Add support for vxlan decapsulation (#1441) #1900

Merged
merged 5 commits into from
Mar 22, 2023
Changes from 4 commits
27 changes: 27 additions & 0 deletions example/reader_util.c
Expand Up @@ -1745,6 +1745,29 @@ int ndpi_is_datalink_supported(int datalink_type) {
}
}

static bool ndpi_is_valid_vxlan(const struct pcap_pkthdr *header, const u_char *packet, u_int16_t ip_offset, u_int16_t ip_len){
if(header->caplen >= ip_offset + ip_len + sizeof(struct ndpi_vxlanhdr)) {
u_int32_t vxlan_dst_port = ntohs(4789);
u_int32_t expected_flags = 0x08; /* only one bit should be set in the first byte */
struct ndpi_udphdr *udp = (struct ndpi_udphdr *)&packet[ip_offset+ip_len];
u_int offset = ip_offset + ip_len + sizeof(struct ndpi_udphdr);
struct ndpi_vxlanhdr *vxlan = (struct ndpi_vxlanhdr *)&packet[offset];

if((udp->dest == vxlan_dst_port || udp->source == vxlan_dst_port) &&
((vxlan->flags & 0xFF) == expected_flags) &&
(((vxlan->flags >> 8) & 0xFF) == 0x0) &&
((vxlan->groupPolicy & 0xFFFF) == 0x0) &&
(((vxlan->vni >> 24) & 0xFF) == 0x0)) {
return true;
}
}
return false;
}

static inline u_int ndpi_skip_vxlan(u_int16_t ip_offset, u_int16_t ip_len){
return ip_offset + ip_len + sizeof(struct ndpi_udphdr) + sizeof(struct ndpi_vxlanhdr);
}

/* ****************************************************** */

struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
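
Review bot: the length check in ndpi_is_valid_vxlan leaves out the UDP header. The test is `header->caplen >= ip_offset + ip_len + sizeof(struct ndpi_vxlanhdr)`, but the VXLAN header is then read at `ip_offset + ip_len + sizeof(struct ndpi_udphdr)`, so on a capture truncated shortly after the UDP header the reads of `vxlan->flags`, `vxlan->groupPolicy` and `vxlan->vni` can run up to sizeof(struct ndpi_udphdr) bytes past caplen. Add sizeof(struct ndpi_udphdr) to the right-hand side; ndpi_skip_vxlan already computes exactly that sum, so the check could reuse it. Smaller points: `ntohs(4789)` is building a network-order constant and would read more clearly as htons, and vxlan_dst_port can be a 16-bit type since it only ever holds a port number.
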
Expand Down Expand Up @@ -2243,6 +2266,10 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
}
}
}
}else if(ndpi_is_valid_vxlan(header, packet, ip_offset, ip_len)){
tunnel_type = ndpi_vxlan_tunnel;
eth_offset = ndpi_skip_vxlan(ip_offset, ip_len);
goto datalink_check;
}
}
}
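
Review bot: in the new `else if` branch, eth_offset is set from ndpi_skip_vxlan and control jumps to datalink_check, but ndpi_is_valid_vxlan only compares caplen with the end of the outer headers, so nothing in this hunk shows that the capture actually contains an inner Ethernet header at eth_offset. Please confirm that the code at datalink_check validates eth_offset against header->caplen before dereferencing, or add that check here. Because the jump re-enters the same parsing path, a VXLAN-in-VXLAN packet will take this branch again on each pass; a short comment stating that this is intended and that it is bounded by the caplen check would help the next reader.
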
37 changes: 19 additions & 18 deletions tests/result/vxlan.pcap.out
@@ -1,8 +1,9 @@
Guessed flow protos: 0

DPI Packets (UDP): 9 (1.00 pkts/flow)
Confidence DPI : 9 (flows)
Num dissector calls: 9 (1.00 diss/flow)
DPI Packets (TCP): 12 (6.00 pkts/flow)
DPI Packets (UDP): 6 (3.00 pkts/flow)
Confidence DPI : 4 (flows)
Num dissector calls: 4 (1.00 diss/flow)
LRU cache ookla: 0/0/0 (insert/search/found)
LRU cache bittorrent: 0/0/0 (insert/search/found)
LRU cache zoom: 0/0/0 (insert/search/found)
Expand All @@ -11,23 +12,23 @@ LRU cache tls_cert: 0/0/0 (insert/search/found)
LRU cache mining: 0/0/0 (insert/search/found)
LRU cache msteams: 0/0/0 (insert/search/found)
LRU cache stun_zoom: 0/0/0 (insert/search/found)
Automa host: 0/0 (search/found)
Automa domain: 0/0 (search/found)
Automa host: 8/8 (search/found)
Automa domain: 8/0 (search/found)
Automa tls cert: 0/0 (search/found)
Automa risk mask: 0/0 (search/found)
Automa risk mask: 2/0 (search/found)
Automa common alpns: 0/0 (search/found)
Patricia risk mask: 18/0 (search/found)
Patricia risk mask: 8/0 (search/found)
Patricia risk: 0/0 (search/found)
Patricia protocols: 18/0 (search/found)
Patricia protocols: 4/4 (search/found)

VXLAN 127 85322 9
Facebook 127 85322 4

1 UDP 192.168.22.5:36286 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][56 pkts/71223 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/0 113/0 16/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 1272/0 1500/0 477/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (Ev0@ED)][Plen Bins: 0,0,10,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0]
2 UDP 192.168.22.5:60230 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][13 pkts/5656 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 34/0 233/0 70/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 435/0 1500/0 497/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,0,55,7,0,0,0,7,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
3 UDP 192.168.22.4:40646 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][35 pkts/4938 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/0 150/0 30/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 141/0 438/0 66/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (www.facebook.com)][Plen Bins: 0,0,91,0,2,0,0,2,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 UDP 192.168.22.4:49762 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][12 pkts/2011 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/0 81/0 25/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 168/0 434/0 92/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook.com)][Plen Bins: 0,0,67,8,8,0,0,8,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
5 UDP 192.168.22.5:50251 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/362 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][0.03 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
6 UDP 192.168.22.4:60230 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][3 pkts/324 bytes -> 0 pkts/0 bytes][Goodput ratio: 57/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
7 UDP 192.168.22.5:43866 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.03 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
8 UDP 192.168.22.4:60351 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/260 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
9 UDP 192.168.22.4:60887 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][2 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][< 1 sec][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][PLAIN TEXT (facebook)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
JA3 Host Stats:
IP Address # JA3C
1 10.10.20.4 1


1 TCP 10.10.20.4:45228 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][35 pkts/4938 bytes <-> 56 pkts/71223 bytes][Goodput ratio: 15/91][0.34 sec][Hostname/SNI: www.facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.870 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 7/6 81/140 17/26][Pkt Len c2s/s2c min/avg/max/stddev: 120/120 141/1272 438/1500 66/477][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 0,0,1,0,0,5,0,0,0,1,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,87,0,0,0,0]
2 TCP 10.10.20.4:45226 <-> 157.240.224.35:443 [VLAN: 5][proto: VXLAN:91.119/TLS.Facebook][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 6][cat: SocialNetwork/6][15 pkts/2335 bytes <-> 13 pkts/5656 bytes][Goodput ratio: 24/72][0.38 sec][Hostname/SNI: facebook.com][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.416 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 32/15 224/113 62/35][Pkt Len c2s/s2c min/avg/max/stddev: 108/120 156/435 434/1500 86/497][Risk: ** TLS (probably) Not Carrying HTTPS **** Malicious JA3 Fingerp. **][Risk Score: 60][Risk Info: 40adfd923eb82b89d8836ba37a19bca1 / No ALPN][TLSv1.3][JA3C: 40adfd923eb82b89d8836ba37a19bca1][JA3S: 475c9302dc42b2751db9edcac3b74891][Firefox][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 20,0,10,0,0,20,0,0,0,10,0,0,0,0,10,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0]
3 UDP 10.10.20.4:32860 <-> 8.8.8.8:53 [VLAN: 5][proto: VXLAN:5.119/DNS.Facebook][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/260 bytes <-> 2 pkts/362 bytes][Goodput ratio: 26/47][0.07 sec][Hostname/SNI: www.facebook.com][157.240.224.35][PLAIN TEXT (facebook)][Plen Bins: 0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
4 UDP 10.10.20.4:44437 <-> 8.8.8.8:53 [VLAN: 5][proto: VXLAN:5.119/DNS.Facebook][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 3][cat: Network/14][2 pkts/252 bytes <-> 2 pkts/296 bytes][Goodput ratio: 24/35][0.07 sec][Hostname/SNI: facebook.com][157.240.224.35][PLAIN TEXT (facebook)][Plen Bins: 50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
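
Review bot: the updated expected output only exercises the accept path. All nine outer VXLAN flows are replaced by four decapsulated flows (`VXLAN:91.119/TLS.Facebook`, `VXLAN:5.119/DNS.Facebook`), so nothing here covers a port 4789 packet that ndpi_is_valid_vxlan rejects, or a capture cut short inside the VXLAN header. Consider adding a small truncated or malformed capture next to vxlan.pcap so the reject path and the length check are both covered. The inner flows also still report `[VLAN: 5]`, which is the tag the outer flows carried; worth confirming that attributing the outer VLAN id to the inner flow is intended.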