Implemented nDPI TCP fingerprint

Author: lucaderi

example/ndpiReader.c

@@ -2056,6 +2056,9 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 	fprintf(out, "[Risk Info: %s]", flow->risk_str);
     }
 
+    if(flow->tcp_fingerprint)
+      fprintf(out, "[TCP Fingerprint: %s]", flow->tcp_fingerprint);
+    
     if(flow->ssh_tls.ssl_version != 0) fprintf(out, "[%s]", ndpi_ssl_version2str(buf_ver, sizeof(buf_ver),
 										 flow->ssh_tls.ssl_version, &known_tls));
 

example/reader_util.c

@@ -609,8 +609,9 @@ void ndpi_flow_info_free_data(struct ndpi_flow_info *flow) {
   ndpi_free_bin(&flow->payload_len_bin);
 #endif
 
-  if(flow->risk_str)     ndpi_free(flow->risk_str);
-  if(flow->flow_payload) ndpi_free(flow->flow_payload);
+  if(flow->tcp_fingerprint) ndpi_free(flow->tcp_fingerprint);
+  if(flow->risk_str)        ndpi_free(flow->risk_str);
+  if(flow->flow_payload)    ndpi_free(flow->flow_payload);
 }
 
 /* ***************************************************** */
@@ -623,7 +624,7 @@ void ndpi_workflow_free(struct ndpi_workflow * workflow) {
 
   if(addr_dump_path != NULL)
     ndpi_cache_address_dump(workflow->ndpi_struct, addr_dump_path, 0);
-  
+
   ndpi_exit_detection_module(workflow->ndpi_struct);
   ndpi_free(workflow->ndpi_flows_root);
   ndpi_free(workflow);
@@ -1131,7 +1132,7 @@ static void dump_flow_fingerprint(struct ndpi_workflow * workflow,
 
     if(flow->server_hostname)
       ndpi_serialize_string_string(&serializer, "server_hostname", flow->server_hostname);
-    
+
     buffer = ndpi_serializer_get_buffer(&serializer, &buffer_len);
     fprintf(fingerprint_fp, "%s\n", buffer);
   }
@@ -1408,24 +1409,24 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
       /* For consistency across platforms replace :0: with :: */
       ndpi_patchIPv6Address(flow->info);
     }
-    
+
     if(flow->ndpi_flow->protos.dns.geolocation_iata_code[0] != '\0')
       strcpy(flow->dns.geolocation_iata_code, flow->ndpi_flow->protos.dns.geolocation_iata_code);
 
     if(0) {
       u_int8_t i;
-      
+
       for(i=0; i<flow->ndpi_flow->protos.dns.num_rsp_addr; i++) {
 	char buf[64];
-	
+
 	if(flow->ndpi_flow->protos.dns.is_rsp_addr_ipv6[i] == 0) {
 	  inet_ntop(AF_INET, &flow->ndpi_flow->protos.dns.rsp_addr[i].ipv4, buf, sizeof(buf));
 	} else {
-	  inet_ntop(AF_INET6, &flow->ndpi_flow->protos.dns.rsp_addr[i].ipv6, buf, sizeof(buf));	  
+	  inet_ntop(AF_INET6, &flow->ndpi_flow->protos.dns.rsp_addr[i].ipv6, buf, sizeof(buf));
 	}
 
 	printf("(%s) %s [ttl: %u]\n", flow->host_server_name, buf, flow->ndpi_flow->protos.dns.rsp_addr_ttl[i]);
-      }      
+      }
     }
   }
   /* MDNS */
@@ -1520,7 +1521,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 
     if(flow->ndpi_flow->protos.tls_quic.ja4_client_raw)
       flow->ssh_tls.ja4_client_raw = strdup(flow->ndpi_flow->protos.tls_quic.ja4_client_raw);
-    
+
    ndpi_snprintf(flow->ssh_tls.ja3_server, sizeof(flow->ssh_tls.ja3_server), "%s",
 	     flow->ndpi_flow->protos.tls_quic.ja3_server);
     flow->ssh_tls.server_unsafe_cipher = flow->ndpi_flow->protos.tls_quic.server_unsafe_cipher;
@@ -1585,6 +1586,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
 
   flow->multimedia_flow_type = flow->ndpi_flow->flow_multimedia_type;
 
