D ------------------ | Branch (619:3): [True: 1, False: 1.61k] ------------------ 620| 0| case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 310| 0|#define TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD ------------------ | Branch (620:3): [True: 0, False: 1.61k] ------------------ 621| 1| case TLS_ECDHE_PSK_WITH_NULL_SHA: return("TLS_ECDHE_PSK_WITH_NULL_SHA"); ------------------ | | 311| 1|#define TLS_ECDHE_PSK_WITH_NULL_SHA 0xC039 ------------------ | Branch (621:3): [True: 1, False: 1.61k] ------------------ 622| 1| case TLS_ECDHE_PSK_WITH_NULL_SHA256: return("TLS_ECDHE_PSK_WITH_NULL_SHA256"); ------------------ | | 312| 1|#define TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A ------------------ | Branch (622:3): [True: 1, False: 1.61k] ------------------ 623| 1| case TLS_ECDHE_PSK_WITH_NULL_SHA384: return("TLS_ECDHE_PSK_WITH_NULL_SHA384"); ------------------ | | 313| 1|#define TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B ------------------ | Branch (623:3): [True: 1, False: 1.61k] ------------------ 624| 1| case TLS_ECDHE_PSK_WITH_RC4_128_SHA: return("TLS_ECDHE_PSK_WITH_RC4_128_SHA"); ------------------ | | 314| 1|#define TLS_ECDHE_PSK_WITH_RC4_128_SHA 0xC033 ------------------ | Branch (624:3): [True: 1, False: 1.61k] ------------------ 625| 1| case TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA: return("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 315| 1|#define TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 0xC034 ------------------ | Branch (625:3): [True: 1, False: 1.61k] 
------------------ 626| 2| case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"); ------------------ | | 316| 2|#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035 ------------------ | Branch (626:3): [True: 2, False: 1.60k] ------------------ 627| 1| case TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"); ------------------ | | 317| 1|#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036 ------------------ | Branch (627:3): [True: 1, False: 1.61k] ------------------ 628| 1| case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"); ------------------ | | 318| 1|#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 ------------------ | Branch (628:3): [True: 1, False: 1.61k] ------------------ 629| 1| case TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384: return("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"); ------------------ | | 319| 1|#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038 ------------------ | Branch (629:3): [True: 1, False: 1.61k] ------------------ 630| 0| case TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256"); ------------------ | | 320| 0|#define TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 0xD001 ------------------ | Branch (630:3): [True: 0, False: 1.61k] ------------------ 631| 0| case TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384: return("TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384"); ------------------ | | 321| 0|#define TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 0xD002 ------------------ | Branch (631:3): [True: 0, False: 1.61k] ------------------ 632| 0| case TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256"); ------------------ | | 322| 0|#define TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 0xD005 ------------------ | Branch (632:3): [True: 0, False: 1.61k] ------------------ 633| 0| case TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256: return("TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256"); ------------------ | | 323| 0|#define 
TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 0xD003 ------------------ | Branch (633:3): [True: 0, False: 1.61k] ------------------ 634| 1| case TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256: return("TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256"); ------------------ | | 324| 1|#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A ------------------ | Branch (634:3): [True: 1, False: 1.61k] ------------------ 635| 1| case TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384: return("TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384"); ------------------ | | 325| 1|#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B ------------------ | Branch (635:3): [True: 1, False: 1.61k] ------------------ 636| 1| case TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256: return("TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256"); ------------------ | | 326| 1|#define TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 ------------------ | Branch (636:3): [True: 1, False: 1.61k] ------------------ 637| 1| case TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384: return("TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384"); ------------------ | | 327| 1|#define TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 ------------------ | Branch (637:3): [True: 1, False: 1.61k] ------------------ 638| 0| case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: return("TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"); ------------------ | | 328| 0|#define TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC ------------------ | Branch (638:3): [True: 0, False: 1.61k] ------------------ 639| 1| case TLS_KRB5_EXPORT_WITH_RC4_40_MD5: return("TLS_KRB5_EXPORT_WITH_RC4_40_MD5"); ------------------ | | 329| 1|#define TLS_KRB5_EXPORT_WITH_RC4_40_MD5 0x002B ------------------ | Branch (639:3): [True: 1, False: 1.61k] ------------------ 640| 1| case TLS_KRB5_EXPORT_WITH_RC4_40_SHA: return("TLS_KRB5_EXPORT_WITH_RC4_40_SHA"); ------------------ | | 330| 1|#define TLS_KRB5_EXPORT_WITH_RC4_40_SHA 0x0028 ------------------ | Branch (640:3): [True: 1, False: 1.61k] ------------------ 641| 
1| case TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"); ------------------ | | 331| 1|#define TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 0x002A ------------------ | Branch (641:3): [True: 1, False: 1.61k] ------------------ 642| 1| case TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA: return("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"); ------------------ | | 332| 1|#define TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA 0x0027 ------------------ | Branch (642:3): [True: 1, False: 1.61k] ------------------ 643| 1| case TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"); ------------------ | | 333| 1|#define TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 0x0029 ------------------ | Branch (643:3): [True: 1, False: 1.61k] ------------------ 644| 1| case TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA: return("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"); ------------------ | | 334| 1|#define TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA 0x0026 ------------------ | Branch (644:3): [True: 1, False: 1.61k] ------------------ 645| 1| case TLS_KRB5_WITH_RC4_128_MD5: return("TLS_KRB5_WITH_RC4_128_MD5"); ------------------ | | 335| 1|#define TLS_KRB5_WITH_RC4_128_MD5 0x0024 ------------------ | Branch (645:3): [True: 1, False: 1.61k] ------------------ 646| 1| case TLS_KRB5_WITH_RC4_128_SHA: return("TLS_KRB5_WITH_RC4_128_SHA"); ------------------ | | 336| 1|#define TLS_KRB5_WITH_RC4_128_SHA 0x0020 ------------------ | Branch (646:3): [True: 1, False: 1.61k] ------------------ 647| 1| case TLS_KRB5_WITH_IDEA_CBC_MD5: return("TLS_KRB5_WITH_IDEA_CBC_MD5"); ------------------ | | 337| 1|#define TLS_KRB5_WITH_IDEA_CBC_MD5 0x0025 ------------------ | Branch (647:3): [True: 1, False: 1.61k] ------------------ 648| 1| case TLS_KRB5_WITH_IDEA_CBC_SHA: return("TLS_KRB5_WITH_IDEA_CBC_SHA"); ------------------ | | 338| 1|#define TLS_KRB5_WITH_IDEA_CBC_SHA 0x0021 ------------------ | Branch (648:3): [True: 1, False: 1.61k] ------------------ 649| 1| case TLS_KRB5_WITH_DES_CBC_MD5: 
return("TLS_KRB5_WITH_DES_CBC_MD5"); ------------------ | | 339| 1|#define TLS_KRB5_WITH_DES_CBC_MD5 0x0022 ------------------ | Branch (649:3): [True: 1, False: 1.61k] ------------------ 650| 1| case TLS_KRB5_WITH_DES_CBC_SHA: return("TLS_KRB5_WITH_DES_CBC_SHA"); ------------------ | | 340| 1|#define TLS_KRB5_WITH_DES_CBC_SHA 0x001E ------------------ | Branch (650:3): [True: 1, False: 1.61k] ------------------ 651| 1| case TLS_KRB5_WITH_3DES_EDE_CBC_MD5: return("TLS_KRB5_WITH_3DES_EDE_CBC_MD5"); ------------------ | | 341| 1|#define TLS_KRB5_WITH_3DES_EDE_CBC_MD5 0x0023 ------------------ | Branch (651:3): [True: 1, False: 1.61k] ------------------ 652| 1| case TLS_KRB5_WITH_3DES_EDE_CBC_SHA: return("TLS_KRB5_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 342| 1|#define TLS_KRB5_WITH_3DES_EDE_CBC_SHA 0x001F ------------------ | Branch (652:3): [True: 1, False: 1.61k] ------------------ 653| 1| case TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA: return("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 343| 1|#define TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA 0xC01A ------------------ | Branch (653:3): [True: 1, False: 1.61k] ------------------ 654| 1| case TLS_SRP_SHA_WITH_AES_128_CBC_SHA: return("TLS_SRP_SHA_WITH_AES_128_CBC_SHA"); ------------------ | | 344| 1|#define TLS_SRP_SHA_WITH_AES_128_CBC_SHA 0xC01D ------------------ | Branch (654:3): [True: 1, False: 1.61k] ------------------ 655| 1| case TLS_SRP_SHA_WITH_AES_256_CBC_SHA: return("TLS_SRP_SHA_WITH_AES_256_CBC_SHA"); ------------------ | | 345| 1|#define TLS_SRP_SHA_WITH_AES_256_CBC_SHA 0xC020 ------------------ | Branch (655:3): [True: 1, False: 1.61k] ------------------ 656| 2| case TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA: return("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 346| 2|#define TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA 0xC01B ------------------ | Branch (656:3): [True: 2, False: 1.60k] ------------------ 657| 2| case TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA: 
return("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"); ------------------ | | 347| 2|#define TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA 0xC01E ------------------ | Branch (657:3): [True: 2, False: 1.60k] ------------------ 658| 1| case TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA: return("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"); ------------------ | | 348| 1|#define TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA 0xC021 ------------------ | Branch (658:3): [True: 1, False: 1.61k] ------------------ 659| 1| case TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA: return("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"); ------------------ | | 349| 1|#define TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA 0xC01C ------------------ | Branch (659:3): [True: 1, False: 1.61k] ------------------ 660| 1| case TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA: return("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"); ------------------ | | 350| 1|#define TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA 0xC01F ------------------ | Branch (660:3): [True: 1, False: 1.61k] ------------------ 661| 1| case TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA: return("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"); ------------------ | | 351| 1|#define TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA 0xC022 ------------------ | Branch (661:3): [True: 1, False: 1.61k] ------------------ 662| 3| case TLS_ECCPWD_WITH_AES_128_GCM_SHA256: return("TLS_ECCPWD_WITH_AES_128_GCM_SHA256"); ------------------ | | 352| 3|#define TLS_ECCPWD_WITH_AES_128_GCM_SHA256 0xC0B0 ------------------ | Branch (662:3): [True: 3, False: 1.60k] ------------------ 663| 1| case TLS_ECCPWD_WITH_AES_256_GCM_SHA384: return("TLS_ECCPWD_WITH_AES_256_GCM_SHA384"); ------------------ | | 353| 1|#define TLS_ECCPWD_WITH_AES_256_GCM_SHA384 0xC0B1 ------------------ | Branch (663:3): [True: 1, False: 1.61k] ------------------ 664| 1| case TLS_ECCPWD_WITH_AES_128_CCM_SHA256: return("TLS_ECCPWD_WITH_AES_128_CCM_SHA256"); ------------------ | | 354| 1|#define TLS_ECCPWD_WITH_AES_128_CCM_SHA256 0xC0B2 ------------------ | Branch (664:3): [True: 1, False: 
1.61k] ------------------ 665| 1| case TLS_ECCPWD_WITH_AES_256_CCM_SHA384: return("TLS_ECCPWD_WITH_AES_256_CCM_SHA384"); ------------------ | | 355| 1|#define TLS_ECCPWD_WITH_AES_256_CCM_SHA384 0xC0B3 ------------------ | Branch (665:3): [True: 1, False: 1.61k] ------------------ 666| 0| case TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC: return("TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC"); ------------------ | | 356| 0|#define TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC 0xC100 ------------------ | Branch (666:3): [True: 0, False: 1.61k] ------------------ 667| 0| case TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC: return("TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC"); ------------------ | | 357| 0|#define TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC 0xC101 ------------------ | Branch (667:3): [True: 0, False: 1.61k] ------------------ 668| 0| case TLS_GOSTR341112_256_WITH_28147_CNT_IMIT: return("TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"); ------------------ | | 358| 0|#define TLS_GOSTR341112_256_WITH_28147_CNT_IMIT 0xC102 ------------------ | Branch (668:3): [True: 0, False: 1.61k] ------------------ 669| 0| case TLS_AES_128_GCM_SHA256: return("TLS_AES_128_GCM_SHA256"); ------------------ | | 359| 0|#define TLS_AES_128_GCM_SHA256 0x1301 ------------------ | Branch (669:3): [True: 0, False: 1.61k] ------------------ 670| 1| case TLS_AES_256_GCM_SHA384: return("TLS_AES_256_GCM_SHA384"); ------------------ | | 360| 1|#define TLS_AES_256_GCM_SHA384 0x1302 ------------------ | Branch (670:3): [True: 1, False: 1.61k] ------------------ 671| 0| case TLS_AES_128_CCM_SHA256: return("TLS_AES_128_CCM_SHA256"); ------------------ | | 361| 0|#define TLS_AES_128_CCM_SHA256 0x1304 ------------------ | Branch (671:3): [True: 0, False: 1.61k] ------------------ 672| 13| case TLS_AES_128_CCM_8_SHA256: return("TLS_AES_128_CCM_8_SHA256"); ------------------ | | 362| 13|#define TLS_AES_128_CCM_8_SHA256 0x1305 ------------------ | Branch (672:3): [True: 13, False: 1.59k] ------------------ 673| 1| 
case TLS_CHACHA20_POLY1305_SHA256: return("TLS_CHACHA20_POLY1305_SHA256"); ------------------ | | 363| 1|#define TLS_CHACHA20_POLY1305_SHA256 0x1303 ------------------ | Branch (673:3): [True: 1, False: 1.61k] ------------------ 674| 0| case TLS_SM4_GCM_SM3: return("TLS_SM4_GCM_SM3"); ------------------ | | 364| 0|#define TLS_SM4_GCM_SM3 0x00C6 ------------------ | Branch (674:3): [True: 0, False: 1.61k] ------------------ 675| 0| case TLS_SM4_CCM_SM3: return("TLS_SM4_CCM_SM3"); ------------------ | | 365| 0|#define TLS_SM4_CCM_SM3 0x00C7 ------------------ | Branch (675:3): [True: 0, False: 1.61k] ------------------ 676| 1| case TLS_SHA256_SHA256: return("TLS_SHA256_SHA256"); ------------------ | | 366| 1|#define TLS_SHA256_SHA256 0xC0B4 ------------------ | Branch (676:3): [True: 1, False: 1.61k] ------------------ 677| 1| case TLS_SHA384_SHA384: return("TLS_SHA384_SHA384"); ------------------ | | 367| 1|#define TLS_SHA384_SHA384 0xC0B5 ------------------ | Branch (677:3): [True: 1, False: 1.61k] ------------------ 678| 1| case TLS_EMPTY_RENEGOTIATION_INFO_SCSV: return("TLS_EMPTY_RENEGOTIATION_INFO_SCSV"); ------------------ | | 368| 1|#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF ------------------ | Branch (678:3): [True: 1, False: 1.61k] ------------------ 679| 0| case TLS_FALLBACK_SCSV: return("TLS_FALLBACK_SCSV"); ------------------ | | 369| 0|#define TLS_FALLBACK_SCSV 0x5600 ------------------ | Branch (679:3): [True: 0, False: 1.61k] ------------------ 680| 1| case TLS_CIPHER_GREASE_RESERVED_0: return("TLS_CIPHER_GREASE_RESERVED_0"); ------------------ | | 372| 1|#define TLS_CIPHER_GREASE_RESERVED_0 0x0A0A ------------------ | Branch (680:3): [True: 1, False: 1.61k] ------------------ 681| 0| case TLS_CIPHER_GREASE_RESERVED_1: return("TLS_CIPHER_GREASE_RESERVED_1"); ------------------ | | 373| 0|#define TLS_CIPHER_GREASE_RESERVED_1 0x1A1A ------------------ | Branch (681:3): [True: 0, False: 1.61k] ------------------ 682| 0| case 
TLS_CIPHER_GREASE_RESERVED_2: return("TLS_CIPHER_GREASE_RESERVED_2"); ------------------ | | 374| 0|#define TLS_CIPHER_GREASE_RESERVED_2 0x2A2A ------------------ | Branch (682:3): [True: 0, False: 1.61k] ------------------ 683| 1| case TLS_CIPHER_GREASE_RESERVED_3: return("TLS_CIPHER_GREASE_RESERVED_3"); ------------------ | | 375| 1|#define TLS_CIPHER_GREASE_RESERVED_3 0x3A3A ------------------ | Branch (683:3): [True: 1, False: 1.61k] ------------------ 684| 0| case TLS_CIPHER_GREASE_RESERVED_4: return("TLS_CIPHER_GREASE_RESERVED_4"); ------------------ | | 376| 0|#define TLS_CIPHER_GREASE_RESERVED_4 0x4A4A ------------------ | Branch (684:3): [True: 0, False: 1.61k] ------------------ 685| 0| case TLS_CIPHER_GREASE_RESERVED_5: return("TLS_CIPHER_GREASE_RESERVED_5"); ------------------ | | 377| 0|#define TLS_CIPHER_GREASE_RESERVED_5 0x5A5A ------------------ | Branch (685:3): [True: 0, False: 1.61k] ------------------ 686| 0| case TLS_CIPHER_GREASE_RESERVED_6: return("TLS_CIPHER_GREASE_RESERVED_6"); ------------------ | | 378| 0|#define TLS_CIPHER_GREASE_RESERVED_6 0x6A6A ------------------ | Branch (686:3): [True: 0, False: 1.61k] ------------------ 687| 0| case TLS_CIPHER_GREASE_RESERVED_7: return("TLS_CIPHER_GREASE_RESERVED_7"); ------------------ | | 379| 0|#define TLS_CIPHER_GREASE_RESERVED_7 0x7A7A ------------------ | Branch (687:3): [True: 0, False: 1.61k] ------------------ 688| 0| case TLS_CIPHER_GREASE_RESERVED_8: return("TLS_CIPHER_GREASE_RESERVED_8"); ------------------ | | 380| 0|#define TLS_CIPHER_GREASE_RESERVED_8 0x8A8A ------------------ | Branch (688:3): [True: 0, False: 1.61k] ------------------ 689| 0| case TLS_CIPHER_GREASE_RESERVED_9: return("TLS_CIPHER_GREASE_RESERVED_9"); ------------------ | | 381| 0|#define TLS_CIPHER_GREASE_RESERVED_9 0x9A9A ------------------ | Branch (689:3): [True: 0, False: 1.61k] ------------------ 690| 0| case TLS_CIPHER_GREASE_RESERVED_A: return("TLS_CIPHER_GREASE_RESERVED_A"); ------------------ | | 382| 
0|#define TLS_CIPHER_GREASE_RESERVED_A 0xAAAA ------------------ | Branch (690:3): [True: 0, False: 1.61k] ------------------ 691| 1| case TLS_CIPHER_GREASE_RESERVED_B: return("TLS_CIPHER_GREASE_RESERVED_B"); ------------------ | | 383| 1|#define TLS_CIPHER_GREASE_RESERVED_B 0xBABA ------------------ | Branch (691:3): [True: 1, False: 1.61k] ------------------ 692| 0| case TLS_CIPHER_GREASE_RESERVED_C: return("TLS_CIPHER_GREASE_RESERVED_C"); ------------------ | | 384| 0|#define TLS_CIPHER_GREASE_RESERVED_C 0xCACA ------------------ | Branch (692:3): [True: 0, False: 1.61k] ------------------ 693| 0| case TLS_CIPHER_GREASE_RESERVED_D: return("TLS_CIPHER_GREASE_RESERVED_D"); ------------------ | | 385| 0|#define TLS_CIPHER_GREASE_RESERVED_D 0xDADA ------------------ | Branch (693:3): [True: 0, False: 1.61k] ------------------ 694| 0| case TLS_CIPHER_GREASE_RESERVED_E: return("TLS_CIPHER_GREASE_RESERVED_E"); ------------------ | | 386| 0|#define TLS_CIPHER_GREASE_RESERVED_E 0xEAEA ------------------ | Branch (694:3): [True: 0, False: 1.61k] ------------------ 695| 0| case TLS_CIPHER_GREASE_RESERVED_F: return("TLS_CIPHER_GREASE_RESERVED_F"); ------------------ | | 387| 0|#define TLS_CIPHER_GREASE_RESERVED_F 0xFAFA ------------------ | Branch (695:3): [True: 0, False: 1.61k] ------------------ 696| | 697| 41| default: ------------------ | Branch (697:3): [True: 41, False: 1.57k] ------------------ 698| 41| { 699| 41| ndpi_snprintf(unknown_cipher, 8, "0X%04X", cipher); 700| 41| return(unknown_cipher); 701| 0| } 702| 1.61k| } 703| 1.61k|} ndpi_has_human_readable_string: 760| 70.6k| char *outbuf, u_int outbuf_len) { 761| 70.6k| u_int ret = 0, i, do_cr = 0, len = 0, o_idx = 0, being_o_idx = 0; 762| | 763| 70.6k| if(buffer_size <= 0) ------------------ | Branch (763:6): [True: 0, False: 70.6k] ------------------ 764| 0| return(0); 765| | 766| 70.6k| outbuf_len--; 767| 70.6k| outbuf[outbuf_len] = '\0'; 768| | 769| 10.9M| for(i=0; i> %c%c\n", ndpi_isprint(buffer[i]) ? 
buffer[i] : '.', ndpi_isprint(buffer[i+1]) ? buffer[i+1] : '.'); 789| 10.4M| if(do_cr) { ------------------ | Branch (789:10): [True: 342k, False: 10.0M] ------------------ 790| 342k| if(len > min_string_match_len) ------------------ | Branch (790:5): [True: 22.8k, False: 319k] ------------------ 791| 22.8k| ret = 1; 792| 319k| else { 793| 319k| o_idx = being_o_idx; 794| 319k| being_o_idx = o_idx; 795| 319k| outbuf[o_idx] = '\0'; 796| 319k| } 797| | 798| |#ifdef PRINT_STRINGS 799| | printf(" [len: %u]%s\n", len, ret ? "<-- HIT" : ""); 800| |#endif 801| | 802| 342k| if(ret) ------------------ | Branch (802:5): [True: 22.8k, False: 319k] ------------------ 803| 22.8k| break; 804| | 805| 319k| do_cr = 0, len = 0; 806| 319k| } 807| 10.4M| } 808| 10.9M| } 809| | 810| |#ifdef PRINT_STRINGS 811| | printf("=======>> Found string: %u\n", ret); 812| |#endif 813| | 814| 70.6k| return(ret); 815| 70.6k|} ndpi_get_flow_info: 851| 10.2k| ndpi_protocol const * const l7_protocol) { 852| 10.2k| char const * const app_protocol_info = ndpi_get_flow_info_by_proto_id(flow, l7_protocol->proto.app_protocol); 853| | 854| 10.2k| if(app_protocol_info != NULL) ------------------ | Branch (854:6): [True: 3.80k, False: 6.45k] ------------------ 855| 3.80k| return app_protocol_info; 856| | 857| 6.45k| return ndpi_get_flow_info_by_proto_id(flow, l7_protocol->proto.master_protocol); 858| 10.2k|} ndpi_multimedia_flowtype2str: 863| 1.21k|{ 864| 1.21k| int rc, len = 0; 865| | 866| 1.21k| if(buf == NULL || buf_len <= 1) ------------------ | Branch (866:6): [True: 0, False: 1.21k] | Branch (866:21): [True: 0, False: 1.21k] ------------------ 867| 0| return NULL; 868| | 869| 1.21k| buf[0] = '\0'; 870| | 871| 1.21k| if(m_types == ndpi_multimedia_unknown_flow) { ------------------ | Branch (871:6): [True: 1.14k, False: 66] ------------------ 872| 1.14k| rc = ndpi_snprintf(buf + len, buf_len - len, "Unknown", len > 0 ? 
", " : ""); ------------------ | Branch (872:61): [True: 0, False: 1.14k] ------------------ 873| 1.14k| if(rc > 0 && len + rc < buf_len) len += rc; else return NULL; ------------------ | Branch (873:8): [True: 1.14k, False: 0] | Branch (873:18): [True: 1.14k, False: 0] ------------------ 874| 1.14k| } 875| | 876| 1.21k| if(m_types & ndpi_multimedia_audio_flow) { ------------------ | Branch (876:6): [True: 58, False: 1.15k] ------------------ 877| 58| rc = ndpi_snprintf(buf + len, buf_len - len, "%sAudio", len > 0 ? ", " : ""); ------------------ | Branch (877:61): [True: 0, False: 58] ------------------ 878| 58| if(rc > 0 && len + rc < buf_len) len += rc; else return NULL; ------------------ | Branch (878:8): [True: 58, False: 0] | Branch (878:18): [True: 58, False: 0] ------------------ 879| 58| } 880| 1.21k| if(m_types & ndpi_multimedia_video_flow) { ------------------ | Branch (880:6): [True: 8, False: 1.20k] ------------------ 881| 8| rc = ndpi_snprintf(buf + len, buf_len - len, "%sVideo", len > 0 ? ", " : ""); ------------------ | Branch (881:61): [True: 0, False: 8] ------------------ 882| 8| if(rc > 0 && len + rc < buf_len) len += rc; else return NULL; ------------------ | Branch (882:8): [True: 8, False: 0] | Branch (882:18): [True: 8, False: 0] ------------------ 883| 8| } 884| 1.21k| if(m_types & ndpi_multimedia_screen_sharing_flow) { ------------------ | Branch (884:6): [True: 0, False: 1.21k] ------------------ 885| 0| rc = ndpi_snprintf(buf + len, buf_len - len, "%sScreen Sharing", len > 0 ? 
", " : ""); ------------------ | Branch (885:70): [True: 0, False: 0] ------------------ 886| 0| if(rc > 0 && len + rc < buf_len) len += rc; else return NULL; ------------------ | Branch (886:8): [True: 0, False: 0] | Branch (886:18): [True: 0, False: 0] ------------------ 887| 0| } 888| | 889| 1.21k| return buf; 890| 1.21k|} ndpi_ssl_version2str: 895| 2.74k| u_int16_t version, u_int8_t *unknown_tls_version) { 896| 2.74k| if(unknown_tls_version) ------------------ | Branch (896:6): [True: 2.74k, False: 0] ------------------ 897| 2.74k| *unknown_tls_version = 0; 898| | 899| 2.74k| if(buf == NULL || buf_len <= 1) ------------------ | Branch (899:6): [True: 0, False: 2.74k] | Branch (899:21): [True: 0, False: 2.74k] ------------------ 900| 0| return NULL; 901| | 902| 2.74k| switch(version) { ------------------ | Branch (902:10): [True: 2.65k, False: 90] ------------------ 903| 3| case 0x0300: strncpy(buf, "SSLv3", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (903:3): [True: 3, False: 2.74k] ------------------ 904| 1.05k| case 0x0301: strncpy(buf, "TLSv1", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (904:3): [True: 1.05k, False: 1.68k] ------------------ 905| 8| case 0x0302: strncpy(buf, "TLSv1.1", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (905:3): [True: 8, False: 2.74k] ------------------ 906| 1.57k| case 0x0303: strncpy(buf, "TLSv1.2", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (906:3): [True: 1.57k, False: 1.17k] ------------------ 907| 13| case 0x0304: strncpy(buf, "TLSv1.3", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (907:3): [True: 13, False: 2.73k] ------------------ 908| 0| case 0XFB1A: strncpy(buf, "TLSv1.3 (Fizz)", buf_len); buf[buf_len - 1] = '\0'; return buf; /* https://engineering.fb.com/security/fizz/ */ ------------------ | Branch (908:3): [True: 0, False: 2.74k] ------------------ 909| 0| case 
0XFEFF: strncpy(buf, "DTLSv1.0", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (909:3): [True: 0, False: 2.74k] ------------------ 910| 0| case 0XFEFD: strncpy(buf, "DTLSv1.2", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (910:3): [True: 0, False: 2.74k] ------------------ 911| 1| case 0XFEFC: strncpy(buf, "DTLSv1.3", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (911:3): [True: 1, False: 2.74k] ------------------ 912| 1| case 0x0A0A: ------------------ | Branch (912:3): [True: 1, False: 2.74k] ------------------ 913| 1| case 0x1A1A: ------------------ | Branch (913:3): [True: 0, False: 2.74k] ------------------ 914| 1| case 0x2A2A: ------------------ | Branch (914:3): [True: 0, False: 2.74k] ------------------ 915| 1| case 0x3A3A: ------------------ | Branch (915:3): [True: 0, False: 2.74k] ------------------ 916| 1| case 0x4A4A: ------------------ | Branch (916:3): [True: 0, False: 2.74k] ------------------ 917| 1| case 0x5A5A: ------------------ | Branch (917:3): [True: 0, False: 2.74k] ------------------ 918| 1| case 0x6A6A: ------------------ | Branch (918:3): [True: 0, False: 2.74k] ------------------ 919| 1| case 0x7A7A: ------------------ | Branch (919:3): [True: 0, False: 2.74k] ------------------ 920| 1| case 0x8A8A: ------------------ | Branch (920:3): [True: 0, False: 2.74k] ------------------ 921| 1| case 0x9A9A: ------------------ | Branch (921:3): [True: 0, False: 2.74k] ------------------ 922| 1| case 0xAAAA: ------------------ | Branch (922:3): [True: 0, False: 2.74k] ------------------ 923| 1| case 0xBABA: ------------------ | Branch (923:3): [True: 0, False: 2.74k] ------------------ 924| 1| case 0xCACA: ------------------ | Branch (924:3): [True: 0, False: 2.74k] ------------------ 925| 1| case 0xDADA: ------------------ | Branch (925:3): [True: 0, False: 2.74k] ------------------ 926| 1| case 0xEAEA: ------------------ | Branch (926:3): [True: 0, False: 
2.74k] ------------------ 927| 1| case 0xFAFA: strncpy(buf, "GREASE", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | Branch (927:3): [True: 0, False: 2.74k] ------------------ 928| 2.74k| } 929| | 930| 90| if((version >= 0x7f00) && (version <= 0x7fff)) { ------------------ | Branch (930:6): [True: 33, False: 57] | Branch (930:29): [True: 2, False: 31] ------------------ 931| 2| strncpy(buf, "TLSv1.3 (draft)", buf_len); 932| 2| buf[buf_len - 1] = '\0'; 933| 2| return buf; 934| 2| } 935| | 936| 88| if(unknown_tls_version) ------------------ | Branch (936:6): [True: 88, False: 0] ------------------ 937| 88| *unknown_tls_version = 1; 938| | 939| 88| ndpi_snprintf(buf, buf_len, "TLS (%04X)", version); 940| | 941| 88| return buf; 942| 90|} ndpi_patchIPv6Address: 946| 3.08k|void ndpi_patchIPv6Address(char *str) { 947| 3.08k| int i = 0, j = 0; 948| | 949| 3.08k| if (strstr(str, "::")) ------------------ | Branch (949:7): [True: 661, False: 2.42k] ------------------ 950| 661| return; 951| | 952| 91.1k| while(str[i] != '\0') { ------------------ | Branch (952:9): [True: 88.6k, False: 2.42k] ------------------ 953| 88.6k| if((str[i] == ':') ------------------ | Branch (953:8): [True: 16.7k, False: 71.8k] ------------------ 954| 16.7k| && (str[i+1] == '0') ------------------ | Branch (954:11): [True: 228, False: 16.5k] ------------------ 955| 228| && (str[i+2] == ':')) { ------------------ | Branch (955:11): [True: 190, False: 38] ------------------ 956| 190| str[j++] = ':'; 957| 190| str[j++] = ':'; 958| 190| i += 3; 959| 190| } else 960| 88.4k| str[j++] = str[i++]; 961| 88.6k| } 962| | 963| 2.42k| if(str[j] != '\0') str[j] = '\0'; ------------------ | Branch (963:6): [True: 137, False: 2.29k] ------------------ 964| 2.42k|} ndpi_user_pwd_payload_copy: 970| 851| const u_int8_t *src, u_int src_len) { 971| 851| u_int i, j=0, k = dest_len-1; 972| | 973| 8.30k| for(i=offset; (irisk)); 1175| 13.3k| ndpi_serialize_string_string(serializer, "severity", 
ndpi_severity2str(risk_info->severity)); 1176| 13.3k| ndpi_serialize_risk_score(serializer, r); 1177| 13.3k| ndpi_serialize_end_of_block(serializer); 1178| 13.3k| } 1179| 460k| } 1180| | 1181| 7.94k| ndpi_serialize_end_of_block(serializer); 1182| 7.94k|} ndpi_serialize_risk_score: 1187| 13.3k| ndpi_risk_enum risk) { 1188| 13.3k| u_int16_t rs, rs_client = 0, rs_server = 0; 1189| | 1190| 13.3k| if(risk == NDPI_NO_RISK) { ------------------ | Branch (1190:6): [True: 0, False: 13.3k] ------------------ 1191| 0| return; 1192| 0| } 1193| | 1194| 13.3k| ndpi_serialize_start_of_block(serializer, "risk_score"); 1195| 13.3k| rs = ndpi_risk2score(risk, &rs_client, &rs_server); 1196| 13.3k| ndpi_serialize_string_uint32(serializer, "total", rs); 1197| 13.3k| ndpi_serialize_string_uint32(serializer, "client", rs_client); 1198| 13.3k| ndpi_serialize_string_uint32(serializer, "server", rs_server); 1199| 13.3k| ndpi_serialize_end_of_block(serializer); 1200| 13.3k|} ndpi_serialize_confidence: 1206| 10.2k|{ 1207| 10.2k| if(confidence == NDPI_CONFIDENCE_UNKNOWN) { ------------------ | Branch (1207:6): [True: 631, False: 9.62k] ------------------ 1208| 631| return; 1209| 631| } 1210| | 1211| 9.62k| ndpi_serialize_start_of_block(serializer, "confidence"); 1212| 9.62k| ndpi_serialize_uint32_string(serializer, (u_int32_t)confidence, ndpi_confidence_get_name(confidence)); 1213| 9.62k| ndpi_serialize_end_of_block(serializer); 1214| 9.62k|} ndpi_serialize_proto: 1223| 10.2k|{ 1224| 10.2k| char buf[64]; 1225| | 1226| 10.2k| ndpi_serialize_risk(serializer, risk); 1227| 10.2k| ndpi_serialize_confidence(serializer, confidence); 1228| 10.2k| ndpi_serialize_string_string(serializer, "proto", ndpi_protocol2name(ndpi_struct, l7_protocol.proto, buf, sizeof(buf))); 1229| 10.2k| ndpi_serialize_string_string(serializer, "proto_id", ndpi_protocol2id(l7_protocol.proto, buf, sizeof(buf))); 1230| 10.2k| ndpi_serialize_string_string(serializer, "proto_by_ip", ndpi_get_proto_name(ndpi_struct, 1231| 10.2k| 
l7_protocol.protocol_by_ip)); 1232| 10.2k| if(l7_protocol.protocol_by_ip) ndpi_serialize_string_uint32(serializer, "proto_by_ip_id", l7_protocol.protocol_by_ip); ------------------ | Branch (1232:6): [True: 3.13k, False: 7.12k] ------------------ 1233| 10.2k| ndpi_serialize_string_uint32(serializer, "encrypted", ndpi_is_encrypted_proto(ndpi_struct, l7_protocol.proto)); 1234| 10.2k| ndpi_serialize_string_string(serializer, "breed", ndpi_get_proto_breed_name(l7_protocol.breed)); 1235| 10.2k| ndpi_serialize_string_uint32(serializer, "category_id", l7_protocol.category); 1236| 10.2k| ndpi_serialize_string_string(serializer, "category", ndpi_category_get_name(ndpi_struct, l7_protocol.category)); 1237| 10.2k|} ndpi_serialize_tls_blocks: 1243| 1.57k| struct ndpi_flow_struct *flow) { /* Writes the TLS details of a flow to the serializer: a "tls_blocks" list when cfg.tls_max_num_blocks_to_analyze > 0 and the flow holds recorded blocks, then a "client_data" and a "server_data" block when ja_client / ja_server are set. The earlier lines of the signature are not part of this listing. */ 1244| 1.57k| if((ndpi_struct->cfg.tls_max_num_blocks_to_analyze > 0) ------------------ | Branch (1244:6): [True: 0, False: 1.57k] ------------------ 1245| 0| && (flow->l4.tcp.tls.tls_blocks != NULL) ------------------ | Branch (1245:9): [True: 0, False: 0] ------------------ 1246| 0| && (flow->l4.tcp.tls.num_tls_blocks > 0)) { ------------------ | Branch (1246:9): [True: 0, False: 0] ------------------ 1247| 0| u_int16_t i, idx = 0; 1248| 0| int ret; 1249| 0| char buf[256]; 1250| | 1251| 0| ndpi_serialize_start_of_list(serializer, "tls_blocks"); 1252| | 1253| 0| for(i=0; i< flow->l4.tcp.tls.num_tls_blocks; i++) { ------------------ | Branch (1253:14): [True: 0, False: 0] ------------------ 1254| 0| if(!flow->l4.tcp.tls.tls_blocks[i].same_pkt) { ------------------ | Branch (1254:10): [True: 0, False: 0] ------------------ 1255| 0| if(idx > 0) { ------------------ | Branch (1255:5): [True: 0, False: 0] ------------------ 1256| 0| ndpi_serialize_string_string(serializer, "", buf); /* entries are accumulated in buf as one comma-separated string and emitted once a block with same_pkt == 0 is reached */ 1257| 0| idx = 0; 1258| 0| } 1259| 0| } 1260| | 1261| 0| if(ndpi_struct->cfg.tls_blocks_show_timing) ------------------ | Branch (1261:10): [True: 0, False: 0] ------------------ 1262| 0| ret = snprintf(&buf[idx], 
sizeof(buf)-idx-1, "%s%s=%d@%u", 1263| 0| (idx > 0) ? "," : "", ------------------ | Branch (1263:10): [True: 0, False: 0] ------------------ 1264| 0| ndpi_print_encoded_tls_block_type(flow->l4.tcp.tls.tls_blocks[i].block_type, true), 1265| 0| flow->l4.tcp.tls.tls_blocks[i].len, 1266| 0| flow->l4.tcp.tls.tls_blocks[i].msec_delta); 1267| 0| else 1268| 0| ret = snprintf(&buf[idx], sizeof(buf)-idx-1, "%s%s=%d", 1269| 0| (idx > 0) ? "," : "", ------------------ | Branch (1269:10): [True: 0, False: 0] ------------------ 1270| 0| ndpi_print_encoded_tls_block_type(flow->l4.tcp.tls.tls_blocks[i].block_type, true), 1271| 0| flow->l4.tcp.tls.tls_blocks[i].len); 1272| | 1273| 0| if(ret > 0) idx += ret; else break; /* NOTE(review): snprintf() returns the length it would have written, not the length stored, so after a truncated write idx can move past the end of buf; on the next same_pkt entry &buf[idx] is then out of range and sizeof(buf)-idx-1 wraps as an unsigned value. The loop should also stop when ret is >= the size that was passed in. This path shows no executions in this coverage run. */ ------------------ | Branch (1273:10): [True: 0, False: 0] ------------------ 1274| 0| } /* for */ 1275| | 1276| 0| if(idx > 0) ------------------ | Branch (1276:8): [True: 0, False: 0] ------------------ 1277| 0| ndpi_serialize_string_string(serializer, "", buf); 1278| | 1279| 0| ndpi_serialize_end_of_list(serializer); 1280| 0| } 1281| | 1282| |#ifdef TLS_HANDLE_SIGNATURE_ALGORITMS 1283| | ndpi_serialize_string_uint32(serializer, "sig_algs", flow->protos.tls_quic.num_tls_signature_algorithms); 1284| |#endif 1285| | 1286| 1.57k| if(flow->protos.tls_quic.ja_client != NULL) { ------------------ | Branch (1286:6): [True: 0, False: 1.57k] ------------------ 1287| 0| ndpi_tls_client_info *c = flow->protos.tls_quic.ja_client; 1288| 0| u_int16_t i; 1289| 0| char unknown_cipher[8]; /* the 8-byte unknown_* arrays in this function are handed to the *2str helpers; how the helpers use them is not visible here */ 1290| | 1291| 0| ndpi_serialize_start_of_block(serializer, "client_data"); 1292| | 1293| 0| if(c->num_ciphers > 0) { ------------------ | Branch (1293:8): [True: 0, False: 0] ------------------ 1294| 0| ndpi_serialize_start_of_list(serializer, "ciphers"); 1295| | 1296| 0| for(i=0; inum_ciphers; i++) /* listing artifact: the loop bound lost its operator here and in the loops below; presumably i < c->num_ciphers, confirm against the source file */ ------------------ | Branch (1296:16): [True: 0, False: 0] ------------------ 1297| 0| ndpi_serialize_string_string(serializer, "", ndpi_cipher2str(c->cipher[i], unknown_cipher)); 1298| | 1299| 0| 
ndpi_serialize_end_of_list(serializer); 1300| 0| } 1301| | 1302| 0| if(c->num_tls_extensions > 0) { ------------------ | Branch (1302:8): [True: 0, False: 0] ------------------ 1303| 0| char unknown_extn[8]; 1304| | 1305| 0| ndpi_serialize_start_of_list(serializer, "tls_extensions"); 1306| | 1307| 0| for(i=0; inum_tls_extensions; i++) ------------------ | Branch (1307:16): [True: 0, False: 0] ------------------ 1308| 0| ndpi_serialize_string_string(serializer, "", 1309| 0| ndpi_tls_extension2str(c->tls_extension[i], unknown_extn)); 1310| | 1311| 0| ndpi_serialize_end_of_list(serializer); 1312| 0| } 1313| | 1314| 0| if(c->num_elliptic_curve_groups > 0) { ------------------ | Branch (1314:8): [True: 0, False: 0] ------------------ 1315| 0| char unknown_group[8]; 1316| | 1317| 0| ndpi_serialize_start_of_list(serializer, "elliptic_curve_groups"); 1318| | 1319| 0| for(i=0; inum_elliptic_curve_groups; i++) ------------------ | Branch (1319:16): [True: 0, False: 0] ------------------ 1320| 0| ndpi_serialize_string_string(serializer, "", 1321| 0| ndpi_tls_elliptic_curve_groups2str(c->elliptic_curve_group[i], unknown_group)); 1322| | 1323| 0| ndpi_serialize_end_of_list(serializer); 1324| 0| } 1325| | 1326| 0| if(c->num_elliptic_curve_point_format > 0) { ------------------ | Branch (1326:8): [True: 0, False: 0] ------------------ 1327| 0| char unknown_curve[8]; 1328| | 1329| 0| ndpi_serialize_start_of_list(serializer, "elliptic_curve_point_format"); 1330| | 1331| 0| for(i=0; inum_elliptic_curve_point_format; i++) ------------------ | Branch (1331:16): [True: 0, False: 0] ------------------ 1332| 0| ndpi_serialize_string_string(serializer, "", 1333| 0| ndpi_tls_elliptic_curve2str(c->elliptic_curve_point_format[i], unknown_curve)); 1334| | 1335| 0| ndpi_serialize_end_of_list(serializer); 1336| 0| } 1337| | 1338| 0| if(c->num_signature_algorithms > 0) { ------------------ | Branch (1338:8): [True: 0, False: 0] ------------------ 1339| 0| char unknown_algo[8]; 1340| | 1341| 0| 
ndpi_serialize_start_of_list(serializer, "signature_algorithms"); 1342| | 1343| 0| for(i=0; inum_signature_algorithms; i++) ------------------ | Branch (1343:16): [True: 0, False: 0] ------------------ 1344| 0| ndpi_serialize_string_string(serializer, "", 1345| 0| ndpi_tls_signature_algo2str(c->signature_algorithm[i], unknown_algo)); 1346| | 1347| 0| ndpi_serialize_end_of_list(serializer); 1348| 0| } 1349| | 1350| 0| if(c->num_key_share_groups > 0) { ------------------ | Branch (1350:8): [True: 0, False: 0] ------------------ 1351| 0| char unknown_group[8]; 1352| | 1353| 0| ndpi_serialize_start_of_list(serializer, "key_share_groups"); 1354| | 1355| 0| for(i=0; inum_key_share_groups; i++) ------------------ | Branch (1355:16): [True: 0, False: 0] ------------------ 1356| 0| ndpi_serialize_string_string(serializer, "", 1357| 0| ndpi_tls_key_share_group2str(c->key_share_group[i], unknown_group)); 1358| | 1359| 0| ndpi_serialize_end_of_list(serializer); 1360| 0| } 1361| | 1362| 0| if(c->num_supported_versions > 0) { ------------------ | Branch (1362:8): [True: 0, False: 0] ------------------ 1363| 0| char unknown_version[8]; 1364| | 1365| 0| ndpi_serialize_start_of_list(serializer, "supported_versions"); 1366| | 1367| 0| for(i=0; inum_supported_versions; i++) ------------------ | Branch (1367:16): [True: 0, False: 0] ------------------ 1368| 0| ndpi_serialize_string_string(serializer, "", 1369| 0| ndpi_tls_supported_version2str(c->supported_version[i], unknown_version)); 1370| | 1371| 0| ndpi_serialize_end_of_list(serializer); 1372| 0| } 1373| | 1374| 0| ndpi_serialize_end_of_block(serializer); 1375| 0| } 1376| | 1377| 1.57k| if(flow->protos.tls_quic.ja_server != NULL) { ------------------ | Branch (1377:6): [True: 0, False: 1.57k] ------------------ 1378| 0| ndpi_tls_server_info *s = flow->protos.tls_quic.ja_server; /* server-side record: ciphers, extensions and point formats are emitted with the same list layout as client_data */ 1379| 0| u_int16_t i; 1380| 0| char unknown_cipher[8]; 1381| | 1382| 0| ndpi_serialize_start_of_block(serializer, "server_data"); 1383| | 1384| 0| 
if(s->num_ciphers > 0) { ------------------ | Branch (1384:8): [True: 0, False: 0] ------------------ 1385| 0| ndpi_serialize_start_of_list(serializer, "ciphers"); 1386| | 1387| 0| for(i=0; inum_ciphers; i++) ------------------ | Branch (1387:16): [True: 0, False: 0] ------------------ 1388| 0| ndpi_serialize_string_string(serializer, "", ndpi_cipher2str(s->cipher[i], unknown_cipher)); 1389| | 1390| 0| ndpi_serialize_end_of_list(serializer); 1391| 0| } 1392| | 1393| 0| if(s->num_tls_extensions > 0) { ------------------ | Branch (1393:8): [True: 0, False: 0] ------------------ 1394| 0| char unknown_extn[8]; 1395| | 1396| 0| ndpi_serialize_start_of_list(serializer, "tls_extensions"); 1397| | 1398| 0| for(i=0; inum_tls_extensions; i++) ------------------ | Branch (1398:16): [True: 0, False: 0] ------------------ 1399| 0| ndpi_serialize_string_string(serializer, "", 1400| 0| ndpi_tls_extension2str(s->tls_extension[i], unknown_extn)); 1401| | 1402| 0| ndpi_serialize_end_of_list(serializer); 1403| 0| } 1404| | 1405| 0| if(s->num_elliptic_curve_point_format > 0) { ------------------ | Branch (1405:8): [True: 0, False: 0] ------------------ 1406| 0| char unknown_curve[8]; 1407| | 1408| 0| ndpi_serialize_start_of_list(serializer, "elliptic_curve_point_format"); 1409| | 1410| 0| for(i=0; inum_elliptic_curve_point_format; i++) ------------------ | Branch (1410:16): [True: 0, False: 0] ------------------ 1411| 0| ndpi_serialize_string_string(serializer, "", 1412| 0| ndpi_tls_elliptic_curve2str(s->elliptic_curve_point_format[i], unknown_curve)); 1413| | 1414| 0| ndpi_serialize_end_of_list(serializer); 1415| 0| } 1416| | 1417| 0| ndpi_serialize_end_of_block(serializer); 1418| 0| } 1419| 1.57k|} print_ndpi_address_port: 1502| 64|char* print_ndpi_address_port(ndpi_address_port *ap, char *buf, u_int buf_len) { /* Formats ap as "address:port" into buf (bounded by buf_len through snprintf) and returns buf. */ 1503| 64| char ipbuf[INET6_ADDRSTRLEN]; 1504| | 1505| 64| if(ap->is_ipv6) { ------------------ | Branch (1505:6): [True: 0, False: 64] ------------------ 1506| 0| 
inet_ntop(AF_INET6, &ap->address, ipbuf, sizeof(ipbuf)); 1507| 64| } else { 1508| 64| inet_ntop(AF_INET, &ap->address, ipbuf, sizeof(ipbuf)); 1509| 64| } 1510| | 1511| 64| snprintf(buf, buf_len, "%s:%u", ipbuf, ap->port); 1512| | 1513| 64| return(buf); 1514| 64|} ndpi_dpi2json: 1564| 10.2k| ndpi_serializer *serializer) { 1565| 10.2k| char buf[64]; 1566| 10.2k| char const *host_server_name; 1567| 10.2k| char quic_version[16]; 1568| 10.2k| char content[64] = {0}; 1569| 10.2k| u_int i; 1570| | 1571| 10.2k| if(flow == NULL) return(-1); ------------------ | Branch (1571:6): [True: 0, False: 10.2k] ------------------ 1572| | 1573| 10.2k| ndpi_serialize_start_of_block(serializer, "ndpi"); 1574| 10.2k| ndpi_serialize_proto(ndpi_struct, serializer, flow->risk, flow->confidence, l7_protocol); 1575| | 1576| 10.2k| host_server_name = ndpi_get_flow_info(flow, &l7_protocol); 1577| | 1578| 10.2k| if (host_server_name != NULL) { ------------------ | Branch (1578:7): [True: 5.03k, False: 5.22k] ------------------ 1579| 5.03k| ndpi_serialize_string_string(serializer, "hostname", host_server_name); 1580| 5.03k| ndpi_serialize_string_string(serializer, "domainame", ndpi_get_host_domain(ndpi_struct, host_server_name)); 1581| 5.03k| } 1582| | 1583| 10.2k| if(flow->flow_multimedia_types != ndpi_multimedia_unknown_flow) { ------------------ | Branch (1583:6): [True: 38, False: 10.2k] ------------------ 1584| 38| ndpi_serialize_string_string(serializer, "stream_content", ndpi_multimedia_flowtype2str(content, sizeof(content), flow->flow_multimedia_types)); 1585| 38| } 1586| | 1587| 10.2k| switch(l7_protocol.proto.master_protocol ? 
l7_protocol.proto.master_protocol : l7_protocol.proto.app_protocol) { ------------------ | Branch (1587:10): [True: 1.25k, False: 9.00k] | Branch (1587:10): [True: 7.85k, False: 2.40k] ------------------ 1588| 750| case NDPI_PROTOCOL_IP_ICMP: ------------------ | Branch (1588:3): [True: 750, False: 9.50k] ------------------ 1589| 750| if(flow->entropy > 0.0f) { ------------------ | Branch (1589:8): [True: 746, False: 4] ------------------ 1590| 746| ndpi_serialize_string_float(serializer, "entropy", flow->entropy, "%.6f"); 1591| 746| } 1592| 750| break; 1593| | 1594| 98| case NDPI_PROTOCOL_DHCP: ------------------ | Branch (1594:3): [True: 98, False: 10.1k] ------------------ 1595| 98| ndpi_serialize_start_of_block(serializer, "dhcp"); 1596| 98| ndpi_serialize_string_string(serializer, "fingerprint", flow->protos.dhcp.fingerprint); 1597| 98| ndpi_serialize_string_string(serializer, "class_ident", flow->protos.dhcp.class_ident); 1598| 98| ndpi_serialize_end_of_block(serializer); 1599| 98| break; 1600| | 1601| 1.54k| case NDPI_PROTOCOL_BITTORRENT: ------------------ | Branch (1601:3): [True: 1.54k, False: 8.71k] ------------------ 1602| 1.54k| { 1603| 1.54k| u_int i, j, n = 0; 1604| 1.54k| char bittorent_hash[sizeof(flow->protos.bittorrent.hash)*2+1]; 1605| | 1606| 32.5k| for(i=0, j = 0; j < sizeof(bittorent_hash)-1; i++) { ------------------ | Branch (1606:23): [True: 30.9k, False: 1.54k] ------------------ 1607| 30.9k| snprintf(&bittorent_hash[j], 1608| 30.9k| sizeof(bittorent_hash) - j, 1609| 30.9k| "%02x", 1610| 30.9k| flow->protos.bittorrent.hash[i]); 1611| | 1612| 30.9k| j += 2, n += flow->protos.bittorrent.hash[i]; 1613| 30.9k| } 1614| | 1615| 1.54k| if(n == 0) bittorent_hash[0] = '\0'; ------------------ | Branch (1615:10): [True: 11, False: 1.53k] ------------------ 1616| | 1617| 1.54k| ndpi_serialize_start_of_block(serializer, "bittorrent"); 1618| 1.54k| ndpi_serialize_string_string(serializer, "hash", bittorent_hash); 1619| 1.54k| 
ndpi_serialize_end_of_block(serializer); 1620| 1.54k| } 1621| 1.54k| break; 1622| | 1623| 3| case NDPI_PROTOCOL_COLLECTD: ------------------ | Branch (1623:3): [True: 3, False: 10.2k] ------------------ 1624| 3| ndpi_serialize_start_of_block(serializer, "collectd"); 1625| 3| ndpi_serialize_string_string(serializer, "client_username", flow->protos.collectd.client_username); 1626| 3| ndpi_serialize_end_of_block(serializer); 1627| 3| break; 1628| | 1629| 1.37k| case NDPI_PROTOCOL_DNS: ------------------ | Branch (1629:3): [True: 1.37k, False: 8.88k] ------------------ 1630| 1.37k| ndpi_serialize_start_of_block(serializer, "dns"); 1631| 1.37k| ndpi_serialize_string_uint32(serializer, "num_queries", flow->protos.dns.num_queries); 1632| 1.37k| ndpi_serialize_string_uint32(serializer, "num_answers", flow->protos.dns.num_answers); 1633| 1.37k| ndpi_serialize_string_uint32(serializer, "reply_code", flow->protos.dns.reply_code); 1634| 1.37k| ndpi_serialize_string_uint32(serializer, "query_type", flow->protos.dns.query_type); 1635| 1.37k| ndpi_serialize_string_uint32(serializer, "rsp_type", flow->protos.dns.rsp_type); 1636| | 1637| 1.37k| ndpi_serialize_start_of_list(serializer, "rsp_addr"); 1638| | 1639| 2.07k| for(i=0; iprotos.dns.num_rsp_addr; i++) { ------------------ | Branch (1639:14): [True: 699, False: 1.37k] ------------------ 1640| 699| char buf[64]; 1641| 699| u_int len; 1642| | 1643| 699| if(flow->protos.dns.is_rsp_addr_ipv6[i] == 0) { ------------------ | Branch (1643:10): [True: 699, False: 0] ------------------ 1644| 699| inet_ntop(AF_INET, &flow->protos.dns.rsp_addr[i].ipv4, buf, sizeof(buf)); 1645| 699| } else { 1646| 0| inet_ntop(AF_INET6, &flow->protos.dns.rsp_addr[i].ipv6, buf, sizeof(buf)); 1647| 0| } 1648| | 1649| 699| len = strlen(buf); 1650| 699| snprintf(&buf[len], sizeof(buf)-len, ",ttl=%u", flow->protos.dns.rsp_addr_ttl[i]); 1651| 699| ndpi_serialize_string_string(serializer, "addr", buf); 1652| 699| } 1653| | 1654| 1.37k| 
ndpi_serialize_end_of_list(serializer); 1655| | 1656| 1.37k| ndpi_serialize_end_of_block(serializer); 1657| 1.37k| break; 1658| | 1659| 4| case NDPI_PROTOCOL_NTP: ------------------ | Branch (1659:3): [True: 4, False: 10.2k] ------------------ 1660| 4| ndpi_serialize_start_of_block(serializer, "ntp"); 1661| 12| for (i = 0; i < 2; i++) { ------------------ | Branch (1661:17): [True: 8, False: 4] ------------------ 1662| 8| ndpi_serialize_start_of_block_uint32(serializer,i); 1663| 8| ndpi_serialize_string_uint32(serializer, "leap_indicator", flow->protos.ntp[i].leap_indicator); 1664| 8| ndpi_serialize_string_uint32(serializer, "version", flow->protos.ntp[i].version); 1665| 8| ndpi_serialize_string_uint32(serializer, "mode", flow->protos.ntp[i].mode); 1666| 8| ndpi_serialize_string_uint32(serializer, "stratum", flow->protos.ntp[i].stratum); 1667| 8| ndpi_serialize_string_int32(serializer, "ppol", flow->protos.ntp[i].ppol); 1668| 8| ndpi_serialize_string_int32(serializer, "precision", flow->protos.ntp[i].precision); 1669| 8| ndpi_serialize_string_float(serializer, "root_delay", flow->protos.ntp[i].root_delay, "%f"); 1670| 8| ndpi_serialize_string_float(serializer, "root_dispersion", flow->protos.ntp[i].root_dispersion, "%f"); 1671| 8| ndpi_serialize_string_string(serializer, "ref_id", flow->protos.ntp[i].ref_id); 1672| | 1673| | 1674| 8| char timestamp[64]; 1675| 8| ntp_ts_to_string(flow->protos.ntp[i].ref_time, timestamp, sizeof timestamp); 1676| 8| ndpi_serialize_string_string(serializer, "ref_time", timestamp); 1677| 8| ntp_ts_to_string(flow->protos.ntp[i].org_time, timestamp, sizeof timestamp); 1678| 8| ndpi_serialize_string_string(serializer, "org_time", timestamp); 1679| 8| ntp_ts_to_string(flow->protos.ntp[i].rec_time, timestamp, sizeof timestamp); 1680| 8| ndpi_serialize_string_string(serializer, "rec_time", timestamp); 1681| 8| ntp_ts_to_string(flow->protos.ntp[i].trans_time, timestamp, sizeof timestamp); 1682| 8| ndpi_serialize_string_string(serializer, 
"trans_time", timestamp); 1683| 8| ndpi_serialize_end_of_block(serializer); 1684| 8| } 1685| 4| ndpi_serialize_end_of_block(serializer); 1686| 4| break; 1687| | 1688| 2| case NDPI_PROTOCOL_MDNS: ------------------ | Branch (1688:3): [True: 2, False: 10.2k] ------------------ 1689| 2| ndpi_serialize_start_of_block(serializer, "mdns"); 1690| 2| ndpi_serialize_end_of_block(serializer); 1691| 2| break; 1692| | 1693| 0| case NDPI_PROTOCOL_UBNTAC2: ------------------ | Branch (1693:3): [True: 0, False: 10.2k] ------------------ 1694| 0| ndpi_serialize_start_of_block(serializer, "ubntac2"); 1695| 0| ndpi_serialize_string_string(serializer, "version", flow->protos.ubntac2.version); 1696| 0| ndpi_serialize_end_of_block(serializer); 1697| 0| break; 1698| | 1699| 14| case NDPI_PROTOCOL_KERBEROS: ------------------ | Branch (1699:3): [True: 14, False: 10.2k] ------------------ 1700| 14| ndpi_serialize_start_of_block(serializer, "kerberos"); 1701| 14| ndpi_serialize_string_string(serializer, "hostname", flow->protos.kerberos.hostname); 1702| 14| ndpi_serialize_string_string(serializer, "domain", flow->protos.kerberos.domain); 1703| 14| ndpi_serialize_string_string(serializer, "username", flow->protos.kerberos.username); 1704| 14| ndpi_serialize_end_of_block(serializer); 1705| 14| break; 1706| | 1707| 0| case NDPI_PROTOCOL_SOFTETHER: ------------------ | Branch (1707:3): [True: 0, False: 10.2k] ------------------ 1708| 0| ndpi_serialize_start_of_block(serializer, "softether"); 1709| 0| ndpi_serialize_string_string(serializer, "client_ip", flow->protos.softether.ip); 1710| 0| ndpi_serialize_string_string(serializer, "client_port", flow->protos.softether.port); 1711| 0| ndpi_serialize_string_string(serializer, "hostname", flow->protos.softether.hostname); 1712| 0| ndpi_serialize_string_string(serializer, "fqdn", flow->protos.softether.fqdn); 1713| 0| ndpi_serialize_end_of_block(serializer); 1714| 0| break; 1715| | 1716| 0| case NDPI_PROTOCOL_NATPMP: ------------------ | Branch 
(1716:3): [True: 0, False: 10.2k] ------------------ 1717| 0| ndpi_serialize_start_of_block(serializer, "natpmp"); 1718| 0| ndpi_serialize_string_uint32(serializer, "result", flow->protos.natpmp.result_code); 1719| 0| ndpi_serialize_string_uint32(serializer, "internal_port", flow->protos.natpmp.internal_port); 1720| 0| ndpi_serialize_string_uint32(serializer, "external_port", flow->protos.natpmp.external_port); 1721| 0| inet_ntop(AF_INET, &flow->protos.natpmp.external_address.ipv4, buf, sizeof(buf)); 1722| 0| ndpi_serialize_string_string(serializer, "external_address", buf); 1723| 0| ndpi_serialize_end_of_block(serializer); 1724| 0| break; 1725| | 1726| 0| case NDPI_PROTOCOL_RSH: ------------------ | Branch (1726:3): [True: 0, False: 10.2k] ------------------ 1727| 0| ndpi_serialize_start_of_block(serializer, "rsh"); 1728| 0| ndpi_serialize_string_string(serializer, "client_username", flow->protos.rsh.client_username); 1729| 0| ndpi_serialize_string_string(serializer, "server_username", flow->protos.rsh.server_username); 1730| 0| ndpi_serialize_string_string(serializer, "command", flow->protos.rsh.command); 1731| 0| ndpi_serialize_end_of_block(serializer); 1732| 0| break; 1733| | 1734| 0| case NDPI_PROTOCOL_SNMP: ------------------ | Branch (1734:3): [True: 0, False: 10.2k] ------------------ 1735| 0| ndpi_serialize_start_of_block(serializer, "snmp"); 1736| 0| ndpi_serialize_string_uint32(serializer, "version", flow->protos.snmp.version); 1737| 0| ndpi_serialize_string_uint32(serializer, "primitive", flow->protos.snmp.primitive); 1738| 0| ndpi_serialize_string_uint32(serializer, "error_status", flow->protos.snmp.error_status); 1739| 0| ndpi_serialize_end_of_block(serializer); 1740| 0| break; 1741| | 1742| 0| case NDPI_PROTOCOL_TELNET: ------------------ | Branch (1742:3): [True: 0, False: 10.2k] ------------------ 1743| 0| ndpi_serialize_start_of_block(serializer, "telnet"); 1744| 0| ndpi_serialize_string_string(serializer, "username", 
flow->protos.telnet.username); 1745| 0| ndpi_serialize_string_string(serializer, "password", flow->protos.telnet.password); 1746| 0| ndpi_serialize_end_of_block(serializer); 1747| 0| break; 1748| | 1749| 0| case NDPI_PROTOCOL_TFTP: ------------------ | Branch (1749:3): [True: 0, False: 10.2k] ------------------ 1750| 0| ndpi_serialize_start_of_block(serializer, "tftp"); 1751| 0| ndpi_serialize_string_string(serializer, "filename", flow->protos.tftp.filename); 1752| 0| ndpi_serialize_end_of_block(serializer); 1753| 0| break; 1754| | 1755| 11| case NDPI_PROTOCOL_TIVOCONNECT: ------------------ | Branch (1755:3): [True: 11, False: 10.2k] ------------------ 1756| 11| ndpi_serialize_start_of_block(serializer, "tivoconnect"); 1757| 11| ndpi_serialize_string_string(serializer, "identity_uuid", flow->protos.tivoconnect.identity_uuid); 1758| 11| ndpi_serialize_string_string(serializer, "machine", flow->protos.tivoconnect.machine); 1759| 11| ndpi_serialize_string_string(serializer, "platform", flow->protos.tivoconnect.platform); 1760| 11| ndpi_serialize_string_string(serializer, "services", flow->protos.tivoconnect.services); 1761| 11| ndpi_serialize_end_of_block(serializer); 1762| 11| break; 1763| | 1764| 40| case NDPI_PROTOCOL_HTTP: ------------------ | Branch (1764:3): [True: 40, False: 10.2k] ------------------ 1765| 40| case NDPI_PROTOCOL_HTTP_CONNECT: ------------------ | Branch (1765:3): [True: 0, False: 10.2k] ------------------ 1766| 40| case NDPI_PROTOCOL_HTTP_PROXY: ------------------ | Branch (1766:3): [True: 0, False: 10.2k] ------------------ 1767| 40| ndpi_serialize_start_of_block(serializer, "http"); 1768| | 1769| 40| if(flow->http.url != NULL) { ------------------ | Branch (1769:8): [True: 11, False: 29] ------------------ 1770| 11| ndpi_serialize_string_string(serializer, "url", flow->http.url); 1771| 11| ndpi_serialize_string_uint32(serializer, "code", flow->http.response_status_code); 1772| 11| ndpi_serialize_string_string(serializer, "content_type", 
flow->http.content_type); 1773| 11| ndpi_serialize_string_string(serializer, "user_agent", flow->http.user_agent); 1774| 11| } 1775| | 1776| 40| if (flow->http.request_content_type != NULL) ------------------ | Branch (1776:9): [True: 0, False: 40] ------------------ 1777| 0| ndpi_serialize_string_string(serializer, "request_content_type", 1778| 0| flow->http.request_content_type); 1779| | 1780| 40| if (flow->http.detected_os != NULL) ------------------ | Branch (1780:9): [True: 0, False: 40] ------------------ 1781| 0| ndpi_serialize_string_string(serializer, "detected_os", 1782| 0| flow->http.detected_os); 1783| | 1784| 40| if (flow->http.nat_ip != NULL) ------------------ | Branch (1784:9): [True: 0, False: 40] ------------------ 1785| 0| ndpi_serialize_string_string(serializer, "nat_ip", 1786| 0| flow->http.nat_ip); 1787| | 1788| 40| ndpi_serialize_end_of_block(serializer); 1789| 40| break; 1790| | 1791| 252| case NDPI_PROTOCOL_QUIC: ------------------ | Branch (1791:3): [True: 252, False: 10.0k] ------------------ 1792| 252| ndpi_serialize_start_of_block(serializer, "quic"); 1793| | 1794| 252| ndpi_quic_version2str(quic_version, sizeof(quic_version), 1795| 252| flow->protos.tls_quic.quic_version); 1796| 252| ndpi_serialize_string_string(serializer, "quic_version", quic_version); 1797| | 1798| 252| ndpi_tls2json(ndpi_struct, serializer, flow, false); 1799| | 1800| 252| ndpi_serialize_end_of_block(serializer); 1801| 252| break; 1802| | 1803| 0| case NDPI_PROTOCOL_MAIL_IMAP: ------------------ | Branch (1803:3): [True: 0, False: 10.2k] ------------------ 1804| 0| ndpi_serialize_start_of_block(serializer, "imap"); 1805| 0| ndpi_serialize_string_string(serializer, "user", flow->l4.tcp.ftp_imap_pop_smtp.username); 1806| 0| ndpi_serialize_string_string(serializer, "password", flow->l4.tcp.ftp_imap_pop_smtp.password); 1807| 0| ndpi_serialize_string_uint32(serializer, "auth_failed", 1808| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_failed); 1809| 0| 
ndpi_serialize_end_of_block(serializer); 1810| 0| break; 1811| | 1812| 0| case NDPI_PROTOCOL_MAIL_POP: ------------------ | Branch (1812:3): [True: 0, False: 10.2k] ------------------ 1813| 0| ndpi_serialize_start_of_block(serializer, "pop"); 1814| 0| ndpi_serialize_string_string(serializer, "user", flow->l4.tcp.ftp_imap_pop_smtp.username); 1815| 0| ndpi_serialize_string_string(serializer, "password", flow->l4.tcp.ftp_imap_pop_smtp.password); 1816| 0| ndpi_serialize_string_uint32(serializer, "auth_failed", 1817| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_failed); 1818| 0| ndpi_serialize_end_of_block(serializer); 1819| 0| break; 1820| | 1821| 0| case NDPI_PROTOCOL_MAIL_SMTP: ------------------ | Branch (1821:3): [True: 0, False: 10.2k] ------------------ 1822| 0| ndpi_serialize_start_of_block(serializer, "smtp"); 1823| 0| ndpi_serialize_string_string(serializer, "user", flow->l4.tcp.ftp_imap_pop_smtp.username); 1824| 0| ndpi_serialize_string_string(serializer, "password", flow->l4.tcp.ftp_imap_pop_smtp.password); 1825| 0| ndpi_serialize_string_uint32(serializer, "auth_failed", 1826| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_failed); 1827| 0| ndpi_serialize_end_of_block(serializer); 1828| 0| break; 1829| | 1830| 0| case NDPI_PROTOCOL_FTP_CONTROL: ------------------ | Branch (1830:3): [True: 0, False: 10.2k] ------------------ 1831| 0| ndpi_serialize_start_of_block(serializer, "ftp"); 1832| 0| ndpi_serialize_string_string(serializer, "user", flow->l4.tcp.ftp_imap_pop_smtp.username); 1833| 0| ndpi_serialize_string_string(serializer, "password", flow->l4.tcp.ftp_imap_pop_smtp.password); 1834| 0| ndpi_serialize_string_uint32(serializer, "auth_failed", flow->l4.tcp.ftp_imap_pop_smtp.auth_failed); 1835| 0| ndpi_serialize_end_of_block(serializer); 1836| 0| break; 1837| | 1838| 0| case NDPI_PROTOCOL_MIKROTIK: ------------------ | Branch (1838:3): [True: 0, False: 10.2k] ------------------ 1839| 0| { 1840| 0| char buf[32]; 1841| | 1842| 0| ndpi_serialize_start_of_block(serializer, 
"mikrotik"); 1843| | 1844| 0| snprintf(buf, sizeof(buf), "%02X:%02X:%02X:%02X:%02X:%02X", 1845| 0| flow->protos.mikrotik.mac_addr[0] & 0xFF, 1846| 0| flow->protos.mikrotik.mac_addr[1] & 0xFF, 1847| 0| flow->protos.mikrotik.mac_addr[2] & 0xFF, 1848| 0| flow->protos.mikrotik.mac_addr[3] & 0xFF, 1849| 0| flow->protos.mikrotik.mac_addr[4] & 0xFF, 1850| 0| flow->protos.mikrotik.mac_addr[5] & 0xFF); 1851| | 1852| 0| ndpi_serialize_string_string(serializer, "mac_address", buf); 1853| | 1854| 0| if(flow->protos.mikrotik.identity[0] != '\0') ------------------ | Branch (1854:10): [True: 0, False: 0] ------------------ 1855| 0| ndpi_serialize_string_string(serializer, "identity", flow->protos.mikrotik.identity); 1856| | 1857| 0| if(flow->protos.mikrotik.version[0] != '\0') ------------------ | Branch (1857:10): [True: 0, False: 0] ------------------ 1858| 0| ndpi_serialize_string_string(serializer, "version", flow->protos.mikrotik.version); 1859| | 1860| 0| if(flow->protos.mikrotik.sw_id[0] != '\0') ------------------ | Branch (1860:10): [True: 0, False: 0] ------------------ 1861| 0| ndpi_serialize_string_string(serializer, "software_id", flow->protos.mikrotik.sw_id); 1862| | 1863| 0| if(flow->protos.mikrotik.board[0] != '\0') ------------------ | Branch (1863:10): [True: 0, False: 0] ------------------ 1864| 0| ndpi_serialize_string_string(serializer, "board", flow->protos.mikrotik.board); 1865| | 1866| 0| if(flow->protos.mikrotik.iface_name[0] != '\0') ------------------ | Branch (1866:10): [True: 0, False: 0] ------------------ 1867| 0| ndpi_serialize_string_string(serializer, "iface_name", flow->protos.mikrotik.iface_name); 1868| | 1869| 0| if(flow->protos.mikrotik.ipv4_addr != 0) ------------------ | Branch (1869:10): [True: 0, False: 0] ------------------ 1870| 0| ndpi_serialize_string_string(serializer, "ipv4_addr", 1871| 0| ndpi_intoav4(flow->protos.mikrotik.ipv4_addr, buf, sizeof(buf))); 1872| | 1873| 0| if(flow->protos.mikrotik.ipv6_addr.u6_addr.u6_addr64[0] != 0) 
------------------ | Branch (1873:10): [True: 0, False: 0] ------------------ 1874| 0| ndpi_serialize_string_string(serializer, "ipv6_addr", 1875| 0| ndpi_intoav6(&flow->protos.mikrotik.ipv6_addr, buf, sizeof(buf))); 1876| | 1877| 0| if(flow->protos.mikrotik.uptime != 0) ------------------ | Branch (1877:10): [True: 0, False: 0] ------------------ 1878| 0| ndpi_serialize_string_uint32(serializer, "uptime", flow->protos.mikrotik.uptime); 1879| | 1880| 0| ndpi_serialize_end_of_block(serializer); 1881| 0| } 1882| 0| break; 1883| | 1884| 512| case NDPI_PROTOCOL_SSDP: ------------------ | Branch (1884:3): [True: 512, False: 9.74k] ------------------ 1885| 512| ndpi_serialize_start_of_block(serializer, "ssdp"); 1886| | 1887| 512| if (flow->protos.ssdp.method) { ------------------ | Branch (1887:9): [True: 481, False: 31] ------------------ 1888| 481| ndpi_serialize_string_string(serializer, "METHOD", flow->protos.ssdp.method); 1889| 481| } 1890| | 1891| 512| if (flow->protos.ssdp.cache_controle) { ------------------ | Branch (1891:9): [True: 2, False: 510] ------------------ 1892| 2| ndpi_serialize_string_string(serializer, "CACHE-CONTROL", flow->protos.ssdp.cache_controle); 1893| 2| } 1894| | 1895| 512| if (flow->protos.ssdp.location) { ------------------ | Branch (1895:9): [True: 0, False: 512] ------------------ 1896| 0| ndpi_serialize_string_string(serializer, "LOCATION", flow->protos.ssdp.location); 1897| 0| } 1898| | 1899| 512| if (flow->protos.ssdp.nt) { ------------------ | Branch (1899:9): [True: 8, False: 504] ------------------ 1900| 8| ndpi_serialize_string_string(serializer, "NT", flow->protos.ssdp.nt); 1901| 8| } 1902| | 1903| 512| if (flow->protos.ssdp.nts) { ------------------ | Branch (1903:9): [True: 0, False: 512] ------------------ 1904| 0| ndpi_serialize_string_string(serializer, "NTS", flow->protos.ssdp.nts); 1905| 0| } 1906| | 1907| 512| if (flow->protos.ssdp.server) { ------------------ | Branch (1907:9): [True: 1, False: 511] ------------------ 
1908| 1| ndpi_serialize_string_string(serializer, "SERVER", flow->protos.ssdp.server); 1909| 1| } 1910| | 1911| 512| if (flow->protos.ssdp.usn) { ------------------ | Branch (1911:9): [True: 4, False: 508] ------------------ 1912| 4| ndpi_serialize_string_string(serializer, "USN", flow->protos.ssdp.usn); 1913| 4| } 1914| | 1915| 512| if (flow->protos.ssdp.securelocation_upnp) { ------------------ | Branch (1915:9): [True: 4, False: 508] ------------------ 1916| 4| ndpi_serialize_string_string(serializer, "SECURELOCATION.UPNP.ORG", flow->protos.ssdp.securelocation_upnp); 1917| 4| } 1918| | 1919| 512| if (flow->protos.ssdp.man) { ------------------ | Branch (1919:9): [True: 418, False: 94] ------------------ 1920| 418| ndpi_serialize_string_string(serializer, "MAN", flow->protos.ssdp.man); 1921| 418| } 1922| | 1923| 512| if (flow->protos.ssdp.mx) { ------------------ | Branch (1923:9): [True: 415, False: 97] ------------------ 1924| 415| ndpi_serialize_string_string(serializer, "MX", flow->protos.ssdp.mx); 1925| 415| } 1926| | 1927| 512| if (flow->protos.ssdp.st) { ------------------ | Branch (1927:9): [True: 414, False: 98] ------------------ 1928| 414| ndpi_serialize_string_string(serializer, "ST", flow->protos.ssdp.st); 1929| 414| } 1930| | 1931| 512| if (flow->protos.ssdp.user_agent) { ------------------ | Branch (1931:9): [True: 40, False: 472] ------------------ 1932| 40| ndpi_serialize_string_string(serializer, "USER_AGENT", flow->protos.ssdp.user_agent); 1933| 40| } 1934| | 1935| 512| ndpi_serialize_end_of_block(serializer); 1936| 512| break; 1937| | 1938| 0| case NDPI_PROTOCOL_DISCORD: ------------------ | Branch (1938:3): [True: 0, False: 10.2k] ------------------ 1939| 0| if (l7_protocol.proto.master_protocol != NDPI_PROTOCOL_TLS) { ------------------ | Branch (1939:9): [True: 0, False: 0] ------------------ 1940| 0| ndpi_serialize_start_of_block(serializer, "discord"); 1941| 0| ndpi_serialize_string_string(serializer, "client_ip", 
flow->protos.discord.client_ip); 1942| 0| ndpi_serialize_end_of_block(serializer); 1943| 0| } 1944| 0| break; 1945| | 1946| 0| case NDPI_PROTOCOL_SSH: ------------------ | Branch (1946:3): [True: 0, False: 10.2k] ------------------ 1947| 0| ndpi_serialize_start_of_block(serializer, "ssh"); 1948| 0| ndpi_serialize_string_string(serializer, "client_signature", flow->protos.ssh.client_signature); 1949| 0| ndpi_serialize_string_string(serializer, "server_signature", flow->protos.ssh.server_signature); 1950| | 1951| 0| if(ndpi_struct->cfg.ssh_hassh_fingerprint_enabled) { ------------------ | Branch (1951:8): [True: 0, False: 0] ------------------ 1952| 0| ndpi_serialize_string_string(serializer, "hassh_client", flow->protos.ssh.hassh_client); 1953| 0| ndpi_serialize_string_string(serializer, "hassh_server", flow->protos.ssh.hassh_server); 1954| 0| } 1955| | 1956| 0| if(ndpi_struct->cfg.ssh_hassh_data_enabled) { ------------------ | Branch (1956:8): [True: 0, False: 0] ------------------ 1957| 0| ndpi_serialize_start_of_block(serializer, "key_exchange_algorithms"); 1958| | 1959| 0| if(flow->protos.ssh.client_key_exchange_algorithms) ------------------ | Branch (1959:10): [True: 0, False: 0] ------------------ 1960| 0| ndpi_ssh_serialize_csv(serializer, flow->protos.ssh.client_key_exchange_algorithms, "client"); 1961| | 1962| 0| if(flow->protos.ssh.server_key_exchange_algorithms) ------------------ | Branch (1962:10): [True: 0, False: 0] ------------------ 1963| 0| ndpi_ssh_serialize_csv(serializer, flow->protos.ssh.server_key_exchange_algorithms, "server"); 1964| | 1965| 0| if(flow->protos.ssh.key_exchange_method) ------------------ | Branch (1965:10): [True: 0, False: 0] ------------------ 1966| 0| ndpi_serialize_string_string(serializer, 1967| 0| "key_exchange_method", 1968| 0| flow->protos.ssh.key_exchange_method); 1969| 0| ndpi_serialize_end_of_block(serializer); 1970| 0| } 1971| | 1972| 0| ndpi_serialize_end_of_block(serializer); 1973| 0| break; 1974| | 1975| 1.17k| 
case NDPI_PROTOCOL_STUN: ------------------ | Branch (1975:3): [True: 1.17k, False: 9.08k] ------------------ 1976| 1.17k| ndpi_serialize_start_of_block(serializer, "stun"); 1977| | 1978| 1.17k| if(flow->stun.mapped_address.port) ------------------ | Branch (1978:8): [True: 64, False: 1.11k] ------------------ 1979| 64| ndpi_serialize_string_string(serializer, "mapped_address", print_ndpi_address_port(&flow->stun.mapped_address, buf, sizeof(buf))); 1980| | 1981| 1.17k| if(flow->stun.peer_address.port) ------------------ | Branch (1981:8): [True: 0, False: 1.17k] ------------------ 1982| 0| ndpi_serialize_string_string(serializer, "peer_address", print_ndpi_address_port(&flow->stun.peer_address, buf, sizeof(buf))); 1983| | 1984| 1.17k| if(flow->stun.relayed_address.port) ------------------ | Branch (1984:8): [True: 0, False: 1.17k] ------------------ 1985| 0| ndpi_serialize_string_string(serializer, "relayed_address", print_ndpi_address_port(&flow->stun.relayed_address, buf, sizeof(buf))); 1986| | 1987| 1.17k| if(flow->stun.response_origin.port) ------------------ | Branch (1987:8): [True: 0, False: 1.17k] ------------------ 1988| 0| ndpi_serialize_string_string(serializer, "response_origin", print_ndpi_address_port(&flow->stun.response_origin, buf, sizeof(buf))); 1989| | 1990| 1.17k| if(flow->stun.other_address.port) ------------------ | Branch (1990:8): [True: 0, False: 1.17k] ------------------ 1991| 0| ndpi_serialize_string_string(serializer, "other_address", print_ndpi_address_port(&flow->stun.other_address, buf, sizeof(buf))); 1992| | 1993| 1.17k| ndpi_serialize_string_string(serializer, "multimedia_flow_types", 1994| 1.17k| ndpi_multimedia_flowtype2str(content, sizeof(content), flow->flow_multimedia_types)); 1995| | 1996| |#ifdef CUSTOM_NDPI_PROTOCOLS 1997| |#include "../../../nDPI-custom/ndpi_utils_dpi2json_stun.c" 1998| |#endif 1999| | 2000| 1.17k| ndpi_serialize_end_of_block(serializer); 2001| 1.17k| break; 2002| | 2003| 37| case NDPI_PROTOCOL_SIP: 
------------------ | Branch (2003:3): [True: 37, False: 10.2k] ------------------ 2004| 37| ndpi_serialize_start_of_block(serializer, "sip"); 2005| 37| if(flow->protos.sip.from) ------------------ | Branch (2005:8): [True: 11, False: 26] ------------------ 2006| 11| ndpi_serialize_string_string(serializer, "from", flow->protos.sip.from); 2007| 37| if(flow->protos.sip.from_imsi[0] != '\0') ------------------ | Branch (2007:8): [True: 0, False: 37] ------------------ 2008| 0| ndpi_serialize_string_string(serializer, "from_imsi", flow->protos.sip.from_imsi); 2009| 37| if(flow->protos.sip.to) ------------------ | Branch (2009:8): [True: 14, False: 23] ------------------ 2010| 14| ndpi_serialize_string_string(serializer, "to", flow->protos.sip.to); 2011| 37| if(flow->protos.sip.to_imsi[0] != '\0') ------------------ | Branch (2011:8): [True: 0, False: 37] ------------------ 2012| 0| ndpi_serialize_string_string(serializer, "to_imsi", flow->protos.sip.to_imsi); 2013| 37| ndpi_serialize_end_of_block(serializer); 2014| 37| break; 2015| | 2016| 2.03k| case NDPI_PROTOCOL_TLS: ------------------ | Branch (2016:3): [True: 2.03k, False: 8.22k] ------------------ 2017| 2.03k| ndpi_tls2json(ndpi_struct, serializer, flow, true); 2018| 2.03k| break; 2019| | 2020| 0| case NDPI_PROTOCOL_DTLS: ------------------ | Branch (2020:3): [True: 0, False: 10.2k] ------------------ 2021| 0| ndpi_tls2json(ndpi_struct, serializer, flow, false); 2022| |#ifdef CUSTOM_NDPI_PROTOCOLS 2023| |#include "../../../nDPI-custom/ndpi_utils_dpi2json_dtls.c" 2024| |#endif 2025| 0| break; 2026| | 2027| |#ifdef CUSTOM_NDPI_PROTOCOLS 2028| |#include "../../../nDPI-custom/ndpi_utils_dpi2json_protos.c" 2029| |#endif 2030| 10.2k| } /* switch */ 2031| | 2032| 10.2k| if((flow->custom.plugin != NULL) ------------------ | Branch (2032:6): [True: 0, False: 10.2k] ------------------ 2033| 0| && (flow->custom.plugin->jsonExportFctn != NULL)) ------------------ | Branch (2033:9): [True: 0, False: 0] ------------------ 
2034| 0| flow->custom.plugin->jsonExportFctn(ndpi_struct, flow, serializer); 2035| | 2036| 10.2k| ndpi_serialize_end_of_block(serializer); // "ndpi" 2037| | 2038| 10.2k| return(0); 2039| 10.2k|} ndpi_get_ip_proto_name: 2043| 10.2k|/* Writes a printable name for IP protocol number ip_proto into name (capacity name_len bytes) and returns name. Protocols listed in the switch get a fixed label ("TCP", "UDP", "ICMPV6", ...); any other number is written in decimal. When name is NULL or name_len is 0 the pointer is returned untouched and nothing is written. */ char *ndpi_get_ip_proto_name(u_int16_t ip_proto, char *name, unsigned int name_len) { 2044| 10.2k| if(name == NULL || name_len == 0) ------------------ | Branch (2044:6): [True: 0, False: 10.2k] | Branch (2044:22): [True: 0, False: 10.2k] ------------------ 2045| 0| return name; 2046| | 2047| 10.2k| switch (ip_proto) { 2048| 4.74k| case IPPROTO_TCP: ------------------ | Branch (2048:3): [True: 4.74k, False: 5.51k] ------------------ 2049| 4.74k| snprintf(name, name_len, "TCP"); 2050| 4.74k| break; 2051| | 2052| 4.37k| case IPPROTO_UDP: ------------------ | Branch (2052:3): [True: 4.37k, False: 5.88k] ------------------ 2053| 4.37k| snprintf(name, name_len, "UDP"); 2054| 4.37k| break; 2055| | 2056| 21| case NDPI_IPSEC_PROTOCOL_ESP: ------------------ | | 118| 21|#define NDPI_IPSEC_PROTOCOL_ESP 50 ------------------ | Branch (2056:3): [True: 21, False: 10.2k] ------------------ 2057| 21| snprintf(name, name_len, "ESP"); 2058| 21| break; 2059| | 2060| 1| case NDPI_IPSEC_PROTOCOL_AH: ------------------ | | 119| 1|#define NDPI_IPSEC_PROTOCOL_AH 51 ------------------ | Branch (2060:3): [True: 1, False: 10.2k] ------------------ 2061| 1| snprintf(name, name_len, "AH"); 2062| 1| break; 2063| | 2064| 1| case NDPI_GRE_PROTOCOL_TYPE: ------------------ | | 120| 1|#define NDPI_GRE_PROTOCOL_TYPE 0x2F ------------------ | Branch (2064:3): [True: 1, False: 10.2k] ------------------ 2065| 1| snprintf(name, name_len, "GRE"); 2066| 1| break; 2067| | 2068| 750| case NDPI_ICMP_PROTOCOL_TYPE: ------------------ | | 121| 750|#define NDPI_ICMP_PROTOCOL_TYPE 0x01 ------------------ | Branch (2068:3): [True: 750, False: 9.50k] ------------------ 2069| 750| snprintf(name, name_len, "ICMP"); 2070| 750| break; 2071| | 2072| 12| case NDPI_IGMP_PROTOCOL_TYPE: 
------------------ | | 122| 12|#define NDPI_IGMP_PROTOCOL_TYPE 0x02 ------------------ | Branch (2072:3): [True: 12, False: 10.2k] ------------------ 2073| 12| snprintf(name, name_len, "IGMP"); 2074| 12| break; 2075| | 2076| 9| case NDPI_EGP_PROTOCOL_TYPE: ------------------ | | 123| 9|#define NDPI_EGP_PROTOCOL_TYPE 0x08 ------------------ | Branch (2076:3): [True: 9, False: 10.2k] ------------------ 2077| 9| snprintf(name, name_len, "EGP"); 2078| 9| break; 2079| | 2080| 11| case NDPI_SCTP_PROTOCOL_TYPE: ------------------ | | 126| 11|#define NDPI_SCTP_PROTOCOL_TYPE 132 ------------------ | Branch (2080:3): [True: 11, False: 10.2k] ------------------ 2081| 11| snprintf(name, name_len, "SCTP"); 2082| 11| break; 2083| | 2084| 4| case NDPI_PGM_PROTOCOL_TYPE: ------------------ | | 129| 4|#define NDPI_PGM_PROTOCOL_TYPE 0x71 ------------------ | Branch (2084:3): [True: 4, False: 10.2k] ------------------ 2085| 4| snprintf(name, name_len, "PGM"); 2086| 4| break; 2087| | 2088| 1| case NDPI_OSPF_PROTOCOL_TYPE: ------------------ | | 124| 1|#define NDPI_OSPF_PROTOCOL_TYPE 0x59 ------------------ | Branch (2088:3): [True: 1, False: 10.2k] ------------------ 2089| 1| snprintf(name, name_len, "OSPF"); 2090| 1| break; 2091| | 2092| 1| case NDPI_IPIP_PROTOCOL_TYPE: ------------------ | | 127| 1|#define NDPI_IPIP_PROTOCOL_TYPE 0x04 ------------------ | Branch (2092:3): [True: 1, False: 10.2k] ------------------ 2093| 1| snprintf(name, name_len, "IPIP"); 2094| 1| break; 2095| | 2096| 67| case NDPI_ICMPV6_PROTOCOL_TYPE: ------------------ | | 128| 67|#define NDPI_ICMPV6_PROTOCOL_TYPE 0x3a ------------------ | Branch (2096:3): [True: 67, False: 10.1k] ------------------ 2097| 67| snprintf(name, name_len, "ICMPV6"); 2098| 67| break; 2099| | 2100| 3| case NDPI_PIM_PROTOCOL_TYPE: ------------------ | | 130| 3|#define NDPI_PIM_PROTOCOL_TYPE 0x67 ------------------ | Branch (2100:3): [True: 3, False: 10.2k] ------------------ 2101| 3| snprintf(name, name_len, "PIM"); 2102| 3| break; 
2103| | 2104| 1| case NDPI_VRRP_PROTOCOL_TYPE: ------------------ | | 125| 1|#define NDPI_VRRP_PROTOCOL_TYPE 112 ------------------ | Branch (2104:3): [True: 1, False: 10.2k] ------------------ 2105| 1| snprintf(name, name_len, "VRRP"); 2106| 1| break; 2107| | 2108| 255| default: ------------------ | Branch (2108:3): [True: 255, False: 10.0k] ------------------ 2109| 255| /* unlisted protocol number: emit it as decimal text */ snprintf(name, name_len, "%d", ip_proto); 2110| 255| break; 2111| 10.2k| } 2112| | 2113| 10.2k| /* explicit terminator in the last byte; name_len > 0 is guaranteed by the guard at the top */ name[name_len - 1] = '\0'; 2114| 10.2k| return name; 2115| 10.2k|} ndpi_flow2json: 2129| 10.2k| ndpi_serializer *serializer) { 2130| 10.2k| char src_name[INET6_ADDRSTRLEN] = {'\0'}, dst_name[INET6_ADDRSTRLEN] = {'\0'}; 2131| 10.2k| char l4_proto_name[32]; 2132| | 2133| 10.2k| if(ip_version == 4) { ------------------ | Branch (2133:6): [True: 10.0k, False: 209] ------------------ 2134| 10.0k| inet_ntop(AF_INET, &src_v4, src_name, sizeof(src_name)); 2135| 10.0k| inet_ntop(AF_INET, &dst_v4, dst_name, sizeof(dst_name)); 2136| 10.0k| } else { 2137| 209| inet_ntop(AF_INET6, src_v6, src_name, sizeof(src_name)); 2138| 209| inet_ntop(AF_INET6, dst_v6, dst_name, sizeof(dst_name)); 2139| | /* For consistency across platforms replace :0: with :: */ 2140| 209| ndpi_patchIPv6Address(src_name), ndpi_patchIPv6Address(dst_name); 2141| 209| } 2142| | 2143| 10.2k| if(vlan_id != 0) ndpi_serialize_string_uint32(serializer, "vlan_id", vlan_id); ------------------ | Branch (2143:6): [True: 43, False: 10.2k] ------------------ 2144| 10.2k| ndpi_serialize_string_string(serializer, "src_ip", src_name); 2145| 10.2k| ndpi_serialize_string_string(serializer, "dest_ip", dst_name); 2146| 10.2k| if(src_port) ndpi_serialize_string_uint32(serializer, "src_port", ntohs(src_port)); ------------------ | Branch (2146:6): [True: 8.99k, False: 1.26k] ------------------ 2147| 10.2k| if(dst_port) ndpi_serialize_string_uint32(serializer, "dst_port", ntohs(dst_port)); ------------------ | Branch (2147:6): [True: 9.01k, False: 1.24k] 
------------------ 2148| | 2149| 10.2k| ndpi_serialize_string_uint32(serializer, "ip", ip_version); 2150| | 2151| 10.2k| if(flow->tcp.fingerprint) ------------------ | Branch (2151:6): [True: 1.62k, False: 8.63k] ------------------ 2152| 1.62k| ndpi_serialize_string_string(serializer, "tcp_fingerprint", flow->tcp.fingerprint); 2153| | 2154| 10.2k| if(flow->tcp.fingerprint_raw) ------------------ | Branch (2154:6): [True: 0, False: 10.2k] ------------------ 2155| 0| ndpi_serialize_string_string(serializer, "tcp_fingerprint_raw", flow->tcp.fingerprint_raw); 2156| | 2157| 10.2k| if(flow->ndpi.client_fingerprint || flow->ndpi.server_fingerprint) { ------------------ | Branch (2157:6): [True: 1.26k, False: 8.99k] | Branch (2157:39): [True: 382, False: 8.61k] ------------------ 2158| 1.64k| ndpi_serialize_start_of_block(serializer, "ndpi_fingerprint"); 2159| | 2160| 1.64k| if(flow->ndpi.client_fingerprint) ------------------ | Branch (2160:8): [True: 1.26k, False: 382] ------------------ 2161| 1.26k| ndpi_serialize_string_string(serializer, "client", flow->ndpi.client_fingerprint); 2162| | 2163| 1.64k| if(flow->ndpi.server_fingerprint) ------------------ | Branch (2163:8): [True: 1.21k, False: 432] ------------------ 2164| 1.21k| ndpi_serialize_string_string(serializer, "server", flow->ndpi.server_fingerprint); 2165| | 2166| 1.64k| ndpi_serialize_end_of_block(serializer); 2167| 1.64k| } 2168| | 2169| 10.2k| ndpi_serialize_string_string(serializer, "proto", 2170| 10.2k| ndpi_get_ip_proto_name(l4_protocol, 2171| 10.2k| l4_proto_name, sizeof(l4_proto_name))); 2172| | 2173| 10.2k| return(ndpi_dpi2json(ndpi_struct, flow, l7_protocol, serializer)); 2174| 10.2k|} ndpi_validate_url: 2368| 904| char *url) { /* Scans the query string of url (the text after the first '?') for injection patterns. The copy is split on '&', each token is split at its first '=', and a non-empty value is URL-decoded into a heap buffer and passed to ndpi_is_xss_injection() and then ndpi_is_sql_injection(); ndpi_is_rce_injection() is consulted only in builds with HAVE_PCRE2. The first hit sets rc, records the risk on flow when flow is non-NULL, and stops the scan. If rc is still NDPI_NO_RISK afterwards, a url containing ".." is reported as NDPI_HTTP_SUSPICIOUS_URL. Returns rc. The start of the signature is not shown on this page. */ 2369| 904| char *orig_str = NULL, *str = NULL, *question_mark = strchr(url, '?'); 2370| 904| ndpi_risk_enum rc = NDPI_NO_RISK; 2371| | 2372| 904| if(question_mark) { ------------------ | Branch (2372:6): [True: 876, False: 28] ------------------ 2373| 876| char *tmp; 2374| | 
2375| 876| /* strtok_r() below writes into its input, so the query string is tokenised on a private copy */ orig_str = str = ndpi_strdup(&question_mark[1]); /* Skip ? */ 2376| | 2377| 876| if(!str) goto validate_rc; ------------------ | Branch (2377:8): [True: 11, False: 865] ------------------ 2378| | 2379| 865| str = strtok_r(str, "&", &tmp); 2380| | 2381| 2.28k| while(str != NULL) { ------------------ | Branch (2381:11): [True: 1.64k, False: 642] ------------------ 2382| 1.64k| char *value = strchr(str, '='); 2383| 1.64k| char *decoded; 2384| | 2385| 1.64k| /* a token without '=' ends the scan and the remaining tokens are not examined. NOTE(review): confirm that stopping, rather than moving on to the next token, is intended */ if(!value) ------------------ | Branch (2385:10): [True: 69, False: 1.57k] ------------------ 2386| 69| break; 2387| 1.57k| else 2388| 1.57k| value = &value[1]; 2389| | 2390| 1.57k| if(value[0] != '\0') { ------------------ | Branch (2390:10): [True: 1.56k, False: 3] ------------------ 2391| 1.56k| /* decoded is sized to strlen(value)+1; this assumes ndpi_url_decode() never writes more than its input length plus the terminator -- TODO confirm */ if(!(decoded = (char*)ndpi_malloc(strlen(value)+1))) ------------------ | Branch (2391:5): [True: 21, False: 1.54k] ------------------ 2392| 21| break; 2393| | 2394| 1.54k| if(ndpi_url_decode(value, decoded) < 0) { ------------------ | Branch (2394:5): [True: 41, False: 1.50k] ------------------ 2395| | /* Invalid string */ 2396| 1.50k| } else if(decoded[0] != '\0') { ------------------ | Branch (2396:12): [True: 1.50k, False: 0] ------------------ 2397| | /* Valid string */ 2398| | 2399| 1.50k| if(ndpi_is_xss_injection(decoded)) ------------------ | Branch (2399:7): [True: 10, False: 1.49k] ------------------ 2400| 10| rc = NDPI_URL_POSSIBLE_XSS; 2401| 1.49k| else if(ndpi_is_sql_injection(decoded)) ------------------ | Branch (2401:12): [True: 123, False: 1.37k] ------------------ 2402| 123| rc = NDPI_URL_POSSIBLE_SQL_INJECTION; 2403| |#ifdef HAVE_PCRE2 2404| | else if(ndpi_is_rce_injection(decoded)) 2405| | rc = NDPI_URL_POSSIBLE_RCE_INJECTION; 2406| |#endif 2407| | 2408| |#ifdef URL_CHECK_DEBUG 2409| | printf("=>> [rc: %u] %s\n", rc, decoded); 2410| |#endif 2411| 1.50k| } 2412| | 2413| 1.54k| /* reached after both the decode-failure and the decode-success branch, so the buffer allocated above is always released */ ndpi_free(decoded); 2414| | 2415| 1.54k| if(rc != NDPI_NO_RISK) { ------------------ | Branch (2415:5): [True: 133, 
False: 1.41k] ------------------ 2416| 133| if(flow != NULL) { ------------------ | Branch (2416:7): [True: 133, False: 0] ------------------ 2417| 133| char msg[128]; 2418| | 2419| 133| /* msg is 128 bytes and snprintf() is bounded by sizeof(msg), so a long url is truncated in the risk message rather than overflowing */ snprintf(msg, sizeof(msg), "Suspicious URL [%s]", url); 2420| 133| ndpi_set_risk(ndpi_str, flow, rc, msg); 2421| 133| } 2422| 133| break; 2423| 133| } 2424| 1.54k| } 2425| | 2426| 1.41k| str = strtok_r(NULL, "&", &tmp); 2427| 1.41k| } 2428| 865| } 2429| | 2430| 904| validate_rc: 2431| 904| /* common exit: frees the copied query string, if one was made */ if(orig_str) ndpi_free(orig_str); ------------------ | Branch (2431:6): [True: 865, False: 39] ------------------ 2432| | 2433| 904| if(rc == NDPI_NO_RISK) { ------------------ | Branch (2433:6): [True: 771, False: 133] ------------------ 2434| | /* Let's do an extra check */ 2435| 771| if(strstr(url, "..")) { ------------------ | Branch (2435:8): [True: 6, False: 765] ------------------ 2436| | /* 127.0.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe */ 2437| 6| /* this fallback only sets the return code; unlike the query-string hits, no ndpi_set_risk() call is made in this branch */ rc = NDPI_HTTP_SUSPICIOUS_URL; 2438| 6| } 2439| 771| } 2440| | 2441| 904| return(rc); 2442| 904|} ndpi_risk2str: 2457| 13.3k|/* Maps a risk id to a short human-readable label. Listed ids return string literals; the default branch formats the numeric id into the function-static buf declared below, so that result is overwritten by the next call that takes the default branch and should be copied by callers that keep it. */ const char* ndpi_risk2str(ndpi_risk_enum risk) { 2458| 13.3k| static char buf[16]; 2459| | 2460| 13.3k| switch(risk) { 2461| 0| case NDPI_URL_POSSIBLE_XSS: ------------------ | Branch (2461:3): [True: 0, False: 13.3k] ------------------ 2462| 0| return("XSS Attack"); 2463| | 2464| 0| case NDPI_URL_POSSIBLE_SQL_INJECTION: ------------------ | Branch (2464:3): [True: 0, False: 13.3k] ------------------ 2465| 0| return("SQL Injection"); 2466| | 2467| 0| case NDPI_URL_POSSIBLE_RCE_INJECTION: ------------------ | Branch (2467:3): [True: 0, False: 13.3k] ------------------ 2468| 0| return("RCE Injection"); 2469| | 2470| 0| case NDPI_BINARY_APPLICATION_TRANSFER: ------------------ | Branch (2470:3): [True: 0, False: 13.3k] ------------------ 2471| 0| return("Binary App Transfer"); 2472| | 2473| 3.30k| case NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT: ------------------ | Branch (2473:3): [True: 3.30k, False: 
10.0k] ------------------ 2474| 3.30k| return("Known Proto on Non Std Port"); 2475| | 2476| 1| case NDPI_TLS_SELFSIGNED_CERTIFICATE: ------------------ | Branch (2476:3): [True: 1, False: 13.3k] ------------------ 2477| 1| return("Self-signed Cert"); 2478| | 2479| 14| case NDPI_TLS_OBSOLETE_VERSION: ------------------ | Branch (2479:3): [True: 14, False: 13.2k] ------------------ 2480| 14| return("Obsolete TLS (v1.1 or older)"); 2481| | 2482| 20| case NDPI_TLS_WEAK_CIPHER: ------------------ | Branch (2482:3): [True: 20, False: 13.2k] ------------------ 2483| 20| return("Weak TLS Cipher"); 2484| | 2485| 386| case NDPI_TLS_CERTIFICATE_EXPIRED: ------------------ | Branch (2485:3): [True: 386, False: 12.9k] ------------------ 2486| 386| return("TLS Cert Expired"); 2487| | 2488| 24| case NDPI_TLS_CERTIFICATE_MISMATCH: ------------------ | Branch (2488:3): [True: 24, False: 13.2k] ------------------ 2489| 24| return("TLS Cert Mismatch"); 2490| | 2491| 33| case NDPI_HTTP_SUSPICIOUS_USER_AGENT: ------------------ | Branch (2491:3): [True: 33, False: 13.2k] ------------------ 2492| 33| return("HTTP Susp User-Agent"); 2493| | 2494| 0| case NDPI_NUMERIC_IP_HOST: ------------------ | Branch (2494:3): [True: 0, False: 13.3k] ------------------ 2495| 0| return("HTTP/TLS/QUIC Numeric Hostname/SNI"); 2496| | 2497| 0| case NDPI_HTTP_SUSPICIOUS_URL: ------------------ | Branch (2497:3): [True: 0, False: 13.3k] ------------------ 2498| 0| return("HTTP Susp URL"); 2499| | 2500| 17| case NDPI_HTTP_SUSPICIOUS_HEADER: ------------------ | Branch (2500:3): [True: 17, False: 13.2k] ------------------ 2501| 17| return("HTTP Susp Header"); 2502| | 2503| 697| case NDPI_TLS_NOT_CARRYING_HTTPS: ------------------ | Branch (2503:3): [True: 697, False: 12.6k] ------------------ 2504| 697| return("TLS (probably) Not Carrying HTTPS"); 2505| | 2506| 15| case NDPI_SUSPICIOUS_DGA_DOMAIN: ------------------ | Branch (2506:3): [True: 15, False: 13.2k] ------------------ 2507| 15| return("Susp DGA 
Domain name"); 2508| | 2509| 315| case NDPI_MALFORMED_PACKET: ------------------ | Branch (2509:3): [True: 315, False: 12.9k] ------------------ 2510| 315| return("Malformed Packet"); 2511| | 2512| 0| case NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER: ------------------ | Branch (2512:3): [True: 0, False: 13.3k] ------------------ 2513| 0| return("SSH Obsolete Cli Vers/Cipher"); 2514| | 2515| 0| case NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER: ------------------ | Branch (2515:3): [True: 0, False: 13.3k] ------------------ 2516| 0| return("SSH Obsolete Ser Vers/Cipher"); 2517| | 2518| 0| case NDPI_SMB_INSECURE_VERSION: ------------------ | Branch (2518:3): [True: 0, False: 13.3k] ------------------ 2519| 0| return("SMB Insecure Vers"); 2520| | 2521| 1| case NDPI_MISMATCHING_PROTOCOL_WITH_IP: ------------------ | Branch (2521:3): [True: 1, False: 13.3k] ------------------ 2522| 1| return("Mismatching Protocol with server IP address"); 2523| | 2524| 119| case NDPI_UNSAFE_PROTOCOL: ------------------ | Branch (2524:3): [True: 119, False: 13.1k] ------------------ 2525| 119| return("Unsafe Protocol"); 2526| | 2527| 61| case NDPI_DNS_SUSPICIOUS_TRAFFIC: ------------------ | Branch (2527:3): [True: 61, False: 13.2k] ------------------ 2528| 61| return("Susp DNS Traffic"); /* Exfiltration ? 
*/ 2529| | 2530| 145| case NDPI_TLS_MISSING_SNI: ------------------ | Branch (2530:3): [True: 145, False: 13.1k] ------------------ 2531| 145| return("Missing SNI TLS Extn"); 2532| | 2533| 0| case NDPI_HTTP_SUSPICIOUS_CONTENT: ------------------ | Branch (2533:3): [True: 0, False: 13.3k] ------------------ 2534| 0| return("HTTP Susp Content"); 2535| | 2536| 0| case NDPI_RISKY_ASN: ------------------ | Branch (2536:3): [True: 0, False: 13.3k] ------------------ 2537| 0| return("Risky ASN"); 2538| | 2539| 3| case NDPI_RISKY_DOMAIN: ------------------ | Branch (2539:3): [True: 3, False: 13.3k] ------------------ 2540| 3| return("Risky Domain Name"); 2541| | 2542| 3| case NDPI_MALICIOUS_FINGERPRINT: ------------------ | Branch (2542:3): [True: 3, False: 13.3k] ------------------ 2543| 3| return("Malicious Fingerprint"); 2544| | 2545| 0| case NDPI_MALICIOUS_SHA1_CERTIFICATE: ------------------ | Branch (2545:3): [True: 0, False: 13.3k] ------------------ 2546| 0| return("Malicious SSL Cert/SHA1 Fingerp."); 2547| | 2548| 2| case NDPI_DESKTOP_OR_FILE_SHARING_SESSION: ------------------ | Branch (2548:3): [True: 2, False: 13.3k] ------------------ 2549| 2| return("Desktop/File Sharing"); 2550| | 2551| 169| case NDPI_TLS_UNCOMMON_ALPN: ------------------ | Branch (2551:3): [True: 169, False: 13.1k] ------------------ 2552| 169| return("Uncommon TLS ALPN"); 2553| | 2554| 11| case NDPI_TLS_CERT_VALIDITY_TOO_LONG: ------------------ | Branch (2554:3): [True: 11, False: 13.3k] ------------------ 2555| 11| return("TLS Cert Validity Too Long"); 2556| | 2557| 441| case NDPI_TLS_SUSPICIOUS_EXTENSION: ------------------ | Branch (2557:3): [True: 441, False: 12.8k] ------------------ 2558| 441| return("TLS Susp Extn"); 2559| | 2560| 0| case NDPI_TLS_FATAL_ALERT: ------------------ | Branch (2560:3): [True: 0, False: 13.3k] ------------------ 2561| 0| return("TLS Fatal Alert"); 2562| | 2563| 286| case NDPI_SUSPICIOUS_ENTROPY: ------------------ | Branch (2563:3): [True: 286, False: 
13.0k] ------------------ 2564| 286| return("Susp Entropy"); 2565| | 2566| 116| case NDPI_CLEAR_TEXT_CREDENTIALS: ------------------ | Branch (2566:3): [True: 116, False: 13.1k] ------------------ 2567| 116| return("Clear-Text Credentials"); 2568| | 2569| 0| case NDPI_DNS_LARGE_PACKET: ------------------ | Branch (2569:3): [True: 0, False: 13.3k] ------------------ 2570| 0| return("Large DNS Packet (512+ bytes)"); 2571| | 2572| 3| case NDPI_DNS_FRAGMENTED: ------------------ | Branch (2572:3): [True: 3, False: 13.3k] ------------------ 2573| 3| return("Fragmented DNS Message"); 2574| | 2575| 523| case NDPI_INVALID_CHARACTERS: ------------------ | Branch (2575:3): [True: 523, False: 12.7k] ------------------ 2576| 523| return("Non-Printable/Invalid Chars Detected"); 2577| | 2578| 378| case NDPI_POSSIBLE_EXPLOIT: ------------------ | Branch (2578:3): [True: 378, False: 12.9k] ------------------ 2579| 378| return("Possible Exploit Attempt"); 2580| | 2581| 17| case NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE: ------------------ | Branch (2581:3): [True: 17, False: 13.2k] ------------------ 2582| 17| return("TLS Cert About To Expire"); 2583| | 2584| 0| case NDPI_PUNYCODE_IDN: ------------------ | Branch (2584:3): [True: 0, False: 13.3k] ------------------ 2585| 0| return("IDN Domain Name"); 2586| | 2587| 461| case NDPI_ERROR_CODE_DETECTED: ------------------ | Branch (2587:3): [True: 461, False: 12.8k] ------------------ 2588| 461| return("Error Code"); 2589| | 2590| 1| case NDPI_HTTP_CRAWLER_BOT: ------------------ | Branch (2590:3): [True: 1, False: 13.3k] ------------------ 2591| 1| return("Crawler/Bot"); 2592| | 2593| 0| case NDPI_ANONYMOUS_SUBSCRIBER: ------------------ | Branch (2593:3): [True: 0, False: 13.3k] ------------------ 2594| 0| return("Anonymous Subscriber"); 2595| | 2596| 5.50k| case NDPI_UNIDIRECTIONAL_TRAFFIC: ------------------ | Branch (2596:3): [True: 5.50k, False: 7.80k] ------------------ 2597| 5.50k| return("Unidirectional Traffic"); 2598| | 2599| 0| 
case NDPI_HTTP_OBSOLETE_SERVER: ------------------ | Branch (2599:3): [True: 0, False: 13.3k] ------------------ 2600| 0| return("HTTP Obsolete Server"); 2601| | 2602| 0| case NDPI_PERIODIC_FLOW: ------------------ | Branch (2602:3): [True: 0, False: 13.3k] ------------------ 2603| 0| return("Periodic Flow"); 2604| | 2605| 18| case NDPI_MINOR_ISSUES: ------------------ | Branch (2605:3): [True: 18, False: 13.2k] ------------------ 2606| 18| return("Minor Issues"); 2607| | 2608| 63| case NDPI_TCP_ISSUES: ------------------ | Branch (2608:3): [True: 63, False: 13.2k] ------------------ 2609| 63| return("TCP Connection Issues"); 2610| | 2611| 0| case NDPI_UNRESOLVED_HOSTNAME: ------------------ | Branch (2611:3): [True: 0, False: 13.3k] ------------------ 2612| 0| return("Unresolved hostname"); 2613| | 2614| 24| case NDPI_TLS_ALPN_SNI_MISMATCH: ------------------ | Branch (2614:3): [True: 24, False: 13.2k] ------------------ 2615| 24| return("ALPN/SNI Mismatch"); 2616| | 2617| 0| case NDPI_MALWARE_HOST_CONTACTED: ------------------ | Branch (2617:3): [True: 0, False: 13.3k] ------------------ 2618| 0| return("Client Contacted A Malware Host"); 2619| | 2620| 0| case NDPI_BINARY_DATA_TRANSFER: ------------------ | Branch (2620:3): [True: 0, False: 13.3k] ------------------ 2621| 0| return("Binary File/Data Transfer (Attempt)"); 2622| | 2623| 26| case NDPI_PROBING_ATTEMPT: ------------------ | Branch (2623:3): [True: 26, False: 13.2k] ------------------ 2624| 26| return("Probing Attempt"); 2625| | 2626| 0| case NDPI_OBFUSCATED_TRAFFIC: ------------------ | Branch (2626:3): [True: 0, False: 13.3k] ------------------ 2627| 0| return("Obfuscated Traffic"); 2628| | 2629| 109| case NDPI_SLOW_DOS: ------------------ | Branch (2629:3): [True: 109, False: 13.2k] ------------------ 2630| 109| return("(Possible) Slow DoS"); 2631| | 2632| 0| default: ------------------ | Branch (2632:3): [True: 0, False: 13.3k] ------------------ 2633| 0| ndpi_snprintf(buf, sizeof(buf), "%d", 
(int)risk); 2634| 0| /* hands back the function-static buffer: the text is overwritten by the next call that reaches this branch */ return(buf); 2635| 13.3k| } 2636| 13.3k|} ndpi_severity2str: 2891| 13.3k|/* Returns the display label for severity s; a value matching none of the listed enumerators falls out of the switch and yields "". */ const char* ndpi_severity2str(ndpi_risk_severity s) { 2892| 13.3k| switch(s) { ------------------ | Branch (2892:10): [True: 13.3k, False: 0] ------------------ 2893| 7.40k| case NDPI_RISK_LOW: ------------------ | Branch (2893:3): [True: 7.40k, False: 5.90k] ------------------ 2894| 7.40k| return("Low"); 2895| | 2896| 3.82k| case NDPI_RISK_MEDIUM: ------------------ | Branch (2896:3): [True: 3.82k, False: 9.48k] ------------------ 2897| 3.82k| return("Medium"); 2898| | 2899| 1.70k| case NDPI_RISK_HIGH: ------------------ | Branch (2899:3): [True: 1.70k, False: 11.6k] ------------------ 2900| 1.70k| return("High"); 2901| | 2902| 378| case NDPI_RISK_SEVERE: ------------------ | Branch (2902:3): [True: 378, False: 12.9k] ------------------ 2903| 378| return("Severe"); 2904| | 2905| 0| case NDPI_RISK_CRITICAL: ------------------ | Branch (2905:3): [True: 0, False: 13.3k] ------------------ 2906| 0| return("Critical"); 2907| | 2908| 0| case NDPI_RISK_EMERGENCY: ------------------ | Branch (2908:3): [True: 0, False: 13.3k] ------------------ 2909| 0| return("Emergency"); 2910| 13.3k| } 2911| | 2912| 0| return(""); 2913| 13.3k|} ndpi_risk2score: 2919| 13.3k| u_int16_t *server_score) { /* Sums a score over every risk bit set in risk: bit i is looked up with ndpi_risk2severity(), its severity is mapped to an NDPI_SCORE_RISK_* value, and that value is split between *client_score and *server_score using info->default_client_risk_pctg as an integer percentage, the remainder going to the server. Both outputs are zeroed first, and a risk of 0 returns 0 immediately. Returns the total. The start of the signature is not shown on this page. */ 2920| 13.3k| u_int16_t score = 0; 2921| 13.3k| u_int32_t i; 2922| | 2923| 13.3k| *client_score = *server_score = 0; /* Reset values */ 2924| | 2925| 13.3k| if(risk == 0) return(0); ------------------ | Branch (2925:6): [True: 0, False: 13.3k] ------------------ 2926| | 2927| 785k| for(i = 0; i < NDPI_MAX_RISK; i++) { ------------------ | Branch (2927:14): [True: 772k, False: 13.3k] ------------------ 2928| 772k| ndpi_risk_enum r = (ndpi_risk_enum)i; 2929| | 2930| 772k| if(NDPI_ISSET_BIT(risk, r)) { ------------------ | | 109| 772k|#define NDPI_ISSET_BIT(num, n) (num & (1ULL << ( n ))) | | ------------------ | | | Branch (109:33): [True: 42.4k, False: 729k] | | ------------------ ------------------ 
2931| 42.4k| /* NOTE(review): info is dereferenced below without a NULL check -- confirm ndpi_risk2severity() cannot return NULL for i < NDPI_MAX_RISK */ ndpi_risk_info *info = ndpi_risk2severity(r); 2932| 42.4k| u_int16_t val = 0, client_score_val; 2933| | 2934| 42.4k| switch(info->severity) { ------------------ | Branch (2934:14): [True: 42.4k, False: 0] ------------------ 2935| 6.86k| case NDPI_RISK_LOW: ------------------ | Branch (2935:7): [True: 6.86k, False: 35.6k] ------------------ 2936| 6.86k| val = NDPI_SCORE_RISK_LOW; 2937| 6.86k| break; 2938| | 2939| 7.98k| case NDPI_RISK_MEDIUM: ------------------ | Branch (2939:7): [True: 7.98k, False: 34.5k] ------------------ 2940| 7.98k| val = NDPI_SCORE_RISK_MEDIUM; 2941| 7.98k| break; 2942| | 2943| 0| case NDPI_RISK_HIGH: ------------------ | Branch (2943:7): [True: 0, False: 42.4k] ------------------ 2944| 0| val = NDPI_SCORE_RISK_HIGH; 2945| 0| break; 2946| | 2947| 27.6k| case NDPI_RISK_SEVERE: ------------------ | Branch (2947:7): [True: 27.6k, False: 14.8k] ------------------ 2948| 27.6k| val = NDPI_SCORE_RISK_SEVERE; 2949| 27.6k| break; 2950| | 2951| 0| case NDPI_RISK_CRITICAL: ------------------ | Branch (2951:7): [True: 0, False: 42.4k] ------------------ 2952| 0| val = NDPI_SCORE_RISK_CRITICAL; 2953| 0| break; 2954| | 2955| 0| case NDPI_RISK_EMERGENCY: ------------------ | Branch (2955:7): [True: 0, False: 42.4k] ------------------ 2956| 0| val = NDPI_SCORE_RISK_EMERGENCY; 2957| 0| break; 2958| 42.4k| } 2959| | 2960| 42.4k| /* NOTE(review): score and *server_score are u_int16_t; whether the running sum can exceed 65535 depends on the NDPI_SCORE_RISK_* values, which are not shown here */ score += val; 2961| 42.4k| client_score_val = (val * info->default_client_risk_pctg) / 100; 2962| | 2963| 42.4k| *client_score += client_score_val, *server_score += (val - client_score_val); 2964| 42.4k| } 2965| 772k| } 2966| | 2967| 13.3k| return(score); 2968| 13.3k|} ndpi_http_str2method: 3062| 935|/* Maps the start of an HTTP request method to an ndpi_http_method value. A NULL method or method_len < 3 returns NDPI_HTTP_METHOD_UNKNOWN. Most branches decide on the first one or two bytes alone (any token starting with 'G' is reported as GET, for example); only PROPFIND/PROPPATCH and the RPC_* methods compare a longer prefix, and only after checking method_len. The result is a classification hint, not a validation of the token. */ ndpi_http_method ndpi_http_str2method(const char* method, u_int16_t method_len) { 3063| 935| if(!method || method_len < 3) ------------------ | Branch (3063:6): [True: 0, False: 935] | Branch (3063:17): [True: 0, False: 935] ------------------ 3064| 0| return(NDPI_HTTP_METHOD_UNKNOWN); 3065| | 3066| 935| switch(method[0]) { 
------------------ | Branch (3066:10): [True: 935, False: 0] ------------------ 3067| 0| case 'O': return(NDPI_HTTP_METHOD_OPTIONS); ------------------ | Branch (3067:3): [True: 0, False: 935] ------------------ 3068| 744| case 'G': return(NDPI_HTTP_METHOD_GET); ------------------ | Branch (3068:3): [True: 744, False: 191] ------------------ 3069| 0| case 'H': return(NDPI_HTTP_METHOD_HEAD); ------------------ | Branch (3069:3): [True: 0, False: 935] ------------------ 3070| 0| case 'L': return(NDPI_HTTP_METHOD_LOCK); ------------------ | Branch (3070:3): [True: 0, False: 935] ------------------ 3071| | 3072| 0| case 'M': ------------------ | Branch (3072:3): [True: 0, False: 935] ------------------ 3073| 0| if (method[1] == 'O') ------------------ | Branch (3073:9): [True: 0, False: 0] ------------------ 3074| 0| return(NDPI_HTTP_METHOD_MOVE); 3075| 0| else 3076| 0| return(NDPI_HTTP_METHOD_MKCOL); 3077| | 3078| 188| case 'P': ------------------ | Branch (3078:3): [True: 188, False: 747] ------------------ 3079| 188| switch(method[1]) { ------------------ | Branch (3079:12): [True: 187, False: 1] ------------------ 3080| 0| case 'A':return(NDPI_HTTP_METHOD_PATCH); ------------------ | Branch (3080:5): [True: 0, False: 188] ------------------ 3081| 187| case 'O':return(NDPI_HTTP_METHOD_POST); ------------------ | Branch (3081:5): [True: 187, False: 1] ------------------ 3082| 0| case 'U':return(NDPI_HTTP_METHOD_PUT); ------------------ | Branch (3082:5): [True: 0, False: 188] ------------------ 3083| 0| case 'R': ------------------ | Branch (3083:5): [True: 0, False: 188] ------------------ 3084| 0| if (method_len >= 5) { ------------------ | Branch (3084:11): [True: 0, False: 0] ------------------ 3085| 0| if (strncmp(method, "PROPF", 5) == 0) ------------------ | Branch (3085:13): [True: 0, False: 0] ------------------ 3086| 0| return(NDPI_HTTP_METHOD_PROPFIND); 3087| 0| else if (strncmp(method, "PROPP", 5) == 0) ------------------ | Branch (3087:18): [True: 0, 
False: 0] ------------------ 3088| 0| return NDPI_HTTP_METHOD_PROPPATCH; 3089| 0| } 3090| 188| } 3091| 1| /* a 'P' token matching none of the inner cases leaves the switch and returns NDPI_HTTP_METHOD_UNKNOWN at the end */ break; 3092| | 3093| 1| case 'D': return(NDPI_HTTP_METHOD_DELETE); ------------------ | Branch (3093:3): [True: 0, False: 935] ------------------ 3094| 0| case 'T': return(NDPI_HTTP_METHOD_TRACE); ------------------ | Branch (3094:3): [True: 0, False: 935] ------------------ 3095| 2| case 'C': ------------------ | Branch (3095:3): [True: 2, False: 933] ------------------ 3096| 2| /* length alone separates COPY from CONNECT here */ if (method_len == 4) ------------------ | Branch (3096:9): [True: 0, False: 2] ------------------ 3097| 0| return(NDPI_HTTP_METHOD_COPY); 3098| 2| else 3099| 2| return(NDPI_HTTP_METHOD_CONNECT); 3100| | 3101| 0| case 'R': ------------------ | Branch (3101:3): [True: 0, False: 935] ------------------ 3102| 0| if(method_len >= 11) { ------------------ | Branch (3102:8): [True: 0, False: 0] ------------------ 3103| 0| if(strncmp(method, "RPC_CONNECT", 11) == 0) { ------------------ | Branch (3103:10): [True: 0, False: 0] ------------------ 3104| 0| return(NDPI_HTTP_METHOD_RPC_CONNECT); 3105| 0| } else if(strncmp(method, "RPC_IN_DATA", 11) == 0) { ------------------ | Branch (3105:17): [True: 0, False: 0] ------------------ 3106| 0| return(NDPI_HTTP_METHOD_RPC_IN_DATA); 3107| 0| /* only the first 11 of the 12 characters of "RPC_OUT_DATA" are compared, in line with the method_len >= 11 guard */ } else if(strncmp(method, "RPC_OUT_DATA", 11) == 0) { ------------------ | Branch (3107:17): [True: 0, False: 0] ------------------ 3108| 0| return(NDPI_HTTP_METHOD_RPC_OUT_DATA); 3109| 0| } 3110| 0| } 3111| 0| break; 3112| | 3113| 1| case 'U': return(NDPI_HTTP_METHOD_UNLOCK); ------------------ | Branch (3113:3): [True: 1, False: 934] ------------------ 3114| 935| } 3115| | 3116| 1| return(NDPI_HTTP_METHOD_UNKNOWN); 3117| 935|} ndpi_hash_init: 3121| 27.8k|int ndpi_hash_init(ndpi_str_hash **h) { 3122| 27.8k| if (h == NULL) ------------------ | Branch (3122:7): [True: 0, False: 27.8k] ------------------ 3123| 0| return 1; 3124| | 3125| 27.8k| *h = ndpi_calloc(1, sizeof(**h)); 3126| 27.8k| if(!*h) ------------------ 
| Branch (3126:6): [True: 925, False: 26.9k] ------------------ 3127| 925| return 1; 3128| 26.9k| return 0; 3129| 27.8k|} ndpi_hash_free: 3133| 26.9k|void ndpi_hash_free(ndpi_str_hash **h) { 3134| 26.9k| if(h && *h) { ------------------ | Branch (3134:6): [True: 26.9k, False: 0] | Branch (3134:11): [True: 26.9k, False: 0] ------------------ 3135| 26.9k| ndpi_str_hash_priv *h_priv = (ndpi_str_hash_priv *)((*h)->priv); 3136| 26.9k| ndpi_str_hash_priv *current, *tmp; 3137| | 3138| 1.91M| HASH_ITER(hh, h_priv, current, tmp) { ------------------ | | 1061| 26.9k|#define HASH_ITER(hh,head,el,tmp) \ | | 1062| 26.9k|for(((el)=(head)), ((tmp)=DECLTYPE(el)((head!=NULL)?(head)->hh.next:NULL)); \ | | ------------------ | | | | 57| 26.9k|#define DECLTYPE(x) (__typeof(x)) | | ------------------ | | | Branch (1062:40): [True: 13.2k, False: 13.6k] | | ------------------ | | 1063| 1.94M| (el) != NULL; ((el)=(tmp)), ((tmp)=DECLTYPE(el)((tmp!=NULL)?(tmp)->hh.next:NULL))) | | ------------------ | | | | 57| 1.91M|#define DECLTYPE(x) (__typeof(x)) | | ------------------ | | | Branch (1063:3): [True: 1.91M, False: 26.9k] | | | Branch (1063:51): [True: 1.90M, False: 13.2k] | | ------------------ ------------------ 3139| 1.91M| HASH_DEL(h_priv, current); ------------------ | | 509| 1.91M| HASH_DELETE(hh,head,delptr) | | ------------------ | | | | 449| 1.91M| HASH_DELETE_HH(hh, head, &(delptr)->hh) | | | | ------------------ | | | | | | 451| 1.91M|#define HASH_DELETE_HH(hh,head,delptrhh) \ | | | | | | 452| 1.91M|do { \ | | | | | | 453| 1.91M| struct UT_hash_handle *_hd_hh_del = (delptrhh); \ | | | | | | 454| 1.91M| if ((_hd_hh_del->prev == NULL) && (_hd_hh_del->next == NULL)) { \ | | | | | | ------------------ | | | | | | | Branch (454:7): [True: 1.91M, False: 0] | | | | | | | Branch (454:37): [True: 13.2k, False: 1.90M] | | | | | | ------------------ | | | | | | 455| 13.2k| HASH_BLOOM_FREE((head)->hh.tbl); \ | | | | | | 456| 13.2k| uthash_free((head)->hh.tbl->buckets, \ | | | | | | 
------------------ | | | | | | | | 79| 13.2k|#define uthash_free(ptr,sz) ndpi_free(ptr) /* free fcn */ | | | | | | ------------------ | | | | | | 457| 13.2k| (head)->hh.tbl->num_buckets * sizeof(struct UT_hash_bucket)); \ | | | | | | 458| 13.2k| uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \ | | | | | | ------------------ | | | | | | | | 79| 13.2k|#define uthash_free(ptr,sz) ndpi_free(ptr) /* free fcn */ | | | | | | ------------------ | | | | | | 459| 13.2k| (head) = NULL; \ | | | | | | 460| 1.90M| } else { \ | | | | | | 461| 1.90M| unsigned _hd_bkt; \ | | | | | | 462| 1.90M| if (_hd_hh_del == (head)->hh.tbl->tail) { \ | | | | | | ------------------ | | | | | | | Branch (462:9): [True: 0, False: 1.90M] | | | | | | ------------------ | | | | | | 463| 0| (head)->hh.tbl->tail = HH_FROM_ELMT((head)->hh.tbl, _hd_hh_del->prev); \ | | | | | | ------------------ | | | | | | | | 137| 0|#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho))) | | | | | | ------------------ | | | | | | 464| 0| } \ | | | | | | 465| 1.90M| if (_hd_hh_del->prev != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (465:9): [True: 0, False: 1.90M] | | | | | | ------------------ | | | | | | 466| 0| HH_FROM_ELMT((head)->hh.tbl, _hd_hh_del->prev)->next = _hd_hh_del->next; \ | | | | | | ------------------ | | | | | | | | 137| 0|#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho))) | | | | | | ------------------ | | | | | | 467| 1.90M| } else { \ | | | | | | 468| 1.90M| DECLTYPE_ASSIGN(head, _hd_hh_del->next); \ | | | | | | ------------------ | | | | | | | | 69| 1.90M|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 1.90M|do { \ | | | | | | | | 71| 1.90M| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 1.90M|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | ------------------ | | | | | | | | 72| 1.90M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch 
(72:10): [Folded, False: 1.90M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 469| 1.90M| } \ | | | | | | 470| 1.90M| if (_hd_hh_del->next != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (470:9): [True: 1.90M, False: 0] | | | | | | ------------------ | | | | | | 471| 1.90M| HH_FROM_ELMT((head)->hh.tbl, _hd_hh_del->next)->prev = _hd_hh_del->prev; \ | | | | | | ------------------ | | | | | | | | 137| 1.90M|#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho))) | | | | | | ------------------ | | | | | | 472| 1.90M| } \ | | | | | | 473| 1.90M| HASH_TO_BKT(_hd_hh_del->hashv, (head)->hh.tbl->num_buckets, _hd_bkt); \ | | | | | | ------------------ | | | | | | | | 431| 1.90M|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | | | 432| 1.90M|do { \ | | | | | | | | 433| 1.90M| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | | | 434| 1.90M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (434:10): [Folded, False: 1.90M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 474| 1.90M| HASH_DEL_IN_BKT((head)->hh.tbl->buckets[_hd_bkt], _hd_hh_del); \ | | | | | | ------------------ | | | | | | | | 790| 1.90M|#define HASH_DEL_IN_BKT(head,delhh) \ | | | | | | | | 791| 1.90M|do { \ | | | | | | | | 792| 1.90M| UT_hash_bucket *_hd_head = &(head); \ | | | | | | | | 793| 1.90M| _hd_head->count--; \ | | | | | | | | 794| 1.90M| if (_hd_head->hh_head == (delhh)) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (794:7): [True: 856k, False: 1.04M] | | | | | | | | ------------------ | | | | | | | | 795| 856k| _hd_head->hh_head = (delhh)->hh_next; \ | | | | | | | | 796| 856k| } \ | | | | | | | | 797| 1.90M| if ((delhh)->hh_prev) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (797:7): [True: 1.04M, False: 856k] | | | | | | | | ------------------ | | | | | | | | 798| 1.04M| (delhh)->hh_prev->hh_next = (delhh)->hh_next; \ | | | | | 
| | | 799| 1.04M| } \ | | | | | | | | 800| 1.90M| if ((delhh)->hh_next) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (800:7): [True: 622k, False: 1.28M] | | | | | | | | ------------------ | | | | | | | | 801| 622k| (delhh)->hh_next->hh_prev = (delhh)->hh_prev; \ | | | | | | | | 802| 622k| } \ | | | | | | | | 803| 1.90M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (803:10): [Folded, False: 1.90M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 475| 1.90M| (head)->hh.tbl->num_items--; \ | | | | | | 476| 1.90M| } \ | | | | | | 477| 1.91M| HASH_FSCK(hh, head, "HASH_DELETE_HH"); \ | | | | | | 478| 1.91M|} while (0) | | | | | | ------------------ | | | | | | | Branch (478:10): [Folded, False: 1.91M] | | | | | | ------------------ | | | | ------------------ | | ------------------ ------------------ 3140| 1.91M| ndpi_free(current->key); 3141| 1.91M| ndpi_free(current); 3142| 1.91M| } 3143| | 3144| 26.9k| ndpi_free(*h); 3145| | *h = NULL; 3146| 26.9k| } 3147| 26.9k|} ndpi_hash_find_entry_extra: 3153| 448k| ndpi_list **extra_data /* out */) { 3154| 448k| ndpi_str_hash_priv *h_priv; 3155| 448k| ndpi_str_hash_priv *item; 3156| | 3157| 448k| if(!h || !key || key_len == 0) ------------------ | Branch (3157:6): [True: 0, False: 448k] | Branch (3157:12): [True: 0, False: 448k] | Branch (3157:20): [True: 0, False: 448k] ------------------ 3158| 0| return(2); 3159| | 3160| 448k| h_priv = (ndpi_str_hash_priv *)((h)->priv); 3161| | 3162| 448k| h->stats.n_search++; 3163| 448k| HASH_FIND(hh, h_priv, key, key_len, item); ------------------ | | 166| 448k|#define HASH_FIND(hh,head,keyptr,keylen,out) \ | | 167| 448k|do { \ | | 168| 448k| (out) = NULL; \ | | 169| 448k| if (head) { \ | | ------------------ | | | Branch (169:7): [True: 440k, False: 7.76k] | | ------------------ | | 170| 440k| unsigned _hf_hashv; \ | | 171| 440k| HASH_VALUE(keyptr, keylen, _hf_hashv); \ | | ------------------ | | | | 149| 440k|#define 
HASH_VALUE(keyptr,keylen,hashv) \ | | | | 150| 440k|do { \ | | | | 151| 440k| HASH_FUNCTION(keyptr, keylen, hashv); \ | | | | ------------------ | | | | | | 89| 440k|#define HASH_FUNCTION(keyptr,keylen,hashv) HASH_JEN(keyptr, keylen, hashv) | | | | | | ------------------ | | | | | | | | 648| 440k|#define HASH_JEN(key,keylen,hashv) \ | | | | | | | | 649| 440k|do { \ | | | | | | | | 650| 440k| unsigned _hj_i,_hj_j,_hj_k; \ | | | | | | | | 651| 440k| unsigned const char *_hj_key=(unsigned const char*)(key); \ | | | | | | | | 652| 440k| hashv = 0xfeedbeefu; \ | | | | | | | | 653| 440k| _hj_i = _hj_j = 0x9e3779b9u; \ | | | | | | | | 654| 440k| _hj_k = (unsigned)(keylen); \ | | | | | | | | 655| 1.13M| while (_hj_k >= 12U) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (655:10): [True: 695k, False: 440k] | | | | | | | | ------------------ | | | | | | | | 656| 695k| _hj_i += (_hj_key[0] + ( (unsigned)_hj_key[1] << 8 ) \ | | | | | | | | 657| 695k| + ( (unsigned)_hj_key[2] << 16 ) \ | | | | | | | | 658| 695k| + ( (unsigned)_hj_key[3] << 24 ) ); \ | | | | | | | | 659| 695k| _hj_j += (_hj_key[4] + ( (unsigned)_hj_key[5] << 8 ) \ | | | | | | | | 660| 695k| + ( (unsigned)_hj_key[6] << 16 ) \ | | | | | | | | 661| 695k| + ( (unsigned)_hj_key[7] << 24 ) ); \ | | | | | | | | 662| 695k| hashv += (_hj_key[8] + ( (unsigned)_hj_key[9] << 8 ) \ | | | | | | | | 663| 695k| + ( (unsigned)_hj_key[10] << 16 ) \ | | | | | | | | 664| 695k| + ( (unsigned)_hj_key[11] << 24 ) ); \ | | | | | | | | 665| 695k| \ | | | | | | | | 666| 695k| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | ------------------ | | | | | | | | | | 635| 695k|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | 636| 695k|do { \ | | | | | | | | | | 637| 695k| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | 638| 695k| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | 639| 695k| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | 640| 695k| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | 
| 641| 695k| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | 642| 695k| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | 643| 695k| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | 644| 695k| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | 645| 695k| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | 646| 695k|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (646:10): [Folded, False: 695k] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 667| 695k| \ | | | | | | | | 668| 695k| _hj_key += 12; \ | | | | | | | | 669| 695k| _hj_k -= 12U; \ | | | | | | | | 670| 695k| } \ | | | | | | | | 671| 440k| hashv += (unsigned)(keylen); \ | | | | | | | | 672| 440k| switch ( _hj_k ) { \ | | | | | | | | 673| 146k| case 11: hashv += ( (unsigned)_hj_key[10] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (673:5): [True: 146k, False: 293k] | | | | | | | | ------------------ | | | | | | | | 674| 149k| case 10: hashv += ( (unsigned)_hj_key[9] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (674:5): [True: 3.12k, False: 437k] | | | | | | | | ------------------ | | | | | | | | 675| 151k| case 9: hashv += ( (unsigned)_hj_key[8] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (675:5): [True: 1.53k, False: 438k] | | | | | | | | ------------------ | | | | | | | | 676| 153k| case 8: _hj_j += ( (unsigned)_hj_key[7] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (676:5): [True: 1.76k, False: 438k] | | | | | | | | ------------------ | | | | | | | | 677| 160k| case 7: _hj_j += ( (unsigned)_hj_key[6] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (677:5): [True: 7.78k, False: 432k] | | | | | | | | ------------------ | | | | | | | | 678| 166k| case 6: _hj_j += ( (unsigned)_hj_key[5] << 8 ); /* 
FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (678:5): [True: 5.86k, False: 434k] | | | | | | | | ------------------ | | | | | | | | 679| 171k| case 5: _hj_j += _hj_key[4]; /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (679:5): [True: 4.63k, False: 435k] | | | | | | | | ------------------ | | | | | | | | 680| 176k| case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (680:5): [True: 5.34k, False: 434k] | | | | | | | | ------------------ | | | | | | | | 681| 177k| case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (681:5): [True: 1.02k, False: 439k] | | | | | | | | ------------------ | | | | | | | | 682| 260k| case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (682:5): [True: 82.8k, False: 357k] | | | | | | | | ------------------ | | | | | | | | 683| 301k| case 1: _hj_i += _hj_key[0]; /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (683:5): [True: 40.5k, False: 399k] | | | | | | | | ------------------ | | | | | | | | 684| 440k| default: ; \ | | | | | | | | ------------------ | | | | | | | | | Branch (684:5): [True: 139k, False: 301k] | | | | | | | | ------------------ | | | | | | | | 685| 440k| } \ | | | | | | | | 686| 440k| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | ------------------ | | | | | | | | | | 635| 440k|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | 636| 440k|do { \ | | | | | | | | | | 637| 440k| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | 638| 440k| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | 639| 440k| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | 640| 440k| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | 641| 440k| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | 642| 
440k| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | 643| 440k| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | 644| 440k| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | 645| 440k| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | 646| 440k|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (646:10): [Folded, False: 440k] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 687| 440k|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (687:10): [Folded, False: 440k] | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | 152| 440k|} while (0) | | | | ------------------ | | | | | Branch (152:10): [Folded, False: 440k] | | | | ------------------ | | ------------------ | | 172| 440k| HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \ | | ------------------ | | | | 154| 440k|#define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \ | | | | 155| 440k|do { \ | | | | 156| 440k| (out) = NULL; \ | | | | 157| 440k| if (head) { \ | | | | ------------------ | | | | | Branch (157:7): [True: 440k, False: 0] | | | | ------------------ | | | | 158| 440k| unsigned _hf_bkt; \ | | | | 159| 440k| HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _hf_bkt); \ | | | | ------------------ | | | | | | 431| 440k|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | 432| 440k|do { \ | | | | | | 433| 440k| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | 434| 440k|} while (0) | | | | | | ------------------ | | | | | | | Branch (434:10): [Folded, False: 440k] | | | | | | ------------------ | | | | ------------------ | | | | 160| 440k| if (HASH_BLOOM_TEST((head)->hh.tbl, hashval) != 0) { \ | | | | ------------------ | | | | | | 209| 440k|#define HASH_BLOOM_TEST(tbl,hashv) (1) | | | | ------------------ | | | | | Branch (160:9): [True: 440k, Folded] | | | | ------------------ | | | | 161| 440k| 
HASH_FIND_IN_BKT((head)->hh.tbl, hh, (head)->hh.tbl->buckets[ _hf_bkt ], keyptr, keylen, hashval, out); \ | | | | ------------------ | | | | | | 746| 440k|#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \ | | | | | | 747| 440k|do { \ | | | | | | 748| 440k| if ((head).hh_head != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (748:7): [True: 283k, False: 156k] | | | | | | ------------------ | | | | | | 749| 283k| DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (head).hh_head)); \ | | | | | | ------------------ | | | | | | | | 69| 283k|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 283k|do { \ | | | | | | | | 71| 283k| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 283k|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | ------------------ | | | | | | | | 72| 283k|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (72:10): [Folded, False: 283k] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 750| 283k| } else { \ | | | | | | 751| 156k| (out) = NULL; \ | | | | | | 752| 156k| } \ | | | | | | 753| 1.03M| while ((out) != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (753:10): [True: 604k, False: 429k] | | | | | | ------------------ | | | | | | 754| 604k| if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \ | | | | | | ------------------ | | | | | | | Branch (754:9): [True: 11.3k, False: 593k] | | | | | | | Branch (754:41): [True: 11.3k, False: 0] | | | | | | ------------------ | | | | | | 755| 11.3k| if (HASH_KEYCMP((out)->hh.key, keyptr, keylen_in) == 0) { \ | | | | | | ------------------ | | | | | | | | 93| 11.3k|#define HASH_KEYCMP(a,b,n) memcmp(a,b,n) | | | | | | ------------------ | | | | | | | Branch (755:11): [True: 11.3k, False: 0] | | | | | | ------------------ | | | | | | 756| 11.3k| break; \ | | | | | | 757| 11.3k| } \ | | | | | | 758| 11.3k| } \ | | | | | | 759| 604k| if ((out)->hh.hh_next != NULL) { \ 
| | | | | | ------------------ | | | | | | | Branch (759:9): [True: 320k, False: 272k] | | | | | | ------------------ | | | | | | 760| 320k| DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (out)->hh.hh_next)); \ | | | | | | ------------------ | | | | | | | | 69| 320k|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 320k|do { \ | | | | | | | | 71| 320k| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 320k|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | ------------------ | | | | | | | | 72| 320k|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (72:10): [Folded, False: 320k] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 761| 320k| } else { \ | | | | | | 762| 272k| (out) = NULL; \ | | | | | | 763| 272k| } \ | | | | | | 764| 593k| } \ | | | | | | 765| 440k|} while (0) | | | | | | ------------------ | | | | | | | Branch (765:10): [Folded, False: 440k] | | | | | | ------------------ | | | | ------------------ | | | | 162| 440k| } \ | | | | 163| 440k| } \ | | | | 164| 440k|} while (0) | | | | ------------------ | | | | | Branch (164:10): [Folded, False: 440k] | | | | ------------------ | | ------------------ | | 173| 440k| } \ | | 174| 448k|} while (0) | | ------------------ | | | Branch (174:10): [Folded, False: 448k] | | ------------------ ------------------ 3164| | 3165| 448k| if (item != NULL) { ------------------ | Branch (3165:7): [True: 11.3k, False: 436k] ------------------ 3166| 11.3k| if(value != NULL) ------------------ | Branch (3166:8): [True: 11.3k, False: 0] ------------------ 3167| 11.3k| *value = item->value64; 3168| | 3169| 11.3k| if(extra_data != NULL) ------------------ | Branch (3169:8): [True: 0, False: 11.3k] ------------------ 3170| 0| *extra_data = &item->value_list; 3171| | 3172| 11.3k| h->stats.n_found++; 3173| 11.3k| return 0; 3174| 11.3k| } else 3175| 436k| return 1; 3176| 448k|} ndpi_hash_find_entry: 3181| 448k| u_int key_len, u_int64_t *value /* 
out */) { 3182| | return(ndpi_hash_find_entry_extra(h, key, key_len, value, NULL)); 3183| 448k|} ndpi_hash_add_entry: 3188| 2.18M| u_int64_t value, char *extra_data /* Allocated by caller */) { 3189| 2.18M| ndpi_str_hash_priv *h_priv; 3190| 2.18M| ndpi_str_hash_priv *item, *ret_found; 3191| | 3192| 2.18M| if(!h || !*h || !key || key_len == 0) ------------------ | Branch (3192:6): [True: 0, False: 2.18M] | Branch (3192:12): [True: 0, False: 2.18M] | Branch (3192:19): [True: 0, False: 2.18M] | Branch (3192:27): [True: 0, False: 2.18M] ------------------ 3193| 0| return(3); 3194| | 3195| 2.18M| h_priv = (ndpi_str_hash_priv *)((*h)->priv); 3196| | 3197| 2.18M| HASH_FIND(hh, h_priv, key, key_len, item); ------------------ | | 166| 2.18M|#define HASH_FIND(hh,head,keyptr,keylen,out) \ | | 167| 2.18M|do { \ | | 168| 2.18M| (out) = NULL; \ | | 169| 2.18M| if (head) { \ | | ------------------ | | | Branch (169:7): [True: 2.16M, False: 17.1k] | | ------------------ | | 170| 2.16M| unsigned _hf_hashv; \ | | 171| 2.16M| HASH_VALUE(keyptr, keylen, _hf_hashv); \ | | ------------------ | | | | 149| 2.16M|#define HASH_VALUE(keyptr,keylen,hashv) \ | | | | 150| 2.16M|do { \ | | | | 151| 2.16M| HASH_FUNCTION(keyptr, keylen, hashv); \ | | | | ------------------ | | | | | | 89| 2.16M|#define HASH_FUNCTION(keyptr,keylen,hashv) HASH_JEN(keyptr, keylen, hashv) | | | | | | ------------------ | | | | | | | | 648| 2.16M|#define HASH_JEN(key,keylen,hashv) \ | | | | | | | | 649| 2.16M|do { \ | | | | | | | | 650| 2.16M| unsigned _hj_i,_hj_j,_hj_k; \ | | | | | | | | 651| 2.16M| unsigned const char *_hj_key=(unsigned const char*)(key); \ | | | | | | | | 652| 2.16M| hashv = 0xfeedbeefu; \ | | | | | | | | 653| 2.16M| _hj_i = _hj_j = 0x9e3779b9u; \ | | | | | | | | 654| 2.16M| _hj_k = (unsigned)(keylen); \ | | | | | | | | 655| 3.23M| while (_hj_k >= 12U) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (655:10): [True: 1.07M, False: 2.16M] | | | | | | | | ------------------ | | | | | | 
| | 656| 1.07M| _hj_i += (_hj_key[0] + ( (unsigned)_hj_key[1] << 8 ) \ | | | | | | | | 657| 1.07M| + ( (unsigned)_hj_key[2] << 16 ) \ | | | | | | | | 658| 1.07M| + ( (unsigned)_hj_key[3] << 24 ) ); \ | | | | | | | | 659| 1.07M| _hj_j += (_hj_key[4] + ( (unsigned)_hj_key[5] << 8 ) \ | | | | | | | | 660| 1.07M| + ( (unsigned)_hj_key[6] << 16 ) \ | | | | | | | | 661| 1.07M| + ( (unsigned)_hj_key[7] << 24 ) ); \ | | | | | | | | 662| 1.07M| hashv += (_hj_key[8] + ( (unsigned)_hj_key[9] << 8 ) \ | | | | | | | | 663| 1.07M| + ( (unsigned)_hj_key[10] << 16 ) \ | | | | | | | | 664| 1.07M| + ( (unsigned)_hj_key[11] << 24 ) ); \ | | | | | | | | 665| 1.07M| \ | | | | | | | | 666| 1.07M| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | ------------------ | | | | | | | | | | 635| 1.07M|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | 636| 1.07M|do { \ | | | | | | | | | | 637| 1.07M| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | 638| 1.07M| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | 639| 1.07M| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | 640| 1.07M| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | 641| 1.07M| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | 642| 1.07M| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | 643| 1.07M| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | 644| 1.07M| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | 645| 1.07M| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | 646| 1.07M|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (646:10): [Folded, False: 1.07M] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 667| 1.07M| \ | | | | | | | | 668| 1.07M| _hj_key += 12; \ | | | | | | | | 669| 1.07M| _hj_k -= 12U; \ | | | | | | | | 670| 1.07M| } \ | | | | | | | | 671| 2.16M| hashv += (unsigned)(keylen); \ | | | | | | | | 672| 2.16M| switch ( _hj_k ) { \ | | | | | | | | 673| 334k| case 11: hashv += ( 
(unsigned)_hj_key[10] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (673:5): [True: 334k, False: 1.83M] | | | | | | | | ------------------ | | | | | | | | 674| 600k| case 10: hashv += ( (unsigned)_hj_key[9] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (674:5): [True: 265k, False: 1.90M] | | | | | | | | ------------------ | | | | | | | | 675| 949k| case 9: hashv += ( (unsigned)_hj_key[8] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (675:5): [True: 349k, False: 1.81M] | | | | | | | | ------------------ | | | | | | | | 676| 1.28M| case 8: _hj_j += ( (unsigned)_hj_key[7] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (676:5): [True: 335k, False: 1.83M] | | | | | | | | ------------------ | | | | | | | | 677| 1.44M| case 7: _hj_j += ( (unsigned)_hj_key[6] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (677:5): [True: 158k, False: 2.01M] | | | | | | | | ------------------ | | | | | | | | 678| 1.51M| case 6: _hj_j += ( (unsigned)_hj_key[5] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (678:5): [True: 69.9k, False: 2.09M] | | | | | | | | ------------------ | | | | | | | | 679| 1.52M| case 5: _hj_j += _hj_key[4]; /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (679:5): [True: 13.9k, False: 2.15M] | | | | | | | | ------------------ | | | | | | | | 680| 1.56M| case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (680:5): [True: 34.9k, False: 2.13M] | | | | | | | | ------------------ | | | | | | | | 681| 1.59M| case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (681:5): [True: 34.9k, False: 2.13M] | | | | | | | | ------------------ | | | | | | 
| | 682| 1.75M| case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (682:5): [True: 158k, False: 2.01M] | | | | | | | | ------------------ | | | | | | | | 683| 1.86M| case 1: _hj_i += _hj_key[0]; /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (683:5): [True: 107k, False: 2.06M] | | | | | | | | ------------------ | | | | | | | | 684| 2.16M| default: ; \ | | | | | | | | ------------------ | | | | | | | | | Branch (684:5): [True: 305k, False: 1.86M] | | | | | | | | ------------------ | | | | | | | | 685| 2.16M| } \ | | | | | | | | 686| 2.16M| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | ------------------ | | | | | | | | | | 635| 2.16M|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | 636| 2.16M|do { \ | | | | | | | | | | 637| 2.16M| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | 638| 2.16M| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | 639| 2.16M| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | 640| 2.16M| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | 641| 2.16M| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | 642| 2.16M| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | 643| 2.16M| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | 644| 2.16M| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | 645| 2.16M| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | 646| 2.16M|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (646:10): [Folded, False: 2.16M] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 687| 2.16M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (687:10): [Folded, False: 2.16M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | 152| 2.16M|} while (0) | | | | ------------------ | | | | | Branch (152:10): [Folded, False: 2.16M] | | | | 
------------------ | | ------------------ | | 172| 2.16M| HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \ | | ------------------ | | | | 154| 2.16M|#define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \ | | | | 155| 2.16M|do { \ | | | | 156| 2.16M| (out) = NULL; \ | | | | 157| 2.16M| if (head) { \ | | | | ------------------ | | | | | Branch (157:7): [True: 2.16M, False: 0] | | | | ------------------ | | | | 158| 2.16M| unsigned _hf_bkt; \ | | | | 159| 2.16M| HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _hf_bkt); \ | | | | ------------------ | | | | | | 431| 2.16M|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | 432| 2.16M|do { \ | | | | | | 433| 2.16M| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | 434| 2.16M|} while (0) | | | | | | ------------------ | | | | | | | Branch (434:10): [Folded, False: 2.16M] | | | | | | ------------------ | | | | ------------------ | | | | 160| 2.16M| if (HASH_BLOOM_TEST((head)->hh.tbl, hashval) != 0) { \ | | | | ------------------ | | | | | | 209| 2.16M|#define HASH_BLOOM_TEST(tbl,hashv) (1) | | | | ------------------ | | | | | Branch (160:9): [True: 2.16M, Folded] | | | | ------------------ | | | | 161| 2.16M| HASH_FIND_IN_BKT((head)->hh.tbl, hh, (head)->hh.tbl->buckets[ _hf_bkt ], keyptr, keylen, hashval, out); \ | | | | ------------------ | | | | | | 746| 2.16M|#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \ | | | | | | 747| 2.16M|do { \ | | | | | | 748| 2.16M| if ((head).hh_head != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (748:7): [True: 1.73M, False: 438k] | | | | | | ------------------ | | | | | | 749| 1.73M| DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (head).hh_head)); \ | | | | | | ------------------ | | | | | | | | 69| 1.73M|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 1.73M|do { \ | | | | | | | | 71| 1.73M| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 1.73M|#define DECLTYPE(x) (__typeof(x)) 
| | | | | | | | ------------------ | | | | | | | | 72| 1.73M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (72:10): [Folded, False: 1.73M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 750| 1.73M| } else { \ | | | | | | 751| 438k| (out) = NULL; \ | | | | | | 752| 438k| } \ | | | | | | 753| 7.00M| while ((out) != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (753:10): [True: 4.83M, False: 2.16M] | | | | | | ------------------ | | | | | | 754| 4.83M| if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \ | | | | | | ------------------ | | | | | | | Branch (754:9): [True: 0, False: 4.83M] | | | | | | | Branch (754:41): [True: 0, False: 0] | | | | | | ------------------ | | | | | | 755| 0| if (HASH_KEYCMP((out)->hh.key, keyptr, keylen_in) == 0) { \ | | | | | | ------------------ | | | | | | | | 93| 0|#define HASH_KEYCMP(a,b,n) memcmp(a,b,n) | | | | | | ------------------ | | | | | | | Branch (755:11): [True: 0, False: 0] | | | | | | ------------------ | | | | | | 756| 0| break; \ | | | | | | 757| 0| } \ | | | | | | 758| 0| } \ | | | | | | 759| 4.83M| if ((out)->hh.hh_next != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (759:9): [True: 3.10M, False: 1.73M] | | | | | | ------------------ | | | | | | 760| 3.10M| DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (out)->hh.hh_next)); \ | | | | | | ------------------ | | | | | | | | 69| 3.10M|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 3.10M|do { \ | | | | | | | | 71| 3.10M| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 3.10M|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | ------------------ | | | | | | | | 72| 3.10M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (72:10): [Folded, False: 3.10M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 761| 3.10M| } else { \ | | | | | | 762| 1.73M| (out) = NULL; \ | | | | | | 763| 
1.73M| } \ | | | | | | 764| 4.83M| } \ | | | | | | 765| 2.16M|} while (0) | | | | | | ------------------ | | | | | | | Branch (765:10): [Folded, False: 2.16M] | | | | | | ------------------ | | | | ------------------ | | | | 162| 2.16M| } \ | | | | 163| 2.16M| } \ | | | | 164| 2.16M|} while (0) | | | | ------------------ | | | | | Branch (164:10): [Folded, False: 2.16M] | | | | ------------------ | | ------------------ | | 173| 2.16M| } \ | | 174| 2.18M|} while (0) | | ------------------ | | | Branch (174:10): [Folded, False: 2.18M] | | ------------------ ------------------ 3198| | 3199| 2.18M| if(item != NULL) { ------------------ | Branch (3199:6): [True: 0, False: 2.18M] ------------------ 3200| 0| if(extra_data != NULL) { ------------------ | Branch (3200:8): [True: 0, False: 0] ------------------ 3201| | /* 3202| | If there are extra blocks to handle value64 3203| | (the protocol) is not overwritten (***) 3204| | */ 3205| 0| ndpi_list_append(&item->value_list, extra_data); 3206| 0| } else 3207| 0| item->value64 = value; 3208| | 3209| 0| return(1); /* Entry already present */ 3210| 0| } 3211| | 3212| 2.18M| item = ndpi_calloc(1, sizeof(ndpi_str_hash_priv)); 3213| 2.18M| if(item == NULL) ------------------ | Branch (3213:6): [True: 138k, False: 2.04M] ------------------ 3214| 138k| return(2); 3215| | 3216| 2.04M| ndpi_list_init(&item->value_list); 3217| 2.04M| item->key = ndpi_malloc(key_len+1); 3218| | 3219| 2.04M| if(item->key == NULL) { ------------------ | Branch (3219:6): [True: 128k, False: 1.91M] ------------------ 3220| 128k| ndpi_free(item); 3221| 128k| return(1); 3222| 1.91M| } else { 3223| 1.91M| memcpy(item->key, key, key_len); 3224| 1.91M| item->key[key_len] = '\0'; 3225| 1.91M| } 3226| | 3227| 1.91M| if(extra_data != NULL) /* Same as (***) above */ ------------------ | Branch (3227:6): [True: 0, False: 1.91M] ------------------ 3228| 0| ndpi_list_append(&item->value_list, extra_data); 3229| 1.91M| else 3230| 1.91M| item->value64 = value; 3231| | 
3232| 1.91M| HASH_ADD(hh, *(ndpi_str_hash_priv **)&((*h)->priv), key[0], key_len, item); ------------------ | | 429| 1.91M| HASH_ADD_KEYPTR(hh, head, &((add)->fieldname), keylen_in, add) | | ------------------ | | | | 418| 1.91M|#define HASH_ADD_KEYPTR(hh,head,keyptr,keylen_in,add) \ | | | | 419| 1.91M|do { \ | | | | 420| 1.91M| unsigned _ha_hashv; \ | | | | 421| 1.91M| HASH_VALUE(keyptr, keylen_in, _ha_hashv); \ | | | | ------------------ | | | | | | 149| 1.91M|#define HASH_VALUE(keyptr,keylen,hashv) \ | | | | | | 150| 1.91M|do { \ | | | | | | 151| 1.91M| HASH_FUNCTION(keyptr, keylen, hashv); \ | | | | | | ------------------ | | | | | | | | 89| 1.91M|#define HASH_FUNCTION(keyptr,keylen,hashv) HASH_JEN(keyptr, keylen, hashv) | | | | | | | | ------------------ | | | | | | | | | | 648| 1.91M|#define HASH_JEN(key,keylen,hashv) \ | | | | | | | | | | 649| 1.91M|do { \ | | | | | | | | | | 650| 1.91M| unsigned _hj_i,_hj_j,_hj_k; \ | | | | | | | | | | 651| 1.91M| unsigned const char *_hj_key=(unsigned const char*)(key); \ | | | | | | | | | | 652| 1.91M| hashv = 0xfeedbeefu; \ | | | | | | | | | | 653| 1.91M| _hj_i = _hj_j = 0x9e3779b9u; \ | | | | | | | | | | 654| 1.91M| _hj_k = (unsigned)(keylen); \ | | | | | | | | | | 655| 2.86M| while (_hj_k >= 12U) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (655:10): [True: 949k, False: 1.91M] | | | | | | | | | | ------------------ | | | | | | | | | | 656| 949k| _hj_i += (_hj_key[0] + ( (unsigned)_hj_key[1] << 8 ) \ | | | | | | | | | | 657| 949k| + ( (unsigned)_hj_key[2] << 16 ) \ | | | | | | | | | | 658| 949k| + ( (unsigned)_hj_key[3] << 24 ) ); \ | | | | | | | | | | 659| 949k| _hj_j += (_hj_key[4] + ( (unsigned)_hj_key[5] << 8 ) \ | | | | | | | | | | 660| 949k| + ( (unsigned)_hj_key[6] << 16 ) \ | | | | | | | | | | 661| 949k| + ( (unsigned)_hj_key[7] << 24 ) ); \ | | | | | | | | | | 662| 949k| hashv += (_hj_key[8] + ( (unsigned)_hj_key[9] << 8 ) \ | | | | | | | | | | 663| 949k| + ( (unsigned)_hj_key[10] << 
16 ) \ | | | | | | | | | | 664| 949k| + ( (unsigned)_hj_key[11] << 24 ) ); \ | | | | | | | | | | 665| 949k| \ | | | | | | | | | | 666| 949k| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 635| 949k|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | | | 636| 949k|do { \ | | | | | | | | | | | | 637| 949k| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | | | 638| 949k| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | | | 639| 949k| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | | | 640| 949k| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | | | 641| 949k| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | | | 642| 949k| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | | | 643| 949k| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | | | 644| 949k| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | | | 645| 949k| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | | | 646| 949k|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (646:10): [Folded, False: 949k] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 667| 949k| \ | | | | | | | | | | 668| 949k| _hj_key += 12; \ | | | | | | | | | | 669| 949k| _hj_k -= 12U; \ | | | | | | | | | | 670| 949k| } \ | | | | | | | | | | 671| 1.91M| hashv += (unsigned)(keylen); \ | | | | | | | | | | 672| 1.91M| switch ( _hj_k ) { \ | | | | | | | | | | 673| 307k| case 11: hashv += ( (unsigned)_hj_key[10] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (673:5): [True: 307k, False: 1.61M] | | | | | | | | | | ------------------ | | | | | | | | | | 674| 539k| case 10: hashv += ( (unsigned)_hj_key[9] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (674:5): [True: 232k, False: 1.68M] | | | | | | | | | | ------------------ | | | | | | | | | | 675| 845k| case 
9: hashv += ( (unsigned)_hj_key[8] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (675:5): [True: 306k, False: 1.61M] | | | | | | | | | | ------------------ | | | | | | | | | | 676| 1.14M| case 8: _hj_j += ( (unsigned)_hj_key[7] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (676:5): [True: 294k, False: 1.62M] | | | | | | | | | | ------------------ | | | | | | | | | | 677| 1.28M| case 7: _hj_j += ( (unsigned)_hj_key[6] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (677:5): [True: 140k, False: 1.77M] | | | | | | | | | | ------------------ | | | | | | | | | | 678| 1.34M| case 6: _hj_j += ( (unsigned)_hj_key[5] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (678:5): [True: 61.4k, False: 1.85M] | | | | | | | | | | ------------------ | | | | | | | | | | 679| 1.35M| case 5: _hj_j += _hj_key[4]; /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (679:5): [True: 12.5k, False: 1.90M] | | | | | | | | | | ------------------ | | | | | | | | | | 680| 1.38M| case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (680:5): [True: 30.7k, False: 1.88M] | | | | | | | | | | ------------------ | | | | | | | | | | 681| 1.41M| case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (681:5): [True: 31.4k, False: 1.88M] | | | | | | | | | | ------------------ | | | | | | | | | | 682| 1.55M| case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (682:5): [True: 140k, False: 1.77M] | | | | | | | | | | ------------------ | | | | | | | | | | 683| 1.65M| case 1: _hj_i += _hj_key[0]; /* FALLTHROUGH */ \ | | | | | | | | | | 
------------------ | | | | | | | | | | | Branch (683:5): [True: 93.9k, False: 1.82M] | | | | | | | | | | ------------------ | | | | | | | | | | 684| 1.91M| default: ; \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (684:5): [True: 267k, False: 1.65M] | | | | | | | | | | ------------------ | | | | | | | | | | 685| 1.91M| } \ | | | | | | | | | | 686| 1.91M| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 635| 1.91M|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | | | 636| 1.91M|do { \ | | | | | | | | | | | | 637| 1.91M| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | | | 638| 1.91M| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | | | 639| 1.91M| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | | | 640| 1.91M| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | | | 641| 1.91M| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | | | 642| 1.91M| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | | | 643| 1.91M| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | | | 644| 1.91M| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | | | 645| 1.91M| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | | | 646| 1.91M|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (646:10): [Folded, False: 1.91M] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 687| 1.91M|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (687:10): [Folded, False: 1.91M] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 152| 1.91M|} while (0) | | | | | | ------------------ | | | | | | | Branch (152:10): [Folded, False: 1.91M] | | | | | | ------------------ | | | | ------------------ | | | | 422| 1.91M| HASH_ADD_KEYPTR_BYHASHVALUE(hh, head, keyptr, keylen_in, _ha_hashv, add); \ | | | | ------------------ | | 
| | | | 397| 1.91M|#define HASH_ADD_KEYPTR_BYHASHVALUE(hh,head,keyptr,keylen_in,hashval,add) \ | | | | | | 398| 1.91M|do { \ | | | | | | 399| 1.91M| IF_HASH_NONFATAL_OOM( int _ha_oomed = 0; ) \ | | | | | | ------------------ | | | | | | | | 115| 1.91M|#define IF_HASH_NONFATAL_OOM(x) x | | | | | | ------------------ | | | | | | 400| 1.91M| (add)->hh.hashv = (hashval); \ | | | | | | 401| 1.91M| (add)->hh.key = (const void*) (keyptr); \ | | | | | | 402| 1.91M| (add)->hh.keylen = (unsigned) (keylen_in); \ | | | | | | 403| 1.91M| if (!(head)) { \ | | | | | | ------------------ | | | | | | | Branch (403:7): [True: 15.4k, False: 1.90M] | | | | | | ------------------ | | | | | | 404| 15.4k| (add)->hh.next = NULL; \ | | | | | | 405| 15.4k| (add)->hh.prev = NULL; \ | | | | | | 406| 15.4k| HASH_MAKE_TABLE(hh, add, _ha_oomed); \ | | | | | | ------------------ | | | | | | | | 213| 15.4k|#define HASH_MAKE_TABLE(hh,head,oomed) \ | | | | | | | | 214| 15.4k|do { \ | | | | | | | | 215| 15.4k| (head)->hh.tbl = (UT_hash_table*)uthash_malloc(sizeof(UT_hash_table)); \ | | | | | | | | ------------------ | | | | | | | | | | 76| 15.4k|#define uthash_malloc(sz) ndpi_malloc(sz) /* malloc fcn */ | | | | | | | | ------------------ | | | | | | | | 216| 15.4k| if (!(head)->hh.tbl) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (216:7): [True: 1.22k, False: 14.2k] | | | | | | | | ------------------ | | | | | | | | 217| 1.22k| HASH_RECORD_OOM(oomed); \ | | | | | | | | ------------------ | | | | | | | | | | 114| 1.22k|#define HASH_RECORD_OOM(oomed) do { (oomed) = 1; } while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (114:59): [Folded, False: 1.22k] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 218| 14.2k| } else { \ | | | | | | | | 219| 14.2k| uthash_bzero((head)->hh.tbl, sizeof(UT_hash_table)); \ | | | | | | | | ------------------ | | | | | | | | | | 82| 14.2k|#define uthash_bzero(a,n) memset(a,'\0',n) | | | 
| | | | | ------------------ | | | | | | | | 220| 14.2k| (head)->hh.tbl->tail = &((head)->hh); \ | | | | | | | | 221| 14.2k| (head)->hh.tbl->num_buckets = HASH_INITIAL_NUM_BUCKETS; \ | | | | | | | | ------------------ | | | | | | | | | | 130| 14.2k|#define HASH_INITIAL_NUM_BUCKETS 32U /* initial number of buckets */ | | | | | | | | ------------------ | | | | | | | | 222| 14.2k| (head)->hh.tbl->log2_num_buckets = HASH_INITIAL_NUM_BUCKETS_LOG2; \ | | | | | | | | ------------------ | | | | | | | | | | 131| 14.2k|#define HASH_INITIAL_NUM_BUCKETS_LOG2 5U /* lg2 of initial number of buckets */ | | | | | | | | ------------------ | | | | | | | | 223| 14.2k| (head)->hh.tbl->hho = (char*)(&(head)->hh) - (char*)(head); \ | | | | | | | | 224| 14.2k| (head)->hh.tbl->buckets = (UT_hash_bucket*)uthash_malloc( \ | | | | | | | | ------------------ | | | | | | | | | | 76| 14.2k|#define uthash_malloc(sz) ndpi_malloc(sz) /* malloc fcn */ | | | | | | | | ------------------ | | | | | | | | 225| 14.2k| HASH_INITIAL_NUM_BUCKETS * sizeof(struct UT_hash_bucket)); \ | | | | | | | | 226| 14.2k| (head)->hh.tbl->signature = HASH_SIGNATURE; \ | | | | | | | | ------------------ | | | | | | | | | | 1091| 14.2k|#define HASH_SIGNATURE 0xa0111fe1u | | | | | | | | ------------------ | | | | | | | | 227| 14.2k| if (!(head)->hh.tbl->buckets) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (227:9): [True: 944, False: 13.2k] | | | | | | | | ------------------ | | | | | | | | 228| 944| HASH_RECORD_OOM(oomed); \ | | | | | | | | ------------------ | | | | | | | | | | 114| 944|#define HASH_RECORD_OOM(oomed) do { (oomed) = 1; } while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (114:59): [Folded, False: 944] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 229| 944| uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \ | | | | | | | | ------------------ | | | | | | | | | | 79| 944|#define uthash_free(ptr,sz) ndpi_free(ptr) /* 
free fcn */ | | | | | | | | ------------------ | | | | | | | | 230| 13.2k| } else { \ | | | | | | | | 231| 13.2k| uthash_bzero((head)->hh.tbl->buckets, \ | | | | | | | | ------------------ | | | | | | | | | | 82| 13.2k|#define uthash_bzero(a,n) memset(a,'\0',n) | | | | | | | | ------------------ | | | | | | | | 232| 13.2k| HASH_INITIAL_NUM_BUCKETS * sizeof(struct UT_hash_bucket)); \ | | | | | | | | 233| 13.2k| HASH_BLOOM_MAKE((head)->hh.tbl, oomed); \ | | | | | | | | 234| 13.2k| IF_HASH_NONFATAL_OOM( \ | | | | | | | | ------------------ | | | | | | | | | | 115| 26.5k|#define IF_HASH_NONFATAL_OOM(x) x | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (115:33): [True: 0, False: 13.2k] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 235| 13.2k| if (oomed) { \ | | | | | | | | 236| 13.2k| uthash_free((head)->hh.tbl->buckets, \ | | | | | | | | 237| 13.2k| HASH_INITIAL_NUM_BUCKETS*sizeof(struct UT_hash_bucket)); \ | | | | | | | | 238| 13.2k| uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \ | | | | | | | | 239| 13.2k| } \ | | | | | | | | 240| 13.2k| ) \ | | | | | | | | 241| 13.2k| } \ | | | | | | | | 242| 14.2k| } \ | | | | | | | | 243| 15.4k|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (243:10): [Folded, False: 15.4k] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 407| 15.4k| IF_HASH_NONFATAL_OOM( if (!_ha_oomed) { ) \ | | | | | | ------------------ | | | | | | | | 115| 28.6k|#define IF_HASH_NONFATAL_OOM(x) x | | | | | | | | ------------------ | | | | | | | | | Branch (115:33): [True: 13.2k, False: 2.16k] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 408| 13.2k| (head) = (add); \ | | | | | | 409| 13.2k| IF_HASH_NONFATAL_OOM( } ) \ | | | | | | ------------------ | | | | | | | | 115| 28.6k|#define IF_HASH_NONFATAL_OOM(x) x | | | | | | ------------------ | | | | | | 410| 1.90M| } else { \ | | | | | | 411| 1.90M| 
(add)->hh.tbl = (head)->hh.tbl; \ | | | | | | 412| 1.90M| HASH_APPEND_LIST(hh, head, add); \ | | | | | | ------------------ | | | | | | | | 279| 1.90M|#define HASH_APPEND_LIST(hh, head, add) \ | | | | | | | | 280| 1.90M|do { \ | | | | | | | | 281| 1.90M| (add)->hh.next = NULL; \ | | | | | | | | 282| 1.90M| (add)->hh.prev = ELMT_FROM_HH((head)->hh.tbl, (head)->hh.tbl->tail); \ | | | | | | | | ------------------ | | | | | | | | | | 135| 1.90M|#define ELMT_FROM_HH(tbl,hhp) ((void*)(((char*)(hhp)) - ((tbl)->hho))) | | | | | | | | ------------------ | | | | | | | | 283| 1.90M| (head)->hh.tbl->tail->next = (add); \ | | | | | | | | 284| 1.90M| (head)->hh.tbl->tail = &((add)->hh); \ | | | | | | | | 285| 1.90M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (285:10): [Folded, False: 1.90M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 413| 1.90M| } \ | | | | | | 414| 1.91M| HASH_ADD_TO_TABLE(hh, head, keyptr, keylen_in, hashval, add, _ha_oomed); \ | | | | | | ------------------ | | | | | | | | 314| 1.91M|#define HASH_ADD_TO_TABLE(hh,head,keyptr,keylen_in,hashval,add,oomed) \ | | | | | | | | 315| 1.91M|do { \ | | | | | | | | 316| 1.91M| if (!(oomed)) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (316:7): [True: 1.91M, False: 2.16k] | | | | | | | | ------------------ | | | | | | | | 317| 1.91M| unsigned _ha_bkt; \ | | | | | | | | 318| 1.91M| (head)->hh.tbl->num_items++; \ | | | | | | | | 319| 1.91M| HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _ha_bkt); \ | | | | | | | | ------------------ | | | | | | | | | | 431| 1.91M|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | | | | | 432| 1.91M|do { \ | | | | | | | | | | 433| 1.91M| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | | | | | 434| 1.91M|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (434:10): [Folded, False: 1.91M] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 
320| 1.91M| HASH_ADD_TO_BKT((head)->hh.tbl->buckets[_ha_bkt], hh, &(add)->hh, oomed); \ | | | | | | | | ------------------ | | | | | | | | | | 768| 1.91M|#define HASH_ADD_TO_BKT(head,hh,addhh,oomed) \ | | | | | | | | | | 769| 1.91M|do { \ | | | | | | | | | | 770| 1.91M| UT_hash_bucket *_ha_head = &(head); \ | | | | | | | | | | 771| 1.91M| _ha_head->count++; \ | | | | | | | | | | 772| 1.91M| (addhh)->hh_next = _ha_head->hh_head; \ | | | | | | | | | | 773| 1.91M| (addhh)->hh_prev = NULL; \ | | | | | | | | | | 774| 1.91M| if (_ha_head->hh_head != NULL) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (774:7): [True: 1.51M, False: 400k] | | | | | | | | | | ------------------ | | | | | | | | | | 775| 1.51M| _ha_head->hh_head->hh_prev = (addhh); \ | | | | | | | | | | 776| 1.51M| } \ | | | | | | | | | | 777| 1.91M| _ha_head->hh_head = (addhh); \ | | | | | | | | | | 778| 1.91M| if ((_ha_head->count >= ((_ha_head->expand_mult + 1U) * HASH_BKT_CAPACITY_THRESH)) \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 132| 1.91M|#define HASH_BKT_CAPACITY_THRESH 10U /* expand when bucket count reaches */ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (778:7): [True: 7.63k, False: 1.90M] | | | | | | | | | | ------------------ | | | | | | | | | | 779| 1.91M| && !(addhh)->tbl->noexpand) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (779:10): [True: 7.63k, False: 0] | | | | | | | | | | ------------------ | | | | | | | | | | 780| 7.63k| HASH_EXPAND_BUCKETS(addhh,(addhh)->tbl, oomed); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 834| 7.63k|#define HASH_EXPAND_BUCKETS(hh,tbl,oomed) \ | | | | | | | | | | | | 835| 7.63k|do { \ | | | | | | | | | | | | 836| 7.63k| unsigned _he_bkt; \ | | | | | | | | | | | | 837| 7.63k| unsigned _he_bkt_i; \ | | | | | | | | | | | | 838| 7.63k| struct UT_hash_handle *_he_thh, *_he_hh_nxt; \ | | | | | | | | | | | | 839| 7.63k| UT_hash_bucket *_he_new_buckets, 
*_he_newbkt; \ | | | | | | | | | | | | 840| 7.63k| _he_new_buckets = (UT_hash_bucket*)uthash_malloc( \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 76| 7.63k|#define uthash_malloc(sz) ndpi_malloc(sz) /* malloc fcn */ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 841| 7.63k| sizeof(struct UT_hash_bucket) * (tbl)->num_buckets * 2U); \ | | | | | | | | | | | | 842| 7.63k| if (!_he_new_buckets) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (842:7): [True: 638, False: 6.99k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 843| 638| HASH_RECORD_OOM(oomed); \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 114| 638|#define HASH_RECORD_OOM(oomed) do { (oomed) = 1; } while (0) | | | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | | Branch (114:59): [Folded, False: 638] | | | | | | | | | | | | | | ------------------ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 844| 6.99k| } else { \ | | | | | | | | | | | | 845| 6.99k| uthash_bzero(_he_new_buckets, \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 82| 6.99k|#define uthash_bzero(a,n) memset(a,'\0',n) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 846| 6.99k| sizeof(struct UT_hash_bucket) * (tbl)->num_buckets * 2U); \ | | | | | | | | | | | | 847| 6.99k| (tbl)->ideal_chain_maxlen = \ | | | | | | | | | | | | 848| 6.99k| ((tbl)->num_items >> ((tbl)->log2_num_buckets+1U)) + \ | | | | | | | | | | | | 849| 6.99k| ((((tbl)->num_items & (((tbl)->num_buckets*2U)-1U)) != 0U) ? 
1U : 0U); \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (849:9): [True: 6.80k, False: 192] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 850| 6.99k| (tbl)->nonideal_items = 0; \ | | | | | | | | | | | | 851| 230k| for (_he_bkt_i = 0; _he_bkt_i < (tbl)->num_buckets; _he_bkt_i++) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (851:25): [True: 223k, False: 6.99k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 852| 223k| _he_thh = (tbl)->buckets[ _he_bkt_i ].hh_head; \ | | | | | | | | | | | | 853| 1.25M| while (_he_thh != NULL) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (853:14): [True: 1.02M, False: 223k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 854| 1.02M| _he_hh_nxt = _he_thh->hh_next; \ | | | | | | | | | | | | 855| 1.02M| HASH_TO_BKT(_he_thh->hashv, (tbl)->num_buckets * 2U, _he_bkt); \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 431| 1.02M|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | | | | | | | | | 432| 1.02M|do { \ | | | | | | | | | | | | | | 433| 1.02M| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | | | | | | | | | 434| 1.02M|} while (0) | | | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | | Branch (434:10): [Folded, False: 1.02M] | | | | | | | | | | | | | | ------------------ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 856| 1.02M| _he_newbkt = &(_he_new_buckets[_he_bkt]); \ | | | | | | | | | | | | 857| 1.02M| if (++(_he_newbkt->count) > (tbl)->ideal_chain_maxlen) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (857:13): [True: 144k, False: 882k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 858| 144k| (tbl)->nonideal_items++; \ | | | | | | | | | | | | 859| 144k| if (_he_newbkt->count > _he_newbkt->expand_mult * (tbl)->ideal_chain_maxlen) { \ | | | | | | | | | | 
| | ------------------ | | | | | | | | | | | | | Branch (859:15): [True: 136k, False: 8.42k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 860| 136k| _he_newbkt->expand_mult++; \ | | | | | | | | | | | | 861| 136k| } \ | | | | | | | | | | | | 862| 144k| } \ | | | | | | | | | | | | 863| 1.02M| _he_thh->hh_prev = NULL; \ | | | | | | | | | | | | 864| 1.02M| _he_thh->hh_next = _he_newbkt->hh_head; \ | | | | | | | | | | | | 865| 1.02M| if (_he_newbkt->hh_head != NULL) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (865:13): [True: 622k, False: 404k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 866| 622k| _he_newbkt->hh_head->hh_prev = _he_thh; \ | | | | | | | | | | | | 867| 622k| } \ | | | | | | | | | | | | 868| 1.02M| _he_newbkt->hh_head = _he_thh; \ | | | | | | | | | | | | 869| 1.02M| _he_thh = _he_hh_nxt; \ | | | | | | | | | | | | 870| 1.02M| } \ | | | | | | | | | | | | 871| 223k| } \ | | | | | | | | | | | | 872| 6.99k| uthash_free((tbl)->buckets, (tbl)->num_buckets * sizeof(struct UT_hash_bucket)); \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 79| 6.99k|#define uthash_free(ptr,sz) ndpi_free(ptr) /* free fcn */ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 873| 6.99k| (tbl)->num_buckets *= 2U; \ | | | | | | | | | | | | 874| 6.99k| (tbl)->log2_num_buckets++; \ | | | | | | | | | | | | 875| 6.99k| (tbl)->buckets = _he_new_buckets; \ | | | | | | | | | | | | 876| 6.99k| (tbl)->ineff_expands = ((tbl)->nonideal_items > ((tbl)->num_items >> 1)) ? 
\ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (876:28): [True: 0, False: 6.99k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 877| 6.99k| ((tbl)->ineff_expands+1U) : 0U; \ | | | | | | | | | | | | 878| 6.99k| if ((tbl)->ineff_expands > 1U) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (878:9): [True: 0, False: 6.99k] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 879| 0| (tbl)->noexpand = 1; \ | | | | | | | | | | | | 880| 0| uthash_noexpand_fyi(tbl); \ | | | | | | | | | | | | 881| 0| } \ | | | | | | | | | | | | 882| 6.99k| uthash_expand_fyi(tbl); \ | | | | | | | | | | | | 883| 6.99k| } \ | | | | | | | | | | | | 884| 7.63k|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (884:10): [Folded, False: 7.63k] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 781| 7.63k| IF_HASH_NONFATAL_OOM( \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 115| 20.3k|#define IF_HASH_NONFATAL_OOM(x) x | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (115:33): [True: 638, False: 0] | | | | | | | | | | | | | Branch (115:33): [True: 0, False: 638] | | | | | | | | | | | | | Branch (115:33): [True: 638, False: 0] | | | | | | | | | | | | | Branch (115:33): [Folded, False: 638] | | | | | | | | | | | | | Branch (115:33): [True: 638, False: 6.99k] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 782| 7.63k| if (oomed) { \ | | | | | | | | | | 783| 7.63k| HASH_DEL_IN_BKT(head,addhh); \ | | | | | | | | | | 784| 7.63k| } \ | | | | | | | | | | 785| 7.63k| ) \ | | | | | | | | | | 786| 7.63k| } \ | | | | | | | | | | 787| 1.91M|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (787:10): [Folded, False: 1.91M] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | 
| | | | 321| 1.91M| if (oomed) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (321:9): [True: 638, False: 1.91M] | | | | | | | | ------------------ | | | | | | | | 322| 638| HASH_ROLLBACK_BKT(hh, head, &(add)->hh); \ | | | | | | | | ------------------ | | | | | | | | | | 139| 638|#define HASH_ROLLBACK_BKT(hh, head, itemptrhh) \ | | | | | | | | | | 140| 638|do { \ | | | | | | | | | | 141| 638| struct UT_hash_handle *_hd_hh_item = (itemptrhh); \ | | | | | | | | | | 142| 638| unsigned _hd_bkt; \ | | | | | | | | | | 143| 638| HASH_TO_BKT(_hd_hh_item->hashv, (head)->hh.tbl->num_buckets, _hd_bkt); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 431| 638|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | | | | | | | 432| 638|do { \ | | | | | | | | | | | | 433| 638| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | | | | | | | 434| 638|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (434:10): [Folded, False: 638] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 144| 638| (head)->hh.tbl->buckets[_hd_bkt].count++; \ | | | | | | | | | | 145| 638| _hd_hh_item->hh_next = NULL; \ | | | | | | | | | | 146| 638| _hd_hh_item->hh_prev = NULL; \ | | | | | | | | | | 147| 638|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (147:10): [Folded, False: 638] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 323| 638| HASH_DELETE_HH(hh, head, &(add)->hh); \ | | | | | | | | ------------------ | | | | | | | | | | 451| 638|#define HASH_DELETE_HH(hh,head,delptrhh) \ | | | | | | | | | | 452| 638|do { \ | | | | | | | | | | 453| 638| struct UT_hash_handle *_hd_hh_del = (delptrhh); \ | | | | | | | | | | 454| 638| if ((_hd_hh_del->prev == NULL) && (_hd_hh_del->next == NULL)) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (454:7): [True: 0, False: 638] | | | | | | | | | | | 
Branch (454:37): [True: 0, False: 0] | | | | | | | | | | ------------------ | | | | | | | | | | 455| 0| HASH_BLOOM_FREE((head)->hh.tbl); \ | | | | | | | | | | 456| 0| uthash_free((head)->hh.tbl->buckets, \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 79| 0|#define uthash_free(ptr,sz) ndpi_free(ptr) /* free fcn */ | | | | | | | | | | ------------------ | | | | | | | | | | 457| 0| (head)->hh.tbl->num_buckets * sizeof(struct UT_hash_bucket)); \ | | | | | | | | | | 458| 0| uthash_free((head)->hh.tbl, sizeof(UT_hash_table)); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 79| 0|#define uthash_free(ptr,sz) ndpi_free(ptr) /* free fcn */ | | | | | | | | | | ------------------ | | | | | | | | | | 459| 0| (head) = NULL; \ | | | | | | | | | | 460| 638| } else { \ | | | | | | | | | | 461| 638| unsigned _hd_bkt; \ | | | | | | | | | | 462| 638| if (_hd_hh_del == (head)->hh.tbl->tail) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (462:9): [True: 638, False: 0] | | | | | | | | | | ------------------ | | | | | | | | | | 463| 638| (head)->hh.tbl->tail = HH_FROM_ELMT((head)->hh.tbl, _hd_hh_del->prev); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 137| 638|#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho))) | | | | | | | | | | ------------------ | | | | | | | | | | 464| 638| } \ | | | | | | | | | | 465| 638| if (_hd_hh_del->prev != NULL) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (465:9): [True: 638, False: 0] | | | | | | | | | | ------------------ | | | | | | | | | | 466| 638| HH_FROM_ELMT((head)->hh.tbl, _hd_hh_del->prev)->next = _hd_hh_del->next; \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 137| 638|#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho))) | | | | | | | | | | ------------------ | | | | | | | | | | 467| 638| } else { \ | | | | | | | | | | 468| 0| DECLTYPE_ASSIGN(head, 
_hd_hh_del->next); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 69| 0|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | | | | | 70| 0|do { \ | | | | | | | | | | | | 71| 0| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 57| 0|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 72| 0|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (72:10): [Folded, False: 0] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 469| 0| } \ | | | | | | | | | | 470| 638| if (_hd_hh_del->next != NULL) { \ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (470:9): [True: 0, False: 638] | | | | | | | | | | ------------------ | | | | | | | | | | 471| 0| HH_FROM_ELMT((head)->hh.tbl, _hd_hh_del->next)->prev = _hd_hh_del->prev; \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 137| 0|#define HH_FROM_ELMT(tbl,elp) ((UT_hash_handle*)(void*)(((char*)(elp)) + ((tbl)->hho))) | | | | | | | | | | ------------------ | | | | | | | | | | 472| 0| } \ | | | | | | | | | | 473| 638| HASH_TO_BKT(_hd_hh_del->hashv, (head)->hh.tbl->num_buckets, _hd_bkt); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 431| 638|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | | | | | | | 432| 638|do { \ | | | | | | | | | | | | 433| 638| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | | | | | | | 434| 638|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (434:10): [Folded, False: 638] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 474| 638| HASH_DEL_IN_BKT((head)->hh.tbl->buckets[_hd_bkt], _hd_hh_del); \ | | | | | | | | | | ------------------ | | | | | | | | | | | | 790| 638|#define HASH_DEL_IN_BKT(head,delhh) \ | | | | | | | | | | | | 791| 638|do { \ | | | | | | | | | | 
| | 792| 638| UT_hash_bucket *_hd_head = &(head); \ | | | | | | | | | | | | 793| 638| _hd_head->count--; \ | | | | | | | | | | | | 794| 638| if (_hd_head->hh_head == (delhh)) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (794:7): [True: 0, False: 638] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 795| 0| _hd_head->hh_head = (delhh)->hh_next; \ | | | | | | | | | | | | 796| 0| } \ | | | | | | | | | | | | 797| 638| if ((delhh)->hh_prev) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (797:7): [True: 0, False: 638] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 798| 0| (delhh)->hh_prev->hh_next = (delhh)->hh_next; \ | | | | | | | | | | | | 799| 0| } \ | | | | | | | | | | | | 800| 638| if ((delhh)->hh_next) { \ | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (800:7): [True: 0, False: 638] | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 801| 0| (delhh)->hh_next->hh_prev = (delhh)->hh_prev; \ | | | | | | | | | | | | 802| 0| } \ | | | | | | | | | | | | 803| 638|} while (0) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | Branch (803:10): [Folded, False: 638] | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | | | 475| 638| (head)->hh.tbl->num_items--; \ | | | | | | | | | | 476| 638| } \ | | | | | | | | | | 477| 638| HASH_FSCK(hh, head, "HASH_DELETE_HH"); \ | | | | | | | | | | 478| 638|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (478:10): [Folded, False: 638] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 324| 638| (add)->hh.tbl = NULL; \ | | | | | | | | 325| 638| uthash_nonfatal_oom(add); \ | | | | | | | | ------------------ | | | | | | | | | | 111| 638|#define uthash_nonfatal_oom(obj) do {} while (0) /* non-fatal OOM error */ | | | | | | | | | | ------------------ | | | | | | | 
| | | | Branch (111:47): [Folded, False: 638] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 326| 1.91M| } else { \ | | | | | | | | 327| 1.91M| HASH_BLOOM_ADD((head)->hh.tbl, hashval); \ | | | | | | | | 328| 1.91M| HASH_EMIT_KEY(hh, head, keyptr, keylen_in); \ | | | | | | | | 329| 1.91M| } \ | | | | | | | | 330| 1.91M| } else { \ | | | | | | | | 331| 2.16k| (add)->hh.tbl = NULL; \ | | | | | | | | 332| 2.16k| uthash_nonfatal_oom(add); \ | | | | | | | | ------------------ | | | | | | | | | | 111| 2.16k|#define uthash_nonfatal_oom(obj) do {} while (0) /* non-fatal OOM error */ | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (111:47): [Folded, False: 2.16k] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 333| 2.16k| } \ | | | | | | | | 334| 1.91M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (334:10): [Folded, False: 1.91M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 415| 1.91M| HASH_FSCK(hh, head, "HASH_ADD_KEYPTR_BYHASHVALUE"); \ | | | | | | 416| 1.91M|} while (0) | | | | | | ------------------ | | | | | | | Branch (416:10): [Folded, False: 1.91M] | | | | | | ------------------ | | | | ------------------ | | | | 423| 1.91M|} while (0) | | | | ------------------ | | | | | Branch (423:10): [Folded, False: 1.91M] | | | | ------------------ | | ------------------ ------------------ 3233| | 3234| 1.91M| HASH_FIND(hh, *(ndpi_str_hash_priv **)&((*h)->priv), key, key_len, ret_found); ------------------ | | 166| 1.91M|#define HASH_FIND(hh,head,keyptr,keylen,out) \ | | 167| 1.91M|do { \ | | 168| 1.91M| (out) = NULL; \ | | 169| 1.91M| if (head) { \ | | ------------------ | | | Branch (169:7): [True: 1.91M, False: 2.16k] | | ------------------ | | 170| 1.91M| unsigned _hf_hashv; \ | | 171| 1.91M| HASH_VALUE(keyptr, keylen, _hf_hashv); \ | | ------------------ | | | | 149| 1.91M|#define HASH_VALUE(keyptr,keylen,hashv) 
\ | | | | 150| 1.91M|do { \ | | | | 151| 1.91M| HASH_FUNCTION(keyptr, keylen, hashv); \ | | | | ------------------ | | | | | | 89| 1.91M|#define HASH_FUNCTION(keyptr,keylen,hashv) HASH_JEN(keyptr, keylen, hashv) | | | | | | ------------------ | | | | | | | | 648| 1.91M|#define HASH_JEN(key,keylen,hashv) \ | | | | | | | | 649| 1.91M|do { \ | | | | | | | | 650| 1.91M| unsigned _hj_i,_hj_j,_hj_k; \ | | | | | | | | 651| 1.91M| unsigned const char *_hj_key=(unsigned const char*)(key); \ | | | | | | | | 652| 1.91M| hashv = 0xfeedbeefu; \ | | | | | | | | 653| 1.91M| _hj_i = _hj_j = 0x9e3779b9u; \ | | | | | | | | 654| 1.91M| _hj_k = (unsigned)(keylen); \ | | | | | | | | 655| 2.86M| while (_hj_k >= 12U) { \ | | | | | | | | ------------------ | | | | | | | | | Branch (655:10): [True: 948k, False: 1.91M] | | | | | | | | ------------------ | | | | | | | | 656| 948k| _hj_i += (_hj_key[0] + ( (unsigned)_hj_key[1] << 8 ) \ | | | | | | | | 657| 948k| + ( (unsigned)_hj_key[2] << 16 ) \ | | | | | | | | 658| 948k| + ( (unsigned)_hj_key[3] << 24 ) ); \ | | | | | | | | 659| 948k| _hj_j += (_hj_key[4] + ( (unsigned)_hj_key[5] << 8 ) \ | | | | | | | | 660| 948k| + ( (unsigned)_hj_key[6] << 16 ) \ | | | | | | | | 661| 948k| + ( (unsigned)_hj_key[7] << 24 ) ); \ | | | | | | | | 662| 948k| hashv += (_hj_key[8] + ( (unsigned)_hj_key[9] << 8 ) \ | | | | | | | | 663| 948k| + ( (unsigned)_hj_key[10] << 16 ) \ | | | | | | | | 664| 948k| + ( (unsigned)_hj_key[11] << 24 ) ); \ | | | | | | | | 665| 948k| \ | | | | | | | | 666| 948k| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | ------------------ | | | | | | | | | | 635| 948k|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | 636| 948k|do { \ | | | | | | | | | | 637| 948k| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | 638| 948k| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | 639| 948k| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | 640| 948k| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | 641| 948k| b -= c; 
b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | 642| 948k| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | 643| 948k| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | 644| 948k| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | 645| 948k| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | 646| 948k|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (646:10): [Folded, False: 948k] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 667| 948k| \ | | | | | | | | 668| 948k| _hj_key += 12; \ | | | | | | | | 669| 948k| _hj_k -= 12U; \ | | | | | | | | 670| 948k| } \ | | | | | | | | 671| 1.91M| hashv += (unsigned)(keylen); \ | | | | | | | | 672| 1.91M| switch ( _hj_k ) { \ | | | | | | | | 673| 305k| case 11: hashv += ( (unsigned)_hj_key[10] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (673:5): [True: 305k, False: 1.61M] | | | | | | | | ------------------ | | | | | | | | 674| 537k| case 10: hashv += ( (unsigned)_hj_key[9] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (674:5): [True: 232k, False: 1.68M] | | | | | | | | ------------------ | | | | | | | | 675| 843k| case 9: hashv += ( (unsigned)_hj_key[8] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (675:5): [True: 306k, False: 1.60M] | | | | | | | | ------------------ | | | | | | | | 676| 1.13M| case 8: _hj_j += ( (unsigned)_hj_key[7] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (676:5): [True: 294k, False: 1.62M] | | | | | | | | ------------------ | | | | | | | | 677| 1.27M| case 7: _hj_j += ( (unsigned)_hj_key[6] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (677:5): [True: 139k, False: 1.77M] | | | | | | | | ------------------ | | | | | | | | 678| 1.34M| case 6: _hj_j += ( (unsigned)_hj_key[5] << 8 ); /* FALLTHROUGH */ \ 
| | | | | | | | ------------------ | | | | | | | | | Branch (678:5): [True: 61.4k, False: 1.85M] | | | | | | | | ------------------ | | | | | | | | 679| 1.35M| case 5: _hj_j += _hj_key[4]; /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (679:5): [True: 12.5k, False: 1.90M] | | | | | | | | ------------------ | | | | | | | | 680| 1.38M| case 4: _hj_i += ( (unsigned)_hj_key[3] << 24 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (680:5): [True: 30.7k, False: 1.88M] | | | | | | | | ------------------ | | | | | | | | 681| 1.41M| case 3: _hj_i += ( (unsigned)_hj_key[2] << 16 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (681:5): [True: 31.4k, False: 1.88M] | | | | | | | | ------------------ | | | | | | | | 682| 1.55M| case 2: _hj_i += ( (unsigned)_hj_key[1] << 8 ); /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (682:5): [True: 140k, False: 1.77M] | | | | | | | | ------------------ | | | | | | | | 683| 1.64M| case 1: _hj_i += _hj_key[0]; /* FALLTHROUGH */ \ | | | | | | | | ------------------ | | | | | | | | | Branch (683:5): [True: 93.9k, False: 1.82M] | | | | | | | | ------------------ | | | | | | | | 684| 1.91M| default: ; \ | | | | | | | | ------------------ | | | | | | | | | Branch (684:5): [True: 267k, False: 1.64M] | | | | | | | | ------------------ | | | | | | | | 685| 1.91M| } \ | | | | | | | | 686| 1.91M| HASH_JEN_MIX(_hj_i, _hj_j, hashv); \ | | | | | | | | ------------------ | | | | | | | | | | 635| 1.91M|#define HASH_JEN_MIX(a,b,c) \ | | | | | | | | | | 636| 1.91M|do { \ | | | | | | | | | | 637| 1.91M| a -= b; a -= c; a ^= ( c >> 13 ); \ | | | | | | | | | | 638| 1.91M| b -= c; b -= a; b ^= ( a << 8 ); \ | | | | | | | | | | 639| 1.91M| c -= a; c -= b; c ^= ( b >> 13 ); \ | | | | | | | | | | 640| 1.91M| a -= b; a -= c; a ^= ( c >> 12 ); \ | | | | | | | | | | 641| 1.91M| b -= c; b -= a; b ^= ( a << 16 ); \ | | | | | | | | | | 
642| 1.91M| c -= a; c -= b; c ^= ( b >> 5 ); \ | | | | | | | | | | 643| 1.91M| a -= b; a -= c; a ^= ( c >> 3 ); \ | | | | | | | | | | 644| 1.91M| b -= c; b -= a; b ^= ( a << 10 ); \ | | | | | | | | | | 645| 1.91M| c -= a; c -= b; c ^= ( b >> 15 ); \ | | | | | | | | | | 646| 1.91M|} while (0) | | | | | | | | | | ------------------ | | | | | | | | | | | Branch (646:10): [Folded, False: 1.91M] | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | 687| 1.91M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (687:10): [Folded, False: 1.91M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | 152| 1.91M|} while (0) | | | | ------------------ | | | | | Branch (152:10): [Folded, False: 1.91M] | | | | ------------------ | | ------------------ | | 172| 1.91M| HASH_FIND_BYHASHVALUE(hh, head, keyptr, keylen, _hf_hashv, out); \ | | ------------------ | | | | 154| 1.91M|#define HASH_FIND_BYHASHVALUE(hh,head,keyptr,keylen,hashval,out) \ | | | | 155| 1.91M|do { \ | | | | 156| 1.91M| (out) = NULL; \ | | | | 157| 1.91M| if (head) { \ | | | | ------------------ | | | | | Branch (157:7): [True: 1.91M, False: 0] | | | | ------------------ | | | | 158| 1.91M| unsigned _hf_bkt; \ | | | | 159| 1.91M| HASH_TO_BKT(hashval, (head)->hh.tbl->num_buckets, _hf_bkt); \ | | | | ------------------ | | | | | | 431| 1.91M|#define HASH_TO_BKT(hashv,num_bkts,bkt) \ | | | | | | 432| 1.91M|do { \ | | | | | | 433| 1.91M| bkt = ((hashv) & ((num_bkts) - 1U)); \ | | | | | | 434| 1.91M|} while (0) | | | | | | ------------------ | | | | | | | Branch (434:10): [Folded, False: 1.91M] | | | | | | ------------------ | | | | ------------------ | | | | 160| 1.91M| if (HASH_BLOOM_TEST((head)->hh.tbl, hashval) != 0) { \ | | | | ------------------ | | | | | | 209| 1.91M|#define HASH_BLOOM_TEST(tbl,hashv) (1) | | | | ------------------ | | | | | Branch (160:9): [True: 1.91M, Folded] | | | | ------------------ | | | 
| 161| 1.91M| HASH_FIND_IN_BKT((head)->hh.tbl, hh, (head)->hh.tbl->buckets[ _hf_bkt ], keyptr, keylen, hashval, out); \ | | | | ------------------ | | | | | | 746| 1.91M|#define HASH_FIND_IN_BKT(tbl,hh,head,keyptr,keylen_in,hashval,out) \ | | | | | | 747| 1.91M|do { \ | | | | | | 748| 1.91M| if ((head).hh_head != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (748:7): [True: 1.91M, False: 0] | | | | | | ------------------ | | | | | | 749| 1.91M| DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (head).hh_head)); \ | | | | | | ------------------ | | | | | | | | 69| 1.91M|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 1.91M|do { \ | | | | | | | | 71| 1.91M| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 1.91M|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | ------------------ | | | | | | | | 72| 1.91M|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (72:10): [Folded, False: 1.91M] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 750| 1.91M| } else { \ | | | | | | 751| 0| (out) = NULL; \ | | | | | | 752| 0| } \ | | | | | | 753| 1.94M| while ((out) != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (753:10): [True: 1.94M, False: 638] | | | | | | ------------------ | | | | | | 754| 1.94M| if ((out)->hh.hashv == (hashval) && (out)->hh.keylen == (keylen_in)) { \ | | | | | | ------------------ | | | | | | | Branch (754:9): [True: 1.91M, False: 32.3k] | | | | | | | Branch (754:41): [True: 1.91M, False: 0] | | | | | | ------------------ | | | | | | 755| 1.91M| if (HASH_KEYCMP((out)->hh.key, keyptr, keylen_in) == 0) { \ | | | | | | ------------------ | | | | | | | | 93| 1.91M|#define HASH_KEYCMP(a,b,n) memcmp(a,b,n) | | | | | | ------------------ | | | | | | | Branch (755:11): [True: 1.91M, False: 0] | | | | | | ------------------ | | | | | | 756| 1.91M| break; \ | | | | | | 757| 1.91M| } \ | | | | | | 758| 1.91M| } \ | | | | | | 759| 1.94M| if 
((out)->hh.hh_next != NULL) { \ | | | | | | ------------------ | | | | | | | Branch (759:9): [True: 31.7k, False: 638] | | | | | | ------------------ | | | | | | 760| 31.7k| DECLTYPE_ASSIGN(out, ELMT_FROM_HH(tbl, (out)->hh.hh_next)); \ | | | | | | ------------------ | | | | | | | | 69| 31.7k|#define DECLTYPE_ASSIGN(dst,src) \ | | | | | | | | 70| 31.7k|do { \ | | | | | | | | 71| 31.7k| (dst) = DECLTYPE(dst)(src); \ | | | | | | | | ------------------ | | | | | | | | | | 57| 31.7k|#define DECLTYPE(x) (__typeof(x)) | | | | | | | | ------------------ | | | | | | | | 72| 31.7k|} while (0) | | | | | | | | ------------------ | | | | | | | | | Branch (72:10): [Folded, False: 31.7k] | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | 761| 31.7k| } else { \ | | | | | | 762| 638| (out) = NULL; \ | | | | | | 763| 638| } \ | | | | | | 764| 32.3k| } \ | | | | | | 765| 1.91M|} while (0) | | | | | | ------------------ | | | | | | | Branch (765:10): [Folded, False: 1.91M] | | | | | | ------------------ | | | | ------------------ | | | | 162| 1.91M| } \ | | | | 163| 1.91M| } \ | | | | 164| 1.91M|} while (0) | | | | ------------------ | | | | | Branch (164:10): [Folded, False: 1.91M] | | | | ------------------ | | ------------------ | | 173| 1.91M| } \ | | 174| 1.91M|} while (0) | | ------------------ | | | Branch (174:10): [Folded, False: 1.91M] | | ------------------ ------------------ 3235| 1.91M| if(ret_found == NULL) { ------------------ | Branch (3235:6): [True: 2.80k, False: 1.91M] ------------------ 3236| | /* The insertion failed (because of a memory allocation error) */ 3237| 2.80k| ndpi_free(item->key); 3238| 2.80k| ndpi_free(item); 3239| 2.80k| return 4; 3240| 2.80k| } 3241| | 3242| 1.91M| return 0; 3243| 1.91M|} ndpi_check_issuerdn_risk_exception: 3359| 1| char *issuerDN) { 3360| 1| if(issuerDN != NULL) { ------------------ | Branch (3360:6): [True: 1, False: 0] ------------------ 3361| 1| ndpi_list *head = ndpi_str->trusted_issuer_dn; 3362| | 
3363| 1| while(head != NULL) { ------------------ | Branch (3363:11): [True: 0, False: 1] ------------------ 3364| 0| if(strcmp(issuerDN, head->value) == 0) ------------------ | Branch (3364:10): [True: 0, False: 0] ------------------ 3365| 0| return(1); /* This is a trusted DN */ 3366| 0| else 3367| 0| head = head->next; 3368| 0| } 3369| 1| } 3370| | 3371| 1| return(0 /* no exception */); 3372| 1|} is_flowrisk_enabled: 3438| 45.8k|{ 3439| 45.8k| if(ndpi_bitmask_is_set(&ndpi_str->cfg.flowrisk_bitmask, flowrisk_id) == 0) ------------------ | Branch (3439:6): [True: 0, False: 45.8k] ------------------ 3440| 0| return 0; 3441| 45.8k| return 1; 3442| 45.8k|} is_flowrisk_info_enabled: 3447| 42.7k|{ 3448| 42.7k| if(ndpi_bitmask_is_set(&ndpi_str->cfg.flowrisk_info_bitmask, flowrisk_id) == 0) ------------------ | Branch (3448:6): [True: 0, False: 42.7k] ------------------ 3449| 0| return 0; 3450| 42.7k| return 1; 3451| 42.7k|} ndpi_handle_risk_exceptions: 3456| 4.16k| struct ndpi_flow_struct *flow) { 3457| 4.16k| if(flow->risk == 0) return; /* Nothing to do */ ------------------ | Branch (3457:6): [True: 0, False: 4.16k] ------------------ 3458| | 3459| 4.16k| if((!flow->host_risk_mask_evaluated) && (!flow->ip_risk_mask_evaluated)) ------------------ | Branch (3459:6): [True: 4.15k, False: 14] | Branch (3459:43): [True: 4.14k, False: 2] ------------------ 3460| 4.14k| flow->risk_mask = (u_int64_t)-1; /* No mask */ 3461| | 3462| 4.16k| if(!flow->host_risk_mask_evaluated) { ------------------ | Branch (3462:6): [True: 4.15k, False: 14] ------------------ 3463| 4.15k| char *host = ndpi_get_flow_name(flow); 3464| | 3465| 4.15k| if(host && (host[0] != '\0')) { ------------------ | Branch (3465:8): [True: 4.15k, False: 0] | Branch (3465:16): [True: 2.59k, False: 1.55k] ------------------ 3466| | /* Check host exception */ 3467| 2.59k| ndpi_check_hostname_risk_exception(ndpi_str, flow, host); 3468| | 3469| 2.59k| if(flow->risk_mask == 0) { ------------------ | Branch (3469:10): 
[True: 17, False: 2.57k] ------------------ 3470| 17| u_int i; 3471| | 3472| | /* 3473| | Might be that the exception applied when some risks 3474| | were already triggered: we need to clean them up 3475| | */ 3476| 59| for(i=0; i<flow->num_risk_infos; i++) { ------------------ | Branch (3476:11): [True: 42, False: 17] ------------------ 3477| 42| if(flow->risk_infos[i].info != NULL) { ------------------ | Branch (3477:7): [True: 41, False: 1] ------------------ 3478| 41| ndpi_free(flow->risk_infos[i].info); 3479| 41| flow->risk_infos[i].info = NULL; 3480| 41| } 3481| | 3482| 42| flow->risk_infos[i].id = NDPI_NO_RISK; 3483| 42| } 3484| | 3485| 17| flow->num_risk_infos = 0; 3486| 17| } 3487| | 3488| | /* Used to avoid double checks (e.g. in DNS req/rsp) */ 3489| 2.59k| flow->host_risk_mask_evaluated = 1; 3490| 2.59k| } 3491| 4.15k| } 3492| | 3493| 4.16k| if(!flow->ip_risk_mask_evaluated) { ------------------ | Branch (3493:6): [True: 4.14k, False: 16] ------------------ 3494| 4.14k| if(flow->is_ipv6 == 0) { ------------------ | Branch (3494:8): [True: 4.13k, False: 11] ------------------ 3495| 4.13k| ndpi_check_ipv4_exception(ndpi_str, flow, flow->c_address.v4 /* Client */); 3496| 4.13k| ndpi_check_ipv4_exception(ndpi_str, flow, flow->s_address.v4 /* Server */); 3497| 4.13k| } else { 3498| 11| ndpi_check_ipv6_exception(ndpi_str, flow, (struct in6_addr *)&flow->c_address.v6 /* Client */); 3499| 11| ndpi_check_ipv6_exception(ndpi_str, flow, (struct in6_addr *)&flow->s_address.v6 /* Server */); 3500| 11| } 3501| | 3502| 4.14k| flow->ip_risk_mask_evaluated = 1; 3503| 4.14k| } 3504| | 3505| 4.16k| flow->risk &= flow->risk_mask; 3506| 4.16k|} ndpi_set_risk: 3512| 36.2k| ndpi_risk_enum r, char *risk_message) { 3513| 36.2k| if(!flow) return; ------------------ | Branch (3513:6): [True: 0, False: 36.2k] ------------------ 3514| | 3515| 36.2k| if(!is_flowrisk_enabled(ndpi_str, r)) ------------------ | Branch (3515:6): [True: 0, False: 36.2k] ------------------ 3516| 0| return; 3517|
| 3518| | /* Check if the risk is not yet set */ 3519| 36.2k| if(!ndpi_isset_risk(flow, r)) { ------------------ | Branch (3519:6): [True: 27.0k, False: 9.20k] ------------------ 3520| 27.0k| ndpi_risk v = 1ull << r; 3521| | 3522| | /* In case there is an exception set, take it into account */ 3523| 27.0k| if(flow->host_risk_mask_evaluated) ------------------ | Branch (3523:8): [True: 959, False: 26.0k] ------------------ 3524| 959| v &= flow->risk_mask; 3525| | 3526| | // NDPI_SET_BIT(flow->risk, (u_int32_t)r); 3527| 27.0k| flow->risk |= v; 3528| | 3529| | /* Will be handled by ndpi_reconcile_protocols() */ 3530| | // ndpi_handle_risk_exceptions(ndpi_str, flow); 3531| | 3532| 27.0k| if(flow->risk != 0 /* check if it has been masked */) { ------------------ | Branch (3532:8): [True: 27.0k, False: 10] ------------------ 3533| 27.0k| if(is_flowrisk_info_enabled(ndpi_str, r) && ------------------ | Branch (3533:10): [True: 27.0k, False: 0] ------------------ 3534| 27.0k| risk_message != NULL) { ------------------ | Branch (3534:10): [True: 26.8k, False: 199] ------------------ 3535| 26.8k| if(flow->num_risk_infos < MAX_NUM_RISK_INFOS) { ------------------ | | 265| 26.8k|#define MAX_NUM_RISK_INFOS 8 ------------------ | Branch (3535:5): [True: 26.8k, False: 3] ------------------ 3536| 26.8k| char *s = ndpi_strdup(risk_message); 3537| | 3538| 26.8k| if(s != NULL) { ------------------ | Branch (3538:7): [True: 25.2k, False: 1.57k] ------------------ 3539| 25.2k| flow->risk_infos[flow->num_risk_infos].id = r; 3540| 25.2k| flow->risk_infos[flow->num_risk_infos].info = s; 3541| 25.2k| flow->num_risk_infos++; 3542| 25.2k| } 3543| 26.8k| } 3544| 26.8k| } 3545| 27.0k| } 3546| 27.0k| } else if(is_flowrisk_info_enabled(ndpi_str, r) && risk_message) { ------------------ | Branch (3546:13): [True: 9.20k, False: 0] | Branch (3546:54): [True: 9.20k, False: 0] ------------------ 3547| 9.20k| u_int8_t i; 3548| | 3549| 16.9k| for(i = 0; i < flow->num_risk_infos; i++) ------------------ 
| Branch (3549:16): [True: 16.7k, False: 139] ------------------ 3550| 16.7k| if(flow->risk_infos[i].id == r) { ------------------ | Branch (3550:10): [True: 9.06k, False: 7.70k] ------------------ 3551| 9.06k| if((flow->risk_infos[i].info != NULL) ------------------ | Branch (3551:5): [True: 8.93k, False: 127] ------------------ 3552| 8.93k| && (r != NDPI_SUSPICIOUS_ENTROPY /* Entropy changes when recomputed, so let's keep only one message */) ------------------ | Branch (3552:8): [True: 7.90k, False: 1.03k] ------------------ 3553| | /* Messages are different */ 3554| 7.90k| && strcmp(flow->risk_infos[i].info, risk_message) ------------------ | Branch (3554:8): [True: 1.54k, False: 6.36k] ------------------ 3555| 1.54k| && (strstr(flow->risk_infos[i].info, risk_message) == NULL) ------------------ | Branch (3555:8): [True: 930, False: 614] ------------------ 3556| 9.06k| ) { 3557| 930| char buf[1024]; 3558| | 3559| | /* Concatenate risks info */ 3560| 930| snprintf(buf, sizeof(buf), "%s;%s", 3561| 930| flow->risk_infos[i].info, risk_message); 3562| | 3563| 930| ndpi_free(flow->risk_infos[i].info); 3564| 930| flow->risk_infos[i].info = ndpi_strdup(buf); 3565| 930| } 3566| | 3567| 9.06k| return; 3568| 9.06k| } 3569| | 3570| | /* Risk already set without any details, but now we have a specific risk_message 3571| | that we want to save. 3572| | This might happen with NDPI_HTTP_CRAWLER_BOT which might have been set early via 3573| | IP matching (no details) and now via UA matching (with message). 
*/ 3574| 139| if(flow->num_risk_infos < MAX_NUM_RISK_INFOS) { ------------------ | | 265| 139|#define MAX_NUM_RISK_INFOS 8 ------------------ | Branch (3574:8): [True: 139, False: 0] ------------------ 3575| 139| char *s = ndpi_strdup(risk_message); 3576| | 3577| 139| if(s != NULL) { ------------------ | Branch (3577:10): [True: 128, False: 11] ------------------ 3578| 128| flow->risk_infos[flow->num_risk_infos].id = r; 3579| 128| flow->risk_infos[flow->num_risk_infos].info = s; 3580| 128| flow->num_risk_infos++; 3581| 128| } 3582| 139| } 3583| 139| } 3584| 36.2k|} ndpi_unset_risk: 3589| 51.6k| struct ndpi_flow_struct *flow, ndpi_risk_enum r) { 3590| 51.6k| if(ndpi_isset_risk(flow, r)) { ------------------ | Branch (3590:6): [True: 2.01k, False: 49.6k] ------------------ 3591| 2.01k| u_int8_t i, j; 3592| 2.01k| ndpi_risk v = 1ull << r; 3593| | 3594| 2.01k| flow->risk &= ~v; 3595| | 3596| 2.01k| if(!is_flowrisk_info_enabled(ndpi_str, r)) ------------------ | Branch (3596:8): [True: 0, False: 2.01k] ------------------ 3597| 0| return; 3598| | 3599| 3.97k| for(i = 0; i < flow->num_risk_infos; i++) { ------------------ | Branch (3599:16): [True: 1.96k, False: 2.01k] ------------------ 3600| 1.96k| if(flow->risk_infos[i].id == r) { ------------------ | Branch (3600:10): [True: 1.90k, False: 61] ------------------ 3601| 1.90k| flow->risk_infos[i].id = 0; 3602| 1.90k| if(flow->risk_infos[i].info) { ------------------ | Branch (3602:12): [True: 1.90k, False: 0] ------------------ 3603| 1.90k| ndpi_free(flow->risk_infos[i].info); 3604| 1.90k| flow->risk_infos[i].info = NULL; 3605| 1.90k| } 3606| 1.92k| for(j = i + 1; j < flow->num_risk_infos; j++) { ------------------ | Branch (3606:24): [True: 22, False: 1.90k] ------------------ 3607| 22| flow->risk_infos[j - 1].id = flow->risk_infos[j].id; 3608| 22| flow->risk_infos[j - 1].info = flow->risk_infos[j].info; 3609| 22| } 3610| 1.90k| flow->num_risk_infos--; 3611| 1.90k| } 3612| 1.96k| } 3613| 2.01k| } 3614| 51.6k|} 
ndpi_isset_risk: 3618| 117k|int ndpi_isset_risk(struct ndpi_flow_struct *flow, ndpi_risk_enum r) { 3619| 117k| ndpi_risk v = 1ull << r; 3620| | 3621| 117k| return(((flow->risk & v) == v) ? 1 : 0); ------------------ | Branch (3621:10): [True: 11.2k, False: 106k] ------------------ 3622| 117k|} ndpi_is_printable_buffer: 3626| 36|int ndpi_is_printable_buffer(u_int8_t const * const buf, size_t len) { 3627| 36| int retval = 1; 3628| 36| size_t i; 3629| | 3630| 516| for(i = 0; i < len; ++i) { ------------------ | Branch (3630:14): [True: 480, False: 36] ------------------ 3631| 480| if(ndpi_isprint(buf[i]) == 0) { ------------------ | | 2529| 480|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 332, False: 148] | | | Branch (2529:43): [True: 246, False: 86] | | ------------------ ------------------ | Branch (3631:8): [True: 234, False: 246] ------------------ 3632| 234| retval = 0; 3633| 234| } 3634| 480| } 3635| | 3636| 36| return retval; 3637| 36|} ndpi_normalize_printable_string: 3641| 8.76k|int ndpi_normalize_printable_string(char * const str, size_t len) { 3642| 8.76k| int retval = 1; 3643| 8.76k| size_t i; 3644| | 3645| 271k| for(i = 0; i < len; ++i) { ------------------ | Branch (3645:14): [True: 262k, False: 8.76k] ------------------ 3646| 262k| if(ndpi_isprint(str[i]) == 0) { ------------------ | | 2529| 262k|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 207k, False: 55.0k] | | | Branch (2529:43): [True: 207k, False: 32] | | ------------------ ------------------ | Branch (3646:8): [True: 55.0k, False: 207k] ------------------ 3647| 55.0k| str[i] = '?'; 3648| 55.0k| retval = 0; 3649| 55.0k| } 3650| 262k| } 3651| | 3652| 8.76k| return retval; 3653| 8.76k|} ndpi_is_valid_hostname: 3669| 6.64k|bool ndpi_is_valid_hostname(char * const hostname, size_t len) { 3670| 6.64k| const char *p; 3671| 6.64k| size_t label_len = 0, idx = 0; 3672| 6.64k| 
bool has_valid_label = false; 3673| | 3674| 6.64k| if(!hostname || len == 0 || *hostname == '\0') ------------------ | Branch (3674:6): [True: 0, False: 6.64k] | Branch (3674:19): [True: 3.00k, False: 3.64k] | Branch (3674:31): [True: 65, False: 3.57k] ------------------ 3675| 3.07k| return(false); /* Empty string or NULL pointer */ 3676| | 3677| 3.57k| if(len > 253) /* Maximum length of a full hostname */ ------------------ | Branch (3677:6): [True: 45, False: 3.53k] ------------------ 3678| 45| return(false); 3679| | 3680| | /* Check each label (part between dots) */ 3681| 3.53k| p = hostname; 3682| | 3683| 58.6k| while ((idx < len) && *p) { ------------------ | Branch (3683:10): [True: 56.4k, False: 2.19k] | Branch (3683:25): [True: 56.4k, False: 52] ------------------ 3684| 56.4k| if(*p == '.') { ------------------ | Branch (3684:8): [True: 5.22k, False: 51.1k] ------------------ 3685| | /* Check previous label */ 3686| 5.22k| if(label_len == 0 || (label_len > 63)) ------------------ | Branch (3686:10): [True: 13, False: 5.21k] | Branch (3686:28): [True: 0, False: 5.21k] ------------------ 3687| 13| return(false); /* Empty label or too long */ 3688| | 3689| 5.21k| label_len = 0; 3690| 5.21k| idx++; 3691| 5.21k| p++; 3692| 5.21k| has_valid_label = true; 3693| 5.21k| continue; 3694| 5.22k| } 3695| | 3696| 51.1k| if(!(isalnum((unsigned char)*p) || *p == '-')) ------------------ | Branch (3696:10): [True: 49.8k, False: 1.35k] | Branch (3696:40): [True: 94, False: 1.26k] ------------------ 3697| 1.26k| return(false); /* Invalid character */ 3698| | 3699| | /* Check first and last character of label */ 3700| 49.9k| if(label_len == 0) { ------------------ | Branch (3700:8): [True: 8.59k, False: 41.3k] ------------------ 3701| 8.59k| if(!isalnum((unsigned char)*p)) ------------------ | Branch (3701:10): [True: 6, False: 8.59k] ------------------ 3702| 6| return(false); /* Label must start with letter or digit */ 3703| 8.59k| } 3704| | 3705| 49.9k| label_len++; 3706| 
49.9k| if(label_len > 63) ------------------ | Branch (3706:8): [True: 2, False: 49.9k] ------------------ 3707| 2| return(false); /* Label too long */ 3708| | 3709| 49.9k| idx++; 3710| 49.9k| p++; 3711| 49.9k| } 3712| | 3713| | /* Check last label */ 3714| 2.24k| if(label_len == 0) ------------------ | Branch (3714:6): [True: 4, False: 2.24k] ------------------ 3715| 4| return(false); /* Ends with a dot */ 3716| | 3717| 2.24k| if(!isalnum(hostname[idx-1])) ------------------ | Branch (3717:6): [True: 2, False: 2.24k] ------------------ 3718| 2| return(false); /* Label must end with letter or digit */ 3719| | 3720| 2.24k| return(has_valid_label || len > 0); /* At least one label exists */ ------------------ | Branch (3720:10): [True: 2.22k, False: 23] | Branch (3720:29): [True: 23, False: 0] ------------------ 3721| 2.24k|} ndpi_entropy: 3725| 50.0k|float ndpi_entropy(u_int8_t const * const buf, size_t len) { 3726| 50.0k| float entropy = 0.0f; 3727| 50.0k| u_int32_t byte_counters[256]; 3728| 50.0k| size_t i; 3729| | 3730| 50.0k| memset(byte_counters, 0, sizeof(byte_counters)); 3731| | 3732| 4.40M| for(i = 0; i < len; ++i) { ------------------ | Branch (3732:14): [True: 4.35M, False: 50.0k] ------------------ 3733| 4.35M| byte_counters[buf[i]]++; 3734| 4.35M| } 3735| | 3736| 12.8M| for(i = 0; i < sizeof(byte_counters) / sizeof(byte_counters[0]); ++i) { ------------------ | Branch (3736:14): [True: 12.8M, False: 50.0k] ------------------ 3737| 12.8M| if(byte_counters[i] == 0) { ------------------ | Branch (3737:8): [True: 11.2M, False: 1.58M] ------------------ 3738| 11.2M| continue; 3739| 11.2M| } 3740| | 3741| 1.58M| float const p = (float)byte_counters[i] / len; 3742| 1.58M| entropy += p * log2f(1 / p); 3743| 1.58M| } 3744| | 3745| 50.0k| return entropy; 3746| 50.0k|} ndpi_entropy2str: 3751| 6.37k|char *ndpi_entropy2str(float entropy, char *buf, size_t len) { 3752| 6.37k| if (buf == NULL) { ------------------ | Branch (3752:7): [True: 0, False: 6.37k] 
------------------ 3753| 0| return NULL; 3754| 0| } 3755| | 3756| 6.37k| static const char entropy_fmtstr[] = "Entropy: %.3f (%s?)"; 3757| 6.37k| if (NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy)) { ------------------ | | 101| 6.37k|#define NDPI_ENTROPY_ENCRYPTED_OR_RANDOM(entropy) (entropy >= 7.312f) | | ------------------ | | | Branch (101:51): [True: 1.17k, False: 5.20k] | | ------------------ ------------------ 3758| 1.17k| snprintf(buf, len, entropy_fmtstr, entropy, "Encrypted or Random"); 3759| 5.20k| } else if (NDPI_ENTROPY_EXECUTABLE_ENCRYPTED(entropy)) { ------------------ | | 100| 5.20k|#define NDPI_ENTROPY_EXECUTABLE_ENCRYPTED(entropy) (entropy >= 7.174f) | | ------------------ | | | Branch (100:52): [True: 304, False: 4.89k] | | ------------------ ------------------ 3760| 304| snprintf(buf, len, entropy_fmtstr, entropy, "Encrypted Executable"); 3761| 4.89k| } else if (NDPI_ENTROPY_EXECUTABLE_PACKED(entropy)) { ------------------ | | 99| 4.89k|#define NDPI_ENTROPY_EXECUTABLE_PACKED(entropy) (entropy >= 6.677f) | | ------------------ | | | Branch (99:49): [True: 649, False: 4.25k] | | ------------------ ------------------ 3762| 649| snprintf(buf, len, entropy_fmtstr, entropy, "Compressed Executable"); 3763| 4.25k| } else if (NDPI_ENTROPY_EXECUTABLE(entropy)) { ------------------ | | 98| 4.25k|#define NDPI_ENTROPY_EXECUTABLE(entropy) (entropy >= 4.941f) | | ------------------ | | | Branch (98:42): [True: 4.25k, False: 0] | | ------------------ ------------------ 3764| 4.25k| snprintf(buf, len, entropy_fmtstr, entropy, "Executable"); 3765| 4.25k| } else { 3766| 0| snprintf(buf, len, entropy_fmtstr, entropy, "Unknown"); 3767| 0| } 3768| | 3769| 6.37k| return buf; 3770| 6.37k|} ndpi_entropy2risk: 3775| 57.4k| struct ndpi_flow_struct *flow) { 3776| 57.4k| char str[64]; 3777| | 3778| 57.4k| if (NDPI_ENTROPY_PLAINTEXT(flow->entropy)) ------------------ | | 97| 57.4k|#define NDPI_ENTROPY_PLAINTEXT(entropy) (entropy < 4.941f) | | ------------------ | | | Branch 
(97:41): [True: 47.4k, False: 10.0k] | | ------------------ ------------------ 3779| 47.4k| goto reset_risk; 3780| | 3781| 10.0k| if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS || ------------------ | Branch (3781:7): [True: 110, False: 9.92k] ------------------ 3782| 9.92k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_TLS || ------------------ | Branch (3782:7): [True: 0, False: 9.92k] ------------------ 3783| 9.92k| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_QUIC || ------------------ | Branch (3783:7): [True: 8, False: 9.91k] ------------------ 3784| 9.91k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_QUIC || ------------------ | Branch (3784:7): [True: 0, False: 9.91k] ------------------ 3785| 9.91k| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DTLS || ------------------ | Branch (3785:7): [True: 0, False: 9.91k] ------------------ 3786| 9.91k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DTLS) { ------------------ | Branch (3786:7): [True: 0, False: 9.91k] ------------------ 3787| 118| flow->skip_entropy_check = 1; 3788| 118| goto reset_risk; 3789| 118| } 3790| | 3791| 9.91k| if (flow->confidence != NDPI_CONFIDENCE_DPI && ------------------ | Branch (3791:7): [True: 6.36k, False: 3.54k] ------------------ 3792| 6.36k| flow->confidence != NDPI_CONFIDENCE_DPI_CACHE) { ------------------ | Branch (3792:7): [True: 6.19k, False: 174] ------------------ 3793| 6.19k| ndpi_set_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_ENTROPY, 3794| 6.19k| ndpi_entropy2str(flow->entropy, str, sizeof(str))); 3795| 6.19k| return; 3796| 6.19k| } 3797| | 3798| 3.72k| if (ndpi_isset_risk(flow, NDPI_MALWARE_HOST_CONTACTED) || ------------------ | Branch (3798:7): [True: 0, False: 3.72k] ------------------ 3799| 3.72k| ndpi_isset_risk(flow, NDPI_BINARY_DATA_TRANSFER) || ------------------ | Branch (3799:7): [True: 0, False: 3.72k] ------------------ 3800| 3.72k| ndpi_isset_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER) || ------------------ | Branch 
(3800:7): [True: 0, False: 3.72k] ------------------ 3801| 3.72k| ndpi_isset_risk(flow, NDPI_POSSIBLE_EXPLOIT) || ------------------ | Branch (3801:7): [True: 5, False: 3.71k] ------------------ 3802| 3.71k| ndpi_isset_risk(flow, NDPI_HTTP_SUSPICIOUS_CONTENT) || ------------------ | Branch (3802:7): [True: 0, False: 3.71k] ------------------ 3803| 3.71k| ndpi_isset_risk(flow, NDPI_DNS_SUSPICIOUS_TRAFFIC) || ------------------ | Branch (3803:7): [True: 8, False: 3.70k] ------------------ 3804| 3.70k| ndpi_isset_risk(flow, NDPI_MALFORMED_PACKET) || ------------------ | Branch (3804:7): [True: 26, False: 3.68k] ------------------ 3805| 3.68k| (flow->category == NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT && ------------------ | Branch (3805:8): [True: 1.52k, False: 2.16k] ------------------ 3806| 1.52k| (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || ------------------ | Branch (3806:9): [True: 0, False: 1.52k] ------------------ 3807| 1.52k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP)) || ------------------ | Branch (3807:9): [True: 0, False: 1.52k] ------------------ 3808| 3.68k| flow->category == NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER || ------------------ | Branch (3808:7): [True: 2, False: 3.67k] ------------------ 3809| 3.67k| flow->category == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED || ------------------ | Branch (3809:7): [True: 97, False: 3.58k] ------------------ 3810| 3.58k| flow->category == NDPI_PROTOCOL_CATEGORY_WEB) ------------------ | Branch (3810:7): [True: 43, False: 3.53k] ------------------ 3811| 181| { 3812| 181| ndpi_set_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_ENTROPY, 3813| 181| ndpi_entropy2str(flow->entropy, str, sizeof(str))); 3814| 181| return; 3815| 181| } 3816| | 3817| 51.0k|reset_risk: 3818| 51.0k| ndpi_unset_risk(ndpi_struct, flow, NDPI_SUSPICIOUS_ENTROPY); 3819| 51.0k|} icmp4_checksum: 3828| 747|u_int16_t icmp4_checksum(const u_int8_t * buf, size_t len) { 3829| 747| u_int32_t checksum = 0; 3830| | 3831| | /* 3832| | * The first 
two bytes of the icmp header are required. 3833| | * The next two bytes is the checksum, which we want to ignore. 3834| | */ 3835| | 3836| 44.4k| for(; len > 1; len -= 2) { ------------------ | Branch (3836:9): [True: 43.7k, False: 747] ------------------ 3837| 43.7k| checksum += get_n16bit(buf); 3838| 43.7k| buf += 2; 3839| 43.7k| } 3840| | 3841| 747| if(len == 1) { ------------------ | Branch (3841:6): [True: 29, False: 718] ------------------ 3842| 29| checksum += *buf; 3843| 29| } 3844| | 3845| 747| checksum = (checksum >> 16) + (checksum & 0xFFFF); 3846| 747| checksum += (checksum >> 16); 3847| | 3848| 747| return ~checksum; 3849| 747|} ndpi_get_flow_name: 3853| 4.15k|char* ndpi_get_flow_name(struct ndpi_flow_struct *flow) { 3854| 4.15k| if(!flow) goto no_flow_info; ------------------ | Branch (3854:6): [True: 0, False: 4.15k] ------------------ 3855| | 3856| 4.15k| if(flow->host_server_name[0] != '\0') ------------------ | Branch (3856:6): [True: 2.59k, False: 1.55k] ------------------ 3857| 2.59k| return((char*)flow->host_server_name); 3858| | 3859| 1.55k| no_flow_info: 3860| 1.55k| return((char*)""); 3861| 4.15k|} load_common_alpns: 3865| 6.79k|void load_common_alpns(struct ndpi_detection_module_struct *ndpi_str) { 3866| | /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ 3867| 6.79k| const char* const common_alpns[] = { 3868| 6.79k| "http/0.9", "http/1.0", "http/1.1", 3869| 6.79k| "spdy/1", "spdy/2", "spdy/3", "spdy/3.1", 3870| 6.79k| "stun.turn", "stun.nat-discovery", 3871| 6.79k| "h2", "h2c", "h2-16", "h2-15", "h2-14", "h2-fb", 3872| 6.79k| "webrtc", "c-webrtc", 3873| 6.79k| "ftp", "imap", "pop3", "managesieve", "coap", 3874| 6.79k| "xmpp-client", "xmpp-server", 3875| 6.79k| "acme-tls/1", 3876| 6.79k| "mqtt", "dot", "ntske/1", "sunrpc", 3877| 6.79k| "h3", 3878| 6.79k| "smb", 3879| 6.79k| "irc", 3880| | 3881| | /* QUIC ALPNs */ 3882| 6.79k| "h3-T051", "h3-T050", 3883| 6.79k| "h3-34", "h3-33", "h3-32", 
"h3-31", "h3-30", "h3-29", "h3-28", "h3-27", "h3-24", "h3-22", 3884| 6.79k| "hq-34", "hq-33", "hq-32", "hq-31", "hq-30", "hq-29", "hq-28", "hq-27", "hq-interop", 3885| 6.79k| "h3-fb-05", "h1q-fb", 3886| 6.79k| "doq-i00", 3887| | 3888| | /* ApplePush */ 3889| 6.79k| "apns-security-v3", "apns-pack-v1", 3890| | 3891| | NULL /* end */ 3892| 6.79k| }; 3893| 6.79k| u_int i; 3894| | 3895| 401k| for(i=0; common_alpns[i] != NULL; i++) { ------------------ | Branch (3895:12): [True: 394k, False: 6.79k] ------------------ 3896| 394k| AC_PATTERN_t ac_pattern; 3897| | 3898| 394k| memset(&ac_pattern, 0, sizeof(ac_pattern)); 3899| 394k| ac_pattern.astring = ndpi_strdup((char*)common_alpns[i]); 3900| 394k| if(!ac_pattern.astring) { ------------------ | Branch (3900:8): [True: 24.1k, False: 370k] ------------------ 3901| 24.1k| NDPI_LOG_ERR(ndpi_str, "Unable to add %s [mem alloc error]\n", common_alpns[i]); ------------------ | | 593| 24.1k|# define NDPI_LOG_ERR(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 3902| 24.1k| continue; 3903| 24.1k| } 3904| 370k| ac_pattern.length = strlen(common_alpns[i]); 3905| | 3906| 370k| if(ac_automata_add(ndpi_str->common_alpns_automa.ac_automa, &ac_pattern) != ACERR_SUCCESS) { ------------------ | Branch (3906:8): [True: 133k, False: 236k] ------------------ 3907| 133k| ndpi_free(ac_pattern.astring); 3908| 133k| NDPI_LOG_ERR(ndpi_str, "Unable to add %s\n", common_alpns[i]); ------------------ | | 593| 133k|# define NDPI_LOG_ERR(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 3909| 133k| } 3910| 370k| } 3911| 6.79k|} is_a_common_alpn: 3916| 4.02k| const char *alpn_to_check, u_int alpn_to_check_len) { 3917| 4.02k| ndpi_automa *automa = &ndpi_str->common_alpns_automa; 3918| | 3919| 4.02k| if(automa->ac_automa) { ------------------ | Branch (3919:6): [True: 3.81k, False: 208] ------------------ 3920| 3.81k| AC_TEXT_t ac_input_text; 3921| 3.81k| AC_REP_t match; 3922| | 3923| 3.81k| memset(&match, 0, sizeof(match)); 3924| 3.81k| ac_input_text.astring = (char*)alpn_to_check, ac_input_text.length = alpn_to_check_len; 3925| 3.81k| ac_input_text.option = 0; 3926| | 3927| 3.81k| if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0) ------------------ | Branch (3927:8): [True: 3.25k, False: 563] ------------------ 3928| 3.25k| return(1); 3929| 3.81k| } 3930| | 3931| 771| return(0); 3932| 4.02k|} ndpi_is_valid_protoId: 3936| 185k|u_int8_t ndpi_is_valid_protoId(const struct ndpi_detection_module_struct *ndpi_str, u_int16_t protoId) { 3937| 185k| if(!ndpi_str) ------------------ | Branch (3937:6): [True: 0, False: 185k] ------------------ 3938| 0| return 0; 3939| 185k| return(protoId >= ndpi_str->num_supported_protocols ? 
0 : 1); ------------------ | Branch (3939:10): [True: 0, False: 185k] ------------------ 3940| 185k|} ndpi_is_encrypted_proto: 3945| 10.2k| ndpi_master_app_protocol proto) { 3946| 10.2k| if(proto.master_protocol == NDPI_PROTOCOL_UNKNOWN && ndpi_is_valid_protoId(ndpi_str, proto.app_protocol)) { ------------------ | Branch (3946:6): [True: 9.00k, False: 1.25k] | Branch (3946:56): [True: 9.00k, False: 0] ------------------ 3947| 9.00k| return(!ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto); 3948| 9.00k| } else if(ndpi_is_valid_protoId(ndpi_str, proto.master_protocol) && ndpi_is_valid_protoId(ndpi_str, proto.app_protocol)) { ------------------ | Branch (3948:13): [True: 1.25k, False: 0] | Branch (3948:71): [True: 1.25k, False: 0] ------------------ 3949| 1.25k| if(ndpi_str->proto_defaults[proto.master_protocol].isClearTextProto ------------------ | Branch (3949:8): [True: 1.18k, False: 70] ------------------ 3950| 1.18k| && (!ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto)) ------------------ | Branch (3950:11): [True: 1.14k, False: 40] ------------------ 3951| 1.14k| return(0); 3952| 110| else 3953| 110| return((ndpi_str->proto_defaults[proto.master_protocol].isClearTextProto ------------------ | Branch (3953:15): [True: 40, False: 70] ------------------ 3954| 70| && ndpi_str->proto_defaults[proto.app_protocol].isClearTextProto) ? 
0 : 1); ------------------ | Branch (3954:11): [True: 40, False: 0] ------------------ 3955| 1.25k| } else 3956| 0| return(0); 3957| 10.2k|} ndpi_vsnprintf: 3979| 583k|{ 3980| |#ifdef WIN32 3981| | if((str == NULL) || (size == 0) || (format == NULL)) { 3982| | return -1; 3983| | } 3984| | 3985| | int ret = vsnprintf_s(str, size, _TRUNCATE, format, va_args); 3986| | 3987| | if(ret < 0) { 3988| | return size; 3989| | } else { 3990| | return ret; 3991| | } 3992| |#else 3993| 583k| return vsnprintf(str, size, format, va_args); 3994| 583k|#endif 3995| 583k|} ndpi_gmtime_r: 4001| 1.83k|{ 4002| |#if defined(WIN32) 4003| | gmtime_s(result, timep); 4004| | return result; 4005| |#else 4006| 1.83k| return gmtime_r(timep, result); 4007| 1.83k|#endif 4008| 1.83k|} ndpi_snprintf: 4012| 583k|int ndpi_snprintf(char * str, size_t size, char const * format, ...) { 4013| 583k| va_list va_args; 4014| | 4015| 583k| va_start(va_args, format); 4016| 583k| int rc = ndpi_vsnprintf(str, size, format, va_args); 4017| 583k| va_end(va_args); 4018| | 4019| | /* 4020| | ndpi_snprintf wraps standard snprintf, which returns the number of characters that would 4021| | have been written (not the number actually written) when the output is truncated. 4022| | So if rc >= size, only size - 1 characters were actually written, but tls_s_len is 4023| | advanced by rc. 
This has two consequences: 4024| | */ 4025| | 4026| 583k| if(rc >= (int)size) ------------------ | Branch (4026:6): [True: 2.67k, False: 580k] ------------------ 4027| 2.67k| rc = size - 1; 4028| | 4029| 583k| return(rc); 4030| 583k|} ndpi_get_flow_risk_info: 4046| 10.2k| u_int8_t use_json) { 4047| 10.2k| u_int i, offset = 0; 4048| 10.2k| struct ndpi_risk_information *ordered_risk_infos; 4049| | 4050| 10.2k| if((out == NULL) ------------------ | Branch (4050:6): [True: 0, False: 10.2k] ------------------ 4051| 10.2k| || (flow == NULL) ------------------ | Branch (4051:9): [True: 0, False: 10.2k] ------------------ 4052| 10.2k| || (flow->num_risk_infos == 0)) ------------------ | Branch (4052:9): [True: 2.58k, False: 7.67k] ------------------ 4053| 2.58k| return(NULL); 4054| | 4055| | /* Ordered list of flow risk infos */ 4056| 7.67k| ordered_risk_infos = ndpi_malloc(sizeof(flow->risk_infos)); 4057| 7.67k| if(!ordered_risk_infos) ------------------ | Branch (4057:6): [True: 421, False: 7.25k] ------------------ 4058| 421| return(NULL); 4059| | 4060| 7.25k| memcpy(ordered_risk_infos, flow->risk_infos, sizeof(flow->risk_infos)); 4061| 7.25k| qsort(ordered_risk_infos, flow->num_risk_infos, 4062| 7.25k| sizeof(struct ndpi_risk_information), risk_infos_pair_cmp); 4063| | 4064| 7.25k| if(use_json) { ------------------ | Branch (4064:6): [True: 0, False: 7.25k] ------------------ 4065| 0| ndpi_serializer serializer; 4066| 0| u_int32_t buffer_len; 4067| 0| char *buffer; 4068| | 4069| 0| if(ndpi_init_serializer(&serializer, ndpi_serialization_format_json) == -1) { ------------------ | Branch (4069:8): [True: 0, False: 0] ------------------ 4070| 0| ndpi_free(ordered_risk_infos); 4071| 0| return(NULL); 4072| 0| } 4073| | 4074| 0| for(i=0; i<flow->num_risk_infos; i++) ------------------ | Branch (4074:14): [True: 0, False: 0] ------------------ 4075| 0| ndpi_serialize_uint32_string(&serializer, 4076| 0| ordered_risk_infos[i].id, 4077| 0| ordered_risk_infos[i].info); 4078| | 4079| 0| 
buffer = ndpi_serializer_get_buffer(&serializer, &buffer_len); 4080| | 4081| 0| if(buffer && (buffer_len > 0)) { ------------------ | Branch (4081:8): [True: 0, False: 0] | Branch (4081:18): [True: 0, False: 0] ------------------ 4082| 0| u_int l = ndpi_min(out_len-1, buffer_len); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 4083| | 4084| 0| strncpy(out, buffer, l); 4085| 0| out[l] = '\0'; 4086| 0| } 4087| | 4088| 0| ndpi_term_serializer(&serializer); 4089| | 4090| 0| ndpi_free(ordered_risk_infos); 4091| 0| return(out); 4092| 7.25k| } else { 4093| 7.25k| out[0] = '\0', out_len--; 4094| | 4095| 18.9k| for(i=0; (i<flow->num_risk_infos) && (out_len > offset); i++) { ------------------ | Branch (4095:14): [True: 11.7k, False: 7.18k] | Branch (4095:42): [True: 11.6k, False: 62] ------------------ 4096| 11.6k| int rc = snprintf(&out[offset], out_len-offset, "%s%s", 4097| 11.6k| (i == 0) ? "" : ";", ------------------ | Branch (4097:4): [True: 7.25k, False: 4.41k] ------------------ 4098| 11.6k| ordered_risk_infos[i].info); 4099| | 4100| 11.6k| if(rc <= 0) ------------------ | Branch (4100:10): [True: 2, False: 11.6k] ------------------ 4101| 2| break; 4102| 11.6k| else 4103| 11.6k| offset += rc; 4104| 11.6k| } 4105| | 4106| 7.25k| if(offset > out_len) offset = out_len; ------------------ | Branch (4106:8): [True: 71, False: 7.18k] ------------------ 4107| | 4108| 7.25k| out[offset] = '\0'; 4109| | 4110| 7.25k| ndpi_free(ordered_risk_infos); 4111| 7.25k| return(out[0] == '\0' ? 
NULL : out); ------------------ | Branch (4111:12): [True: 2, False: 7.24k] ------------------ 4112| 7.25k| } 4113| 7.25k|} asn1_ber_decode_length: 4160| 126|int64_t asn1_ber_decode_length(const unsigned char *payload, int payload_len, u_int16_t *value_len) { 4161| 126| unsigned int value, i; 4162| | 4163| 126| if(payload_len <= 0) ------------------ | Branch (4163:6): [True: 0, False: 126] ------------------ 4164| 0| return -1; 4165| | 4166| | /* Malformed */ 4167| 126| if(payload[0] == 0xFF) ------------------ | Branch (4167:6): [True: 10, False: 116] ------------------ 4168| 10| return -1; 4169| | 4170| | /* Definite, short */ 4171| 116| if(payload[0] <= 0x80) { ------------------ | Branch (4171:6): [True: 93, False: 23] ------------------ 4172| 93| *value_len = 1; 4173| 93| return payload[0]; 4174| 93| } 4175| | /* Indefinite, unsupported */ 4176| 23| if((payload[0] & 0x7F) == 0) ------------------ | Branch (4176:6): [True: 0, False: 23] ------------------ 4177| 0| return -1; 4178| | 4179| 23| *value_len = payload[0] & 0x7F; 4180| | /* We support only 4 additional length octets */ 4181| 23| if(*value_len > 4 || ------------------ | Branch (4181:6): [True: 18, False: 5] ------------------ 4182| 5| payload_len <= *value_len + 1) ------------------ | Branch (4182:6): [True: 1, False: 4] ------------------ 4183| 19| return -1; 4184| | 4185| 4| value = 0; 4186| 12| for (i = 1; i <= *value_len; i++) { ------------------ | Branch (4186:15): [True: 8, False: 4] ------------------ 4187| 8| value |= (unsigned int)payload[i] << ((*value_len) - i) * 8; 4188| 8| } 4189| | 4190| 4| (*value_len) += 1; 4191| 4| return value; 4192| 23|} ndpi_intoav4: 4196| 19|char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen) { 4197| 19| char *cp; 4198| 19| int n; 4199| | 4200| 19| cp = &buf[bufLen]; 4201| 19| *--cp = '\0'; 4202| | 4203| 19| n = 4; 4204| 76| do { 4205| 76| u_int byte = addr & 0xff; 4206| | 4207| 76| *--cp = byte % 10 + '0'; 4208| 76| byte /= 10; 4209| 76| 
if(byte > 0) { ------------------ | Branch (4209:8): [True: 59, False: 17] ------------------ 4210| 59| *--cp = byte % 10 + '0'; 4211| 59| byte /= 10; 4212| 59| if(byte > 0) ------------------ | Branch (4212:10): [True: 35, False: 24] ------------------ 4213| 35| *--cp = byte + '0'; 4214| 59| } 4215| 76| if(n > 1) ------------------ | Branch (4215:8): [True: 57, False: 19] ------------------ 4216| 57| *--cp = '.'; 4217| 76| addr >>= 8; 4218| 76| } while (--n > 0); ------------------ | Branch (4218:12): [True: 57, False: 19] ------------------ 4219| | 4220| 19| return(cp); 4221| 19|} ndpi_nearest_power_of_two: 4257| 7.18k|u_int32_t ndpi_nearest_power_of_two(u_int32_t x) { 4258| 7.18k| x--; 4259| | 4260| 7.18k| x |= x >> 1; 4261| 7.18k| x |= x >> 2; 4262| 7.18k| x |= x >> 4; 4263| 7.18k| x |= x >> 8; 4264| 7.18k| x |= x >> 16; 4265| | 4266| 7.18k| x++; 4267| 7.18k| return(x); 4268| 7.18k|} tpkt_verify_hdr: 4272| 47.8k|int tpkt_verify_hdr(const struct ndpi_packet_struct * const packet) { 4273| 47.8k| return ((packet->tcp != NULL) && (packet->payload_packet_len > 4) && ------------------ | Branch (4273:11): [True: 43.4k, False: 4.37k] | Branch (4273:36): [True: 41.2k, False: 2.20k] ------------------ 4274| 41.2k| (packet->payload[0] == 3) && (packet->payload[1] == 0) && ------------------ | Branch (4274:11): [True: 111, False: 41.1k] | Branch (4274:40): [True: 40, False: 71] ------------------ 4275| 40| (get_u_int16_t(packet->payload,2) == htons(packet->payload_packet_len))); ------------------ | | 136| 40|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (4275:11): [True: 0, False: 40] ------------------ 4276| 47.8k|} ndpi_strtonum: 4281| 286k| int64_t maxval, const char **errstrp, int base) { 4282| 286k| int64_t val = 0; 4283| 286k| char* endptr; 4284| | 4285| 286k| if (minval > maxval) { ------------------ | Branch (4285:7): [True: 0, False: 286k] ------------------ 4286| 0| *errstrp = "minval > maxval"; 4287| 0| return 
0; 4288| 0| } 4289| | 4290| 286k| errno = 0; /* To distinguish success/failure after call */ 4291| 286k| val = (int64_t)strtoll(numstr, &endptr, base); 4292| | 4293| 286k| if((val == LLONG_MIN && errno == ERANGE) || (val < minval)) { ------------------ | Branch (4293:7): [True: 0, False: 286k] | Branch (4293:27): [True: 0, False: 0] | Branch (4293:47): [True: 0, False: 286k] ------------------ 4294| 0| *errstrp = "value too small"; 4295| 0| return 0; 4296| 0| } 4297| | 4298| 286k| if((val == LLONG_MAX && errno == ERANGE) || (val > maxval )) { ------------------ | Branch (4298:7): [True: 0, False: 286k] | Branch (4298:27): [True: 0, False: 0] | Branch (4298:47): [True: 0, False: 286k] ------------------ 4299| 0| *errstrp = "value too large"; 4300| 0| return 0; 4301| 0| } 4302| | 4303| 286k| if(errno != 0 && val == 0) { ------------------ | Branch (4303:6): [True: 0, False: 286k] | Branch (4303:20): [True: 0, False: 0] ------------------ 4304| 0| *errstrp = "generic error"; 4305| 0| return 0; 4306| 0| } 4307| | 4308| 286k| if(endptr == numstr) { ------------------ | Branch (4308:6): [True: 0, False: 286k] ------------------ 4309| 0| *errstrp = "No digits were found"; 4310| 0| return 0; 4311| 0| } 4312| | /* Like the original strtonum, we allow further characters after the number */ 4313| | 4314| 286k| *errstrp = NULL; 4315| 286k| return val; 4316| 286k|} ndpi_memrchr: 4347| 969|void *ndpi_memrchr(const void *m, int c, size_t n) { 4348| 969| const unsigned char *s = m; 4349| | 4350| 969| c = (unsigned char)c; 4351| 76.5k| while(n--) ------------------ | Branch (4351:9): [True: 75.8k, False: 639] ------------------ 4352| 75.8k| if(s[n]==c) ------------------ | Branch (4352:8): [True: 330, False: 75.5k] ------------------ 4353| 330| return (void *)(s+n); 4354| | 4355| 639| return 0; 4356| 969|} ndpi_str_endswith: 4361| 5.67k|int ndpi_str_endswith(const char *s, const char *suffix) { 4362| 5.67k| size_t slen = strlen(s); 4363| 5.67k| size_t suffixlen = strlen(suffix); 
4364| | 4365| 5.67k| return((slen >= suffixlen) && (!memcmp(&s[slen - suffixlen], suffix, suffixlen))); ------------------ | Branch (4365:10): [True: 2.35k, False: 3.31k] | Branch (4365:33): [True: 22, False: 2.33k] ------------------ 4366| 5.67k|} ndpi_compress_str: 4383| 1.80M|size_t ndpi_compress_str(const char * in, size_t len, char * out, size_t bufsize) { 4384| 1.80M| size_t ret = shoco_compress(in, len, out, bufsize); 4385| | 4386| 1.80M| if(ret > bufsize) ------------------ | Branch (4386:6): [True: 25, False: 1.80M] ------------------ 4387| 25| return(0); /* Better not to compress data (it is longer than the uncompressed data) */ 4388| | 4389| 1.80M| return(ret); 4390| 1.80M|} ndpi_encode_domain: 4428| 1.81M| const char *domain, char *out, u_int out_len) { 4429| 1.81M| u_int out_idx = 0, i, buf_shift = 0, domain_buf_len, compressed_len, suffix_len, domain_len; 4430| 1.81M| u_int32_t value = 0; 4431| 1.81M| u_char domain_buf[256], compressed[128]; 4432| 1.81M| u_int64_t domain_id = 0; 4433| 1.81M| const char *suffix; 4434| | 4435| 1.81M| if(!ndpi_domain_mapper_initialized) { ------------------ | Branch (4435:6): [True: 1, False: 1.81M] ------------------ 4436| 1| ndpi_domain_mapper_init(); 4437| 1| ndpi_domain_mapper_initialized = true; 4438| 1| } 4439| | 4440| 1.81M| domain_len = strlen(domain); 4441| | 4442| 1.81M| if(domain_len >= (out_len-3)) ------------------ | Branch (4442:6): [True: 0, False: 1.81M] ------------------ 4443| 0| return(0); 4444| | 4445| 1.81M| if(domain_len <= 4) ------------------ | Branch (4445:6): [True: 4.78k, False: 1.80M] ------------------ 4446| 4.78k| return((u_int)snprintf(out, out_len, "%s", domain)); /* Too short */ 4447| | 4448| | /* [1] Encode the domain in 6 bits */ 4449| 1.80M| suffix = ndpi_get_host_domain_suffix(ndpi_str, domain, &domain_id); 4450| | 4451| 1.80M| if(suffix == NULL) ------------------ | Branch (4451:6): [True: 0, False: 1.80M] ------------------ 4452| 0| return((u_int)snprintf(out, out_len, "%s", 
domain)); /* Unknown suffix */ 4453| | 4454| 1.80M| snprintf((char*)domain_buf, sizeof(domain_buf), "%s", domain); 4455| 1.80M| domain_buf_len = strlen((char*)domain_buf), suffix_len = strlen(suffix); 4456| | 4457| 1.80M| if(domain_buf_len > suffix_len) { ------------------ | Branch (4457:6): [True: 0, False: 1.80M] ------------------ 4458| 0| snprintf((char*)domain_buf, sizeof(domain_buf), "%s", domain); 4459| 0| domain_buf_len = domain_buf_len-suffix_len-1; 4460| 0| domain_buf[domain_buf_len] = '\0'; 4461| | 4462| 0| for(i=0; domain_buf[i] != '\0'; i++) { ------------------ | Branch (4462:14): [True: 0, False: 0] ------------------ 4463| 0| u_int32_t mapped_idx = ndpi_domain_mapper[domain_buf[i]]; 4464| | 4465| 0| if(mapped_idx != IGNORE_CHAR) { ------------------ | | 4403| 0|#define IGNORE_CHAR 0xFF ------------------ | Branch (4465:10): [True: 0, False: 0] ------------------ 4466| 0| mapped_idx <<= buf_shift; 4467| 0| value |= mapped_idx, buf_shift += NUM_BITS_NIBBLE; ------------------ | | 4404| 0|#define NUM_BITS_NIBBLE 6 /* each 'nibble' is encoded with 6 bits */ ------------------ 4468| | 4469| 0| if(buf_shift == NIBBLE_ELEM_OFFSET) { ------------------ | | 4405| 0|#define NIBBLE_ELEM_OFFSET 24 ------------------ | Branch (4469:5): [True: 0, False: 0] ------------------ 4470| 0| out[out_idx++] = value & 0xFF; 4471| 0| out[out_idx++] = (value >> 8) & 0xFF; 4472| 0| out[out_idx++] = (value >> 16) & 0xFF; 4473| 0| buf_shift = 0; /* Move to the next buffer */ 4474| 0| value = 0; 4475| 0| } 4476| 0| } 4477| 0| } 4478| | 4479| 0| if(buf_shift != 0) { ------------------ | Branch (4479:8): [True: 0, False: 0] ------------------ 4480| 0| u_int j, bytes = buf_shift / NUM_BITS_NIBBLE; ------------------ | | 4404| 0|#define NUM_BITS_NIBBLE 6 /* each 'nibble' is encoded with 6 bits */ ------------------ 4481| | 4482| 0| for(j = 0; j < bytes; j++) ------------------ | Branch (4482:18): [True: 0, False: 0] ------------------ 4483| 0| out[out_idx++] = (value >> (j * 8)) & 
0xFF; 4484| 0| } 4485| 0| } 4486| | 4487| | /* [2] Check if compressing the string is more efficient */ 4488| 1.80M| compressed_len = ndpi_compress_str((char*)domain_buf, domain_buf_len, 4489| 1.80M| (char*)compressed, sizeof(compressed)); 4490| | 4491| 1.80M| if((compressed_len > 0) && ((out_idx == 0) || (compressed_len < out_idx))) { ------------------ | Branch (4491:6): [True: 1.80M, False: 25] | Branch (4491:31): [True: 1.80M, False: 0] | Branch (4491:49): [True: 0, False: 0] ------------------ 4492| 1.80M| if(compressed_len >= domain_len) { ------------------ | Branch (4492:8): [True: 37.7k, False: 1.77M] ------------------ 4493| | /* Compression creates a longer buffer */ 4494| 37.7k| return((u_int)snprintf(out, out_len, "%s", domain)); 4495| 1.77M| } else { 4496| 1.77M| compressed_len = ndpi_min(ndpi_min(compressed_len, sizeof(compressed)), out_len-3); ------------------ | | 113| 5.31M|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 1.77M, False: 0] | | | Branch (113:27): [True: 1.77M, False: 0] | | | Branch (113:36): [True: 1.77M, False: 0] | | ------------------ ------------------ 4497| 1.77M| memcpy(out, compressed, compressed_len); 4498| 1.77M| out_idx = compressed_len; 4499| 1.77M| } 4500| 1.80M| } 4501| | 4502| | /* Add trailer domainId value */ 4503| 1.77M| out[out_idx++] = (domain_id >> 8) & 0xFF; 4504| 1.77M| out[out_idx++] = domain_id & 0xFF; 4505| | 4506| |#ifdef DEBUG 4507| | { 4508| | u_int i; 4509| | 4510| | fprintf(stdout, "%s [len: %u][", domain, out_idx); 4511| | for(i=0; i 0 && ptr[0] == ' ') { ------------------ | Branch (4766:9): [True: 29, False: 2] | Branch (4766:25): [True: 2, False: 27] ------------------ 4767| 2| (*ptr_len)--; 4768| 2| ptr++; 4769| 2| } 4770| 29| if(*ptr_len == 0) ------------------ | Branch (4770:6): [True: 2, False: 27] ------------------ 4771| 2| return NULL; 4772| | 4773| | /* Stripping trailing spaces */ 4774| 28| while(*ptr_len > 0 && ptr[*ptr_len - 1] == ' ') { 
------------------ | Branch (4774:9): [True: 28, False: 0] | Branch (4774:25): [True: 1, False: 27] ------------------ 4775| 1| (*ptr_len)--; 4776| 1| } 4777| 27| if(*ptr_len == 0) ------------------ | Branch (4777:6): [True: 0, False: 27] ------------------ 4778| 0| return NULL; 4779| | 4780| 27| return ptr; 4781| 27|} ndpi_bitmask_alloc: 4965| 42.9k|{ 4966| 42.9k| if(!b) ------------------ | Branch (4966:6): [True: 0, False: 42.9k] ------------------ 4967| 0| return -1; 4968| 42.9k| b->fds = ndpi_calloc(howmanybits(max_bits, sizeof(ndpi_ndpi_mask)), sizeof(ndpi_ndpi_mask)); ------------------ | | 104| 42.9k|#define howmanybits(x, y) (((x)+((y)-1))/(y)) ------------------ 4969| 42.9k| if(!b->fds) ------------------ | Branch (4969:6): [True: 12, False: 42.9k] ------------------ 4970| 12| return -1; 4971| 42.9k| b->max_bits = max_bits; 4972| 42.9k| b->num_fds = howmanybits(max_bits, sizeof(ndpi_ndpi_mask)); ------------------ | | 104| 42.9k|#define howmanybits(x, y) (((x)+((y)-1))/(y)) ------------------ 4973| 42.9k| return 0; 4974| 42.9k|} ndpi_bitmask_free: 4977| 43.2k|{ 4978| 43.2k| if(b) { ------------------ | Branch (4978:6): [True: 43.2k, False: 0] ------------------ 4979| 43.2k| ndpi_free(b->fds); 4980| 43.2k| b->num_fds = 0; 4981| 43.2k| } 4982| 43.2k|} ndpi_bitmask_is_set: 4997| 17.6M|{ 4998| 17.6M| if(b && b->fds && bit < b->max_bits) ------------------ | Branch (4998:6): [True: 17.6M, False: 0] | Branch (4998:11): [True: 17.6M, False: 0] | Branch (4998:21): [True: 17.6M, False: 0] ------------------ 4999| 17.6M| return b->fds[bit / 32] & (1ul << (bit % 32)); 5000| 0| return -1; 5001| 17.6M|} ndpi_bitmask_set_all: 5004| 28.6k|{ 5005| 28.6k| if(b && b->fds) ------------------ | Branch (5005:6): [True: 28.6k, False: 0] | Branch (5005:11): [True: 28.6k, False: 0] ------------------ 5006| 28.6k| memset(b->fds, 0xFF, b->num_fds * sizeof(ndpi_ndpi_mask)); 5007| 28.6k|} ndpi_bitmask_reset: 5010| 14.3k|{ 5011| 14.3k| if(b && b->fds) ------------------ | Branch 
(5011:6): [True: 14.3k, False: 0] | Branch (5011:11): [True: 14.3k, False: 0] ------------------ 5012| 14.3k| memset(b->fds, 0x00, b->num_fds * sizeof(ndpi_ndpi_mask)); 5013| 14.3k|} ndpi_check_is_numeric_ip: 5017| 5.49k|bool ndpi_check_is_numeric_ip(char *host) { 5018| 5.49k| unsigned char buf[sizeof(struct in6_addr)]; 5019| | 5020| 5.49k| if(inet_pton(AF_INET, host, buf) == 1) ------------------ | Branch (5020:6): [True: 0, False: 5.49k] ------------------ 5021| 0| return true; 5022| 5.49k| else if(inet_pton(AF_INET6, host, buf) == 1) ------------------ | Branch (5022:11): [True: 0, False: 5.49k] ------------------ 5023| 0| return true; 5024| 5.49k| else 5025| 5.49k| return false; 5026| 5.49k|} ndpi_get_master_proto: 5063| 17.0k| struct ndpi_flow_struct *flow) { 5064| 17.0k| if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (5064:6): [True: 106, False: 16.8k] ------------------ 5065| 106| return flow->detected_protocol_stack[1]; 5066| 16.8k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (5066:6): [True: 5.95k, False: 10.9k] ------------------ 5067| 5.95k| return flow->detected_protocol_stack[0]; 5068| | 5069| 10.9k| return ndpi_tls_refine_master_protocol(ndpi_struct, flow); 5070| 16.8k|} ndpi_memmem: 5074| 44.1k|void* ndpi_memmem(const void* haystack, size_t haystack_len, const void* needle, size_t needle_len) { 5075| 44.1k| if (!haystack || !needle || haystack_len < needle_len) { ------------------ | Branch (5075:7): [True: 0, False: 44.1k] | Branch (5075:20): [True: 0, False: 44.1k] | Branch (5075:31): [True: 22.7k, False: 21.3k] ------------------ 5076| 22.7k| return NULL; 5077| 22.7k| } 5078| | 5079| 21.3k| if (needle_len == 0) { ------------------ | Branch (5079:7): [True: 0, False: 21.3k] ------------------ 5080| 0| return (void *)haystack; 5081| 0| } 5082| | 5083| 21.3k| if (needle_len == 1) { ------------------ | Branch (5083:7): [True: 9.88k, False: 11.4k] 
------------------ 5084| 9.88k| return (void *)memchr(haystack, *(const u_int8_t *)needle, haystack_len); 5085| 9.88k| } 5086| | 5087| 11.4k| const u_int8_t *const end_of_search = (const u_int8_t *)haystack + haystack_len - needle_len + 1; 5088| | 5089| 11.4k| const u_int8_t *current = (const u_int8_t *)haystack; 5090| | 5091| 17.1k| while (1) { ------------------ | Branch (5091:10): [True: 17.1k, Folded] ------------------ 5092| | /* Find the first occurrence of the first character from the needle */ 5093| 17.1k| current = (const u_int8_t *)memchr(current, *(const u_int8_t *)needle, end_of_search - current); 5094| | 5095| 17.1k| if (!current) { ------------------ | Branch (5095:9): [True: 11.3k, False: 5.84k] ------------------ 5096| 11.3k| return NULL; 5097| 11.3k| } 5098| | 5099| | /* Check the rest of the needle for a match */ 5100| 5.84k| if (memcmp(current, needle, needle_len) == 0) { ------------------ | Branch (5100:9): [True: 131, False: 5.70k] ------------------ 5101| 131| return (void *)current; 5102| 131| } 5103| | 5104| | /* Shift one character to the right for the next search */ 5105| 5.70k| current++; 5106| 5.70k| } 5107| | 5108| 0| return NULL; 5109| 11.4k|} ndpi_memcasecmp: 5127| 1.95M|int ndpi_memcasecmp(const void *s1, const void *s2, size_t n) { 5128| 1.95M| if (s1 == NULL && s2 == NULL) { ------------------ | Branch (5128:7): [True: 0, False: 1.95M] | Branch (5128:21): [True: 0, False: 0] ------------------ 5129| 0| return 0; 5130| 0| } 5131| | 5132| 1.95M| if (s1 == NULL) { ------------------ | Branch (5132:7): [True: 0, False: 1.95M] ------------------ 5133| 0| return -1; 5134| 0| } 5135| | 5136| 1.95M| if (s2 == NULL) { ------------------ | Branch (5136:7): [True: 0, False: 1.95M] ------------------ 5137| 0| return 1; 5138| 0| } 5139| | 5140| 1.95M| if (n == 0) { ------------------ | Branch (5140:7): [True: 0, False: 1.95M] ------------------ 5141| 0| return 0; 5142| 0| } 5143| | 5144| 1.95M| const unsigned char *p1 = (const unsigned char 
*)s1; 5145| 1.95M| const unsigned char *p2 = (const unsigned char *)s2; 5146| | 5147| 1.95M| if (n == 1) { ------------------ | Branch (5147:7): [True: 0, False: 1.95M] ------------------ 5148| 0| return tolower(*p1) - tolower(*p2); ------------------ | Branch (5148:12): [True: 0, False: 0] | Branch (5148:12): [True: 0, False: 0] | Branch (5148:12): [Folded, False: 0] | Branch (5148:27): [True: 0, False: 0] | Branch (5148:27): [True: 0, False: 0] | Branch (5148:27): [Folded, False: 0] ------------------ 5149| 0| } 5150| | 5151| | /* Early exit optimization - check first and last bytes */ 5152| | 5153| 1.95M| int first_cmp = tolower(p1[0]) - tolower(p2[0]); ------------------ | Branch (5153:19): [True: 0, False: 0] | Branch (5153:19): [True: 0, False: 0] | Branch (5153:19): [Folded, False: 1.95M] | Branch (5153:36): [True: 0, False: 0] | Branch (5153:36): [True: 0, False: 0] | Branch (5153:36): [Folded, False: 1.95M] ------------------ 5154| 1.95M| if (first_cmp != 0) { ------------------ | Branch (5154:7): [True: 1.87M, False: 78.0k] ------------------ 5155| 1.87M| return first_cmp; 5156| 1.87M| } 5157| | 5158| 78.0k| int last_cmp = tolower(p1[n-1]) - tolower(p2[n-1]); ------------------ | Branch (5158:18): [True: 0, False: 0] | Branch (5158:18): [True: 0, False: 0] | Branch (5158:18): [Folded, False: 78.0k] | Branch (5158:37): [True: 0, False: 0] | Branch (5158:37): [True: 0, False: 0] | Branch (5158:37): [Folded, False: 78.0k] ------------------ 5159| 78.0k| if (last_cmp != 0) { ------------------ | Branch (5159:7): [True: 74.1k, False: 3.98k] ------------------ 5160| 74.1k| return last_cmp; 5161| 74.1k| } 5162| | 5163| 3.98k| size_t i; 5164| 8.86k| for (i = 1; i < n-1; i++) { ------------------ | Branch (5164:15): [True: 6.62k, False: 2.24k] ------------------ 5165| 6.62k| int cmp = tolower(p1[i]) - tolower(p2[i]); ------------------ | Branch (5165:15): [True: 0, False: 0] | Branch (5165:15): [True: 0, False: 0] | Branch (5165:15): [Folded, False: 6.62k] | 
Branch (5165:32): [True: 0, False: 0] | Branch (5165:32): [True: 0, False: 0] | Branch (5165:32): [Folded, False: 6.62k] ------------------ 5166| 6.62k| if (cmp != 0) { ------------------ | Branch (5166:9): [True: 1.74k, False: 4.87k] ------------------ 5167| 1.74k| return cmp; 5168| 1.74k| } 5169| 6.62k| } 5170| | 5171| 2.24k| return 0; 5172| 3.98k|} ndpi_list_init: 6053| 2.04M|void ndpi_list_init(ndpi_list *l) { 6054| 2.04M| l->value = NULL, l->next = NULL; 6055| 2.04M|} ndpi_utils.c:ndpi_tdestroy_recurse: 262| 1.69M|{ 263| 1.69M| if(root->left != NULL) ------------------ | Branch (263:6): [True: 692k, False: 1.00M] ------------------ 264| 692k| ndpi_tdestroy_recurse(root->left, free_action); 265| 1.69M| if(root->right != NULL) ------------------ | Branch (265:6): [True: 961k, False: 736k] ------------------ 266| 961k| ndpi_tdestroy_recurse(root->right, free_action); 267| | 268| 1.69M| (*free_action) ((void *) root->key); 269| 1.69M| ndpi_free(root); 270| 1.69M|} ndpi_utils.c:ndpi_is_valid_char: 732| 23.8M|static inline int ndpi_is_valid_char(char c) { 733| 23.8M| if(!ndpi_is_valid_char_tbl_init) ------------------ | Branch (733:5): [True: 1, False: 23.8M] ------------------ 734| 1| _ndpi_is_valid_char_init(); 735| 23.8M| return ndpi_is_valid_char_tbl[(unsigned char)c]; 736| 23.8M|} ndpi_utils.c:_ndpi_is_valid_char_init: 727| 1|static void _ndpi_is_valid_char_init(void) { 728| 1| int c; 729| 257| for(c=0; c < 256; c++) ndpi_is_valid_char_tbl[c] = _ndpi_is_valid_char(c); ------------------ | Branch (729:12): [True: 256, False: 1] ------------------ 730| 1| ndpi_is_valid_char_tbl_init = 1; 731| 1|} ndpi_utils.c:_ndpi_is_valid_char: 717| 256|static int _ndpi_is_valid_char(char c) { 718| 256| if(ndpi_ispunct(c) && (!ndpi_is_other_char(c))) ------------------ | | 2530| 512|#define ndpi_ispunct(ch) (((ch) >= '!' 
&& (ch) <= '/') || \ | | ------------------ | | | Branch (2530:28): [True: 95, False: 161] | | | Branch (2530:43): [True: 15, False: 80] | | ------------------ | | 2531| 256| ((ch) >= ':' && (ch) <= '@') || \ | | ------------------ | | | Branch (2531:16): [True: 70, False: 171] | | | Branch (2531:31): [True: 7, False: 63] | | ------------------ | | 2532| 256| ((ch) >= '[' && (ch) <= '`') || \ | | ------------------ | | | Branch (2532:16): [True: 37, False: 197] | | | Branch (2532:31): [True: 6, False: 31] | | ------------------ | | 2533| 512| ((ch) >= '{' && (ch) <= '~')) | | ------------------ | | | Branch (2533:16): [True: 5, False: 223] | | | Branch (2533:31): [True: 4, False: 1] | | ------------------ ------------------ | Branch (718:25): [True: 29, False: 3] ------------------ 719| 29| return(0); 720| 227| else 721| 227| return(ndpi_isdigit(c) ------------------ | | 2526| 454|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 64, False: 163] | | | Branch (2526:42): [True: 10, False: 54] | | ------------------ ------------------ 722| 217| || ndpi_isalpha(c) ------------------ | | 2525| 444|#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z')) | | ------------------ | | | Branch (2525:28): [True: 27, False: 190] | | | Branch (2525:43): [True: 26, False: 1] | | | Branch (2525:60): [True: 27, False: 164] | | | Branch (2525:75): [True: 26, False: 1] | | ------------------ ------------------ 723| 165| || ndpi_is_other_char(c)); ------------------ | Branch (723:8): [True: 4, False: 161] ------------------ 724| 256|} ndpi_utils.c:ndpi_is_other_char: 707| 1.21M|static inline int ndpi_is_other_char(char c) { 708| 1.21M| return((c == '.') ------------------ | Branch (708:10): [True: 36.4k, False: 1.17M] ------------------ 709| 1.17M| || (c == ' ') ------------------ | Branch (709:6): [True: 21.2k, False: 1.15M] ------------------ 710| 1.15M| || (c == '@') ------------------ | 
Branch (710:6): [True: 20.3k, False: 1.13M] ------------------ 711| 1.13M| || (c == '/') ------------------ | Branch (711:6): [True: 12.8k, False: 1.12M] ------------------ 712| 1.21M| ); 713| 1.21M|} /* ndpi_find_non_eng_bigrams: returns 1 without a lookup when str[0] and str[1] are both digits or either one is '.', ' ', '@' or '/'; otherwise lower-cases the pair into s[] and returns ndpi_match_bigram(s). Both str[0] and str[1] are always read (str[1] even when str[0] is '\0'), so the caller has to guarantee two readable bytes - NOTE(review): callers are not visible here, confirm. */ ndpi_utils.c:ndpi_find_non_eng_bigrams: 740| 710k|static int ndpi_find_non_eng_bigrams(char *str) { 741| 710k| char s[3]; 742| | 743| 710k| if((ndpi_isdigit(str[0]) && ndpi_isdigit(str[1])) ------------------ | | 2526| 1.42M|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 676k, False: 33.7k] | | | Branch (2526:42): [True: 194k, False: 482k] | | ------------------ ------------------ if((ndpi_isdigit(str[0]) && ndpi_isdigit(str[1])) ------------------ | | 2526| 194k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 185k, False: 9.32k] | | | Branch (2526:42): [True: 81.7k, False: 103k] | | ------------------ ------------------ 744| 628k| || ndpi_is_other_char(str[0]) ------------------ | Branch (744:9): [True: 43.6k, False: 585k] ------------------ 745| 585k| || ndpi_is_other_char(str[1]) ------------------ | Branch (745:9): [True: 47.3k, False: 537k] ------------------ 746| 710k| ) 747| 172k| return(1); 748| | /* NOTE(review): str is plain char, so where char is signed a byte >= 0x80 reaches tolower() as a negative int, which <ctype.h> leaves undefined; tolower((unsigned char)str[0]) is the defined form. */ 749| 537k| s[0] = tolower(str[0]), s[1] = tolower(str[1]), s[2] = '\0'; ------------------ | Branch (749:10): [True: 0, False: 0] | Branch (749:10): [True: 0, False: 0] | Branch (749:10): [Folded, False: 537k] | Branch (749:34): [True: 0, False: 0] | Branch (749:34): [True: 0, False: 0] | Branch (749:34): [Folded, False: 537k] ------------------ 750| | 751| 537k| return(ndpi_match_bigram(s)); 752| 710k|} ndpi_utils.c:ndpi_get_flow_info_by_proto_id: 820| 16.7k| u_int16_t proto_id) { 821| 16.7k| switch (proto_id) { ------------------ | Branch (821:11): [True: 6.17k, False: 10.5k] ------------------ 822| 0| case NDPI_PROTOCOL_WHOIS_DAS: ------------------ | Branch (822:5): [True: 0, False: 16.7k] ------------------ 823| 0| case
NDPI_PROTOCOL_MAIL_SMTP: ------------------ | Branch (823:5): [True: 0, False: 16.7k] ------------------ 824| 688| case NDPI_PROTOCOL_NETBIOS: ------------------ | Branch (824:5): [True: 688, False: 16.0k] ------------------ 825| 1.20k| case NDPI_PROTOCOL_SSDP: ------------------ | Branch (825:5): [True: 512, False: 16.2k] ------------------ 826| 1.20k| case NDPI_PROTOCOL_MDNS: ------------------ | Branch (826:5): [True: 2, False: 16.7k] ------------------ 827| 2.37k| case NDPI_PROTOCOL_STUN: ------------------ | Branch (827:5): [True: 1.17k, False: 15.5k] ------------------ 828| 3.75k| case NDPI_PROTOCOL_DNS: ------------------ | Branch (828:5): [True: 1.37k, False: 15.3k] ------------------ 829| 3.85k| case NDPI_PROTOCOL_DHCP: ------------------ | Branch (829:5): [True: 98, False: 16.6k] ------------------ 830| 3.85k| case NDPI_PROTOCOL_XIAOMI: ------------------ | Branch (830:5): [True: 0, False: 16.7k] ------------------ 831| 3.85k| case NDPI_PROTOCOL_SD_RTN: ------------------ | Branch (831:5): [True: 0, False: 16.7k] ------------------ 832| 3.85k| case NDPI_PROTOCOL_COLLECTD: ------------------ | Branch (832:5): [True: 3, False: 16.7k] ------------------ 833| 3.89k| case NDPI_PROTOCOL_HTTP: ------------------ | Branch (833:5): [True: 40, False: 16.6k] ------------------ 834| 3.89k| case NDPI_PROTOCOL_HTTP_CONNECT: ------------------ | Branch (834:5): [True: 0, False: 16.7k] ------------------ 835| 3.89k| case NDPI_PROTOCOL_HTTP_PROXY: ------------------ | Branch (835:5): [True: 0, False: 16.7k] ------------------ 836| 3.89k| return flow->host_server_name; 837| | 838| 252| case NDPI_PROTOCOL_QUIC: ------------------ | Branch (838:5): [True: 252, False: 16.4k] ------------------ 839| 2.28k| case NDPI_PROTOCOL_TLS: ------------------ | Branch (839:5): [True: 2.03k, False: 14.6k] ------------------ 840| 2.28k| if(flow->protos.tls_quic.client_hello_processed != 0) ------------------ | Branch (840:10): [True: 1.13k, False: 1.14k] ------------------ 841| 1.13k| 
return flow->host_server_name; 842| 1.14k| break; 843| 16.7k| } 844| | 845| 11.6k| return NULL; 846| 16.7k|} ndpi_utils.c:ndpi_tls2json: 1424| 2.28k| struct ndpi_flow_struct *flow, bool is_tls_proto) { 1425| 2.28k| if(flow->protos.tls_quic.ssl_version) { ------------------ | Branch (1425:6): [True: 1.61k, False: 663] ------------------ 1426| 1.61k| char buf[64]; 1427| 1.61k| char notBefore[32], notAfter[32]; 1428| 1.61k| struct tm a, b, *before = NULL, *after = NULL; 1429| 1.61k| u_int i, off; 1430| 1.61k| u_int8_t unknown_tls_version; 1431| 1.61k| char version[16], unknown_cipher[8]; 1432| | 1433| 1.61k| ndpi_ssl_version2str(version, sizeof(version), flow->protos.tls_quic.ssl_version, &unknown_tls_version); 1434| | 1435| 1.61k| if(flow->protos.tls_quic.notBefore) ------------------ | Branch (1435:8): [True: 418, False: 1.20k] ------------------ 1436| 418| before = ndpi_gmtime_r((const time_t *)&flow->protos.tls_quic.notBefore, &a); 1437| | 1438| 1.61k| if(flow->protos.tls_quic.notAfter) ------------------ | Branch (1438:8): [True: 392, False: 1.22k] ------------------ 1439| 392| after = ndpi_gmtime_r((const time_t *)&flow->protos.tls_quic.notAfter, &b); 1440| | 1441| 1.61k| if(!unknown_tls_version) { ------------------ | Branch (1441:8): [True: 1.57k, False: 40] ------------------ 1442| 1.57k| ndpi_serialize_start_of_block(serializer, "tls"); 1443| 1.57k| ndpi_serialize_string_string(serializer, "version", version); 1444| | 1445| 1.57k| if(flow->protos.tls_quic.server_names) { ------------------ | Branch (1445:10): [True: 419, False: 1.16k] ------------------ 1446| 419| ndpi_serialize_string_string(serializer, "server_names", 1447| 419| flow->protos.tls_quic.server_names); 1448| 419| } 1449| | 1450| 1.57k| if(before) { ------------------ | Branch (1450:10): [True: 34, False: 1.54k] ------------------ 1451| 34| strftime(notBefore, sizeof(notBefore), "%Y-%m-%d %H:%M:%S", before); 1452| 34| ndpi_serialize_string_string(serializer, "notbefore", notBefore); 1453| 34| } 
1454| | 1455| 1.57k| if(after) { ------------------ | Branch (1455:10): [True: 2, False: 1.57k] ------------------ 1456| 2| strftime(notAfter, sizeof(notAfter), "%Y-%m-%d %H:%M:%S", after); 1457| 2| ndpi_serialize_string_string(serializer, "notafter", notAfter); 1458| 2| } 1459| | 1460| 1.57k| ndpi_serialize_string_string(serializer, "ja3s", flow->protos.tls_quic.ja3_server); 1461| 1.57k| ndpi_serialize_string_string(serializer, "ja4", flow->protos.tls_quic.ja4_client); 1462| 1.57k| ndpi_serialize_string_uint32(serializer, "unsafe_cipher", flow->protos.tls_quic.server_unsafe_cipher); 1463| 1.57k| ndpi_serialize_string_string(serializer, "cipher", 1464| 1.57k| ndpi_cipher2str(flow->protos.tls_quic.server_cipher, unknown_cipher)); 1465| | 1466| 1.57k| if(flow->protos.tls_quic.issuerDN) ------------------ | Branch (1466:10): [True: 371, False: 1.20k] ------------------ 1467| 371| ndpi_serialize_string_string(serializer, "issuerDN", flow->protos.tls_quic.issuerDN); 1468| | 1469| 1.57k| if(flow->protos.tls_quic.subjectDN) ------------------ | Branch (1469:10): [True: 453, False: 1.12k] ------------------ 1470| 453| ndpi_serialize_string_string(serializer, "subjectDN", flow->protos.tls_quic.subjectDN); 1471| | 1472| 1.57k| if(flow->protos.tls_quic.advertised_alpns) ------------------ | Branch (1472:10): [True: 349, False: 1.23k] ------------------ 1473| 349| ndpi_serialize_string_string(serializer, "advertised_alpns", flow->protos.tls_quic.advertised_alpns); 1474| | 1475| 1.57k| if(flow->protos.tls_quic.negotiated_alpn) ------------------ | Branch (1475:10): [True: 14, False: 1.56k] ------------------ 1476| 14| ndpi_serialize_string_string(serializer, "negotiated_alpn", flow->protos.tls_quic.negotiated_alpn); 1477| | 1478| 1.57k| if(flow->protos.tls_quic.tls_supported_versions) ------------------ | Branch (1478:10): [True: 13, False: 1.56k] ------------------ 1479| 13| ndpi_serialize_string_string(serializer, "tls_supported_versions", 
flow->protos.tls_quic.tls_supported_versions); 1480| | 1481| 1.57k| if(flow->protos.tls_quic.sha1_certificate_fingerprint[0] != '\0') { ------------------ | Branch (1481:10): [True: 477, False: 1.10k] ------------------ 1482| 10.0k| for(i=0, off=0; i<20; i++) { ------------------ | Branch (1482:25): [True: 9.54k, False: 477] ------------------ 1483| 9.54k| int rc = ndpi_snprintf(&buf[off], sizeof(buf)-off-1,"%s%02X", (i > 0) ? ":" : "", ------------------ | Branch (1483:73): [True: 9.06k, False: 477] ------------------ 1484| 9.54k| flow->protos.tls_quic.sha1_certificate_fingerprint[i] & 0xFF); 1485| | 1486| 9.54k| if(rc <= 0) break; else off += rc; ------------------ | Branch (1486:14): [True: 0, False: 9.54k] ------------------ 1487| 9.54k| } 1488| | 1489| 477| ndpi_serialize_string_string(serializer, "fingerprint", buf); 1490| 477| } 1491| | 1492| 1.57k| if (is_tls_proto == true) ------------------ | Branch (1492:11): [True: 1.57k, False: 0] ------------------ 1493| 1.57k| ndpi_serialize_tls_blocks(ndpi_struct, serializer, flow); 1494| | 1495| 1.57k| ndpi_serialize_end_of_block(serializer); 1496| 1.57k| } 1497| 1.61k| } 1498| 2.28k|} ndpi_utils.c:ndpi_url_decode: 2219| 1.54k|static int ndpi_url_decode(const char *s, char *out) { 2220| 1.54k| char *o; 2221| 1.54k| const char *end = s + strlen(s); 2222| 1.54k| int c; 2223| | 2224| 192k| for(o = out; s <= end; o++) { ------------------ | Branch (2224:16): [True: 190k, False: 1.50k] ------------------ 2225| 190k| c = *s++; 2226| 190k| if(c == '+') c = ' '; ------------------ | Branch (2226:8): [True: 349, False: 190k] ------------------ 2227| 190k| else if(c == '%' && (!ishex(*s++)|| ------------------ | Branch (2227:13): [True: 67, False: 190k] | Branch (2227:26): [True: 35, False: 32] ------------------ 2228| 32| !ishex(*s++)|| ------------------ | Branch (2228:5): [True: 6, False: 26] ------------------ 2229| 26| (sscanf(s - 2, "%2x", (unsigned int*)&c) != 1))) ------------------ | Branch (2229:5): [True: 0, 
False: 26] ------------------ 2230| 41| return(-1); 2231| | /* The loop runs while s <= end, so the terminating NUL is copied as well and is counted in the returned length; every step writes one byte and consumes at least one, so out needs room for strlen(s)+1 bytes. NOTE(review): with out == NULL (never hit in this run) nothing is stored but o is still advanced from NULL - confirm that mode is intended. */ 2232| 190k| if(out) *o = c; ------------------ | Branch (2232:8): [True: 190k, False: 0] ------------------ 2233| 190k| } 2234| | 2235| 1.50k| return(o - out); 2236| 1.54k|} /* ishex: non-zero when x is an ASCII hex digit (0-9, a-f, A-F). */ ndpi_utils.c:ishex: 2213| 99|static int ishex(int x) { 2214| 99| return(x >= '0' && x <= '9') || (x >= 'a' && x <= 'f') || (x >= 'A' && x <= 'F'); ------------------ | Branch (2214:10): [True: 66, False: 33] | Branch (2214:22): [True: 48, False: 18] | Branch (2214:36): [True: 9, False: 42] | Branch (2214:48): [True: 7, False: 2] | Branch (2214:62): [True: 11, False: 33] | Branch (2214:74): [True: 3, False: 8] ------------------ 2215| 99|} /* ndpi_is_xss_injection: passes query and its strlen() to libinjection_xss() and returns that result unchanged; query must be NUL-terminated. */ ndpi_utils.c:ndpi_is_xss_injection: 2251| 1.50k|static int ndpi_is_xss_injection(char* query) { 2252| 1.50k| size_t qlen = strlen(query); 2253| 1.50k| return libinjection_xss(query, qlen); 2254| 1.50k|} /* ndpi_is_sql_injection: initialises a libinjection SQLi state over query (length from strlen(), FLAG_NONE) and returns libinjection_is_sqli() for it; query must be NUL-terminated. */ ndpi_utils.c:ndpi_is_sql_injection: 2240| 1.49k|static int ndpi_is_sql_injection(char* query) { 2241| 1.49k| struct libinjection_sqli_state state; 2242| | 2243| 1.49k| size_t qlen = strlen(query); 2244| 1.49k| libinjection_sqli_init(&state, query, qlen, FLAG_NONE); 2245| | 2246| 1.49k| return libinjection_is_sqli(&state); 2247| 1.49k|} ndpi_utils.c:ndpi_check_hostname_risk_exception: 3379| 2.59k| char *hostname) { 3380| 2.59k| if(hostname == NULL) ------------------ | Branch (3380:6): [True: 0, False: 2.59k] ------------------ 3381| 0| return(0); 3382| 2.59k| else { 3383| 2.59k| ndpi_automa *automa = &ndpi_str->host_risk_mask_automa; 3384| 2.59k| u_int8_t ret = 0; 3385| | 3386| 2.59k| if(automa && automa->ac_automa) { ------------------ | Branch (3386:8): [True: 2.59k, False: 0] | Branch (3386:18): [True: 2.32k, False: 272] ------------------ 3387| 2.32k| AC_TEXT_t ac_input_text; 3388| 2.32k| AC_REP_t match; 3389| | 3390| 2.32k| memset(&match, 0, sizeof(match)); 3391| 2.32k| ac_input_text.astring = hostname, ac_input_text.length = strlen(hostname); 3392| 2.32k| ac_input_text.option = 0; 3393| | 3394|
2.32k| if(ac_automata_search(automa->ac_automa, &ac_input_text, &match) > 0) { ------------------ | Branch (3394:10): [True: 17, False: 2.30k] ------------------ 3395| 17| if(flow) flow->risk_mask &= match.number64; ------------------ | Branch (3395:5): [True: 17, False: 0] ------------------ 3396| 17| ret = 1; 3397| 17| } 3398| 2.32k| } 3399| | 3400| 2.59k| return(ret); 3401| 2.59k| } 3402| 2.59k|} ndpi_utils.c:ndpi_check_ipv4_exception: 3409| 8.27k| u_int32_t addr) { 3410| 8.27k| struct in_addr pin; 3411| 8.27k| u_int64_t r; 3412| | 3413| 8.27k| pin.s_addr = addr; 3414| 8.27k| r = ndpi_host_ip_risk_ptree_match(ndpi_str, &pin); 3415| | 3416| 8.27k| if(flow) flow->risk_mask &= r; ------------------ | Branch (3416:6): [True: 8.27k, False: 0] ------------------ 3417| | 3418| 8.27k| return((r != (u_int64_t)-1) ? 1 : 0); ------------------ | Branch (3418:10): [True: 0, False: 8.27k] ------------------ 3419| 8.27k|} ndpi_utils.c:ndpi_host_ip_risk_ptree_match: 3316| 8.27k| struct in_addr *pin /* network byte order */) { 3317| 8.27k| ndpi_prefix_t prefix; 3318| 8.27k| ndpi_patricia_node_t *node; 3319| | 3320| 8.27k| if(!ndpi_str->ip_risk_mask) ------------------ | Branch (3320:6): [True: 2.03k, False: 6.24k] ------------------ 3321| 2.03k| return((u_int64_t)-1); 3322| | 3323| | /* Make sure all in network byte order otherwise compares wont work */ 3324| 6.24k| ndpi_fill_prefix_v4(&prefix, pin, 32, 3325| 6.24k| ((ndpi_patricia_tree_t *) ndpi_str->ip_risk_mask->v4)->maxbits); 3326| 6.24k| node = ndpi_patricia_search_best(ndpi_str->ip_risk_mask->v4, &prefix); 3327| | 3328| 6.24k| if(node) ------------------ | Branch (3328:6): [True: 0, False: 6.24k] ------------------ 3329| 0| return(node->value.u.uv64); 3330| 6.24k| else 3331| 6.24k| return((u_int64_t)-1); 3332| 6.24k|} ndpi_utils.c:ndpi_check_ipv6_exception: 3425| 22| struct in6_addr *addr) { 3426| 22| u_int64_t r; 3427| | 3428| 22| r = ndpi_host_ip_risk_ptree_match6(ndpi_str, addr); 3429| | 3430| 22| if(flow) 
flow->risk_mask &= r; ------------------ | Branch (3430:6): [True: 22, False: 0] ------------------ 3431| | 3432| 22| return((r != (u_int64_t)-1) ? 1 : 0); ------------------ | Branch (3432:10): [True: 0, False: 22] ------------------ 3433| 22|} /* ndpi_host_ip_risk_ptree_match6: looks pin6 up as a /128 prefix in ip_risk_mask->v6 and returns the matched node's 64-bit value; returns all-ones ((u_int64_t)-1) when no mask tree is configured or nothing matches, which leaves a caller's "risk_mask &= r" unchanged. */ ndpi_utils.c:ndpi_host_ip_risk_ptree_match6: 3337| 22| struct in6_addr *pin6) { 3338| 22| ndpi_prefix_t prefix; 3339| 22| ndpi_patricia_node_t *node; 3340| | 3341| 22| if(!ndpi_str->ip_risk_mask) ------------------ | Branch (3341:6): [True: 8, False: 14] ------------------ 3342| 8| return((u_int64_t)-1); 3343| | 3344| | /* Make sure all in network byte order otherwise compares wont work */ 3345| 14| ndpi_fill_prefix_v6(&prefix, pin6, 128, 3346| 14| ((ndpi_patricia_tree_t *) ndpi_str->ip_risk_mask->v6)->maxbits); 3347| 14| node = ndpi_patricia_search_best(ndpi_str->ip_risk_mask->v6, &prefix); 3348| | 3349| 14| if(node) ------------------ | Branch (3349:6): [True: 0, False: 14] ------------------ 3350| 0| return(node->value.u.uv64); 3351| 14| else 3352| 14| return((u_int64_t)-1); 3353| 14|} /* get_n16bit: combines cbuf[0] as the low byte and cbuf[1] as the high byte; it reads exactly two bytes and checks nothing, so the caller must already know both lie inside the buffer. */ ndpi_utils.c:get_n16bit: 3823| 43.7k|static inline u_int16_t get_n16bit(u_int8_t const * cbuf) { 3824| 43.7k| u_int16_t r = ((u_int16_t)cbuf[0]) | (((u_int16_t)cbuf[1]) << 8); 3825| 43.7k| return r; 3826| 43.7k|} /* risk_infos_pair_cmp: orders two ndpi_risk_information entries by descending id (positive result when b->id is larger). NOTE(review): a subtraction comparator is only sound while the difference fits in int; the type of id is not visible here - confirm, or compare with < and >. */ ndpi_utils.c:risk_infos_pair_cmp: 4035| 5.64k|{ 4036| 5.64k| struct ndpi_risk_information *a = (struct ndpi_risk_information *)_a; 4037| 5.64k| struct ndpi_risk_information *b = (struct ndpi_risk_information *)_b; 4038| | 4039| 5.64k| return b->id - a->id; 4040| 5.64k|} ndpi_utils.c:ndpi_domain_mapper_init: 4408| 1|static void ndpi_domain_mapper_init() { 4409| 1| u_int i; 4410| 1| u_char idx = 1 /* start from 1 to make sure 0 is no ambiguous */; 4411| | 4412| 1| memset(ndpi_domain_mapper, IGNORE_CHAR, 256); ------------------ | | 4403| 1|#define IGNORE_CHAR 0xFF ------------------ 4413| | 4414| 27| for(i='a'; i<= 'z'; i++) ------------------ | Branch (4414:14): [True: 26, False: 1] ------------------ 4415| 26|
ndpi_domain_mapper[i] = idx++; 4416| | 4417| 11| for(i='0'; i<= '9'; i++) ------------------ | Branch (4417:14): [True: 10, False: 1] ------------------ 4418| 10| ndpi_domain_mapper[i] = idx++; 4419| | 4420| 1| ndpi_domain_mapper['-'] = idx++; 4421| 1| ndpi_domain_mapper['_'] = idx++; 4422| 1| ndpi_domain_mapper['.'] = idx++; 4423| 1|} ndpi_utils.c:ndpi_tls_refine_master_protocol: 5031| 10.9k| struct ndpi_flow_struct *flow) { 5032| 10.9k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 5033| 10.9k| u_int32_t protocol; 5034| | 5035| 10.9k| if(packet->tcp != NULL) { ------------------ | Branch (5035:6): [True: 10.9k, False: 0] ------------------ 5036| | /* 5037| | In case of TLS there are probably sub-protocols 5038| | such as IMAPS that can be otherwise detected 5039| | */ 5040| 10.9k| u_int16_t sport = ntohs(packet->tcp->source); 5041| 10.9k| u_int16_t dport = ntohs(packet->tcp->dest); 5042| | 5043| 10.9k| if(flow->stun.maybe_dtls) ------------------ | Branch (5043:8): [True: 0, False: 10.9k] ------------------ 5044| 0| protocol = NDPI_PROTOCOL_DTLS; 5045| 10.9k| else if((sport == 465) || (dport == 465) || (sport == 587) || (dport == 587)) ------------------ | Branch (5045:13): [True: 0, False: 10.9k] | Branch (5045:31): [True: 43, False: 10.8k] | Branch (5045:49): [True: 0, False: 10.8k] | Branch (5045:67): [True: 0, False: 10.8k] ------------------ 5046| 43| protocol = NDPI_PROTOCOL_MAIL_SMTPS; 5047| 10.8k| else if((sport == 993) || (dport == 993) || (flow->l4.tcp.mail_imap_starttls)) ------------------ | Branch (5047:13): [True: 0, False: 10.8k] | Branch (5047:31): [True: 880, False: 10.0k] | Branch (5047:49): [True: 0, False: 10.0k] ------------------ 5048| 880| protocol = NDPI_PROTOCOL_MAIL_IMAPS; 5049| 10.0k| else if((sport == 995) || (dport == 995)) ------------------ | Branch (5049:13): [True: 1, False: 10.0k] | Branch (5049:31): [True: 0, False: 10.0k] ------------------ 5050| 1| protocol = NDPI_PROTOCOL_MAIL_POPS; 5051| 10.0k| else 5052| 10.0k| 
protocol = NDPI_PROTOCOL_TLS; 5053| 10.9k| } else { 5054| 0| protocol = NDPI_PROTOCOL_DTLS; 5055| 0| } 5056| | 5057| 10.9k| return protocol; 5058| 10.9k|} init_activision_dissector: 102| 7.08k|{ 103| 7.08k| ndpi_register_dissector("Activision", ndpi_struct, 104| 7.08k| ndpi_search_activision, 105| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 106| 7.08k| 1, NDPI_PROTOCOL_ACTIVISION); 107| 7.08k|} activision.c:ndpi_search_activision: 41| 3.36k|{ 42| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search activision\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| | 46| 3.36k| if (packet->payload_packet_len < 18) ------------------ | Branch (46:7): [True: 204, False: 3.15k] ------------------ 47| 204| { 48| 204| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 204|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 204| return; 50| 204| } 51| | 52| 3.15k| if (flow->packet_direction_counter[packet->packet_direction] == 1) ------------------ | Branch (52:7): [True: 3.15k, False: 0] ------------------ 53| 3.15k| { 54| 3.15k| if (packet->packet_direction == 0) ------------------ | Branch (54:9): [True: 2.05k, False: 1.10k] ------------------ 55| 2.05k| { 56| 2.05k| if (ntohs(get_u_int16_t(packet->payload, 0)) != 0x0c02) ------------------ | Branch (56:11): [True: 2.05k, False: 0] ------------------ 57| 2.05k| { 58| 2.05k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.05k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 2.05k| return; 60| 2.05k| } 61| 2.05k| } else { 62| 1.10k| if (ntohs(get_u_int16_t(packet->payload, 0)) != 0x0d02) ------------------ | Branch (62:11): [True: 1.10k, False: 1] ------------------ 63| 1.10k| { 64| 1.10k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.10k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 1.10k| return; 66| 1.10k| } 67| 1.10k| } 68| | 69| 1| if (packet->payload_packet_len < 29) ------------------ | Branch (69:9): [True: 0, False: 1] ------------------ 70| 0| { 71| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, 
__LINE__) ------------------ 72| 0| return; 73| 0| } 74| | 75| 1| if (ntohs(get_u_int16_t(packet->payload, 17)) == 0xc0a8 && ------------------ | Branch (75:9): [True: 0, False: 1] ------------------ 76| 1| ntohl(get_u_int32_t(packet->payload, 19)) == 0x0015020c) ------------------ | Branch (76:9): [True: 0, False: 0] ------------------ 77| 0| { 78| 0| ndpi_int_activision_add_connection(ndpi_struct, flow); 79| 0| return; 80| 0| } 81| 1| } else if (packet->packet_direction == 0) { ------------------ | Branch (81:14): [True: 0, False: 0] ------------------ 82| 0| if (packet->payload[0] != 0x29) ------------------ | Branch (82:9): [True: 0, False: 0] ------------------ 83| 0| { 84| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 85| 0| return; 86| 0| } 87| 0| } else if (packet->packet_direction == 1) { ------------------ | Branch (87:14): [True: 0, False: 0] ------------------ 88| 0| if (packet->payload[0] != 0x28) ------------------ | Branch (88:9): [True: 0, False: 0] ------------------ 89| 0| { 90| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 91| 0| return; 92| 0| } 93| 0| } 94| | 95| 1| if (flow->packet_counter > 4) ------------------ | Branch (95:7): [True: 0, False: 1] ------------------ 96| 0| { 97| 0| ndpi_int_activision_add_connection(ndpi_struct, flow); 98| 0| } 99| 1|} init_afp_dissector: 80| 7.08k|{ 81| 7.08k| ndpi_register_dissector("AFP", ndpi_struct, 82| 7.08k| ndpi_search_afp, 83| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 84| 7.08k| 1, NDPI_PROTOCOL_AFP); 85| 7.08k|} afp.c:ndpi_search_afp: 46| 14.6k|{ 47| 14.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 48| | 49| 14.6k| NDPI_LOG_DBG(ndpi_struct, "search AFP\n"); ------------------ | | 596| 14.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 50| | 51| 14.6k| if (packet->payload_packet_len >= sizeof(struct afpHeader)) { ------------------ | Branch (51:7): [True: 13.2k, False: 1.40k] ------------------ /* The preceding length test guarantees a whole afpHeader lies inside the payload before it is overlaid. NOTE(review): the overlay casts the payload pointer directly; the packing of struct afpHeader is not visible here - confirm it tolerates unaligned payloads. */ 52| 13.2k| struct afpHeader *h = (struct afpHeader*)packet->payload; 53| | 54| 13.2k| if(packet->payload_packet_len > 128) { ------------------ | Branch (54:8): [True: 3.35k, False: 9.86k] ------------------ 55| | /* 56| | When we transfer a large data chunk, unless we have observed 57| | the initial connection, we need to discard these packets 58| | as they are not an indication that this flow is not AFP 59| | */ 60| 3.35k| if(flow->packet_counter > 5) ------------------ | Branch (60:10): [True: 22, False: 3.32k] ------------------ 61| 22| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 22|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 3.35k| return; 63| 3.35k| } 64| | 65| 9.86k| if((h->flags <= 1) ------------------ | Branch (65:8): [True: 873, False: 8.99k] ------------------ 66| 873| && ((h->command >= 1) && (h->command <= 8)) ------------------ | Branch (66:12): [True: 436, False: 437] | Branch (66:33): [True: 132, False: 304] ------------------ 67| 132| && (h->reserved == 0) ------------------ | Branch (67:11): [True: 9, False: 123] ------------------ /* NOTE(review): sizeof(struct afpHeader)+ntohl(h->length) is evaluated in size_t; where size_t is 32 bits a wire length close to 0xFFFFFFFF wraps the sum and lets this test pass. In the lines shown the result only gates classification as AFP; nothing is read at that offset. */ 68| 9| && (packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length)))) { ------------------ | Branch (68:11): [True: 1, False: 8] ------------------ 69| 1| NDPI_LOG_INFO(ndpi_struct, "found AFP: DSI\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 70| 1| ndpi_int_afp_add_connection(ndpi_struct, flow); 71| 1| return; 72| 1| } 73| 9.86k| } 74| | 75| 11.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 11.2k|} afp.c:ndpi_int_afp_add_connection: 40| 1|{ 41| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AFP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 42| 1|} init_ajp_dissector: 124| 7.08k|{ 125| 7.08k| ndpi_register_dissector("AJP", ndpi_struct, 126| 7.08k| ndpi_search_ajp, 127| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 128| 7.08k| 1, NDPI_PROTOCOL_AJP); 129| 7.08k|} ajp.c:ndpi_search_ajp: 113| 11.8k|{ 114| 11.8k| NDPI_LOG_DBG(ndpi_struct, "search AJP\n"); ------------------ | | 596| 11.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 115| 11.8k| ndpi_check_ajp(ndpi_struct, flow); 116| | 117| 11.8k| return; 118| 11.8k|} ajp.c:ndpi_check_ajp: 70| 11.8k| struct ndpi_flow_struct *flow) { 71| 11.8k| struct ajp_header ajp_hdr; 72| 11.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 73| | 74| 11.8k| if (packet->payload_packet_len < sizeof(ajp_hdr)) { ------------------ | Branch (74:7): [True: 734, False: 11.0k] ------------------ 75| 734| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 734|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 734| return; 77| 734| } 78| | 79| 11.0k| memcpy(&ajp_hdr, packet->payload, sizeof(struct ajp_header)); 80| | 81| 11.0k| ajp_hdr.magic = ntohs(ajp_hdr.magic); 82| 11.0k| ajp_hdr.len = ntohs(ajp_hdr.len); 83| | 84| 11.0k| if (ajp_hdr.len > 0 && ajp_hdr.magic == AJP_SERVER_TO_CONTAINER) { ------------------ | Branch (84:7): [True: 10.8k, False: 173] | Branch (84:26): [True: 0, False: 10.8k] ------------------ 85| 0| if (ajp_hdr.code == AJP_FORWARD_REQUEST || ajp_hdr.code == AJP_SHUTDOWN ------------------ | Branch (85:9): [True: 0, False: 0] | Branch (85:48): [True: 0, False: 0] ------------------ 86| 0| || ajp_hdr.code == 
AJP_PING || ajp_hdr.code == AJP_CPING) { ------------------ | Branch (86:12): [True: 0, False: 0] | Branch (86:40): [True: 0, False: 0] ------------------ 87| | 88| 0| set_ajp_detected(ndpi_struct, flow); 89| | 90| 0| } else { 91| 0| NDPI_LOG_DBG(ndpi_struct, "Invalid AJP request type"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 92| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 93| 0| } 94| 11.0k| } else if (ajp_hdr.len > 0 && ajp_hdr.magic == AJP_CONTAINER_TO_SERVER) { ------------------ | Branch (94:14): [True: 10.8k, False: 173] | Branch (94:33): [True: 4, False: 10.8k] ------------------ 95| 4| if (ajp_hdr.code == AJP_SEND_BODY_CHUNK || ajp_hdr.code == AJP_SEND_HEADERS ------------------ | Branch (95:9): [True: 0, False: 4] | Branch (95:48): [True: 0, False: 4] ------------------ 96| 4| || ajp_hdr.code == AJP_END_RESPONSE || ajp_hdr.code == AJP_GET_BODY_CHUNK ------------------ | Branch (96:12): [True: 0, False: 4] | Branch (96:48): [True: 0, False: 4] ------------------ 97| 4| || ajp_hdr.code == AJP_CPONG) { ------------------ | Branch (97:12): [True: 0, False: 4] ------------------ 98| | 99| 0| set_ajp_detected(ndpi_struct, flow); 100| | 101| 4| } else { 102| 4| NDPI_LOG_DBG(ndpi_struct, "Invalid AJP response type"); ------------------ | | 596| 4|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 103| 4| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 104| 4| } 105| 11.0k| } else { 106| 11.0k| NDPI_LOG_DBG(ndpi_struct,"Invalid AJP packet\n"); ------------------ | | 596| 11.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 107| 11.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 108| 11.0k| } 109| 11.0k|} init_alicloud_dissector: 72| 7.08k|{ 73| 7.08k| ndpi_register_dissector("AliCloud", ndpi_struct, 74| 7.08k| ndpi_search_alicloud, 75| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP 
| NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 76| 7.08k| 1, NDPI_PROTOCOL_ALICLOUD); 77| 7.08k|} alicloud.c:ndpi_search_alicloud: 40| 20.1k|{ 41| 20.1k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 42| | 43| 20.1k| NDPI_LOG_DBG(ndpi_struct, "search alicloud\n"); ------------------ | | 596| 20.1k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 20.1k| if (packet->payload_packet_len < 8) ------------------ | Branch (45:7): [True: 887, False: 19.2k] ------------------ 46| 887| { 47| 887| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 887|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 48| 887| return; 49| 887| } 50| | 51| 19.2k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0xcefabeba) ------------------ | Branch (51:7): [True: 0, False: 19.2k] ------------------ 52| 0| { 53| 0| u_int32_t pdu_len = ntohl(get_u_int32_t(packet->payload, 4)); 54| | 55| 0| if (packet->payload_packet_len == 8 && pdu_len > 0) ------------------ | Branch (55:9): [True: 0, False: 0] | Branch (55:44): [True: 0, False: 0] ------------------ 56| 0| { 57| 0| ndpi_int_alicloud_add_connection(ndpi_struct, flow); 58| 0| return; 59| 0| } else if (pdu_len == (u_int32_t)packet->payload_packet_len - 8) { ------------------ | Branch (59:16): [True: 
0, False: 0] ------------------ 60| 0| ndpi_int_alicloud_add_connection(ndpi_struct, flow); 61| 0| return; 62| 0| } 63| 0| } 64| | 65| 19.2k| if (flow->packet_counter > 3) ------------------ | Branch (65:7): [True: 1.96k, False: 17.2k] ------------------ 66| 1.96k| { 67| 1.96k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.96k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 68| 1.96k| } 69| 19.2k|} init_amazon_video_dissector: 68| 7.08k|void init_amazon_video_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 69| 7.08k| ndpi_register_dissector("AMAZON_VIDEO", ndpi_struct, 70| 7.08k| ndpi_search_amazon_video, 71| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 72| 7.08k| 1, NDPI_PROTOCOL_AMAZON_VIDEO); 73| 7.08k|} amazon_video.c:ndpi_search_amazon_video: 61| 15.1k| struct ndpi_flow_struct *flow) { 62| 15.1k| NDPI_LOG_DBG(ndpi_struct, "search amazon_video\n"); ------------------ | | 596| 15.1k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 63| | 64| 15.1k| ndpi_check_amazon_video(ndpi_struct, flow); 65| 15.1k|} amazon_video.c:ndpi_check_amazon_video: 32| 15.1k| struct ndpi_flow_struct *flow) { 33| 15.1k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 34| | 35| 15.1k| NDPI_LOG_DBG(ndpi_struct, "search Amazon Prime\n"); ------------------ | | 596| 15.1k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 36| | 37| 15.1k| if(packet->payload_packet_len > 4) { ------------------ | Branch (37:6): [True: 14.3k, False: 858] ------------------ 38| 14.3k| if((packet->tcp != NULL) && ------------------ | Branch (38:8): [True: 11.0k, False: 3.25k] ------------------ 39| 11.0k| (packet->payload[0] == 0xFE && ------------------ | Branch (39:9): [True: 7, False: 11.0k] ------------------ 40| 7| packet->payload[1] == 0xED && ------------------ | Branch (40:2): [True: 0, False: 7] ------------------ 41| 0| packet->payload[2] == 0xFA && ------------------ | Branch (41:2): [True: 0, False: 0] ------------------ 42| 0| packet->payload[3] == 0xCE)) { ------------------ | Branch (42:2): [True: 0, False: 0] ------------------ 43| 0| NDPI_LOG_INFO(ndpi_struct, "found Amazon Video on TCP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 45| 0| return; 46| 14.3k| } else if((packet->udp != NULL) && ------------------ | Branch (46:15): [True: 3.25k, False: 11.0k] ------------------ 47| 3.25k| (packet->payload[0] == 0xDE && ------------------ | Branch (47:9): [True: 2, False: 3.24k] ------------------ 48| 2| packet->payload[1] == 0xAD && ------------------ | Branch (48:9): [True: 0, False: 2] ------------------ 49| 0| packet->payload[2] == 0xBE && ------------------ | Branch (49:9): [True: 0, False: 0] ------------------ 50| 0| packet->payload[3] == 0xEF)) { ------------------ | Branch (50:9): [True: 0, False: 0] ------------------ 51| 0| NDPI_LOG_INFO(ndpi_struct, "found Amazon Video on UDP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AMAZON_VIDEO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 53| 0| return; 54| 0| } 55| 14.3k| } 56| | 57| 15.1k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.1k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 15.1k|} init_among_us_dissector: 51| 7.08k|{ 52| 7.08k| ndpi_register_dissector("AmongUs", ndpi_struct, 53| 7.08k| ndpi_search_among_us, 54| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 55| 7.08k| 1, NDPI_PROTOCOL_AMONG_US); 56| 7.08k|} among_us.c:ndpi_search_among_us: 36| 3.37k|{ 37| 3.37k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 38| | 39| | /* handshake packet */ 40| 3.37k| if 
(packet->payload_packet_len > 9 && ------------------ | Branch (40:7): [True: 3.23k, False: 143] ------------------ 41| 3.37k| ntohl(*(u_int32_t*)&packet->payload[0]) == 0x08000100 && ------------------ | Branch (41:7): [True: 0, False: 3.23k] ------------------ 42| 3.37k| ntohl(*(u_int32_t*)&packet->payload[4]) == 0x80d90203) ------------------ | Branch (42:7): [True: 0, False: 0] ------------------ 43| 0| { 44| 0| ndpi_int_among_us_add_connection(ndpi_struct, flow); 45| 3.37k| } else { 46| 3.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 47| 3.37k| } 48| 3.37k|} init_amqp_dissector: 76| 7.08k|void init_amqp_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 77| 7.08k| ndpi_register_dissector("AMQP", ndpi_struct, 78| 7.08k| ndpi_search_amqp, 79| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 80| 7.08k| 1, NDPI_PROTOCOL_AMQP); 81| 7.08k|} amqp.c:ndpi_search_amqp: 42| 23.9k|static void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 43| 23.9k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| 23.9k| NDPI_LOG_DBG(ndpi_struct, "search amqp\n"); ------------------ | | 596| 23.9k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 46| | 47| 23.9k| if(packet->payload_packet_len > sizeof(struct amqp_header)) { ------------------ | Branch (47:6): [True: 22.4k, False: 1.46k] ------------------ 48| 22.4k| struct amqp_header *h = (struct amqp_header*)packet->payload; 49| | 50| 22.4k| if(h->ptype <= 3) { ------------------ | Branch (50:7): [True: 2.04k, False: 20.4k] ------------------ 51| 2.04k| u_int32_t length = htonl(h->length); 52| | 53| 2.04k| if(((length+8) >= packet->payload_packet_len) ------------------ | Branch (53:8): [True: 2.00k, False: 35] ------------------ 54| 2.00k| && (length < 32768) /* Upper bound */) { ------------------ | Branch (54:11): [True: 38, False: 1.96k] ------------------ 55| 38| u_int16_t class_id = htons(h->class_id); 56| | 57| 38| if((class_id >= 10) /* Connection */ ------------------ | Branch (57:9): [True: 27, False: 11] ------------------ 58| 27| && (class_id <= 110) /* Tunnel */) { ------------------ | Branch (58:12): [True: 5, False: 22] ------------------ 59| 5| u_int16_t method = htons(h->method); 60| | 61| 5| if(method <= 120 /* Method basic NACK */) { ------------------ | Branch (61:10): [True: 3, False: 2] ------------------ 62| 3| NDPI_LOG_INFO(ndpi_struct, "found amqp over tcp\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 63| 3| ndpi_int_amqp_add_connection(ndpi_struct, flow); 64| 3| return; 65| 3| } 66| 5| } 67| 38| } 68| 2.04k| } 69| 22.4k| } 70| | 71| 23.9k| if(flow->packet_counter > 5) ------------------ | Branch (71:5): [True: 1.38k, False: 22.5k] ------------------ 72| 1.38k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.38k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 23.9k|} amqp.c:ndpi_int_amqp_add_connection: 38| 3| struct ndpi_flow_struct *flow) { 39| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AMQP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 40| 3|} init_armagetron_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("Armagetron", ndpi_struct, 77| 7.08k| ndpi_search_armagetron_udp, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_ARMAGETRON); 80| 7.08k|} armagetron.c:ndpi_search_armagetron_udp: 40| 4.45k|{ 41| 4.45k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| | 43| 4.45k| NDPI_LOG_DBG(ndpi_struct, "search armagetron\n"); ------------------ | | 596| 4.45k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 4.45k| if (packet->payload_packet_len >= 8) { ------------------ | Branch (45:7): [True: 4.31k, False: 132] ------------------ 46| | /* login request */ 47| 4.31k| if (get_u_int32_t(packet->payload, 0) == htonl(0x000b0000)) { ------------------ | | 137| 4.31k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (47:9): [True: 1, False: 4.31k] ------------------ 48| 1| const u_int16_t dataLength = ntohs(get_u_int16_t(packet->payload, 4)); 49| 1| if (dataLength * 2 + 8 == packet->payload_packet_len && ------------------ | Branch (49:11): [True: 0, False: 1] ------------------ 50| 0| get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0) { ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (50:11): [True: 0, False: 0] ------------------ 51| 0| NDPI_LOG_INFO(ndpi_struct, "found armagetron\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_armagetron_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 1| } 56| | /* big_server/big_request */ 57| 4.31k| if (get_u_int32_t(packet->payload, 0) == htonl(0x00330000) || ------------------ | | 137| 4.31k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (57:9): [True: 0, False: 4.31k] ------------------ 58| 4.31k| get_u_int32_t(packet->payload, 0) == htonl(0x00350000)) { ------------------ | | 137| 4.31k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (58:9): [True: 0, False: 4.31k] ------------------ 59| 0| const u_int16_t dataLength = ntohs(get_u_int16_t(packet->payload, 4)); 60| 0| if (dataLength * 2 + 8 == packet->payload_packet_len && ------------------ | Branch (60:11): [True: 0, False: 0] ------------------ 61| 0| get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0) { ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (61:11): [True: 0, False: 0] ------------------ 62| 0| NDPI_LOG_INFO(ndpi_struct, "found armagetron\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 63| 0| ndpi_int_armagetron_add_connection(ndpi_struct, flow); 64| 0| return; 65| 0| } 66| 0| } 67| 4.31k| } 68| | 69| 4.45k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.45k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 4.45k|} init_atg_dissector: 58| 7.08k|void init_atg_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 59| 7.08k| ndpi_register_dissector("ATG", ndpi_struct, 60| 7.08k| ndpi_search_atg, 61| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 62| 7.08k| 1, NDPI_PROTOCOL_ATG); 63| 7.08k|} atg.c:ndpi_search_atg: 36| 11.6k| struct ndpi_flow_struct *flow) { 37| 11.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| | 39| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search for ATG\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 11.6k| if(packet->payload_packet_len >= 8) { ------------------ | Branch (41:6): [True: 10.8k, False: 805] ------------------ 42| 10.8k| u_int16_t atg_port = ntohs(10001); 43| | 44| 10.8k| if((packet->tcp->source == atg_port) || (packet->tcp->dest == atg_port)) { ------------------ | Branch (44:8): [True: 0, False: 10.8k] | Branch (44:45): [True: 0, False: 10.8k] ------------------ 45| 0| if(packet->payload[0] == 0x01 && ------------------ | Branch (45:10): [True: 0, False: 0] ------------------ 46| 0| (packet->payload[1] == 0x49 || packet->payload[1] == 0x69 || packet->payload[1] == 0x53 || packet->payload[1] == 0x73 ) && ------------------ | Branch (46:11): [True: 0, False: 0] | Branch (46:41): [True: 0, False: 0] | Branch (46:71): [True: 0, False: 0] | Branch (46:101): [True: 0, False: 0] ------------------ 47| 0| memcmp(&packet->payload[packet->payload_packet_len - 2], "\r\n", 2) == 0) { ------------------ | Branch (47:10): [True: 0, False: 0] ------------------ 48| 0| NDPI_LOG_INFO(ndpi_struct, "found atg\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 49| 0| ndpi_int_atg_add_connection(ndpi_struct, flow); 50| 0| return; 51| 0| } 52| 0| } 53| 10.8k| } 54| | 55| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 11.6k|} init_avast_dissector: 57| 7.08k|{ 58| 7.08k| ndpi_register_dissector("AVAST", ndpi_struct, 59| 7.08k| ndpi_search_avast, 60| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 61| 7.08k| 1, NDPI_PROTOCOL_AVAST); 62| 7.08k|} avast.c:ndpi_search_avast: 37| 11.7k|{ 38| 11.7k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 39| | 40| 11.7k| if (packet->payload_packet_len < 6) ------------------ | Branch (40:7): [True: 755, False: 10.9k] ------------------ 41| 755| { 42| 755| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 755|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 43| 755| return; 44| 755| } 45| | 46| 10.9k| if (strncmp((char *)&packet->payload[0], "NOSA", NDPI_STATICSTRING_LEN("NOSA")) == 0 && ------------------ | | 98| 10.9k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (46:7): [True: 2, False: 10.9k] ------------------ 47| 10.9k| ntohs(*(uint16_t *)&packet->payload[4]) == packet->payload_packet_len) ------------------ | Branch (47:7): [True: 0, False: 2] ------------------ 48| 0| { 49| 0| ndpi_int_avast_add_connection(ndpi_struct, flow); 50| 0| return; 51| 0| } 52| | 53| 10.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 54| 10.9k|} init_avast_securedns_dissector: 58| 7.08k|{ 59| 7.08k| ndpi_register_dissector("AVAST SecureDNS", ndpi_struct, 60| 7.08k| ndpi_search_avast_securedns, 61| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 62| 7.08k| 1, NDPI_PROTOCOL_AVAST_SECUREDNS); 63| 7.08k|} avast_securedns.c:ndpi_search_avast_securedns: 37| 3.37k|{ 38| 3.37k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 39| | 40| 3.37k| if (packet->payload_packet_len < 34 || ------------------ | Branch (40:7): [True: 502, False: 2.87k] ------------------ 41| 3.37k| ntohl(get_u_int32_t(packet->payload, 11)) != 0x00013209 || ------------------ | Branch (41:7): [True: 2.87k, False: 0] ------------------ 42| 0| flow->packet_counter > 1) ------------------ | Branch (42:7): [True: 0, False: 0] ------------------ 43| 3.37k| { 44| 3.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 45| 3.37k| return; 46| 3.37k| } 47| | 48| 0| if (strncasecmp((char *)&packet->payload[15], "securedns", NDPI_STATICSTRING_LEN("securedns")) == 0) ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( 
s ) ( sizeof( s ) - 1 ) ------------------ | Branch (48:7): [True: 0, False: 0] ------------------ 49| 0| { 50| 0| ndpi_int_avast_securedns_add_connection(ndpi_struct, flow); 51| 0| return; 52| 0| } 53| | 54| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 0|} init_bacnet_dissector: 91| 7.08k|{ 92| 7.08k| ndpi_register_dissector("BACnet", ndpi_struct, 93| 7.08k| ndpi_search_bacnet, 94| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 95| 7.08k| 1, NDPI_PROTOCOL_BACNET); 96| 7.08k|} bacnet.c:ndpi_search_bacnet: 55| 3.36k|{ 56| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 57| 3.36k| struct bvlc_header const * const bvlc = (struct bvlc_header 
*)&packet->payload[0]; 58| | 59| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search BACnet\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 60| | 61| 3.36k| if (packet->payload_packet_len < sizeof(*bvlc)) ------------------ | Branch (61:7): [True: 121, False: 3.23k] ------------------ 62| 121| { 63| 121| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 121|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 64| 121| return; 65| 121| } 66| | 67| 3.23k| if (bvlc->type != 0x81) ------------------ | Branch (67:7): [True: 3.22k, False: 15] ------------------ 68| 3.22k| { 69| 3.22k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.22k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 3.22k| return; 71| 3.22k| } 72| | 73| 15| if (bvlc->function > 0x0b) ------------------ | Branch (73:7): [True: 3, False: 12] ------------------ 74| 3| { 75| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 3| return; 77| 3| } 78| | 79| 12| if (ntohs(bvlc->length) != packet->payload_packet_len) ------------------ | Branch (79:7): [True: 12, False: 0] ------------------ 80| 12| { 81| 12| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 82| 12| return; 83| 12| } 84| | 85| 0| ndpi_int_bacnet_add_connection(ndpi_struct, flow); 86| 0|} init_beckhoff_ads_dissector: 116| 7.08k|{ 117| 7.08k| ndpi_register_dissector("BeckhoffADS", ndpi_struct, 118| 7.08k| 
ndpi_search_beckhoff_ads, 119| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 120| 7.08k| 1, NDPI_PROTOCOL_BECKHOFF_ADS); 121| 7.08k|} beckhoff_ads.c:ndpi_search_beckhoff_ads: 73| 11.6k|{ 74| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 75| | 76| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search 
Beckhoff ADS\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 77| | 78| 11.6k| if (packet->payload_packet_len >= 38) { ------------------ | Branch (78:7): [True: 4.74k, False: 6.93k] ------------------ 79| 4.74k| struct ams_tcp_hdr const * const ams_tcp = (struct ams_tcp_hdr *)packet->payload; 80| 4.74k| u_int16_t ams_message_length = packet->payload_packet_len - sizeof(struct ams_tcp_hdr); 81| | 82| 4.74k| if ((ams_tcp->reserved != 0) || ------------------ | Branch (82:9): [True: 4.33k, False: 403] ------------------ 83| 403| (le32toh(ams_tcp->length) != ams_message_length)) ------------------ | Branch (83:9): [True: 403, False: 0] ------------------ 84| 4.74k| { 85| 4.74k| goto not_beckhoff_ads; 86| 4.74k| } 87| | 88| 0| struct ams_hdr const * const ams = (struct ams_hdr *)&packet->payload[6]; 89| 0| u_int16_t ams_data_len = ams_message_length - sizeof(struct ams_hdr); 90| | 91| 0| if (le32toh(ams->length) == ams_data_len) { ------------------ | Branch (91:9): [True: 0, False: 0] ------------------ 92| | /* Just additional checks to avoid potential 93| | * false positives */ 94| 0| if ((le16toh(ams->state_flags) != 0x0004) && ------------------ | Branch (94:11): [True: 0, False: 0] ------------------ 95| 0| (le16toh(ams->state_flags) != 0x0005)) ------------------ | Branch (95:11): [True: 0, False: 0] ------------------ 96| 0| { 97| 0| goto not_beckhoff_ads; 98| 0| } 99| | 100| 0| if ((le16toh(ams->command_id) > 0x0009) || ------------------ | Branch (100:11): [True: 0, False: 0] ------------------ 101| 0| (le32toh(ams->error_code) > 0x0000001E)) ------------------ | Branch (101:11): [True: 0, False: 0] ------------------ 102| 0| { 103| 0| goto not_beckhoff_ads; 104| 0| } 105| | 106| 0| ndpi_int_beckhoff_ads_add_connection(ndpi_struct, flow); 107| 0| return; 108| 0| } 109| 0| } 110| | 111| 11.6k|not_beckhoff_ads: 112| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); 
------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 113| 11.6k|} init_bfcp_dissector: 81| 7.08k|{ 82| 7.08k| ndpi_register_dissector("BFCP", ndpi_struct, 83| 7.08k| ndpi_search_bfcp, 84| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ 
| | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 85| 7.08k| 1, NDPI_PROTOCOL_BFCP); 86| 7.08k|} bfcp.c:ndpi_search_bfcp: 36| 14.9k|{ 37| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 38| | 39| 14.9k| NDPI_LOG_DBG(ndpi_struct, "search BFCP\n"); ------------------ | | 596| 14.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 14.9k| if (packet->payload_packet_len < 12) { ------------------ | Branch (41:7): [True: 1.03k, False: 13.9k] ------------------ 42| 1.03k| goto not_bfcp; 43| 1.03k| } 44| | 45| 13.9k| u_int8_t version = (packet->payload[0] >> 5) & 0x07; 46| 13.9k| u_int8_t reserved = (packet->payload[0] & 0x03); 47| | 48| | /* RFC4582: 1 49| | RFC8855: 1 on TCP, 2 on UDP */ 50| 13.9k| if (!(version == 1 || ------------------ | Branch (50:9): [True: 1.72k, False: 12.2k] ------------------ 51| 12.2k| (version == 2 && flow->l4_proto == IPPROTO_UDP))) { ------------------ | Branch (51:10): [True: 4.64k, False: 7.56k] | Branch (51:26): [True: 325, False: 4.32k] ------------------ 52| 11.8k| goto not_bfcp; 53| 11.8k| } 54| 2.04k| if (reserved != 0) { ------------------ | Branch (54:7): [True: 926, False: 1.12k] ------------------ 55| 926| goto not_bfcp; 56| 926| } 57| | 58| 1.12k| u_int8_t primitive = packet->payload[1]; 59| 1.12k| if (primitive < 1 || primitive > 18) { ------------------ | Branch (59:7): [True: 11, False: 1.10k] | Branch (59:24): [True: 1.07k, False: 32] ------------------ 60| 1.08k| goto not_bfcp; 61| 1.08k| } 62| | 63| 32| u_int16_t length = ntohs(get_u_int16_t(packet->payload, 2)); 64| 32| if (12 + length * 4 != packet->payload_packet_len) { ------------------ | Branch (64:7): [True: 31, False: 1] ------------------ 65| 31| goto not_bfcp; 66| 31| } 67| | 68| 1| NDPI_LOG_INFO(ndpi_struct, "found BFCP\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 69| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BFCP, 70| 1| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 71| | 72| 1| flow->protos.bfcp.conference_id = ntohl(get_u_int32_t(packet->payload, 4)); 73| 1| flow->protos.bfcp.user_id = ntohs(get_u_int16_t(packet->payload, 10)); 74| 1| return; 75| | 76| 14.9k|not_bfcp: 77| 14.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 78| 14.9k|} init_bfd_dissector: 72| 7.08k|{ 73| 7.08k| ndpi_register_dissector("BFD", ndpi_struct, 74| 7.08k| ndpi_search_bfd, 75| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 76| 7.08k| 1, NDPI_PROTOCOL_BFD); 77| 7.08k|} bfd.c:ndpi_search_bfd: 44| 
3.32k|{ 45| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | 47| | /* BFD echo message */ 48| 3.32k| if (packet->payload_packet_len == 12 && ntohs(packet->udp->dest) == 3785) { ------------------ | Branch (48:7): [True: 29, False: 3.29k] | Branch (48:43): [True: 0, False: 29] ------------------ 49| 0| if (ndpi_ntohll(get_u_int64_t(packet->payload, 0)) == 1 && ------------------ | | 148| 0|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (49:9): [True: 0, False: 0] ------------------ 50| 0| ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len-2)) == 0) ------------------ | Branch (50:9): [True: 0, False: 0] ------------------ 51| 0| { 52| 0| ndpi_int_bfd_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 0| } 56| | 57| | /* BFD control message */ 58| 3.32k| if ((packet->payload_packet_len > 23 && packet->payload_packet_len <= 100) && ------------------ | Branch (58:8): [True: 3.00k, False: 323] | Branch (58:43): [True: 1.74k, False: 1.26k] ------------------ 59| 3.32k| ntohs(packet->udp->dest) == 3784) ------------------ | Branch (59:7): [True: 0, False: 1.74k] ------------------ 60| 0| { 61| 0| if (((packet->payload[0] & 0xE0) >> 5) < 2 && ------------------ | Branch (61:9): [True: 0, False: 0] ------------------ 62| 0| packet->payload[3] == (u_int8_t)packet->payload_packet_len) ------------------ | Branch (62:9): [True: 0, False: 0] ------------------ 63| 0| { 64| 0| ndpi_int_bfd_add_connection(ndpi_struct, flow); 65| 0| return; 66| 0| } 67| 0| } 68| | 69| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 3.32k|} init_bgp_dissector: 59| 7.08k|{ 60| 7.08k| ndpi_register_dissector("BGP", ndpi_struct, 61| 7.08k| ndpi_search_bgp, 62| 7.08k| 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 63| 7.08k| 1, NDPI_PROTOCOL_BGP); 64| 7.08k|} bgp.c:ndpi_search_bgp: 34| 13.4k|{ 35| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 36| 13.4k| u_int16_t bgp_port = htons(179); 37| | 38| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search BGP\n"); ------------------ | | 596| 
13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 13.4k| if(packet->tcp) { ------------------ | Branch (40:6): [True: 13.4k, False: 0] ------------------ 41| 13.4k| if(packet->payload_packet_len > 18 ------------------ | Branch (41:8): [True: 9.06k, False: 4.40k] ------------------ 42| 9.06k| && packet->payload[18] < 5 ------------------ | Branch (42:11): [True: 682, False: 8.37k] ------------------ 43| 682| && ((packet->tcp->dest == bgp_port) || (packet->tcp->source == bgp_port)) ------------------ | Branch (43:12): [True: 1, False: 681] | Branch (43:47): [True: 10, False: 671] ------------------ 44| 11| && (get_u_int64_t(packet->payload, 0) == 0xffffffffffffffffULL) ------------------ | | 148| 11|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (44:11): [True: 0, False: 11] ------------------ 45| 0| && (get_u_int64_t(packet->payload, 8) == 0xffffffffffffffffULL) ------------------ | | 148| 0|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (45:11): [True: 0, False: 0] ------------------ 46| 0| && (ntohs(get_u_int16_t(packet->payload, 16)) <= packet->payload_packet_len)) { ------------------ | Branch (46:11): [True: 0, False: 0] ------------------ 47| | 48| 0| NDPI_LOG_INFO(ndpi_struct, "found BGP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 49| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BGP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 50| 0| return; 51| 0| } 52| 13.4k| } 53| | 54| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 13.4k|} init_bitcoin_dissector: 61| 7.08k|{ 62| 7.08k| ndpi_register_dissector("Bitcoin", ndpi_struct, 63| 7.08k| ndpi_search_bitcoin, 64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_BITCOIN); 66| 7.08k|} bitcoin.c:ndpi_search_bitcoin: 36| 11.7k| struct ndpi_flow_struct *flow) { 37| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search BITCOIN\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 39| 11.7k| if(packet->payload_packet_len >= 4) { ------------------ | Branch (39:6): [True: 11.7k, False: 25] ------------------ 40| 11.7k| if(packet->tcp->source == htons(8333) || ------------------ | Branch (40:8): [True: 0, False: 11.7k] ------------------ 41| 11.7k| packet->tcp->dest == htons(8333)) { ------------------ | Branch (41:7): [True: 2, False: 11.6k] ------------------ 42| 2| u_int32_t ntoh_to_match = ntohl(*(u_int32_t*)packet->payload); 43| 2| switch (ntoh_to_match) { ------------------ | Branch (43:15): [True: 0, False: 2] ------------------ 44| 0| case MAIN_NET_MAGIC: ------------------ | | 29| 0|#define MAIN_NET_MAGIC 0xF9BEB4D9 ------------------ | Branch (44:9): [True: 0, False: 2] ------------------ 45| 0| case TEST_NET_MAGIC: ------------------ | | 30| 0|#define TEST_NET_MAGIC 0xFABFB5DA ------------------ | Branch (45:9): [True: 0, False: 2] ------------------ 46| 0| case TEST_3_NET_MAGIC: ------------------ | | 31| 0|#define TEST_3_NET_MAGIC 0x0B110907 ------------------ | Branch (46:9): [True: 0, False: 2] ------------------ 47| 0| case SIG_NET_MAGIC: ------------------ | | 32| 0|#define SIG_NET_MAGIC 0x0A03CF40 ------------------ | Branch (47:9): [True: 0, False: 2] ------------------ 48| 0| case 
NAME_COIN_NET_MAGIC: ------------------ | | 33| 0|#define NAME_COIN_NET_MAGIC 0xF9BEB4FE ------------------ | Branch (48:9): [True: 0, False: 2] ------------------ 49| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BITCOIN, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 50| 0| NDPI_LOG_INFO(ndpi_struct, "found BITCOIN\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 51| 0| return; 52| 2| } 53| 2| } 54| 11.7k| } 55| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 11.7k|} /* make_bittorrent_host_key builds a 64-bit key for one endpoint of the flow: the client (c_address, c_port + offset) when client is non-zero, otherwise the server (s_address, s_port). IPv4: the address is shifted into the upper 32 bits and the port is OR-ed into the low bits. IPv6: the 16-byte address is passed to ndpi_quick_hash64 and the result is shifted left by 16 before the port is OR-ed in, so the top 16 bits of that hash are discarded (assuming it returns 64 bits - confirm) and distinct IPv6 hosts can map to the same key. NOTE(review): confirm that whatever is indexed by this key tolerates collisions. ntohs(c_port) + offset is computed as int and narrowed by htons, which takes a 16-bit argument, so a client port near 65535 wraps. */ make_bittorrent_host_key: 148| 10.8k|u_int64_t make_bittorrent_host_key(struct ndpi_flow_struct *flow, int client, int offset) { 149| 10.8k| u_int64_t key; 150| | 151| | /* network byte order */ 152| 10.8k| if(flow->is_ipv6) { ------------------ | Branch (152:6): [True: 192, False: 10.6k] ------------------ 153| 192| if(client) ------------------ | Branch (153:8): [True: 96, False: 96] ------------------ 154| 96| key = (ndpi_quick_hash64((const char *)flow->c_address.v6, 16) << 16) | htons(ntohs(flow->c_port) + offset); 155| 96| else 156| 96| key = (ndpi_quick_hash64((const char *)flow->s_address.v6, 16) << 16) | flow->s_port; 157| 10.6k| } else { 158| 10.6k| if(client) ------------------ | Branch (158:8): [True: 6.95k, False: 3.74k] ------------------ 159| 6.95k| key = ((u_int64_t)flow->c_address.v4 << 32) | htons(ntohs(flow->c_port) + offset); 160| 3.74k| else 161| 3.74k| key = ((u_int64_t)flow->s_address.v4 << 32) | flow->s_port; 162| 10.6k| } 163| | 164| 10.8k| return key; 165| 10.8k|} /* make_bittorrent_peers_key builds a 64-bit key for the client/server address pair; ports are not part of it. IPv4: c_address.v4 is shifted into the upper 32 bits and s_address.v4 is OR-ed into the lower bits. IPv6: each 16-byte address is passed to ndpi_quick_hash64; the client hash is shifted left by 32 and the server hash is masked to its low 32 bits, so only part of each hash is kept and different address pairs can produce the same key. */ make_bittorrent_peers_key: 169| 3.83k|u_int64_t make_bittorrent_peers_key(struct ndpi_flow_struct *flow) { 170| 3.83k| u_int64_t key; 171| | 172| | /* network byte order */ 173| 3.83k| if(flow->is_ipv6) ------------------ | Branch (173:6):
[True: 96, False: 3.74k] ------------------ 174| 96| key = (ndpi_quick_hash64((const char *)flow->c_address.v6, 16) << 32) | (ndpi_quick_hash64((const char *)flow->s_address.v6, 16) & 0xFFFFFFFF); 175| 3.74k| else 176| 3.74k| key = ((u_int64_t)flow->c_address.v4 << 32) | flow->s_address.v4; 177| | 178| 3.83k| return key; 179| 3.83k|} init_bittorrent_dissector: 657| 7.08k|{ 658| 7.08k| ndpi_register_dissector("BitTorrent", ndpi_struct, 659| 7.08k| ndpi_search_bittorrent, 660| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 661| 7.08k| 1, NDPI_PROTOCOL_BITTORRENT); 662| 7.08k|} bittorrent.c:ndpi_search_bittorrent: 527| 30.6k| struct ndpi_flow_struct *flow) { 528| 30.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 529| 30.6k| char *bt_proto = NULL; 530| | 531| 30.6k| NDPI_LOG_DBG(ndpi_struct, "Search bittorrent\n"); ------------------ | | 596| 30.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 532| | 533| | /* This is broadcast */ 534| 30.6k| if(packet->iph) { ------------------ | Branch (534:6): [True: 30.3k, False: 316] ------------------ 535| 30.3k| if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF)) ------------------ | Branch (535:8): [True: 14, False: 30.3k] | Branch (535:46): [True: 165, False: 30.1k] ------------------ 536| 179| goto exclude_bt; 537| | 538| 30.1k| if(packet->udp) { ------------------ | Branch (538:8): [True: 3.43k, False: 26.7k] ------------------ 539| 3.43k| u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); 540| | 541| 3.43k| if(is_port(sport, dport, 3544) /* teredo */ ------------------ | Branch (541:10): [True: 0, False: 3.43k] ------------------ 542| 3.43k| || is_port(sport, dport, 5246) || is_port(sport, dport, 5247) /* CAPWAP */) { ------------------ | Branch (542:6): [True: 0, False: 3.43k] | Branch (542:37): [True: 36, False: 3.39k] ------------------ 543| 215| exclude_bt: 544| 215| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 215|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 545| 215| return; 546| 36| } 547| 3.43k| } 548| 
30.1k| } 549| | 550| 30.4k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_BITTORRENT) { ------------------ | Branch (550:6): [True: 30.4k, False: 0] ------------------ 551| 30.4k| if(packet->tcp != NULL) { ------------------ | Branch (551:8): [True: 26.7k, False: 3.68k] ------------------ 552| 26.7k| ndpi_int_search_bittorrent_tcp(ndpi_struct, flow); 553| 26.7k| } else if(packet->udp != NULL) { ------------------ | Branch (553:15): [True: 3.68k, False: 0] ------------------ 554| | /* UDP */ 555| 3.68k| const char *bt_search = "BT-SEARCH * HTTP/1.1\r\n"; 556| 3.68k| const char *bt_search1 = "d1:ad2:id20:"; 557| | 558| 3.68k| if((ntohs(packet->udp->source) < 1024) ------------------ | Branch (558:10): [True: 479, False: 3.20k] ------------------ 559| 3.20k| || (ntohs(packet->udp->dest) < 1024) /* High ports only */) { ------------------ | Branch (559:6): [True: 459, False: 2.74k] ------------------ 560| 938| ndpi_skip_bittorrent(ndpi_struct, flow); 561| 938| return; 562| 938| } 563| | 564| | /* 565| | Check for uTP http://www.bittorrent.org/beps/bep_0029.html 566| | 567| | wireshark/epan/dissectors/packet-bt-utp.c 568| | */ 569| | 570| 2.74k| if( 571| 2.74k| (packet->payload_packet_len > 22 && strncmp((const char*)packet->payload, bt_search, strlen(bt_search)) == 0) || ------------------ | Branch (571:6): [True: 2.66k, False: 85] | Branch (571:41): [True: 2, False: 2.65k] ------------------ 572| 2.74k| (packet->payload_packet_len > 12 && strncmp((const char*)packet->payload, bt_search1, strlen(bt_search1)) == 0) ------------------ | Branch (572:6): [True: 2.69k, False: 46] | Branch (572:41): [True: 2, False: 2.69k] ------------------ 573| 2.74k| ) { 574| 4| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 575| 4| return; 576| 2.74k| } else if(packet->payload_packet_len >= 20) { ------------------ | Branch (576:12): [True: 2.66k, False: 75] ------------------ 577| | /* Check if this is protocol v0 */ 578| 2.66k| u_int8_t 
v0_extension = packet->payload[17]; 579| 2.66k| u_int8_t v0_flags = packet->payload[18]; 580| 2.66k| int rc; 581| | 582| 2.66k| if((rc = is_utpv1_pkt(packet->payload, packet->payload_packet_len)) > 0) { ------------------ | Branch (582:7): [True: 17, False: 2.65k] ------------------ 583| 17| bt_proto = ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20); ------------------ | | 33| 17|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ 584| | /* DATA check is quite weak so in that case wait for multiple packets/confirmations */ 585| 17| if(rc == 1 || bt_proto != NULL || (rc == 2 && flow->packet_counter > 2)) { ------------------ | Branch (585:9): [True: 2, False: 15] | Branch (585:20): [True: 0, False: 15] | Branch (585:41): [True: 15, False: 0] | Branch (585:52): [True: 0, False: 15] ------------------ 586| 2| goto bittorrent_found; 587| 15| } else { 588| 15| return; 589| 15| } 590| 2.65k| } else if((packet->payload[0]== 0x60) ------------------ | Branch (590:14): [True: 9, False: 2.64k] ------------------ 591| 9| && (packet->payload[1]== 0x0) ------------------ | Branch (591:10): [True: 5, False: 4] ------------------ 592| 5| && (packet->payload[2]== 0x0) ------------------ | Branch (592:10): [True: 3, False: 2] ------------------ 593| 3| && (packet->payload[3]== 0x0) ------------------ | Branch (593:10): [True: 2, False: 1] ------------------ 594| 2| && (packet->payload[4]== 0x0)) { ------------------ | Branch (594:10): [True: 1, False: 1] ------------------ 595| | /* Heuristic */ 596| 1| bt_proto = ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20); ------------------ | | 33| 1|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ 597| 1| goto bittorrent_found; 598| | /* CSGO/DOTA conflict */ 599| 2.64k| } else if((v0_flags < 6 /* ST_NUM_STATES */) && (v0_extension < 3 /* EXT_NUM_EXT */)) { ------------------ | Branch 
(599:14): [True: 273, False: 2.37k] | Branch (599:52): [True: 221, False: 52] ------------------ 600| 221| u_int32_t ts = ntohl(*((u_int32_t*)&(packet->payload[4]))); 601| 221| u_int32_t now; 602| | 603| 221| now = (u_int32_t)(packet->current_time_ms / 1000); 604| | /* The one-day window test below runs in u_int32_t arithmetic. When now is below 86400 the lower bound now-86400 wraps to a value just under 2^32 while the upper bound stays below 172800, so the combined condition is false for every ts; now+86400 wraps in the same way when now is within a day of the 32-bit maximum. The counts on line 605 match the first case: the lower bound was never satisfied in this run. NOTE(review): presumably the capture times used in this run are close to the epoch - confirm before reading the zero counts on lines 606-607 as unreachable code. */ 605| 221| if((ts < (now+86400)) && (ts > (now-86400))) { ------------------ | Branch (605:9): [True: 185, False: 36] | Branch (605:31): [True: 0, False: 185] ------------------ 606| 0| bt_proto = ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20); ------------------ | | 33| 0|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ 607| 0| goto bittorrent_found; 608| 0| } 609| 2.42k| } else if(ndpi_strnstr((const char *)&packet->payload[20], BITTORRENT_PROTO_STRING, packet->payload_packet_len-20) ------------------ | | 33| 2.42k|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ | Branch (609:14): [True: 2, False: 2.42k] ------------------ 610| 2.42k| ) { 611| 2| goto bittorrent_found; 612| 2| } 613| | 614| 2.66k| } 615| | 616| 2.72k| flow->bittorrent_stage++; 617| | 618| 2.72k| if(flow->bittorrent_stage < 5) { ------------------ | Branch (618:10): [True: 2.69k, False: 25] ------------------ 619| | /* We have detected bittorrent but we need to wait until we get a hash */ 620| | 621| 2.69k| if(packet->payload_packet_len > 19 /* min size */) { ------------------ | Branch (621:5): [True: 2.62k, False: 75] ------------------ 622| 2.62k| if(ndpi_strnstr((const char *)packet->payload, ":target20:", packet->payload_packet_len) ------------------ | Branch (622:7): [True: 7, False: 2.61k] ------------------ 623| 2.61k| || ndpi_strnstr((const char *)packet->payload, ":find_node1:", packet->payload_packet_len) ------------------ | Branch (623:10): [True: 2, False: 2.61k] ------------------ 624| 2.61k| || ndpi_strnstr((const char *)packet->payload, "d1:ad2:id20:", packet->payload_packet_len) ------------------ | Branch
(624:10): [True: 0, False: 2.61k] ------------------ 625| 2.61k| || ndpi_strnstr((const char *)packet->payload, ":info_hash20:", packet->payload_packet_len) ------------------ | Branch (625:10): [True: 2, False: 2.61k] ------------------ 626| 2.61k| || ndpi_strnstr((const char *)packet->payload, ":filter64", packet->payload_packet_len) ------------------ | Branch (626:10): [True: 1, False: 2.61k] ------------------ 627| 2.61k| || ndpi_strnstr((const char *)packet->payload, "d1:rd2:id20:", packet->payload_packet_len) ------------------ | Branch (627:10): [True: 0, False: 2.61k] ------------------ 628| 2.61k| || (bt_proto = ndpi_strnstr((const char *)packet->payload, BITTORRENT_PROTO_STRING, packet->payload_packet_len)) ------------------ | | 33| 2.61k|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ | Branch (628:10): [True: 0, False: 2.61k] ------------------ 629| 2.62k| ) { /* bittorrent_found is reached by falling through the keyword search above and by goto from the checks earlier in the function. The hash is copied only when bt_proto is set and the offset of bt_proto[27] within the payload plus sizeof(hash) is strictly below payload_packet_len, which keeps the memcpy source inside the payload. Offset 27 is the 19-byte BITTORRENT_PROTO_STRING plus 8 further bytes (presumably the reserved field of the handshake - confirm). NOTE(review): the address of bt_proto[27] is formed before the bound is checked and may lie past the end of the payload; at that point only the pointer difference is used, not a dereference. Both conditions on line 631 show a zero True count, so the copy itself was not exercised in this run. */ 630| 17| bittorrent_found: 631| 17| if(bt_proto != NULL && ((u_int8_t *)&bt_proto[27] - packet->payload + ------------------ | Branch (631:9): [True: 0, False: 17] | Branch (631:29): [True: 0, False: 0] ------------------ 632| 0| sizeof(flow->protos.bittorrent.hash)) < packet->payload_packet_len) { 633| 0| memcpy(flow->protos.bittorrent.hash, &bt_proto[27], sizeof(flow->protos.bittorrent.hash)); 634| 0| flow->extra_packets_func = NULL; /* Nothing else to do */ 635| 0| } 636| | 637| 17| NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ------------------ | | 595| 17|# define NDPI_LOG_INFO(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 638| 17| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI); 639| 17| return; 640| 12| } 641| 2.62k| } 642| | 643| 2.68k| return; 644| 2.69k| } 645| | 646| 25| ndpi_skip_bittorrent(ndpi_struct, flow); 647| 25| } 648| 30.4k| } 649| | 650| 26.7k| if(flow->packet_counter > 5) ------------------ | Branch (650:6): [True: 1.43k, False: 25.3k] ------------------ 651| 1.43k| ndpi_skip_bittorrent(ndpi_struct, flow); 652| 26.7k|} bittorrent.c:is_port: 508| 10.2k|static u_int8_t is_port(u_int16_t a, u_int16_t b, u_int16_t what) { 509| 10.2k| return(((what == a) || (what == b)) ? 1 : 0); ------------------ | Branch (509:11): [True: 35, False: 10.2k] | Branch (509:26): [True: 1, False: 10.2k] ------------------ 510| 10.2k|} bittorrent.c:ndpi_int_search_bittorrent_tcp: 496| 26.7k|{ 497| 26.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 498| | 499| 26.7k| if(packet->payload_packet_len == 0) { ------------------ | Branch (499:6): [True: 0, False: 26.7k] ------------------ 500| 0| return; 501| 0| } 502| | 503| 26.7k| ndpi_int_search_bittorrent_tcp_zero(ndpi_struct, flow); 504| 26.7k|} bittorrent.c:ndpi_int_search_bittorrent_tcp_zero: 236| 26.7k|{ 237| 26.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 238| 26.7k| u_int16_t a = 0; 239| | 240| 26.7k| if(packet->payload_packet_len == 1 && packet->payload[0] == 0x13) { ------------------ | Branch (240:6): [True: 4, False: 26.7k] | Branch (240:41): [True: 0, False: 4] ------------------ 241| 0| return 0; 242| 0| } 243| | 244| 26.7k| if(flow->packet_counter == 2 && packet->payload_packet_len > 20) { ------------------ | Branch (244:6): [True: 4.25k, False: 22.4k] | Branch (244:35): [True: 2.57k, False: 1.68k] ------------------ 245| 2.57k| if(memcmp(&packet->payload[0], BITTORRENT_PROTO_STRING, 19) == 0) { ------------------ | | 33| 2.57k|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ | Branch 
(245:8): [True: 1, False: 2.57k] ------------------ 246| 1| NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 247| 1| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 19, 1, NDPI_CONFIDENCE_DPI); 248| 1| return 1; 249| 1| } 250| 2.57k| } 251| | 252| 26.7k| if(packet->payload_packet_len > 20) { ------------------ | Branch (252:6): [True: 17.1k, False: 9.54k] ------------------ 253| | /* test for match 0x13+BITTORRENT_PROTO_STRING */ 254| 17.1k| if(packet->payload[0] == 0x13) { ------------------ | Branch (254:8): [True: 1.71k, False: 15.4k] ------------------ 255| 1.71k| if(memcmp(&packet->payload[1], BITTORRENT_PROTO_STRING, 19) == 0) { ------------------ | | 33| 1.71k|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ | Branch (255:10): [True: 1.56k, False: 151] ------------------ 256| 1.56k| NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ------------------ | | 595| 1.56k|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 257| 1.56k| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 20, 1, NDPI_CONFIDENCE_DPI); 258| 1.56k| return 1; 259| 1.56k| } 260| 1.71k| } 261| 17.1k| } 262| | 263| 25.1k| if(packet->payload_packet_len > 23 && memcmp(packet->payload, "GET /webseed?info_hash=", 23) == 0) { ------------------ | Branch (263:6): [True: 15.1k, False: 10.0k] | Branch (263:41): [True: 38, False: 15.1k] ------------------ 264| 38| NDPI_LOG_INFO(ndpi_struct, "found BT: plain webseed\n"); ------------------ | | 595| 38|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 265| 38| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 266| 38| return 1; 267| 38| } 268| | /* seen Azureus as server for webseed, possibly other servers existing, to implement */ 269| | /* is Server: hypertracker Bittorrent? 
*/ 270| | /* no asymmetric detection possible for answer of pattern "GET /data?fid=". */ 271| 25.1k| if(packet->payload_packet_len > 60 ------------------ | Branch (271:6): [True: 6.26k, False: 18.8k] ------------------ 272| 6.26k| && memcmp(packet->payload, "GET /data?fid=", 14) == 0 && memcmp(&packet->payload[54], "&size=", 6) == 0) { ------------------ | Branch (272:9): [True: 7, False: 6.25k] | Branch (272:63): [True: 0, False: 7] ------------------ 273| 0| NDPI_LOG_INFO(ndpi_struct, "found BT: plain Bitcomet persistent seed\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 274| 0| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 275| 0| return 1; 276| 0| } 277| | 278| | 279| 25.1k| if(packet->payload_packet_len > 90 && (memcmp(packet->payload, "GET ", 4) == 0 ------------------ | Branch (279:6): [True: 5.46k, False: 19.6k] | Branch (279:42): [True: 781, False: 4.68k] ------------------ 280| 4.68k| || memcmp(packet->payload, "POST ", 5) == 0)) { ------------------ | Branch (280:10): [True: 188, False: 4.49k] ------------------ 281| 969| const u_int8_t *ptr = &packet->payload[4]; 282| 969| u_int16_t len = packet->payload_packet_len - 4; 283| | 284| | /* parse complete get packet here into line structure elements */ 285| 969| ndpi_parse_packet_line_info(ndpi_struct, flow); 286| | /* answer to this pattern is HTTP....Server: hypertracker */ 287| 969| if(packet->user_agent_line.ptr != NULL ------------------ | Branch (287:8): [True: 203, False: 766] ------------------ 288| 203| && ((packet->user_agent_line.len > 8 && memcmp(packet->user_agent_line.ptr, "Azureus ", 8) == 0) ------------------ | Branch (288:13): [True: 193, False: 10] | Branch (288:48): [True: 1, False: 192] ------------------ 289| 202| || (packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "BitTorrent", 10) == 0) ------------------ | Branch (289:9): [True: 192, False: 
10] | Branch (289:46): [True: 1, False: 191] ------------------ 290| 201| || (packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "BTWebClient", 11) == 0))) { ------------------ | Branch (290:9): [True: 191, False: 10] | Branch (290:46): [True: 7, False: 184] ------------------ 291| 9| NDPI_LOG_INFO(ndpi_struct, "found BT: Azureus /Bittorrent user agent\n"); ------------------ | | 595| 9|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 292| 9| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 293| 9| return 1; 294| 9| } 295| | 296| 960| if(packet->user_agent_line.ptr != NULL ------------------ | Branch (296:8): [True: 194, False: 766] ------------------ 297| 194| && (packet->user_agent_line.len >= 9 && memcmp(packet->user_agent_line.ptr, "Shareaza ", 9) == 0) ------------------ | Branch (297:12): [True: 184, False: 10] | Branch (297:48): [True: 6, False: 178] ------------------ 298| 6| && (packet->parsed_lines > 8 && packet->line[8].ptr != 0 ------------------ | Branch (298:12): [True: 3, False: 3] | Branch (298:40): [True: 3, False: 0] ------------------ 299| 3| && packet->line[8].len >= 9 && memcmp(packet->line[8].ptr, "X-Queue: ", 9) == 0)) { ------------------ | Branch (299:8): [True: 3, False: 0] | Branch (299:36): [True: 0, False: 3] ------------------ 300| 0| NDPI_LOG_INFO(ndpi_struct, "found BT: Shareaza detected\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 301| 0| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 302| 0| return 1; 303| 0| } 304| | 305| | /* this is a self built client, not possible to catch asymmetrically */ 306| 960| if((packet->parsed_lines == 10 || (packet->parsed_lines == 11 && packet->line[10].len == 0)) ------------------ | Branch (306:9): [True: 36, False: 924] | Branch (306:40): [True: 30, False: 894] | Branch (306:70): [True: 3, False: 27] ------------------ 307| 39| && packet->user_agent_line.ptr != NULL ------------------ | Branch (307:11): [True: 24, False: 15] ------------------ 308| 24| && packet->user_agent_line.len > 12 ------------------ | Branch (308:11): [True: 23, False: 1] ------------------ 309| 23| && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 ", ------------------ | Branch (309:11): [True: 5, False: 18] ------------------ 310| 23| 12) == 0 311| 5| && packet->host_line.ptr != NULL ------------------ | Branch (311:11): [True: 5, False: 0] ------------------ 312| 5| && packet->host_line.len >= 7 ------------------ | Branch (312:11): [True: 4, False: 1] ------------------ 313| 4| && packet->line[2].ptr != NULL ------------------ | Branch (313:11): [True: 4, False: 0] ------------------ 314| 4| && packet->line[2].len > 14 ------------------ | Branch (314:11): [True: 3, False: 1] ------------------ 315| 3| && memcmp(packet->line[2].ptr, "Keep-Alive: 300", 15) == 0 ------------------ | Branch (315:11): [True: 0, False: 3] ------------------ 316| 0| && packet->line[3].ptr != NULL ------------------ | Branch (316:11): [True: 0, False: 0] ------------------ 317| 0| && packet->line[3].len > 21 ------------------ | Branch (317:11): [True: 0, False: 0] ------------------ 318| 0| && memcmp(packet->line[3].ptr, "Connection: Keep-alive", 22) == 0 ------------------ | Branch (318:11): [True: 0, False: 0] ------------------ 319| 0| && packet->line[4].ptr != NULL ------------------ | Branch (319:11): 
[True: 0, False: 0] ------------------ 320| 0| && packet->line[4].len > 10 ------------------ | Branch (320:11): [True: 0, False: 0] ------------------ 321| 0| && (memcmp(packet->line[4].ptr, "Accpet: */*", 11) == 0 ------------------ | Branch (321:12): [True: 0, False: 0] ------------------ 322| 0| || memcmp(packet->line[4].ptr, "Accept: */*", 11) == 0) ------------------ | Branch (322:8): [True: 0, False: 0] ------------------ 323| | 324| 0| && packet->line[5].ptr != NULL ------------------ | Branch (324:11): [True: 0, False: 0] ------------------ 325| 0| && packet->line[5].len > 12 ------------------ | Branch (325:11): [True: 0, False: 0] ------------------ 326| 0| && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0 ------------------ | Branch (326:11): [True: 0, False: 0] ------------------ 327| 0| && packet->line[7].ptr != NULL ------------------ | Branch (327:11): [True: 0, False: 0] ------------------ 328| 0| && packet->line[7].len > 15 ------------------ | Branch (328:11): [True: 0, False: 0] ------------------ 329| 0| && memcmp(packet->line[7].ptr, "Pragma: no-cache", 16) == 0 ------------------ | Branch (329:11): [True: 0, False: 0] ------------------ 330| 0| && packet->line[8].ptr != NULL ------------------ | Branch (330:11): [True: 0, False: 0] ------------------ 331| 0| && packet->line[8].len > 22 && memcmp(packet->line[8].ptr, "Cache-Control: no-cache", 23) == 0) { ------------------ | Branch (331:11): [True: 0, False: 0] | Branch (331:39): [True: 0, False: 0] ------------------ 332| | 333| 0| NDPI_LOG_INFO(ndpi_struct, "found BT: Bitcomet LTS\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 334| 0| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 335| 0| return 1; 336| 0| } 337| | 338| | /* FlashGet pattern */ 339| 960| if(packet->parsed_lines == 8 ------------------ | Branch (339:8): [True: 41, False: 919] ------------------ 340| 41| && packet->user_agent_line.ptr != NULL ------------------ | Branch (340:11): [True: 28, False: 13] ------------------ 341| 28| && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) ------------------ | Branch (341:11): [True: 24, False: 4] ------------------ 342| 24| && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", ------------------ | Branch (342:11): [True: 16, False: 8] ------------------ 343| 24| sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0 344| 16| && packet->host_line.ptr != NULL ------------------ | Branch (344:11): [True: 13, False: 3] ------------------ 345| 13| && packet->host_line.len >= 7 ------------------ | Branch (345:11): [True: 10, False: 3] ------------------ 346| 10| && packet->line[2].ptr != NULL ------------------ | Branch (346:11): [True: 10, False: 0] ------------------ 347| 10| && packet->line[2].len == 11 ------------------ | Branch (347:11): [True: 6, False: 4] ------------------ 348| 6| && memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0 ------------------ | Branch (348:11): [True: 3, False: 3] ------------------ 349| 3| && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1) ------------------ | Branch (349:11): [True: 3, False: 0] | Branch (349:42): [True: 3, False: 0] ------------------ 350| 3| && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0 ------------------ | Branch (350:11): [True: 0, False: 3] ------------------ 351| 0| && packet->line[5].ptr != NULL ------------------ | Branch (351:11): [True: 0, False: 0] ------------------ 352| 0| && packet->line[5].len > 13 ------------------ 
| Branch (352:11): [True: 0, False: 0] ------------------ 353| 0| && memcmp(packet->line[5].ptr, "Range: bytes=", 13) == 0 ------------------ | Branch (353:11): [True: 0, False: 0] ------------------ 354| 0| && packet->line[6].ptr != NULL ------------------ | Branch (354:11): [True: 0, False: 0] ------------------ 355| 0| && packet->line[6].len > 21 && memcmp(packet->line[6].ptr, "Connection: Keep-Alive", 22) == 0) { ------------------ | Branch (355:11): [True: 0, False: 0] | Branch (355:39): [True: 0, False: 0] ------------------ 356| | 357| 0| NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 358| 0| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 359| 0| return 1; 360| 0| } 361| | 362| 960| if(packet->parsed_lines == 7 ------------------ | Branch (362:8): [True: 56, False: 904] ------------------ 363| 56| && packet->user_agent_line.ptr != NULL ------------------ | Branch (363:11): [True: 45, False: 11] ------------------ 364| 45| && packet->user_agent_line.len > (sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) ------------------ | Branch (364:11): [True: 36, False: 9] ------------------ 365| 36| && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0;", ------------------ | Branch (365:11): [True: 18, False: 18] ------------------ 366| 36| sizeof("Mozilla/4.0 (compatible; MSIE 6.0;") - 1) == 0 367| 18| && packet->host_line.ptr != NULL ------------------ | Branch (367:11): [True: 15, False: 3] ------------------ 368| 15| && packet->host_line.len >= 7 ------------------ | Branch (368:11): [True: 12, False: 3] ------------------ 369| 12| && packet->line[2].ptr != NULL ------------------ | Branch (369:11): [True: 12, False: 0] ------------------ 370| 12| && packet->line[2].len == 11 ------------------ | Branch (370:11): [True: 9, False: 3] ------------------ 371| 9| && 
memcmp(packet->line[2].ptr, "Accept: */*", 11) == 0 ------------------ | Branch (371:11): [True: 6, False: 3] ------------------ 372| 6| && packet->line[3].ptr != NULL && packet->line[3].len >= (sizeof("Referer: ") - 1) ------------------ | Branch (372:11): [True: 6, False: 0] | Branch (372:42): [True: 6, False: 0] ------------------ 373| 6| && memcmp(packet->line[3].ptr, "Referer: ", sizeof("Referer: ") - 1) == 0 ------------------ | Branch (373:11): [True: 3, False: 3] ------------------ 374| 3| && packet->line[5].ptr != NULL ------------------ | Branch (374:11): [True: 3, False: 0] ------------------ 375| 3| && packet->line[5].len > 21 && memcmp(packet->line[5].ptr, "Connection: Keep-Alive", 22) == 0) { ------------------ | Branch (375:11): [True: 3, False: 0] | Branch (375:39): [True: 0, False: 3] ------------------ 376| | 377| 0| NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 378| 0| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 379| 0| return 1; 380| 0| } 381| | 382| | /* answer to this pattern is not possible to implement asymmetrically */ 383| 202k| while (1) { ------------------ | Branch (383:12): [True: 202k, Folded] ------------------ 384| 202k| if(len < 50 || ptr[0] == 0x0d) { ------------------ | Branch (384:10): [True: 21, False: 202k] | Branch (384:22): [True: 889, False: 201k] ------------------ 385| 910| goto ndpi_end_bt_tracker_check; 386| 910| } 387| 201k| if(memcmp(ptr, "info_hash=", 10) == 0) { ------------------ | Branch (387:10): [True: 50, False: 201k] ------------------ 388| 50| break; 389| 50| } 390| 201k| len--; 391| 201k| ptr++; 392| 201k| } 393| | 394| 50| NDPI_LOG_DBG2(ndpi_struct, " BT stat: tracker info hash found\n"); ------------------ | | 597| 50|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 395| | 396| | /* len is > 50, so save operation here */ 397| 50| len -= 10; 398| 50| ptr += 10; 399| | 400| | /* parse bt hash */ 401| 315| for (a = 0; a < 20; a++) { ------------------ | Branch (401:17): [True: 308, False: 7] ------------------ 402| 308| if(len < 3) { ------------------ | Branch (402:10): [True: 0, False: 308] ------------------ 403| 0| goto ndpi_end_bt_tracker_check; 404| 0| } 405| 308| if(*ptr == '%') { ------------------ | Branch (405:10): [True: 0, False: 308] ------------------ 406| 0| u_int8_t x1 = 0xFF; 407| 0| u_int8_t x2 = 0xFF; 408| | 409| | 410| 0| if(ptr[1] >= '0' && ptr[1] <= '9') { ------------------ | Branch (410:5): [True: 0, False: 0] | Branch (410:22): [True: 0, False: 0] ------------------ 411| 0| x1 = ptr[1] - '0'; 412| 0| } 413| 0| if(ptr[1] >= 'a' && ptr[1] <= 'f') { ------------------ | Branch (413:5): [True: 0, False: 0] | Branch (413:22): [True: 0, False: 0] ------------------ 414| 0| x1 = 10 + ptr[1] - 'a'; 415| 0| } 416| 0| if(ptr[1] >= 'A' && ptr[1] <= 'F') { ------------------ | Branch (416:5): [True: 0, False: 0] | Branch (416:22): [True: 0, False: 0] ------------------ 417| 0| x1 = 10 + ptr[1] - 'A'; 418| 0| } 419| | 420| 0| if(ptr[2] >= '0' && ptr[2] <= '9') { ------------------ | Branch (420:5): [True: 0, False: 0] | Branch (420:22): [True: 0, False: 0] ------------------ 421| 0| x2 = ptr[2] - '0'; 422| 0| } 423| 0| if(ptr[2] >= 'a' && ptr[2] <= 'f') { ------------------ | Branch (423:5): [True: 0, False: 0] | Branch (423:22): [True: 0, False: 0] ------------------ 424| 0| x2 = 10 + ptr[2] - 'a'; 425| 0| } 426| 0| if(ptr[2] >= 'A' && ptr[2] <= 'F') { ------------------ | Branch (426:5): [True: 0, False: 0] | Branch (426:22): [True: 0, False: 0] ------------------ 427| 0| x2 = 10 + ptr[2] - 'A'; 428| 0| } 429| | 430| 0| if(x1 == 0xFF || x2 == 0xFF) { ------------------ | Branch (430:5): [True: 0, False: 0] | Branch (430:19): [True: 0, False: 0] ------------------ 
431| 0| goto ndpi_end_bt_tracker_check; 432| 0| } 433| 0| ptr += 3; 434| 0| len -= 3; 435| 308| } else if(*ptr >= 32 && *ptr < 127) { ------------------ | Branch (435:17): [True: 276, False: 32] | Branch (435:31): [True: 265, False: 11] ------------------ 436| 265| ptr++; 437| 265| len--; 438| 265| } else { 439| 43| goto ndpi_end_bt_tracker_check; 440| 43| } 441| 308| } 442| | 443| 7| NDPI_LOG_INFO(ndpi_struct, "found BT: tracker info hash parsed\n"); ------------------ | | 595| 7|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 444| 7| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 445| 7| return 1; 446| 50| } 447| | 448| 25.1k| ndpi_end_bt_tracker_check: 449| | 450| 25.1k| if(packet->payload_packet_len == 80) { ------------------ | Branch (450:6): [True: 7, False: 25.1k] ------------------ 451| | /* Warez 80 Bytes Packet 452| | * +----------------+---------------+-----------------+-----------------+ 453| | * |20 BytesPattern | 32 Bytes Value| 12 BytesPattern | 16 Bytes Data | 454| | * +----------------+---------------+-----------------+-----------------+ 455| | * 20 BytesPattern : 4c 00 00 00 ff ff ff ff 57 00 00 00 00 00 00 00 20 00 00 00 456| | * 12 BytesPattern : 28 23 00 00 01 00 00 00 10 00 00 00 457| | * */ 458| 7| static const u_char pattern_20_bytes[20] = { 0x4c, 0x00, 0x00, 0x00, 0xff, 459| 7| 0xff, 0xff, 0xff, 0x57, 0x00, 460| 7| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00 461| 7| }; 462| 7| static const u_char pattern_12_bytes[12] = { 0x28, 0x23, 0x00, 0x00, 0x01, 463| 7| 0x00, 0x00, 0x00, 0x10, 0x00, 464| 7| 0x00, 0x00 465| 7| }; 466| | 467| | /* did not see this pattern anywhere */ 468| 7| if((memcmp(&packet->payload[0], pattern_20_bytes, 20) == 0) ------------------ | Branch (468:8): [True: 0, False: 7] ------------------ 469| 0| && (memcmp(&packet->payload[52], pattern_12_bytes, 12) == 0)) { ------------------ | Branch (469:11): [True: 0, False: 0] 
------------------ 470| 0| NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 471| 0| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 472| 0| return 1; 473| 0| } 474| 7| } 475| | 476| 25.1k| else if(packet->payload_packet_len > 50) { ------------------ | Branch (476:11): [True: 6.86k, False: 18.2k] ------------------ 477| 6.86k| if(memcmp(packet->payload, "GET", 3) == 0) { ------------------ | Branch (477:8): [True: 770, False: 6.09k] ------------------ 478| | 479| 770| ndpi_parse_packet_line_info(ndpi_struct, flow); 480| | /* haven't fount this pattern anywhere */ 481| 770| if(packet->host_line.ptr != NULL ------------------ | Branch (481:10): [True: 524, False: 246] ------------------ 482| 524| && packet->host_line.len >= 9 && memcmp(packet->host_line.ptr, "ip2p.com:", 9) == 0) { ------------------ | Branch (482:6): [True: 493, False: 31] | Branch (482:36): [True: 3, False: 490] ------------------ 483| 3| NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain Host: ip2p.com: pattern\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 484| 3| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, NDPI_CONFIDENCE_DPI); 485| 3| return 1; 486| 3| } 487| 770| } 488| 6.86k| } 489| 25.1k| return 0; 490| 25.1k|} bittorrent.c:ndpi_skip_bittorrent: 515| 2.39k| struct ndpi_flow_struct *flow) { 516| 2.39k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_BITTORRENT) ------------------ | Branch (516:6): [True: 1, False: 2.39k] ------------------ 517| 1| return; 518| 2.39k| if(search_into_bittorrent_cache(ndpi_struct, flow)) ------------------ | Branch (518:6): [True: 46, False: 2.35k] ------------------ 519| 46| ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, NDPI_CONFIDENCE_DPI_CACHE); 520| 2.35k| else 521| 2.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 522| 2.39k|} bittorrent.c:ndpi_add_connection_as_bittorrent: 186| 1.69k| ndpi_confidence_t confidence) { 187| 1.69k| if(ndpi_struct->cfg.bittorrent_hash_enabled && ------------------ | Branch (187:6): [True: 1.69k, False: 0] ------------------ 188| 1.69k| check_hash) ------------------ | Branch (188:6): [True: 1.62k, False: 63] ------------------ 189| 1.62k| ndpi_search_bittorrent_hash(ndpi_struct, flow, bt_offset); 190| | 191| 1.69k| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_BITTORRENT, 192| 1.69k| confidence); 193| | 194| 1.69k| if(ndpi_struct->cfg.bittorrent_hash_enabled && ------------------ | Branch (194:6): [True: 1.69k, False: 0] ------------------ 195| 1.69k| flow->protos.bittorrent.hash[0] == '\0') { ------------------ | Branch (195:6): [True: 208, False: 1.48k] ------------------ 196| | /* Don't use just 1 as in TCP DNS more packets could be returned (e.g. ACK). 
*/ 197| 208| flow->max_extra_packets_to_check = 3; 198| 208| flow->extra_packets_func = search_bittorrent_again; 199| 208| } 200| | 201| 1.69k| if(ndpi_struct->bittorrent_cache) { ------------------ | Branch (201:6): [True: 1.60k, False: 85] ------------------ 202| 1.60k| u_int64_t key, key1, key2, i; 203| | 204| 1.60k| key = make_bittorrent_peers_key(flow); 205| 1.60k| key1 = make_bittorrent_host_key(flow, 1, 0), key2 = make_bittorrent_host_key(flow, 0, 0); 206| | 207| 1.60k| ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); 208| 1.60k| ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key2, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); 209| | 210| | /* Now add hosts as twins */ 211| 1.60k| ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, 212| 1.60k| key, 213| 1.60k| NDPI_PROTOCOL_BITTORRENT, 214| 1.60k| ndpi_get_current_time(flow)); 215| | 216| | /* Also add +2 ports of the sender in order to catch additional sockets open by the same client */ 217| 4.81k| for(i=0; i<2; i++) { ------------------ | Branch (217:14): [True: 3.21k, False: 1.60k] ------------------ 218| 3.21k| key1 = make_bittorrent_host_key(flow, 1, 1 + i); 219| | 220| 3.21k| ndpi_lru_add_to_cache(ndpi_struct->bittorrent_cache, key1, NDPI_PROTOCOL_BITTORRENT, ndpi_get_current_time(flow)); 221| 3.21k| } 222| | 223| |#ifdef BITTORRENT_CACHE_DEBUG 224| | printf("[BitTorrent] [%s] *** ADDED ports %u / %u [0x%llx][0x%llx]\n", 225| | flow->l4_proto == IPPROTO_TCP ? 
"TCP" : "UDP", 226| | ntohs(flow->c_port), ntohs(flow->s_port), 227| | (long long unsigned int)key1, (long long unsigned int)key2); 228| |#endif 229| 1.60k| } 230| 1.69k|} bittorrent.c:ndpi_search_bittorrent_hash: 125| 1.89k| struct ndpi_flow_struct *flow, int bt_offset) { /* Copies the 20-byte info-hash from the current packet into flow->protos.bittorrent.hash, but only when all 20 bytes lie inside the payload. bt_offset == -1 means the payload is searched for the protocol string; any other value is not used as an offset and the hash is read from payload[28]. */ 126| 1.89k| const char *bt_hash = NULL; /* 20 bytes long */ 127| 1.89k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 128| | 129| 1.89k| if(bt_offset == -1) { ------------------ | Branch (129:6): [True: 324, False: 1.56k] ------------------ 130| 324| const char *bt_magic = ndpi_strnstr((const char *)packet->payload, 131| 324| BITTORRENT_PROTO_STRING, packet->payload_packet_len); ------------------ | | 33| 324|#define BITTORRENT_PROTO_STRING "BitTorrent protocol" ------------------ 132| | 133| 324| if(bt_magic) { ------------------ | Branch (133:8): [True: 58, False: 266] ------------------ 134| 58| if(bt_magic == (const char*)&packet->payload[1]) ------------------ | Branch (134:10): [True: 54, False: 4] ------------------ 135| 54| bt_hash = (const char*)&packet->payload[28]; 136| 4| else 137| 4| bt_hash = &bt_magic[19]; /* NOTE(review): this points directly after the protocol string, while the bittorrent_found path in this listing copies from &bt_proto[27] - confirm which offset is intended */ 138| 58| } 139| 324| } else 140| 1.56k| bt_hash = (const char*)&packet->payload[28]; /* NOTE(review): every bt_offset other than -1 lands here, so the value itself is never used as an offset; a caller visible in this listing passes 19 after matching the protocol string at payload[0] - confirm that payload[28] is the intended hash position for that case */ 141| | /* Bounds check on untrusted packet data: the offset of bt_hash inside the payload plus 20 must not exceed payload_packet_len, so the memcpy below never reads past the packet */ 142| 1.89k| if(bt_hash && (packet->payload_packet_len >= (20 + (bt_hash-(const char*)packet->payload)))) ------------------ | Branch (142:6): [True: 1.62k, False: 266] | Branch (142:17): [True: 1.54k, False: 80] ------------------ 143| 1.54k| memcpy(flow->protos.bittorrent.hash, bt_hash, 20); 144| 1.89k|} bittorrent.c:search_bittorrent_again: 62| 263| struct ndpi_flow_struct *flow) { /* Extra-packets callback installed by ndpi_add_connection_as_bittorrent(): retries the hash search on the current packet and returns non-zero while flow->extra_packets_func is still set */ 63| 263| ndpi_search_bittorrent_hash(ndpi_struct, flow, -1); 64| | 65| | /* Possibly more processing */ 66| | return flow->extra_packets_func != NULL; 67| 263|} bittorrent.c:is_utpv1_pkt: 95| 2.66k|static u_int8_t is_utpv1_pkt(const u_int8_t *payload, u_int payload_len) { 96| 2.66k| struct ndpi_utp_hdr *h = (struct ndpi_utp_hdr*)payload; 97| 2.66k| int h_length; 98| | 99| 2.66k| if(payload_len <
sizeof(struct ndpi_utp_hdr)) return(0); ------------------ | Branch (99:6): [True: 0, False: 2.66k] ------------------ 100| 2.66k| h_length = get_utpv1_length(payload, payload_len); 101| 2.66k| if(h_length == -1) return(0); ------------------ | Branch (101:6): [True: 1.85k, False: 809] ------------------ 102| 809| if(h->h_version != 1) return(0); ------------------ | Branch (102:6): [True: 601, False: 208] ------------------ 103| 208| if(h->h_type > 4) return(0); ------------------ | Branch (103:6): [True: 20, False: 188] ------------------ 104| 188| if(h->next_extension > 2) return(0); ------------------ | Branch (104:6): [True: 151, False: 37] ------------------ 105| 37| if(h->h_type == 4 /* SYN */ && (h->tdiff_usec != 0 || ------------------ | Branch (105:6): [True: 1, False: 36] | Branch (105:35): [True: 1, False: 0] ------------------ 106| 1| payload_len != (u_int)h_length)) return(0); ------------------ | Branch (106:6): [True: 0, False: 0] ------------------ 107| 36| if(h->h_type == 2 /* STATE */ && ------------------ | Branch (107:6): [True: 1, False: 35] ------------------ 108| 1| payload_len != (u_int)h_length) return(0); ------------------ | Branch (108:6): [True: 1, False: 0] ------------------ 109| 35| if(h->h_type == 0 /* DATA */ && ------------------ | Branch (109:6): [True: 33, False: 2] ------------------ 110| 33| payload_len == (u_int)h_length) return(0); ------------------ | Branch (110:6): [True: 1, False: 32] ------------------ 111| 34| if(h->connection_id == 0) return(0); ------------------ | Branch (111:6): [True: 15, False: 19] ------------------ 112| 19| if(h->ts_usec == 0) return(0); ------------------ | Branch (112:6): [True: 1, False: 18] ------------------ 113| | 114| 18| if((h->window_size == 0) && (payload_len != (u_int)h_length)) ------------------ | Branch (114:6): [True: 1, False: 17] | Branch (114:31): [True: 1, False: 0] ------------------ 115| 1| return(0); 116| | 117| 17| if(h->h_type == 0) ------------------ | Branch (117:6): 
[True: 15, False: 2] ------------------ 118| 15| return (2); /* DATA */ 119| 2| return(1); 120| 17|} bittorrent.c:get_utpv1_length: 72| 2.66k|{ /* Returns the offset just past the uTP v1 header and its extension chain, or -1 when a chained extension type is above 2, more than 4 extensions are chained, or the chain is cut off by payload_len. The returned offset is not clamped to payload_len, so callers must not index the payload with it unchecked. h->next_extension is read without a length check here; the visible caller is_utpv1_pkt() rejects payloads shorter than the header before calling. */ 73| 2.66k| struct ndpi_utp_hdr *h = (struct ndpi_utp_hdr*)payload; 74| 2.66k| unsigned int off, num_ext = 0; 75| 2.66k| u_int8_t ext_type = h->next_extension; 76| | /* The loop condition off + 1 < payload_len keeps both payload[off] and payload[off + 1] inside the packet */ 77| 2.66k| off = sizeof(struct ndpi_utp_hdr); 78| 3.34k| while(ext_type != 0 && off + 1 < payload_len) { ------------------ | Branch (78:9): [True: 2.54k, False: 809] | Branch (78:26): [True: 2.50k, False: 32] ------------------ 79| 2.50k| ext_type = payload[off]; 80| 2.50k| if(ext_type > 2) ------------------ | Branch (80:8): [True: 1.82k, False: 683] ------------------ 81| 1.82k| return -1; 82| | /* BEP-29 doesn't put any limit on the number of extensions 83| | but a hard limit makes sense (there are only 3 ext types) and bounds the walk over untrusted input */ 84| 683| if(++num_ext > 4) ------------------ | Branch (84:8): [True: 1, False: 682] ------------------ 85| 1| return -1; 86| 682| off += 2 + payload[off + 1]; 87| 682| } 88| 841| if(ext_type == 0) ------------------ | Branch (88:6): [True: 809, False: 32] ------------------ 89| 809| return off; 90| 32| return -1; 91| 841|} init_bjnp_dissector: 44| 7.08k|{ 45| 7.08k| ndpi_register_dissector("BJNP", ndpi_struct, 46| 7.08k| ndpi_search_bjnp, 47| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 |
NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 48| 7.08k| 1, NDPI_PROTOCOL_BJNP); 49| 7.08k|} bjnp.c:ndpi_search_bjnp: 36| 3.42k|{ 37| 3.42k| NDPI_LOG_DBG(ndpi_struct, "search bjnp\n"); ------------------ | | 596| 3.42k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| | 39| 3.42k| ndpi_check_bjnp(ndpi_struct, flow); 40| 3.42k|} bjnp.c:ndpi_check_bjnp: 16| 3.42k|{ 17| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 18| 3.42k| u_int32_t payload_len = packet->payload_packet_len; 19| | 20| 3.42k| if(payload_len > 4) { ------------------ | Branch (20:6): [True: 3.29k, False: 124] ------------------ 21| 3.29k| if((memcmp((const char *)packet->payload, "BJNP", 4) == 0) ------------------ | Branch (21:8): [True: 1, False: 3.29k] ------------------ 22| 3.29k| || (memcmp((const char *)packet->payload, "BNJB", 4) == 0) ------------------ | Branch (22:11): [True: 1, False: 3.29k] ------------------ 23| 3.29k| || (memcmp((const char *)packet->payload, "BJNB", 4) == 0) ------------------ | Branch (23:11): [True: 3, False: 3.29k] ------------------ 24| 3.29k| || (memcmp((const char *)packet->payload, "MFNP", 4) == 0) ------------------ | Branch (24:11): [True: 3, False: 3.29k] ------------------ 25| 3.29k| ) { 26| 8| NDPI_LOG_INFO(ndpi_struct, "found bjnp\n"); ------------------ | | 595| 8|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 27| 8| ndpi_int_bjnp_add_connection(ndpi_struct, flow); 28| 8| return; 29| 8| } 30| 3.29k| } 31| | 32| 3.41k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.41k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 33| 3.41k|} bjnp.c:ndpi_int_bjnp_add_connection: 9| 8| struct ndpi_flow_struct *flow) { 10| 8| ndpi_set_detected_protocol(ndpi_struct, flow, 11| 8| NDPI_PROTOCOL_BJNP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 12| 8|} init_blizzard_dissector: 146| 7.08k|{ 147| 7.08k| ndpi_register_dissector("Blizzard", ndpi_struct, 148| 7.08k| ndpi_search_blizzard, 149| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 150| 7.08k| 1, NDPI_PROTOCOL_BLIZZARD); 151| 7.08k|} blizzard.c:ndpi_search_blizzard: 138| 23.0k|{ 139| 23.0k| if(flow->l4_proto == IPPROTO_TCP) ------------------ | Branch (139:6): [True: 15.9k, False: 7.09k] ------------------ 140| 15.9k| search_blizzard_tcp(ndpi_struct, flow); 141| 7.09k| else 142| 7.09k| search_blizzard_udp(ndpi_struct, flow); 143| 23.0k|} blizzard.c:search_blizzard_tcp: 31| 15.9k|{ 32| 15.9k| struct ndpi_packet_struct* packet = &ndpi_struct->packet; 33| 15.9k| char wow_string[] = "WORLD OF WARCRAFT CONNECTION"; 34| 15.9k| char overwatch2_string_c[] = "HELLO PRO CLIENT\0"; 35| 15.9k| char overwatch2_string_s[] = "HELLO PRO SERVER\0"; 36| | 37| 15.9k| NDPI_LOG_DBG(ndpi_struct, "search Blizzard\n"); ------------------ | | 596| 15.9k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 38| | 39| | /* Generic Battle.net traffic */ 40| 15.9k| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD && ------------------ | Branch (40:6): [True: 0, False: 15.9k] ------------------ 41| 0| flow->s_port == htons(1119)) { ------------------ | Branch (41:6): [True: 0, False: 0] ------------------ 42| | /* Looking for the first pkt sent by the server */ 43| 0| if(current_pkt_from_server_to_client(ndpi_struct, flow) && ------------------ | Branch (43:8): [True: 0, False: 0] ------------------ 44| 0| packet->payload_packet_len == 2 && ------------------ | Branch (44:8): [True: 0, False: 0] ------------------ 45| 0| packet->payload[0] == 0x52 && packet->payload[1] == 0x08) { ------------------ | Branch (45:8): [True: 0, False: 0] | Branch (45:38): [True: 0, False: 0] ------------------ 46| 0| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (battle.net)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 48| 0| return; 49| 0| } else if(flow->packet_direction_counter[packet->packet_direction] == 1) { ------------------ | Branch (49:15): [True: 0, False: 0] ------------------ 50| 0| return; 51| 0| } 52| 0| } 53| | 54| | /* Pattern found on Hearthstone */ 55| 15.9k| if(packet->payload_packet_len >= 8 && ------------------ | Branch (55:6): [True: 15.1k, False: 810] ------------------ 56| 15.9k| le32toh(*(uint32_t *)&packet->payload[4]) == (u_int32_t)(packet->payload_packet_len - 8)) { ------------------ | Branch (56:6): [True: 12, False: 15.1k] ------------------ 57| 12| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Hearthstone)\n"); ------------------ | | 595| 12|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 58| 12| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 59| 12| return; 60| 12| } 61| | 62| | /* Pattern found on WoW */ 63| 15.9k| if(packet->payload_packet_len >= NDPI_STATICSTRING_LEN(wow_string) && ------------------ | | 98| 31.9k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (63:6): [True: 10.7k, False: 5.20k] ------------------ 64| 10.7k| memcmp(packet->payload, wow_string, NDPI_STATICSTRING_LEN(wow_string)) == 0) { ------------------ | | 98| 10.7k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (64:6): [True: 11, False: 10.7k] ------------------ 65| 11| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (wow)\n"); ------------------ | | 595| 11|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 66| | /* Which id? It should be NDPI_PROTOCOL_BLIZZARD, but we already have NDPI_PROTOCOL_WORLDOFWARCRAFT. 67| | Keep using the latter for the time being.... 
*/ 68| 11| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 69| 11| return; 70| 11| } 71| | 72| | /* Pattern found on Overwatch2 */ 73| 15.9k| if((packet->payload_packet_len == NDPI_STATICSTRING_LEN(overwatch2_string_c) && ------------------ | | 98| 31.9k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (73:7): [True: 25, False: 15.9k] ------------------ 74| 25| memcmp(packet->payload, overwatch2_string_c, NDPI_STATICSTRING_LEN(overwatch2_string_c)) == 0) || ------------------ | | 98| 25|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (74:7): [True: 0, False: 25] ------------------ 75| 15.9k| (packet->payload_packet_len == NDPI_STATICSTRING_LEN(overwatch2_string_s) && ------------------ | | 98| 31.9k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (75:7): [True: 25, False: 15.9k] ------------------ 76| 25| memcmp(packet->payload, overwatch2_string_s, NDPI_STATICSTRING_LEN(overwatch2_string_s)) == 0)) { ------------------ | | 98| 25|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (76:7): [True: 0, False: 25] ------------------ 77| 0| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 78| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 79| 0| return; 80| 0| } 81| | 82| | /* TODO: other patterns */ 83| | 84| 15.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 85| 15.9k|} blizzard.c:search_blizzard_udp: 88| 7.09k|{ 89| 7.09k| struct ndpi_packet_struct* packet = &ndpi_struct->packet; 90| | 91| 7.09k| NDPI_LOG_DBG(ndpi_struct, "search Blizzard\n"); ------------------ | | 596| 7.09k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 92| | 93| | /* Patterns found on Warcraft Rumble */ 94| | 95| | /* The last bytes are some kind of sequence number, always starting from 1 */ 96| 7.09k| if(/* First pkt send by the client */ 97| 7.09k| (packet->payload_packet_len == 18 && ------------------ | Branch (97:7): [True: 17, False: 7.07k] ------------------ 98| 7.09k| le32toh(*(uint32_t *)&packet->payload[14]) == 1) || ------------------ | Branch (98:7): [True: 1, False: 16] ------------------ 99| | /* First pkt send by the server */ 100| 7.08k| (packet->payload_packet_len == 15 && ------------------ | Branch (100:7): [True: 2, False: 7.08k] ------------------ 101| 2| packet->payload[14] == 1)) { ------------------ | Branch (101:7): [True: 1, False: 1] ------------------ 102| 2| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Warcraft Ramble; pattern 1)\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 103| 2| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 104| 2| return; 105| 2| } 106| | /* First pkt send by the client */ 107| 7.08k| if(packet->payload_packet_len == 23 && ------------------ | Branch (107:6): [True: 199, False: 6.88k] ------------------ 108| 199| ndpi_match_strprefix(packet->payload, packet->payload_packet_len, "\xff\xff\xff\xff\xa3\x1f\xb6\x1e\x00\x00\x40\x01\x00\x00\x00\x00\x00\x00\x00\x04\x03\x02\x01")) { ------------------ | | 81| 199| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 3, False: 196] | | ------------------ ------------------ 109| 3| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (Warcraft Ramble; pattern 2)\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 110| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 111| 3| return; 112| 3| } 113| | 114| | /* Patterns found on Overwatch2 */ 115| | /* Some kind of ping */ 116| 7.08k| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD && ------------------ | Branch (116:6): [True: 0, False: 7.08k] ------------------ 117| 0| packet->payload_packet_len == 40 && ------------------ | Branch (117:6): [True: 0, False: 0] ------------------ 118| 0| *(uint32_t *)&packet->payload[17] == 0 /* Seq number starting from 0 */) { ------------------ | Branch (118:6): [True: 0, False: 0] ------------------ 119| 0| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2; pattern 1)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 120| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 121| 0| return; 122| 0| } 123| 7.08k| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_BLIZZARD && ------------------ | Branch (123:6): [True: 0, False: 7.08k] ------------------ 124| 0| packet->payload_packet_len == 50 && ------------------ | Branch (124:6): [True: 0, False: 0] ------------------ 125| 0| ((*(uint64_t *)&packet->payload[32] == 0 && *(uint64_t *)&packet->payload[40] == 0) /* First pkt from client */ || ------------------ | Branch (125:8): [True: 0, False: 0] | Branch (125:50): [True: 0, False: 0] ------------------ 126| 0| (*(uint64_t *)&packet->payload[0] == 0 && *(uint64_t *)&packet->payload[8] == 0)) /* First pkt from server */) { ------------------ | Branch (126:8): [True: 0, False: 0] | Branch (126:49): [True: 0, False: 0] ------------------ 127| 0| NDPI_LOG_INFO(ndpi_struct, "Found Blizzard (overwatch2; pattern 2)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 128| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BLIZZARD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 129| 0| return; 130| 0| } 131| | 132| | /* TODO: other patterns */ 133| | 134| 7.08k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7.08k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 135| 7.08k|} init_c1222_dissector: 66| 7.08k|{ 67| 7.08k| ndpi_register_dissector("ANSI_C1222", ndpi_struct, 68| 7.08k| ndpi_search_c1222, 69| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 70| 7.08k| 1, NDPI_PROTOCOL_C1222); 71| 7.08k|} c1222.c:ndpi_search_c1222: 45| 14.9k|{ 46| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 14.9k| NDPI_LOG_DBG(ndpi_struct, "search ANSI C12.22\n"); ------------------ | | 596| 14.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| 14.9k| if ((packet->payload_packet_len < 50) || (packet->payload[0] != 0x60) || ------------------ | Branch (50:7): [True: 9.49k, False: 5.47k] | Branch (50:44): [True: 5.46k, False: 10] ------------------ 51| 10| ((u_int8_t)(packet->payload_packet_len-2) != packet->payload[1])) ------------------ | Branch (51:7): [True: 9, False: 1] ------------------ 52| 14.9k| { 53| 14.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 54| 14.9k| return; 55| 14.9k| } 56| | 57| 1| if (packet->payload[2] == 0xA2 && packet->payload[4] == 0x06) { ------------------ | Branch (57:7): [True: 0, False: 1] | Branch (57:37): [True: 0, False: 0] ------------------ 58| 0| ndpi_int_c1222_add_connection(ndpi_struct, flow); 59| 0| return; 60| 0| } 61| | 62| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 1|} 
/*
 * init_can_dissector: the listing starts at the opening brace on line 75, so
 * the function signature is not shown here.
 *
 * Registers the dissector named "Controller_Area_Network" with a single call
 * to ndpi_register_dissector, passing ndpi_search_can as the search callback
 * and NDPI_PROTOCOL_CAN as the protocol id.
 *
 * The selection bitmask argument is
 * NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 * which the macro expansions printed below resolve to
 * IPV4_OR_IPV6 (1<<7) | INT_TCP_OR_UDP (1<<3) | NO_TCP_RETRANSMISSION (1<<5) |
 * HAS_PAYLOAD (1<<4).
 *
 * NOTE(review): presumably this bitmask limits ndpi_search_can to TCP/UDP
 * packets that carry payload and are not retransmissions; how
 * ndpi_register_dissector applies it is not visible here - confirm.
 * The meaning of the literal 1 argument is not visible here either.
 */
init_can_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("Controller_Area_Network", ndpi_struct, 77| 7.08k| ndpi_search_can, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_CAN); 80| 7.08k|} 
/*
 * Four functions follow in this span; each is listed from its opening brace,
 * so signatures are not shown. In this build NDPI_LOG_DBG and NDPI_LOG_INFO
 * expand to a no-op block that only references the module argument.
 *
 * ndpi_search_can (can.c lines 50-72)
 *   Classifies a packet as Controller Area Network traffic.
 *   1. If payload_packet_len is smaller than sizeof(struct can_hdr), the
 *      dissector is excluded for the flow and the function returns. This
 *      length check runs before the payload is viewed as a struct can_hdr.
 *   2. The header signature, converted with ndpi_ntohll, is compared with
 *      0x49534f3131383938 (annotated "ISO11898" in the source); a mismatch
 *      excludes the dissector and returns.
 *   3. On a match ndpi_int_can_add_connection is called first; only then is
 *      can_header->version checked, and a value other than 0x01 raises
 *      NDPI_MALFORMED_PACKET with the text "Invalid CAN Header". A flow with
 *      a bad version is therefore still classified as CAN, with a risk set.
 *   NOTE(review): the header fields are read through a struct pointer cast
 *   over the packet buffer; neither the packing of struct can_hdr nor the
 *   alignment of packet->payload is visible here - confirm the read is safe
 *   on strict-alignment targets.
 *   Coverage: the signature matched on 2 of about 14.0k header-sized
 *   payloads; each side of the version branch was taken once.
 *
 * ndpi_int_can_add_connection (can.c lines 40-46)
 *   Calls ndpi_set_detected_protocol with NDPI_PROTOCOL_CAN,
 *   NDPI_PROTOCOL_UNKNOWN and NDPI_CONFIDENCE_DPI.
 *
 * init_capwap_dissector (lines 135-140)
 *   Registers the dissector named "CAPWAP" through ndpi_register_dissector
 *   with ndpi_search_capwap as the callback and NDPI_PROTOCOL_CAPWAP as the
 *   protocol id. The selection bitmask expands, per the macros printed
 *   below, to IPV4_OR_IPV6 (1<<7) | INT_UDP (1<<2) | HAS_PAYLOAD (1<<4).
 *   The meaning of the literal 1 argument is not visible here.
 *
 * ndpi_search_capwap (capwap.c lines 126-131)
 *   Calls ndpi_search_setup_capwap only when packet->udp is non-NULL and
 *   flow->detected_protocol_stack[0] is NDPI_PROTOCOL_UNKNOWN. Both
 *   conditions were true on every one of the 3.42k recorded calls, so the
 *   skip path is not exercised by this run.
 */
can.c:ndpi_search_can: 50| 15.0k|{ 51| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 52| | 53| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search Controller Area Network\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 54| | 55| 15.0k| u_int64_t const signature = 0x49534f3131383938; // "ISO11898" 56| 15.0k| if (packet->payload_packet_len < sizeof(struct can_hdr)) { ------------------ | Branch (56:7): [True: 1.01k, False: 14.0k] ------------------ 57| 1.01k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.01k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 1.01k| return; 59| 1.01k| } 60| | 61| 14.0k| struct can_hdr const * const can_header = (struct can_hdr *)packet->payload; 62| 14.0k| if (ndpi_ntohll(can_header->signature) != signature) { ------------------ | Branch (62:7): [True: 14.0k, False: 2] ------------------ 63| 14.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 64| 14.0k| return; 65| 14.0k| } 66| | 67| 2| ndpi_int_can_add_connection(ndpi_struct, flow); 68| | 69| 2| if (can_header->version != 0x01) { ------------------ | Branch (69:7): [True: 1, False: 1] ------------------ 70| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid CAN Header"); 71| 1| } 72| 2|} can.c:ndpi_int_can_add_connection: 40| 2|{ 41| 2| NDPI_LOG_INFO(ndpi_struct, "found Controller Area Network\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 42| | 43| 2| ndpi_set_detected_protocol(ndpi_struct, flow, 44| 2| NDPI_PROTOCOL_CAN, NDPI_PROTOCOL_UNKNOWN, 45| 2| NDPI_CONFIDENCE_DPI); 46| 2|} init_capwap_dissector: 135| 7.08k|{ 136| 7.08k| ndpi_register_dissector("CAPWAP", ndpi_struct, 137| 7.08k| ndpi_search_capwap, 138| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 139| 7.08k| 1, NDPI_PROTOCOL_CAPWAP); 140| 7.08k|} capwap.c:ndpi_search_capwap: 126| 3.42k|{ 127| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 128| | 129| 3.42k| if(packet->udp && (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) ------------------ | Branch (129:6): [True: 3.42k, False: 0] | Branch (129:21): [True: 3.42k, False: 0] ------------------ 130| 3.42k| ndpi_search_setup_capwap(ndpi_struct, flow); 131| 3.42k|} capwap.c:ndpi_search_setup_capwap: 65| 
3.42k| struct ndpi_flow_struct *flow) { 66| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 67| 3.42k| u_int16_t sport, dport; 68| | 69| 3.42k| sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); 70| | 71| 3.42k| if((dport == NDPI_CAPWAP_CONTROL_PORT) ------------------ | | 29| 3.42k|#define NDPI_CAPWAP_CONTROL_PORT 5246 ------------------ | Branch (71:6): [True: 0, False: 3.42k] ------------------ 72| 0| && (is_capwap_multicast(packet)) ------------------ | Branch (72:9): [True: 0, False: 0] ------------------ 73| 0| && (packet->payload_packet_len >= 16) ------------------ | Branch (73:9): [True: 0, False: 0] ------------------ 74| 0| && (packet->payload[0] == 0x0) ------------------ | Branch (74:9): [True: 0, False: 0] ------------------ 75| 0| && (packet->payload[8] == 6 /* Mac len */) ------------------ | Branch (75:9): [True: 0, False: 0] ------------------ 76| 3.42k| ) 77| 0| goto capwap_found; 78| | 79| 3.42k| if(((sport == NDPI_CAPWAP_CONTROL_PORT) || (dport == NDPI_CAPWAP_CONTROL_PORT)) ------------------ | | 29| 3.42k|#define NDPI_CAPWAP_CONTROL_PORT 5246 ------------------ if(((sport == NDPI_CAPWAP_CONTROL_PORT) || (dport == NDPI_CAPWAP_CONTROL_PORT)) ------------------ | | 29| 3.42k|#define NDPI_CAPWAP_CONTROL_PORT 5246 ------------------ | Branch (79:7): [True: 1, False: 3.42k] | Branch (79:46): [True: 0, False: 3.42k] ------------------ 80| 1| && ((packet->payload[0] == 0x0) || (packet->payload[0] == 0x1)) ------------------ | Branch (80:10): [True: 0, False: 1] | Branch (80:41): [True: 0, False: 1] ------------------ 81| 3.42k| ) { 82| 0| u_int16_t msg_len, offset, to_add; 83| | 84| 0| if(packet->payload[0] == 0x0) ------------------ | Branch (84:8): [True: 0, False: 0] ------------------ 85| 0| offset = 13, to_add = 13; 86| 0| else 87| 0| offset = 15, to_add = 17; 88| | 89| 0| if (packet->payload_packet_len >= offset + sizeof(u_int16_t)) { ------------------ | Branch (89:9): [True: 0, False: 0] ------------------ 
90| 0| msg_len = ntohs(*(u_int16_t*)&packet->payload[offset]); 91| | 92| 0| if((msg_len+to_add) == packet->payload_packet_len) ------------------ | Branch (92:10): [True: 0, False: 0] ------------------ 93| 0| goto capwap_found; 94| 0| } 95| 0| } 96| | 97| 3.42k| if( 98| 3.42k| (((dport == NDPI_CAPWAP_DATA_PORT) && (!is_capwap_multicast(packet))) || (sport == NDPI_CAPWAP_DATA_PORT)) ------------------ | | 30| 3.42k|#define NDPI_CAPWAP_DATA_PORT 5247 ------------------ (((dport == NDPI_CAPWAP_DATA_PORT) && (!is_capwap_multicast(packet))) || (sport == NDPI_CAPWAP_DATA_PORT)) ------------------ | | 30| 3.42k|#define NDPI_CAPWAP_DATA_PORT 5247 ------------------ | Branch (98:8): [True: 3, False: 3.41k] | Branch (98:44): [True: 2, False: 1] | Branch (98:79): [True: 44, False: 3.37k] ------------------ 99| 46| && (packet->payload_packet_len >= 16) ------------------ | Branch (99:9): [True: 43, False: 3] ------------------ 100| 43| && (packet->payload[0] == 0x0) ------------------ | Branch (100:9): [True: 32, False: 11] ------------------ 101| 3.42k| ) { 102| 32| u_int8_t is_80211_data = (packet->payload[9] & 0x0C) >> 2; 103| | 104| | 105| 32| if((sport == NDPI_CAPWAP_DATA_PORT) && (is_80211_data == 2 /* IEEE 802.11 Data */)) ------------------ | | 30| 32|#define NDPI_CAPWAP_DATA_PORT 5247 ------------------ | Branch (105:8): [True: 30, False: 2] | Branch (105:44): [True: 7, False: 23] ------------------ 106| 7| goto capwap_found; 107| 25| else if(dport == NDPI_CAPWAP_DATA_PORT) { ------------------ | | 30| 25|#define NDPI_CAPWAP_DATA_PORT 5247 ------------------ | Branch (107:13): [True: 2, False: 23] ------------------ 108| 2| u_int16_t msg_len = ntohs(*(u_int16_t*)&packet->payload[13]); 109| | 110| 2| if((packet->payload[8] == 1 /* Mac len */) ------------------ | Branch (110:10): [True: 0, False: 2] ------------------ 111| 2| || (packet->payload[8] == 6 /* Mac len */) ------------------ | Branch (111:6): [True: 1, False: 1] ------------------ 112| 1| || 
(packet->payload[8] == 4 /* Wireless len */) ------------------ | Branch (112:6): [True: 0, False: 1] ------------------ 113| 1| || ((msg_len+15) == packet->payload_packet_len)) ------------------ | Branch (113:6): [True: 0, False: 1] ------------------ 114| 1| goto capwap_found; 115| 2| } 116| 32| } 117| | 118| 3.41k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.41k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 119| 3.41k| return; 120| | 121| 8| capwap_found: 122| 8| ndpi_int_capwap_add_connection(ndpi_struct, flow); 123| 8|} capwap.c:is_capwap_multicast: 39| 3|{ 40| | /* RFC 5115 Sec 3.3 41| | "The WTP MUST send the Discovery Request 42| | message to either the limited broadcast IP address (255.255.255.255), 43| | the well-known CAPWAP multicast address (224.0.1.140), or to the 44| | unicast IP address of the AC. For IPv6 networks, since broadcast 45| | does not exist, the use of "All ACs multicast address" (FF0X:0:0:0:0: 46| | 0:0:18C) is used instead. 
47| | */ 48| 3| if(packet->iph) { ------------------ | Branch (48:6): [True: 3, False: 0] ------------------ 49| 3| if((packet->iph->daddr == 0xFFFFFFFF) || ------------------ | Branch (49:8): [True: 1, False: 2] ------------------ 50| 2| (ntohl(packet->iph->daddr) == 0XE000018C)) ------------------ | Branch (50:8): [True: 0, False: 2] ------------------ 51| 1| return 1; 52| 3| } else if(packet->iphv6) { ------------------ | Branch (52:13): [True: 0, False: 0] ------------------ 53| 0| if(((ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0] & 0xFFF0FFFF) == 0xFF000000)) && ------------------ | Branch (53:8): [True: 0, False: 0] ------------------ 54| 0| (packet->iphv6->ip6_dst.u6_addr.u6_addr32[1] == 0) && ------------------ | Branch (54:8): [True: 0, False: 0] ------------------ 55| 0| (packet->iphv6->ip6_dst.u6_addr.u6_addr32[2] == 0) && ------------------ | Branch (55:8): [True: 0, False: 0] ------------------ 56| 0| (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3] == 0x0000018C))) ------------------ | Branch (56:8): [True: 0, False: 0] ------------------ 57| 0| return 1; 58| 0| } 59| 2| return 0; 60| 3|} capwap.c:ndpi_int_capwap_add_connection: 34| 8| struct ndpi_flow_struct *flow) { 35| 8| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CAPWAP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 36| 8|} init_cassandra_dissector: 95| 7.08k|void init_cassandra_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 96| 7.08k| ndpi_register_dissector("Cassandra", ndpi_struct, 97| 7.08k| ndpi_search_cassandra, 98| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 99| 7.08k| 1, NDPI_PROTOCOL_CASSANDRA); 100| 7.08k|} cassandra.c:ndpi_search_cassandra: 56| 18.8k|{ 57| 18.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 58| | 59| 18.8k| NDPI_LOG_DBG(ndpi_struct, "search Cassandra CQL\n"); ------------------ | | 596| 18.8k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 60| | /* Internode messaging: a 19-byte payload whose first 32-bit word, read in network byte order, is 0xCA552DFA */ 61| 18.8k| if (packet->payload_packet_len == 19 && ------------------ | Branch (61:7): [True: 113, False: 18.7k] ------------------ 62| 18.8k| ntohl(get_u_int32_t(packet->payload, 0)) == 0xCA552DFA) ------------------ | Branch (62:7): [True: 0, False: 113] ------------------ 63| 0| { 64| 0| NDPI_LOG_INFO(ndpi_struct, "found Cassandra Internode Communication\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| 0| ndpi_int_cassandra_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| | /* NOTE(review): ndpi_validate_cassandra_response() and ndpi_validate_cassandra_request() return 1 or -1, never 0, so both negations below are always false (matching the [True: 0] counts) and the first-byte check excludes nothing. Presumably the intent was to exclude when neither validator returns 1 - confirm. */ 69| 18.8k| if ((packet->payload_packet_len < 9) || ------------------ | Branch (69:7): [True: 945, False: 17.8k] ------------------ 70| 17.8k| (flow->packet_counter >= 8) || ------------------ | Branch (70:7): [True: 2, False: 17.8k] ------------------ 71| 17.8k| (!ndpi_validate_cassandra_response(packet->payload[0]) || ------------------ | Branch (71:8): [True: 0, False: 17.8k] ------------------ 72| 17.8k| !ndpi_validate_cassandra_request(packet->payload[0]))) ------------------ | Branch (72:8): [True: 0, False: 17.8k] ------------------ 73| 947| { 74| 947| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 947|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 947| return; 76| 947| } 77| | /* Exclude once more than 2 packets have been counted in the current direction */ 78| 17.8k| if (flow->packet_direction_counter[packet->packet_direction] > 2) { ------------------ | Branch (78:7): [True: 2.28k, False: 15.5k] ------------------ 79| 2.28k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.28k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 80| 2.28k| return; 81| 2.28k| } 82| | 83| | /* Looking for a 'STARTUP' message from the client, 84| | * which should always contain the
CQL_VERSION string; the marker is compared 20 bytes before the end of the payload, and the > 60 length test keeps that offset inside the payload 85| | */ 86| 15.5k| if (packet->payload_packet_len > 60 && ------------------ | Branch (86:7): [True: 4.35k, False: 11.2k] ------------------ 87| 4.35k| memcmp(&packet->payload[packet->payload_packet_len-20], "CQL_VERSION", 11) == 0) ------------------ | Branch (87:7): [True: 2, False: 4.35k] ------------------ 88| 2| { 89| 2| NDPI_LOG_INFO(ndpi_struct, "found Cassandra CQL\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 90| 2| ndpi_int_cassandra_add_connection(ndpi_struct, flow); 91| 2| return; 92| 2| } 93| 15.5k|} cassandra.c:ndpi_int_cassandra_add_connection: 46| 2|{ 47| 2| NDPI_LOG_INFO(ndpi_struct, "found Cassandra CQL\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 48| | /* Mark the flow as Cassandra with DPI confidence */ 49| 2| ndpi_set_detected_protocol(ndpi_struct, flow, 50| 2| NDPI_PROTOCOL_CASSANDRA, NDPI_PROTOCOL_UNKNOWN, 51| 2| NDPI_CONFIDENCE_DPI); 52| 2|} cassandra.c:ndpi_validate_cassandra_response: 35| 17.8k|{ 36| 17.8k| return (response >= 0x81 && response <= 0x85) ? 1 : -1; /* 1 for 0x81..0x85, otherwise -1 (never 0) */ ------------------ | Branch (36:11): [True: 817, False: 17.0k] | Branch (36:31): [True: 19, False: 798] ------------------ 37| 17.8k|} cassandra.c:ndpi_validate_cassandra_request: 40| 17.8k|{ 41| 17.8k| return (request >= 0x01 && request <= 0x05) ? 
1 : -1; /* 1 for 0x01..0x05, otherwise -1 (never 0) */ ------------------ | Branch (41:11): [True: 16.2k, False: 1.59k] | Branch (41:30): [True: 971, False: 15.3k] ------------------ 42| 17.8k|} init_ceph_dissector: 55| 7.08k|{ 56| 7.08k| ndpi_register_dissector("Ceph", ndpi_struct, 57| 7.08k| ndpi_search_ceph, 58| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 59| 
7.08k| 1, NDPI_PROTOCOL_CEPH); 60| 7.08k|} ceph.c:ndpi_search_ceph: 34| 11.6k|{ 35| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Ceph\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| | 39| | /* The protocol starts with a handshake, where the client's request and 40| | * the server's response always contain a Ceph version string (ceph v027 41| | * for example). The length test runs first, so memcmp() only reads bytes inside the payload. */ 42| 11.6k| if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("ceph v") && ------------------ | | 98| 23.3k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (42:7): [True: 10.8k, False: 791] ------------------ 43| 10.8k| memcmp(packet->payload, "ceph v", NDPI_STATICSTRING_LEN("ceph v")) == 0) ------------------ | | 98| 10.8k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (43:7): [True: 6, False: 10.8k] ------------------ 44| 6| { 45| 6| NDPI_LOG_INFO(ndpi_struct, "found Ceph\n"); ------------------ | | 595| 6|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 46| 6| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CEPH, 47| 6| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 48| 6| return; 49| 6| } 50| | /* Prefix not found: a single non-matching payload excludes the Ceph dissector for this flow */ 51| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 11.6k|} init_checkmk_dissector: 77| 7.08k|{ 78| 7.08k| ndpi_register_dissector("CHECKMK", ndpi_struct, 79| 7.08k| ndpi_search_checkmk, 80| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 81| 7.08k| 1, NDPI_PROTOCOL_CHECKMK); 82| 7.08k|} checkmk.c:ndpi_search_checkmk: 41| 14.6k|{ 42| 14.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| | 44| 14.6k| NDPI_LOG_DBG(ndpi_struct, "search Checkmk\n"); ------------------ | | 596| 14.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 14.6k| if (packet->payload_packet_len >= 15) { ------------------ | Branch (46:7): [True: 13.2k, False: 1.40k] ------------------ 47| | 48| 13.2k| if(packet->payload_packet_len > 128) { ------------------ | Branch (48:8): [True: 3.35k, False: 9.88k] ------------------ 49| | /* 50| | Payloads larger than 128 bytes are not compared with the signature: 51| | the flow is left undecided and the dissector is excluded only once 52| | flow->packet_counter exceeds 6 53| | */ 54| 3.35k| if(flow->packet_counter > 6) ------------------ | Branch (54:10): [True: 7, False: 3.35k] ------------------ 55| 7| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 3.35k| return; 57| 3.35k| } 58| | 59| | /* 60| | * Signature match: a payload of 15..99 bytes whose first 14 bytes equal the literal below. 61| | * NOTE(review): as printed in this report the literal is shorter than the 14 bytes memcmp() compares; presumably characters were lost when the report was rendered - verify against checkmk.c 62| | */ 63| 9.88k| if (packet->payload_packet_len < 100 ------------------ | Branch (63:9): [True: 9.55k, False: 330] ------------------ 64| 9.55k| && memcmp(packet->payload, "<<>>", 14) == 0) { ------------------ | 
Branch (64:12): [True: 1, False: 9.55k] ------------------ 65| | 66| 1| NDPI_LOG_DBG(ndpi_struct, "Check_MK: Flow detected.\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 67| 1| ndpi_int_checkmk_add_connection(ndpi_struct, flow); 68| 1| return; 69| 1| } 70| 9.88k| } 71| | /* Reached for payloads shorter than 15 bytes and for payloads of 15..128 bytes that did not match: exclude the dissector */ 72| 11.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 11.2k|} checkmk.c:ndpi_int_checkmk_add_connection: 34| 1|{ 35| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CHECKMK, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 36| 1|} init_cip_dissector: 66| 7.08k|void init_cip_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 67| 7.08k| ndpi_register_dissector("CIP", ndpi_struct, 68| 7.08k| ndpi_search_cip, 69| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | 
| ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 70| 7.08k| 1, NDPI_PROTOCOL_CIP); 71| 7.08k|} cip.c:ndpi_search_cip: 33| 3.34k| struct ndpi_flow_struct *flow) { 34| 3.34k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 35| | 36| 3.34k| NDPI_LOG_DBG(ndpi_struct, "search cip\n"); ------------------ | | 596| 3.34k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| | /* UDP only: both ports must be 2222 and the payload 12..63 bytes with payload[1] == 0; the zero counts below show this run never got past the port test, so the record walk was not exercised */ 38| 3.34k| if(packet->udp ------------------ | Branch (38:6): [True: 3.34k, False: 0] ------------------ 39| 3.34k| && (ntohs(packet->udp->source) == CIP_IO_PORT) && (ntohs(packet->udp->dest) == CIP_IO_PORT) ------------------ | | 27| 3.34k|#define CIP_IO_PORT 2222 ------------------ && (ntohs(packet->udp->source) == CIP_IO_PORT) && (ntohs(packet->udp->dest) == CIP_IO_PORT) ------------------ | | 27| 0|#define CIP_IO_PORT 2222 ------------------ | Branch (39:9): [True: 0, False: 3.34k] | Branch (39:56): [True: 0, False: 0] ------------------ 40| 0| && (packet->payload_packet_len >= 12) ------------------ | Branch (40:9): [True: 0, False: 0] ------------------ 41| 0| && (packet->payload_packet_len < 64) ------------------ | Branch (41:9): [True: 0, False: 0] ------------------ 42| 0| && (packet->payload[1] == 0x0) ------------------ | Branch (42:9): [True: 0, False: 0] ------------------ 43| 3.34k| ) { 44| 0| u_int8_t num_items = packet->payload[0], offset = 2; 45| | /* Walk num_items records: each has a 16-bit little-endian length at offset+2; the loop guard keeps offset+3 inside the payload */ 46| 0| while((num_items > 0) && (packet->payload_packet_len > ((u_int32_t)offset + 4))) { ------------------ | Branch (46:11): [True: 0, False: 0] | Branch (46:30): [True: 0, False: 0] ------------------ 47| | // u_int16_t type_id = *((u_int16_t*)&packet->payload[offset]); 48| 0| u_int16_t lenght = (packet->payload[offset+3] << 8) + packet->payload[offset+2]; 49| | /* NOTE(review): offset is u_int8_t but lenght is 16-bit and comes from the packet, so the addition below is truncated to 8 bits and can wrap; reads stay bounded by the loop guard, but the equality test after the loop then compares a wrapped value - consider a wider offset type */ 50| 0| offset += 4 + lenght; 51| 0| num_items--; 52| 0| } 53| | /* Accept only when the records end exactly at the end of the payload */ 54| 0| if(offset == packet->payload_packet_len) { ------------------ | 
Branch (54:8): [True: 0, False: 0] ------------------ 55| 0| NDPI_LOG_INFO(ndpi_struct,"found cip\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 56| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 57| 0| } 58| 3.34k| } else { 59| | /* TODO add TCP dissection */ 60| 3.34k| } 61| | /* NOTE(review): reached on every path, including right after ndpi_set_detected_protocol() above, because the match branch has no return - confirm the exclusion is intended after a positive match */ 62| 3.34k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.34k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 3.34k|} init_ciscovpn_dissector: 69| 7.08k|{ 70| 7.08k| ndpi_register_dissector("CiscoVPN", ndpi_struct, 71| 7.08k| ndpi_search_ciscovpn, 72| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 73| 7.08k| 1, 
NDPI_PROTOCOL_CISCOVPN); 74| 7.08k|} ciscovpn.c:ndpi_search_ciscovpn: 40| 4.37k|{ 41| 4.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| 4.37k| u_int16_t udport, usport; 43| | 44| 4.37k| NDPI_LOG_DBG(ndpi_struct, "search CISCOVPN\n"); ------------------ | | 596| 4.37k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | /* NOTE(review): packet->udp is dereferenced without a NULL test; this relies on the dissector being registered with a UDP-only selection bitmask - confirm the registration guarantees udp is set */ 46| 4.37k| usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest); 47| | /* Match only when both UDP ports are 10000 and the payload starts with fe 57 7e 2b */ 48| 4.37k| if((usport == 10000 && udport == 10000)) { ------------------ | Branch (48:7): [True: 0, False: 4.37k] | Branch (48:26): [True: 0, False: 0] ------------------ 49| 0| if((packet->payload_packet_len >= 4) && ------------------ | Branch (49:8): [True: 0, False: 0] ------------------ 50| 0| (packet->payload[0] == 0xfe && ------------------ | Branch (50:9): [True: 0, False: 0] ------------------ 51| 0| packet->payload[1] == 0x57 && ------------------ | Branch (51:2): [True: 0, False: 0] ------------------ 52| 0| packet->payload[2] == 0x7e && ------------------ | Branch (52:2): [True: 0, False: 0] ------------------ 53| 0| packet->payload[3] == 0x2b) ------------------ | Branch (53:2): [True: 0, False: 0] ------------------ 54| 0| ) { 55| | /* This is a good query fe577e2b */ 56| 0| NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 57| 0| ndpi_int_ciscovpn_add_connection(ndpi_struct, flow); 58| 0| return; 59| 0| } 60| | /* Ports matched but the magic did not: keep the dissector until more than 5 packets have been processed, then exclude it */ 61| 0| if(flow->num_processed_pkts > 5) ------------------ | Branch (61:8): [True: 0, False: 0] ------------------ 62| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 0| } else 64| 4.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 4.37k|} init_citrix_dissector: 70| 7.08k|{ 71| 7.08k| ndpi_register_dissector("Citrix", ndpi_struct, 72| 7.08k| ndpi_search_citrix, 73| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 74| 7.08k| 1, NDPI_PROTOCOL_CITRIX); 75| 7.08k|} citrix.c:ndpi_search_citrix: 62| 13.4k|{ 63| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search citrix\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 64| | /* All matching is done in ndpi_check_citrix() */ 65| 13.4k| ndpi_check_citrix(ndpi_struct, flow); 66| 13.4k|} citrix.c:ndpi_check_citrix: 35| 13.4k|{ 36| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 37| 13.4k| u_int32_t payload_len = packet->payload_packet_len; 38| | /* A 6-byte payload must equal 7F 7F 'I' 'C' 'A' 00 exactly */ 39| 13.4k| if(payload_len == 6) { ------------------ | Branch (39:6): [True: 36, False: 13.4k] ------------------ 40| 36| char citrix_header[] = { 0x7F, 0x7F, 0x49, 0x43, 0x41, 0x00 }; 41| | 42| 36| if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) { ------------------ | Branch (42:8): [True: 0, False: 36] ------------------ 43| 0| NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 45| 0| return; 46| 0| } 47| 13.4k| } else if(payload_len > 22) { ------------------ | Branch (47:13): [True: 8.70k, False: 4.71k] ------------------ 48| 8.70k| char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 }; 49| | /* Payloads longer than 22 bytes match on the prefix 1A 'C' 'G' 'P' '/' '0' '1', or on the string searched below with payload_len as the bound. NOTE(review): the payload is not NUL-terminated, so this depends on ndpi_strnstr() honouring that bound - confirm */ 50| 8.70k| if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) ------------------ | Branch (50:8): [True: 3, False: 8.69k] ------------------ 51| 8.69k| || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) { ------------------ | Branch (51:11): [True: 0, False: 8.69k] ------------------ 52| 3| NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 53| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 54| 3| return; 55| 3| } 56| 8.70k| } 57| | /* Nothing matched; payload lengths other than 6 and above 22 are excluded without being inspected */ 58| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 13.4k|} init_cloudflare_warp_dissector: 87| 7.08k|{ 88| 7.08k| ndpi_register_dissector("CloudflareWarp", ndpi_struct, 89| 7.08k| ndpi_search_cloudflare_warp, 90| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 91| 7.08k| 1, NDPI_PROTOCOL_CLOUDFLARE_WARP); 92| 7.08k|} cloudflare_warp.c:ndpi_search_cloudflare_warp: 39| 3.32k|{ 40| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search CloudflareWarp\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 41| | 42| | /* https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/firewall/ */ 43| | 44| | /* Cloudflare has been using wireguard and it is moving to MASQUE: 45| | * https://blog.cloudflare.com/1111-warp-better-vpn/ 46| | * https://blog.cloudflare.com/zero-trust-warp-with-a-masque 47| | 48| | Wireguard.
It is not standard wireguard traffic: 49| | * message type seems to be 0xc1-0xc4 instead of 1-4 50| | * handshake messages are different 51| | * reserved bytes are set to 0x00 only on the very first msg, i.e 0xc1 52| | However: 53| | * for the "data" messages, the receiver_index and counter fields seem to match the standard ones 54| | * the general logic (2 handshake pkts + data) seems the same 55| | 56| | TODO: no traffic sample with MASQUE is available yet 57| | 58| | Overall, it should be enough to identify it via ip and port matching 59| | */ 60| | /* No payload byte is inspected: the flow must already be attributed to Cloudflare WARP by IP and one of its ports must be in a fixed list. The ports are compared with ntohs() of the constant, so s_port/c_port are presumably kept in network byte order - confirm. */ 61| 3.32k| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_CLOUDFLARE_WARP) { ------------------ | Branch (61:6): [True: 0, False: 3.32k] ------------------ 62| | /* Wireguard */ 63| 0| if(flow->s_port == ntohs(2408) || flow->c_port == ntohs(2408) || ------------------ | Branch (63:8): [True: 0, False: 0] | Branch (63:39): [True: 0, False: 0] ------------------ 64| 0| flow->s_port == ntohs(500) || flow->c_port == ntohs(500) || ------------------ | Branch (64:8): [True: 0, False: 0] | Branch (64:38): [True: 0, False: 0] ------------------ 65| 0| flow->s_port == ntohs(1701) || flow->c_port == ntohs(1701) || ------------------ | Branch (65:8): [True: 0, False: 0] | Branch (65:39): [True: 0, False: 0] ------------------ 66| 0| flow->s_port == ntohs(4500) || flow->c_port == ntohs(4500)) { ------------------ | Branch (66:8): [True: 0, False: 0] | Branch (66:39): [True: 0, False: 0] ------------------ 67| 0| ndpi_int_cloudflare_warp_add_connection(ndpi_struct, flow); 68| 0| return; 69| 0| } 70| | /* MASQUE */ 71| | /* TODO: we should check if the QUIC dissector already owns this flow, i.e 72| | if this code path is ever triggered...
*/ 73| 0| if(flow->s_port == ntohs(443) || flow->c_port == ntohs(443) || ------------------ | Branch (73:8): [True: 0, False: 0] | Branch (73:38): [True: 0, False: 0] ------------------ 74| 0| flow->s_port == ntohs(4443) || flow->c_port == ntohs(4443) || ------------------ | Branch (74:8): [True: 0, False: 0] | Branch (74:39): [True: 0, False: 0] ------------------ 75| 0| flow->s_port == ntohs(8443) || flow->c_port == ntohs(8443) || ------------------ | Branch (75:8): [True: 0, False: 0] | Branch (75:39): [True: 0, False: 0] ------------------ 76| 0| flow->s_port == ntohs(8095) || flow->c_port == ntohs(8095)) { ------------------ | Branch (76:8): [True: 0, False: 0] | Branch (76:39): [True: 0, False: 0] ------------------ 77| 0| ndpi_int_cloudflare_warp_add_connection(ndpi_struct, flow); 78| 0| return; 79| 0| } 80| 0| } 81| | /* Not attributed to Cloudflare WARP by IP, or none of the listed ports: exclude the dissector */ 82| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 83| 3.32k|} init_cnp_ip_dissector: 58| 7.08k|{ 59| 7.08k| ndpi_register_dissector("CNP-IP", ndpi_struct, 60| 7.08k| ndpi_search_cnp_ip, 61| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 62| 7.08k| 1, NDPI_PROTOCOL_CNP_IP); 63| 7.08k|} cnp-ip.c:ndpi_search_cnp_ip: 42| 3.32k|{ 43| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | 45| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search CNP-IP\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | /* Header checks: payload longer than 20 bytes, the first 16-bit field (network byte order) equal to the payload length, then masked tests on bytes 3, 4 and 5. The length test comes first, so every indexed read is inside the payload. */ 47| 3.32k| if (packet->payload_packet_len > 20 && packet->payload_packet_len == ntohs(get_u_int16_t(packet->payload, 0)) && ------------------ | Branch (47:7): [True: 3.09k, False: 226] | Branch (47:42): [True: 1, False: 3.09k] ------------------ 48| 1| (packet->payload[3] & 0x1F) == 0x01 && packet->payload[4] == 0 && (packet->payload[5] & 0x1F) < 0x03) ------------------ | Branch (48:7): [True: 0, False: 1] | Branch (48:46): [True: 0, False: 0] | Branch (48:73): [True: 0, False: 0] ------------------ 49| 0| { 50| 0| ndpi_int_cnp_ip_add_connection(ndpi_struct, flow); 51| 0| return; 52| 0| } 53| | /* The first payload that fails the header checks excludes the dissector */ 54| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 3.32k|} init_coap_dissector: 153| 7.08k|{ 154| 7.08k| ndpi_register_dissector("COAP", ndpi_struct, 155| 7.08k| ndpi_search_coap, 156| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | 
------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 157| 7.08k| 1, NDPI_PROTOCOL_COAP); 158| 7.08k|} coap.c:ndpi_search_coap: 111| 3.42k|{ 112| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 113| 3.42k| struct ndpi_coap_hdr * h = (struct ndpi_coap_hdr*) packet->payload; 114| | /* h overlays the start of the payload and is only dereferenced after the >= 4 byte length check below. NOTE(review): struct ndpi_coap_hdr is not shown in this report - presumably a 4-byte header; confirm its size matches that check. */ 115| | // search for udp packet 116| 3.42k| if(packet->udp != NULL) { ------------------ | Branch (116:6): [True: 3.42k, False: 0] ------------------ 117| 3.42k| u_int16_t s_port = ntohs(packet->udp->source); 118| 3.42k| u_int16_t d_port = ntohs(packet->udp->dest); 119| | /* Require a CoAP port on at least one side and at least 4 payload bytes */ 120| 3.42k| if((!isCoAPport(s_port) && !isCoAPport(d_port)) ------------------ | Branch (120:9): [True: 3.42k, False: 6] | Branch (120:32): [True: 3.40k, False: 11] ------------------ 121| 3.41k| || (packet->payload_packet_len < 4) ) { // header too short ------------------ | Branch (121:11): [True: 1, False: 16] ------------------ 122| 3.41k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.41k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------ 123| 3.41k| return; 124| 3.41k| } 125| | 126| 16| NDPI_LOG_DBG2(ndpi_struct, "calculating coap over udp\n"); ------------------ | | 597| 16|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 127| | 128| | // check values in header: version 1, one of the four types, token length below 8 and a code inside one of the accepted ranges. NOTE(review): RFC 7252 allows token lengths 0..8, so the < 8 test also rejects an 8-byte token - confirm this is intended 129| 16| if(h->version == 1) { ------------------ | Branch (129:8): [True: 6, False: 10] ------------------ 130| 6| if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) { ------------------ | | 32| 12|#define CON 0 ------------------ if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) { ------------------ | | 33| 6|#define NO_CON 1 ------------------ if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) { ------------------ | | 34| 6|#define ACK 2 ------------------ if(h->type == CON || h->type == NO_CON || h->type == ACK || h->type == RST ) { ------------------ | | 35| 0|#define RST 3 ------------------ | Branch (130:10): [True: 6, False: 0] | Branch (130:28): [True: 0, False: 0] | Branch (130:49): [True: 0, False: 0] | Branch (130:67): [True: 0, False: 0] ------------------ 131| 6| if(h->tkl < 8) { ------------------ | Branch (131:5): [True: 5, False: 1] ------------------ 132| 5| if((/* h->code >= 0 && */ h->code <= 5) || (h->code >= 65 && h->code <= 69) || ------------------ | Branch (132:7): [True: 1, False: 4] | Branch (132:48): [True: 4, False: 0] | Branch (132:65): [True: 0, False: 4] ------------------ 133| 4| (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || ------------------ | Branch (133:8): [True: 3, False: 1] | Branch (133:27): [True: 2, False: 1] | Branch (133:47): [True: 1, False: 1] | Branch (133:65): [True: 0, False: 1] ------------------ 134| 3| (h->code >= 160 && h->code <= 165)) { ------------------ | Branch (134:8): [True: 1, False: 1] | Branch (134:26): [True: 0, False: 1] ------------------ 135| | 136| 3| NDPI_LOG_INFO(ndpi_struct, "found Coap\n");
------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 137| 3| ndpi_int_coap_add_connection(ndpi_struct,flow); 138| 3| return; 139| 3| } 140| 5| } 141| 6| } 142| 6| } 143| 16| } 144| | /* Any header field outside the accepted values: exclude the dissector */ 145| 13| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 146| 13| return; 147| 3.42k|} coap.c:isCoAPport: 98| 6.84k|static int isCoAPport(u_int16_t port) { /* 1 for port 5683 or 61616..61631, otherwise 0 */ 99| 6.84k| if((port == 5683) ------------------ | Branch (99:6): [True: 5, False: 6.84k] ------------------ 100| 6.84k| || ((port >= 61616) && (port <= 61631))) ------------------ | Branch (100:10): [True: 510, False: 6.33k] | Branch (100:29): [True: 12, False: 498] ------------------ 101| 17| return(1); 102| 6.82k| else 103| 6.82k| return(0); 104| 6.84k|} coap.c:ndpi_int_coap_add_connection: 88| 3|{ 89| 3| ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_COAP,NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 90| 3|} init_cod_mobile_dissector: 74| 7.08k|{ 75| 7.08k| ndpi_register_dissector("CoD_Mobile", ndpi_struct, 76| 7.08k| ndpi_search_cod_mobile, 77| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 
606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 78| 7.08k| 1, NDPI_PROTOCOL_COD_MOBILE); 79| 7.08k|} cod_mobile.c:ndpi_search_cod_mobile: 43| 3.89k|{ 44| 3.89k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 45| | 46| 3.89k| NDPI_LOG_DBG(ndpi_struct, "search Call of Duty: Mobile\n"); ------------------ | | 596| 3.89k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 3.89k| if (packet->payload_packet_len == 12 && ------------------ | Branch (48:7): [True: 30, False: 3.86k] ------------------ 49| 30| (ntohs(packet->udp->source) == 7500 || ntohs(packet->udp->dest) == 7500)) ------------------ | Branch (49:8): [True: 0, False: 30] | Branch (49:46): [True: 0, False: 30] ------------------ 50| 0| { 51| 0| if (memcmp(&packet->payload[8], "ping", 4) == 0) ------------------ | Branch (51:9): [True: 0, False: 0] ------------------ 52| 0| { 53| 0| ndpi_int_cod_mobile_add_connection(ndpi_struct, flow); 54| 0| return; 55| 0| } 56| 0| } 57| | 58| 3.89k| if (packet->payload_packet_len > 350 && packet->payload[0] == 0xCE) ------------------ | Branch (58:7): [True: 263, False: 3.63k] | Branch (58:43): [True: 16, False: 247] ------------------ 59| 16| { 60| 16| if (ndpi_memmem(packet->payload, packet->payload_packet_len, "LOC_PREFAB_LOADOUTNAME_1", ------------------ | Branch (60:10): [True: 0, False: 16] ------------------ 61| 16| NDPI_STATICSTRING_LEN("LOC_PREFAB_LOADOUTNAME_1"))) ------------------ | | 98| 16|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 62| 0| { 63| 0| ndpi_int_cod_mobile_add_connection(ndpi_struct, 
flow); 64| 0| return; 65| 0| } 66| 16| } 67| | 68| 3.89k| if (flow->packet_counter >= 4) { ------------------ | Branch (68:7): [True: 54, False: 3.83k] ------------------ 69| 54| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 54|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 54| } 71| 3.89k|} init_collectd_dissector: 194| 7.08k|{ 195| 7.08k| ndpi_register_dissector("collectd", ndpi_struct, 196| 7.08k| ndpi_search_collectd, 197| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 198| 7.08k| 1, NDPI_PROTOCOL_COLLECTD); 199| 7.08k|} collectd.c:ndpi_search_collectd: 132| 3.36k|{ 133| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 134| 3.36k| u_int16_t num_blocks; 135| 3.36k| u_int16_t block_offset = 0, block_type, 
block_length; 136| 3.36k| u_int16_t hostname_length = 0; 137| | 138| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search collectd\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 139| | 140| 3.75k| for (num_blocks = 0; num_blocks < COLLECTD_MAX_BLOCKS_TO_DISSECT; ------------------ | | 30| 3.75k|#define COLLECTD_MAX_BLOCKS_TO_DISSECT 5 ------------------ | Branch (140:24): [True: 3.74k, False: 1] ------------------ 141| 3.36k| ++num_blocks, block_offset += block_length) 142| 3.74k| { 143| 3.74k| block_length = npdi_int_collectd_block_size(packet, block_offset); 144| 3.74k| if (block_length == 0) ------------------ | Branch (144:9): [True: 3.03k, False: 713] ------------------ 145| 3.03k| { 146| 3.03k| break; 147| 3.03k| } 148| | 149| 713| block_type = ntohs(get_u_int16_t(packet->payload, block_offset)); 150| 713| if (ndpi_int_collectd_check_type(block_type) != 0) ------------------ | Branch (150:9): [True: 328, False: 385] ------------------ 151| 328| { 152| 328| break; 153| 385| } else { 154| 385| if (block_type == COLLECTD_TYPE_HOST) ------------------ | Branch (154:11): [True: 59, False: 326] ------------------ 155| 59| { 156| | /* 157| | * Dissect the hostname later, when we are sure that it is 158| | * the collectd protocol. 159| | */ 160| 59| if(block_length > 4) ------------------ | Branch (160:12): [True: 47, False: 12] ------------------ 161| 47| hostname_length = block_length - 4; /* Ignore type and length fields */ 162| 326| } else if (block_type == COLELCTD_TYPE_ENCR_AES256) { ------------------ | Branch (162:18): [True: 0, False: 326] ------------------ 163| | /* 164| | * The encrypted data block is a special case. 165| | * It is the only dissectable block as everything else in it 166| | * is encrypted. 
167| | */ 168| 0| if (block_length != packet->payload_packet_len || ------------------ | Branch (168:13): [True: 0, False: 0] ------------------ 169| 0| block_length < COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE || ------------------ | | 32| 0|#define COLLECTD_ENCR_AES256_MIN_BLOCK_SIZE 6 ------------------ | Branch (169:13): [True: 0, False: 0] ------------------ 170| 0| ndpi_int_collectd_dissect_username(flow, packet) != 0) ------------------ | Branch (170:13): [True: 0, False: 0] ------------------ 171| 0| { 172| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 173| 0| } else { 174| 0| ndpi_int_collectd_add_connection(ndpi_struct, flow); 175| 0| } 176| 0| return; 177| 0| } 178| 385| } 179| 713| } 180| | 181| 3.36k| if (num_blocks < COLLECTD_MIN_BLOCKS_REQUIRED) ------------------ | | 29| 3.36k|#define COLLECTD_MIN_BLOCKS_REQUIRED 3 ------------------ | Branch (181:7): [True: 3.36k, False: 3] ------------------ 182| 3.36k| { 183| 3.36k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.36k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 184| 3.36k| return; 185| 3.36k| } 186| | 187| 3| if (hostname_length > 0) ------------------ | Branch (187:7): [True: 2, False: 1] ------------------ 188| 2| ndpi_int_collectd_dissect_hostname(flow, packet, hostname_length); 189| | 190| 3| ndpi_int_collectd_add_connection(ndpi_struct, flow); 191| 3|} collectd.c:npdi_int_collectd_block_size: 73| 3.74k|{ 74| 3.74k| if (block_offset + 4 > packet->payload_packet_len) ------------------ | Branch (74:7): [True: 123, False: 3.62k] ------------------ 75| 123| { 76| 123| return 0; 77| 123| } 78| | 79| 3.62k| u_int16_t next_block = ntohs(get_u_int16_t(packet->payload, block_offset + 2)); 80| 3.62k| if 
(block_offset + next_block > packet->payload_packet_len || ------------------ | Branch (80:7): [True: 2.48k, False: 1.14k] ------------------ 81| 1.14k| (u_int16_t)(block_offset + next_block) <= block_offset /* possible overflow or next_block is zero */) ------------------ | Branch (81:7): [True: 430, False: 713] ------------------ 82| 2.91k| { 83| 2.91k| return 0; 84| 2.91k| } 85| | 86| 713| return next_block; 87| 3.62k|} collectd.c:ndpi_int_collectd_check_type: 90| 713|{ 91| 713| size_t i; 92| | 93| 6.85k| for (i = 0; i < collectd_types_length; ++i) ------------------ | Branch (93:15): [True: 6.52k, False: 328] ------------------ 94| 6.52k| { 95| 6.52k| if (block_type == collectd_types[i]) ------------------ | Branch (95:9): [True: 385, False: 6.14k] ------------------ 96| 385| { 97| 385| return 0; 98| 385| } 99| 6.52k| } 100| | 101| 328| return 1; 102| 713|} collectd.c:ndpi_int_collectd_add_connection: 63| 3|{ 64| 3| NDPI_LOG_INFO(ndpi_struct, "found collectd\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 65| 3| ndpi_set_detected_protocol(ndpi_struct, flow, 66| 3| NDPI_PROTOCOL_COLLECTD, 67| 3| NDPI_PROTOCOL_UNKNOWN, 68| 3| NDPI_CONFIDENCE_DPI); 69| 3|} collectd.c:ndpi_int_collectd_dissect_hostname: 107| 2|{ 108| 2| ndpi_hostname_sni_set(flow, &packet->payload[4], block_length, NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 2|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 2|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 2|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 2|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 109| 2|} init_corba_dissector: 63| 7.08k|{ 64| 7.08k| ndpi_register_dissector("Corba", ndpi_struct, 65| 7.08k| ndpi_search_corba, 66| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 67| 7.08k| 1, NDPI_PROTOCOL_CORBA); 68| 7.08k|} corba.c:ndpi_search_corba: 35| 17.8k|{ 36| 17.8k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 37| | 38| 17.8k| NDPI_LOG_DBG(ndpi_struct, "search for Corba\n"); ------------------ | | 596| 17.8k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 39| | 40| 17.8k| if (packet->tcp != NULL && packet->payload_packet_len >= 24) { ------------------ | Branch (40:7): [True: 13.4k, False: 4.36k] | Branch (40:30): [True: 8.56k, False: 4.87k] ------------------ 41| | /* General Inter-ORB Protocol -> GIOP 42| | * Zipped Inter-ORB Protocol -> ZIOP */ 43| 8.56k| if ((memcmp(packet->payload, "GIOP", 4) == 0) || ------------------ | Branch (43:9): [True: 2, False: 8.56k] ------------------ 44| 8.56k| (memcmp(packet->payload, "ZIOP", 4) == 0)) ------------------ | Branch (44:9): [True: 1, False: 8.56k] ------------------ 45| 3| { 46| 3| ndpi_int_corba_add_connection(ndpi_struct, flow); 47| 3| return; 48| 3| } 49| 8.56k| } 50| 9.24k| else if (packet->udp != NULL && packet->payload_packet_len > 32) { ------------------ | Branch (50:12): [True: 4.36k, False: 4.87k] | Branch (50:35): [True: 3.86k, False: 503] ------------------ 51| | /* Unreliable Multicast Inter-ORB Protocol -> MIOP */ 52| 3.86k| if (memcmp(packet->payload, "MIOP", 4) == 0) { ------------------ | Branch (52:9): [True: 6, False: 3.85k] ------------------ 53| 6| ndpi_int_corba_add_connection(ndpi_struct, flow); 54| 6| return; 55| 6| } 56| 3.86k| } 57| | 58| 17.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 17.7k|} corba.c:ndpi_int_corba_add_connection: 30| 9|{ 31| 9| NDPI_LOG_INFO(ndpi_struct, "found Corba\n"); ------------------ | | 595| 9|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 32| 9| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CORBA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 33| 9|} init_cpha_dissector: 55| 7.08k|void init_cpha_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 56| 7.08k| ndpi_register_dissector("CPHA", ndpi_struct, 57| 7.08k| ndpi_search_cpha, 58| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, /* TODO: ipv6 support? */ ------------------ | | 631| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 617| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 59| 7.08k| 1, NDPI_PROTOCOL_CPHA); 60| 7.08k|} cpha.c:ndpi_search_cpha: 34| 3.73k|static void ndpi_search_cpha(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 35| 3.73k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 36| 3.73k| const u_int16_t cpha_port = htons(8116); 37| | 38| 3.73k| NDPI_LOG_DBG(ndpi_struct, "search CPHA\n"); ------------------ | | 596| 3.73k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 39| | 40| 3.73k| if((packet->payload_packet_len > 20) ------------------ | Branch (40:6): [True: 3.51k, False: 221] ------------------ 41| 3.51k| && (packet->payload[0] == 0x1a) ------------------ | Branch (41:9): [True: 1, False: 3.51k] ------------------ 42| 1| && (packet->payload[1] == 0x90) ------------------ | Branch (42:9): [True: 0, False: 1] ------------------ 43| 0| && packet->udp ------------------ | Branch (43:9): [True: 0, False: 0] ------------------ 44| 0| && packet->iph ------------------ | Branch (44:9): [True: 0, False: 0] ------------------ 45| 0| && (packet->udp->source == cpha_port) ------------------ | Branch (45:9): [True: 0, False: 0] ------------------ 46| 0| && (packet->udp->dest == cpha_port) ------------------ | Branch (46:9): [True: 0, False: 0] ------------------ 47| 0| && packet->iph->saddr == 0 /* 0.0.0.0 */ ------------------ | Branch (47:9): [True: 0, False: 0] ------------------ 48| 3.73k| ) { 49| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CPHA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 50| 0| } else 51| 3.73k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.73k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 3.73k|} init_crossfire_dissector: 72| 7.08k|{ 73| 7.08k| ndpi_register_dissector("Crossfire", ndpi_struct, 74| 7.08k| ndpi_search_crossfire_tcp_udp, 75| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 76| 7.08k| 1, NDPI_PROTOCOL_CROSSFIRE); 77| 7.08k|} crossfire.c:ndpi_search_crossfire_tcp_udp: 40| 18.8k|{ 41| 18.8k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 42| | 43| 18.8k| NDPI_LOG_DBG(ndpi_struct, "search CrossFire\n"); ------------------ | | 596| 18.8k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| | 45| | 46| 18.8k| if (packet->udp != NULL && packet->payload_packet_len >= 8 && ------------------ | Branch (46:7): [True: 4.45k, False: 14.3k] | Branch (46:30): [True: 4.31k, False: 132] ------------------ 47| 4.31k| get_u_int32_t(packet->payload, 0) == ntohl(0xc7d91999)) ------------------ | | 137| 4.31k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (47:7): [True: 0, False: 4.31k] ------------------ 48| 0| { 49| 0| ndpi_int_crossfire_add_connection(ndpi_struct, flow); 50| 0| return; 51| 0| } 52| | 53| | 54| 18.8k| if (packet->tcp != NULL && packet->payload_packet_len > 100 && ------------------ | Branch (54:7): [True: 14.3k, False: 4.45k] | Branch (54:30): [True: 3.74k, False: 10.6k] ------------------ 55| 3.74k| (packet->payload[0] == 0xF1 && packet->payload[packet->payload_packet_len-1] == 0xF2)) ------------------ | Branch (55:8): [True: 1, False: 3.74k] | Branch (55:38): [True: 0, False: 1] ------------------ 56| 0| { 57| | /* Login packet */ 58| 0| if (ntohl(get_u_int32_t(packet->payload, 2)) == 0x01000000) ------------------ | Branch (58:9): [True: 0, False: 0] ------------------ 59| 0| { 60| 0| ndpi_int_crossfire_add_connection(ndpi_struct, flow); 61| 0| return; 62| 0| } 63| | 64| | /* TODO: add more CrossFire TCP signatures*/ 65| 0| } 66| | 67| 18.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 18.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 68| 18.8k|} init_crynet_dissector: 105| 7.08k|{ 106| 7.08k| ndpi_register_dissector("CryNetwork", ndpi_struct, 107| 7.08k| ndpi_search_crynet, 108| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 109| 7.08k| 1, NDPI_PROTOCOL_CRYNET); 110| 7.08k|} crynet.c:ndpi_search_crynet: 41| 3.36k|{ 42| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search CryNetwork\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| | 46| 3.36k| if (packet->payload_packet_len <= 4) ------------------ | Branch (46:7): [True: 124, False: 3.23k] ------------------ 47| 124| { 48| 124| if (flow->packet_counter == 1 && ntohs(packet->udp->dest) != 61088) { ------------------ | Branch (48:9): [True: 124, False: 0] | Branch (48:38): [True: 124, False: 0] ------------------ 49| 124| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 124|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 50| 124| return; 51| 124| } 52| | 53| 0| size_t i; 54| | 55| 0| for (i = 0; i < packet->payload_packet_len; ++i) { ------------------ | Branch (55:17): [True: 0, False: 0] ------------------ 56| 0| if (ndpi_isdigit(packet->payload[i]) == 0) { ------------------ | | 2526| 0|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 0, False: 0] | | | Branch (2526:42): [True: 0, False: 0] | | ------------------ ------------------ | Branch (56:11): [True: 0, False: 0] ------------------ 57| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 0| return; 59| 0| } 60| 0| } 61| | 62| 0| if (flow->packet_counter >= 10) { ------------------ | Branch (62:9): [True: 0, False: 0] ------------------ 63| 0| ndpi_int_crynet_add_connection(ndpi_struct, flow); 64| 0| return; 65| 0| } 66| | 67| 0| return; 68| 0| } 69| | 70| 3.23k| if (packet->payload_packet_len < 30) ------------------ | Branch (70:7): [True: 328, False: 2.90k] ------------------ 71| 328| { 72| 328| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 328|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, 
__func__, __LINE__) ------------------ 73| 328| return; 74| 328| } 75| | 76| 2.90k| if (packet->payload_packet_len != packet->payload[0] + 10 && ------------------ | Branch (76:7): [True: 2.88k, False: 26] ------------------ 77| 2.88k| packet->payload_packet_len != packet->payload[4] + 6) ------------------ | Branch (77:7): [True: 2.87k, False: 4] ------------------ 78| 2.87k| { 79| 2.87k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.87k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 80| 2.87k| return; 81| 2.87k| } 82| | 83| 30| if (packet->payload[0] == 0x3c && ------------------ | Branch (83:7): [True: 0, False: 30] ------------------ 84| 0| packet->payload[16] == 0x01 && ------------------ | Branch (84:7): [True: 0, False: 0] ------------------ 85| 0| packet->payload[20] == 0x07 && ------------------ | Branch (85:7): [True: 0, False: 0] ------------------ 86| 30| ntohs(get_u_int16_t(packet->payload, 24)) == 0x0307) ------------------ | Branch (86:7): [True: 0, False: 0] ------------------ 87| 0| { 88| 0| ndpi_int_crynet_add_connection(ndpi_struct, flow); 89| 0| return; 90| 0| } 91| | 92| 30| if (packet->payload[0] == 0x05 && ------------------ | Branch (92:7): [True: 0, False: 30] ------------------ 93| 0| packet->payload[4] == 0x44 && ------------------ | Branch (93:7): [True: 0, False: 0] ------------------ 94| 0| packet->payload[24] == 0x07 && ------------------ | Branch (94:7): [True: 0, False: 0] ------------------ 95| 30| ntohs(get_u_int16_t(packet->payload, 28)) == 0x0307) ------------------ | Branch (95:7): [True: 0, False: 0] ------------------ 96| 0| { 97| 0| ndpi_int_crynet_add_connection(ndpi_struct, flow); 98| 0| return; 99| 0| } 100| | 101| 30| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 30|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, 
__func__, __LINE__) ------------------ 102| 30|} init_dcerpc_dissector: 98| 7.08k|{ 99| 7.08k| ndpi_register_dissector("DCERPC", ndpi_struct, 100| 7.08k| ndpi_search_dcerpc, 101| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 102| 7.08k| 1, 
NDPI_PROTOCOL_DCERPC); 103| 7.08k|} dcerpc.c:ndpi_search_dcerpc: 82| 17.8k|{ 83| 17.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 84| | 85| 17.8k| NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n"); ------------------ | | 596| 17.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 86| 17.8k| if (is_connection_oriented_dcerpc(packet) || is_connectionless_dcerpc(packet)) { ------------------ | Branch (86:7): [True: 0, False: 17.8k] | Branch (86:48): [True: 0, False: 17.8k] ------------------ 87| 0| NDPI_LOG_INFO(ndpi_struct, "found DCERPC\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 88| 0| ndpi_int_dcerpc_add_connection(ndpi_struct, flow); 89| 0| return; 90| 0| } 91| | 92| 17.8k| if(packet->payload_packet_len>1) ------------------ | Branch (92:6): [True: 17.7k, False: 112] ------------------ 93| 17.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 94| 17.8k|} dcerpc.c:is_connection_oriented_dcerpc: 39| 17.8k|{ 40| 17.8k| if((packet->tcp != NULL) ------------------ | Branch (40:6): [True: 13.4k, False: 4.37k] ------------------ 41| 13.4k| && (packet->payload_packet_len >= 64) ------------------ | Branch (41:9): [True: 4.66k, False: 8.78k] ------------------ 42| 4.66k| && (packet->payload[0] == 0x05) /* version 5 */ ------------------ | Branch (42:9): [True: 13, False: 4.65k] ------------------ 43| 13| && (packet->payload[2] < 16) /* Packet type */ ------------------ | Branch (43:9): [True: 3, False: 10] ------------------ 44| 3| && (((packet->payload[9]<<8) | packet->payload[8]) == packet->payload_packet_len) /* Packet Length */ ------------------ | Branch (44:7): [True: 0, False: 3] ------------------ 45| 17.8k| ) { 46| 0| return true; 47| 0| } 48| 17.8k| return 
false; 49| 17.8k|} dcerpc.c:is_connectionless_dcerpc: 52| 17.8k|{ 53| 17.8k| u_int16_t fragment_len; 54| | 55| 17.8k| if (packet->udp == NULL) ------------------ | Branch (55:7): [True: 13.4k, False: 4.37k] ------------------ 56| 13.4k| return false; 57| 4.37k| if (packet->payload_packet_len < 80) ------------------ | Branch (57:7): [True: 2.01k, False: 2.36k] ------------------ 58| 2.01k| return false; 59| 2.36k| if (packet->payload[0] != 0x04) /* type must be equal to 4 */ ------------------ | Branch (59:7): [True: 2.36k, False: 6] ------------------ 60| 2.36k| return false; 61| 6| if (packet->payload[1] > 10) /* must be <= CANCEL ACK or it's not connectionless DCE/RPC */ ------------------ | Branch (61:7): [True: 1, False: 5] ------------------ 62| 1| return false; 63| 5| if (packet->payload[3] & 0xFC) /* flags2: bit 3:8 are reserved for future use and must be set to 0 */ ------------------ | Branch (63:7): [True: 3, False: 2] ------------------ 64| 3| return false; 65| 2| if (packet->payload[4] & 0xEE) /* neither big endian nor little endian */ ------------------ | Branch (65:7): [True: 1, False: 1] ------------------ 66| 1| return false; 67| 1| if (packet->payload[5] > 3) /* invalid floating point type */ ------------------ | Branch (67:7): [True: 0, False: 1] ------------------ 68| 0| return false; 69| | 70| 1| if(packet->payload[4] == 0x10) ------------------ | Branch (70:6): [True: 0, False: 1] ------------------ 71| 0| fragment_len = (packet->payload[75] << 8) + packet->payload[74]; /* Big endian */ 72| 1| else 73| 1| fragment_len = (packet->payload[74] << 8) + packet->payload[75]; /* Little endian */ 74| | 75| 1| if(packet->payload_packet_len != (fragment_len+76 /* offset */ + 4 /* rest of the packet */)) ------------------ | Branch (75:6): [True: 1, False: 0] ------------------ 76| 1| return false; /* Too short or too long, bot RPC */ 77| | 78| 0| return true; 79| 1|} init_dhcp_dissector: 202| 7.08k|void init_dhcp_dissector(struct 
ndpi_detection_module_struct *ndpi_struct) { 203| 7.08k| ndpi_register_dissector("DHCP", ndpi_struct, 204| 7.08k| ndpi_search_dhcp_udp, 205| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, ------------------ | | 631| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 617| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 206| 7.08k| 1, NDPI_PROTOCOL_DHCP); 207| 7.08k|} dhcp.c:ndpi_search_dhcp_udp: 75| 4.45k| struct ndpi_flow_struct *flow) { 76| 4.45k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 77| 4.45k| u_int8_t msg_type = 0; 78| | 79| 4.45k| NDPI_LOG_DBG(ndpi_struct, "search DHCP\n"); ------------------ | | 596| 4.45k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 80| | 81| | /* this detection also works for asymmetric dhcp traffic */ 82| | 83| | /* check standard DHCP 0.0.0.0:68 -> 255.255.255.255:67 */ 84| 4.45k| if(packet->udp) { ------------------ | Branch (84:6): [True: 4.45k, False: 0] ------------------ 85| 4.45k| struct dhcp_packet *dhcp = (struct dhcp_packet*)packet->payload; 86| | 87| 4.45k| if((packet->payload_packet_len >= 244 /* 244 is the offset of options[0] in struct dhcp_packet */) ------------------ | Branch (87:8): [True: 868, False: 3.58k] ------------------ 88| 868| && (packet->udp->source == htons(67) || packet->udp->source == htons(68)) ------------------ | Branch (88:12): [True: 1, False: 867] | Branch (88:48): [True: 184, False: 683] ------------------ 89| 185| && (packet->udp->dest == htons(67) || packet->udp->dest == htons(68)) ------------------ | Branch (89:12): [True: 183, False: 2] | Branch (89:46): [True: 1, False: 1] ------------------ 90| 184| && is_dhcp_magic(dhcp->magic)) { ------------------ | Branch (90:11): [True: 112, False: 72] ------------------ 91| 112| u_int i = 0, foundValidMsgType = 0, opt_offset = 0; 92| | 93| 112| u_int dhcp_options_size = ndpi_min(DHCP_VEND_LEN /* maximum size of options in struct dhcp_packet */, ------------------ | | 113| 112|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 112] | | ------------------ ------------------ 94| 112| packet->payload_packet_len - 240); 95| | 96| | 97| | /* Parse options in two steps (since we need first the message type and 98| | it seems there is no specific order in the options list) */ 99| | 100| | /* First iteration: search for the message type */ 101| 167| while(i + 1 /* for the len */ < dhcp_options_size) { ------------------ | Branch (101:13): [True: 155, False: 12] ------------------ 102| 155| u_int8_t id = dhcp->options[i]; 103| | 104| 155| if(id == 0xFF) ------------------ | Branch (104:12): [True: 1, False: 154] ------------------ 105| 1| break; 106| 154| else { 107| | /* Prevent malformed packets to cause out-of-bounds accesses */ 108| 154| u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */, ------------------ | | 113| 154|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 150, False: 4] | | ------------------ ------------------ 109| 154| dhcp_options_size - (i+2) /* 1 for the type and 1 for the value */); 110| 154| if(len == 0) ------------------ | Branch (110:14): [True: 1, False: 153] ------------------ 111| 1| break; 112| | 113| 153| if(id == 53 /* DHCP Message Type */) { ------------------ | Branch (113:14): [True: 99, False: 54] ------------------ 114| 99| msg_type = dhcp->options[i+2]; 115| | 116| 99| if(msg_type <= 8) { ------------------ | Branch (116:16): [True: 98, False: 1] ------------------ 117| 98| foundValidMsgType = 1; 118| 98| break; 119| 98| } 120| 99| } 121| | 122| 55| i += len + 2; 123| 55| } 124| 155| } 125| | 126| 112| if(!foundValidMsgType) { ------------------ | Branch (126:10): [True: 14, False: 98] ------------------ 127| |#ifdef DHCP_DEBUG 128| | NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Invalid message type %d. 
Not dhcp\n", msg_type); 129| |#endif 130| 14| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 131| 14| return; 132| 14| } 133| | 134| | /* Ok, we have a valid DHCP packet -> we can write to flow->protos.dhcp */ 135| 98| NDPI_LOG_INFO(ndpi_struct, "found DHCP\n"); ------------------ | | 595| 98|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 136| 98| ndpi_int_dhcp_add_connection(ndpi_struct, flow); 137| | 138| | /* Second iteration: parse the interesting options */ 139| 545| while(i + 1 /* for the len */ < dhcp_options_size) { ------------------ | Branch (139:13): [True: 456, False: 89] ------------------ 140| 456| u_int8_t id = dhcp->options[i]; 141| | 142| 456| if(id == 0xFF) ------------------ | Branch (142:12): [True: 4, False: 452] ------------------ 143| 4| break; 144| 452| else { 145| 452| int rc; 146| | /* Prevent malformed packets to cause out-of-bounds accesses */ 147| 452| u_int8_t len = ndpi_min(dhcp->options[i+1] /* len as found in the packet */, ------------------ | | 113| 452|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 442, False: 10] | | ------------------ ------------------ 148| 452| dhcp_options_size - (i+2) /* 1 for the type and 1 for the value */); 149| | 150| 452| if(len == 0 || opt_offset >= sizeof(flow->protos.dhcp.options)) ------------------ | Branch (150:14): [True: 5, False: 447] | Branch (150:26): [True: 0, False: 447] ------------------ 151| 5| break; 152| | 153| 447| rc = ndpi_snprintf((char*)&flow->protos.dhcp.options[opt_offset], 154| 447| sizeof(flow->protos.dhcp.options) - opt_offset, 155| 447| "%s%u", (i > 0) ? 
"," : "", id); ------------------ | Branch (155:17): [True: 349, False: 98] ------------------ 156| | 157| 447| if(rc > 0) opt_offset += rc; ------------------ | Branch (157:7): [True: 447, False: 0] ------------------ 158| | 159| |#ifdef DHCP_DEBUG 160| | NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Id=%d [len=%d]\n", id, len); 161| |#endif 162| | 163| 447| if(id == 55 /* Parameter Request List / Fingerprint */) { ------------------ | Branch (163:14): [True: 93, False: 354] ------------------ 164| 93| u_int idx, fing_offset = 0; 165| | 166| 384| for(idx = 0; idx < len && fing_offset < sizeof(flow->protos.dhcp.fingerprint) - 2; idx++) { ------------------ | Branch (166:26): [True: 298, False: 86] | Branch (166:39): [True: 291, False: 7] ------------------ 167| 291| rc = ndpi_snprintf((char*)&flow->protos.dhcp.fingerprint[fing_offset], 168| 291| sizeof(flow->protos.dhcp.fingerprint) - fing_offset, 169| 291| "%s%u", (idx > 0) ? "," : "", ------------------ | Branch (169:14): [True: 198, False: 93] ------------------ 170| 291| (unsigned int)dhcp->options[i+2+idx] & 0xFF); 171| | 172| 291| if(rc < 0) break; else fing_offset += rc; ------------------ | Branch (172:18): [True: 0, False: 291] ------------------ 173| 291| } 174| | 175| 93| flow->protos.dhcp.fingerprint[sizeof(flow->protos.dhcp.fingerprint) - 1] = '\0'; 176| 354| } else if(id == 60 /* Class Identifier */) { ------------------ | Branch (176:21): [True: 84, False: 270] ------------------ 177| 84| char *name = (char*)&dhcp->options[i+2]; 178| 84| int j = 0; 179| | 180| 84| j = ndpi_min(len, sizeof(flow->protos.dhcp.class_ident)-1); ------------------ | | 113| 84|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 84, False: 0] | | ------------------ ------------------ 181| 84| strncpy((char*)flow->protos.dhcp.class_ident, name, j); 182| 84| flow->protos.dhcp.class_ident[j] = '\0'; 183| 270| } else if(id == 12 /* Host Name */) { ------------------ | Branch (183:21): [True: 85, False: 185] ------------------ 184| 85| u_int8_t *name = &dhcp->options[i+2]; 185| | 186| |#ifdef DHCP_DEBUG 187| | NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len); 188| | // while(j < len) { printf( "%c", name[j]); j++; }; printf("\n"); 189| |#endif 190| 85| ndpi_hostname_sni_set(flow, name, len, NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 85|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 85|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 85|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 85|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 191| 85| } 192| | 193| 447| i += len + 2; 194| 447| } 195| 456| } 196| 98| } else 197| 4.34k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.34k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 198| 4.45k| } 199| 4.45k|} dhcp.c:is_dhcp_magic: 64| 184|static int is_dhcp_magic(uint8_t *magic) { 65| 184| if((magic[0] == 0x63) ------------------ | Branch (65:6): [True: 181, False: 3] ------------------ 66| 181| && (magic[1] == 0x82) ------------------ | Branch (66:9): [True: 180, False: 1] 
------------------ 67| 180| && (magic[2] == 0x53) ------------------ | Branch (67:9): [True: 166, False: 14] ------------------ 68| 166| && (magic[3] == 0x63)) ------------------ | Branch (68:9): [True: 112, False: 54] ------------------ 69| 112| return(1); 70| 72| else 71| 72| return(0); 72| 184|} dhcp.c:ndpi_int_dhcp_add_connection: 59| 98| struct ndpi_flow_struct *flow) { 60| 98| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DHCP, 61| 98| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 62| 98|} init_dhcpv6_dissector: 61| 7.08k|{ 62| 7.08k| ndpi_register_dissector("DHCPV6", ndpi_struct, 63| 7.08k| ndpi_search_dhcpv6_udp, 64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD, ------------------ | | 632| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 622| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 610| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 (1<<6) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_DHCPV6); 66| 7.08k|} dhcpv6.c:ndpi_search_dhcpv6_udp: 41| 719|{ 42| 719| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| | 44| 719| NDPI_LOG_DBG(ndpi_struct, "search DHCPv6\n"); 
------------------ | | 596| 719|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 719| if (packet->payload_packet_len >= 4 && ------------------ | Branch (46:6): [True: 712, False: 7] ------------------ 47| 712| (packet->udp->source == htons(546) || packet->udp->source == htons(547)) && ------------------ | Branch (47:4): [True: 1, False: 711] | Branch (47:41): [True: 0, False: 711] ------------------ 48| 1| (packet->udp->dest == htons(546) || packet->udp->dest == htons(547)) && ------------------ | Branch (48:4): [True: 0, False: 1] | Branch (48:39): [True: 0, False: 1] ------------------ 49| 0| packet->payload[0] >= 1 && packet->payload[0] <= 13) { ------------------ | Branch (49:3): [True: 0, False: 0] | Branch (49:30): [True: 0, False: 0] ------------------ 50| | 51| 0| NDPI_LOG_INFO(ndpi_struct, "found DHCPv6\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_dhcpv6_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| | 56| 719| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 719|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 719|} init_diameter_dissector: 109| 7.08k|{ 110| 7.08k| ndpi_register_dissector("Diameter", ndpi_struct, 111| 7.08k| ndpi_search_diameter, 112| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 113| 7.08k| 1, NDPI_PROTOCOL_DIAMETER); 114| 7.08k|} diameter.c:ndpi_search_diameter: 92| 13.4k|{ 93| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 94| | 95| 13.4k| if(packet->tcp) { ------------------ | Branch (95:6): [True: 13.4k, False: 0] ------------------ 96| 13.4k| int ret = is_diameter(packet); 97| 13.4k| if(ret == 0) { ------------------ | Branch (97:8): [True: 0, False: 13.4k] ------------------ 98| 0| NDPI_LOG_INFO(ndpi_struct, "found Diameter\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 99| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIAMETER, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 100| 0| return; 101| 0| } 102| 13.4k| } 103| | 104| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 105| 13.4k|} diameter.c:is_diameter: 67| 13.4k|{ 68| 13.4k| struct diameter_header_t *diameter = (struct diameter_header_t *)packet->payload; 69| | 70| 13.4k| if(packet->payload_packet_len >= sizeof(struct diameter_header_t) && ------------------ | Branch (70:6): [True: 8.93k, False: 4.46k] ------------------ 71| 8.93k| diameter->version == 0x01 && ------------------ | Branch (71:6): [True: 86, False: 8.85k] ------------------ 72| 86| (diameter->flags == DIAMETER_REQUEST || ------------------ | | 34| 172|#define DIAMETER_REQUEST 0X80 ------------------ | Branch (72:7): [True: 1, False: 85] ------------------ 73| 85| diameter->flags == DIAMETER_PROXYABLE || ------------------ | | 35| 171|#define DIAMETER_PROXYABLE 0X40 ------------------ | Branch (73:7): [True: 1, False: 84] ------------------ 74| 84| diameter->flags == DIAMETER_ERROR || ------------------ | | 36| 170|#define DIAMETER_ERROR 0X20 ------------------ | Branch (74:7): [True: 2, False: 82] ------------------ 75| 82| diameter->flags == DIAMETER_RETRASM)) { ------------------ | | 37| 82|#define DIAMETER_RETRASM 0X10 ------------------ | Branch (75:7): [True: 1, False: 81] ------------------ 76| | 77| 5| u_int32_t com_code = diameter->com_code[2] + (diameter->com_code[1] << 8) + (diameter->com_code[0] << 8); 78| | 79| 5| if(com_code == AC || com_code == AS || ------------------ | Branch (79:9): [True: 0, False: 5] | Branch (79:27): [True: 0, False: 5] ------------------ 80| 5| com_code == CC || com_code == CE || ------------------ | Branch (80:2): [True: 0, 
False: 5] | Branch (80:20): [True: 0, False: 5] ------------------ 81| 5| com_code == DW || com_code == DP || ------------------ | Branch (81:2): [True: 0, False: 5] | Branch (81:20): [True: 0, False: 5] ------------------ 82| 5| com_code == RA || com_code == ST) ------------------ | Branch (82:2): [True: 0, False: 5] | Branch (82:20): [True: 0, False: 5] ------------------ 83| 0| return 0; 84| 5| } 85| | 86| 13.4k| return -1; 87| 13.4k|} init_dicom_dissector: 61| 7.08k|void init_dicom_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 62| 7.08k| ndpi_register_dissector("DICOM", ndpi_struct, 63| 7.08k| ndpi_search_dicom, 64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_DICOM); 66| 7.08k|} dicom.c:ndpi_search_dicom: 35| 11.6k| struct ndpi_flow_struct *flow) { 36| 11.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 37| | 38| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search DICOM\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 11.6k| if(packet->iph && (packet->payload_packet_len > sizeof(struct dicom_header))) { ------------------ | Branch (40:6): [True: 11.6k, False: 26] | Branch (40:21): [True: 10.8k, False: 786] ------------------ 41| 10.8k| struct dicom_header *h = (struct dicom_header*)packet->payload; 42| | 43| 10.8k| if((h->pdu_type == 0x01 /* A-ASSOCIATE */) ------------------ | Branch (43:8): [True: 178, False: 10.6k] ------------------ 44| 178| && (h->pad == 0x0) ------------------ | Branch (44:11): [True: 25, False: 153] ------------------ 45| 25| && (packet->payload_packet_len <= (ntohl(h->pdu_len)+6)) ------------------ | Branch (45:11): [True: 23, False: 2] ------------------ 46| 23| && (packet->payload_packet_len > 9) ------------------ | Branch (46:11): [True: 21, False: 2] ------------------ 47| 21| && (packet->payload[6] == 0x0) && (packet->payload[7] == 0x1) /* Protocol Version */ ------------------ | Branch (47:11): [True: 9, False: 12] | Branch (47:42): [True: 2, False: 7] ------------------ 48| 2| && (packet->payload[8] == 0x0) && (packet->payload[9] == 0x0) /* Pad */ ------------------ | Branch (48:11): [True: 1, False: 1] | Branch (48:42): [True: 1, False: 0] ------------------ 49| 10.8k| ) { 50| 1| 
ndpi_set_detected_protocol(ndpi_struct, flow, 51| 1| NDPI_PROTOCOL_DICOM, 52| 1| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 53| 1| } else 54| 10.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 10.8k| } else 56| 812| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 812|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 11.6k|} init_dingtalk_dissector: 55| 7.08k|{ 56| 7.08k| ndpi_register_dissector("DingTalk", ndpi_struct, 57| 7.08k| ndpi_search_dingtalk, 58| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ 
| | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 59| 7.08k| 1, NDPI_PROTOCOL_DINGTALK); 60| 7.08k|} dingtalk.c:ndpi_search_dingtalk: 33| 11.6k|{ 34| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 35| | 36| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search DingTalk\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| | 38| 11.6k| if (packet->payload_packet_len > 90 && packet->payload[0] == 0x10) ------------------ | Branch (38:7): [True: 2.40k, False: 9.23k] | Branch (38:42): [True: 7, False: 2.39k] ------------------ 39| 7| { 40| 7| if (ntohl(get_u_int32_t(packet->payload, 2)) == 0x87800100 && ------------------ | Branch (40:9): [True: 0, False: 7] ------------------ 41| 7| ntohl(get_u_int32_t(packet->payload, 6)) == 0x1000200 && ------------------ | Branch (41:9): [True: 0, False: 0] ------------------ 42| 7| ntohl(get_u_int32_t(packet->payload, 10)) == 0x2646B03 && ntohs(get_u_int16_t(packet->payload, 14)) == 0x20) ------------------ | Branch (42:9): [True: 0, False: 0] | Branch (42:67): [True: 0, False: 0] ------------------ 43| 0| { 44| 0| NDPI_LOG_INFO(ndpi_struct, "found DingTalk\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DINGTALK, 46| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 47| 0| return; 48| 0| } 49| 7| } 50| | 51| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 11.6k|} init_discord_dissector: 79| 7.08k|{ 80| 7.08k| ndpi_register_dissector("Discord", ndpi_struct, 81| 7.08k| ndpi_search_discord, 82| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 83| 7.08k| 1, NDPI_PROTOCOL_DISCORD); 84| 7.08k|} discord.c:ndpi_search_discord: 41| 3.95k|{ 42| 3.95k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.95k| NDPI_LOG_DBG(ndpi_struct, "search 
discord\n"); ------------------ | | 596| 3.95k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 3.95k| if (packet->payload_packet_len == 8 && ------------------ | Branch (46:7): [True: 11, False: 3.94k] ------------------ 47| 3.95k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x1337cafe) ------------------ | Branch (47:7): [True: 0, False: 11] ------------------ 48| 0| { 49| 0| ndpi_int_discord_add_connection(ndpi_struct, flow); 50| 0| return; 51| 0| } 52| | 53| 3.95k| if (packet->payload_packet_len == 74) ------------------ | Branch (53:7): [True: 2, False: 3.95k] ------------------ 54| 2| { 55| 2| if (flow->packet_counter == 1 && ------------------ | Branch (55:9): [True: 2, False: 0] ------------------ 56| 2| ntohl(get_u_int32_t(packet->payload, 0)) == 0x00010046) ------------------ | Branch (56:9): [True: 0, False: 2] ------------------ 57| 0| { 58| | /* Wait for the next packet, hopefully beeing able to dissect the client IP. */ 59| 0| return; 60| 0| } 61| | 62| 2| if (flow->packet_counter == 2 && ------------------ | Branch (62:9): [True: 0, False: 2] ------------------ 63| 2| ntohl(get_u_int32_t(packet->payload, 0)) == 0x00020046) ------------------ | Branch (63:9): [True: 0, False: 0] ------------------ 64| 0| { 65| | /* Dissect client IP. 
*/ 66| 0| size_t len = sizeof(flow->protos.discord.client_ip) - 1; 67| 0| strncpy(flow->protos.discord.client_ip, (char const *)&packet->payload[8], len); 68| 0| flow->protos.discord.client_ip[len] = '\0'; 69| 0| ndpi_int_discord_add_connection(ndpi_struct, flow); 70| 0| return; 71| 0| } 72| 2| } 73| | 74| 3.95k| if (flow->packet_counter >= 5) ------------------ | Branch (74:7): [True: 25, False: 3.93k] ------------------ 75| 25| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 25|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 3.95k|} init_dlep_dissector: 74| 7.08k|{ 75| 7.08k| ndpi_register_dissector("DLEP", ndpi_struct, 76| 7.08k| ndpi_search_dlep, 77| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 78| 7.08k| 1, NDPI_PROTOCOL_DLEP); 79| 7.08k|} dlep.c:ndpi_search_dlep: 45| 14.9k|{ 46| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 14.9k| NDPI_LOG_DBG(ndpi_struct, "search DLEP\n"); ------------------ | | 596| 14.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| 14.9k| if (packet->udp != NULL && packet->payload_packet_len > 27) { ------------------ | Branch (50:7): [True: 3.33k, False: 11.6k] | Branch (50:30): [True: 2.92k, False: 410] ------------------ 51| 2.92k| if ((memcmp(packet->payload, "DLEP", 4) == 0)) { ------------------ | Branch (51:9): [True: 5, False: 2.91k] ------------------ 52| 5| ndpi_int_dlep_add_connection(ndpi_struct, flow); 53| 5| return; 54| 5| } 55| 12.0k| } else if (packet->tcp != NULL) { ------------------ | Branch (55:14): [True: 11.6k, False: 410] ------------------ 56| | /* Maybe it's unnecessary, but it'll definitely eliminate any false positives. 57| | * 854 port is IANA registered for DLEP. 
*/ 58| 11.6k| if (packet->payload_packet_len > 8 && ------------------ | Branch (58:9): [True: 10.7k, False: 872] ------------------ 59| 10.7k| (ntohs(packet->tcp->dest) == 854 || ntohs(packet->tcp->source) == 854)) ------------------ | Branch (59:10): [True: 0, False: 10.7k] | Branch (59:45): [True: 1, False: 10.7k] ------------------ 60| 1| { 61| 1| if (ntohs(get_u_int16_t(packet->payload, 0)) < 0x11 && ------------------ | Branch (61:11): [True: 0, False: 1] ------------------ 62| 1| ntohs(get_u_int16_t(packet->payload, 2)) == (u_int16_t)(packet->payload_packet_len-4)) ------------------ | Branch (62:11): [True: 0, False: 0] ------------------ 63| 0| { 64| 0| ndpi_int_dlep_add_connection(ndpi_struct, flow); 65| 0| return; 66| 0| } 67| 1| } 68| 11.6k| } 69| | 70| 14.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 71| 14.9k|} dlep.c:ndpi_int_dlep_add_connection: 36| 5|{ 37| 5| NDPI_LOG_INFO(ndpi_struct, "found DLEP\n"); ------------------ | | 595| 5|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 38| 5| ndpi_set_detected_protocol(ndpi_struct, flow, 39| 5| NDPI_PROTOCOL_DLEP, NDPI_PROTOCOL_UNKNOWN, 40| 5| NDPI_CONFIDENCE_DPI); 41| 5|} init_dnp3_dissector: 58| 7.08k|void init_dnp3_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 59| | 60| 7.08k| ndpi_register_dissector("DNP3", ndpi_struct, 61| 7.08k| ndpi_search_dnp3_tcp, 62| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | 
------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 63| 7.08k| 1, NDPI_PROTOCOL_DNP3); 64| 7.08k|} dnp3.c:ndpi_search_dnp3_tcp: 35| 11.7k| struct ndpi_flow_struct *flow) { 36| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 37| | 38| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search DNP3\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 11.7k| if(packet->tcp) { ------------------ | Branch (40:6): [True: 11.7k, False: 0] ------------------ 41| | /* The payload of DNP3 is 10 bytes long. 42| | * Header bytes: 0x0564 43| | */ 44| 11.7k| if ((packet->payload_packet_len >= 10) ------------------ | Branch (44:9): [True: 10.9k, False: 876] ------------------ 45| 10.9k| && (packet->payload[0] == 0x05) ------------------ | Branch (45:5): [True: 15, False: 10.9k] ------------------ 46| 15| && (packet->payload[1] == 0x64)) { ------------------ | Branch (46:5): [True: 0, False: 15] ------------------ 47| 0| NDPI_LOG_INFO(ndpi_struct, "found DNP3\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DNP3, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 49| 0| return; 50| 0| } 51| 11.7k| } 52| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| | 54| 11.7k|} fpc_dns_cache_key_from_flow: 213| 18.2k|u_int64_t fpc_dns_cache_key_from_flow(struct ndpi_flow_struct *flow) { 214| 18.2k| u_int64_t key; 215| | 216| 18.2k| if(flow->is_ipv6) ------------------ | Branch (216:6): [True: 287, False: 17.9k] ------------------ 217| 287| key = ndpi_quick_hash64((const char *)flow->s_address.v6, 16); 218| 17.9k| else 219| 17.9k| key = (u_int64_t)(flow->s_address.v4); 220| | 221| 18.2k| return key; 222| 18.2k|} init_dns_dissector: 998| 7.08k|void init_dns_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 999| 7.08k| ndpi_register_dissector("DNS", ndpi_struct, 1000| 7.08k| ndpi_search_dns, 1001| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | 
| | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 1002| 7.08k| 1, NDPI_PROTOCOL_DNS); 1003| 7.08k|} dns.c:ndpi_search_dns: 945| 20.8k|static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 946| 20.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 947| 20.8k| u_int16_t s_port = 0, d_port = 0; 948| 20.8k| int payload_offset = 0; 949| | 950| 20.8k| NDPI_LOG_DBG(ndpi_struct, "search DNS\n"); ------------------ | | 596| 20.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 951| | 952| 20.8k| if(packet->udp != NULL) { ------------------ | Branch (952:6): [True: 7.38k, False: 13.4k] ------------------ 953| 7.38k| s_port = ntohs(packet->udp->source); 954| 7.38k| d_port = ntohs(packet->udp->dest); 955| 7.38k| payload_offset = 0; 956| | 957| | /* For MDNS/LLMNR: If the packet is not a response, dest addr needs to be multicast. 
*/ 958| 7.38k| if ((d_port == MDNS_PORT && isMDNSMulticastAddress(packet) == 0) || ------------------ | | 37| 14.7k|#define MDNS_PORT 5353 ------------------ | Branch (958:10): [True: 707, False: 6.68k] | Branch (958:33): [True: 26, False: 681] ------------------ 959| 7.36k| (d_port == LLMNR_PORT && isLLMNRMulticastAddress(packet) == 0)) ------------------ | | 36| 14.7k|#define LLMNR_PORT 5355 ------------------ | Branch (959:10): [True: 1, False: 7.36k] | Branch (959:34): [True: 1, False: 0] ------------------ 960| 27| { 961| 27| if (packet->payload_packet_len > 5 && ------------------ | Branch (961:11): [True: 26, False: 1] ------------------ 962| 27| ntohs(get_u_int16_t(packet->payload, 2)) != 0 && ------------------ | Branch (962:11): [True: 11, False: 15] ------------------ 963| 27| ntohs(get_u_int16_t(packet->payload, 4)) != 0) ------------------ | Branch (963:11): [True: 1, False: 10] ------------------ 964| 1| { 965| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 966| 1| return; 967| 1| } 968| 27| } 969| 13.4k| } else if(packet->tcp != NULL) { ------------------ | Branch (969:13): [True: 13.4k, False: 0] ------------------ 970| 13.4k| s_port = ntohs(packet->tcp->source); 971| 13.4k| d_port = ntohs(packet->tcp->dest); 972| 13.4k| payload_offset = 2; 973| 13.4k| } 974| | 975| | /* We are able to detect DNS/MDNS/LLMNR only on standard ports (see #1788) */ 976| 20.8k| if(!(s_port == DNS_PORT || d_port == DNS_PORT || ------------------ | | 35| 41.7k|#define DNS_PORT 53 ------------------ if(!(s_port == DNS_PORT || d_port == DNS_PORT || ------------------ | | 35| 41.3k|#define DNS_PORT 53 ------------------ | Branch (976:8): [True: 396, False: 20.4k] | Branch (976:30): [True: 1.32k, False: 19.1k] ------------------ 977| 19.1k| s_port == MDNS_PORT || d_port == MDNS_PORT || ------------------ 
| | 37| 40.0k|#define MDNS_PORT 5353 ------------------ s_port == MDNS_PORT || d_port == MDNS_PORT || ------------------ | | 37| 39.3k|#define MDNS_PORT 5353 ------------------ | Branch (977:8): [True: 694, False: 18.4k] | Branch (977:31): [True: 25, False: 18.4k] ------------------ 978| 18.4k| d_port == LLMNR_PORT)) { ------------------ | | 36| 18.4k|#define LLMNR_PORT 5355 ------------------ | Branch (978:8): [True: 2, False: 18.4k] ------------------ 979| 18.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 18.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 980| 18.4k| return; 981| 18.4k| } 982| | 983| | /* Since: 984| | UDP: every packet must contains a complete/valid DNS message; 985| | TCP: we are not able to handle DNS messages spanning multiple TCP packets; 986| | we must be able to detect these protocols on the first packet 987| | */ 988| 2.44k| if(packet->payload_packet_len < sizeof(struct ndpi_dns_packet_header) + payload_offset) { ------------------ | Branch (988:6): [True: 7, False: 2.43k] ------------------ 989| 7| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 990| 7| return; 991| 7| } 992| | 993| 2.43k| search_dns(ndpi_struct, flow); 994| 2.43k|} dns.c:isMDNSMulticastAddress: 119| 707|{ 120| 707| return (packet->iph && ntohl(packet->iph->daddr) == 0xE00000FB /* multicast: 224.0.0.251 */) || ------------------ | Branch (120:11): [True: 707, False: 0] | Branch (120:26): [True: 681, False: 26] ------------------ 121| 26| (packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 && ------------------ | Branch (121:11): [True: 0, False: 26] | Branch (121:28): [True: 0, False: 0] ------------------ 122| 26| 
ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[1]) == 0x00000000 && ------------------ | Branch (122:28): [True: 0, False: 0] ------------------ 123| 26| ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[2]) == 0x00000000 && ------------------ | Branch (123:28): [True: 0, False: 0] ------------------ 124| 26| ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3]) == 0x000000FB /* multicast: FF02::FB */); ------------------ | Branch (124:28): [True: 0, False: 0] ------------------ 125| 707|} dns.c:isLLMNRMulticastAddress: 128| 1|{ 129| 1| return (packet->iph && ntohl(packet->iph->daddr) == 0xE00000FC /* multicast: 224.0.0.252 */) || ------------------ | Branch (129:11): [True: 1, False: 0] | Branch (129:26): [True: 0, False: 1] ------------------ 130| 1| (packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 && ------------------ | Branch (130:11): [True: 0, False: 1] | Branch (130:28): [True: 0, False: 0] ------------------ 131| 1| ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[1]) == 0x00000000 && ------------------ | Branch (131:28): [True: 0, False: 0] ------------------ 132| 1| ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[2]) == 0x00000000 && ------------------ | Branch (132:28): [True: 0, False: 0] ------------------ 133| 1| ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3]) == 0x00010003 /* multicast: FF02::1:3 */); ------------------ | Branch (133:28): [True: 0, False: 0] ------------------ 134| 1|} dns.c:search_dns: 789| 3.43k|static void search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 790| 3.43k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 791| 3.43k| int payload_offset = 0; 792| 3.43k| u_int8_t is_query; 793| 3.43k| struct ndpi_dns_packet_header dns_header; 794| 3.43k| u_int off; 795| 3.43k| ndpi_master_app_protocol proto; 796| 3.43k| int rc; 797| | 798| 3.43k| if(packet->udp != NULL) { ------------------ | Branch (798:6): [True: 3.42k, False: 7] ------------------ 799| 
3.42k| payload_offset = 0; 800| 3.42k| } else if(packet->tcp != NULL) { ------------------ | Branch (800:13): [True: 7, False: 0] ------------------ 801| 7| payload_offset = 2; 802| 7| } 803| | 804| 3.43k| if(!is_valid_dns(ndpi_struct, flow, &dns_header, payload_offset, &is_query)) { ------------------ | Branch (804:6): [True: 167, False: 3.26k] ------------------ 805| |#ifdef DNS_DEBUG 806| | printf("[DNS] invalid packet\n"); 807| |#endif 808| 167| if(flow->extra_packets_func == NULL) { ------------------ | Branch (808:8): [True: 127, False: 40] ------------------ 809| 127| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 127|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 810| 127| } else { 811| 40| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Header"); 812| 40| } 813| 167| return; 814| 167| } 815| | 816| 3.26k| process_hostname(ndpi_struct, flow, &dns_header, &proto); 817| | 818| 3.26k| off = sizeof(struct ndpi_dns_packet_header) + payload_offset; 819| | 820| 3.26k| if(is_query) { ------------------ | Branch (820:6): [True: 1.87k, False: 1.38k] ------------------ 821| 1.87k| flow->protos.dns.is_query = 1; 822| 1.87k| flow->protos.dns.transaction_id = dns_header.tr_id; 823| | 824| 1.87k| rc = process_queries(ndpi_struct, flow, &dns_header, off); 825| |#ifdef DNS_DEBUG 826| | if(rc == -1) 827| | printf("[DNS] Error queries (query msg)\n"); 828| |#endif 829| 1.87k| } else { 830| 1.38k| flow->protos.dns.is_query = 0; 831| 1.38k| flow->protos.dns.transaction_id = dns_header.tr_id; 832| 1.38k| flow->protos.dns.reply_code = dns_header.flags & 0x0F; 833| 1.38k| flow->protos.dns.num_queries = dns_header.num_queries; 834| 1.38k| flow->protos.dns.num_answers = dns_header.num_answers + dns_header.authority_rrs + dns_header.additional_rrs; 835| | 836| 1.38k| if(flow->protos.dns.reply_code != 0) { ------------------ | Branch (836:8): 
[True: 465, False: 924] ------------------ 837| 465| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_ERROR_CODE_DETECTED)) { ------------------ | Branch (837:10): [True: 465, False: 0] ------------------ 838| 465| char str[32], buf[16]; 839| | 840| 465| snprintf(str, sizeof(str), "DNS Error Code %s", 841| 465| dns_error_code2string(flow->protos.dns.reply_code, buf, sizeof(buf))); 842| 465| ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); 843| 465| } else { 844| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, NULL); 845| 0| } 846| 924| } else { 847| 924| if(ndpi_isset_risk(flow, NDPI_SUSPICIOUS_DGA_DOMAIN)) { ------------------ | Branch (847:10): [True: 3, False: 921] ------------------ 848| 3| ndpi_set_risk(ndpi_struct, flow, NDPI_RISKY_DOMAIN, "DGA Name Query with no Error Code"); 849| 3| } 850| 924| } 851| | 852| 1.38k| rc = process_queries(ndpi_struct, flow, &dns_header, off); 853| 1.38k| if(rc == -1) { ------------------ | Branch (853:8): [True: 33, False: 1.35k] ------------------ 854| |#ifdef DNS_DEBUG 855| | printf("[DNS] Error queries (response msg)\n"); 856| |#endif 857| 1.35k| } else { 858| 1.35k| off = rc; 859| 1.35k| rc = process_answers(ndpi_struct, flow, &dns_header, off, &proto); 860| 1.35k| if(rc == -1) { ------------------ | Branch (860:10): [True: 158, False: 1.19k] ------------------ 861| |#ifdef DNS_DEBUG 862| | printf("[DNS] Error answers\n"); 863| |#endif 864| 1.19k| } else { 865| 1.19k| off = rc; 866| 1.19k| rc = process_additionals(ndpi_struct, flow, &dns_header, off); 867| |#ifdef DNS_DEBUG 868| | if(rc == -1) 869| | printf("[DNS] Error additionals\n"); 870| |#endif 871| 1.19k| } 872| 1.35k| } 873| | 874| 1.38k| if(proto.master_protocol == NDPI_PROTOCOL_DNS && ------------------ | Branch (874:8): [True: 1.38k, False: 8] ------------------ 875| | /* TODO: add support to RFC6891 to avoid some false positives */ 876| 1.38k| packet->udp && ------------------ | Branch (876:8): [True: 1.38k, False: 0] 
------------------ 877| 1.38k| packet->payload_packet_len > PKT_LEN_ALERT && ------------------ | | 39| 2.77k|#define PKT_LEN_ALERT 512 ------------------ | Branch (877:8): [True: 0, False: 1.38k] ------------------ 878| 0| packet->payload_packet_len > flow->protos.dns.edns0_udp_payload_size) { ------------------ | Branch (878:8): [True: 0, False: 0] ------------------ 879| 0| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_DNS_LARGE_PACKET)) { ------------------ | Branch (879:10): [True: 0, False: 0] ------------------ 880| 0| char str[48]; 881| | 882| 0| snprintf(str, sizeof(str), "%u Bytes DNS Packet", packet->payload_packet_len); 883| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET, str); 884| 0| } else { 885| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_LARGE_PACKET, NULL); 886| 0| } 887| 0| } 888| | 889| 1.38k| NDPI_LOG_DBG2(ndpi_struct, "Response: [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", ------------------ | | 597| 1.38k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 890| 1.38k| flow->protos.dns.num_queries, flow->protos.dns.num_answers, 891| 1.38k| flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name); 892| 1.38k| } 893| | 894| 3.26k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (894:6): [True: 2.30k, False: 956] ------------------ 895| 2.30k| if(ndpi_struct->cfg.dns_subclassification_enabled) ------------------ | Branch (895:8): [True: 0, False: 2.30k] ------------------ 896| 0| ndpi_set_detected_protocol(ndpi_struct, flow, proto.app_protocol, proto.master_protocol, NDPI_CONFIDENCE_DPI); 897| 2.30k| else 898| 2.30k| ndpi_set_detected_protocol(ndpi_struct, flow, 899| 2.30k| (proto.master_protocol == NDPI_PROTOCOL_UNKNOWN) ? 
NDPI_PROTOCOL_DNS : proto.master_protocol, ------------------ | Branch (899:6): [True: 0, False: 2.30k] ------------------ 900| 2.30k| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 901| 2.30k| } 902| | /* Category is always NDPI_PROTOCOL_CATEGORY_NETWORK, regardless of the subprotocol. Same for the breed */ 903| 3.26k| flow->category = NDPI_PROTOCOL_CATEGORY_NETWORK; 904| 3.26k| flow->breed = NDPI_PROTOCOL_ACCEPTABLE; 905| | 906| 3.26k| if(!flow->extra_packets_func && ------------------ | Branch (906:6): [True: 2.30k, False: 956] ------------------ 907| 2.30k| ndpi_struct->cfg.dns_parse_response_enabled && ------------------ | Branch (907:6): [True: 2.30k, False: 0] ------------------ 908| | /* We have never triggered extra-dissection for LLMNR. Keep the old behavior */ 909| 2.30k| flow->detected_protocol_stack[0] != NDPI_PROTOCOL_LLMNR && ------------------ | Branch (909:6): [True: 2.30k, False: 7] ------------------ 910| 2.30k| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_LLMNR) { ------------------ | Branch (910:6): [True: 2.30k, False: 0] ------------------ 911| 2.30k| if(keep_extra_dissection(flow)) { ------------------ | Branch (911:8): [True: 1.82k, False: 475] ------------------ 912| 1.82k| NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); ------------------ | | 596| 1.82k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 913| 1.82k| flow->max_extra_packets_to_check = 5; 914| 1.82k| flow->extra_packets_func = search_dns_again; 915| 1.82k| } 916| 2.30k| } 917| | 918| | /* The bigger packets are usually the replies, but it shouldn't harm 919| | to check the requests, too */ 920| 3.26k| if((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DNS) ------------------ | Branch (920:6): [True: 2.54k, False: 715] ------------------ 921| 2.54k| || (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DNS)) { ------------------ | Branch (921:9): [True: 0, False: 715] ------------------ 922| | 923| 2.54k| if(packet->iph != NULL) { ------------------ | Branch (923:8): [True: 2.54k, False: 0] ------------------ 924| | /* IPv4 */ 925| 2.54k| u_int8_t flags = ((u_int8_t*)packet->iph)[6]; 926| | 927| | /* 0: fragmented; 1: not fragmented */ 928| 2.54k| if((flags & 0x20) ------------------ | Branch (928:10): [True: 4, False: 2.54k] ------------------ 929| 2.54k| || (iph_is_valid_and_not_fragmented(ndpi_struct, packet->iph, packet->l3_packet_len) == 0)) { ------------------ | Branch (929:6): [True: 0, False: 2.54k] ------------------ 930| 4| ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); 931| 4| } 932| 2.54k| } else if(packet->iphv6 != NULL) { ------------------ | Branch (932:15): [True: 0, False: 0] ------------------ 933| | /* IPv6 */ 934| 0| const struct ndpi_ip6_hdrctl *ip6_hdr = &packet->iphv6->ip6_hdr; 935| | 936| 0| if(ip6_hdr->ip6_un1_nxt == 0x2C /* Next Header: Fragment Header for IPv6 (44) */) { ------------------ | Branch (936:10): [True: 0, False: 0] ------------------ 937| | ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_FRAGMENTED, NULL); 938| 0| } 939| 0| } 940| 2.54k| } 941| 3.26k|} dns.c:is_valid_dns: 634| 3.43k| u_int payload_offset, u_int8_t *is_query) { 635| 3.43k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 636| | 637| 3.43k| if(packet->payload_packet_len < sizeof(struct ndpi_dns_packet_header) + 
payload_offset) ------------------ | Branch (637:6): [True: 15, False: 3.41k] ------------------ 638| 15| return 0; 639| | 640| 3.41k| memcpy(dns_header, (struct ndpi_dns_packet_header*)&packet->payload[payload_offset], 641| 3.41k| sizeof(struct ndpi_dns_packet_header)); 642| | 643| 3.41k| dns_header->tr_id = ntohs(dns_header->tr_id); 644| 3.41k| dns_header->flags = ntohs(dns_header->flags); 645| 3.41k| dns_header->num_queries = ntohs(dns_header->num_queries); 646| 3.41k| dns_header->num_answers = ntohs(dns_header->num_answers); 647| 3.41k| dns_header->authority_rrs = ntohs(dns_header->authority_rrs); 648| 3.41k| dns_header->additional_rrs = ntohs(dns_header->additional_rrs); 649| | 650| 3.41k| if((dns_header->flags & FLAGS_MASK) == 0x0000) ------------------ | | 31| 3.41k|#define FLAGS_MASK 0x8000 ------------------ | Branch (650:6): [True: 1.98k, False: 1.43k] ------------------ 651| 1.98k| *is_query = 1; 652| 1.43k| else 653| 1.43k| *is_query = 0; 654| | 655| 3.41k| if(*is_query) { ------------------ | Branch (655:6): [True: 1.98k, False: 1.43k] ------------------ 656| 1.98k| if(dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS && ------------------ | | 185| 3.96k|#define NDPI_MAX_DNS_REQUESTS 48 ------------------ | Branch (656:8): [True: 1.90k, False: 75] ------------------ 657| | /* dns_header->num_answers == 0 && */ 658| 1.90k| ((dns_header->flags & 0x2800) == 0x2800 /* Dynamic DNS Update */ || ------------------ | Branch (658:9): [True: 2, False: 1.90k] ------------------ 659| 1.90k| (dns_header->flags & 0xFCF0) == 0x00 /* Standard Query */ || ------------------ | Branch (659:2): [True: 1.79k, False: 106] ------------------ 660| 106| (dns_header->flags & 0xFCFF) == 0x0800 /* Inverse query */ || ------------------ | Branch (660:2): [True: 9, False: 97] ------------------ 661| 1.87k| (dns_header->num_answers == 0 && dns_header->authority_rrs == 0))) { ------------------ | Branch (661:3): [True: 92, False: 5] | Branch (661:35): [True: 64, False: 28] 
------------------ 662| | /* This is a good query */ 663| 1.87k| return 1; 664| 1.87k| } 665| 1.98k| } else { 666| 1.43k| if(((dns_header->num_queries > 0 && dns_header->num_queries <= NDPI_MAX_DNS_REQUESTS) || /* Don't assume that num_queries must be zero */ ------------------ | | 185| 1.42k|#define NDPI_MAX_DNS_REQUESTS 48 ------------------ | Branch (666:10): [True: 1.42k, False: 9] | Branch (666:41): [True: 1.39k, False: 34] ------------------ 667| 43| (checkDNSSubprotocol(ntohs(flow->c_port), ntohs(flow->s_port)) == NDPI_PROTOCOL_MDNS && dns_header->num_queries == 0)) && ------------------ | Branch (667:10): [True: 9, False: 34] | Branch (667:97): [True: 5, False: 4] ------------------ 668| 1.39k| ((dns_header->num_answers > 0 && dns_header->num_answers <= NDPI_MAX_DNS_REQUESTS) || ------------------ | | 185| 956|#define NDPI_MAX_DNS_REQUESTS 48 ------------------ | Branch (668:10): [True: 956, False: 439] | Branch (668:41): [True: 865, False: 91] ------------------ 669| 530| (dns_header->authority_rrs > 0 && dns_header->authority_rrs <= NDPI_MAX_DNS_REQUESTS) || ------------------ | | 185| 505|#define NDPI_MAX_DNS_REQUESTS 48 ------------------ | Branch (669:10): [True: 505, False: 25] | Branch (669:43): [True: 439, False: 66] ------------------ 670| 91| (dns_header->additional_rrs > 0 && dns_header->additional_rrs <= NDPI_MAX_DNS_REQUESTS) || ------------------ | | 185| 83|#define NDPI_MAX_DNS_REQUESTS 48 ------------------ | Branch (670:10): [True: 83, False: 8] | Branch (670:44): [True: 79, False: 4] ------------------ 671| 1.38k| (dns_header->num_answers == 0 && dns_header->authority_rrs == 0 && dns_header->additional_rrs == 0))) { ------------------ | Branch (671:10): [True: 8, False: 4] | Branch (671:42): [True: 7, False: 1] | Branch (671:76): [True: 6, False: 1] ------------------ 672| | /* This is a good reply */ 673| 1.38k| return 1; 674| 1.38k| } 675| 44| if(dns_header->num_queries == 0 && dns_header->num_answers == 0 && ------------------ | Branch 
(675:8): [True: 5, False: 39] | Branch (675:40): [True: 3, False: 2] ------------------ 676| 3| dns_header->authority_rrs == 0 && dns_header->additional_rrs == 0 && ------------------ | Branch (676:8): [True: 2, False: 1] | Branch (676:42): [True: 1, False: 1] ------------------ 677| 1| packet->payload_packet_len == sizeof(struct ndpi_dns_packet_header)) { ------------------ | Branch (677:8): [True: 0, False: 1] ------------------ 678| | /* This is a good empty reply */ 679| 0| return 1; 680| 0| } 681| 44| } 682| 152| return 0; 683| 3.41k|} dns.c:checkDNSSubprotocol: 138| 3.30k|static u_int16_t checkDNSSubprotocol(u_int16_t sport, u_int16_t dport) { 139| 3.30k| u_int16_t rc = checkPort(sport); 140| | 141| 3.30k| if(rc == 0) ------------------ | Branch (141:6): [True: 2.58k, False: 724] ------------------ 142| 2.58k| return(checkPort(dport)); 143| 724| else 144| 724| return(rc); 145| 3.30k|} dns.c:checkPort: 103| 5.88k|static u_int16_t checkPort(u_int16_t port) { 104| 5.88k| switch(port) { ------------------ | Branch (104:10): [True: 3.30k, False: 2.58k] ------------------ 105| 2.57k| case DNS_PORT: ------------------ | | 35| 2.57k|#define DNS_PORT 53 ------------------ | Branch (105:3): [True: 2.57k, False: 3.31k] ------------------ 106| 2.57k| return(NDPI_PROTOCOL_DNS); 107| 11| case LLMNR_PORT: ------------------ | | 36| 11|#define LLMNR_PORT 5355 ------------------ | Branch (107:3): [True: 11, False: 5.87k] ------------------ 108| 11| return(NDPI_PROTOCOL_LLMNR); 109| 717| case MDNS_PORT: ------------------ | | 37| 717|#define MDNS_PORT 5353 ------------------ | Branch (109:3): [True: 717, False: 5.17k] ------------------ 110| 717| return(NDPI_PROTOCOL_MDNS); 111| 5.88k| } 112| | 113| 2.58k| return(0); 114| 5.88k|} dns.c:process_hostname: 713| 3.26k| ndpi_master_app_protocol *proto) { 714| 3.26k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 715| 3.26k| char *dot; 716| 3.26k| u_int len, is_mdns, off = sizeof(struct ndpi_dns_packet_header) + 
(packet->tcp ? 2 : 0); ------------------ | Branch (716:70): [True: 2, False: 3.26k] ------------------ 717| 3.26k| char _hostname[256]; 718| 3.26k| u_int8_t hostname_is_valid; 719| | 720| 3.26k| proto->master_protocol = checkDNSSubprotocol(ntohs(flow->c_port), ntohs(flow->s_port)); 721| 3.26k| proto->app_protocol = flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN ? flow->detected_protocol_stack[0] : NDPI_PROTOCOL_UNKNOWN; ------------------ | Branch (721:25): [True: 0, False: 3.26k] ------------------ 722| | 723| | /* We try to get hostname only from "standard" query/answer */ 724| 3.26k| if(dns_header->num_queries == 0 && dns_header->num_answers == 0) ------------------ | Branch (724:6): [True: 58, False: 3.20k] | Branch (724:38): [True: 51, False: 7] ------------------ 725| 51| return -1; 726| | 727| 3.21k| is_mdns = (proto->master_protocol == NDPI_PROTOCOL_MDNS); 728| | 729| | /* TODO: should we overwrite existing hostname? 730| | For the time being, keep the old/current behavior */ 731| | 732| 3.21k| hostname_is_valid = ndpi_grab_dns_name(packet, &off, _hostname, sizeof(_hostname), &len, is_mdns); 733| | 734| |#ifdef DNS_DEBUG 735| | printf("[DNS] [%s]\n", _hostname); 736| |#endif 737| | 738| 3.21k| ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, len, is_mdns ? NDPI_HOSTNAME_NORM_LC : NDPI_HOSTNAME_NORM_ALL); ------------------ | | 512| 660|#define NDPI_HOSTNAME_NORM_LC 1 ------------------ ndpi_hostname_sni_set(flow, (const u_int8_t *)_hostname, len, is_mdns ? 
NDPI_HOSTNAME_NORM_LC : NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 2.55k|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 2.55k|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 2.55k|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 2.55k|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ | Branch (738:65): [True: 660, False: 2.55k] ------------------ 739| | 740| 3.21k| if (hostname_is_valid == 0) ------------------ | Branch (740:7): [True: 255, False: 2.95k] ------------------ 741| 255| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, "Invalid chars detected in domain name"); 742| | 743| | /* Ignore reverse DNS queries */ 744| 3.21k| if(strstr(_hostname, ".in-addr.") == NULL) { ------------------ | Branch (744:6): [True: 3.21k, False: 0] ------------------ 745| 3.21k| dot = strchr(_hostname, '.'); 746| | 747| 3.21k| if(dot) { ------------------ | Branch (747:8): [True: 1.94k, False: 1.26k] ------------------ 748| 1.94k| uintptr_t first_element_len = dot - _hostname; 749| | 750| 1.94k| if((first_element_len > 48) && (!is_mdns)) { ------------------ | Branch (750:10): [True: 15, False: 1.93k] | Branch (750:38): [True: 15, False: 0] ------------------ 751| | /* 752| | The length of the first element in the query is very long 753| | and this might be an issue or indicate an exfiltration 754| | */ 755| | 756| 15| if(ends_with(ndpi_struct, _hostname, "multi.surbl.org") ------------------ | Branch (756:12): [True: 0, False: 15] ------------------ 757| 15| || ends_with(ndpi_struct, 
_hostname, "spamhaus.org") ------------------ | Branch (757:15): [True: 0, False: 15] ------------------ 758| 15| || ends_with(ndpi_struct, _hostname, "rackcdn.com") ------------------ | Branch (758:15): [True: 0, False: 15] ------------------ 759| 15| || ends_with(ndpi_struct, _hostname, "akamaiedge.net") ------------------ | Branch (759:15): [True: 0, False: 15] ------------------ 760| 15| || ends_with(ndpi_struct, _hostname, "mx-verification.google.com") ------------------ | Branch (760:15): [True: 0, False: 15] ------------------ 761| 15| || ends_with(ndpi_struct, _hostname, "amazonaws.com") ------------------ | Branch (761:15): [True: 0, False: 15] ------------------ 762| 15| ) 763| 0| ; /* Check common domain exceptions [TODO: if the list grows too much use a different datastructure] */ 764| 15| else 765| 15| ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Long DNS host name"); 766| 15| } 767| 1.94k| } 768| 3.21k| } 769| | 770| 3.21k| if(strlen(flow->host_server_name) > 0) { ------------------ | Branch (770:6): [True: 2.75k, False: 457] ------------------ 771| 2.75k| ndpi_protocol_match_result ret_match; 772| | 773| 2.75k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (773:8): [True: 2.75k, False: 0] ------------------ 774| 2.75k| proto->app_protocol = ndpi_match_host_subprotocol(ndpi_struct, flow, 775| 2.75k| flow->host_server_name, 776| 2.75k| strlen(flow->host_server_name), 777| 2.75k| &ret_match, 778| 2.75k| proto->master_protocol, 779| | /* Avoid updating classification if subclassification is disabled */ 780| 2.75k| ndpi_struct->cfg.dns_subclassification_enabled ? 
1 : 0); ------------------ | Branch (780:57): [True: 0, False: 2.75k] ------------------ 781| 2.75k| } 782| | 783| 2.75k| ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0, proto->app_protocol != NDPI_PROTOCOL_UNKNOWN); 784| 2.75k| } 785| | 786| 3.21k| return 0; 787| 3.26k|} dns.c:ndpi_grab_dns_name: 243| 3.21k| u_int8_t ignore_checks) { 244| 3.21k| u_int8_t hostname_is_valid = 1; 245| 3.21k| u_int j = 0; 246| | 247| 3.21k| max_len--; 248| | 249| 10.5k| while((j < max_len) ------------------ | Branch (249:9): [True: 10.5k, False: 0] ------------------ 250| 10.5k| && ((*off) < packet->payload_packet_len) ------------------ | Branch (250:5): [True: 10.5k, False: 3] ------------------ 251| 10.5k| && (packet->payload[(*off)] != '\0')) { ------------------ | Branch (251:5): [True: 7.68k, False: 2.82k] ------------------ 252| 7.68k| u_int8_t c, cl = packet->payload[*off]; 253| | 254| 7.68k| if(((cl & 0xc0) != 0) || // we not support compressed names in query ------------------ | Branch (254:8): [True: 237, False: 7.44k] ------------------ 255| 7.44k| (((*off)+1) + cl >= packet->payload_packet_len)) { ------------------ | Branch (255:8): [True: 151, False: 7.29k] ------------------ 256| | /* Don't update the offset */ 257| 388| j = 0; 258| 388| break; 259| 388| } 260| | 261| 7.29k| (*off)++; 262| | 263| 7.29k| if(j && (j < max_len)) _hostname[j++] = '.'; ------------------ | Branch (263:8): [True: 4.29k, False: 2.99k] | Branch (263:13): [True: 4.29k, False: 0] ------------------ 264| | 265| 46.0k| while((j < max_len) && (cl != 0)) { ------------------ | Branch (265:11): [True: 46.0k, False: 0] | Branch (265:28): [True: 38.7k, False: 7.29k] ------------------ 266| 38.7k| c = packet->payload[(*off)++]; 267| | 268| 38.7k| if(ignore_checks) ------------------ | Branch (268:10): [True: 14.0k, False: 24.7k] ------------------ 269| 14.0k| _hostname[j++] = tolower(c); ------------------ | Branch (269:19): [True: 0, False: 0] | Branch (269:19): [True: 0, False: 
0] | Branch (269:19): [Folded, False: 14.0k] ------------------ 270| 24.7k| else { 271| 24.7k| u_int32_t shift; 272| | 273| 24.7k| shift = ((u_int32_t) 1) << (c & 0x1f); 274| | 275| 24.7k| if((dns_validchar[c >> 5] & shift)) { ------------------ | Branch (275:5): [True: 22.4k, False: 2.29k] ------------------ 276| 22.4k| _hostname[j++] = tolower(c); ------------------ | Branch (276:21): [True: 0, False: 0] | Branch (276:21): [True: 0, False: 0] | Branch (276:21): [Folded, False: 22.4k] ------------------ 277| 22.4k| } else { 278| | /* printf("---?? '%c'\n", c); */ 279| | 280| 2.29k| hostname_is_valid = 0; 281| | 282| 2.29k| if (ndpi_isprint(c) == 0) { ------------------ | | 2529| 2.29k|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 1.03k, False: 1.25k] | | | Branch (2529:43): [True: 314, False: 725] | | ------------------ ------------------ | Branch (282:8): [True: 1.97k, False: 314] ------------------ 283| 1.97k| _hostname[j++] = '?'; 284| 1.97k| } else { 285| 314| _hostname[j++] = '_'; 286| 314| } 287| 2.29k| } 288| 24.7k| } 289| | 290| 38.7k| cl--; 291| 38.7k| } 292| 7.29k| } 293| | 294| 3.21k| _hostname[j] = '\0', *_hostname_len = j; 295| | 296| 3.21k| return(hostname_is_valid); 297| 3.21k|} dns.c:process_queries: 304| 3.26k| u_int payload_offset) { 305| 3.26k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 306| 3.26k| u_int x = payload_offset; 307| 3.26k| u_int16_t rsp_type; 308| 3.26k| u_int16_t num; 309| | 310| 6.22k| for(num = 0; num < dns_header->num_queries; num++) { ------------------ | Branch (310:16): [True: 3.26k, False: 2.95k] ------------------ 311| 3.26k| u_int16_t data_len; 312| | 313| 3.26k| if((data_len = getNameLength(x, packet->payload, ------------------ | Branch (313:8): [True: 8, False: 3.26k] ------------------ 314| 3.26k| packet->payload_packet_len)) == 0) { 315| 8| return -1; 316| 8| } else 317| 3.26k| x += data_len; 318| | 319| 3.26k| if(data_len > 253) 
------------------ | Branch (319:8): [True: 1, False: 3.26k] ------------------ 320| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); 321| | 322| 3.26k| if((x+4) > packet->payload_packet_len) { ------------------ | Branch (322:8): [True: 304, False: 2.95k] ------------------ 323| 304| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid DNS Query Lenght"); 324| 304| return -1; 325| 304| } 326| | 327| 2.95k| rsp_type = get16(&x, packet->payload); 328| | 329| |#ifdef DNS_DEBUG 330| | printf("[DNS] [response (query)] response_type=%d\n", rsp_type); 331| |#endif 332| 2.95k| if(flow->protos.dns.query_type == 0) { ------------------ | Branch (332:8): [True: 2.12k, False: 834] ------------------ 333| | /* In case we missed the query packet... */ 334| 2.12k| flow->protos.dns.query_type = rsp_type; 335| 2.12k| } 336| | 337| | /* here x points to the response "class" field */ 338| 2.95k| x += 2; /* Skip class */ 339| 2.95k| } 340| | 341| 2.95k| return x; 342| 3.26k|} dns.c:getNameLength: 159| 12.3k|static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) { 160| 12.3k| if(i >= payloadLen) ------------------ | Branch (160:6): [True: 476, False: 11.9k] ------------------ 161| 476| return(0); 162| 11.9k| else if(payload[i] == 0x00) ------------------ | Branch (162:11): [True: 3.06k, False: 8.85k] ------------------ 163| 3.06k| return(1); 164| 8.85k| else if((payload[i] & 0xC0)== 0xC0) ------------------ | Branch (164:11): [True: 999, False: 7.85k] ------------------ 165| 999| return(2); 166| 7.85k| else { 167| 7.85k| u_int8_t len = payload[i]; 168| 7.85k| u_int8_t off = len + 1; 169| | 170| 7.85k| return(off + getNameLength(i+off, payload, payloadLen)); 171| 7.85k| } 172| 12.3k|} dns.c:get16: 149| 5.07k|static u_int16_t get16(u_int *i, const u_int8_t *payload) { 150| 5.07k| u_int16_t v = *(u_int16_t*)&payload[*i]; 151| | 152| 5.07k| (*i) += 2; 153| | 154| | return(ntohs(v)); 155| 5.07k|} 
dns.c:dns_error_code2string: 193| 465|static char* dns_error_code2string(u_int16_t error_code, char *buf, u_int buf_len) { 194| 465| switch(error_code) { 195| 2| case 1: return((char*)"FORMERR"); ------------------ | Branch (195:3): [True: 2, False: 463] ------------------ 196| 2| case 2: return((char*)"SERVFAIL"); ------------------ | Branch (196:3): [True: 2, False: 463] ------------------ 197| 431| case 3: return((char*)"NXDOMAIN"); ------------------ | Branch (197:3): [True: 431, False: 34] ------------------ 198| 0| case 4: return((char*)"NOTIMP"); ------------------ | Branch (198:3): [True: 0, False: 465] ------------------ 199| 1| case 5: return((char*)"REFUSED"); ------------------ | Branch (199:3): [True: 1, False: 464] ------------------ 200| 1| case 6: return((char*)"YXDOMAIN"); ------------------ | Branch (200:3): [True: 1, False: 464] ------------------ 201| 2| case 7: return((char*)"XRRSET"); ------------------ | Branch (201:3): [True: 2, False: 463] ------------------ 202| 6| case 8: return((char*)"NOTAUTH"); ------------------ | Branch (202:3): [True: 6, False: 459] ------------------ 203| 6| case 9: return((char*)"NOTZONE"); ------------------ | Branch (203:3): [True: 6, False: 459] ------------------ 204| | 205| 14| default: ------------------ | Branch (205:3): [True: 14, False: 451] ------------------ 206| 14| snprintf(buf, buf_len, "%u", error_code); 207| 14| return(buf); 208| 465| } 209| 465|} dns.c:process_answers: 348| 1.35k| ndpi_master_app_protocol *proto) { 349| 1.35k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 350| 1.35k| u_int x = payload_offset; 351| 1.35k| u_int16_t rsp_type; 352| 1.35k| u_int32_t rsp_ttl; 353| 1.35k| u_int16_t num; 354| 1.35k| u_int8_t found = 0; 355| 1.35k| int ignore_checks; 356| | 357| 1.35k| ignore_checks = (proto->master_protocol == NDPI_PROTOCOL_MDNS); 358| | 359| 2.35k| for(num = 0; num < dns_header->num_answers; num++) { ------------------ | Branch (359:16): [True: 1.15k, False: 1.19k] 
------------------ 360| 1.15k| u_int16_t data_len; 361| | 362| 1.15k| if((data_len = getNameLength(x, packet->payload, ------------------ | Branch (362:8): [True: 23, False: 1.13k] ------------------ 363| 1.15k| packet->payload_packet_len)) == 0) { 364| 23| return -1; 365| 23| } else 366| 1.13k| x += data_len; 367| | 368| 1.13k| if((x+8) >= packet->payload_packet_len) { ------------------ | Branch (368:8): [True: 135, False: 1.00k] ------------------ 369| 135| return -1; 370| 135| } 371| | 372| 1.00k| rsp_type = get16(&x, packet->payload); 373| 1.00k| rsp_ttl = ntohl(*((u_int32_t*)&packet->payload[x+2])); 374| | 375| 1.00k| if(rsp_ttl == 0) ------------------ | Branch (375:8): [True: 29, False: 972] ------------------ 376| 29| ndpi_set_risk(ndpi_struct, flow, NDPI_MINOR_ISSUES, "DNS Record with zero TTL"); 377| | 378| |#ifdef DNS_DEBUG 379| | printf("[DNS] Date len %u; TTL = %u\n", data_len, rsp_ttl); 380| | printf("[DNS] [response] response_type=%d\n", rsp_type); 381| |#endif 382| | 383| 1.00k| if(found == 0) { ------------------ | Branch (383:8): [True: 1.00k, False: 0] ------------------ 384| 1.00k| ndpi_check_dns_type(ndpi_struct, flow, rsp_type); 385| 1.00k| flow->protos.dns.rsp_type = rsp_type; 386| 1.00k| } 387| | 388| | /* x points to the response "class" field */ 389| 1.00k| if((x+12) <= packet->payload_packet_len) { ------------------ | Branch (389:8): [True: 985, False: 16] ------------------ 390| 985| u_int32_t ttl = ntohl(*((u_int32_t*)&packet->payload[x+2])); 391| | 392| 985| x += 6; 393| 985| data_len = get16(&x, packet->payload); 394| | 395| 985| if((x + data_len) <= packet->payload_packet_len) { ------------------ | Branch (395:10): [True: 825, False: 160] ------------------ 396| |#ifdef DNS_DEBUG 397| | printf("[DNS] [rsp_type: %u][data_len: %u]\n", rsp_type, data_len); 398| |#endif 399| | 400| 825| if(rsp_type == 0x05 /* CNAME */) { ------------------ | Branch (400:12): [True: 0, False: 825] ------------------ 401| 0| ; 402| 825| } else 
if(rsp_type == 0x0C /* PTR */) { ------------------ | Branch (402:19): [True: 0, False: 825] ------------------ 403| 0| u_int16_t ptr_len = (packet->payload[x-2] << 8) + packet->payload[x-1]; 404| | 405| 0| if((x + ptr_len) <= packet->payload_packet_len) { ------------------ | Branch (405:14): [True: 0, False: 0] ------------------ 406| 0| if(found == 0) { ------------------ | Branch (406:16): [True: 0, False: 0] ------------------ 407| 0| u_int len, orig_x; 408| | 409| 0| orig_x = x; 410| 0| ndpi_grab_dns_name(packet, &x, 411| 0| flow->protos.dns.ptr_domain_name, 412| 0| sizeof(flow->protos.dns.ptr_domain_name), &len, 413| 0| ignore_checks); 414| | /* ndpi_grab_dns_name doesn't update the offset if it failed. 415| | We unconditionally update it at the end of the for loop */ 416| 0| x = orig_x; 417| 0| found = 1; 418| 0| } 419| 0| } 420| 825| } else if((((rsp_type == 0x1) && (data_len == 4)) /* A */ ------------------ | Branch (420:21): [True: 701, False: 124] | Branch (420:42): [True: 699, False: 2] ------------------ 421| 126| || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ ------------------ | Branch (421:24): [True: 1, False: 125] | Branch (421:46): [True: 0, False: 1] ------------------ 422| 825| )) { 423| 699| if(found == 0) { ------------------ | Branch (423:14): [True: 699, False: 0] ------------------ 424| | 425| 699| if(flow->protos.dns.num_rsp_addr < MAX_NUM_DNS_RSP_ADDRESSES) { ------------------ | | 1397| 699|#define MAX_NUM_DNS_RSP_ADDRESSES 8 ------------------ | Branch (425:16): [True: 699, False: 0] ------------------ 426| | /* Necessary for IP address comparison */ 427| 699| memset(&flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], 0, sizeof(ndpi_ip_addr_t)); 428| | 429| 699| memcpy(&flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], packet->payload + x, data_len); 430| 699| flow->protos.dns.is_rsp_addr_ipv6[flow->protos.dns.num_rsp_addr] = (data_len == 16) ? 
1 : 0; ------------------ | Branch (430:82): [True: 0, False: 699] ------------------ 431| 699| flow->protos.dns.rsp_addr_ttl[flow->protos.dns.num_rsp_addr] = ttl; 432| | 433| 699| if(ndpi_struct->cfg.address_cache_size) ------------------ | Branch (433:18): [True: 0, False: 699] ------------------ 434| 0| ndpi_cache_address(ndpi_struct, 435| 0| flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], 436| 0| flow->host_server_name, 437| 0| packet->current_time_ms/1000, 438| 0| flow->protos.dns.rsp_addr_ttl[flow->protos.dns.num_rsp_addr]); 439| | 440| 699| if(ndpi_struct->cfg.hostname_dns_check_enabled) ------------------ | Branch (440:11): [True: 0, False: 699] ------------------ 441| 0| ndpi_cache_hostname_ip(ndpi_struct, 442| 0| &flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], 443| 0| flow->host_server_name); 444| | 445| 699| ++flow->protos.dns.num_rsp_addr; 446| 699| } 447| | 448| 699| if(flow->protos.dns.num_rsp_addr >= MAX_NUM_DNS_RSP_ADDRESSES) ------------------ | | 1397| 699|#define MAX_NUM_DNS_RSP_ADDRESSES 8 ------------------ | Branch (448:16): [True: 0, False: 699] ------------------ 449| 0| found = 1; 450| 699| } 451| | 452| | /* Add (all addresses) to FPC DNS cache */ 453| 699| if(ndpi_struct->cfg.fpc_enabled && ------------------ | Branch (453:14): [True: 699, False: 0] ------------------ 454| 699| proto->app_protocol != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (454:14): [True: 39, False: 660] ------------------ 455| 39| proto->app_protocol != proto->master_protocol && ------------------ | Branch (455:14): [True: 39, False: 0] ------------------ 456| 39| ndpi_struct->fpc_dns_cache) { ------------------ | Branch (456:14): [True: 33, False: 6] ------------------ 457| 33| ndpi_lru_add_to_cache(ndpi_struct->fpc_dns_cache, 458| 33| fpc_dns_cache_key_from_packet(packet->payload + x, data_len), 459| 33| proto->app_protocol, 460| 33| ndpi_get_current_time(flow)); 461| | 462| 33| NDPI_LOG_DBG(ndpi_struct, "Adding entry to fpc_dns: %s 
proto %d\n", ------------------ | | 596| 33|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 463| 33| data_len == 4 ? "ipv4" : "ipv6", proto->app_protocol); 464| 33| } 465| 699| } 466| | 467| 825| x += data_len; 468| 825| } 469| 985| } 470| | 471| 1.00k| if(found && (dns_header->additional_rrs == 0)) { ------------------ | Branch (471:8): [True: 0, False: 1.00k] | Branch (471:17): [True: 0, False: 0] ------------------ 472| | /* 473| | In case we have RR we need to iterate 474| | all the answers and not just consider the 475| | first one as we need to properly move 'x' 476| | to the right offset 477| | */ 478| 0| break; 479| 0| } 480| 1.00k| } 481| | 482| 1.19k| return x; 483| 1.35k|} dns.c:ndpi_check_dns_type: 49| 1.00k| u_int16_t dns_type) { 50| | /* https://en.wikipedia.org/wiki/List_of_DNS_record_types */ 51| | 52| 1.00k| switch(dns_type) { ------------------ | Branch (52:10): [True: 90, False: 911] ------------------ 53| | /* Obsolete record types */ 54| 1| case 3: ------------------ | Branch (54:3): [True: 1, False: 1.00k] ------------------ 55| 6| case 4: ------------------ | Branch (55:3): [True: 5, False: 996] ------------------ 56| 9| case 254: ------------------ | Branch (56:3): [True: 3, False: 998] ------------------ 57| 15| case 7: ------------------ | Branch (57:3): [True: 6, False: 995] ------------------ 58| 16| case 8: ------------------ | Branch (58:3): [True: 1, False: 1.00k] ------------------ 59| 25| case 9: ------------------ | Branch (59:3): [True: 9, False: 992] ------------------ 60| 26| case 14: ------------------ | Branch (60:3): [True: 1, False: 1.00k] ------------------ 61| 28| case 253: ------------------ | Branch (61:3): [True: 2, False: 999] ------------------ 62| 29| case 11: ------------------ | Branch (62:3): [True: 1, False: 1.00k] ------------------ 63| | /* case 33: */ /* SRV */ 64| 30| case 10: ------------------ | Branch (64:3): [True: 1, False: 1.00k] ------------------ 65| 32| case 
38: ------------------ | Branch (65:3): [True: 2, False: 999] ------------------ 66| 33| case 30: ------------------ | Branch (66:3): [True: 1, False: 1.00k] ------------------ 67| 33| case 25: ------------------ | Branch (67:3): [True: 0, False: 1.00k] ------------------ 68| 33| case 24: ------------------ | Branch (68:3): [True: 0, False: 1.00k] ------------------ 69| 33| case 13: ------------------ | Branch (69:3): [True: 0, False: 1.00k] ------------------ 70| 35| case 17: ------------------ | Branch (70:3): [True: 2, False: 999] ------------------ 71| 36| case 19: ------------------ | Branch (71:3): [True: 1, False: 1.00k] ------------------ 72| 37| case 20: ------------------ | Branch (72:3): [True: 1, False: 1.00k] ------------------ 73| 37| case 21: ------------------ | Branch (73:3): [True: 0, False: 1.00k] ------------------ 74| 38| case 22: ------------------ | Branch (74:3): [True: 1, False: 1.00k] ------------------ 75| 39| case 23: ------------------ | Branch (75:3): [True: 1, False: 1.00k] ------------------ 76| 40| case 26: ------------------ | Branch (76:3): [True: 1, False: 1.00k] ------------------ 77| 41| case 31: ------------------ | Branch (77:3): [True: 1, False: 1.00k] ------------------ 78| 44| case 32: ------------------ | Branch (78:3): [True: 3, False: 998] ------------------ 79| 44| case 34: ------------------ | Branch (79:3): [True: 0, False: 1.00k] ------------------ 80| 44| case 42: ------------------ | Branch (80:3): [True: 0, False: 1.00k] ------------------ 81| 49| case 40: ------------------ | Branch (81:3): [True: 5, False: 996] ------------------ 82| 49| case 27: ------------------ | Branch (82:3): [True: 0, False: 1.00k] ------------------ 83| 50| case 100: ------------------ | Branch (83:3): [True: 1, False: 1.00k] ------------------ 84| 51| case 101: ------------------ | Branch (84:3): [True: 1, False: 1.00k] ------------------ 85| 53| case 102: ------------------ | Branch (85:3): [True: 2, False: 999] ------------------ 86| 
55| case 103: ------------------ | Branch (86:3): [True: 2, False: 999] ------------------ 87| 56| case 99: ------------------ | Branch (87:3): [True: 1, False: 1.00k] ------------------ 88| 67| case 56: ------------------ | Branch (88:3): [True: 11, False: 990] ------------------ 89| 68| case 57: ------------------ | Branch (89:3): [True: 1, False: 1.00k] ------------------ 90| 70| case 58: ------------------ | Branch (90:3): [True: 2, False: 999] ------------------ 91| 74| case 104: ------------------ | Branch (91:3): [True: 4, False: 997] ------------------ 92| 74| case 105: ------------------ | Branch (92:3): [True: 0, False: 1.00k] ------------------ 93| 75| case 106: ------------------ | Branch (93:3): [True: 1, False: 1.00k] ------------------ 94| 89| case 107: ------------------ | Branch (94:3): [True: 14, False: 987] ------------------ 95| 90| case 259: ------------------ | Branch (95:3): [True: 1, False: 1.00k] ------------------ 96| 90| ndpi_set_risk(ndpi_struct, flow, NDPI_DNS_SUSPICIOUS_TRAFFIC, "Obsolete DNS record type"); 97| 90| break; 98| 1.00k| } 99| 1.00k|} dns.c:fpc_dns_cache_key_from_packet: 226| 33|static u_int64_t fpc_dns_cache_key_from_packet(const unsigned char *ip, int ip_len) { 227| 33| u_int64_t key; 228| | 229| 33| if(ip_len == 16) ------------------ | Branch (229:6): [True: 0, False: 33] ------------------ 230| 0| key = ndpi_quick_hash64((const char *)ip, 16); 231| 33| else 232| 33| key = (u_int64_t)(*(u_int32_t *)ip); 233| | 234| 33| return key; 235| 33|} dns.c:process_additionals: 488| 1.19k| u_int payload_offset) { 489| 1.19k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 490| 1.19k| u_int x = payload_offset; 491| | 492| | /* 493| | Dissect the rest of the packet only if there are 494| | additional_rrs as we need to check for: 495| | * EDNS(0) 496| | * NSID 497| | 498| | In this case we need to go through the whole packet 499| | as we need to update the 'x' offset 500| | */ 501| | 502| 1.19k| 
if(dns_header->additional_rrs == 0) ------------------ | Branch (502:6): [True: 1.16k, False: 33] ------------------ 503| 1.16k| return x; 504| | 505| 33| if(dns_header->authority_rrs > 0) { ------------------ | Branch (505:6): [True: 20, False: 13] ------------------ 506| |#ifdef DNS_DEBUG 507| | u_int16_t rsp_type; 508| |#endif 509| 20| u_int16_t num; 510| | 511| 77| for(num = 0; num < dns_header->authority_rrs; num++) { ------------------ | Branch (511:18): [True: 75, False: 2] ------------------ 512| 75| u_int16_t data_len; 513| | 514| 75| if((x+6) >= packet->payload_packet_len) { ------------------ | Branch (514:10): [True: 7, False: 68] ------------------ 515| 7| return -1; 516| 7| } 517| | 518| 68| if((data_len = getNameLength(x, packet->payload, ------------------ | Branch (518:10): [True: 0, False: 68] ------------------ 519| 68| packet->payload_packet_len)) == 0) { 520| 0| return -1; 521| 0| } else 522| 68| x += data_len; 523| | 524| 68| if((x+8) >= packet->payload_packet_len) { ------------------ | Branch (524:10): [True: 11, False: 57] ------------------ 525| 11| return -1; 526| 11| } 527| | 528| | /* To avoid warning: variable ‘rsp_type’ set but not used [-Wunused-but-set-variable] */ 529| |#ifdef DNS_DEBUG 530| | rsp_type = get16(&x, packet->payload); 531| |#else 532| 57| get16(&x, packet->payload); 533| 57|#endif 534| | 535| |#ifdef DNS_DEBUG 536| | printf("[DNS] [RRS response] response_type=%d\n", rsp_type); 537| |#endif 538| | 539| | /* here x points to the response "class" field */ 540| 57| if((x+12) <= packet->payload_packet_len) { ------------------ | Branch (540:10): [True: 54, False: 3] ------------------ 541| 54| x += 6; 542| 54| data_len = get16(&x, packet->payload); 543| | 544| 54| if((x + data_len) <= packet->payload_packet_len) ------------------ | Branch (544:12): [True: 19, False: 35] ------------------ 545| 19| x += data_len; 546| 54| } 547| 57| } 548| 20| } 549| | 550| 15| if(dns_header->additional_rrs > 0) { ------------------ | 
Branch (550:6): [True: 15, False: 0] ------------------ 551| 15| u_int16_t rsp_type; 552| 15| u_int16_t num; 553| | 554| 34| for(num = 0; num < dns_header->additional_rrs; num++) { ------------------ | Branch (554:18): [True: 32, False: 2] ------------------ 555| 32| u_int16_t data_len, rdata_len, opt_code, opt_len; 556| 32| const unsigned char *opt; 557| | 558| |#ifdef DNS_DEBUG 559| | printf("[DNS] [RR response %d/%d]\n", num + 1, dns_header->additional_rrs); 560| |#endif 561| | 562| 32| if((x+6) > packet->payload_packet_len) { ------------------ | Branch (562:10): [True: 9, False: 23] ------------------ 563| 9| return -1; 564| 9| } 565| | 566| 23| if((data_len = getNameLength(x, packet->payload, packet->payload_packet_len)) == 0) { ------------------ | Branch (566:10): [True: 0, False: 23] ------------------ 567| 0| return -1; 568| 0| } else 569| 23| x += data_len; 570| | 571| 23| if((x+10) > packet->payload_packet_len) { ------------------ | Branch (571:10): [True: 4, False: 19] ------------------ 572| 4| return -1; 573| 4| } 574| | 575| 19| rsp_type = get16(&x, packet->payload); 576| | 577| |#ifdef DNS_DEBUG 578| | printf("[DNS] [RR response] response_type=%d\n", rsp_type); 579| |#endif 580| | 581| 19| if(rsp_type == 41 /* OPT */) { ------------------ | Branch (581:10): [True: 1, False: 18] ------------------ 582| | /* https://en.wikipedia.org/wiki/Extension_Mechanisms_for_DNS */ 583| 1| flow->protos.dns.edns0_udp_payload_size = ntohs(*((u_int16_t*)&packet->payload[x])); /* EDNS(0) */ 584| | 585| |#ifdef DNS_DEBUG 586| | printf("[DNS] [response] edns0_udp_payload_size: %u\n", flow->protos.dns.edns0_udp_payload_size); 587| |#endif 588| 1| x += 6; 589| | 590| 1| rdata_len = ntohs(*((u_int16_t *)&packet->payload[x])); 591| |#ifdef DNS_DEBUG 592| | printf("[DNS] [response] rdata len: %u\n", rdata_len); 593| |#endif 594| 1| if(rdata_len > 0 && ------------------ | Branch (594:12): [True: 1, False: 0] ------------------ 595| 1| x + 6 <= packet->payload_packet_len) { 
------------------ | Branch (595:12): [True: 1, False: 0] ------------------ 596| 1| opt_code = ntohs(*((u_int16_t *)&packet->payload[x + 2])); 597| 1| opt_len = ntohs(*((u_int16_t *)&packet->payload[x + 4])); 598| 1| opt = &packet->payload[x + 6]; 599| | /* TODO: parse the TLV list */ 600| 1| if(opt_code == 0x03 && ------------------ | Branch (600:14): [True: 0, False: 1] ------------------ 601| 0| opt_len <= rdata_len + 4 && ------------------ | Branch (601:14): [True: 0, False: 0] ------------------ 602| 0| opt_len > 6 && ------------------ | Branch (602:14): [True: 0, False: 0] ------------------ 603| 0| x + 6 + opt_len <= packet->payload_packet_len) { ------------------ | Branch (603:14): [True: 0, False: 0] ------------------ 604| |#ifdef DNS_DEBUG 605| | printf("[DNS] NSID: [%.*s]\n", opt_len, opt); 606| |#endif 607| 0| if(memcmp(opt, "gpdns-", 6) == 0) { ------------------ | Branch (607:16): [True: 0, False: 0] ------------------ 608| |#ifdef DNS_DEBUG 609| | printf("[DNS] NSID Airport code [%.*s]\n", opt_len - 6, opt + 6); 610| |#endif 611| 0| memcpy(flow->protos.dns.geolocation_iata_code, opt + 6, 612| 0| ndpi_min(opt_len - 6, (int)sizeof(flow->protos.dns.geolocation_iata_code) - 1)); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 613| 0| } 614| 0| } 615| | 616| 1| } 617| 18| } else { 618| 18| x += 6; 619| 18| } 620| | 621| 19| if((data_len = getNameLength(x, packet->payload, packet->payload_packet_len)) == 0) { ------------------ | Branch (621:10): [True: 0, False: 19] ------------------ 622| 0| return -1; 623| 0| } else 624| 19| x += data_len; 625| 19| } 626| 15| } 627| | 628| 2| return x; 629| 15|} dns.c:keep_extra_dissection: 688| 3.29k|{ 689| | /* As a general rule, we wait for a valid response 690| | (in the ideal world, we want to process the request/response pair) */ 691| 3.29k| return !(!flow->protos.dns.is_query && flow->protos.dns.num_answers != 0); ------------------ | Branch (691:12): [True: 1.39k, False: 1.90k] | Branch (691:42): [True: 1.38k, False: 9] ------------------ 692| 3.29k|} dns.c:search_dns_again: 696| 996|static int search_dns_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 697| 996| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 698| | 699| 996| if(packet->tcp_retransmission || packet->payload_packet_len == 0) ------------------ | Branch (699:6): [True: 0, False: 996] | Branch (699:36): [True: 0, False: 996] ------------------ 700| 0| return keep_extra_dissection(flow); 701| | 702| | /* possibly dissect the DNS reply */ 703| 996| search_dns(ndpi_struct, flow); 704| | 705| 996| return keep_extra_dissection(flow); 706| 996|} init_dnscrypt_dissector: 71| 7.08k|{ 72| 7.08k| ndpi_register_dissector("DNScrypt", ndpi_struct, 73| 7.08k| ndpi_search_dnscrypt, 74| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 75| 7.08k| 1, NDPI_PROTOCOL_DNSCRYPT); 76| 7.08k|} dnscrypt.c:ndpi_search_dnscrypt: 36| 27.3k|{ 37| 27.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| 27.3k| static char const * const dnscrypt_initial = "2\rdnscrypt"; 39| | 40| 27.3k| NDPI_LOG_DBG(ndpi_struct, "search dnscrypt\n"); ------------------ | | 596| 27.3k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 41| | 42| | /* dnscrypt protocol version 1: check magic */ 43| 27.3k| if (packet->payload_packet_len >= 64 && ------------------ | Branch (43:7): [True: 6.32k, False: 21.0k] ------------------ 44| 6.32k| strncmp((char*)packet->payload, "r6fnvWj8", strlen("r6fnvWj8")) == 0) ------------------ | Branch (44:7): [True: 2, False: 6.32k] ------------------ 45| 2| { 46| 2| ndpi_int_dnscrypt_add_connection(ndpi_struct, flow); 47| 2| return; 48| 2| } 49| | 50| | /* dnscrypt protocol version 1 and 2: resolver ping */ 51| 27.3k| if (packet->payload_packet_len > 13 + strlen(dnscrypt_initial) && ------------------ | Branch (51:7): [True: 16.7k, False: 10.6k] ------------------ 52| 16.7k| strncasecmp((char*)packet->payload + 13, dnscrypt_initial, strlen(dnscrypt_initial)) == 0) ------------------ | Branch (52:7): [True: 4, False: 16.7k] ------------------ 53| 4| { 54| 4| ndpi_int_dnscrypt_add_connection(ndpi_struct, flow); 55| 4| return; 56| 4| } 57| | 58| 27.3k| if ((flow->packet_direction_counter[packet->packet_direction] >= 1 && ------------------ | Branch (58:8): [True: 27.3k, False: 0] ------------------ 59| 27.3k| flow->packet_direction_counter[1 - packet->packet_direction] >= 1) || ------------------ | Branch (59:8): [True: 1.11k, False: 26.2k] ------------------ 60| 26.2k| flow->packet_counter >= 8) { ------------------ | Branch (60:7): [True: 756, False: 25.4k] ------------------ 61| | /* 62| | * Wait for at least one packet per direction, up to a max 63| | * Required as we need to wait for the server response which contains the ASCII pattern below. 
64| | */ 65| 1.87k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.87k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 1.87k| return; 67| 1.87k| } 68| 27.3k|} dnscrypt.c:ndpi_int_dnscrypt_add_connection: 30| 6|{ 31| 6| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DNSCRYPT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 32| 6|} init_dofus_dissector: 58| 7.08k|{ 59| 7.08k| ndpi_register_dissector("Dofus", ndpi_struct, 60| 7.08k| ndpi_search_dofus, 61| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 62| 7.08k| 1, NDPI_PROTOCOL_DOFUS); 63| 7.08k|} dofus.c:ndpi_search_dofus: 39| 13.4k|{ 40| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 41| | 42| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search dofus\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 43| | 44| | /* Dofus 3 */ 45| 13.4k| if(ntohs(flow->c_port) == 5555 || ntohs(flow->s_port) == 5555) { ------------------ | Branch (45:6): [True: 0, False: 13.4k] | Branch (45:37): [True: 0, False: 13.4k] ------------------ 46| 0| if(packet->payload_packet_len > 3 && ------------------ | Branch (46:8): [True: 0, False: 0] ------------------ 47| 0| packet->payload[0] + 1 == packet->payload_packet_len && ------------------ | Branch (47:8): [True: 0, False: 0] ------------------ 48| 0| packet->payload[1] == 0x0a && ------------------ | Branch (48:8): [True: 0, False: 0] ------------------ 49| 0| packet->payload[2] + 2 == packet->payload[0]) { ------------------ | Branch (49:8): [True: 0, False: 0] ------------------ 50| 0| ndpi_dofus_add_connection(ndpi_struct, flow); 51| 0| } 52| 0| } 53| | 54| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 13.4k|} init_drda_dissector: 94| 7.08k|{ 95| 7.08k| ndpi_register_dissector("DRDA", ndpi_struct, 96| 7.08k| ndpi_search_drda, 97| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 98| 7.08k| 1, NDPI_PROTOCOL_DRDA); 99| 7.08k|} drda.c:ndpi_search_drda: 39| 13.3k|{ /* Detects DRDA on TCP: the payload must hold at least one struct ndpi_drda_hdr whose length equals length2 + 6 and whose magic is 0xd0; when the payload is longer than that first length, further headers are walked and the walk must end exactly at payload_len. Every failure reaches no_drda and excludes the dissector. */ 40| 13.3k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 41| 13.3k| u_int16_t payload_len = packet->payload_packet_len; 42| 13.3k| u_int count = 0; // prevent integer overflow 43| | 44| 13.3k| NDPI_LOG_DBG(ndpi_struct, "search DRDA\n"); ------------------ | | 596| 13.3k|# define 
NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 13.3k| if(packet->tcp != NULL) { ------------------ | Branch (46:6): [True: 13.3k, False: 0] ------------------ 47| | 48| | /* check port -- NOTE(review): no port is compared here; the test below only ensures the payload holds one full struct ndpi_drda_hdr before it is cast */ 49| 13.3k| if(payload_len >= sizeof(struct ndpi_drda_hdr)) { ------------------ | Branch (49:8): [True: 12.5k, False: 876] ------------------ 50| | 51| 12.5k| struct ndpi_drda_hdr * drda = (struct ndpi_drda_hdr *) packet->payload; 52| | 53| 12.5k| u_int16_t len = ntohs(drda->length); 54| | 55| | /* check first header */ 56| 12.5k| if(len != ntohs(drda->length2) + 6 || ------------------ | Branch (56:10): [True: 12.5k, False: 3] ------------------ 57| 3| drda->magic != 0xd0) ------------------ | Branch (57:3): [True: 3, False: 0] ------------------ 58| 12.5k| goto no_drda; 59| | 60| | /* check if there are more drda headers */ 61| 0| if(payload_len > len) { ------------------ | Branch (61:10): [True: 0, False: 0] ------------------ 62| | 63| 0| count = len; 64| | /* NOTE(review): every accepted header has len == length2 + 6, so len >= 6 and count always advances; the bound count + sizeof(struct ndpi_drda_hdr) < payload_len keeps the header read below inside the payload. The counters show lines 61-82 were never executed in this run (the first-header check rejected all 12.5k inputs), so this walk is not exercised by the corpus. */ 65| 0| while(count + sizeof(struct ndpi_drda_hdr) < payload_len) ------------------ | Branch (65:8): [True: 0, False: 0] ------------------ 66| 0| { 67| | /* update info */ 68| 0| drda = (struct ndpi_drda_hdr *)(packet->payload + count); 69| 0| len = ntohs(drda->length); 70| | 71| 0| if(len != ntohs(drda->length2) + 6 || ------------------ | Branch (71:7): [True: 0, False: 0] ------------------ 72| 0| drda->magic != 0xd0) ------------------ | Branch (72:7): [True: 0, False: 0] ------------------ 73| 0| goto no_drda; 74| | 75| 0| count += len; 76| 0| } 77| 0| if(count != payload_len) goto no_drda; ------------------ | Branch (77:5): [True: 0, False: 0] ------------------ 78| 0| } 79| 0| NDPI_LOG_INFO(ndpi_struct, "found DRDA\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 80| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DRDA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 81| 0| return; 82| 0| } 83| 13.3k| } 84| | 85| 13.3k| no_drda: 86| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 87| 13.3k|} init_dropbox_dissector: 78| 7.08k|{ 79| 7.08k| ndpi_register_dissector("DROPBOX", ndpi_struct, 80| 7.08k| ndpi_search_dropbox, 81| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 82| 7.08k| 1, NDPI_PROTOCOL_DROPBOX); 83| 7.08k|} dropbox.c:ndpi_search_dropbox: 70| 4.45k|{ 71| 4.45k| NDPI_LOG_DBG(ndpi_struct, "search dropbox\n"); ------------------ | | 596| 4.45k|# define NDPI_LOG_DBG(mod, 
args...) { (void)mod; /* printf(args); */ } ------------------ 72| | 73| 4.45k| ndpi_check_dropbox(ndpi_struct, flow); 74| 4.45k|} dropbox.c:ndpi_check_dropbox: 41| 4.45k|{ 42| 4.45k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| 4.45k| u_int32_t payload_len = packet->payload_packet_len; 44| 4.45k| u_int16_t dropbox_port = htons(DB_LSP_PORT); 45| | 46| 4.45k| if(packet->udp->dest == dropbox_port) { ------------------ | Branch (46:6): [True: 0, False: 4.45k] ------------------ 47| 0| if(packet->udp->source == dropbox_port) { ------------------ | Branch (47:8): [True: 0, False: 0] ------------------ 48| 0| if(payload_len > 10) { ------------------ | Branch (48:10): [True: 0, False: 0] ------------------ 49| 0| if(ndpi_strnstr((const char *)packet->payload, "\"host_int\"", payload_len) != NULL) { ------------------ | Branch (49:12): [True: 0, False: 0] ------------------ 50| 0| NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 51| 0| ndpi_int_dropbox_add_connection(ndpi_struct, flow); 52| 0| return; 53| 0| } 54| 0| } 55| 0| } else { 56| 0| if(payload_len > 10) { ------------------ | Branch (56:10): [True: 0, False: 0] ------------------ 57| 0| if(ndpi_strnstr((const char *)packet->payload, "Bus17Cmd", payload_len) != NULL) { ------------------ | Branch (57:12): [True: 0, False: 0] ------------------ 58| 0| NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 59| 0| ndpi_int_dropbox_add_connection(ndpi_struct, flow); 60| 0| return; 61| 0| } 62| 0| } 63| 0| } 64| 0| } 65| | 66| 4.45k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.45k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 4.45k|} init_eaq_dissector: 83| 7.08k|{ 84| 7.08k| ndpi_register_dissector("EAQ", ndpi_struct, 85| 7.08k| ndpi_search_eaq, 86| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 87| 7.08k| 1, NDPI_PROTOCOL_EAQ); 88| 7.08k|} eaq.c:ndpi_search_eaq: 44| 3.42k|static void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 45| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 46| 3.42k| u_int16_t sport = 
ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); 47| | 48| 3.42k| NDPI_LOG_DBG(ndpi_struct, "search eaq\n"); ------------------ | | 596| 3.42k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| 3.42k| do { 51| 3.42k| if( (packet->payload_packet_len != EAQ_DEFAULT_SIZE) || ------------------ | | 36| 3.42k|#define EAQ_DEFAULT_SIZE 16 ------------------ | Branch (51:9): [True: 3.41k, False: 9] ------------------ 52| 9| ((sport != EAQ_DEFAULT_PORT) && (dport != EAQ_DEFAULT_PORT)) ) ------------------ | | 35| 9|#define EAQ_DEFAULT_PORT 6000 ------------------ ((sport != EAQ_DEFAULT_PORT) && (dport != EAQ_DEFAULT_PORT)) ) ------------------ | | 35| 9|#define EAQ_DEFAULT_PORT 6000 ------------------ | Branch (52:10): [True: 9, False: 0] | Branch (52:41): [True: 9, False: 0] ------------------ 53| 3.42k| break; 54| | 55| 0| u_int32_t seq = (packet->payload[0] * 1000) + (packet->payload[1] * 100) + (packet->payload[2] * 10) + packet->payload[3]; 56| | 57| 0| if(flow->l4.udp.eaq_pkt_id == 0) ------------------ | Branch (57:10): [True: 0, False: 0] ------------------ 58| 0| flow->l4.udp.eaq_sequence = seq; 59| 0| else { 60| 0| if( (flow->l4.udp.eaq_sequence != seq) && ------------------ | Branch (60:13): [True: 0, False: 0] ------------------ 61| 0| ((flow->l4.udp.eaq_sequence+1) != seq)) ------------------ | Branch (61:6): [True: 0, False: 0] ------------------ 62| 0| break; 63| 0| else 64| 0| flow->l4.udp.eaq_sequence = seq; 65| 0| } 66| | 67| 0| if(++flow->l4.udp.eaq_pkt_id == 4) { ------------------ | Branch (67:10): [True: 0, False: 0] ------------------ 68| | /* We have collected enough packets so we assume it's EAQ */ 69| 0| NDPI_LOG_INFO(ndpi_struct, "found eaq\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 70| 0| ndpi_int_eaq_add_connection(ndpi_struct, flow); 71| 0| return; 72| 0| } else 73| 0| return; 74| | 75| 0| } while(0); ------------------ | Branch (75:11): [Folded, False: 0] ------------------ 76| | 77| 3.42k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.42k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 78| | 79| 3.42k|} init_easyweather_dissector: 56| 7.08k|{ 57| 7.08k| ndpi_register_dissector("EasyWeather", ndpi_struct, 58| 7.08k| ndpi_search_easyweather, 59| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 60| 7.08k| 1, NDPI_PROTOCOL_EASYWEATHER); 61| 7.08k|} easyweather.c:ndpi_search_easyweather: 40| 3.32k|{ 41| 3.32k| struct ndpi_packet_struct * const packet = 
&ndpi_struct->packet; 42| | 43| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search EasyWeather Protocol\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 3.32k| if (packet->payload_packet_len < 5 || ------------------ | Branch (45:7): [True: 124, False: 3.20k] ------------------ 46| 3.32k| ntohl(get_u_int32_t(packet->payload, 0)) != 0xFFFF1200) ------------------ | Branch (46:7): [True: 3.20k, False: 0] ------------------ 47| 3.32k| { 48| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 3.32k| return; 50| 3.32k| } 51| | 52| 0| ndpi_int_easyweather_add_connection(ndpi_struct, flow); 53| 0|} init_edonkey_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("eDonkey", ndpi_struct, 64| 7.08k| ndpi_search_edonkey, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_EDONKEY); 67| 7.08k|} edonkey.c:ndpi_search_edonkey: 36| 13.4k|static void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 37| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| 13.4k| u_int8_t protocol; 39| 13.4k| u_int32_t message_length; 40| | 41| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search EDONKEY\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 42| | 43| 13.4k| if(packet->payload_packet_len > 5) { ------------------ | Branch (43:6): [True: 12.7k, False: 760] ------------------ 44| 12.7k| protocol = packet->payload[0]; 45| | /* 0xE3: Edonkey, 0xC5: eMule extensions, 0xD4: eMule compressed */ 46| 12.7k| if(protocol != 0xE3 && protocol != 0xC5 && protocol != 0xD4) { ------------------ | Branch (46:8): [True: 12.7k, False: 6] | Branch (46:28): [True: 12.7k, False: 3] | Branch (46:48): [True: 12.7k, False: 10] ------------------ 47| 12.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 48| 12.7k| return; 49| 12.7k| } 50| 19| message_length = packet->payload_packet_len - 5; 51| 19| if(message_length == le32toh(get_u_int32_t(packet->payload, 1))) { ------------------ | Branch (51:8): [True: 0, False: 19] ------------------ 52| 0| ndpi_int_edonkey_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 19| } 56| | 57| 779| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 779|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 779|} init_egd_dissector: 56| 7.08k|{ 57| 7.08k| ndpi_register_dissector("EthernetGlobalData", ndpi_struct, 58| 7.08k| ndpi_search_egd, 59| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, ------------------ | | 631| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 617| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | 
------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 60| 7.08k| 1, NDPI_PROTOCOL_EGD); 61| 7.08k|} egd.c:ndpi_search_egd: 35| 3.04k|{ /* Marks the flow as NDPI_PROTOCOL_EGD when the payload is longer than 32 bytes, its first 16-bit word is 0x0D01, the 32-bit word at offset 4 equals packet->iph->saddr, the word at offset 24 is below 31 and the word at offset 28 is zero; every other path excludes this dissector. */ 36| 3.04k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 37| | 38| 3.04k| NDPI_LOG_DBG(ndpi_struct, "search Ethernet Global Data\n"); ------------------ | | 596| 3.04k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 3.04k| if (packet->payload_packet_len > 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0D01) ------------------ | Branch (40:7): [True: 2.63k, False: 415] | Branch (40:42): [True: 2, False: 2.63k] ------------------ 41| 2| { /* NOTE(review): the length test above (> 32) covers the highest read below, bytes 28..31. get_u_int32_t expands to a u_int32_t load through a cast byte pointer, so it assumes the target tolerates that load at whatever alignment packet->payload has - confirm for strict-alignment builds. packet->iph is dereferenced without a NULL test; presumably the NDPI_SELECTION_BITMASK_PROTOCOL_IP bit used at registration keeps non-IPv4 packets away - verify against the caller. The counters show the ProducerID comparison was never true in this run, so lines 44-49 are not exercised by the corpus. */ 42| 2| if (get_u_int32_t(packet->payload, 4) == packet->iph->saddr && /* ProducerID */ ------------------ | | 137| 2|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (42:9): [True: 0, False: 2] ------------------ 43| 2| ntohl(get_u_int32_t(packet->payload, 24)) < 31 && /* Status */ ------------------ | Branch (43:9): [True: 0, False: 0] ------------------ 44| 0| get_u_int32_t(packet->payload, 28) == 0) /* Reserved */ ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (44:9): [True: 0, False: 0] ------------------ 45| 0| { 46| 0| NDPI_LOG_INFO(ndpi_struct, "found Ethernet Global Data\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 47| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EGD, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 48| 0| return; 49| 0| } 50| 2| } 51| | 52| 3.04k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.04k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 3.04k|} init_elasticsearch_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("Elasticsearch", ndpi_struct, 77| 7.08k| ndpi_search_elasticsearch, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_ELASTICSEARCH); 80| 7.08k|} elastic_search.c:ndpi_search_elasticsearch: 44| 11.7k|{ /* Accepts the flow as Elasticsearch when the payload is at least 6 bytes, starts with the 16-bit value 0x4553 (ASCII ES) and the 32-bit length read at offset 2, plus 6, does not exceed the payload length; every other path excludes this dissector. */ 45| 11.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| 11.7k| u_int32_t message_length; 47| | 48| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search elasticsearch\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| 11.7k| if (packet->payload_packet_len < 6) ------------------ | Branch (50:7): [True: 755, False: 10.9k] ------------------ 51| 755| { 52| 755| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 755|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 755| return; 54| 755| } 55| | 56| 10.9k| if (ntohs(get_u_int16_t(packet->payload, 0)) != 0x4553 /* "ES" */) ------------------ | Branch (56:7): [True: 10.9k, False: 0] ------------------ 57| 10.9k| { 58| 10.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 10.9k| return; 60| 10.9k| } 61| | /* NOTE(review): message_length is u_int32_t and comes straight from the packet, so message_length + 6 wraps in 32-bit unsigned arithmetic (0xFFFFFFFA + 6 == 0); the check on line 63 then passes and a short payload is labelled Elasticsearch. Since payload_packet_len >= 6 is already established above, comparing as message_length > (u_int32_t)(packet->payload_packet_len - 6) avoids the wrap. The counters show lines 62-70 were never executed in this run (the ES magic check rejected all 10.9k inputs), so this path is not exercised by the corpus. */ 62| 0| message_length = ntohl(get_u_int32_t(packet->payload, 2)); 63| 0| if (packet->payload_packet_len < message_length + 6) ------------------ | Branch (63:7): [True: 0, False: 0] ------------------ 64| 0| { 65| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, 
flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 0| return; 67| 0| } 68| | 69| 0| ndpi_int_elasticsearch_add_connection(ndpi_struct, flow); 70| 0|} init_epicgames_dissector: 78| 7.08k|{ 79| 7.08k| ndpi_register_dissector("EpicGames", ndpi_struct, 80| 7.08k| ndpi_search_epicgames, 81| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 82| 7.08k| 1, NDPI_PROTOCOL_EPICGAMES); 83| 7.08k|} epicgames.c:ndpi_search_epicgames: 41| 3.36k|{ 42| 3.36k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| | 44| 3.36k| NDPI_LOG_DBG(ndpi_struct, "searching EpicGames (stage %d dir %d)\n", ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| 3.36k| flow->l4.udp.epicgames_stage, packet->packet_direction); 46| | 47| 3.36k| if(flow->packet_counter == 1) { /* first packet of the flow: look for the opening pattern and remember it for the reply check */ ------------------ | Branch (47:6): [True: 3.36k, False: 0] ------------------ 48| 3.36k| if(packet->payload_packet_len >= 34 && /* the 34-byte minimum covers the furthest read below: 8 bytes at offset 26 */ ------------------ | Branch (48:8): [True: 2.85k, False: 502] ------------------ 49| 2.85k| ((ntohl(get_u_int32_t(packet->payload, 0)) & 0x08) == 0) && ------------------ | Branch (49:8): [True: 1.42k, False: 1.43k] ------------------ 50| 1.42k| get_u_int64_t(packet->payload, 10) == 0 && /* NOTE(review): get_u_int64_t is a pointer cast and dereference (see the macro expansion that follows), so the 8-byte loads at offsets 10, 18 and 26 are naturally aligned only for particular payload addresses; the payload alignment is not visible here. A memcpy-based read would not depend on it. */ ------------------ | | 148| 1.42k|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (50:8): [True: 20, False: 1.40k] ------------------ 51| 20| get_u_int64_t(packet->payload, 18) == 0 && ------------------ | | 148| 20|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (51:8): [True: 8, False: 12] ------------------ 52| 8| get_u_int64_t(packet->payload, 26) == 0) { ------------------ | | 148| 8|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (52:8): [True: 2, False: 6] ------------------ 53| 2| flow->l4.udp.epicgames_stage = 1 + packet->packet_direction; 54| 2| flow->l4.udp.epicgames_word = ntohl(get_u_int32_t(packet->payload, 0)); 55| 2| return; 56| 3.35k| } else { 57| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 3.35k| return; 59| 3.35k| } 60| 3.36k| } else if(flow->l4.udp.epicgames_stage == 2 - packet->packet_direction) { /* NOTE(review): Branch (47:6) shows packet_counter == 1 on every call in this run, so this second-stage check and the exclusion at lines 71-74 have no coverage. */ ------------------ | Branch (60:13): [True: 0, False: 0] ------------------ 61| 0| if(packet->payload_packet_len > 4 && ------------------ | Branch (61:8): [True: 0, False: 0] ------------------ 62| 0| (flow->l4.udp.epicgames_word | 0x08) == 
ntohl(get_u_int32_t(packet->payload, 0))) { ------------------ | Branch (62:8): [True: 0, False: 0] ------------------ 63| 0| ndpi_int_epicgames_add_connection(ndpi_struct, flow); 64| 0| return; 65| 0| } else { 66| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 0| return; 68| 0| } 69| 0| } 70| | 71| 0| if(flow->packet_counter >= 4) { ------------------ | Branch (71:6): [True: 0, False: 0] ------------------ 72| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 0| return; 74| 0| } 75| 0|} init_ethereum_dissector: 154| 7.08k|{ 155| 7.08k| ndpi_register_dissector("Ethereum", ndpi_struct, 156| 7.08k| ndpi_search_ethereum, 157| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 158| 7.08k| 1, NDPI_PROTOCOL_ETHEREUM); 159| 7.08k|} ethereum.c:ndpi_search_ethereum: 141| 15.0k| struct ndpi_flow_struct *flow) { 142| 15.0k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 143| | 144| 15.0k| if(packet->tcp) /* dispatch is on packet->tcp alone: every call without a TCP header goes to the UDP handler */ ------------------ | Branch (144:6): [True: 11.7k, False: 3.35k] ------------------ 145| 11.7k| ndpi_search_ethereum_tcp(ndpi_struct, flow); 146| 3.35k| else 147| 3.35k| ndpi_search_ethereum_udp(ndpi_struct, flow); 148| 15.0k|} ethereum.c:ndpi_search_ethereum_tcp: 101| 11.7k| struct ndpi_flow_struct *flow) { /* TCP heuristic: either a 301-599 byte payload with byte 2 equal to 0x04 sent to ports 30300-30305, or a payload containing an opening brace together with one of two JSON key strings; anything else excludes this dissector. */ 102| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 103| | 104| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search ETHEREUM TCP\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 105| | 106| | /* Check connection over TCP */ 107| 11.7k| if(packet->payload_packet_len > 10) { ------------------ | Branch (107:6): [True: 10.8k, False: 884] ------------------ 108| 10.8k| if((packet->payload_packet_len > 300) ------------------ | Branch (108:8): [True: 1.31k, False: 9.52k] ------------------ 109| 1.31k| && (packet->payload_packet_len < 600) ------------------ | Branch (109:11): [True: 897, False: 414] ------------------ 110| 897| && (packet->payload[2] == 0x04)) { /* NOTE(review): a packet that passes this size and byte test but is not addressed to ports 30300-30305 never reaches the JSON checks in the else-if below; it falls through to the exclusion at line 135. */ ------------------ | Branch (110:11): [True: 2, False: 895] ------------------ 111| 2| if(ndpi_is_ether_port(ntohs(packet->tcp->dest)) /* Ethereum port */) { ------------------ | Branch (111:10): [True: 0, False: 2] ------------------ 112| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHEREUM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 113| 0| ndpi_ether_cache_connection(ndpi_struct, flow); 114| 0| return; 115| 0| } 116| 10.8k| } else if(ndpi_strnstr((const char *)packet->payload, "{", packet->payload_packet_len) /* each search is given payload_packet_len as its limit; presumably ndpi_strnstr does not read past it (helper not shown) */ ------------------ | Branch (116:15): [True: 563, False: 10.2k] ------------------ 117| 563| && ( 118| 563| ndpi_strnstr((const char *)packet->payload, "\"eth1.0\"", packet->payload_packet_len) ------------------ | Branch (118:5): [True: 1, False: 562] ------------------ 119| 562| || ndpi_strnstr((const char *)packet->payload, "\"worker\":", packet->payload_packet_len) ------------------ | Branch (119:8): [True: 4, False: 558] ------------------ 120| | /* || ndpi_strnstr((const char *)packet->payload, "\"id\":", packet->payload_packet_len) - Removed as too generic */ 121| 563| )) { 122| | /* 123| | Ethereum 124| | 125| | {"worker": "eth1.0", "jsonrpc": "2.0", "params": ["0x0fccfff9e61a230ff380530c6827caf4759337c6.rig2", "x"], "id": 2, "method": "eth_submitLogin"} 126| | { "id": 2, "jsonrpc":"2.0","result":true} 127| | {"worker": "", "jsonrpc": "2.0", "params": [], "id": 3, "method": "eth_getWork"} 128| | 
*/ 129| 5| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHEREUM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); /* NOTE(review): this label rests on two substrings found anywhere in a TCP payload longer than 10 bytes, and the flow key is then written to mining_cache on the next line; confirm that a false match here is acceptable for whatever consumes that cache. */ 130| 5| ndpi_ether_cache_connection(ndpi_struct, flow); 131| 5| return; 132| 5| } 133| 10.8k| } 134| | 135| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 136| 11.7k|} ethereum.c:ndpi_is_ether_port: 94| 2|static u_int8_t ndpi_is_ether_port(u_int16_t dport) { /* Returns 1 when dport lies in 30300..30305 inclusive, otherwise 0. */ 95| 2| return(((dport >= 30300) && (dport <= 30305)) ? 1 : 0); ------------------ | Branch (95:11): [True: 1, False: 1] | Branch (95:31): [True: 0, False: 1] ------------------ 96| 2|} ethereum.c:ndpi_ether_cache_connection: 41| 5| struct ndpi_flow_struct *flow) { 42| 5| if(ndpi_struct->mining_cache) /* the cache is optional: with a NULL mining_cache nothing is stored */ ------------------ | Branch (42:6): [True: 4, False: 1] ------------------ 43| 4| ndpi_lru_add_to_cache(ndpi_struct->mining_cache, mining_make_lru_cache_key(flow), NDPI_PROTOCOL_ETHEREUM, ndpi_get_current_time(flow)); 44| 5|} ethereum.c:ndpi_search_ethereum_udp: 77| 3.35k| struct ndpi_flow_struct *flow) { 78| 3.35k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 79| | 80| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search ETHEREUM UDP\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 81| 3.35k| if((packet->iph && ((ntohl(packet->iph->daddr) & 0xFF000000) != 0xFF000000 /* 255.0.0.0 */)) /* IPv4 packets are inspected only when the first octet of the destination is not 255; IPv6 packets only when the first 32 bits of the destination differ from ff02:0000 */ ------------------ | Branch (81:7): [True: 3.07k, False: 277] | Branch (81:22): [True: 2.90k, False: 167] ------------------ 82| 3.18k| ||(packet->iphv6 && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) != 0xFF020000 /* ff02:: */))) { ------------------ | Branch (82:10): [True: 277, False: 167] | Branch (82:27): [True: 277, False: 0] ------------------ 83| 3.18k| if(ndpi_ether_is_discv4(packet) /*|| ndpi_is_discv5(packet)*/) { ------------------ | Branch (83:8): [True: 0, False: 3.18k] ------------------ 84| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHEREUM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 85| 0| ndpi_ether_cache_connection(ndpi_struct, flow); 86| 0| return; 87| 0| } 88| 3.18k| } 89| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 90| 3.35k|} ethereum.c:ndpi_ether_is_discv4: 51| 3.18k|static bool ndpi_ether_is_discv4(const struct ndpi_packet_struct *packet) { /* Returns true when a UDP payload of 99 to 1279 bytes on port 30303 (either side) carries one of the listed DISC_* packet types at offset 97. */ 52| 3.18k| u_int16_t source = ntohs(packet->udp->source); /* NOTE(review): packet->udp is dereferenced without a NULL test; ndpi_search_ethereum sends every call without a TCP header down this path, so this relies on the dissector only being invoked for TCP or UDP packets - confirm against the registration bitmask. */ 53| 3.18k| u_int16_t dest = ntohs(packet->udp->dest); 54| 3.18k| if((packet->payload_packet_len > 98) ------------------ | Branch (54:6): [True: 1.14k, False: 2.04k] ------------------ 55| 1.14k| && (packet->payload_packet_len < 1280) ------------------ | Branch (55:7): [True: 1.14k, False: 3] ------------------ 56| 1.14k| && ((source == 30303) || (dest == 30303)) /*one way to remove default port is to compute packet hash and use it for verification*/ /* NOTE(review): both port branches show True: 0, so the packet-type switch below was never executed in this run. */ ------------------ | Branch (56:8): [True: 0, False: 1.14k] | Branch (56:29): [True: 0, False: 1.14k] ------------------ 57| 3.18k| ) { 58| 0| uint8_t packet_type = packet->payload[97]; /* index 97 is in bounds: payload_packet_len > 98 was tested at line 54 */ 59| 0| switch(packet_type) { 60| 0| case 
DISC_PING: ------------------ | Branch (60:5): [True: 0, False: 0] ------------------ 61| 0| case DISC_PONG: ------------------ | Branch (61:5): [True: 0, False: 0] ------------------ 62| 0| case DISC_FINDNODE: ------------------ | Branch (62:5): [True: 0, False: 0] ------------------ 63| 0| case DISC_NEIGHBOURS: ------------------ | Branch (63:5): [True: 0, False: 0] ------------------ 64| 0| case DISC_ENRREQUEST: ------------------ | Branch (64:5): [True: 0, False: 0] ------------------ 65| 0| case DISC_ENRRESPONSE: ------------------ | Branch (65:5): [True: 0, False: 0] ------------------ 66| 0| return true; 67| 0| default: ------------------ | Branch (67:5): [True: 0, False: 0] ------------------ 68| 0| return false; 69| 0| } 70| 0| } 71| 3.18k| return false; 72| 3.18k|} init_ethernet_ip_dissector: 63| 7.08k|void init_ethernet_ip_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 64| 7.08k| ndpi_register_dissector("EthernetIP", ndpi_struct, 65| 7.08k| ndpi_search_ethernet_ip, 66| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 67| 7.08k| 1, NDPI_PROTOCOL_ETHERNET_IP); 68| 7.08k|} ethernet_ip.c:ndpi_search_ethernet_ip: 36| 11.7k| struct ndpi_flow_struct *flow) { /* Labels a TCP flow as EtherNet/IP when either port is 44818 and the little-endian 16-bit length at offset 2, plus 24, equals the payload length; otherwise excludes this dissector. */ 37| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| | 39| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search for ETHERNET_IP\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 11.7k| if(packet->tcp != NULL) { ------------------ | Branch (41:6): [True: 11.7k, False: 0] ------------------ 42| 11.7k| NDPI_LOG_DBG2(ndpi_struct, "calculating ETHERNET_IP over tcp\n"); ------------------ | | 597| 11.7k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 43| | 44| 11.7k| if(packet->payload_packet_len >= 24) { ------------------ | Branch (44:8): [True: 6.87k, False: 4.86k] ------------------ 45| 6.87k| u_int16_t eth_ip_port = ntohs(44818); /* the constant is byte-swapped once here so it can be compared directly with the raw tcp->source and tcp->dest fields below - presumably those are in network byte order */ 46| | 47| 6.87k| if((packet->tcp->source == eth_ip_port) || (packet->tcp->dest == eth_ip_port)) { ------------------ | Branch (47:10): [True: 0, False: 6.87k] | Branch (47:50): [True: 1, False: 6.87k] ------------------ 48| 1| u_int16_t len = le16toh(*((u_int16_t *)&packet->payload[2])); /* Little endian */ /* NOTE(review): offset 2 is inside the 24-byte minimum tested at line 44. The value is loaded through a u_int16_t pointer cast, so the load relies on the payload address being 2-byte aligned, which is not visible here. In len+24 the u_int16_t is promoted to int, so with a 32-bit int the sum cannot wrap. */ 49| | 50| 1| if((len+24) == packet->payload_packet_len) { /* NOTE(review): True: 0 - the accept path below was never executed in this run. */ ------------------ | Branch (50:5): [True: 0, False: 1] ------------------ 51| 0| NDPI_LOG_INFO(ndpi_struct, "found ethernet_ip\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_ethernet_ip_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 1| } 56| 6.87k| } 57| 11.7k| } 58| | 59| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); /* No luck this time */ ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 11.7k|} init_ethersbus_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("Ether-S-Bus", ndpi_struct, 66| 7.08k| ndpi_search_ethersbus, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_ETHERSBUS); 69| 7.08k|} ethersbus.c:ndpi_search_ethersbus: 43| 3.35k|{ /* Labels the flow as Ether-S-Bus when the 32-bit length word at offset 0 equals the payload length, two header bytes are in range, and the trailing 16 bits match a CRC16/XMODEM of the preceding bytes; otherwise excludes this dissector. */ 44| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 45| | 46| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search Ether-S-Bus\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 3.35k| if ((packet->payload_packet_len > 12) && /* more than 12 bytes keeps payload_packet_len-2 positive and covers offsets 0-5 read below */ ------------------ | Branch (48:7): [True: 3.17k, False: 178] ------------------ 49| 3.17k| (ntohl(get_u_int32_t(packet->payload,0)) == packet->payload_packet_len) && /* NOTE(review): True: 0 - no input in this run carried a matching length word, so the CRC comparison below has no coverage. */ ------------------ | Branch (49:7): [True: 0, False: 3.17k] ------------------ 50| 0| (packet->payload[4] < 2) && (packet->payload[5] == 0)) ------------------ | Branch (50:7): [True: 0, False: 0] | Branch (50:35): [True: 0, False: 0] ------------------ 51| 0| { 52| 0| u_int16_t crc = ndpi_crc16_xmodem(packet->payload,packet->payload_packet_len-2); /* the CRC covers everything except the last two bytes */ 53| 0| if (get_u_int16_t(packet->payload,packet->payload_packet_len-2) == htons(crc)) /* NOTE(review): the trailing 16-bit value is read through a pointer cast at offset payload_packet_len-2 (see the macro expansion that follows), so its alignment varies with the packet length. */ ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (53:9): [True: 0, False: 0] ------------------ 54| 0| { 55| 0| ndpi_int_ethersbus_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| 0| } 59| | 60| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define 
NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 3.35k|} init_ethersio_dissector: 55| 7.08k|{ 56| 7.08k| ndpi_register_dissector("EtherSIO", ndpi_struct, 57| 7.08k| ndpi_search_ethersio, 58| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 59| 7.08k| 1, NDPI_PROTOCOL_ETHERSIO); 60| 7.08k|} ethersio.c:ndpi_search_ethersio: 34| 3.35k|{ 35| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search Ether-SIO\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 38| | 39| 3.35k| if (packet->payload_packet_len >= 20) { /* every byte inspected below (offsets 0-6) lies within this 20-byte minimum */ ------------------ | Branch (39:7): [True: 3.12k, False: 225] ------------------ 40| 3.12k| if ((memcmp(packet->payload, "ESIO", 4) == 0) && /* four-byte ASCII magic, then three fixed-range header bytes */ ------------------ | Branch (40:9): [True: 5, False: 3.12k] ------------------ 41| 5| (packet->payload[4] == 0) && (packet->payload[5] <= 0x2) && ------------------ | Branch (41:9): [True: 2, False: 3] | Branch (41:38): [True: 1, False: 1] ------------------ 42| 1| (packet->payload[6] == 0)) { /* NOTE(review): True: 0 - the detection below was never reached in this run. */ ------------------ | Branch (42:9): [True: 0, False: 1] ------------------ 43| 0| NDPI_LOG_INFO(ndpi_struct, "found EtherSIO\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHERSIO, 45| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 46| | 47| 0| return; 48| 0| } 49| 3.12k| } 50| | 51| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 3.35k|} init_fastcgi_dissector: 239| 7.08k|{ 240| 7.08k| ndpi_register_dissector("FastCGI", ndpi_struct, 241| 7.08k| ndpi_search_fastcgi, 242| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) 
| | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 243| 7.08k| 1, NDPI_PROTOCOL_FASTCGI); 244| 7.08k|} fastcgi.c:ndpi_search_fastcgi: 152| 11.7k|{ /* Validates a FastCGI record header (version 1, type within FCGI_MIN..FCGI_MAX, length fields that add up to the payload size) and, for PARAMS records, passes the packet to fcgi_parse_params before labelling the flow. */ 153| 11.7k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 154| 11.7k| struct FCGI_Header const * fcgi_hdr; 155| 11.7k| enum FCGI_Type fcgi_type; 156| 11.7k| u_int16_t content_len; 157| 11.7k| ndpi_protocol_match_result ret_match; 158| | 159| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search fastcgi\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 160| | 161| 11.7k| if (packet->payload_packet_len < sizeof(struct FCGI_Header)) /* the whole header must be present before it is overlaid on the payload at line 167 */ ------------------ | Branch (161:7): [True: 805, False: 10.9k] ------------------ 162| 805| { 163| 805| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 805|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 164| 805| return; 165| 805| } 166| | 167| 10.9k| fcgi_hdr = (struct FCGI_Header const *)&packet->payload[0]; 168| | 169| 10.9k| if (fcgi_hdr->version != 0x01) ------------------ | Branch (169:7): [True: 10.7k, False: 178] ------------------ 170| 10.7k| { 171| 10.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 172| 10.7k| return; 173| 10.7k| } 174| | 175| 178| fcgi_type = (enum FCGI_Type)fcgi_hdr->type; 176| 178| if (fcgi_type < FCGI_MIN || fcgi_type > FCGI_MAX) ------------------ | Branch (176:7): [True: 24, False: 154] | Branch (176:31): [True: 44, False: 110] ------------------ 177| 68| { 178| 68| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 68|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 179| 68| return; 180| 68| } 181| | 182| 110| content_len = ntohs(fcgi_hdr->contentLength); 183| 110| if (packet->payload_packet_len != sizeof(*fcgi_hdr) + content_len + fcgi_hdr->paddingLength) /* header, content and padding must account for the payload exactly; the sum starts from a sizeof term, so it is presumably evaluated as size_t and should not wrap (field widths are declared outside this listing). NOTE(review): False: 0 - every candidate record failed this test, so lines 189-227, including the fcgi_parse_params call, have no coverage in this run. */ ------------------ | Branch (183:7): [True: 110, False: 0] ------------------ 184| 110| { 185| 110| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 110|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 186| 110| return; 
187| 110| } 188| | 189| 0| if (fcgi_type == FCGI_PARAMS) ------------------ | Branch (189:7): [True: 0, False: 0] ------------------ 190| 0| { 191| 0| if (content_len == 0) ------------------ | Branch (191:9): [True: 0, False: 0] ------------------ 192| 0| { 193| 0| flow->max_extra_packets_to_check = 0; 194| 0| flow->extra_packets_func = NULL; 195| 0| return; 196| 0| } 197| | 198| 0| if (fcgi_parse_params(flow, packet) != 0) /* NOTE(review): fcgi_parse_params is not part of this listing; it handles the PARAMS content of the packet and shows no executions here, so a seed input with a length-consistent PARAMS record would be needed to exercise it. */ ------------------ | Branch (198:9): [True: 0, False: 0] ------------------ 199| 0| { 200| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid FastCGI PARAMS header"); 201| 0| ndpi_int_fastcgi_add_connection(ndpi_struct, flow, NULL); 202| 0| } else { 203| 0| ndpi_match_host_subprotocol(ndpi_struct, flow, 204| 0| flow->host_server_name, 205| 0| strlen(flow->host_server_name), 206| 0| &ret_match, NDPI_PROTOCOL_FASTCGI, 1); 207| 0| ndpi_check_dga_name(ndpi_struct, flow, 208| 0| flow->host_server_name, 1, 0, 0); 209| 0| if(ndpi_is_valid_hostname((char *)packet->host_line.ptr, /* NOTE(review): validity is tested on packet->host_line while the message below prints flow->host_server_name; presumably both are filled by fcgi_parse_params from the same parameter - confirm. */ ------------------ | Branch (209:10): [True: 0, False: 0] ------------------ 210| 0| packet->host_line.len) == 0) { 211| 0| char str[128]; 212| | 213| 0| snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); /* bounded by sizeof(str), so an over-long name is truncated; the name presumably originates from traffic, so consumers of the risk text should treat it as untrusted */ 214| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); 215| | 216| | /* This looks like an attack */ 217| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious hostname: attack ?"); 218| 0| } 219| 0| ndpi_int_fastcgi_add_connection(ndpi_struct, flow, &ret_match); 220| 0| } 221| 0| return; 222| 0| } 223| | 224| 0| if (flow->packet_counter > 2) ------------------ | Branch (224:7): [True: 0, False: 0] ------------------ 225| 0| { 226| | ndpi_int_fastcgi_add_connection(ndpi_struct, flow, NULL); 227| 0| } 228| 0|} init_fins_dissector: 113| 7.08k|{ 114| 7.08k| ndpi_register_dissector("FINS", ndpi_struct, 115| 7.08k| ndpi_search_fins, 116| 7.08k| 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 117| 7.08k| 1, NDPI_PROTOCOL_FINS); 118| 7.08k|} fins.c:ndpi_search_fins: 55| 15.0k|{ /* Labels the flow as FINS when a TCP payload of at least 20 bytes starts with the ASCII magic FINS, or when a UDP payload larger than struct fins_hdr passes the field-range checks below; otherwise excludes this dissector. */ 56| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 57| | 58| 15.0k| 
NDPI_LOG_DBG(ndpi_struct, "search Omron FINS\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| | 60| | /* FINS/TCP header is 20 bytes long, but it's usually followed 61| | * by 10 byte FINS header and command data 62| | */ 63| 15.0k| if (packet->tcp != NULL && packet->payload_packet_len >= 20) { ------------------ | Branch (63:7): [True: 11.6k, False: 3.35k] | Branch (63:30): [True: 7.23k, False: 4.44k] ------------------ 64| | /* The FINS/TCP header always contains the 65| | * 4 byte ASCII magic value 'FINS' 66| | */ 67| 7.23k| if (memcmp(packet->payload, "FINS", 4) == 0) { /* NOTE(review): on TCP the four magic bytes are the only content test; none of the other bytes inside the 20-byte minimum are examined before the flow is labelled. */ ------------------ | Branch (67:9): [True: 4, False: 7.23k] ------------------ 68| 4| NDPI_LOG_INFO(ndpi_struct, "found FINS over TCP\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 69| 4| ndpi_int_fins_add_connection(ndpi_struct, flow); 70| 4| return; 71| 4| } 72| 7.79k| } else if ((packet->udp != NULL) && ------------------ | Branch (72:14): [True: 3.35k, False: 4.44k] ------------------ 73| 3.35k| (packet->payload_packet_len > sizeof(struct fins_hdr))) /* strictly larger than the header, so every fins_hdr field read below lies inside the payload */ ------------------ | Branch (73:14): [True: 3.20k, False: 147] ------------------ 74| 3.20k| { 75| 3.20k| struct fins_hdr const * const fins = (struct fins_hdr *)packet->payload; 76| | 77| | /* 0x80 - command, response required 78| | * 0xC0 - response, response not required 79| | * 0xC1 - response, response required 80| | */ 81| 3.20k| if ((fins->icf != 0x80) && (fins->icf != 0xC0) && ------------------ | Branch (81:9): [True: 3.15k, False: 54] | Branch (81:32): [True: 3.13k, False: 21] ------------------ 82| 3.13k| (fins->icf != 0xC1)) ------------------ | Branch (82:9): [True: 3.08k, False: 46] ------------------ 83| 3.08k| { 84| 3.08k| goto not_fins; 85| 3.08k| } 86| | 87| 121| if ((fins->dna > 0x7F) || (fins->sna > 0x7F) || ------------------ | Branch (87:9): [True: 16, False: 105] 
| Branch (87:32): [True: 42, False: 63] ------------------ 88| 63| (fins->gct != 0x02) || (fins->rsv != 0)) ------------------ | Branch (88:9): [True: 57, False: 6] | Branch (88:32): [True: 5, False: 1] ------------------ 89| 120| { 90| 120| goto not_fins; 91| 120| } 92| | 93| 1| if ((fins->da2 == 0x00) || (fins->da2 == 0xFE) || /* da2 and sa2 must each be 0x00, 0xFE, 0xE1 or within 0x10..0x1F */ ------------------ | Branch (93:9): [True: 1, False: 0] | Branch (93:32): [True: 0, False: 0] ------------------ 94| 0| (fins->da2 == 0xE1) || ((fins->da2 >= 0x10) && ------------------ | Branch (94:9): [True: 0, False: 0] | Branch (94:33): [True: 0, False: 0] ------------------ 95| 0| (fins->da2 <= 0x1F))) ------------------ | Branch (95:9): [True: 0, False: 0] ------------------ 96| 1| { 97| 1| if ((fins->sa2 == 0x00) || (fins->sa2 == 0xFE) || ------------------ | Branch (97:11): [True: 0, False: 1] | Branch (97:34): [True: 0, False: 1] ------------------ 98| 1| (fins->sa2 == 0xE1) || ((fins->sa2 >= 0x10) && ------------------ | Branch (98:11): [True: 0, False: 1] | Branch (98:35): [True: 1, False: 0] ------------------ 99| 1| (fins->sa2 <= 0x1F))) ------------------ | Branch (99:11): [True: 0, False: 1] ------------------ 100| 0| { /* NOTE(review): the UDP accept path was never executed in this run; the only detections (4) came from the TCP magic test at line 67. */ 101| 0| NDPI_LOG_INFO(ndpi_struct, "found FINS over UDP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 102| 0| ndpi_int_fins_add_connection(ndpi_struct, flow); 103| 0| return; 104| 0| } 105| 1| } 106| 1| } 107| | 108| 15.0k|not_fins: 109| 15.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 110| 15.0k|} fins.c:ndpi_int_fins_add_connection: 46| 4|{ /* Records NDPI_PROTOCOL_FINS as the detected protocol for the flow with NDPI_CONFIDENCE_DPI. */ 47| 4| ndpi_set_detected_protocol(ndpi_struct, flow, 48| 4| NDPI_PROTOCOL_FINS, 49| 4| NDPI_PROTOCOL_UNKNOWN, 50| 4| NDPI_CONFIDENCE_DPI); 51| 4|} init_fix_dissector: 67| 7.08k|{ 68| 7.08k| ndpi_register_dissector("FIX", ndpi_struct, 69| 7.08k| ndpi_search_fix, 70| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 71| 7.08k| 1, NDPI_PROTOCOL_FIX); 72| 7.08k|} fix.c:ndpi_search_fix: 33| 13.3k|{ 34| 13.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 35| | 36| 13.3k| NDPI_LOG_DBG(ndpi_struct, "search FIX\n"); ------------------ | | 596| 13.3k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| 13.3k| if(packet->tcp && packet->payload_packet_len > 5) { ------------------ | Branch (37:6): [True: 13.3k, False: 0] | Branch (37:21): [True: 12.6k, False: 758] ------------------ 38| | // 8= 39| 12.6k| if(packet->payload[0] == 0x38 && packet->payload[1] == 0x3d) { ------------------ | Branch (39:8): [True: 11, False: 12.6k] | Branch (39:38): [True: 0, False: 11] ------------------ 40| | // FIX 41| 0| if(packet->payload[2] == 0x46 && ------------------ | Branch (41:10): [True: 0, False: 0] ------------------ 42| 0| packet->payload[3] == 0x49 && ------------------ | Branch (42:3): [True: 0, False: 0] ------------------ 43| 0| packet->payload[4] == 0x58) { ------------------ | Branch (43:3): [True: 0, False: 0] ------------------ 44| | 45| 0| NDPI_LOG_INFO(ndpi_struct, "found FIX\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 47| 0| return; 48| 0| } 49| | // 0. 
9= 50| 0| if(packet->payload[2] == 0x4f && ------------------ | Branch (50:10): [True: 0, False: 0] ------------------ 51| 0| packet->payload[3] == 0x01 && ------------------ | Branch (51:3): [True: 0, False: 0] ------------------ 52| 0| packet->payload[4] == 0x39 && ------------------ | Branch (52:3): [True: 0, False: 0] ------------------ 53| 0| packet->payload[5] == 0x3d) { ------------------ | Branch (53:3): [True: 0, False: 0] ------------------ 54| | 55| 0| NDPI_LOG_INFO(ndpi_struct, "found FIX\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 56| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 57| 0| return; 58| 0| } 59| 0| } 60| 12.6k| } 61| | 62| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 13.3k|} init_flute_dissector: 66| 7.08k|{ 67| 7.08k| ndpi_register_dissector("FLUTE", ndpi_struct, 68| 7.08k| ndpi_search_flute, 69| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | 
------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 70| 7.08k| 1, NDPI_PROTOCOL_FLUTE); 71| 7.08k|} flute.c:ndpi_search_flute: 36| 3.32k|{ 37| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 38| | 39| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search FLUTE\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 3.32k| if (packet->payload_packet_len > 250) { ------------------ | Branch (41:7): [True: 323, False: 3.00k] ------------------ 42| 323| if (packet->payload[0] != 0x10) { ------------------ | Branch (42:9): [True: 322, False: 1] ------------------ 43| 322| goto not_flute; 44| 322| } 45| | 46| 1| u_int16_t lct_hdr_len = packet->payload[2] * 4; 47| 1| if (packet->payload_packet_len <= lct_hdr_len + 43 + NDPI_STATICSTRING_LEN("payload[lct_hdr_len+4], "payload[lct_hdr_len+43], "current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 3.32k|} init_ftp_control_dissector: 251| 7.08k|void init_ftp_control_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 252| 7.08k| ndpi_register_dissector("FTP_CONTROL", ndpi_struct, 253| 7.08k| ndpi_search_ftp_control, 254| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 255| 7.08k| 1, NDPI_PROTOCOL_FTP_CONTROL); 256| 7.08k|} ftp_control.c:ndpi_search_ftp_control: 243| 28.3k| struct ndpi_flow_struct *flow) { 244| 28.3k| NDPI_LOG_DBG(ndpi_struct, "search FTP_CONTROL\n"); ------------------ | | 596| 28.3k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 245| | 246| 28.3k| ndpi_check_ftp_control(ndpi_struct, flow); 247| 28.3k|} ftp_control.c:ndpi_check_ftp_control: 137| 28.3k| struct ndpi_flow_struct *flow) { 138| 28.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 139| 28.3k| u_int32_t payload_len = packet->payload_packet_len; 140| 28.3k| u_int16_t port_25 = htons(25); 141| 28.3k| u_int16_t port_110 = htons(110); 142| 28.3k| int code; 143| | 144| | /* Exclude SMTP and POP3, which use similar commands. */ 145| 28.3k| if(packet->tcp->dest == port_25 || packet->tcp->source == port_25 || ------------------ | Branch (145:6): [True: 1, False: 28.3k] | Branch (145:38): [True: 2, False: 28.3k] ------------------ 146| 28.3k| packet->tcp->dest == port_110 || packet->tcp->source == port_110) { ------------------ | Branch (146:6): [True: 2, False: 28.3k] | Branch (146:39): [True: 1, False: 28.3k] ------------------ 147| 6| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 6|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 148| 6| return; 149| 6| } 150| | 151| | /* Break after 8 packets. */ 152| 28.3k| if(flow->packet_counter > 8) { ------------------ | Branch (152:6): [True: 769, False: 27.5k] ------------------ 153| 769| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 769|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 154| 769| return; 155| 769| } 156| | 157| | /* Check if we so far detected the protocol in the request or not. */ 158| 27.5k| if(flow->l4.tcp.ftp_control_stage == 0) { ------------------ | Branch (158:6): [True: 27.3k, False: 271] ------------------ 159| 27.3k| NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n"); ------------------ | | 597| 27.3k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 160| | 161| 27.3k| if((payload_len > 0) && ------------------ | Branch (161:8): [True: 27.3k, False: 0] ------------------ 162| 27.3k| (ndpi_handle_ftp_auth(ndpi_struct, flow, packet->payload, payload_len) || ------------------ | Branch (162:9): [True: 316, False: 26.9k] ------------------ 163| 26.9k| ndpi_match_ftp_cmd(packet->payload, payload_len) >= 0)) { ------------------ | Branch (163:9): [True: 30, False: 26.9k] ------------------ 164| 346| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 346|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 165| 346| "Possible FTP_CONTROL request detected, we will look further for the response..\n"); 166| | 167| | /* 168| | Encode the direction of the packet in the stage, so we will know when we need 169| | to look for the response packet. 170| | */ 171| 346| flow->l4.tcp.ftp_control_stage = packet->packet_direction + 1; 172| 346| } 173| 27.3k| } else { 174| 271| NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage %u: \n", flow->l4.tcp.ftp_control_stage); ------------------ | | 597| 271|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 175| | 176| | /* 177| | At first check, if this is for sure a response packet (in another direction. 178| | If not, do nothing now and return. 179| | */ 180| 271| if((flow->l4.tcp.ftp_control_stage - packet->packet_direction) == 1) { ------------------ | Branch (180:8): [True: 270, False: 1] ------------------ 181| 270| return; 182| 270| } 183| | 184| | /* This is a packet in another direction. Check if we find the proper response. 
*/ 185| 1| if((payload_len > 0) && ------------------ | Branch (185:8): [True: 1, False: 0] ------------------ 186| 1| ((code = ndpi_parse_ftp_reply_code(packet->payload, payload_len)) >= 100) && ------------------ | Branch (186:8): [True: 0, False: 1] ------------------ 187| 0| (code < 600)) { ------------------ | Branch (187:8): [True: 0, False: 0] ------------------ 188| 0| NDPI_LOG_INFO(ndpi_struct, "found FTP_CONTROL\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 189| | 190| |#ifdef FTP_DEBUG 191| | printf("%s() [user: %s][pwd: %s]\n", __FUNCTION__, 192| | flow->l4.tcp.ftp_imap_pop_smtp.username, 193| | flow->l4.tcp.ftp_imap_pop_smtp.password); 194| |#endif 195| | 196| | /* Set auth_tls only for TLS-related response codes */ 197| 0| if((code == 234 || code == 334 || ------------------ | Branch (197:11): [True: 0, False: 0] | Branch (197:26): [True: 0, False: 0] ------------------ 198| 0| code == 631 || code == 632 || code == 633) && ------------------ | Branch (198:11): [True: 0, False: 0] | Branch (198:26): [True: 0, False: 0] | Branch (198:41): [True: 0, False: 0] ------------------ 199| 0| (flow->l4.tcp.ftp_imap_pop_smtp.auth_found == 1)) { ------------------ | Branch (199:10): [True: 0, False: 0] ------------------ 200| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_tls = 1; 201| 0| } 202| | 203| | /* Set auth_failed for error responses (4xx, 5xx) */ 204| 0| if(code >= 400) { ------------------ | Branch (204:10): [True: 0, False: 0] ------------------ 205| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_failed = 1; 206| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; 207| 0| } 208| | 209| | /* Check for FTPS switch */ 210| 0| if((flow->l4.tcp.ftp_imap_pop_smtp.auth_tls == 1) && ------------------ | Branch (210:10): [True: 0, False: 0] ------------------ 211| 0| (ndpi_struct->cfg.ftp_opportunistic_tls_enabled == 1)) { ------------------ | Branch (211:10): [True: 0, False: 0] ------------------ 
212| 0| flow->host_server_name[0] = '\0'; /* Remove any data set by other dissectors (eg. SMTP) */ 213| | /* Switch classification to FTPS */ 214| 0| ndpi_set_detected_protocol(ndpi_struct, flow, 215| 0| NDPI_PROTOCOL_FTPS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 216| 0| NDPI_LOG_DBG(ndpi_struct, "Switching to [%d/%d]\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 217| 0| flow->detected_protocol_stack[0], 218| 0| flow->detected_protocol_stack[1]); 219| | /* We are done (in FTP dissector): delegating TLS... */ 220| 0| switch_extra_dissection_to_tls(ndpi_struct, flow); 221| 0| return; /* FTPS detection complete */ 222| 0| } 223| | 224| 0| if((flow->l4.tcp.ftp_imap_pop_smtp.password[0] != '\0') || ------------------ | Branch (224:10): [True: 0, False: 0] ------------------ 225| 0| (flow->l4.tcp.ftp_imap_pop_smtp.auth_done != 0)) { ------------------ | Branch (225:10): [True: 0, False: 0] ------------------ 226| | /* Credentials captured or auth finished: confirm and stop */ 227| 0| ndpi_int_ftp_control_add_connection(ndpi_struct, flow); 228| 0| } else { 229| | /* No credentials yet, reset stage for next command */ 230| 0| flow->l4.tcp.ftp_control_stage = 0; 231| 0| } 232| 1| } else { 233| 1| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 234| 1| "The reply did not seem to belong to FTP_CONTROL, resetting the stage to 0\n"); 235| 1| flow->l4.tcp.ftp_control_stage = 0; 236| 1| } 237| 1| } 238| 27.5k|} ftp_control.c:ndpi_handle_ftp_auth: 91| 27.3k| const u_int8_t *payload, size_t payload_len) { 92| 27.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 93| 27.3k| u_int16_t port_21 = htons(21); 94| | 95| 27.3k| if(payload_len < 4) return 0; ------------------ | Branch (95:6): [True: 29, False: 27.2k] ------------------ 96| | 97| 27.2k| if(ndpi_memcasecmp(payload, "USER", 4) == 0 && (payload_len == 4 || ndpi_ftp_is_delim(payload[4]))) { ------------------ | Branch (97:6): [True: 8, False: 27.2k] | Branch (97:51): [True: 0, False: 8] | Branch (97:71): [True: 1, False: 7] ------------------ 98| 1| ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.username, 99| 1| sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 5, 100| 1| payload, payload_len); 101| | 102| | /* Log risk immediately if on port 21 or protocol already confirmed */ 103| 1| if(packet->tcp->dest == port_21 || packet->tcp->source == port_21 || ------------------ | Branch (103:8): [True: 0, False: 1] | Branch (103:40): [True: 0, False: 1] ------------------ 104| 1| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_FTP_CONTROL) { ------------------ | Branch (104:8): [True: 0, False: 1] ------------------ 105| 0| char buf[64]; 106| 0| snprintf(buf, sizeof(buf), "Found FTP username (%s)", flow->l4.tcp.ftp_imap_pop_smtp.username); 107| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); 108| 0| } 109| 1| return 1; 110| 1| } 111| | 112| 27.2k| if(ndpi_memcasecmp(payload, "PASS", 4) == 0 && (payload_len == 4 || ndpi_ftp_is_delim(payload[4]))) { ------------------ | Branch (112:6): [True: 319, False: 26.9k] | Branch (112:51): [True: 0, False: 319] | Branch (112:71): [True: 315, False: 4] ------------------ 113| 315| 
ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.password, 114| 315| sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5, 115| 315| payload, payload_len); 116| 315| return 1; 117| 315| } 118| | 119| 26.9k| if(ndpi_memcasecmp(payload, "AUTH", 4) == 0 && (payload_len == 4 || ndpi_ftp_is_delim(payload[4]))) { ------------------ | Branch (119:6): [True: 46, False: 26.9k] | Branch (119:51): [True: 0, False: 46] | Branch (119:71): [True: 0, False: 46] ------------------ 120| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 1; 121| 0| return 1; 122| 0| } 123| 26.9k| return 0; 124| 26.9k|} ftp_control.c:ndpi_ftp_is_delim: 60| 1.36k|static inline int ndpi_ftp_is_delim(u_int8_t c) { 61| 1.36k| return (c == ' ' || c == '\r' || c == '\n' || c == '\t'); ------------------ | Branch (61:11): [True: 328, False: 1.03k] | Branch (61:23): [True: 3, False: 1.03k] | Branch (61:36): [True: 1, False: 1.03k] | Branch (61:49): [True: 0, False: 1.03k] ------------------ 62| 1.36k|} ftp_control.c:ndpi_match_ftp_cmd: 64| 26.9k|static int ndpi_match_ftp_cmd(const u_int8_t *payload, size_t payload_len) { 65| 26.9k| size_t i; 66| 26.9k| if(payload_len < 3) return -1; ------------------ | Branch (66:6): [True: 10, False: 26.9k] ------------------ 67| 1.59M| for(i = 0; i < FTP_CMD_COUNT; i++) { ------------------ | | 58| 1.59M|#define FTP_CMD_COUNT (sizeof(ftp_commands) / sizeof(ftp_commands[0])) ------------------ | Branch (67:14): [True: 1.56M, False: 26.9k] ------------------ 68| 1.56M| if(payload_len >= ftp_commands[i].len && ------------------ | Branch (68:8): [True: 1.56M, False: 969] ------------------ 69| 1.56M| ndpi_memcasecmp(payload, ftp_commands[i].cmd, ftp_commands[i].len) == 0) { ------------------ | Branch (69:8): [True: 1.00k, False: 1.56M] ------------------ 70| 1.00k| if(payload_len == ftp_commands[i].len || ndpi_ftp_is_delim(payload[ftp_commands[i].len])) ------------------ | Branch (70:10): [True: 14, False: 992] | Branch (70:48): [True: 16, False: 976] 
------------------ 71| 30| return (int)i; 72| 1.00k| } 73| 1.56M| } 74| 26.9k| return -1; 75| 26.9k|} ftp_control.c:ndpi_parse_ftp_reply_code: 128| 1|static int ndpi_parse_ftp_reply_code(const u_int8_t *payload, size_t payload_len) { 129| 1| if(payload_len < 3 || !isdigit(payload[0]) || !isdigit(payload[1]) || !isdigit(payload[2])) ------------------ | Branch (129:6): [True: 0, False: 1] | Branch (129:25): [True: 1, False: 0] | Branch (129:49): [True: 0, False: 0] | Branch (129:73): [True: 0, False: 0] ------------------ 130| 1| return -1; 131| 0| return (payload[0] - '0') * 100 + (payload[1] - '0') * 10 + (payload[2] - '0'); 132| 1|} init_ftp_data_dissector: 252| 7.08k|{ 253| 7.08k| ndpi_register_dissector("FTP_DATA", ndpi_struct, 254| 7.08k| ndpi_search_ftp_data, 255| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | 
------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 256| 7.08k| 1, NDPI_PROTOCOL_FTP_DATA); 257| 7.08k|} ftp_data.c:ndpi_search_ftp_data: 244| 13.4k|static void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 245| | 246| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search FTP_DATA\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 247| 13.4k| ndpi_check_ftp_data(ndpi_struct, flow); 248| 13.4k|} ftp_data.c:ndpi_check_ftp_data: 221| 13.4k|static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 222| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 223| | 224| | /* 225| | Make sure we see the beginning of the connection as otherwise we might have 226| | false positive results 227| | */ 228| 13.4k| if(ndpi_seen_flow_beginning(flow)) { ------------------ | Branch (228:6): [True: 442, False: 12.9k] ------------------ 229| 442| if((packet->payload_packet_len > 0) ------------------ | Branch (229:8): [True: 442, False: 0] ------------------ 230| 442| && (ndpi_match_file_header(ndpi_struct) ------------------ | Branch (230:12): [True: 34, False: 408] ------------------ 231| 408| || ndpi_match_ftp_data_directory(ndpi_struct) ------------------ | Branch (231:8): [True: 0, False: 408] ------------------ 232| 408| || ndpi_match_ftp_data_port(ndpi_struct) ------------------ | Branch (232:8): [True: 0, False: 408] ------------------ 233| 
442| ) 234| 442| ) { 235| 34| NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n"); ------------------ | | 595| 34|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 236| 34| ndpi_int_ftp_data_add_connection(ndpi_struct, flow); 237| 34| return; 238| 34| } 239| 442| } 240| | 241| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 242| 13.4k|} ftp_data.c:ndpi_match_file_header: 73| 442|static int ndpi_match_file_header(struct ndpi_detection_module_struct *ndpi_struct) { 74| 442| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 75| 442| u_int32_t payload_len = packet->payload_packet_len; 76| | 77| | /* A FTP packet is pretty long so 256 is a bit conservative but it should be OK */ 78| 442| if(packet->payload_packet_len < 256) ------------------ | Branch (78:6): [True: 217, False: 225] ------------------ 79| 217| return 0; 80| | 81| | /* RIFF is a meta-format for storing AVI and WAV files */ 82| 225| if(ndpi_match_strprefix(packet->payload, payload_len, "RIFF")) ------------------ | | 81| 225| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 225] | | ------------------ ------------------ 83| 0| return 1; 84| | 85| | /* Ogg files */ 86| 225| if(ndpi_match_strprefix(packet->payload, payload_len, "OggS")) ------------------ | | 81| 225| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 2, False: 223] | | ------------------ ------------------ 87| 2| return 1; 88| | 89| | /* ZIP files */ 90| 223| if((packet->payload[0] == 'P') && (packet->payload[1] == 'K') && (packet->payload[2] == 0x03) && (packet->payload[3] == 0x04)) ------------------ | Branch (90:6): [True: 1, False: 222] | Branch (90:37): [True: 
0, False: 1] | Branch (90:68): [True: 0, False: 0] | Branch (90:100): [True: 0, False: 0] ------------------ 91| 0| return 1; 92| | 93| | /* MPEG files */ 94| 223| if((packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x01) && (packet->payload[3] == 0xba)) ------------------ | Branch (94:6): [True: 42, False: 181] | Branch (94:38): [True: 40, False: 2] | Branch (94:70): [True: 4, False: 36] | Branch (94:102): [True: 0, False: 4] ------------------ 95| 0| return 1; 96| | 97| | /* RAR files */ 98| 223| if(ndpi_match_strprefix(packet->payload, payload_len, "Rar!")) ------------------ | | 81| 223| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 223] | | ------------------ ------------------ 99| 0| return 1; 100| | 101| | /* EBML */ 102| 223| if((packet->payload[0] == 0x1a) && (packet->payload[1] == 0x45) && (packet->payload[2] == 0xdf) && (packet->payload[3] == 0xa3)) ------------------ | Branch (102:6): [True: 1, False: 222] | Branch (102:38): [True: 0, False: 1] | Branch (102:70): [True: 0, False: 0] | Branch (102:102): [True: 0, False: 0] ------------------ 103| 0| return 1; 104| | 105| | /* JPG */ 106| 223| if((packet->payload[0] == 0xff) && (packet->payload[1] ==0xd8)) ------------------ | Branch (106:6): [True: 2, False: 221] | Branch (106:38): [True: 0, False: 2] ------------------ 107| 0| return 1; 108| | 109| | /* GIF */ 110| 223| if(ndpi_match_strprefix(packet->payload, payload_len, "GIF8")) ------------------ | | 81| 223| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 223] | | ------------------ ------------------ 111| 0| return 1; 112| | 113| | /* PHP scripts */ 114| 223| if((packet->payload[0] == 0x3c) && (packet->payload[1] == 0x3f) && (packet->payload[2] == 0x70) && (packet->payload[3] == 0x68)) ------------------ | Branch (114:6): [True: 48, False: 175] | 
Branch (114:38): [True: 5, False: 43] | Branch (114:70): [True: 0, False: 5] | Branch (114:102): [True: 0, False: 0] ------------------ 115| 0| return 1; 116| | 117| | /* PDFs */ 118| 223| if(ndpi_match_strprefix(packet->payload, payload_len, "%PDF")) ------------------ | | 81| 223| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 1, False: 222] | | ------------------ ------------------ 119| 1| return 1; 120| | 121| | /* PNG */ 122| 222| if((packet->payload[0] == 0x89) && (packet->payload[1] == 'P') && (packet->payload[2] == 'N') && (packet->payload[3] == 'G')) ------------------ | Branch (122:6): [True: 0, False: 222] | Branch (122:38): [True: 0, False: 0] | Branch (122:69): [True: 0, False: 0] | Branch (122:100): [True: 0, False: 0] ------------------ 123| 0| return 1; 124| | 125| | /* HTML */ 126| 222| if(ndpi_match_strprefix(packet->payload, payload_len, "payload[0] == 0x0a) && (packet->payload[1] == '<') && (packet->payload[2] == '!') && (packet->payload[3] == 'D')) ------------------ | Branch (128:6): [True: 1, False: 197] | Branch (128:38): [True: 0, False: 1] | Branch (128:69): [True: 0, False: 0] | Branch (128:100): [True: 0, False: 0] ------------------ 129| 0| return 1; 130| | 131| | /* 7zip */ 132| 198| if((packet->payload[0] == 0x37) && (packet->payload[1] == 0x7a) && (packet->payload[2] == 0xbc) && (packet->payload[3] == 0xaf)) ------------------ | Branch (132:6): [True: 3, False: 195] | Branch (132:38): [True: 2, False: 1] | Branch (132:70): [True: 0, False: 2] | Branch (132:102): [True: 0, False: 0] ------------------ 133| 0| return 1; 134| | 135| | /* gzip */ 136| 198| if((packet->payload[0] == 0x1f) && (packet->payload[1] == 0x8b) && (packet->payload[2] == 0x08)) ------------------ | Branch (136:6): [True: 1, False: 197] | Branch (136:38): [True: 0, False: 1] | Branch (136:70): [True: 0, False: 0] ------------------ 137| 0| return 1; 138| | 139| | /* XML */ 140| 198| 
if(ndpi_match_strprefix(packet->payload, payload_len, "payload, payload_len, "fLaC")) ------------------ | | 81| 198| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 198] | | ------------------ ------------------ 145| 0| return 1; 146| | 147| | /* MP3 */ 148| 198| if((packet->payload[0] == 'I') && (packet->payload[1] == 'D') && (packet->payload[2] == '3') && (packet->payload[3] == 0x03)) ------------------ | Branch (148:6): [True: 0, False: 198] | Branch (148:37): [True: 0, False: 0] | Branch (148:68): [True: 0, False: 0] | Branch (148:99): [True: 0, False: 0] ------------------ 149| 0| return 1; 150| 198| if(ndpi_match_strprefix(packet->payload, payload_len, "\xff\xfb\x90\xc0")) ------------------ | | 81| 198| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 198] | | ------------------ ------------------ 151| 0| return 1; 152| | 153| | /* RPM */ 154| 198| if((packet->payload[0] == 0xed) && (packet->payload[1] == 0xab) && (packet->payload[2] == 0xee) && (packet->payload[3] == 0xdb)) ------------------ | Branch (154:6): [True: 0, False: 198] | Branch (154:38): [True: 0, False: 0] | Branch (154:70): [True: 0, False: 0] | Branch (154:102): [True: 0, False: 0] ------------------ 155| 0| return 1; 156| | 157| | /* Wz Patch */ 158| 198| if(ndpi_match_strprefix(packet->payload, payload_len, "WzPa")) ------------------ | | 81| 198| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 198] | | ------------------ ------------------ 159| 0| return 1; 160| | 161| | /* Flash Video */ 162| 198| if((packet->payload[0] == 'F') && (packet->payload[1] == 'L') && (packet->payload[2] == 'V') && (packet->payload[3] == 0x01)) ------------------ | Branch (162:6): [True: 2, False: 196] | Branch (162:37): [True: 0, False: 2] | Branch (162:68): [True: 0, 
False: 0] | Branch (162:99): [True: 0, False: 0] ------------------ 163| 0| return 1; 164| | 165| | /* .BKF (Microsoft Tape Format) */ 166| 198| if(ndpi_match_strprefix(packet->payload, payload_len, "TAPE")) ------------------ | | 81| 198| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 198] | | ------------------ ------------------ 167| 0| return 1; 168| | 169| | /* MS Office Doc file - this is unpleasantly geeky */ 170| 198| if((packet->payload[0] == 0xd0) && (packet->payload[1] == 0xcf) && (packet->payload[2] == 0x11) && (packet->payload[3] == 0xe0)) ------------------ | Branch (170:6): [True: 1, False: 197] | Branch (170:38): [True: 0, False: 1] | Branch (170:70): [True: 0, False: 0] | Branch (170:102): [True: 0, False: 0] ------------------ 171| 0| return 1; 172| | 173| | /* ASP */ 174| 198| if((packet->payload[0] == 0x3c) && (packet->payload[1] == 0x25) && (packet->payload[2] == 0x40) && (packet->payload[3] == 0x20)) ------------------ | Branch (174:6): [True: 24, False: 174] | Branch (174:38): [True: 2, False: 22] | Branch (174:70): [True: 0, False: 2] | Branch (174:102): [True: 0, False: 0] ------------------ 175| 0| return 1; 176| | 177| | /* WMS file */ 178| 198| if((packet->payload[0] == 0x3c) && (packet->payload[1] == 0x21) && (packet->payload[2] == 0x2d) && (packet->payload[3] == 0x2d)) ------------------ | Branch (178:6): [True: 24, False: 174] | Branch (178:38): [True: 14, False: 10] | Branch (178:70): [True: 0, False: 14] | Branch (178:102): [True: 0, False: 0] ------------------ 179| 0| return 1; 180| | 181| | /* ar archive, typically .deb files */ 182| 198| if(ndpi_match_strprefix(packet->payload, payload_len, "!payload, payload_len, "payload, "jabber", packet->payload_packet_len) == NULL)) ------------------ | Branch (187:9): [True: 5, False: 0] ------------------ 188| 5| return 1; 189| | 190| 193| if(ndpi_match_strprefix(packet->payload, payload_len, "payload, 
payload_len, "SPFI")) ------------------ | | 81| 192| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 192] | | ------------------ ------------------ 195| 0| return 1; 196| | 197| | /* ABIF - Applied Biosystems */ 198| 192| if(ndpi_match_strprefix(packet->payload, payload_len, "ABIF")) ------------------ | | 81| 192| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 1, False: 191] | | ------------------ ------------------ 199| 1| return 1; 200| | 201| | /* bzip2 - other digits are also possible instead of 9 */ 202| 191| if((packet->payload[0] == 'B') && (packet->payload[1] == 'Z') && (packet->payload[2] == 'h') && (packet->payload[3] == '9')) ------------------ | Branch (202:6): [True: 1, False: 190] | Branch (202:37): [True: 0, False: 1] | Branch (202:68): [True: 0, False: 0] | Branch (202:99): [True: 0, False: 0] ------------------ 203| 0| return 1; 204| | 205| | /* Some other types of files */ 206| | 207| 191| if((packet->payload[0] == '<') && (packet->payload[1] == 'c') && (packet->payload[2] == 'f')) ------------------ | Branch (207:6): [True: 18, False: 173] | Branch (207:37): [True: 0, False: 18] | Branch (207:68): [True: 0, False: 0] ------------------ 208| 0| return 1; 209| 191| if((packet->payload[0] == '<') && (packet->payload[1] == 'C') && (packet->payload[2] == 'F')) ------------------ | Branch (209:6): [True: 18, False: 173] | Branch (209:37): [True: 1, False: 17] | Branch (209:68): [True: 0, False: 1] ------------------ 210| 0| return 1; 211| 191| if(ndpi_match_strprefix(packet->payload, payload_len, ".tem")) ------------------ | | 81| 191| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 191] | | ------------------ ------------------ 212| 0| return 1; 213| 191| if(ndpi_match_strprefix(packet->payload, payload_len, ".ite")) 
------------------ | | 81| 191| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 191] | | ------------------ ------------------ 214| 0| return 1; 215| 191| if(ndpi_match_strprefix(packet->payload, payload_len, ".lef")) ------------------ | | 81| 191| ndpi_match_prefix((payload), (payload_len), (str), (sizeof(str)-1)) | | ------------------ | | | Branch (81:3): [True: 0, False: 191] | | ------------------ ------------------ 216| 0| return 1; 217| | 218| 191| return 0; 219| 191|} ftp_data.c:ndpi_match_ftp_data_directory: /* Heuristic for a directory listing on the FTP data channel: returns 1 when the payload starts like a permission string such as "drwxr-xr-x" (a leading '-' or 'd', then three groups in which each position is the expected letter or '-'), otherwise 0. Payloads of 10 bytes or fewer return 0 without being inspected. Coverage in this run: 408 calls, and the return 1 on line 67 was never executed. */ 49| 408|static int ndpi_match_ftp_data_directory(struct ndpi_detection_module_struct *ndpi_struct) { 50| 408| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 51| 408| u_int32_t payload_len = packet->payload_packet_len; 52| | 53| 408| if(payload_len > 10) { ------------------ | Branch (53:6): [True: 397, False: 11] ------------------ 54| 397| int i; 55| | 56| 397| if(!((packet->payload[0] == '-') || (packet->payload[0] == 'd'))) ------------------ | Branch (56:10): [True: 4, False: 393] | Branch (56:41): [True: 1, False: 392] ------------------ 57| 392| return(0); 58| | /* i takes the values 0, 3 and 6, so the highest index read is payload[9]; the payload_len > 10 test on line 53 keeps that in bounds. */ 59| 10| for(i=0; i<9; i += 3) ------------------ | Branch (59:14): [True: 10, False: 0] ------------------ 60| 10| if(((packet->payload[1+i] == '-') || (packet->payload[1+i] == 'r')) ------------------ | Branch (60:11): [True: 8, False: 2] | Branch (60:44): [True: 0, False: 2] ------------------ 61| 8| && ((packet->payload[2+i] == '-') || (packet->payload[2+i] == 'w')) ------------------ | Branch (61:7): [True: 7, False: 1] | Branch (61:40): [True: 0, False: 1] ------------------ 62| 7| && ((packet->payload[3+i] == '-') || (packet->payload[3+i] == 'x'))) { ------------------ | Branch (62:7): [True: 5, False: 2] | Branch (62:40): [True: 0, False: 2] ------------------ 63| 5| ; 64| 5| } else 65| 5| return 0; 66| | /* Reached only after all three groups matched; count 0 here because the loop never ran to completion (Branch 59:14 False: 0). */ 67| 0| return 1; 68| 5| } 69| | 70| 11| return 0; 71| 408|} 
ftp_data.c:ndpi_match_ftp_data_port: /* Returns 1 when the packet has a TCP header whose source or destination port is 20, compared in network byte order via htons(); returns 0 otherwise, including when packet->tcp is NULL. Coverage in this run: 408 calls, all with a TCP header, none on port 20, so lines 43-44 were never executed. */ 37| 408|static int ndpi_match_ftp_data_port(struct ndpi_detection_module_struct *ndpi_struct) { 38| 408| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 39| | 40| | /* Check connection over TCP */ 41| 408| if(packet->tcp) { ------------------ | Branch (41:6): [True: 408, False: 0] ------------------ 42| 408| if(packet->tcp->dest == htons(20) || packet->tcp->source == htons(20)) { ------------------ | Branch (42:8): [True: 0, False: 408] | Branch (42:42): [True: 0, False: 408] ------------------ 43| 0| return 1; 44| 0| } 45| 408| } 46| 408| return 0; 47| 408|} ftp_data.c:ndpi_int_ftp_data_add_connection: /* Records the detection by calling ndpi_set_detected_protocol() with NDPI_PROTOCOL_FTP_DATA and confidence NDPI_CONFIDENCE_DPI. NOTE(review): executed 34 times although the port-20 test in ndpi_match_ftp_data_port never succeeded in this run, so these detections presumably came from the payload heuristics; the caller is not visible here, confirm. */ 33| 34|static void ndpi_int_ftp_data_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 34| 34| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_DATA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 35| 34|} init_gaijin_dissector: /* Registers ndpi_search_gaijin under the name "GaijinEntertainment" with the UDP-with-payload selection bitmask; executed 7.08k times in this run. */ 70| 7.08k|{ 71| 7.08k| ndpi_register_dissector("GaijinEntertainment", ndpi_struct, 72| 7.08k| ndpi_search_gaijin, 73| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 74| 7.08k| 1, NDPI_PROTOCOL_GAIJIN); 75| 7.08k|} gaijin_entertainment.c:ndpi_search_gaijin: /* Gaijin Entertainment detector with two independent signatures: a payload of exactly 52 bytes whose 16-bit value at offset 0 is 0x8FFF, whose byte 2 is 0 and whose 32-bit value at offset 4 is 0x82FF0001, or a payload longer than 100 bytes that starts with one of three fixed strings. A match calls ndpi_int_gaijin_add_connection(); anything else excludes the dissector for the flow. Coverage in this run: 3.34k calls; the 52-byte signature never matched (lines 51-54 have count 0) and all 17 detections came from the string prefixes. */ 42| 3.34k|{ 43| 3.34k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | 45| 3.34k| NDPI_LOG_DBG(ndpi_struct, "search Gaijin Entertainment\n"); ------------------ | | 596| 3.34k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | /* The length equality on line 47 is evaluated first, so the reads at offsets 0-7 below happen only on 52-byte payloads. */ 47| 3.34k| if (packet->payload_packet_len == 52 && ------------------ | Branch (47:7): [True: 11, False: 3.33k] ------------------ 48| 11| packet->payload[2] == 0 && ------------------ | Branch (48:7): [True: 3, False: 8] ------------------ 49| 3.34k| ntohs(get_u_int16_t(packet->payload, 0)) == 0x8FFF && ------------------ | Branch (49:7): [True: 0, False: 3] ------------------ 50| 3.34k| ntohl(get_u_int32_t(packet->payload, 4)) == 0x82FF0001) ------------------ | Branch (50:7): [True: 0, False: 0] ------------------ 51| 0| { 52| 0| ndpi_int_gaijin_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| | /* The > 100 length test on line 56 precedes the memcmp() calls, whose longest pattern is 16 bytes, so the comparisons stay inside the payload. */ 56| 3.34k| if (packet->payload_packet_len > 100) { ------------------ | Branch (56:7): [True: 1.28k, False: 2.06k] ------------------ 57| 1.28k| if (memcmp(packet->payload, "embeddedupdater.", NDPI_STATICSTRING_LEN("embeddedupdater.")) == 0 || ------------------ | | 98| 1.28k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (57:9): [True: 1, False: 1.27k] ------------------ 58| 1.27k| memcmp(packet->payload, "app.start", NDPI_STATICSTRING_LEN("app.start")) == 0 || ------------------ | | 98| 1.27k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (58:9): [True: 15, False: 1.26k] ------------------ 59| 1.26k| 
memcmp(packet->payload, "app.stage", NDPI_STATICSTRING_LEN("app.stage")) == 0) ------------------ | | 98| 1.26k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (59:9): [True: 1, False: 1.26k] ------------------ 60| 17| { 61| 17| ndpi_int_gaijin_add_connection(ndpi_struct, flow); 62| 17| return; 63| 17| } 64| 1.28k| } 65| | 66| 3.33k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.33k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 3.33k|} gaijin_entertainment.c:ndpi_int_gaijin_add_connection: /* Marks the flow as NDPI_PROTOCOL_GAIJIN with confidence NDPI_CONFIDENCE_DPI via ndpi_set_detected_protocol(); NDPI_LOG_INFO expands to an empty statement in this build. 17 calls in this run. */ 34| 17|{ 35| 17| NDPI_LOG_INFO(ndpi_struct, "found Gaijin Entertainment\n"); ------------------ | | 595| 17|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 36| 17| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GAIJIN, 37| 17| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 38| 17|} init_gearman_dissector: 54| 7.08k|{ 55| 7.08k| ndpi_register_dissector("Gearman", ndpi_struct, 56| 7.08k| ndpi_search_gearman, 57| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 58| 7.08k| 1, NDPI_PROTOCOL_GEARMAN); 59| 7.08k|} gearman.c:ndpi_search_gearman: 34| 11.6k|{ 35| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Gearman\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| | 39| 11.6k| if (packet->payload_packet_len > 12 && packet->payload[0] == 0) { ------------------ | Branch (39:7): [True: 10.4k, False: 1.22k] | Branch (39:42): [True: 997, False: 9.42k] ------------------ 40| 997| if ((memcmp(&packet->payload[1], "REQ", 3) == 0) || ------------------ | Branch (40:9): [True: 1, False: 996] ------------------ 41| 996| (memcmp(&packet->payload[1], "RES", 3) == 0)) ------------------ | Branch (41:9): [True: 2, False: 994] ------------------ 42| 3| { 43| 3| NDPI_LOG_INFO(ndpi_struct, "found Gearman\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GEARMAN, 45| 3| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 46| 3| return; 47| 3| } 48| 997| } 49| | 50| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 51| 11.6k|} init_gearup_booster_dissector: 86| 7.08k|{ 87| 7.08k| ndpi_register_dissector("GeaUP_Booster", ndpi_struct, 88| 7.08k| ndpi_search_gearup_booster, 89| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 90| 7.08k| 1, NDPI_PROTOCOL_GEARUP_BOOSTER); 91| 7.08k|} gearup_booster.c:ndpi_search_gearup_booster: 40| 3.32k|{ 41| 3.32k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 42| | 43| 3.32k| 
NDPI_LOG_DBG(ndpi_struct, "search GearUP Booster\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 3.32k| if (packet->udp->source != htons(9999) && packet->udp->dest != htons(9999)) ------------------ | Branch (45:7): [True: 3.32k, False: 0] | Branch (45:45): [True: 3.32k, False: 2] ------------------ 46| 3.32k| { 47| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 48| 3.32k| return; 49| 3.32k| } 50| | 51| 2| if (flow->packet_counter == 1) ------------------ | Branch (51:7): [True: 2, False: 0] ------------------ 52| 2| { 53| 2| if (packet->packet_direction != 0 || packet->udp->dest != htons(9999)) ------------------ | Branch (53:9): [True: 1, False: 1] | Branch (53:42): [True: 0, False: 1] ------------------ 54| 1| { 55| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 1| return; 57| 1| } 58| 2| } 59| | 60| 1| if (packet->payload_packet_len == 4) ------------------ | Branch (60:7): [True: 0, False: 1] ------------------ 61| 0| { 62| | // mobile version 63| 0| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000000) ------------------ | Branch (63:9): [True: 0, False: 0] ------------------ 64| 0| { 65| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 0| return; 67| 0| } 68| 1| } else if (packet->payload_packet_len == 8) ------------------ | Branch (68:14): [True: 0, False: 1] ------------------ 69| 0| { 70| | // desktop version 71| 0| if 
(ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000000 || ------------------ | Branch (71:9): [True: 0, False: 0] ------------------ 72| 0| packet->payload[7] != 0x00 || packet->payload[6] != 0x00 || packet->payload[5] != 0x00) ------------------ | Branch (72:9): [True: 0, False: 0] | Branch (72:39): [True: 0, False: 0] | Branch (72:69): [True: 0, False: 0] ------------------ 73| 0| { 74| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 0| return; 76| 0| } 77| 1| } else { 78| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 79| 1| return; 80| 1| } 81| | 82| 0| ndpi_int_gearup_booster_add_connection(ndpi_struct, flow); 83| 0|} init_genshin_impact_dissector: 77| 7.08k|{ 78| 7.08k| ndpi_register_dissector("GenshinImpact", ndpi_struct, 79| 7.08k| ndpi_search_genshin_impact, 80| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 81| 7.08k| 1, NDPI_PROTOCOL_GENSHIN_IMPACT); 82| 7.08k|} genshin_impact.c:ndpi_search_genshin_impact: 38| 15.1k|{ 39| 15.1k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 40| | 41| 15.1k| NDPI_LOG_DBG(ndpi_struct, "search genshin-impact\n"); ------------------ | | 596| 15.1k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 42| | 43| 15.1k| if (packet->tcp != NULL && packet->payload_packet_len >= 18) ------------------ | Branch (43:7): [True: 11.7k, False: 3.37k] | Branch (43:30): [True: 7.35k, False: 4.39k] ------------------ 44| 7.35k| { 45| 7.35k| u_int32_t pdu_len = ntohl(get_u_int32_t(packet->payload, 1)); 46| | 47| 7.35k| if (packet->payload[0] == 0x01 && pdu_len == packet->payload_packet_len && ------------------ | Branch (47:9): [True: 85, False: 7.26k] | Branch (47:39): [True: 0, False: 85] ------------------ 48| 0| (packet->payload[5] == 0x01 || packet->payload[5] == 0x07) && ------------------ | Branch (48:10): [True: 0, False: 0] | Branch (48:40): [True: 0, False: 0] ------------------ 49| 7.35k| ntohs(get_u_int16_t(packet->payload, 16)) == 0x4da6) ------------------ | Branch (49:9): [True: 0, False: 0] ------------------ 50| 0| { 51| 0| NDPI_LOG_INFO(ndpi_struct, "found genshin-impact (TCP)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_genshin_impact_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 7.35k| } 56| 7.76k| else if (packet->udp != NULL) ------------------ | Branch (56:12): [True: 3.37k, False: 4.39k] ------------------ 57| 3.37k| { 58| 3.37k| if (flow->packet_counter == 1 && packet->payload_packet_len >= 20 && ------------------ | Branch (58:9): [True: 3.37k, False: 0] | Branch (58:38): [True: 3.14k, False: 225] ------------------ 59| 3.37k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x000000FF && ------------------ | Branch (59:9): [True: 3, False: 3.14k] ------------------ 60| 3.37k| ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000000 && ------------------ | Branch (60:9): [True: 0, False: 3] ------------------ 61| 3.37k| ntohl(get_u_int32_t(packet->payload, 12)) == 0x499602D2 && ------------------ | Branch (61:9): [True: 0, False: 0] ------------------ 62| 3.37k| ntohl(get_u_int32_t(packet->payload, 16)) == 0xFFFFFFFF) ------------------ | Branch (62:9): [True: 0, False: 0] ------------------ 63| 0| { 64| 0| NDPI_LOG_INFO(ndpi_struct, "found genshin-impact (UDP)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 65| 0| ndpi_int_genshin_impact_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| 3.37k| } 69| | 70| 15.1k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.1k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 71| 15.1k|} init_git_dissector: 78| 7.08k|{ 79| 7.08k| ndpi_register_dissector("Git", ndpi_struct, 80| 7.08k| ndpi_search_git, 81| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 82| 7.08k| 1, NDPI_PROTOCOL_GIT); 83| 7.08k|} git.c:ndpi_search_git: /* Git detector. Requires a TCP packet with more than 4 payload bytes and source or destination port GIT_PORT (9418), then walks the payload as a chain of records, each led by a 4-character hexadecimal length, and reports NDPI_PROTOCOL_GIT if every record parsed is acceptable; in all other cases the dissector is excluded for the flow. Coverage in this run: 13.3k calls, but neither port test on lines 39-40 was ever true, so lines 41-68 (the whole length parser) have count 0. */ 33| 13.3k|{ 34| 13.3k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 35| | 36| 13.3k| NDPI_LOG_DBG(ndpi_struct, "search Git\n"); ------------------ | | 596| 13.3k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| | 38| 13.3k| if((packet->tcp != NULL) && (packet->payload_packet_len > 4)) { ------------------ | Branch (38:6): [True: 13.3k, False: 0] | Branch (38:31): [True: 12.6k, False: 734] ------------------ 39| 12.6k| if((ntohs(packet->tcp->source) == GIT_PORT) ------------------ | | 29| 12.6k|#define GIT_PORT 9418 ------------------ | Branch (39:8): [True: 0, False: 12.6k] ------------------ 40| 12.6k| || (ntohs(packet->tcp->dest) == GIT_PORT)) { ------------------ | | 29| 12.6k|#define GIT_PORT 9418 ------------------ | Branch (40:11): [True: 0, False: 12.6k] ------------------ 41| 0| const u_int8_t * pp = packet->payload; 42| 0| u_int16_t payload_len = packet->payload_packet_len; 43| 0| u_int8_t found_git = 1; 44| 0| u_int16_t offset = 0; 45| | /* Untested in this run: the loop below consumes length fields taken from the packet, and no input with port 9418 reached it. */ 46| 0| while((offset+4) < payload_len) { ------------------ | Branch (46:13): [True: 0, False: 0] ------------------ 47| 0| char len[5]; 48| 0| u_int32_t git_pkt_len; 49| | /* Copies 4 payload bytes, NUL-terminates them and parses them as hex with sscanf("%x"); the offset+4 < payload_len test on line 46 keeps the 4-byte read inside the payload. */ 50| 0| memcpy(&len, &pp[offset], 4), len[4] = 0; 51| 0| if(sscanf(len, "%x", &git_pkt_len) != 1) { ------------------ | Branch (51:5): [True: 0, False: 0] ------------------ 52| 0| found_git = 0; 53| 0| break; 54| 0| } 55| | /* A length of 0, or one larger than the remaining payload_len, ends the scan with found_git = 0. NOTE(review): lengths 1-3, shorter than the 4-byte prefix itself, are accepted here; confirm that is intended. */ 56| 0| if((payload_len < git_pkt_len) || (git_pkt_len == 0 /* Bad */)) { ------------------ | Branch (56:5): [True: 0, False: 0] | Branch (56:36): [True: 0, False: 0] ------------------ 57| 0| found_git = 0; 58| 0| break; 
59| 0| } else 60| 0| offset += git_pkt_len, payload_len -= git_pkt_len; 61| 0| } 62| | /* NOTE(review): line 60 advances offset and also subtracts the same amount from payload_len, while line 46 compares offset+4 against that reduced payload_len, so the scan can stop before the end of the packet; confirm the intended bound. found_git stays 1 when the loop ends that way. */ 63| 0| if(found_git) { ------------------ | Branch (63:10): [True: 0, False: 0] ------------------ 64| 0| NDPI_LOG_INFO(ndpi_struct, "found Git\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 66| 0| return; 67| 0| } 68| 0| } 69| 12.6k| } 70| | 71| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 72| 13.3k|} init_glbp_dissector: 76| 7.08k|{ 77| 7.08k| ndpi_register_dissector("GLBP", ndpi_struct, 78| 7.08k| ndpi_search_glbp, 79| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 80| 7.08k| 1, NDPI_PROTOCOL_GLBP); 81| 7.08k|} glbp.c:ndpi_search_glbp: /* GLBP detector. Excludes the dissector unless the payload is at least 12 bytes, both UDP ports equal GLBP_PORT, payload[0] is 0 or 1 and the 16-bit value at offset 2 (converted with ntohs) is at most 1023; otherwise calls ndpi_int_glbp_add_connection(). Coverage in this run: 3.32k calls, all ending at the exclude label; lines 62-69 have count 0 because no packet had both ports equal to GLBP_PORT. */ 47| 3.32k|{ 48| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 49| | 50| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search GLBP\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 51| | 52| 3.32k| if (packet->payload_packet_len < 12) { ------------------ | Branch (52:7): [True: 149, False: 3.17k] ------------------ 53| 149| goto exclude; 54| 149| } 55| | /* packet->udp is dereferenced without a NULL test; presumably safe because init_glbp_dissector registers this function with the UDP-with-payload selection bitmask; confirm against the dispatcher. */ 56| 3.17k| if ((packet->udp->source != htons(GLBP_PORT)) || ------------------ | Branch (56:7): [True: 3.17k, False: 5] ------------------ 57| 5| (packet->udp->dest != htons(GLBP_PORT))) ------------------ | Branch (57:7): [True: 5, False: 0] ------------------ 58| 3.17k| { 59| 3.17k| goto exclude; 60| 3.17k| } 61| | /* The length test on line 52 runs first, so payload[0] and the 2-byte read at offset 2 are inside the payload. */ 62| 0| if ((packet->payload[0] > 1) || ------------------ | Branch (62:7): [True: 0, False: 0] ------------------ 63| 0| (ntohs(get_u_int16_t(packet->payload, 2)) > 1023)) ------------------ | Branch (63:7): [True: 0, False: 0] ------------------ 64| 0| { 65| 0| goto exclude; 66| 0| } 67| | 68| 0| ndpi_int_glbp_add_connection(ndpi_struct, flow); 69| 0| return; 70| | 71| 3.32k|exclude: 72| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 3.32k|} init_gnutella_dissector: 84| 7.08k|{ 85| 7.08k| ndpi_register_dissector("Gnutella", ndpi_struct, 86| 7.08k| ndpi_search_gnutella, 87| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 88| 7.08k| 1, NDPI_PROTOCOL_GNUTELLA); 89| 7.08k|} gnutella.c:ndpi_search_gnutella: 43| 19.6k|{ 44| 19.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 45| | 46| 19.6k| NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); ------------------ | | 596| 19.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 47| | 48| 19.6k| if (packet->tcp != NULL) { ------------------ | Branch (48:7): [True: 13.4k, False: 6.14k] ------------------ 49| 13.4k| if (packet->payload_packet_len > 17 && memcmp(packet->payload, "GNUTELLA CONNECT/", 17) == 0) { ------------------ | Branch (49:9): [True: 9.07k, False: 4.40k] | Branch (49:44): [True: 0, False: 9.07k] ------------------ 50| 0| ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 51| | /* Extract some metadata HTTP-like */ 52| 0| ndpi_parse_packet_line_info(ndpi_struct, flow); 53| 0| if(packet->user_agent_line.ptr != NULL) ------------------ | Branch (53:10): [True: 0, False: 0] ------------------ 54| 0| ndpi_user_agent_set(flow, packet->user_agent_line.ptr, packet->user_agent_line.len); 55| 0| return; 56| 0| } 57| 13.4k| } else if (packet->udp != NULL) { ------------------ | Branch (57:14): [True: 6.14k, False: 0] ------------------ 58| | /* Check for Mojito-DHT encapsulated gnutella (gtk-gnutella). 
*/ 59| 6.14k| if (packet->payload_packet_len > 23) { ------------------ | Branch (59:9): [True: 5.70k, False: 436] ------------------ 60| 5.70k| u_int32_t gnutella_payload_len = le32toh(get_u_int32_t(packet->payload, 19)); 61| | 62| 5.70k| if (gnutella_payload_len == (u_int32_t)packet->payload_packet_len - 23 && ------------------ | Branch (62:11): [True: 8, False: 5.69k] ------------------ 63| 8| ((packet->payload_packet_len > 27 && ------------------ | Branch (63:13): [True: 7, False: 1] ------------------ 64| 8| ntohl(get_u_int32_t(packet->payload, 24)) == 0x47544b47 /* GTKG */) || ------------------ | Branch (64:12): [True: 0, False: 7] ------------------ 65| 8| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 4)) == 0x82514b40)) { ------------------ | Branch (65:12): [True: 0, False: 8] ------------------ 66| 0| NDPI_LOG_DBG2(ndpi_struct, "detected mojito-dht/gnutella udp\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 67| 0| ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 68| 0| return; 69| 0| } 70| 5.70k| } 71| | 72| 6.14k| if (packet->payload_packet_len >= 4 && memcmp(packet->payload, "GND\x10", 4) == 0) { ------------------ | Branch (72:9): [True: 6.02k, False: 122] | Branch (72:44): [True: 1, False: 6.01k] ------------------ 73| 1| NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, GND (2)\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 74| 1| ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 75| 1| return; 76| 1| } 77| 6.14k| } 78| | 79| 19.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 19.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 80| 19.6k|} gnutella.c:ndpi_int_gnutella_add_connection: 36| 1|{ 37| 1| NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| 1| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, 39| 1| confidence); 40| 1|} init_gtp_dissector: 131| 7.08k|{ 132| 7.08k| ndpi_register_dissector("GTP", ndpi_struct, 133| 7.08k| ndpi_search_gtp, 134| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 135| 7.08k| 1, NDPI_PROTOCOL_GTP); 136| 7.08k|} gtp.c:ndpi_search_gtp: 123| 4.39k|{ 124| 4.39k| NDPI_LOG_DBG(ndpi_struct, "search gtp\n"); ------------------ | | 596| 4.39k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 125| | 126| 4.39k| ndpi_check_gtp(ndpi_struct, flow); 127| 4.39k|} gtp.c:ndpi_check_gtp: 67| 4.39k|{ 68| 4.39k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 69| 4.39k| u_int32_t payload_len = packet->payload_packet_len; 70| | 71| 4.39k| if(payload_len > sizeof(struct gtp_header_generic)) { ------------------ | Branch (71:6): [True: 4.26k, False: 125] ------------------ 72| 4.26k| u_int32_t gtp_u = ntohs(2152); 73| 4.26k| u_int32_t gtp_c = ntohs(2123); 74| 4.26k| u_int32_t gtp_prime = ntohs(3386); 75| | 76| 4.26k| struct gtp_header_generic *gtp = (struct gtp_header_generic *)packet->payload; 77| 4.26k| u_int8_t version = (gtp->flags & 0xE0) >> 5; 78| 4.26k| u_int8_t pt = (gtp->flags & 0x10) >> 4; 79| 4.26k| u_int16_t message_len = ntohs(gtp->message_len); 80| | 81| 4.26k| if((packet->udp->source == gtp_u) || (packet->udp->dest == gtp_u)) { ------------------ | Branch (81:8): [True: 176, False: 4.09k] | Branch (81:42): [True: 21, False: 4.07k] ------------------ 82| 197| if((version == 1) && (pt == 1) && ------------------ | Branch (82:10): [True: 14, False: 183] | Branch (82:28): [True: 10, False: 4] ------------------ 83| 10| (payload_len >= HEADER_LEN_GTP_U) && ------------------ | | 54| 10|#define HEADER_LEN_GTP_U 8 ------------------ | Branch (83:10): [True: 10, False: 0] ------------------ 84| 10| (message_len <= (payload_len - HEADER_LEN_GTP_U))) { ------------------ | | 54| 10|#define HEADER_LEN_GTP_U 8 ------------------ | Branch (84:10): [True: 5, False: 5] ------------------ 85| 5| NDPI_LOG_INFO(ndpi_struct, "found gtp-u\n"); ------------------ | | 595| 5|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 86| 5| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_U, NDPI_PROTOCOL_GTP, NDPI_CONFIDENCE_DPI); 87| 5| return; 88| 5| } 89| 197| } 90| 4.26k| if((packet->udp->source == gtp_c) || (packet->udp->dest == gtp_c)) { ------------------ | Branch (90:8): [True: 3, False: 4.25k] | Branch (90:42): [True: 6, False: 4.25k] ------------------ 91| 9| if(((version == 1) && ------------------ | Branch (91:11): [True: 1, False: 8] ------------------ 92| 1| (payload_len >= HEADER_LEN_GTP_C_V1) && ------------------ | | 55| 1|#define HEADER_LEN_GTP_C_V1 8 ------------------ | Branch (92:11): [True: 1, False: 0] ------------------ 93| 1| (message_len == (payload_len - HEADER_LEN_GTP_C_V1)) && ------------------ | | 55| 1|#define HEADER_LEN_GTP_C_V1 8 ------------------ | Branch (93:11): [True: 0, False: 1] ------------------ 94| 0| (message_len >= 4 * (!!(gtp->flags & 0x07))) && ------------------ | Branch (94:11): [True: 0, False: 0] ------------------ 95| 0| (gtp->message_type > 0 && gtp->message_type <= 129)) || /* Loose check based on TS 29.060 7.1 */ ------------------ | Branch (95:12): [True: 0, False: 0] | Branch (95:37): [True: 0, False: 0] ------------------ 96| 9| ((version == 2) && ------------------ | Branch (96:11): [True: 0, False: 9] ------------------ 97| | /* payload_len is always valid, because HEADER_LEN_GTP_C_V2 == sizeof(struct gtp_header_generic) */ 98| 0| (message_len == (payload_len - HEADER_LEN_GTP_C_V2)))) { ------------------ | | 56| 0|#define HEADER_LEN_GTP_C_V2 4 ------------------ | Branch (98:11): [True: 0, False: 0] ------------------ 99| 0| NDPI_LOG_INFO(ndpi_struct, "found gtp-c\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 100| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_C, NDPI_PROTOCOL_GTP, NDPI_CONFIDENCE_DPI); 101| 0| return; 102| 0| } 103| 9| } 104| 4.26k| if((packet->udp->source == gtp_prime) || (packet->udp->dest == gtp_prime)) { ------------------ | Branch (104:8): [True: 0, False: 4.26k] | Branch (104:46): [True: 71, False: 4.19k] ------------------ 105| 71| if((pt == 0) && ------------------ | Branch (105:10): [True: 64, False: 7] ------------------ 106| 64| ((gtp->flags & 0x0E) >> 1 == 0x7) && /* Spare bits */ ------------------ | Branch (106:10): [True: 63, False: 1] ------------------ 107| 63| (payload_len >= HEADER_LEN_GTP_PRIME) && ------------------ | | 57| 63|#define HEADER_LEN_GTP_PRIME 6 ------------------ | Branch (107:10): [True: 63, False: 0] ------------------ 108| 63| (message_len <= (payload_len - HEADER_LEN_GTP_PRIME)) && ------------------ | | 57| 63|#define HEADER_LEN_GTP_PRIME 6 ------------------ | Branch (108:10): [True: 3, False: 60] ------------------ 109| 3| ((gtp->message_type > 0 && gtp->message_type <= 7) || /* Check based on TS 32.295 6.2.1 */ ------------------ | Branch (109:12): [True: 3, False: 0] | Branch (109:37): [True: 1, False: 2] ------------------ 110| 3| gtp->message_type == 240 || gtp->message_type == 241)) { ------------------ | Branch (110:11): [True: 1, False: 1] | Branch (110:39): [True: 1, False: 0] ------------------ 111| 3| NDPI_LOG_INFO(ndpi_struct, "found gtp-prime\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 112| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP_PRIME, NDPI_PROTOCOL_GTP, NDPI_CONFIDENCE_DPI); 113| 3| return; 114| 3| } 115| 71| } 116| 4.26k| } 117| | 118| 4.38k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.38k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 119| 4.38k| return; 120| 4.39k|} init_guildwars2_dissector: 57| 7.08k|{ 58| 7.08k| ndpi_register_dissector("GuildWars2", ndpi_struct, 59| 7.08k| ndpi_search_guildwars2_tcp, 60| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 61| 7.08k| 1, NDPI_PROTOCOL_GUILDWARS2); 62| 7.08k|} guildwars2.c:ndpi_search_guildwars2_tcp: 33| 13.4k|{ 34| 13.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 35| | 36| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search Guild Wars 2\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| | 38| 13.4k| if (packet->payload_packet_len > 50) ------------------ | Branch (38:7): [True: 4.90k, False: 8.54k] ------------------ 39| 4.90k| { 40| | /* The connection starts with this preamble containing client info. 41| | * The TLS handshake begins around packet 12. */ 42| 4.90k| if ((memcmp(packet->payload, "P /Sts/Connect STS/1.0", 22) == 0) || ------------------ | Branch (42:9): [True: 1, False: 4.90k] ------------------ 43| 4.90k| (memcmp(packet->payload, "P /Auth/StartTls STS/1.0", 24) == 0) || ------------------ | Branch (43:9): [True: 1, False: 4.90k] ------------------ 44| 4.90k| (memcmp(packet->payload, "STS/1.0 400 Success", 19) == 0)) ------------------ | Branch (44:9): [True: 2, False: 4.90k] ------------------ 45| 4| { 46| 4| NDPI_LOG_INFO(ndpi_struct, "found Guild Wars 2\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 47| 4| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GUILDWARS2, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 48| 4| return; 49| 4| } 50| 4.90k| } 51| | 52| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 13.4k|} init_h323_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("H323", ndpi_struct, 77| 7.08k| ndpi_search_h323, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_H323); 80| 7.08k|} h323.c:ndpi_search_h323: 39| 17.8k|{ 40| 17.8k| const struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 41| 17.8k| u_int16_t dport = 0, sport = 0; 42| | 43| 17.8k| NDPI_LOG_DBG(ndpi_struct, "search H323\n"); ------------------ | | 596| 17.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| | /* TPKT header length + Q.931 header length without IE */ 46| 17.8k| if(tpkt_verify_hdr(packet) && (packet->payload_packet_len > 20)) { ------------------ | Branch (46:6): [True: 0, False: 17.8k] | Branch (46:33): [True: 0, False: 0] ------------------ 47| | /* Check H.245 */ 48| 0| if(packet->payload[7] == 0x06 && ------------------ | Branch (48:8): [True: 0, False: 0] ------------------ 49| 0| ntohl(get_u_int32_t(packet->payload, 8)) == 0x0088175) /* protocolIdentifier OID */ { ------------------ | Branch (49:8): [True: 0, False: 0] ------------------ 50| 0| ndpi_int_h323_add_connection(ndpi_struct, flow); 51| 0| return; 52| 0| } 53| | /* Check H.225.0 : check Q.931 Protocol Discriminator and call reference value length */ 54| 0| if((packet->payload[4] == 0x08) && ((packet->payload[5] & 0xF) <= 3)) { ------------------ | Branch (54:8): [True: 0, False: 0] | Branch (54:40): [True: 0, False: 0] ------------------ 55| 0| ndpi_int_h323_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| 17.8k| } else if (packet->udp != NULL) { ------------------ | Branch (58:14): [True: 4.37k, False: 13.4k] ------------------ 59| 4.37k| sport = 
ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); 60| 4.37k| if(sport == 1719 || dport == 1719) { ------------------ | Branch (60:8): [True: 4, False: 4.37k] | Branch (60:25): [True: 0, False: 4.37k] ------------------ 61| | /* Check H.225.0 RAS */ 62| 4| if(packet->payload_packet_len > 20 && ------------------ | Branch (62:10): [True: 0, False: 4] ------------------ 63| 0| packet->payload[4] == 0x06 && ------------------ | Branch (63:10): [True: 0, False: 0] ------------------ 64| 4| ntohl(get_u_int32_t(packet->payload, 5)) == 0x0008914A /* protocolIdentifier OID */ ) { ------------------ | Branch (64:10): [True: 0, False: 0] ------------------ 65| 0| ndpi_int_h323_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| 4| } 69| 4.37k| } 70| | 71| 17.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 72| 17.8k|} init_hamachi_dissector: 168| 7.08k|{ 169| 7.08k| ndpi_register_dissector("Hamachi", ndpi_struct, 170| 7.08k| ndpi_search_hamachi, 171| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 172| 7.08k| 1, NDPI_PROTOCOL_HAMACHI); 173| 7.08k|} hamachi.c:ndpi_search_hamachi: 160| 14.9k|{ 161| 14.9k| if(flow->l4_proto == IPPROTO_TCP) ------------------ | Branch (161:6): [True: 11.6k, False: 3.33k] ------------------ 162| 11.6k| search_hamachi_tcp(ndpi_struct, flow); 163| 3.33k| else 164| 3.33k| search_hamachi_udp(ndpi_struct, flow); 165| 14.9k|} hamachi.c:search_hamachi_tcp: 44| 11.6k|{ 45| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | 47| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Hamachi over TCP\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| | 49| 11.6k| if (packet->payload_packet_len > 300 && ------------------ | Branch (49:7): [True: 1.28k, False: 10.3k] ------------------ 50| 11.6k| ntohl(get_u_int32_t(packet->payload, 0)) == (u_int32_t)(packet->payload_packet_len-4) && ------------------ | Branch (50:7): [True: 0, False: 1.28k] ------------------ 51| 11.6k| ntohl(get_u_int32_t(packet->payload, 12)) == 0x7B7A0DAD) ------------------ | Branch (51:7): [True: 0, False: 0] ------------------ 52| 0| { 53| 0| ndpi_int_hamachi_add_connection(ndpi_struct, flow); 54| 0| return; 55| 0| } 56| | 57| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 11.6k|} hamachi.c:search_hamachi_udp: 62| 3.33k|{ 63| 3.33k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 64| | 65| 3.33k| NDPI_LOG_DBG(ndpi_struct, "search Hamachi over UDP\n"); ------------------ | | 596| 3.33k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 66| | 67| | /* Skip initial 76-byte handshake (relay mode only) */ 68| 3.33k| if (flow->packet_counter <= 2 && packet->payload_packet_len == 76) ------------------ | Branch (68:7): [True: 3.33k, False: 0] | Branch (68:36): [True: 15, False: 3.32k] ------------------ 69| 15| { 70| 15| if (get_u_int64_t(packet->payload, 0) != 0 || ------------------ | | 148| 15|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (70:9): [True: 6, False: 9] ------------------ 71| 9| get_u_int64_t(packet->payload, 68) != 0) ------------------ | | 148| 9|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (71:9): [True: 8, False: 1] ------------------ 72| 14| { 73| 14| goto exclude_hamachi; 74| 14| } 75| 1| return; /* Likely Hamachi handshake */ 76| 15| } 77| | 78| | /* Empirically observed minimum */ 79| 3.32k| if (packet->payload_packet_len < 46) { ------------------ | Branch (79:7): [True: 1.18k, False: 2.13k] ------------------ 80| 1.18k| goto exclude_hamachi; 81| 1.18k| } 82| | 83| | /* Reasonable value for heuristics */ 84| 2.13k| u_int32_t seq = ntohl(get_u_int32_t(packet->payload, 4)); 85| 2.13k| if (seq == 0 || seq > 0xFFFF) { ------------------ | Branch (85:7): [True: 48, False: 2.08k] | Branch (85:19): [True: 1.84k, False: 236] ------------------ 86| 1.89k| goto exclude_hamachi; 87| 1.89k| } 88| | 89| 236| u_int32_t hamachi_l = ntohl(get_u_int32_t(packet->payload, 0)); 90| 236| u_int16_t hamachi_s = ntohs(get_u_int16_t(packet->payload, 8)); 91| | 92| 236| if (hamachi_l == 0xFFFFFFFF || hamachi_l == 0) ------------------ | Branch (92:7): [True: 1, False: 235] | Branch (92:34): [True: 78, False: 157] ------------------ 93| 79| { 94| 79| goto exclude_hamachi; 95| 79| } 96| | 97| 157| u_int8_t dir = packet->packet_direction; 98| | 99| | /* 100| | * Hamachi detection logic using 4-stage state machine: 101| | * Stage 0: Initial state, 
waiting for first packet 102| | * Stage 1: Got packet from dir=0, waiting for dir=1 to complete verification 103| | * Stage 2: Got packet from dir=1, waiting for dir=0 to complete verification 104| | * Stage 3: Both directions verified, protocol identified 105| | * 106| | * Each direction has constant values in bytes 0-3 and 8-9 throughout the session. 107| | * We need to verify consistency within each direction and collect samples from both. 108| | */ 109| | 110| 157| if (flow->l4.udp.hamachi_stage == 0) { ------------------ | Branch (110:7): [True: 152, False: 5] ------------------ 111| | /* Store signature values from first packet and set stage based on direction */ 112| 152| flow->l4.udp.hamachi_long[dir] = hamachi_l; 113| 152| flow->l4.udp.hamachi_short[dir] = hamachi_s; 114| 152| flow->l4.udp.hamachi_stage = dir ? 2 : 1; /* Stage 1 for dir=0, stage 2 for dir=1 */ ------------------ | Branch (114:34): [True: 59, False: 93] ------------------ 115| 152| return; 116| 152| } 117| | 118| 5| if (flow->l4.udp.hamachi_stage == 1 || flow->l4.udp.hamachi_stage == 2) { ------------------ | Branch (118:7): [True: 4, False: 1] | Branch (118:42): [True: 1, False: 0] ------------------ 119| 5| u_int8_t stored_dir = flow->l4.udp.hamachi_stage - 1; 120| | /* Current packet is same direction - verify */ 121| 5| if (dir == stored_dir) { ------------------ | Branch (121:9): [True: 5, False: 0] ------------------ 122| 5| if (hamachi_l != flow->l4.udp.hamachi_long[dir] || ------------------ | Branch (122:11): [True: 2, False: 3] ------------------ 123| 3| hamachi_s != flow->l4.udp.hamachi_short[dir]) ------------------ | Branch (123:11): [True: 1, False: 2] ------------------ 124| 3| { 125| 3| goto exclude_hamachi; 126| 3| } 127| 2| return; /* Still waiting for opposite direction */ 128| 5| } 129| | 130| | /* Opposite direction - verify signatures differ */ 131| 0| if (hamachi_l == flow->l4.udp.hamachi_long[stored_dir] || ------------------ | Branch (131:9): [True: 0, False: 0] 
------------------ 132| 0| hamachi_s == flow->l4.udp.hamachi_short[stored_dir]) ------------------ | Branch (132:8): [True: 0, False: 0] ------------------ 133| 0| { 134| 0| goto exclude_hamachi; 135| 0| } 136| | 137| 0| flow->l4.udp.hamachi_long[dir] = hamachi_l; 138| 0| flow->l4.udp.hamachi_short[dir] = hamachi_s; 139| 0| flow->l4.udp.hamachi_stage = 3; 140| 0| return; 141| 0| } 142| | 143| 0| if (flow->l4.udp.hamachi_stage == 3) { ------------------ | Branch (143:7): [True: 0, False: 0] ------------------ 144| | /* Final consistency check */ 145| 0| if (hamachi_l != flow->l4.udp.hamachi_long[dir] || ------------------ | Branch (145:9): [True: 0, False: 0] ------------------ 146| 0| hamachi_s != flow->l4.udp.hamachi_short[dir]) ------------------ | Branch (146:9): [True: 0, False: 0] ------------------ 147| 0| { 148| 0| goto exclude_hamachi; 149| 0| } 150| | 151| 0| ndpi_int_hamachi_add_connection(ndpi_struct, flow); 152| 0| return; 153| 0| } 154| | 155| 3.18k|exclude_hamachi: 156| 3.18k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.18k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 157| 3.18k|} init_haproxy_dissector: 70| 7.08k|{ 71| 7.08k| ndpi_register_dissector("HAProxy", ndpi_struct, 72| 7.08k| ndpi_search_haproxy, 73| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 74| 7.08k| 1, NDPI_PROTOCOL_HAPROXY); 75| 7.08k|} haproxy.c:ndpi_search_haproxy: 34| 11.7k|{ 35| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 36| 11.7k| const uint8_t *haproxy_end; 37| | 38| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search HAProxy\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 39| | 40| 11.7k| if (packet->payload_packet_len < NDPI_STATICSTRING_LEN("PROXY TCP")) ------------------ | | 98| 11.7k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (40:7): [True: 872, False: 10.8k] ------------------ 41| 872| { 42| 872| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 872|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 43| 872| return; 44| 872| } 45| | 46| 10.8k| if (strncmp((char *)packet->payload, "PROXY TCP", NDPI_STATICSTRING_LEN("PROXY TCP")) != 0) ------------------ | | 98| 10.8k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (46:7): [True: 10.8k, False: 2] ------------------ 47| 10.8k| { 48| 10.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 10.8k| return; 50| 10.8k| } 51| | 52| | /* The following code may be also used in the future to call subprotocol dissectors e.g. TLS. 
*/ 53| 2| haproxy_end = (uint8_t *)ndpi_strnstr((char *)packet->payload, "\r\n", packet->payload_packet_len); 54| 2| if (haproxy_end == NULL) ------------------ | Branch (54:7): [True: 1, False: 1] ------------------ 55| 1| { 56| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 1| return; 58| 1| } 59| 1| haproxy_end += 2; 60| 1| if (packet->payload_packet_len - (haproxy_end - packet->payload) == 0) ------------------ | Branch (60:7): [True: 1, False: 0] ------------------ 61| 1| { 62| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 1| return; 64| 1| } 65| | 66| 0| ndpi_int_haproxy_add_connection(ndpi_struct, flow); 67| 0|} init_hart_ip_dissector: 104| 7.08k|{ 105| 7.08k| ndpi_register_dissector("HART-IP", ndpi_struct, 106| 7.08k| ndpi_search_hart_ip, 107| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | 
------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 108| 7.08k| 1, NDPI_PROTOCOL_HART_IP); 109| 7.08k|} hart-ip.c:ndpi_search_hart_ip: 71| 15.0k|{ 72| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 73| | 74| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search HART-IP\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 75| | 76| 15.0k| if (packet->payload_packet_len < sizeof(struct hart_ip_hdr)) { ------------------ | Branch (76:7): [True: 936, False: 14.1k] ------------------ 77| 936| goto not_hart_ip; 78| 936| } 79| | 80| 14.1k| struct hart_ip_hdr const * const hart_ip_header = (struct hart_ip_hdr *)packet->payload; 81| | 82| 14.1k| if (hart_ip_header->version == 1 || hart_ip_header->version == 2) { ------------------ | Branch (82:7): [True: 482, False: 13.6k] | Branch (82:39): [True: 64, False: 13.5k] ------------------ 83| 546| u_int8_t message_type = hart_ip_header->msg_type & 0xF; 84| | 85| 546| if ((message_type > PUBLISH_MSG && message_type != NAK_MSG) && ------------------ | Branch (85:10): [True: 237, False: 309] | Branch (85:40): [True: 227, False: 10] ------------------ 86| 227| hart_ip_header->msg_id > READ_AUDIT_LOG_ID) ------------------ | Branch (86:9): [True: 54, False: 173] ------------------ 87| 54| { 88| 54| goto not_hart_ip; 89| 54| } 90| | 91| 492| if (ntohs(hart_ip_header->msg_len) != packet->payload_packet_len) { ------------------ | Branch (91:9): [True: 491, False: 1] ------------------ 92| 491| goto not_hart_ip; 93| 491| } 94| | 95| 1| ndpi_int_hart_ip_add_connection(ndpi_struct, flow); 96| 1| return; 97| 492| } 98| | 99| 15.0k|not_hart_ip: 100| 15.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 101| 15.0k|} hart-ip.c:ndpi_int_hart_ip_add_connection: 61| 1|{ 62| 1| NDPI_LOG_INFO(ndpi_struct, "found HART-IP\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 63| | 64| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 65| 1| NDPI_PROTOCOL_HART_IP, NDPI_PROTOCOL_UNKNOWN, 66| 1| NDPI_CONFIDENCE_DPI); 67| 1|} init_hcl_notes_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("HCL_Notes", ndpi_struct, 66| 7.08k| ndpi_search_hcl_notes, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_HCL_NOTES); 69| 7.08k|} hcl_notes.c:ndpi_search_hcl_notes: 56| 22.7k|{ 57| 22.7k| NDPI_LOG_DBG(ndpi_struct, "search hcl_notes\n"); ------------------ | | 596| 22.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 58| | 59| 22.7k| ndpi_check_hcl_notes(ndpi_struct, flow); 60| 22.7k|} hcl_notes.c:ndpi_check_hcl_notes: 32| 22.7k|{ 33| 22.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 34| 22.7k| u_int32_t payload_len = packet->payload_packet_len; 35| | 36| 22.7k| flow->l4.tcp.hcl_notes_packet_id++; 37| | 38| 22.7k| if((flow->l4.tcp.hcl_notes_packet_id == 1) && ------------------ | Branch (38:6): [True: 13.4k, False: 9.27k] ------------------ 39| 13.4k| ndpi_seen_flow_beginning(flow)) { ------------------ | Branch (39:6): [True: 442, False: 13.0k] ------------------ 40| 442| if(payload_len > 16) { ------------------ | Branch (40:8): [True: 430, False: 12] ------------------ 41| 430| char hcl_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F }; 42| | 43| 430| if(memcmp(&packet->payload[6], hcl_notes_header, sizeof(hcl_notes_header)) == 0) { ------------------ | Branch (43:10): [True: 0, False: 430] ------------------ 44| 0| NDPI_LOG_INFO(ndpi_struct, "found HCL Notes\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HCL_NOTES, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 46| 0| } 47| 430| return; 48| 430| } 49| | 50| 22.2k| } else if(flow->l4.tcp.hcl_notes_packet_id <= 3) return; ------------------ | Branch (50:13): [True: 20.1k, False: 2.14k] ------------------ 51| | 52| 2.15k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.15k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 2.15k|} init_hislip_dissector: 63| 7.08k|{ 64| 7.08k| ndpi_register_dissector("HiSLIP", ndpi_struct, 65| 7.08k| ndpi_search_hislip, 66| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 67| 7.08k| 1, NDPI_PROTOCOL_HISLIP); 68| 7.08k|} hislip.c:ndpi_search_hislip: 46| 11.6k|{ 47| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 48| | 49| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search HiSLIP\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 50| | 51| 11.6k| if ((packet->payload_packet_len >= 16) && ------------------ | Branch (51:7): [True: 10.3k, False: 1.33k] ------------------ 52| 10.3k| (memcmp(packet->payload, "HS", 2) == 0) && ((packet->payload[2] - 26) < 0x65) && ------------------ | Branch (52:7): [True: 15, False: 10.3k] | Branch (52:50): [True: 13, False: 2] ------------------ 53| 13| (ndpi_ntohll(get_u_int64_t(packet->payload, 8)) == (u_int64_t)(packet->payload_packet_len - 16))) ------------------ | | 148| 13|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (53:7): [True: 0, False: 13] ------------------ 54| 0| { 55| 0| ndpi_int_hislip_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| | 59| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 11.6k|} init_hl7_dissector: 73| 7.08k|{ 74| 7.08k| ndpi_register_dissector("HL7", ndpi_struct, 75| 7.08k| ndpi_search_hl7, 76| 7.08k| 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 77| 7.08k| 1, NDPI_PROTOCOL_HL7); 78| 7.08k|} hl7.c:ndpi_search_hl7: 36| 12.7k|{ 37| 12.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 38| | 39| 12.7k| NDPI_LOG_DBG(ndpi_struct, "search HL7\n"); ------------------ | | 596| 12.7k|# define NDPI_LOG_DBG(mod, 
args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 12.7k| if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || ------------------ | Branch (41:7): [True: 645, False: 12.0k] ------------------ 42| 12.0k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP) ------------------ | Branch (42:7): [True: 412, False: 11.6k] ------------------ 43| 1.05k| { 44| 1.05k| if (packet->content_line.ptr != NULL) { ------------------ | Branch (44:9): [True: 62, False: 995] ------------------ 45| 62| if ((LINE_ENDS(packet->content_line, "x-application/hl7-v2+er7") != 0) || ------------------ | | 81| 62| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 55, False: 7] | | ------------------ | | 82| 62| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 55] | | ------------------ | | 83| 55| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 55| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (45:11): [True: 0, False: 62] ------------------ 46| 62| (LINE_ENDS(packet->content_line, "x-application/hl7-v2+xml") != 0) || ------------------ | | 81| 62| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 55, False: 7] | | ------------------ | | 82| 62| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 55] | | ------------------ | | 83| 55| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 55| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (46:11): [True: 0, False: 62] ------------------ 47| 62| (LINE_ENDS(packet->content_line, "x-application/hl7-v3+xml") != 0) || ------------------ | | 81| 62| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | 
------------------ | | | Branch (81:4): [True: 55, False: 7] | | ------------------ | | 82| 62| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 4, False: 51] | | ------------------ | | 83| 55| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 55| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (47:11): [True: 4, False: 58] ------------------ 48| 58| (LINE_ENDS(packet->content_line, "x-application/fhir+xml") != 0) || ------------------ | | 81| 58| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 51, False: 7] | | ------------------ | | 82| 58| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 3, False: 48] | | ------------------ | | 83| 51| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 51| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (48:11): [True: 3, False: 55] ------------------ 49| 55| (LINE_ENDS(packet->content_line, "x-application/fhir+json") != 0) || ------------------ | | 81| 55| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 48, False: 7] | | ------------------ | | 82| 55| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 48] | | ------------------ | | 83| 48| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 48| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (49:11): [True: 0, False: 55] ------------------ 50| 55| (LINE_ENDS(packet->content_line, "x-application/xml+cda") != 0)) ------------------ | | 81| 55| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 48, False: 7] | | 
------------------ | | 82| 55| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 3, False: 45] | | ------------------ | | 83| 48| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 48| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (50:11): [True: 3, False: 52] ------------------ 51| 10| { 52| 10| NDPI_LOG_INFO(ndpi_struct, "found HL7 over HTTP\n"); ------------------ | | 595| 10|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 53| 10| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HL7, NDPI_PROTOCOL_HTTP, 54| 10| NDPI_CONFIDENCE_DPI); 55| 10| } 56| 62| } 57| 1.05k| return; 58| 1.05k| } 59| | 60| 11.6k| if (packet->payload_packet_len > 100 && ------------------ | Branch (60:7): [True: 2.40k, False: 9.26k] ------------------ 61| 2.40k| memcmp(&packet->payload[1], "MSH|^~\\&|", NDPI_STATICSTRING_LEN("MSH|^~\\&|")) == 0) ------------------ | | 98| 2.40k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (61:7): [True: 12, False: 2.39k] ------------------ 62| 12| { 63| 12| NDPI_LOG_INFO(ndpi_struct, "found HL7\n"); ------------------ | | 595| 12|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 64| 12| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HL7, NDPI_PROTOCOL_UNKNOWN, 65| 12| NDPI_CONFIDENCE_DPI); 66| 12| return; 67| 12| } 68| | 69| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 11.6k|} ndpi_search_hots: 38| 3.08k|{ 39| 3.08k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| 3.08k| int i, ports[4] = {1119, 1120, 3724, 6113}; 41| | 42| 3.08k| NDPI_LOG_DBG(ndpi_struct, "search Heroes of the Storm\n"); ------------------ | | 596| 3.08k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 43| | 44| 15.4k| for (i = 0; i < 4; i++) { ------------------ | Branch (44:15): [True: 12.3k, False: 3.07k] ------------------ 45| 12.3k| if (packet->udp->dest == ntohs(ports[i]) || packet->udp->source == ntohs(ports[i])) { ------------------ | Branch (45:9): [True: 4, False: 12.3k] | Branch (45:49): [True: 0, False: 12.3k] ------------------ 46| 4| if (packet->payload_packet_len >= 20 && packet->payload_packet_len <= 122) { ------------------ | Branch (46:11): [True: 4, False: 0] | Branch (46:47): [True: 4, False: 0] ------------------ 47| 4| if (packet->payload[14] == 0x40 && packet->payload[15] == 0x00) { ------------------ | Branch (47:13): [True: 1, False: 3] | Branch (47:44): [True: 0, False: 1] ------------------ 48| 0| if ((packet->payload[2] == 0x03 && packet->payload[3] == 0x00) || ------------------ | Branch (48:16): [True: 0, False: 0] | Branch (48:46): [True: 0, False: 0] ------------------ 49| 0| (packet->payload[2] == 0x34 && packet->payload[3] == 0x00) || ------------------ | Branch (49:16): [True: 0, False: 0] | Branch (49:46): [True: 0, False: 0] ------------------ 50| 0| (packet->payload[0] == 0x00 && packet->payload[1] == 0x00 && packet->payload[2] 
== 0x00 && ------------------ | Branch (50:16): [True: 0, False: 0] | Branch (50:46): [True: 0, False: 0] | Branch (50:76): [True: 0, False: 0] ------------------ 51| 0| packet->payload[3] == 0x00 && packet->payload[4] == 0x00 && packet->payload[5] == 0x00 && ------------------ | Branch (51:16): [True: 0, False: 0] | Branch (51:46): [True: 0, False: 0] | Branch (51:76): [True: 0, False: 0] ------------------ 52| 0| packet->payload[6] == 0x00 && packet->payload[7] == 0x00 && packet->payload[8] == 0x00 && ------------------ | Branch (52:16): [True: 0, False: 0] | Branch (52:46): [True: 0, False: 0] | Branch (52:76): [True: 0, False: 0] ------------------ 53| 0| packet->payload[9] == 0x00 && packet->payload[10] == 0x00 && packet->payload[11] == 0x00 && ------------------ | Branch (53:16): [True: 0, False: 0] | Branch (53:46): [True: 0, False: 0] | Branch (53:77): [True: 0, False: 0] ------------------ 54| 0| packet->payload[12] == 0x00 && packet->payload[13] == 0x00)) { ------------------ | Branch (54:16): [True: 0, False: 0] | Branch (54:47): [True: 0, False: 0] ------------------ 55| 0| ndpi_hots_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| 0| } 59| 4| } 60| 4| break; 61| 4| } 62| 12.3k| } 63| 3.08k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.08k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 64| 3.08k|} init_hots_dissector: 68| 7.08k|{ 69| 7.08k| ndpi_register_dissector("HOTS", ndpi_struct, 70| 7.08k| ndpi_search_hots, 71| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, /* Only IPv4 UDP traffic is expected. 
*/ ------------------ | | 631| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 617| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 72| 7.08k| 1, NDPI_PROTOCOL_HOTS); 73| 7.08k|} init_hpvirtgrp_dissector: 61| 7.08k|{ 62| 7.08k| ndpi_register_dissector("HP Virtual Machine Group Management", ndpi_struct, 63| 7.08k| ndpi_search_hpvirtgrp, 64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_HPVIRTGRP); 66| 7.08k|} hpvirtgrp.c:ndpi_search_hpvirtgrp: 38| 11.7k|{ 39| 11.7k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 40| | 41| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search hpvirtgrp\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 42| | 43| 11.7k| if (packet->tcp != NULL) ------------------ | Branch (43:7): [True: 11.7k, False: 0] ------------------ 44| 11.7k| { 45| 11.7k| if (flow->packet_counter == 1 && packet->payload_packet_len >= 4 && ------------------ | Branch (45:9): [True: 11.7k, False: 0] | Branch (45:38): [True: 11.7k, False: 25] ------------------ 46| 11.7k| packet->payload_packet_len == ntohs(*(u_int16_t*)&packet->payload[1]) && ------------------ | Branch (46:9): [True: 8, False: 11.7k] ------------------ 47| 8| packet->payload[0] == 0x16 && packet->payload[3] == 0x00) ------------------ | Branch (47:9): [True: 3, False: 5] | Branch (47:39): [True: 2, False: 1] ------------------ 48| 2| { 49| 2| ndpi_int_hpvirtgrp_add_connection(ndpi_struct, flow); 50| 2| return; 51| 2| } 52| 11.7k| } 53| | 54| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 11.7k|} hpvirtgrp.c:ndpi_int_hpvirtgrp_add_connection: 32| 2|{ 33| 2| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HPVIRTGRP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 34| 2|} init_hsrp_dissector: 84| 7.08k|void init_hsrp_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 85| 7.08k| ndpi_register_dissector("HSRP", ndpi_struct, 86| 7.08k| ndpi_search_hsrp, 87| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 88| 7.08k| 1, NDPI_PROTOCOL_HSRP); 89| 7.08k|} hsrp.c:ndpi_search_hsrp: 36| 4.38k| struct ndpi_flow_struct *flow) { 37| 4.38k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| 4.38k| u_int16_t port_to_match; 39| | 40| 4.38k| NDPI_LOG_DBG(ndpi_struct, "search HSRP\n"); ------------------ | | 596| 4.38k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 41| | 42| 4.38k| if(packet->iphv6) { ------------------ | Branch (42:6): [True: 719, False: 3.66k] ------------------ 43| 719| port_to_match = htons(HSRP_PORT_V6); 44| | 45| 719| if((packet->udp->source == port_to_match) && (packet->udp->dest == port_to_match) ------------------ | Branch (45:8): [True: 0, False: 719] | Branch (45:50): [True: 0, False: 0] ------------------ 46| 0| && (packet->payload[0] <= 0x04) /* Message type */ ------------------ | Branch (46:11): [True: 0, False: 0] ------------------ 47| 0| && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000) ------------------ | Branch (47:11): [True: 0, False: 0] ------------------ 48| 0| && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[1]) == 0x00000000) ------------------ | Branch (48:11): [True: 0, False: 0] ------------------ 49| 0| && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[2]) == 0x00000000) ------------------ | Branch (49:11): [True: 0, False: 0] ------------------ 50| 0| && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[3]) == 0x00000066)) { /* multicast: ff02::66 */; ------------------ | Branch (50:11): [True: 0, False: 0] ------------------ 51| 0| NDPI_LOG_INFO(ndpi_struct, "found HSRP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HSRP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 53| 0| return; 54| 0| } 55| 3.66k| } else if(packet->iph) { ------------------ | Branch (55:13): [True: 3.66k, False: 0] ------------------ 56| 3.66k| port_to_match = htons(HSRP_PORT); 57| | 58| 3.66k| if((packet->udp->source == port_to_match) && (packet->udp->dest == port_to_match)) { ------------------ | Branch (58:8): [True: 1, False: 3.66k] | Branch (58:50): [True: 0, False: 1] ------------------ 59| 0| u_int8_t found = 0; 60| | 61| 0| if((ntohl(packet->iph->daddr) == 0xE0000002 /* 224.0.0.2 v0 */) ------------------ | Branch (61:10): [True: 0, False: 0] ------------------ 62| 0| && (packet->payload_packet_len >= 20) ------------------ | Branch (62:6): [True: 0, False: 0] ------------------ 63| 0| && (packet->payload[0] == 0x0 /* v0 */) ------------------ | Branch (63:6): [True: 0, False: 0] ------------------ 64| 0| && (packet->payload[7] == 0x0 /* reserved */)) ------------------ | Branch (64:6): [True: 0, False: 0] ------------------ 65| 0| found = 1; /* v0 */ 66| 0| else if((packet->payload_packet_len >= 42) ------------------ | Branch (66:15): [True: 0, False: 0] ------------------ 67| 0| && (packet->payload[2] == 0x02) /* Version 2 */ ------------------ | Branch (67:11): [True: 0, False: 0] ------------------ 68| 0| && (packet->payload[5] == 0x04) /* IPv4 */ ------------------ | Branch (68:11): [True: 0, False: 0] ------------------ 69| 0| && (ntohl(packet->iph->daddr) == 0xE0000066 /* 224.0.0.102 v2 */)) ------------------ | Branch (69:11): [True: 0, False: 0] ------------------ 70| 0| found = 1; 71| | 72| 0| if(found) { ------------------ | Branch (72:10): [True: 0, False: 0] ------------------ 73| 0| NDPI_LOG_INFO(ndpi_struct, "found HSRP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 74| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HSRP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 75| 0| return; 76| 0| } 77| 0| } 78| 3.66k| } 79| | 80| 4.38k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.38k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 81| 4.38k|} init_http_dissector: 1791| 7.08k|void init_http_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 1792| 7.08k| ndpi_register_dissector("HTTP", ndpi_struct, 1793| 7.08k| ndpi_search_http_tcp, 1794| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | 
| ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 1795| 7.08k| 1, NDPI_PROTOCOL_HTTP); 1796| 7.08k|} http.c:ndpi_search_http_tcp: 1761| 17.3k| struct ndpi_flow_struct *flow) { 1762| | /* Break after 20 packets. */ 1763| 17.3k| if(flow->packet_counter > 20) { ------------------ | Branch (1763:6): [True: 0, False: 17.3k] ------------------ 1764| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 1765| 0| return; 1766| 0| } 1767| | 1768| 17.3k| NDPI_LOG_DBG(ndpi_struct, "search HTTP\n"); ------------------ | | 596| 17.3k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1769| 17.3k| ndpi_check_http_tcp(ndpi_struct, flow); 1770| | 1771| 17.3k| if((ndpi_struct->cfg.http_parse_response_enabled && ------------------ | Branch (1771:7): [True: 17.3k, False: 0] ------------------ 1772| 17.3k| flow->host_server_name[0] != '\0' && ------------------ | Branch (1772:7): [True: 1.00k, False: 16.3k] ------------------ 1773| 1.00k| flow->http.response_status_code != 0) || ------------------ | Branch (1773:7): [True: 24, False: 977] ------------------ 1774| 17.3k| (!ndpi_struct->cfg.http_parse_response_enabled && ------------------ | Branch (1774:7): [True: 0, False: 17.3k] ------------------ 1775| 0| (flow->host_server_name[0] != '\0' || ------------------ | Branch (1775:8): [True: 0, False: 0] ------------------ 1776| 0| flow->http.response_status_code != 0)) || ------------------ | Branch (1776:8): [True: 0, False: 0] ------------------ 1777| | /* We have found 3 consecutive requests (without the reply) or 3 1778| | consecutive replies (without the request). If the traffic is really 1779| | asymmetric, stop here, because we will never find the metadata from 1780| | both the request and the reply. 
We wait for 3 events (instead of 2) 1781| | to avoid false positives triggered by missing/dropped packets */ 1782| 17.3k| (flow->l4.tcp.http_asymmetric_stage == 2 && ------------------ | Branch (1782:7): [True: 6, False: 17.3k] ------------------ 1783| 6| (flow->packet_direction_complete_counter[0] == 0 || ------------------ | Branch (1783:8): [True: 0, False: 6] ------------------ 1784| 30| flow->packet_direction_complete_counter[1] == 0))) { ------------------ | Branch (1784:8): [True: 6, False: 0] ------------------ 1785| 30| flow->extra_packets_func = NULL; /* We're good now */ 1786| | 1787| 30| if(flow->initial_binary_bytes_len) ndpi_analyze_content_signature(ndpi_struct, flow); ------------------ | Branch (1787:8): [True: 21, False: 9] ------------------ 1788| 30| } 1789| 17.3k|} http.c:ndpi_check_http_tcp: 1655| 17.3k| struct ndpi_flow_struct *flow) { 1656| 17.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1657| 17.3k| u_int16_t filename_start; 1658| | 1659| 17.3k| NDPI_LOG_DBG(ndpi_struct, "http_stage %d dir %d req/res %d/%d\n", ------------------ | | 596| 17.3k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1660| 17.3k| flow->l4.tcp.http_stage, packet->packet_direction, 1661| 17.3k| is_request(ndpi_struct), is_response(ndpi_struct)); 1662| | 1663| 17.3k| if(flow->l4.tcp.http_stage == 0) { /* Start: waiting for (the beginning of) a request */ ------------------ | Branch (1663:6): [True: 17.2k, False: 111] ------------------ 1664| 17.2k| filename_start = is_request(ndpi_struct); 1665| 17.2k| if(filename_start == 0) { ------------------ | Branch (1665:8): [True: 16.0k, False: 1.23k] ------------------ 1666| | /* Flow starting with a response? 
*/ 1667| 16.0k| if(is_response(ndpi_struct)) { ------------------ | Branch (1667:10): [True: 44, False: 15.9k] ------------------ 1668| 44| NDPI_LOG_DBG2(ndpi_struct, "Response where a request were expected\n"); ------------------ | | 597| 44|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1669| | /* This is tricky. Two opposing goals: 1670| | 1) We want to correctly match request with response!! -> Skip this response 1671| | and keep looking for a request. 1672| | 2) We want to support asymmetric detection 1673| | Trade-off: 1674| | a) set HTTP as master (it is a guess; we can't know it from the reply only) 1675| | b) process the response(s) and save the metadata 1676| | c) look for a request. If we found it, reset everything (master, 1677| | classification and metadata!) */ 1678| 44| ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); 1679| 44| process_response(ndpi_struct, flow); 1680| | 1681| 44| flow->l4.tcp.http_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 1682| 44| return; 1683| 44| } 1684| | /* The first pkt is neither a request nor a response -> no http */ 1685| 15.9k| NDPI_LOG_DBG2(ndpi_struct, "Neither req nor response -> exclude\n"); ------------------ | | 597| 15.9k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1686| 15.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 1687| 15.9k| return; 1688| 16.0k| } 1689| 1.23k| NDPI_LOG_DBG2(ndpi_struct, "Request where expected\n"); ------------------ | | 597| 1.23k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1690| | 1691| 1.23k| process_request(ndpi_struct, flow, filename_start); 1692| | 1693| | /* Wait for the response */ 1694| 1.23k| flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 1695| | 1696| 1.23k| return; 1697| 17.2k| } else if(flow->l4.tcp.http_stage == 1 || flow->l4.tcp.http_stage == 2) { ------------------ | Branch (1697:13): [True: 79, False: 32] | Branch (1697:45): [True: 2, False: 30] ------------------ 1698| | /* Found a request, looking for the response */ 1699| | 1700| 81| if(flow->l4.tcp.http_stage - packet->packet_direction == 1) { ------------------ | Branch (1700:8): [True: 54, False: 27] ------------------ 1701| | /* Another pkt from the same direction (probably another fragment of the request) 1702| | Keep lookng for the response */ 1703| 54| NDPI_LOG_DBG2(ndpi_struct, "Another piece of request\n"); ------------------ | | 597| 54|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1704| 54| filename_start = is_request(ndpi_struct); 1705| 54| if(filename_start > 0) { ------------------ | Branch (1705:10): [True: 26, False: 28] ------------------ 1706| | /* Probably a new, separated request (asymmetric flow or missing pkts?). 1707| | What should we do? We definitely don't want to mix data from different 1708| | requests. The easiest (but costly) idea is to reset the state and 1709| | process it (i.e. 
we keep the metadata of the last request that we 1710| | have processed) */ 1711| 26| if(flow->l4.tcp.http_asymmetric_stage < 2) ------------------ | Branch (1711:12): [True: 26, False: 0] ------------------ 1712| 26| flow->l4.tcp.http_asymmetric_stage++; 1713| 26| reset(ndpi_struct, flow); 1714| 26| process_request(ndpi_struct, flow, filename_start); 1715| 26| return; 1716| 26| } 1717| 28| ndpi_parse_packet_line_info(ndpi_struct, flow); 1718| 28| check_content_type_and_change_protocol(ndpi_struct, flow); 1719| 28| return; 1720| 54| } else if(is_response(ndpi_struct)) { ------------------ | Branch (1720:15): [True: 7, False: 20] ------------------ 1721| 7| NDPI_LOG_DBG2(ndpi_struct, "Response where expected\n"); ------------------ | | 597| 7|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1722| | 1723| 7| process_response(ndpi_struct, flow); 1724| | 1725| 7| flow->l4.tcp.http_stage = 0; 1726| 20| } else { 1727| 20| NDPI_LOG_DBG2(ndpi_struct, "The msg from the server doesn't look like a response...\n"); ------------------ | | 597| 20|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1728| | /* TODO */ 1729| 20| } 1730| 81| } else if(flow->l4.tcp.http_stage == 3 || flow->l4.tcp.http_stage == 4) { ------------------ | Branch (1730:13): [True: 30, False: 0] | Branch (1730:45): [True: 0, False: 0] ------------------ 1731| | /* Found a response but we want a request */ 1732| | 1733| 30| if(flow->l4.tcp.http_stage - packet->packet_direction == 3) { ------------------ | Branch (1733:8): [True: 23, False: 7] ------------------ 1734| | /* Another pkt from the same direction (probably another fragment of the response) 1735| | Keep lookng for the request */ 1736| 23| NDPI_LOG_DBG2(ndpi_struct, "Another piece of response\n"); ------------------ | | 597| 23|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1737| 23| if(is_response(ndpi_struct)) { ------------------ | Branch (1737:10): [True: 0, False: 23] ------------------ 1738| | /* See the comment above about how we handle consecutive requests/responses */ 1739| 0| if(flow->l4.tcp.http_asymmetric_stage < 2) ------------------ | Branch (1739:12): [True: 0, False: 0] ------------------ 1740| 0| flow->l4.tcp.http_asymmetric_stage++; 1741| 0| reset(ndpi_struct, flow); 1742| 0| process_response(ndpi_struct, flow); 1743| 0| return; 1744| 0| } 1745| 23| ndpi_parse_packet_line_info(ndpi_struct, flow); 1746| 23| check_content_type_and_change_protocol(ndpi_struct, flow); 1747| 23| return; 1748| 23| } 1749| | 1750| 7| NDPI_LOG_DBG2(ndpi_struct, "Found a request. We need to reset the state!\n"); ------------------ | | 597| 7|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1751| | 1752| 7| reset(ndpi_struct, flow); 1753| 7| flow->l4.tcp.http_stage = 0; 1754| 7| ndpi_check_http_tcp(ndpi_struct, flow); 1755| 7| } 1756| 17.3k|} http.c:is_request: 1491| 17.3k|static int is_request(struct ndpi_detection_module_struct *ndpi_struct) { 1492| 17.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1493| 17.3k| u_int16_t filename_start; 1494| | 1495| 17.3k| filename_start = http_request_url_offset(ndpi_struct); 1496| | /* This check is required as RTSP is pretty similiar to HTTP */ 1497| 17.3k| if(filename_start > 0 && ------------------ | Branch (1497:6): [True: 1.26k, False: 16.0k] ------------------ 1498| 1.26k| strncasecmp((const char *)packet->payload + filename_start, ------------------ | Branch (1498:6): [True: 1, False: 1.26k] ------------------ 1499| 1.26k| "rtsp://", ndpi_min(7, packet->payload_packet_len - filename_start)) == 0) ------------------ | | 113| 1.26k|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 1.26k, False: 1] | | ------------------ ------------------ 1500| 1| return 0; 1501| 17.3k| return filename_start; 1502| 17.3k|} http.c:http_request_url_offset: 1415| 17.3k|{ 1416| 17.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1417| 17.3k| unsigned int i; 1418| | 1419| 17.3k| NDPI_LOG_DBG2(ndpi_struct, "====>>>> HTTP: %c%c%c%c [len: %u]\n", ------------------ | | 597| 17.3k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1420| 17.3k| packet->payload_packet_len > 0 ? non_ctrl(packet->payload[0]) : '.', 1421| 17.3k| packet->payload_packet_len > 1 ? non_ctrl(packet->payload[1]) : '.', 1422| 17.3k| packet->payload_packet_len > 2 ? non_ctrl(packet->payload[2]) : '.', 1423| 17.3k| packet->payload_packet_len > 3 ? non_ctrl(packet->payload[3]) : '.', 1424| 17.3k| packet->payload_packet_len); 1425| | 1426| | /* Check first char */ 1427| 17.3k| if(!packet->payload_packet_len || !strchr(http_fs,packet->payload[0])) ------------------ | Branch (1427:6): [True: 0, False: 17.3k] | Branch (1427:37): [True: 11.2k, False: 6.11k] ------------------ 1428| 11.2k| return 0; 1429| | 1430| | /** 1431| | FIRST PAYLOAD PACKET FROM CLIENT 1432| | **/ 1433| 98.7k| for(i=0; i < sizeof(http_methods)/sizeof(http_methods[0]); i++) { ------------------ | Branch (1433:12): [True: 93.9k, False: 4.85k] ------------------ 1434| 93.9k| if(packet->payload_packet_len >= http_methods[i].len && ------------------ | Branch (1434:8): [True: 87.6k, False: 6.24k] ------------------ 1435| 87.6k| strncasecmp((const char*)packet->payload,http_methods[i].str,http_methods[i].len) == 0) { ------------------ | Branch (1435:8): [True: 1.26k, False: 86.3k] ------------------ 1436| 1.26k| size_t url_start = http_methods[i].len; 1437| 1.31k| while (url_start < packet->payload_packet_len && ------------------ | Branch (1437:14): [True: 1.31k, False: 0] ------------------ 1438| 1.31k| url_start < 
http_methods[i].len + 2048 && /* We assume 2048 chars as maximum for URLs. */ ------------------ | Branch (1438:14): [True: 1.31k, False: 0] ------------------ 1439| 1.31k| packet->payload[url_start] == ' ') { url_start++; } ------------------ | Branch (1439:14): [True: 44, False: 1.26k] ------------------ 1440| 1.26k| NDPI_LOG_DBG2(ndpi_struct, "HTTP: %sFOUND\n",http_methods[i].str); ------------------ | | 597| 1.26k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1441| 1.26k| return url_start; 1442| 1.26k| } 1443| 93.9k| } 1444| 4.85k| return 0; 1445| 6.11k|} http.c:is_response: 1504| 16.0k|static int is_response(struct ndpi_detection_module_struct *ndpi_struct) { 1505| 16.0k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1506| 16.0k| if(packet->payload_packet_len >= 7 && ------------------ | Branch (1506:6): [True: 15.2k, False: 808] ------------------ 1507| 15.2k| strncasecmp((const char *)packet->payload, "HTTP/1.", 7) == 0) ------------------ | Branch (1507:6): [True: 51, False: 15.2k] ------------------ 1508| 51| return 1; 1509| 16.0k| return 0; 1510| 16.0k|} http.c:ndpi_int_http_add_connection: 465| 1.30k| u_int16_t master_protocol) { 466| |#ifdef HTTP_DEBUG 467| | printf("=> %s()\n", __FUNCTION__); 468| |#endif 469| | 470| | /* Update the classification only if we don't already have master + app; 471| | for example don't change the protocols if we have already detected a 472| | sub-protocol via the (content-matched) subprotocols logic (i.e. 473| | MPEGDASH, SOAP, ....) */ 474| 1.30k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (474:6): [True: 1.29k, False: 15] ------------------ 475| 1.29k| NDPI_LOG_DBG2(ndpi_struct, "Master: %d\n", master_protocol); ------------------ | | 597| 1.29k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 476| 1.29k| if(flow->detected_protocol_stack[0] != master_protocol) { ------------------ | Branch (476:8): [True: 1.28k, False: 11] ------------------ 477| 1.28k| NDPI_LOG_DBG2(ndpi_struct, "Previous master was different\n"); ------------------ | | 597| 1.28k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 478| 1.28k| proto_stack_reset(&flow->protocol_stack); 479| 1.28k| } 480| 1.29k| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, 481| 1.29k| master_protocol, NDPI_CONFIDENCE_DPI); 482| 1.29k| } 483| | 484| 1.30k| flow->max_extra_packets_to_check = 8; 485| 1.30k| flow->extra_packets_func = ndpi_search_http_tcp_again; 486| 1.30k|} http.c:ndpi_search_http_tcp_again: 143| 201| struct ndpi_flow_struct *flow) { 144| 201| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 145| | 146| 201| if(packet->payload_packet_len == 0 || packet->tcp_retransmission) { ------------------ | Branch (146:6): [True: 71, False: 130] | Branch (146:41): [True: 19, False: 111] ------------------ 147| 90| NDPI_LOG_DBG(ndpi_struct, "Skip %d/%d\n", packet->payload_packet_len, packet->tcp_retransmission); ------------------ | | 596| 90|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 148| 90| return 1; 149| 90| } 150| | 151| 111| ndpi_search_http_tcp(ndpi_struct, flow); 152| | 153| |#ifdef HTTP_DEBUG 154| | printf("=> %s()\n", __FUNCTION__); 155| |#endif 156| | 157| 111| if(flow->extra_packets_func == NULL) { ------------------ | Branch (157:6): [True: 11, False: 100] ------------------ 158| | /* HTTP stuff completed */ 159| | 160| | /* Loook for TLS over websocket */ 161| 11| if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP) && /* Feature enabled */ ------------------ | | 832| 11|#define NDPI_HEURISTICS_TLS_OBFUSCATED_HTTP 0x04 /* Enable heuristic to detect proxied/obfuscated TLS flows over HTTP/WebSocket */ ------------------ | Branch (161:8): [True: 0, False: 11] ------------------ 162| 0| (flow->host_server_name[0] != '\0' && ------------------ | Branch (162:9): [True: 0, False: 0] ------------------ 163| 0| flow->http.response_status_code != 0) && /* Bidirectional HTTP traffic */ ------------------ | Branch (163:9): [True: 0, False: 0] ------------------ 164| 0| flow->http.websocket) { ------------------ | Branch (164:8): [True: 0, False: 0] ------------------ 165| | 166| 0| switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow); 167| 0| return(1); 168| 0| } 169| | 170| 11| return(0); /* We are good now */ 171| 11| } 172| | 173| 100| if (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (173:7): [True: 85, False: 15] ------------------ 174| 85| ndpi_search_json(ndpi_struct, flow); 175| 85| } 176| 100| if (flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (176:7): [True: 85, False: 15] ------------------ 177| 85| ndpi_search_msgpack(ndpi_struct, flow); 178| 85| } 179| | 180| | /* Possibly more processing */ 181| 100| return(1); 182| 111|} http.c:process_response: 1566| 51| struct ndpi_flow_struct *flow) { 1567| | 1568| 51| ndpi_parse_packet_line_info(ndpi_struct, flow); 1569| 
51| parse_response_code(ndpi_struct, flow); 1570| 51| check_content_type_and_change_protocol(ndpi_struct, flow); 1571| | 1572| 51| ndpi_validate_http_content(ndpi_struct, flow); 1573| 51|} http.c:parse_response_code: 1451| 51|{ 1452| 51| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1453| 51| char buf[4]; 1454| 51| char ec[48]; 1455| | 1456| 51| if(packet->payload_packet_len >= 12) { ------------------ | Branch (1456:6): [True: 51, False: 0] ------------------ 1457| | /* Set server HTTP response code */ 1458| 51| strncpy(buf, (char*)&packet->payload[9], 3); 1459| 51| buf[3] = '\0'; 1460| | 1461| 51| flow->http.response_status_code = atoi(buf); 1462| 51| NDPI_LOG_DBG2(ndpi_struct, "Response code %d\n", flow->http.response_status_code); ------------------ | | 597| 51|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1463| | 1464| | /* https://en.wikipedia.org/wiki/List_of_HTTP_status_codes */ 1465| 51| if((flow->http.response_status_code < 100) || (flow->http.response_status_code > 509)) ------------------ | Branch (1465:8): [True: 3, False: 48] | Branch (1465:51): [True: 1, False: 47] ------------------ 1466| 4| flow->http.response_status_code = 0; /* Out of range */ 1467| | 1468| 51| if(flow->http.response_status_code >= 400) { ------------------ | Branch (1468:8): [True: 2, False: 49] ------------------ 1469| 2| snprintf(ec, sizeof(ec), "HTTP Error Code %u", flow->http.response_status_code); 1470| 2| ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, ec); 1471| | 1472| 2| if(flow->http.url != NULL) { ------------------ | Branch (1472:10): [True: 0, False: 2] ------------------ 1473| | /* Let's check for Wordpress */ 1474| 0| char *slash = strchr(flow->http.url, '/'); 1475| | 1476| 0| if(slash != NULL && ------------------ | Branch (1476:5): [True: 0, False: 0] ------------------ 1477| 0| (((flow->http.method == NDPI_HTTP_METHOD_POST) && (strncmp(slash, "/wp-admin/", 10) == 0)) ------------------ | Branch 
(1477:14): [True: 0, False: 0] | Branch (1477:62): [True: 0, False: 0] ------------------ 1478| 0| || ((flow->http.method == NDPI_HTTP_METHOD_GET) && (strncmp(slash, "/wp-content/uploads/", 20) == 0)) ------------------ | Branch (1478:10): [True: 0, False: 0] | Branch (1478:57): [True: 0, False: 0] ------------------ 1479| 0| )) { 1480| | /* Example of popular exploits https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin/ */ 1481| 0| char str[128]; 1482| | 1483| 0| snprintf(str, sizeof(str), "Possible Wordpress Exploit [%s]", slash); 1484| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, str); 1485| 0| } 1486| 0| } 1487| 2| } 1488| 51| } 1489| 51|} http.c:ndpi_validate_http_content: 233| 51| struct ndpi_flow_struct *flow) { 234| 51| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 235| 51| const u_int8_t *double_ret = (const u_int8_t *)ndpi_strnstr((const char *)packet->payload, "\r\n\r\n", packet->payload_packet_len); 236| | 237| 51| NDPI_LOG_DBG(ndpi_struct, "==>>> [len: %u] ", packet->payload_packet_len); ------------------ | | 596| 51|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 238| 51| NDPI_LOG_DBG(ndpi_struct, "->> %.*s\n", packet->content_line.len, (const char *)packet->content_line.ptr); ------------------ | | 596| 51|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 239| | 240| 51| if(double_ret) { ------------------ | Branch (240:6): [True: 2, False: 49] ------------------ 241| 2| u_int len; 242| | 243| 2| len = packet->payload_packet_len - (double_ret - packet->payload); 244| | 245| 2| if(flow->http.is_form ------------------ | Branch (245:8): [True: 0, False: 2] ------------------ 246| 2| || ndpi_strnstr((const char *)packet->content_line.ptr, "text/", packet->content_line.len) ------------------ | Branch (246:11): [True: 0, False: 2] ------------------ 247| 2| || ndpi_strnstr((const char *)packet->content_line.ptr, "/json", packet->content_line.len) ------------------ | Branch (247:11): [True: 0, False: 2] ------------------ 248| 2| ) { 249| | /* This is supposed to be a human-readeable text file */ 250| 0| packet->http_check_content = 1; 251| | 252| 0| if(len >= 8 /* 4 chars for \r\n\r\n and at least 4 charts for content guess */) { ------------------ | Branch (252:10): [True: 0, False: 0] ------------------ 253| 0| double_ret += 4; 254| 0| len -= 4; 255| | 256| 0| ndpi_http_check_human_redeable_content(ndpi_struct, flow, double_ret, len); 257| 0| if(ndpi_struct->cfg.compute_entropy && ------------------ | Branch (257:5): [True: 0, False: 0] ------------------ 258| 0| flow->skip_entropy_check == 0) { ------------------ | Branch (258:5): [True: 0, False: 0] ------------------ 259| 0| flow->entropy = ndpi_entropy(double_ret, len); 260| 0| } 261| 0| } 262| 0| } 263| | 264| | /* Final checks */ 265| | 266| 2| if(ndpi_isset_risk(flow, NDPI_BINARY_APPLICATION_TRANSFER) ------------------ | Branch (266:8): [True: 0, False: 2] ------------------ 267| 0| && flow->http.user_agent && flow->http.content_type) { ------------------ | Branch (267:11): [True: 0, False: 0] | Branch (267:36): [True: 0, False: 0] ------------------ 268| 0| if(((strncmp((const char *)flow->http.user_agent, "Java/", 5) == 0)) ------------------ | Branch (268:10): [True: 0, False: 0] ------------------ 269| 
0| && 270| 0| ((strcmp((const char *)flow->http.content_type, "application/java-vm") == 0)) ------------------ | Branch (270:3): [True: 0, False: 0] ------------------ 271| 0| ) { 272| | /* 273| | Java downloads Java: Log4J: 274| | https://corelight.com/blog/detecting-log4j-exploits-via-zeek-when-java-downloads-java 275| | */ 276| | 277| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Suspicious Log4J"); 278| 0| } 279| 0| } 280| | 281| 2| NDPI_LOG_DBG(ndpi_struct, "\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 282| 2| } 283| | 284| 51| if((flow->http.user_agent == NULL) || (flow->http.user_agent[0] == '\0')) ------------------ | Branch (284:6): [True: 47, False: 4] | Branch (284:41): [True: 3, False: 1] ------------------ 285| 50| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); 286| 51|} http.c:process_request: 1514| 1.26k| u_int16_t filename_start) { 1515| 1.26k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1516| 1.26k| u_int16_t master_protocol; 1517| | 1518| 1.26k| ndpi_parse_packet_line_info(ndpi_struct, flow); 1519| | 1520| 1.26k| master_protocol = NDPI_PROTOCOL_HTTP; 1521| | 1522| 1.26k| if(packet->parsed_lines == 0 || ------------------ | Branch (1522:6): [True: 38, False: 1.22k] ------------------ 1523| 1.22k| !(packet->line[0].len >= (9 + filename_start) && ------------------ | Branch (1523:8): [True: 1.22k, False: 3] ------------------ 1524| 1.22k| strncasecmp((const char *)&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0)) { ------------------ | Branch (1524:8): [True: 935, False: 289] ------------------ 1525| 330| NDPI_LOG_DBG2(ndpi_struct, "Request with an incomplete or invalid first line\n"); ------------------ | | 597| 330|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1526| | /* Since we don't save data across different packets, we will never have 1527| | the complete url: we can't check for HTTP_PROXY */ 1528| 330| if(filename_start == 8 && ------------------ | Branch (1528:8): [True: 3, False: 327] ------------------ 1529| 3| strncasecmp((const char *)packet->payload, "CONNECT ", 8) == 0) { ------------------ | Branch (1529:8): [True: 3, False: 0] ------------------ 1530| 3| master_protocol = NDPI_PROTOCOL_HTTP_CONNECT; 1531| 3| } 1532| 935| } else { 1533| | /* First line is complete (example: "GET / HTTP/1.1"): extract url */ 1534| | 1535| 935| packet->http_url_name.ptr = &packet->payload[filename_start]; 1536| 935| packet->http_url_name.len = packet->line[0].len - (filename_start + 9); 1537| | 1538| 935| packet->http_method.ptr = packet->line[0].ptr; 1539| 935| packet->http_method.len = filename_start - 1; 1540| | 1541| | /* Set the HTTP requested version: 0=HTTP/1.0 and 1=HTTP/1.1 */ 1542| 935| if(memcmp(&packet->line[0].ptr[packet->line[0].len - 1], "1", 1) == 0) ------------------ | Branch (1542:8): [True: 686, False: 249] ------------------ 1543| 686| flow->http.request_version = 1; 1544| 249| else 1545| 249| flow->http.request_version = 0; 1546| | 1547| 935| if(packet->http_url_name.len > 7 && ------------------ | Branch (1547:8): [True: 935, False: 0] ------------------ 1548| 935| !strncasecmp((const char*) packet->http_url_name.ptr, "http://", 7)) { ------------------ | Branch (1548:8): [True: 1, False: 934] ------------------ 1549| 1| master_protocol = NDPI_PROTOCOL_HTTP_PROXY; 1550| 1| } 1551| 935| if(filename_start == 8 && ------------------ | Branch (1551:8): [True: 2, False: 933] ------------------ 1552| 2| strncasecmp((const char *)packet->payload, "CONNECT ", 8) == 0) { ------------------ | Branch (1552:8): [True: 2, False: 0] ------------------ 1553| 2| master_protocol = NDPI_PROTOCOL_HTTP_CONNECT; 1554| 2| } 1555| 935| } 1556| 1.26k| 
ndpi_int_http_add_connection(ndpi_struct, flow, master_protocol); 1557| 1.26k| check_content_type_and_change_protocol(ndpi_struct, flow); 1558| | 1559| 1.26k| if(flow->http.user_agent == NULL || ------------------ | Branch (1559:6): [True: 1.12k, False: 141] ------------------ 1560| 1.12k| flow->http.user_agent[0] == '\0') { ------------------ | Branch (1560:6): [True: 4, False: 137] ------------------ 1561| 1.12k| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Empty or missing User-Agent"); 1562| 1.12k| } 1563| 1.26k|} http.c:reset: 1576| 33| struct ndpi_flow_struct *flow) { 1577| | 1578| 33| NDPI_LOG_DBG2(ndpi_struct, "Reset status and risks\n"); ------------------ | | 597| 33|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1579| | 1580| | /* Reset everything in flow->http. 1581| | TODO: Could we be smarter? Probably some info don't change across 1582| | different req-res transactions... */ 1583| | 1584| 33| flow->http.method = 0; 1585| 33| flow->http.request_version = 0; 1586| 33| flow->http.response_status_code = 0; 1587| 33| if(flow->http.url) { ------------------ | Branch (1587:6): [True: 20, False: 13] ------------------ 1588| 20| ndpi_free(flow->http.url); 1589| 20| flow->http.url = NULL; 1590| 20| } 1591| 33| if(flow->http.content_type) { ------------------ | Branch (1591:6): [True: 0, False: 33] ------------------ 1592| 0| ndpi_free(flow->http.content_type); 1593| 0| flow->http.content_type = NULL; 1594| 0| } 1595| 33| if(flow->http.request_content_type) { ------------------ | Branch (1595:6): [True: 0, False: 33] ------------------ 1596| 0| ndpi_free(flow->http.request_content_type); 1597| 0| flow->http.request_content_type = NULL; 1598| 0| } 1599| 33| if(flow->http.user_agent) { ------------------ | Branch (1599:6): [True: 0, False: 33] ------------------ 1600| 0| ndpi_free(flow->http.user_agent); 1601| 0| flow->http.user_agent = NULL; 1602| 0| } 1603| 33| if(flow->http.server) { 
------------------ | Branch (1603:6): [True: 0, False: 33] ------------------ 1604| 0| ndpi_free(flow->http.server); 1605| 0| flow->http.server = NULL; 1606| 0| } 1607| 33| if(flow->http.referer) { ------------------ | Branch (1607:6): [True: 0, False: 33] ------------------ 1608| 0| ndpi_free(flow->http.referer); 1609| 0| flow->http.referer = NULL; 1610| 0| } 1611| 33| if(flow->http.host) { ------------------ | Branch (1611:6): [True: 21, False: 12] ------------------ 1612| 21| ndpi_free(flow->http.host); 1613| 21| flow->http.host = NULL; 1614| 21| } 1615| 33| if(flow->http.detected_os) { ------------------ | Branch (1615:6): [True: 0, False: 33] ------------------ 1616| 0| ndpi_free(flow->http.detected_os); 1617| 0| flow->http.detected_os = NULL; 1618| 0| } 1619| 33| if(flow->http.nat_ip) { ------------------ | Branch (1619:6): [True: 0, False: 33] ------------------ 1620| 0| ndpi_free(flow->http.nat_ip); 1621| 0| flow->http.nat_ip = NULL; 1622| 0| } 1623| 33| if(flow->http.filename) { ------------------ | Branch (1623:6): [True: 0, False: 33] ------------------ 1624| 0| ndpi_free(flow->http.filename); 1625| 0| flow->http.filename = NULL; 1626| 0| } 1627| 33| if(flow->http.username) { ------------------ | Branch (1627:6): [True: 0, False: 33] ------------------ 1628| 0| ndpi_free(flow->http.username); 1629| 0| flow->http.username = NULL; 1630| 0| } 1631| 33| if(flow->http.password) { ------------------ | Branch (1631:6): [True: 0, False: 33] ------------------ 1632| 0| ndpi_free(flow->http.password); 1633| 0| flow->http.password = NULL; 1634| 0| } 1635| | 1636| | /* Reset flow risks. We should reset only those risks triggered by 1637| | the previous HTTP response... 
*/ 1638| | /* TODO */ 1639| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER); 1640| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_CONTENT); 1641| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT); 1642| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); 1643| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT); 1644| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); 1645| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_URL_POSSIBLE_RCE_INJECTION); 1646| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER); 1647| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS); 1648| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS); 1649| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER); 1650| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED); 1651| 33| ndpi_unset_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET); 1652| 33|} http.c:check_content_type_and_change_protocol: 1059| 1.36k| struct ndpi_flow_struct *flow) { 1060| 1.36k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1061| 1.36k| u_int len; 1062| 1.36k| int hostname_just_set = 0; 1063| | 1064| 1.36k| if((flow->http.url == NULL) ------------------ | Branch (1064:6): [True: 1.36k, False: 7] ------------------ 1065| 1.36k| && (packet->http_url_name.len > 0) ------------------ | Branch (1065:9): [True: 935, False: 425] ------------------ 1066| 935| && (packet->host_line.len > 0)) { ------------------ | Branch (1066:9): [True: 918, False: 17] ------------------ 1067| 918| int len = packet->http_url_name.len + packet->host_line.len + 1; 1068| | 1069| 918| if(ndpi_isdigit(packet->host_line.ptr[0]) ------------------ | | 2526| 1.83k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 832, False: 86] | | | Branch (2526:42): [True: 6, False: 826] | | ------------------ ------------------ 1070| 6| && 
(packet->host_line.len < 21)) ------------------ | Branch (1070:11): [True: 4, False: 2] ------------------ 1071| 4| ndpi_check_numeric_ip(ndpi_struct, flow, (char*)packet->host_line.ptr, packet->host_line.len); 1072| | 1073| 918| flow->http.url = ndpi_malloc(len); 1074| | 1075| 918| if(flow->http.url) { ------------------ | Branch (1075:8): [True: 908, False: 10] ------------------ 1076| 908| u_int offset = 0, host_end = 0; 1077| | 1078| 908| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_CONNECT) { ------------------ | Branch (1078:10): [True: 1, False: 907] ------------------ 1079| 1| strncpy(flow->http.url, (char*)packet->http_url_name.ptr, 1080| 1| packet->http_url_name.len); 1081| | 1082| 1| flow->http.url[packet->http_url_name.len] = '\0'; 1083| 907| } else { 1084| | /* Check if we pass through a proxy (usually there is also the Via: ... header) */ 1085| 907| if(strncmp((char*)packet->http_url_name.ptr, "http://", 7) != 0) { ------------------ | Branch (1085:5): [True: 906, False: 1] ------------------ 1086| 906| strncpy(flow->http.url, (char*)packet->host_line.ptr, offset = packet->host_line.len); 1087| 906| host_end = packet->host_line.len; 1088| 906| } 1089| | 1090| 907| if((packet->host_line.len == packet->http_url_name.len) ------------------ | Branch (1090:5): [True: 1, False: 906] ------------------ 1091| 1| && (strncmp((char*)packet->host_line.ptr, ------------------ | Branch (1091:8): [True: 0, False: 1] ------------------ 1092| 1| (char*)packet->http_url_name.ptr, packet->http_url_name.len) == 0)) 1093| 0| ; 1094| 907| else { 1095| 907| strncpy(&flow->http.url[offset], (char*)packet->http_url_name.ptr, 1096| 907| packet->http_url_name.len); 1097| 907| offset += packet->http_url_name.len; 1098| 907| } 1099| | 1100| 907| flow->http.url[offset] = '\0'; 1101| 907| } 1102| | 1103| 908| ndpi_check_http_url(ndpi_struct, flow, &flow->http.url[host_end]); 1104| 908| ndpi_check_http_url_subprotocol(ndpi_struct, flow); 1105| 908| } 1106| 918| } 
1107| | 1108| 1.36k| if(packet->http_method.ptr != NULL) ------------------ | Branch (1108:6): [True: 935, False: 432] ------------------ 1109| 935| flow->http.method = ndpi_http_str2method((const char*)packet->http_method.ptr, 1110| 935| (u_int16_t)packet->http_method.len); 1111| | 1112| 1.36k| if(packet->server_line.ptr != NULL) ------------------ | Branch (1112:6): [True: 29, False: 1.33k] ------------------ 1113| 29| ndpi_check_http_server(ndpi_struct, flow, (const char *)packet->server_line.ptr, packet->server_line.len); 1114| | 1115| 1.36k| if(packet->user_agent_line.ptr != NULL) { ------------------ | Branch (1115:6): [True: 162, False: 1.20k] ------------------ 1116| 162| http_process_user_agent(ndpi_struct, flow, packet->user_agent_line.ptr, packet->user_agent_line.len); 1117| 162| } 1118| | 1119| 1.36k| if(packet->forwarded_line.ptr != NULL) { ------------------ | Branch (1119:6): [True: 3, False: 1.36k] ------------------ 1120| 3| if(flow->http.nat_ip == NULL) { ------------------ | Branch (1120:8): [True: 3, False: 0] ------------------ 1121| 3| len = packet->forwarded_line.len; 1122| 3| flow->http.nat_ip = ndpi_malloc(len + 1); 1123| 3| if(flow->http.nat_ip != NULL) { ------------------ | Branch (1123:10): [True: 2, False: 1] ------------------ 1124| 2| strncpy(flow->http.nat_ip, (char*)packet->forwarded_line.ptr, len); 1125| 2| flow->http.nat_ip[len] = '\0'; 1126| 2| } 1127| 3| } 1128| 3| } 1129| | 1130| 1.36k| if(packet->upgrade_line.ptr != NULL) { ------------------ | Branch (1130:6): [True: 67, False: 1.30k] ------------------ 1131| 67| if((flow->http.response_status_code == 101) ------------------ | Branch (1131:8): [True: 2, False: 65] ------------------ 1132| 2| && (packet->upgrade_line.len >= 9) ------------------ | Branch (1132:11): [True: 1, False: 1] ------------------ 1133| 1| && memcmp((char *)packet->upgrade_line.ptr, "websocket", 9) == 0) ------------------ | Branch (1133:11): [True: 1, False: 0] ------------------ 1134| 1| 
flow->http.websocket = 1; 1135| 67| } 1136| | 1137| 1.36k| if(packet->server_line.ptr != NULL) { ------------------ | Branch (1137:6): [True: 29, False: 1.33k] ------------------ 1138| 29| if(flow->http.server == NULL && ndpi_struct->cfg.http_resp_server_enabled) { ------------------ | Branch (1138:8): [True: 29, False: 0] | Branch (1138:37): [True: 29, False: 0] ------------------ 1139| 29| len = packet->server_line.len + 1; 1140| 29| flow->http.server = ndpi_malloc(len); 1141| 29| if(flow->http.server) { ------------------ | Branch (1141:10): [True: 25, False: 4] ------------------ 1142| 25| strncpy(flow->http.server, (char*)packet->server_line.ptr, 1143| 25| packet->server_line.len); 1144| 25| flow->http.server[packet->server_line.len] = '\0'; 1145| 25| } 1146| 29| } 1147| 29| } 1148| | 1149| 1.36k| if(packet->authorization_line.ptr != NULL && ------------------ | Branch (1149:6): [True: 0, False: 1.36k] ------------------ 1150| 0| (ndpi_struct->cfg.http_username_enabled || ndpi_struct->cfg.http_password_enabled)) { ------------------ | Branch (1150:7): [True: 0, False: 0] | Branch (1150:49): [True: 0, False: 0] ------------------ 1151| 0| const char *a = NULL, *b = NULL; 1152| | 1153| 0| NDPI_LOG_DBG2(ndpi_struct, "Authorization line found %.*s\n", ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1154| 0| packet->authorization_line.len, packet->authorization_line.ptr); 1155| | 1156| 0| if(flow->http.username == NULL && flow->http.password == NULL) { ------------------ | Branch (1156:8): [True: 0, False: 0] | Branch (1156:39): [True: 0, False: 0] ------------------ 1157| 0| if((a = ndpi_strncasestr((const char*)packet->authorization_line.ptr, ------------------ | Branch (1157:10): [True: 0, False: 0] ------------------ 1158| 0| "Basic", packet->authorization_line.len)) 1159| 0| || (b = ndpi_strncasestr((const char*)packet->authorization_line.ptr, ------------------ | Branch (1159:13): [True: 0, False: 0] ------------------ 1160| 0| "Digest", packet->authorization_line.len))) { 1161| 0| size_t content_len; 1162| 0| u_int len = b ? 7 : 6; ------------------ | Branch (1162:21): [True: 0, False: 0] ------------------ 1163| | 1164| 0| if(packet->authorization_line.len > len) { ------------------ | Branch (1164:5): [True: 0, False: 0] ------------------ 1165| 0| u_char *content = ndpi_base64_decode((const u_char*)&packet->authorization_line.ptr[len], 1166| 0| packet->authorization_line.len - len, &content_len); 1167| | 1168| 0| if(content != NULL) { ------------------ | Branch (1168:7): [True: 0, False: 0] ------------------ 1169| 0| char *double_dot = strchr((char*)content, ':'); 1170| | 1171| 0| if(double_dot) { ------------------ | Branch (1171:9): [True: 0, False: 0] ------------------ 1172| 0| double_dot[0] = '\0'; 1173| 0| if(ndpi_struct->cfg.http_username_enabled) ------------------ | Branch (1173:11): [True: 0, False: 0] ------------------ 1174| 0| flow->http.username = ndpi_strdup((char*)content); 1175| 0| if(ndpi_struct->cfg.http_password_enabled) ------------------ | Branch (1175:11): [True: 0, False: 0] ------------------ 1176| 0| flow->http.password = ndpi_strdup(&double_dot[1]); 1177| 0| } 1178| | 1179| 0| ndpi_free(content); 1180| 0| } 1181| | 1182| 0| ndpi_set_risk(ndpi_struct, flow, 
NDPI_CLEAR_TEXT_CREDENTIALS, 1183| 0| "Found credentials in HTTP Auth Line"); 1184| 0| } 1185| 0| } 1186| 0| } 1187| 0| } 1188| | 1189| 1.36k| if((packet->referer_line.ptr != NULL) && (flow->http.referer == NULL)) ------------------ | Branch (1189:6): [True: 15, False: 1.35k] | Branch (1189:44): [True: 15, False: 0] ------------------ 1190| 15| if(ndpi_struct->cfg.http_referer_enabled) ------------------ | Branch (1190:8): [True: 15, False: 0] ------------------ 1191| 15| flow->http.referer = ndpi_strndup((const char *)packet->referer_line.ptr, packet->referer_line.len); 1192| | 1193| 1.36k| if((packet->host_line.ptr != NULL) && (flow->http.host == NULL)) { ------------------ | Branch (1193:6): [True: 1.06k, False: 306] | Branch (1193:41): [True: 1.05k, False: 2] ------------------ 1194| 1.05k| if(ndpi_struct->cfg.http_host_enabled) { ------------------ | Branch (1194:8): [True: 1.05k, False: 0] ------------------ 1195| 1.05k| flow->http.host = ndpi_strndup((const char *)packet->host_line.ptr, packet->host_line.len); 1196| | 1197| 1.05k| if(flow->http.host != NULL) { ------------------ | Branch (1197:10): [True: 998, False: 61] ------------------ 1198| 998| char *double_column = strchr(flow->http.host, ':'); 1199| | 1200| 998| if(double_column != NULL) ------------------ | Branch (1200:5): [True: 289, False: 709] ------------------ 1201| 289| double_column[0] = '\0'; 1202| | 1203| 998| if(ndpi_struct->cfg.hostname_dns_check_enabled ------------------ | Branch (1203:5): [True: 0, False: 998] ------------------ 1204| 0| && (ndpi_check_is_numeric_ip(flow->http.host) == false)) { ------------------ | Branch (1204:8): [True: 0, False: 0] ------------------ 1205| 0| ndpi_ip_addr_t ip_addr; 1206| | 1207| 0| memset(&ip_addr, 0, sizeof(ip_addr)); 1208| | 1209| 0| if(packet->iph) ------------------ | Branch (1209:7): [True: 0, False: 0] ------------------ 1210| 0| ip_addr.ipv4 = packet->iph->daddr; 1211| 0| else 1212| 0| memcpy(&ip_addr.ipv6, &packet->iphv6->ip6_dst, 
sizeof(struct ndpi_in6_addr)); 1213| | 1214| 0| if(!ndpi_cache_find_hostname_ip(ndpi_struct, &ip_addr, flow->http.host)) { ------------------ | Branch (1214:7): [True: 0, False: 0] ------------------ 1215| |#ifdef DEBUG_HTTP 1216| | printf("[HTTP] Not found host %s\n", flow->http.host); 1217| |#endif 1218| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_UNRESOLVED_HOSTNAME, flow->http.host); 1219| | 1220| 0| } else { 1221| |#ifdef DEBUG_HTTP 1222| | printf("[HTTP] Found host %s\n", flow->http.host); 1223| |#endif 1224| 0| } 1225| | 1226| 0| } 1227| 998| } 1228| 1.05k| } 1229| 1.05k| } 1230| | 1231| 1.36k| if(packet->content_line.ptr != NULL) { ------------------ | Branch (1231:6): [True: 52, False: 1.31k] ------------------ 1232| 52| NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", ------------------ | | 597| 52|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1233| 52| packet->content_line.len, packet->content_line.ptr); 1234| | 1235| 52| if(flow->http.response_status_code == 0) { ------------------ | Branch (1235:8): [True: 49, False: 3] ------------------ 1236| | /* Request */ 1237| 49| if((flow->http.request_content_type == NULL) && (packet->content_line.len > 0)) { ------------------ | Branch (1237:10): [True: 49, False: 0] | Branch (1237:55): [True: 48, False: 1] ------------------ 1238| 48| if(ndpi_struct->cfg.http_request_content_type_enabled) { ------------------ | Branch (1238:5): [True: 48, False: 0] ------------------ 1239| 48| int len = packet->content_line.len + 1; 1240| | 1241| 48| flow->http.request_content_type = ndpi_malloc(len); 1242| 48| if(flow->http.request_content_type) { ------------------ | Branch (1242:14): [True: 47, False: 1] ------------------ 1243| 47| strncpy(flow->http.request_content_type, (char*)packet->content_line.ptr, 1244| 47| packet->content_line.len); 1245| 47| flow->http.request_content_type[packet->content_line.len] = '\0'; 1246| 47| } 1247| 48| } 1248| | 1249| 48| 
if(ndpi_strnstr((char*)packet->content_line.ptr, "x-www-form-urlencoded", packet->content_line.len)) ------------------ | Branch (1249:5): [True: 0, False: 48] ------------------ 1250| 0| flow->http.is_form = 1; 1251| 48| } 1252| 49| } else { 1253| | /* Response */ 1254| 3| if((flow->http.content_type == NULL) && (packet->content_line.len > 0)) { ------------------ | Branch (1254:10): [True: 3, False: 0] | Branch (1254:47): [True: 3, False: 0] ------------------ 1255| 3| if(ndpi_struct->cfg.http_resp_content_type_enabled) { ------------------ | Branch (1255:12): [True: 3, False: 0] ------------------ 1256| | 1257| 3| int len = packet->content_line.len + 1; 1258| | 1259| 3| flow->http.content_type = ndpi_malloc(len); 1260| 3| if(flow->http.content_type) { ------------------ | Branch (1260:7): [True: 2, False: 1] ------------------ 1261| 2| strncpy(flow->http.content_type, (char*)packet->content_line.ptr, 1262| 2| packet->content_line.len); 1263| 2| flow->http.content_type[packet->content_line.len] = '\0'; 1264| 2| } 1265| 3| } 1266| | 1267| 3| flow->category = ndpi_http_check_content(ndpi_struct, flow); 1268| 3| } 1269| 3| } 1270| 52| } 1271| | 1272| | /* check for host line (only if we don't already have an hostname) */ 1273| 1.36k| if(packet->host_line.ptr != NULL && flow->host_server_name[0] == '\0') { ------------------ | Branch (1273:6): [True: 1.06k, False: 306] | Branch (1273:39): [True: 1.03k, False: 26] ------------------ 1274| | 1275| 1.03k| NDPI_LOG_DBG2(ndpi_struct, "HOST line found %.*s\n", ------------------ | | 597| 1.03k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1276| 1.03k| packet->host_line.len, packet->host_line.ptr); 1277| | 1278| | /* Copy result for nDPI apps */ 1279| 1.03k| ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL | NDPI_HOSTNAME_NORM_STRIP_PORT); ------------------ | | 516| 1.03k|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 1.03k|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 1.03k|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 1.03k|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL | NDPI_HOSTNAME_NORM_STRIP_PORT); ------------------ | | 515| 1.03k|#define NDPI_HOSTNAME_NORM_STRIP_PORT 8 /* Used by SSDP/HTTP, for the time being */ ------------------ 1280| | 1281| 1.03k| if(strlen(flow->host_server_name) > 0) { ------------------ | Branch (1281:8): [True: 969, False: 66] ------------------ 1282| 969| char *double_col; 1283| 969| int a, b, c, d; 1284| 969| u_int16_t host_line_length; 1285| | 1286| 969| hostname_just_set = 1; 1287| 969| host_line_length = packet->host_line.len; 1288| | 1289| | /* If hostname is $hostame:$port, ignore the trailing port. 
Check 1290| | that it is a valid port */ 1291| 969| double_col = ndpi_memrchr(packet->host_line.ptr, ':', packet->host_line.len); 1292| 969| if(double_col) { ------------------ | Branch (1292:10): [True: 330, False: 639] ------------------ 1293| 330| char *endptr, port_str[6]; /* 65535 + \0 */ 1294| 330| int port_str_len; 1295| 330| long port; 1296| | 1297| 330| port_str_len = (char *)packet->host_line.ptr + packet->host_line.len - double_col - 1; 1298| | 1299| 330| if(port_str_len > 0 && port_str_len < 6) { ------------------ | Branch (1299:12): [True: 329, False: 1] | Branch (1299:32): [True: 27, False: 302] ------------------ 1300| 27| memcpy(port_str, double_col + 1, port_str_len); 1301| 27| port_str[port_str_len] = '\0'; 1302| | 1303| | /* We can't easily use ndpi_strtonum because we want to be sure that there are no 1304| | others characters after the number */ 1305| 27| errno = 0; /* To distinguish success/failure after call */ 1306| 27| port = strtol(port_str, &endptr, 10); 1307| 27| if(errno == 0 && *endptr == '\0' && ------------------ | Branch (1307:14): [True: 27, False: 0] | Branch (1307:28): [True: 18, False: 9] ------------------ 1308| 18| (port >= 0 && port <= 65535)) { ------------------ | Branch (1308:15): [True: 17, False: 1] | Branch (1308:28): [True: 17, False: 0] ------------------ 1309| 17| host_line_length = double_col - (char *)packet->host_line.ptr; 1310| 17| } 1311| 27| } 1312| 330| } 1313| | 1314| 969| if(ndpi_is_valid_hostname((char *)packet->host_line.ptr, ------------------ | Branch (1314:10): [True: 881, False: 88] ------------------ 1315| 969| host_line_length) == 0) { 1316| 881| char str[128]; 1317| | 1318| 881| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) { ------------------ | Branch (1318:12): [True: 881, False: 0] ------------------ 1319| 881| snprintf(str, sizeof(str), "Invalid host %s", flow->host_server_name); 1320| 881| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); 1321| 881| } else { 
1322| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, NULL); 1323| 0| } 1324| | 1325| | /* This looks like an attack */ 1326| | 1327| 881| snprintf(str, sizeof(str), "Suspicious hostname [%.*s]: attack ?", packet->host_line.len, (char *)packet->host_line.ptr); 1328| 881| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, str); 1329| 881| } 1330| | 1331| 969| if(ndpi_struct->packet.iph ------------------ | Branch (1331:10): [True: 969, False: 0] ------------------ 1332| 969| && (sscanf(flow->host_server_name, "%d.%d.%d.%d", &a, &b, &c, &d) == 4)) { ------------------ | Branch (1332:13): [True: 19, False: 950] ------------------ 1333| | /* IPv4 */ 1334| | 1335| 19| if(ndpi_struct->packet.iph->daddr != inet_addr(flow->host_server_name)) { ------------------ | Branch (1335:12): [True: 19, False: 0] ------------------ 1336| 19| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_HEADER)) { ------------------ | Branch (1336:14): [True: 19, False: 0] ------------------ 1337| 19| char buf[64], msg[128]; 1338| | 1339| 19| snprintf(msg, sizeof(msg), "Expected %s, found %s", 1340| 19| ndpi_intoav4(ntohl(ndpi_struct->packet.iph->daddr), buf, sizeof(buf)), flow->host_server_name); 1341| 19| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); 1342| 19| } else { 1343| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, NULL); 1344| 0| } 1345| 19| } 1346| 19| } 1347| 969| } 1348| | 1349| 1.03k| } 1350| | 1351| 1.36k| ndpi_http_parse_subprotocol(ndpi_struct, flow, hostname_just_set); 1352| | 1353| 1.36k| if(hostname_just_set && strlen(flow->host_server_name) > 0) { ------------------ | Branch (1353:6): [True: 969, False: 398] | Branch (1353:27): [True: 969, False: 0] ------------------ 1354| 969| ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 0, 0); 1355| 969| } 1356| | 1357| | /* At the very end: we want to override any previous category match 1358| | (exception: custom rule via url matching) */ 1359| 
1.36k| if(flow->confidence != NDPI_CONFIDENCE_CUSTOM_RULE) { ------------------ | Branch (1359:6): [True: 1.36k, False: 0] ------------------ 1360| 1.36k| if(flow->http.url) { ------------------ | Branch (1360:8): [True: 915, False: 452] ------------------ 1361| 915| if(ends_with(ndpi_struct, (char *)flow->http.url, "/generate_204") || ------------------ | Branch (1361:10): [True: 2, False: 913] ------------------ 1362| 913| ends_with(ndpi_struct, (char *)flow->http.url, "/generate204")) { ------------------ | Branch (1362:10): [True: 4, False: 909] ------------------ 1363| 6| flow->category = NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK; 1364| 6| } 1365| 915| } 1366| 1.36k| } 1367| 1.36k|} http.c:ndpi_check_numeric_ip: 919| 4| char *ip, u_int ip_len) { 920| 4| char buf[22], *double_dot; 921| 4| struct in_addr ip_addr; 922| | 923| 4| strncpy(buf, ip, ip_len); 924| 4| buf[ip_len] = '\0'; 925| | 926| 4| if((double_dot = strchr(buf, ':')) != NULL) ------------------ | Branch (926:6): [True: 2, False: 2] ------------------ 927| 2| double_dot[0] = '\0'; 928| | 929| 4| ip_addr.s_addr = inet_addr(buf); 930| 4| if(strcmp(inet_ntoa(ip_addr), buf) == 0) { ------------------ | Branch (930:6): [True: 3, False: 1] ------------------ 931| 3| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_NUMERIC_IP_HOST)) { ------------------ | Branch (931:8): [True: 3, False: 0] ------------------ 932| 3| char str[64]; 933| | 934| 3| snprintf(str, sizeof(str), "Found host %s", buf); 935| 3| ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, str); 936| 3| } else { 937| | ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, NULL); 938| 0| } 939| 3| } 940| 4|} http.c:ndpi_check_http_url: 946| 908| char *url) { 947| 908| char msg[512]; 948| 908| ndpi_risk_enum r; 949| | 950| 908| if(strstr(url, "") != NULL /* PHP code in the URL */) { ------------------ | Branch (950:6): [True: 1, False: 907] ------------------ 951| 1| r = NDPI_URL_POSSIBLE_RCE_INJECTION; 952| 1| snprintf(msg, sizeof(msg), "PHP 
code in URL [%s]", url); 953| 907| } else if(strncmp(url, "/shell?", 7) == 0) { ------------------ | Branch (953:13): [True: 2, False: 905] ------------------ 954| 2| r = NDPI_URL_POSSIBLE_RCE_INJECTION; 955| 2| snprintf(msg, sizeof(msg), "Possible WebShell detected [%s]", url); 956| 905| } else if(strncmp(url, "/.", 2) == 0) { ------------------ | Branch (956:13): [True: 1, False: 904] ------------------ 957| 1| r = NDPI_POSSIBLE_EXPLOIT; 958| 1| snprintf(msg, sizeof(msg), "URL starting with dot [%s]", url); 959| 904| } else { 960| 904| r = ndpi_validate_url(ndpi_struct, flow, url); 961| 904| return; 962| 904| } 963| | 964| 4| ndpi_set_risk(ndpi_struct, flow, r, msg); 965| 4|} http.c:ndpi_check_http_url_subprotocol: 971| 908| struct ndpi_flow_struct *flow) { 972| 908| if(flow->http.url) { ------------------ | Branch (972:6): [True: 908, False: 0] ------------------ 973| 908| if(ndpi_struct->http_url_hashmap) { ------------------ | Branch (973:8): [True: 0, False: 908] ------------------ 974| 0| u_int64_t id; 975| 0| u_int16_t proto, category, breed; 976| | 977| | /* This protocol has been defined in protos.txt-like files */ 978| 0| if(ndpi_hash_find_entry(ndpi_struct->http_url_hashmap, ------------------ | Branch (978:10): [True: 0, False: 0] ------------------ 979| 0| flow->http.url, strlen(flow->http.url), 980| 0| &id) == 0) { 981| 0| proto = id & 0xFFFF; 982| 0| category = (id & 0xFFFF0000) >> 16; 983| 0| breed = (id & 0xFFFF00000000) >> 32; 984| 0| ndpi_set_detected_protocol(ndpi_struct, flow, proto, 985| 0| ndpi_get_master_proto(ndpi_struct, flow), 986| 0| NDPI_CONFIDENCE_CUSTOM_RULE); 987| 0| flow->category = category; 988| 0| flow->breed = breed; 989| 0| } 990| 0| } 991| 908| } 992| 908|} http.c:ndpi_check_http_server: 1001| 29| const char *server, u_int server_len) { 1002| 29| if(server[0] != '\0') { ------------------ | Branch (1002:6): [True: 27, False: 2] ------------------ 1003| 27| if(server_len > 7) { ------------------ | Branch (1003:8): [True: 26, 
False: 1] ------------------ 1004| 26| u_int off, i; 1005| | 1006| 26| if((strncasecmp(server, "Apache/", off = 7) == 0) /* X.X.X */ ------------------ | Branch (1006:10): [True: 0, False: 26] ------------------ 1007| 26| || (strncasecmp(server, "nginx/", off = 6) == 0) /* X.X.X */) { ------------------ | Branch (1007:6): [True: 0, False: 26] ------------------ 1008| 0| u_int j, a, b, c; 1009| 0| char buf[16] = { '\0' }; 1010| | 1011| 0| for(i=off, j=0; (i= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 0, False: 0] | | | Branch (2526:42): [True: 0, False: 0] | | ------------------ ------------------ | Branch (1012:39): [True: 0, False: 0] ------------------ 1013| 0| buf[j++] = server[i]; 1014| | 1015| 0| if(sscanf(buf, "%u.%u.%u", &a, &b, &c) == 3) { ------------------ | Branch (1015:5): [True: 0, False: 0] ------------------ 1016| 0| u_int32_t version = (a * 1000000) + (b * 1000) + c; 1017| 0| char msg[64]; 1018| | 1019| 0| if((off == 7) && (version < MIN_APACHE_VERSION)) { ------------------ | | 996| 0|#define MIN_APACHE_VERSION 2004000 /* 2.4.X [https://endoflife.date/apache] */ ------------------ | Branch (1019:7): [True: 0, False: 0] | Branch (1019:21): [True: 0, False: 0] ------------------ 1020| 0| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_OBSOLETE_SERVER)) { ------------------ | Branch (1020:9): [True: 0, False: 0] ------------------ 1021| 0| snprintf(msg, sizeof(msg), "Obsolete Apache server %s", buf); 1022| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); 1023| 0| } else { 1024| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, NULL); 1025| 0| } 1026| 0| } else if((off == 6) && (version < MIN_NGINX_VERSION)) { ------------------ | | 997| 0|#define MIN_NGINX_VERSION 1022000 /* 1.22.0 [https://endoflife.date/nginx] */ ------------------ | Branch (1026:14): [True: 0, False: 0] | Branch (1026:28): [True: 0, False: 0] ------------------ 1027| 0| if(is_flowrisk_info_enabled(ndpi_struct, 
NDPI_HTTP_OBSOLETE_SERVER)) { ------------------ | Branch (1027:9): [True: 0, False: 0] ------------------ 1028| 0| snprintf(msg, sizeof(msg), "Obsolete nginx server %s", buf); 1029| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, msg); 1030| 0| } else { 1031| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_OBSOLETE_SERVER, NULL); 1032| 0| } 1033| 0| } 1034| 0| } 1035| 0| } 1036| | 1037| | /* Check server content */ 1038| 259| for(i=0; i= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 233, False: 24] | | | Branch (2529:43): [True: 233, False: 0] | | ------------------ ------------------ 1040| 24| char msg[64]; 1041| | 1042| 24| snprintf(msg, sizeof(msg), "Suspicious Agent [%.*s]", server_len, server); 1043| | 1044| 24| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_HEADER, msg); 1045| 24| break; 1046| 24| } 1047| 257| } 1048| 26| } 1049| 27| } 1050| 29|} http.c:http_process_user_agent: 844| 162| const u_int8_t *ua_ptr, u_int16_t ua_ptr_len) { 845| | /** 846| | Format examples: 847| | Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) .... 848| | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0 849| | */ 850| 162| if(ua_ptr_len > 7) { ------------------ | Branch (850:6): [True: 151, False: 11] ------------------ 851| 151| char ua[256]; 852| 151| u_int mlen = ndpi_min(ua_ptr_len, sizeof(ua)-1); ------------------ | | 113| 151|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 114, False: 37] | | ------------------ ------------------ 853| | 854| 151| strncpy(ua, (const char *)ua_ptr, mlen); 855| 151| ua[mlen] = '\0'; 856| | 857| 151| if(strncmp(ua, "Mozilla", 7) == 0) { ------------------ | Branch (857:8): [True: 73, False: 78] ------------------ 858| 73| char *parent = strchr(ua, '('); 859| | 860| 73| if(parent) { ------------------ | Branch (860:10): [True: 70, False: 3] ------------------ 861| 70| char *token, *end; 862| | 863| 70| parent++; 864| 70| end = strchr(parent, ')'); 865| 70| if(end) end[0] = '\0'; ------------------ | Branch (865:5): [True: 8, False: 62] ------------------ 866| | 867| 70| token = strsep(&parent, ";"); 868| 70| if(token) { ------------------ | Branch (868:5): [True: 70, False: 0] ------------------ 869| 70| if((strcmp(token, "X11") == 0) ------------------ | Branch (869:7): [True: 0, False: 70] ------------------ 870| 70| || (strcmp(token, "compatible") == 0) ------------------ | Branch (870:10): [True: 37, False: 33] ------------------ 871| 33| || (strcmp(token, "Linux") == 0) ------------------ | Branch (871:10): [True: 4, False: 29] ------------------ 872| 29| || (strcmp(token, "Macintosh") == 0) ------------------ | Branch (872:10): [True: 0, False: 29] ------------------ 873| 70| ) { 874| 41| token = strsep(&parent, ";"); 875| 41| if(token && (token[0] == ' ')) token++; /* Skip space */ ------------------ | Branch (875:9): [True: 40, False: 1] | Branch (875:18): [True: 37, False: 3] ------------------ 876| | 877| 41| if(token ------------------ | Branch (877:9): [True: 40, False: 1] ------------------ 878| 40| && ((strcmp(token, "U") == 0) ------------------ | Branch (878:13): [True: 0, False: 40] ------------------ 879| 40| || (strncmp(token, "MSIE", 4) == 0))) { ------------------ | Branch (879:9): [True: 28, False: 12] ------------------ 880| 28| token = strsep(&parent, ";"); 881| 28| if(token && (token[0] == ' ')) token++; /* Skip space */ 
------------------ | Branch (881:11): [True: 27, False: 1] | Branch (881:20): [True: 2, False: 25] ------------------ 882| | 883| 28| if(token && (strncmp(token, "Update", 6) == 0)) { ------------------ | Branch (883:18): [True: 27, False: 1] | Branch (883:27): [True: 0, False: 27] ------------------ 884| 0| token = strsep(&parent, ";"); 885| | 886| 0| if(token && (token[0] == ' ')) token++; /* Skip space */ ------------------ | Branch (886:20): [True: 0, False: 0] | Branch (886:29): [True: 0, False: 0] ------------------ 887| | 888| 0| if(token && (strncmp(token, "AOL", 3) == 0)) { ------------------ | Branch (888:20): [True: 0, False: 0] | Branch (888:29): [True: 0, False: 0] ------------------ 889| | 890| 0| token = strsep(&parent, ";"); 891| 0| if(token && (token[0] == ' ')) token++; /* Skip space */ ------------------ | Branch (891:22): [True: 0, False: 0] | Branch (891:31): [True: 0, False: 0] ------------------ 892| 0| } 893| 0| } 894| 28| } 895| 41| } 896| | 897| 70| if(token) ------------------ | Branch (897:14): [True: 68, False: 2] ------------------ 898| 68| setHttpUserAgent(flow, token); 899| 70| } 900| 70| } 901| 73| } 902| 151| } 903| | 904| 162| if(ndpi_user_agent_set(flow, ua_ptr, ua_ptr_len) != NULL) { ------------------ | Branch (904:6): [True: 143, False: 19] ------------------ 905| 143| ndpi_unset_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT); 906| 143| ndpi_check_user_agent(ndpi_struct, flow, flow->http.user_agent, ua_ptr_len); 907| 143| } else { 908| 19| NDPI_LOG_DBG2(ndpi_struct, "Could not set HTTP user agent (already set?)\n"); ------------------ | | 597| 19|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 909| 19| } 910| | 911| 162| NDPI_LOG_DBG2(ndpi_struct, "User Agent Type line found %.*s\n", ------------------ | | 597| 162|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 912| 162| ua_ptr_len, ua_ptr); 913| 162|} http.c:setHttpUserAgent: 490| 68|static void setHttpUserAgent(struct ndpi_flow_struct *flow, char *ua) { 491| 68| if( !strcmp(ua, "Windows NT 5.0")) ua = "Windows 2000"; ------------------ | Branch (491:10): [True: 0, False: 68] ------------------ 492| 68| else if(!strcmp(ua, "Windows NT 5.1")) ua = "Windows XP"; ------------------ | Branch (492:11): [True: 0, False: 68] ------------------ 493| 68| else if(!strcmp(ua, "Windows NT 5.2")) ua = "Windows Server 2003"; ------------------ | Branch (493:11): [True: 0, False: 68] ------------------ 494| 68| else if(!strcmp(ua, "Windows NT 6.0")) ua = "Windows Vista"; ------------------ | Branch (494:11): [True: 0, False: 68] ------------------ 495| 68| else if(!strcmp(ua, "Windows NT 6.1")) ua = "Windows 7"; ------------------ | Branch (495:11): [True: 0, False: 68] ------------------ 496| 68| else if(!strcmp(ua, "Windows NT 6.2")) ua = "Windows 8"; ------------------ | Branch (496:11): [True: 0, False: 68] ------------------ 497| 68| else if(!strcmp(ua, "Windows NT 6.3")) ua = "Windows 8.1"; ------------------ | Branch (497:11): [True: 0, False: 68] ------------------ 498| 68| else if(!strcmp(ua, "Windows NT 10.0")) ua = "Windows 10"; ------------------ | Branch (498:11): [True: 0, False: 68] ------------------ 499| 68| else if(!strcmp(ua, "Windows NT 11.0")) ua = "Windows 11"; ------------------ | Branch (499:11): [True: 0, False: 68] ------------------ 500| | 501| | /* Good reference for future implementations: 502| | * https://github.com/ua-parser/uap-core/blob/master/regexes.yaml */ 503| | 504| 68| if(flow->http.detected_os == NULL) ------------------ | Branch (504:6): [True: 68, False: 0] ------------------ 505| 68| flow->http.detected_os = ndpi_strdup(ua); 506| 68|} http.c:ndpi_check_user_agent: 734| 143| char const *ua, size_t ua_len) { 735| 143| char *double_slash; 736| | 737| 143| if((!ua) || (ua[0] == '\0')) 
------------------ | Branch (737:6): [True: 0, False: 143] | Branch (737:15): [True: 5, False: 138] ------------------ 738| 5| return; 739| | 740| 138| if (ua_len > 12) ------------------ | Branch (740:7): [True: 130, False: 8] ------------------ 741| 130| { 742| 130| size_t i, upper_case_count = 0; 743| | 744| 955| for (i = 0; i < ua_len; ++i) ------------------ | Branch (744:17): [True: 955, False: 0] ------------------ 745| 955| { 746| | /* 747| | * We assume at least one non alpha char. 748| | * e.g. ' ', '-' or ';' ... 749| | */ 750| 955| if (ndpi_isalpha(ua[i]) == 0) ------------------ | | 2525| 955|#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z')) | | ------------------ | | | Branch (2525:28): [True: 671, False: 284] | | | Branch (2525:43): [True: 670, False: 1] | | | Branch (2525:60): [True: 156, False: 129] | | | Branch (2525:75): [True: 155, False: 1] | | ------------------ ------------------ | Branch (750:11): [True: 130, False: 825] ------------------ 751| 130| { 752| 130| break; 753| 130| } 754| 825| if (isupper((unsigned char)ua[i]) != 0) ------------------ | Branch (754:11): [True: 155, False: 670] ------------------ 755| 155| { 756| 155| upper_case_count++; 757| 155| } 758| 825| } 759| | 760| 130| if (i == ua_len) { ------------------ | Branch (760:9): [True: 0, False: 130] ------------------ 761| 0| float upper_case_ratio = (float)upper_case_count / (float)ua_len; 762| | 763| 0| if (upper_case_ratio >= 0.2f) { ------------------ | Branch (763:11): [True: 0, False: 0] ------------------ 764| 0| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_SUSPICIOUS_USER_AGENT)) { ------------------ | Branch (764:12): [True: 0, False: 0] ------------------ 765| 0| char str[64]; 766| | 767| 0| snprintf(str, sizeof(str), "UA %s", ua); 768| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, str); 769| 0| } else { 770| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, NULL); 771| 0| } 772| 
0| } 773| 0| } 774| 130| } 775| | 776| 138| if((!strncmp(ua, " 256) /* Too long */ ------------------ | Branch (810:7): [True: 34, False: 103] ------------------ 811| 103| || (!strncmp(ua, "test", 4)) ------------------ | Branch (811:7): [True: 1, False: 102] ------------------ 812| 102| || strchr(ua, '{') ------------------ | Branch (812:7): [True: 1, False: 101] ------------------ 813| 101| || strchr(ua, '}') ------------------ | Branch (813:7): [True: 8, False: 93] ------------------ 814| 138| ) { 815| 45| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_SUSPICIOUS_USER_AGENT, "Suspicious Log4J"); 816| 45| } 817| | 818| | /* 819| | Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) 820| | Amazon-Route53-Health-Check-Service (ref 68784dad-be98-49e4-a63c-9fbbe2816d7c; report http://amzn.to/1vsZADi) 821| | Anonymous Crawler/1.0 (Webcrawler developed with StormCrawler; http://example.com/; webcrawler@example.com) 822| | */ 823| 138| if((strstr(ua, "+http:") != NULL) ------------------ | Branch (823:6): [True: 3, False: 135] ------------------ 824| 135| || (strstr(ua, " http:") != NULL) ------------------ | Branch (824:9): [True: 0, False: 135] ------------------ 825| 135| || ndpi_strncasestr(ua, "Crawler", ua_len) ------------------ | Branch (825:9): [True: 1, False: 134] ------------------ 826| 134| || ndpi_strncasestr(ua, "Bot", ua_len) /* bot/robot */ ------------------ | Branch (826:9): [True: 0, False: 134] ------------------ 827| 138| ) { 828| 4| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_HTTP_CRAWLER_BOT)) { ------------------ | Branch (828:8): [True: 4, False: 0] ------------------ 829| 4| char str[64]; 830| | 831| 4| snprintf(str, sizeof(str), "UA %s", ua); 832| | 833| 4| ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT, str); 834| 4| } else { 835| | ndpi_set_risk(ndpi_struct, flow, NDPI_HTTP_CRAWLER_BOT, NULL); 836| 0| } 837| 4| } 838| 138|} http.c:ndpi_http_check_content: 303| 3| struct ndpi_flow_struct *flow) { 304| 3| struct 
ndpi_packet_struct *packet = &ndpi_struct->packet; 305| | 306| 3| if(packet->content_line.len > 0) { ------------------ | Branch (306:6): [True: 3, False: 0] ------------------ 307| 3| u_int app_len = sizeof("application"); 308| | 309| 3| if(packet->content_line.len > app_len) { ------------------ | Branch (309:8): [True: 2, False: 1] ------------------ 310| 2| const char *app = (const char *)&packet->content_line.ptr[app_len]; 311| 2| u_int app_len_avail = packet->content_line.len-app_len; 312| | 313| 2| if(strncasecmp(app, "mpeg", app_len_avail) == 0) { ------------------ | Branch (313:10): [True: 0, False: 2] ------------------ 314| 0| flow->category = NDPI_PROTOCOL_CATEGORY_STREAMING; 315| 0| return(flow->category); 316| 2| } else if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_WINDOWS_UPDATE) { ------------------ | Branch (316:17): [True: 2, False: 0] ------------------ 317| 2| if(app_len_avail > 3) { ------------------ | Branch (317:5): [True: 1, False: 1] ------------------ 318| 1| const char** cmp_mimes = NULL; 319| 1| bool found = false; 320| | 321| 1| switch(app[0]) { ------------------ | Branch (321:11): [True: 0, False: 1] ------------------ 322| 0| case 'b': cmp_mimes = download_file_mimes_b; break; ------------------ | Branch (322:4): [True: 0, False: 1] ------------------ 323| 0| case 'o': cmp_mimes = download_file_mimes_o; break; ------------------ | Branch (323:4): [True: 0, False: 1] ------------------ 324| 0| case 'x': cmp_mimes = download_file_mimes_x; break; ------------------ | Branch (324:4): [True: 0, False: 1] ------------------ 325| 1| } 326| | 327| 1| if(cmp_mimes != NULL) { ------------------ | Branch (327:7): [True: 0, False: 1] ------------------ 328| 0| u_int8_t i; 329| | 330| 0| for(i = 0; cmp_mimes[i] != NULL; i++) { ------------------ | Branch (330:17): [True: 0, False: 0] ------------------ 331| 0| if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) { ------------------ | Branch (331:11): [True: 0, False: 0] 
------------------ 332| 0| char str[64]; 333| | 334| 0| flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; 335| 0| NDPI_LOG_INFO(ndpi_struct, "found HTTP file transfer\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 336| | 337| 0| snprintf(str, sizeof(str), "Found binary mime %s", cmp_mimes[i]); 338| 0| ndpi_set_binary_data_transfer(ndpi_struct, flow, str); 339| 0| found = true; 340| 0| break; 341| 0| } 342| 0| } 343| 0| } 344| | 345| | /* ***************************************** */ 346| | 347| 1| if(!found) { ------------------ | Branch (347:7): [True: 1, False: 0] ------------------ 348| 1| switch(app[0]) { ------------------ | Branch (348:13): [True: 0, False: 1] ------------------ 349| 0| case 'e': cmp_mimes = binary_exec_file_mimes_e; break; ------------------ | Branch (349:6): [True: 0, False: 1] ------------------ 350| 0| case 'j': cmp_mimes = binary_exec_file_mimes_j; break; ------------------ | Branch (350:6): [True: 0, False: 1] ------------------ 351| 0| case 'v': cmp_mimes = binary_exec_file_mimes_v; break; ------------------ | Branch (351:6): [True: 0, False: 1] ------------------ 352| 0| case 'x': cmp_mimes = binary_exec_file_mimes_x; break; ------------------ | Branch (352:6): [True: 0, False: 1] ------------------ 353| 1| } 354| | 355| 1| if(cmp_mimes != NULL) { ------------------ | Branch (355:9): [True: 0, False: 1] ------------------ 356| 0| u_int8_t i; 357| | 358| 0| for(i = 0; cmp_mimes[i] != NULL; i++) { ------------------ | Branch (358:19): [True: 0, False: 0] ------------------ 359| 0| if(strncasecmp(app, cmp_mimes[i], app_len_avail) == 0) { ------------------ | Branch (359:6): [True: 0, False: 0] ------------------ 360| 0| char str[64]; 361| | 362| 0| snprintf(str, sizeof(str), "Found mime exe %s", cmp_mimes[i]); 363| 0| flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; 364| 0| ndpi_set_binary_application_transfer(ndpi_struct, flow, str); 365| 0| 
NDPI_LOG_INFO(ndpi_struct, "Found executable HTTP transfer"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 366| 0| } 367| 0| } 368| 0| } 369| 1| } 370| 1| } 371| 2| } 372| 2| } 373| | 374| | /* check for attachment */ 375| 3| if(packet->content_disposition_line.len > 0 && ------------------ | Branch (375:8): [True: 0, False: 3] ------------------ 376| 0| flow->http.filename == NULL) { ------------------ | Branch (376:8): [True: 0, False: 0] ------------------ 377| 0| u_int8_t attachment_len = sizeof("attachment; filename"); 378| | 379| 0| if(packet->content_disposition_line.len > attachment_len && ------------------ | Branch (379:10): [True: 0, False: 0] ------------------ 380| 0| strncmp((char *)packet->content_disposition_line.ptr, "attachment; filename", 20) == 0) { ------------------ | Branch (380:10): [True: 0, False: 0] ------------------ 381| 0| u_int8_t filename_len = packet->content_disposition_line.len - attachment_len; 382| 0| int i; 383| | 384| 0| if(packet->content_disposition_line.ptr[attachment_len] == '\"') { ------------------ | Branch (384:5): [True: 0, False: 0] ------------------ 385| 0| if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"') { ------------------ | Branch (385:7): [True: 0, False: 0] ------------------ 386| | //case: filename="file_name 387| 0| if(filename_len >= 2) { ------------------ | Branch (387:9): [True: 0, False: 0] ------------------ 388| 0| flow->http.filename = ndpi_malloc(filename_len); 389| 0| if(flow->http.filename != NULL) { ------------------ | Branch (389:11): [True: 0, False: 0] ------------------ 390| 0| strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1); 391| 0| flow->http.filename[filename_len-1] = '\0'; 392| 0| } 393| 0| } 394| 0| } 395| 0| else if(filename_len >= 2) { ------------------ | Branch (395:12): [True: 0, False: 0] ------------------ 
396| | //case: filename="file_name" 397| 0| flow->http.filename = ndpi_malloc(filename_len-1); 398| | 399| 0| if(flow->http.filename != NULL) { ------------------ | Branch (399:9): [True: 0, False: 0] ------------------ 400| 0| strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, 401| 0| filename_len-2); 402| 0| flow->http.filename[filename_len-2] = '\0'; 403| 0| } 404| 0| } 405| 0| } else { 406| | //case: filename=file_name 407| 0| flow->http.filename = ndpi_malloc(filename_len+1); 408| | 409| 0| if(flow->http.filename != NULL) { ------------------ | Branch (409:7): [True: 0, False: 0] ------------------ 410| 0| strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len, filename_len); 411| 0| flow->http.filename[filename_len] = '\0'; 412| 0| } 413| 0| } 414| | 415| 0| if(filename_len > ATTACHMENT_LEN) { ------------------ | | 48| 0|#define ATTACHMENT_LEN 3 ------------------ | Branch (415:5): [True: 0, False: 0] ------------------ 416| 0| attachment_len += filename_len-ATTACHMENT_LEN-1; ------------------ | | 48| 0|#define ATTACHMENT_LEN 3 ------------------ 417| | 418| 0| if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) { ------------------ | | 48| 0|#define ATTACHMENT_LEN 3 ------------------ | Branch (418:7): [True: 0, False: 0] ------------------ 419| 0| char str[64]; 420| | 421| 0| for(i = 0; binary_exec_file_ext[i] != NULL; i++) { ------------------ | Branch (421:17): [True: 0, False: 0] ------------------ 422| | /* Use memcmp in case content-disposition contains binary data */ 423| 0| if(memcmp(&packet->content_disposition_line.ptr[attachment_len], ------------------ | Branch (423:11): [True: 0, False: 0] ------------------ 424| 0| binary_exec_file_ext[i], ATTACHMENT_LEN) == 0) { ------------------ | | 48| 0|#define ATTACHMENT_LEN 3 ------------------ 425| | 426| 0| snprintf(str, sizeof(str), "Found file extn %s", binary_exec_file_ext[i]); 427| 0| flow->category = 
NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT; 428| 0| ndpi_set_binary_application_transfer(ndpi_struct, flow, str); 429| 0| NDPI_LOG_INFO(ndpi_struct, "found executable HTTP transfer"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 430| 0| return(flow->category); 431| 0| } 432| 0| } 433| | 434| | /* No executable but just data transfer */ 435| 0| snprintf(str, sizeof(str), "File download %s", 436| 0| flow->http.filename ? flow->http.filename : ""); ------------------ | Branch (436:8): [True: 0, False: 0] ------------------ 437| 0| ndpi_set_binary_data_transfer(ndpi_struct, flow, str); 438| 0| } 439| 0| } 440| 0| } 441| 0| } 442| | 443| 3| switch(packet->content_line.ptr[0]) { ------------------ | Branch (443:12): [True: 0, False: 3] ------------------ 444| 0| case 'a': ------------------ | Branch (444:5): [True: 0, False: 3] ------------------ 445| 0| if(strncasecmp((const char *)packet->content_line.ptr, "audio", ------------------ | Branch (445:10): [True: 0, False: 0] ------------------ 446| 0| ndpi_min(packet->content_line.len, 5)) == 0) ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 447| 0| flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; 448| 0| break; 449| | 450| 0| case 'v': ------------------ | Branch (450:5): [True: 0, False: 3] ------------------ 451| 0| if(strncasecmp((const char *)packet->content_line.ptr, "video", ------------------ | Branch (451:10): [True: 0, False: 0] ------------------ 452| 0| ndpi_min(packet->content_line.len, 5)) == 0) ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 453| 0| flow->category = NDPI_PROTOCOL_CATEGORY_MEDIA; 454| 0| break; 455| 3| } 456| 3| } 457| | 458| 3| return(flow->category); 459| 3|} http.c:ndpi_http_parse_subprotocol: 512| 1.36k| int hostname_just_set) { 513| 1.36k| u_int16_t master_protocol; 514| 1.36k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 515| | 516| 1.36k| if(!ndpi_struct->cfg.http_subclassification_enabled) { ------------------ | Branch (516:6): [True: 0, False: 1.36k] ------------------ 517| 0| NDPI_LOG_DBG2(ndpi_struct, "Skip sub-protocol check because subclassification is disabled\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 518| 0| return; 519| 0| } 520| | 521| 1.36k| master_protocol = NDPI_PROTOCOL_HTTP; 522| 1.36k| if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (522:6): [True: 22, False: 1.34k] ------------------ 523| 22| master_protocol = flow->detected_protocol_stack[1]; 524| 1.34k| else if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_CONNECT || ------------------ | Branch (524:11): [True: 5, False: 1.34k] ------------------ 525| 1.34k| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP_PROXY) ------------------ | Branch (525:11): [True: 1, False: 1.33k] ------------------ 526| 6| master_protocol = flow->detected_protocol_stack[0]; 527| | 528| 1.36k| if(packet->server_line.len > 7 && ------------------ | Branch (528:6): [True: 28, False: 1.33k] ------------------ 529| 28| strncmp((const char *)packet->server_line.ptr, "ntopng ", 7) == 0) { ------------------ | Branch (529:6): [True: 0, False: 28] ------------------ 530| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTOP, master_protocol, NDPI_CONFIDENCE_DPI); 531| 0| update_category_and_breed(ndpi_struct, flow); 532| 0| } 533| | 534| | /* Matching on 
Content-Type. 535| | OCSP: application/ocsp-request, application/ocsp-response 536| | */ 537| | /* We overwrite any previous sub-classification (example: via hostname) */ 538| 1.36k| if(packet->content_line.len > 17 && ------------------ | Branch (538:6): [True: 43, False: 1.32k] ------------------ 539| 43| strncmp((const char *)packet->content_line.ptr, "application/ocsp-", 17) == 0) { ------------------ | Branch (539:6): [True: 1, False: 42] ------------------ 540| 1| NDPI_LOG_DBG2(ndpi_struct, "Found OCSP\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 541| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OCSP, master_protocol, NDPI_CONFIDENCE_DPI); 542| 1| update_category_and_breed(ndpi_struct, flow); 543| 1| } 544| | 545| | /* HTTP Live Streaming */ 546| 1.36k| if (packet->content_line.len > 28 && ------------------ | Branch (546:7): [True: 33, False: 1.33k] ------------------ 547| 33| (strncmp((const char *)packet->content_line.ptr, "application/vnd.apple.mpegurl", 29) == 0 || ------------------ | Branch (547:8): [True: 0, False: 33] ------------------ 548| 33| strncmp((const char *)packet->content_line.ptr, "application/x-mpegURL", 21) == 0 || ------------------ | Branch (548:7): [True: 1, False: 32] ------------------ 549| 32| strncmp((const char *)packet->content_line.ptr, "application/x-mpegurl", 21) == 0)) { ------------------ | Branch (549:7): [True: 0, False: 32] ------------------ 550| 1| NDPI_LOG_DBG2(ndpi_struct, "Found HLS\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 551| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HLS, master_protocol, NDPI_CONFIDENCE_DPI); 552| 1| update_category_and_breed(ndpi_struct, flow); 553| 1| } 554| | 555| 1.36k| if((flow->http.method == NDPI_HTTP_METHOD_RPC_CONNECT) || ------------------ | Branch (555:6): [True: 0, False: 1.36k] ------------------ 556| 1.36k| (flow->http.method == NDPI_HTTP_METHOD_RPC_IN_DATA) || ------------------ | Branch (556:6): [True: 0, False: 1.36k] ------------------ 557| 1.36k| (flow->http.method == NDPI_HTTP_METHOD_RPC_OUT_DATA)) { ------------------ | Branch (557:6): [True: 0, False: 1.36k] ------------------ 558| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MS_RPCH, master_protocol, NDPI_CONFIDENCE_DPI); 559| 0| update_category_and_breed(ndpi_struct, flow); 560| 0| } 561| | 562| 1.36k| switch (flow->http.method) { 563| 0| case NDPI_HTTP_METHOD_MKCOL: ------------------ | Branch (563:5): [True: 0, False: 1.36k] ------------------ 564| 0| case NDPI_HTTP_METHOD_MOVE: ------------------ | Branch (564:5): [True: 0, False: 1.36k] ------------------ 565| 0| case NDPI_HTTP_METHOD_COPY: ------------------ | Branch (565:5): [True: 0, False: 1.36k] ------------------ 566| 0| case NDPI_HTTP_METHOD_LOCK: ------------------ | Branch (566:5): [True: 0, False: 1.36k] ------------------ 567| 1| case NDPI_HTTP_METHOD_UNLOCK: ------------------ | Branch (567:5): [True: 1, False: 1.36k] ------------------ 568| 1| case NDPI_HTTP_METHOD_PROPFIND: ------------------ | Branch (568:5): [True: 0, False: 1.36k] ------------------ 569| 1| case NDPI_HTTP_METHOD_PROPPATCH: ------------------ | Branch (569:5): [True: 0, False: 1.36k] ------------------ 570| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBDAV, master_protocol, NDPI_CONFIDENCE_DPI); 571| 1| update_category_and_breed(ndpi_struct, flow); 572| 1| break; 573| 1.36k| default: ------------------ | Branch (573:5): [True: 1.36k, False: 1] 
------------------ 574| 1.36k| break; 575| 1.36k| } 576| | 577| 1.36k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (577:6): [True: 1.34k, False: 25] ------------------ 578| 1.34k| hostname_just_set && flow->host_server_name[0] != '\0') { ------------------ | Branch (578:6): [True: 967, False: 375] | Branch (578:27): [True: 967, False: 0] ------------------ 579| 967| ndpi_match_hostname_protocol(ndpi_struct, flow, 580| 967| master_protocol, 581| 967| flow->host_server_name, 582| 967| strlen(flow->host_server_name)); 583| 967| } 584| | 585| 1.36k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (585:6): [True: 1.34k, False: 25] ------------------ 586| 1.34k| packet->http_origin.len > 0) { ------------------ | Branch (586:6): [True: 61, False: 1.28k] ------------------ 587| 61| ndpi_protocol_match_result ret_match; 588| 61| char *ptr, *origin_hostname; 589| 61| size_t origin_hostname_len; 590| | 591| | /* Origin syntax: 592| | Origin: null 593| | Origin: <scheme>://<hostname> 594| | Origin: <scheme>://<hostname>:<port> 595| | Try extracting hostname */ 596| | 597| 61| ptr = ndpi_strnstr((const char *)packet->http_origin.ptr, "://", packet->http_origin.len); 598| 61| if(ptr) { ------------------ | Branch (598:8): [True: 49, False: 12] ------------------ 599| 49| origin_hostname = ptr + 3; 600| 49| origin_hostname_len = packet->http_origin.len - (ptr - (char *)packet->http_origin.ptr) - 3; 601| 49| ptr = ndpi_strnstr(origin_hostname, ":", origin_hostname_len); 602| 49| if(ptr) { ------------------ | Branch (602:10): [True: 3, False: 46] ------------------ 603| 3| origin_hostname_len = ptr - origin_hostname; 604| 3| } 605| 49| NDPI_LOG_DBG2(ndpi_struct, "Origin: [%.*s] -> [%.*s]\n", packet->http_origin.len, packet->http_origin.ptr, ------------------ | | 597| 49|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 606| 49| (int)origin_hostname_len, origin_hostname); 607| | /* We already checked hostname...*/ 608| 49| if(strncmp(origin_hostname, flow->host_server_name, origin_hostname_len) != 0) { ------------------ | Branch (608:10): [True: 46, False: 3] ------------------ 609| 46| ndpi_match_host_subprotocol(ndpi_struct, flow, 610| 46| origin_hostname, 611| 46| origin_hostname_len, 612| 46| &ret_match, 613| 46| master_protocol, 1); 614| 46| } 615| 49| } 616| 61| } 617| | 618| 1.36k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (618:6): [True: 1.34k, False: 25] ------------------ 619| 1.34k| flow->http.url && ------------------ | Branch (619:6): [True: 893, False: 449] ------------------ 620| 893| ((strstr(flow->http.url, ":8080/downloading?n=0.") != NULL) || ------------------ | Branch (620:7): [True: 83, False: 810] ------------------ 621| 810| (strstr(flow->http.url, ":8080/upload?n=0.") != NULL))) { ------------------ | Branch (621:7): [True: 12, False: 798] ------------------ 622| | /* This looks like Ookla speedtest */ 623| 95| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, master_protocol, NDPI_CONFIDENCE_DPI); 624| 95| update_category_and_breed(ndpi_struct, flow); 625| 95| ookla_add_to_cache(ndpi_struct, flow); 626| 95| } 627| | 628| 1.36k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (628:6): [True: 1.24k, False: 120] ------------------ 629| 1.24k| flow->http.url != NULL && ------------------ | Branch (629:6): [True: 798, False: 449] ------------------ 630| 798| strstr(flow->http.url, "micloud.xiaomi.net") != NULL) { ------------------ | Branch (630:6): [True: 1, False: 797] ------------------ 631| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XIAOMI, master_protocol, NDPI_CONFIDENCE_DPI); 632| 1| update_category_and_breed(ndpi_struct, flow); 633| 1| } 634| | 635| 1.36k| 
if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (635:6): [True: 1.24k, False: 121] ------------------ 636| 1.24k| packet->referer_line.len > 0 && ------------------ | Branch (636:6): [True: 15, False: 1.23k] ------------------ 637| 15| ndpi_strnstr((const char *)packet->referer_line.ptr, "www.speedtest.net", packet->referer_line.len)) { ------------------ | Branch (637:6): [True: 0, False: 15] ------------------ 638| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, master_protocol, NDPI_CONFIDENCE_DPI); 639| 0| update_category_and_breed(ndpi_struct, flow); 640| 0| ookla_add_to_cache(ndpi_struct, flow); 641| 0| } 642| | 643| | /* WindowsUpdate over some kind of CDN */ 644| 1.36k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (644:6): [True: 1.24k, False: 121] ------------------ 645| 1.24k| flow->http.user_agent && flow->http.url && ------------------ | Branch (645:6): [True: 143, False: 1.10k] | Branch (645:31): [True: 13, False: 130] ------------------ 646| 13| (strstr(flow->http.url, "delivery.mp.microsoft.com/") || ------------------ | Branch (646:7): [True: 0, False: 13] ------------------ 647| 13| strstr(flow->http.url, "download.windowsupdate.com/")) && ------------------ | Branch (647:7): [True: 3, False: 10] ------------------ 648| 3| strstr(flow->http.user_agent, "Microsoft-Delivery-Optimization/") && ------------------ | Branch (648:6): [True: 0, False: 3] ------------------ 649| 0| ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST)) { ------------------ | Branch (649:6): [True: 0, False: 0] ------------------ 650| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WINDOWS_UPDATE, master_protocol, NDPI_CONFIDENCE_DPI); 651| 0| update_category_and_breed(ndpi_struct, flow); 652| 0| } 653| | 654| 1.36k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (654:6): [True: 1.24k, False: 121] 
------------------ 655| 1.24k| packet->payload_packet_len >= 23 && ------------------ | Branch (655:6): [True: 1.22k, False: 24] ------------------ 656| 1.22k| memcmp(packet->payload, "", 23) == 0) { ------------------ | Branch (656:6): [True: 1, False: 1.22k] ------------------ 657| | /* 658| | 659| | 660| | 661| | 662| | 663| | */ 664| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, master_protocol, NDPI_CONFIDENCE_DPI); 665| 1| update_category_and_breed(ndpi_struct, flow); 666| 1| ookla_add_to_cache(ndpi_struct, flow); 667| 1| } 668| | 669| 1.36k| if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) && ------------------ | Branch (669:7): [True: 1.24k, False: 122] ------------------ 670| 1.24k| flow->http.user_agent && strstr(flow->http.user_agent, "MSRPC")) { ------------------ | Branch (670:7): [True: 143, False: 1.10k] | Branch (670:32): [True: 0, False: 143] ------------------ 671| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MS_RPCH, master_protocol, NDPI_CONFIDENCE_DPI); 672| 0| update_category_and_breed(ndpi_struct, flow); 673| 0| } 674| | 675| 1.36k| if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) && ------------------ | Branch (675:7): [True: 1.24k, False: 122] ------------------ 676| 1.24k| flow->http.user_agent && strstr(flow->http.user_agent, "Valve/Steam HTTP Client")) { ------------------ | Branch (676:7): [True: 143, False: 1.10k] | Branch (676:32): [True: 5, False: 138] ------------------ 677| 5| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, master_protocol, NDPI_CONFIDENCE_DPI); 678| 5| update_category_and_breed(ndpi_struct, flow); 679| 5| } 680| | 681| 1.36k| if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) && ------------------ | Branch (681:7): [True: 1.24k, False: 127] ------------------ 682| 1.24k| flow->http.user_agent && strstr(flow->http.user_agent, "AirControl Agent v1.0")) { ------------------ | Branch (682:7): [True: 138, False: 
1.10k] | Branch (682:32): [True: 0, False: 138] ------------------ 683| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, master_protocol, NDPI_CONFIDENCE_DPI); 684| 0| update_category_and_breed(ndpi_struct, flow); 685| 0| } 686| | 687| 1.36k| if ((flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) && ------------------ | Branch (687:7): [True: 1.24k, False: 127] ------------------ 688| 1.24k| flow->http.user_agent && strstr(flow->http.user_agent, "gtk-gnutella")) { ------------------ | Branch (688:7): [True: 138, False: 1.10k] | Branch (688:32): [True: 0, False: 138] ------------------ 689| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, master_protocol, NDPI_CONFIDENCE_DPI); 690| 0| update_category_and_breed(ndpi_struct, flow); 691| 0| } 692| | 693| 1.36k| if(flow->http.request_header_observed) { ------------------ | Branch (693:6): [True: 1.29k, False: 68] ------------------ 694| 1.29k| if(flow->http.first_payload_after_header_observed == 0) { ------------------ | Branch (694:8): [True: 1.24k, False: 56] ------------------ 695| | /* Skip the last part of the HTTP request */ 696| 1.24k| flow->http.first_payload_after_header_observed = 1; 697| 1.24k| } else if(flow->http.is_form && (packet->payload_packet_len > 0) && ------------------ | Branch (697:15): [True: 0, False: 56] | Branch (697:37): [True: 0, False: 0] ------------------ 698| 0| (ndpi_struct->cfg.http_username_enabled || ndpi_struct->cfg.http_password_enabled)) { ------------------ | Branch (698:16): [True: 0, False: 0] | Branch (698:58): [True: 0, False: 0] ------------------ 699| | /* Response payload */ 700| 0| char *dup = ndpi_strndup((const char *)packet->payload, packet->payload_packet_len); 701| | 702| 0| if(dup) { ------------------ | Branch (702:10): [True: 0, False: 0] ------------------ 703| 0| char *key, *value, *tmp; 704| | 705| 0| key = strtok_r(dup, "=", &tmp); 706| | 707| 0| while((key != NULL) ------------------ | Branch (707:8): 
[True: 0, False: 0] ------------------ 708| 0| && ((flow->http.username == NULL) || (flow->http.password == NULL))) { ------------------ | Branch (708:12): [True: 0, False: 0] | Branch (708:45): [True: 0, False: 0] ------------------ 709| 0| value = strtok_r(NULL, "&", &tmp); 710| | 711| 0| if(!value) ------------------ | Branch (711:7): [True: 0, False: 0] ------------------ 712| 0| break; 713| | 714| 0| if((strcmp(key, "user") == 0) || (strcmp(key, "username") == 0)) { ------------------ | Branch (714:7): [True: 0, False: 0] | Branch (714:37): [True: 0, False: 0] ------------------ 715| 0| if(!flow->http.username && ndpi_struct->cfg.http_username_enabled) flow->http.username = ndpi_strdup(value); ------------------ | Branch (715:9): [True: 0, False: 0] | Branch (715:33): [True: 0, False: 0] ------------------ 716| 0| } else if((strcmp(key, "pwd") == 0) || (strcmp(key, "password") == 0)) { ------------------ | Branch (716:14): [True: 0, False: 0] | Branch (716:43): [True: 0, False: 0] ------------------ 717| 0| if(!flow->http.password && ndpi_struct->cfg.http_password_enabled) flow->http.password = ndpi_strdup(value); ------------------ | Branch (717:9): [True: 0, False: 0] | Branch (717:33): [True: 0, False: 0] ------------------ 718| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); 719| 0| } 720| | 721| 0| key = strtok_r(NULL, "=", &tmp); 722| 0| } 723| | 724| 0| ndpi_free(dup); 725| 0| } 726| 0| } 727| 1.29k| } 728| 1.36k|} http.c:update_category_and_breed: 291| 105| struct ndpi_flow_struct *flow) { /* Recomputes flow->category and flow->breed from the detected protocol stack: entry [1] is passed as the master protocol and entry [0] as the application protocol. */ 292| 105| ndpi_master_app_protocol proto; 293| 105| proto.master_protocol = flow->detected_protocol_stack[1]; 294| 105| proto.app_protocol = flow->detected_protocol_stack[0]; 295| 105| flow->category = get_proto_category(ndpi_struct, proto); 296| 105| flow->breed = get_proto_breed(ndpi_struct, proto); 297| 105|} http.c:ndpi_analyze_content_signature: 105| 21| struct ndpi_flow_struct *flow) { /* Compares the first bytes of flow->initial_binary_bytes with a short list of executable and script magic numbers and, on a match, calls ndpi_set_binary_application_transfer() with a message naming the format. Every index used below is covered by the initial_binary_bytes_len check that precedes it. */ 106| 21| u_int8_t set_risk = 0; 107| 21|
const char *msg = NULL; 108| | 109| | /* 110| | NOTE: see also (ndpi_main.c) 111| | - ndpi_search_elf 112| | - ndpi_search_portable_executable 113| | - ndpi_search_shellscript 114| | */ 115| | 116| 21| if((flow->initial_binary_bytes_len >= 2) && (flow->initial_binary_bytes[0] == 0x4D) && (flow->initial_binary_bytes[1] == 0x5A)) ------------------ | Branch (116:6): [True: 20, False: 1] | Branch (116:47): [True: 0, False: 20] | Branch (116:90): [True: 0, False: 0] ------------------ 117| 0| set_risk = 1, msg = "Found DOS/Windows Exe"; /* Win executable (MZ header) */ 118| 21| else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0x7F) && (flow->initial_binary_bytes[1] == 'E') ------------------ | Branch (118:11): [True: 19, False: 2] | Branch (118:52): [True: 0, False: 19] | Branch (118:95): [True: 0, False: 0] ------------------ 119| 0| && (flow->initial_binary_bytes[2] == 'L') && (flow->initial_binary_bytes[3] == 'F')) ------------------ | Branch (119:7): [True: 0, False: 0] | Branch (119:49): [True: 0, False: 0] ------------------ 120| 0| set_risk = 1, msg = "Found Linux Exe"; /* Linux ELF executable */ 121| 21| else if((flow->initial_binary_bytes_len >= 4) && (flow->initial_binary_bytes[0] == 0xCF) && (flow->initial_binary_bytes[1] == 0xFA) ------------------ | Branch (121:11): [True: 19, False: 2] | Branch (121:52): [True: 0, False: 19] | Branch (121:95): [True: 0, False: 0] ------------------ 122| 0| && (flow->initial_binary_bytes[2] == 0xED) && (flow->initial_binary_bytes[3] == 0xFE)) ------------------ | Branch (122:7): [True: 0, False: 0] | Branch (122:50): [True: 0, False: 0] ------------------ 123| 0| set_risk = 1, msg = "Found Linux Exe"; /* NOTE(review): CF FA ED FE is the 64-bit Mach-O magic (0xFEEDFACF stored little-endian), i.e. a macOS binary rather than a Linux one; the Linux wording of msg looks mislabelled and would mislead anyone triaging the risk */ 124| 21| else if((flow->initial_binary_bytes_len >= 3) ------------------ | Branch (124:11): [True: 19, False: 2] ------------------ 125| 19| && (flow->initial_binary_bytes[0] == '#') ------------------ | Branch (125:7): [True: 0, False: 19] ------------------ 126| 0| &&
(flow->initial_binary_bytes[1] == '!') ------------------ | Branch (126:7): [True: 0, False: 0] ------------------ 127| 0| && (flow->initial_binary_bytes[2] == '/')) ------------------ | Branch (127:7): [True: 0, False: 0] ------------------ 128| 0| set_risk = 1, msg = "Found Unix Script"; /* Unix script (e.g. #!/bin/sh) */ 129| 21| else if(flow->initial_binary_bytes_len >= 8) { ------------------ | Branch (129:11): [True: 14, False: 7] ------------------ 130| 14| u_int8_t exec_pattern[] = { 0x64, 0x65, 0x78, 0x0A, 0x30, 0x33, 0x35, 0x00 }; 131| | 132| 14| if(memcmp(flow->initial_binary_bytes, exec_pattern, 8) == 0) ------------------ | Branch (132:8): [True: 0, False: 14] ------------------ 133| 0| set_risk = 1, msg = "Found Android Exe"; /* Dalvik Executable (Android): the pattern is the ASCII bytes dex, LF, 035, NUL, so only a DEX header carrying version 035 matches; other DEX format versions are not flagged here */ 134| 14| } 135| | 136| 21| if(set_risk) ------------------ | Branch (136:6): [True: 0, False: 21] ------------------ 137| 0| ndpi_set_binary_application_transfer(ndpi_struct, flow, (char*)msg); /* NOTE(review): the cast drops const from a pointer to a string literal; confirm the callee never writes through msg */ 138| 21|} ndpi_search_http2: 39| 11.7k|{ 40| 11.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 41| 11.7k| const char magic[] = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"; 42| | 43| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search http2\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 44| | 45| 11.7k| if(packet->payload_packet_len < NDPI_STATICSTRING_LEN(magic)) { ------------------ | | 98| 11.7k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (45:6): [True: 4.85k, False: 6.86k] ------------------ 46| 4.85k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.85k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 47| 4.85k| return; 48| 4.85k| } 49| | 50| 6.86k| if(strncmp((char const *)packet->payload, magic, NDPI_STATICSTRING_LEN(magic)) == 0) { ------------------ | | 98| 6.86k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (50:6): [True: 1, False: 6.86k] ------------------ 51| 1| ndpi_int_http2_add_connection(ndpi_struct, flow); 52| 1| return; 53| 1| } 54| | 55| 6.86k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 6.86k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 6.86k|} init_http2_dissector: 59| 7.08k|{ 60| 7.08k| ndpi_register_dissector("HTTP2", ndpi_struct, 61| 7.08k| ndpi_search_http2, 62| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 63| 7.08k| 1, NDPI_PROTOCOL_HTTP2); 64| 7.08k|} http2.c:ndpi_int_http2_add_connection: 31| 1|{ 32| 1| NDPI_LOG_INFO(ndpi_struct, "found HTTP/2\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 33| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP2, 34| 1| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 35| 1|} init_i3d_dissector: 79| 7.08k|{ 80| 7.08k| ndpi_register_dissector("i3D", ndpi_struct, 81| 7.08k| ndpi_search_i3d, 82| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 83| 7.08k| 1, NDPI_PROTOCOL_I3D); 84| 7.08k|} i3d.c:ndpi_search_i3d: 41| 3.36k|{ 42| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.36k| NDPI_LOG_DBG(ndpi_struct, "searching i3D\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| | /* 47| | * i3D offers a lot of services. 48| | * The patterns below are mostly used by dedicated game servers. 
49| | */ 50| | 51| 3.36k| if (packet->payload_packet_len < 74) ------------------ | Branch (51:7): [True: 1.94k, False: 1.41k] ------------------ 52| 1.94k| { 53| 1.94k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.94k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 54| 1.94k| return; 55| 1.94k| } 56| | 57| 1.41k| if ((ntohl(get_u_int32_t(packet->payload, 0)) == 0x00010046 || ------------------ | Branch (57:8): [True: 0, False: 1.41k] ------------------ 58| 1.41k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x00020046) && ------------------ | Branch (58:8): [True: 0, False: 1.41k] ------------------ 59| 1.41k| ntohl(get_u_int32_t(packet->payload, 4)) == 0x0003cfa8) ------------------ | Branch (59:7): [True: 0, False: 0] ------------------ 60| 0| { 61| 0| ndpi_int_i3d_add_connection(ndpi_struct, flow); 62| 0| return; 63| 0| } 64| | 65| 1.41k| if ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x9078 || ------------------ | Branch (65:8): [True: 0, False: 1.41k] ------------------ 66| 1.41k| ntohs(get_u_int16_t(packet->payload, 0)) == 0x9067) && ------------------ | Branch (66:8): [True: 0, False: 1.41k] ------------------ 67| 1.41k| ntohl(get_u_int32_t(packet->payload, 8)) == 0x0003cfa9 && ------------------ | Branch (67:7): [True: 0, False: 0] ------------------ 68| 1.41k| ntohl(get_u_int32_t(packet->payload, 12)) == 0xbede0003) ------------------ | Branch (68:7): [True: 0, False: 0] ------------------ 69| 0| { 70| 0| ndpi_int_i3d_add_connection(ndpi_struct, flow); 71| 0| return; 72| 0| } 73| | 74| 1.41k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.41k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 1.41k| return; 76| 1.41k|} init_iax_dissector: 100| 7.08k|{ 101| 7.08k| ndpi_register_dissector("IAX", ndpi_struct, 
102| 7.08k| ndpi_search_iax, 103| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 104| 7.08k| 1, NDPI_PROTOCOL_IAX); 105| 7.08k|} iax.c:ndpi_search_iax: 90| 5.08k|{ 91| 5.08k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 92| | 93| 5.08k| if(packet->udp ------------------ | Branch (93:6): [True: 5.08k, False: 0] ------------------ 94| 5.08k| && (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) ------------------ | Branch (94:9): [True: 5.08k, False: 0] ------------------ 95| 5.08k| ndpi_search_setup_iax(ndpi_struct, flow); 96| 5.08k|} iax.c:ndpi_search_setup_iax: 42| 5.08k|{ 43| 5.08k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| 5.08k| u_int8_t i; 45| 5.08k| u_int16_t packet_len; 46| | 47| 5.08k| if ( /* 1. 
iax is udp based, port 4569 */ 48| 5.08k| (packet->udp->source == htons(4569) || packet->udp->dest == htons(4569)) ------------------ | Branch (48:8): [True: 0, False: 5.08k] | Branch (48:46): [True: 0, False: 5.08k] ------------------ 49| | /* check for iax new packet */ 50| 0| && packet->payload_packet_len >= 12 ------------------ | Branch (50:10): [True: 0, False: 0] ------------------ 51| | /* check for dst call id == 0, do not check for highest bit (packet retransmission) */ 52| | // && (ntohs(get_u_int16_t(packet->payload, 2)) & 0x7FFF) == 0 53| | /* check full IAX packet */ 54| 0| && (packet->payload[0] & 0x80) != 0 ------------------ | Branch (54:10): [True: 0, False: 0] ------------------ 55| | /* outbound seq == 0 */ 56| 0| && packet->payload[8] == 0 ------------------ | Branch (56:10): [True: 0, False: 0] ------------------ 57| | /* inbound seq == 0 || 1 */ 58| 0| && (packet->payload[9] == 0 || packet->payload[9] == 0x01) ------------------ | Branch (58:11): [True: 0, False: 0] | Branch (58:38): [True: 0, False: 0] ------------------ 59| | /* */ 60| 0| && packet->payload[10] == 0x06 ------------------ | Branch (60:10): [True: 0, False: 0] ------------------ 61| | /* IAX type: 0-15 */ 62| 0| && packet->payload[11] <= 15) { ------------------ | Branch (62:10): [True: 0, False: 0] ------------------ 63| | 64| 0| if (packet->payload_packet_len == 12) { ------------------ | Branch (64:9): [True: 0, False: 0] ------------------ 65| 0| NDPI_LOG_INFO(ndpi_struct, "found IAX\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 66| 0| ndpi_int_iax_add_connection(ndpi_struct, flow); 67| 0| return; 68| 0| } 69| | 70| 0| packet_len = 12; 71| 0| for(i = 0; i < NDPI_IAX_MAX_INFORMATION_ELEMENTS; i++) { ------------------ | | 34| 0|#define NDPI_IAX_MAX_INFORMATION_ELEMENTS 15 ------------------ | Branch (71:16): [True: 0, False: 0] ------------------ 72| 0| if ((packet_len+1) >= packet->payload_packet_len) ------------------ | Branch (72:11): [True: 0, False: 0] ------------------ 73| 0| break; 74| | 75| 0| packet_len = packet_len + 2 + packet->payload[packet_len + 1]; 76| 0| if(packet_len == packet->payload_packet_len) { ------------------ | Branch (76:10): [True: 0, False: 0] ------------------ 77| 0| NDPI_LOG_INFO(ndpi_struct, "found IAX\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 78| 0| ndpi_int_iax_add_connection(ndpi_struct, flow); 79| 0| return; 80| 0| } 81| 0| } 82| | 83| 0| } 84| | 85| 5.08k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.08k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 86| | 87| 5.08k|} init_icecast_dissector: 92| 7.08k|{ 93| 7.08k| ndpi_register_dissector("IceCast", ndpi_struct, 94| 7.08k| ndpi_search_icecast_tcp, 95| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 96| 7.08k| 1, NDPI_PROTOCOL_ICECAST); 97| 7.08k|} icecast.c:ndpi_search_icecast_tcp: 38| 26.2k|{ 39| 26.2k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| 26.2k| u_int16_t i; 41| | 42| 26.2k| NDPI_LOG_DBG(ndpi_struct, "search icecast\n"); ------------------ | | 596| 26.2k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 43| | 44| 26.2k| if((packet->payload_packet_len < 500 && ------------------ | Branch (44:7): [True: 24.7k, False: 1.53k] ------------------ 45| 24.7k| packet->payload_packet_len >= 7 && memcmp(packet->payload, "SOURCE ", 7) == 0) ------------------ | Branch (45:8): [True: 23.2k, False: 1.48k] | Branch (45:43): [True: 25, False: 23.2k] ------------------ 46| 26.2k| || flow->l4.tcp.icecast_stage) { ------------------ | Branch (46:10): [True: 27, False: 26.2k] ------------------ 47| 52| ndpi_parse_packet_line_info_any(ndpi_struct); 48| 52| NDPI_LOG_DBG2(ndpi_struct, "Icecast lines=%d\n", packet->parsed_lines); ------------------ | | 597| 52|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| 113| for (i = 0; i < packet->parsed_lines; i++) { ------------------ | Branch (49:17): [True: 61, False: 52] ------------------ 50| 61| if(packet->line[i].ptr != NULL && packet->line[i].len > 4 ------------------ | Branch (50:10): [True: 61, False: 0] | Branch (50:41): [True: 34, False: 27] ------------------ 51| 34| && memcmp(packet->line[i].ptr, "ice-", 4) == 0) { ------------------ | Branch (51:7): [True: 0, False: 34] ------------------ 52| 0| NDPI_LOG_INFO(ndpi_struct, "found Icecast\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 53| 0| ndpi_int_icecast_add_connection(ndpi_struct, flow); 54| 0| return; 55| 0| } 56| 61| } 57| | 58| 52| if(packet->parsed_lines < 1 && !flow->l4.tcp.icecast_stage) { ------------------ | Branch (58:8): [True: 35, False: 17] | Branch (58:36): [True: 22, False: 13] ------------------ 59| 22| flow->l4.tcp.icecast_stage = 1; 60| 22| return; 61| 22| } 62| 52| } 63| | 64| 26.2k| if(current_pkt_from_client_to_server(ndpi_struct, flow) ------------------ | Branch (64:6): [True: 23.7k, False: 2.50k] ------------------ 65| 23.7k| && (flow->packet_counter < 10)) { ------------------ | Branch (65:10): [True: 23.1k, False: 584] ------------------ 66| 23.1k| return; 67| 23.1k| } 68| | 69| 3.09k| if(current_pkt_from_server_to_client(ndpi_struct, flow)) { ------------------ | Branch (69:6): [True: 2.50k, False: 584] ------------------ 70| | /* server answer, now test Server for Icecast */ 71| | 72| 2.50k| ndpi_parse_packet_line_info(ndpi_struct, flow); 73| | 74| 2.50k| if((packet->server_line.ptr != NULL) ------------------ | Branch (74:8): [True: 13, False: 2.49k] ------------------ 75| 13| && (packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast")) ------------------ | | 98| 13|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (75:11): [True: 11, False: 2] ------------------ 76| 11| && memcmp(packet->server_line.ptr, "Icecast", ------------------ | Branch (76:12): [True: 0, False: 11] ------------------ 77| 11| NDPI_STATICSTRING_LEN("Icecast")) == 0) { ------------------ | | 98| 11|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 78| | /* TODO maybe store the previous protocol type as subtype? 79| | * e.g. ogg or mpeg 80| | */ 81| 0| NDPI_LOG_INFO(ndpi_struct, "found Icecast\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 82| 0| ndpi_int_icecast_add_connection(ndpi_struct, flow); 83| 0| return; 84| 0| } 85| 2.50k| } 86| | 87| 3.09k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.09k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 88| 3.09k|} init_104_dissector: 75| 7.08k|void init_104_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 76| 7.08k| ndpi_register_dissector("IEC60870", ndpi_struct, 77| 7.08k| ndpi_search_iec60870_tcp, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_IEC60870); 80| 7.08k|} iec60870-5-104.c:ndpi_search_iec60870_tcp: 33| 11.8k| struct ndpi_flow_struct *flow) { /* Heuristic IEC 60870-5-104 detection: walks the TCP payload as a chain of frames (start byte 0x68 followed by a one-byte length) and reports a match only when one frame ends exactly at the end of the payload; in every other case the dissector is excluded for this flow. */ 34| 11.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 35| | 36| | /* Check connection over TCP */ 37| 11.8k| NDPI_LOG_DBG(ndpi_struct, "search IEC60870\n"); ------------------ | | 596| 11.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| | 39| 11.8k| if(packet->tcp) { ------------------ | Branch (39:6): [True: 11.8k, False: 0] ------------------ 40| 11.8k| u_int16_t offset = 0, found = 0; 41| | 42| 11.8k| while(offset + 1 < packet->payload_packet_len) { ------------------ | Branch (42:11): [True: 11.8k, False: 6] ------------------ 43| | /* The start byte of 104 is 0x68; the byte after it is taken from the payload as the frame length. Both reads, at offset and offset+1, are covered by the loop condition above. */ 44| 11.8k| if(packet->payload[offset] == 0x68) { ------------------ | Branch (44:10): [True: 13, False: 11.7k] ------------------ 45| 13| u_int8_t len = packet->payload[offset+1]; 46| | 47| 13| if(len == 0) ------------------ | Branch (47:5): [True: 1, False: 12] ------------------ 48| 1| break; 49| 12| else { 50| 12| u_int8_t len = packet->payload[offset+1]; /* re-reads the same byte; this declaration shadows the outer len */ 51| | 52| 12| if((len + offset + 2) == packet->payload_packet_len) { ------------------ | Branch (52:7): [True: 5, False: 7] ------------------ 53| 5| found = 1; 54| 5| break; 55| 5| } 56| | 57| 7| offset += len + 2; /* NOTE(review): offset is u_int16_t, so the sum is truncated to 16 bits on assignment; it can only wrap when the payload is close to 64 KiB - confirm the maximum payload length enforced upstream. A wrapped offset would still be bounds-checked by the loop condition. */ 58| 7| } 59| 13| } else 60| 11.7k| break; 61| 11.8k| } 62| | 63| 11.8k| if(found) { ------------------ | Branch (63:8): [True: 5, False: 11.7k] ------------------ 64| 5| NDPI_LOG_INFO(ndpi_struct, "Found IEC60870-104\n"); ------------------ | | 595| 5|# define
NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| | 66| 5| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IEC60870, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 67| 5| return; 68| 5| } 69| 11.8k| } 70| | 71| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 72| 11.7k|} init_iec62056_dissector: 65| 7.08k|{ 66| 7.08k| ndpi_register_dissector("IEC62056", ndpi_struct, 67| 7.08k| ndpi_search_iec62056, 68| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 69| 7.08k| 1, NDPI_PROTOCOL_IEC62056); 70| 7.08k|} iec62056.c:ndpi_search_iec62056: 45| 15.0k|{ /* Heuristic IEC 62056 detection: requires more than 8 payload bytes, the bytes 0x7E 0xA0 at the start, 0x7E as the last byte, and a stored 16-bit check value equal to the result of ndpi_crc16_x25(); otherwise the dissector is excluded for this flow. */ 46| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search IEC62056\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| 15.0k| if (packet->payload_packet_len > 8 && /* Smallest suitable packet (SNRM request) is 9 bytes long */ ------------------ | Branch (50:7): [True: 14.0k, False: 1.01k] ------------------ 51| 14.0k| packet->payload[0] == 0x7E && packet->payload[1] == 0xA0 && /* HDLC frame start */ ------------------ | Branch (51:7): [True: 5, False: 13.9k] | Branch (51:37): [True: 0, False: 5] ------------------ 52| 0| packet->payload[packet->payload_packet_len-1] == 0x7E) /* HDLC frame end */ ------------------ | Branch (52:7): [True: 0, False: 0] ------------------ 53| 0| { 54| 0| u_int16_t fcs = le16toh(ndpi_crc16_x25(&packet->payload[1], packet->payload_packet_len-4)); /* checksum input is payload[1] through payload[payload_packet_len-4], i.e. the bytes between the opening flag and the two stored check bytes; the length cannot underflow because payload_packet_len is at least 9 here */ 55| 0| if (fcs == get_u_int16_t(packet->payload, packet->payload_packet_len-3)) { /* NOTE(review): get_u_int16_t (expansion shown right after this line) is a cast-and-dereference, so this is a native-endian 16-bit load at an arbitrary byte offset; confirm unaligned access is acceptable on every supported target. The listing shows 0 executions for this comparison, so the check-value path is not reached by the recorded runs. */ ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (55:9): [True: 0, False: 0] ------------------ 56| 0| ndpi_int_iec62056_add_connection(ndpi_struct, flow); 57| 0| return; 58| 0| } 59| 0| } 60| | 61| 15.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.0k|#define
NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 15.0k|} init_ieee_c37118_dissector: 70| 7.08k|{ 71| 7.08k| ndpi_register_dissector("IEEE-C37118", ndpi_struct, 72| 7.08k| ndpi_search_ieee_c37118, 73| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608|
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 74| 7.08k| 1, NDPI_PROTOCOL_IEEE_C37118); 75| 7.08k|} ieee-c37118.c:ndpi_search_ieee_c37118: 45| 15.0k|{ 46| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search IEEE C37.118\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| | /* A little bit of heuristics. Check the minimum length, 51| | * version (0xAA) and frame type (0 to 5) */ 52| 15.0k| if ((packet->payload_packet_len >= 17) && (packet->payload[0] == 0xAA) && ------------------ | Branch (52:7): [True: 10.4k, False: 4.54k] | Branch (52:45): [True: 2, False: 10.4k] ------------------ 53| 2| ((packet->payload[1] >> 4) < 6)) ------------------ | Branch (53:7): [True: 1, False: 1] ------------------ 54| 1| { 55| 1| u_int16_t frame_size = ntohs(get_u_int16_t(packet->payload, 2)); 56| 1| u_int16_t crc = ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len-2)); 57| | 58| 1| if ((frame_size == packet->payload_packet_len) && ------------------ | Branch (58:9): [True: 0, False: 1] ------------------ 59| 0| (crc == ndpi_crc16_ccit_false(packet->payload, packet->payload_packet_len-2))) ------------------ | Branch (59:9): [True: 0, False: 0] ------------------ 60| 0| { 61| 0| ndpi_int_ieee_c37118_add_connection(ndpi_struct, flow); 62| 0| return; 63| 0| } 64| 1| } 65| | 66| 15.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 15.0k|} init_imo_dissector: 71| 7.08k|void init_imo_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 72| 7.08k| ndpi_register_dissector("IMO", ndpi_struct, 73| 7.08k| ndpi_search_imo, 74| 7.08k| 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 75| 7.08k| 1, NDPI_PROTOCOL_IMO); 76| 7.08k|} imo.c:ndpi_search_imo: 36| 6.75k|static void ndpi_search_imo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 37| 6.75k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| | 39| 6.75k| NDPI_LOG_DBG(ndpi_struct, "search IMO\n"); ------------------ | | 596| 6.75k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 40| | 41| 6.75k| if(packet->payload_packet_len == 1) { ------------------ | Branch (41:6): [True: 108, False: 6.65k] ------------------ 42| | /* Two one byte consecutive packets with the same payload */ 43| 108| if((flow->l4.udp.imo_last_one_byte_pkt == 1) ------------------ | Branch (43:8): [True: 0, False: 108] ------------------ 44| 0| && (flow->l4.udp.imo_last_byte == packet->payload[0])) ------------------ | Branch (44:11): [True: 0, False: 0] ------------------ 45| 0| ndpi_int_imo_add_connection(ndpi_struct, flow); 46| 108| else 47| 108| flow->l4.udp.imo_last_one_byte_pkt = 1, flow->l4.udp.imo_last_byte = packet->payload[0]; 48| 6.65k| } else if(((packet->payload_packet_len == 10) ------------------ | Branch (48:14): [True: 4, False: 6.64k] ------------------ 49| 4| && (packet->payload[0] == 0x09) ------------------ | Branch (49:6): [True: 0, False: 4] ------------------ 50| 0| && (packet->payload[1] == 0x02)) ------------------ | Branch (50:6): [True: 0, False: 0] ------------------ 51| 6.65k| || ((packet->payload_packet_len == 11) ------------------ | Branch (51:10): [True: 2, False: 6.64k] ------------------ 52| 2| && (packet->payload[0] == 0x00) ------------------ | Branch (52:6): [True: 1, False: 1] ------------------ 53| 1| && (packet->payload[1] == 0x09) ------------------ | Branch (53:6): [True: 0, False: 1] ------------------ 54| 0| && (packet->payload[2] == 0x03)) ------------------ | Branch (54:6): [True: 0, False: 0] ------------------ 55| 6.65k| || ((packet->payload_packet_len == 1099) ------------------ | Branch (55:10): [True: 0, False: 6.65k] ------------------ 56| 0| && (packet->payload[0] == 0x88) ------------------ | Branch (56:6): [True: 0, False: 0] ------------------ 57| 0| && (packet->payload[1] == 0x49) ------------------ | Branch (57:6): [True: 0, False: 0] ------------------ 58| 0| && (packet->payload[2] == 0x1a) ------------------ | Branch (58:6): [True: 0, False: 0] 
------------------ 59| 0| && (packet->payload[3] == 0x00))) { ------------------ | Branch (59:6): [True: 0, False: 0] ------------------ 60| 0| NDPI_LOG_INFO(ndpi_struct, "found IMO\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 61| 0| ndpi_int_imo_add_connection(ndpi_struct, flow); 62| 6.65k| } else { 63| 6.65k| if(flow->num_processed_pkts > 5) ------------------ | Branch (63:8): [True: 16, False: 6.63k] ------------------ 64| 16| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 16|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 6.63k| else 66| 6.63k| flow->l4.udp.imo_last_one_byte_pkt = 0; 67| 6.65k| } 68| 6.75k|} init_ipp_dissector: 60| 7.08k|{ 61| 7.08k| ndpi_register_dissector("IPP", ndpi_struct, 62| 7.08k| ndpi_search_ipp, 63| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 64| 7.08k| 1, NDPI_PROTOCOL_IPP); 65| 7.08k|} ipp.c:ndpi_search_ipp: 40| 14.3k|{ 41| 14.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| | 43| 14.3k| NDPI_LOG_DBG(ndpi_struct, "search ipp\n"); ------------------ | | 596| 14.3k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| | 45| | /* Treat IPP as a HTTP sub-protocol */ 46| | 47| 14.3k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP && ------------------ | Branch (47:6): [True: 688, False: 13.6k] ------------------ 48| 688| flow->http.method == NDPI_HTTP_METHOD_POST && ------------------ | Branch (48:6): [True: 156, False: 532] ------------------ 49| 156| LINE_STARTS(packet->http_url_name, "/ipp/") == 1) { ------------------ | | 76| 156| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 156, False: 0] | | ------------------ | | 77| 156| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 156, False: 0] | | ------------------ | | 78| 156| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 0, False: 156] | | ------------------ ------------------ | Branch (49:6): [True: 0, False: 156] ------------------ 50| 0| NDPI_LOG_INFO(ndpi_struct, "found ipp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 51| 0| ndpi_int_ipp_add_connection(ndpi_struct, flow); 52| 0| return; 53| 0| } 54| | 55| 14.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 14.3k|} init_ipsec_dissector: 187| 7.08k|{ 188| 7.08k| ndpi_register_dissector("IPSec", ndpi_struct, 189| 7.08k| ndpi_search_ipsec, 190| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 191| 7.08k| 1, NDPI_PROTOCOL_IPSEC); 192| 7.08k|} ipsec.c:ndpi_search_ipsec: 132| 3.36k|{ 133| 3.36k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 134| 3.36k| u_int16_t isakmp_offset = 0; 135| 3.36k| enum isakmp_type isakmp_type = ISAKMP_INVALID; 136| | 137| 3.36k| NDPI_LOG_DBG(ndpi_struct, 
"search IPSEC (UDP)\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 138| | 139| 3.36k| if (packet->payload_packet_len < 28) ------------------ | Branch (139:7): [True: 410, False: 2.95k] ------------------ 140| 410| { 141| 410| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 410|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 142| 410| return; 143| 410| } 144| | 145| | /* check for non-ESP marker required for ISAKMP over UDP */ 146| 2.95k| if (get_u_int32_t(packet->payload, 0) == 0x00000000) ------------------ | | 137| 2.95k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (146:7): [True: 153, False: 2.80k] ------------------ 147| 153| { 148| 153| isakmp_offset = 4; 149| 153| if (packet->payload_packet_len < 32) ------------------ | Branch (149:9): [True: 1, False: 152] ------------------ 150| 1| { 151| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 152| 1| return; 153| 1| } 154| 153| } 155| | 156| 2.95k| if (packet->payload[isakmp_offset + 17] != 0x20 /* Major Version 2 */) ------------------ | Branch (156:7): [True: 2.94k, False: 13] ------------------ 157| 2.94k| { 158| 2.94k| if (packet->payload[isakmp_offset + 17] != 0x10 /* Major Version 1 */) ------------------ | Branch (158:9): [True: 2.93k, False: 11] ------------------ 159| 2.93k| { 160| 2.93k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.93k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 161| 2.93k| return; 162| 2.93k| } else { 163| | /* Version 1 is obsolete, 
but still used by some embedded devices. */ 164| 11| isakmp_type = ISAKMP_V1; 165| 11| } 166| 2.94k| } else { 167| 13| isakmp_type = ISAKMP_V2; 168| 13| } 169| | 170| 24| if (ntohl(get_u_int32_t(packet->payload, isakmp_offset + 24)) != (u_int32_t)packet->payload_packet_len - isakmp_offset) ------------------ | Branch (170:7): [True: 24, False: 0] ------------------ 171| 24| { 172| 24| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 24|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 173| 24| return; 174| 24| } 175| | 176| 0| if (isakmp_type == ISAKMP_V1) ------------------ | Branch (176:7): [True: 0, False: 0] ------------------ 177| 0| { 178| 0| isakmp_type = ndpi_int_check_isakmp_v1(packet, isakmp_offset, isakmp_type); 179| 0| } else { 180| 0| isakmp_type = ndpi_int_check_isakmp_v2(packet, isakmp_offset, isakmp_type); 181| 0| } 182| | 183| 0| ndpi_int_ipsec_add_connection(ndpi_struct, flow, isakmp_type); 184| 0|} init_iqiyi_dissector: 59| 7.08k|{ 60| 7.08k| ndpi_register_dissector("iQIYI", ndpi_struct, 61| 7.08k| ndpi_search_iqiyi, 62| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | 
| ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 63| 7.08k| 1, NDPI_PROTOCOL_IQIYI); 64| 7.08k|} iqiyi.c:ndpi_search_iqiyi: 41| 3.32k|{ 42| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search iQIYI\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 3.32k| if (packet->payload_packet_len > 120 && packet->payload_packet_len < 300) { ------------------ | Branch (46:7): [True: 1.21k, False: 2.10k] | Branch (46:43): [True: 965, False: 250] ------------------ 47| 965| if (ndpi_memmem(packet->payload, packet->payload_packet_len, "PPStream", NDPI_STATICSTRING_LEN("PPStream"))) { ------------------ | | 98| 965|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (47:9): [True: 0, False: 965] ------------------ 48| 0| ndpi_int_iqiyi_add_connection(ndpi_struct, flow); 49| 0| return; 50| 0| } 51| 965| } 52| | 53| | /* Add more iQiyi signatures */ 54| | 55| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 3.32k|} init_irc_dissector: 228| 7.08k|{ 229| 7.08k| ndpi_register_dissector("IRC", ndpi_struct, 230| 7.08k| ndpi_search_irc_tcp, 231| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 232| 7.08k| 1, NDPI_PROTOCOL_IRC); 233| 7.08k|} irc.c:ndpi_search_irc_tcp: 92| 30.2k|{ 93| 30.2k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 94| | 95| 30.2k| u_int16_t c = 0; 96| 30.2k| u_int16_t i = 0; 97| 30.2k| u_int16_t http_content_ptr_len = 0; 98| | 99| 30.2k| NDPI_LOG_DBG(ndpi_struct, "search irc\n"); ------------------ | | 596| 30.2k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 100| 30.2k| if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && (flow->packet_counter > 10)) ------------------ | Branch (100:7): [True: 30.2k, False: 0] | Branch (100:64): [True: 25, False: 30.2k] ------------------ 101| 30.2k| || (flow->packet_counter >= 10)) { ------------------ | Branch (101:9): [True: 644, False: 29.5k] ------------------ 102| 669| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 669|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 103| 669| return; 104| 669| } 105| | 106| 29.5k| if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter < 20 ------------------ | Branch (106:7): [True: 29.5k, False: 0] | Branch (106:64): [True: 29.5k, False: 0] ------------------ 107| 29.5k| && packet->payload_packet_len >= 8) { ------------------ | Branch (107:10): [True: 28.0k, False: 1.50k] ------------------ 108| 28.0k| if (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x0a ------------------ | | 135| 28.0k|#define get_u_int8_t(X,O) (*(u_int8_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (108:9): [True: 6.90k, False: 21.1k] ------------------ 109| 21.1k| || (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0a00)) { ------------------ | Branch (109:5): [True: 7, False: 21.1k] ------------------ 110| 6.90k| if (memcmp(packet->payload, ":", 1) == 0) { ------------------ | Branch (110:11): [True: 12, False: 6.89k] ------------------ 111| 12| if (packet->payload[packet->payload_packet_len - 2] != 0x0d ------------------ | Branch (111:6): [True: 7, False: 5] ------------------ 112| 7| && packet->payload[packet->payload_packet_len - 1] == 0x0a) { ------------------ | Branch (112:9): [True: 6, False: 1] ------------------ 113| 6| ndpi_parse_packet_line_info_any(ndpi_struct); 114| 6| } else if 
(packet->payload[packet->payload_packet_len - 2] == 0x0d) { ------------------ | Branch (114:13): [True: 5, False: 1] ------------------ 115| 5| ndpi_parse_packet_line_info(ndpi_struct, flow); 116| 5| } else { 117| 1| flow->l4.tcp.irc_3a_counter++; 118| 1| packet->parsed_lines = 0; 119| 1| } 120| 80| for (i = 0; i < packet->parsed_lines; i++) { ------------------ | Branch (120:14): [True: 68, False: 12] ------------------ 121| 68| if ((packet->line[i].len > 0) && packet->line[i].ptr[0] == ':') { ------------------ | Branch (121:8): [True: 42, False: 26] | Branch (121:37): [True: 18, False: 24] ------------------ 122| 18| flow->l4.tcp.irc_3a_counter++; 123| 18| if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */ ------------------ | Branch (123:10): [True: 0, False: 18] ------------------ 124| 0| NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times."); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 125| 0| ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 126| 0| return; 127| 0| } 128| 18| } 129| 68| } 130| 12| if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */ ------------------ | Branch (130:6): [True: 0, False: 12] ------------------ 131| 0| NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times."); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 132| 0| ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 133| 0| return; 134| 0| } 135| 12| } 136| | 137| 6.90k| if ((memcmp(packet->payload, "USER ", 5) == 0) ------------------ | Branch (137:11): [True: 1, False: 6.90k] ------------------ 138| 6.90k| || (memcmp(packet->payload, "NICK ", 5) == 0) ------------------ | Branch (138:7): [True: 231, False: 6.67k] ------------------ 139| 6.67k| || (memcmp(packet->payload, "PASS ", 5) == 0) ------------------ | Branch (139:7): [True: 592, False: 6.08k] ------------------ 140| 6.08k| || (memcmp(packet->payload, ":", 1) == 0 && ndpi_check_for_NOTICE_or_PRIVMSG(ndpi_struct) != 0) ------------------ | Branch (140:8): [True: 12, False: 6.07k] | Branch (140:48): [True: 0, False: 12] ------------------ 141| 6.08k| || (memcmp(packet->payload, "PONG ", 5) == 0) ------------------ | Branch (141:7): [True: 0, False: 6.08k] ------------------ 142| 6.08k| || (memcmp(packet->payload, "PING ", 5) == 0) ------------------ | Branch (142:7): [True: 5, False: 6.08k] ------------------ 143| 6.08k| || (memcmp(packet->payload, "JOIN ", 5) == 0) ------------------ | Branch (143:7): [True: 4, False: 6.07k] ------------------ 144| 6.07k| || (memcmp(packet->payload, "MODE ", 5) == 0) ------------------ | Branch (144:7): [True: 0, False: 6.07k] ------------------ 145| 6.07k| || (memcmp(packet->payload, "NOTICE ", 7) == 0) ------------------ | Branch (145:7): [True: 2, False: 6.07k] ------------------ 146| 6.07k| || (memcmp(packet->payload, "PRIVMSG ", 8) == 0) ------------------ | Branch (146:7): [True: 0, False: 6.07k] ------------------ 147| 6.07k| || (memcmp(packet->payload, "VERSION ", 8) == 0)) { ------------------ | Branch (147:7): [True: 3, False: 6.07k] ------------------ 148| 838| char *user = ndpi_strnstr((char*)packet->payload, "USER ", packet->payload_packet_len); 149| | 150| 838| if(user) { ------------------ | Branch (150:5): [True: 1, False: 837] 
------------------ 151| 1| char buf[32], msg[64], *sp; 152| | 153| 1| snprintf(buf, sizeof(buf), "%.*s", (int)(packet->payload_packet_len - (user + 5 - (char *)packet->payload)), user + 5); 154| 1| sp = buf; 155| 1| strsep(&sp, " \r\n"); 156| | 157| 1| snprintf(msg, sizeof(msg), "Found IRC username (%s)", buf); 158| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); 159| 1| } 160| | 161| 838| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 838|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 162| 838| "USER, NICK, PASS, NOTICE, PRIVMSG one time"); 163| 838| if (flow->l4.tcp.irc_stage == 2) { ------------------ | Branch (163:6): [True: 118, False: 720] ------------------ 164| 118| NDPI_LOG_INFO(ndpi_struct, "found irc"); ------------------ | | 595| 118|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 165| 118| ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 166| 118| flow->l4.tcp.irc_stage = 3; 167| 118| } 168| 838| if (flow->l4.tcp.irc_stage == 1) { ------------------ | Branch (168:6): [True: 246, False: 592] ------------------ 169| 246| NDPI_LOG_DBG2(ndpi_struct, "second time, stage=2"); ------------------ | | 597| 246|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 170| 246| flow->l4.tcp.irc_stage = 2; 171| 246| } 172| 838| if (flow->l4.tcp.irc_stage == 0) { ------------------ | Branch (172:6): [True: 474, False: 364] ------------------ 173| 474| NDPI_LOG_DBG2(ndpi_struct, "first time, stage=1"); ------------------ | | 597| 474|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 174| 474| flow->l4.tcp.irc_stage = 1; 175| 474| } 176| | /* irc packets can have either windows line breaks (0d0a) or unix line breaks (0a) */ 177| 838| if (packet->payload[packet->payload_packet_len - 2] == 0x0d ------------------ | Branch (177:6): [True: 829, False: 9] ------------------ 178| 829| && packet->payload[packet->payload_packet_len - 1] == 0x0a) { ------------------ | Branch (178:9): [True: 829, False: 0] ------------------ 179| 829| ndpi_parse_packet_line_info(ndpi_struct, flow); 180| 829| if (packet->parsed_lines > 1) { ------------------ | Branch (180:8): [True: 829, False: 0] ------------------ 181| 829| NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); ------------------ | | 597| 829|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 182| 1.79k| for (c = 1; c < packet->parsed_lines; c++) { ------------------ | Branch (182:18): [True: 965, False: 829] ------------------ 183| 965| if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 ------------------ | Branch (183:12): [True: 132, False: 833] | Branch (183:40): [True: 0, False: 132] ------------------ 184| 132| || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) { ------------------ | Branch (184:15): [True: 0, False: 132] ------------------ 185| 0| NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 186| 0| ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 187| 0| flow->l4.tcp.irc_stage = 3; 188| 0| return; 189| 0| } 190| 965| } 191| 829| } 192| | 193| 829| } else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) { ------------------ | Branch (193:13): [True: 9, False: 0] ------------------ 194| 9| ndpi_parse_packet_line_info_any(ndpi_struct); 195| 9| if (packet->parsed_lines > 1) { ------------------ | Branch (195:8): [True: 6, False: 3] ------------------ 196| 6| NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); ------------------ | | 597| 6|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 197| 36| for (c = 1; c < packet->parsed_lines; c++) { ------------------ | Branch (197:18): [True: 30, False: 6] ------------------ 198| 30| if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 ------------------ | Branch (198:12): [True: 17, False: 13] | Branch (198:40): [True: 0, False: 17] ------------------ 199| 17| || memcmp(packet->line[c].ptr, "USER ", ------------------ | Branch (199:15): [True: 0, False: 17] ------------------ 200| 17| 5) == 0)) { 201| 0| NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 202| 0| ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 203| 0| flow->l4.tcp.irc_stage = 3; 204| 0| return; 205| 0| } 206| 30| } 207| 6| } 208| 9| } 209| 838| } 210| 6.90k| } 211| 28.0k| } 212| | 213| 29.5k| if ((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC) && (flow->l4.tcp.irc_stage == 1)) { ------------------ | Branch (213:7): [True: 29.4k, False: 118] | Branch (213:66): [True: 783, False: 28.6k] ------------------ 214| 783| if ((((packet->payload_packet_len - http_content_ptr_len) > 10) ------------------ | Branch (214:10): [True: 685, False: 98] ------------------ 215| 685| && (memcmp(packet->payload + http_content_ptr_len, "interface=", 10) == 0) ------------------ | Branch (215:6): [True: 0, False: 685] ------------------ 216| 0| && (ndpi_check_for_Nickname(ndpi_struct) != 0)) ------------------ | Branch (216:6): [True: 0, False: 0] ------------------ 217| 783| || (((packet->payload_packet_len - http_content_ptr_len) > 5) ------------------ | Branch (217:6): [True: 685, False: 98] ------------------ 218| 685| && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0) ------------------ | Branch (218:9): [True: 0, False: 685] ------------------ 219| 0| && (ndpi_check_for_cmd(ndpi_struct) != 0))) { ------------------ | Branch (219:9): [True: 0, False: 0] ------------------ 220| 0| NDPI_LOG_INFO(ndpi_struct, "found IRC: Nickname, cmd, one time"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 221| 0| ndpi_int_irc_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 222| 0| return; 223| 0| } 224| 783| } 225| 29.5k|} irc.c:ndpi_int_irc_add_connection: 34| 118|{ 35| 118| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IRC, NDPI_PROTOCOL_UNKNOWN, confidence); 36| 118|} irc.c:ndpi_check_for_NOTICE_or_PRIVMSG: 39| 12|{ 40| 12| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 41| | 42| 12| if(ndpi_memmem(packet->payload, packet->payload_packet_len, "NOTICE", 6)) ------------------ | Branch (42:6): [True: 0, False: 12] ------------------ 43| 0| return 1; 44| 12| if(ndpi_memmem(packet->payload, packet->payload_packet_len, "PRIVMSG", 7)) ------------------ | Branch (44:6): [True: 0, False: 12] ------------------ 45| 0| return 1; 46| 12| return 0; 47| 12|} init_iso9506_1_mms_dissector: 76| 7.08k|{ 77| 7.08k| ndpi_register_dissector("ISO9506-1-MMS", ndpi_struct, 78| 7.08k| ndpi_search_iso9506_1_mms, 79| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 80| 7.08k| 1, NDPI_PROTOCOL_ISO9506_1_MMS); 81| 7.08k|} iso9506-1-mms.c:ndpi_search_iso9506_1_mms: 45| 19.2k|{ 46| 19.2k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 19.2k| NDPI_LOG_DBG(ndpi_struct, "search ISO 9506-1 MMS\n"); ------------------ | | 596| 19.2k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 49| | 50| 19.2k| if ((packet->payload_packet_len > 60) && tpkt_verify_hdr(packet)) ------------------ | Branch (50:7): [True: 4.67k, False: 14.5k] | Branch (50:44): [True: 0, False: 4.67k] ------------------ 51| 0| { 52| 0| if (current_pkt_from_client_to_server(ndpi_struct, flow)) { ------------------ | Branch (52:9): [True: 0, False: 0] ------------------ 53| | /* Check COTP and ISO 8327-1 headers */ 54| 0| if ((packet->payload[4] == 2) && (packet->payload[5] == 0xF0) && ------------------ | Branch (54:11): [True: 0, False: 0] | Branch (54:40): [True: 0, False: 0] ------------------ 55| 0| (packet->payload[6] == 0x80) && (packet->payload[7] - 13 <= 1) && ------------------ | Branch (55:11): [True: 0, False: 0] | Branch (55:43): [True: 0, False: 0] ------------------ 56| 0| (packet->payload[8] == (packet->payload_packet_len - 9))) ------------------ | Branch (56:11): [True: 0, False: 0] ------------------ 57| 0| { 58| | /* Search for a MMS signature in initiate request from client */ 59| 0| if ((get_u_int16_t(packet->payload, packet->payload_packet_len-37) == le16toh(0x280)) || ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (59:13): [True: 0, False: 0] ------------------ 60| 0| (get_u_int16_t(packet->payload, packet->payload_packet_len-38) == le16toh(0x380)) || ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (60:13): [True: 0, False: 0] ------------------ 61| 0| (get_u_int16_t(packet->payload, packet->payload_packet_len-40) == le16toh(0x280))) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (61:13): [True: 0, False: 0] ------------------ 62| 0| { 63| 0| ndpi_int_iso9506_1_mms_add_connection(ndpi_struct, flow); 64| 0| return; 65| 0| } 66| 0| } 67| 0| } 68| 0| } 69| | 70| 19.2k| 
if (flow->packet_direction_counter[packet->packet_direction] > 2) { ------------------ | Branch (70:7): [True: 2.51k, False: 16.7k] ------------------ 71| 2.51k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.51k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 72| 2.51k| } 73| 19.2k|} init_jabber_dissector: 144| 7.08k|{ 145| 7.08k| ndpi_register_dissector("Jabber", ndpi_struct, 146| 7.08k| ndpi_search_jabber_tcp, 147| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 148| 7.08k| 1, NDPI_PROTOCOL_JABBER); 149| 7.08k|} jabber.c:ndpi_search_jabber_tcp: 66| 13.4k|{ 67| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 68| 13.4k| u_int16_t const max_packets = 4; 69| 13.4k| size_t i; 70| 13.4k| static uint8_t const valid_patterns[] = { 0x25, 0x26, 0x30 }; 71| | 72| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search JABBER\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 73| | 74| 13.4k| if (packet->payload_packet_len >= 3 && ------------------ | Branch (74:7): [True: 13.4k, False: 9] ------------------ 75| 13.4k| packet->payload[1] == 0x00 && packet->payload[2] == packet->payload_packet_len) ------------------ | Branch (75:7): [True: 1.63k, False: 11.8k] | Branch (75:37): [True: 8, False: 1.62k] ------------------ 76| 8| { 77| | /* Old style Jabber/XMPP SSL. 
*/ 78| 8| if (flow->packet_counter > max_packets - 1) ------------------ | Branch (78:9): [True: 0, False: 8] ------------------ 79| 0| { 80| 0| ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI); 81| 0| return; 82| 0| } 83| 31| for (i = 0; i < NDPI_ARRAY_LENGTH(valid_patterns); ++i) ------------------ | | 132| 31|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (83:17): [True: 24, False: 7] ------------------ 84| 24| { 85| 24| if (packet->payload[0] == valid_patterns[i]) ------------------ | Branch (85:11): [True: 1, False: 23] ------------------ 86| 1| { 87| 1| return; 88| 1| } 89| 24| } 90| 7| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 91| 7| return; 92| 8| } 93| | 94| | /* search for jabber here */ 95| | /* this part is working asymmetrically */ 96| 13.4k| if (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("payload, "payload[0], ------------------ | Branch (98:7): [True: 0, False: 0] ------------------ 99| 0| "xmlns='http://jabber.org/protocol/", packet->payload_packet_len) != NULL) 100| 0| { 101| 0| ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI); 102| 0| return; 103| 0| } 104| | 105| 13.4k| if (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("payload_packet_len) != NULL) 109| 0| { 110| 0| ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI); 111| 0| return; 112| 0| } 113| | 114| 13.4k| if (packet->payload_packet_len == NDPI_STATICSTRING_LEN("") && ------------------ | | 98| 26.9k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (114:7): [True: 3.03k, False: 10.4k] ------------------ 115| 3.03k| 
memcmp(packet->payload, "", NDPI_STATICSTRING_LEN("")) == 0) ------------------ | | 98| 3.03k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (115:7): [True: 1, False: 3.03k] ------------------ 116| 1| { 117| 1| ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI); 118| 1| return; 119| 1| } 120| | 121| 13.4k| if ((packet->payload_packet_len > 13 && memcmp(packet->payload, "payload_packet_len >= NDPI_STATICSTRING_LEN("payload, "payload_packet_len-13; 125| | 126| 6| if(ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream='http://etherx.jabber.org/streams'", start) ------------------ | Branch (126:8): [True: 0, False: 6] ------------------ 127| 6| || ndpi_strnstr((const char *)&packet->payload[13], "xmlns:stream=\"http://etherx.jabber.org/streams\"", start)) { ------------------ | Branch (127:11): [True: 0, False: 6] ------------------ 128| | 129| | /* Protocol family */ 130| 0| ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_JABBER, NDPI_CONFIDENCE_DPI); 131| | 132| | /* search for subprotocols */ 133| 0| check_content_type_and_change_protocol(ndpi_struct, flow, 13); 134| 0| } 135| 6| return; 136| 6| } 137| | 138| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 139| 13.4k| return; 140| 13.4k|} jabber.c:ndpi_int_jabber_add_connection: 47| 1|{ 48| 1| ndpi_set_detected_protocol(ndpi_struct, flow, protocol, master, confidence); 49| 1|} init_jrmi_dissector: 56| 7.08k|void init_jrmi_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 57| 7.08k| ndpi_register_dissector("JRMI", ndpi_struct, 58| 7.08k| ndpi_search_jrmi, 59| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 60| 7.08k| 1, NDPI_PROTOCOL_JRMI); 61| 7.08k|} jrmi.c:ndpi_search_jrmi: 34| 11.6k|static void ndpi_search_jrmi(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 35| | 36| 11.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 37| | 38| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search jrmi\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, 
args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| | //>5 because of the version 41| 11.6k| if(packet->payload_packet_len > 5) { ------------------ | Branch (41:5): [True: 10.8k, False: 755] ------------------ 42| 10.8k| if(packet->payload[0] == 0x4a && ------------------ | Branch (42:6): [True: 8, False: 10.8k] ------------------ 43| 8| packet->payload[1] == 0x52 && ------------------ | Branch (43:4): [True: 0, False: 8] ------------------ 44| 0| packet->payload[2] == 0x4d && ------------------ | Branch (44:4): [True: 0, False: 0] ------------------ 45| 0| packet->payload[3] == 0x49 ) { ------------------ | Branch (45:4): [True: 0, False: 0] ------------------ 46| 0| NDPI_LOG_INFO(ndpi_struct, "found jrmi over tcp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| 0| ndpi_int_jrmi_add_connection(ndpi_struct, flow); 48| 0| return; 49| 0| } 50| 10.8k| } 51| | 52| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 11.6k|} init_json_rpc_dissector: 65| 7.08k|{ 66| 7.08k| ndpi_register_dissector("JSON-RPC", ndpi_struct, 67| 7.08k| ndpi_search_json_rpc, 68| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | 
| | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 69| 7.08k| 1, NDPI_PROTOCOL_JSON_RPC); 70| 7.08k|} json-rpc.c:ndpi_search_json_rpc: 34| 12.7k|{ 35| 12.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 12.7k| NDPI_LOG_DBG(ndpi_struct, "search JSON-RPC\n"); ------------------ | | 596| 12.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 38| | 39| 12.7k| if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || ------------------ | Branch (39:7): [True: 645, False: 12.0k] ------------------ 40| 12.0k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP) ------------------ | Branch (40:7): [True: 418, False: 11.6k] ------------------ 41| 1.06k| { 42| 1.06k| if ((packet->content_line.ptr != NULL) && ------------------ | Branch (42:9): [True: 68, False: 995] ------------------ 43| 68| (LINE_ENDS(packet->content_line, "application/json-rpc") != 0)) ------------------ | | 81| 68| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 61, False: 7] | | ------------------ | | 82| 68| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 61] | | ------------------ | | 83| 61| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 61| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (43:9): [True: 0, False: 68] ------------------ 44| 0| { 45| 0| NDPI_LOG_INFO(ndpi_struct, "found JSON-RPC over HTTP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 46| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_JSON_RPC, 47| 0| NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); 48| 0| } 49| 1.06k| return; 50| 1.06k| } 51| | 52| 11.6k| if ((packet->payload_packet_len > 30) && (packet->payload[0] == '{') && ------------------ | Branch (52:7): [True: 6.40k, False: 5.27k] | Branch (52:44): [True: 4, False: 6.39k] ------------------ 53| 4| (ndpi_strnstr((const char *)packet->payload, "\"jsonrpc\":", packet->payload_packet_len))) ------------------ | Branch (53:7): [True: 0, False: 4] ------------------ 54| 0| { 55| 0| NDPI_LOG_INFO(ndpi_struct, "found JSON-RPC over TCP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 56| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_JSON_RPC, 57| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 58| 0| return; 59| 0| } 60| | 61| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 11.6k|} ndpi_search_json: 46| 15.0k|{ 47| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 48| 15.0k| size_t offset = 0, i; 49| 15.0k| size_t bytes_checked = 0; 50| | 51| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search JSON\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| | 53| 15.0k| if (packet->payload_packet_len < 2) { ------------------ | Branch (53:7): [True: 111, False: 14.9k] ------------------ 54| 111| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 111|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 111| return; 56| 111| } 57| | 58| 144k| do { 59| 144k| if (offset >= packet->payload_packet_len) { ------------------ | Branch (59:9): [True: 913, False: 143k] ------------------ 60| 913| break; 61| 913| } 62| 143k| if (packet->payload[offset] == '{' || ------------------ | Branch (62:9): [True: 577, False: 143k] ------------------ 63| 143k| packet->payload[offset] == '[') ------------------ | Branch (63:9): [True: 253, False: 142k] ------------------ 64| 830| { 65| 830| break; 66| 830| } 67| 142k| if (packet->payload[offset] != ' ' && ------------------ | Branch (67:9): [True: 135k, False: 7.39k] ------------------ 68| 135k| packet->payload[offset] != '\t' && ------------------ | Branch (68:9): [True: 135k, False: 443] ------------------ 69| 135k| packet->payload[offset] != '\r' && ------------------ | Branch (69:9): [True: 132k, False: 2.13k] ------------------ 70| 132k| packet->payload[offset] != '\n' && ------------------ | Branch (70:9): [True: 130k, False: 2.74k] ------------------ 71| 130k| ndpi_isalnum(packet->payload[offset]) == 0 && ------------------ | | 2527| 130k|#define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0) | | ------------------ | | | | 2525| 130k|#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z')) | | | | ------------------ | | | | | Branch (2525:28): [True: 38.8k, False: 91.2k] | | | | | Branch (2525:43): [True: 16.9k, False: 21.8k] | | | | | Branch (2525:60): [True: 58.0k, False: 55.1k] | | | | | Branch (2525:75): [True: 35.1k, False: 22.8k] | | | | ------------------ 
| | ------------------ | | #define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0) | | ------------------ | | | | 2526| 77.9k|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | | | ------------------ | | | | | Branch (2526:27): [True: 31.5k, False: 46.3k] | | | | | Branch (2526:42): [True: 6.40k, False: 25.1k] | | | | ------------------ | | ------------------ | | | Branch (2527:27): [True: 52.1k, False: 77.9k] | | | Branch (2527:52): [True: 6.40k, False: 71.5k] | | ------------------ ------------------ | Branch (71:9): [True: 71.5k, False: 58.5k] ------------------ 72| 71.5k| offset >= 8) ------------------ | Branch (72:9): [True: 12.4k, False: 59.0k] ------------------ 73| 12.4k| { 74| 12.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 12.4k| return; 76| 12.4k| } 77| 142k| } while (++offset < JSON_MAX_BYTES_TO_CHECK); ------------------ | | 28| 130k|#define JSON_MAX_BYTES_TO_CHECK 16 ------------------ | Branch (77:12): [True: 129k, False: 694] ------------------ 78| | 79| 4.49k| for (i = offset; i < ndpi_min(JSON_MAX_BYTES_TO_CHECK, packet->payload_packet_len); ++i) { ------------------ | | 113| 4.49k|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 2.03k, False: 2.46k] | | ------------------ ------------------ | Branch (79:20): [True: 2.83k, False: 1.65k] ------------------ 80| 2.83k| if (ndpi_isprint(packet->payload[i]) == 0 && ------------------ | | 2529| 2.83k|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 2.13k, False: 703] | | | Branch (2529:43): [True: 2.01k, False: 121] | | ------------------ ------------------ | Branch (80:9): [True: 824, False: 2.01k] ------------------ 81| 824| packet->payload[i] != '\t' && ------------------ | Branch (81:9): [True: 818, False: 6] ------------------ 82| 818| packet->payload[i] != '\r' && ------------------ | Branch (82:9): [True: 808, False: 10] ------------------ 83| 808| packet->payload[i] != '\n') ------------------ | Branch (83:9): [True: 778, False: 30] ------------------ 84| 778| { 85| 778| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 778|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 86| 778| return; 87| 778| } 88| 2.83k| } 89| | 90| 1.65k| if (offset == JSON_MAX_BYTES_TO_CHECK || offset >= packet->payload_packet_len) { ------------------ | | 28| 3.31k|#define JSON_MAX_BYTES_TO_CHECK 16 ------------------ | Branch (90:7): [True: 694, False: 965] | Branch (90:44): [True: 913, False: 52] ------------------ 91| 1.60k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.60k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 92| 1.60k| return; 93| 1.60k| } 94| | 95| 52| offset = packet->payload_packet_len; 96| | 97| 337| do { 98| 337| if (packet->payload[offset - 1] == '}' || ------------------ | Branch (98:9): [True: 0, False: 337] ------------------ 99| 337| packet->payload[offset - 1] == ']') 
------------------ | Branch (99:9): [True: 1, False: 336] ------------------ 100| 1| { 101| 1| break; 102| 1| } 103| 336| if (packet->payload[offset - 1] != ' ' && ------------------ | Branch (103:9): [True: 272, False: 64] ------------------ 104| 272| packet->payload[offset - 1] != '\t' && ------------------ | Branch (104:9): [True: 253, False: 19] ------------------ 105| 253| packet->payload[offset - 1] != '\r' && ------------------ | Branch (105:9): [True: 245, False: 8] ------------------ 106| 245| packet->payload[offset - 1] != '\n' && ------------------ | Branch (106:9): [True: 235, False: 10] ------------------ 107| 235| ndpi_isalnum(packet->payload[offset - 1]) == 0) ------------------ | | 2527| 235|#define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0) | | ------------------ | | | | 2525| 235|#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z')) | | | | ------------------ | | | | | Branch (2525:28): [True: 131, False: 104] | | | | | Branch (2525:43): [True: 116, False: 15] | | | | | Branch (2525:60): [True: 51, False: 68] | | | | | Branch (2525:75): [True: 34, False: 17] | | | | ------------------ | | ------------------ | | #define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0) | | ------------------ | | | | 2526| 85|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | | | ------------------ | | | | | Branch (2526:27): [True: 63, False: 22] | | | | | Branch (2526:42): [True: 43, False: 20] | | | | ------------------ | | ------------------ | | | Branch (2527:27): [True: 150, False: 85] | | | Branch (2527:52): [True: 43, False: 42] | | ------------------ ------------------ | Branch (107:9): [True: 42, False: 193] ------------------ 108| 42| { 109| 42| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 42|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 110| 42| 
return; 111| 42| } 112| 336| } while (--offset > 0 && ++bytes_checked < JSON_MAX_BYTES_TO_CHECK); ------------------ | | 28| 294|#define JSON_MAX_BYTES_TO_CHECK 16 ------------------ | Branch (112:12): [True: 294, False: 0] | Branch (112:28): [True: 285, False: 9] ------------------ 113| | 114| 10| ndpi_int_json_add_connection(ndpi_struct, flow); 115| 10|} init_json_dissector: 118| 7.08k|{ 119| 7.08k| ndpi_register_dissector("JSON", ndpi_struct, 120| 7.08k| ndpi_search_json, 121| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 122| 7.08k| 1, NDPI_PROTOCOL_JSON); 123| 7.08k|} json.c:ndpi_int_json_add_connection: 32| 10|{ 33| 10| NDPI_LOG_INFO(ndpi_struct, "found JSON\n"); ------------------ | | 595| 10|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 34| 10| if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (34:7): [True: 0, False: 10] ------------------ 35| 0| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_JSON, NDPI_CONFIDENCE_DPI); 36| 10| } else { 37| 10| ndpi_set_detected_protocol(ndpi_struct, flow, 38| 10| NDPI_PROTOCOL_JSON, 39| 10| NDPI_PROTOCOL_UNKNOWN, 40| 10| NDPI_CONFIDENCE_DPI); 41| 10| } 42| 10|} init_kafka_dissector: 89| 7.08k|{ 90| 7.08k| ndpi_register_dissector("Kafka", ndpi_struct, 91| 7.08k| ndpi_search_kafka, 92| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 93| 7.08k| 1, NDPI_PROTOCOL_APACHE_KAFKA); 94| 7.08k|} kafka.c:ndpi_search_kafka: 42| 11.6k|{ 43| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | 45| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Apache Kafka\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | 47| | /* All Kafka stuff start with 4 bytes containing the payload length 48| | * minus 4 bytes. 49| | * API keys: https://kafka.apache.org/protocol.html#protocol_api_keys 50| | * API versions: https://cwiki.apache.org/confluence/display/KAFKA/Kafka+APIs 51| | */ 52| 11.6k| if (packet->payload_packet_len < 8 /* min. 
required packet length */ || ------------------ | Branch (52:7): [True: 805, False: 10.8k] ------------------ 53| 11.6k| ntohl(get_u_int32_t(packet->payload, 0)) != (uint32_t)(packet->payload_packet_len - 4)) ------------------ | Branch (53:7): [True: 10.8k, False: 27] ------------------ 54| 11.6k| { 55| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 11.6k| return; 57| 11.6k| } 58| | 59| | /* Request */ 60| 27| if (ntohs(get_u_int16_t(packet->payload, 4)) < 75 && /* API key */ ------------------ | Branch (60:7): [True: 7, False: 20] ------------------ 61| 27| ntohs(get_u_int16_t(packet->payload, 6)) < 16 /* API version */) ------------------ | Branch (61:7): [True: 6, False: 1] ------------------ 62| 6| { 63| 6| if (packet->payload_packet_len < 14) ------------------ | Branch (63:9): [True: 0, False: 6] ------------------ 64| 0| { 65| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 0| return; 67| 0| } 68| | 69| 6| const uint16_t client_id_len = ntohs(get_u_int16_t(packet->payload, 12)); 70| 6| if (client_id_len + 12 + 2 > packet->payload_packet_len) ------------------ | Branch (70:9): [True: 1, False: 5] ------------------ 71| 1| { 72| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 1| return; 74| 1| } 75| 5| if (ndpi_is_printable_buffer(&packet->payload[14], client_id_len) == 0) ------------------ | Branch (75:9): [True: 2, False: 3] ------------------ 76| 2| { 77| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | 
| 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 78| 2| return; 79| 2| } 80| | 81| 3| ndpi_int_kafka_add_connection(ndpi_struct, flow); 82| 3| return; 83| 5| } 84| | 85| 21| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 21|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 86| 21|} kafka.c:ndpi_int_kafka_add_connection: 34| 3|{ 35| 3| NDPI_LOG_INFO(ndpi_struct, "found Apache Kafka\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 36| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_APACHE_KAFKA, 37| 3| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 38| 3|} init_kakaotalk_voice_dissector: 69| 7.08k|{ 70| 7.08k| ndpi_register_dissector("KakaoTalk_Voice", ndpi_struct, 71| 7.08k| ndpi_search_kakaotalk_voice, 72| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 73| 7.08k| 1, NDPI_PROTOCOL_KAKAOTALK_VOICE); 74| 7.08k|} kakaotalk_voice.c:ndpi_search_kakaotalk_voice: 35| 3.42k|static void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 36| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 37| | 38| 3.42k| NDPI_LOG_DBG(ndpi_struct, "search kakaotalk_voice\n"); ------------------ | | 596| 3.42k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 3.42k| if(packet->iph ------------------ | Branch (40:6): [True: 3.14k, False: 284] ------------------ 41| 3.14k| && packet->udp ------------------ | Branch (41:9): [True: 3.14k, False: 0] ------------------ 42| 3.14k| && (packet->payload_packet_len >= 4) ------------------ | Branch (42:9): [True: 3.02k, False: 114] ------------------ 43| 3.42k| ) { 44| 3.02k| if((packet->payload[0] == 0x81) ------------------ | Branch (44:8): [True: 14, False: 3.01k] ------------------ 45| 3.01k| || (packet->payload[1] == 0xC8) ------------------ | Branch (45:11): [True: 88, False: 2.92k] ------------------ 46| 2.92k| || (packet->payload[2] == 0x00) ------------------ | Branch (46:11): [True: 1.09k, False: 1.82k] ------------------ 47| 1.82k| || (packet->payload[3] == 0x0C)) { ------------------ | Branch (47:11): [True: 1, False: 1.82k] ------------------ 48| | /* Looks good so far */ 49| | 50| | /* 51| | inetnum: 1.201.0.0 - 1.201.255.255 52| | netname: KINXINC-KR 53| | */ 54| | 55| 1.20k| if(((ntohl(packet->iph->saddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */) ------------------ | Branch (55:10): [True: 0, False: 1.20k] ------------------ 56| 1.20k| || ((ntohl(packet->iph->daddr) & 0xFFFF0000 /* 255.255.0.0 */) == 
0x01C90000 /* 1.201.0.0/16 */)) { ------------------ | Branch (56:6): [True: 0, False: 1.20k] ------------------ 57| 0| NDPI_LOG_INFO(ndpi_struct, "found kakaotalk_voice\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 58| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KAKAOTALK_VOICE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 59| 0| return; 60| 0| } 61| 1.20k| } 62| 3.02k| } 63| | 64| 3.42k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.42k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 3.42k|} init_kcp_dissector: 96| 7.08k|{ 97| 7.08k| ndpi_register_dissector("KCP", ndpi_struct, 98| 7.08k| ndpi_search_kcp, 99| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 100| 7.08k| 1, NDPI_PROTOCOL_KCP); 101| 7.08k|} kcp.c:ndpi_search_kcp: 61| 14.9k|{ 62| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 63| 14.9k| struct kcp_header const * const kcp_header = (struct kcp_header *)packet->payload; 64| | 65| 14.9k| NDPI_LOG_INFO(ndpi_struct, "search kcp\n"); ------------------ | | 595| 14.9k|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 66| | 67| 14.9k| if (packet->payload_packet_len < sizeof(*kcp_header)) ------------------ | Branch (67:7): [True: 5.16k, False: 9.83k] ------------------ 68| 5.16k| { 69| 5.16k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.16k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 5.16k| return; 71| 5.16k| } 72| | 73| 9.83k| switch (kcp_header->command) 74| 9.83k| { 75| 14| case IKCP_CMD_PUSH: ------------------ | Branch (75:5): [True: 14, False: 9.82k] ------------------ 76| 177| case IKCP_CMD_ACK: ------------------ | Branch (76:5): [True: 163, False: 9.67k] ------------------ 77| 274| case IKCP_CMD_WASK: ------------------ | Branch (77:5): [True: 97, False: 9.73k] ------------------ 78| 592| case IKCP_CMD_WINS: ------------------ | Branch (78:5): [True: 318, False: 9.51k] ------------------ 79| 592| break; 80| 9.24k| default: ------------------ | Branch (80:5): [True: 9.24k, False: 592] ------------------ 81| 9.24k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 9.24k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 82| 9.24k| return; 83| 9.83k| } 84| | 85| 592| uint32_t const kcp_pdu_length = le32toh(kcp_header->length); 86| 592| if (kcp_pdu_length + sizeof(*kcp_header) != packet->payload_packet_len) ------------------ | Branch (86:7): [True: 591, False: 1] ------------------ 87| 591| { 88| 591| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 591|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 89| 591| return; 90| 591| } 91| | 92| 1| ndpi_int_kcp_add_connection(ndpi_struct, flow); 93| 1|} kcp.c:ndpi_int_kcp_add_connection: 51| 1|{ 52| 1| 
NDPI_LOG_INFO(ndpi_struct, "found kcp\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 53| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 54| 1| NDPI_PROTOCOL_KCP, 55| 1| NDPI_PROTOCOL_UNKNOWN, 56| 1| NDPI_CONFIDENCE_DPI); 57| 1|} init_kerberos_dissector: 700| 7.08k|void init_kerberos_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 701| 7.08k| ndpi_register_dissector("Kerberos", ndpi_struct, 702| 7.08k| ndpi_search_kerberos, 703| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 704| 7.08k| 1, NDPI_PROTOCOL_KERBEROS); 705| 7.08k|} kerberos.c:ndpi_search_kerberos: 309| 18.0k| struct ndpi_flow_struct *flow) { 310| 18.0k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 311| 18.0k| u_int16_t sport = packet->tcp ? ntohs(packet->tcp->source) : ntohs(packet->udp->source); ------------------ | Branch (311:21): [True: 13.4k, False: 4.57k] ------------------ 312| 18.0k| u_int16_t dport = packet->tcp ? ntohs(packet->tcp->dest) : ntohs(packet->udp->dest); ------------------ | Branch (312:21): [True: 13.4k, False: 4.57k] ------------------ 313| 18.0k| const u_int8_t *original_packet_payload = NULL; 314| 18.0k| u_int16_t original_payload_packet_len = 0; 315| | 316| 18.0k| if((sport != KERBEROS_PORT) && (dport != KERBEROS_PORT)) { ------------------ | | 34| 18.0k|#define KERBEROS_PORT 88 ------------------ if((sport != KERBEROS_PORT) && (dport != KERBEROS_PORT)) { ------------------ | | 34| 17.9k|#define KERBEROS_PORT 88 ------------------ | Branch (316:6): [True: 17.9k, False: 43] | Branch (316:34): [True: 17.9k, False: 10] ------------------ 317| 17.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 318| 17.9k| return; 319| 17.9k| } 320| | 321| 53| NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n"); ------------------ | | 596| 53|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 322| | 323| |#ifdef KERBEROS_DEBUG 324| | printf("\n[Kerberos] Process packet [len: %u]\n", packet->payload_packet_len); 325| |#endif 326| | 327| 53| if(flow->kerberos_buf.pktbuf != NULL) { ------------------ | Branch (327:6): [True: 0, False: 53] ------------------ 328| 0| u_int missing = flow->kerberos_buf.pktbuf_maxlen - flow->kerberos_buf.pktbuf_currlen; 329| | 330| 0| if(packet->payload_packet_len <= missing) { ------------------ | Branch (330:8): [True: 0, False: 0] ------------------ 331| 0| memcpy(&flow->kerberos_buf.pktbuf[flow->kerberos_buf.pktbuf_currlen], packet->payload, packet->payload_packet_len); 332| 0| flow->kerberos_buf.pktbuf_currlen += packet->payload_packet_len; 333| | 334| 0| if(flow->kerberos_buf.pktbuf_currlen == flow->kerberos_buf.pktbuf_maxlen) { ------------------ | Branch (334:10): [True: 0, False: 0] ------------------ 335| 0| original_packet_payload = packet->payload; 336| 0| original_payload_packet_len = packet->payload_packet_len; 337| 0| packet->payload = (u_int8_t *)flow->kerberos_buf.pktbuf; 338| 0| packet->payload_packet_len = flow->kerberos_buf.pktbuf_currlen; 339| |#ifdef KERBEROS_DEBUG 340| | printf("[Kerberos] Packet is now full: processing\n"); 341| |#endif 342| 0| } else { 343| |#ifdef KERBEROS_DEBUG 344| | printf("[Kerberos] Missing %u bytes: skipping\n", 345| | flow->kerberos_buf.pktbuf_maxlen - flow->kerberos_buf.pktbuf_currlen); 346| |#endif 347| | 348| 0| return; 349| 0| } 350| 0| } 351| 0| } 352| | 353| | /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */ 354| 53| if(packet->payload_packet_len >= 4) { ------------------ | Branch (354:6): [True: 52, False: 1] ------------------ 355| 52| u_int32_t kerberos_len, expected_len; 356| 52| u_int16_t base_offset = 0; 357| | 358| 52| if(packet->tcp) { ------------------ | Branch (358:8): [True: 2, False: 50] ------------------ 359| 2| kerberos_len = 
ntohl(get_u_int32_t(packet->payload, 0)), 360| 2| expected_len = packet->payload_packet_len - 4; 361| 2| base_offset = 4; 362| 2| } else 363| 50| base_offset = 0, kerberos_len = expected_len = packet->payload_packet_len; 364| | 365| |#ifdef KERBEROS_DEBUG 366| | printf("[Kerberos] [Kerberos len: %u][expected_len: %u]\n", kerberos_len, expected_len); 367| |#endif 368| | 369| 52| if(kerberos_len < 12000) { ------------------ | Branch (369:8): [True: 51, False: 1] ------------------ 370| | /* 371| | Kerberos packets might be too long for a TCP packet 372| | so it could be split across two packets. Instead of 373| | rebuilding the stream we use a heuristic approach 374| | */ 375| 51| if(kerberos_len > expected_len) { ------------------ | Branch (375:10): [True: 1, False: 50] ------------------ 376| 1| if(packet->tcp) { ------------------ | Branch (376:5): [True: 1, False: 0] ------------------ 377| 1| if(flow->kerberos_buf.pktbuf == NULL) { ------------------ | Branch (377:7): [True: 1, False: 0] ------------------ 378| 1| flow->kerberos_buf.pktbuf = (char*)ndpi_malloc(kerberos_len+4); 379| | 380| 1| if(flow->kerberos_buf.pktbuf != NULL) { ------------------ | Branch (380:9): [True: 1, False: 0] ------------------ 381| 1| flow->kerberos_buf.pktbuf_maxlen = kerberos_len+4; 382| |#ifdef KERBEROS_DEBUG 383| | printf("[Kerberos] Allocated %u bytes\n", flow->kerberos_buf.pktbuf_maxlen); 384| |#endif 385| 1| } 386| 1| } 387| | 388| 1| if(flow->kerberos_buf.pktbuf != NULL) { ------------------ | Branch (388:7): [True: 1, False: 0] ------------------ 389| 1| if(packet->payload_packet_len <= flow->kerberos_buf.pktbuf_maxlen) { ------------------ | Branch (389:9): [True: 1, False: 0] ------------------ 390| 1| memcpy(flow->kerberos_buf.pktbuf, packet->payload, packet->payload_packet_len); 391| 1| flow->kerberos_buf.pktbuf_currlen = packet->payload_packet_len; 392| 1| } 393| 1| } 394| 1| } 395| | 396| 1| return; 397| 50| } else if(kerberos_len == expected_len) { 
------------------ | Branch (397:17): [True: 50, False: 0] ------------------ 398| 50| if(packet->payload_packet_len > 64) { ------------------ | Branch (398:5): [True: 49, False: 1] ------------------ 399| 49| u_int16_t koffset, i; 400| | 401| 441| for(i=8; i<16; i++) ------------------ | Branch (401:13): [True: 392, False: 49] ------------------ 402| 392| if((packet->payload[base_offset+i] == 0x03) ------------------ | Branch (402:9): [True: 15, False: 377] ------------------ 403| 15| && (packet->payload[base_offset+i+1] == 0x02) ------------------ | Branch (403:12): [True: 1, False: 14] ------------------ 404| 1| && (packet->payload[base_offset+i+2] == 0x01) ------------------ | Branch (404:12): [True: 0, False: 1] ------------------ 405| 0| && (packet->payload[base_offset+i+3] != 0x05) ------------------ | Branch (405:12): [True: 0, False: 0] ------------------ 406| 392| ) 407| 0| break; 408| | 409| 49| koffset = base_offset + i + 3; 410| | 411| |#ifdef KERBEROS_DEBUG 412| | printf("[Kerberos] [msg-type: 0x%02X/%u][koffset: %u]\n", 413| | packet->payload[koffset], packet->payload[koffset], koffset); 414| |#endif 415| | 416| 49| if(((packet->payload[koffset] == 0x0A) ------------------ | Branch (416:8): [True: 27, False: 22] ------------------ 417| 22| || (packet->payload[koffset] == 0x0C) ------------------ | Branch (417:11): [True: 10, False: 12] ------------------ 418| 12| || (packet->payload[koffset] == 0x1E) ------------------ | Branch (418:11): [True: 1, False: 11] ------------------ 419| 11| || (packet->payload[koffset] == 0x0D) ------------------ | Branch (419:11): [True: 2, False: 9] ------------------ 420| 41| || (packet->payload[koffset] == 0x0E))) { ------------------ | Branch (420:11): [True: 1, False: 8] ------------------ 421| 41| u_int32_t koffsetp, body_offset = 0, pad_len; 422| 41| u_int8_t msg_type = packet->payload[koffset]; 423| | 424| |#ifdef KERBEROS_DEBUG 425| | printf("[Kerberos] Packet found 0x%02X/%u\n", msg_type, msg_type); 426| 
|#endif 427| | 428| 41| ndpi_int_kerberos_add_connection(ndpi_struct, flow); 429| | 430| 41| if(msg_type != 0x0d) /* TGS-REP */ { ------------------ | Branch (430:9): [True: 39, False: 2] ------------------ 431| | /* Process only on requests */ 432| 39| if(packet->payload[koffset+1] == 0xA3) { ------------------ | Branch (432:11): [True: 3, False: 36] ------------------ 433| 3| if(packet->payload[koffset+3] == 0x30) ------------------ | Branch (433:6): [True: 0, False: 3] ------------------ 434| 0| pad_len = packet->payload[koffset+4]; 435| 3| else { 436| | /* Long pad */ 437| 3| pad_len = packet->payload[koffset+2]; 438| 18| for(i=3; i<10; i++) if(packet->payload[koffset+i] == pad_len) break; ------------------ | Branch (438:14): [True: 16, False: 2] | Branch (438:28): [True: 1, False: 15] ------------------ 439| | 440| 3| pad_len = (packet->payload[koffset+i+1] << 8) + packet->payload[koffset+i+2]; 441| 3| koffset += i-2; 442| 3| } 443| 3| } else 444| 36| pad_len = 0; 445| | 446| |#ifdef KERBEROS_DEBUG 447| | printf("pad_len=0x%02X/%u\n", pad_len, pad_len); 448| |#endif 449| | 450| 39| if(pad_len > 0) { ------------------ | Branch (450:11): [True: 3, False: 36] ------------------ 451| 3| koffsetp = koffset + 2; 452| 15| for(i=0; i<4; i++) if(packet->payload[koffsetp] != 0x30) koffsetp++; /* ASN.1 */ ------------------ | Branch (452:12): [True: 12, False: 3] | Branch (452:25): [True: 5, False: 7] ------------------ 453| |#ifdef KERBEROS_DEBUG 454| | printf("koffsetp=%u [%02X %02X] [byte 0 must be 0x30]\n", koffsetp, packet->payload[koffsetp], packet->payload[koffsetp+1]); 455| |#endif 456| 3| } else 457| 36| koffsetp = koffset; 458| | 459| 39| body_offset = koffsetp + 1 + pad_len; 460| | 461| 429| for(i=0; i<10; i++) if(body_offset<packet->payload_packet_len && packet->payload[body_offset] != 0x05) body_offset++; /* ASN.1 */ ------------------ | Branch (461:17): [True: 390, False: 39] | Branch (461:31): [True: 360, False: 30] | Branch (461:73): [True: 292, False: 68]
------------------ 462| |#ifdef KERBEROS_DEBUG 463| | printf("body_offset=%u [%02X %02X] [byte 0 must be 0x05]\n", body_offset, packet->payload[body_offset], packet->payload[body_offset+1]); 464| |#endif 465| 39| } 466| | 467| 41| if(msg_type == 0x0A) /* AS-REQ */ { ------------------ | Branch (467:9): [True: 27, False: 14] ------------------ 468| |#ifdef KERBEROS_DEBUG 469| | printf("[Kerberos] Processing AS-REQ\n"); 470| |#endif 471| | 472| | 473| 27| if(body_offset < packet->payload_packet_len) { ------------------ | Branch (473:11): [True: 27, False: 0] ------------------ 474| 27| u_int16_t name_offset = body_offset + 13; 475| | 476| 567| for(i=0; (i<20) && (name_offset < packet->payload_packet_len); i++) { ------------------ | Branch (476:12): [True: 540, False: 27] | Branch (476:22): [True: 540, False: 0] ------------------ 477| 540| if(packet->payload[name_offset] != 0x1b) ------------------ | Branch (477:8): [True: 490, False: 50] ------------------ 478| 490| name_offset++; /* ASN.1 */ 479| 540| } 480| | 481| |#ifdef KERBEROS_DEBUG 482| | printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); 483| |#endif 484| | 485| 27| if(name_offset < packet->payload_packet_len - 1) { ------------------ | Branch (485:6): [True: 27, False: 0] ------------------ 486| 27| u_int cname_len = 0; 487| | 488| 27| name_offset += 1; 489| 27| if(name_offset < packet->payload_packet_len - 1 && ------------------ | Branch (489:8): [True: 27, False: 0] ------------------ 490| 27| ndpi_isprint(packet->payload[name_offset+1]) == 0) /* Isn't printable ? 
*/ ------------------ | | 2529| 27|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 17, False: 10] | | | Branch (2529:43): [True: 15, False: 2] | | ------------------ ------------------ | Branch (490:8): [True: 12, False: 15] ------------------ 491| 12| { 492| 12| name_offset++; 493| 12| } 494| | 495| 27| if(name_offset < packet->payload_packet_len - 3 && ------------------ | Branch (495:8): [True: 27, False: 0] ------------------ 496| 27| packet->payload[name_offset+1] == 0x1b) ------------------ | Branch (496:8): [True: 1, False: 26] ------------------ 497| 1| { 498| 1| name_offset += 2; 499| 1| } 500| | 501| 27| cname_len = packet->payload[name_offset]; 502| | 503| 27| if((cname_len+name_offset) < packet->payload_packet_len) { ------------------ | Branch (503:8): [True: 23, False: 4] ------------------ 504| 23| u_int realm_len, realm_offset; 505| 23| char cname_str[48]; 506| 23| u_int8_t num_cname = 0; 507| | 508| 23| cname_str[0] = '\0'; // required, because cname_len 509| | 510| 23| while(++num_cname <= 2) { ------------------ | Branch (510:13): [True: 23, False: 0] ------------------ 511| 23| if (name_offset + cname_len + 1 >= packet->payload_packet_len) ------------------ | Branch (511:13): [True: 1, False: 22] ------------------ 512| 1| cname_len = 0; 513| 23| krb_strncpy_lower(cname_str, sizeof(cname_str), (char*)&packet->payload[name_offset+1], cname_len); 514| | 515| |#ifdef KERBEROS_DEBUG 516| | printf("[AS-REQ][s/dport: %u/%u][Kerberos Cname][len: %u][%s]\n", sport, dport, cname_len, cname_str); 517| |#endif 518| | 519| 23| if(((strcmp(cname_str, "host") == 0) || (strcmp(cname_str, "ldap") == 0)) && (packet->payload[name_offset+1+cname_len] == 0x1b) && num_cname == 1) { ------------------ | Branch (519:13): [True: 0, False: 23] | Branch (519:49): [True: 0, False: 23] | Branch (519:86): [True: 0, False: 0] | Branch (519:140): [True: 0, False: 0] ------------------ 520| 0| name_offset += 
cname_len + 2; 521| 0| if (name_offset < packet->payload_packet_len) ------------------ | Branch (521:15): [True: 0, False: 0] ------------------ 522| 0| cname_len = packet->payload[name_offset]; 523| 23| } else{ 524| 23| break; 525| 23| } 526| 23| } 527| | 528| 23| realm_offset = cname_len + name_offset + 3; 529| | 530| | /* if cname does not end with a $ then it's a username */ 531| 23| if(cname_len > 0 && name_offset + cname_len + 1 < packet->payload_packet_len ------------------ | Branch (531:10): [True: 19, False: 4] | Branch (531:27): [True: 19, False: 0] ------------------ 532| 19| && (cname_len < sizeof(cname_str)) ------------------ | Branch (532:13): [True: 18, False: 1] ------------------ 533| 18| && (cname_str[cname_len-1] == '$')) { ------------------ | Branch (533:13): [True: 1, False: 17] ------------------ 534| 1| cname_str[cname_len-1] = '\0'; 535| 1| ndpi_snprintf(flow->protos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname), "%s", cname_str); 536| 1| } else 537| 22| ndpi_snprintf(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), "%s", cname_str); 538| | 539| 276| for(i=0; (i < 14) && (realm_offset < packet->payload_packet_len); i++) { ------------------ | Branch (539:16): [True: 263, False: 13] | Branch (539:28): [True: 253, False: 10] ------------------ 540| 253| if(packet->payload[realm_offset] != 0x1b) ------------------ | Branch (540:12): [True: 248, False: 5] ------------------ 541| 248| realm_offset++; /* ASN.1 */ 542| 253| } 543| | 544| |#ifdef KERBEROS_DEBUG 545| | printf("realm_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", realm_offset, 546| | packet->payload[realm_offset], packet->payload[realm_offset+1]); 547| |#endif 548| | 549| 23| realm_offset += 1; 550| | //if(num_cname == 2) realm_offset++; 551| 23| if(realm_offset < packet->payload_packet_len) { ------------------ | Branch (551:10): [True: 12, False: 11] ------------------ 552| 12| realm_len = packet->payload[realm_offset]; 553| | 554| 12| 
if((realm_offset+realm_len) < packet->payload_packet_len) { ------------------ | Branch (554:12): [True: 7, False: 5] ------------------ 555| 7| char realm_str[48]; 556| | 557| 7| realm_offset += 1; 558| 7| krb_strncpy_lower(realm_str, sizeof(realm_str), (char*)&packet->payload[realm_offset], realm_len); 559| | 560| |#ifdef KERBEROS_DEBUG 561| | printf("[AS-REQ][Kerberos Realm][len: %u][%s]\n", realm_len, realm_str); 562| |#endif 563| 7| ndpi_snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str); 564| 7| } 565| 12| } 566| 23| } 567| 27| } 568| 27| } 569| |#ifdef KERBEROS_DEBUG 570| | printf("[Kerberos] Setting extra func from AS-REQ\n"); 571| |#endif 572| 27| flow->max_extra_packets_to_check = 5; /* Reply may be split into multiple segments */ 573| 27| flow->extra_packets_func = ndpi_search_kerberos_extra; 574| 27| } else if(msg_type == 0x0e) /* AS-REQ */ { ------------------ | Branch (574:16): [True: 1, False: 13] ------------------ 575| |#ifdef KERBEROS_DEBUG 576| | printf("[Kerberos] Processing AS-REQ\n"); 577| |#endif 578| | /* Nothing specific to do; stop dissecting this flow */ 579| 1| flow->extra_packets_func = NULL; 580| | 581| 13| } else if(msg_type == 0x0c) /* TGS-REQ */ { ------------------ | Branch (581:16): [True: 10, False: 3] ------------------ 582| |#ifdef KERBEROS_DEBUG 583| | printf("[Kerberos] Processing TGS-REQ\n"); 584| |#endif 585| | 586| 10| if(body_offset < packet->payload_packet_len) { ------------------ | Branch (586:11): [True: 7, False: 3] ------------------ 587| 7| u_int16_t name_offset, padding_offset = body_offset + 4; 588| | 589| 7| name_offset = padding_offset; 590| 105| for(i=0; i<14 && name_offset < packet->payload_packet_len; i++) if(packet->payload[name_offset] != 0x1b) name_offset++; /* ASN.1 */ ------------------ | Branch (590:12): [True: 98, False: 7] | Branch (590:20): [True: 98, False: 0] | Branch (590:70): [True: 96, False: 2] ------------------ 591| | 592| |#ifdef KERBEROS_DEBUG 
593| | printf("name_offset=%u [%02X %02X] [byte 0 must be 0x1b]\n", name_offset, packet->payload[name_offset], packet->payload[name_offset+1]); 594| |#endif 595| | 596| 7| if(name_offset < (packet->payload_packet_len - 1)) { ------------------ | Branch (596:6): [True: 7, False: 0] ------------------ 597| 7| u_int realm_len; 598| | 599| 7| name_offset++; 600| 7| realm_len = packet->payload[name_offset]; 601| | 602| 7| if((realm_len+name_offset) < packet->payload_packet_len) { ------------------ | Branch (602:8): [True: 5, False: 2] ------------------ 603| 5| char realm_str[48]; 604| | 605| 5| name_offset += 1; 606| 5| krb_strncpy_lower(realm_str, sizeof(realm_str), (char*)&packet->payload[name_offset], realm_len); 607| | 608| |#ifdef KERBEROS_DEBUG 609| | printf("[TGS-REQ][s/dport: %u/%u][Kerberos Realm][len: %u][%s]\n", sport, dport, realm_len, realm_str); 610| |#endif 611| 5| ndpi_snprintf(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), "%s", realm_str); 612| | 613| | /* If necessary we can decode sname */ 614| 5| if(flow->kerberos_buf.pktbuf) { ------------------ | Branch (614:10): [True: 0, False: 5] ------------------ 615| 0| ndpi_free(flow->kerberos_buf.pktbuf); 616| 0| packet->payload = original_packet_payload; 617| 0| packet->payload_packet_len = original_payload_packet_len; 618| 0| } 619| 5| flow->kerberos_buf.pktbuf = NULL; 620| 5| } 621| 7| } 622| 7| } 623| |#ifdef KERBEROS_DEBUG 624| | printf("[Kerberos] Setting extra func from TGS-REQ\n"); 625| |#endif 626| 10| if(!packet->udp) { ------------------ | Branch (626:11): [True: 0, False: 10] ------------------ 627| 0| flow->max_extra_packets_to_check = 5; /* Reply may be split into multiple segments */ 628| 0| flow->extra_packets_func = ndpi_search_kerberos_extra; 629| 0| } 630| | 631| 10| if(flow->kerberos_buf.pktbuf != NULL) { ------------------ | Branch (631:11): [True: 0, False: 10] ------------------ 632| 0| ndpi_free(flow->kerberos_buf.pktbuf); 633| 0| packet->payload = 
original_packet_payload; 634| 0| packet->payload_packet_len = original_payload_packet_len; 635| 0| flow->kerberos_buf.pktbuf = NULL; 636| 0| } 637| | 638| 10| return; 639| 10| } else if(msg_type == 0x0d) /* TGS-REP */ { ------------------ | Branch (639:16): [True: 2, False: 1] ------------------ 640| 2| NDPI_LOG_DBG(ndpi_struct, "[Kerberos] Processing TGS-REP\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 641| | 642| 2| if (krb_parse(ndpi_struct, flow, 8) != 0) ------------------ | Branch (642:12): [True: 2, False: 0] ------------------ 643| 2| { 644| 2| NDPI_LOG_DBG(ndpi_struct, "[TGS-REP] Invalid packet received\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 645| 2| return; 646| 2| } 647| 0| NDPI_LOG_DBG(ndpi_struct, ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 648| 0| "[TGS-REP][s/dport: %u/%u][Kerberos Hostname,Domain,Username][%s,%s,%s]\n", 649| 0| sport, dport, flow->protos.kerberos.hostname, flow->protos.kerberos.domain, 650| 0| flow->protos.kerberos.username); 651| 0| flow->extra_packets_func = NULL; 652| 1| } else if(msg_type == 0x1e) /* Error */ { ------------------ | Branch (652:16): [True: 1, False: 0] ------------------ 653| |#ifdef KERBEROS_DEBUG 654| | printf("[Kerberos] Processing KRB-Error\n"); 655| |#endif 656| | /* Nothing specific to do; stop dissecting this flow */ 657| 1| flow->extra_packets_func = NULL; 658| 1| } 659| | 660| 29| return; 661| 41| } 662| 49| } 663| 50| } 664| 51| } else { 665| |#ifdef KERBEROS_DEBUG 666| | printf("[Kerberos][s/dport: %u/%u] Skipping packet: too long [kerberos_len: %u]\n", 667| | sport, dport, kerberos_len); 668| |#endif 669| | 670| 1| if(flow->protos.kerberos.domain[0] != '\0') ------------------ | Branch (670:10): [True: 0, False: 1] ------------------ 671| 0| return; 672| 1| } 673| 
52| } 674| | 675| 11| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 676| 11|} kerberos.c:ndpi_int_kerberos_add_connection: 301| 41| struct ndpi_flow_struct *flow) { 302| 41| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 303| 41| NDPI_LOG_INFO(ndpi_struct, "found KERBEROS\n"); ------------------ | | 595| 41|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 304| 41|} kerberos.c:krb_strncpy_lower: 176| 35|{ 177| 35| int i, dst_len = (int)ndpi_min(src_siz, dst_siz - 1); ------------------ | | 113| 35|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 33, False: 2] | | ------------------ ------------------ 178| | 179| 35| dst[dst_len] = '\0'; 180| | 181| 638| for(i = 0; i < dst_len; ++i) ------------------ | Branch (181:15): [True: 603, False: 35] ------------------ 182| 603| { 183| 603| if (ndpi_isprint(src[i]) == 0) ------------------ | | 2529| 603|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 273, False: 330] | | | Branch (2529:43): [True: 273, False: 0] | | ------------------ ------------------ | Branch (183:10): [True: 330, False: 273] ------------------ 184| 330| { 185| 330| dst[i] = '?'; 186| 330| } else { 187| | dst[i] = tolower(src[i]); ------------------ | Branch (187:17): [True: 0, False: 0] | Branch (187:17): [True: 0, False: 0] | Branch (187:17): [Folded, False: 273] ------------------ 188| 273| } 189| 603| } 190| 35|} kerberos.c:krb_parse: 196| 2|{ 197| 2| size_t kasn1_offset = payload_offset; 198| 2| int length, krb_version, msg_type; 199| 2| char const * text; 200| | 201| 2| length = krb_decode_asn1_sequence_type(ndpi_struct, &kasn1_offset); 202| 2| if (length < 0) 
------------------ | Branch (202:7): [True: 1, False: 1] ------------------ 203| 1| { 204| 1| return -1; 205| 1| } 206| | 207| 1| length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset); 208| 1| if (length < 0) ------------------ | Branch (208:7): [True: 1, False: 0] ------------------ 209| 1| { 210| 1| return -1; 211| 1| } 212| | 213| 0| length = krb_decode_asn1_int_type(ndpi_struct, &kasn1_offset, &krb_version); /* pvno */ 214| 0| if (length != 1 || krb_version != 5) ------------------ | Branch (214:7): [True: 0, False: 0] | Branch (214:22): [True: 0, False: 0] ------------------ 215| 0| { 216| 0| return -1; 217| 0| } 218| | 219| 0| length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset); 220| 0| if (length < 0) ------------------ | Branch (220:7): [True: 0, False: 0] ------------------ 221| 0| { 222| 0| return -1; 223| 0| } 224| | 225| 0| length = krb_decode_asn1_int_type(ndpi_struct, &kasn1_offset, &msg_type); /* msg-type */ 226| 0| if (length != 1 || msg_type != 0x0d /* TGS-REP */) ------------------ | Branch (226:7): [True: 0, False: 0] | Branch (226:22): [True: 0, False: 0] ------------------ 227| 0| { 228| 0| return -1; 229| 0| } 230| | 231| 0| krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset); 232| | 233| 0| length = krb_decode_asn1_sequence_type(ndpi_struct, &kasn1_offset); /* Optional PADATA */ 234| 0| if (length > 0) ------------------ | Branch (234:7): [True: 0, False: 0] ------------------ 235| 0| { 236| 0| kasn1_offset += length; 237| 0| } 238| | 239| 0| length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, &text); 240| 0| if (length < 3) ------------------ | Branch (240:7): [True: 0, False: 0] ------------------ 241| 0| { 242| 0| return -1; 243| 0| } 244| | 245| 0| kasn1_offset += length; 246| 0| text += 2; 247| 0| length -= 2; 248| 0| if (flow->protos.kerberos.domain[0] == '\0') ------------------ | Branch (248:7): [True: 0, False: 0] ------------------ 249| 0| { 250| 0| 
krb_strncpy_lower(flow->protos.kerberos.domain, sizeof(flow->protos.kerberos.domain), 251| 0| text, length); 252| 0| } 253| | 254| 0| length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, NULL); 255| 0| if (length < 0) ------------------ | Branch (255:7): [True: 0, False: 0] ------------------ 256| 0| { 257| 0| return -1; 258| 0| } 259| | 260| 0| length = krb_decode_asn1_sequence_type(ndpi_struct, &kasn1_offset); 261| 0| if (length < 0) ------------------ | Branch (261:7): [True: 0, False: 0] ------------------ 262| 0| { 263| 0| return -1; 264| 0| } 265| | 266| 0| length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset); 267| 0| if (length < 0) ------------------ | Branch (267:7): [True: 0, False: 0] ------------------ 268| 0| { 269| 0| return -1; 270| 0| } 271| 0| kasn1_offset += length; 272| | 273| 0| length = krb_decode_asn1_blocks_skip(ndpi_struct, &kasn1_offset); 274| 0| if (length < 0) ------------------ | Branch (274:7): [True: 0, False: 0] ------------------ 275| 0| { 276| 0| return -1; 277| 0| } 278| | 279| 0| length = krb_decode_asn1_string_type(ndpi_struct, &kasn1_offset, &text); 280| 0| if (length < 3) ------------------ | Branch (280:7): [True: 0, False: 0] ------------------ 281| 0| { 282| 0| return -1; 283| 0| } 284| | 285| 0| kasn1_offset += length; 286| 0| text += 2; 287| 0| length -= 2; 288| 0| if (flow->protos.kerberos.hostname[0] == '\0' && text[length - 1] != '$') ------------------ | Branch (288:7): [True: 0, False: 0] | Branch (288:52): [True: 0, False: 0] ------------------ 289| 0| { 290| 0| krb_strncpy_lower(flow->protos.kerberos.hostname, sizeof(flow->protos.kerberos.hostname), 291| 0| text, length); 292| 0| } else if (flow->protos.kerberos.username[0] == '\0') { ------------------ | Branch (292:14): [True: 0, False: 0] ------------------ 293| 0| krb_strncpy_lower(flow->protos.kerberos.username, sizeof(flow->protos.kerberos.username), 294| 0| text, length - 1); 295| 0| } 296| | 297| 0| return 0; 298| 0|} 
kerberos.c:krb_decode_asn1_sequence_type: 66| 2|{ 67| 2| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 68| | 69| 2| if (packet->payload_packet_len <= *kasn1_offset + 1 /* length octet */ || ------------------ | Branch (69:7): [True: 0, False: 2] ------------------ 70| 2| packet->payload[*kasn1_offset] != 0x30 /* Universal Constructed Tag Type: Sequence */) ------------------ | Branch (70:7): [True: 1, False: 1] ------------------ 71| 1| { 72| 1| return -1; 73| 1| } 74| | 75| 1| (*kasn1_offset)++; 76| | 77| 1| return krb_decode_asn1_length(ndpi_struct, kasn1_offset); 78| 2|} kerberos.c:krb_decode_asn1_length: 43| 1|{ 44| 1| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 45| 1| int64_t length; 46| 1| u_int16_t value_len; 47| | 48| 1| length = asn1_ber_decode_length(&packet->payload[*kasn1_offset], 49| 1| packet->payload_packet_len - *kasn1_offset, 50| 1| &value_len); 51| | 52| 1| if (length == -1 || ------------------ | Branch (52:7): [True: 0, False: 1] ------------------ 53| 1| packet->payload_packet_len < *kasn1_offset + value_len + length) ------------------ | Branch (53:7): [True: 0, False: 1] ------------------ 54| 0| { 55| 0| return -1; 56| 0| } 57| | 58| 1| *kasn1_offset += value_len; 59| | 60| 1| return (int)length; 61| 1|} kerberos.c:krb_decode_asn1_blocks_skip: 151| 1|{ 152| 1| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 153| 1| int length; 154| | 155| 1| if (packet->payload_packet_len <= *kasn1_offset + 1 /* length octet */ || ------------------ | Branch (155:7): [True: 0, False: 1] ------------------ 156| 1| (packet->payload[*kasn1_offset] != 0xA0 /* Constructed Context-specific NULL */ && ------------------ | Branch (156:8): [True: 1, False: 0] ------------------ 157| 1| packet->payload[*kasn1_offset] != 0xA1 /* Constructed Context-specific BOOLEAN */ && ------------------ | Branch (157:8): [True: 1, False: 0] ------------------ 158| 1| packet->payload[*kasn1_offset] != 0xA2 /* Constructed 
Context-specific INTEGER */)) ------------------ | Branch (158:8): [True: 1, False: 0] ------------------ 159| 1| { 160| 1| return -1; 161| 1| } 162| | 163| 0| (*kasn1_offset)++; 164| | 165| 0| length = krb_decode_asn1_length(ndpi_struct, kasn1_offset); 166| 0| if (length < 0) ------------------ | Branch (166:7): [True: 0, False: 0] ------------------ 167| 0| { 168| 0| return -1; 169| 0| } 170| | 171| 0| return length; 172| 0|} init_kismet_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("kismet", ndpi_struct, 64| 7.08k| ndpi_search_kismet, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_KISMET); 67| 7.08k|} kismet.c:ndpi_search_kismet: 41| 11.7k|{ 42| 11.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search kismet\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 11.7k| if (packet->payload_packet_len < NDPI_STATICSTRING_LEN("*KISMET: ")) ------------------ | | 98| 11.7k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (46:7): [True: 872, False: 10.8k] ------------------ 47| 872| { 48| 872| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 872|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 872| return; 50| 872| } 51| | 52| 10.8k| if (strncmp((char const *)packet->payload, "*KISMET: ", NDPI_STATICSTRING_LEN("*KISMET: ")) == 0) ------------------ | | 98| 10.8k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (52:7): [True: 3, False: 10.8k] ------------------ 53| 3| { 54| 3| ndpi_int_kismet_add_connection(ndpi_struct, flow); 55| 3| return; 56| 3| } 57| | 58| 10.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 10.8k|} kismet.c:ndpi_int_kismet_add_connection: 31| 3|{ 32| 3| NDPI_LOG_INFO(ndpi_struct, "found kismet\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 33| 3| ndpi_set_detected_protocol(ndpi_struct, flow, 34| 3| NDPI_PROTOCOL_KISMET, 35| 3| NDPI_PROTOCOL_UNKNOWN, 36| 3| NDPI_CONFIDENCE_DPI); 37| 3|} init_knxnet_ip_dissector: 122| 7.08k|{ 123| 7.08k| ndpi_register_dissector("KNXnet_IP", ndpi_struct, 124| 7.08k| ndpi_search_knxnet_ip, 125| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 126| 7.08k| 1, NDPI_PROTOCOL_KNXNET_IP); 127| 7.08k|} knxnet_ip.c:ndpi_search_knxnet_ip: 76| 14.9k|{ 77| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 78| | 79| 14.9k| NDPI_LOG_DBG(ndpi_struct, "search KNXnet/IP\n"); ------------------ | | 596| 14.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 80| | 81| 14.9k| if ((packet->payload_packet_len < 10) || (packet->payload[0] != 0x06) || ------------------ | Branch (81:7): [True: 1.01k, False: 13.9k] | Branch (81:44): [True: 13.9k, False: 29] ------------------ 82| 29| (packet->payload[1] != 0x10)) ------------------ | Branch (82:7): [True: 29, False: 0] ------------------ 83| 14.9k| { 84| 14.9k| goto not_knxnet_ip; 85| 14.9k| } 86| | 87| 0| u_int16_t service_id = ntohs(get_u_int16_t(packet->payload, 2)); 88| 0| u_int16_t total_length = ntohs(get_u_int16_t(packet->payload, 4)); 89| | 90| 0| if (!is_valid_knxnet_ip_service_id(service_id)) ------------------ | Branch (90:7): [True: 0, False: 0] ------------------ 91| 0| { 92| 0| goto not_knxnet_ip; 93| 0| } 94| | 95| 0| if (total_length == packet->payload_packet_len) ------------------ | Branch (95:7): [True: 0, False: 0] ------------------ 96| 0| { 97| 0| ndpi_int_knxnet_ip_add_connection(ndpi_struct, flow); 98| 0| return; 99| 0| } 100| | 101| | /* Could it be a TCP packet containing multiple messages? 
*/ 102| 0| if (packet->tcp != NULL) ------------------ | Branch (102:7): [True: 0, False: 0] ------------------ 103| 0| { 104| 0| if ((total_length + 10) > packet->payload_packet_len) ------------------ | Branch (104:9): [True: 0, False: 0] ------------------ 105| 0| { 106| 0| goto not_knxnet_ip; 107| 0| } 108| | 109| 0| if (ntohs(get_u_int16_t(packet->payload, total_length)) == 0x610 && ------------------ | Branch (109:9): [True: 0, False: 0] ------------------ 110| 0| is_valid_knxnet_ip_service_id(ntohs(get_u_int16_t(packet->payload, total_length+2)))) ------------------ | Branch (110:9): [True: 0, False: 0] ------------------ 111| 0| { 112| 0| ndpi_int_knxnet_ip_add_connection(ndpi_struct, flow); 113| 0| return; 114| 0| } 115| 0| } 116| | 117| 14.9k|not_knxnet_ip: 118| 14.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 119| 14.9k|} init_lagofast_dissector: 66| 7.08k|{ 67| 7.08k| ndpi_register_dissector("LagoFast", ndpi_struct, 68| 7.08k| ndpi_search_lagofast, 69| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | 
------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 70| 7.08k| 1, NDPI_PROTOCOL_LAGOFAST); 71| 7.08k|} lagofast.c:ndpi_search_lagofast: 40| 3.32k|{ 41| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 42| | 43| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search LagoFast\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| 3.32k| if (packet->payload_packet_len < 6) { ------------------ | Branch (44:7): [True: 128, False: 3.19k] ------------------ 45| 128| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 128|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 46| 128| return; 47| 128| } 48| | 49| | // LagoFast identifier 50| 3.19k| if (get_u_int32_t(packet->payload, 0) != htonl(0x006e5d03)) { ------------------ | | 137| 3.19k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (50:7): [True: 3.19k, False: 0] ------------------ 51| 3.19k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.19k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 3.19k| return; 53| 3.19k| } 54| | 55| | // Check encoded length 56| 0| const uint16_t encoded_length = ntohs(get_u_int16_t(packet->payload, 4)); 57| 0| if (packet->payload_packet_len != encoded_length + 6 /* identifier + length */) { ------------------ | Branch (57:7): [True: 0, False: 0] ------------------ 58| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); 
------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 0| return; 60| 0| } 61| | 62| 0| ndpi_int_lagofast_add_connection(ndpi_struct, flow); 63| 0|} init_ldap_dissector: 74| 7.08k|{ 75| 7.08k| ndpi_register_dissector("LDAP", ndpi_struct, 76| 7.08k| ndpi_search_ldap, 77| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 78| 7.08k| 1, NDPI_PROTOCOL_LDAP); 79| 7.08k|} ldap.c:ndpi_search_ldap: 40| 17.9k|{ 41| 17.9k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| 17.9k| int64_t length; 43| 17.9k| u_int16_t length_len = 0, msg_id_len; 44| 17.9k| u_int8_t op; 45| | 46| 17.9k| NDPI_LOG_DBG(ndpi_struct, "search ldap\n"); ------------------ | | 596| 17.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 17.9k| if(packet->payload_packet_len > 1 && ------------------ | Branch (48:6): [True: 17.7k, False: 112] ------------------ 49| 17.7k| packet->payload[0] == 0x30) { ------------------ | Branch (49:6): [True: 124, False: 17.6k] ------------------ 50| 124| length = asn1_ber_decode_length(&packet->payload[1], packet->payload_packet_len - 1, &length_len); 51| 124| NDPI_LOG_DBG(ndpi_struct, "length %d (%d bytes)\n", length, length_len); ------------------ | | 596| 124|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 124| if(length > 0 && ------------------ | Branch (52:8): [True: 93, False: 31] ------------------ 53| 93| packet->payload_packet_len > 1 + length_len + 1 && ------------------ | Branch (53:8): [True: 92, False: 1] ------------------ 54| 92| packet->payload[1 + length_len] == 0x02 /* Integer */) { ------------------ | Branch (54:8): [True: 5, False: 87] ------------------ 55| 5| msg_id_len = packet->payload[1 + length_len + 1]; 56| 5| if(packet->payload_packet_len > 1 + length_len + 1 + msg_id_len + 1) { ------------------ | Branch (56:10): [True: 3, False: 2] ------------------ 57| 3| op = packet->payload[1 + length_len + 1 + msg_id_len + 1]; 58| 3| NDPI_LOG_DBG(ndpi_struct, "Op 0x%x\n", op); ------------------ | | 596| 3|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| 3| if((op & 0x60) == 0x60 && /* Application */ ------------------ | Branch (59:12): [True: 2, False: 1] ------------------ 60| 2| (op & 0x1F) <= 25) { ------------------ | Branch (60:12): [True: 1, False: 1] ------------------ 61| 1| NDPI_LOG_INFO(ndpi_struct, "found ldap\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 62| 1| ndpi_int_ldap_add_connection(ndpi_struct, flow); 63| 1| return; 64| 1| } 65| 3| } 66| 5| } 67| 124| } 68| | 69| 17.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 17.9k|} ldap.c:ndpi_int_ldap_add_connection: 35| 1|{ 36| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LDAP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 37| 1|} init_ldp_dissector: 118| 7.08k|{ 119| 7.08k| ndpi_register_dissector("LDP", ndpi_struct, 120| 7.08k| ndpi_search_ldp, 121| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | 
------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 122| 7.08k| 1, NDPI_PROTOCOL_LDP); 123| 7.08k|} ldp.c:ndpi_search_ldp: 64| 14.9k|{ 65| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 66| | 67| 14.9k| NDPI_LOG_DBG(ndpi_struct, "search LDP\n"); ------------------ | | 596| 14.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 68| | 69| 14.9k| if (packet->payload_packet_len > 19 && ------------------ | Branch (69:7): [True: 10.3k, False: 4.66k] ------------------ 70| 14.9k| ntohs(get_u_int16_t(packet->payload, 0)) == 1 && ------------------ | Branch (70:7): [True: 57, False: 10.2k] ------------------ 71| 14.9k| ntohs(get_u_int16_t(packet->payload, 2)) == (u_int16_t)(packet->payload_packet_len-4)) ------------------ | Branch (71:7): [True: 3, False: 54] ------------------ 72| 3| { 73| | /* LDP Hello Message */ 74| 3| if (packet->udp != NULL && ------------------ | Branch (74:9): [True: 0, False: 3] ------------------ 75| 3| ntohs(get_u_int16_t(packet->payload, 10)) == 0x0100) ------------------ | Branch (75:9): [True: 0, False: 0] ------------------ 76| 0| { 77| 0| ndpi_int_ldp_add_connection(ndpi_struct, flow); 78| 0| return; 79| 0| } 80| 3| else if (packet->tcp != NULL) { ------------------ | Branch (80:14): [True: 3, False: 0] ------------------ 81| 3| u_int16_t ldp_msg_type = ntohs(get_u_int16_t(packet->payload, 10)); 82| | 83| | /* Vendor defined message types */ 84| 3| if (ldp_msg_type >= 0x3E00 && ldp_msg_type <= 0x3EFF) { 
------------------ | Branch (84:11): [True: 1, False: 2] | Branch (84:37): [True: 0, False: 1] ------------------ 85| 0| ndpi_int_ldp_add_connection(ndpi_struct, flow); 86| 0| return; 87| 0| } 88| | 89| 3| switch (ldp_msg_type) { 90| 0| case LDP_INITIALIZATION: ------------------ | Branch (90:9): [True: 0, False: 3] ------------------ 91| 0| case LDP_KEEPALIVE: ------------------ | Branch (91:9): [True: 0, False: 3] ------------------ 92| 0| case LDP_CAPABILITY: ------------------ | Branch (92:9): [True: 0, False: 3] ------------------ 93| 0| case LDP_ADDRESS: ------------------ | Branch (93:9): [True: 0, False: 3] ------------------ 94| 0| case LDP_ADDRESS_WITHDRAWAL: ------------------ | Branch (94:9): [True: 0, False: 3] ------------------ 95| 1| case LDP_LABEL_MAPPING: ------------------ | Branch (95:9): [True: 1, False: 2] ------------------ 96| 1| case LDP_LABEL_REQUEST: ------------------ | Branch (96:9): [True: 0, False: 3] ------------------ 97| 1| case LDP_LABEL_WITHDRAWAL: ------------------ | Branch (97:9): [True: 0, False: 3] ------------------ 98| 1| case LDP_LABEL_RELEASE: ------------------ | Branch (98:9): [True: 0, False: 3] ------------------ 99| 1| case LDP_LABEL_ABORT_REQUEST: ------------------ | Branch (99:9): [True: 0, False: 3] ------------------ 100| 1| case LDP_CALL_SETUP: ------------------ | Branch (100:9): [True: 0, False: 3] ------------------ 101| 1| case LDP_CALL_RELEASE: ------------------ | Branch (101:9): [True: 0, False: 3] ------------------ 102| 1| case LDP_RG_CONNECT_MESSAGE: ------------------ | Branch (102:9): [True: 0, False: 3] ------------------ 103| 1| case LDP_RG_DISCONNECT_MESSAGE: ------------------ | Branch (103:9): [True: 0, False: 3] ------------------ 104| 1| case LDP_RG_NOTIFICATION_MESSAGE: ------------------ | Branch (104:9): [True: 0, False: 3] ------------------ 105| 1| case LDP_RG_APPLICATION_DATA_MESSAGE: ------------------ | Branch (105:9): [True: 0, False: 3] ------------------ 106| 1| 
ndpi_int_ldp_add_connection(ndpi_struct, flow); 107| 1| return; 108| 2| default: ------------------ | Branch (108:9): [True: 2, False: 1] ------------------ 109| 2| break; 110| 3| } 111| 3| } 112| 3| } 113| | 114| 14.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 115| 14.9k|} ldp.c:ndpi_int_ldp_add_connection: 56| 1|{ 57| 1| NDPI_LOG_INFO(ndpi_struct, "found LDP\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 58| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LDP, 59| 1| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 60| 1|} init_line_dissector: 114| 7.08k|{ 115| 7.08k| ndpi_register_dissector("LineCall", ndpi_struct, 116| 7.08k| ndpi_search_line, 117| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 118| 7.08k| 1, NDPI_PROTOCOL_LINE_CALL); 119| 7.08k|} line.c:ndpi_search_line: 39| 3.76k|{ 40| 3.76k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 41| 3.76k| int rc; 42| | 43| 3.76k| NDPI_LOG_DBG(ndpi_struct, "searching LineCall\n"); ------------------ | | 596| 3.76k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 3.76k| if(packet->iph && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_LINE)) { ------------------ | Branch (45:6): [True: 3.47k, False: 297] | Branch (45:21): [True: 0, False: 3.47k] ------------------ 46| | /* 47| | The heuristic below (coming from reverse engineering packet traces) 48| | will apply only to IPv4 and Line IP addresses. This is to avoid putting 49| | false positives in other nDPI-decoded protocols. 50| | */ 51| | 52| 0| if ((packet->payload_packet_len == 110 && ------------------ | Branch (52:10): [True: 0, False: 0] ------------------ 53| 0| ndpi_struct->packet.payload[0] == 0xB6 && ndpi_struct->packet.payload[1] == 0x18 && ndpi_struct->packet.payload[2] == 0x00 && ndpi_struct->packet.payload[3] == 0x6A) || ------------------ | Branch (53:3): [True: 0, False: 0] | Branch (53:46): [True: 0, False: 0] | Branch (53:88): [True: 0, False: 0] | Branch (53:130): [True: 0, False: 0] ------------------ 54| 0| (packet->payload_packet_len >= 738 && (ndpi_struct->packet.payload[0] == 0xDA || ndpi_struct->packet.payload[0] == 0xDB) && ------------------ | Branch (54:3): [True: 0, False: 0] | Branch (54:41): [True: 0, False: 0] | Branch (54:83): [True: 0, False: 0] ------------------ 55| 0| ndpi_struct->packet.payload[4] == 0x06 && ndpi_struct->packet.payload[5] == 0x02) || ------------------ | Branch (55:3): [True: 0, False: 0] | Branch (55:45): [True: 0, False: 0] ------------------ 56| 0| (packet->payload_packet_len >= 150 && (ndpi_struct->packet.payload[0] ==
0xD9 || ndpi_struct->packet.payload[0] == 0xD8) && ------------------ | Branch (56:3): [True: 0, False: 0] | Branch (56:41): [True: 0, False: 0] | Branch (56:83): [True: 0, False: 0] ------------------ 57| 0| ((ndpi_struct->packet.payload[1] & 0xF0) == 0x90 || (ndpi_struct->packet.payload[1] & 0xF0) == 0xD0 || (ndpi_struct->packet.payload[1] & 0xF0) == 0xE0) && ndpi_struct->packet.payload[4] == 0x06 && ------------------ | Branch (57:4): [True: 0, False: 0] | Branch (57:55): [True: 0, False: 0] | Branch (57:106): [True: 0, False: 0] | Branch (57:158): [True: 0, False: 0] ------------------ 58| 0| ndpi_struct->packet.payload[5] == 0x02)) { ------------------ | Branch (58:3): [True: 0, False: 0] ------------------ 59| 0| ndpi_int_line_add_connection(ndpi_struct, flow); 60| 0| return; 61| 0| } 62| | 63| 0| if ((packet->payload_packet_len == 46 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6130006) || ------------------ | Branch (63:10): [True: 0, False: 0] | Branch (63:46): [True: 0, False: 0] ------------------ 64| 0| (packet->payload_packet_len == 8 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6070004) || ------------------ | Branch (64:3): [True: 0, False: 0] | Branch (64:38): [True: 0, False: 0] ------------------ 65| 0| (packet->payload_packet_len == 16 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb609000c) || ------------------ | Branch (65:3): [True: 0, False: 0] | Branch (65:39): [True: 0, False: 0] ------------------ 66| 0| (packet->payload_packet_len >= 2 /* TODO */ && ndpi_struct->packet.payload[0] == 0xD0 && ------------------ | Branch (66:3): [True: 0, False: 0] | Branch (66:49): [True: 0, False: 0] ------------------ 67| 0| (ndpi_struct->packet.payload[1] == 0xB3 || ndpi_struct->packet.payload[1] == 0xB4 ------------------ | Branch (67:4): [True: 0, False: 0] | Branch (67:46): [True: 0, False: 0] ------------------ 68| 0| || ndpi_struct->packet.payload[1] == 0xDA || ndpi_struct->packet.payload[1] == 0xDB))) { ------------------ | Branch 
(68:7): [True: 0, False: 0] | Branch (68:49): [True: 0, False: 0] ------------------ 69| 0| ndpi_int_line_add_connection(ndpi_struct, flow); 70| 0| return; 71| 0| } 72| 0| } 73| | 74| | /* Some "random" UDP packets before the standard RTP stream: 75| | it seems that the 4th bytes of these packets is some kind of packet 76| | number. Look for 4 packets per direction with consecutive numbers. */ 77| 3.76k| if(packet->payload_packet_len > 10) { ------------------ | Branch (77:6): [True: 3.62k, False: 147] ------------------ 78| 3.62k| if(flow->l4.udp.line_pkts[packet->packet_direction] == 0) { ------------------ | Branch (78:8): [True: 3.28k, False: 341] ------------------ 79| 3.28k| flow->l4.udp.line_base_cnt[packet->packet_direction] = packet->payload[3]; 80| 3.28k| flow->l4.udp.line_pkts[packet->packet_direction] += 1; 81| 3.28k| return; 82| 3.28k| } else { 83| | /* It might be a RTP/RTCP packet. Ignore it and keep looking for the 84| | LINE packet numbers */ 85| | /* Basic RTP detection */ 86| 341| rc = is_rtp_or_rtcp(ndpi_struct, packet->payload, packet->payload_packet_len, NULL); 87| 341| if(rc == IS_RTCP || rc == IS_RTP) { ------------------ | Branch (87:10): [True: 0, False: 341] | Branch (87:27): [True: 6, False: 335] ------------------ 88| 6| if(flow->packet_counter < 10) { ------------------ | Branch (88:12): [True: 6, False: 0] ------------------ 89| 6| NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE\n"); ------------------ | | 596| 6|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 90| 6| return; 91| 6| } 92| 335| } else { 93| 335| if((u_int8_t)(flow->l4.udp.line_base_cnt[packet->packet_direction] + ------------------ | Branch (93:12): [True: 4, False: 331] ------------------ 94| 335| flow->l4.udp.line_pkts[packet->packet_direction]) == packet->payload[3]) { 95| 4| flow->l4.udp.line_pkts[packet->packet_direction] += 1; 96| 4| if(flow->l4.udp.line_pkts[0] >= 4 && flow->l4.udp.line_pkts[1] >= 4) { ------------------ | Branch (96:14): [True: 0, False: 4] | Branch (96:48): [True: 0, False: 0] ------------------ 97| | /* To avoid false positives: usually "base pkt numbers" per-direction are different */ 98| 0| if(flow->l4.udp.line_base_cnt[0] != flow->l4.udp.line_base_cnt[1]) ------------------ | Branch (98:16): [True: 0, False: 0] ------------------ 99| 0| ndpi_int_line_add_connection(ndpi_struct, flow); 100| 0| else 101| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 102| 0| } 103| 4| return; 104| 4| } 105| 335| } 106| 341| } 107| 3.62k| } 108| | 109| 478| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 478|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 110| 478| return; 111| 3.76k|} init_lisp_dissector: 84| 7.08k|{ 85| 7.08k| ndpi_register_dissector("LISP", ndpi_struct, 86| 7.08k| ndpi_search_lisp, 87| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 
628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 88| 7.08k| 1, NDPI_PROTOCOL_LISP); 89| 7.08k|} lisp.c:ndpi_search_lisp: 76| 15.1k|{ 77| 15.1k| NDPI_LOG_DBG(ndpi_struct, "search lisp\n"); ------------------ | | 596| 15.1k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 78| | 79| 15.1k| ndpi_check_lisp(ndpi_struct, flow); 80| 15.1k|} lisp.c:ndpi_check_lisp: 39| 15.1k|{ 40| | /* Marks the flow as LISP when (a) a UDP packet has source and destination port both equal to LISP_PORT or both equal to LISP_PORT1, or (b) a non-UDP packet with LISP_PORT1 as TCP source or destination port carries at least 8 payload bytes, a 16-bit length at offset 2 that is >= the payload length, and the trailing bytes 9F AC AD E9. Otherwise the dissector is excluded for this flow. */ 41| 15.1k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| 15.1k| u_int16_t lisp_port1 = htons(LISP_PORT1); 43| 15.1k| u_int16_t lisp_port = htons(LISP_PORT); 44| | /* The port constants are converted with htons() once so they can be compared directly with the header fields below. */ 45| 15.1k| if(packet->udp != NULL) { ------------------ | Branch (45:6): [True: 3.37k, False: 11.8k] ------------------ 46| 3.37k| if((packet->udp->source == lisp_port && packet->udp->dest == lisp_port) || ------------------ | Branch (46:9): [True: 0, False: 3.37k] | Branch (46:45): [True: 0, False: 0] ------------------ 47| 3.37k| (packet->udp->source == lisp_port1 && packet->udp->dest == lisp_port1)) { ------------------ | Branch (47:9): [True: 0, False: 3.37k] | Branch (47:46): [True: 0, False: 0] ------------------ 48| 0| NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| 0| ndpi_int_lisp_add_connection(ndpi_struct, flow); 50| 0| return; 51| 0| } 52| 11.8k| } else { 53| | /* See draft-kouvelas-lisp-map-server-reliable-transport-07. NOTE(review): packet->tcp is dereferenced on this path without a check of its own; presumably non-NULL because init_lisp_dissector registers a TCP_OR_UDP selection bitmask and packet->udp is NULL here - confirm. */ 54| 11.8k| if(packet->tcp->source == lisp_port1 || ------------------ | Branch (54:8): [True: 1, False: 11.8k] ------------------ 55| 11.8k| packet->tcp->dest == lisp_port1) { ------------------ | Branch (55:8): [True: 2, False: 11.7k] ------------------ 56| 3| if(packet->payload_packet_len >= 8) { ------------------ | Branch (56:10): [True: 3, False: 0] ------------------ 57| 3| u_int16_t msg_len = ntohs(*(u_int16_t *)&packet->payload[2]); /* length field at payload[2..3], converted from network byte order; in range because payload_packet_len >= 8 was checked on the line above */ 58| 3| if(msg_len >= packet->payload_packet_len && ------------------ | Branch (58:5): [True: 1, False: 2] ------------------ 59| | /* End marker: we don't handle fragmented messages. NOTE(review): '>=' on the line above also admits a length field larger than this segment - confirm that is intended. The four trailing-byte reads below stay in range because payload_packet_len >= 8. */ 60| 1| packet->payload[packet->payload_packet_len - 1] == 0xE9 && ------------------ | Branch (60:5): [True: 0, False: 1] ------------------ 61| 0| 
packet->payload[packet->payload_packet_len - 2] == 0xAD && ------------------ | Branch (61:5): [True: 0, False: 0] ------------------ 62| 0| packet->payload[packet->payload_packet_len - 3] == 0xAC && ------------------ | Branch (62:5): [True: 0, False: 0] ------------------ 63| 0| packet->payload[packet->payload_packet_len - 4] == 0x9F) { ------------------ | Branch (63:5): [True: 0, False: 0] ------------------ 64| 0| NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| 0| ndpi_int_lisp_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| 3| } 69| 3| } 70| 11.8k| } 71| | /* Neither the UDP port pair nor the TCP end-marker check matched: exclude this dissector for the flow. */ 72| 15.1k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.1k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 15.1k|} init_lolwildrift_dissector: 76| 7.08k|{ 77| 7.08k| ndpi_register_dissector("LoLWildRift", ndpi_struct, 78| 7.08k| ndpi_search_lolwildrift, 79| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 80| 7.08k| 1, NDPI_PROTOCOL_LOLWILDRIFT); 81| 7.08k|} lol_wild_rift.c:ndpi_search_lolwildrift: 44| 3.32k|{ 45| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | /* League of Legends: Wild Rift detection on UDP payloads. Matches a 22-byte packet by its first and last 32-bit words, or a two-step exchange in which a 69-byte packet sets lolwildrift_stage to 1 and a 359-byte packet seen while the stage is 1 confirms the protocol. Each 32-bit read follows an exact payload length check, so the offsets used are in range. Otherwise the dissector is excluded for this flow. */ 47| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search League of Legends: Wild Rift\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 48| | 49| 3.32k| if (packet->payload_packet_len == 22 && ------------------ | Branch (49:7): [True: 11, False: 3.31k] ------------------ 50| 3.32k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x102C841 && ------------------ | Branch (50:7): [True: 0, False: 11] ------------------ 51| 3.32k| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len-4)) == 0x41304231) ------------------ | Branch (51:7): [True: 0, False: 0] ------------------ 52| 0| { 53| 0| ndpi_int_lolwildrift_add_connection(ndpi_struct, flow); 54| 0| return; 55| 0| } 56| | /* First step of the two-packet pattern: remember it in the flow and wait for the next packet. */ 57| 3.32k| if (packet->payload_packet_len == 69 && ------------------ | Branch (57:7): [True: 1, False: 3.32k] ------------------ 58| 3.32k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x4000000) ------------------ | Branch (58:7): [True: 0, False: 1] ------------------ 59| 0| { 60| 0| flow->l4.udp.lolwildrift_stage = 1; 61| 0| return; 62| 0| } 63| | /* Second step: only considered when the stage flag was set by the branch above. */ 64| 3.32k| if (flow->l4.udp.lolwildrift_stage == 1 && ------------------ | Branch (64:7): [True: 0, False: 3.32k] ------------------ 65| 0| packet->payload_packet_len == 359 && ------------------ | Branch (65:7): [True: 0, False: 0] ------------------ 66| 3.32k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x10000000) ------------------ | Branch (66:7): [True: 0, False: 0] ------------------ 67| 0| { 68| 
0| ndpi_int_lolwildrift_add_connection(ndpi_struct, flow); 69| 0| return; 70| 0| } 71| | /* No pattern matched: exclude this dissector for the flow. */ 72| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 73| 3.32k|} init_lustre_dissector: 81| 7.08k|{ 82| 7.08k| ndpi_register_dissector("Lustre", ndpi_struct, 83| 7.08k| ndpi_search_lustre, 84| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, /* Ipv4 only; Lustre doesn't support IPv6 */ ------------------ | | 643| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 616| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 85| 7.08k| 1, NDPI_PROTOCOL_LUSTRE); 86| 7.08k|} lustre.c:ndpi_search_lustre: 42| 11.6k|{ 43| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | /* Lustre detection on TCP payloads: either a header whose first word (lnet_magic) is 0x45726963 or 0xacce7100 and whose word at offset 8 equals the packet's IPv4 destination address, or a mid-stream message with 0xC1 at offset 0, the destination address at offset 24 and a length at offset 52 equal to payload_packet_len - 96. Otherwise the dissector is excluded for this flow. */ 45| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Lustre\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | 47| 11.6k| u_int32_t lnd_dst_address = 0; 48| | /* payload_packet_len > 15 keeps the 32-bit reads at offsets 0 and 8 in range. */ 49| 11.6k| if (packet->payload_packet_len > 15) { ------------------ | Branch (49:7): [True: 10.2k, False: 1.32k] ------------------ 50| 10.2k| u_int32_t lnet_magic = le32toh(get_u_int32_t(packet->payload, 0)); 51| 10.2k| lnd_dst_address = le32toh(get_u_int32_t(packet->payload, 8)); 52| | /* NOTE(review): packet->iph is dereferenced in this function without a NULL check; presumably guaranteed by the IPv4-only selection bitmask passed in init_lustre_dissector - confirm. The coverage counts on this page show the daddr comparisons were never evaluated. */ 53| 10.2k| if ((lnet_magic == 0x45726963 || lnet_magic == 0xacce7100) && lnd_dst_address == ntohl(packet->iph->daddr)) ------------------ | Branch (53:10): [True: 0, False: 10.2k] | Branch (53:38): [True: 0, False: 10.2k] | Branch (53:67): [True: 0, False: 0] ------------------ 54| 0| { 55| 0| ndpi_int_lustre_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| 10.2k| } 59| | 60| | /* 61| | * Mid-stream detection: payload_packet_len > 95 keeps the 32-bit reads at offsets 0, 24 and 52 in range and makes payload_packet_len-96 non-negative 62| | */ 63| | 64| 11.6k| if (packet->payload_packet_len > 95 && le32toh(get_u_int32_t(packet->payload, 0)) == 0xC1) ------------------ | Branch (64:7): [True: 2.39k, False: 9.21k] | Branch (64:42): [True: 0, False: 2.39k] ------------------ 65| 0| { 66| 0| lnd_dst_address = le32toh(get_u_int32_t(packet->payload, 24)); 67| 0| u_int32_t lnet_payload_len = le32toh(get_u_int32_t(packet->payload, 52)); 68| | 69| 0| if (lnd_dst_address == ntohl(packet->iph->daddr) && ------------------ | Branch (69:9): [True: 0, False: 0] ------------------ 70| 0| lnet_payload_len == (u_int32_t)(packet->payload_packet_len-96)) ------------------ | Branch (70:9): [True: 0, False: 0] 
------------------ 71| 0| { 72| 0| ndpi_int_lustre_add_connection(ndpi_struct, flow); 73| 0| return; 74| 0| } 75| 0| } 76| | /* Neither header form matched: exclude this dissector for the flow. */ 77| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 78| 11.6k|} init_mail_imap_dissector: 277| 7.08k|{ 278| 7.08k| ndpi_register_dissector("MAIL_IMAP", ndpi_struct, 279| 7.08k| ndpi_search_mail_imap_tcp, 280| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 281| 7.08k| 1, NDPI_PROTOCOL_MAIL_IMAP); 282| 7.08k|} mail_imap.c:ndpi_search_mail_imap_tcp: 49| 13.5k|{ 50| 13.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 51| 13.5k| u_int16_t i = 0; 52| 13.5k| u_int16_t space_pos = 0; 53| 13.5k| u_int16_t command_start = 0; 54| 13.5k| u_int8_t saw_command = 0; 55| | /* const u_int8_t *command = 0; */ 56| | 57| 13.5k| NDPI_LOG_DBG(ndpi_struct, "search IMAP_IMAP\n"); ------------------ | | 596| 13.5k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 58| | 59| |#ifdef IMAP_DEBUG 60| | printf("%s() [%.*s]\n", __FUNCTION__, packet->payload_packet_len, packet->payload); 61| |#endif 62| | 63| 13.5k| if(packet->payload_packet_len >= 4 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) { ------------------ | Branch (63:6): [True: 13.4k, False: 25] | Branch (63:41): [True: 2.95k, False: 10.5k] ------------------ 64| | // the DONE command appears without a tag 65| 2.95k| if(packet->payload_packet_len == 6 && ndpi_memcasecmp(packet->payload, "DONE", 4) == 0) { ------------------ | Branch (65:8): [True: 0, False: 2.95k] | Branch (65:43): [True: 0, False: 0] ------------------ 66| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 67| 0| saw_command = 1; 68| 2.95k| } else { 69| 2.95k| if(flow->l4.tcp.mail_imap_stage < 5) { ------------------ | Branch (69:10): [True: 
2.95k, False: 0] ------------------ 70| | // search for the first space character (end of the tag) 71| 13.1k| while (i < 20 && i < packet->payload_packet_len) { ------------------ | Branch (71:9): [True: 13.1k, False: 1] | Branch (71:19): [True: 13.1k, False: 0] ------------------ 72| 13.1k| if(i > 0 && packet->payload[i] == ' ') { ------------------ | Branch (72:7): [True: 10.2k, False: 2.95k] | Branch (72:16): [True: 2.15k, False: 8.08k] ------------------ 73| 2.15k| space_pos = i; 74| 2.15k| break; 75| 2.15k| } 76| 11.0k| if(!((packet->payload[i] >= 'a' && packet->payload[i] <= 'z') || ------------------ | Branch (76:10): [True: 1.44k, False: 9.59k] | Branch (76:39): [True: 1.26k, False: 178] ------------------ 77| 9.77k| (packet->payload[i] >= 'A' && packet->payload[i] <= 'Z') || ------------------ | Branch (77:4): [True: 7.37k, False: 2.39k] | Branch (77:33): [True: 7.18k, False: 185] ------------------ 78| 2.58k| (packet->payload[i] >= '0' && packet->payload[i] <= '9') || packet->payload[i] == '*' || packet->payload[i] == '.')) { ------------------ | Branch (78:4): [True: 593, False: 1.99k] | Branch (78:33): [True: 365, False: 228] | Branch (78:63): [True: 1.10k, False: 1.11k] | Branch (78:92): [True: 308, False: 803] ------------------ 79| 803| goto imap_excluded; 80| 803| } 81| 10.2k| i++; 82| 10.2k| } 83| 2.15k| if(space_pos == 0 || space_pos == (packet->payload_packet_len - 1)) { ------------------ | Branch (83:5): [True: 1, False: 2.15k] | Branch (83:23): [True: 0, False: 2.15k] ------------------ 84| 1| goto imap_excluded; 85| 1| } 86| | // now walk over a possible mail number to the next space 87| 2.15k| i++; 88| 2.15k| if(i < packet->payload_packet_len && (packet->payload[i] >= '0' && packet->payload[i] <= '9')) { ------------------ | Branch (88:5): [True: 2.15k, False: 0] | Branch (88:40): [True: 802, False: 1.34k] | Branch (88:69): [True: 14, False: 788] ------------------ 89| 35| while (i < 20 && i < packet->payload_packet_len) { ------------------ 
| Branch (89:11): [True: 35, False: 0] | Branch (89:21): [True: 35, False: 0] ------------------ 90| 35| if(i > 0 && packet->payload[i] == ' ') { ------------------ | Branch (90:9): [True: 35, False: 0] | Branch (90:18): [True: 6, False: 29] ------------------ 91| 6| space_pos = i; 92| 6| break; 93| 6| } 94| 29| if(!(packet->payload[i] >= '0' && packet->payload[i] <= '9')) { ------------------ | Branch (94:11): [True: 23, False: 6] | Branch (94:40): [True: 21, False: 2] ------------------ 95| 8| goto imap_excluded; 96| 8| } 97| 21| i++; 98| 21| } 99| 6| if(space_pos == 0 || space_pos == (packet->payload_packet_len - 1)) { ------------------ | Branch (99:7): [True: 0, False: 6] | Branch (99:25): [True: 0, False: 6] ------------------ 100| 0| goto imap_excluded; 101| 0| } 102| 6| } 103| 2.14k| command_start = space_pos + 1; 104| | /* command = &(packet->payload[command_start]); */ 105| 2.14k| } else { 106| 0| command_start = 0; 107| | /* command = &(packet->payload[command_start]); */ 108| 0| } 109| | 110| 2.14k| if((command_start + 3) < packet->payload_packet_len) { ------------------ | Branch (110:10): [True: 2.14k, False: 0] ------------------ 111| 2.14k| if(ndpi_memcasecmp(packet->payload + command_start, "OK ", 3) == 0) { ------------------ | Branch (111:5): [True: 0, False: 2.14k] ------------------ 112| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 113| 0| if(flow->l4.tcp.mail_imap_starttls == 1) { ------------------ | Branch (113:7): [True: 0, False: 0] ------------------ 114| 0| NDPI_LOG_DBG2(ndpi_struct, "starttls detected\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 115| 0| ndpi_int_mail_imap_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAPS); 116| 0| if(ndpi_struct->cfg.imap_opportunistic_tls_enabled) { ------------------ | Branch (116:9): [True: 0, False: 0] ------------------ 117| 0| NDPI_LOG_DBG(ndpi_struct, "Switching to [%d/%d]\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 118| 0| flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); 119| | /* We are done (in IMAP dissector): delegating TLS... */ 120| 0| switch_extra_dissection_to_tls(ndpi_struct, flow); 121| 0| return; 122| 0| } 123| 0| } 124| 0| saw_command = 1; 125| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "UID", 3) == 0) { ------------------ | Branch (125:12): [True: 0, False: 2.14k] ------------------ 126| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 127| 0| saw_command = 1; 128| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "NO ", 3) == 0) { ------------------ | Branch (128:12): [True: 0, False: 2.14k] ------------------ 129| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 130| 0| if(flow->l4.tcp.mail_imap_starttls == 1) ------------------ | Branch (130:7): [True: 0, 
False: 0] ------------------ 131| 0| flow->l4.tcp.mail_imap_starttls = 0; 132| 0| saw_command = 1; 133| 0| } 134| 2.14k| } 135| 2.14k| if((command_start + 10) < packet->payload_packet_len) { ------------------ | Branch (135:10): [True: 1.45k, False: 687] ------------------ 136| 1.45k| if(ndpi_memcasecmp(packet->payload + command_start, "CAPABILITY", 10) == 0) { ------------------ | Branch (136:5): [True: 0, False: 1.45k] ------------------ 137| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 138| 0| saw_command = 1; 139| 0| } 140| 1.45k| } 141| 2.14k| if((command_start + 8) < packet->payload_packet_len) { ------------------ | Branch (141:10): [True: 2.13k, False: 4] ------------------ 142| 2.13k| if(ndpi_memcasecmp(packet->payload + command_start, "STARTTLS", 8) == 0) { ------------------ | Branch (142:5): [True: 0, False: 2.13k] ------------------ 143| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 144| 0| flow->l4.tcp.mail_imap_starttls = 1; 145| 0| saw_command = 1; 146| 0| } 147| 2.13k| } 148| 2.14k| if((command_start + 5) < packet->payload_packet_len) { ------------------ | Branch (148:10): [True: 2.14k, False: 0] ------------------ 149| 2.14k| if(ndpi_memcasecmp(packet->payload + command_start, "LOGIN", 5) == 0) { ------------------ | Branch (149:5): [True: 0, 
False: 2.14k] ------------------ 150| | /* xxxx LOGIN "username" "password" 151| | xxxx LOGIN username password */ 152| 0| char str[256], *user, *saveptr; 153| 0| u_int len = ndpi_min(packet->payload_packet_len - (command_start + 5), (int)sizeof(str) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 154| | 155| 0| ndpi_strlcpy(str, (const char*)packet->payload + command_start + 5, sizeof(str), len); 156| | 157| 0| user = strtok_r(str, " \"\r\n", &saveptr); 158| 0| if(user) { ------------------ | Branch (158:7): [True: 0, False: 0] ------------------ 159| 0| char *pwd, buf[64]; 160| | 161| 0| ndpi_snprintf(flow->l4.tcp.ftp_imap_pop_smtp.username, 162| 0| sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 163| 0| "%s", user); 164| | 165| 0| snprintf(buf, sizeof(buf), "Found IMAP username (%s)", 166| 0| flow->l4.tcp.ftp_imap_pop_smtp.username); 167| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); 168| | 169| 0| pwd = strtok_r(NULL, " \"\r\n", &saveptr); 170| 0| if(pwd) { ------------------ | Branch (170:9): [True: 0, False: 0] ------------------ 171| 0| ndpi_snprintf(flow->l4.tcp.ftp_imap_pop_smtp.password, 172| 0| sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 173| 0| "%s", pwd); 174| 0| } 175| 0| } 176| | 177| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 178| 0| saw_command = 1; 179| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "FETCH", 5) == 0) { ------------------ | Branch (179:12): [True: 0, False: 2.14k] ------------------ 180| 0| 
SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 181| 0| saw_command = 1; 182| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "FLAGS", 5) == 0) { ------------------ | Branch (182:12): [True: 0, False: 2.14k] ------------------ 183| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 184| 0| saw_command = 1; 185| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "CHECK", 5) == 0) { ------------------ | Branch (185:12): [True: 0, False: 2.14k] ------------------ 186| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 187| 0| saw_command = 1; 188| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "STORE", 5) == 0) { ------------------ | Branch (188:12): [True: 0, False: 2.14k] ------------------ 189| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | 
------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 190| 0| saw_command = 1; 191| 0| } 192| 2.14k| } 193| 2.14k| if((command_start + 12) < packet->payload_packet_len) { ------------------ | Branch (193:10): [True: 35, False: 2.10k] ------------------ 194| 35| if(ndpi_memcasecmp(packet->payload + command_start, "AUTHENTICATE", 12) == 0) { ------------------ | Branch (194:5): [True: 0, False: 35] ------------------ 195| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 196| | /* Authenticate phase may have multiple messages. Ignore them since they are 197| | somehow encrypted anyway. 
*/ 198| 0| ndpi_int_mail_imap_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAPS); 199| 0| saw_command = 1; 200| 0| } 201| 35| } 202| 2.14k| if((command_start + 9) < packet->payload_packet_len) { ------------------ | Branch (202:10): [True: 2.13k, False: 12] ------------------ 203| 2.13k| if(ndpi_memcasecmp(packet->payload + command_start, "NAMESPACE", 9) == 0) { ------------------ | Branch (203:5): [True: 0, False: 2.13k] ------------------ 204| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 205| 0| saw_command = 1; 206| 0| } 207| 2.13k| } 208| 2.14k| if((command_start + 4) < packet->payload_packet_len) { ------------------ | Branch (208:10): [True: 2.14k, False: 0] ------------------ 209| 2.14k| if(ndpi_memcasecmp(packet->payload + command_start, "LSUB", 4) == 0) { ------------------ | Branch (209:5): [True: 0, False: 2.14k] ------------------ 210| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 211| 0| saw_command = 1; 212| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "LIST", 4) == 0) { ------------------ | Branch (212:12): [True: 1, False: 2.14k] ------------------ 213| 1| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 1| do { \ | | 36| 1| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): 
[True: 1, False: 0] | | ------------------ | | 37| 1| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 1| } \ | | 39| 1| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 1] | | ------------------ ------------------ 214| 1| saw_command = 1; 215| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "NOOP", 4) == 0) { ------------------ | Branch (215:12): [True: 0, False: 2.14k] ------------------ 216| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 217| 0| saw_command = 1; 218| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "IDLE", 4) == 0) { ------------------ | Branch (218:12): [True: 0, False: 2.14k] ------------------ 219| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 220| 0| saw_command = 1; 221| 0| } 222| 2.14k| } 223| 2.14k| if((command_start + 6) < packet->payload_packet_len) { ------------------ | Branch (223:10): [True: 2.14k, False: 0] ------------------ 224| 2.14k| if(ndpi_memcasecmp(packet->payload + command_start, "SELECT", 6) == 0) { ------------------ | Branch (224:5): [True: 0, False: 2.14k] ------------------ 225| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | 
------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 226| 0| saw_command = 1; 227| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "EXISTS", 6) == 0) { ------------------ | Branch (227:12): [True: 0, False: 2.14k] ------------------ 228| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 229| 0| saw_command = 1; 230| 2.14k| } else if(ndpi_memcasecmp(packet->payload + command_start, "APPEND", 6) == 0) { ------------------ | Branch (230:12): [True: 0, False: 2.14k] ------------------ 231| 0| SAFE_INC_IMAP_STAGE(flow); ------------------ | | 35| 0| do { \ | | 36| 0| if ((flow)->l4.tcp.mail_imap_stage < 7) { \ | | ------------------ | | | Branch (36:7): [True: 0, False: 0] | | ------------------ | | 37| 0| (flow)->l4.tcp.mail_imap_stage += 1; \ | | 38| 0| } \ | | 39| 0| } while(0) | | ------------------ | | | Branch (39:10): [Folded, False: 0] | | ------------------ ------------------ 232| 0| saw_command = 1; 233| 0| } 234| 2.14k| } 235| | 236| 2.14k| } 237| | 238| 2.14k| if(saw_command == 1) { ------------------ | Branch (238:8): [True: 1, False: 2.14k] ------------------ 239| 1| if((flow->l4.tcp.mail_imap_stage == 3) ------------------ | Branch (239:10): [True: 0, False: 1] ------------------ 240| 1| || (flow->l4.tcp.mail_imap_stage == 5) ------------------ | Branch (240:6): [True: 0, False: 1] ------------------ 241| 1| || (flow->l4.tcp.mail_imap_stage == 7) ------------------ | Branch (241:6): [True: 0, False: 1] ------------------ 242| 1| ) { 
243| 0| if((flow->l4.tcp.ftp_imap_pop_smtp.username[0] != '\0') ------------------ | Branch (243:5): [True: 0, False: 0] ------------------ 244| 0| || (flow->l4.tcp.mail_imap_stage >= 7)) { ------------------ | Branch (244:8): [True: 0, False: 0] ------------------ 245| 0| NDPI_LOG_INFO(ndpi_struct, "found MAIL_IMAP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 246| 0| ndpi_int_mail_imap_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAP); 247| 0| } 248| | 249| 0| return; 250| 0| } 251| 1| } 252| 2.14k| } 253| | 254| 12.7k| if(packet->payload_packet_len > 1 && packet->payload[packet->payload_packet_len - 1] == ' ') { ------------------ | Branch (254:6): [True: 12.7k, False: 4] | Branch (254:40): [True: 116, False: 12.5k] ------------------ 255| 116| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 116|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 256| 116| "maybe a split imap command -> need next packet and imap_stage is set to 4.\n"); 257| 116| flow->l4.tcp.mail_imap_stage = 4; 258| 116| return; 259| 116| } 260| | 261| 13.4k| imap_excluded: 262| | 263| | // skip over possible authentication hashes etc. that cannot be identified as imap commands or responses 264| | // if the packet count is low enough and at least one command or response was seen before 265| 13.4k| if((packet->payload_packet_len >= 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) ------------------ | Branch (265:7): [True: 13.4k, False: 4] | Branch (265:42): [True: 2.95k, False: 10.4k] ------------------ 266| 2.95k| && flow->packet_counter < 8 && flow->l4.tcp.mail_imap_stage >= 1) { ------------------ | Branch (266:10): [True: 2.95k, False: 1] | Branch (266:38): [True: 23, False: 2.93k] ------------------ 267| 23| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 23|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 268| 23| "no imap command or response but packet count < 6 and imap stage >= 1 -> skip\n"); 269| 23| return; 270| 23| } 271| | 272| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 273| 13.3k|} init_mail_pop_dissector: 233| 7.08k|void init_mail_pop_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 234| 7.08k| ndpi_register_dissector("MAIL_POP", ndpi_struct, 235| 7.08k| ndpi_search_mail_pop_tcp, 236| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | 
#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 237| 7.08k| 1, NDPI_PROTOCOL_MAIL_POP); 238| 7.08k|} mail_pop.c:ndpi_search_mail_pop_tcp: 124| 17.8k|{ 125| 17.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 126| 17.8k| u_int8_t a = 0; 127| 17.8k| u_int8_t bit_count = 0; 128| | 129| 17.8k| NDPI_LOG_DBG(ndpi_struct, "search mail_pop\n"); ------------------ | | 596| 17.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 130| | 131| 17.8k| if((packet->payload_packet_len > 3 ------------------ | Branch (131:7): [True: 17.8k, False: 25] ------------------ 132| 17.8k| && ndpi_memcasecmp(packet->payload, "+OK", 3) == 0) ------------------ | Branch (132:10): [True: 0, False: 17.8k] ------------------ 133| 17.8k| || (packet->payload_packet_len > 4 ------------------ | Branch (133:11): [True: 16.9k, False: 939] ------------------ 134| 16.9k| && ndpi_memcasecmp(packet->payload, "-ERR", 4) == 0)) { ------------------ | Branch (134:7): [True: 0, False: 16.9k] ------------------ 135| | // +OK or -ERR seen 136| 0| flow->l4.tcp.mail_pop_stage += 1; 137| 0| if(packet->payload[0] == '+' && flow->l4.tcp.mail_imap_starttls == 1) { ------------------ | Branch (137:8): [True: 0, False: 0] | Branch (137:37): [True: 0, False: 0] ------------------ 138| 0| NDPI_LOG_DBG2(ndpi_struct, "starttls detected\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 139| 0| ndpi_int_mail_pop_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_POPS); 140| 0| if(ndpi_struct->cfg.pop_opportunistic_tls_enabled) { ------------------ | Branch (140:10): [True: 0, False: 0] ------------------ 141| 0| NDPI_LOG_DBG(ndpi_struct, "Switching to [%d/%d]\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 142| 0| flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); 143| | /* We are done (in POP dissector): delegating TLS... */ 144| 0| switch_extra_dissection_to_tls(ndpi_struct, flow); 145| 0| return; 146| 0| } 147| 0| } 148| 0| if(packet->payload[0] == '-' && flow->l4.tcp.mail_imap_starttls == 1) ------------------ | Branch (148:8): [True: 0, False: 0] | Branch (148:37): [True: 0, False: 0] ------------------ 149| 0| flow->l4.tcp.mail_imap_starttls = 0; 150| 17.8k| } else if(!ndpi_int_mail_pop_check_for_client_commands(ndpi_struct, flow)) { ------------------ | Branch (150:13): [True: 17.0k, False: 864] ------------------ 151| 17.0k| goto maybe_split_pop; 152| 17.0k| } 153| | 154| 864| if(packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) { ------------------ | Branch (154:6): [True: 864, False: 0] | Branch (154:40): [True: 764, False: 100] ------------------ 155| | // count the bits set in the bitmask 156| 764| if(flow->l4.tcp.pop_command_bitmask != 0) { ------------------ | Branch (156:8): [True: 764, False: 0] ------------------ 157| 12.9k| for (a = 0; a < 16; a++) { ------------------ | Branch (157:19): [True: 12.2k, False: 764] ------------------ 158| 12.2k| bit_count += (flow->l4.tcp.pop_command_bitmask >> a) & 0x01; 159| 12.2k| } 160| 764| } 161| | 162| 764| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 764|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 163| 764| "mail_pop +OK/-ERR responses: %u, unique commands: %u\n", 164| 764| flow->l4.tcp.mail_pop_stage, bit_count); 165| | 166| 764| if((bit_count + flow->l4.tcp.mail_pop_stage) >= 3) { ------------------ | Branch (166:8): [True: 0, False: 764] ------------------ 167| 0| if(flow->l4.tcp.mail_pop_stage > 0) { ------------------ | Branch (167:10): [True: 0, False: 0] ------------------ 168| | 169| 0| if((flow->l4.tcp.ftp_imap_pop_smtp.password[0] != '\0') ------------------ | Branch (169:5): [True: 0, False: 0] ------------------ 170| 0| || (flow->l4.tcp.mail_pop_stage >= 3)) { ------------------ | Branch (170:8): [True: 0, False: 0] ------------------ 171| 0| ndpi_int_mail_pop_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_POP); 172| 0| if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') ------------------ | Branch (172:7): [True: 0, False: 0] ------------------ 173| 0| popInitExtraPacketProcessing(flow); 174| 0| } 175| 0| } 176| | 177| 0| return; 178| 0| } else 179| 764| return; 180| 764| } else { 181| | // first part of a split packet 182| 100| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 100|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 183| 100| "mail_pop command without line ending -> skip\n"); 184| 100| return; 185| 100| } 186| | 187| | 188| 17.0k| maybe_split_pop: 189| | 190| 17.0k| if(((packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) ------------------ | Branch (190:8): [True: 17.0k, False: 9] | Branch (190:42): [True: 6.39k, False: 10.6k] ------------------ 191| 10.6k| || flow->l4.tcp.pop_command_bitmask != 0 || flow->l4.tcp.mail_pop_stage != 0) && flow->packet_counter < 12) { ------------------ | Branch (191:11): [True: 45, False: 10.5k] | Branch (191:52): [True: 0, False: 10.5k] | Branch (191:89): [True: 6.30k, False: 134] ------------------ 192| | // maybe part of a split pop packet 193| 6.30k| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 6.30k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 194| 6.30k| "maybe part of split mail_pop packet -> skip\n"); 195| 6.30k| return; 196| 6.30k| } 197| | 198| 10.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 199| 10.7k|} mail_pop.c:ndpi_int_mail_pop_check_for_client_commands: 62| 17.8k| *ndpi_struct, struct ndpi_flow_struct *flow) { 63| 17.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 64| | 65| 17.8k| if(packet->payload_packet_len > 4) { ------------------ | Branch (65:6): [True: 16.9k, False: 939] ------------------ 66| 16.9k| if(ndpi_memcasecmp(packet->payload, "AUTH", 4) == 0) { ------------------ | Branch (66:8): [True: 4, False: 16.9k] ------------------ 67| 4| flow->l4.tcp.pop_command_bitmask |= POP_BIT_AUTH; ------------------ | | 34| 4|#define POP_BIT_AUTH 0x0001 ------------------ 68| 4| return 1; 69| 16.9k| } else if(ndpi_memcasecmp(packet->payload, "APOP", 4) == 0) { 
------------------ | Branch (69:15): [True: 0, False: 16.9k] ------------------ 70| 0| flow->l4.tcp.pop_command_bitmask |= POP_BIT_APOP; ------------------ | | 35| 0|#define POP_BIT_APOP 0x0002 ------------------ 71| 0| return 1; 72| 16.9k| } else if(ndpi_memcasecmp(packet->payload, "USER", 4) == 0) { ------------------ | Branch (72:15): [True: 8, False: 16.9k] ------------------ 73| 8| char buf[64]; 74| | 75| 8| ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.username, 76| 8| sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username), 5, 77| 8| packet->payload, packet->payload_packet_len); 78| | 79| 8| snprintf(buf, sizeof(buf), "Found username (%s)", 80| 8| flow->l4.tcp.ftp_imap_pop_smtp.username); 81| 8| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); 82| | 83| 8| flow->l4.tcp.pop_command_bitmask |= POP_BIT_USER; ------------------ | | 36| 8|#define POP_BIT_USER 0x0004 ------------------ 84| 8| return 1; 85| 16.9k| } else if(ndpi_memcasecmp(packet->payload, "PASS", 4) == 0) { ------------------ | Branch (85:15): [True: 527, False: 16.4k] ------------------ 86| 527| ndpi_user_pwd_payload_copy((u_int8_t*)flow->l4.tcp.ftp_imap_pop_smtp.password, 87| 527| sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password), 5, 88| 527| packet->payload, packet->payload_packet_len); 89| | 90| 527| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); 91| 527| flow->l4.tcp.pop_command_bitmask |= POP_BIT_PASS; ------------------ | | 37| 527|#define POP_BIT_PASS 0x0008 ------------------ 92| 527| return 1; 93| 16.4k| } else if(ndpi_memcasecmp(packet->payload, "CAPA", 4) == 0) { ------------------ | Branch (93:15): [True: 0, False: 16.4k] ------------------ 94| 0| flow->l4.tcp.pop_command_bitmask |= POP_BIT_CAPA; ------------------ | | 38| 0|#define POP_BIT_CAPA 0x0010 ------------------ 95| 0| return 1; 96| 16.4k| } else if(ndpi_memcasecmp(packet->payload, "LIST", 4) == 0) { ------------------ | Branch (96:15): [True: 8, False: 16.4k] 
------------------ 97| 8| flow->l4.tcp.pop_command_bitmask |= POP_BIT_LIST; ------------------ | | 39| 8|#define POP_BIT_LIST 0x0020 ------------------ 98| 8| return 1; 99| 16.4k| } else if(ndpi_memcasecmp(packet->payload, "STAT", 4) == 0) { ------------------ | Branch (99:15): [True: 293, False: 16.1k] ------------------ 100| 293| flow->l4.tcp.pop_command_bitmask |= POP_BIT_STAT; ------------------ | | 40| 293|#define POP_BIT_STAT 0x0040 ------------------ 101| 293| return 1; 102| 16.1k| } else if(ndpi_memcasecmp(packet->payload, "UIDL", 4) == 0) { ------------------ | Branch (102:15): [True: 0, False: 16.1k] ------------------ 103| 0| flow->l4.tcp.pop_command_bitmask |= POP_BIT_UIDL; ------------------ | | 41| 0|#define POP_BIT_UIDL 0x0080 ------------------ 104| 0| return 1; 105| 16.1k| } else if(ndpi_memcasecmp(packet->payload, "RETR", 4) == 0) { ------------------ | Branch (105:15): [True: 1, False: 16.1k] ------------------ 106| 1| flow->l4.tcp.pop_command_bitmask |= POP_BIT_RETR; ------------------ | | 42| 1|#define POP_BIT_RETR 0x0100 ------------------ 107| 1| return 1; 108| 16.1k| } else if(ndpi_memcasecmp(packet->payload, "DELE", 4) == 0) { ------------------ | Branch (108:15): [True: 23, False: 16.0k] ------------------ 109| 23| flow->l4.tcp.pop_command_bitmask |= POP_BIT_DELE; ------------------ | | 43| 23|#define POP_BIT_DELE 0x0200 ------------------ 110| 23| return 1; 111| 16.0k| } else if(ndpi_memcasecmp(packet->payload, "STLS", 4) == 0) { ------------------ | Branch (111:15): [True: 0, False: 16.0k] ------------------ 112| 0| flow->l4.tcp.pop_command_bitmask |= POP_BIT_STLS; ------------------ | | 44| 0|#define POP_BIT_STLS 0x0400 ------------------ 113| 0| flow->l4.tcp.mail_imap_starttls = 1; 114| 0| return 1; 115| 0| } 116| 16.9k| } 117| 17.0k| return 0; 118| 17.8k|} init_mail_smtp_dissector: 429| 7.08k|void init_mail_smtp_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 430| 7.08k| ndpi_register_dissector("MAIL_SMTP", ndpi_struct, 
431| 7.08k| ndpi_search_mail_smtp_tcp, 432| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 433| 7.08k| 1, NDPI_PROTOCOL_MAIL_SMTP); 434| 7.08k|} mail_smtp.c:ndpi_search_mail_smtp_tcp: 122| 16.4k| struct ndpi_flow_struct *flow) { 123| 16.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 124| | 125| 16.4k| 
NDPI_LOG_DBG(ndpi_struct, "search mail_smtp\n"); ------------------ | | 596| 16.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 126| | 127| 16.4k| if((packet->payload_packet_len > 2) ------------------ | Branch (127:6): [True: 16.3k, False: 9] ------------------ 128| 16.3k| && (packet->parsed_lines < NDPI_MAX_PARSE_LINES_PER_PACKET) ------------------ | | 86| 16.3k|#define NDPI_MAX_PARSE_LINES_PER_PACKET 64 ------------------ | Branch (128:9): [True: 16.3k, False: 1] ------------------ 129| 16.3k| && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) ------------------ | Branch (129:9): [True: 5.72k, False: 10.6k] ------------------ 130| 16.4k| ) { 131| 5.72k| u_int16_t a; 132| 5.72k| u_int8_t bit_count = 0; 133| | 134| 5.72k| NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); ------------------ | | 521| 5.72k| if (packet->packet_lines_parsed_complete != 1) { \ | | ------------------ | | | Branch (521:29): [True: 2.50k, False: 3.21k] | | ------------------ | | 522| 2.50k| ndpi_parse_packet_line_info(ndpi_struct,flow); \ | | 523| 2.50k| } ------------------ 135| | 136| 17.7k| for(a = 0; a < packet->parsed_lines; a++) { ------------------ | Branch (136:16): [True: 12.0k, False: 5.72k] ------------------ 137| | // expected server responses 138| 12.0k| if(packet->line[a].len >= 3) { ------------------ | Branch (138:10): [True: 5.94k, False: 6.12k] ------------------ 139| 5.94k| if(memcmp(packet->line[a].ptr, "220", 3) == 0) { ------------------ | Branch (139:5): [True: 0, False: 5.94k] ------------------ 140| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_220; ------------------ | | 34| 0|#define SMTP_BIT_220 0x01 ------------------ 141| | 142| 0| if(flow->host_server_name[0] == '\0') { ------------------ | Branch (142:7): [True: 0, False: 0] ------------------ 143| 0| if(packet->line[a].len > 4) { ------------------ | Branch (143:9): [True: 0, False: 0] ------------------ 144| 0| int i; 
145| 0| unsigned int len; 146| | 147| 0| if(packet->line[a].ptr[4] != '(') { ------------------ | Branch (147:11): [True: 0, False: 0] ------------------ 148| 0| for(i=5; (i<packet->line[a].len-1) && (packet->line[a].ptr[i] != ' '); i++) ------------------ | Branch (148:12): [True: 0, False: 0] | Branch (148:41): [True: 0, False: 0] ------------------ 149| 0| ; 150| | 151| 0| if((packet->line[a].ptr[i+1] != '\r') ------------------ | Branch (151:6): [True: 0, False: 0] ------------------ 152| 0| && (packet->line[a].ptr[i+1] != '\n')) { ------------------ | Branch (152:9): [True: 0, False: 0] ------------------ 153| 0| len = i-4; 154| | /* Copy result for nDPI apps */ 155| 0| ndpi_hostname_sni_set(flow, &packet->line[a].ptr[4], len, NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 0|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 0|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 0|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 0|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 156| 0| NDPI_LOG_DBG(ndpi_struct, "SMTP: hostname [%s]\n", flow->host_server_name); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 157| | 158| 0| ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_SMTP, 159| 0| flow->host_server_name, 160| 0| strlen(flow->host_server_name)); 161| 0| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (161:8): [True: 0, False: 0] ------------------ 162| | /* We set the protocols; we need to initialize extra dissection 163| | to search for credentials */ 164| 0| NDPI_LOG_DBG(ndpi_struct, "SMTP: hostname matched\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 165| 0| smtpInitExtraPacketProcessing(flow); 166| 0| } 167| 0| } 168| 0| } 169| 0| } 170| 0| } 171| 5.94k| } else if(memcmp(packet->line[a].ptr, "250", 3) == 0) { ------------------ | Branch (171:12): [True: 3, False: 5.94k] ------------------ 172| 3| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_250; ------------------ | | 35| 3|#define SMTP_BIT_250 0x02 ------------------ 173| 5.94k| } else if(memcmp(packet->line[a].ptr, "235", 3) == 0) { ------------------ | Branch (173:12): [True: 2, False: 5.94k] ------------------ 174| 2| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_235; ------------------ | | 36| 2|#define SMTP_BIT_235 0x04 ------------------ 175| 5.94k| } else if(memcmp(packet->line[a].ptr, "334", 3) == 0) { ------------------ | Branch (175:12): [True: 1, False: 5.94k] ------------------ 176| 1| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_334; ------------------ | | 37| 1|#define SMTP_BIT_334 0x08 ------------------ 177| 5.94k| } else if(memcmp(packet->line[a].ptr, "354", 3) == 0) { ------------------ | Branch (177:12): [True: 3, False: 5.93k] ------------------ 178| 3| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_354; ------------------ | | 38| 3|#define SMTP_BIT_354 0x10 ------------------ 179| 3| } 180| 5.94k| } 181| | 182| | // expected client requests 183| 12.0k| if(packet->line[a].len >= 5) { 
------------------ | Branch (183:10): [True: 5.93k, False: 6.13k] ------------------ 184| 5.93k| if(ndpi_memcasecmp(packet->line[a].ptr, "HELO ", 5) == 0 || ------------------ | Branch (184:5): [True: 0, False: 5.93k] ------------------ 185| 5.93k| ndpi_memcasecmp(packet->line[a].ptr, "EHLO ", 5) == 0) { ------------------ | Branch (185:5): [True: 0, False: 5.93k] ------------------ 186| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_HELO_EHLO; ------------------ | | 39| 0|#define SMTP_BIT_HELO_EHLO 0x20 ------------------ 187| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 0; 188| 5.93k| } else if(ndpi_memcasecmp(packet->line[a].ptr, "MAIL ", 5) == 0) { ------------------ | Branch (188:12): [True: 0, False: 5.93k] ------------------ 189| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_MAIL; ------------------ | | 40| 0|#define SMTP_BIT_MAIL 0x40 ------------------ 190| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 0; 191| | /* We shouldn't be here if there are credentials */ 192| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; 193| 5.93k| } else if(ndpi_memcasecmp(packet->line[a].ptr, "RCPT ", 5) == 0) { ------------------ | Branch (193:12): [True: 0, False: 5.93k] ------------------ 194| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_RCPT; ------------------ | | 41| 0|#define SMTP_BIT_RCPT 0x80 ------------------ 195| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 0; 196| | /* We shouldn't be here if there are credentials */ 197| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; 198| 5.93k| } else if(ndpi_memcasecmp(packet->line[a].ptr, "AUTH ", 5) == 0) { ------------------ | Branch (198:12): [True: 0, False: 5.93k] ------------------ 199| |#ifdef SMTP_DEBUG 200| | printf("%s() AUTH [%.*s]\n", __FUNCTION__, packet->line[a].len, packet->line[a].ptr); 201| |#endif 202| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_found = 1; 203| 0| if(packet->line[a].len >= 6) { ------------------ | Branch (203:7): [True: 0, False: 0] ------------------ 204| 0| 
if(packet->line[a].ptr[5] == 'L' || packet->line[a].ptr[5] == 'l') { ------------------ | Branch (204:16): [True: 0, False: 0] | Branch (204:49): [True: 0, False: 0] ------------------ 205| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_LOGIN; ------------------ | | 42| 0|#define SMTP_BIT_AUTH_LOGIN 0x100 ------------------ 206| | /* AUTH LOGIN: Username and pwd on the next messages */ 207| 0| } else if(packet->line[a].ptr[5] == 'P' || packet->line[a].ptr[5] == 'p') { ------------------ | Branch (207:16): [True: 0, False: 0] | Branch (207:49): [True: 0, False: 0] ------------------ 208| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_AUTH_PLAIN; ------------------ | | 48| 0|#define SMTP_BIT_AUTH_PLAIN 0x4000 ------------------ 209| | /* AUTH PLAIN: username and pwd here */ 210| 0| get_credentials_auth_plain(ndpi_struct, flow, 211| 0| packet->line[a].ptr, packet->line[a].len); 212| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; 213| 0| } 214| 0| } 215| 5.93k| } else { 216| 5.93k| if(packet->line[a].ptr[3] != ' ') { ------------------ | Branch (216:7): [True: 3.58k, False: 2.35k] ------------------ 217| |#ifdef SMTP_DEBUG 218| | printf("%s() => [%.*s]\n", __FUNCTION__, packet->line[a].len, packet->line[a].ptr); 219| |#endif 220| | 221| 3.58k| if(flow->l4.tcp.ftp_imap_pop_smtp.auth_found && ------------------ | Branch (221:9): [True: 0, False: 3.58k] ------------------ 222| 0| (flow->l4.tcp.smtp_command_bitmask & SMTP_BIT_AUTH_LOGIN)) { ------------------ | | 42| 0|#define SMTP_BIT_AUTH_LOGIN 0x100 ------------------ | Branch (222:9): [True: 0, False: 0] ------------------ 223| 0| if(flow->l4.tcp.ftp_imap_pop_smtp.username[0] == '\0') { ------------------ | Branch (223:11): [True: 0, False: 0] ------------------ 224| | /* Username */ 225| 0| u_int8_t buf[48]; 226| 0| u_char *out; 227| 0| size_t out_len; 228| 0| char msg[64]; 229| | 230| 0| ndpi_user_pwd_payload_copy(buf, sizeof(buf), 0, 231| 0| packet->line[a].ptr, packet->line[a].len); 232| | 233| |#ifdef 
SMTP_DEBUG 234| | printf("%s() => [auth: %u] (username) [%s]\n", __FUNCTION__, flow->l4.tcp.ftp_imap_pop_smtp.auth_found, buf); 235| |#endif 236| | 237| 0| out = ndpi_base64_decode((const u_char*)buf, (size_t)strlen((const char*)buf), &out_len); 238| | 239| 0| if(out) { ------------------ | Branch (239:6): [True: 0, False: 0] ------------------ 240| 0| size_t len = ndpi_min(out_len, sizeof(flow->l4.tcp.ftp_imap_pop_smtp.username) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 241| | 242| 0| memcpy(flow->l4.tcp.ftp_imap_pop_smtp.username, out, len); 243| 0| flow->l4.tcp.ftp_imap_pop_smtp.username[len] = '\0'; 244| | 245| 0| ndpi_free(out); 246| 0| } 247| | 248| 0| snprintf(msg, sizeof(msg), "Found SMTP username (%s)", 249| 0| flow->l4.tcp.ftp_imap_pop_smtp.username); 250| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, msg); 251| 0| } else if(flow->l4.tcp.ftp_imap_pop_smtp.password[0] == '\0') { ------------------ | Branch (251:18): [True: 0, False: 0] ------------------ 252| | /* Password */ 253| 0| u_int8_t buf[48]; 254| 0| u_char *out; 255| 0| size_t out_len; 256| | 257| 0| ndpi_user_pwd_payload_copy(buf, sizeof(buf), 0, 258| 0| packet->line[a].ptr, packet->line[a].len); 259| | 260| |#ifdef SMTP_DEBUG 261| | printf("%s() => [auth: %u] (password) [%s]\n", __FUNCTION__, flow->l4.tcp.ftp_imap_pop_smtp.auth_found, buf); 262| |#endif 263| | 264| 0| out = ndpi_base64_decode((const u_char*)buf, (size_t)strlen((const char*)buf), &out_len); 265| | 266| 0| if(out) { ------------------ | Branch (266:6): [True: 0, False: 0] ------------------ 267| 0| size_t len = ndpi_min(out_len, sizeof(flow->l4.tcp.ftp_imap_pop_smtp.password) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 268| | 269| 0| memcpy(flow->l4.tcp.ftp_imap_pop_smtp.password, out, len); 270| 0| flow->l4.tcp.ftp_imap_pop_smtp.password[len] = '\0'; 271| | 272| 0| ndpi_free(out); 273| 0| } 274| | 275| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); 276| | 277| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 1; 278| 0| } else { 279| 0| flow->host_server_name[0] = '\0'; 280| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 281| 0| return; 282| 0| } 283| 0| } 284| 3.58k| } 285| 5.93k| } 286| 5.93k| } 287| | 288| 12.0k| if(packet->line[a].len >= 8) { ------------------ | Branch (288:6): [True: 5.69k, False: 6.37k] ------------------ 289| 5.69k| if(ndpi_memcasecmp(packet->line[a].ptr, "STARTTLS", 8) == 0) { ------------------ | Branch (289:8): [True: 0, False: 5.69k] ------------------ 290| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS; ------------------ | | 43| 0|#define SMTP_BIT_STARTTLS 0x200 ------------------ 291| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_tls = 1; 292| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 0; 293| 0| } 294| 5.69k| } 295| | 296| 12.0k| if(packet->line[a].len >= 14) { ------------------ | Branch (296:10): [True: 5.64k, False: 6.42k] ------------------ 297| 5.64k| if(ndpi_memcasecmp(packet->line[a].ptr, "X-AnonymousTLS", 14) == 0) { ------------------ | Branch (297:12): [True: 0, False: 5.64k] ------------------ 298| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_STARTTLS; ------------------ | | 43| 0|#define SMTP_BIT_STARTTLS 0x200 ------------------ 299| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_tls = 1; 300| 0| flow->l4.tcp.ftp_imap_pop_smtp.auth_done = 0; 301| 0| } 302| 5.64k| } 303| | 304| 12.0k| if(packet->line[a].len >= 4) { 
------------------ | Branch (304:10): [True: 5.94k, False: 6.12k] ------------------ 305| 5.94k| if(ndpi_memcasecmp(packet->line[a].ptr, "DATA", 4) == 0) { ------------------ | Branch (305:5): [True: 0, False: 5.94k] ------------------ 306| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_DATA; ------------------ | | 44| 0|#define SMTP_BIT_DATA 0x400 ------------------ 307| 5.94k| } else if(ndpi_memcasecmp(packet->line[a].ptr, "NOOP", 4) == 0) { ------------------ | Branch (307:12): [True: 0, False: 5.94k] ------------------ 308| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_NOOP; ------------------ | | 45| 0|#define SMTP_BIT_NOOP 0x800 ------------------ 309| 5.94k| } else if(ndpi_memcasecmp(packet->line[a].ptr, "RSET", 4) == 0) { ------------------ | Branch (309:12): [True: 0, False: 5.94k] ------------------ 310| 0| flow->l4.tcp.smtp_command_bitmask |= SMTP_BIT_RSET; ------------------ | | 46| 0|#define SMTP_BIT_RSET 0x1000 ------------------ 311| 0| } 312| 5.94k| } 313| 12.0k| } 314| | 315| | // now count the bits set in the bitmask 316| 5.72k| if(flow->l4.tcp.smtp_command_bitmask != 0) { ------------------ | Branch (316:8): [True: 11, False: 5.71k] ------------------ 317| 187| for(a = 0; a < 16; a++) { ------------------ | Branch (317:18): [True: 176, False: 11] ------------------ 318| 176| bit_count += (flow->l4.tcp.smtp_command_bitmask >> a) & 0x01; 319| 176| } 320| 11| } 321| 5.72k| NDPI_LOG_DBG2(ndpi_struct, "seen smtp commands and responses: %u\n", ------------------ | | 597| 5.72k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 322| 5.72k| bit_count); 323| | 324| 5.72k| if(bit_count >= 3) { ------------------ | Branch (324:8): [True: 0, False: 5.72k] ------------------ 325| 0| NDPI_LOG_INFO(ndpi_struct, "mail smtp identified\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 326| | 327| |#ifdef SMTP_DEBUG 328| | printf("%s() [bit_count: %u][%s]\n", __FUNCTION__, 329| | bit_count, flow->l4.tcp.ftp_imap_pop_smtp.password); 330| |#endif 331| | 332| | /* Only if we don't have already set the protocol via hostname matching */ 333| 0| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (333:10): [True: 0, False: 0] ------------------ 334| 0| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (334:10): [True: 0, False: 0] ------------------ 335| 0| ndpi_int_mail_smtp_add_connection(ndpi_struct, flow); 336| 0| smtpInitExtraPacketProcessing(flow); 337| 0| } 338| 0| return; 339| 0| } 340| | 341| 5.72k| if(bit_count >= 1 && flow->packet_counter < 12) { ------------------ | Branch (341:8): [True: 11, False: 5.71k] | Branch (341:26): [True: 11, False: 0] ------------------ 342| 11| return; 343| 11| } 344| 5.72k| } 345| | 346| | /* when the first or second packets are split into two packets, those packets are ignored. */ 347| 16.3k| if(flow->packet_counter <= 4 && ------------------ | Branch (347:6): [True: 15.9k, False: 428] ------------------ 348| 15.9k| packet->payload_packet_len >= 4 && ------------------ | Branch (348:6): [True: 15.9k, False: 25] ------------------ 349| 15.9k| (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a ------------------ | Branch (349:7): [True: 5.28k, False: 10.6k] ------------------ 350| 10.6k| || memcmp(packet->payload, "220", 3) == 0 || memcmp(packet->payload, "EHLO", 4) == 0)) { ------------------ | Branch (350:10): [True: 0, False: 10.6k] | Branch (350:52): [True: 1, False: 10.6k] ------------------ 351| 5.29k| NDPI_LOG_DBG2(ndpi_struct, "maybe SMTP, need next packet\n"); ------------------ | | 597| 5.29k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 352| 5.29k| return; 353| 5.29k| } 354| | 355| 11.1k| if((!flow->extra_packets_func) || (flow->packet_counter > 12)) ------------------ | Branch (355:6): [True: 11.1k, False: 0] | Branch (355:37): [True: 0, False: 0] ------------------ 356| 11.1k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.1k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 357| 11.1k|} init_matter_dissector: 82| 7.08k|void init_matter_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 83| 7.08k| ndpi_register_dissector("Matter", ndpi_struct, 84| 7.08k| ndpi_search_matter, 85| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD, /* MATTER is only over IPv6 */ ------------------ | | 632| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 622| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 610| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 (1<<6) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 86| 7.08k| 1, NDPI_PROTOCOL_MATTER); 87| 7.08k|} matter.c:ndpi_search_matter: 28| 277| struct 
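/*
 * Heuristic detector for Matter over UDP.
 *
 * A flow is marked NDPI_PROTOCOL_MATTER when a datagram uses port 5540 or
 * 5542, is at least 16 bytes long, and its message/security flag bytes and
 * session id are mutually consistent. Every other datagram excludes this
 * dissector for the flow.
 *
 * NOTE(review): the first line of this signature is not shown in the
 * coverage listing; it is restored from the function label and from the
 * parameter names used in the body - confirm against matter.c.
 *
 * Coverage recorded on this page: 277 calls, all of which left at the port
 * filter; every line of the header-parsing path below has an execution
 * count of 0, so that path was not exercised by this run.
 */
static void ndpi_search_matter(struct ndpi_detection_module_struct *ndpi_struct,
                               struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search Matter\n");

  if(packet->udp) {
    u_int16_t sport = ntohs(packet->udp->source);
    u_int16_t dport = ntohs(packet->udp->dest);

    /* Matter typically uses UDP ports 5540 (operational), 5542 (commissioning) */
    if(!(sport == 5540 || dport == 5540 || sport == 5542 || dport == 5542)) {
      NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
      return;
    }

    /* Matter messages usually have at least a 16-byte header (secure session framing).
     * This length check is also what keeps the payload[0..3] reads below in bounds. */
    if(packet->payload_packet_len >= 16) {
      uint8_t message_flags  = packet->payload[0];
      uint8_t version        = (message_flags >> 4) & 0x0F;
      uint8_t dsiz           = message_flags & 0x03;
      uint8_t security_flags = packet->payload[3];
      uint8_t session_type   = security_flags & 0x03;

      /* https://csa-iot.org/wp-content/uploads/2024/11/24-27349-006_Matter-1.4-Core-Specification.pdf 4.4.1 */
      /* TODO: quite weak...*/
      if(version <= 1 &&
         (message_flags & 0x08) == 0 /* Reserved bit */ &&
         dsiz <= 2 &&
         (security_flags & 0x1C) == 0 /* Reserved bits */ &&
         session_type <= 2) {

        /*
         * The session id sits at payload offset 1, which is odd. Reading it
         * through a cast to uint16_t* is a misaligned access and an aliasing
         * violation, so the two bytes are combined explicitly instead. The
         * value is the same one ntohs() of the raw 16-bit load produced, and
         * it is only ever compared against zero.
         */
        uint16_t session_id = (uint16_t)(((unsigned int)packet->payload[1] << 8) |
                                         (unsigned int)packet->payload[2]);

        /* Session type 0 must carry session id 0; the other types must not. */
        if((session_type == 0 && session_id != 0) ||
           (session_type > 0 && session_id == 0)) {
          NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
          return;
        }

        NDPI_LOG_INFO(ndpi_struct, "Found Matter\n");
        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MATTER,
                                   NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
        return;
      }
    }
  }

  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
}
init_megaco_dissector: 55| 7.08k|{ 56| 7.08k| ndpi_register_dissector("Megaco", ndpi_struct, 57| 7.08k| ndpi_search_megaco, 58| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 59| 7.08k| 1, NDPI_PROTOCOL_MEGACO); 60| 7.08k|} megaco.c:ndpi_search_megaco: 31| 4.36k|{ 32| 4.36k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 33| | 34| 4.36k| NDPI_LOG_DBG(ndpi_struct, "search for MEGACO\n");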
------------------ | | 596| 4.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 35| | 36| 4.36k| if(packet->udp != NULL) { ------------------ | Branch (36:6): [True: 4.36k, False: 0] ------------------ 37| 4.36k| if((packet->payload_packet_len > 4 && packet->payload[0] == '!' && packet->payload[1] == '/' && ------------------ | Branch (37:9): [True: 4.23k, False: 124] | Branch (37:43): [True: 11, False: 4.22k] | Branch (37:72): [True: 0, False: 11] ------------------ 38| 0| packet->payload[2] == '1' && packet->payload[3] == ' ' && ------------------ | Branch (38:9): [True: 0, False: 0] | Branch (38:38): [True: 0, False: 0] ------------------ 39| 0| (packet->payload[4] == '[' || packet->payload[4] == '<')) ------------------ | Branch (39:10): [True: 0, False: 0] | Branch (39:39): [True: 0, False: 0] ------------------ 40| 4.36k| || (packet->payload_packet_len > 9 && packet->payload[0] == 'M' && packet->payload[1] == 'E' && ------------------ | Branch (40:12): [True: 4.21k, False: 143] | Branch (40:46): [True: 103, False: 4.11k] | Branch (40:75): [True: 2, False: 101] ------------------ 41| 2| packet->payload[2] == 'G' && packet->payload[3] == 'A' && packet->payload[4] == 'C' && ------------------ | Branch (41:9): [True: 0, False: 2] | Branch (41:38): [True: 0, False: 0] | Branch (41:67): [True: 0, False: 0] ------------------ 42| 0| packet->payload[5] == 'O' && packet->payload[6] == '/' && ------------------ | Branch (42:9): [True: 0, False: 0] | Branch (42:38): [True: 0, False: 0] ------------------ 43| 0| packet->payload[7] == '1' && packet->payload[8] == ' ' && packet->payload[9] == '[')) { ------------------ | Branch (43:9): [True: 0, False: 0] | Branch (43:38): [True: 0, False: 0] | Branch (43:67): [True: 0, False: 0] ------------------ 44| 0| NDPI_LOG_INFO(ndpi_struct, "found MEGACO\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEGACO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 46| 0| return; 47| 0| } 48| 4.36k| } 49| | 50| 4.36k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.36k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 51| 4.36k|} init_melsec_dissector: 58| 7.08k|{ 59| 7.08k| ndpi_register_dissector("MELSEC", ndpi_struct, 60| 7.08k| ndpi_search_melsec, 61| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 647| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 618| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 62| 7.08k| 1, NDPI_PROTOCOL_MELSEC); 63| 7.08k|} melsec.c:ndpi_search_melsec: 35| 22.0k|{ 36| 22.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 37| | 38| 22.0k| NDPI_LOG_DBG(ndpi_struct, "search MELSEC\n"); ------------------ | | 596| 22.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 22.0k| if (packet->payload_packet_len > 40 && ------------------ | Branch (40:7): [True: 8.20k, False: 13.8k] ------------------ 41| 8.20k| (packet->payload[0] == 0x57 || packet->payload[0] == 0xD7)) ------------------ | Branch (41:8): [True: 18, False: 8.19k] | Branch (41:38): [True: 5, False: 8.18k] ------------------ 42| 23| { 43| 23| u_int16_t melsec_payload_len = packet->payload_packet_len - 21; 44| 23| if (le16toh(get_u_int16_t(packet->payload, 19)) == melsec_payload_len && ------------------ | Branch (44:9): [True: 1, False: 22] ------------------ 45| 23| ntohl(get_u_int32_t(packet->payload, 3)) == 0x00001111) ------------------ | Branch (45:9): [True: 0, False: 1] ------------------ 46| 0| { 47| 0| NDPI_LOG_INFO(ndpi_struct, "found MELSEC\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MELSEC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 49| 0| } 50| 23| } 51| | 52| 22.0k| if (flow->packet_counter > 2) { ------------------ | Branch (52:7): [True: 2.95k, False: 19.0k] ------------------ 53| 2.95k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.95k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 54| 2.95k| } 55| 22.0k|} init_memcached_dissector: 177| 7.08k|{ 178| 7.08k| ndpi_register_dissector("MEMCACHED", ndpi_struct, 179| 7.08k| ndpi_search_memcached, 180| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 181| 7.08k| 1, NDPI_PROTOCOL_MEMCACHED); 182| 7.08k|} memcached.c:ndpi_search_memcached: 105| 26.5k|{ 106| 26.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 107| 26.5k| const u_int8_t *offset = packet->payload; 108| 26.5k| u_int16_t length = packet->payload_packet_len; 109| 26.5k| u_int8_t *matches = NULL; 110| | 111| 26.5k| NDPI_LOG_DBG(ndpi_struct, "search memcached\n"); ------------------ | | 596| 26.5k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 112| | 113| 26.5k| if (packet->tcp != NULL) { ------------------ | Branch (113:7): [True: 23.1k, False: 3.39k] ------------------ 114| 23.1k| if (packet->payload_packet_len < MEMCACHED_MIN_LEN) { ------------------ | | 88| 23.1k|#define MEMCACHED_MIN_LEN MCDR_END_LEN | | ------------------ | | | | 79| 23.1k|#define MCDR_END_LEN (sizeof(MCDR_END) - 1) | | | | ------------------ | | | | | | 78| 23.1k|#define MCDR_END "END\r\n" | | | | ------------------ | | ------------------ ------------------ | Branch (114:9): [True: 807, False: 22.3k] ------------------ 115| 807| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 807|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 116| 807| return; 117| 807| } 118| | 119| 22.3k| matches = &flow->l4.tcp.memcached_matches; 120| 22.3k| } 121| 3.39k| else { 122| 3.39k| if (packet->payload_packet_len < MEMCACHED_MIN_UDP_LEN) { ------------------ | | 89| 3.39k|#define MEMCACHED_MIN_UDP_LEN (MEMCACHED_MIN_LEN + MEMCACHED_UDP_HDR_LEN) | | ------------------ | | | | 88| 3.39k|#define MEMCACHED_MIN_LEN MCDR_END_LEN | | | | ------------------ | | | | | | 79| 3.39k|#define MCDR_END_LEN (sizeof(MCDR_END) - 1) | | | | | | ------------------ | | | | | | | | 78| 3.39k|#define MCDR_END "END\r\n" | | | | | | ------------------ | | | | ------------------ | | ------------------ | | #define MEMCACHED_MIN_UDP_LEN (MEMCACHED_MIN_LEN + MEMCACHED_UDP_HDR_LEN) | | ------------------ | | | | 87| 3.39k|#define MEMCACHED_UDP_HDR_LEN 8 | | ------------------ ------------------ | Branch (122:9): [True: 178, False: 3.21k] ------------------ 123| 178| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 178|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 124| 178| return; 125| 
178| } 126| | 127| 3.21k| if ((offset[4] == 0x00 && offset[5] == 0x00) || ------------------ | Branch (127:10): [True: 789, False: 2.42k] | Branch (127:31): [True: 444, False: 345] ------------------ 128| 2.93k| offset[6] != 0x00 || offset[7] != 0x00) { ------------------ | Branch (128:2): [True: 2.40k, False: 371] | Branch (128:23): [True: 86, False: 285] ------------------ 129| 2.93k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.93k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 130| 2.93k| return; 131| 2.93k| } 132| | 133| 285| offset += MEMCACHED_UDP_HDR_LEN; ------------------ | | 87| 285|#define MEMCACHED_UDP_HDR_LEN 8 ------------------ 134| 285| length -= MEMCACHED_UDP_HDR_LEN; ------------------ | | 87| 285|#define MEMCACHED_UDP_HDR_LEN 8 ------------------ 135| 285| matches = &flow->l4.udp.memcached_matches; 136| 285| } 137| | 138| | /* grep MCD memcached.c |\ 139| | * egrep -v '(LEN|MATCH)' |\ 140| | * sed -e 's/^#define //g' |\ 141| | * awk '{ printf "else if (! MEMCACHED_MATCH(%s)) *matches += 1;\n",$1 }' */ 142| | 143| 22.5k| if (! 
MEMCACHED_MATCH(MCDC_SET)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 34| 22.5k|#define MCDC_SET_LEN (sizeof(MCDC_SET) - 1) | | | | ------------------ | | | | | | 33| 22.5k|#define MCDC_SET "set " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 34| 22.5k|#define MCDC_SET_LEN (sizeof(MCDC_SET) - 1) | | | | ------------------ | | | | | | 33| 22.5k|#define MCDC_SET "set " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 13] | | ------------------ ------------------ 144| 22.5k| else if (! MEMCACHED_MATCH(MCDC_ADD)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 36| 22.5k|#define MCDC_ADD_LEN (sizeof(MCDC_ADD) - 1) | | | | ------------------ | | | | | | 35| 22.5k|#define MCDC_ADD "add " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 36| 22.5k|#define MCDC_ADD_LEN (sizeof(MCDC_ADD) - 1) | | | | ------------------ | | | | | | 35| 22.5k|#define MCDC_ADD "add " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 5] | | ------------------ ------------------ 145| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_REPLACE)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 38| 22.5k|#define MCDC_REPLACE_LEN (sizeof(MCDC_REPLACE) - 1) | | | | ------------------ | | | | | | 37| 22.5k|#define MCDC_REPLACE "replace " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 38| 22.4k|#define MCDC_REPLACE_LEN (sizeof(MCDC_REPLACE) - 1) | | | | ------------------ | | | | | | 37| 22.4k|#define MCDC_REPLACE "replace " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 121, False: 22.4k] | | | Branch (93:57): [True: 22.4k, False: 3] | | ------------------ ------------------ 146| 22.5k| else if (! MEMCACHED_MATCH(MCDC_APPEND)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 40| 22.5k|#define MCDC_APPEND_LEN (sizeof(MCDC_APPEND) - 1) | | | | ------------------ | | | | | | 39| 22.5k|#define MCDC_APPEND "append " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 40| 22.5k|#define MCDC_APPEND_LEN (sizeof(MCDC_APPEND) - 1) | | | | ------------------ | | | | | | 39| 22.5k|#define MCDC_APPEND "append " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 65, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 1] | | ------------------ ------------------ 147| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_PREPEND)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 42| 22.5k|#define MCDC_PREPEND_LEN (sizeof(MCDC_PREPEND) - 1) | | | | ------------------ | | | | | | 41| 22.5k|#define MCDC_PREPEND "prepend " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 42| 22.4k|#define MCDC_PREPEND_LEN (sizeof(MCDC_PREPEND) - 1) | | | | ------------------ | | | | | | 41| 22.4k|#define MCDC_PREPEND "prepend " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 121, False: 22.4k] | | | Branch (93:57): [True: 22.4k, False: 2] | | ------------------ ------------------ 148| 22.5k| else if (! MEMCACHED_MATCH(MCDC_CAS)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 44| 22.5k|#define MCDC_CAS_LEN (sizeof(MCDC_CAS) - 1) | | | | ------------------ | | | | | | 43| 22.5k|#define MCDC_CAS "cas " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 44| 22.5k|#define MCDC_CAS_LEN (sizeof(MCDC_CAS) - 1) | | | | ------------------ | | | | | | 43| 22.5k|#define MCDC_CAS "cas " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 3] | | ------------------ ------------------ 149| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_GET)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 46| 22.5k|#define MCDC_GET_LEN (sizeof(MCDC_GET) - 1) | | | | ------------------ | | | | | | 45| 22.5k|#define MCDC_GET "get " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 46| 22.5k|#define MCDC_GET_LEN (sizeof(MCDC_GET) - 1) | | | | ------------------ | | | | | | 45| 22.5k|#define MCDC_GET "get " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 1] | | ------------------ ------------------ 150| 22.5k| else if (! MEMCACHED_MATCH(MCDC_GETS)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 48| 22.5k|#define MCDC_GETS_LEN (sizeof(MCDC_GETS) - 1) | | | | ------------------ | | | | | | 47| 22.5k|#define MCDC_GETS "gets " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 48| 22.5k|#define MCDC_GETS_LEN (sizeof(MCDC_GETS) - 1) | | | | ------------------ | | | | | | 47| 22.5k|#define MCDC_GETS "gets " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 1] | | ------------------ ------------------ 151| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_DELETE)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 50| 22.5k|#define MCDC_DELETE_LEN (sizeof(MCDC_DELETE) - 1) | | | | ------------------ | | | | | | 49| 22.5k|#define MCDC_DELETE "delete " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 50| 22.4k|#define MCDC_DELETE_LEN (sizeof(MCDC_DELETE) - 1) | | | | ------------------ | | | | | | 49| 22.4k|#define MCDC_DELETE "delete " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 64, False: 22.4k] | | | Branch (93:57): [True: 22.4k, False: 10] | | ------------------ ------------------ 152| 22.5k| else if (! MEMCACHED_MATCH(MCDC_INCR)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 52| 22.5k|#define MCDC_INCR_LEN (sizeof(MCDC_INCR) - 1) | | | | ------------------ | | | | | | 51| 22.5k|#define MCDC_INCR "incr " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 52| 22.5k|#define MCDC_INCR_LEN (sizeof(MCDC_INCR) - 1) | | | | ------------------ | | | | | | 51| 22.5k|#define MCDC_INCR "incr " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 9] | | ------------------ ------------------ 153| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_DECR)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 54| 22.5k|#define MCDC_DECR_LEN (sizeof(MCDC_DECR) - 1) | | | | ------------------ | | | | | | 53| 22.5k|#define MCDC_DECR "decr " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 54| 22.5k|#define MCDC_DECR_LEN (sizeof(MCDC_DECR) - 1) | | | | ------------------ | | | | | | 53| 22.5k|#define MCDC_DECR "decr " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 14] | | ------------------ ------------------ 154| 22.5k| else if (! MEMCACHED_MATCH(MCDC_TOUCH)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 56| 22.5k|#define MCDC_TOUCH_LEN (sizeof(MCDC_TOUCH) - 1) | | | | ------------------ | | | | | | 55| 22.5k|#define MCDC_TOUCH "touch " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 56| 22.5k|#define MCDC_TOUCH_LEN (sizeof(MCDC_TOUCH) - 1) | | | | ------------------ | | | | | | 55| 22.5k|#define MCDC_TOUCH "touch " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 26, False: 22.5k] | | | Branch (93:57): [True: 22.4k, False: 21] | | ------------------ ------------------ 155| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_GAT)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 58| 22.5k|#define MCDC_GAT_LEN (sizeof(MCDC_GAT) - 1) | | | | ------------------ | | | | | | 57| 22.5k|#define MCDC_GAT "gat " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 58| 22.5k|#define MCDC_GAT_LEN (sizeof(MCDC_GAT) - 1) | | | | ------------------ | | | | | | 57| 22.5k|#define MCDC_GAT "gat " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 2] | | ------------------ ------------------ 156| 22.5k| else if (! MEMCACHED_MATCH(MCDC_GATS)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 60| 22.5k|#define MCDC_GATS_LEN (sizeof(MCDC_GATS) - 1) | | | | ------------------ | | | | | | 59| 22.5k|#define MCDC_GATS "gats " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 60| 22.5k|#define MCDC_GATS_LEN (sizeof(MCDC_GATS) - 1) | | | | ------------------ | | | | | | 59| 22.5k|#define MCDC_GATS "gats " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.5k, False: 1] | | ------------------ ------------------ 157| 22.5k| else if (! 
MEMCACHED_MATCH(MCDC_STATS)) *matches += 1; ------------------ | | 93| 22.5k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 62| 22.5k|#define MCDC_STATS_LEN (sizeof(MCDC_STATS) - 1) | | | | ------------------ | | | | | | 61| 22.5k|#define MCDC_STATS "stats" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 62| 22.5k|#define MCDC_STATS_LEN (sizeof(MCDC_STATS) - 1) | | | | ------------------ | | | | | | 61| 22.5k|#define MCDC_STATS "stats" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.5k] | | | Branch (93:57): [True: 22.2k, False: 286] | | ------------------ ------------------ 158| 22.2k| else if (! MEMCACHED_MATCH(MCDR_ERROR)) *matches += 1; ------------------ | | 93| 22.2k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 65| 22.2k|#define MCDR_ERROR_LEN (sizeof(MCDR_ERROR) - 1) | | | | ------------------ | | | | | | 64| 22.2k|#define MCDR_ERROR "ERROR\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 65| 22.1k|#define MCDR_ERROR_LEN (sizeof(MCDR_ERROR) - 1) | | | | ------------------ | | | | | | 64| 22.1k|#define MCDR_ERROR "ERROR\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 48, False: 22.1k] | | | Branch (93:57): [True: 22.1k, False: 3] | | ------------------ ------------------ 159| 22.2k| else if (! 
MEMCACHED_MATCH(MCDR_CLIENT_ERROR)) *matches += 1; ------------------ | | 93| 22.2k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 67| 22.2k|#define MCDR_CLIENT_ERROR_LEN (sizeof(MCDR_CLIENT_ERROR) - 1) | | | | ------------------ | | | | | | 66| 22.2k|#define MCDR_CLIENT_ERROR "CLIENT_ERROR " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 67| 21.6k|#define MCDR_CLIENT_ERROR_LEN (sizeof(MCDR_CLIENT_ERROR) - 1) | | | | ------------------ | | | | | | 66| 21.6k|#define MCDR_CLIENT_ERROR "CLIENT_ERROR " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 559, False: 21.6k] | | | Branch (93:57): [True: 21.6k, False: 30] | | ------------------ ------------------ 160| 22.1k| else if (! MEMCACHED_MATCH(MCDR_SERVER_ERROR)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 69| 22.1k|#define MCDR_SERVER_ERROR_LEN (sizeof(MCDR_SERVER_ERROR) - 1) | | | | ------------------ | | | | | | 68| 22.1k|#define MCDR_SERVER_ERROR "SERVER_ERROR " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 69| 21.6k|#define MCDR_SERVER_ERROR_LEN (sizeof(MCDR_SERVER_ERROR) - 1) | | | | ------------------ | | | | | | 68| 21.6k|#define MCDR_SERVER_ERROR "SERVER_ERROR " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 559, False: 21.6k] | | | Branch (93:57): [True: 21.6k, False: 1] | | ------------------ ------------------ 161| 22.1k| else if (! 
MEMCACHED_MATCH(MCDR_STORED)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 71| 22.1k|#define MCDR_STORED_LEN (sizeof(MCDR_STORED) - 1) | | | | ------------------ | | | | | | 70| 22.1k|#define MCDR_STORED "STORED\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 71| 22.0k|#define MCDR_STORED_LEN (sizeof(MCDR_STORED) - 1) | | | | ------------------ | | | | | | 70| 22.0k|#define MCDR_STORED "STORED\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 104, False: 22.0k] | | | Branch (93:57): [True: 22.0k, False: 26] | | ------------------ ------------------ 162| 22.1k| else if (! MEMCACHED_MATCH(MCDR_NOT_STORED)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 73| 22.1k|#define MCDR_NOT_STORED_LEN (sizeof(MCDR_NOT_STORED) - 1) | | | | ------------------ | | | | | | 72| 22.1k|#define MCDR_NOT_STORED "NOT_STORED\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 73| 21.9k|#define MCDR_NOT_STORED_LEN (sizeof(MCDR_NOT_STORED) - 1) | | | | ------------------ | | | | | | 72| 21.9k|#define MCDR_NOT_STORED "NOT_STORED\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 201, False: 21.9k] | | | Branch (93:57): [True: 21.9k, False: 4] | | ------------------ ------------------ 163| 22.1k| else if (! 
MEMCACHED_MATCH(MCDR_EXISTS)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 75| 22.1k|#define MCDR_EXISTS_LEN (sizeof(MCDR_EXISTS) - 1) | | | | ------------------ | | | | | | 74| 22.1k|#define MCDR_EXISTS "EXISTS\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 75| 22.0k|#define MCDR_EXISTS_LEN (sizeof(MCDR_EXISTS) - 1) | | | | ------------------ | | | | | | 74| 22.0k|#define MCDR_EXISTS "EXISTS\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 104, False: 22.0k] | | | Branch (93:57): [True: 22.0k, False: 6] | | ------------------ ------------------ 164| 22.1k| else if (! MEMCACHED_MATCH(MCDR_NOT_FOUND)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 77| 22.1k|#define MCDR_NOT_FOUND_LEN (sizeof(MCDR_NOT_FOUND) - 1) | | | | ------------------ | | | | | | 76| 22.1k|#define MCDR_NOT_FOUND "NOT_FOUND\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 77| 21.9k|#define MCDR_NOT_FOUND_LEN (sizeof(MCDR_NOT_FOUND) - 1) | | | | ------------------ | | | | | | 76| 21.9k|#define MCDR_NOT_FOUND "NOT_FOUND\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 199, False: 21.9k] | | | Branch (93:57): [True: 21.9k, False: 1] | | ------------------ ------------------ 165| 22.1k| else if (! 
MEMCACHED_MATCH(MCDR_END)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 79| 22.1k|#define MCDR_END_LEN (sizeof(MCDR_END) - 1) | | | | ------------------ | | | | | | 78| 22.1k|#define MCDR_END "END\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 79| 22.1k|#define MCDR_END_LEN (sizeof(MCDR_END) - 1) | | | | ------------------ | | | | | | 78| 22.1k|#define MCDR_END "END\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.1k] | | | Branch (93:57): [True: 22.1k, False: 4] | | ------------------ ------------------ 166| 22.1k| else if (! MEMCACHED_MATCH(MCDR_DELETED)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 81| 22.1k|#define MCDR_DELETED_LEN (sizeof(MCDR_DELETED) - 1) | | | | ------------------ | | | | | | 80| 22.1k|#define MCDR_DELETED "DELETED\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 81| 21.9k|#define MCDR_DELETED_LEN (sizeof(MCDR_DELETED) - 1) | | | | ------------------ | | | | | | 80| 21.9k|#define MCDR_DELETED "DELETED\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 174, False: 21.9k] | | | Branch (93:57): [True: 21.9k, False: 3] | | ------------------ ------------------ 167| 22.1k| else if (! 
MEMCACHED_MATCH(MCDR_TOUCHED)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 83| 22.1k|#define MCDR_TOUCHED_LEN (sizeof(MCDR_TOUCHED) - 1) | | | | ------------------ | | | | | | 82| 22.1k|#define MCDR_TOUCHED "TOUCHED\r\n" | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 83| 21.9k|#define MCDR_TOUCHED_LEN (sizeof(MCDR_TOUCHED) - 1) | | | | ------------------ | | | | | | 82| 21.9k|#define MCDR_TOUCHED "TOUCHED\r\n" | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 174, False: 21.9k] | | | Branch (93:57): [True: 21.9k, False: 1] | | ------------------ ------------------ 168| 22.1k| else if (! MEMCACHED_MATCH(MCDR_STAT)) *matches += 1; ------------------ | | 93| 22.1k|#define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 85| 22.1k|#define MCDR_STAT_LEN (sizeof(MCDR_STAT) - 1) | | | | ------------------ | | | | | | 84| 22.1k|#define MCDR_STAT "STAT " | | | | ------------------ | | ------------------ | | #define MEMCACHED_MATCH(cr) (cr ## _LEN > length || memcmp(offset, cr, cr ## _LEN)) | | ------------------ | | | | 85| 22.1k|#define MCDR_STAT_LEN (sizeof(MCDR_STAT) - 1) | | | | ------------------ | | | | | | 84| 22.1k|#define MCDR_STAT "STAT " | | | | ------------------ | | ------------------ | | | Branch (93:34): [True: 0, False: 22.1k] | | | Branch (93:57): [True: 22.1k, False: 4] | | ------------------ ------------------ 169| | 170| 22.5k| if (*matches >= MEMCACHED_MIN_MATCH) ------------------ | | 91| 22.5k|#define MEMCACHED_MIN_MATCH 2 /* Minimum number of command/responses required */ ------------------ | Branch (170:7): [True: 104, False: 22.4k] ------------------ 171| 104| ndpi_int_memcached_add_connection(ndpi_struct, flow); 172| 22.4k| 
else if(flow->packet_counter > 5) ------------------ | Branch (172:11): [True: 1.26k, False: 21.2k] ------------------ 173| 1.26k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.26k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 174| 22.5k|} memcached.c:ndpi_int_memcached_add_connection: 97| 104|{ 98| 104| NDPI_LOG_INFO(ndpi_struct, "found memcached\n"); ------------------ | | 595| 104|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 99| 104| ndpi_set_detected_protocol(ndpi_struct, flow, 100| 104| NDPI_PROTOCOL_MEMCACHED, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 101| 104|} init_merakicloud_dissector: 53| 7.08k|{ 54| 7.08k| ndpi_register_dissector("MerakiCloud", ndpi_struct, 55| 7.08k| ndpi_search_merakicloud, 56| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 57| 7.08k| 1, NDPI_PROTOCOL_MERAKI_CLOUD); 58| 7.08k|}
/*
 * MerakiCloud dissector entry point (listed as merakicloud.c:ndpi_search_merakicloud).
 *
 * The coverage listing begins at the opening brace, so the signature below is
 * reconstructed from the names the body uses -- TODO confirm against the file.
 *
 * The flow is classified when c_port or s_port equals ntohs(7351), the payload
 * is longer than 4 bytes, and the first 32-bit word of the payload equals
 * ntohl(0xfef72891). Every other packet excludes this dissector for the flow.
 *
 * Coverage in the listing: the port test was never true (0 of 3.36k calls),
 * so the length and magic comparisons were not exercised in that run.
 */
static void ndpi_search_merakicloud(struct ndpi_detection_module_struct *ndpi_struct,
                                    struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct * const packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search MerakiCloud\n");

  /* Guard 1: one side of the flow must use port 7351. */
  if(flow->c_port != ntohs(7351) && flow->s_port != ntohs(7351)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  /* Guard 2: the magic word needs four readable bytes; the original asks for > 4. */
  if(!(packet->payload_packet_len > 4)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  /*
   * Guard 3: magic word at offset 0.
   * NOTE(review): get_u_int32_t() dereferences the payload through a
   * u_int32_t * cast; nothing visible here guarantees 4-byte alignment of
   * packet->payload -- confirm the targets tolerate unaligned loads.
   */
  if(get_u_int32_t(packet->payload, 0) != ntohl(0xfef72891)) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  ndpi_int_merakicloud_add_connection(ndpi_struct, flow);
}
init_mgcp_dissector: 105| 7.08k|{ 106| 7.08k| ndpi_register_dissector("MGCP", ndpi_struct, 107| 7.08k| ndpi_search_mgcp, 108| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 109| 7.08k| 1, NDPI_PROTOCOL_MGCP); 110| 7.08k|}
/*
 * MGCP dissector entry point (listed as mgcp.c:ndpi_search_mgcp).
 *
 * The coverage listing begins at the opening brace, so the signature below is
 * reconstructed from the names the body uses -- TODO confirm against the file.
 *
 * A payload is accepted when it is at least 8 bytes long, its last byte is
 * 0x0a or 0x0d, it starts with one of nine five-byte verb tokens, and the
 * field after the second following space starts with "MGCP ". On acceptance
 * the flow is marked through ndpi_int_mgcp_add_connection() and the endpoint
 * field (only the part after '@' when an '@' occurs before the version field)
 * is passed to ndpi_hostname_sni_set(). Anything else excludes this dissector.
 *
 * Coverage in the listing: the "MGCP " comparison never matched, so the
 * hostname extraction at the end of this function was not exercised.
 */
static void ndpi_search_mgcp(struct ndpi_detection_module_struct *ndpi_struct,
                             struct ndpi_flow_struct *flow)
{
  static char const * const verbs[] = {
    "AUEP ", "AUCX ", "CRCX ", "DLCX ", "EPCF ", "MDCX ", "NTFY ", "RQNT ", "RSIP "
  };
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
  char const *endpoint;
  char const *at_sign;
  char const *mgcp;
  char const *host;
  u_int8_t last_byte;
  unsigned int i;
  int verb_known = 0;

  NDPI_LOG_DBG(ndpi_struct, "search MGCP\n");

  if (packet->payload_packet_len < 8)
    goto exclude;

  /*
   * Original comment: packet must end with 0x0d0a or with 0x0a.
   * NOTE(review): only the final byte is inspected, so a payload ending in a
   * bare 0x0d passes as well -- confirm which behaviour is intended.
   */
  last_byte = packet->payload[packet->payload_packet_len - 1];
  if (last_byte != 0x0a && last_byte != 0x0d)
    goto exclude;

  /* Cheap first-letter filter before the five-byte verb comparisons. */
  switch (packet->payload[0]) {
  case 'A': case 'C': case 'D': case 'E': case 'M': case 'N': case 'R':
    break;
  default:
    goto exclude;
  }

  for (i = 0; i < sizeof(verbs) / sizeof(verbs[0]); i++) {
    if (memcmp(packet->payload, verbs[i], 5) == 0) {
      verb_known = 1;
      break;
    }
  }
  if (!verb_known)
    goto exclude;

  /* Skip the transaction-id field: find the space that ends it. */
  endpoint = ndpi_strnstr((char const *)packet->payload + 5, " ", packet->payload_packet_len - 5);
  if (endpoint == NULL)
    goto exclude;
  endpoint++;

  /* The space after the endpoint field precedes the protocol version. */
  mgcp = ndpi_strnstr(endpoint, " ", packet->payload_packet_len - ((u_int8_t const *)endpoint - packet->payload));
  if (mgcp == NULL)
    goto exclude;
  mgcp++;

  /* The compare length is capped to the bytes left in the payload. */
  if (strncmp(mgcp, "MGCP ", ndpi_min(5, packet->payload_packet_len - ((u_int8_t const *)mgcp - packet->payload))) != 0)
    goto exclude;

  ndpi_int_mgcp_add_connection(ndpi_struct, flow);

  /*
   * The endpoint text is taken from the packet as-is; it is passed on with
   * NDPI_HOSTNAME_NORM_ALL and should still be treated as untrusted by
   * whatever consumes the stored hostname.
   */
  at_sign = ndpi_strnstr(endpoint, "@", packet->payload_packet_len - ((u_int8_t const *)endpoint - packet->payload));
  if (at_sign == NULL || at_sign >= mgcp)
    host = endpoint;      /* no '@' inside the endpoint field: use it whole */
  else
    host = at_sign + 1;   /* keep only the part after '@' */

  /* mgcp points one past the separating space, hence the "- 1". */
  ndpi_hostname_sni_set(flow, (u_int8_t const *)host, (mgcp - host) - 1, NDPI_HOSTNAME_NORM_ALL);
  return;

exclude:
  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
}
init_mikrotik_dissector: 111| 7.08k|void init_mikrotik_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 112| 7.08k| ndpi_register_dissector("MIKROTIK", ndpi_struct, 113| 7.08k| ndpi_search_mikrotik, 114| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD 
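(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 115| 7.08k| 1, NDPI_PROTOCOL_MIKROTIK); 116| 7.08k|}
/*
 * Read a 32-bit big-endian value one byte at a time.
 *
 * Gives the same result as ntohl() applied to a native 32-bit load, without
 * casting the byte pointer to u_int32_t *: TLV values sit at arbitrary
 * offsets in the payload, so a cast load may be misaligned.
 */
static u_int32_t mikrotik_load_be32(const u_int8_t *p) {
  return(((u_int32_t)p[0] << 24) | ((u_int32_t)p[1] << 16) |
         ((u_int32_t)p[2] << 8)  |  (u_int32_t)p[3]);
}

/*
 * MikroTik discovery dissector (listed as mikrotik.c:ndpi_search_mikrotik).
 *
 * The listing shows only the second line of the signature; the first line is
 * reconstructed from the names the body uses -- TODO confirm against the file.
 *
 * Packets whose IPv4 destination is 0xFFFFFFFF, or whose IPv6 destination
 * starts with ff02::, and whose UDP destination port is 5678 are parsed as a
 * 4-byte header followed by TLVs (16-bit type, 16-bit length, both big-endian).
 * Recognised TLVs are copied into flow->protos.mikrotik and the flow is marked
 * as NDPI_PROTOCOL_MIKROTIK. Other destinations exclude this dissector.
 *
 * Change from the listed code: the uptime and IPv4 values are assembled from
 * bytes instead of being read through a u_int32_t * cast.
 *
 * Coverage in the listing: the port-5678 branch was never taken (0 of 173),
 * so the TLV loop, which handles attacker-controlled lengths, was not
 * exercised in that run and has no fuzzing evidence behind it.
 */
static void ndpi_search_mikrotik(struct ndpi_detection_module_struct *ndpi_struct,
                                 struct ndpi_flow_struct *flow) {
  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
  const u_int8_t *payload;
  u_int16_t offset;

  NDPI_LOG_DBG(ndpi_struct, "search MIKROTIK\n");

  if(!((packet->iph && (packet->iph->daddr == 0xFFFFFFFF))
       || (packet->iphv6 && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 /* ff02:: */)))) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  /*
   * Broadcast/multicast to another port: as in the listed code, the flow is
   * neither classified nor excluded here.
   * packet->udp is dereferenced without a NULL test; the dissector is
   * registered with a UDP-only selection bitmask on this page.
   */
  if(ntohs(packet->udp->dest) != 5678)
    return;

  if(packet->payload_packet_len < 8) {
    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
    return;
  }

  payload = packet->payload;
  offset = 4; /* TLVs start after the 4-byte header */

  while((offset+4) < packet->payload_packet_len) {
    u_int16_t m_type = ((u_int16_t)payload[offset] << 8) + payload[offset+1];
    u_int16_t m_len  = ((u_int16_t)payload[offset+2] << 8) + payload[offset+3];
    const u_int8_t *value = &payload[offset+4];

    /*
     * Bounds check on the untrusted length, evaluated in int so it cannot
     * wrap; every read below stays inside the payload because of it.
     * NOTE(review): with '<' a TLV that ends exactly at the end of the
     * payload is skipped -- confirm whether '<=' was intended.
     */
    if(!((4+m_len+offset) < packet->payload_packet_len))
      break;

    /*
     * Fixed-size fields are copied only when the length matches exactly.
     * Text fields are bounded twice: by m_len through "%.*s" and by the
     * destination size through snprintf(). The text comes from an
     * unauthenticated broadcast packet, so consumers should treat it as
     * untrusted input.
     */
    switch(m_type) {
    case 1 /* MAC Address */:
      if(m_len == 6) /* assumes mac_addr holds at least 6 bytes -- TODO confirm */
        memcpy(flow->protos.mikrotik.mac_addr, value, m_len);
      break;
    case 5 /* Identity */:
      snprintf(flow->protos.mikrotik.identity, sizeof(flow->protos.mikrotik.identity),
               "%.*s", m_len, value);
      break;
    case 7 /* Version */:
      snprintf(flow->protos.mikrotik.version, sizeof(flow->protos.mikrotik.version),
               "%.*s", m_len, value);
      break;
    case 10: /* Uptime */
      if(m_len == 4)
        flow->protos.mikrotik.uptime = mikrotik_load_be32(value);
      break;
    case 11: /* Software-ID */
      snprintf(flow->protos.mikrotik.sw_id, sizeof(flow->protos.mikrotik.sw_id),
               "%.*s", m_len, value);
      break;
    case 12: /* Board */
      snprintf(flow->protos.mikrotik.board, sizeof(flow->protos.mikrotik.board),
               "%.*s", m_len, value);
      break;
    case 14: /* IPv4 */
      if(m_len == 4)
        flow->protos.mikrotik.ipv4_addr = mikrotik_load_be32(value);
      break;
    case 15: /* IPv6 */
      if(m_len == 16) /* assumes ipv6_addr holds at least 16 bytes -- TODO confirm */
        memcpy(&flow->protos.mikrotik.ipv6_addr, value, m_len);
      break;
    case 16: /* Interface Name */
      snprintf(flow->protos.mikrotik.iface_name, sizeof(flow->protos.mikrotik.iface_name),
               "%.*s", m_len, value);
      break;
    }

    offset += 4 + m_len;
  } /* while */

  ndpi_set_detected_protocol(ndpi_struct, flow,
                             NDPI_PROTOCOL_MIKROTIK,
                             NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
mining_make_lru_cache_key: 31| 717|u_int64_t mining_make_lru_cache_key(struct ndpi_flow_struct *flow) { 32| 717| u_int64_t key; 33| | 34| | /* network byte order */ 35| 717| if(flow->is_ipv6) ------------------ | Branch (35:6): [True: 0, False: 717] ------------------ 36| 0| key = (ndpi_quick_hash64((const char *)flow->c_address.v6, 16) << 32) | (ndpi_quick_hash64((const char *)flow->s_address.v6, 16) & 0xFFFFFFFF); 37| 717| else 38| 717| key = ((u_int64_t)flow->c_address.v4 << 32) | flow->s_address.v4; 39| | 40| 717| return key; 41| 717|} init_mining_dissector: 98| 7.08k|{ 99| 7.08k| ndpi_register_dissector("Mining", ndpi_struct, 100| 7.08k| ndpi_search_mining, 101| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | 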
| | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 102| 7.08k| 1, NDPI_PROTOCOL_MINING); 103| 7.08k|} mining.c:ndpi_search_mining: 54| 13.4k| struct ndpi_flow_struct *flow) { 55| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 56| | 57| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search MINING\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 58| | 59| | /* Quick test: we are looking for only Json format */ 60| 13.4k| if(packet->payload[0] != '{') { ------------------ | Branch (60:6): [True: 13.4k, False: 7] ------------------ 61| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 13.4k| return; 63| 13.4k| } 64| | 65| | /* STRATUMv1 */ 66| 7| if(ndpi_strnstr((const char *)packet->payload, "\"mining.subscribe\"", packet->payload_packet_len) || ------------------ | Branch (66:6): [True: 0, False: 7] ------------------ 67| 7| ndpi_strnstr((const char *)packet->payload, "\"mining.configure\"", packet->payload_packet_len)) { ------------------ | Branch (67:6): [True: 0, False: 7] ------------------ 68| | 69| | /* Try matching some zcash domains like "eu1-zcash.flypool.org" */ 70| 0| if(ndpi_strnstr((const char *)packet->payload, "zcash", packet->payload_packet_len)) ------------------ | Branch (70:8): [True: 0, False: 0] ------------------ 71| 0| ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "ZCash"); 72| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 73| 0| cacheMiningHostTwins(ndpi_struct, flow); 74| 0| return; 75| 0| } 76| | 77| | /* Xmr-stak-cpu is a ZCash/Monero CPU miner */ 78| 7| if(ndpi_strnstr((const char *)packet->payload, "\"agent\":\"xmr-stak-cpu", packet->payload_packet_len)) { ------------------ | Branch (78:6): [True: 0, False: 7] ------------------ 79| 0| ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "ZCash/Monero"); 80| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 81| 0| cacheMiningHostTwins(ndpi_struct, flow); 82| 0| return; 83| 0| } 84| 
| 85| 7| if(ndpi_strnstr((const char *)packet->payload, "\"method\": \"eth_submitLogin", packet->payload_packet_len)) { ------------------ | Branch (85:6): [True: 0, False: 7] ------------------ 86| 0| ndpi_snprintf(flow->protos.mining.currency, sizeof(flow->protos.mining.currency), "%s", "Ethereum"); 87| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MINING, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 88| 0| cacheMiningHostTwins(ndpi_struct, flow); 89| 0| return; 90| 0| } 91| | 92| 7| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 93| 7|} init_modbus_dissector: 70| 7.08k|void init_modbus_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 71| | 72| 7.08k| ndpi_register_dissector("Modbus", ndpi_struct, 73| 7.08k| ndpi_search_modbus_tcp, 74| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 75| 7.08k| 1, NDPI_PROTOCOL_MODBUS); 76| 7.08k|} modbus.c:ndpi_search_modbus_tcp: 32| 13.3k| struct ndpi_flow_struct *flow) { 33| 13.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 34| 13.3k| NDPI_LOG_DBG(ndpi_struct, "search Modbus\n"); ------------------ | | 596| 13.3k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 35| 13.3k| u_int16_t modbus_port = htons(502); // port used by modbus 36| | 37| | /* Check connection over TCP */ 38| | 39| 13.3k| if(packet->tcp) { ------------------ | Branch (39:6): [True: 13.3k, False: 0] ------------------ 40| | /* The payload of Modbus-TCP segment must be at least 8 bytes (7 bytes of header application 41| | packet plus 1 byte of minimum payload of application packet) 42| | */ 43| 13.3k| if((packet->payload_packet_len >= 8) ------------------ | Branch (43:8): [True: 12.5k, False: 808] ------------------ 44| 12.5k| &&((packet->tcp->dest == modbus_port) || (packet->tcp->source == modbus_port))) { ------------------ | Branch (44:11): [True: 2, False: 12.5k] | Branch (44:49): [True: 1, False: 12.5k] ------------------ 45| | // Modbus uses the port 502 46| 3| u_int16_t modbus_len = htons(*((u_int16_t*)&packet->payload[4])); 47| | 48| | // the fourth parameter of the payload is the length of the segment 49| 3| if(((modbus_len-1) == (packet->payload_packet_len - 7 /* ModbusTCP header len */)) ------------------ | Branch (49:10): [True: 0, False: 3] ------------------ 50| 0| && (packet->payload[2] == 0x0) && (packet->payload[3] == 0x0) /* Protocol identifier */) { ------------------ | Branch (50:6): [True: 0, False: 0] | Branch (50:37): [True: 0, False: 0] ------------------ 51| | /* Check Modbus function code. 0x5A (90) is reserved for UMAS protocol */ 52| 0| if (packet->payload[7] == 0x5A) { ------------------ | Branch (52:13): [True: 0, False: 0] ------------------ 53| 0| NDPI_LOG_INFO(ndpi_struct, "found Schneider Electric UMAS\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 54| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UMAS, NDPI_PROTOCOL_MODBUS, NDPI_CONFIDENCE_DPI); 55| 0| return; 56| 0| } 57| | 58| 0| NDPI_LOG_INFO(ndpi_struct, "found MODBUS\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MODBUS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 60| 0| return; 61| 0| } 62| 3| } 63| 13.3k| } 64| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| | 66| 13.3k|} init_monero_dissector: 72| 7.08k|{ 73| 7.08k| ndpi_register_dissector("Monero", ndpi_struct, 74| 7.08k| ndpi_search_monero, 75| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 76| 7.08k| 1, NDPI_PROTOCOL_MONERO); 77| 7.08k|} monero.c:ndpi_search_monero: 51| 11.6k|{ 52| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 53| | 54| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Monero Protocol\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 55| | 56| 11.6k| if (packet->payload_packet_len < 8) ------------------ | Branch (56:7): [True: 805, False: 10.8k] ------------------ 57| 805| { 58| 805| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 805|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 805| return; 60| 805| } 61| | 62| 10.8k| if (get_u_int64_t(packet->payload, 0) == ndpi_htonll(0x0121010101010101)) ------------------ | | 148| 10.8k|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (62:7): [True: 1, False: 10.8k] ------------------ 63| 1| { 64| 1| ndpi_int_monero_add_connection(ndpi_struct, flow); 65| 1| return; 66| 1| } 67| | 68| 10.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, 
__func__, __LINE__) ------------------ 69| 10.8k|} monero.c:ndpi_int_monero_add_connection: 33| 1|{ 34| 1| NDPI_LOG_INFO(ndpi_struct, "found Monero Protocol\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 35| | 36| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 37| 1| NDPI_PROTOCOL_MONERO, NDPI_PROTOCOL_UNKNOWN, 38| 1| NDPI_CONFIDENCE_DPI); 39| | 40| 1| if(ndpi_struct->mining_cache) ------------------ | Branch (40:6): [True: 1, False: 0] ------------------ 41| 1| { 42| 1| ndpi_lru_add_to_cache(ndpi_struct->mining_cache, 43| 1| mining_make_lru_cache_key(flow), 44| 1| NDPI_PROTOCOL_MONERO, 45| 1| ndpi_get_current_time(flow)); 46| 1| } 47| 1|} init_mongodb_dissector: 141| 7.08k|void init_mongodb_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 142| 7.08k| ndpi_register_dissector("MongoDB", ndpi_struct, 143| 7.08k| ndpi_search_mongodb, 144| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 145| 7.08k| 1, NDPI_PROTOCOL_MONGODB); 146| 7.08k|} mongodb.c:ndpi_search_mongodb: 125| 11.7k|{ 126| | // Break after 6 packets. 127| 11.7k| if(flow->packet_counter > 6) { ------------------ | Branch (127:6): [True: 0, False: 11.7k] ------------------ 128| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 129| 0| return; 130| 0| } 131| | 132| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search MongoDB\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 133| 11.7k| ndpi_check_mongodb(ndpi_struct, flow); 134| | 135| 11.7k| return; 136| 11.7k|} mongodb.c:ndpi_check_mongodb: 65| 11.7k| struct ndpi_flow_struct *flow) { 66| 11.7k| struct mongo_message_header mongodb_hdr; 67| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 68| 11.7k| uint32_t responseFlags; 69| | 70| 11.7k| if (packet->payload_packet_len <= sizeof(mongodb_hdr)) { ------------------ | Branch (70:7): [True: 4.36k, False: 7.37k] ------------------ 71| 4.36k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.36k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 72| 4.36k| return; 73| 4.36k| } 74| | 75| 7.37k| memcpy(&mongodb_hdr, packet->payload, sizeof(struct mongo_message_header)); 76| | 77| | /* All MongoDB numbers are in host byte order */ 78| | // mongodb_hdr.message_length = ntohl(mongodb_hdr.message_length); 79| | 80| 7.37k| if((le32toh(mongodb_hdr.message_length) < 4) ------------------ | Branch (80:6): [True: 55, False: 7.32k] ------------------ 81| 7.32k| || (le32toh(mongodb_hdr.message_length) > 1000000) /* Used to avoid false positives */ ------------------ | Branch (81:9): [True: 6.99k, False: 328] ------------------ 82| 7.37k| ) { 83| 7.04k| NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB length"); ------------------ | | 596| 7.04k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 84| 7.04k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7.04k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 85| 7.04k| return; 86| 7.04k| } 87| | 88| 328| switch(le32toh(mongodb_hdr.op_code)) { 89| 0| case OP_UPDATE: ------------------ | Branch (89:3): [True: 0, False: 328] ------------------ 90| 0| case OP_INSERT: ------------------ | Branch (90:3): [True: 0, False: 328] ------------------ 91| 0| case RESERVED: ------------------ | Branch (91:3): [True: 0, False: 328] ------------------ 92| 0| case OP_QUERY: ------------------ | Branch (92:3): [True: 0, False: 328] ------------------ 93| 0| case OP_GET_MORE: ------------------ | Branch (93:3): [True: 0, False: 328] ------------------ 94| 0| case OP_DELETE: ------------------ | Branch (94:3): [True: 0, False: 328] ------------------ 95| 0| case OP_KILL_CURSORS: ------------------ | Branch (95:3): [True: 0, False: 328] ------------------ 96| 0| case OP_MSG: ------------------ | Branch (96:3): [True: 0, False: 328] ------------------ 97| 0| set_mongodb_detected(ndpi_struct, flow); 98| 0| break; 99| 10| case OP_REPLY: ------------------ | Branch (99:3): [True: 10, False: 318] ------------------ 100| | /* struct { 101| | MsgHeader header; // standard message header 102| | int32 responseFlags; // bit vector - see details below 103| | int64 cursorID; // cursor id if client needs to do get more's 104| | int32 startingFrom; // where in the cursor this reply is starting 105| | int32 numberReturned; // number of documents in the reply 106| | document* documents; // documents 107| | } 108| | */ 109| 10| if(packet->payload_packet_len > sizeof(mongodb_hdr) + 20) { ------------------ | Branch (109:8): [True: 8, False: 2] ------------------ 110| 8| responseFlags = le32toh(*(uint32_t *)(packet->payload + sizeof(mongodb_hdr))); 111| 8| if((responseFlags & 
0xFFFFFFF0) == 0) ------------------ | Branch (111:10): [True: 1, False: 7] ------------------ 112| 1| set_mongodb_detected(ndpi_struct, flow); 113| 8| } 114| 10| break; 115| | 116| 318| default: ------------------ | Branch (116:3): [True: 318, False: 10] ------------------ 117| 318| NDPI_LOG_DBG(ndpi_struct, "Invalid MONGODB length"); ------------------ | | 596| 318|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 118| 318| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 318|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 119| 318| break; 120| 328| } 121| 328|} mongodb.c:set_mongodb_detected: 54| 1| struct ndpi_flow_struct *flow) { 55| | 56| 1| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (56:6): [True: 1, False: 0] ------------------ 57| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MONGODB, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 58| 1| } 59| 1|} init_mpegdash_dissector: 91| 7.08k|{ 92| 7.08k| ndpi_register_dissector("MpegDash", ndpi_struct, 93| 7.08k| ndpi_search_mpegdash_http, 94| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 95| 7.08k| 1, NDPI_PROTOCOL_MPEGDASH); 96| 7.08k|} mpegdash.c:ndpi_search_mpegdash_http: 42| 19.5k|{ 43| 19.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| 19.5k| NDPI_LOG_DBG(ndpi_struct, "search MpegDash\n"); ------------------ | | 596| 19.5k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 46| | 47| 19.5k| if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP && ------------------ | Branch (47:7): [True: 18.8k, False: 688] ------------------ 48| 18.8k| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_HTTP) ------------------ | Branch (48:7): [True: 18.6k, False: 231] ------------------ 49| 18.6k| { 50| 18.6k| if (flow->packet_counter > 2) ------------------ | Branch (50:9): [True: 2.84k, False: 15.7k] ------------------ 51| 2.84k| { 52| 2.84k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.84k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 2.84k| } 54| 18.6k| return; 55| 18.6k| } 56| | 57| 919| if (packet->parsed_lines == 0) ------------------ | Branch (57:7): [True: 38, False: 881] ------------------ 58| 38| { 59| 38| ndpi_parse_packet_line_info(ndpi_struct, flow); 60| 38| } 61| | 62| 919| if (packet->parsed_lines > 0) ------------------ | Branch (62:7): [True: 881, False: 38] ------------------ 63| 881| { 64| 881| size_t i; 65| | 66| 881| if (LINE_ENDS(packet->line[0], "RTSP/1.0") != 0 || ------------------ | | 81| 881| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 880, False: 1] | | ------------------ | | 82| 881| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 14, False: 866] | | ------------------ | | 83| 880| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 880| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (66:9): [True: 14, False: 867] ------------------ 67| 867| LINE_ENDS(packet->line[0], ".mp4 HTTP/1.1") != 0 || ------------------ | | 81| 867| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 865, 
False: 2] | | ------------------ | | 82| 867| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 26, False: 839] | | ------------------ | | 83| 865| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 865| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (67:9): [True: 26, False: 841] ------------------ 68| 841| LINE_ENDS(packet->line[0], ".m4s HTTP/1.1") != 0) ------------------ | | 81| 841| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 839, False: 2] | | ------------------ | | 82| 841| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 4, False: 835] | | ------------------ | | 83| 839| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 839| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (68:9): [True: 4, False: 837] ------------------ 69| 44| { 70| 44| ndpi_int_mpegdash_add_connection(ndpi_struct, flow); 71| 44| return; 72| 44| } 73| | 74| 4.91k| for (i = 0; i < packet->parsed_lines && packet->line[i].len > 0; ++i) ------------------ | Branch (74:17): [True: 4.17k, False: 733] | Branch (74:45): [True: 4.11k, False: 58] ------------------ 75| 4.11k| { 76| 4.11k| if ((LINE_STARTS(packet->line[i], "Content-Type:") != 0 && ------------------ | | 76| 4.11k| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 4.11k, False: 0] | | ------------------ | | 77| 4.11k| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 3.69k, False: 423] | | ------------------ | | 78| 4.11k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 138, False: 3.55k] | | 
------------------ ------------------ | Branch (76:12): [True: 138, False: 3.98k] ------------------ 77| 138| LINE_ENDS(packet->line[i], "video/mp4") != 0) || ------------------ | | 81| 138| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 138, False: 0] | | ------------------ | | 82| 138| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 7, False: 131] | | ------------------ | | 83| 138| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 138| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (77:12): [True: 7, False: 131] ------------------ 78| 4.11k| LINE_STARTS(packet->line[i], "DASH") != 0) ------------------ | | 76| 4.11k| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 4.11k, False: 0] | | ------------------ | | 77| 4.11k| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 4.00k, False: 104] | | ------------------ | | 78| 4.11k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 39, False: 3.96k] | | ------------------ ------------------ | Branch (78:11): [True: 39, False: 4.07k] ------------------ 79| 46| { 80| 46| ndpi_int_mpegdash_add_connection(ndpi_struct, flow); 81| 46| return; 82| 46| } 83| 4.11k| } 84| 837| } 85| | 86| 829| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 829|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 87| 829| return; 88| 919|} mpegdash.c:ndpi_int_mpegdash_add_connection: 34| 90|{ 35| 90| NDPI_LOG_INFO(ndpi_struct, "found MpegDash\n"); ------------------ | | 595| 90|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 36| 90| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_MPEGDASH, 37| 90| NDPI_CONFIDENCE_DPI); 38| 90|} init_mpegts_dissector: 56| 7.08k|{ 57| 7.08k| ndpi_register_dissector("MPEG_TS", ndpi_struct, 58| 7.08k| ndpi_search_mpegts, 59| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 60| 7.08k| 1, NDPI_PROTOCOL_MPEGTS); 61| 7.08k|} mpegts.c:ndpi_search_mpegts: 30| 3.42k|{ 31| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 32| | 33| 3.42k| NDPI_LOG_DBG(ndpi_struct, "search MPEGTS\n"); ------------------ | | 596| 3.42k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 34| | 35| 3.42k| if((packet->udp != NULL) && ((packet->payload_packet_len % 188) == 0)) { ------------------ | Branch (35:6): [True: 3.42k, False: 0] | Branch (35:31): [True: 8, False: 3.41k] ------------------ 36| 8| u_int i, num_chunks = packet->payload_packet_len / 188; 37| | 38| 8| for(i=0; ipayload[offset] != 0x47) goto no_mpegts; ------------------ | Branch (41:10): [True: 8, False: 0] ------------------ 42| 8| } 43| | 44| | /* This looks MPEG TS */ 45| 0| NDPI_LOG_INFO(ndpi_struct, "found MPEGTS\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGTS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 47| 0| return; 48| 8| } 49| | 50| 3.42k| no_mpegts: 51| 3.42k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.42k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 3.42k|} init_mqtt_dissector: 251| 7.08k|{ 252| 7.08k| ndpi_register_dissector("MQTT", ndpi_struct, 253| 7.08k| ndpi_search_mqtt, 254| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 255| 7.08k| 1, NDPI_PROTOCOL_MQTT); 256| 7.08k|} mqtt.c:ndpi_search_mqtt: 88| 13.4k|{ 89| 13.4k| u_int8_t pt,flags, rl_len; 90| 13.4k| int64_t rl; 91| | 92| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search Mqtt\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 93| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 94| 13.4k| if (flow->packet_counter > 10) { ------------------ | Branch (94:6): [True: 0, False: 13.4k] ------------------ 95| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 96| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 97| 0| return; 98| 0| } 99| | 100| 13.4k| NDPI_LOG_DBG2(ndpi_struct, "====>>>> Mqtt header: %4x%4x%4x%4x [len: %u]\n", ------------------ | | 597| 13.4k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 101| 13.4k| packet->payload_packet_len > 0 ? packet->payload[0] : '.', 102| 13.4k| packet->payload_packet_len > 1 ? packet->payload[1] : '.', 103| 13.4k| packet->payload_packet_len > 2 ? packet->payload[2] : '.', 104| 13.4k| packet->payload_packet_len > 3 ? packet->payload[3] : '.', 105| 13.4k| packet->payload_packet_len); 106| 13.4k| if (packet->payload_packet_len < 2) { ------------------ | Branch (106:6): [True: 4, False: 13.3k] ------------------ 107| 4| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); ------------------ | | 596| 4|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 108| 4| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 109| 4| return; 110| 4| } 111| | // we extract the remaining length 112| 13.3k| rl = get_var_int(&packet->payload[1], packet->payload_packet_len - 1, &rl_len); 113| 13.3k| if (rl < 0) { ------------------ | Branch (113:6): [True: 25, False: 13.3k] ------------------ 114| 25| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid length!\n"); ------------------ | | 596| 25|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 115| 25| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 25|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 116| 25| return; 117| 25| } 118| 13.3k| NDPI_LOG_DBG(ndpi_struct, "Mqtt: msg_len %d\n", (unsigned long long)rl); ------------------ | | 596| 13.3k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 119| 13.3k| if (packet->payload_packet_len != rl + 1 + rl_len) { ------------------ | Branch (119:6): [True: 12.0k, False: 1.32k] ------------------ 120| 12.0k| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. maximum packet size exceeded!\n"); ------------------ | | 596| 12.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 121| 12.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 122| 12.0k| return; 123| 12.0k| } 124| | // we extract the packet type 125| 1.32k| pt = (u_int8_t) ((packet->payload[0] & 0xF0) >> 4); 126| 1.32k| NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt packet type: [%d]\n",pt); ------------------ | | 597| 1.32k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 127| 1.32k| if ((pt == 0) || (pt == 15)) { ------------------ | Branch (127:6): [True: 158, False: 1.16k] | Branch (127:19): [True: 7, False: 1.15k] ------------------ 128| 165| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. invalid packet type!\n"); ------------------ | | 596| 165|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 129| 165| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 165|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 130| 165| return; 131| 165| } 132| | // we extract the flags 133| 1.15k| flags = (u_int8_t) (packet->payload[0] & 0x0F); 134| 1.15k| NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt flags type: [%d]\n",flags); ------------------ | | 597| 1.15k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 135| | // first stage verification 136| 1.15k| if (((pt == CONNECT) || (pt == CONNACK) || (pt == PUBACK) || (pt == PUBREC) || ------------------ | Branch (136:7): [True: 1.00k, False: 149] | Branch (136:26): [True: 3, False: 146] | Branch (136:45): [True: 4, False: 142] | Branch (136:63): [True: 2, False: 140] ------------------ 137| 140| (pt == PUBCOMP) || (pt == SUBACK) || (pt == UNSUBACK) || (pt == PINGREQ) || ------------------ | Branch (137:6): [True: 20, False: 120] | Branch (137:25): [True: 1, False: 119] | Branch (137:43): [True: 5, False: 114] | Branch (137:63): [True: 3, False: 111] ------------------ 138| 1.05k| (pt == PINGRESP) || (pt == DISCONNECT)) && (flags > 0)) { ------------------ | Branch (138:6): [True: 0, False: 111] | Branch (138:26): [True: 4, False: 107] | Branch (138:49): [True: 1.03k, False: 13] ------------------ 139| 1.03k| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=0\n"); ------------------ | | 596| 1.03k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 140| 1.03k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.03k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 141| 1.03k| return; 142| 1.03k| } 143| 120| if (((pt == PUBREL) || (pt == SUBSCRIBE) || (pt == UNSUBSCRIBE)) && (flags != 2)) { ------------------ | Branch (143:7): [True: 13, False: 107] | Branch (143:25): [True: 71, False: 36] | Branch (143:46): [True: 4, False: 32] | Branch (143:70): [True: 80, False: 8] ------------------ 144| 80| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=2\n"); ------------------ | | 596| 80|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 145| 80| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 80|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 146| 80| return; 147| 80| } 148| 40| NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed first stage of identification\n"); ------------------ | | 597| 40|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 149| | // second stage verification (no payload, just variable headers) 150| 40| if ((pt == CONNACK) || (pt == PUBACK) || (pt == PUBREL) || ------------------ | Branch (150:6): [True: 2, False: 38] | Branch (150:25): [True: 1, False: 37] | Branch (150:43): [True: 4, False: 33] ------------------ 151| 33| (pt == PUBREC) || (pt == PUBCOMP) || (pt == UNSUBACK)) { ------------------ | Branch (151:4): [True: 1, False: 32] | Branch (151:22): [True: 0, False: 32] | Branch (151:41): [True: 2, False: 30] ------------------ 152| 10| if (packet->payload_packet_len != 4) { // these packets are always 4 bytes long ------------------ | Branch (152:7): [True: 9, False: 1] ------------------ 153| 9| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length < 4 \n"); ------------------ | | 596| 9|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 154| 9| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 9|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 155| 9| return; 156| 9| } else { 157| 1| NDPI_LOG_INFO(ndpi_struct, "found Mqtt CONNACK/PUBACK/PUBREL/PUBREC/PUBCOMP/UNSUBACK\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 158| 1| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 159| 1| return; 160| 1| } 161| 10| } 162| 30| if ((pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) { ------------------ | Branch (162:6): [True: 3, False: 27] | Branch (162:25): [True: 0, False: 27] | Branch (162:45): [True: 2, False: 25] ------------------ 163| 5| if (packet->payload_packet_len != 2) { // these packets are always 2 bytes long ------------------ | Branch (163:7): [True: 5, False: 0] ------------------ 164| 5| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length <2 \n"); ------------------ | | 596| 5|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 165| 5| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 166| 5| return; 167| 5| } else { 168| 0| NDPI_LOG_INFO(ndpi_struct, "found Mqtt PING/PINGRESP/DISCONNECT\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 169| 0| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 170| 0| return; 171| 0| } 172| 5| } 173| 25| NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed second stage of identification\n"); ------------------ | | 597| 25|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 174| | // third stage verification (payload) 175| 25| if (pt == CONNECT) { ------------------ | Branch (175:6): [True: 1, False: 24] ------------------ 176| 1| NDPI_LOG_DBG(ndpi_struct, "found Mqtt CONNECT\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 177| 1| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 178| 1| return; 179| 1| } 180| 24| if (pt == PUBLISH) { ------------------ | Branch (180:6): [True: 19, False: 5] ------------------ 181| | // payload CAN be zero bytes length (section 3.3.3 of MQTT standard) 182| 19| u_int8_t qos = (u_int8_t) (flags & 0x06) >> 1; 183| 19| u_int8_t dup = (u_int8_t) (flags & 0x08) >> 3; 184| 19| if (qos > 2) { // qos values possible are 0,1,2 ------------------ | Branch (184:7): [True: 1, False: 18] ------------------ 185| 1| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 186| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 187| 1| return; 188| 1| } 189| 18| if (qos == 0) { ------------------ | Branch (189:7): [True: 4, False: 14] ------------------ 190| 4| if (dup != 0) { ------------------ | Branch (190:8): [True: 1, False: 3] ------------------ 191| 1| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 192| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 193| 1| return; 194| 1| } 195| 3| if (packet->payload_packet_len < 5) { // at least topic (3Bytes + 2Bytes fixed header) ------------------ | Branch (195:8): [True: 1, False: 2] ------------------ 196| 1| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 size\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 197| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 198| 1| return; 199| 1| } 200| 3| } 201| 16| if ((qos == 1) || (qos == 2)) { ------------------ | Branch (201:7): [True: 3, False: 13] | Branch (201:21): [True: 11, False: 2] ------------------ 202| 14| if (packet->payload_packet_len < 7 ) { // at least topic + pkt identifier (3Bytes + 2Bytes + 2Bytes fixed header) ------------------ | Branch (202:8): [True: 1, False: 13] ------------------ 203| 1| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos1&2\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 204| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 205| 1| return; 206| 1| } 207| 14| } 208| 15| NDPI_LOG_INFO(ndpi_struct, "found Mqtt PUBLISH\n"); ------------------ | | 595| 15|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 209| 15| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 210| 15| return; 211| 16| } 212| 5| if (pt == SUBSCRIBE) { ------------------ | Branch (212:6): [True: 0, False: 5] ------------------ 213| 0| if (packet->payload_packet_len < 8) { // at least one topic+filter is required in the payload ------------------ | Branch (213:7): [True: 0, False: 0] ------------------ 214| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBSCRIBE\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 215| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 216| 0| return; 217| 0| } else { 218| 0| NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBSCRIBE\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 219| 0| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 220| 0| return; 221| 0| } 222| 0| } 223| 5| if (pt == SUBACK ) { ------------------ | Branch (223:6): [True: 1, False: 4] ------------------ 224| 1| if (packet->payload_packet_len <5 ) { // must have at least a response code ------------------ | Branch (224:7): [True: 0, False: 1] ------------------ 225| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBACK\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 226| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 227| 0| return; 228| 1| } else { 229| 1| NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBACK\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 230| 1| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 231| 1| return; 232| 1| } 233| 1| } 234| 4| if (pt == UNSUBSCRIBE) { ------------------ | Branch (234:6): [True: 4, False: 0] ------------------ 235| 4| if (packet->payload_packet_len < 7) { // at least a topic ------------------ | Branch (235:7): [True: 1, False: 3] ------------------ 236| 1| NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid UNSUBSCRIBE\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 237| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 238| 1| return; 239| 3| } else { 240| 3| NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 241| 3| ndpi_int_mqtt_add_connection(ndpi_struct,flow); 242| 3| return; 243| 3| } 244| 4| } 245| | /* We already checked every possible value of pt: we are never here */ 246| 4|} mqtt.c:get_var_int: 64| 13.3k|{ /* Decodes a variable-length integer from buf (the caller uses it for the MQTT remaining-length field): at most 4 bytes, 7 value bits per byte, least-significant group first; bit 7 set means another byte follows. *num_bytes receives the number of bytes consumed. Returns the decoded value, or -1 when buf_len runs out before a terminating byte; the i >= buf_len test comes before every buf[i] read, so the loop never reads past the supplied length. */ 65| 13.3k| int i, multiplier = 1; 66| 13.3k| u_int32_t value = 0; 67| 13.3k| u_int8_t encodedByte; 68| | 69| 13.3k| *num_bytes= 0; 70| 15.0k| for (i = 0; i < 4; i++) { ------------------ | Branch (70:14): [True: 14.8k, False: 189] ------------------ 71| 14.8k| if (i >= buf_len) ------------------ | Branch (71:7): [True: 25, False: 14.8k] ------------------ 72| 25| return -1; 73| 14.8k| (*num_bytes)++; 74| 14.8k| encodedByte = buf[i]; 75| 14.8k| value += ((encodedByte & 127) * multiplier); 76| 14.8k| if ((encodedByte & 128) == 0) ------------------ | Branch (76:7): [True: 13.1k, False: 1.65k] ------------------ 77| 13.1k| break; 78| 1.65k| multiplier *= 128; 79| 1.65k| } 80| 13.3k| /* NOTE(review): when the fourth byte still has bit 7 set, the loop ends on the i < 4 bound and the accumulated value is returned instead of -1; confirm that the caller's length comparison is meant to be the only rejection of such headers. */ return value; 81| 13.3k|} 
mqtt.c:ndpi_int_mqtt_add_connection: 58| 21|{ 59| 21| ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_MQTT,NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 60| 21| NDPI_LOG_INFO(ndpi_struct, "found Mqtt\n"); ------------------ | | 595| 21|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 61| 21|} init_msdo_dissector: 68| 7.08k|{ 69| 7.08k| ndpi_register_dissector("MSDO", ndpi_struct, 70| 7.08k| ndpi_search_msdo, 71| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 72| 7.08k| 1, NDPI_PROTOCOL_MSDO); 73| 7.08k|} msdo.c:ndpi_search_msdo: 45| 11.6k|{ 46| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Microsoft Delivery Optimization protocol\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| | /* 51| | * Usually the handshake starts with 0x0E and the string "Swarm protocol" at the start of the payload, 52| | * but this may vary. The payload_packet_len > 16 guard below is what keeps the 14-byte memcmp() starting at payload[1] inside the packet payload, and it is evaluated first in the && so payload[0] is only read once the length is known. A payload that does not match is excluded by NDPI_EXCLUDE_DISSECTOR at the end of the function. 53| | */ 54| 11.6k| if (packet->payload_packet_len > 16 && packet->payload[0] == 0x0E) ------------------ | Branch (54:7): [True: 7.28k, False: 4.35k] | Branch (54:42): [True: 3, False: 7.28k] ------------------ 55| 3| { 56| 3| if (memcmp(&packet->payload[1], "Swarm protocol", NDPI_STATICSTRING_LEN("Swarm protocol")) == 0) ------------------ | | 98| 3|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (56:9): [True: 0, False: 3] ------------------ 57| 0| { 58| 0| ndpi_int_msdo_add_connection(ndpi_struct, flow); 59| 0| return; 60| 0| } 61| 3| } 62| | 63| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 64| 11.6k|} ndpi_search_msgpack: 234| 19.7k|{ 235| 19.7k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 236| | 237| 19.7k| NDPI_LOG_DBG(ndpi_struct, "search MessagePack\n"); ------------------ | | 596| 19.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 238| | 239| 19.7k| u_int8_t const * cur_msg = &packet->payload[0]; 240| 19.7k| u_int16_t rem_siz = packet->payload_packet_len; 241| 19.7k| u_int16_t msgpack_objects = 0; 242| 19.7k| u_int16_t byte_type_objects = 0; // required to prevent false positives due to fixint's 243| 19.7k| u_int16_t tlv_objects = 0; 244| | 245| 363k| do { 246| 363k| u_int8_t first_byte = 0xC1; 247| 363k| u_int32_t type_size = msgpack_dissect_next(&cur_msg, &rem_siz, &first_byte); 248| 363k| if (type_size == 0 || first_byte == 0xC1) ------------------ | Branch (248:9): [True: 14.0k, False: 349k] | Branch (248:27): [True: 0, False: 349k] ------------------ 249| 14.0k| break; 250| 349k| if (type_size == 1) { ------------------ | Branch (250:9): [True: 344k, False: 5.75k] ------------------ 251| | // fixmap's and fixarray's get also counted as byte type objects.. 252| 344k| if ((first_byte & 0xF0) != 0x80 /* fixmap: 1000 xxxx */ && ------------------ | Branch (252:11): [True: 340k, False: 4.01k] ------------------ 253| 340k| (first_byte & 0xF0) != 0x90 /* fixarray: 1001 xxxx */) ------------------ | Branch (253:11): [True: 336k, False: 3.61k] ------------------ 254| 336k| { 255| 336k| byte_type_objects++; 256| 336k| } 257| 344k| } 258| 349k| if (type_size >= 2) { ------------------ | Branch (258:9): [True: 5.75k, False: 344k] ------------------ 259| | // check for variable sized ext's / str's / bin's 260| 5.75k| if ((first_byte >= 0xC4 && first_byte <= 0xC9 /* bin8, bin16, bin32, ext8, ext16, ext32 */) ------------------ | Branch (260:12): [True: 4.46k, False: 1.29k] | Branch (260:34): [True: 239, False: 4.22k] ------------------ 261| 5.51k| || (first_byte & 0xE0) == 0xA0 /* fixstr */ ------------------ | Branch (261:14): [True: 1.29k, False: 4.22k] ------------------ 262| 4.22k| || (first_byte >= 0xD9 && first_byte <= 0xDB /* str8, str16, str32 */)) ------------------ | Branch (262:15): [True: 1.39k, False: 2.83k] | Branch (262:37): [True: 
23, False: 1.37k] ------------------ 263| 1.55k| { 264| 1.55k| tlv_objects++; 265| 1.55k| } 266| 5.75k| } 267| 349k| } while (++msgpack_objects < MSGPACK_MAX_OBJECTS); ------------------ | | 28| 349k|#define MSGPACK_MAX_OBJECTS 32 ------------------ | Branch (267:12): [True: 344k, False: 5.66k] ------------------ 268| | 269| 19.7k| NDPI_LOG_DBG(ndpi_struct, " [Objects: %u][ByteTypes: %u][TLVs: %u][Remaining: %u][Length %u]\n", ------------------ | | 596| 19.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 270| 19.7k| msgpack_objects, byte_type_objects, tlv_objects, rem_siz, packet->payload_packet_len); 271| | 272| 19.7k| if (byte_type_objects * 2 >= msgpack_objects || ------------------ | Branch (272:7): [True: 19.3k, False: 406] ------------------ 273| 406| rem_siz * 4 >= packet->payload_packet_len) ------------------ | Branch (273:7): [True: 381, False: 25] ------------------ 274| 19.7k| { 275| 19.7k| if (rem_siz > 0 || flow->packet_counter >= MSGPACK_MAX_PACKETS) ------------------ | | 29| 10.5k|#define MSGPACK_MAX_PACKETS 4 ------------------ | Branch (275:9): [True: 9.17k, False: 10.5k] | Branch (275:24): [True: 1.08k, False: 9.45k] ------------------ 276| 10.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 277| 19.7k| return; 278| 19.7k| } 279| | 280| 25| if ((rem_siz == 0 && flow->packet_counter > 1) || tlv_objects > 0 ------------------ | Branch (280:8): [True: 15, False: 10] | Branch (280:24): [True: 2, False: 13] | Branch (280:53): [True: 6, False: 17] ------------------ 281| 17| || (byte_type_objects * 4 < msgpack_objects && packet->tcp != NULL)) ------------------ | Branch (281:11): [True: 14, False: 3] | Branch (281:54): [True: 9, False: 5] ------------------ 282| 17| { 283| 17| ndpi_int_msgpack_add_connection(ndpi_struct, flow); 284| 
17| } 285| | 286| 25| if (flow->packet_counter < MSGPACK_MAX_PACKETS) ------------------ | | 29| 25|#define MSGPACK_MAX_PACKETS 4 ------------------ | Branch (286:7): [True: 23, False: 2] ------------------ 287| 23| return; 288| | 289| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 290| 2|} init_msgpack_dissector: 293| 7.08k|{ 294| 7.08k| ndpi_register_dissector("MessagePack", ndpi_struct, 295| 7.08k| ndpi_search_msgpack, 296| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 297| 7.08k| 1, NDPI_PROTOCOL_MSGPACK); 298| 7.08k|} msgpack.c:msgpack_dissect_next: 48| 363k|{ 49| 363k| if (*size == 0) ------------------ | Branch (49:7): [True: 7.78k, False: 356k] ------------------ 50| 7.78k| return 0; 51| | 52| 356k| u_int32_t next_size = 0; 53| 356k| u_int8_t first_byte = *fb = (*start)[0]; 54| | 55| | // unused 56| 356k| if (first_byte == 0xC1) ------------------ | Branch (56:7): [True: 306, False: 355k] ------------------ 57| 306| return 0; 58| | 59| | /* 60| | * 1. positive fixint (MSB is zero) 61| | * 2. negative fixint (three consecutive bits set starting with the MSB) 62| | * 3. nil 63| | * 4. 
false / true 64| | */ 65| 355k| if ((first_byte & 0x80 /* 0xxx xxxx */) == 0 || ------------------ | Branch (65:7): [True: 325k, False: 30.0k] ------------------ 66| 30.0k| (first_byte & 0xE0 /* 111x xxxx */) == 0xE0 || ------------------ | Branch (66:7): [True: 9.71k, False: 20.3k] ------------------ 67| 20.3k| (first_byte == 0xC0 /* 1100 0000 */) || ------------------ | Branch (67:7): [True: 268, False: 20.1k] ------------------ 68| 20.1k| (first_byte & 0xFE /* 1100 001x */) == 0xC2) ------------------ | Branch (68:7): [True: 483, False: 19.6k] ------------------ 69| 336k| { 70| 336k| (*start)++; 71| 336k| (*size)--; 72| 336k| return 1; 73| 336k| } 74| | 75| 19.6k| if (first_byte == 0xCC /* uint8 */ || ------------------ | Branch (75:7): [True: 140, False: 19.4k] ------------------ 76| 19.4k| first_byte == 0xD0 /* int8 */) ------------------ | Branch (76:7): [True: 137, False: 19.3k] ------------------ 77| 277| { 78| 277| next_size += 2; 79| 277| } 80| 19.3k| else if (first_byte == 0xCD /* uint16 */ || ------------------ | Branch (80:12): [True: 195, False: 19.1k] ------------------ 81| 19.1k| first_byte == 0xD1 /* int16 */) ------------------ | Branch (81:12): [True: 384, False: 18.7k] ------------------ 82| 579| { 83| 579| next_size += 3; 84| 579| } 85| 18.7k| else if (first_byte == 0xCE /* uint32 */ || ------------------ | Branch (85:12): [True: 249, False: 18.5k] ------------------ 86| 18.5k| first_byte == 0xD2 /* int32 */ || ------------------ | Branch (86:12): [True: 213, False: 18.3k] ------------------ 87| 18.3k| first_byte == 0xCE /* float32 aka float */) ------------------ | Branch (87:12): [True: 0, False: 18.3k] ------------------ 88| 462| { 89| 462| next_size += 5; 90| 462| } 91| 18.3k| else if (first_byte == 0xCF /* uint64 */ || ------------------ | Branch (91:12): [True: 562, False: 17.7k] ------------------ 92| 17.7k| first_byte == 0xD3 /* int64 */ || ------------------ | Branch (92:12): [True: 58, False: 17.6k] ------------------ 93| 17.6k| 
first_byte == 0xCB /* float64 aka double */) ------------------ | Branch (93:12): [True: 105, False: 17.5k] ------------------ 94| 725| { 95| 725| next_size += 9; 96| 725| } 97| | // ext format 98| 17.5k| else if (first_byte == 0xD4 /* fixext1 */) ------------------ | Branch (98:12): [True: 299, False: 17.2k] ------------------ 99| 299| { 100| 299| next_size += 3; 101| 299| } 102| 17.2k| else if (first_byte == 0xD5 /* fixext2 */) ------------------ | Branch (102:12): [True: 139, False: 17.1k] ------------------ 103| 139| { 104| 139| next_size += 4; 105| 139| } 106| 17.1k| else if (first_byte == 0xD6 /* fixext4 / timestamp32 */) ------------------ | Branch (106:12): [True: 112, False: 17.0k] ------------------ 107| 112| { 108| 112| next_size += 6; 109| 112| } 110| 17.0k| else if (first_byte == 0xD7 /* fixext8 / timestamp64 */) ------------------ | Branch (110:12): [True: 79, False: 16.9k] ------------------ 111| 79| { 112| 79| next_size += 10; 113| 79| } 114| 16.9k| else if (first_byte == 0xD8 /* fixext16 */) ------------------ | Branch (114:12): [True: 415, False: 16.5k] ------------------ 115| 415| { 116| 415| next_size += 18; 117| 415| } 118| 16.5k| else if (first_byte == 0xC7 /* ext8 / timestamp96 */) ------------------ | Branch (118:12): [True: 196, False: 16.3k] ------------------ 119| 196| { 120| 196| if (*size < 3) ------------------ | Branch (120:9): [True: 1, False: 195] ------------------ 121| 1| return 0; 122| 195| next_size += 3 + get_u_int8_t(*start, 1); ------------------ | | 135| 195|#define get_u_int8_t(X,O) (*(u_int8_t *)((&(((u_int8_t *)X)[O])))) ------------------ 123| 195| if (next_size < 3) // check for possible overflow ------------------ | Branch (123:9): [True: 0, False: 195] ------------------ 124| 0| return 0; 125| 195| } 126| 16.3k| else if (first_byte == 0xC8 /* ext16 */) ------------------ | Branch (126:12): [True: 150, False: 16.1k] ------------------ 127| 150| { 128| 150| if (*size < 4) ------------------ | Branch (128:9): [True: 2, 
False: 148] ------------------ 129| 2| return 0; 130| 148| next_size += 4 + ntohs(get_u_int16_t(*start, 1)); 131| 148| if (next_size < 4) // check for possible overflow ------------------ | Branch (131:9): [True: 0, False: 148] ------------------ 132| 0| return 0; 133| 148| } 134| 16.1k| else if (first_byte == 0xC9 /* ext32 */) ------------------ | Branch (134:12): [True: 77, False: 16.1k] ------------------ 135| 77| { 136| 77| if (*size < 6) ------------------ | Branch (136:9): [True: 6, False: 71] ------------------ 137| 6| return 0; 138| 71| next_size += 6 + ntohl(get_u_int32_t(*start, 1)); 139| 71| if (next_size < 6) // check for possible overflow ------------------ | Branch (139:9): [True: 0, False: 71] ------------------ 140| 0| return 0; 141| 71| } 142| | // map / array / string / bin format 143| 16.1k| else if ((first_byte & 0xF0) == 0x80 /* fixmap: 1000 xxxx */ || ------------------ | Branch (143:12): [True: 4.01k, False: 12.0k] ------------------ 144| 12.0k| (first_byte & 0xF0) == 0x90 /* fixarray: 1001 xxxx */) ------------------ | Branch (144:12): [True: 3.61k, False: 8.48k] ------------------ 145| 7.62k| { 146| 7.62k| next_size++; // (probably) more to dissect 147| 7.62k| } 148| 8.48k| else if ((first_byte & 0xE0) == 0xA0 /* fixstr: 101x xxxx */) ------------------ | Branch (148:12): [True: 5.68k, False: 2.79k] ------------------ 149| 5.68k| { 150| 5.68k| next_size += 1 + (first_byte & 0x1F); 151| 5.68k| if (next_size < 1) // check for possible overflow ------------------ | Branch (151:9): [True: 0, False: 5.68k] ------------------ 152| 0| return 0; 153| 5.68k| } 154| 2.79k| else if (first_byte == 0xDE /* map16 */ || ------------------ | Branch (154:12): [True: 484, False: 2.31k] ------------------ 155| 2.31k| first_byte == 0xDC /* array16 */) ------------------ | Branch (155:12): [True: 542, False: 1.77k] ------------------ 156| 1.02k| { 157| 1.02k| next_size += 3; // (probably) more to dissect 158| 1.02k| } 159| 1.77k| else if (first_byte == 0xDF /* 
map32 */ || ------------------ | Branch (159:12): [True: 278, False: 1.49k] ------------------ 160| 1.49k| first_byte == 0xDD /* array32 */) ------------------ | Branch (160:12): [True: 71, False: 1.42k] ------------------ 161| 349| { 162| 349| next_size += 5; // (probably) more to dissect 163| 349| } 164| 1.42k| else if (first_byte == 0xD9 /* str8 */ || ------------------ | Branch (164:12): [True: 392, False: 1.02k] ------------------ 165| 1.02k| first_byte == 0xC4 /* bin8 */) ------------------ | Branch (165:12): [True: 94, False: 935] ------------------ 166| 486| { 167| 486| if (*size < 2) ------------------ | Branch (167:9): [True: 2, False: 484] ------------------ 168| 2| return 0; 169| 484| next_size += 2 + get_u_int8_t(*start, 1); ------------------ | | 135| 484|#define get_u_int8_t(X,O) (*(u_int8_t *)((&(((u_int8_t *)X)[O])))) ------------------ 170| 484| if (next_size < 2) // check for possible overflow ------------------ | Branch (170:9): [True: 0, False: 484] ------------------ 171| 0| return 0; 172| 484| } 173| 935| else if (first_byte == 0xDA /* str16 */ || ------------------ | Branch (173:12): [True: 221, False: 714] ------------------ 174| 714| first_byte == 0xC5 /* bin16 */) ------------------ | Branch (174:12): [True: 197, False: 517] ------------------ 175| 418| { 176| 418| if (*size < 3) ------------------ | Branch (176:9): [True: 1, False: 417] ------------------ 177| 1| return 0; 178| 417| next_size += 3 + ntohs(get_u_int16_t(*start, 1)); 179| 417| if (next_size < 3) // check for possible overflow ------------------ | Branch (179:9): [True: 0, False: 417] ------------------ 180| 0| return 0; 181| 417| } 182| 517| else if (first_byte == 0xDB /* str32 */ || ------------------ | Branch (182:12): [True: 279, False: 238] ------------------ 183| 238| first_byte == 0xC6 /* bin32 */) ------------------ | Branch (183:12): [True: 148, False: 90] ------------------ 184| 427| { 185| 427| if (*size < 5) ------------------ | Branch (185:9): [True: 3, False: 
424] ------------------ 186| 3| return 0; 187| 424| next_size += 5 + ntohl(get_u_int32_t(*start, 1)); 188| 424| if (next_size < 5) // check for possible overflow ------------------ | Branch (188:9): [True: 1, False: 423] ------------------ 189| 1| return 0; 190| 424| } 191| | 192| 19.6k| if (next_size == 0) ------------------ | Branch (192:7): [True: 90, False: 19.5k] ------------------ 193| 90| return 0; 194| 19.5k| if (next_size > *size) ------------------ | Branch (194:7): [True: 2.43k, False: 17.0k] ------------------ 195| 2.43k| return 0; 196| | 197| | // check for valid UTF-8 / ASCII strings 198| 17.0k| char const * str = NULL; 199| 17.0k| u_int32_t str_len = 0; 200| 17.0k| if ((first_byte & 0xE0) == 0xA0 /* fixstr */) { ------------------ | Branch (200:7): [True: 4.74k, False: 12.3k] ------------------ 201| 4.74k| str = (const char *)(*start + 1); 202| 4.74k| str_len = next_size - 1; 203| 4.74k| } 204| 12.3k| else if (first_byte == 0xD9 /* str8 */) ------------------ | Branch (204:12): [True: 258, False: 12.0k] ------------------ 205| 258| { 206| 258| str = (const char *)(*start + 2); 207| 258| str_len = next_size - 2; 208| 258| } 209| 12.0k| else if (first_byte == 0xDA /* str16 */) ------------------ | Branch (209:12): [True: 9, False: 12.0k] ------------------ 210| 9| { 211| 9| str = (const char *)(*start + 3); 212| 9| str_len = next_size - 3; 213| 9| } 214| 12.0k| else if (first_byte == 0xDB /* str32 */) ------------------ | Branch (214:12): [True: 4, False: 12.0k] ------------------ 215| 4| { 216| 4| str = (const char *)(*start + 5); 217| 4| str_len = next_size - 5; 218| 4| } 219| 17.0k| if (str != NULL && str_len > 0) { ------------------ | Branch (219:7): [True: 5.01k, False: 12.0k] | Branch (219:22): [True: 4.74k, False: 265] ------------------ 220| 4.74k| u_int32_t i; 221| 31.2k| for (i = 0; i < str_len; ++i) { ------------------ | Branch (221:17): [True: 29.9k, False: 1.30k] ------------------ 222| 29.9k| if (isascii(str[i]) != 0 && 
ndpi_isprint(str[i]) == 0 && ndpi_isspace(str[i]) == 0) ------------------ | | 2529| 15.9k|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 12.1k, False: 3.81k] | | | Branch (2529:43): [True: 11.9k, False: 182] | | ------------------ ------------------ if (isascii(str[i]) != 0 && ndpi_isprint(str[i]) == 0 && ndpi_isspace(str[i]) == 0) ------------------ | | 2528| 3.99k|#define ndpi_isspace(ch) (((ch) >= '\t' && (ch) <= '\r') || ((ch) == ' ')) | | ------------------ | | | Branch (2528:28): [True: 2.11k, False: 1.88k] | | | Branch (2528:44): [True: 549, False: 1.56k] | | | Branch (2528:61): [True: 0, False: 3.44k] | | ------------------ ------------------ | Branch (222:11): [True: 15.9k, False: 14.0k] | Branch (222:35): [True: 3.99k, False: 11.9k] | Branch (222:64): [True: 3.44k, False: 549] ------------------ 223| 3.44k| return 0; 224| 29.9k| } 225| 4.74k| } 226| | 227| 13.6k| (*start) += next_size; 228| 13.6k| (*size) -= next_size; 229| 13.6k| return next_size; 230| 17.0k|} msgpack.c:ndpi_int_msgpack_add_connection: 33| 17|{ 34| 17| NDPI_LOG_INFO(ndpi_struct, "found MessagePack\n"); ------------------ | | 595| 17|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 35| 17| if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (35:7): [True: 1, False: 16] ------------------ 36| 1| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_MSGPACK, NDPI_CONFIDENCE_DPI); 37| 16| } else { 38| 16| ndpi_set_detected_protocol(ndpi_struct, flow, 39| 16| NDPI_PROTOCOL_MSGPACK, 40| 16| NDPI_PROTOCOL_UNKNOWN, 41| 16| NDPI_CONFIDENCE_DPI); 42| 16| } 43| 17|} init_mssql_tds_dissector: 80| 7.08k|{ 81| 7.08k| ndpi_register_dissector("MsSQL_TDS", ndpi_struct, 82| 7.08k| ndpi_search_mssql_tds, 83| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 84| 7.08k| 1, NDPI_PROTOCOL_MSSQL_TDS); 85| 7.08k|} mssql_tds.c:ndpi_search_mssql_tds: /* Purpose: decide whether a TCP payload is MsSQL TDS from the fields of struct tds_packet_header. The flow is reported only when the type/number test (line 65), the status whitelist (line 66) and the length and window test (line 67) all pass; every other path excludes this dissector for the flow. h aliases packet->payload and is first dereferenced on line 65, after line 55 has rejected payloads shorter than the header. */ 49| 13.4k|{ 50| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 51| 13.4k| struct tds_packet_header *h = (struct tds_packet_header*) packet->payload; 52| | 53| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search mssql_tds\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 54| | 55| 13.4k| if((packet->payload_packet_len < sizeof(struct tds_packet_header)) ------------------ | Branch (55:6): [True: 809, False: 12.6k] ------------------ 56| | /* 57| | The TPKT protocol used by ISO 8072 (on port 102) is similar 58| | to this protocol and it can cause false positives 59| | */ /* NOTE(review): 102 is a host-order constant, so htons(102) would state the intent of this comparison; ntohs() is presumably the same byte swap on the supported targets, so the result should not change. */ 60| 12.6k| || (packet->tcp->dest == ntohs(102))) { ------------------ | Branch (60:9): [True: 4, False: 12.6k] ------------------ 61| 813| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 813|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 813| return; 63| 813| } 64| | 65| 12.6k| if((h->number > 0 && h->type >= 1 && h->type <= 8) || (h->type >= 14 && h->type <= 18)) { ------------------ | Branch (65:7): [True: 11.6k, False: 1.03k] | Branch (65:24): [True: 10.7k, False: 909] | Branch (65:40): [True: 612, False: 10.0k] | Branch (65:58): [True: 10.7k, False: 1.23k] | Branch (65:75): [True: 57, False: 10.7k] ------------------ 66| 669| if(h->status == 0x00 || h->status == 0x01 || h->status == 0x02 || h->status == 0x04 || h->status == 0x08 || h->status == 
0x09 || h->status == 0x10) { ------------------ | Branch (66:8): [True: 34, False: 635] | Branch (66:29): [True: 115, False: 520] | Branch (66:50): [True: 230, False: 290] | Branch (66:71): [True: 13, False: 277] | Branch (66:92): [True: 15, False: 262] | Branch (66:113): [True: 0, False: 262] | Branch (66:134): [True: 1, False: 261] ------------------ /* NOTE(review): in this run the length match on line 67 was never true (0 of 408), so the detection call on line 69 is not exercised by this corpus. */ 67| 408| if(ntohs(h->length) == packet->payload_packet_len && h->window == 0x00) { ------------------ | Branch (67:10): [True: 0, False: 408] | Branch (67:60): [True: 0, False: 0] ------------------ 68| 0| NDPI_LOG_INFO(ndpi_struct, "found mssql_tds\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 69| 0| ndpi_int_mssql_tds_add_connection(ndpi_struct, flow); 70| 0| return; 71| 0| } 72| 408| } 73| 669| } 74| | 75| 12.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 12.6k|} init_mudfish_dissector: /* Registers ndpi_search_mudfish under the name Mudfish; the selection bitmask expanded below combines IPv4-or-IPv6, TCP-or-UDP, has-payload and no-TCP-retransmission. */ 92| 7.08k|{ 93| 7.08k| ndpi_register_dissector("Mudfish", ndpi_struct, 94| 7.08k| ndpi_search_mudfish, 95| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 96| 7.08k| 1, NDPI_PROTOCOL_MUDFISH); 97| 7.08k|} mudfish.c:ndpi_search_mudfish: /* Purpose: decide whether a flow is Mudfish. When packet->udp is set, the packet is excluded unless the source or the destination port passes the 10000 to 10010 window test, and only a one-byte 0x50 ping is accepted, and only once flow->packet_counter is at least 2. When packet->udp is NULL, a 7-byte discovery request and a discovery response longer than 8 bytes are matched against fixed byte patterns. Everything else excludes this dissector for the flow. */ 40| 19.6k|{ 41| 19.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 42| | 43| 19.6k| NDPI_LOG_DBG(ndpi_struct, "search Mudfish\n"); ------------------ | | 596| 19.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| | 45| 19.6k| if (packet->udp != NULL) ------------------ | Branch (45:7): [True: 6.14k, False: 13.4k] ------------------ 46| 6.14k| { /* NOTE(review): source and dest are compared with htons(10000) and htons(10010) using < and >, so the ordering is evaluated on byte-swapped values; on a little-endian host that does not follow numeric port order. Converting each field once with ntohs() and comparing with 10000 and 10010 would make the range test match the intended ports - assumes the udp header fields are in network order, TODO confirm. */ 47| 6.14k| if ((packet->udp->source < htons(10000) || ------------------ | Branch (47:10): [True: 469, False: 5.67k] ------------------ 48| 5.67k| packet->udp->source > htons(10010)) && ------------------ | Branch (48:10): [True: 5.42k, False: 247] ------------------ 49| 5.89k| (packet->udp->dest < htons(10000) || ------------------ | Branch (49:10): [True: 436, False: 5.45k] ------------------ 50| 5.45k| packet->udp->dest > htons(10010))) ------------------ | Branch (50:10): [True: 5.43k, False: 29] ------------------ 51| 5.86k| { 52| 5.86k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.86k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 5.86k| return; 54| 5.86k| } 55| | 56| | // Mudfish ping 57| 276| if (packet->payload_packet_len == 1 && ------------------ | Branch (57:9): [True: 103, False: 173] ------------------ 58| 103| packet->payload[0] == 0x50) ------------------ | Branch (58:9): [True: 1, False: 102] ------------------ 59| 1| { /* When the counter is below 2 the function returns without reporting and without excluding the dissector. */ 60| 1| if (flow->packet_counter >= 2) ------------------ | Branch (60:11): [True: 0, False: 1] ------------------ 61| 0| ndpi_int_mudfish_add_connection(ndpi_struct, flow); 62| 1| return; 63| 1| } 64| | 65| 275| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 275|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 275| return; 67| 276| } 68| | 69| | // Mudfish discovery request 70| 13.4k| if (packet->payload_packet_len == 7 && ------------------ | Branch (70:7): [True: 14, False: 13.4k] ------------------ 71| 14| get_u_int32_t(packet->payload, 0) == htonl(0x554e2076) && ------------------ | | 137| 
14|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (71:7): [True: 0, False: 14] ------------------ 72| 0| get_u_int16_t(packet->payload, 4) == htons(0x320d) && ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (72:7): [True: 0, False: 0] ------------------ 73| 0| packet->payload[6] == 0x0a) ------------------ | Branch (73:7): [True: 0, False: 0] ------------------ 74| 0| { 75| 0| ndpi_int_mudfish_add_connection(ndpi_struct, flow); 76| 0| return; 77| 0| } 78| | /* NOTE(review): lines 81 and 82 both read the 32-bit word at offset 0 and require it to equal two different constants, so the condition cannot be true (line 82 has 0 hits in this run). The second read presumably should use offset 4, which the payload_packet_len > 8 guard already covers - confirm against the protocol. */ 79| | // Check discovery response 80| 13.4k| if (packet->payload_packet_len > 8 && ------------------ | Branch (80:7): [True: 12.6k, False: 877] ------------------ 81| 12.6k| get_u_int32_t(packet->payload, 0) == htonl(0x554e2041) && ------------------ | | 137| 12.6k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (81:7): [True: 0, False: 12.6k] ------------------ 82| 0| get_u_int32_t(packet->payload, 0) == htonl(0x465f494e)) ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (82:7): [True: 0, False: 0] ------------------ 83| 0| { 84| 0| ndpi_int_mudfish_add_connection(ndpi_struct, flow); 85| 0| return; 86| 0| } 87| | 88| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 89| 13.4k|} init_mumble_dissector: /* Registers ndpi_search_mumble under the name Mumble; the selection bitmask expanded below combines IPv4-or-IPv6, UDP and has-payload. */ 65| 7.08k|{ 66| 7.08k| ndpi_register_dissector("Mumble", ndpi_struct, 67| 7.08k| ndpi_search_mumble, 68| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 
627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 69| 7.08k| 1, NDPI_PROTOCOL_MUMBLE); 70| 7.08k|} mumble.c:ndpi_search_mumble: /* Purpose: two-step Mumble check with state kept in flow->l4.udp. A 12-byte client-to-server packet whose first four bytes are zero stores the 8 bytes at offset 4 as mumble_ident and sets mumble_stage to 1; a 24-byte packet seen while mumble_stage is 1 marks the flow as Mumble when its 8 bytes at offset 4 equal that ident. Both 8-byte reads at offset 4 end at byte 11, inside the 12- and 24-byte payloads. Every other packet jumps to not_mumble and excludes the dissector. */ 34| 3.35k|{ 35| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search Mumble\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 38| | 39| 3.35k| if (current_pkt_from_client_to_server(ndpi_struct, flow) && ------------------ | Branch (39:7): [True: 3.16k, False: 189] ------------------ 40| 3.16k| packet->payload_packet_len == 12) ------------------ | Branch (40:7): [True: 28, False: 3.13k] ------------------ 41| 28| { 42| 28| if (get_u_int32_t(packet->payload, 0) == 0) { ------------------ | | 137| 28|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (42:9): [True: 1, False: 27] ------------------ 43| 1| flow->l4.udp.mumble_stage = 1; 44| 1| flow->l4.udp.mumble_ident = ndpi_ntohll(get_u_int64_t(packet->payload, 4)); ------------------ | | 148| 1|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 45| 1| return; 46| 1| } 47| 27| goto not_mumble; 48| 28| } 49| | /* NOTE(review): the stage-1 branch on line 50 was never true in this run (0 of 3.32k), so the ident comparison and the detection call on lines 51-55 are not exercised by this corpus. */ 50| 3.32k| if (flow->l4.udp.mumble_stage == 1 && packet->payload_packet_len == 24) { ------------------ | Branch (50:7): [True: 0, False: 3.32k] | Branch (50:41): [True: 0, False: 0] ------------------ 51| 0| if (ndpi_ntohll(get_u_int64_t(packet->payload, 4)) == flow->l4.udp.mumble_ident) { ------------------ | | 148| 0|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (51:9): [True: 0, False: 0] ------------------ 52| 0| NDPI_LOG_INFO(ndpi_struct, "found Mumble\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 53| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MUMBLE, 54| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 55| 0| return; 56| 0| } 57| 0| goto not_mumble; 58| 0| } 59| | 60| 3.35k|not_mumble: 61| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 3.35k|} init_munin_dissector: /* Registers ndpi_search_munin under the name Munin; the selection bitmask expanded below combines IPv4-or-IPv6, TCP, has-payload and no-TCP-retransmission. */ 83| 7.08k|{ 84| 7.08k| ndpi_register_dissector("Munin", ndpi_struct, 85| 7.08k| ndpi_search_munin, 86| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 87| 7.08k| 1, NDPI_PROTOCOL_MUNIN); 88| 7.08k|} munin.c:ndpi_search_munin: /* Purpose: match the Munin banner. The payload must start with the 16 bytes of munin_prefix; the length is checked on line 51 before the memcmp on line 57, and a mismatch excludes the dissector. A match is reported as Munin first (line 63); the bytes after the prefix are then handed to ndpi_hostname_sni_set as the hostname, and NDPI_MALFORMED_PACKET is raised instead when the last payload byte is not a newline or no hostname bytes remain. */ 44| 11.7k|{ 45| 11.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| 11.7k| static char const munin_prefix[] = "# munin node at "; 47| | 48| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search munin\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| | // "# munin node at " 51| 11.7k| if (packet->payload_packet_len < NDPI_STATICSTRING_LEN(munin_prefix)) ------------------ | | 98| 11.7k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (51:7): [True: 1.33k, False: 10.3k] ------------------ 52| 1.33k| { 53| 1.33k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.33k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 54| 1.33k| return; 55| 1.33k| } 56| | 57| 10.3k| if (memcmp(packet->payload, munin_prefix, NDPI_STATICSTRING_LEN(munin_prefix)) != 0) ------------------ | | 98| 10.3k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (57:7): [True: 10.3k, False: 3] ------------------ 58| 10.3k| { 59| 10.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 10.3k| return; 61| 10.3k| } 62| | 63| 3| ndpi_int_munin_add_connection(ndpi_struct, flow); 64| | 65| 3| if 
(packet->payload[packet->payload_packet_len - 1] != '\n') ------------------ | Branch (65:7): [True: 2, False: 1] ------------------ 66| 2| { 67| 2| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); 68| 2| return; 69| 2| } 70| | /* The subtraction below cannot wrap: a payload of exactly 16 bytes ends with the space that closes munin_prefix, so it fails the newline test on line 65 and returns first; any payload reaching line 71 has at least 17 bytes, and a 17-byte payload gives host_len 0, which takes the else branch on line 75. */ 71| 1| size_t host_len = packet->payload_packet_len - NDPI_STATICSTRING_LEN(munin_prefix) - 1; ------------------ | | 98| 1|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 72| 1| if (host_len > 0) ------------------ | Branch (72:7): [True: 1, False: 0] ------------------ 73| 1| { 74| 1| ndpi_hostname_sni_set(flow, packet->payload + NDPI_STATICSTRING_LEN(munin_prefix), host_len, NDPI_HOSTNAME_NORM_ALL); ------------------ | | 98| 1|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ ndpi_hostname_sni_set(flow, packet->payload + NDPI_STATICSTRING_LEN(munin_prefix), host_len, NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 1|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 1|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 1|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 1|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 75| 1| } else { 76| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing Munin Hostname"); 77| 0| } 78| 1|} munin.c:ndpi_int_munin_add_connection: /* Marks the flow as NDPI_PROTOCOL_MUNIN with NDPI_CONFIDENCE_DPI through ndpi_set_detected_protocol. */ 31| 3|{ 32| 3| NDPI_LOG_INFO(ndpi_struct, "found munin\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 33| | 34| 3| ndpi_set_detected_protocol(ndpi_struct, flow, 35| 3| NDPI_PROTOCOL_MUNIN, 36| 3| NDPI_PROTOCOL_UNKNOWN, 37| 3| NDPI_CONFIDENCE_DPI); 38| 3|} init_mysql_dissector: 66| 7.08k|{ 67| 7.08k| ndpi_register_dissector("MySQL", ndpi_struct, 68| 7.08k| ndpi_search_mysql_tcp, 69| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 70| 7.08k| 1, NDPI_PROTOCOL_MYSQL); 71| 7.08k|} mysql.c:ndpi_search_mysql_tcp: /* Purpose: look for a MySQL packet in payloads of 71 to 119 bytes. The first three bytes are read as a little-endian length that must equal payload_packet_len - 4, byte 4 must be 0x0A, the bytes at offset 5 must start with 5.5.5- or with a byte from 0x34 to 0x38, and the payload must end with one of the listed suffixes (presumably authentication plugin names) followed by one unchecked byte. Every index used is either below 11 or within 10 bytes of the end, so all reads stay inside a payload longer than 70 bytes. Anything else excludes the dissector. */ 35| 13.4k|{ 36| 13.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 37| | 38| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search MySQL\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 13.4k| if(packet->payload_packet_len > 70 && packet->payload_packet_len < 120) { ------------------ | Branch (40:6): [True: 3.35k, False: 10.1k] | Branch (40:41): [True: 761, False: 2.59k] ------------------ 41| 761| u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0]; 42| | /* NOTE(review): the length equality on line 43 was never true in this run (0 of 761), so none of the later checks or the detection call on line 55 are exercised by this corpus. */ 43| 761| if ((u_int32_t)(packet->payload_packet_len-4) == length && ------------------ | Branch (43:9): [True: 0, False: 761] ------------------ 44| 0| packet->payload[4] == 0x0A && ((memcmp(&packet->payload[5], "5.5.5-", 6) == 0) || ------------------ | Branch (44:9): [True: 0, False: 0] | Branch (44:40): [True: 0, False: 0] ------------------ 45| 0| (packet->payload[5] > 0x33 && packet->payload[5] < 0x39))) ------------------ | Branch (45:10): [True: 0, False: 0] | Branch (45:39): [True: 0, False: 0] ------------------ 46| 0| { 47| 0| if ((memcmp(&packet->payload[packet->payload_packet_len-10], "_password", 9) == 0) || ------------------ | Branch (47:11): [True: 0, False: 0] ------------------ 48| 0| (memcmp(&packet->payload[packet->payload_packet_len-10], "_kerberos", 9) == 0) || ------------------ | Branch (48:11): [True: 0, False: 0] ------------------ 49| 0| (memcmp(&packet->payload[packet->payload_packet_len-9], "_windows", 8) == 0) || ------------------ | Branch (49:11): [True: 0, False: 0] ------------------ 50| 0| (memcmp(&packet->payload[packet->payload_packet_len-8], "_simple", 7) == 0) || ------------------ | Branch (50:11): [True: 0, False: 0] ------------------ 51| 0| 
(memcmp(&packet->payload[packet->payload_packet_len-8], "_gssapi", 7) == 0) || ------------------ | Branch (51:11): [True: 0, False: 0] ------------------ 52| 0| (memcmp(&packet->payload[packet->payload_packet_len-5], "_pam", 4) == 0)) ------------------ | Branch (52:11): [True: 0, False: 0] ------------------ 53| 0| { 54| 0| NDPI_LOG_INFO(ndpi_struct, "found MySQL\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 55| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 56| 0| return; 57| 0| } 58| 0| } 59| 761| } 60| | 61| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 13.4k|} init_nano_dissector: /* Registers ndpi_search_nano under the name Nano; the selection bitmask expanded below combines IPv4-or-IPv6, TCP, has-payload and no-TCP-retransmission. */ 83| 7.08k|{ 84| 7.08k| ndpi_register_dissector("Nano", ndpi_struct, 85| 7.08k| ndpi_search_nano, 86| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 87| 7.08k| 1, NDPI_PROTOCOL_NANO); 88| 7.08k|} nano.c:ndpi_search_nano: 57| 11.6k|{ 58| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 59| | 60| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Nano Network Protocol\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 61| | 62| 11.6k| if (packet->payload_packet_len > 32 && ------------------ | Branch (62:7): [True: 4.75k, False: 6.88k] ------------------ 63| 4.75k| packet->payload[0] == 'R' && packet->payload[1] == 'C') ------------------ | Branch (63:7): [True: 7, False: 4.74k] | Branch (63:36): [True: 1, False: 6] ------------------ 64| 1| { 65| 1| const u_int8_t max_ver = packet->payload[2]; 66| 1| const u_int8_t use_ver = packet->payload[3]; 67| 1| const u_int8_t min_ver = packet->payload[4]; 68| | 69| 1| if (max_ver == NANO_MAX_PROTOCOL_VER && ------------------ | | 38| 2|#define NANO_MAX_PROTOCOL_VER 20 ------------------ | Branch (69:9): [True: 0, False: 1] ------------------ 70| 0| use_ver <= NANO_MAX_PROTOCOL_VER && use_ver >= NANO_MIN_PROTOCOL_VER && ------------------ | | 38| 1|#define NANO_MAX_PROTOCOL_VER 20 ------------------ use_ver <= NANO_MAX_PROTOCOL_VER && use_ver >= NANO_MIN_PROTOCOL_VER && ------------------ | | 37| 1|#define NANO_MIN_PROTOCOL_VER 18 ------------------ | Branch (70:9): [True: 0, False: 0] | Branch (70:45): [True: 0, False: 0] ------------------ 71| 0| min_ver >= NANO_MIN_PROTOCOL_VER && min_ver < NANO_MAX_PROTOCOL_VER && ------------------ | | 37| 1|#define NANO_MIN_PROTOCOL_VER 18 ------------------ min_ver >= NANO_MIN_PROTOCOL_VER && min_ver < NANO_MAX_PROTOCOL_VER && ------------------ | | 38| 1|#define NANO_MAX_PROTOCOL_VER 20 ------------------ | Branch (71:9): [True: 0, False: 0] | Branch (71:45): [True: 0, False: 0] ------------------ 72| 0| packet->payload[5] <= 0x0F) ------------------ | Branch (72:9): [True: 0, False: 0] ------------------ 73| 0| { 74| 0| ndpi_int_nano_add_connection(ndpi_struct, flow); 75| 0| return; 76| 0| } 77| 1| } 78| | 79| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 80| 
11.6k|} init_natpmp_dissector: 192| 7.08k|{ 193| 7.08k| ndpi_register_dissector("NAT-PMP", ndpi_struct, 194| 7.08k| ndpi_search_natpmp, 195| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 196| 7.08k| 1, NDPI_PROTOCOL_NATPMP); 197| 7.08k|} natpmp.c:ndpi_search_natpmp: 168| 3.36k|{ 169| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 170| 3.36k| enum natpmp_type natpmp_type; 171| | 172| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search nat-pmp\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) 
/*
 * Review note for the coverage rows that follow: the tail of ndpi_search_natpmp
 * (natpmp.c source lines 173-189), all of natpmp_is_valid (source lines 70-115)
 * and the first rows of natpmp_is_common_header (source lines 65-66).
 *
 * natpmp_is_valid decides whether a payload has the shape of a NAT-PMP message
 * and reports the opcode through *natpmp_type. It returns 1 when accepted, 0 otherwise.
 *
 * Bounds reasoning visible in these rows:
 *  - payload[1] (source line 76) is read only after natpmp_is_common_header has
 *    required payload_packet_len >= 2 (source line 66).
 *  - Every case pins an exact payload length before reading further: 2 for the
 *    address request, 12 for the mapping requests, 12 or 16 for the responses.
 *    The 16-bit read at offset 2 on source line 87 sits behind a short-circuit
 *    "||", so it is evaluated only when the length is exactly 12. The read on
 *    source line 102 is reached only after the 12/16 length test on lines 95-96.
 *  - get_u_int16_t (expansion shown at line 136) dereferences a byte pointer cast
 *    to a u_int16_t pointer. Whether payload + 2 is suitably aligned is not shown
 *    here. NOTE(review): a memcpy-based load would avoid alignment and aliasing
 *    assumptions on strict-alignment targets. Confirm against the supported platforms.
 *  - *natpmp_type is assigned from the raw payload byte before any validation
 *    (source line 76), so on a 0 return the caller's enum holds an unvalidated
 *    value. In the rows shown, ndpi_search_natpmp returns straight after
 *    excluding the dissector in that case (source lines 174-178).
 *
 * Coverage gaps in this run: the result-code check (source lines 101-108) and
 * the detection branch of ndpi_search_natpmp (source lines 182-188) both show
 * 0 hits, so neither path was exercised by the fuzzing corpus.
 */
{ (void)mod; /* printf(args); */ } ------------------ 173| | 174| 3.36k| if (natpmp_is_valid(packet, &natpmp_type) == 0) ------------------ | Branch (174:7): [True: 3.35k, False: 4] ------------------ 175| 3.35k| { 176| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 177| 3.35k| return; 178| 3.35k| } 179| | 180| 4| if ((flow->packet_counter > 2 && natpmp_type != NATPMP_REQUEST_ADDRESS) || ------------------ | Branch (180:8): [True: 0, False: 4] | Branch (180:36): [True: 0, False: 0] ------------------ 181| 4| ntohs(packet->udp->source) == NATPMP_PORT || ntohs(packet->udp->dest) == NATPMP_PORT) ------------------ | | 29| 8|#define NATPMP_PORT 5351 ------------------ ntohs(packet->udp->source) == NATPMP_PORT || ntohs(packet->udp->dest) == NATPMP_PORT) ------------------ | | 29| 4|#define NATPMP_PORT 5351 ------------------ | Branch (181:7): [True: 0, False: 4] | Branch (181:52): [True: 0, False: 4] ------------------ 182| 0| { 183| 0| ndpi_int_natpmp_add_connection(ndpi_struct, flow); 184| 0| if (ndpi_search_natpmp_extra(ndpi_struct, flow) == 0) ------------------ | Branch (184:9): [True: 0, False: 0] ------------------ 185| 0| { 186| 0| natpmp_disable_extra_dissection(flow); 187| 0| } 188| 0| } 189| 4|} natpmp.c:natpmp_is_valid: 70| 3.36k|{ 71| 3.36k| if (natpmp_is_common_header(packet) == 0) ------------------ | Branch (71:7): [True: 2.39k, False: 968] ------------------ 72| 2.39k| { 73| 2.39k| return 0; 74| 2.39k| } 75| | 76| 968| *natpmp_type = packet->payload[1]; 77| 968| switch (*natpmp_type) 78| 968| { 79| 250| case NATPMP_REQUEST_ADDRESS: ------------------ | Branch (79:5): [True: 250, False: 718] ------------------ 80| 250| if (packet->payload_packet_len != 2) ------------------ | Branch (80:11): [True: 246, False: 4] ------------------ 81| 246| { 82| 246| return 0; 83| 246| } 
84| 4| break; 85| 47| case NATPMP_REQUEST_UDP_MAPPING: ------------------ | Branch (85:5): [True: 47, False: 921] ------------------ 86| 76| case NATPMP_REQUEST_TCP_MAPPING: ------------------ | Branch (86:5): [True: 29, False: 939] ------------------ 87| 76| if (packet->payload_packet_len != 12 || get_u_int16_t(packet->payload, 2) != 0x0000) ------------------ | | 136| 1|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (87:11): [True: 75, False: 1] | Branch (87:47): [True: 1, False: 0] ------------------ 88| 76| { 89| 76| return 0; 90| 76| } 91| 0| break; 92| 1| case NATPMP_RESPONSE_ADDRESS: ------------------ | Branch (92:5): [True: 1, False: 967] ------------------ 93| 3| case NATPMP_RESPONSE_UDP_MAPPING: ------------------ | Branch (93:5): [True: 2, False: 966] ------------------ 94| 4| case NATPMP_RESPONSE_TCP_MAPPING: ------------------ | Branch (94:5): [True: 1, False: 967] ------------------ 95| 4| if ((*natpmp_type == NATPMP_RESPONSE_ADDRESS && packet->payload_packet_len != 12) || ------------------ | Branch (95:12): [True: 1, False: 3] | Branch (95:55): [True: 1, False: 0] ------------------ 96| 3| (*natpmp_type != NATPMP_RESPONSE_ADDRESS && packet->payload_packet_len != 16)) ------------------ | Branch (96:12): [True: 3, False: 0] | Branch (96:55): [True: 3, False: 0] ------------------ 97| 4| { 98| 4| return 0; 99| 4| } 100| | 101| 0| { 102| 0| u_int16_t result_code = ntohs(get_u_int16_t(packet->payload, 2)); 103| 0| if (result_code > 5) ------------------ | Branch (103:13): [True: 0, False: 0] ------------------ 104| 0| { 105| 0| return 0; 106| 0| } 107| 0| } 108| 0| break; 109| | 110| 638| default: ------------------ | Branch (110:5): [True: 638, False: 330] ------------------ 111| 638| return 0; 112| 968| } 113| | 114| 4| return 1; 115| 968|} natpmp.c:natpmp_is_common_header: 65| 3.36k|{ 66| 3.36k| return packet->payload_packet_len >= 2 && packet->payload[0] == 0x00 /* Protocol version: 0x00 */; 
------------------ | Branch (66:10): [True: 3.25k, False: 107] | Branch (66:45): [True: 968, False: 2.28k] ------------------ 67| 3.36k|} init_nats_dissector: 76| 7.08k|void init_nats_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 77| 7.08k| ndpi_register_dissector("Nats", ndpi_struct, 78| 7.08k| ndpi_search_nats_tcp, 79| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
/*
 * Review note for the coverage rows that follow: the end of init_nats_dissector,
 * all of ndpi_search_nats_tcp (nats.c source lines 42-72) and the start of
 * init_nest_log_sink_dissector.
 *
 * ndpi_search_nats_tcp compares the start of the TCP payload with each entry of
 * `commands` (defined outside these rows; the loop stops at a NULL entry). It
 * marks the flow as NATS when a command prefix matches and "\r\n" occurs within
 * payload_packet_len bytes; otherwise it excludes the dissector.
 *
 * Points a maintainer should know:
 *  - Source lines 51-52: for payload_packet_len <= 4 the dissector is excluded,
 *    but no `return` follows, so control falls through into the command loop.
 *    The counters agree: line 52 ran 736 times, yet the loop exit on line 54 and
 *    the second NDPI_EXCLUDE_DISSECTOR on line 70 were each reached about 13.4k
 *    times, which is every call. NOTE(review): this looks like a missing early
 *    return. In the visible code the effect is redundant work and a second
 *    exclusion call for short payloads. Confirm intent in nats.c.
 *  - Source line 55 caps the strncmp length at payload_packet_len, and
 *    ndpi_strnstr on lines 60-62 is given the same bound. Neither call is asked
 *    to look past the captured payload, which is not assumed to be NUL-terminated.
 *  - ndpi_min (expansion shown at line 113) does not parenthesise its arguments
 *    and here mixes the strlen result with payload_packet_len before storing
 *    into an int. That is harmless for the values in these rows, but worth
 *    keeping in mind if the macro is reused with expressions.
 *  - The `if(packet->tcp)` guard on source line 48 was never false in this run
 *    (False: 0).
 */
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 80| 7.08k| 1, NDPI_PROTOCOL_NATS); 81| 7.08k|} nats.c:ndpi_search_nats_tcp: 42| 13.4k| struct ndpi_flow_struct *flow) { 43| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| | /* Check connection over TCP */ 46| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search NATS\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 13.4k| if(packet->tcp) { ------------------ | Branch (48:6): [True: 13.4k, False: 0] ------------------ 49| 13.4k| int i; 50| | 51| 13.4k| if(packet->payload_packet_len <= 4) ------------------ | Branch (51:8): [True: 736, False: 12.7k] ------------------ 52| 736| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 736|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| | 54| 121k| for(i=0; commands[i] != NULL; i++) { ------------------ | Branch (54:14): [True: 107k, False: 13.4k] ------------------ 55| 107k| int len = ndpi_min(strlen(commands[i]), packet->payload_packet_len); ------------------ | | 113| 107k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 101k, False: 6.15k] | | ------------------ ------------------ 56| 107k| int rc = strncmp((const char *)packet->payload, commands[i], len); 57| | 58| 107k| if(rc != 0) continue; ------------------ | Branch (58:10): [True: 107k, False: 11] ------------------ 59| | 60| 11| if(ndpi_strnstr((const char *)packet->payload, ------------------ | Branch (60:10): [True: 1, False: 10] ------------------ 61| 11| "\r\n", 62| 11| packet->payload_packet_len) != NULL) { 63| 1| NDPI_LOG_INFO(ndpi_struct, "found NATS\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 64| | 65| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NATS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 66| 1| return; 67| 1| } 68| 11| } 69| | 70| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 71| 13.4k| } 72| 13.4k|} init_nest_log_sink_dissector: 67| 7.08k|{ 68| 7.08k| ndpi_register_dissector("NEST_LOG_SINK", ndpi_struct, 69| 7.08k| ndpi_search_nest_log_sink, 70| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 71| 7.08k| 1, NDPI_PROTOCOL_NEST_LOG_SINK); 72| 7.08k|} nest_log_sink.c:ndpi_search_nest_log_sink: 39| 11.8k|{ 40| 11.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 41| | 42| 11.8k| NDPI_LOG_DBG(ndpi_struct, "search nest_log_sink\n"); ------------------ | | 596| 11.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 43| | 44| 11.8k| if (packet->payload_packet_len < NEST_LOG_SINK_MIN_LEN) { ------------------ | | 34| 11.8k|#define NEST_LOG_SINK_MIN_LEN 8 ------------------ | Branch (44:9): [True: 808, False: 10.9k] ------------------ 45| 808| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 808|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 46| 808| return; 47| 808| } 48| | 49| 10.9k| if (ntohs(packet->tcp->source) != NEST_LOG_SINK_PORT && ------------------ | | 33| 21.9k|#define NEST_LOG_SINK_PORT 11095 ------------------ | Branch (49:9): [True: 10.9k, False: 0] ------------------ 50| 10.9k| ntohs(packet->tcp->dest) != NEST_LOG_SINK_PORT) { ------------------ | | 33| 10.9k|#define NEST_LOG_SINK_PORT 11095 ------------------ | Branch (50:13): [True: 10.9k, False: 0] ------------------ 51| 10.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 10.9k| return; 53| 10.9k| } 54| | 55| 0| if (packet->payload[1] <= 0x02 && ------------------ | Branch (55:9): 
/*
 * Review note for the coverage rows that follow: the tail of
 * ndpi_search_nest_log_sink, all of ndpi_netbios_name_interpret (source lines
 * 54-91) and the start of init_netbios_dissector.
 *
 * ndpi_netbios_name_interpret decodes a length-prefixed, pair-encoded name from
 * `in` into `out`. Each output byte is built from two input bytes as
 * ((in[0] - 'A') << 4) + (in[1] - 'A'), and only bytes accepted by
 * is_printable_char() are kept. It returns -1 when the length test on source
 * line 63 rejects the input, otherwise the number of bytes kept (`ret`, an
 * unsigned counter returned through an int). Trailing spaces are trimmed after
 * counting, so the return value can exceed the length of the trimmed string.
 *
 * Preconditions the function relies on but does not check (TODO confirm at
 * every call site):
 *  - in_len >= 1: in[0] is read on source line 57 and in_len is decremented on
 *    line 58 before any length test. With in_len == 0 that read is outside the
 *    buffer and the unsigned decrement wraps.
 *  - out_len >= 1: out_len is decremented on source line 60 and out[0] is
 *    written on line 61 unconditionally. With out_len == 0 the decrement wraps
 *    and the write lands outside a zero-length buffer.
 *
 * What keeps the loop in bounds: source line 63 requires len <= out_len (already
 * reduced by one, which leaves room for the terminator) and 2*len <= the
 * remaining in_len. `idx` is seeded from in_len before the decrement, so the
 * `idx < 2` test on line 67 is not an exact remaining-bytes check. It shows 0
 * true hits in this run, and the line-63 test is the effective guard.
 *
 * Termination caveat: a rejected byte is still stored at out[out_idx] before the
 * printable test. When no byte was kept (out_idx == 0 at source line 80; 2 hits
 * in this run) no terminator is written there, so out[0] may hold the last
 * rejected byte. NOTE(review): callers should use `out` only when the return
 * value is greater than 0. Verify that they do.
 */
[True: 0, False: 0] ------------------ 56| 0| (packet->payload[2] == 0x00 || packet->payload[2] == 0x10) && ------------------ | Branch (56:14): [True: 0, False: 0] | Branch (56:44): [True: 0, False: 0] ------------------ 57| 0| packet->payload[3] == 0x13) ------------------ | Branch (57:13): [True: 0, False: 0] ------------------ 58| 0| flow->l4.tcp.nest_log_sink_matches++; 59| | 60| 0| if (flow->l4.tcp.nest_log_sink_matches == NEST_LOG_SINK_MIN_MATCH) { ------------------ | | 35| 0|#define NEST_LOG_SINK_MIN_MATCH 3 ------------------ | Branch (60:9): [True: 0, False: 0] ------------------ 61| 0| NDPI_LOG_INFO(ndpi_struct, "found nest_log_sink\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 62| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NEST_LOG_SINK, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 63| 0| } 64| 0|} ndpi_netbios_name_interpret: 54| 688|int ndpi_netbios_name_interpret(u_char *in, u_int in_len, u_char *out, u_int out_len) { 55| 688| u_int ret = 0, len, idx = in_len, out_idx = 0; 56| | 57| 688| len = in[0] / 2; 58| 688| in++, in_len--; 59| | 60| 688| out_len--; 61| 688| out[out_idx] = 0; 62| | 63| 688| if((len > out_len) || (len < 1) || ((2*len) > in_len)) ------------------ | Branch (63:6): [True: 1, False: 687] | Branch (63:25): [True: 1, False: 686] | Branch (63:38): [True: 2, False: 684] ------------------ 64| 4| return(-1); 65| | 66| 10.5k| while((len--) && (out_idx < out_len)) { ------------------ | Branch (66:9): [True: 10.0k, False: 552] | Branch (66:20): [True: 10.0k, False: 0] ------------------ 67| 10.0k| if((idx < 2) || is_stop_char(in[0]) || is_stop_char(in[1])) { ------------------ | Branch (67:8): [True: 0, False: 10.0k] | Branch (67:21): [True: 109, False: 9.90k] | Branch (67:44): [True: 23, False: 9.88k] ------------------ 68| 132| out[out_idx] = 0; 69| 132| break; 70| 132| } 71| | 72| 9.88k| out[out_idx] = ((in[0] - 'A') << 4) + (in[1] - 
'A'); 73| 9.88k| in += 2, idx -= 2; 74| | 75| 9.88k| if(is_printable_char(out[out_idx])) ------------------ | Branch (75:8): [True: 9.40k, False: 480] ------------------ 76| 9.40k| out_idx++, ret++; 77| 9.88k| } 78| | 79| | /* Trim trailing whitespace from the returned string */ 80| 684| if(out_idx > 0) { ------------------ | Branch (80:6): [True: 682, False: 2] ------------------ 81| 682| out[out_idx] = 0; 82| 682| out_idx--; 83| | 84| 3.87k| while((out_idx > 0) && (out[out_idx] == ' ')) { ------------------ | Branch (84:11): [True: 3.86k, False: 13] | Branch (84:28): [True: 3.19k, False: 669] ------------------ 85| 3.19k| out[out_idx] = 0; 86| 3.19k| out_idx--; 87| 3.19k| } 88| 682| } 89| | 90| 684| return(ret); 91| 688|} init_netbios_dissector: 419| 7.08k|{ 420| 7.08k| ndpi_register_dissector("NETBIOS", ndpi_struct, 421| 7.08k| ndpi_search_netbios, 422| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 423| 7.08k| 1, NDPI_PROTOCOL_NETBIOS); 424| 7.08k|} netbios.c:is_stop_char: 47| 19.9k|static int is_stop_char(u_char c) { 48| 19.9k| return(((c < 'A') || (c > 'P')) ? 1 : 0); ------------------ | Branch (48:11): [True: 22, False: 19.8k] | Branch (48:24): [True: 110, False: 19.7k] ------------------ 49| 19.9k|} netbios.c:is_printable_char: 41| 9.88k|static int is_printable_char(unsigned char c) { 42| 9.88k| return(((c >= 0x20) && (c <= 0x7e)) ? 1 : 0); ------------------ | Branch (42:11): [True: 9.40k, False: 477] | Branch (42:26): [True: 9.40k, False: 3] ------------------ 43| 9.88k|} netbios.c:ndpi_search_netbios: 120| 18.6k| struct ndpi_flow_struct *flow) { 121| 18.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 122| 18.6k| u_int16_t dport; 123| | 124| 18.6k| NDPI_LOG_DBG(ndpi_struct, "search netbios\n"); ------------------ | | 596| 18.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 125| | 126| 18.6k| if(packet->udp != NULL) { ------------------ | Branch (126:6): [True: 5.14k, False: 13.4k] ------------------ 127| 5.14k| dport = ntohs(packet->udp->dest); 128| | 129| | /*check standard NETBIOS over udp to port 137 */ 130| 5.14k| if((dport == 137 || 0) && packet->payload_packet_len >= 50) { ------------------ | Branch (130:9): [True: 823, False: 4.32k] | Branch (130:25): [Folded, False: 0] | Branch (130:31): [True: 806, False: 17] ------------------ 131| 806| struct netbios_header h; 132| | 133| 806| memcpy(&h, packet->payload, sizeof(struct netbios_header)); 134| 806| h.transaction_id = ntohs(h.transaction_id), h.flags = ntohs(h.flags), 135| 806| h.questions = ntohs(h.questions), h.answer_rrs = ntohs(h.answer_rrs), 136| 806| h.authority_rrs = ntohs(h.authority_rrs), h.additional_rrs = ntohs(h.additional_rrs); 137| | 138| 806| NDPI_LOG_DBG(ndpi_struct, "found netbios port 137 and payload_packet_len 50\n"); ------------------ | | 596| 806|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 139| | 140| 806| if(h.flags == 0 && ------------------ | Branch (140:10): [True: 4, False: 802] ------------------ 141| 4| h.questions == 1 && ------------------ | Branch (141:3): [True: 2, False: 2] ------------------ 142| 2| h.answer_rrs == 0 && ------------------ | Branch (142:3): [True: 2, False: 0] ------------------ 143| 2| h.authority_rrs == 0 && h.additional_rrs == 0) { ------------------ | Branch (143:3): [True: 1, False: 1] | Branch (143:27): [True: 0, False: 1] ------------------ 144| | 145| 0| NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 \n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 146| | 147| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 148| 0| return; 149| 0| } 150| | 151| 806| if(((h.flags & 0x8710) == 0x10) && ------------------ | Branch (151:10): [True: 713, False: 93] ------------------ 152| 713| h.questions == 1 && ------------------ | Branch (152:3): [True: 704, False: 9] ------------------ 153| 704| h.answer_rrs == 0 && ------------------ | Branch (153:3): [True: 702, False: 2] ------------------ 154| 702| h.authority_rrs == 0) { ------------------ | Branch (154:3): [True: 681, False: 21] ------------------ 155| | 156| 681| NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n"); ------------------ | | 595| 681|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 157| | 158| 681| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 159| 681| return; 160| 681| } 161| | 162| 125| if(packet->payload[2] == 0x80 && ------------------ | Branch (162:10): [True: 2, False: 123] ------------------ 163| 2| h.questions == 1 && ------------------ | Branch (163:3): [True: 2, False: 0] ------------------ 164| 2| h.answer_rrs == 0 && ------------------ | Branch (164:3): [True: 2, False: 0] ------------------ 165| 2| h.authority_rrs == 0 && h.additional_rrs == 1) { ------------------ | Branch (165:3): [True: 1, False: 1] | Branch (165:27): [True: 1, False: 0] ------------------ 166| | 167| 1| NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers, authority, additional = 0 \n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 168| | 169| 1| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 170| 1| return; 171| 1| } 172| | 173| 124| if(h.flags == 0x4000 && ------------------ | Branch (173:10): [True: 3, False: 121] ------------------ 174| 3| h.questions == 1 && ------------------ | Branch (174:3): [True: 2, False: 1] ------------------ 175| 2| h.answer_rrs == 0 && ------------------ | Branch (175:3): [True: 2, False: 0] ------------------ 176| 2| h.authority_rrs == 0 && h.additional_rrs == 1) { ------------------ | Branch (176:3): [True: 1, False: 1] | Branch (176:27): [True: 1, False: 0] ------------------ 177| | 178| 1| NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 \n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 179| | 180| 1| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 181| 1| return; 182| 1| } 183| | 184| 123| if(h.flags == 0x8400 && ------------------ | Branch (184:10): [True: 5, False: 118] ------------------ 185| 5| h.questions == 0 && ------------------ | Branch (185:3): [True: 4, False: 1] ------------------ 186| 4| h.answer_rrs == 1 && ------------------ | Branch (186:3): [True: 0, False: 4] ------------------ 187| 0| h.authority_rrs == 0 && h.additional_rrs == 0) { ------------------ | Branch (187:3): [True: 0, False: 0] | Branch (187:27): [True: 0, False: 0] ------------------ 188| | 189| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 190| 0| "found netbios with flag 8400 questions = 0 and answers = 1, authority, additional = 0 \n"); 191| | 192| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 193| 0| return; 194| 0| } 195| | 196| 123| if(h.flags == 0x8500 && ------------------ | Branch (196:10): [True: 0, False: 123] ------------------ 197| 0| h.questions == 0 && ------------------ | Branch (197:3): [True: 0, False: 0] ------------------ 198| 0| h.answer_rrs == 1 && ------------------ | Branch (198:3): [True: 0, False: 0] ------------------ 199| 0| h.authority_rrs == 0 && h.additional_rrs == 0) { ------------------ | Branch (199:3): [True: 0, False: 0] | Branch (199:27): [True: 0, False: 0] ------------------ 200| | 201| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 202| 0| "found netbios with flag 8500 questions = 0 and answers = 1, authority, additional = 0 \n"); 203| | 204| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 205| 0| return; 206| 0| } 207| | 208| 123| if(((h.flags == 0x2900) || (h.flags == 0x2910)) && ------------------ | Branch (208:11): [True: 0, False: 123] | Branch (208:34): [True: 8, False: 115] ------------------ 209| 8| h.questions == 1 && ------------------ | Branch (209:3): [True: 6, False: 2] ------------------ 210| 6| h.answer_rrs == 0 && ------------------ | Branch (210:3): [True: 5, False: 1] ------------------ 211| 5| h.authority_rrs == 0 && h.additional_rrs == 1) { ------------------ | Branch (211:3): [True: 5, False: 0] | Branch (211:27): [True: 5, False: 0] ------------------ 212| | 213| 5| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 5|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 214| 5| "found netbios with flag 2910, questions = 1 and answers, authority=0, additional = 1 \n"); 215| | 216| 5| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 217| 5| return; 218| 5| } 219| | 220| 118| if(h.flags == 0xAD86 && ------------------ | Branch (220:10): [True: 0, False: 118] ------------------ 221| 0| h.questions == 0 && ------------------ | Branch (221:3): [True: 0, False: 0] ------------------ 222| 0| h.answer_rrs == 1 && ------------------ | Branch (222:3): [True: 0, False: 0] ------------------ 223| 0| h.authority_rrs == 0 && h.additional_rrs == 0) { ------------------ | Branch (223:3): [True: 0, False: 0] | Branch (223:27): [True: 0, False: 0] ------------------ 224| | 225| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 226| 0| "found netbios with flag ad86 questions = 0 and answers = 1, authority, additional = 0 \n"); 227| | 228| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 229| 0| return; 230| 0| } 231| | 232| 118| if(h.flags == 0x0110 && ------------------ | Branch (232:10): [True: 7, False: 111] ------------------ 233| 7| h.questions == 1 && ------------------ | Branch (233:3): [True: 6, False: 1] ------------------ 234| 6| h.answer_rrs == 0 && ------------------ | Branch (234:3): [True: 5, False: 1] ------------------ 235| 5| h.authority_rrs == 0 && h.additional_rrs == 0) { ------------------ | Branch (235:3): [True: 0, False: 5] | Branch (235:27): [True: 0, False: 0] ------------------ 236| | 237| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 238| 0| "found netbios with flag 0110 questions = 1 and answers = 0, authority, additional = 0 \n"); 239| | 240| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 241| 0| return; 242| 0| } 243| | 244| 118| if((h.flags & 0xf800) == 0) { ------------------ | Branch (244:10): [True: 13, False: 105] ------------------ 245| 13| NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query request\n"); ------------------ | | 597| 13|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 246| | 247| 13| if(get_u_int16_t(packet->payload, 4) == htons(1) && ------------------ | | 136| 13|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (247:5): [True: 9, False: 4] ------------------ 248| 9| get_u_int16_t(packet->payload, 6) == 0 && ------------------ | | 136| 9|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (248:5): [True: 8, False: 1] ------------------ 249| 8| get_u_int16_t(packet->payload, 8) == 0 && get_u_int16_t(packet->payload, 10) == 0) { ------------------ | | 136| 8|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ get_u_int16_t(packet->payload, 8) == 0 && get_u_int16_t(packet->payload, 10) == 0) { ------------------ | | 136| 2|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (249:5): [True: 2, False: 6] | Branch (249:47): [True: 0, False: 2] ------------------ 250| | 251| | /* name is encoded as described in rfc883 */ 252| 0| u_int8_t name_length = packet->payload[12]; 253| | 254| 0| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 255| 0| "possible netbios name query request, one question\n"); 256| | 257| 0| if(packet->payload_packet_len == 12 + 1 + name_length + 1 + 2 + 2) { ------------------ | Branch (257:7): [True: 0, False: 0] ------------------ 258| | 259| 0| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 260| 0| "possible netbios name query request, length matches\n"); 261| | 262| | /* null terminated? */ 263| 0| if(packet->payload[12 + name_length + 1] == 0 && ------------------ | Branch (263:9): [True: 0, False: 0] ------------------ 264| 0| get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x0020) && ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (264:9): [True: 0, False: 0] ------------------ 265| 0| get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (265:9): [True: 0, False: 0] ------------------ 266| | 267| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 268| 0| "found netbios name query request\n"); 269| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 270| 0| return; 271| 0| } 272| 0| } 273| 0| } 274| 105| } else if((h.flags & 0xf800) == 0x8000) { ------------------ | Branch (274:17): [True: 15, False: 90] ------------------ 275| 15| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 15|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 276| 15| "possible netbios name query response\n"); 277| | 278| 15| if(get_u_int16_t(packet->payload, 4) == 0 && ------------------ | | 136| 15|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (278:5): [True: 12, False: 3] ------------------ 279| 12| get_u_int16_t(packet->payload, 6) == htons(1) && ------------------ | | 136| 12|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (279:5): [True: 5, False: 7] ------------------ 280| 5| get_u_int16_t(packet->payload, 8) == 0 && get_u_int16_t(packet->payload, 10) == 0) { ------------------ | | 136| 5|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ get_u_int16_t(packet->payload, 8) == 0 && get_u_int16_t(packet->payload, 10) == 0) { ------------------ | | 136| 4|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (280:5): [True: 4, False: 1] | Branch (280:47): [True: 3, False: 1] ------------------ 281| | 282| | /* name is encoded as described in rfc883 */ 283| 3| u_int8_t name_length = packet->payload[12]; 284| | 285| 3| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 3|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 286| 3| "possible netbios positive name query response, one answer\n"); 287| | 288| 3| if(packet->payload_packet_len >= 12 + 1 + name_length + 1 + 2 + 2) { ------------------ | Branch (288:7): [True: 2, False: 1] ------------------ 289| | 290| 2| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 2|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 291| 2| "possible netbios name query response, length matches\n"); 292| | 293| | /* null terminated? 
*/ 294| 2| if(packet->payload[12 + name_length + 1] == 0 && ------------------ | Branch (294:9): [True: 1, False: 1] ------------------ 295| 1| get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x0020) && ------------------ | | 136| 1|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (295:9): [True: 0, False: 1] ------------------ 296| 0| get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (296:9): [True: 0, False: 0] ------------------ 297| | 298| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 299| 0| "found netbios name query response\n"); 300| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 301| 0| return; 302| 0| } 303| 2| } 304| 12| } else if(get_u_int16_t(packet->payload, 4) == 0 && ------------------ | | 136| 12|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (304:12): [True: 9, False: 3] ------------------ 305| 9| get_u_int16_t(packet->payload, 6) == 0 && ------------------ | | 136| 9|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (305:5): [True: 6, False: 3] ------------------ 306| 6| get_u_int16_t(packet->payload, 8) == 0 && get_u_int16_t(packet->payload, 10) == 0) { ------------------ | | 136| 6|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ get_u_int16_t(packet->payload, 8) == 0 && get_u_int16_t(packet->payload, 10) == 0) { ------------------ | | 136| 3|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (306:5): [True: 3, False: 3] | Branch (306:47): [True: 3, False: 0] ------------------ 307| | 308| | /* name is encoded as described in 
rfc883 */ 309| 3| u_int8_t name_length = packet->payload[12]; 310| | 311| 3| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 3|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 312| 3| "possible netbios negative name query response, one answer\n"); 313| | 314| 3| if(packet->payload_packet_len >= 12 + 1 + name_length + 1 + 2 + 2) { ------------------ | Branch (314:7): [True: 2, False: 1] ------------------ 315| | 316| 2| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 2|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 317| 2| "possible netbios name query response, length matches\n"); 318| | 319| | /* null terminated? */ 320| 2| if(packet->payload[12 + name_length + 1] == 0 && ------------------ | Branch (320:9): [True: 1, False: 1] ------------------ 321| 1| get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x000A) && ------------------ | | 136| 1|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (321:9): [True: 0, False: 1] ------------------ 322| 0| get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (322:9): [True: 0, False: 0] ------------------ 323| | 324| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 325| 0| "found netbios name query response\n"); 326| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 327| 0| return; 328| 0| } 329| 2| } 330| 9| } else if(get_u_int16_t(packet->payload, 4) == 0 && ------------------ | | 136| 9|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (330:12): [True: 6, False: 3] ------------------ 331| 6| get_u_int16_t(packet->payload, 6) == 0 && ------------------ | | 136| 6|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (331:5): [True: 3, False: 3] ------------------ 332| 3| get_u_int16_t(packet->payload, 8) == htons(1) && get_u_int16_t(packet->payload, 10) == htons(1)) { ------------------ | | 136| 3|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ get_u_int16_t(packet->payload, 8) == htons(1) && get_u_int16_t(packet->payload, 10) == htons(1)) { ------------------ | | 136| 1|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (332:5): [True: 1, False: 2] | Branch (332:54): [True: 0, False: 1] ------------------ 333| | 334| | /* name is encoded as described in rfc883 */ 335| 0| u_int8_t name_length = packet->payload[12]; 336| | 337| 0| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 338| 0| "possible netbios redirect name query response, one answer\n"); 339| | 340| 0| if(packet->payload_packet_len >= 12 + 1 + name_length + 1 + 2 + 2) { ------------------ | Branch (340:7): [True: 0, False: 0] ------------------ 341| | 342| 0| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 343| 0| "possible netbios name query response, length matches\n"); 344| | 345| | /* null terminated? 
*/ 346| 0| if(packet->payload[12 + name_length + 1] == 0 && ------------------ | Branch (346:9): [True: 0, False: 0] ------------------ 347| 0| get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x0002) && ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (347:9): [True: 0, False: 0] ------------------ 348| 0| get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (348:9): [True: 0, False: 0] ------------------ 349| | 350| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 351| 0| "found netbios name query response\n"); 352| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 353| 0| return; 354| 0| } 355| 0| } 356| 0| } 357| 15| } 358| | /* TODO: extend according to rfc1002 */ 359| 118| } 360| | 361| | /* check standard NETBIOS over udp to port 138 */ 362| | 363| | /* netbios header token from http://www.protocolbase.net/protocols/protocol_NBDGM.php */ 364| | 365| 4.46k| if((dport == 138) && (packet->payload_packet_len >= 14)) { ------------------ | Branch (365:8): [True: 1, False: 4.45k] | Branch (365:26): [True: 1, False: 0] ------------------ 366| 1| u_int16_t netbios_len = ntohs(get_u_int16_t(packet->payload, 10)); 367| | 368| 1| if(netbios_len == packet->payload_packet_len - 14) { ------------------ | Branch (368:10): [True: 0, False: 1] ------------------ 369| 0| NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 370| | 371| | /* TODO: ipv6 */ 372| 0| if(packet->iph && packet->payload[0] >= 0x10 && packet->payload[0] <= 0x16) { ------------------ | Branch (372:5): [True: 0, False: 0] | Branch (372:20): [True: 0, False: 0] | Branch (372:50): [True: 0, False: 0] ------------------ 373| 0| u_int32_t source_ip = ntohl(get_u_int32_t(packet->payload, 4)); 374| | 375| 0| NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x10,0x11,0x12,0x13,0x14,0x15 or 0x16\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 376| | 377| 0| if(source_ip == ntohl(packet->iph->saddr)) { ------------------ | Branch (377:7): [True: 0, False: 0] ------------------ 378| 0| int16_t leftover = netbios_len - 82; /* NetBIOS len */ 379| | 380| 0| NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 381| | 382| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, (leftover > 0) ? NDPI_PROTOCOL_SMBV1 : NDPI_PROTOCOL_UNKNOWN); ------------------ | Branch (382:57): [True: 0, False: 0] ------------------ 383| 0| return; 384| 0| } 385| 0| } 386| 0| } 387| 1| } 388| 4.46k| } 389| | 390| 17.9k| if(packet->tcp != NULL) { ------------------ | Branch (390:6): [True: 13.4k, False: 4.46k] ------------------ 391| 13.4k| dport = ntohs(packet->tcp->dest); 392| | 393| | /* destination port must be 139 */ 394| 13.4k| if(dport == 139) { ------------------ | Branch (394:8): [True: 1, False: 13.4k] ------------------ 395| 1| NDPI_LOG_DBG2(ndpi_struct, "found netbios with destination port 139\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 396| | 397| | /* payload_packet_len must be 72 */ 398| 1| if(packet->payload_packet_len == 72) { ------------------ | Branch (398:10): [True: 0, False: 1] ------------------ 399| 0| NDPI_LOG_DBG2(ndpi_struct, "found netbios with payload_packen_len = 72. \n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 400| | 401| 0| if(packet->payload[0] == 0x81 && packet->payload[1] == 0 && ntohs(get_u_int16_t(packet->payload, 2)) == 68) { ------------------ | Branch (401:5): [True: 0, False: 0] | Branch (401:35): [True: 0, False: 0] | Branch (401:62): [True: 0, False: 0] ------------------ 402| 0| NDPI_LOG_INFO(ndpi_struct, ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 403| 0| "found netbios with session request = 81, flags=0 and length od following bytes = 68. \n"); 404| | 405| 0| ndpi_int_netbios_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 406| 0| return; 407| 0| } 408| 0| } 409| 1| } 410| | 411| 13.4k| } 412| | 413| 17.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 414| 17.9k|} netbios.c:ndpi_int_netbios_add_connection: 97| 688| u_int16_t sub_protocol) { 98| 688| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 99| | 100| 688| unsigned char name[64]; 101| 688| u_int off = packet->payload[12] == 0x20 ? 
12 : 14; ------------------ | Branch (101:15): [True: 681, False: 7] ------------------ 102| | 103| 688| if((off < packet->payload_packet_len) ------------------ | Branch (103:6): [True: 688, False: 0] ------------------ 104| 688| && ndpi_netbios_name_interpret((unsigned char*)&packet->payload[off], ------------------ | Branch (104:9): [True: 682, False: 6] ------------------ 105| 688| (u_int)(packet->payload_packet_len - off), name, sizeof(name)-1) > 0) { 106| 682| ndpi_hostname_sni_set(flow, (const u_int8_t *)name, strlen((char *)name), NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 682|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 682|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 682|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 682|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 107| | 108| 682| ndpi_check_dga_name(ndpi_struct, flow, flow->host_server_name, 1, 1, 0); 109| 682| } 110| | 111| 688| if(sub_protocol == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (111:6): [True: 688, False: 0] ------------------ 112| 688| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETBIOS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 113| 0| else 114| 0| ndpi_set_detected_protocol(ndpi_struct, flow, sub_protocol, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI); 115| 688|} init_netease_games_dissector: 80| 7.08k|{ 81| 7.08k| ndpi_register_dissector("NetEaseGames", ndpi_struct, 82| 7.08k| ndpi_search_netease, 83| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, 
------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 84| 7.08k| 1, NDPI_PROTOCOL_NETEASE_GAMES); 85| 7.08k|} netease_games.c:ndpi_search_netease: 42| 3.32k|{ 43| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | 45| | /* I've seen this pattern in traffic of few games from 46| | * NetEase (Lost Light, Badlanders, Naraka: Bladepoint) */ 47| | 48| 3.32k| if (packet->payload_packet_len == 12 && ------------------ | Branch (48:7): [True: 29, False: 3.29k] ------------------ 49| 29| current_pkt_from_client_to_server(ndpi_struct, flow) && ------------------ | Branch (49:7): [True: 28, False: 1] ------------------ 50| 28| packet->payload[0] == 0x01 && ------------------ | Branch (50:7): [True: 8, False: 20] ------------------ 51| 3.32k| le16toh(get_u_int16_t(packet->payload, 2)) == 0x1D0 && ------------------ | Branch (51:7): [True: 0, False: 8] ------------------ 52| 3.32k| 
le32toh(get_u_int32_t(packet->payload, 8)) == 0x1010100) ------------------ | Branch (52:7): [True: 0, False: 0] ------------------ 53| 0| { 54| 0| ndpi_int_netease_add_connection(ndpi_struct, flow); 55| 0| return; 56| 0| } 57| | 58| | /* Lost Light */ 59| 3.32k| if (packet->payload_packet_len >= 30 && ------------------ | Branch (59:7): [True: 2.87k, False: 452] ------------------ 60| 3.32k| ntohl(get_u_int32_t(packet->payload, 0)) == 0xB3AF8DE8) ------------------ | Branch (60:7): [True: 0, False: 2.87k] ------------------ 61| 0| { 62| 0| ndpi_int_netease_add_connection(ndpi_struct, flow); 63| 0| return; 64| 0| } 65| | 66| | /* Naraka: Bladepoint */ 67| 3.32k| if (packet->payload_packet_len > 30 && ------------------ | Branch (67:7): [True: 2.87k, False: 452] ------------------ 68| 3.32k| le32toh(get_u_int32_t(packet->payload, 0)) == 0x0C080807) ------------------ | Branch (68:7): [True: 0, False: 2.87k] ------------------ 69| 0| { 70| 0| ndpi_int_netease_add_connection(ndpi_struct, flow); 71| 0| return; 72| 0| } 73| | 74| | /* TODO: add more NetEase Games signatures */ 75| | 76| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 77| 3.32k|} init_netflow_dissector: 186| 7.08k|{ 187| 7.08k| ndpi_register_dissector("NetFlow", ndpi_struct, 188| 7.08k| ndpi_search_netflow, 189| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 190| 7.08k| 1, NDPI_PROTOCOL_NETFLOW); 191| 7.08k|} netflow.c:ndpi_search_netflow: 102| 4.37k|{ 103| 4.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 104| | // const u_int8_t *packet_payload = packet->payload; 105| 4.37k| u_int32_t payload_len = packet->payload_packet_len; 106| 4.37k| time_t now; 107| 4.37k| struct timeval now_tv; 108| | 109| 4.37k| NDPI_LOG_DBG(ndpi_struct, "search netflow\n"); ------------------ | | 596| 4.37k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 110| | 111| 4.37k| if((packet->udp != NULL) && (payload_len >= 24)) { ------------------ | Branch (111:6): [True: 4.37k, False: 0] | Branch (111:31): [True: 4.05k, False: 325] ------------------ 112| 4.05k| u_int16_t version = (packet->payload[0] << 8) + packet->payload[1], uptime_offset; 113| 4.05k| u_int32_t when, *_when; 114| 4.05k| u_int16_t n = (packet->payload[2] << 8) + packet->payload[3], expected_len = 0; 115| | 116| 4.05k| switch(version) { 117| 47| case 1: ------------------ | Branch (117:5): [True: 47, False: 4.00k] ------------------ 118| 142| case 5: ------------------ | Branch (118:5): [True: 95, False: 3.95k] ------------------ 119| 146| case 7: ------------------ | Branch (119:5): [True: 4, False: 4.05k] ------------------ 120| 151| case 9: ------------------ | Branch (120:5): [True: 5, False: 4.04k] ------------------ 121| 151| if((n == 0) || (n > 30)) { ------------------ | Branch (121:10): [True: 2, False: 149] | Branch (121:22): [True: 127, False: 22] ------------------ 122| 129| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 129|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 123| 129| return; 124| 129| } 125| | 126| 22| switch(version) { ------------------ | Branch (126:14): [True: 22, False: 0] ------------------ 127| 16| case 1: ------------------ | Branch (127:7): [True: 16, False: 6] ------------------ 128| 16| expected_len = n * sizeof(struct flow_ver1_rec) + 16 /* header */; 129| 16| break; 130| | 131| 2| case 5: ------------------ | Branch (131:7): [True: 2, False: 20] ------------------ 132| 2| expected_len = n * sizeof(struct flow_ver5_rec) + 24 /* header */; 133| 2| break; 134| | 135| 0| case 7: ------------------ | Branch (135:7): [True: 0, False: 22] ------------------ 136| 0| expected_len = n * sizeof(struct flow_ver7_rec) + 24 /* header */; 137| 0| break; 
138| | 139| 4| case 9: ------------------ | Branch (139:7): [True: 4, False: 18] ------------------ 140| | /* We need to check the template */ 141| 4| break; 142| 22| } 143| | 144| 22| if((expected_len > 0) && (expected_len != payload_len)) { ------------------ | Branch (144:10): [True: 18, False: 4] | Branch (144:32): [True: 18, False: 0] ------------------ 145| 18| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 18|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 146| 18| return; 147| 18| } 148| | 149| 4| uptime_offset = 8; 150| 4| break; 151| | 152| 3| case 10: /* IPFIX */ ------------------ | Branch (152:5): [True: 3, False: 4.05k] ------------------ 153| 3| { 154| 3| u_int16_t ipfix_len = n; 155| | 156| 3| if(ipfix_len != payload_len) { ------------------ | Branch (156:5): [True: 3, False: 0] ------------------ 157| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 158| 3| return; 159| 3| } 160| 3| } 161| 0| uptime_offset = 4; 162| 0| break; 163| | 164| 3.90k| default: ------------------ | Branch (164:5): [True: 3.90k, False: 154] ------------------ 165| 3.90k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.90k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 166| 3.90k| return; 167| 4.05k| } 168| | 169| 4| _when = (u_int32_t*)&packet->payload[uptime_offset]; /* Sysuptime */ 170| 4| when = ntohl(*_when); 171| | 172| 4| do_gettimeofday(&now_tv); ------------------ | | 32| 4|#define do_gettimeofday(a) gettimeofday(a, NULL) ------------------ 173| 4| now = now_tv.tv_sec; 174| | 175| 4| if(((version == 1) && (when == 0)) ------------------ | Branch (175:9): 
[True: 0, False: 4] | Branch (175:27): [True: 0, False: 0] ------------------ 176| 4| || ((when >= 946684800 /* 1/1/2000 */) && (when <= (u_int32_t)now))) { ------------------ | Branch (176:12): [True: 2, False: 2] | Branch (176:50): [True: 1, False: 1] ------------------ 177| 1| NDPI_LOG_INFO(ndpi_struct, "found netflow\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 178| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 179| 1| return; 180| 1| } 181| 4| } else 182| 325| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 325|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 183| 4.37k|} init_nexon_dissector: 66| 7.08k|{ 67| 7.08k| ndpi_register_dissector("Nexon", ndpi_struct, 68| 7.08k| ndpi_search_nexon, 69| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 70| 7.08k| 1, NDPI_PROTOCOL_NEXON); 71| 7.08k|} nexon.c:ndpi_search_nexon: 39| 13.4k|{ 40| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 41| | 42| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search nexon\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 43| | 44| 13.4k| if(packet->payload_packet_len == 24 && ------------------ | Branch (44:6): [True: 317, False: 13.1k] ------------------ 45| 13.4k| ntohl(get_u_int32_t(packet->payload, 0)) == 0x18000000 && ------------------ | Branch (45:6): [True: 0, False: 317] ------------------ 46| 13.4k| ntohl(get_u_int32_t(packet->payload, 4)) == 0x64000000) { ------------------ | Branch (46:6): [True: 0, False: 0] ------------------ 47| 0| NDPI_LOG_INFO(ndpi_struct, "found nexon\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| 0| ndpi_int_nexon_add_connection(ndpi_struct, flow); 49| 0| return; 50| 0| } 51| 13.4k| if(packet->payload_packet_len == 20 && ------------------ | Branch (51:6): [True: 182, False: 13.2k] ------------------ 52| 13.4k| ntohl(get_u_int32_t(packet->payload, 4)) == 0x163A992E) { ------------------ | Branch (52:6): [True: 0, False: 182] ------------------ 53| 0| NDPI_LOG_INFO(ndpi_struct, "found nexon\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 54| 0| ndpi_int_nexon_add_connection(ndpi_struct, flow); 55| 0| return; 56| 0| } 57| | 58| | /* TODO: detect UDP traffic */ 59| | 60| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| | 62| 13.4k|} init_nfs_dissector: 92| 7.08k|{ 93| 7.08k| ndpi_register_dissector("NFS", ndpi_struct, 94| 7.08k| ndpi_search_nfs, 95| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 96| 7.08k| 1, NDPI_PROTOCOL_NFS); 97| 7.08k|} nfs.c:ndpi_search_nfs: 41| 18.5k|{ 42| 18.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| | 44| 18.5k| NDPI_LOG_DBG(ndpi_struct, "search NFS\n"); ------------------ | | 596| 18.5k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 18.5k| u_int8_t offset = 0; 47| 18.5k| if (packet->tcp != NULL) ------------------ | Branch (47:6): [True: 13.4k, False: 5.07k] ------------------ 48| 13.4k| offset = 4; 49| | 50| 18.5k| if (packet->payload_packet_len < (40 + offset)) ------------------ | Branch (50:6): [True: 8.73k, False: 9.80k] ------------------ 51| 8.73k| goto exclude_nfs; 52| | 53| 9.80k| NDPI_LOG_DBG2(ndpi_struct, "NFS user match stage 1\n"); ------------------ | | 597| 9.80k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 54| | 55| | 56| 9.80k| if (offset != 0 && get_u_int32_t(packet->payload, 0) != htonl(0x80000000 + packet->payload_packet_len - 4)) ------------------ | | 137| 5.26k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (56:6): [True: 5.26k, False: 4.53k] | Branch (56:21): [True: 5.26k, False: 1] ------------------ 57| 5.26k| goto exclude_nfs; 58| | 59| 4.53k| NDPI_LOG_DBG2(ndpi_struct, "NFS user match stage 2\n"); ------------------ | | 597| 4.53k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 60| | 61| 4.53k| if (get_u_int32_t(packet->payload, 4 + offset) != 0) ------------------ | | 137| 4.53k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (61:6): [True: 4.47k, False: 64] ------------------ 62| 4.47k| goto exclude_nfs; 63| | 64| 64| NDPI_LOG_DBG2(ndpi_struct, "NFS user match stage 3\n"); ------------------ | | 597| 64|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| | 66| 64| if (get_u_int32_t(packet->payload, 8 + offset) != htonl(0x02)) ------------------ | | 137| 64|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (66:6): [True: 63, False: 1] ------------------ 67| 63| goto exclude_nfs; 68| | 69| 1| NDPI_LOG_DBG2(ndpi_struct, "NFS match stage 3\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 70| | 71| 1| if (get_u_int32_t(packet->payload, 12 + offset) != htonl(0x000186a5) ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (71:6): [True: 1, False: 0] ------------------ 72| 1| && get_u_int32_t(packet->payload, 12 + offset) != htonl(0x000186a3) ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (72:6): [True: 1, False: 0] ------------------ 73| 1| && get_u_int32_t(packet->payload, 12 + offset) != htonl(0x000186a0)) ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (73:6): [True: 1, False: 0] ------------------ 74| 1| goto exclude_nfs; 75| | 76| 0| NDPI_LOG_DBG2(ndpi_struct, "NFS match stage 4\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 77| | 78| 0| if (ntohl(get_u_int32_t(packet->payload, 16 + offset)) > 4) ------------------ | Branch (78:6): [True: 0, False: 0] ------------------ 79| 0| goto exclude_nfs; 80| | 81| 0| NDPI_LOG_INFO(ndpi_struct, "found NFS\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 82| | 83| 0| ndpi_int_nfs_add_connection(ndpi_struct, flow); 84| 0| return; 85| | 86| 18.5k| exclude_nfs: 87| 18.5k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 18.5k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 88| 18.5k|} init_nintendo_dissector: 57| 7.08k|void init_nintendo_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 58| 7.08k| ndpi_register_dissector("Nintendo", ndpi_struct, 59| 7.08k| ndpi_search_nintendo, 60| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 61| 7.08k| 1, NDPI_PROTOCOL_NINTENDO); 62| 7.08k|} nintendo.c:ndpi_search_nintendo: 37| 3.41k|static void ndpi_search_nintendo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
38| 3.41k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 39| 3.41k| u_int32_t payload_len = packet->payload_packet_len; 40| | 41| 3.41k| if(packet->udp != NULL) { ------------------ | Branch (41:6): [True: 3.41k, False: 0] ------------------ 42| 3.41k| if(payload_len > 48) { ------------------ | Branch (42:8): [True: 2.20k, False: 1.20k] ------------------ 43| 2.20k| const char *payload = (const char *)packet->payload; 44| 2.20k| const unsigned char nintendo_pattern[] = { 0x32, 0xab, 0x98, 0x64, 0x02 }; 45| | 46| 2.20k| if(memcmp(payload, nintendo_pattern, 5) == 0) { ------------------ | Branch (46:10): [True: 4, False: 2.20k] ------------------ 47| 4| NDPI_LOG_INFO(ndpi_struct, "found nintendo\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 48| 4| ndpi_int_nintendo_add_connection(ndpi_struct, flow); 49| 4| return; 50| 4| } 51| 2.20k| } 52| 3.41k| } 53| | 54| 3.41k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.41k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 55| 3.41k|} nintendo.c:ndpi_int_nintendo_add_connection: 32| 4| struct ndpi_flow_struct *flow) { 33| 4| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NINTENDO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 34| 4|} init_noe_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("NOE", ndpi_struct, 77| 7.08k| ndpi_search_noe, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | 
| | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_NOE); 80| 7.08k|} noe.c:ndpi_search_noe: 42| 4.37k|{ 43| 4.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| 4.37k| NDPI_LOG_DBG(ndpi_struct, "search NOE\n"); ------------------ | | 596| 4.37k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | 47| 4.37k| if(packet->udp != NULL) { ------------------ | Branch (47:6): [True: 4.37k, False: 0] ------------------ 48| 4.37k| NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n"); ------------------ | | 597| 4.37k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 49| | 50| 4.37k| if (packet->payload_packet_len == 1 && ( packet->payload[0] == 0x05 || packet->payload[0] == 0x04 )) { ------------------ | Branch (50:9): [True: 108, False: 4.27k] | Branch (50:46): [True: 0, False: 108] | Branch (50:76): [True: 1, False: 107] ------------------ 51| 1| ndpi_int_noe_add_connection(ndpi_struct, flow); 52| 1| return; 53| 4.37k| } else if((packet->payload_packet_len == 5 || packet->payload_packet_len == 12) && ------------------ | Branch (53:16): [True: 4, False: 4.37k] | Branch (53:51): [True: 29, False: 4.34k] ------------------ 54| 33| (packet->payload[0] == 0x07 ) && ------------------ | Branch (54:8): [True: 1, False: 32] ------------------ 55| 1| (packet->payload[1] == 0x00 ) && ------------------ | Branch (55:8): [True: 0, False: 1] ------------------ 56| 0| (packet->payload[2] != 0x00 ) && ------------------ | Branch (56:8): [True: 0, False: 0] ------------------ 57| 0| (packet->payload[3] == 0x00 )) { ------------------ | Branch (57:8): [True: 0, False: 0] ------------------ 58| 0| ndpi_int_noe_add_connection(ndpi_struct, flow); 59| 0| return; 60| 4.37k| } else if((packet->payload_packet_len >= 25) && ------------------ | Branch (60:15): [True: 4.01k, False: 360] ------------------ 61| 4.01k| (packet->payload[0] == 0x00 && ------------------ | Branch (61:9): [True: 943, False: 3.07k] ------------------ 62| 943| packet->payload[1] == 0x06 && ------------------ | Branch (62:9): [True: 3, False: 940] ------------------ 63| 3| packet->payload[2] == 0x62 && ------------------ | Branch (63:9): [True: 0, False: 3] ------------------ 64| 0| packet->payload[3] == 0x6c)) { ------------------ | Branch (64:9): [True: 0, False: 0] ------------------ 65| 0| ndpi_int_noe_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| 4.37k| } 69| | 70| 4.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) 
exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 71| 4.37k|} noe.c:ndpi_int_noe_add_connection: 35| 1|{ 36| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 37| 1| NDPI_LOG_INFO(ndpi_struct, "found noe\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| 1|} init_nomachine_dissector: 73| 7.08k|{ 74| 7.08k| ndpi_register_dissector("NoMachine", ndpi_struct, 75| 7.08k| ndpi_search_nomachine, 76| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 77| 7.08k| 1, NDPI_PROTOCOL_NOMACHINE); 78| 7.08k|} nomachine.c:ndpi_search_nomachine: 43| 15.0k|{ 44| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 45| | 46| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search NoMachine\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 15.0k| if (packet->tcp != NULL) { ------------------ | Branch (48:7): [True: 11.6k, False: 3.35k] ------------------ 49| | /* A NoMachine connection starts with a handshake that contains 50| | * only the characters NXSH (request) & NXD (response) and a version 51| | * number. After that it is followed by a TLS handshake. 
*/ 52| 11.6k| if ((packet->payload_packet_len > 10 && packet->payload_packet_len < 15) && ------------------ | Branch (52:10): [True: 10.7k, False: 884] | Branch (52:45): [True: 443, False: 10.3k] ------------------ 53| 443| ((memcmp(packet->payload, "NXSH-", 5) == 0) || (memcmp(packet->payload, "NXD-", 4) == 0))) ------------------ | Branch (53:10): [True: 1, False: 442] | Branch (53:56): [True: 1, False: 441] ------------------ 54| 2| { 55| 2| ndpi_int_nomachine_add_connection(ndpi_struct, flow); 56| 2| return; 57| 2| } 58| 11.6k| } else if (packet->udp != NULL) { ------------------ | Branch (58:14): [True: 3.35k, False: 0] ------------------ 59| | /* NoMachine uses UDP for multimedia data */ 60| 3.35k| if (packet->payload_packet_len > 9 && /* Shortest valid packet is 10 bytes long, probably it's keep-alive */ ------------------ | Branch (60:9): [True: 3.20k, False: 143] ------------------ 61| 3.35k| le16toh(get_u_int16_t(packet->payload, 2)) == 1 && ------------------ | Branch (61:9): [True: 60, False: 3.14k] ------------------ 62| 3.35k| le16toh(get_u_int16_t(packet->payload, 4)) == packet->payload_packet_len && ------------------ | Branch (62:9): [True: 0, False: 60] ------------------ 63| 0| get_u_int16_t(packet->payload, 8) == 0) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (63:9): [True: 0, False: 0] ------------------ 64| 0| { 65| 0| ndpi_int_nomachine_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| 3.35k| } 69| | 70| 15.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 71| 15.0k|} nomachine.c:ndpi_int_nomachine_add_connection: 34| 2|{ 35| 2| NDPI_LOG_INFO(ndpi_struct, "found NoMachine\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 36| 2| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOMACHINE, 37| 2| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 38| 2| ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found NoMachine"); 39| 2|} init_non_tcp_udp_dissector: 166| 7.08k|{ 167| 7.08k| ndpi_register_dissector("Non_TCP_UDP", ndpi_struct, 168| 7.08k| ndpi_search_in_non_tcp_udp, 169| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6, ------------------ | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) ------------------ 170| 7.08k| 13, 171| 7.08k| NDPI_PROTOCOL_IP_ESP, 172| 7.08k| NDPI_PROTOCOL_IP_AH, 173| 7.08k| NDPI_PROTOCOL_IP_GRE, 174| 7.08k| NDPI_PROTOCOL_IP_ICMP, 175| 7.08k| NDPI_PROTOCOL_IP_IGMP, 176| 7.08k| NDPI_PROTOCOL_IP_EGP, 177| 7.08k| NDPI_PROTOCOL_IP_SCTP, 178| 7.08k| NDPI_PROTOCOL_IP_PGM, 179| 7.08k| NDPI_PROTOCOL_IP_OSPF, 180| 7.08k| NDPI_PROTOCOL_IP_IP_IN_IP, 181| 7.08k| NDPI_PROTOCOL_IP_ICMPV6, 182| 7.08k| NDPI_PROTOCOL_IP_PIM, 183| 7.08k| NDPI_PROTOCOL_IP_VRRP); 184| 7.08k|} non_tcp_udp.c:ndpi_search_in_non_tcp_udp: 43| 1.99k|{ 44| 1.99k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 45| | 46| 1.99k| switch (flow->l4_proto) { ------------------ | Branch (46:11): [True: 882, False: 1.11k] ------------------ 47| 21| case NDPI_IPSEC_PROTOCOL_ESP: ------------------ | | 118| 21|#define NDPI_IPSEC_PROTOCOL_ESP 50 ------------------ | Branch (47:3): [True: 21, False: 1.97k] ------------------ 48| 21| set_protocol_and_bmask(NDPI_PROTOCOL_IP_ESP); ------------------ | | 32| 21| { \ | | 33| 21| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 21, False: 0] | | ------------------ | | 34| 21| { \ | | 35| 21| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 21| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 21| } \ | | 38| 21| } ------------------ 49| 21| break; 50| | 51| 1| case 
NDPI_IPSEC_PROTOCOL_AH: ------------------ | | 119| 1|#define NDPI_IPSEC_PROTOCOL_AH 51 ------------------ | Branch (51:3): [True: 1, False: 1.99k] ------------------ 52| 1| set_protocol_and_bmask(NDPI_PROTOCOL_IP_AH); ------------------ | | 32| 1| { \ | | 33| 1| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 1, False: 0] | | ------------------ | | 34| 1| { \ | | 35| 1| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 1| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 1| } \ | | 38| 1| } ------------------ 53| 1| break; 54| | 55| 1| case NDPI_GRE_PROTOCOL_TYPE: ------------------ | | 120| 1|#define NDPI_GRE_PROTOCOL_TYPE 0x2F ------------------ | Branch (55:3): [True: 1, False: 1.99k] ------------------ 56| 1| set_protocol_and_bmask(NDPI_PROTOCOL_IP_GRE); ------------------ | | 32| 1| { \ | | 33| 1| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 1, False: 0] | | ------------------ | | 34| 1| { \ | | 35| 1| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 1| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 1| } \ | | 38| 1| } ------------------ 57| 1| break; 58| | 59| 750| case NDPI_ICMP_PROTOCOL_TYPE: ------------------ | | 121| 750|#define NDPI_ICMP_PROTOCOL_TYPE 0x01 ------------------ | Branch (59:3): [True: 750, False: 1.24k] ------------------ 60| 750| set_protocol_and_bmask(NDPI_PROTOCOL_IP_ICMP); ------------------ | | 32| 750| { \ | | 33| 750| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 750, False: 0] | | ------------------ | | 34| 750| { \ | | 35| 750| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 750| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 750| } \ | | 38| 750| } ------------------ 61| | 62| 750| if(packet->payload_packet_len < sizeof(struct ndpi_icmphdr)) { ------------------ | Branch (62:8): [True: 0, False: 750] ------------------ 63| 
0| char buf[64]; 64| | 65| 0| snprintf(buf, sizeof(buf), "Packet too short (%d vs %u)", 66| 0| packet->payload_packet_len, (unsigned int)sizeof(struct ndpi_icmphdr)); 67| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, buf); 68| 750| } else { 69| 750| u_int8_t icmp_type = (u_int8_t)packet->payload[0]; 70| 750| u_int8_t icmp_code = (u_int8_t)packet->payload[1]; 71| | 72| | /* https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml */ 73| 750| if(((icmp_type >= 44) && (icmp_type <= 252)) ------------------ | Branch (73:11): [True: 35, False: 715] | Branch (73:32): [True: 34, False: 1] ------------------ 74| 716| || (icmp_code > 15)) { ------------------ | Branch (74:13): [True: 21, False: 695] ------------------ 75| 55| char buf[64]; 76| | 77| 55| snprintf(buf, sizeof(buf), "Invalid type (%u)/code(%u)", 78| 55| icmp_type, icmp_code); 79| | 80| 55| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, buf); 81| 55| } 82| | 83| 750| if(packet->payload_packet_len > sizeof(struct ndpi_icmphdr)) { ------------------ | Branch (83:10): [True: 747, False: 3] ------------------ 84| 747| if(ndpi_struct->cfg.compute_entropy && (flow->skip_entropy_check == 0)) { ------------------ | Branch (84:12): [True: 747, False: 0] | Branch (84:48): [True: 747, False: 0] ------------------ 85| 747| flow->entropy = ndpi_entropy(packet->payload + sizeof(struct ndpi_icmphdr), 86| 747| packet->payload_packet_len - sizeof(struct ndpi_icmphdr)); 87| 747| ndpi_entropy2risk(ndpi_struct, flow); 88| 747| } 89| | 90| 747| u_int16_t chksm = icmp4_checksum(packet->payload, packet->payload_packet_len); 91| | 92| 747| if(chksm) { ------------------ | Branch (92:12): [True: 117, False: 630] ------------------ 93| 117| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid ICMP checksum"); 94| 117| } 95| 747| } 96| 750| } 97| | 98| 750| break; 99| | 100| 12| case NDPI_IGMP_PROTOCOL_TYPE: ------------------ | | 122| 12|#define NDPI_IGMP_PROTOCOL_TYPE 0x02 
------------------ | Branch (100:3): [True: 12, False: 1.98k] ------------------ 101| 12| set_protocol_and_bmask(NDPI_PROTOCOL_IP_IGMP); ------------------ | | 32| 12| { \ | | 33| 12| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 12, False: 0] | | ------------------ | | 34| 12| { \ | | 35| 12| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 12| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 12| } \ | | 38| 12| } ------------------ 102| 12| break; 103| | 104| 9| case NDPI_EGP_PROTOCOL_TYPE: ------------------ | | 123| 9|#define NDPI_EGP_PROTOCOL_TYPE 0x08 ------------------ | Branch (104:3): [True: 9, False: 1.98k] ------------------ 105| 9| set_protocol_and_bmask(NDPI_PROTOCOL_IP_EGP); ------------------ | | 32| 9| { \ | | 33| 9| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 9, False: 0] | | ------------------ | | 34| 9| { \ | | 35| 9| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 9| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 9| } \ | | 38| 9| } ------------------ 106| 9| break; 107| | 108| 11| case NDPI_SCTP_PROTOCOL_TYPE: ------------------ | | 126| 11|#define NDPI_SCTP_PROTOCOL_TYPE 132 ------------------ | Branch (108:3): [True: 11, False: 1.98k] ------------------ 109| 11| set_protocol_and_bmask(NDPI_PROTOCOL_IP_SCTP); ------------------ | | 32| 11| { \ | | 33| 11| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 11, False: 0] | | ------------------ | | 34| 11| { \ | | 35| 11| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 11| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 11| } \ | | 38| 11| } ------------------ 110| 11| break; 111| | 112| 4| case NDPI_PGM_PROTOCOL_TYPE: ------------------ | | 129| 4|#define NDPI_PGM_PROTOCOL_TYPE 0x71 ------------------ | Branch (112:3): [True: 4, False: 1.98k] ------------------ 113| 4| 
set_protocol_and_bmask(NDPI_PROTOCOL_IP_PGM); ------------------ | | 32| 4| { \ | | 33| 4| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 4, False: 0] | | ------------------ | | 34| 4| { \ | | 35| 4| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 4| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 4| } \ | | 38| 4| } ------------------ 114| 4| break; 115| | 116| 1| case NDPI_OSPF_PROTOCOL_TYPE: ------------------ | | 124| 1|#define NDPI_OSPF_PROTOCOL_TYPE 0x59 ------------------ | Branch (116:3): [True: 1, False: 1.99k] ------------------ 117| 1| set_protocol_and_bmask(NDPI_PROTOCOL_IP_OSPF); ------------------ | | 32| 1| { \ | | 33| 1| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 1, False: 0] | | ------------------ | | 34| 1| { \ | | 35| 1| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 1| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 1| } \ | | 38| 1| } ------------------ 118| 1| break; 119| | 120| 1| case NDPI_IPIP_PROTOCOL_TYPE: ------------------ | | 127| 1|#define NDPI_IPIP_PROTOCOL_TYPE 0x04 ------------------ | Branch (120:3): [True: 1, False: 1.99k] ------------------ 121| 1| set_protocol_and_bmask(NDPI_PROTOCOL_IP_IP_IN_IP); ------------------ | | 32| 1| { \ | | 33| 1| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 1, False: 0] | | ------------------ | | 34| 1| { \ | | 35| 1| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 1| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 1| } \ | | 38| 1| } ------------------ 122| 1| break; 123| | 124| 67| case NDPI_ICMPV6_PROTOCOL_TYPE: ------------------ | | 128| 67|#define NDPI_ICMPV6_PROTOCOL_TYPE 0x3a ------------------ | Branch (124:3): [True: 67, False: 1.92k] ------------------ 125| 67| set_protocol_and_bmask(NDPI_PROTOCOL_IP_ICMPV6); ------------------ | | 32| 67| { \ | | 33| 67| if 
(is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 67, False: 0] | | ------------------ | | 34| 67| { \ | | 35| 67| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 67| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 67| } \ | | 38| 67| } ------------------ 126| | 127| 67| if(packet->payload_packet_len < sizeof(struct ndpi_icmp6hdr)) { ------------------ | Branch (127:8): [True: 0, False: 67] ------------------ 128| 0| char buf[64]; 129| | 130| 0| snprintf(buf, sizeof(buf), "Packet too short (%d vs %u)", 131| 0| packet->payload_packet_len, (unsigned int)sizeof(struct ndpi_icmp6hdr)); 132| | 133| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, buf); 134| 67| } else { 135| 67| u_int8_t icmp6_type = (u_int8_t)packet->payload[0]; 136| 67| u_int8_t icmp6_code = (u_int8_t)packet->payload[1]; 137| | 138| | /* https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_for_IPv6 */ 139| 67| if(((icmp6_type >= 5) && (icmp6_type <= 127)) ------------------ | Branch (139:11): [True: 8, False: 59] | Branch (139:32): [True: 3, False: 5] ------------------ 140| 64| || ((icmp6_code >= 156) && (icmp6_type != 255))) { ------------------ | Branch (140:14): [True: 4, False: 60] | Branch (140:37): [True: 1, False: 3] ------------------ 141| 4| char buf[64]; 142| | 143| 4| snprintf(buf, sizeof(buf), "Invalid type (%u)/code(%u)", 144| 4| icmp6_type, icmp6_code); 145| | 146| 4| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, buf); 147| 4| } 148| 67| } 149| | 150| 67| break; 151| | 152| 3| case NDPI_PIM_PROTOCOL_TYPE: ------------------ | | 130| 3|#define NDPI_PIM_PROTOCOL_TYPE 0x67 ------------------ | Branch (152:3): [True: 3, False: 1.99k] ------------------ 153| 3| set_protocol_and_bmask(NDPI_PROTOCOL_IP_PIM); ------------------ | | 32| 3| { \ | | 33| 3| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 3, False: 0] | | ------------------ | | 34| 3| { \ | | 
35| 3| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 3| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 3| } \ | | 38| 3| } ------------------ 154| 3| break; 155| | 156| 1| case 112: ------------------ | Branch (156:3): [True: 1, False: 1.99k] ------------------ 157| 1| set_protocol_and_bmask(NDPI_PROTOCOL_IP_VRRP); ------------------ | | 32| 1| { \ | | 33| 1| if (is_proto_enabled(ndpi_struct, nprot)) \ | | ------------------ | | | Branch (33:9): [True: 1, False: 0] | | ------------------ | | 34| 1| { \ | | 35| 1| ndpi_set_detected_protocol(ndpi_struct, flow, \ | | 36| 1| nprot, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); \ | | 37| 1| } \ | | 38| 1| } ------------------ 158| 1| break; 159| 1.99k| } 160| | 161| 1.99k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.99k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 162| 1.99k|} init_ntp_dissector: 144| 7.08k|{ 145| 7.08k| ndpi_register_dissector("NTP", ndpi_struct, 146| 7.08k| ndpi_search_ntp_udp, 147| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 148| 7.08k| 1, NDPI_PROTOCOL_NTP); 149| 7.08k|} ntp.c:ndpi_search_ntp_udp: 89| 5.07k|{ 90| 5.07k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 91| | 92| 5.07k| NDPI_LOG_DBG(ndpi_struct, "search NTP\n"); ------------------ | | 596| 5.07k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 93| | 94| 5.07k| if (packet->udp->dest != htons(123) && packet->udp->source != htons(123)) { ------------------ | Branch (94:7): [True: 5.07k, False: 2] | Branch (94:42): [True: 5.06k, False: 7] ------------------ 95| 5.06k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.06k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 96| 5.06k| return; 97| 5.06k| } 98| | 99| 9| if (packet->payload_packet_len < 48) { ------------------ | Branch (99:7): [True: 1, False: 8] ------------------ 100| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 101| 1| return; 102| 1| } 103| | 104| 8| uint8_t version = (packet->payload[0] & 56) >> 3; 105| | 106| 8| if (version == 2) { ------------------ | Branch (106:7): [True: 4, False: 4] ------------------ 107| 4| if(ndpi_struct->cfg.ntp_metadata_enabled) ------------------ | Branch (107:8): [True: 4, False: 0] ------------------ 108| 4| flow->protos.ntp[flow->l4.udp.ntp_stage].version = version; 109| 4| ndpi_int_ntp_add_connection(ndpi_struct, flow); 110| 4| return; 111| 4| } 112| | 113| 4| if (version > 4) { ------------------ | 
Branch (113:7): [True: 1, False: 3] ------------------ 114| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 115| 1| return; 116| 1| } 117| | 118| 3| uint8_t mode = packet->payload[0] & 7; 119| 3| uint8_t stratum = packet->payload[1]; 120| | 121| 3| if (stratum > 16) { ------------------ | Branch (121:7): [True: 1, False: 2] ------------------ 122| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 123| 1| return; 124| 1| } 125| | 126| 2| if(ndpi_struct->cfg.ntp_metadata_enabled) { ------------------ | Branch (126:6): [True: 2, False: 0] ------------------ 127| 2| flow->protos.ntp[flow->l4.udp.ntp_stage].version = version; 128| 2| flow->protos.ntp[flow->l4.udp.ntp_stage].mode = mode; 129| 2| flow->protos.ntp[flow->l4.udp.ntp_stage].leap_indicator = (packet->payload[0] & 192) >> 6; 130| 2| flow->protos.ntp[flow->l4.udp.ntp_stage].stratum = stratum; 131| | 132| 2| get_ntp_info(flow, packet, flow->l4.udp.ntp_stage); 133| | 134| 2| flow->l4.udp.ntp_stage = 1; 135| 2| ndpi_set_extra_dissection(flow); 136| 2| } 137| 2| NDPI_LOG_INFO(ndpi_struct, "found NTP\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 138| 2| ndpi_int_ntp_add_connection(ndpi_struct, flow); 139| 2| return; 140| 3|} ntp.c:ndpi_int_ntp_add_connection: 50| 6|{ 51| 6| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 52| 6|} ntp.c:get_ntp_info: 55| 2|{ 56| 2| u_int32_t tmp = 0; 57| 2| flow->protos.ntp[stage].ppol = (int8_t)packet->payload[2]; 58| 2| flow->protos.ntp[stage].precision = (int8_t)packet->payload[3]; 59| | 60| | // https://github.com/wireshark/wireshark/blob/c383ce5173cb15463259ca862cd5b469c2a3aab8/epan/dissectors/packet-ntp.c#L1574 61| 2| tmp = ntohl(get_u_int32_t(packet->payload, 4)); 62| 2| flow->protos.ntp[stage].root_delay = (tmp >> 16) + (tmp & 0xffff) / 65536.0; 63| 2| tmp = ntohl(get_u_int32_t(packet->payload, 8)); 64| 2| flow->protos.ntp[stage].root_dispersion = (tmp >> 16) + (tmp & 0xffff) / 65536.0; 65| | 66| 2| if (flow->protos.ntp[stage].stratum == 0 || flow->protos.ntp[stage].stratum == 1) { ------------------ | Branch (66:7): [True: 1, False: 1] | Branch (66:47): [True: 0, False: 1] ------------------ 67| 1| ndpi_snprintf(flow->protos.ntp[stage].ref_id, sizeof(flow->protos.ntp[stage].ref_id), "%c%c%c%c", packet->payload[12], 68| 1| packet->payload[13], 69| 1| packet->payload[14], 70| 1| packet->payload[15]); 71| 1| } else { 72| 1| if(packet->iph) { ------------------ | Branch (72:8): [True: 1, False: 0] ------------------ 73| 1| tmp = get_u_int32_t(packet->payload, 12); ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ 74| 1| inet_ntop(AF_INET, &tmp, flow->protos.ntp[stage].ref_id, sizeof(flow->protos.ntp[stage].ref_id)); 75| 1| } else { 76| 0| ndpi_snprintf(flow->protos.ntp[stage].ref_id, sizeof(flow->protos.ntp[stage].ref_id), "%c:%c:%c:%c", packet->payload[12], 77| 0| packet->payload[13], 78| 0| packet->payload[14], 79| 0| packet->payload[15]); 80| 0| } 81| 1| } 82| 2| 
flow->protos.ntp[stage].ref_time = get_u_int64_t(packet->payload, 16); ------------------ | | 148| 2|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 83| 2| flow->protos.ntp[stage].org_time = get_u_int64_t(packet->payload, 24); ------------------ | | 148| 2|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 84| 2| flow->protos.ntp[stage].rec_time = get_u_int64_t(packet->payload, 32); ------------------ | | 148| 2|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 85| 2| flow->protos.ntp[stage].trans_time = get_u_int64_t(packet->payload, 40); ------------------ | | 148| 2|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 86| 2|} ntp.c:ndpi_set_extra_dissection: 43| 2|{ 44| 2| flow->max_extra_packets_to_check = 1; 45| 2| flow->extra_packets_func = ndpi_search_ntp_again; 46| 2|} init_oicq_dissector: 92| 7.08k|{ 93| 7.08k| ndpi_register_dissector("OICQ", ndpi_struct, 94| 7.08k| ndpi_search_oicq, 95| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 96| 7.08k| 1, NDPI_PROTOCOL_OICQ); 97| 7.08k|} oicq.c:ndpi_search_oicq: 54| 3.36k|{ 55| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 56| 3.36k| struct oicq_hdr const * const hdr = (struct oicq_hdr *)&packet->payload[0]; 57| | 58| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search OICQ\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| | 60| 3.36k| if (packet->payload_packet_len < sizeof(*hdr)) ------------------ | Branch (60:7): [True: 128, False: 3.23k] ------------------ 61| 128| { 62| 128| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 128|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 63| 128| return; 64| 128| } 65| | 66| 3.23k| if (hdr->flag != 0x02) ------------------ | Branch (66:7): [True: 3.20k, False: 27] ------------------ 67| 3.20k| { 68| 3.20k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.20k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 69| 3.20k| return; 70| 3.20k| } 71| | 72| 27| if (ntohs(hdr->version) != 0x3b0b) ------------------ | Branch (72:7): [True: 27, False: 0] ------------------ 73| 27| { 74| 27| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 27|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 27| return; 76| 27| } 77| | 78| 0| uint16_t command = ntohs(hdr->command); 79| 0| if (command == 0x0000 || (command > 0x00b5 && command < 0x03f7) || 
------------------ | Branch (79:7): [True: 0, False: 0] | Branch (79:29): [True: 0, False: 0] | Branch (79:49): [True: 0, False: 0] ------------------ 80| 0| command > 0x03f7) ------------------ | Branch (80:7): [True: 0, False: 0] ------------------ 81| 0| { 82| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 83| 0| return; 84| 0| } 85| | 86| 0| ndpi_int_oicq_add_connection(ndpi_struct, flow); 87| 0|} ookla_add_to_cache: 73| 96|{ 74| 96| u_int64_t key; 75| | 76| 96| if(ndpi_struct->ookla_cache) { ------------------ | Branch (76:6): [True: 80, False: 16] ------------------ 77| 80| key = get_ookla_key(flow); 78| |#ifdef DEBUG_OOKLA_LRU 79| | printf("[LRU OOKLA] ADDING %lu [%u <-> %u]\n", key, ntohs(flow->c_port), ntohs(flow->s_port)); 80| |#endif 81| 80| ndpi_lru_add_to_cache(ndpi_struct->ookla_cache, key, 1 /* dummy */, 82| 80| ndpi_get_current_time(flow)); 83| 80| } 84| | 85| 96|} ndpi_search_ookla: 89| 15.1k|void ndpi_search_ookla(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) { 90| 15.1k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 91| | 92| 15.1k| NDPI_LOG_DBG(ndpi_struct, "Ookla detection\n"); ------------------ | | 596| 15.1k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 93| | 94| 15.1k| if(ntohs(flow->s_port) != ookla_port && ntohs(flow->c_port) != ookla_port) { ------------------ | Branch (94:6): [True: 15.1k, False: 1] | Branch (94:43): [True: 15.1k, False: 1] ------------------ 95| 15.1k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.1k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 96| 15.1k| return; 97| 15.1k| } 98| | 99| 2| if(flow->packet_counter == 1 && ------------------ | Branch (99:6): [True: 2, False: 0] ------------------ 100| 2| packet->payload_packet_len >= NDPI_STATICSTRING_LEN("HI") && ------------------ | | 98| 4|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (100:6): [True: 2, False: 0] ------------------ 101| 2| memcmp(packet->payload, "HI", NDPI_STATICSTRING_LEN("HI")) == 0) { ------------------ | | 98| 2|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (101:6): [True: 0, False: 2] ------------------ 102| 0| flow->ookla_stage = 1; 103| 0| return; 104| 0| } 105| | 106| 2| if(flow->packet_counter == 2 && ------------------ | Branch (106:6): [True: 0, False: 2] ------------------ 107| 0| flow->ookla_stage == 1 && ------------------ | Branch (107:6): [True: 0, False: 0] ------------------ 108| 0| packet->payload_packet_len >= NDPI_STATICSTRING_LEN("HELLO") && ------------------ | | 98| 2|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (108:6): [True: 0, False: 0] ------------------ 109| 0| memcmp(packet->payload, "HELLO", NDPI_STATICSTRING_LEN("HELLO")) == 0) { ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (109:6): [True: 0, False: 0] ------------------ 110| 0| NDPI_LOG_INFO(ndpi_struct, "found ookla (Hi + Hello)\n"); ------------------ | | 595| 0|# define 
NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 111| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 112| 0| ookla_add_to_cache(ndpi_struct, flow); 113| 0| return; 114| 0| } 115| | 116| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 117| 2|} init_ookla_dissector: 121| 7.08k|void init_ookla_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 122| 7.08k| ndpi_register_dissector("Ookla", ndpi_struct, 123| 7.08k| ndpi_search_ookla, 124| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 125| 7.08k| 1, NDPI_PROTOCOL_OOKLA); 126| 7.08k|} ookla.c:get_ookla_key: 34| 80|{ 35| 80| if(flow->is_ipv6) ------------------ | Branch (35:6): [True: 0, False: 80] ------------------ 36| 0| return ndpi_quick_hash64((const char *)flow->c_address.v6, 16); 37| 80| else 38| 80| return flow->c_address.v4; 39| 80|} init_opc_ua_dissector: 73| 7.08k|{ 74| 7.08k| ndpi_register_dissector("OPC-UA", ndpi_struct, 75| 7.08k| ndpi_search_opc_ua, 76| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 77| 7.08k| 1, NDPI_PROTOCOL_OPC_UA); 78| 7.08k|} opc-ua.c:ndpi_search_opc_ua: 45| 11.7k|{ 46| 11.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search OPC UA\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| | /* Shortest OPC UA packet I've ever seen */ 51| 11.7k| if (packet->payload_packet_len >= 16) { ------------------ | Branch (51:7): [True: 10.3k, False: 1.33k] ------------------ 52| | /* Each OPC UA MessageChunk starts with a 3 byte ASCII code that defines 53| | * the MessageType. 
The 4th byte is nowadays ignored and must always be set to 54| | * ASCII character 'F' 55| | */ 56| 10.3k| if ((memcmp(packet->payload, "HELF", 4) == 0) || ------------------ | Branch (56:10): [True: 8, False: 10.3k] ------------------ 57| 10.3k| (memcmp(packet->payload, "ACKF", 4) == 0) || ------------------ | Branch (57:10): [True: 3, False: 10.3k] ------------------ 58| 10.3k| (memcmp(packet->payload, "RHEF", 4) == 0) || ------------------ | Branch (58:10): [True: 5, False: 10.3k] ------------------ 59| 10.3k| (memcmp(packet->payload, "OPNF", 4) == 0) || ------------------ | Branch (59:10): [True: 2, False: 10.3k] ------------------ 60| 10.3k| (memcmp(packet->payload, "MSGF", 4) == 0) || ------------------ | Branch (60:10): [True: 10, False: 10.3k] ------------------ 61| 10.3k| (memcmp(packet->payload, "ERRF", 4) == 0) || ------------------ | Branch (61:10): [True: 1, False: 10.3k] ------------------ 62| 10.3k| (memcmp(packet->payload, "CLOF", 4) == 0)) ------------------ | Branch (62:10): [True: 4, False: 10.3k] ------------------ 63| 33| { 64| 33| ndpi_int_opc_ua_add_connection(ndpi_struct, flow); 65| 33| return; 66| 33| } 67| 10.3k| } 68| | 69| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 11.6k|} opc-ua.c:ndpi_int_opc_ua_add_connection: 36| 33|{ 37| 33| NDPI_LOG_INFO(ndpi_struct, "found OPC-UA\n"); ------------------ | | 595| 33|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 38| 33| ndpi_set_detected_protocol(ndpi_struct, flow, 39| 33| NDPI_PROTOCOL_OPC_UA, NDPI_PROTOCOL_UNKNOWN, 40| 33| NDPI_CONFIDENCE_DPI); 41| 33|} init_openflow_dissector: 60| 7.08k|{ 61| 7.08k| ndpi_register_dissector("OpenFlow", ndpi_struct, 62| 7.08k| ndpi_search_openflow, 63| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 64| 7.08k| 1, NDPI_PROTOCOL_OPENFLOW); 65| 7.08k|} openflow.c:ndpi_search_openflow: 43| 11.6k|{ 44| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 45| | 46| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search OpenFlow\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 11.6k| if (packet->payload_packet_len >= 8 && ------------------ | Branch (48:7): [True: 10.8k, False: 805] ------------------ 49| 10.8k| packet->payload[0] == 0x06 && packet->payload[1] < 36 && ------------------ | Branch (49:7): [True: 13, False: 10.8k] | Branch (49:37): [True: 8, False: 5] ------------------ 50| 8| packet->payload_packet_len == ntohs(get_u_int16_t(packet->payload, 2))) ------------------ | Branch (50:7): [True: 0, False: 8] ------------------ 51| 0| { 52| 0| ndpi_int_openflow_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| | 56| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 11.6k|} init_openvpn_dissector: 499| 7.08k|void init_openvpn_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 500| 7.08k| ndpi_register_dissector("OpenVPN", ndpi_struct, 501| 7.08k| ndpi_search_openvpn, 502| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 503| 7.08k| 1, NDPI_PROTOCOL_OPENVPN); 504| 7.08k|} openvpn.c:ndpi_search_openvpn: 456| 17.9k| struct ndpi_flow_struct* flow) { 457| 17.9k| struct ndpi_packet_struct* packet = &ndpi_struct->packet; 458| | 459| 17.9k| NDPI_LOG_DBG(ndpi_struct, "Search opnvpn\n"); ------------------ | | 596| 17.9k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 460| | 461| 17.9k| if(packet->payload_packet_len > 10 && ------------------ | Branch (461:6): [True: 16.9k, False: 1.03k] ------------------ 462| 17.9k| ntohl(*(u_int32_t *)&packet->payload[4 + 2 * (packet->tcp != NULL)]) == 0x2112A442) { ------------------ | Branch (462:6): [True: 494, False: 16.4k] ------------------ 463| 494| NDPI_LOG_DBG2(ndpi_struct, "Avoid collision with STUN\n"); ------------------ | | 597| 494|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 464| 494| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 494|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 465| 494| return; 466| 494| } 467| | 468| 17.4k| NDPI_LOG_DBG2(ndpi_struct, "States (before): %d %d\n", ------------------ | | 597| 17.4k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 469| 17.4k| flow->ovpn_alg_standard_state, 470| 17.4k| flow->ovpn_alg_heur_opcode_state); 471| | 472| 17.4k| if(flow->ovpn_alg_standard_state == 0) { ------------------ | Branch (472:6): [True: 17.4k, False: 0] ------------------ 473| 17.4k| flow->ovpn_alg_standard_state = search_standard(ndpi_struct, flow); 474| 17.4k| } 475| 17.4k| if(ndpi_struct->cfg.openvpn_heuristics & NDPI_HEURISTICS_OPENVPN_OPCODE) { ------------------ | | 827| 17.4k|#define NDPI_HEURISTICS_OPENVPN_OPCODE 0x01 /* Enable heuristic based on opcode frequency */ ------------------ | Branch (475:6): [True: 0, False: 17.4k] ------------------ 476| 0| if(flow->ovpn_alg_heur_opcode_state == 0) { ------------------ | Branch (476:8): [True: 0, False: 0] ------------------ 477| 0| flow->ovpn_alg_heur_opcode_state = search_heur_opcode(ndpi_struct, flow); 478| 0| } 479| 17.4k| } else { 480| 17.4k| flow->ovpn_alg_heur_opcode_state = 1; 481| 17.4k| } 482| | 483| 17.4k| NDPI_LOG_DBG2(ndpi_struct, 
"States (after): %d %d\n", ------------------ | | 597| 17.4k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 484| 17.4k| flow->ovpn_alg_standard_state, 485| 17.4k| flow->ovpn_alg_heur_opcode_state); 486| | 487| 17.4k| if(flow->ovpn_alg_standard_state == 2) { ------------------ | Branch (487:6): [True: 6, False: 17.4k] ------------------ 488| 6| ndpi_int_openvpn_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 489| 17.4k| } else if (flow->ovpn_alg_heur_opcode_state == 2) { ------------------ | Branch (489:14): [True: 0, False: 17.4k] ------------------ 490| 0| ndpi_int_openvpn_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI_AGGRESSIVE); 491| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Obfuscated OpenVPN"); 492| 17.4k| } else if(flow->ovpn_alg_standard_state == 1 && ------------------ | Branch (492:13): [True: 17.2k, False: 238] ------------------ 493| 17.2k| flow->ovpn_alg_heur_opcode_state == 1) { ------------------ | Branch (493:13): [True: 17.2k, False: 0] ------------------ 494| 17.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 495| 17.2k| } 496| | 497| 17.4k|} openvpn.c:search_standard: 137| 17.4k| struct ndpi_flow_struct* flow) { 138| 17.4k| struct ndpi_packet_struct* packet = &ndpi_struct->packet; 139| 17.4k| const u_int8_t * ovpn_payload = packet->payload; 140| 17.4k| const u_int8_t * session_remote; 141| 17.4k| u_int8_t opcode; 142| 17.4k| u_int8_t alen; 143| 17.4k| int8_t hmac_size; 144| 17.4k| int8_t failed = 0; 145| 17.4k| /* No u_ */int16_t ovpn_payload_len = packet->payload_packet_len; 146| 17.4k| int dir = packet->packet_direction; 147| | 148| | /* Detection: 149| | * (1) server and client resets matching (via session id -> remote session id) 150| | * (2) consecutive packets (in both directions) with 
the same session id 151| | * (3) asymmetric traffic 152| | */ 153| | 154| 17.4k| if(ovpn_payload_len < 14 + 2 * (packet->tcp != NULL)) { ------------------ | Branch (154:6): [True: 1.50k, False: 15.9k] ------------------ 155| 1.50k| return 1; /* Exclude */ 156| 1.50k| } 157| | 158| | /* Skip openvpn TCP transport packet size */ 159| 15.9k| if(packet->tcp != NULL) ------------------ | Branch (159:6): [True: 12.1k, False: 3.74k] ------------------ 160| 12.1k| ovpn_payload += 2, ovpn_payload_len -= 2; 161| | 162| 15.9k| opcode = ovpn_payload[0] & P_OPCODE_MASK; ------------------ | | 54| 15.9k|#define P_OPCODE_MASK 0xF8 ------------------ 163| 15.9k| if(!is_opcode_valid(opcode)) { ------------------ | Branch (163:6): [True: 11.5k, False: 4.42k] ------------------ 164| 11.5k| return 1; /* Exclude */ 165| 11.5k| } 166| | /* Maybe a strong assumption... */ 167| 4.42k| if((ovpn_payload[0] & ~P_OPCODE_MASK) != 0) { ------------------ | | 54| 4.42k|#define P_OPCODE_MASK 0xF8 ------------------ | Branch (167:6): [True: 3.47k, False: 954] ------------------ 168| 3.47k| NDPI_LOG_DBG2(ndpi_struct, "Invalid key id\n"); ------------------ | | 597| 3.47k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 169| 3.47k| return 1; /* Exclude */ 170| 3.47k| } 171| 954| if(flow->packet_direction_counter[dir] == 1 && ------------------ | Branch (171:6): [True: 880, False: 74] ------------------ 172| 880| !(opcode == P_CONTROL_HARD_RESET_CLIENT_V1 || ------------------ | | 45| 1.76k|#define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3) ------------------ | Branch (172:8): [True: 424, False: 456] ------------------ 173| 456| opcode == P_CONTROL_HARD_RESET_CLIENT_V2 || ------------------ | | 49| 1.33k|#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3) ------------------ | Branch (173:8): [True: 116, False: 340] ------------------ 174| 340| opcode == P_CONTROL_HARD_RESET_SERVER_V1 || ------------------ | | 46| 1.22k|#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3) ------------------ | Branch (174:8): [True: 48, False: 292] ------------------ 175| 292| opcode == P_CONTROL_HARD_RESET_SERVER_V2 || ------------------ | | 50| 1.17k|#define P_CONTROL_HARD_RESET_SERVER_V2 (0x08 << 3) ------------------ | Branch (175:8): [True: 109, False: 183] ------------------ 176| 183| opcode == P_CONTROL_HARD_RESET_CLIENT_V3)) { ------------------ | | 51| 183|#define P_CONTROL_HARD_RESET_CLIENT_V3 (0x0A << 3) ------------------ | Branch (176:8): [True: 9, False: 174] ------------------ 177| 174| NDPI_LOG_DBG2(ndpi_struct, "Invalid first packet\n"); ------------------ | | 597| 174|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 178| 174| return 1; /* Exclude */ 179| 174| } 180| | /* Resets are small packets */ 181| 780| if(packet->payload_packet_len >= 1200 && ------------------ | Branch (181:6): [True: 9, False: 771] ------------------ 182| 9| (opcode == P_CONTROL_HARD_RESET_CLIENT_V1 || ------------------ | | 45| 18|#define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3) ------------------ | Branch (182:7): [True: 2, False: 7] ------------------ 183| 7| opcode == P_CONTROL_HARD_RESET_CLIENT_V2 || ------------------ | | 49| 16|#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3) ------------------ | Branch (183:7): [True: 3, False: 4] ------------------ 184| 4| opcode == P_CONTROL_HARD_RESET_SERVER_V1 || ------------------ | | 46| 13|#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3) ------------------ | Branch (184:7): [True: 2, False: 2] ------------------ 185| 2| opcode == P_CONTROL_HARD_RESET_SERVER_V2 || ------------------ | | 50| 11|#define P_CONTROL_HARD_RESET_SERVER_V2 (0x08 << 3) ------------------ | Branch (185:7): [True: 1, False: 1] ------------------ 186| 9| opcode == P_CONTROL_HARD_RESET_CLIENT_V3)) { ------------------ | | 51| 1|#define P_CONTROL_HARD_RESET_CLIENT_V3 (0x0A << 3) ------------------ | Branch (186:7): [True: 1, False: 0] ------------------ 187| 9| NDPI_LOG_DBG2(ndpi_struct, "Invalid len first pkt (QUIC collision)\n"); ------------------ | | 597| 9|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 188| 9| return 1; /* Exclude */ 189| 9| } 190| 771| if(flow->packet_direction_counter[dir] == 1 && ------------------ | Branch (190:6): [True: 697, False: 74] ------------------ 191| 697| packet->tcp && ------------------ | Branch (191:6): [True: 657, False: 40] ------------------ 192| 771| ntohs(*(u_int16_t *)(packet->payload)) != ovpn_payload_len) { ------------------ | Branch (192:6): [True: 520, False: 137] ------------------ 193| 520| NDPI_LOG_DBG2(ndpi_struct, "Invalid tcp len on reset\n"); ------------------ | | 597| 520|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 194| 520| return 1; /* Exclude */ 195| 520| } 196| | 197| 251| NDPI_LOG_DBG2(ndpi_struct, "[packets %d/%d][opcode: %u][len: %u]\n", ------------------ | | 597| 251|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 198| 251| flow->packet_direction_counter[dir], 199| 251| flow->packet_direction_counter[!dir], 200| 251| opcode, ovpn_payload_len); 201| | 202| 251| if(flow->packet_direction_counter[dir] > 1) { ------------------ | Branch (202:6): [True: 74, False: 177] ------------------ 203| 74| if(memcmp(flow->ovpn_session_id[dir], ovpn_payload + 1, 8) != 0) { ------------------ | Branch (203:8): [True: 5, False: 69] ------------------ 204| 5| NDPI_LOG_DBG2(ndpi_struct, "Invalid session id on two consecutive pkts in the same dir\n"); ------------------ | | 597| 5|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 205| 5| return 1; /* Exclude */ 206| 5| } 207| 69| if(flow->packet_direction_counter[dir] >= 2 && ------------------ | Branch (207:8): [True: 69, False: 0] ------------------ 208| 69| flow->packet_direction_counter[!dir] >= 2) { ------------------ | Branch (208:8): [True: 4, False: 65] ------------------ 209| | /* (2) */ 210| 4| NDPI_LOG_INFO(ndpi_struct,"found openvpn (session ids match on both direction)\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 211| 4| return 2; /* Found */ 212| 4| } 213| 65| if(flow->packet_direction_counter[dir] >= 4 && ------------------ | Branch (213:8): [True: 5, False: 60] ------------------ 214| 5| flow->packet_direction_counter[!dir] == 0) { ------------------ | Branch (214:8): [True: 2, False: 3] ------------------ 215| | /* (3) */ 216| 2| NDPI_LOG_INFO(ndpi_struct,"found openvpn (asymmetric)\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 217| 2| return 2; /* Found */ 218| 2| } 219| 177| } else { 220| 177| memcpy(flow->ovpn_session_id[dir], ovpn_payload + 1, 8); 221| 177| NDPI_LOG_DBG2(ndpi_struct, "Session key [%d]: 0x%lx\n", dir, ------------------ | | 597| 177|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 222| 177| ndpi_ntohll(*(u_int64_t *)flow->ovpn_session_id[dir])); 223| 177| } 224| | 225| | /* (1) */ 226| 240| if(flow->packet_direction_counter[!dir] > 0 && ------------------ | Branch (226:6): [True: 24, False: 216] ------------------ 227| 24| (opcode == P_CONTROL_HARD_RESET_SERVER_V1 || ------------------ | | 46| 48|#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3) ------------------ | Branch (227:7): [True: 2, False: 22] ------------------ 228| 22| opcode == P_CONTROL_HARD_RESET_SERVER_V2)) { ------------------ | | 50| 22|#define P_CONTROL_HARD_RESET_SERVER_V2 (0x08 << 3) ------------------ | Branch (228:7): [True: 12, False: 10] ------------------ 229| | 230| 14| hmac_size = detect_hmac_size(ovpn_payload, ovpn_payload_len); 231| 14| NDPI_LOG_DBG2(ndpi_struct, "hmac size %d\n", hmac_size); ------------------ | | 597| 14|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 232| 14| failed = 0; 233| 14| if(hmac_size >= 0 && ------------------ | Branch (233:8): [True: 3, False: 11] ------------------ 234| 3| P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) < ovpn_payload_len) { ------------------ | | 60| 3|#define P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) (P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) + 8 * (!!(hmac_size))) | | ------------------ | | | | 59| 3|#define P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) (9 + hmac_size) | | ------------------ ------------------ | Branch (234:8): [True: 3, False: 0] ------------------ 235| 3| u_int16_t offset = P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size); ------------------ | | 60| 3|#define P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) (P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) + 8 * (!!(hmac_size))) | | ------------------ | | | | 59| 3|#define P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) (9 + hmac_size) | | ------------------ ------------------ 236| | 237| 3| alen = ovpn_payload[offset]; 238| | 239| 3| if(alen > 0) { ------------------ | Branch (239:10): [True: 2, 
False: 1] ------------------ 240| 2| offset += 1 + alen * 4; 241| | 242| 2| if((offset + 8) <= ovpn_payload_len) { ------------------ | Branch (242:12): [True: 1, False: 1] ------------------ 243| 1| session_remote = &ovpn_payload[offset]; 244| | 245| 1| if(memcmp(flow->ovpn_session_id[!dir], session_remote, 8) == 0) { ------------------ | Branch (245:14): [True: 0, False: 1] ------------------ 246| 0| NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 247| 0| return 2; /* Found */ 248| 1| } else { 249| 1| NDPI_LOG_DBG2(ndpi_struct, "key mismatch 0x%lx\n", ndpi_ntohll(*(u_int64_t *)session_remote)); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 250| 1| } 251| 1| } 252| 2| failed = 1; 253| 2| } else { 254| | /* Server reset without remote session id field; no failure */ 255| 1| } 256| 3| } 257| 14| } 258| | 259| 240| if(failed || flow->packet_counter > 5) ------------------ | Branch (259:6): [True: 2, False: 238] | Branch (259:16): [True: 0, False: 238] ------------------ 260| 2| return 1; /* Exclude */ 261| 238| return 0; /* Continue */ 262| 240|} openvpn.c:is_opcode_valid: 76| 15.9k|{ 77| | /* Ignore: 78| | * P_DATA_V1/2: they don't have any (useful) info in the header 79| | * P_CONTROL_SOFT_RESET_V1: it is used to key renegotiation -> it is not at the beginning of the session 80| | */ 81| 15.9k| return opcode == P_CONTROL_HARD_RESET_CLIENT_V1 || ------------------ | | 45| 31.8k|#define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3) ------------------ | Branch (81:10): [True: 511, False: 15.4k] ------------------ 82| 15.4k| opcode == P_CONTROL_HARD_RESET_SERVER_V1 || ------------------ | | 46| 31.3k|#define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3) ------------------ | Branch (82:3): [True: 482, False: 14.9k] ------------------ 83| 14.9k| opcode == P_CONTROL_V1 || 
------------------ | | 47| 30.8k|#define P_CONTROL_V1 (0x04 << 3) ------------------ | Branch (83:3): [True: 196, False: 14.7k] ------------------ 84| 14.7k| opcode == P_ACK_V1 || ------------------ | | 48| 30.6k|#define P_ACK_V1 (0x05 << 3) ------------------ | Branch (84:3): [True: 1.34k, False: 13.4k] ------------------ 85| 13.4k| opcode == P_CONTROL_HARD_RESET_CLIENT_V2 || ------------------ | | 49| 29.3k|#define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3) ------------------ | Branch (85:3): [True: 223, False: 13.1k] ------------------ 86| 13.1k| opcode == P_CONTROL_HARD_RESET_SERVER_V2 || ------------------ | | 50| 29.1k|#define P_CONTROL_HARD_RESET_SERVER_V2 (0x08 << 3) ------------------ | Branch (86:3): [True: 396, False: 12.7k] ------------------ 87| 12.7k| opcode == P_CONTROL_HARD_RESET_CLIENT_V3 || ------------------ | | 51| 28.7k|#define P_CONTROL_HARD_RESET_CLIENT_V3 (0x0A << 3) ------------------ | Branch (87:3): [True: 1.22k, False: 11.5k] ------------------ 88| 11.5k| opcode == P_CONTROL_WKC_V1; ------------------ | | 52| 11.5k|#define P_CONTROL_WKC_V1 (0x0B << 3) ------------------ | Branch (88:3): [True: 50, False: 11.5k] ------------------ 89| 15.9k|} openvpn.c:detect_hmac_size: 117| 14|static int8_t detect_hmac_size(const u_int8_t *payload, int payload_len) { 118| | // try to guess 119| 14| if((payload_len >= P_HARD_RESET_PACKET_ID_OFFSET(P_HMAC_160) + 4) && ------------------ | | 59| 14|#define P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) (9 + hmac_size) ------------------ | Branch (119:6): [True: 13, False: 1] ------------------ 120| 13| get_packet_id(payload, P_HMAC_160) == 1) ------------------ | | 57| 13|#define P_HMAC_160 20 // (RSA-|DSA-)SHA(1), ..others, SHA1 is openvpn default ------------------ | Branch (120:6): [True: 0, False: 13] ------------------ 121| 0| return P_HMAC_160; ------------------ | | 57| 0|#define P_HMAC_160 20 // (RSA-|DSA-)SHA(1), ..others, SHA1 is openvpn default ------------------ 122| | 123| 14| if((payload_len >= 
P_HARD_RESET_PACKET_ID_OFFSET(P_HMAC_128) + 4) && ------------------ | | 59| 14|#define P_HARD_RESET_PACKET_ID_OFFSET(hmac_size) (9 + hmac_size) ------------------ | Branch (123:6): [True: 13, False: 1] ------------------ 124| 13| get_packet_id(payload, P_HMAC_128) == 1) ------------------ | | 56| 13|#define P_HMAC_128 16 // (RSA-)MD5, (RSA-)MD4, ..others ------------------ | Branch (124:6): [True: 0, False: 13] ------------------ 125| 0| return P_HMAC_128; ------------------ | | 56| 0|#define P_HMAC_128 16 // (RSA-)MD5, (RSA-)MD4, ..others ------------------ 126| | 127| | /* Heuristic from Wireshark, to detect no-HMAC flows (i.e. tls-crypt) */ 128| 14| if(payload_len >= 14 && ------------------ | Branch (128:6): [True: 14, False: 0] ------------------ 129| 14| !(payload[9] > 0 && ------------------ | Branch (129:8): [True: 13, False: 1] ------------------ 130| 13| check_for_valid_hmac(ntohl(*(u_int32_t*)(payload + 9))))) ------------------ | Branch (130:8): [True: 11, False: 2] ------------------ 131| 3| return P_HMAC_NONE; ------------------ | | 58| 3|#define P_HMAC_NONE 0 // No HMAC ------------------ 132| | 133| 11| return(-1); 134| 14|} openvpn.c:get_packet_id: 91| 26|static u_int32_t get_packet_id(const u_int8_t * payload, u_int8_t hms) { 92| | return(ntohl(*(u_int32_t*)(payload + P_HARD_RESET_PACKET_ID_OFFSET(hms)))); 93| 26|} openvpn.c:check_for_valid_hmac: 101| 13|{ 102| 13| int c = 0; 103| | 104| 13| if((hmac & 0x000000FF) == 0x00000000) ------------------ | Branch (104:6): [True: 2, False: 11] ------------------ 105| 2| c++; 106| 13| if((hmac & 0x0000FF00) == 0x00000000) ------------------ | Branch (106:6): [True: 2, False: 11] ------------------ 107| 2| c++; 108| 13| if ((hmac & 0x00FF0000) == 0x00000000) ------------------ | Branch (108:7): [True: 1, False: 12] ------------------ 109| 1| c++; 110| 13| if ((hmac & 0xFF000000) == 0x00000000) ------------------ | Branch (110:7): [True: 0, False: 13] ------------------ 111| 0| c++; 112| 13| if (c > 1) 
------------------ | Branch (112:7): [True: 2, False: 11] ------------------ 113| 2| return 0; 114| 11| return 1; 115| 13|} openvpn.c:ndpi_int_openvpn_add_connection: 66| 6|{ 67| 6| if(ndpi_struct->cfg.openvpn_subclassification_by_ip && ------------------ | Branch (67:6): [True: 6, False: 0] ------------------ 68| 6| ndpi_struct->proto_defaults[flow->guessed_protocol_id_by_ip].protoCategory == NDPI_PROTOCOL_CATEGORY_VPN) { ------------------ | Branch (68:6): [True: 0, False: 6] ------------------ 69| 0| ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id_by_ip, NDPI_PROTOCOL_OPENVPN, confidence); 70| 6| } else { 71| 6| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN, confidence); 72| 6| } 73| 6|} init_openwire_dissector: 54| 7.08k|{ 55| 7.08k| ndpi_register_dissector("OpenWire", ndpi_struct, 56| 7.08k| ndpi_search_openwire, 57| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 58| 7.08k| 1, NDPI_PROTOCOL_OPENWIRE); 59| 7.08k|} openwire.c:ndpi_search_openwire: 33| 11.6k|{ 34| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 35| | 36| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search OpenWire\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| | 38| 11.6k| if (packet->payload_packet_len > 22 && ------------------ | Branch (38:7): [True: 6.92k, False: 4.71k] ------------------ 39| 11.6k| ntohl(get_u_int32_t(packet->payload, 0)) == (u_int32_t)(packet->payload_packet_len-4) && ------------------ | Branch (39:7): [True: 11, False: 6.91k] ------------------ 40| 11| packet->payload[4] == 0x01) ------------------ | Branch (40:7): [True: 1, False: 10] ------------------ 41| 1| { 42| 1| if (memcmp(&packet->payload[5], "ActiveMQ", 8) == 0) { ------------------ | Branch (42:9): [True: 0, False: 1] ------------------ 43| 0| NDPI_LOG_INFO(ndpi_struct, "found OpenWire\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENWIRE, 45| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 46| 0| return; 47| 0| } 48| 1| } 49| | 50| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 51| 11.6k|} init_oracle_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("Oracle", ndpi_struct, 66| 7.08k| ndpi_search_oracle, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_ORACLE); 69| 7.08k|} oracle.c:ndpi_search_oracle: 36| 13.4k|{ 37| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| 13.4k| u_int16_t dport = 0, sport = 0; 39| | 40| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search ORACLE\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 41| | 42| | /* For the time being, check only on default port since the logic is quite weak */ 43| 13.4k| sport = ntohs(packet->tcp->source); 44| 13.4k| dport = ntohs(packet->tcp->dest); 45| | 46| | /* Check for Connect Request */ 47| 13.4k| if((dport == 1521 || sport == 1521) && ------------------ | Branch (47:7): [True: 0, False: 13.4k] | Branch (47:24): [True: 0, False: 13.4k] ------------------ 48| 0| packet->payload_packet_len >= 8 && ------------------ | Branch (48:6): [True: 0, False: 0] ------------------ 49| 13.4k| ntohs(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len && ------------------ | Branch (49:6): [True: 0, False: 0] ------------------ 50| 0| packet->payload[2] == 0x00 && packet->payload[3] == 0x00 && /* Packet Checksum */ ------------------ | Branch (50:6): [True: 0, False: 0] | Branch (50:36): [True: 0, False: 0] ------------------ 51| 0| packet->payload[4] == 0x01 && /* Connect */ ------------------ | Branch (51:6): [True: 0, False: 0] ------------------ 52| 0| packet->payload[5] == 0x00 && /* Reserved */ ------------------ | Branch (52:6): [True: 0, False: 0] ------------------ 53| 0| packet->payload[6] == 0x00 && packet->payload[7] == 0x00 /* Header Checksum */) { ------------------ | 
Branch (53:6): [True: 0, False: 0] | Branch (53:36): [True: 0, False: 0] ------------------ 54| 0| NDPI_LOG_INFO(ndpi_struct, "found oracle\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 55| 0| ndpi_int_oracle_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| | 59| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 13.4k|} init_paltalk_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("Paltalk", ndpi_struct, 66| 7.08k| ndpi_search_paltalk, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_PALTALK); 69| 7.08k|} paltalk.c:ndpi_search_paltalk: 41| 11.6k|{ 42| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Paltalk\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 11.6k| if (packet->payload_packet_len == 20 && get_u_int32_t(packet->payload, 8) == htonl(0x020001) && ------------------ | | 137| 171|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (46:7): [True: 171, False: 11.4k] | Branch (46:43): [True: 0, False: 171] ------------------ 47| 0| get_u_int32_t(packet->payload, 16) == htonl(0x5AFDFFFF)) ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (47:7): [True: 0, False: 0] ------------------ 48| 0| { 49| 0| ndpi_int_paltalk_add_connection(ndpi_struct, flow); 50| 0| return; 51| 0| } 52| | 53| 11.6k| if (packet->payload_packet_len == 22 && get_u_int32_t(packet->payload, 2) == htonl(0x24C2E80B) && ------------------ | | 137| 17|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (53:7): [True: 17, False: 11.6k] | Branch (53:43): [True: 0, False: 17] ------------------ 54| 0| get_u_int32_t(packet->payload, 17) == htonl(0x5B732B00)) ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) 
------------------ | Branch (54:7): [True: 0, False: 0] ------------------ 55| 0| { 56| 0| ndpi_int_paltalk_add_connection(ndpi_struct, flow); 57| 0| return; 58| 0| } 59| | 60| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 11.6k|} init_pathofexile_dissector: 73| 7.08k|{ 74| 7.08k| ndpi_register_dissector("PathofExile", ndpi_struct, 75| 7.08k| ndpi_search_pathofexile, 76| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 77| 7.08k| 1, NDPI_PROTOCOL_PATHOFEXILE); 78| 7.08k|} path_of_exile.c:ndpi_search_pathofexile: 34| 11.6k|{ 35| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Path of Exile\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| | 39| | /* Path of Exile 2 */ 40| 11.6k| if (packet->payload_packet_len == 19 && packet->payload[0] == 0) { ------------------ | Branch (40:7): [True: 63, False: 11.5k] | Branch (40:43): [True: 55, False: 8] ------------------ 41| 55| if (ntohs(get_u_int16_t(packet->payload, 1)) == 0x300 && ------------------ | Branch (41:9): [True: 0, False: 55] ------------------ 42| 55| ntohs(get_u_int16_t(packet->payload, 7)) == 0x200 && ------------------ | Branch (42:9): [True: 0, False: 0] ------------------ 43| 55| ntohl(get_u_int32_t(packet->payload, 14)) == 0x40) ------------------ | Branch (43:9): [True: 0, False: 0] ------------------ 44| 0| { 45| 0| NDPI_LOG_INFO(ndpi_struct, "found Path of Exile 2\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PATHOFEXILE, NDPI_PROTOCOL_UNKNOWN, 47| 0| NDPI_CONFIDENCE_DPI); 48| 0| return; 49| 0| } 50| 55| } 51| | 52| | /* The first packet always contains these signatures and the character's 53| | * nickname (from 4 to 23 chars). 
54| | */ 55| 11.6k| if ((packet->payload_packet_len > 25 && packet->payload_packet_len < 50) && ------------------ | Branch (55:8): [True: 6.48k, False: 5.15k] | Branch (55:43): [True: 3.13k, False: 3.34k] ------------------ 56| 3.13k| (packet->payload[0] == 0 && packet->payload[6] == 0)) ------------------ | Branch (56:8): [True: 285, False: 2.85k] | Branch (56:35): [True: 31, False: 254] ------------------ 57| 31| { 58| 31| if (ntohs(get_u_int16_t(packet->payload, 1)) == 0x300 && ------------------ | Branch (58:9): [True: 1, False: 30] ------------------ 59| 31| ntohs(get_u_int16_t(packet->payload, 7)) == 0x200 && ------------------ | Branch (59:9): [True: 0, False: 1] ------------------ 60| 31| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len-8)) == 0 && ------------------ | Branch (60:9): [True: 0, False: 0] ------------------ 61| 31| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len-4)) == 0x40000001) ------------------ | Branch (61:9): [True: 0, False: 0] ------------------ 62| 0| { 63| 0| NDPI_LOG_INFO(ndpi_struct, "found Path of Exile\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 64| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PATHOFEXILE, NDPI_PROTOCOL_UNKNOWN, 65| 0| NDPI_CONFIDENCE_DPI); 66| 0| } 67| 31| } 68| | 69| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 11.6k|} init_pfcp_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("PFCP", ndpi_struct, 64| 7.08k| ndpi_search_pfcp, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_PFCP); 67| 7.08k|} pfcp.c:ndpi_search_pfcp: 36| 3.32k|{ 37| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 38| | 39| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search PFCP\n"); ------------------ | | 
596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 3.32k| if (packet->payload_packet_len > 12 && ------------------ | Branch (41:7): [True: 3.14k, False: 178] ------------------ 42| 3.14k| (ntohs(packet->udp->dest) == 8805 || ntohs(packet->udp->source) == 8805)) ------------------ | Branch (42:8): [True: 5, False: 3.14k] | Branch (42:44): [True: 0, False: 3.14k] ------------------ 43| 5| { 44| 5| u_int8_t version = packet->payload[0] & 0x0F; 45| | /* Values from 18 to 49, 58 to 99 and 100 to 255 are reserved for future use 46| | * and aren't used now. */ 47| 5| u_int8_t message_type = packet->payload[1]; 48| 5| if (version == 1 && (message_type <= 17 || (message_type - 50) <= 7) && ------------------ | Branch (48:9): [True: 1, False: 4] | Branch (48:26): [True: 0, False: 1] | Branch (48:48): [True: 0, False: 1] ------------------ 49| 5| ntohs(get_u_int16_t(packet->payload, 2)) == (u_int16_t)(packet->payload_packet_len-4)) ------------------ | Branch (49:9): [True: 0, False: 0] ------------------ 50| 0| { 51| 0| NDPI_LOG_INFO(ndpi_struct, "found PFCP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_set_detected_protocol(ndpi_struct, flow, 53| 0| NDPI_PROTOCOL_PFCP, NDPI_PROTOCOL_UNKNOWN, 54| 0| NDPI_CONFIDENCE_DPI); 55| 0| return; 56| 0| } 57| 5| } 58| | 59| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 3.32k|} init_postgres_dissector: 127| 7.08k|{ 128| 7.08k| ndpi_register_dissector("PostgreSQL", ndpi_struct, 129| 7.08k| ndpi_search_postgres_tcp, 130| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 131| 7.08k| 1, NDPI_PROTOCOL_POSTGRES); 132| 7.08k|} postgres.c:ndpi_search_postgres_tcp: 42| 13.4k|{ 43| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| 13.4k| if (flow->l4.tcp.postgres_stage == 0) { ------------------ | Branch (45:6): [True: 13.4k, False: 0] ------------------ 46| | //SSL 47| 13.4k| if (packet->payload_packet_len > 7 && ------------------ | Branch (47:7): [True: 12.6k, False: 809] ------------------ 48| 12.6k| packet->payload[4] == 0x04 && ------------------ | Branch (48:4): [True: 231, False: 12.4k] ------------------ 49| 231| packet->payload[5] == 0xd2 && ------------------ | Branch (49:4): [True: 2, False: 229] ------------------ 50| 2| packet->payload[6] == 0x16 && ------------------ | Branch (50:4): [True: 0, False: 2] ------------------ 51| 13.4k| packet->payload[7] == 0x2f && ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len) { ------------------ | Branch (51:4): [True: 0, False: 0] | Branch (51:34): [True: 0, False: 0] ------------------ 52| 0| flow->l4.tcp.postgres_stage = 1 + packet->packet_direction; 53| 0| return; 54| 0| } 55| | //no SSL 56| 13.4k| if (packet->payload_packet_len > 7 && ------------------ | Branch (56:7): [True: 12.6k, False: 809] ------------------ 57| | //protocol version number - to be updated 58| 13.4k| ntohl(get_u_int32_t(packet->payload, 4)) < 0x00040000 && ------------------ | Branch (58:4): [True: 638, False: 12.0k] ------------------ 59| 13.4k| ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len) { ------------------ | Branch (59:4): [True: 0, False: 638] ------------------ 60| 0| 
flow->l4.tcp.postgres_stage = 3 + packet->packet_direction; 61| 0| return; 62| 0| } 63| | //GSS 64| 13.4k| if (packet->payload_packet_len > 7 && ------------------ | Branch (64:7): [True: 12.6k, False: 809] ------------------ 65| 12.6k| packet->payload[4] == 0x04 && ------------------ | Branch (65:4): [True: 231, False: 12.4k] ------------------ 66| 231| packet->payload[5] == 0xd2 && ------------------ | Branch (66:4): [True: 2, False: 229] ------------------ 67| 2| packet->payload[6] == 0x16 && ------------------ | Branch (67:4): [True: 0, False: 2] ------------------ 68| 0| packet->payload[7] == 0x30 && ------------------ | Branch (68:4): [True: 0, False: 0] ------------------ 69| 13.4k| ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len) { ------------------ | Branch (69:4): [True: 0, False: 0] ------------------ 70| 0| flow->l4.tcp.postgres_stage = 5 + packet->packet_direction; 71| 0| return; 72| 0| } 73| 13.4k| } else { 74| 0| if (flow->l4.tcp.postgres_stage == 2 - packet->packet_direction) { ------------------ | Branch (74:7): [True: 0, False: 0] ------------------ 75| | //SSL accepted 76| 0| if (packet->payload_packet_len == 1 && packet->payload[0] == 'S') { ------------------ | Branch (76:8): [True: 0, False: 0] | Branch (76:43): [True: 0, False: 0] ------------------ 77| 0| NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, SSL accepted\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 78| 0| ndpi_int_postgres_add_connection(ndpi_struct, flow); 79| 0| return; 80| 0| } 81| | //SSL denied 82| 0| if (packet->payload_packet_len == 1 && packet->payload[0] == 'N') { ------------------ | Branch (82:8): [True: 0, False: 0] | Branch (82:43): [True: 0, False: 0] ------------------ 83| 0| NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, SSL denied\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 84| 0| ndpi_int_postgres_add_connection(ndpi_struct, flow); 85| 0| return; 86| 0| } 87| 0| } 88| | //no SSL 89| 0| if (flow->l4.tcp.postgres_stage == 4 - packet->packet_direction) { ------------------ | Branch (89:7): [True: 0, False: 0] ------------------ 90| 0| if (packet->payload_packet_len > 8 && ------------------ | Branch (90:8): [True: 0, False: 0] ------------------ 91| 0| ntohl(get_u_int32_t(packet->payload, 5)) < 10 && ------------------ | Branch (91:5): [True: 0, False: 0] ------------------ 92| 0| ntohl(get_u_int32_t(packet->payload, 1)) == (uint32_t)packet->payload_packet_len - 1 && packet->payload[0] == 0x52) { ------------------ | Branch (92:5): [True: 0, False: 0] | Branch (92:93): [True: 0, False: 0] ------------------ 93| 0| NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, no SSL\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 94| 0| ndpi_int_postgres_add_connection(ndpi_struct, flow); 95| 0| return; 96| 0| } 97| 0| if (packet->payload_packet_len > 8 && ------------------ | Branch (97:8): [True: 0, False: 0] ------------------ 98| 0| ntohl(get_u_int32_t(packet->payload, 5)) == 0 && ------------------ | Branch (98:5): [True: 0, False: 0] ------------------ 99| 0| ntohl(get_u_int32_t(packet->payload, 1)) == 8 && packet->payload[0] == 0x52) { ------------------ | Branch (99:5): [True: 0, False: 0] | Branch (99:54): [True: 0, False: 0] ------------------ 100| 0| NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, no SSL, auth succ, multiple msg\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 101| 0| ndpi_int_postgres_add_connection(ndpi_struct, flow); 102| 0| return; 103| 0| } 104| 0| } 105| | //GSS 106| 0| if (flow->l4.tcp.postgres_stage == 6 - packet->packet_direction) { ------------------ | Branch (106:7): [True: 0, False: 0] ------------------ 107| | //GSS accepted 108| 0| if (packet->payload_packet_len == 1 && packet->payload[0] == 'G') { ------------------ | Branch (108:8): [True: 0, False: 0] | Branch (108:43): [True: 0, False: 0] ------------------ 109| 0| NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, GSS accepted\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 110| 0| ndpi_int_postgres_add_connection(ndpi_struct, flow); 111| 0| return; 112| 0| } 113| | //GSS denied 114| 0| if (packet->payload_packet_len == 1 && packet->payload[0] == 'N') { ------------------ | Branch (114:8): [True: 0, False: 0] | Branch (114:43): [True: 0, False: 0] ------------------ 115| 0| NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, GSS denied\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 116| 0| ndpi_int_postgres_add_connection(ndpi_struct, flow); 117| 0| return; 118| 0| } 119| 0| } 120| 0| } 121| | 122| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 123| 13.4k|} init_pptp_dissector: 61| 7.08k|{ 62| 7.08k| ndpi_register_dissector("PPTP", ndpi_struct, 63| 7.08k| ndpi_search_pptp, 64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_PPTP); 66| 7.08k|} pptp.c:ndpi_search_pptp: 40| 13.4k|{ 41| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| | 43| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search pptp\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 13.4k| if (packet->payload_packet_len >= 10 && get_u_int16_t(packet->payload, 0) == htons(packet->payload_packet_len) ------------------ | | 136| 12.5k|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (45:6): [True: 12.5k, False: 877] | Branch (45:42): [True: 3, False: 12.5k] ------------------ 46| 3| && get_u_int16_t(packet->payload, 2) == htons(0x0001) /* message type: control message */ ------------------ | | 136| 3|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (46:6): [True: 0, False: 3] ------------------ 47| 0| &&get_u_int32_t(packet->payload, 4) == htonl(0x1a2b3c4d) /* cookie: correct */ ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (47:5): [True: 0, False: 0] ------------------ 48| 0| &&(get_u_int16_t(packet->payload, 8) == htons(0x0001) /* control type: start-control-connection-request */ ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (48:5): [True: 0, False: 0] ------------------ 49| 0| )) { 50| | 51| 0| NDPI_LOG_INFO(ndpi_struct, "found pptp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_pptp_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| | 56| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 13.4k|} init_profinet_io_dissector: 79| 7.08k|{ 80| 7.08k| ndpi_register_dissector("PROFINET_IO", ndpi_struct, 81| 7.08k| ndpi_search_profinet_io, 82| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 83| 7.08k| 1, NDPI_PROTOCOL_PROFINET_IO); 84| 7.08k|} profinet_io.c:ndpi_search_profinet_io: 43| 3.35k|{ 44| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 45| | 46| 3.35k| NDPI_LOG_DBG(ndpi_struct, "searching PROFINET/IO\n"); ------------------ | | 596| 3.35k|# define 
NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| | /* PROFINET/IO is based on connectionless DCE/RPC */ 49| 3.35k| if ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DCERPC) && ------------------ | Branch (49:7): [True: 0, False: 3.35k] ------------------ 50| 0| (packet->payload_packet_len > 43)) ------------------ | Branch (50:7): [True: 0, False: 0] ------------------ 51| 0| { 52| 0| u_int8_t byte_order = (packet->payload[4] >> 4) & 0xF; 53| 0| u_int32_t time_low = 0; 54| 0| u_int16_t time_mid = 0; 55| 0| u_int16_t time_hi_and_version = 0; 56| | 57| 0| if (byte_order == 0) { /* Big Endian */ ------------------ | Branch (57:9): [True: 0, False: 0] ------------------ 58| 0| time_low = ntohl(get_u_int32_t(packet->payload, 8)); 59| 0| time_mid = ntohs(get_u_int16_t(packet->payload, 12)); 60| 0| time_hi_and_version = ntohs(get_u_int16_t(packet->payload, 14)); 61| 0| } else { /* Little Endian */ 62| 0| time_low = le32toh(get_u_int32_t(packet->payload, 8)); 63| 0| time_mid = le16toh(get_u_int16_t(packet->payload, 12)); 64| 0| time_hi_and_version = le16toh(get_u_int16_t(packet->payload, 14)); 65| 0| } 66| | 67| 0| if ((time_low == 0xDEA00000) && (time_mid == 0x6C97) && ------------------ | Branch (67:9): [True: 0, False: 0] | Branch (67:37): [True: 0, False: 0] ------------------ 68| 0| (time_hi_and_version == 0x11D1)) ------------------ | Branch (68:9): [True: 0, False: 0] ------------------ 69| 0| { 70| 0| ndpi_int_profinet_io_add_connection(ndpi_struct, flow); 71| 0| return; 72| 0| } 73| 0| } 74| | 75| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 3.35k|} init_protobuf_dissector: 253| 7.08k|{ 254| 7.08k| ndpi_register_dissector("Protobuf", ndpi_struct, 255| 7.08k| ndpi_search_protobuf, 256| 7.08k| 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 257| 7.08k| 1, NDPI_PROTOCOL_PROTOBUF); 258| 7.08k|} protobuf.c:ndpi_search_protobuf: 101| 15.0k|{ 102| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 103| | 104| 15.0k| 
NDPI_LOG_DBG(ndpi_struct, "search Protobuf\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 105| | 106| 15.0k| size_t protobuf_elements = 0; 107| 15.0k| size_t protobuf_len_elements = 0; 108| 15.0k| size_t offset = 0; 109| | 110| |#ifdef DEBUG_PROTOBUF 111| | printf("Protobuf:"); 112| |#endif 113| 23.4k| do { 114| |#ifdef DEBUG_PROTOBUF 115| | printf(" "); 116| |#endif 117| 23.4k| uint64_t tag; 118| | // A Protobuf tag has a type and a field number stored as u32 varint. 119| 23.4k| if (protobuf_dissect_varint(packet, &offset, &tag) != 0) ------------------ | Branch (119:9): [True: 3.20k, False: 20.2k] ------------------ 120| 3.20k| { 121| 3.20k| break; 122| 3.20k| } 123| | 124| 20.2k| uint64_t field_number; 125| 20.2k| enum protobuf_type type = protobuf_dissect_tag(tag, &field_number); 126| 20.2k| if (type == PT_INVALID || field_number == 0 || field_number > (UINT_MAX >> 3)) ------------------ | Branch (126:9): [True: 3.07k, False: 17.2k] | Branch (126:31): [True: 4.83k, False: 12.3k] | Branch (126:52): [True: 208, False: 12.1k] ------------------ 127| 8.11k| { 128| 8.11k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 8.11k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 129| 8.11k| return; 130| 8.11k| } 131| | 132| |#ifdef DEBUG_PROTOBUF 133| | printf("[id: %llu]", (unsigned long long int)field_number); 134| |#endif 135| 12.1k| switch (type) ------------------ | Branch (135:13): [True: 12.1k, False: 0] ------------------ 136| 12.1k| { 137| 2.90k| case PT_VARINT: ------------------ | Branch (137:7): [True: 2.90k, False: 9.26k] ------------------ 138| 2.90k| { 139| 2.90k| uint64_t value; 140| 2.90k| if (protobuf_dissect_varint(packet, &offset, &value) != 0) ------------------ | Branch (140:13): [True: 23, False: 2.88k] ------------------ 141| 23| { 142| 23| 
NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 23|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 143| 23| return; 144| 23| } 145| |#ifdef DEBUG_PROTOBUF 146| | printf("[VARINT: %llu / %llx]", (unsigned long long int)value, 147| | (unsigned long long int)value); 148| |#endif 149| 2.88k| break; 150| 2.90k| } 151| 2.88k| case PT_I64: { ------------------ | Branch (151:7): [True: 1.03k, False: 11.1k] ------------------ 152| 1.03k| if (packet->payload_packet_len < offset + sizeof(uint64_t)) ------------------ | Branch (152:13): [True: 46, False: 991] ------------------ 153| 46| { 154| 46| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 46|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 155| 46| return; 156| 46| } 157| |#ifdef DEBUG_PROTOBUF 158| | union { 159| | int64_t as_i64; 160| | uint64_t as_u64; 161| | double as_double; 162| | } value; 163| | value.as_u64 = le64toh(*(uint64_t *)&packet->payload[offset]); 164| | printf("[I64: %lld / %llu / %lf]", (long long int)value.as_i64, 165| | (unsigned long long int)value.as_u64, value.as_double); 166| |#endif 167| 991| offset += 8; 168| 991| break; 169| 1.03k| } 170| 3.67k| case PT_LEN: ------------------ | Branch (170:7): [True: 3.67k, False: 8.49k] ------------------ 171| 3.67k| { 172| 3.67k| uint64_t length; 173| 3.67k| if (protobuf_dissect_varint(packet, &offset, &length) != 0) ------------------ | Branch (173:13): [True: 5, False: 3.66k] ------------------ 174| 5| { 175| 5| if (packet->payload_packet_len >= offset) ------------------ | Branch (175:15): [True: 5, False: 0] ------------------ 176| 5| { 177| 5| break; // We are not excluding the protocol immediately. Let's wait for more packets to arrive.. 
178| 5| } else { 179| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 180| 0| return; 181| 0| } 182| 5| } 183| 3.66k| if (length == 0 || length > INT_MAX) ------------------ | Branch (183:13): [True: 59, False: 3.60k] | Branch (183:28): [True: 48, False: 3.55k] ------------------ 184| 107| { 185| 107| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 107|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 186| 107| return; 187| 107| } 188| 3.55k| offset += length; 189| 3.55k| protobuf_len_elements++; 190| |#ifdef DEBUG_PROTOBUF 191| | printf("[LEN length: %llu]", (unsigned long long int)length); 192| |#endif 193| 3.55k| break; 194| 3.66k| } 195| 1.41k| case PT_SGROUP: ------------------ | Branch (195:7): [True: 1.41k, False: 10.7k] ------------------ 196| 3.55k| case PT_EGROUP: ------------------ | Branch (196:7): [True: 2.14k, False: 10.0k] ------------------ 197| | // Start/End groups are deprecated and therefor ignored to reduce false positives. 
198| 3.55k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.55k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 199| 3.55k| return; 200| 994| case PT_I32: { ------------------ | Branch (200:7): [True: 994, False: 11.1k] ------------------ 201| 994| if (packet->payload_packet_len < offset + sizeof(uint32_t)) ------------------ | Branch (201:13): [True: 22, False: 972] ------------------ 202| 22| { 203| 22| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 22|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 204| 22| return; 205| 22| } 206| |#ifdef DEBUG_PROTOBUF 207| | union { 208| | int32_t as_i32; 209| | uint32_t as_u32; 210| | float as_float; 211| | } value; 212| | value.as_u32 = le32toh(*(uint32_t *)&packet->payload[offset]); 213| | printf("[I32: %d / %u / %f]", value.as_i32, value.as_u32, value.as_float); 214| |#endif 215| 972| offset += 4; 216| 972| break; 217| 994| } 218| 0| case PT_INVALID: ------------------ | Branch (218:7): [True: 0, False: 12.1k] ------------------ 219| 0| break; 220| 12.1k| } 221| 12.1k| } while (++protobuf_elements < PROTOBUF_MAX_ELEMENTS); ------------------ | | 29| 8.41k|#define PROTOBUF_MAX_ELEMENTS 32 ------------------ | Branch (221:12): [True: 8.41k, False: 3] ------------------ 222| | 223| |#ifdef DEBUG_PROTOBUF 224| | printf(" [offset: %llu][length: %u][elems: %llu][len_elems: %llu]\n", 225| | (unsigned long long int)offset, packet->payload_packet_len, 226| | (unsigned long long int)protobuf_elements, 227| | (unsigned long long int)protobuf_len_elements); 228| |#endif 229| 3.21k| if ((protobuf_elements >= PROTOBUF_REQUIRED_ELEMENTS && protobuf_len_elements > 0 && ------------------ | | 30| 6.42k|#define PROTOBUF_REQUIRED_ELEMENTS 8 ------------------ | Branch (229:8): [True: 10, False: 3.20k] 
| Branch (229:59): [True: 4, False: 6] ------------------ 230| | /* (On UDP) this packet might be also a RTP/RTCP one. Wait for the next one */ 231| 4| (flow->packet_counter > 1 || flow->l4_proto == IPPROTO_TCP || flow->rtp_stage == 0)) ------------------ | Branch (231:9): [True: 0, False: 4] | Branch (231:37): [True: 3, False: 1] | Branch (231:70): [True: 1, False: 0] ------------------ 232| 3.20k| || (flow->packet_counter >= PROTOBUF_MIN_PACKETS && protobuf_elements >= PROTOBUF_MIN_ELEMENTS)) ------------------ | | 31| 6.41k|#define PROTOBUF_MIN_PACKETS 4 ------------------ || (flow->packet_counter >= PROTOBUF_MIN_PACKETS && protobuf_elements >= PROTOBUF_MIN_ELEMENTS)) ------------------ | | 28| 0|#define PROTOBUF_MIN_ELEMENTS 2 ------------------ | Branch (232:11): [True: 0, False: 3.20k] | Branch (232:59): [True: 0, False: 0] ------------------ 233| 4| { 234| |#ifdef DEBUG_PROTOBUF 235| | printf("Protobuf found after %u packets.\n", flow->packet_counter); 236| |#endif 237| 4| ndpi_int_protobuf_add_connection(ndpi_struct, flow); 238| 4| return; 239| 4| } 240| | 241| 3.20k| if (packet->payload_packet_len >= offset ------------------ | Branch (241:7): [True: 41, False: 3.16k] ------------------ 242| 41| && protobuf_elements > 0 ------------------ | Branch (242:10): [True: 28, False: 13] ------------------ 243| 28| && flow->packet_counter <= PROTOBUF_MAX_PACKETS) ------------------ | | 32| 28|#define PROTOBUF_MAX_PACKETS 8 ------------------ | Branch (243:10): [True: 28, False: 0] ------------------ 244| 28| { 245| 28| return; // We probably need more packets to dissect. 
246| 28| } 247| | 248| 3.17k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.17k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 249| 3.17k|} protobuf.c:protobuf_dissect_varint: 77| 30.0k|{ 78| 30.0k| size_t i; 79| 30.0k| *value = 0; 80| | 81| 38.3k| for (i = 0; i < 9; ++i) ------------------ | Branch (81:15): [True: 38.2k, False: 191] ------------------ 82| 38.2k| { 83| 38.2k| if (packet->payload_packet_len < *offset + i + 1) ------------------ | Branch (83:9): [True: 3.23k, False: 34.9k] ------------------ 84| 3.23k| { 85| 3.23k| return -1; 86| 3.23k| } 87| | 88| 34.9k| *value |= ((uint64_t)(packet->payload[*offset + i] & 0x7F)) << (i * 8 - i); 89| 34.9k| if ((packet->payload[*offset + i] & 0x80) == 0) ------------------ | Branch (89:9): [True: 26.6k, False: 8.32k] ------------------ 90| 26.6k| { 91| 26.6k| break; 92| 26.6k| } 93| 34.9k| } 94| | 95| 26.8k| *offset += i + 1; 96| 26.8k| return 0; 97| 30.0k|} protobuf.c:protobuf_dissect_tag: 56| 20.2k|{ 57| 20.2k| uint8_t const wire_type = tag & 0x07; 58| 20.2k| *field_number = tag >> 3; 59| | 60| 20.2k| switch (wire_type) ------------------ | Branch (60:11): [True: 17.2k, False: 3.07k] ------------------ 61| 20.2k| { 62| 6.46k| case PT_VARINT: ------------------ | Branch (62:5): [True: 6.46k, False: 13.8k] ------------------ 63| 8.20k| case PT_I64: ------------------ | Branch (63:5): [True: 1.74k, False: 18.5k] ------------------ 64| 12.0k| case PT_LEN: ------------------ | Branch (64:5): [True: 3.81k, False: 16.4k] ------------------ 65| 13.5k| case PT_SGROUP: ------------------ | Branch (65:5): [True: 1.56k, False: 18.7k] ------------------ 66| 16.1k| case PT_EGROUP: ------------------ | Branch (66:5): [True: 2.54k, False: 17.7k] ------------------ 67| 17.2k| case PT_I32: ------------------ | Branch (67:5): [True: 1.08k, False: 19.1k] ------------------ 68| 17.2k| return wire_type; 69| 
20.2k| } 70| | 71| 3.07k| return PT_INVALID; 72| 20.2k|} protobuf.c:ndpi_int_protobuf_add_connection: 49| 4|{ 50| 4| NDPI_LOG_INFO(ndpi_struct, "found Protobuf\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 51| 4| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PROTOBUF, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 52| 4|} init_ptpv2_dissector: 70| 7.08k|{ 71| 7.08k| ndpi_register_dissector("PTPv2", ndpi_struct, 72| 7.08k| ndpi_search_ptpv2_udp, 73| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 74| 7.08k| 1, NDPI_PROTOCOL_PTPV2); 75| 7.08k|} ptpv2.c:ndpi_search_ptpv2_udp: 44| 3.35k|{ 45| 3.35k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 46| | 47| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search PTPv2\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, 
args...) { (void)mod; /* printf(args); */ } ------------------ 48| | 49| | /* PTPv2 header is 34 bytes long */ 50| 3.35k| if (packet->payload_packet_len > 34) { ------------------ | Branch (50:7): [True: 2.84k, False: 503] ------------------ 51| 2.84k| u_int16_t sport = ntohs(packet->udp->source); 52| 2.84k| u_int16_t dport = ntohs(packet->udp->dest); 53| | 54| 2.84k| if ((sport == PTP_EVENT_MSG_PORT && dport == PTP_EVENT_MSG_PORT) || ------------------ | | 34| 5.69k|#define PTP_EVENT_MSG_PORT 319 ------------------ if ((sport == PTP_EVENT_MSG_PORT && dport == PTP_EVENT_MSG_PORT) || ------------------ | | 34| 0|#define PTP_EVENT_MSG_PORT 319 ------------------ | Branch (54:10): [True: 0, False: 2.84k] | Branch (54:41): [True: 0, False: 0] ------------------ 55| 2.84k| (sport == PTP_GENERAL_MSG_PORT && dport == PTP_GENERAL_MSG_PORT)) ------------------ | | 35| 5.69k|#define PTP_GENERAL_MSG_PORT 320 ------------------ (sport == PTP_GENERAL_MSG_PORT && dport == PTP_GENERAL_MSG_PORT)) ------------------ | | 35| 0|#define PTP_GENERAL_MSG_PORT 320 ------------------ | Branch (55:10): [True: 0, False: 2.84k] | Branch (55:43): [True: 0, False: 0] ------------------ 56| 0| { 57| | /* Check PTP version and message type */ 58| 0| if (((packet->payload[0] & 0xF) < 0xF) && packet->payload[1] == 0x02) { ------------------ | Branch (58:11): [True: 0, False: 0] | Branch (58:49): [True: 0, False: 0] ------------------ 59| 0| NDPI_LOG_INFO(ndpi_struct, "found PTPv2\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 60| 0| ndpi_int_ptpv2_add_connection(ndpi_struct, flow); 61| 0| return; 62| 0| } 63| 0| } 64| 2.84k| } 65| | 66| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 3.35k|} init_qq_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("QQ", ndpi_struct, 64| 7.08k| ndpi_search_qq, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_QQ); 67| 7.08k|} qq.c:ndpi_search_qq: 41| 5.68k|{ 42| 5.68k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| | 44| 5.68k| NDPI_LOG_DBG(ndpi_struct, "search QQ\n"); ------------------ | | 596| 5.68k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| | 46| 5.68k| if ((packet->payload_packet_len == 72 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004800) || ------------------ | Branch (46:8): [True: 2, False: 5.68k] | Branch (46:44): [True: 0, False: 2] ------------------ 47| 5.68k| (packet->payload_packet_len == 64 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004000) || ------------------ | Branch (47:8): [True: 40, False: 5.64k] | Branch (47:44): [True: 0, False: 40] ------------------ 48| 5.68k| (packet->payload_packet_len == 60 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02004200) || ------------------ | Branch (48:8): [True: 20, False: 5.66k] | Branch (48:44): [True: 0, False: 20] ------------------ 49| 5.68k| (packet->payload_packet_len == 84 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02005a00) || ------------------ | Branch (49:8): [True: 6, False: 5.67k] | Branch (49:44): [True: 0, False: 6] ------------------ 50| 5.68k| (packet->payload_packet_len == 56 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x02003800) || ------------------ | Branch (50:8): [True: 129, False: 5.55k] | Branch (50:44): [True: 0, False: 129] ------------------ 51| 5.68k| (packet->payload_packet_len >= 39 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x28000000)) { ------------------ | Branch (51:8): [True: 5.12k, False: 553] | Branch (51:44): [True: 0, False: 5.12k] ------------------ 52| 0| NDPI_LOG_INFO(ndpi_struct, "found QQ\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 53| 0| ndpi_int_qq_add_connection(ndpi_struct, flow); 54| 5.68k| } else { 55| 5.68k| if(flow->num_processed_pkts > 4) ------------------ | Branch (55:12): [True: 26, False: 5.65k] ------------------ 56| 26| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 26|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 5.68k| } 58| 5.68k|} is_quic_ver_greater_than: 133| 1.46k|{ 134| 1.46k| return get_u8_quic_ver(version) >= min_version; 135| 1.46k|} is_version_with_var_int_transport_params: 181| 15|{ 182| 15| return (is_version_quic(version) && is_quic_ver_greater_than(version, 27)) || ------------------ | Branch (182:11): [True: 0, False: 15] | Branch (182:39): [True: 0, False: 0] ------------------ 183| 15| (version == V_T051); ------------------ | | 63| 15|#define V_T051 0x54303531 ------------------ | Branch (183:5): [True: 0, False: 15] ------------------ 184| 15|} is_version_with_ietf_long_header: 186| 1.49k|{ 187| | /* At least draft-ietf-quic-invariants-06, or newer*/ 188| 1.49k| return is_version_quic(version) || ------------------ | Branch (188:10): [True: 1.48k, False: 16] ------------------ 189| 16| ((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ || ------------------ | Branch (189:5): [True: 0, False: 16] ------------------ 190| 16| ((version & 0xFFFFFF00) == 0x54303500) /* T05X */; ------------------ | Branch (190:5): [True: 15, False: 1] ------------------ 191| 1.49k|} ndpi_quic_version2str: 204| 252|char *ndpi_quic_version2str(char *buf, int buf_len, u_int32_t version) { 205| | 206| 252| if(buf == NULL || buf_len <= 1) ------------------ | Branch (206:6): [True: 0, False: 252] | Branch (206:21): [True: 0, False: 252] ------------------ 207| 0| return NULL; 208| | 209| 252| switch(version) { ------------------ | Branch (209:10): [True: 15, False: 237] ------------------ 210| 0| case V_2: 
strncpy(buf, "V-2", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 49| 0|#define V_2 0x6b3343cf ------------------ | Branch (210:3): [True: 0, False: 252] ------------------ 211| 0| case V_1: strncpy(buf, "V-1", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 50| 0|#define V_1 0x00000001 ------------------ | Branch (211:3): [True: 0, False: 252] ------------------ 212| 0| case V_Q024: strncpy(buf, "Q024", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 51| 0|#define V_Q024 0x51303234 ------------------ | Branch (212:3): [True: 0, False: 252] ------------------ 213| 0| case V_Q025: strncpy(buf, "Q025", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 52| 0|#define V_Q025 0x51303235 ------------------ | Branch (213:3): [True: 0, False: 252] ------------------ 214| 0| case V_Q030: strncpy(buf, "Q030", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 53| 0|#define V_Q030 0x51303330 ------------------ | Branch (214:3): [True: 0, False: 252] ------------------ 215| 0| case V_Q033: strncpy(buf, "Q033", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 54| 0|#define V_Q033 0x51303333 ------------------ | Branch (215:3): [True: 0, False: 252] ------------------ 216| 1| case V_Q034: strncpy(buf, "Q034", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 55| 1|#define V_Q034 0x51303334 ------------------ | Branch (216:3): [True: 1, False: 251] ------------------ 217| 0| case V_Q035: strncpy(buf, "Q035", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 56| 0|#define V_Q035 0x51303335 ------------------ | Branch (217:3): [True: 0, False: 252] ------------------ 218| 0| case V_Q037: strncpy(buf, "Q037", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 57| 0|#define V_Q037 0x51303337 ------------------ | Branch (218:3): [True: 0, False: 252] ------------------ 219| 0| case V_Q039: strncpy(buf, 
"Q039", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 58| 0|#define V_Q039 0x51303339 ------------------ | Branch (219:3): [True: 0, False: 252] ------------------ 220| 0| case V_Q043: strncpy(buf, "Q043", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 59| 0|#define V_Q043 0x51303433 ------------------ | Branch (220:3): [True: 0, False: 252] ------------------ 221| 0| case V_Q046: strncpy(buf, "Q046", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 60| 0|#define V_Q046 0x51303436 ------------------ | Branch (221:3): [True: 0, False: 252] ------------------ 222| 0| case V_Q050: strncpy(buf, "Q050", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 61| 0|#define V_Q050 0x51303530 ------------------ | Branch (222:3): [True: 0, False: 252] ------------------ 223| 1| case V_T050: strncpy(buf, "T050", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 62| 1|#define V_T050 0x54303530 ------------------ | Branch (223:3): [True: 1, False: 251] ------------------ 224| 13| case V_T051: strncpy(buf, "T051", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 63| 13|#define V_T051 0x54303531 ------------------ | Branch (224:3): [True: 13, False: 239] ------------------ 225| 0| case V_MVFST_22: strncpy(buf, "MVFST-22", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 64| 0|#define V_MVFST_22 0xfaceb001 ------------------ | Branch (225:3): [True: 0, False: 252] ------------------ 226| 0| case V_MVFST_27: strncpy(buf, "MVFST-27", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 65| 0|#define V_MVFST_27 0xfaceb002 ------------------ | Branch (226:3): [True: 0, False: 252] ------------------ 227| 0| case V_MVFST_EXP: strncpy(buf, "MVFST-EXP", buf_len); buf[buf_len - 1] = '\0'; return buf; ------------------ | | 66| 0|#define V_MVFST_EXP 0xfaceb00e ------------------ | Branch (227:3): [True: 0, False: 252] 
------------------ 228| 252| } 229| | 230| 237| if(is_version_forcing_vn(version)) { ------------------ | Branch (230:6): [True: 205, False: 32] ------------------ 231| 205| strncpy(buf, "Ver-Negotiation", buf_len); 232| 205| buf[buf_len - 1] = '\0'; 233| 205| return buf; 234| 205| } 235| 32| if(((version & 0xFFFFFF00) == 0xFF000000)) { ------------------ | Branch (235:6): [True: 24, False: 8] ------------------ 236| 24| snprintf(buf, buf_len, "Draft-%d", version & 0x000000FF); 237| 24| buf[buf_len - 1] = '\0'; 238| 24| return buf; 239| 24| } 240| | 241| 8| ndpi_snprintf(buf, buf_len, "Unknown (%04X)", version); 242| 8| return buf; 243| 32|} quic_len: 246| 43|{ 247| 43| *value = buf[0]; 248| 43| switch((*value) >> 6) { 249| 27| case 0: ------------------ | Branch (249:3): [True: 27, False: 16] ------------------ 250| 27| (*value) &= 0x3F; 251| 27| return 1; 252| 5| case 1: ------------------ | Branch (252:3): [True: 5, False: 38] ------------------ 253| 5| *value = ntohs(*(uint16_t *)buf) & 0x3FFF; 254| 5| return 2; 255| 9| case 2: ------------------ | Branch (255:3): [True: 9, False: 34] ------------------ 256| 9| *value = ntohl(*(uint32_t *)buf) & 0x3FFFFFFF; 257| 9| return 4; 258| 2| case 3: ------------------ | Branch (258:3): [True: 2, False: 41] ------------------ 259| 2| *value = ndpi_ntohll(get_u_int64_t(buf, 0)) & 0x3FFFFFFFFFFFFFFF; ------------------ | | 148| 2|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 260| 2| return 8; 261| 0| default: /* No Possible */ ------------------ | Branch (261:3): [True: 0, False: 43] ------------------ 262| 0| return 0; 263| 43| } 264| 43|} get_crypto_data: 1192| 1|{ 1193| 1| const u_int8_t *crypto_data = NULL; 1194| 1| uint32_t counter; 1195| 1| uint8_t first_nonzero_payload_byte, offset_len; 1196| 1| uint64_t unused, frag_offset, frag_len; 1197| 1| u_int32_t version = flow->protos.tls_quic.quic_version; 1198| | 1199| 1| counter = 0; 1200| 1| while(counter < clear_payload_len && 
clear_payload[counter] == 0) ------------------ | Branch (1200:9): [True: 1, False: 0] | Branch (1200:40): [True: 0, False: 1] ------------------ 1201| 0| counter += 1; 1202| 1| if(counter >= clear_payload_len) ------------------ | Branch (1202:6): [True: 0, False: 1] ------------------ 1203| 0| return NULL; 1204| 1| first_nonzero_payload_byte = clear_payload[counter]; 1205| 1| NDPI_LOG_DBG2(ndpi_struct, "first_nonzero_payload_byte 0x%x\n", first_nonzero_payload_byte); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1206| 1| if(is_gquic_ver_less_than(version, 46)) { ------------------ | Branch (1206:6): [True: 1, False: 0] ------------------ 1207| 1| if(first_nonzero_payload_byte == 0x40 || ------------------ | Branch (1207:8): [True: 0, False: 1] ------------------ 1208| 1| first_nonzero_payload_byte == 0x60) { ------------------ | Branch (1208:8): [True: 0, False: 1] ------------------ 1209| | /* Probably an ACK/NACK frame: this CHLO is not the first one but try 1210| | decoding it nonetheless */ 1211| 0| counter += (first_nonzero_payload_byte == 0x40) ? 6 : 9; ------------------ | Branch (1211:18): [True: 0, False: 0] ------------------ 1212| 0| if(counter >= clear_payload_len) ------------------ | Branch (1212:10): [True: 0, False: 0] ------------------ 1213| 0| return NULL; 1214| 0| first_nonzero_payload_byte = clear_payload[counter]; 1215| 0| } 1216| 1| if((first_nonzero_payload_byte != 0xA0) && ------------------ | Branch (1216:8): [True: 1, False: 0] ------------------ 1217| 1| (first_nonzero_payload_byte != 0xA4)) { ------------------ | Branch (1217:8): [True: 1, False: 0] ------------------ 1218| 1| NDPI_LOG_DBG(ndpi_struct, "Unexpected frame 0x%x version 0x%x\n",\ ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1219| 1| first_nonzero_payload_byte, version); 1220| 1| return NULL; 1221| 1| } 1222| 0| offset_len = (first_nonzero_payload_byte & 0x1C) >> 2; 1223| 0| if(offset_len > 0) ------------------ | Branch (1223:8): [True: 0, False: 0] ------------------ 1224| 0| offset_len += 1; 1225| 0| if(counter + 2 + offset_len + 2 /*gquic_get_u16 reads 2 bytes */ > clear_payload_len) ------------------ | Branch (1225:8): [True: 0, False: 0] ------------------ 1226| 0| return NULL; 1227| 0| if(clear_payload[counter + 1] != 0x01) { ------------------ | Branch (1227:8): [True: 0, False: 0] ------------------ 1228| 0| NDPI_LOG_DBG(ndpi_struct, "Unexpected stream ID version 0x%x\n", version); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1229| 0| return NULL; 1230| 0| } 1231| 0| counter += 2 + offset_len; 1232| 0| *crypto_data_len = gquic_get_u16(&clear_payload[counter], version); 1233| 0| counter += 2; 1234| 0| if(*crypto_data_len + counter > clear_payload_len) { ------------------ | Branch (1234:8): [True: 0, False: 0] ------------------ 1235| 0| NDPI_LOG_DBG(ndpi_struct, "Invalid length %lu + %d > %d version 0x%x\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1236| 0| (unsigned long)*crypto_data_len, counter, clear_payload_len, version); 1237| 0| return NULL; 1238| 0| } 1239| 0| crypto_data = &clear_payload[counter]; 1240| | 1241| 0| } else if(version == V_Q050 || version == V_T050 || version == V_T051) { ------------------ | | 61| 0|#define V_Q050 0x51303530 ------------------ } else if(version == V_Q050 || version == V_T050 || version == V_T051) { ------------------ | | 62| 0|#define V_T050 0x54303530 ------------------ } else if(version == V_Q050 || version == V_T050 || version == V_T051) { ------------------ | | 63| 0|#define V_T051 0x54303531 ------------------ | Branch (1241:13): [True: 0, False: 0] | Branch (1241:34): [True: 0, False: 0] | Branch (1241:55): [True: 0, False: 0] ------------------ 1242| 0| if(first_nonzero_payload_byte == 0x40 || ------------------ | Branch (1242:8): [True: 0, False: 0] ------------------ 1243| 0| first_nonzero_payload_byte == 0x60) { ------------------ | Branch (1243:8): [True: 0, False: 0] ------------------ 1244| | /* Probably an ACK/NACK frame: this CHLO is not the first one but try 1245| | decoding it nonetheless */ 1246| 0| counter += (first_nonzero_payload_byte == 0x40) ? 6 : 9; ------------------ | Branch (1246:18): [True: 0, False: 0] ------------------ 1247| 0| if(counter >= clear_payload_len) ------------------ | Branch (1247:10): [True: 0, False: 0] ------------------ 1248| 0| return NULL; 1249| 0| first_nonzero_payload_byte = clear_payload[counter]; 1250| 0| } 1251| 0| if(first_nonzero_payload_byte != 0x08) { ------------------ | Branch (1251:8): [True: 0, False: 0] ------------------ 1252| 0| NDPI_LOG_DBG(ndpi_struct, "Unexpected frame 0x%x\n", first_nonzero_payload_byte); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1253| 0| return NULL; 1254| 0| } 1255| 0| counter += 1; 1256| 0| if(counter + 8 + 8 >= clear_payload_len) /* quic_len reads 8 bytes, at most */ ------------------ | Branch (1256:8): [True: 0, False: 0] ------------------ 1257| 0| return NULL; 1258| 0| counter += quic_len(&clear_payload[counter], &unused); 1259| 0| counter += quic_len(&clear_payload[counter], crypto_data_len); 1260| 0| if(*crypto_data_len + counter > clear_payload_len) { ------------------ | Branch (1260:8): [True: 0, False: 0] ------------------ 1261| 0| NDPI_LOG_DBG(ndpi_struct, "Invalid length %lu + %d > %d version 0x%x\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1262| 0| (unsigned long)*crypto_data_len, counter, clear_payload_len, version); 1263| 0| return NULL; 1264| 0| } 1265| 0| crypto_data = &clear_payload[counter]; 1266| | 1267| 0| } else { /* All other versions */ 1268| 0| while(counter < clear_payload_len) { ------------------ | Branch (1268:11): [True: 0, False: 0] ------------------ 1269| 0| uint8_t frame_type = clear_payload[counter]; 1270| 0| switch(frame_type) { 1271| 0| case 0x00: ------------------ | Branch (1271:7): [True: 0, False: 0] ------------------ 1272| 0| NDPI_LOG_DBG2(ndpi_struct, "PADDING frame\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1273| 0| while(counter < clear_payload_len && ------------------ | Branch (1273:15): [True: 0, False: 0] ------------------ 1274| 0| clear_payload[counter] == 0) ------------------ | Branch (1274:15): [True: 0, False: 0] ------------------ 1275| 0| counter += 1; 1276| 0| break; 1277| 0| case 0x01: ------------------ | Branch (1277:7): [True: 0, False: 0] ------------------ 1278| 0| NDPI_LOG_DBG2(ndpi_struct, "PING frame\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1279| 0| counter += 1; 1280| 0| break; 1281| 0| case 0x06: ------------------ | Branch (1281:7): [True: 0, False: 0] ------------------ 1282| 0| NDPI_LOG_DBG2(ndpi_struct, "CRYPTO frame\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1283| 0| counter += 1; 1284| 0| if(counter >= clear_payload_len || ------------------ | Branch (1284:12): [True: 0, False: 0] ------------------ 1285| 0| counter + quic_len_buffer_still_required(clear_payload[counter]) >= clear_payload_len) ------------------ | Branch (1285:12): [True: 0, False: 0] ------------------ 1286| 0| return NULL; 1287| 0| counter += quic_len(&clear_payload[counter], &frag_offset); 1288| 0| if(counter >= clear_payload_len || ------------------ | Branch (1288:12): [True: 0, False: 0] ------------------ 1289| 0| counter + quic_len_buffer_still_required(clear_payload[counter]) >= clear_payload_len) ------------------ | Branch (1289:12): [True: 0, False: 0] ------------------ 1290| 0| return NULL; 1291| 0| counter += quic_len(&clear_payload[counter], &frag_len); 1292| 0| if(frag_len + counter > clear_payload_len) { ------------------ | Branch (1292:12): [True: 0, False: 0] ------------------ 1293| 0| NDPI_LOG_DBG(ndpi_struct, "Invalid crypto frag length %lu + %d > %d version 0x%x\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1294| 0| (unsigned long)frag_len, counter, clear_payload_len, version); 1295| 0| return NULL; 1296| 0| } 1297| 0| crypto_data = get_reassembled_crypto_data(ndpi_struct, flow, 1298| 0| &clear_payload[counter], 1299| 0| frag_offset, frag_len, 1300| 0| crypto_data_len); 1301| 0| if(crypto_data) { ------------------ | Branch (1301:12): [True: 0, False: 0] ------------------ 1302| 0| return crypto_data; 1303| 0| } 1304| 0| NDPI_LOG_DBG(ndpi_struct, "Crypto reassembler pending\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1305| 0| counter += frag_len; 1306| 0| break; 1307| 0| case 0x1C: /* CC */ ------------------ | Branch (1307:7): [True: 0, False: 0] ------------------ 1308| 0| case 0x02: /* ACK */ ------------------ | Branch (1308:7): [True: 0, False: 0] ------------------ 1309| 0| NDPI_LOG_DBG2(ndpi_struct, "Unexpected CC/ACK frame\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1310| 0| return NULL; 1311| 0| default: ------------------ | Branch (1311:7): [True: 0, False: 0] ------------------ 1312| 0| NDPI_LOG_DBG(ndpi_struct, "Unexpected frame 0x%x\n", frame_type); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1313| 0| return NULL; 1314| 0| } 1315| 0| } 1316| 0| if(counter > clear_payload_len) { ------------------ | Branch (1316:8): [True: 0, False: 0] ------------------ 1317| 0| NDPI_LOG_DBG(ndpi_struct, "Error parsing frames %d %d\n", counter, clear_payload_len); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1318| 0| return NULL; 1319| 0| } 1320| 0| } 1321| 0| return crypto_data; 1322| 1|} init_quic_dissector: 2071| 7.08k|{ 2072| 7.08k| ndpi_register_dissector("QUIC", ndpi_struct, 2073| 7.08k| ndpi_search_quic, 2074| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 2075| 7.08k| 1, NDPI_PROTOCOL_QUIC); 2076| 7.08k|} quic.c:get_u8_quic_ver: 95| 1.59k|{ 96| | /* IETF Draft versions */ 97| 1.59k| if((version >> 8) == 0xff0000) ------------------ | Branch (97:6): [True: 153, False: 1.43k] ------------------ 98| 153| return (uint8_t)version; 99| | /* QUIC (final?) 
constants for v1 are defined in draft-33, but latest 100| | draft version is -34 */ 101| 1.43k| if (version == 0x00000001) { ------------------ | Branch (101:7): [True: 0, False: 1.43k] ------------------ 102| 0| return 34; 103| 0| } 104| | 105| 1.43k| if (version == V_MVFST_22) ------------------ | | 64| 1.43k|#define V_MVFST_22 0xfaceb001 ------------------ | Branch (105:7): [True: 0, False: 1.43k] ------------------ 106| 0| return 22; 107| 1.43k| if (version == V_MVFST_27 || version == V_MVFST_EXP) ------------------ | | 65| 2.87k|#define V_MVFST_27 0xfaceb002 ------------------ if (version == V_MVFST_27 || version == V_MVFST_EXP) ------------------ | | 66| 1.43k|#define V_MVFST_EXP 0xfaceb00e ------------------ | Branch (107:7): [True: 0, False: 1.43k] | Branch (107:32): [True: 0, False: 1.43k] ------------------ 108| 0| return 27; 109| | 110| | /* "Versions that follow the pattern 0x?a?a?a?a are reserved for use in 111| | forcing version negotiation to be exercised". 112| | We can't return a correct draft version because we don't have a real 113| | version here! That means that we can't decode any data and we can dissect 114| | only the cleartext header. 
115| | Let's return v1 (any other numbers should be fine, anyway) to only allow 116| | the dissection of the (expected) long header */ 117| 1.43k| if(is_version_forcing_vn(version)) ------------------ | Branch (117:6): [True: 1.43k, False: 1] ------------------ 118| 1.43k| return 34; 119| | 120| | /* QUIC Version 2 */ 121| 1| if (version == V_2) ------------------ | | 49| 1|#define V_2 0x6b3343cf ------------------ | Branch (121:7): [True: 0, False: 1] ------------------ 122| 0| return 100; 123| | 124| 1| return 0; 125| 1|} quic.c:is_version_quic: 83| 8.05k|{ 84| 8.05k| return version == V_1 || ------------------ | | 50| 16.1k|#define V_1 0x00000001 ------------------ | Branch (84:10): [True: 7, False: 8.04k] ------------------ 85| 8.04k| ((version & 0xFFFFFF00) == 0xFF000000) /* IETF Drafts*/ || ------------------ | Branch (85:5): [True: 110, False: 7.93k] ------------------ 86| 7.93k| ((version & 0xFFFFF000) == 0xfaceb000) /* Facebook */ || ------------------ | Branch (86:5): [True: 0, False: 7.93k] ------------------ 87| 7.93k| is_version_forcing_vn(version) || ------------------ | Branch (87:5): [True: 4.48k, False: 3.44k] ------------------ 88| 3.44k| (version == V_2); ------------------ | | 49| 3.44k|#define V_2 0x6b3343cf ------------------ | Branch (88:5): [True: 0, False: 3.44k] ------------------ 89| 8.05k|} quic.c:is_version_forcing_vn: 71| 12.5k|{ 72| 12.5k| return (version & 0x0F0F0F0F) == 0x0a0a0a0a; /* Forcing Version Negotiation */ 73| 12.5k|} quic.c:is_gquic_ver_less_than: 145| 1.57k|{ 146| 1.57k| uint8_t u8_ver = get_u8_gquic_ver(version); 147| 1.57k| return u8_ver && u8_ver <= max_version; ------------------ | Branch (147:10): [True: 34, False: 1.53k] | Branch (147:20): [True: 4, False: 30] ------------------ 148| 1.57k|} quic.c:get_u8_gquic_ver: 137| 1.57k|{ 138| 1.57k| if(is_version_gquic(version)) { ------------------ | Branch (138:6): [True: 34, False: 1.53k] ------------------ 139| 34| version = ntohl(((uint16_t)version) << 16); 140| 34| 
return atoi((char *)&version); 141| 34| } 142| 1.53k| return 0; 143| 1.57k|} quic.c:is_version_gquic: 75| 3.26k|{ 76| 3.26k| return ((version & 0xFFFFFF00) == 0x54303500) /* T05X */ || ------------------ | Branch (76:10): [True: 46, False: 3.21k] ------------------ 77| 3.21k| ((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ || ------------------ | Branch (77:5): [True: 0, False: 3.21k] ------------------ 78| 3.21k| ((version & 0xFFFFFF00) == 0x51303400) /* Q04X */ || ------------------ | Branch (78:5): [True: 0, False: 3.21k] ------------------ 79| 3.21k| ((version & 0xFFFFFF00) == 0x51303300) /* Q03X */ || ------------------ | Branch (79:5): [True: 5, False: 3.21k] ------------------ 80| 3.21k| ((version & 0xFFFFFF00) == 0x51303200) /* Q02X */; ------------------ | Branch (80:5): [True: 0, False: 3.21k] ------------------ 81| 3.26k|} quic.c:ndpi_search_quic: 1916| 4.93k|{ 1917| 4.93k| u_int32_t version; 1918| 4.93k| u_int8_t *clear_payload; 1919| 4.93k| uint32_t clear_payload_len = 0; 1920| 4.93k| const u_int8_t *crypto_data; 1921| 4.93k| uint64_t crypto_data_len; 1922| 4.93k| int is_initial_quic, ret; 1923| | 1924| 4.93k| NDPI_LOG_DBG2(ndpi_struct, "search QUIC\n"); ------------------ | | 597| 4.93k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1925| | 1926| | /* Buffers: packet->payload ---> clear_payload ---> crypto_data */ 1927| | 1928| | /* 1929| | * 1) (Very) basic heuristic to check if it is a QUIC packet. 1930| | * The first packet of each QUIC session should contain a valid 1931| | * CHLO/ClientHello message and we need (only) it to sub-classify 1932| | * the flow. 1933| | * Detecting QUIC sessions where the first captured packet is not a 1934| | * CHLO/CH is VERY hard. 
Let try only some easy cases: 1935| | * * out-of-order 0-RTT, i.e 0-RTT packets received before the Initial; 1936| | * in that case, keep looking for the Initial 1937| | * * if we have only SH pkts, focus on standard case where server 1938| | * port is 443 and default length of Server CID is >=8 (as it happens 1939| | * with most common broswer and apps). Look for 3 consecutive SH 1940| | * pkts send by the client and check their CIDs (note that 1941| | * some QUIC implementations have Client CID length set to 0, so 1942| | * checking pkts sent by server is useless). Since we don't know the 1943| | * real CID length, use the min value 8, i.e. QUIC_SERVER_CID_HEURISTIC_LENGTH 1944| | * * with only GQUIC packets from server (usefull with unidirectional 1945| | * captures) look for Rejection packet 1946| | * Avoid the generic cases and let's see if anyone complains... 1947| | */ 1948| | 1949| 4.93k| is_initial_quic = may_be_initial_pkt(ndpi_struct, &version); 1950| 4.93k| if(!is_initial_quic) { ------------------ | Branch (1950:6): [True: 3.46k, False: 1.47k] ------------------ 1951| 3.46k| if(!is_ch_reassembler_pending(flow)) { /* Better safe than sorry */ ------------------ | Branch (1951:8): [True: 3.46k, False: 0] ------------------ 1952| 3.46k| ret = may_be_0rtt(ndpi_struct, &version); 1953| 3.46k| if(ret == 1) { ------------------ | Branch (1953:10): [True: 9, False: 3.45k] ------------------ 1954| 9| NDPI_LOG_DBG(ndpi_struct, "Found 0-RTT, keep looking for Initial\n"); ------------------ | | 596| 9|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1955| 9| flow->l4.udp.quic_0rtt_found = 1; 1956| 9| if(flow->packet_counter >= 3) { ------------------ | Branch (1956:12): [True: 0, False: 9] ------------------ 1957| | /* We haven't still found an Initial.. give up */ 1958| 0| NDPI_LOG_INFO(ndpi_struct, "QUIC 0RTT\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1959| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 1960| 0| flow->protos.tls_quic.quic_version = version; 1961| 0| } 1962| 9| return; 1963| 3.45k| } else if(flow->l4.udp.quic_0rtt_found == 1) { ------------------ | Branch (1963:17): [True: 7, False: 3.44k] ------------------ 1964| | /* Unknown packet (probably an Handshake one) after a 0-RTT */ 1965| 7| NDPI_LOG_INFO(ndpi_struct, "QUIC 0RTT (without Initial)\n"); ------------------ | | 595| 7|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1966| 7| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 1967| 7| flow->protos.tls_quic.quic_version = 0; /* unknown */ 1968| 7| return; 1969| 7| } 1970| 3.44k| ret = may_be_sh(ndpi_struct, flow); 1971| 3.44k| if(ret == 1) { ------------------ | Branch (1971:10): [True: 0, False: 3.44k] ------------------ 1972| 0| NDPI_LOG_INFO(ndpi_struct, "SH Quic\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1973| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 1974| 0| flow->protos.tls_quic.quic_version = 0; /* unknown */ 1975| 0| return; 1976| 0| } 1977| 3.44k| if(ret == -1) { ------------------ | Branch (1977:10): [True: 113, False: 3.33k] ------------------ 1978| 113| NDPI_LOG_DBG2(ndpi_struct, "Keep looking for SH by client\n"); ------------------ | | 597| 113|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1979| 113| if(flow->packet_counter > 10 /* TODO */) ------------------ | Branch (1979:12): [True: 0, False: 113] ------------------ 1980| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 1981| 113| return; 1982| 113| } 1983| 3.33k| ret = may_be_gquic_rej(ndpi_struct); 1984| 3.33k| if(ret == 1) { ------------------ | Branch (1984:10): [True: 0, False: 3.33k] ------------------ 1985| 0| NDPI_LOG_INFO(ndpi_struct, "GQUIC REJ\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1986| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 1987| 0| flow->protos.tls_quic.quic_version = 0; /* unknown */ 1988| 0| return; 1989| 0| } 1990| 3.33k| } 1991| 3.33k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.33k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 1992| 3.33k| return; 1993| 3.46k| } 1994| | 1995| | /* 1996| | * 2) Ok, this packet seems to be QUIC 1997| | */ 1998| | 1999| 1.47k| NDPI_LOG_INFO(ndpi_struct, "found QUIC\n"); ------------------ | | 595| 1.47k|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 2000| 1.47k| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 2001| 1.47k| flow->protos.tls_quic.quic_version = version; 2002| | 2003| | /* 2004| | * 3) Skip not supported versions 2005| | */ 2006| | 2007| 1.47k| if(!is_version_supported(version)) { ------------------ | Branch (2007:6): [True: 2, False: 1.47k] ------------------ 2008| 2| NDPI_LOG_DBG(ndpi_struct, "Unsupported version 0x%x\n", version); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 2009| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 2010| 2| return; 2011| 2| } 2012| | 2013| | /* 2014| | * 3a) Forcing VN. There is no payload to analyze yet. 2015| | * Expecteed flow: 2016| | * *) C->S: Forcing VN 2017| | * *) S->C: VN 2018| | * *) C->S: "Standard" Initial with crypto data 2019| | */ 2020| 1.47k| if(is_version_forcing_vn(version)) { ------------------ | Branch (2020:6): [True: 1.43k, False: 38] ------------------ 2021| 1.43k| NDPI_LOG_DBG(ndpi_struct, "Forcing VN\n"); ------------------ | | 596| 1.43k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 2022| 1.43k| flow->max_extra_packets_to_check = 4; /* TODO */ 2023| 1.43k| flow->extra_packets_func = ndpi_search_quic_extra_vn; 2024| 1.43k| return; 2025| 1.43k| } 2026| | 2027| | /* 2028| | * 4) Extract the Payload from Initial Packets 2029| | */ 2030| 38| clear_payload = get_clear_payload(ndpi_struct, flow, version, &clear_payload_len); 2031| 38| if(!clear_payload) { ------------------ | Branch (2031:6): [True: 37, False: 1] ------------------ 2032| 37| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 37|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 2033| 37| return; 2034| 37| } 2035| | 2036| | /* 2037| | * 5) Extract Crypto Data from the Payload 2038| | */ 2039| 1| crypto_data = get_crypto_data(ndpi_struct, flow, 2040| 1| clear_payload, clear_payload_len, 2041| 1| &crypto_data_len); 2042| | 2043| | /* 2044| | * 6) Process ClientHello/CHLO from the Crypto Data (if any) 2045| | */ 2046| 1| if(crypto_data) { ------------------ | Branch (2046:6): [True: 0, False: 1] ------------------ 2047| 0| if(!is_version_with_tls(version)) { ------------------ | Branch (2047:8): [True: 0, False: 0] ------------------ 2048| 0| process_chlo(ndpi_struct, flow, crypto_data, crypto_data_len); 2049| 0| } else { 2050| 0| process_tls(ndpi_struct, flow, crypto_data, crypto_data_len); 2051| 0| } 2052| 0| } 2053| 1| if(is_version_with_encrypted_header(version)) { ------------------ | Branch (2053:6): [True: 0, False: 1] ------------------ 2054| 0| ndpi_free(clear_payload); 2055| 0| } 2056| | 2057| | /* 2058| | * 7) We need to process other packets than (the first) ClientHello/CHLO? 
2059| | */ 2060| 1| if(eval_extra_processing(ndpi_struct, flow)) { ------------------ | Branch (2060:6): [True: 0, False: 1] ------------------ 2061| 0| flow->max_extra_packets_to_check = 24; /* TODO */ 2062| 0| flow->extra_packets_func = ndpi_search_quic_extra; 2063| 1| } else if(!crypto_data) { ------------------ | Branch (2063:13): [True: 1, False: 0] ------------------ 2064| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 2065| 1| } 2066| 1|} quic.c:may_be_initial_pkt: 1643| 4.93k|{ 1644| 4.93k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1645| 4.93k| u_int8_t first_byte; 1646| 4.93k| u_int8_t pub_bit1, pub_bit2, pub_bit3, pub_bit4, pub_bit5, pub_bit7, pub_bit8; 1647| 4.93k| u_int8_t dest_conn_id_len, source_conn_id_len; 1648| | 1649| | /* According to draft-ietf-quic-transport-29: "Clients MUST ensure that UDP 1650| | datagrams containing Initial packets have UDP payloads of at least 1200 1651| | bytes". 
Similar limit exists for previous versions */ 1652| 4.93k| if(packet->payload_packet_len < 1200) { ------------------ | Branch (1652:6): [True: 3.24k, False: 1.69k] ------------------ 1653| 3.24k| return 0; 1654| 3.24k| } 1655| | 1656| 1.69k| first_byte = packet->payload[0]; /* payload_packet_len is at least 1200 past the check above, so this read and the 4-byte reads at payload[1] and payload[9] below stay inside the payload */ 1657| 1.69k| pub_bit1 = ((first_byte & 0x80) != 0); 1658| 1.69k| pub_bit2 = ((first_byte & 0x40) != 0); 1659| 1.69k| pub_bit3 = ((first_byte & 0x20) != 0); 1660| 1.69k| pub_bit4 = ((first_byte & 0x10) != 0); 1661| 1.69k| pub_bit5 = ((first_byte & 0x08) != 0); 1662| 1.69k| pub_bit7 = ((first_byte & 0x02) != 0); 1663| 1.69k| pub_bit8 = ((first_byte & 0x01) != 0); 1664| | 1665| 1.69k| *version = 0; 1666| 1.69k| if(pub_bit1) { ------------------ | Branch (1666:6): [True: 1.57k, False: 120] ------------------ 1667| 1.57k| *version = ntohl(*((u_int32_t *)&packet->payload[1])); /* NOTE(review): dereferences a u_int32_t pointer at an odd offset into payload (same at payload[9] below); the buffer's alignment is not visible here, and copying the 4 bytes with memcpy would not depend on it */ 1668| 1.57k| } else if(pub_bit5 && !pub_bit2) { ------------------ | Branch (1668:13): [True: 47, False: 73] | Branch (1668:25): [True: 26, False: 21] ------------------ 1669| 26| if(!pub_bit8) { ------------------ | Branch (1669:8): [True: 5, False: 21] ------------------ 1670| 5| NDPI_LOG_DBG2(ndpi_struct, "Packet without version\n") ------------------ | | 597| 5|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1671| 21| } else { 1672| 21| *version = ntohl(*((u_int32_t *)&packet->payload[9])); 1673| 21| } 1674| 26| } 1675| 1.69k| if(!is_version_valid(*version)) { ------------------ | Branch (1675:6): [True: 160, False: 1.53k] ------------------ 1676| 160| NDPI_LOG_DBG2(ndpi_struct, "Invalid version 0x%x\n", *version); ------------------ | | 597| 160|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 1677| 160| return 0; 1678| 160| } 1679| | 1680| 1.53k| if(is_gquic_ver_less_than(*version, 43) && ------------------ | Branch (1680:6): [True: 2, False: 1.53k] ------------------ 1681| 2| (!pub_bit5 || pub_bit3 != 0 || pub_bit4 != 0)) { ------------------ | Branch (1681:7): [True: 0, False: 2] | Branch (1681:20): [True: 0, False: 2] | Branch (1681:37): [True: 1, False: 1] ------------------ 1682| 1| NDPI_LOG_DBG(ndpi_struct, "Version 0x%x invalid flags 0x%x\n", *version, first_byte); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1683| 1| return 0; 1684| 1| } 1685| 1.53k| if((*version == V_Q046) && ------------------ | | 60| 1.53k|#define V_Q046 0x51303436 ------------------ | Branch (1685:6): [True: 0, False: 1.53k] ------------------ 1686| 0| (pub_bit7 != 1 || pub_bit8 != 1)) { ------------------ | Branch (1686:7): [True: 0, False: 0] | Branch (1686:24): [True: 0, False: 0] ------------------ 1687| 0| NDPI_LOG_DBG(ndpi_struct, "Q46 invalid flag 0x%x\n", first_byte); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1688| 0| return 0; 1689| 0| } 1690| 1.53k| if(((is_version_quic(*version) && !is_version_quic_v2(*version)) || ------------------ | Branch (1690:8): [True: 1.51k, False: 16] | Branch (1690:37): [True: 1.51k, False: 0] ------------------ 1691| 16| (*version == V_Q046) || (*version == V_Q050)) && ------------------ | | 60| 16|#define V_Q046 0x51303436 ------------------ (*version == V_Q046) || (*version == V_Q050)) && ------------------ | | 61| 16|#define V_Q050 0x51303530 ------------------ | Branch (1691:7): [True: 0, False: 16] | Branch (1691:31): [True: 0, False: 16] ------------------ 1692| 1.51k| (pub_bit3 != 0 || pub_bit4 != 0)) { ------------------ | Branch (1692:7): [True: 9, False: 1.50k] | Branch (1692:24): [True: 10, False: 1.49k] ------------------ 1693| 19| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not Initial Packet\n", *version); ------------------ | | 597| 19|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1694| 19| return 0; 1695| 19| } 1696| 1.51k| if(is_version_quic_v2(*version) && ------------------ | Branch (1696:6): [True: 0, False: 1.51k] ------------------ 1697| 0| (pub_bit3 != 0 || pub_bit4 != 1)) { ------------------ | Branch (1697:7): [True: 0, False: 0] | Branch (1697:24): [True: 0, False: 0] ------------------ 1698| 0| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not Initial Packet\n", *version); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1699| 0| return 0; 1700| 0| } 1701| | 1702| | /* Forcing Version Negotiation packets are QUIC Initial Packets (i.e. 1703| | Long Header). It should also be quite rare that a client sends this kind 1704| | of traffic with the QUIC bit greased i.e. having a server token.
1705| | According to https://tools.ietf.org/html/draft-thomson-quic-bit-grease-00#section-3.1 1706| | "A client MAY also clear the QUIC Bit in Initial packets that are sent 1707| | to establish a new connection. A client can only clear the QUIC Bit 1708| | if the packet includes a token provided by the server in a NEW_TOKEN 1709| | frame on a connection where the server also included the 1710| | grease_quic_bit transport parameter." */ 1711| 1.51k| if(is_version_forcing_vn(*version) && ------------------ | Branch (1711:6): [True: 1.47k, False: 42] ------------------ 1712| 1.47k| !(pub_bit1 == 1 && pub_bit2 == 1)) { ------------------ | Branch (1712:8): [True: 1.47k, False: 0] | Branch (1712:25): [True: 1.45k, False: 14] ------------------ 1713| 14| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x with first byte 0x%x\n", *version, first_byte); ------------------ | | 597| 14|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1714| 14| return 0; 1715| 14| } 1716| | 1717| | /* Check that CIDs lengths are valid: QUIC limits the CID length to 20. The source CID length byte is read before the dest_conn_id_len limit is tested; dest_conn_id_len is a u_int8_t, so that read is at index 5 + 1 + 255 = 261 at most, inside the 1200 bytes required at the top of this function */ 1718| 1.49k| if(is_version_with_ietf_long_header(*version)) { ------------------ | Branch (1718:6): [True: 1.49k, False: 1] ------------------ 1719| 1.49k| dest_conn_id_len = packet->payload[5]; 1720| 1.49k| source_conn_id_len = packet->payload[5 + 1 + dest_conn_id_len]; 1721| 1.49k| if (dest_conn_id_len > QUIC_MAX_CID_LENGTH || ------------------ | | 68| 2.99k|#define QUIC_MAX_CID_LENGTH 20 ------------------ | Branch (1721:9): [True: 4, False: 1.49k] ------------------ 1722| 1.49k| source_conn_id_len > QUIC_MAX_CID_LENGTH) { ------------------ | | 68| 1.49k|#define QUIC_MAX_CID_LENGTH 20 ------------------ | Branch (1722:9): [True: 18, False: 1.47k] ------------------ 1723| 22| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x invalid CIDs length %u %u", ------------------ | | 597| 22|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 1724| 22| *version, dest_conn_id_len, source_conn_id_len); 1725| 22| return 0; 1726| 22| } 1727| 1.49k| } 1728| | 1729| | /* TODO: add some other checks to avoid false positives */ 1730| | 1731| 1.47k| return 1; 1732| 1.49k|} quic.c:is_version_valid: 91| 1.69k|{ 92| 1.69k| return is_version_gquic(version) || is_version_quic(version); ------------------ | Branch (92:10): [True: 17, False: 1.67k] | Branch (92:39): [True: 1.51k, False: 160] ------------------ 93| 1.69k|} quic.c:is_version_quic_v2: 200| 3.08k|{ 201| 3.08k| return version == V_2; ------------------ | | 49| 3.08k|#define V_2 0x6b3343cf ------------------ 202| 3.08k|} quic.c:is_ch_reassembler_pending: 1149| 3.46k|{ 1150| 3.46k| return flow->l4.udp.quic_reasm_buf != NULL && ------------------ | Branch (1150:10): [True: 0, False: 3.46k] ------------------ 1151| 0| !(is_reasm_buf_complete(flow->l4.udp.quic_reasm_buf_bitmap, flow->l4.udp.quic_reasm_buf_last_pos) ------------------ | Branch (1151:7): [True: 0, False: 0] ------------------ 1152| 0| && is_ch_complete(flow->l4.udp.quic_reasm_buf, flow->l4.udp.quic_reasm_buf_last_pos)); ------------------ | Branch (1152:10): [True: 0, False: 0] ------------------ 1153| 3.46k|} quic.c:may_be_0rtt: 1582| 3.46k|{ 1583| 3.46k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1584| 3.46k| u_int8_t first_byte; 1585| 3.46k| u_int8_t pub_bit1, pub_bit2, pub_bit3, pub_bit4; 1586| 3.46k| u_int8_t dest_conn_id_len, source_conn_id_len; 1587| | 1588| | /* First byte + version + dest_conn_id_len */ 1589| 3.46k| if(packet->payload_packet_len < 5 + 1) { ------------------ | Branch (1589:6): [True: 128, False: 3.33k] ------------------ 1590| 128| NDPI_LOG_DBG2(ndpi_struct, "Pkt too short\n"); ------------------ | | 597| 128|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1591| 128| return 0; 1592| 128| } 1593| | 1594| 3.33k| first_byte = packet->payload[0]; 1595| 3.33k| pub_bit1 = ((first_byte & 0x80) != 0); 1596| 3.33k| pub_bit2 = ((first_byte & 0x40) != 0); 1597| 3.33k| pub_bit3 = ((first_byte & 0x20) != 0); 1598| 3.33k| pub_bit4 = ((first_byte & 0x10) != 0); 1599| | 1600| 3.33k| *version = ntohl(*((u_int32_t *)&packet->payload[1])); 1601| | 1602| | /* IETF versions, Long header, fixed bit (ignore QUIC-bit-greased case), 0RTT */ 1603| | 1604| 3.33k| if(!(is_version_quic(*version) && ------------------ | Branch (1604:8): [True: 94, False: 3.24k] ------------------ 1605| 3.28k| pub_bit1 && pub_bit2)) { ------------------ | Branch (1605:8): [True: 66, False: 28] | Branch (1605:20): [True: 49, False: 17] ------------------ 1606| 3.28k| NDPI_LOG_DBG2(ndpi_struct, "Invalid header or version\n"); ------------------ | | 597| 3.28k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1607| 3.28k| return 0; 1608| 3.28k| } 1609| 49| if(!is_version_quic_v2(*version) && ------------------ | Branch (1609:6): [True: 49, False: 0] ------------------ 1610| 49| (pub_bit3 != 0 || pub_bit4 != 1)) { ------------------ | Branch (1610:7): [True: 11, False: 38] | Branch (1610:24): [True: 27, False: 11] ------------------ 1611| 38| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not 0-RTT Packet\n", *version); ------------------ | | 597| 38|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1612| 38| return 0; 1613| 38| } 1614| 11| if(is_version_quic_v2(*version) && ------------------ | Branch (1614:6): [True: 0, False: 11] ------------------ 1615| 0| (pub_bit3 != 1 || pub_bit4 != 0)) { ------------------ | Branch (1615:7): [True: 0, False: 0] | Branch (1615:24): [True: 0, False: 0] ------------------ 1616| 0| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x not 0-RTT Packet\n", *version); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1617| 0| return 0; 1618| 0| } 1619| | 1620| | /* Check that CIDs lengths are valid */ 1621| 11| dest_conn_id_len = packet->payload[5]; 1622| 11| if(packet->payload_packet_len <= 5 + 1 + dest_conn_id_len) { ------------------ | Branch (1622:6): [True: 1, False: 10] ------------------ 1623| 1| NDPI_LOG_DBG2(ndpi_struct, "Dcid too short\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1624| 1| return 0; 1625| 1| } 1626| 10| source_conn_id_len = packet->payload[5 + 1 + dest_conn_id_len]; 1627| 10| if(packet->payload_packet_len <= 5 + 1 + dest_conn_id_len + 1 + source_conn_id_len) { ------------------ | Branch (1627:6): [True: 0, False: 10] ------------------ 1628| 0| NDPI_LOG_DBG2(ndpi_struct, "Scid too short\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1629| 0| return 0; 1630| 0| } 1631| 10| if(dest_conn_id_len > QUIC_MAX_CID_LENGTH || ------------------ | | 68| 20|#define QUIC_MAX_CID_LENGTH 20 ------------------ | Branch (1631:6): [True: 1, False: 9] ------------------ 1632| 9| source_conn_id_len > QUIC_MAX_CID_LENGTH) { ------------------ | | 68| 9|#define QUIC_MAX_CID_LENGTH 20 ------------------ | Branch (1632:6): [True: 0, False: 9] ------------------ 1633| 1| NDPI_LOG_DBG2(ndpi_struct, "Version 0x%x invalid CIDs length %u %u\n", ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1634| 1| *version, dest_conn_id_len, source_conn_id_len); 1635| 1| return 0; 1636| 1| } 1637| | 1638| 9| return 1; 1639| 10|} quic.c:may_be_sh: 1534| 3.44k|{ 1535| 3.44k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1536| 3.44k| u_int8_t last_byte; 1537| | 1538| 3.44k| if((packet->payload[0] & 0x40) == 0) /* NOTE(review): payload[0] is read before any length check in this function; presumably the caller only gets here with a non-empty payload, confirm */ ------------------ | Branch (1538:6): [True: 2.24k, False: 1.20k] ------------------ 1539| 2.24k| return 0; 1540| 1.20k| if(packet->udp->dest != ntohs(443)) { ------------------ | Branch (1540:6): [True: 1.13k, False: 70] ------------------ 1541| 1.13k| if(packet->udp->source == ntohs(443)) { ------------------ | Branch (1541:8): [True: 51, False: 1.08k] ------------------ 1542| 51| return -1; /* Keep looking for packets sent by the client */ 1543| 51| } 1544| 1.08k| return 0; 1545| 1.13k| } 1546| | 1547| | /* SH packet sent by the client */ 1548| | 1549| | /* QUIC never retransmits packets, but we should also somehow check that 1550| | * these 3 packets from the client are really different from each other 1551| | * to avoid matching retransmissions on some other protocols.
1552| | * To avoid saving too much state, simply check the last byte of each packet 1553| | * (the idea is that, QUIC being fully encrypted, the bytes are somehow always 1554| | * different; a weak assumption, but it allows us to save only 1 byte in 1555| | * the flow structure and it seems to work) 1556| | * TODO: do we need something better? 1557| | */ 1558| | 1559| 70| if(packet->payload_packet_len < 1 + QUIC_SERVER_CID_HEURISTIC_LENGTH) ------------------ | | 1038| 70|#define QUIC_SERVER_CID_HEURISTIC_LENGTH 8 ------------------ | Branch (1559:6): [True: 1, False: 69] ------------------ 1560| 1| return 0; 1561| 69| last_byte = packet->payload[packet->payload_packet_len - 1]; /* the length check above keeps this read, and the 8 bytes at payload[1] used by memcmp/memcpy below, inside the payload */ 1562| 69| if(flow->l4.udp.quic_server_cid_stage > 0) { ------------------ | Branch (1562:6): [True: 7, False: 62] ------------------ 1563| 7| if(memcmp(flow->l4.udp.quic_server_cid, &packet->payload[1], ------------------ | Branch (1563:8): [True: 6, False: 1] ------------------ 1564| 7| QUIC_SERVER_CID_HEURISTIC_LENGTH) != 0 || ------------------ | | 1038| 7|#define QUIC_SERVER_CID_HEURISTIC_LENGTH 8 ------------------ 1565| 1| flow->l4.udp.quic_client_last_byte == last_byte) ------------------ | Branch (1565:8): [True: 1, False: 0] ------------------ 1566| 7| return 0; 1567| 0| flow->l4.udp.quic_server_cid_stage++; 1568| 0| if(flow->l4.udp.quic_server_cid_stage == 3) { ------------------ | Branch (1568:8): [True: 0, False: 0] ------------------ 1569| | /* Found QUIC via 3 SHs by client */ 1570| 0| return 1; 1571| 0| } 1572| 62| } else { 1573| 62| memcpy(flow->l4.udp.quic_server_cid, &packet->payload[1], QUIC_SERVER_CID_HEURISTIC_LENGTH); ------------------ | | 1038| 62|#define QUIC_SERVER_CID_HEURISTIC_LENGTH 8 ------------------ 1574| 62| flow->l4.udp.quic_server_cid_stage = 1; 1575| 62| } 1576| 62| flow->l4.udp.quic_client_last_byte = last_byte; 1577| 62| return -1; /* Keep looking for other packets sent by client */ 1578| 69|} quic.c:may_be_gquic_rej: 1513| 3.33k|{ 1514| 3.33k| struct
ndpi_packet_struct *packet = &ndpi_struct->packet; 1515| 3.33k| void *ptr; 1516| | 1517| | /* Common case: msg from server default port */ 1518| 3.33k| if(packet->udp->source != ntohs(443)) ------------------ | Branch (1518:6): [True: 3.32k, False: 14] ------------------ 1519| 3.32k| return 0; 1520| | /* GQUIC. Common case: cid length 8, no version, packet number length 1 */ 1521| 14| if(packet->payload[0] != 0x08) ------------------ | Branch (1521:6): [True: 14, False: 0] ------------------ 1522| 14| return 0; 1523| 0| if(packet->payload_packet_len < 1 + 8 + 1 + 12 /* Message auth hash */ + 16 /* Arbitrary length */) ------------------ | Branch (1523:6): [True: 0, False: 0] ------------------ 1524| 0| return 0; 1525| | /* Search for "REJ" tag in the first 16 bytes after the hash */ 1526| 0| ptr = memchr(&packet->payload[1 + 8 + 1 + 12], 'R', 16 - 3); 1527| 0| if(ptr && memcmp(ptr, "REJ", 3) == 0) ------------------ | Branch (1527:6): [True: 0, False: 0] | Branch (1527:13): [True: 0, False: 0] ------------------ 1528| 0| return 1; 1529| 0| return 0; 1530| 0|} quic.c:is_version_supported: 150| 1.47k|{ 151| 1.47k| return (version == V_Q024 || ------------------ | | 51| 2.95k|#define V_Q024 0x51303234 ------------------ | Branch (151:11): [True: 0, False: 1.47k] ------------------ 152| 1.47k| version == V_Q025 || ------------------ | | 52| 2.95k|#define V_Q025 0x51303235 ------------------ | Branch (152:11): [True: 0, False: 1.47k] ------------------ 153| 1.47k| version == V_Q030 || ------------------ | | 53| 2.95k|#define V_Q030 0x51303330 ------------------ | Branch (153:11): [True: 0, False: 1.47k] ------------------ 154| 1.47k| version == V_Q033 || ------------------ | | 54| 2.95k|#define V_Q033 0x51303333 ------------------ | Branch (154:11): [True: 0, False: 1.47k] ------------------ 155| 1.47k| version == V_Q034 || ------------------ | | 55| 2.95k|#define V_Q034 0x51303334 ------------------ | Branch (155:11): [True: 1, False: 1.47k] ------------------ 156| 
1.47k| version == V_Q035 || ------------------ | | 56| 2.95k|#define V_Q035 0x51303335 ------------------ | Branch (156:11): [True: 0, False: 1.47k] ------------------ 157| 1.47k| version == V_Q037 || ------------------ | | 57| 2.95k|#define V_Q037 0x51303337 ------------------ | Branch (157:11): [True: 0, False: 1.47k] ------------------ 158| 1.47k| version == V_Q039 || ------------------ | | 58| 2.95k|#define V_Q039 0x51303339 ------------------ | Branch (158:11): [True: 0, False: 1.47k] ------------------ 159| 1.47k| version == V_Q043 || ------------------ | | 59| 2.95k|#define V_Q043 0x51303433 ------------------ | Branch (159:11): [True: 0, False: 1.47k] ------------------ 160| 1.47k| version == V_Q046 || ------------------ | | 60| 2.95k|#define V_Q046 0x51303436 ------------------ | Branch (160:11): [True: 0, False: 1.47k] ------------------ 161| 1.47k| version == V_Q050 || ------------------ | | 61| 2.95k|#define V_Q050 0x51303530 ------------------ | Branch (161:11): [True: 0, False: 1.47k] ------------------ 162| 1.47k| version == V_T050 || ------------------ | | 62| 2.95k|#define V_T050 0x54303530 ------------------ | Branch (162:11): [True: 1, False: 1.47k] ------------------ 163| 1.47k| version == V_T051 || ------------------ | | 63| 2.95k|#define V_T051 0x54303531 ------------------ | Branch (163:11): [True: 13, False: 1.46k] ------------------ 164| 1.46k| version == V_MVFST_22 || ------------------ | | 64| 2.93k|#define V_MVFST_22 0xfaceb001 ------------------ | Branch (164:4): [True: 0, False: 1.46k] ------------------ 165| 1.46k| version == V_MVFST_27 || ------------------ | | 65| 2.93k|#define V_MVFST_27 0xfaceb002 ------------------ | Branch (165:4): [True: 0, False: 1.46k] ------------------ 166| 1.46k| version == V_MVFST_EXP || ------------------ | | 66| 2.93k|#define V_MVFST_EXP 0xfaceb00e ------------------ | Branch (166:4): [True: 0, False: 1.46k] ------------------ 167| 1.46k| is_quic_ver_greater_than(version, 23)); ------------------ | 
Branch (167:11): [True: 1.45k, False: 2] ------------------ 168| 1.47k|} quic.c:ndpi_search_quic_extra_vn: 1884| 418|{ 1885| 418| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1886| | 1887| | /* We are elaborating a packet following the Forcing VN, i.e. we are expecting: 1888| | 1) first a VN packet (from the server) 1889| | 2) then a "standard" Initial from the client */ 1890| | /* TODO: could we unify ndpi_search_quic() and ndpi_search_quic_extra_vn() somehow? */ 1891| | 1892| 418| NDPI_LOG_DBG(ndpi_struct, "search QUIC extra func VN\n"); ------------------ | | 596| 418|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1893| | 1894| 418| if(packet->payload_packet_len == 0) ------------------ | Branch (1894:6): [True: 0, False: 418] ------------------ 1895| 0| return 1; /* Keep going */ 1896| | 1897| 418| if(flow->l4.udp.quic_vn_pair == 0) { ------------------ | Branch (1897:6): [True: 417, False: 1] ------------------ 1898| 417| if(is_vn(ndpi_struct)) { ------------------ | Branch (1898:8): [True: 213, False: 204] ------------------ 1899| 213| NDPI_LOG_DBG(ndpi_struct, "Valid VN\n"); ------------------ | | 596| 213|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1900| 213| flow->l4.udp.quic_vn_pair = 1; 1901| 213| return 1; 1902| 213| } else { 1903| 204| NDPI_LOG_DBG(ndpi_struct, "Invalid reply to a Force VN. Stop\n"); ------------------ | | 596| 204|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1904| 204| flow->extra_packets_func = NULL; 1905| 204| return 0; /* Stop */ 1906| 204| } 1907| 417| } else { 1908| | flow->extra_packets_func = NULL; 1909| 1| ndpi_search_quic(ndpi_struct, flow); 1910| 1| return 0; 1911| 1| } 1912| 418|} quic.c:is_vn: 1838| 417|{ 1839| 417| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1840| 417| u_int32_t version; 1841| 417| u_int8_t first_byte; 1842| 417| u_int8_t pub_bit1; 1843| 417| u_int8_t dest_conn_id_len, source_conn_id_len; 1844| | 1845| | /* RFC 8999 6 */ 1846| | 1847| | /* First byte + version (4) + 2 CID lengths (set to 0) + at least one supported version */ 1848| 417| if(packet->payload_packet_len < 11) { ------------------ | Branch (1848:6): [True: 5, False: 412] ------------------ 1849| 5| return 0; 1850| 5| } 1851| | 1852| 412| first_byte = packet->payload[0]; 1853| 412| pub_bit1 = ((first_byte & 0x80) != 0); 1854| 412| if(!pub_bit1) { ------------------ | Branch (1854:6): [True: 1, False: 411] ------------------ 1855| 1| NDPI_LOG_DBG2(ndpi_struct, "Not a long header\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1856| 1| return 0; 1857| 1| } 1858| | 1859| 411| version = ntohl(*((u_int32_t *)&packet->payload[1])); 1860| 411| if(version != 0) { ------------------ | Branch (1860:6): [True: 194, False: 217] ------------------ 1861| 194| NDPI_LOG_DBG2(ndpi_struct, "Invalid version 0x%x\n", version); ------------------ | | 597| 194|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1862| 194| return 0; 1863| 194| } 1864| | 1865| | /* Check that CIDs lengths are valid: QUIC limits the CID length to 20 */ 1866| 217| dest_conn_id_len = packet->payload[5]; 1867| 217| if(5 + 1 + dest_conn_id_len >= packet->payload_packet_len) { ------------------ | Branch (1867:6): [True: 0, False: 217] ------------------ 1868| 0| NDPI_LOG_DBG2(ndpi_struct, "Invalid Length %d\n", packet->payload_packet_len); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1869| 0| return 0; 1870| 0| } 1871| 217| source_conn_id_len = packet->payload[5 + 1 + dest_conn_id_len]; 1872| 217| if (dest_conn_id_len > QUIC_MAX_CID_LENGTH || ------------------ | | 68| 434|#define QUIC_MAX_CID_LENGTH 20 ------------------ | Branch (1872:7): [True: 0, False: 217] ------------------ 1873| 217| source_conn_id_len > QUIC_MAX_CID_LENGTH) { ------------------ | | 68| 217|#define QUIC_MAX_CID_LENGTH 20 ------------------ | Branch (1873:7): [True: 4, False: 213] ------------------ 1874| 4| NDPI_LOG_DBG2(ndpi_struct, "Invalid CIDs length %u %u", ------------------ | | 597| 4|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1875| 4| dest_conn_id_len, source_conn_id_len); 1876| 4| return 0; 1877| 4| } 1878| | 1879| 213| return 1; 1880| 217|} quic.c:get_clear_payload: 1327| 38|{ 1328| 38| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1329| 38| u_int8_t *clear_payload; 1330| 38| u_int8_t dest_conn_id_len; 1331| 38| u_int8_t source_conn_id_len; 1332| | 1333| 38| if(is_gquic_ver_less_than(version, 43)) { ------------------ | Branch (1333:6): [True: 1, False: 37] ------------------ 1334| 1| clear_payload = (uint8_t *)&packet->payload[26]; 1335| 1| *clear_payload_len = packet->payload_packet_len - 26; 1336| | /* Skip Private-flag field for version for < Q34 */ 1337| 1| if(is_gquic_ver_less_than(version, 33)) { ------------------ | Branch (1337:8): [True: 0, False: 1] ------------------ 1338| 0| clear_payload += 1; 1339| 0| (*clear_payload_len) -= 1; 1340| 0| } 1341| 37| } else if(version == V_Q046) { ------------------ | | 60| 37|#define V_Q046 0x51303436 ------------------ | Branch (1341:13): [True: 0, False: 37] ------------------ 1342| 0| if(packet->payload[5] != 0x50) { ------------------ | Branch (1342:8): [True: 0, False: 0] ------------------ 1343| 0| NDPI_LOG_DBG(ndpi_struct, "Q46 invalid conn id len 0x%x\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1344| 0| packet->payload[5]); 1345| 0| return NULL; 1346| 0| } 1347| 0| clear_payload = (uint8_t *)&packet->payload[30]; 1348| 0| *clear_payload_len = packet->payload_packet_len - 30; 1349| 37| } else { 1350| | /* Upper limit of CIDs length has been already validated. 
If dest_conn_id_len is 0, 1351| | this is probably the Initial Packet from the server */ 1352| 37| dest_conn_id_len = packet->payload[5]; 1353| 37| if(dest_conn_id_len == 0) { ------------------ | Branch (1353:8): [True: 1, False: 36] ------------------ 1354| 1| NDPI_LOG_DBG(ndpi_struct, "Packet 0x%x with dest_conn_id_len %d\n", ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1355| 1| version, dest_conn_id_len); 1356| 1| return NULL; 1357| 1| } 1358| | 1359| 36| source_conn_id_len = packet->payload[6 + dest_conn_id_len]; 1360| 36| const u_int8_t *dest_conn_id = &packet->payload[6]; 1361| | 1362| | /* For initializing the ciphers we need the DCID of the very first Initial 1363| | sent by the client. This is quite important when CH is fragmented into multiple 1364| | packets and these packets have different DCID. NOTE(review): the memcpy below copies dest_conn_id_len bytes, a length byte taken from the packet; nothing in this function bounds it, so it relies on the CID length limit having been enforced before this point, and the size of quic_orig_dest_conn_id is declared outside this view; confirm both */ 1365| 36| if(flow->l4.udp.quic_orig_dest_conn_id_len == 0) { ------------------ | Branch (1365:8): [True: 36, False: 0] ------------------ 1366| 36| memcpy(flow->l4.udp.quic_orig_dest_conn_id, 1367| 36| dest_conn_id, dest_conn_id_len); 1368| 36| flow->l4.udp.quic_orig_dest_conn_id_len = dest_conn_id_len; 1369| 36| } 1370| | 1371| 36| clear_payload = decrypt_initial_packet(ndpi_struct, 1372| 36| flow->l4.udp.quic_orig_dest_conn_id, 1373| 36| flow->l4.udp.quic_orig_dest_conn_id_len, 1374| 36| dest_conn_id_len, 1375| 36| source_conn_id_len, version, 1376| 36| clear_payload_len); 1377| 36| } 1378| | 1379| 37| return clear_payload; 1380| 38|} quic.c:decrypt_initial_packet: 989| 36|{ 990| 36| uint64_t token_length, payload_length, packet_number; 991| 36| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 992| 36| uint8_t first_byte; 993| 36| uint32_t pkn32, pn_offset, pkn_len, offset; 994| 36| quic_ciphers ciphers; /* Client initial ciphers */ 995| 36| quic_decrypt_result_t decryption = { 0, 0}; 996| 36| uint8_t client_secret[HASH_SHA2_256_LENGTH]; 997| | 998| 36| memset(&ciphers,
'\0', sizeof(ciphers)); 999| 36| if(quic_derive_initial_secrets(ndpi_struct, version, orig_dest_conn_id, orig_dest_conn_id_len, ------------------ | Branch (999:6): [True: 4, False: 32] ------------------ 1000| 36| client_secret) != 0) { 1001| 4| NDPI_LOG_DBG(ndpi_struct, "Error quic_derive_initial_secrets\n"); ------------------ | | 596| 4|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1002| 4| return NULL; 1003| 4| } 1004| | 1005| | /* Packet numbers are protected with AES128-CTR, 1006| | Initial packets are protected with AEAD_AES_128_GCM. */ 1007| 32| if(!quic_ciphers_prepare(ndpi_struct, &ciphers, GCRY_MD_SHA256, ------------------ | | 18| 32|#define GCRY_MD_SHA256 8 ------------------ | Branch (1007:6): [True: 8, False: 24] ------------------ 1008| 32| GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, ------------------ | | 13| 32|#define GCRY_CIPHER_AES128 7 ------------------ GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, ------------------ | | 16| 32|#define GCRY_CIPHER_MODE_GCM 8 ------------------ 1009| 32| client_secret, version)) { 1010| 8| NDPI_LOG_DBG(ndpi_struct, "Error quic_cipher_prepare\n"); ------------------ | | 596| 8|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1011| 8| return NULL; /* NOTE(review): unlike the later error paths, this one returns without quic_ciphers_reset(&ciphers); confirm quic_ciphers_prepare releases whatever it opened before failing */ 1012| 8| } 1013| | 1014| | /* Type(1) + version(4) + DCIL + DCID + SCIL + SCID */ 1015| 24| pn_offset = 1 + 4 + 1 + dest_conn_id_len + 1 + source_conn_id_len; 1016| 24| pn_offset += quic_len(&packet->payload[pn_offset], &token_length); 1017| 24| pn_offset += token_length; /* NOTE(review): token_length is a uint64_t (presumably parsed from the packet by quic_len) and pn_offset a uint32_t, so this sum is truncated to 32 bits; the bounds check that follows tests the truncated pn_offset, not the real token length */ 1018| | /* Checks: quic_len reads 8 bytes, at most; quic_decrypt_header reads other 20 bytes.
1019| | Promote to uint64_t to avoid unsigned wrapping */ 1020| 24| if((uint64_t)pn_offset + 8 + (4 + 16) >= (uint64_t)packet->payload_packet_len) { ------------------ | Branch (1020:6): [True: 5, False: 19] ------------------ 1021| 5| quic_ciphers_reset(&ciphers); 1022| 5| return NULL; 1023| 5| } 1024| 19| pn_offset += quic_len(&packet->payload[pn_offset], &payload_length); 1025| | 1026| 19| NDPI_LOG_DBG2(ndpi_struct, "pn_offset %d token_length %d payload_length %d\n", ------------------ | | 597| 19|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1027| 19| pn_offset, token_length, payload_length); 1028| | 1029| 19| if (pn_offset + payload_length > packet->payload_packet_len) { ------------------ | Branch (1029:7): [True: 1, False: 18] ------------------ 1030| 1| NDPI_LOG_DBG(ndpi_struct, "Too short %d %d\n", pn_offset + payload_length, ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1031| 1| packet->payload_packet_len); 1032| 1| quic_ciphers_reset(&ciphers); 1033| 1| return NULL; 1034| 1| } 1035| | 1036| 18| if(!quic_decrypt_header(&packet->payload[0], pn_offset, &ciphers.hp_cipher, ------------------ | Branch (1036:6): [True: 1, False: 17] ------------------ 1037| 18| GCRY_CIPHER_AES128, &first_byte, &pkn32, 0)) { ------------------ | | 13| 18|#define GCRY_CIPHER_AES128 7 ------------------ 1038| 1| quic_ciphers_reset(&ciphers); 1039| 1| return NULL; 1040| 1| } 1041| 17| NDPI_LOG_DBG2(ndpi_struct, "first_byte 0x%x pkn32 0x%x\n", first_byte, pkn32); ------------------ | | 597| 17|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1042| | 1043| 17| pkn_len = (first_byte & 3) + 1; 1044| | /* TODO: is it always true in Initial Packets? 
*/ 1045| 17| packet_number = pkn32; 1046| | 1047| 17| offset = pn_offset + pkn_len; 1048| 17| if (!(pn_offset + payload_length >= offset + 16)) { ------------------ | Branch (1048:7): [True: 1, False: 16] ------------------ 1049| 1| NDPI_LOG_DBG(ndpi_struct, "No room for Auth Tag %d %d", ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1050| 1| pn_offset + payload_length, offset); 1051| 1| quic_ciphers_reset(&ciphers); 1052| 1| return NULL; 1053| 1| } 1054| 16| quic_decrypt_message(ndpi_struct, &ciphers.pp_cipher, &packet->payload[0], pn_offset + payload_length, 1055| 16| offset, first_byte, pkn_len, packet_number, &decryption); 1056| | 1057| 16| quic_ciphers_reset(&ciphers); 1058| | 1059| 16| if(decryption.data_len) { ------------------ | Branch (1059:6): [True: 0, False: 16] ------------------ 1060| 0| *clear_payload_len = decryption.data_len; 1061| 0| return decryption.data; 1062| 0| } 1063| 16| return NULL; 1064| 16|} quic.c:quic_derive_initial_secrets: 883| 36|{ 884| | /* 885| | * https://tools.ietf.org/html/draft-ietf-quic-tls-29#section-5.2 886| | * 887| | * initial_secret = HKDF-Extract(initial_salt, client_dst_connection_id) 888| | * 889| | * client_initial_secret = HKDF-Expand-Label(initial_secret, 890| | * "client in", "", Hash.length) 891| | * 892| | * Hash for handshake packets is SHA-256 (output size 32). 
893| | */ 894| 36| static const uint8_t handshake_salt_draft_22[20] = { 895| 36| 0x7f, 0xbc, 0xdb, 0x0e, 0x7c, 0x66, 0xbb, 0xe9, 0x19, 0x3a, 896| 36| 0x96, 0xcd, 0x21, 0x51, 0x9e, 0xbd, 0x7a, 0x02, 0x64, 0x4a 897| 36| }; 898| 36| static const uint8_t handshake_salt_draft_23[20] = { 899| 36| 0xc3, 0xee, 0xf7, 0x12, 0xc7, 0x2e, 0xbb, 0x5a, 0x11, 0xa7, 900| 36| 0xd2, 0x43, 0x2b, 0xb4, 0x63, 0x65, 0xbe, 0xf9, 0xf5, 0x02, 901| 36| }; 902| 36| static const uint8_t handshake_salt_draft_29[20] = { 903| 36| 0xaf, 0xbf, 0xec, 0x28, 0x99, 0x93, 0xd2, 0x4c, 0x9e, 0x97, 904| 36| 0x86, 0xf1, 0x9c, 0x61, 0x11, 0xe0, 0x43, 0x90, 0xa8, 0x99 905| 36| }; 906| 36| static const uint8_t hanshake_salt_draft_q50[20] = { 907| 36| 0x50, 0x45, 0x74, 0xEF, 0xD0, 0x66, 0xFE, 0x2F, 0x9D, 0x94, 908| 36| 0x5C, 0xFC, 0xDB, 0xD3, 0xA7, 0xF0, 0xD3, 0xB5, 0x6B, 0x45 909| 36| }; 910| 36| static const uint8_t hanshake_salt_draft_t50[20] = { 911| 36| 0x7f, 0xf5, 0x79, 0xe5, 0xac, 0xd0, 0x72, 0x91, 0x55, 0x80, 912| 36| 0x30, 0x4c, 0x43, 0xa2, 0x36, 0x7c, 0x60, 0x48, 0x83, 0x10 913| 36| }; 914| 36| static const uint8_t hanshake_salt_draft_t51[20] = { 915| 36| 0x7a, 0x4e, 0xde, 0xf4, 0xe7, 0xcc, 0xee, 0x5f, 0xa4, 0x50, 916| 36| 0x6c, 0x19, 0x12, 0x4f, 0xc8, 0xcc, 0xda, 0x6e, 0x03, 0x3d 917| 36| }; 918| 36| static const uint8_t handshake_salt_v1[20] = { 919| 36| 0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 920| 36| 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a 921| 36| }; 922| 36| static const uint8_t handshake_salt_v2_draft_00[20] = { 923| 36| 0x0d, 0xed, 0xe3, 0xde, 0xf7, 0x00, 0xa6, 0xdb, 0x81, 0x93, 924| 36| 0x81, 0xbe, 0x6e, 0x26, 0x9d, 0xcb, 0xf9, 0xbd, 0x2e, 0xd9 925| 36| }; 926| 36| gcry_error_t err; 927| 36| uint8_t secret[HASH_SHA2_256_LENGTH]; 928| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 929| | char buferr[128]; 930| |#endif 931| | 932| 36| if(version == V_Q050) { ------------------ | | 61| 36|#define V_Q050 0x51303530 ------------------ | Branch (932:6): [True: 0, False: 
36] ------------------ 933| 0| err = hkdf_extract(GCRY_MD_SHA256, hanshake_salt_draft_q50, ------------------ | | 18| 0|#define GCRY_MD_SHA256 8 ------------------ 934| 0| sizeof(hanshake_salt_draft_q50), 935| 0| cid, cid_len, secret); 936| 36| } else if(version == V_T050) { ------------------ | | 62| 36|#define V_T050 0x54303530 ------------------ | Branch (936:13): [True: 1, False: 35] ------------------ 937| 1| err = hkdf_extract(GCRY_MD_SHA256, hanshake_salt_draft_t50, ------------------ | | 18| 1|#define GCRY_MD_SHA256 8 ------------------ 938| 1| sizeof(hanshake_salt_draft_t50), 939| 1| cid, cid_len, secret); 940| 35| } else if(version == V_T051) { ------------------ | | 63| 35|#define V_T051 0x54303531 ------------------ | Branch (940:13): [True: 13, False: 22] ------------------ 941| 13| err = hkdf_extract(GCRY_MD_SHA256, hanshake_salt_draft_t51, ------------------ | | 18| 13|#define GCRY_MD_SHA256 8 ------------------ 942| 13| sizeof(hanshake_salt_draft_t51), 943| 13| cid, cid_len, secret); 944| 22| } else if(is_quic_ver_less_than(version, 22)) { ------------------ | Branch (944:13): [True: 0, False: 22] ------------------ 945| 0| err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_draft_22, ------------------ | | 18| 0|#define GCRY_MD_SHA256 8 ------------------ 946| 0| sizeof(handshake_salt_draft_22), 947| 0| cid, cid_len, secret); 948| 22| } else if(is_quic_ver_less_than(version, 28)) { ------------------ | Branch (948:13): [True: 1, False: 21] ------------------ 949| 1| err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_draft_23, ------------------ | | 18| 1|#define GCRY_MD_SHA256 8 ------------------ 950| 1| sizeof(handshake_salt_draft_23), 951| 1| cid, cid_len, secret); 952| 21| } else if(is_quic_ver_less_than(version, 32)) { ------------------ | Branch (952:13): [True: 3, False: 18] ------------------ 953| 3| err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_draft_29, ------------------ | | 18| 3|#define GCRY_MD_SHA256 8 ------------------ 954| 3| 
sizeof(handshake_salt_draft_29), 955| 3| cid, cid_len, secret); 956| 18| } else if (is_quic_ver_less_than(version, 34)) { ------------------ | Branch (956:14): [True: 0, False: 18] ------------------ 957| 0| err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_v1, ------------------ | | 18| 0|#define GCRY_MD_SHA256 8 ------------------ 958| 0| sizeof(handshake_salt_v1), 959| 0| cid, cid_len, secret); 960| 18| } else { 961| 18| err = hkdf_extract(GCRY_MD_SHA256, handshake_salt_v2_draft_00, ------------------ | | 18| 18|#define GCRY_MD_SHA256 8 ------------------ 962| 18| sizeof(handshake_salt_v2_draft_00), 963| 18| cid, cid_len, secret); 964| 18| } 965| 36| if(err) { ------------------ | Branch (965:6): [True: 1, False: 35] ------------------ 966| 1| NDPI_LOG_DBG(ndpi_struct, "Failed to extract secrets: %s\n", __gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 967| 1| return -1; 968| 1| } 969| | 970| 35| if(!quic_hkdf_expand_label(ndpi_struct, GCRY_MD_SHA256, secret, sizeof(secret), "client in", ------------------ | | 18| 35|#define GCRY_MD_SHA256 8 ------------------ | Branch (970:6): [True: 3, False: 32] ------------------ 971| 35| client_initial_secret, HASH_SHA2_256_LENGTH)) { ------------------ | | 338| 35|#define HASH_SHA2_256_LENGTH 32 ------------------ 972| 3| NDPI_LOG_DBG(ndpi_struct, "Key expansion (client) failed: %s\n", __gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 3|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 973| 3| return -1; 974| 3| } 975| | 976| 32| return 0; 977| 35|} quic.c:hkdf_extract: 435| 36|{ 436| | /* PRK = HMAC-Hash(salt, IKM) where salt is key, and IKM is input. 
*/ 437| 36| return ws_hmac_buffer(hashalgo, prk, ikm, ikm_len, salt, salt_len); 438| 36|} quic.c:ws_hmac_buffer: 372| 36|{ 373| 36| gcry_md_hd_t hmac_handle; 374| 36| gcry_error_t result = gcry_md_open(&hmac_handle, algo, GCRY_MD_FLAG_HMAC); ------------------ | | 19| 36|#define GCRY_MD_FLAG_HMAC 2 ------------------ 375| 36| if(result) { ------------------ | Branch (375:6): [True: 1, False: 35] ------------------ 376| 1| return result; 377| 1| } 378| 35| result = gcry_md_setkey(hmac_handle, key, keylen); 379| 35| if(result) { ------------------ | Branch (379:6): [True: 0, False: 35] ------------------ 380| 0| gcry_md_close(hmac_handle); 381| 0| return result; 382| 0| } 383| 35| gcry_md_write(hmac_handle, buffer, length); 384| 35| memcpy(digest, gcry_md_read(hmac_handle, 0), gcry_md_get_algo_dlen(algo)); 385| 35| gcry_md_close(hmac_handle); 386| 35| return GPG_ERR_NO_ERROR; ------------------ | | 20| 35|#define GPG_ERR_NO_ERROR 0 ------------------ 387| 35|} quic.c:is_quic_ver_less_than: 128| 129|{ 129| 129| uint8_t u8_ver = get_u8_quic_ver(version); 130| 129| return u8_ver && u8_ver <= max_version; ------------------ | Branch (130:10): [True: 129, False: 0] | Branch (130:20): [True: 14, False: 115] ------------------ 131| 129|} quic.c:quic_hkdf_expand_label: 555| 117|{ 556| 117| const StringInfo secret_si = { secret, secret_len }; 557| 117| uint8_t *out_mem = NULL; 558| 117| if(tls13_hkdf_expand_label(ndpi_struct, hash_algo, &secret_si, "tls13 ", label, out_len, &out_mem)) { ------------------ | Branch (558:6): [True: 109, False: 8] ------------------ 559| 109| memcpy(out, out_mem, out_len); 560| 109| ndpi_free(out_mem); 561| 109| return 1; 562| 109| } 563| 8| return 0; 564| 117|} quic.c:tls13_hkdf_expand_label: 543| 117|{ 544| | return tls13_hkdf_expand_label_context(ndpi_struct, md, secret, label_prefix, label, NULL, 0, out_len, out); 545| 117|} quic.c:tls13_hkdf_expand_label_context: 455| 117|{ 456| | /* RFC 8446 Section 7.1: 457| | * HKDF-Expand-Label(Secret, 
Label, Context, Length) = 458| | * HKDF-Expand(Secret, HkdfLabel, Length) 459| | * struct { 460| | * uint16 length = Length; 461| | * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix. 462| | * opaque context<0..255> = Context; 463| | * } HkdfLabel; 464| | * 465| | * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF): 466| | * HKDF-Expand(PRK, info, L) -> OKM 467| | */ 468| 117| gcry_error_t err; 469| 117| const unsigned int label_prefix_length = (unsigned int)strlen(label_prefix); 470| 117| const unsigned label_length = (unsigned int)strlen(label); 471| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 472| | char buferr[128]; 473| |#endif 474| | 475| | /* Some sanity checks */ 476| 117| if(!(label_length > 0 && label_prefix_length + label_length <= 255)) { ------------------ | Branch (476:8): [True: 117, False: 0] | Branch (476:28): [True: 117, False: 0] ------------------ 477| 0| NDPI_LOG_DBG(ndpi_struct, "Failed sanity checks\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 478| 0| return 0; 479| 0| } 480| | 481| | /* info = HkdfLabel { length, label, context } */ 482| | /* Keep original Wireshark code as reference */ 483| |#if 0 484| | GByteArray *info = g_byte_array_new(); 485| | const uint16_t length = htons(out_len); 486| | g_byte_array_append(info, (const guint8 *)&length, sizeof(length)); 487| | 488| | const uint8_t label_vector_length = label_prefix_length + label_length; 489| | g_byte_array_append(info, &label_vector_length, 1); 490| | g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length); 491| | g_byte_array_append(info, (const uint8_t *)label, label_length); 492| | 493| | g_byte_array_append(info, &context_length, 1); 494| | if (context_length) { 495| | g_byte_array_append(info, context_hash, context_length); 496| | } 497| |#else 498| 117| uint32_t info_len = 0; 499| 117| uint8_t *info_data = (uint8_t *)ndpi_malloc(1024); 500| 117| if(!info_data) ------------------ | Branch (500:6): [True: 5, False: 112] ------------------ 501| 5| return 0; 502| 112| const uint16_t length = htons(out_len); 503| 112| memcpy(&info_data[info_len], &length, sizeof(length)); 504| 112| info_len += sizeof(length); 505| | 506| 112| const uint8_t label_vector_length = label_prefix_length + label_length; 507| 112| memcpy(&info_data[info_len], &label_vector_length, 1); 508| 112| info_len += 1; 509| 112| memcpy(&info_data[info_len], (const uint8_t *)label_prefix, label_prefix_length); 510| 112| info_len += label_prefix_length; 511| 112| memcpy(&info_data[info_len], (const uint8_t *)label, label_length); 512| 112| info_len += label_length; 513| | 514| 112| memcpy(&info_data[info_len], &context_length, 1); 515| 112| info_len += 1; 516| 112| if(context_length && context_hash != NULL) { ------------------ | Branch (516:6): [True: 0, False: 112] | Branch (516:24): [True: 0, False: 0] ------------------ 517| 0| memcpy(&info_data[info_len], context_hash, context_length); 518| 0| 
info_len += context_length; 519| 0| } 520| 112|#endif 521| | 522| 112| *out = (uint8_t *)ndpi_malloc(out_len); 523| 112| if(!*out) { ------------------ | Branch (523:6): [True: 2, False: 110] ------------------ 524| 2| ndpi_free(info_data); 525| 2| return 0; 526| 2| } 527| 110| err = hkdf_expand(md, secret->data, secret->data_len, info_data, info_len, *out, out_len); 528| 110| ndpi_free(info_data); 529| | 530| 110| if(err) { ------------------ | Branch (530:6): [True: 1, False: 109] ------------------ 531| 1| NDPI_LOG_DBG(ndpi_struct, "Failed hkdf_expand: %s\n", __gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 532| 1| ndpi_free(*out); 533| 1| *out = NULL; 534| 1| return 0; 535| 1| } 536| | 537| 109| return 1; 538| 110|} quic.c:hkdf_expand: 391| 110|{ 392| | /* Current maximum hash output size: 48 bytes for SHA-384. */ 393| 110| uint8_t lastoutput[48]; 394| 110| gcry_md_hd_t h; 395| 110| gcry_error_t err; 396| 110| const unsigned int hash_len = gcry_md_get_algo_dlen(hashalgo); 397| 110| uint32_t offset; 398| | 399| | /* Some sanity checks */ 400| 110| if(!(out_len > 0 && out_len <= 255 * hash_len) || ------------------ | Branch (400:8): [True: 110, False: 0] | Branch (400:23): [True: 110, False: 0] ------------------ 401| 110| !(hash_len > 0 && hash_len <= sizeof(lastoutput))) { ------------------ | Branch (401:8): [True: 110, False: 0] | Branch (401:24): [True: 110, False: 0] ------------------ 402| 0| return GPG_ERR_INV_ARG; ------------------ | | 23| 0|#define GPG_ERR_INV_ARG -3 ------------------ 403| 0| } 404| | 405| 110| err = gcry_md_open(&h, hashalgo, GCRY_MD_FLAG_HMAC); ------------------ | | 19| 110|#define GCRY_MD_FLAG_HMAC 2 ------------------ 406| 110| if(err) { ------------------ | Branch (406:6): [True: 1, False: 109] ------------------ 407| 1| return err; 408| 1| } 409| | 410| 218| for(offset = 0; offset < out_len; offset += hash_len) { 
------------------ | Branch (410:19): [True: 109, False: 109] ------------------ 411| 109| gcry_md_reset(h); 412| 109| gcry_md_setkey(h, prk, prk_len); /* Set PRK */ 413| 109| if(offset > 0) { ------------------ | Branch (413:8): [True: 0, False: 109] ------------------ 414| 0| gcry_md_write(h, lastoutput, hash_len); /* T(1..N) */ 415| 0| } 416| 109| gcry_md_write(h, info, info_len); /* info */ 417| | 418| 109| uint8_t c = offset / hash_len + 1; 419| 109| gcry_md_write(h, &c, sizeof(c)); /* constant 0x01..N */ 420| | 421| 109| memcpy(lastoutput, gcry_md_read(h, hashalgo), hash_len); 422| 109| memcpy(out + offset, lastoutput, ndpi_min(hash_len, out_len - offset)); ------------------ | | 113| 109|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 109] | | ------------------ ------------------ 423| 109| } 424| | 425| 109| gcry_md_close(h); 426| 109| return 0; 427| 110|} quic.c:quic_ciphers_prepare: 705| 32|{ 706| 32| int ret; 707| | 708| 32| ret = quic_hp_cipher_prepare(ndpi_struct, &ciphers->hp_cipher, hash_algo, cipher_algo, secret, version); 709| 32| if(ret != 1) ------------------ | Branch (709:6): [True: 4, False: 28] ------------------ 710| 4| return ret; 711| 28| ret = quic_pp_cipher_prepare(ndpi_struct, &ciphers->pp_cipher, hash_algo, cipher_algo, cipher_mode, secret, version); 712| 28| if(ret != 1) ------------------ | Branch (712:6): [True: 4, False: 24] ------------------ 713| 4| quic_hp_cipher_reset(&ciphers->hp_cipher); 714| 28| return ret; 715| 32|} quic.c:quic_hp_cipher_prepare: 647| 32|{ 648| |#if 0 649| | /* Clear previous state (if any). 
*/ 650| | quic_hp_cipher_reset(hp_cipher); 651| |#endif 652| | 653| 32| int hp_cipher_mode; 654| 32| if(!quic_get_pn_cipher_algo(cipher_algo, &hp_cipher_mode)) { ------------------ | Branch (654:6): [True: 0, False: 32] ------------------ 655| 0| NDPI_LOG_DBG(ndpi_struct, "Unsupported cipher algorithm\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 656| 0| return 0; 657| 0| } 658| | 659| 32| if(gcry_cipher_open(&hp_cipher->hp_cipher, cipher_algo, hp_cipher_mode, 0)) { ------------------ | Branch (659:6): [True: 1, False: 31] ------------------ 660| 1| quic_hp_cipher_reset(hp_cipher); 661| 1| NDPI_LOG_DBG(ndpi_struct, "Failed to create HP cipher\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 662| 1| return 0; 663| 1| } 664| | 665| 31| if(secret) { ------------------ | Branch (665:6): [True: 31, False: 0] ------------------ 666| 31| uint32_t cipher_keylen = (uint8_t)gcry_cipher_get_algo_keylen(cipher_algo); 667| 31| if(!quic_hp_cipher_init(ndpi_struct, hp_cipher, hash_algo, cipher_keylen, secret, version)) { ------------------ | Branch (667:8): [True: 3, False: 28] ------------------ 668| 3| quic_hp_cipher_reset(hp_cipher); 669| 3| NDPI_LOG_DBG(ndpi_struct, "Failed to derive key material for HP cipher\n"); ------------------ | | 596| 3|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 670| 3| return 0; 671| 3| } 672| 31| } 673| | 674| 28| return 1; 675| 31|} quic.c:quic_get_pn_cipher_algo: 629| 32|{ 630| 32| switch (cipher_algo) { 631| 32| case GCRY_CIPHER_AES128: ------------------ | | 13| 32|#define GCRY_CIPHER_AES128 7 ------------------ | Branch (631:3): [True: 32, False: 0] ------------------ 632| 32| case GCRY_CIPHER_AES256: ------------------ | | 14| 32|#define GCRY_CIPHER_AES256 8 ------------------ | Branch (632:3): [True: 0, False: 32] ------------------ 633| 32| *hp_cipher_mode = GCRY_CIPHER_MODE_ECB; ------------------ | | 15| 32|#define GCRY_CIPHER_MODE_ECB 1 ------------------ 634| 32| return 1; 635| 0| default: ------------------ | Branch (635:3): [True: 0, False: 32] ------------------ 636| 0| return 0; 637| 32| } 638| 32|} quic.c:quic_hp_cipher_init: 592| 31|{ 593| 31| uint8_t hp_key[256/8]; /* Maximum key size is for AES256 cipher. */ 594| 31| uint32_t hash_len = gcry_md_get_algo_dlen(hash_algo); 595| 31| char const * const label = is_version_with_v1_labels(version) ? "quic hp" : "quicv2 hp"; ------------------ | Branch (595:30): [True: 17, False: 14] ------------------ 596| | 597| 31| if(!quic_hkdf_expand_label(ndpi_struct, hash_algo, secret, hash_len, label, hp_key, key_length)) { ------------------ | Branch (597:6): [True: 3, False: 28] ------------------ 598| 3| return 0; 599| 3| } 600| | 601| 28| return gcry_cipher_setkey(hp_cipher->hp_cipher, hp_key, key_length) == 0; 602| 31|} quic.c:is_version_with_v1_labels: 193| 83|{ 194| 83| if(((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ || ------------------ | Branch (194:6): [True: 0, False: 83] ------------------ 195| 83| ((version & 0xFFFFFF00) == 0x54303500)) /* T05X */ ------------------ | Branch (195:6): [True: 37, False: 46] ------------------ 196| 37| return 1; 197| 46| return is_quic_ver_less_than(version, 34); 198| 83|} quic.c:quic_pp_cipher_prepare: 679| 28|{ 680| |#if 0 681| | /* Clear previous state (if any). 
*/ 682| | quic_pp_cipher_reset(pp_cipher); 683| |#endif 684| | 685| 28| if(gcry_cipher_open(&pp_cipher->pp_cipher, cipher_algo, cipher_mode, 0)) { ------------------ | Branch (685:6): [True: 2, False: 26] ------------------ 686| 2| quic_pp_cipher_reset(pp_cipher); 687| 2| NDPI_LOG_DBG(ndpi_struct, "Failed to create PP cipher\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 688| 2| return 0; 689| 2| } 690| | 691| 26| if(secret) { ------------------ | Branch (691:6): [True: 26, False: 0] ------------------ 692| 26| uint32_t cipher_keylen = (uint8_t)gcry_cipher_get_algo_keylen(cipher_algo); 693| 26| if(!quic_pp_cipher_init(ndpi_struct, pp_cipher, hash_algo, cipher_keylen, secret, version)) { ------------------ | Branch (693:8): [True: 2, False: 24] ------------------ 694| 2| quic_pp_cipher_reset(pp_cipher); 695| 2| NDPI_LOG_DBG(ndpi_struct, "Failed to derive key material for PP cipher\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 696| 2| return 0; 697| 2| } 698| 26| } 699| | 700| 24| return 1; 701| 26|} quic.c:quic_pp_cipher_reset: 573| 28|{ 574| 28| gcry_cipher_close(pp_cipher->pp_cipher); 575| |#if 0 576| | memset(pp_cipher, 0, sizeof(*pp_cipher)); 577| |#endif 578| 28|} quic.c:quic_pp_cipher_init: 607| 26|{ 608| 26| uint8_t write_key[256/8]; /* Maximum key size is for AES256 cipher. */ 609| 26| uint32_t hash_len = gcry_md_get_algo_dlen(hash_algo); 610| 26| char const * const key_label = is_version_with_v1_labels(version) ? "quic key" : "quicv2 key"; ------------------ | Branch (610:34): [True: 15, False: 11] ------------------ 611| 26| char const * const iv_label = is_version_with_v1_labels(version) ? 
"quic iv" : "quicv2 iv"; ------------------ | Branch (611:33): [True: 15, False: 11] ------------------ 612| | 613| 26| if(key_length > sizeof(write_key)) { ------------------ | Branch (613:6): [True: 0, False: 26] ------------------ 614| 0| return 0; 615| 0| } 616| | 617| 26| if(!quic_hkdf_expand_label(ndpi_struct, hash_algo, secret, hash_len, key_label, write_key, key_length) || ------------------ | Branch (617:6): [True: 1, False: 25] ------------------ 618| 25| !quic_hkdf_expand_label(ndpi_struct, hash_algo, secret, hash_len, iv_label, pp_cipher->pp_iv, sizeof(pp_cipher->pp_iv))) { ------------------ | Branch (618:6): [True: 1, False: 24] ------------------ 619| 2| return 0; 620| 2| } 621| | 622| 24| return gcry_cipher_setkey(pp_cipher->pp_cipher, write_key, key_length) == 0; 623| 26|} quic.c:quic_hp_cipher_reset: 566| 32|{ 567| 32| gcry_cipher_close(hp_cipher->hp_cipher); 568| |#if 0 569| | memset(hp_cipher, 0, sizeof(*hp_cipher)); 570| |#endif 571| 32|} quic.c:quic_ciphers_reset: 580| 24|{ 581| 24| quic_hp_cipher_reset(&ciphers->hp_cipher); 582| 24| quic_pp_cipher_reset(&ciphers->pp_cipher); 583| 24|} quic.c:quic_decrypt_header: 726| 18|{ 727| 18| if(!hp_cipher->hp_cipher) { ------------------ | Branch (727:6): [True: 0, False: 18] ------------------ 728| | /* Need to know the cipher */ 729| 0| return 0; 730| 0| } 731| 18| gcry_cipher_hd_t h = hp_cipher->hp_cipher; 732| | 733| | /* Sample is always 16 bytes and starts after PKN (assuming length 4). 
734| | https://tools.ietf.org/html/draft-ietf-quic-tls-22#section-5.4.2 */ 735| 18| uint8_t sample[16]; 736| 18| memcpy(sample, packet_payload + pn_offset + 4, 16); 737| | 738| 18| uint8_t mask[5] = { 0 }; 739| 18| switch (hp_cipher_algo) { 740| 18| case GCRY_CIPHER_AES128: ------------------ | | 13| 18|#define GCRY_CIPHER_AES128 7 ------------------ | Branch (740:3): [True: 18, False: 0] ------------------ 741| 18| case GCRY_CIPHER_AES256: ------------------ | | 14| 18|#define GCRY_CIPHER_AES256 8 ------------------ | Branch (741:3): [True: 0, False: 18] ------------------ 742| | /* Encrypt in-place with AES-ECB and extract the mask. */ 743| 18| if(gcry_cipher_encrypt(h, sample, sizeof(sample), NULL, 0)) { ------------------ | Branch (743:8): [True: 1, False: 17] ------------------ 744| 1| return 0; 745| 1| } 746| 17| memcpy(mask, sample, sizeof(mask)); 747| 17| break; 748| 0| default: ------------------ | Branch (748:3): [True: 0, False: 18] ------------------ 749| 0| return 0; 750| 18| } 751| | 752| | /* https://tools.ietf.org/html/draft-ietf-quic-tls-22#section-5.4.1 */ 753| 17| uint8_t packet0 = packet_payload[0]; 754| 17| if((packet0 & 0x80) == 0x80) { ------------------ | Branch (754:6): [True: 17, False: 0] ------------------ 755| | /* Long header: 4 bits masked */ 756| 17| packet0 ^= mask[0] & 0x0f; 757| 17| } else { 758| | /* Short header */ 759| 0| if(loss_bits_negotiated == 0) { ------------------ | Branch (759:8): [True: 0, False: 0] ------------------ 760| | /* Standard mask: 5 bits masked */ 761| 0| packet0 ^= mask[0] & 0x1F; 762| 0| } else { 763| | /* https://tools.ietf.org/html/draft-ferrieuxhamchaoui-quic-lossbits-03#section-5.3 */ 764| 0| packet0 ^= mask[0] & 0x07; 765| 0| } 766| 0| } 767| 17| uint32_t pkn_len = (packet0 & 0x03) + 1; 768| | /* printf("packet0 0x%x pkn_len %d\n", packet0, pkn_len); */ 769| | 770| 17| uint8_t pkn_bytes[4]; 771| 17| memcpy(pkn_bytes, packet_payload + pn_offset, pkn_len); 772| 17| uint32_t pkt_pkn = 0, i; 773| 59| 
for(i = 0; i < pkn_len; i++) { ------------------ | Branch (773:14): [True: 42, False: 17] ------------------ 774| 42| pkt_pkn |= (uint32_t)(pkn_bytes[i] ^ mask[1 + i]) << (8 * (pkn_len - 1 - i)); 775| 42| } 776| 17| *first_byte = packet0; 777| 17| *pn = pkt_pkn; 778| 17| return 1; 779| 18|} quic.c:quic_decrypt_message: 793| 16|{ 794| 16| gcry_error_t err; 795| 16| uint8_t *header; 796| 16| uint8_t nonce[TLS13_AEAD_NONCE_LENGTH]; 797| 16| uint8_t *buffer; 798| 16| uint8_t atag[16]; 799| 16| uint32_t buffer_length, i; 800| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 801| | char buferr[128]; 802| |#endif 803| | 804| 16| if(!(pp_cipher != NULL) || ------------------ | Branch (804:6): [True: 0, False: 16] ------------------ 805| 16| !(pp_cipher->pp_cipher != NULL) || ------------------ | Branch (805:6): [True: 0, False: 16] ------------------ 806| 16| !(pkn_len < header_length) || ------------------ | Branch (806:6): [True: 0, False: 16] ------------------ 807| 16| !(1 <= pkn_len && pkn_len <= 4)) { ------------------ | Branch (807:8): [True: 16, False: 0] | Branch (807:24): [True: 16, False: 0] ------------------ 808| 0| NDPI_LOG_DBG(ndpi_struct, "Failed sanity checks\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 809| 0| return; 810| 0| } 811| | /* Copy header, but replace encrypted first byte and PKN by plaintext. 
*/ 812| 16| header = (uint8_t *)memdup(packet_payload, header_length); 813| 16| if(!header) ------------------ | Branch (813:6): [True: 1, False: 15] ------------------ 814| 1| return; 815| 15| header[0] = first_byte; 816| 51| for( i = 0; i < pkn_len; i++) { ------------------ | Branch (816:15): [True: 36, False: 15] ------------------ 817| 36| header[header_length - 1 - i] = (uint8_t)(packet_number >> (8 * i)); 818| 36| } 819| | 820| | /* Input is "header || ciphertext (buffer) || auth tag (16 bytes)" */ 821| 15| buffer_length = packet_payload_len - (header_length + 16); 822| 15| if(buffer_length == 0) { ------------------ | Branch (822:6): [True: 0, False: 15] ------------------ 823| 0| NDPI_LOG_DBG(ndpi_struct, "Decryption not possible, ciphertext is too short\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 824| 0| ndpi_free(header); 825| 0| return; 826| 0| } 827| 15| buffer = (uint8_t *)memdup(packet_payload + header_length, buffer_length); 828| 15| if(!buffer) { ------------------ | Branch (828:6): [True: 1, False: 14] ------------------ 829| 1| ndpi_free(header); 830| 1| return; 831| 1| } 832| 14| memcpy(atag, packet_payload + header_length + buffer_length, 16); 833| | 834| 14| memcpy(nonce, pp_cipher->pp_iv, TLS13_AEAD_NONCE_LENGTH); ------------------ | | 339| 14|#define TLS13_AEAD_NONCE_LENGTH 12 ------------------ 835| | /* Packet number is left-padded with zeroes and XORed with write_iv */ 836| 14| phton64(nonce + sizeof(nonce) - 8, pntoh64(nonce + sizeof(nonce) - 8) ^ packet_number); 837| | 838| 14| gcry_cipher_reset(pp_cipher->pp_cipher); 839| 14| err = gcry_cipher_setiv(pp_cipher->pp_cipher, nonce, TLS13_AEAD_NONCE_LENGTH); ------------------ | | 339| 14|#define TLS13_AEAD_NONCE_LENGTH 12 ------------------ 840| 14| if(err) { ------------------ | Branch (840:6): [True: 0, False: 14] ------------------ 841| 0| NDPI_LOG_DBG(ndpi_struct, "Decryption (setiv) failed: %s\n", 
__gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 842| 0| ndpi_free(header); 843| 0| ndpi_free(buffer); 844| 0| return; 845| 0| } 846| | 847| | /* associated data (A) is the contents of QUIC header */ 848| 14| err = gcry_cipher_authenticate(pp_cipher->pp_cipher, header, header_length); 849| 14| if(err) { ------------------ | Branch (849:6): [True: 0, False: 14] ------------------ 850| 0| NDPI_LOG_DBG(ndpi_struct, "Decryption (authenticate) failed: %s\n", __gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 851| 0| ndpi_free(header); 852| 0| ndpi_free(buffer); 853| 0| return; 854| 0| } 855| | 856| 14| ndpi_free(header); 857| | 858| | /* Output ciphertext (C) */ 859| 14| err = gcry_cipher_decrypt(pp_cipher->pp_cipher, buffer, buffer_length, NULL, 0); 860| 14| if(err) { ------------------ | Branch (860:6): [True: 1, False: 13] ------------------ 861| 1| NDPI_LOG_DBG(ndpi_struct, "Decryption (decrypt) failed: %s\n", __gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 862| 1| ndpi_free(buffer); 863| 1| return; 864| 1| } 865| | 866| 13| err = gcry_cipher_checktag(pp_cipher->pp_cipher, atag, 16); 867| 13| if(err) { ------------------ | Branch (867:6): [True: 13, False: 0] ------------------ 868| 13| NDPI_LOG_DBG(ndpi_struct, "Decryption (checktag) failed: %s\n", __gcry_err(err, buferr, sizeof(buferr))); ------------------ | | 596| 13|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 869| 13| ndpi_free(buffer); 870| 13| return; 871| 13| } 872| | 873| 0| result->data = buffer; 874| 0| result->data_len = buffer_length; 875| 0|} quic.c:memdup: 326| 31|{ 327| 31| void *dest = ndpi_malloc(len); 328| 31| if(dest) ------------------ | Branch (328:6): [True: 29, False: 2] ------------------ 329| 29| memcpy(dest, orig, len); 330| 31| return dest; 331| 31|} quic.c:phton64: 314| 14|{ 315| 14| p[0] = (uint8_t)(v >> 56); 316| 14| p[1] = (uint8_t)(v >> 48); 317| 14| p[2] = (uint8_t)(v >> 40); 318| 14| p[3] = (uint8_t)(v >> 32); 319| 14| p[4] = (uint8_t)(v >> 24); 320| 14| p[5] = (uint8_t)(v >> 16); 321| 14| p[6] = (uint8_t)(v >> 8); 322| 14| p[7] = (uint8_t)(v >> 0); 323| 14|} quic.c:pntoh64: 303| 14|{ 304| 14| return (uint64_t)*((const uint8_t *)(p)+0)<<56| 305| 14| (uint64_t)*((const uint8_t *)(p)+1)<<48| 306| 14| (uint64_t)*((const uint8_t *)(p)+2)<<40| 307| 14| (uint64_t)*((const uint8_t *)(p)+3)<<32| 308| 14| (uint64_t)*((const uint8_t *)(p)+4)<<24| 309| 14| (uint64_t)*((const uint8_t *)(p)+5)<<16| 310| 14| (uint64_t)*((const uint8_t *)(p)+6)<<8| 311| 14| (uint64_t)*((const uint8_t *)(p)+7)<<0; 312| 14|} quic.c:is_version_with_encrypted_header: 170| 1|{ 171| 1| return is_version_quic(version) || ------------------ | Branch (171:10): [True: 0, False: 1] ------------------ 172| 1| ((version & 0xFFFFFF00) == 0x51303500) /* Q05X */ || ------------------ | Branch (172:5): [True: 0, False: 1] ------------------ 173| 1| ((version & 0xFFFFFF00) == 0x54303500) /* T05X */; ------------------ | Branch (173:5): [True: 0, False: 1] ------------------ 174| 1|} quic.c:eval_extra_processing: 1738| 1|{ 1739| 1| u_int32_t version = flow->protos.tls_quic.quic_version; 1740| | 1741| | /* For the time being we need extra processing in two cases only: 1742| | 1) to detect Snapchat calls, i.e. RTP/RTCP multiplexed with QUIC.
1743| | Two cases: 1744| | a) [old] Q046, without any SNI 1745| | b) v1 with SNI *.addlive.io 1746| | 2) to reassemble CH fragments on multiple UDP packets. 1747| | These two cases are mutually exclusive 1748| | */ 1749| | 1750| 1| if(version == V_Q046 && flow->host_server_name[0] == '\0') { ------------------ | | 60| 2|#define V_Q046 0x51303436 ------------------ | Branch (1750:6): [True: 0, False: 1] | Branch (1750:27): [True: 0, False: 0] ------------------ 1751| 0| NDPI_LOG_DBG2(ndpi_struct, "We have further work to do (old snapchat call?)\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1752| 0| return 1; 1753| 0| } 1754| | 1755| 1| if(version == V_1 && ------------------ | | 50| 2|#define V_1 0x00000001 ------------------ | Branch (1755:6): [True: 0, False: 1] ------------------ 1756| 0| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_SNAPCHAT) { ------------------ | Branch (1756:6): [True: 0, False: 0] ------------------ 1757| 0| size_t sni_len = strlen(flow->host_server_name); 1758| 0| if(sni_len > 11 && ------------------ | Branch (1758:8): [True: 0, False: 0] ------------------ 1759| 0| strcmp(flow->host_server_name + sni_len - 11, ".addlive.io") == 0) { ------------------ | Branch (1759:8): [True: 0, False: 0] ------------------ 1760| 0| NDPI_LOG_DBG2(ndpi_struct, "We have further work to do (new snapchat call?)\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1761| 0| return 1; 1762| 0| } 1763| 0| } 1764| | 1765| 1| if(is_ch_reassembler_pending(flow)) { ------------------ | Branch (1765:6): [True: 0, False: 1] ------------------ 1766| 0| NDPI_LOG_DBG2(ndpi_struct, "We have further work to do (reasm)\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1767| 0| return 1; 1768| 0| } 1769| | 1770| 1| return 0; 1771| 1|} init_radius_dissector: 77| 7.08k|{ 78| 7.08k| ndpi_register_dissector("Radius", ndpi_struct, 79| 7.08k| ndpi_search_radius, 80| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 81| 7.08k| 1, NDPI_PROTOCOL_RADIUS); 82| 7.08k|} radius_proto.c:ndpi_search_radius: 69| 4.95k|{ 70| 4.95k| NDPI_LOG_DBG(ndpi_struct, "search radius\n"); ------------------ | | 596| 4.95k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 71| | 72| 4.95k| ndpi_check_radius(ndpi_struct, flow); 73| 4.95k|} radius_proto.c:ndpi_check_radius: 40| 4.95k|{ 41| 4.95k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| | // const u_int8_t *packet_payload = packet->payload; 43| 4.95k| u_int32_t payload_len = packet->payload_packet_len; 44| | 45| 4.95k| if((packet->udp->dest == htons(RADIUS_PORT) || packet->udp->source == htons(RADIUS_PORT) || ------------------ | Branch (45:7): [True: 10, False: 4.94k] | Branch (45:50): [True: 1, False: 4.94k] ------------------ 46| 4.94k| packet->udp->dest == htons(RADIUS_PORT_ACC) || packet->udp->source == htons(RADIUS_PORT_ACC) || ------------------ | Branch (46:7): [True: 2, False: 4.94k] | Branch (46:54): [True: 0, False: 4.94k] ------------------ 47| 4.94k| packet->udp->dest == htons(RADIUS_PORT_ACC_ALTERNATIVE) || packet->udp->source == htons(RADIUS_PORT_ACC_ALTERNATIVE))) { ------------------ | Branch (47:7): [True: 0, False: 4.94k] | Branch (47:66): [True: 0, False: 4.94k] ------------------ 48| 13| struct radius_header *h = (struct radius_header*)packet->payload; 49| | /* RFC2865: The minimum length is 20 and maximum length is 4096. 
*/ 50| 13| if((payload_len < 20) || (payload_len > 4096)) { ------------------ | Branch (50:8): [True: 1, False: 12] | Branch (50:30): [True: 0, False: 12] ------------------ 51| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 1| return; 53| 1| } 54| | 55| 12| if((h->code > 0) ------------------ | Branch (55:8): [True: 11, False: 1] ------------------ 56| 11| && (h->code <= 13) ------------------ | Branch (56:11): [True: 5, False: 6] ------------------ 57| 5| && (ntohs(h->len) == payload_len)) { ------------------ | Branch (57:11): [True: 0, False: 5] ------------------ 58| 0| NDPI_LOG_INFO(ndpi_struct, "Found radius\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 60| 0| return; 61| 0| } 62| 12| } 63| 4.95k| if(flow->packet_counter > 3) ------------------ | Branch (63:6): [True: 56, False: 4.90k] ------------------ 64| 56| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 56|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 4.95k| return; 66| 4.95k|} init_radmin_dissector: 92| 7.08k|{ 93| 7.08k| ndpi_register_dissector("Radmin", ndpi_struct, 94| 7.08k| ndpi_search_radmin, 95| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 96| 7.08k| 1, NDPI_PROTOCOL_RADMIN); 97| 7.08k|} radmin.c:ndpi_search_radmin: 44| 11.6k|{ 45| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | 47| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Radmin\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) 
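{ (void)mod; /* printf(args); */ } ------------------ 48| | 49| 11.6k| if (current_pkt_from_client_to_server(ndpi_struct, flow) && packet->payload_packet_len == 10 && ------------------ | Branch (49:7): [True: 10.1k, False: 1.51k] | Branch (49:63): [True: 4, False: 10.1k] ------------------ 50| 4| !flow->l4.tcp.radmin_stage) ------------------ | Branch (50:7): [True: 4, False: 0] ------------------ 51| 4| { 52| 4| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x1000000 && ------------------ | Branch (52:9): [True: 0, False: 4] ------------------ 53| 0| packet->payload[4] == 1 && ------------------ | Branch (53:9): [True: 0, False: 0] ------------------ 54| 4| ntohs(get_u_int16_t(packet->payload, 8)) == 0x808) /* parenthesis moved so the comparison is applied to the converted value, matching the 0x2727 check at line 77; the result is unchanged because 0x0808 reads the same in either byte order */ ------------------ | Branch (54:9): [True: 0, False: 0] ------------------ 55| 0| { 56| 0| flow->l4.tcp.radmin_stage = 1; 57| 0| return; 58| 0| } 59| 4| } 60| | 61| 11.6k| if (current_pkt_from_server_to_client(ndpi_struct, flow) && packet->payload_packet_len == 46 && ------------------ | Branch (61:7): [True: 1.51k, False: 10.1k] | Branch (61:63): [True: 2, False: 1.50k] ------------------ 62| 2| flow->l4.tcp.radmin_stage) ------------------ | Branch (62:7): [True: 0, False: 2] ------------------ 63| 0| { 64| 0| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x1000000 && ------------------ | Branch (64:9): [True: 0, False: 0] ------------------ 65| 0| packet->payload[4] == 0x25 && ------------------ | Branch (65:9): [True: 0, False: 0] ------------------ 66| 0| ntohl(get_u_int32_t(packet->payload, 7)) == 0x2120802 && ------------------ | Branch (66:9): [True: 0, False: 0] ------------------ 67| 0| packet->payload[13] == 0x0A) ------------------ | Branch (67:9): [True: 0, False: 0] ------------------ 68| 0| { 69| 0| ndpi_int_radmin_add_connection(ndpi_struct, flow); 70| 0| return; 71| 0| } 72| 0| } 73| | 74| 11.6k| if (packet->payload_packet_len == 14 && ------------------ | Branch (74:7): [True: 94, False: 11.5k] ------------------ 75| 11.6k|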
ntohl(get_u_int32_t(packet->payload, 0)) == 0x1000000 && ------------------ | Branch (75:7): [True: 0, False: 94] ------------------ 76| 0| packet->payload[4] == 5 && ------------------ | Branch (76:7): [True: 0, False: 0] ------------------ 77| 11.6k| ntohs(get_u_int16_t(packet->payload, 8)) == 0x2727) ------------------ | Branch (77:7): [True: 0, False: 0] ------------------ 78| 0| { 79| 0| if (!flow->l4.tcp.radmin_stage) { ------------------ | Branch (79:9): [True: 0, False: 0] ------------------ 80| 0| flow->l4.tcp.radmin_stage = 1; 81| 0| return; 82| 0| } 83| | 84| 0| ndpi_int_radmin_add_connection(ndpi_struct, flow); 85| 0| return; 86| 0| } 87| | 88| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 89| 11.6k|} init_raft_dissector: 100| 7.08k|{ 101| 7.08k| ndpi_register_dissector("Raft", ndpi_struct, 102| 7.08k| ndpi_search_raft, 103| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 104| 7.08k| 1, NDPI_PROTOCOL_RAFT); 105| 7.08k|} raft.c:ndpi_search_raft: 56| 11.6k|{ 57| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 58| 11.6k| struct raft_header const * const raft_header = (struct raft_header *)packet->payload; 59| | 60| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search raft\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 61| | 62| 11.6k| if (packet->payload_packet_len < sizeof(*raft_header)) ------------------ | Branch (62:7): [True: 1.33k, False: 10.3k] ------------------ 63| 1.33k| { 64| 1.33k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.33k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 1.33k| return; 66| 1.33k| } 67| | 68| 10.3k| uint64_t msg_type = le64toh(raft_header->msg_type); 69| 10.3k| switch (msg_type) 70| 10.3k| { 71| 0| case RAFT_IO_APPEND_ENTRIES: ------------------ | Branch (71:5): [True: 0, False: 10.3k] ------------------ 72| 0| case RAFT_IO_APPEND_ENTRIES_RESULT: ------------------ | Branch (72:5): [True: 0, False: 10.3k] ------------------ 73| 1| case RAFT_IO_REQUEST_VOTE: ------------------ | Branch (73:5): [True: 1, False: 10.3k] ------------------ 74| 4| case RAFT_IO_REQUEST_VOTE_RESULT: ------------------ | Branch (74:5): [True: 3, False: 10.3k] ------------------ 75| 4| case RAFT_IO_INSTALL_SNAPSHOT: ------------------ | Branch (75:5): [True: 0, False: 10.3k] ------------------ 76| 4| case RAFT_IO_TIMEOUT_NOW: ------------------ | Branch (76:5): [True: 0, False: 10.3k] ------------------ 77| 4| break; 78| | 79| 10.3k| default: ------------------ | Branch (79:5): [True: 10.3k, False: 4] ------------------ 80| 10.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 81| 10.3k| return; 82| 10.3k| } 83| | 84| 4| uint64_t msg_length = le64toh(raft_header->msg_length); 85| 4| if (msg_length == packet->payload_packet_len - sizeof(*raft_header)) ------------------ | Branch (85:7): [True: 0, False: 4] ------------------ 86| 0| { 87| 0| ndpi_int_raft_add_connection(ndpi_struct, flow); 88| 0| return; 89| 0| } 90| | 
91| 4| if (flow->packet_counter < 3) ------------------ | Branch (91:7): [True: 4, False: 0] ------------------ 92| 4| { 93| 4| return; 94| 4| } 95| | 96| 0| ndpi_int_raft_add_connection(ndpi_struct, flow); 97| 0|} init_raknet_dissector: 395| 7.08k|{ 396| 7.08k| ndpi_register_dissector("RakNet", ndpi_struct, 397| 7.08k| ndpi_search_raknet, 398| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 399| 7.08k| 1, NDPI_PROTOCOL_RAKNET); 400| 7.08k|} raknet.c:ndpi_search_raknet: 89| 3.39k|{ 90| 3.39k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 91| 3.39k| u_int8_t op, ip_addr_offset, required_packets = 3; 92| | 93| 3.39k| NDPI_LOG_DBG(ndpi_struct, "search RakNet\n"); ------------------ | | 596| 3.39k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 94| | 95| | /* There are two "versions" of Raknet: 96| | * plaintext one: we need multiple packets for classification and for extracting metadata 97| | * custom/encrypted one: an extension used by Roblox games (and others?). 98| | Only the first pkt is required. 99| | The main issue is that these two versions "overlap", i.e. some plaintext flows might be wrongly 100| | identified as encrypted one (losing their metadata). 101| | Solution: check for the custom/encrypted version, cache the result and use it only if/when the 102| | standard detection ends. 103| | */ 104| 3.39k| if (flow->packet_counter == 1) ------------------ | Branch (104:7): [True: 3.37k, False: 27] ------------------ 105| 3.37k| { 106| 3.37k| flow->l4.udp.raknet_custom = is_custom_version(ndpi_struct); 107| 3.37k| } 108| | 109| 3.39k| if (packet->payload_packet_len < 7) ------------------ | Branch (109:7): [True: 128, False: 3.27k] ------------------ 110| 128| { 111| 128| exclude_proto(ndpi_struct, flow); 112| 128| return; 113| 128| } 114| | 115| 3.27k| op = packet->payload[0]; 116| | 117| 3.27k| switch (op) 118| 3.27k| { 119| 965| case 0x00: /* Connected Ping */ ------------------ | Branch (119:5): [True: 965, False: 2.30k] ------------------ 120| 965| if (packet->payload_packet_len != 8) ------------------ | Branch (120:11): [True: 963, False: 2] ------------------ 121| 963| { 122| 963| exclude_proto(ndpi_struct, flow); 123| 963| return; 124| 963| } 125| 2| required_packets = 6; 126| 2| break; 127| | 128| 308| case 0x01: /* Unconnected Ping */ ------------------ | Branch (128:5): [True: 308, False: 2.96k] ------------------ 129| 335| case 0x02: /* Unconnected Ping */ ------------------ | Branch (129:5): [True: 27, False: 3.24k] ------------------ 130| 335| if (packet->payload_packet_len != 32) ------------------ | Branch (130:11): [True: 324, False: 11] ------------------ 131| 324| { 132| 324| exclude_proto(ndpi_struct, flow); 133| 324|
return; 134| 324| } 135| 11| required_packets = 6; 136| 11| break; 137| | 138| 27| case 0x03: /* Connected Pong */ ------------------ | Branch (138:5): [True: 27, False: 3.24k] ------------------ 139| 27| if (packet->payload_packet_len != 16) ------------------ | Branch (139:11): [True: 26, False: 1] ------------------ 140| 26| { 141| 26| exclude_proto(ndpi_struct, flow); 142| 26| return; 143| 26| } 144| 1| required_packets = 6; 145| 1| break; 146| | 147| 25| case 0x05: /* Open Connection Request 1 */ ------------------ | Branch (147:5): [True: 25, False: 3.24k] ------------------ 148| 25| if (packet->payload_packet_len < 18 || ------------------ | Branch (148:11): [True: 1, False: 24] ------------------ 149| 24| packet->payload[17] > 10 /* maximum supported protocol version */) ------------------ | Branch (149:11): [True: 20, False: 4] ------------------ 150| 21| { 151| 21| exclude_proto(ndpi_struct, flow); 152| 21| return; 153| 21| } 154| 4| required_packets = 6; 155| 4| break; 156| | 157| 16| case 0x06: /* Open Connection Reply 1 */ ------------------ | Branch (157:5): [True: 16, False: 3.25k] ------------------ 158| 16| if (packet->payload_packet_len != 28 || ------------------ | Branch (158:11): [True: 15, False: 1] ------------------ 159| 1| packet->payload[25] > 0x01 /* connection uses encryption: bool -> 0x00 or 0x01 */) ------------------ | Branch (159:11): [True: 1, False: 0] ------------------ 160| 16| { 161| 16| exclude_proto(ndpi_struct, flow); 162| 16| return; 163| 16| } 164| | 165| 0| { 166| 0| u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 26)); 167| 0| if (mtu_size > 1500 /* Max. 
supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */) ------------------ | Branch (167:13): [True: 0, False: 0] ------------------ 168| 0| { 169| 0| exclude_proto(ndpi_struct, flow); 170| 0| return; 171| 0| } 172| 0| } 173| 0| required_packets = 4; 174| 0| break; 175| | 176| 3| case 0x07: /* Open Connection Request 2 */ ------------------ | Branch (176:5): [True: 3, False: 3.26k] ------------------ 177| 3| ip_addr_offset = raknet_dissect_ip(packet, 17); 178| 3| if (ip_addr_offset == 0 || ------------------ | Branch (178:11): [True: 3, False: 0] ------------------ 179| 0| !((ip_addr_offset == 16 && packet->payload_packet_len == 46) || ------------------ | Branch (179:14): [True: 0, False: 0] | Branch (179:38): [True: 0, False: 0] ------------------ 180| 0| (ip_addr_offset == 4 && packet->payload_packet_len == 34))) ------------------ | Branch (180:14): [True: 0, False: 0] | Branch (180:37): [True: 0, False: 0] ------------------ 181| 3| { 182| 3| exclude_proto(ndpi_struct, flow); 183| 3| return; 184| 3| } 185| | 186| 0| { 187| 0| u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 20 + ip_addr_offset)); 188| 0| if (mtu_size > 1500 /* Max. 
supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */) ------------------ | Branch (188:15): [True: 0, False: 0] ------------------ 189| 0| { 190| 0| exclude_proto(ndpi_struct, flow); 191| 0| return; 192| 0| } 193| 0| } 194| 0| break; 195| | 196| 7| case 0x08: /* Open Connection Reply 2 */ ------------------ | Branch (196:5): [True: 7, False: 3.26k] ------------------ 197| 7| ip_addr_offset = raknet_dissect_ip(packet, 25); 198| 7| if (ip_addr_offset == 0 || ------------------ | Branch (198:11): [True: 6, False: 1] ------------------ 199| 1| !((ip_addr_offset == 16 && packet->payload_packet_len == 47) || ------------------ | Branch (199:14): [True: 0, False: 1] | Branch (199:38): [True: 0, False: 0] ------------------ 200| 1| (ip_addr_offset == 4 && packet->payload_packet_len == 35))) ------------------ | Branch (200:14): [True: 1, False: 0] | Branch (200:37): [True: 0, False: 1] ------------------ 201| 7| { 202| 7| exclude_proto(ndpi_struct, flow); 203| 7| return; 204| 7| } 205| | 206| 0| { 207| 0| u_int16_t mtu_size = ntohs(get_u_int16_t(packet->payload, 28 + ip_addr_offset)); 208| 0| if (mtu_size > 1500 /* Max. 
supported MTU, see: http://www.jenkinssoftware.com/raknet/manual/programmingtips.html */) ------------------ | Branch (208:15): [True: 0, False: 0] ------------------ 209| 0| { 210| 0| exclude_proto(ndpi_struct, flow); 211| 0| return; 212| 0| } 213| 0| } 214| 0| break; 215| | 216| 12| case 0x10: /* Connection Request Accepted */ ------------------ | Branch (216:5): [True: 12, False: 3.25k] ------------------ 217| 15| case 0x13: /* New Incoming Connection */ ------------------ | Branch (217:5): [True: 3, False: 3.26k] ------------------ 218| 15| { 219| 15| size_t i; 220| | 221| 15| ip_addr_offset = 4 + raknet_dissect_ip(packet, 0); 222| 15| if (op == 0x10) ------------------ | Branch (222:13): [True: 12, False: 3] ------------------ 223| 12| { 224| 12| ip_addr_offset += 2; // System Index 225| 12| } 226| 165| for (i = 0; i < 10; ++i) ------------------ | Branch (226:21): [True: 150, False: 15] ------------------ 227| 150| { 228| 150| ip_addr_offset += 3 + raknet_dissect_ip(packet, ip_addr_offset); 229| 150| } 230| 15| ip_addr_offset += 16; 231| 15| if (ip_addr_offset != packet->payload_packet_len) ------------------ | Branch (231:13): [True: 15, False: 0] ------------------ 232| 15| { 233| 15| exclude_proto(ndpi_struct, flow); 234| 15| return; 235| 15| } 236| 15| } 237| 0| break; 238| | 239| | /* Check for Frame Set Packet's */ 240| 55| case 0x80: ------------------ | Branch (240:5): [True: 55, False: 3.21k] ------------------ 241| 69| case 0x81: ------------------ | Branch (241:5): [True: 14, False: 3.25k] ------------------ 242| 82| case 0x82: ------------------ | Branch (242:5): [True: 13, False: 3.25k] ------------------ 243| 83| case 0x83: ------------------ | Branch (243:5): [True: 1, False: 3.27k] ------------------ 244| 85| case 0x84: ------------------ | Branch (244:5): [True: 2, False: 3.26k] ------------------ 245| 86| case 0x85: ------------------ | Branch (245:5): [True: 1, False: 3.27k] ------------------ 246| 91| case 0x86: ------------------ | Branch 
(246:5): [True: 5, False: 3.26k] ------------------ 247| 96| case 0x87: ------------------ | Branch (247:5): [True: 5, False: 3.26k] ------------------ 248| 98| case 0x88: ------------------ | Branch (248:5): [True: 2, False: 3.26k] ------------------ 249| 99| case 0x89: ------------------ | Branch (249:5): [True: 1, False: 3.27k] ------------------ 250| 100| case 0x8a: ------------------ | Branch (250:5): [True: 1, False: 3.27k] ------------------ 251| 101| case 0x8b: ------------------ | Branch (251:5): [True: 1, False: 3.27k] ------------------ 252| 107| case 0x8c: ------------------ | Branch (252:5): [True: 6, False: 3.26k] ------------------ 253| 109| case 0x8d: ------------------ | Branch (253:5): [True: 2, False: 3.26k] ------------------ 254| 109| { 255| 109| size_t frame_offset = 4; 256| | 257| 130| do { 258| 130| u_int8_t msg_flags = get_u_int8_t(packet->payload, frame_offset); ------------------ | | 135| 130|#define get_u_int8_t(X,O) (*(u_int8_t *)((&(((u_int8_t *)X)[O])))) ------------------ 259| 130| if ((msg_flags & 0x0F) != 0) ------------------ | Branch (259:15): [True: 85, False: 45] ------------------ 260| 85| { 261| 85| exclude_proto(ndpi_struct, flow); 262| 85| return; 263| 85| } 264| | 265| 45| u_int16_t msg_size = ntohs(get_u_int16_t(packet->payload, frame_offset + 1)); 266| 45| msg_size /= 8; 267| 45| if (msg_size == 0) ------------------ | Branch (267:15): [True: 6, False: 39] ------------------ 268| 6| { 269| 6| exclude_proto(ndpi_struct, flow); 270| 6| break; 271| 6| } 272| | 273| 39| u_int8_t reliability_type = (msg_flags & 0xE0) >> 5; 274| 39| if (reliability_type >= 2 && reliability_type <= 4 /* is reliable? */) ------------------ | Branch (274:15): [True: 6, False: 33] | Branch (274:40): [True: 4, False: 2] ------------------ 275| 4| { 276| 4| frame_offset += 3; 277| 4| } 278| 39| if (reliability_type == 1 || reliability_type == 4 /* is sequenced? 
*/) ------------------ | Branch (278:15): [True: 2, False: 37] | Branch (278:40): [True: 3, False: 34] ------------------ 279| 5| { 280| 5| frame_offset += 3; 281| 5| } 282| 39| if (reliability_type == 3 || reliability_type == 7 /* is ordered? */) ------------------ | Branch (282:15): [True: 0, False: 39] | Branch (282:40): [True: 1, False: 38] ------------------ 283| 1| { 284| 1| frame_offset += 4; 285| 1| } 286| 39| if ((msg_flags & 0x10) != 0 /* is fragmented? */) ------------------ | Branch (286:15): [True: 8, False: 31] ------------------ 287| 8| { 288| 8| frame_offset += 10; 289| 8| } 290| | 291| 39| frame_offset += msg_size + 3; 292| 39| } while (frame_offset + 3 <= packet->payload_packet_len); ------------------ | Branch (292:18): [True: 21, False: 18] ------------------ 293| | 294| | /* We've dissected enough to be sure. */ 295| 24| if (frame_offset == packet->payload_packet_len) ------------------ | Branch (295:13): [True: 4, False: 20] ------------------ 296| 4| { 297| | /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */ 298| 4| if(flow->rtp_stage == 0 && flow->rtcp_stage == 0) ------------------ | Branch (298:14): [True: 2, False: 2] | Branch (298:38): [True: 1, False: 1] ------------------ 299| 1| ndpi_int_raknet_add_connection(ndpi_struct, flow); 300| 20| } else { 301| 20| exclude_proto(ndpi_struct, flow); 302| 20| } 303| 24| return; 304| 109| } 305| | 306| 5| case 0x09: /* Connection Request */ ------------------ | Branch (306:5): [True: 5, False: 3.26k] ------------------ 307| 5| if (packet->payload_packet_len != 16) ------------------ | Branch (307:11): [True: 5, False: 0] ------------------ 308| 5| { 309| 5| exclude_proto(ndpi_struct, flow); 310| 5| return; 311| 5| } 312| 0| required_packets = 6; 313| 0| break; 314| | 315| 1| case 0x15: /* Disconnect */ ------------------ | Branch (315:5): [True: 1, False: 3.27k] ------------------ 316| 1| required_packets = 8; 317| 1| break; 318| | 319| 2| case 0x19: /* 
Incompatible Protocol */ ------------------ | Branch (319:5): [True: 2, False: 3.26k] ------------------ 320| 2| if (packet->payload_packet_len != 25 || ------------------ | Branch (320:11): [True: 2, False: 0] ------------------ 321| 0| packet->payload[17] > 10) ------------------ | Branch (321:11): [True: 0, False: 0] ------------------ 322| 2| { 323| 2| exclude_proto(ndpi_struct, flow); 324| 2| return; 325| 2| } 326| 0| break; 327| | 328| 22| case 0x1c: /* Unconnected Pong */ ------------------ | Branch (328:5): [True: 22, False: 3.24k] ------------------ 329| 22| if (packet->payload_packet_len < 35) ------------------ | Branch (329:11): [True: 6, False: 16] ------------------ 330| 6| { 331| 6| exclude_proto(ndpi_struct, flow); 332| 6| return; 333| 6| } 334| | 335| 16| { 336| 16| u_int16_t motd_len = ntohs(get_u_int16_t(packet->payload, 33)); 337| | 338| 16| if (motd_len == 0 || motd_len + 35 != packet->payload_packet_len) ------------------ | Branch (338:13): [True: 1, False: 15] | Branch (338:30): [True: 15, False: 0] ------------------ 339| 16| { 340| 16| exclude_proto(ndpi_struct, flow); 341| 16| return; 342| 16| } 343| 16| } 344| 0| break; 345| | 346| 5| case 0xa0: /* NACK */ ------------------ | Branch (346:5): [True: 5, False: 3.26k] ------------------ 347| 26| case 0xc0: /* ACK */ ------------------ | Branch (347:5): [True: 21, False: 3.25k] ------------------ 348| 26| { 349| 26| u_int16_t record_count = ntohs(get_u_int16_t(packet->payload, 1)); 350| 26| size_t record_index = 0, record_offset = 3; 351| | 352| 44| do { 353| 44| if (packet->payload[record_offset] == 0x00 /* Range */) ------------------ | Branch (353:15): [True: 23, False: 21] ------------------ 354| 23| { 355| 23| record_offset += 7; 356| 23| } else if (packet->payload[record_offset] == 0x01 /* No Range */) ------------------ | Branch (356:22): [True: 10, False: 11] ------------------ 357| 10| { 358| 10| record_offset += 4; 359| 11| } else { 360| 11| exclude_proto(ndpi_struct, flow); 361| 
11| return; 362| 11| } 363| 44| } while (++record_index < record_count && ------------------ | Branch (363:18): [True: 19, False: 14] ------------------ 364| 19| record_offset + 4 <= packet->payload_packet_len); ------------------ | Branch (364:18): [True: 18, False: 1] ------------------ 365| | 366| 15| if (record_index == record_count && record_offset == packet->payload_packet_len) ------------------ | Branch (366:13): [True: 1, False: 14] | Branch (366:45): [True: 0, False: 1] ------------------ 367| 0| { 368| | /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */ 369| 0| if(flow->rtp_stage == 0 && flow->rtcp_stage == 0) ------------------ | Branch (369:14): [True: 0, False: 0] | Branch (369:38): [True: 0, False: 0] ------------------ 370| 0| ndpi_int_raknet_add_connection(ndpi_struct, flow); 371| 15| } else { 372| 15| exclude_proto(ndpi_struct, flow); 373| 15| } 374| 15| return; 375| 26| } 376| | 377| 90| case 0xfe: /* Game Packet */ ------------------ | Branch (377:5): [True: 90, False: 3.18k] ------------------ 378| 90| required_packets = 8; 379| 90| break; 380| | 381| 1.62k| default: /* Invalid RakNet packet */ ------------------ | Branch (381:5): [True: 1.62k, False: 1.64k] ------------------ 382| 1.62k| exclude_proto(ndpi_struct, flow); 383| 1.62k| return; 384| 3.27k| } 385| | 386| 109| if (flow->packet_counter < required_packets) ------------------ | Branch (386:7): [True: 109, False: 0] ------------------ 387| 109| { 388| 109| return; 389| 109| } 390| | 391| 0| ndpi_int_raknet_add_connection(ndpi_struct, flow); 392| 0|} raknet.c:is_custom_version: 51| 3.37k|{ 52| 3.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 53| 3.37k| unsigned char magic[] = { 0x00, 0xFF, 0xFF, 0x00, 0xFE, 0xFE, 0xFE, 0xFE, 54| 3.37k| 0xFD, 0xFD, 0xFD, 0xFD, 0x12, 0x34, 0x56, 0x78 }; 55| | 56| 3.37k| if (packet->payload_packet_len >= 1200) /* Full MTU packet */ ------------------ | Branch (56:7): [True: 203, False: 3.16k] 
------------------ 57| 203| { 58| | /* Offset 32 has been found only in the traces; the other ones are present 59| | also in the Raknet heuristic in Wireshark. The farthest window (offset 32, 16 bytes) ends at byte 48, inside the >= 1200 byte payload required above */ 60| 203| if (memcmp(magic, &packet->payload[1], sizeof(magic)) == 0 || ------------------ | Branch (60:9): [True: 2, False: 201] ------------------ 61| 201| memcmp(magic, &packet->payload[9], sizeof(magic)) == 0 || ------------------ | Branch (61:9): [True: 4, False: 197] ------------------ 62| 197| memcmp(magic, &packet->payload[17], sizeof(magic)) == 0 || ------------------ | Branch (62:9): [True: 0, False: 197] ------------------ 63| 197| memcmp(magic, &packet->payload[32], sizeof(magic)) == 0) ------------------ | Branch (63:9): [True: 0, False: 197] ------------------ 64| 6| { 65| 6| return 1; 66| 6| } 67| 203| } 68| 3.36k| return 0; 69| 3.37k|} raknet.c:exclude_proto: 73| 3.29k|{ 74| 3.29k| if (flow->l4.udp.raknet_custom == 1) ------------------ | Branch (74:7): [True: 6, False: 3.28k] ------------------ 75| 6| { 76| 6| NDPI_LOG_INFO(ndpi_struct, "found RakNet (custom version)\n"); ------------------ | | 595| 6|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 77| | /* Classify as Raknet or as Roblox? 78| | This pattern has been observed with Roblox games but it might be used by 79| | other protocols too.
Keep the generic classification, for the time being */ 80| 6| ndpi_int_raknet_add_connection(ndpi_struct, flow); 81| 3.28k| } else { 82| 3.28k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.28k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 83| 3.28k| } 84| 3.29k|} raknet.c:raknet_dissect_ip: 39| 175|{ 40| 175| if (offset + 1 >= packet->payload_packet_len || ------------------ | Branch (40:7): [True: 24, False: 151] ------------------ 41| 151| (packet->payload[offset] != 0x04 /* IPv4 */ && ------------------ | Branch (41:8): [True: 143, False: 8] ------------------ 42| 143| packet->payload[offset] != 0x06 /* IPv6 */)) ------------------ | Branch (42:8): [True: 142, False: 1] ------------------ 43| 166| { 44| 166| return 0; 45| 166| } 46| | 47| 9| return (packet->payload[offset] == 0x04 ? 4 : 16); ------------------ | Branch (47:11): [True: 8, False: 1] ------------------ 48| 175|} raknet.c:ndpi_int_raknet_add_connection: 30| 7|{ 31| 7| NDPI_LOG_INFO(ndpi_struct, "found RakNet\n"); ------------------ | | 595| 7|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 32| 7| ndpi_set_detected_protocol(ndpi_struct, flow, 33| 7| NDPI_PROTOCOL_RAKNET, 34| 7| NDPI_PROTOCOL_UNKNOWN, 35| 7| NDPI_CONFIDENCE_DPI); 36| 7|} init_rdp_dissector: 199| 7.08k|{ 200| 7.08k| ndpi_register_dissector("RDP", ndpi_struct, 201| 7.08k| ndpi_search_rdp, 202| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | 
------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 203| 7.08k| 1, NDPI_PROTOCOL_RDP); 204| 7.08k|} rdp.c:ndpi_search_rdp: 69| 20.6k| struct ndpi_flow_struct *flow) { 70| 20.6k| const struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 71| | 72| 20.6k| NDPI_LOG_DBG(ndpi_struct, "search RDP\n"); ------------------ | | 596| 20.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 73| | 74| 20.6k| if (packet->tcp != NULL) { ------------------ | Branch (74:7): [True: 13.5k, False: 7.07k] ------------------ 75| 13.5k| int verified = tpkt_verify_hdr(packet); 76| 13.5k| if(packet->payload_packet_len > 13 && verified && ------------------ | Branch (76:8): [True: 12.2k, False: 1.24k] | Branch (76:43): [True: 0, False: 12.2k] ------------------ 77| | /* COTP */ 78| 0| packet->payload[4] == packet->payload_packet_len - 5) { ------------------ | Branch (78:8): [True: 0, False: 0] ------------------ 79| | 80| 0| if(current_pkt_from_client_to_server(ndpi_struct, flow)) { ------------------ | Branch (80:10): [True: 0, False: 0] ------------------ 81| 0| if(packet->payload[5] == 0xE0 && /* COTP CR */ ------------------ | Branch (81:12): [True: 0, False: 0] ------------------ 82| 0| ((packet->payload[11] == 0x01 && /* RDP Negotiation Request */ ------------------ | Branch (82:7): [True: 0, False: 0] ------------------ 83| 0| packet->payload[13] == 0x08 /* RDP Length */) || ------------------ | Branch (83:14): [True: 0, False: 0] ------------------ 84| 0| (packet->payload_packet_len > 17 && ------------------ | Branch (84:7): [True: 0, False: 0] ------------------ 85| 0| memcmp(&packet->payload[11], "Cookie:", 7) == 0))) /* RDP Cookie */ { ------------------ | Branch (85:7): [True: 0, False: 0] ------------------ 86| 0| if(packet->payload_packet_len > 43) { ------------------ | Branch (86:7): [True: 0, False: 0] ------------------ 87| 0| u_int8_t 
rdp_requested_proto = packet->payload[43]; 88| | 89| | /* Check if TLS support has been requested in RDP */ 90| 0| if((rdp_requested_proto & 0x1) == 0x1) { ------------------ | Branch (90:9): [True: 0, False: 0] ------------------ 91| | /* RDP Response + Client Hello + Server hello */ 92| 0| flow->max_extra_packets_to_check = 5; 93| 0| flow->tls_quic.from_rdp = 1; 94| 0| flow->extra_packets_func = ndpi_search_tls_over_rdp; 95| 0| } 96| 0| } 97| | 98| 0| if((flow->num_processed_pkts > 4) || flow->tls_quic.from_rdp) ------------------ | Branch (98:7): [True: 0, False: 0] | Branch (98:41): [True: 0, False: 0] ------------------ 99| 0| ndpi_int_rdp_add_connection(ndpi_struct, flow); 100| 0| else 101| 0| flow->l4.tcp.rdp_protocol_detected = 1 /* this looks like RDP */; 102| 0| return; 103| 0| } 104| 0| } else { 105| | /* Asymmetric detection via RDP Negotiation Response */ 106| 0| if(packet->payload[5] == 0xD0 && /* COTP CC */ ------------------ | Branch (106:12): [True: 0, False: 0] ------------------ 107| 0| packet->payload[11] == 0x02 && /* RDP Negotiation Response */ ------------------ | Branch (107:5): [True: 0, False: 0] ------------------ 108| 0| packet->payload[13] == 0x08 /* RDP Length */) { ------------------ | Branch (108:12): [True: 0, False: 0] ------------------ 109| | 110| 0| ndpi_int_rdp_add_connection(ndpi_struct, flow); 111| 0| return; 112| 0| } 113| 0| } 114| 0| } 115| | 116| 13.5k| if( flow->l4.tcp.rdp_protocol_detected) { ------------------ | Branch (116:9): [True: 0, False: 13.5k] ------------------ 117| | /* The first message is RDP but the response is not */ 118| 0| ndpi_int_rdp_add_connection(ndpi_struct, flow); 119| | 120| 0| if(!verified) ------------------ | Branch (120:10): [True: 0, False: 0] ------------------ 121| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_PROBING_ATTEMPT, "Mismatching client/server protocol"); 122| | 123| 0| return; 124| 0| } 125| | 126| 13.5k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 
13.5k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 127| 13.5k| } else if(packet->udp != NULL) { ------------------ | Branch (127:13): [True: 7.07k, False: 0] ------------------ 128| 7.07k| u_int16_t s_port = ntohs(packet->udp->source); 129| 7.07k| u_int16_t d_port = ntohs(packet->udp->dest); 130| | 131| | /* Detection: 132| | * initial syn/syn-ack pair for RDPUDP v1 & v2 133| | * mid-flow (only v1) */ 134| | 135| 7.07k| if((packet->payload_packet_len >= 10) && ((s_port == RDP_PORT) || (d_port == RDP_PORT))) { ------------------ | | 30| 6.93k|#define RDP_PORT 3389 ------------------ if((packet->payload_packet_len >= 10) && ((s_port == RDP_PORT) || (d_port == RDP_PORT))) { ------------------ | | 30| 6.92k|#define RDP_PORT 3389 ------------------ | Branch (135:8): [True: 6.93k, False: 144] | Branch (135:47): [True: 9, False: 6.92k] | Branch (135:71): [True: 1, False: 6.92k] ------------------ 136| 10| if(s_port == RDP_PORT) { ------------------ | | 30| 10|#define RDP_PORT 3389 ------------------ | Branch (136:10): [True: 9, False: 1] ------------------ 137| | /* Server -> Client */ 138| 9| if(flow->l4.udp.rdp_from_srv_pkts == 0) { ------------------ | Branch (138:5): [True: 8, False: 1] ------------------ 139| 8| if(memcmp(packet->payload, flow->l4.udp.rdp_from_srv, 3) == 0 && ------------------ | Branch (139:7): [True: 0, False: 8] ------------------ 140| 0| packet->payload_packet_len >= 16 && ------------------ | Branch (140:7): [True: 0, False: 0] ------------------ 141| 0| (ntohs(get_u_int16_t(packet->payload, 6)) & 0x0003) && /* Flags: syn-ack */ ------------------ | Branch (141:7): [True: 0, False: 0] ------------------ 142| 8| ntohs(get_u_int16_t(packet->payload, 12)) <= 1600 && /* Sensible values for upstream MTU */ ------------------ | Branch (142:7): [True: 0, False: 0] ------------------ 143| 8| ntohs(get_u_int16_t(packet->payload, 14)) <= 1600) { /* 
Sensible values for downstream MTU */ ------------------ | Branch (143:7): [True: 0, False: 0] ------------------ 144| | /* Initial "syn-ack" */ 145| | 146| 0| ndpi_int_rdp_add_connection(ndpi_struct, flow); 147| 0| return; 148| 8| } else { 149| | /* Mid-flow session? */ 150| 8| memcpy(flow->l4.udp.rdp_from_srv, packet->payload, 3), flow->l4.udp.rdp_from_srv_pkts = 1; 151| 8| } 152| 8| } else { 153| 1| if(memcmp(flow->l4.udp.rdp_from_srv, packet->payload, 3) != 0) ------------------ | Branch (153:7): [True: 1, False: 0] ------------------ 154| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 155| 0| else { 156| 0| flow->l4.udp.rdp_from_srv_pkts = 2 /* stage 2 */; 157| | 158| 0| if(flow->l4.udp.rdp_to_srv_pkts == 2) { ------------------ | Branch (158:9): [True: 0, False: 0] ------------------ 159| 0| ndpi_int_rdp_add_connection(ndpi_struct, flow); 160| 0| return; 161| 0| } 162| 0| } 163| 1| } 164| 9| } else { 165| | /* Client -> Server */ 166| 1| if(flow->l4.udp.rdp_to_srv_pkts == 0) { ------------------ | Branch (166:5): [True: 1, False: 0] ------------------ 167| 1| if(get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF && ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (167:7): [True: 0, False: 1] ------------------ 168| 0| packet->payload_packet_len >= 16 && ------------------ | Branch (168:7): [True: 0, False: 0] ------------------ 169| 0| (ntohs(get_u_int16_t(packet->payload, 6)) & 0x0001) && /* Flags: syn */ ------------------ | Branch (169:7): [True: 0, False: 0] ------------------ 170| 1| ntohs(get_u_int16_t(packet->payload, 12)) <= 1600 && /* Sensible values for upstream MTU */ ------------------ | Branch (170:7): [True: 0, False: 0] ------------------ 171| 1| ntohs(get_u_int16_t(packet->payload, 14)) <= 1600) { 
/* Sensible values for downstream MTU */ ------------------ | Branch (171:7): [True: 0, False: 0] ------------------ 172| | /* Initial "syn" */ 173| 0| memcpy(flow->l4.udp.rdp_from_srv, packet->payload + 8, 3); 174| 1| } else { 175| | /* Mid-flow session? */ 176| 1| memcpy(flow->l4.udp.rdp_to_srv, packet->payload, 3), flow->l4.udp.rdp_to_srv_pkts = 1; 177| 1| } 178| 1| } else { 179| 0| if(memcmp(flow->l4.udp.rdp_to_srv, packet->payload, 3) != 0) ------------------ | Branch (179:7): [True: 0, False: 0] ------------------ 180| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 181| 0| else { 182| 0| flow->l4.udp.rdp_to_srv_pkts = 2 /* stage 2 */; 183| | 184| 0| if(flow->l4.udp.rdp_from_srv_pkts == 2) { ------------------ | Branch (184:9): [True: 0, False: 0] ------------------ 185| 0| ndpi_int_rdp_add_connection(ndpi_struct, flow); 186| 0| return; 187| 0| } 188| 0| } 189| 0| } 190| 1| } 191| 10| } else 192| 7.06k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 7.06k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 193| 7.07k| } 194| 20.6k|} init_resp_dissector: 73| 7.08k|{ 74| 7.08k| ndpi_register_dissector("RESP", ndpi_struct, 75| 7.08k| ndpi_search_resp, 76| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 77| 7.08k| 1, NDPI_PROTOCOL_RESP); 78| 7.08k|} resp.c:ndpi_search_resp: 36| 13.4k|{ 37| 13.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 38| | 39| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search RESP\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 40| | 41| 13.4k| if (packet->payload_packet_len < 10) ------------------ | Branch (41:7): [True: 877, False: 12.5k] ------------------ 42| 877| goto exclude; 43| | 44| 12.5k| switch(packet->payload[0]) 45| 12.5k| { 46| 22| case '*': ------------------ | Branch (46:5): [True: 22, False: 12.5k] ------------------ 47| 24| case '$': ------------------ | Branch (47:5): [True: 2, False: 12.5k] ------------------ 48| 28| case '~': ------------------ | Branch (48:5): [True: 4, False: 12.5k] ------------------ 49| 28| break; 50| 12.4k| default: ------------------ | Branch (50:5): [True: 12.4k, False: 28] ------------------ 51| 12.4k| goto exclude; 52| 12.5k| } 53| | 54| 28| u_int8_t offset = 1; 55| 35| while (offset < 4 && packet->payload[offset] != '\r') ------------------ | Branch (55:10): [True: 33, False: 2] | Branch (55:24): [True: 33, False: 0] ------------------ 56| 33| { 57| 33| if (!ndpi_isdigit(packet->payload[offset])) ------------------ | | 2526| 33|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 19, False: 14] | | | Branch (2526:42): [True: 7, False: 12] | | ------------------ ------------------ 58| 26| goto exclude; 59| 7| offset++; 60| 7| } 61| | 62| 2| if (memcmp(&packet->payload[offset], "\r\n", 2) == 0) { ------------------ | Branch (62:7): [True: 0, False: 2] ------------------ 63| 0| NDPI_LOG_INFO(ndpi_struct, "found RESP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 64| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RESP, 65| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 66| 0| } 67| | 68| 13.4k|exclude: 69| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 13.4k|} init_riotgames_dissector: 71| 7.08k|{ 72| 7.08k| ndpi_register_dissector("RiotGames", ndpi_struct, 73| 7.08k| ndpi_search_riotgames, 74| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 75| 7.08k| 1, NDPI_PROTOCOL_RIOTGAMES); 76| 7.08k|} riotgames.c:ndpi_search_riotgames: 41| 3.36k|{ 42| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.36k| NDPI_LOG_DBG(ndpi_struct, 
"searching RiotGames\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 3.36k| if (packet->payload_packet_len > 8 && ------------------ | Branch (46:7): [True: 3.22k, False: 142] ------------------ 47| 3.36k| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 8)) == 0xaaaaaaaa && ------------------ | Branch (47:7): [True: 1, False: 3.21k] ------------------ 48| 3.36k| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 4)) == 0xbbbbbbbb) ------------------ | Branch (48:7): [True: 0, False: 1] ------------------ 49| 0| { 50| 0| ndpi_int_riotgames_add_connection(ndpi_struct, flow); 51| 0| return; 52| 0| } 53| | 54| 3.36k| if (packet->payload_packet_len == 53 && ------------------ | Branch (54:7): [True: 2, False: 3.36k] ------------------ 55| 3.36k| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 4)) == 0xea23460c && ------------------ | Branch (55:7): [True: 0, False: 2] ------------------ 56| 3.36k| ntohl(get_u_int32_t(packet->payload, packet->payload_packet_len - 8)) == 0x3cb11f2d) ------------------ | Branch (56:7): [True: 0, False: 0] ------------------ 57| 0| { 58| 0| ndpi_int_riotgames_add_connection(ndpi_struct, flow); 59| 0| return; 60| 0| } 61| | 62| | /* 63| | * Please add new patterns for games made by RiotGames here 64| | */ 65| | 66| 3.36k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.36k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 3.36k| return; 68| 3.36k|} init_ripe_atlas_dissector: 63| 7.08k|{ 64| 7.08k| ndpi_register_dissector("RipeAtlas", ndpi_struct, 65| 7.08k| ndpi_search_ripe_atlas, 66| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 67| 7.08k| 1, NDPI_PROTOCOL_RIPE_ATLAS); 68| 7.08k|} ripe_atlas.c:ndpi_search_ripe_atlas: 42| 3.32k|{ 43| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| 3.32k| char const * const payload = (char const *)packet->payload; 45| 3.32k| char const needle[] = "MGLNDD"; 46| | 47| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search (Magellan) Ripe Atlas Tool\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| | 49| 3.32k| if (packet->payload_packet_len != 25) { ------------------ | Branch (49:7): [True: 3.32k, False: 3] ------------------ 50| 3.32k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.32k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 51| 3.32k| return; 52| 3.32k| } 53| | 54| 3| if (strncmp(payload, needle, NDPI_STATICSTRING_LEN(needle)) == 0) { ------------------ | | 98| 3|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (54:7): [True: 0, False: 3] ------------------ 55| 0| ndpi_int_ripe_atlas_add_connection(ndpi_struct, flow); 56| 0| return; 57| 0| } 58| | 59| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 3|} init_rmcp_dissector: 90| 7.08k|{ 91| 7.08k| ndpi_register_dissector("RMCP", ndpi_struct, 92| 7.08k| ndpi_search_rmcp, 93| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 94| 7.08k| 1, NDPI_PROTOCOL_RMCP); 95| 7.08k|} rmcp.c:ndpi_search_rmcp: 55| 3.35k|{ 56| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 57| | 58| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search RMCP\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| | 60| 3.35k| if (packet->payload_packet_len < sizeof(struct rmcp_header)) { ------------------ | Branch (60:7): [True: 121, False: 3.23k] ------------------ 61| 121| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 121|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 121| return; 63| 121| } 64| | 65| 3.23k| struct rmcp_header const * const rmcp_header = (struct rmcp_header *)packet->payload; 66| | 67| 3.23k| if (rmcp_header->version != 0x06 || rmcp_header->reserved != 0x00) { ------------------ | Branch (67:7): [True: 3.21k, False: 16] | Branch (67:39): [True: 6, False: 10] ------------------ 68| 3.22k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.22k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 69| 3.22k| return; 70| 3.22k| } 71| | 72| 10| if (rmcp_header->type != 0 && rmcp_header->sequence == 0xFF) { ------------------ | Branch (72:7): [True: 3, False: 7] | Branch (72:33): [True: 1, False: 2] ------------------ 73| | // No ACK allowed if SEQUENCE number is 255. 
74| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 1| return; 76| 1| } 77| | 78| 9| if (rmcp_header->class != 0x06 /* Alert Standard Forum (ASF)*/ ------------------ | Branch (78:7): [True: 9, False: 0] ------------------ 79| 9| && rmcp_header->class != 0x07 /* Intelligent Platform Management Interface (IPMI) */) ------------------ | Branch (79:10): [True: 9, False: 0] ------------------ 80| 9| { 81| 9| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 9|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 82| 9| return; 83| 9| } 84| | 85| 0| ndpi_int_rmcp_add_connection(ndpi_struct, flow); 86| 0|} init_roughtime_dissector: 128| 7.08k|{ 129| 7.08k| ndpi_register_dissector("Roughtime", ndpi_struct, 130| 7.08k| ndpi_search_roughtime, 131| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 132| 7.08k| 1, NDPI_PROTOCOL_ROUGHTIME); 133| 7.08k|} roughtime.c:ndpi_search_roughtime: 73| 14.9k|{ 74| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 75| | 76| 14.9k| NDPI_LOG_INFO(ndpi_struct, "search roughtime\n"); ------------------ | | 595| 14.9k|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 77| | 78| 14.9k| if (packet->payload_packet_len < 4) ------------------ | Branch (78:7): [True: 146, False: 14.8k] ------------------ 79| 146| { 80| 146| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 146|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 81| 146| return; 82| 146| } 83| | 84| 14.8k| u_int32_t number_of_tags = le32toh(get_u_int32_t(packet->payload, 0)); 85| 14.8k| size_t const minimum_length = 4 /* number of tags (N) */ + 86| 14.8k| (number_of_tags - 1) * 4 /* number of tag offsets (N-1) */ + 87| 14.8k| (number_of_tags * 4) /* tags itself (N) */; 88| 14.8k| if (number_of_tags < 1 || packet->payload_packet_len < minimum_length || ------------------ | Branch (88:7): [True: 530, False: 14.3k] | Branch (88:29): [True: 14.2k, False: 89] ------------------ 89| 89| number_of_tags > NDPI_ARRAY_LENGTH(valid_tags)) ------------------ | | 132| 89|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (89:7): [True: 36, False: 53] ------------------ 90| 14.8k| { 91| 14.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 92| 14.8k| return; 93| 14.8k| } 94| | 95| 53| if (number_of_tags > 1) { ------------------ | Branch (95:7): [True: 26, False: 27] ------------------ 96| 26| u_int32_t tag_offset = le32toh(get_u_int32_t(packet->payload, 4 + (number_of_tags - 2) * 4)); 97| 26| if (packet->payload_packet_len < 4 + (number_of_tags - 1) * 4 + tag_offset) ------------------ | Branch (97:9): [True: 25, False: 1] ------------------ 98| 25| { 99| 25| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 25|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, 
flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 100| 25| return; 101| 25| } 102| 26| } 103| | 104| 28| size_t i; 105| 28| for (i = 0; i < number_of_tags; ++i) ------------------ | Branch (105:15): [True: 28, False: 0] ------------------ 106| 28| { 107| 28| u_int32_t tag = le32toh(get_u_int32_t(packet->payload, 4 + (number_of_tags - 1) * 4 + i * 4)); 108| | 109| 28| size_t j; 110| 644| for (j = 0; j < NDPI_ARRAY_LENGTH(valid_tags); ++j) ------------------ | | 132| 644|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (110:17): [True: 616, False: 28] ------------------ 111| 616| { 112| 616| if (tag == valid_tags[j]) ------------------ | Branch (112:11): [True: 0, False: 616] ------------------ 113| 0| { 114| 0| break; 115| 0| } 116| 616| } 117| 28| if (j == NDPI_ARRAY_LENGTH(valid_tags)) ------------------ | | 132| 28|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (117:9): [True: 28, False: 0] ------------------ 118| 28| { 119| 28| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 28|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 120| 28| return; 121| 28| } 122| 28| } 123| | 124| 0| ndpi_int_roughtime_add_connection(ndpi_struct, flow); 125| 0|} init_rsh_dissector: 154| 7.08k|{ 155| 7.08k| ndpi_register_dissector("RSH", ndpi_struct, 156| 7.08k| ndpi_search_rsh, 157| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 158| 7.08k| 1, NDPI_PROTOCOL_RSH); 159| 7.08k|} rsh.c:ndpi_search_rsh: 42| 11.7k|{ 43| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| | /* Use a port based approach for midstream detection. 
*/ 46| 11.7k| if (packet->tcp->dest == RSH_DEFAULT_PORT || ------------------ | | 31| 23.4k|#define RSH_DEFAULT_PORT 514 ------------------ | Branch (46:7): [True: 13, False: 11.7k] ------------------ 47| 11.7k| packet->tcp->source == RSH_DEFAULT_PORT) ------------------ | | 31| 11.7k|#define RSH_DEFAULT_PORT 514 ------------------ | Branch (47:7): [True: 1, False: 11.7k] ------------------ 48| 14| { 49| 14| if (packet->payload[packet->payload_packet_len - 1] == '\n') ------------------ | Branch (49:9): [True: 7, False: 7] ------------------ 50| 7| { 51| 7| if (flow->packet_counter > 5) ------------------ | Branch (51:11): [True: 0, False: 7] ------------------ 52| 0| { 53| 0| ndpi_int_rsh_add_connection(ndpi_struct, flow); 54| 0| flow->protos.rsh.client_username[0] = '\0'; 55| 0| flow->protos.rsh.server_username[0] = '\0'; 56| 0| flow->protos.rsh.command[0] = '\0'; 57| 0| } 58| 7| return; 59| 7| } 60| 14| } 61| | 62| 11.7k| switch (flow->packet_counter) 63| 11.7k| { 64| 11.7k| case 1: ------------------ | Branch (64:5): [True: 11.7k, False: 2] ------------------ 65| 11.7k| if (packet->payload_packet_len >= 2 && ------------------ | Branch (65:11): [True: 11.7k, False: 4] ------------------ 66| 11.7k| packet->payload_packet_len <= 6) ------------------ | Branch (66:11): [True: 787, False: 10.9k] ------------------ 67| 787| { 68| 787| int i; 69| | 70| 802| for (i = 0; i < packet->payload_packet_len - 1; ++i) ------------------ | Branch (70:21): [True: 799, False: 3] ------------------ 71| 799| { 72| 799| if (ndpi_isdigit(packet->payload[i]) == 0) ------------------ | | 2526| 799|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | ------------------ | | | Branch (2526:27): [True: 99, False: 700] | | | Branch (2526:42): [True: 15, False: 84] | | ------------------ ------------------ | Branch (72:15): [True: 784, False: 15] ------------------ 73| 784| { 74| 784| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 784|#define 
NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 784| return; 76| 784| } 77| 799| } 78| 10.9k| } else { 79| 10.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 80| 10.9k| } 81| 10.9k| return; 82| | 83| 10.9k| case 2: ------------------ | Branch (83:5): [True: 2, False: 11.7k] ------------------ 84| 2| if (packet->payload_packet_len < 3 || ------------------ | Branch (84:11): [True: 0, False: 2] ------------------ 85| 2| packet->payload[packet->payload_packet_len - 1] != '\0') ------------------ | Branch (85:11): [True: 1, False: 1] ------------------ 86| 1| { 87| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 88| 1| return; 89| 1| } 90| | 91| 1| { 92| 1| char str[64]; 93| 1| char const * dissected_info[] = { (char const *)packet->payload, 94| 1| NULL, NULL }; 95| 1| size_t i; 96| | 97| 1| for (i = 1; i < NDPI_ARRAY_LENGTH(dissected_info); ++i) { ------------------ | | 132| 1|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (97:21): [True: 1, False: 0] ------------------ 98| 1| dissected_info[i] = memchr(dissected_info[i - 1], '\0', 99| 1| packet->payload_packet_len - 100| 1| (dissected_info[i - 1] - dissected_info[0])); 101| | 102| 1| if (dissected_info[i] == NULL || ------------------ | Branch (102:15): [True: 0, False: 1] ------------------ 103| 1| ndpi_is_printable_buffer((uint8_t const *)dissected_info[i - 1], ------------------ | Branch (103:15): [True: 1, False: 0] ------------------ 104| 1| (dissected_info[i] - dissected_info[i - 1])) == 0) 105| 1| { 106| 1| 
NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 107| 1| return; 108| 1| } 109| | 110| 0| if (dissected_info[i] - dissected_info[0] >= packet->payload_packet_len - 1) ------------------ | Branch (110:15): [True: 0, False: 0] ------------------ 111| 0| { 112| 0| if (dissected_info[NDPI_ARRAY_LENGTH(dissected_info) - 1] == NULL) ------------------ | | 132| 0|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (112:17): [True: 0, False: 0] ------------------ 113| 0| { 114| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 115| 0| return; 116| 0| } 117| 0| break; 118| 0| } 119| | 120| 0| dissected_info[i]++; 121| 0| } 122| | 123| 0| ndpi_int_rsh_add_connection(ndpi_struct, flow); 124| | 125| 0| strncpy(flow->protos.rsh.client_username, dissected_info[0], 126| 0| ndpi_min(NDPI_ARRAY_LENGTH(flow->protos.rsh.client_username), ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 127| 0| (unsigned long)(dissected_info[1] - dissected_info[0]))); 128| 0| strncpy(flow->protos.rsh.server_username, dissected_info[1], 129| 0| ndpi_min(NDPI_ARRAY_LENGTH(flow->protos.rsh.server_username), ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 130| 0| (unsigned long)(dissected_info[2] - dissected_info[1]))); 131| 0| strncpy(flow->protos.rsh.command, dissected_info[2], 132| 0| ndpi_min(NDPI_ARRAY_LENGTH(flow->protos.rsh.command), ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 133| 0| (unsigned long)packet->payload_packet_len - 134| 0| (unsigned long)(dissected_info[2] - dissected_info[0]))); 135| | 136| | 137| 0| if (snprintf(str, NDPI_ARRAY_LENGTH(str), "User '%s' executing '%s'", ------------------ | | 132| 0|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (137:13): [True: 0, False: 0] ------------------ 138| 0| flow->protos.rsh.server_username, 139| 0| flow->protos.rsh.command) < 0) 140| 0| str[0] = '\0'; 141| | 142| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, str); 143| 0| } 144| 0| return; 145| | 146| 0| default: ------------------ | Branch (146:5): [True: 0, False: 11.7k] ------------------ 147| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 148| 0| return; 149| 11.7k| } 150| 11.7k|} init_rsync_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("RSYNC", ndpi_struct, 64| 7.08k| ndpi_search_rsync, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_RSYNC); 67| 7.08k|} rsync.c:ndpi_search_rsync: 36| 25.7k|{ 37| 25.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| | 39| 25.7k| NDPI_LOG_DBG(ndpi_struct, "search RSYNC\n"); ------------------ | | 596| 25.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| | 41| 25.7k| if(packet->tcp) { ------------------ | Branch (41:6): [True: 25.7k, False: 0] ------------------ 42| 25.7k| NDPI_LOG_DBG2(ndpi_struct, "calculating RSYNC over tcp\n"); ------------------ | | 597| 25.7k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 43| | /* 44| | * Should match: memcmp(packet->payload, "@RSYNCD:", 8) == 0) 45| | */ 46| 25.7k| if (packet->payload_packet_len >= 8 && packet->payload[0] == 0x40 && ------------------ | Branch (46:9): [True: 24.3k, False: 1.37k] | Branch (46:44): [True: 28, False: 24.3k] ------------------ 47| 28| packet->payload[1] == 0x52 && packet->payload[2] == 0x53 && ------------------ | Branch (47:2): [True: 0, False: 28] | Branch (47:32): [True: 0, False: 0] ------------------ 48| 0| packet->payload[3] == 0x59 && packet->payload[4] == 0x4e && ------------------ | Branch (48:2): [True: 0, False: 0] | Branch (48:32): [True: 0, False: 0] ------------------ 49| 0| packet->payload[5] == 0x43 && packet->payload[6] == 0x44 && ------------------ | Branch (49:2): [True: 0, False: 0] | Branch (49:32): [True: 0, False: 0] ------------------ 50| 0| packet->payload[7] == 0x3a ) { ------------------ | Branch (50:2): [True: 0, False: 0] ------------------ 51| 0| NDPI_LOG_INFO(ndpi_struct, "found rsync\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_rsync_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 25.7k| } 56| 25.7k| if(flow->packet_counter > 5) ------------------ | Branch (56:6): [True: 1.39k, False: 24.3k] ------------------ 57| 1.39k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.39k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 25.7k|} init_rtmp_dissector: 95| 7.08k|{ 96| 7.08k| ndpi_register_dissector("RTMP", ndpi_struct, 97| 7.08k| ndpi_search_rtmp, 98| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 99| 7.08k| 1, NDPI_PROTOCOL_RTMP); 100| 7.08k|} rtmp.c:ndpi_search_rtmp: 87| 13.4k|{ 88| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search RTMP\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 89| | 90| 13.4k| ndpi_check_rtmp(ndpi_struct, flow); 91| 13.4k|} rtmp.c:ndpi_check_rtmp: 40| 13.4k|{ 41| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| | 43| | /* Look for the handshake, which is only at the beginning of the flow: 44| | C->S: 0x03 + 1536 bytes 45| | S->C: 0X03 + something...; we don't really check the length of the burst sent by the server, to avoid to save further state 46| | See: https://en.wikipedia.org/w/index.php?title=Real-Time_Messaging_Protocol&section=12#Handshake */ 47| | 48| 13.4k| if(!ndpi_seen_flow_beginning(flow)) { ------------------ | Branch (48:6): [True: 12.9k, False: 445] ------------------ 49| 12.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 50| 12.9k| return; 51| 12.9k| } 52| | 53| | /* TODO: should we check somehow for mid-flows? */ 54| | 55| 445| if(flow->l4.tcp.rtmp_stage == 0) { ------------------ | Branch (55:6): [True: 442, False: 3] ------------------ 56| 442| NDPI_LOG_DBG2(ndpi_struct, "RTMP stage 0: \n"); ------------------ | | 597| 442|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 57| | 58| 442| if(packet->payload[0] == 0x03) { ------------------ | Branch (58:8): [True: 4, False: 438] ------------------ 59| 4| flow->l4.tcp.rtmp_stage = packet->packet_direction + 1; 60| 4| flow->l4.tcp.rtmp_client_buffer_len = packet->payload_packet_len; 61| 4| return; 62| 4| } 63| 442| } else { 64| 3| NDPI_LOG_DBG2(ndpi_struct, "RTMP stage %u (client already sent %d bytes)\n", ------------------ | | 597| 3|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| 3| flow->l4.tcp.rtmp_stage, flow->l4.tcp.rtmp_client_buffer_len); 66| | 67| | /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ 68| 3| if(flow->l4.tcp.rtmp_stage - packet->packet_direction == 1) { ------------------ | Branch (68:8): [True: 1, False: 2] ------------------ 69| | /* From the same direction */ 70| 1| flow->l4.tcp.rtmp_client_buffer_len += packet->payload_packet_len; 71| 1| if(flow->l4.tcp.rtmp_client_buffer_len <= 1537) ------------------ | Branch (71:10): [True: 1, False: 0] ------------------ 72| 1| return; 73| 1| } 74| | 75| | /* This is a packet in another direction */ 76| 2| if(packet->payload[0] == 0x03 && flow->l4.tcp.rtmp_client_buffer_len == 1537) { ------------------ | Branch (76:8): [True: 0, False: 2] | Branch (76:38): [True: 0, False: 0] ------------------ 77| 0| NDPI_LOG_INFO(ndpi_struct, "found RTMP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 78| 0| ndpi_int_rtmp_add_connection(ndpi_struct, flow); 79| 0| return; 80| 0| } 81| 2| } 82| | 83| 440| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 440|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 84| 440|} is_valid_rtp_payload_type: 42| 386|{ 43| 386| if(!(type <= 34 || (type >= 96 && type <= 127))) ------------------ | Branch (43:8): [True: 270, False: 116] | Branch (43:23): [True: 48, False: 68] | Branch (43:37): [True: 48, False: 0] ------------------ 44| 68| return 0; 45| 318| return 1; 46| 386|} rtp_get_stream_type: 51| 101|{ 52| | /* General, from IANA */ 53| 101| switch(payloadType) { ------------------ | Branch (53:10): [True: 79, False: 22] ------------------ 54| 44| case 0: /* G.711 u-Law */ ------------------ | Branch (54:3): [True: 44, False: 57] ------------------ 55| 59| case 3: /* GSM 6.10 */ ------------------ | Branch (55:3): [True: 15, False: 86] ------------------ 56| 59| case 4: /* G.723.1 */ ------------------ | Branch (56:3): [True: 0, False: 101] ------------------ 57| 59| case 5: /* DVI4 */ ------------------ | Branch (57:3): [True: 0, False: 101] ------------------ 58| 60| case 6: /* DVI4 */ ------------------ | Branch (58:3): [True: 1, False: 100] ------------------ 59| 64| case 7: /* LPC */ ------------------ | Branch (59:3): [True: 4, False: 97] ------------------ 60| 64| case 8: /* G.711 A-Law */ ------------------ | Branch (60:3): [True: 0, False: 101] ------------------ 61| 64| case 9: /* G.722 */ ------------------ | Branch (61:3): [True: 0, False: 101] ------------------ 62| 64| case 10: /* L16 */ ------------------ | Branch (62:3): [True: 0, False: 101] ------------------ 63| 67| case 11: /* L16 */ ------------------ | Branch (63:3): [True: 3, False: 98] ------------------ 64| 67| case 12: /* QCELP */ ------------------ | Branch (64:3): [True: 0, 
False: 101] ------------------ 65| 67| case 13: /* Comfort Noise */ ------------------ | Branch (65:3): [True: 0, False: 101] ------------------ 66| 67| case 14: /* MPA */ ------------------ | Branch (66:3): [True: 0, False: 101] ------------------ 67| 68| case 15: /* G728 */ ------------------ | Branch (67:3): [True: 1, False: 100] ------------------ 68| 69| case 16: /* DVI4 */ ------------------ | Branch (68:3): [True: 1, False: 100] ------------------ 69| 69| case 17: /* DVI4 */ ------------------ | Branch (69:3): [True: 0, False: 101] ------------------ 70| 72| case 18: /* G729 */ ------------------ | Branch (70:3): [True: 3, False: 98] ------------------ 71| 72| *s_type |= ndpi_multimedia_audio_flow; 72| 72| return(1); 73| | 74| 0| case 25: /* CelB */ ------------------ | Branch (74:3): [True: 0, False: 101] ------------------ 75| 1| case 26: /* JPEG */ ------------------ | Branch (75:3): [True: 1, False: 100] ------------------ 76| 1| case 28: /* nv */ ------------------ | Branch (76:3): [True: 0, False: 101] ------------------ 77| 4| case 31: /* H261 */ ------------------ | Branch (77:3): [True: 3, False: 98] ------------------ 78| 7| case 32: /* MPV */ ------------------ | Branch (78:3): [True: 3, False: 98] ------------------ 79| 7| case 34: /* H263 */ ------------------ | Branch (79:3): [True: 0, False: 101] ------------------ 80| 7| *s_type |= ndpi_multimedia_video_flow; 81| 7| return(1); 82| 101| } 83| | 84| | /* Microsoft; from https://learn.microsoft.com/en-us/openspecs/office_protocols/ms-rtp/3b8dc3c6-34b8-4827-9b38-3b00154f471c */ 85| 22| if(sub_proto == NDPI_PROTOCOL_MSTEAMS_CALL) { ------------------ | Branch (85:6): [True: 0, False: 22] ------------------ 86| 0| switch(payloadType) { 87| 0| case 103: /* SILK Narrowband */ ------------------ | Branch (87:5): [True: 0, False: 0] ------------------ 88| 0| case 104: /* SILK Wideband */ ------------------ | Branch (88:5): [True: 0, False: 0] ------------------ 89| 0| case 106: /* OPUS */ 
------------------ | Branch (89:5): [True: 0, False: 0] ------------------ 90| 0| case 111: /* Siren */ ------------------ | Branch (90:5): [True: 0, False: 0] ------------------ 91| 0| case 112: /* G.722.1 */ ------------------ | Branch (91:5): [True: 0, False: 0] ------------------ 92| 0| case 114: /* RT Audio Wideband */ ------------------ | Branch (92:5): [True: 0, False: 0] ------------------ 93| 0| case 115: /* RT Audio Narrowband */ ------------------ | Branch (93:5): [True: 0, False: 0] ------------------ 94| 0| case 116: /* G.726 */ ------------------ | Branch (94:5): [True: 0, False: 0] ------------------ 95| 0| case 117: /* G.722 */ ------------------ | Branch (95:5): [True: 0, False: 0] ------------------ 96| 0| case 118: /* Comfort Noise Wideband */ ------------------ | Branch (96:5): [True: 0, False: 0] ------------------ 97| 0| *s_type |= ndpi_multimedia_audio_flow; 98| 0| return(1); 99| | 100| 0| case 34: /* H.263 [MS-H26XPF] */ ------------------ | Branch (100:5): [True: 0, False: 0] ------------------ 101| 0| case 121: /* RT Video */ ------------------ | Branch (101:5): [True: 0, False: 0] ------------------ 102| 0| case 122: /* H.264 [MS-H264PF] */ ------------------ | Branch (102:5): [True: 0, False: 0] ------------------ 103| 0| case 123: /* H.264 FEC [MS-H264PF] */ ------------------ | Branch (103:5): [True: 0, False: 0] ------------------ 104| 0| *s_type |= ndpi_multimedia_video_flow; 105| 0| return(1); 106| | 107| 0| default: ------------------ | Branch (107:5): [True: 0, False: 0] ------------------ 108| 0| *s_type |= ndpi_multimedia_unknown_flow; 109| 0| return(0); 110| 0| } 111| 0| } 112| | 113| | /* Dynamic PTs are... dynamic... :D 114| | * Looking at some traces, it seems specific applications keep using 115| | * always the same PT for audio/video... 116| | * TODO: something better? 
117| | * Bottom line: checking only PT is very fast/easy, but we might have 118| | * false positives/negatives 119| | */ 120| | 121| 22| if(sub_proto == NDPI_PROTOCOL_GOOGLE_CALL) { ------------------ | Branch (121:6): [True: 0, False: 22] ------------------ 122| 0| switch(payloadType) { 123| 0| case 111: ------------------ | Branch (123:5): [True: 0, False: 0] ------------------ 124| 0| *s_type |= ndpi_multimedia_audio_flow; 125| 0| return(1); 126| | 127| 0| case 96: ------------------ | Branch (127:5): [True: 0, False: 0] ------------------ 128| 0| case 100: ------------------ | Branch (128:5): [True: 0, False: 0] ------------------ 129| 0| *s_type |= ndpi_multimedia_video_flow; 130| 0| return(1); 131| | 132| 0| default: ------------------ | Branch (132:5): [True: 0, False: 0] ------------------ 133| 0| *s_type |= ndpi_multimedia_unknown_flow; 134| 0| return(0); 135| 0| } 136| 0| } 137| | 138| 22| if(sub_proto == NDPI_PROTOCOL_WHATSAPP_CALL) { ------------------ | Branch (138:6): [True: 7, False: 15] ------------------ 139| 7| switch(payloadType) { 140| 0| case 120: ------------------ | Branch (140:5): [True: 0, False: 7] ------------------ 141| 0| *s_type |= ndpi_multimedia_audio_flow; 142| 0| return(1); 143| | 144| 4| case 97: ------------------ | Branch (144:5): [True: 4, False: 3] ------------------ 145| 4| case 102: ------------------ | Branch (145:5): [True: 0, False: 7] ------------------ 146| 4| *s_type |= ndpi_multimedia_video_flow; 147| 4| return(1); 148| | 149| 3| default: ------------------ | Branch (149:5): [True: 3, False: 4] ------------------ 150| 3| *s_type |= ndpi_multimedia_unknown_flow; 151| 3| return(0); 152| 7| } 153| 7| } 154| | 155| 15| if(sub_proto == NDPI_PROTOCOL_FACEBOOK_VOIP) { ------------------ | Branch (155:6): [True: 0, False: 15] ------------------ 156| 0| switch(payloadType) { 157| 0| case 96: ------------------ | Branch (157:5): [True: 0, False: 0] ------------------ 158| 0| case 97: ------------------ | Branch (158:5): [True: 
0, False: 0] ------------------ 159| 0| case 101: ------------------ | Branch (159:5): [True: 0, False: 0] ------------------ 160| 0| case 109: ------------------ | Branch (160:5): [True: 0, False: 0] ------------------ 161| 0| *s_type |= ndpi_multimedia_audio_flow; 162| 0| return(1); 163| | 164| 0| case 127: ------------------ | Branch (164:5): [True: 0, False: 0] ------------------ 165| 0| *s_type |= ndpi_multimedia_video_flow; 166| 0| return(1); 167| | 168| 0| default: ------------------ | Branch (168:5): [True: 0, False: 0] ------------------ 169| 0| *s_type |= ndpi_multimedia_unknown_flow; 170| 0| return(0); 171| 0| } 172| 0| } 173| | 174| 15| if(sub_proto == NDPI_PROTOCOL_TELEGRAM_VOIP) { ------------------ | Branch (174:6): [True: 0, False: 15] ------------------ 175| 0| switch(payloadType) { 176| 0| case 111: ------------------ | Branch (176:5): [True: 0, False: 0] ------------------ 177| 0| *s_type |= ndpi_multimedia_audio_flow; 178| 0| return(1); 179| | 180| 0| case 106: ------------------ | Branch (180:5): [True: 0, False: 0] ------------------ 181| 0| *s_type |= ndpi_multimedia_video_flow; 182| 0| return(1); 183| | 184| 0| default: ------------------ | Branch (184:5): [True: 0, False: 0] ------------------ 185| 0| *s_type |= ndpi_multimedia_unknown_flow; 186| 0| return(0); 187| 0| } 188| 0| } 189| | 190| 15| if(sub_proto == NDPI_PROTOCOL_SIGNAL_VOIP) { ------------------ | Branch (190:6): [True: 0, False: 15] ------------------ 191| 0| switch(payloadType) { 192| 0| case 102: ------------------ | Branch (192:5): [True: 0, False: 0] ------------------ 193| 0| *s_type |= ndpi_multimedia_audio_flow; 194| 0| return(1); 195| | 196| 0| case 108: ------------------ | Branch (196:5): [True: 0, False: 0] ------------------ 197| 0| case 120: ------------------ | Branch (197:5): [True: 0, False: 0] ------------------ 198| 0| *s_type |= ndpi_multimedia_video_flow; 199| 0| return(1); 200| | 201| 0| default: ------------------ | Branch (201:5): [True: 0, False: 0] 
------------------ 202| 0| *s_type |= ndpi_multimedia_unknown_flow; 203| 0| return(0); 204| 0| } 205| 0| } 206| | 207| 15| *s_type |= ndpi_multimedia_unknown_flow; 208| 15| return(0); 209| 15|} is_rtp_or_rtcp: 221| 6.04k|{ 222| 6.04k| u_int8_t csrc_count, ext_header; 223| 6.04k| u_int16_t ext_len; 224| 6.04k| u_int32_t min_len; 225| | 226| 6.04k| if(payload_len < 2) ------------------ | Branch (226:6): [True: 4, False: 6.04k] ------------------ 227| 4| return NO_RTP_RTCP; 228| | 229| 6.04k| if((payload[0] & 0xC0) != 0x80) { /* Version 2 */ ------------------ | Branch (229:6): [True: 5.65k, False: 386] ------------------ 230| 5.65k| NDPI_LOG_DBG(ndpi_struct, "Not version 2\n"); ------------------ | | 596| 5.65k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 231| 5.65k| return NO_RTP_RTCP; 232| 5.65k| } 233| | 234| 386| if(is_valid_rtp_payload_type(payload[1] & 0x7F) && ------------------ | Branch (234:6): [True: 318, False: 68] ------------------ 235| 318| payload_len >= RTP_MIN_HEADER) { ------------------ | | 32| 318|#define RTP_MIN_HEADER 12 ------------------ | Branch (235:6): [True: 316, False: 2] ------------------ 236| | /* RTP */ 237| 316| csrc_count = payload[0] & 0x0F; 238| 316| ext_header = !!(payload[0] & 0x10); 239| 316| min_len = RTP_MIN_HEADER + 4 * csrc_count + 4 * ext_header; ------------------ | | 32| 316|#define RTP_MIN_HEADER 12 ------------------ 240| 316| if(ext_header) { ------------------ | Branch (240:8): [True: 40, False: 276] ------------------ 241| 40| if(min_len > payload_len) { ------------------ | Branch (241:10): [True: 14, False: 26] ------------------ 242| 14| NDPI_LOG_DBG(ndpi_struct, "Too short (a) %d vs %d\n", min_len, payload_len); ------------------ | | 596| 14|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 243| 14| return NO_RTP_RTCP; 244| 14| } 245| 26| ext_len = ntohs(*(unsigned short *)&payload[min_len - 2]); 246| 26| min_len += ext_len * 4; 247| 26| } 248| 302| if(min_len > payload_len) { ------------------ | Branch (248:8): [True: 39, False: 263] ------------------ 249| 39| NDPI_LOG_DBG(ndpi_struct, "Too short (b) %d vs %d\n", min_len, payload_len); ------------------ | | 596| 39|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 250| 39| return NO_RTP_RTCP; 251| 39| } 252| | /* Check on padding doesn't work because: 253| | * we may have multiple RTP packets in the same TCP/UDP datagram 254| | * with SRTP, padding_length field is encrypted */ 255| 263| if(seq) ------------------ | Branch (255:8): [True: 155, False: 108] ------------------ 256| 155| *seq = ntohs(*(unsigned short *)&payload[2]); 257| 263| return IS_RTP; 258| 302| } else if(is_valid_rtcp_payload_type(payload[1]) && ------------------ | Branch (258:13): [True: 13, False: 57] ------------------ 259| 13| payload_len >= RTCP_MIN_HEADER) { ------------------ | | 33| 13|#define RTCP_MIN_HEADER 8 ------------------ | Branch (259:13): [True: 13, False: 0] ------------------ 260| 13| min_len = (ntohs(*(unsigned short *)&payload[2]) + 1) * 4; 261| 13| if(min_len > payload_len) { ------------------ | Branch (261:8): [True: 11, False: 2] ------------------ 262| 11| NDPI_LOG_DBG(ndpi_struct, "Too short (c) %d vs %d\n", min_len, payload_len); ------------------ | | 596| 11|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 263| 11| return NO_RTP_RTCP; 264| 11| } 265| 2| return IS_RTCP; 266| 13| } 267| 57| NDPI_LOG_DBG(ndpi_struct, "not RTP/RTCP\n"); ------------------ | | 596| 57|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 268| 57| return NO_RTP_RTCP; 269| 386|} init_rtp_dissector: 547| 7.08k|void init_rtp_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 548| 7.08k| ndpi_register_dissector("RT(C)P", ndpi_struct, 549| 7.08k| ndpi_search_rtp, 550| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 551| 7.08k| 2, NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_RTCP); 552| 7.08k|} rtp.c:is_valid_rtcp_payload_type: 213| 70|static int is_valid_rtcp_payload_type(uint8_t type) { 214| 70| return (type >= 192 && type <= 213); ------------------ | Branch (214:11): [True: 29, False: 41] | Branch (214:26): [True: 13, False: 16] ------------------ 215| 70|} rtp.c:ndpi_search_rtp: 536| 21.2k|{ 537| 21.2k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 538| 21.2k| if(packet->tcp != NULL) { ------------------ | Branch (538:6): [True: 13.6k, False: 7.61k] ------------------ 539| 13.6k| ndpi_search_rtp_tcp(ndpi_struct, flow); 540| 13.6k| } else { 541| 7.61k| ndpi_search_rtp_udp(ndpi_struct, flow); 542| 7.61k| } 543| 21.2k|} rtp.c:ndpi_search_rtp_tcp: 494| 13.6k|{ 495| 13.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 496| 13.6k| const u_int8_t *payload = packet->payload; 497| | 498| 13.6k| if(packet->payload_packet_len < 4){ /* (2) len field + (2) min rtp/rtcp*/ ------------------ | Branch (498:6): [True: 25, False: 13.6k] ------------------ 499| 25| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 25|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 500| 25| return; 501| 25| } 502| | 503| 13.6k| u_int16_t len = ntohs(get_u_int16_t(payload, 0)); 504| 13.6k| if(len + sizeof(len) != packet->payload_packet_len) { /*fragmented packets are not handled*/ ------------------ | Branch (504:6): [True: 13.3k, False: 327] ------------------ 505| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 506| 13.3k| } else { 507| 327| ndpi_rtp_search(ndpi_struct, flow); 508| 327| } 509| | 
510| 13.6k|} rtp.c:ndpi_rtp_search: 392| 5.65k| struct ndpi_flow_struct *flow) { 393| 5.65k| u_int8_t is_rtp; 394| 5.65k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 395| 5.65k| const u_int8_t *payload = packet->payload; 396| 5.65k| u_int16_t payload_len = packet->payload_packet_len; 397| 5.65k| u_int16_t seq; 398| | 399| 5.65k| if(packet->payload_packet_len == 0 || packet->tcp_retransmission) ------------------ | Branch (399:6): [True: 0, False: 5.65k] | Branch (399:41): [True: 0, False: 5.65k] ------------------ 400| 0| return; 401| | 402| 5.65k| if(packet->tcp != NULL) { ------------------ | Branch (402:6): [True: 327, False: 5.33k] ------------------ 403| 327| if (payload_len < 2) { ------------------ | Branch (403:9): [True: 0, False: 327] ------------------ 404| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 405| 0| return; 406| 0| } 407| 327| payload += 2; /* Skip the length field */ 408| 327| payload_len -= 2; 409| 327| } 410| 5.65k| NDPI_LOG_DBG(ndpi_struct, "search RTP (stage %d/%d)\n", flow->rtp_stage, flow->rtcp_stage); ------------------ | | 596| 5.65k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 411| | 412| | /* * Let some "unknown" packets at the beginning: 413| | * search for 3/4 consecutive RTP/RTCP packets. 
414| | * Wait a little longer (4 vs 3 pkts) for RTCP to try to tell if there are only 415| | * RTCP packets in the flow or if RTP/RTCP are multiplexed together */ 416| | 417| 5.65k| if(flow->packet_counter > 3 && ------------------ | Branch (417:6): [True: 99, False: 5.55k] ------------------ 418| 99| flow->rtp_stage == 0 && ------------------ | Branch (418:6): [True: 75, False: 24] ------------------ 419| 75| flow->rtcp_stage == 0) { ------------------ | Branch (419:6): [True: 75, False: 0] ------------------ 420| 75| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 75|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 421| 75| return; 422| 75| } 423| | 424| 5.58k| is_rtp = is_rtp_or_rtcp(ndpi_struct, payload, payload_len, &seq); 425| | 426| 5.58k| if(is_rtp == IS_RTP) { ------------------ | Branch (426:6): [True: 155, False: 5.42k] ------------------ 427| 155| if(flow->rtp_stage == 2) { ------------------ | Branch (427:8): [True: 2, False: 153] ------------------ 428| 2| if(flow->l4_proto == IPPROTO_UDP && ------------------ | Branch (428:10): [True: 2, False: 0] ------------------ 429| 2| flow->l4.udp.line_pkts[0] >= 2 && flow->l4.udp.line_pkts[1] >= 2) { ------------------ | Branch (429:10): [True: 0, False: 2] | Branch (429:44): [True: 0, False: 0] ------------------ 430| | /* It seems that it is a LINE stuff; let its dissector to evaluate */ 431| 2| } else if(flow->l4_proto == IPPROTO_UDP && flow->l4.udp.epicgames_stage > 0) { ------------------ | Branch (431:17): [True: 2, False: 0] | Branch (431:50): [True: 0, False: 2] ------------------ 432| | /* It seems that it is a EpicGames stuff; let its dissector to evaluate */ 433| 2| } else if(flow->rtp_seq_set[packet->packet_direction] && ------------------ | Branch (433:17): [True: 2, False: 0] ------------------ 434| 2| flow->rtp_seq[packet->packet_direction] == seq) { ------------------ | Branch 
(434:17): [True: 0, False: 2] ------------------ 435| | /* Simple heuristic to avoid false positives. Tradeoff between: 436| | - consecutive RTP packets should have different sequence number 437| | - we should handle duplicated traffic */ 438| 0| NDPI_LOG_DBG(ndpi_struct, "Same seq on consecutive pkts\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 439| 0| flow->rtp_stage = 0; 440| 0| flow->rtcp_stage = 0; 441| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 442| 2| } else { 443| 2| get_rtp_info(ndpi_struct, flow, payload, payload_len); 444| 2| rtp_get_stream_type(flow->rtp[packet->packet_direction].payload_type, 445| 2| &flow->flow_multimedia_types, NDPI_PROTOCOL_UNKNOWN); 446| | 447| 2| NDPI_LOG_INFO(ndpi_struct, "Found RTP\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 448| 2| ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTP); 449| 2| } 450| 2| return; 451| 2| } 452| 153| if(flow->rtp_stage == 0) { ------------------ | Branch (452:8): [True: 146, False: 7] ------------------ 453| 146| flow->rtp_seq[packet->packet_direction] = seq; 454| 146| flow->rtp_seq_set[packet->packet_direction] = 1; 455| 146| } 456| 153| flow->rtp_stage += 1; 457| 5.42k| } else if(is_rtp == IS_RTCP && flow->rtp_stage > 0) { ------------------ | Branch (457:13): [True: 2, False: 5.42k] | Branch (457:34): [True: 0, False: 2] ------------------ 458| | /* RTCP after (some) RTP. 
Keep looking for RTP */ 459| 5.42k| } else if(is_rtp == IS_RTCP && flow->rtp_stage == 0) { ------------------ | Branch (459:13): [True: 2, False: 5.42k] | Branch (459:34): [True: 2, False: 0] ------------------ 460| 2| if(flow->rtcp_stage == 3) { ------------------ | Branch (460:8): [True: 0, False: 2] ------------------ 461| 0| NDPI_LOG_INFO(ndpi_struct, "Found RTCP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 462| 0| ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); 463| 0| return; 464| 0| } 465| 2| flow->rtcp_stage += 1; 466| 5.42k| } else { 467| 5.42k| if(flow->rtp_stage || flow->rtcp_stage) { ------------------ | Branch (467:8): [True: 52, False: 5.37k] | Branch (467:27): [True: 0, False: 5.37k] ------------------ 468| 52| u_int32_t unused; 469| 52| u_int16_t app_proto = NDPI_PROTOCOL_UNKNOWN; 470| 52| ndpi_protocol_category_t category; 471| | 472| | /* TODO: we should switch to the demultiplexing-code in stun dissector */ 473| 52| if(is_stun(ndpi_struct, flow, &app_proto, &category) != 0 && ------------------ | Branch (473:10): [True: 6, False: 46] ------------------ 474| 6| !is_dtls(packet->payload, packet->payload_packet_len, &unused)) { ------------------ | Branch (474:10): [True: 6, False: 0] ------------------ 475| 6| flow->rtp_stage = 0; 476| 6| flow->rtcp_stage = 0; 477| 6| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 6|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 478| 6| } 479| 52| } 480| 5.42k| } 481| 5.58k|} rtp.c:get_rtp_info: 276| 2| u_int16_t payload_len) { 277| 2| u_int8_t packet_direction = current_pkt_from_client_to_server(ndpi_struct, flow) ? 
0 : 1; ------------------ | Branch (277:31): [True: 2, False: 0] ------------------ 278| | 279| 2| if(flow->rtp[packet_direction].payload_detected == false) { ------------------ | Branch (279:6): [True: 2, False: 0] ------------------ 280| 2| flow->rtp[packet_direction].payload_type = payload[1] & 0x7F; 281| 2| flow->rtp[packet_direction].payload_detected = true; 282| | 283| | /* printf("********* [direction: %d] payload_type=%u\n", packet_direction, flow->protos.rtp[packet_direction].payload_type); */ 284| | 285| 2| if(((flow->rtp[packet_direction].payload_type == 126 /* Enhanced Voice Services (EVS) */) ------------------ | Branch (285:9): [True: 0, False: 2] ------------------ 286| 2| || (flow->rtp[packet_direction].payload_type == 127 /* Enhanced Voice Services (EVS) */)) ------------------ | Branch (286:12): [True: 0, False: 2] ------------------ 287| 0| && (payload_len > 12 /* RTP header */)) { ------------------ | Branch (287:11): [True: 0, False: 0] ------------------ 288| 0| const u_int8_t *evs = &payload[12]; 289| 0| u_int packet_len = payload_len - 12; 290| 0| u_int num_bits = packet_len * 8; 291| | 292| 0| flow->flow_multimedia_types = ndpi_multimedia_audio_flow; 293| | /* printf("********* %02X [bits %u]\n", evs[0], num_bits); */ 294| | 295| 0| if(num_bits == 56) { ------------------ | Branch (295:10): [True: 0, False: 0] ------------------ 296| | /* A.2.1.3 Special case for 56 bit payload size (EVS Primary or EVS AMR-WB IO SID) */ 297| | 298| 0| if((evs[0] & 0x80) == 0) ------------------ | Branch (298:12): [True: 0, False: 0] ------------------ 299| 0| flow->rtp[packet_direction].evs_subtype = evs[0] & 0xF; 300| 0| else 301| 0| flow->rtp[packet_direction].evs_subtype = evs[1] & 0xF; 302| 0| } else { 303| | 304| | /* See ndpi_rtp_payload_type2str() */ 305| 0| switch(num_bits) { 306| 0| case 48: ------------------ | Branch (306:9): [True: 0, False: 0] ------------------ 307| 0| case 136: ------------------ | Branch (307:9): [True: 0, False: 0] 
------------------ 308| 0| case 144: ------------------ | Branch (308:9): [True: 0, False: 0] ------------------ 309| 0| case 160: ------------------ | Branch (309:9): [True: 0, False: 0] ------------------ 310| 0| case 184: ------------------ | Branch (310:9): [True: 0, False: 0] ------------------ 311| 0| case 192: ------------------ | Branch (311:9): [True: 0, False: 0] ------------------ 312| 0| case 256: ------------------ | Branch (312:9): [True: 0, False: 0] ------------------ 313| 0| case 264: ------------------ | Branch (313:9): [True: 0, False: 0] ------------------ 314| 0| case 288: ------------------ | Branch (314:9): [True: 0, False: 0] ------------------ 315| 0| case 320: ------------------ | Branch (315:9): [True: 0, False: 0] ------------------ 316| 0| case 328: ------------------ | Branch (316:9): [True: 0, False: 0] ------------------ 317| 0| case 368: ------------------ | Branch (317:9): [True: 0, False: 0] ------------------ 318| 0| case 400: ------------------ | Branch (318:9): [True: 0, False: 0] ------------------ 319| 0| case 464: ------------------ | Branch (319:9): [True: 0, False: 0] ------------------ 320| 0| case 480: ------------------ | Branch (320:9): [True: 0, False: 0] ------------------ 321| 0| case 488: ------------------ | Branch (321:9): [True: 0, False: 0] ------------------ 322| 0| case 640: ------------------ | Branch (322:9): [True: 0, False: 0] ------------------ 323| 0| case 960: ------------------ | Branch (323:9): [True: 0, False: 0] ------------------ 324| 0| case 1280: ------------------ | Branch (324:9): [True: 0, False: 0] ------------------ 325| 0| case 1920: ------------------ | Branch (325:9): [True: 0, False: 0] ------------------ 326| 0| case 2560: ------------------ | Branch (326:9): [True: 0, False: 0] ------------------ 327| 0| flow->rtp[packet_direction].evs_subtype = num_bits; 328| 0| break; 329| | 330| 0| default: ------------------ | Branch (330:9): [True: 0, False: 0] ------------------ 331| 0| 
if((evs[0] >> 7) == 1) { ------------------ | Branch (331:14): [True: 0, False: 0] ------------------ 332| | /* EVS Codec Mode Request (EVS-CMR) */ 333| 0| u_int8_t d_bits = evs[0] & 0X0F; 334| | 335| 0| flow->rtp[packet_direction].evs_subtype = d_bits + 30 /* dummy offset */; 336| 0| } 337| 0| break; 338| 0| } 339| 0| } 340| 0| } 341| 2| } 342| 2| return 0; 343| 2|} rtp.c:ndpi_int_rtp_add_connection: 367| 2|{ 368| 2| ndpi_set_detected_protocol(ndpi_struct, flow, 369| 2| NDPI_PROTOCOL_UNKNOWN, proto, 370| 2| NDPI_CONFIDENCE_DPI); 371| 2| if(ndpi_struct->cfg.rtp_search_for_stun) { ------------------ | Branch (371:6): [True: 0, False: 2] ------------------ 372| | /* It makes sense to look for STUN only if we didn't capture the entire flow, 373| | from the beginning */ 374| 0| if(!(flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow))) { ------------------ | Branch (374:10): [True: 0, False: 0] | Branch (374:43): [True: 0, False: 0] ------------------ 375| 0| NDPI_LOG_DBG(ndpi_struct, "Enabling (STUN) extra dissection\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 376| 0| switch_extra_dissection_to_stun(ndpi_struct, flow, 1); 377| 0| } 378| 2| } else if(proto == NDPI_PROTOCOL_RTP) { ------------------ | Branch (378:13): [True: 2, False: 0] ------------------ 379| 2| if(!flow->extra_packets_func && ------------------ | Branch (379:8): [True: 2, False: 0] ------------------ 380| 2| keep_extra_dissection(flow) && ------------------ | Branch (380:8): [True: 2, False: 0] ------------------ 381| 2| ndpi_struct->cfg.rtp_max_packets_extra_dissection > 0) { ------------------ | Branch (381:8): [True: 2, False: 0] ------------------ 382| 2| NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 383| 2| flow->max_extra_packets_to_check = ndpi_struct->cfg.rtp_max_packets_extra_dissection; 384| 2| flow->extra_packets_func = rtp_search_again; 385| 2| } 386| 2| } 387| 2|} rtp.c:keep_extra_dissection: 347| 2|static int keep_extra_dissection(struct ndpi_flow_struct *flow) { 348| 2| return ((flow->rtp[0].payload_detected && flow->rtp[1].payload_detected) ? false :true); ------------------ | Branch (348:12): [True: 2, False: 0] | Branch (348:45): [True: 0, False: 2] ------------------ 349| 2|} rtp.c:ndpi_search_rtp_udp: 515| 7.61k|{ 516| 7.61k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 517| 7.61k| u_int16_t source = ntohs(packet->udp->source); 518| 7.61k| u_int16_t dest = ntohs(packet->udp->dest); 519| | /* 520| | * XXX: not sure if rtp/rtcp over tcp will also mix with Ethereum 521| | * for now, will not add it unitl we have a false positive. 522| | */ 523| 7.61k| if((source == 30303) || (dest == 30303 /* Avoid to mix it with Ethereum that looks alike */) ------------------ | Branch (523:6): [True: 0, False: 7.61k] | Branch (523:27): [True: 0, False: 7.61k] ------------------ 524| 7.61k| || (dest == 5355 /* LLMNR_PORT */) ------------------ | Branch (524:9): [True: 1, False: 7.61k] ------------------ 525| 7.61k| || (dest == 5353 /* MDNS_PORT */) ------------------ | Branch (525:9): [True: 707, False: 6.91k] ------------------ 526| 6.91k| || (dest == 9600 /* FINS_PORT */) ------------------ | Branch (526:9): [True: 0, False: 6.91k] ------------------ 527| 6.91k| || (dest <= 1023)){ ------------------ | Branch (527:9): [True: 1.58k, False: 5.33k] ------------------ 528| 2.28k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.28k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 529| 2.28k| return; 530| 2.28k| } 531| 5.33k| ndpi_rtp_search(ndpi_struct, flow); 532| 5.33k|} 
init_rtps_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("RTPS", ndpi_struct, 66| 7.08k| ndpi_search_rtps, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_RTPS); 69| 7.08k|} rtps.c:ndpi_search_rtps: 42| 3.35k|{ 43| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | 45| 3.35k| NDPI_LOG_DBG(ndpi_struct, "searching RTPS\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 46| | 47| 3.35k| if (packet->payload_packet_len >= 16) { ------------------ | Branch (47:7): [True: 3.17k, False: 181] ------------------ 48| 3.17k| if (((memcmp(packet->payload, "RTPS", 4) == 0) || ------------------ | Branch (48:10): [True: 1, False: 3.17k] ------------------ 49| 3.17k| (memcmp(packet->payload, "RTPX", 4) == 0)) && ------------------ | Branch (49:10): [True: 10, False: 3.16k] ------------------ 50| 11| ((packet->payload[4] == RTPS_LAST_MAJOR_VER) && ------------------ | | 37| 11|#define RTPS_LAST_MAJOR_VER 2 ------------------ | Branch (50:10): [True: 0, False: 11] ------------------ 51| 0| (packet->payload[5] <= RTPS_LAST_MINOR_VER))) ------------------ | | 38| 0|#define RTPS_LAST_MINOR_VER 5 ------------------ | Branch (51:10): [True: 0, False: 0] ------------------ 52| 0| { 53| 0| NDPI_LOG_INFO(ndpi_struct, "found RTPS\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 54| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTPS, 55| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 56| 0| return; 57| 0| } 58| 3.17k| } 59| | 60| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 3.35k|} init_rtsp_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("RTSP", ndpi_struct, 77| 7.08k| ndpi_search_rtsp_tcp_udp, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_RTSP); 80| 7.08k|} rtsp.c:ndpi_search_rtsp_tcp_udp: 44| 21.5k|{ 45| 21.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 46| | 47| 21.5k| NDPI_LOG_DBG(ndpi_struct, "search RTSP\n"); ------------------ | | 596| 21.5k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| | 49| 21.5k| if (packet->parsed_lines == 0) ------------------ | Branch (49:7): [True: 20.6k, False: 872] ------------------ 50| 20.6k| { 51| 20.6k| ndpi_parse_packet_line_info(ndpi_struct, flow); 52| 20.6k| } 53| | 54| 21.5k| if (packet->parsed_lines > 0 && ------------------ | Branch (54:7): [True: 7.28k, False: 14.2k] ------------------ 55| 7.28k| (LINE_ENDS(packet->line[0], "RTSP/1.0") != 0 || ------------------ | | 81| 7.28k| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 6.00k, False: 1.28k] | | ------------------ | | 82| 7.28k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 20, False: 5.98k] | | ------------------ | | 83| 6.00k| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 6.00k| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (55:8): [True: 20, False: 7.26k] ------------------ 56| 7.26k| LINE_STARTS(packet->line[0], "RTSP/1.0") != 0 || /* Response */ ------------------ | | 76| 7.26k| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 7.26k, False: 0] | | ------------------ | | 77| 7.26k| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 5.98k, False: 1.28k] | | ------------------ | | 78| 7.26k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 3, False: 5.98k] | | ------------------ ------------------ | Branch (56:8): [True: 3, False: 7.26k] ------------------ 57| 7.26k| LINE_ENDS(packet->accept_line, "application/x-rtsp-tunnelled") != 0 || ------------------ | | 81| 7.26k| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 
4, False: 7.26k] | | ------------------ | | 82| 7.26k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 4] | | ------------------ | | 83| 4| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 4| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (57:8): [True: 0, False: 7.26k] ------------------ 58| 7.26k| LINE_ENDS(packet->content_line, "application/x-rtsp-tunnelled") != 0 ------------------ | | 81| 7.26k| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 35, False: 7.22k] | | ------------------ | | 82| 7.26k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 35] | | ------------------ | | 83| 35| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 35| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (58:8): [True: 0, False: 7.26k] ------------------ 59| 7.28k| /* Should we also check for "rtsp://" in the packet? */)) 60| 23| { 61| 23| ndpi_int_rtsp_add_connection(ndpi_struct, flow); 62| | 63| | /* Extract some metadata HTTP-like */ 64| 23| if(packet->user_agent_line.ptr != NULL) ------------------ | Branch (64:8): [True: 10, False: 13] ------------------ 65| 10| ndpi_user_agent_set(flow, packet->user_agent_line.ptr, packet->user_agent_line.len); 66| | 67| 23| return; 68| 23| } 69| | 70| 21.5k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 21.5k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 71| 21.5k|} rtsp.c:ndpi_int_rtsp_add_connection: 35| 23|{ 36| 23| NDPI_LOG_INFO(ndpi_struct, "found RTSP\n"); ------------------ | | 595| 23|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 37| 23| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_RTSP, 38| 23| NDPI_CONFIDENCE_DPI); 39| 23|} init_rx_dissector: 216| 7.08k|{ 217| 7.08k| ndpi_register_dissector("RX", ndpi_struct, 218| 7.08k| ndpi_search_rx, 219| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 220| 7.08k| 1, NDPI_PROTOCOL_RX); 221| 7.08k|} rx.c:ndpi_search_rx: 208| 3.44k|{ 209| 3.44k| NDPI_LOG_DBG(ndpi_struct, "search RX\n"); ------------------ | | 596| 3.44k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 210| 3.44k| if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RX) { ------------------ | Branch (210:7): [True: 3.44k, False: 0] ------------------ 211| 3.44k| ndpi_check_rx(ndpi_struct, flow); 212| 3.44k| } 213| 3.44k|} rx.c:ndpi_check_rx: 82| 3.44k|{ 83| 3.44k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 84| 3.44k| u_int32_t payload_len = packet->payload_packet_len; 85| | 86| 3.44k| NDPI_LOG_DBG2(ndpi_struct, "RX: pck: %d, dir[0]: %d, dir[1]: %d\n", ------------------ | | 597| 3.44k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 87| 3.44k| flow->packet_counter, flow->packet_direction_counter[0], flow->packet_direction_counter[1]); 88| | 89| | /* Check that packet is long enough */ 90| 3.44k| if (payload_len < sizeof(struct ndpi_rx_header)) { ------------------ | Branch (90:7): [True: 411, False: 3.03k] ------------------ 91| 411| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 411|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 92| 411| return; 93| 411| } 94| | 95| 3.03k| struct ndpi_rx_header *header = (struct ndpi_rx_header*) packet->payload; 96| | 97| | /** 98| | * Useless check: a session could be detected also after it starts 99| | * and this check limit the correct detection for -d option (disable guess) 100| | * TODO - maybe to improve 101| | **/ 102| | /* Check whether the packet has counters beginning from one; the 103| | Sequence Number can be zero if the packet is just an ACK. */ 104| | /* if ((ntohl(header->sequence_number) | 1) != 1 || ntohl(header->serial_number) != 1) */ 105| | 106| | 107| | /** 108| | * Check the TYPE and FLAGS fields of an RX packet header. 
109| | * This check is necessary because we could detect an RX session already begun 110| | **/ 111| | 112| | /* TYPE field */ 113| 3.03k| if((header->type < RX_DATA) || (header->type > RX_VERS)) { ------------------ | | 52| 3.03k|#define RX_DATA 1 ------------------ if((header->type < RX_DATA) || (header->type > RX_VERS)) { ------------------ | | 64| 2.48k|#define RX_VERS 13 ------------------ | Branch (113:6): [True: 549, False: 2.48k] | Branch (113:34): [True: 1.92k, False: 557] ------------------ 114| 2.47k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.47k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 115| 2.47k| return; 116| 2.47k| } 117| | 118| | /* FLAGS fields */ 119| 557| if(header->flags == EMPTY || header->flags == LAST_PKT || ------------------ | | 67| 1.11k|#define EMPTY 0 ------------------ if(header->flags == EMPTY || header->flags == LAST_PKT || ------------------ | | 71| 933|#define LAST_PKT 4 ------------------ | Branch (119:6): [True: 181, False: 376] | Branch (119:32): [True: 1, False: 375] ------------------ 120| 375| header->flags == PLUS_0 || header->flags == PLUS_1 || ------------------ | | 70| 932|#define PLUS_0 3 ------------------ header->flags == PLUS_0 || header->flags == PLUS_1 || ------------------ | | 72| 902|#define PLUS_1 5 ------------------ | Branch (120:6): [True: 30, False: 345] | Branch (120:33): [True: 1, False: 344] ------------------ 121| 344| header->flags == PLUS_2 || header->flags == REQ_ACK || ------------------ | | 73| 901|#define PLUS_2 6 ------------------ header->flags == PLUS_2 || header->flags == REQ_ACK || ------------------ | | 69| 898|#define REQ_ACK 2 ------------------ | Branch (121:6): [True: 3, False: 341] | Branch (121:33): [True: 2, False: 339] ------------------ 122| 339| header->flags == MORE_1 || header->flags == CLIENT_INIT_1 || ------------------ | | 74| 896|#define MORE_1 9 
------------------ header->flags == MORE_1 || header->flags == CLIENT_INIT_1 || ------------------ | | 68| 880|#define CLIENT_INIT_1 1 ------------------ | Branch (122:6): [True: 16, False: 323] | Branch (122:33): [True: 196, False: 127] ------------------ 123| 432| header->flags == CLIENT_INIT_2 || header->flags == PLUS_3) { ------------------ | | 75| 684|#define CLIENT_INIT_2 33 ------------------ header->flags == CLIENT_INIT_2 || header->flags == PLUS_3) { ------------------ | | 76| 126|#define PLUS_3 34 ------------------ | Branch (123:6): [True: 1, False: 126] | Branch (123:40): [True: 1, False: 125] ------------------ 124| | 125| | /* TYPE and FLAGS combo */ 126| 432| switch(header->type) 127| 432| { 128| 224| case RX_DATA: ------------------ | | 52| 224|#define RX_DATA 1 ------------------ | Branch (128:7): [True: 224, False: 208] ------------------ 129| 224| if(header->flags == LAST_PKT || header->flags == EMPTY || ------------------ | | 71| 448|#define LAST_PKT 4 ------------------ if(header->flags == LAST_PKT || header->flags == EMPTY || ------------------ | | 67| 448|#define EMPTY 0 ------------------ | Branch (129:5): [True: 0, False: 224] | Branch (129:34): [True: 11, False: 213] ------------------ 130| 213| header->flags == PLUS_0 || header->flags == PLUS_1 || ------------------ | | 70| 437|#define PLUS_0 3 ------------------ header->flags == PLUS_0 || header->flags == PLUS_1 || ------------------ | | 72| 409|#define PLUS_1 5 ------------------ | Branch (130:5): [True: 28, False: 185] | Branch (130:32): [True: 0, False: 185] ------------------ 131| 185| header->flags == PLUS_2 || header->flags == REQ_ACK || ------------------ | | 73| 409|#define PLUS_2 6 ------------------ header->flags == PLUS_2 || header->flags == REQ_ACK || ------------------ | | 69| 409|#define REQ_ACK 2 ------------------ | Branch (131:5): [True: 0, False: 185] | Branch (131:32): [True: 0, False: 185] ------------------ 132| 185| header->flags == MORE_1) ------------------ | | 
74| 185|#define MORE_1 9 ------------------ | Branch (132:5): [True: 0, False: 185] ------------------ 133| 39| goto security; 134| | /* Fall-through */ 135| 210| case RX_ACK: ------------------ | | 53| 210|#define RX_ACK 2 ------------------ | Branch (135:7): [True: 25, False: 407] ------------------ 136| 210| if(header->flags == CLIENT_INIT_1 || header->flags == CLIENT_INIT_2 || ------------------ | | 68| 420|#define CLIENT_INIT_1 1 ------------------ if(header->flags == CLIENT_INIT_1 || header->flags == CLIENT_INIT_2 || ------------------ | | 75| 232|#define CLIENT_INIT_2 33 ------------------ | Branch (136:5): [True: 188, False: 22] | Branch (136:39): [True: 0, False: 22] ------------------ 137| 22| header->flags == EMPTY || header->flags == PLUS_3) ------------------ | | 67| 232|#define EMPTY 0 ------------------ header->flags == EMPTY || header->flags == PLUS_3) ------------------ | | 76| 4|#define PLUS_3 34 ------------------ | Branch (137:5): [True: 18, False: 4] | Branch (137:31): [True: 0, False: 4] ------------------ 138| 206| goto security; 139| | /* Fall-through */ 140| 23| case RX_CHALLENGE: ------------------ | | 57| 23|#define RX_CHALLENGE 6 ------------------ | Branch (140:7): [True: 19, False: 413] ------------------ 141| 23| if(header->flags == EMPTY || header->call_number == 0) ------------------ | | 67| 46|#define EMPTY 0 ------------------ | Branch (141:5): [True: 12, False: 11] | Branch (141:31): [True: 3, False: 8] ------------------ 142| 15| goto security; 143| | /* Fall-through */ 144| 9| case RX_RESPONSE: ------------------ | | 58| 9|#define RX_RESPONSE 7 ------------------ | Branch (144:7): [True: 1, False: 431] ------------------ 145| 9| if(header->flags == EMPTY || header->call_number == 0) ------------------ | | 67| 18|#define EMPTY 0 ------------------ | Branch (145:5): [True: 1, False: 8] | Branch (145:31): [True: 0, False: 8] ------------------ 146| 1| goto security; 147| | /* Fall-through */ 148| 12| case RX_ACKALL: 
------------------ | | 56| 12|#define RX_ACKALL 5 ------------------ | Branch (148:7): [True: 4, False: 428] ------------------ 149| 12| if(header->flags == EMPTY) ------------------ | | 67| 12|#define EMPTY 0 ------------------ | Branch (149:5): [True: 3, False: 9] ------------------ 150| 3| goto security; 151| | /* Fall-through */ 152| 24| case RX_BUSY: ------------------ | | 54| 24|#define RX_BUSY 3 ------------------ | Branch (152:7): [True: 15, False: 417] ------------------ 153| 24| goto security; 154| 4| case RX_ABORT: ------------------ | | 55| 4|#define RX_ABORT 4 ------------------ | Branch (154:7): [True: 4, False: 428] ------------------ 155| 4| goto security; 156| 9| case RX_DEBUG: ------------------ | | 59| 9|#define RX_DEBUG 8 ------------------ | Branch (156:7): [True: 9, False: 423] ------------------ 157| 9| goto security; 158| 18| case RX_PARAM_1: ------------------ | | 60| 18|#define RX_PARAM_1 9 ------------------ | Branch (158:7): [True: 18, False: 414] ------------------ 159| 18| goto security; 160| 25| case RX_PARAM_2: ------------------ | | 61| 25|#define RX_PARAM_2 10 ------------------ | Branch (160:7): [True: 25, False: 407] ------------------ 161| 25| goto security; 162| 84| case RX_PARAM_3: ------------------ | | 62| 84|#define RX_PARAM_3 11 ------------------ | Branch (162:7): [True: 84, False: 348] ------------------ 163| 84| goto security; 164| 3| case RX_VERS: ------------------ | | 64| 3|#define RX_VERS 13 ------------------ | Branch (164:7): [True: 3, False: 429] ------------------ 165| 3| goto security; 166| 1| default: ------------------ | Branch (166:7): [True: 1, False: 431] ------------------ 167| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 168| 1| return; 169| 432| } // switch 170| 432| } else { // FLAG 171| 125| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, 
flow); ------------------ | | 91| 125|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 172| 125| return; 173| 125| } 174| | 175| 431| security: 176| | /* SECURITY field */ 177| 431| if(header->security > 3) ------------------ | Branch (177:6): [True: 255, False: 176] ------------------ 178| 255| { 179| 255| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 255|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 180| 255| return; 181| 255| } 182| | 183| | /* If we have already seen one packet in the other direction, then 184| | the two must have matching connection numbers. Otherwise store 185| | them. */ 186| 176| if(flow->packet_direction_counter[!packet->packet_direction] != 0) ------------------ | Branch (186:6): [True: 0, False: 176] ------------------ 187| 0| { 188| 0| if (flow->l4.udp.rx_conn_epoch == header->conn_epoch && ------------------ | Branch (188:9): [True: 0, False: 0] ------------------ 189| 0| flow->l4.udp.rx_conn_id == header->conn_id) ------------------ | Branch (189:2): [True: 0, False: 0] ------------------ 190| 0| { 191| 0| NDPI_LOG_INFO(ndpi_struct, "found RX\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 192| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 193| 0| } 194| | /* https://www.central.org/frameless/numbers/rxservice.html. 
*/ 195| 0| else 196| 0| { 197| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 198| 0| return; 199| 0| } 200| 176| } else { 201| 176| flow->l4.udp.rx_conn_epoch = header->conn_epoch; 202| 176| flow->l4.udp.rx_conn_id = header->conn_id; 203| 176| } 204| 176|} init_s7comm_dissector: 236| 7.08k|{ 237| 7.08k| ndpi_register_dissector("S7Comm", ndpi_struct, 238| 7.08k| ndpi_search_s7comm, 239| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 240| 7.08k| 1, NDPI_PROTOCOL_S7COMM); 241| 7.08k|} s7comm.c:ndpi_search_s7comm: 186| 11.8k|{ 187| 11.8k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 188| 11.8k| u_int8_t s7comm_offset = 7; /* TPKT(4) + COTP(3) = offset 7 for S7Comm header */ 189| | 190| 11.8k| NDPI_LOG_DBG(ndpi_struct, "search S7comm\n"); ------------------ | | 596| 11.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 191| | 192| | /* Initial detection */ 193| 11.8k| if (tpkt_verify_hdr(packet) && (packet->payload_packet_len > 17) && ------------------ | Branch (193:7): [True: 0, False: 11.8k] | Branch (193:34): [True: 0, False: 0] ------------------ 194| 0| ((packet->tcp->source == htons(TPKT_PORT)) || ------------------ | Branch (194:8): [True: 0, False: 0] ------------------ 195| 0| (packet->tcp->dest == htons(TPKT_PORT)))) ------------------ | Branch (195:8): [True: 0, False: 0] ------------------ 196| 0| { 197| 0| if (packet->payload[s7comm_offset] == S7COMM_PLUS_MAGIC_BYTE) { ------------------ | | 34| 0|#define S7COMM_PLUS_MAGIC_BYTE 0x72 ------------------ | Branch (197:9): [True: 0, False: 0] ------------------ 198| 0| const u_int16_t trail_byte_offset = packet->payload_packet_len - 4; 199| 0| if (packet->payload[trail_byte_offset] == S7COMM_PLUS_MAGIC_BYTE) { ------------------ | | 34| 0|#define S7COMM_PLUS_MAGIC_BYTE 0x72 ------------------ | Branch (199:11): [True: 0, False: 0] ------------------ 200| 0| NDPI_LOG_INFO(ndpi_struct, "found S7CommPlus\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 201| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM_PLUS, 202| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 203| | /* TODO: monitoring? */ 204| 0| return; 205| 0| } 206| 0| } else if (packet->payload[s7comm_offset] == S7COMM_MAGIC_BYTE) { ------------------ | | 33| 0|#define S7COMM_MAGIC_BYTE 0x32 ------------------ | Branch (206:16): [True: 0, False: 0] ------------------ 207| 0| if (((packet->payload[s7comm_offset + 1] <= 0x03) || (packet->payload[s7comm_offset + 1] == 0x07)) && ------------------ | Branch (207:12): [True: 0, False: 0] | Branch (207:60): [True: 0, False: 0] ------------------ 208| 0| (get_u_int16_t(packet->payload, s7comm_offset + 2) == 0)) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (208:11): [True: 0, False: 0] ------------------ 209| 0| { 210| 0| NDPI_LOG_INFO(ndpi_struct, "found S7Comm\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 211| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_S7COMM, 212| 0| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 213| | 214| 0| if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_S7COMM)) { ------------------ | Branch (214:12): [True: 0, False: 0] ------------------ 215| | /* Parse this first message for statistics. 216| | * It makes sense only in monitoring */ 217| 0| ndpi_parse_s7comm_message(ndpi_struct, flow, 218| 0| &packet->payload[s7comm_offset], 219| 0| packet->payload_packet_len - s7comm_offset); 220| | 221| 0| NDPI_LOG_DBG(ndpi_struct, "Enabled monitoring\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 222| 0| flow->state = NDPI_STATE_MONITORING; 223| | /* No extra dissection, we move directly to monitor state */ 224| 0| flow->extra_packets_func = ndpi_search_s7comm_again; 225| 0| } 226| 0| return; 227| 0| } 228| 0| } 229| 0| return; 230| 0| } 231| | 232| 11.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 233| 11.8k|} init_samsung_sdp_dissector: 59| 7.08k|{ 60| 7.08k| ndpi_register_dissector("SamsungSDP", ndpi_struct, 61| 7.08k| ndpi_search_samsung_sdp, 62| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 63| 7.08k| 1, NDPI_PROTOCOL_SAMSUNG_SDP); 64| 7.08k|} samsung_sdp.c:ndpi_search_samsung_sdp: 40| 3.32k|{ 41| 3.32k| struct 
ndpi_packet_struct * const packet = &ndpi_struct->packet; 42| | 43| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search Samsung Service Discovery Protocol\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 3.32k| if (packet->payload_packet_len < NDPI_STATICSTRING_LEN("SEARCH BSDP/")) { ------------------ | | 98| 3.32k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (45:7): [True: 148, False: 3.17k] ------------------ 46| 148| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 148|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 47| 148| return; 48| 148| } 49| | 50| 3.17k| if (memcmp(packet->payload, "SEARCH BSDP/", NDPI_STATICSTRING_LEN("SEARCH BSDP/")) != 0) { ------------------ | | 98| 3.17k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (50:7): [True: 3.17k, False: 4] ------------------ 51| 3.17k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.17k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 3.17k| return; 53| 3.17k| } 54| | 55| 4| ndpi_int_samsung_sdp_add_connection(ndpi_struct, flow); 56| 4|} samsung_sdp.c:ndpi_int_samsung_sdp_add_connection: 30| 4|{ 31| 4| NDPI_LOG_INFO(ndpi_struct, "found Samsung Service Discovery Protocol\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 32| 4| ndpi_set_detected_protocol(ndpi_struct, flow, 33| 4| NDPI_PROTOCOL_SAMSUNG_SDP, 34| 4| NDPI_PROTOCOL_UNKNOWN, 35| 4| NDPI_CONFIDENCE_DPI); 36| 4|} init_sd_rtn_dissector: 87| 7.08k|{ 88| 7.08k| ndpi_register_dissector("SD-RTN", ndpi_struct, 89| 7.08k| ndpi_search_sd_rtn, 90| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 91| 7.08k| 1, NDPI_PROTOCOL_SD_RTN); 92| 7.08k|} sd_rtn.c:ndpi_search_sd_rtn: 61| 3.37k|{ 62| 3.37k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 63| | 64| 3.37k| NDPI_LOG_DBG(ndpi_struct, "search Software Defined Real-time Network (SD-RTN)\n"); ------------------ | | 596| 3.37k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 65| | 66| 3.37k| if (packet->udp != NULL) ------------------ | Branch (66:7): [True: 3.37k, False: 0] ------------------ 67| 3.37k| { 68| 3.37k| if (packet->payload_packet_len >= 20 ------------------ | Branch (68:9): [True: 3.14k, False: 225] ------------------ 69| 3.14k| && packet->payload[6] == 0x21 ------------------ | Branch (69:12): [True: 52, False: 3.09k] ------------------ 70| 3.37k| && ntohl(get_u_int32_t(packet->payload, 12)) == 0x04534e49 /* "\x04SNI" */) ------------------ | Branch (70:12): [True: 0, False: 52] ------------------ 71| 0| { 72| 0| int ret = ndpi_int_sd_rtn_dissect_sni(flow, packet->payload, 73| 0| packet->payload_packet_len); 74| | 75| 0| if (ret == 0) ------------------ | Branch (75:11): [True: 0, False: 0] ------------------ 76| 0| { 77| 0| ndpi_int_sd_rtn_add_connection(ndpi_struct, flow); 78| 0| return; 79| 0| } 80| 0| } 81| 3.37k| } 82| | 83| 3.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 84| 3.37k|} init_sflow_dissector: 59| 7.08k|{ 60| 7.08k| ndpi_register_dissector("sFlow", ndpi_struct, 61| 7.08k| ndpi_search_sflow, 62| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 63| 7.08k| 1, NDPI_PROTOCOL_SFLOW); 64| 7.08k|} sflow.c:ndpi_search_sflow: 29| 4.37k|{ 30| 4.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 31| | // const u_int8_t *packet_payload = packet->payload; 32| 4.37k| u_int32_t payload_len = packet->payload_packet_len; 33| | 34| 4.37k| NDPI_LOG_DBG(ndpi_struct, "search sflow\n"); ------------------ | | 596| 4.37k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 35| | 36| 4.37k| if((packet->udp != NULL) ------------------ | Branch (36:6): [True: 4.37k, False: 0] ------------------ 37| 4.37k| && (payload_len >= 24) ------------------ | Branch (37:9): [True: 4.05k, False: 325] ------------------ 38| | /* Version */ 39| 4.37k| && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00000005 ------------------ | Branch (39:9): [True: 2, False: 4.05k] ------------------ 40| | /* Agent Address type: IPv4 / IPv6 */ 41| 2| && (ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000001 || ------------------ | Branch (41:10): [True: 0, False: 2] ------------------ 42| 2| ntohl(get_u_int32_t(packet->payload, 4)) == 0x00000002)) { ------------------ | Branch (42:10): [True: 0, False: 2] ------------------ 43| 0| NDPI_LOG_INFO(ndpi_struct, "found (probably) sflow\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| 0| if (flow->packet_counter >= 2) ------------------ | Branch (44:9): [True: 0, False: 0] ------------------ 45| 0| { 46| 0| NDPI_LOG_INFO(ndpi_struct, "found sflow\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| 0| ndpi_set_detected_protocol(ndpi_struct, flow, 48| 0| NDPI_PROTOCOL_SFLOW, 49| 0| NDPI_PROTOCOL_UNKNOWN, 50| 0| NDPI_CONFIDENCE_DPI); 51| 0| } 52| 0| return; 53| 0| } 54| | 55| 4.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 4.37k|} init_sip_dissector: 276| 7.08k|void init_sip_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 277| 7.08k| ndpi_register_dissector("SIP", ndpi_struct, 278| 7.08k| ndpi_search_sip, 279| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ 
| | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 280| 7.08k| 1, NDPI_PROTOCOL_SIP); 281| 7.08k|} sip.c:ndpi_search_sip: 231| 29.3k|static void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 232| 29.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 233| 29.3k| const u_int8_t *packet_payload = packet->payload; 234| 29.3k| u_int32_t payload_len = packet->payload_packet_len; 235| | 236| 29.3k| NDPI_LOG_DBG(ndpi_struct, "Searching for SIP\n"); ------------------ | | 596| 29.3k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 237| | 238| 29.3k| if(flow->packet_counter >= 8) { ------------------ | Branch (238:6): [True: 584, False: 28.7k] ------------------ 239| 584| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 584|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 240| 584| return; 241| 584| } 242| | 243| 28.7k| if(payload_len > 4) { ------------------ | Branch (243:6): [True: 27.3k, False: 1.41k] ------------------ 244| | /* search for STUN Turn ChannelData Prefix */ 245| 27.3k| u_int16_t message_len = ntohs(get_u_int16_t(packet->payload, 2)); 246| | 247| 27.3k| if(payload_len - 4 == message_len) { ------------------ | Branch (247:8): [True: 70, False: 27.2k] ------------------ 248| 70| NDPI_LOG_DBG2(ndpi_struct, "found STUN TURN ChannelData prefix\n"); ------------------ | | 597| 70|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 249| 70| payload_len -= 4; 250| 70| packet_payload += 4; 251| 70| } 252| | 253| 27.3k| if(!isprint(packet_payload[0])) { ------------------ | Branch (253:8): [True: 10.3k, False: 16.9k] ------------------ 254| 10.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 255| 10.3k| return; 256| 10.3k| } 257| 27.3k| } 258| | 259| 18.3k| if(payload_len == 5 && memcmp(packet_payload, "hello", 5) == 0) { ------------------ | Branch (259:6): [True: 15, False: 18.3k] | Branch (259:26): [True: 0, False: 15] ------------------ 260| 0| NDPI_LOG_INFO(ndpi_struct, "found sip via HELLO (kind of ping)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 261| 0| ndpi_int_sip_add_connection(ndpi_struct, flow); 262| 0| return; 263| 0| } 264| | 265| 18.3k| if(payload_len >= 30) { /* Arbitrary value: SIP packets are quite big */ ------------------ | Branch (265:6): [True: 9.47k, False: 8.90k] ------------------ 266| 9.47k| if(search_cmd(ndpi_struct) == 1) { ------------------ | Branch (266:8): [True: 37, False: 9.43k] ------------------ 267| 37| NDPI_LOG_INFO(ndpi_struct, "found sip command\n"); ------------------ | | 595| 37|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 268| 37| ndpi_int_sip_add_connection(ndpi_struct, flow); 269| 37| return; 270| 37| } 271| 9.47k| } 272| 18.3k|} sip.c:ndpi_int_sip_add_connection: 35| 37| struct ndpi_flow_struct *flow) { 36| 37| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SIP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 37| | 38| 37| search_metadata(ndpi_struct, flow); 39| 37|} sip.c:search_metadata: 173| 37|{ 174| 37| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 175| 37| u_int16_t a; 176| 37| int str_len, imsi_len; 177| 37| char *str, *imsi; 178| | 179| 37| if(!metadata_enabled(ndpi_struct)) ------------------ | Branch (179:6): [True: 0, False: 37] ------------------ 180| 0| return; 181| | 182| 37| NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); ------------------ | | 521| 37| if (packet->packet_lines_parsed_complete != 1) { \ | | ------------------ | | | Branch (521:29): [True: 1, False: 36] | | ------------------ | | 522| 1| ndpi_parse_packet_line_info(ndpi_struct,flow); \ | | 523| 1| } ------------------ 183| | 184| 523| for(a = 0; a < packet->parsed_lines; a++) { ------------------ | Branch (184:14): [True: 486, False: 37] ------------------ 185| | /* From */ 186| 486| if(ndpi_struct->cfg.sip_attribute_from_enabled && ------------------ | Branch (186:8): [True: 486, False: 0] ------------------ 187| 486| flow->protos.sip.from == NULL && 
------------------ | Branch (187:8): [True: 463, False: 23] ------------------ 188| 463| packet->line[a].len >= 5 && ------------------ | Branch (188:8): [True: 225, False: 238] ------------------ 189| 225| memcmp(packet->line[a].ptr, "From:", 5) == 0) { ------------------ | Branch (189:8): [True: 13, False: 212] ------------------ 190| 13| str_len = packet->line[a].len - 5; 191| 13| str = ndpi_strip_leading_trailing_spaces((char *)packet->line[a].ptr + 5, &str_len); 192| 13| if(str) { ------------------ | Branch (192:10): [True: 12, False: 1] ------------------ 193| 12| NDPI_LOG_DBG2(ndpi_struct, "Found From: %.*s\n", str_len, str); ------------------ | | 597| 12|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 194| 12| flow->protos.sip.from = ndpi_strndup(str, str_len); 195| 12| if(ndpi_struct->cfg.sip_attribute_from_imsi_enabled && ------------------ | Branch (195:12): [True: 12, False: 0] ------------------ 196| 12| flow->protos.sip.from) { ------------------ | Branch (196:12): [True: 11, False: 1] ------------------ 197| 11| imsi = get_imsi(flow->protos.sip.from, &imsi_len); 198| 11| if(imsi) { ------------------ | Branch (198:14): [True: 0, False: 11] ------------------ 199| 0| NDPI_LOG_DBG2(ndpi_struct, "Found From IMSI: %.*s\n", imsi_len, imsi); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 200| 0| memcpy(flow->protos.sip.from_imsi, imsi, imsi_len); 201| 0| } 202| 11| } 203| 12| } 204| 13| } 205| | 206| | /* To */ 207| 486| if(ndpi_struct->cfg.sip_attribute_to_enabled && ------------------ | Branch (207:8): [True: 486, False: 0] ------------------ 208| 486| flow->protos.sip.to == NULL && ------------------ | Branch (208:8): [True: 330, False: 156] ------------------ 209| 330| packet->line[a].len >= 3 && ------------------ | Branch (209:8): [True: 175, False: 155] ------------------ 210| 175| memcmp(packet->line[a].ptr, "To:", 3) == 0) { ------------------ | Branch (210:8): [True: 16, False: 159] ------------------ 211| 16| str_len = packet->line[a].len - 3; 212| 16| str = ndpi_strip_leading_trailing_spaces((char *)packet->line[a].ptr + 3, &str_len); 213| 16| if(str) { ------------------ | Branch (213:10): [True: 15, False: 1] ------------------ 214| 15| NDPI_LOG_DBG2(ndpi_struct, "Found To: %.*s\n", str_len, str); ------------------ | | 597| 15|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 215| 15| flow->protos.sip.to = ndpi_strndup(str, str_len); 216| 15| if(ndpi_struct->cfg.sip_attribute_to_imsi_enabled && ------------------ | Branch (216:12): [True: 15, False: 0] ------------------ 217| 15| flow->protos.sip.to) { ------------------ | Branch (217:12): [True: 14, False: 1] ------------------ 218| 14| imsi = get_imsi(flow->protos.sip.to, &imsi_len); 219| 14| if(imsi) { ------------------ | Branch (219:14): [True: 0, False: 14] ------------------ 220| 0| NDPI_LOG_DBG2(ndpi_struct, "Found To IMSI: %.*s\n", imsi_len, imsi); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 221| 0| memcpy(flow->protos.sip.to_imsi, imsi, imsi_len); 222| 0| } 223| 14| } 224| 15| } 225| 16| } 226| 486| } 227| 37|} sip.c:metadata_enabled: 162| 37|{ 163| | /* At least one */ 164| 37| return ndpi_struct->cfg.sip_attribute_from_enabled || ------------------ | Branch (164:10): [True: 37, False: 0] ------------------ 165| 0| ndpi_struct->cfg.sip_attribute_from_imsi_enabled || ------------------ | Branch (165:10): [True: 0, False: 0] ------------------ 166| 0| ndpi_struct->cfg.sip_attribute_to_enabled || ------------------ | Branch (166:10): [True: 0, False: 0] ------------------ 167| 0| ndpi_struct->cfg.sip_attribute_to_imsi_enabled; ------------------ | Branch (167:10): [True: 0, False: 0] ------------------ 168| 37|} sip.c:get_imsi: 138| 25|{ 139| 25| char *s, *e, *c; 140| | 141| | /* Format: ;tag=YpUNxYCzz0dMHM */ 142| | 143| 25| s = ndpi_strnstr(str, "packet; 46| 9.47k| const u_int8_t *packet_payload = packet->payload; 47| 9.47k| u_int32_t payload_len = packet->payload_packet_len; 48| 9.47k| const char **cs; 49| 9.47k| size_t length; 50| 9.47k| const char *cmds_a[] = { "Ack sip", 51| 9.47k| "Ack tel", 52| 9.47k| NULL }; 53| 9.47k| const char *cmds_b[] = { "Bye sip", 54| 9.47k| NULL}; 55| 9.47k| const char *cmds_c[] = { "Cancel sip", 56| 9.47k| "Cancel tel", 57| 9.47k| NULL}; 58| 9.47k| const char *cmds_i[] = { "Invite sip", 59| 9.47k| "Info sip", 60| 9.47k| NULL}; 61| 9.47k| const char *cmds_m[] = { "Message sip", 62| 9.47k| NULL}; 63| 9.47k| const char *cmds_n[] = { "Notify sip", 64| 9.47k| NULL}; 65| 9.47k| const char *cmds_o[] = { "Options sip", 66| 9.47k| "Options tel", 67| 9.47k| NULL}; 68| 9.47k| const char *cmds_p[] = { "Publish sip", 69| 9.47k| "Prack sip", 70| 9.47k| NULL}; 71| 9.47k| const char *cmds_r[] = { "Register sip", 72| 9.47k| "Refer sip", 73| 9.47k| NULL}; 74| 9.47k| const char *cmds_s[] = { "Subscribe sip", 75| 9.47k| "SIP/2.0", /* Reply; useful with asymmetric flows */ 76| 9.47k| 
NULL}; 77| | 78| 9.47k| switch(packet_payload[0]) { 79| 79| case 'a': ------------------ | Branch (79:3): [True: 79, False: 9.39k] ------------------ 80| 120| case 'A': ------------------ | Branch (80:3): [True: 41, False: 9.43k] ------------------ 81| 120| cs = cmds_a; 82| 120| break; 83| 14| case 'b': ------------------ | Branch (83:3): [True: 14, False: 9.45k] ------------------ 84| 36| case 'B': ------------------ | Branch (84:3): [True: 22, False: 9.45k] ------------------ 85| 36| cs = cmds_b; 86| 36| break; 87| 19| case 'c': ------------------ | Branch (87:3): [True: 19, False: 9.45k] ------------------ 88| 47| case 'C': ------------------ | Branch (88:3): [True: 28, False: 9.44k] ------------------ 89| 47| cs = cmds_c; 90| 47| break; 91| 78| case 'i': ------------------ | Branch (91:3): [True: 78, False: 9.39k] ------------------ 92| 108| case 'I': ------------------ | Branch (92:3): [True: 30, False: 9.44k] ------------------ 93| 108| cs = cmds_i; 94| 108| break; 95| 98| case 'm': ------------------ | Branch (95:3): [True: 98, False: 9.37k] ------------------ 96| 696| case 'M': ------------------ | Branch (96:3): [True: 598, False: 8.87k] ------------------ 97| 696| cs = cmds_m; 98| 696| break; 99| 57| case 'n': ------------------ | Branch (99:3): [True: 57, False: 9.41k] ------------------ 100| 152| case 'N': ------------------ | Branch (100:3): [True: 95, False: 9.37k] ------------------ 101| 152| cs = cmds_n; 102| 152| break; 103| 60| case 'o': ------------------ | Branch (103:3): [True: 60, False: 9.41k] ------------------ 104| 70| case 'O': ------------------ | Branch (104:3): [True: 10, False: 9.46k] ------------------ 105| 70| cs = cmds_o; 106| 70| break; 107| 20| case 'p': ------------------ | Branch (107:3): [True: 20, False: 9.45k] ------------------ 108| 509| case 'P': ------------------ | Branch (108:3): [True: 489, False: 8.98k] ------------------ 109| 509| cs = cmds_p; 110| 509| break; 111| 72| case 'r': ------------------ | Branch (111:3): 
[True: 72, False: 9.40k] ------------------ 112| 1.56k| case 'R': ------------------ | Branch (112:3): [True: 1.48k, False: 7.98k] ------------------ 113| 1.56k| cs = cmds_r; 114| 1.56k| break; 115| 450| case 's': ------------------ | Branch (115:3): [True: 450, False: 9.02k] ------------------ 116| 561| case 'S': ------------------ | Branch (116:3): [True: 111, False: 9.36k] ------------------ 117| 561| cs = cmds_s; 118| 561| break; 119| 5.61k| default: ------------------ | Branch (119:3): [True: 5.61k, False: 3.86k] ------------------ 120| 5.61k| return 0; 121| 9.47k| } 122| | 123| 10.6k| while(*cs) { ------------------ | Branch (123:9): [True: 6.83k, False: 3.82k] ------------------ 124| 6.83k| length = strlen(*cs); 125| 6.83k| if(payload_len > length && ------------------ | Branch (125:8): [True: 6.83k, False: 0] ------------------ 126| 6.83k| strncasecmp((const char *)packet_payload, *cs, length) == 0) { ------------------ | Branch (126:8): [True: 37, False: 6.79k] ------------------ 127| 37| NDPI_LOG_DBG(ndpi_struct, "Matching with [%s]\n", *cs); ------------------ | | 596| 37|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 128| 37| return 1; 129| 37| } 130| 6.79k| cs++; 131| 6.79k| } 132| 3.82k| return 0; 133| 3.86k|} init_skinny_dissector: 95| 7.08k|{ 96| 7.08k| ndpi_register_dissector("CiscoSkinny", ndpi_struct, 97| 7.08k| ndpi_search_skinny, 98| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ 
------------------ 99| 7.08k| 1, NDPI_PROTOCOL_SKINNY); 100| 7.08k|} skinny.c:ndpi_search_skinny: 64| 13.4k|{ 65| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 66| 13.4k| u_int16_t dport, sport; 67| | 68| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search for SKINNY\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 69| | 70| 13.4k| if(packet->tcp != NULL) { ------------------ | Branch (70:6): [True: 13.4k, False: 0] ------------------ 71| 13.4k| sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); 72| 13.4k| NDPI_LOG_DBG2(ndpi_struct, "calculating SKINNY over tcp\n"); ------------------ | | 597| 13.4k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 73| 13.4k| if((dport == 2000 || sport == 2000) && ------------------ | Branch (73:9): [True: 1, False: 13.4k] | Branch (73:26): [True: 0, False: 13.4k] ------------------ 74| 1| (packet->payload_packet_len >= 12)) { ------------------ | Branch (74:8): [True: 1, False: 0] ------------------ 75| 1| u_int32_t data_length, version, opcode; 76| | 77| 1| data_length = le32toh(get_u_int32_t(packet->payload, 0)); 78| 1| version = le32toh(get_u_int32_t(packet->payload, 4)); 79| 1| opcode = le32toh(get_u_int32_t(packet->payload, 8)); 80| | 81| 1| if(data_length + 8 == packet->payload_packet_len && ------------------ | Branch (81:10): [True: 0, False: 1] ------------------ 82| 0| is_valid_version(version) && ------------------ | Branch (82:10): [True: 0, False: 0] ------------------ 83| 0| is_valid_opcode(opcode)) { ------------------ | Branch (83:10): [True: 0, False: 0] ------------------ 84| 0| NDPI_LOG_INFO(ndpi_struct, "found skinny\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 85| 0| ndpi_int_skinny_add_connection(ndpi_struct, flow); 86| 0| return; 87| 0| } 88| 1| } 89| 13.4k| } 90| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 91| 13.4k|} init_slp_dissector: 325| 7.08k|{ 326| 7.08k| ndpi_register_dissector("Service_Location_Protocol", ndpi_struct, 327| 7.08k| ndpi_search_slp, 328| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 329| 7.08k| 1, NDPI_PROTOCOL_SERVICE_LOCATION); 330| 7.08k|} slp.c:ndpi_search_slp: 304| 15.0k|{ 305| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 306| | 307| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search Service Location Protocol\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 308| | 309| 15.0k| switch (packet->payload[0]) { 310| 520| case 0x01: ------------------ | Branch (310:5): [True: 520, False: 14.5k] ------------------ 311| 520| ndpi_search_slp_v1(ndpi_struct, flow); 312| 520| break; 313| 64| case 0x02: ------------------ | Branch (313:5): [True: 64, False: 15.0k] ------------------ 314| 64| if (ndpi_search_slp_v2(ndpi_struct, flow) == 0) { ------------------ | Branch (314:11): [True: 0, False: 64] ------------------ 315| 0| ndpi_dissect_slp_v2(ndpi_struct, flow); 316| 0| } 317| 64| break; 318| 14.4k| default: ------------------ | Branch (318:5): [True: 14.4k, False: 584] ------------------ 319| 14.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 320| 14.4k| break; 321| 15.0k| } 322| 15.0k|} slp.c:ndpi_search_slp_v1: 195| 520|{ 196| 520| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 197| 520| struct slp_hdr_v1 const * const hdr = (struct slp_hdr_v1 *)&packet->payload[0]; 198| | 199| 520| NDPI_LOG_DBG(ndpi_struct, "search Service Location Protocol v1\n"); ------------------ | | 
596| 520|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 200| | 201| 520| if (packet->payload_packet_len < sizeof(*hdr)) { ------------------ | Branch (201:7): [True: 45, False: 475] ------------------ 202| 45| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 45|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 203| 45| return; 204| 45| } 205| | 206| 475| const unsigned int packet_length = ntohs(hdr->length); 207| 475| if (slp_check_packet_length(ndpi_struct, flow, packet_length) != 0) ------------------ | Branch (207:7): [True: 472, False: 3] ------------------ 208| 472| return; 209| | 210| 3| if (slp_check_fid(ndpi_struct, flow, hdr->function, hdr->version) != 0) ------------------ | Branch (210:7): [True: 2, False: 1] ------------------ 211| 2| return; 212| | 213| 1| ndpi_int_slp_add_connection(ndpi_struct, flow); 214| 1|} slp.c:slp_check_packet_length: 100| 536|{ 101| 536| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 102| | 103| 536| if (packet->payload_packet_len != packet_length) { ------------------ | Branch (103:7): [True: 533, False: 3] ------------------ 104| 533| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 533|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 105| 533| return 1; 106| 533| } 107| | 108| 3| return 0; 109| 536|} slp.c:slp_check_fid: 114| 3|{ 115| 3| if (fid <= FID_UNKNOWN) { ------------------ | Branch (115:7): [True: 1, False: 2] ------------------ 116| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 117| 1| return 1; 118| 1| } 119| | 120| 2| switch (slp_version) { 
121| 2| case 0x01: ------------------ | Branch (121:5): [True: 2, False: 0] ------------------ 122| 2| if (fid >= FID_MAX_v1) { ------------------ | Branch (122:11): [True: 1, False: 1] ------------------ 123| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 124| 1| return 1; 125| 1| } 126| 1| break; 127| 1| case 0x02: ------------------ | Branch (127:5): [True: 0, False: 2] ------------------ 128| 0| if (fid >= FID_MAX) { ------------------ | Branch (128:11): [True: 0, False: 0] ------------------ 129| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 130| 0| return 1; 131| 0| } 132| 0| break; 133| 0| default: ------------------ | Branch (133:5): [True: 0, False: 2] ------------------ 134| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 135| 0| return 1; 136| 2| } 137| | 138| 1| return 0; 139| 2|} slp.c:ndpi_int_slp_add_connection: 89| 1|{ 90| 1| NDPI_LOG_INFO(ndpi_struct, "found Service Location Protocol\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 91| | 92| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 93| 1| NDPI_PROTOCOL_SERVICE_LOCATION, NDPI_PROTOCOL_UNKNOWN, 94| 1| NDPI_CONFIDENCE_DPI); 95| 1|} slp.c:ndpi_search_slp_v2: 218| 64|{ 219| 64| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 220| 64| struct slp_hdr_v2 const * const hdr = (struct slp_hdr_v2 *)&packet->payload[0]; 221| | 222| 64| NDPI_LOG_DBG(ndpi_struct, "search Service Location Protocol v2\n"); ------------------ | | 596| 64|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 223| | 224| 64| if (packet->payload_packet_len < sizeof(*hdr)) { ------------------ | Branch (224:7): [True: 3, False: 61] ------------------ 225| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 226| 3| return 1; 227| 3| } 228| | 229| 61| const unsigned int packet_length = (ntohs(hdr->length.high) << 8) | hdr->length.low; 230| 61| if (slp_check_packet_length(ndpi_struct, flow, packet_length) != 0) ------------------ | Branch (230:7): [True: 61, False: 0] ------------------ 231| 61| return 1; 232| | 233| 0| if (slp_check_fid(ndpi_struct, flow, hdr->function_id, hdr->version) != 0) ------------------ | Branch (233:7): [True: 0, False: 0] ------------------ 234| 0| return 1; 235| | 236| 0| ndpi_int_slp_add_connection(ndpi_struct, flow); 237| 0| return 0; 238| 0|} init_smb_dissector: 84| 7.08k|{ 85| 7.08k| ndpi_register_dissector("SMB", ndpi_struct, 86| 7.08k| ndpi_search_smb_tcp, 87| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 88| 7.08k| 1, NDPI_PROTOCOL_SMBV23); 89| 7.08k|} smb.c:ndpi_search_smb_tcp: 30| 13.4k|{ 31| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 32| | 33| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search SMB\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 34| | 35| | /* Check connection over TCP */ 36| 13.4k| if(packet->tcp) { ------------------ | Branch (36:6): [True: 13.4k, False: 0] ------------------ 37| 13.4k| u_int16_t fourfourfive = htons(445); 38| | 39| 13.4k| if(((packet->tcp->dest == fourfourfive) || (packet->tcp->source == fourfourfive)) ------------------ | Branch (39:9): [True: 6, False: 13.4k] | Branch (39:48): [True: 2, False: 13.4k] ------------------ 40| 8| && packet->payload_packet_len > (32 + 4 + 4) ------------------ | Branch (40:11): [True: 6, False: 2] ------------------ 41| 6| && packet->payload[0] == 0x00) { ------------------ | Branch (41:11): [True: 2, False: 4] ------------------ 42| 2| u_int32_t length; 43| | 44| 2| length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; 45| | /* If the message is split into multiple TCP segments, let's hope that 46| | the first message we receive is the first segment */ 47| 2| if(length >= (uint32_t)packet->payload_packet_len - 4) { ------------------ | Branch (47:10): [True: 2, False: 0] ------------------ 48| 2| u_int8_t smbv1[] = { 0xff, 0x53, 0x4d, 0x42 }; 49| 2| u_int8_t smbv2[] = { 0xfe, 0x53, 0x4d, 0x42 }; 50| | 51| 2| if(memcmp(&packet->payload[4], smbv1, sizeof(smbv1)) == 0) { ------------------ | Branch (51:12): [True: 0, False: 2] ------------------ 52| 0| if(packet->payload[8] != 0x72) /* Skip Negotiate request */ { ------------------ | Branch (52:14): [True: 0, False: 0] ------------------ 53| 0| NDPI_LOG_INFO(ndpi_struct, "found SMBv1\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 54| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV1, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI); 55| | 56| | /* 57| | Before we complain let's check if this is a broadcast message 58| | as for broadcast we can tolerate v1 as it can be used to 59| | discover old device versions. 
60| | 61| | As nDPI has not MAC address visibility (checking for destination MAC 62| | FF:FF:FF:FF:FF:FF would have been easier) we need to implement 63| | some heuristic here. 64| | */ 65| | 66| 0| if(packet->payload[8] != 0x25) /* Skip SMB command Trans */ ------------------ | Branch (66:9): [True: 0, False: 0] ------------------ 67| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_SMB_INSECURE_VERSION, "Found SMBv1"); 68| 0| } 69| 0| return; 70| 2| } else if(memcmp(&packet->payload[4], smbv2, sizeof(smbv2)) == 0) { ------------------ | Branch (70:19): [True: 0, False: 2] ------------------ 71| 0| NDPI_LOG_INFO(ndpi_struct, "found SMBv23\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 72| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMBV23, NDPI_PROTOCOL_NETBIOS, NDPI_CONFIDENCE_DPI); 73| 0| return; 74| 0| } 75| 2| } 76| 2| } 77| 13.4k| } 78| | 79| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 80| 13.4k|} init_smpp_dissector: 314| 7.08k|{ 315| 7.08k| ndpi_register_dissector("SMPP", ndpi_struct, 316| 7.08k| ndpi_search_smpp_tcp, 317| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | 
| #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 318| 7.08k| 1, NDPI_PROTOCOL_SMPP); 319| 7.08k|} smpp.c:ndpi_search_smpp_tcp: 44| 21.6k|{ 45| 21.6k| struct ndpi_packet_struct* packet = &ndpi_struct->packet; 46| | 47| 21.6k| NDPI_LOG_DBG(ndpi_struct, "search SMPP\n"); ------------------ | | 596| 21.6k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| 21.6k| if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_SMPP){ ------------------ | Branch (48:7): [True: 21.6k, False: 0] ------------------ 49| | // min SMPP packet length = 16 bytes 50| 21.6k| if (packet->payload_packet_len < 16) { ------------------ | Branch (50:9): [True: 1.55k, False: 20.1k] ------------------ 51| 1.55k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.55k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 1.55k| return; 53| 1.55k| } 54| | // get PDU length 55| 20.1k| u_int32_t pdu_l = ntohl(get_u_int32_t(packet->payload, 0)); 56| | 57| 20.1k| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 20.1k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 58| 20.1k| "calculated PDU Length: %d, received PDU Length: %d\n", 59| 20.1k| pdu_l, packet->payload_packet_len); 60| | 61| | // if PDU size was invalid, try the following TCP segments, 3 attempts max 62| 20.1k| if(flow->packet_counter > 3) { ------------------ | Branch (62:8): [True: 1.79k, False: 18.3k] ------------------ 63| 1.79k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.79k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 64| 1.79k| return; 65| 1.79k| } 66| | // verify PDU length 67| 18.3k| if(pdu_l != packet->payload_packet_len) { ------------------ | Branch (67:8): [True: 18.3k, False: 11] ------------------ 68| | // check if multiple PDUs included 69| 18.3k| u_int32_t total_pdu_l = pdu_l; 70| 18.3k| u_int32_t tmp_pdu_l = 0; 71| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 72| | u_int16_t pdu_c = 1; 73| |#endif 74| | // loop PDUs (check if lengths are valid) 75| 18.5k| while(total_pdu_l < ((uint32_t)packet->payload_packet_len-4)) { 
------------------ | Branch (75:13): [True: 340, False: 18.2k] ------------------ 76| | // get next PDU length 77| 340| tmp_pdu_l = ntohl(get_u_int32_t(packet->payload, total_pdu_l)); 78| | // if zero or overflowing, return, will try the next TCP segment 79| 340| if(tmp_pdu_l == 0 || ndpi_check_overflow(tmp_pdu_l, total_pdu_l) ) return; ------------------ | Branch (79:5): [True: 55, False: 285] | Branch (79:24): [True: 15, False: 270] ------------------ 80| | // inc total PDU length 81| 270| total_pdu_l += ntohl(get_u_int32_t(packet->payload, total_pdu_l)); 82| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 83| | // inc total PDU count 84| | ++pdu_c; 85| |#endif 86| 270| } 87| | 88| 18.2k| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 18.2k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 89| 18.2k| "multiple PDUs included, calculated total PDU Length: %d, PDU count: %d, TCP payload length: %d\n", 90| 18.2k| total_pdu_l, pdu_c, packet->payload_packet_len); 91| | 92| | // verify multi PDU total length 93| 18.2k| if(total_pdu_l != packet->payload_packet_len){ ------------------ | Branch (93:10): [True: 18.2k, False: 0] ------------------ 94| | // return, will try the next TCP segment 95| 18.2k| return; 96| 18.2k| } 97| 18.2k| } 98| | 99| | // *** check PDU type *** 100| 11| u_int32_t pdu_type = ntohl(get_u_int32_t(packet->payload, 4)); 101| | // first byte of PDU type is either 0x00 or 0x80 102| 11| if(!(packet->payload[4] == 0x00 || packet->payload[4] == 0x80)) { ------------------ | Branch (102:10): [True: 0, False: 11] | Branch (102:40): [True: 0, False: 11] ------------------ 103| 11| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 104| 11| return; 105| 11| } 106| | // remove 0x80, get request type pdu 107| 0| u_int32_t pdu_req = pdu_type & 0x00FFFFFF; 
108| | // list of known PDU types 109| 0| if((pdu_req <= 0x00000009) || /* [0-9] */ ------------------ | Branch (109:8): [True: 0, False: 0] ------------------ 110| 0| (pdu_req == 0x0000000B || pdu_req == 0x00000015 || ------------------ | Branch (110:9): [True: 0, False: 0] | Branch (110:34): [True: 0, False: 0] ------------------ 111| 0| pdu_req == 0x00000021 || pdu_req == 0x00000102 || ------------------ | Branch (111:9): [True: 0, False: 0] | Branch (111:34): [True: 0, False: 0] ------------------ 112| 0| pdu_req == 0x00000103)){ ------------------ | Branch (112:9): [True: 0, False: 0] ------------------ 113| | 114| 0| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 115| 0| "PDU type: %x, Request PDU type = %x\n", 116| 0| pdu_type, pdu_req); 117| | 118| | // result flag 119| 0| char extra_passed = 1; 120| | // check PDU type specifics 121| 0| switch(pdu_type){ 122| | // GENERIC_NACK 123| 0| case 0x80000000: ------------------ | Branch (123:7): [True: 0, False: 0] ------------------ 124| | // body length must be zero 125| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (125:5): [True: 0, False: 0] ------------------ 126| 0| break; 127| | 128| | // BIND_RECEIVER 129| | // BIND_TRANSMITTER 130| | // BIND_TRANSCEIVER 131| 0| case 0x00000001: ------------------ | Branch (131:7): [True: 0, False: 0] ------------------ 132| 0| case 0x00000002: ------------------ | Branch (132:7): [True: 0, False: 0] ------------------ 133| 0| case 0x00000009: ------------------ | Branch (133:7): [True: 0, False: 0] ------------------ 134| | // status field must be NULL 135| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (135:5): [True: 0, False: 0] ------------------ 136| | // min body length = 10 bytes (+16 in header) 137| 0| 
if(pdu_l < 26) extra_passed = 0; ------------------ | Branch (137:5): [True: 0, False: 0] ------------------ 138| 0| break; 139| | 140| | // BIND_RECEIVER_RESP 141| | // BIND_TRANSMITTER_RESP 142| | // BIND_TRANSCEIVER_RESP 143| 0| case 0x80000001: ------------------ | Branch (143:7): [True: 0, False: 0] ------------------ 144| 0| case 0x80000002: ------------------ | Branch (144:7): [True: 0, False: 0] ------------------ 145| 0| case 0x80000009: ------------------ | Branch (145:7): [True: 0, False: 0] ------------------ 146| | // min body length = 2 bytes (+16 in header) 147| 0| if(pdu_l < 18) extra_passed = 0; ------------------ | Branch (147:5): [True: 0, False: 0] ------------------ 148| 0| break; 149| | 150| | // OUTBIND 151| 0| case 0x0000000B: ------------------ | Branch (151:7): [True: 0, False: 0] ------------------ 152| | // status field must be NULL 153| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (153:5): [True: 0, False: 0] ------------------ 154| | // min body length = 4 bytes (+16 in header) 155| 0| if(pdu_l < 20) extra_passed = 0; ------------------ | Branch (155:5): [True: 0, False: 0] ------------------ 156| 0| break; 157| | 158| | // UNBIND 159| 0| case 0x00000006: ------------------ | Branch (159:7): [True: 0, False: 0] ------------------ 160| | // status field must be NULL 161| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (161:5): [True: 0, False: 0] ------------------ 162| | // body length must be zero 163| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (163:5): [True: 0, False: 0] ------------------ 164| 0| break; 165| | 166| | // UNBIND_RESP 167| 0| case 0x80000006: ------------------ | Branch (167:7): [True: 0, False: 0] 
------------------ 168| | // body length must be zero 169| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (169:5): [True: 0, False: 0] ------------------ 170| 0| break; 171| | 172| | 173| | // SUBMIT_SM 174| 0| case 0x00000004: ------------------ | Branch (174:7): [True: 0, False: 0] ------------------ 175| | // status field must be NULL 176| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (176:5): [True: 0, False: 0] ------------------ 177| | // min body length = 17 bytes (+16 in header) 178| 0| if(pdu_l < 33) extra_passed = 0; ------------------ | Branch (178:5): [True: 0, False: 0] ------------------ 179| 0| break; 180| | 181| | // SUBMIT_SM_RESP 182| 0| case 0x80000004: ------------------ | Branch (182:7): [True: 0, False: 0] ------------------ 183| | // - if status == 0, body length is 2 bytes min 184| | // - if status != 0, body length must be zero 185| 0| if(get_u_int32_t(packet->payload, 8) != 0){ ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (185:5): [True: 0, False: 0] ------------------ 186| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (186:7): [True: 0, False: 0] ------------------ 187| | 188| 0| }else if(pdu_l < 18) extra_passed = 0; ------------------ | Branch (188:11): [True: 0, False: 0] ------------------ 189| 0| break; 190| | 191| | // SUBMIT_MULTI 192| 0| case 0x00000021: ------------------ | Branch (192:7): [True: 0, False: 0] ------------------ 193| | // status field must be NULL 194| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (194:5): [True: 0, False: 0] ------------------ 195| | // min body length = 17 bytes (+16 in header) 196| 0| if(pdu_l < 
33) extra_passed = 0; ------------------ | Branch (196:5): [True: 0, False: 0] ------------------ 197| 0| break; 198| | 199| | // SUBMIT_MULTI_RESP 200| 0| case 0x80000021: ------------------ | Branch (200:7): [True: 0, False: 0] ------------------ 201| | // min body length = 10 bytes (+16 in header) 202| 0| if(pdu_l < 26) extra_passed = 0; ------------------ | Branch (202:5): [True: 0, False: 0] ------------------ 203| 0| break; 204| | 205| | // DELIVER_SM 206| 0| case 0x00000005: ------------------ | Branch (206:7): [True: 0, False: 0] ------------------ 207| | // status field must be NULL 208| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (208:5): [True: 0, False: 0] ------------------ 209| | // min body length = 17 bytes (+16 in header) 210| 0| if(pdu_l < 33) extra_passed = 0; ------------------ | Branch (210:5): [True: 0, False: 0] ------------------ 211| 0| break; 212| | 213| | // DELIVER_SM_RESP 214| 0| case 0x80000005: ------------------ | Branch (214:7): [True: 0, False: 0] ------------------ 215| | // min body length = 1 byte (+16 in header) 216| 0| if(pdu_l < 17) extra_passed = 0; ------------------ | Branch (216:5): [True: 0, False: 0] ------------------ 217| 0| break; 218| | 219| | // DATA_SM 220| 0| case 0x00000103: ------------------ | Branch (220:7): [True: 0, False: 0] ------------------ 221| | // status field must be NULL 222| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (222:5): [True: 0, False: 0] ------------------ 223| | // min body length = 10 bytes (+16 in header) 224| 0| if(pdu_l < 26) extra_passed = 0; ------------------ | Branch (224:5): [True: 0, False: 0] ------------------ 225| 0| break; 226| | 227| | // DATA_SM_RESP 228| 0| case 0x80000103: 
------------------ | Branch (228:7): [True: 0, False: 0] ------------------ 229| | // min body length = 2 bytes (+16 in header) 230| 0| if(pdu_l < 18) extra_passed = 0; ------------------ | Branch (230:5): [True: 0, False: 0] ------------------ 231| 0| break; 232| | 233| | // QUERY_SM 234| 0| case 0x00000003: ------------------ | Branch (234:7): [True: 0, False: 0] ------------------ 235| | // status field must be NULL 236| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (236:5): [True: 0, False: 0] ------------------ 237| | // min body length = 4 bytes (+16 in header) 238| 0| if(pdu_l < 20) extra_passed = 0; ------------------ | Branch (238:5): [True: 0, False: 0] ------------------ 239| 0| break; 240| | 241| | // QUERY_SM_RESP 242| 0| case 0x80000003: ------------------ | Branch (242:7): [True: 0, False: 0] ------------------ 243| | // min body length = 5 bytes (+16 in header) 244| 0| if(pdu_l < 21) extra_passed = 0; ------------------ | Branch (244:5): [True: 0, False: 0] ------------------ 245| 0| break; 246| | 247| | // CANCEL_SM 248| 0| case 0x00000008: ------------------ | Branch (248:7): [True: 0, False: 0] ------------------ 249| | // status field must be NULL 250| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (250:5): [True: 0, False: 0] ------------------ 251| | // min body length = 8 bytes (+16 in header) 252| 0| if(pdu_l < 24) extra_passed = 0; ------------------ | Branch (252:5): [True: 0, False: 0] ------------------ 253| 0| break; 254| | 255| | // CANCEL_SM_RESP 256| 0| case 0x80000008: ------------------ | Branch (256:7): [True: 0, False: 0] ------------------ 257| | // body lenth must be zero 258| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch 
(258:5): [True: 0, False: 0] ------------------ 259| 0| break; 260| | 261| | // REPLACE_SM 262| 0| case 0x00000007: ------------------ | Branch (262:7): [True: 0, False: 0] ------------------ 263| | // status field must be NULL 264| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (264:5): [True: 0, False: 0] ------------------ 265| | // min body length = 9 bytes (+16 in header) 266| 0| if(pdu_l < 25) extra_passed = 0; ------------------ | Branch (266:5): [True: 0, False: 0] ------------------ 267| 0| break; 268| | 269| | // REPLACE_SM_RESP 270| 0| case 0x80000007: ------------------ | Branch (270:7): [True: 0, False: 0] ------------------ 271| | // body lenth must be zero 272| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (272:5): [True: 0, False: 0] ------------------ 273| 0| break; 274| | 275| | // ENQUIRE_LINK 276| 0| case 0x00000015: ------------------ | Branch (276:7): [True: 0, False: 0] ------------------ 277| | // status field must be NULL 278| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (278:5): [True: 0, False: 0] ------------------ 279| | // body length must be zero 280| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (280:5): [True: 0, False: 0] ------------------ 281| 0| break; 282| | 283| | // ENQUIRE_LINK_RESP 284| 0| case 0x80000015: ------------------ | Branch (284:7): [True: 0, False: 0] ------------------ 285| | // body length must be zero 286| 0| if(pdu_l > 16) extra_passed = 0; ------------------ | Branch (286:5): [True: 0, False: 0] ------------------ 287| 0| break; 288| | 289| | // ALERT_NOTIFICATION 290| 0| case 0x00000102: ------------------ | Branch (290:7): [True: 0, False: 0] ------------------ 291| | // status field 
must be NULL 292| 0| if(get_u_int32_t(packet->payload, 8) != 0) extra_passed = 0; ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (292:5): [True: 0, False: 0] ------------------ 293| | // min body length = 6 bytes (+16 in header) 294| 0| if(pdu_l < 22) extra_passed = 0; ------------------ | Branch (294:5): [True: 0, False: 0] ------------------ 295| 0| break; 296| | 297| 0| default: break; ------------------ | Branch (297:7): [True: 0, False: 0] ------------------ 298| 0| } 299| | 300| | // if extra checks passed, set as identified 301| 0| if(extra_passed) { ------------------ | Branch (301:10): [True: 0, False: 0] ------------------ 302| 0| NDPI_LOG_INFO(ndpi_struct, "found SMPP\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 303| 0| ndpi_int_smpp_add_connection(ndpi_struct, flow); 304| 0| return; 305| 0| } 306| 0| } 307| | 308| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 309| 0| } 310| 21.6k|} smpp.c:ndpi_check_overflow: 38| 285|{ 39| 285| return (current_length > 0 && current_length > INT_MAX - total_lenth); ------------------ | Branch (39:13): [True: 285, False: 0] | Branch (39:35): [True: 15, False: 270] ------------------ 40| 285|} init_snmp_dissector: 147| 7.08k|void init_snmp_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 148| 7.08k| ndpi_register_dissector("SNMP", ndpi_struct, 149| 7.08k| ndpi_search_snmp, 150| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 151| 7.08k| 1, NDPI_PROTOCOL_SNMP); 152| 7.08k|} snmp_proto.c:ndpi_search_snmp: 59| 4.56k| struct ndpi_flow_struct *flow) { 60| 4.56k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 61| 4.56k| u_int16_t snmp_port = htons(161), trap_port = htons(162); 62| | 63| 4.56k| if((packet->udp->source != snmp_port) && ------------------ | Branch (63:6): [True: 4.55k, False: 3] ------------------ 64| 4.55k| (packet->udp->dest != snmp_port) && ------------------ | Branch (64:6): [True: 4.55k, False: 2] ------------------ 65| 4.55k| (packet->udp->source != trap_port) && ------------------ | Branch (65:6): [True: 4.55k, False: 1] ------------------ 66| 4.55k| (packet->udp->dest != trap_port)) { ------------------ | Branch (66:6): [True: 4.55k, False: 2] ------------------ 67| 4.55k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.55k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 68| 4.55k| return; 69| 4.55k| } 70| | 71| 8| if(packet->payload_packet_len > 16 && packet->payload[0] == 0x30) { 
------------------ | Branch (71:6): [True: 6, False: 2] | Branch (71:41): [True: 1, False: 5] ------------------ 72| 1| u_int16_t len_length = 0, offset; 73| 1| int64_t len; 74| | 75| 1| len = asn1_ber_decode_length(&packet->payload[1], packet->payload_packet_len - 1, &len_length); 76| | 77| 1| if(len > 2 && ------------------ | Branch (77:8): [True: 0, False: 1] ------------------ 78| 0| 1 + len_length + len == packet->payload_packet_len && ------------------ | Branch (78:8): [True: 0, False: 0] ------------------ 79| 0| (packet->payload[1 + len_length + 2] == 0 /* SNMPv1 */ || ------------------ | Branch (79:9): [True: 0, False: 0] ------------------ 80| 0| packet->payload[1 + len_length + 2] == 1 /* SNMPv2c */ || ------------------ | Branch (80:9): [True: 0, False: 0] ------------------ 81| 0| packet->payload[1 + len_length + 2] == 3 /* SNMPv3 */)) { ------------------ | Branch (81:9): [True: 0, False: 0] ------------------ 82| | 83| 0| if(flow->extra_packets_func == NULL) { ------------------ | Branch (83:10): [True: 0, False: 0] ------------------ 84| 0| ndpi_int_snmp_add_connection(ndpi_struct, flow); 85| 0| flow->protos.snmp.version = packet->payload[1 + len_length + 2]; 86| 0| } 87| | 88| 0| offset = 1 + len_length + 2; 89| 0| if((packet->payload[offset] == 0 /* SNMPv1 */ || ------------------ | Branch (89:11): [True: 0, False: 0] ------------------ 90| 0| packet->payload[offset] == 1 /* SNMPv2c */) && ------------------ | Branch (90:11): [True: 0, False: 0] ------------------ 91| 0| (offset + 2 < packet->payload_packet_len)) { ------------------ | Branch (91:3): [True: 0, False: 0] ------------------ 92| | 93| 0| if(flow->extra_packets_func == NULL) { ------------------ | Branch (93:12): [True: 0, False: 0] ------------------ 94| 0| flow->max_extra_packets_to_check = 8; 95| 0| flow->extra_packets_func = ndpi_search_snmp_again; 96| 0| } 97| | 98| 0| u_int8_t community_len = packet->payload[offset + 2]; 99| 0| u_int8_t snmp_primitive_offset = offset + 2 + 1 
+ community_len; 100| | 101| 0| if(snmp_primitive_offset < packet->payload_packet_len) { ------------------ | Branch (101:12): [True: 0, False: 0] ------------------ 102| 0| u_int8_t snmp_primitive = packet->payload[snmp_primitive_offset] & 0xF; 103| | 104| 0| flow->protos.snmp.primitive = snmp_primitive; 105| | 106| 0| if(snmp_primitive == 2 /* Get Response */ && ------------------ | Branch (106:14): [True: 0, False: 0] ------------------ 107| 0| snmp_primitive_offset + 1 < packet->payload_packet_len) { ------------------ | Branch (107:14): [True: 0, False: 0] ------------------ 108| 0| offset = snmp_primitive_offset + 1; 109| 0| asn1_ber_decode_length(&packet->payload[offset], packet->payload_packet_len - offset, &len_length); 110| 0| offset += len_length + 1; 111| 0| if(offset < packet->payload_packet_len) { ------------------ | Branch (111:16): [True: 0, False: 0] ------------------ 112| 0| len = asn1_ber_decode_length(&packet->payload[offset], packet->payload_packet_len - offset, &len_length); 113| | 114| 0| u_int8_t error_status_offset = offset + len_length + len + 2; 115| | 116| 0| if(error_status_offset < packet->payload_packet_len) { ------------------ | Branch (116:18): [True: 0, False: 0] ------------------ 117| 0| u_int8_t error_status = packet->payload[error_status_offset]; 118| | 119| |#ifdef SNMP_DEBUG 120| | printf("-> %u [offset: %u][primitive: %u]\n", 121| | error_status, error_status_offset, snmp_primitive); 122| |#endif 123| | 124| 0| flow->extra_packets_func = NULL; /* We're good now */ 125| | 126| 0| flow->protos.snmp.error_status = error_status; 127| | 128| 0| if(error_status != 0) { ------------------ | Branch (128:20): [True: 0, False: 0] ------------------ 129| 0| char str[64]; 130| | 131| 0| snprintf(str, sizeof(str), "SNMP Error %d", error_status); 132| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, str); 133| 0| } 134| 0| } 135| 0| } 136| 0| } 137| 0| } 138| 0| } 139| | 140| 0| return; 141| 0| } 142| 1| } 143| | 144| 8| 
NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 8|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 145| 8|} init_soap_dissector: 84| 7.08k|{ 85| 7.08k| ndpi_register_dissector("SOAP", ndpi_struct, 86| 7.08k| ndpi_search_soap, 87| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 88| 7.08k| 1, NDPI_PROTOCOL_SOAP); 89| 7.08k|} soap.c:ndpi_search_soap: 38| 21.8k|{ 39| 21.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| | 41| 21.8k| NDPI_LOG_DBG(ndpi_struct, "search soap\n"); ------------------ | | 596| 21.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 42| | 43| 21.8k| if (packet->parsed_lines == 0) ------------------ | Branch (43:7): [True: 12.9k, False: 8.94k] ------------------ 44| 12.9k| { 45| 12.9k| ndpi_parse_packet_line_info(ndpi_struct, flow); 46| 12.9k| } 47| | 48| 21.8k| if (packet->parsed_lines > 0) ------------------ | Branch (48:7): [True: 12.0k, False: 9.78k] ------------------ 49| 12.0k| { 50| 12.0k| size_t i; 51| | 52| 37.9k| for (i = 0; i < packet->parsed_lines && packet->line[i].len > 0; ++i) ------------------ | Branch (52:17): [True: 31.3k, False: 6.56k] | Branch (52:45): [True: 25.8k, False: 5.48k] ------------------ 53| 25.8k| { 54| 25.8k| if (LINE_STARTS(packet->line[i], "SOAPAction") != 0) ------------------ | | 76| 25.8k| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 25.8k, False: 0] | | ------------------ | | 77| 25.8k| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 22.7k, False: 3.06k] | | ------------------ | | 78| 25.8k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 18, False: 22.7k] | | ------------------ ------------------ | Branch (54:11): [True: 18, False: 25.8k] ------------------ 55| 18| { 56| 18| ndpi_int_soap_add_connection(ndpi_struct, flow); 57| 18| return; 58| 18| } 59| 25.8k| } 60| 12.0k| } 61| | 62| 21.8k| if (flow->packet_counter > 3) ------------------ | Branch (62:7): [True: 2.17k, False: 19.6k] ------------------ 
63| 2.17k| { 64| 2.17k| if (flow->l4.tcp.soap_stage == 1) ------------------ | Branch (64:9): [True: 3, False: 2.17k] ------------------ 65| 3| { 66| 3| ndpi_int_soap_add_connection(ndpi_struct, flow); 67| 3| } 68| 2.17k| else { 69| 2.17k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.17k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 70| 2.17k| } 71| 2.17k| } 72| | 73| 21.8k| if (flow->l4.tcp.soap_stage == 0 && ------------------ | Branch (73:7): [True: 21.8k, False: 5] ------------------ 74| 21.8k| packet->payload_packet_len >= 19) ------------------ | Branch (74:7): [True: 13.9k, False: 7.89k] ------------------ 75| 13.9k| { 76| 13.9k| if (strncmp((char*)packet->payload, "l4.tcp.soap_stage = 1; 79| 7| } 80| 13.9k| } 81| 21.8k|} soap.c:ndpi_int_soap_add_connection: 30| 21|{ 31| 21| NDPI_LOG_INFO(ndpi_struct, "found Soap\n"); ------------------ | | 595| 21|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 32| 21| ndpi_set_detected_protocol_keeping_master(ndpi_struct, flow, NDPI_PROTOCOL_SOAP, 33| 21| NDPI_CONFIDENCE_DPI); 34| 21|} init_socks_dissector: 126| 7.08k|{ 127| 7.08k| ndpi_register_dissector("SOCKS", ndpi_struct, 128| 7.08k| ndpi_search_socks, 129| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | 
------------------ ------------------ 130| 7.08k| 1, NDPI_PROTOCOL_SOCKS); 131| 7.08k|} socks45.c:ndpi_search_socks: 111| 29.1k|{ 112| 29.1k| NDPI_LOG_DBG(ndpi_struct, "search SOCKS\n"); ------------------ | | 596| 29.1k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 113| | 114| 29.1k| if(flow->packet_counter >= 10) { ------------------ | Branch (114:6): [True: 669, False: 28.4k] ------------------ 115| 669| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 669|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 116| 669| return; 117| 669| } 118| | 119| 28.4k| ndpi_check_socks4(ndpi_struct, flow); 120| | 121| 28.4k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_SOCKS) ------------------ | Branch (121:6): [True: 28.4k, False: 0] ------------------ 122| 28.4k| ndpi_check_socks5(ndpi_struct, flow); 123| 28.4k|} socks45.c:ndpi_check_socks4: 39| 28.4k|{ 40| 28.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 41| 28.4k| u_int32_t payload_len = packet->payload_packet_len; 42| | 43| | /* Check if we so far detected the protocol in the request or not. */ 44| 28.4k| if(flow->l4.tcp.socks4_stage == 0) { ------------------ | Branch (44:6): [True: 27.5k, False: 930] ------------------ 45| 27.5k| NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage 0: \n"); ------------------ | | 597| 27.5k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 46| | 47| 27.5k| if(payload_len >= 9 && packet->payload[0] == 0x04 && ------------------ | Branch (47:8): [True: 25.9k, False: 1.57k] | Branch (47:28): [True: 658, False: 25.3k] ------------------ 48| 658| (packet->payload[1] == 0x01 || packet->payload[1] == 0x02) && ------------------ | Branch (48:8): [True: 1, False: 657] | Branch (48:38): [True: 400, False: 257] ------------------ 49| 401| packet->payload[payload_len - 1] == 0x00) { ------------------ | Branch (49:7): [True: 385, False: 16] ------------------ 50| 385| NDPI_LOG_DBG2(ndpi_struct, "Possible SOCKS4 request detected, we will look further for the response\n"); ------------------ | | 597| 385|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 51| | /* TODO: check port and ip address is valid */ 52| | /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ 53| 385| flow->l4.tcp.socks4_stage = packet->packet_direction + 1; 54| 385| } 55| 27.5k| } else { 56| 930| NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage %u: \n", flow->l4.tcp.socks4_stage); ------------------ | | 597| 930|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 57| | 58| | /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ 59| 930| if((flow->l4.tcp.socks4_stage - packet->packet_direction) == 1) { ------------------ | Branch (59:8): [True: 929, False: 1] ------------------ 60| 929| return; 61| 929| } 62| | /* This is a packet in another direction. Check if we find the proper response. 
*/ 63| 1| if(payload_len == 8 && packet->payload[0] == 0x00 && packet->payload[1] >= 0x5a && packet->payload[1] <= 0x5d) { ------------------ | Branch (63:8): [True: 0, False: 1] | Branch (63:28): [True: 0, False: 0] | Branch (63:58): [True: 0, False: 0] | Branch (63:88): [True: 0, False: 0] ------------------ 64| 0| NDPI_LOG_INFO(ndpi_struct, "found SOCKS4\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 65| 0| ndpi_int_socks_add_connection(ndpi_struct, flow); 66| 1| } else { 67| 1| NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to SOCKS4, resetting the stage to 0\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 68| 1| flow->l4.tcp.socks4_stage = 0; 69| 1| } 70| 1| } 71| 28.4k|} socks45.c:ndpi_check_socks5: 74| 28.4k|{ 75| 28.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 76| 28.4k| u_int32_t payload_len = packet->payload_packet_len; 77| | 78| | /* Check if we so far detected the protocol in the request or not. */ 79| 28.4k| if(flow->l4.tcp.socks5_stage == 0) { ------------------ | Branch (79:6): [True: 28.4k, False: 0] ------------------ 80| 28.4k| NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage 0: \n"); ------------------ | | 597| 28.4k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 81| | 82| 28.4k| if(((payload_len == 3) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x01) && (packet->payload[2] == 0x00)) || ------------------ | Branch (82:9): [True: 19, False: 28.4k] | Branch (82:31): [True: 0, False: 19] | Branch (82:63): [True: 0, False: 0] | Branch (82:95): [True: 0, False: 0] ------------------ 83| 28.4k| ((payload_len == 4) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x02) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x01))) { ------------------ | Branch (83:9): [True: 1.35k, False: 27.1k] | Branch (83:31): [True: 25, False: 1.32k] | Branch (83:63): [True: 0, False: 25] | Branch (83:95): [True: 0, False: 0] | Branch (83:127): [True: 0, False: 0] ------------------ 84| 0| NDPI_LOG_DBG2(ndpi_struct, "Possible SOCKS5 request detected, we will look further for the response\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 85| | 86| | /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ 87| 0| flow->l4.tcp.socks5_stage = packet->packet_direction + 1; 88| 0| } 89| | 90| 28.4k| } else { 91| 0| NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage %u: \n", flow->l4.tcp.socks5_stage); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 92| | 93| | /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ 94| 0| if((flow->l4.tcp.socks5_stage - packet->packet_direction) == 1) { ------------------ | Branch (94:8): [True: 0, False: 0] ------------------ 95| 0| return; 96| 0| } 97| | 98| | /* This is a packet in another direction. Check if we find the proper response. 
*/ 99| 0| if((payload_len == 0) || ((payload_len == 2) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x00))) { ------------------ | Branch (99:8): [True: 0, False: 0] | Branch (99:31): [True: 0, False: 0] | Branch (99:53): [True: 0, False: 0] | Branch (99:85): [True: 0, False: 0] ------------------ 100| 0| NDPI_LOG_INFO(ndpi_struct, "found SOCKS5\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 101| 0| ndpi_int_socks_add_connection(ndpi_struct, flow); 102| 0| } else { 103| 0| NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to SOCKS5, resetting the stage to 0\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 104| 0| flow->l4.tcp.socks5_stage = 0; 105| 0| } 106| | 107| 0| } 108| 28.4k|} init_softether_dissector: 350| 7.08k|void init_softether_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 351| 7.08k| ndpi_register_dissector("Softether", ndpi_struct, 352| 7.08k| ndpi_search_softether, 353| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 354| 7.08k| 1, NDPI_PROTOCOL_SOFTETHER); 355| 7.08k|} softether.c:ndpi_search_softether: 299| 3.36k| struct ndpi_flow_struct *flow) { 300| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 301| | 302| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search softether\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 303| | 304| 3.36k| if(packet->payload_packet_len == 1) { ------------------ | Branch (304:6): [True: 107, False: 3.25k] ------------------ 305| | 306| 107| if((packet->payload[0] != 0x41) || (flow->packet_counter > 2)) ------------------ | Branch (306:8): [True: 106, False: 1] | Branch (306:40): [True: 0, False: 1] ------------------ 307| 106| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 106|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 308| | 309| 107| return; 310| 107| } 311| | 312| 3.25k| if(packet->payload_packet_len > 9 && packet->payload_packet_len < 30) { ------------------ | Branch (312:6): [True: 3.21k, False: 36] | Branch (312:40): [True: 309, False: 2.91k] ------------------ 313| 309| if(dissect_softether_ip_port(flow, packet) == 0) { ------------------ | Branch (313:8): [True: 0, False: 309] ------------------ 314| 0| ndpi_int_softether_add_connection(ndpi_struct, flow); 315| 0| return; 316| 0| } 317| 309| } 318| | 319| 3.25k| if(packet->payload_packet_len >= 99) { ------------------ | Branch (319:6): [True: 1.30k, False: 1.95k] ------------------ 320| 1.30k| if(dissect_softether_host_fqdn(flow, packet) == 0) { ------------------ | Branch 
(320:8): [True: 0, False: 1.30k] ------------------ 321| 0| ndpi_int_softether_add_connection(ndpi_struct, flow); 322| 0| return; 323| 0| } 324| 1.30k| } 325| | 326| 3.25k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.25k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 327| 3.25k|} softether.c:dissect_softether_ip_port: 255| 309| struct ndpi_packet_struct const *packet) { 256| 309| char * ip_port_separator; 257| 309| size_t ip_len, port_len; 258| | 259| 309| if(packet->payload_packet_len < NDPI_STATICSTRING_LEN("IP=") + ------------------ | | 98| 309|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (259:6): [True: 0, False: 309] ------------------ 260| 309| NDPI_STATICSTRING_LEN(",PORT=")) ------------------ | | 98| 309|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 261| 0| return 1; 262| | 263| 309| if(strncmp((char *)&packet->payload[0], "IP=", NDPI_STATICSTRING_LEN("IP=")) != 0) ------------------ | | 98| 309|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (263:6): [True: 307, False: 2] ------------------ 264| 307| return 1; 265| | 266| 2| ip_port_separator = ndpi_strnstr((char const *)packet->payload + NDPI_STATICSTRING_LEN("IP="), ------------------ | | 98| 2|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 267| 2| ",PORT=", 268| 2| packet->payload_packet_len - NDPI_STATICSTRING_LEN("IP=")); ------------------ | | 98| 2|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 269| 2| if(ip_port_separator == NULL) ------------------ | Branch (269:6): [True: 2, False: 0] ------------------ 270| 2| return 1; 271| | 272| 0| ip_len = ndpi_min(sizeof(flow->protos.softether.ip) - 1, ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 273| 0| ip_port_separator - (char const *)packet->payload - 274| 0| NDPI_STATICSTRING_LEN("IP=")); 275| | 276| 0| strncpy(flow->protos.softether.ip, 277| 0| (char const *)packet->payload + NDPI_STATICSTRING_LEN("IP="), ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 278| 0| ip_len); 279| 0| flow->protos.softether.ip[ip_len] = '\0'; 280| | 281| 0| if (packet->payload_packet_len < (ip_port_separator - (char const *)packet->payload) + ------------------ | Branch (281:7): [True: 0, False: 0] ------------------ 282| 0| NDPI_STATICSTRING_LEN(",PORT=")) ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 283| 0| return 1; 284| | 285| 0| port_len = ndpi_min(sizeof(flow->protos.softether.port) - 1, ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 286| 0| packet->payload_packet_len - (ip_port_separator - (char const *)packet->payload) - 287| 0| NDPI_STATICSTRING_LEN(",PORT=")); 288| 0| strncpy(flow->protos.softether.port, ip_port_separator + NDPI_STATICSTRING_LEN(",PORT="), ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 289| 0| port_len); 290| | 291| 0| flow->protos.softether.port[port_len] = '\0'; 292| | 293| 0| return 0; 294| 0|} softether.c:dissect_softether_host_fqdn: 177| 1.30k| struct ndpi_packet_struct const *packet) { 178| 1.30k| u_int8_t const *payload = packet->payload; 179| 1.30k| u_int16_t payload_len = packet->payload_packet_len; 180| 1.30k| u_int32_t tuple_count; 181| 1.30k| size_t value_siz, hostname_len = 0, fqdn_len; 182| 1.30k| struct softether_value val1, val2; 183| 1.30k| uint8_t got_hostname = 0, got_fqdn = 0; 184| 1.30k| const char *hostname_ptr = NULL, 
*fqdn_ptr = NULL; 185| | 186| 1.30k| if(payload_len < 4) ------------------ | Branch (186:6): [True: 0, False: 1.30k] ------------------ 187| 0| return 1; 188| | 189| 1.30k| tuple_count = ntohl(get_u_int32_t(payload, 0)); 190| 1.30k| if(tuple_count == 0 || tuple_count * 8 > payload_len) ------------------ | Branch (190:6): [True: 60, False: 1.24k] | Branch (190:26): [True: 1.21k, False: 22] ------------------ 191| 1.27k| return 1; 192| | 193| 22| payload += 4; 194| 22| payload_len -= 4; 195| | 196| 22| value_siz = dissect_softether_type(VALUE_DATA, &val1, payload, payload_len); 197| 22| if(value_siz == 0) ------------------ | Branch (197:6): [True: 8, False: 14] ------------------ 198| 8| return 1; 199| | 200| 14| payload += value_siz; 201| 14| payload_len -= value_siz; 202| | 203| 14| if(strncmp(val1.value.ptr.value_str, "host_name", value_siz) == 0) ------------------ | Branch (203:6): [True: 0, False: 14] ------------------ 204| 0| got_hostname = 1; 205| | 206| 39| for (; tuple_count > 0; --tuple_count) { ------------------ | Branch (206:10): [True: 39, False: 0] ------------------ 207| 39| value_siz = dissect_softether_tuples(payload, payload_len, &val1, &val2); 208| 39| if(value_siz == 0) ------------------ | Branch (208:8): [True: 14, False: 25] ------------------ 209| 14| break; 210| | 211| 25| if(got_hostname == 1) { ------------------ | Branch (211:8): [True: 0, False: 25] ------------------ 212| 0| if(val1.type == VALUE_STR && val1.value_size > 0) { ------------------ | Branch (212:10): [True: 0, False: 0] | Branch (212:36): [True: 0, False: 0] ------------------ 213| 0| hostname_len = ndpi_min(val1.value_size, sizeof(flow->protos.softether.hostname) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 214| 0| hostname_ptr = val1.value.ptr.value_str; 215| 0| } 216| | 217| 0| got_hostname = 0; 218| 0| } 219| 25| if(got_fqdn == 1) { ------------------ | Branch (219:8): [True: 0, False: 25] ------------------ 220| 0| if(val1.type == VALUE_STR && val1.value_size > 0) { ------------------ | Branch (220:10): [True: 0, False: 0] | Branch (220:36): [True: 0, False: 0] ------------------ 221| 0| fqdn_len = ndpi_min(val1.value_size, sizeof(flow->protos.softether.fqdn) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 222| 0| fqdn_ptr = val1.value.ptr.value_str; 223| 0| } 224| | 225| 0| got_fqdn = 0; 226| 0| } 227| | 228| 25| if(val2.type == VALUE_DATA && val2.value_size > 0 && ------------------ | Branch (228:8): [True: 1, False: 24] | Branch (228:35): [True: 0, False: 1] ------------------ 229| 0| strncmp(val2.value.ptr.value_str, "ddns_fqdn", val2.value_size) == 0) { ------------------ | Branch (229:8): [True: 0, False: 0] ------------------ 230| 0| got_fqdn = 1; 231| 0| } 232| | 233| 25| payload += value_siz; 234| 25| payload_len -= value_siz; 235| 25| } 236| | 237| 14| if(payload_len != 0 || tuple_count != 0) ------------------ | Branch (237:6): [True: 14, False: 0] | Branch (237:26): [True: 0, False: 0] ------------------ 238| 14| return 1; 239| | 240| | /* Ok, write to `flow->protos.softether` */ 241| 0| if(hostname_ptr) { ------------------ | Branch (241:6): [True: 0, False: 0] ------------------ 242| 0| strncpy(flow->protos.softether.hostname, hostname_ptr, hostname_len); 243| 0| flow->protos.softether.hostname[hostname_len] = '\0'; 244| 0| } 245| 0| if(fqdn_ptr) { ------------------ | Branch (245:6): [True: 0, False: 0] ------------------ 246| 0| strncpy(flow->protos.softether.fqdn, fqdn_ptr, fqdn_len); 247| 0| 
flow->protos.softether.fqdn[fqdn_len] = '\0'; 248| 0| } 249| 0| return 0; 250| 14|} softether.c:dissect_softether_type: 77| 72| u_int16_t payload_len) { 78| 72| size_t ret = 0; 79| 72| v->type = t; 80| 72| v->value_size = 0; 81| | 82| 72| switch (t) ------------------ | Branch (82:11): [True: 72, False: 0] ------------------ 83| 72| { 84| 27| case VALUE_INT: ------------------ | Branch (84:5): [True: 27, False: 45] ------------------ 85| 27| if(payload_len < 4) ------------------ | Branch (85:10): [True: 0, False: 27] ------------------ 86| 0| return 0; 87| | 88| 27| v->value.value_int = ntohl(get_u_int32_t(payload, 0)); 89| 27| v->value_size = sizeof(v->value.value_int); 90| 27| ret = v->value_size; 91| 27| break; 92| | 93| 36| case VALUE_DATA: ------------------ | Branch (93:5): [True: 36, False: 36] ------------------ 94| 37| case VALUE_STR: ------------------ | Branch (94:5): [True: 1, False: 71] ------------------ 95| 39| case VALUE_UNISTR: ------------------ | Branch (95:5): [True: 2, False: 70] ------------------ 96| 39| if(payload_len < 4) ------------------ | Branch (96:10): [True: 0, False: 39] ------------------ 97| 0| return 0; 98| | 99| 39| v->value.ptr.raw = payload + 4; 100| 39| u_int32_t siz = ntohl(get_u_int32_t(payload, 0)); 101| 39| if(siz == 0 || (u_int64_t)payload_len < (u_int64_t)siz + sizeof(siz)) ------------------ | Branch (101:10): [True: 2, False: 37] | Branch (101:22): [True: 22, False: 15] ------------------ 102| 24| return 0; 103| | 104| 15| if(t == VALUE_DATA) ------------------ | Branch (104:10): [True: 15, False: 0] ------------------ 105| 15| siz--; 106| | 107| 15| v->value_size = siz; 108| 15| ret = siz + sizeof(siz); 109| 15| break; 110| | 111| 6| case VALUE_INT64: ------------------ | Branch (111:5): [True: 6, False: 66] ------------------ 112| 6| if(payload_len < 8) ------------------ | Branch (112:10): [True: 0, False: 6] ------------------ 113| 0| return 0; 114| | 115| 6| v->value.value_int64 = 
ndpi_ntohll(get_u_int64_t(payload, 0)); ------------------ | | 148| 6|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ 116| 6| v->value_size = sizeof(v->value.value_int64); 117| 6| ret = v->value_size; 118| 6| break; 119| 72| } 120| | 121| 48| if(ret > payload_len) ------------------ | Branch (121:6): [True: 0, False: 48] ------------------ 122| 0| return 0; 123| | 124| 48| return ret; 125| 48|} softether.c:dissect_softether_tuples: 148| 39| struct softether_value *second_value) { 149| 39| enum softether_value_type first_tuple_type; 150| 39| enum softether_value_type second_tuple_type; 151| 39| size_t value_siz; 152| 39| size_t const tuple_type_len = 8; 153| | 154| 39| if(payload_len < tuple_type_len) ------------------ | Branch (154:6): [True: 0, False: 39] ------------------ 155| 0| return 0; 156| | 157| 39| if(softether_type_to_enum(ntohl(get_u_int32_t(payload, 0)), &first_tuple_type) != 0 || ------------------ | Branch (157:6): [True: 10, False: 29] ------------------ 158| 29| softether_type_to_enum(ntohl(get_u_int32_t(payload, 4)), &second_tuple_type) != 0) ------------------ | Branch (158:6): [True: 4, False: 25] ------------------ 159| 14| return 0; 160| | 161| 25| payload += tuple_type_len; 162| 25| payload_len -= tuple_type_len; 163| | 164| 25| value_siz = dissect_softether_type(first_tuple_type, first_value, payload, payload_len); 165| | 166| 25| payload += value_siz; 167| 25| payload_len -= value_siz; 168| | 169| 25| value_siz += dissect_softether_type(second_tuple_type, second_value, payload, payload_len); 170| | 171| 25| return value_siz + tuple_type_len; 172| 39|} softether.c:softether_type_to_enum: 129| 68|static int softether_type_to_enum(u_int32_t type, enum softether_value_type *result) { 130| 68| switch (type) ------------------ | Branch (130:11): [True: 54, False: 14] ------------------ 131| 68| { 132| 29| case VALUE_INT: ------------------ | Branch (132:5): [True: 29, False: 39] ------------------ 133| 44| 
case VALUE_DATA: ------------------ | Branch (133:5): [True: 15, False: 53] ------------------ 134| 45| case VALUE_STR: ------------------ | Branch (134:5): [True: 1, False: 67] ------------------ 135| 47| case VALUE_UNISTR: ------------------ | Branch (135:5): [True: 2, False: 66] ------------------ 136| 54| case VALUE_INT64: ------------------ | Branch (136:5): [True: 7, False: 61] ------------------ 137| 54| *result = (enum softether_value_type)type; 138| 54| return 0; 139| 68| } 140| | 141| 14| return 1; 142| 68|} init_someip_dissector: 195| 7.08k|{ 196| 7.08k| ndpi_register_dissector("SOME/IP", ndpi_struct, 197| 7.08k| ndpi_search_someip, 198| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 199| 7.08k| 1, NDPI_PROTOCOL_SOMEIP); 200| 7.08k|} someip.c:ndpi_search_someip: 96| 16.8k|{ 97| 16.8k| const struct ndpi_packet_struct *packet = &ndpi_struct->packet; 98| | 99| 16.8k| if (packet->payload_packet_len < 16) { ------------------ | Branch (99:7): [True: 1.52k, False: 15.2k] ------------------ 100| 1.52k| NDPI_LOG_DBG(ndpi_struct, ------------------ | | 596| 1.52k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 101| 1.52k| "Excluding SOME/IP .. mandatory header not found (not enough data for all fields)\n"); 102| 1.52k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.52k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 103| 1.52k| return; 104| 1.52k| } 105| | 106| | //####Maybe check carrier protocols?#### 107| | 108| 15.2k| NDPI_LOG_DBG(ndpi_struct, "search SOME/IP\n"); ------------------ | | 596| 15.2k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 109| | 110| | //we extract the Message ID and Request ID and check for special cases later 111| 15.2k| u_int32_t message_id = ntohl(someip_data_cover_32(&packet->payload[0])); 112| 15.2k| u_int32_t request_id = ntohl(someip_data_cover_32(&packet->payload[8])); 113| | 114| 15.2k| NDPI_LOG_DBG2(ndpi_struct, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", ------------------ | | 597| 15.2k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 115| 15.2k| message_id, packet->payload_packet_len); 116| | 117| | //####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2#### 118| | 119| | // we extract the remaining length 120| 15.2k| u_int32_t someip_len = ntohl(someip_data_cover_32(&packet->payload[4])); 121| 15.2k| if (packet->payload_packet_len != (someip_len + 8)) { ------------------ | Branch (121:7): [True: 15.2k, False: 2] ------------------ 122| 15.2k| NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. Length field invalid!\n"); ------------------ | | 596| 15.2k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 123| 15.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 124| 15.2k| return; 125| 15.2k| } 126| | 127| 2| u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); 128| 2| NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); ------------------ | | 597| 2|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 129| 2| if (protocol_version != LEGAL_PROTOCOL_VERSION){ ------------------ | Branch (129:7): [True: 2, False: 0] ------------------ 130| 2| NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. invalid protocol version!\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 131| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 132| 2| return; 133| 2| } 134| | 135| 0| u_int8_t interface_version = (packet->payload[13]); 136| | 137| 0| u_int8_t message_type = (u_int8_t) (packet->payload[14]); 138| 0| message_type &= (~0x20); /* Clear TP bit */ 139| 0| NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP message type: [%d]\n",message_type); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 140| | 141| 0| if ((message_type != SOMEIP_REQUEST) && (message_type != SOMEIP_REQUEST_NO_RETURN) && (message_type != SOMEIP_NOTIFICATION) && (message_type != SOMEIP_REQUEST_ACK) && ------------------ | Branch (141:7): [True: 0, False: 0] | Branch (141:43): [True: 0, False: 0] | Branch (141:89): [True: 0, False: 0] | Branch (141:130): [True: 0, False: 0] ------------------ 142| 0| (message_type != SOMEIP_REQUEST_NO_RETURN_ACK) && (message_type != SOMEIP_NOTIFICATION_ACK) && (message_type != SOMEIP_RESPONSE) && ------------------ | Branch (142:7): [True: 0, False: 0] | Branch (142:57): [True: 0, False: 0] | Branch (142:102): [True: 0, False: 0] ------------------ 143| 0| (message_type != SOMEIP_ERROR) && (message_type != SOMEIP_RESPONSE_ACK) && (message_type != SOMEIP_ERROR_ACK)) { ------------------ | Branch (143:7): [True: 0, False: 0] | Branch (143:41): [True: 0, False: 0] | Branch (143:82): [True: 0, False: 0] ------------------ 144| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. invalid message type!\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 145| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 146| 0| return; 147| 0| } 148| | 149| 0| u_int8_t return_code = (u_int8_t) (packet->payload[15]); 150| 0| NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP return code: [%d]\n", return_code); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 151| 0| if ((return_code >= E_RETURN_CODE_LEGAL_THRESHOLD)) { ------------------ | Branch (151:7): [True: 0, False: 0] ------------------ 152| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. invalid return code!\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 153| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 154| 0| return; 155| 0| } 156| | 157| 0| if (message_id == MSG_MAGIC_COOKIE){ ------------------ | Branch (157:7): [True: 0, False: 0] ------------------ 158| 0| if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && ------------------ | Branch (158:9): [True: 0, False: 0] | Branch (158:38): [True: 0, False: 0] | Branch (158:71): [True: 0, False: 0] ------------------ 159| 0| (message_type == SOMEIP_REQUEST_NO_RETURN) && (return_code == E_OK)){ ------------------ | Branch (159:2): [True: 0, False: 0] | Branch (159:48): [True: 0, False: 0] ------------------ 160| 0| NDPI_LOG_DBG2(ndpi_struct, "found SOME/IP Magic Cookie 0x%x\n",message_type); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 161| 0| ndpi_int_someip_add_connection(ndpi_struct, flow); 162| 0| return; 163| 0| } 164| 0| else{ 165| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP, invalid header for Magic Cookie\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 166| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 167| 0| return; 168| 0| } 169| 0| } 170| | 171| 0| if (message_id == MSG_MAGIC_COOKIE_ACK){ ------------------ | Branch (171:7): [True: 0, False: 0] ------------------ 172| 0| if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && ------------------ | Branch (172:9): [True: 0, False: 0] | Branch (172:38): [True: 0, False: 0] | Branch (172:71): [True: 0, False: 0] ------------------ 173| 0| (message_type == SOMEIP_REQUEST_NO_RETURN) && (return_code == E_OK)){ ------------------ | Branch (173:2): [True: 0, False: 0] | Branch (173:48): [True: 0, False: 0] ------------------ 174| 0| NDPI_LOG_DBG2(ndpi_struct, "found SOME/IP Magic Cookie ACK 0x%x\n",message_type); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 175| 0| ndpi_int_someip_add_connection(ndpi_struct, flow); 176| 0| return; 177| 0| } 178| 0| else{ 179| 0| NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP, invalid header for Magic Cookie ACK\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 180| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 181| 0| return; 182| 0| } 183| 0| } 184| | 185| 0| if (message_id == MSG_SD){ ------------------ | Branch (185:7): [True: 0, False: 0] ------------------ 186| 0| NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported [%d]\n", message_type); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 187| 0| } 188| | 189| 0| ndpi_int_someip_add_connection(ndpi_struct, flow); 190| 0|} someip.c:someip_data_cover_32: 84| 45.8k|{ 85| 45.8k| u_int32_t value; 86| | 87| 45.8k| memcpy(&value,data,sizeof(u_int32_t)); 88| | 89| 45.8k| return value; 90| 45.8k|} ndpi_search_sonos: 36| 3.73k|void ndpi_search_sonos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 37| 3.73k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 38| | 39| 3.73k| NDPI_LOG_DBG(ndpi_struct, "Searching Sonos\n"); ------------------ | | 596| 3.73k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 40| | 41| 3.73k| if((!ndpi_is_public_ipv4(ntohl(packet->iph->daddr))) ------------------ | Branch (41:6): [True: 1.16k, False: 2.56k] ------------------ 42| 1.16k| && ((ntohl(packet->iph->daddr) & 0xF0000000) != 0xE0000000 /* Not a multicast address */)) { ------------------ | Branch (42:9): [True: 955, False: 214] ------------------ 43| 955| if(packet->payload_packet_len == 48) { ------------------ | Branch (43:8): [True: 1, False: 954] ------------------ 44| 1| u_int16_t sonos_port = htons(12301); 45| | 46| 1| if((packet->udp->dest == sonos_port) || (packet->udp->source == sonos_port)) { ------------------ | Branch (46:10): [True: 0, False: 1] | Branch (46:47): [True: 0, False: 1] ------------------ 47| 0| ndpi_sonos_add_connection(ndpi_struct, flow); 48| 0| } 49| 954| } else { 50| 954| u_int16_t sonos_port = htons(7080); 51| | 52| 954| if((packet->udp->dest == sonos_port) ------------------ | Branch (52:10): [True: 0, False: 954] ------------------ 53| 0| && ((packet->payload_packet_len < 200) ------------------ | Branch (53:7): [True: 0, False: 0] ------------------ 54| 0| || ((packet->payload_packet_len > 1000) && (packet->payload_packet_len < 1100)))) { ------------------ | Branch (54:11): [True: 0, False: 0] | Branch (54:50): [True: 0, False: 0] ------------------ 55| 0| ndpi_sonos_add_connection(ndpi_struct, flow); 56| 0| } 57| 954| } 58| 955| } 59| | 60| 3.73k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.73k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 3.73k|} init_sonos_dissector: 65| 7.08k|{ 66| 7.08k| ndpi_register_dissector("Sonos", ndpi_struct, 67| 7.08k| ndpi_search_sonos, 68| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, /* Only IPv4 UDP traffic is expected. 
*/ ------------------ | | 631| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 617| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 69| 7.08k| 1, NDPI_PROTOCOL_SONOS); 70| 7.08k|} init_source_engine_dissector: 98| 7.08k|{ 99| 7.08k| ndpi_register_dissector("Source_Engine", ndpi_struct, 100| 7.08k| ndpi_search_source_engine, 101| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 
606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 102| 7.08k| 1, NDPI_PROTOCOL_SOURCE_ENGINE); 103| 7.08k|} source_engine.c:ndpi_search_source_engine: 46| 3.36k|{ 47| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 48| | 49| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search Source Engine\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 50| | 51| | /* https://developer.valvesoftware.com/wiki/Server_queries */ 52| | 53| | /* A2S request */ 54| 3.36k| if (current_pkt_from_client_to_server(ndpi_struct, flow) && ------------------ | Branch (54:7): [True: 3.16k, False: 195] ------------------ 55| 3.16k| (packet->payload_packet_len > 8 && packet->payload_packet_len < 30) && ------------------ | Branch (55:8): [True: 3.03k, False: 129] | Branch (55:42): [True: 273, False: 2.76k] ------------------ 56| 273| get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF) ------------------ | | 137| 273|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (56:7): [True: 2, False: 271] ------------------ 57| 2| { 58| 2| if (packet->payload[4] == 'T' || /* A2S_INFO */ ------------------ | Branch (58:9): [True: 0, False: 2] ------------------ 59| 2| packet->payload[4] == 'U' || /* A2S_PLAYER */ ------------------ | Branch (59:9): [True: 0, False: 2] ------------------ 60| 2| packet->payload[4] == 'V') /* A2S_RULES */ ------------------ | Branch (60:9): [True: 0, False: 2] ------------------ 61| 0| { 62| 0| ndpi_int_source_engine_add_connection(ndpi_struct, flow); 63| 0| return; 64| 0| } 65| 
2| } 66| | 67| | /* A2S response */ 68| 3.36k| if (current_pkt_from_server_to_client(ndpi_struct, flow)) ------------------ | Branch (68:7): [True: 195, False: 3.16k] ------------------ 69| 195| { 70| | /* Challenge response */ 71| 195| if (packet->payload_packet_len == 9 && ------------------ | Branch (71:9): [True: 1, False: 194] ------------------ 72| 1| get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF && ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (72:9): [True: 0, False: 1] ------------------ 73| 0| packet->payload[4] == 'A') ------------------ | Branch (73:9): [True: 0, False: 0] ------------------ 74| 0| { 75| 0| ndpi_int_source_engine_add_connection(ndpi_struct, flow); 76| 0| return; 77| 0| } 78| | 79| 195| if (packet->payload_packet_len > 30 && /* A reasonable length for euristics */ ------------------ | Branch (79:9): [True: 145, False: 50] ------------------ 80| 145| get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF) ------------------ | | 137| 145|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (80:9): [True: 2, False: 143] ------------------ 81| 2| { 82| 2| if (packet->payload[4] == 'I' || /* A2S_INFO */ ------------------ | Branch (82:11): [True: 0, False: 2] ------------------ 83| 2| packet->payload[4] == 'D' || /* A2S_PLAYER */ ------------------ | Branch (83:11): [True: 0, False: 2] ------------------ 84| 2| packet->payload[4] == 'E') /* A2S_RULES */ ------------------ | Branch (84:11): [True: 0, False: 2] ------------------ 85| 0| { 86| 0| ndpi_int_source_engine_add_connection(ndpi_struct, flow); 87| 0| return; 88| 0| } 89| 2| } 90| 195| } 91| | 92| 3.36k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.36k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 93| 3.36k|} init_spotify_dissector: 80| 
7.08k|{ 81| 7.08k| ndpi_register_dissector("SPOTIFY", ndpi_struct, 82| 7.08k| ndpi_search_spotify, 83| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 84| 7.08k| 1, NDPI_PROTOCOL_SPOTIFY); 85| 7.08k|} spotify.c:ndpi_search_spotify: 72| 
17.8k|{ 73| 17.8k| NDPI_LOG_DBG(ndpi_struct, "search spotify\n"); ------------------ | | 596| 17.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 74| | 75| 17.8k| ndpi_check_spotify(ndpi_struct, flow); 76| 17.8k|} spotify.c:ndpi_check_spotify: 40| 17.8k|{ /* Spotify matcher: reports Spotify for a UDP packet whose source and destination ports are both 57621 and whose payload starts with the 7 bytes SpotUdp, or for a TCP payload of at least 9 bytes with fixed values at offsets 0-3 and 6-8. */ 41| 17.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| 17.8k| u_int32_t payload_len = packet->payload_packet_len; 43| | 44| 17.8k| if(packet->udp != NULL) { ------------------ | Branch (44:6): [True: 4.45k, False: 13.4k] ------------------ 45| 4.45k| u_int16_t spotify_port = htons(57621); 46| | 47| 4.45k| if((packet->udp->source == spotify_port) ------------------ | Branch (47:8): [True: 70, False: 4.38k] ------------------ 48| 70| && (packet->udp->dest == spotify_port)) { ------------------ | Branch (48:11): [True: 69, False: 1] ------------------ 49| 69| if(payload_len >= 7) { /* length guard for the 7-byte memcmp on the next line */ ------------------ | Branch (49:10): [True: 69, False: 0] ------------------ 50| 69| if(memcmp(packet->payload, "SpotUdp", 7) == 0) { ------------------ | Branch (50:5): [True: 68, False: 1] ------------------ 51| 68| NDPI_LOG_INFO(ndpi_struct, "found spotify udp dissector\n"); ------------------ | | 595| 68|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 68| ndpi_int_spotify_add_connection(ndpi_struct, flow); 53| 68| return; 54| 68| } 55| 69| } 56| 69| } 57| 13.4k| } else if(packet->tcp != NULL) { ------------------ | Branch (57:13): [True: 13.4k, False: 0] ------------------ 58| | 59| 13.4k| if(payload_len >= 9 && packet->payload[0] == 0x00 && packet->payload[1] == 0x04 && ------------------ | Branch (59:8): [True: 12.5k, False: 876] | Branch (59:28): [True: 1.15k, False: 11.4k] | Branch (59:58): [True: 4, False: 1.14k] ------------------ 60| 4| packet->payload[2] == 0x00 && packet->payload[3] == 0x00&& ------------------ | Branch (60:8): [True: 2, False: 2] | Branch (60:38): [True: 1, False: 1] ------------------ 61| 1| packet->payload[6] == 0x52 && (packet->payload[7] == 0x0e || packet->payload[7] == 0x0f) && ------------------ | Branch (61:8): [True: 0, False: 1] | Branch (61:39): [True: 0, False: 0] | Branch (61:69): [True: 0, False: 0] ------------------ 62| 0| packet->payload[8] == 0x50 ) { /* the payload_len >= 9 test is the first operand of the && chain, so offsets 0..8 are read only when they exist; the execution count of 0 means this run never matched the TCP signature */ ------------------ | Branch (62:8): [True: 0, False: 0] ------------------ 63| 0| NDPI_LOG_INFO(ndpi_struct, "found spotify tcp dissector\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 64| 0| ndpi_int_spotify_add_connection(ndpi_struct, flow); /* NOTE(review): unlike the UDP branch there is no return after this call, so a TCP match falls through to NDPI_EXCLUDE_DISSECTOR below; the effect of excluding the dissector right after a detection is not visible in this listing - confirm it is intended or add a return */ 65| 0| } 66| 13.4k| } 67| | 68| 17.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 69| 17.8k|} spotify.c:ndpi_int_spotify_add_connection: 34| 68|{ 35| 68| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 36| 68|} init_ssdp_dissector: 207| 7.08k|{ 208| 7.08k| ndpi_register_dissector("SSDP", ndpi_struct, 209| 7.08k| ndpi_search_ssdp, 210| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | 
| | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 211| 7.08k| 1, NDPI_PROTOCOL_SSDP); 212| 7.08k|} ssdp.c:ndpi_search_ssdp: 167| 5.07k|{ 168| 5.07k| struct ndpi_packet_struct *packet 
= &ndpi_struct->packet; 169| | 170| 5.07k| NDPI_LOG_DBG(ndpi_struct, "search ssdp\n"); ------------------ | | 596| 5.07k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 171| | 172| 5.07k| if (packet->udp != NULL) { ------------------ | Branch (172:7): [True: 5.07k, False: 0] ------------------ 173| 5.07k| if (packet->payload_packet_len >= 19) { /* NOTE(review): the memcmp calls below read strlen(detection_line) payload bytes, so this guard is sufficient only while every SSDP_METHODS detection_line is at most 19 bytes; the table is outside this excerpt - confirm */ ------------------ | Branch (173:9): [True: 4.85k, False: 221] ------------------ 174| 4.85k| unsigned int i; 175| | 176| 13.6k| for (i=0; i < sizeof(SSDP_METHODS)/sizeof(SSDP_METHODS[0]); i++) { ------------------ | Branch (176:17): [True: 9.25k, False: 4.34k] ------------------ 177| 9.25k| if(memcmp(packet->payload, SSDP_METHODS[i].detection_line, strlen(SSDP_METHODS[i].detection_line)) == 0) { ------------------ | Branch (177:12): [True: 503, False: 8.75k] ------------------ 178| 503| if(ndpi_struct->cfg.ssdp_metadata_enabled) { ------------------ | Branch (178:14): [True: 503, False: 0] ------------------ 179| 503| flow->protos.ssdp.method = ndpi_malloc(strlen(SSDP_METHODS[i].detection_line) + 1); /* NOTE(review): the buffer is sized from detection_line but filled from .method two lines below; that stays in bounds only if method is never longer than detection_line - sizing by strlen(SSDP_METHODS[i].method) + 1 would make the bound self-evident */ 180| | 181| 503| if (flow->protos.ssdp.method) { /* allocation failure is tolerated: the method string is simply not recorded (22 of 503 here) */ ------------------ | Branch (181:17): [True: 481, False: 22] ------------------ 182| 481| memcpy(flow->protos.ssdp.method, SSDP_METHODS[i].method, strlen(SSDP_METHODS[i].method)); 183| 481| flow->protos.ssdp.method[strlen(SSDP_METHODS[i].method)] = '\0'; 184| 481| } 185| 503| } 
186| | 187| 503| NDPI_LOG_INFO(ndpi_struct, "found ssdp\n"); ------------------ | | 595| 503|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 188| 503| ndpi_int_ssdp_add_connection(ndpi_struct, flow); 189| 503| return; 190| 503| } 191| 9.25k| } 192| | 193| 4.34k|#define SSDP_HTTP "HTTP/1.1 200 OK\r\n" 194| 4.34k| if(memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0) { ------------------ | | 193| 4.34k|#define SSDP_HTTP "HTTP/1.1 200 OK\r\n" ------------------ if(memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0) { ------------------ | | 193| 4.34k|#define SSDP_HTTP "HTTP/1.1 200 OK\r\n" ------------------ | Branch (194:10): [True: 9, False: 4.33k] ------------------ 195| 9| NDPI_LOG_INFO(ndpi_struct, "found ssdp\n"); ------------------ | | 595| 9|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 196| 9| ndpi_int_ssdp_add_connection(ndpi_struct, flow); 197| 9| return; 198| 9| } 199| 4.34k| } 200| 5.07k| } 201| | 202| 4.55k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4.55k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 203| 4.55k|} ssdp.c:ndpi_int_ssdp_add_connection: 159| 512|{ 160| 512| if(ndpi_struct->cfg.ssdp_metadata_enabled) ------------------ | Branch (160:6): [True: 512, False: 0] ------------------ 161| 512| ssdp_parse_lines(ndpi_struct, flow); 162| 512| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSDP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 163| 512|} ssdp.c:ssdp_parse_lines: 42| 512|{ 43| 512| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| 512| ndpi_parse_packet_line_info(ndpi_struct, flow); 46| | 47| | /* Save user-agent for device discovery if available */ 48| 512| if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > 0) { ------------------ | Branch (48:6): [True: 41, False: 471] | Branch (48:45): [True: 41, False: 0] ------------------ 49| 41| if (ndpi_user_agent_set(flow, 
packet->user_agent_line.ptr, packet->user_agent_line.len) == NULL) ------------------ | Branch (49:9): [True: 1, False: 40] ------------------ 50| 1| { 51| 1| NDPI_LOG_DBG2(ndpi_struct, "Could not set SSDP user agent\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 52| 1| } 53| 41| } 54| | 55| | /* Save host which provides a service if available */ 56| 512| if (packet->host_line.ptr != NULL && packet->host_line.len > 0) { ------------------ | Branch (56:7): [True: 451, False: 61] | Branch (56:40): [True: 451, False: 0] ------------------ 57| 451| ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL | NDPI_HOSTNAME_NORM_STRIP_PORT); ------------------ | | 516| 451|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 451|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 451|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 451|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ ndpi_hostname_sni_set(flow, packet->host_line.ptr, packet->host_line.len, NDPI_HOSTNAME_NORM_ALL | NDPI_HOSTNAME_NORM_STRIP_PORT); ------------------ | | 515| 451|#define NDPI_HOSTNAME_NORM_STRIP_PORT 8 /* Used by SSDP/HTTP, for the time being */ ------------------ 58| 451| } 59| | 60| 512| if (packet->bootid.ptr != NULL && packet->bootid.len > 0) { ------------------ | Branch (60:7): [True: 0, False: 512] | Branch (60:37): [True: 0, False: 0] ------------------ 61| 0| flow->protos.ssdp.bootid = 
ndpi_malloc(packet->bootid.len + 1); /* one extra byte for the terminator written at index len below; the bootid copy shows an execution count of 0 in this run */ 62| 0| if (flow->protos.ssdp.bootid) { ------------------ | Branch (62:9): [True: 0, False: 0] ------------------ 63| 0| memcpy(flow->protos.ssdp.bootid, packet->bootid.ptr, packet->bootid.len); 64| 0| flow->protos.ssdp.bootid[packet->bootid.len] = '\0'; 65| 0| } 66| 0| } 67| | 68| 512| if (packet->usn.ptr != NULL && packet->usn.len > 0) { ------------------ | Branch (68:7): [True: 4, False: 508] | Branch (68:34): [True: 4, False: 0] ------------------ 69| 4| flow->protos.ssdp.usn = ndpi_malloc(packet->usn.len + 1); /* NOTE(review): here and in the sibling fields the previous pointer value is overwritten without being freed; whether this function can run more than once for the same flow is not visible in this excerpt - confirm there is no leak */ 70| 4| if (flow->protos.ssdp.usn) { ------------------ | Branch (70:9): [True: 4, False: 0] ------------------ 71| 4| memcpy(flow->protos.ssdp.usn, packet->usn.ptr, packet->usn.len); 72| 4| flow->protos.ssdp.usn[packet->usn.len] = '\0'; 73| 4| } 74| 4| } 75| | 76| 512| if (packet->cache_controle.ptr != NULL && packet->cache_controle.len > 0) { ------------------ | Branch (76:7): [True: 3, False: 509] | Branch (76:45): [True: 3, False: 0] ------------------ 77| 3| flow->protos.ssdp.cache_controle = ndpi_malloc(packet->cache_controle.len + 1); 78| 3| if (flow->protos.ssdp.cache_controle) { /* a failed allocation leaves the field unset and the header is skipped (1 of 3 here) */ ------------------ | Branch (78:9): [True: 2, False: 1] ------------------ 79| 2| memcpy(flow->protos.ssdp.cache_controle, packet->cache_controle.ptr, packet->cache_controle.len); 80| 2| flow->protos.ssdp.cache_controle[packet->cache_controle.len] = '\0'; 81| 2| } 82| 3| } 83| | 84| 512| if (packet->location.ptr != NULL && packet->location.len > 0) { ------------------ | Branch (84:7): [True: 0, 
False: 512] | Branch (84:39): [True: 0, False: 0] ------------------ 85| 0| flow->protos.ssdp.location = ndpi_malloc(packet->location.len + 1); /* not reached in this run (count 0), so this copy path is untested here */ 86| 0| if (flow->protos.ssdp.location) { ------------------ | Branch (86:9): [True: 0, False: 0] ------------------ 87| 0| memcpy(flow->protos.ssdp.location, packet->location.ptr, packet->location.len); 88| 0| flow->protos.ssdp.location[packet->location.len] = '\0'; 89| 0| } 90| 0| } 91| | 92| 512| if 
(packet->securelocation_upnp.ptr != NULL && packet->securelocation_upnp.len > 0) { ------------------ | Branch (92:7): [True: 6, False: 506] | Branch (92:50): [True: 6, False: 0] ------------------ 93| 6| flow->protos.ssdp.securelocation_upnp = ndpi_malloc(packet->securelocation_upnp.len + 1); 94| 6| if (flow->protos.ssdp.securelocation_upnp) { ------------------ | Branch (94:9): [True: 4, False: 2] ------------------ 95| 4| memcpy(flow->protos.ssdp.securelocation_upnp, packet->securelocation_upnp.ptr, packet->securelocation_upnp.len); 96| 4| flow->protos.ssdp.securelocation_upnp[packet->securelocation_upnp.len] = '\0'; 97| 4| } 98| 6| } 99| | 100| 512| if (packet->nt.ptr != NULL && packet->nt.len > 0) { ------------------ | Branch (100:7): [True: 10, False: 502] | Branch (100:33): [True: 10, False: 0] ------------------ 101| 10| flow->protos.ssdp.nt = ndpi_malloc(packet->nt.len + 1); 102| 10| if (flow->protos.ssdp.nt) { ------------------ | Branch (102:9): [True: 8, False: 2] ------------------ 103| 8| memcpy(flow->protos.ssdp.nt, packet->nt.ptr, packet->nt.len); 104| 8| flow->protos.ssdp.nt[packet->nt.len] = '\0'; 105| 8| } 106| 10| } 107| | 108| 512| if (packet->nts.ptr != NULL && packet->nts.len > 0) { ------------------ | Branch (108:7): [True: 0, False: 512] | Branch (108:34): [True: 0, False: 0] ------------------ 109| 0| flow->protos.ssdp.nts = ndpi_malloc(packet->nts.len + 1); 110| 0| if (flow->protos.ssdp.nts) { ------------------ | Branch (110:9): [True: 0, False: 0] ------------------ 111| 0| memcpy(flow->protos.ssdp.nts, packet->nts.ptr, packet->nts.len); 112| 0| flow->protos.ssdp.nts[packet->nts.len] = '\0'; 113| 0| } 114| 0| } 115| | 116| 512| if (packet->server_line.ptr != NULL && packet->server_line.len > 0) { ------------------ | Branch (116:7): [True: 1, False: 511] | Branch (116:42): [True: 1, False: 0] ------------------ 117| 1| flow->protos.ssdp.server = ndpi_malloc(packet->server_line.len + 1); 118| 1| if (flow->protos.ssdp.server) { 
------------------ | Branch (118:9): [True: 1, False: 0] ------------------ 119| 1| memcpy(flow->protos.ssdp.server, packet->server_line.ptr, packet->server_line.len); 120| 1| flow->protos.ssdp.server[packet->server_line.len] = '\0'; 121| 1| } 122| 1| } 123| | 124| 512| if (packet->man.ptr != NULL && packet->man.len > 0) { ------------------ | Branch (124:7): [True: 435, False: 77] | Branch (124:34): [True: 435, False: 0] ------------------ 125| 435| flow->protos.ssdp.man = ndpi_malloc(packet->man.len + 1); 126| 435| if (flow->protos.ssdp.man) { ------------------ | Branch (126:9): [True: 418, False: 17] ------------------ 127| 418| memcpy(flow->protos.ssdp.man, packet->man.ptr, packet->man.len); 128| 418| flow->protos.ssdp.man[packet->man.len] = '\0'; 129| 418| } 130| 435| } 131| | 132| 512| if (packet->mx.ptr != NULL && packet->mx.len > 0) { ------------------ | Branch (132:7): [True: 434, False: 78] | Branch (132:33): [True: 434, False: 0] ------------------ 133| 434| flow->protos.ssdp.mx = ndpi_malloc(packet->mx.len + 1); 134| 434| if (flow->protos.ssdp.mx) { ------------------ | Branch (134:9): [True: 415, False: 19] ------------------ 135| 415| memcpy(flow->protos.ssdp.mx, packet->mx.ptr, packet->mx.len); 136| 415| flow->protos.ssdp.mx[packet->mx.len] = '\0'; 137| 415| } 138| 434| } 139| | 140| 512| if (packet->st.ptr != NULL && packet->st.len > 0) { ------------------ | Branch (140:7): [True: 431, False: 81] | Branch (140:33): [True: 431, False: 0] ------------------ 141| 431| flow->protos.ssdp.st = ndpi_malloc(packet->st.len + 1); 142| 431| if (flow->protos.ssdp.st) { ------------------ | Branch (142:9): [True: 414, False: 17] ------------------ 143| 414| memcpy(flow->protos.ssdp.st, packet->st.ptr, packet->st.len); 144| 414| flow->protos.ssdp.st[packet->st.len] = '\0'; 145| 414| } 146| 431| } 147| | 148| 512| if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > 0) { ------------------ | Branch (148:7): [True: 41, False: 471] | Branch 
(148:46): [True: 41, False: 0] ------------------ 149| 41| flow->protos.ssdp.user_agent = ndpi_malloc(packet->user_agent_line.len + 1); 150| 41| if (flow->protos.ssdp.user_agent) { ------------------ | Branch (150:9): [True: 40, False: 1] ------------------ 151| 40| memcpy(flow->protos.ssdp.user_agent, packet->user_agent_line.ptr, packet->user_agent_line.len); 152| 40| flow->protos.ssdp.user_agent[packet->user_agent_line.len] = '\0'; 153| 40| } 154| 41| } 155| 512|} init_ssh_dissector: 587| 7.08k|{ 588| 7.08k| ndpi_register_dissector("SSH", ndpi_struct, 589| 7.08k| ndpi_search_ssh_tcp, 590| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 591| 7.08k| 1, NDPI_PROTOCOL_SSH); 592| 7.08k|} ssh.c:ndpi_search_ssh_tcp: 448| 13.4k| struct ndpi_flow_struct *flow) { 449| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 450| | 451| |#ifdef SSH_DEBUG 452| | printf("[SSH] %s()\n", __FUNCTION__); 453| |#endif 454| | 455| 13.4k| if(flow->l4.tcp.ssh_stage <= 1) { ------------------ | Branch (455:6): [True: 13.4k, False: 0] ------------------ 456| 13.4k| if(packet->payload_packet_len > 7 && memcmp(packet->payload, "SSH-", 4) == 0) { ------------------ | Branch (456:8): [True: 12.6k, False: 810] | Branch (456:42): [True: 6, False: 12.6k] ------------------ 457| 6| if(current_pkt_from_client_to_server(ndpi_struct, flow)) { ------------------ | Branch (457:10): [True: 3, False: 3] ------------------ 458| 3| int len = ndpi_min(sizeof(flow->protos.ssh.client_signature)-1, packet->payload_packet_len); ------------------ | | 113| 3|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 1, False: 2] | | ------------------ ------------------ 459| | 460| 3| strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); /* len was capped at sizeof(client_signature)-1 by the ndpi_min on the preceding statement, and the next statement writes the terminator at index len, so the copy stays inside the array and is always terminated */ 461| 3| flow->protos.ssh.client_signature[len] = '\0'; 462| 3| ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); 463| | 464| 3| ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.client_signature, 1); 465| | 466| |#ifdef SSH_DEBUG 467| | printf("[SSH] [client_signature: %s]\n", flow->protos.ssh.client_signature); 468| |#endif 469| | 470| 3| ndpi_int_ssh_add_connection(ndpi_struct, flow); 471| 3| } else { 472| 3| int len = ndpi_min(sizeof(flow->protos.ssh.server_signature)-1, packet->payload_packet_len); /* same bounded copy for the server banner; ndpi_min is a macro that expands a and b without parentheses, which is harmless for these two operands */ ------------------ | | 113| 3|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 3] | | ------------------ ------------------ 473| | 474| 3| strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); 475| 3| flow->protos.ssh.server_signature[len] = '\0'; 476| 3| ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); 477| | 478| 3| ssh_analyze_signature_version(ndpi_struct, flow, flow->protos.ssh.server_signature, 0); 479| | 480| |#ifdef SSH_DEBUG 481| | printf("[SSH] [server_signature: %s]\n", flow->protos.ssh.server_signature); 482| |#endif 483| | 484| 3| NDPI_LOG_DBG2(ndpi_struct, "ssh stage 1 passed\n"); ------------------ | | 597| 3|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 485| 3| flow->fast_callback_protocol_id = NDPI_PROTOCOL_SSH; 486| | 487| |#ifdef SSH_DEBUG 488| | printf("[SSH] [completed stage: %u]\n", flow->l4.tcp.ssh_stage); 489| |#endif 490| 3| } 491| | 492| 6| flow->l4.tcp.ssh_stage++; 493| 6| return; 494| 6| } 495| 13.4k| } else if(packet->payload_packet_len > 5) { /* NOTE(review): every statement inside this branch shows an execution count of 0, so the key-exchange and HASSH path below was not exercised in this coverage run */ ------------------ | Branch (495:13): [True: 0, False: 0] ------------------ 496| 0| u_int8_t msgcode = *(packet->payload + 5); /* offset 5 is readable because the branch requires payload_packet_len > 5 */ 497| 0| ndpi_MD5_CTX ctx; 498| | 499| 0| if(msgcode == 20 /* key exchange init */) { ------------------ | Branch (499:8): [True: 0, False: 0] ------------------ 500| 0| if(ndpi_struct->cfg.ssh_hassh_fingerprint_enabled || ndpi_struct->cfg.ssh_hassh_data_enabled) { ------------------ | Branch (500:10): [True: 0, False: 0] | Branch (500:60): [True: 0, False: 0] ------------------ 501| 0| char *hassh_buf = ndpi_calloc(packet->payload_packet_len, sizeof(char)); /* NOTE(review): hassh_buf holds exactly payload_packet_len bytes; concat_hash_string is defined outside this excerpt, so whether its writes stay within that size cannot be checked here - confirm */ 502| 0| u_int i, len; 503| | 504| |#ifdef SSH_DEBUG 505| | printf("[SSH] [stage: %u][msg: %u][direction: %u][key exchange init]\n", flow->l4.tcp.ssh_stage, msgcode, packet->packet_direction); 506| |#endif 507| | 508| 0| if(hassh_buf) { ------------------ | Branch (508:5): [True: 0, False: 0] ------------------ 509| 0| if(packet->packet_direction == 0 /* client */) { ------------------ | Branch (509:7): [True: 0, False: 0] ------------------ 510| 0| u_char fingerprint_client[16]; 511| | 512| 0| len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 1 /* client */); 513| | 514| 0| 
if(ndpi_struct->cfg.ssh_hassh_fingerprint_enabled) { ------------------ | Branch (514:9): [True: 0, False: 0] ------------------ 515| 0| ndpi_MD5Init(&ctx); 516| 0| ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); 517| 0| ndpi_MD5Final(fingerprint_client, &ctx); 518| | 519| |#ifdef SSH_DEBUG 520| | { 521| | printf("[SSH] [client][%s][", hassh_buf); 522| | for(i=0; i<16; i++) printf("%02X", fingerprint_client[i]); 523| | printf("]\n"); 
524| | } 525| |#endif 526| 0| for(i=0; i<16; i++) ------------------ | Branch (526:17): [True: 0, False: 0] ------------------ 527| 0| snprintf(&flow->protos.ssh.hassh_client[i*2], 528| 0| sizeof(flow->protos.ssh.hassh_client) - (i*2), 529| 0| "%02X", fingerprint_client[i] & 0xFF); 530| | 531| 0| flow->protos.ssh.hassh_client[32] = '\0'; /* 16 digest bytes hex-encode to 32 characters; writing index 32 assumes hassh_client holds at least 33 bytes - its declaration is not in this excerpt, confirm */ 532| 0| } 533| 0| } else { 534| 0| u_char fingerprint_server[16]; 535| | 536| 0| len = concat_hash_string(ndpi_struct, flow, packet, hassh_buf, 0 /* server */); 537| | 538| 0| if(ndpi_struct->cfg.ssh_hassh_fingerprint_enabled) { ------------------ | Branch (538:9): [True: 0, False: 0] ------------------ 539| 0| ndpi_MD5Init(&ctx); 540| 0| ndpi_MD5Update(&ctx, (const unsigned char *)hassh_buf, len); 541| 0| ndpi_MD5Final(fingerprint_server, &ctx); 542| | 543| |#ifdef SSH_DEBUG 544| | { 545| | printf("[SSH] [server][%s][", hassh_buf); 546| | for(i=0; i<16; i++) printf("%02X", fingerprint_server[i]); 547| | printf("]\n"); 548| | } 549| |#endif 550| | 551| 0| for(i=0; i<16; i++) ------------------ | Branch (551:17): [True: 0, False: 0] ------------------ 552| 0| snprintf(&flow->protos.ssh.hassh_server[i*2], 553| 0| sizeof(flow->protos.ssh.hassh_server) - (i*2), 554| 0| "%02X", fingerprint_server[i] & 0xFF); 555| 0| flow->protos.ssh.hassh_server[32] = '\0'; 556| 0| } 557| 0| } 558| | 559| 0| ndpi_free(hassh_buf); /* released after both the client and the server path; a failed calloc skips fingerprinting entirely */ 560| 0| } 561| 0| } 562| | 563| 0| ndpi_int_ssh_add_connection(ndpi_struct, flow); 564| 0| } 565| | 566| 0| if((flow->protos.ssh.hassh_client[0] != '\0') && (flow->protos.ssh.hassh_server[0] != '\0')) { ------------------ | Branch (566:8): [True: 0, False: 0] | Branch (566:54): [True: 0, False: 0] ------------------ 567| |#ifdef SSH_DEBUG 568| | printf("[SSH] 
Dissection completed\n"); 569| |#endif 570| 0| flow->extra_packets_func = NULL; /* We're good now */ 571| 0| } 572| | 573| 0| return; 574| 0| } 575| | 576| |#ifdef SSH_DEBUG 577| | printf("[SSH] Excluding SSH"); 578| |#endif 579| | 580| 13.4k| NDPI_LOG_DBG(ndpi_struct, 
"excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 581| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 582| 13.4k|} ssh.c:ndpi_ssh_zap_cr: 434| 6|static void ndpi_ssh_zap_cr(char *str, int len) { /* Cuts str at the first CR or LF found within its first len bytes by overwriting that byte with a terminator. */ 435| 6| int i; 436| | 437| 217| for(i = 0; i < len; i++) { ------------------ | Branch (437:14): [True: 211, False: 6] ------------------ 438| 211| if((str[i] == '\n') || (str[i] == '\r')) { ------------------ | Branch (438:8): [True: 0, False: 211] | Branch (438:28): [True: 0, False: 211] ------------------ 439| 0| str[i] = '\0'; 440| 0| break; 441| 0| } 442| 211| } 443| 6|} ssh.c:ssh_analyze_signature_version: 74| 6| u_int8_t is_client_signature) { 75| 6| u_int i; 76| 6| u_int8_t obsolete_ssh_version = 0; /* the table below pairs one sscanf pattern per SSH implementation with three numbers; the comparison further down reads them as .major, .minor and .patch and treats a lower parsed version as obsolete (the field order of ssh_pattern is declared outside this excerpt) */ 77| 6| const ssh_pattern ssh_servers_strings[] = 78| 6| { 79| 6| { (const char*)"SSH-%*f-OpenSSH_%d.%d.%d", 7, 0, 0 }, /* OpenSSH */ 80| 6| { (const char*)"SSH-%*f-APACHE-SSHD-%d.%d.%d", 2, 5, 1 }, /* Apache MINA SSHD */ 81| 6| { (const char*)"SSH-%*f-FileZilla_%d.%d.%d", 3, 40, 0 }, /* FileZilla SSH*/ 82| 6| { (const char*)"SSH-%*f-paramiko_%d.%d.%d", 2, 4, 0 }, /* Paramiko SSH */ 83| 6| { (const char*)"SSH-%*f-dropbear_%d.%d", 2020, 0, 0 }, /* Dropbear SSH */ 84| 6| { NULL, 0, 0, 0 } 85| 6| }; 86| | 87| 36| for(i = 0; ssh_servers_strings[i].signature != NULL; i++) { ------------------ | 
Branch (87:14): [True: 30, False: 6] ------------------ 88| 30| int matches; 89| 30| int major = 0; 90| 30| int minor = 0; 91| 30| int patch = 0; 92| 30| matches = sscanf(str_to_check, ssh_servers_strings[i].signature, &major, &minor, &patch); 93| | 94| 30| if(matches == 3 || matches == 2) { /* NOTE(review): none of the 30 sscanf attempts in this run matched, so the version comparison and the risk flagging that follow show zero executions */ ------------------ | Branch (94:8): [True: 0, False: 30] | Branch (94:24): [True: 0, 
False: 30] ------------------ 95| | /* checking if is an old version */ 96| 0| if(major < ssh_servers_strings[i].major) ------------------ | Branch (96:10): [True: 0, False: 0] ------------------ 97| 0| obsolete_ssh_version = 1; 98| 0| else if(major == ssh_servers_strings[i].major) { ------------------ | Branch (98:15): [True: 0, False: 0] ------------------ 99| 0| if(minor < ssh_servers_strings[i].minor) ------------------ | Branch (99:5): [True: 0, False: 0] ------------------ 100| 0| obsolete_ssh_version = 1; 101| 0| else if(minor == ssh_servers_strings[i].minor) ------------------ | Branch (101:10): [True: 0, False: 0] ------------------ 102| 0| if(patch < ssh_servers_strings[i].patch) ------------------ | Branch (102:7): [True: 0, False: 0] ------------------ 103| 0| obsolete_ssh_version = 1; 104| 0| } 105| | 106| |#ifdef SSH_DEBUG 107| | printf("[SSH] [SSH Version: %d.%d.%d]\n", major, minor, patch); 108| |#endif 109| | 110| 0| break; 111| 0| } 112| 30| } 113| | 114| 6| if(obsolete_ssh_version) ------------------ | Branch (114:6): [True: 0, False: 6] ------------------ 115| 0| ndpi_set_risk(ndpi_struct, flow, 116| 0| (is_client_signature ? 
NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER : NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER), ------------------ | Branch (116:20): [True: 0, False: 0] ------------------ 117| | NULL); 118| 6|} ssh.c:ndpi_int_ssh_add_connection: 206| 3| *ndpi_struct, struct ndpi_flow_struct *flow) { 207| 3| if(flow->extra_packets_func != NULL) ------------------ | Branch (207:6): [True: 0, False: 3] ------------------ 208| 0| return; 209| | 210| 3| flow->max_extra_packets_to_check = 12; 211| 3| flow->extra_packets_func = search_ssh_again; 212| | 213| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 214| 3|} ssh.c:search_ssh_again: 189| 1|static int search_ssh_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 190| 1| ndpi_search_ssh_tcp(ndpi_struct, flow); 191| | 192| 1| if((flow->protos.ssh.hassh_client[0] != '\0') ------------------ | Branch (192:6): [True: 0, False: 1] ------------------ 193| 0| && (flow->protos.ssh.hassh_server[0] != '\0')) { ------------------ | Branch (193:9): [True: 0, False: 0] ------------------ 194| | /* stop extra processing */ 195| 0| flow->extra_packets_func = NULL; /* We're good now */ 196| 0| return(0); 197| 0| } 198| | 199| | /* Possibly more processing */ 200| 1| return(1); 201| 1|} init_steam_dissector: 57| 7.08k|{ 58| 7.08k| ndpi_register_dissector("Steam", ndpi_struct, 59| 7.08k| ndpi_search_steam, 60| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | 
------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 61| 7.08k| 1, NDPI_PROTOCOL_STEAM); 62| 7.08k|} steam.c:ndpi_search_steam: 34| 5.07k|{ 35| 5.07k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 36| | 37| 5.07k| NDPI_LOG_DBG(ndpi_struct, "search Steam\n"); ------------------ | | 596| 5.07k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 38| | 39| | /* Steam In-Home Streaming Discovery */ 40| 5.07k| if (packet->payload_packet_len >= 40) ------------------ | Branch (40:7): [True: 4.54k, False: 537] ------------------ 41| 4.54k| { 42| 4.54k| if (le64toh(get_u_int64_t(packet->payload, 0)) == 0xA05F4C21FFFFFFFF) ------------------ | Branch (42:9): [True: 2, False: 4.53k] ------------------ 43| 2| { 44| 2| NDPI_LOG_INFO(ndpi_struct, "found Steam In-Home Streaming Discovery\n"); ------------------ | | 595| 2|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| 2| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, 46| 2| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 47| 2| return; 48| 2| } 49| 4.54k| } 50| | 51| | /* TODO: implement Steam Remote Play detection */ 52| | 53| 5.07k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.07k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 54| 5.07k|} init_valve_sdr_dissector: 61| 7.08k|{ 62| 7.08k| ndpi_register_dissector("SteamDatagramRelay", ndpi_struct, 63| 7.08k| ndpi_search_valve_sdr, 64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_VALVE_SDR); 66| 7.08k|} steam_datagram_relay.c:ndpi_search_valve_sdr: 42| 3.37k|{ 43| 3.37k| struct ndpi_packet_struct const 
* const packet = &ndpi_struct->packet; 44| | 45| 3.37k| NDPI_LOG_DBG(ndpi_struct, "search Steam Datagram Relay\n"); ------------------ | | 596| 3.37k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | 47| | /* Shortest ping packet I've ever seen. It's actually only 30 bytes long, 48| | * but the rest is filled with zeros. */ 49| 3.37k| if (packet->payload_packet_len >= 100) { ------------------ | Branch (49:7): [True: 1.29k, False: 2.08k] ------------------ 50| 1.29k| if (memcmp(&packet->payload[2], "sdping", NDPI_STATICSTRING_LEN("sdping")) == 0) ------------------ | | 98| 1.29k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (50:9): [True: 3, False: 1.29k] ------------------ 51| 3| { 52| 3| ndpi_int_valve_sdr_add_connection(ndpi_struct, flow); 53| 3| return; 54| 3| } 55| 1.29k| } 56| | 57| 3.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 3.37k|} steam_datagram_relay.c:ndpi_int_valve_sdr_add_connection: 34| 3|{ 35| 3| NDPI_LOG_INFO(ndpi_struct, "found Steam Datagram Relay\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 36| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VALVE_SDR, 37| 3| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 38| 3|} init_stomp_dissector: 69| 7.08k|{ 70| 7.08k| ndpi_register_dissector("STOMP", ndpi_struct, 71| 7.08k| ndpi_search_stomp, 72| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | 
------------------ ------------------ 73| 7.08k| 1, NDPI_PROTOCOL_STOMP); 74| 7.08k|} stomp.c:ndpi_search_stomp: 44| 11.6k|{ 45| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | 47| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search STOMP\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 48| | 49| 11.6k| if (packet->payload_packet_len > 26 && ------------------ | Branch (49:7): [True: 6.49k, False: 5.15k] ------------------ 50| 6.49k| current_pkt_from_client_to_server(ndpi_struct, flow) && ------------------ | Branch (50:7): [True: 5.37k, False: 1.11k] ------------------ 51| 5.37k| memcmp(packet->payload, "STOMP", NDPI_STATICSTRING_LEN("STOMP")) == 0) ------------------ | | 98| 5.37k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (51:7): [True: 3, False: 5.37k] ------------------ 52| 3| { 53| 3| ndpi_int_stomp_add_connection(ndpi_struct, flow); 54| 3| return; 55| 3| } 56| | 57| 11.6k| if (packet->payload_packet_len > 100 && ------------------ | Branch (57:7): [True: 2.38k, False: 9.26k] ------------------ 58| 2.38k| current_pkt_from_server_to_client(ndpi_struct, flow) && ------------------ | Branch (58:7): [True: 573, False: 1.81k] ------------------ 59| 573| memcmp(packet->payload, "CONNECTED", NDPI_STATICSTRING_LEN("CONNECTED")) == 0) ------------------ | | 98| 573|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (59:7): [True: 1, False: 572] ------------------ 60| 1| { 61| 1| ndpi_int_stomp_add_connection(ndpi_struct, flow); 62| 1| return; 63| 1| } 64| | 65| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 11.6k|} stomp.c:ndpi_int_stomp_add_connection: 35| 4|{ 36| 4| NDPI_LOG_INFO(ndpi_struct, "found 
STOMP\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 37| 4| ndpi_set_detected_protocol(ndpi_struct, flow, 38| 4| NDPI_PROTOCOL_STOMP, NDPI_PROTOCOL_UNKNOWN, 39| 4| NDPI_CONFIDENCE_DPI); 40| 4|} is_stun: 359| 36.5k| ndpi_protocol_category_t *category) { 360| 36.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 361| 36.5k| u_int16_t msg_type, msg_len, method; 362| 36.5k| int off; 363| 36.5k| const u_int8_t *payload = packet->payload; 364| 36.5k| u_int16_t payload_length = packet->payload_packet_len; 365| 36.5k| const u_int8_t *orig_payload; 366| 36.5k| u_int16_t orig_payload_length; 367| 36.5k| u_int32_t magic_cookie; 368| 36.5k| u_int32_t transaction_id[3]; 369| | 370| 36.5k| *category = NDPI_PROTOCOL_CATEGORY_UNSPECIFIED; 371| | 372| 36.5k| if(payload_length < STUN_HDR_LEN) ------------------ | | 33| 36.5k|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ | Branch (372:6): [True: 9.66k, False: 26.9k] ------------------ 373| 9.66k| return(-1); 374| | 375| | /* Some really old/legacy stuff */ 376| 26.9k| if(strncmp((const char *)payload, "RSP/", 4) == 0 && ------------------ | Branch (376:6): [True: 4, False: 26.9k] ------------------ 377| 4| strncmp((const char *)&payload[7], " STUN_", 6) == 0) { ------------------ | Branch (377:6): [True: 1, False: 3] ------------------ 378| 1| NDPI_LOG_DBG(ndpi_struct, "found old/legacy stun in rsp\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 379| 1| return 1; /* No real metadata */ 380| 1| } 381| | 382| | /* STUN may be encapsulated in TCP packets with a special TCP framing described in RFC 4571 */ 383| 26.9k| if(packet->tcp && ------------------ | Branch (383:6): [True: 16.5k, False: 10.3k] ------------------ 384| 16.5k| payload_length >= STUN_HDR_LEN + 2 && ------------------ | | 33| 16.5k|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ | Branch (384:6): [True: 16.1k, False: 418] ------------------ 385| | /* TODO: multiple STUN messagges */ 386| 16.1k| ((ntohs(get_u_int16_t(payload, 0)) + 2) == payload_length)) { ------------------ | Branch (386:6): [True: 442, False: 15.6k] ------------------ 387| 442| payload += 2; 388| 442| payload_length -=2; 389| 442| } 390| | 391| | /* Microsoft Multiplexed TURN messages */ 392| 26.9k| if(payload_length >= STUN_HDR_LEN + 12 && ------------------ | | 33| 26.9k|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ | Branch (392:6): [True: 25.0k, False: 1.83k] ------------------ 393| 26.9k| ntohs(get_u_int16_t(payload, 0)) == 0xFF10 && ------------------ | Branch (393:6): [True: 27, False: 25.0k] ------------------ 394| 26.9k| ntohs(get_u_int16_t(payload, 2)) + 4 == payload_length) { ------------------ | Branch (394:6): [True: 0, False: 27] ------------------ 395| 0| payload += 12; 396| 0| payload_length -= 12; 397| 0| } 398| | 399| 26.9k| msg_type = ntohs(*((u_int16_t *)&payload[0])); 400| 26.9k| msg_len = ntohs(*((u_int16_t *)&payload[2])); 401| 26.9k| magic_cookie = ntohl(*((u_int32_t *)&payload[4])); 402| 26.9k| transaction_id[0] = ntohl(*((u_int32_t *)&payload[8])); 403| 26.9k| transaction_id[1] = ntohl(*((u_int32_t *)&payload[12])); 404| 26.9k| transaction_id[2] = ntohl(*((u_int32_t *)&payload[16])); 405| | 406| | /* No magic_cookie on classic-stun */ 407| | 
/* Let's hope that we don't have anymore classic-stun over TCP */ 408| 26.9k| if(packet->tcp && magic_cookie != 0x2112A442) { ------------------ | Branch (408:6): [True: 16.5k, False: 10.3k] | Branch (408:21): [True: 16.4k, False: 68] ------------------ 409| 16.4k| return 0; 410| 16.4k| } 411| | 412| 10.4k| NDPI_LOG_DBG2(ndpi_struct, "msg_type = %04X msg_len = %d\n", msg_type, msg_len); ------------------ | | 597| 10.4k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 413| | 414| | /* With tcp, we might have multiple msg in the same TCP pkt. 415| | Parse only the first one. TODO */ 416| 10.4k| if(packet->tcp) { ------------------ | Branch (416:6): [True: 68, False: 10.3k] ------------------ 417| 68| if(msg_len + STUN_HDR_LEN > payload_length) ------------------ | | 33| 68|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ | Branch (417:8): [True: 3, False: 65] ------------------ 418| 3| return 0; 419| | 420| 65| payload_length = msg_len + STUN_HDR_LEN; ------------------ | | 33| 65|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ 421| 65| } 422| | 423| 10.4k| if(msg_type == 0 || (msg_len + STUN_HDR_LEN != payload_length)) { ------------------ | | 33| 10.2k|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ | Branch (423:6): [True: 228, False: 10.2k] | Branch (423:23): [True: 4.36k, False: 5.83k] ------------------ 424| 4.59k| NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X or len %d %d\n", ------------------ | | 596| 4.59k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 425| 4.59k| msg_type, msg_len, payload_length); 426| 4.59k| return -1; 427| 4.59k| } 428| | 429| | /* https://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml */ 430| 5.83k| if(((msg_type & 0x3EEF) > 0x000B) && ------------------ | Branch (430:6): [True: 346, False: 5.48k] ------------------ 431| 346| msg_type != 0x0800 && msg_type != 0x0801 && msg_type != 0x0802 && ------------------ | Branch (431:6): [True: 309, False: 37] | Branch (431:28): [True: 308, False: 1] | Branch (431:50): [True: 308, False: 0] ------------------ 432| 308| msg_type != 0x0804 && msg_type != 0x0805) { ------------------ | Branch (432:6): [True: 307, False: 1] | Branch (432:28): [True: 305, False: 2] ------------------ 433| 305| NDPI_LOG_DBG(ndpi_struct, "Invalid msg_type = %04X\n", msg_type); ------------------ | | 596| 305|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 434| 305| return -1; 435| 305| } 436| | 437| 5.53k| if(magic_cookie != 0x2112A442) { ------------------ | Branch (437:6): [True: 1.46k, False: 4.06k] ------------------ 438| | /* Some heuristic to detect classic-stun: 439| | * msg type check (list from Wireshark) 440| | * let's see if attributes list seems ok */ 441| 1.46k| if(msg_type != 0x0001 && msg_type != 0x0101 && msg_type != 0x0111 && /* Binding */ ------------------ | Branch (441:8): [True: 459, False: 1.00k] | Branch (441:30): [True: 439, False: 20] | Branch (441:52): [True: 439, False: 0] ------------------ 442| 439| msg_type != 0x0002 && msg_type != 0x0102 && msg_type != 0x0112 && /* Shared secret */ ------------------ | Branch (442:8): [True: 324, False: 115] | Branch (442:30): [True: 322, False: 2] | Branch (442:52): [True: 322, False: 0] ------------------ 443| 322| msg_type != 0x0003 && msg_type != 0x0103 && msg_type != 0x0113 && /* Allocate */ ------------------ | Branch (443:8): [True: 91, False: 231] | Branch (443:30): [True: 29, False: 62] | 
Branch (443:52): [True: 28, False: 1] ------------------ 444| 28| msg_type != 0x0004 && msg_type != 0x0104 && msg_type != 0x0114 && /* Send */ ------------------ | Branch (444:8): [True: 27, False: 1] | Branch (444:30): [True: 24, False: 3] | Branch (444:52): [True: 24, False: 0] ------------------ 445| 24| msg_type != 0x0115 && /* Data Indication */ ------------------ | Branch (445:8): [True: 24, False: 0] ------------------ 446| 24| msg_type != 0x0006 && msg_type != 0x0106 && msg_type != 0x0116 /* Set Active Destination */) { ------------------ | Branch (446:8): [True: 23, False: 1] | Branch (446:30): [True: 23, False: 0] | Branch (446:52): [True: 23, False: 0] ------------------ 447| 23| NDPI_LOG_DBG(ndpi_struct, "No classic-stun 0x%x\n", msg_type); ------------------ | | 596| 23|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 448| 23| return 0; 449| 23| } 450| | 451| 1.44k| off = STUN_HDR_LEN; ------------------ | | 33| 1.44k|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ 452| 2.94k| while(off + 4 < payload_length) { ------------------ | Branch (452:11): [True: 1.50k, False: 1.44k] ------------------ 453| 1.50k| u_int16_t len = ntohs(*((u_int16_t *)&payload[off + 2])); 454| 1.50k| u_int16_t real_len = (len + 3) & 0xFFFFFFFC; 455| | 456| 1.50k| off += 4 + real_len; 457| 1.50k| } 458| 1.44k| if(off != payload_length) { ------------------ | Branch (458:8): [True: 295, False: 1.14k] ------------------ 459| 295| NDPI_LOG_DBG(ndpi_struct, "No classic-stun %d/%d\n", off, payload_length); ------------------ | | 596| 295|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 460| 295| return 0; 461| 295| } 462| 1.44k| } 463| | 464| | /* STUN */ 465| | 466| 5.21k| if(flow->monit == NULL && ------------------ | Branch (466:6): [True: 5.21k, False: 0] ------------------ 467| 5.21k| is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_STUN)) ------------------ | Branch (467:6): [True: 0, False: 5.21k] ------------------ 468| 0| flow->monit = ndpi_calloc(1, sizeof(struct ndpi_metadata_monitoring)); 469| | 470| 5.21k| if(msg_type == 0x0800 || msg_type == 0x0801 || msg_type == 0x0802 || ------------------ | Branch (470:6): [True: 22, False: 5.19k] | Branch (470:28): [True: 1, False: 5.18k] | Branch (470:50): [True: 0, False: 5.18k] ------------------ 471| 5.18k| msg_type == 0x0804 || msg_type == 0x0805) { ------------------ | Branch (471:6): [True: 1, False: 5.18k] | Branch (471:28): [True: 2, False: 5.18k] ------------------ 472| 26| *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; 473| 26| return 1; 474| 26| } 475| | 476| 5.18k| method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2); 477| 5.18k| switch(method) { ------------------ | Branch (477:10): [True: 4.06k, False: 1.11k] ------------------ 478| 4.06k| case METHOD_ALLOCATE: ------------------ | | 39| 4.06k|#define METHOD_ALLOCATE 0x0003 /* RFC8489 */ ------------------ | Branch (478:3): [True: 4.06k, False: 1.12k] ------------------ 479| 4.06k| case METHOD_REFRESH: ------------------ | | 40| 4.06k|#define METHOD_REFRESH 0x0004 /* RFC8489 */ ------------------ | Branch (479:3): [True: 4, False: 5.18k] ------------------ 480| 4.06k| case METHOD_SEND: ------------------ | | 42| 4.06k|#define METHOD_SEND 0x0006 /* RFC8656 */ ------------------ | Branch (480:3): [True: 0, False: 5.18k] ------------------ 481| 4.06k| case METHOD_DATA_IND: ------------------ | | 43| 4.06k|#define METHOD_DATA_IND 0x0007 /* RFC8656 */ ------------------ | Branch (481:3): [True: 0, False: 5.18k] ------------------ 482| 4.06k| case 
METHOD_DATA_IND_OLD: ------------------ | | 41| 4.06k|#define METHOD_DATA_IND_OLD 0x0005 ------------------ | Branch (482:3): [True: 0, False: 5.18k] ------------------ 483| 4.06k| case METHOD_CREATE_PERMISSION: ------------------ | | 44| 4.06k|#define METHOD_CREATE_PERMISSION 0x0008 /* RFC8656 */ ------------------ | Branch (483:3): [True: 0, False: 5.18k] ------------------ 484| 4.06k| case METHOD_CHANNELBIND: ------------------ | | 45| 4.06k|#define METHOD_CHANNELBIND 0x0009 /* RFC8656 */ ------------------ | Branch (484:3): [True: 0, False: 5.18k] ------------------ 485| 4.06k| case METHOD_CONNECT: ------------------ | | 47| 4.06k|#define METHOD_CONNECT 0x000a /* RFC6062 */ ------------------ | Branch (485:3): [True: 0, False: 5.18k] ------------------ 486| 4.06k| case METHOD_CONNECTION_BIND: ------------------ | | 48| 4.06k|#define METHOD_CONNECTION_BIND 0x000b /* RFC6062 */ ------------------ | Branch (486:3): [True: 0, False: 5.18k] ------------------ 487| 4.06k| case METHOD_CONNECTION_ATTEMPT: ------------------ | | 49| 4.06k|#define METHOD_CONNECTION_ATTEMPT 0x000c /* RFC6062 */ ------------------ | Branch (487:3): [True: 0, False: 5.18k] ------------------ 488| 4.06k| NDPI_LOG_DBG(ndpi_struct, "TURN flow (method %d)\n", method); ------------------ | | 596| 4.06k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 489| 4.06k| flow->stun.is_turn = 1; 490| 4.06k| break; 491| 5.18k| } 492| | 493| | /* See https://support.signal.org/hc/en-us/articles/360007320291-Firewall-and-Internet-settings. 
494| | Since the check is quite weak, give time to other applications to kick in */ 495| 5.18k| if(flow->packet_counter > 4 && !flow->stun.is_turn && ------------------ | Branch (495:6): [True: 353, False: 4.83k] | Branch (495:34): [True: 0, False: 353] ------------------ 496| 0| !is_subclassification_real(flow) && ------------------ | Branch (496:6): [True: 0, False: 0] ------------------ 497| 0| (ntohs(flow->c_port) == 10000 || ntohs(flow->s_port) == 10000)) { ------------------ | Branch (497:7): [True: 0, False: 0] | Branch (497:39): [True: 0, False: 0] ------------------ 498| 0| *app_proto = NDPI_PROTOCOL_SIGNAL_VOIP; 499| 0| } 500| | 501| 5.18k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM) ------------------ | Branch (501:6): [True: 0, False: 5.18k] ------------------ 502| 0| *app_proto = NDPI_PROTOCOL_TELEGRAM_VOIP; 503| | 504| 5.18k| off = STUN_HDR_LEN; ------------------ | | 33| 5.18k|#define STUN_HDR_LEN 20 /* STUN message header length, Classic-STUN (RFC 3489) and STUN (RFC 8489) both */ ------------------ 505| 11.0k| while(off + 4 < payload_length) { ------------------ | Branch (505:9): [True: 6.95k, False: 4.11k] ------------------ 506| 6.95k| u_int16_t attribute = ntohs(*((u_int16_t *)&payload[off])); 507| 6.95k| u_int16_t len = ntohs(*((u_int16_t *)&payload[off + 2])); 508| 6.95k| u_int16_t real_len = (len + 3) & 0xFFFFFFFC; 509| | 510| 6.95k| NDPI_LOG_DBG(ndpi_struct, "Attribute 0x%x (%d/%d)\n", attribute, len, real_len); ------------------ | | 596| 6.95k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 511| | 512| 6.95k| switch(attribute) { 513| 60| case 0x0001: /* MAPPED-ADDRESS */ ------------------ | Branch (513:5): [True: 60, False: 6.89k] ------------------ 514| 60| if(ndpi_struct->cfg.stun_mapped_address_enabled) { ------------------ | Branch (514:10): [True: 60, False: 0] ------------------ 515| 60| parse_ip_port_attribute(payload, payload_length, off, real_len, &flow->stun.mapped_address, 516| 60| flow->monit ? &flow->monit->protos.dtls_stun_rtp.mapped_address : NULL); ------------------ | Branch (516:33): [True: 0, False: 60] ------------------ 517| 60| } 518| 60| break; 519| | 520| 0| case 0x802b: /* RESPONSE-ORIGIN */ ------------------ | Branch (520:5): [True: 0, False: 6.95k] ------------------ 521| 0| if(ndpi_struct->cfg.stun_response_origin_enabled) { ------------------ | Branch (521:10): [True: 0, False: 0] ------------------ 522| 0| parse_ip_port_attribute(payload, payload_length, off, real_len, &flow->stun.response_origin, 523| 0| flow->monit ? &flow->monit->protos.dtls_stun_rtp.response_origin : NULL); ------------------ | Branch (523:33): [True: 0, False: 0] ------------------ 524| 0| } 525| 0| break; 526| | 527| 0| case 0x802c: /* OTHER-ADDRESS */ ------------------ | Branch (527:5): [True: 0, False: 6.95k] ------------------ 528| 0| if(ndpi_struct->cfg.stun_other_address_enabled) { ------------------ | Branch (528:10): [True: 0, False: 0] ------------------ 529| 0| parse_ip_port_attribute(payload, payload_length, off, real_len, &flow->stun.other_address, 530| 0| flow->monit ? 
&flow->monit->protos.dtls_stun_rtp.other_address : NULL); ------------------ | Branch (530:33): [True: 0, False: 0] ------------------ 531| 0| } 532| 0| break; 533| | 534| 17| case 0x0012: /* XOR-PEER-ADDRESS */ ------------------ | Branch (534:5): [True: 17, False: 6.93k] ------------------ 535| 17| if(ndpi_struct->cfg.stun_peer_address_enabled) { ------------------ | Branch (535:10): [True: 17, False: 0] ------------------ 536| 17| parse_xor_ip_port_attribute(ndpi_struct, flow, 537| 17| payload, payload_length, off, real_len, 538| 17| &flow->stun.peer_address, 539| 17| flow->monit ? &flow->monit->protos.dtls_stun_rtp.peer_address : NULL, ------------------ | Branch (539:37): [True: 0, False: 17] ------------------ 540| 17| transaction_id, magic_cookie, 1); 541| 17| } 542| 17| break; 543| | 544| 978| case 0x0101: ------------------ | Branch (544:5): [True: 978, False: 5.97k] ------------------ 545| 1.06k| case 0x0103: ------------------ | Branch (545:5): [True: 91, False: 6.86k] ------------------ 546| 1.06k| *app_proto = NDPI_PROTOCOL_ZOOM; 547| 1.06k| return 1; 548| | 549| 1.23k| case 0x4000: ------------------ | Branch (549:5): [True: 1.23k, False: 5.72k] ------------------ 550| 1.24k| case 0x4001: ------------------ | Branch (550:5): [True: 14, False: 6.93k] ------------------ 551| 2.65k| case 0x4002: ------------------ | Branch (551:5): [True: 1.41k, False: 5.53k] ------------------ 552| 2.66k| case 0x4003: ------------------ | Branch (552:5): [True: 2, False: 6.94k] ------------------ 553| 2.66k| case 0x4004: ------------------ | Branch (553:5): [True: 1, False: 6.95k] ------------------ 554| 2.66k| case 0x4007: ------------------ | Branch (554:5): [True: 2, False: 6.94k] ------------------ 555| | /* These are the only messages apparently whatsapp voice can use */ 556| 2.66k| *app_proto = NDPI_PROTOCOL_WHATSAPP_CALL; 557| 2.66k| break; 558| | 559| 12| case 0x0014: /* Realm */ ------------------ | Branch (559:5): [True: 12, False: 6.93k] ------------------ 
560| 12| if(flow->host_server_name[0] == '\0') { ------------------ | Branch (560:10): [True: 12, False: 0] ------------------ 561| 12| int i; 562| 12| bool valid = true; 563| | 564| 12| ndpi_hostname_sni_set(flow, payload + off + 4, ndpi_min(len, payload_length - off - 4), NDPI_HOSTNAME_NORM_ALL); ------------------ | | 113| 12|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 6, False: 6] | | ------------------ ------------------ ndpi_hostname_sni_set(flow, payload + off + 4, ndpi_min(len, payload_length - off - 4), NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 12|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 12|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 12|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 12|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 565| 12| NDPI_LOG_DBG(ndpi_struct, "Realm [%s]\n", flow->host_server_name); ------------------ | | 596| 12|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 566| | 567| | /* Some Realm contain junk, so let's validate it */ 568| 18| for(i=0; flow->host_server_name[i] != '\0'; i++) { ------------------ | Branch (568:11): [True: 12, False: 6] ------------------ 569| 12| if(flow->host_server_name[i] == '?') { ------------------ | Branch (569:7): [True: 6, False: 6] ------------------ 570| 6| valid = false; 571| 6| break; 572| 6| } 573| 12| } 574| | 575| 12| if(valid) { ------------------ | Branch (575:5): [True: 6, False: 6] ------------------ 576| 6| if(strstr(flow->host_server_name, "google.com") != NULL) { ------------------ | Branch (576:7): [True: 0, False: 6] ------------------ 577| 0| *app_proto = NDPI_PROTOCOL_GOOGLE_CALL; 578| 6| } else if(strstr(flow->host_server_name, "whispersystems.org") != NULL || ------------------ | Branch (578:14): [True: 0, False: 6] ------------------ 579| 6| strstr(flow->host_server_name, "signal.org") != NULL) { ------------------ | Branch (579:7): [True: 0, False: 6] ------------------ 580| 0| *app_proto = NDPI_PROTOCOL_SIGNAL_VOIP; 581| 6| } else if(strstr(flow->host_server_name, "facebook") != NULL) { ------------------ | Branch (581:14): [True: 0, False: 6] ------------------ 582| 0| *app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP; 583| 6| } else if(strstr(flow->host_server_name, "stripcdn.com") != NULL) { ------------------ | Branch (583:14): [True: 0, False: 6] ------------------ 584| 0| *category = NDPI_PROTOCOL_CATEGORY_ADULT_CONTENT; 585| 6| } else if(strstr(flow->host_server_name, "telegram") != NULL) { ------------------ | Branch (585:14): [True: 0, False: 6] ------------------ 586| 0| *app_proto = NDPI_PROTOCOL_TELEGRAM_VOIP; 587| 6| } else if(strstr(flow->host_server_name, "viber") != NULL) { ------------------ | Branch (587:14): [True: 0, False: 6] ------------------ 588| 0| *app_proto = NDPI_PROTOCOL_VIBER_VOIP; 589| 6| } else if(strstr(flow->host_server_name, "turn.cloudflare.com") != NULL) { ------------------ | Branch 
(589:14): [True: 0, False: 6] ------------------ 590| | /* The latest signal implementations hide behind cloudflare */ 591| 0| if(signal_search_into_cache(ndpi_struct, flow)) { ------------------ | Branch (591:9): [True: 0, False: 0] ------------------ 592| 0| *app_proto = NDPI_PROTOCOL_SIGNAL_VOIP; 593| 0| } 594| 0| } 595| 6| } else 596| 6| flow->host_server_name[0] = '\0'; 597| 12| } 598| 12| break; 599| | 600| | /* Proprietary fields found on Microsoft Teams/Skype calls */ 601| 0| case 0x8054: /* Candidate Identifier: Either skype for business or "normal" skype with multiparty call */ ------------------ | Branch (601:5): [True: 0, False: 6.95k] ------------------ 602| 0| case 0x24DF: ------------------ | Branch (602:5): [True: 0, False: 6.95k] ------------------ 603| 3| case 0x3802: ------------------ | Branch (603:5): [True: 3, False: 6.94k] ------------------ 604| 3| case 0x8036: ------------------ | Branch (604:5): [True: 0, False: 6.95k] ------------------ 605| 3| case 0x8095: /* MS-Multiplexed-TURN-Session-ID */ ------------------ | Branch (605:5): [True: 0, False: 6.95k] ------------------ 606| 62| case 0x0800: ------------------ | Branch (606:5): [True: 59, False: 6.89k] ------------------ 607| 62| case 0x8006: ------------------ | Branch (607:5): [True: 0, False: 6.95k] ------------------ 608| 62| case 0x8070: /* MS Implementation Version */ ------------------ | Branch (608:5): [True: 0, False: 6.95k] ------------------ 609| 62| case 0x8055: /* MS Service Quality */ ------------------ | Branch (609:5): [True: 0, False: 6.95k] ------------------ 610| 62| *app_proto = NDPI_PROTOCOL_MSTEAMS_CALL; 611| 62| break; 612| | 613| 0| case 0x8029: /* ICE-CONTROLLED */ ------------------ | Branch (613:5): [True: 0, False: 6.95k] ------------------ 614| 0| if(current_pkt_from_client_to_server(ndpi_struct, flow)) ------------------ | Branch (614:10): [True: 0, False: 0] ------------------ 615| 0| flow->stun.is_client_controlling = 0; 616| 0| else 617| 0| 
flow->stun.is_client_controlling = 1; 618| 0| break; 619| | 620| 0| case 0x802A: /* ICE-CONTROLLING */ ------------------ | Branch (620:5): [True: 0, False: 6.95k] ------------------ 621| 0| if(current_pkt_from_client_to_server(ndpi_struct, flow)) ------------------ | Branch (621:10): [True: 0, False: 0] ------------------ 622| 0| flow->stun.is_client_controlling = 1; 623| 0| else 624| 0| flow->stun.is_client_controlling = 0; 625| 0| break; 626| | 627| 0| case 0xFF03: ------------------ | Branch (627:5): [True: 0, False: 6.95k] ------------------ 628| 0| *app_proto = NDPI_PROTOCOL_GOOGLE_CALL; 629| 0| break; 630| | 631| 7| case 0x0013: ------------------ | Branch (631:5): [True: 7, False: 6.94k] ------------------ 632| 7| NDPI_LOG_DBG(ndpi_struct, "DATA attribute (%d/%d)\n", ------------------ | | 596| 7|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 633| 7| real_len, payload_length - off - 4); 634| 7| if(real_len <= payload_length - off - 4) { ------------------ | Branch (634:10): [True: 2, False: 5] ------------------ 635| 2| orig_payload = packet->payload; 636| 2| orig_payload_length = packet->payload_packet_len; 637| 2| packet->payload = payload + off + 4; 638| 2| packet->payload_packet_len = real_len; 639| | 640| 2| stun_search_again(ndpi_struct, flow); 641| 2| NDPI_LOG_DBG(ndpi_struct, "End recursion\n"); ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 642| | 643| 2| packet->payload = orig_payload; 644| 2| packet->payload_packet_len = orig_payload_length; 645| 2| } 646| 7| break; 647| | 648| 1.65k| case 0x0020: /* XOR-MAPPED-ADDRESS */ ------------------ | Branch (648:5): [True: 1.65k, False: 5.29k] ------------------ 649| 1.65k| if(ndpi_struct->cfg.stun_mapped_address_enabled) { ------------------ | Branch (649:10): [True: 1.65k, False: 0] ------------------ 650| 1.65k| parse_xor_ip_port_attribute(ndpi_struct, flow, 651| 1.65k| payload, payload_length, off, real_len, 652| 1.65k| &flow->stun.mapped_address, 653| 1.65k| flow->monit ? &flow->monit->protos.dtls_stun_rtp.mapped_address : NULL, ------------------ | Branch (653:37): [True: 0, False: 1.65k] ------------------ 654| 1.65k| transaction_id, magic_cookie, 0); 655| 1.65k| flow->stun.num_xor_mapped_addresses++; 656| 1.65k| } 657| 1.65k| break; 658| | 659| 1| case 0x0016: /* XOR-RELAYED-ADDRESS */ ------------------ | Branch (659:5): [True: 1, False: 6.95k] ------------------ 660| 1| if(ndpi_struct->cfg.stun_relayed_address_enabled) { ------------------ | Branch (660:10): [True: 1, False: 0] ------------------ 661| 1| parse_xor_ip_port_attribute(ndpi_struct, flow, 662| 1| payload, payload_length, off, real_len, 663| 1| &flow->stun.relayed_address, 664| 1| flow->monit ? &flow->monit->protos.dtls_stun_rtp.relayed_address : NULL, ------------------ | Branch (664:37): [True: 0, False: 1] ------------------ 665| 1| transaction_id, magic_cookie, 0); 666| 1| flow->stun.num_xor_relayed_addresses++; 667| 1| } 668| 1| break; 669| | 670| 1.40k| default: ------------------ | Branch (670:5): [True: 1.40k, False: 5.54k] ------------------ 671| 1.40k| NDPI_LOG_DBG2(ndpi_struct, "Unknown attribute %04X\n", attribute); ------------------ | | 597| 1.40k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 672| 1.40k| break; 673| 6.95k| } 674| | 675| 5.88k| off += 4 + real_len; 676| 5.88k| } 677| | 678| 4.11k| return 1; 679| 5.18k|} switch_extra_dissection_to_stun: 1249| 3.53k|{ 1250| 3.53k| if(!flow->extra_packets_func) { ------------------ | Branch (1250:6): [True: 3.06k, False: 476] ------------------ 1251| 3.06k| if(keep_extra_dissection(ndpi_struct, flow)) { ------------------ | Branch (1251:8): [True: 2.03k, False: 1.02k] ------------------ 1252| 2.03k| NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); ------------------ | | 596| 2.03k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1253| 2.03k| flow->max_extra_packets_to_check = ndpi_struct->cfg.stun_max_packets_extra_dissection; 1254| 2.03k| if(std_callback) ------------------ | Branch (1254:10): [True: 2.03k, False: 0] ------------------ 1255| 2.03k| flow->extra_packets_func = stun_search_again; 1256| 0| else 1257| 0| flow->extra_packets_func = stun_telegram_search_again; 1258| 2.03k| } 1259| 3.06k| } 1260| 3.53k|} signal_add_to_cache: 1337| 22|{ 1338| 22| u_int64_t key; 1339| | 1340| 22| if(ndpi_struct->signal_cache) { ------------------ | Branch (1340:6): [True: 19, False: 3] ------------------ 1341| 19| key = get_signal_key(flow); 1342| |#ifdef DEBUG_SIGNAL_LRU 1343| | printf("[LRU SIGNAL] ADDING %lu [%u <-> %u]\n", key, ntohs(flow->c_port), ntohs(flow->s_port)); 1344| |#endif 1345| 19| ndpi_lru_add_to_cache(ndpi_struct->signal_cache, key, 1 /* dummy */, 1346| 19| ndpi_get_current_time(flow)); 1347| 19| } 1348| 22|} init_stun_dissector: 1352| 7.08k|void init_stun_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 1353| 7.08k| ndpi_register_dissector("STUN", ndpi_struct, 1354| 7.08k| ndpi_search_stun, 1355| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ /* Fully expanded, the selection bitmask above is (1<<7) | (1<<3) | (1<<5) | (1<<4). */ 1356| 7.08k| 1, NDPI_PROTOCOL_STUN); 1357| 7.08k|} stun.c:is_subclassification_real: /* Returns 0 when detected_protocol_stack[1] is NDPI_PROTOCOL_UNKNOWN; otherwise returns is_subclassification_real_by_proto() applied to detected_protocol_stack[0]. */ 93| 9.42k|{ 94| | /* No previous subclassification */ 95| 9.42k| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (95:6): [True: 1.35k, False: 8.07k] ------------------ 96| 1.35k| return 0; 97| 8.07k| 
return is_subclassification_real_by_proto(flow->detected_protocol_stack[0]); 98| 9.42k|} stun.c:is_subclassification_real_by_proto: /* Returns 0 for NDPI_PROTOCOL_UNKNOWN and for the generic STUN, RTP, RTCP, SRTP, DTLS and TELEGRAM ids, and 1 for every other protocol id. */ 78| 15.1k|{ 79| 15.1k| if(proto == NDPI_PROTOCOL_UNKNOWN || ------------------ | Branch (79:6): [True: 1.88k, False: 13.2k] ------------------ 80| 13.2k| proto == NDPI_PROTOCOL_STUN || ------------------ | Branch (80:6): [True: 0, False: 13.2k] ------------------ 81| 13.2k| proto == NDPI_PROTOCOL_RTP || ------------------ | Branch (81:6): [True: 170, False: 13.0k] ------------------ 82| 13.0k| proto == NDPI_PROTOCOL_RTCP || ------------------ | Branch (82:6): [True: 0, False: 13.0k] ------------------ 83| 13.0k| proto == NDPI_PROTOCOL_SRTP || ------------------ | Branch (83:6): [True: 0, False: 13.0k] ------------------ 84| 13.0k| proto == NDPI_PROTOCOL_DTLS || ------------------ | Branch (84:6): [True: 0, False: 13.0k] ------------------ 85| 13.0k| proto == NDPI_PROTOCOL_TELEGRAM) ------------------ | Branch (85:6): [True: 0, False: 13.0k] ------------------ 86| 2.05k| return 0; 87| 13.0k| return 1; 88| 15.1k|} stun.c:parse_ip_port_attribute: /* Parses a non-XORed address attribute (family byte at off+5, port at off+6, address from off+8) into ap and, when ap_monit is non-NULL, into ap_monit. Nothing is read unless the 4-byte attribute header plus real_len fits in payload_length and real_len is exactly 8 or 20, so the furthest byte touched is off+11 for IPv4 and off+23 for IPv6. NOTE(review): this relies on off + 4 + real_len not wrapping; the operand types are declared outside this listing - confirm. */ 205| 60|{ 206| 60| if(off + 4 + real_len <= payload_length && ------------------ | Branch (206:6): [True: 50, False: 10] ------------------ 207| 50| (real_len == 8 || real_len == 20)) { ------------------ | Branch (207:7): [True: 5, False: 45] | Branch (207:24): [True: 42, False: 3] ------------------ 208| 47| u_int8_t protocol_family = payload[off+5]; 209| | 210| 47| if(protocol_family == 0x01 /* IPv4 */ && ------------------ | Branch (210:8): [True: 2, False: 45] ------------------ 211| 2| real_len == 8) { ------------------ | Branch (211:8): [True: 2, False: 0] ------------------ /* NOTE(review): the two loads below cast a byte pointer to u_int16_t / u_int32_t at an offset that depends on off, so they may be unaligned; copying the bytes into a local with memcpy would avoid that - confirm whether the supported targets tolerate unaligned reads. */ 212| 2| u_int16_t port = ntohs(*((u_int16_t*)&payload[off+6])); 213| 2| u_int32_t ip = ntohl(*((u_int32_t*)&payload[off+8])); 214| | 215| | /* Only the first attribute ever in the flow */ 216| 2| if(ap->port == 0) { ------------------ | Branch (216:10): [True: 2, False: 0] ------------------ 217| 2| ap->port = port; 
218| 2| ap->address.v4 = htonl(ip); /* ip was converted with ntohl when it was read, so htonl stores the address back in network byte order; the port is kept in host order. */ 219| 2| ap->is_ipv6 = 0; 220| 2| } 221| | 222| 2| if(ap_monit) { ------------------ | Branch (222:10): [True: 0, False: 2] ------------------ 223| 0| ap_monit->port = port; 224| 0| ap_monit->address.v4 = htonl(ip); 225| 0| ap_monit->is_ipv6 = 0; 226| 0| } 227| 45| } else if(protocol_family == 0x02 /* IPv6 */ && ------------------ | Branch (227:15): [True: 0, False: 45] ------------------ 228| 0| real_len == 20) { ------------------ | Branch (228:15): [True: 0, False: 0] ------------------ 229| 0| u_int16_t port = ntohs(*((u_int16_t*)&payload[off+6])); 230| 0| u_int32_t ip[4]; 231| | /* IPv6: the 16 address bytes are copied as received, without byte swapping. NOTE(review): this branch has no hits in this coverage run. */ 232| 0| ip[0] = *((u_int32_t *)&payload[off + 8]); 233| 0| ip[1] = *((u_int32_t *)&payload[off + 12]); 234| 0| ip[2] = *((u_int32_t *)&payload[off + 16]); 235| 0| ip[3] = *((u_int32_t *)&payload[off + 20]); 236| | 237| | /* Only the first attribute ever in the flow */ 238| 0| if(ap->port == 0) { ------------------ | Branch (238:10): [True: 0, False: 0] ------------------ 239| 0| ap->port = port; 240| 0| memcpy(&ap->address, &ip, 16); 241| 0| ap->is_ipv6 = 1; 242| 0| } 243| | 244| 0| if(ap_monit) { ------------------ | Branch (244:10): [True: 0, False: 0] ------------------ 245| 0| ap_monit->port = port; 246| 0| memcpy(&ap_monit->address, &ip, 16); 247| 0| ap_monit->is_ipv6 = 1; 248| 0| } 249| 0| } 250| 47| } 251| 60|} stun.c:parse_xor_ip_port_attribute: /* XOR variant of parse_ip_port_attribute: the same length checks are applied, then port and address are de-obfuscated with magic_cookie (plus transaction_id for IPv6). When add_to_cache is set, a stun_cache exists and the flow has a real subclassification, the peer address and port are added to the STUN LRU cache with detected_protocol_stack[0] as value. buf is declared only in debug builds and is used only inside NDPI_LOG_DBG arguments. */ 262| 1.67k|{ 263| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 264| | char buf[128]; 265| |#endif 266| | 267| 1.67k| if(off + 4 + real_len <= payload_length && ------------------ | Branch (267:6): [True: 1.58k, False: 94] ------------------ 268| 1.58k| (real_len == 8 || real_len == 20)) { ------------------ | Branch (268:7): [True: 1.51k, False: 68] | Branch (268:24): [True: 7, False: 61] ------------------ 269| 1.51k| u_int8_t protocol_family = payload[off+5]; 270| | 271| 1.51k| if(protocol_family == 0x01 /* IPv4 */ && ------------------ | Branch (271:8): [True: 1.45k, False: 64] ------------------ 272| 1.45k| 
real_len == 8) { ------------------ | Branch (272:8): [True: 1.44k, False: 7] ------------------ 273| 1.44k| u_int32_t ip; 274| 1.44k| u_int16_t port; 275| | /* The port is converted to host order and XORed with magic_cookie >> 16 (truncated to 16 bits by the assignment); the address is XORed with htonl(magic_cookie) without any byte swap, so ip stays in network byte order. */ 276| 1.44k| port = ntohs(*((u_int16_t *)&payload[off + 6])) ^ (magic_cookie >> 16); 277| 1.44k| ip = *((u_int32_t *)&payload[off + 8]) ^ htonl(magic_cookie); 278| | 279| | /* Only the first attribute ever in the flow */ /* ap->port == 0 is used as the not-yet-set marker, so ap keeps the first address seen, while ap_monit below is overwritten on every attribute. */ 280| 1.44k| if(ap->port == 0) { ------------------ | Branch (280:10): [True: 909, False: 539] ------------------ 281| 909| ap->port = port; 282| 909| ap->address.v4 = ip; 283| 909| ap->is_ipv6 = 0; 284| 909| } 285| | 286| 1.44k| if(ap_monit) { ------------------ | Branch (286:10): [True: 0, False: 1.44k] ------------------ 287| 0| ap_monit->port = port; 288| 0| ap_monit->address.v4 = ip; 289| 0| ap_monit->is_ipv6 = 0; 290| 0| } 291| | 292| 1.44k| if(add_to_cache) { ------------------ | Branch (292:10): [True: 15, False: 1.43k] ------------------ 293| 15| NDPI_LOG_DBG(ndpi_struct, "Peer %s:%d [proto %d]\n", ------------------ | | 596| 15|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 294| 15| inet_ntop(AF_INET, &ip, buf, sizeof(buf)), port, 295| 15| flow->detected_protocol_stack[0]); 296| | /* The peer is cached only when a STUN LRU cache exists and the flow already has a real subclassification; the cached value is detected_protocol_stack[0]. */ 297| 15| if(ndpi_struct->stun_cache && ------------------ | Branch (297:12): [True: 11, False: 4] ------------------ 298| 11| is_subclassification_real(flow)) { ------------------ | Branch (298:12): [True: 6, False: 5] ------------------ 299| 6| u_int64_t key = get_stun_lru_key_raw4(ip, port); 300| | 301| 6| ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, 302| 6| flow->detected_protocol_stack[0], 303| 6| ndpi_get_current_time(flow)); 304| |#ifdef DEBUG_LRU 305| | printf("[LRU] Add peer 0x%llx %d\n", (long long unsigned int)key, flow->detected_protocol_stack[0]); 306| |#endif 307| 6| } 308| 15| } 309| 1.44k| } else if(protocol_family == 0x02 /* IPv6 */ && ------------------ | Branch (309:15): [True: 26, False: 45] ------------------ 310| 26| real_len == 20) { ------------------ | Branch (310:15): [True: 0, False: 26] ------------------ 311| 0| u_int32_t ip[4]; 312| 0| u_int16_t port; 313| | /* IPv6: the first 32-bit word is XORed with magic_cookie and the remaining three with transaction_id[0..2], each passed through htonl first. NOTE(review): this IPv6 branch has no hits in this coverage run. */ 314| 0| port = ntohs(*((u_int16_t *)&payload[off + 6])) ^ (magic_cookie >> 16); 315| 0| ip[0] = *((u_int32_t *)&payload[off + 8]) ^ htonl(magic_cookie); 316| 0| ip[1] = *((u_int32_t *)&payload[off + 12]) ^ htonl(transaction_id[0]); 317| 0| ip[2] = *((u_int32_t *)&payload[off + 16]) ^ htonl(transaction_id[1]); 318| 0| ip[3] = *((u_int32_t *)&payload[off + 20]) ^ htonl(transaction_id[2]); 319| | 320| | /* Only the first attribute ever in the flow */ 321| 0| if(ap->port == 0) { ------------------ | Branch (321:10): [True: 0, False: 0] ------------------ 322| 0| ap->port = port; 323| 0| memcpy(&ap->address, &ip, 16); 324| 0| ap->is_ipv6 = 1; 325| 0| } 326| | 327| 0| if(ap_monit) { ------------------ | Branch (327:10): [True: 0, False: 0] ------------------ 328| 0| ap_monit->port = port; 329| 0| memcpy(&ap_monit->address, &ip, 16); 330| 0| ap_monit->is_ipv6 = 1; 331| 0| } 332| | 333| 0| if(add_to_cache) { 
------------------ | Branch (333:10): [True: 0, False: 0] ------------------ 334| 0| NDPI_LOG_DBG(ndpi_struct, "Peer %s:%d [proto %d]\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 335| 0| inet_ntop(AF_INET6, &ip, buf, sizeof(buf)), port, 336| 0| flow->detected_protocol_stack[0]); 337| | 338| 0| if(ndpi_struct->stun_cache && ------------------ | Branch (338:12): [True: 0, False: 0] ------------------ 339| 0| is_subclassification_real(flow)) { ------------------ | Branch (339:12): [True: 0, False: 0] ------------------ 340| 0| u_int64_t key = get_stun_lru_key_raw6((u_int8_t *)ip, port); 341| | 342| 0| ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, 343| 0| flow->detected_protocol_stack[0], 344| 0| ndpi_get_current_time(flow)); 345| |#ifdef DEBUG_LRU 346| | printf("[LRU] Add peer 0x%llx %d\n", (long long unsigned int)key, flow->detected_protocol_stack[0]); 347| |#endif 348| 0| } 349| 0| } 350| 0| } 351| 1.51k| } 352| 1.67k|} stun.c:get_stun_lru_key_raw4: /* Builds the 64-bit STUN LRU key for an IPv4 peer: ip, exactly as passed by the caller, goes in the upper 32 bits and the port, converted from host to network order, in the low 16 bits. */ 1138| 6|static u_int64_t get_stun_lru_key_raw4(u_int32_t ip, u_int16_t port_host_order) { 1139| | return ((u_int64_t)ip << 32) | htons(port_host_order); 1140| 6|} stun.c:stun_search_again: /* Extra-dissection callback installed by switch_extra_dissection_to_stun. Each further packet of the flow is demultiplexed on its first payload byte (STUN, DTLS, TURN channel data, RTP/RTCP, Microsoft multiplexed TURN) and the function returns the result of keep_extra_dissection(). */ 809| 2.62k|{ 810| 2.62k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 811| 2.62k| int rtp_rtcp; 812| 2.62k| u_int8_t first_byte; 813| 2.62k| u_int16_t msg_type, app_proto = NDPI_PROTOCOL_UNKNOWN; 814| 2.62k| u_int32_t unused; 815| 2.62k| int first_dtls_pkt = 0; 816| 2.62k| u_int16_t old_proto_stack[2] = {NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN}; 817| | 818| 2.62k| NDPI_LOG_DBG2(ndpi_struct, "Packet counter %d protos %d/%d Monitoring? %d\n", ------------------ | | 597| 2.62k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 819| 2.62k| flow->packet_counter, 820| 2.62k| flow->detected_protocol_stack[0], flow->detected_protocol_stack[1], 821| 2.62k| flow->state == NDPI_STATE_MONITORING); 822| | 823| | /* TODO: check TCP support. We need to pay some attention because: 824| | * multiple msg in the same TCP segment 825| | * same msg split across multiple segments */ 826| | /* At least two payload bytes are required because msg_type below is a 16-bit read at offset 0. */ 827| 2.62k| if(packet->payload_packet_len <= 1) ------------------ | Branch (827:6): [True: 93, False: 2.53k] ------------------ 828| 93| return keep_extra_dissection(ndpi_struct, flow); 829| | 830| 2.53k| first_byte = packet->payload[0]; 831| 2.53k| msg_type = ntohs(*((u_int16_t *)&packet->payload[0])); 832| | 833| | /* RFC9443 */ /* The first payload byte selects the handler; every else-if in the chain takes the next range up to its upper bound. A first byte above 3 is still handled as STUN for NDPI_PROTOCOL_WHATSAPP_CALL flows with one of the listed 0x08xx message types. */ 834| 2.53k| if(first_byte <= 3 || ------------------ | Branch (834:6): [True: 2.27k, False: 257] ------------------ 835| | /* Whatsapp special case */ 836| 257| (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_WHATSAPP_CALL && ------------------ | Branch (836:7): [True: 134, False: 123] ------------------ 837| 134| (msg_type == 0x0800 || msg_type == 0x0801 || msg_type == 0x0802 || ------------------ | Branch (837:8): [True: 36, False: 98] | Branch (837:30): [True: 0, False: 98] | Branch (837:52): [True: 0, False: 98] ------------------ 838| 2.31k| msg_type == 0x0804 || msg_type == 0x0805))) { ------------------ | Branch (838:8): [True: 0, False: 98] | Branch (838:30): [True: 2, False: 96] ------------------ 839| 2.31k| ndpi_protocol_category_t category; 840| | 841| 2.31k| NDPI_LOG_DBG(ndpi_struct, "Still STUN\n"); ------------------ | | 596| 2.31k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 842| | 843| 2.31k| if(is_stun(ndpi_struct, flow, &app_proto, &category) == 1) { /* To extract other metadata */ ------------------ | Branch (843:8): [True: 2.14k, False: 170] ------------------ /* The classification is updated only when is_new_subclassification_better() accepts app_proto. */ 844| 2.14k| if(is_new_subclassification_better(ndpi_struct, flow, app_proto)) { ------------------ | Branch (844:10): [True: 417, False: 1.72k] ------------------ 845| 417| ndpi_int_stun_add_connection(ndpi_struct, flow, 846| 417| app_proto, __get_master(flow), category); 847| 417| } 848| 2.14k| } 849| 2.31k| } else if(first_byte <= 15) { ------------------ | Branch (849:13): [True: 3, False: 216] ------------------ 850| 3| NDPI_LOG_DBG(ndpi_struct, "DROP range. Unexpected\n"); ------------------ | | 596| 3|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 851| 216| } else if(first_byte <= 19) { ------------------ | Branch (851:13): [True: 4, False: 212] ------------------ 852| 4| NDPI_LOG_DBG(ndpi_struct, "ZRTP range. Unexpected\n"); ------------------ | | 596| 4|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 853| 212| } else if(first_byte <= 63) { ------------------ | Branch (853:13): [True: 15, False: 197] ------------------ 854| 15| NDPI_LOG_DBG(ndpi_struct, "DTLS\n"); ------------------ | | 596| 15|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 855| | /* NOTE(review): is_dtls() was never true in this coverage run, so the whole DTLS hand-off below has no hits. */ 856| 15| if(ndpi_struct->cfg.stun_opportunistic_tls_enabled && ------------------ | Branch (856:8): [True: 15, False: 0] ------------------ 857| 15| is_dtls(packet->payload, packet->payload_packet_len, &unused)) { ------------------ | Branch (857:8): [True: 0, False: 15] ------------------ 858| | 859| | /* Process this DTLS packet via TLS/DTLS code but keep using STUN dissection. 
860| | This way we can keep demultiplexing DTLS/STUN/RTP */ 861| | 862| | /* Switching to TLS dissector is tricky, because we are calling one dissector 863| | from another one, and that is not a common operation... 864| | Additionally: 865| | * at that point protocol stack is already set to STUN or STUN/XXX 866| | * we have room for only two protocols in flow->detected_protocol_stack[] so 867| | we can't have something like STUN/DTLS/SNAPCHAT_CALL 868| | * the easiest (!?) solution is to remove everything, and let the TLS dissector 869| | set both master (i.e. DTLS) and subprotocol (if any) */ 870| | 871| | /* If we already have a real sub-classification, and the DTLS code doesn't set any 872| | subclassification itself (it is quite unlikely that we have a subprotocol only via 873| | Client Hello, for example), keep the original one */ 874| | 875| | /* In some rare cases, with malformed/fuzzed traffic, `is_dtls()` might return false 876| | positives. In that case, the TLS dissector doesn't set the master protocol, so we 877| | need to rollback to the current state */ 878| | 879| 0| if(flow->tls_quic.certificate_processed == 1) { ------------------ | Branch (879:10): [True: 0, False: 0] ------------------ 880| 0| NDPI_LOG_DBG(ndpi_struct, "Interesting DTLS stuff already processed. Ignoring\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 883| 0| flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); 884| | 885| 0| if(flow->stun.maybe_dtls == 0) { ------------------ | Branch (885:12): [True: 0, False: 0] ------------------ 886| | /* First DTLS packet of the flow */ 887| 0| first_dtls_pkt = 1; 888| | 889| | /* We might need to rollback this change... */ 890| 0| old_proto_stack[0] = flow->detected_protocol_stack[0]; 891| 0| old_proto_stack[1] = flow->detected_protocol_stack[1]; 892| | 893| | /* TODO: right way? It is a bit scary... do we need to reset something else too? */ 894| 0| reset_detected_protocol(flow); 895| | /* We keep the category/breed related to STUN traffic */ 896| | /* TODO: clear some risks? */ 897| | 898| | /* Give room for DTLS handshake, where we might have 899| | retransmissions and fragments */ /* NOTE(review): the budget is raised by 10 but clamped to 255, while the rollback path further down subtracts 10 unconditionally; when the clamp applies, a rollback leaves the budget lower than it was before the DTLS attempt - confirm this is acceptable. */ 900| 0| flow->max_extra_packets_to_check = ndpi_min(255, (int)flow->max_extra_packets_to_check + 10); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 901| 0| flow->stun.maybe_dtls = 1; 902| 0| } 903| | 904| 0| switch_to_tls(ndpi_struct, flow, first_dtls_pkt); 905| | /* If, on the first DTLS packet, the TLS code left plain DTLS with no subprotocol, the previous classification (anything other than UNKNOWN or STUN) is re-applied on top of it; a previous RTP is mapped to SRTP. */ 906| 0| if(first_dtls_pkt && ------------------ | Branch (906:12): [True: 0, False: 0] ------------------ 907| 0| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DTLS && ------------------ | Branch (907:12): [True: 0, False: 0] ------------------ 908| 0| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (908:12): [True: 0, False: 0] ------------------ 909| 0| old_proto_stack[0] != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (909:12): [True: 0, False: 0] ------------------ 910| 0| old_proto_stack[0] != NDPI_PROTOCOL_STUN) { ------------------ | Branch (910:12): [True: 0, False: 0] ------------------ 911| 0| NDPI_LOG_DBG(ndpi_struct, "Keeping old subclassification %d\n", old_proto_stack[0]); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 912| 0| ndpi_int_stun_add_connection(ndpi_struct, flow, 913| 0| old_proto_stack[0] == NDPI_PROTOCOL_RTP ? NDPI_PROTOCOL_SRTP : old_proto_stack[0], ------------------ | Branch (913:40): [True: 0, False: 0] ------------------ 914| 0| __get_master(flow), NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); 915| 0| } 916| | 917| | /* If this is not a real DTLS packet, we need to restore the old state */ 918| 0| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (918:12): [True: 0, False: 0] ------------------ 919| 0| first_dtls_pkt) { ------------------ | Branch (919:12): [True: 0, False: 0] ------------------ 920| 0| NDPI_LOG_DBG(ndpi_struct, "Switch to TLS failed. Rollback to old classification\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 921| | /* Rollback: restore the saved protocol stack, clear maybe_dtls and take back the 10 extra packets granted for the DTLS attempt. */ 922| 0| ndpi_set_detected_protocol(ndpi_struct, flow, 923| 0| old_proto_stack[0], old_proto_stack[1], 924| 0| NDPI_CONFIDENCE_DPI); 925| | 926| 0| flow->stun.maybe_dtls = 0; 927| 0| flow->max_extra_packets_to_check -= 10; 928| 0| } 929| | 930| 0| NDPI_LOG_DBG(ndpi_struct, "(%d/%d)\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 931| 0| flow->detected_protocol_stack[0], flow->detected_protocol_stack[1]); 932| 0| } else { 933| 0| NDPI_LOG_DBG(ndpi_struct, "Skip DTLS packet because in monitoring\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 934| 0| } 935| 0| } 936| 197| } else if(first_byte <= 79) { ------------------ | Branch (936:13): [True: 27, False: 170] ------------------ /* First bytes 64..79 are parsed as TURN channel data only when the flow is already marked is_turn. */ 937| 27| if(flow->stun.is_turn) { ------------------ | Branch (937:8): [True: 23, False: 4] ------------------ 938| 23| NDPI_LOG_DBG(ndpi_struct, "TURN range\n"); ------------------ | | 596| 23|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 939| | /* Channel framing as parsed here: a 16-bit length at offset 2 and data starting at offset 4. ch_len comes from the packet and is accepted only if it fits in the bytes that follow the 4-byte header; payload_packet_len >= 4 is checked first so the subtraction cannot go below zero. */ 940| 23| if(packet->payload_packet_len >= 4) { ------------------ | Branch (940:10): [True: 22, False: 1] ------------------ 941| 22| u_int16_t ch_len; 942| | 943| 22| ch_len = ntohs(*(u_int16_t *)&packet->payload[2]); 944| | 945| 22| if(ch_len <= packet->payload_packet_len - 4) { ------------------ | Branch (945:12): [True: 12, False: 10] ------------------ 946| 12| const u_int8_t *orig_payload; 947| 12| u_int16_t orig_payload_length; 948| | /* The packet view is temporarily narrowed to the channel data, the function recurses on it, and the original pointer and length are restored afterwards. NOTE(review): no explicit recursion-depth limit is visible; depth is bounded only because every level shrinks the payload by at least 4 bytes - consider an explicit cap. */ 949| 12| orig_payload = packet->payload; 950| 12| orig_payload_length = packet->payload_packet_len; 951| 12| packet->payload = packet->payload + 4; 952| 12| packet->payload_packet_len = ch_len; 953| | 954| 12| stun_search_again(ndpi_struct, flow); 955| 12| NDPI_LOG_DBG(ndpi_struct, "End recursion on turn channel\n"); ------------------ | | 596| 12|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 956| | 957| 12| packet->payload = orig_payload; 958| 12| packet->payload_packet_len = orig_payload_length; 959| | 960| 12| } else { 961| 10| if(flow->l4_proto == IPPROTO_UDP) /* The error is quite common on TCP since we don't reassemble msgs */ ------------------ | Branch (961:14): [True: 2, False: 8] ------------------ 962| 2| NDPI_LOG_DBG(ndpi_struct, "Invalid channel length %d %d\n", ------------------ | | 596| 2|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 963| 10| ch_len, packet->payload_packet_len - 4); 964| 10| } 965| 22| } 966| 23| } else { 967| 4| NDPI_LOG_DBG(ndpi_struct, "QUIC range (not turn). Unexpected\n"); ------------------ | | 596| 4|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 968| 4| } 969| 170| } else if(first_byte <= 127) { ------------------ | Branch (969:13): [True: 15, False: 155] ------------------ 970| 15| NDPI_LOG_DBG(ndpi_struct, "QUIC range. 
Unexpected\n"); ------------------ | | 596| 15|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 971| 155| } else if(first_byte <= 191) { ------------------ | Branch (971:13): [True: 114, False: 41] ------------------ 972| | 973| 114| rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, packet->payload, packet->payload_packet_len, NULL); 974| 114| if(rtp_rtcp == IS_RTP) { ------------------ | Branch (974:8): [True: 99, False: 15] ------------------ 975| 99| NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d) [%d/%d]\n", packet->packet_direction, ------------------ | | 596| 99|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 976| 99| flow->stun.rtp_counters[0], flow->stun.rtp_counters[1]); 977| | 978| 99| flow->stun.rtp_counters[packet->packet_direction]++; 979| | /* TODO: store RTP information in 'struct rtp_info' */ 980| 99| NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n"); ------------------ | | 595| 99|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 981| | /* t_start is set the first time RTP has been counted in both directions; once it is set, only t_end is refreshed on each RTP packet. */ 982| 99| if(flow->stun.t_start != 0) { ------------------ | Branch (982:10): [True: 12, False: 87] ------------------ 983| 12| flow->stun.t_end = ndpi_get_current_time(flow); 984| 87| } else if(flow->stun.rtp_counters[0] != 0 && flow->stun.rtp_counters[1] != 0) { ------------------ | Branch (984:17): [True: 58, False: 29] | Branch (984:52): [True: 15, False: 43] ------------------ 985| 15| flow->stun.t_start = ndpi_get_current_time(flow); 986| 15| flow->stun.t_end = ndpi_get_current_time(flow); 987| 15| } 988| | /* The low 7 bits of the second payload byte are passed on - presumably the RTP payload type; verify against rtp_get_stream_type. */ 989| 99| rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_types, flow->detected_protocol_stack[0]); 990| | /* The stack is rewritten only if it does not already show RTP or RTCP in slot 0 or SRTP in slot 1. */ 991| 99| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTP && ------------------ | Branch (991:10): [True: 60, False: 39] ------------------ 992| 60| flow->detected_protocol_stack[0] != NDPI_PROTOCOL_RTCP && ------------------ | Branch (992:10): [True: 60, False: 0] ------------------ 993| 60| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_SRTP) { ------------------ | Branch (993:10): [True: 59, False: 1] ------------------ 994| | 995| 59| if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (995:12): [True: 27, False: 32] ------------------ 996| 27| if(flow->detected_protocol_stack[1] == NDPI_PROTOCOL_DTLS) { ------------------ | Branch (996:14): [True: 0, False: 27] ------------------ 997| | /* Keep DTLS/SUBPROTO since we already wrote to flow->protos.tls_quic */ 998| 27| } else { 999| | /* STUN/SUBPROTO -> SRTP/SUBPROTO */ 1000| 27| ndpi_int_stun_add_connection(ndpi_struct, flow, 1001| 27| flow->detected_protocol_stack[0], NDPI_PROTOCOL_SRTP, 1002| 27| NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); 1003| 27| } 1004| 32| } else { 1005| | /* STUN -> STUN/RTP, or 1006| | DTLS -> DTLS/SRTP */ 1007| 32| ndpi_int_stun_add_connection(ndpi_struct, flow, 1008| 32| __get_master(flow) == NDPI_PROTOCOL_STUN ? 
NDPI_PROTOCOL_RTP: NDPI_PROTOCOL_SRTP, ------------------ | Branch (1008:40): [True: 32, False: 0] ------------------ 1009| 32| __get_master(flow), NDPI_PROTOCOL_CATEGORY_UNSPECIFIED); 1010| 32| } 1011| 59| } else if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RTCP && ------------------ | Branch (1011:17): [True: 0, False: 40] ------------------ 1012| 0| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (1012:17): [True: 0, False: 0] ------------------ 1013| | /* From RTP dissector; if we have RTP and RTCP multiplexed together (but not STUN, yet) we always 1014| | use RTP, as we do in RTP dissector */ /* Outside monitoring state the RTCP-only stack is replaced through ndpi_set_detected_protocol() with NDPI_PROTOCOL_RTP; in monitoring state the packet is only logged. */ 1015| 0| if(flow->state != NDPI_STATE_MONITORING) ------------------ | Branch (1015:12): [True: 0, False: 0] ------------------ 1016| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP, NDPI_CONFIDENCE_DPI); 1017| 0| else 1018| 0| NDPI_LOG_DBG(ndpi_struct, "Skip RTP packet because in monitoring\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1019| 0| } 1020| 99| } else if(rtp_rtcp == IS_RTCP) { ------------------ | Branch (1020:15): [True: 0, False: 15] ------------------ 1021| 0| NDPI_LOG_DBG(ndpi_struct, "RTCP\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1022| 0| flow->stun.rtcp_seen = 1; 1023| 15| } else { 1024| 15| NDPI_LOG_DBG(ndpi_struct, "Unexpected\n"); ------------------ | | 596| 15|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1025| 15| } 1026| 114| } else { 1027| | /* Microsoft Multiplexed TURN messages. 
1028| | See: https://msopenspecs.azureedge.net/files/MS-TURN/%5bMS-TURN%5d.pdf 2.2.3 */ /* Taken only for NDPI_PROTOCOL_MSTEAMS_CALL flows whose first 16 bits are 0xFF10 and whose payload is at least 12 bytes long. NOTE(review): this branch has no hits in this coverage run. */ 1029| 41| if(packet->payload_packet_len >= 12 && ------------------ | Branch (1029:8): [True: 40, False: 1] ------------------ 1030| 41| ntohs(get_u_int16_t(packet->payload, 0)) == 0xFF10 && ------------------ | Branch (1030:8): [True: 0, False: 40] ------------------ 1031| 0| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_MSTEAMS_CALL) { ------------------ | Branch (1031:8): [True: 0, False: 0] ------------------ 1032| 0| u_int16_t ch_len; 1033| | 1034| 0| ch_len = ntohs(get_u_int16_t(packet->payload, 2)); 1035| | /* ch_len must equal the bytes after the first 4 header bytes and be at least 8, so the inner length ch_len - 8 equals payload_packet_len - 12 and matches the 12-byte advance of the payload pointer. The packet view is restored after the recursive call. */ 1036| 0| if(ch_len == packet->payload_packet_len - 4 && ------------------ | Branch (1036:10): [True: 0, False: 0] ------------------ 1037| 0| ch_len >= 8) { ------------------ | Branch (1037:10): [True: 0, False: 0] ------------------ 1038| 0| const u_int8_t *orig_payload; 1039| 0| u_int16_t orig_payload_length; 1040| | 1041| 0| orig_payload = packet->payload; 1042| 0| orig_payload_length = packet->payload_packet_len; 1043| 0| packet->payload = packet->payload + 12; 1044| 0| packet->payload_packet_len = ch_len - 8; 1045| | 1046| 0| stun_search_again(ndpi_struct, flow); 1047| | 1048| 0| NDPI_LOG_DBG(ndpi_struct, "End recursion on MS channel\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1049| | 1050| 0| packet->payload = orig_payload; 1051| 0| packet->payload_packet_len = orig_payload_length; 1052| | 1053| 0| } else { 1054| 0| NDPI_LOG_DBG(ndpi_struct, "Invalid MS channel length %d %d\n", ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1055| 0| ch_len, packet->payload_packet_len - 4); 1056| 0| } 1057| 41| } else { 1058| 41| NDPI_LOG_DBG(ndpi_struct, "QUIC other range. Unexpected\n"); ------------------ | | 596| 41|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 1059| 41| } 1060| 41| } 1061| 2.53k| return keep_extra_dissection(ndpi_struct, flow); 1062| 2.62k|} stun.c:is_new_subclassification_better: /* Returns 1 when new_app_proto should replace the current classification: it differs from detected_protocol_stack[0] and it is not an UNKNOWN result arriving while a real subclassification is already in place. Returns 0 otherwise. */ 105| 2.14k|{ 106| 2.14k| NDPI_LOG_DBG(ndpi_struct, "%d/%d -> %d\n", ------------------ | | 596| 2.14k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 107| 2.14k| flow->detected_protocol_stack[1], flow->detected_protocol_stack[0], 108| 2.14k| new_app_proto); 109| | 110| | /* If we don't have a real subclassification, we might want to lookup into the cache again 111| | (even if new_app_proto == NDPI_PROTOCOL_UNKNOWN) */ 112| | 113| 2.14k| if(is_subclassification_real(flow) && ------------------ | Branch (113:6): [True: 1.78k, False: 362] ------------------ 114| 1.78k| new_app_proto == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (114:6): [True: 274, False: 1.51k] ------------------ 115| 274| return 0; 116| | 117| | /* Debug */ /* This block only logs a change between two different real subclassifications; it does not affect the return value. */ 118| 1.87k| if(new_app_proto != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (118:6): [True: 1.57k, False: 294] ------------------ 119| 1.57k| is_subclassification_real(flow) && ------------------ | Branch (119:6): [True: 1.51k, False: 68] ------------------ 120| 1.51k| new_app_proto != flow->detected_protocol_stack[0]) { ------------------ | Branch (120:6): [True: 55, False: 1.45k] ------------------ 121| 55| NDPI_LOG_DBG(ndpi_struct, "Incoherent sub-classification change %d/%d->%d \n", ------------------ | | 596| 55|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 122| 55| flow->detected_protocol_stack[1], 123| 55| flow->detected_protocol_stack[0], new_app_proto); 124| 55| } 125| | 126| 1.87k| if(new_app_proto != flow->detected_protocol_stack[0]) ------------------ | Branch (126:6): [True: 417, False: 1.45k] ------------------ 127| 417| return 1; 128| 1.45k| return 0; 129| 1.87k|} stun.c:ndpi_int_stun_add_connection: 1154| 3.53k| ndpi_protocol_category_t category) { 1155| 3.53k| ndpi_confidence_t confidence = NDPI_CONFIDENCE_DPI; 1156| 3.53k| u_int16_t new_app_proto; 1157| | 1158| | /* In monitoring the classification can't change again */ 1159| 3.53k| if(flow->state == NDPI_STATE_MONITORING) ------------------ | Branch (1159:6): [True: 0, False: 3.53k] ------------------ 1160| 0| return; 1161| | 1162| 3.53k| NDPI_LOG_DBG(ndpi_struct, "Wanting %d/%d\n", master_proto, app_proto); ------------------ | | 596| 3.53k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1163| | 1164| 3.53k| if(app_proto == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (1164:6): [True: 1.11k, False: 2.42k] ------------------ 1165| | /* https://support.google.com/a/answer/1279090?hl=en */ 1166| 1.11k| if((ntohs(flow->c_port) >= 19302 && ntohs(flow->c_port) <= 19309) || ------------------ | Branch (1166:9): [True: 638, False: 478] | Branch (1166:41): [True: 0, False: 638] ------------------ 1167| 1.11k| ntohs(flow->c_port) == 3478 || ------------------ | Branch (1167:8): [True: 291, False: 825] ------------------ 1168| 825| (ntohs(flow->s_port) >= 19302 && ntohs(flow->s_port) <= 19309) || ------------------ | Branch (1168:9): [True: 12, False: 813] | Branch (1168:41): [True: 0, False: 12] ------------------ 1169| 1.11k| ntohs(flow->s_port) == 3478) { ------------------ | Branch (1169:8): [True: 504, False: 321] ------------------ 1170| 795| if(flow->is_ipv6) { ------------------ | Branch (1170:10): [True: 0, False: 795] ------------------ 1171| 0| 
u_int64_t pref1 = ndpi_htonll(0x2001486048640005); /* 2001:4860:4864:5::/64 */ 1172| 0| u_int64_t pref2 = ndpi_htonll(0x2001486048640006); /* 2001:4860:4864:6::/64 */ 1173| | 1174| 0| if(memcmp(flow->c_address.v6, &pref1, sizeof(pref1)) == 0 || ------------------ | Branch (1174:12): [True: 0, False: 0] ------------------ 1175| 0| memcmp(flow->c_address.v6, &pref2, sizeof(pref2)) == 0 || ------------------ | Branch (1175:12): [True: 0, False: 0] ------------------ 1176| 0| memcmp(flow->s_address.v6, &pref1, sizeof(pref1)) == 0 || ------------------ | Branch (1176:12): [True: 0, False: 0] ------------------ 1177| 0| memcmp(flow->s_address.v6, &pref2, sizeof(pref2)) == 0) { ------------------ | Branch (1177:12): [True: 0, False: 0] ------------------ 1178| 0| app_proto = NDPI_PROTOCOL_GOOGLE_CALL; 1179| 0| } 1180| 795| } else { 1181| 795| u_int32_t c_address, s_address; 1182| | 1183| 795| c_address = ntohl(flow->c_address.v4); 1184| 795| s_address = ntohl(flow->s_address.v4); 1185| 795| if((c_address & 0xFFFFFF00) == 0x4a7dfa00 || /* 74.125.250.0/24 */ ------------------ | Branch (1185:5): [True: 0, False: 795] ------------------ 1186| 795| (c_address & 0xFFFFFF00) == 0x8efa5200 || /* 142.250.82.0/24 */ ------------------ | Branch (1186:12): [True: 0, False: 795] ------------------ 1187| 795| (s_address & 0xFFFFFF00) == 0x4a7dfa00 || ------------------ | Branch (1187:12): [True: 0, False: 795] ------------------ 1188| 795| (s_address & 0xFFFFFF00) == 0x8efa5200) { ------------------ | Branch (1188:12): [True: 0, False: 795] ------------------ 1189| 0| app_proto = NDPI_PROTOCOL_GOOGLE_CALL; 1190| 0| } 1191| 795| } 1192| 795| } 1193| 1.11k| } 1194| | 1195| 3.53k| if(!is_subclassification_real_by_proto(app_proto)) { ------------------ | Branch (1195:6): [True: 1.14k, False: 2.38k] ------------------ 1196| 1.14k| new_app_proto = search_into_cache(ndpi_struct, flow); 1197| 1.14k| if(new_app_proto != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (1197:8): [True: 351, 
False: 797] ------------------ 1198| 351| confidence = NDPI_CONFIDENCE_DPI_CACHE; 1199| 351| if(app_proto == NDPI_PROTOCOL_RTP) ------------------ | Branch (1199:10): [True: 1, False: 350] ------------------ 1200| 1| master_proto = NDPI_PROTOCOL_SRTP; /* STUN/RTP --> SRTP/APP */ 1201| 351| if(master_proto == NDPI_PROTOCOL_RTP || master_proto == NDPI_PROTOCOL_RTCP) ------------------ | Branch (1201:10): [True: 0, False: 351] | Branch (1201:47): [True: 0, False: 351] ------------------ 1202| 0| master_proto = NDPI_PROTOCOL_SRTP; /* RTP|RTCP --> SRTP/APP */ 1203| 351| app_proto = new_app_proto; 1204| 351| } 1205| 1.14k| } 1206| | 1207| | /* From RTP dissector */ 1208| 3.53k| if(master_proto == NDPI_PROTOCOL_RTP || master_proto == NDPI_PROTOCOL_RTCP) { ------------------ | Branch (1208:6): [True: 0, False: 3.53k] | Branch (1208:43): [True: 0, False: 3.53k] ------------------ 1209| 0| if(app_proto == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (1209:8): [True: 0, False: 0] ------------------ 1210| 0| app_proto = NDPI_PROTOCOL_RTP; 1211| 0| master_proto = NDPI_PROTOCOL_STUN; /* RTP|RTCP -> STUN/RTP */ 1212| 0| } else { 1213| 0| master_proto = NDPI_PROTOCOL_SRTP; 1214| 0| } 1215| 0| } 1216| | 1217| | /* Adding only real subclassifications */ 1218| 3.53k| if(is_subclassification_real_by_proto(app_proto)) ------------------ | Branch (1218:6): [True: 2.74k, False: 797] ------------------ 1219| 2.74k| add_to_cache(ndpi_struct, flow, app_proto); 1220| | 1221| 3.53k| if(category != NDPI_PROTOCOL_CATEGORY_UNSPECIFIED) ------------------ | Branch (1221:6): [True: 0, False: 3.53k] ------------------ 1222| 0| flow->category = category; 1223| | 1224| 3.53k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN || ------------------ | Branch (1224:6): [True: 3.06k, False: 476] ------------------ 1225| 3.33k| app_proto != NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (1225:6): [True: 272, False: 204] ------------------ 1226| 3.33k| NDPI_LOG_DBG(ndpi_struct, 
"Setting %d/%d\n", master_proto, app_proto); ------------------ | | 596| 3.33k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1227| 3.33k| ndpi_set_detected_protocol(ndpi_struct, flow, app_proto, master_proto, confidence); 1228| | 1229| | /* In "normal" data-path the generic code in `ndpi_internal_detection_process_packet()` 1230| | takes care of setting the category */ 1231| 3.33k| if(flow->extra_packets_func) { ------------------ | Branch (1231:8): [True: 272, False: 3.06k] ------------------ 1232| 272| ndpi_master_app_protocol proto; 1233| | 1234| 272| proto.master_protocol = master_proto; 1235| 272| proto.app_protocol = app_proto; 1236| 272| flow->category = get_proto_category(ndpi_struct, proto); 1237| 272| flow->breed = get_proto_breed(ndpi_struct, proto); 1238| 272| } 1239| 3.33k| } 1240| | 1241| 3.53k| switch_extra_dissection_to_stun(ndpi_struct, flow, 1); 1242| 3.53k|} stun.c:search_into_cache: 135| 1.14k|{ 136| 1.14k| u_int16_t proto; 137| 1.14k| u_int64_t key; 138| 1.14k| int rc; 139| | 140| 1.14k| if(ndpi_struct->stun_cache) { ------------------ | Branch (140:6): [True: 1.00k, False: 140] ------------------ 141| 1.00k| key = get_stun_lru_key(flow, 0); 142| 1.00k| rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 143| 1.00k| 0 /* Don't remove it as it can be used for other connections */, 144| 1.00k| ndpi_get_current_time(flow)); 145| |#ifdef DEBUG_LRU 146| | printf("[LRU] Searching 0x%llx\n", (long long unsigned int)key); 147| |#endif 148| | 149| 1.00k| if(!rc) { ------------------ | Branch (149:8): [True: 769, False: 239] ------------------ 150| 769| key = get_stun_lru_key(flow, 1); 151| 769| rc = ndpi_lru_find_cache(ndpi_struct->stun_cache, key, &proto, 152| 769| 0 /* Don't remove it as it can be used for other connections */, 153| 769| ndpi_get_current_time(flow)); 154| |#ifdef DEBUG_LRU 155| | printf("[LRU] Searching 0x%llx\n", (long long unsigned int)key); 156| |#endif 157| 769| } 158| | 159| 
1.00k| if(rc) { ------------------ | Branch (159:8): [True: 351, False: 657] ------------------ 160| |#ifdef DEBUG_LRU 161| | printf("[LRU] Cache FOUND 0x%llx / %u\n", (long long unsigned int)key, proto); 162| |#endif 163| | 164| 351| return proto; 165| 657| } else { 166| |#ifdef DEBUG_LRU 167| | printf("[LRU] NOT FOUND 0x%llx\n", (long long unsigned int)key); 168| |#endif 169| 657| } 170| 1.00k| } else { 171| |#ifdef DEBUG_LRU 172| | printf("[LRU] NO/EMPTY CACHE\n"); 173| |#endif 174| 140| } 175| 797| return NDPI_PROTOCOL_UNKNOWN; 176| 1.14k|} stun.c:get_stun_lru_key: /* Builds the 64-bit key used for the STUN LRU cache from one endpoint of the flow: rev != 0 selects s_address/s_port, rev == 0 selects c_address/c_port. IPv4: the address is widened to 64 bits, shifted into the upper half and OR'ed with the port exactly as stored in the flow (no ntohs on this path). IPv6: ndpi_quick_hash64() over the 16 address bytes, shifted left by 16 and OR'ed with ntohs(port). NOTE(review): both IPv6 branches show 0 executions in this coverage run, so the hashed-key path is not exercised by this corpus. */ 1122| 6.66k|static u_int64_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { 1123| 6.66k| if(rev) { ------------------ | Branch (1123:6): [True: 3.21k, False: 3.45k] ------------------ 1124| 3.21k| if(flow->is_ipv6) ------------------ | Branch (1124:8): [True: 0, False: 3.21k] ------------------ 1125| 0| return (ndpi_quick_hash64((const char *)flow->s_address.v6, 16) << 16) | ntohs(flow->s_port); 1126| 3.21k| else 1127| 3.21k| return ((u_int64_t)flow->s_address.v4 << 32) | flow->s_port; 1128| 3.45k| } else { 1129| 3.45k| if(flow->is_ipv6) ------------------ | Branch (1129:8): [True: 0, False: 3.45k] ------------------ 1130| 0| return (ndpi_quick_hash64((const char *)flow->c_address.v6, 16) << 16) | ntohs(flow->c_port); 1131| 3.45k| else 1132| 3.45k| return ((u_int64_t)flow->c_address.v4 << 32) | flow->c_port; 1133| 3.45k| } 1134| 6.66k|} stun.c:add_to_cache: /* When ndpi_struct->stun_cache is set, stores app_proto under both endpoint keys of the flow (get_stun_lru_key(flow, 0) and get_stun_lru_key(flow, 1)), each stamped with ndpi_get_current_time(flow); does nothing when there is no cache. The visible caller, ndpi_int_stun_add_connection, only gets here when is_subclassification_real_by_proto(app_proto) holds. NOTE(review): keys are address and port only, and a later lookup hit is reported with NDPI_CONFIDENCE_DPI_CACHE, so a new flow from the same endpoint inherits the cached sub-classification - confirm the cache lifetime is acceptable where endpoints are reused. */ 183| 2.74k|{ 184| 2.74k| u_int64_t key, key_rev; 185| | 186| 2.74k| if(ndpi_struct->stun_cache) { ------------------ | Branch (186:6): [True: 2.44k, False: 298] ------------------ 187| 2.44k| key = get_stun_lru_key(flow, 0); 188| 2.44k| ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto, ndpi_get_current_time(flow)); 189| 2.44k| key_rev = get_stun_lru_key(flow, 1); 190| 2.44k| ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key_rev, app_proto, ndpi_get_current_time(flow)); 191| | 192| |#ifdef DEBUG_LRU 193| | 
printf("[LRU] ADDING 0x%llx 0x%llx app %u [%u -> %u]\n", 194| | (long long unsigned int)key, (long long unsigned int)key_rev, app_proto, 195| | ntohs(flow->c_port), ntohs(flow->s_port)); 196| |#endif 197| 2.44k| } 198| 2.74k|} stun.c:__get_master: /* Returns the protocol id that ndpi_search_stun forwards to ndpi_int_stun_add_connection (presumably as the master protocol, going by the name): detected_protocol_stack[1] when it is already known; otherwise detected_protocol_stack[0] when that is known and is not NDPI_PROTOCOL_TELEGRAM; otherwise NDPI_PROTOCOL_STUN. NOTE(review): in this coverage run the NDPI_PROTOCOL_TELEGRAM test never evaluated false (424 true, 0 false), so the Telegram fall-through to NDPI_PROTOCOL_STUN is not exercised by this corpus. */ 795| 3.54k|static u_int32_t __get_master(struct ndpi_flow_struct *flow) { 796| | 797| 3.54k| if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (797:6): [True: 57, False: 3.48k] ------------------ 798| 57| return flow->detected_protocol_stack[1]; 799| 3.48k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (799:6): [True: 424, False: 3.06k] ------------------ 800| 424| flow->detected_protocol_stack[0] != NDPI_PROTOCOL_TELEGRAM) ------------------ | Branch (800:6): [True: 424, False: 0] ------------------ 801| 424| return flow->detected_protocol_stack[0]; 802| 3.06k| return NDPI_PROTOCOL_STUN; 803| 3.48k|} stun.c:keep_extra_dissection: 685| 5.68k|{ 686| 5.68k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 687| | 688| | /* We want extra dissection for: 689| | * sub-classification 690| | * metadata extraction (*-ADDRESS) or looking for RTP 691| | * At the moment: 692| | * it seems ZOOM doesn't have any meaningful attributes 693| | * we want (all) XOR-PEER-ADDRESS only for Telegram. 694| | * for the other protocols, we stop after we have all metadata (if enabled) 695| | * for some specific protocol, we might know that some attributes are never used 696| | * if monitoring is enabled, keep looking for (S)RTP anyway 697| | 698| | **After** extra dissection is ended, we might move to monitoring. Note that: 699| | * classification doesn't change while in monitoring! 
700| | */ 701| | 702| 5.68k| if(packet->udp ------------------ | Branch (702:6): [True: 5.41k, False: 272] ------------------ 703| 5.41k| && (ntohs(packet->udp->source) == 3478) ------------------ | Branch (703:9): [True: 1.96k, False: 3.44k] ------------------ 704| 1.96k| && (packet->payload_packet_len > 0) ------------------ | Branch (704:9): [True: 1.96k, False: 2] ------------------ 705| 1.96k| && (packet->payload[0] != 0x0) && (packet->payload[0] != 0x1)) { ------------------ | Branch (705:9): [True: 1.94k, False: 18] | Branch (705:40): [True: 56, False: 1.89k] ------------------ 706| 56| if(flow->stun.num_non_stun_pkt < 2) { ------------------ | Branch (706:8): [True: 56, False: 0] ------------------ 707| 56| flow->stun.non_stun_pkt_len[flow->stun.num_non_stun_pkt++] = packet->payload_packet_len; 708| | 709| |#ifdef STUN_DEBUG 710| | if(flow->stun.num_non_stun_pkt == 2) 711| | printf("%d %d\n", flow->stun.non_stun_pkt_len[0], flow->stun.non_stun_pkt_len[1]); 712| |#endif 713| 56| } 714| 56| } 715| | 716| 5.68k| if(packet->payload_packet_len > 699) { ------------------ | Branch (716:6): [True: 1, False: 5.68k] ------------------ 717| 1| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP) { ------------------ | Branch (717:8): [True: 0, False: 1] ------------------ 718| 0| if((packet->payload[0] == 0x16) && (packet->payload[1] == 0xfe) ------------------ | Branch (718:10): [True: 0, False: 0] | Branch (718:42): [True: 0, False: 0] ------------------ 719| 0| && ((packet->payload[2] == 0xff) /* DTLS 1.0 */ ------------------ | Branch (719:7): [True: 0, False: 0] ------------------ 720| 0| || (packet->payload[2] == 0xfd) /* DTLS 1.2 */ )) ------------------ | Branch (720:10): [True: 0, False: 0] ------------------ 721| 0| ; /* Skip DTLS */ 722| 0| else { 723| | /* STUN or RTP */ 724| | /* This packet is too big to be audio: add video */ 725| 0| flow->flow_multimedia_types |= ndpi_multimedia_video_flow; 726| 0| } 727| 0| } 728| 1| } 729| | 730| 
5.68k| if(flow->state == NDPI_STATE_MONITORING) ------------------ | Branch (730:6): [True: 0, False: 5.68k] ------------------ 731| 0| return 1; 732| | 733| 5.68k| if(flow->num_extra_packets_checked + 1 == flow->max_extra_packets_to_check) { ------------------ | Branch (733:6): [True: 112, False: 5.57k] ------------------ 734| 112| if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_STUN)) { ------------------ | Branch (734:8): [True: 0, False: 112] ------------------ 735| 0| NDPI_LOG_DBG(ndpi_struct, "Enabling monitoring (end extra dissection)\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 736| 0| flow->state = NDPI_STATE_MONITORING; 737| 0| return 1; 738| 0| } 739| 112| } 740| | 741| 5.68k| if(!is_subclassification_real(flow)) ------------------ | Branch (741:6): [True: 1.02k, False: 4.66k] ------------------ 742| 1.02k| return 1; 743| | 744| 4.66k| if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_STUN) && ------------------ | Branch (744:6): [True: 0, False: 4.66k] ------------------ 745| 0| (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_SRTP && ------------------ | Branch (745:7): [True: 0, False: 0] ------------------ 746| 0| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_DTLS)) ------------------ | Branch (746:7): [True: 0, False: 0] ------------------ 747| 0| return 1; 748| | 749| 4.66k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TELEGRAM_VOIP && ------------------ | Branch (749:6): [True: 0, False: 4.66k] ------------------ 750| 0| ndpi_struct->cfg.stun_peer_address_enabled) ------------------ | Branch (750:6): [True: 0, False: 0] ------------------ 751| 0| return 1; 752| | 753| | /* General rule */ 754| 4.66k| if((flow->stun.mapped_address.port || !ndpi_struct->cfg.stun_mapped_address_enabled) && ------------------ | Branch (754:7): [True: 1.90k, False: 2.76k] | Branch (754:41): [True: 0, False: 2.76k] ------------------ 755| 1.90k| 
(flow->stun.peer_address.port || !ndpi_struct->cfg.stun_peer_address_enabled) && ------------------ | Branch (755:7): [True: 0, False: 1.90k] | Branch (755:39): [True: 0, False: 1.90k] ------------------ 756| 0| (flow->stun.relayed_address.port || !ndpi_struct->cfg.stun_relayed_address_enabled) && ------------------ | Branch (756:7): [True: 0, False: 0] | Branch (756:42): [True: 0, False: 0] ------------------ 757| 0| (flow->stun.response_origin.port || !ndpi_struct->cfg.stun_response_origin_enabled) && ------------------ | Branch (757:7): [True: 0, False: 0] | Branch (757:42): [True: 0, False: 0] ------------------ 758| 0| (flow->stun.other_address.port || !ndpi_struct->cfg.stun_other_address_enabled)) { ------------------ | Branch (758:7): [True: 0, False: 0] | Branch (758:40): [True: 0, False: 0] ------------------ 759| 0| if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_STUN)) { ------------------ | Branch (759:8): [True: 0, False: 0] ------------------ 760| 0| NDPI_LOG_DBG(ndpi_struct, "Enabling monitoring (found all metadata)\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 761| 0| flow->state = NDPI_STATE_MONITORING; 762| 0| return 1; 763| 0| } 764| 0| return 0; 765| 0| } 766| | 767| | /* Exception WA: only relayed and mapped address attributes but we keep looking for RTP packets */ 768| 4.66k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_WHATSAPP_CALL && ------------------ | Branch (768:6): [True: 3.51k, False: 1.15k] ------------------ 769| 3.51k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_SRTP && ------------------ | Branch (769:6): [True: 48, False: 3.46k] ------------------ 770| 48| (flow->stun.mapped_address.port || !ndpi_struct->cfg.stun_mapped_address_enabled) && ------------------ | Branch (770:7): [True: 27, False: 21] | Branch (770:41): [True: 0, False: 21] ------------------ 771| 27| (flow->stun.relayed_address.port || !ndpi_struct->cfg.stun_relayed_address_enabled)) { ------------------ | Branch (771:7): [True: 0, False: 27] | Branch (771:42): [True: 0, False: 27] ------------------ 772| 0| if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_STUN)) { ------------------ | Branch (772:8): [True: 0, False: 0] ------------------ 773| 0| NDPI_LOG_DBG(ndpi_struct, "Enabling monitor (found all metadata; wa case)\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 774| 0| flow->state = NDPI_STATE_MONITORING; 775| 0| return 1; 776| 0| } 777| 0| return 0; 778| 0| } 779| | 780| | /* Exception Zoom: no metadata */ 781| 4.66k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_ZOOM) { ------------------ | Branch (781:6): [True: 1.06k, False: 3.59k] ------------------ 782| 1.06k| if(is_monitoring_enabled(ndpi_struct, NDPI_PROTOCOL_STUN)) { ------------------ | Branch (782:8): [True: 0, False: 1.06k] ------------------ 783| 0| NDPI_LOG_DBG(ndpi_struct, "Enabling monitor (zoom case)\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 784| 0| flow->state = NDPI_STATE_MONITORING; 785| 0| return 1; 786| 0| } 787| 1.06k| return 0; 788| 1.06k| } 789| | 790| 3.59k| return 1; 791| 4.66k|} stun.c:get_signal_key: /* Returns a key derived from c_address only (no port is mixed in): ndpi_quick_hash64() over the 16 IPv6 address bytes, or the c_address.v4 value as stored for IPv4. NOTE(review): the IPv6 branch has 0 executions in this coverage run. */ 1298| 19|{ 1299| 19| if(flow->is_ipv6) ------------------ | Branch (1299:6): [True: 0, False: 19] ------------------ 1300| 0| return ndpi_quick_hash64((const char *)flow->c_address.v6, 16); 1301| 19| else 1302| 19| return flow->c_address.v4; 1303| 19|} stun.c:ndpi_search_stun: /* STUN dissector entry point as shown in this listing: the dissector is excluded for IPv4 packets whose destination is 255.255.255.255 or falls in 224.0.0.0/4; otherwise is_stun() is called and, when it returns 1, the flow is classified through ndpi_int_stun_add_connection() with the value of __get_master(flow). Flows that have not matched once packet_counter exceeds 5 are excluded. NOTE(review): category is handed to is_stun() uninitialised and forwarded when rc == 1 - presumably is_stun() always writes it on that path; confirm. */ 1265| 35.7k|{ 1266| 35.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1267| 35.7k| u_int16_t app_proto; 1268| 35.7k| ndpi_protocol_category_t category; 1269| 35.7k| int rc; 1270| | 1271| 35.7k| NDPI_LOG_DBG(ndpi_struct, "search stun\n"); ------------------ | | 596| 35.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1272| | 1273| 35.7k| app_proto = NDPI_PROTOCOL_UNKNOWN; 1274| | 1275| 35.7k| if(packet->iph && ------------------ | Branch (1275:6): [True: 34.9k, False: 770] ------------------ 1276| 34.9k| ((packet->iph->daddr == 0xFFFFFFFF /* 255.255.255.255 */) || ------------------ | Branch (1276:7): [True: 172, False: 34.7k] ------------------ 1277| 34.7k| ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */))) { ------------------ | Branch (1277:7): [True: 1.36k, False: 33.4k] ------------------ 1278| 1.53k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.53k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 1279| 1.53k| return; 1280| 1.53k| } 1281| | 1282| 34.2k| rc = is_stun(ndpi_struct, flow, &app_proto, &category); 1283| | 1284| 34.2k| if(rc == 1) { ------------------ | Branch (1284:6): [True: 3.06k, False: 31.1k] ------------------ 1285| 3.06k| ndpi_int_stun_add_connection(ndpi_struct, flow, app_proto, 1286| 3.06k| __get_master(flow), category); 1287| 
3.06k| return; 1288| 3.06k| } 1289| | 1290| | /* TODO: can we stop earlier? */ 1291| 31.1k| if(flow->packet_counter > 5) ------------------ | Branch (1291:6): [True: 1.41k, False: 29.7k] ------------------ 1292| 1.41k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.41k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 1293| 31.1k|} init_syncthing_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("Syncthing", ndpi_struct, 66| 7.08k| ndpi_search_syncthing, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_SYNCTHING); 69| 7.08k|} syncthing.c:ndpi_search_syncthing: 41| 3.36k|{ 42| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| | 44| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search 
syncthing\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 3.36k| if (packet->payload_packet_len <= 4) ------------------ | Branch (46:7): [True: 124, False: 3.23k] ------------------ 47| 124| { 48| 124| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 124|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 124| return; 50| 124| } 51| | 52| 3.23k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x2EA7D90B /* Magic */) ------------------ | Branch (52:7): [True: 0, False: 3.23k] ------------------ 53| 0| { 54| 0| ndpi_int_syncthing_add_connection(ndpi_struct, flow); 55| | /* ToDo: Dissect Announce Message. Protocol buffer dissector required. */ 56| 0| return; 57| 0| } 58| | 59| 3.23k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.23k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 3.23k| return; 61| 3.23k|} init_syslog_dissector: 108| 7.08k|{ 109| 7.08k| ndpi_register_dissector("Syslog", ndpi_struct, 110| 7.08k| ndpi_search_syslog, 111| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | 
| #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 112| 7.08k| 1, NDPI_PROTOCOL_SYSLOG); 113| 7.08k|} syslog.c:ndpi_search_syslog: 40| 17.9k|{ 41| 17.9k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| 17.9k| u_int16_t i; 43| | 44| 17.9k| NDPI_LOG_DBG(ndpi_struct, "search syslog\n"); ------------------ | | 596| 17.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 45| | 46| 17.9k| if (packet->payload_packet_len > 20 && packet->payload[0] == '<') { ------------------ | Branch (46:7): [True: 13.1k, False: 4.87k] | Branch (46:42): [True: 101, False: 13.0k] ------------------ 47| 101| NDPI_LOG_DBG2(ndpi_struct, "checked len>20 and <1024 and first symbol=<\n"); ------------------ | | 597| 101|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| | 49| 104| for (i = 1; i <= 3; i++) { ------------------ | Branch (49:17): [True: 104, False: 0] ------------------ 50| 104| if (packet->payload[i] < '0' || packet->payload[i] > '9') { ------------------ | Branch (50:11): [True: 22, False: 82] | Branch (50:39): [True: 79, False: 3] ------------------ 51| 101| break; 52| 101| } 53| 104| } 54| 101| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 101|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 55| 101| "read symbols while the symbol is a number.\n"); 56| | 57| 101| if (packet->payload[i++] != '>') { ------------------ | Branch (57:9): [True: 90, False: 11] ------------------ 58| 90| NDPI_LOG_DBG(ndpi_struct, "excluded, there is no > following the number\n"); ------------------ | | 596| 90|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 59| 90| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 90|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 60| 90| return; 61| 90| } else { 62| 11| NDPI_LOG_DBG2(ndpi_struct, "a > following the number\n"); ------------------ | | 597| 11|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 63| 11| } 64| | 65| 11| if (packet->payload[i] == 0x20) { ------------------ | Branch (65:9): [True: 1, False: 10] ------------------ 66| 1| NDPI_LOG_DBG2(ndpi_struct, "a blank following the >: increment i\n"); ------------------ | | 597| 1|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 67| 1| i++; 68| 10| } else { 69| 10| NDPI_LOG_DBG2(ndpi_struct, "no blank following the >: do nothing\n"); ------------------ | | 597| 10|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 70| 10| } 71| | 72| 68| while (i < packet->payload_packet_len - 1) ------------------ | Branch (72:12): [True: 68, False: 0] ------------------ 73| 68| { 74| 68| if (ndpi_isalnum(packet->payload[i]) == 0) ------------------ | | 2527| 68|#define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0) | | ------------------ | | | | 2525| 68|#define ndpi_isalpha(ch) (((ch) >= 'a' && (ch) <= 'z') || ((ch) >= 'A' && (ch) <= 'Z')) | | | | ------------------ | | | | | Branch (2525:28): [True: 56, False: 12] | | | | | Branch (2525:43): [True: 55, False: 1] | | | | | Branch (2525:60): [True: 3, False: 10] | | | | | Branch (2525:75): [True: 1, False: 2] | | | | ------------------ | | ------------------ | | #define ndpi_isalnum(ch) (ndpi_isalpha(ch) != 0 || ndpi_isdigit(ch) != 0) | | ------------------ | | | | 2526| 12|#define ndpi_isdigit(ch) ((ch) >= '0' && (ch) <= '9') | | | | ------------------ | | | | | Branch (2526:27): [True: 5, False: 7] | | | | | Branch (2526:42): [True: 1, False: 4] | | | | ------------------ | | ------------------ | | | Branch (2527:27): [True: 56, False: 12] | | | Branch (2527:52): [True: 1, False: 11] | | ------------------ ------------------ | Branch (74:13): [True: 11, False: 57] ------------------ 75| 11| { 76| 11| if (packet->payload[i] == ' ' || packet->payload[i] == ':' || ------------------ | Branch (76:17): [True: 4, False: 7] | Branch (76:46): [True: 1, False: 6] ------------------ 77| 6| packet->payload[i] == '=' || packet->payload[i] == '[' || ------------------ | Branch (77:17): [True: 1, False: 5] | Branch (77:46): [True: 1, False: 4] ------------------ 78| 4| packet->payload[i] == '-') ------------------ | Branch (78:17): [True: 1, False: 3] ------------------ 79| 8| { 80| 8| break; 81| 8| } 82| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, 
__FILE__, __func__, __LINE__) ------------------ 83| 3| return; 84| 11| } 85| | 86| 57| i++; 87| 57| } 88| | /* i is at most payload_packet_len - 1 here, because the loop above only advances while i < payload_packet_len - 1; the read below therefore stays inside the payload, and the ++i that follows is range-checked before the next read. */ 89| 8| if (packet->payload[i] == ':') ------------------ | Branch (89:9): [True: 1, False: 7] ------------------ 90| 1| { 91| 1| if (++i >= packet->payload_packet_len || ------------------ | Branch (91:13): [True: 0, False: 1] ------------------ 92| 1| packet->payload[i] != ' ') ------------------ | Branch (92:13): [True: 1, False: 0] ------------------ 93| 1| { 94| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 95| 1| return; 96| 1| } 97| 1| } 98| | 99| 7| NDPI_LOG_INFO(ndpi_struct, "found syslog\n"); ------------------ | | 595| 7|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 100| 7| ndpi_int_syslog_add_connection(ndpi_struct, flow); 101| 7| return; 102| 8| } 103| 17.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 104| 17.8k|} syslog.c:ndpi_int_syslog_add_connection: /* Records the flow as NDPI_PROTOCOL_SYSLOG with NDPI_PROTOCOL_UNKNOWN in the second protocol slot and confidence NDPI_CONFIDENCE_DPI. */ 34| 7|{ 35| 7| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SYSLOG, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 36| 7|} init_tailscale_dissector: /* Registers ndpi_search_tailscale under the name "Tailscale" with the selection bitmask NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, which the macro expansion below shows to be the IPv4-or-IPv6, UDP and has-payload bits. */ 51| 7.08k|void init_tailscale_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 52| 7.08k| ndpi_register_dissector("Tailscale", ndpi_struct, 53| 7.08k| ndpi_search_tailscale, 54| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP 
(NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 55| 7.08k| 1, NDPI_PROTOCOL_TAILSCALE); 56| 7.08k|} tailscale.c:ndpi_search_tailscale: 33| 3.36k|{ 34| 3.36k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 35| 3.36k| unsigned char magic[6] = { 0x54, 0x53, 0xf0, 0x9f, 0x92, 0xac }; 36| 3.36k| unsigned short port = 41641; 37| | 38| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search Tailscale\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 3.36k| if(packet->payload_packet_len > sizeof(magic) && ------------------ | Branch (40:6): [True: 3.23k, False: 128] ------------------ 41| 3.23k| (ntohs(flow->c_port) == port || ntohs(flow->s_port) == port) && ------------------ | Branch (41:7): [True: 0, False: 3.23k] | Branch (41:38): [True: 0, False: 3.23k] ------------------ 42| 0| memcmp(packet->payload, magic, sizeof(magic)) == 0) { ------------------ | Branch (42:6): [True: 0, False: 0] ------------------ 43| 0| NDPI_LOG_INFO(ndpi_struct, "found Tailscale\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TAILSCALE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 45| 0| return; 46| 0| } 47| | 48| 3.36k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.36k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 3.36k|} init_teamspeak_dissector: 97| 7.08k|{ 98| 7.08k| ndpi_register_dissector("TeamSpeak", ndpi_struct, 99| 7.08k| ndpi_search_teamspeak, 100| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | 
------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 101| 7.08k| 1, NDPI_PROTOCOL_TEAMSPEAK); 102| 7.08k|} teamspeak.c:ndpi_search_teamspeak: 35| 17.8k|{ 36| 17.8k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 37| | 38| 17.8k| NDPI_LOG_DBG(ndpi_struct, "search teamspeak\n"); ------------------ | | 596| 17.8k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 39| | 40| 17.8k| if (packet->payload_packet_len >= 20) { ------------------ | Branch (40:7): [True: 13.1k, False: 4.68k] ------------------ 41| 13.1k| if (packet->udp != NULL) { ------------------ | Branch (41:9): [True: 4.15k, False: 8.98k] ------------------ 42| 4.15k| if (memcmp(packet->payload, "TS3INIT1", strlen("TS3INIT1")) == 0) ------------------ | Branch (42:11): [True: 10, False: 4.14k] ------------------ 43| 10| { 44| 10| NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK udp\n"); ------------------ | | 595| 10|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| 10| ndpi_int_teamspeak_add_connection(ndpi_struct, flow); 46| 10| return; 47| 10| } 48| 8.98k| } else if(packet->tcp != NULL) { ------------------ | Branch (48:15): [True: 8.98k, False: 0] ------------------ 49| | /* https://github.com/Youx/soliloque-server/wiki/Connection-packet */ 50| 8.98k| if(((memcmp(packet->payload, "\xf4\xbe\x03\x00", 4) == 0)) || ------------------ | Branch (50:10): [True: 2, False: 8.97k] ------------------ 51| 8.97k| ((memcmp(packet->payload, "\xf4\xbe\x02\x00", 4) == 0)) || ------------------ | Branch (51:10): [True: 1, False: 8.97k] ------------------ 52| 8.97k| ((memcmp(packet->payload, "\xf4\xbe\x01\x00", 4) == 0))) ------------------ | Branch (52:10): [True: 1, False: 8.97k] ------------------ 53| 4| { 54| 4| NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK tcp\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 55| 4| ndpi_int_teamspeak_add_connection(ndpi_struct, flow); 56| 4| return; 57| 4| } /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */ 58| 8.98k| } 59| 13.1k| } 60| | 61| 17.8k| if (packet->udp != NULL) ------------------ | Branch (61:7): [True: 4.36k, False: 13.4k] ------------------ 62| 4.36k| { 63| 4.36k| if (packet->payload_packet_len == 16 && ------------------ | Branch (63:9): [True: 9, False: 4.35k] ------------------ 64| 9| packet->payload[0] == 0x01 && packet->payload[3] == 0x02 && ------------------ | Branch (64:9): [True: 1, False: 8] | Branch (64:39): [True: 0, False: 1] ------------------ 65| 0| get_u_int32_t(packet->payload, 11) == 0x00000000 && packet->payload[15] == 0x00) ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (65:9): [True: 0, False: 0] | Branch (65:61): [True: 0, False: 0] ------------------ 66| 0| { 67| 0| goto ts3_license_weblist; 68| 0| } 69| | 70| 4.36k| if 
((packet->payload_packet_len == 4 || packet->payload_packet_len == 8) && ------------------ | Branch (70:10): [True: 3, False: 4.36k] | Branch (70:45): [True: 11, False: 4.35k] ------------------ 71| 14| packet->payload[0] == 0x01 && packet->payload[3] == 0x01) ------------------ | Branch (71:9): [True: 2, False: 12] | Branch (71:39): [True: 1, False: 1] ------------------ 72| 1| { 73| 1| goto ts3_license_weblist; 74| 1| } 75| | 76| 4.36k| if (packet->payload_packet_len == 5 && ------------------ | Branch (76:9): [True: 4, False: 4.36k] ------------------ 77| 4| packet->payload[0] == 0x01 && packet->payload[3] == 0x02 && ------------------ | Branch (77:9): [True: 1, False: 3] | Branch (77:39): [True: 0, False: 1] ------------------ 78| 0| packet->payload[4] == 0x00) ------------------ | Branch (78:9): [True: 0, False: 0] ------------------ 79| 0| { 80| 0| goto ts3_license_weblist; 81| 0| } 82| 4.36k| } 83| | 84| 17.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 85| 17.8k| return; 86| | 87| 1|ts3_license_weblist: 88| 1| if (flow->packet_counter == 3) ------------------ | Branch (88:7): [True: 0, False: 1] ------------------ 89| 0| { 90| 0| NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK license/weblist\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 91| 0| ndpi_int_teamspeak_add_connection(ndpi_struct, flow); 92| 0| return; 93| 0| } 94| 1|} teamspeak.c:ndpi_int_teamspeak_add_connection: 29| 14|{ 30| 14| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMSPEAK, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 31| 14|} init_teamviewer_dissector: 87| 7.08k|{ 88| 7.08k| ndpi_register_dissector("TeamViewer", ndpi_struct, 89| 7.08k| ndpi_search_teamview, 90| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 91| 7.08k| 1, NDPI_PROTOCOL_TEAMVIEWER); 92| 7.08k|} teamviewer.c:ndpi_search_teamview: 42| 18.5k|{ 43| 18.5k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 44| | 45| 18.5k| NDPI_LOG_DBG(ndpi_struct, "search teamwiewer\n"); ------------------ | | 596| 18.5k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | 47| 18.5k| if (packet->udp != NULL) { ------------------ | Branch (47:7): [True: 5.08k, False: 13.4k] ------------------ 48| 5.08k| if (packet->payload_packet_len > 13) { ------------------ | Branch (48:9): [True: 4.90k, False: 180] ------------------ 49| 4.90k| if (packet->payload[0] == 0x00 && packet->payload[11] == 0x17 && packet->payload[12] == 0x24) { /* byte 0 is a counter/seq number, and at the start is 0 */ ------------------ | Branch (49:11): [True: 963, False: 3.93k] | Branch (49:41): [True: 32, False: 931] | Branch (49:72): [True: 1, False: 31] ------------------ 50| 1| flow->teamviewer_stage++; 51| 1| if (flow->teamviewer_stage == 4 || ------------------ | Branch (51:6): [True: 0, False: 1] ------------------ 52| 1| packet->udp->dest == ntohs(5938) || packet->udp->source == ntohs(5938)) { ------------------ | Branch (52:6): [True: 0, False: 1] | Branch (52:42): [True: 0, False: 1] ------------------ 53| 0| ndpi_int_teamview_add_connection(ndpi_struct, flow); 54| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found TeamViewer"); /* Remote assistance (UDP only) */ 55| 0| } 56| 1| return; 57| 1| } 58| 4.90k| } 59| 5.08k| } 60| 13.4k| else if(packet->tcp != NULL) { ------------------ | Branch (60:11): [True: 13.4k, False: 0] ------------------ 61| 13.4k| if 
(packet->payload_packet_len > 2) { ------------------ | Branch (61:9): [True: 13.4k, False: 9] ------------------ 62| 13.4k| if (packet->payload[0] == 0x17 && packet->payload[1] == 0x24) { ------------------ | Branch (62:11): [True: 211, False: 13.2k] | Branch (62:41): [True: 5, False: 206] ------------------ 63| 5| flow->teamviewer_stage++; 64| 5| if (flow->teamviewer_stage == 4 || ------------------ | Branch (64:6): [True: 0, False: 5] ------------------ 65| 5| packet->tcp->dest == ntohs(5938) || packet->tcp->source == ntohs(5938)) { ------------------ | Branch (65:6): [True: 0, False: 5] | Branch (65:42): [True: 0, False: 5] ------------------ 66| 0| ndpi_int_teamview_add_connection(ndpi_struct, flow); 67| 0| } 68| 5| return; 69| 5| } 70| 13.4k| else if (flow->teamviewer_stage) { ------------------ | Branch (70:16): [True: 12, False: 13.4k] ------------------ 71| 12| if (packet->payload[0] == 0x11 && packet->payload[1] == 0x30) { ------------------ | Branch (71:6): [True: 0, False: 12] | Branch (71:36): [True: 0, False: 0] ------------------ 72| 0| flow->teamviewer_stage++; 73| 0| if (flow->teamviewer_stage == 4) { ------------------ | Branch (73:8): [True: 0, False: 0] ------------------ 74| 0| ndpi_int_teamview_add_connection(ndpi_struct, flow); 75| 0| } 76| 0| } 77| 12| return; 78| 12| } 79| 13.4k| } 80| 13.4k| } 81| | 82| 18.5k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 18.5k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 83| 18.5k|} init_telegram_dissector: 115| 7.08k|{ 116| 7.08k| ndpi_register_dissector("Telegram", ndpi_struct, 117| 7.08k| ndpi_search_telegram, 118| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 119| 7.08k| 1, NDPI_PROTOCOL_TELEGRAM); 120| 7.08k|} telegram.c:ndpi_search_telegram: 49| 17.7k| struct ndpi_flow_struct *flow) { 50| 17.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 51| | 52| 17.7k| NDPI_LOG_DBG(ndpi_struct, "search telegram\n"); ------------------ | | 596| 17.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 53| | 54| 17.7k| if(packet->tcp != NULL) { ------------------ | Branch (54:6): [True: 13.4k, False: 4.36k] ------------------ 55| | /* With MTProto 2.0 telegram via app is no longer TLS-based (although based on TCP/443) so 56| | we need to detect it with Telegram IPs. 57| | Basically, we want a fast classification by ip. Note that, real Telegram traffic over 58| | TLS (i.e. Telegram Web) is correctly classified as TLS/Telegram because TLS dissector 59| | already kicked in. 60| | Let's check every port for the time being */ 61| 13.4k| if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_TELEGRAM) { ------------------ | Branch (61:8): [True: 0, False: 13.4k] ------------------ 62| 0| ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_MATCH_BY_IP); 63| 0| return; 64| 0| } 65| 13.4k| } else if(packet->udp != NULL) { ------------------ | Branch (65:13): [True: 4.36k, False: 0] ------------------ 66| | /* 67| | The latest telegram protocol 68| | - contains a sequence of 12 consecutive 0xFF packets 69| | - it uses low UDP ports in the 500 range 70| | */ 71| | 72| 4.36k| if(packet->payload_packet_len >= 40) { ------------------ | Branch (72:8): [True: 3.82k, False: 536] ------------------ 73| 3.82k| u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); 74| | 75| 3.82k| if(is_telegram_port_range(sport) || is_telegram_port_range(dport)) { ------------------ | Branch (75:10): [True: 23, False: 3.80k] | Branch (75:43): [True: 32, False: 3.77k] ------------------ 76| 55| u_int i, found = 0; 77| | 78| 8.19k| for(i=0; i<packet->payload_packet_len; i++) { ------------------ | Branch (78:11): [True: 8.17k, False: 25] ------------------ 79| 8.17k| if(packet->payload[i] == 0xFF) { ------------------ | Branch (79:7): [True: 30, False: 8.14k] ------------------ 80| 30| found = 1; 81| 30| break; 82| 30| } 83| 8.17k| } 84| | 85| 55| if(!found) return; ------------------ | Branch (85:5): [True: 25,
False: 30] ------------------ 86| | 87| 89| for(i += 1; i<packet->payload_packet_len; i++) { ------------------ | Branch (87:14): [True: 88, False: 1] ------------------ 88| 88| if(packet->payload[i] == 0xFF) ------------------ | Branch (88:7): [True: 59, False: 29] ------------------ 89| 59| found++; 90| 29| else 91| 29| break; 92| 88| } 93| | 94| 30| if(found == 12) { ------------------ | Branch (94:5): [True: 0, False: 30] ------------------ 95| 0| ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI); 96| | /* It seems this kind of traffic is used: 97| | * for "normal" stuff (at least years ago... and now? TODO) 98| | * for calls, as a custom encapsulation of STUN/DTLS/RTP packets 99| | Since we are not able to tell the former from the latter, always 100| | switch to STUN dissection. If we find STUN/DTLS/RTP stuff we will 101| | update the classification to something like STUN/Telegram_voip, 102| | otherwise it will remain Telegram */ 103| 0| switch_extra_dissection_to_stun(ndpi_struct, flow, 0); 104| 0| return; 105| 0| } 106| 30| } 107| 3.82k| } 108| 4.36k| } 109| | 110| 17.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 111| 17.7k|} telegram.c:is_telegram_port_range: 40| 7.62k|static u_int8_t is_telegram_port_range(u_int16_t port) { 41| 7.62k| if((port >= 500) && (port <= 600)) ------------------ | Branch (41:6): [True: 6.49k, False: 1.12k] | Branch (41:23): [True: 55, False: 6.44k] ------------------ 42| 55| return(1); 43| | 44| | 45| 7.57k| return(0); 46| 7.62k|} init_telnet_dissector: 204| 7.08k|{ 205| 7.08k| ndpi_register_dissector("Telnet", ndpi_struct, 206| 7.08k| ndpi_search_telnet_tcp, 207| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 208| 7.08k| 1, NDPI_PROTOCOL_TELNET); 209| 7.08k|} telnet.c:ndpi_search_telnet_tcp: 188| 13.4k| struct ndpi_flow_struct *flow) { 189| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search telnet\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 190| | 191| 13.4k| if(search_iac(ndpi_struct) == 1) { ------------------ | Branch (191:6): [True: 16, False: 13.4k] ------------------ 192| 16| NDPI_LOG_INFO(ndpi_struct, "found telnet\n"); ------------------ | | 595| 16|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 193| 16| ndpi_int_telnet_add_connection(ndpi_struct, flow); 194| 16| return; 195| 16| } 196| | 197| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 198| | 199| 13.4k| return; 200| 13.4k|} telnet.c:search_iac: 149| 13.4k|u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct) { 150| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 151| | 152| 13.4k| u_int16_t a; 153| | 154| |#ifdef TELNET_DEBUG 155| | printf("==> %s()\n", __FUNCTION__); 156| |#endif 157| | 158| 13.4k| if(packet->payload_packet_len < 3) ------------------ | Branch (158:6): [True: 9, False: 13.4k] ------------------ 159| 9| return(0); 160| | 161| 13.4k| if(!((packet->payload[0] == 0xff) ------------------ | Branch (161:8): [True: 88, False: 13.3k] ------------------ 162| 88| && (packet->payload[1] > 0xf9) ------------------ | Branch (162:11): [True: 54, False: 34] ------------------ 163| 54| && (packet->payload[1] != 0xff) ------------------ | Branch (163:11): [True: 21, False: 33] ------------------ 164| 21| && (packet->payload[2] < 0x28))) ------------------ | Branch (164:11): [True: 18, False: 3] ------------------ 165| 13.4k| return(0); 166| | 167| 18| a = 3; 168| | 169| 293| while (a < packet->payload_packet_len - 2) { ------------------ | Branch (169:10): [True: 277, False: 16] ------------------ 170| | // commands start with a 0xff byte followed by a command byte >= 0xf0 and < 0xff 171| | // command bytes 0xfb to 0xfe are 
followed by an option byte <= 0x28 172| 277| if(!(packet->payload[a] != 0xff || ------------------ | Branch (172:10): [True: 274, False: 3] ------------------ 173| 3| (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xf0) && (packet->payload[a + 1] <= 0xfa)) || ------------------ | Branch (173:5): [True: 3, False: 0] | Branch (173:35): [True: 2, False: 1] | Branch (173:71): [True: 1, False: 1] ------------------ 174| 2| (packet->payload[a] == 0xff && (packet->payload[a + 1] >= 0xfb) && (packet->payload[a + 1] != 0xff) ------------------ | Branch (174:5): [True: 2, False: 0] | Branch (174:35): [True: 1, False: 1] | Branch (174:71): [True: 0, False: 1] ------------------ 175| 0| && (packet->payload[a + 2] <= 0x28)))) ------------------ | Branch (175:8): [True: 0, False: 0] ------------------ 176| 2| return(0); 177| | 178| 275| a += 3; 179| 275| } 180| | 181| 16| return 1; 182| 18|} telnet.c:ndpi_int_telnet_add_connection: 133| 16| *ndpi_struct, struct ndpi_flow_struct *flow) { 134| 16| flow->max_extra_packets_to_check = 64; 135| 16| flow->extra_packets_func = search_telnet_again; 136| | 137| 16| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELNET, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 138| 16|} telnet.c:search_telnet_again: 38| 83| struct ndpi_flow_struct *flow) { 39| 83| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| 83| int i; 41| | 42| |#ifdef TELNET_DEBUG 43| | printf("==> %s() [%.*s][direction: %u]\n", __FUNCTION__, packet->payload_packet_len, 44| | packet->payload, packet->packet_direction); 45| |#endif 46| | 47| 83| if((packet->payload == NULL) ------------------ | Branch (47:6): [True: 0, False: 83] ------------------ 48| 83| || (packet->payload_packet_len == 0) ------------------ | Branch (48:9): [True: 47, False: 36] ------------------ 49| 36| || (packet->payload[0] == 0xFF)) ------------------ | Branch (49:9): [True: 3, False: 33] ------------------ 50| 50| return(1); 51| | 52| 33| 
if(flow->protos.telnet.username_detected) { ------------------ | Branch (52:6): [True: 0, False: 33] ------------------ 53| 0| if((!flow->protos.telnet.password_found) ------------------ | Branch (53:8): [True: 0, False: 0] ------------------ 54| 0| && (packet->payload_packet_len > 9)) { ------------------ | Branch (54:5): [True: 0, False: 0] ------------------ 55| | 56| 0| if(strncasecmp((char*)packet->payload, "password:", 9) == 0) { ------------------ | Branch (56:10): [True: 0, False: 0] ------------------ 57| 0| flow->protos.telnet.password_found = 1; 58| 0| } 59| | 60| 0| return(1); 61| 0| } 62| | 63| 0| if(packet->payload[0] == '\r' || packet->payload[0] == '\n') { ------------------ | Branch (63:8): [True: 0, False: 0] | Branch (63:38): [True: 0, False: 0] ------------------ 64| 0| if(!flow->protos.telnet.password_found) ------------------ | Branch (64:10): [True: 0, False: 0] ------------------ 65| 0| return(1); 66| | 67| 0| flow->protos.telnet.password_detected = 1; 68| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, "Found password"); 69| 0| flow->protos.telnet.password[flow->protos.telnet.character_id] = '\0'; 70| 0| return(0); 71| 0| } 72| | 73| 0| if(packet->packet_direction == 0) /* client -> server */ { ------------------ | Branch (73:8): [True: 0, False: 0] ------------------ 74| 0| for(i=0; i<packet->payload_packet_len; i++) { ------------------ | Branch (74:16): [True: 0, False: 0] ------------------ 75| 0| if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.password)-1)) ------------------ | Branch (75:5): [True: 0, False: 0] ------------------ 76| 0| flow->protos.telnet.password[flow->protos.telnet.character_id++] = packet->payload[i]; 77| 0| } 78| 0| } 79| | 80| 0| return(1); 81| 0| } 82| | 83| 33| if((!flow->protos.telnet.username_found) ------------------ | Branch (83:6): [True: 33, False: 0] ------------------ 84| 33| && (packet->payload_packet_len > 6)) { ------------------ | Branch (84:9): [True: 28, False: 5]
------------------ 85| | 86| 28| if(strncasecmp((char*)packet->payload, "login:", 6) == 0) { ------------------ | Branch (86:8): [True: 0, False: 28] ------------------ 87| 0| flow->protos.telnet.username_found = 1; 88| 0| } 89| | 90| 28| return(1); 91| 28| } 92| | 93| 5| if(packet->payload[0] == '\r' || packet->payload[0] == '\n') { ------------------ | Branch (93:6): [True: 0, False: 5] | Branch (93:36): [True: 0, False: 5] ------------------ 94| 0| char buf[64]; 95| | 96| 0| flow->protos.telnet.username_detected = 1; 97| 0| flow->protos.telnet.username[flow->protos.telnet.character_id] = '\0'; 98| 0| flow->protos.telnet.character_id = 0; 99| | 100| 0| snprintf(buf, sizeof(buf), "Found Telnet username (%s)", 101| 0| flow->protos.telnet.username); 102| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_CLEAR_TEXT_CREDENTIALS, buf); 103| | 104| 0| return(1); 105| 0| } 106| | 107| 18| for(i=0; i<packet->payload_packet_len; i++) { ------------------ | Branch (107:12): [True: 13, False: 5] ------------------ 108| 13| if(packet->packet_direction == 0) /* client -> server */ { ------------------ | Branch (108:8): [True: 13, False: 0] ------------------ 109| 13| if(flow->protos.telnet.character_id < (sizeof(flow->protos.telnet.username)-1)) ------------------ | Branch (109:10): [True: 13, False: 0] ------------------ 110| 13| { 111| 13| if (i>=packet->payload_packet_len-2 && ------------------ | Branch (111:13): [True: 9, False: 4] ------------------ 112| 9| (packet->payload[i] == '\r' || packet->payload[i] == '\n')) ------------------ | Branch (112:14): [True: 0, False: 9] | Branch (112:44): [True: 0, False: 9] ------------------ 113| 0| { 114| 0| continue; 115| 0| } 116| 13| else if (ndpi_isprint(packet->payload[i]) == 0) ------------------ | | 2529| 13|#define ndpi_isprint(ch) ((ch) >= 0x20 && (ch) <= 0x7e) | | ------------------ | | | Branch (2529:27): [True: 9, False: 4] | | | Branch (2529:43): [True: 7, False: 2] | | ------------------ ------------------ | Branch (116:18): [True: 6,
False: 7] ------------------ 117| 6| { 118| 6| flow->protos.telnet.username[flow->protos.telnet.character_id++] = '?'; 119| 7| } else { 120| 7| flow->protos.telnet.username[flow->protos.telnet.character_id++] = packet->payload[i]; 121| 7| } 122| 13| } 123| 13| } 124| 13| } 125| | 126| | /* Possibly more processing */ 127| 5| return(1); 128| 5|} init_tencent_games_dissector: 89| 7.08k|{ 90| 7.08k| ndpi_register_dissector("TencentGames", ndpi_struct, 91| 7.08k| ndpi_search_tencent_games, 92| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 93| 7.08k| 1, NDPI_PROTOCOL_TENCENTGAMES); 94| 7.08k|} tencent_games.c:ndpi_search_tencent_games: 42| 11.6k|{ 43| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 44| | 45| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search Tencent Games\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 46| | 47| 11.6k| if (packet->payload_packet_len > 50) { ------------------ | Branch (47:7): [True: 3.25k, False: 8.39k] ------------------ 48| 3.25k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x3366000B && ------------------ | Branch (48:9): [True: 0, False: 3.25k] ------------------ 49| 3.25k| ntohs(get_u_int16_t(packet->payload, 4)) == 0xB) ------------------ | Branch (49:9): [True: 0, False: 0] ------------------ 50| 0| { 51| 0| ndpi_int_tencent_games_add_connection(ndpi_struct, flow); 52| 0| return; 53| 0| } 54| | 55| 3.25k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x4366AA00 && ------------------ | Branch (55:9): [True: 0, False: 3.25k] ------------------ 56| 3.25k| ntohl(get_u_int32_t(packet->payload, 12)) == 0x10E68601) ------------------ | Branch (56:9): [True: 0, False: 0] ------------------ 57| 0| { 58| 0| ndpi_int_tencent_games_add_connection(ndpi_struct, flow); 59| 0| return; 60| 0| } 61| | 62| 3.25k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0xAA000000 && ------------------ | Branch (62:9): [True: 0, False: 3.25k] ------------------ 63| 3.25k| ntohl(get_u_int32_t(packet->payload, 10)) == 0x10E68601) ------------------ | Branch (63:9): [True: 0, False: 0] ------------------ 64| 0| { 65| 0| ndpi_int_tencent_games_add_connection(ndpi_struct, flow); 66| 0| return; 67| 0| } 68| | 69| 3.25k| if 
(get_u_int16_t(packet->payload, 0) == 0 && ------------------ | | 136| 3.25k|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (69:9): [True: 315, False: 2.93k] ------------------ 70| 3.25k| ntohs(get_u_int16_t(packet->payload, 2)) == (u_int16_t)(packet->payload_packet_len-4) && ------------------ | Branch (70:9): [True: 11, False: 304] ------------------ 71| 3.25k| ntohs(get_u_int16_t(packet->payload, 4)) == 0x7801) ------------------ | Branch (71:9): [True: 0, False: 11] ------------------ 72| 0| { 73| 0| ndpi_int_tencent_games_add_connection(ndpi_struct, flow); 74| 0| return; 75| 0| } 76| | 77| 3.25k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x4215F787 && ------------------ | Branch (77:9): [True: 0, False: 3.25k] ------------------ 78| 0| get_u_int16_t(packet->payload, 6) == 0) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (78:9): [True: 0, False: 0] ------------------ 79| 0| { 80| 0| ndpi_int_tencent_games_add_connection(ndpi_struct, flow); 81| 0| return; 82| 0| } 83| 3.25k| } 84| | 85| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 86| 11.6k|} init_teredo_dissector: 48| 7.08k|{ 49| 7.08k| ndpi_register_dissector("TEREDO", ndpi_struct, 50| 7.08k| ndpi_search_teredo, 51| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD, /* Teredo is inherently IPV4 only */ ------------------ | | 631| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 617| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 604| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 52| 7.08k| 1, NDPI_PROTOCOL_TEREDO); 53| 7.08k|} teredo.c:ndpi_search_teredo: 30| 5.42k|{ 31| 5.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 32| | 33| 5.42k| NDPI_LOG_DBG(ndpi_struct,"search teredo\n"); ------------------ | | 596| 5.42k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 34| 5.42k| if(packet->udp ------------------ | Branch (34:6): [True: 5.42k, False: 0] ------------------ 35| 5.42k| && packet->iph ------------------ | Branch (35:9): [True: 5.42k, False: 0] ------------------ 36| 5.42k| && ((ntohl(packet->iph->daddr) & 0xF0000000) != 0xE0000000 /* Not a multicast address */) ------------------ | Branch (36:9): [True: 4.08k, False: 1.33k] ------------------ 37| 4.08k| && ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544)) ------------------ | Branch (37:10): [True: 0, False: 4.08k] | Branch (37:50): [True: 0, False: 4.08k] ------------------ 38| 0| && (packet->payload_packet_len >= 40 /* IPv6 header */)) { ------------------ | Branch (38:9): [True: 0, False: 0] ------------------ 39| 0| NDPI_LOG_INFO(ndpi_struct,"found teredo\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 40| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 41| 5.42k| } else { 42| 5.42k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.42k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 43| 5.42k| } 44| 5.42k|} init_teso_dissector: 82| 7.08k|{ 83| 7.08k| ndpi_register_dissector("TES_Online", ndpi_struct, 84| 7.08k| ndpi_search_teso, 85| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 86| 7.08k| 1, NDPI_PROTOCOL_TESO); 87| 7.08k|} teso.c:ndpi_search_teso: 44| 11.6k|{ 45| 11.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | 47| 11.6k| NDPI_LOG_DBG(ndpi_struct, "search TES Online\n"); ------------------ | | 596| 11.6k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 48| | 49| 11.6k| if (packet->payload_packet_len < 600 || ------------------ | Branch (49:7): [True: 11.2k, False: 408] ------------------ 50| 11.6k| ntohl(get_u_int32_t(packet->payload, 0)) != (u_int32_t)(packet->payload_packet_len-4)) ------------------ | Branch (50:7): [True: 408, False: 0] ------------------ 51| 11.6k| { 52| 11.6k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.6k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 53| 11.6k| return; 54| 11.6k| } 55| | 56| | /* 57| | * I'd like to use just memcmp and a couple ifs here, but the offset to 58| | * the string "eso.live" or the 0x8B789C01 byte sequence can be different - 59| | * it varies by the amount of characters in the account name, weather on Mars, 60| | * etc. 
61| | */ 62| | 63| 0| const u_int8_t magic[] = { 0x8B, 0x78, 0x9C, 0x01 }; 64| | 65| 0| if (ndpi_memmem(packet->payload, packet->payload_packet_len, "eso.live", ------------------ | Branch (65:7): [True: 0, False: 0] ------------------ 66| 0| NDPI_STATICSTRING_LEN("eso.live"))) ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 67| 0| { 68| 0| ndpi_int_teso_add_connection(ndpi_struct, flow); 69| 0| return; 70| 0| } 71| 0| else if (ndpi_memmem(packet->payload, packet->payload_packet_len, magic, ------------------ | Branch (71:12): [True: 0, False: 0] ------------------ 72| 0| sizeof(magic))) 73| 0| { 74| 0| ndpi_int_teso_add_connection(ndpi_struct, flow); 75| 0| return; 76| 0| } 77| | 78| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 79| 0|} init_tftp_dissector: 285| 7.08k|{ 286| 7.08k| ndpi_register_dissector("TFTP", ndpi_struct, 287| 7.08k| ndpi_search_tftp, 288| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 289| 7.08k| 1, NDPI_PROTOCOL_TFTP); 290| 7.08k|} tftp.c:ndpi_search_tftp: 135| 4.61k|{ 136| 4.61k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 137| 4.61k| u_int16_t block_num; 138| 4.61k| u_int16_t prev_num; 139| | 140| 4.61k| NDPI_LOG_DBG(ndpi_struct, "search TFTP\n"); ------------------ | | 596| 4.61k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 141| | 142| 4.61k| if (packet->payload_packet_len < 4 /* min. header size */ || ------------------ | Branch (142:7): [True: 122, False: 4.49k] ------------------ 143| 4.49k| get_u_int8_t(packet->payload, 0) != 0x00) ------------------ | | 135| 4.49k|#define get_u_int8_t(X,O) (*(u_int8_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (143:7): [True: 3.36k, False: 1.12k] ------------------ 144| 3.48k| { 145| 3.48k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.48k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 146| 3.48k| return; 147| 3.48k| } 148| | 149| | /* parse TFTP opcode */ 150| 1.12k| switch (get_u_int8_t(packet->payload, 1)) ------------------ | | 135| 1.12k|#define get_u_int8_t(X,O) (*(u_int8_t *)((&(((u_int8_t *)X)[O])))) ------------------ 151| 1.12k| { 152| 48| case 0x01: ------------------ | Branch (152:5): [True: 48, False: 1.07k] ------------------ 153| | /* Read request (RRQ) */ 154| 77| case 0x02: ------------------ | Branch (154:5): [True: 29, False: 1.09k] ------------------ 155| | /* Write request (WWQ) */ 156| | 157| 77| if (packet->payload[packet->payload_packet_len - 1] != 0x00 /* last pdu element is a nul 
terminated string */) ------------------ | Branch (157:13): [True: 43, False: 34] ------------------ 158| 43| { 159| 43| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 43|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 160| 43| return; 161| 43| } 162| | 163| 34| { 164| 34| size_t filename_len = 0; 165| 34| size_t offset = 2; 166| 34| char const * filename_start; 167| | 168| 34| filename_len = tftp_dissect_szstr(packet, &offset, &filename_start); 169| | 170| | /* Exclude the flow as TFPT if there was no filename and mode in the first two strings. */ 171| 34| if (filename_len == 0 || ndpi_is_printable_buffer((uint8_t *)filename_start, filename_len) == 0) ------------------ | Branch (171:15): [True: 13, False: 21] | Branch (171:36): [True: 17, False: 4] ------------------ 172| 30| { 173| 30| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 30|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 174| 30| return; 175| 30| } 176| | 177| 4| if (tftp_dissect_mode(packet, &offset) != 0) ------------------ | Branch (177:15): [True: 4, False: 0] ------------------ 178| 4| { 179| 4| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 180| 4| return; 181| 4| } 182| | 183| 0| if (tftp_dissect_options(packet, &offset) != 0) ------------------ | Branch (183:15): [True: 0, False: 0] ------------------ 184| 0| { 185| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 186| 0| return; 187| 0| } 188| | 189| | /* Dissect 
RRQ/WWQ filename. */ 190| 0| filename_len = ndpi_min(filename_len, sizeof(flow->protos.tftp.filename) - 1); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 191| 0| memcpy(flow->protos.tftp.filename, filename_start, filename_len); 192| 0| flow->protos.tftp.filename[filename_len] = '\0'; 193| | 194| | /* We have seen enough and do not need any more TFTP packets. */ 195| 0| NDPI_LOG_INFO(ndpi_struct, "found tftp (RRQ/WWQ)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 196| 0| ndpi_int_tftp_add_connection(ndpi_struct, flow); 197| 0| } 198| 0| return; 199| | 200| 587| case 0x03: ------------------ | Branch (200:5): [True: 587, False: 537] ------------------ 201| | /* Data (DATA) */ 202| 587| if (packet->payload_packet_len <= 4 /* min DATA header size */) ------------------ | Branch (202:13): [True: 1, False: 586] ------------------ 203| 1| { 204| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 205| 1| return; 206| 1| } 207| | /* First 2 bytes were opcode so next 16 bits are the block number. 208| | * This should increment every packet but give some leeway for midstream and packet loss. 
*/ 209| 586| block_num = ntohs(get_u_int16_t(packet->payload, 2)); 210| 586| prev_num = flow->l4.udp.tftp_data_num; 211| 586| flow->l4.udp.tftp_data_num = block_num; 212| 586| if (!(block_num == prev_num + 1 || (prev_num != 0 && block_num == prev_num))) ------------------ | Branch (212:15): [True: 2, False: 584] | Branch (212:45): [True: 154, False: 430] | Branch (212:62): [True: 81, False: 73] ------------------ 213| 503| { 214| 503| return; 215| 503| } 216| 83| break; 217| | 218| 83| case 0x04: ------------------ | Branch (218:5): [True: 3, False: 1.12k] ------------------ 219| | /* Acknowledgment (ACK) */ 220| | 221| 3| if (packet->payload_packet_len != 4 /* ACK has a fixed packet size */) ------------------ | Branch (221:13): [True: 3, False: 0] ------------------ 222| 3| { 223| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 224| 3| return; 225| 3| } 226| | /* First 2 bytes were opcode so next 16 bits are the block number. 227| | * This should increment every packet but give some leeway for midstream and packet loss. 
*/ 228| 0| block_num = ntohs(get_u_int16_t(packet->payload, 2)); 229| 0| prev_num = flow->l4.udp.tftp_ack_num; 230| 0| flow->l4.udp.tftp_ack_num = block_num; 231| 0| if (!(block_num == prev_num + 1 || (block_num == prev_num))) ------------------ | Branch (231:15): [True: 0, False: 0] | Branch (231:44): [True: 0, False: 0] ------------------ 232| 0| { 233| 0| return; 234| 0| } 235| 0| break; 236| | 237| 95| case 0x05: ------------------ | Branch (237:5): [True: 95, False: 1.02k] ------------------ 238| | /* Error (ERROR) */ 239| | 240| 95| if (packet->payload_packet_len < 5 || ------------------ | Branch (240:13): [True: 0, False: 95] ------------------ 241| 95| packet->payload[packet->payload_packet_len - 1] != 0x00 || ------------------ | Branch (241:13): [True: 1, False: 94] ------------------ 242| 94| packet->payload[2] != 0x00 || packet->payload[3] > 0x07) ------------------ | Branch (242:13): [True: 92, False: 2] | Branch (242:43): [True: 1, False: 1] ------------------ 243| 94| { 244| 94| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 94|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 245| 94| return; 246| 94| } 247| 1| break; 248| | 249| 3| case 0x06: ------------------ | Branch (249:5): [True: 3, False: 1.12k] ------------------ 250| | /* Option Acknowledgment (OACK) */ 251| | 252| 3| { 253| 3| size_t offset = 2; 254| | 255| 3| if (tftp_dissect_options(packet, &offset) != 0) ------------------ | Branch (255:15): [True: 3, False: 0] ------------------ 256| 3| { 257| 3| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 258| 3| return; 259| 3| } 260| 3| } 261| | 262| | /* We have seen enough and do not need any more TFTP packets. 
*/ 263| 0| NDPI_LOG_INFO(ndpi_struct, "found tftp (OACK)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 264| 0| ndpi_int_tftp_add_connection(ndpi_struct, flow); 265| 0| break; 266| | 267| 359| default: ------------------ | Branch (267:5): [True: 359, False: 765] ------------------ 268| 359| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 359|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 269| 359| return; 270| 1.12k| } 271| | 272| 84| if (flow->l4.udp.tftp_stage < 3) ------------------ | Branch (272:7): [True: 84, False: 0] ------------------ 273| 84| { 274| 84| NDPI_LOG_DBG2(ndpi_struct, "maybe tftp. need next packet\n"); ------------------ | | 597| 84|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 275| 84| flow->l4.udp.tftp_stage++; 276| 84| return; 277| 84| } 278| | 279| 0| NDPI_LOG_INFO(ndpi_struct, "found tftp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 280| 0| ndpi_int_tftp_add_connection(ndpi_struct, flow); 281| 0|} tftp.c:tftp_dissect_szstr: 41| 43|{ /* Parses one NUL-terminated string from packet->payload at *offset. Returns its length (without the NUL) and advances *offset past the terminator; returns 0 when *offset is at or beyond the payload, the string is empty, or no NUL lies inside the payload. string_start is optional (may be NULL) and, when set, receives a pointer into the payload, not a copy. */ 42| 43| if (packet->payload_packet_len <= *offset) ------------------ | Branch (42:7): [True: 1, False: 42] ------------------ 43| 1| { 44| 1| return 0; 45| 1| } 46| | 47| 42| const union { 48| 42| uint8_t const * const as_ptr; 49| 42| char const * const as_str; 50| 42| } payload = { .as_ptr = packet->payload + *offset }; 51| | /* strnlen is capped at the bytes remaining after *offset, so the scan cannot run past the payload. */ 52| 42| size_t len = strnlen(payload.as_str, packet->payload_packet_len - *offset); /* If no NUL was found, len equals the remaining byte count and the second operand below rejects the string; the || short-circuit means as_str[len] is only read when that index is still inside the payload. */ 53| 42| if (len == 0 || ------------------ | Branch (53:7): [True: 16, False: 26] ------------------ 54| 26| packet->payload_packet_len <= *offset + len || ------------------ | Branch (54:7): [True: 0, False: 26] ------------------ 55| 26| payload.as_str[len] != '\0') ------------------ | Branch (55:7): [True: 0, False: 26] ------------------ 56| 16| { 57| 16| return 0; 58| 16| } 59| | 60| 26| if (string_start != NULL) ------------------ | Branch (60:7): [True: 25, False: 1] ------------------ 61| 25| { 62| 25| *string_start = payload.as_str; 63| 25| } 64| 26| *offset += len + 1; 65| 26| return len; 66| 42|} tftp.c:tftp_dissect_mode: 70| 4|{ /* Parses the transfer-mode string at *offset and checks it against valid_modes. Returns 0 when an entry matched and 1 when the string is missing/empty or nothing matched; the caller excludes the flow on a non-zero result. */ 71| 4| static char const * const valid_modes[] = { 72| 4| "netascii", "octet", "mail" 73| 4| }; 74| 4| char const * string_start; 75| 4| size_t string_length = tftp_dissect_szstr(packet, offset, &string_start); 76| 4| size_t i; 77| | 78| 4| if (string_length == 0) ------------------ | Branch (78:7): [True: 2, False: 2] ------------------ 79| 2| { 80| 2| return 1; 81| 2| } 82| | 83| 8| for (i = 0; i < NDPI_ARRAY_LENGTH(valid_modes); ++i) ------------------ | | 132| 8|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (83:15): [True: 6, False: 2] ------------------ 84| 6| { /* NOTE(review): only string_length bytes are compared, so a string that is a case-insensitive prefix of an entry (constructed example: "oct") also matches; if exact matching is intended, additionally require string_length == strlen(valid_modes[i]). The match branch below has 0 hits in this report, so the accept path is not exercised by this run. */ 85| 6| if (strncasecmp(string_start, valid_modes[i], string_length) == 0) ------------------ | Branch (85:9): [True: 0, False: 6] ------------------ 86| 
0| { 87| 0| break; 88| 0| } 89| 6| } 90| | /* i equals the array length only when the loop ran to completion without a match. */ 91| 2| return i == NDPI_ARRAY_LENGTH(valid_modes); ------------------ | | 132| 2|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ 92| 4|} tftp.c:tftp_dissect_options: 96| 3|{ /* Walks option name/value string pairs starting at *offset. The loop stops at the first pair that fails to parse, at an option name not in valid_options, or at a repeated option. Returns 0 only when *offset ended exactly at the end of the payload, non-zero otherwise. */ 97| 3| static char const * const valid_options[] = { 98| 3| "blksize", "tsize" 99| 3| }; 100| 3| uint8_t options_used[NDPI_ARRAY_LENGTH(valid_options)] = {0, 0}; 101| 3| size_t i; 102| | 103| 3| do { 104| 3| char const * string_start; 105| 3| size_t string_length = tftp_dissect_szstr(packet, offset, &string_start); 106| | /* Both calls advance *offset on success: the first consumes the option name, the second the value, which is length-checked but otherwise ignored. */ 107| 3| if (string_length == 0 || ------------------ | Branch (107:9): [True: 1, False: 2] ------------------ 108| 2| tftp_dissect_szstr(packet, offset, NULL) == 0 /* value, not interested */) ------------------ | Branch (108:9): [True: 1, False: 1] ------------------ 109| 2| { 110| 2| break; 111| 2| } 112| | 113| 3| for (i = 0; i < NDPI_ARRAY_LENGTH(valid_options); ++i) ------------------ | | 132| 3|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (113:17): [True: 2, False: 1] ------------------ 114| 2| { /* NOTE(review): same prefix comparison as in tftp_dissect_mode; a name shorter than the entry matches if it is a case-insensitive prefix of it. */ 115| 2| if (strncasecmp(string_start, valid_options[i], string_length) == 0) ------------------ | Branch (115:11): [True: 0, False: 2] ------------------ 116| 0| { 117| 0| break; 118| 0| } 119| 2| } 120| | /* The || short-circuit keeps options_used[i] from being read when i is the array length, so the index stays in bounds. NOTE(review): by this point *offset has already moved past the name/value pair, so an unknown or duplicate option that ends exactly at the end of the payload still makes the function return 0; confirm that this is intended. */ 121| 1| if (i == NDPI_ARRAY_LENGTH(valid_options) /* option not found in valid_options */ || ------------------ | | 132| 2|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ | Branch (121:9): [True: 1, False: 0] ------------------ 122| 0| options_used[i] != 0 /* duplicate options are not allowed */) ------------------ | Branch (122:9): [True: 0, False: 0] ------------------ 123| 1| { 124| 1| break; 125| 1| } 126| | 127| 0| options_used[i] = 1; 128| 0| } while (1); ------------------ | Branch (128:12): [True: 0, Folded] ------------------ 129| | 130| 3| return *offset != packet->payload_packet_len; 131| 
3|} init_threema_dissector: 93| 7.08k|{ 94| 7.08k| ndpi_register_dissector("Threema", ndpi_struct, 95| 7.08k| ndpi_search_threema, 96| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 97| 7.08k| 1, NDPI_PROTOCOL_THREEMA); 98| 7.08k|} threema.c:ndpi_search_threema: 40| 11.7k|{ 41| 11.7k| struct ndpi_packet_struct *packet = 
&ndpi_struct->packet; 42| | 43| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search Threema\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 11.7k| if (ntohs(packet->tcp->source) != 5222 && ntohs(packet->tcp->dest) != 5222) { ------------------ | Branch (45:7): [True: 11.7k, False: 24] | Branch (45:45): [True: 11.7k, False: 5] ------------------ 46| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 47| 11.7k| return; 48| 11.7k| } 49| | 50| 29| switch (flow->packet_counter) 51| 29| { 52| 29| case 1: ------------------ | Branch (52:5): [True: 29, False: 0] ------------------ 53| 29| if (packet->payload_packet_len != 48) ------------------ | Branch (53:11): [True: 29, False: 0] ------------------ 54| 29| { 55| 29| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 29|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 29| } 57| 29| return; 58| 0| case 2: ------------------ | Branch (58:5): [True: 0, False: 29] ------------------ 59| 0| if (packet->payload_packet_len != 80) ------------------ | Branch (59:11): [True: 0, False: 0] ------------------ 60| 0| { 61| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 0| } 63| 0| return; 64| 0| case 3: ------------------ | Branch (64:5): [True: 0, False: 29] ------------------ 65| 0| if (packet->payload_packet_len != 191) ------------------ | Branch (65:11): [True: 0, False: 0] ------------------ 66| 0| { 67| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 
0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 68| 0| } 69| 0| return; 70| 0| case 4: ------------------ | Branch (70:5): [True: 0, False: 29] ------------------ 71| 0| return; // packet length varies 72| 0| default: ------------------ | Branch (72:5): [True: 0, False: 29] ------------------ 73| 0| break; 74| 29| } 75| | 76| 0| if (packet->payload_packet_len < 2) ------------------ | Branch (76:7): [True: 0, False: 0] ------------------ 77| 0| { 78| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 79| 0| return; 80| 0| } 81| | 82| 0| uint16_t len = le16toh(get_u_int16_t(packet->payload, 0)); 83| 0| if (len + 2 != packet->payload_packet_len) ------------------ | Branch (83:7): [True: 0, False: 0] ------------------ 84| 0| { 85| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 86| 0| return; 87| 0| } 88| | 89| 0| ndpi_int_threema_add_connection(ndpi_struct, flow); 90| 0|} init_apache_thrift_dissector: 259| 7.08k|{ 260| 7.08k| ndpi_register_dissector("Thrift", ndpi_struct, 261| 7.08k| ndpi_search_thrift_tcp_udp, 262| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 263| 7.08k| 1, NDPI_PROTOCOL_APACHE_THRIFT); 264| 7.08k|} thrift.c:ndpi_search_thrift_tcp_udp: 206| 15.9k|{ 207| 15.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 208| | 209| 15.9k| NDPI_LOG_DBG(ndpi_struct, "search Apache Thrift\n"); ------------------ | | 596| 15.9k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 210| | 211| 15.9k| if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP || ------------------ | Branch (211:7): [True: 646, False: 15.3k] ------------------ 212| 15.3k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_HTTP) ------------------ | Branch (212:7): [True: 253, False: 15.0k] ------------------ 213| 899| { 214| | /* Check Thrift over HTTP */ 215| 899| if (packet->content_line.ptr != NULL) ------------------ | Branch (215:9): [True: 47, False: 852] ------------------ 216| 47| { 217| 47| if ((LINE_ENDS(packet->content_line, "application/vnd.apache.thrift.binary") != 0) || ------------------ | | 81| 47| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 28, False: 19] | | ------------------ | | 82| 47| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 28] | | ------------------ | | 83| 28| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 28| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (217:11): [True: 0, False: 47] ------------------ 218| 47| (LINE_ENDS(packet->content_line, "application/vnd.apache.thrift.compact") != 0) || ------------------ | | 81| 47| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 28, False: 19] | | ------------------ | | 82| 47| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 0, False: 28] | | ------------------ | | 83| 28| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 28| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (218:11): [True: 0, False: 47] ------------------ 219| 47| (LINE_ENDS(packet->content_line, "application/vnd.apache.thrift.json") != 0)) ------------------ | | 81| 47| 
((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (81:4): [True: 28, False: 19] | | ------------------ | | 82| 47| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 1, False: 27] | | ------------------ | | 83| 28| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 28| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (219:11): [True: 1, False: 46] ------------------ 220| 1| { 221| 1| NDPI_LOG_INFO(ndpi_struct, "found Apache Thrift over HTTP\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 222| 1| ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); 223| 1| return; 224| 1| } 225| 47| } 226| 15.0k| } else if (packet->payload_packet_len >= sizeof(struct thrift_compact_hdr)) { ------------------ | Branch (226:14): [True: 14.2k, False: 883] ------------------ 227| 14.2k| const union { 228| 14.2k| uint8_t const * const raw_ptr; 229| 14.2k| struct thrift_strict_hdr const * const strict_hdr; 230| 14.2k| struct thrift_compact_hdr const * const compact_hdr; 231| 14.2k| } thrift_data = { .raw_ptr = &packet->payload[0] }; 232| | 233| 14.2k| if (thrift_data.raw_ptr[0] == 0x80) ------------------ | Branch (233:9): [True: 847, False: 13.3k] ------------------ 234| 847| { 235| | /* Strict Binary Protocol */ 236| 847| if (packet->payload_packet_len < sizeof(*thrift_data.strict_hdr)) ------------------ | Branch (236:11): [True: 2, False: 845] ------------------ 237| 2| { 238| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 239| 2| return; 240| 2| } 241| | 242| 845| ndpi_dissect_strict_hdr(ndpi_struct, flow, thrift_data.strict_hdr); 243| 845| return; 244| 
13.3k| } else if (thrift_data.raw_ptr[0] == 0x82) { ------------------ | Branch (244:16): [True: 14, False: 13.3k] ------------------ 245| | /* Compact Protocol */ 246| 14| ndpi_dissect_compact_hdr(ndpi_struct, flow, thrift_data.compact_hdr); 247| 14| return; 248| 13.3k| } else { 249| | /* Probably not Apache Thrift. */ 250| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 251| 13.3k| return; 252| 13.3k| } 253| 14.2k| } 254| | 255| 1.78k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1.78k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 256| 1.78k|} thrift.c:ndpi_int_thrift_add_connection: 77| 10|{ 78| 10| switch (master_protocol) ------------------ | Branch (78:11): [True: 10, False: 0] ------------------ 79| 10| { 80| 9| case NDPI_PROTOCOL_UNKNOWN: ------------------ | Branch (80:5): [True: 9, False: 1] ------------------ 81| 9| NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift TCP/UDP\n"); ------------------ | | 596| 9|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 82| 9| break; 83| 1| case NDPI_PROTOCOL_HTTP: ------------------ | Branch (83:5): [True: 1, False: 9] ------------------ 84| 1| NDPI_LOG_DBG(ndpi_struct, "found Apache Thrift HTTP\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ }
------------------
85| 1| break;
86| 10| }
87| |
88| 10| ndpi_set_detected_protocol(ndpi_struct, flow,
89| 10| NDPI_PROTOCOL_APACHE_THRIFT, master_protocol,
90| 10| NDPI_CONFIDENCE_DPI);
91| 10|}
/*
 * ndpi_dissect_strict_hdr: checks a strict-binary Thrift header (TCP only,
 * declared method length against the payload length, version, message type).
 * When every check passes it records the detection, then stores the method
 * name and the message type on the flow.
 */
thrift.c:ndpi_dissect_strict_hdr:
142| 845|{
143| 845| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
/* method_length is taken directly from the packet header (network byte order). */
144| 845| const size_t method_length = ntohl(strict_hdr->method_length);
145| |
146| 845| if (packet->tcp == NULL) {
------------------
| Branch (146:7): [True: 54, False: 791]
------------------
147| 54| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 54|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
148| 54| return;
149| 54| }
150| |
/*
 * NOTE(review): the sum below is computed in size_t. Where size_t is 32 bits,
 * a method_length close to UINT32_MAX would wrap the sum and let an oversized
 * length through to thrift_set_method(). Comparing method_length against
 * packet->payload_packet_len - sizeof(*strict_hdr) avoids the wrap; the caller
 * shown in this report already rejects payloads shorter than the strict
 * header before calling this function.
 */
151| 791| if (packet->payload_packet_len < sizeof(*strict_hdr) + method_length) {
------------------
| Branch (151:7): [True: 785, False: 6]
------------------
152| 785| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 785|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
153| 785| return;
154| 785| }
155| |
156| 6| if (thrift_validate_version(strict_hdr->version) == 0) {
------------------
| Branch (156:7): [True: 2, False: 4]
------------------
157| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
158| 2| return;
159| 2| }
160| |
161| 4| if (thrift_validate_type(strict_hdr->message_type) == 0) {
------------------
| Branch (161:7): [True: 1, False: 3]
------------------
162| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
163| 1| return;
164| 1| }
165| |
166| 3| ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
167| |
168| 3| thrift_set_method(ndpi_struct, flow, strict_hdr->method, method_length);
169| 3| thrift_set_type(ndpi_struct, flow, strict_hdr->message_type);
170| 3|}
/* thrift_validate_version: non-zero when version is 0x00 or 0x01. */
thrift.c:thrift_validate_version:
104| 17|{
105| 17| return version <= 0x01;
106| 17|}
/* thrift_validate_type: non-zero when message_type is below TMT_TYPE_MAX. */
thrift.c:thrift_validate_type:
109| 11|{
110| 11| return message_type < TMT_TYPE_MAX;
111| 11|}
/*
 * thrift_set_method: stores the method name on the flow. A name that fails
 * thrift_validate_method() raises NDPI_INVALID_CHARACTERS and leaves an empty
 * string instead.
 */
thrift.c:thrift_set_method:
116| 9|{
117| 9| if (thrift_validate_method(method, method_length) == 0) {
------------------
| Branch (117:7): [True: 6, False: 3]
------------------
118| 6| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, "Invalid method name");
119| 6| flow->protos.thrift.method[0] = '\0';
120| 6| } else {
/*
 * NOTE(review): strncpy() writes no terminator when the source has no NUL
 * within the copied length. The length here is min(sizeof(method),
 * method_length), so a method_length >= sizeof(method) fills the whole field
 * without a '\0'; shorter names stay terminated only if the field was already
 * zeroed (not shown here, confirm). The TiVoConnect dissector in this report
 * copies at most sizeof(field) - 1 bytes and writes the '\0' explicitly.
 * The ndpi_min branch count below (True: 0) shows that sizeof(method) <
 * method_length never occurred in this run, so truncation was not exercised.
 */
121| 3| strncpy(flow->protos.thrift.method, method, ndpi_min(sizeof(flow->protos.thrift.method), method_length));
------------------
| | 113| 3|#define ndpi_min(a,b) ((a < b) ? a : b)
| | ------------------
| | | Branch (113:26): [True: 0, False: 3]
| | ------------------
------------------
122| 3| }
123| 9|}
/*
 * thrift_validate_method: returns the result of ndpi_is_printable_buffer()
 * over method_length bytes of the method name; the union only reinterprets
 * the char pointer as a uint8_t pointer.
 */
thrift.c:thrift_validate_method:
94| 9|{
95| 9| const union {
96| 9| uint8_t const * const ptr;
97| 9| char const * const str;
98| 9| } m = { .str = method };
99| |
100| 9| return ndpi_is_printable_buffer(m.ptr, method_length);
101| 9|}
/*
 * thrift_set_type: stores message_type on the flow; raises
 * NDPI_MALFORMED_PACKET for TMT_INVALID_TMESSAGE_TYPE and
 * NDPI_ERROR_CODE_DETECTED for TMT_EXCEPTION.
 */
thrift.c:thrift_set_type:
128| 9|{
129| 9| if (message_type == TMT_INVALID_TMESSAGE_TYPE) {
------------------
| Branch (129:7): [True: 6, False: 3]
------------------
130| 6| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid message type");
131| 6| }
132| 9| flow->protos.thrift.message_type = message_type;
133| |
134| 9| if (message_type == TMT_EXCEPTION) {
------------------
| Branch (134:7): [True: 1, False: 8]
------------------
135| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_ERROR_CODE_DETECTED, "Apache Thrift Exception");
136| 1| }
137| 9|}
thrift.c:ndpi_dissect_compact_hdr:
175| 14|{
176| 14| struct
ndpi_packet_struct const * const packet = &ndpi_struct->packet; 177| | 178| 14| if (packet->udp == NULL) { ------------------ | Branch (178:7): [True: 1, False: 13] ------------------ 179| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 180| 1| return; 181| 1| } 182| | 183| 13| if (packet->payload_packet_len < sizeof(*compact_hdr) + compact_hdr->method_length) { ------------------ | Branch (183:7): [True: 2, False: 11] ------------------ 184| 2| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 185| 2| return; 186| 2| } 187| | 188| 11| if (thrift_validate_version(compact_hdr->version) == 0) { ------------------ | Branch (188:7): [True: 4, False: 7] ------------------ 189| 4| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 190| 4| return; 191| 4| } 192| | 193| 7| if (thrift_validate_type(compact_hdr->message_type) == 0) { ------------------ | Branch (193:7): [True: 1, False: 6] ------------------ 194| 1| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 1|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 195| 1| return; 196| 1| } 197| | 198| 6| ndpi_int_thrift_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 199| | 200| 6| thrift_set_method(ndpi_struct, flow, compact_hdr->method, compact_hdr->method_length); 201| 6| thrift_set_type(ndpi_struct, flow, compact_hdr->message_type); 202| 6|} init_tinc_dissector: 145| 7.08k|{ 146| 7.08k| 
ndpi_register_dissector("TINC", ndpi_struct, 147| 7.08k| ndpi_search_tinc, 148| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, /* TODO: IPv6? */ ------------------ | | 647| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 618| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 604| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IP (1<<0) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 149| 7.08k| 1, NDPI_PROTOCOL_TINC); 150| 7.08k|} tinc.c:ndpi_search_tinc: 136| 16.4k|static void ndpi_search_tinc(struct ndpi_detection_module_struct* ndpi_struct, struct 
ndpi_flow_struct* flow) {
137| 16.4k| NDPI_LOG_DBG(ndpi_struct, "tinc detection\n");
------------------
| | 596| 16.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ }
------------------
138| |
/* Only run the check while the flow is not already classified as TINC. */
139| 16.4k| if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_TINC) {
------------------
| Branch (139:6): [True: 16.4k, False: 0]
------------------
140| 16.4k| ndpi_check_tinc(ndpi_struct, flow);
141| 16.4k| }
142| 16.4k|}
/*
 * ndpi_check_tinc: on UDP, tries to remove the packet's (src, dst, dst_port)
 * tuple, in both directions, from ndpi_struct->tinc_cache and marks the flow
 * as TINC when either removal succeeds. On TCP, matches the payload against
 * the line formats checked below and advances flow->tinc_state on a match.
 */
tinc.c:ndpi_check_tinc:
36| 16.4k|{
37| 16.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet;
38| 16.4k| const u_int8_t *packet_payload = packet->payload;
39| 16.4k| u_int32_t payload_len = packet->payload_packet_len;
40| |
41| 16.4k| if(packet->udp != NULL) {
------------------
| Branch (41:6): [True: 3.13k, False: 13.3k]
------------------
/*
 * NOTE(review): tinc_cache was NULL on all 3.13k UDP calls in this run, so
 * lines 43-66 carry 0 counts and the cache-hit path is unexercised.
 */
42| 3.13k| if(ndpi_struct->tinc_cache != NULL) {
------------------
| Branch (42:8): [True: 0, False: 3.13k]
------------------
/*
 * NOTE(review): packet->iph is dereferenced without a NULL check. The
 * dissector is registered with the TCP_OR_UDP selection mask (tagged
 * "TODO: IPv6?" at registration); presumably iph is always set under that
 * mask, confirm before widening it to IPv6.
 * NOTE(review): the entries are handed to cache_remove() by address and
 * sizeof; if the cache compares raw bytes, struct padding would be part of
 * the key, so confirm that struct tinc_cache_entry has none.
 */
43| 0| struct tinc_cache_entry tinc_cache_entry1 = {
44| 0| .src_address = packet->iph->saddr,
45| 0| .dst_address = packet->iph->daddr,
46| 0| .dst_port = packet->udp->dest
47| 0| };
48| |
49| 0| struct tinc_cache_entry tinc_cache_entry2 = {
50| 0| .src_address = packet->iph->daddr,
51| 0| .dst_address = packet->iph->saddr,
52| 0| .dst_port = packet->udp->source
53| 0| };
54| |
55| 0| if(cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry1, sizeof(tinc_cache_entry1)) == CACHE_NO_ERROR ||
------------------
| Branch (55:10): [True: 0, False: 0]
------------------
56| 0| cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry2, sizeof(tinc_cache_entry2)) == CACHE_NO_ERROR) {
------------------
| Branch (56:3): [True: 0, False: 0]
------------------
57| |
/* The || above short-circuits, so both removals are repeated here to cover the entry the condition may not have tried. */
58| 0| cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry1, sizeof(tinc_cache_entry1));
59| 0| cache_remove(ndpi_struct->tinc_cache, &tinc_cache_entry2, sizeof(tinc_cache_entry2));
60| |
61| | /* cache_free(ndpi_struct->tinc_cache); */
62| |
63| 0| NDPI_LOG_INFO(ndpi_struct, "found tinc udp
connection\n");
------------------
| | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ }
------------------
64| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI_CACHE);
65| 0| }
66| 0| }
67| |
68| 3.13k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 3.13k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
69| 3.13k| return;
70| 13.3k| } else if(packet->tcp != NULL) {
------------------
| Branch (70:13): [True: 13.3k, False: 0]
------------------
71| |
72| 13.3k| switch(flow->tinc_state) {
73| 13.3k| case 0:
------------------
| Branch (73:5): [True: 13.3k, False: 0]
------------------
74| 13.3k| case 1:
------------------
| Branch (74:5): [True: 0, False: 13.3k]
------------------
/*
 * States 0/1: the payload must start with "0 " followed by a non-space byte.
 * The scan on line 77 stops just past the next space or at the end of the
 * payload, and the memcmp on line 78 is reached only when exactly 3 bytes
 * remain, so both reads stay inside payload_len.
 */
75| 13.3k| if(payload_len > 6 && memcmp(packet_payload, "0 ", 2) == 0 && packet_payload[2] != ' ') {
------------------
| Branch (75:10): [True: 12.5k, False: 789]
| Branch (75:29): [True: 9, False: 12.5k]
| Branch (75:69): [True: 8, False: 1]
------------------
76| 8| u_int32_t i = 3;
77| 524| while(i < payload_len && packet_payload[i++] != ' ');
------------------
| Branch (77:8): [True: 521, False: 3]
| Branch (77:27): [True: 516, False: 5]
------------------
78| 8| if(i+3 == payload_len && memcmp((packet_payload+i), "17\n", 3) == 0) {
------------------
| Branch (78:5): [True: 0, False: 8]
| Branch (78:27): [True: 0, False: 0]
------------------
79| 0| flow->tinc_state++;
80| 0| return;
81| 0| }
82| 8| }
83| 13.3k| break;
84| |
/*
 * NOTE(review): line 79 has a 0 count, so no input in this run advanced
 * tinc_state past 0; the state 2/3 parser that starts here is unexercised by
 * this corpus.
 */
85| 13.3k| case 2:
------------------
| Branch (85:5): [True: 0, False: 13.3k]
------------------
86| 0| case 3:
------------------
| Branch (86:5): [True: 0, False: 13.3k]
------------------
87| 0| if(payload_len > 11 && memcmp(packet_payload, "1 ", 2) == 0 && packet_payload[2] != ' ') {
------------------
| Branch (87:10): [True: 0, False: 0]
| Branch
(87:30): [True: 0, False: 0] | Branch (87:70): [True: 0, False: 0] ------------------ 88| 0| u_int16_t i = 3; 89| 0| u_int8_t numbers_left = 4; 90| 0| while(numbers_left) { ------------------ | Branch (90:8): [True: 0, False: 0] ------------------ 91| 0| while(i < payload_len && packet_payload[i] >= '0' && packet_payload[i] <= '9') { ------------------ | Branch (91:10): [True: 0, False: 0] | Branch (91:29): [True: 0, False: 0] | Branch (91:57): [True: 0, False: 0] ------------------ 92| 0| i++; 93| 0| } 94| | 95| 0| if(i < payload_len && packet_payload[i++] == ' ') { ------------------ | Branch (95:7): [True: 0, False: 0] | Branch (95:26): [True: 0, False: 0] ------------------ 96| 0| numbers_left--; 97| 0| } 98| 0| else break; 99| 0| } 100| | 101| 0| if(numbers_left) break; ------------------ | Branch (101:5): [True: 0, False: 0] ------------------ 102| | 103| 0| while(i < payload_len && ------------------ | Branch (103:8): [True: 0, False: 0] ------------------ 104| 0| ((packet_payload[i] >= '0' && packet_payload[i] <= '9') || ------------------ | Branch (104:10): [True: 0, False: 0] | Branch (104:38): [True: 0, False: 0] ------------------ 105| 0| (packet_payload[i] >= 'A' && packet_payload[i] <= 'Z'))) { ------------------ | Branch (105:10): [True: 0, False: 0] | Branch (105:38): [True: 0, False: 0] ------------------ 106| 0| i++; 107| 0| } 108| | 109| 0| if(i < payload_len && packet_payload[i] == '\n') { ------------------ | Branch (109:5): [True: 0, False: 0] | Branch (109:24): [True: 0, False: 0] ------------------ 110| 0| if(++flow->tinc_state > 3) { ------------------ | Branch (110:7): [True: 0, False: 0] ------------------ 111| 0| struct tinc_cache_entry tinc_cache_entry = { 112| 0| .src_address = flow->c_address.v4, 113| 0| .dst_address = flow->s_address.v4, 114| 0| .dst_port = flow->s_port, 115| 0| }; 116| | 117| 0| if(ndpi_struct->tinc_cache == NULL) ------------------ | Branch (117:9): [True: 0, False: 0] ------------------ 118| 0| 
ndpi_struct->tinc_cache = cache_new(TINC_CACHE_MAX_SIZE); ------------------ | | 697| 0|#define TINC_CACHE_MAX_SIZE 10 ------------------ 119| | 120| 0| cache_add(ndpi_struct->tinc_cache, &tinc_cache_entry, sizeof(tinc_cache_entry)); 121| 0| NDPI_LOG_INFO(ndpi_struct, "found tinc tcp connection\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 122| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 123| 0| } 124| 0| return; 125| 0| } 126| 0| } 127| 0| break; 128| | 129| 0| default: break; ------------------ | Branch (129:5): [True: 0, False: 13.3k] ------------------ 130| 13.3k| } 131| 13.3k| } 132| | 133| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 134| 13.3k|} init_tivoconnect_dissector: 137| 7.08k|{ 138| 7.08k| ndpi_register_dissector("TiVoConnect", ndpi_struct, 139| 7.08k| ndpi_search_tivoconnect, 140| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 141| 7.08k| 1, NDPI_PROTOCOL_TIVOCONNECT); 142| 7.08k|} tivoconnect.c:ndpi_search_tivoconnect: 118| 15.1k|{ 119| 15.1k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 120| | 121| 15.1k| NDPI_LOG_INFO(ndpi_struct, "search tivoconnect\n"); ------------------ | | 595| 15.1k|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 122| | 123| 15.1k| if (packet->payload_packet_len >= NDPI_STATICSTRING_LEN("tivoconnect=") && ------------------ | | 98| 30.2k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (123:7): [True: 14.0k, False: 1.03k] ------------------ 124| 14.0k| strncasecmp((char const *)packet->payload, ------------------ | Branch (124:7): [True: 11, False: 14.0k] ------------------ 125| 14.0k| "tivoconnect=", NDPI_STATICSTRING_LEN("tivoconnect=")) == 0) ------------------ | | 98| 14.0k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 126| 11| { 127| 11| ndpi_int_tivoconnect_add_connection(ndpi_struct, flow); 128| 15.0k| } else { 129| 15.0k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 15.0k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 130| 15.0k| return; 131| 15.0k| } 132| | 133| 11| dissect_tivoconnect_data(ndpi_struct, flow); 134| 11|} tivoconnect.c:ndpi_int_tivoconnect_add_connection: 31| 11|{ 32| 11| NDPI_LOG_INFO(ndpi_struct, "found tivoconnect\n"); ------------------ | | 595| 11|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 33| 11| ndpi_set_detected_protocol(ndpi_struct, flow, 34| 11| NDPI_PROTOCOL_TIVOCONNECT, 35| 11| NDPI_PROTOCOL_UNKNOWN, 36| 11| NDPI_CONFIDENCE_DPI); 37| 11|} tivoconnect.c:dissect_tivoconnect_data: 41| 11|{ 42| 11| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 43| 11| char const * const payload = (char const *)packet->payload; 44| 11| size_t const payload_len = packet->payload_packet_len; 45| 11| char const *key = payload; 46| 11| char const *newline; 47| | 48| 11| for (newline = ndpi_strnstr(payload, "\n", payload_len); 49| 121| newline != NULL; ------------------ | Branch (49:8): [True: 110, False: 11] ------------------ 50| 110| key = ++newline, 51| 110| newline = ndpi_strnstr(newline, "\n", payload_len - (newline - payload))) 52| 110| { 53| 110| size_t const line_len = newline - key; 54| 110| char const *value = ndpi_strnstr(key, "=", line_len); 55| | 56| 110| if (value == NULL) ------------------ | Branch (56:9): [True: 94, False: 16] ------------------ 57| 94| { 58| 94| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Missing value type in TiViConnect beacon"); 59| 94| continue; 60| 94| } 61| 16| value++; 62| | 63| 16| size_t const key_len = value - 1 - key; 64| 16| size_t const value_len = newline - value; 65| | 66| 16| if (key_len == NDPI_STATICSTRING_LEN("identity") && ------------------ | | 98| 32|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (66:9): [True: 4, False: 12] ------------------ 67| 4| strncasecmp(key, "identity", key_len) == 0) ------------------ | Branch (67:9): [True: 0, False: 4] ------------------ 68| 0| { 69| 0| if (value_len >= NDPI_STATICSTRING_LEN("uuid:") && ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (69:11): [True: 0, False: 0] ------------------ 70| 0| strncasecmp(value, "uuid:", NDPI_STATICSTRING_LEN("uuid:")) == 0) ------------------ | | 
98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (70:11): [True: 0, False: 0] ------------------ 71| 0| { 72| 0| size_t const len = ndpi_min(sizeof(flow->protos.tivoconnect.identity_uuid) - 1, ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 73| 0| value_len - NDPI_STATICSTRING_LEN("uuid:")); 74| 0| strncpy(flow->protos.tivoconnect.identity_uuid, 75| 0| value + NDPI_STATICSTRING_LEN("uuid:"), len); ------------------ | | 98| 0|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ 76| 0| flow->protos.tivoconnect.identity_uuid[len] = '\0'; 77| 0| } 78| 0| continue; 79| 0| } 80| 16| if (key_len == NDPI_STATICSTRING_LEN("machine") && ------------------ | | 98| 32|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (80:9): [True: 0, False: 16] ------------------ 81| 0| strncasecmp(key, "machine", key_len) == 0) ------------------ | Branch (81:9): [True: 0, False: 0] ------------------ 82| 0| { 83| 0| size_t const len = ndpi_min(sizeof(flow->protos.tivoconnect.machine) - 1, ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 84| 0| value_len); 85| 0| strncpy(flow->protos.tivoconnect.machine, value, len); 86| 0| flow->protos.tivoconnect.machine[len] = '\0'; 87| 0| continue; 88| 0| } 89| 16| if (key_len == NDPI_STATICSTRING_LEN("platform") && ------------------ | | 98| 32|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (89:9): [True: 4, False: 12] ------------------ 90| 4| strncasecmp(key, "platform", key_len) == 0) ------------------ | Branch (90:9): [True: 0, False: 4] ------------------ 91| 0| { 92| 0| size_t const len = ndpi_min(sizeof(flow->protos.tivoconnect.platform) - 1, ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 93| 0| value_len); 94| 0| strncpy(flow->protos.tivoconnect.platform, value, len); 95| 0| flow->protos.tivoconnect.platform[len] = '\0'; 96| 0| continue; 97| 0| } 98| 16| if (key_len == NDPI_STATICSTRING_LEN("services") && ------------------ | | 98| 32|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (98:9): [True: 4, False: 12] ------------------ 99| 4| strncasecmp(key, "services", key_len) == 0) ------------------ | Branch (99:9): [True: 0, False: 4] ------------------ 100| 0| { 101| 0| size_t const len = ndpi_min(sizeof(flow->protos.tivoconnect.services) - 1, ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 102| 0| value_len); 103| 0| strncpy(flow->protos.tivoconnect.services, value, len); 104| 0| flow->protos.tivoconnect.services[len] = '\0'; 105| 0| continue; 106| 0| } 107| 16| } 108| | 109| 11| if ((size_t)(key - payload) != payload_len) ------------------ | Branch (109:7): [True: 11, False: 0] ------------------ 110| 11| { 111| 11| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, 112| 11| "TiViConnect beacon malformed packet"); 113| 11| } 114| 11|} processCertificateElements: 685| 654| u_int16_t p_offset, u_int16_t certificate_len) { 686| 654| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 687| 654| u_int16_t num_found = 0; 688| 654| int32_t i; 689| 654| char buffer[64] = { '\0' }, rdnSeqBuf[2048]; 690| 654| u_int rdn_len = 0; 691| | 692| 654| rdnSeqBuf[0] = '\0'; 693| | 694| |#ifdef DEBUG_TLS 695| | printf("[TLS] %s() [offset: %u][certificate_len: %u]\n", __FUNCTION__, p_offset, certificate_len); 696| |#endif 697| | 698| | /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ 699| 1.02M| for(i = p_offset; i < certificate_len - 2; i++) { ------------------ | Branch (699:21): [True: 1.02M, False: 645] ------------------ 700| | /* 701| | See https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009860_.htm 702| | for X.509 certificate labels 703| | */ 704| 1.02M| if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03)) { ------------------ | Branch (704:8): [True: 14.8k, False: 1.01M] | Branch (704:40): [True: 6.01k, False: 8.88k] | Branch (704:74): [True: 1.34k, False: 4.66k] ------------------ 705| | /* Common Name */ 706| 1.34k| int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "CN"); 707| 1.34k| if(rc == -1) break; ------------------ | Branch (707:10): [True: 0, False: 1.34k] 
------------------ 708| | 709| |#ifdef DEBUG_TLS 710| | printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Common Name", buffer); 711| |#endif 712| 1.02M| } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x06)) { ------------------ | Branch (712:15): [True: 13.5k, False: 1.01M] | Branch (712:47): [True: 4.66k, False: 8.88k] | Branch (712:81): [True: 906, False: 3.75k] ------------------ 713| | /* Country */ 714| 906| int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "C"); 715| 906| if(rc == -1) break; ------------------ | Branch (715:10): [True: 1, False: 905] ------------------ 716| | 717| |#ifdef DEBUG_TLS 718| | printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Country", buffer); 719| |#endif 720| 1.02M| } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x07)) { ------------------ | Branch (720:15): [True: 12.6k, False: 1.01M] | Branch (720:47): [True: 3.75k, False: 8.88k] | Branch (720:81): [True: 838, False: 2.91k] ------------------ 721| | /* Locality */ 722| 838| int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "L"); 723| 838| if(rc == -1) break; ------------------ | Branch (723:10): [True: 1, False: 837] ------------------ 724| | 725| |#ifdef DEBUG_TLS 726| | printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? 
"Subject" : "Issuer", "Locality", buffer); 727| |#endif 728| 1.02M| } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x08)) { ------------------ | Branch (728:15): [True: 11.8k, False: 1.01M] | Branch (728:47): [True: 2.91k, False: 8.88k] | Branch (728:81): [True: 1.06k, False: 1.85k] ------------------ 729| | /* State or Province */ 730| 1.06k| int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "ST"); 731| 1.06k| if(rc == -1) break; ------------------ | Branch (731:10): [True: 4, False: 1.06k] ------------------ 732| | 733| |#ifdef DEBUG_TLS 734| | printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "State or Province", buffer); 735| |#endif 736| 1.02M| } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0a)) { ------------------ | Branch (736:15): [True: 10.7k, False: 1.01M] | Branch (736:47): [True: 1.85k, False: 8.88k] | Branch (736:81): [True: 972, False: 881] ------------------ 737| | /* Organization Name */ 738| 972| int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "O"); 739| 972| if(rc == -1) break; ------------------ | Branch (739:10): [True: 2, False: 970] ------------------ 740| | 741| |#ifdef DEBUG_TLS 742| | printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? 
"Subject" : "Issuer", "Organization Name", buffer); 743| |#endif 744| | 745| 1.02M| } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x0b)) { ------------------ | Branch (745:15): [True: 9.76k, False: 1.01M] | Branch (745:47): [True: 881, False: 8.88k] | Branch (745:81): [True: 801, False: 80] ------------------ 746| | /* Organization Unit */ 747| 801| int rc = extractRDNSequence(packet, i, buffer, sizeof(buffer), rdnSeqBuf, &rdn_len, sizeof(rdnSeqBuf), "OU"); 748| 801| if(rc == -1) break; ------------------ | Branch (748:10): [True: 1, False: 800] ------------------ 749| | 750| |#ifdef DEBUG_TLS 751| | printf("[TLS] %s() [%s][%s: %s]\n", __FUNCTION__, (num_found == 0) ? "Subject" : "Issuer", "Organization Unit", buffer); 752| |#endif 753| 1.02M| } else if((packet->payload[i] == 0x30) && (packet->payload[i+1] == 0x1e) && (packet->payload[i+2] == 0x17)) { ------------------ | Branch (753:15): [True: 32.1k, False: 991k] | Branch (753:47): [True: 635, False: 31.4k] | Branch (753:81): [True: 622, False: 13] ------------------ 754| | /* Certificate Validity */ 755| 622| u_int offset = i+4; 756| | 757| 622| if(num_found == 0) { ------------------ | Branch (757:10): [True: 463, False: 159] ------------------ 758| 463| num_found++; 759| | 760| |#ifdef DEBUG_TLS 761| | printf("[TLS] %s() IssuerDN [%s]\n", __FUNCTION__, rdnSeqBuf); 762| |#endif 763| | 764| 463| if(rdn_len && (flow->protos.tls_quic.issuerDN == NULL) && ------------------ | Branch (764:5): [True: 429, False: 34] | Branch (764:16): [True: 429, False: 0] ------------------ 765| 429| ndpi_struct->cfg.tls_cert_issuer_enabled) { ------------------ | Branch (765:5): [True: 429, False: 0] ------------------ 766| 429| flow->protos.tls_quic.issuerDN = ndpi_strdup(rdnSeqBuf); 767| 429| if(ndpi_normalize_printable_string(rdnSeqBuf, rdn_len) == 0) { ------------------ | Branch (767:7): [True: 0, False: 429] ------------------ 768| 0| 
if(is_flowrisk_info_enabled(ndpi_struct, NDPI_INVALID_CHARACTERS)) { ------------------ | Branch (768:9): [True: 0, False: 0] ------------------ 769| 0| char str[64]; 770| 0| snprintf(str, sizeof(str), "Invalid issuerDN %s", flow->protos.tls_quic.issuerDN); 771| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, str); 772| 0| } else { 773| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, NULL); 774| 0| } 775| 0| } 776| 429| } 777| | 778| 463| rdn_len = 0; /* Reset buffer */ 779| 463| } 780| | 781| 622| if(i + 3 < certificate_len && ------------------ | Branch (781:10): [True: 621, False: 1] ------------------ 782| 621| (offset+packet->payload[i+3]) < packet->payload_packet_len && ------------------ | Branch (782:3): [True: 617, False: 4] ------------------ 783| 617| ndpi_struct->cfg.tls_cert_validity_enabled) { ------------------ | Branch (783:3): [True: 617, False: 0] ------------------ 784| 617| char utcDate[32]; 785| 617| u_int8_t len = packet->payload[i+3]; 786| | 787| |#ifdef DEBUG_TLS 788| | u_int j; 789| | 790| | printf("[CERTIFICATE] notBefore [len: %u][", len); 791| | for(j=0; jpayload[i+4+j]); 792| | printf("]\n"); 793| |#endif 794| | 795| 617| if(len < (sizeof(utcDate)-1)) { ------------------ | Branch (795:5): [True: 550, False: 67] ------------------ 796| 550| struct tm utc; 797| 550| utc.tm_isdst = -1; /* Not set by strptime */ 798| | 799| 550| strncpy(utcDate, (const char*)&packet->payload[i+4], len); 800| 550| utcDate[len] = '\0'; 801| | 802| | /* 141021000000Z */ 803| 550| if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { ------------------ | Branch (803:7): [True: 490, False: 60] ------------------ 804| 490| flow->protos.tls_quic.notBefore = timegm(&utc); 805| |#ifdef DEBUG_TLS 806| | printf("[CERTIFICATE] notBefore %u [%s]\n", 807| | flow->protos.tls_quic.notBefore, utcDate); 808| |#endif 809| 490| } 810| 550| } 811| | 812| 617| offset += len; 813| | 814| 617| if((offset+1) < packet->payload_packet_len) { 
------------------ | Branch (814:5): [True: 617, False: 0] ------------------ 815| 617| len = packet->payload[offset+1]; 816| | 817| 617| offset += 2; 818| | 819| 617| if((offset+len) < packet->payload_packet_len) { ------------------ | Branch (819:7): [True: 607, False: 10] ------------------ 820| 607| u_int32_t time_sec = packet->current_time_ms / 1000; 821| |#ifdef DEBUG_TLS 822| | u_int j; 823| | 824| | printf("[CERTIFICATE] notAfter [len: %u][", len); 825| | for(j=0; jpayload[offset+j]); 826| | printf("]\n"); 827| |#endif 828| | 829| 607| if(len < (sizeof(utcDate)-1)) { ------------------ | Branch (829:9): [True: 524, False: 83] ------------------ 830| 524| struct tm utc; 831| 524| utc.tm_isdst = -1; /* Not set by strptime */ 832| | 833| 524| strncpy(utcDate, (const char*)&packet->payload[offset], len); 834| 524| utcDate[len] = '\0'; 835| | 836| | /* 141021000000Z */ 837| 524| if(strptime(utcDate, "%y%m%d%H%M%SZ", &utc) != NULL) { ------------------ | Branch (837:11): [True: 433, False: 91] ------------------ 838| 433| flow->protos.tls_quic.notAfter = timegm(&utc); 839| |#ifdef DEBUG_TLS 840| | printf("[CERTIFICATE] notAfter %u [%s]\n", 841| | flow->protos.tls_quic.notAfter, utcDate); 842| |#endif 843| 433| } 844| 524| } 845| | 846| 607| if(flow->protos.tls_quic.notBefore > TLS_LIMIT_DATE) ------------------ | | 83| 607|#define TLS_LIMIT_DATE 1598918400 /* From 01/09/2020 TLS certificates lifespan is limited to 13 months */ ------------------ | Branch (846:9): [True: 34, False: 573] ------------------ 847| 34| if((flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) > TLS_THRESHOLD) { ------------------ | | 82| 34|#define TLS_THRESHOLD 34387200 /* Threshold for certificate validity */ ------------------ | Branch (847:11): [True: 24, False: 10] ------------------ 848| 24| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERT_VALIDITY_TOO_LONG)) { ------------------ | Branch (848:13): [True: 24, False: 0] ------------------ 849| 24| char str[64]; 
850| | 851| 24| snprintf(str, sizeof(str), "TLS Cert lasts %u days", 852| 24| (flow->protos.tls_quic.notAfter-flow->protos.tls_quic.notBefore) / 86400); 853| | 854| 24| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, str); /* Certificate validity longer than 13 months */ 855| 24| } else { 856| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERT_VALIDITY_TOO_LONG, NULL); 857| 0| } 858| 24| } 859| | 860| 607| if((time_sec < flow->protos.tls_quic.notBefore) || (time_sec > flow->protos.tls_quic.notAfter)) { ------------------ | Branch (860:9): [True: 88, False: 519] | Branch (860:57): [True: 397, False: 122] ------------------ 861| 485| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_EXPIRED)) { ------------------ | Branch (861:11): [True: 485, False: 0] ------------------ 862| 485| char str[96], b[32], e[32]; 863| 485| struct tm result; 864| 485| time_t theTime; 865| | 866| 485| theTime = flow->protos.tls_quic.notBefore; 867| 485| strftime(b, sizeof(b), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); 868| | 869| 485| theTime = flow->protos.tls_quic.notAfter; 870| 485| strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); 871| | 872| 485| snprintf(str, sizeof(str), "%s - %s", b, e); 873| 485| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */ 874| 485| } else { 875| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, NULL); 876| 0| } 877| 485| } else if((time_sec > flow->protos.tls_quic.notBefore) ------------------ | Branch (877:16): [True: 122, False: 0] ------------------ 878| 122| && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) { ------------------ | Branch (878:12): [True: 29, False: 93] ------------------ 879| 29| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE)) { ------------------ | Branch (879:11): [True: 29, False: 0] ------------------ 880| 29| 
char str[96], b[32], e[32]; 881| 29| struct tm result; 882| 29| time_t theTime; 883| | 884| 29| theTime = flow->protos.tls_quic.notBefore; 885| 29| strftime(b, sizeof(b), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); 886| | 887| 29| theTime = flow->protos.tls_quic.notAfter; 888| 29| strftime(e, sizeof(e), "%d/%b/%Y %H:%M:%S", ndpi_gmtime_r(&theTime, &result)); 889| | 890| 29| snprintf(str, sizeof(str), "%s - %s", b, e); 891| 29| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, str); /* Certificate almost expired */ 892| 29| } else { 893| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE, NULL); 894| 0| } 895| 29| } 896| 607| } 897| 617| } 898| 617| } 899| 1.02M| } else if((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x1d) && (packet->payload[i+2] == 0x11)) { ------------------ | Branch (899:15): [True: 8.96k, False: 1.01M] | Branch (899:47): [True: 4.52k, False: 4.44k] | Branch (899:81): [True: 1.56k, False: 2.95k] ------------------ 900| | /* Organization OID: 2.5.29.17 (subjectAltName) */ 901| 1.56k| u_int8_t matched_name = 0; 902| | 903| | /* If the client hello was not observed or the requested name was missing, there is no need to trigger an alert */ 904| 1.56k| if(flow->host_server_name[0] == '\0') ------------------ | Branch (904:10): [True: 1.20k, False: 358] ------------------ 905| 1.20k| matched_name = 1; 906| | 907| |#ifdef DEBUG_TLS 908| | printf("******* [TLS] Found subjectAltName\n"); 909| |#endif 910| | 911| 1.56k| i += 3 /* skip the initial patten 55 1D 11 */; 912| | 913| | /* skip the first type, 0x04 == BIT STRING, and jump to it's length */ 914| 1.56k| if(i < packet->payload_packet_len && packet->payload[i] == 0x04) i++; else i += 4; /* 4 bytes, with the last byte set to 04 */ ------------------ | Branch (914:10): [True: 1.56k, False: 0] | Branch (914:44): [True: 1.47k, False: 87] ------------------ 915| | 916| 1.56k| if(i < packet->payload_packet_len) { ------------------ | 
Branch (916:10): [True: 1.56k, False: 0] ------------------ 917| 1.56k| i += (packet->payload[i] & 0x80) ? (packet->payload[i] & 0x7F) : 0; /* skip BIT STRING length */ ------------------ | Branch (917:7): [True: 1.16k, False: 401] ------------------ 918| 1.56k| if(i < packet->payload_packet_len) { ------------------ | Branch (918:5): [True: 1.56k, False: 3] ------------------ 919| 1.56k| i += 2; /* skip the second type, 0x30 == SEQUENCE, and jump to it's length */ 920| 1.56k| if(i < packet->payload_packet_len) { ------------------ | Branch (920:7): [True: 1.56k, False: 1] ------------------ 921| 1.56k| i += (packet->payload[i] & 0x80) ? (packet->payload[i] & 0x7F) : 0; /* skip SEQUENCE length */ ------------------ | Branch (921:11): [True: 216, False: 1.34k] ------------------ 922| 1.56k| i++; 923| | 924| 3.95k| while(i < packet->payload_packet_len) { ------------------ | Branch (924:12): [True: 3.95k, False: 1] ------------------ 925| 3.95k| u_int8_t general_name_type = packet->payload[i]; 926| | 927| 3.95k| if((general_name_type == 0x81) /* rfc822Name */ ------------------ | Branch (927:11): [True: 879, False: 3.07k] ------------------ 928| 3.07k| || (general_name_type == 0x82) /* dNSName */ ------------------ | Branch (928:7): [True: 1.34k, False: 1.73k] ------------------ 929| 1.73k| || (general_name_type == 0x87) /* ipAddress */ ------------------ | Branch (929:7): [True: 232, False: 1.50k] ------------------ 930| 3.95k| ) 931| 2.45k| { 932| 2.45k| if((i < (packet->payload_packet_len - 1)) ------------------ | Branch (932:8): [True: 2.45k, False: 1] ------------------ 933| 2.45k| && ((i + packet->payload[i + 1] + 2) < packet->payload_packet_len)) { ------------------ | Branch (933:11): [True: 2.42k, False: 26] ------------------ 934| 2.42k| u_int8_t len = packet->payload[i + 1]; 935| 2.42k| char dNSName[256]; 936| 2.42k| u_int16_t dNSName_len; 937| | 938| 2.42k| i += 2; 939| | 940| | /* The check "len > sizeof(dNSName) - 1" will be always false. 
If we add it, 941| | the compiler is smart enough to detect it and throws a warning */ 942| 2.42k| if((len == 0 /* Looks something went wrong */) ------------------ | Branch (942:10): [True: 27, False: 2.39k] ------------------ 943| 2.39k| || ((i+len) > packet->payload_packet_len)) ------------------ | Branch (943:13): [True: 0, False: 2.39k] ------------------ 944| 27| break; 945| | 946| 2.39k| if(general_name_type == 0x87) { ------------------ | Branch (946:10): [True: 227, False: 2.17k] ------------------ 947| 227| if(len == 4 /* IPv4 */) { ------------------ | Branch (947:12): [True: 37, False: 190] ------------------ 948| 37| ndpi_snprintf(dNSName, sizeof(dNSName), "%u.%u.%u.%u", 949| 37| packet->payload[i] & 0xFF, 950| 37| packet->payload[i+1] & 0xFF, 951| 37| packet->payload[i+2] & 0xFF, 952| 37| packet->payload[i+3] & 0xFF); 953| 190| } else if(len == 16 /* IPv6 */) { ------------------ | Branch (953:19): [True: 180, False: 10] ------------------ 954| 180| struct in6_addr addr = *(struct in6_addr *)&packet->payload[i]; 955| 180| inet_ntop(AF_INET6, &addr, dNSName, sizeof(dNSName)); 956| 180| } else { 957| | /* Is that possibile? 
Better safe than sorry */ 958| 10| dNSName[0] = '\0'; 959| 10| } 960| 2.17k| } else { 961| 2.17k| strncpy(dNSName, (const char*)&packet->payload[i], len); 962| 2.17k| dNSName[len] = '\0'; 963| 2.17k| } 964| | 965| 2.39k| dNSName_len = strlen(dNSName); 966| 2.39k| cleanupServerName(dNSName, dNSName_len); 967| | 968| |#if DEBUG_TLS 969| | printf("[TLS] dNSName %s [%s][len: %u][leftover: %d]\n", dNSName, 970| | flow->host_server_name, len, 971| | packet->payload_packet_len-i-len); 972| |#endif 973| | 974| | /* 975| | We cannot use ndpi_is_valid_hostname() as we can have wildcards 976| | here that will create false positives 977| | */ 978| 2.39k| if(ndpi_normalize_printable_string(dNSName, dNSName_len) == 0) { ------------------ | Branch (978:10): [True: 954, False: 1.44k] ------------------ 979| 954| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, dNSName); 980| | 981| | /* This looks like an attack */ 982| 954| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Invalid dNSName name"); 983| 954| } 984| | 985| 2.39k| if(matched_name == 0) { ------------------ | Branch (985:10): [True: 428, False: 1.96k] ------------------ 986| |#if DEBUG_TLS 987| | printf("[TLS] Trying to match '%s' with '%s'\n", 988| | flow->host_server_name, dNSName); 989| |#endif 990| | 991| 428| if(dNSName[0] == '*') { ------------------ | Branch (991:12): [True: 340, False: 88] ------------------ 992| 340| char * label = strstr(flow->host_server_name, &dNSName[1]); 993| | 994| 340| if(label != NULL) { ------------------ | Branch (994:7): [True: 289, False: 51] ------------------ 995| 289| char * first_dot = strchr(flow->host_server_name, '.'); 996| | 997| 289| if((first_dot == NULL) || (first_dot <= label)) { ------------------ | Branch (997:9): [True: 10, False: 279] | Branch (997:32): [True: 279, False: 0] ------------------ 998| 289| matched_name = 1; 999| 289| } 1000| 289| } 1001| 340| } else if(strcmp(flow->host_server_name, dNSName) == 0) { ------------------ | Branch 
(1001:19): [True: 25, False: 63] ------------------ 1002| 25| matched_name = 1; 1003| 25| } 1004| 428| } 1005| | 1006| 2.39k| if(ndpi_struct->cfg.tls_cert_server_names_enabled) { ------------------ | Branch (1006:10): [True: 2.39k, False: 0] ------------------ 1007| 2.39k| if(flow->protos.tls_quic.server_names == NULL) { ------------------ | Branch (1007:26): [True: 620, False: 1.77k] ------------------ 1008| 620| flow->protos.tls_quic.server_names = ndpi_strdup(dNSName); 1009| 620| flow->protos.tls_quic.server_names_len = strlen(dNSName); 1010| 1.77k| } else if((u_int16_t)(flow->protos.tls_quic.server_names_len + dNSName_len + 1) > flow->protos.tls_quic.server_names_len) { ------------------ | Branch (1010:33): [True: 1.77k, False: 0] ------------------ 1011| 1.77k| u_int16_t newstr_len = flow->protos.tls_quic.server_names_len + dNSName_len + 1; 1012| 1.77k| char *newstr = (char*)ndpi_realloc(flow->protos.tls_quic.server_names, 1013| 1.77k| newstr_len + 1); 1014| | 1015| 1.77k| if(newstr) { ------------------ | Branch (1015:28): [True: 1.68k, False: 95] ------------------ 1016| 1.68k| flow->protos.tls_quic.server_names = newstr; 1017| 1.68k| flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len] = ','; 1018| 1.68k| strncpy(&flow->protos.tls_quic.server_names[flow->protos.tls_quic.server_names_len+1], 1019| 1.68k| dNSName, dNSName_len+1); 1020| 1.68k| flow->protos.tls_quic.server_names[newstr_len] = '\0'; 1021| 1.68k| flow->protos.tls_quic.server_names_len = newstr_len; 1022| 1.68k| } 1023| 1.77k| } 1024| 2.39k| } 1025| | 1026| 2.39k| if(ndpi_struct->cfg.tls_subclassification_enabled && ------------------ | Branch (1026:10): [True: 2.39k, False: 0] ------------------ 1027| 2.39k| !flow->protos.tls_quic.subprotocol_detected && ------------------ | Branch (1027:10): [True: 2.30k, False: 97] ------------------ 1028| 2.30k| !flow->tls_quic.from_rdp) { /* No (other) sub-classification; we will have TLS.RDP anyway */ ------------------ | Branch 
(1028:10): [True: 2.30k, False: 0] ------------------ 1029| 2.30k| if(ndpi_match_hostname_protocol(ndpi_struct, flow, ndpi_get_master_proto(ndpi_struct, flow), dNSName, dNSName_len)) { ------------------ | Branch (1029:12): [True: 8, False: 2.29k] ------------------ 1030| 8| flow->protos.tls_quic.subprotocol_detected = 1; 1031| 8| ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); 1032| 8| } 1033| 2.30k| } 1034| | 1035| 2.39k| i += len; 1036| 2.39k| } else { 1037| 27| char buf[32]; 1038| | 1039| 27| snprintf(buf, sizeof(buf), "Unknown extension %02X", general_name_type); 1040| |#if DEBUG_TLS 1041| | printf("[TLS] Leftover %u bytes", packet->payload_packet_len - i); 1042| |#endif 1043| 27| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, buf); 1044| 27| break; 1045| 27| } 1046| 2.45k| } else { 1047| 1.50k| break; 1048| 1.50k| } 1049| 3.95k| } /* while */ 1050| | 1051| 1.56k| if(!matched_name) { ------------------ | Branch (1051:9): [True: 44, False: 1.51k] ------------------ 1052| 44| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_CERTIFICATE_MISMATCH)) { ------------------ | Branch (1052:11): [True: 44, False: 0] ------------------ 1053| 44| char str[128]; 1054| | 1055| 44| snprintf(str, sizeof(str), "%s vs %s", flow->host_server_name, flow->protos.tls_quic.server_names); 1056| 44| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH, str); /* Certificate mismatch */ 1057| 44| } else { 1058| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_MISMATCH, NULL); /* Certificate mismatch */ 1059| 0| } 1060| 44| } 1061| 1.56k| } 1062| 1.56k| } 1063| 1.56k| } 1064| 1.56k| } 1065| 1.02M| } /* for */ 1066| | 1067| 654| if(rdn_len && (flow->protos.tls_quic.subjectDN == NULL)) { ------------------ | Branch (1067:6): [True: 611, False: 43] | Branch (1067:17): [True: 611, False: 0] ------------------ 1068| 611| if(ndpi_struct->cfg.tls_cert_subject_enabled) ------------------ | Branch (1068:8): [True: 611, False: 0] ------------------ 
1069| 611| flow->protos.tls_quic.subjectDN = ndpi_strdup(rdnSeqBuf); 1070| | 1071| 611| if(ndpi_struct->cfg.tls_subclassification_enabled && ------------------ | Branch (1071:8): [True: 611, False: 0] ------------------ 1072| 611| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (1072:8): [True: 580, False: 31] ------------------ 1073| | /* No idea what is happening behind the scenes: let's check the certificate */ 1074| 580| u_int32_t val; 1075| 580| int rc = ndpi_match_string_value(ndpi_struct->tls_cert_subject_automa.ac_automa, 1076| 580| rdnSeqBuf, strlen(rdnSeqBuf), &val); 1077| | 1078| 580| if(rc == 0) { ------------------ | Branch (1078:10): [True: 0, False: 580] ------------------ 1079| | /* Match found */ 1080| 0| u_int16_t proto_id = (u_int16_t)val; 1081| 0| ndpi_master_app_protocol proto; 1082| | 1083| 0| ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, ndpi_get_master_proto(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); 1084| 0| proto.master_protocol = ndpi_get_master_proto(ndpi_struct, flow); 1085| 0| proto.app_protocol = proto_id; 1086| 0| flow->category = get_proto_category(ndpi_struct, proto); 1087| 0| flow->breed = get_proto_breed(ndpi_struct, proto); 1088| 0| ndpi_check_subprotocol_risk(ndpi_struct, flow, proto_id); 1089| 0| ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); 1090| | 1091| 0| if(ndpi_struct->tls_cert_cache) { ------------------ | Branch (1091:5): [True: 0, False: 0] ------------------ 1092| 0| u_int64_t key = make_tls_cert_key(packet, 0 /* from the server */); 1093| | 1094| 0| ndpi_lru_add_to_cache(ndpi_struct->tls_cert_cache, key, proto_id, ndpi_get_current_time(flow)); 1095| 0| } 1096| 0| } 1097| 580| } 1098| 611| } 1099| | 1100| 654| if(flow->protos.tls_quic.subjectDN && flow->protos.tls_quic.issuerDN ------------------ | Branch (1100:6): [True: 584, False: 70] | Branch (1100:41): [True: 379, False: 205] ------------------ 1101| 379| && (!strcmp(flow->protos.tls_quic.subjectDN, 
flow->protos.tls_quic.issuerDN))) { ------------------ | Branch (1101:9): [True: 1, False: 378] ------------------ 1102| | /* Last resort: we check if this is a trusted issuerDN */ 1103| 1| if(ndpi_check_issuerdn_risk_exception(ndpi_struct, flow->protos.tls_quic.issuerDN)) ------------------ | Branch (1103:8): [True: 0, False: 1] ------------------ 1104| 0| return; /* This is a trusted DN */ 1105| | 1106| 1| if(!flow->protos.tls_quic.webrtc) ------------------ | Branch (1106:8): [True: 1, False: 0] ------------------ 1107| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SELFSIGNED_CERTIFICATE, flow->protos.tls_quic.subjectDN); 1108| 1| } 1109| | 1110| |#if DEBUG_TLS 1111| | printf("[TLS] %s() SubjectDN [%s]\n", __FUNCTION__, rdnSeqBuf); 1112| |#endif 1113| 654|} processCertificate: 1154| 660| struct ndpi_flow_struct *flow) { 1155| 660| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1156| 660| int is_dtls = packet->udp || flow->stun.maybe_dtls; /* No certificate with QUIC */ ------------------ | Branch (1156:17): [True: 0, False: 660] | Branch (1156:32): [True: 0, False: 660] ------------------ 1157| 660| u_int32_t certificates_length, length = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; 1158| 660| u_int32_t certificates_offset = 7 + (is_dtls ? 8 : 0); ------------------ | Branch (1158:40): [True: 0, False: 660] ------------------ 1159| 660| u_int8_t num_certificates_found = 0; 1160| | 1161| |#ifdef DEBUG_TLS 1162| | printf("[TLS] %s() [payload_packet_len=%u][direction: %u][%02X %02X %02X %02X %02X %02X...]\n", 1163| | __FUNCTION__, packet->payload_packet_len, 1164| | packet->packet_direction, 1165| | packet->payload[0], packet->payload[1], packet->payload[2], 1166| | packet->payload[3], packet->payload[4], packet->payload[5]); 1167| |#endif 1168| | 1169| 660| if((packet->payload_packet_len != (length + 4 + (is_dtls ? 
8 : 0))) || (packet->payload[1] != 0x0) || ------------------ | Branch (1169:6): [True: 0, False: 660] | Branch (1169:52): [True: 0, False: 660] | Branch (1169:74): [True: 0, False: 660] ------------------ 1170| 660| certificates_offset >= packet->payload_packet_len) { ------------------ | Branch (1170:6): [True: 1, False: 659] ------------------ 1171| 1| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Unvalid lenght"); 1172| 1| return(-1); /* Invalid length */ 1173| 1| } 1174| | 1175| 659| certificates_length = (packet->payload[certificates_offset - 3] << 16) + 1176| 659| (packet->payload[certificates_offset - 2] << 8) + 1177| 659| packet->payload[certificates_offset - 1]; 1178| | 1179| 659| if((packet->payload[certificates_offset - 3] != 0x0) || ((certificates_length+3) != length)) { ------------------ | Branch (1179:6): [True: 1, False: 658] | Branch (1179:59): [True: 1, False: 657] ------------------ 1180| 2| ndpi_set_risk(ndpi_struct, flow, NDPI_MALFORMED_PACKET, "Invalid certificate offset"); 1181| 2| return(-2); /* Invalid length */ 1182| 2| } 1183| | 1184| | /* Now let's process each individual certificates */ 1185| 2.40k| while(certificates_offset < certificates_length) { ------------------ | Branch (1185:9): [True: 2.04k, False: 361] ------------------ 1186| 2.04k| u_int32_t certificate_len = (packet->payload[certificates_offset] << 16) + (packet->payload[certificates_offset+1] << 8) + packet->payload[certificates_offset+2]; 1187| | 1188| | /* Invalid lenght */ 1189| 2.04k| if((certificate_len == 0) ------------------ | Branch (1189:8): [True: 13, False: 2.02k] ------------------ 1190| 2.02k| || (packet->payload[certificates_offset] != 0x0) ------------------ | Branch (1190:11): [True: 274, False: 1.75k] ------------------ 1191| 1.75k| || ((certificates_offset+certificate_len) > (4+certificates_length+(is_dtls ? 
8 : 0)))) { ------------------ | Branch (1191:11): [True: 9, False: 1.74k] | Branch (1191:76): [True: 0, False: 1.75k] ------------------ 1192| |#ifdef DEBUG_TLS 1193| | printf("[TLS] Invalid length [certificate_len: %u][certificates_offset: %u][%u vs %u]\n", 1194| | certificate_len, certificates_offset, 1195| | (certificates_offset+certificate_len), 1196| | certificates_length); 1197| |#endif 1198| 296| break; 1199| 296| } 1200| | 1201| 1.74k| certificates_offset += 3; 1202| |#ifdef DEBUG_TLS 1203| | printf("[TLS] Processing %u bytes certificate [%02X %02X %02X]\n", 1204| | certificate_len, 1205| | packet->payload[certificates_offset], 1206| | packet->payload[certificates_offset+1], 1207| | packet->payload[certificates_offset+2]); 1208| |#endif 1209| | 1210| 1.74k| if(num_certificates_found++ == 0) /* Dissect only the first certificate that is the one we care */ { ------------------ | Branch (1210:8): [True: 654, False: 1.09k] ------------------ 1211| | 1212| |#ifdef DEBUG_CERTIFICATE_HASH 1213| | { 1214| | u_int32_t i; 1215| | 1216| | for(i=0;ipayload[certificates_offset+i]); 1218| | 1219| | printf("\n"); 1220| | } 1221| |#endif 1222| | 1223| | /* For SHA-1 we take into account only the first certificate and not all of them */ 1224| 654| if(ndpi_struct->cfg.tls_sha1_fingerprint_enabled) { ------------------ | Branch (1224:10): [True: 654, False: 0] ------------------ 1225| 654| SHA1_CTX srv_cert_fingerprint_ctx ; 1226| | 1227| 654| SHA1Init(&srv_cert_fingerprint_ctx); 1228| 654| SHA1Update(&srv_cert_fingerprint_ctx, 1229| 654| &packet->payload[certificates_offset], 1230| 654| certificate_len); 1231| | 1232| 654| SHA1Final(flow->protos.tls_quic.sha1_certificate_fingerprint, &srv_cert_fingerprint_ctx); 1233| | 1234| 654| flow->protos.tls_quic.fingerprint_set = 1; 1235| | 1236| 654| uint8_t * sha1 = flow->protos.tls_quic.sha1_certificate_fingerprint; 1237| 654| const size_t sha1_siz = sizeof(flow->protos.tls_quic.sha1_certificate_fingerprint); 1238| 654| char 
sha1_str[20 /* sha1_siz */ * 2 + 1]; 1239| 654| static const char hexalnum[] = "0123456789ABCDEF"; 1240| 654| size_t i; 1241| 13.7k| for (i = 0; i < sha1_siz; ++i) { ------------------ | Branch (1241:21): [True: 13.0k, False: 654] ------------------ 1242| 13.0k| u_int8_t lower = (sha1[i] & 0x0F); 1243| 13.0k| u_int8_t upper = (sha1[i] & 0xF0) >> 4; 1244| 13.0k| sha1_str[i*2] = hexalnum[upper]; 1245| 13.0k| sha1_str[i*2 + 1] = hexalnum[lower]; 1246| 13.0k| } 1247| 654| sha1_str[sha1_siz * 2] = '\0'; 1248| | 1249| |#ifdef DEBUG_TLS 1250| | printf("[TLS] SHA-1: %s\n", sha1_str); 1251| |#endif 1252| | 1253| 654| if(ndpi_struct->malicious_sha1_hashmap != NULL) { ------------------ | Branch (1253:12): [True: 0, False: 654] ------------------ 1254| 0| u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_sha1_hashmap, sha1_str, sha1_siz * 2, NULL); 1255| | 1256| 0| if(rc1 == 0) ------------------ | Branch (1256:14): [True: 0, False: 0] ------------------ 1257| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_SHA1_CERTIFICATE, sha1_str); 1258| 0| } 1259| 654| } 1260| | 1261| 654| processCertificateElements(ndpi_struct, flow, certificates_offset, certificate_len); 1262| 654| } 1263| | 1264| 1.74k| certificates_offset += certificate_len; 1265| 1.74k| } 1266| | 1267| 657| return(1); 1268| 659|} ndpi_search_tls_tcp: 1436| 26.7k| struct ndpi_flow_struct *flow) { 1437| 26.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1438| 26.7k| u_int8_t something_went_wrong = 0; 1439| 26.7k| message_t *message; 1440| 26.7k| bool same_packet = false; 1441| | 1442| 26.7k| if(packet->tcp == NULL) ------------------ | Branch (1442:6): [True: 0, False: 26.7k] ------------------ 1443| 0| return 0; /* Error -> stop (this doesn't seem to be TCP) */ 1444| | 1445| |#ifdef DEBUG_TLS_MEMORY 1446| | printf("[TLS Mem] ndpi_search_tls_tcp() Processing new packet [payload_packet_len: %u][Dir: %u]\n", 1447| | packet->payload_packet_len, packet->packet_direction); 1448| |#endif 1449| | 
1450| | /* This function is also called by "extra dissection" data path. Unfortunately, 1451| | generic "extra function" code doesn't honour protocol bitmask. 1452| | TODO: handle that in ndpi_main.c for all the protocols */ 1453| 26.7k| if(packet->payload_packet_len == 0 || ------------------ | Branch (1453:6): [True: 3.18k, False: 23.5k] ------------------ 1454| 23.5k| packet->tcp_retransmission) { ------------------ | Branch (1454:6): [True: 424, False: 23.1k] ------------------ 1455| |#ifdef DEBUG_TLS_MEMORY 1456| | printf("[TLS Mem] Ack or retransmission %d/%d. Skip\n", 1457| | packet->payload_packet_len, packet->tcp_retransmission); 1458| |#endif 1459| 3.60k| return 1; /* Keep working */ 1460| 3.60k| } 1461| | 1462| 23.1k| message = &flow->tls_quic.message[packet->packet_direction]; 1463| 23.1k| if(ndpi_search_tls_memory(packet->payload, ------------------ | Branch (1463:6): [True: 1.32k, False: 21.8k] ------------------ 1464| 23.1k| packet->payload_packet_len, ntohl(packet->tcp->seq), 1465| 23.1k| message) == -1) 1466| 1.32k| return 0; /* Error -> stop */ 1467| | 1468| 24.6k| while(!something_went_wrong) { ------------------ | Branch (1468:9): [True: 24.5k, False: 27] ------------------ 1469| 24.5k| u_int32_t len; 1470| 24.5k| u_int16_t p_len; 1471| 24.5k| const u_int8_t *p; 1472| 24.5k| u_int8_t content_type; 1473| | 1474| 24.5k| if(message->buffer_used < 5) ------------------ | Branch (1474:8): [True: 2.14k, False: 22.4k] ------------------ 1475| 2.14k| break; 1476| | 1477| 22.4k| if(!check_tls_type_and_version(message->buffer, message->buffer_used)) { ------------------ | Branch (1477:8): [True: 12.1k, False: 10.2k] ------------------ 1478| |#ifdef DEBUG_TLS_MEMORY 1479| | printf("[TLS Mem] Invalid record type/version"); 1480| |#endif 1481| 12.1k| something_went_wrong = 1; 1482| 12.1k| break; 1483| 12.1k| } 1484| | 1485| 10.2k| len = (message->buffer[3] << 8) + message->buffer[4] + 5; 1486| | 1487| 10.2k| if(len > message->buffer_used) { 
------------------ | Branch (1487:8): [True: 2.22k, False: 8.05k] ------------------ 1488| |#ifdef DEBUG_TLS_MEMORY 1489| | printf("[TLS Mem] Not enough TLS data [%u < %u][%02X %02X %02X %02X %02X]\n", 1490| | len, message->buffer_used, 1491| | message->buffer[0], 1492| | message->buffer[1], 1493| | message->buffer[2], 1494| | message->buffer[3], 1495| | message->buffer[4]); 1496| |#endif 1497| 2.22k| break; 1498| 2.22k| } 1499| | 1500| |#ifdef DEBUG_TLS_MEMORY 1501| | printf("[TLS Mem] Processing %u bytes message\n", len); 1502| |#endif 1503| | 1504| 8.05k| content_type = message->buffer[0]; 1505| | 1506| 8.05k| if(content_type != 0x16) ------------------ | Branch (1506:8): [True: 2.14k, False: 5.91k] ------------------ 1507| 2.14k| handleTLSBlockStat(ndpi_struct, flow, &same_packet, content_type, 0, len - 5); 1508| | 1509| | /* Overwriting packet payload */ 1510| 8.05k| p = packet->payload; 1511| 8.05k| p_len = packet->payload_packet_len; /* Backup */ 1512| | 1513| 8.05k| if(content_type == 0x14 /* Change Cipher Spec */) { ------------------ | Branch (1513:8): [True: 1.00k, False: 7.05k] ------------------ 1514| 1.00k| if(len == 6 && ------------------ | Branch (1514:10): [True: 997, False: 4] ------------------ 1515| 997| message->buffer[1] == 0x03 && /* TLS >= 1.0 */ ------------------ | Branch (1515:10): [True: 997, False: 0] ------------------ 1516| 997| ((message->buffer[3] << 8) + (message->buffer[4])) == 1) { ------------------ | Branch (1516:10): [True: 997, False: 0] ------------------ 1517| |#ifdef DEBUG_TLS 1518| | printf("[TLS] Change Cipher Spec\n"); 1519| |#endif 1520| 997| if(current_pkt_from_client_to_server(ndpi_struct, flow)) ------------------ | Branch (1520:12): [True: 355, False: 642] ------------------ 1521| 355| flow->tls_quic.change_cipher_from_client = 1; 1522| 642| else 1523| 642| flow->tls_quic.change_cipher_from_server = 1; 1524| | 1525| 997| ndpi_int_tls_add_connection(ndpi_struct, flow); 1526| 997| 
flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1; 1527| | /* Further data is encrypted so we are not able to parse it without 1528| | errors and without setting `something_went_wrong` variable */ 1529| | 1530| 997| if(ndpi_struct->cfg.tls_max_num_blocks_to_analyze == 0) { ------------------ | Branch (1530:5): [True: 997, False: 0] ------------------ 1531| | /* 1532| | In case of TLS blocks analysis we want to analize all the blocks 1533| | whereas in "standard" mode we can use this shortcut and break 1534| | */ 1535| 997| break; 1536| 997| } 1537| 997| } 1538| 7.05k| } else if(content_type == 0x15 /* Alert */) { ------------------ | Branch (1538:15): [True: 63, False: 6.99k] ------------------ 1539| | /* https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132 */ 1540| |#ifdef DEBUG_TLS 1541| | printf("[TLS] *** TLS ALERT ***\n"); 1542| |#endif 1543| | 1544| 63| flow->tls_quic.alert = 1; 1545| | 1546| | /* Basic heuristic to tell if the alert is encrypted or not */ 1547| 63| if(len == 7 && ------------------ | Branch (1547:10): [True: 0, False: 63] ------------------ 1548| 0| (message->buffer[5] == 1 || ------------------ | Branch (1548:11): [True: 0, False: 0] ------------------ 1549| 0| message->buffer[5] == 2)) { ------------------ | Branch (1549:11): [True: 0, False: 0] ------------------ 1550| 0| u_int8_t alert_level = message->buffer[5]; 1551| | 1552| 0| if(alert_level == 2 /* Warning (1), Fatal (2) */) ------------------ | Branch (1552:5): [True: 0, False: 0] ------------------ 1553| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert"); 1554| 0| else 1555| 0| flow->tls_quic.alert = 0; 1556| 0| } 1557| | 1558| 63| u_int16_t const alert_len = ntohs(*(u_int16_t const *)&message->buffer[3]); 1559| 63| if(alert_len == (u_int32_t)message->buffer_used - 5) ------------------ | Branch (1559:10): [True: 47, False: 16] ------------------ 1560| 47| 
ndpi_int_tls_add_connection(ndpi_struct, flow); 1561| 6.99k| } else if(content_type == 0x16 /* Handshake */) { ------------------ | Branch (1561:15): [True: 5.91k, False: 1.08k] ------------------ 1562| | /* Split the element in blocks */ 1563| 5.91k| u_int32_t processed = 5; 1564| | 1565| 5.91k| if(len >= 9) { ------------------ | Branch (1565:10): [True: 5.89k, False: 16] ------------------ 1566| 11.8k| while((processed+4) <= len) { ------------------ | Branch (1566:15): [True: 6.09k, False: 5.78k] ------------------ 1567| 6.09k| const u_int8_t *block = (const u_int8_t *)&message->buffer[processed]; 1568| 6.09k| u_int32_t block_len = (block[1] << 16) + (block[2] << 8) + block[3]; 1569| | 1570| 6.09k| if((current_pkt_from_client_to_server(ndpi_struct, flow) && ------------------ | Branch (1570:15): [True: 3.24k, False: 2.84k] ------------------ 1571| 3.24k| flow->tls_quic.change_cipher_from_client == 1) || ------------------ | Branch (1571:15): [True: 0, False: 3.24k] ------------------ 1572| 6.09k| (!current_pkt_from_client_to_server(ndpi_struct, flow) && ------------------ | Branch (1572:15): [True: 2.84k, False: 3.24k] ------------------ 1573| 2.84k| flow->tls_quic.change_cipher_from_server == 1)) { ------------------ | Branch (1573:15): [True: 0, False: 2.84k] ------------------ 1574| |#ifdef DEBUG_TLS_MEMORY 1575| | printf("[TLS Mem] Encrypted Handshake msg. 
Skip\n"); 1576| |#endif 1577| | 1578| 0| handleTLSBlockStat(ndpi_struct, flow, &same_packet, 0x16, 0, len - 5); 1579| | 1580| | /* We don't have block len, so ignore the entire record */ 1581| 0| processed += len - 5; 1582| 0| break; 1583| 0| } 1584| | 1585| 6.09k| if(/* (block_len == 0) || */ /* Note blocks can have zero lenght */ 1586| 6.09k| (block_len > len) || ((block[1] != 0x0))) { ------------------ | Branch (1586:14): [True: 103, False: 5.98k] | Branch (1586:35): [True: 0, False: 5.98k] ------------------ 1587| 103| something_went_wrong = 1; 1588| 103| break; 1589| 103| } 1590| | 1591| 5.98k| packet->payload = block; 1592| 5.98k| packet->payload_packet_len = ndpi_min(block_len+4, message->buffer_used); ------------------ | | 113| 5.98k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 5.98k, False: 1] | | ------------------ ------------------ 1593| | 1594| 5.98k| if((processed+packet->payload_packet_len) > len) { ------------------ | Branch (1594:14): [True: 6, False: 5.98k] ------------------ 1595| 6| something_went_wrong = 1; 1596| 6| break; 1597| 6| } 1598| | 1599| 5.98k| handleTLSBlockStat(ndpi_struct, flow, &same_packet, 0x16, block[0], block_len); 1600| | 1601| 5.98k| processHandshakeTLSBlock(ndpi_struct, flow); 1602| 5.98k| ndpi_looks_like_tls(ndpi_struct, flow); 1603| | 1604| 5.98k| processed += packet->payload_packet_len; 1605| 5.98k| } 1606| 5.89k| } 1607| 5.91k| } else if(content_type == 0x17 /* Application Data */) { ------------------ | Branch (1607:15): [True: 1.07k, False: 2] ------------------ 1608| 1.07k| u_int32_t block_len = (message->buffer[3] << 8) + (message->buffer[4]); 1609| | 1610| | /* Let's do a quick check to make sure this really looks like TLS */ 1611| 1.07k| if(block_len < 16384 /* Max TLS block size */) ------------------ | Branch (1611:10): [True: 1.07k, False: 0] ------------------ 1612| 1.07k| ndpi_looks_like_tls(ndpi_struct, flow); 1613| | 1614| 1.07k| if(block_len == 
(u_int32_t)message->buffer_used - 5) ------------------ | Branch (1614:10): [True: 1.06k, False: 13] ------------------ 1615| 1.06k| ndpi_int_tls_add_connection(ndpi_struct, flow); 1616| | 1617| | /* If we have seen Application Data blocks in both directions, it means 1618| | we are after the handshake. Stop extra processing */ 1619| 1.07k| flow->l4.tcp.tls.app_data_seen[packet->packet_direction] = 1; 1620| 1.07k| if(flow->l4.tcp.tls.app_data_seen[!packet->packet_direction] == 1) ------------------ | Branch (1620:10): [True: 133, False: 946] ------------------ 1621| 133| flow->tls_quic.certificate_processed = 1; 1622| 1.07k| } 1623| | 1624| 7.05k| packet->payload = p; 1625| 7.05k| packet->payload_packet_len = p_len; /* Restore */ 1626| 7.05k| message->buffer_used -= len; 1627| | 1628| 7.05k| if(message->buffer_used > 0) ------------------ | Branch (1628:8): [True: 2.76k, False: 4.29k] ------------------ 1629| 2.76k| memmove(message->buffer, &message->buffer[len], message->buffer_used); 1630| 4.29k| else 1631| 4.29k| break; 1632| | 1633| |#ifdef DEBUG_TLS_MEMORY 1634| | printf("[TLS Mem] Left memory buffer %u bytes\n", message->buffer_used); 1635| |#endif 1636| 7.05k| } 1637| | 1638| |#ifdef DEBUG_TLS_MEMORY 1639| | printf("[TLS] Eval if keep going [%p][blocks:%d/%d][wrong:%d]\n", 1640| | flow->extra_packets_func, 1641| | flow->l4.tcp.tls.num_tls_blocks, ndpi_struct->cfg.tls_max_num_blocks_to_analyze, 1642| | something_went_wrong); 1643| |#endif 1644| | 1645| 21.8k| if(something_went_wrong ------------------ | Branch (1645:6): [True: 12.2k, False: 9.57k] ------------------ 1646| 9.57k| || ((ndpi_struct->cfg.tls_max_num_blocks_to_analyze > 0) ------------------ | Branch (1646:10): [True: 0, False: 9.57k] ------------------ 1647| 0| && (flow->l4.tcp.tls.num_tls_blocks == ndpi_struct->cfg.tls_max_num_blocks_to_analyze)) ------------------ | Branch (1647:6): [True: 0, False: 0] ------------------ 1648| 9.57k| || ((ndpi_struct->cfg.tls_max_num_blocks_to_analyze == 0) 
------------------ | Branch (1648:10): [True: 9.57k, False: 0] ------------------ 1649| 9.57k| && (!keep_extra_dissection_tcp(ndpi_struct, flow))) ------------------ | Branch (1649:6): [True: 1.07k, False: 8.50k] ------------------ 1650| 21.8k| ) { 1651| |#ifdef DEBUG_TLS_BLOCKS 1652| | printf("*** [TLS Block] No more blocks\n"); 1653| |#endif 1654| | /* An ookla flow? */ 1655| 13.3k| if((ndpi_struct->cfg.ookla_aggressiveness & NDPI_AGGRESSIVENESS_OOKLA_TLS) && /* Feature enabled */ ------------------ | | 824| 13.3k|#define NDPI_AGGRESSIVENESS_OOKLA_TLS 0x01 /* Enable detection over TLS (using ookla cache) */ ------------------ | Branch (1655:8): [True: 13.3k, False: 0] ------------------ 1656| 13.3k| (!something_went_wrong && ------------------ | Branch (1656:9): [True: 1.07k, False: 12.2k] ------------------ 1657| 1.07k| flow->tls_quic.certificate_processed == 1 && ------------------ | Branch (1657:9): [True: 490, False: 581] ------------------ 1658| 490| flow->protos.tls_quic.client_hello_processed == 1 && ------------------ | Branch (1658:9): [True: 352, False: 138] ------------------ 1659| 352| flow->protos.tls_quic.server_hello_processed == 1) && /* TLS handshake found without errors */ ------------------ | Branch (1659:9): [True: 341, False: 11] ------------------ 1660| 341| flow->detected_protocol_stack[0] == NDPI_PROTOCOL_TLS && /* No IMAPS/FTPS/... 
*/ ------------------ | Branch (1660:8): [True: 316, False: 25] ------------------ 1661| 316| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN && /* No sub-classification */ ------------------ | Branch (1661:8): [True: 316, False: 0] ------------------ 1662| 13.3k| ntohs(flow->s_port) == 8080 && /* Ookla port */ ------------------ | Branch (1662:8): [True: 0, False: 316] ------------------ 1663| 0| ookla_search_into_cache(ndpi_struct, flow)) { ------------------ | Branch (1663:8): [True: 0, False: 0] ------------------ 1664| 0| NDPI_LOG_INFO(ndpi_struct, "found ookla (cache over TLS)\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 1665| | /* Even if a LRU cache is involved, NDPI_CONFIDENCE_DPI_AGGRESSIVE seems more 1666| | suited than NDPI_CONFIDENCE_DPI_CACHE */ 1667| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OOKLA, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_AGGRESSIVE); 1668| | 1669| 0| tls_match_ja4(ndpi_struct, flow); 1670| 0| flow->extra_packets_func = NULL; 1671| | 1672| 0| return(0); /* That's all */ 1673| | /* Loook for TLS-in-TLS */ 1674| 13.3k| } else if((ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_TLS) && /* Feature enabled */ ------------------ | | 831| 13.3k|#define NDPI_HEURISTICS_TLS_OBFUSCATED_TLS 0x02 /* Enable heuristic to detect proxied/obfuscated TLS flows over TLS tunnels, i.e. 
TLS over TLS */ ------------------ | Branch (1674:15): [True: 0, False: 13.3k] ------------------ 1675| 0| (!something_went_wrong && ------------------ | Branch (1675:16): [True: 0, False: 0] ------------------ 1676| 0| flow->tls_quic.certificate_processed == 1 && ------------------ | Branch (1676:16): [True: 0, False: 0] ------------------ 1677| 0| flow->protos.tls_quic.client_hello_processed == 1 && ------------------ | Branch (1677:16): [True: 0, False: 0] ------------------ 1678| 0| flow->protos.tls_quic.server_hello_processed == 1) && /* TLS handshake found without errors */ ------------------ | Branch (1678:16): [True: 0, False: 0] ------------------ 1679| 0| flow->tls_quic.from_opportunistic_tls == 0 && /* No from plaintext Mails or FTP */ ------------------ | Branch (1679:16): [True: 0, False: 0] ------------------ 1680| 0| !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) { ------------------ | Branch (1680:15): [True: 0, False: 0] ------------------ 1681| 0| switch_extra_dissection_to_tls_obfuscated_heur(ndpi_struct, flow); 1682| 0| return(1); 1683| 13.3k| } else { 1684| 13.3k| tls_match_ja4(ndpi_struct, flow); 1685| | 1686| 13.3k| flow->extra_packets_func = NULL; 1687| 13.3k| return(0); /* That's all */ 1688| 13.3k| } 1689| 13.3k| } else 1690| 8.50k| return(1); 1691| 21.8k|} is_dtls: 1695| 6.92k|int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len) { 1696| 6.92k| if(buf_len <= 13) ------------------ | Branch (1696:6): [True: 2, False: 6.92k] ------------------ 1697| 2| return 0; 1698| | 1699| 6.92k| if((buf[0] != 0x16 && buf[0] != 0x14 && buf[0] != 0x17 && buf[0] != 0x15) || /* Handshake, change-cipher-spec, Application-Data, Alert */ ------------------ | Branch (1699:7): [True: 6.91k, False: 5] | Branch (1699:25): [True: 6.87k, False: 46] | Branch (1699:43): [True: 6.87k, False: 1] | Branch (1699:61): [True: 6.87k, False: 1] ------------------ 1700| 53| !((buf[1] == 0xfe && buf[2] == 
0xff) || /* Versions */ ------------------ | Branch (1700:9): [True: 1, False: 52] | Branch (1700:27): [True: 0, False: 1] ------------------ 1701| 53| (buf[1] == 0xfe && buf[2] == 0xfd) || ------------------ | Branch (1701:9): [True: 1, False: 52] | Branch (1701:27): [True: 0, False: 1] ------------------ 1702| 53| (buf[1] == 0xfe && buf[2] == 0xfc) || ------------------ | Branch (1702:9): [True: 1, False: 52] | Branch (1702:27): [True: 0, False: 1] ------------------ 1703| 6.88k| (buf[1] == 0x01 && buf[2] == 0x00))) { ------------------ | Branch (1703:9): [True: 40, False: 13] | Branch (1703:27): [True: 38, False: 2] ------------------ 1704| |#ifdef DEBUG_TLS 1705| | printf("[TLS] DTLS invalid block 0x%x or old version 0x%x-0x%x-0x%x\n", 1706| | buf[0], buf[1], buf[2], buf[3]); 1707| |#endif 1708| 6.88k| return 0; 1709| 6.88k| } 1710| 38| *block_len = ntohs(*((u_int16_t*)&buf[11])); 1711| |#ifdef DEBUG_TLS 1712| | printf("[TLS] DTLS block len: %d\n", *block_len); 1713| |#endif 1714| 38| if(*block_len == 0 || (*block_len + 12 >= buf_len)) { /* We might have multiple DTLS records */ ------------------ | Branch (1714:6): [True: 0, False: 38] | Branch (1714:25): [True: 38, False: 0] ------------------ 1715| |#ifdef DEBUG_TLS 1716| | printf("[TLS] DTLS invalid block len %d (buf_len %d)\n", 1717| | *block_len, buf_len); 1718| |#endif 1719| 38| return 0; 1720| 38| } 1721| 0| return 1; 1722| 38|} skipTLSextension: 2169| 35.5k| u_int16_t extension_id) { 2170| 35.5k| if((extension_id == 0x0 /* SNI */) && ndpi_struct->cfg.tls_ndpifp_ignore_sni_extension) ------------------ | Branch (2170:6): [True: 5.86k, False: 29.7k] | Branch (2170:41): [True: 0, False: 5.86k] ------------------ 2171| 0| return(true); 2172| | 2173| 35.5k| if(ndpi_struct->cfg.tls_ja_ignore_ephemeral_extensions) { ------------------ | Branch (2173:6): [True: 0, False: 35.5k] ------------------ 2174| 0| switch(extension_id) { ------------------ | Branch (2174:12): [True: 0, False: 0] ------------------ 2175| 
0| case 0x23: /* session ticket - RFC 9149 */ ------------------ | Branch (2175:5): [True: 0, False: 0] ------------------ 2176| 0| case 0x29: /* pre-shared key - RFC 8446 */ ------------------ | Branch (2176:5): [True: 0, False: 0] ------------------ 2177| 0| case 0x15: /* padding - RFC 7685 */ ------------------ | Branch (2177:5): [True: 0, False: 0] ------------------ 2178| | /* Noisy extensions */ 2179| 0| case 0x2b: /* Supported TLS versions */ ------------------ | Branch (2179:5): [True: 0, False: 0] ------------------ 2180| 0| case 0x0a: /* Supported groups */ ------------------ | Branch (2180:5): [True: 0, False: 0] ------------------ 2181| 0| return(true); 2182| 0| } 2183| 0| } 2184| | 2185| 35.5k| return(false); 2186| 35.5k|} processClientServerHello: 2546| 4.70k| struct ndpi_flow_struct *flow, u_int32_t quic_version) { 2547| 4.70k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 2548| 4.70k| union ndpi_ja_info ja; 2549| 4.70k| ndpi_tls_server_info *s = &ja.server; 2550| 4.70k| u_int8_t invalid_ja = 0; 2551| 4.70k| u_int16_t tls_version; 2552| 4.70k| u_int32_t i, j; 2553| 4.70k| u_int16_t total_len; 2554| 4.70k| u_int8_t handshake_type; 2555| 4.70k| bool is_quic = (quic_version != 0); 2556| 4.70k| bool is_dtls = (packet->udp && !is_quic) || flow->stun.maybe_dtls; ------------------ | Branch (2556:19): [True: 0, False: 4.70k] | Branch (2556:34): [True: 0, False: 0] | Branch (2556:47): [True: 0, False: 4.70k] ------------------ 2557| | 2558| |#ifdef DEBUG_TLS 2559| | printf("TLS %s() called\n", __FUNCTION__); 2560| |#endif 2561| | 2562| 4.70k| handshake_type = packet->payload[0]; 2563| 4.70k| total_len = (packet->payload[1] << 16) + (packet->payload[2] << 8) + packet->payload[3]; 2564| | 2565| 4.70k| if((total_len > packet->payload_packet_len) || (packet->payload[1] != 0x0)) ------------------ | Branch (2565:6): [True: 0, False: 4.70k] | Branch (2565:50): [True: 0, False: 4.70k] ------------------ 2566| 0| return(0); /* Not found */ 2567| | 2568| 
4.70k| total_len = packet->payload_packet_len; 2569| | 2570| | /* At least "magic" 3 bytes, null for string end, otherwise no need to waste cpu cycles */ 2571| 4.70k| if(total_len > 4) { ------------------ | Branch (2571:6): [True: 4.69k, False: 9] ------------------ 2572| 4.69k| u_int16_t base_offset = (!is_dtls) ? 38 : 46; ------------------ | Branch (2572:32): [True: 4.69k, False: 0] ------------------ 2573| 4.69k| u_int16_t version_offset = (!is_dtls) ? 4 : 12; ------------------ | Branch (2573:32): [True: 4.69k, False: 0] ------------------ 2574| 4.69k| u_int16_t offset = (!is_dtls) ? 38 : 46; ------------------ | Branch (2574:24): [True: 4.69k, False: 0] ------------------ 2575| 4.69k| u_int32_t tot_extension_len; 2576| 4.69k| u_int8_t session_id_len = 0; 2577| | 2578| 4.69k| if((base_offset >= total_len) || ------------------ | Branch (2578:8): [True: 3, False: 4.69k] ------------------ 2579| 4.69k| (version_offset + 1) >= total_len) ------------------ | Branch (2579:8): [True: 0, False: 4.69k] ------------------ 2580| 3| return 0; /* Not found */ 2581| | 2582| 4.69k| session_id_len = packet->payload[base_offset]; 2583| | 2584| |#ifdef DEBUG_TLS 2585| | printf("TLS [len: %u][handshake_type: %02X]\n", packet->payload_packet_len, handshake_type); 2586| |#endif 2587| | 2588| 4.69k| tls_version = ntohs(*((u_int16_t*)&packet->payload[version_offset])); 2589| | 2590| 4.69k| if(handshake_type == 0x02 /* Server Hello */) { ------------------ | Branch (2590:8): [True: 1.77k, False: 2.91k] ------------------ 2591| 1.77k| int rc; 2592| | 2593| 1.77k| memset(&ja.server, 0, sizeof(ja.server)); 2594| | 2595| 1.77k| ja.server.tls_handshake_version = tls_version; 2596| | 2597| |#ifdef DEBUG_TLS 2598| | printf("TLS Server Hello [version: 0x%04X]\n", tls_version); 2599| |#endif 2600| | 2601| | /* 2602| | The server hello decides about the TLS version of this flow 2603| | 
https://networkengineering.stackexchange.com/questions/55752/why-does-wireshark-show-version-tls-1-2-here-instead-of-tls-1-3 2604| | */ 2605| 1.77k| if(packet->udp) ------------------ | Branch (2605:10): [True: 0, False: 1.77k] ------------------ 2606| 0| offset += session_id_len + 1; 2607| 1.77k| else { 2608| 1.77k| if(tls_version < 0x7F15 /* TLS 1.3 lacks of session id */) ------------------ | Branch (2608:5): [True: 1.76k, False: 9] ------------------ 2609| 1.76k| offset += session_id_len+1; 2610| 1.77k| } 2611| | 2612| 1.77k| if((offset+3) > packet->payload_packet_len) ------------------ | Branch (2612:10): [True: 23, False: 1.75k] ------------------ 2613| 23| return(0); /* Not found */ 2614| | 2615| 1.75k| ja.server.num_ciphers = 1, ja.server.cipher[0] = ntohs(*((u_int16_t*)&packet->payload[offset])); 2616| | 2617| 1.75k| if(ndpi_struct->cfg.tls_cipher_enabled) { ------------------ | Branch (2617:10): [True: 1.75k, False: 0] ------------------ 2618| 1.75k| if((flow->protos.tls_quic.server_unsafe_cipher = ndpi_is_safe_ssl_cipher(ja.server.cipher[0])) != NDPI_CIPHER_SAFE) { ------------------ | | 189| 1.75k|#define NDPI_CIPHER_SAFE 0 ------------------ | Branch (2618:12): [True: 32, False: 1.72k] ------------------ 2619| 32| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_WEAK_CIPHER)) { ------------------ | Branch (2619:14): [True: 32, False: 0] ------------------ 2620| 32| char str[64]; 2621| 32| char unknown_cipher[8]; 2622| | 2623| 32| snprintf(str, sizeof(str), "Cipher %s", ndpi_cipher2str(ja.server.cipher[0], unknown_cipher)); 2624| 32| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, str); 2625| 32| } else { 2626| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_WEAK_CIPHER, NULL); 2627| 0| } 2628| 32| } 2629| | 2630| 1.75k| flow->protos.tls_quic.server_cipher = ja.server.cipher[0]; 2631| 1.75k| } 2632| | 2633| |#ifdef DEBUG_TLS 2634| | printf("TLS [server][session_id_len: %u][cipher: %04X]\n", session_id_len, ja.server.cipher[0]); 2635| |#endif 2636| 
| 2637| 1.75k| offset += 2 + 1; 2638| | 2639| 1.75k| if((offset + 1) < packet->payload_packet_len) /* +1 because we are goint to read 2 bytes */ ------------------ | Branch (2639:10): [True: 1.75k, False: 2] ------------------ 2640| 1.75k| tot_extension_len = ntohs(*((u_int16_t*)&packet->payload[offset])); 2641| 2| else 2642| 2| tot_extension_len = 0; 2643| | 2644| |#ifdef DEBUG_TLS 2645| | printf("TLS [server][tot_extension_len: %u]\n", tot_extension_len); 2646| |#endif 2647| 1.75k| offset += 2; 2648| | 2649| 7.18k| for(i=0; i packet->payload_packet_len) break; ------------------ | Branch (2653:5): [True: 971, False: 5.72k] ------------------ 2654| | 2655| 5.72k| extension_id = ntohs(*((u_int16_t*)&packet->payload[offset])); 2656| 5.72k| extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+2])); 2657| 5.72k| if(offset+4+extension_len > packet->payload_packet_len) { ------------------ | Branch (2657:5): [True: 149, False: 5.57k] ------------------ 2658| 149| break; 2659| 149| } 2660| | 2661| 5.57k| if(ja.server.num_tls_extensions < MAX_NUM_JA) ------------------ | | 396| 5.57k|#define MAX_NUM_JA 128 ------------------ | Branch (2661:5): [True: 5.57k, False: 0] ------------------ 2662| 5.57k| ja.server.tls_extension[ja.server.num_tls_extensions++] = extension_id; 2663| | 2664| |#ifdef DEBUG_TLS 2665| | printf("TLS [server][extension_id: %u/0x%04X][len: %u]\n", 2666| | extension_id, extension_id, extension_len); 2667| |#endif 2668| 5.57k| checkExtensions(ndpi_struct, flow, is_dtls, extension_id, extension_len, offset + 4); 2669| | 2670| 5.57k| if(extension_id == 43 /* supported versions */) { ------------------ | Branch (2670:5): [True: 2, False: 5.57k] ------------------ 2671| 2| if(extension_len >= 2) { ------------------ | Branch (2671:7): [True: 1, False: 1] ------------------ 2672| 1| u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[offset+4])); 2673| | 2674| |#ifdef DEBUG_TLS 2675| | printf("TLS [server] [TLS version: 0x%04X]\n", 
tls_version); 2676| |#endif 2677| | 2678| 1| flow->protos.tls_quic.ssl_version = ja.server.tls_supported_version = tls_version; 2679| 1| } 2680| 5.57k| } else if(extension_id == 16 /* application_layer_protocol_negotiation (ALPN) */ && ------------------ | Branch (2680:12): [True: 165, False: 5.40k] ------------------ 2681| 165| offset + 6 < packet->payload_packet_len) { ------------------ | Branch (2681:12): [True: 164, False: 1] ------------------ 2682| 164| u_int16_t s_offset = offset+4; 2683| 164| u_int16_t tot_alpn_len = ntohs(*((u_int16_t*)&packet->payload[s_offset])); 2684| 164| char alpn_str[256]; 2685| 164| u_int16_t alpn_str_len = 0, i; 2686| | 2687| |#ifdef DEBUG_TLS 2688| | printf("Server TLS [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len); 2689| |#endif 2690| 164| s_offset += 2; 2691| 164| tot_alpn_len += s_offset; 2692| | 2693| 164| if(tot_alpn_len > packet->payload_packet_len) ------------------ | Branch (2693:7): [True: 146, False: 18] ------------------ 2694| 146| return 0; 2695| | 2696| 58| while(s_offset < tot_alpn_len && s_offset < total_len) { ------------------ | Branch (2696:10): [True: 56, False: 2] | Branch (2696:37): [True: 56, False: 0] ------------------ 2697| 56| u_int8_t alpn_i, alpn_len = packet->payload[s_offset++]; 2698| | 2699| 56| if((s_offset + alpn_len) <= tot_alpn_len) { ------------------ | Branch (2699:9): [True: 40, False: 16] ------------------ 2700| |#ifdef DEBUG_TLS 2701| | printf("Server TLS [ALPN: %u]\n", alpn_len); 2702| |#endif 2703| | 2704| 40| if(((uint32_t)alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) { ------------------ | Branch (2704:11): [True: 40, False: 0] ------------------ 2705| 40| if(alpn_str_len > 0) { ------------------ | Branch (2705:13): [True: 9, False: 31] ------------------ 2706| 9| alpn_str[alpn_str_len] = ','; 2707| 9| alpn_str_len++; 2708| 9| } 2709| | 2710| 124| for(alpn_i=0; alpn_ipayload[s_offset+alpn_i]; 2712| 84| } 2713| | 2714| 40| s_offset += alpn_len, alpn_str_len += 
alpn_len;; 2715| 40| } else { 2716| 0| alpn_str[alpn_str_len] = '\0'; 2717| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); 2718| 0| break; 2719| 0| } 2720| 40| } else { 2721| 16| alpn_str[alpn_str_len] = '\0'; 2722| 16| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, alpn_str); 2723| 16| break; 2724| 16| } 2725| 56| } /* while */ 2726| | 2727| 18| alpn_str[alpn_str_len] = '\0'; 2728| | 2729| |#ifdef DEBUG_TLS 2730| | printf("Server TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); 2731| |#endif 2732| 18| if(ndpi_normalize_printable_string(alpn_str, alpn_str_len) == 0) ------------------ | Branch (2732:7): [True: 11, False: 7] ------------------ 2733| 11| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, alpn_str); 2734| | 2735| 18| if(flow->protos.tls_quic.negotiated_alpn == NULL && ------------------ | Branch (2735:7): [True: 18, False: 0] ------------------ 2736| 18| ndpi_struct->cfg.tls_alpn_negotiated_enabled) ------------------ | Branch (2736:7): [True: 18, False: 0] ------------------ 2737| 18| flow->protos.tls_quic.negotiated_alpn = ndpi_strdup(alpn_str); 2738| | 2739| | /* Check ALPN only if not already checked (client-side) */ 2740| 18| if(flow->protos.tls_quic.negotiated_alpn != NULL && ------------------ | Branch (2740:7): [True: 15, False: 3] ------------------ 2741| 15| flow->protos.tls_quic.advertised_alpns == NULL) ------------------ | Branch (2741:7): [True: 5, False: 10] ------------------ 2742| 5| tlsCheckUncommonALPN(ndpi_struct, flow, flow->protos.tls_quic.negotiated_alpn); 2743| | 2744| 18| alpn_str_len = ndpi_min(sizeof(ja.server.alpn), (size_t)alpn_str_len); ------------------ | | 113| 18|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 18] | | ------------------ ------------------ 2745| 18| memcpy(ja.server.alpn, alpn_str, alpn_str_len); 2746| 18| if(alpn_str_len > 0) ------------------ | Branch (2746:7): [True: 12, False: 6] ------------------ 2747| 12| ja.server.alpn[alpn_str_len] = '\0'; 2748| | 2749| | /* Replace , with - as in JA3 */ 2750| 111| for(i=0; ja.server.alpn[i] != '\0'; i++) ------------------ | Branch (2750:13): [True: 93, False: 18] ------------------ 2751| 93| if(ja.server.alpn[i] == ',') ja.server.alpn[i] = '-'; ------------------ | Branch (2751:9): [True: 9, False: 84] ------------------ 2752| 5.40k| } else if(extension_id == 11 /* ec_point_formats groups */) { ------------------ | Branch (2752:12): [True: 830, False: 4.57k] ------------------ 2753| 830| u_int16_t s_offset = offset+4 + 1; 2754| | 2755| |#ifdef DEBUG_TLS 2756| | printf("Server TLS [EllipticCurveFormat: len=%u]\n", extension_len); 2757| |#endif 2758| 830| if((s_offset+extension_len-1) <= total_len) { ------------------ | Branch (2758:7): [True: 830, False: 0] ------------------ 2759| 3.25k| for(i=0; ipayload_packet_len; i++) { ------------------ | Branch (2759:15): [True: 2.42k, False: 830] | Branch (2759:36): [True: 2.42k, False: 0] ------------------ 2760| 2.42k| u_int8_t s_group = packet->payload[s_offset+i]; 2761| | 2762| |#ifdef DEBUG_TLS 2763| | printf("Server TLS [EllipticCurveFormat: %u]\n", s_group); 2764| |#endif 2765| | 2766| 2.42k| if(ja.server.num_elliptic_curve_point_format < MAX_NUM_JA) ------------------ | | 396| 2.42k|#define MAX_NUM_JA 128 ------------------ | Branch (2766:11): [True: 2.42k, False: 0] ------------------ 2767| 2.42k| ja.server.elliptic_curve_point_format[ja.server.num_elliptic_curve_point_format++] = s_group; 2768| 0| else { 2769| 0| invalid_ja = 1; 2770| |#ifdef DEBUG_TLS 2771| | printf("Server TLS Invalid num elliptic %u\n", ja.server.num_elliptic_curve_point_format); 2772| |#endif 2773| 0| } 2774| 2.42k| } 
2775| 830| } else { 2776| 0| invalid_ja = 1; 2777| |#ifdef DEBUG_TLS 2778| | printf("Server TLS Invalid len %u vs %u\n", s_offset+extension_len, total_len); 2779| |#endif 2780| 0| } 2781| 830| } 2782| | 2783| 5.42k| i += 4 + extension_len, offset += 4 + extension_len; 2784| 5.42k| } /* for */ 2785| | 2786| | /* If the CH is not available and if "supported_versions" extension is not present in the SH 2787| | (i.e. (D)TLS <= 1.2), use the version field present in the record layer */ 2788| 1.60k| if(flow->protos.tls_quic.ssl_version == 0) ------------------ | Branch (2788:10): [True: 562, False: 1.04k] ------------------ 2789| 562| flow->protos.tls_quic.ssl_version = tls_version; 2790| | 2791| 1.60k| if(ndpi_struct->cfg.ndpi_server_fingerprint_enabled ------------------ | Branch (2791:10): [True: 1.60k, False: 0] ------------------ 2792| 1.60k| && (flow->ndpi.server_fingerprint == NULL)) ------------------ | Branch (2792:6): [True: 1.60k, False: 3] ------------------ 2793| 1.60k| ndpi_compute_tls_server_fingerprint(flow, is_dtls, quic_version, s); 2794| | 2795| 1.60k| if(ndpi_struct->cfg.tls_ja3s_fingerprint_enabled) { ------------------ | Branch (2795:10): [True: 1.60k, False: 0] ------------------ 2796| 1.60k| u_int16_t ja_str_len; 2797| 1.60k| char ja_str[JA_STR_LEN]; 2798| 1.60k| ndpi_MD5_CTX ctx; 2799| 1.60k| u_char md5_hash[16]; 2800| | 2801| 1.60k| ja_str_len = ndpi_snprintf(ja_str, JA_STR_LEN, "%u,", ja.server.tls_handshake_version); ------------------ | | 59| 1.60k|#define JA_STR_LEN 1024 ------------------ 2802| | 2803| 3.21k| for(i=0; (i ja_str_len); i++) { ------------------ | | 59| 1.60k|#define JA_STR_LEN 1024 ------------------ | Branch (2803:18): [True: 1.60k, False: 1.60k] | Branch (2803:47): [True: 1.60k, False: 0] ------------------ 2804| 1.60k| rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u", (i > 0) ? 
"-" : "", ja.server.cipher[i]); ------------------ | | 59| 1.60k|#define JA_STR_LEN 1024 ------------------ | Branch (2804:75): [True: 0, False: 1.60k] ------------------ 2805| | 2806| 1.60k| if(rc <= 0) break; else ja_str_len += rc; ------------------ | Branch (2806:7): [True: 0, False: 1.60k] ------------------ 2807| 1.60k| } 2808| | 2809| 1.60k| if(JA_STR_LEN > ja_str_len) { ------------------ | | 59| 1.60k|#define JA_STR_LEN 1024 ------------------ | Branch (2809:12): [True: 1.60k, False: 0] ------------------ 2810| 1.60k| rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, ","); ------------------ | | 59| 1.60k|#define JA_STR_LEN 1024 ------------------ 2811| 1.60k| if(rc > 0 && ja_str_len + rc < JA_STR_LEN) ja_str_len += rc; ------------------ | | 59| 1.60k|#define JA_STR_LEN 1024 ------------------ | Branch (2811:7): [True: 1.60k, False: 0] | Branch (2811:17): [True: 1.60k, False: 0] ------------------ 2812| 1.60k| } 2813| | 2814| | /* ********** */ 2815| | 2816| 6.74k| for(i=0; (i ja_str_len); i++) { ------------------ | | 59| 5.13k|#define JA_STR_LEN 1024 ------------------ | Branch (2816:18): [True: 5.13k, False: 1.60k] | Branch (2816:54): [True: 5.13k, False: 0] ------------------ 2817| 5.13k| int rc = ndpi_snprintf(&ja_str[ja_str_len], JA_STR_LEN-ja_str_len, "%s%u", (i > 0) ? 
"-" : "", ja.server.tls_extension[i]); ------------------ | | 59| 5.13k|#define JA_STR_LEN 1024 ------------------ | Branch (2817:79): [True: 3.64k, False: 1.49k] ------------------ 2818| | 2819| 5.13k| if(rc <= 0) break; else ja_str_len += rc; ------------------ | Branch (2819:7): [True: 0, False: 5.13k] ------------------ 2820| 5.13k| } 2821| | 2822| |#ifdef DEBUG_TLS 2823| | printf("[JA3] Server: %s \n", ja_str); 2824| |#endif 2825| | 2826| 1.60k| ndpi_MD5Init(&ctx); 2827| 1.60k| ndpi_MD5Update(&ctx, (const unsigned char *)ja_str, strlen(ja_str)); 2828| 1.60k| ndpi_MD5Final(md5_hash, &ctx); 2829| | 2830| 27.3k| for(i=0, j=0; i<16; i++) { ------------------ | Branch (2830:23): [True: 25.7k, False: 1.60k] ------------------ 2831| 25.7k| int rc = ndpi_snprintf(&flow->protos.tls_quic.ja3_server[j], 2832| 25.7k| sizeof(flow->protos.tls_quic.ja3_server)-j, "%02x", md5_hash[i]); 2833| 25.7k| if(rc <= 0) break; else j += rc; ------------------ | Branch (2833:7): [True: 0, False: 25.7k] ------------------ 2834| 25.7k| } 2835| | 2836| |#ifdef DEBUG_TLS 2837| | printf("[JA3] Server: %s \n", flow->protos.tls_quic.ja3_server); 2838| |#endif 2839| | 2840| 1.60k| if(ndpi_struct->cfg.tls_ja_data_enabled) { ------------------ | Branch (2840:5): [True: 0, False: 1.60k] ------------------ 2841| 0| if(flow->protos.tls_quic.ja_server == NULL) { ------------------ | Branch (2841:7): [True: 0, False: 0] ------------------ 2842| 0| flow->protos.tls_quic.ja_server = ndpi_malloc(sizeof(ndpi_tls_server_info)); 2843| | 2844| 0| if(flow->protos.tls_quic.ja_server != NULL) ------------------ | Branch (2844:9): [True: 0, False: 0] ------------------ 2845| 0| memcpy(flow->protos.tls_quic.ja_server, &ja.server, sizeof(ndpi_tls_server_info)); 2846| 0| } 2847| 0| } 2848| 1.60k| } 2849| 2.91k| } else if(handshake_type == 0x01 /* Client Hello */) { ------------------ | Branch (2849:15): [True: 2.91k, False: 0] ------------------ 2850| 2.91k| u_int16_t cipher_len, cipher_offset; 2851| 2.91k| 
u_int8_t cookie_len = 0; 2852| | 2853| 2.91k| memset(&ja.client, 0, sizeof(ja.client)); 2854| 2.91k| ja.client.alpn_original_last = '0'; /* Initialize to '0' if no ALPN */ 2855| | 2856| 2.91k| flow->protos.tls_quic.ssl_version = ja.client.tls_handshake_version = tls_version; 2857| 2.91k| if(flow->protos.tls_quic.ssl_version < 0x0303) /* < TLSv1.2 */ { ------------------ | Branch (2857:10): [True: 1.07k, False: 1.84k] ------------------ 2858| 1.07k| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_OBSOLETE_VERSION)) { ------------------ | Branch (2858:12): [True: 1.07k, False: 0] ------------------ 2859| 1.07k| char str[32], buf[32]; 2860| 1.07k| u_int8_t unknown_tls_version; 2861| | 2862| 1.07k| snprintf(str, sizeof(str), "%s", ndpi_ssl_version2str(buf, sizeof(buf), 2863| 1.07k| flow->protos.tls_quic.ssl_version, 2864| 1.07k| &unknown_tls_version)); 2865| 1.07k| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, str); 2866| 1.07k| } else { 2867| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_OBSOLETE_VERSION, NULL); 2868| 0| } 2869| 1.07k| } 2870| | 2871| 2.91k| if((session_id_len+base_offset+3) > packet->payload_packet_len) ------------------ | Branch (2871:10): [True: 17, False: 2.89k] ------------------ 2872| 17| return(0); /* Not found */ 2873| | 2874| 2.89k| if(!is_dtls) { ------------------ | Branch (2874:10): [True: 2.89k, False: 0] ------------------ 2875| 2.89k| cipher_len = packet->payload[session_id_len+base_offset+2] + (packet->payload[session_id_len+base_offset+1] << 8); 2876| 2.89k| cipher_offset = base_offset + session_id_len + 3; 2877| 2.89k| } else { 2878| 0| cookie_len = packet->payload[base_offset+session_id_len+1]; 2879| |#ifdef DEBUG_TLS 2880| | printf("[JA3] Client: DTLS cookie len %d\n", cookie_len); 2881| |#endif 2882| 0| if((session_id_len+base_offset+cookie_len+4) > packet->payload_packet_len) ------------------ | Branch (2882:5): [True: 0, False: 0] ------------------ 2883| 0| return(0); /* Not found */ 2884| 0| cipher_len = 
ntohs(*((u_int16_t*)&packet->payload[base_offset+session_id_len+cookie_len+2])); 2885| 0| cipher_offset = base_offset + session_id_len + cookie_len + 4; 2886| 0| } 2887| | 2888| |#ifdef DEBUG_TLS 2889| | printf("Client TLS [client cipher_len: %u][tls_version: 0x%04X]\n", cipher_len, tls_version); 2890| |#endif 2891| | 2892| 2.89k| if((cipher_offset+cipher_len) <= total_len - 1) { /* -1 because variable "id" is a u_int16_t */ ------------------ | Branch (2892:10): [True: 2.84k, False: 51] ------------------ 2893| 2.84k| u_int8_t safari_ciphers = 0, chrome_ciphers = 0, this_is_not_safari = 0, looks_like_safari_on_big_sur = 0; 2894| | 2895| 151k| for(i=0; ipayload[cipher_offset+i]; 2897| 148k| u_int16_t cipher_id = ntohs(*id); 2898| | 2899| 148k| if(cipher_offset+i+1 < packet->payload_packet_len && ------------------ | Branch (2899:7): [True: 148k, False: 0] ------------------ 2900| 148k| ((packet->payload[cipher_offset+i] != packet->payload[cipher_offset+i+1]) || ------------------ | Branch (2900:8): [True: 147k, False: 1.11k] ------------------ 2901| 148k| ((packet->payload[cipher_offset+i] & 0xF) != 0xA)) /* Skip GREASE */) { ------------------ | Branch (2901:8): [True: 976, False: 136] ------------------ 2902| | /* 2903| | Skip GREASE [https://datatracker.ietf.org/doc/html/rfc8701] 2904| | https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967 2905| | */ 2906| | 2907| |#if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC) 2908| | printf("Client TLS [non-GREASE cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len); 2909| |#endif 2910| | 2911| 148k| if(ja.client.num_ciphers < MAX_NUM_JA) ------------------ | | 396| 148k|#define MAX_NUM_JA 128 ------------------ | Branch (2911:9): [True: 148k, False: 198] ------------------ 2912| 148k| ja.client.cipher[ja.client.num_ciphers++] = cipher_id; 2913| 198| else { 2914| 198| invalid_ja = 1; 2915| |#ifdef DEBUG_TLS 2916| | printf("Client TLS Invalid cipher %u\n", 
ja.client.num_ciphers); 2917| |#endif 2918| 198| } 2919| | 2920| |#if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC) 2921| | printf("Client TLS [cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len); 2922| |#endif 2923| | 2924| 148k| switch(cipher_id) { ------------------ | Branch (2924:13): [True: 22.5k, False: 126k] ------------------ 2925| 1.72k| case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: ------------------ | | 223| 1.72k|#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B ------------------ | Branch (2925:6): [True: 1.72k, False: 146k] ------------------ 2926| 3.45k| case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: ------------------ | | 224| 3.45k|#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C ------------------ | Branch (2926:6): [True: 1.73k, False: 146k] ------------------ 2927| 3.45k| safari_ciphers++; 2928| 3.45k| break; 2929| | 2930| 39| case TLS_AES_128_GCM_SHA256: ------------------ | | 359| 39|#define TLS_AES_128_GCM_SHA256 0x1301 ------------------ | Branch (2930:6): [True: 39, False: 148k] ------------------ 2931| 78| case TLS_AES_256_GCM_SHA384: ------------------ | | 360| 78|#define TLS_AES_256_GCM_SHA384 0x1302 ------------------ | Branch (2931:6): [True: 39, False: 148k] ------------------ 2932| 109| case TLS_CHACHA20_POLY1305_SHA256: ------------------ | | 363| 109|#define TLS_CHACHA20_POLY1305_SHA256 0x1303 ------------------ | Branch (2932:6): [True: 31, False: 148k] ------------------ 2933| 109| chrome_ciphers++; 2934| 109| break; 2935| | 2936| 83| case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: ------------------ | | 237| 83|#define TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 ------------------ | Branch (2936:6): [True: 83, False: 148k] ------------------ 2937| 1.81k| case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: ------------------ | | 189| 1.81k|#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 ------------------ | Branch (2937:6): [True: 1.73k, False: 146k] ------------------ 2938| 3.53k| case 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: ------------------ | | 188| 3.53k|#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F ------------------ | Branch (2938:6): [True: 1.72k, False: 146k] ------------------ 2939| 3.61k| case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: ------------------ | | 198| 3.61k|#define TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 ------------------ | Branch (2939:6): [True: 76, False: 148k] ------------------ 2940| 6.35k| case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: ------------------ | | 184| 6.35k|#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 ------------------ | Branch (2940:6): [True: 2.73k, False: 145k] ------------------ 2941| 9.11k| case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: ------------------ | | 185| 9.11k|#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 ------------------ | Branch (2941:6): [True: 2.76k, False: 145k] ------------------ 2942| 11.8k| case TLS_RSA_WITH_AES_128_CBC_SHA: ------------------ | | 36| 11.8k|#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F ------------------ | Branch (2942:6): [True: 2.71k, False: 145k] ------------------ 2943| 14.5k| case TLS_RSA_WITH_AES_256_CBC_SHA: ------------------ | | 37| 14.5k|#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 ------------------ | Branch (2943:6): [True: 2.75k, False: 145k] ------------------ 2944| 16.2k| case TLS_RSA_WITH_AES_128_GCM_SHA256: ------------------ | | 40| 16.2k|#define TLS_RSA_WITH_AES_128_GCM_SHA256 0x009C ------------------ | Branch (2944:6): [True: 1.65k, False: 147k] ------------------ 2945| 17.9k| case TLS_RSA_WITH_AES_256_GCM_SHA384: ------------------ | | 41| 17.9k|#define TLS_RSA_WITH_AES_256_GCM_SHA384 0x009D ------------------ | Branch (2945:6): [True: 1.68k, False: 147k] ------------------ 2946| 17.9k| safari_ciphers++, chrome_ciphers++; 2947| 17.9k| break; 2948| | 2949| 1.07k| case TLS_RSA_WITH_3DES_EDE_CBC_SHA: ------------------ | | 35| 1.07k|#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000A ------------------ | Branch (2949:6): [True: 1.07k, 
False: 147k] ------------------ 2950| 1.07k| looks_like_safari_on_big_sur = 1; 2951| 1.07k| break; 2952| 148k| } 2953| 148k| } else { 2954| |#if defined(DEBUG_TLS) || defined(DEBUG_HEURISTIC) 2955| | printf("Client TLS [GREASE cipher suite: %u/0x%04X] [%d/%u]\n", cipher_id, cipher_id, i, cipher_len); 2956| |#endif 2957| | 2958| 136| this_is_not_safari = 1; /* NOTE: BugSur and up have grease support */ 2959| 136| } 2960| | 2961| 148k| i += 2; 2962| 148k| } /* for */ 2963| | 2964| 2.84k| if(ndpi_struct->cfg.tls_browser_enabled) { ------------------ | Branch (2964:5): [True: 2.84k, False: 0] ------------------ 2965| | /* NOTE: 2966| | we do not check for duplicates as with signatures because 2967| | this is time consuming and we want to avoid overhead whem possible 2968| | */ 2969| 2.84k| if(this_is_not_safari) ------------------ | Branch (2969:14): [True: 8, False: 2.83k] ------------------ 2970| 8| flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0; 2971| 2.83k| else if((safari_ciphers == 12) || (this_is_not_safari && looks_like_safari_on_big_sur)) ------------------ | Branch (2971:19): [True: 37, False: 2.80k] | Branch (2971:46): [True: 0, False: 2.80k] | Branch (2971:68): [True: 0, False: 0] ------------------ 2972| 37| flow->protos.tls_quic.browser_heuristics.is_safari_tls = 1; 2973| | 2974| 2.84k| if(chrome_ciphers == 13) ------------------ | Branch (2974:14): [True: 14, False: 2.83k] ------------------ 2975| 14| flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 1; 2976| | 2977| | /* Note that both Safari and Chrome can overlap */ 2978| |#ifdef DEBUG_HEURISTIC 2979| | printf("[CIPHERS] [is_chrome_tls: %u (%u)][is_safari_tls: %u (%u)][this_is_not_safari: %u]\n", 2980| | flow->protos.tls_quic.browser_heuristics.is_chrome_tls, 2981| | chrome_ciphers, 2982| | flow->protos.tls_quic.browser_heuristics.is_safari_tls, 2983| | safari_ciphers, 2984| | this_is_not_safari); 2985| |#endif 2986| 2.84k| } 2987| 2.84k| } else { 2988| 51| invalid_ja = 1; 2989| 
|#ifdef DEBUG_TLS 2990| | printf("Client TLS Invalid len %u vs %u\n", (cipher_offset+cipher_len), total_len); 2991| |#endif 2992| 51| } 2993| | 2994| 2.89k| offset = base_offset + session_id_len + cookie_len + cipher_len + 2; 2995| 2.89k| offset += (!is_dtls) ? 1 : 2; ------------------ | Branch (2995:17): [True: 2.89k, False: 0] ------------------ 2996| | 2997| 2.89k| if(offset < total_len) { ------------------ | Branch (2997:10): [True: 2.84k, False: 50] ------------------ 2998| 2.84k| u_int16_t compression_len; 2999| 2.84k| u_int16_t extensions_len; 3000| | 3001| 2.84k| compression_len = packet->payload[offset]; 3002| 2.84k| offset++; 3003| | 3004| |#ifdef DEBUG_TLS 3005| | printf("Client TLS [compression_len: %u]\n", compression_len); 3006| |#endif 3007| | 3008| | // offset += compression_len + 3; 3009| 2.84k| offset += compression_len; 3010| | 3011| 2.84k| if(offset+1 < total_len) { ------------------ | Branch (3011:5): [True: 2.79k, False: 52] ------------------ 3012| 2.79k| extensions_len = ntohs(*((u_int16_t*)&packet->payload[offset])); 3013| 2.79k| offset += 2; 3014| | 3015| |#ifdef DEBUG_TLS 3016| | printf("Client TLS [extensions_len: %u]\n", extensions_len); 3017| |#endif 3018| | 3019| 2.79k| if((extensions_len+offset) <= total_len) { ------------------ | Branch (3019:7): [True: 2.71k, False: 78] ------------------ 3020| | /* Move to the first extension 3021| | Type is u_int to avoid possible overflow on extension_len addition */ 3022| 2.71k| u_int extension_offset = 0; 3023| | 3024| 24.3k| while(extension_offset < extensions_len && ------------------ | Branch (3024:12): [True: 22.3k, False: 1.97k] ------------------ 3025| 22.3k| offset+extension_offset+4 <= total_len) { ------------------ | Branch (3025:5): [True: 22.2k, False: 88] ------------------ 3026| 22.2k| u_int16_t extension_id, extension_len, extn_off = offset+extension_offset; 3027| | 3028| 22.2k| extension_id = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); 3029| 22.2k| 
extension_offset += 2; 3030| | 3031| 22.2k| extension_len = ntohs(*((u_int16_t*)&packet->payload[offset+extension_offset])); 3032| 22.2k| extension_offset += 2; 3033| | 3034| |#ifdef DEBUG_TLS 3035| | printf("Client TLS [extension_id: %u][extension_len: %u]\n", extension_id, extension_len); 3036| |#endif 3037| 22.2k| checkExtensions(ndpi_struct, flow, is_dtls, 3038| 22.2k| extension_id, extension_len, offset + extension_offset); 3039| | 3040| 22.2k| if(offset + 4 + extension_len > total_len) { ------------------ | Branch (3040:11): [True: 653, False: 21.5k] ------------------ 3041| |#ifdef DEBUG_TLS 3042| | printf("[TLS] extension length %u too long (%u, offset %u)\n", 3043| | extension_len, total_len, offset); 3044| |#endif 3045| 653| break; 3046| 653| } 3047| | 3048| 21.5k| if((extension_id == 0) || (packet->payload[extn_off] != packet->payload[extn_off+1]) || ------------------ | Branch (3048:11): [True: 5.86k, False: 15.7k] | Branch (3048:34): [True: 15.7k, False: 17] ------------------ 3049| 21.5k| ((packet->payload[extn_off] & 0xF) != 0xA)) { ------------------ | Branch (3049:4): [True: 16, False: 1] ------------------ 3050| | /* Skip GREASE */ 3051| | 3052| 21.5k| if(ja.client.num_tls_extensions < MAX_NUM_JA) { ------------------ | | 396| 21.5k|#define MAX_NUM_JA 128 ------------------ | Branch (3052:6): [True: 21.5k, False: 0] ------------------ 3053| 21.5k| if(((extension_id == 0xFE0D /* ECHO */) || skipTLSextension(ndpi_struct, extension_id)) ------------------ | Branch (3053:9): [True: 0, False: 21.5k] | Branch (3053:48): [True: 0, False: 21.5k] ------------------ 3054| 0| && (flow->l4_proto == IPPROTO_TCP) ------------------ | Branch (3054:11): [True: 0, False: 0] ------------------ 3055| 0| && (ndpi_struct->cfg.tls_max_num_blocks_to_analyze > 0) ------------------ | Branch (3055:11): [True: 0, False: 0] ------------------ 3056| 0| && (flow->l4.tcp.tls.tls_blocks != NULL) ------------------ | Branch (3056:11): [True: 0, False: 0] ------------------ 
3057| 0| && (flow->l4.tcp.tls.num_tls_blocks > 0) /* It should always be like that */) { ------------------ | Branch (3057:11): [True: 0, False: 0] ------------------ 3058| | /* 3059| | Taking EncryptedClientHello (ECHO) lenght out of the block lenght 3060| | allows us to have a consistent measurement regardless of the SNI being used 3061| | and other information put in ECHO across requests 3062| | */ 3063| 0| if(extension_id == 0x0 /* SNI */) ------------------ | Branch (3063:10): [True: 0, False: 0] ------------------ 3064| 0| ; /* Nothing to do as already handled by (***) */ 3065| 0| else 3066| 0| flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks-1].len -= extension_len + 4 /* id + len */; 3067| 0| } 3068| | 3069| 21.5k| ja.client.tls_extension[ja.client.num_tls_extensions++] = extension_id; 3070| 21.5k| } else { 3071| 0| invalid_ja = 1; 3072| |#ifdef DEBUG_TLS 3073| | printf("Client TLS Invalid extensions %u\n", ja.client.num_tls_extensions); 3074| |#endif 3075| 0| } 3076| 21.5k| } 3077| | 3078| 21.5k| if(extension_id == 0 /* server name */) { ------------------ | Branch (3078:11): [True: 5.86k, False: 15.7k] ------------------ 3079| 5.86k| u_int16_t len; 3080| 5.86k| bool sni_numeric = false; 3081| | 3082| |#ifdef DEBUG_TLS 3083| | printf("[TLS] Extensions: found server name\n"); 3084| |#endif 3085| 5.86k| if((offset+extension_offset+4) < packet->payload_packet_len) { ------------------ | Branch (3085:6): [True: 5.76k, False: 107] ------------------ 3086| 5.76k| len = (packet->payload[offset+extension_offset+3] << 8) + packet->payload[offset+extension_offset+4]; 3087| | 3088| 5.76k| if((offset+extension_offset+5+len) <= packet->payload_packet_len) { ------------------ | Branch (3088:8): [True: 5.67k, False: 87] ------------------ 3089| 5.67k| char *sni = ndpi_hostname_sni_set(flow, &packet->payload[offset+extension_offset+5], len, NDPI_HOSTNAME_NORM_ALL); ------------------ | | 516| 5.67k|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | 
NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 5.67k|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 5.67k|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 5.67k|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 3090| 5.67k| int sni_len = strlen(sni); 3091| |#ifdef DEBUG_TLS 3092| | printf("[TLS] SNI: [%s]\n", sni); 3093| |#endif 3094| 5.67k| if(sni /* It should always be like that */ ------------------ | Branch (3094:10): [True: 5.67k, False: 0] ------------------ 3095| 5.67k| && (flow->l4_proto == IPPROTO_TCP) ------------------ | Branch (3095:13): [True: 5.67k, False: 0] ------------------ 3096| 5.67k| && (ndpi_struct->cfg.tls_max_num_blocks_to_analyze > 0) ------------------ | Branch (3096:13): [True: 0, False: 5.67k] ------------------ 3097| 0| && (flow->l4.tcp.tls.tls_blocks != NULL) ------------------ | Branch (3097:13): [True: 0, False: 0] ------------------ 3098| 0| && (flow->l4.tcp.tls.num_tls_blocks > 0) /* It should always be like that */ ------------------ | Branch (3098:13): [True: 0, False: 0] ------------------ 3099| 5.67k| ) { 3100| | /* 3101| | Taking SNI lenght out of the block lenght allows us to have a consistent 3102| | measurement regardless of the SNI being used 3103| | */ 3104| 0| if(ndpi_struct->cfg.tls_ndpifp_ignore_sni_extension) ------------------ | Branch (3104:12): [True: 0, False: 0] ------------------ 3105| 0| flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks-1].len -= extension_len + 4 /* id + len */; 3106| 0| else 3107| 0| flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks-1].len -= sni_len; 
/* (***) */ 3108| 0| } 3109| | 3110| 5.67k| if(ndpi_is_valid_hostname((char *)&packet->payload[offset+extension_offset+5], len) == 0) { ------------------ | Branch (3110:10): [True: 3.52k, False: 2.15k] ------------------ 3111| 3.52k| ndpi_set_risk(ndpi_struct, flow, NDPI_INVALID_CHARACTERS, sni); 3112| | 3113| | /* This looks like an attack */ 3114| 3.52k| ndpi_set_risk(ndpi_struct, flow, NDPI_POSSIBLE_EXPLOIT, "Invalid chars found in SNI: exploit or misconfiguration?"); 3115| 3.52k| } 3116| | 3117| 5.67k| if(!is_quic) { ------------------ | Branch (3117:10): [True: 5.67k, False: 0] ------------------ 3118| 5.67k| if(ndpi_struct->cfg.tls_subclassification_enabled && ------------------ | Branch (3118:12): [True: 5.67k, False: 0] ------------------ 3119| 5.67k| flow->protos.tls_quic.subprotocol_detected == 0 && ------------------ | Branch (3119:12): [True: 5.56k, False: 107] ------------------ 3120| 5.56k| !flow->tls_quic.from_rdp && /* No (other) sub-classification; we will have TLS.RDP anyway */ ------------------ | Branch (3120:12): [True: 5.56k, False: 0] ------------------ 3121| 5.56k| ndpi_match_hostname_protocol(ndpi_struct, flow, ndpi_get_master_proto(ndpi_struct, flow), sni, sni_len)) ------------------ | Branch (3121:12): [True: 77, False: 5.49k] ------------------ 3122| 77| flow->protos.tls_quic.subprotocol_detected = 1; 3123| 5.67k| } else { 3124| 0| if(ndpi_struct->cfg.quic_subclassification_enabled && ------------------ | Branch (3124:12): [True: 0, False: 0] ------------------ 3125| 0| flow->protos.tls_quic.subprotocol_detected == 0 && ------------------ | Branch (3125:12): [True: 0, False: 0] ------------------ 3126| 0| !flow->tls_quic.from_rdp && /* No (other) sub-classification; we will have TLS.RDP anyway */ ------------------ | Branch (3126:12): [True: 0, False: 0] ------------------ 3127| 0| ndpi_match_hostname_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, sni, sni_len)) ------------------ | Branch (3127:12): [True: 0, False: 0] 
------------------ 3128| 0| flow->protos.tls_quic.subprotocol_detected = 1; 3129| 0| } 3130| | 3131| 5.67k| if((flow->protos.tls_quic.subprotocol_detected == 0) ------------------ | Branch (3131:10): [True: 5.49k, False: 184] ------------------ 3132| 5.49k| && (ndpi_check_is_numeric_ip(sni) == 1)) { ------------------ | Branch (3132:13): [True: 0, False: 5.49k] ------------------ 3133| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST, sni); 3134| 0| sni_numeric = true; 3135| 0| } 3136| | 3137| 5.67k| if(ndpi_str_endswith(sni, "signal.org")) { ------------------ | Branch (3137:10): [True: 22, False: 5.65k] ------------------ 3138| | /* printf("[SIGNAL] SNI: [%s]\n", sni); */ 3139| 22| signal_add_to_cache(ndpi_struct, flow); 3140| 22| } 3141| | 3142| 5.67k| if(ndpi_check_dga_name(ndpi_struct, flow, sni, 1, 0, 0)) { ------------------ | Branch (3142:10): [True: 274, False: 5.40k] ------------------ 3143| |#ifdef DEBUG_TLS 3144| | printf("[TLS] SNI: (DGA) [%s]\n", sni); 3145| |#endif 3146| | 3147| 274| if((sni_len >= 4) ------------------ | Branch (3147:12): [True: 274, False: 0] ------------------ 3148| | /* Check if it ends in .com or .net */ 3149| 274| && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0)) ------------------ | Branch (3149:16): [True: 33, False: 241] | Branch (3149:58): [True: 0, False: 241] ------------------ 3150| 33| && (strncmp(sni, "www.", 4) == 0)) /* Starting with www.... 
*/ ------------------ | Branch (3150:15): [True: 24, False: 9] ------------------ 3151| 24| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, ndpi_get_master_proto(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); 3152| 5.40k| } else { 3153| |#ifdef DEBUG_TLS 3154| | printf("[TLS] SNI: (NO DGA) [%s]\n", sni); 3155| |#endif 3156| 5.40k| } 3157| | 3158| 5.67k| if(ndpi_struct->cfg.hostname_dns_check_enabled && (!sni_numeric)) { ------------------ | Branch (3158:10): [True: 0, False: 5.67k] | Branch (3158:57): [True: 0, False: 0] ------------------ 3159| 0| ndpi_ip_addr_t ip_addr; 3160| | 3161| 0| memset(&ip_addr, 0, sizeof(ip_addr)); 3162| | 3163| 0| if(packet->iph) ------------------ | Branch (3163:12): [True: 0, False: 0] ------------------ 3164| 0| ip_addr.ipv4 = packet->iph->daddr; 3165| 0| else 3166| 0| memcpy(&ip_addr.ipv6, &packet->iphv6->ip6_dst, 3167| 0| sizeof(struct ndpi_in6_addr)); 3168| | 3169| 0| if(!ndpi_cache_find_hostname_ip(ndpi_struct, &ip_addr, sni)) { ------------------ | Branch (3169:12): [True: 0, False: 0] ------------------ 3170| |#ifdef DEBUG_TLS 3171| | printf("[TLS] Not found SNI %s\n", sni); 3172| |#endif 3173| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_UNRESOLVED_HOSTNAME, sni); 3174| | 3175| 0| } else { 3176| |#ifdef DEBUG_TLS 3177| | printf("[TLS] Found SNI %s\n", sni); 3178| |#endif 3179| 0| } 3180| 0| } 3181| 5.67k| } else { 3182| |#ifdef DEBUG_TLS 3183| | printf("[TLS] Extensions server len too short: %u vs %u\n", 3184| | offset+extension_offset+5+len, 3185| | packet->payload_packet_len); 3186| |#endif 3187| 87| } 3188| 5.76k| } 3189| 15.7k| } else if(extension_id == 10 /* supported groups */) { ------------------ | Branch (3189:18): [True: 2.05k, False: 13.6k] ------------------ 3190| 2.05k| u_int16_t s_offset = offset+extension_offset + 2; 3191| | 3192| |#ifdef DEBUG_TLS 3193| | printf("Client TLS [EllipticCurveGroups: len=%u]\n", extension_len); 3194| |#endif 3195| | 3196| 2.05k| if((s_offset+extension_len-2) <= total_len) { 
------------------ | Branch (3196:6): [True: 2.03k, False: 13] ------------------ 3197| 25.7k| for(i=0; i<(u_int32_t)extension_len-2 && s_offset + i + 1 < total_len; i += 2) { ------------------ | Branch (3197:14): [True: 23.7k, False: 2.00k] | Branch (3197:46): [True: 23.6k, False: 32] ------------------ 3198| 23.6k| u_int16_t s_group = ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); 3199| | 3200| |#ifdef DEBUG_TLS 3201| | printf("Client TLS [EllipticCurve: %u/0x%04X]\n", s_group, s_group); 3202| |#endif 3203| | 3204| 23.6k| if((s_group == 0) || (packet->payload[s_offset+i] != packet->payload[s_offset+i+1]) ------------------ | Branch (3204:10): [True: 524, False: 23.1k] | Branch (3204:28): [True: 22.1k, False: 986] ------------------ 3205| 23.4k| || ((packet->payload[s_offset+i] & 0xF) != 0xA)) { ------------------ | Branch (3205:13): [True: 756, False: 230] ------------------ 3206| | /* Skip GREASE */ 3207| 23.4k| if(ja.client.num_elliptic_curve_groups < MAX_NUM_JA) ------------------ | | 396| 23.4k|#define MAX_NUM_JA 128 ------------------ | Branch (3207:12): [True: 22.5k, False: 910] ------------------ 3208| 22.5k| ja.client.elliptic_curve_group[ja.client.num_elliptic_curve_groups++] = s_group; 3209| 910| else { 3210| 910| invalid_ja = 1; 3211| |#ifdef DEBUG_TLS 3212| | printf("Client TLS Invalid num elliptic group %u\n", ja.client.num_elliptic_curve_groups); 3213| |#endif 3214| 910| } 3215| 23.4k| } 3216| 23.6k| } 3217| 2.03k| } else { 3218| 13| invalid_ja = 1; 3219| |#ifdef DEBUG_TLS 3220| | printf("Client TLS Invalid len %u vs %u\n", (s_offset+extension_len-1), total_len); 3221| |#endif 3222| 13| } 3223| 13.6k| } else if(extension_id == 11 /* ec_point_formats groups */) { ------------------ | Branch (3223:18): [True: 2.15k, False: 11.5k] ------------------ 3224| 2.15k| u_int16_t s_offset = offset+extension_offset + 1; 3225| | 3226| |#ifdef DEBUG_TLS 3227| | printf("Client TLS [EllipticCurveFormat: len=%u]\n", extension_len); 3228| |#endif 3229| 2.15k| 
if((s_offset+extension_len-1) <= total_len) { ------------------ | Branch (3229:6): [True: 2.15k, False: 3] ------------------ 3230| 16.8k| for(i=0; i<(u_int32_t)extension_len-1 && s_offset+i < total_len; i++) { ------------------ | Branch (3230:14): [True: 14.6k, False: 2.15k] | Branch (3230:46): [True: 14.6k, False: 3] ------------------ 3231| 14.6k| u_int8_t s_group = packet->payload[s_offset+i]; 3232| | 3233| |#ifdef DEBUG_TLS 3234| | printf("Client TLS [EllipticCurveFormat: %u]\n", s_group); 3235| |#endif 3236| | 3237| 14.6k| if(ja.client.num_elliptic_curve_point_format < MAX_NUM_JA) ------------------ | | 396| 14.6k|#define MAX_NUM_JA 128 ------------------ | Branch (3237:10): [True: 13.2k, False: 1.44k] ------------------ 3238| 13.2k| ja.client.elliptic_curve_point_format[ja.client.num_elliptic_curve_point_format++] = s_group; 3239| 1.44k| else { 3240| 1.44k| invalid_ja = 1; 3241| |#ifdef DEBUG_TLS 3242| | printf("Client TLS Invalid num elliptic %u\n", ja.client.num_elliptic_curve_point_format); 3243| |#endif 3244| 1.44k| } 3245| 14.6k| } 3246| 2.15k| } else { 3247| 3| invalid_ja = 1; 3248| |#ifdef DEBUG_TLS 3249| | printf("Client TLS Invalid len %u vs %u\n", s_offset+extension_len, total_len); 3250| |#endif 3251| 3| } 3252| 11.5k| } else if(extension_id == 13 /* signature algorithms */ && ------------------ | Branch (3252:18): [True: 1.19k, False: 10.3k] ------------------ 3253| 1.19k| offset+extension_offset+1 < total_len) { ------------------ | Branch (3253:18): [True: 1.19k, False: 0] ------------------ 3254| 1.19k| int s_offset = offset+extension_offset, safari_signature_algorithms = 0, id; 3255| 1.19k| u_int16_t tot_signature_algorithms_len = ntohs(*((u_int16_t*)&packet->payload[s_offset])); 3256| | 3257| |#ifdef DEBUG_TLS 3258| | printf("Client TLS [SIGNATURE_ALGORITHMS: block_len=%u/len=%u]\n", extension_len, tot_signature_algorithms_len); 3259| |#endif 3260| | 3261| 1.19k| s_offset += 2; 3262| 1.19k| tot_signature_algorithms_len = 
ndpi_min((sizeof(ja.client.signature_algorithms_str) / 2) - 1, tot_signature_algorithms_len); ------------------ | | 113| 1.19k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 20, False: 1.17k] | | ------------------ ------------------ 3263| | 3264| 19.8k| for(i=0, id=0; ipayload[s_offset+i]); 3266| | 3267| 1.19k| ja.client.num_signature_algorithms = id; 3268| | 3269| 38.4k| for(i=0, id=0; ipayload[s_offset+i]); 3273| 37.2k| if(rc < 0) break; ------------------ | Branch (3273:8): [True: 0, False: 37.2k] ------------------ 3274| 37.2k| } 3275| | 3276| 1.19k| if(ndpi_struct->cfg.tls_browser_enabled) { ------------------ | Branch (3276:6): [True: 1.19k, False: 0] ------------------ 3277| 1.19k| int chrome_signature_algorithms = 0, duplicate_found = 0, last_signature = 0; 3278| | 3279| 19.8k| for(i=0; ipayload_packet_len; i+=2) { ------------------ | Branch (3279:28): [True: 18.6k, False: 1.18k] | Branch (3279:62): [True: 18.6k, False: 15] ------------------ 3280| 18.6k| u_int16_t signature_algo = (u_int16_t)ntohs(*((u_int16_t*)&packet->payload[s_offset+i])); 3281| | 3282| 18.6k| if(last_signature == signature_algo) { ------------------ | Branch (3282:24): [True: 19, False: 18.6k] ------------------ 3283| | /* Consecutive duplication */ 3284| 19| duplicate_found = 1; 3285| 19| continue; 3286| 18.6k| } else { 3287| | /* Check for other duplications */ 3288| 18.6k| u_int all_ok = 1; 3289| | 3290| 350k| for(j=0; jpayload_packet_len) { ------------------ | Branch (3291:28): [True: 314k, False: 18.6k] | Branch (3291:38): [True: 307k, False: 6.67k] ------------------ 3292| 307k| u_int16_t j_signature_algo = (u_int16_t)ntohs(*((u_int16_t*)&packet->payload[s_offset+j])); 3293| | 3294| 307k| if((signature_algo == j_signature_algo) ------------------ | Branch (3294:30): [True: 11.2k, False: 296k] ------------------ 3295| 11.2k| && (i < j) /* Don't skip both of them */) { ------------------ | Branch (3295:33): [True: 789, False: 10.4k] 
------------------ 3296| |#ifdef DEBUG_HEURISTIC 3297| | printf("[SIGNATURE] [TLS Signature Algorithm] Skipping duplicate 0x%04X\n", signature_algo); 3298| |#endif 3299| | 3300| 789| duplicate_found = 1, all_ok = 0; 3301| 789| break; 3302| 789| } 3303| 307k| } 3304| 333k| } 3305| | 3306| 18.6k| if(!all_ok) ------------------ | Branch (3306:26): [True: 789, False: 17.8k] ------------------ 3307| 789| continue; 3308| 18.6k| } 3309| | 3310| 17.8k| last_signature = signature_algo; 3311| | 3312| |#ifdef DEBUG_HEURISTIC 3313| | printf("[SIGNATURE] [TLS Signature Algorithm] 0x%04X\n", signature_algo); 3314| |#endif 3315| 17.8k| switch(signature_algo) { ------------------ | Branch (3315:28): [True: 6.97k, False: 10.8k] ------------------ 3316| 1.13k| case ECDSA_SECP521R1_SHA512: ------------------ | | 400| 1.13k|#define ECDSA_SECP521R1_SHA512 0x0603 ------------------ | Branch (3316:21): [True: 1.13k, False: 16.7k] ------------------ 3317| 1.13k| flow->protos.tls_quic.browser_heuristics.is_firefox_tls = 1; 3318| 1.13k| break; 3319| | 3320| 1.14k| case ECDSA_SECP256R1_SHA256: ------------------ | | 396| 1.14k|#define ECDSA_SECP256R1_SHA256 0x0403 ------------------ | Branch (3320:21): [True: 1.14k, False: 16.7k] ------------------ 3321| 2.28k| case ECDSA_SECP384R1_SHA384: ------------------ | | 398| 2.28k|#define ECDSA_SECP384R1_SHA384 0x0503 ------------------ | Branch (3321:21): [True: 1.14k, False: 16.7k] ------------------ 3322| 3.42k| case RSA_PKCS1_SHA256: ------------------ | | 395| 3.42k|#define RSA_PKCS1_SHA256 0x0401 ------------------ | Branch (3322:21): [True: 1.14k, False: 16.7k] ------------------ 3323| 4.56k| case RSA_PKCS1_SHA384: ------------------ | | 397| 4.56k|#define RSA_PKCS1_SHA384 0x0501 ------------------ | Branch (3323:21): [True: 1.14k, False: 16.7k] ------------------ 3324| 5.71k| case RSA_PKCS1_SHA512: ------------------ | | 399| 5.71k|#define RSA_PKCS1_SHA512 0x0601 ------------------ | Branch (3324:21): [True: 1.15k, False: 16.7k] 
------------------ 3325| 5.75k| case RSA_PSS_RSAE_SHA256: ------------------ | | 401| 5.75k|#define RSA_PSS_RSAE_SHA256 0x0804 ------------------ | Branch (3325:21): [True: 42, False: 17.8k] ------------------ 3326| 5.80k| case RSA_PSS_RSAE_SHA384: ------------------ | | 402| 5.80k|#define RSA_PSS_RSAE_SHA384 0x0805 ------------------ | Branch (3326:21): [True: 43, False: 17.8k] ------------------ 3327| 5.84k| case RSA_PSS_RSAE_SHA512: ------------------ | | 403| 5.84k|#define RSA_PSS_RSAE_SHA512 0x0806 ------------------ | Branch (3327:21): [True: 43, False: 17.8k] ------------------ 3328| 5.84k| chrome_signature_algorithms++, safari_signature_algorithms++; 3329| |#ifdef DEBUG_HEURISTIC 3330| | printf("[SIGNATURE] [Chrome/Safari] Found 0x%04X [chrome: %u][safari: %u]\n", 3331| | signature_algo, chrome_signature_algorithms, safari_signature_algorithms); 3332| |#endif 3333| | 3334| 5.84k| break; 3335| 17.8k| } 3336| 17.8k| } 3337| | 3338| |#ifdef DEBUG_HEURISTIC 3339| | printf("[SIGNATURE] [safari_signature_algorithms: %u][chrome_signature_algorithms: %u]\n", 3340| | safari_signature_algorithms, chrome_signature_algorithms); 3341| |#endif 3342| | 3343| 1.19k| if(flow->protos.tls_quic.browser_heuristics.is_firefox_tls) ------------------ | Branch (3343:22): [True: 1.13k, False: 62] ------------------ 3344| 1.13k| flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0, 3345| 1.13k| flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; 3346| | 3347| 1.19k| if(safari_signature_algorithms != 8) ------------------ | Branch (3347:22): [True: 1.15k, False: 42] ------------------ 3348| 1.15k| flow->protos.tls_quic.browser_heuristics.is_safari_tls = 0; 3349| | 3350| 1.19k| if((chrome_signature_algorithms != 8) || duplicate_found) ------------------ | Branch (3350:22): [True: 1.15k, False: 42] | Branch (3350:60): [True: 2, False: 40] ------------------ 3351| 1.15k| flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; 3352| | 3353| | /* Avoid Chrome and Safari 
overlaps, thing that cannot happen with Firefox */ 3354| 1.19k| if(flow->protos.tls_quic.browser_heuristics.is_safari_tls) ------------------ | Branch (3354:22): [True: 2, False: 1.19k] ------------------ 3355| 2| flow->protos.tls_quic.browser_heuristics.is_chrome_tls = 0; 3356| | 3357| 1.19k| if((flow->protos.tls_quic.browser_heuristics.is_chrome_tls == 0) ------------------ | Branch (3357:22): [True: 1.19k, False: 0] ------------------ 3358| 1.19k| && duplicate_found) ------------------ | Branch (3358:25): [True: 88, False: 1.10k] ------------------ 3359| 88| flow->protos.tls_quic.browser_heuristics.is_safari_tls = 1; /* Safari */ 3360| | 3361| |#ifdef DEBUG_HEURISTIC 3362| | printf("[SIGNATURE] [is_firefox_tls: %u][is_chrome_tls: %u][is_safari_tls: %u][duplicate_found: %u]\n", 3363| | flow->protos.tls_quic.browser_heuristics.is_firefox_tls, 3364| | flow->protos.tls_quic.browser_heuristics.is_chrome_tls, 3365| | flow->protos.tls_quic.browser_heuristics.is_safari_tls, 3366| | duplicate_found); 3367| |#endif 3368| 1.19k| } 3369| | 3370| 1.19k| if(i > 0 && i >= tot_signature_algorithms_len) { ------------------ | Branch (3370:6): [True: 1.19k, False: 1] | Branch (3370:15): [True: 1.18k, False: 15] ------------------ 3371| 1.18k| ja.client.signature_algorithms_str[i*2 - 1] = '\0'; 3372| 1.18k| } else { 3373| 16| ja.client.signature_algorithms_str[i*2] = '\0'; 3374| 16| } 3375| | 3376| |#ifdef DEBUG_TLS 3377| | printf("Client TLS [SIGNATURE_ALGORITHMS: %s]\n", ja.client.signature_algorithms_str); 3378| |#endif 3379| 10.3k| } else if(extension_id == 14 /* use_srtp */) { ------------------ | Branch (3379:18): [True: 2, False: 10.3k] ------------------ 3380| | /* This is likely a werbrtc flow */ 3381| 2| if(flow->stun.maybe_dtls || flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DTLS) ------------------ | Branch (3381:20): [True: 0, False: 2] | Branch (3381:45): [True: 0, False: 2] ------------------ 3382| 0| flow->protos.tls_quic.webrtc = 1; 3383| |#ifdef DEBUG_TLS 
3384| | printf("Client TLS: use_srtp\n"); 3385| |#endif 3386| 10.3k| } else if(extension_id == 16 /* application_layer_protocol_negotiation */ && ------------------ | Branch (3386:18): [True: 1.45k, False: 8.85k] ------------------ 3387| 1.45k| offset+extension_offset+1 < total_len) { ------------------ | Branch (3387:18): [True: 1.45k, False: 1] ------------------ 3388| 1.45k| u_int16_t s_offset = offset+extension_offset; 3389| 1.45k| u_int16_t tot_alpn_len = ntohs(*((u_int16_t*)&packet->payload[s_offset])); 3390| 1.45k| char alpn_str[256]; 3391| 1.45k| u_int16_t alpn_str_len = 0, i; 3392| | 3393| |#ifdef DEBUG_TLS 3394| | printf("Client TLS [ALPN: block_len=%u/len=%u]\n", extension_len, tot_alpn_len); 3395| |#endif 3396| 1.45k| s_offset += 2; 3397| 1.45k| tot_alpn_len += s_offset; 3398| | 3399| 10.7k| while(s_offset < tot_alpn_len && s_offset < total_len) { ------------------ | Branch (3399:9): [True: 9.53k, False: 1.23k] | Branch (3399:36): [True: 9.51k, False: 16] ------------------ 3400| 9.51k| u_int8_t alpn_i, alpn_len = packet->payload[s_offset++]; 3401| | 3402| 9.51k| if((s_offset + alpn_len) <= tot_alpn_len && ------------------ | Branch (3402:8): [True: 9.36k, False: 154] ------------------ 3403| 9.36k| (s_offset + alpn_len) <= total_len) { ------------------ | Branch (3403:8): [True: 9.31k, False: 46] ------------------ 3404| |#ifdef DEBUG_TLS 3405| | printf("Client TLS [ALPN: %u]\n", alpn_len); 3406| |#endif 3407| | 3408| 9.31k| if(((uint32_t)alpn_str_len+alpn_len+1) < (sizeof(alpn_str)-1)) { ------------------ | Branch (3408:10): [True: 9.31k, False: 9] ------------------ 3409| 9.31k| if(alpn_str_len > 0) { ------------------ | Branch (3409:12): [True: 7.45k, False: 1.85k] ------------------ 3410| 7.45k| alpn_str[alpn_str_len] = ','; 3411| 7.45k| alpn_str_len++; 3412| 7.45k| } 3413| | 3414| 47.7k| for(alpn_i=0; alpn_ipayload[s_offset+alpn_i]; 3416| | 3417| 9.31k| s_offset += alpn_len, alpn_str_len += alpn_len;; 3418| 9.31k| } else 3419| 9| break; 3420| 
9.31k| } else 3421| 200| break; 3422| 9.51k| } /* while */ 3423| | 3424| 1.45k| alpn_str[alpn_str_len] = '\0'; 3425| | 3426| |#ifdef DEBUG_TLS 3427| | printf("Client TLS [ALPN: %s][len: %u]\n", alpn_str, alpn_str_len); 3428| |#endif 3429| 1.45k| if(flow->protos.tls_quic.advertised_alpns == NULL) { ------------------ | Branch (3429:6): [True: 1.43k, False: 23] ------------------ 3430| 1.43k| flow->protos.tls_quic.advertised_alpns = ndpi_strdup(alpn_str); 3431| 1.43k| if(flow->protos.tls_quic.advertised_alpns) { ------------------ | Branch (3431:8): [True: 1.35k, False: 76] ------------------ 3432| 1.35k| tlsCheckUncommonALPN(ndpi_struct, flow, flow->protos.tls_quic.advertised_alpns); 3433| | 3434| | /* Without SNI matching we can try to sub-classify the flow via ALPN. 3435| | Note that this happens only on very rare cases, not the common ones 3436| | ("h2", "http/1.1", ...). Usefull for asymmetric traffic */ 3437| 1.35k| if(!flow->protos.tls_quic.subprotocol_detected) { ------------------ | Branch (3437:10): [True: 1.32k, False: 34] ------------------ 3438| 1.32k| if((is_quic && ndpi_struct->cfg.quic_subclassification_enabled) || ------------------ | Branch (3438:13): [True: 0, False: 1.32k] | Branch (3438:24): [True: 0, False: 0] ------------------ 3439| 1.32k| (!is_quic && ndpi_struct->cfg.tls_subclassification_enabled)) ------------------ | Branch (3439:13): [True: 1.32k, False: 0] | Branch (3439:25): [True: 1.32k, False: 0] ------------------ 3440| 1.32k| tls_subclassify_by_alpn(ndpi_struct, flow); 3441| 1.32k| } 3442| 1.35k| } 3443| 1.43k| } 3444| | 3445| 1.45k| alpn_str_len = ndpi_min(sizeof(ja.client.alpn), (size_t)alpn_str_len); ------------------ | | 113| 1.45k|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 1.45k] | | ------------------ ------------------ 3446| 1.45k| memcpy(ja.client.alpn, alpn_str, alpn_str_len); 3447| | 3448| | /* Store the last character of the first ALPN protocol (before any semicolon) */ 3449| 1.45k| ja.client.alpn_original_last = '0'; 3450| 1.45k| if(alpn_str_len > 0) { ------------------ | Branch (3450:6): [True: 1.42k, False: 27] ------------------ 3451| | /* Find the end of the first ALPN protocol (before semicolon or comma) */ 3452| 1.42k| int first_alpn_end = 0; 3453| 9.54k| for(first_alpn_end = 0; first_alpn_end < alpn_str_len; first_alpn_end++) { ------------------ | Branch (3453:29): [True: 9.02k, False: 515] ------------------ 3454| 9.02k| if(ja.client.alpn[first_alpn_end] == ';' || ja.client.alpn[first_alpn_end] == ',') { ------------------ | Branch (3454:10): [True: 3, False: 9.02k] | Branch (3454:51): [True: 911, False: 8.11k] ------------------ 3455| 914| break; 3456| 914| } 3457| 9.02k| } 3458| 1.42k| if(first_alpn_end > 0) { ------------------ | Branch (3458:8): [True: 1.42k, False: 1] ------------------ 3459| 1.42k| ja.client.alpn_original_last = ja.client.alpn[first_alpn_end - 1]; 3460| 1.42k| } 3461| 1.42k| } 3462| | 3463| 1.45k| if(alpn_str_len > 0) ------------------ | Branch (3463:6): [True: 1.42k, False: 27] ------------------ 3464| 1.42k| ja.client.alpn[alpn_str_len - 1] = '\0'; 3465| | 3466| | /* Replace , with - as in JA3 */ 3467| 40.6k| for(i=0; ja.client.alpn[i] != '\0'; i++) ------------------ | Branch (3467:12): [True: 39.2k, False: 1.45k] ------------------ 3468| 39.2k| if(ja.client.alpn[i] == ',') ja.client.alpn[i] = '-'; ------------------ | Branch (3468:8): [True: 5.60k, False: 33.6k] ------------------ 3469| | 3470| 8.85k| } else if(extension_id == 43 /* supported versions */ && ------------------ | Branch (3470:18): [True: 27, False: 8.82k] ------------------ 3471| 27| offset+extension_offset < total_len) { ------------------ | Branch 
(3471:18): [True: 27, False: 0] ------------------ 3472| 27| u_int16_t s_offset = offset+extension_offset; 3473| 27| u_int8_t version_len = packet->payload[s_offset]; 3474| 27| char version_str[256]; 3475| 27| char buf_ver_tmp[16]; 3476| 27| size_t version_str_len = 0; 3477| 27| version_str[0] = 0; 3478| |#ifdef DEBUG_TLS 3479| | printf("Client TLS [TLS version len: %u]\n", version_len); 3480| |#endif 3481| | 3482| 27| if(version_len == (extension_len-1)) { ------------------ | Branch (3482:6): [True: 26, False: 1] ------------------ 3483| 26| u_int8_t j; 3484| | 3485| 26| s_offset++; 3486| | 3487| | // careful not to overflow and loop forever with u_int8_t 3488| 84| for(j=0; j+1payload_packet_len; j += 2) { ------------------ | Branch (3488:14): [True: 58, False: 26] | Branch (3488:33): [True: 58, False: 0] ------------------ 3489| 58| u_int16_t tls_version = ntohs(*((u_int16_t*)&packet->payload[s_offset+j])); 3490| 58| u_int8_t unknown_tls_version; 3491| | 3492| |#ifdef DEBUG_TLS 3493| | printf("Client TLS [TLS version: %s/0x%04X]\n", 3494| | ndpi_ssl_version2str(buf_ver_tmp, sizeof(buf_ver_tmp), tls_version, &unknown_tls_version), tls_version); 3495| |#endif 3496| | 3497| 58| if((version_str_len+8) < sizeof(version_str)) { ------------------ | Branch (3497:10): [True: 58, False: 0] ------------------ 3498| 58| int rc = ndpi_snprintf(&version_str[version_str_len], 3499| 58| sizeof(version_str) - version_str_len, "%s%s", 3500| 58| (version_str_len > 0) ? 
"," : "", ------------------ | Branch (3500:11): [True: 35, False: 23] ------------------ 3501| 58| ndpi_ssl_version2str(buf_ver_tmp, sizeof(buf_ver_tmp), tls_version, &unknown_tls_version)); 3502| 58| if(rc <= 0) ------------------ | Branch (3502:12): [True: 0, False: 58] ------------------ 3503| 0| break; 3504| 58| else 3505| 58| version_str_len += rc; 3506| | 3507| 58| if(ja.client.num_supported_versions < MAX_NUM_JA) ------------------ | | 396| 58|#define MAX_NUM_JA 128 ------------------ | Branch (3507:12): [True: 58, False: 0] ------------------ 3508| 58| ja.client.supported_version[ja.client.num_supported_versions++] = tls_version; 3509| 58| } 3510| 58| } 3511| | 3512| |#ifdef DEBUG_TLS 3513| | printf("Client TLS [SUPPORTED_VERSIONS: %s]\n", version_str); 3514| |#endif 3515| | 3516| 26| if(flow->protos.tls_quic.tls_supported_versions == NULL && ------------------ | Branch (3516:8): [True: 24, False: 2] ------------------ 3517| 24| ndpi_struct->cfg.tls_versions_supported_enabled) ------------------ | Branch (3517:8): [True: 24, False: 0] ------------------ 3518| 24| flow->protos.tls_quic.tls_supported_versions = ndpi_strdup(version_str); 3519| 26| } 3520| 8.82k| } else if(extension_id == 65037 /* ECH: latest drafts */) { ------------------ | Branch (3520:18): [True: 0, False: 8.82k] ------------------ 3521| |#ifdef DEBUG_TLS 3522| | printf("Client TLS: ECH version 0x%x\n", extension_id); 3523| |#endif 3524| | /* Beginning with draft-08, the version is the same as the code point 3525| | for the "encrypted_client_hello" extension. 
*/ 3526| 0| flow->protos.tls_quic.encrypted_ch.version = extension_id; 3527| 8.82k| } else if(extension_id == 65445 || /* QUIC transport parameters (drafts version) */ ------------------ | Branch (3527:18): [True: 11, False: 8.81k] ------------------ 3528| 8.81k| extension_id == 57) { /* QUIC transport parameters (final version) */ ------------------ | Branch (3528:11): [True: 4, False: 8.81k] ------------------ 3529| 15| u_int16_t s_offset = offset+extension_offset; 3530| 15| uint16_t final_offset; 3531| 15| int using_var_int = is_version_with_var_int_transport_params(quic_version); 3532| | 3533| 15| if(!using_var_int) { ------------------ | Branch (3533:6): [True: 15, False: 0] ------------------ 3534| 15| if(s_offset+1 >= total_len) { ------------------ | Branch (3534:8): [True: 0, False: 15] ------------------ 3535| 0| final_offset = 0; /* Force skipping extension */ 3536| 15| } else { 3537| 15| u_int16_t seq_len = ntohs(*((u_int16_t*)&packet->payload[s_offset])); 3538| 15| s_offset += 2; 3539| 15| final_offset = ndpi_min(total_len, s_offset + seq_len); ------------------ | | 113| 15|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 5, False: 10] | | ------------------ ------------------ 3540| 15| } 3541| 15| } else { 3542| 0| final_offset = ndpi_min(total_len, s_offset + extension_len); ------------------ | | 113| 0|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 0] | | ------------------ ------------------ 3543| 0| } 3544| | 3545| 25| while(s_offset < final_offset) { ------------------ | Branch (3545:9): [True: 16, False: 9] ------------------ 3546| 16| u_int64_t param_type, param_len; 3547| | 3548| 16| if(!using_var_int) { ------------------ | Branch (3548:22): [True: 16, False: 0] ------------------ 3549| 16| if(s_offset+3 >= final_offset) ------------------ | Branch (3549:10): [True: 1, False: 15] ------------------ 3550| 1| break; 3551| 15| param_type = ntohs(*((u_int16_t*)&packet->payload[s_offset])); 3552| 15| param_len = ntohs(*((u_int16_t*)&packet->payload[s_offset + 2])); 3553| 15| s_offset += 4; 3554| 15| } else { 3555| 0| if(s_offset >= final_offset || ------------------ | Branch (3555:10): [True: 0, False: 0] ------------------ 3556| 0| (s_offset + quic_len_buffer_still_required(packet->payload[s_offset])) >= final_offset) ------------------ | Branch (3556:10): [True: 0, False: 0] ------------------ 3557| 0| break; 3558| 0| s_offset += quic_len(&packet->payload[s_offset], ¶m_type); 3559| | 3560| 0| if(s_offset >= final_offset || ------------------ | Branch (3560:10): [True: 0, False: 0] ------------------ 3561| 0| (s_offset + quic_len_buffer_still_required(packet->payload[s_offset])) >= final_offset) ------------------ | Branch (3561:10): [True: 0, False: 0] ------------------ 3562| 0| break; 3563| 0| s_offset += quic_len(&packet->payload[s_offset], ¶m_len); 3564| 0| } 3565| | 3566| |#ifdef DEBUG_TLS 3567| | printf("Client TLS [QUIC TP: Param 0x%x Len %d]\n", (int)param_type, (int)param_len); 3568| |#endif 3569| 15| if(s_offset+param_len > final_offset) ------------------ | Branch (3569:8): [True: 5, False: 10] ------------------ 3570| 5| break; 3571| | 3572| 10| s_offset += param_len; 3573| 10| } 3574| 8.81k| } else if(extension_id == 21) { /* Padding */ ------------------ | Branch (3574:18): [True: 1.15k, False: 7.66k] ------------------ 
3575| | /* Padding is usually some hundreds byte long. Longer padding 3576| | might be used as obfuscation technique to force unusual CH fragmentation */ 3577| 1.15k| if(extension_len > 500 /* Arbitrary value */) { ------------------ | Branch (3577:6): [True: 0, False: 1.15k] ------------------ 3578| |#ifdef DEBUG_TLS 3579| | printf("Padding length: %d\n", extension_len); 3580| |#endif 3581| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, "Abnormal Client Hello/Padding length"); 3582| 0| } 3583| 7.66k| } else if(extension_id == 22) { /* Encrypt-then-MAC */ ------------------ | Branch (3583:18): [True: 45, False: 7.61k] ------------------ 3584| 45| if(extension_len == 0) { ------------------ | Branch (3584:6): [True: 44, False: 1] ------------------ 3585| 44| char *sni = flow->host_server_name; 3586| | 3587| 44| if(sni != NULL) { ------------------ | Branch (3587:8): [True: 44, False: 0] ------------------ 3588| 44| u_int sni_len = strlen(sni); 3589| | 3590| 44| if((flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */ ------------------ | Branch (3590:10): [True: 44, False: 0] ------------------ 3591| 44| && (sni_len > 8) ------------------ | Branch (3591:13): [True: 15, False: 29] ------------------ 3592| 15| && ((strcmp(&sni[sni_len-4], ".com") == 0) || (strcmp(&sni[sni_len-4], ".net") == 0)) ------------------ | Branch (3592:14): [True: 13, False: 2] | Branch (3592:56): [True: 0, False: 2] ------------------ 3593| 13| && (strncmp(sni, "www.", 4) == 0) /* Starting with www.... 
*/ ------------------ | Branch (3593:13): [True: 12, False: 1] ------------------ 3594| 12| && str_contains_digit(&sni[4])) { ------------------ | Branch (3594:13): [True: 1, False: 11] ------------------ 3595| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, ndpi_get_master_proto(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); 3596| 1| } 3597| 44| } 3598| 44| } 3599| 7.61k| } else if(extension_id == 51 && /* key_share */ ------------------ | Branch (3599:18): [True: 30, False: 7.58k] ------------------ 3600| 30| offset + extension_offset < total_len) { ------------------ | Branch (3600:18): [True: 30, False: 0] ------------------ 3601| 30| u_int32_t extn_offset = extn_off + 4; 3602| 30| u_int16_t extn_end = extn_offset + extension_len; 3603| | 3604| 30| if(extn_offset + extension_len <= total_len) { ------------------ | Branch (3604:6): [True: 29, False: 1] ------------------ 3605| |#ifdef DEBUG_TLS 3606| | u_int16_t key_share_extn_len = ntohs(*((u_int16_t*)&(packet->payload[extn_offset]))); 3607| | 3608| | printf("[key_share] [len=%u][key_share_extn_len: %u][%02X %02X]\n", 3609| | extension_len, key_share_extn_len, 3610| | (packet->payload[extn_offset] & 0xFF), 3611| | (packet->payload[extn_offset+1] & 0xFF)); 3612| |#endif 3613| | 3614| 29| extn_offset += 2; 3615| | 3616| 83| while(extn_offset + 4 < extn_end) { ------------------ | Branch (3616:25): [True: 54, False: 29] ------------------ 3617| 54| u_int16_t group_id = ntohs(*((u_int16_t*)&(packet->payload[extn_offset]))); 3618| 54| u_int16_t key_extn_len = ntohs(*((u_int16_t*)&(packet->payload[extn_offset + 2]))); 3619| | 3620| | #ifdef DEBUG_TLS 3621| | printf("\t[%02X %02X][extn_offset: %u][group_id: %u][key_extn_len: %u]\n", 3622| | (packet->payload[extn_offset] & 0xFF), 3623| | (packet->payload[extn_offset+1] & 0xFF), 3624| | extn_offset, 3625| | group_id, key_extn_len); 3626| | #endif 3627| 54| if(group_id != 0x2A2A /* Skip GREASE */) { ------------------ | Branch (3627:10): [True: 54, False: 
0] ------------------ 3628| 54| if(ja.client.num_key_share_groups < MAX_NUM_JA) ------------------ | | 396| 54|#define MAX_NUM_JA 128 ------------------ | Branch (3628:12): [True: 54, False: 0] ------------------ 3629| 54| ja.client.key_share_group[ja.client.num_key_share_groups++] = group_id; 3630| 54| } 3631| | 3632| 54| extn_offset += key_extn_len + 4; 3633| 54| } 3634| 29| } 3635| | 3636| |#ifdef DEBUG_TLS 3637| | printf("[extn_offset: %u][extn_end: %u]\n", extn_offset, extn_end); 3638| |#endif 3639| 30| } 3640| | 3641| 21.5k| extension_offset += extension_len; /* Move to the next extension */ 3642| | 3643| |#ifdef DEBUG_TLS 3644| | printf("Client TLS [extension_offset/len: %u/%u]\n", extension_offset, extension_len); 3645| |#endif 3646| 21.5k| } /* while */ 3647| | 3648| 2.71k| if(!invalid_ja) { ------------------ | Branch (3648:9): [True: 2.61k, False: 103] ------------------ 3649| | /* Compute JA4 client */ 3650| | 3651| 2.64k|compute_ja4c: 3652| 2.64k| if(ndpi_struct->cfg.tls_ja4c_fingerprint_enabled) { ------------------ | Branch (3652:11): [True: 2.64k, False: 0] ------------------ 3653| 2.64k| ndpi_compute_ja4(ndpi_struct, flow, quic_version, &ja); 3654| 2.64k| tls_match_ja4(ndpi_struct, flow); 3655| 2.64k| } 3656| | 3657| 2.64k| if(ndpi_struct->cfg.tls_ja_data_enabled) { ------------------ | Branch (3657:11): [True: 0, False: 2.64k] ------------------ 3658| 0| if(flow->protos.tls_quic.ja_client == NULL) { ------------------ | Branch (3658:6): [True: 0, False: 0] ------------------ 3659| 0| flow->protos.tls_quic.ja_client = ndpi_malloc(sizeof(ndpi_tls_client_info)); 3660| | 3661| 0| if(flow->protos.tls_quic.ja_client != NULL) ------------------ | Branch (3661:8): [True: 0, False: 0] ------------------ 3662| 0| memcpy(flow->protos.tls_quic.ja_client, &ja.client, sizeof(ndpi_tls_client_info)); 3663| 0| } 3664| 0| } 3665| | 3666| | /* End JA4 */ 3667| 2.64k| } 3668| | 3669| | /* Before returning to the caller we need to make a final check */ 3670| 2.75k| 
if((flow->protos.tls_quic.ssl_version >= 0x0303) /* >= TLSv1.2 */ ------------------ | Branch (3670:9): [True: 1.72k, False: 1.02k] ------------------ 3671| 1.72k| && !flow->protos.tls_quic.webrtc ------------------ | Branch (3671:12): [True: 1.72k, False: 0] ------------------ 3672| 1.72k| && (flow->protos.tls_quic.advertised_alpns == NULL) /* No ALPN */) { ------------------ | Branch (3672:12): [True: 1.17k, False: 552] ------------------ 3673| 1.17k| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_NOT_CARRYING_HTTPS, "No ALPN"); 3674| 1.17k| } 3675| | 3676| | /* Add check for missing SNI */ 3677| 2.75k| if(flow->host_server_name[0] == '\0' ------------------ | Branch (3677:9): [True: 371, False: 2.38k] ------------------ 3678| 371| && (flow->protos.tls_quic.ssl_version >= 0x0302) /* TLSv1.1 */ ------------------ | Branch (3678:12): [True: 256, False: 115] ------------------ 3679| 256| && !flow->protos.tls_quic.webrtc ------------------ | Branch (3679:12): [True: 256, False: 0] ------------------ 3680| 2.75k| ) { 3681| | /* This is a bit suspicious */ 3682| 256| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_MISSING_SNI, "SNI should always be present"); 3683| | 3684| 256| if(flow->protos.tls_quic.advertised_alpns != NULL) { ------------------ | Branch (3684:11): [True: 73, False: 183] ------------------ 3685| 73| char buf[256], *tmp, *item; 3686| | 3687| 73| snprintf(buf, sizeof(buf), "%s", flow->protos.tls_quic.advertised_alpns); 3688| | 3689| 73| item = strtok_r(buf, ",", &tmp); 3690| | 3691| 107| while(item != NULL) { ------------------ | Branch (3691:9): [True: 68, False: 39] ------------------ 3692| 68| if(item[0] == 'h') { ------------------ | Branch (3692:8): [True: 34, False: 34] ------------------ 3693| | /* Example 'h2' */ 3694| 34| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_ALPN_SNI_MISMATCH, item); 3695| 34| break; 3696| 34| } else 3697| 34| item = strtok_r(NULL, ",", &tmp); 3698| 68| } 3699| 73| } 3700| 256| } 3701| | 3702| 2.75k| return(2 /* Client Certificate 
*/); 3703| 2.71k| } else { 3704| |#ifdef DEBUG_TLS 3705| | printf("[TLS] Client: too short [%u vs %u]\n", 3706| | (extensions_len+offset), total_len); 3707| |#endif 3708| 78| } 3709| 2.79k| } else if(offset == total_len) { ------------------ | Branch (3709:12): [True: 34, False: 18] ------------------ 3710| | /* TLS does not have extensions etc */ 3711| 34| goto compute_ja4c; 3712| 34| } 3713| 2.84k| } else { 3714| |#ifdef DEBUG_TLS 3715| | printf("[JA3] Client: invalid length detected\n"); 3716| |#endif 3717| 50| } 3718| 2.89k| } 3719| 4.69k| } 3720| | 3721| 1.76k| return(0); /* Not found */ 3722| 4.70k|} init_tls_dissector: 3778| 7.08k|void init_tls_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 3779| 7.08k| ndpi_register_dissector("(D)TLS", ndpi_struct, 3780| 7.08k| ndpi_search_tls_wrapper, 3781| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION 
(NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 3782| 7.08k| 2, 3783| 7.08k| NDPI_PROTOCOL_TLS, 3784| 7.08k| NDPI_PROTOCOL_DTLS); 3785| 7.08k|} tls.c:extractRDNSequence: 565| 5.93k| const char *label) { 566| 5.93k| u_int8_t str_len, is_printable = 1; 567| 5.93k| char *str; 568| 5.93k| u_int len; 569| | 570| 5.93k| if(*rdnSeqBuf_offset >= rdnSeqBuf_len) { ------------------ | Branch (570:6): [True: 0, False: 5.93k] ------------------ 571| |#ifdef DEBUG_TLS 572| | printf("[TLS] %s() [buffer capacity reached][%u]\n", 573| | __FUNCTION__, rdnSeqBuf_len); 574| |#endif 575| 0| return -1; 576| 0| } 577| 5.93k| if((offset+4) >= packet->payload_packet_len) ------------------ | Branch (577:6): [True: 0, False: 5.93k] ------------------ 578| 0| return(-1); 579| | 580| 5.93k| str_len = packet->payload[offset+4]; 581| | 582| | // packet is truncated... further inspection is not needed 583| 5.93k| if((offset+4+str_len) >= packet->payload_packet_len) ------------------ | Branch (583:6): [True: 9, False: 5.92k] ------------------ 584| 9| return(-1); 585| | 586| 5.92k| str = (char*)&packet->payload[offset+5]; 587| | 588| 5.92k| len = (u_int)ndpi_min(str_len, buffer_len-1); ------------------ | | 113| 5.92k|#define ndpi_min(a,b) ((a < b) ? 
a : b) | | ------------------ | | | Branch (113:26): [True: 5.72k, False: 199] | | ------------------ ------------------ 589| 5.92k| strncpy(buffer, str, len); 590| 5.92k| buffer[len] = '\0'; 591| | 592| | // check string is printable 593| 5.92k| is_printable = ndpi_normalize_printable_string(buffer, len); 594| | 595| 5.92k| if(is_printable) { ------------------ | Branch (595:6): [True: 5.06k, False: 860] ------------------ 596| 5.06k| int rc = ndpi_snprintf(&rdnSeqBuf[*rdnSeqBuf_offset], 597| 5.06k| rdnSeqBuf_len-(*rdnSeqBuf_offset), 598| 5.06k| "%s%s=%s", (*rdnSeqBuf_offset > 0) ? ", " : "", ------------------ | Branch (598:18): [True: 4.02k, False: 1.04k] ------------------ 599| 5.06k| label, buffer); 600| | 601| 5.06k| if(rc > 0 && ((u_int)rc > rdnSeqBuf_len-(*rdnSeqBuf_offset))) ------------------ | Branch (601:8): [True: 5.06k, False: 0] | Branch (601:18): [True: 0, False: 5.06k] ------------------ 602| 0| return -1; /* Truncated; not enough buffer */ 603| 5.06k| if(rc > 0) ------------------ | Branch (603:8): [True: 5.06k, False: 0] ------------------ 604| 5.06k| (*rdnSeqBuf_offset) += rc; 605| 5.06k| } 606| | 607| 5.92k| return(is_printable); 608| 5.92k|} tls.c:cleanupServerName: 545| 2.39k|static void cleanupServerName(char *buffer, u_int buffer_len) { 546| 2.39k| u_int i; 547| | 548| | /* Now all lowecase */ 549| 116k| for(i=0; iiphv6 == NULL) { ------------------ | Branch (617:6): [True: 4.10k, False: 0] ------------------ 618| 4.10k| if(packet->tcp) { ------------------ | Branch (618:8): [True: 4.10k, False: 0] ------------------ 619| 4.10k| if(is_from_client) ------------------ | Branch (619:10): [True: 2.53k, False: 1.57k] ------------------ 620| 2.53k| key = ((u_int64_t)packet->iph->daddr << 32) | packet->tcp->dest; 621| 1.57k| else 622| 1.57k| key = ((u_int64_t)packet->iph->saddr << 32) | packet->tcp->source; 623| 4.10k| } else { 624| 0| if(is_from_client) ------------------ | Branch (624:10): [True: 0, False: 0] ------------------ 625| 0| key = 
((u_int64_t)packet->iph->daddr << 32) | packet->udp->dest; 626| 0| else 627| 0| key = ((u_int64_t)packet->iph->saddr << 32) | packet->udp->source; 628| 0| } 629| 4.10k| } else { 630| 0| if(packet->tcp) { ------------------ | Branch (630:8): [True: 0, False: 0] ------------------ 631| 0| if(is_from_client) ------------------ | Branch (631:10): [True: 0, False: 0] ------------------ 632| 0| key = (ndpi_quick_hash64((const char *)&packet->iphv6->ip6_dst, 16) << 16) | packet->tcp->dest; 633| 0| else 634| 0| key = (ndpi_quick_hash64((const char *)&packet->iphv6->ip6_src, 16) << 16) | packet->tcp->source; 635| 0| } else { 636| 0| if(is_from_client) ------------------ | Branch (636:10): [True: 0, False: 0] ------------------ 637| 0| key = (ndpi_quick_hash64((const char *)&packet->iphv6->ip6_dst, 16) << 16) | packet->udp->dest; 638| 0| else 639| 0| key = (ndpi_quick_hash64((const char *)&packet->iphv6->ip6_src, 16) << 16) | packet->udp->source; 640| 0| } 641| 0| } 642| | 643| 4.10k| return key; 644| 4.10k|} tls.c:ndpi_search_tls_memory: 471| 23.1k| message_t *message) { 472| 23.1k| u_int avail_bytes; 473| | 474| |#ifdef DEBUG_TLS_MEMORY 475| | printf("[TLS Mem] Handling TLS flow [payload_len: %u][buffer_len: %u]\n", 476| | payload_len, 477| | message->buffer_len); 478| |#endif 479| | 480| 23.1k| if(message->buffer == NULL) { ------------------ | Branch (480:6): [True: 19.8k, False: 3.29k] ------------------ 481| | /* Allocate buffer */ 482| 19.8k| message->buffer_len = 2048, message->buffer_used = 0; 483| 19.8k| message->buffer = (u_int8_t*)ndpi_malloc(message->buffer_len); 484| | 485| 19.8k| if(message->buffer == NULL) ------------------ | Branch (485:8): [True: 1.20k, False: 18.6k] ------------------ 486| 1.20k| return -1; 487| | 488| |#ifdef DEBUG_TLS_MEMORY 489| | printf("[TLS Mem] Allocating %u buffer\n", message->buffer_len); 490| |#endif 491| 19.8k| } 492| | 493| 21.9k| avail_bytes = message->buffer_len - message->buffer_used; 494| | 495| 21.9k| if(avail_bytes < 
payload_len) { ------------------ | Branch (495:6): [True: 1.84k, False: 20.1k] ------------------ 496| 1.84k| u_int new_len = message->buffer_len + payload_len - avail_bytes + 1; 497| 1.84k| void *newbuf = ndpi_realloc(message->buffer, new_len); 498| 1.84k| if(!newbuf) return -1; ------------------ | Branch (498:8): [True: 117, False: 1.73k] ------------------ 499| | 500| |#ifdef DEBUG_TLS_MEMORY 501| | printf("[TLS Mem] Enlarging %u -> %u buffer\n", message->buffer_len, new_len); 502| |#endif 503| | 504| 1.73k| message->buffer = (u_int8_t*)newbuf; 505| 1.73k| message->buffer_len = new_len; 506| 1.73k| avail_bytes = message->buffer_len - message->buffer_used; 507| 1.73k| } 508| | 509| 21.8k| if(payload_len > 0 && avail_bytes >= payload_len) { ------------------ | Branch (509:6): [True: 21.8k, False: 0] | Branch (509:25): [True: 21.8k, False: 0] ------------------ 510| 21.8k| u_int8_t ok = 0; 511| | 512| 21.8k| if(message->next_seq != 0) { ------------------ | Branch (512:8): [True: 3.18k, False: 18.6k] ------------------ 513| 3.18k| if(seq == message->next_seq) ------------------ | Branch (513:10): [True: 1.58k, False: 1.60k] ------------------ 514| 1.58k| ok = 1; 515| 3.18k| } else 516| 18.6k| ok = 1; 517| | 518| 21.8k| if(ok) { ------------------ | Branch (518:8): [True: 20.2k, False: 1.60k] ------------------ 519| 20.2k| memcpy(&message->buffer[message->buffer_used], 520| 20.2k| payload, payload_len); 521| | 522| 20.2k| message->buffer_used += payload_len; 523| |#ifdef DEBUG_TLS_MEMORY 524| | printf("[TLS Mem] Copied data to buffer [%u/%u bytes][tcp_seq: %u][next: %u]\n", 525| | message->buffer_used, message->buffer_len, 526| | seq, 527| | seq + payload_len); 528| |#endif 529| | 530| 20.2k| message->next_seq = seq + payload_len; 531| 20.2k| } else { 532| |#ifdef DEBUG_TLS_MEMORY 533| | printf("[TLS Mem] Skipping packet [%u bytes][tcp_seq: %u][expected next: %u]\n", 534| | message->buffer_len, 535| | seq, 536| | message->next_seq); 537| |#endif 538| 1.60k| } 
539| 21.8k| } 540| 21.8k| return 0; 541| 21.9k|} tls.c:check_tls_type_and_version: 1414| 22.4k|{ 1415| | /* Valid TLS Content Types: 1416| | https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-5 */ 1417| 22.4k| if(buf_len >= 1 && ------------------ | Branch (1417:6): [True: 22.4k, False: 0] ------------------ 1418| 22.4k| !(buf[0] >= 20 && buf[0] <= 26)) ------------------ | Branch (1418:8): [True: 18.9k, False: 3.45k] | Branch (1418:24): [True: 10.4k, False: 8.56k] ------------------ 1419| 12.0k| return 0; 1420| | 1421| | /* Valid version in Record Layer 1422| | "Earlier versions of the TLS specification were not fully clear on what the record layer version 1423| | number (TLSPlaintext.version) should contain when sending ClientHello (i.e., before it is known 1424| | which version of the protocol will be employed). Thus, TLS servers compliant with this 1425| | specification MUST accept any value {03,XX} as the record layer version number for ClientHello." 
1426| | */ 1427| 10.4k| if(buf_len >=2 && buf[1] != 0x03) ------------------ | Branch (1427:6): [True: 10.4k, False: 0] | Branch (1427:21): [True: 135, False: 10.2k] ------------------ 1428| 135| return 0; 1429| | 1430| 10.2k| return 1; /* ok */ 1431| 10.4k|} tls.c:handleTLSBlockStat: 1275| 8.12k| u_int16_t block_len) { 1276| 8.12k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1277| | 1278| 8.12k| if(flow->l4_proto == IPPROTO_TCP && ------------------ | Branch (1278:6): [True: 8.12k, False: 0] ------------------ 1279| 8.12k| ndpi_struct->cfg.tls_max_num_blocks_to_analyze != 0) { ------------------ | Branch (1279:6): [True: 0, False: 8.12k] ------------------ 1280| 0| if(flow->l4.tcp.tls.tls_blocks == NULL) { ------------------ | Branch (1280:8): [True: 0, False: 0] ------------------ 1281| 0| u_int len = sizeof(struct ndpi_tls_block) * ndpi_struct->cfg.tls_max_num_blocks_to_analyze; 1282| | 1283| 0| flow->l4.tcp.tls.tls_blocks = (struct ndpi_tls_block *)ndpi_malloc(len); 1284| 0| } 1285| | 1286| 0| if((flow->l4.tcp.tls.tls_blocks != NULL) ------------------ | Branch (1286:8): [True: 0, False: 0] ------------------ 1287| 0| && (flow->l4.tcp.tls.num_tls_blocks < ndpi_struct->cfg.tls_max_num_blocks_to_analyze)) { ------------------ | Branch (1287:11): [True: 0, False: 0] ------------------ 1288| | 1289| 0| int32_t blen; 1290| 0| u_int32_t tdelta; 1291| 0| u_int16_t enc_block_type; 1292| | 1293| 0| enc_block_type = ndpi_encode_tls_block_type(record_type, handshake_type); 1294| 0| blen = block_len; 1295| | 1296| 0| if(flow->l4.tcp.tls.last_tls_block_time_ms) ------------------ | Branch (1296:10): [True: 0, False: 0] ------------------ 1297| 0| tdelta = ndpi_struct->packet.current_time_ms - flow->l4.tcp.tls.last_tls_block_time_ms; 1298| 0| else 1299| 0| tdelta = 0; 1300| | 1301| 0| if(packet->packet_direction == 1 /* srv -> cli */) blen *= -1; ------------------ | Branch (1301:10): [True: 0, False: 0] ------------------ 1302| | 1303| 0| 
flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks].len = blen, 1304| 0| flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks].msec_delta = 1305| 0| (tdelta > 0xFFFF) ? 0xFFFF : (u_int16_t)tdelta, ------------------ | Branch (1305:9): [True: 0, False: 0] ------------------ 1306| 0| flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks].same_pkt = same_packet ? 1 : 0; ------------------ | Branch (1306:81): [True: 0, False: 0] ------------------ 1307| 0| flow->l4.tcp.tls.tls_blocks[flow->l4.tcp.tls.num_tls_blocks++].block_type = enc_block_type; 1308| | 1309| 0| flow->l4.tcp.tls.last_tls_block_time_ms = ndpi_struct->packet.current_time_ms; 1310| 0| } 1311| 0| } 1312| 8.12k| if(*same_packet == false) ------------------ | Branch (1312:6): [True: 6.60k, False: 1.51k] ------------------ 1313| 6.60k| *same_packet = true; 1314| 8.12k|} tls.c:processHandshakeTLSBlock: 1319| 5.98k| struct ndpi_flow_struct *flow) { 1320| 5.98k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1321| 5.98k| int ret; 1322| 5.98k| int is_dtls = packet->udp || flow->stun.maybe_dtls; ------------------ | Branch (1322:17): [True: 0, False: 5.98k] | Branch (1322:32): [True: 0, False: 5.98k] ------------------ 1323| 5.98k| u_int8_t handshake_type = packet->payload[0]; 1324| | 1325| |#ifdef DEBUG_TLS 1326| | printf("[TLS] Processing block %u\n", packet->payload[0]); 1327| |#endif 1328| | 1329| 5.98k| switch(handshake_type) { ------------------ | Branch (1329:10): [True: 5.36k, False: 615] ------------------ 1330| 2.92k| case 0x01: /* Client Hello */ ------------------ | Branch (1330:3): [True: 2.92k, False: 3.05k] ------------------ 1331| 2.92k| if((flow->l4.tcp.three_way_handshake.syn_time != 0) /* Check only if 3WH was observed */ ------------------ | Branch (1331:8): [True: 1.08k, False: 1.83k] ------------------ 1332| 1.08k| && (flow->l4.tcp.three_way_handshake.ack_time != 0) ------------------ | Branch (1332:11): [True: 1.07k, False: 10] ------------------ 1333| 
2.92k| ) { 1334| 1.07k| u_int64_t tdiff_ms = packet->current_time_ms - flow->l4.tcp.three_way_handshake.ack_time; 1335| | 1336| 1.07k| if((tdiff_ms > 3000 /* 3 sec */) && (!ndpi_isset_risk(flow, NDPI_SLOW_DOS))) { ------------------ | Branch (1336:10): [True: 120, False: 959] | Branch (1336:43): [True: 120, False: 0] ------------------ 1337| 120| char buf[64]; 1338| | 1339| 120| snprintf(buf, sizeof(buf), "Slow TLS Request: %.1f sec", tdiff_ms/1000.); 1340| 120| ndpi_set_risk(ndpi_struct, flow, NDPI_SLOW_DOS, buf); 1341| 120| } 1342| 1.07k| } 1343| | 1344| 2.92k| flow->protos.tls_quic.client_hello_processed = 1; 1345| 2.92k| flow->protos.tls_quic.ch_direction = packet->packet_direction; 1346| 2.92k| processClientServerHello(ndpi_struct, flow, 0); 1347| 2.92k| ndpi_int_tls_add_connection(ndpi_struct, flow); 1348| | 1349| |#ifdef DEBUG_TLS 1350| | printf("*** TLS [version: %02X][Client Hello]\n", 1351| | flow->protos.tls_quic.ssl_version); 1352| |#endif 1353| | 1354| 2.92k| checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01); 1355| 2.92k| break; 1356| | 1357| 1.77k| case 0x02: /* Server Hello */ ------------------ | Branch (1357:3): [True: 1.77k, False: 4.20k] ------------------ 1358| 1.77k| flow->protos.tls_quic.server_hello_processed = 1; 1359| 1.77k| flow->protos.tls_quic.ch_direction = !packet->packet_direction; 1360| 1.77k| processClientServerHello(ndpi_struct, flow, 0); 1361| 1.77k| ndpi_int_tls_add_connection(ndpi_struct, flow); 1362| | 1363| |#ifdef DEBUG_TLS 1364| | printf("*** TLS [version: %02X][Server Hello]\n", 1365| | flow->protos.tls_quic.ssl_version); 1366| |#endif 1367| | 1368| 1.77k| if(!is_dtls && flow->protos.tls_quic.ssl_version >= 0x0304 /* TLS 1.3 */) ------------------ | Branch (1368:8): [True: 1.77k, False: 0] | Branch (1368:20): [True: 22, False: 1.75k] ------------------ 1369| 22| flow->tls_quic.certificate_processed = 1; /* No Certificate with TLS 1.3+ */ 1370| | 1371| 1.77k| if(is_dtls && flow->protos.tls_quic.ssl_version 
== 0xFEFC /* DTLS 1.3 */) ------------------ | Branch (1371:8): [True: 0, False: 1.77k] | Branch (1371:19): [True: 0, False: 0] ------------------ 1372| 0| flow->tls_quic.certificate_processed = 1; /* No Certificate with DTLS 1.3+ */ 1373| | 1374| 1.77k| checkTLSSubprotocol(ndpi_struct, flow, packet->payload[0] == 0x01); 1375| 1.77k| break; 1376| | 1377| 665| case 0x0b: /* Certificate */ ------------------ | Branch (1377:3): [True: 665, False: 5.31k] ------------------ 1378| | /* Important: populate the tls union fields only after 1379| | * ndpi_int_tls_add_connection has been called */ 1380| 665| if(flow->protos.tls_quic.client_hello_processed || ------------------ | Branch (1380:8): [True: 358, False: 307] ------------------ 1381| 661| flow->protos.tls_quic.server_hello_processed) { ------------------ | Branch (1381:8): [True: 303, False: 4] ------------------ 1382| | /* Only certificates from the server */ 1383| 661| if(flow->protos.tls_quic.ch_direction != packet->packet_direction) { ------------------ | Branch (1383:10): [True: 660, False: 1] ------------------ 1384| 660| ret = processCertificate(ndpi_struct, flow); 1385| 660| if(ret != 1) { ------------------ | Branch (1385:12): [True: 3, False: 657] ------------------ 1386| |#ifdef DEBUG_TLS 1387| | printf("[TLS] Error processing certificate: %d\n", ret); 1388| |#endif 1389| 3| } 1390| 660| } else { 1391| |#ifdef DEBUG_TLS 1392| | printf("[TLS] Certificate from client. 
Ignoring it\n"); 1393| |#endif 1394| 1| } 1395| 661| flow->tls_quic.certificate_processed = 1; 1396| 661| } 1397| 665| break; 1398| 5.98k| } 1399| | 1400| 5.98k| return(0); 1401| 5.98k|} tls.c:checkTLSSubprotocol: 650| 4.70k| int is_from_client) { 651| 4.70k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 652| | 653| 4.70k| if(ndpi_struct->cfg.tls_subclassification_enabled && ------------------ | Branch (653:6): [True: 4.70k, False: 0] ------------------ 654| 4.70k| flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN) { ------------------ | Branch (654:6): [True: 4.54k, False: 154] ------------------ 655| | /* Subprotocol not yet set */ 656| | 657| 4.54k| if(ndpi_struct->tls_cert_cache) { ------------------ | Branch (657:8): [True: 4.10k, False: 440] ------------------ 658| 4.10k| u_int16_t cached_proto; 659| 4.10k| u_int64_t key; 660| | 661| 4.10k| key = make_tls_cert_key(packet, is_from_client); 662| | 663| 4.10k| if(ndpi_lru_find_cache(ndpi_struct->tls_cert_cache, key, ------------------ | Branch (663:10): [True: 0, False: 4.10k] ------------------ 664| 4.10k| &cached_proto, 0 /* Don't remove it as it can be used for other connections */, 665| 4.10k| ndpi_get_current_time(flow))) { 666| 0| ndpi_master_app_protocol proto; 667| | 668| 0| ndpi_set_detected_protocol(ndpi_struct, flow, cached_proto, ndpi_get_master_proto(ndpi_struct, flow), NDPI_CONFIDENCE_DPI_CACHE); 669| 0| proto.master_protocol = ndpi_get_master_proto(ndpi_struct, flow); 670| 0| proto.app_protocol = cached_proto; 671| 0| flow->category = get_proto_category(ndpi_struct, proto); 672| 0| flow->breed = get_proto_breed(ndpi_struct, proto); 673| 0| ndpi_check_subprotocol_risk(ndpi_struct, flow, cached_proto); 674| 0| ndpi_unset_risk(ndpi_struct, flow, NDPI_NUMERIC_IP_HOST); 675| 0| } 676| 4.10k| } 677| 4.54k| } 678| 4.70k|} tls.c:ndpi_looks_like_tls: 1406| 7.06k| struct ndpi_flow_struct *flow) { 1407| 7.06k| if(flow->fast_callback_protocol_id == NDPI_PROTOCOL_UNKNOWN) ------------------ 
| Branch (1407:6): [True: 4.57k, False: 2.48k] ------------------ 1408| 4.57k| flow->fast_callback_protocol_id = ndpi_get_master_proto(ndpi_struct, flow); 1409| 7.06k|} tls.c:keep_extra_dissection_tcp: 106| 9.57k| struct ndpi_flow_struct *flow) { 107| 9.57k| if(ndpi_struct->cfg.tls_max_num_blocks_to_analyze > 0) ------------------ | Branch (107:6): [True: 0, False: 9.57k] ------------------ 108| 0| return(1); /* Process as much TLS blocks as the max packet number */ 109| | 110| | /* Common path: found handshake on both directions */ 111| 9.57k| if( 112| 9.57k| (flow->tls_quic.certificate_processed == 1 && flow->protos.tls_quic.client_hello_processed) ------------------ | Branch (112:7): [True: 542, False: 9.03k] | Branch (112:52): [True: 352, False: 190] ------------------ 113| | 114| | /* Application Data on both directions: handshake already ended (did we miss it?) */ 115| 9.22k| || (flow->l4.tcp.tls.app_data_seen[0] == 1 && flow->l4.tcp.tls.app_data_seen[1] == 1) ------------------ | Branch (115:10): [True: 1.10k, False: 8.11k] | Branch (115:52): [True: 354, False: 755] ------------------ 116| | 117| | /* Handshake on one direction and Application Data on the other */ 118| 8.87k| || ((flow->protos.tls_quic.client_hello_processed && flow->l4.tcp.tls.app_data_seen[!flow->protos.tls_quic.ch_direction] == 1) || ------------------ | Branch (118:11): [True: 5.03k, False: 3.83k] | Branch (118:59): [True: 282, False: 4.75k] ------------------ 119| 8.59k| (flow->protos.tls_quic.server_hello_processed && flow->l4.tcp.tls.app_data_seen[flow->protos.tls_quic.ch_direction] == 1)) ------------------ | Branch (119:4): [True: 2.27k, False: 6.31k] | Branch (119:52): [True: 35, False: 2.24k] ------------------ 120| 9.57k| ) { 121| 1.02k| return 0; 122| 1.02k| } 123| | 124| | /* Non-warning alert */ 125| 8.55k| if(flow->tls_quic.alert) ------------------ | Branch (125:6): [True: 48, False: 8.50k] ------------------ 126| 48| return 0; 127| | 128| | /* Are we interested only in the 
(sub)-classification? */ 129| | 130| 8.50k| if(/* Subclassification */ 131| 8.50k| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN && ------------------ | Branch (131:6): [True: 211, False: 8.29k] ------------------ 132| | /* No metadata from SH or certificate */ 133| 211| !ndpi_struct->cfg.tls_alpn_negotiated_enabled && ------------------ | Branch (133:6): [True: 0, False: 211] ------------------ 134| 0| !ndpi_struct->cfg.tls_cipher_enabled && ------------------ | Branch (134:6): [True: 0, False: 0] ------------------ 135| 0| !ndpi_struct->cfg.tls_sha1_fingerprint_enabled && ------------------ | Branch (135:6): [True: 0, False: 0] ------------------ 136| 0| !ndpi_struct->cfg.tls_cert_server_names_enabled && ------------------ | Branch (136:6): [True: 0, False: 0] ------------------ 137| 0| !ndpi_struct->cfg.tls_cert_validity_enabled && ------------------ | Branch (137:6): [True: 0, False: 0] ------------------ 138| 0| !ndpi_struct->cfg.tls_cert_issuer_enabled && ------------------ | Branch (138:6): [True: 0, False: 0] ------------------ 139| 0| !ndpi_struct->cfg.tls_cert_subject_enabled && ------------------ | Branch (139:6): [True: 0, False: 0] ------------------ 140| 0| !ndpi_struct->cfg.tls_browser_enabled && ------------------ | Branch (140:6): [True: 0, False: 0] ------------------ 141| 0| !ndpi_struct->cfg.tls_ja3s_fingerprint_enabled && ------------------ | Branch (141:6): [True: 0, False: 0] ------------------ 142| | /* No flow risks from SH or certificate: we should have disabled all 143| | metadata needed for flow risks, so we should not need to explicitly 144| | check them */ 145| | /* Ookla aggressiveness has no impact here because it is evaluated only 146| | without sub-classification */ 147| | /* TLS heuristics */ 148| 0| (ndpi_struct->cfg.tls_heuristics == 0 || is_flow_addr_informative(flow))) { ------------------ | Branch (148:7): [True: 0, False: 0] | Branch (148:47): [True: 0, False: 0] ------------------ 149| 0| return 0; 150| 0| } 
151| | 152| 8.50k| return 1; 153| 8.50k|} tls.c:tls_match_ja4: 1118| 15.9k| struct ndpi_flow_struct *flow) { 1119| 15.9k| if(ndpi_struct->ja4_custom_protos != NULL) { ------------------ | Branch (1119:6): [True: 0, False: 15.9k] ------------------ 1120| 0| u_int64_t proto_id; 1121| 0| ndpi_list *extra_data = NULL; 1122| | 1123| | /* This protocol has been defined in protos.txt-like files */ 1124| 0| if(ndpi_hash_find_entry_extra(ndpi_struct->ja4_custom_protos, ------------------ | Branch (1124:8): [True: 0, False: 0] ------------------ 1125| 0| flow->protos.tls_quic.ja4_client, 1126| 0| NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, ------------------ | | 132| 0|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ 1127| 0| &proto_id, &extra_data) != 0) 1128| 0| return; /* Not found */ 1129| 0| else 1130| 0| proto_id = ndpi_compare_flow_tls_blocks(ndpi_struct, flow, extra_data, proto_id); 1131| | 1132| 0| if(proto_id != NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (1132:8): [True: 0, False: 0] ------------------ 1133| 0| ndpi_set_detected_protocol(ndpi_struct, flow, proto_id, 1134| 0| ndpi_get_master_proto(ndpi_struct, flow), 1135| 0| NDPI_CONFIDENCE_CUSTOM_RULE); 1136| 0| } 1137| | 1138| 15.9k| if(ndpi_struct->malicious_ja4_hashmap != NULL) { ------------------ | Branch (1138:6): [True: 0, False: 15.9k] ------------------ 1139| 0| u_int16_t rc1 = ndpi_hash_find_entry(ndpi_struct->malicious_ja4_hashmap, 1140| 0| flow->protos.tls_quic.ja4_client, 1141| 0| NDPI_ARRAY_LENGTH(flow->protos.tls_quic.ja4_client) - 1, ------------------ | | 132| 0|#define NDPI_ARRAY_LENGTH(array) (sizeof(array) / sizeof((array)[0])) ------------------ 1142| 0| NULL); 1143| | 1144| 0| if(rc1 == 0) ------------------ | Branch (1144:8): [True: 0, False: 0] ------------------ 1145| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_MALICIOUS_FINGERPRINT, 1146| 0| flow->protos.tls_quic.ja4_client); 1147| 0| } 1148| 15.9k|} 
tls.c:tlsInitExtraPacketProcessing: 1894| 4.63k| struct ndpi_flow_struct *flow) { 1895| 4.63k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1896| | 1897| | /* At most 12 packets should almost always be enough to find the server certificate if it's there. 1898| | Exception: DTLS traffic with fragments, retransmissions and STUN packets */ 1899| 4.63k| flow->max_extra_packets_to_check = ((packet->udp != NULL) ? 20 : 12) + (ndpi_struct->cfg.tls_max_num_blocks_to_analyze*4); ------------------ | Branch (1899:39): [True: 0, False: 4.63k] ------------------ 1900| 4.63k| flow->extra_packets_func = (packet->udp != NULL) ? ndpi_search_dtls : ndpi_search_tls_tcp; ------------------ | Branch (1900:30): [True: 0, False: 4.63k] ------------------ 1901| 4.63k|} tls.c:ndpi_search_dtls: 1728| 7.08k| struct ndpi_flow_struct *flow) { 1729| 7.08k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 1730| 7.08k| u_int32_t handshake_len, handshake_frag_off, handshake_frag_len; 1731| 7.08k| u_int16_t p_len, processed; 1732| 7.08k| const u_int8_t *p; 1733| 7.08k| u_int8_t no_dtls = 0, change_cipher_found = 0; 1734| 7.08k| message_t *message = NULL; 1735| | 1736| |#ifdef DEBUG_TLS 1737| | printf("[TLS] %s()\n", __FUNCTION__); 1738| |#endif 1739| | 1740| | /* Overwriting packet payload */ 1741| 7.08k| p = packet->payload, p_len = packet->payload_packet_len; /* Backup */ 1742| | 1743| | /* Split the element in blocks */ 1744| 7.08k| processed = 0; 1745| 7.08k| while(processed + 13 < p_len) { ------------------ | Branch (1745:9): [True: 6.90k, False: 180] ------------------ 1746| 6.90k| u_int32_t block_len; 1747| 6.90k| const u_int8_t *block = (const u_int8_t *)&p[processed]; 1748| | 1749| 6.90k| if(!is_dtls(block, p_len, &block_len)) { ------------------ | Branch (1749:8): [True: 6.90k, False: 0] ------------------ 1750| 6.90k| no_dtls = 1; 1751| 6.90k| break; 1752| 6.90k| } 1753| | 1754| | /* We process only handshake msgs */ 1755| 0| if(block[0] == 0x16) { 
------------------ | Branch (1755:8): [True: 0, False: 0] ------------------ 1756| 0| if(processed + block_len + 13 > p_len) { ------------------ | Branch (1756:10): [True: 0, False: 0] ------------------ 1757| |#ifdef DEBUG_TLS 1758| | printf("[TLS] DTLS invalid len %d %d %d\n", processed, block_len, p_len); 1759| |#endif 1760| 0| no_dtls = 1; 1761| 0| break; 1762| 0| } 1763| | /* TODO: handle (certificate) fragments */ 1764| 0| if(block_len > 24) { ------------------ | Branch (1764:10): [True: 0, False: 0] ------------------ 1765| 0| handshake_len = (block[14] << 16) + (block[15] << 8) + block[16]; 1766| 0| handshake_frag_off = (block[19] << 16) + (block[20] << 8) + block[21]; 1767| 0| handshake_frag_len = (block[22] << 16) + (block[23] << 8) + block[24]; 1768| 0| message = &flow->tls_quic.message[packet->packet_direction]; 1769| | 1770| | 1771| |#ifdef DEBUG_TLS 1772| | printf("[TLS] DTLS frag off %d len %d\n", handshake_frag_off, handshake_frag_len); 1773| |#endif 1774| | 1775| 0| if((handshake_len + 12) == block_len) { ------------------ | Branch (1775:5): [True: 0, False: 0] ------------------ 1776| 0| packet->payload = &block[13]; 1777| 0| packet->payload_packet_len = block_len; 1778| 0| processHandshakeTLSBlock(ndpi_struct, flow); 1779| 0| } else if(handshake_len + 12 > block_len) { ------------------ | Branch (1779:12): [True: 0, False: 0] ------------------ 1780| 0| int rc; 1781| | 1782| |#ifdef DEBUG_TLS 1783| | printf("[TLS] DTLS fragment off %d len %d\n", handshake_frag_off, handshake_frag_len); 1784| |#endif 1785| 0| if(handshake_frag_len + 12 > block_len) { ------------------ | Branch (1785:14): [True: 0, False: 0] ------------------ 1786| |#ifdef DEBUG_TLS 1787| | printf("[TLS] DTLS fragment invalid len %d + 12 > %d\n", handshake_frag_len, block_len); 1788| |#endif 1789| 0| no_dtls = 1; 1790| 0| break; 1791| 0| } 1792| | 1793| 0| if(handshake_frag_off == 0) { ------------------ | Branch (1793:14): [True: 0, False: 0] ------------------ 1794| 0| rc = 
ndpi_search_tls_memory(&block[13], 1795| 0| handshake_frag_len + 12, 1796| 0| handshake_frag_off, message); 1797| 0| } else { 1798| 0| rc = ndpi_search_tls_memory(&block[13 + 12], 1799| 0| handshake_frag_len, 1800| 0| handshake_frag_off + 12, message); 1801| 0| } 1802| 0| if(rc == -1) { ------------------ | Branch (1802:7): [True: 0, False: 0] ------------------ 1803| 0| no_dtls = 1; 1804| 0| break; 1805| 0| } 1806| |#ifdef DEBUG_TLS 1807| | printf("[TLS] DTLS reassembled len %d vs %d\n", 1808| | message->buffer_used, handshake_len + 12); 1809| |#endif 1810| | 1811| 0| if(handshake_len + 12 == message->buffer_used) { ------------------ | Branch (1811:14): [True: 0, False: 0] ------------------ 1812| 0| packet->payload = message->buffer; 1813| 0| packet->payload_packet_len = message->buffer_used; 1814| 0| processHandshakeTLSBlock(ndpi_struct, flow); 1815| | 1816| 0| ndpi_free(message->buffer); 1817| 0| memset(message, '\0', sizeof(*message)); 1818| 0| message = NULL; 1819| 0| } else { 1820| | /* No break, next fragments might be in the same packet */ 1821| 0| } 1822| | 1823| 0| } else { 1824| |#ifdef DEBUG_TLS 1825| | printf("[TLS] DTLS invalid handshake_len %d, %d\n", 1826| | handshake_len, block_len); 1827| |#endif 1828| 0| no_dtls = 1; 1829| 0| break; 1830| 0| } 1831| 0| } 1832| 0| } else if(block[0] == 0x14) { ------------------ | Branch (1832:15): [True: 0, False: 0] ------------------ 1833| | /* Change-cipher-spec: any subsequent block might be encrypted */ 1834| |#ifdef DEBUG_TLS 1835| | printf("[TLS] Change-cipher-spec\n"); 1836| |#endif 1837| 0| change_cipher_found = 1; 1838| 0| processed += block_len + 13; 1839| 0| flow->tls_quic.certificate_processed = 1; /* Fake, to avoid extra dissection */ 1840| 0| break; 1841| 0| } else if(block[0] == 0x15 /* Alert */) { ------------------ | Branch (1841:15): [True: 0, False: 0] ------------------ 1842| |#ifdef DEBUG_TLS 1843| | printf("[TLS] TLS Alert\n"); 1844| |#endif 1845| | 1846| 0| if(block_len == 2) { 
------------------ | Branch (1846:10): [True: 0, False: 0] ------------------ 1847| 0| u_int8_t alert_level = block[13]; 1848| | 1849| 0| if(alert_level == 2 /* Warning (1), Fatal (2) */) ------------------ | Branch (1849:11): [True: 0, False: 0] ------------------ 1850| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_FATAL_ALERT, "Found fatal TLS alert"); 1851| 0| } 1852| 0| } else { 1853| |#ifdef DEBUG_TLS 1854| | printf("[TLS] Application Data\n"); 1855| |#endif 1856| 0| processed += block_len + 13; 1857| | /* DTLS mid session: no need to further inspect the flow */ 1858| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DTLS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 1859| | 1860| 0| ndpi_master_app_protocol proto; 1861| 0| proto.master_protocol = ndpi_get_master_proto(ndpi_struct, flow); 1862| 0| proto.app_protocol = NDPI_PROTOCOL_UNKNOWN; 1863| 0| flow->category = get_proto_category(ndpi_struct, proto); 1864| 0| flow->breed = get_proto_breed(ndpi_struct, proto); 1865| | 1866| 0| flow->tls_quic.certificate_processed = 1; /* Fake, to avoid extra dissection */ 1867| 0| break; 1868| 0| } 1869| | 1870| 0| processed += block_len + 13; 1871| 0| } 1872| | 1873| 7.08k| if(processed != p_len && message == NULL /* No pending reassembler */) { ------------------ | Branch (1873:6): [True: 7.08k, False: 0] | Branch (1873:28): [True: 7.08k, False: 0] ------------------ 1874| |#ifdef DEBUG_TLS 1875| | printf("[TLS] DTLS invalid processed len %d/%d (%d)\n", processed, p_len, change_cipher_found); 1876| |#endif 1877| 7.08k| if(!change_cipher_found) ------------------ | Branch (1877:8): [True: 7.08k, False: 0] ------------------ 1878| 7.08k| no_dtls = 1; 1879| 7.08k| } 1880| | 1881| 7.08k| packet->payload = p; 1882| 7.08k| packet->payload_packet_len = p_len; /* Restore */ 1883| | 1884| 7.08k| if(no_dtls || change_cipher_found || flow->tls_quic.certificate_processed) { ------------------ | Branch (1884:6): [True: 7.08k, False: 0] | Branch (1884:17): [True: 0, False: 
0] | Branch (1884:40): [True: 0, False: 0] ------------------ 1885| 7.08k| return(0); /* That's all */ 1886| 7.08k| } else { 1887| 0| return(1); /* Keep working */ 1888| 0| } 1889| 7.08k|} tls.c:ndpi_int_tls_add_connection: 2019| 6.81k| struct ndpi_flow_struct *flow) { 2020| 6.81k| u_int32_t protocol; 2021| | 2022| |#if DEBUG_TLS 2023| | printf("[TLS] %s()\n", __FUNCTION__); 2024| |#endif 2025| | 2026| 6.81k| if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_RDP) { ------------------ | Branch (2026:6): [True: 0, False: 6.81k] ------------------ 2027| | /* RDP over TLS */ 2028| 0| ndpi_set_detected_protocol(ndpi_struct, flow, 2029| 0| NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI); 2030| 0| return; 2031| 0| } 2032| | 2033| 6.81k| if((flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) || ------------------ | Branch (2033:6): [True: 2.28k, False: 4.53k] ------------------ 2034| 4.53k| (flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)) { ------------------ | Branch (2034:6): [True: 0, False: 4.53k] ------------------ 2035| 2.28k| if(!flow->extra_packets_func) ------------------ | Branch (2035:8): [True: 102, False: 2.17k] ------------------ 2036| 102| tlsInitExtraPacketProcessing(ndpi_struct, flow); 2037| | 2038| 2.28k| return; 2039| 2.28k| } 2040| | 2041| 4.53k| protocol = ndpi_get_master_proto(ndpi_struct, flow); 2042| | 2043| 4.53k| ndpi_set_detected_protocol(ndpi_struct, flow, protocol, protocol, NDPI_CONFIDENCE_DPI); 2044| | /* We don't want to ovewrite STUN extra dissection, if enabled */ 2045| 4.53k| if(!flow->extra_packets_func) ------------------ | Branch (2045:6): [True: 4.53k, False: 0] ------------------ 2046| 4.53k| tlsInitExtraPacketProcessing(ndpi_struct, flow); 2047| 4.53k|} tls.c:checkExtensions: 2054| 27.8k| u_int16_t extension_payload_offset) { 2055| 27.8k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 2056| | 2057| 27.8k| if((extension_payload_offset + extension_len) > 
packet->payload_packet_len) { ------------------ | Branch (2057:6): [True: 721, False: 27.0k] ------------------ 2058| |#ifdef DEBUG_TLS 2059| | printf("[TLS] extension length exceeds remaining packet length: %u > %u.\n", 2060| | extension_len, packet->payload_packet_len - extension_payload_offset); 2061| |#endif 2062| 721| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, "Invalid extension len"); 2063| 721| return; 2064| 721| } 2065| | 2066| | /* see: https://www.wireshark.org/docs/wsar_html/packet-tls-utils_8h_source.html */ 2067| 27.0k| static u_int16_t const allowed_non_iana_extensions[] = { 2068| 27.0k| /* 65486 ESNI is suspicious nowadays */ 13172 /* NPN - Next Proto Neg */, 2069| 27.0k| 30032 /* Channel ID */, 65445 /* QUIC transport params */, 2070| | /* GREASE extensions */ 2071| 27.0k| 2570, 6682, 10794, 14906, 19018, 23130, 27242, 2072| 27.0k| 31354, 35466, 39578, 43690, 47802, 51914, 56026, 2073| 27.0k| 60138, 64250, 2074| | /* Groups */ 2075| 27.0k| 1035, 10794, 16696, 23130, 31354, 35466, 51914, 2076| | /* Ciphers */ 2077| 27.0k| 102, 129, 52243, 52244, 57363, 65279, 65413, 2078| | /* ALPS */ 2079| 27.0k| 17513, 17613 2080| 27.0k| }; 2081| 27.0k| size_t const allowed_non_iana_extensions_size = sizeof(allowed_non_iana_extensions) / 2082| 27.0k| sizeof(allowed_non_iana_extensions[0]); 2083| | 2084| | /* see: https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ 2085| | /* 65281 renegotiation_info, 65037 ECH */ 2086| 27.0k| if(extension_id > 59 && extension_id != 65281 && extension_id != 65037) ------------------ | Branch (2086:6): [True: 4.93k, False: 22.1k] | Branch (2086:27): [True: 2.50k, False: 2.43k] | Branch (2086:52): [True: 2.50k, False: 0] ------------------ 2087| 2.50k| { 2088| 2.50k| u_int8_t extension_found = 0; 2089| 2.50k| size_t i; 2090| | 2091| 23.7k| for (i = 0; i < allowed_non_iana_extensions_size; ++i) { ------------------ | Branch (2091:19): [True: 23.1k, False: 606] 
------------------ 2092| 23.1k| if(allowed_non_iana_extensions[i] == extension_id) { ------------------ | Branch (2092:5): [True: 1.90k, False: 21.2k] ------------------ 2093| 1.90k| extension_found = 1; 2094| 1.90k| break; 2095| 1.90k| } 2096| 23.1k| } 2097| | 2098| 2.50k| if(extension_found == 0) { ------------------ | Branch (2098:10): [True: 606, False: 1.90k] ------------------ 2099| |#ifdef DEBUG_TLS 2100| | printf("[TLS] suspicious extension id: %u\n", extension_id); 2101| |#endif 2102| | 2103| 606| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_SUSPICIOUS_EXTENSION)) { ------------------ | Branch (2103:12): [True: 606, False: 0] ------------------ 2104| 606| char str[64]; 2105| | 2106| 606| snprintf(str, sizeof(str), "Extn id %u", extension_id); 2107| 606| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); 2108| 606| } else { 2109| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); 2110| 0| } 2111| 606| return; 2112| 606| } 2113| 2.50k| } 2114| | 2115| | /* Check for DTLS-only extensions. 
*/ 2116| 26.4k| if(is_dtls == 0) ------------------ | Branch (2116:6): [True: 26.4k, False: 0] ------------------ 2117| 26.4k| { 2118| 26.4k| if(extension_id == 53 || extension_id == 54) ------------------ | Branch (2118:10): [True: 1, False: 26.4k] | Branch (2118:32): [True: 1, False: 26.4k] ------------------ 2119| 2| { 2120| |#ifdef DEBUG_TLS 2121| | printf("[TLS] suspicious DTLS-only extension id: %u\n", extension_id); 2122| |#endif 2123| | 2124| 2| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_SUSPICIOUS_EXTENSION)) { ------------------ | Branch (2124:14): [True: 2, False: 0] ------------------ 2125| 2| char str[64]; 2126| | 2127| 2| snprintf(str, sizeof(str), "Extn id %u", extension_id); 2128| 2| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, str); 2129| 2| } else { 2130| | ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_SUSPICIOUS_EXTENSION, NULL); 2131| 0| } 2132| 2| return; 2133| 2| } 2134| 26.4k| } 2135| 26.4k|} tls.c:tlsCheckUncommonALPN: 1976| 1.36k| char *alpn_start) { 1977| 1.36k| char * comma_or_nul = alpn_start; 1978| | 1979| 4.02k| do { 1980| 4.02k| size_t alpn_len; 1981| | 1982| 4.02k| comma_or_nul = strchr(comma_or_nul, ','); 1983| | 1984| 4.02k| if(comma_or_nul == NULL) ------------------ | Branch (1984:8): [True: 951, False: 3.07k] ------------------ 1985| 951| comma_or_nul = alpn_start + strlen(alpn_start); 1986| | 1987| 4.02k| alpn_len = comma_or_nul - alpn_start; 1988| | 1989| 4.02k| if(!is_a_common_alpn(ndpi_struct, alpn_start, alpn_len)) { ------------------ | Branch (1989:8): [True: 771, False: 3.25k] ------------------ 1990| 771| if(is_flowrisk_info_enabled(ndpi_struct, NDPI_TLS_UNCOMMON_ALPN)) { ------------------ | Branch (1990:10): [True: 771, False: 0] ------------------ 1991| 771| char str[64]; 1992| 771| size_t str_len; 1993| | 1994| |#ifdef DEBUG_TLS 1995| | printf("TLS uncommon ALPN found: %.*s\n", (int)alpn_len, alpn_start); 1996| |#endif 1997| | 1998| 771| str[0] = '\0'; 1999| 771| str_len = ndpi_min(alpn_len, 
sizeof(str)); ------------------ | | 113| 771|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 770, False: 1] | | ------------------ ------------------ 2000| 771| if(str_len > 0) { ------------------ | Branch (2000:12): [True: 735, False: 36] ------------------ 2001| 735| strncpy(str, alpn_start, str_len); 2002| 735| str[str_len - 1] = '\0'; 2003| 735| } 2004| | 2005| 771| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, str); 2006| 771| } else { 2007| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_UNCOMMON_ALPN, NULL); 2008| 0| } 2009| 771| break; 2010| 771| } 2011| | 2012| 3.25k| alpn_start = comma_or_nul + 1; 2013| 3.25k| } while (*(comma_or_nul++) != '\0'); ------------------ | Branch (2013:12): [True: 2.66k, False: 591] ------------------ 2014| 1.36k|} tls.c:ndpi_compute_tls_server_fingerprint: 2463| 1.60k| ndpi_tls_server_info *s) { 2464| 1.60k| char tls_s[128], fp_buf[13]; 2465| 1.60k| u_int tls_s_len, i; 2466| 1.60k| u_int8_t sha_hash[NDPI_SHA256_BLOCK_SIZE]; 2467| | 2468| 1.60k| tls_s[0] = is_dtls ? 'd' : ((quic_version != 0) ? 'q' : 't'); ------------------ | Branch (2468:14): [True: 0, False: 1.60k] | Branch (2468:31): [True: 0, False: 1.60k] ------------------ 2469| 1.60k| ndpi_fill_version_str(tls_s, s->tls_handshake_version); 2470| 1.60k| tls_s_len = 3; 2471| | 2472| 1.60k| if(sizeof(tls_s) > tls_s_len) { ------------------ | Branch (2472:6): [True: 1.60k, False: 0] ------------------ 2473| 1.60k| int b_diff = sizeof(tls_s)-tls_s_len-1; 2474| | 2475| 1.60k| if(b_diff > 0) { ------------------ | Branch (2475:8): [True: 1.60k, False: 0] ------------------ 2476| 1.60k| int rc = ndpi_snprintf(&tls_s[tls_s_len], b_diff, "%02u_%s_%04x", 2477| 1.60k| s->num_tls_extensions, 2478| 1.60k| (s->alpn[0] == '\0') ? "00" : s->alpn, ------------------ | Branch (2478:9): [True: 1.59k, False: 12] ------------------ 2479| 1.60k| (s->num_ciphers > 0) ? 
s->cipher[0] : 0); ------------------ | Branch (2479:9): [True: 1.60k, False: 0] ------------------ 2480| | 2481| 1.60k| if(rc > 0) ------------------ | Branch (2481:10): [True: 1.60k, False: 0] ------------------ 2482| 1.60k| tls_s_len += rc; 2483| 1.60k| } 2484| 1.60k| } 2485| | 2486| 1.60k| if(sizeof(tls_s) > tls_s_len) ------------------ | Branch (2486:6): [True: 1.60k, False: 0] ------------------ 2487| 1.60k| tls_s[tls_s_len++] = '_'; 2488| | 2489| 6.72k| for(i=0; i<s->num_tls_extensions; i++) { ------------------ | Branch (2489:12): [True: 5.12k, False: 1.60k] ------------------ 2490| 5.12k| int b_diff = sizeof(tls_s)-tls_s_len-1; 2491| | 2492| 5.12k| if(b_diff > 0) { ------------------ | Branch (2492:8): [True: 5.12k, False: 0] ------------------ 2493| 5.12k| int rc = ndpi_snprintf(&tls_s[tls_s_len], b_diff, "%04x", 2494| 5.12k| s->tls_extension[i]); 2495| | 2496| 5.12k| if(rc <= 0) ------------------ | Branch (2496:10): [True: 0, False: 5.12k] ------------------ 2497| 0| break; 2498| 5.12k| else 2499| 5.12k| tls_s_len += rc; 2500| 5.12k| } else 2501| 0| break; 2502| 5.12k| } 2503| | 2504| 1.60k| if(sizeof(tls_s) > tls_s_len) ------------------ | Branch (2504:6): [True: 1.60k, False: 0] ------------------ 2505| 1.60k| tls_s[tls_s_len++] = '_'; 2506| | 2507| 1.60k| if(s->num_elliptic_curve_point_format > 0) { ------------------ | Branch (2507:6): [True: 827, False: 777] ------------------ 2508| 3.24k| for(i=0; i<s->num_elliptic_curve_point_format; i++) { ------------------ | Branch (2508:14): [True: 2.42k, False: 827] ------------------ 2509| 2.42k| int b_diff = sizeof(tls_s)-tls_s_len-1; 2510| | 2511| 2.42k| if(b_diff > 0) { ------------------ | Branch (2511:10): [True: 2.42k, False: 0] ------------------ 2512| 2.42k| int rc = ndpi_snprintf(&tls_s[tls_s_len], b_diff, "%04x", 2513| 2.42k| s->elliptic_curve_point_format[i]); 2514| | 2515| 2.42k| if(rc <= 0) ------------------ | Branch (2515:5): [True: 0, False: 2.42k] ------------------ 2516| 0| break; 2517| 2.42k| 
else 2518| 2.42k| tls_s_len += rc; 2519| 2.42k| } else 2520| 0| break; 2521| 2.42k| } 2522| 827| } else { 2523| 777| int b_diff = sizeof(tls_s)-tls_s_len-1; 2524| | 2525| 777| if(b_diff > 0) { ------------------ | Branch (2525:8): [True: 777, False: 0] ------------------ 2526| 777| /* No point formats were recorded: append a literal 0000 placeholder instead. */ int rc = ndpi_snprintf(&tls_s[tls_s_len], b_diff, "%04x", 0); 2527| | 2528| 777| if(rc > 0) ------------------ | Branch (2528:10): [True: 777, False: 0] ------------------ 2529| 777| tls_s_len += rc; 2530| 777| } 2531| 777| } 2532| | 2533| 1.60k| /* NOTE(review): every append above adds rc to tls_s_len without checking rc < b_diff. If ndpi_snprintf follows snprintf and returns the untruncated length, tls_s_len can end up larger than sizeof(tls_s) and this call would then read past the array; clamp tls_s_len before hashing. */ ndpi_sha256((const u_char *)tls_s, tls_s_len, sha_hash); 2534| | 2535| 1.60k| /* Only the first 6 digest bytes are kept, printed as 12 hex characters; fp_buf is 13 bytes, which leaves room for the terminator. */ ndpi_snprintf(fp_buf, sizeof(fp_buf), 2536| 1.60k| "%02x%02x%02x%02x%02x%02x", 2537| 1.60k| sha_hash[0], sha_hash[1], sha_hash[2], 2538| 1.60k| sha_hash[3], sha_hash[4], sha_hash[5]); 2539| | 2540| 1.60k| /* NOTE(review): plain assignment; a pointer already stored in server_fingerprint would be dropped without a free, and a NULL result from ndpi_strdup is not checked here. Confirm the caller runs this once per flow and that readers accept NULL. */ flow->ndpi.server_fingerprint = ndpi_strdup((char*)fp_buf); 2541| 1.60k|} tls.c:ndpi_fill_version_str: 2191| 4.25k| u_int16_t tls_handshake_version) { 2192| 4.25k| /* Writes a two-character version code into ja_str[1] and ja_str[2]; ja_str[0] is not touched here. Versions not listed fall to the default case and get 00. */ switch(tls_handshake_version) { 2193| 13| case 0x0304: /* TLS 1.3 = “13” */ ------------------ | Branch (2193:3): [True: 13, False: 4.24k] ------------------ 2194| 13| ja_str[1] = '1'; 2195| 13| ja_str[2] = '3'; 2196| 13| break; 2197| | 2198| 3.14k| case 0x0303: /* TLS 1.2 = “12” */ ------------------ | Branch (2198:3): [True: 3.14k, False: 1.10k] ------------------ 2199| 3.14k| ja_str[1] = '1'; 2200| 3.14k| ja_str[2] = '2'; 2201| 3.14k| break; 2202| | 2203| 4| case 0x0302: /* TLS 1.1 = “11” */ ------------------ | Branch (2203:3): [True: 4, False: 4.24k] ------------------ 2204| 4| ja_str[1] = '1'; 2205| 4| ja_str[2] = '1'; 2206| 4| break; 2207| | 2208| 994| case 0x0301: /* TLS 1.0 = “10” */ ------------------ | Branch (2208:3): [True: 994, False: 3.25k] ------------------ 2209| 994| ja_str[1] = '1'; 2210| 994| ja_str[2] = '0'; 2211| 994| break; 2212| 3| case 0x0300: /* SSL 3.0 = “s3” */ ------------------ | Branch (2212:3): [True: 3, False: 4.25k] ------------------ 2213| 3| ja_str[1] = 's'; 2214| 3|
ja_str[2] = '3'; 2215| 3| break; 2216| | 2217| 2| case 0x0002: /* SSL 2.0 = “s2” */ ------------------ | Branch (2217:3): [True: 2, False: 4.25k] ------------------ 2218| 2| ja_str[1] = 's'; 2219| 2| ja_str[2] = '2'; 2220| 2| break; 2221| | 2222| 0| case 0xFEFF: /* DTLS 1.0 = “d1” */ ------------------ | Branch (2222:3): [True: 0, False: 4.25k] ------------------ 2223| 0| ja_str[1] = 'd'; 2224| 0| ja_str[2] = '1'; 2225| 0| break; 2226| | 2227| 0| case 0xFEFD: /* DTLS 1.2 = “d2” */ ------------------ | Branch (2227:3): [True: 0, False: 4.25k] ------------------ 2228| 0| ja_str[1] = 'd'; 2229| 0| ja_str[2] = '2'; 2230| 0| break; 2231| 1| case 0xFEFC: /* DTLS 1.3 = “d3” */ ------------------ | Branch (2231:3): [True: 1, False: 4.25k] ------------------ 2232| 1| ja_str[1] = 'd'; 2233| 1| ja_str[2] = '3'; 2234| 1| break; 2235| | 2236| 90| default: ------------------ | Branch (2236:3): [True: 90, False: 4.16k] ------------------ 2237| 90| ja_str[1] = '0'; 2238| 90| ja_str[2] = '0'; 2239| 90| break; 2240| 4.25k| } 2241| 4.25k|} tls.c:tls_subclassify_by_alpn: 1958| 1.32k| struct ndpi_flow_struct *flow) { 1959| | /* Right now we have only one rule so we can keep it trivial */ 1960| | 1961| 1.32k| if(strlen(flow->protos.tls_quic.advertised_alpns) > NDPI_STATICSTRING_LEN("anydesk/") && ------------------ | | 98| 2.64k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (1961:6): [True: 790, False: 533] ------------------ 1962| 790| strncmp(flow->protos.tls_quic.advertised_alpns, "anydesk/", NDPI_STATICSTRING_LEN("anydesk/")) == 0) { ------------------ | | 98| 790|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (1962:6): [True: 0, False: 790] ------------------ 1963| |#ifdef DEBUG_TLS 1964| | printf("Matching ANYDESK via alpn\n"); 1965| |#endif 1966| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ANYDESK, 1967| 0| ndpi_get_master_proto(ndpi_struct, flow), NDPI_CONFIDENCE_DPI); 1968| 0| 
flow->protos.tls_quic.subprotocol_detected = 1; 1969| 0| } 1970| 1.32k|} tls.c:str_contains_digit: 91| 12|/* Returns true if a decimal digit occurs in str before the first '.' or the terminating NUL, false otherwise. */ static bool str_contains_digit(char *str) { 92| 12| u_int i = 0; 93| | 94| 181| for(i=0; (str[i] != '.') && (str[i] != '\0'); i++) { ------------------ | Branch (94:12): [True: 170, False: 11] | Branch (94:31): [True: 170, False: 0] ------------------ 95| 170| /* NOTE(review): str[i] is a plain char. isdigit() is undefined for negative arguments other than EOF, so on platforms where char is signed any byte >= 0x80 should be cast to unsigned char before the call. */ if(isdigit(str[i])) ------------------ | Branch (95:8): [True: 1, False: 169] ------------------ 96| 1| return(true); 97| 170| } 98| | 99| 11| return(false); 100| 12|} tls.c:ndpi_compute_ja4: 2248| 2.64k| union ndpi_ja_info *ja) { 2249| 2.64k| u_int8_t tmp_str[JA_STR_LEN], tmp_ndpi_str[512]; 2250| 2.64k| u_int tmp_str_len, tmp_ndpi_str_len = 0, num_extn, num_ndpi_extn; 2251| 2.64k| u_int8_t sha_hash[NDPI_SHA256_BLOCK_SIZE]; 2252| 2.64k| u_int16_t ja_str_len, i, ja_offset; 2253| 2.64k| int rc; 2254| 2.64k| u_int16_t tls_handshake_version = ja->client.tls_handshake_version; 2255| 2.64k| /* Both fingerprints are written straight into the flow structure. */ char * const ja_str = &flow->protos.tls_quic.ja4_client[0]; 2256| 2.64k| char * const ja_ndpi_str = &flow->protos.tls_quic.ja4_ndpi_client[0]; 2257| 2.64k| /* NOTE(review): ja_max_len is the size of ja4_client, yet it is also used as the bound when writing ja_ndpi_str, and the later length checks compare against JA_STR_LEN and the fixed index 36 instead. Confirm both arrays hold at least 37 bytes and have the same size. */ const u_int16_t ja_max_len = sizeof(flow->protos.tls_quic.ja4_client); 2258| 2.64k| bool is_dtls = ((flow->l4_proto == IPPROTO_UDP) && (quic_version == 0)) || flow->stun.maybe_dtls; ------------------ | Branch (2258:19): [True: 0, False: 2.64k] | Branch (2258:54): [True: 0, False: 0] | Branch (2258:78): [True: 0, False: 2.64k] ------------------ 2259| 2.64k| int ja4_r_len = 0; 2260| 2.64k| char ja4_r[1024]; 2261| | 2262| | /* 2263| | Compute JA4 TLS/QUIC client 2264| | 2265| | https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/JA4.md 2266| | 2267| | (QUIC=”q”, DTLS="d" or TCP=”t”) 2268| | (2 character TLS version) 2269| | (SNI=”d” or no SNI=”i”) 2270| | (2 character count of ciphers) 2271| | (2 character count of extensions) 2272| | (first and last characters of first ALPN extension value) 2273| | _ 2274| | (sha256 hash of the list of cipher hex codes sorted in
hex order, truncated to 12 characters) 2275| | _ 2276| | (sha256 hash of (the list of extension hex codes sorted in hex order) 2277| | _ 2278| | (the list of signature algorithms), truncated to 12 characters) 2279| | */ 2280| 2.64k| ja_str[0] = is_dtls ? 'd' : ((quic_version != 0) ? 'q' : 't'); ------------------ | Branch (2280:15): [True: 0, False: 2.64k] | Branch (2280:32): [True: 0, False: 2.64k] ------------------ 2281| | 2282| 2.70k| for(i=0; iclient.num_supported_versions; i++) { ------------------ | Branch (2282:12): [True: 54, False: 2.64k] ------------------ 2283| 54| if((!is_grease_version(ja->client.supported_version[i])) ------------------ | Branch (2283:8): [True: 54, False: 0] ------------------ 2284| 54| && (tls_handshake_version < ja->client.supported_version[i])) ------------------ | Branch (2284:11): [True: 28, False: 26] ------------------ 2285| 28| tls_handshake_version = ja->client.supported_version[i]; 2286| 54| } 2287| | 2288| 2.64k| ndpi_fill_version_str(ja_str, tls_handshake_version); 2289| | 2290| | /* Check if SNI extension exists at all */ 2291| 2.64k| if(flow->host_server_name[0] == '\0') { ------------------ | Branch (2291:6): [True: 304, False: 2.34k] ------------------ 2292| 304| ja_str[3] = 'i'; /* No SNI extension */ 2293| 2.34k| } else if(ndpi_isset_risk(flow, NDPI_NUMERIC_IP_HOST)) { ------------------ | Branch (2293:13): [True: 0, False: 2.34k] ------------------ 2294| 0| ja_str[3] = 'i'; /* SNI contains IP address */ 2295| 2.34k| } else { 2296| 2.34k| ja_str[3] = 'd'; /* SNI contains domain name */ 2297| 2.34k| } 2298| 2.64k| ja_str_len = 4; 2299| | 2300| | /* JA4_a */ 2301| | /* first + last character of the ALPN string (or '0' if missing) */ 2302| 2.64k| char alpn_first = (ja->client.alpn[0] != '\0') ? 
ja->client.alpn[0] : '0'; ------------------ | Branch (2302:21): [True: 1.40k, False: 1.24k] ------------------ 2303| 2.64k| char alpn_last = ja->client.alpn_original_last; /* Use original last character before null terminator */ 2304| | 2305| |#ifdef DEBUG_JA 2306| | size_t alpn_len = strlen(ja->client.alpn); 2307| | printf("[JA4 DEBUG] ALPN string: '%s' (len=%zu)\n", ja->client.alpn, alpn_len); 2308| | printf("[JA4 DEBUG] First='%c', Last='%c'\n", alpn_first, alpn_last); 2309| |#endif 2310| | 2311| 2.64k| /* Appends the two counts, each capped at 99 so it stays two digits, then the two ALPN characters and an underscore: 7 characters in total. NOTE(review): alpn_first and alpn_last are printed with %c as-is; presumably they come from the peer's ALPN value, so confirm that non-printable bytes are filtered before they reach this string. */ rc = ndpi_snprintf(&ja_str[ja_str_len], ja_max_len - ja_str_len, 2312| 2.64k| "%02u%02u%c%c_", 2313| 2.64k| ndpi_min(99, ja->client.num_ciphers), ------------------ | | 113| 2.64k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 2.64k] | | ------------------ ------------------ 2314| 2.64k| ndpi_min(99, ja->client.num_tls_extensions), ------------------ | | 113| 2.64k|#define ndpi_min(a,b) ((a < b) ? a : b) | | ------------------ | | | Branch (113:26): [True: 0, False: 2.64k] | | ------------------ ------------------ 2315| 2.64k| alpn_first, alpn_last); 2316| 2.64k| /* NOTE(review): the write above is bounded by ja_max_len, but this check uses JA_STR_LEN (1024). Comparing against ja_max_len would keep ja_str_len inside ja4_client even if the formatted length ever changes. */ if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; ------------------ | | 59| 2.64k|#define JA_STR_LEN 1024 ------------------ | Branch (2316:6): [True: 2.64k, False: 0] | Branch (2316:18): [True: 2.64k, False: 0] ------------------ 2317| | 2318| | /* Sort ciphers and extensions */ 2319| 2.64k| /* Both arrays are sorted in place, so the order in which the values were recorded is lost to any later reader of ja->client. */ qsort(&ja->client.cipher, ja->client.num_ciphers, sizeof(u_int16_t), u_int16_t_cmpfunc); 2320| 2.64k| qsort(&ja->client.tls_extension, ja->client.num_tls_extensions, sizeof(u_int16_t), u_int16_t_cmpfunc); 2321| | 2322| 2.64k| tmp_str_len = 0; 2323| 139k| for(i=0; iclient.num_ciphers; i++) { ------------------ | Branch (2323:12): [True: 136k, False: 2.64k] ------------------ 2324| |#ifdef JA4R_DECIMAL 2325| | rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "%s%u", (i > 0) ? 
"," : "", ja->client.cipher[i]); 2326| | if(rc > 0) ja4_r_len += rc; 2327| |#endif 2328| 136k| rc = ndpi_snprintf((char *)&tmp_str[tmp_str_len], JA_STR_LEN-tmp_str_len, "%s%04x", ------------------ | | 59| 136k|#define JA_STR_LEN 1024 ------------------ 2329| 136k| (i > 0) ? "," : "", ja->client.cipher[i]); ------------------ | Branch (2329:10): [True: 133k, False: 2.60k] ------------------ 2330| 136k| /* rc is added only when the result still fits, so tmp_str_len stays below JA_STR_LEN; otherwise the loop stops. */ if((rc > 0) && (tmp_str_len + rc < JA_STR_LEN)) tmp_str_len += rc; else break; ------------------ | | 59| 136k|#define JA_STR_LEN 1024 ------------------ | Branch (2330:8): [True: 136k, False: 0] | Branch (2330:20): [True: 136k, False: 0] ------------------ 2331| 136k| } 2332| | 2333| 2.64k|#ifndef JA4R_DECIMAL 2334| 2.64k| ja_str[ja_str_len] = 0; 2335| 2.64k| /* NOTE(review): snprintf returns the untruncated length, so after a truncated write ja4_r_len can reach or pass sizeof(ja4_r); a later call would then start outside ja4_r and sizeof(ja4_r)-ja4_r_len would wrap to a very large size_t. Whether that is reachable depends on the maximum num_ciphers, which is not visible here; clamp the way the tmp_str check does. i is u_int16_t, so a negative return would also pass the i > 0 test. */ i = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "%s", ja_str); if(i > 0) ja4_r_len += i; ------------------ | Branch (2335:78): [True: 2.64k, False: 0] ------------------ 2336| | 2337| 2.64k| tmp_str[tmp_str_len] = 0; 2338| 2.64k| i = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "%s_", tmp_str); if(i > 0) ja4_r_len += i; ------------------ | Branch (2338:80): [True: 2.64k, False: 0] ------------------ 2339| 2.64k|#endif 2340| | 2341| 2.64k| if(ja->client.num_ciphers > 0) { ------------------ | Branch (2341:6): [True: 2.60k, False: 42] ------------------ 2342| 2.60k| ndpi_sha256(tmp_str, tmp_str_len, sha_hash); 2343| 2.60k| } else { 2344| 42| /* Only sha_hash[0..5] are printed below, so clearing 6 bytes is enough for the empty-list case. */ memset(sha_hash, '\0', 6); 2345| 42| } 2346| | 2347| 2.64k| rc = ndpi_snprintf(&ja_str[ja_str_len], ja_max_len - ja_str_len, 2348| 2.64k| "%02x%02x%02x%02x%02x%02x_", 2349| 2.64k| sha_hash[0], sha_hash[1], sha_hash[2], 2350| 2.64k| sha_hash[3], sha_hash[4], sha_hash[5]); 2351| 2.64k| if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; ------------------ | | 59| 2.64k|#define JA_STR_LEN 1024 ------------------ | Branch (2351:6): [True: 2.64k, False: 0] | Branch (2351:18): [True: 2.64k, False: 0] ------------------ 2352| | 2353| |#ifdef DEBUG_JA
2354| | printf("[CIPHER] %s [len: %u]\n", tmp_str, tmp_str_len); 2355| |#endif 2356| | 2357| |#ifdef JA4R_DECIMAL 2358| | rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "_"); 2359| | if(rc > 0) ja4_r_len += rc; 2360| |#endif 2361| | 2362| 2.64k| tmp_str_len = 0; 2363| 23.1k| for(i=0, num_extn = num_ndpi_extn = 0; iclient.num_tls_extensions; i++) { ------------------ | Branch (2363:42): [True: 20.4k, False: 2.64k] ------------------ 2364| 20.4k| if((ja->client.tls_extension[i] > 0) && (ja->client.tls_extension[i] != 0x10 /* ALPN extension */)) { ------------------ | Branch (2364:8): [True: 15.4k, False: 5.01k] | Branch (2364:45): [True: 13.9k, False: 1.44k] ------------------ 2365| |#ifdef JA4R_DECIMAL 2366| | rc = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "%s%u", (num_extn > 0) ? "," : "", ja->client.tls_extension[i]); 2367| | if((rc > 0) && (ja4_r_len + rc < JA_STR_LEN)) ja4_r_len += rc; else break; 2368| |#endif 2369| | 2370| 13.9k| rc = ndpi_snprintf((char *)&tmp_str[tmp_str_len], JA_STR_LEN-tmp_str_len, "%s%04x", ------------------ | | 59| 13.9k|#define JA_STR_LEN 1024 ------------------ 2371| 13.9k| (num_extn > 0) ? "," : "", ja->client.tls_extension[i]); ------------------ | Branch (2371:5): [True: 11.6k, False: 2.30k] ------------------ 2372| 13.9k| if((rc > 0) && (tmp_str_len + rc < JA_STR_LEN)) tmp_str_len += rc; else break; ------------------ | | 59| 13.9k|#define JA_STR_LEN 1024 ------------------ | Branch (2372:10): [True: 13.9k, False: 0] | Branch (2372:22): [True: 13.9k, False: 0] ------------------ 2373| 13.9k| num_extn++; 2374| | 2375| 13.9k| if(!skipTLSextension(ndpi_struct, ja->client.tls_extension[i])) { ------------------ | Branch (2375:10): [True: 13.9k, False: 0] ------------------ 2376| 13.9k| rc = ndpi_snprintf((char *)&tmp_ndpi_str[tmp_ndpi_str_len], sizeof(tmp_ndpi_str)-tmp_ndpi_str_len, "%s%04x", 2377| 13.9k| (num_ndpi_extn > 0) ? 
"," : "", ja->client.tls_extension[i]); ------------------ | Branch (2377:7): [True: 11.6k, False: 2.30k] ------------------ 2378| 13.9k| if((rc > 0) && (tmp_ndpi_str_len + rc < sizeof(tmp_ndpi_str))) tmp_ndpi_str_len += rc; else break; ------------------ | Branch (2378:5): [True: 13.9k, False: 0] | Branch (2378:17): [True: 13.9k, False: 0] ------------------ 2379| 13.9k| num_ndpi_extn++; 2380| 13.9k| } 2381| 13.9k| } 2382| 20.4k| } 2383| | 2384| 21.2k| for(i=0; iclient.num_signature_algorithms; i++) { ------------------ | Branch (2384:12): [True: 18.6k, False: 2.64k] ------------------ 2385| 18.6k| rc = ndpi_snprintf((char *)&tmp_str[tmp_str_len], JA_STR_LEN-tmp_str_len, "%s%04x", ------------------ | | 59| 18.6k|#define JA_STR_LEN 1024 ------------------ 2386| 18.6k| (i > 0) ? "," : "_", ja->client.signature_algorithm[i]); ------------------ | Branch (2386:10): [True: 17.4k, False: 1.19k] ------------------ 2387| 18.6k| if((rc > 0) && (tmp_str_len + rc < JA_STR_LEN)) tmp_str_len += rc; else break; ------------------ | | 59| 18.6k|#define JA_STR_LEN 1024 ------------------ | Branch (2387:8): [True: 18.6k, False: 0] | Branch (2387:20): [True: 18.6k, False: 0] ------------------ 2388| | 2389| 18.6k| rc = ndpi_snprintf((char *)&tmp_ndpi_str[tmp_ndpi_str_len], sizeof(tmp_ndpi_str)-tmp_ndpi_str_len, "%s%04x", 2390| 18.6k| (i > 0) ? 
"," : "_", ja->client.signature_algorithm[i]); ------------------ | Branch (2390:10): [True: 17.4k, False: 1.19k] ------------------ 2391| 18.6k| if((rc > 0) && (tmp_ndpi_str_len + rc < sizeof(tmp_ndpi_str))) tmp_ndpi_str_len += rc; else break; ------------------ | Branch (2391:8): [True: 18.6k, False: 0] | Branch (2391:20): [True: 18.6k, False: 0] ------------------ 2392| 18.6k| } 2393| | 2394| |#ifdef DEBUG_JA 2395| | printf("[EXTN] %s [len: %u]\n", tmp_str, tmp_str_len); 2396| |#endif 2397| | 2398| |#ifdef DEBUG_NDPIFP 2399| | printf("[EXTN] %s [len: %u]\n", tmp_ndpi_str, tmp_ndpi_str_len); 2400| |#endif 2401| | 2402| 2.64k| tmp_str[tmp_str_len] = 0; 2403| | 2404| 2.64k|#ifndef JA4R_DECIMAL 2405| 2.64k| i = snprintf(&ja4_r[ja4_r_len], sizeof(ja4_r)-ja4_r_len, "%s", tmp_str); 2406| 2.64k| if(i > 0) ja4_r_len += i; ------------------ | Branch (2406:6): [True: 2.30k, False: 346] ------------------ 2407| 2.64k|#endif 2408| | 2409| 2.64k| if(ndpi_struct->cfg.tls_ja4r_fingerprint_enabled) { ------------------ | Branch (2409:6): [True: 0, False: 2.64k] ------------------ 2410| 0| if(flow->protos.tls_quic.ja4_client_raw == NULL) ------------------ | Branch (2410:8): [True: 0, False: 0] ------------------ 2411| 0| flow->protos.tls_quic.ja4_client_raw = ndpi_strdup(ja4_r); 2412| |#ifdef DEBUG_JA 2413| | printf("[JA4_r] %s [len: %u]\n", ja4_r, ja4_r_len); 2414| |#endif 2415| 0| } 2416| | 2417| 2.64k| if(ja->client.num_tls_extensions > 0) ------------------ | Branch (2417:6): [True: 2.57k, False: 78] ------------------ 2418| 2.57k| ndpi_sha256(tmp_str, tmp_str_len, sha_hash); 2419| 78| else 2420| 78| memset(sha_hash, '\0', 6); 2421| | 2422| 2.64k| ja_offset = ja_str_len; 2423| 2.64k| rc = ndpi_snprintf(&ja_str[ja_str_len], ja_max_len - ja_str_len, 2424| 2.64k| "%02x%02x%02x%02x%02x%02x", 2425| 2.64k| sha_hash[0], sha_hash[1], sha_hash[2], 2426| 2.64k| sha_hash[3], sha_hash[4], sha_hash[5]); 2427| 2.64k| if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; 
------------------ | | 59| 2.64k|#define JA_STR_LEN 1024 ------------------ | Branch (2427:6): [True: 2.64k, False: 0] | Branch (2427:18): [True: 2.64k, False: 0] ------------------ 2428| 2.64k| /* NOTE(review): fixed index; this assumes ja4_client holds at least 37 bytes. Confirm against the structure definition. */ ja_str[36] = 0; 2429| | 2430| | /* nDPI */ 2431| 2.64k| if(ja->client.num_tls_extensions > 0) ------------------ | Branch (2431:6): [True: 2.57k, False: 78] ------------------ 2432| 2.57k| ndpi_sha256(tmp_ndpi_str, tmp_ndpi_str_len, sha_hash); 2433| 78| else 2434| 78| memset(sha_hash, '\0', 6); 2435| | 2436| 2.64k| ja_str_len = ja_offset; 2437| 2.64k| /* Copies only the first ja_str_len bytes, i.e. the part before the last hash. strncpy adds no terminator when the source is longer than ja_str_len; the ndpi_snprintf at offset ja_str_len below is what terminates ja_ndpi_str. */ strncpy(ja_ndpi_str, ja_str, ja_str_len); 2438| | 2439| | /* Overwrite the extensions number */ 2440| 2.64k| /* NOTE(review): with a size of 2 a standard snprintf stores one digit and a terminating NUL, so ja_ndpi_str[7] would become 0 and the string would read as 7 characters even after the hash is appended further on. Confirm how ndpi_snprintf behaves; if it follows snprintf, format into a 3-byte temporary and copy the two digits. num_ndpi_extn is also not capped at 99 here. */ ndpi_snprintf(&ja_ndpi_str[6], 2, "%02u", num_ndpi_extn); 2441| | 2442| 2.64k| /* NOTE(review): ja_max_len was taken from sizeof ja4_client, not ja4_ndpi_client; confirm the two arrays have the same size. */ rc = ndpi_snprintf(&ja_ndpi_str[ja_str_len], ja_max_len - ja_str_len, 2443| 2.64k| "%02x%02x%02x%02x%02x%02x", 2444| 2.64k| sha_hash[0], sha_hash[1], sha_hash[2], 2445| 2.64k| sha_hash[3], sha_hash[4], sha_hash[5]); 2446| 2.64k| if((rc > 0) && (ja_str_len + rc < JA_STR_LEN)) ja_str_len += rc; ------------------ | | 59| 2.64k|#define JA_STR_LEN 1024 ------------------ | Branch (2446:6): [True: 2.64k, False: 0] | Branch (2446:18): [True: 2.64k, False: 0] ------------------ 2447| 2.64k| ja_ndpi_str[36] = 0; 2448| | 2449| |#ifdef DEBUG_JA 2450| | printf("[JA4] %s [len: %lu]\n", ja_str, strlen(ja_str)); 2451| |#endif 2452| | 2453| |#ifdef DEBUG_NDPIFP 2454| | printf("[EXTN] %s\n", ja_ndpi_str); 2455| |#endif 2456| 2.64k|} tls.c:is_grease_version: 2141| 54|/* Returns true when version is one of the sixteen 0x?a?a values listed in the switch (the GREASE pattern), false for anything else. */ static bool is_grease_version(u_int16_t version) { 2142| 54| switch(version) { 2143| 0| case 0x0a0a: ------------------ | Branch (2143:3): [True: 0, False: 54] ------------------ 2144| 0| case 0x1a1a: ------------------ | Branch (2144:3): [True: 0, False: 54] ------------------ 2145| 0| case 0x2a2a: ------------------ | Branch (2145:3): [True: 0, False: 54] ------------------ 2146| 0| case 0x3a3a: ------------------ | Branch (2146:3): [True: 0, False: 54] ------------------ 2147| 0| case 0x4a4a:
------------------ | Branch (2147:3): [True: 0, False: 54] ------------------ 2148| 0| case 0x5a5a: ------------------ | Branch (2148:3): [True: 0, False: 54] ------------------ 2149| 0| case 0x6a6a: ------------------ | Branch (2149:3): [True: 0, False: 54] ------------------ 2150| 0| case 0x7a7a: ------------------ | Branch (2150:3): [True: 0, False: 54] ------------------ 2151| 0| case 0x8a8a: ------------------ | Branch (2151:3): [True: 0, False: 54] ------------------ 2152| 0| case 0x9a9a: ------------------ | Branch (2152:3): [True: 0, False: 54] ------------------ 2153| 0| case 0xaaaa: ------------------ | Branch (2153:3): [True: 0, False: 54] ------------------ 2154| 0| case 0xbaba: ------------------ | Branch (2154:3): [True: 0, False: 54] ------------------ 2155| 0| case 0xcaca: ------------------ | Branch (2155:3): [True: 0, False: 54] ------------------ 2156| 0| case 0xdada: ------------------ | Branch (2156:3): [True: 0, False: 54] ------------------ 2157| 0| case 0xeaea: ------------------ | Branch (2157:3): [True: 0, False: 54] ------------------ 2158| 0| case 0xfafa: ------------------ | Branch (2158:3): [True: 0, False: 54] ------------------ 2159| 0| return(true); 2160| | 2161| 54| default: ------------------ | Branch (2161:3): [True: 54, False: 0] ------------------ 2162| | return(false); 2163| 54| } 2164| 54|} tls.c:u_int16_t_cmpfunc: 2139| 673k|static int u_int16_t_cmpfunc(const void * a, const void * b) { return(*(u_int16_t*)a - *(u_int16_t*)b); } tls.c:ndpi_search_tls_wrapper: 3727| 26.6k| struct ndpi_flow_struct *flow) { 3728| 26.6k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 3729| 26.6k| int rc = 0; 3730| | 3731| |#ifdef DEBUG_TLS 3732| | printf("==>> %s() [len: %u][version: %u]\n", 3733| | __FUNCTION__, 3734| | packet->payload_packet_len, 3735| | flow->protos.tls_quic.ssl_version); 3736| |#endif 3737| | 3738| | /* It is not easy to handle "standard" TLS/DTLS detection and (plain) obfuscated 3739| | heuristic at the SAME 
time. Use a trivial logic: switch to heuristic 3740| | code only if the standard functions fail */ 3741| | 3742| | /* We might be in extra-dissection data-path here (if we have been 3743| | called from STUN or from Mails/FTP/...), but plain obfuscated heuristic 3744| | is always checked in "standard" data-path! */ 3745| | 3746| 26.6k| if(flow->tls_quic.obfuscated_heur_state == NULL) { ------------------ | Branch (3746:6): [True: 26.6k, False: 0] ------------------ 3747| 26.6k| if(packet->udp != NULL || flow->stun.maybe_dtls) ------------------ | Branch (3747:8): [True: 7.08k, False: 19.5k] | Branch (3747:31): [True: 0, False: 19.5k] ------------------ 3748| 7.08k| rc = ndpi_search_dtls(ndpi_struct, flow); 3749| 19.5k| else 3750| 19.5k| rc = ndpi_search_tls_tcp(ndpi_struct, flow); 3751| | 3752| | /* We should check for this TLS heuristic if: 3753| | * the feature is enabled 3754| | * this flow doesn't seem a real TLS/DTLS one 3755| | * we are not here from STUN code or from opportunistic tls path (mails/ftp) 3756| | * with TCP, we got the 3WHS (so that we can process the beginning of the flow) 3757| | */ 3758| 26.6k| if(rc == 0 && ------------------ | Branch (3758:8): [True: 20.2k, False: 6.39k] ------------------ 3759| 20.2k| (ndpi_struct->cfg.tls_heuristics & NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN) && ------------------ | | 830| 20.2k|#define NDPI_HEURISTICS_TLS_OBFUSCATED_PLAIN 0x01 /* Enable heuristic to detect proxied/obfuscated TLS flows over generic/unknown flows */ ------------------ | Branch (3759:8): [True: 0, False: 20.2k] ------------------ 3760| 0| flow->stun.maybe_dtls == 0 && ------------------ | Branch (3760:8): [True: 0, False: 0] ------------------ 3761| 0| flow->tls_quic.from_opportunistic_tls == 0 && ------------------ | Branch (3761:8): [True: 0, False: 0] ------------------ 3762| 0| ((flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow)) || ------------------ | Branch (3762:10): [True: 0, False: 0] | Branch (3762:43): [True: 0, False: 
0] ------------------ 3763| 0| flow->l4_proto == IPPROTO_UDP) && ------------------ | Branch (3763:9): [True: 0, False: 0] ------------------ 3764| 0| !is_flow_addr_informative(flow) /* The proxy server is likely hosted on some cloud providers */ ) { ------------------ | Branch (3764:8): [True: 0, False: 0] ------------------ 3765| 0| flow->tls_quic.obfuscated_heur_state = ndpi_calloc(1, sizeof(struct tls_obfuscated_heuristic_state)); 3766| 0| } 3767| 26.6k| } 3768| | 3769| 26.6k| if(flow->tls_quic.obfuscated_heur_state) { ------------------ | Branch (3769:6): [True: 0, False: 26.6k] ------------------ 3770| 0| tls_obfuscated_heur_search_again(ndpi_struct, flow); 3771| 26.6k| } else if(rc == 0) { ------------------ | Branch (3771:13): [True: 20.2k, False: 6.39k] ------------------ 3772| 20.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 20.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 3773| 20.2k| } 3774| 26.6k|} init_toca_boca_dissector: 80| 7.08k|{ 81| 7.08k| ndpi_register_dissector("TocaBoca", ndpi_struct, 82| 7.08k| ndpi_search_toca_boca, 83| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 84| 7.08k| 1, NDPI_PROTOCOL_TOCA_BOCA); 85| 7.08k|} tocaboca.c:ndpi_search_toca_boca: 38| 3.37k|{ 39| 3.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| 3.37k| u_int32_t payload_len = packet->payload_packet_len; 41| | 42| 3.37k| NDPI_LOG_DBG(ndpi_struct, "search TocaBoca\n"); ------------------ | | 596| 3.37k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 43| | 44| 3.37k| if (packet->udp != NULL) ------------------ | Branch (44:7): [True: 3.37k, False: 0] ------------------ 45| 3.37k| { 46| 3.37k| if (payload_len >= 13 ------------------ | Branch (46:9): [True: 3.19k, False: 178] ------------------ 47| 3.19k| && get_u_int32_t(packet->payload, 0) == 0x7d7d7d7d ------------------ | | 137| 3.19k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (47:12): [True: 1, False: 3.19k] ------------------ 48| 1| && get_u_int32_t(packet->payload, 4) == 0x7d7d7d7d) ------------------ | | 137| 1|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (48:12): [True: 1, False: 0] ------------------ 49| 1| { 50| 1| ndpi_int_toca_boca_add_connection(ndpi_struct, flow); 51| 1| return; 52| 1| } 53| | 54| 3.37k| if (flow->packet_counter == 1 ------------------ | Branch (54:9): [True: 3.37k, False: 0] ------------------ 55| 3.37k| && payload_len >= 24 ------------------ | Branch (55:12): [True: 3.04k, False: 323] ------------------ 56| 3.37k| && ntohl(get_u_int32_t(packet->payload, 0)) == 0xffff0001 ------------------ | Branch (56:12): [True: 0, False: 
3.04k] ------------------ 57| 3.37k| && ntohl(get_u_int32_t(packet->payload, 12)) == 0x02ff0104) ------------------ | Branch (57:12): [True: 0, False: 0] ------------------ 58| 0| { 59| 0| ndpi_int_toca_boca_add_connection(ndpi_struct, flow); 60| 0| return; 61| 0| } 62| | 63| 3.37k| if (payload_len >= 32 ------------------ | Branch (63:9): [True: 2.91k, False: 455] ------------------ 64| 2.91k| && (ntohs(get_u_int16_t(packet->payload, 2)) == 0x0001 ------------------ | Branch (64:13): [True: 11, False: 2.90k] ------------------ 65| 2.91k| || ntohs(get_u_int16_t(packet->payload, 2)) == 0x0002 ------------------ | Branch (65:16): [True: 7, False: 2.89k] ------------------ 66| 2.91k| || ntohs(get_u_int16_t(packet->payload, 2)) == 0x0003) ------------------ | Branch (66:16): [True: 2, False: 2.89k] ------------------ 67| 20| && (ntohl(get_u_int32_t(packet->payload, 12)) == 0x01ff0000 ------------------ | Branch (67:13): [True: 0, False: 20] ------------------ 68| 20| || ntohl(get_u_int32_t(packet->payload, 12)) == 0x01000000) ------------------ | Branch (68:16): [True: 1, False: 19] ------------------ 69| 3.37k| && ntohl(get_u_int32_t(packet->payload, 16)) == 0x00000014) ------------------ | Branch (69:12): [True: 0, False: 1] ------------------ 70| 0| { 71| 0| ndpi_int_toca_boca_add_connection(ndpi_struct, flow); 72| 0| return; 73| 0| } 74| 3.37k| } 75| | 76| 3.37k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.37k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 77| 3.37k|} tocaboca.c:ndpi_int_toca_boca_add_connection: 30| 1|{ 31| 1| NDPI_LOG_INFO(ndpi_struct, "found TocaBoca\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 32| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 33| 1| NDPI_PROTOCOL_TOCA_BOCA, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 34| 1|} init_tplink_shp_dissector: 85| 7.08k|{ 86| 7.08k| ndpi_register_dissector("TPLINK SHP", ndpi_struct, 87| 7.08k| ndpi_search_tplink_shp, 88| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | 
------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 89| 7.08k| 1, NDPI_PROTOCOL_TPLINK_SHP); 90| 7.08k|} tplink_shp.c:ndpi_search_tplink_shp: 49| 15.0k|{ 50| 15.0k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 51| | 52| 15.0k| NDPI_LOG_DBG(ndpi_struct, "search TPLINK SHP\n"); ------------------ | | 596| 15.0k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 53| | 54| 15.0k| u_int16_t offset = 0; 55| | /* Skip length header (TCP payloads only) */ 56| 15.0k| if(packet->tcp != NULL) offset = _TPLSHP_TCP_LEN_HDR; ------------------ | | 32| 11.7k|#define _TPLSHP_TCP_LEN_HDR 4 ------------------ | Branch (56:6): [True: 11.7k, False: 3.36k] ------------------ 57| | 58| 15.0k| /* Guards the two payload reads below. NOTE(review): this is only safe if payload_packet_len is narrower than int, so that the subtraction is done in signed int and a payload shorter than offset gives a negative value. With an unsigned int field the result would wrap and pass the check. Confirm the field type, or compare payload_packet_len < offset + _TPLSHP_MIN_LEN instead. */ if (packet->payload_packet_len - offset < _TPLSHP_MIN_LEN) ------------------ | | 31| 15.0k|#define _TPLSHP_MIN_LEN 2 ------------------ | Branch (58:7): [True: 862, False: 14.2k] ------------------ 59| 862| { 60| 862| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 862|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 862| return; 62| 862| } 63| | 64| 14.2k| u_int16_t i; 65| 14.2k| u_int8_t k = 171, b[_TPLSHP_MIN_LEN]; 66| | 67| 42.6k| /* Decode the first two bytes after the offset: each byte is XORed with the previous encoded byte, and the first one with the starting key 171. */ for (i = 0 ; i < _TPLSHP_MIN_LEN; i++) ------------------ | | 31| 42.6k|#define _TPLSHP_MIN_LEN 2 ------------------ | Branch (67:16): [True: 28.4k, False: 14.2k] ------------------ 68| 28.4k| { 69| 28.4k| b[i] = packet->payload[i + offset] ^ k; 70| 28.4k| k = packet->payload[i + offset]; 71| 28.4k| } 72| | 73| 14.2k| /* The decoded bytes must be an opening brace followed by a closing brace or a double quote (presumably the start of a JSON object); anything else excludes this dissector for the flow. */ if (b[0] != '{' || (b[1] != '}' && b[1] != '"')) ------------------ | Branch (73:7): [True: 14.2k, False: 15] | Branch (73:23): [True: 15, False: 0] | Branch (73:38): [True: 15, False: 0] ------------------ 74| 14.2k| { 75| 14.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------ | | 91| 14.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 76| 14.2k| return; 77| 14.2k| } 78| | 79| 0| ndpi_int_tplink_shp_add_connection(ndpi_struct, flow); 80| 0|} init_trdp_dissector: 87| 7.08k|{ 88| 7.08k| ndpi_register_dissector("TRDP", ndpi_struct, 89| 7.08k| ndpi_search_trdp, 90| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 91| 7.08k| 1, NDPI_PROTOCOL_TRDP); 92| 7.08k|} trdp.c:ndpi_search_trdp: 45| 14.9k|{ 46| 14.9k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 47| | 48| 14.9k| NDPI_LOG_DBG(ndpi_struct, "search TRDP\n"); ------------------ | | 596| 14.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 49| | 50| 14.9k| if (packet->payload_packet_len >= TRDP_PD_HDR_LEN) ------------------ | | 35| 14.9k|#define TRDP_PD_HDR_LEN 40 ------------------ | Branch (50:7): [True: 7.50k, False: 7.46k] ------------------ 51| 7.50k| { 52| 7.50k| u_int32_t header_fcs = 0; 53| 7.50k| u_int32_t dataset_len = 0; 54| | 55| 7.50k| if (!packet->tcp && packet->payload[6] == 'P') { /* Process Data */ ------------------ | Branch (55:9): [True: 2.79k, False: 4.71k] | Branch (55:25): [True: 4, False: 2.78k] ------------------ 56| 4| dataset_len = ntohl(get_u_int32_t(packet->payload, 20)); 57| 4| if ((u_int32_t)(packet->payload_packet_len-TRDP_PD_HDR_LEN) == dataset_len && ------------------ | | 35| 4|#define TRDP_PD_HDR_LEN 40 ------------------ | Branch (57:11): [True: 0, False: 4] ------------------ 58| 0| get_u_int32_t(packet->payload, 24) == 0) /* Reserved, must be zero */ ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (58:11): [True: 0, False: 0] ------------------ 59| 0| { 60| 0| header_fcs = ndpi_crc32(packet->payload, TRDP_PD_HDR_LEN-4, 0); ------------------ | | 35| 0|#define TRDP_PD_HDR_LEN 40 ------------------ 61| 0| if (header_fcs == le32toh(get_u_int32_t(packet->payload, TRDP_PD_HDR_LEN-4))) { ------------------ | Branch (61:13): [True: 0, False: 0] ------------------ 62| 0| 
ndpi_int_trdp_add_connection(ndpi_struct, flow); 63| 0| return; 64| 0| } 65| 0| } 66| 4| } 67| | 68| 7.50k| if (packet->payload_packet_len >= TRDP_MD_HDR_LEN && packet->payload[6] == 'M') { /* Message Data */ ------------------ | | 34| 15.0k|#define TRDP_MD_HDR_LEN 116 ------------------ | Branch (68:9): [True: 3.57k, False: 3.93k] | Branch (68:58): [True: 3, False: 3.56k] ------------------ 69| 3| dataset_len = ntohl(get_u_int32_t(packet->payload, 20)); 70| 3| u_int32_t padding = (4 - (dataset_len % 4)) % 4; 71| | 72| 3| if ((u_int32_t)(packet->payload_packet_len - TRDP_MD_HDR_LEN - padding) == dataset_len) ------------------ | | 34| 3|#define TRDP_MD_HDR_LEN 116 ------------------ | Branch (72:11): [True: 0, False: 3] ------------------ 73| 0| { 74| 0| header_fcs = ndpi_crc32(packet->payload, TRDP_MD_HDR_LEN-4, 0); ------------------ | | 34| 0|#define TRDP_MD_HDR_LEN 116 ------------------ 75| 0| if (header_fcs == le32toh(get_u_int32_t(packet->payload, TRDP_MD_HDR_LEN-4))) { ------------------ | Branch (75:13): [True: 0, False: 0] ------------------ 76| 0| ndpi_int_trdp_add_connection(ndpi_struct, flow); 77| 0| return; 78| 0| } 79| 0| } 80| 3| } 81| 7.50k| } 82| | 83| 14.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 14.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 84| 14.9k|} init_tristation_dissector: 75| 7.08k|{ 76| 7.08k| ndpi_register_dissector("TriStation", ndpi_struct, 77| 7.08k| ndpi_search_tristation, 78| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | 
NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 79| 7.08k| 1, NDPI_PROTOCOL_TRISTATION); 80| 7.08k|} tristation.c:ndpi_search_tristation: 49| 3.32k|{ 50| 3.32k| struct ndpi_packet_struct * const packet = &ndpi_struct->packet; 51| | 52| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search TriStation Safety Instrumented Systems\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 53| | 54| 3.32k| if (packet->payload_packet_len < sizeof(struct ts_header)) { ------------------ | Branch (54:7): [True: 128, False: 3.19k] ------------------ 55| 128| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 128|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 56| 128| return; 57| 128| } 58| | 59| 3.19k| struct ts_header const * const hdr = (struct ts_header const *)&packet->payload[0]; 60| 3.19k| if (hdr->direction > 1) { ------------------ | Branch (60:7): [True: 2.40k, False: 787] ------------------ 61| 2.40k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.40k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 62| 2.40k| return; 63| 2.40k| } 64| | 65| 787| uint16_t len = le16toh(hdr->length); 66| 787| if (packet->payload_packet_len != len + 6) { ------------------ | Branch (66:7): [True: 786, False: 1] ------------------ 67| 786| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 786|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 68| 786| return; 69| 786| } 70| | 71| 1| ndpi_int_tristation_add_connection(ndpi_struct, flow); 72| 1|} tristation.c:ndpi_int_tristation_add_connection: 39| 1|{ 40| 1| NDPI_LOG_INFO(ndpi_struct, "found TriStation Safety Instrumented Systems\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 41| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 42| 1| NDPI_PROTOCOL_TRISTATION, 43| 1| NDPI_PROTOCOL_UNKNOWN, 44| 1| NDPI_CONFIDENCE_DPI); 45| 1|} init_tuya_lp_dissector: 84| 7.08k|{ 85| 7.08k| ndpi_register_dissector("TUYA LP", ndpi_struct, 86| 7.08k| ndpi_search_tuya_lp, 87| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 88| 7.08k| 1, NDPI_PROTOCOL_TUYA_LP); 89| 7.08k|} tuya_lp.c:ndpi_search_tuya_lp: 44| 3.36k|{ 45| 3.36k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 46| | 47| 3.36k| NDPI_LOG_DBG(ndpi_struct, "search TUYA LP\n"); ------------------ | | 596| 3.36k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 48| | 49| 3.36k| if (packet->payload_packet_len < 16) ------------------ | Branch (49:7): [True: 181, False: 3.17k] ------------------ 50| 181| { 51| 181| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 181|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 181| return; 53| 181| } 54| | 55| | /* https://github.com/tuya/tuya-iotos-embeded-sdk-wifi-ble-bk7231n/blob/0eff617610cc97e0d134bb8136cebb518a2a403b/sdk/include/lan_protocol.h#L73 */ 56| 3.17k| if (ntohl(get_u_int32_t(packet->payload, 0)) != 0x000055AA) ------------------ | Branch (56:7): [True: 3.17k, False: 0] ------------------ 57| 3.17k| { 58| 3.17k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.17k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 3.17k| return; 60| 3.17k| } 61| | 62| 0| if (packet->payload_packet_len < ------------------ | Branch (62:7): [True: 0, False: 0] ------------------ 63| 0| ntohl(get_u_int32_t(packet->payload, 4))) 64| 0| { 65| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 66| 0| return; 67| 0| } 68| | 69| 0| if (packet->payload[packet->payload_packet_len - 4] != 0x00 || ------------------ | Branch (69:7): [True: 0, False: 0] ------------------ 70| 0| packet->payload[packet->payload_packet_len - 3] != 0x00 || ------------------ | Branch (70:7): [True: 0, False: 0] ------------------ 71| 0| packet->payload[packet->payload_packet_len - 2] != 0xAA || ------------------ | Branch (71:7): [True: 0, False: 0] ------------------ 72| 0| packet->payload[packet->payload_packet_len - 1] != 0x55) ------------------ | Branch 
(72:7): [True: 0, False: 0]
------------------
73| 0| {
74| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
75| 0| return;
76| 0| }
77| |
78| 0| ndpi_int_tuya_lp_add_connection(ndpi_struct, flow);
79| 0|}
init_ubntac2_dissector:
/* Registers ndpi_search_ubntac2 under the name UBNTAC2 with the UDP-with-payload selection bitmask. */
76| 7.08k|{
77| 7.08k| ndpi_register_dissector("UBNTAC2", ndpi_struct,
78| 7.08k| ndpi_search_ubntac2,
79| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
------------------
| | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD)
| | ------------------
| | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP)
| | | | ------------------
| | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7)
| | | | ------------------
| | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP)
| | | | ------------------
| | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2)
| | | | ------------------
| | ------------------
| | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD)
| | ------------------
| | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4)
| | ------------------
------------------
80| 7.08k| 1, NDPI_PROTOCOL_UBNTAC2);
81| 7.08k|}
ubntac2.c:ndpi_search_ubntac2:
/*
 * ndpi_search_ubntac2 (body only; the report omits the signature).
 * Accepts a packet when the payload is at least 4 bytes, the UDP source or
 * destination port is 10001, the first 16-bit word is 0x0206 or 0x0100, and
 * 4 plus the 16-bit length at offset 2 equals the payload length. On a match
 * it registers the flow and walks the TLV list, copying the value of a
 * type-0x03 TLV into flow->protos.ubntac2.version; otherwise the dissector is
 * excluded for the flow.
 *
 * Coverage: both port branches at line 45 are True 0 times out of 3.30k, so
 * lines 46-69 -- including the TLV loop and the memcpy from packet data --
 * were never executed in this run. The length handling below is therefore
 * untested by this corpus; a seed using UDP port 10001 is needed before the
 * counts say anything about it.
 *
 * NOTE(review): packet->udp is dereferenced without a NULL check; the
 * registration above selects UDP-with-payload traffic only, which presumably
 * guarantees it is set -- confirm.
 */
36| 3.42k|{
37| 3.42k| struct ndpi_packet_struct *packet = &ndpi_struct->packet;
38| 3.42k| u_int8_t tlv_type;
39| 3.42k| u_int16_t tlv_length, version_len;
40| 3.42k| int off;
41| |
42| 3.42k| NDPI_LOG_DBG(ndpi_struct, "search
ubntac2\n");
------------------
| | 596| 3.42k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ }
------------------
43| |
44| 3.42k| if(packet->payload_packet_len >= 4 &&
------------------
| Branch (44:6): [True: 3.30k, False: 121]
------------------
45| 3.30k| (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) &&
------------------
| Branch (45:7): [True: 0, False: 3.30k]
| Branch (45:46): [True: 0, False: 3.30k]
------------------
46| 0| (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0206 ||
------------------
| Branch (46:7): [True: 0, False: 0]
------------------
47| 0| ntohs(get_u_int16_t(packet->payload, 0)) == 0x0100 /* discovery request/reply */) &&
------------------
| Branch (47:7): [True: 0, False: 0]
------------------
48| 0| (4 + ntohs(*(u_int16_t *)&packet->payload[2]) == packet->payload_packet_len)) {
------------------
| Branch (48:6): [True: 0, False: 0]
------------------
49| 0| NDPI_LOG_INFO(ndpi_struct, "UBNT AirControl 2 request\n");
------------------
| | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ }
------------------
50| 0| ndpi_int_ubntac2_add_connection(ndpi_struct, flow);
51| |
52| | /* Parse TLV list: 1 byte type + 2 byte length + (optional) data */
53| 0| off = 4;
/* The loop condition keeps the 3-byte TLV header (type + 16-bit length) inside the payload. */
54| 0| while (off + 3 < packet->payload_packet_len) {
------------------
| Branch (54:12): [True: 0, False: 0]
------------------
55| 0| tlv_type = packet->payload[off];
/*
 * NOTE(review): cast-based 16-bit read at an arbitrary byte offset; this may
 * be an unaligned access on strict-alignment targets -- confirm the project
 * policy for such reads.
 */
56| 0| tlv_length = ntohs(*(u_int16_t *)&packet->payload[off + 1]);
57| |
58| 0| NDPI_LOG_DBG2(ndpi_struct, "0x%x Len %d\n", tlv_type, tlv_length);
------------------
| | 597| 0|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ }
------------------
59| |
/*
 * Source bound: the value is copied only if it ends strictly before the end
 * of the payload, so a version TLV that ends exactly at the last byte is
 * skipped. Destination bound: the copy length is capped at
 * sizeof(version) - 1 and the buffer is NUL-terminated at that index.
 */
60| 0| if(tlv_type == 0x03 && off + 3 + tlv_length < packet->payload_packet_len) {
------------------
| Branch (60:10): [True: 0, False: 0]
| Branch (60:30): [True: 0, False: 0]
------------------
61| 0| version_len = ndpi_min(sizeof(flow->protos.ubntac2.version) - 1, tlv_length);
------------------
| | 113| 0|#define ndpi_min(a,b) ((a < b) ? a : b)
| | ------------------
| | | Branch (113:26): [True: 0, False: 0]
| | ------------------
------------------
62| 0| memcpy(flow->protos.ubntac2.version, (const char *)&packet->payload[off + 3], version_len);
63| 0| flow->protos.ubntac2.version[version_len] = '\0';
64| 0| }
65| |
/*
 * The offset advances by the header size plus the declared length whether or
 * not the value was copied; a declared length that runs past the payload ends
 * the loop at the next condition check.
 */
66| 0| off += 3 + tlv_length;
67| 0| }
68| 0| return;
69| 0| }
70| |
71| 3.42k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 3.42k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
72| 3.42k|}
init_uftp_dissector:
61| 7.08k|{
62| 7.08k| ndpi_register_dissector("UFTP", ndpi_struct,
63| 7.08k| ndpi_search_uftp,
64| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
------------------
| | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD)
| | ------------------
| | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP)
| | | | ------------------
| | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7)
| | | | ------------------
| | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP)
| | | | ------------------
| | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2)
| | | | ------------------
| | ------------------
|
| #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 65| 7.08k| 1, NDPI_PROTOCOL_UFTP); 66| 7.08k|} uftp.c:ndpi_search_uftp: 43| 3.35k|{ 44| 3.35k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 45| | 46| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search UFTP\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 3.35k| if ((packet->payload_packet_len > 23) && ------------------ | Branch (48:7): [True: 3.02k, False: 323] ------------------ 49| 3.02k| ((packet->payload[0] == 0x40) || (packet->payload[0] == 0x50)) && ------------------ | Branch (49:8): [True: 7, False: 3.02k] | Branch (49:40): [True: 3, False: 3.01k] ------------------ 50| 10| (packet->payload[1] < 22) && (packet->payload[15] == 0) && ------------------ | Branch (50:7): [True: 6, False: 4] | Branch (50:36): [True: 4, False: 2] ------------------ 51| 4| (packet->payload[16] == packet->payload[1])) ------------------ | Branch (51:7): [True: 1, False: 3] ------------------ 52| 1| { 53| 1| ndpi_int_uftp_add_connection(ndpi_struct, flow); 54| 1| return; 55| 1| } 56| | 57| 3.35k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.35k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 3.35k|} uftp.c:ndpi_int_uftp_add_connection: 34| 1|{ 35| 1| NDPI_LOG_INFO(ndpi_struct, "found UFTP\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 36| 1| ndpi_set_detected_protocol(ndpi_struct, flow, 37| 1| NDPI_PROTOCOL_UFTP, NDPI_PROTOCOL_UNKNOWN, 38| 1| NDPI_CONFIDENCE_DPI); 39| 1|} init_ultrasurf_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("UltraSurf", ndpi_struct, 64| 7.08k| ndpi_search_ultrasurf, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4)
| | ------------------
------------------
66| 7.08k| 1, NDPI_PROTOCOL_ULTRASURF);
67| 7.08k|}
ultrasurf.c:ndpi_search_ultrasurf:
/*
 * ndpi_search_ultrasurf (body only; the report omits the signature).
 * Excludes the dissector for payloads shorter than 8 bytes, then compares the
 * first two 32-bit words of the payload (after htonl) with 0xcc1c3041 and
 * 0x5ba43866 and calls ndpi_int_ultrasurf_add_connection() when both match.
 *
 * Coverage: the first comparison at line 52 is True 0 times out of 10.9k, so
 * the detection branch (lines 54-56) was never executed in this run.
 */
41| 11.7k|{
42| 11.7k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
43| |
44| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search UltraSurf\n");
------------------
| | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ }
------------------
45| |
46| 11.7k| if (packet->payload_packet_len < 8)
------------------
| Branch (46:7): [True: 805, False: 10.9k]
------------------
47| 805| {
48| 805| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 805|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
49| 805| return;
50| 805| }
51| |
52| 10.9k| if (htonl(get_u_int32_t(packet->payload, 0)) == 0xcc1c3041 &&
------------------
| Branch (52:7): [True: 0, False: 10.9k]
------------------
53| 10.9k| htonl(get_u_int32_t(packet->payload, 4)) == 0x5ba43866)
------------------
| Branch (53:7): [True: 0, False: 0]
------------------
54| 0| {
55| 0| ndpi_int_ultrasurf_add_connection(ndpi_struct, flow);
56| 0| }
57| |
/*
 * NOTE(review): the match branch above has no return, so a matching flow also
 * reaches this exclusion call. Other dissectors in this report (UFTP, TRDP,
 * Viber) return right after their add_connection call -- confirm whether the
 * fall-through is intended.
 */
58| 10.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
------------------
| | 91| 10.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__)
------------------
59| 10.9k|}
init_usenet_dissector:
100| 7.08k|{
101| 7.08k| ndpi_register_dissector("Usenet", ndpi_struct,
102| 7.08k| ndpi_search_usenet_tcp,
103| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
------------------
| | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD)
| |
------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 104| 7.08k| 1, NDPI_PROTOCOL_USENET); 105| 7.08k|} usenet.c:ndpi_search_usenet_tcp: 43| 13.4k|{ 44| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 45| | 46| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search usenet\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 47| | 48| 13.4k| NDPI_LOG_DBG2(ndpi_struct, "STAGE IS %u\n", flow->l4.tcp.usenet_stage); ------------------ | | 597| 13.4k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 49| | 50| | // check for the first server replay 51| | /* 52| | 200 Service available, posting allowed 53| | 201 Service available, posting prohibited 54| | */ 55| 13.4k| if (flow->l4.tcp.usenet_stage == 0 && packet->payload_packet_len > 10 ------------------ | Branch (55:6): [True: 13.4k, False: 1] | Branch (55:40): [True: 12.5k, False: 889] ------------------ 56| 12.5k| && ((memcmp(packet->payload, "200 ", 4) == 0) ------------------ | Branch (56:7): [True: 1, False: 12.5k] ------------------ 57| 12.5k| || (memcmp(packet->payload, "201 ", 4) == 0))) { ------------------ | Branch (57:7): [True: 1, False: 12.5k] ------------------ 58| | 59| 2| NDPI_LOG_DBG2(ndpi_struct, "found 200 or 201\n"); ------------------ | | 597| 2|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 60| 2| flow->l4.tcp.usenet_stage = 1 + packet->packet_direction; 61| | 62| 2| NDPI_LOG_DBG2(ndpi_struct, "maybe hit\n"); ------------------ | | 597| 2|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 63| 2| return; 64| 2| } 65| | 66| | /* 67| | [C] AUTHINFO USER fred 68| | [S] 381 Enter passphrase 69| | [C] AUTHINFO PASS flintstone 70| | [S] 281 Authentication accepted 71| | */ 72| | // check for client username 73| 13.4k| if (flow->l4.tcp.usenet_stage == 2 - packet->packet_direction) { ------------------ | Branch (73:6): [True: 1, False: 13.4k] ------------------ 74| 1| if (packet->payload_packet_len > 20 && (memcmp(packet->payload, "AUTHINFO USER ", 14) == 0)) { ------------------ | Branch (74:7): [True: 0, False: 1] | Branch (74:42): [True: 0, False: 0] ------------------ 75| 0| NDPI_LOG_DBG2(ndpi_struct, "username found\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 76| 0| flow->l4.tcp.usenet_stage = 3 + packet->packet_direction; 77| | 78| 0| NDPI_LOG_INFO(ndpi_struct, "found usenet\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 79| 0| ndpi_int_usenet_add_connection(ndpi_struct, flow); 80| 0| return; 81| 1| } else if (packet->payload_packet_len == 13 && (memcmp(packet->payload, "MODE READER\r\n", 13) == 0)) { ------------------ | Branch (81:14): [True: 0, False: 1] | Branch (81:50): [True: 0, False: 0] ------------------ 82| 0| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 83| 0| "no login necessary but we are a client.\n"); 84| | 85| 0| NDPI_LOG_INFO(ndpi_struct, "found usenet\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 86| 0| ndpi_int_usenet_add_connection(ndpi_struct, flow); 87| 0| return; 88| 1| } else if (packet->payload_packet_len == 6 && (memcmp(packet->payload, "HELP\r\n", 6) == 0)) { ------------------ | Branch (88:15): [True: 0, False: 1] | Branch (88:50): [True: 0, False: 0] ------------------ 89| 0| NDPI_LOG_INFO(ndpi_struct, "found usenet\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 90| 0| ndpi_int_usenet_add_connection(ndpi_struct, flow); 91| 0| return; 92| 0| } 93| 1| } 94| | 95| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 96| 13.4k|} init_viber_dissector: 102| 7.08k|{ 103| 7.08k| ndpi_register_dissector("Viber", ndpi_struct, 104| 7.08k| ndpi_search_viber, 105| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 106| 7.08k| 1, NDPI_PROTOCOL_VIBER); 107| 7.08k|} viber.c:ndpi_search_viber: 40| 16.7k|{ 41| 16.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 42| | 43| 16.7k| NDPI_LOG_DBG(ndpi_struct, "search for Viber\n"); ------------------ | | 596| 16.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 16.7k| if(packet->udp && packet->iph) { ------------------ | Branch (45:6): [True: 3.41k, False: 13.3k] | Branch (45:21): [True: 3.12k, False: 283] ------------------ 46| | /* ignore broadcast as this isn't viber */ 47| 3.12k| if((packet->iph->saddr == 0xFFFFFFFF) || (packet->iph->daddr == 0xFFFFFFFF)) { ------------------ | Branch (47:8): [True: 3, False: 3.12k] | Branch (47:46): [True: 157, False: 2.96k] ------------------ 48| 160| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 160|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 160| return; 50| 160| } 51| 3.12k| } 52| | 53| 16.6k| if (packet->tcp != NULL) ------------------ | Branch (53:7): [True: 13.3k, False: 3.25k] ------------------ 54| 13.3k| { 55| 13.3k| NDPI_LOG_DBG2(ndpi_struct, "searching Viber over tcp\n"); ------------------ | | 597| 13.3k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 56| | 57| 13.3k| if (packet->payload_packet_len >= 11 && ------------------ | Branch (57:9): [True: 12.4k, False: 887] ------------------ 58| 13.3k| le16toh(get_u_int16_t(packet->payload, 0)) == packet->payload_packet_len) ------------------ | Branch (58:9): [True: 4, False: 12.4k] ------------------ 59| 4| { 60| 4| if (ntohs(get_u_int16_t(packet->payload, 6)) == 0xfcff && ------------------ | Branch (60:11): [True: 0, False: 4] ------------------ 61| 0| packet->payload[9] == 0x80) ------------------ | Branch (61:11): [True: 0, False: 0] ------------------ 62| 0| { 63| 0| viber_add_connection(ndpi_struct, flow); 64| 0| return; 65| 0| } 66| 4| if (ntohs(get_u_int16_t(packet->payload, 4)) == 0x0380 && ------------------ | Branch (66:11): [True: 0, False: 4] ------------------ 67| 0| packet->payload[10] == 0x0a) ------------------ | Branch (67:11): [True: 0, False: 0] ------------------ 68| 0| { 69| 0| viber_add_connection(ndpi_struct, flow); 70| 0| return; 71| 0| } 72| 4| } 73| | 74| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 75| 13.3k| return; 76| 13.3k| } 77| | 78| 3.25k| if((packet->udp != NULL) && (packet->payload_packet_len > 5)) { ------------------ | Branch (78:6): [True: 3.25k, False: 0] | Branch (78:31): [True: 3.12k, False: 128] ------------------ 79| 3.12k| NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n"); ------------------ | | 597| 3.12k|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 80| | 81| 3.12k| if((flow->rtp_stage == 0) && (flow->rtcp_stage == 0) /* Avoid collisions with RTP/RTCP */ && ------------------ | Branch (81:8): [True: 3.01k, False: 111] | Branch (81:34): [True: 3.01k, False: 2] ------------------ 82| 3.01k| ((packet->payload[2] == 0x03 && packet->payload[3] == 0x00) ------------------ | Branch (82:10): [True: 19, False: 2.99k] | Branch (82:40): [True: 13, False: 6] ------------------ 83| 2.99k| || (packet->payload_packet_len == 20 && packet->payload[2] == 0x09 && packet->payload[3] == 0x00) ------------------ | Branch (83:13): [True: 2, False: 2.99k] | Branch (83:49): [True: 1, False: 1] | Branch (83:79): [True: 0, False: 1] ------------------ 84| 2.99k| || (packet->payload[2] == 0x01 && packet->payload[3] == 0x00 && packet->payload[4] == 0x05 && packet->payload[5] == 0x00) ------------------ | Branch (84:13): [True: 146, False: 2.85k] | Branch (84:43): [True: 62, False: 84] | Branch (84:73): [True: 1, False: 61] | Branch (84:103): [True: 1, False: 0] ------------------ 85| 2.99k| || (packet->payload_packet_len == 34 && packet->payload[2] == 0x19 && packet->payload[3] == 0x00) ------------------ | Branch (85:13): [True: 1, False: 2.99k] | Branch (85:49): [True: 0, False: 1] | Branch (85:79): [True: 0, False: 0] ------------------ 86| 2.99k| || (packet->payload_packet_len == 34 && packet->payload[2] == 0x1b && packet->payload[3] == 0x00) ------------------ | Branch (86:13): [True: 1, False: 2.99k] | Branch (86:49): [True: 0, False: 1] | Branch (86:79): [True: 0, False: 0] ------------------ 87| 3.01k| )) { 88| 14| viber_add_connection(ndpi_struct, flow); 89| 14| return; 90| 14| } 91| | 92| 3.10k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.10k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 93| 3.10k| return; 94| 3.12k| } 95| | 96| 128| 
if(flow->packet_counter > 3) ------------------ | Branch (96:6): [True: 0, False: 128] ------------------ 97| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 98| 128|} viber.c:viber_add_connection: 31| 14|{ 32| 14| NDPI_LOG_INFO(ndpi_struct, "found Viber\n"); ------------------ | | 595| 14|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 33| 14| ndpi_set_detected_protocol(ndpi_struct, flow, 34| 14| NDPI_PROTOCOL_VIBER, 35| 14| NDPI_PROTOCOL_UNKNOWN, 36| 14| NDPI_CONFIDENCE_DPI); 37| 14|} init_vmware_dissector: 48| 7.08k|{ 49| 7.08k| ndpi_register_dissector("VMWARE", ndpi_struct, 50| 7.08k| ndpi_search_vmware, 51| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ 
------------------ 52| 7.08k| 1, NDPI_PROTOCOL_VMWARE); 53| 7.08k|} vmware.c:ndpi_search_vmware: 29| 5.08k|{ 30| 5.08k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 31| | 32| 5.08k| NDPI_LOG_DBG(ndpi_struct, "search vmware\n"); ------------------ | | 596| 5.08k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 33| | /* Check whether this is an VMWARE flow */ 34| 5.08k| if(packet->udp != NULL){ ------------------ | Branch (34:6): [True: 5.08k, False: 0] ------------------ 35| 5.08k| if((packet->payload_packet_len == 66) && ------------------ | Branch (35:8): [True: 1, False: 5.08k] ------------------ 36| 1| (ntohs(packet->udp->dest) == 902) && ------------------ | Branch (36:8): [True: 0, False: 1] ------------------ 37| 0| ((packet->payload[0] & 0xFF) == 0xA4)){ ------------------ | Branch (37:8): [True: 0, False: 0] ------------------ 38| | 39| 0| NDPI_LOG_INFO(ndpi_struct, "found vmware\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 40| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 41| 0| return; 42| 0| } 43| 5.08k| } 44| 5.08k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.08k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 45| 5.08k|} init_vnc_dissector: 65| 7.08k|{ 66| 7.08k| ndpi_register_dissector("VNC", ndpi_struct, 67| 7.08k| ndpi_search_vnc_tcp, 68| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 69| 7.08k| 1, NDPI_PROTOCOL_VNC); 70| 7.08k|} vnc.c:ndpi_search_vnc_tcp: 31| 13.4k|{ 32| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 33| | 34| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search vnc\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 35| | /* search over TCP */ 36| 13.4k| if(packet->tcp) { ------------------ | Branch (36:6): [True: 13.4k, False: 0] ------------------ 37| | 38| 13.4k| if(flow->l4.tcp.vnc_stage == 0) { ------------------ | Branch (38:8): [True: 13.4k, False: 0] ------------------ 39| 13.4k| if((packet->payload_packet_len == 12) && ------------------ | Branch (39:10): [True: 346, False: 13.1k] ------------------ 40| 346| (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a)) ------------------ | Branch (40:5): [True: 0, False: 346] | Branch (40:54): [True: 0, False: 0] ------------------ 41| 346| || 42| 346| ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { ------------------ | Branch (42:5): [True: 0, False: 346] | Branch (42:54): [True: 0, False: 0] ------------------ 43| 0| NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 44| 0| flow->l4.tcp.vnc_stage = 1 + packet->packet_direction; 45| 0| return; 46| 0| } 47| 13.4k| } else if(flow->l4.tcp.vnc_stage == 2 - packet->packet_direction) { ------------------ | Branch (47:15): [True: 0, False: 0] ------------------ 48| | 49| 0| if((packet->payload_packet_len == 12) && ------------------ | Branch (49:10): [True: 0, False: 0] ------------------ 50| 0| (((memcmp(packet->payload, "RFB 003.", 7) == 0) && (packet->payload[11] == 0x0a)) ------------------ | Branch (50:5): [True: 0, False: 0] | Branch (50:54): [True: 0, False: 0] ------------------ 51| 0| || 52| 0| ((memcmp(packet->payload, "RFB 004.", 7) == 0) && (packet->payload[11] == 0x0a)))) { ------------------ | Branch (52:5): [True: 0, False: 0] | Branch (52:54): [True: 0, False: 0] ------------------ 53| 0| NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 54| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 55| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_DESKTOP_OR_FILE_SHARING_SESSION, "Found VNC"); /* Remote assistance */ 56| 0| return; 57| 0| } 58| 0| } 59| 13.4k| } 60| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 13.4k|} init_vxlan_dissector: 68| 7.08k|{ 69| 7.08k| ndpi_register_dissector("VXLAN", ndpi_struct, 70| 7.08k| ndpi_search_vxlan, 71| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 72| 7.08k| 1, NDPI_PROTOCOL_VXLAN); 73| 7.08k|} vxlan.c:ndpi_search_vxlan: 61| 5.08k|{ 62| 5.08k| NDPI_LOG_DBG(ndpi_struct, "search vxlan\n"); ------------------ | | 596| 5.08k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 63| | 64| 5.08k| ndpi_check_vxlan(ndpi_struct, flow); 65| 5.08k|} vxlan.c:ndpi_check_vxlan: 31| 5.08k|{ 32| 5.08k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 33| | 34| 5.08k| if(packet->payload_packet_len >= sizeof(struct ndpi_vxlanhdr)) { ------------------ | Branch (34:6): [True: 4.94k, False: 132] ------------------ 35| | 36| | /* 37| | *rfc-7348 vxlan header 38| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 39| | |R|R|R|R|I|R|R|R| Reserved | 40| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 41| | | VXLAN Network Identifier (VNI) | Reserved | 42| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 43| | */ 44| 4.94k| u_int32_t vxlan_dst_port = ntohs(4789); 45| 4.94k| struct ndpi_vxlanhdr *vxlanhdr = (struct ndpi_vxlanhdr *)packet->payload; 46| 4.94k| if((packet->udp->dest == vxlan_dst_port) && ------------------ | Branch (46:8): [True: 1, False: 4.94k] ------------------ 47| 1| (vxlanhdr->flags == ntohs(0x0800)) && ------------------ | Branch (47:7): [True: 0, False: 1] ------------------ 48| 0| (vxlanhdr->groupPolicy == 0x0) && ------------------ | Branch (48:7): [True: 0, False: 0] ------------------ 49| 0| (vxlanhdr->reserved == 0x0)) { ------------------ | Branch (49:7): [True: 0, False: 0] ------------------ 50| 0| NDPI_LOG_INFO(ndpi_struct, "found vxlan\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 51| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VXLAN, NDPI_PROTOCOL_VXLAN, NDPI_CONFIDENCE_DPI); 52| 0| return; 53| 0| } 54| 4.94k| } 55| | 56| 5.08k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 5.08k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 57| 5.08k| return; 58| 5.08k|} init_websocket_dissector: 152| 7.08k|{ 153| 7.08k| ndpi_register_dissector("WEBSOCKET", ndpi_struct, 154| 7.08k| ndpi_search_websocket, 155| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 156| 7.08k| 1, NDPI_PROTOCOL_WEBSOCKET); 157| 7.08k|} websocket.c:ndpi_search_websocket: 98| 12.7k|{ 99| | // Break after 10 packets. 100| 12.7k| if (flow->packet_counter > 10) ------------------ | Branch (100:7): [True: 0, False: 12.7k] ------------------ 101| 0| { 102| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 103| 0| return; 104| 0| } 105| | 106| 12.7k| NDPI_LOG_DBG(ndpi_struct, "search WEBSOCKET\n"); ------------------ | | 596| 12.7k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 107| 12.7k| ndpi_check_websocket(ndpi_struct, flow); 108| | 109| | // Check also some HTTP headers indicating an upcoming WebSocket connection 110| 12.7k| if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP && ------------------ | Branch (110:7): [True: 810, False: 11.8k] ------------------ 111| 810| flow->detected_protocol_stack[1] != NDPI_PROTOCOL_WEBSOCKET) ------------------ | Branch (111:7): [True: 810, False: 0] ------------------ 112| 810| { 113| 810| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 114| 810| uint16_t i; 115| 810| int found = 0; 116| | 117| 810| NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); ------------------ | | 521| 810| if (packet->packet_lines_parsed_complete != 1) { \ | | ------------------ | | | Branch (521:29): [True: 0, False: 810] | | ------------------ | | 522| 0| ndpi_parse_packet_line_info(ndpi_struct,flow); \ | | 523| 0| } ------------------ 118| 5.21k| for (i = 0; i < packet->parsed_lines; i++) { ------------------ | Branch (118:17): [True: 4.40k, False: 810] ------------------ 119| 4.40k| if (LINE_STARTS(packet->line[i], "upgrade:") != 0 && ------------------ | | 76| 4.40k| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 4.40k, False: 0] | | ------------------ | | 77| 4.40k| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 4.03k, False: 367] | | ------------------ | | 78| 4.40k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 156, False: 3.87k] | | ------------------ ------------------ | Branch (119:11): [True: 156, False: 4.24k] ------------------ 120| 156| LINE_ENDS(packet->line[i], "websocket") != 0) ------------------ | | 81| 156| ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | 
------------------ | | | Branch (81:4): [True: 155, False: 1] | | ------------------ | | 82| 156| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr) + \ | | ------------------ | | | Branch (82:4): [True: 85, False: 70] | | ------------------ | | 83| 155| ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ | | 84| 155| string_to_compare, strlen(string_to_compare)) == 0) ------------------ | Branch (120:11): [True: 85, False: 71] ------------------ 121| 85| { 122| 85| if(found == 0) ------------------ | Branch (122:12): [True: 40, False: 45] ------------------ 123| 40| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, 124| 40| NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); 125| 85| found = 1; 126| 4.31k| } else if (LINE_STARTS(packet->line[i], "sec-websocket") != 0) { ------------------ | | 76| 4.31k| ((ndpi_int_one_line_struct).ptr != NULL && \ | | ------------------ | | | Branch (76:4): [True: 4.31k, False: 0] | | ------------------ | | 77| 4.31k| (ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ | | ------------------ | | | Branch (77:4): [True: 3.72k, False: 592] | | ------------------ | | 78| 4.31k| strncasecmp((const char *)((ndpi_int_one_line_struct).ptr), string_to_compare, strlen(string_to_compare)) == 0) | | ------------------ | | | Branch (78:4): [True: 156, False: 3.56k] | | ------------------ ------------------ | Branch (126:18): [True: 156, False: 4.16k] ------------------ 127| 156| if(found == 0) ------------------ | Branch (127:12): [True: 39, False: 117] ------------------ 128| 39| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, 129| 39| NDPI_PROTOCOL_HTTP, NDPI_CONFIDENCE_DPI); 130| 156| if (ndpi_strncasestr((const char *)packet->line[i].ptr, "chisel", ------------------ | Branch (130:13): [True: 0, False: 156] ------------------ 131| 156| packet->line[i].len) != NULL) 132| 0| { 133| 0| ndpi_set_risk(ndpi_struct, flow, NDPI_OBFUSCATED_TRAFFIC, 134| 0| "Obfuscated 
SSH-in-HTTP-WebSocket traffic"); 135| 0| } 136| 156| found = 1; 137| 156| } 138| 4.40k| } 139| 810| if (i == packet->parsed_lines) ------------------ | Branch (139:9): [True: 810, False: 0] ------------------ 140| 810| { 141| 810| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 810|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 142| 810| return; 143| 810| } 144| 810| } 145| | 146| 11.8k| return; 147| 12.7k|} websocket.c:ndpi_check_websocket: 61| 12.7k|{ 62| 12.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 63| | 64| 12.7k| if (packet->payload_packet_len < sizeof(u_int16_t)) ------------------ | Branch (64:7): [True: 4, False: 12.6k] ------------------ 65| 4| { 66| 4| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 4|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 67| 4| return; 68| 4| } 69| | 70| 12.6k| u_int8_t websocket_payload_length = packet->payload[1] & 0x7F; 71| 12.6k| u_int8_t websocket_masked = packet->payload[1] & 0x80; 72| | 73| 12.6k| uint8_t hdr_size = (websocket_masked == 1) ? 6 : 2; ------------------ | Branch (73:22): [True: 0, False: 12.6k] ------------------ 74| | 75| 12.6k| if (packet->payload_packet_len != hdr_size + websocket_payload_length) ------------------ | Branch (75:7): [True: 12.2k, False: 402] ------------------ 76| 12.2k| { 77| 12.2k| NDPI_LOG_DBG(ndpi_struct, "Invalid WEBSOCKET payload\n"); ------------------ | | 596| 12.2k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 78| 12.2k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 12.2k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 79| 12.2k| return; 80| 12.2k| } 81| | 82| 402| if (packet->payload[0] == TEXT_FRAME || packet->payload[0] == FIN_TEXT_FRAME || ------------------ | Branch (82:7): [True: 1, False: 401] | Branch (82:44): [True: 1, False: 400] ------------------ 83| 400| packet->payload[0] == BINARY_FRAME || packet->payload[0] == FIN_BINARY_FRAME || ------------------ | Branch (83:7): [True: 2, False: 398] | Branch (83:45): [True: 0, False: 398] ------------------ 84| 398| packet->payload[0] == CONNECTION_CLOSE_FRAME || packet->payload[0] == FIN_CONNECTION_CLOSE_FRAME || ------------------ | Branch (84:7): [True: 4, False: 394] | Branch (84:55): [True: 14, False: 380] ------------------ 85| 380| packet->payload[0] == PING_FRAME || packet->payload[0] == FIN_PING_FRAME || ------------------ | Branch (85:7): [True: 1, False: 379] | Branch (85:43): [True: 19, False: 360] ------------------ 86| 360| packet->payload[0] == PONG_FRAME || packet->payload[0] == FIN_PONG_FRAME) { ------------------ | Branch (86:7): [True: 1, False: 359] | Branch (86:43): [True: 1, False: 358] ------------------ 87| | 88| 44| set_websocket_detected(ndpi_struct, flow); 89| | 90| 358| } else { 91| 358| NDPI_LOG_DBG(ndpi_struct, "Invalid WEBSOCKET payload\n"); ------------------ | | 596| 358|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 92| 358| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 358|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 93| 358| return; 94| 358| } 95| 402|} websocket.c:set_websocket_detected: 50| 44|{ 51| | /* If no custom protocol has been detected */ 52| 44| if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) ------------------ | Branch (52:7): [True: 44, False: 0] ------------------ 53| 44| { 54| 44| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WEBSOCKET, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 55| 44| } 56| 44|} init_whatsapp_dissector: 124| 7.08k|{ 125| 7.08k| ndpi_register_dissector("WhatsApp", ndpi_struct, 126| 7.08k| ndpi_search_whatsapp, 127| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | 
NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 128| 7.08k| 1, NDPI_PROTOCOL_WHATSAPP); 129| 7.08k|} whatsapp.c:ndpi_search_whatsapp: 89| 11.9k| struct ndpi_flow_struct *flow) { 90| 11.9k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 91| | 92| 11.9k| NDPI_LOG_DBG(ndpi_struct, "search WhatsApp\n"); ------------------ | | 596| 11.9k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 93| | 94| 11.9k| if (flow->packet_counter > 3) ------------------ | Branch (94:7): [True: 0, False: 11.9k] ------------------ 95| 0| { 96| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 97| 0| return; 98| 0| } 99| | 100| | /* 101| | * This is a very old sequence (2015?) but we still have it in our unit tests. 102| | * Try to detect it, without too much effort... 
103| | */ 104| 11.9k| if (flow->l4.tcp.wa_matched_so_far == 0 && ------------------ | Branch (104:7): [True: 11.9k, False: 0] ------------------ 105| 11.9k| packet->payload_packet_len > GET_SEQ_SIZE(WA_SEQ_VERY_OLD) && ------------------ | | 29| 23.8k|#define GET_SEQ_SIZE(id) (whatsapp_sequences[id].sequence_size) ------------------ | Branch (105:7): [True: 11.1k, False: 734] ------------------ 106| 11.1k| memcmp(packet->payload, GET_SEQ(WA_SEQ_VERY_OLD), GET_SEQ_SIZE(WA_SEQ_VERY_OLD)) == 0) ------------------ | | 30| 11.1k|#define GET_SEQ(id) (whatsapp_sequences[id].sequence) ------------------ memcmp(packet->payload, GET_SEQ(WA_SEQ_VERY_OLD), GET_SEQ_SIZE(WA_SEQ_VERY_OLD)) == 0) ------------------ | | 29| 11.1k|#define GET_SEQ_SIZE(id) (whatsapp_sequences[id].sequence_size) ------------------ | Branch (106:7): [True: 118, False: 11.0k] ------------------ 107| 118| { 108| 118| NDPI_LOG_INFO(ndpi_struct, "found WhatsApp (old sequence)\n"); ------------------ | | 595| 118|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 109| 118| ndpi_int_whatsapp_add_connection(ndpi_struct, flow); 110| 118| return; 111| 118| } 112| | 113| 11.8k| if (ndpi_int_match_whatsapp_sequence(ndpi_struct, flow, WA_SEQ_NEW) == 0 || ------------------ | Branch (113:7): [True: 2, False: 11.8k] ------------------ 114| 11.8k| ndpi_int_match_whatsapp_sequence(ndpi_struct, flow, WA_SEQ_OLD) == 0) ------------------ | Branch (114:7): [True: 3, False: 11.8k] ------------------ 115| 5| { 116| 5| return; 117| 5| } 118| | 119| 11.8k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.8k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 120| 11.8k|} whatsapp.c:ndpi_int_whatsapp_add_connection: 53| 120|{ 54| 120| NDPI_LOG_INFO(ndpi_struct, "found WhatsApp\n"); ------------------ | | 595| 120|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 55| 120| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, 56| 120| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 57| 120|} whatsapp.c:ndpi_int_match_whatsapp_sequence: 62| 23.6k|{ 63| 23.6k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 64| | 65| 23.6k| if (flow->l4.tcp.wa_matched_so_far < GET_SEQ_SIZE(seq_id)) ------------------ | | 29| 23.6k|#define GET_SEQ_SIZE(id) (whatsapp_sequences[id].sequence_size) ------------------ | Branch (65:7): [True: 23.6k, False: 0] ------------------ 66| 23.6k| { 67| 23.6k| size_t match_len = GET_SEQ_SIZE(seq_id) - flow->l4.tcp.wa_matched_so_far; ------------------ | | 29| 23.6k|#define GET_SEQ_SIZE(id) (whatsapp_sequences[id].sequence_size) ------------------ 68| 23.6k| if (packet->payload_packet_len < match_len) ------------------ | Branch (68:9): [True: 1.61k, False: 21.9k] ------------------ 69| 1.61k| { 70| 1.61k| match_len = packet->payload_packet_len; 71| 1.61k| } 72| | 73| 23.6k| if (memcmp(packet->payload, &GET_SEQ(seq_id)[flow->l4.tcp.wa_matched_so_far], ------------------ | | 30| 23.6k|#define GET_SEQ(id) (whatsapp_sequences[id].sequence) ------------------ | Branch (73:9): [True: 5, False: 23.6k] ------------------ 74| 23.6k| match_len) == 0) 75| 5| { 76| 5| flow->l4.tcp.wa_matched_so_far += match_len; 77| 5| if (flow->l4.tcp.wa_matched_so_far == GET_SEQ_SIZE(seq_id)) ------------------ | | 29| 5|#define GET_SEQ_SIZE(id) (whatsapp_sequences[id].sequence_size) ------------------ | Branch (77:11): [True: 2, False: 3] ------------------ 78| 2| { 79| 2| ndpi_int_whatsapp_add_connection(ndpi_struct, flow); 80| 2| } 81| 5| return 0; 82| 5| } 83| 23.6k| } 84| | 85| 23.6k| return 1; 86| 23.6k|} init_whois_das_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("Whois-DA", ndpi_struct, 64| 7.08k| ndpi_search_whois_das, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ 
| | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_WHOIS_DAS); 67| 7.08k|} whoisdas.c:ndpi_search_whois_das: 30| 13.4k|{ 31| 13.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 32| | 33| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search WHOIS/DAS\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 34| 13.4k| if(packet->tcp != NULL) { ------------------ | Branch (34:6): [True: 13.4k, False: 0] ------------------ 35| 13.4k| u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); 36| | 37| 13.4k| if((((sport == 43) || (dport == 43)) || ((sport == 4343) || (dport == 4343))) && ------------------ | Branch (37:10): [True: 1, False: 13.4k] | Branch (37:27): [True: 2, False: 13.4k] | Branch (37:46): [True: 0, False: 13.4k] | Branch (37:65): [True: 0, False: 13.4k] ------------------ 38| 3| packet->payload_packet_len > 2 && ------------------ | Branch (38:8): [True: 3, False: 0] ------------------ 39| 3| packet->payload[packet->payload_packet_len - 2] == '\r' && ------------------ | Branch (39:8): [True: 2, False: 1] ------------------ 40| 2| packet->payload[packet->payload_packet_len - 1] == '\n' && ------------------ | Branch (40:8): [True: 1, False: 1] ------------------ 41| | /* To avoid false positives with other cleartext protocols (e.g. mail). 
42| | This check is maybe not perfect, but WHOIS/DAS is not the most 43| | important/used protocols nowadays 44| | */ 45| 1| ndpi_is_valid_hostname((char * const)&packet->payload[0], packet->payload_packet_len - 2)) { ------------------ | Branch (45:8): [True: 0, False: 1] ------------------ 46| | 47| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 48| | 49| 0| if((dport == 43) || (dport == 4343)) { /* Request */ ------------------ | Branch (49:10): [True: 0, False: 0] | Branch (49:27): [True: 0, False: 0] ------------------ 50| 0| ndpi_hostname_sni_set(flow, &packet->payload[0], packet->payload_packet_len - 2, NDPI_HOSTNAME_NORM_ALL); /* Skip \r\n */ ------------------ | | 516| 0|#define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 512| 0|#define NDPI_HOSTNAME_NORM_LC 1 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 513| 0|#define NDPI_HOSTNAME_NORM_REPLACE_IC 2 | | ------------------ | | #define NDPI_HOSTNAME_NORM_ALL (NDPI_HOSTNAME_NORM_LC | NDPI_HOSTNAME_NORM_REPLACE_IC | NDPI_HOSTNAME_NORM_STRIP_EOLSP) | | ------------------ | | | | 514| 0|#define NDPI_HOSTNAME_NORM_STRIP_EOLSP 4 | | ------------------ ------------------ 51| 0| NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 52| 0| } 53| 0| return; 54| 0| } 55| 13.4k| } 56| | 57| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 58| 13.4k|} init_wireguard_dissector: 202| 7.08k|{ 203| 7.08k| ndpi_register_dissector("WireGuard", ndpi_struct, 204| 7.08k| ndpi_search_wireguard, 205| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 206| 7.08k| 1, NDPI_PROTOCOL_WIREGUARD); 207| 7.08k|} wireguard.c:ndpi_search_wireguard: 60| 3.37k|{ 61| 3.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 62| 3.37k| const u_int8_t *payload = packet->payload; 63| 3.37k| u_int8_t message_type = payload[0]; 64| | 65| 3.37k| NDPI_LOG_DBG(ndpi_struct, "search WireGuard\n"); 
------------------ | | 596| 3.37k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 66| | 67| | /* 68| | * First, try some easy ways to rule out the protocol. 69| | * The packet size and the reserved bytes in the header are good candidates. 70| | */ 71| | 72| | /* 73| | * A transport packet contains at minimum the following fields: 74| | * u8 message_type 75| | * u8 reserved_zero[3] 76| | * u32 receiver_index 77| | * u64 counter 78| | * u8 encrypted_encapsulated_packet[] 79| | * In the case of a keepalive message, the encapsulated packet will have 80| | * zero length, but will still have a 16 byte poly1305 authentication tag. 81| | * Thus, packet->payload will be at least 32 bytes in size. 82| | * Note that handshake packets have a slightly different structure, but they are larger. 83| | */ 84| 3.37k| if (packet->payload_packet_len < 32) { ------------------ | Branch (84:7): [True: 455, False: 2.92k] ------------------ 85| 455| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 455|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 86| 455| return; 87| 455| } 88| | /* 89| | * The next three bytes after the message type are reserved and set to zero. 90| | */ 91| 2.92k| if (payload[1] != 0 || payload[2] != 0 || payload[3] != 0) { ------------------ | Branch (91:7): [True: 2.49k, False: 423] | Branch (91:26): [True: 92, False: 331] | Branch (91:45): [True: 98, False: 233] ------------------ 92| 2.68k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 2.68k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 93| 2.68k| return; 94| 2.68k| } 95| | 96| | /* 97| | * Below we make a deeper analysis; possibly inspecting multiple packets to 98| | * look for consistent sender/receiver index fields. 
We also exploit the fact 99| | * that handshake messages always have a fixed size. 100| | * 101| | * Stages 1-2 means we are processing a handshake sequence. 102| | * Stages 3-4 means we are processing a transport packet sequence. 103| | * 104| | * Message type can be one of the following: 105| | * 1) Handshake Initiation (148 bytes) 106| | * 2) Handshake Response (92 bytes) 107| | * 3) Cookie Reply (64 bytes) 108| | * 4) Transport Data (variable length, min 32 bytes) 109| | * 110| | * 111| | * TunnelBear VPN uses slightly different handshake packets: the format seems the same, 112| | * but the length is different (204/100). Not sure why and I don't know if it is some 113| | * kind of generic "obfuscation" attempt, used also by other apps. For the time being, 114| | * classify this kind of traffic as Wireguard/TunnelBear 115| | */ 116| 233| if (message_type == WG_TYPE_HANDSHAKE_INITIATION && ------------------ | Branch (116:7): [True: 17, False: 216] ------------------ 117| 17| (packet->payload_packet_len == 148 || packet->payload_packet_len == 204)) { ------------------ | Branch (117:8): [True: 0, False: 17] | Branch (117:45): [True: 0, False: 17] ------------------ 118| 0| u_int32_t sender_index = get_u_int32_t(payload, 4); ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ 119| | /* 120| | * We always start a new detection stage on a handshake initiation. 
121| | */ 122| 0| flow->l4.udp.wireguard_stage = 1 + packet->packet_direction; 123| 0| flow->l4.udp.wireguard_peer_index[packet->packet_direction] = sender_index; 124| | 125| 0| if(flow->num_processed_pkts > 1) { ------------------ | Branch (125:8): [True: 0, False: 0] ------------------ 126| | /* This looks like a retransmission and probably this communication is blocked hence let's stop here */ 127| 0| ndpi_int_wireguard_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 128| 0| return; 129| 0| } 130| | /* need more packets before deciding */ 131| 233| } else if (message_type == WG_TYPE_HANDSHAKE_RESPONSE && ------------------ | Branch (131:14): [True: 3, False: 230] ------------------ 132| 3| (packet->payload_packet_len == 92 || packet->payload_packet_len == 100)) { ------------------ | Branch (132:15): [True: 0, False: 3] | Branch (132:51): [True: 0, False: 3] ------------------ 133| 0| if (flow->l4.udp.wireguard_stage == 2 - packet->packet_direction) { ------------------ | Branch (133:9): [True: 0, False: 0] ------------------ 134| | /* 135| | * This means we are probably processing a handshake response to a handshake 136| | * initiation that we've just processed, so we check if the receiver index 137| | * matches the index in the handshake initiation. 138| | */ 139| 0| u_int32_t receiver_index = get_u_int32_t(payload, 8); ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ 140| | 141| 0| if (receiver_index == flow->l4.udp.wireguard_peer_index[1 - packet->packet_direction]) { ------------------ | Branch (141:11): [True: 0, False: 0] ------------------ 142| 0| if(packet->payload_packet_len == 100 && ------------------ | Branch (142:12): [True: 0, False: 0] ------------------ 143| 0| ndpi_struct->cfg.wireguard_subclassification_by_ip /* TODO: the right option? 
*/) ------------------ | Branch (143:12): [True: 0, False: 0] ------------------ 144| 0| ndpi_int_wireguard_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TUNNELBEAR); 145| 0| else 146| 0| ndpi_int_wireguard_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 147| 0| } else { 148| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 149| 0| } 150| 0| } 151| | /* need more packets before deciding */ 152| 233| } else if (message_type == WG_TYPE_COOKIE_REPLY && packet->payload_packet_len == 64) { ------------------ | Branch (152:14): [True: 5, False: 228] | Branch (152:54): [True: 0, False: 5] ------------------ 153| | /* 154| | * A cookie reply is sent as response to a handshake initiation when under load, 155| | * for DoS mitigation. If we have just seen a handshake initiation before 156| | * this cookie reply packet, we check if the receiver index in this packet 157| | * matches the sender index in that handshake initiation packet. 
158| | */ 159| 0| if (flow->l4.udp.wireguard_stage == 2 - packet->packet_direction) { ------------------ | Branch (159:9): [True: 0, False: 0] ------------------ 160| 0| u_int32_t receiver_index = get_u_int32_t(payload, 4); ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ 161| 0| if (receiver_index == flow->l4.udp.wireguard_peer_index[1 - packet->packet_direction]) { ------------------ | Branch (161:11): [True: 0, False: 0] ------------------ 162| 0| ndpi_int_wireguard_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 163| 0| } else { 164| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 165| 0| } 166| 0| } 167| | /* need more packets before deciding */ 168| 233| } else if (message_type == WG_TYPE_TRANSPORT_DATA) { ------------------ | Branch (168:14): [True: 2, False: 231] ------------------ 169| | /* 170| | * For detecting transport data packets, we save the peer 171| | * indices in both directions first. This requires at least one packet in each 172| | * direction (stages 3-4). The third packet that we process will be checked 173| | * against the appropriate index for a match (stage 5). 
174| | */ 175| 2| u_int32_t receiver_index = get_u_int32_t(payload, 4); ------------------ | | 137| 2|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ 176| | 177| | /* We speculate this is wireguard, so let's remember it */ 178| 2| flow->fast_callback_protocol_id = NDPI_PROTOCOL_WIREGUARD; 179| | 180| 2| if (flow->l4.udp.wireguard_stage == 0) { ------------------ | Branch (180:9): [True: 2, False: 0] ------------------ 181| 2| flow->l4.udp.wireguard_stage = 3 + packet->packet_direction; 182| 2| flow->l4.udp.wireguard_peer_index[packet->packet_direction] = receiver_index; 183| | /* need more packets before deciding */ 184| 2| } else if (flow->l4.udp.wireguard_stage == 4 - packet->packet_direction) { ------------------ | Branch (184:16): [True: 0, False: 0] ------------------ 185| 0| flow->l4.udp.wireguard_peer_index[packet->packet_direction] = receiver_index; 186| 0| flow->l4.udp.wireguard_stage = 5; 187| | /* need more packets before deciding */ 188| 0| } else if (flow->l4.udp.wireguard_stage == 5) { ------------------ | Branch (188:16): [True: 0, False: 0] ------------------ 189| 0| if (receiver_index == flow->l4.udp.wireguard_peer_index[packet->packet_direction]) { ------------------ | Branch (189:11): [True: 0, False: 0] ------------------ 190| 0| ndpi_int_wireguard_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN); 191| 0| } else { 192| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 193| 0| } 194| 0| } 195| | /* need more packets before deciding */ 196| 231| } else { 197| 231| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 231|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 198| 231| } 199| 233|} init_wsd_dissector: 56| 
7.08k|void init_wsd_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 57| 7.08k| ndpi_register_dissector("WSD", ndpi_struct, 58| 7.08k| ndpi_search_wsd, 59| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 60| 7.08k| 1, NDPI_PROTOCOL_WSD); 61| 7.08k|} wsd.c:ndpi_search_wsd: 33| 3.37k| struct ndpi_flow_struct *flow) { 34| 3.37k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 35| | 36| 3.37k| NDPI_LOG_DBG(ndpi_struct, "search wsd\n"); ------------------ | | 596| 3.37k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 37| | 38| 3.37k| if(packet->udp ------------------ | Branch (38:6): [True: 3.37k, False: 0] ------------------ 39| 3.37k| && ( 40| 3.37k| (packet->iph && ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */)) ------------------ | Branch (40:4): [True: 3.09k, False: 283] | Branch (40:19): [True: 211, False: 2.87k] ------------------ 41| 3.16k| || 42| 3.16k| (packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000) ------------------ | Branch (42:4): [True: 283, False: 2.87k] | Branch (42:21): [True: 0, False: 283] ------------------ 43| 3.37k| ) 44| 211| && (ntohs(packet->udp->dest) == WSD_PORT) ------------------ | | 30| 211|#define WSD_PORT 3702 ------------------ | Branch (44:9): [True: 0, False: 211] ------------------ 45| 0| && (packet->payload_packet_len >= 40) ------------------ | Branch (45:9): [True: 0, False: 0] ------------------ 46| 0| && (strncmp((char*)packet->payload, "current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 52| 3.37k| } 53| 3.37k|} init_xbox_dissector: 102| 7.08k|{ 103| 7.08k| ndpi_register_dissector("Xbox", ndpi_struct, 104| 7.08k| ndpi_search_xbox, 105| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 
7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 106| 7.08k| 1, NDPI_PROTOCOL_XBOX); 107| 7.08k|} xbox.c:ndpi_search_xbox: 38| 5.67k|{ 39| 5.67k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| | 41| | /* 42| | * XBOX UDP DETECTION ONLY 43| | * this detection also works for asymmetric xbox udp traffic 44| | */ 45| 5.67k| if(packet->udp != NULL) { ------------------ | Branch (45:6): [True: 5.67k, False: 0] ------------------ 46| | 47| 5.67k| u_int16_t dport = ntohs(packet->udp->dest); 48| 5.67k| u_int16_t sport = ntohs(packet->udp->source); 49| | 50| 5.67k| NDPI_LOG_DBG(ndpi_struct, "search xbox\n"); ------------------ | | 596| 5.67k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 51| | 52| 5.67k| if (packet->payload_packet_len > 12 && ------------------ | Branch (52:9): [True: 5.49k, False: 181] ------------------ 53| 5.49k| get_u_int32_t(packet->payload, 0) == 0 && packet->payload[5] == 0x58 && ------------------ | | 137| 5.49k|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (53:2): [True: 176, False: 5.32k] | Branch (53:44): [True: 4, False: 172] ------------------ 54| 4| memcmp(&packet->payload[7], "\x00\x00\x00", 3) == 0) { ------------------ | Branch (54:2): [True: 3, False: 1] ------------------ 55| | 56| 3| if ((packet->payload[4] == 0x0c && packet->payload[6] == 0x76) || ------------------ | Branch (56:12): [True: 0, False: 3] | Branch (56:42): [True: 0, False: 0] ------------------ 57| 3| (packet->payload[4] == 0x02 && packet->payload[6] == 0x18) || ------------------ | Branch (57:5): [True: 0, False: 3] | Branch (57:35): [True: 0, False: 0] ------------------ 58| 3| (packet->payload[4] == 0x0b && packet->payload[6] == 0x80) || ------------------ | Branch (58:5): [True: 0, False: 3] | Branch (58:35): [True: 0, False: 0] ------------------ 59| 3| (packet->payload[4] == 0x03 && packet->payload[6] == 0x40) || ------------------ | Branch (59:5): [True: 0, False: 3] | Branch (59:35): [True: 0, False: 0] ------------------ 60| 3| (packet->payload[4] == 0x06 && packet->payload[6] == 0x4e)) { ------------------ | Branch (60:5): [True: 0, False: 3] | Branch (60:35): [True: 0, False: 0] ------------------ 61| | 62| 0| ndpi_int_xbox_add_connection(ndpi_struct, flow); 63| 0| NDPI_LOG_INFO(ndpi_struct, "found xbox udp connection detected\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 64| 0| return; 65| 0| } 66| 3| } 67| 5.67k| if ((dport == 3074 || sport == 3074) ------------------ | Branch (67:10): [True: 4, False: 5.67k] | Branch (67:27): [True: 3, False: 5.67k] ------------------ 68| 7| && ((packet->payload_packet_len == 24 && packet->payload[0] == 0x00) ------------------ | Branch (68:7): [True: 2, False: 5] | Branch (68:43): [True: 1, False: 1] ------------------ 69| 6| || (packet->payload_packet_len == 42 && packet->payload[0] == 0x4f && packet->payload[2] == 0x0a) ------------------ | Branch (69:10): [True: 0, False: 6] | Branch (69:46): [True: 0, False: 0] | Branch (69:76): [True: 0, False: 0] ------------------ 70| 6| || (packet->payload_packet_len == 80 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x50bc ------------------ | Branch (70:10): [True: 2, False: 4] | Branch (70:46): [True: 0, False: 2] ------------------ 71| 0| && packet->payload[2] == 0x45) ------------------ | Branch (71:6): [True: 0, False: 0] ------------------ 72| 6| || (packet->payload_packet_len == 40 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xcf5f3202) ------------------ | Branch (72:10): [True: 1, False: 5] | Branch (72:46): [True: 0, False: 1] ------------------ 73| 6| || (packet->payload_packet_len == 38 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xc1457f03) ------------------ | Branch (73:10): [True: 0, False: 6] | Branch (73:46): [True: 0, False: 0] ------------------ 74| 6| || (packet->payload_packet_len == 28 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x015f2c00))) { ------------------ | Branch (74:10): [True: 2, False: 4] | Branch (74:46): [True: 0, False: 2] ------------------ 75| 1| if (flow->l4.udp.xbox_stage == 1) { ------------------ | Branch (75:11): [True: 0, False: 1] ------------------ 76| 0| ndpi_int_xbox_add_connection(ndpi_struct, flow); 77| 0| NDPI_LOG_INFO(ndpi_struct, "found xbox udp connection detected\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 78| 0| return; 79| 0| } 80| 1| NDPI_LOG_DBG(ndpi_struct, "maybe xbox\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 81| 1| flow->l4.udp.xbox_stage++; 82| 1| return; 83| 1| } 84| |/* Disable this code. These checks are quite weak and these ports are not mentioned at 85| | https://support.xbox.com/en-US/help/hardware-network/connect-network/network-ports-used-xbox-live */ 86| |#if 0 87| | else if ((dport == 3075 || dport == 3076 || dport == 3077 || dport == 3078) || 88| | (sport == 3075 || sport == 3076 || sport == 3077 || sport == 3078)) { 89| | ndpi_int_xbox_add_connection(ndpi_struct, flow); 90| | NDPI_LOG_INFO(ndpi_struct, "found xbox udp port connection detected\n"); 91| | return; 92| | } 93| |#endif 94| 5.67k| } 95| | 96| 5.67k| if(flow->packet_counter >= 5) ------------------ | Branch (96:6): [True: 26, False: 5.65k] ------------------ 97| 26| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 26|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 98| 5.67k|} init_xdmcp_dissector: 69| 7.08k|{ 70| 7.08k| ndpi_register_dissector("XDMCP", ndpi_struct, 71| 7.08k| ndpi_search_xdmcp, 72| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 73| 7.08k| 1, NDPI_PROTOCOL_XDMCP); 74| 7.08k|} xdmcp.c:ndpi_search_xdmcp: 41| 17.9k|{ 42| 17.9k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 43| | 44| 17.9k| NDPI_LOG_DBG(ndpi_struct, "search xdmcp\n"); ------------------ | | 596| 17.9k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 45| | 46| 17.9k| if (packet->tcp != NULL && (ntohs(packet->tcp->dest) >= 6000 && ntohs(packet->tcp->dest) <= 6005) ------------------ | Branch (46:7): [True: 13.4k, False: 4.45k] | Branch (46:31): [True: 10.3k, False: 3.08k] | Branch (46:67): [True: 1, False: 10.3k] ------------------ 47| 1| && packet->payload_packet_len == 48 ------------------ | Branch (47:10): [True: 0, False: 1] ------------------ 48| 0| && packet->payload[0] == 0x6c && packet->payload[1] == 0x00 ------------------ | Branch (48:10): [True: 0, False: 0] | Branch (48:40): [True: 0, False: 0] ------------------ 49| 17.9k| && ntohs(get_u_int16_t(packet->payload, 6)) == 0x1200 && ntohs(get_u_int16_t(packet->payload, 8)) == 0x1000) { ------------------ | Branch (49:10): [True: 0, False: 0] | Branch (49:64): [True: 0, False: 0] ------------------ 50| | 51| 0| NDPI_LOG_INFO(ndpi_struct, "found xdmcp over tcp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 52| 0| ndpi_int_xdmcp_add_connection(ndpi_struct, flow); 53| 0| return; 54| 0| } 55| 17.9k| if (packet->udp != NULL && ntohs(packet->udp->dest) == 177 ------------------ | Branch (55:7): [True: 4.45k, False: 13.4k] | Branch (55:30): [True: 1, False: 4.45k] ------------------ 56| 1| && packet->payload_packet_len >= 6 && packet->payload_packet_len == 6 + ntohs(get_u_int16_t(packet->payload, 4)) ------------------ | Branch (56:10): [True: 1, False: 0] | Branch (56:45): [True: 0, False: 1] ------------------ 57| 17.9k| && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0001 && ntohs(get_u_int16_t(packet->payload, 2)) == 0x0002) { ------------------ | Branch (57:10): [True: 0, False: 0] | Branch (57:64): [True: 0, False: 0] ------------------ 58| | 59| 0| NDPI_LOG_INFO(ndpi_struct, "found xdmcp over udp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 60| 0| ndpi_int_xdmcp_add_connection(ndpi_struct, flow); 61| 0| return; 62| 0| } 63| | 64| 17.9k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 17.9k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 65| 17.9k|} init_xiaomi_dissector: 113| 7.08k|void init_xiaomi_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 114| 7.08k| ndpi_register_dissector("Xiaomi", ndpi_struct, 115| 7.08k| ndpi_search_xiaomi, 116| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 117| 7.08k| 1, NDPI_PROTOCOL_XIAOMI); 118| 7.08k|} xiaomi.c:ndpi_search_xiaomi: 83| 11.7k|{ /* Dissector entry point for Xiaomi: matches a 12-byte header at the start of the payload (two 32-bit constants and a network-order length). The signature line is not shown in this listing; packet->payload is untrusted wire data. */ 84| 11.7k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 85| | 86| 11.7k| NDPI_LOG_DBG(ndpi_struct, "search Xiaomi\n"); ------------------ | | 596| 11.7k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 87| | 88| 11.7k| if(packet->payload_packet_len >= 12) { /* The three 4-byte reads below touch bytes 0..11, which this length test covers. */ ------------------ | Branch (88:6): [True: 10.8k, False: 886] ------------------ 89| 10.8k| uint32_t len; 90| | 91| 10.8k| len = ntohl(get_u_int32_t(packet->payload, 4)); /* len comes from the wire. len + 12 is unsigned 32-bit arithmetic and can wrap, but a wrapped sum is below 12 and so cannot equal payload_packet_len, which is >= 12 here (assumes payload_packet_len is an unsigned type - TODO confirm). */ 92| 10.8k| if(len + 12 == packet->payload_packet_len && ------------------ | Branch (92:8): [True: 147, False: 10.7k] ------------------ 93| 10.8k| ntohl(get_u_int32_t(packet->payload, 0)) == 0xC2FE0005 && ------------------ | Branch (93:8): [True: 0, False: 147] ------------------ 94| 10.8k| ntohl(get_u_int32_t(packet->payload, 8)) == 0x00020016) { /* NOTE(review): branch 93:8 was never true in this run, so the detection path below, including the xiaomi_dissect_metadata() call, has zero coverage here. */ ------------------ | Branch (94:8): [True: 0, False: 0] ------------------ 95| 0| NDPI_LOG_INFO(ndpi_struct, "found Xiaomi\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 96| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_XIAOMI, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 97| | 98| | /* Better way to detect "client" packets? */ /* NOTE(review): packet->tcp is dereferenced without a NULL test; presumably non-NULL because the dissector is registered with a TCP-only selection bitmask - confirm. */ 99| 0| if(ntohs(packet->tcp->dest) == 5222) { ------------------ | Branch (99:10): [True: 0, False: 0] ------------------ 100| | /* It seems that the "TLV list" is different for client and for server messages.
101| | For example, the type 0x12 is used as user-agent by the client and 102| | as something else by the server. We are interested in the metadata sent by the client */ 103| 0| xiaomi_dissect_metadata(ndpi_struct, flow, packet->payload, packet->payload_packet_len); /* Hands the whole payload and its length to the metadata parser, which is defined outside this listing. NOTE(review): its TLV bounds handling cannot be judged from here and is not exercised by this run. */ 104| 0| } 105| | 106| 0| return; 107| 0| } 108| 10.8k| } 109| | /* No match: exclude the current dissector for this flow. */ 110| 11.7k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 11.7k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 111| 11.7k|} init_yojimbo_dissector: 64| 7.08k|{ 65| 7.08k| ndpi_register_dissector("Yojimbo", ndpi_struct, 66| 7.08k| ndpi_search_yojimbo, 67| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 68| 7.08k| 1, NDPI_PROTOCOL_YOJIMBO); 69| 7.08k|} yojimbo.c:ndpi_search_yojimbo: 40| 3.34k|{ 41| 3.34k| struct
ndpi_packet_struct const * const packet = &ndpi_struct->packet; 42| | 43| 3.34k| NDPI_LOG_DBG(ndpi_struct, "search Yojimbo\n"); ------------------ | | 596| 3.34k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 3.34k| uint64_t const magic = 0x4e4554434f444520; // "NETCODE " 46| | 47| 3.34k| if (packet->payload_packet_len < 9) ------------------ | Branch (47:7): [True: 142, False: 3.20k] ------------------ 48| 142| { 49| 142| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 142|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 50| 142| return; 51| 142| } 52| | 53| 3.20k| if (packet->payload[0] == 0x00 && ------------------ | Branch (53:7): [True: 960, False: 2.24k] ------------------ 54| 960| get_u_int64_t(packet->payload, 1) == ndpi_htonll(magic)) ------------------ | | 148| 960|#define get_u_int64_t(X,O) (*(u_int64_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (54:7): [True: 0, False: 960] ------------------ 55| 0| { 56| 0| ndpi_int_yojimbo_add_connection(ndpi_struct, flow); 57| 0| return; 58| 0| } 59| | 60| 3.20k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.20k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 61| 3.20k|} init_z3950_dissector: 128| 7.08k|void init_z3950_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 129| 7.08k| ndpi_register_dissector("Z3950", ndpi_struct, 130| 7.08k| ndpi_search_z3950, 131| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 132| 7.08k| 1, NDPI_PROTOCOL_Z3950); 133| 7.08k|} z3950.c:ndpi_search_z3950: 92| 11.9k| struct ndpi_flow_struct *flow) { 93| 11.9k| struct ndpi_packet_struct * packet = &ndpi_struct->packet; 94| 11.9k| int const minimum_expected_sequences = 6; 95| | 96| 11.9k| NDPI_LOG_DBG(ndpi_struct, "search z39.50\n"); ------------------ | | 596| 11.9k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 97| | 98| 11.9k| if(packet->tcp != NULL && packet->payload_packet_len >= 6 && ------------------ | Branch (98:6): [True: 11.9k, False: 0] | Branch (98:29): [True: 11.2k, False: 755] ------------------ 99| 11.2k| flow->packet_counter >= 1 && flow->packet_counter <= 8) { ------------------ | Branch (99:6): [True: 11.2k, False: 0] | Branch (99:35): [True: 11.2k, False: 0] ------------------ 100| 11.2k| int ret = z3950_parse_sequences(flow, packet, minimum_expected_sequences); 101| | 102| 11.2k| if(ret < 0) { ------------------ | Branch (102:8): [True: 10.3k, False: 856] ------------------ 103| 10.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 10.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 104| 10.3k| return; 105| 10.3k| } 106| | 107| 856| if(ret < minimum_expected_sequences) { ------------------ | Branch (107:8): [True: 398, False: 458] ------------------ 108| | /* We've seen not enough sequences, wait for the next packet. 
*/ 109| 398| return; 110| 398| } 111| | 112| 458| if(flow->l4.tcp.z3950_stage == 3) { ------------------ | Branch (112:8): [True: 5, False: 453] ------------------ 113| 5| if(flow->packet_direction_counter[0] && flow->packet_direction_counter[1]) ------------------ | Branch (113:10): [True: 5, False: 0] | Branch (113:47): [True: 5, False: 0] ------------------ 114| 5| ndpi_int_z3950_add_connection(ndpi_struct, flow); 115| 0| else 116| 0| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); /* Skip if unidirectional traffic */ ------------------ | | 91| 0|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 117| 5| } else 118| 453| flow->l4.tcp.z3950_stage++; 119| | 120| 458| return; 121| 856| } 122| | 123| 755| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 755|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 124| 755|} z3950.c:z3950_parse_sequences: 38| 11.2k| int max_sequences) { /* Walks up to max_sequences type/length records in the payload, starting at offset 2. Returns -1 when the payload fails a check, otherwise a count of the records walked. The start of the signature is not shown in this listing; packet->payload is untrusted wire data. */ 39| 11.2k| size_t payload_offset = 2; 40| 11.2k| int cur_sequences = 0; 41| 11.2k| u_int8_t pdu_type; 42| | 43| 11.2k| pdu_type = packet->payload[0] & 0x1F; /* Only the low 5 bits are kept, so pdu_type is 0..31. The caller ndpi_search_z3950 requires payload_packet_len >= 6 before calling, which covers this read of byte 0. */ 44| | 45| 11.2k| if((pdu_type < 20) || ((pdu_type > 36) && ((pdu_type < 43) || (pdu_type > 48)))) /* NOTE(review): with pdu_type <= 31 the (pdu_type > 36) arm can never be true (branch 45:26 shows 0 hits), so this test is effectively pdu_type < 20 and the 37..42 and > 48 exclusions are unreachable. */ ------------------ | Branch (45:6): [True: 8.81k, False: 2.38k] | Branch (45:26): [True: 0, False: 2.38k] | Branch (45:46): [True: 0, False: 0] | Branch (45:65): [True: 0, False: 0] ------------------ 46| 8.81k| return(-1); 47| | 48| | /* Simple check to avoid false positives: the first pkt after the 3WHS 49| | should be a initRequest or a initResponse */ 50| 2.38k| if(ndpi_seen_flow_beginning(flow) && flow->packet_counter == 1 && ------------------ | Branch (50:6): [True: 115, False: 2.27k] | Branch (50:40): [True: 108, False: 7] ------------------ 51| 108| pdu_type != 20 && pdu_type != 21) ------------------ | Branch (51:6): [True:
107, False: 1] | Branch (51:24): [True: 105, False: 2] ------------------ 52| 105| return(-1); 53| | 54| 6.52k| while(cur_sequences++ < max_sequences) { /* Post-increment: inside the body cur_sequences already counts the record being examined. */ ------------------ | Branch (54:9): [True: 6.08k, False: 444] ------------------ 55| 6.08k| u_int8_t const * payload; 56| 6.08k| u_int8_t seq_type; 57| 6.08k| u_int8_t seq_length; 58| | 59| 6.08k| if((payload_offset + 2) >= packet->payload_packet_len) /* Bounds check before the reads of payload[0] and payload[1] below: at least 3 bytes must remain at payload_offset. */ ------------------ | Branch (59:8): [True: 43, False: 6.03k] ------------------ 60| 43| return(-1); 61| | 62| 6.03k| payload = &packet->payload[payload_offset]; 63| | 64| 6.03k| if((payload[0] & 0x1F) == 0x1F) ------------------ | Branch (64:8): [True: 327, False: 5.71k] ------------------ 65| | /* We ignore decoding of complex sequences for now. */ 66| 327| return(cur_sequences); 67| 5.71k| else 68| 5.71k| seq_type = payload[0] & 0x1F; /* 0x1F was returned above, so seq_type is 0..30 here. */ 69| | 70| 5.71k| seq_length = payload[1]; /* Single length byte taken as-is from the wire (0..255). */ 71| | 72| 5.71k| if(seq_type > 51 && (seq_type < 100 || seq_type > 105) && /* NOTE(review): unreachable as written - seq_type cannot exceed 30, and the first comparison was never true in this run (branch 72:8), so no record type is ever rejected here. Presumably meant for tag numbers wider than the 5-bit mask - confirm. */ ------------------ | Branch (72:8): [True: 0, False: 5.71k] | Branch (72:26): [True: 0, False: 0] | Branch (72:44): [True: 0, False: 0] ------------------ 73| 0| (seq_type < 110 || seq_type > 112) && (seq_type < 120 || seq_type > 121) && ------------------ | Branch (73:9): [True: 0, False: 0] | Branch (73:27): [True: 0, False: 0] | Branch (73:47): [True: 0, False: 0] | Branch (73:65): [True: 0, False: 0] ------------------ 74| 0| (seq_type < 201 || seq_type > 221)) ------------------ | Branch (74:9): [True: 0, False: 0] | Branch (74:27): [True: 0, False: 0] ------------------ 75| 0| return(-1); 76| | 77| 5.71k| if(seq_length >= packet->payload_packet_len - payload_offset + 1) /* Rejects a length larger than the bytes left from payload_offset. NOTE(review): the 2 header bytes are not subtracted, so payload_offset can end up to 2 bytes past payload_packet_len after the addition below; nothing is read at that offset because the next iteration's bounds check returns -1. */ ------------------ | Branch (77:8): [True: 1.38k, False: 4.32k] ------------------ 78| 1.38k| return(-1); 79| | 80| 4.32k| payload_offset += seq_length + 2; 81| | 82| 4.32k| if(payload_offset == packet->payload_packet_len) /* The records end exactly at the end of the payload. */ ------------------ | Branch (82:8): [True: 85, False: 4.24k] ------------------ 83| 85| return(cur_sequences); 84| 4.32k| } 85|
| 86| 444| return(cur_sequences - 1); /* The loop ended on its count test; undo the final post-increment. */ 87| 2.28k|} z3950.c:ndpi_int_z3950_add_connection: 31| 5| struct ndpi_flow_struct *flow) { /* Marks the flow as NDPI_PROTOCOL_Z3950 with DPI confidence. */ 32| 5| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_Z3950, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 33| 5|} init_zabbix_dissector: 53| 7.08k|void init_zabbix_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 54| 7.08k| ndpi_register_dissector("Zabbix", ndpi_struct, 55| 7.08k| ndpi_search_zabbix, 56| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION |
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 57| 7.08k| 1, NDPI_PROTOCOL_ZABBIX); 58| 7.08k|} zabbix.c:ndpi_search_zabbix: 38| 13.3k| struct ndpi_flow_struct *flow) { 39| 13.3k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| 13.3k| u_int8_t tomatch[] = { 'Z', 'B', 'X', 'D' }; 41| | 42| 13.3k| NDPI_LOG_DBG(ndpi_struct, "search Zabbix\n"); ------------------ | | 596| 13.3k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 43| | 44| 13.3k| if((packet->payload_packet_len >= 4) ------------------ | Branch (44:6): [True: 13.3k, False: 25] ------------------ 45| 13.3k| && (memcmp(packet->payload, tomatch, 4) == 0)) ------------------ | Branch (45:9): [True: 13, False: 13.3k] ------------------ 46| 13| ndpi_int_zabbix_add_connection(ndpi_struct, flow); 47| 13.3k| else 48| 13.3k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.3k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 49| 13.3k|} zabbix.c:ndpi_int_zabbix_add_connection: 31| 13| struct ndpi_flow_struct *flow) { 32| 13| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZABBIX, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 33| 13|} init_zattoo_dissector: 212| 7.08k|{ 213| 7.08k| ndpi_register_dissector("Zattoo", ndpi_struct, 214| 7.08k| ndpi_search_zattoo, 215| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 649| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 628| 7.08k|#define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP) | | | | ------------------ | | | | | | 607| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 216| 7.08k| 1, NDPI_PROTOCOL_ZATTOO); 217| 7.08k|} zattoo.c:ndpi_search_zattoo: 54| 19.4k|{ /* Dissector entry point for Zattoo over TCP and UDP: matches fixed HTTP request prefixes, a User-Agent line, or binary byte patterns, and keeps per-flow state in flow->zattoo_stage. The signature line is not shown in this listing; packet->payload is untrusted wire data. */ 55| 19.4k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 56| | 57| 19.4k| u_int16_t i; 58| | 59| 19.4k| NDPI_LOG_DBG(ndpi_struct, "search ZATTOO\n"); ------------------ | | 596| 19.4k|# define NDPI_LOG_DBG(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 60| | 61| | /* search over TCP */ 62| 14.3k| if(packet->tcp != NULL) { /* Every memcmp on packet->payload in this TCP branch is preceded by payload_packet_len > 50; the longest compare is 50 bytes. */ ------------------ | Branch (62:6): [True: 14.3k, False: 5.08k] ------------------ 63| 14.3k| if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) { ------------------ | Branch (63:8): [True: 5.80k, False: 8.58k] | Branch (63:43): [True: 1, False: 5.80k] ------------------ 64| | 65| 1| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 66| 1| ZATTOO_DETECTED; ------------------ | | 51| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 67| 1| return; 68| 1| } 69| 14.3k| if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /ZattooAdRedirect/redirect.jsp?user=", 40) == 0) { ------------------ | Branch (69:8): [True: 5.80k, False: 8.58k] | Branch (69:43): [True: 3, False: 5.80k] ------------------ 70| | 71| 3| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n"); ------------------ | | 595| 3|# define NDPI_LOG_INFO(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 72| 3| ZATTOO_DETECTED; ------------------ | | 51| 3| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 73| 3| return; 74| 3| } 75| 14.3k| if(packet->payload_packet_len > 50 && (memcmp(packet->payload, "POST /channelserver/player/channel/update HTTP/1.1", 50) == 0 ------------------ | Branch (75:8): [True: 5.80k, False: 8.58k] | Branch (75:44): [True: 64, False: 5.73k] ------------------ 76| 5.73k| || memcmp(packet->payload, "GET /epg/query", 14) == 0)) { ------------------ | Branch (76:12): [True: 26, False: 5.71k] ------------------ 77| | 78| 90| ndpi_parse_packet_line_info(ndpi_struct, flow); 79| | 80| 812| for(i = 0; i < packet->parsed_lines; i++) { ------------------ | Branch (80:18): [True: 723, False: 89] ------------------ 81| 723| if(packet->line[i].len >= 18 && (memcmp(packet->line[i].ptr, "User-Agent: Zattoo", 18) == 0)) { /* The length test keeps the 18-byte compare inside the parsed line. */ ------------------ | Branch (81:5): [True: 602, False: 121] | Branch (81:34): [True: 1, False: 601] ------------------ 82| | 83| 1| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n"); ------------------ | | 595| 1|# define NDPI_LOG_INFO(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 84| 1| ZATTOO_DETECTED; ------------------ | | 51| 1| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 85| 1| return; 86| 1| } 87| 723| } 88| 14.2k| } else if(packet->payload_packet_len > 50 && (memcmp(packet->payload, "GET /", 5) == 0 || memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0)) { ------------------ | | 98| 5.15k|#define NDPI_STATICSTRING_LEN( s ) ( sizeof( s ) - 1 ) ------------------ | Branch (88:15): [True: 5.71k, False: 8.58k] | Branch (88:51): [True: 554, False: 5.15k] | Branch (88:95): [True: 112, False: 5.04k] ------------------ 89| | /* TODO to avoid searching currently only a specific length and offset is used 90| | * that might be changed later */ 91| 666| ndpi_parse_packet_line_info(ndpi_struct, flow); 92| | 93| 666| if(ndpi_int_zattoo_user_agent_set(ndpi_struct)) { ------------------ | Branch (93:10): [True: 0, False: 666] ------------------ 94| | 95| 0| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET / or POST /\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 96| 0| ZATTOO_DETECTED; ------------------ | | 51| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 97| 0| return; 98| 0| } 99| 13.6k| } else if(packet->payload_packet_len > 50 && memcmp(packet->payload, "POST http://", 12) == 0) { ------------------ | Branch (99:15): [True: 5.04k, False: 8.58k] | Branch (99:50): [True: 4, False: 5.04k] ------------------ 100| | 101| 4| ndpi_parse_packet_line_info(ndpi_struct, flow); 102| | 103| | // test for unique character of the zattoo header 104| 4| if(packet->parsed_lines == 4 && packet->host_line.ptr != NULL && packet->iph) { ------------------ | Branch (104:10): [True: 2, False: 2] | Branch (104:39): [True: 0, False: 2] | Branch (104:72): [True: 0, False: 0] ------------------ 105| 0| u_int32_t ip; 106| 0| u_int16_t bytes_read = 0; 107| | 108| 0| ip = ndpi_bytestream_to_ipv4(&packet->payload[12], packet->payload_packet_len, &bytes_read); /* NOTE(review): the pointer is advanced 12 bytes but the length passed is the full payload_packet_len; if the callee treats that argument as the number of bytes readable from the pointer, the bound is 12 too large and payload_packet_len - 12 would be the matching value - confirm against ndpi_bytestream_to_ipv4. This path has 0 hits in this run. */ 109| | 110| | // and now test the firt 5 bytes of the payload for zattoo pattern 111| 0| if(ip == packet->iph->daddr ------------------ | Branch (111:5): [True: 0, False: 0] ------------------ 112| 0| && packet->empty_line_position_set != 0 ------------------ | Branch (112:8): [True: 0, False: 0] ------------------ 113| 0| && ((packet->payload_packet_len - packet->empty_line_position) > 10) /* Keeps the payload[empty_line_position + 2..7] reads below inside the payload. */ ------------------ | Branch (113:8): [True: 0, False: 0] ------------------ 114| 0| && packet->payload[packet->empty_line_position + 2] == ------------------ | Branch (114:8): [True: 0, False: 0] ------------------ 115| 0| 0x03 116| 0| && packet->payload[packet->empty_line_position + 3] == ------------------ | Branch (116:8): [True: 0, False: 0] ------------------ 117| 0| 0x04 118| 0| && packet->payload[packet->empty_line_position + 4] == ------------------ | Branch (118:8): [True: 0, False: 0] ------------------ 119| 0| 0x00 120| 0| &&
packet->payload[packet->empty_line_position + 5] == ------------------ | Branch (120:8): [True: 0, False: 0] ------------------ 121| 0| 0x04 122| 0| && packet->payload[packet->empty_line_position + 6] == ------------------ | Branch (122:8): [True: 0, False: 0] ------------------ 123| 0| 0x0a && packet->payload[packet->empty_line_position + 7] == 0x00) { ------------------ | Branch (123:13): [True: 0, False: 0] ------------------ 124| | 125| 0| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern POST http://\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 126| 0| ZATTOO_DETECTED; ------------------ | | 51| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 127| 0| return; 128| 0| } 129| 0| } 130| 13.6k| } else if(flow->zattoo_stage == 0) { ------------------ | Branch (130:15): [True: 13.6k, False: 0] ------------------ 131| | 132| 13.6k| if(packet->payload_packet_len > 50 ------------------ | Branch (132:10): [True: 5.04k, False: 8.58k] ------------------ 133| 5.04k| && packet->payload[0] == 0x03 ------------------ | Branch (133:6): [True: 15, False: 5.02k] ------------------ 134| 15| && packet->payload[1] == 0x04 ------------------ | Branch (134:6): [True: 1, False: 14] ------------------ 135| 1| && packet->payload[2] == 0x00 ------------------ | Branch (135:6): [True: 0, False: 1] ------------------ 136| 0| && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { ------------------ | Branch (136:6): [True: 0, False: 0] | Branch (136:36): [True: 0, False: 0] | Branch (136:66): [True: 0, False: 0] ------------------ 137| 0| flow->zattoo_stage = 1 + packet->packet_direction; 138| 0| NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x030400040a00\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 139| 0| return; 140| 0| } 141| | /* the following is searching for flash, not for zattoo. */ 142| 13.6k| } else if(flow->zattoo_stage == 2 - packet->packet_direction && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { /* NOTE(review): the stage > 0 branches from here on were never entered in this run (branch 130:15 was always true), so the multi-packet state handling is unexercised. */ ------------------ | Branch (142:15): [True: 0, False: 0] | Branch (142:69): [True: 0, False: 0] | Branch (142:104): [True: 0, False: 0] | Branch (142:134): [True: 0, False: 0] ------------------ 143| | 144| 0| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with 0x0304\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 145| 0| ZATTOO_DETECTED; ------------------ | | 51| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 146| 0| return; 147| | 148| 0| } else if(flow->zattoo_stage == 1 + packet->packet_direction) { ------------------ | Branch (148:15): [True: 0, False: 0] ------------------ 149| 0| if(packet->payload_packet_len > 500 && packet->payload[0] == 0x00 && packet->payload[1] == 0x00) { ------------------ | Branch (149:10): [True: 0, False: 0] | Branch (149:46): [True: 0, False: 0] | Branch (149:76): [True: 0, False: 0] ------------------ 150| | 151| 0| flow->zattoo_stage = 3 + packet->packet_direction; 152| | 153| 0| NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x0000\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 154| 0| return; 155| 0| } 156| |#if 0 157| | if(packet->payload_packet_len > 50 158| | && packet->payload[0] == 0x03 159| | && packet->payload[1] == 0x04 160| | && packet->payload[2] == 0x00 161| | && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { 162| | } 163| |#endif 164| | 165| 0| NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x030400040a00\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 166| 0| return; 167| | 168| 0| } else if(flow->zattoo_stage == 4 - packet->packet_direction && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { ------------------ | Branch (168:15): [True: 0, False: 0] | Branch (168:69): [True: 0, False: 0] | Branch (168:104): [True: 0, False: 0] | Branch (168:134): [True: 0, False: 0] ------------------ 169| | 170| 0| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with 0x0304\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 171| 0| ZATTOO_DETECTED; ------------------ | | 51| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 172| 0| return; 173| | 174| 0| } 175| | 176| 14.3k| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 14.3k|# define NDPI_LOG_DBG2(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 177| 14.3k| "ZATTOO: discarded the flow (TCP): packet_size: %u; Flowstage: %u\n", 178| 14.3k| packet->payload_packet_len, flow->zattoo_stage); 179| | 180| 14.3k| } 181| | /* search over UDP */ 182| 5.08k| else if(packet->udp != NULL) { /* The 2- and 4-byte reads at payload offset 0 below are covered by the payload_packet_len > 20 test that precedes them. */ ------------------ | Branch (182:11): [True: 5.08k, False: 0] ------------------ 183| | 184| 5.08k| if(packet->payload_packet_len > 20 && (packet->udp->dest == htons(5003) || packet->udp->source == htons(5003)) ------------------ | Branch (184:8): [True: 4.85k, False: 228] | Branch (184:44): [True: 0, False: 4.85k] | Branch (184:80): [True: 0, False: 4.85k] ------------------ 185| 0| && (get_u_int16_t(packet->payload, 0) == htons(0x037a) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (185:12): [True: 0, False: 0] ------------------ 186| 0| || get_u_int16_t(packet->payload, 0) == htons(0x0378) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (186:8): [True: 0, False: 0] ------------------ 187| 0| || get_u_int16_t(packet->payload, 0) == htons(0x0305) ------------------ | | 136| 0|#define get_u_int16_t(X,O) (*(u_int16_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (187:8): [True: 0, False: 0] ------------------ 188| 0| || get_u_int32_t(packet->payload, 0) == htonl(0x03040004) ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (188:8): [True: 0, False: 0] ------------------ 189| 0| || get_u_int32_t(packet->payload, 0) == htonl(0x03010005))) { ------------------ | | 137| 0|#define get_u_int32_t(X,O) (*(u_int32_t *)((&(((u_int8_t *)X)[O])))) ------------------ | Branch (189:8): [True: 0, False: 0] ------------------ 190| | 191| 0| if(++flow->zattoo_stage == 2) { ------------------ | Branch (191:10): [True: 0, False: 0] ------------------ 192| |
193| 0| NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over udp\n"); ------------------ | | 595| 0|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 194| 0| ZATTOO_DETECTED; ------------------ | | 51| 0| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI /* TODO */) ------------------ 195| 0| return; 196| 0| } 197| 0| NDPI_LOG_DBG2(ndpi_struct, "need next packet udp\n"); ------------------ | | 597| 0|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 198| 0| return; 199| 0| } 200| | 201| 5.08k| NDPI_LOG_DBG2(ndpi_struct, ------------------ | | 597| 5.08k|# define NDPI_LOG_DBG2(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 202| 5.08k| "ZATTOO: discarded the flow (UDP): packet_size: %u; Flowstage: %u\n", 203| 5.08k| packet->payload_packet_len, flow->zattoo_stage); 204| | 205| 5.08k| } 206| | /* Nothing matched and no further packet is awaited: exclude the current dissector for this flow. */ 207| 19.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 19.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 208| 19.4k|} zattoo.c:ndpi_int_zattoo_user_agent_set: 38| 666|{ 39| 666| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 40| | 41| 666| if(packet->user_agent_line.ptr != NULL && packet->user_agent_line.len == 111) { ------------------ | Branch (41:6): [True: 124, False: 542] | Branch (41:45): [True: 1, False: 123] ------------------ 42| 1| if(memcmp(packet->user_agent_line.ptr + packet->user_agent_line.len - 25, "Zattoo/4", sizeof("Zattoo/4") - 1) == 0) { /* len is fixed at 111 by the test above, so the 8 bytes compared at ptr + len - 25 lie inside the User-Agent line. */ ------------------ | Branch (42:8): [True: 0, False: 1] ------------------ 43| 0| NDPI_LOG_DBG(ndpi_struct, "found zattoo useragent\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...)
{ (void)mod; /* printf(args); */ } ------------------ 44| 0| return 1; 45| 0| } 46| 1| } 47| 666| return 0; 48| 666|} init_zmq_dissector: 49| 7.08k|{ 50| 7.08k| ndpi_register_dissector("ZeroMQ", ndpi_struct, 51| 7.08k| ndpi_search_zmq, 52| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, ------------------ | | 645| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 626| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP) | | | | ------------------ | | | | | | 605| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 609| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5) | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 53| 7.08k| 1, NDPI_PROTOCOL_ZMQ); 54| 
7.08k|} zeromq.c:ndpi_search_zmq: 30| 13.4k|{ 31| 13.4k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 32| | 33| 13.4k| NDPI_LOG_DBG(ndpi_struct, "search ZMQ\n"); ------------------ | | 596| 13.4k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 34| | 35| 13.4k| if (packet->payload_packet_len > 9) { ------------------ | Branch (35:7): [True: 12.5k, False: 877] ------------------ 36| 12.5k| if (memcmp(packet->payload, zmtp_signature, sizeof(zmtp_signature)) == 0) { ------------------ | Branch (36:9): [True: 4, False: 12.5k] ------------------ 37| 4| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZMQ, 38| 4| NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); 39| 4| NDPI_LOG_INFO(ndpi_struct, "found ZMQ\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 40| 4| return; 41| 4| } 42| 12.5k| } 43| | 44| 13.4k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 13.4k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 45| 13.4k|} init_zoom_dissector: 250| 7.08k|void init_zoom_dissector(struct ndpi_detection_module_struct *ndpi_struct) { 251| 7.08k| ndpi_register_dissector("Zoom", ndpi_struct, 252| 7.08k| ndpi_search_zoom, 253| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define 
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 254| 7.08k| 1, NDPI_PROTOCOL_ZOOM); 255| 7.08k|} zoom.c:ndpi_search_zoom: 181| 3.35k| struct ndpi_flow_struct *flow) { 182| 3.35k| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 183| 3.35k| u_int8_t tomatch[] = { 0x01, 0x00, 0x03 }; /* Usually first pkt from the client */ 184| 3.35k| u_int8_t tomatch_a[] = { 0x01, 0x00, 0x02 }; /* Other first pkt from the client */ 185| 3.35k| u_int8_t tomatch2[] = { 0x02, 0x00, 0x03 }; /* Usually first pkt from the server: useful with asymmetric traffic */ 186| 3.35k| u_int8_t tomatch2_a[] = { 0x02, 0x00, 0x02 }; /* Other first pkt from the server */ 187| 3.35k| u_int8_t tomatch_p2p[] = { 0x1f, 0x02, 0x01 }; /* Usually first pkt for P2P connections */ 188| | 189| 3.35k| NDPI_LOG_DBG(ndpi_struct, "search Zoom\n"); ------------------ | | 596| 3.35k|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 190| | 191| 3.35k| if(is_zoom_port(flow) && ------------------ | Branch (191:6): [True: 24, False: 3.32k] ------------------ 192| 24| packet->payload_packet_len > sizeof(struct zoom_sfu_enc)) { ------------------ | Branch (192:6): [True: 23, False: 1] ------------------ 193| | /* SFU types 1 and 2 */ 194| 23| if(memcmp(packet->payload, tomatch, 3) == 0 || ------------------ | Branch (194:8): [True: 0, False: 23] ------------------ 195| 23| memcmp(packet->payload, tomatch_a, 3) == 0 || ------------------ | Branch (195:8): [True: 0, False: 23] ------------------ 196| 23| memcmp(packet->payload, tomatch2, 3) == 0 || ------------------ | Branch (196:8): [True: 0, False: 23] ------------------ 197| 23| memcmp(packet->payload, tomatch2_a, 3) == 0) { ------------------ | Branch (197:8): [True: 0, False: 23] ------------------ 198| 0| ndpi_int_zoom_add_connection(ndpi_struct, flow); 199| 0| return; 200| | 201| | /* SFU types 3 and 4. This check is quite weak: let give time to the other 202| | dissectors to kick in */ 203| 23| } else if((packet->payload[0] == 0x03 || packet->payload[0] == 0x04)) { ------------------ | Branch (203:16): [True: 0, False: 23] | Branch (203:46): [True: 1, False: 22] ------------------ 204| 1| if(flow->packet_counter < 4) ------------------ | Branch (204:10): [True: 1, False: 0] ------------------ 205| 1| return; 206| 0| ndpi_int_zoom_add_connection(ndpi_struct, flow); 207| 0| return; 208| | 209| | /* SFU types 5 */ 210| 22| } else if(is_sfu_5(ndpi_struct, flow)) { ------------------ | Branch (210:15): [True: 4, False: 18] ------------------ 211| 4| ndpi_int_zoom_add_connection(ndpi_struct, flow); 212| 4| return; 213| 4| } 214| 3.32k| } else if(packet->payload_packet_len > 36 && ------------------ | Branch (214:13): [True: 2.80k, False: 528] ------------------ 215| 2.80k| memcmp(packet->payload, tomatch_p2p, 3) == 0 && ------------------ | Branch (215:13): [True: 8, False: 2.79k] 
------------------ 216| 8| *(u_int32_t *)&packet->payload[packet->payload_packet_len - 4] == 0) { ------------------ | Branch (216:13): [True: 2, False: 6] ------------------ 217| 2| u_int64_t ip_len, uuid_len; 218| | 219| | /* Check if it is a Peer-To-Peer call. 220| | According to the paper, P2P calls should use "Zoom Media Encapsulation" 221| | header without any "Zoom SFU Encapsulation". 222| | Looking at the traces, it seems that the packet structure is something like: 223| | * ZME type 0x1F 224| | * initial header 24 byte long, without any obvious sequence number field 225| | * a Length-Value list of attributes (4 bytes length field) 226| | * an ip address (as string) 227| | * some kind of UUID 228| | * 4 bytes as 0x00 at the end 229| | */ 230| | 231| 2| ip_len = ntohl(*(u_int32_t *)&packet->payload[24]); 232| | 233| 2| if(24 + 4 + ip_len + 4 < packet->payload_packet_len) { ------------------ | Branch (233:8): [True: 1, False: 1] ------------------ 234| 1| uuid_len = ntohl(*(u_int32_t *)&packet->payload[24 + 4 + ip_len]); 235| | 236| 1| if(packet->payload_packet_len == 24 + 4 + ip_len + 4 + uuid_len + 4) { ------------------ | Branch (236:10): [True: 0, False: 1] ------------------ 237| 0| NDPI_LOG_DBG(ndpi_struct, "found P2P Zoom\n"); ------------------ | | 596| 0|# define NDPI_LOG_DBG(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 238| 0| flow->l4.udp.zoom_p2p = 1; 239| 0| ndpi_int_zoom_add_connection(ndpi_struct, flow); 240| 0| return; 241| 0| } 242| 1| } 243| 2| } 244| | 245| 3.34k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.34k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 246| 3.34k|} zoom.c:is_zoom_port: 75| 3.35k|{ 76| | /* https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060548 */ 77| 3.35k| if((ntohs(flow->c_port) >= 8801 && ntohs(flow->c_port) <= 8810) || ------------------ | Branch (77:7): [True: 2.25k, False: 1.09k] | Branch (77:38): [True: 14, False: 2.24k] ------------------ 78| 3.33k| (ntohs(flow->s_port) >= 8801 && ntohs(flow->s_port) <= 8810)) ------------------ | Branch (78:7): [True: 1.20k, False: 2.13k] | Branch (78:38): [True: 10, False: 1.19k] ------------------ 79| 24| return 1; 80| 3.32k| return 0; 81| 3.35k|} zoom.c:ndpi_int_zoom_add_connection: 53| 4| struct ndpi_flow_struct *flow) { 54| 4| u_int16_t master; 55| | 56| 4| if(flow->flow_multimedia_types != ndpi_multimedia_unknown_flow) ------------------ | Branch (56:6): [True: 3, False: 1] ------------------ 57| 3| master = NDPI_PROTOCOL_SRTP; 58| 1| else 59| 1| master = NDPI_PROTOCOL_UNKNOWN; 60| | 61| 4| NDPI_LOG_INFO(ndpi_struct, "found Zoom\n"); ------------------ | | 595| 4|# define NDPI_LOG_INFO(mod, args...) 
{ (void)mod; /* printf(args); */ } ------------------ 62| 4| ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM, master, NDPI_CONFIDENCE_DPI); 63| | 64| 4| if(!flow->extra_packets_func) { ------------------ | Branch (64:6): [True: 4, False: 0] ------------------ 65| 4| if(keep_extra_dissection(flow) && ------------------ | Branch (65:8): [True: 1, False: 3] ------------------ 66| 1| ndpi_struct->cfg.zoom_max_packets_extra_dissection > 0) { ------------------ | Branch (66:8): [True: 1, False: 0] ------------------ 67| 1| NDPI_LOG_DBG(ndpi_struct, "Enabling extra dissection\n"); ------------------ | | 596| 1|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 68| 1| flow->max_extra_packets_to_check = ndpi_struct->cfg.zoom_max_packets_extra_dissection; 69| 1| flow->extra_packets_func = zoom_search_again; 70| 1| } 71| 4| } 72| 4|} zoom.c:keep_extra_dissection: 156| 4|{ 157| 4| return flow->detected_protocol_stack[1] == NDPI_PROTOCOL_UNKNOWN; /* No sub-classification */ 158| 4|} zoom.c:is_zme: 86| 19|{ 87| 19| if(payload_len > sizeof(struct zoom_media_enc)) { ------------------ | Branch (87:6): [True: 19, False: 0] ------------------ 88| 19| struct zoom_media_enc *enc = (struct zoom_media_enc *)payload; 89| | 90| 19| switch(enc->enc_type) { 91| 1| case 13: /* Screen Share: RTP is not always there, expecially at the beginning of the flow */ ------------------ | Branch (91:5): [True: 1, False: 18] ------------------ 92| 1| if(payload_len > 27) { ------------------ | Branch (92:10): [True: 1, False: 0] ------------------ 93| 1| if(is_rtp_or_rtcp(ndpi_struct, payload + 27, payload_len - 27, NULL) == IS_RTP) { ------------------ | Branch (93:13): [True: 0, False: 1] ------------------ 94| 0| flow->flow_multimedia_types |= ndpi_multimedia_screen_sharing_flow; 95| 0| } 96| 1| return 1; 97| 1| } 98| 0| break; 99| | 100| 0| case 30: /* P2P Screen Share: it seems RTP is always present */ ------------------ | Branch (100:5): 
[True: 0, False: 19] ------------------ 101| 0| if(payload_len > 20 && ------------------ | Branch (101:10): [True: 0, False: 0] ------------------ 102| 0| is_rtp_or_rtcp(ndpi_struct, payload + 20, payload_len - 20, NULL) == IS_RTP) { ------------------ | Branch (102:10): [True: 0, False: 0] ------------------ 103| 0| flow->flow_multimedia_types |= ndpi_multimedia_screen_sharing_flow; 104| 0| return 1; 105| 0| } 106| 0| break; 107| | 108| 3| case 15: /* RTP Audio */ ------------------ | Branch (108:5): [True: 3, False: 16] ------------------ 109| 3| if(payload_len > 19 && ------------------ | Branch (109:10): [True: 3, False: 0] ------------------ 110| 3| is_rtp_or_rtcp(ndpi_struct, payload + 19, payload_len - 19, NULL) == IS_RTP) { ------------------ | Branch (110:10): [True: 0, False: 3] ------------------ 111| 0| flow->flow_multimedia_types |= ndpi_multimedia_audio_flow; 112| 0| return 1; 113| 0| } 114| 3| break; 115| | 116| 4| case 16: /* RTP Video */ ------------------ | Branch (116:5): [True: 4, False: 15] ------------------ 117| 4| if(payload_len > 24 && ------------------ | Branch (117:10): [True: 4, False: 0] ------------------ 118| 4| is_rtp_or_rtcp(ndpi_struct, payload + 24, payload_len - 24, NULL) == IS_RTP) { ------------------ | Branch (118:10): [True: 3, False: 1] ------------------ 119| 3| flow->flow_multimedia_types |= ndpi_multimedia_video_flow; 120| 3| return 1; 121| 3| } 122| 1| break; 123| | 124| 1| case 33: /* RTCP */ ------------------ | Branch (124:5): [True: 0, False: 19] ------------------ 125| 0| case 34: /* RTCP */ ------------------ | Branch (125:5): [True: 0, False: 19] ------------------ 126| 1| case 35: /* RTCP */ ------------------ | Branch (126:5): [True: 1, False: 18] ------------------ 127| 1| if(payload_len > 16 && ------------------ | Branch (127:10): [True: 1, False: 0] ------------------ 128| 1| is_rtp_or_rtcp(ndpi_struct, payload + 16, payload_len - 16, NULL) == IS_RTCP) { ------------------ | Branch (128:10): [True: 0, 
False: 1] ------------------ 129| 0| return 1; 130| 0| } 131| 1| break; 132| | 133| 10| default: ------------------ | Branch (133:5): [True: 10, False: 9] ------------------ 134| 10| return 0; 135| 19| } 136| 19| } 137| 5| return 0; 138| 19|} zoom.c:is_sfu_5: 142| 22|{ 143| 22| struct ndpi_packet_struct *packet = &ndpi_struct->packet; 144| | 145| | /* SFU types 5 */ 146| 22| if(packet->payload[0] == 0x05 && ------------------ | Branch (146:6): [True: 19, False: 3] ------------------ 147| 19| packet->payload_packet_len > sizeof(struct zoom_sfu_enc) + ------------------ | Branch (147:6): [True: 19, False: 0] ------------------ 148| 19| sizeof(struct zoom_media_enc)) { 149| 19| return is_zme(ndpi_struct, flow, &packet->payload[sizeof(struct zoom_sfu_enc)], 150| 19| packet->payload_packet_len - sizeof(struct zoom_sfu_enc)); 151| 19| } 152| 3| return 0; 153| 22|} init_zug_dissector: 62| 7.08k|{ 63| 7.08k| ndpi_register_dissector("ZUG", ndpi_struct, 64| 7.08k| ndpi_search_zug, 65| 7.08k| NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, ------------------ | | 633| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 627| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 611| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7) | | | | ------------------ | | | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP (NDPI_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 | NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP) | | | | ------------------ | | | | | | 606| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2) | | | | ------------------ | | ------------------ | | #define NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD (NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP | 
NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) | | ------------------ | | | | 608| 7.08k|#define NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4) | | ------------------ ------------------ 66| 7.08k| 1, NDPI_PROTOCOL_ZUG); 67| 7.08k|} zug.c:ndpi_search_zug: 40| 3.32k|{ 41| 3.32k| struct ndpi_packet_struct const * const packet = &ndpi_struct->packet; 42| | 43| 3.32k| NDPI_LOG_DBG(ndpi_struct, "search ZUG Consensus Protocol (ZUG)\n"); ------------------ | | 596| 3.32k|# define NDPI_LOG_DBG(mod, args...) { (void)mod; /* printf(args); */ } ------------------ 44| | 45| 3.32k| if (packet->payload_packet_len < 5) ------------------ | Branch (45:7): [True: 124, False: 3.20k] ------------------ 46| 124| { 47| 124| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 124|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 48| 124| return; 49| 124| } 50| | 51| 3.20k| if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x007a5547 /* "\x00ZUG" */ && ------------------ | Branch (51:7): [True: 0, False: 3.20k] ------------------ 52| 0| packet->payload[4] == 0x10) ------------------ | Branch (52:7): [True: 0, False: 0] ------------------ 53| 0| { 54| 0| ndpi_int_zug_add_connection(ndpi_struct, flow); 55| 0| return; 56| 0| } 57| | 58| 3.20k| NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow); ------------------ | | 91| 3.20k|#define NDPI_EXCLUDE_DISSECTOR(mod,flow) exclude_dissector(mod, flow, mod->current_dissector_idx, __FILE__, __func__, __LINE__) ------------------ 59| 3.20k|} gcrypt_light.c:mbedtls_cipher_get_block_size: 574| 222|{ 575| 222| MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 ); ------------------ | | 30| 222|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | ------------------ | | | Branch (30:67): [Folded, False: 222] | | ------------------ ------------------ 576| 222| if( ctx->cipher_info == NULL ) ------------------ | Branch (576:9): [True: 0, 
False: 222] ------------------ 577| 0| return 0; 578| | 579| 222| return ctx->cipher_info->block_size; 580| 222|} ac_automata_init: 164| 28.8k|{ 165| 28.8k| AC_AUTOMATA_t * thiz; 166| |// if(!mc) return NULL; 167| 28.8k| thiz = (AC_AUTOMATA_t *)acho_calloc(1,sizeof(AC_AUTOMATA_t)); ------------------ | | 107| 28.8k|#define acho_calloc(a,b) ndpi_calloc(a,b) ------------------ 168| 28.8k| if(!thiz) return NULL; ------------------ | Branch (168:6): [True: 1.89k, False: 26.9k] ------------------ 169| 26.9k| thiz->root = node_create (); 170| 26.9k| if(!thiz->root) { ------------------ | Branch (170:6): [True: 1.39k, False: 25.5k] ------------------ 171| 1.39k| acho_free(thiz); ------------------ | | 109| 1.39k|#define acho_free(a) ndpi_free(a) ------------------ 172| 1.39k| return NULL; 173| 1.39k| } 174| 25.5k| thiz->root->id = 1; 175| 25.5k| thiz->root->root = 1; 176| 25.5k| thiz->total_patterns = 0; 177| 25.5k| thiz->automata_open = 1; 178| 25.5k| thiz->match_handler = mc; 179| 25.5k| thiz->to_lc = 0; 180| 25.5k| thiz->no_root_range = 0; 181| 25.5k| thiz->add_to_range = REALLOC_CHUNK_OUTGOING*2; ------------------ | | 36| 25.5k|#define REALLOC_CHUNK_OUTGOING 8 ------------------ 182| 25.5k| return thiz; 183| 26.9k|} ac_automata_feature: 194| 25.4k|{ 195| 25.4k| if(!thiz) return ACERR_ERROR; ------------------ | Branch (195:6): [True: 0, False: 25.4k] ------------------ 196| 25.4k| if(thiz->all_nodes_num || thiz->total_patterns) return ACERR_ERROR; ------------------ | Branch (196:6): [True: 0, False: 25.4k] | Branch (196:29): [True: 0, False: 25.4k] ------------------ 197| 25.4k| thiz->to_lc = (feature & AC_FEATURE_LC) != 0; ------------------ | | 256| 25.4k|#define AC_FEATURE_LC 2 ------------------ 198| 25.4k| thiz->no_root_range = (feature & AC_FEATURE_NO_ROOT_RANGE) != 0; ------------------ | | 257| 25.4k|#define AC_FEATURE_NO_ROOT_RANGE 4 ------------------ 199| 25.4k| return ACERR_SUCCESS; 200| 25.4k|} ac_automata_name: 203| 25.4k|{ 204| 25.4k| if(!thiz) return 
ACERR_ERROR; ------------------ | Branch (204:6): [True: 0, False: 25.4k] ------------------ 205| 25.4k| strncpy(thiz->name,name,sizeof(thiz->name)-1); 206| 25.4k| thiz->debug = debug != 0; 207| 25.4k| return ACERR_SUCCESS; 208| 25.4k|} ac_automata_add: 226| 10.7M|{ 227| 10.7M| unsigned int i; 228| 10.7M| AC_NODE_t * n; 229| 10.7M| AC_NODE_t * next; 230| 10.7M| AC_ALPHABET_t alpha; 231| | 232| 10.7M| if(!thiz || !patt || !patt->astring) ------------------ | Branch (232:6): [True: 44.4k, False: 10.6M] | Branch (232:15): [True: 0, False: 10.6M] | Branch (232:24): [True: 0, False: 10.6M] ------------------ 233| 44.4k| return ACERR_ERROR; 234| | 235| 10.6M| n = thiz->root; 236| | 237| 10.6M| if(!thiz->automata_open) ------------------ | Branch (237:6): [True: 0, False: 10.6M] ------------------ 238| 0| return ACERR_AUTOMATA_CLOSED; 239| | 240| 10.6M| if (!patt->length) ------------------ | Branch (240:7): [True: 0, False: 10.6M] ------------------ 241| 0| return ACERR_ZERO_PATTERN; 242| | 243| 10.6M| if (patt->length > AC_PATTRN_MAX_LENGTH) ------------------ | | 29| 10.6M|#define AC_PATTRN_MAX_LENGTH 256 ------------------ | Branch (243:7): [True: 0, False: 10.6M] ------------------ 244| 0| return ACERR_LONG_PATTERN; 245| | 246| 180M| for (i=0; i<patt->length; i++) { ------------------ | Branch (246:13): [True: 176M, False: 4.44M] ------------------ 247| 176M| alpha = patt->astring[i]; 248| 176M| if(thiz->to_lc) ------------------ | Branch (248:10): [True: 176M, False: 0] ------------------ 249| 176M| alpha = (AC_ALPHABET_t)aho_lc[(uint8_t)alpha]; 250| | 251| 176M| if((next = node_find_next(n, alpha)) != 0) { ------------------ | Branch (251:10): [True: 81.1M, False: 94.9M] ------------------ 252| 81.1M| n = next; 253| 81.1M| continue; 254| 81.1M| } 255| 94.9M| if(!(next = node_create_next(n, alpha))) ------------------ | Branch (255:10): [True: 6.23M, False: 88.7M] ------------------ 256| 6.23M| return ACERR_ERROR; 257| 88.7M| next->id = ++thiz->id; 258| 88.7M| 
thiz->all_nodes_num++; 259| 88.7M| n = next; 260| 88.7M| } 261| 4.44M| if(thiz->max_str_len < patt->length) ------------------ | Branch (261:6): [True: 126k, False: 4.32M] ------------------ 262| 126k| thiz->max_str_len = patt->length; 263| | 264| 4.44M| if(n->final && n->matched_patterns) { ------------------ | Branch (264:6): [True: 0, False: 4.44M] | Branch (264:18): [True: 0, False: 0] ------------------ 265| | /* original code */ 266| 0| patt->rep.number = n->matched_patterns->patterns[0].rep.number; 267| 0| return ACERR_DUPLICATE_PATTERN; 268| 0| } 269| | 270| 4.44M| if(node_register_matchstr(n, patt, 0)) ------------------ | Branch (270:6): [True: 271k, False: 4.17M] ------------------ 271| 271k| return ACERR_ERROR; 272| | 273| 4.17M| thiz->total_patterns++; 274| | 275| 4.17M| return ACERR_SUCCESS; 276| 4.44M|} ac_automata_walk: 280| 73.8k|{ 281| 73.8k| unsigned int ip; 282| 73.8k| AC_NODE_t *next, *n; 283| 73.8k| struct ac_path * path = thiz->ac_path; 284| 73.8k| AC_ERROR_t r; 285| | 286| 73.8k| ip = 1; 287| 73.8k| path[1].n = thiz->root; 288| 73.8k| path[1].idx = 0; 289| | 290| 386M| while(ip) { ------------------ | Branch (290:9): [True: 386M, False: 68.0k] ------------------ 291| 386M| unsigned int i,last; 292| 386M| n = path[ip].n; 293| 386M| i = path[ip].idx; 294| 386M| last = !n->outgoing || (n->one && i > 0) || (!n->one && i >= n->outgoing->degree); ------------------ | Branch (294:12): [True: 19.2M, False: 366M] | Branch (294:29): [True: 329M, False: 37.4M] | Branch (294:39): [True: 164M, False: 164M] | Branch (294:50): [True: 37.4M, False: 164M] | Branch (294:61): [True: 9.12M, False: 28.3M] ------------------ 295| 386M| if(node_cb && (!i || last)) { ------------------ | Branch (295:8): [True: 216M, False: 169M] | Branch (295:20): [True: 108M, False: 108M] | Branch (295:26): [True: 97.2M, False: 10.8M] ------------------ 296| 205M| r = node_cb(thiz, n, i, data); 297| 205M| if(r != ACERR_SUCCESS) return r; ------------------ | Branch (297:16): 
[True: 5.79k, False: 205M] ------------------ 298| 205M| } 299| 385M| if(last) { ------------------ | Branch (299:8): [True: 192M, False: 193M] ------------------ 300| 192M| ip--; continue; 301| 192M| } 302| 193M| next = NULL; 303| 193M| if(n->one) { ------------------ | Branch (303:8): [True: 164M, False: 28.3M] ------------------ 304| 164M| next = (AC_NODE_t *)n->outgoing; 305| 164M| } else { 306| 40.6M| while(i < n->outgoing->degree) { ------------------ | Branch (306:15): [True: 40.6M, False: 0] ------------------ 307| 40.6M| next = n->outgoing->next[i]; 308| 40.6M| if(next) break; ------------------ | Branch (308:16): [True: 28.3M, False: 12.3M] ------------------ 309| 12.3M| i++; 310| 12.3M| } 311| 28.3M| } 312| 193M| if(!next) { ------------------ | Branch (312:8): [True: 0, False: 193M] ------------------ 313| 0| if(!n->range || i >= n->outgoing->degree) { ------------------ | Branch (313:12): [True: 0, False: 0] | Branch (313:25): [True: 0, False: 0] ------------------ 314| 0| r = node_cb ? node_cb(thiz, n, i, data):ACERR_SUCCESS; ------------------ | Branch (314:17): [True: 0, False: 0] ------------------ 315| 0| if(r != ACERR_SUCCESS) return r; ------------------ | Branch (315:16): [True: 0, False: 0] ------------------ 316| 0| } 317| 0| ip--; continue; 318| 0| } 319| | 320| 193M| if(n->depth < AC_PATTRN_MAX_LENGTH) { ------------------ | | 29| 193M|#define AC_PATTRN_MAX_LENGTH 256 ------------------ | Branch (320:8): [True: 193M, False: 0] ------------------ 321| 193M| path[n->depth].l = n->one ? 
n->one_alpha: ------------------ | Branch (321:32): [True: 164M, False: 28.3M] ------------------ 322| 193M| edge_get_alpha(n->outgoing)[i]; 323| 193M| if(alpha_cb) ------------------ | Branch (323:16): [True: 84.8M, False: 108M] ------------------ 324| 84.8M| alpha_cb(thiz, n, next, i, data); 325| 193M| } 326| | 327| 193M| path[ip].idx = i+1; 328| 193M| if(ip > AC_PATTRN_MAX_LENGTH) ------------------ | | 29| 193M|#define AC_PATTRN_MAX_LENGTH 256 ------------------ | Branch (328:8): [True: 0, False: 193M] ------------------ 329| 0| continue; 330| | 331| 193M| ip++; 332| | 333| 193M| path[ip].n = next; 334| 193M| path[ip].idx = 0; 335| | 336| 193M| } 337| 68.0k| return ACERR_SUCCESS; 338| 73.8k|} ac_automata_finalize: 375| 24.1k|AC_ERROR_t ac_automata_finalize (AC_AUTOMATA_t * thiz) { 376| | 377| 24.1k| AC_ERROR_t r = ACERR_SUCCESS; 378| 24.1k| if(!thiz || !thiz->automata_open) return r; ------------------ | Branch (378:8): [True: 0, False: 24.1k] | Branch (378:17): [True: 0, False: 24.1k] ------------------ 379| | 380| 24.1k| ac_automata_traverse_setfailure (thiz); 381| 24.1k| thiz->id=0; 382| 24.1k| thiz->n_oc = 0; 383| 24.1k| thiz->n_range = 0; 384| 24.1k| thiz->n_find = 0; 385| 24.1k| r = ac_automata_walk(thiz,ac_finalize_node,NULL,NULL); 386| 24.1k| if(r == ACERR_SUCCESS) ------------------ | Branch (386:8): [True: 18.3k, False: 5.79k] ------------------ 387| 18.3k| thiz->automata_open = 0; 388| 24.1k| return r; 389| 24.1k|} ac_automata_exact_match: 391| 5.09k|int ac_automata_exact_match(AC_PATTERNS_t *mp,int pos, AC_TEXT_t *txt) { 392| 5.09k| AC_PATTERN_t *patterns = mp->patterns; 393| 5.09k| AC_PATTERN_t **matched = txt->match.matched; 394| 5.09k| unsigned int i; 395| 5.09k| int match_map = 0; 396| 10.1k| for(i=0; i < mp->num && i < ((sizeof(int)*8)-1); i++,patterns++) { ------------------ | Branch (396:14): [True: 5.09k, False: 5.09k] | Branch (396:29): [True: 5.09k, False: 0] ------------------ 397| 5.09k| do { 398| 5.09k| if(patterns->rep.from_start && 
patterns->rep.at_end) { ------------------ | Branch (398:12): [True: 0, False: 5.09k] | Branch (398:40): [True: 0, False: 0] ------------------ 399| 0| if(pos == txt->length && patterns->length == pos) ------------------ | Branch (399:16): [True: 0, False: 0] | Branch (399:38): [True: 0, False: 0] ------------------ 400| 0| matched[0] = patterns, match_map |= 1 << i; 401| 0| break; 402| 0| } 403| 5.09k| if(patterns->rep.from_start) { ------------------ | Branch (403:12): [True: 0, False: 5.09k] ------------------ 404| 0| if(patterns->length == pos) ------------------ | Branch (404:16): [True: 0, False: 0] ------------------ 405| 0| matched[1] = patterns, match_map |= 1 << i; 406| 0| break; 407| 0| } 408| 5.09k| if(patterns->rep.at_end) { ------------------ | Branch (408:12): [True: 372, False: 4.72k] ------------------ 409| 372| if(pos == txt->length) ------------------ | Branch (409:16): [True: 152, False: 220] ------------------ 410| 152| matched[2] = patterns, match_map |= 1 << i; 411| 372| break; 412| 372| } 413| | 414| 4.72k| { 415| | /* 416| | nDPI 417| | 418| | Handle matches such as google. that should match 419| | google.it and google.com but not google.hello.com 420| | */ 421| 4.72k| size_t len = strlen(patterns->astring); 422| | 423| 4.72k| if((len > 0) && (patterns->astring[len-1] == '.') /* google. 
*/) { ------------------ | Branch (423:7): [True: 4.72k, False: 0] | Branch (423:20): [True: 15, False: 4.70k] ------------------ 424| 15| char *dot = strchr(&txt->astring[pos], '.'); 425| | 426| 15| if(dot != NULL) { ------------------ | Branch (426:9): [True: 6, False: 9] ------------------ 427| | /* We're happy to match google.com but not google.hello.com */ 428| | 429| 6| if(dot[1] == '0') { ------------------ | Branch (429:11): [True: 0, False: 6] ------------------ 430| 0| ; /* google.com */ 431| 6| } else { 432| | /* google.hello.com */ 433| 6| continue; 434| 6| } 435| 6| } 436| 15| } 437| 4.72k| } /* end nDPI */ 438| | 439| 4.71k| matched[3] = patterns, match_map |= 1 << i; 440| 4.72k| } while(0); ------------------ | Branch (440:15): [Folded, False: 4.72k] ------------------ 441| 5.09k| } 442| 5.09k| return match_map; 443| 5.09k|} ac_automata_search: 463| 8.01k|{ 464| 8.01k| unsigned long position; 465| 8.01k| int icase = 0,i,debug=0; 466| 8.01k| AC_MATCH_t *match; 467| 8.01k| AC_NODE_t *curr; 468| 8.01k| AC_NODE_t *next; 469| 8.01k| AC_ALPHABET_t *apos; 470| | 471| 8.01k| if(!thiz || !txt) return -1; ------------------ | Branch (471:6): [True: 0, False: 8.01k] | Branch (471:15): [True: 0, False: 8.01k] ------------------ 472| | 473| 8.01k| thiz->stats.n_search++; 474| | 475| 8.01k| if(thiz->automata_open) ------------------ | Branch (475:6): [True: 3, False: 8.00k] ------------------ 476| | /* you must call ac_automata_locate_failure() first */ 477| 3| return -1; 478| 8.00k| position = 0; 479| 8.00k| curr = thiz->root; 480| 8.00k| apos = txt->astring; 481| 8.00k|#ifndef __KERNEL__ 482| 8.00k| if(thiz->debug && ac_automata_global_debug) debug = 1; ------------------ | Branch (482:6): [True: 8.00k, False: 0] | Branch (482:21): [True: 0, False: 8.00k] ------------------ 483| 8.00k| if(debug) { ------------------ | Branch (483:6): [True: 0, False: 8.00k] ------------------ 484| 0| txt->option = debug; /* for callback */ 485| 0| printf("aho %s: search %.*s\n", 
thiz->name[0] ? thiz->name:"unknown", txt->length, apos); ------------------ | | 45| 0|#define printf(...) do {} while(0); | | ------------------ | | | Branch (45:33): [Folded, False: 0] | | ------------------ ------------------ 486| 0| } 487| 8.00k|#endif 488| 8.00k| match = &txt->match; 489| 8.00k| memset((char*)match,0,sizeof(*match)); 490| | 491| | /* The 'txt->ignore_case' option is checked 492| | * separately otherwise clang will detect 493| | * uninitialized memory usage much later. */ 494| 8.00k| if(txt->option & AC_FEATURE_LC) icase = 1; ------------------ | | 256| 8.00k|#define AC_FEATURE_LC 2 ------------------ | Branch (494:6): [True: 0, False: 8.00k] ------------------ 495| | /* This is the main search loop. 496| | * it must be keep as lightweight as possible. */ 497| 243k| while (position < txt->length) { ------------------ | Branch (497:10): [True: 238k, False: 5.24k] ------------------ 498| 238k| uint8_t alpha = (uint8_t)apos[position]; 499| 238k| if(thiz->to_lc) alpha = aho_lc[alpha]; ------------------ | Branch (499:10): [True: 238k, False: 0] ------------------ 500| 238k| if(!(next = node_findbs_next_ac(curr, (uint8_t)alpha, icase))) { ------------------ | Branch (500:10): [True: 141k, False: 96.6k] ------------------ 501| 141k| if(curr->failure_node) /* we are not in the root node */ ------------------ | Branch (501:14): [True: 58.2k, False: 83.4k] ------------------ 502| 58.2k| curr = curr->failure_node; 503| 83.4k| else 504| 83.4k| position++; 505| 141k| } else { 506| 96.6k| curr = next; 507| 96.6k| position++; 508| 96.6k| if(curr->final && curr->matched_patterns) { ------------------ | Branch (508:14): [True: 5.78k, False: 90.8k] | Branch (508:29): [True: 5.09k, False: 688] ------------------ 509| | /* select best match */ 510| 5.09k| match->match_map = ac_automata_exact_match(curr->matched_patterns,position,txt); 511| 5.09k| if(match->match_map) { ------------------ | Branch (511:18): [True: 4.86k, False: 224] ------------------ 512| 4.86k| 
match->match_counter++; /* we have a matching */ 513| 4.86k|#ifndef __KERNEL__ 514| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 515| | if(debug) { 516| | int i; 517| | AC_PATTERN_t *patterns = curr->matched_patterns->patterns; 518| | for(i=0; i < curr->matched_patterns->num; i++) { 519| | if(!(match->match_map & (1 << i))) continue; 520| | printf(" match%d: %c%.*s%c [%u]\n",i+1, 521| | patterns[i].rep.from_start ? '^':' ', 522| | patterns[i].length,patterns[i].astring, 523| | patterns[i].rep.at_end ? '$':' ', 524| | patterns[i].rep.number); 525| | } 526| | } 527| |#endif 528| 4.86k|#endif 529| 4.86k| if(thiz->match_handler) { ------------------ | Branch (529:22): [True: 4.86k, False: 0] ------------------ 530| | /* We check 'next' to find out if we came here after a alphabet 531| | * transition or due to a fail. in second case we should not report 532| | * matching because it was reported in previous node */ 533| 4.86k| match->position = position; 534| 4.86k| match->match_num = curr->matched_patterns->num; 535| 4.86k| match->patterns = curr->matched_patterns->patterns; 536| 4.86k| if (thiz->match_handler(match, txt, param)) { ------------------ | Branch (536:27): [True: 2.76k, False: 2.10k] ------------------ 537| 2.76k| thiz->stats.n_found++; 538| 2.76k| return 1; 539| 2.76k| } 540| 4.86k| } 541| 4.86k| } /* match->match_map */ 542| 5.09k| } 543| 96.6k| } 544| 238k| } 545| 5.24k| if(thiz->match_handler) { ------------------ | Branch (545:6): [True: 4.72k, False: 523] ------------------ 546| 4.72k| if(match->match_counter > 0) ------------------ | Branch (546:8): [True: 667, False: 4.05k] ------------------ 547| 667| thiz->stats.n_found++; 548| 4.72k| return match->match_counter > 0 ? 
1:0; ------------------ | Branch (548:12): [True: 667, False: 4.05k] ------------------ 549| 4.72k| } 550| | 551| 2.61k| for(i = 0; i < 4; i++) ------------------ | Branch (551:14): [True: 2.09k, False: 523] ------------------ 552| 2.09k| if(txt->match.matched[i]) { ------------------ | Branch (552:10): [True: 0, False: 2.09k] ------------------ 553| 0| *param = (txt->match.matched[i])->rep; 554| 0|#ifndef __KERNEL__ 555| |#ifdef NDPI_ENABLE_DEBUG_MESSAGES 556| | if(debug) { 557| | AC_PATTERN_t *pattern = txt->match.matched[i]; 558| | printf("best match: %c%.*s%c [%u]\n", 559| | pattern->rep.from_start ? '^':' ', 560| | pattern->length,pattern->astring, 561| | pattern->rep.at_end ? '$':' ', 562| | pattern->rep.number); 563| | } 564| |#endif 565| 0|#endif 566| 0| thiz->stats.n_found++; 567| 0| return 1; 568| 0| } 569| 523| return 0; 570| 523|} ac_automata_release: 597| 25.5k|void ac_automata_release (AC_AUTOMATA_t * thiz, uint8_t free_pattern) { 598| | 599| 25.5k| if(!thiz) ------------------ | Branch (599:8): [True: 0, False: 25.5k] ------------------ 600| 0| return; 601| | 602| 25.5k| ac_automata_walk(thiz,ac_automata_release_node,NULL,free_pattern ? 
(void *)1:NULL); ------------------ | Branch (602:57): [True: 19.1k, False: 6.34k] ------------------ 603| | 604| 25.5k| if(free_pattern <= 1) { ------------------ | Branch (604:8): [True: 25.5k, False: 0] ------------------ 605| 25.5k| node_release(thiz->root,free_pattern | 0x4); 606| 25.5k| thiz->root = NULL; 607| 25.5k| acho_free(thiz); ------------------ | | 109| 25.5k|#define acho_free(a) ndpi_free(a) ------------------ 608| 25.5k| } else { 609| 0| AC_NODE_t *n; 610| 0| thiz->all_nodes_num = 0; 611| 0| thiz->total_patterns = 0; 612| 0| thiz->max_str_len = 0; 613| 0| thiz->automata_open = 1; 614| | 615| 0| n = thiz->root; 616| 0| n->failure_node = NULL; 617| 0| n->id = 0; 618| 0| n->final = 0; 619| 0| n->depth = 0; 620| 0| if(n->outgoing) { ------------------ | Branch (620:12): [True: 0, False: 0] ------------------ 621| 0| acho_free(n->outgoing); ------------------ | | 109| 0|#define acho_free(a) ndpi_free(a) ------------------ 622| 0| n->outgoing = NULL; 623| 0| } 624| 0| if(n->matched_patterns) { ------------------ | Branch (624:12): [True: 0, False: 0] ------------------ 625| 0| acho_free(n->matched_patterns); ------------------ | | 109| 0|#define acho_free(a) ndpi_free(a) ------------------ 626| | n->matched_patterns=NULL; 627| 0| } 628| 0| n->use = 0; 629| 0| n->one = 0; 630| 0| } 631| 25.5k|} ahocorasick.c:edge_get_alpha: 88| 2.61G|static inline AC_ALPHABET_t *edge_get_alpha(struct edge *e) { 89| 2.61G| return (AC_ALPHABET_t *)(&e->next[e->max]); 90| 2.61G|} ahocorasick.c:ac_finalize_node: 341| 36.6M|static AC_ERROR_t ac_finalize_node(AC_AUTOMATA_t * thiz,AC_NODE_t * n, int idx, void *data) { 342| 36.6M| if(!n->ff) { ------------------ | Branch (342:8): [True: 19.4M, False: 17.2M] ------------------ 343| 19.4M| n->id = ++(thiz->id); 344| 19.4M| n->ff = 1; 345| 19.4M| if(ac_automata_union_matchstrs (n)) ------------------ | Branch (345:12): [True: 5.79k, False: 19.4M] ------------------ 346| 5.79k| return ACERR_ERROR; 347| 19.4M| if(n->use) { 
------------------ | Branch (347:12): [True: 17.3M, False: 2.12M] ------------------ 348| 17.3M| if(!n->one) { ------------------ | Branch (348:16): [True: 984k, False: 16.3M] ------------------ 349| 984k| if(node_range_edges (thiz,n)) { ------------------ | Branch (349:20): [True: 736k, False: 248k] ------------------ 350| 736k| node_sort_edges (n); 351| 736k| thiz->n_range++; 352| 736k| } else 353| 248k| thiz->n_find++; 354| 984k| } else 355| 16.3M| thiz->n_oc++; 356| 17.3M| } 357| 19.4M| } 358| 36.6M| if(!n->a_ptr && n->outgoing && !n->one) { ------------------ | Branch (358:8): [True: 35.6M, False: 961k] | Branch (358:21): [True: 33.5M, False: 2.12M] | Branch (358:36): [True: 984k, False: 32.5M] ------------------ 359| 984k| n->a_ptr = (unsigned char *)edge_get_alpha(n->outgoing); 360| 984k| } 361| 36.6M| return ACERR_SUCCESS; 362| 36.6M|} ahocorasick.c:ac_automata_union_matchstrs: 758| 19.4M|{ 759| 19.4M| unsigned int i; 760| 19.4M| AC_NODE_t * m; 761| | 762| 87.6M| for (m = node; m; m = m->failure_node) { ------------------ | Branch (762:18): [True: 68.1M, False: 19.4M] ------------------ 763| 68.1M| if(!m->matched_patterns) continue; ------------------ | Branch (763:10): [True: 66.8M, False: 1.31M] ------------------ 764| | 765| 2.62M| for (i=0; i < m->matched_patterns->num; i++) ------------------ | Branch (765:17): [True: 1.31M, False: 1.30M] ------------------ 766| 1.31M| if(node_register_matchstr(node, &(m->matched_patterns->patterns[i]), 1)) ------------------ | Branch (766:12): [True: 5.79k, False: 1.30M] ------------------ 767| 5.79k| return 1; 768| | 769| 1.30M| if (m->final) ------------------ | Branch (769:11): [True: 1.30M, False: 0] ------------------ 770| 1.30M| node->final = 1; 771| 1.30M| } 772| 19.4M| return 0; 773| 19.4M|} ahocorasick.c:node_range_edges: 1201| 984k|{ 1202| 984k| struct edge *e = node->outgoing; 1203| 984k| uint8_t *c = (uint8_t *)edge_get_alpha(node->outgoing); 1204| 984k| uint8_t low = 0xff,high = 0; 1205| 984k| int i; 
1206| | 1207| 984k| memset((char *)&e->cmap,0,sizeof(e->cmap)); 1208| 4.28M| for(i = 0; i < e->degree; i++) { ------------------ | Branch (1208:16): [True: 3.29M, False: 984k] ------------------ 1209| 3.29M| uint8_t cc = c[i]; 1210| 3.29M| if(cc < low) low = cc; ------------------ | Branch (1210:10): [True: 1.58M, False: 1.71M] ------------------ 1211| 3.29M| if(cc > high) high = cc; ------------------ | Branch (1211:10): [True: 2.02M, False: 1.27M] ------------------ 1212| 3.29M| e->cmap[(cc >> 5) & 0x7] |= 1u << (cc & 0x1f); 1213| 3.29M| } 1214| 984k| if(high - low + 1 == e->degree) { ------------------ | Branch (1214:8): [True: 144k, False: 840k] ------------------ 1215| 144k| node->range = 1; 1216| 144k| node->one_alpha = (AC_ALPHABET_t)low; 1217| 144k| return 1; 1218| 144k| } 1219| 840k| if(high - low + 1 < e->max) { ------------------ | Branch (1219:8): [True: 158k, False: 681k] ------------------ 1220| 158k| acho_2range(node,low,high); 1221| 158k| return 1; 1222| 158k| } 1223| | 1224| 681k| i = (high - low)/8; 1225| 681k| if (i < thiz->add_to_range) i = thiz->add_to_range; ------------------ | Branch (1225:9): [True: 681k, False: 0] ------------------ 1226| 681k| i += REALLOC_CHUNK_OUTGOING-1; ------------------ | | 36| 681k|#define REALLOC_CHUNK_OUTGOING 8 ------------------ 1227| 681k| i -= i % REALLOC_CHUNK_OUTGOING; ------------------ | | 36| 681k|#define REALLOC_CHUNK_OUTGOING 8 ------------------ 1228| | 1229| 681k| if(high - low + 1 < e->max + i || (node->root && !thiz->no_root_range)) { ------------------ | Branch (1229:8): [True: 449k, False: 232k] | Branch (1229:40): [True: 11.9k, False: 220k] | Branch (1229:54): [True: 11.9k, False: 0] ------------------ 1230| 461k| int added = (high - low + 1) - e->max; 1231| 461k| struct edge *new_o = node_resize_outgoing(node->outgoing,added); 1232| 461k| if(new_o) { ------------------ | Branch (1232:12): [True: 433k, False: 27.8k] ------------------ 1233| 433k| node->outgoing = new_o; 1234| 433k| 
acho_2range(node,low,high); 1235| 433k| return 1; 1236| 433k| } 1237| 27.8k| return 0; 1238| 461k| } 1239| | 1240| 220k| return 0; 1241| 681k|} ahocorasick.c:acho_2range: 1180| 592k|static void acho_2range(AC_NODE_t * thiz,uint8_t low, uint8_t high) { 1181| 592k| struct edge *e; 1182| 592k| int i; 1183| 592k| uint8_t *c = (uint8_t *)edge_get_alpha(thiz->outgoing); 1184| | 1185| 592k| thiz->range = 1; 1186| 592k| thiz->one_alpha = (AC_ALPHABET_t)low; 1187| 592k| e = thiz->outgoing; 1188| 8.74M| for (i=0; low <= high && i < e->max; i++,low++) { ------------------ | Branch (1188:15): [True: 8.15M, False: 592k] | Branch (1188:30): [True: 8.15M, False: 0] ------------------ 1189| 8.15M| if(e->cmap[(low >> 5) & 0x7] & (1u << (low & 0x1f))) continue; ------------------ | Branch (1189:10): [True: 1.97M, False: 6.17M] ------------------ 1190| 6.17M| c[e->degree] = low; 1191| | e->next[e->degree] = NULL; 1192| 6.17M| e->degree++; 1193| 6.17M| } 1194| 592k|} ahocorasick.c:node_resize_outgoing: 1091| 5.10M|static struct edge *node_resize_outgoing(struct edge * e,size_t added) { 1092| 5.10M|struct edge *new_e; 1093| 5.10M|int ds; 1094| | 1095| 5.10M| if(!added) added = REALLOC_CHUNK_OUTGOING; ------------------ | | 36| 4.67M|#define REALLOC_CHUNK_OUTGOING 8 ------------------ | Branch (1095:8): [True: 4.67M, False: 430k] ------------------ 1096| 5.10M| if(!e) { ------------------ | Branch (1096:8): [True: 4.44M, False: 656k] ------------------ 1097| 4.44M| e = acho_calloc(1,sizeof(struct edge) + edge_data_size(REALLOC_CHUNK_OUTGOING)); ------------------ | | 107| 4.44M|#define acho_calloc(a,b) ndpi_calloc(a,b) ------------------ 1098| 4.44M| if(!e) return e; ------------------ | Branch (1098:12): [True: 275k, False: 4.17M] ------------------ 1099| 4.17M| e->max = REALLOC_CHUNK_OUTGOING; ------------------ | | 36| 4.17M|#define REALLOC_CHUNK_OUTGOING 8 ------------------ 1100| 4.17M| return e; 1101| 4.44M| } 1102| 656k| ds = edge_data_size(e->max + added); 1103| 656k| new_e = 
acho_calloc(1,sizeof(struct edge) + ds); ------------------ | | 107| 656k|#define acho_calloc(a,b) ndpi_calloc(a,b) ------------------ 1104| 656k| if(!new_e) return new_e; ------------------ | Branch (1104:8): [True: 40.6k, False: 616k] ------------------ /* Copies the edge header and the first e->max next[] pointers. The alpha bytes live right after next[max] (see edge_get_alpha), so their offset changes when max grows; they are copied separately below, after new_e->max has been updated. */ 1105| 616k| memcpy(new_e,e,sizeof(struct edge) + sizeof(AC_NODE_t *)*e->max); 1106| 616k| new_e->max += added; 1107| | 1108| 616k| if(e->degree) ------------------ | Branch (1108:8): [True: 616k, False: 0] ------------------ 1109| 616k| memcpy(edge_get_alpha(new_e),edge_get_alpha(e),e->degree); 1110| | /* The old block is freed here; on success the caller must switch to the returned pointer. */ 1111| 616k| acho_free(e); ------------------ | | 109| 616k|#define acho_free(a) ndpi_free(a) ------------------ 1112| 616k| return new_e; 1113| 656k|} ahocorasick.c:edge_data_size: 91| 5.10M|static inline size_t edge_data_size(int num) { /* Bytes needed for num next[] pointers plus num alpha bytes, the latter rounded up to a multiple of sizeof(void *). NOTE(review): num is a signed int mixed into size_t arithmetic, and node_resize_outgoing stores the result in an int (ds) after passing in e->max + added; nothing here rejects a negative or oversized num, so confirm callers bound it. */ 92| 5.10M| return sizeof(void *)*num + ((num + sizeof(void *) - 1) & ~(sizeof(void *)-1)); 93| 5.10M|} ahocorasick.c:node_sort_edges: 1247| 736k|{ /* Sorts the degree entries of thiz->outgoing through acho_sort, using node_edge_compare and node_edge_swap. */ 1248| | 1249| 736k| acho_sort (thiz->outgoing, thiz->outgoing->degree, 1250| 736k| node_edge_compare, node_edge_swap); 1251| 736k|} ahocorasick.c:acho_sort: 1273| 736k|{ /* In-place heap sort of num entries of e; comparison and exchange are delegated to cmp_func and swap_func, and the call does nothing if either callback is NULL. */ 1274| | /* pre-scale counters for performance */ 1275| 736k| int i = (num/2 - 1) , n = num, c, r; 1276| | 1277| 736k| if (!swap_func) return; ------------------ | Branch (1277:7): [True: 0, False: 736k] ------------------ 1278| 736k| if (!cmp_func) return; ------------------ | Branch (1278:7): [True: 0, False: 736k] ------------------ 1279| | 1280| | /* heapify */ 1281| 4.80M| for ( ; i >= 0; i -= 1) { ------------------ | Branch (1281:11): [True: 4.06M, False: 736k] ------------------ 1282| 8.91M| for (r = i; r * 2 + 1 < n; r = c) { ------------------ | Branch (1282:17): [True: 5.94M, False: 2.97M] ------------------ 1283| 5.94M| c = r * 2 + 1; 1284| 5.94M| if (c < n - 1 && cmp_func(e, c, c + 1) == 0) ------------------ | Branch (1284:11): [True: 5.39M, False: 546k] | Branch (1284:24): [True: 3.45M, False: 1.94M] ------------------ 1285| 3.45M| c += 1; 1286| 5.94M| if
(cmp_func(e, r, c) != 0) ------------------ | Branch (1286:11): [True: 1.08M, False: 4.85M] ------------------ 1287| 1.08M| break; 1288| 4.85M| swap_func(e, r, c); 1289| 4.85M| } 1290| 4.06M| } 1291| | 1292| | /* sort */ 1293| 8.50M| for (i = n - 1; i > 0; i -= 1) { ------------------ | Branch (1293:19): [True: 7.77M, False: 736k] ------------------ 1294| 7.77M| swap_func(e,0,i); 1295| 22.9M| for (r = 0; r * 2 + 1 < i; r = c) { ------------------ | Branch (1295:17): [True: 16.7M, False: 6.19M] ------------------ 1296| 16.7M| c = r * 2 + 1; 1297| 16.7M| if (c < i - 1 && cmp_func(e, c, c + 1) == 0) ------------------ | Branch (1297:11): [True: 14.3M, False: 2.49M] | Branch (1297:24): [True: 5.91M, False: 8.38M] ------------------ 1298| 5.91M| c += 1; 1299| 16.7M| if (cmp_func(e, r, c) != 0) ------------------ | Branch (1299:11): [True: 1.57M, False: 15.2M] ------------------ 1300| 1.57M| break; 1301| 15.2M| swap_func(e, r, c); 1302| 15.2M| } 1303| 7.77M| } 1304| 736k|} ahocorasick.c:node_edge_compare: 1162| 42.4M|static int node_edge_compare (struct edge * e, int a, int b) { 1163| 42.4M| unsigned char *c = (unsigned char *)edge_get_alpha(e); 1164| 42.4M| return c[a] >= c[b] ? 
1:0; ------------------ | Branch (1164:12): [True: 12.9M, False: 29.4M] ------------------ 1165| 42.4M|} ahocorasick.c:node_edge_swap: 1168| 27.8M|{ 1169| 27.8M|AC_ALPHABET_t *c,tc; 1170| 27.8M|AC_NODE_t *tn; 1171| 27.8M| c = edge_get_alpha(e); 1172| 27.8M| tc = c[a]; c[a] = c[b]; c[b] = tc; 1173| 27.8M| tn = e->next[a]; e->next[a] = e->next[b]; e->next[b] = tn; 1174| 27.8M|} ahocorasick.c:ac_automata_release_node: 584| 168M| AC_NODE_t *n, int idx, void *data) { 585| | 586| 168M| if(!n->outgoing || idx) { ------------------ | Branch (586:8): [True: 8.74M, False: 160M] | Branch (586:24): [True: 80.0M, False: 80.0M] ------------------ 587| 88.7M| if(n->outgoing) { ------------------ | Branch (587:12): [True: 80.0M, False: 8.74M] ------------------ 588| 80.0M| if(n->one) thiz->n_oc--; ------------------ | Branch (588:14): [True: 75.8M, False: 4.17M] ------------------ 589| 4.17M| else if(n->range) thiz->n_range--; ------------------ | Branch (589:21): [True: 736k, False: 3.43M] ------------------ 590| 3.43M| else thiz->n_find--; 591| 80.0M| } 592| 88.7M| node_release(n,data != NULL); 593| 88.7M| } 594| | 595| 168M| return ACERR_SUCCESS; 596| 168M|} ahocorasick.c:ac_automata_traverse_setfailure: 808| 24.1k|{ 809| 24.1k| ac_automata_walk(thiz,NULL,ac_automata_set_failure,NULL); 810| 24.1k|} ahocorasick.c:ac_automata_set_failure: 781| 84.8M|{ 782| 84.8M| unsigned int i, j; 783| 84.8M| AC_NODE_t * m; 784| 84.8M| struct ac_path * path = thiz->ac_path; 785| | 786| 1.11G| for (i=1; i < next->depth; i++) { ------------------ | Branch (786:13): [True: 1.11G, False: 7.56M] ------------------ 787| 1.11G| m = thiz->root; 788| 4.01G| for (j=i; j < next->depth && m; j++) { ------------------ | Branch (788:19): [True: 3.89G, False: 128M] | Branch (788:38): [True: 2.90G, False: 984M] ------------------ 789| 2.90G| m = node_find_next (m, path[j].l); 790| 2.90G| } 791| 1.11G| if (m) { ------------------ | Branch (791:13): [True: 77.2M, False: 1.03G] ------------------ 792| 77.2M| 
next->failure_node = m; 793| 77.2M| break; 794| 77.2M| } 795| 1.11G| } 796| 84.8M| if (!next->failure_node) ------------------ | Branch (796:7): [True: 7.56M, False: 77.2M] ------------------ 797| 7.56M| next->failure_node = thiz->root; 798| 84.8M|} ahocorasick.c:node_create: 817| 94.9M|{ 818| 94.9M| return (AC_NODE_t *) acho_calloc (1,sizeof(AC_NODE_t)); ------------------ | | 107| 94.9M|#define acho_calloc(a,b) ndpi_calloc(a,b) ------------------ 819| 94.9M|} ahocorasick.c:node_release: 845| 89.0M|{ 846| 89.0M| if(thiz->root && (free_pattern & 0x4) == 0) return; ------------------ | Branch (846:6): [True: 51.0k, False: 89.0M] | Branch (846:20): [True: 25.5k, False: 25.5k] ------------------ 847| | 848| 89.0M| if(free_pattern & 1) node_release_pattern(thiz); ------------------ | Branch (848:6): [True: 87.5M, False: 1.51M] ------------------ 849| | 850| 89.0M| if(thiz->matched_patterns) { ------------------ | Branch (850:6): [True: 4.25M, False: 84.7M] ------------------ 851| 4.25M| acho_free(thiz->matched_patterns); ------------------ | | 109| 4.25M|#define acho_free(a) ndpi_free(a) ------------------ 852| 4.25M| thiz->matched_patterns = NULL; 853| 4.25M| } 854| 89.0M| if(!thiz->one && thiz->outgoing) { ------------------ | Branch (854:6): [True: 13.2M, False: 75.8M] | Branch (854:20): [True: 4.17M, False: 9.03M] ------------------ 855| 4.17M| acho_free(thiz->outgoing); ------------------ | | 109| 4.17M|#define acho_free(a) ndpi_free(a) ------------------ 856| 4.17M| } 857| 89.0M| thiz->outgoing = NULL; 858| 89.0M| acho_free(thiz); ------------------ | | 109| 89.0M|#define acho_free(a) ndpi_free(a) ------------------ 859| 89.0M|} ahocorasick.c:node_release_pattern: 823| 87.5M|{ 824| 87.5M| int i; 825| 87.5M| AC_PATTERN_t * str; 826| | 827| 87.5M| if(!thiz->matched_patterns) return; ------------------ | Branch (827:8): [True: 83.3M, False: 4.19M] ------------------ 828| 4.19M| str = thiz->matched_patterns->patterns; 829| | 830| 8.49M| for (i=0; i < 
thiz->matched_patterns->num; str++,i++) ------------------ | Branch (830:15): [True: 4.29M, False: 4.19M] ------------------ 831| 4.29M| { 832| 4.29M| if(!str->is_existing && str->astring) { ------------------ | Branch (832:10): [True: 4.12M, False: 177k] | Branch (832:31): [True: 4.12M, False: 0] ------------------ 833| 4.12M| acho_free(str->astring); ------------------ | | 109| 4.12M|#define acho_free(a) ndpi_free(a) ------------------ 834| | str->astring = NULL; 835| 4.12M| } 836| 4.29M| } 837| 4.19M|} ahocorasick.c:node_find_next: 938| 3.17G|{ 939| 3.17G| unsigned char *alphas, *fc; 940| | 941| 3.17G| if(thiz->one) return alpha == thiz->one_alpha ? (AC_NODE_t *)thiz->outgoing:NULL; ------------------ | Branch (941:6): [True: 486M, False: 2.69G] | Branch (941:24): [True: 197M, False: 289M] ------------------ 942| 2.69G| if(!thiz->outgoing) return NULL; ------------------ | Branch (942:6): [True: 187M, False: 2.50G] ------------------ 943| | 944| 2.50G| alphas = (unsigned char *)edge_get_alpha(thiz->outgoing); 945| 2.50G| fc = xmemchr(alphas,(unsigned char)alpha,thiz->outgoing->degree); 946| 2.50G| return fc ? 
thiz->outgoing->next[fc-alphas] : NULL; ------------------ | Branch (946:10): [True: 1.75G, False: 748M] ------------------ 947| 2.69G|} ahocorasick.c:xmemchr: 905| 2.50G|{ 906| 5.98G| while(n > 0) { ------------------ | Branch (906:9): [True: 5.24G, False: 737M] ------------------ 907| 5.24G| if (n >= LBLOCKSIZE && !UNALIGNED (s)) { ------------------ | | 865| 10.4G|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ if (n >= LBLOCKSIZE && !UNALIGNED (s)) { ------------------ | | 863| 1.83G|#define UNALIGNED(X) ((intptr_t)X & (__SIZEOF_LONG__ - 1)) ------------------ | Branch (907:9): [True: 1.83G, False: 3.40G] | Branch (907:28): [True: 1.83G, False: 0] ------------------ 908| 1.83G| unsigned long int mask = c * DUPC; ------------------ | | 886| 1.83G|#define DUPC 0x0101010101010101UL ------------------ 909| | 910| 3.42G| while (n >= LBLOCKSIZE) { ------------------ | | 865| 3.42G|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ | Branch (910:14): [True: 2.96G, False: 459M] ------------------ 911| |#if __SIZEOF_LONG__ == 4 912| | unsigned long int nc = DETECTNULL(le32toh(*(unsigned long int *)s) ^ mask); 913| |#else 914| 2.96G| unsigned long int nc = DETECTNULL(le64toh(*(unsigned long int *)s) ^ mask); ------------------ | | 885| 2.96G|#define DETECTNULL(X) (((X) - 0x0101010101010101ULL) & ~(X) & 0x8080808080808080ULL) ------------------ 915| 2.96G|#endif 916| 2.96G| if(nc) ------------------ | Branch (916:12): [True: 1.37G, False: 1.58G] ------------------ 917| 1.37G| return s + (bsf(nc) >> 3); 918| 1.58G| s += LBLOCKSIZE; ------------------ | | 865| 1.58G|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 919| 1.58G| n -= LBLOCKSIZE; ------------------ | | 865| 1.58G|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 920| 1.58G| } 921| 459M| if(!n) return NULL; ------------------ | Branch (921:10): [True: 11.3M, False: 448M] ------------------ 922| 459M| } 923| 3.85G| if (*s == c) return s; ------------------ | Branch (923:9): [True: 378M, False: 
3.47G] ------------------ 924| 3.47G| s++; 925| 3.47G| n--; 926| 3.47G| } 927| 737M| return NULL; 928| 2.50G|} ahocorasick.c:bsf: 889| 1.37G|{ /* Index of the lowest set bit of bits. __builtin_ctzll is undefined for an argument of 0, so on the GNUC path the caller must pass a non-zero value (xmemchr only calls this after testing nc). The fallback returns 0 for 0 and otherwise resolves the index only to a multiple of 8, which is sufficient for xmemchr because it shifts the result right by 3. */ 890| 1.37G|#ifdef __GNUC__ 891| 1.37G| return __builtin_ctzll(bits); 892| |#else 893| | size_t i=0; 894| | if(!bits) return i; 895| | if((bits & 0xffffffff) == 0) { i+=32; bits >>=32; } 896| | if((bits & 0xffff) == 0) { i+=16; bits >>=16; } 897| | if((bits & 0xff) == 0) i+=8; 898| | return i; 899| |#endif 900| 1.37G|} ahocorasick.c:node_findbs_next_ac: 972| 238k|static AC_NODE_t *node_findbs_next_ac (AC_NODE_t * thiz, uint8_t alpha,int icase) { /* Returns the node reached from thiz on byte alpha, or NULL if there is no such edge. When icase is non-zero and the exact byte has no edge, the lookup is retried with alpha ^ aho_xc[alpha] (presumably the other-case form of the byte; a zero table entry means there is none). In this report the retry path has 0 executions. */ 973| 238k| AC_NODE_t *next; 974| 238k| uint8_t alpha_c; 975| | 976| 238k| if(!thiz->outgoing) return NULL; ------------------ | Branch (976:6): [True: 1.15k, False: 237k] ------------------ 977| | 978| 237k| next = node_findbs_next(thiz,alpha); 979| 237k| if(next || !icase) return next; ------------------ | Branch (979:6): [True: 96.6k, False: 140k] | Branch (979:14): [True: 140k, False: 0] ------------------ 980| | 981| 0| alpha_c = aho_xc[alpha]; 982| 0| if(!alpha_c) return NULL; ------------------ | Branch (982:6): [True: 0, False: 0] ------------------ 983| 0| return node_findbs_next(thiz, alpha ^ alpha_c); 984| 0|} ahocorasick.c:node_findbs_next: 957| 237k|{ 958| | /* A node with `one` set keeps its single child pointer in `outgoing` itself (see node_register_outgoing), so it is cast here rather than dereferenced as an edge. */ 959| 237k| if(thiz->one) ------------------ | Branch (959:6): [True: 39.8k, False: 197k] ------------------ 960| 39.8k| return alpha == thiz->one_alpha ?
(AC_NODE_t *)thiz->outgoing:NULL; ------------------ | Branch (960:16): [True: 18.8k, False: 20.9k] ------------------ 961| | /* cmap is a bitmap of the byte values present on this edge (bit alpha & 0x1f of word alpha >> 5, filled in by node_range_edges); a clear bit means there is no transition for alpha. */ 962| 197k| if(!(thiz->outgoing->cmap[(uint8_t)alpha >> 5] & (1u << (alpha & 0x1f)))) ------------------ | Branch (962:6): [True: 119k, False: 77.7k] ------------------ 963| 119k| return NULL; 964| | /* Range nodes index next[] by the offset of alpha from one_alpha; the index is not range-checked here and presumably relies on the cmap test above. */ 965| 77.7k| if(thiz->range) ------------------ | Branch (965:6): [True: 56.7k, False: 21.0k] ------------------ 966| 56.7k| return thiz->outgoing->next[alpha - (uint8_t)thiz->one_alpha]; 967| | /* NOTE(review): xmemchr returns NULL on a miss and the result is not checked; the pointer subtraction is only valid because the cmap test above passed, i.e. it depends on cmap and the a_ptr alpha array staying in sync. */ 968| 21.0k| return thiz->outgoing->next[ 969| 21.0k| xmemchr(thiz->a_ptr,alpha,thiz->outgoing->degree) - thiz->a_ptr]; 970| 77.7k|} ahocorasick.c:node_create_next: 1016| 94.9M|{ /* Creates the child of thiz reached by alpha and sets its depth to thiz->depth+1. Returns NULL when the edge already exists, when node_create fails, or when the edge cannot be registered (the new node is released in that case), so a NULL return alone does not tell the caller which of these happened. */ 1017| 94.9M| AC_NODE_t * next; 1018| 94.9M| next = node_find_next (thiz, alpha); 1019| 94.9M| if (next) ------------------ | Branch (1019:7): [True: 0, False: 94.9M] ------------------ 1020| | /* The edge already exists */ 1021| 0| return NULL; 1022| | /* Otherwise register new edge */ 1023| 94.9M| next = node_create (); 1024| 94.9M| if(next) { ------------------ | Branch (1024:6): [True: 89.0M, False: 5.94M] ------------------ 1025| 89.0M| if(node_register_outgoing(thiz, next, alpha)) { ------------------ | Branch (1025:8): [True: 288k, False: 88.7M] ------------------ 1026| 288k| node_release(next,0); 1027| 288k| return NULL; 1028| 288k| } 1029| 88.7M| next->depth = thiz->depth+1; 1030| 88.7M| } 1031| | 1032| 94.6M| return next; 1033| 94.9M|} ahocorasick.c:node_register_outgoing: 1121| 89.0M|{ /* Adds the edge alpha -> next to thiz; returns 0 on success and 1 when an edge array cannot be allocated. The first edge of a node is stored inline: `one` is set and `outgoing` holds the child node pointer itself, cast to struct edge *, so `outgoing` must not be dereferenced as an edge while `one` is set. Adding a second edge converts the node to a real edge array. */ 1122| 89.0M| struct edge *o; 1123| 89.0M| if(!thiz->use) { ------------------ | Branch (1123:6): [True: 80.0M, False: 9.00M] ------------------ 1124| 80.0M| thiz->use = 1; 1125| 80.0M| thiz->one = 1; 1126| 80.0M| thiz->one_alpha = alpha; 1127| 80.0M| thiz->outgoing = (struct edge *)next; 1128| 80.0M| return 0; 1129| 80.0M| } 1130| 9.00M| if(thiz->one) { ------------------ | Branch (1130:6): [True: 4.44M, False: 4.55M] ------------------ 1131| 4.44M| o = node_resize_outgoing(NULL,0); 1132|
4.44M| if(!o) return 1; ------------------ | Branch (1132:12): [True: 275k, False: 4.17M] ------------------ 1133| 4.17M| o->next[0] = (AC_NODE_t *)thiz->outgoing; 1134| 4.17M| *edge_get_alpha(o) = thiz->one_alpha; 1135| 4.17M| o->degree = 1; 1136| 4.17M| thiz->one = 0; 1137| 4.17M| thiz->one_alpha = 0; 1138| 4.17M| thiz->outgoing = o; 1139| 4.17M| } else 1140| 4.55M| o = thiz->outgoing; 1141| | 1142| 8.72M| if(!o) return 1; ------------------ | Branch (1142:6): [True: 0, False: 8.72M] ------------------ 1143| | 1144| 8.72M| if(o->degree >= o->max) ------------------ | Branch (1144:6): [True: 195k, False: 8.53M] ------------------ 1145| 195k| { 1146| 195k| struct edge *new_o = node_resize_outgoing(thiz->outgoing,0); 1147| 195k| if(!new_o) return 1; ------------------ | Branch (1147:12): [True: 12.8k, False: 182k] ------------------ 1148| | 1149| 182k| thiz->outgoing = new_o; 1150| 182k| o = new_o; 1151| 182k| } 1152| 8.71M| edge_get_alpha(o)[o->degree] = alpha; 1153| 8.71M| o->next[o->degree] = next; 1154| 8.71M| o->degree++; 1155| 8.71M| return 0; 1156| 8.72M|} ahocorasick.c:node_register_matchstr: 1061| 5.76M|{ 1062| 5.76M| AC_PATTERN_t *l; 1063| | 1064| 5.76M| if(!is_existing) ------------------ | Branch (1064:6): [True: 4.44M, False: 1.31M] ------------------ 1065| 4.44M| thiz->final = 1; 1066| | /* Check if the new pattern already exists in the node list */ 1067| 5.76M| if (thiz->matched_patterns && node_has_matchstr(thiz, str)) ------------------ | Branch (1067:7): [True: 1.22M, False: 4.53M] | Branch (1067:33): [True: 1.12M, False: 99.9k] ------------------ 1068| 1.12M| return 0; 1069| | 1070| 4.63M| if(!thiz->matched_patterns) { ------------------ | Branch (1070:6): [True: 4.53M, False: 99.9k] ------------------ 1071| 4.53M| thiz->matched_patterns = node_resize_mp(thiz->matched_patterns); 1072| 4.53M| if(!thiz->matched_patterns) ------------------ | Branch (1072:8): [True: 277k, False: 4.25M] ------------------ 1073| 277k| return 1; 1074| 4.53M| } 1075| | 
1076| | /* Manage memory */ 1077| 4.35M| if (thiz->matched_patterns->num >= thiz->matched_patterns->max) { ------------------ | Branch (1077:7): [True: 0, False: 4.35M] ------------------ 1078| 0| AC_PATTERNS_t *new_mp = node_resize_mp(thiz->matched_patterns); 1079| 0| if(!new_mp) return 1; ------------------ | Branch (1079:10): [True: 0, False: 0] ------------------ 1080| 0| thiz->matched_patterns = new_mp; 1081| 0| } 1082| 4.35M| l = &thiz->matched_patterns->patterns[thiz->matched_patterns->num]; 1083| 4.35M| l->astring = str->astring; 1084| 4.35M| l->length = str->length; 1085| 4.35M| l->is_existing = is_existing; 1086| 4.35M| l->rep = str->rep; 1087| 4.35M| thiz->matched_patterns->num++; 1088| 4.35M| return 0; 1089| 4.35M|} ahocorasick.c:node_has_matchstr: 992| 1.22M|{ 993| 1.22M| int i; 994| | 995| 1.22M| if(!thiz->matched_patterns) return 0; ------------------ | Branch (995:6): [True: 0, False: 1.22M] ------------------ 996| | 997| 1.33M| for (i=0; i < thiz->matched_patterns->num; i++) ------------------ | Branch (997:13): [True: 1.23M, False: 99.9k] ------------------ 998| 1.23M| { 999| 1.23M| AC_PATTERN_t *str = &(thiz->matched_patterns->patterns[i]); 1000| | 1001| 1.23M| if (str->length != newstr->length) ------------------ | Branch (1001:9): [True: 103k, False: 1.12M] ------------------ 1002| 103k| continue; 1003| | 1004| 1.12M| if(!memcmp(str->astring,newstr->astring,str->length)) ------------------ | Branch (1004:8): [True: 1.12M, False: 0] ------------------ 1005| 1.12M| return 1; 1006| 1.12M| } 1007| | 1008| 99.9k| return 0; 1009| 1.22M|} ahocorasick.c:node_resize_mp: 1039| 4.53M|static AC_PATTERNS_t * node_resize_mp(AC_PATTERNS_t *m) { 1040| 4.53M|AC_PATTERNS_t *new_m; 1041| | 1042| 4.53M| if(!m) { ------------------ | Branch (1042:8): [True: 4.53M, False: 0] ------------------ 1043| 4.53M| m = acho_calloc(1,mp_data_size(REALLOC_CHUNK_MATCHSTR)); ------------------ | | 107| 4.53M|#define acho_calloc(a,b) ndpi_calloc(a,b) ------------------ 1044| 
4.53M| if(!m) return m; ------------------ | Branch (1044:12): [True: 277k, False: 4.25M] ------------------ 1045| 4.25M| m->max = REALLOC_CHUNK_MATCHSTR; ------------------ | | 32| 4.25M|#define REALLOC_CHUNK_MATCHSTR 8 ------------------ 1046| 4.25M| return m; 1047| 4.53M| } /* NOTE(review): grow path, 0 executions in this report. acho_malloc does not zero the new block and only the old mp_data_size(m->max) bytes are copied into it, so the added slots hold indeterminate data until a caller fills them. The old block is freed, so the caller must switch to the returned pointer. */ 1048| 0| new_m = acho_malloc(mp_data_size(m->max+REALLOC_CHUNK_MATCHSTR)); ------------------ | | 108| 0|#define acho_malloc(a) ndpi_malloc(a) ------------------ 1049| 0| if(!new_m) return new_m; ------------------ | Branch (1049:8): [True: 0, False: 0] ------------------ 1050| 0| memcpy((char *)new_m,(char *)m,mp_data_size(m->max)); 1051| 0| new_m->max += REALLOC_CHUNK_MATCHSTR; ------------------ | | 32| 0|#define REALLOC_CHUNK_MATCHSTR 8 ------------------ 1052| 0| acho_free(m); ------------------ | | 109| 0|#define acho_free(a) ndpi_free(a) ------------------ 1053| 0| return new_m; 1054| 0|} ahocorasick.c:mp_data_size: 1035| 4.53M|static inline size_t mp_data_size(int n) { /* sizeof(AC_PATTERNS_t) plus room for n AC_PATTERN_t entries. NOTE(review): n is a signed int multiplied into size_t with no sign or overflow check; confirm callers keep it small and non-negative. */ 1036| 4.53M| return sizeof(AC_PATTERNS_t) + n*sizeof(AC_PATTERN_t); 1037| 4.53M|} mbedtls_aes_init: 158| 55|{ /* Zero-fills the context. AES_VALIDATE expands to an empty statement in this build (see the expansion shown below), so a NULL ctx is not rejected before the memset. */ 159| 55| AES_VALIDATE( ctx != NULL ); ------------------ | | 30| 55|#define AES_VALIDATE( cond ) MBEDTLS_INTERNAL_VALIDATE( cond ) | | ------------------ | | | | 31| 55|#define MBEDTLS_INTERNAL_VALIDATE( cond ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (31:67): [Folded, False: 55] | | | | ------------------ | | ------------------ ------------------ 160| | 161| 55| memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 162| 55|} mbedtls_aes_free: 165| 31|{ 166| 31| if( ctx == NULL ) ------------------ | Branch (166:9): [True: 0, False: 31] ------------------ 167| 0| return; 168| | /* NOTE(review): the zeroize call below is commented out, so this function currently does nothing. The context, including ctx->buf where mbedtls_aes_setkey_enc writes the round keys, keeps its key material in memory after free. Restore the wipe, or have callers clear the context with a zeroing routine the compiler cannot elide. */ 169| | // mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 170| 31|} mbedtls_aes_setkey_enc: 178| 52|{ 179| 52| unsigned int i; 180| 52| uint32_t *RK; 181| | 182| 52| AES_VALIDATE_RET( ctx != NULL ); ------------------ | | 29| 52| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) | |
------------------ | | | | 30| 52|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 52] | | | | ------------------ | | ------------------ ------------------ 183| 52| AES_VALIDATE_RET( key != NULL ); ------------------ | | 29| 52| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 52|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 52] | | | | ------------------ | | ------------------ ------------------ 184| | 185| 52| switch( keybits ) 186| 52| { 187| 52| case 128: ctx->nr = 10; break; ------------------ | Branch (187:9): [True: 52, False: 0] ------------------ 188| 0| case 192: ctx->nr = 12; break; ------------------ | Branch (188:9): [True: 0, False: 52] ------------------ 189| 0| case 256: ctx->nr = 14; break; ------------------ | Branch (189:9): [True: 0, False: 52] ------------------ 190| 0| default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); ------------------ | | 51| 0|#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 ------------------ | Branch (190:9): [True: 0, False: 52] ------------------ 191| 52| } 192| | 193| 52| if( aes_init_done == 0 ) ------------------ | Branch (193:9): [True: 52, False: 0] ------------------ 194| 52| { 195| 52| aes_gen_tables(); 196| | 197| | /* Allow to test both aesni and not aesni data path when fuzzing. 
198| | We can call aes_gen_tables() at every iteration without any issues 199| | (performances asides) */ 200| |#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 201| | aes_init_done = 1; 202| |#endif 203| 52| } 204| | 205| 52| ctx->rk = RK = ctx->buf; 206| | 207| 52|#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 208| 52| if( aes_aesni_has_support ) ------------------ | Branch (208:9): [True: 52, False: 0] ------------------ 209| 52| return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); 210| 0|#endif 211| | 212| 0| for( i = 0; i < ( keybits >> 5 ); i++ ) ------------------ | Branch (212:17): [True: 0, False: 0] ------------------ 213| 0| { 214| 0| RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 ); ------------------ | | 90| 0|#define MBEDTLS_GET_UINT32_LE(b,i) (*(uint32_t *) (&(b)[(i)])) ------------------ 215| 0| } 216| | 217| 0| switch( ctx->nr ) ------------------ | Branch (217:13): [True: 0, False: 0] ------------------ 218| 0| { 219| 0| case 10: ------------------ | Branch (219:9): [True: 0, False: 0] ------------------ 220| | 221| 0| for( i = 0; i < 10; i++, RK += 4 ) ------------------ | Branch (221:25): [True: 0, False: 0] ------------------ 222| 0| { 223| 0| RK[4] = RK[0] ^ RCON[i] ^ 224| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^ ------------------ | | 108| 0|#define MBEDTLS_BYTE_1( x ) ( (uint8_t) ( ( ( x ) >> 8 ) & 0xff ) ) ------------------ 225| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^ ------------------ | | 109| 0|#define MBEDTLS_BYTE_2( x ) ( (uint8_t) ( ( ( x ) >> 16 ) & 0xff ) ) ------------------ 226| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^ ------------------ | | 110| 0|#define MBEDTLS_BYTE_3( x ) ( (uint8_t) ( ( ( x ) >> 24 ) & 0xff ) ) ------------------ 227| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 ); ------------------ | | 107| 0|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 228| | 229| 0| RK[5] = RK[1] ^ RK[4]; 230| 0| RK[6] = 
RK[2] ^ RK[5]; 231| 0| RK[7] = RK[3] ^ RK[6]; 232| 0| } 233| 0| break; 234| | 235| 0| case 12: ------------------ | Branch (235:9): [True: 0, False: 0] ------------------ 236| | 237| 0| for( i = 0; i < 8; i++, RK += 6 ) ------------------ | Branch (237:25): [True: 0, False: 0] ------------------ 238| 0| { 239| 0| RK[6] = RK[0] ^ RCON[i] ^ 240| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^ ------------------ | | 108| 0|#define MBEDTLS_BYTE_1( x ) ( (uint8_t) ( ( ( x ) >> 8 ) & 0xff ) ) ------------------ 241| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^ ------------------ | | 109| 0|#define MBEDTLS_BYTE_2( x ) ( (uint8_t) ( ( ( x ) >> 16 ) & 0xff ) ) ------------------ 242| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^ ------------------ | | 110| 0|#define MBEDTLS_BYTE_3( x ) ( (uint8_t) ( ( ( x ) >> 24 ) & 0xff ) ) ------------------ 243| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 ); ------------------ | | 107| 0|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 244| | 245| 0| RK[7] = RK[1] ^ RK[6]; 246| 0| RK[8] = RK[2] ^ RK[7]; 247| 0| RK[9] = RK[3] ^ RK[8]; 248| 0| RK[10] = RK[4] ^ RK[9]; 249| 0| RK[11] = RK[5] ^ RK[10]; 250| 0| } 251| 0| break; 252| | 253| 0| case 14: ------------------ | Branch (253:9): [True: 0, False: 0] ------------------ 254| | 255| 0| for( i = 0; i < 7; i++, RK += 8 ) ------------------ | Branch (255:25): [True: 0, False: 0] ------------------ 256| 0| { 257| 0| RK[8] = RK[0] ^ RCON[i] ^ 258| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^ ------------------ | | 108| 0|#define MBEDTLS_BYTE_1( x ) ( (uint8_t) ( ( ( x ) >> 8 ) & 0xff ) ) ------------------ 259| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^ ------------------ | | 109| 0|#define MBEDTLS_BYTE_2( x ) ( (uint8_t) ( ( ( x ) >> 16 ) & 0xff ) ) ------------------ 260| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^ ------------------ | | 110| 0|#define MBEDTLS_BYTE_3( x ) ( (uint8_t) ( ( ( x ) >> 
24 ) & 0xff ) ) ------------------ 261| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 ); ------------------ | | 107| 0|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 262| | 263| 0| RK[9] = RK[1] ^ RK[8]; 264| 0| RK[10] = RK[2] ^ RK[9]; 265| 0| RK[11] = RK[3] ^ RK[10]; 266| | 267| 0| RK[12] = RK[4] ^ 268| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^ ------------------ | | 107| 0|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 269| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^ ------------------ | | 108| 0|#define MBEDTLS_BYTE_1( x ) ( (uint8_t) ( ( ( x ) >> 8 ) & 0xff ) ) ------------------ 270| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^ ------------------ | | 109| 0|#define MBEDTLS_BYTE_2( x ) ( (uint8_t) ( ( ( x ) >> 16 ) & 0xff ) ) ------------------ 271| 0| ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 ); ------------------ | | 110| 0|#define MBEDTLS_BYTE_3( x ) ( (uint8_t) ( ( ( x ) >> 24 ) & 0xff ) ) ------------------ 272| | 273| 0| RK[13] = RK[5] ^ RK[12]; 274| 0| RK[14] = RK[6] ^ RK[13]; 275| 0| RK[15] = RK[7] ^ RK[14]; 276| 0| } 277| 0| break; 278| 0| } 279| | 280| 0| return( 0 ); 281| 0|} mbedtls_aes_crypt_ecb: 498| 239|{ 499| 239| AES_VALIDATE_RET( ctx != NULL ); ------------------ | | 29| 239| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 239|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 239] | | | | ------------------ | | ------------------ ------------------ 500| 239| AES_VALIDATE_RET( input != NULL ); ------------------ | | 29| 239| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 239|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 239] | | | | 
------------------ | | ------------------ ------------------ 501| 239| AES_VALIDATE_RET( output != NULL ); ------------------ | | 29| 239| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 239|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 239] | | | | ------------------ | | ------------------ ------------------ 502| 239| AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || ------------------ | | 29| 239| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 239|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 239] | | | | ------------------ | | ------------------ ------------------ 503| 239| mode == MBEDTLS_AES_DECRYPT ); 504| | 505| 239|#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 506| 239| if( aes_aesni_has_support ) ------------------ | Branch (506:9): [True: 239, False: 0] ------------------ 507| 239| return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 508| 0|#endif 509| | 510| | 511| 0| if( mode == MBEDTLS_AES_ENCRYPT ) ------------------ | | 46| 0|#define MBEDTLS_AES_ENCRYPT 1 /**< AES encryption. 
*/ ------------------ | Branch (511:9): [True: 0, False: 0] ------------------ 512| 0| return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 513| 0| else 514| 0| return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 515| 0|} gcrypt_light.c:aes_gen_tables: 65| 52|{ 66| 52| int i, x, y, z; 67| 52| int pow[256]; 68| 52| int log[256]; 69| | 70| 52|#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 71| 52| if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) ------------------ | | 30| 52|#define MBEDTLS_AESNI_AES 0x02000000u ------------------ | Branch (71:9): [True: 52, False: 0] ------------------ 72| 52| aes_aesni_has_support = 1; 73| 0| else 74| 0| aes_aesni_has_support = 0; 75| 52|#endif 76| | 77| | /* 78| | * compute pow and log tables over GF(2^8) 79| | */ 80| 13.3k| for( i = 0, x = 1; i < 256; i++ ) ------------------ | Branch (80:24): [True: 13.3k, False: 52] ------------------ 81| 13.3k| { 82| 13.3k| pow[i] = x; 83| 13.3k| log[x] = i; 84| 13.3k| x = MBEDTLS_BYTE_0( x ^ XTIME( x ) ); ------------------ | | 107| 26.6k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) | | ------------------ | | | Branch (107:47): [True: 6.65k, False: 6.65k] | | ------------------ ------------------ 85| 13.3k| } 86| | 87| | /* 88| | * calculate the round constants 89| | */ 90| 572| for( i = 0, x = 1; i < 10; i++ ) ------------------ | Branch (90:24): [True: 520, False: 52] ------------------ 91| 520| { 92| 520| RCON[i] = (uint32_t) x; 93| 520| x = MBEDTLS_BYTE_0( XTIME( x ) ); ------------------ | | 107| 1.04k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) | | ------------------ | | | Branch (107:47): [True: 52, False: 468] | | ------------------ ------------------ 94| 520| } 95| | 96| | /* 97| | * generate the forward and reverse S-boxes 98| | */ 99| 52| FSb[0x00] = 0x63; 100| 52| RSb[0x63] = 0x00; 101| | 102| 13.3k| for( i = 1; i < 256; i++ ) ------------------ | Branch (102:17): [True: 13.2k, False: 52] ------------------ 103| 
13.2k| { 104| 13.2k| x = pow[255 - log[i]]; 105| | 106| 13.2k| y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) ); ------------------ | | 107| 13.2k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 107| 13.2k| x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) ); ------------------ | | 107| 13.2k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 108| 13.2k| x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) ); ------------------ | | 107| 13.2k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 109| 13.2k| x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) ); ------------------ | | 107| 13.2k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 110| 13.2k| x ^= y ^ 0x63; 111| | 112| 13.2k| FSb[i] = (unsigned char) x; 113| 13.2k| RSb[x] = (unsigned char) i; 114| 13.2k| } 115| | 116| | /* 117| | * generate the forward and reverse tables 118| | */ 119| 13.3k| for( i = 0; i < 256; i++ ) ------------------ | Branch (119:17): [True: 13.3k, False: 52] ------------------ 120| 13.3k| { 121| 13.3k| x = FSb[i]; 122| 13.3k| y = MBEDTLS_BYTE_0( XTIME( x ) ); ------------------ | | 107| 26.6k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) | | ------------------ | | | Branch (107:47): [True: 6.65k, False: 6.65k] | | ------------------ ------------------ 123| 13.3k| z = MBEDTLS_BYTE_0( y ^ x ); ------------------ | | 107| 13.3k|#define MBEDTLS_BYTE_0( x ) ( (uint8_t) ( ( x ) & 0xff ) ) ------------------ 124| | 125| 13.3k| FT0[i] = ( (uint32_t) y ) ^ 126| 13.3k| ( (uint32_t) x << 8 ) ^ 127| 13.3k| ( (uint32_t) x << 16 ) ^ 128| 13.3k| ( (uint32_t) z << 24 ); 129| | 130| 13.3k| FT1[i] = ROTL8( FT0[i] ); ------------------ | | 356| 13.3k|#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) ------------------ 131| 13.3k| FT2[i] = ROTL8( FT1[i] ); ------------------ | | 356| 13.3k|#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x 
) >> 24 ) ) ------------------ 132| 13.3k| FT3[i] = ROTL8( FT2[i] ); ------------------ | | 356| 13.3k|#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) ------------------ 133| | 134| 13.3k| x = RSb[i]; 135| | 136| 13.3k| RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ ------------------ | | 59| 13.3k|#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) | | ------------------ | | | Branch (59:22): [True: 13.3k, Folded] | | | Branch (59:29): [True: 13.2k, False: 52] | | ------------------ ------------------ 137| 13.3k| ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ ------------------ | | 59| 13.3k|#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) | | ------------------ | | | Branch (59:22): [True: 13.3k, Folded] | | | Branch (59:29): [True: 13.2k, False: 52] | | ------------------ ------------------ 138| 13.3k| ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ ------------------ | | 59| 13.3k|#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) | | ------------------ | | | Branch (59:22): [True: 13.3k, Folded] | | | Branch (59:29): [True: 13.2k, False: 52] | | ------------------ ------------------ 139| 13.3k| ( (uint32_t) MUL( 0x0B, x ) << 24 ); ------------------ | | 59| 13.3k|#define MUL(x,y) ( ( (x) && (y) ) ? 
pow[(log[(x)]+log[(y)]) % 255] : 0 ) | | ------------------ | | | Branch (59:22): [True: 13.3k, Folded] | | | Branch (59:29): [True: 13.2k, False: 52] | | ------------------ ------------------ 140| | 141| 13.3k| RT1[i] = ROTL8( RT0[i] ); ------------------ | | 356| 13.3k|#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) ------------------ 142| 13.3k| RT2[i] = ROTL8( RT1[i] ); ------------------ | | 356| 13.3k|#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) ------------------ 143| 13.3k| RT3[i] = ROTL8( RT2[i] ); ------------------ | | 356| 13.3k|#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) ------------------ 144| 13.3k| } 145| 52|} mbedtls_aesni_has_support: 60| 76|{ 61| 76|#if defined(__has_feature) 62| |# if __has_feature(memory_sanitizer) 63| | return 0; 64| |# endif 65| 76|#endif 66| | 67| 76|#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 68| 76| if(force_no_aesni == 1) ------------------ | Branch (68:6): [True: 0, False: 76] ------------------ 69| 0| return 0; 70| 76|#endif 71| | 72| |#if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__ 73| | /* In FreeBSD we don't have a reliable way to check AES-NI so better disable it */ 74| | return(0); 75| |#endif 76| | 77| 76|#if defined(linux) || defined(__linux__) 78| 76| if(has_aesni_checked == 0) { ------------------ | Branch (78:6): [True: 1, False: 75] ------------------ 79| | /* 80| | NOTE 81| | 82| | This code is necessary as __get_cpuid() is not reliable 83| | Example with Intel(R) Celeron(R) CPU N2930 (that has NO AES-NI) 84| | the code based on __get_cpuid() reports that AES-NI is present 85| | and thus nDPI crashes on such platform. 
86| | */ 87| 1| FILE *fd = fopen("/proc/cpuinfo", "r"); 88| | 89| 1| if(fd != NULL) { ------------------ | Branch (89:8): [True: 1, False: 0] ------------------ 90| 1| char *line = NULL; 91| 1| size_t len = 0; 92| 1| u_int8_t num_lines = 0; 93| | 94| 20| while(getline(&line, &len, fd) != -1) { ------------------ | Branch (94:13): [True: 20, False: 0] ------------------ 95| 20| if(strstr(line, "aes")) { ------------------ | Branch (95:12): [True: 1, False: 19] ------------------ 96| | /* printf("FOUND %s", line); */ 97| 1| cached_has_aesni = 1; 98| 1| break; 99| 1| } 100| | 101| 19| if(++num_lines > 99) ------------------ | Branch (101:5): [True: 0, False: 19] ------------------ 102| 0| break; /* We giveup */ 103| 19| } 104| | 105| 1| free(line); // Do not replace with ndpi_free(). See `man 3 getline`. 106| 1| fclose(fd); 107| | 108| 1| has_aesni_checked = 1; 109| 1| } 110| 1| } 111| | 112| 76| return(cached_has_aesni); 113| | 114| |#if 0 115| | if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) == 0) 116| | { 117| | return 0; 118| | } 119| | 120| | return ( (ecx & what) != 0 ); 121| |#endif 122| | 123| |#elif defined(WIN32) || defined(WIN64) 124| | int cpuInfo[4]; 125| | 126| | __cpuid(cpuInfo, 1); 127| | 128| | return ( (cpuInfo[2] & what) != 0 ); 129| |#else 130| | volatile unsigned int c = 0; 131| | 132| | asm( "movl $1, %%eax \n\t" 133| | "cpuid \n\t" 134| | : "=c" (c) 135| | : 136| | : "eax", "ebx", "edx" ); 137| | 138| | return( ( c & what ) != 0 ); 139| |#endif 140| 76|} mbedtls_aesni_crypt_ecb: 175| 239|{ 176| 239| asm( "movdqu (%3), %%xmm0 \n\t" // load input ------------------ | | 36| 239|#define asm __asm ------------------ 177| 239| "movdqu (%1), %%xmm1 \n\t" // load round key 0 178| 239| "pxor %%xmm1, %%xmm0 \n\t" // round 0 179| 239| "add $16, %1 \n\t" // point to next round key 180| 239| "subl $1, %0 \n\t" // normal rounds = nr - 1 181| 239| "test %2, %2 \n\t" // mode? 
182| 239| "jz 2f \n\t" // 0 = decrypt 183| | 184| 239| "1: \n\t" // encryption loop 185| 239| "movdqu (%1), %%xmm1 \n\t" // load round key 186| 239| AESENC xmm1_xmm0 "\n\t" // do round 187| 239| "add $16, %1 \n\t" // point to next round key 188| 239| "subl $1, %0 \n\t" // loop 189| 239| "jnz 1b \n\t" 190| 239| "movdqu (%1), %%xmm1 \n\t" // load round key 191| 239| AESENCLAST xmm1_xmm0 "\n\t" // last round 192| 239| "jmp 3f \n\t" 193| | 194| 239| "2: \n\t" // decryption loop 195| 239| "movdqu (%1), %%xmm1 \n\t" 196| 239| AESDEC xmm1_xmm0 "\n\t" // do round 197| 239| "add $16, %1 \n\t" 198| 239| "subl $1, %0 \n\t" 199| 239| "jnz 2b \n\t" 200| 239| "movdqu (%1), %%xmm1 \n\t" // load round key 201| 239| AESDECLAST xmm1_xmm0 "\n\t" // last round 202| | 203| 239| "3: \n\t" 204| 239| "movdqu %%xmm0, (%4) \n\t" // export output 205| 239| : 206| 239| : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output) 207| 239| : "memory", "cc", "xmm0", "xmm1" ); 208| | 209| | 210| 239| return( 0 ); 211| 239|} mbedtls_aesni_gcm_mult: 220| 234|{ 221| 234| unsigned char aa[16], bb[16], cc[16]; 222| 234| size_t i; 223| | 224| | /* The inputs are in big-endian order, so byte-reverse them */ 225| 3.97k| for( i = 0; i < 16; i++ ) ------------------ | Branch (225:17): [True: 3.74k, False: 234] ------------------ 226| 3.74k| { 227| 3.74k| aa[i] = a[15 - i]; 228| 3.74k| bb[i] = b[15 - i]; 229| 3.74k| } 230| | 231| 234| asm( "movdqu (%0), %%xmm0 \n\t" // a1:a0 ------------------ | | 36| 234|#define asm __asm ------------------ 232| 234| "movdqu (%1), %%xmm1 \n\t" // b1:b0 233| | 234| | /* 235| | * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1 236| | * using [CLMUL-WP] algorithm 1 (p. 13). 
237| | */ 238| 234| "movdqa %%xmm1, %%xmm2 \n\t" // copy of b1:b0 239| 234| "movdqa %%xmm1, %%xmm3 \n\t" // same 240| 234| "movdqa %%xmm1, %%xmm4 \n\t" // same 241| 234| PCLMULQDQ xmm0_xmm1 ",0x00 \n\t" // a0*b0 = c1:c0 242| 234| PCLMULQDQ xmm0_xmm2 ",0x11 \n\t" // a1*b1 = d1:d0 243| 234| PCLMULQDQ xmm0_xmm3 ",0x10 \n\t" // a0*b1 = e1:e0 244| 234| PCLMULQDQ xmm0_xmm4 ",0x01 \n\t" // a1*b0 = f1:f0 245| 234| "pxor %%xmm3, %%xmm4 \n\t" // e1+f1:e0+f0 246| 234| "movdqa %%xmm4, %%xmm3 \n\t" // same 247| 234| "psrldq $8, %%xmm4 \n\t" // 0:e1+f1 248| 234| "pslldq $8, %%xmm3 \n\t" // e0+f0:0 249| 234| "pxor %%xmm4, %%xmm2 \n\t" // d1:d0+e1+f1 250| 234| "pxor %%xmm3, %%xmm1 \n\t" // c1+e0+f1:c0 251| | 252| | /* 253| | * Now shift the result one bit to the left, 254| | * taking advantage of [CLMUL-WP] eq 27 (p. 20) 255| | */ 256| 234| "movdqa %%xmm1, %%xmm3 \n\t" // r1:r0 257| 234| "movdqa %%xmm2, %%xmm4 \n\t" // r3:r2 258| 234| "psllq $1, %%xmm1 \n\t" // r1<<1:r0<<1 259| 234| "psllq $1, %%xmm2 \n\t" // r3<<1:r2<<1 260| 234| "psrlq $63, %%xmm3 \n\t" // r1>>63:r0>>63 261| 234| "psrlq $63, %%xmm4 \n\t" // r3>>63:r2>>63 262| 234| "movdqa %%xmm3, %%xmm5 \n\t" // r1>>63:r0>>63 263| 234| "pslldq $8, %%xmm3 \n\t" // r0>>63:0 264| 234| "pslldq $8, %%xmm4 \n\t" // r2>>63:0 265| 234| "psrldq $8, %%xmm5 \n\t" // 0:r1>>63 266| 234| "por %%xmm3, %%xmm1 \n\t" // r1<<1|r0>>63:r0<<1 267| 234| "por %%xmm4, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1 268| 234| "por %%xmm5, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1|r1>>63 269| | 270| | /* 271| | * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1 272| | * using [CLMUL-WP] algorithm 5 (p. 20). 273| | * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted). 
274| | */ 275| | /* Step 2 (1) */ 276| 234| "movdqa %%xmm1, %%xmm3 \n\t" // x1:x0 277| 234| "movdqa %%xmm1, %%xmm4 \n\t" // same 278| 234| "movdqa %%xmm1, %%xmm5 \n\t" // same 279| 234| "psllq $63, %%xmm3 \n\t" // x1<<63:x0<<63 = stuff:a 280| 234| "psllq $62, %%xmm4 \n\t" // x1<<62:x0<<62 = stuff:b 281| 234| "psllq $57, %%xmm5 \n\t" // x1<<57:x0<<57 = stuff:c 282| | 283| | /* Step 2 (2) */ 284| 234| "pxor %%xmm4, %%xmm3 \n\t" // stuff:a+b 285| 234| "pxor %%xmm5, %%xmm3 \n\t" // stuff:a+b+c 286| 234| "pslldq $8, %%xmm3 \n\t" // a+b+c:0 287| 234| "pxor %%xmm3, %%xmm1 \n\t" // x1+a+b+c:x0 = d:x0 288| | 289| | /* Steps 3 and 4 */ 290| 234| "movdqa %%xmm1,%%xmm0 \n\t" // d:x0 291| 234| "movdqa %%xmm1,%%xmm4 \n\t" // same 292| 234| "movdqa %%xmm1,%%xmm5 \n\t" // same 293| 234| "psrlq $1, %%xmm0 \n\t" // e1:x0>>1 = e1:e0' 294| 234| "psrlq $2, %%xmm4 \n\t" // f1:x0>>2 = f1:f0' 295| 234| "psrlq $7, %%xmm5 \n\t" // g1:x0>>7 = g1:g0' 296| 234| "pxor %%xmm4, %%xmm0 \n\t" // e1+f1:e0'+f0' 297| 234| "pxor %%xmm5, %%xmm0 \n\t" // e1+f1+g1:e0'+f0'+g0' 298| | // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing 299| | // bits carried from d. Now get those\t bits back in. 
300| 234| "movdqa %%xmm1,%%xmm3 \n\t" // d:x0 301| 234| "movdqa %%xmm1,%%xmm4 \n\t" // same 302| 234| "movdqa %%xmm1,%%xmm5 \n\t" // same 303| 234| "psllq $63, %%xmm3 \n\t" // d<<63:stuff 304| 234| "psllq $62, %%xmm4 \n\t" // d<<62:stuff 305| 234| "psllq $57, %%xmm5 \n\t" // d<<57:stuff 306| 234| "pxor %%xmm4, %%xmm3 \n\t" // d<<63+d<<62:stuff 307| 234| "pxor %%xmm5, %%xmm3 \n\t" // missing bits of d:stuff 308| 234| "psrldq $8, %%xmm3 \n\t" // 0:missing bits of d 309| 234| "pxor %%xmm3, %%xmm0 \n\t" // e1+f1+g1:e0+f0+g0 310| 234| "pxor %%xmm1, %%xmm0 \n\t" // h1:h0 311| 234| "pxor %%xmm2, %%xmm0 \n\t" // x3+h1:x2+h0 312| | 313| 234| "movdqu %%xmm0, (%2) \n\t" // done 314| 234| : 315| 234| : "r" (aa), "r" (bb), "r" (cc) 316| 234| : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5" ); 317| | 318| | /* Now byte-reverse the outputs */ 319| 3.97k| for( i = 0; i < 16; i++ ) ------------------ | Branch (319:17): [True: 3.74k, False: 234] ------------------ 320| 3.74k| c[i] = cc[15 - i]; 321| | 322| 234| return; 323| 234|} mbedtls_aesni_setkey_enc: 526| 52|{ 527| 52| switch( bits ) 528| 52| { 529| 52| case 128: aesni_setkey_enc_128( rk, key ); break; ------------------ | Branch (529:9): [True: 52, False: 0] ------------------ 530| 0| case 192: aesni_setkey_enc_192( rk, key ); break; ------------------ | Branch (530:9): [True: 0, False: 52] ------------------ 531| 0| case 256: aesni_setkey_enc_256( rk, key ); break; ------------------ | Branch (531:9): [True: 0, False: 52] ------------------ 532| 0| default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); ------------------ | | 51| 0|#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 ------------------ | Branch (532:9): [True: 0, False: 52] ------------------ 533| 52| } 534| | 535| 52| return( 0 ); 536| 52|} gcrypt_light.c:aesni_setkey_enc_128: 352| 52|{ 353| 52| asm( "movdqu (%1), %%xmm0 \n\t" // copy the original key ------------------ | | 36| 52|#define asm __asm ------------------ 354| 52| "movdqu %%xmm0, 
(%0) \n\t" // as round key 0 355| 52| "jmp 2f \n\t" // skip auxiliary routine 356| | 357| | /* 358| | * Finish generating the next round key. 359| | * 360| | * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff 361| | * with X = rot( sub( r3 ) ) ^ RCON. 362| | * 363| | * On exit, xmm0 is r7:r6:r5:r4 364| | * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3 365| | * and those are written to the round key buffer. 366| | */ 367| 52| "1: \n\t" 368| 52| "pshufd $0xff, %%xmm1, %%xmm1 \n\t" // X:X:X:X 369| 52| "pxor %%xmm0, %%xmm1 \n\t" // X+r3:X+r2:X+r1:r4 370| 52| "pslldq $4, %%xmm0 \n\t" // r2:r1:r0:0 371| 52| "pxor %%xmm0, %%xmm1 \n\t" // X+r3+r2:X+r2+r1:r5:r4 372| 52| "pslldq $4, %%xmm0 \n\t" // etc 373| 52| "pxor %%xmm0, %%xmm1 \n\t" 374| 52| "pslldq $4, %%xmm0 \n\t" 375| 52| "pxor %%xmm1, %%xmm0 \n\t" // update xmm0 for next time! 376| 52| "add $16, %0 \n\t" // point to next round key 377| 52| "movdqu %%xmm0, (%0) \n\t" // write it 378| 52| "ret \n\t" 379| | 380| | /* Main "loop" */ 381| 52| "2: \n\t" 382| 52| AESKEYGENA xmm0_xmm1 ",0x01 \n\tcall 1b \n\t" 383| 52| AESKEYGENA xmm0_xmm1 ",0x02 \n\tcall 1b \n\t" 384| 52| AESKEYGENA xmm0_xmm1 ",0x04 \n\tcall 1b \n\t" 385| 52| AESKEYGENA xmm0_xmm1 ",0x08 \n\tcall 1b \n\t" 386| 52| AESKEYGENA xmm0_xmm1 ",0x10 \n\tcall 1b \n\t" 387| 52| AESKEYGENA xmm0_xmm1 ",0x20 \n\tcall 1b \n\t" 388| 52| AESKEYGENA xmm0_xmm1 ",0x40 \n\tcall 1b \n\t" 389| 52| AESKEYGENA xmm0_xmm1 ",0x80 \n\tcall 1b \n\t" 390| 52| AESKEYGENA xmm0_xmm1 ",0x1B \n\tcall 1b \n\t" 391| 52| AESKEYGENA xmm0_xmm1 ",0x36 \n\tcall 1b \n\t" 392| 52| : 393| 52| : "r" (rk), "r" (key) 394| 52| : "memory", "cc", "0" ); 395| 52|} mbedtls_cipher_info_from_values: 84| 24|{ 85| 24| const mbedtls_cipher_definition_t *def; 86| | 87| 24| for( def = mbedtls_cipher_definitions; def->info != NULL; def++ ) ------------------ | Branch (87:44): [True: 24, False: 0] ------------------ 88| 24| if( def->info->base->cipher == cipher_id && ------------------ | Branch 
(88:13): [True: 24, False: 0] ------------------ 89| 24| def->info->key_bitlen == (unsigned) key_bitlen && ------------------ | Branch (89:13): [True: 24, False: 0] ------------------ 90| 24| def->info->mode == mode ) ------------------ | Branch (90:13): [True: 24, False: 0] ------------------ 91| 24| return( def->info ); 92| | 93| 0| return( NULL ); 94| 24|} mbedtls_cipher_setkey: 106| 24|{ 107| 24| CIPHER_VALIDATE_RET( ctx != NULL ); ------------------ | | 26| 24| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 24|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 24] | | | | ------------------ | | ------------------ ------------------ 108| 24| CIPHER_VALIDATE_RET( key != NULL ); ------------------ | | 26| 24| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 24|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 24] | | | | ------------------ | | ------------------ ------------------ 109| 24| CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT || ------------------ | | 26| 24| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 24|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 24] | | | | ------------------ | | ------------------ ------------------ 110| 24| operation == MBEDTLS_DECRYPT ); 111| 24| if( ctx->cipher_info == NULL ) ------------------ | Branch (111:9): [True: 0, False: 24] ------------------ 112| 0| return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); ------------------ | | 53| 0|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 113| | 114| | 115| 24| if( ( ctx->cipher_info->flags & 
MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 && ------------------ | | 66| 24|#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN 0x02 /**< Cipher accepts keys of variable length. */ ------------------ | Branch (115:9): [True: 24, False: 0] ------------------ 116| 24| (int) ctx->cipher_info->key_bitlen != key_bitlen ) ------------------ | Branch (116:9): [True: 0, False: 24] ------------------ 117| 0| { 118| 0| return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); ------------------ | | 53| 0|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 119| 0| } 120| | 121| 24| ctx->key_bitlen = key_bitlen; 122| 24| ctx->operation = operation; 123| | 124| | /* 125| | * For OFB, CFB and CTR mode always use the encryption key schedule 126| | */ 127| 24| if( MBEDTLS_ENCRYPT == operation || ------------------ | Branch (127:9): [True: 24, False: 0] ------------------ 128| 0| MBEDTLS_MODE_CFB == ctx->cipher_info->mode || ------------------ | Branch (128:9): [True: 0, False: 0] ------------------ 129| 0| MBEDTLS_MODE_OFB == ctx->cipher_info->mode || ------------------ | Branch (129:9): [True: 0, False: 0] ------------------ 130| 0| MBEDTLS_MODE_CTR == ctx->cipher_info->mode ) ------------------ | Branch (130:9): [True: 0, False: 0] ------------------ 131| 24| { 132| 24| return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key, 133| 24| ctx->key_bitlen ) ); 134| 24| } 135| | 136| 0| if( MBEDTLS_DECRYPT == operation ) ------------------ | Branch (136:9): [True: 0, False: 0] ------------------ 137| 0| return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key, 138| 0| ctx->key_bitlen ) ); 139| | 140| 0| return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); ------------------ | | 53| 0|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 141| 0|} mbedtls_cipher_reset: 190| 14|{ 191| 14| CIPHER_VALIDATE_RET( ctx != NULL ); ------------------ | | 26| 14| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 
14|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 14] | | | | ------------------ | | ------------------ ------------------ 192| 14| if( ctx->cipher_info == NULL ) ------------------ | Branch (192:9): [True: 0, False: 14] ------------------ 193| 0| return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); ------------------ | | 53| 0|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 194| | 195| | 196| 14| ctx->unprocessed_len = 0; 197| | 198| 14| return( 0 ); 199| 14|} mbedtls_cipher_update: 226| 222|{ 227| 222| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ------------------ | | 112| 222|#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E ------------------ 228| 222| size_t block_size; 229| | 230| 222| CIPHER_VALIDATE_RET( ctx != NULL ); ------------------ | | 26| 222| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 222|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 222] | | | | ------------------ | | ------------------ ------------------ 231| 222| CIPHER_VALIDATE_RET( ilen == 0 || input != NULL ); ------------------ | | 26| 222| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 222|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 222] | | | | ------------------ | | ------------------ ------------------ 232| 222| CIPHER_VALIDATE_RET( output != NULL ); ------------------ | | 26| 222| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 222|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 222] | | | | ------------------ | | 
------------------ ------------------ 233| 222| CIPHER_VALIDATE_RET( olen != NULL ); ------------------ | | 26| 222| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ) | | ------------------ | | | | 30| 222|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 222] | | | | ------------------ | | ------------------ ------------------ 234| 222| if( ctx->cipher_info == NULL ) ------------------ | Branch (234:9): [True: 0, False: 222] ------------------ 235| 0| return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); ------------------ | | 53| 0|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 236| | 237| | 238| 222| *olen = 0; 239| 222| block_size = mbedtls_cipher_get_block_size( ctx ); 240| 222| if ( 0 == block_size ) ------------------ | Branch (240:10): [True: 0, False: 222] ------------------ 241| 0| { 242| 0| return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT ); ------------------ | | 63| 0|#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380 ------------------ 243| 0| } 244| | 245| 222| if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB ) ------------------ | Branch (245:9): [True: 222, False: 0] ------------------ 246| 222| { 247| 222| if( ilen != block_size ) ------------------ | Branch (247:13): [True: 0, False: 222] ------------------ 248| 0| return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED ); ------------------ | | 59| 0|#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280 ------------------ 249| | 250| 222| *olen = ilen; 251| | 252| 222| if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx, ------------------ | Branch (252:13): [True: 0, False: 222] ------------------ 253| 222| ctx->operation, input, output ) ) ) 254| 0| { 255| 0| return( ret ); 256| 0| } 257| | 258| 222| return( 0 ); 259| 222| } 260| | 261| 0|#if defined(MBEDTLS_GCM_C) 262| 0| if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM ) ------------------ | Branch (262:9): [True: 0, 
False: 0] ------------------ 263| 0| { 264| 0| return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, 265| 0| input, ilen, 266| 0| output, ilen, olen ) ); 267| 0| } 268| 0|#endif 269| | 270| | 271| | 272| 0| if( input == output && ------------------ | Branch (272:9): [True: 0, False: 0] ------------------ 273| 0| ( ctx->unprocessed_len != 0 || ilen % block_size ) ) ------------------ | Branch (273:10): [True: 0, False: 0] | Branch (273:39): [True: 0, False: 0] ------------------ 274| 0| { 275| 0| return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); ------------------ | | 53| 0|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 276| 0| } 277| | 278| |#if defined(MBEDTLS_CIPHER_MODE_CBC) 279| | if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC ) 280| | { 281| | size_t copy_len = 0; 282| | 283| | /* 284| | * If there is not enough data for a full block, cache it. 285| | */ 286| | if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding && 287| | ilen <= block_size - ctx->unprocessed_len ) || 288| | ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding && 289| | ilen < block_size - ctx->unprocessed_len ) || 290| | ( ctx->operation == MBEDTLS_ENCRYPT && 291| | ilen < block_size - ctx->unprocessed_len ) ) 292| | { 293| | memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 294| | ilen ); 295| | 296| | ctx->unprocessed_len += ilen; 297| | return( 0 ); 298| | } 299| | 300| | /* 301| | * Process cached data first 302| | */ 303| | if( 0 != ctx->unprocessed_len ) 304| | { 305| | copy_len = block_size - ctx->unprocessed_len; 306| | 307| | memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input, 308| | copy_len ); 309| | 310| | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 311| | ctx->operation, block_size, ctx->iv, 312| | ctx->unprocessed_data, output ) ) ) 313| | { 314| | return( ret ); 315| | } 316| | 317| | *olen += block_size; 318| | output += block_size; 319| | ctx->unprocessed_len = 0; 
320| | 321| | input += copy_len; 322| | ilen -= copy_len; 323| | } 324| | 325| | /* 326| | * Cache final, incomplete block 327| | */ 328| | if( 0 != ilen ) 329| | { 330| | /* Encryption: only cache partial blocks 331| | * Decryption w/ padding: always keep at least one whole block 332| | * Decryption w/o padding: only cache partial blocks 333| | */ 334| | copy_len = ilen % block_size; 335| | if( copy_len == 0 && 336| | ctx->operation == MBEDTLS_DECRYPT && 337| | NULL != ctx->add_padding) 338| | { 339| | copy_len = block_size; 340| | } 341| | 342| | memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ), 343| | copy_len ); 344| | 345| | ctx->unprocessed_len += copy_len; 346| | ilen -= copy_len; 347| | } 348| | 349| | /* 350| | * Process remaining full blocks 351| | */ 352| | if( ilen ) 353| | { 354| | if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx, 355| | ctx->operation, ilen, ctx->iv, input, output ) ) ) 356| | { 357| | return( ret ); 358| | } 359| | 360| | *olen += ilen; 361| | } 362| | 363| | return( 0 ); 364| | } 365| |#endif /* MBEDTLS_CIPHER_MODE_CBC */ /* NOTE(review): lines 278-365 carry no execution counts in this report, which suggests MBEDTLS_CIPHER_MODE_CBC is not defined in the measured build - confirm. */ 366| | 367| | 368| | 369| | 370| | 371| | 372| 0| return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); /* Reached only when none of the mode branches above returned; 0 hits in this run. */ ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ 373| 0|} gcrypt_light.c:aes_crypt_ecb_wrap: 28| 222|{ /* Adapter: casts the untyped ctx to mbedtls_aes_context * and forwards to mbedtls_aes_crypt_ecb, returning its result unchanged. */ 29| 222| return mbedtls_aes_crypt_ecb( (mbedtls_aes_context *) ctx, operation, input, output ); 30| 222|} gcrypt_light.c:aes_setkey_enc_wrap: 41| 24|{ /* Adapter: casts ctx to mbedtls_aes_context * and forwards key and key_bitlen to mbedtls_aes_setkey_enc. */ 42| 24| return mbedtls_aes_setkey_enc( (mbedtls_aes_context *) ctx, key, key_bitlen ); 43| 24|} gcrypt_light.c:aes_ctx_zero: 46| 24|{ /* Adapter: runs mbedtls_aes_init on ctx after casting it to mbedtls_aes_context *. */ 47| 24| mbedtls_aes_init( (mbedtls_aes_context *) ctx ); 48| 24|} sha256_final: 219| 288|{ /* Finishes the hash: appends the 0x80 marker, zero padding and the 64-bit bit length, processes the last block(s), then (in the lines that follow) writes the eight state words to digest and calls sha256_init(p). */ 220| 288| uint64_t lenInBits = (p->count << 3); /* count * 8; presumably count is the number of bytes hashed so far - confirm */ 221| 288| uint32_t curBufferPos = (uint32_t)p->count & 0x3F; /* count modulo 64 */ 222| 288| unsigned i; 223| 288| p->buffer[curBufferPos++] = 0x80; 224| 9.12k| while (curBufferPos != (64 - 8)) /* zero-fill until eight bytes remain for the length field */ ------------------ | Branch (224:10): [True:
8.83k, False: 288] ------------------ 225| 8.83k| { 226| 8.83k| curBufferPos &= 0x3F; 227| 8.83k| if (curBufferPos == 0) ------------------ | Branch (227:9): [True: 0, False: 8.83k] ------------------ 228| 0| sha256_write_byte_block(p); /* Processes the filled buffer when the padding position wraps from 64 back to 0. NOTE(review): 0 hits in this run, so the two-block padding case is not exercised by the measured inputs. */ 229| 8.83k| p->buffer[curBufferPos++] = 0; 230| 8.83k| } 231| 2.59k| for (i = 0; i < 8; i++) ------------------ | Branch (231:15): [True: 2.30k, False: 288] ------------------ 232| 2.30k| { 233| 2.30k| p->buffer[curBufferPos++] = (unsigned char)(lenInBits >> 56); /* length field, most significant byte first */ 234| 2.30k| lenInBits <<= 8; 235| 2.30k| } 236| 288| sha256_write_byte_block(p); 237| | 238| 2.59k| for (i = 0; i < 8; i++) /* writes 8 words x 4 bytes = 32 bytes to digest; no length for digest is checked in this body */ ------------------ | Branch (238:15): [True: 2.30k, False: 288] ------------------ 239| 2.30k| { 240| 2.30k| *digest++ = (unsigned char)(p->state[i] >> 24); 241| 2.30k| *digest++ = (unsigned char)(p->state[i] >> 16); 242| 2.30k| *digest++ = (unsigned char)(p->state[i] >> 8); 243| 2.30k| *digest++ = (unsigned char)(p->state[i]); 244| 2.30k| } 245| 288| sha256_init(p); /* presumably resets the context for reuse - confirm against sha256_init */ 246| 288|} hmac_sha256: 270| 144|{ /* Computes HMAC-SHA256 of data under key and writes the 32-byte result to out, following the numbered steps in the comments below. */ 271| 144| sha256_t ss; 272| 144| uint8_t kx[B]; /* Scratch block for the key XORed with ipad, later opad. NOTE(review): the body up to line 319 never clears it, so key-derived bytes stay on the stack after return - consider wiping it. */ 273| 144| size_t i; 274| | 275| 144| if(!out) return; ------------------ | Branch (275:8): [True: 0, False: 144] ------------------ 276| 144| if(!data) return; ------------------ | Branch (276:8): [True: 0, False: 144] ------------------ 277| 144| if(!key) return; ------------------ | Branch (277:8): [True: 0, False: 144] ------------------ 278| 144| if(key_len > B) return; /* NOTE(review): keys longer than B bytes are rejected rather than hashed down first as RFC 2104 specifies; like the three checks above, this returns with out unwritten and gives the caller no status. */ ------------------ | | 259| 144|#define B 64 ------------------ | Branch (278:8): [True: 0, False: 144] ------------------ 279| | 280| | /* 281| | * (1) append zeros to the end of K to create a B byte string 282| | * (e.g., if K is of length 20 bytes and B=64, then K will be 283| | * appended with 44 zero bytes 0x00) 284| | * (2) XOR (bitwise exclusive-OR) the B byte string computed in step 285| | * (1) with ipad 286| | */ 287| 4.33k| for (i = 0; i < key_len; i++) kx[i] = I_PAD ^ key[i]; ------------------ | | 263| 4.18k|#define I_PAD
0x36 ------------------ | Branch (287:17): [True: 4.18k, False: 144] ------------------ 288| 5.17k| for (i = key_len; i < B; i++) kx[i] = I_PAD ^ 0; ------------------ | | 259| 5.17k|#define B 64 ------------------ for (i = key_len; i < B; i++) kx[i] = I_PAD ^ 0; ------------------ | | 263| 5.02k|#define I_PAD 0x36 ------------------ | Branch (288:23): [True: 5.02k, False: 144] ------------------ 289| | 290| | /* 291| | * (3) append the stream of data 'text' to the B byte string resulting 292| | * from step (2) 293| | * (4) apply H to the stream generated in step (3) 294| | */ 295| 144| sha256_init (&ss); 296| 144| sha256_update (&ss, kx, B); ------------------ | | 259| 144|#define B 64 ------------------ 297| 144| sha256_update (&ss, data, data_len); 298| 144| sha256_final (&ss, out); 299| | 300| | /* 301| | * (5) XOR (bitwise exclusive-OR) the B byte string computed in 302| | * step (1) with opad 303| | * 304| | * NOTE: The "kx" variable is reused. 305| | */ 306| 4.33k| for (i = 0; i < key_len; i++) kx[i] = O_PAD ^ key[i]; ------------------ | | 264| 4.18k|#define O_PAD 0x5C ------------------ | Branch (306:17): [True: 4.18k, False: 144] ------------------ 307| 5.17k| for (i = key_len; i < B; i++) kx[i] = O_PAD ^ 0; ------------------ | | 259| 5.17k|#define B 64 ------------------ for (i = key_len; i < B; i++) kx[i] = O_PAD ^ 0; ------------------ | | 264| 5.02k|#define O_PAD 0x5C ------------------ | Branch (307:23): [True: 5.02k, False: 144] ------------------ 308| | 309| | /* 310| | * (6) append the H result from step (4) to the B byte string 311| | * resulting from step (5) 312| | * (7) apply H to the stream generated in step (6) and output 313| | * the result 314| | */ 315| 144| sha256_init (&ss); 316| 144| sha256_update (&ss, kx, B); ------------------ | | 259| 144|#define B 64 ------------------ 317| 144| sha256_update (&ss, out, SHA256_DIGEST_SIZE); ------------------ | | 12| 144|#define SHA256_DIGEST_SIZE 32 ------------------ 318| 144| sha256_final 
(&ss, out); 319| 144|} gcrypt_light.c:sha256_write_byte_block: 187| 576|{ 188| 576| uint32_t data32[16]; 189| 576| unsigned i; 190| 9.79k| for (i = 0; i < 16; i++) ------------------ | Branch (190:15): [True: 9.21k, False: 576] ------------------ 191| 9.21k| data32[i] = 192| 9.21k| ((uint32_t)(p->buffer[i * 4 ]) << 24) + 193| 9.21k| ((uint32_t)(p->buffer[i * 4 + 1]) << 16) + 194| 9.21k| ((uint32_t)(p->buffer[i * 4 + 2]) << 8) + 195| 9.21k| ((uint32_t)(p->buffer[i * 4 + 3])); 196| 576| sha256_transform(p->state, data32); 197| 576|} gcrypt_light.c:sha256_transform: 132| 576|{ 133| 576| uint32_t W[16] = {0}; 134| 576| unsigned j; 135| 576| #ifdef _SHA256_UNROLL2 136| 576| uint32_t a,b,c,d,e,f,g,h; 137| 576| a = state[0]; 138| 576| b = state[1]; 139| 576| c = state[2]; 140| 576| d = state[3]; 141| 576| e = state[4]; 142| 576| f = state[5]; 143| 576| g = state[6]; 144| 576| h = state[7]; 145| | #else 146| | uint32_t T[8]; 147| | for (j = 0; j < 8; j++) 148| | T[j] = state[j]; 149| | #endif 150| | 151| 2.88k| for (j = 0; j < 64; j += 16) ------------------ | Branch (151:15): [True: 2.30k, False: 576] ------------------ 152| 2.30k| { 153| 2.30k| #if defined(_SHA256_UNROLL) || defined(_SHA256_UNROLL2) 154| 2.30k| RX_8(0); RX_8(8); ------------------ | | 75| 2.30k| R(a,b,c,d,e,f,g,h, i); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | 
------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 
1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | 
| | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 
0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 76| 2.30k| R(h,a,b,c,d,e,f,g, (i+1)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 
2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) 
(ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | 
| | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 77| 2.30k| R(g,h,a,b,c,d,e,f, (i+2)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) 
((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) 
<< (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | 
| | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - 
(n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 78| 2.30k| R(f,g,h,a,b,c,d,e, (i+3)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) 
(U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] 
+= s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | 
| | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 79| 2.30k| R(e,f,g,h,a,b,c,d, (i+4)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | 
((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 
- (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) 
(U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | 
| ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 80| 2.30k| R(d,e,f,g,h,a,b,c, (i+5)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, 
n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | 
------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | 
------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 81| 2.30k| R(c,d,e,f,g,h,a,b, (i+6)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) 
ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) 
(ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 
1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ 
ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 82| 2.30k| R(b,c,d,e,f,g,h,a, (i+7)) | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | 
| | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | 
| | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | 
| | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ ------------------ RX_8(0); RX_8(8); ------------------ | | 75| 2.30k| R(a,b,c,d,e,f,g,h, i); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ 
| | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 
1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | 
------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) 
| | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 76| 2.30k| R(h,a,b,c,d,e,f,g, (i+1)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define 
U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 
1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 
2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 77| 2.30k| R(g,h,a,b,c,d,e,f, (i+2)); \ | | ------------------ | | | | 71| 2.30k|#define 
R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define 
R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) 
((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 
- (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 78| 2.30k| R(f,g,h,a,b,c,d,e, (i+3)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) 
(U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | 
------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 
576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) 
((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 79| 2.30k| R(e,f,g,h,a,b,c,d, (i+4)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + 
(j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) 
<< (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) 
| | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 80| 2.30k| R(d,e,f,g,h,a,b,c, (i+5)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 
2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | 
| | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define 
R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | 
------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 81| 2.30k| R(c,d,e,f,g,h,a,b, (i+6)); \ | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | 
| | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) 
ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) 
(ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ | | 82| 2.30k| R(b,c,d,e,f,g,h,a, (i+7)) | | ------------------ | | | | 71| 2.30k|#define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 49| 2.30k|#define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | 
------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S1(x) (ROTR32(x, 6) ^ ROTR32(x,11) ^ ROTR32(x, 25)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 56| 2.30k|#define Ch(x,y,z) (z^(x&(y^z))) | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 54| 1.72k|#define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 51| 1.72k|#define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 
1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s1(x) (ROTR32(x,17) ^ ROTR32(x,19) ^ (x >> 10)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define blk2(i) (W[i&15] += s1(W[(i-2)&15]) + W[(i-7)&15] + s0(W[(i-15)&15])) | | | | | | ------------------ | | | | | | | | 50| 1.72k|#define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | | | #define s0(x) (ROTR32(x, 7) ^ ROTR32(x,18) ^ (x >> 3)) | | | | | | | | ------------------ | | | | | | | | | | 35| 1.72k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | | | ------------------ | | | | | | | | | | | | 30| 1.72k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | | | ------------------ | | | | | | | | | | | | | | 27| 1.72k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | | | ------------------ | | | | | | | 
| | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | #define R(a,b,c,d,e,f,g,h, i) h += S1(e) + Ch(e,f,g) + K[i+j] + (j?blk2(i):blk0(i));\ | | | | ------------------ | | | | | | 53| 576|#define blk0(i) (W[i] = data[i]) | | | | ------------------ | | | | | Branch (71:66): [True: 1.72k, False: 576] | | | | ------------------ | | | | 72| 2.30k| d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 48| 2.30k|#define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | | | #define S0(x) (ROTR32(x, 2) ^ ROTR32(x,13) ^ ROTR32(x, 22)) | | | | | | ------------------ | | | | | | | | 35| 2.30k|#define ROTR32(v, n) ROTL32(v, 32 - (n)) | | | | | | | | ------------------ | | | | | | | | | | 30| 2.30k|#define ROTL32(v, n) (U32V((uint32_t)(v) << (n)) | ((uint32_t)(v) >> (32 - (n)))) | | | | | | | | | | ------------------ | | | | | | | | | | | | 27| 2.30k|#define U32V(v) ((uint32_t)(v) & 
0xFFFFFFFFU) | | | | | | | | | | ------------------ | | | | | | | | ------------------ | | | | | | ------------------ | | | | ------------------ | | | | d += h; h += S0(a) + Maj(a, b, c) | | | | ------------------ | | | | | | 57| 2.30k|#define Maj(x,y,z) ((x&y)|(z&(x|y))) | | | | ------------------ | | ------------------ ------------------ 155| | #else 156| | unsigned i; 157| | for (i = 0; i < 16; i++) { R(i); } 158| | #endif 159| 2.30k| } 160| | 161| 576| #ifdef _SHA256_UNROLL2 162| 576| state[0] += a; 163| 576| state[1] += b; 164| 576| state[2] += c; 165| 576| state[3] += d; 166| 576| state[4] += e; 167| 576| state[5] += f; 168| 576| state[6] += g; 169| 576| state[7] += h; 170| | #else 171| | for (j = 0; j < 8; j++) 172| | state[j] += T[j]; 173| | #endif 174| | 175| | /* Wipe variables */ 176| | /* memset(W, 0, sizeof(W)); */ 177| | /* memset(T, 0, sizeof(T)); */ 178| 576|} gcrypt_light.c:sha256_init: 118| 576|{ 119| 576| p->state[0] = 0x6a09e667; 120| 576| p->state[1] = 0xbb67ae85; 121| 576| p->state[2] = 0x3c6ef372; 122| 576| p->state[3] = 0xa54ff53a; 123| 576| p->state[4] = 0x510e527f; 124| 576| p->state[5] = 0x9b05688c; 125| 576| p->state[6] = 0x1f83d9ab; 126| 576| p->state[7] = 0x5be0cd19; 127| 576| p->count = 0; 128| 576|} gcrypt_light.c:sha256_update: 201| 576|{ 202| 576| uint32_t curBufferPos = (uint32_t)p->count & 0x3F; 203| 26.0k| while (size > 0) ------------------ | Branch (203:10): [True: 25.4k, False: 576] ------------------ 204| 25.4k| { 205| 25.4k| p->buffer[curBufferPos++] = *data++; 206| 25.4k| p->count++; 207| 25.4k| size--; 208| 25.4k| if (curBufferPos == 64) ------------------ | Branch (208:9): [True: 288, False: 25.1k] ------------------ 209| 288| { 210| 288| curBufferPos = 0; 211| 288| sha256_write_byte_block(p); 212| 288| } 213| 25.4k| } 214| 576|} mbedtls_gcm_init: 99| 26|{ 100| 26| GCM_VALIDATE( ctx != NULL ); ------------------ | | 35| 26| MBEDTLS_INTERNAL_VALIDATE( cond ) | | ------------------ | | | | 31| 26|#define 
MBEDTLS_INTERNAL_VALIDATE( cond ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (31:67): [Folded, False: 26] | | | | ------------------ | | ------------------ ------------------ 101| 26| memset( ctx, 0, sizeof( mbedtls_gcm_context ) ); 102| 26| ctx->cipher_ctx.cipher_ctx = aes_ctx; 103| 26|} mbedtls_gcm_setkey: 179| 24|{ 180| 24| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ------------------ | | 112| 24|#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E ------------------ 181| 24| const mbedtls_cipher_info_t *cipher_info; 182| | 183| 24| GCM_VALIDATE_RET( ctx != NULL ); ------------------ | | 33| 24| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 24|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 24] | | | | ------------------ | | ------------------ ------------------ 184| 24| GCM_VALIDATE_RET( key != NULL ); ------------------ | | 33| 24| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 24|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 24] | | | | ------------------ | | ------------------ ------------------ 185| 24| GCM_VALIDATE_RET( keybits == 128 || keybits == 192 || keybits == 256 ); ------------------ | | 33| 24| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 24|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 24] | | | | ------------------ | | ------------------ ------------------ 186| | 187| 24| cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, 188| 24| MBEDTLS_MODE_ECB ); 189| 24| if( cipher_info == NULL ) ------------------ | Branch (189:9): [True: 0, False: 24] ------------------ 190| 0| return( 
MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 191| | 192| 24| if( cipher_info->block_size != 16 ) ------------------ | Branch (192:9): [True: 0, False: 24] ------------------ 193| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 194| | 195| 24| if(ctx->cipher_ctx.cipher_ctx == NULL) return MBEDTLS_ERR_GCM_BAD_INPUT; ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ | Branch (195:8): [True: 0, False: 24] ------------------ 196| 24| if(!cipher_info->base->ctx_zero_func) return MBEDTLS_ERR_GCM_BAD_INPUT; ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ | Branch (196:8): [True: 0, False: 24] ------------------ 197| 24| (*cipher_info->base->ctx_zero_func)(ctx->cipher_ctx.cipher_ctx); 198| 24| ctx->cipher_ctx.cipher_info = cipher_info; 199| | 200| 24| if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits, ------------------ | Branch (200:9): [True: 0, False: 24] ------------------ 201| 24| MBEDTLS_ENCRYPT ) ) != 0 ) 202| 0| { 203| 0| return( ret ); 204| 0| } 205| | 206| 24| if( ( ret = gcm_gen_table( ctx ) ) != 0 ) ------------------ | Branch (206:9): [True: 0, False: 24] ------------------ 207| 0| return( ret ); 208| | 209| 24| return( 0 ); 210| 24|} mbedtls_gcm_starts: 283| 13|{ 284| 13| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ------------------ | | 112| 13|#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E ------------------ 285| 13| unsigned char work_buf[16]; 286| 13| const unsigned char *p; 287| 13| size_t use_len, olen = 0; 288| 13| uint64_t iv_bits; 289| | 290| 13| GCM_VALIDATE_RET( ctx != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | 
------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 291| 13| GCM_VALIDATE_RET( iv != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 292| | 293| | /* IV is limited to 2^64 bits, so 2^61 bytes */ 294| | /* IV is not allowed to be zero length */ 295| 13| if( iv_len == 0) ------------------ | Branch (295:9): [True: 0, False: 13] ------------------ 296| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 297| 13|#if __SIZE_WIDTH__ == 64 298| 13| if( iv_len >= (1ULL << 32 )) ------------------ | Branch (298:9): [True: 0, False: 13] ------------------ 299| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 300| 13|#endif 301| | 302| 13| memset( ctx->y, 0x00, sizeof(ctx->y) ); 303| 13| memset( ctx->buf, 0x00, sizeof(ctx->buf) ); 304| | 305| 13| ctx->mode = mode; 306| 13| ctx->len = 0; 307| 13| ctx->add_len = 0; 308| | 309| 13| if( iv_len == 12 ) ------------------ | Branch (309:9): [True: 13, False: 0] ------------------ 310| 13| { 311| 13| memcpy( ctx->y, iv, iv_len ); 312| 13| ctx->y[15] = 1; 313| 13| } 314| 0| else 315| 0| { 316| 0| memset( work_buf, 0x00, 16 ); 317| 0| iv_bits = (uint64_t)iv_len * 8; 318| 0| MBEDTLS_PUT_UINT64_BE( iv_bits, work_buf, 8 ); ------------------ | | 93| 0|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 319| | 320| 0| p = iv; 321| 0| while( iv_len > 0 ) ------------------ | Branch (321:16): [True: 0, False: 0] ------------------ 322| 0| { 323| 0| use_len = ( 
iv_len < 16 ) ? iv_len : 16; ------------------ | Branch (323:23): [True: 0, False: 0] ------------------ 324| | 325| 0| xorbytes(ctx->y,p,use_len); 326| | 327| 0| gcm_mult( ctx, ctx->y, ctx->y ); 328| | 329| 0| iv_len -= use_len; 330| 0| p += use_len; 331| 0| } 332| | 333| 0| xorbytes(ctx->y,work_buf,16); 334| | 335| 0| gcm_mult( ctx, ctx->y, ctx->y ); 336| 0| } 337| | 338| 13| if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ------------------ | Branch (338:9): [True: 0, False: 13] ------------------ 339| 13| ctx->base_ectr, &olen ) ) != 0 ) 340| 0| { 341| 0| return( ret ); 342| 0| } 343| | 344| 13| return( 0 ); 345| 13|} mbedtls_gcm_update_ad: 366| 13|{ 367| 13| const unsigned char *p; 368| 13| size_t use_len, offset; 369| | 370| 13| GCM_VALIDATE_RET( add_len == 0 || add != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 371| | 372| | /* AD is limited to 2^64 bits, so 2^61 bytes */ 373| 13| if( (uint64_t) add_len >> 61 != 0 ) ------------------ | Branch (373:9): [True: 0, False: 13] ------------------ 374| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 375| | 376| 13| offset = ctx->add_len % 16; 377| 13| p = add; 378| | 379| 13| if( offset != 0 ) ------------------ | Branch (379:9): [True: 0, False: 13] ------------------ 380| 0| { 381| 0| use_len = 16 - offset; 382| 0| if( use_len > add_len ) ------------------ | Branch (382:13): [True: 0, False: 0] ------------------ 383| 0| use_len = add_len; 384| | 385| 0| xorbytes(ctx->buf,p,use_len); 386| | 387| 0| if( offset + use_len == 16 ) ------------------ | Branch (387:13): [True: 0, False: 0] ------------------ 388| 0| 
gcm_mult( ctx, ctx->buf, ctx->buf ); 389| | 390| 0| ctx->add_len += use_len; 391| 0| add_len -= use_len; 392| 0| p += use_len; 393| 0| } 394| | 395| 13| ctx->add_len += add_len; 396| | 397| 36| while( add_len >= 16 ) ------------------ | Branch (397:12): [True: 23, False: 13] ------------------ 398| 23| { 399| 23| xorbytes(ctx->buf,p,16); 400| | 401| 23| gcm_mult( ctx, ctx->buf, ctx->buf ); 402| | 403| 23| add_len -= 16; 404| 23| p += 16; 405| 23| } 406| | 407| 13| if( add_len > 0 ) ------------------ | Branch (407:9): [True: 13, False: 0] ------------------ 408| 13| xorbytes(ctx->buf,p,add_len); 409| | 410| 13| return( 0 ); 411| 13|} mbedtls_gcm_update: 452| 13|{ 453| 13| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ------------------ | | 112| 13|#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E ------------------ 454| 13| const unsigned char *p = input; 455| 13| unsigned char *out_p = output; 456| 13| size_t offset; 457| 13| unsigned char ectr[16]; 458| | 459| 13| if( output_size < input_length ) ------------------ | Branch (459:9): [True: 0, False: 13] ------------------ 460| 0| return( MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL ); ------------------ | | 45| 0|#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL -0x0016 ------------------ 461| 13| GCM_VALIDATE_RET( output_length != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 462| 13| *output_length = input_length; 463| | 464| | /* Exit early if input_length==0 so that we don't do any pointer arithmetic 465| | * on a potentially null pointer. 
466| | * Returning early also means that the last partial block of AD remains 467| | * untouched for mbedtls_gcm_finish */ 468| 13| if( input_length == 0 ) ------------------ | Branch (468:9): [True: 0, False: 13] ------------------ 469| 0| return( 0 ); 470| | 471| 13| GCM_VALIDATE_RET( ctx != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 472| 13| GCM_VALIDATE_RET( input != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 473| 13| GCM_VALIDATE_RET( output != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 474| | 475| 13| if( output > input && (size_t) ( output - input ) < input_length ) ------------------ | Branch (475:9): [True: 6, False: 7] | Branch (475:27): [True: 0, False: 6] ------------------ 476| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 477| | 478| | /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes 479| | * Also check for possible overflow */ 480| 13| if( ctx->len + input_length < ctx->len || ------------------ | Branch (480:9): [True: 0, False: 13] 
------------------ 481| 13| (uint64_t) ctx->len + input_length > 0xFFFFFFFE0ull ) ------------------ | Branch (481:9): [True: 0, False: 13] ------------------ 482| 0| { 483| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 484| 0| } 485| | 486| 13| if( ctx->len == 0 && ctx->add_len % 16 != 0 ) ------------------ | Branch (486:9): [True: 13, False: 0] | Branch (486:26): [True: 13, False: 0] ------------------ 487| 13| { 488| 13| gcm_mult( ctx, ctx->buf, ctx->buf ); 489| 13| } 490| | 491| 13| offset = ctx->len % 16; 492| 13| if( offset != 0 ) ------------------ | Branch (492:9): [True: 0, False: 13] ------------------ 493| 0| { 494| 0| size_t use_len = 16 - offset; 495| 0| if( use_len > input_length ) ------------------ | Branch (495:13): [True: 0, False: 0] ------------------ 496| 0| use_len = input_length; 497| | 498| 0| if( ( ret = gcm_mask( ctx, ectr, offset, use_len, p, out_p ) ) != 0 ) ------------------ | Branch (498:13): [True: 0, False: 0] ------------------ 499| 0| return( ret ); 500| | 501| 0| if( offset + use_len == 16 ) ------------------ | Branch (501:13): [True: 0, False: 0] ------------------ 502| 0| gcm_mult( ctx, ctx->buf, ctx->buf ); 503| | 504| 0| ctx->len += use_len; 505| 0| input_length -= use_len; 506| 0| p += use_len; 507| 0| out_p += use_len; 508| 0| } 509| | 510| 13| ctx->len += input_length; 511| | 512| 188| while( input_length >= 16 ) ------------------ | Branch (512:12): [True: 175, False: 13] ------------------ 513| 175| { 514| 175| gcm_incr( ctx->y ); 515| 175| if( ( ret = gcm_mask( ctx, ectr, 0, 16, p, out_p ) ) != 0 ) ------------------ | Branch (515:13): [True: 0, False: 175] ------------------ 516| 0| return( ret ); 517| | 518| 175| gcm_mult( ctx, ctx->buf, ctx->buf ); 519| | 520| 175| input_length -= 16; 521| 175| p += 16; 522| 175| out_p += 16; 523| 175| } 524| | 525| 13| if( input_length > 0 ) ------------------ | Branch (525:9): [True: 10, False: 3] 
------------------ 526| 10| { 527| 10| gcm_incr( ctx->y ); 528| 10| if( ( ret = gcm_mask( ctx, ectr, 0, input_length, p, out_p ) ) != 0 ) ------------------ | Branch (528:13): [True: 0, False: 10] ------------------ 529| 0| return( ret ); 530| 10| } 531| | 532| 13| return( 0 ); 533| 13|} mbedtls_gcm_finish: 539| 13|{ 540| 13| unsigned char work_buf[16]; 541| 13| uint64_t orig_len; 542| 13| uint64_t orig_add_len; 543| | 544| 13| GCM_VALIDATE_RET( ctx != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 545| 13| GCM_VALIDATE_RET( tag != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 546| | 547| | /* We never pass any output in finish(). The output parameter exists only 548| | * for the sake of alternative implementations. 
*/ 549| 13| (void) output; 550| 13| (void) output_size; 551| 13| *output_length = 0; 552| | 553| 13| orig_len = ctx->len * 8; 554| 13| orig_add_len = ctx->add_len * 8; 555| | 556| 13| if( ctx->len == 0 && ctx->add_len % 16 != 0 ) ------------------ | Branch (556:9): [True: 0, False: 13] | Branch (556:26): [True: 0, False: 0] ------------------ 557| 0| { 558| 0| gcm_mult( ctx, ctx->buf, ctx->buf ); 559| 0| } 560| | 561| 13| if( tag_len > 16 || tag_len < 4 ) ------------------ | Branch (561:9): [True: 0, False: 13] | Branch (561:25): [True: 0, False: 13] ------------------ 562| 0| return( MBEDTLS_ERR_GCM_BAD_INPUT ); ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 563| | 564| 13| if( ctx->len % 16 != 0 ) ------------------ | Branch (564:9): [True: 10, False: 3] ------------------ 565| 10| gcm_mult( ctx, ctx->buf, ctx->buf ); 566| | 567| 13| memcpy( tag, ctx->base_ectr, tag_len ); 568| | 569| 13| if( orig_len || orig_add_len ) ------------------ | Branch (569:9): [True: 13, False: 0] | Branch (569:21): [True: 0, False: 0] ------------------ 570| 13| { 571| 13| MBEDTLS_PUT_UINT64_BE( ( orig_add_len ), work_buf, 0 ); ------------------ | | 93| 13|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 572| 13| MBEDTLS_PUT_UINT64_BE( ( orig_len ), work_buf, 8 ); ------------------ | | 93| 13|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 573| | 574| 13| xorbytes(ctx->buf,work_buf,16); 575| | 576| 13| gcm_mult( ctx, ctx->buf, ctx->buf ); 577| | 578| 13| xorbytes(tag,ctx->buf,tag_len); 579| 13| } 580| | 581| 13| return( 0 ); 582| 13|} mbedtls_gcm_crypt_and_tag: 595| 13|{ 596| 13| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ------------------ | | 112| 13|#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E ------------------ 597| 13| size_t olen; 598| | 599| 13| GCM_VALIDATE_RET( ctx != NULL ); ------------------ | | 33| 13| 
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 600| 13| GCM_VALIDATE_RET( iv != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 601| 13| GCM_VALIDATE_RET( add_len == 0 || add != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 602| 13| GCM_VALIDATE_RET( length == 0 || input != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 603| 13| GCM_VALIDATE_RET( length == 0 || output != NULL ); ------------------ | | 33| 13| MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 604| 13| GCM_VALIDATE_RET( tag != NULL ); ------------------ | | 33| 13| 
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT ) | | ------------------ | | | | 30| 13|#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret ) do { } while( 0 ) | | | | ------------------ | | | | | Branch (30:67): [Folded, False: 13] | | | | ------------------ | | ------------------ ------------------ 605| | 606| 13| if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len ) ) != 0 ) ------------------ | Branch (606:9): [True: 0, False: 13] ------------------ 607| 0| return( ret ); 608| | 609| 13| if( ( ret = mbedtls_gcm_update_ad( ctx, add, add_len ) ) != 0 ) ------------------ | Branch (609:9): [True: 0, False: 13] ------------------ 610| 0| return( ret ); 611| | 612| 13| if( ( ret = mbedtls_gcm_update( ctx, input, length, ------------------ | Branch (612:9): [True: 0, False: 13] ------------------ 613| 13| output, length, &olen ) ) != 0 ) 614| 0| return( ret ); 615| | 616| 13| if( ( ret = mbedtls_gcm_finish( ctx, NULL, 0, &olen, tag, tag_len ) ) != 0 ) ------------------ | Branch (616:9): [True: 0, False: 13] ------------------ 617| 0| return( ret ); 618| | 619| 13| return( 0 ); 620| 13|} mbedtls_gcm_free: 666| 26|{ 667| 26| if( ctx == NULL ) ------------------ | Branch (667:9): [True: 0, False: 26] ------------------ 668| 0| return; 669| | // mbedtls_cipher_free( &ctx->cipher_ctx ); 670| 26|} gcrypt_light.c:gcm_gen_table: 114| 24|{ 115| 24| int ret, i, j; 116| 24| uint64_t hi, lo; 117| 24| uint64_t vl, vh; 118| 24| unsigned char h[16]; 119| 24| size_t olen = 0; 120| | 121| 24| memset( h, 0, 16 ); 122| 24| if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 ) ------------------ | Branch (122:9): [True: 0, False: 24] ------------------ 123| 0| return( ret ); 124| | 125| | /* pack h as two 64-bits ints, big-endian */ 126| 24| hi = MBEDTLS_GET_UINT32_BE( h, 0 ); ------------------ | | 91| 24|#define MBEDTLS_GET_UINT32_BE(b,i) htonl(*(uint32_t *) (&(b)[(i)])) ------------------ 127| 24| lo = MBEDTLS_GET_UINT32_BE( h, 4 ); 
------------------ | | 91| 24|#define MBEDTLS_GET_UINT32_BE(b,i) htonl(*(uint32_t *) (&(b)[(i)])) ------------------ 128| 24| vh = (uint64_t) hi << 32 | lo; 129| | 130| 24| hi = MBEDTLS_GET_UINT32_BE( h, 8 ); ------------------ | | 91| 24|#define MBEDTLS_GET_UINT32_BE(b,i) htonl(*(uint32_t *) (&(b)[(i)])) ------------------ 131| 24| lo = MBEDTLS_GET_UINT32_BE( h, 12 ); ------------------ | | 91| 24|#define MBEDTLS_GET_UINT32_BE(b,i) htonl(*(uint32_t *) (&(b)[(i)])) ------------------ 132| 24| vl = (uint64_t) hi << 32 | lo; 133| | 134| | /* 8 = 1000 corresponds to 1 in GF(2^128) */ 135| 24| ctx->HL[8] = vl; 136| 24| ctx->HH[8] = vh; 137| | 138| 24|#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 139| | /* With CLMUL support, we need only h, not the rest of the table */ 140| 24| if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) { ------------------ | | 31| 24|#define MBEDTLS_AESNI_CLMUL 0x00000002u ------------------ | Branch (140:9): [True: 24, False: 0] ------------------ 141| 24| aes_aesni_has_support = 1; 142| 24| return( 0 ); 143| 24| } 144| 0|#endif 145| | 146| | /* 0 corresponds to 0 in GF(2^128) */ 147| 0| ctx->HH[0] = 0; 148| 0| ctx->HL[0] = 0; 149| | 150| 0| for( i = 4; i > 0; i >>= 1 ) ------------------ | Branch (150:17): [True: 0, False: 0] ------------------ 151| 0| { 152| 0| uint32_t T = ( vl & 1 ) * 0xe1000000U; 153| 0| vl = ( vh << 63 ) | ( vl >> 1 ); 154| 0| vh = ( vh >> 1 ) ^ ( (uint64_t) T << 32); 155| | 156| 0| ctx->HL[i] = vl; 157| 0| ctx->HH[i] = vh; 158| 0| } 159| | 160| 0| for( i = 2; i <= 8; i *= 2 ) ------------------ | Branch (160:17): [True: 0, False: 0] ------------------ 161| 0| { 162| 0| uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i; 163| 0| vh = *HiH; 164| 0| vl = *HiL; 165| 0| for( j = 1; j < i; j++ ) ------------------ | Branch (165:21): [True: 0, False: 0] ------------------ 166| 0| { 167| 0| HiH[j] = vh ^ ctx->HH[j]; 168| 0| HiL[j] = vl ^ ctx->HL[j]; 169| 0| } 170| 0| } 171| | 172| 0| return( 0 ); 173| 24|} 
/*
 * xorbytes: XOR the first n bytes of src into dst, in place.
 * The first loop works one unsigned long at a time while more than
 * LBLOCKSIZE bytes remain; the second loop finishes byte by byte, so the
 * final full word is also handled bytewise.
 * NOTE(review): the word loop reads and writes through casts from
 * unsigned char * to unsigned long *. That assumes both pointers are
 * suitably aligned for unsigned long and may conflict with the effective-type
 * (strict aliasing) rules; a memcpy-based load/store avoids both assumptions.
 * NOTE(review): n is a signed int and is not range-checked here. A negative
 * value skips the word loop and enters while(n), which then counts away from
 * zero while writing through dst, so callers must pass a non-negative length
 * that fits both buffers.
 */
gcrypt_light.c:xorbytes: 43| 62|static void xorbytes( unsigned char *dst, const unsigned char *src, int n) { 44| 114| while(n > LBLOCKSIZE) { ------------------ | | 40| 114|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ | Branch (44:11): [True: 52, False: 62] ------------------ 45| 52| *(unsigned long int *)dst ^= *(const unsigned long int *)src; 46| 52| dst += LBLOCKSIZE; ------------------ | | 40| 52|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 47| 52| src += LBLOCKSIZE; ------------------ | | 40| 52|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 48| 52| n -= LBLOCKSIZE; ------------------ | | 40| 52|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 49| 52| } 50| 518| while(n) { ------------------ | Branch (50:11): [True: 456, False: 62] ------------------ 51| 456| *dst++ ^= *src++; 52| 456| n--; 53| 456| } 54| 62|} gcrypt_light.c:gcm_mult: 231| 234|{ 232| 234| int i = 0; 233| 234| unsigned char lo, hi, rem; 234| 234| uint64_t zh, zl; 235| | 236| 234|#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 237| 234| if( aes_aesni_has_support) { ------------------ | Branch (237:9): [True: 234, False: 0] ------------------ 238| 234| unsigned char h[16]; 239| | 240| 234| MBEDTLS_PUT_UINT64_BE( ctx->HH[8], h, 0 ); ------------------ | | 93| 234|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 241| 234| MBEDTLS_PUT_UINT64_BE( ctx->HL[8], h, 8 ); ------------------ | | 93| 234|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 242| | 243| 234| mbedtls_aesni_gcm_mult( output, x, h ); 244| 234| return; 245| 234| } 246| 0|#endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */ 247| | 248| 0| lo = x[15] & 0xf; 249| | 250| 0| zh = ctx->HH[lo]; 251| 0| zl = ctx->HL[lo]; 252| | 253| 0| for( i = 15; i >= 0; i-- ) ------------------ | Branch (253:18): [True: 0, False: 0] ------------------ 254| 0| { 255| 0| lo = x[i] & 0xf; 256| 0| hi = ( x[i] >> 4 ) & 0xf;
257| | 258| 0| if( i != 15 ) ------------------ | Branch (258:13): [True: 0, False: 0] ------------------ 259| 0| { 260| 0| rem = (unsigned char) zl & 0xf; 261| 0| zl = ( zh << 60 ) | ( zl >> 4 ); 262| 0| zh = ( zh >> 4 ); 263| 0| zh ^= (uint64_t) last4[rem]; 264| 0| zh ^= ctx->HH[lo]; 265| 0| zl ^= ctx->HL[lo]; 266| | 267| 0| } 268| | 269| 0| rem = (unsigned char) zl & 0xf; 270| 0| zl = ( zh << 60 ) | ( zl >> 4 ); 271| 0| zh = ( zh >> 4 ); 272| 0| zh ^= (uint64_t) last4[rem]; 273| 0| zh ^= ctx->HH[hi]; 274| 0| zl ^= ctx->HL[hi]; 275| 0| } 276| 0| MBEDTLS_PUT_UINT64_BE( zh, output, 0 ); ------------------ | | 93| 0|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 277| | MBEDTLS_PUT_UINT64_BE( zl, output, 8 ); ------------------ | | 93| 0|#define MBEDTLS_PUT_UINT64_BE(n,b,i) *(uint64_t *) (&(b)[(i)]) = bswap_64(n); ------------------ 278| 0|}
/*
 * gcm_mask (its signature is not shown in this report): encrypts the counter
 * block ctx->y into ectr with mbedtls_cipher_update(), then processes use_len
 * bytes of input starting at byte offset of ectr, through xorbytes3d() when
 * ctx->mode is MBEDTLS_GCM_DECRYPT and xorbytes3e() otherwise. Both helpers
 * are also handed &ctx->buf[offset]. Returns 0, or the cipher error after
 * clearing ectr.
 * NOTE(review): offset and use_len are not checked here; the accesses stay
 * inside the 16-byte ectr block (and ctx->buf, presumably the same size)
 * only if the caller keeps offset + use_len <= 16.
 * NOTE(review): per the expansion shown under line 436,
 * mbedtls_platform_zeroize is a plain memset in this build. Once this static
 * function is inlined into a caller whose ectr is a local about to go out of
 * scope, a compiler may drop that store; explicit_bzero(), memset_s() or a
 * volatile write loop keeps the wipe of the keystream block.
 */
gcrypt_light.c:gcm_mask: 429| 185|{ 430| 185| size_t olen = 0; 431| 185| int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ------------------ | | 112| 185|#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E ------------------ 432| | 433| 185| if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ectr, ------------------ | Branch (433:9): [True: 0, False: 185] ------------------ 434| 185| &olen ) ) != 0 ) 435| 0| { 436| 0| mbedtls_platform_zeroize( ectr, 16 ); ------------------ | | 33| 0|#define mbedtls_platform_zeroize(a,b) memset(a,0,b) ------------------ 437| 0| return( ret ); 438| 0| } 439| | 440| 185| if(ctx->mode == MBEDTLS_GCM_DECRYPT ) ------------------ | | 38| 185|#define MBEDTLS_GCM_DECRYPT 0 ------------------ | Branch (440:8): [True: 185, False: 0] ------------------ 441| 185| xorbytes3d(output,&ctx->buf[offset],&ectr[offset],input,use_len); 442| 0| else 443| 0| xorbytes3e(output,&ctx->buf[offset],&ectr[offset],input,use_len); 444| | 445| 185| return( 0 ); 446| 185|} gcrypt_light.c:xorbytes3d: 57| 185| const unsigned char *ectr, const unsigned char *input,
int n) { 58| 367| while(n > LBLOCKSIZE) { ------------------ | | 40| 367|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ | Branch (58:11): [True: 182, False: 185] ------------------ 59| 182| *(unsigned long int *)buf ^= *(const unsigned long int *)input; 60| 182| *(unsigned long int *)output = *(const unsigned long int *)input ^ *(const unsigned long int *)ectr; 61| 182| buf += LBLOCKSIZE; ------------------ | | 40| 182|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 62| 182| output += LBLOCKSIZE; ------------------ | | 40| 182|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 63| 182| ectr += LBLOCKSIZE; ------------------ | | 40| 182|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 64| 182| input += LBLOCKSIZE; ------------------ | | 40| 182|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 65| 182| n -= LBLOCKSIZE; ------------------ | | 40| 182|#define LBLOCKSIZE __SIZEOF_LONG__ ------------------ 66| 182| } 67| 1.62k| while(n) { ------------------ | Branch (67:11): [True: 1.44k, False: 185] ------------------ 68| 1.44k| *buf++ ^= *input; 69| 1.44k| *output++ = *input++ ^ *ectr++; 70| 1.44k| n--; 71| 1.44k| } 72| 185|} gcrypt_light.c:gcm_incr: 415| 185|{ 416| 185| size_t i; 417| 185| for( i = 16; i > 12; i-- ) ------------------ | Branch (417:18): [True: 185, False: 0] ------------------ 418| 185| if( ++y[i - 1] != 0 ) ------------------ | Branch (418:13): [True: 185, False: 0] ------------------ 419| 185| break; 420| 185|} gcry_control: 105| 13.9k|int gcry_control (int ctl,int val) { 106| 13.9k| if(ctl == GCRYCTL_INITIALIZATION_FINISHED || ------------------ | | 25| 27.9k|#define GCRYCTL_INITIALIZATION_FINISHED 2 ------------------ | Branch (106:8): [True: 6.99k, False: 6.99k] ------------------ 107| 6.99k| (ctl == 1 && val == 0) /* GCRYCTL_INITIALIZATION_FINISHED_P */) ------------------ | Branch (107:9): [True: 6.99k, False: 0] | Branch (107:21): [True: 6.99k, False: 0] ------------------ 108| 13.9k| return GPG_ERR_NO_ERROR; 
------------------ | | 20| 13.9k|#define GPG_ERR_NO_ERROR 0 ------------------ 109| 0| return MBEDTLS_ERR_NOT_SUPPORT; ------------------ | | 68| 0|#define MBEDTLS_ERR_NOT_SUPPORT 0x50f9 ------------------ 110| 13.9k|}
/*
 * gcry_check_version: returns the fixed string "1.8.6internal"; the argument
 * is ignored.
 */
gcry_check_version: 112| 6.99k|const char *gcry_check_version(void *unused) { 113| 6.99k| return "1.8.6internal"; 114| 6.99k|}
/*
 * gcry_md_open: allocate a zeroed digest handle and store it in *h.
 * Only algo == GCRY_MD_SHA256 together with flags == GCRY_MD_FLAG_HMAC is
 * accepted; anything else returns MBEDTLS_ERR_MD_NOT_SUPPORT. When
 * ndpi_calloc() fails the function returns MBEDTLS_ERR_MD_ALLOC_FAILED and
 * leaves *h unwritten, so callers must check the return value before using
 * *h.
 */
gcry_md_open: 116| 146|gcry_error_t gcry_md_open(gcry_md_hd_t *h,int algo,int flags) { 117| 146| gcry_md_hd_t ctx; 118| 146| if(!(algo == GCRY_MD_SHA256 && flags == GCRY_MD_FLAG_HMAC)) return MBEDTLS_ERR_MD_NOT_SUPPORT; ------------------ | | 18| 292|#define GCRY_MD_SHA256 8 ------------------ if(!(algo == GCRY_MD_SHA256 && flags == GCRY_MD_FLAG_HMAC)) return MBEDTLS_ERR_MD_NOT_SUPPORT; ------------------ | | 19| 146|#define GCRY_MD_FLAG_HMAC 2 ------------------ if(!(algo == GCRY_MD_SHA256 && flags == GCRY_MD_FLAG_HMAC)) return MBEDTLS_ERR_MD_NOT_SUPPORT; ------------------ | | 60| 0|#define MBEDTLS_ERR_MD_NOT_SUPPORT 0x50f1 ------------------ | Branch (118:10): [True: 146, False: 0] | Branch (118:36): [True: 146, False: 0] ------------------ 119| 146| ctx = (gcry_md_hd_t)ndpi_calloc(1,sizeof(struct gcry_md_hd)); 120| 146| if(!ctx) return MBEDTLS_ERR_MD_ALLOC_FAILED; ------------------ | | 59| 2|#define MBEDTLS_ERR_MD_ALLOC_FAILED 0x50f0 ------------------ | Branch (120:8): [True: 2, False: 144] ------------------ 121| 144| *h = ctx; 122| 144| return GPG_ERR_NO_ERROR; ------------------ | | 20| 144|#define GPG_ERR_NO_ERROR 0 ------------------ 123| 146|}
/*
 * gcry_md_close: release the handle; NULL is accepted.
 * NOTE(review): the handle is freed without being cleared first, although
 * gcry_md_setkey() copies the HMAC key into h->key. Wiping the structure
 * with a call the compiler cannot elide before ndpi_free() would keep key
 * bytes out of freed heap memory.
 */
gcry_md_close: 125| 144|void gcry_md_close(gcry_md_hd_t h) { 126| 144| if(h) ndpi_free(h); ------------------ | Branch (126:8): [True: 144, False: 0] ------------------ 127| 144|}
/*
 * gcry_md_reset: zero the whole handle structure.
 * This clears every field of *h, including the key and key_len stored by
 * gcry_md_setkey(), so the key has to be set again before gcry_md_read();
 * otherwise hmac_sha256() is called with a zero-length key.
 * NOTE(review): h is written through without a NULL check, unlike
 * gcry_md_close().
 */
gcry_md_reset: 129| 109|void gcry_md_reset(gcry_md_hd_t h) { 130| 109| memset((char *)h, 0, sizeof(*h)); 131| 109|}
/*
 * gcry_md_setkey: copy the HMAC key into the handle. A handle whose key_len
 * is already non-zero is refused with MBEDTLS_ERR_MD_REKEY.
 * NOTE(review): a key longer than sizeof(h->key) is truncated to that size
 * and success is still returned. HMAC as specified hashes an over-long key
 * rather than cutting it, so if such keys can reach this function the result
 * would differ from a standard HMAC-SHA256; returning an error for them
 * would make the limit visible to callers. The size of h->key is not shown
 * here - confirm.
 */
gcry_md_setkey: 133| 144|gcry_error_t gcry_md_setkey(gcry_md_hd_t h,const uint8_t *key,size_t key_len) { 134| 144| if(h->key_len) return MBEDTLS_ERR_MD_REKEY; ------------------ | |
61| 0|#define MBEDTLS_ERR_MD_REKEY 0x50f2 ------------------ | Branch (134:8): [True: 0, False: 144] ------------------ 135| 144| h->key_len = key_len <= sizeof(h->key) ? key_len : sizeof(h->key); ------------------ | Branch (135:18): [True: 144, False: 0] ------------------ 136| 144| if(h->key_len > 0) ------------------ | Branch (136:8): [True: 144, False: 0] ------------------ 137| 144| memcpy(h->key,key,h->key_len); 138| 144| return GPG_ERR_NO_ERROR; ------------------ | | 20| 144|#define GPG_ERR_NO_ERROR 0 ------------------ 139| 144|}
/*
 * gcry_md_write: append data_len bytes to the handle's data_buf. Nothing is
 * hashed here; gcry_md_read() runs hmac_sha256() over the buffered bytes.
 * Returns MBEDTLS_ERR_MD_DATA_TOO_BIG when the running total would exceed
 * GCRY_MD_BUFF_SIZE (256 in this build).
 * NOTE(review): the limit is tested as h->data_len + data_len. If that sum
 * is computed in size_t, a data_len close to SIZE_MAX wraps it below the
 * limit and the memcpy() then runs with the oversized length. The
 * subtraction form `data_len > GCRY_MD_BUFF_SIZE - h->data_len` cannot wrap
 * while h->data_len <= GCRY_MD_BUFF_SIZE. The type of h->data_len is not
 * shown here - confirm.
 */
gcry_md_write: 141| 253|gcry_error_t gcry_md_write(gcry_md_hd_t h,const uint8_t *data,size_t data_len) { 142| 253| if(h->data_len + data_len > GCRY_MD_BUFF_SIZE) return MBEDTLS_ERR_MD_DATA_TOO_BIG; ------------------ | | 11| 253|#define GCRY_MD_BUFF_SIZE 256 ------------------ if(h->data_len + data_len > GCRY_MD_BUFF_SIZE) return MBEDTLS_ERR_MD_DATA_TOO_BIG; ------------------ | | 62| 0|#define MBEDTLS_ERR_MD_DATA_TOO_BIG 0x50f3 ------------------ | Branch (142:8): [True: 0, False: 253] ------------------ 143| 253| if(data_len > 0) ------------------ | Branch (143:8): [True: 253, False: 0] ------------------ 144| 253| memcpy(&h->data_buf[h->data_len],data,data_len); 145| 253| h->data_len += data_len; 146| 253| return GPG_ERR_NO_ERROR; ------------------ | | 20| 253|#define GPG_ERR_NO_ERROR 0 ------------------ 147| 253|}
/*
 * gcry_md_get_algo_dlen: digest length in bytes for algo, which is
 * HMAC_SHA256_DIGEST_SIZE for GCRY_MD_SHA256 and 0 for any other value.
 */
gcry_md_get_algo_dlen: 149| 202|size_t gcry_md_get_algo_dlen(int algo) { 150| 202| return algo == GCRY_MD_SHA256 ? HMAC_SHA256_DIGEST_SIZE:0; ------------------ | | 18| 202|#define GCRY_MD_SHA256 8 ------------------ return algo == GCRY_MD_SHA256 ? HMAC_SHA256_DIGEST_SIZE:0; ------------------ | | 11| 202|#define HMAC_SHA256_DIGEST_SIZE 32 /* Same as SHA-256's output size.
*/ ------------------ | Branch (150:12): [True: 202, False: 0] ------------------ 151| 202|} gcry_md_read: 157| 144|uint8_t *gcry_md_read(gcry_md_hd_t h, int flag) { 158| 144| hmac_sha256(h->out,h->data_buf,h->data_len,h->key,h->key_len); 159| 144| return h->out; 160| 144|} gcry_cipher_open: 174| 60| int algo, int mode, unsigned int flags) { 175| | 176| 60|struct gcry_cipher_hd *r = 0; 177| 60|size_t s_len = ROUND_SIZE8(sizeof(struct gcry_cipher_hd));; ------------------ | | 171| 60|#define ROUND_SIZE8(a) (((a)+7UL) & ~7UL) ------------------ 178| | 179| 60| if(flags || algo != GCRY_CIPHER_AES128) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 13| 60|#define GCRY_CIPHER_AES128 7 ------------------ if(flags || algo != GCRY_CIPHER_AES128) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ | Branch (179:8): [True: 0, False: 60] | Branch (179:17): [True: 0, False: 60] ------------------ 180| | 181| 60| switch(mode) { 182| 32| case GCRY_CIPHER_MODE_ECB: ------------------ | | 15| 32|#define GCRY_CIPHER_MODE_ECB 1 ------------------ | Branch (182:9): [True: 32, False: 28] ------------------ 183| 32| r = (struct gcry_cipher_hd *)ndpi_calloc(1,s_len + sizeof(mbedtls_aes_context)); 184| 32| if(!r) return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; ------------------ | | 55| 1|#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED -0x6180 ------------------ | Branch (184:16): [True: 1, False: 31] ------------------ 185| 31| r->ctx.ecb = (mbedtls_aes_context *)(r+1); 186| 31| mbedtls_aes_init(r->ctx.ecb); 187| 31| break; 188| 28| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 28|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (188:9): [True: 28, False: 32] ------------------ 189| 28| { 190| 28| size_t aes_ctx_size = ROUND_SIZE8(sizeof( mbedtls_aes_context )); ------------------ | | 171| 28|#define ROUND_SIZE8(a) (((a)+7UL) & ~7UL) ------------------ 191| 28| 
size_t gcm_ctx_size = ROUND_SIZE8(sizeof( mbedtls_gcm_context )); ------------------ | | 171| 28|#define ROUND_SIZE8(a) (((a)+7UL) & ~7UL) ------------------ 192| | 193| 28| r = (struct gcry_cipher_hd *)ndpi_calloc(1,s_len + gcm_ctx_size + aes_ctx_size); 194| 28| if(!r) return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; ------------------ | | 55| 2|#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED -0x6180 ------------------ | Branch (194:16): [True: 2, False: 26] ------------------ 195| 26| r->ctx.gcm = (mbedtls_gcm_context *)(r+1); 196| 26| mbedtls_gcm_init(r->ctx.gcm,(void *)(((char *)(r+1)) + gcm_ctx_size)); 197| 26| } 198| 0| break; 199| 0| default: ------------------ | Branch (199:9): [True: 0, False: 60] ------------------ 200| 0| return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ 201| 60| } 202| 57| r->algo = algo; 203| 57| r->mode = mode; 204| 57| *handle = r; 205| 57| return GPG_ERR_NO_ERROR; ------------------ | | 20| 57|#define GPG_ERR_NO_ERROR 0 ------------------ 206| 60|} gcry_cipher_close: 208| 60|void gcry_cipher_close (gcry_cipher_hd_t h) { 209| 60| if(h && !check_valid_algo_mode(h)) { ------------------ | Branch (209:8): [True: 57, False: 3] | Branch (209:13): [True: 57, False: 0] ------------------ 210| 57| switch(h->mode) { ------------------ | Branch (210:16): [True: 57, False: 0] ------------------ 211| 31| case GCRY_CIPHER_MODE_ECB: ------------------ | | 15| 31|#define GCRY_CIPHER_MODE_ECB 1 ------------------ | Branch (211:13): [True: 31, False: 26] ------------------ 212| 31| mbedtls_aes_free(h->ctx.ecb); 213| 31| break; 214| 26| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 26|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (214:9): [True: 26, False: 31] ------------------ 215| 26| mbedtls_gcm_free(h->ctx.gcm); 216| 26| break; 217| 57| } 218| 57| ndpi_free(h); 219| 57| } 220| 60|} gcry_cipher_reset: 226| 14|gcry_error_t gcry_cipher_reset 
(gcry_cipher_hd_t h) { 227| | 228| 14| gcry_error_t err = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 14|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ 229| 14| if(check_valid_algo_mode(h)) return err; ------------------ | Branch (229:8): [True: 0, False: 14] ------------------ 230| 14| h->authlen = 0; h->taglen = 0; h->ivlen = 0; 231| 14| h->s_auth = 0; h->s_iv = 0; h->s_crypt_ok = 0; 232| 14| memset((char *)h->iv,0,sizeof(h->iv)); 233| 14| memset((char *)h->auth,0,sizeof(h->auth)); 234| 14| memset((char *)h->tag,0,sizeof(h->tag)); 235| 14| switch(h->mode) { 236| 0| case GCRY_CIPHER_MODE_ECB: ------------------ | | 15| 0|#define GCRY_CIPHER_MODE_ECB 1 ------------------ | Branch (236:9): [True: 0, False: 14] ------------------ 237| 0| break; 238| 14| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 14|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (238:9): [True: 14, False: 0] ------------------ 239| 14| mbedtls_cipher_reset(&h->ctx.gcm->cipher_ctx); 240| 14| break; 241| 0| default: ------------------ | Branch (241:9): [True: 0, False: 14] ------------------ 242| 0| return err; 243| 14| } 244| 14| return 0; 245| 14|} gcry_cipher_setkey: 248| 52|gcry_error_t gcry_cipher_setkey (gcry_cipher_hd_t h, const void *key, size_t keylen) { 249| 52| gcry_error_t r = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA; ------------------ | | 53| 52|#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 ------------------ 250| 52| if(check_valid_algo_mode(h)) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ | Branch (250:8): [True: 0, False: 52] ------------------ 251| 52| if( h->s_key ) return MBEDTLS_ERR_CIPHER_BAD_KEY; ------------------ | | 63| 0|#define MBEDTLS_ERR_CIPHER_BAD_KEY 0x50f4 ------------------ | Branch (251:9): [True: 0, False: 52] ------------------ 252| 52| if( keylen != gcry_cipher_get_algo_keylen(h->algo)) return 
MBEDTLS_ERR_CIPHER_BAD_KEY; ------------------ | | 63| 0|#define MBEDTLS_ERR_CIPHER_BAD_KEY 0x50f4 ------------------ | Branch (252:9): [True: 0, False: 52] ------------------ 253| 52| switch(h->mode) { ------------------ | Branch (253:12): [True: 52, False: 0] ------------------ 254| 28| case GCRY_CIPHER_MODE_ECB: ------------------ | | 15| 28|#define GCRY_CIPHER_MODE_ECB 1 ------------------ | Branch (254:9): [True: 28, False: 24] ------------------ 255| 28| r = mbedtls_aes_setkey_enc( h->ctx.ecb, (const unsigned char *)key, keylen*8 ); 256| 28| break; 257| 24| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 24|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (257:9): [True: 24, False: 28] ------------------ 258| 24| r = mbedtls_gcm_setkey( h->ctx.gcm, MBEDTLS_CIPHER_ID_AES, (const unsigned char *)key, keylen*8 ); 259| 24| break; 260| 52| } 261| 52| if(!r) { ------------------ | Branch (261:8): [True: 52, False: 0] ------------------ 262| 52| h->s_key = 1; 263| 52| h->keylen = keylen; 264| 52| } 265| 52| return r; 266| 52|} gcry_cipher_setiv: 268| 14|gcry_error_t gcry_cipher_setiv (gcry_cipher_hd_t h, const void *iv, size_t ivlen) { 269| 14| if(check_valid_algo_mode(h)) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ | Branch (269:8): [True: 0, False: 14] ------------------ 270| 14| if(h->s_iv) return MBEDTLS_ERR_CIPHER_BAD_KEY; ------------------ | | 63| 0|#define MBEDTLS_ERR_CIPHER_BAD_KEY 0x50f4 ------------------ | Branch (270:8): [True: 0, False: 14] ------------------ 271| 14| switch(h->mode) { ------------------ | Branch (271:12): [True: 14, False: 0] ------------------ 272| 14| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 14|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (272:9): [True: 14, False: 0] ------------------ 273| 14| if(ivlen != 12) return MBEDTLS_ERR_CIPHER_BAD_KEY; ------------------ | | 63| 0|#define 
MBEDTLS_ERR_CIPHER_BAD_KEY 0x50f4 ------------------ | Branch (273:16): [True: 0, False: 14] ------------------ 274| 14| h->s_iv = 1; 275| 14| h->ivlen = ivlen; 276| 14| memcpy( h->iv, iv, ivlen ); 277| 14| return 0; 278| 14| } 279| 0| return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ 280| 14|}
/*
 * gcry_cipher_authenticate: store the additional authenticated data in the
 * handle. Only GCM handles are accepted, and only while h->s_auth is clear
 * (gcry_cipher_reset() clears it again). An abuflen larger than
 * sizeof(h->auth) is rejected with MBEDTLS_ERR_CIPHER_BAD_KEY before the
 * memcpy(), and a zero abuflen skips the copy, so abuf may be NULL then.
 * The data is only buffered by this function.
 */
gcry_cipher_authenticate: 282| 14|gcry_error_t gcry_cipher_authenticate (gcry_cipher_hd_t h, const void *abuf, size_t abuflen) { 283| 14| if(check_valid_algo_mode(h)) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ | Branch (283:8): [True: 0, False: 14] ------------------ 284| 14| if(h->s_auth) return MBEDTLS_ERR_CIPHER_BAD_KEY; ------------------ | | 63| 0|#define MBEDTLS_ERR_CIPHER_BAD_KEY 0x50f4 ------------------ | Branch (284:8): [True: 0, False: 14] ------------------ 285| 14| switch(h->mode) { ------------------ | Branch (285:12): [True: 14, False: 0] ------------------ 286| 14| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 14|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (286:9): [True: 14, False: 0] ------------------ 287| 14| if(abuflen > sizeof(h->auth)) return MBEDTLS_ERR_CIPHER_BAD_KEY; ------------------ | | 63| 0|#define MBEDTLS_ERR_CIPHER_BAD_KEY 0x50f4 ------------------ | Branch (287:16): [True: 0, False: 14] ------------------ 288| 14| h->s_auth = 1; 289| 14| h->authlen = abuflen; 290| 14| if(abuflen > 0) ------------------ | Branch (290:16): [True: 14, False: 0] ------------------ 291| 14| memcpy(h->auth,abuf,abuflen); 292| 14| return 0; 293| 14| } 294| 0| return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ 295| 14|}
/*
 * gcry_cipher_checktag: compare the caller's tag with h->tag (GCM only).
 * The loop ORs together the XOR of every byte pair and tests the result once
 * afterwards, so the comparison time does not depend on where the tags first
 * differ. The comparison runs only when h->s_crypt_ok is set and taglen
 * equals h->taglen; in every other GCM case MBEDTLS_ERR_GCM_AUTH_FAILED is
 * returned. Output produced by gcry_cipher_decrypt() is unauthenticated
 * until this function returns 0.
 * NOTE(review): taglen is bounded here only through h->taglen; presumably
 * the code that sets h->taglen keeps it within sizeof(h->tag) - confirm.
 */
gcry_cipher_checktag: 297| 13|gcry_error_t gcry_cipher_checktag (gcry_cipher_hd_t h, const void *intag, size_t taglen) { 298|
13| if(check_valid_algo_mode(h)) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ | Branch (298:8): [True: 0, False: 13] ------------------ 299| 13| switch(h->mode) { ------------------ | Branch (299:12): [True: 13, False: 0] ------------------ 300| 13| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 13|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (300:9): [True: 13, False: 0] ------------------ 301| 13| if(h->s_crypt_ok && h->taglen == taglen) { ------------------ | Branch (301:16): [True: 13, False: 0] | Branch (301:33): [True: 13, False: 0] ------------------ 302| 13| size_t i; 303| 13| int diff; 304| 13| const uint8_t *ctag = (const uint8_t *)intag; 305| 221| for( diff = 0, i = 0; i < taglen; i++ ) ------------------ | Branch (305:39): [True: 208, False: 13] ------------------ 306| 208| diff |= ctag[i] ^ h->tag[i]; 307| 13| if(!diff) return 0; ------------------ | Branch (307:20): [True: 0, False: 13] ------------------ 308| 13| } 309| 13| return MBEDTLS_ERR_GCM_AUTH_FAILED; ------------------ | | 41| 13|#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 ------------------ 310| 13| } 311| 0| return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ 312| 13|} gcry_cipher_get_algo_keylen: 314| 109|size_t gcry_cipher_get_algo_keylen (int algo) { 315| 109| switch(algo) { 316| 109| case GCRY_CIPHER_AES128: return 16; ------------------ | | 13| 109|#define GCRY_CIPHER_AES128 7 ------------------ | Branch (316:9): [True: 109, False: 0] ------------------ 317| 0| default: return 0; ------------------ | Branch (317:9): [True: 0, False: 109] ------------------ 318| 109| } 319| 0| return 0; 320| 109|} gcry_cipher_encrypt: 374| 18| const void *in, size_t inlen) { 375| 18| return _gcry_cipher_crypt(h,out,outsize,in,inlen,1); 376| 18|} gcry_cipher_decrypt: 380| 14| const 
void *in, size_t inlen) { 381| 14| return _gcry_cipher_crypt(h,out,outsize,in,inlen,0); 382| 14|} gcrypt_light.c:check_valid_algo_mode: 164| 196|static int check_valid_algo_mode(gcry_cipher_hd_t h) { 165| 196| if(!h) return 1; ------------------ | Branch (165:8): [True: 0, False: 196] ------------------ 166| 196| if(h->algo == GCRY_CIPHER_AES128 && ------------------ | | 13| 392|#define GCRY_CIPHER_AES128 7 ------------------ | Branch (166:8): [True: 196, False: 0] ------------------ 167| 196| (h->mode == GCRY_CIPHER_MODE_ECB || h->mode == GCRY_CIPHER_MODE_GCM)) return 0; ------------------ | | 15| 392|#define GCRY_CIPHER_MODE_ECB 1 ------------------ (h->mode == GCRY_CIPHER_MODE_ECB || h->mode == GCRY_CIPHER_MODE_GCM)) return 0; ------------------ | | 16| 119|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (167:9): [True: 77, False: 119] | Branch (167:44): [True: 119, False: 0] ------------------ 168| 0| return 1; 169| 196|} gcrypt_light.c:_gcry_cipher_crypt: 324| 32| const void *in, size_t inlen,int encrypt) { 325| 32| uint8_t *src = NULL; 326| 32| size_t srclen = 0; 327| 32| gcry_error_t rv = MBEDTLS_ERR_GCM_BAD_INPUT; ------------------ | | 43| 32|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ 328| | 329| 32| if(check_valid_algo_mode(h)) return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE; ------------------ | | 51| 0|#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 ------------------ | Branch (329:8): [True: 0, False: 32] ------------------ 330| 32| if(!inlen && !outsize) return MBEDTLS_ERR_GCM_BAD_INPUT; ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ | Branch (330:8): [True: 32, False: 0] | Branch (330:18): [True: 0, False: 32] ------------------ 331| 32| if(!in && !inlen) { ------------------ | Branch (331:8): [True: 32, False: 0] | Branch (331:15): [True: 32, False: 0] ------------------ 332| 32| src = (uint8_t *)ndpi_malloc(outsize); 333| 32| if(!src) return MBEDTLS_ERR_GCM_ALLOC_FAILED; 
------------------ | | 64| 2|#define MBEDTLS_ERR_GCM_ALLOC_FAILED 0x50f5 ------------------ | Branch (333:12): [True: 2, False: 30] ------------------ 334| 30| srclen = outsize; 335| 30| memcpy(src,out,outsize); 336| 30| } else { 337| 0| if(inlen != outsize) return MBEDTLS_ERR_GCM_BAD_INPUT; ------------------ | | 43| 0|#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 ------------------ | Branch (337:12): [True: 0, False: 0] ------------------ 338| 0| } 339| 30| switch(h->mode) { ------------------ | Branch (339:12): [True: 30, False: 0] ------------------ 340| 17| case GCRY_CIPHER_MODE_ECB: ------------------ | | 15| 17|#define GCRY_CIPHER_MODE_ECB 1 ------------------ | Branch (340:9): [True: 17, False: 13] ------------------ 341| 17| if(!encrypt) return MBEDTLS_ERR_GCM_NOT_SUPPORT; ------------------ | | 65| 0|#define MBEDTLS_ERR_GCM_NOT_SUPPORT 0x50f6 ------------------ | Branch (341:16): [True: 0, False: 17] ------------------ 342| 17| if(!( h->s_key && !h->s_crypt_ok)) return MBEDTLS_ERR_AES_MISSING_KEY; ------------------ | | 67| 0|#define MBEDTLS_ERR_AES_MISSING_KEY 0x50f8 ------------------ | Branch (342:19): [True: 17, False: 0] | Branch (342:31): [True: 17, False: 0] ------------------ 343| 17| rv = mbedtls_aes_crypt_ecb(h->ctx.ecb, MBEDTLS_AES_ENCRYPT, ------------------ | | 46| 17|#define MBEDTLS_AES_ENCRYPT 1 /**< AES encryption. */ ------------------ 344| 17| src ? 
src:(const unsigned char *)in, (unsigned char *)out); ------------------ | Branch (344:25): [True: 17, False: 0] ------------------ 345| 17| break; 346| 13| case GCRY_CIPHER_MODE_GCM: ------------------ | | 16| 13|#define GCRY_CIPHER_MODE_GCM 8 ------------------ | Branch (346:9): [True: 13, False: 17] ------------------ 347| 13| if(encrypt) { ------------------ | Branch (347:16): [True: 0, False: 13] ------------------ 348| 0| ndpi_free(src); 349| 0| return MBEDTLS_ERR_GCM_NOT_SUPPORT; ------------------ | | 65| 0|#define MBEDTLS_ERR_GCM_NOT_SUPPORT 0x50f6 ------------------ 350| 0| } 351| 13| if(!( h->s_key && h->s_auth && h->s_iv && !h->s_crypt_ok)) { ------------------ | Branch (351:19): [True: 13, False: 0] | Branch (351:31): [True: 13, False: 0] | Branch (351:44): [True: 13, False: 0] | Branch (351:55): [True: 13, False: 0] ------------------ 352| 0| ndpi_free(src); 353| 0| return MBEDTLS_ERR_GCM_MISSING_KEY; ------------------ | | 66| 0|#define MBEDTLS_ERR_GCM_MISSING_KEY 0x50f7 ------------------ 354| 0| } 355| 13| h->taglen = 16; 356| 13| rv = mbedtls_gcm_crypt_and_tag(h->ctx.gcm, 357| 13| MBEDTLS_GCM_DECRYPT, ------------------ | | 38| 13|#define MBEDTLS_GCM_DECRYPT 0 ------------------ 358| 13| src ? srclen:outsize, ------------------ | Branch (358:25): [True: 13, False: 0] ------------------ 359| 13| h->iv,h->ivlen, 360| 13| h->auth,h->authlen, 361| 13| src ? 
src:(const unsigned char *)in, (unsigned char *)out, ------------------ | Branch (361:25): [True: 13, False: 0] ------------------ 362| 13| h->taglen, h->tag); 363| 13| break; 364| 30| } 365| 30| if(!rv) h->s_crypt_ok = 1; ------------------ | Branch (365:8): [True: 30, False: 0] ------------------ 366| | 367| 30| if(src) ndpi_free(src); ------------------ | Branch (367:8): [True: 30, False: 0] ------------------ 368| 30| return rv; 369| 30|} libinjection_h5_init: 67| 7.49k|{ 68| 7.49k| memset(hs, 0, sizeof(h5_state_t)); 69| 7.49k| hs->s = s; 70| 7.49k| hs->len = len; 71| | 72| 7.49k| switch (flags) { ------------------ | Branch (72:13): [True: 7.49k, False: 0] ------------------ 73| 1.50k| case DATA_STATE: ------------------ | Branch (73:5): [True: 1.50k, False: 5.98k] ------------------ 74| 1.50k| hs->state = h5_state_data; 75| 1.50k| break; 76| 1.49k| case VALUE_NO_QUOTE: ------------------ | Branch (76:5): [True: 1.49k, False: 5.99k] ------------------ 77| 1.49k| hs->state = h5_state_before_attribute_name; 78| 1.49k| break; 79| 1.49k| case VALUE_SINGLE_QUOTE: ------------------ | Branch (79:5): [True: 1.49k, False: 5.99k] ------------------ 80| 1.49k| hs->state = h5_state_attribute_value_single_quote; 81| 1.49k| break; 82| 1.49k| case VALUE_DOUBLE_QUOTE: ------------------ | Branch (82:5): [True: 1.49k, False: 5.99k] ------------------ 83| 1.49k| hs->state = h5_state_attribute_value_double_quote; 84| 1.49k| break; 85| 1.49k| case VALUE_BACK_QUOTE: ------------------ | Branch (85:5): [True: 1.49k, False: 5.99k] ------------------ 86| 1.49k| hs->state = h5_state_attribute_value_back_quote; 87| 1.49k| break; 88| 7.49k| } 89| 7.49k|} libinjection_h5_next: 95| 43.9k|{ 96| 43.9k| assert(hs->state != NULL); ------------------ | Branch (96:5): [True: 0, False: 43.9k] | Branch (96:5): [True: 43.9k, False: 0] ------------------ 97| 43.9k| return (*hs->state)(hs); 98| 43.9k|} libinjection_html5.c:h5_state_data: 148| 8.94k|{ 149| 8.94k| const char* idx; 150| | 151| 8.94k| 
TRACE(); 152| 8.94k| assert(hs->len >= hs->pos); ------------------ | Branch (152:5): [True: 0, False: 8.94k] | Branch (152:5): [True: 8.94k, False: 0] ------------------ 153| 8.94k| idx = (const char*) memchr(hs->s + hs->pos, CHAR_LT, hs->len - hs->pos); ------------------ | | 22| 8.94k|#define CHAR_LT 60 ------------------ 154| 8.94k| if (idx == NULL) { ------------------ | Branch (154:9): [True: 1.67k, False: 7.27k] ------------------ 155| 1.67k| hs->token_start = hs->s + hs->pos; 156| 1.67k| hs->token_len = hs->len - hs->pos; 157| 1.67k| hs->token_type = DATA_TEXT; 158| 1.67k| hs->state = h5_state_eof; 159| 1.67k| if (hs->token_len == 0) { ------------------ | Branch (159:13): [True: 13, False: 1.66k] ------------------ 160| 13| return 0; 161| 13| } 162| 7.27k| } else { 163| 7.27k| hs->token_start = hs->s + hs->pos; 164| 7.27k| hs->token_type = DATA_TEXT; 165| 7.27k| hs->token_len = (size_t)(idx - hs->s) - hs->pos; 166| 7.27k| hs->pos = (size_t)(idx - hs->s) + 1; 167| 7.27k| hs->state = h5_state_tag_open; 168| 7.27k| if (hs->token_len == 0) { ------------------ | Branch (168:13): [True: 3.87k, False: 3.39k] ------------------ 169| 3.87k| return h5_state_tag_open(hs); 170| 3.87k| } 171| 7.27k| } 172| 5.05k| return 1; 173| 8.94k|} libinjection_html5.c:h5_state_eof: 141| 7.00k|{ 142| | /* eliminate unused function argument warning */ 143| 7.00k| (void)hs; 144| 7.00k| return 0; 145| 7.00k|} libinjection_html5.c:h5_state_tag_open: 179| 7.27k|{ 180| 7.27k| char ch; 181| | 182| 7.27k| TRACE(); 183| 7.27k| if (hs->pos >= hs->len) { ------------------ | Branch (183:9): [True: 12, False: 7.26k] ------------------ 184| 12| return 0; 185| 12| } 186| 7.26k| ch = hs->s[hs->pos]; 187| 7.26k| if (ch == CHAR_BANG) { ------------------ | | 16| 7.26k|#define CHAR_BANG 33 ------------------ | Branch (187:9): [True: 565, False: 6.69k] ------------------ 188| 565| hs->pos += 1; 189| 565| return h5_state_markup_declaration_open(hs); 190| 6.69k| } else if (ch == CHAR_SLASH) { 
------------------ | | 21| 6.69k|#define CHAR_SLASH 47 ------------------ | Branch (190:16): [True: 391, False: 6.30k] ------------------ 191| 391| hs->pos += 1; 192| 391| hs->is_close = 1; 193| 391| return h5_state_end_tag_open(hs); 194| 6.30k| } else if (ch == CHAR_QUESTION) { ------------------ | | 25| 6.30k|#define CHAR_QUESTION 63 ------------------ | Branch (194:16): [True: 150, False: 6.15k] ------------------ 195| 150| hs->pos += 1; 196| 150| return h5_state_bogus_comment(hs); 197| 6.15k| } else if (ch == CHAR_PERCENT) { ------------------ | | 18| 6.15k|#define CHAR_PERCENT 37 ------------------ | Branch (197:16): [True: 0, False: 6.15k] ------------------ 198| | /* this is not in spec.. alternative comment format used 199| | by IE <= 9 and Safari < 4.0.3 */ 200| 0| hs->pos += 1; 201| 0| return h5_state_bogus_comment2(hs); 202| 6.15k| } else if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z')) { ------------------ | Branch (202:17): [True: 552, False: 5.60k] | Branch (202:30): [True: 130, False: 422] | Branch (202:45): [True: 1.10k, False: 4.92k] | Branch (202:58): [True: 578, False: 526] ------------------ 203| 708| return h5_state_tag_name(hs); 204| 5.44k| } else if (ch == CHAR_NULL) { ------------------ | | 15| 5.44k|#define CHAR_NULL 0 ------------------ | Branch (204:16): [True: 0, False: 5.44k] ------------------ 205| | /* IE-ism NULL characters are ignored */ 206| 0| return h5_state_tag_name(hs); 207| 5.44k| } else { 208| | /* user input mistake in configuring state */ 209| 5.44k| if (hs->pos == 0) { ------------------ | Branch (209:13): [True: 0, False: 5.44k] ------------------ 210| 0| return h5_state_data(hs); 211| 0| } 212| 5.44k| hs->token_start = hs->s + hs->pos - 1; 213| 5.44k| hs->token_len = 1; 214| 5.44k| hs->token_type = DATA_TEXT; 215| 5.44k| hs->state = h5_state_data; 216| 5.44k| return 1; 217| 5.44k| } 218| 7.26k|} libinjection_html5.c:h5_state_markup_declaration_open: 683| 565|{ 684| 565| size_t remaining; 685| | 686| 565| 
TRACE(); 687| 565| remaining = hs->len - hs->pos; 688| 565| if (remaining >= 7 && ------------------ | Branch (688:9): [True: 546, False: 19] ------------------ 689| | /* case insensitive */ 690| 546| (hs->s[hs->pos + 0] == 'D' || hs->s[hs->pos + 0] == 'd') && ------------------ | Branch (690:10): [True: 2, False: 544] | Branch (690:39): [True: 6, False: 538] ------------------ 691| 8| (hs->s[hs->pos + 1] == 'O' || hs->s[hs->pos + 1] == 'o') && ------------------ | Branch (691:10): [True: 0, False: 8] | Branch (691:39): [True: 0, False: 8] ------------------ 692| 0| (hs->s[hs->pos + 2] == 'C' || hs->s[hs->pos + 2] == 'c') && ------------------ | Branch (692:10): [True: 0, False: 0] | Branch (692:39): [True: 0, False: 0] ------------------ 693| 0| (hs->s[hs->pos + 3] == 'T' || hs->s[hs->pos + 3] == 't') && ------------------ | Branch (693:10): [True: 0, False: 0] | Branch (693:39): [True: 0, False: 0] ------------------ 694| 0| (hs->s[hs->pos + 4] == 'Y' || hs->s[hs->pos + 4] == 'y') && ------------------ | Branch (694:10): [True: 0, False: 0] | Branch (694:39): [True: 0, False: 0] ------------------ 695| 0| (hs->s[hs->pos + 5] == 'P' || hs->s[hs->pos + 5] == 'p') && ------------------ | Branch (695:10): [True: 0, False: 0] | Branch (695:39): [True: 0, False: 0] ------------------ 696| 0| (hs->s[hs->pos + 6] == 'E' || hs->s[hs->pos + 6] == 'e') ------------------ | Branch (696:10): [True: 0, False: 0] | Branch (696:39): [True: 0, False: 0] ------------------ 697| 565| ) { 698| 0| return h5_state_doctype(hs); 699| 565| } else if (remaining >= 7 && ------------------ | Branch (699:16): [True: 546, False: 19] ------------------ 700| | /* upper case required */ 701| 546| hs->s[hs->pos + 0] == '[' && ------------------ | Branch (701:16): [True: 0, False: 546] ------------------ 702| 0| hs->s[hs->pos + 1] == 'C' && ------------------ | Branch (702:16): [True: 0, False: 0] ------------------ 703| 0| hs->s[hs->pos + 2] == 'D' && ------------------ | Branch (703:16): [True: 
0, False: 0] ------------------ 704| 0| hs->s[hs->pos + 3] == 'A' && ------------------ | Branch (704:16): [True: 0, False: 0] ------------------ 705| 0| hs->s[hs->pos + 4] == 'T' && ------------------ | Branch (705:16): [True: 0, False: 0] ------------------ 706| 0| hs->s[hs->pos + 5] == 'A' && ------------------ | Branch (706:16): [True: 0, False: 0] ------------------ 707| 0| hs->s[hs->pos + 6] == '[' ------------------ | Branch (707:16): [True: 0, False: 0] ------------------ 708| 565| ) { 709| 0| hs->pos += 7; 710| 0| return h5_state_cdata(hs); 711| 565| } else if (remaining >= 2 && ------------------ | Branch (711:16): [True: 559, False: 6] ------------------ 712| 559| hs->s[hs->pos + 0] == '-' && ------------------ | Branch (712:16): [True: 342, False: 217] ------------------ 713| 342| hs->s[hs->pos + 1] == '-') { ------------------ | Branch (713:16): [True: 315, False: 27] ------------------ 714| 315| hs->pos += 2; 715| 315| return h5_state_comment(hs); 716| 315| } 717| | 718| 250| return h5_state_bogus_comment(hs); 719| 565|} libinjection_html5.c:h5_state_comment: 733| 315|{ 734| 315| char ch; 735| 315| const char* idx; 736| 315| size_t pos; 737| 315| size_t offset; 738| 315| const char* end = hs->s + hs->len; 739| | 740| 315| TRACE(); 741| 315| pos = hs->pos; 742| 2.21k| while (1) { ------------------ | Branch (742:12): [True: 2.21k, Folded] ------------------ 743| | 744| 2.21k| idx = (const char*) memchr(hs->s + pos, CHAR_DASH, hs->len - pos); ------------------ | | 20| 2.21k|#define CHAR_DASH 45 ------------------ 745| | 746| | /* did not find anything or has less than 3 chars left */ 747| 2.21k| if (idx == NULL || idx > hs->s + hs->len - 3) { ------------------ | Branch (747:13): [True: 37, False: 2.18k] | Branch (747:28): [True: 18, False: 2.16k] ------------------ 748| 55| hs->state = h5_state_eof; 749| 55| hs->token_start = hs->s + hs->pos; 750| 55| hs->token_len = hs->len - hs->pos; 751| 55| hs->token_type = TAG_COMMENT; 752| 55| return 1; 753| 55| 
} 754| 2.16k| offset = 1; 755| | 756| | /* skip all nulls */ 757| 2.16k| while (idx + offset < end && *(idx + offset) == 0) { ------------------ | Branch (757:16): [True: 2.16k, False: 0] | Branch (757:38): [True: 0, False: 2.16k] ------------------ 758| 0| offset += 1; 759| 0| } 760| 2.16k| if (idx + offset == end) { ------------------ | Branch (760:13): [True: 0, False: 2.16k] ------------------ 761| 0| hs->state = h5_state_eof; 762| 0| hs->token_start = hs->s + hs->pos; 763| 0| hs->token_len = hs->len - hs->pos; 764| 0| hs->token_type = TAG_COMMENT; 765| 0| return 1; 766| 0| } 767| | 768| 2.16k| ch = *(idx + offset); 769| 2.16k| if (ch != CHAR_DASH && ch != CHAR_BANG) { ------------------ | | 20| 4.32k|#define CHAR_DASH 45 ------------------ if (ch != CHAR_DASH && ch != CHAR_BANG) { ------------------ | | 16| 386|#define CHAR_BANG 33 ------------------ | Branch (769:13): [True: 386, False: 1.77k] | Branch (769:32): [True: 380, False: 6] ------------------ 770| 380| pos = (size_t)(idx - hs->s) + 1; 771| 380| continue; 772| 380| } 773| | 774| | /* need to test */ 775| |#if 0 776| | /* skip all nulls */ 777| | while (idx + offset < end && *(idx + offset) == 0) { 778| | offset += 1; 779| | } 780| | if (idx + offset == end) { 781| | hs->state = h5_state_eof; 782| | hs->token_start = hs->s + hs->pos; 783| | hs->token_len = hs->len - hs->pos; 784| | hs->token_type = TAG_COMMENT; 785| | return 1; 786| | } 787| |#endif 788| | 789| 1.78k| offset += 1; 790| 1.78k| if (idx + offset == end) { ------------------ | Branch (790:13): [True: 0, False: 1.78k] ------------------ 791| 0| hs->state = h5_state_eof; 792| 0| hs->token_start = hs->s + hs->pos; 793| 0| hs->token_len = hs->len - hs->pos; 794| 0| hs->token_type = TAG_COMMENT; 795| 0| return 1; 796| 0| } 797| | 798| | 799| 1.78k| ch = *(idx + offset); 800| 1.78k| if (ch != CHAR_GT) { ------------------ | | 24| 1.78k|#define CHAR_GT 62 ------------------ | Branch (800:13): [True: 1.52k, False: 260] ------------------ 801| 
1.52k| pos = (size_t)(idx - hs->s) + 1; 802| 1.52k| continue; 803| 1.52k| } 804| 260| offset += 1; 805| | 806| | /* ends in --> or -!> */ 807| 260| hs->token_start = hs->s + hs->pos; 808| 260| hs->token_len = (size_t)(idx - hs->s) - hs->pos; 809| 260| hs->pos = (size_t)(idx + offset - hs->s); 810| 260| hs->state = h5_state_data; 811| 260| hs->token_type = TAG_COMMENT; 812| 260| return 1; 813| 1.78k| } 814| 315|} libinjection_html5.c:h5_state_end_tag_open: 223| 391|{ 224| 391| char ch; 225| | 226| 391| TRACE(); 227| | 228| 391| if (hs->pos >= hs->len) { ------------------ | Branch (228:9): [True: 6, False: 385] ------------------ 229| 6| return 0; 230| 6| } 231| 385| ch = hs->s[hs->pos]; 232| 385| if (ch == CHAR_GT) { ------------------ | | 24| 385|#define CHAR_GT 62 ------------------ | Branch (232:9): [True: 2, False: 383] ------------------ 233| 2| return h5_state_data(hs); 234| 383| } else if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z')) { ------------------ | Branch (234:17): [True: 341, False: 42] | Branch (234:30): [True: 301, False: 40] | Branch (234:45): [True: 45, False: 37] | Branch (234:58): [True: 5, False: 40] ------------------ 235| 306| return h5_state_tag_name(hs); 236| 306| } 237| | 238| 77| hs->is_close = 0; 239| 77| return h5_state_bogus_comment(hs); 240| 385|} libinjection_html5.c:h5_state_bogus_comment: 622| 477|{ 623| 477| const char* idx; 624| | 625| 477| TRACE(); 626| 477| idx = (const char*) memchr(hs->s + hs->pos, CHAR_GT, hs->len - hs->pos); ------------------ | | 24| 477|#define CHAR_GT 62 ------------------ 627| 477| if (idx == NULL) { ------------------ | Branch (627:9): [True: 167, False: 310] ------------------ 628| 167| hs->token_start = hs->s + hs->pos; 629| 167| hs->token_len = hs->len - hs->pos; 630| 167| hs->pos = hs->len; 631| 167| hs->state = h5_state_eof; 632| 310| } else { 633| 310| hs->token_start = hs->s + hs->pos; 634| 310| hs->token_len = (size_t)(idx - hs->s) - hs->pos; 635| 310| hs->pos = (size_t)(idx - hs->s) 
+ 1; 636| 310| hs->state = h5_state_data; 637| 310| } 638| | 639| 477| hs->token_type = TAG_COMMENT; 640| 477| return 1; 641| 477|} libinjection_html5.c:h5_state_tag_name: 265| 1.01k|{ 266| 1.01k| char ch; 267| 1.01k| size_t pos; 268| | 269| 1.01k| TRACE(); 270| 1.01k| pos = hs->pos; 271| 17.2k| while (pos < hs->len) { ------------------ | Branch (271:12): [True: 16.9k, False: 293] ------------------ 272| 16.9k| ch = hs->s[pos]; 273| 16.9k| if (ch == 0) { ------------------ | Branch (273:13): [True: 0, False: 16.9k] ------------------ 274| | /* special non-standard case */ 275| | /* allow nulls in tag name */ 276| | /* some old browsers apparently allow and ignore them */ 277| 0| pos += 1; 278| 16.9k| } else if (h5_is_white(ch)) { ------------------ | Branch (278:20): [True: 495, False: 16.4k] ------------------ 279| 495| hs->token_start = hs->s + hs->pos; 280| 495| hs->token_len = pos - hs->pos; 281| 495| hs->token_type = TAG_NAME_OPEN; 282| 495| hs->pos = pos + 1; 283| 495| hs->state = h5_state_before_attribute_name; 284| 495| return 1; 285| 16.4k| } else if (ch == CHAR_SLASH) { ------------------ | | 21| 16.4k|#define CHAR_SLASH 47 ------------------ | Branch (285:20): [True: 56, False: 16.3k] ------------------ 286| 56| hs->token_start = hs->s + hs->pos; 287| 56| hs->token_len = pos - hs->pos; 288| 56| hs->token_type = TAG_NAME_OPEN; 289| 56| hs->pos = pos + 1; 290| 56| hs->state = h5_state_self_closing_start_tag; 291| 56| return 1; 292| 16.3k| } else if (ch == CHAR_GT) { ------------------ | | 24| 16.3k|#define CHAR_GT 62 ------------------ | Branch (292:20): [True: 170, False: 16.2k] ------------------ 293| 170| hs->token_start = hs->s + hs->pos; 294| 170| hs->token_len = pos - hs->pos; 295| 170| if (hs->is_close) { ------------------ | Branch (295:17): [True: 30, False: 140] ------------------ 296| 30| hs->pos = pos + 1; 297| 30| hs->is_close = 0; 298| 30| hs->token_type = TAG_CLOSE; 299| 30| hs->state = h5_state_data; 300| 140| } else { 301| 140| hs->pos = 
pos; 302| 140| hs->token_type = TAG_NAME_OPEN; 303| 140| hs->state = h5_state_tag_name_close; 304| 140| } 305| 170| return 1; 306| 16.2k| } else { 307| 16.2k| pos += 1; 308| 16.2k| } 309| 16.9k| } 310| | 311| 293| hs->token_start = hs->s + hs->pos; 312| 293| hs->token_len = hs->len - hs->pos; 313| 293| hs->token_type = TAG_NAME_OPEN; 314| 293| hs->state = h5_state_eof; 315| 293| return 1; 316| 1.01k|} libinjection_html5.c:h5_is_white: 107| 245k|{ 108| | /* 109| | * \t = horizontal tab = 0x09 110| | * \n = newline = 0x0A 111| | * \v = vertical tab = 0x0B 112| | * \f = form feed = 0x0C 113| | * \r = cr = 0x0D 114| | */ 115| | return strchr(" \t\n\v\f\r", ch) != NULL; 116| 245k|} libinjection_html5.c:h5_state_self_closing_start_tag: 597| 3.52k|{ 598| 3.52k| char ch; 599| | 600| 3.52k| TRACE(); 601| 3.52k| if (hs->pos >= hs->len) { ------------------ | Branch (601:9): [True: 77, False: 3.45k] ------------------ 602| 77| return 0; 603| 77| } 604| 3.45k| ch = hs->s[hs->pos]; 605| 3.45k| if (ch == CHAR_GT) { ------------------ | | 24| 3.45k|#define CHAR_GT 62 ------------------ | Branch (605:9): [True: 172, False: 3.28k] ------------------ 606| 172| assert(hs->pos > 0); ------------------ | Branch (606:9): [True: 0, False: 172] | Branch (606:9): [True: 172, False: 0] ------------------ 607| 172| hs->token_start = hs->s + hs->pos -1; 608| 172| hs->token_len = 2; 609| 172| hs->token_type = TAG_NAME_SELFCLOSE; 610| 172| hs->state = h5_state_data; 611| 172| hs->pos += 1; 612| 172| return 1; 613| 3.28k| } else { 614| 3.28k| return h5_state_before_attribute_name(hs); 615| 3.28k| } 616| 3.45k|} libinjection_html5.c:h5_state_tag_name_close: 245| 1.21k|{ 246| 1.21k| TRACE(); 247| 1.21k| hs->is_close = 0; 248| 1.21k| hs->token_start = hs->s + hs->pos; 249| 1.21k| hs->token_len = 1; 250| 1.21k| hs->token_type = TAG_NAME_CLOSE; 251| 1.21k| hs->pos += 1; 252| 1.21k| if (hs->pos < hs->len) { ------------------ | Branch (252:9): [True: 1.19k, False: 11] ------------------ 253| 1.19k| 
hs->state = h5_state_data; 254| 1.19k| } else { 255| 11| hs->state = h5_state_eof; 256| 11| } 257| | 258| 1.21k| return 1; 259| 1.21k|} libinjection_html5.c:h5_state_before_attribute_name: 322| 8.28k|{ 323| 8.28k| int ch; 324| | 325| 8.28k| TRACE(); 326| | 327| | /* for manual tail call optimization, see comment below */ 328| 10.4k| tail_call:; 329| | 330| 10.4k| ch = h5_skip_white(hs); 331| 10.4k| switch (ch) { 332| 61| case CHAR_EOF: { ------------------ | | 14| 61|#define CHAR_EOF -1 ------------------ | Branch (332:5): [True: 61, False: 10.4k] ------------------ 333| 61| return 0; 334| 0| } 335| 2.25k| case CHAR_SLASH: { ------------------ | | 21| 2.25k|#define CHAR_SLASH 47 ------------------ | Branch (335:5): [True: 2.25k, False: 8.23k] ------------------ 336| 2.25k| hs->pos += 1; 337| | /* Logically, We want to call h5_state_self_closing_start_tag(hs) here. 338| | 339| | As this function may call us back and the compiler 340| | might not implement automatic tail call optimization, 341| | this might result in a deep recursion. 342| | 343| | We detect this case here and start over with the current state. 
344| | */ 345| | 346| 2.25k| if (hs->pos < hs->len && hs->s[hs->pos] != CHAR_GT) { ------------------ | | 24| 2.21k|#define CHAR_GT 62 ------------------ | Branch (346:13): [True: 2.21k, False: 38] | Branch (346:34): [True: 2.21k, False: 8] ------------------ 347| 2.21k| goto tail_call; 348| 2.21k| } 349| 46| return h5_state_self_closing_start_tag(hs); 350| 2.25k| } 351| 24| case CHAR_GT: { ------------------ | | 24| 24|#define CHAR_GT 62 ------------------ | Branch (351:5): [True: 24, False: 10.4k] ------------------ 352| 24| hs->state = h5_state_data; 353| 24| hs->token_start = hs->s + hs->pos; 354| 24| hs->token_len = 1; 355| 24| hs->token_type = TAG_NAME_CLOSE; 356| 24| hs->pos += 1; 357| 24| return 1; 358| 2.25k| } 359| 8.15k| default: { ------------------ | Branch (359:5): [True: 8.15k, False: 2.34k] ------------------ 360| 8.15k| return h5_state_attribute_name(hs); 361| 2.25k| } 362| 10.4k| } 363| 10.4k|} libinjection_html5.c:h5_skip_white: 119| 22.4k|{ 120| 22.4k| char ch; 121| 45.5k| while (hs->pos < hs->len) { ------------------ | Branch (121:12): [True: 45.2k, False: 303] ------------------ 122| 45.2k| ch = hs->s[hs->pos]; 123| 45.2k| switch (ch) { 124| 0| case 0x00: /* IE only */ ------------------ | Branch (124:9): [True: 0, False: 45.2k] ------------------ 125| 15.7k| case 0x20: ------------------ | Branch (125:9): [True: 15.7k, False: 29.4k] ------------------ 126| 16.7k| case 0x09: ------------------ | Branch (126:9): [True: 989, False: 44.2k] ------------------ 127| 18.7k| case 0x0A: ------------------ | Branch (127:9): [True: 1.93k, False: 43.2k] ------------------ 128| 19.0k| case 0x0B: /* IE only */ ------------------ | Branch (128:9): [True: 308, False: 44.8k] ------------------ 129| 22.3k| case 0x0C: ------------------ | Branch (129:9): [True: 3.37k, False: 41.8k] ------------------ 130| 23.0k| case 0x0D: /* IE only */ ------------------ | Branch (130:9): [True: 695, False: 44.5k] ------------------ 131| 23.0k| hs->pos += 1; 132| 23.0k| break; 
133| 22.1k| default: ------------------ | Branch (133:9): [True: 22.1k, False: 23.0k] ------------------ 134| 22.1k| return ch; 135| 45.2k| } 136| 45.2k| } 137| 303| return CHAR_EOF; ------------------ | | 14| 303|#define CHAR_EOF -1 ------------------ 138| 22.4k|} libinjection_html5.c:h5_state_attribute_name: 366| 15.8k|{ 367| 15.8k| char ch; 368| 15.8k| size_t pos; 369| | 370| 15.8k| TRACE(); 371| 15.8k| pos = hs->pos + 1; 372| 181k| while (pos < hs->len) { ------------------ | Branch (372:12): [True: 180k, False: 1.11k] ------------------ 373| 180k| ch = hs->s[pos]; 374| 180k| if (h5_is_white(ch)) { ------------------ | Branch (374:13): [True: 9.51k, False: 170k] ------------------ 375| 9.51k| hs->token_start = hs->s + hs->pos; 376| 9.51k| hs->token_len = pos - hs->pos; 377| 9.51k| hs->token_type = ATTR_NAME; 378| 9.51k| hs->state = h5_state_after_attribute_name; 379| 9.51k| hs->pos = pos + 1; 380| 9.51k| return 1; 381| 170k| } else if (ch == CHAR_SLASH) { ------------------ | | 21| 170k|#define CHAR_SLASH 47 ------------------ | Branch (381:20): [True: 2.30k, False: 168k] ------------------ 382| 2.30k| hs->token_start = hs->s + hs->pos; 383| 2.30k| hs->token_len = pos - hs->pos; 384| 2.30k| hs->token_type = ATTR_NAME; 385| 2.30k| hs->state = h5_state_self_closing_start_tag; 386| 2.30k| hs->pos = pos + 1; 387| 2.30k| return 1; 388| 168k| } else if (ch == CHAR_EQUALS) { ------------------ | | 23| 168k|#define CHAR_EQUALS 61 ------------------ | Branch (388:20): [True: 1.97k, False: 166k] ------------------ 389| 1.97k| hs->token_start = hs->s + hs->pos; 390| 1.97k| hs->token_len = pos - hs->pos; 391| 1.97k| hs->token_type = ATTR_NAME; 392| 1.97k| hs->state = h5_state_before_attribute_value; 393| 1.97k| hs->pos = pos + 1; 394| 1.97k| return 1; 395| 166k| } else if (ch == CHAR_GT) { ------------------ | | 24| 166k|#define CHAR_GT 62 ------------------ | Branch (395:20): [True: 973, False: 165k] ------------------ 396| 973| hs->token_start = hs->s + hs->pos; 397| 
973| hs->token_len = pos - hs->pos; 398| 973| hs->token_type = ATTR_NAME; 399| 973| hs->state = h5_state_tag_name_close; 400| 973| hs->pos = pos; 401| 973| return 1; 402| 165k| } else { 403| 165k| pos += 1; 404| 165k| } 405| 180k| } 406| | /* EOF */ 407| 1.11k| hs->token_start = hs->s + hs->pos; 408| 1.11k| hs->token_len = hs->len - hs->pos; 409| 1.11k| hs->token_type = ATTR_NAME; 410| 1.11k| hs->state = h5_state_eof; 411| 1.11k| hs->pos = hs->len; 412| 1.11k| return 1; 413| 15.8k|} libinjection_html5.c:h5_state_after_attribute_name: 419| 9.51k|{ 420| 9.51k| int c; 421| | 422| 9.51k| TRACE(); 423| 9.51k| c = h5_skip_white(hs); 424| 9.51k| switch (c) { 425| 269| case CHAR_EOF: { ------------------ | | 14| 269|#define CHAR_EOF -1 ------------------ | Branch (425:5): [True: 269, False: 9.24k] ------------------ 426| 269| return 0; 427| 0| } 428| 1.07k| case CHAR_SLASH: { ------------------ | | 21| 1.07k|#define CHAR_SLASH 47 ------------------ | Branch (428:5): [True: 1.07k, False: 8.44k] ------------------ 429| 1.07k| hs->pos += 1; 430| 1.07k| return h5_state_self_closing_start_tag(hs); 431| 0| } 432| 435| case CHAR_EQUALS: { ------------------ | | 23| 435|#define CHAR_EQUALS 61 ------------------ | Branch (432:5): [True: 435, False: 9.08k] ------------------ 433| 435| hs->pos += 1; 434| 435| return h5_state_before_attribute_value(hs); 435| 0| } 436| 12| case CHAR_GT: { ------------------ | | 24| 12|#define CHAR_GT 62 ------------------ | Branch (436:5): [True: 12, False: 9.50k] ------------------ 437| 12| return h5_state_tag_name_close(hs); 438| 0| } 439| 7.72k| default: { ------------------ | Branch (439:5): [True: 7.72k, False: 1.79k] ------------------ 440| 7.72k| return h5_state_attribute_name(hs); 441| 0| } 442| 9.51k| } 443| 9.51k|} libinjection_html5.c:h5_state_before_attribute_value: 449| 2.40k|{ 450| 2.40k| int c; 451| 2.40k| TRACE(); 452| | 453| 2.40k| c = h5_skip_white(hs); 454| | 455| 2.40k| if (c == CHAR_EOF) { ------------------ | | 14| 2.40k|#define 
CHAR_EOF -1 ------------------ | Branch (455:9): [True: 29, False: 2.37k] ------------------ 456| 29| hs->state = h5_state_eof; 457| 29| return 0; 458| 29| } 459| | 460| 2.37k| if (c == CHAR_DOUBLE) { ------------------ | | 17| 2.37k|#define CHAR_DOUBLE 34 ------------------ | Branch (460:9): [True: 54, False: 2.32k] ------------------ 461| 54| return h5_state_attribute_value_double_quote(hs); 462| 2.32k| } else if (c == CHAR_SINGLE) { ------------------ | | 19| 2.32k|#define CHAR_SINGLE 39 ------------------ | Branch (462:16): [True: 14, False: 2.30k] ------------------ 463| 14| return h5_state_attribute_value_single_quote(hs); 464| 2.30k| } else if (c == CHAR_TICK) { ------------------ | | 27| 2.30k|#define CHAR_TICK 96 ------------------ | Branch (464:16): [True: 86, False: 2.22k] ------------------ 465| | /* NON STANDARD IE */ 466| 86| return h5_state_attribute_value_back_quote(hs); 467| 2.22k| } else { 468| 2.22k| return h5_state_attribute_value_no_quote(hs); 469| 2.22k| } 470| 2.37k|} libinjection_html5.c:h5_state_attribute_value_no_quote: 527| 2.22k|{ 528| 2.22k| char ch; 529| 2.22k| size_t pos; 530| | 531| 2.22k| TRACE(); 532| 2.22k| pos = hs->pos; 533| 47.8k| while (pos < hs->len) { ------------------ | Branch (533:12): [True: 47.4k, False: 440] ------------------ 534| 47.4k| ch = hs->s[pos]; 535| 47.4k| if (h5_is_white(ch)) { ------------------ | Branch (535:13): [True: 1.69k, False: 45.7k] ------------------ 536| 1.69k| hs->token_type = ATTR_VALUE; 537| 1.69k| hs->token_start = hs->s + hs->pos; 538| 1.69k| hs->token_len = pos - hs->pos; 539| 1.69k| hs->pos = pos + 1; 540| 1.69k| hs->state = h5_state_before_attribute_name; 541| 1.69k| return 1; 542| 45.7k| } else if (ch == CHAR_GT) { ------------------ | | 24| 45.7k|#define CHAR_GT 62 ------------------ | Branch (542:20): [True: 85, False: 45.6k] ------------------ 543| 85| hs->token_type = ATTR_VALUE; 544| 85| hs->token_start = hs->s + hs->pos; 545| 85| hs->token_len = pos - hs->pos; 546| 85| hs->pos = 
pos; 547| 85| hs->state = h5_state_tag_name_close; 548| 85| return 1; 549| 85| } 550| 45.6k| pos += 1; 551| 45.6k| } 552| 440| TRACE(); 553| | /* EOF */ 554| 440| hs->state = h5_state_eof; 555| 440| hs->token_start = hs->s + hs->pos; 556| 440| hs->token_len = hs->len - hs->pos; 557| 440| hs->token_type = ATTR_VALUE; 558| 440| return 1; 559| 2.22k|} libinjection_html5.c:h5_state_attribute_value_double_quote: 507| 1.55k|{ 508| 1.55k| TRACE(); 509| 1.55k| return h5_state_attribute_value_quote(hs, CHAR_DOUBLE); ------------------ | | 17| 1.55k|#define CHAR_DOUBLE 34 ------------------ 510| 1.55k|} libinjection_html5.c:h5_state_attribute_value_quote: 474| 4.64k|{ 475| 4.64k| const char* idx; 476| | 477| 4.64k| TRACE(); 478| | 479| | /* skip initial quote in normal case. 480| | * don't do this "if (pos == 0)" since it means we have started 481| | * in a non-data state. given an input of '>pos > 0) { ------------------ | Branch (484:9): [True: 154, False: 4.48k] ------------------ 485| 154| hs->pos += 1; 486| 154| } 487| | 488| | 489| 4.64k| idx = (const char*) memchr(hs->s + hs->pos, qchar, hs->len - hs->pos); 490| 4.64k| if (idx == NULL) { ------------------ | Branch (490:9): [True: 3.27k, False: 1.36k] ------------------ 491| 3.27k| hs->token_start = hs->s + hs->pos; 492| 3.27k| hs->token_len = hs->len - hs->pos; 493| 3.27k| hs->token_type = ATTR_VALUE; 494| 3.27k| hs->state = h5_state_eof; 495| 3.27k| } else { 496| 1.36k| hs->token_start = hs->s + hs->pos; 497| 1.36k| hs->token_len = (size_t)(idx - hs->s) - hs->pos; 498| 1.36k| hs->token_type = ATTR_VALUE; 499| 1.36k| hs->state = h5_state_after_attribute_value_quoted_state; 500| 1.36k| hs->pos += hs->token_len + 1; 501| 1.36k| } 502| 4.64k| return 1; 503| 4.64k|} libinjection_html5.c:h5_state_after_attribute_value_quoted_state: 565| 1.36k|{ 566| 1.36k| char ch; 567| | 568| 1.36k| TRACE(); 569| 1.36k| if (hs->pos >= hs->len) { ------------------ | Branch (569:9): [True: 6, False: 1.36k] ------------------ 570| 6| 
return 0; 571| 6| } 572| 1.36k| ch = hs->s[hs->pos]; 573| 1.36k| if (h5_is_white(ch)) { ------------------ | Branch (573:9): [True: 223, False: 1.13k] ------------------ 574| 223| hs->pos += 1; 575| 223| return h5_state_before_attribute_name(hs); 576| 1.13k| } else if (ch == CHAR_SLASH) { ------------------ | | 21| 1.13k|#define CHAR_SLASH 47 ------------------ | Branch (576:16): [True: 44, False: 1.09k] ------------------ 577| 44| hs->pos += 1; 578| 44| return h5_state_self_closing_start_tag(hs); 579| 1.09k| } else if (ch == CHAR_GT) { ------------------ | | 24| 1.09k|#define CHAR_GT 62 ------------------ | Branch (579:16): [True: 1, False: 1.09k] ------------------ 580| 1| hs->token_start = hs->s + hs->pos; 581| 1| hs->token_len = 1; 582| 1| hs->token_type = TAG_NAME_CLOSE; 583| 1| hs->pos += 1; 584| 1| hs->state = h5_state_data; 585| 1| return 1; 586| 1.09k| } else { 587| 1.09k| return h5_state_before_attribute_name(hs); 588| 1.09k| } 589| 1.36k|} libinjection_html5.c:h5_state_attribute_value_single_quote: 514| 1.51k|{ 515| 1.51k| TRACE(); 516| 1.51k| return h5_state_attribute_value_quote(hs, CHAR_SINGLE); ------------------ | | 19| 1.51k|#define CHAR_SINGLE 39 ------------------ 517| 1.51k|} libinjection_html5.c:h5_state_attribute_value_back_quote: 521| 1.58k|{ 522| 1.58k| TRACE(); 523| 1.58k| return h5_state_attribute_value_quote(hs, CHAR_TICK); ------------------ | | 27| 1.58k|#define CHAR_TICK 96 ------------------ 524| 1.58k|} libinjection_sqli_tokenize: 1215| 58.1k|{ 1216| 58.1k| pt2Function fnptr; 1217| 58.1k| size_t *pos = &sf->pos; 1218| 58.1k| stoken_t *current = sf->current; 1219| 58.1k| const char *s = sf->s; 1220| 58.1k| const size_t slen = sf->slen; 1221| | 1222| 58.1k| if (slen == 0) { ------------------ | Branch (1222:9): [True: 0, False: 58.1k] ------------------ 1223| 0| return FALSE; ------------------ | | 30| 0|#define FALSE 0 ------------------ 1224| 0| } 1225| | 1226| 58.1k| st_clear(current); 1227| 58.1k| sf->current = current; 1228| | 
1229| | /* 1230| | * if we are at beginning of string 1231| | * and in single-quote or double quote mode 1232| | * then pretend the input starts with a quote 1233| | */ 1234| 58.1k| if (*pos == 0 && (sf->flags & (FLAG_QUOTE_SINGLE | FLAG_QUOTE_DOUBLE))) { ------------------ | Branch (1234:9): [True: 3.56k, False: 54.5k] | Branch (1234:22): [True: 1.26k, False: 2.30k] ------------------ 1235| 1.26k| *pos = parse_string_core(s, slen, 0, current, flag2delim(sf->flags), 0); 1236| 1.26k| sf->stats_tokens += 1; 1237| 1.26k| return TRUE; ------------------ | | 27| 1.26k|#define TRUE 1 ------------------ 1238| 1.26k| } 1239| | 1240| 74.1k| while (*pos < slen) { ------------------ | Branch (1240:12): [True: 72.1k, False: 1.98k] ------------------ 1241| | 1242| | /* 1243| | * get current character 1244| | */ 1245| 72.1k| const unsigned char ch = (unsigned char) (s[*pos]); 1246| | 1247| | /* 1248| | * look up the parser, and call it 1249| | * 1250| | * Porting Note: this is mapping of char to function 1251| | * charparsers[ch]() 1252| | */ 1253| 72.1k| fnptr = char_parse_map[ch]; 1254| | 1255| 72.1k| *pos = (*fnptr) (sf); 1256| | 1257| | /* 1258| | * 1259| | */ 1260| 72.1k| if (current->type != CHAR_NULL) { ------------------ | | 33| 72.1k|#define CHAR_NULL '\0' ------------------ | Branch (1260:13): [True: 54.8k, False: 17.2k] ------------------ 1261| 54.8k| sf->stats_tokens += 1; 1262| 54.8k| return TRUE; ------------------ | | 27| 54.8k|#define TRUE 1 ------------------ 1263| 54.8k| } 1264| 72.1k| } 1265| 1.98k| return FALSE; ------------------ | | 30| 1.98k|#define FALSE 0 ------------------ 1266| 56.8k|} libinjection_sqli_init: 1269| 5.06k|{ 1270| 5.06k| if (flags == 0) { ------------------ | Branch (1270:9): [True: 1.49k, False: 3.56k] ------------------ 1271| 1.49k| flags = FLAG_QUOTE_NONE | FLAG_SQL_ANSI; 1272| 1.49k| } 1273| | 1274| 5.06k| memset(sf, 0, sizeof(struct libinjection_sqli_state)); 1275| 5.06k| sf->s = s; 1276| 5.06k| sf->slen = len; 1277| 5.06k| 
sf->lookup = libinjection_sqli_lookup_word; 1278| 5.06k| sf->userdata = 0; 1279| 5.06k| sf->flags = flags; 1280| 5.06k| sf->current = &(sf->tokenvec[0]); 1281| 5.06k|} libinjection_sqli_reset: 1284| 3.56k|{ 1285| 3.56k| void *userdata = sf->userdata; 1286| 3.56k| ptr_lookup_fn lookup = sf->lookup;; 1287| | 1288| 3.56k| if (flags == 0) { ------------------ | Branch (1288:9): [True: 0, False: 3.56k] ------------------ 1289| 0| flags = FLAG_QUOTE_NONE | FLAG_SQL_ANSI; 1290| 0| } 1291| 3.56k| libinjection_sqli_init(sf, sf->s, sf->slen, flags); 1292| 3.56k| sf->lookup = lookup; 1293| 3.56k| sf->userdata = userdata; 1294| 3.56k|} libinjection_sqli_fold: 1381| 3.56k|{ 1382| 3.56k| stoken_t last_comment; 1383| | 1384| | /* POS is the position of where the NEXT token goes */ 1385| 3.56k| size_t pos = 0; 1386| | 1387| | /* LEFT is a count of how many tokens that are already 1388| | folded or processed (i.e. part of the fingerprint) */ 1389| 3.56k| size_t left = 0; 1390| | 1391| 3.56k| int more = 1; 1392| | 1393| 3.56k| st_clear(&last_comment); 1394| | 1395| | /* Skip all initial comments, right-parens ( and unary operators 1396| | * 1397| | */ 1398| 3.56k| sf->current = &(sf->tokenvec[0]); 1399| 3.80k| while (more) { ------------------ | Branch (1399:12): [True: 3.80k, False: 0] ------------------ 1400| 3.80k| more = libinjection_sqli_tokenize(sf); 1401| 3.80k| if ( ! (sf->current->type == TYPE_COMMENT || ------------------ | Branch (1401:17): [True: 15, False: 3.79k] ------------------ 1402| 3.79k| sf->current->type == TYPE_LEFTPARENS || ------------------ | Branch (1402:17): [True: 33, False: 3.76k] ------------------ 1403| 3.76k| sf->current->type == TYPE_SQLTYPE || ------------------ | Branch (1403:17): [True: 0, False: 3.76k] ------------------ 1404| 3.76k| st_is_unary_op(sf->current))) { ------------------ | Branch (1404:17): [True: 191, False: 3.56k] ------------------ 1405| 3.56k| break; 1406| 3.56k| } 1407| 3.80k| } 1408| | 1409| 3.56k| if (! 
more) { ------------------ | Branch (1409:9): [True: 6, False: 3.56k] ------------------ 1410| | /* If input was only comments, unary or (, then exit */ 1411| 6| return 0; 1412| 3.56k| } else { 1413| | /* it's some other token */ 1414| 3.56k| pos += 1; 1415| 3.56k| } 1416| | 1417| 98.4k| while (1) { ------------------ | Branch (1417:12): [True: 98.4k, Folded] ------------------ 1418| 98.4k| FOLD_DEBUG; 1419| | 1420| | /* do we have all the max number of tokens? if so do 1421| | * some special cases for 5 tokens 1422| | */ 1423| 98.4k| if (pos >= LIBINJECTION_SQLI_MAX_TOKENS) { ------------------ | | 24| 98.4k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1423:13): [True: 29.9k, False: 68.4k] ------------------ 1424| 29.9k| if ( 1425| 29.9k| ( 1426| 29.9k| sf->tokenvec[0].type == TYPE_NUMBER && ------------------ | Branch (1426:21): [True: 4.09k, False: 25.8k] ------------------ 1427| 4.09k| (sf->tokenvec[1].type == TYPE_OPERATOR || sf->tokenvec[1].type == TYPE_COMMA) && ------------------ | Branch (1427:22): [True: 849, False: 3.25k] | Branch (1427:63): [True: 131, False: 3.11k] ------------------ 1428| 980| sf->tokenvec[2].type == TYPE_LEFTPARENS && ------------------ | Branch (1428:21): [True: 229, False: 751] ------------------ 1429| 229| sf->tokenvec[3].type == TYPE_NUMBER && ------------------ | Branch (1429:21): [True: 28, False: 201] ------------------ 1430| 28| sf->tokenvec[4].type == TYPE_RIGHTPARENS ------------------ | Branch (1430:21): [True: 1, False: 27] ------------------ 1431| 29.9k| ) || 1432| 29.9k| ( 1433| 29.9k| sf->tokenvec[0].type == TYPE_BAREWORD && ------------------ | Branch (1433:21): [True: 3.28k, False: 26.6k] ------------------ 1434| 3.28k| sf->tokenvec[1].type == TYPE_OPERATOR && ------------------ | Branch (1434:21): [True: 1.32k, False: 1.95k] ------------------ 1435| 1.32k| sf->tokenvec[2].type == TYPE_LEFTPARENS && ------------------ | Branch (1435:21): [True: 661, False: 668] ------------------ 1436| 661| 
(sf->tokenvec[3].type == TYPE_BAREWORD || sf->tokenvec[3].type == TYPE_NUMBER) && ------------------ | Branch (1436:22): [True: 311, False: 350] | Branch (1436:63): [True: 38, False: 312] ------------------ 1437| 349| sf->tokenvec[4].type == TYPE_RIGHTPARENS ------------------ | Branch (1437:21): [True: 6, False: 343] ------------------ 1438| 29.9k| ) || 1439| 29.9k| ( 1440| 29.9k| sf->tokenvec[0].type == TYPE_NUMBER && ------------------ | Branch (1440:21): [True: 4.09k, False: 25.8k] ------------------ 1441| 4.09k| sf->tokenvec[1].type == TYPE_RIGHTPARENS && ------------------ | Branch (1441:21): [True: 451, False: 3.64k] ------------------ 1442| 451| sf->tokenvec[2].type == TYPE_COMMA && ------------------ | Branch (1442:21): [True: 201, False: 250] ------------------ 1443| 201| sf->tokenvec[3].type == TYPE_LEFTPARENS && ------------------ | Branch (1443:21): [True: 7, False: 194] ------------------ 1444| 7| sf->tokenvec[4].type == TYPE_NUMBER ------------------ | Branch (1444:21): [True: 0, False: 7] ------------------ 1445| 29.9k| ) || 1446| 29.9k| ( 1447| 29.9k| sf->tokenvec[0].type == TYPE_BAREWORD && ------------------ | Branch (1447:21): [True: 3.28k, False: 26.6k] ------------------ 1448| 3.28k| sf->tokenvec[1].type == TYPE_RIGHTPARENS && ------------------ | Branch (1448:21): [True: 237, False: 3.04k] ------------------ 1449| 237| sf->tokenvec[2].type == TYPE_OPERATOR && ------------------ | Branch (1449:21): [True: 25, False: 212] ------------------ 1450| 25| sf->tokenvec[3].type == TYPE_LEFTPARENS && ------------------ | Branch (1450:21): [True: 2, False: 23] ------------------ 1451| 2| sf->tokenvec[4].type == TYPE_BAREWORD ------------------ | Branch (1451:21): [True: 2, False: 0] ------------------ 1452| 29.9k| ) 1453| 29.9k| ) 1454| 9| { 1455| 9| if (pos > LIBINJECTION_SQLI_MAX_TOKENS) { ------------------ | | 24| 9|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1455:21): [True: 0, False: 9] ------------------ 1456| 0| 
st_copy(&(sf->tokenvec[1]), &(sf->tokenvec[LIBINJECTION_SQLI_MAX_TOKENS])); ------------------ | | 24| 0|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ 1457| 0| pos = 2; 1458| 0| left = 0; 1459| 9| } else { 1460| 9| pos = 1; 1461| 9| left = 0; 1462| 9| } 1463| 9| } 1464| 29.9k| } 1465| | 1466| 98.4k| if (! more || left >= LIBINJECTION_SQLI_MAX_TOKENS) { ------------------ | | 24| 96.4k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1466:13): [True: 1.97k, False: 96.4k] | Branch (1466:23): [True: 1.58k, False: 94.8k] ------------------ 1467| 3.56k| left = pos; 1468| 3.56k| break; 1469| 3.56k| } 1470| | 1471| | /* get up to two tokens */ 1472| 101k| while (more && pos <= LIBINJECTION_SQLI_MAX_TOKENS && (pos - left) < 2) { ------------------ | | 24| 202k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1472:16): [True: 100k, False: 233] | Branch (1472:24): [True: 95.6k, False: 5.32k] | Branch (1472:63): [True: 6.36k, False: 89.2k] ------------------ 1473| 6.36k| sf->current = &(sf->tokenvec[pos]); 1474| 6.36k| more = libinjection_sqli_tokenize(sf); 1475| 6.36k| if (more) { ------------------ | Branch (1475:17): [True: 6.13k, False: 233] ------------------ 1476| 6.13k| if (sf->current->type == TYPE_COMMENT) { ------------------ | Branch (1476:21): [True: 256, False: 5.87k] ------------------ 1477| 256| st_copy(&last_comment, sf->current); 1478| 5.87k| } else { 1479| 5.87k| last_comment.type = CHAR_NULL; ------------------ | | 33| 5.87k|#define CHAR_NULL '\0' ------------------ 1480| 5.87k| pos += 1; 1481| 5.87k| } 1482| 6.13k| } 1483| 6.36k| } 1484| 94.8k| FOLD_DEBUG; 1485| | /* did we get 2 tokens? 
if not then we are done */ 1486| 94.8k| if (pos - left < 2) { ------------------ | Branch (1486:13): [True: 233, False: 94.6k] ------------------ 1487| 233| left = pos; 1488| 233| continue; 1489| 233| } 1490| | 1491| | /* FOLD: "ss" -> "s" 1492| | * "foo" "bar" is valid SQL 1493| | * just ignore second string 1494| | */ 1495| 94.6k| if (sf->tokenvec[left].type == TYPE_STRING && sf->tokenvec[left+1].type == TYPE_STRING) { ------------------ | Branch (1495:13): [True: 7.03k, False: 87.5k] | Branch (1495:55): [True: 178, False: 6.85k] ------------------ 1496| 178| pos -= 1; 1497| 178| sf->stats_folds += 1; 1498| 178| continue; 1499| 94.4k| } else if (sf->tokenvec[left].type == TYPE_SEMICOLON && sf->tokenvec[left+1].type == TYPE_SEMICOLON) { ------------------ | Branch (1499:20): [True: 297, False: 94.1k] | Branch (1499:65): [True: 41, False: 256] ------------------ 1500| | /* not sure how various engines handle 1501| | * 'select 1;;drop table foo' or 1502| | * 'select 1; /x foo x/; drop table foo' 1503| | * to prevent surprises, just fold away repeated semicolons 1504| | */ 1505| 41| pos -= 1; 1506| 41| sf->stats_folds += 1; 1507| 41| continue; 1508| 94.3k| } else if ((sf->tokenvec[left].type == TYPE_OPERATOR || ------------------ | Branch (1508:21): [True: 24.1k, False: 70.2k] ------------------ 1509| 70.2k| sf->tokenvec[left].type == TYPE_LOGIC_OPERATOR) && ------------------ | Branch (1509:21): [True: 100, False: 70.1k] ------------------ 1510| 24.2k| (st_is_unary_op(&sf->tokenvec[left+1]) || ------------------ | Branch (1510:21): [True: 12.8k, False: 11.3k] ------------------ 1511| 12.8k| sf->tokenvec[left+1].type == TYPE_SQLTYPE)) { ------------------ | Branch (1511:21): [True: 0, False: 11.3k] ------------------ 1512| 12.8k| pos -= 1; 1513| 12.8k| sf->stats_folds += 1; 1514| 12.8k| left = 0; 1515| 12.8k| continue; 1516| 81.5k| } else if (sf->tokenvec[left].type == TYPE_LEFTPARENS && ------------------ | Branch (1516:20): [True: 5.03k, False: 76.5k] 
------------------ 1517| 5.03k| st_is_unary_op(&sf->tokenvec[left+1])) { ------------------ | Branch (1517:20): [True: 2.38k, False: 2.65k] ------------------ 1518| 2.38k| pos -= 1; 1519| 2.38k| sf->stats_folds += 1; 1520| 2.38k| if (left > 0) { ------------------ | Branch (1520:17): [True: 2.38k, False: 0] ------------------ 1521| 2.38k| left -= 1; 1522| 2.38k| } 1523| 2.38k| continue; 1524| 79.1k| } else if (syntax_merge_words(sf, &sf->tokenvec[left], &sf->tokenvec[left+1])) { ------------------ | Branch (1524:20): [True: 0, False: 79.1k] ------------------ 1525| 0| pos -= 1; 1526| 0| sf->stats_folds += 1; 1527| 0| if (left > 0) { ------------------ | Branch (1527:17): [True: 0, False: 0] ------------------ 1528| 0| left -= 1; 1529| 0| } 1530| 0| continue; 1531| 79.1k| } else if (sf->tokenvec[left].type == TYPE_SEMICOLON && ------------------ | Branch (1531:20): [True: 256, False: 78.9k] ------------------ 1532| 256| sf->tokenvec[left+1].type == TYPE_FUNCTION && ------------------ | Branch (1532:20): [True: 0, False: 256] ------------------ 1533| 0| (sf->tokenvec[left+1].val[0] == 'I' || ------------------ | Branch (1533:7): [True: 0, False: 0] ------------------ 1534| 0| sf->tokenvec[left+1].val[0] == 'i' ) && ------------------ | Branch (1534:7): [True: 0, False: 0] ------------------ 1535| 0| (sf->tokenvec[left+1].val[1] == 'F' || ------------------ | Branch (1535:7): [True: 0, False: 0] ------------------ 1536| 0| sf->tokenvec[left+1].val[1] == 'f' )) { ------------------ | Branch (1536:21): [True: 0, False: 0] ------------------ 1537| | /* IF is normally a function, except in Transact-SQL where it can be used as a 1538| | * standalone control flow operator, e.g. ; IF 1=1 ... 
1539| | * if found after a semicolon, convert from 'f' type to 'T' type 1540| | */ 1541| 0| sf->tokenvec[left+1].type = TYPE_TSQL; 1542| | /* left += 2; */ 1543| 0| continue; /* reparse everything, but we probably can advance left, and pos */ 1544| 79.1k| } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || sf->tokenvec[left].type == TYPE_VARIABLE) && ------------------ | Branch (1544:21): [True: 22.2k, False: 56.9k] | Branch (1544:65): [True: 1.47k, False: 55.4k] ------------------ 1545| 23.6k| sf->tokenvec[left+1].type == TYPE_LEFTPARENS && ( ------------------ | Branch (1545:20): [True: 2.67k, False: 21.0k] ------------------ 1546| | /* TSQL functions but common enough to be column names */ 1547| 2.67k| cstrcasecmp("USER_ID", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1547:24): [True: 0, False: 2.67k] ------------------ 1548| 2.67k| cstrcasecmp("USER_NAME", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1548:24): [True: 0, False: 2.67k] ------------------ 1549| | 1550| | /* Function in MYSQL */ 1551| 2.67k| cstrcasecmp("DATABASE", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1551:24): [True: 0, False: 2.67k] ------------------ 1552| 2.67k| cstrcasecmp("PASSWORD", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1552:24): [True: 0, False: 2.67k] ------------------ 1553| 2.67k| cstrcasecmp("USER", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1553:24): [True: 0, False: 2.67k] ------------------ 1554| | 1555| | /* Mysql words that act as a variable and are a function */ 1556| | 1557| | /* TSQL current_users is fake-variable */ 1558| | /* http://msdn.microsoft.com/en-us/library/ms176050.aspx */ 1559| 2.67k| cstrcasecmp("CURRENT_USER", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1559:24): [True: 0, False: 2.67k] ------------------ 
1560| 2.67k| cstrcasecmp("CURRENT_DATE", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1560:24): [True: 0, False: 2.67k] ------------------ 1561| 2.67k| cstrcasecmp("CURRENT_TIME", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1561:24): [True: 0, False: 2.67k] ------------------ 1562| 2.67k| cstrcasecmp("CURRENT_TIMESTAMP", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1562:24): [True: 0, False: 2.67k] ------------------ 1563| 2.67k| cstrcasecmp("LOCALTIME", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1563:24): [True: 0, False: 2.67k] ------------------ 1564| 2.67k| cstrcasecmp("LOCALTIMESTAMP", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 ------------------ | Branch (1564:24): [True: 0, False: 2.67k] ------------------ 1565| 2.67k| )) { 1566| | 1567| | /* pos is the same 1568| | * other conversions need to go here... for instance 1569| | * password CAN be a function, coalesce CAN be a function 1570| | */ 1571| 0| sf->tokenvec[left].type = TYPE_FUNCTION; 1572| 0| continue; 1573| 79.1k| } else if (sf->tokenvec[left].type == TYPE_KEYWORD && ( ------------------ | Branch (1573:20): [True: 228, False: 78.9k] ------------------ 1574| 228| cstrcasecmp("IN", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1574:24): [True: 12, False: 216] ------------------ 1575| 216| cstrcasecmp("NOT IN", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 ------------------ | Branch (1575:24): [True: 0, False: 216] ------------------ 1576| 228| )) { 1577| | 1578| 12| if (sf->tokenvec[left+1].type == TYPE_LEFTPARENS) { ------------------ | Branch (1578:17): [True: 9, False: 3] ------------------ 1579| | /* got .... IN ( ... 
(or 'NOT IN') 1580| | * it's an operator 1581| | */ 1582| 9| sf->tokenvec[left].type = TYPE_OPERATOR; 1583| 9| } else { 1584| | /* 1585| | * it's a nothing 1586| | */ 1587| 3| sf->tokenvec[left].type = TYPE_BAREWORD; 1588| 3| } 1589| | 1590| | /* "IN" can be used as "IN BOOLEAN MODE" for mysql 1591| | * in which case merging of words can be done later 1592| | * other wise it acts as an equality operator __ IN (values..) 1593| | * 1594| | * here we got "IN" "(" so it's an operator. 1595| | * also back track to handle "NOT IN" 1596| | * might need to do the same with like 1597| | * two use cases "foo" LIKE "BAR" (normal operator) 1598| | * "foo" = LIKE(1,2) 1599| | */ 1600| 12| continue; 1601| 79.1k| } else if ((sf->tokenvec[left].type == TYPE_OPERATOR) && ( ------------------ | Branch (1601:20): [True: 11.2k, False: 67.8k] ------------------ 1602| 11.2k| cstrcasecmp("LIKE", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0 || ------------------ | Branch (1602:24): [True: 0, False: 11.2k] ------------------ 1603| 11.2k| cstrcasecmp("NOT LIKE", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0)) { ------------------ | Branch (1603:24): [True: 0, False: 11.2k] ------------------ 1604| 0| if (sf->tokenvec[left+1].type == TYPE_LEFTPARENS) { ------------------ | Branch (1604:17): [True: 0, False: 0] ------------------ 1605| | /* SELECT LIKE(... 
1606| | * it's a function 1607| | */ 1608| 0| sf->tokenvec[left].type = TYPE_FUNCTION; 1609| 0| } 1610| 79.1k| } else if (sf->tokenvec[left].type == TYPE_SQLTYPE && ------------------ | Branch (1610:20): [True: 0, False: 79.1k] ------------------ 1611| 0| (sf->tokenvec[left+1].type == TYPE_BAREWORD || ------------------ | Branch (1611:21): [True: 0, False: 0] ------------------ 1612| 0| sf->tokenvec[left+1].type == TYPE_NUMBER || ------------------ | Branch (1612:21): [True: 0, False: 0] ------------------ 1613| 0| sf->tokenvec[left+1].type == TYPE_SQLTYPE || ------------------ | Branch (1613:21): [True: 0, False: 0] ------------------ 1614| 0| sf->tokenvec[left+1].type == TYPE_LEFTPARENS || ------------------ | Branch (1614:21): [True: 0, False: 0] ------------------ 1615| 0| sf->tokenvec[left+1].type == TYPE_FUNCTION || ------------------ | Branch (1615:21): [True: 0, False: 0] ------------------ 1616| 0| sf->tokenvec[left+1].type == TYPE_VARIABLE || ------------------ | Branch (1616:21): [True: 0, False: 0] ------------------ 1617| 0| sf->tokenvec[left+1].type == TYPE_STRING)) { ------------------ | Branch (1617:21): [True: 0, False: 0] ------------------ 1618| 0| st_copy(&sf->tokenvec[left], &sf->tokenvec[left+1]); 1619| 0| pos -= 1; 1620| 0| sf->stats_folds += 1; 1621| 0| left = 0; 1622| 0| continue; 1623| 79.1k| } else if (sf->tokenvec[left].type == TYPE_COLLATE && ------------------ | Branch (1623:20): [True: 0, False: 79.1k] ------------------ 1624| 0| sf->tokenvec[left+1].type == TYPE_BAREWORD) { ------------------ | Branch (1624:20): [True: 0, False: 0] ------------------ 1625| | /* 1626| | * there are too many collation types.. 
so if the bareword has a "_" 1627| | * then it's TYPE_SQLTYPE 1628| | */ 1629| 0| if (strchr(sf->tokenvec[left+1].val, '_') != NULL) { ------------------ | Branch (1629:17): [True: 0, False: 0] ------------------ 1630| 0| sf->tokenvec[left+1].type = TYPE_SQLTYPE; 1631| 0| left = 0; 1632| 0| } 1633| 79.1k| } else if (sf->tokenvec[left].type == TYPE_BACKSLASH) { ------------------ | Branch (1633:20): [True: 1.94k, False: 77.2k] ------------------ 1634| 1.94k| if (st_is_arithmetic_op(&(sf->tokenvec[left+1]))) { ------------------ | Branch (1634:17): [True: 42, False: 1.90k] ------------------ 1635| | /* very weird case in TSQL where '\%1' is parsed as '0 % 1', etc */ 1636| 42| sf->tokenvec[left].type = TYPE_NUMBER; 1637| 1.90k| } else { 1638| | /* just ignore it.. Again T-SQL seems to parse \1 as "1" */ 1639| 1.90k| st_copy(&sf->tokenvec[left], &sf->tokenvec[left+1]); 1640| 1.90k| pos -= 1; 1641| 1.90k| sf->stats_folds += 1; 1642| 1.90k| } 1643| 1.94k| left = 0; 1644| 1.94k| continue; 1645| 77.2k| } else if (sf->tokenvec[left].type == TYPE_LEFTPARENS && ------------------ | Branch (1645:20): [True: 2.65k, False: 74.5k] ------------------ 1646| 2.65k| sf->tokenvec[left+1].type == TYPE_LEFTPARENS) { ------------------ | Branch (1646:20): [True: 192, False: 2.45k] ------------------ 1647| 192| pos -= 1; 1648| 192| left = 0; 1649| 192| sf->stats_folds += 1; 1650| 192| continue; 1651| 77.0k| } else if (sf->tokenvec[left].type == TYPE_RIGHTPARENS && ------------------ | Branch (1651:20): [True: 957, False: 76.0k] ------------------ 1652| 957| sf->tokenvec[left+1].type == TYPE_RIGHTPARENS) { ------------------ | Branch (1652:20): [True: 64, False: 893] ------------------ 1653| 64| pos -= 1; 1654| 64| left = 0; 1655| 64| sf->stats_folds += 1; 1656| 64| continue; 1657| 76.9k| } else if (sf->tokenvec[left].type == TYPE_LEFTBRACE && ------------------ | Branch (1657:20): [True: 494, False: 76.4k] ------------------ 1658| 494| sf->tokenvec[left+1].type == TYPE_BAREWORD) { 
------------------ | Branch (1658:20): [True: 170, False: 324] ------------------ 1659| | 1660| | /* 1661| | * MySQL Degenerate case -- 1662| | * 1663| | * select { ``.``.id }; -- valid !!! 1664| | * select { ``.``.``.id }; -- invalid 1665| | * select ``.``.id; -- invalid 1666| | * select { ``.id }; -- invalid 1667| | * 1668| | * so it appears {``.``.id} is a magic case 1669| | * I suspect this is "current database, current table, field id" 1670| | * 1671| | * The folding code can't look at more than 3 tokens, and 1672| | * I don't want to make two passes. 1673| | * 1674| | * Since "{ ``" so rare, we are just going to blacklist it. 1675| | * 1676| | * Highly likely this will need revisiting! 1677| | * 1678| | * CREDIT @rsalgado 2013-11-25 1679| | */ 1680| 170| if (sf->tokenvec[left+1].len == 0) { ------------------ | Branch (1680:17): [True: 1, False: 169] ------------------ 1681| 1| sf->tokenvec[left+1].type = TYPE_EVIL; 1682| 1| return (int)(left+2); 1683| 1| } 1684| | /* weird ODBC / MYSQL {foo expr} --> expr 1685| | * but for this rule we just strip away the "{ foo" part 1686| | */ 1687| 169| left = 0; 1688| 169| pos -= 2; 1689| 169| sf->stats_folds += 2; 1690| 169| continue; 1691| 76.8k| } else if (sf->tokenvec[left+1].type == TYPE_RIGHTBRACE) { ------------------ | Branch (1691:20): [True: 550, False: 76.2k] ------------------ 1692| 550| pos -= 1; 1693| 550| left = 0; 1694| 550| sf->stats_folds += 1; 1695| 550| continue; 1696| 550| } 1697| | 1698| | /* all cases of handing 2 tokens is done 1699| | and nothing matched. 
Get one more token 1700| | */ 1701| 76.2k| FOLD_DEBUG; 1702| 124k| while (more && pos <= LIBINJECTION_SQLI_MAX_TOKENS && pos - left < 3) { ------------------ | | 24| 246k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1702:16): [True: 122k, False: 1.74k] | Branch (1702:24): [True: 113k, False: 8.64k] | Branch (1702:63): [True: 47.9k, False: 65.8k] ------------------ 1703| 47.9k| sf->current = &(sf->tokenvec[pos]); 1704| 47.9k| more = libinjection_sqli_tokenize(sf); 1705| 47.9k| if (more) { ------------------ | Branch (1705:17): [True: 46.2k, False: 1.74k] ------------------ 1706| 46.2k| if (sf->current->type == TYPE_COMMENT) { ------------------ | Branch (1706:21): [True: 1.77k, False: 44.4k] ------------------ 1707| 1.77k| st_copy(&last_comment, sf->current); 1708| 44.4k| } else { 1709| 44.4k| last_comment.type = CHAR_NULL; ------------------ | | 33| 44.4k|#define CHAR_NULL '\0' ------------------ 1710| 44.4k| pos += 1; 1711| 44.4k| } 1712| 46.2k| } 1713| 47.9k| } 1714| | 1715| | /* do we have three tokens? 
If not then we are done */ 1716| 76.2k| if (pos -left < 3) { ------------------ | Branch (1716:13): [True: 3.32k, False: 72.9k] ------------------ 1717| 3.32k| left = pos; 1718| 3.32k| continue; 1719| 3.32k| } 1720| | 1721| | /* 1722| | * now look for three token folding 1723| | */ 1724| 72.9k| if (sf->tokenvec[left].type == TYPE_NUMBER && ------------------ | Branch (1724:13): [True: 16.8k, False: 56.0k] ------------------ 1725| 16.8k| sf->tokenvec[left+1].type == TYPE_OPERATOR && ------------------ | Branch (1725:13): [True: 9.99k, False: 6.89k] ------------------ 1726| 9.99k| sf->tokenvec[left+2].type == TYPE_NUMBER) { ------------------ | Branch (1726:13): [True: 585, False: 9.40k] ------------------ 1727| 585| pos -= 2; 1728| 585| left = 0; 1729| 585| continue; 1730| 72.3k| } else if (sf->tokenvec[left].type == TYPE_OPERATOR && ------------------ | Branch (1730:20): [True: 10.0k, False: 62.2k] ------------------ 1731| 10.0k| sf->tokenvec[left+1].type != TYPE_LEFTPARENS && ------------------ | Branch (1731:20): [True: 8.02k, False: 2.02k] ------------------ 1732| 8.02k| sf->tokenvec[left+2].type == TYPE_OPERATOR) { ------------------ | Branch (1732:20): [True: 4.56k, False: 3.45k] ------------------ 1733| 4.56k| left = 0; 1734| 4.56k| pos -= 2; 1735| 4.56k| continue; 1736| 67.7k| } else if (sf->tokenvec[left].type == TYPE_LOGIC_OPERATOR && ------------------ | Branch (1736:20): [True: 88, False: 67.6k] ------------------ 1737| 88| sf->tokenvec[left+2].type == TYPE_LOGIC_OPERATOR) { ------------------ | Branch (1737:20): [True: 30, False: 58] ------------------ 1738| 30| pos -= 2; 1739| 30| left = 0; 1740| 30| continue; 1741| 67.7k| } else if (sf->tokenvec[left].type == TYPE_VARIABLE && ------------------ | Branch (1741:20): [True: 1.45k, False: 66.2k] ------------------ 1742| 1.45k| sf->tokenvec[left+1].type == TYPE_OPERATOR && ------------------ | Branch (1742:20): [True: 1.11k, False: 340] ------------------ 1743| 1.11k| (sf->tokenvec[left+2].type == 
TYPE_VARIABLE || ------------------ | Branch (1743:21): [True: 26, False: 1.08k] ------------------ 1744| 1.08k| sf->tokenvec[left+2].type == TYPE_NUMBER || ------------------ | Branch (1744:21): [True: 128, False: 959] ------------------ 1745| 959| sf->tokenvec[left+2].type == TYPE_BAREWORD)) { ------------------ | Branch (1745:21): [True: 202, False: 757] ------------------ 1746| 356| pos -= 2; 1747| 356| left = 0; 1748| 356| continue; 1749| 67.3k| } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || ------------------ | Branch (1749:21): [True: 20.9k, False: 46.4k] ------------------ 1750| 46.4k| sf->tokenvec[left].type == TYPE_NUMBER ) && ------------------ | Branch (1750:21): [True: 16.3k, False: 30.1k] ------------------ 1751| 37.2k| sf->tokenvec[left+1].type == TYPE_OPERATOR && ------------------ | Branch (1751:20): [True: 15.6k, False: 21.6k] ------------------ 1752| 15.6k| (sf->tokenvec[left+2].type == TYPE_NUMBER || ------------------ | Branch (1752:21): [True: 381, False: 15.2k] ------------------ 1753| 15.2k| sf->tokenvec[left+2].type == TYPE_BAREWORD)) { ------------------ | Branch (1753:21): [True: 2.98k, False: 12.2k] ------------------ 1754| 3.36k| pos -= 2; 1755| 3.36k| left = 0; 1756| 3.36k| continue; 1757| 64.0k| } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || ------------------ | Branch (1757:21): [True: 19.1k, False: 44.9k] ------------------ 1758| 44.9k| sf->tokenvec[left].type == TYPE_NUMBER || ------------------ | Branch (1758:21): [True: 14.7k, False: 30.1k] ------------------ 1759| 30.1k| sf->tokenvec[left].type == TYPE_VARIABLE || ------------------ | Branch (1759:21): [True: 1.09k, False: 29.0k] ------------------ 1760| 29.0k| sf->tokenvec[left].type == TYPE_STRING) && ------------------ | Branch (1760:21): [True: 6.62k, False: 22.3k] ------------------ 1761| 41.6k| sf->tokenvec[left+1].type == TYPE_OPERATOR && ------------------ | Branch (1761:20): [True: 15.7k, False: 25.9k] ------------------ 1762| 15.7k| 
streq(sf->tokenvec[left+1].val, "::") && ------------------ | Branch (1762:20): [True: 94, False: 15.6k] ------------------ 1763| 94| sf->tokenvec[left+2].type == TYPE_SQLTYPE) { ------------------ | Branch (1763:20): [True: 0, False: 94] ------------------ 1764| 0| pos -= 2; 1765| 0| left = 0; 1766| 0| sf->stats_folds += 2; 1767| 0| continue; 1768| 64.0k| } else if ((sf->tokenvec[left].type == TYPE_BAREWORD || ------------------ | Branch (1768:21): [True: 19.1k, False: 44.9k] ------------------ 1769| 44.9k| sf->tokenvec[left].type == TYPE_NUMBER || ------------------ | Branch (1769:21): [True: 14.7k, False: 30.1k] ------------------ 1770| 30.1k| sf->tokenvec[left].type == TYPE_STRING || ------------------ | Branch (1770:21): [True: 6.62k, False: 23.4k] ------------------ 1771| 23.4k| sf->tokenvec[left].type == TYPE_VARIABLE) && ------------------ | Branch (1771:21): [True: 1.09k, False: 22.3k] ------------------ 1772| 41.6k| sf->tokenvec[left+1].type == TYPE_COMMA && ------------------ | Branch (1772:20): [True: 3.96k, False: 37.6k] ------------------ 1773| 3.96k| (sf->tokenvec[left+2].type == TYPE_NUMBER || ------------------ | Branch (1773:21): [True: 22, False: 3.94k] ------------------ 1774| 3.94k| sf->tokenvec[left+2].type == TYPE_BAREWORD || ------------------ | Branch (1774:21): [True: 130, False: 3.81k] ------------------ 1775| 3.81k| sf->tokenvec[left+2].type == TYPE_STRING || ------------------ | Branch (1775:21): [True: 27, False: 3.79k] ------------------ 1776| 3.79k| sf->tokenvec[left+2].type == TYPE_VARIABLE)) { ------------------ | Branch (1776:21): [True: 1, False: 3.78k] ------------------ 1777| 180| pos -= 2; 1778| 180| left = 0; 1779| 180| continue; 1780| 63.8k| } else if ((sf->tokenvec[left].type == TYPE_EXPRESSION || ------------------ | Branch (1780:21): [True: 61, False: 63.7k] ------------------ 1781| 63.7k| sf->tokenvec[left].type == TYPE_GROUP || ------------------ | Branch (1781:21): [True: 0, False: 63.7k] ------------------ 1782| 
63.7k| sf->tokenvec[left].type == TYPE_COMMA) && ------------------ | Branch (1782:21): [True: 4.04k, False: 59.7k] ------------------ 1783| 4.10k| st_is_unary_op(&sf->tokenvec[left+1]) && ------------------ | Branch (1783:20): [True: 3.65k, False: 450] ------------------ 1784| 3.65k| sf->tokenvec[left+2].type == TYPE_LEFTPARENS) { ------------------ | Branch (1784:20): [True: 5, False: 3.64k] ------------------ 1785| | /* got something like SELECT + (, LIMIT + ( 1786| | * remove unary operator 1787| | */ 1788| 5| st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]); 1789| 5| pos -= 1; 1790| 5| left = 0; 1791| 5| continue; 1792| 63.8k| } else if ((sf->tokenvec[left].type == TYPE_KEYWORD || ------------------ | Branch (1792:21): [True: 199, False: 63.6k] ------------------ 1793| 63.6k| sf->tokenvec[left].type == TYPE_EXPRESSION || ------------------ | Branch (1793:21): [True: 61, False: 63.5k] ------------------ 1794| 63.5k| sf->tokenvec[left].type == TYPE_GROUP ) && ------------------ | Branch (1794:21): [True: 0, False: 63.5k] ------------------ 1795| 260| st_is_unary_op(&sf->tokenvec[left+1]) && ------------------ | Branch (1795:20): [True: 58, False: 202] ------------------ 1796| 58| (sf->tokenvec[left+2].type == TYPE_NUMBER || ------------------ | Branch (1796:21): [True: 1, False: 57] ------------------ 1797| 57| sf->tokenvec[left+2].type == TYPE_BAREWORD || ------------------ | Branch (1797:21): [True: 13, False: 44] ------------------ 1798| 44| sf->tokenvec[left+2].type == TYPE_VARIABLE || ------------------ | Branch (1798:21): [True: 0, False: 44] ------------------ 1799| 44| sf->tokenvec[left+2].type == TYPE_STRING || ------------------ | Branch (1799:21): [True: 0, False: 44] ------------------ 1800| 44| sf->tokenvec[left+2].type == TYPE_FUNCTION )) { ------------------ | Branch (1800:21): [True: 0, False: 44] ------------------ 1801| | /* remove unary operators 1802| | * select - 1 1803| | */ 1804| 14| st_copy(&sf->tokenvec[left+1], 
&sf->tokenvec[left+2]); 1805| 14| pos -= 1; 1806| 14| left = 0; 1807| 14| continue; 1808| 63.8k| } else if (sf->tokenvec[left].type == TYPE_COMMA && ------------------ | Branch (1808:20): [True: 4.03k, False: 59.7k] ------------------ 1809| 4.03k| st_is_unary_op(&sf->tokenvec[left+1]) && ------------------ | Branch (1809:20): [True: 3.63k, False: 400] ------------------ 1810| 3.63k| (sf->tokenvec[left+2].type == TYPE_NUMBER || ------------------ | Branch (1810:21): [True: 8, False: 3.63k] ------------------ 1811| 3.63k| sf->tokenvec[left+2].type == TYPE_BAREWORD || ------------------ | Branch (1811:21): [True: 253, False: 3.37k] ------------------ 1812| 3.37k| sf->tokenvec[left+2].type == TYPE_VARIABLE || ------------------ | Branch (1812:21): [True: 8, False: 3.36k] ------------------ 1813| 3.36k| sf->tokenvec[left+2].type == TYPE_STRING)) { ------------------ | Branch (1813:21): [True: 75, False: 3.29k] ------------------ 1814| | /* 1815| | * interesting case turn ", -1" ->> ",1" PLUS we need to back up 1816| | * one token if possible to see if more folding can be done 1817| | * "1,-1" --> "1" 1818| | */ 1819| 344| st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]); 1820| 344| left = 0; 1821| | /* pos is >= 3 so this is safe */ 1822| 344| assert(pos >= 3); ------------------ | Branch (1822:13): [True: 0, False: 344] | Branch (1822:13): [True: 344, False: 0] ------------------ 1823| 344| pos -= 3; 1824| 344| continue; 1825| 63.4k| } else if (sf->tokenvec[left].type == TYPE_COMMA && ------------------ | Branch (1825:20): [True: 3.69k, False: 59.7k] ------------------ 1826| 3.69k| st_is_unary_op(&sf->tokenvec[left+1]) && ------------------ | Branch (1826:20): [True: 3.29k, False: 400] ------------------ 1827| 3.29k| sf->tokenvec[left+2].type == TYPE_FUNCTION) { ------------------ | Branch (1827:20): [True: 0, False: 3.29k] ------------------ 1828| | 1829| | /* Separate case from above since you end up with 1830| | * 1,-sin(1) --> 1 (1) 1831| | * Here, just do 
1832| | * 1,-sin(1) --> 1,sin(1) 1833| | * just remove unary operator 1834| | */ 1835| 0| st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]); 1836| 0| pos -= 1; 1837| 0| left = 0; 1838| 0| continue; 1839| 63.4k| } else if ((sf->tokenvec[left].type == TYPE_BAREWORD) && ------------------ | Branch (1839:20): [True: 18.9k, False: 44.4k] ------------------ 1840| 18.9k| (sf->tokenvec[left+1].type == TYPE_DOT) && ------------------ | Branch (1840:20): [True: 93, False: 18.8k] ------------------ 1841| 93| (sf->tokenvec[left+2].type == TYPE_BAREWORD)) { ------------------ | Branch (1841:20): [True: 75, False: 18] ------------------ 1842| | /* ignore the '.n' 1843| | * typically is this databasename.table 1844| | */ 1845| 75| assert(pos >= 3); ------------------ | Branch (1845:13): [True: 0, False: 75] | Branch (1845:13): [True: 75, False: 0] ------------------ 1846| 75| pos -= 2; 1847| 75| left = 0; 1848| 75| continue; 1849| 63.4k| } else if ((sf->tokenvec[left].type == TYPE_EXPRESSION) && ------------------ | Branch (1849:20): [True: 52, False: 63.3k] ------------------ 1850| 52| (sf->tokenvec[left+1].type == TYPE_DOT) && ------------------ | Branch (1850:20): [True: 1, False: 51] ------------------ 1851| 1| (sf->tokenvec[left+2].type == TYPE_BAREWORD)) { ------------------ | Branch (1851:20): [True: 1, False: 0] ------------------ 1852| | /* select . 
`foo` --> select `foo` */ 1853| 1| st_copy(&sf->tokenvec[left+1], &sf->tokenvec[left+2]); 1854| 1| pos -= 1; 1855| 1| left = 0; 1856| 1| continue; 1857| 63.4k| } else if ((sf->tokenvec[left].type == TYPE_FUNCTION) && ------------------ | Branch (1857:20): [True: 25, False: 63.3k] ------------------ 1858| 25| (sf->tokenvec[left+1].type == TYPE_LEFTPARENS) && ------------------ | Branch (1858:20): [True: 3, False: 22] ------------------ 1859| 3| (sf->tokenvec[left+2].type != TYPE_RIGHTPARENS)) { ------------------ | Branch (1859:20): [True: 3, False: 0] ------------------ 1860| | /* 1861| | * whats going on here 1862| | * Some SQL functions like USER() have 0 args 1863| | * if we get User(foo), then User is not a function 1864| | * This should be expanded since it eliminated a lot of false 1865| | * positives. 1866| | */ 1867| 3| if (cstrcasecmp("USER", sf->tokenvec[left].val, sf->tokenvec[left].len) == 0) { ------------------ | Branch (1867:18): [True: 0, False: 3] ------------------ 1868| 0| sf->tokenvec[left].type = TYPE_BAREWORD; 1869| 0| } 1870| 3| } 1871| | 1872| | /* no folding -- assume left-most token is 1873| | is good, now use the existing 2 tokens -- 1874| | do not get another 1875| | */ 1876| | 1877| 63.4k| left += 1; 1878| | 1879| 63.4k| } /* while(1) */ 1880| | 1881| | /* if we have 4 or less tokens, and we had a comment token 1882| | * at the end, add it back 1883| | */ 1884| | 1885| 3.56k| if (left < LIBINJECTION_SQLI_MAX_TOKENS && last_comment.type == TYPE_COMMENT) { ------------------ | | 24| 7.12k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1885:9): [True: 1.61k, False: 1.94k] | Branch (1885:48): [True: 597, False: 1.02k] ------------------ 1886| 597| st_copy(&sf->tokenvec[left], &last_comment); 1887| 597| left += 1; 1888| 597| } 1889| | 1890| | /* sometimes we grab a 6th token to help 1891| | determine the type of token 5. 
1892| | */ 1893| 3.56k| if (left > LIBINJECTION_SQLI_MAX_TOKENS) { ------------------ | | 24| 3.56k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ | Branch (1893:9): [True: 1.58k, False: 1.97k] ------------------ 1894| 1.58k| left = LIBINJECTION_SQLI_MAX_TOKENS; ------------------ | | 24| 1.58k|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ 1895| 1.58k| } 1896| | 1897| 3.56k| return (int)left; 1898| 3.56k|} libinjection_sqli_fingerprint: 1911| 3.56k|{ 1912| 3.56k| int i; 1913| 3.56k| int tlen = 0; 1914| | 1915| 3.56k| libinjection_sqli_reset(sql_state, flags); 1916| | 1917| 3.56k| tlen = libinjection_sqli_fold(sql_state); 1918| | 1919| | /* Check for magic PHP backquote comment 1920| | * If: 1921| | * * last token is of type "bareword" 1922| | * * And is quoted in a backtick 1923| | * * And isn't closed 1924| | * * And it's empty? 1925| | * Then convert it to comment 1926| | */ 1927| 3.56k| if (tlen > 2 && ------------------ | Branch (1927:9): [True: 3.13k, False: 437] ------------------ 1928| 3.13k| sql_state->tokenvec[tlen-1].type == TYPE_BAREWORD && ------------------ | Branch (1928:9): [True: 1.00k, False: 2.12k] ------------------ 1929| 1.00k| sql_state->tokenvec[tlen-1].str_open == CHAR_TICK && ------------------ | | 36| 4.57k|#define CHAR_TICK '`' ------------------ | Branch (1929:9): [True: 3, False: 1.00k] ------------------ 1930| 3| sql_state->tokenvec[tlen-1].len == 0 && ------------------ | Branch (1930:9): [True: 0, False: 3] ------------------ 1931| 0| sql_state->tokenvec[tlen-1].str_close == CHAR_NULL) { ------------------ | | 33| 0|#define CHAR_NULL '\0' ------------------ | Branch (1931:9): [True: 0, False: 0] ------------------ 1932| 0| sql_state->tokenvec[tlen-1].type = TYPE_COMMENT; 1933| 0| } 1934| | 1935| 18.5k| for (i = 0; i < tlen; ++i) { ------------------ | Branch (1935:17): [True: 15.0k, False: 3.56k] ------------------ 1936| 15.0k| sql_state->fingerprint[i] = sql_state->tokenvec[i].type; 1937| 15.0k| } 1938| | 1939| 
| /* 1940| | * make the fingerprint pattern a c-string (null delimited) 1941| | */ 1942| 3.56k| sql_state->fingerprint[tlen] = CHAR_NULL; ------------------ | | 33| 3.56k|#define CHAR_NULL '\0' ------------------ 1943| | 1944| | /* 1945| | * check for 'X' in pattern, and then 1946| | * clear out all tokens 1947| | * 1948| | * this means parsing could not be done 1949| | * accurately due to pgsql's double comments 1950| | * or other syntax that isn't consistent. 1951| | * Should be very rare false positive 1952| | */ 1953| 3.56k| if (strchr(sql_state->fingerprint, TYPE_EVIL)) { ------------------ | Branch (1953:9): [True: 1, False: 3.56k] ------------------ 1954| | /* needed for SWIG */ 1955| 1| memset((void*)sql_state->fingerprint, 0, LIBINJECTION_SQLI_MAX_TOKENS + 1); ------------------ | | 24| 1|#define LIBINJECTION_SQLI_MAX_TOKENS 5 ------------------ 1956| 1| memset((void*)sql_state->tokenvec[0].val, 0, LIBINJECTION_SQLI_TOKEN_SIZE); ------------------ | | 23| 1|#define LIBINJECTION_SQLI_TOKEN_SIZE sizeof(((stoken_t*)(0))->val) ------------------ 1957| | 1958| 1| sql_state->fingerprint[0] = TYPE_EVIL; 1959| | 1960| 1| sql_state->tokenvec[0].type = TYPE_EVIL; 1961| 1| sql_state->tokenvec[0].val[0] = TYPE_EVIL; 1962| 1| sql_state->tokenvec[1].type = CHAR_NULL; ------------------ | | 33| 1|#define CHAR_NULL '\0' ------------------ 1963| 1| } 1964| | 1965| | 1966| 3.56k| return sql_state->fingerprint; 1967| 3.56k|} libinjection_sqli_check_fingerprint: 1970| 3.56k|{ 1971| 3.56k| return libinjection_sqli_blacklist(sql_state) && ------------------ | Branch (1971:12): [True: 190, False: 3.37k] ------------------ 1972| 190| libinjection_sqli_not_whitelist(sql_state); ------------------ | Branch (1972:9): [True: 123, False: 67] ------------------ 1973| 3.56k|} libinjection_sqli_lookup_word: 1977| 37.6k|{ 1978| 37.6k| if (lookup_type == LOOKUP_FINGERPRINT) { ------------------ | Branch (1978:9): [True: 3.56k, False: 34.0k] ------------------ 1979| 3.56k| return 
libinjection_sqli_check_fingerprint(sql_state) ? 'X' : '\0'; ------------------ | Branch (1979:16): [True: 123, False: 3.44k] ------------------ 1980| 34.0k| } else { 1981| 34.0k| return bsearch_keyword_type(str, len, sql_keywords, sql_keywords_sz); 1982| 34.0k| } 1983| 37.6k|} libinjection_sqli_blacklist: 1986| 3.56k|{ 1987| | /* 1988| | * use minimum of 8 bytes to make sure gcc -fstack-protector 1989| | * works correctly 1990| | */ 1991| 3.56k| char fp2[8]; 1992| 3.56k| char ch; 1993| 3.56k| size_t i; 1994| 3.56k| size_t len = strlen(sql_state->fingerprint); 1995| 3.56k| int patmatch; 1996| | 1997| 3.56k| if (len < 1) { ------------------ | Branch (1997:9): [True: 6, False: 3.56k] ------------------ 1998| 6| sql_state->reason = __LINE__; 1999| 6| return FALSE; ------------------ | | 30| 6|#define FALSE 0 ------------------ 2000| 6| } 2001| | 2002| | /* 2003| | to keep everything compatible, convert the 2004| | v0 fingerprint pattern to v1 2005| | v0: up to 5 chars, mixed case 2006| | v1: 1 char is '0', up to 5 more chars, upper case 2007| | */ 2008| | 2009| 3.56k| fp2[0] = '0'; 2010| 18.5k| for (i = 0; i < len; ++i) { ------------------ | Branch (2010:17): [True: 15.0k, False: 3.56k] ------------------ 2011| 15.0k| ch = sql_state->fingerprint[i]; 2012| 15.0k| if (ch >= 'a' && ch <= 'z') { ------------------ | Branch (2012:13): [True: 10.5k, False: 4.51k] | Branch (2012:26): [True: 10.4k, False: 60] ------------------ 2013| 10.4k| ch -= 0x20; 2014| 10.4k| } 2015| 15.0k| fp2[i+1] = ch; 2016| 15.0k| } 2017| 3.56k| fp2[i+1] = '\0'; 2018| | 2019| 3.56k| patmatch = is_keyword(fp2, len + 1) == TYPE_FINGERPRINT; 2020| | 2021| | /* 2022| | * No match. 2023| | * 2024| | * Set sql_state->reason to current line number 2025| | * only for debugging purposes. 
2026| | */ 2027| 3.56k| if (!patmatch) { ------------------ | Branch (2027:9): [True: 3.37k, False: 190] ------------------ 2028| 3.37k| sql_state->reason = __LINE__; 2029| 3.37k| return FALSE; ------------------ | | 30| 3.37k|#define FALSE 0 ------------------ 2030| 3.37k| } 2031| | 2032| 190| return TRUE; ------------------ | | 27| 190|#define TRUE 1 ------------------ 2033| 3.56k|} libinjection_sqli_not_whitelist: 2039| 190|{ 2040| | /* 2041| | * We assume we got a SQLi match 2042| | * This next part just helps reduce false positives. 2043| | * 2044| | */ 2045| 190| char ch; 2046| 190| size_t tlen = strlen(sql_state->fingerprint); 2047| | 2048| 190| if (tlen > 1 && sql_state->fingerprint[tlen-1] == TYPE_COMMENT) { ------------------ | Branch (2048:9): [True: 189, False: 1] | Branch (2048:21): [True: 101, False: 88] ------------------ 2049| | /* 2050| | * if the fingerprint ends in a comment and the input contains 'sp_password' (the whole input is searched, not just the comment) then it's SQLi! 2051| | * MS Audit log apparently ignores anything with 2052| | * 'sp_password' in it. Unable to find primary reference to 2053| | * this "feature" of SQL Server but seems to be known SQLi 2054| | * technique 2055| | */ 2056| 101| if (my_memmem(sql_state->s, sql_state->slen, ------------------ | Branch (2056:13): [True: 0, False: 101] ------------------ 2057| 101| "sp_password", strlen("sp_password"))) { 2058| 0| sql_state->reason = __LINE__; 2059| 0| return TRUE; ------------------ | | 27| 0|#define TRUE 1 ------------------ 2060| 0| } 2061| 101| } 2062| | 2063| 190| switch (tlen) { ------------------ | Branch (2063:13): [True: 189, False: 1] ------------------ 2064| 80| case 2:{ ------------------ | Branch (2064:5): [True: 80, False: 110] ------------------ 2065| | /* 2066| | * case 2 are "very small SQLi" which make them 2067| | * hard to tell from normal input... 
2068| | */ 2069| | 2070| 80| if (sql_state->fingerprint[1] == TYPE_UNION) { ------------------ | Branch (2070:13): [True: 0, False: 80] ------------------ 2071| 0| if (sql_state->stats_tokens == 2) { ------------------ | Branch (2071:17): [True: 0, False: 0] ------------------ 2072| | /* not sure why but 1U comes up in SQLi attacks 2073| | * likely part of parameter splitting/etc. 2074| | * lots of reasons why "1 union" might be normal 2075| | * input, so beep only if other SQLi things are present 2076| | */ 2077| | /* stats_tokens == 2: it really is a number and 'union' 2078| | * otherwise it has folding or comments 2079| | */ 2080| 0| sql_state->reason = __LINE__; 2081| 0| return FALSE; ------------------ | | 30| 0|#define FALSE 0 ------------------ 2082| 0| } else { 2083| 0| sql_state->reason = __LINE__; 2084| 0| return TRUE; ------------------ | | 27| 0|#define TRUE 1 ------------------ 2085| 0| } 2086| 0| } 2087| | /* 2088| | * if 'comment' is '#' ignore.. too many false positives 2089| | */ 2090| 80| if (sql_state->tokenvec[1].val[0] == '#') { ------------------ | Branch (2090:13): [True: 26, False: 54] ------------------ 2091| 26| sql_state->reason = __LINE__; 2092| 26| return FALSE; ------------------ | | 30| 26|#define FALSE 0 ------------------ 2093| 26| } 2094| | 2095| | /* 2096| | * for fingerprint like 'nc', only comments of /x are treated 2097| | * as SQL... 
ending comments of "--" and "#" are not SQLi 2098| | */ 2099| 54| if (sql_state->tokenvec[0].type == TYPE_BAREWORD && ------------------ | Branch (2099:13): [True: 43, False: 11] ------------------ 2100| 43| sql_state->tokenvec[1].type == TYPE_COMMENT && ------------------ | Branch (2100:13): [True: 43, False: 0] ------------------ 2101| 43| sql_state->tokenvec[1].val[0] != '/') { ------------------ | Branch (2101:13): [True: 24, False: 19] ------------------ 2102| 24| sql_state->reason = __LINE__; 2103| 24| return FALSE; ------------------ | | 30| 24|#define FALSE 0 ------------------ 2104| 24| } 2105| | 2106| | /* 2107| | * if '1c' ends with '/x' then it's SQLi 2108| | */ 2109| 30| if (sql_state->tokenvec[0].type == TYPE_NUMBER && ------------------ | Branch (2109:13): [True: 4, False: 26] ------------------ 2110| 4| sql_state->tokenvec[1].type == TYPE_COMMENT && ------------------ | Branch (2110:13): [True: 4, False: 0] ------------------ 2111| 4| sql_state->tokenvec[1].val[0] == '/') { ------------------ | Branch (2111:13): [True: 1, False: 3] ------------------ 2112| 1| return TRUE; ------------------ | | 27| 1|#define TRUE 1 ------------------ 2113| 1| } 2114| | 2115| | /** 2116| | * there are some odd base64-looking query string values 2117| | * 1234-ABCDEFEhfhihwuefi-- 2118| | * which evaluate to "1c"... these are not SQLi 2119| | * but 1234-- probably is. 2120| | * Make sure the "1" in "1c" is actually a true decimal number 2121| | * 2122| | * Need to check -original- string since the folding step 2123| | * may have merged tokens, e.g. 
"1+FOO" is folded into "1" 2124| | * 2125| | * Note: evasion: 1*1-- 2126| | */ 2127| 29| if (sql_state->tokenvec[0].type == TYPE_NUMBER && ------------------ | Branch (2127:13): [True: 3, False: 26] ------------------ 2128| 3| sql_state->tokenvec[1].type == TYPE_COMMENT) { ------------------ | Branch (2128:13): [True: 3, False: 0] ------------------ 2129| 3| if (sql_state->stats_tokens > 2) { ------------------ | Branch (2129:17): [True: 2, False: 1] ------------------ 2130| | /* we have some folding going on, highly likely SQLi */ 2131| 2| sql_state->reason = __LINE__; 2132| 2| return TRUE; ------------------ | | 27| 2|#define TRUE 1 ------------------ 2133| 2| } 2134| | /* 2135| | * we check that the next character after the number is either whitespace, 2136| | * or '/' or a '-' ==> SQLi. NOTE(review): the index is tokenvec[0].len counted from the start of s (tokenvec[0].pos is not added, and no comparison with slen is made here), so this presumably relies on the number token starting at offset 0 -- confirm. ch is a plain char, so where char is signed any byte >= 0x80 also passes the ch <= 32 test below -- confirm that is intended. 2137| | */ 2138| 1| ch = sql_state->s[sql_state->tokenvec[0].len]; 2139| 1| if ( ch <= 32 ) { ------------------ | Branch (2139:18): [True: 0, False: 1] ------------------ 2140| | /* next char was whitespace, e.g. "1234 --" 2141| | * this isn't exactly correct.. 
ideally we should skip over all whitespace 2142| | * but this seems to be ok for now 2143| | */ 2144| 0| return TRUE; ------------------ | | 27| 0|#define TRUE 1 ------------------ 2145| 0| } 2146| 1| if (ch == '/' && sql_state->s[sql_state->tokenvec[0].len + 1] == '*') { ------------------ | Branch (2146:17): [True: 0, False: 1] | Branch (2146:30): [True: 0, False: 0] ------------------ 2147| 0| return TRUE; ------------------ | | 27| 0|#define TRUE 1 ------------------ 2148| 0| } 2149| 1| if (ch == '-' && sql_state->s[sql_state->tokenvec[0].len + 1] == '-') { ------------------ | Branch (2149:17): [True: 1, False: 0] | Branch (2149:30): [True: 1, False: 0] ------------------ 2150| 1| return TRUE; ------------------ | | 27| 1|#define TRUE 1 ------------------ 2151| 1| } 2152| | 2153| 0| sql_state->reason = __LINE__; 2154| 0| return FALSE; ------------------ | | 30| 0|#define FALSE 0 ------------------ 2155| 1| } 2156| | 2157| | /* 2158| | * detect obvious SQLi scans.. many people put '--' in plain text 2159| | * so only detect if input ends with '--', e.g. 1-- but not 1-- foo 2160| | */ 2161| 26| if ((sql_state->tokenvec[1].len > 2) ------------------ | Branch (2161:13): [True: 25, False: 1] ------------------ 2162| 25| && sql_state->tokenvec[1].val[0] == '-') { ------------------ | Branch (2162:16): [True: 7, False: 18] ------------------ 2163| 7| sql_state->reason = __LINE__; 2164| 7| return FALSE; ------------------ | | 30| 7|#define FALSE 0 ------------------ 2165| 7| } 2166| | 2167| 19| break; 2168| 26| } /* case 2 */ 2169| 28| case 3:{ ------------------ | Branch (2169:5): [True: 28, False: 162] ------------------ 2170| | /* 2171| | * ...foo' + 'bar... 
2172| | * no opening quote, no closing quote 2173| | * and each string has data 2174| | */ 2175| | 2176| 28| if (streq(sql_state->fingerprint, "sos") ------------------ | Branch (2176:13): [True: 8, False: 20] ------------------ 2177| 20| || streq(sql_state->fingerprint, "s&s")) { ------------------ | Branch (2177:16): [True: 0, False: 20] ------------------ 2178| | 2179| 8| if ((sql_state->tokenvec[0].str_open == CHAR_NULL) ------------------ | | 33| 8|#define CHAR_NULL '\0' ------------------ | Branch (2179:21): [True: 8, False: 0] ------------------ 2180| 8| && (sql_state->tokenvec[2].str_close == CHAR_NULL) ------------------ | | 33| 8|#define CHAR_NULL '\0' ------------------ | Branch (2180:24): [True: 8, False: 0] ------------------ 2181| 8| && (sql_state->tokenvec[0].str_close == sql_state->tokenvec[2].str_open)) { ------------------ | Branch (2181:24): [True: 1, False: 7] ------------------ 2182| | /* 2183| | * if ....foo" + "bar.... 2184| | */ 2185| 1| sql_state->reason = __LINE__; 2186| 1| return TRUE; ------------------ | | 27| 1|#define TRUE 1 ------------------ 2187| 1| } 2188| 7| if (sql_state->stats_tokens == 3) { ------------------ | Branch (2188:21): [True: 1, False: 6] ------------------ 2189| 1| sql_state->reason = __LINE__; 2190| 1| return FALSE; ------------------ | | 30| 1|#define FALSE 0 ------------------ 2191| 1| } 2192| | 2193| | /* 2194| | * not SQLi 2195| | */ 2196| 6| sql_state->reason = __LINE__; 2197| 6| return FALSE; ------------------ | | 30| 6|#define FALSE 0 ------------------ 2198| 20| } else if (streq(sql_state->fingerprint, "s&n") || ------------------ | Branch (2198:20): [True: 0, False: 20] ------------------ 2199| 20| streq(sql_state->fingerprint, "n&1") || ------------------ | Branch (2199:20): [True: 0, False: 20] ------------------ 2200| 20| streq(sql_state->fingerprint, "1&1") || ------------------ | Branch (2200:20): [True: 0, False: 20] ------------------ 2201| 20| streq(sql_state->fingerprint, "1&v") || 
------------------ | Branch (2201:20): [True: 0, False: 20] ------------------ 2202| 20| streq(sql_state->fingerprint, "1&s")) { ------------------ | Branch (2202:20): [True: 0, False: 20] ------------------ 2203| | /* 'sexy and 17' not SQLi 2204| | * 'sexy and 17<18' SQLi 2205| | */ 2206| 0| if (sql_state->stats_tokens == 3) { ------------------ | Branch (2206:17): [True: 0, False: 0] ------------------ 2207| 0| sql_state->reason = __LINE__; 2208| 0| return FALSE; ------------------ | | 30| 0|#define FALSE 0 ------------------ 2209| 0| } 2210| 20| } else if (sql_state->tokenvec[1].type == TYPE_KEYWORD) { ------------------ | Branch (2210:20): [True: 3, False: 17] ------------------ 2211| 3| if ((sql_state->tokenvec[1].len < 5) || ------------------ | Branch (2211:17): [True: 3, False: 0] ------------------ 2212| 3| cstrcasecmp("INTO", sql_state->tokenvec[1].val, 4)) { ------------------ | Branch (2212:17): [True: 0, False: 0] ------------------ 2213| | /* if it's not "INTO OUTFILE", or "INTO DUMPFILE" (MySQL) 2214| | * then treat as safe 2215| | */ 2216| 3| sql_state->reason = __LINE__; 2217| 3| return FALSE; ------------------ | | 30| 3|#define FALSE 0 ------------------ 2218| 3| } 2219| 3| } 2220| 17| break; 2221| 28| } /* case 3 */ 2222| 26| case 4: ------------------ | Branch (2222:5): [True: 26, False: 164] ------------------ 2223| 81| case 5: { ------------------ | Branch (2223:5): [True: 55, False: 135] ------------------ 2224| | /* nothing right now */ 2225| 81| break; 2226| 26| } /* case 5 */ 2227| 190| } /* end switch */ 2228| | 2229| 118| return TRUE; ------------------ | | 27| 118|#define TRUE 1 ------------------ 2230| 190|} libinjection_is_sqli: 2255| 1.49k|{ 2256| 1.49k| const char *s = sql_state->s; 2257| 1.49k| size_t slen = sql_state->slen; 2258| | 2259| | /* 2260| | * no input? 
not SQLi 2261| | */ 2262| 1.49k| if (slen == 0) { ------------------ | Branch (2262:9): [True: 0, False: 1.49k] ------------------ 2263| 0| return FALSE; ------------------ | | 30| 0|#define FALSE 0 ------------------ 2264| 0| } 2265| | 2266| | /* 2267| | * test input "as-is" 2268| | */ 2269| 1.49k| libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_NONE | FLAG_SQL_ANSI); 2270| 1.49k| if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT, ------------------ | Branch (2270:9): [True: 40, False: 1.45k] ------------------ 2271| 1.49k| sql_state->fingerprint, strlen(sql_state->fingerprint))) { 2272| 40| return TRUE; ------------------ | | 27| 40|#define TRUE 1 ------------------ 2273| 1.45k| } else if (reparse_as_mysql(sql_state)) { ------------------ | Branch (2273:16): [True: 804, False: 652] ------------------ 2274| 804| libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_NONE | FLAG_SQL_MYSQL); 2275| 804| if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT, ------------------ | Branch (2275:13): [True: 26, False: 778] ------------------ 2276| 804| sql_state->fingerprint, strlen(sql_state->fingerprint))) { 2277| 26| return TRUE; ------------------ | | 27| 26|#define TRUE 1 ------------------ 2278| 26| } 2279| 804| } 2280| | 2281| | /* 2282| | * if the input has a single quote, then 2283| | * test it as if the input were preceded by a ' 2284| | * example: if the input is "1' = 1", then pretend it's 2285| | * "'1' = 1" 2286| | * Porting notes: this is the same as doing 2287| | * is_string_sqli(sql_state, "'" + s, slen+1, NULL, fn, arg) 2288| | * 2289| | */ 2290| 1.43k| if (memchr(s, CHAR_SINGLE, slen)) { ------------------ | | 34| 1.43k|#define CHAR_SINGLE '\'' ------------------ | Branch (2290:9): [True: 562, False: 868] ------------------ 2291| 562| libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI); 2292| 562| if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT, ------------------ | Branch (2292:13): [True: 38, False: 524] ------------------ 2293| 562| 
sql_state->fingerprint, strlen(sql_state->fingerprint))) { 2294| 38| return TRUE; ------------------ | | 27| 38|#define TRUE 1 ------------------ 2295| 524| } else if (reparse_as_mysql(sql_state)) { ------------------ | Branch (2295:20): [True: 337, False: 187] ------------------ 2296| 337| libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL); 2297| 337| if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT, ------------------ | Branch (2297:17): [True: 11, False: 326] ------------------ 2298| 337| sql_state->fingerprint, strlen(sql_state->fingerprint))) { 2299| 11| return TRUE; ------------------ | | 27| 11|#define TRUE 1 ------------------ 2300| 11| } 2301| 337| } 2302| 562| } 2303| | 2304| | /* 2305| | * same as above but with a double-quote " 2306| | */ 2307| 1.38k| if (memchr(s, CHAR_DOUBLE, slen)) { ------------------ | | 35| 1.38k|#define CHAR_DOUBLE '"' ------------------ | Branch (2307:9): [True: 370, False: 1.01k] ------------------ 2308| 370| libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL); 2309| 370| if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT, ------------------ | Branch (2309:13): [True: 8, False: 362] ------------------ 2310| 370| sql_state->fingerprint, strlen(sql_state->fingerprint))) { 2311| 8| return TRUE; ------------------ | | 27| 8|#define TRUE 1 ------------------ 2312| 8| } 2313| 370| } 2314| | 2315| | /* 2316| | * Hurray, input is not SQLi 2317| | */ 2318| 1.37k| return FALSE; ------------------ | | 30| 1.37k|#define FALSE 0 ------------------ 2319| 1.38k|} libinjection_sqli.c:st_clear: 286| 61.7k|{ 287| 61.7k| memset(st, 0, sizeof(stoken_t)); 288| 61.7k|} libinjection_sqli.c:parse_string_core: 644| 2.41k|{ 645| | /* 646| | * offset is to skip the perhaps first quote char 647| | */ 648| 2.41k| const char *qpos = 649| 2.41k| (const char *) memchr((const void *) (cs + pos + offset), delim, 650| 2.41k| len - pos - offset); 651| | 652| | /* 653| | * then keep string open/close info 654| 
| */ 655| 2.41k| if (offset > 0) { ------------------ | Branch (655:9): [True: 1.14k, False: 1.26k] ------------------ 656| | /* 657| | * this is real quote 658| | */ 659| 1.14k| st->str_open = delim; 660| 1.26k| } else { 661| | /* 662| | * this was a simulated quote 663| | */ 664| 1.26k| st->str_open = CHAR_NULL; ------------------ | | 33| 1.26k|#define CHAR_NULL '\0' ------------------ 665| 1.26k| } 666| | 667| 2.64k| while (TRUE) { ------------------ | | 27| 2.64k|#define TRUE 1 | | ------------------ | | | Branch (27:14): [True: 2.64k, Folded] | | ------------------ ------------------ 668| 2.64k| if (qpos == NULL) { ------------------ | Branch (668:13): [True: 603, False: 2.04k] ------------------ 669| | /* 670| | * string ended with no trailing quote 671| | * assign what we have 672| | */ 673| 603| st_assign(st, TYPE_STRING, pos + offset, len - pos - offset, cs + pos + offset); 674| 603| st->str_close = CHAR_NULL; ------------------ | | 33| 603|#define CHAR_NULL '\0' ------------------ 675| 603| return len; 676| 2.04k| } else if ( is_backslash_escaped(qpos - 1, cs + pos + offset)) { ------------------ | Branch (676:21): [True: 10, False: 2.03k] ------------------ 677| | /* keep going, move ahead one character */ 678| 10| qpos = 679| 10| (const char *) memchr((const void *) (qpos + 1), delim, 680| 10| (size_t)((cs + len) - (qpos + 1))); 681| 10| continue; 682| 2.03k| } else if (is_double_delim_escaped(qpos, cs + len)) { ------------------ | Branch (682:20): [True: 218, False: 1.81k] ------------------ 683| | /* keep going, move ahead two characters */ 684| 218| qpos = 685| 218| (const char *) memchr((const void *) (qpos + 2), delim, 686| 218| (size_t)((cs + len) - (qpos + 2))); 687| 218| continue; 688| 1.81k| } else { 689| | /* hey it's a normal string */ 690| 1.81k| st_assign(st, TYPE_STRING, pos + offset, 691| 1.81k| (size_t)(qpos - (cs + pos + offset)), cs + pos + offset); 692| 1.81k| st->str_close = delim; 693| 1.81k| return (size_t)(qpos - cs + 1); 694| 
1.81k| } 695| 2.64k| } 696| 2.41k|} libinjection_sqli.c:st_assign: 304| 21.1k|{ 305| 21.1k| const size_t MSIZE = LIBINJECTION_SQLI_TOKEN_SIZE; ------------------ | | 23| 21.1k|#define LIBINJECTION_SQLI_TOKEN_SIZE sizeof(((stoken_t*)(0))->val) ------------------ 306| 21.1k| size_t last = len < MSIZE ? len : (MSIZE - 1); ------------------ | Branch (306:19): [True: 18.2k, False: 2.90k] ------------------ 307| 21.1k| st->type = (char) stype; 308| 21.1k| st->pos = pos; 309| 21.1k| st->len = last; 310| 21.1k| memcpy(st->val, value, last); 311| 21.1k| st->val[last] = CHAR_NULL; ------------------ | | 33| 21.1k|#define CHAR_NULL '\0' ------------------ 312| 21.1k|} libinjection_sqli.c:is_backslash_escaped: 616| 2.04k|{ 617| 2.04k| const char* ptr; 618| 2.09k| for (ptr = end; ptr >= start; ptr--) { ------------------ | Branch (618:21): [True: 2.06k, False: 27] ------------------ 619| 2.06k| if (*ptr != '\\') { ------------------ | Branch (619:13): [True: 2.01k, False: 52] ------------------ 620| 2.01k| break; 621| 2.01k| } 622| 2.06k| } 623| | /* if number of backslashes is odd, it is escaped */ 624| | 625| 2.04k| return (end - ptr) & 1; 626| 2.04k|} libinjection_sqli.c:is_double_delim_escaped: 630| 2.03k|{ 631| 2.03k| return ((cur + 1) < end) && *(cur+1) == *cur; ------------------ | Branch (631:13): [True: 2.02k, False: 3] | Branch (631:34): [True: 218, False: 1.80k] ------------------ 632| 2.03k|} libinjection_sqli.c:flag2delim: 86| 1.26k|{ 87| 1.26k| if (flag & FLAG_QUOTE_SINGLE) { ------------------ | Branch (87:9): [True: 899, False: 370] ------------------ 88| 899| return CHAR_SINGLE; ------------------ | | 34| 899|#define CHAR_SINGLE '\'' ------------------ 89| 899| } else if (flag & FLAG_QUOTE_DOUBLE) { ------------------ | Branch (89:16): [True: 370, False: 0] ------------------ 90| 370| return CHAR_DOUBLE; ------------------ | | 35| 370|#define CHAR_DOUBLE '"' ------------------ 91| 370| } else { 92| 0| return CHAR_NULL; ------------------ | | 33| 0|#define 
CHAR_NULL '\0' ------------------ 93| 0| } 94| 1.26k|} libinjection_sqli.c:parse_white: 353| 17.2k|{ 354| 17.2k| return sf->pos + 1; 355| 17.2k|} libinjection_sqli.c:parse_operator2: 556| 8.64k|{ 557| 8.64k| char ch; 558| 8.64k| const char *cs = sf->s; 559| 8.64k| const size_t slen = sf->slen; 560| 8.64k| size_t pos = sf->pos; 561| | 562| 8.64k| if (pos + 1 >= slen) { ------------------ | Branch (562:9): [True: 18, False: 8.62k] ------------------ 563| 18| return parse_operator1(sf); 564| 18| } 565| | 566| 8.62k| if (pos + 2 < slen && ------------------ | Branch (566:9): [True: 8.59k, False: 29] ------------------ 567| 8.59k| cs[pos] == '<' && ------------------ | Branch (567:9): [True: 3.57k, False: 5.02k] ------------------ 568| 3.57k| cs[pos + 1] == '=' && ------------------ | Branch (568:9): [True: 20, False: 3.55k] ------------------ 569| 20| cs[pos + 2] == '>') { ------------------ | Branch (569:9): [True: 3, False: 17] ------------------ 570| | /* 571| | * special 3-char operator 572| | */ 573| 3| st_assign(sf->current, TYPE_OPERATOR, pos, 3, cs + pos); 574| 3| return pos + 3; 575| 3| } 576| | 577| 8.62k| ch = sf->lookup(sf, LOOKUP_OPERATOR, cs + pos, 2); 578| 8.62k| if (ch != CHAR_NULL) { ------------------ | | 33| 8.62k|#define CHAR_NULL '\0' ------------------ | Branch (578:9): [True: 2.47k, False: 6.15k] ------------------ 579| 2.47k| st_assign(sf->current, ch, pos, 2, cs+pos); 580| 2.47k| return pos + 2; 581| 2.47k| } 582| | 583| | /* 584| | * not an operator.. what to do with the two 585| | * characters we got? 
586| | */ 587| | 588| 6.15k| if (cs[pos] == ':') { ------------------ | Branch (588:9): [True: 796, False: 5.35k] ------------------ 589| | /* ':' is not an operator */ 590| 796| st_assign(sf->current, TYPE_COLON, pos, 1, cs+pos); 591| 796| return pos + 1; 592| 5.35k| } else { 593| | /* 594| | * must be a single char operator 595| | */ 596| 5.35k| return parse_operator1(sf); 597| 5.35k| } 598| 6.15k|} libinjection_sqli.c:parse_string: 702| 1.03k|{ 703| 1.03k| const char *cs = sf->s; 704| 1.03k| const size_t slen = sf->slen; 705| 1.03k| size_t pos = sf->pos; 706| | 707| | /* 708| | * assert cs[pos] == single or double quote 709| | */ 710| 1.03k| return parse_string_core(cs, slen, pos, sf->current, cs[pos], 1); 711| 1.03k|} libinjection_sqli.c:parse_hash: 405| 1.10k|{ 406| 1.10k| sf->stats_comment_hash += 1; 407| 1.10k| if (sf->flags & FLAG_SQL_MYSQL) { ------------------ | Branch (407:9): [True: 542, False: 567] ------------------ 408| 542| sf->stats_comment_hash += 1; 409| 542| return parse_eol_comment(sf); 410| 567| } else { 411| 567| st_assign_char(sf->current, TYPE_OPERATOR, sf->pos, 1, '#'); 412| 567| return sf->pos + 1; 413| 567| } 414| 1.10k|} libinjection_sqli.c:parse_eol_comment: 385| 1.99k|{ 386| 1.99k| const char *cs = sf->s; 387| 1.99k| const size_t slen = sf->slen; 388| 1.99k| size_t pos = sf->pos; 389| | 390| 1.99k| const char *endpos = 391| 1.99k| (const char *) memchr((const void *) (cs + pos), '\n', slen - pos); 392| 1.99k| if (endpos == NULL) { ------------------ | Branch (392:9): [True: 634, False: 1.36k] ------------------ 393| 634| st_assign(sf->current, TYPE_COMMENT, pos, slen - pos, cs + pos); 394| 634| return slen; 395| 1.36k| } else { 396| 1.36k| st_assign(sf->current, TYPE_COMMENT, pos, (size_t)(endpos - cs) - pos, cs + pos); 397| 1.36k| return (size_t)((endpos - cs) + 1); 398| 1.36k| } 399| 1.99k|} libinjection_sqli.c:st_assign_char: 292| 35.0k|{ 293| | /* done to eliminate unused warning */ 294| 35.0k| (void)len; 295| 35.0k| st->type = 
(char) stype; 296| 35.0k| st->pos = pos; 297| 35.0k| st->len = 1; 298| 35.0k| st->val[0] = value; 299| 35.0k| st->val[1] = CHAR_NULL; ------------------ | | 33| 35.0k|#define CHAR_NULL '\0' ------------------ 300| 35.0k|} libinjection_sqli.c:parse_money: 1025| 348|{ 1026| 348| size_t xlen; 1027| 348| const char* strend; 1028| 348| const char *cs = sf->s; 1029| 348| const size_t slen = sf->slen; 1030| 348| size_t pos = sf->pos; 1031| | 1032| 348| if (pos + 1 == slen) { ------------------ | Branch (1032:9): [True: 6, False: 342] ------------------ 1033| | /* end of line */ 1034| 6| st_assign_char(sf->current, TYPE_BAREWORD, pos, 1, '$'); 1035| 6| return slen; 1036| 6| } 1037| | 1038| | /* 1039| | * $1,000.00 or $1.000,00 ok! 1040| | * This also parses $....,,,111 but that's ok 1041| | */ 1042| | 1043| 342| xlen = strlenspn(cs + pos + 1, slen - pos - 1, "0123456789.,"); 1044| 342| if (xlen == 0) { ------------------ | Branch (1044:9): [True: 321, False: 21] ------------------ 1045| 321| if (cs[pos + 1] == '$') { ------------------ | Branch (1045:13): [True: 175, False: 146] ------------------ 1046| | /* we have $$ .. 
find ending $$ and make string */ 1047| 175| strend = memchr2(cs + pos + 2, slen - pos -2, '$', '$'); 1048| 175| if (strend == NULL) { ------------------ | Branch (1048:17): [True: 17, False: 158] ------------------ 1049| | /* fell off edge */ 1050| 17| st_assign(sf->current, TYPE_STRING, pos + 2, slen - (pos + 2), cs + pos + 2); 1051| 17| sf->current->str_open = '$'; 1052| 17| sf->current->str_close = CHAR_NULL; ------------------ | | 33| 17|#define CHAR_NULL '\0' ------------------ 1053| 17| return slen; 1054| 158| } else { 1055| 158| st_assign(sf->current, TYPE_STRING, pos + 2, 1056| 158| (size_t)(strend - (cs + pos + 2)), cs + pos + 2); 1057| 158| sf->current->str_open = '$'; 1058| 158| sf->current->str_close = '$'; 1059| 158| return (size_t)(strend - cs + 2); 1060| 158| } 1061| 175| } else { 1062| | /* ok it's not a number or '$$', but maybe it's pgsql "$ quoted strings" */ 1063| 146| xlen = strlenspn(cs + pos + 1, slen - pos - 1, "abcdefghjiklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"); 1064| 146| if (xlen == 0) { ------------------ | Branch (1064:17): [True: 53, False: 93] ------------------ 1065| | /* hmm it's "$" _something_ .. just add $ and keep going*/ 1066| 53| st_assign_char(sf->current, TYPE_BAREWORD, pos, 1, '$'); 1067| 53| return pos + 1; 1068| 53| } 1069| | /* we have $foobar????? */ 1070| | /* is it $foobar$ */ 1071| 93| if (pos + xlen + 1 == slen || cs[pos+xlen+1] != '$') { ------------------ | Branch (1071:17): [True: 4, False: 89] | Branch (1071:43): [True: 52, False: 37] ------------------ 1072| | /* not $foobar$, or fell off edge */ 1073| 56| st_assign_char(sf->current, TYPE_BAREWORD, pos, 1, '$'); 1074| 56| return pos + 1; 1075| 56| } 1076| | 1077| | /* we have $foobar$ ... 
find it again */ 1078| 37| strend = my_memmem(cs+pos+xlen+2, slen - (pos+xlen+2), cs + pos, xlen+2); 1079| | 1080| 37| if (strend == NULL) { ------------------ | Branch (1080:17): [True: 13, False: 24] ------------------ 1081| | /* fell off edge */ 1082| 13| st_assign(sf->current, TYPE_STRING, pos+xlen+2, slen - pos - xlen - 2, cs+pos+xlen+2); 1083| 13| sf->current->str_open = '$'; 1084| 13| sf->current->str_close = CHAR_NULL; ------------------ | | 33| 13|#define CHAR_NULL '\0' ------------------ 1085| 13| return slen; 1086| 24| } else { 1087| | /* got one */ 1088| 24| st_assign(sf->current, TYPE_STRING, pos+xlen+2, 1089| 24| (size_t)(strend - (cs + pos + xlen + 2)), cs+pos+xlen+2); 1090| 24| sf->current->str_open = '$'; 1091| 24| sf->current->str_close = '$'; 1092| 24| return (size_t)((strend + xlen + 2) - cs); 1093| 24| } 1094| 37| } 1095| 321| } else if (xlen == 1 && cs[pos + 1] == '.') { ------------------ | Branch (1095:16): [True: 5, False: 16] | Branch (1095:29): [True: 2, False: 3] ------------------ 1096| | /* $. 
should parsed as a word */ 1097| 2| return parse_word(sf); 1098| 19| } else { 1099| 19| st_assign(sf->current, TYPE_NUMBER, pos, 1 + xlen, cs + pos); 1100| 19| return pos + 1 + xlen; 1101| 19| } 1102| 342|} libinjection_sqli.c:strlenspn: 159| 490|{ 160| 490| size_t i; 161| 813| for (i = 0; i < len; ++i) { ------------------ | Branch (161:17): [True: 803, False: 10] ------------------ 162| | /* likely we can do better by inlining this function 163| | * but this works for now 164| | */ 165| 803| if (strchr(accept, s[i]) == NULL) { ------------------ | Branch (165:13): [True: 480, False: 323] ------------------ 166| 480| return i; 167| 480| } 168| 803| } 169| 10| return len; 170| 490|} libinjection_sqli.c:memchr2: 106| 393|{ 107| 393| const char *cur = haystack; 108| 393| const char *last = haystack + haystack_len - 1; 109| | 110| 393| if (haystack_len < 2) { ------------------ | Branch (110:9): [True: 6, False: 387] ------------------ 111| 6| return NULL; 112| 6| } 113| | 114| 23.8k| while (cur < last) { ------------------ | Branch (114:12): [True: 23.7k, False: 163] ------------------ 115| | /* safe since cur < len - 1 always */ 116| 23.7k| if (cur[0] == c0 && cur[1] == c1) { ------------------ | Branch (116:13): [True: 2.73k, False: 20.9k] | Branch (116:29): [True: 224, False: 2.51k] ------------------ 117| 224| return cur; 118| 224| } 119| 23.5k| cur += 1; 120| 23.5k| } 121| | 122| 163| return NULL; 123| 387|} libinjection_sqli.c:parse_operator1: 358| 18.7k|{ 359| 18.7k| const char *cs = sf->s; 360| 18.7k| size_t pos = sf->pos; 361| | 362| 18.7k| st_assign_char(sf->current, TYPE_OPERATOR, pos, 1, cs[pos]); 363| 18.7k| return pos + 1; 364| 18.7k|} libinjection_sqli.c:parse_char: 376| 3.40k|{ 377| 3.40k| const char *cs = sf->s; 378| 3.40k| size_t pos = sf->pos; 379| | 380| 3.40k| st_assign_char(sf->current, cs[pos], pos, 1, cs[pos]); 381| 3.40k| return pos + 1; 382| 3.40k|} libinjection_sqli.c:parse_dash: 417| 10.4k|{ 418| 10.4k| const char *cs = sf->s; 419| 10.4k| 
const size_t slen = sf->slen; 420| 10.4k| size_t pos = sf->pos; 421| | 422| | /* 423| | * five cases 424| | * 1) --[white] this is always a SQL comment 425| | * 2) --[EOF] this is a comment 426| | * 3) --[notwhite] in MySQL this is NOT a comment but two unary operators 427| | * 4) --[notwhite] everyone else thinks this is a comment 428| | * 5) -[not dash] '-' is a unary operator 429| | */ 430| | 431| 10.4k| if (pos + 2 < slen && cs[pos + 1] == '-' && char_is_white(cs[pos+2]) ) { ------------------ | Branch (431:9): [True: 10.3k, False: 76] | Branch (431:27): [True: 7.71k, False: 2.67k] | Branch (431:49): [True: 257, False: 7.45k] ------------------ 432| 257| return parse_eol_comment(sf); 433| 10.2k| } else if (pos +2 == slen && cs[pos + 1] == '-') { ------------------ | Branch (433:16): [True: 57, False: 10.1k] | Branch (433:34): [True: 42, False: 15] ------------------ 434| 42| return parse_eol_comment(sf); 435| 10.1k| } else if (pos + 1 < slen && cs[pos + 1] == '-' && (sf->flags & FLAG_SQL_ANSI)) { ------------------ | Branch (435:16): [True: 10.1k, False: 19] | Branch (435:34): [True: 7.45k, False: 2.69k] | Branch (435:56): [True: 1.15k, False: 6.30k] ------------------ 436| | /* --[not-white] not-white case: 437| | * 438| | */ 439| 1.15k| sf->stats_comment_ddx += 1; 440| 1.15k| return parse_eol_comment(sf); 441| 9.01k| } else { 442| 9.01k| st_assign_char(sf->current, TYPE_OPERATOR, pos, 1, '-'); 443| 9.01k| return pos + 1; 444| 9.01k| } 445| 10.4k|} libinjection_sqli.c:char_is_white: 186| 7.73k|static int char_is_white(char ch) { 187| | /* ' ' space is 0x20 188| | '\t' 0x09 \011 horizontal tab 189| | '\n' 0x0a \012 new line 190| | '\v' 0x0b \013 vertical tab 191| | '\f' 0x0c \014 new page 192| | '\r' 0x0d \015 carriage return 193| | 0x00 \000 null (oracle) 194| | 0xa0 \240 is Latin-1 195| | */ 196| | return strchr(" \t\n\v\f\r\240\000", ch) != NULL; 197| 7.73k|} libinjection_sqli.c:parse_number: 1105| 3.89k|{ 1106| 3.89k| size_t xlen; 1107| 3.89k| size_t start; 
1108| 3.89k| const char* digits = NULL; 1109| 3.89k| const char *cs = sf->s; 1110| 3.89k| const size_t slen = sf->slen; 1111| 3.89k| size_t pos = sf->pos; 1112| 3.89k| int have_e = 0; 1113| 3.89k| int have_exp = 0; 1114| | 1115| | /* cs[pos] == '0' has 1/10 chance of being true, 1116| | * while pos+1< slen is almost always true 1117| | */ 1118| 3.89k| if (cs[pos] == '0' && pos + 1 < slen) { ------------------ | Branch (1118:9): [True: 715, False: 3.17k] | Branch (1118:27): [True: 712, False: 3] ------------------ 1119| 712| if (cs[pos + 1] == 'X' || cs[pos + 1] == 'x') { ------------------ | Branch (1119:13): [True: 0, False: 712] | Branch (1119:35): [True: 0, False: 712] ------------------ 1120| 0| digits = "0123456789ABCDEFabcdef"; 1121| 712| } else if (cs[pos + 1] == 'B' || cs[pos + 1] == 'b') { ------------------ | Branch (1121:20): [True: 0, False: 712] | Branch (1121:42): [True: 1, False: 711] ------------------ 1122| 1| digits = "01"; 1123| 1| } 1124| | 1125| 712| if (digits) { ------------------ | Branch (1125:13): [True: 1, False: 711] ------------------ 1126| 1| xlen = strlenspn(cs + pos + 2, slen - pos - 2, digits); 1127| 1| if (xlen == 0) { ------------------ | Branch (1127:17): [True: 1, False: 0] ------------------ 1128| 1| st_assign(sf->current, TYPE_BAREWORD, pos, 2, cs + pos); 1129| 1| return pos + 2; 1130| 1| } else { 1131| 0| st_assign(sf->current, TYPE_NUMBER, pos, 2 + xlen, cs + pos); 1132| 0| return pos + 2 + xlen; 1133| 0| } 1134| 1| } 1135| 712| } 1136| | 1137| 3.89k| start = pos; 1138| 8.35k| while (pos < slen && ISDIGIT(cs[pos])) { ------------------ | | 39| 8.34k|#define ISDIGIT(a) ((unsigned)((a) - '0') <= 9) | | ------------------ | | | Branch (39:20): [True: 4.46k, False: 3.88k] | | ------------------ ------------------ | Branch (1138:12): [True: 8.34k, False: 8] ------------------ 1139| 4.46k| pos += 1; 1140| 4.46k| } 1141| | 1142| 3.89k| if (pos < slen && cs[pos] == '.') { ------------------ | Branch (1142:9): [True: 3.88k, False: 8] 
| Branch (1142:23): [True: 1.60k, False: 2.27k] ------------------ 1143| 1.60k| pos += 1; 1144| 2.26k| while (pos < slen && ISDIGIT(cs[pos])) { ------------------ | | 39| 2.25k|#define ISDIGIT(a) ((unsigned)((a) - '0') <= 9) | | ------------------ | | | Branch (39:20): [True: 657, False: 1.60k] | | ------------------ ------------------ | Branch (1144:16): [True: 2.25k, False: 4] ------------------ 1145| 657| pos += 1; 1146| 657| } 1147| 1.60k| if (pos - start == 1) { ------------------ | Branch (1147:13): [True: 487, False: 1.11k] ------------------ 1148| | /* only one character read so far */ 1149| 487| st_assign_char(sf->current, TYPE_DOT, start, 1, '.'); 1150| 487| return pos; 1151| 487| } 1152| 1.60k| } 1153| | 1154| 3.40k| if (pos < slen) { ------------------ | Branch (1154:9): [True: 3.39k, False: 10] ------------------ 1155| 3.39k| if (cs[pos] == 'E' || cs[pos] == 'e') { ------------------ | Branch (1155:13): [True: 58, False: 3.33k] | Branch (1155:31): [True: 30, False: 3.30k] ------------------ 1156| 88| have_e = 1; 1157| 88| pos += 1; 1158| 88| if (pos < slen && (cs[pos] == '+' || cs[pos] == '-')) { ------------------ | Branch (1158:17): [True: 87, False: 1] | Branch (1158:32): [True: 0, False: 87] | Branch (1158:50): [True: 21, False: 66] ------------------ 1159| 21| pos += 1; 1160| 21| } 1161| 259| while (pos < slen && ISDIGIT(cs[pos])) { ------------------ | | 39| 254|#define ISDIGIT(a) ((unsigned)((a) - '0') <= 9) | | ------------------ | | | Branch (39:20): [True: 171, False: 83] | | ------------------ ------------------ | Branch (1161:20): [True: 254, False: 5] ------------------ 1162| 171| have_exp = 1; 1163| 171| pos += 1; 1164| 171| } 1165| 88| } 1166| 3.39k| } 1167| | 1168| | /* oracle's ending float or double suffix 1169| | * http://docs.oracle.com/cd/B19306_01/server.102/b14200/sql_elements003.htm#i139891 1170| | */ 1171| 3.40k| if (pos < slen && (cs[pos] == 'd' || cs[pos] == 'D' || cs[pos] == 'f' || cs[pos] == 'F')) { ------------------ | 
Branch (1171:9): [True: 3.38k, False: 15] | Branch (1171:24): [True: 11, False: 3.37k] | Branch (1171:42): [True: 33, False: 3.34k] | Branch (1171:60): [True: 1, False: 3.34k] | Branch (1171:78): [True: 3, False: 3.34k] ------------------ 1172| 48| if (pos + 1 == slen) { ------------------ | Branch (1172:13): [True: 25, False: 23] ------------------ 1173| | /* line ends evaluate "... 1.2f$" as '1.2f' */ 1174| 25| pos += 1; 1175| 25| } else if ((char_is_white(cs[pos+1]) || cs[pos+1] == ';')) { ------------------ | Branch (1175:21): [True: 6, False: 17] | Branch (1175:49): [True: 0, False: 17] ------------------ 1176| | /* 1177| | * easy case, evaluate "... 1.2f ... as '1.2f' 1178| | */ 1179| 6| pos += 1; 1180| 17| } else if (cs[pos+1] == 'u' || cs[pos+1] == 'U') { ------------------ | Branch (1180:20): [True: 2, False: 15] | Branch (1180:40): [True: 0, False: 15] ------------------ 1181| | /* 1182| | * a bit of a hack but makes '1fUNION' parse as '1f UNION' 1183| | */ 1184| 2| pos += 1; 1185| 15| } else { 1186| | /* it's like "123FROM" */ 1187| | /* parse as "123" only */ 1188| 15| } 1189| 48| } 1190| | 1191| 3.40k| if (have_e == 1 && have_exp == 0) { ------------------ | Branch (1191:9): [True: 88, False: 3.31k] | Branch (1191:24): [True: 67, False: 21] ------------------ 1192| | /* very special form of 1193| | * "1234.e" 1194| | * "10.10E" 1195| | * ".E" 1196| | * this is a WORD not a number!! 
*/ 1197| 67| st_assign(sf->current, TYPE_BAREWORD, start, pos - start, cs + start); 1198| 3.33k| } else { 1199| 3.33k| st_assign(sf->current, TYPE_NUMBER, start, pos - start, cs + start); 1200| 3.33k| } 1201| 3.40k| return pos; 1202| 3.89k|} libinjection_sqli.c:parse_slash: 489| 3.25k|{ 490| 3.25k| const char* ptr; 491| 3.25k| size_t clen; 492| 3.25k| const char *cs = sf->s; 493| 3.25k| const size_t slen = sf->slen; 494| 3.25k| size_t pos = sf->pos; 495| 3.25k| const char* cur = cs + pos; 496| 3.25k| char ctype = TYPE_COMMENT; 497| 3.25k| size_t pos1 = pos + 1; 498| 3.25k| if (pos1 == slen || cs[pos1] != '*') { ------------------ | Branch (498:9): [True: 18, False: 3.24k] | Branch (498:25): [True: 3.17k, False: 65] ------------------ 499| 3.19k| return parse_operator1(sf); 500| 3.19k| } 501| | 502| | /* 503| | * skip over initial '/x' 504| | */ 505| 65| ptr = memchr2(cur + 2, slen - (pos + 2), '*', '/'); 506| 65| if (ptr == NULL) { ------------------ | Branch (506:9): [True: 30, False: 35] ------------------ 507| | /* till end of line */ 508| 30| clen = slen - pos; 509| 35| } else { 510| 35| clen = (size_t)(ptr + 2 - cur); 511| 35| } 512| | 513| | /* 514| | * postgresql allows nested comments which makes 515| | * this incompatible with parsing so 516| | * if we find a '/x' inside the comment, then 517| | * make a new token. 518| | * 519| | * Also, Mysql's "conditional" comments for version 520| | * are an automatic black ban! 
521| | */ 522| | 523| 65| if ( 524| 65| ptr != NULL && ------------------ | Branch (524:9): [True: 35, False: 30] ------------------ 525| 35| memchr2(cur + 2, (size_t)(ptr - (cur + 1)), '/', '*') != NULL ------------------ | Branch (525:9): [True: 18, False: 17] ------------------ 526| 65| ) { 527| 18| ctype = TYPE_EVIL; 528| 47| } else if (is_mysql_comment(cs, slen, pos)) { ------------------ | Branch (528:16): [True: 0, False: 47] ------------------ 529| 0| ctype = TYPE_EVIL; 530| 0| } 531| | 532| 65| st_assign(sf->current, ctype, pos, clen, cs + pos); 533| 65| return pos + clen; 534| 3.25k|} libinjection_sqli.c:is_mysql_comment: 466| 47|{ 467| | /* so far... 468| | * cs[pos] == '/' && cs[pos+1] == '*' 469| | */ 470| | 471| 47| if (pos + 2 >= len) { ------------------ | Branch (471:9): [True: 1, False: 46] ------------------ 472| | /* not a mysql comment */ 473| 1| return 0; 474| 1| } 475| | 476| 46| if (cs[pos + 2] != '!') { ------------------ | Branch (476:9): [True: 46, False: 0] ------------------ 477| | /* not a mysql comment */ 478| 46| return 0; 479| 46| } 480| | 481| | /* 482| | * this is a mysql comment 483| | * got "/x!" 484| | */ 485| 0| return 1; 486| 46|} libinjection_sqli.c:parse_other: 367| 541|{ 368| 541| const char *cs = sf->s; 369| 541| size_t pos = sf->pos; 370| | 371| 541| st_assign_char(sf->current, TYPE_UNKNOWN, pos, 1, cs[pos]); 372| 541| return pos + 1; 373| 541|} libinjection_sqli.c:parse_var: 973| 175|{ 974| 175| size_t xlen; 975| 175| const char *cs = sf->s; 976| 175| const size_t slen = sf->slen; 977| 175| size_t pos = sf->pos + 1; 978| | 979| | /* 980| | * var_count is only used to reconstruct 981| | * the input. 
It counts the number of '@' 982| | * seen 0 in the case of NULL, 1 or 2 983| | */ 984| | 985| | /* 986| | * move past optional other '@' 987| | */ 988| 175| if (pos < slen && cs[pos] == '@') { ------------------ | Branch (988:9): [True: 165, False: 10] | Branch (988:23): [True: 11, False: 154] ------------------ 989| 11| pos += 1; 990| 11| sf->current->count = 2; 991| 164| } else { 992| 164| sf->current->count = 1; 993| 164| } 994| | 995| | /* 996| | * MySQL allows @@`version` 997| | */ 998| 175| if (pos < slen) { ------------------ | Branch (998:9): [True: 165, False: 10] ------------------ 999| 165| if (cs[pos] == '`') { ------------------ | Branch (999:13): [True: 3, False: 162] ------------------ 1000| 3| sf->pos = pos; 1001| 3| pos = parse_tick(sf); 1002| 3| sf->current->type = TYPE_VARIABLE; 1003| 3| return pos; 1004| 162| } else if (cs[pos] == CHAR_SINGLE || cs[pos] == CHAR_DOUBLE) { ------------------ | | 34| 324|#define CHAR_SINGLE '\'' ------------------ } else if (cs[pos] == CHAR_SINGLE || cs[pos] == CHAR_DOUBLE) { ------------------ | | 35| 161|#define CHAR_DOUBLE '"' ------------------ | Branch (1004:20): [True: 1, False: 161] | Branch (1004:46): [True: 12, False: 149] ------------------ 1005| 13| sf->pos = pos; 1006| 13| pos = parse_string(sf); 1007| 13| sf->current->type = TYPE_VARIABLE; 1008| 13| return pos; 1009| 13| } 1010| 165| } 1011| | 1012| | 1013| 159| xlen = strlencspn(cs + pos, slen - pos, 1014| 159| " <>:\\?=@!#~+-*/&|^%(),';\t\n\v\f\r'`\""); 1015| 159| if (xlen == 0) { ------------------ | Branch (1015:9): [True: 63, False: 96] ------------------ 1016| 63| st_assign(sf->current, TYPE_VARIABLE, pos, 0, cs + pos); 1017| 63| return pos; 1018| 96| } else { 1019| 96| st_assign(sf->current, TYPE_VARIABLE, pos, xlen, cs + pos); 1020| 96| return pos + xlen; 1021| 96| } 1022| 159|} libinjection_sqli.c:strlencspn: 174| 9.40k|{ 175| 9.40k| size_t i; 176| 62.1k| for (i = 0; i < len; ++i) { ------------------ | Branch (176:17): [True: 61.8k, False: 
388] ------------------ 177| | /* likely we can do better by inlining this function 178| | * but this works for now 179| | */ 180| 61.8k| if (strchr(accept, s[i]) != NULL) { ------------------ | Branch (180:13): [True: 9.01k, False: 52.7k] ------------------ 181| 9.01k| return i; 182| 9.01k| } 183| 61.8k| } 184| 388| return len; 185| 9.40k|} libinjection_sqli.c:parse_word: 897| 9.24k|{ 898| 9.24k| char ch; 899| 9.24k| char delim; 900| 9.24k| size_t i; 901| 9.24k| const char *cs = sf->s; 902| 9.24k| size_t pos = sf->pos; 903| 9.24k| size_t wlen = strlencspn(cs + pos, sf->slen - pos, 904| 9.24k| " []{}<>:\\?=@!#~+-*/&|^%(),';\t\n\v\f\r\"\240\000"); 905| | 906| 9.24k| st_assign(sf->current, TYPE_BAREWORD, pos, wlen, cs + pos); 907| | 908| | /* now we need to look inside what we good for "." and "`" 909| | * and see if what is before is a keyword or not 910| | */ 911| 58.9k| for (i =0; i < sf->current->len; ++i) { ------------------ | Branch (911:16): [True: 49.7k, False: 9.24k] ------------------ 912| 49.7k| delim = sf->current->val[i]; 913| 49.7k| if (delim == '.' || delim == '`') { ------------------ | Branch (913:13): [True: 1.30k, False: 48.4k] | Branch (913:29): [True: 215, False: 48.2k] ------------------ 914| 1.52k| ch = sf->lookup(sf, LOOKUP_WORD, sf->current->val, i); 915| 1.52k| if (ch != TYPE_NONE && ch != TYPE_BAREWORD) { ------------------ | Branch (915:17): [True: 5, False: 1.51k] | Branch (915:36): [True: 2, False: 3] ------------------ 916| | /* needed for swig */ 917| 2| st_clear(sf->current); 918| | /* 919| | * we got something like "SELECT.1" 920| | * or SELECT`column` 921| | */ 922| 2| st_assign(sf->current, ch, pos, i, cs + pos); 923| 2| return pos + i; 924| 2| } 925| 1.52k| } 926| 49.7k| } 927| | 928| | /* 929| | * do normal lookup with word including '.' 
930| | */ 931| 9.24k| if (wlen < LIBINJECTION_SQLI_TOKEN_SIZE) { ------------------ | | 23| 9.24k|#define LIBINJECTION_SQLI_TOKEN_SIZE sizeof(((stoken_t*)(0))->val) ------------------ | Branch (931:9): [True: 9.02k, False: 215] ------------------ 932| | 933| 9.02k| ch = sf->lookup(sf, LOOKUP_WORD, sf->current->val, wlen); 934| 9.02k| if (ch == CHAR_NULL) { ------------------ | | 33| 9.02k|#define CHAR_NULL '\0' ------------------ | Branch (934:13): [True: 8.86k, False: 160] ------------------ 935| 8.86k| ch = TYPE_BAREWORD; 936| 8.86k| } 937| 9.02k| sf->current->type = ch; 938| 9.02k| } 939| 9.24k| return pos + wlen; 940| 9.24k|} libinjection_sqli.c:parse_bstring: 826| 141|{ 827| 141| size_t wlen; 828| 141| const char *cs = sf->s; 829| 141| size_t pos = sf->pos; 830| 141| size_t slen = sf->slen; 831| | 832| | /* need at least 2 more characters 833| | * if next char isn't a single quote, then 834| | * continue as normal word 835| | */ 836| 141| if (pos + 2 >= slen || cs[pos+1] != '\'') { ------------------ | Branch (836:9): [True: 7, False: 134] | Branch (836:28): [True: 134, False: 0] ------------------ 837| 141| return parse_word(sf); 838| 141| } 839| | 840| 0| wlen = strlenspn(cs + pos + 2, sf->slen - pos - 2, "01"); 841| 0| if (pos + 2 + wlen >= slen || cs[pos + 2 + wlen] != '\'') { ------------------ | Branch (841:9): [True: 0, False: 0] | Branch (841:36): [True: 0, False: 0] ------------------ 842| 0| return parse_word(sf); 843| 0| } 844| 0| st_assign(sf->current, TYPE_NUMBER, pos, wlen + 3, cs + pos); 845| 0| return pos + 2 + wlen + 1; 846| 0|} libinjection_sqli.c:parse_estring: 719| 307|{ 720| 307| const char *cs = sf->s; 721| 307| const size_t slen = sf->slen; 722| 307| size_t pos = sf->pos; 723| | 724| 307| if (pos + 2 >= slen || cs[pos+1] != CHAR_SINGLE) { ------------------ | | 34| 294|#define CHAR_SINGLE '\'' ------------------ | Branch (724:9): [True: 13, False: 294] | Branch (724:28): [True: 283, False: 11] ------------------ 725| 296| return 
parse_word(sf); 726| 296| } 727| 11| return parse_string_core(cs, slen, pos, sf->current, CHAR_SINGLE, 2); ------------------ | | 34| 11|#define CHAR_SINGLE '\'' ------------------ 728| 307|} libinjection_sqli.c:parse_nqstring: 812| 194|{ 813| 194| size_t slen = sf->slen; 814| 194| size_t pos = sf->pos; 815| 194| if (pos + 2 < slen && sf->s[pos+1] == CHAR_SINGLE) { ------------------ | | 34| 192|#define CHAR_SINGLE '\'' ------------------ | Branch (815:9): [True: 192, False: 2] | Branch (815:27): [True: 11, False: 181] ------------------ 816| 11| return parse_estring(sf); 817| 11| } 818| 183| return parse_qstring_core(sf, 1); 819| 194|} libinjection_sqli.c:parse_qstring_core: 750| 551|{ 751| 551| char ch; 752| 551| const char *strend; 753| 551| const char *cs = sf->s; 754| 551| size_t slen = sf->slen; 755| 551| size_t pos = sf->pos + offset; 756| | 757| | /* if we are already at end of string.. 758| | if current char is not q or Q 759| | if we don't have 2 more chars 760| | if char2 != a single quote 761| | then, just treat as word 762| | */ 763| 551| if (pos >= slen || ------------------ | Branch (763:9): [True: 2, False: 549] ------------------ 764| 549| (cs[pos] != 'q' && cs[pos] != 'Q') || ------------------ | Branch (764:10): [True: 221, False: 328] | Branch (764:28): [True: 181, False: 40] ------------------ 765| 368| pos + 2 >= slen || ------------------ | Branch (765:9): [True: 6, False: 362] ------------------ 766| 362| cs[pos + 1] != '\'') { ------------------ | Branch (766:9): [True: 157, False: 205] ------------------ 767| 346| return parse_word(sf); 768| 346| } 769| | 770| 205| ch = cs[pos + 2]; 771| | 772| | /* the ch > 127 is un-needed since 773| | * we assume char is signed 774| | */ 775| 205| if (ch < 33 /* || ch > 127 */) { ------------------ | Branch (775:9): [True: 87, False: 118] ------------------ 776| 87| return parse_word(sf); 777| 87| } 778| 118| switch (ch) { ------------------ | Branch (778:13): [True: 7, False: 111] ------------------ 
779| 3| case '(' : ch = ')'; break; ------------------ | Branch (779:5): [True: 3, False: 115] ------------------ 780| 2| case '[' : ch = ']'; break; ------------------ | Branch (780:5): [True: 2, False: 116] ------------------ 781| 2| case '{' : ch = '}'; break; ------------------ | Branch (781:5): [True: 2, False: 116] ------------------ 782| 0| case '<' : ch = '>'; break; ------------------ | Branch (782:5): [True: 0, False: 118] ------------------ 783| 118| } 784| | 785| 118| strend = memchr2(cs + pos + 3, slen - pos - 3, ch, '\''); 786| 118| if (strend == NULL) { ------------------ | Branch (786:9): [True: 105, False: 13] ------------------ 787| 105| st_assign(sf->current, TYPE_STRING, pos + 3, slen - pos - 3, cs + pos + 3); 788| 105| sf->current->str_open = 'q'; 789| 105| sf->current->str_close = CHAR_NULL; ------------------ | | 33| 105|#define CHAR_NULL '\0' ------------------ 790| 105| return slen; 791| 105| } else { 792| 13| st_assign(sf->current, TYPE_STRING, pos + 3, (size_t)(strend - cs) - pos - 3, cs + pos + 3); 793| 13| sf->current->str_open = 'q'; 794| 13| sf->current->str_close = 'q'; 795| 13| return (size_t)(strend - cs + 2); 796| 13| } 797| 118|} libinjection_sqli.c:parse_qstring: 803| 368|{ 804| 368| return parse_qstring_core(sf, 0); 805| 368|} libinjection_sqli.c:parse_ustring: 731| 510|{ 732| 510| const char *cs = sf->s; 733| 510| size_t slen = sf->slen; 734| 510| size_t pos = sf->pos; 735| | 736| 510| if (pos + 2 < slen && cs[pos+1] == '&' && cs[pos+2] == '\'') { ------------------ | Branch (736:9): [True: 507, False: 3] | Branch (736:27): [True: 0, False: 507] | Branch (736:47): [True: 0, False: 0] ------------------ 737| 0| sf->pos += 2; 738| 0| pos = parse_string(sf); 739| 0| sf->current->str_open = 'u'; 740| 0| if (sf->current->str_close == '\'') { ------------------ | Branch (740:13): [True: 0, False: 0] ------------------ 741| 0| sf->current->str_close = 'u'; 742| 0| } 743| 0| return pos; 744| 510| } else { 745| 510| return 
parse_word(sf); 746| 510| } 747| 510|} libinjection_sqli.c:parse_xstring: 855| 57|{ 856| 57| size_t wlen; 857| 57| const char *cs = sf->s; 858| 57| size_t pos = sf->pos; 859| 57| size_t slen = sf->slen; 860| | 861| | /* need at least 2 more characters 862| | * if next char isn't a single quote, then 863| | * continue as normal word 864| | */ 865| 57| if (pos + 2 >= slen || cs[pos+1] != '\'') { ------------------ | Branch (865:9): [True: 1, False: 56] | Branch (865:28): [True: 55, False: 1] ------------------ 866| 56| return parse_word(sf); 867| 56| } 868| | 869| 1| wlen = strlenspn(cs + pos + 2, sf->slen - pos - 2, "0123456789ABCDEFabcdef"); 870| 1| if (pos + 2 + wlen >= slen || cs[pos + 2 + wlen] != '\'') { ------------------ | Branch (870:9): [True: 0, False: 1] | Branch (870:36): [True: 1, False: 0] ------------------ 871| 1| return parse_word(sf); 872| 1| } 873| 0| st_assign(sf->current, TYPE_NUMBER, pos, wlen + 3, cs + pos); 874| 0| return pos + 2 + wlen + 1; 875| 1|} libinjection_sqli.c:parse_bword: 883| 191|{ 884| 191| const char *cs = sf->s; 885| 191| size_t pos = sf->pos; 886| 191| const char* endptr = (const char*) memchr(cs + pos, ']', sf->slen - pos); 887| 191| if (endptr == NULL) { ------------------ | Branch (887:9): [True: 144, False: 47] ------------------ 888| 144| st_assign(sf->current, TYPE_BAREWORD, pos, sf->slen - pos, cs + pos); 889| 144| return sf->slen; 890| 144| } else { 891| 47| st_assign(sf->current, TYPE_BAREWORD, pos, (size_t)(endptr - cs) - pos + 1, cs + pos); 892| 47| return (size_t)((endptr - cs) + 1); 893| 47| } 894| 191|} libinjection_sqli.c:parse_backslash: 538| 2.15k|{ 539| 2.15k| const char *cs = sf->s; 540| 2.15k| const size_t slen = sf->slen; 541| 2.15k| size_t pos = sf->pos; 542| | 543| | /* 544| | * Weird MySQL alias for NULL, "\N" (capital N only) 545| | */ 546| 2.15k| if (pos + 1 < slen && cs[pos +1] == 'N') { ------------------ | Branch (546:9): [True: 2.15k, False: 3] | Branch (546:27): [True: 31, False: 2.12k] 
------------------ 547| 31| st_assign(sf->current, TYPE_NUMBER, pos, 2, cs + pos); 548| 31| return pos + 2; 549| 2.12k| } else { 550| 2.12k| st_assign_char(sf->current, TYPE_BACKSLASH, pos, 1, cs[pos]); 551| 2.12k| return pos + 1; 552| 2.12k| } 553| 2.15k|} libinjection_sqli.c:parse_tick: 947| 99|{ 948| 99| size_t pos = parse_string_core(sf->s, sf->slen, sf->pos, sf->current, CHAR_TICK, 1); ------------------ | | 36| 99|#define CHAR_TICK '`' ------------------ 949| | 950| | /* we could check to see if start and end of 951| | * of string are both "`", i.e. make sure we have 952| | * matching set. `foo` vs. `foo 953| | * but I don't think it matters much 954| | */ 955| | 956| | /* check value of string to see if it's a keyword, 957| | * function, operator, etc 958| | */ 959| 99| char ch = sf->lookup(sf, LOOKUP_WORD, sf->current->val, sf->current->len); 960| 99| if (ch == TYPE_FUNCTION) { ------------------ | Branch (960:9): [True: 0, False: 99] ------------------ 961| | /* if it's a function, then convert token */ 962| 0| sf->current->type = TYPE_FUNCTION; 963| 99| } else { 964| | /* otherwise it's a 'n' type -- mysql treats 965| | * everything as a bare word 966| | */ 967| 99| sf->current->type = TYPE_BAREWORD; 968| 99| } 969| 99| return pos; 970| 99|} libinjection_sqli.c:st_is_unary_op: 327| 45.1k|{ 328| 45.1k| const char* str = st->val; 329| 45.1k| const size_t len = st->len; 330| | 331| 45.1k| if (st->type != TYPE_OPERATOR) { ------------------ | Branch (331:9): [True: 13.0k, False: 32.0k] ------------------ 332| 13.0k| return FALSE; ------------------ | | 30| 13.0k|#define FALSE 0 ------------------ 333| 13.0k| } 334| | 335| 32.0k| switch (len) { 336| 30.8k| case 1: ------------------ | Branch (336:5): [True: 30.8k, False: 1.26k] ------------------ 337| 30.8k| return *str == '+' || *str == '-' || *str == '!' 
|| *str == '~'; ------------------ | Branch (337:16): [True: 0, False: 30.8k] | Branch (337:31): [True: 9.54k, False: 21.2k] | Branch (337:46): [True: 528, False: 20.7k] | Branch (337:61): [True: 15.6k, False: 5.04k] ------------------ 338| 1.26k| case 2: ------------------ | Branch (338:5): [True: 1.26k, False: 30.8k] ------------------ 339| 1.26k| return str[0] == '!' && str[1] == '!'; ------------------ | Branch (339:16): [True: 347, False: 921] | Branch (339:33): [True: 274, False: 73] ------------------ 340| 0| case 3: ------------------ | Branch (340:5): [True: 0, False: 32.0k] ------------------ 341| 0| return cstrcasecmp("NOT", str, 3) == 0; 342| 0| default: ------------------ | Branch (342:5): [True: 0, False: 32.0k] ------------------ 343| 0| return FALSE; ------------------ | | 30| 0|#define FALSE 0 ------------------ 344| 32.0k| } 345| 32.0k|} libinjection_sqli.c:st_copy: /* Copies one whole stoken_t from src to dest with memcpy. */ 315| 4.89k|{ 316| 4.89k| memcpy(dest, src, sizeof(stoken_t)); 317| 4.89k|} libinjection_sqli.c:syntax_merge_words: /* Tries to merge tokens a and b into one multi-word token. Both token types must be in the sets tested below; the text of a, one space and the text of b are then joined in the stack buffer tmp and passed to sf->lookup. When the lookup returns a type, a is reassigned to the merged text and TRUE is returned; in every other case FALSE is returned and a is left alone. The joined length sz3 is rejected when it is >= LIBINJECTION_SQLI_TOKEN_SIZE before anything is copied, so both memcpy calls and the terminator write stay inside tmp (assuming sz1 + sz2 + 1 did not wrap). NOTE(review): the successful-merge branch (lines 1373-1374) has 0 hits in this report. */ 1324| 79.1k|{ 1325| 79.1k| size_t sz1; 1326| 79.1k| size_t sz2; 1327| 79.1k| size_t sz3; 1328| 79.1k| char tmp[LIBINJECTION_SQLI_TOKEN_SIZE]; 1329| 79.1k| char ch; 1330| | 1331| | /* first token is of right type? */ 1332| 79.1k| if (!
1333| 79.1k| (a->type == TYPE_KEYWORD || ------------------ | Branch (1333:10): [True: 228, False: 78.9k] ------------------ 1334| 78.9k| a->type == TYPE_BAREWORD || ------------------ | Branch (1334:10): [True: 22.2k, False: 56.7k] ------------------ 1335| 56.7k| a->type == TYPE_OPERATOR || ------------------ | Branch (1335:10): [True: 11.2k, False: 45.4k] ------------------ 1336| 45.4k| a->type == TYPE_UNION || ------------------ | Branch (1336:10): [True: 20, False: 45.4k] ------------------ 1337| 45.4k| a->type == TYPE_FUNCTION || ------------------ | Branch (1337:10): [True: 26, False: 45.4k] ------------------ 1338| 45.4k| a->type == TYPE_EXPRESSION || ------------------ | Branch (1338:10): [True: 63, False: 45.3k] ------------------ 1339| 45.3k| a->type == TYPE_TSQL || ------------------ | Branch (1339:10): [True: 49, False: 45.2k] ------------------ 1340| 45.2k| a->type == TYPE_SQLTYPE)) { ------------------ | Branch (1340:10): [True: 0, False: 45.2k] ------------------ 1341| 45.2k| return FALSE; ------------------ | | 30| 45.2k|#define FALSE 0 ------------------ 1342| 45.2k| } 1343| | 1344| 33.8k| if (! 
1345| 33.8k| (b->type == TYPE_KEYWORD || ------------------ | Branch (1345:10): [True: 11, False: 33.8k] ------------------ 1346| 33.8k| b->type == TYPE_BAREWORD || ------------------ | Branch (1346:10): [True: 4.51k, False: 29.3k] ------------------ 1347| 29.3k| b->type == TYPE_OPERATOR || ------------------ | Branch (1347:10): [True: 10.8k, False: 18.5k] ------------------ 1348| 18.5k| b->type == TYPE_UNION || ------------------ | Branch (1348:10): [True: 20, False: 18.5k] ------------------ 1349| 18.5k| b->type == TYPE_FUNCTION || ------------------ | Branch (1349:10): [True: 7, False: 18.5k] ------------------ 1350| 18.5k| b->type == TYPE_EXPRESSION || ------------------ | Branch (1350:10): [True: 32, False: 18.4k] ------------------ 1351| 18.4k| b->type == TYPE_TSQL || ------------------ | Branch (1351:10): [True: 9, False: 18.4k] ------------------ 1352| 18.4k| b->type == TYPE_SQLTYPE || ------------------ | Branch (1352:10): [True: 0, False: 18.4k] ------------------ 1353| 18.4k| b->type == TYPE_LOGIC_OPERATOR)) { ------------------ | Branch (1353:10): [True: 48, False: 18.4k] ------------------ 1354| 18.4k| return FALSE; ------------------ | | 30| 18.4k|#define FALSE 0 ------------------ 1355| 18.4k| } 1356| | 1357| 15.4k| sz1 = a->len; 1358| 15.4k| sz2 = b->len; 1359| 15.4k| sz3 = sz1 + sz2 + 1; /* +1 for space in the middle */ 1360| 15.4k| if (sz3 >= LIBINJECTION_SQLI_TOKEN_SIZE) { /* make sure there is room for ending null */ ------------------ | | 23| 15.4k|#define LIBINJECTION_SQLI_TOKEN_SIZE sizeof(((stoken_t*)(0))->val) ------------------ | Branch (1360:9): [True: 697, False: 14.7k] ------------------ 1361| 697| return FALSE; ------------------ | | 30| 697|#define FALSE 0 ------------------ 1362| 697| } 1363| | /* 1364| | * oddly annoying last.val + ' ' + current.val 1365| | */ 1366| 14.7k| memcpy(tmp, a->val, sz1); 1367| 14.7k| tmp[sz1] = ' '; 1368| 14.7k| memcpy(tmp + sz1 + 1, b->val, sz2); 1369| 14.7k| tmp[sz3] = CHAR_NULL; ------------------ | | 
33| 14.7k|#define CHAR_NULL '\0' ------------------ 1370| 14.7k| ch = sf->lookup(sf, LOOKUP_WORD, tmp, sz3); 1371| | 1372| 14.7k| if (ch != CHAR_NULL) { ------------------ | | 33| 14.7k|#define CHAR_NULL '\0' ------------------ | Branch (1372:9): [True: 0, False: 14.7k] ------------------ 1373| 0| st_assign(a, ch, a->pos, sz3, tmp); 1374| 0| return TRUE; ------------------ | | 27| 0|#define TRUE 1 ------------------ 1375| 14.7k| } else { 1376| 14.7k| return FALSE; ------------------ | | 30| 14.7k|#define FALSE 0 ------------------ 1377| 14.7k| } 1378| 14.7k|} libinjection_sqli.c:cstrcasecmp: /* Compares the NUL-terminated string a with the first n bytes of b, folding only the bytes of b from ASCII a-z to upper case, so a lower-case letter in a never matches. Returns 0 only when all n bytes match and a ends right after them, 1 when they match but a is longer, the difference *a - cb at the first mismatch, and -1 when a NUL in a matches a NUL in b inside the first n bytes. b is read for at most n bytes; a is never read past its terminator. NOTE(review): the -1 branch (line 223) has 0 hits in this report. */ 212| 589k|{ 213| 589k| char cb; 214| | 215| 826k| for (; n > 0; a++, b++, n--) { ------------------ | Branch (215:12): [True: 807k, False: 19.1k] ------------------ 216| 807k| cb = *b; 217| 807k| if (cb >= 'a' && cb <= 'z') { ------------------ | Branch (217:13): [True: 211k, False: 595k] | Branch (217:26): [True: 181k, False: 30.6k] ------------------ 218| 181k| cb -= 0x20; 219| 181k| } 220| 807k| if (*a != cb) { ------------------ | Branch (220:13): [True: 570k, False: 236k] ------------------ 221| 570k| return *a - cb; 222| 570k| } else if (*a == '\0') { ------------------ | Branch (222:20): [True: 0, False: 236k] ------------------ 223| 0| return -1; 224| 0| } 225| 807k| } 226| | 227| 19.1k| return (*a == 0) ?
0 : 1; ------------------ | Branch (227:12): [True: 5.66k, False: 13.4k] ------------------ 228| 589k|} libinjection_sqli.c:st_is_arithmetic_op: /* Returns nonzero when st is a one-character TYPE_OPERATOR token holding one of the five arithmetic operator characters tested in the return expression. st->val[0] is read before the type and length are checked. */ 320| 1.94k|{ 321| 1.94k| const char ch = st->val[0]; 322| 1.94k| return (st->type == TYPE_OPERATOR && st->len == 1 && ------------------ | Branch (322:13): [True: 617, False: 1.33k] | Branch (322:42): [True: 372, False: 245] ------------------ 323| 372| (ch == '*' || ch == '/' || ch == '-' || ch == '+' || ch == '%')); ------------------ | Branch (323:14): [True: 3, False: 369] | Branch (323:27): [True: 3, False: 366] | Branch (323:40): [True: 36, False: 330] | Branch (323:53): [True: 0, False: 330] | Branch (323:66): [True: 0, False: 330] ------------------ 324| 1.94k|} libinjection_sqli.c:streq: /* Returns nonzero when the two NUL-terminated strings compare equal with strcmp. */ 235| 15.8k|{ 236| 15.8k| return strcmp(a, b) == 0; 237| 15.8k|} libinjection_sqli.c:bsearch_keyword_type: /* Binary search of the keywords table (numb entries) for key, comparing each candidate word against len bytes of key with cstrcasecmp. Returns the type of the matching entry, or CHAR_NULL when no entry matches. The search is only valid if the table is sorted in the order cstrcasecmp defines. NOTE(review): right starts at numb - 1, which wraps to the largest size_t for numb == 0 and would index far outside the table - presumably every caller passes a non-empty table; confirm. */ 251| 37.6k|{ 252| 37.6k| size_t pos; 253| 37.6k| size_t left = 0; 254| 37.6k| size_t right = numb - 1; 255| | 256| 537k| while (left < right) { ------------------ | Branch (256:12): [True: 499k, False: 37.6k] ------------------ 257| 499k| pos = (left + right) >> 1; 258| | 259| | /* arg0 = upper case only, arg1 = mixed case */ 260| 499k| if (cstrcasecmp(keywords[pos].word, key, len) < 0) { ------------------ | Branch (260:13): [True: 218k, False: 281k] ------------------ 261| 218k| left = pos + 1; 262| 281k| } else { 263| 281k| right = pos; 264| 281k| } 265| 499k| } 266| 37.6k| if ((left == right) && cstrcasecmp(keywords[left].word, key, len) == 0) { ------------------ | Branch (266:9): [True: 37.6k, False: 0] | Branch (266:28): [True: 2.82k, False: 34.7k] ------------------ 267| 2.82k| return keywords[left].type; 268| 34.7k| } else { 269| 34.7k| return CHAR_NULL; ------------------ | | 33| 34.7k|#define CHAR_NULL '\0' ------------------ 270| 34.7k| } 271| 37.6k|} libinjection_sqli.c:is_keyword: /* Looks key (len bytes) up in the sql_keywords table of sql_keywords_sz entries through bsearch_keyword_type and returns its result. */ 274| 3.56k|{ 275| 3.56k| return bsearch_keyword_type(key, len, sql_keywords, sql_keywords_sz); 276| 3.56k|}
libinjection_sqli.c:my_memmem: /* Finds the first occurrence of the nlen-byte needle inside the hlen-byte haystack and returns a pointer to it, or NULL when there is none. A candidate position is compared in full with memcmp only after its first byte matches. NOTE(review): last = haystack + hlen - nlen lands before haystack when hlen < nlen, which is undefined pointer arithmetic; the asserts cover only non-NULL arguments and nlen > 1, and they compile away under NDEBUG - presumably callers guarantee hlen >= nlen; confirm. */ 130| 138|{ 131| 138| const char* cur; 132| 138| const char* last; 133| 138| assert(haystack); ------------------ | Branch (133:5): [True: 0, False: 138] | Branch (133:5): [True: 138, False: 0] ------------------ 134| 138| assert(needle); ------------------ | Branch (134:5): [True: 0, False: 138] | Branch (134:5): [True: 138, False: 0] ------------------ 135| 138| assert(nlen > 1); ------------------ | Branch (135:5): [True: 0, False: 138] | Branch (135:5): [True: 138, False: 0] ------------------ 136| 138| last = haystack + hlen - nlen; 137| 14.4k| for (cur = haystack; cur <= last; ++cur) { ------------------ | Branch (137:26): [True: 14.3k, False: 114] ------------------ 138| 14.3k| if (cur[0] == needle[0] && memcmp(cur, needle, nlen) == 0) { ------------------ | Branch (138:13): [True: 871, False: 13.4k] | Branch (138:36): [True: 24, False: 847] ------------------ 139| 24| return cur; 140| 24| } 141| 14.3k| } 142| 114| return NULL; 143| 138|} libinjection_sqli.c:reparse_as_mysql: /* Returns nonzero when either sql_state->stats_comment_ddx or sql_state->stats_comment_hash is nonzero. */ 2237| 1.98k|{ 2238| 1.98k| return sql_state->stats_comment_ddx || ------------------ | Branch (2238:12): [True: 918, False: 1.06k] ------------------ 2239| 1.06k| sql_state->stats_comment_hash; ------------------ | Branch (2239:9): [True: 223, False: 839] ------------------ 2240| 1.98k|} libinjection_is_xss: 419| 7.49k|{ 420| 7.49k| h5_state_t h5; 421| 7.49k| attribute_t attr = TYPE_NONE; 422| | 423| 7.49k| libinjection_h5_init(&h5, s, len, (enum html5_flags) flags); 424| 43.9k| while (libinjection_h5_next(&h5)) { ------------------ | Branch (424:12): [True: 36.4k, False: 7.48k] ------------------ 425| 36.4k| if (h5.token_type != ATTR_VALUE) { ------------------ | Branch (425:13): [True: 29.5k, False: 6.86k] ------------------ 426| 29.5k| attr = TYPE_NONE; 427| 29.5k| } 428| | 429| 36.4k| if (h5.token_type == DOCTYPE) { ------------------ | Branch (429:13): [True: 0, False: 36.4k] ------------------ 430| 0| return 1; 431| 36.4k| } else if (h5.token_type ==
TAG_NAME_OPEN) { ------------------ | Branch (431:20): [True: 984, False: 35.4k] ------------------ 432| 984| if (is_black_tag(h5.token_start, h5.token_len)) { ------------------ | Branch (432:17): [True: 1, False: 983] ------------------ 433| 1| return 1; 434| 1| } 435| 35.4k| } else if (h5.token_type == ATTR_NAME) { ------------------ | Branch (435:20): [True: 15.8k, False: 19.5k] ------------------ 436| 15.8k| attr = is_black_attr(h5.token_start, h5.token_len); 437| 19.5k| } else if (h5.token_type == ATTR_VALUE) { ------------------ | Branch (437:20): [True: 6.86k, False: 12.7k] ------------------ 438| | /* 439| | * IE6,7,8 parsing works a bit differently so 440| | * a whole