1 /* 2 * ndpi_typedefs.h 3 * 4 * Copyright (C) 2011-21 - ntop.org 5 * 6 * This file is part of nDPI, an open source deep packet inspection 7 * library based on the OpenDPI and PACE technology by ipoque GmbH 8 * 9 * nDPI is free software: you can redistribute it and/or modify 10 * it under the terms of the GNU Lesser General Public License as published by 11 * the Free Software Foundation, either version 3 of the License, or 12 * (at your option) any later version. 13 * 14 * nDPI is distributed in the hope that it will be useful, 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 * GNU Lesser General Public License for more details. 18 * 19 * You should have received a copy of the GNU Lesser General Public License 20 * along with nDPI. If not, see <http://www.gnu.org/licenses/>. 21 * 22 */ 23 24 #ifndef __NDPI_TYPEDEFS_H__ 25 #define __NDPI_TYPEDEFS_H__ 26 27 #include "ndpi_define.h" 28 #include "ndpi_protocol_ids.h" 29 #include "ndpi_utils.h" 30 31 /* Used by both nDPI core and patricia code under third-party */ 32 #include "ndpi_patricia_typedefs.h" 33 34 #ifdef HAVE_MAXMINDDB 35 #include <maxminddb.h> 36 #endif 37 38 /* NDPI_LOG_LEVEL */ 39 typedef enum { 40 NDPI_LOG_ERROR, 41 NDPI_LOG_TRACE, 42 NDPI_LOG_DEBUG, 43 NDPI_LOG_DEBUG_EXTRA 44 } ndpi_log_level_t; 45 46 typedef enum { 47 ndpi_l4_proto_unknown = 0, 48 ndpi_l4_proto_tcp_only, 49 ndpi_l4_proto_udp_only, 50 ndpi_l4_proto_tcp_and_udp, 51 } ndpi_l4_proto_info; 52 53 typedef enum { 54 ndpi_no_tunnel = 0, 55 ndpi_gtp_tunnel, 56 ndpi_capwap_tunnel, 57 ndpi_tzsp_tunnel, 58 ndpi_l2tp_tunnel, 59 ndpi_vxlan_tunnel, 60 } ndpi_packet_tunnel; 61 62 /* 63 NOTE 64 When the typedef below is modified don't forget to update 65 - nDPI/wireshark/ndpi.lua 66 - ndpi_risk2str (in ndpi_utils.c) 67 - https://github.com/ntop/ntopng/blob/dev/scripts/lua/modules/flow_risk_utils.lua 68 - ndpi_risk_enum (in python/ndpi.py) 69 - ndpi_known_risks (ndpi_utils.c) 70 */ 71 typedef enum { 72 NDPI_NO_RISK = 0, 73 NDPI_URL_POSSIBLE_XSS, 74 NDPI_URL_POSSIBLE_SQL_INJECTION, 75 NDPI_URL_POSSIBLE_RCE_INJECTION, 76 NDPI_BINARY_APPLICATION_TRANSFER, 77 NDPI_KNOWN_PROTOCOL_ON_NON_STANDARD_PORT, 78 NDPI_TLS_SELFSIGNED_CERTIFICATE, 79 NDPI_TLS_OBSOLETE_VERSION, 80 NDPI_TLS_WEAK_CIPHER, 81 NDPI_TLS_CERTIFICATE_EXPIRED, 82 NDPI_TLS_CERTIFICATE_MISMATCH, /* 10 */ 83 NDPI_HTTP_SUSPICIOUS_USER_AGENT, 84 NDPI_HTTP_NUMERIC_IP_HOST, 85 NDPI_HTTP_SUSPICIOUS_URL, 86 NDPI_HTTP_SUSPICIOUS_HEADER, 87 NDPI_TLS_NOT_CARRYING_HTTPS, 88 NDPI_SUSPICIOUS_DGA_DOMAIN, 89 NDPI_MALFORMED_PACKET, 90 NDPI_SSH_OBSOLETE_CLIENT_VERSION_OR_CIPHER, 91 NDPI_SSH_OBSOLETE_SERVER_VERSION_OR_CIPHER, 92 NDPI_SMB_INSECURE_VERSION, /* 20 */ 93 NDPI_TLS_SUSPICIOUS_ESNI_USAGE, 94 NDPI_UNSAFE_PROTOCOL, 95 NDPI_DNS_SUSPICIOUS_TRAFFIC, 96 NDPI_TLS_MISSING_SNI, 97 NDPI_HTTP_SUSPICIOUS_CONTENT, 98 NDPI_RISKY_ASN, 99 NDPI_RISKY_DOMAIN, 100 NDPI_MALICIOUS_JA3, 101 NDPI_MALICIOUS_SHA1_CERTIFICATE, 102 NDPI_DESKTOP_OR_FILE_SHARING_SESSION, /* 30 */ 103 NDPI_TLS_UNCOMMON_ALPN, 104 NDPI_TLS_CERT_VALIDITY_TOO_LONG, 105 NDPI_TLS_EXTENSION_SUSPICIOUS, 106 107 /* Leave this as last member */ 108 NDPI_MAX_RISK /* must be <= 63 due to (**) */ 109 } ndpi_risk_enum; 110 111 typedef u_int64_t ndpi_risk; /* (**) */ 112 113 typedef enum { 114 NDPI_RISK_LOW, 115 NDPI_RISK_MEDIUM, 116 NDPI_RISK_HIGH, 117 NDPI_RISK_SEVERE 118 } ndpi_risk_severity; 119 120 typedef enum { 121 NDPI_SCORE_RISK_LOW = 10, 122 NDPI_SCORE_RISK_MEDIUM = 50, 123 NDPI_SCORE_RISK_HIGH = 100, 124 NDPI_SCORE_RISK_SEVERE = 250, 125 } ndpi_risk_score; 126 127 typedef enum { 128 CLIENT_NO_RISK_PERCENTAGE = 0, /* 100% server risk */ 129 CLIENT_LOW_RISK_PERCENTAGE = 10, /* 90% server risk */ 130 CLIENT_FAIR_RISK_PERCENTAGE = 50, /* 50% server risk */ 131 CLIENT_HIGH_RISK_PERCENTAGE = 90, /* 10% server risk */ 132 CLIENT_FULL_RISK_PERCENTAGE = 100 /* 0% server risk */ 133 } risk_percentage; 134 135 typedef struct { 136 ndpi_risk_enum risk; 137 ndpi_risk_severity severity; 138 risk_percentage default_client_risk_pctg; /* 0-100 */ 139 } ndpi_risk_info; 140 141 142 /* NDPI_VISIT */ 143 typedef enum { 144 ndpi_preorder, 145 ndpi_postorder, 146 ndpi_endorder, 147 ndpi_leaf 148 } ndpi_VISIT; 149 150 /* NDPI_NODE */ 151 typedef struct node_t { 152 char *key; 153 struct node_t *left, *right; 154 } ndpi_node; 155 156 /* NDPI_MASK_SIZE */ 157 typedef u_int32_t ndpi_ndpi_mask; 158 159 /* NDPI_PROTO_BITMASK_STRUCT */ 160 typedef struct ndpi_protocol_bitmask_struct { 161 ndpi_ndpi_mask fds_bits[NDPI_NUM_FDS_BITS]; 162 } ndpi_protocol_bitmask_struct_t; 163 164 /* NDPI_DEBUG_FUNCTION_PTR (cast) */ 165 typedef void (*ndpi_debug_function_ptr) (u_int32_t protocol, void *module_struct, 166 ndpi_log_level_t log_level, const char *file, 167 const char *func, unsigned line, 168 const char *format, ...); 169 170 /* ************************************************************ */ 171 /* ******************* NDPI NETWORKS HEADERS ****************** */ 172 /* ************************************************************ */ 173 174 /* ++++++++++++++++++++++++ Cisco headers +++++++++++++++++++++ */ 175 176 /* Cisco HDLC */ 177 #ifdef _MSC_VER 178 /* Windows */ 179 #define PACK_ON __pragma(pack(push, 1)) 180 #define PACK_OFF __pragma(pack(pop)) 181 #elif defined(__GNUC__) 182 /* GNU C */ 183 #define PACK_ON 184 #define PACK_OFF __attribute__((packed)) 185 #endif 186 187 PACK_ON 188 struct ndpi_chdlc 189 { 190 u_int8_t addr; /* 0x0F (Unicast) - 0x8F (Broadcast) */ 191 u_int8_t ctrl; /* always 0x00 */ 192 u_int16_t proto_code; /* protocol type (e.g. 0x0800 IP) */ 193 } PACK_OFF; 194 195 /* SLARP - Serial Line ARP http://tinyurl.com/qa54e95 */ 196 PACK_ON 197 struct ndpi_slarp 198 { 199 /* address requests (0x00) 200 address replies (0x01) 201 keep-alive (0x02) 202 */ 203 u_int32_t slarp_type; 204 u_int32_t addr_1; 205 u_int32_t addr_2; 206 } PACK_OFF; 207 208 /* Cisco Discovery Protocol http://tinyurl.com/qa6yw9l */ 209 PACK_ON 210 struct ndpi_cdp 211 { 212 u_int8_t version; 213 u_int8_t ttl; 214 u_int16_t checksum; 215 u_int16_t type; 216 u_int16_t length; 217 } PACK_OFF; 218 219 /* +++++++++++++++ Ethernet header (IEEE 802.3) +++++++++++++++ */ 220 221 PACK_ON 222 struct ndpi_ethhdr 223 { 224 u_char h_dest[6]; /* destination eth addr */ 225 u_char h_source[6]; /* source ether addr */ 226 u_int16_t h_proto; /* data length (<= 1500) or type ID proto (>=1536) */ 227 } PACK_OFF; 228 229 /* +++++++++++++++ ARP header +++++++++++++++ */ 230 PACK_ON 231 struct ndpi_arphdr { 232 u_int16_t ar_hrd;/* Format of hardware address. */ 233 u_int16_t ar_pro;/* Format of protocol address. */ 234 u_int8_t ar_hln;/* Length