【智能路由器】ndpi深度报文分析之协议分析器
2016-09-20 10:15
211 查看
【智能路由器】系列文章连接
http://blog.csdn.net/u012819339/article/category/5803489
本篇博客讲述ndpi已经实现的QQ协议分析器的实现 以及 编写一个微信协议分析器的框架要点。
关于ndpi源码的叙述在上篇博客已有提及,点击这里(或者查看链接http://blog.csdn.net/u012819339/article/details/52443705)
协议分析器格式
协议分析器的初始化函数,初始化函数中调用
一个回调函数,用来处理数据包,这个函数就是初始化中注册的函数,这个函数将细分情况,然后交给实际的分析函数,这里分别是
协议分析器的框架就到此为止,然后将初始化函数添加到ndpi_main.c文件的
宏定义
协议分析器的结构框架大概如此了
看一下qq的udp报文是怎么探测的,在下面这个函数中
该函数有点长,不过基本都是属于探测OICQ协议的报头,oicq协议是qq用于即时通信的协议,数据流经8000端口,具体oicq协议头的解释可参看arvik的另一篇博客http://blog.csdn.net/u012819339/article/details/50374252
得到payload头指针后起始可以直接强制指针类型转换成 oicqhdr *,就比较方便啦
tcp检测就不叙述了,总之都是先抓包分析QQ报文头的结构特征,然后拿到协议分析器中做匹配。
这里主要是弄清微信协议的格式,这需要自己抓包分析,arvik已经做好了一部分微信抓包分析的过程,见我的博客微信数据包(链接地址http://blog.csdn.net/u012819339/article/details/52588288),微信客户端有很多模块,比如发红包,漂流瓶,摇一摇,传图片,发语音,发短视频等等,每个模块都可能会有一种协议格式,arvik并没有完全对这些模块进行分析,需要开发者自行抓包。
好了,本文到此结束,作者arvik。
【智能路由器】系列文章连接
http://blog.csdn.net/u012819339/article/category/5803489
http://blog.csdn.net/u012819339/article/category/5803489
本篇博客讲述ndpi已经实现的QQ协议分析器的实现 以及 编写一个微信协议分析器的框架要点。
关于ndpi源码的叙述在上篇博客已有提及,点击这里(或者查看链接http://blog.csdn.net/u012819339/article/details/52443705)
ndpi协议分析器结构框架
每个协议分析器都必须定义一个独有的id,例如:/*ndpi_protocol_ids.h*/ #define NDPI_PROTOCOL_QQ 48
协议分析器格式
#include "ndpi_utils.h" #ifdef NDPI_PROTOCOL_QQ ..... #endif
协议分析器的初始化函数,初始化函数中调用
ndpi_set_bitmask_protocol_detection来输入自己的注册信息,以及处理数据包的类型
void init_qq_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("QQ", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_QQ, ndpi_search_qq, NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD, SAVE_DETECTION_BITMASK_AS_UNKNOWN, ADD_TO_DETECTION_BITMASK); *id += 1; }
一个回调函数,用来处理数据包,这个函数就是初始化中注册的函数,这个函数将细分情况,然后交给实际的分析函数,这里分别是
ndpi_search_qq_udp和
ndpi_search_qq_tcp。虽然也可以直接在这里分析处理,但这样会显得层次结构不清晰
void ndpi_search_qq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; if (packet->udp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ) ndpi_search_qq_udp(ndpi_struct, flow); if (packet->tcp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ) ndpi_search_qq_tcp(ndpi_struct, flow); }
协议分析器的框架就到此为止,然后将初始化函数添加到ndpi_main.c文件的
ndpi_init_protocol_defaults函数中,像这样:
static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndpi_mod) { int i; ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO }, custom_master[2]; /* Reset all settings */ memset(ndpi_mod->proto_defaults, 0, sizeof(ndpi_mod->proto_defaults)); //...... ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_QQ, no_master, no_master, "QQ", ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); //...... }
宏定义
NDPI_PROTOCOL_LONG_STRING和
NDPI_PROTOCOL_SHORT_STRING中添加协议名称字符串。
协议分析器的结构框架大概如此了
ndpi协议分析中QQ协议分析器的代码概要
根据packet是tcp还是udp将探测过程被分为两中情况:void ndpi_search_qq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; if (packet->udp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ) ndpi_search_qq_udp(ndpi_struct, flow); if (packet->tcp != NULL && flow->detected_protocol_stack[0] != NDPI_PROTOCOL_QQ) ndpi_search_qq_tcp(ndpi_struct, flow); }
看一下qq的udp报文是怎么探测的,在下面这个函数中
