1 /*
2 * world_of_warcraft.c
3 *
4 * Copyright (C) 2009-11 - ipoque GmbH
5 * Copyright (C) 2011-21 - ntop.org
6 *
7 * This file is part of nDPI, an open source deep packet inspection
8 * library based on the OpenDPI and PACE technology by ipoque GmbH
9 *
10 * nDPI is free software: you can redistribute it and/or modify
11 * it under the terms of the GNU Lesser General Public License as published by
12 * the Free Software Foundation, either version 3 of the License, or
13 * (at your option) any later version.
14 *
15 * nDPI is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU Lesser General Public License for more details.
19 *
20 * You should have received a copy of the GNU Lesser General Public License
21 * along with nDPI. If not, see <http://www.gnu.org/licenses/>.
22 *
23 */
24 #include "ndpi_protocol_ids.h"
25
26 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WORLDOFWARCRAFT
27
28 #include "ndpi_api.h"
29
ndpi_int_worldofwarcraft_add_connection(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)30 static void ndpi_int_worldofwarcraft_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
31 struct ndpi_flow_struct *flow/* , */
32 /* ndpi_protocol_type_t protocol_type */)
33 {
34 ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WORLDOFWARCRAFT, NDPI_PROTOCOL_UNKNOWN);
35 }
36
37
38 #if !defined(WIN32)
39 static inline
40 #elif defined(MINGW_GCC)
41 __mingw_forceinline static
42 #else
43 __forceinline static
44 #endif
ndpi_int_is_wow_port(const u_int16_t port)45 u_int8_t ndpi_int_is_wow_port(const u_int16_t port)
46 {
47 if (port == htons(3724) || port == htons(6112) || port == htons(6113) ||
48 port == htons(6114) || port == htons(4000) || port == htons(1119)) {
49 return 1;
50 }
51 return 0;
52 }
53
ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct * ndpi_struct,struct ndpi_flow_struct * flow)54 void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct
55 *ndpi_struct, struct ndpi_flow_struct *flow)
56 {
57 struct ndpi_packet_struct *packet = &flow->packet;
58
59 struct ndpi_id_struct *src = flow->src;
60 struct ndpi_id_struct *dst = flow->dst;
61
62 NDPI_LOG_DBG(ndpi_struct, "search World of Warcraft\n");
63
64 if (packet->tcp != NULL) {
65 /*
66 if ((packet->payload_packet_len > NDPI_STATICSTRING_LEN("POST /") &&
67 memcmp(packet->payload, "POST /", NDPI_STATICSTRING_LEN("POST /")) == 0) ||
68 (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /") &&
69 memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0)) {
70 ndpi_parse_packet_line_info(ndpi_struct, flow);
71 if (packet->user_agent_line.ptr != NULL &&
72 packet->user_agent_line.len == NDPI_STATICSTRING_LEN("Blizzard Web Client") &&
73 memcmp(packet->user_agent_line.ptr, "Blizzard Web Client",
74 NDPI_STATICSTRING_LEN("Blizzard Web Client")) == 0) {
75 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
76 NDPI_LOG_DBG(ndpi_struct, "World of Warcraft: Web Client found\n");
77 return;
78 }
79 }
80 */
81 if (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /")
82 && memcmp(packet->payload, "GET /", NDPI_STATICSTRING_LEN("GET /")) == 0) {
83 ndpi_parse_packet_line_info(ndpi_struct, flow);
84 if (packet->user_agent_line.ptr != NULL && packet->host_line.ptr != NULL
85 && packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Blizzard Downloader")
86 && packet->host_line.len > NDPI_STATICSTRING_LEN("worldofwarcraft.com")
87 && memcmp(packet->user_agent_line.ptr, "Blizzard Downloader",
88 NDPI_STATICSTRING_LEN("Blizzard Downloader")) == 0
89 && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("worldofwarcraft.com")],
90 "worldofwarcraft.com", NDPI_STATICSTRING_LEN("worldofwarcraft.com")) == 0) {
91 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
92 NDPI_LOG_INFO(ndpi_struct,
93 "World of Warcraft: Web Client found\n");
94 return;
95 }
96 }
97 if (packet->payload_packet_len == 50 && memcmp(&packet->payload[2], "WORLD OF WARCRAFT CONNECTION",
98 NDPI_STATICSTRING_LEN("WORLD OF WARCRAFT CONNECTION")) == 0) {
99 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
100 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: Login found\n");
101 return;
102 }
103 if (packet->tcp->dest == htons(3724) && packet->payload_packet_len < 70
104 && packet->payload_packet_len > 40 && (memcmp(&packet->payload[4], "WoW", 3) == 0
105 || memcmp(&packet->payload[5], "WoW", 3) == 0)) {