of hardware address. */ 235 u_int8_t ar_pln;/* Length of protocol address. */ 236 u_int16_t ar_op;/* ARP opcode (command). */ 237 u_char arp_sha[6];/* sender hardware address */ 238 u_int32_t arp_spa;/* sender protocol address */ 239 u_char arp_tha[6];/* target hardware address */ 240 u_int32_t arp_tpa;/* target protocol address */ 241 } PACK_OFF; 242 243 /* +++++++++++++++ DHCP header +++++++++++++++ */ 244 PACK_ON 245 struct ndpi_dhcphdr { 246 u_int8_t msgType; 247 u_int8_t htype; 248 u_int8_t hlen; 249 u_int8_t hops; 250 u_int32_t xid;/* 4 */ 251 u_int16_t secs;/* 8 */ 252 u_int16_t flags; 253 u_int32_t ciaddr;/* 12 */ 254 u_int32_t yiaddr;/* 16 */ 255 u_int32_t siaddr;/* 20 */ 256 u_int32_t giaddr;/* 24 */ 257 u_int8_t chaddr[16]; /* 28 */ 258 u_int8_t sname[64]; /* 44 */ 259 u_int8_t file[128]; /* 108 */ 260 u_int32_t magic; /* 236 */ 261 u_int8_t options[308]; 262 } PACK_OFF; 263 264 /* +++++++++++++++ MDNS rsp header +++++++++++++++ */ 265 PACK_ON 266 struct ndpi_mdns_rsp_entry { 267 u_int16_t rsp_type, rsp_class; 268 u_int32_t ttl; 269 u_int16_t data_len; 270 } PACK_OFF; 271 272 /* +++++++++++++++++++ LLC header (IEEE 802.2) ++++++++++++++++ */ 273 274 PACK_ON 275 struct ndpi_snap_extension 276 { 277 u_int16_t oui; 278 u_int8_t oui2; 279 u_int16_t proto_ID; 280 } PACK_OFF; 281 282 PACK_ON 283 struct ndpi_llc_header_snap 284 { 285 u_int8_t dsap; 286 u_int8_t ssap; 287 u_int8_t ctrl; 288 struct ndpi_snap_extension snap; 289 } PACK_OFF; 290 291 /* ++++++++++ RADIO TAP header (for IEEE 802.11) +++++++++++++ */ 292 PACK_ON 293 struct ndpi_radiotap_header 294 { 295 u_int8_t version; /* set to 0 */ 296 u_int8_t pad; 297 u_int16_t len; 298 u_int32_t present; 299 u_int64_t MAC_timestamp; 300 u_int8_t flags; 301 } PACK_OFF; 302 303 /* ++++++++++++ Wireless header (IEEE 802.11) ++++++++++++++++ */ 304 PACK_ON 305 struct ndpi_wifi_header 306 { 307 u_int16_t fc; 308 u_int16_t duration; 309 u_char rcvr[6]; 310 u_char trsm[6]; 311 u_char dest[6]; 312 u_int16_t seq_ctrl; 313 /* u_int64_t ccmp - for data encryption only - check fc.flag */ 314 } PACK_OFF; 315 316 /* +++++++++++++++++++++++ MPLS header +++++++++++++++++++++++ */ 317 318 PACK_ON 319 struct ndpi_mpls_header 320 { 321 /* Before using this strcut to parse an MPLS header, you will need to convert 322 * the 4-byte data to the correct endianess with ntohl(). */ 323 #if defined(__LITTLE_ENDIAN__) 324 u_int32_t ttl:8, s:1, exp:3, label:20; 325 #elif defined(__BIG_ENDIAN__) 326 u_int32_t label:20, exp:3, s:1, ttl:8; 327 #else 328 # error "Byte order must be defined" 329 #endif 330 } PACK_OFF; 331 332 /* ++++++++++++++++++++++++ IP header ++++++++++++++++++++++++ */ 333 334 PACK_ON 335 struct ndpi_iphdr { 336 #if defined(__LITTLE_ENDIAN__) 337 u_int8_t ihl:4, version:4; 338 #elif defined(__BIG_ENDIAN__) 339 u_int8_t version:4, ihl:4; 340 #else 341 # error "Byte order must be defined" 342 #endif 343 u_int8_t tos; 344 u_int16_t tot_len; 345 u_int16_t id; 346 u_int16_t frag_off; 347 u_int8_t ttl; 348 u_int8_t protocol; 349 u_int16_t check; 350 u_int32_t saddr; 351 u_int32_t daddr; 352 } PACK_OFF; 353 354 /* +++++++++++++++++++++++ IPv6 header +++++++++++++++++++++++ */ 355 /* rfc3542 */ 356 357 PACK_ON 358 struct ndpi_in6_addr { 359 union { 360 u_int8_t u6_addr8[16]; 361 u_int16_t u6_addr16[8]; 362 u_int32_t u6_addr32[4]; 363 u_int64_t u6_addr64[2]; 364 } u6_addr; /* 128-bit IP6 address */ 365 } PACK_OFF; 366 367 PACK_ON 368 struct ndpi_ip6_hdrctl { 369 u_int32_t ip6_un1_flow; 370 u_int16_t ip6_un1_plen; 371 u_int8_t ip6_un1_nxt; 372 u_int8_t ip6_un1_hlim; 373 } PACK_OFF; 374 375 PACK_ON 376 struct ndpi_ipv6hdr { 377 struct ndpi_ip6_hdrctl ip6_hdr; 378 struct ndpi_in6_addr ip6_src; 379 struct ndpi_in6_addr ip6_dst; 380 } PACK_OFF; 381 382 /* +++++++++++++++++++++++ TCP header +++++++++++++++++++++++ */ 383 384 PACK_ON 385 struct ndpi_tcphdr 386 { 387 u_int16_t source; 388 u_int16_t dest; 389 u_int32_t seq; 390 u_int32_t ack_seq; 391 #if defined(__LITTLE_ENDIAN__) 392 u_int16_t res1:4, doff:4, fin:1, syn:1, rst:1, psh:1, ack:1, urg:1, ece:1, cwr:1; 393 #elif defined(__BIG_ENDIAN__) 394 u_int16_t doff:4, res1:4, cwr:1, ece:1, urg:1, ack:1, psh:1, rst:1, syn:1, fin:1; 395 #else 396 # error "Byte order must be defined" 397 #endif 398 u_int16_t window; 399 u_int16_t check; 400 u_int16_t urg_ptr; 401 } PACK_OFF; 402 403 /* +++++++++++++++++++++++ UDP header +++++++++++++++++++++++ */ 404 405 PACK_ON 406 struct ndpi_udphdr 407 { 408 u_int16_t source; 409 u_int16_t dest; 410 u_int16_t len; 411 u_int16_t check; 412 } PACK_OFF; 413 414 PACK_ON 415 struct ndpi_dns_packet_header { 416 u_int16_t tr_id; 417 u_int16_t flags; 418 u_int16_t num_queries; 419 u_int16_t num_answers; 420 u_int16_t authority_rrs; 421 u_int16_t additional_rrs; 422 } PACK_OFF; 423 424 typedef union 425 { 426 u_int32_t ipv4; 427 struct ndpi_in6_addr ipv6; 428 } ndpi_ip_addr_t; 429 430 431 /* +++++++++++++++++++++++ ICMP header +++++++++++++++++++++++ */ 432 433 PACK_ON 434 struct ndpi_icmphdr { 435 u_int8_t type;/* message type */ 436 u_int8_t code;/* type sub-code */ 437 u_int16_t checksum; 438 union { 439 struct { 440 u_int16_t id; 441 u_int16_t sequence; 442 } echo; /* echo datagram */ 443 444 u_int32_t gateway; /* gateway address */ 445 struct { 446 u_int16_t _unused; 447 u_int16_t mtu; 448 } frag;/* path mtu discovery */ 449 } un; 450 } PACK_OFF; 451 452 /* +++++++++++++++++++++++ ICMP6 header +++++++++++++++++++++++ */ 453 454 PACK_ON 455 struct ndpi_icmp6hdr { 456 uint8_t icmp6_type; /* type field */ 457 uint8_t icmp6_code; /* code field */ 458 uint16_t icmp6_cksum; /* checksum field */ 459 union { 460 uint32_t icmp6_un_data32[1]; /* type-specific field */ 461 uint16_t icmp6_un_data16[2]; /* type-specific field */ 462 uint8_t icmp6_un_data8[4]; /* type-specific field */ 463 } icmp6_dataun; 464 } PACK_OFF; 465 466 /* +++++++++++++++++++++++ VXLAN header +++++++++++++++++++++++ */ 467 468 PACK_ON 469 struct ndpi_vxlanhdr { 470 u_int16_t flags; 471 u_int16_t groupPolicy; 472 u_int32_t vni; 473 } PACK_OFF; 474 475 /* ************************************************************ */ 476 /* ******************* ********************* ****************** */ 477 /* ************************************************************ */ 478 479 typedef struct message { 480 u_int8_t *buffer; 481 u_int buffer_len, buffer_used, max_expected; 482 u_int32_t next_seq[2]; /* Directions */ 483 } message_t; 484 485 /* NDPI_PROTOCOL_BITTORRENT */ 486 typedef struct spinlock { 487 volatile int val; 488 } spinlock_t; 489 490 typedef struct atomic { 491 volatile int counter; 492 } atomic_t; 493 494 struct hash_ip4p_node { 495 struct hash_ip4p_node *next,*prev; 496 time_t lchg; 497 u_int16_t port,count:12,flag:4; 498 u_int32_t ip; 499 // + 12 bytes for ipv6 500 }; 501 502 struct hash_ip4p { 503 struct hash_ip4p_node *top; 504 spinlock_t lock; 505 size_t len; 506 }; 507 508 struct hash_ip4p_table { 509 size_t size; 510 int ipv6; 511 spinlock_t lock; 512 atomic_t count; 513 struct hash_ip4p tbl; 514 }; 515 516 struct bt_announce { // 192 bytes 517 u_int32_t hash[5]; 518 u_int32_t ip[4]; 519 u_int32_t time; 520 u_int16_t port; 521 u_int8_t name_len, 522 name[192 - 4*10 - 2 - 1]; // 149 bytes 523 }; 524 525 /* NDPI_PROTOCOL_TINC */ 526 #define TINC_CACHE_MAX_SIZE 10 527 528 PACK_ON struct tinc_cache_entry { 529 u_int32_t src_address; 530 u_int32_t dst_address; 531 u_int16_t dst_port; 532 } PACK_OFF; 533 534 /* 535 In case the typedef below is modified, please update 536 ndpi_http_method2str (ndpi_utils.c) 537 */ 538 typedef enum { 539 NDPI_HTTP_METHOD_UNKNOWN = 0, 540 NDPI_HTTP_METHOD_OPTIONS, 541 NDPI_HTTP_METHOD_GET, 542 NDPI_HTTP_METHOD_HEAD, 543 NDPI_HTTP_METHOD_PATCH, 544 NDPI_HTTP_METHOD_POST, 545 NDPI_HTTP_METHOD_PUT, 546 NDPI_HTTP_METHOD_DELETE, 547 NDPI_HTTP_METHOD_TRACE, 548 NDPI_HTTP_METHOD_CONNECT 549 } ndpi_http_method; 550 551 struct ndpi_lru_cache_entry { 552 u_int32_t key; /* Store the whole key to avoid ambiguities */ 553 u_int32_t is_full:1, value:16, pad:15; 554 }; 555 556 struct ndpi_lru_cache { 557 u_int32_t num_entries; 558 struct ndpi_lru_cache_entry *entries; 559 }; 560 561 struct ndpi_id_struct { 562 /** 563 detected_protocol_bitmask: 564 access this bitmask to find out whether an id has used skype or not 565 if a flag is set here, it will not be reset 566 to compare this, use: 567 **/ 568 NDPI_PROTOCOL_BITMASK detected_protocol_bitmask; 569 /* NDPI_PROTOCOL_RTSP */ 570 ndpi_ip_addr_t rtsp_ip_address; 571 572 /* NDPI_PROTOCOL_YAHOO */ 573 u_int32_t yahoo_video_lan_timer; 574 575 /* NDPI_PROTOCOL_IRC_MAXPORT % 2 must be 0 */ 576 /* NDPI_PROTOCOL_IRC */ 577 #define NDPI_PROTOCOL_IRC_MAXPORT 8 578 u_int16_t irc_port[NDPI_PROTOCOL_IRC_MAXPORT]; 579 u_int32_t last_time_port_used[NDPI_PROTOCOL_IRC_MAXPORT]; 580 u_int32_t irc_ts; 581 582 /* NDPI_PROTOCOL_GNUTELLA */ 583 u_int32_t gnutella_ts; 584 585 /* NDPI_PROTOCOL_THUNDER */ 586 u_int32_t thunder_ts; 587 588 /* NDPI_PROTOCOL_RTSP */ 589 u_int32_t rtsp_timer; 590 591 /* NDPI_PROTOCOL_ZATTOO */ 592 u_int32_t zattoo_ts; 593 594 /* NDPI_PROTOCOL_JABBER */ 595 u_int32_t jabber_stun_or_ft_ts; 596 597 /* NDPI_PROTOCOL_DIRECTCONNECT */ 598 u_int32_t directconnect_last_safe_access_time; 599 600 /* NDPI_PROTOCOL_SOULSEEK */ 601 u_int32_t soulseek_last_safe_access_time; 602 603 /* NDPI_PROTOCOL_DIRECTCONNECT */ 604 u_int16_t detected_directconnect_port; 605 u_int16_t detected_directconnect_udp_port; 606 u_int16_t detected_directconnect_ssl_port; 607 608 /* NDPI_PROTOCOL_BITTORRENT */ 609 #define NDPI_BT_PORTS 8 610 u_int16_t bt_port_t[NDPI_BT_PORTS]; 611 u_int16_t bt_port_u[NDPI_BT_PORTS]; 612 613 /* NDPI_PROTOCOL_JABBER */ 614 #define JABBER_MAX_STUN_PORTS 6 615 u_int16_t jabber_voice_stun_port[JABBER_MAX_STUN_PORTS]; 616 u_int16_t jabber_file_transfer_port[2]; 617 618 /* NDPI_PROTOCOL_GNUTELLA */ 619 u_int16_t detected_gnutella_port; 620 621 /* NDPI_PROTOCOL_GNUTELLA */ 622 u_int16_t detected_gnutella_udp_port1; 623 u_int16_t detected_gnutella_udp_port2; 624 625 /* NDPI_PROTOCOL_SOULSEEK */ 626 u_int16_t soulseek_listen_port; 627 628 /* NDPI_PROTOCOL_IRC */ 629 u_int8_t irc_number_of_port; 630 631 /* NDPI_PROTOCOL_JABBER */ 632 u_int8_t jabber_voice_stun_used_ports; 633 634 /* NDPI_PROTOCOL_SIP */ 635 /* NDPI_PROTOCOL_YAHOO */ 636 u_int32_t yahoo_video_lan_dir:1; 637 638 /* NDPI_PROTOCOL_YAHOO */ 639 u_int32_t yahoo_conf_logged_in:1; 640 u_int32_t yahoo_voice_conf_logged_in:1; 641 642 /* NDPI_PROTOCOL_RTSP */ 643 u_int32_t rtsp_ts_set:1; 644 }; 645 646 /* ************************************************** */ 647 648 struct ndpi_flow_tcp_struct { 649 /* NDPI_PROTOCOL_MAIL_SMTP */ 650 u_int16_t smtp_command_bitmask; 651 652 /* NDPI_PROTOCOL_MAIL_POP */ 653 u_int16_t pop_command_bitmask; 654 655 /* NDPI_PROTOCOL_QQ */ 656 u_int16_t qq_nxt_len; 657 658 /* NDPI_PROTOCOL_WHATSAPP */ 659 u_int8_t wa_matched_so_far; 660 661 /* NDPI_PROTOCOL_TDS */ 662 u_int8_t tds_login_version; 663 664 /* NDPI_PROTOCOL_IRC */ 665 u_int8_t irc_stage; 666 u_int8_t irc_port; 667 668 /* NDPI_PROTOCOL_H323 */ 669 u_int8_t h323_valid_packets; 670 671 /* NDPI_PROTOCOL_GNUTELLA */ 672 u_int8_t gnutella_msg_id[3]; 673 674 /* NDPI_PROTOCOL_IRC */ 675 u_int32_t irc_3a_counter:3; 676 u_int32_t irc_stage2:5; 677 u_int32_t irc_direction:2; 678 u_int32_t irc_0x1000_full:1; 679 680 /* NDPI_PROTOCOL_SOULSEEK */ 681 u_int32_t soulseek_stage:2; 682 683 /* NDPI_PROTOCOL_TDS */ 684 u_int32_t tds_stage:3; 685 686 /* NDPI_PROTOCOL_USENET */ 687 u_int32_t usenet_stage:2; 688 689 /* NDPI_PROTOCOL_IMESH */ 690 u_int32_t imesh_stage:4; 691 692 /* NDPI_PROTOCOL_HTTP */ 693 u_int32_t http_setup_dir:2; 694 u_int32_t http_stage:2; 695 u_int32_t http_empty_line_seen:1; 696 u_int32_t http_wait_for_retransmission:1; 697 698 /* NDPI_PROTOCOL_GNUTELLA */ 699 u_int32_t gnutella_stage:2; // 0 - 2 700 701 /* NDPI_CONTENT_MMS */ 702 u_int32_t mms_stage:2; 703 704 /* NDPI_PROTOCOL_YAHOO */ 705 u_int32_t yahoo_sip_comm:1; 706 u_int32_t yahoo_http_proxy_stage:2; 707 708 /* NDPI_PROTOCOL_MSN */ 709 u_int32_t msn_stage:3; 710 u_int32_t msn_ssl_ft:2; 711 712 /* NDPI_PROTOCOL_SSH */ 713 u_int32_t ssh_stage:3; 714 715 /* NDPI_PROTOCOL_VNC */ 716 u_int32_t vnc_stage:2; // 0 - 3 717 718 /* NDPI_PROTOCOL_TELNET */ 719 u_int32_t telnet_stage:2; // 0 - 2 720 721 struct { 722 message_t message; 723 724 void* srv_cert_fingerprint_ctx; /* SHA-1 */ 725 726 /* NDPI_PROTOCOL_TLS */ 727 u_int8_t hello_processed:1, certificate_processed:1, subprotocol_detected:1, 728 fingerprint_set:1, _pad:4; 729 u_int8_t num_tls_blocks; 730 int16_t tls_application_blocks_len[NDPI_MAX_NUM_TLS_APPL_BLOCKS]; /* + = src->dst, - = dst->src */ 731 } tls; 732 733 /* NDPI_PROTOCOL_POSTGRES */ 734 u_int32_t postgres_stage:3; 735 736 /* NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK */ 737 u_int32_t ddlink_server_direction:1; 738 u_int32_t seen_syn:1; 739 u_int32_t seen_syn_ack:1; 740 u_int32_t seen_ack:1; 741 742 /* NDPI_PROTOCOL_ICECAST */ 743 u_int32_t icecast_stage:1; 744 745 /* NDPI_PROTOCOL_DOFUS */ 746 u_int32_t dofus_stage:1; 747 748 /* NDPI_PROTOCOL_FIESTA */ 749 u_int32_t fiesta_stage:2; 750 751 /* NDPI_PROTOCOL_WORLDOFWARCRAFT */ 752 u_int32_t wow_stage:2; 753 754 /* NDPI_PROTOCOL_HTTP_APPLICATION_VEOHTV */ 755 u_int32_t veoh_tv_stage:2; 