+  if(flow->ndpi_flow->tcp.fingerprint)
+    flow->tcp_fingerprint = ndpi_strdup(flow->ndpi_flow->tcp.fingerprint);
+
   /* HTTP metadata are "global" not in `flow->ndpi_flow->protos` union; for example, we can have
      HTTP/BitTorrent and in that case we want to export also HTTP attributes */
   if(is_ndpi_proto(flow, NDPI_PROTOCOL_HTTP)
@@ -1608,16 +1612,16 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
   {
     ndpi_ip_addr_t ip_addr;
     struct ndpi_address_cache_item *c;
-    
+
     memset(&ip_addr, 0, sizeof(ip_addr));
-    
+
     if(flow->ip_version == 4)
       ip_addr.ipv4 = flow->dst_ip;
     else
       memcpy(&ip_addr.ipv6, &flow->dst_ip6, sizeof(struct ndpi_in6_addr));
 
     c = ndpi_cache_address_find(workflow->ndpi_struct, ip_addr);
-				
+
     if(c) {
       flow->server_hostname = ndpi_strdup(c->hostname);
     }
@@ -2205,7 +2209,7 @@ struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow,
     /* At the first packet flush expired cached addresses */
     ndpi_cache_address_flush_expired(workflow->ndpi_struct, header->ts.tv_sec);
   }
-  
+
   /* Increment raw packet counter */
   workflow->stats.raw_packet_count++;
 

example/reader_util.h

@@ -324,7 +324,7 @@ typedef struct ndpi_flow_info {
   ndpi_multimedia_flow_type multimedia_flow_type;
 
   void *src_id, *dst_id;
-
+  char *tcp_fingerprint;
   struct ndpi_entropy *entropy;
   struct ndpi_entropy *last_entropy;
 

src/include/ndpi_typedefs.h

@@ -1312,6 +1312,10 @@ struct ndpi_flow_struct {
   ndpi_risk risk, risk_shadow; /* Issues found with this flow [bitmask of ndpi_risk] */
   struct ndpi_risk_information risk_infos[MAX_NUM_RISK_INFOS]; /* String that contains information about the risks found */
   u_int8_t num_risk_infos;
+
+  struct {
+    char *fingerprint;
+  } tcp;
 
   /*
     This structure below will not not stay inside the protos

src/lib/ndpi_main.c

@@ -60,6 +60,8 @@
 #define TH_PUSH       0x08
 #define TH_ACK        0x10
 #define TH_URG        0x20
+#define TH_ECE        0x40
+#define TH_CWR        0x80
 #endif
 
 #if defined __FreeBSD__ || defined __NetBSD__ || defined __OpenBSD__
@@ -4400,7 +4402,7 @@ void ndpi_exit_detection_module(struct ndpi_detection_module_struct *ndpi_str) {
 
     if(ndpi_str->address_cache)
       ndpi_term_address_cache(ndpi_str->address_cache);
-    
+
     ndpi_free(ndpi_str);
   }
 
@@ -4794,7 +4796,7 @@ static int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_str,
     def = NULL;
   else
     def = &ndpi_str->proto_defaults[subprotocol_id];
-  
+
   if(def == NULL) {
       ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS];
       char *equal = strchr(proto, '=');
@@ -6724,6 +6726,9 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
 	ndpi_free(flow->risk_infos[i].info);
     }
 
+    if(flow->tcp.fingerprint)
+      ndpi_free(flow->tcp.fingerprint);
+
     if(flow->http.url)
       ndpi_free(flow->http.url);
 
@@ -6904,14 +6909,86 @@ static int ndpi_init_packet(struct ndpi_detection_module_struct *ndpi_str,
 
   /* TCP / UDP detection */
   if(l4protocol == IPPROTO_TCP) {
+    u_int16_t header_len;
+
     if(l4_packet_len < 20 /* min size of tcp */)
       return(1);
 
