← Back to branch summary

~ubuntu-branches/ubuntu/wily/ntopng/wily-proposed

« back to all changes in this revision

Viewing changes to nDPI/src/lib/protocols/gnutella.c

  • Committer: Package Import Robot
  • Author(s): Ludovico Cavedon
  • Date: 2014-07-27 16:13:47 UTC
  • mfrom: (1.1.1)
  • Revision ID: package-import@ubuntu.com-20140727161347-0i8n5upu69ibq5d2
Tags: 1.2.0+dfsg1-1
* Imported Upstream version 1.2.0+dfsg1
* Update watch rule for new upstream naming convention.
* get-roig-source: Support both +svn and ~svn in version.
* Remove external hiredis from orig tarball.
* Remove Rickshaw from orig tarball.
* Remove documentation without source from orig tarball and insert an http
* Remove corrupted unused serializeCFJSON-0.1.js from orig tarball.
  link to it in README.Debian.
* Remove nDPI from orig tarball.
* Remove all debian/missing-sources files that are now included not-minified
  by upstream. Remove build-deps on node-uglify and cleancss.
* Remove references to third-party/redis-lua (removed upstream).
* Update copyright.
* Refresh patches and remove those merged upstream.
* Add external-hiredis.patch to use system libhiredis.
* Add rickshaw-keep-one.patch to remove references to additional rickshaw
  library.
* Add no-svn.patch to drop requirement on SVN.
* Add manpage.patch to fix usage of minus signs, hyphens, and dashes,
  missing space and line breaks.
* Add rickshaw.patch to use single rickshaw.{css,js} files.
* Split library removing part of build-flags.patch into remove-libs.patch.
* Rename debian-defaults.patch to path-defaults.patch and use installation
  path from configure.
* Use dh-autoreconf instead of autotools-dev.
* Add build-dep on libsqlite3-dev.
* Update build-dep on newer libndpi-dev.
* Cleanup of dh_install rules.
* Fix typo in font-awesome symlink path and remove and updates symlink links
  in ntopng-data/
* Remove executable bit to non executable files.
* Use system linjs-jquery tablesorter and form.
* Add Build-Dep on libhiredis-dev.
* Remove empty httpdocs/ssl directory.
* Add systemd support.
* Stop supporting ENABLED in /etc/default/ntopng and debian/NEWS to notify
  users.

Show diffs side-by-side

added added

removed removed

Lines of Context:
nDPI/src/lib/protocols/gnutella.c
1
 
/*
2
 
 * gnutella.c
3
 
 *
4
 
 * Copyright (C) 2009-2011 by ipoque GmbH
5
 
 * Copyright (C) 2011-13 - ntop.org
6
 
 *
7
 
 * This file is part of nDPI, an open source deep packet inspection
8
 
 * library based on the OpenDPI and PACE technology by ipoque GmbH
9
 
 *
10
 
 * nDPI is free software: you can redistribute it and/or modify
11
 
 * it under the terms of the GNU Lesser General Public License as published by
12
 
 * the Free Software Foundation, either version 3 of the License, or
13
 
 * (at your option) any later version.
14
 
 *
15
 
 * nDPI is distributed in the hope that it will be useful,
16
 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17
 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18
 
 * GNU Lesser General Public License for more details.
19
 
 *
20
 
 * You should have received a copy of the GNU Lesser General Public License
21
 
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
22
 
 * 
23
 
 */
24
 
 
25
 
 
26
 
/* include files */
27
 
 
28
 
#include "ndpi_protocols.h"
29
 
 
30
 
#ifdef NDPI_PROTOCOL_GNUTELLA
31
 
 
32
 
static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
33
 
                                             struct ndpi_flow_struct *flow,
34
 
                                             ndpi_protocol_type_t protocol_type)
35
 
{
36
 
 
37
 
  struct ndpi_packet_struct *packet = &flow->packet;
38
 
  struct ndpi_id_struct *src = flow->src;
39
 
  struct ndpi_id_struct *dst = flow->dst;
40
 
 
41
 
  ndpi_int_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, protocol_type);
42
 