756 757 /* NDPI_PROTOCOL_SHOUTCAST */ 758 u_int32_t shoutcast_stage:2; 759 760 /* NDPI_PROTOCOL_RTP */ 761 u_int32_t rtp_special_packets_seen:1; 762 763 /* NDPI_PROTOCOL_MAIL_POP */ 764 u_int32_t mail_pop_stage:2; 765 766 /* NDPI_PROTOCOL_MAIL_IMAP */ 767 u_int32_t mail_imap_stage:3, mail_imap_starttls:2; 768 769 /* NDPI_PROTOCOL_SOAP */ 770 u_int32_t soap_stage:1; 771 772 /* NDPI_PROTOCOL_SKYPE */ 773 u_int8_t skype_packet_id; 774 775 /* NDPI_PROTOCOL_CITRIX */ 776 u_int8_t citrix_packet_id; 777 778 /* NDPI_PROTOCOL_LOTUS_NOTES */ 779 u_int8_t lotus_notes_packet_id; 780 781 /* NDPI_PROTOCOL_TEAMVIEWER */ 782 u_int8_t teamviewer_stage; 783 784 /* NDPI_PROTOCOL_ZMQ */ 785 u_int8_t prev_zmq_pkt_len; 786 u_char prev_zmq_pkt[10]; 787 788 /* NDPI_PROTOCOL_PPSTREAM */ 789 u_int32_t ppstream_stage:3; 790 791 /* NDPI_PROTOCOL_MEMCACHED */ 792 u_int8_t memcached_matches; 793 794 /* NDPI_PROTOCOL_NEST_LOG_SINK */ 795 u_int8_t nest_log_sink_matches; 796 }; 797 798 /* ************************************************** */ 799 800 struct ndpi_flow_udp_struct { 801 /* NDPI_PROTOCOL_SNMP */ 802 u_int32_t snmp_msg_id; 803 804 /* NDPI_PROTOCOL_SNMP */ 805 u_int32_t snmp_stage:2; 806 807 /* NDPI_PROTOCOL_PPSTREAM */ 808 u_int32_t ppstream_stage:3; // 0 - 7 809 810 /* NDPI_PROTOCOL_HALFLIFE2 */ 811 u_int32_t halflife2_stage:2; // 0 - 2 812 813 /* NDPI_PROTOCOL_TFTP */ 814 u_int32_t tftp_stage:2; 815 816 /* NDPI_PROTOCOL_AIMINI */ 817 u_int32_t aimini_stage:5; 818 819 /* NDPI_PROTOCOL_XBOX */ 820 u_int32_t xbox_stage:1; 821 822 /* NDPI_PROTOCOL_WINDOWS_UPDATE */ 823 u_int32_t wsus_stage:1; 824 825 /* NDPI_PROTOCOL_SKYPE */ 826 u_int8_t skype_packet_id; 827 u_int8_t skype_crc[4]; 828 829 /* NDPI_PROTOCOL_TEAMVIEWER */ 830 u_int8_t teamviewer_stage; 831 832 /* NDPI_PROTOCOL_EAQ */ 833 u_int8_t eaq_pkt_id; 834 u_int32_t eaq_sequence; 835 836 /* NDPI_PROTOCOL_RX */ 837 u_int32_t rx_conn_epoch; 838 u_int32_t rx_conn_id; 839 840 /* NDPI_PROTOCOL_MEMCACHED */ 841 u_int8_t memcached_matches; 842 843 /* NDPI_PROTOCOL_WIREGUARD */ 844 u_int8_t wireguard_stage; 845 u_int32_t wireguard_peer_index[2]; 846 847 /* NDPI_PROTOCOL_QUIC */ 848 u_int8_t *quic_reasm_buf; 849 u_int32_t quic_reasm_buf_len; 850 }; 851 852 /* ************************************************** */ 853 854 #define LINE_EQUALS(ndpi_int_one_line_struct, string_to_compare) \ 855 ((ndpi_int_one_line_struct).len == strlen(string_to_compare) && \ 856 LINE_CMP(ndpi_int_one_line_struct, string_to_compare, strlen(string_to_compare)) == 1) 857 858 #define LINE_STARTS(ndpi_int_one_line_struct, string_to_compare) \ 859 ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ 860 LINE_CMP(ndpi_int_one_line_struct, string_to_compare, strlen(string_to_compare)) == 1) 861 862 #define LINE_ENDS(ndpi_int_one_line_struct, string_to_compare) \ 863 ((ndpi_int_one_line_struct).len >= strlen(string_to_compare) && \ 864 memcmp((ndpi_int_one_line_struct).ptr + \ 865 ((ndpi_int_one_line_struct).len - strlen(string_to_compare)), \ 866 string_to_compare, strlen(string_to_compare)) == 0) 867 868 #define LINE_CMP(ndpi_int_one_line_struct, string_to_compare, string_to_compare_length) \ 869 ((ndpi_int_one_line_struct).ptr != NULL && \ 870 memcmp((ndpi_int_one_line_struct).ptr, string_to_compare, string_to_compare_length) == 0) 871 872 struct ndpi_int_one_line_struct { 873 const u_int8_t *ptr; 874 u_int16_t len; 875 }; 876 877 struct ndpi_packet_struct { 878 const struct ndpi_iphdr *iph; 879 const struct ndpi_ipv6hdr *iphv6; 880 const struct ndpi_tcphdr *tcp; 881 const struct ndpi_udphdr *udp; 882 const u_int8_t *generic_l4_ptr; /* is set only for non tcp-udp traffic */ 883 const u_int8_t *payload; 884 885 u_int64_t current_time_ms; 886 887 u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; 888 u_int16_t protocol_stack_info; 889 890 struct ndpi_int_one_line_struct line[NDPI_MAX_PARSE_LINES_PER_PACKET]; 891 /* HTTP headers */ 892 struct ndpi_int_one_line_struct host_line; 893 struct ndpi_int_one_line_struct forwarded_line; 894 struct ndpi_int_one_line_struct referer_line; 895 struct ndpi_int_one_line_struct content_line; 896 struct ndpi_int_one_line_struct content_disposition_line; 897 struct ndpi_int_one_line_struct accept_line; 898 struct ndpi_int_one_line_struct user_agent_line; 899 struct ndpi_int_one_line_struct http_url_name; 900 struct ndpi_int_one_line_struct http_encoding; 901 struct ndpi_int_one_line_struct http_transfer_encoding; 902 struct ndpi_int_one_line_struct http_contentlen; 903 struct ndpi_int_one_line_struct http_cookie; 904 struct ndpi_int_one_line_struct http_origin; 905 struct ndpi_int_one_line_struct http_x_session_type; 906 struct ndpi_int_one_line_struct server_line; 907 struct ndpi_int_one_line_struct http_method; 908 struct ndpi_int_one_line_struct http_response; /* the first "word" in this pointer is the 909 response code in the packet (200, etc) */ 910 u_int8_t http_num_headers; /* number of found (valid) header lines in HTTP request or response */ 911 912 u_int16_t l3_packet_len; 913 u_int16_t l4_packet_len; 914 u_int16_t payload_packet_len; 915 u_int16_t actual_payload_len; 916 u_int16_t num_retried_bytes; 917 u_int16_t parsed_lines; 918 u_int16_t parsed_unix_lines; 919 u_int16_t empty_line_position; 920 u_int8_t tcp_retransmission; 921 u_int8_t l4_protocol; 922 923 u_int8_t tls_certificate_detected:4, tls_certificate_num_checks:4; 924 u_int8_t packet_lines_parsed_complete:1, 925 packet_direction:1, empty_line_position_set:1, http_check_content:1, pad:4; 926 }; 927 928 struct ndpi_detection_module_struct; 929 struct ndpi_flow_struct; 930 931 struct ndpi_call_function_struct { 932 NDPI_PROTOCOL_BITMASK detection_bitmask; 933 NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask; 934 void (*func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); 935 NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask; 936 u_int16_t ndpi_protocol_id; 937 u_int8_t detection_feature; 938 }; 939 940 struct ndpi_subprotocol_conf_struct { 941 void (*func) (struct ndpi_detection_module_struct *, char *attr, char *value, int protocol_id); 942 }; 943 944 typedef struct { 945 u_int16_t port_low, port_high; 946 } ndpi_port_range; 947 948 typedef enum { 949 NDPI_PROTOCOL_SAFE = 0, /* Surely doesn't provide risks for the network. (e.g., a news site) */ 950 NDPI_PROTOCOL_ACCEPTABLE, /* Probably doesn't provide risks, but could be malicious (e.g., Dropbox) */ 951 NDPI_PROTOCOL_FUN, /* Pure fun protocol, which may be prohibited by the user policy (e.g., Netflix) */ 952 NDPI_PROTOCOL_UNSAFE, /* Probably provides risks, but could be a normal traffic. Unencrypted protocols