     /* tcp */
     packet->tcp = (struct ndpi_tcphdr *) l4ptr;
-    if(l4_packet_len >= packet->tcp->doff * 4) {
-      packet->payload_packet_len = l4_packet_len - packet->tcp->doff * 4;
-      packet->payload = ((u_int8_t *) packet->tcp) + (packet->tcp->doff * 4);
+    header_len = packet->tcp->doff * 4;
+
+    if(l4_packet_len >= header_len) {
+      if(flow->tcp.fingerprint == NULL) {
+	u_int8_t *t = (u_int8_t*)packet->tcp;
+	u_int16_t flags = ntohs(*((u_int16_t*)&t[12]));
+
+	if((flags & (TH_SYN | TH_ECE | TH_CWR)) == TH_SYN) {
+	  u_int8_t *options = (u_int8_t*)(&t[sizeof(struct ndpi_tcphdr)]);
+	  char fingerprint[128], options_fp[128];
+	  u_int8_t i, fp_idx = 0, options_fp_idx = 0;
+	  u_int8_t options_len = header_len - sizeof(struct ndpi_tcphdr);
+	  u_int16_t tcp_win = ntohs(packet->tcp->window);
+	  u_int8_t ip_ttl;
+	  u_int8_t sha_hash[NDPI_SHA256_BLOCK_SIZE];
+	  
+	  if(packet->iph)
+	    ip_ttl = packet->iph->ttl;
+	  else
+	    ip_ttl = packet->iphv6->ip6_hdr.ip6_un1_hlim;
+
+	  if(ip_ttl <= 32) ip_ttl = 32;
+	  else if(ip_ttl <= 64)  ip_ttl = 64;
+	  else if(ip_ttl <= 128) ip_ttl = 128;
+	  else if(ip_ttl <= 192) ip_ttl = 192;
+	  else ip_ttl = 255;
+	  
+	  fp_idx = snprintf(fingerprint, sizeof(fingerprint), "%u_%u_", ip_ttl, tcp_win);
+	  
+	  for(i=0; i<options_len; ) {
+	    u_int8_t kind = options[i];
+	    int rc;
+
+	    rc = snprintf(&options_fp[options_fp_idx], sizeof(options_fp)-options_fp_idx, "%02x", kind);
+ 	    options_fp_idx += rc;
+
+	    if(kind == 0) /* EOF */
+	      break;
+	    else if(kind == 1) /* NOP */
+	      i++;
+	    else {
+	      u_int8_t len = options[i+1];
+
+	      if(len == 0)
+		break;
+	      else if(kind == 8) {
+		/* Timestamp: ignore it */
+	      } else {
+		int j = i+2;
+		u_int8_t opt_len = len - 2;
+
+		while(opt_len > 0) {
+		  rc = snprintf(&options_fp[options_fp_idx], sizeof(options_fp)-options_fp_idx, "%02x", options[j]);
+		  options_fp_idx += rc;
+		  j++, opt_len--;
+		}
+	      }
+
+	      i += len;
+	    }
+	  } /* for */
+
+	  ndpi_sha256((const u_char*)options_fp, options_fp_idx, sha_hash);
+	  snprintf(&fingerprint[fp_idx], sizeof(fingerprint)-fp_idx, "%02x%02x%02x%02x%02x%02x",
+		   sha_hash[0], sha_hash[1], sha_hash[2],
+		   sha_hash[3], sha_hash[4], sha_hash[5]);
+
+	  flow->tcp.fingerprint = ndpi_strdup(fingerprint);
+	}
+      }
+
+      packet->payload_packet_len = l4_packet_len - header_len;
+      packet->payload = ((u_int8_t *) packet->tcp) + header_len;
     } else {
       /* tcp header not complete */
       return(1);
@@ -7546,7 +7623,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi
 				       struct ndpi_flow_struct *flow,
 				       u_int16_t master) {
   /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup(), via ndpi_reconcile_protocols() */
-  
+
   if(flow->l4_proto == IPPROTO_UDP) {
     u_int16_t sport = ntohs(flow->c_port);
     u_int16_t dport = ntohs(flow->s_port);
@@ -7694,7 +7771,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
 				 NDPI_CONFIDENCE_DPI_PARTIAL);
       }
     break;
-    
+
   case NDPI_PROTOCOL_SKYPE_TEAMS:
   case NDPI_PROTOCOL_SKYPE_TEAMS_CALL:
     if(flow->l4_proto == IPPROTO_UDP && ndpi_str->msteams_cache) {
@@ -9066,8 +9143,7 @@ struct header_line {
   struct ndpi_int_one_line_struct *line;
 };
 
-static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_str)
-{
+static void parse_single_packet_line(struct ndpi_detection_module_struct *ndpi_str) {
   struct ndpi_packet_struct *packet = &ndpi_str->packet;
   struct ndpi_int_one_line_struct *line;
   size_t length;
@@ -11366,7 +11442,7 @@ static const struct cfg_param {
   { "tls",           "subclassification",                       "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_subclassification_enabled), NULL },
 
   { "quic",          "subclassification",                       "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(quic_subclassification_enabled), NULL },
-    
+
   { "smtp",          "tls_dissection",                          "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(smtp_opportunistic_tls_enabled), NULL },
 
   { "imap",          "tls_dissection",                          "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(imap_opportunistic_tls_enabled), NULL },

src/lib/ndpi_utils.c

@@ -1651,7 +1651,11 @@ int ndpi_flow2json(struct ndpi_detection_module_struct *ndpi_struct,
 
   ndpi_serialize_string_uint32(serializer, "ip", ip_version);
 
-  ndpi_serialize_string_string(serializer, "proto", ndpi_get_ip_proto_name(l4_protocol, l4_proto_name, sizeof(l4_proto_name)));
+  if(flow->tcp.fingerprint)
+    ndpi_serialize_string_string(serializer, "tcp_fingerprint", flow->tcp.fingerprint);
+  
+  ndpi_serialize_string_string(serializer, "proto",
+			       ndpi_get_ip_proto_name(l4_protocol, l4_proto_name, sizeof(l4_proto_name)));
 
   return(ndpi_dpi2json(ndpi_struct, flow, l7_protocol, serializer));
 }