 
43
 
  if (src != NULL) {
44
 
    src->gnutella_ts = packet->tick_timestamp;
45
 
    if (packet->udp != NULL) {
46
 
      if (!src->detected_gnutella_udp_port1) {
47
 
        src->detected_gnutella_udp_port1 = (packet->udp->source);
48
 
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
49
 
                          NDPI_LOG_DEBUG, "GNUTELLA UDP PORT1 DETECTED as %u\n",
50
 
                          src->detected_gnutella_udp_port1);
51
 
 
52
 
      } else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1)
53
 
                 && !src->detected_gnutella_udp_port2) {
54
 
        src->detected_gnutella_udp_port2 = (packet->udp->source);
55
 
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
56
 
                          NDPI_LOG_DEBUG, "GNUTELLA UDP PORT2 DETECTED as %u\n",
57
 
                          src->detected_gnutella_udp_port2);
58
 
 
59
 
      }
60
 
    }
61
 
  }
62
 
  if (dst != NULL) {
63
 
    dst->gnutella_ts = packet->tick_timestamp;
64
 
  }
65
 
}
66
 
 
67
 
void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
68
 
{
69
 
  struct ndpi_packet_struct *packet = &flow->packet;
70
 
        
71
 
  struct ndpi_id_struct *src = flow->src;
72
 
  struct ndpi_id_struct *dst = flow->dst;
73
 
 
74
 
  u_int16_t c;
75
 
  if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) {
76
 
    if (src != NULL && ((u_int32_t)
77
 
                        (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) {
78
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
79
 
                        NDPI_LOG_DEBUG, "gnutella : save src connection packet detected\n");
80
 
      src->gnutella_ts = packet->tick_timestamp;
81
 
    } else if (dst != NULL && ((u_int32_t)
82
 
                               (packet->tick_timestamp - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) {
83
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
84
 
                        NDPI_LOG_DEBUG, "gnutella : save dst connection packet detected\n");
85
 
      dst->gnutella_ts = packet->tick_timestamp;
86
 
    }
87
 
    if (src != NULL && (packet->tick_timestamp - src->gnutella_ts) > ndpi_struct->gnutella_timeout) {
88
 
      src->detected_gnutella_udp_port1 = 0;
89
 
      src->detected_gnutella_udp_port2 = 0;
90
 
    }
91
 
    if (dst != NULL && (packet->tick_timestamp - dst->gnutella_ts) > ndpi_struct->gnutella_timeout) {
92
 
      dst->detected_gnutella_udp_port1 = 0;
93
 
      dst->detected_gnutella_udp_port2 = 0;
94
 
    }
95
 
 
96
 
    return;
97
 
  }
98
 
 
99
 
  /* skip packets without payload */
100
 
  if (packet->payload_packet_len < 2) {
101
 
    return;
102
 
  }
103
 
  if (packet->tcp != NULL) {
104
 
    /* this case works asymmetrically */
105
 
    if (packet->payload_packet_len > 10 && memcmp(packet->payload, "GNUTELLA/", 9) == 0) {
106
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED\n");
107
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
108
 
      return;
109
 
    }
110
 
    /* this case works asymmetrically */
111
 
    if (packet->payload_packet_len > 17 && memcmp(packet->payload, "GNUTELLA CONNECT/", 17) == 0) {
112
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED\n");
113
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
114
 
      return;
115
 
    }
116
 
 
117
 
    if (packet->payload_packet_len > 50 && ((memcmp(packet->payload, "GET /get/", 9) == 0)
118
 
                                            || (memcmp(packet->payload, "GET /uri-res/", 13) == 0)
119
 
                                            )) {
120
 
      ndpi_parse_packet_line_info(ndpi_struct, flow);
121
 
      for (c = 0; c < packet->parsed_lines; c++) {
122
 
        if ((packet->line[c].len > 19 && memcmp(packet->line[c].ptr, "User-Agent: Gnutella", 20) == 0)
123
 
            || (packet->line[c].len > 10 && memcmp(packet->line[c].ptr, "X-Gnutella-", 11) == 0)
124
 
            || (packet->line[c].len > 7 && memcmp(packet->line[c].ptr, "X-Queue:", 8) == 0)
125
 
            || (packet->line[c].len > 36 && memcmp(packet->line[c].ptr,
126
 
                                                   "Content-Type: application/x-gnutella-", 37) == 0)) {
127
 
          NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "DETECTED GNUTELLA GET.\n");
128
 
          ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
129
 
          return;
130
 
        }
131
 
      }
132
 
    }
133
 
    if (packet->payload_packet_len > 50 && ((memcmp(packet->payload, "GET / HTTP", 9) == 0))) {
134
 
      ndpi_parse_packet_line_info(ndpi_struct, flow);
135
 
      if ((packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > 15
136
 
           && memcmp(packet->user_agent_line.ptr, "BearShare Lite ", 15) == 0)
137
 
          || (packet->accept_line.ptr != NULL && packet->accept_line.len > 24
138
 
              && memcmp(packet->accept_line.ptr, "application n/x-gnutella", 24) == 0)) {
139
 
        NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "DETECTED GNUTELLA GET.\n");
140
 