static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; static const u_int16_t p8000_patt_02[13] = // maybe version numbers { 0x1549, 0x1801, 0x180d, 0x0961, 0x01501, 0x0e35, 0x113f, 0x0b37, 0x1131, 0x163a, 0x1e0d, 0x3619,}; u_int16_t no_of_patterns = 12, index = 0; NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "search qq udp.\n"); if (flow->qq_stage <= 3) { if ((packet->payload_packet_len == 27 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0300 && packet->payload[2] == 0x01) || (packet->payload_packet_len == 84 && ((ntohs(get_u_int16_t(packet->payload, 0)) == 0x000e && packet->payload[2] == 0x35) || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0015 && packet->payload[2] == 0x01) || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x000b && packet->payload[2] == 0x37) || (ntohs(get_u_int16_t(packet->payload, 0)) == 0x0015 && packet->payload[2] == 0x49))) || (packet->payload_packet_len > 10 && ((get_u_int16_t(packet->payload, 0) == htons(0x000b) && packet->payload[2] == 0x37) || (get_u_int32_t(packet->payload, 0) == htonl(0x04163a00) && packet->payload[packet->payload_packet_len - 1] == 0x03 && packet->payload[4] == packet->payload_packet_len)))) { /* if (flow->qq_stage == 3 && flow->detected_protocol == NDPI_PROTOCOL_QQ) { if (flow->packet_direction_counter[0] > 0 && flow->packet_direction_counter[1] > 0) { flow->protocol_subtype = NDPI_PROTOCOL_QQ_SUBTYPE_AUDIO; return; } else if (flow->packet_counter < 10) { return; } } */ flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 030001 or 000e35 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x02 || packet->payload[0] == 0x04)) { u_int16_t pat = ntohs(get_u_int16_t(packet->payload, 1)); for (index = 0; index < no_of_patterns; index++) { if (pat == p8000_patt_02[index] && packet->payload[packet->payload_packet_len - 1] == 0x03) { flow->qq_stage++; // maybe we can test here packet->payload[4] == packet->payload_packet_len if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 02 ... 03 four times.\n"); /* if (packet->payload[0] == 0x04) { ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } */ ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } } } if (packet->payload_packet_len == 84 && (packet->payload[0] == 0 || packet->payload[0] == 0x03)) { u_int16_t pat = ntohs(get_u_int16_t(packet->payload, 1)); for (index = 0; index < no_of_patterns; index++) { if (pat == p8000_patt_02[index]) { flow->qq_stage++; /* if (flow->qq_stage == 3 && flow->packet_direction_counter[0] > 0 && flow->packet_direction_counter[1] > 0) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } else */ if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } } } if (packet->payload_packet_len > 2 && packet->payload[0] == 0x04 && ((ntohs(get_u_int16_t(packet->payload, 1)) == 0x1549 || ntohs(get_u_int16_t(packet->payload, 1)) == 0x1801 || ntohs(get_u_int16_t(packet->payload, 1)) == 0x0961) || (packet->payload_packet_len > 16 && (ntohs(get_u_int16_t(packet->payload, 1)) == 0x180d || ntohs(get_u_int16_t(packet->payload, 1)) == 0x096d) && ntohl(get_u_int32_t(packet->payload, 12)) == 0x28000000 && ntohs(get_u_int16_t(packet->payload, 3)) == packet->payload_packet_len)) && packet->payload[packet->payload_packet_len - 1] == 0x03) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 04 1159 ... 