Merge branch 'dev' into config2

Author: IvanNardi

doc/protocols.rst

@@ -324,3 +324,30 @@ References: `Wireshark wiki: <https://wiki.wireshark.org/EtherSBus>`_.
 `NDPI_PROTOCOL_MONERO`
 ======================
 Monero is a private and decentralized cryptocurrency with focus on confidentiality and security.
+
+
+.. _Proto 370:
+
+`NDPI_PROTOCOL_DCERPC`
+======================
+DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.
+
+References: `Wireshark wiki: <https://wiki.wireshark.org/DCE/RPC>`_.
+
+
+.. _Proto 371:
+
+`NDPI_PROTOCOL_PROFINET_IO`
+======================
+PROFINET/IO is a field bus protocol based on connectionless DCE/RPC.
+
+References: `Protocol Specs: <https://www.profibus.com/download/profinet-specification>`_.
+
+
+.. _Proto 372:
+
+`NDPI_PROTOCOL_HISLIP`
+======================
+High-Speed LAN Instrument Protocol (HiSLIP) is a protocol for remote instrument control of LAN-based test and measurement instruments.
+
+References: `Protocol Specs: <https://www.ivifoundation.org/downloads/Protocol%20Specifications/IVI-6.1_HiSLIP-2.0-2020-04-23.pdf>`_.

src/include/ndpi_protocol_ids.h

@@ -398,6 +398,9 @@ typedef enum {
   NDPI_PROTOCOL_IEEE_C37118           = 367,
   NDPI_PROTOCOL_ETHERSBUS             = 368,
   NDPI_PROTOCOL_MONERO                = 369,
+  NDPI_PROTOCOL_DCERPC                = 370,
+  NDPI_PROTOCOL_PROFINET_IO           = 371,
+  NDPI_PROTOCOL_HISLIP                = 372,
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_protocol_ids.h"

src/lib/ndpi_main.c

@@ -1480,7 +1480,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_RPC,
 			  "RPC", NDPI_PROTOCOL_CATEGORY_RPC,
-			  ndpi_build_default_ports(ports_a, 135, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_NETFLOW,
 			  "NetFlow", NDPI_PROTOCOL_CATEGORY_NETWORK,
@@ -2148,6 +2148,22 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
               "Monero", NDPI_PROTOCOL_CATEGORY_CRYPTO_CURRENCY,
               ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
               ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_DCERPC,
+			  "DCERPC", NDPI_PROTOCOL_CATEGORY_RPC,
+			  ndpi_build_default_ports(ports_a, 135, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_b, 135, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_subprotocols(ndpi_str, NDPI_PROTOCOL_DCERPC,
+			      NDPI_PROTOCOL_PROFINET_IO,
+            NDPI_PROTOCOL_MATCHED_BY_CONTENT,
+			      NDPI_PROTOCOL_NO_MORE_SUBPROTOCOLS);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_PROFINET_IO,
+			  "PROFINET_IO", NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
+			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, 0 /* nw proto */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HISLIP,
+			  "HiSLIP", NDPI_PROTOCOL_CATEGORY_IOT_SCADA,
+			  ndpi_build_default_ports(ports_a, 4880, 0, 0, 0, 0) /* TCP */,
+			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main.c"
@@ -5593,6 +5609,12 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* Monero Protocol */
   init_monero_dissector(ndpi_str, &a);
 
+  /* PROFINET/IO */
+  init_profinet_io_dissector(ndpi_str, &a);
+
+  /* HiSLIP */
+  init_hislip_dissector(ndpi_str, &a);
+
 #ifdef CUSTOM_NDPI_PROTOCOLS
 #include "../../../nDPI-custom/custom_ndpi_main_init.c"
 #endif

src/lib/ndpi_private.h

@@ -606,6 +606,8 @@ void init_beckhoff_ads_dissector(struct ndpi_detection_module_struct *ndpi_struc
 void init_iso9506_1_mms_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_ieee_c37118_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_ethersbus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
+void init_profinet_io_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
+void init_hislip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 
 #endif
 

src/lib/protocols/dcerpc.c

@@ -23,7 +23,7 @@
 
 #include "ndpi_protocol_ids.h"
 
-#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RPC
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC
 