with clear pass should be here (e.g., telnet) */ 953 NDPI_PROTOCOL_POTENTIALLY_DANGEROUS, /* Possibly dangerous (ex. Tor). */ 954 NDPI_PROTOCOL_DANGEROUS, /* Surely is dangerous (ex. smbv1). Be prepared to troubles */ 955 NDPI_PROTOCOL_TRACKER_ADS, /* Trackers, Advertisements... */ 956 NDPI_PROTOCOL_UNRATED /* No idea, not implemented or impossible to classify */ 957 } ndpi_protocol_breed_t; 958 959 #define NUM_BREEDS (NDPI_PROTOCOL_UNRATED+1) 960 961 /* Abstract categories to group the protocols. */ 962 typedef enum { 963 NDPI_PROTOCOL_CATEGORY_UNSPECIFIED = 0, /* For general services and unknown protocols */ 964 NDPI_PROTOCOL_CATEGORY_MEDIA, /* Multimedia and streaming */ 965 NDPI_PROTOCOL_CATEGORY_VPN, /* Virtual Private Networks */ 966 NDPI_PROTOCOL_CATEGORY_MAIL, /* Protocols to send/receive/sync emails */ 967 NDPI_PROTOCOL_CATEGORY_DATA_TRANSFER, /* AFS/NFS and similar protocols */ 968 NDPI_PROTOCOL_CATEGORY_WEB, /* Web/mobile protocols and services */ 969 NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, /* Social networks */ 970 NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, /* Download, FTP, file transfer/sharing */ 971 NDPI_PROTOCOL_CATEGORY_GAME, /* Online games */ 972 NDPI_PROTOCOL_CATEGORY_CHAT, /* Instant messaging */ 973 NDPI_PROTOCOL_CATEGORY_VOIP, /* Real-time communications and conferencing */ 974 NDPI_PROTOCOL_CATEGORY_DATABASE, /* Protocols for database communication */ 975 NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, /* Remote access and control */ 976 NDPI_PROTOCOL_CATEGORY_CLOUD, /* Online cloud services */ 977 NDPI_PROTOCOL_CATEGORY_NETWORK, /* Network infrastructure protocols */ 978 NDPI_PROTOCOL_CATEGORY_COLLABORATIVE, /* Software for collaborative development, including Webmail */ 979 NDPI_PROTOCOL_CATEGORY_RPC, /* High level network communication protocols */ 980 NDPI_PROTOCOL_CATEGORY_STREAMING, /* Streaming protocols */ 981 NDPI_PROTOCOL_CATEGORY_SYSTEM_OS, /* System/Operating System level applications */ 982 NDPI_PROTOCOL_CATEGORY_SW_UPDATE, /* Software update */ 983 984 /* See #define NUM_CUSTOM_CATEGORIES */ 985 NDPI_PROTOCOL_CATEGORY_CUSTOM_1, /* User custom category 1 */ 986 NDPI_PROTOCOL_CATEGORY_CUSTOM_2, /* User custom category 2 */ 987 NDPI_PROTOCOL_CATEGORY_CUSTOM_3, /* User custom category 3 */ 988 NDPI_PROTOCOL_CATEGORY_CUSTOM_4, /* User custom category 4 */ 989 NDPI_PROTOCOL_CATEGORY_CUSTOM_5, /* User custom category 5 */ 990 991 /* Further categories... */ 992 NDPI_PROTOCOL_CATEGORY_MUSIC, 993 NDPI_PROTOCOL_CATEGORY_VIDEO, 994 NDPI_PROTOCOL_CATEGORY_SHOPPING, 995 NDPI_PROTOCOL_CATEGORY_PRODUCTIVITY, 996 NDPI_PROTOCOL_CATEGORY_FILE_SHARING, 997 /* 998 The category below is used by sites who are used 999 to test connectivity 1000 */ 1001 NDPI_PROTOCOL_CATEGORY_CONNECTIVITY_CHECK, 1002 NDPI_PROTOCOL_CATEGORY_IOT_SCADA, 1003 /* 1004 The category below is used for vocal assistance services. 1005 */ 1006 NDPI_PROTOCOL_CATEGORY_VIRTUAL_ASSISTANT, 1007 1008 /* Some custom categories */ 1009 CUSTOM_CATEGORY_MINING = 99, 1010 CUSTOM_CATEGORY_MALWARE = 100, 1011 CUSTOM_CATEGORY_ADVERTISEMENT = 101, 1012 CUSTOM_CATEGORY_BANNED_SITE = 102, 1013 CUSTOM_CATEGORY_SITE_UNAVAILABLE = 103, 1014 CUSTOM_CATEGORY_ALLOWED_SITE = 104, 1015 /* 1016 The category below is used to track communications made by 1017 security applications (e.g. sophosxl.net, spamhaus.org) 1018 to track malware, spam etc. 1019 */ 1020 CUSTOM_CATEGORY_ANTIMALWARE = 105, 1021 1022 /* 1023 IMPORTANT 1024 1025 Please keep in sync with 1026 1027 static const char* categories[] = { ..} 1028 1029 in ndpi_main.c 1030 */ 1031 1032 NDPI_PROTOCOL_NUM_CATEGORIES, /* 1033 NOTE: Keep this as last member 1034 Unused as value but useful to getting the number of elements 1035 in this datastructure 1036 */ 1037 NDPI_PROTOCOL_ANY_CATEGORY /* Used to handle wildcards */ 1038 } ndpi_protocol_category_t; 1039 1040 typedef enum { 1041 ndpi_pref_direction_detect_disable = 0, 1042 ndpi_pref_enable_tls_block_dissection /* nDPI considers only those blocks past the certificate exchange */ 1043 } ndpi_detection_preference; 1044 1045 /* ntop extensions */ 1046 typedef struct ndpi_proto_defaults { 1047 char *protoName; 1048 ndpi_protocol_category_t protoCategory; 1049 u_int8_t isClearTextProto; 1050 u_int16_t *subprotocols; 1051 u_int32_t subprotocol_count; 1052 u_int16_t protoId, protoIdx; 1053 u_int16_t tcp_default_ports[MAX_DEFAULT_PORTS], udp_default_ports[MAX_DEFAULT_PORTS]; 1054 ndpi_protocol_breed_t protoBreed; 1055 void (*func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); 1056 } ndpi_proto_defaults_t; 1057 1058 typedef struct ndpi_default_ports_tree_node { 1059 ndpi_proto_defaults_t *proto; 1060 u_int8_t customUserProto; 1061 u_int16_t default_port; 1062 } ndpi_default_ports_tree_node_t; 1063 1064 typedef struct _ndpi_automa { 1065 void *ac_automa; /* Real type is AC_AUTOMATA_t */ 1066 } ndpi_automa; 1067 1068 typedef struct ndpi_proto { 1069 /* 1070 Note 1071 below we do not use ndpi_protocol_id_t as users can define their own 1072 custom protocols and thus the typedef could be too short in size. 1073 */ 1074 u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; 1075 ndpi_protocol_category_t category; 1076 } ndpi_protocol; 1077 1078 #define NDPI_PROTOCOL_NULL { NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_UNKNOWN , NDPI_PROTOCOL_CATEGORY_UNSPECIFIED } 1079 1080 #define NUM_CUSTOM_CATEGORIES 5 1081 #define CUSTOM_CATEGORY_LABEL_LEN 32 1082 1083 #ifdef NDPI_LIB_COMPILATION 1084 1085 /* Needed to have access to HAVE_* defines */ 1086 #ifndef _NDPI_CONFIG_H_ 1087 #include "ndpi_config.h" 1088 #define _NDPI_CONFIG_H_ 1089 #endif 1090 1091 #ifdef HAVE_PCRE 1092 #include <pcre.h> 1093 1094 struct pcre_struct { 1095 pcre *compiled; 1096 pcre_extra *optimized; 1097 }; 1098 #endif 1099 1100 typedef enum { 1101 ndpi_stun_cache, 1102 ndpi_hangout_cache 1103 } ndpi_lru_cache_type; 1104 1105 struct ndpi_detection_module_struct { 1106 NDPI_PROTOCOL_BITMASK detection_bitmask; 1107 NDPI_PROTOCOL_BITMASK generic_http_packet_bitmask; 1108 1109 u_int32_t current_ts; 1110 u_int32_t ticks_per_second; 1111 u_int16_t num_tls_blocks_to_follow; 1112 u_int8_t skip_tls_blocks_until_change_cipher:1, enable_ja3_plus:1, _notused:6; 1113 1114 #ifdef NDPI_ENABLE_DEBUG_MESSAGES 1115 void *user_data; 1116 #endif 1117 char custom_category_labels[NUM_CUSTOM_CATEGORIES][CUSTOM_CATEGORY_LABEL_LEN]; 1118 /* callback function buffer */ 1119 struct ndpi_call_function_struct callback_buffer[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; 1120 u_int32_t callback_buffer_size; 1121 1122 struct ndpi_call_function_struct