03 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x06 || packet->payload[0] == 0x02) && ntohs(get_u_int16_t(packet->payload, 1)) == 0x0100 && (packet->payload[packet->payload_packet_len - 1] == 0x00 || packet->payload[packet->payload_packet_len - 1] == 0x03)) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 02/06 0100 ... 03/00 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } if (packet->payload_packet_len > 2 && (packet->payload[0] == 0x02) && ntohs(get_u_int16_t(packet->payload, 1)) == 0x1131 && packet->payload[packet->payload_packet_len - 1] == 0x03) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 02 1131 ... 03 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } if (packet->payload_packet_len > 5 && get_u_int16_t(packet->payload, 0) == htons(0x0203) && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len && get_u_int16_t(packet->payload, 4) == htons(0x0b0b)) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 0203[packet_length_0b0b] three times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } if (packet->udp->dest == htons(9000) || packet->udp->source == htons(9000)) { if (packet->payload_packet_len > 3 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0202 && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 02 02 <length> four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } } } if (ndpi_is_valid_qq_packet(packet)) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over udp.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq packet stage %d\n", flow->qq_stage); return; } if (ndpi_is_valid_qq_ft_packet(packet)) { flow->qq_stage++; if (flow->qq_stage == 3) { NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq ft over udp.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } return; } if (flow->qq_stage && flow->packet_counter <= 5) { return; } NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "QQ excluded\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QQ); }
该函数有点长,不过基本都是属于探测OICQ协议的报头,oicq协议是qq用于即时通信的协议,数据流经8000端口,具体oicq协议头的解释可参看arvik的另一篇博客http://blog.csdn.net/u012819339/article/details/50374252
得到payload头指针后起始可以直接强制指针类型转换成 oicqhdr *,就比较方便啦
typedef struct _oicqhdr { uint8_t flag; uint16_t ver; uint16_t command; uint16_t sequence; uint32_t qq; } __attribute__((packed)) oicqhdr;
tcp检测就不叙述了,总之都是先抓包分析QQ报文头的结构特征,然后拿到协议分析器中做匹配。
ndpi协议分析中编写一个微信协议分析器的方法指导
协议分析器框架见上文所述,可以参照QQ协议分析器依葫芦画瓢,这里主要是弄清微信协议的格式,这需要自己抓包分析,arvik已经做好了一部分微信抓包分析的过程,见我的博客微信数据包(链接地址http://blog.csdn.net/u012819339/article/details/52588288),微信客户端有很多模块,比如发红包,漂流瓶,摇一摇,传图片,发语音,发短视频等等,每个模块都可能会有一种协议格式,arvik并没有完全对这些模块进行分析,需要开发者自行抓包。
好了,本文到此结束,作者arvik。
【智能路由器】系列文章连接
http://blog.csdn.net/u012819339/article/category/5803489
相关文章推荐
- 【智能路由器】ndpi深度报文分析源码框架
- 基于DPI(深度报文解析)的应用识别2------实际分析
- 基于DPI(深度报文解析)的应用识别2------实际分析
- 深度分析QCN(Congestion Notification)报文格式
- 基于DPI(深度报文解析)的应用识别2------实际分析
- SharpMap深度分析:地图数据Provider
- Java中对HashMap的深度分析与比较
- SharpMap深度分析:地图渲染、坐标和比例尺
- Java中对HashMap的深度分析与比较
- 深度分析:Linux的反扑野心
- Java中对HashMap的深度分析
- [转]Memcached深度分析
- Castle ActiveRecord学习实践(10):深度分析Schema Pitfals
- Java中对HashMap的深度分析
- ServletContext与ServletConfig的深度分析
- Java Collections--HashMap深度分析与比较
- hashMap深度分析
- 神州数码私有报文分析完毕,庆祝一下[神州数码认证客户端破解]
- Java中对HashMap的深度分析
- Java中对HashMap的深度分析与比较Java中对HashMap的深度分析与比较