add support for vxlan decapsulation (ntop#1441)

mmaatuq · Mar 13, 2023 · 0cae394 · 0cae394
1 parent d398f23
commit 0cae394
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 18 deletions.
diff --git a/example/reader_util.c b/example/reader_util.c
@@ -1744,6 +1744,30 @@ int ndpi_is_datalink_supported(int datalink_type) {
     return 0;
   }
 }
+struct vxlan_packet_header {
+  u_int8_t flags[4]; /* the first byte is flags, other three are reserved */
+  u_int8_t vni[4];   /* the first three bytes are VNI, the last byte is reserved */
+};
+static bool ndpi_is_valid_vxlan(const struct pcap_pkthdr *header, const u_char *packet, u_int16_t ip_offset, u_int16_t ip_len){
+  if(header->caplen >= ip_offset + ip_len + sizeof(struct vxlan_packet_header)) {
+    u_int32_t vxlan_dst_port  = ntohs(4789);
+    u_int32_t expected_flags = 0x08; /* only one bit should be set in the first byte */
+    struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len];
+    u_int offset = ip_offset + ip_len + sizeof(struct ndpi_udphdr);
+    struct vxlan_packet_header *vxlan = (struct vxlan_packet_header *)&packet[offset];
+
+    if((udp->dest == vxlan_dst_port || udp->source == vxlan_dst_port) &&
+      (vxlan->flags[0] == expected_flags) && (vxlan->flags[1] == 0x0) &&
+      (vxlan->flags[2] == 0x0) && (vxlan->flags[3] == 0x0) &&
+      (vxlan->vni[3] == 0x0)) {
+      return true;
+    }
+  }
+  return false;
+}
+static int ndpi_skip_vxlan(u_int16_t ip_offset, u_int16_t ip_len){
+  return ip_offset + ip_len + sizeof(struct ndpi_udphdr) + sizeof(struct vxlan_packet_header);
+}
 
 /* ****************************************************** */
 
@@ -2243,6 +2267,10 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
 	    }
 	  }
 	}
+      }else if(ndpi_is_valid_vxlan(header, packet, ip_offset, ip_len)){
+	      tunnel_type = ndpi_vxlan_tunnel;
+        eth_offset = ndpi_skip_vxlan(ip_offset, ip_len);
+	      goto datalink_check;
       }
     }
   }

diff --git a/tests/result/vxlan.pcap.out b/tests/result/vxlan.pcap.out
@@ -1,8 +1,9 @@
 Guessed flow protos:	0
 
-DPI Packets (UDP):	9	(1.00 pkts/flow)
-Confidence DPI              : 9 (flows)
-Num dissector calls: 9 (1.00 diss/flow)
+DPI Packets (TCP):	12	(6.00 pkts/flow)
+DPI Packets (UDP):	6	(3.00 pkts/flow)
+Confidence DPI              : 4 (flows)
+Num dissector calls: 4 (1.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -11,23 +12,23 @@ LRU cache tls_cert:   0/0/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
 LRU cache stun_zoom:  0/0/0 (insert/search/found)
-Automa host:          0/0 (search/found)
-Automa domain:        0/0 (search/found)
+Automa host:          8/8 (search/found)
+Automa domain:        8/0 (search/found)
 Automa tls cert:      0/0 (search/found)
-Automa risk mask:     0/0 (search/found)
+Automa risk mask:     2/0 (search/found)
 Automa common alpns:  0/0 (search/found)
-Patricia risk mask:   18/0 (search/found)
+Patricia risk mask:   8/0 (search/found)
 Patricia risk:        0/0 (search/found)
-Patricia protocols:   18/0 (search/found)
+Patricia protocols:   4/4 (search/found)
 
-VXLAN	127	85322	9
+Facebook	127	85322	4
 
-	1	UDP 192.168.22.5:36286 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][56 pkts/71223 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/0 113/0 16/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 1272/0 1500/0 477/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (Ev0@ED)][Plen Bins: 0,0,10,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0]
-	2	UDP 192.168.22.5:60230 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][13 pkts/5656 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 34/0 233/0 70/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 435/0 1500/0 497/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,55,7,0,0,0,7,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
-	3	UDP 192.168.22.4:40646 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][35 pkts/4938 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/0 150/0 30/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 141/0 438/0 66/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (www.facebook.com)][Plen Bins: 0,0,91,0,2,0,0,2,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	4	UDP 192.168.22.4:49762 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][12 pkts/2011 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/0 81/0 25/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 168/0 434/0 92/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook.com)][Plen Bins: 0,0,67,8,8,0,0,8,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	5	UDP 192.168.22.5:50251 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/362 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][0.03 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	6	UDP 192.168.22.4:60230 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][3 pkts/324 bytes -> 0 pkts/0 bytes][Goodput ratio: 57/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	7	UDP 192.168.22.5:43866 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.03 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	8	UDP 192.168.22.4:60351 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/260 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	9	UDP 192.168.22.4:60887 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 10.10.20.4               	 1      
+
+
+	1	TCP 10.10.20.4:45228 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][35 pkts/4938 bytes <-> 56 pkts/71223 bytes][Goodput ratio: 15/91][0.34 sec][Hostname/SNI: www.facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.870 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/6 81/140 17/26][Pkt Len c2s/s2c min/avg/max/stddev: 120/120 141/1272 438/1500 66/477][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 0,0,1,0,0,5,0,0,0,1,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0,0,0]
+	2	TCP 10.10.20.4:45226 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][15 pkts/2335 bytes <-> 13 pkts/5656 bytes][Goodput ratio: 24/72][0.38 sec][Hostname/SNI: facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.416 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/15 224/113 62/35][Pkt Len c2s/s2c min/avg/max/stddev: 108/120 156/435 434/1500 86/497][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 20,0,10,0,0,20,0,0,0,10,0,0,0,0,10,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0]
+	3	UDP 10.10.20.4:32860 <-> 8.8.8.8:53 [VLAN: 5][proto: VXLAN:5.119/DNS.Facebook][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/260 bytes <-> 2 pkts/362 bytes][Goodput ratio: 26/47][0.07 sec][Hostname/SNI: www.facebook.com][157.240.224.35][PLAIN TEXT (facebook)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 10.10.20.4:44437 <-> 8.8.8.8:53 [VLAN: 5][proto: VXLAN:5.119/DNS.Facebook][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/252 bytes <-> 2 pkts/296 bytes][Goodput ratio: 24/35][0.07 sec][Hostname/SNI: facebook.com][157.240.224.35][PLAIN TEXT (facebook)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]