Added VXLAN dissector (#1439)

* RFC 7348
ntop · Feb 9, 2022 · 4cf8535 · 4cf8535
1 parent f229068
commit 4cf8535
Show file tree

Hide file tree

Showing 6 changed files with 103 additions and 4 deletions.
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h
@@ -92,7 +92,7 @@ typedef enum {
   NDPI_PROTOCOL_QQLIVE                = 61,
   NDPI_PROTOCOL_THUNDER               = 62,
   NDPI_PROTOCOL_OCSP                  = 63,
-  NDPI_PROTOCOL_FREE_64               = 64, /* FREE */
+  NDPI_PROTOCOL_VXLAN                 = 64, /* Dmytrii Vitman <[email protected]> */
   NDPI_PROTOCOL_IRC                   = 65,
   NDPI_PROTOCOL_AYIYA                 = 66,
   NDPI_PROTOCOL_JABBER                = 67,

diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
@@ -169,6 +169,7 @@ void init_vhua_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int
 void init_viber_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_vmware_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_vnc_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
+void init_vxlan_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_warcraft3_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_whois_das_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);
 void init_world_of_warcraft_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask);

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -1174,10 +1174,10 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			  "OCSP", NDPI_PROTOCOL_CATEGORY_NETWORK,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
-  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_64,
-			  "FREE_64", NDPI_PROTOCOL_CATEGORY_VIDEO,
+  ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_VXLAN,
+			  "VXLAN", NDPI_PROTOCOL_CATEGORY_NETWORK,
 			  ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
-			  ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
+			  ndpi_build_default_ports(ports_b, 4789, 0, 0, 0, 0) /* UDP */);
   ndpi_set_proto_defaults(ndpi_str, 1 /* cleartext */, NDPI_PROTOCOL_UNSAFE, NDPI_PROTOCOL_IRC,
 			  "IRC", NDPI_PROTOCOL_CATEGORY_CHAT,
 			  ndpi_build_default_ports(ports_a, 194, 0, 0, 0, 0) /* TCP */,
@@ -3826,6 +3826,9 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n
   /* VNC */
   init_vnc_dissector(ndpi_str, &a, detection_bitmask);
 
+  /* VXLAN */
+  init_vxlan_dissector(ndpi_str, &a, detection_bitmask);
+
   /* TEAMVIEWER */
   init_teamviewer_dissector(ndpi_str, &a, detection_bitmask);
 

diff --git a/src/lib/protocols/vxlan.c b/src/lib/protocols/vxlan.c
@@ -0,0 +1,79 @@
+/*
+ * vxlan.c
+ *
+ * Copyright (C) 2011-22 - ntop.org
+ *
+ * nDPI is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * nDPI is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "ndpi_protocol_ids.h"
+
+#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VXLAN
+
+#include "ndpi_api.h"
+
+/* This code handles VXLAN as per RFC 7348 */
+
+struct vxlan_header {
+  u_int8_t flags[4]; /* the first byte is flags, other three are reserved */
+  u_int8_t vni[4];   /* the first three bytes are VNI, the last byte is reserved */
+};
+
+static void ndpi_check_vxlan(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  u_int32_t payload_len = packet->payload_packet_len;
+
+  if((packet->udp != NULL) && (payload_len >= sizeof(struct vxlan_header))) {
+    u_int32_t vxlan_dst_port  = ntohs(4789);
+    u_int32_t expected_flags = 0x08; /* only one bit should be set in the first byte */
+
+    struct vxlan_header *vxlan = (struct vxlan_header *)packet->payload;
+
+    if((packet->udp->dest == vxlan_dst_port) &&
+      (vxlan->flags[0] == expected_flags) && (vxlan->flags[1] == 0x0) &&
+      (vxlan->flags[2] == 0x0) && (vxlan->flags[3] == 0x0) &&
+      (vxlan->vni[3] == 0x0)) {
+
+      NDPI_LOG_INFO(ndpi_struct, "found vxlan\n");
+      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VXLAN, NDPI_PROTOCOL_VXLAN, NDPI_CONFIDENCE_DPI);
+      return;
+    }
+  }
+
+  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+  return;
+}
+
+void ndpi_search_vxlan(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  NDPI_LOG_DBG(ndpi_struct, "search vxlan\n");
+
+  /* skip marked packets */
+  if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_VXLAN)
+    ndpi_check_vxlan(ndpi_struct, flow);
+}
+
+void init_vxlan_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask)
+{
+  ndpi_set_bitmask_protocol_detection("VXLAN", ndpi_struct, detection_bitmask, *id,
+              NDPI_PROTOCOL_VXLAN,
+              ndpi_search_vxlan,
+              NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
+              SAVE_DETECTION_BITMASK_AS_UNKNOWN,
+              ADD_TO_DETECTION_BITMASK);
+
+  *id += 1;
+}
diff --git a/tests/pcap/vxlan.pcap b/tests/pcap/vxlan.pcap
diff --git a/tests/result/vxlan.pcap.out b/tests/result/vxlan.pcap.out
@@ -0,0 +1,16 @@
+Guessed flow protos:	0
+
+DPI Packets (UDP):	9	(1.00 pkts/flow)
+Confidence DPI              : 9 (flows)
+
+VXLAN	127	85322	9
+
+	1	UDP 192.168.22.5:36286 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][56 pkts/71223 bytes -> 0 pkts/0 bytes][Goodput ratio: 96/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/0 113/0 16/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 1272/0 1500/0 477/0][PLAIN TEXT (Ev0@ED)][Plen Bins: 0,0,10,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,83,0,0]
+	2	UDP 192.168.22.5:60230 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][13 pkts/5656 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 34/0 233/0 70/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 435/0 1500/0 497/0][Plen Bins: 0,0,55,7,0,0,0,7,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]
+	3	UDP 192.168.22.4:40646 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][35 pkts/4938 bytes -> 0 pkts/0 bytes][Goodput ratio: 67/0][0.34 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/0 150/0 30/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 141/0 438/0 66/0][PLAIN TEXT (www.facebook.com)][Plen Bins: 0,0,91,0,2,0,0,2,2,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	4	UDP 192.168.22.4:49762 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][12 pkts/2011 bytes -> 0 pkts/0 bytes][Goodput ratio: 73/0][0.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 15/0 81/0 25/0][Pkt Len c2s/s2c min/avg/max/stddev: 120/0 168/0 434/0 92/0][PLAIN TEXT (facebook.com)][Plen Bins: 0,0,67,8,8,0,0,8,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	5	UDP 192.168.22.5:50251 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][2 pkts/362 bytes -> 0 pkts/0 bytes][Goodput ratio: 74/0][0.03 sec][PLAIN TEXT (facebook)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.22.4:60230 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][3 pkts/324 bytes -> 0 pkts/0 bytes][Goodput ratio: 57/0][< 1 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	7	UDP 192.168.22.5:43866 -> 192.168.22.4:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][2 pkts/296 bytes -> 0 pkts/0 bytes][Goodput ratio: 69/0][0.03 sec][PLAIN TEXT (facebook)][Plen Bins: 0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	8	UDP 192.168.22.4:60351 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][2 pkts/260 bytes -> 0 pkts/0 bytes][Goodput ratio: 64/0][< 1 sec][PLAIN TEXT (facebook)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	9	UDP 192.168.22.4:60887 -> 192.168.22.5:4789 [VLAN: 5][proto: 64/VXLAN][ClearText][Confidence: DPI][cat: Network/14][2 pkts/252 bytes -> 0 pkts/0 bytes][Goodput ratio: 63/0][< 1 sec][PLAIN TEXT (facebook)][Plen Bins: 0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]