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
141
 
      }
142
 
 
143
 
    }
144
 
    /* haven't found this pattern in any trace. */
145
 
    if (packet->payload_packet_len > 50 && ((memcmp(packet->payload, "GET /get/", 9) == 0)
146
 
                                            || (memcmp(packet->payload, "GET /uri-res/", 13) == 0))) {
147
 
      c = 8;
148
 
      while (c < (packet->payload_packet_len - 9)) {
149
 
        if (packet->payload[c] == '?')
150
 
          break;
151
 
        c++;
152
 
      }
153
 
 
154
 
      if (c < (packet->payload_packet_len - 9) && memcmp(&packet->payload[c], "urn:sha1:", 9) == 0) {
155
 
        NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE,
156
 
                 "detected GET /get/ or GET /uri-res/.\n");
157
 
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
158
 
      }
159
 
 
160
 
    }
161
 
 
162
 
    /* answer to this packet is HTTP/1.1 ..... Content-Type: application/x-gnutella-packets,
163
 
     * it is searched in the upper paragraph. */
164
 
    if (packet->payload_packet_len > 30 && memcmp(packet->payload, "HEAD /gnutella/push-proxy?", 26) == 0) {
165
 
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected HEAD /gnutella/push-proxy?\n");
166
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
167
 
      return;
168
 
    }
169
 
    /* haven't found any trace with this pattern */
170
 
    if (packet->payload_packet_len == 46
171
 
        && memcmp(packet->payload, "\x50\x55\x53\x48\x20\x67\x75\x69\x64\x3a", 10) == 0) {
172
 
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE,
173
 
               "detected \x50\x55\x53\x48\x20\x67\x75\x69\x64\x3a\n");
174
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
175
 
      return;
176
 
    }
177
 
    /* haven't found any trace with this pattern */
178
 
    if (packet->payload_packet_len > 250 && memcmp(packet->payload, "GET /gnutella/", 14) == 0)
179
 
      //PATTERN IS :: GET /gnutella/tigertree/v3?urn:tree:tiger/:
180
 
      {
181
 
        const u_int16_t end = packet->payload_packet_len - 3;
182
 
 
183
 
        c = 13;
184
 
        while (c < end) {
185
 
          if ((memcmp(&packet->payload[14], "tigertree/", 10) == 0)
186
 
              || (end - c > 18 && memcmp(&packet->payload[c], "\r\nUser-Agent: Foxy", 18) == 0)
187
 
              || (end - c > 44
188
 
                  && memcmp(&packet->payload[c],
189
 
                            "\r\nAccept: application/tigertree-breadthfirst",
190
 
                            44) == 0) || (end - c > 10 && memcmp(&packet->payload[c], "\r\nX-Queue:", 10) == 0)
191
 
              || (end - c > 13 && memcmp(&packet->payload[c], "\r\nX-Features:", 13) == 0)) {
192
 
 
193
 
            NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA,
194
 
                              ndpi_struct, NDPI_LOG_TRACE, "FOXY :: GNUTELLA GET 2 DETECTED\n");
195
 
            ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
196
 
            return;
197
 
          }
198
 
 
199
 
          c++;
200
 
        }
201
 
      }
202
 
    /* haven't found any trace with this pattern */
203
 
    if (packet->payload_packet_len > 1 && packet->payload[packet->payload_packet_len - 1] == 0x0a
204
 
        && packet->payload[packet->payload_packet_len - 2] == 0x0a) {
205
 
      if (packet->payload_packet_len > 3 && memcmp(packet->payload, "GIV", 3) == 0) {
206
 
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "MORPHEUS GIV DETECTED\n");
207
 
        /* Not Excludeing the flow now.. We shall Check the next Packet too for Gnutella Patterns */
208
 
        return;
209
 
      }
210
 
    }
211
 
    /* might be super tricky new ssl gnutella transmission, but the certificate is strange... */
212
 
    if (packet->payload_packet_len == 46 && get_u_int32_t(packet->payload, 0) == htonl(0x802c0103) &&
213
 
        get_u_int32_t(packet->payload, 4) == htonl(0x01000300) && get_u_int32_t(packet->payload, 8) == htonl(0x00002000) &&
214
 
        get_u_int16_t(packet->payload, 12) == htons(0x0034)) {
215
 
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella len == 46.\n");
216
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
217
 
      return;
218
 
    }
219
 
    if (packet->payload_packet_len == 49 &&
220
 
        memcmp(packet->payload, "\x80\x2f\x01\x03\x01\x00\x06\x00\x00\x00\x20\x00\x00\x34\x00\x00\xff\x4d\x6c",
221
 
