Skip to content

Commit

Permalink
Improved line protocol dissection with heuristic
Browse files Browse the repository at this point in the history
  • Loading branch information
@lucaderi
lucaderi committed Jun 13, 2023
1 parent de3cf26 commit 66bee47
Show file tree
Hide file tree
Showing 2 changed files with 35 additions and 7 deletions.
30 changes: 29 additions & 1 deletion src/lib/protocols/line.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -42,10 +42,38 @@ static void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct,

NDPI_LOG_DBG(ndpi_struct, "searching LineCall\n");

if(packet->iph && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_LINE)) {
/*
The heuristic below (coming from reverse engineering packet traces)
will apply only to IPv4 and Line IP addresses. This is to avoid puttin
false positives in other nDPI-decoded protocols.
*/

if ((packet->payload_packet_len == 110 &&
ndpi_struct->packet.payload[0] == 0xB6 && ndpi_struct->packet.payload[1] == 0x18 && ndpi_struct->packet.payload[2] == 0x00 && ndpi_struct->packet.payload[3] == 0x6A) ||
(packet->payload_packet_len >= 738 && (ndpi_struct->packet.payload[0] == 0xDA || ndpi_struct->packet.payload[0] == 0xDB) &&
ndpi_struct->packet.payload[4] == 0x06 && ndpi_struct->packet.payload[5] == 0x02) ||
(packet->payload_packet_len >= 150 && (ndpi_struct->packet.payload[0] == 0xD9 || ndpi_struct->packet.payload[0] == 0xD8) &&
((ndpi_struct->packet.payload[1] & 0xF0) == 0x90 || (ndpi_struct->packet.payload[1] & 0xF0) == 0xD0 || (ndpi_struct->packet.payload[1] & 0xF0) == 0xE0) && ndpi_struct->packet.payload[4] == 0x06 &&
ndpi_struct->packet.payload[5] == 0x02)) {
ndpi_int_line_add_connection(ndpi_struct, flow);
return;
}

if ((packet->payload_packet_len == 46 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6130006) ||
(packet->payload_packet_len == 8 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb6070004) ||
(packet->payload_packet_len == 16 && ntohl(get_u_int32_t(packet->payload, 0)) == 0xb609000c) ||
(ndpi_struct->packet.payload[0] == 0xD0 &&
(ndpi_struct->packet.payload[1] == 0xB3 || ndpi_struct->packet.payload[1] == 0xB4
|| ndpi_struct->packet.payload[1] == 0xDA || ndpi_struct->packet.payload[1] == 0xDB))) {
ndpi_int_line_add_connection(ndpi_struct, flow);
return;
}
}

/* Some "random" UDP packets before the standard RTP stream:
it seems that the 4th bytes of these packets is some kind of packet
number. Look for 4 packets per direction with consecutive numbers. */

if(packet->payload_packet_len > 10) {
if(flow->l4.udp.line_pkts[packet->packet_direction] == 0) {
flow->l4.udp.line_base_cnt[packet->packet_direction] = packet->payload[3];
Expand Down
12 changes: 6 additions & 6 deletions tests/cfgs/default/result/line.pcap.out
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
Guessed flow protos: 0

DPI Packets (TCP): 13 (6.50 pkts/flow)
DPI Packets (UDP): 40 (13.33 pkts/flow)
DPI Packets (UDP): 3 (1.00 pkts/flow)
Confidence DPI : 5 (flows)
Num dissector calls: 605 (121.00 diss/flow)
Num dissector calls: 308 (61.60 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/9/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
LRU cache stun: 0/0/0 (insert/search/found)
LRU cache tls_cert: 0/0/0 (insert/search/found)
Expand All @@ -30,8 +30,8 @@ JA3 Host Stats:
1 10.200.3.125 1


