Implemented Mikrotik discovery protocol dissection and metadata extraction
lucaderi committed Nov 14, 2024
1 parent dfc3168 commit 946015a
Showing 140 changed files with 599 additions and 429 deletions.
1 change: 1 addition & 0 deletions src/include/ndpi_private.h
Expand Up @@ -759,6 +759,7 @@ void init_maplestory_dissector(struct ndpi_detection_module_struct *ndpi_struct,
void init_megaco_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_mgcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_mining_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_mikrotik_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_mms_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_monero_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
void init_nats_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
1 change: 1 addition & 0 deletions src/include/ndpi_protocol_ids.h
Expand Up @@ -465,6 +465,7 @@ typedef enum {
NDPI_PROTOCOL_SHEIN = 434,
NDPI_PROTOCOL_TEMU = 435,
NDPI_PROTOCOL_TAOBAO = 436,
NDPI_PROTOCOL_MIKROTIK = 437,

#ifdef CUSTOM_NDPI_PROTOCOLS
#include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"
8 changes: 7 additions & 1 deletion src/include/ndpi_typedefs.h
Expand Up @@ -1532,7 +1532,13 @@ struct ndpi_flow_struct {
char *to;
char to_imsi[16];
} sip;
} protos;

struct {
char mac_addr[6], identity[16], version[48], sw_id[16], board[32], iface_name[32];
u_int32_t ipv4_addr, uptime;
struct ndpi_in6_addr ipv6_addr;
} mikrotik;
} protos;

/* **Packet** metadata for flows where monitoring is enabled. It is reset after each packet! */
struct ndpi_metadata_monitoring *monit;
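Review bot: The new `mikrotik` member is undocumented: nothing states that the `char` arrays other than `mac_addr` are NUL-terminated strings (the dissector in src/lib/protocols/mikrotik.c fills them with `snprintf` bounded by `sizeof`, so they are terminated but may be truncated), nor that `mac_addr` holds six raw octets copied with `memcpy`. Suggest a comment above the struct, `/* MNDP (UDP/5678) attributes; strings are NUL-terminated and truncated to the array size, mac_addr is raw bytes, ipv4_addr/uptime are host byte order */`, and consider `u_int8_t mac_addr[6]` since it is never treated as text. The enclosing `struct ndpi_flow_struct` begins and ends outside this hunk.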
7 changes: 7 additions & 0 deletions src/lib/ndpi_main.c
Expand Up @@ -1634,6 +1634,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
"MPEG_TS", NDPI_PROTOCOL_CATEGORY_MEDIA,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_MIKROTIK,
"Mikrotik", NDPI_PROTOCOL_CATEGORY_NETWORK,
ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
/* http://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution */
ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_LLMNR,
"LLMNR", NDPI_PROTOCOL_CATEGORY_NETWORK,
Expand Down Expand Up @@ -5950,6 +5954,9 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
/* KAKAOTALK_VOICE */
init_kakaotalk_voice_dissector(ndpi_str, &a);

/* MIKROTIK */
init_mikrotik_dissector(ndpi_str, &a);

/* MPEGTS */
init_mpegts_dissector(ndpi_str, &a);

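Review bot: The Mikrotik defaults register no UDP port on the `ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */` line, although the dissector added in src/lib/protocols/mikrotik.c accepts only datagrams to UDP/5678, so port-based guessing can never propose this protocol for flows the dissector does not see. If that is intended it deserves a short comment, e.g. `/* UDP/5678 deliberately not registered: MNDP is identified only by DPI */`; otherwise `ndpi_build_default_ports(ports_b, 5678, 0, 0, 0, 0) /* UDP */` would be consistent with the dissector. The enclosing ndpi_init_protocol_defaults starts and ends outside this hunk; the second hunk (init_mikrotik_dissector registration) needs nothing.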
16 changes: 8 additions & 8 deletions src/lib/protocols/ajp.c
Expand Up @@ -35,7 +35,7 @@ enum ajp_direction {
enum ajp_packet_type {
AJP_UNKNOWN = 0,

/* packet types */
/* packet types */
AJP_FORWARD_REQUEST = 2,
AJP_SEND_BODY_CHUNK = 3,
AJP_SEND_HEADERS = 4,
Expand All @@ -56,10 +56,10 @@ struct ajp_header {
} PACK_OFF;

static void set_ajp_detected(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_flow_struct *flow) {

if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AJP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}
}

Expand Down Expand Up @@ -121,13 +121,13 @@ static void ndpi_search_ajp(struct ndpi_detection_module_struct *ndpi_struct,


void init_ajp_dissector(struct ndpi_detection_module_struct *ndpi_struct,
u_int32_t *id)
u_int32_t *id)
{
ndpi_set_bitmask_protocol_detection("AJP", ndpi_struct,
*id, NDPI_PROTOCOL_AJP, ndpi_search_ajp,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);
*id, NDPI_PROTOCOL_AJP, ndpi_search_ajp,
NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
SAVE_DETECTION_BITMASK_AS_UNKNOWN,
ADD_TO_DETECTION_BITMASK);

*id += 1;
}
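--- a/src/lib/protocols/mikrotik.c
+++ b/src/lib/protocols/mikrotik.c
@@ -0,0 +1,120 @@
+/*
+* mikrotik.c
+*
+* Copyright (C) 2012-24 - ntop.org
+*
+* nDPI is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Lesser General Public License as published by
+* the Free Software Foundation, either version 3 of the License, or
+* (at your option) any later version.
+*
+* nDPI is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public License
+* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MIKROTIK
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+/* ********************************* */
+
+static void ndpi_search_mikrotik(struct ndpi_detection_module_struct *ndpi_struct,
+struct ndpi_flow_struct *flow) {
+struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+
+NDPI_LOG_DBG(ndpi_struct, "search MIKROTIK\n");
+
+if((packet->iph && (packet->iph->daddr== 0xFFFFFFFF))
+|| (packet->iphv6 && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000 /* ff02:: */))
+) {
+if(ntohs(packet->udp->dest) == 5678) {
+const u_int8_t *payload;
+u_int16_t offset;
+
+if (packet->payload_packet_len < 8) {
+NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+return;
+} else {
+offset = 4;
+payload = packet->payload;
+}
+
+while((offset+4) < packet->payload_packet_len) {
+u_int16_t m_type = ((u_int16_t)payload[offset] << 8) + payload[offset+1];
+u_int16_t m_len = ((u_int16_t)payload[offset+2] << 8) + payload[offset+3];
+
+// printf("%d\n", m_type);
+
+if((m_len+offset) < packet->payload_packet_len) {
+switch(m_type) {
+case 1 /* MAC Address */:
+if(m_len == 6)
+memcpy(flow->protos.mikrotik.mac_addr, &payload[offset+4], m_len);
+break;
+case 5 /* Identity */:
+snprintf(flow->protos.mikrotik.identity, sizeof(flow->protos.mikrotik.identity),
+"%.*s", m_len, &payload[offset+4]);
+break;
+case 7 /* Version */:
+snprintf(flow->protos.mikrotik.version, sizeof(flow->protos.mikrotik.version),
+"%.*s", m_len, &payload[offset+4]);
+break;
+case 10: /* Uptime */
+if(m_len == 4)
+flow->protos.mikrotik.uptime = ntohl(*((u_int32_t*)&payload[offset+4]));
+break;
+case 11: /* Software-ID */
+snprintf(flow->protos.mikrotik.sw_id, sizeof(flow->protos.mikrotik.sw_id),
+"%.*s", m_len, &payload[offset+4]);
+break;
+case 12: /* Board */
+snprintf(flow->protos.mikrotik.board, sizeof(flow->protos.mikrotik.board),
+"%.*s", m_len, &payload[offset+4]);
+break;
+case 15: /* IPv6 */
+if(m_len == 16)
+memcpy(&flow->protos.mikrotik.ipv6_addr, &payload[offset+4], m_len);
+break;
+case 16: /* Interface Name */
+snprintf(flow->protos.mikrotik.iface_name, sizeof(flow->protos.mikrotik.iface_name),
+"%.*s", m_len, &payload[offset+4]);
+break;
+case 14: /* IPv4 */
+if(m_len == 4)
+flow->protos.mikrotik.ipv4_addr = ntohl(*((u_int32_t*)&payload[offset+4]));
+break;
+}
+
+offset += 4 + m_len;
+} else
+break;
+} /* while */
+
+ndpi_set_detected_protocol(ndpi_struct, flow,
+NDPI_PROTOCOL_MIKROTIK,
+NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+}
+} else
+NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+/* ********************************* */
+
+void init_mikrotik_dissector(struct ndpi_detection_module_struct *ndpi_struct,
+u_int32_t *id) {
+ndpi_set_bitmask_protocol_detection("MIKROTIK", ndpi_struct,
+*id, NDPI_PROTOCOL_MIKROTIK, ndpi_search_mikrotik,
+NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+ADD_TO_DETECTION_BITMASK);
+
+*id += 1;
+}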
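Review bot: The TLV bound check `if((m_len+offset) < packet->payload_packet_len)` in ndpi_search_mikrotik does not account for the 4-byte type/length header, so a value that ends up to 4 bytes past the end of the payload still passes and the following `memcpy`/`snprintf` read beyond the packet (for example payload_packet_len 12, offset 4, m_len 7: 11 < 12 passes, yet bytes up to index 14 are read); the value occupies `[offset+4, offset+4+m_len)`, so the check must be `if((offset + 4 + m_len) <= packet->payload_packet_len)`. The two `ntohl(*((u_int32_t*)&payload[offset+4]))` reads in the Uptime and IPv4 cases dereference a 4-byte word at an arbitrary payload offset, which is a misaligned access; copying into a local with `memcpy` avoids it. The leftover `// printf("%d\n", m_type);` debug line should be dropped. The rewritten lines are below; everything else in the loop stays as is.
```c
      while((offset+4) < packet->payload_packet_len) {
        u_int16_t m_type = ((u_int16_t)payload[offset] << 8) + payload[offset+1];
        u_int16_t m_len = ((u_int16_t)payload[offset+2] << 8) + payload[offset+3];

        /* value spans [offset+4, offset+4+m_len); it must end inside the payload */
        if((offset + 4 + m_len) <= packet->payload_packet_len) {
          switch(m_type) {
          /* … unchanged: cases 1, 5, 7, 11, 12, 15, 16 … */
          case 10: /* Uptime */
            if(m_len == 4) {
              u_int32_t v;
              memcpy(&v, &payload[offset+4], sizeof(v)); /* payload offset is not aligned */
              flow->protos.mikrotik.uptime = ntohl(v);
            }
            break;
          case 14: /* IPv4 */
            if(m_len == 4) {
              u_int32_t v;
              memcpy(&v, &payload[offset+4], sizeof(v));
              flow->protos.mikrotik.ipv4_addr = ntohl(v);
            }
            break;
          }

          offset += 4 + m_len;
        } else
          break;
      } /* while */
```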
2 changes: 1 addition & 1 deletion tests/cfgs/caches_cfg/result/teams.pcap.out
Expand Up @@ -7,7 +7,7 @@ Confidence Unknown : 1 (flows)
Confidence Match by port : 1 (flows)
Confidence DPI (partial) : 1 (flows)
Confidence DPI : 80 (flows)
Num dissector calls: 525 (6.33 diss/flow)
Num dissector calls: 526 (6.34 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/9/0 (insert/search/found)
LRU cache stun: 30/0/0 (insert/search/found)
2 changes: 1 addition & 1 deletion tests/cfgs/caches_global/result/lru_ipv6_caches.pcapng.out
Expand Up @@ -2,7 +2,7 @@ DPI Packets (TCP): 9 (3.00 pkts/flow)
DPI Packets (UDP): 35 (3.89 pkts/flow)
Confidence DPI (cache) : 4 (flows)
Confidence DPI : 8 (flows)
Num dissector calls: 599 (49.92 diss/flow)
Num dissector calls: 605 (50.42 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 25/4/2 (insert/search/found)
LRU cache stun: 6/0/0 (insert/search/found)
2 changes: 1 addition & 1 deletion tests/cfgs/caches_global/result/teams.pcap.out
Expand Up @@ -7,7 +7,7 @@ Confidence Unknown : 1 (flows)
Confidence Match by port : 1 (flows)
Confidence DPI (partial) : 5 (flows)
Confidence DPI : 76 (flows)
Num dissector calls: 525 (6.33 diss/flow)
Num dissector calls: 526 (6.34 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/9/0 (insert/search/found)
LRU cache stun: 30/0/0 (insert/search/found)
2 changes: 1 addition & 1 deletion tests/cfgs/caches_global/result/zoom_p2p.pcapng.out
@@ -1,7 +1,7 @@
DPI Packets (UDP): 28 (2.80 pkts/flow)
DPI Packets (other): 2 (1.00 pkts/flow)
Confidence DPI : 12 (flows)
Num dissector calls: 518 (43.17 diss/flow)
Num dissector calls: 522 (43.50 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache stun: 8/0/0 (insert/search/found)
Binary file added tests/cfgs/default/pcap/mikrotik_mndp.pcap
Binary file not shown.

0 comments on commit 946015a
