Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

protocols/ethereum: enhance node discovery protocol detection. #2145

Merged
merged 1 commit into from
Nov 15, 2023
Merged

protocols/ethereum: enhance node discovery protocol detection. #2145

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 39 additions & 18 deletions src/lib/protocols/ethereum.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,14 @@
#include "ndpi_api.h"
#include "ndpi_private.h"

enum ether_disc_packet_type {
DISC_PING = 0x01,
DISC_PONG = 0x02,
DISC_FINDNODE = 0x03,
DISC_NEIGHBOURS = 0x04,
DISC_ENRREQUEST = 0x05,
DISC_ENRRESPONSE = 0x06
};

/* ************************************************************************** */

Expand All @@ -50,34 +58,47 @@ static void ndpi_ether_cache_connection(struct ndpi_detection_module_struct *ndp

/* ************************************************************************** */

/*
* https://github.com/ethereum/devp2p/blob/master/discv4.md
*/
static bool ndpi_ether_is_discv4(const struct ndpi_packet_struct *packet) {
u_int16_t source = ntohs(packet->udp->source);
u_int16_t dest = ntohs(packet->udp->dest);
if((packet->payload_packet_len > 98)
&& (packet->payload_packet_len < 1280)
&& ((source == 30303) || (dest == 30303)) /*one way to remove default port is to compute packet hash and use it for verification*/
) {
uint8_t packet_type = packet->payload[97];
switch(packet_type) {
case DISC_PING:
case DISC_PONG:
case DISC_FINDNODE:
case DISC_NEIGHBOURS:
case DISC_ENRREQUEST:
case DISC_ENRRESPONSE:
return true;
default:
return false;
}
}
return false;
}

/* ************************************************************************** */

static void ndpi_search_ethereum_udp(struct ndpi_detection_module_struct *ndpi_struct,
struct ndpi_flow_struct *flow) {
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
u_int16_t source = ntohs(packet->udp->source);
u_int16_t dest = ntohs(packet->udp->dest);

NDPI_LOG_DBG(ndpi_struct, "search ETHEREUM UDP\n");

/*
Ethereum P2P Discovery Protocol
https://github.com/ConsenSys/ethereum-dissectors/blob/master/packet-ethereum-disc.c
*/
if((packet->payload_packet_len > 98)
&& (packet->payload_packet_len < 1280)
&& ((source == 30303) || (dest == 30303))
&& (packet->payload[97] <= 0x04 /* NODES */)
) {
if((packet->iph) && ((ntohl(packet->iph->daddr) & 0xFF000000 /* 255.0.0.0 */) == 0xFF000000))
;
else if(packet->iphv6 && ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) == 0xFF020000)
;
else {
if((packet->iph && ((ntohl(packet->iph->daddr) & 0xFF000000) != 0xFF000000 /* 255.0.0.0 */))
IvanNardi marked this conversation as resolved.
Show resolved Hide resolved
||(packet->iphv6 && (ntohl(packet->iphv6->ip6_dst.u6_addr.u6_addr32[0]) != 0xFF020000 /* ff02:: */))) {
if(ndpi_ether_is_discv4(packet) /*|| ndpi_is_discv5(packet)*/) {
ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ETHEREUM, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
ndpi_ether_cache_connection(ndpi_struct, flow);
return;
}
}

NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
}

Expand Down
Loading