               19) == 0) {
222
 
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella len == 49.\n");
223
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
224
 
      return;
225
 
    }
226
 
    if (packet->payload_packet_len == 89 && memcmp(&packet->payload[43], "\x20\x4d\x6c", 3) == 0 &&
227
 
        memcmp(packet->payload, "\x16\x03\x01\x00\x54\x01\x00\x00\x50\x03\x01\x4d\x6c", 13) == 0 &&
228
 
        memcmp(&packet->payload[76], "\x00\x02\x00\x34\x01\x00\x00\x05", 8) == 0) {
229
 
      NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE,
230
 
               "detected gnutella asymmetrically len == 388.\n");
231
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
232
 
      return;
233
 
    } else if (packet->payload_packet_len == 82) {
234
 
      if (get_u_int32_t(packet->payload, 0) == htonl(0x16030100)
235
 
          && get_u_int32_t(packet->payload, 4) == htonl(0x4d010000)
236
 
          && get_u_int16_t(packet->payload, 8) == htons(0x4903)
237
 
          && get_u_int16_t(packet->payload, 76) == htons(0x0002)
238
 
          && get_u_int32_t(packet->payload, 78) == htonl(0x00340100)) {
239
 
        NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected len == 82.\n");
240
 
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
241
 
        return;
242
 
      }
243
 
    }
244
 
  } else if (packet->udp != NULL) {
245
 
    if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 ||
246
 
                        packet->udp->source == src->detected_gnutella_udp_port2) &&
247
 
        (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout) {
248
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "port based detection\n\n");
249
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_CORRELATED_PROTOCOL);
250
 
    }
251
 
    /* observations:
252
 
     * all the following patterns send out many packets which are the only ones of their flows,
253
 
     * often on the very beginning of the traces, or flows with many packets in one direction only.
254
 
     * but then suddenly, one gets an answer as you can see in netpeker-gnutella-rpc.pcap packet 11483.
255
 
     * Maybe gnutella tries to send out keys?
256
 
     */
257
 
    if (packet->payload_packet_len == 23 && packet->payload[15] == 0x00
258
 
        && packet->payload[16] == 0x41 && packet->payload[17] == 0x01
259
 
        && packet->payload[18] == 0x00 && packet->payload[19] == 0x00
260
 
        && packet->payload[20] == 0x00 && packet->payload[21] == 0x00 && packet->payload[22] == 0x00) {
261
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
262
 
                        "detected gnutella udp, len = 23.\n");
263
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
264
 
 
265
 
      return;
266
 
    }
267
 
    if (packet->payload_packet_len == 35 && packet->payload[25] == 0x49
268
 
        && packet->payload[26] == 0x50 && packet->payload[27] == 0x40
269
 
        && packet->payload[28] == 0x83 && packet->payload[29] == 0x53
270
 
        && packet->payload[30] == 0x43 && packet->payload[31] == 0x50 && packet->payload[32] == 0x41) {
271
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
272
 
                        "detected gnutella udp, len = 35.\n");
273
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
274
 
      return;
275
 
    }
276
 
    if (packet->payload_packet_len == 32
277
 
        && (memcmp(&packet->payload[16], "\x31\x01\x00\x09\x00\x00\x00\x4c\x49\x4d\x45", 11) == 0)) {
278
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
279
 
                        "detected gnutella udp, len = 32.\n");
280
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
281
 
      return;
282
 
    }
283
 
    if (packet->payload_packet_len == 34 && (memcmp(&packet->payload[25], "SCP@", 4) == 0)
284
 
        && (memcmp(&packet->payload[30], "DNA@", 4) == 0)) {
285
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
286
 
                        "detected gnutella udp, len = 34.\n");
287
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
288
 
      return;
289
 
    }
290
 
    if ((packet->payload_packet_len == 73 || packet->payload_packet_len == 96)
291
 
        && memcmp(&packet->payload[32], "urn:sha1:", 9) == 0) {
292
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
293
 
