ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

all packet content is null #1987

Closed alexnovichkov closed 2 months ago

alexnovichkov commented 1 year ago

I'm trying to write a dissector, and all the packet contents are null (TCP and UDP both). So I have nothing to dissect. How can it be possible? Am I missing something? The program I'm trying to dissect uses UDP, and Wireshark captures it OK.

IvanNardi commented 1 year ago

Not sure what you are doing, but "packet content" is always available in packet->payload. Example of trivial code handling a simple UDP protocol: src/lib/protocols/sflow.c

alexnovichkov commented 1 year ago

I thought as much, but all pointers in the ndpi_packet_struct are null and all uints are 0.

IvanNardi commented 1 year ago

As I said, I don't know what you are exactly doing, but if you are ONLY adding a new dissector, please test it with ndpiReader: the packet structure will be filled "automagically" for you.

utoni commented 1 year ago

I thought as much, but all pointers in the ndpi_packet_struct are null and all uints are 0.

Can you please share some code with us?

alexnovichkov commented 1 year ago

Sure

```c
/* two #include lines whose header names were lost in extraction */
#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEEWORLDS
#define NDPI_ENABLE_DEBUG_MESSAGES

#include "ndpi_api.h"

static void ndpi_teeworlds_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
                                          struct ndpi_flow_struct *flow) {
  NDPI_LOG_INFO(ndpi_struct, "found teeworlds\n");
  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEEWORLDS,
                             NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
}

#define TEEWORLDS_CLIENT_TO_SERVERS_PORT   60667
#define TEEWORLDS_CLIENT_TO_SERVERS_PORT_2 21116
#define TEEWORLDS_CLIENT_TO_SERVER_PORT    60565
#define TEEWORLDS_SERVER_TO_CLIENT_PORT    8305

static void ndpi_search_teeworlds(struct ndpi_detection_module_struct *ndpi_struct,
                                  struct ndpi_flow_struct *flow) {
  /* skip marked packets */
  if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_TEEWORLDS) {
    /* the packet being dissected lives inside the detection module;
       it is filled by the detection core before this callback runs */
    struct ndpi_packet_struct *packet = &ndpi_struct->packet;
    NDPI_LOG_DBG(ndpi_struct, "search teeworlds\n");

    if (packet->udp != NULL) {
      const struct ndpi_udphdr *udp = packet->udp;

      u_int16_t s_port = ntohs(udp->source);
      u_int16_t d_port = ntohs(udp->dest);

      /* every get_u_int32_t() read is guarded by a payload_packet_len check
         so that a short datagram is never read past its end */

      /* pattern 1 */
      if (s_port == TEEWORLDS_CLIENT_TO_SERVER_PORT && d_port == TEEWORLDS_SERVER_TO_CLIENT_PORT &&
          packet->payload_packet_len >= 7 && get_u_int32_t(packet->payload, 3) == 0xe5dbe063) {
        ndpi_teeworlds_add_connection(ndpi_struct, flow);
        return; /* do not fall through to the exclude below once detected */
      }
      /* pattern 2 */
      if (d_port == TEEWORLDS_CLIENT_TO_SERVER_PORT && s_port == TEEWORLDS_SERVER_TO_CLIENT_PORT &&
          packet->payload_packet_len >= 7 && get_u_int32_t(packet->payload, 3) == 0x610bf2e5) {
        ndpi_teeworlds_add_connection(ndpi_struct, flow);
        return;
      }
      /* pattern 3 */
      if ((s_port == TEEWORLDS_CLIENT_TO_SERVERS_PORT || d_port == TEEWORLDS_CLIENT_TO_SERVERS_PORT) &&
          packet->payload_packet_len >= 13 && packet->payload[0] == 0x21 &&
          get_u_int32_t(packet->payload, 9) == 0xffffffff) {
        ndpi_teeworlds_add_connection(ndpi_struct, flow);
        return;
      }
      /* pattern 4 */
      if ((s_port == TEEWORLDS_CLIENT_TO_SERVERS_PORT || d_port == TEEWORLDS_CLIENT_TO_SERVERS_PORT) &&
          packet->payload_packet_len >= 8 && packet->payload[0] == 0x04 &&
          packet->payload[1] == 0x00 && packet->payload[2] == 0x00 && packet->payload[7] == 0x05) {
        ndpi_teeworlds_add_connection(ndpi_struct, flow);
        return;
      }
      /* pattern 5 */
      if (d_port == TEEWORLDS_CLIENT_TO_SERVERS_PORT_2 && packet->payload_packet_len == 15 &&
          get_u_int32_t(packet->payload, 0) == 0x320d0a09 &&
          get_u_int32_t(packet->payload, 4) == 0x31363033 &&
          get_u_int32_t(packet->payload, 8) == 0x38363438 &&
          get_u_int32_t(packet->payload, 11) == 0x38311001) {
        ndpi_teeworlds_add_connection(ndpi_struct, flow);
        return;
      }
      /* pattern 6 */
      if (s_port == TEEWORLDS_CLIENT_TO_SERVERS_PORT_2 && packet->payload_packet_len == 2 &&
          get_u_int16_t(packet->payload, 0) == 0x3a00) {
        ndpi_teeworlds_add_connection(ndpi_struct, flow);
        return;
      }
    }

    /* no pattern matched on this packet: stop calling this dissector for the flow */
    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
  }
}

void init_teeworlds_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) {
  ndpi_set_bitmask_protocol_detection("TeeWorlds", ndpi_struct, *id, NDPI_PROTOCOL_TEEWORLDS,
                                      ndpi_search_teeworlds,
                                      NDPI_SELECTION_BITMASK_PROTOCOL_UDP,
                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
                                      ADD_TO_DETECTION_BITMASK);
  *id += 1;
}
```

Wed, 24 May 2023 at 13:20, Toni @.***>:

I thought as much, but all pointers in the ndpi_packet_struct are null and all uints are 0.

Can you please share some code with us?

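The point IvanNardi makes above, as an added stand-alone example that is neither nDPI code nor the reporter's dissector: nDPI's detection core fills `ndpi_packet_struct` from the raw frame before any dissector callback runs, so a search function invoked on a struct nobody filled sees exactly the NULL pointers and zero lengths the issue describes. The model below uses a hypothetical `tw_packet` struct in place of the fields the posted dissector reads, treats an unfilled struct as its own outcome, and keeps every payload read behind a length check; the `tw_*` names, the struct and the constructed datagrams are assumptions, while the ports and byte patterns are those of the posted code. It needs only libc.

```c
/* Added example, not nDPI code: a libc-only model of the contract the
 * thread discusses. tw_* names and the tw_packet struct are hypothetical;
 * the ports and byte patterns are those of the posted dissector. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TW_CLIENT_TO_SERVERS_PORT   60667
#define TW_CLIENT_TO_SERVERS_PORT_2 21116
#define TW_CLIENT_TO_SERVER_PORT    60565
#define TW_SERVER_TO_CLIENT_PORT    8305

/* Stand-in for the ndpi_packet_struct fields the dissector reads. In nDPI the
 * detection core fills these from the raw frame before calling any dissector;
 * a dissector run on a zeroed struct sees exactly what the issue reports. */
struct tw_packet {
  const uint8_t *payload;   /* UDP payload, NULL when never filled */
  uint16_t payload_len;     /* payload length in bytes */
  uint16_t sport, dport;    /* UDP ports, host order */
};

/* get_u_int32_t() in nDPI dereferences 4 payload bytes in host byte order;
 * memcpy yields the same value without an unaligned access. */
static uint32_t tw_u32(const uint8_t *p, size_t off) {
  uint32_t v; memcpy(&v, p + off, sizeof v); return v;
}
static uint16_t tw_u16(const uint8_t *p, size_t off) {
  uint16_t v; memcpy(&v, p + off, sizeof v); return v;
}

/* Returns 1..6 for the first matching pattern, 0 for "not TeeWorlds", and
 * -1 when the struct was never filled. Every read sits behind a length
 * check, so a truncated datagram is never read past its end. */
int tw_match(const struct tw_packet *pkt) {
  if (pkt == NULL || pkt->payload == NULL || pkt->payload_len == 0)
    return -1;
  const uint8_t *pl = pkt->payload;
  uint16_t len = pkt->payload_len, s = pkt->sport, d = pkt->dport;

  if (s == TW_CLIENT_TO_SERVER_PORT && d == TW_SERVER_TO_CLIENT_PORT &&
      len >= 7 && tw_u32(pl, 3) == 0xe5dbe063u) return 1;
  if (d == TW_CLIENT_TO_SERVER_PORT && s == TW_SERVER_TO_CLIENT_PORT &&
      len >= 7 && tw_u32(pl, 3) == 0x610bf2e5u) return 2;
  if ((s == TW_CLIENT_TO_SERVERS_PORT || d == TW_CLIENT_TO_SERVERS_PORT) &&
      len >= 13 && pl[0] == 0x21 && tw_u32(pl, 9) == 0xffffffffu) return 3;
  if ((s == TW_CLIENT_TO_SERVERS_PORT || d == TW_CLIENT_TO_SERVERS_PORT) &&
      len >= 8 && pl[0] == 0x04 && pl[1] == 0x00 && pl[2] == 0x00 && pl[7] == 0x05)
    return 4;
  if (d == TW_CLIENT_TO_SERVERS_PORT_2 && len == 15 &&
      tw_u32(pl, 0) == 0x320d0a09u && tw_u32(pl, 4) == 0x31363033u &&
      tw_u32(pl, 8) == 0x38363438u && tw_u32(pl, 11) == 0x38311001u) return 5;
  if (s == TW_CLIENT_TO_SERVERS_PORT_2 && len == 2 && tw_u16(pl, 0) == 0x3a00u)
    return 6;
  return 0;
}

/* Constructed sample datagram for pattern 1: 7 bytes, marker at offset 3
 * written in host order, the way get_u_int32_t() reads it back. */
static size_t tw_build_pattern1(uint8_t *buf, size_t cap) {
  uint32_t marker = 0xe5dbe063u;
  if (cap < 7) return 0;
  memset(buf, 0, cap);
  memcpy(buf + 3, &marker, sizeof marker);
  return 7;
}

/* Three outcomes a caller can observe: a filled struct matches, the same
 * bytes reported one byte short do not, and a zeroed struct is flagged. */
int tw_demo_filled(void) {
  uint8_t buf[16];
  size_t n = tw_build_pattern1(buf, sizeof buf);
  struct tw_packet p = { buf, (uint16_t)n, TW_CLIENT_TO_SERVER_PORT, TW_SERVER_TO_CLIENT_PORT };
  return tw_match(&p);
}
int tw_demo_truncated(void) {
  uint8_t buf[16];
  tw_build_pattern1(buf, sizeof buf);
  struct tw_packet p = { buf, 6, TW_CLIENT_TO_SERVER_PORT, TW_SERVER_TO_CLIENT_PORT };
  return tw_match(&p);
}
int tw_demo_unfilled(void) {
  struct tw_packet p = { NULL, 0, 0, 0 };
  return tw_match(&p);
}

int main(void) {
  printf("filled struct    -> pattern %d\n", tw_demo_filled());
  printf("truncated to 6 B -> %d (no match)\n", tw_demo_truncated());
  printf("zeroed struct    -> %d (never filled)\n", tw_demo_unfilled());
  return 0;
}
```

With the real library the same contract is met by driving packets through `ndpi_detection_process_packet()`, which is what ndpiReader does, rather than by calling the search callback directly; the `-1` branch here is the situation the issue describes, and the truncated case shows why each read in a dissector must be fenced by a length check.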

IvanNardi commented 2 months ago

Closing. If you still have some issues, please try the latest code. If something is still wrong, open a new ticket with detailed information.