Improve TencentGames detection (#2353)

* Improve TencentGames detection * Add more signatures
ntop · Mar 20, 2024 · 27f9ca9 · 27f9ca9
1 parent 15a8052
commit 27f9ca9
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 10 deletions.
diff --git a/src/lib/protocols/tencent_games.c b/src/lib/protocols/tencent_games.c
@@ -29,6 +29,14 @@
 #include "ndpi_api.h"
 #include "ndpi_private.h"
 
+static void ndpi_int_tencent_games_add_connection(struct ndpi_detection_module_struct *ndpi_struct, 
+                                                  struct ndpi_flow_struct *flow)
+{
+  NDPI_LOG_INFO(ndpi_struct, "found Tencent Games\n");
+  ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TENCENTGAMES,
+                             NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+}
+
 static void ndpi_search_tencent_games(struct ndpi_detection_module_struct *ndpi_struct,
                                       struct ndpi_flow_struct *flow)
 {
@@ -40,9 +48,29 @@ static void ndpi_search_tencent_games(struct ndpi_detection_module_struct *ndpi_
     if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x3366000B &&
         ntohs(get_u_int16_t(packet->payload, 4)) == 0xB)
     {
-      NDPI_LOG_INFO(ndpi_struct, "found Tencent Games\n");
-      ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TENCENTGAMES,
-                                 NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+      ndpi_int_tencent_games_add_connection(ndpi_struct, flow);
+      return;
+    }
+
+    if (ntohl(get_u_int32_t(packet->payload, 0)) == 0x4366AA00 &&
+        ntohl(get_u_int32_t(packet->payload, 12)) == 0x10E68601)
+    {
+      ndpi_int_tencent_games_add_connection(ndpi_struct, flow);
+      return;
+    }
+
+    if (ntohl(get_u_int32_t(packet->payload, 0)) == 0xAA000000 &&
+        ntohl(get_u_int32_t(packet->payload, 10)) == 0x10E68601)
+    {
+      ndpi_int_tencent_games_add_connection(ndpi_struct, flow);
+      return;
+    }
+
+    if (get_u_int16_t(packet->payload, 0) == 0 &&
+        ntohs(get_u_int16_t(packet->payload, 2)) == (u_int16_t)(packet->payload_packet_len-4) &&
+        ntohs(get_u_int16_t(packet->payload, 4)) == 0x7801)
+    {
+      ndpi_int_tencent_games_add_connection(ndpi_struct, flow);
       return;
     }
   }

diff --git a/tests/cfgs/default/pcap/tencent_games.pcap b/tests/cfgs/default/pcap/tencent_games.pcap
diff --git a/tests/cfgs/default/result/tencent_games.pcap.out b/tests/cfgs/default/result/tencent_games.pcap.out
@@ -1,6 +1,6 @@
-DPI Packets (TCP):	4	(4.00 pkts/flow)
-Confidence DPI              : 1 (flows)
-Num dissector calls: 144 (144.00 diss/flow)
+DPI Packets (TCP):	12	(4.00 pkts/flow)
+Confidence DPI              : 3 (flows)
+Num dissector calls: 432 (144.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)
@@ -18,11 +18,13 @@ Patricia risk mask:   0/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   1/1 (search/found)
+Patricia protocols:   3/3 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
 
-TencentGames	10	818	1
+TencentGames	22	2400	3
 
-Fun                             10 818           1            
+Fun                             22 2400          3            
 
-	1	TCP 10.215.173.1:43300 <-> 43.130.19.227:65010 [proto: 395/TencentGames][IP: 285/Tencent][ClearText][Confidence: DPI][DPI packets: 4][cat: Game/8][5 pkts/413 bytes <-> 5 pkts/405 bytes][Goodput ratio: 47/49][0.61 sec][bytes ratio: 0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/4 103/104 200/200 95/96][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 83/81 157/173 46/52][PLAIN TEXT (9089499565149320430)][Plen Bins: 0,0,50,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 10.215.173.1:42864 <-> 162.62.116.201:20731 [proto: 395/TencentGames][IP: 285/Tencent][ClearText][Confidence: DPI][DPI packets: 4][cat: Game/8][4 pkts/951 bytes <-> 2 pkts/88 bytes][Goodput ratio: 81/0][0.23 sec][bytes ratio: 0.831 (Upload)][IAT c2s/s2c min/avg/max/stddev: 32/124 75/124 124/124 38/0][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 238/44 473/48 191/4][Plen Bins: 0,0,0,0,0,0,0,0,0,0,50,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	TCP 10.215.173.1:43300 <-> 43.130.19.227:65010 [proto: 395/TencentGames][IP: 285/Tencent][ClearText][Confidence: DPI][DPI packets: 4][cat: Game/8][5 pkts/413 bytes <-> 5 pkts/405 bytes][Goodput ratio: 47/49][0.61 sec][bytes ratio: 0.010 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 4/4 103/104 200/200 95/96][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 83/81 157/173 46/52][PLAIN TEXT (9089499565149320430)][Plen Bins: 0,0,50,25,25,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	3	TCP 10.215.173.1:46658 <-> 162.62.97.166:8085 [proto: 395/TencentGames][IP: 285/Tencent][ClearText][Confidence: DPI][DPI packets: 4][cat: Game/8][3 pkts/290 bytes <-> 3 pkts/253 bytes][Goodput ratio: 52/49][0.17 sec][bytes ratio: 0.068 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/8 51/40 95/71 44/32][Pkt Len c2s/s2c min/avg/max/stddev: 40/40 97/84 190/165 66/57][PLAIN TEXT (gcloud)][Plen Bins: 0,0,0,50,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]