                        "detected gnutella udp, len = 73,96.\n");
294
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
295
 
      return;
296
 
    }
297
 
 
298
 
    if (memcmp(packet->payload, "GND", 3) == 0) {
299
 
      if ((packet->payload_packet_len == 8 && (memcmp(&packet->payload[6], "\x01\x00", 2) == 0))
300
 
          || (packet->payload_packet_len == 11 && (memcmp(&packet->payload[6], "\x01\x01\x08\x50\x49", 5)
301
 
                                                   == 0)) || (packet->payload_packet_len == 17
302
 
                                                              &&
303
 
                                                              (memcmp
304
 
                                                               (&packet->payload[6], "\x01\x01\x4c\x05\x50",
305
 
                                                                5) == 0))
306
 
          || (packet->payload_packet_len == 28
307
 
              && (memcmp(&packet->payload[6], "\x01\x01\x54\x0f\x51\x4b\x52\x50\x06\x52", 10) == 0))
308
 
          || (packet->payload_packet_len == 41
309
 
              && (memcmp(&packet->payload[6], "\x01\x01\x5c\x1b\x50\x55\x53\x48\x48\x10", 10) == 0))
310
 
          || (packet->payload_packet_len > 200 && packet->payload_packet_len < 300 && packet->payload[3] == 0x03)
311
 
          || (packet->payload_packet_len > 300 && (packet->payload[3] == 0x01 || packet->payload[3] == 0x03))) {
312
 
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
313
 
                          "detected gnutella udp, GND.\n");
314
 
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
315
 
        return;
316
 
      }
317
 
    }
318
 
 
319
 
    if ((packet->payload_packet_len == 32)
320
 
        && memcmp(&packet->payload[16], "\x31\x01\x00\x09\x00\x00\x00", 7) == 0) {
321
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
322
 
                        "detected gnutella udp, len = 32 ii.\n");
323
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
324
 
      return;
325
 
    }
326
 
    if ((packet->payload_packet_len == 23)
327
 
        && memcmp(&packet->payload[16], "\x00\x01\x00\x00\x00\x00\x00", 7) == 0) {
328
 
      NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG,
329
 
                        "detected gnutella udp, len = 23 ii.\n");
330
 
      ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
331
 
      return;
332
 
    }
333
 
  }
334
 
  //neonet detection follows
335
 
 
336
 
  /* haven't found any trace with this pattern */
337
 
  if (packet->tcp != NULL && ntohs(packet->tcp->source) >= 1024 && ntohs(packet->tcp->dest) >= 1024) {
338
 
    if (flow->l4.tcp.gnutella_stage == 0) {
339
 
      if (flow->packet_counter == 1
340
 
          && (packet->payload_packet_len == 11
341
 
              || packet->payload_packet_len == 33 || packet->payload_packet_len == 37)) {
342
 
        flow->l4.tcp.gnutella_msg_id[0] = packet->payload[4];
343
 
        flow->l4.tcp.gnutella_msg_id[1] = packet->payload[6];
344
 
        flow->l4.tcp.gnutella_msg_id[2] = packet->payload[8];
345
 
        flow->l4.tcp.gnutella_stage = 1 + packet->packet_direction;
346
 
        return;
347
 
      }
348
 
    } else if (flow->l4.tcp.gnutella_stage == 1 + packet->packet_direction) {
349
 
      if (flow->packet_counter == 2 && (packet->payload_packet_len == 33 || packet->payload_packet_len == 22)
350
 
          && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0]
351
 
          && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2]
352
 
          && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]
353
 
          && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) {
354
 
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
355
 
                          NDPI_LOG_TRACE, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n");
356
 
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
357
 
        return;
358
 
      }
359
 
    } else if (flow->l4.tcp.gnutella_stage == 2 - packet->packet_direction) {
360
 
      if (flow->packet_counter == 2 && (packet->payload_packet_len == 10 || packet->payload_packet_len == 75)
361
 
          && flow->l4.tcp.gnutella_msg_id[0] == packet->payload[0]
362
 
          && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2]
363
 
          && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4]
364
 
          && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) {
365
 
        NDPI_LOG_GNUTELLA(NDPI_PROTOCOL_GNUTELLA, ndpi_struct,
366
 
                          NDPI_LOG_TRACE, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n");
367
 
        ndpi_int_gnutella_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL);
368
 
        return;
369
 
      }
370
 
    }
371
 
  }
372
 
 
373
 
  NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GNUTELLA);
374
 
}
375
 
#endif