callback_buffer_tcp_no_payload[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; 1123 u_int32_t callback_buffer_size_tcp_no_payload; 1124 1125 struct ndpi_call_function_struct callback_buffer_tcp_payload[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; 1126 u_int32_t callback_buffer_size_tcp_payload; 1127 1128 struct ndpi_call_function_struct callback_buffer_udp[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; 1129 u_int32_t callback_buffer_size_udp; 1130 1131 struct ndpi_call_function_struct callback_buffer_non_tcp_udp[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; 1132 u_int32_t callback_buffer_size_non_tcp_udp; 1133 1134 ndpi_default_ports_tree_node_t *tcpRoot, *udpRoot; 1135 1136 ndpi_log_level_t ndpi_log_level; /* default error */ 1137 1138 #ifdef NDPI_ENABLE_DEBUG_MESSAGES 1139 /* debug callback, only set when debug is used */ 1140 ndpi_debug_function_ptr ndpi_debug_printf; 1141 const char *ndpi_debug_print_file; 1142 const char *ndpi_debug_print_function; 1143 u_int32_t ndpi_debug_print_line; 1144 NDPI_PROTOCOL_BITMASK debug_bitmask; 1145 #endif 1146 1147 /* misc parameters */ 1148 u_int32_t tcp_max_retransmission_window_size; 1149 1150 u_int32_t directconnect_connection_ip_tick_timeout; 1151 1152 /* subprotocol registration handler */ 1153 struct ndpi_subprotocol_conf_struct subprotocol_conf[NDPI_MAX_SUPPORTED_PROTOCOLS + 1]; 1154 1155 u_int ndpi_num_supported_protocols; 1156 u_int ndpi_num_custom_protocols; 1157 1158 int ac_automa_finalized; 1159 /* HTTP/DNS/HTTPS/QUIC host matching */ 1160 ndpi_automa host_automa, /* Used for DNS/HTTPS */ 1161 content_automa, /* Used for HTTP subprotocol_detection */ 1162 subprotocol_automa, /* Used for HTTP subprotocol_detection */ 1163 risky_domain_automa, tls_cert_subject_automa, 1164 malicious_ja3_automa, malicious_sha1_automa, 1165 host_risk_mask_automa, common_alpns_automa; 1166 /* IMPORTANT: please update ndpi_finalize_initialization() whenever you add a new automa */ 1167 1168 void *ip_risk_mask_ptree; 1169 1170 struct { 1171 ndpi_automa hostnames, hostnames_shadow; 1172 void *ipAddresses, *ipAddresses_shadow; /* Patricia */ 1173 u_int8_t categories_loaded; 1174 } custom_categories; 1175 1176 /* IP-based protocol detection */ 1177 void *protocols_ptree; 1178 1179 /* irc parameters */ 1180 u_int32_t irc_timeout; 1181 /* gnutella parameters */ 1182 u_int32_t gnutella_timeout; 1183 /* thunder parameters */ 1184 u_int32_t thunder_timeout; 1185 /* SoulSeek parameters */ 1186 u_int32_t soulseek_connection_ip_tick_timeout; 1187 /* rtsp parameters */ 1188 u_int32_t rtsp_connection_timeout; 1189 /* rstp */ 1190 u_int32_t orb_rstp_ts_timeout; 1191 /* yahoo */ 1192 u_int8_t yahoo_detect_http_connections; 1193 u_int32_t yahoo_lan_video_timeout; 1194 u_int32_t zattoo_connection_timeout; 1195 u_int32_t jabber_stun_timeout; 1196 u_int32_t jabber_file_transfer_timeout; 1197 u_int8_t ip_version_limit; 1198 /* NDPI_PROTOCOL_BITTORRENT */ 1199 struct hash_ip4p_table *bt_ht, *bt6_ht; 1200 1201 /* BT_ANNOUNCE */ 1202 struct bt_announce *bt_ann; 1203 int bt_ann_len; 1204 1205 /* NDPI_PROTOCOL_OOKLA */ 1206 struct ndpi_lru_cache *ookla_cache; 1207 1208 /* NDPI_PROTOCOL_TINC */ 1209 struct cache *tinc_cache; 1210 1211 /* NDPI_PROTOCOL_STUN and subprotocols */ 1212 struct ndpi_lru_cache *stun_cache; 1213 1214 /* NDPI_PROTOCOL_TLS and subprotocols */ 1215 struct ndpi_lru_cache *tls_cert_cache; 1216 1217 /* NDPI_PROTOCOL_MINING and subprotocols */ 1218 struct ndpi_lru_cache *mining_cache; 1219 1220 /* NDPI_PROTOCOL_MSTEAMS */ 1221 struct ndpi_lru_cache *msteams_cache; 1222 1223 ndpi_proto_defaults_t proto_defaults[NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS]; 1224 1225 u_int8_t direction_detect_disable:1, /* disable internal detection of packet direction */ _pad:7; 1226 1227 void (*ndpi_notify_lru_add_handler_ptr)(ndpi_lru_cache_type cache_type, u_int32_t proto, u_int32_t app_proto); 1228 1229 #ifdef CUSTOM_NDPI_PROTOCOLS 1230 #include "../../../nDPI-custom/custom_ndpi_typedefs.h" 1231 #endif 1232 1233 #ifdef HAVE_MAXMINDDB 1234 MMDB_s mmdb_city, mmdb_as; 1235 u_int8_t mmdb_city_loaded, mmdb_as_loaded; 1236 #endif 1237 }; 1238 1239 #endif /* NDPI_LIB_COMPILATION */ 1240 1241 typedef enum { 1242 ndpi_cipher_safe = NDPI_CIPHER_SAFE, 1243 ndpi_cipher_weak = NDPI_CIPHER_WEAK, 1244 ndpi_cipher_insecure = NDPI_CIPHER_INSECURE 1245 } ndpi_cipher_weakness; 1246 1247 #define MAX_NUM_TLS_SIGNATURE_ALGORITHMS 16 1248 1249 struct tls_heuristics { 1250 /* 1251 TLS heuristics for detecting browsers usage 1252 NOTE: expect false positives 1253 */ 1254 u_int8_t is_safari_tls:1, is_firefox_tls:1, is_chrome_tls:1, notused:5; 1255 }; 1256 1257 /* 1258 NOTE 1259 When the struct below is modified don't forget to update 1260 - ndpi_flow_struct (in python/ndpi.py) 1261 */ 1262 struct ndpi_flow_struct { 1263 u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE]; 1264 u_int16_t protocol_stack_info; 1265 1266 /* init parameter, internal used to set up timestamp,... */ 1267 u_int16_t guessed_protocol_id, guessed_host_protocol_id, guessed_category, guessed_header_category; 1268 u_int8_t l4_proto, protocol_id_already_guessed:1, host_already_guessed:1, fail_with_unknown:1, 1269 init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1; 1270 1271 /* 1272 if ndpi_struct->direction_detect_disable == 1 1273 tcp sequence number connection tracking 1274 */ 1275 u_int32_t next_tcp_seq_nr[2]; 1276 1277 // ----------------------------------------- 1278 1279 u_int8_t max_extra_packets_to_check; 1280 u_int8_t num_extra_packets_checked; 1281 u_int16_t num_processed_pkts; /* <= WARNING it can wrap but we do expect people to giveup earlier */ 1282 1283 int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); 1284 1285 /* 1286 the tcp / udp / other l4 value union 1287 used to reduce the number of bytes for tcp or udp protocol states 1288 */ 1289 union { 1290 struct ndpi_flow_tcp_struct tcp; 1291 struct ndpi_flow_udp_struct udp; 1292 } l4; 1293 1294 /* Place textual flow info here */ 1295 char flow_extra_info[16]; 1296 1297 /* 1298 Pointer to src or dst that identifies the 1299 server of this connection 1300 */ 1301 struct ndpi_id_struct *server_id; 1302 /* HTTP host or DNS query */ 1303 u_char host_server_name[240]; 1304 u_int8_t initial_binary_bytes[8], initial_binary_bytes_len; 1305 u_int8_t risk_checked:1, ip_risk_mask_evaluated:1, host_risk_mask_evaluated:1, _notused:5; 1306 ndpi_risk risk_mask; /* Stores the flow risk mask for flow peers */ 1307 ndpi_risk risk; /* Issues found with this flow [bitmask of ndpi_risk] */ 1308 1309 /* 1310 This structure below will not not stay inside the protos 1311 structure below as HTTP is used by many subprotocols 1312 such as FaceBook, Google... so it is hard to know 1313 when to use it or not. Thus we leave it outside for the 1314 time being. 