106 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
107 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: Login found\n");
108 return;
109 }
110
111 if (NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_WORLDOFWARCRAFT) != 0) {
112 if (packet->tcp->source == htons(3724)
113 && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) {
114 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
115 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
116 return;
117 }
118
119 }
120
121 /* for some well known WoW ports
122 check another pattern */
123 if (flow->l4.tcp.wow_stage == 0) {
124 if (ndpi_int_is_wow_port(packet->tcp->source) &&
125 packet->payload_packet_len >= 14 &&
126 ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2)) {
127 if (get_u_int32_t(packet->payload, 2) == htonl(0xec010100)) {
128
129 NDPI_LOG_DBG2(ndpi_struct, "probably World of Warcraft, waiting for final packet\n");
130 flow->l4.tcp.wow_stage = 2;
131 return;
132 } else if (packet->payload_packet_len == 41 &&
133 (get_u_int16_t(packet->payload, 2) == htons(0x0085) ||
134 get_u_int16_t(packet->payload, 2) == htons(0x0034) ||
135 get_u_int16_t(packet->payload, 2) == htons(0x1960))) {
136 NDPI_LOG_DBG2(ndpi_struct, "maybe World of Warcraft, need next\n");
137 flow->l4.tcp.wow_stage = 1;
138 return;
139 }
140 }
141 }
142
143 if (flow->l4.tcp.wow_stage == 1) {
144 if (packet->payload_packet_len == 325 &&
145 ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2) &&
146 get_u_int16_t(packet->payload, 4) == 0 &&
147 (get_u_int16_t(packet->payload, packet->payload_packet_len - 3) == htons(0x2331) ||
148 get_u_int16_t(packet->payload, 67) == htons(0x2331)) &&
149 (memcmp
150 (&packet->payload[packet->payload_packet_len - 18],
151 "\x94\xec\xff\xfd\x67\x62\xd4\x67\xfb\xf9\xdd\xbd\xfd\x01\xc0\x8f\xf9\x81", 18) == 0
152 || memcmp(&packet->payload[packet->payload_packet_len - 30],
153 "\x94\xec\xff\xfd\x67\x62\xd4\x67\xfb\xf9\xdd\xbd\xfd\x01\xc0\x8f\xf9\x81", 18) == 0)) {
154 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
155 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
156 return;
157 }
158 if (packet->payload_packet_len > 32 &&
159 ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2)) {
160 if (get_u_int16_t(packet->payload, 4) == 0) {
161
162 NDPI_LOG_DBG2(ndpi_struct, "probably World of Warcraft, waiting for final packet\n");
163 flow->l4.tcp.wow_stage = 2;
164 return;
165 } else if (get_u_int32_t(packet->payload, 2) == htonl(0x12050000)) {
166 NDPI_LOG_DBG2(ndpi_struct, "probably World of Warcraft, waiting for final packet\n");
167 flow->l4.tcp.wow_stage = 2;
168 return;
169 }
170 }
171 }
172
173 if (flow->l4.tcp.wow_stage == 2) {
174 if (packet->payload_packet_len == 4) {
175 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
176 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
177 return;
178 } else if (packet->payload_packet_len > 4 && packet->payload_packet_len <= 16 && packet->payload[4] == 0x0c) {
179 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
180 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
181 return;
182 } else if (flow->packet_counter < 3) {
183 NDPI_LOG_DBG2(ndpi_struct, "waiting for final packet\n");
184 return;
185 }
186 }
187 if (flow->l4.tcp.wow_stage == 0 && packet->tcp->dest == htons(1119)) {
188 /* special log in port for battle.net/world of warcraft */
189
190 if (packet->payload_packet_len >= 77 &&
191 get_u_int32_t(packet->payload, 0) == htonl(0x40000aed) && get_u_int32_t(packet->payload, 4) == htonl(0xea070aed)) {
192
193 ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow);
194 NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n");
195 return;
196 }
197 }
198 }
199
200 NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
201 }
202
203
init_world_of_warcraft_dissector(struct ndpi_detection_module_struct * ndpi_struct,u_int32_t * id,NDPI_PROTOCOL_BITMASK * detection_bitmask)204 void init_world_of_warcraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
205 {
206 ndpi_set_bitmask_protocol_detection("WorldOfWarcraft", ndpi_struct, detection_bitmask, *id,
207 NDPI_PROTOCOL_WORLDOFWARCRAFT,
208 ndpi_search_worldofwarcraft,
209 NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
210 SAVE_DETECTION_BITMASK_AS_UNKNOWN,
211 ADD_TO_DETECTION_BITMASK);
212
213 *id += 1;
214 }
215
216