Skip to content

Commit

Permalink
protocols/ethereum: enhance node discovery protocol detection.
Browse files Browse the repository at this point in the history
*  packet-type == 0x0 shouldn't be allowed.
* allow more packet-type e.g. ENRRequest, ENRResponse.

Signed-off-by: Mahmoud Maatuq <[email protected]>
  • Loading branch information
mmaatuq committed Nov 14, 2023
1 parent 38f9a74 commit 1b1804f
Showing 1 changed file with 39 additions and 18 deletions.
57 changes: 39 additions & 18 deletions src/lib/protocols/ethereum.c
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,14 @@
#include "ndpi_api.h"
#include "ndpi_private.h"

enum ether_disc_packet_type {
DISC_PING = 0x01,
DISC_PONG = 0x02,
DISC_FINDNODE = 0x03,
DISC_NEIGHBOURS = 0x04,
DISC_ENRREQUEST = 0x05,
DISC_ENRRESPONSE = 0x06
};

/* ************************************************************************** */

Expand All @@ -50,34 +58,47 @@ static void ndpi_ether_cache_connection(struct ndpi_detection_module_struct *ndp

/* ************************************************************************** */

/*
* https://github.com/ethereum/devp2p/blob/master/discv4.md
*/
static bool ndpi_ether_is_discv4(const struct ndpi_packet_struct *packet) {
u_int16_t source = ntohs(packet->udp->source);
u_int16_t dest = ntohs(packet->udp->dest);
if((packet->payload_packet_len > 98)
&& (packet->payload_packet_len < 1280)
&& ((source == 30303) || (dest == 30303)) /*one way to remove default port is to compute packet hash and use it for verification*/
) {
uint8_t packet_type = packet->payload[97];
switch(packet_type) {
case DISC_PING:
case DISC_PONG:
case DISC_FINDNODE:
case DISC_NEIGHBOURS:
case DISC_ENRREQUEST:
case DISC_ENRRESPONSE:
return true;
default:
return false;
}
}
return false;
}

/* ************************************************************************** */

static void ndpi_search_ethereum_udp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int16_t source = ntohs(packet->udp->source);
u_int16_t dest = ntohs(packet->udp->dest);

NDPI_LOG_DBG(ndpi_struct, "search ETHEREUM UDP\n");

/*
Ethereum P2P Discovery Protocol
https://github.com/ConsenSys/ethereum-dissectors/blob/master/packet-ethereum-disc.c
*/
if((packet->payload_packet_len > 98)
&& (packet->payload_packet_len < 1280)
&& ((source == 30303) || (dest == 30303))
&& (packet->payload[97] <= 0x04 /* NODES */)
) {
if((packet->iph) && ((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0xFF000000))
;
else if(packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000)
;
else {
if((packet->iph && ((ntohl(packet->iph->daddr) & 0xFF000000) != 0xFF000000 /* 255.0.0.0 */))
||(packet->iphv6 && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) != 0xFF020000 /* ff02:: */))) {
if(ndpi_ether_is_discv4(packet) /*|| ndpi_is_discv5(packet)*/) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHEREUM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
ndpi_ether_cache_connection(ndpi_struct, flow);
return;
}
}

NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}

Expand Down

0 comments on commit 1b1804f

Please sign in to comment.