1 UDP 10.200.3.125:51161 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 23][cat: VoIP/10][55 pkts/14935 bytes <-> 66 pkts/16136 bytes][Goodput ratio: 85/83][8.68 sec][bytes ratio: -0.039 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 22/145 225/7269 38/970][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 272/244 895/584 229/209][Plen Bins: 2,28,23,15,1,0,0,0,0,0,1,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
1 UDP 10.200.3.125:51161 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][55 pkts/14935 bytes <-> 66 pkts/16136 bytes][Goodput ratio: 85/83][8.68 sec][bytes ratio: -0.039 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/1 22/145 225/7269 38/970][Pkt Len c2s/s2c min/avg/max/stddev: 72/72 272/244 895/584 229/209][Plen Bins: 2,28,23,15,1,0,0,0,0,0,1,0,0,0,0,0,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
2 TCP 10.200.3.125:57841 <-> 147.92.165.194:443 [proto: 91/TLS][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 5][cat: Web/5][31 pkts/6628 bytes <-> 41 pkts/4871 bytes][Goodput ratio: 75/51][85.95 sec][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1025/720 14545/14632 2971/2537][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 214/119 3192/388 546/101][Plen Bins: 0,50,10,15,0,5,2,0,5,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]
3 TCP 10.200.3.125:58160 <-> 147.92.242.232:443 [proto: 91.315/TLS.Line][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 8][cat: Chat/9][16 pkts/4057 bytes <-> 21 pkts/5423 bytes][Goodput ratio: 78/78][70.05 sec][Hostname/SNI: uts-front.line-apps.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1][bytes ratio: -0.144 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 5755/2607 29999/29999 11001/7538][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 254/258 627/1514 230/419][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: ca75ea4a95a9164cc96e372d7d075183][ServerNames: *.line-apps.com,line-apps.com][JA3S: 567bb420d39046dbfd1f68b558d86382][Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018][Subject: C=JP, ST=Tokyo-to, L=Shinjuku-ku, O=LINE Corporation, CN=*.line-apps.com][Certificate SHA-1: 3C:37:D7:AB:BE:E6:5A:A5:BE:14:62:C8:21:8C:BC:E3:3E:A8:3E:96][Firefox][Validity: 2020-08-17 06:21:02 - 2022-11-13 12:00:00][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 5,15,5,0,0,15,0,0,5,15,5,0,0,0,0,0,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]
4 UDP 10.0.2.15:50835 <-> 125.209.252.210:20610 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 9][cat: VoIP/10][28 pkts/5296 bytes <-> 22 pkts/3942 bytes][Goodput ratio: 78/77][1.93 sec][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/59 602/533 152/133][Pkt Len c2s/s2c min/avg/max/stddev: 72/78 189/179 914/782 220/158][Plen Bins: 2,58,4,0,4,8,2,6,6,2,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 10.200.3.125:51170 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 8][cat: VoIP/10][5 pkts/898 bytes <-> 5 pkts/1046 bytes][Goodput ratio: 77/80][8.07 sec][bytes ratio: -0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1999/1999 2009/2009 2038/2037 17/16][Pkt Len c2s/s2c min/avg/max/stddev: 174/198 180/209 202/254 11/22][Plen Bins: 0,0,0,0,80,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 UDP 10.0.2.15:50835 <-> 125.209.252.210:20610 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][28 pkts/5296 bytes <-> 22 pkts/3942 bytes][Goodput ratio: 78/77][1.93 sec][bytes ratio: 0.147 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 64/59 602/533 152/133][Pkt Len c2s/s2c min/avg/max/stddev: 72/78 189/179 914/782 220/158][Plen Bins: 2,58,4,0,4,8,2,6,6,2,0,2,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 10.200.3.125:51170 <-> 147.92.169.90:29070 [proto: 316/LineCall][IP: 315/Line][Encrypted][Confidence: DPI][DPI packets: 1][cat: VoIP/10][5 pkts/898 bytes <-> 5 pkts/1046 bytes][Goodput ratio: 77/80][8.07 sec][bytes ratio: -0.076 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1999/1999 2009/2009 2038/2037 17/16][Pkt Len c2s/s2c min/avg/max/stddev: 174/198 180/209 202/254 11/22][Plen Bins: 0,0,0,0,80,10,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]

0 comments on commit 66bee47

Please sign in to comment.