1315 */ 1316 struct { 1317 ndpi_http_method method; 1318 char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent; 1319 u_int8_t num_request_headers, num_response_headers; 1320 u_int8_t request_version; /* 0=1.0 and 1=1.1. Create an enum for this? */ 1321 u_int16_t response_status_code; /* 200, 404, etc. */ 1322 u_char detected_os[32]; /* Via HTTP/QUIC User-Agent */ 1323 } http; 1324 1325 /* 1326 Put outside of the union to avoid issues in case the protocol 1327 is remapped to somethign pther than Kerberos due to a faulty 1328 dissector 1329 */ 1330 struct { 1331 char *pktbuf; 1332 u_int16_t pktbuf_maxlen, pktbuf_currlen; 1333 } kerberos_buf; 1334 1335 union { 1336 /* the only fields useful for nDPI and ntopng */ 1337 struct { 1338 u_int8_t num_queries, num_answers, reply_code, is_query; 1339 u_int16_t query_type, query_class, rsp_type; 1340 ndpi_ip_addr_t rsp_addr; /* The first address in a DNS response packet */ 1341 } dns; 1342 1343 struct { 1344 u_int8_t request_code; 1345 u_int8_t version; 1346 } ntp; 1347 1348 struct { 1349 char hostname[48], domain[48], username[48]; 1350 } kerberos; 1351 1352 struct { 1353 struct { 1354 char ssl_version_str[12]; 1355 u_int16_t ssl_version, server_names_len; 1356 char client_requested_server_name[256], /* SNI hostname length: RFC 4366 */ 1357 *server_names, *alpn, *tls_supported_versions, *issuerDN, *subjectDN; 1358 u_int32_t notBefore, notAfter; 1359 char ja3_client[33], ja3_server[33]; 1360 u_int16_t server_cipher; 1361 u_int8_t sha1_certificate_fingerprint[20]; 1362 1363 #ifdef TLS_HANDLE_SIGNATURE_ALGORITMS 1364 /* Under #ifdef to save memory for those who do not need them */ 1365 u_int8_t num_tls_signature_algorithms; 1366 u_int16_t client_signature_algorithms[MAX_NUM_TLS_SIGNATURE_ALGORITHMS]; 1367 #endif 1368 1369 struct tls_heuristics browser_heuristics; 1370 1371 struct { 1372 u_int16_t cipher_suite; 1373 char *esni; 1374 } encrypted_sni; 1375 ndpi_cipher_weakness server_unsafe_cipher; 1376 } tls_quic; 1377 1378 struct { 1379 u_int8_t num_udp_pkts, num_binding_requests; 1380 u_int16_t num_processed_pkts; 1381 } stun; 1382 1383 /* We can have STUN over SSL/TLS thus they need to live together */ 1384 } tls_quic_stun; 1385 1386 struct { 1387 char client_signature[48], server_signature[48]; 1388 char hassh_client[33], hassh_server[33]; 1389 } ssh; 1390 1391 struct { 1392 u_int8_t last_one_byte_pkt, last_byte; 1393 } imo; 1394 1395 struct { 1396 u_int8_t username_detected:1, username_found:1, 1397 password_detected:1, password_found:1, 1398 _pad:4; 1399 u_int8_t character_id; 1400 char username[32], password[32]; 1401 } telnet; 1402 1403 struct { 1404 char version[32]; 1405 } ubntac2; 1406 1407 struct { 1408 /* Via HTTP X-Forwarded-For */ 1409 u_char nat_ip[24]; 1410 } http; 1411 1412 struct { 1413 u_int8_t auth_found:1, auth_failed:1, _pad:5; 1414 char username[16], password[16]; 1415 } ftp_imap_pop_smtp; 1416 1417 struct { 1418 /* Bittorrent hash */ 1419 u_char hash[20]; 1420 } bittorrent; 1421 1422 struct { 1423 char fingerprint[48]; 1424 char class_ident[48]; 1425 } dhcp; 1426 } protos; 1427 1428 /*** ALL protocol specific 64 bit variables here ***/ 1429 1430 /* protocols which have marked a connection as this connection cannot be protocol XXX, multiple u_int64_t */ 1431 NDPI_PROTOCOL_BITMASK excluded_protocol_bitmask; 1432 1433 ndpi_protocol_category_t category; 1434 1435 /* NDPI_PROTOCOL_REDIS */ 1436 u_int8_t redis_s2d_first_char, redis_d2s_first_char; 1437 1438 u_int16_t packet_counter; // can be 0 - 65000 1439 u_int16_t packet_direction_counter[2]; 1440 u_int16_t byte_counter[2]; 1441 /* NDPI_PROTOCOL_BITTORRENT */ 1442 u_int8_t bittorrent_stage; // can be 0 - 255 1443 1444 /* NDPI_PROTOCOL_DIRECTCONNECT */ 1445 u_int8_t directconnect_stage:2; // 0 - 1 1446 1447 /* NDPI_PROTOCOL_HTTP */ 1448 u_int8_t http_detected:1; 1449 1450 /* NDPI_PROTOCOL_RTSP */ 1451 u_int8_t rtsprdt_stage:2, rtsp_control_flow:1; 1452 1453 /* NDPI_PROTOCOL_YAHOO */ 1454 u_int8_t yahoo_detection_finished:2; 1455 1456 /* NDPI_PROTOCOL_ZATTOO */ 1457 u_int8_t zattoo_stage:3; 1458 1459 /* NDPI_PROTOCOL_QQ */ 1460 u_int8_t qq_stage:3; 1461 1462 /* NDPI_PROTOCOL_THUNDER */ 1463 u_int8_t thunder_stage:2; // 0 - 3 1464 1465 /* NDPI_PROTOCOL_FLORENSIA */ 1466 u_int8_t florensia_stage:1; 1467 1468 /* NDPI_PROTOCOL_SOCKS */ 1469 u_int8_t socks5_stage:2, socks4_stage:2; // 0 - 3 1470 1471 /* NDPI_PROTOCOL_EDONKEY */ 1472 u_int8_t edonkey_stage:2; // 0 - 3 1473 1474 /* NDPI_PROTOCOL_FTP_CONTROL */ 1475 u_int8_t ftp_control_stage:2; 1476 1477 /* NDPI_PROTOCOL_RTMP */ 1478 u_int8_t rtmp_stage:2; 1479 1480 /* NDPI_PROTOCOL_STEAM */ 1481 u_int16_t steam_stage:3, steam_stage1:3, steam_stage2:2, steam_stage3:2; 1482 1483 /* NDPI_PROTOCOL_STARCRAFT */ 1484 u_int8_t starcraft_udp_stage : 3; // 0-7 1485 1486 /* NDPI_PROTOCOL_Z3950 */ 1487 u_int8_t z3950_stage : 2; // 0-3 1488 1489 /* NDPI_PROTOCOL_OPENVPN */ 1490 u_int8_t ovpn_session_id[8]; 1491 u_int8_t ovpn_counter; 1492 1493 /* NDPI_PROTOCOL_TINC */ 1494 u_int8_t tinc_state; 1495 struct tinc_cache_entry tinc_cache_entry; 1496 1497 /* NDPI_PROTOCOL_CSGO */ 1498 u_int8_t csgo_strid[18],csgo_state,csgo_s2; 1499 u_int32_t csgo_id2; 1500 1501 /* internal structures to save functions calls */ 1502 struct ndpi_packet_struct packet; 1503 struct ndpi_flow_struct *flow; 1504 struct ndpi_id_struct *src; 1505 struct ndpi_id_struct *dst; 1506 }; 1507 1508 typedef struct { 1509 char *string_to_match, *proto_name; 1510 u_int16_t protocol_id; 1511 ndpi_protocol_category_t protocol_category; 1512 ndpi_protocol_breed_t protocol_breed; 1513 int level; /* 0 by default */ 1514 } ndpi_protocol_match; 1515 1516 typedef struct { 1517 char *string_to_match; 1518 ndpi_protocol_category_t protocol_category; 1519 } ndpi_category_match; 1520 1521 typedef struct { 1522 char *string_to_match; 1523 u_int16_t protocol_id; 1524 } ndpi_tls_cert_name_match; 1525 1526 typedef struct { 1527 u_int32_t network; 1528 u_int8_t cidr; 1529 u_int8_t value; 1530 } ndpi_network; 1531 1532 typedef u_int32_t ndpi_init_prefs; 1533 1534 typedef enum 1535 { 1536 ndpi_no_prefs = 0, 1537 ndpi_dont_load_tor_hosts = 1, 1538 ndpi_dont_init_libgcrypt = 2, 1539 ndpi_enable_ja3_plus = 4 1540 } ndpi_prefs; 1541 1542 typedef struct { 1543 u_int32_t protocol_id; 1544 ndpi_protocol_category_t protocol_category; 1545 ndpi_protocol_breed_t protocol_breed; 1546 } ndpi_protocol_match_result; 1547 1548 typedef enum { 1549 ndpi_serialization_format_unknown = 0, 1550 ndpi_serialization_format_tlv, 1551 ndpi_serialization_format_json, 1552 ndpi_serialization_format_csv 1553 } ndpi_serialization_format; 1554 1555 /* Note: 1556 * - up to 16 types (TLV encoding: "4 bit key type" << 4 | "4 bit value type") 1557 * - key supports string and uint32 (compressed to uint8/uint16) only, this is also enforced by the API */ 1558 typedef enum { 1559 ndpi_serialization_unknown = 0, 1560 ndpi_serialization_end_of_record, 1561 ndpi_serialization_uint8, 1562 ndpi_serialization_uint16, 1563 ndpi_serialization_uint32, 1564 ndpi_serialization_uint64, 1565 ndpi_serialization_int8, 1566 ndpi_serialization_int16, 1567 ndpi_serialization_int32, 1568 ndpi_serialization_int64, 1569 ndpi_serialization_float, 1570 ndpi_serialization_string, 1571 ndpi_serialization_start_of_block, 1572 ndpi_serialization_end_of_block, 1573 ndpi_serialization_start_of_list, 1574 ndpi_serialization_end_of_list 1575 } ndpi_serialization_type; 1576 1577 #define NDPI_SERIALIZER_DEFAULT_HEADER_SIZE 1024 1578 #define NDPI_SERIALIZER_DEFAULT_BUFFER_SIZE 8192 1579 #define NDPI_SERIALIZER_DEFAULT_BUFFER_INCR 1024 1580 1581 #define NDPI_SERIALIZER_STATUS_COMMA (1 << 0) 1582 #define NDPI_SERIALIZER_STATUS_ARRAY (1 << 1) 1583 #define NDPI_SERIALIZER_STATUS_EOR (1 << 2) 1584 #define NDPI_SERIALIZER_STATUS_SOB (1 << 3) 1585 #define NDPI_SERIALIZER_STATUS_NOT_EMPTY (1 << 4) 1586 #define NDPI_SERIALIZER_STATUS_LIST (1 << 5) 1587 #define NDPI_SERIALIZER_STATUS_SOL (1 << 6) 1588 #define NDPI_SERIALIZER_STATUS_HDR_DONE (1 << 7) 1589 1590 typedef struct { 1591 u_int32_t size_used; 1592 } ndpi_private_serializer_buffer_status; 1593 1594 typedef struct { 1595 u_int32_t flags; 1596 ndpi_private_serializer_buffer_status buffer; 1597 ndpi_private_serializer_buffer_status header; 1598 } ndpi_private_serializer_status; 1599 1600 typedef struct { 1601 u_int32_t initial_size; 1602 u_int32_t size; 1603 u_int8_t *data; 1604 } ndpi_private_serializer_buffer; 1605 1606 typedef struct { 1607 ndpi_private_serializer_status status; 1608 ndpi_private_serializer_buffer buffer; 1609 ndpi_private_serializer_buffer header; 1610 ndpi_serialization_format fmt; 1611 char csv_separator[2]; 1612 u_int8_t has_snapshot; 1613 ndpi_private_serializer_status snapshot; 1614 } ndpi_private_serializer; 1615 1616 #define ndpi_private_deserializer ndpi_private_serializer 1617 1618 typedef struct { char c[sizeof(ndpi_private_serializer)]; } ndpi_serializer; 1619 1620 #define ndpi_deserializer ndpi_serializer 1621 1622 typedef struct { 1623 char *str; 1624 u_int16_t str_len; 1625 } ndpi_string; 1626 1627 /* **************************************** */ 1628 1629 struct ndpi_analyze_struct { 1630 u_int32_t *values; 1631 u_int32_t min_val, max_val, sum_total, num_data_entries, next_value_insert_index; 1632 u_int16_t num_values_array_len /* length of the values array */; 1633 1634 struct { 1635 u_int64_t sum_square_total; 1636 } stddev; 1637 }; 1638 1639 #define DEFAULT_SERIES_LEN 64 1640 #define MAX_SERIES_LEN 512 1641 #define MIN_SERIES_LEN 8 1642 1643 /* **************************************** */ 1644 1645 struct ndpi_rsi_struct { 1646 u_int8_t empty:1, rsi_ready:1, _notused:6; 1647 u_int16_t num_values, next_index; 1648 u_int32_t *gains, *losses; 1649 u_int32_t last_value, total_gains, total_losses; 1650 }; 1651 1652 /* **************************************** */ 1653 1654 struct ndpi_jitter_struct { 1655 u_int8_t empty:1, jitter_ready:1, _notused:6; 1656 u_int16_t num_values, next_index; 1657 float *observations, last_value, jitter_total; 1658 }; 1659 1660 /* **************************************** */ 1661 1662 #ifndef AF_MAC 1663 #define AF_MAC 99 1664 #endif 1665 1666 typedef void (*ndpi_void_fn_t)(void *data); 1667 typedef void (*ndpi_void_fn2_t)(ndpi_prefix_t *prefix, void *data); 1668 typedef void (*ndpi_void_fn3_t)(ndpi_patricia_node_t *node, void *data, void *user_data); 1669 1670 /* **************************************** */ 1671 1672 typedef struct ndpi_ptree ndpi_ptree_t; 1673 1674 /* **************************************** */ 1675 1676 struct ndpi_hll { 1677 u_int8_t bits; 1678 size_t size; 1679 u_int8_t *registers; 1680 }; 1681 1682 /* **************************************** */ 1683 1684 enum ndpi_bin_family { 1685 ndpi_bin_family8, 1686 ndpi_bin_family16, 1687 ndpi_bin_family32 1688 }; 1689 1690 struct ndpi_bin { 1691 u_int8_t num_bins, is_empty; 1692 enum ndpi_bin_family family; 1693 1694 union { 1695 u_int8_t *bins8; /* num_bins bins */ 1696 u_int16_t *bins16; /* num_bins bins */ 1697 u_int32_t *bins32; /* num_bins bins */ 1698 } u; 1699 }; 1700 1701 /* **************************************** */ 1702 1703 struct ndpi_str_hash_info { 1704 char *key; /* Key */ 1705 u_int8_t key_len; 1706 u_int8_t value; /* Value */ 1707 struct ndpi_str_hash_info *next; 1708 }; 1709 1710 typedef struct { 1711 u_int32_t num_buckets, max_num_entries; 1712 struct ndpi_str_hash_info **buckets; 1713 } ndpi_str_hash; 1714 1715 1716 /* **************************************** */ 1717 1718 #define HW_HISTORY_LEN 4 1719 #define MAX_SQUARE_ERROR_ITERATIONS 64 /* MUST be < num_values_rollup (256 max) */ 1720 1721 struct ndpi_hw_struct { 1722 struct { 1723 u_int8_t use_hw_additive_seasonal; 1724 double alpha, beta, gamma, ro; 1725 u_int16_t num_season_periods; /* num of values of a season */ 1726 } params; 1727 1728 struct { 1729 double sum_square_error; 1730 u_int8_t num_values_rollup; 1731 } prev_error; 1732 1733 u_int32_t num_values; 1734 double u, v, sum_square_error; 1735 1736 /* These two values need to store the signal history */ 1737 u_int64_t *y; 1738 double *s; 1739 }; 1740 1741 struct ndpi_ses_struct { 1742 struct { 1743 double alpha, ro; 1744 } params; 1745 1746 struct { 1747 double sum_square_error; 1748 u_int8_t num_values_rollup; 1749 } prev_error; 1750 1751 u_int32_t num_values; 1752 double sum_square_error, last_forecast, last_value; 1753 }; 1754 1755 struct ndpi_des_struct { 1756 struct { 1757 double alpha, beta, ro; 1758 } params; 1759 1760 struct { 1761 double sum_square_error; 1762 u_int8_t num_values_rollup; 1763 } prev_error; 1764 1765 u_int32_t num_values; 1766 double sum_square_error, last_forecast, last_trend, last_value; 1767 }; 1768 1769 /* **************************************** */ 1770 1771 /* Prototype used to define custom DGA detection function */ 1772 typedef int (*ndpi_custom_dga_predict_fctn)(const char* domain, int domain_length); 1773 1774 /* **************************************** */ 1775 1776 #endif /* __NDPI_TYPEDEFS_H__ */ 1777