 #include "ndpi_api.h"
 #include "ndpi_private.h"
@@ -32,7 +32,7 @@
 static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct
 					     *ndpi_struct, struct ndpi_flow_struct *flow)
 {
-  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DCERPC, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
 
 static bool is_connection_oriented_dcerpc(struct ndpi_packet_struct *packet, struct ndpi_flow_struct *flow)
@@ -96,8 +96,8 @@ static void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct,
 
 void init_dcerpc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
 {
-  ndpi_set_bitmask_protocol_detection("RPC", ndpi_struct, *id,
-				      NDPI_PROTOCOL_RPC,
+  ndpi_set_bitmask_protocol_detection("DCERPC", ndpi_struct, *id,
+				      NDPI_PROTOCOL_DCERPC,
 				      ndpi_search_dcerpc,
 				      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
 				      SAVE_DETECTION_BITMASK_AS_UNKNOWN,

src/lib/protocols/hislip.c

@@ -0,0 +1,70 @@
+/*
+ * hisleep.c
+ *
+ * High-Speed LAN Instrument Protocol
+ * 
+ * Copyright (C) 2023 - ntop.org
+ * Copyright (C) 2023 - V.G <[email protected]>
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HISLIP
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+static void ndpi_int_hislip_add_connection(struct ndpi_detection_module_struct * const ndpi_struct,
+                                           struct ndpi_flow_struct * const flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found HiSLIP\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow,
+                             NDPI_PROTOCOL_HISLIP,
+                             NDPI_PROTOCOL_UNKNOWN,
+                             NDPI_CONFIDENCE_DPI);
+}
+
+static void ndpi_search_hislip(struct ndpi_detection_module_struct *ndpi_struct,
+                               struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+
+  if ((packet->payload_packet_len >= 16) &&
+      (memcmp(packet->payload, "HS", 2) == 0) && ((packet->payload[2] - 26) < 0x65) &&
+      (ndpi_ntohll(get_u_int64_t(packet->payload, 8)) == (u_int64_t)(packet->payload_packet_len - 16)))
+  {
+    ndpi_int_hislip_add_connection(ndpi_struct, flow);
+    return;
+  }
+
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+void init_hislip_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
+{
+  ndpi_set_bitmask_protocol_detection("HiSLIP", ndpi_struct, *id,
+              NDPI_PROTOCOL_HISLIP,
+              ndpi_search_hislip,
+              NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
+              SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+              ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}

src/lib/protocols/profinet_io.c

@@ -0,0 +1,89 @@
+/*
+ * profinet_io.c
+ *
+ * Copyright (C) 2023 - ntop.org
+ * Copyright (C) 2023 - V.G <[email protected]>
+ *
+ * This file is part of nDPI, an open source deep packet inspection
+ * library based on the OpenDPI and PACE technology by ipoque GmbH
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ * 
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PROFINET_IO
+
+#include "ndpi_api.h"
+#include "ndpi_private.h"
+
+static void ndpi_int_profinet_io_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
+                                                struct ndpi_flow_struct *flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found PROFINET/IO\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow,
+                             NDPI_PROTOCOL_PROFINET_IO, NDPI_PROTOCOL_DCERPC,
+                             NDPI_CONFIDENCE_DPI);
+}
+
+static void ndpi_search_profinet_io(struct ndpi_detection_module_struct *ndpi_struct,
+                                    struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
+
+  NDPI_LOG_DBG(ndpi_struct, "searching PROFINET/IO\n");
+
+  /* PROFINET/IO is based on connectionless DCE/RPC */
+  if ((flow->detected_protocol_stack[0] == NDPI_PROTOCOL_DCERPC) &&
+      (packet->payload_packet_len > 43))
+  {
+    u_int8_t byte_order = (packet->payload[4] >> 4) & 0xF;
+    u_int32_t time_low = 0;
+    u_int16_t time_mid = 0;
+    u_int16_t time_hi_and_version = 0;
+
+    if (byte_order == 0) { /* Big Endian */
+      time_low = ntohl(get_u_int32_t(packet->payload, 8));
+      time_mid = ntohs(get_u_int16_t(packet->payload, 12));
+      time_hi_and_version = ntohs(get_u_int16_t(packet->payload, 14));
+    } else { /* Little Endian */
+      time_low = le32toh(get_u_int32_t(packet->payload, 8));
+      time_mid = le16toh(get_u_int16_t(packet->payload, 12));
+      time_hi_and_version = le16toh(get_u_int16_t(packet->payload, 14));
+    }
+
+    if ((time_low == 0xDEA00000) && (time_mid == 0x6C97) && 
+        (time_hi_and_version == 0x11D1))
+    {
+      ndpi_int_profinet_io_add_connection(ndpi_struct, flow);
+      return;
+    }
+  }
+
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+}
+
+void init_profinet_io_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id)
+{
+  ndpi_set_bitmask_protocol_detection("PROFINET_IO", ndpi_struct, *id,
+                                      NDPI_PROTOCOL_PROFINET_IO,
+                                      ndpi_search_profinet_io,
+                                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+                                      SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+                                      ADD_TO_DETECTION_BITMASK
+                                     );
+
+  *id += 1;
+}

tests/cfgs/caches_cfg/result/ookla.pcap.out

@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 530 (88.33 diss/flow)
+Num dissector calls: 533 (88.83 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

tests/cfgs/caches_cfg/result/teams.pcap.out

@@ -6,7 +6,7 @@ DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 520 (6.27 diss/flow)
+Num dissector calls: 522 (6.29 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)