Luca Deri
14b076a58b
Improved TCP fingerprint
2024-10-20 22:25:55 +02:00
Luca Deri
0cc84e4fdd
Improved TCP fingepring calculation
...
Adde basidc OS detection based on TCP fingerprint
2024-10-18 23:47:34 +02:00
Luca Deri
0ef0752c80
Increased struct ndpi_flow_struct size ( #2596 )
...
Build fix
2024-10-18 07:17:03 +02:00
Ivan Nardi
85501c9aaa
FPC: add DPI information ( #2514 )
...
If the flow is classified (via DPI) after the first packet, we should
use this information as FPC
2024-07-23 08:50:27 +02:00
Ivan Nardi
65e31b0ea3
FPC: small improvements ( #2512 )
...
Add printing of fpc_dns statistics and add a general cconfiguration option.
Rework the code to be more generic and ready to handle other logics.
2024-07-22 17:42:23 +02:00
Ivan Nardi
843e487270
Add infrastructure for explicit support of Fist Packet Classification ( #2488 )
...
Let's start with some basic helpers and with FPC based on flow addresses.
See: #2322
2024-07-03 18:02:07 +02:00
Nardi Ivan
526cf6f291
Zoom: remove "stun_zoom" LRU cache
...
Since 070a0908b
2024-06-17 10:19:55 +02:00
Ivan Nardi
fd02baa13a
DTLS: fix JA4 fingerprint ( #2446 )
2024-05-21 18:13:25 +02:00
Ivan Nardi
95fe21015d
Remove "zoom" cache ( #2420 )
...
This cache was added in b6b4967aa63f349319
2024-05-06 12:51:45 +02:00
Ivan Nardi
e31ef00715
TLS: avoid setting NDPI_TLS_SELFSIGNED_CERTIFICATE for webrtc traffic ( #2417 )
...
See RFC8122: it is quite likely that STUN/DTLS/SRTP flows use
self-signed certificates
Follow-up of b287d6ec8
2024-05-06 10:20:07 +02:00
Luca Deri
57ecbf38c0
Updated JA4 test results
2024-05-02 17:40:24 +02:00
Ivan Nardi
0535e54484
STUN: fix boundary checks on attribute list parsing ( #2387 )
...
Restore all unit tests.
Add some configuration knobs.
Fix the endianess.
2024-04-12 22:55:51 +02:00
Luca Deri
b83eb7c7a2
Implemented STUN peer_address, relayed_address, response_origin, other_address parsing
...
Added code to ignore invalid STUN realm
Extended JSON output with STUN information
2024-04-12 19:50:04 +02:00
Ivan Nardi
1b3ef7d7b2
STUN: improve extraction of Mapped-Address metadata ( #2370 )
...
Enable parsing of Mapped-Address attribute for all STUN flows: that
means that STUN classification might require more packets.
Add a configuration knob to enable/disable this feature.
Note that we can have (any) STUN metadata also for flows *not*
classified as STUN (because of DTLS).
Add support for ipv6.
Restore the correct extra dissection logic for Telegram flows.
2024-04-08 10:24:51 +02:00
Nardi Ivan
b287d6ec85
TLS: avoid setting some flow risks for webrtc traffic
...
Is quite rare to have a SNI or an ALPN on Client Hello of STUN/DTLS/SRTP
traffic
2024-02-26 10:20:05 +01:00
Ivan Nardi
c83698c957
STUN: fix flow risks when DTLS packets are found ( #2266 )
...
When switching to (D)TLS dissector from the STUN one, we need to clear
any flow risks set from the latter (because we don't have anymore
`NDPI_PROTOCOL_STUN` in the classification results)
2024-01-19 08:57:39 +01:00
Ivan Nardi
40797521af
ndpiReader: add breed stats on output used for CI ( #2236 )
2024-01-05 13:02:39 +01:00
Luca Deri
8285fffdae
Implements JA4 Support ( #2191 )
2023-12-22 20:40:42 +01:00
Ivan Nardi
241c42ad7e
ndpiReader: fix guessed_flow_protocols statistic ( #2203 )
...
Increment the counter only if the flow has been guessed
2023-12-12 19:44:03 +01:00
Ivan Nardi
42d24f8799
STUN: major code rework ( #2116 )
...
Try to have a faster classification, on first packet; use standard extra
dissection data path for sub-classification, metadata extraction and
monitoring.
STUN caches:
* use the proper confidence value
* lookup into the caches only once per flow, after having found a proper
STUN classification
Add identification of Telegram VoIP calls.
2023-10-30 10:28:19 +01:00
Ivan Nardi
32b50f5aa4
IPv6: add support for IPv6 risk exceptions ( #2122 )
2023-10-29 12:14:20 +01:00
Ivan Nardi
e8e4b9e8ff
IPv6: add support for IPv6 risk tree ( #2118 )
...
Fix the script to download crawler addressess
2023-10-27 13:58:15 +02:00
Ivan Nardi
8b07be4b9f
Jabber: remove support for UDP ( #2115 )
...
Jabber/XMPP is only over TCP (even the name `ndpi_search_jabber_tcp`
suggests that...).
Bug introduced in 5266c726f
2023-10-26 20:16:27 +02:00
Ivan Nardi
611c3b66f0
ipv6: add support for ipv6 addresses lists ( #2113 )
2023-10-26 20:15:44 +02:00
Toni
e70333de87
Added generic Google Protobuf dissector. ( #2109 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-24 12:18:31 +02:00
Toni Uhlig
a443bba0dd
Add CAN over Ethernet dissector.
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-23 13:45:56 +02:00
Toni Uhlig
f69909d49b
Add Remote Management Control Protocol (RMCP).
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-10-19 19:50:57 +02:00
Toni
e4d3d619bc
Add Service Location Protocol dissector. ( #2036 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-08-01 08:50:46 +02:00
Luca Deri
fea09e825b
Fixes risk mask exception handling while improving the overall performance
2023-07-14 19:52:34 +02:00
Ivan Nardi
2c7fb91794
Hangout: detect Hangout/Duo/GoogleMeet/... in the STUN code ( #2025 )
...
Regardless of the name, the removed trace doesn't contain meaningful
Hangout traffic.
Remove last piece of sub-classifiction based only on ip addresses.
2023-06-27 10:33:28 +02:00
Toni
1678888284
Add Apache Thrift protocol dissector. ( #2007 )
...
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
2023-06-22 13:07:32 +02:00
Ivan Nardi
3608ab01b6
STUN: keep monitoring/processing STUN flows ( #2012 )
...
Look for RTP packets in the STUN sessions.
TODO: tell RTP from RTCP
2023-06-21 09:16:20 +02:00
Ivan Nardi
b11e6a453b
Add support for Epic Games and GeForceNow/Nvidia ( #1990 )
2023-05-27 12:13:54 +02:00
